POSTCONF(5) File Formats Manual POSTCONF(5)

postconf - Postfix configuration parameters

postconf parameter ...

postconf -e "parameter=value" ...

The Postfix main.cf configuration file specifies parameters that control the operation of the Postfix mail system. Typically the file contains only a small subset of all parameters; parameters not specified are left at their default values.

The general format of the main.cf file is as follows:

• Each logical line has the form "parameter = value". Whitespace around the "=" is ignored, as is whitespace at the end of a logical line.

• Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a `#'.

• A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line.

• A parameter value may refer to other parameters.

    • The expressions "$name" and "${name}" are recursively replaced with the value of the named parameter. The parameter name must contain only characters from the set [a-zA-Z0-9_]. An undefined parameter value is replaced with the empty value.

    • The expressions "${name?value}" and "${name?{value}}" are replaced with "value" when "$name" is non-empty. The parameter name must contain only characters from the set [a-zA-Z0-9_]. These forms are supported with Postfix versions >= 2.2 and >= 3.0, respectively.

    • The expressions "${name:value}" and "${name:{value}}" are replaced with "value" when "$name" is empty. The parameter name must contain only characters from the set [a-zA-Z0-9_]. These forms are supported with Postfix versions >= 2.2 and >= 3.0, respectively.

    • The expression "${name?{value1}:{value2}}" is replaced with "value1" when "$name" is non-empty, and with "value2" when "$name" is empty. The "{}" is required for "value1", optional for "value2". The parameter name must contain only characters from the set [a-zA-Z0-9_]. This form is supported with Postfix versions >= 3.0.

    • The first item inside "${...}" may be a relational expression of the form: "{value3} == {value4}". Besides the "==" (equality) operator Postfix supports "!=" (inequality), "<", "<=", ">=", and ">". The comparison is numerical when both operands are all digits, otherwise the comparison is lexicographical. These forms are supported with Postfix versions >= 3.0.

    • Each "value" is subject to recursive named parameter and relational expression evaluation, except where noted.

    • Whitespace before or after each "{value}" is ignored.

    • Specify "$$" to produce a single "$" character.

    • The legacy form "$(...)" is equivalent to the preferred form "${...}".

• When the same parameter is defined multiple times, only the last instance is remembered.

• Otherwise, the order of main.cf parameter definitions does not matter.

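The expansion rules above, worked through as an added example that is not code from Postfix or from this manual: a small Python evaluator for $name, ${name}, the ?/: forms, relational expressions, $$ and the legacy $(...) form, run over a constructed parameter set. Its recursion guard, its treatment of a lone "$" as literal text, and its rejection of a relational expression that is not followed by ? or : are this example's own choices, not documented Postfix behaviour.

```python
import re
# Constructed sample main.cf parameter values (not a real configuration).
SAMPLE_PARAMS = {
    "mydomain": "example.com",
    "myhostname": "mail.example.com",
    "smtpd_banner": "$myhostname ESMTP",
    "relayhost": "",
    "smtp_connect_timeout": "100",
}

NAME_RE = re.compile(r"[A-Za-z0-9_]+")               # the only characters allowed in a name
RELATIONAL_OPS = ("==", "!=", "<=", ">=", "<", ">")  # two-character operators are tried first
MAX_DEPTH = 100                                      # recursion guard; this example's own limit

class ExpandError(ValueError):
    """Malformed ${...} syntax or runaway recursion."""

def _matching(text, start, open_ch, close_ch):     # index of the close_ch balancing text[start]
    level = 0
    for i in range(start, len(text)):
        level += (text[i] == open_ch) - (text[i] == close_ch)
        if level == 0:
            return i
    raise ExpandError("unbalanced %s...%s in %r" % (open_ch, close_ch, text))

def _take_value(s):                                  # split off a {value} or a bare value
    if not s.lstrip().startswith("{"):
        return s, ""             # a bare value runs to the end of the enclosing ${...}
    s = s.lstrip()                                   # whitespace around {value} is ignored
    end = _matching(s, 0, "{", "}")
    return s[1:end], s[end + 1:].lstrip()

def _compare(left, op, right):
    """Numerical when both operands are all digits, otherwise lexicographical."""
    if re.fullmatch(r"[0-9]+", left) and re.fullmatch(r"[0-9]+", right):
        left, right = int(left), int(right)
    return {"==": left == right, "!=": left != right, "<": left < right,
            "<=": left <= right, ">=": left >= right, ">": left > right}[op]

def _expand_braced(body, params, depth):
    """Evaluate the inside of ${...}: a name or a relational expression, then ?/: parts."""
    body = body.lstrip()
    if body.startswith("{"):                      # relational expression: {value3} op {value4}
        end = _matching(body, 0, "{", "}")
        left = expand(body[1:end], params, depth + 1)
        rest = body[end + 1:].lstrip()
        op = next((o for o in RELATIONAL_OPS if rest.startswith(o)), None)
        rest = rest[len(op):].lstrip() if op else ""
        if not rest.startswith("{"):
            raise ExpandError("bad relational expression in ${%s}" % body)
        end = _matching(rest, 0, "{", "}")
        cond = _compare(left, op, expand(rest[1:end], params, depth + 1))
        rest, value = rest[end + 1:].lstrip(), None
    else:                                         # a parameter name; undefined names yield ""
        m = NAME_RE.match(body)
        if not m:
            raise ExpandError("bad parameter name in ${%s}" % body)
        value = expand(params.get(m.group(), ""), params, depth + 1)
        cond, rest = value != "", body[m.end():]
    if rest == "" and value is not None:
        return value                              # plain ${name}
    if rest[:1] not in ("?", ":"):                # a relational expression must be followed by ? or :
        raise ExpandError("expected '?' or ':' in ${%s}" % body)
    if rest[0] == "?":                            # ${name?value} and ${name?{value1}:{value2}}
        true_part, rest = _take_value(rest[1:])
        false_part, rest = _take_value(rest[1:]) if rest.startswith(":") else ("", rest)
    else:                                         # ${name:value}
        true_part, (false_part, rest) = "", _take_value(rest[1:])
    if rest != "":
        raise ExpandError("trailing text in ${%s}" % body)
    return expand(true_part if cond else false_part, params, depth + 1)  # values are expanded too

def expand(text, params, depth=0):
    """Expand $name, ${...}, legacy $(...) and $$ in text using the params dict."""
    if depth > MAX_DEPTH:
        raise ExpandError("expansion nesting too deep (parameter reference loop?)")
    out, i = [], 0
    while i < len(text):
        j = text.find("$", i)                     # copy literal text up to the next "$"
        if j < 0:
            out.append(text[i:])
            break
        out.append(text[i:j])
        nxt, m = text[j + 1:j + 2], NAME_RE.match(text, j + 1)
        if nxt == "$":                            # "$$" produces a single "$"
            out.append("$")
            i = j + 2
        elif nxt in ("{", "("):                   # ${...} and the equivalent legacy $(...)
            end = _matching(text, j + 1, nxt, "}" if nxt == "{" else ")")
            out.append(_expand_braced(text[j + 2:end], params, depth))
            i = end + 1
        elif m:                                   # bare $name; undefined names expand to ""
            out.append(expand(params.get(m.group(), ""), params, depth + 1))
            i = m.end()
        else:                                     # a lone "$" is kept literally (assumption)
            out.append("$")
            i = j + 1
    return "".join(out)
```

Note how "${{$smtp_connect_timeout} > {30x}?{slow}:{fast}}" flips to "fast": one non-digit operand makes the comparison lexicographical, and "100" sorts before "30x".
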
The remainder of this document is a description of all Postfix configuration parameters. Default values are shown after the parameter name in parentheses, and can be looked up with the "postconf -d" command.

Note: this is not an invitation to make changes to Postfix configuration parameters. Unnecessary changes can impair the operation of the mail system.

The recipient of undeliverable mail that cannot be returned to the sender. This feature is enabled with the notify_classes parameter.

The numerical Postfix SMTP server response code for an access(5) map "defer" action, including "defer_if_permit" or "defer_if_reject". Prior to Postfix 2.6, the response is hard-coded as "450".

Do not change this unless you have a complete understanding of RFC 5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code for an access(5) map "reject" action.

Do not change this unless you have a complete understanding of RFC 5321.

The amount of time between verify(8) address verification database cleanup runs. This feature requires that the database supports the "delete" and "sequence" operators. Specify a zero interval to disable database cleanup.

After each database cleanup run, the verify(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as "partial" when the daemon terminates early after "postfix reload", "postfix stop", or no requests for $max_idle seconds.

Specify a non-negative time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is h (hours).

This feature is available in Postfix 2.7.
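
As an added example that is not Postfix code, covering both the main.cf line format described at the top of this page and the time-value syntax repeated in the address_verify_* and bounce_queue_lifetime descriptions: a parser that applies the logical-line, comment, continuation and last-definition-wins rules to a constructed main.cf fragment, then converts the time values to seconds and flags values the descriptions disallow. Joining continuation lines with a single space, the 3-hour threshold standing in for "several hours", and the pairing of parameter names with the default units stated in their descriptions are this example's own choices.

```python
import re

# Constructed main.cf fragment (not a real configuration). It exercises comments,
# whitespace around "=", a continuation line, and a parameter that is defined twice.
SAMPLE_MAIN_CF = """\
# address verification settings
address_verify_map = hash:/var/lib/postfix/verify
address_verify_negative_expire_time=3d
address_verify_poll_delay   = 0
address_verify_sender_ttl = 7h
bounce_queue_lifetime = 5
alias_maps = hash:/etc/aliases,
    nis:mail.aliases
address_verify_positive_expire_time = 31d
address_verify_positive_expire_time = 20d
"""

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}

# Default unit and whether a zero value is allowed, as stated in this page's descriptions
# of these parameters (pairing the names with the descriptions is this example's choice).
TIME_PARAMS = {
    "address_verify_cache_cleanup_interval": ("h", True),   # "non-negative", default unit h
    "address_verify_negative_expire_time": ("d", False),    # "non-zero", default unit d
    "address_verify_negative_refresh_time": ("h", False),
    "address_verify_poll_delay": ("s", False),
    "address_verify_positive_expire_time": ("d", False),
    "address_verify_positive_refresh_time": ("d", False),
    "address_verify_sender_ttl": ("s", True),
    "bounce_queue_lifetime": ("d", True),
}


def parse_main_cf(text):
    """Return {parameter: value} for main.cf text, following the rules at the top of this page."""
    logical = []
    for raw in text.splitlines():
        if raw.strip() == "" or raw.lstrip().startswith("#"):
            continue                              # empty, whitespace-only and comment lines
        if raw[0] in " \t" and logical:           # leading whitespace continues the logical line
            logical[-1] += " " + raw.strip()      # (joined with one space: this example's choice)
        else:
            logical.append(raw.rstrip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if not sep or name.strip() == "":
            raise ValueError("not a 'parameter = value' line: %r" % line)
        params[name.strip()] = value.strip()      # the last definition wins
    return params


def parse_time_value(value, default_unit, allow_zero):
    """Convert "3d", "7h" or "5" (default unit applies) to seconds."""
    m = re.fullmatch(r"([0-9]+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError("bad time value %r" % value)
    seconds = int(m.group(1)) * TIME_UNITS[m.group(2) or default_unit]
    if seconds == 0 and not allow_zero:
        raise ValueError("zero is not allowed for this parameter")
    return seconds


def check_time_params(params):
    """Return ({name: seconds} for the known time parameters present, [problem strings])."""
    seconds, problems = {}, []
    for name, (unit, allow_zero) in TIME_PARAMS.items():
        if name in params:
            try:
                seconds[name] = parse_time_value(params[name], unit, allow_zero)
            except ValueError as err:
                problems.append("%s: %s" % (name, err))
    ttl = seconds.get("address_verify_sender_ttl", 0)
    if 0 < ttl < 3 * 3600:   # the page advises "at least several hours"; 3h is this example's threshold
        problems.append("address_verify_sender_ttl: shorter than several hours, may trip greylisting")
    return seconds, problems
```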

Overrides the default_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the local_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Lookup table for persistent address verification status storage. The table is maintained by the verify(8) service, and is opened before the process releases privileges.

The lookup table is persistent by default (Postfix 2.7 and later). Specify an empty table name to keep the information in volatile memory which is lost after "postfix reload" or "postfix stop". This is the default with Postfix version 2.6 and earlier.

Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover, delete (NOT: truncate) the file and do "postfix reload".

Postfix daemon processes do not use root privileges when opening this file (Postfix 2.5 and later). The file must therefore be stored under a Postfix-owned directory such as the data_directory. As a migration aid, an attempt to open the file under a non-Postfix directory is redirected to the Postfix-owned data_directory, and a warning is logged.

Examples:

address_verify_map = hash:/var/lib/postfix/verify
address_verify_map = btree:/var/lib/postfix/verify

This feature is available in Postfix 2.1 and later.

Enable caching of failed address verification probe results. When this feature is enabled, the cache may pollute quickly with garbage. When this feature is disabled, Postfix will generate an address probe for every lookup.

This feature is available in Postfix 2.1 and later.

The time after which a failed probe expires from the address verification cache.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.1 and later.

The time after which a failed address verification probe needs to be refreshed.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is h (hours).

This feature is available in Postfix 2.1 and later.

A safety limit that prevents address verification requests from overwhelming the Postfix queue. By default, the number of pending requests is limited to 1/4 of the active queue maximum size (qmgr_message_active_limit). The queue manager enforces the limit by tempfailing requests that exceed the limit. This affects only unknown addresses and inactive addresses that have expired, because the verify(8) daemon automatically refreshes an active address before it expires.

This feature is available in Postfix 3.1 and later.

How many times to query the verify(8) service for the completion of an address verification request in progress.

By default, the Postfix SMTP server polls the verify(8) service up to three times under non-overload conditions, and only once when under overload. With Postfix version 2.5 and earlier, the SMTP server always polls the verify(8) service up to three times by default.

Specify 1 to implement a crude form of greylisting, that is, always defer the first delivery request for a new address.

Examples:

# Postfix <= 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1

This feature is available in Postfix 2.1 and later.

The delay between queries for the completion of an address verification request in progress.

The default polling delay is 3 seconds.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

The time after which a successful probe expires from the address verification cache.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.1 and later.

The time after which a successful address verification probe needs to be refreshed. The address verification status is not updated when the probe fails (optimistic caching).

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.1 and later.

Overrides the relay_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the relayhost parameter setting for address verification probes. This information can be overruled with the transport(5) table.

This feature is available in Postfix 2.1 and later.

The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". To avoid problems with address probes that are sent in response to address probes, the Postfix SMTP server excludes the probe sender address from all SMTPD access blocks.

Specify an empty value (address_verify_sender =) or <> if you want to use the null sender address. Beware, some sites reject mail from <>, even though RFCs require that such addresses be accepted.

Examples:

address_verify_sender = <>
address_verify_sender = postmaster@mydomain

This feature is available in Postfix 2.1 and later.

pendent_default_transport_maps)
Overrides the sender_dependent_default_transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.7 and later.

layhost_maps)
Overrides the sender_dependent_relayhost_maps parameter setting for address verification probes.

This feature is available in Postfix 2.3 and later.

The time between changes in the time-dependent portion of address verification probe sender addresses. The time-dependent portion is appended to the localpart of the address specified with the address_verify_sender parameter. This feature is ignored when the probe sender address is the null sender, i.e. the address_verify_sender value is empty or <>.

Historically, the probe sender address was fixed. This has caused such addresses to end up on spammer mailing lists, and has resulted in wasted network and processing resources.

To enable time-dependent probe sender addresses, specify a non-zero time value. Specify a value of at least several hours, to avoid problems with senders that use greylisting. Avoid nice TTL values, to make the result less predictable.

Specify a non-negative time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.9 and later.

The name of the verify(8) address verification service. This service maintains the status of sender and/or recipient address verification probes, and generates probes on request by other Postfix processes.

Overrides the transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the virtual_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".

This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.

Examples:

alias_database = hash:/etc/aliases
alias_database = hash:/etc/mail/aliases

The alias databases that are used for local(8) delivery. See aliases(5) for syntax details. Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. Note: these lookups are recursive.

The default list is system dependent. On systems with NIS, the default is to search the local alias database, then the NIS alias database.

If you change the alias database, run "postalias /etc/aliases" (or wherever your system stores the mail alias file), or simply run "newaliases" to build the necessary DBM or DB file.

The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole.

The local(8) delivery agent will silently ignore requests to use the proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent will terminate with a fatal error.

Examples:

alias_maps = hash:/etc/aliases, nis:mail.aliases
alias_maps = hash:/etc/aliases

Restrict local(8) mail delivery to external commands. The default is to disallow delivery to "|command" in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow commands in aliases(5), .forward files or in :include: files, respectively.

Example:

allow_mail_to_commands = alias,forward,include

Restrict local(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow "/file/name" destinations in aliases(5), .forward files and in :include: files, respectively.

Example:

allow_mail_to_files = alias,forward,include

Allow a sender or recipient address to have `-' as the first character. By default, this is not allowed, to avoid accidents with software that passes email addresses via the command line. Such software would not be able to distinguish a malicious address from a bona fide command-line option. Although this can be prevented by inserting a "--" option terminator into the command line, this is difficult to enforce consistently and globally.

As of Postfix version 2.5, this feature is implemented by trivial-rewrite(8). With earlier versions this feature was implemented by qmgr(8) and was limited to recipient addresses only.

Enable the rewriting of the form "user%domain" to "user@domain". This is enabled by default.

Note: as of Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

• The message is received with the Postfix sendmail(1) command,

• The message is received from a network client that matches $local_header_rewrite_clients,

• The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Example:

allow_percent_hack = no

When SRV record lookup fails or no SRV record exists, fall back to MX or IP address lookup as if SRV record lookup was not enabled.

This feature is available in Postfix 3.8 and later.

Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains.

By default, this feature is turned off. This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host which then spams it out to the world.

This parameter also controls if non-local addresses with sender-specified routing can match Postfix access tables. By default, such addresses cannot match Postfix access tables, because the address is ambiguous.

A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter.

This list must be specified in the default Postfix main.cf file, and will be used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

Specify absolute pathnames, separated by comma or space. Note: $name expansion is not supported.

Always add (Resent-) From:, To:, Date: or Message-ID: headers when not present. Postfix 2.6 and later add these headers only when clients match the local_header_rewrite_clients parameter setting. Earlier Postfix versions always add these headers; this may break DKIM signatures that cover non-existent headers. The undisclosed_recipients_header parameter setting determines whether a To: header will be added.

Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system.

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all down-stream software implements RFC 3461.

Note: with Postfix 2.2 and earlier the sender will be notified when the BCC address is undeliverable.

Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated after Postfix forwards mail internally, or after Postfix generates mail itself.

The time unit over which client connection rates and other rates are calculated.

This feature is implemented by the anvil(8) service which is available in Postfix version 2.2 and later.

The default interval is relatively short. Because of the high frequency of updates, the anvil(8) server uses volatile memory only. Thus, information is lost whenever the process terminates.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

How frequently the anvil(8) connection and rate limiting server logs peak usage information.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.2 and later.

With locally submitted mail, append the string "@$myorigin" to mail addresses without domain information. With remotely submitted mail, append the string "@$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default and must not be turned off. Postfix does not support domain-less addresses.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

• The message is received with the Postfix sendmail(1) command,

• The message is received from a network client that matches $local_header_rewrite_clients,

• The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.

Note 1: When disabled (Postfix 3.0 and later), users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

• The message is received with the Postfix sendmail(1) command,

• The message is received from a network client that matches $local_header_rewrite_clients,

• The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

How long the postkick(1) command waits for a request to enter the Postfix daemon process input buffer before giving up.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

List of users who are authorized to flush the queue.

By default, all users are allowed to flush the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to view the queue.

By default, all users are allowed to view the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

By default, all users are allowed to submit mail. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Example:

authorized_submit_users = !www, static:all

This feature is available in Postfix 2.2 and later.
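
The matching rules shared by the three preceding descriptions (users authorized to flush the queue, to view the queue, and to submit mail), as an added example that is not Postfix code: a constructed password file, pattern file and lookup table stand in for the real ones, and authorized() applies the left-to-right, first-match, "!pattern" and "unknown" rules, with the super-user/$mail_owner exception that the flush and mailq descriptions state but the submit description does not. Note that with the page's own "!www, static:all" example a process whose UID is not in the password file is allowed, because "unknown" matches static:all.

```python
import re

# Constructed stand-ins for the system password file, for "/file/name" pattern files and
# for "type:table" lookup tables, so the example runs without touching the host system.
PASSWD = {0: "root", 89: "postfix", 33: "www", 1000: "alice", 1001: "bob", 1002: "carol"}
FILES = {"/etc/postfix/queue_admins": "# constructed file\nalice bob\n"}
TABLES = {"hash:/etc/postfix/helpdesk": {"carol"}}
MAIL_OWNER = "postfix"            # the $mail_owner user


def split_list(value):
    """Split a parameter value on commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value.strip()) if item]


def login_name(uid):
    """Map a real UID to its login name; "unknown" when it is not in the password file."""
    return PASSWD.get(uid, "unknown")


def flatten(patterns, negate=False):
    """Replace "/file/name" patterns by their contents; a "!" in front of a file applies to
    every name read from it. Returns [(negated, pattern)] in left-to-right order."""
    items = []
    for pattern in patterns:
        negated = negate
        if pattern.startswith("!"):
            negated, pattern = not negated, pattern[1:]
        if pattern.startswith("/"):
            lines = [ln for ln in FILES[pattern].splitlines()
                     if ln.strip() and not ln.lstrip().startswith("#")]
            items += flatten(split_list(" ".join(lines)), negated)
        else:
            items.append((negated, pattern))
    return items


def pattern_matches(name, pattern):
    """A "type:table" pattern matches when the name is a lookup key (the result is ignored);
    anything else is a literal user name. static:* tables match every key."""
    if ":" in pattern:
        table_type = pattern.partition(":")[0]
        return True if table_type == "static" else name in TABLES[pattern]
    return name == pattern


def name_on_list(name, list_value):
    """Left-to-right match; the first matching pattern decides, "!" patterns exclude."""
    for negated, pattern in flatten(split_list(list_value)):
        if pattern_matches(name, pattern):
            return not negated
    return False                  # an empty list, or no match at all, means no access


def authorized(uid, list_value, privileged_always=True):
    """privileged_always=True gives the flush/mailq semantics (super-user and $mail_owner
    always pass); the submit parameter's description has no such exception."""
    name = login_name(uid)
    if privileged_always and (uid == 0 or name == MAIL_OWNER):
        return True
    return name_on_list(name, list_value)
```

Reordering the page's example to "static:all, !www" lets www through, because static:all matches first and the search stops there.
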
661
663 What remote SMTP clients are allowed to specify the XVERP command.
664 This command requests that mail be delivered one recipient at a time
665 with a per recipient return address.
666
667 By default, only trusted clients are allowed to specify XVERP.
668
669 This parameter was introduced with Postfix version 1.1. Postfix ver‐
670 sion 2.1 renamed this parameter to smtpd_authorized_verp_clients and
671 changed the default to none.
672
673 Specify a list of network/netmask patterns, separated by commas and/or
674 whitespace. The mask specifies the number of bits in the network part
675 of a host address. You can also specify hostnames or .domain names (the
676 initial dot causes the domain to match any name below it),
677 "/file/name" or "type:table" patterns. A "/file/name" pattern is re‐
678 placed by its contents; a "type:table" lookup table is matched when a
679 table entry matches a lookup string (the lookup result is ignored).
680 Continue long lines by starting the next line with whitespace. Specify
681 "!pattern" to exclude an address or network block from the list. The
682 form "!/file/name" is supported only in Postfix version 2.4 and later.
683
684 Note: IP version 6 address information must be specified inside [] in
685 the authorized_verp_clients value, and in files specified with
686 "/file/name". IP version 6 addresses contain the ":" character, and
687 would otherwise be confused with a "type:table" pattern.
688
690 Produce additional bounce(8) logfile records that can be read by Post‐
691 fix versions before 2.0. The current and more extensible "name = value"
692 format is needed in order to implement more sophisticated functional‐
693 ity.
694
695 This feature is available in Postfix 2.1 and later.
696
698 The per-table I/O buffer size for programs that create Berkeley DB hash
699 or btree tables. Specify a byte count.
700
701 This feature is available in Postfix 2.0 and later.
702
704 The per-table I/O buffer size for programs that read Berkeley DB hash
705 or btree tables. Specify a byte count.
706
707 This feature is available in Postfix 2.0 and later.
708
710 Where the Postfix SMTP client should deliver mail when it detects a
711 "mail loops back to myself" error condition. This happens when the lo‐
712 cal MTA is the best SMTP mail exchanger for a destination not listed in
713 $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_do‐
714 mains, or $virtual_mailbox_domains. By default, the Postfix SMTP
715 client returns such mail as undeliverable.
716
717 Specify, for example, "best_mx_transport = local" to pass the mail from
718 the Postfix SMTP client to the local(8) delivery agent. You can specify
719 any message delivery "transport" or "transport:nexthop" that is defined
720 in the master.cf file. See the transport(5) manual page for the syntax
721 and meaning of "transport" or "transport:nexthop".
722
723 However, this feature is expensive because it ties up a Postfix SMTP
724 client process while the local(8) delivery agent is doing its work. It
725 is more efficient (for Postfix) to list all hosted domains in a table
726 or database.
727
729 Whether or not to use the local biff service. This service sends "new
730 mail" notifications to users who have requested new mail notification
731 with the UNIX command "biff y".
732
733 For compatibility reasons this feature is on by default. On systems
734 with lots of interactive users, the biff service can be a performance
735 drain. Specify "biff = no" in main.cf to disable.
736
738 Optional lookup tables for content inspection as specified in the
739 body_checks(5) manual page.
740
741 Note: with Postfix versions before 2.0, these rules inspect all content
742 after the primary message headers.
743
745 How much text in a message body segment (or attachment, if you prefer
746 to use that term) is subjected to body_checks inspection. The amount
747 of text is limited to avoid scanning huge attachments.
748
749 This feature is available in Postfix 2.0 and later.
750
752 The recipient of postmaster notifications with the message headers of
753 mail that Postfix did not deliver and of SMTP conversation transcripts
754 of mail that Postfix did not receive. This feature is enabled with the
755 notify_classes parameter.
756
758 Consider a bounce message as undeliverable, when delivery fails with a
759 temporary error, and the time in the queue has reached the
760 bounce_queue_lifetime limit. By default, this limit is the same as for
761 regular mail.
762
763 Specify a non-negative time value (an integral value plus an optional
764 one-letter suffix that specifies the time unit). Time units: s (sec‐
765 onds), m (minutes), h (hours), d (days), w (weeks). The default time
766 unit is d (days).
767
768 Specify 0 when mail delivery should be tried only once.
769
770 This feature is available in Postfix 2.1 and later.
771
773 The name of the bounce(8) service. This service maintains a record of
774 failed delivery attempts and generates non-delivery notifications.
775
776 This feature is available in Postfix 2.0 and later.
777
779 The maximal amount of original message text that is sent in a non-de‐
780 livery notification. Specify a byte count. A message is returned as
781 either message/rfc822 (the complete original) or as text/rfc822-headers
782 (the headers only). With Postfix version 2.4 and earlier, a message is
783 always returned as message/rfc822 and is truncated when it exceeds the
784 size limit.
785
786 Notes:
787
788 • If you increase this limit, then you should increase the
789 mime_nesting_limit value proportionally.
790
791 • Be careful when making changes. Excessively large values will
792 result in the loss of non-delivery notifications, when a bounce
793 message size exceeds a local or remote MTA's message size limit.
794
796 Pathname of a configuration file with bounce message templates. These
797 override the built-in templates of delivery status notification (DSN)
798 messages for undeliverable mail, delayed mail, successful delivery, or
799 delivery verification. The bounce(5) manual page describes how to edit
800 and test template files.
801
802 Template message body text may contain $name references to Postfix con‐
803 figuration parameters. The result of $name expansion can be previewed
804 with "postconf -b file_name" before the file is placed into the Postfix
805 configuration directory.
806
807 This feature is available in Postfix 2.3 and later.
808
810 Enable interoperability with remote SMTP clients that implement an ob‐
811 solete version of the AUTH command (RFC 4954). Examples of such clients
812 are Microsoft Outlook Express version 4 and Microsoft Exchange version
813 5.0.
814
815 Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
816 support in a non-standard way.
817
819 canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)
820 What addresses are subject to canonical_maps address mapping. By de‐
821 fault, canonical_maps address mapping is applied to envelope sender and
822 recipient addresses, and to header sender and header recipient ad‐
823 dresses.
824
825 Specify one or more of: envelope_sender, envelope_recipient,
826 header_sender, header_recipient
827
828 This feature is available in Postfix 2.2 and later.
829
831 Optional address mapping lookup tables for message headers and en‐
832 velopes. The mapping is applied to both sender and recipient addresses,
833 in both envelopes and in headers, as controlled with the canoni‐
834 cal_classes parameter. This is typically used to clean up dirty ad‐
835 dresses from legacy mail systems, or to replace login names by First‐
836 name.Lastname. The table format and lookups are documented in canoni‐
837 cal(5). For an overview of Postfix address manipulations see the AD‐
838 DRESS_REWRITING_README document.
839
840 Specify zero or more "type:name" lookup tables, separated by whitespace
841 or comma. Tables will be searched in the specified order until a match
842 is found. Note: these lookups are recursive.
843
844 If you use this feature, run "postmap /etc/postfix/canonical" to build
845 the necessary DBM or DB file after every change. The changes will be‐
846 come visible after a minute or so. Use "postfix reload" to eliminate
847 the delay.
848
849 Note: with Postfix version 2.2, message header address mapping happens
850 only when message header address rewriting is enabled:
851
852 • The message is received with the Postfix sendmail(1) command,
853
854 • The message is received from a network client that matches $lo‐
855 cal_header_rewrite_clients,
856
857 • The message is received from the network, and the re‐
858 mote_header_rewrite_domain parameter specifies a non-empty
859 value.
860
861 To get the behavior before Postfix version 2.2, specify "lo‐
862 cal_header_rewrite_clients = static:all".
863
864 Examples:
865
866 canonical_maps = dbm:/etc/postfix/canonical
867 canonical_maps = hash:/etc/postfix/canonical
868
870 The name of the cleanup(8) service. This service rewrites addresses
871 into the standard form, and performs canonical(5) address mapping and
872 virtual(5) aliasing.
873
874 This feature is available in Postfix 2.0 and later.
875
877 The location of all postfix administrative commands.
878
880 The local(8) delivery agent working directory for delivery to external
881 commands. Failure to change directory causes the delivery to be de‐
882 ferred.
883
884 The command_execution_directory value is not subject to Postfix config‐
885 uration parameter $name expansion. Instead, the following $name expan‐
886 sions are done on command_execution_directory before the directory is
887 used. Expansion happens in the context of the delivery request. The
888 result of $name expansion is filtered with the character set that is
889 specified with the execution_directory_expansion_filter parameter.
890
891 $user The recipient's username.
892
893 $shell The recipient's login shell pathname.
894
895 $home The recipient's home directory.
896
897 $recipient
898 The full recipient address.
899
900 $extension
901 The optional recipient address extension.
902
903 $domain
904 The recipient domain.
905
906 $local The entire recipient localpart.
907
908 $recipient_delimiter
909 The address extension delimiter that was found in the recipient
910 address (Postfix 2.11 and later), or the system-wide recipient
911 address extension delimiter (Postfix 2.10 and earlier).
912
913 ${name?value}
914
915 ${name?{value}} (Postfix >= 3.0)
916 Expands to value when $name is non-empty.
917
918 ${name:value}
919
920 ${name:{value}} (Postfix >= 3.0)
921 Expands to value when $name is empty.
922
923 ${name?{value1}:{value2}} (Postfix >= 3.0)
924 Expands to value1 when $name is non-empty, value2 otherwise.
925
926 Instead of $name you can also specify ${name} or $(name).
927
928 This feature is available in Postfix 2.2 and later.
929
931 Restrict the characters that the local(8) delivery agent allows in
932 $name expansions of $mailbox_command and $command_execution_directory.
933 Characters outside the allowed set are replaced by underscores.
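
The expansion and filtering rules above, worked through as an added example that is not part of the Postfix source or of this manual page: a small Python model of one-level $name expansion with the ${name?value}, ${name:value}, ${name?{value1}:{value2}} forms, followed by the character filter that the expanded command_execution_directory is subjected to. The same conditional syntax is used by the default_rbl_reply template described later on this page, so the second template in the example exercises that use too. The delivery request attributes, both templates, and the allowed character set are constructed for the example; the real execution_directory_expansion_filter default is not stated on this page and is replaced here by an assumed set.

```python
import string

# Characters Postfix accepts in a parameter name ([a-zA-Z0-9_]).
_NAME_CHARS = set(string.ascii_letters + string.digits + "_")

# ASSUMPTION: allowed set for the filter in this example only; the real
# execution_directory_expansion_filter default is not stated on this page.
ALLOWED = set(string.ascii_letters + string.digits + "-_=+:,./")


def _matching(s, start):
    """Index of the '}' or ')' that closes the opener at s[start]."""
    opener = s[start]
    closer = "}" if opener == "{" else ")"
    depth = 0
    for i in range(start, len(s)):
        if s[i] == opener:
            depth += 1
        elif s[i] == closer:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %r in %r" % (opener, s))


def _branch(rest):
    """One conditional value: '{v}' (braced) or bare text; returns (value, remainder)."""
    if rest.startswith("{"):
        end = _matching(rest, 0)
        return rest[1:end], rest[end + 1:]
    return rest, ""


def _braced(inner, attrs):
    """Expand the inside of ${...} or $(...): a plain name or a ?/: conditional."""
    k = 0
    while k < len(inner) and inner[k] in _NAME_CHARS:
        k += 1
    name, rest = inner[:k], inner[k:]
    value = attrs.get(name, "")          # undefined attribute -> empty value
    if rest == "":
        return value
    op, rest = rest[0], rest[1:]
    if op not in "?:":
        raise ValueError("bad expression ${%s}" % inner)
    first, rest = _branch(rest)          # ${name?value} / ${name?{value}}
    second = ""
    if rest.startswith(":"):             # ${name?{value1}:{value2}}
        second, _ = _branch(rest[1:])
    want_nonempty = (op == "?")
    chosen = first if (value != "") == want_nonempty else second
    return expand(chosen, attrs)         # a branch may itself contain $name


def expand(tmpl, attrs):
    """One level of $name, ${name}, $(name) and conditional expansion.
    Attribute values are inserted literally: a '$' inside a value is not
    expanded again, which is what keeps recipient-controlled text inert."""
    out, i = [], 0
    while i < len(tmpl):
        if tmpl[i] != "$":
            out.append(tmpl[i])
            i += 1
            continue
        i += 1
        if i < len(tmpl) and tmpl[i] in "{(":
            end = _matching(tmpl, i)
            out.append(_braced(tmpl[i + 1:end], attrs))
            i = end + 1
        else:
            j = i
            while j < len(tmpl) and tmpl[j] in _NAME_CHARS:
                j += 1
            out.append(attrs.get(tmpl[i:j], ""))
            i = j
    return "".join(out)


def execution_directory(tmpl, attrs, allowed=ALLOWED):
    """Expand, then replace every character outside the allowed set with '_',
    as execution_directory_expansion_filter does for the expanded directory."""
    return "".join(ch if ch in allowed else "_" for ch in expand(tmpl, attrs))


if __name__ == "__main__":
    # Constructed delivery request: the address extension is sender-chosen.
    req = {"user": "alice", "home": "/home/alice", "extension": "x;rm -rf $home"}
    print(execution_directory("$home/jobs${extension?{/$extension}}", req))
    # Constructed RBL reply template in the style of default_rbl_reply.
    rbl = {"rbl_code": "554", "rbl_class": "Client host", "rbl_what": "192.0.2.1",
           "rbl_domain": "bl.example.com", "rbl_reason": ""}
    print(expand("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                 "blocked using $rbl_domain${rbl_reason?; $rbl_reason}", rbl))
```

Two points the run makes visible: the shell metacharacters and the embedded "$home" in the extension survive expansion only as literal text and are then turned into underscores by the filter, while characters that the assumed allowed set does accept (here "." and "/") pass through unchanged. The filter is a character filter, not a path canonicalizer, so which characters are in execution_directory_expansion_filter decides what a recipient can steer into the directory name.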
934
936 Time limit for delivery to external commands. This limit is used by the
937 local(8) delivery agent, and is the default time limit for delivery by
938 the pipe(8) delivery agent.
939
940 Note: if you set this time limit to a large value you must update the
941 global ipc_timeout parameter as well.
942
944 A safety net that causes Postfix to run with backwards-compatible de‐
945 fault settings after an upgrade to a newer Postfix version.
946
947 With backwards compatibility turned on (the main.cf compatibility_level
948 value is less than the Postfix built-in value), Postfix looks for set‐
949 tings that are left at their implicit default value, and logs a message
950 when a backwards-compatible default setting is required.
951
952 using backwards-compatible default setting name=value
953 to [accept a specific client request]
954
955 using backwards-compatible default setting name=value
956 to [enable specific Postfix behavior]
957
958 See COMPATIBILITY_README for specific message details. If such a mes‐
959 sage is logged in the context of a legitimate request, the system ad‐
960 ministrator should make the backwards-compatible setting permanent in
961 main.cf or master.cf, for example:
962
963 # postconf name=value
964 # postfix reload
965
966 When no more backwards-compatible settings need to be made permanent,
967 the administrator should turn off backwards compatibility by updating
968 the compatibility_level setting in main.cf:
969
970 # postconf compatibility_level=N
971 # postfix reload
972
973 For N specify the number that is logged in your postfix(1) warning mes‐
974 sage:
975
976 warning: To disable backwards compatibility use "postconf
977 compatibility_level=N" and "postfix reload"
978
979 Starting with Postfix version 3.6, the compatibility level in the above
980 warning message is the Postfix version that introduced the last incom‐
981 patible change. The level is formatted as major.minor.patch, where
982 patch is usually omitted and defaults to zero. Earlier compatibility
983 levels are 0, 1 and 2.
984
985 NOTE: this also introduces support for the "<level", "<=level", and
986 other operators to compare compatibility levels. With the standard op‐
987 erators "<", "<=", etc., compatibility level "3.10" would be smaller
988 than "3.9" which is undesirable.
989
990 This feature is available in Postfix 3.0 and later.
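
The ordering problem in the note above, as an added example that is not Postfix code: compatibility levels are compared as (major, minor, patch) tuples, with the legacy levels 0, 1 and 2 parsing as a bare major number and a missing patch defaulting to zero, so that "3.10" sorts after "3.9". The built-in level used in the usage section is a hypothetical value for illustration, not a claim about any Postfix release.

```python
import re

# major[.minor[.patch]]; the legacy levels 0, 1 and 2 parse as major only.
_LEVEL = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_level(text):
    """Turn a compatibility_level string into a (major, minor, patch) tuple.
    A missing minor or patch defaults to 0, as the page says patch does."""
    m = _LEVEL.match(text.strip())
    if m is None:
        raise ValueError("not a compatibility level: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def level_lt(a, b):
    """'<' on compatibility levels: 3.9 < 3.10, unlike string or float order."""
    return parse_level(a) < parse_level(b)


def level_le(a, b):
    """'<=' on compatibility levels."""
    return parse_level(a) <= parse_level(b)


def compat_defaults_active(main_cf_level, builtin_level):
    """True when Postfix would log 'using backwards-compatible default
    setting' messages: the main.cf level is below the built-in level."""
    return level_lt(main_cf_level, builtin_level)


if __name__ == "__main__":
    builtin = "3.10"   # ASSUMPTION: hypothetical built-in level for illustration
    for configured in ("2", "3.6", "3.9", "3.10"):
        print(configured, "-> compat defaults active:",
              compat_defaults_active(configured, builtin))
    print('"3.10" < "3.9" as strings:', "3.10" < "3.9")          # True: the trap
    print("3.10 < 3.9 as floats:", float("3.10") < float("3.9"))  # True: also wrong
    print("level_lt('3.10', '3.9'):", level_lt("3.10", "3.9"))    # False: correct
```

The practical use is in configuration management: a check that compares the level in main.cf against the one named in the postfix(1) warning must use this kind of comparison, because a plain string or numeric comparison will misjudge any minor version of 10 or above.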
991
993 The default location of the Postfix main.cf and master.cf configuration
994 files. This can be overruled via the following mechanisms:
995
996 • The MAIL_CONFIG environment variable (daemon processes and com‐
997 mands).
998
999 • The "-c" command-line option (commands only).
1000
1001 With Postfix commands that run with set-gid privileges, a config_direc‐
1002 tory override either requires root privileges, or it requires that the
1003 directory is listed with the alternate_config_directories parameter in
1004 the default main.cf file.
1005
1007 After sending a "your message is delayed" notification, inform the
1008 sender when the delay clears up. This can result in a sudden burst of
1009 notifications at the end of a prolonged network outage, and is there‐
1010 fore disabled by default.
1011
1012 See also: delay_warning_time.
1013
1014 This feature is available in Postfix 3.0 and later.
1015
1017 Time limit for connection cache connect, send or receive operations.
1018 The time limit is enforced in the client.
1019
1020 This feature is available in Postfix 2.3 and later.
1021
1023 The name of the scache(8) connection cache service. This service main‐
1024 tains a limited pool of cached sessions.
1025
1026 This feature is available in Postfix 2.2 and later.
1027
1029 How frequently the scache(8) server logs usage statistics with connec‐
1030 tion cache hit and miss rates for logical destinations and for physical
1031 endpoints.
1032
1034 The maximal time-to-live value that the scache(8) connection cache
1035 server allows. Requests that specify a larger TTL will be stored with
1036 the maximum allowed TTL. The purpose of this additional control is to
1037 protect the infrastructure against careless people. The cache TTL is
1038 already bounded by $max_idle.
1039
1041 After the message is queued, send the entire message to the specified
1042 transport:destination. The transport name specifies the first field of
1043 a mail delivery agent definition in master.cf; the syntax of the
1044 next-hop destination is described in the manual page of the correspond‐
1045 ing delivery agent. More information about external content filters is
1046 in the Postfix FILTER_README file.
1047
1048 Notes:
1049
1050 • This setting has lower precedence than a FILTER action that is
1051 specified in an access(5), header_checks(5) or body_checks(5)
1052 table.
1053
1054 • The meaning of an empty next-hop filter destination is version
1055 dependent. Postfix 2.7 and later will use the recipient domain;
1056 earlier versions will use $myhostname. Specify "default_fil‐
1057 ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1058 earlier, or specify a content_filter value with an explicit
1059 next-hop destination.
1060
1062 Search path for Cyrus SASL application configuration files, currently
1063 used only to locate the $smtpd_sasl_path.conf file. Specify zero or
1064 more directories separated by a colon character, or an empty value to
1065 use Cyrus SASL's built-in search path.
1066
1067 This feature is available in Postfix 2.5 and later when compiled with
1068 Cyrus SASL 2.1.22 or later.
1069
1071 The directory with Postfix support programs and daemon programs. These
1072 should not be invoked directly by humans. The directory must be owned
1073 by root.
1074
1076 How a Postfix daemon process handles errors while opening lookup ta‐
1077 bles: gradual degradation or immediate termination.
1078
1079 no (default)
1080 Gradual degradation: a daemon process logs a message of type
1081 "error" and continues execution with reduced functionality. Fea‐
1082 tures that do not depend on the unavailable table will work nor‐
1083 mally, while features that depend on the table will result in a
1084 type "warning" message.
1085 When the notify_classes parameter value contains the "data"
1086 class, the Postfix SMTP server and client will report tran‐
1087 scripts of sessions with an error because a table is unavail‐
1088 able.
1089
1090 yes (historical behavior)
1091 Immediate termination: a daemon process logs a type "fatal" mes‐
1092 sage and terminates immediately. This option reduces the number
1093 of possible code paths through Postfix, and may therefore be
1094 slightly more secure than the default.
1095
1096 For the sake of sanity, the number of type "error" messages is limited
1097 to 13 over the lifetime of a daemon process.
1098
1099 This feature is available in Postfix 2.9 and later.
1100
1102 How much time a Postfix daemon process may take to handle a request be‐
1103 fore it is terminated by a built-in watchdog timer.
1104
1105 Specify a non-zero time value (an integral value plus an optional
1106 one-letter suffix that specifies the time unit). Time units: s (sec‐
1107 onds), m (minutes), h (hours), d (days), w (weeks). The default time
1108 unit is s (seconds).
1109
1111 The directory with Postfix-writable data files (for example: caches,
1112 pseudo-random numbers). This directory must be owned by the mail_owner
1113 account, and must not be shared with non-Postfix software.
1114
1115 This feature is available in Postfix 2.5 and later.
1116
1118 The increment in verbose logging level when a nexthop destination, re‐
1119 mote client or server name or network address matches a pattern given
1120 with the debug_peer_list parameter.
1121
1122 Per-nexthop debug logging is available in Postfix 3.6 and later.
1123
1125 Optional list of nexthop destination, remote client or server name or
1126 network address patterns that, if matched, cause the verbose logging
1127 level to increase by the amount specified in $debug_peer_level.
1128
1129 Per-nexthop debug logging is available in Postfix 3.6 and later.
1130
1131 Specify domain names, network/netmask patterns, "/file/name" patterns
1132 or "type:table" lookup tables. The right-hand side result from
1133 "type:table" lookups is ignored.
1134
1135 Pattern matching of domain names is controlled by the presence or ab‐
1136 sence of "debug_peer_list" in the parent_domain_matches_subdomains pa‐
1137 rameter value.
1138
1139 Examples:
1140
1141 debug_peer_list = 127.0.0.1
1142 debug_peer_list = example.com
1143
1145 The external command to execute when a Postfix daemon program is in‐
1146 voked with the -D option.
1147
1148 Use "command .. & sleep 5" so that the debugger can attach before the
1149 process marches on. If you use an X-based debugger, be sure to set up
1150 your XAUTHORITY environment variable before starting Postfix.
1151
1152 Note: the command is subject to $name expansion, before it is passed to
1153 the default command interpreter. Specify "$$" to produce a single "$"
1154 character.
1155
1156 Example:
1157
1158 debugger_command =
1159 PATH=/usr/bin:/usr/X11R6/bin
1160 ddd $daemon_directory/$process_name $process_id & sleep 5
1161
1163 The default database type for use in newaliases(1), postalias(1) and
1164 postmap(1) commands. On many UNIX systems the default type is either
1165 dbm or hash. The default setting is frozen when the Postfix system is
1166 built.
1167
1168 Examples:
1169
1170 default_database_type = hash
1171 default_database_type = dbm
1172
1174 How often the Postfix queue manager's scheduler is allowed to preempt
1175 delivery of one message with another.
1176
1177 Each transport maintains a so-called "available delivery slot counter"
1178 for each message. One message can be preempted by another one when the
1179 other message can be delivered using no more delivery slots (i.e., in‐
1180 vocations of delivery agents) than the current message counter has ac‐
1181 cumulated (or will eventually accumulate - see about slot loans below).
1182 This parameter controls how often the counter is incremented - it hap‐
1183 pens after each default_delivery_slot_cost recipients have been deliv‐
1184 ered.
1185
1186 The cost of 0 is used to disable the preempting scheduling completely.
1187 The minimum value the scheduling algorithm can use is 2 - use it if you
1188 want to maximize the message throughput rate. Although there is no max‐
1189 imum, it doesn't make much sense to use values above say 50.
1190
1191 The only reason why the value of 2 is not the default is the way this
1192 parameter affects the delivery of mailing-list mail. In the worst case,
1193 delivery can take somewhere between ((cost+1)/cost) and (cost/(cost-1))
1194 times more than if the preemptive scheduler was disabled. The default
1195 value of 5 turns out to provide reasonable message response times while
1196 making sure the mailing-list deliveries are not extended by more than
1197 20-25 percent even in the worst case.
1198
1199 Use transport_delivery_slot_cost to specify a transport-specific over‐
1200 ride, where transport is the master.cf name of the message delivery
1201 transport.
1202
1203 Examples:
1204
1205 default_delivery_slot_cost = 0
1206 default_delivery_slot_cost = 2
1207
1209 The default value for transport-specific _delivery_slot_discount set‐
1210 tings.
1211
1212 This parameter speeds up the moment when a message preemption can hap‐
1213 pen. Instead of waiting until the full amount of delivery slots re‐
1214 quired is available, the preemption can happen when transport_deliv‐
1215 ery_slot_discount percent of the required amount plus transport_deliv‐
1216 ery_slot_loan still remains to be accumulated. Note that the full
1217 amount will still have to be accumulated before another preemption can
1218 take place later.
1219
1220 Use transport_delivery_slot_discount to specify a transport-specific
1221 override, where transport is the master.cf name of the message delivery
1222 transport.
1223
1225 The default value for transport-specific _delivery_slot_loan settings.
1226
1227 This parameter speeds up the moment when a message preemption can hap‐
1228 pen. Instead of waiting until the full amount of delivery slots re‐
1229 quired is available, the preemption can happen when transport_deliv‐
1230 ery_slot_discount percent of the required amount plus transport_deliv‐
1231 ery_slot_loan still remains to be accumulated. Note that the full
1232 amount will still have to be accumulated before another preemption can
1233 take place later.
1234
1235 Use transport_delivery_slot_loan to specify a transport-specific over‐
1236 ride, where transport is the master.cf name of the message delivery
1237 transport.
1238
1240 Optional filter to replace the delivery status code or explanatory text
1241 of successful or unsuccessful deliveries. This does not allow the re‐
1242 placement of a successful status code (2.X.X) with an unsuccessful sta‐
1243 tus code (4.X.X or 5.X.X) or vice versa.
1244
1245 Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
1246 recipient: when delivery is successful, when delivery is rejected with
1247 5XX, or when there are no more alternate MX or A destinations. Use
1248 smtp_reply_filter or lmtp_reply_filter to inspect responses for all de‐
1249 livery attempts.
1250
1251 The following parameters can be used to implement a filter for specific
1252 delivery agents: lmtp_delivery_status_filter, local_delivery_sta‐
1253 tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1254 virtual_delivery_status_filter. These parameters support the same fil‐
1255 ter syntax as described here.
1256
1257 Specify zero or more "type:table" lookup table names, separated by
1258 comma or whitespace. For each successful or unsuccessful delivery to a
1259 recipient, the tables are queried in the specified order with one line
1260 of text that is structured as follows:
1261
1262 enhanced-status-code SPACE explanatory-text
1263
1264 The first table match wins. The lookup result must have the same struc‐
1265 ture as the query, a successful status code (2.X.X) must be replaced
1266 with a successful status code, an unsuccessful status code (4.X.X or
1267 5.X.X) must be replaced with an unsuccessful status code, and the ex‐
1268 planatory text field must be non-empty. Other results will result in a
1269 warning.
1270
1271 Example 1: convert specific soft TLS errors into hard errors, by over‐
1272 riding the first number in the enhanced status code.
1273
1274 /etc/postfix/main.cf:
1275 smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
1276
1277 /etc/postfix/smtp_dsn_filter:
1278 /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
1279 5$1
1280 /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
1281 5$1
1282 # Do not change the following into hard bounces. They may
1283 # result from a local configuration problem.
1284 # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
1285 # 4.\d+.\d+ TLS is required, but unavailable
1286 # 4.\d+.\d+ Cannot start TLS: handshake failure
1287
1288 Example 2: censor the per-recipient delivery status text so that it
1289 does not reveal the destination command or filename when a remote
1290 sender requests confirmation of successful delivery.
1291
1292 /etc/postfix/main.cf:
1293 local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
1294
1295 /etc/postfix/local_dsn_filter:
1296 /^(2\S+ delivered to file).+/ $1
1297 /^(2\S+ delivered to command).+/ $1
1298
1299 Notes:
1300
1301 • This feature will NOT override the soft_bounce safety net.
1302
1303 • This feature will change the enhanced status code and text that
1304 is logged to the maillog file, and that is reported to the
1305 sender in delivery confirmation or non-delivery notifications.
1306
1307 This feature is available in Postfix 3.0 and later.
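
The lookup and validation rules above, worked through as an added example that is not Postfix code: the page's two pcre tables are re-expressed as Python regular expressions (with \1 in place of $1), the query is built as "code SPACE text", the first match wins, and the result is checked for the structure, the non-empty text, and the success/failure boundary that the page requires. The sample delivery statuses are constructed; what happens after the warning on an invalid result (the original status is kept here) is this example's choice, since the page promises only the warning.

```python
import re
import warnings

# "enhanced-status-code SPACE explanatory-text"; the text must be non-empty.
_RESULT = re.compile(r"^([245]\.\d+\.\d+) (.+)$")


def compile_table(rows):
    """Build a filter table from (regex, replacement) string pairs. As in a
    pcre: table, the replacement becomes the whole new 'code SPACE text'."""
    return [(re.compile(pattern), repl) for pattern, repl in rows]


# Example 1 from the page: soft "TLS required but peer refused/lacks TLS"
# errors become hard errors by rewriting the first digit.
SMTP_DSN_FILTER = compile_table([
    (r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)", r"5\1"),
    (r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)", r"5\1"),
])

# Example 2 from the page: hide the destination file or command in success DSNs.
LOCAL_DSN_FILTER = compile_table([
    (r"^(2\S+ delivered to file).+", r"\1"),
    (r"^(2\S+ delivered to command).+", r"\1"),
])


def _is_success(code):
    return code.startswith("2.")


def apply_status_filter(code, text, table):
    """Query the table with 'code SPACE text'; the first match wins. Returns the
    (code, text) pair that would be logged and reported. A result that is
    malformed, has empty text, or crosses the 2.X.X / (4|5).X.X boundary is
    refused with a warning and the original status is kept."""
    query = "%s %s" % (code, text)
    for pattern, replacement in table:
        match = pattern.search(query)
        if match is None:
            continue
        result = match.expand(replacement)
        parsed = _RESULT.match(result)
        if parsed is None or parsed.group(2).strip() == "":
            warnings.warn("filter result %r is not 'code SPACE non-empty text'" % result)
            return code, text
        new_code, new_text = parsed.groups()
        if _is_success(new_code) != _is_success(code):
            warnings.warn("filter may not turn %s into %s" % (code, new_code))
            return code, text
        return new_code, new_text
    return code, text


if __name__ == "__main__":
    # Constructed per-recipient statuses as smtp(8) and local(8) might report them.
    print(apply_status_filter(
        "4.7.4",
        "TLS is required, but host mx.example.net[192.0.2.10] refused to start TLS: "
        "454 4.7.0 TLS not available",
        SMTP_DSN_FILTER))
    print(apply_status_filter("2.0.0", "delivered to file /home/alice/Maildir/",
                              LOCAL_DSN_FILTER))
```

Note what the boundary check protects: a mistyped rule that maps a 2.X.X status to 5.X.X would otherwise turn successful deliveries into bounces in the logs and in DSNs, and a rule that leaves the text empty would strip the diagnostic that an operator needs later.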
1308
1310 How many pseudo-cohorts must suffer connection or handshake failure be‐
1311 fore a specific destination is considered unavailable (and further de‐
1312 livery is suspended). Specify zero to disable this feature. A destina‐
1313 tion's pseudo-cohort failure count is reset each time a delivery com‐
1314 pletes without connection or handshake failure for that specific desti‐
1315 nation.
1316
1317 A pseudo-cohort is the number of deliveries equal to a destination's
1318 delivery concurrency.
1319
1320 Use transport_destination_concurrency_failed_cohort_limit to specify a
1321 transport-specific override, where transport is the master.cf name of
1322 the message delivery transport.
1323
1324 This feature is available in Postfix 2.5. The default setting is com‐
1325 patible with earlier Postfix versions.
1326
1328 The default maximal number of parallel deliveries to the same destina‐
1329 tion. This is the default limit for delivery via the lmtp(8), pipe(8),
1330 smtp(8) and virtual(8) delivery agents. With a per-destination recipi‐
1331 ent limit > 1, a destination is a domain, otherwise it is a recipient.
1332
1333 Use transport_destination_concurrency_limit to specify a transport-spe‐
1334 cific override, where transport is the master.cf name of the message
1335 delivery transport.
1336
1338 The per-destination amount of delivery concurrency negative feedback,
1339 after a delivery completes with a connection or handshake failure.
1340 Feedback values are in the range 0..1 inclusive. With negative feed‐
1341 back, concurrency is decremented at the beginning of a sequence of
1342 length 1/feedback. This is unlike positive feedback, where concurrency
1343 is incremented at the end of a sequence of length 1/feedback.
1344
1345 As of Postfix version 2.5, negative feedback cannot reduce delivery
1346 concurrency to zero. Instead, a destination is marked dead (further
1347 delivery suspended) after the failed pseudo-cohort count reaches $de‐
1348 fault_destination_concurrency_failed_cohort_limit (or $transport_desti‐
1349 nation_concurrency_failed_cohort_limit). To make the scheduler com‐
1350 pletely immune to connection or handshake failures, specify a zero
1351 feedback value and a zero failed pseudo-cohort limit.
1352
1353 Specify one of the following forms:
1354
1355 number
1356
1357 number / number
1358 Constant feedback. The value must be in the range 0..1 inclu‐
1359 sive. The default setting of "1" is compatible with Postfix
1360 versions before 2.5, where a destination's delivery concurrency
1361 is throttled down to zero (and further delivery suspended) after
1362 a single failed pseudo-cohort.
1363
1364 number / concurrency
1365 Variable feedback of "number / (delivery concurrency)". The
1366 number must be in the range 0..1 inclusive. With number equal to
1367 "1", a destination's delivery concurrency is decremented by 1
1368 after each failed pseudo-cohort.
1369
1370 A pseudo-cohort is the number of deliveries equal to a destination's
1371 delivery concurrency.
1372
1373 Use transport_destination_concurrency_negative_feedback to specify a
1374 transport-specific override, where transport is the master.cf name of
1375 the message delivery transport.
1376
1377 This feature is available in Postfix 2.5. The default setting is com‐
1378 patible with earlier Postfix versions.
1379
1381 The per-destination amount of delivery concurrency positive feedback,
1382 after a delivery completes without connection or handshake failure.
1383 Feedback values are in the range 0..1 inclusive. The concurrency in‐
1384 creases until it reaches the per-destination maximal concurrency limit.
1385 With positive feedback, concurrency is incremented at the end of a se‐
1386 quence with length 1/feedback. This is unlike negative feedback, where
1387 concurrency is decremented at the start of a sequence of length 1/feed‐
1388 back.
1389
1390 Specify one of the following forms:
1391
1392 number
1393
1394 number / number
1395 Constant feedback. The value must be in the range 0..1 inclu‐
1396 sive. The default setting of "1" is compatible with Postfix ver‐
1397 sions before 2.5, where a destination's delivery concurrency
1398 doubles after each successful pseudo-cohort.
1399
1400 number / concurrency
1401 Variable feedback of "number / (delivery concurrency)". The
1402 number must be in the range 0..1 inclusive. With number equal to
1403 "1", a destination's delivery concurrency is incremented by 1
1404 after each successful pseudo-cohort.
1405
1406 A pseudo-cohort is the number of deliveries equal to a destination's
1407 delivery concurrency.
1408
1409 Use transport_destination_concurrency_positive_feedback to specify a
1410 transport-specific override, where transport is the master.cf name of
1411 the message delivery transport.
1412
1413 This feature is available in Postfix 2.5 and later.
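
The failed pseudo-cohort limit, the negative feedback and the positive feedback described in the three entries above, combined in one added example that is not the qmgr(8) source: a toy per-destination model in which positive feedback raises concurrency at the end of a sequence of 1/feedback successful deliveries, negative feedback lowers it at the start of a sequence of 1/feedback failed deliveries but never to zero, each failure counts as 1/concurrency of a pseudo-cohort, and the destination is marked dead once the failed-cohort count reaches the limit. The initial concurrency of 5, the limit of 20, the fractional accumulators, and the outcome sequences are this example's assumptions.

```python
def feedback(spec, concurrency):
    """Parse 'number', 'number / number' or 'number / concurrency' to a float in 0..1."""
    num, _, den = (part.strip() for part in spec.partition("/"))
    if den == "":
        value = float(num)
    elif den == "concurrency":
        value = float(num) / concurrency
    else:
        value = float(num) / float(den)
    if not 0 <= value <= 1:
        raise ValueError("feedback %r is outside 0..1" % spec)
    return value


class Destination:
    """Concurrency state for one destination (a domain, or a recipient when the
    per-destination recipient limit is 1). ASSUMPTIONS: initial=5 and limit=20
    are illustrative; the accumulators are this model's reading of 'a sequence
    of length 1/feedback'."""

    def __init__(self, limit=20, initial=5, positive="1", negative="1", cohort_limit=1):
        self.limit = limit
        self.concurrency = initial
        self.positive = positive          # *_destination_concurrency_positive_feedback
        self.negative = negative          # *_destination_concurrency_negative_feedback
        self.cohort_limit = cohort_limit  # *_destination_concurrency_failed_cohort_limit
        self.pos_acc = 0.0
        self.neg_acc = 0.0
        self.failed_cohorts = 0.0
        self.dead = False

    def deliver(self, ok):
        """Record one completed delivery; returns the new concurrency."""
        if self.dead:
            raise RuntimeError("destination marked dead: delivery suspended")
        if ok:
            self.failed_cohorts = 0.0     # reset by a delivery without connection/handshake failure
            f = feedback(self.positive, self.concurrency)
            if f > 0:
                self.pos_acc += f
                if self.pos_acc >= 1 - 1e-9:      # end of a sequence of length 1/f
                    self.concurrency = min(self.limit, self.concurrency + 1)
                    self.pos_acc -= 1
        else:
            # A pseudo-cohort is `concurrency` deliveries, so one failure is 1/concurrency of it.
            self.failed_cohorts += 1.0 / self.concurrency
            f = feedback(self.negative, self.concurrency)
            if f > 0:
                if self.neg_acc <= 1e-9:          # start of a sequence of length 1/f
                    self.concurrency = max(1, self.concurrency - 1)   # never down to zero
                    self.neg_acc += 1
                self.neg_acc -= f
            if self.cohort_limit > 0 and self.failed_cohorts >= self.cohort_limit - 1e-9:
                self.dead = True
        return self.concurrency


def simulate(dest, outcomes):
    """Feed a sequence of True (success) / False (failure) results; stop when dead."""
    for ok in outcomes:
        if dest.dead:
            break
        dest.deliver(ok)
    return dest.concurrency, dest.dead


def failures_until_dead(dest, max_tries=100):
    """How many consecutive failures it takes before delivery is suspended."""
    for n in range(1, max_tries + 1):
        dest.deliver(False)
        if dest.dead:
            return n
    return None


if __name__ == "__main__":
    # Constructed outcome sequences.
    print(simulate(Destination(), [True] * 5))                             # (10, False): doubles after one cohort
    print(simulate(Destination(positive="1/concurrency"), [True] * 5))     # (6, False): +1 per cohort
    print(failures_until_dead(Destination()))                              # 4
    print(simulate(Destination(negative="0", cohort_limit=0), [False] * 10))  # (5, False): immune
```

The last run is the "completely immune" configuration from the negative feedback entry (zero feedback and a zero failed pseudo-cohort limit); the third shows why the rate-delay entry below asks for a cohort limit of 10 or more when deliveries are already spaced out, since with the default limit a handful of connection failures is enough to suspend the destination.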
1414
1416 The default amount of delay that is inserted between individual message
1417 deliveries to the same destination and over the same message delivery
1418 transport. Specify a non-zero value to rate-limit those message deliv‐
1419 eries to at most one per $default_destination_rate_delay.
1420
1421 The resulting behavior depends on the value of the corresponding
1422 per-destination recipient limit.
1423
1424 • With a corresponding per-destination recipient limit > 1, the
1425 rate delay specifies the time between deliveries to the same do‐
1426 main. Different domains are delivered in parallel, subject to
1427 the process limits specified in master.cf.
1428
1429 • With a corresponding per-destination recipient limit equal to 1,
1430 the rate delay specifies the time between deliveries to the same
1431 recipient. Different recipients are delivered in parallel, sub‐
1432 ject to the process limits specified in master.cf.
1433
1434 To enable the delay, specify a non-zero time value (an integral value
1435 plus an optional one-letter suffix that specifies the time unit).
1436
1437 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1438 The default time unit is s (seconds).
1439
1440 NOTE: the delay is enforced by the queue manager. The delay timer state
1441 does not survive "postfix reload" or "postfix stop".
1442
1443 Use transport_destination_rate_delay to specify a transport-specific
1444 override, where transport is the master.cf name of the message delivery
1445 transport.
1446
1447 NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1448 tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1449 fix from deferring all mail for the same destination after only one
1450 connection or handshake error.
1451
1452 This feature is available in Postfix 2.5 and later.
1453
1455 The default maximal number of recipients per message delivery. This is
1456 the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
1457 virtual(8) delivery agents.
1458
1459 Setting this parameter to a value of 1 affects email deliveries as fol‐
1460 lows:
1461
1462 • It changes the meaning of the corresponding per-destination con‐
1463 currency limit, from concurrency of deliveries to the same do‐
1464 main into concurrency of deliveries to the same recipient. Dif‐
1465 ferent recipients are delivered in parallel, subject to the
1466 process limits specified in master.cf.
1467
1468 • It changes the meaning of the corresponding per-destination rate
1469 delay, from the delay between deliveries to the same domain into
1470 the delay between deliveries to the same recipient. Again, dif‐
1471 ferent recipients are delivered in parallel, subject to the
1472 process limits specified in master.cf.
1473
1474 • It changes the meaning of other corresponding per-destination
1475 settings in a similar manner, from settings for delivery to the
1476 same domain into settings for delivery to the same recipient.
1477
1478 Use transport_destination_recipient_limit to specify a transport-spe‐
1479 cific override, where transport is the master.cf name of the message
1480 delivery transport.
1481
1483 The default value for the extra per-transport limit imposed on the num‐
1484 ber of in-memory recipients. This extra recipient space is reserved
1485 for the cases when the Postfix queue manager's scheduler preempts one
1486 message with another and suddenly needs some extra recipient slots for
1487 the chosen message in order to avoid performance degradation.
1488
1489 Use transport_extra_recipient_limit to specify a transport-specific
1490 override, where transport is the master.cf name of the message delivery
1491 transport.
1492
1494 When a content_filter or FILTER request specifies no explicit next-hop
1495 destination, use $default_filter_nexthop instead; when that value is
1496 empty, use the domain in the recipient address. Specify "default_fil‐
1497 ter_nexthop = $myhostname" for compatibility with Postfix version 2.6
1498 and earlier, or specify an explicit next-hop destination with each con‐
1499 tent_filter value or FILTER action.
1500
1501 This feature is available in Postfix 2.7 and later.
1502
1504 How many recipients a message must have in order to invoke the Postfix
1505 queue manager's scheduling algorithm at all. Messages which would
1506 never accumulate at least this many delivery slots (subject to slot
1507 cost parameter as well) are never preempted.
1508
1509 Use transport_minimum_delivery_slots to specify a transport-specific
1510 override, where transport is the master.cf name of the message delivery
1511 transport.
1512
1514 The default rights used by the local(8) delivery agent for delivery to
1515 an external file or command. These rights are used when delivery is
1516 requested from an aliases(5) file that is owned by root, or when deliv‐
1517 ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE
1518 POSTFIX OWNER.
1519
1521 The default maximal number of Postfix child processes that provide a
1522 given service. This limit can be overruled for specific services in the
1523 master.cf file.
1524
1526 The default Postfix SMTP server response template for a request that is
1527 rejected by an RBL-based restriction. This template can be overruled by
1528 specific entries in the optional rbl_reply_maps lookup table.
1529
1530 This feature is available in Postfix 2.0 and later.
1531
1532 The template does not support Postfix configuration parameter $name
1533 substitution. Instead, it supports exactly one level of $name substitu‐
1534 tion for the following attributes:
1535
1536 $client
1537 The client hostname and IP address, formatted as name[address].
1538
1539 $client_address
1540 The client IP address.
1541
1542 $client_name
1543 The client hostname or "unknown". See reject_un‐
1544 known_client_hostname for more details.
1545
1546 $reverse_client_name
1547 The client hostname from address->name lookup, or "unknown".
1548 See reject_unknown_reverse_client_hostname for more details.
1549
1550 $helo_name
1551 The hostname given in the HELO or EHLO command, or the empty string.
1552
1553 $rbl_class
1554 The denylisted entity type: Client host, Helo command, Sender
1555 address, or Recipient address.
1556
1557 $rbl_code
1558 The numerical SMTP response code, as specified with the
1559 maps_rbl_reject_code configuration parameter. Note: The numeri‐
1560 cal SMTP response code is required, and must appear at the start
1561 of the reply. With Postfix version 2.3 and later this informa‐
1562 tion may be followed by an RFC 3463 enhanced status code.
1563
1564 $rbl_domain
1565 The RBL domain where $rbl_what is denylisted.
1566
1567 $rbl_reason
1568 The reason why $rbl_what is denylisted, or an empty string.
1569
1570 $rbl_what
1571 The entity that is denylisted (an IP address, a hostname, a do‐
1572 main name, or an email address whose domain was denylisted).
1573
1574 $recipient
1575 The recipient address or <> in case of the null address.
1576
1577 $recipient_domain
1578 The recipient domain or empty string.
1579
1580 $recipient_name
1581 The recipient address localpart or <> in case of the null address.
1582
1583 $sender
1584 The sender address or <> in case of the null address.
1585
1586 $sender_domain
1587 The sender domain or empty string.
1588
1589 $sender_name
1590 The sender address localpart or <> in case of the null address.
1591
1592 ${name?value}
1593
1594 ${name?{value}} (Postfix >= 3.0)
1595 Expands to value when $name is non-empty.
1596
1597 ${name:value}
1598
1599 ${name:{value}} (Postfix >= 3.0)
1600 Expands to value when $name is empty.
1601
1602 ${name?{value1}:{value2}} (Postfix >= 3.0)
1603 Expands to value1 when $name is non-empty, value2 otherwise.
1604
1605 Instead of $name you can also specify ${name} or $(name).
1606
1607 Note: when an enhanced status code is specified in an RBL reply tem‐
1608 plate, it is subject to modification. The following transformations
1609 are needed when the same RBL reply template is used for client, helo,
1610 sender, or recipient access restrictions.
1611
1612 • When rejecting a sender address, the Postfix SMTP server will
1613 transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
1614 corresponding sender DSN status, and vice versa.
1615
1616 • When rejecting non-address information (such as the HELO command
1617 argument or the client hostname/address), the Postfix SMTP
1618 server will transform a sender or recipient DSN status into a
1619 generic non-address DSN status (e.g., 4.0.0).
1620
1622 The default per-transport upper limit on the number of in-memory recip‐
1623 ients. These limits take priority over the global qmgr_message_recipi‐
1624 ent_limit after the message has been assigned to the respective trans‐
1625 ports. See also default_extra_recipient_limit and qmgr_message_recipi‐
1626 ent_minimum.
1627
1628 Use transport_recipient_limit to specify a transport-specific override,
1629 where transport is the master.cf name of the message delivery trans‐
1630 port.
1631
1633 The default per-transport maximum delay between refilling recipients.
1634 When not all message recipients fit into memory at once, keep loading
1635 more of them at least once every this many seconds. This ensures that
1636 recipients are refilled in a timely manner even when
1637 $default_recipient_refill_limit is too high for slow deliveries.
1638
1639 Use transport_recipient_refill_delay to specify a transport-specific
1640 override, where transport is the master.cf name of the message delivery
1641 transport.
1642
1643 This feature is available in Postfix 2.4 and later.
1644
1646 The default per-transport limit on the number of recipients refilled at
1647 once. When not all message recipients fit into memory at once, keep
1648 loading more of them in batches of at least this many at a time. See
1649 also $default_recipient_refill_delay, which may produce smaller
1650 batches than this limit when the limit is too high for slow
1651 deliveries.
1652
1653 Use transport_recipient_refill_limit to specify a transport-specific
1654 override, where transport is the master.cf name of the message delivery
1655 transport.
1656
1657 This feature is available in Postfix 2.4 and later.
1658
1660 The default mail delivery transport and next-hop destination for desti‐
1661 nations that do not match $mydestination, $inet_interfaces, $proxy_in‐
1662 terfaces, $virtual_alias_domains, $virtual_mailbox_domains, or $re‐
1663 lay_domains. This information can be overruled with the sender_depen‐
1664 dent_default_transport_maps parameter and with the transport(5) table.
1665
1666 In order of decreasing precedence, the nexthop destination is taken
1667 from $sender_dependent_default_transport_maps, $default_transport,
1668 $sender_dependent_relayhost_maps, $relayhost, or from the recipient do‐
1669 main.
1670
1671 Specify a string of the form transport:nexthop, where transport is the
1672 name of a mail delivery transport defined in master.cf. The :nexthop
1673 destination is optional; its syntax is documented in the manual page of
1674 the corresponding delivery agent. In the case of SMTP or LMTP, specify
1675 one or more destinations separated by comma or whitespace (with Postfix
1676 3.5 and later).
1677
1678 Example:
1679
1680 default_transport = uucp:relayhostname
1681
1683 The default amount of delay that is inserted between individual message
1684 deliveries over the same message delivery transport, regardless of des‐
1685 tination. Specify a non-zero value to rate-limit those message deliver‐
1686 ies to at most one per $default_transport_rate_delay.
1687
1688 Use transport_transport_rate_delay to specify a transport-specific
1689 override, where the initial transport is the master.cf name of the mes‐
1690 sage delivery transport.
1691
1692 Example: throttle outbound SMTP mail to at most 3 deliveries per
1693 minute.
1694
1695 /etc/postfix/main.cf:
1696 smtp_transport_rate_delay = 20s
1697
1698 To enable the delay, specify a non-zero time value (an integral value
1699 plus an optional one-letter suffix that specifies the time unit).
1700
1701 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1702 The default time unit is s (seconds).
1703
1704 NOTE: the delay is enforced by the queue manager.
1705
1706 This feature is available in Postfix 3.1 and later.
1707
1709 The two default VERP delimiter characters. These are used when no ex‐
1710 plicit delimiters are specified with the SMTP XVERP command or with the
1711 "sendmail -XV" command-line option (Postfix 2.2 and earlier: -V). Spec‐
1712 ify characters that are allowed by the verp_delimiter_filter setting.
1713
1714 This feature is available in Postfix 1.1 and later.
1715
1717 The numerical Postfix SMTP server response code when a remote SMTP
1718 client request is rejected by the "defer" restriction.
1719
1720 Do not change this unless you have a complete understanding of RFC
1721 5321.
1722
1724 The name of the defer service. This service is implemented by the
1725 bounce(8) daemon and maintains a record of failed delivery attempts and
1726 generates non-delivery notifications.
1727
1728 This feature is available in Postfix 2.0 and later.
1729
1731 The names of message delivery transports that should not deliver mail
1732 unless someone issues "sendmail -q" or equivalent. Specify zero or more
1733 mail delivery transport names that appear in the first field of mas‐
1734 ter.cf.
1735
1736 Example:
1737
1738 defer_transports = smtp
1739
1741 The maximal number of digits after the decimal point when logging
1742 sub-second delay values. Specify a number in the range 0..6.
1743
1744 Large delay values are rounded off to an integral number of seconds;
1745 delay values below the delay_logging_resolution_limit are logged as
1746 "0", and delay values under 100s are logged with at most two-digit pre‐
1747 cision.
1748
1749 The format of the "delays=a/b/c/d" logging is as follows:
1750
1751 • a = time from message arrival to last active queue entry
1752
1753 • b = time from last active queue entry to connection setup
1754
1755 • c = time in connection setup, including DNS, EHLO and STARTTLS
1756
1757 • d = time in message transmission
1758
1759 This feature is available in Postfix 2.3 and later.
1760
1762 The recipient of postmaster notifications with the message headers of
1763 mail that cannot be delivered within $delay_warning_time time units.
1764
1765 See also: delay_warning_time, notify_classes.
1766
1768 The time after which the sender receives a copy of the message headers
1769 of mail that is still queued. The confirm_delay_cleared parameter con‐
1770 trols sender notification when the delay clears up.
1771
1772 To enable this feature, specify a non-zero time value (an integral
1773 value plus an optional one-letter suffix that specifies the time unit).
1774
1775 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1776 The default time unit is h (hours).
1777
1778 See also: delay_notice_recipient, notify_classes, confirm_de‐
1779 lay_cleared.
1780
1782 The maximal number of attempts to acquire an exclusive lock on a mail‐
1783 box file or bounce(8) logfile.
1784
1786 The time between attempts to acquire an exclusive lock on a mailbox
1787 file or bounce(8) logfile.
1788
1789 Specify a non-zero time value (an integral value plus an optional
1790 one-letter suffix that specifies the time unit). Time units: s (sec‐
1791 onds), m (minutes), h (hours), d (days), w (weeks). The default time
1792 unit is s (seconds).
1793
1795 Make the queue manager's feedback algorithm verbose for performance
1796 analysis purposes.
1797
1798 This feature is available in Postfix 2.5 and later.
1799
1801 Automatically detect 8BITMIME body content by looking at Content-Trans‐
1802 fer-Encoding: message headers; historically, this behavior was
1803 hard-coded to be "always on".
1804
1805 This feature is available in Postfix 2.5 and later.
1806
1808 Disable DNS lookups in the Postfix SMTP and LMTP clients. When dis‐
1809 abled, hosts are looked up with the getaddrinfo() system library rou‐
1810 tine which normally also looks in /etc/hosts. As of Postfix 2.11, this
1811 parameter is deprecated; use smtp_dns_support_level instead.
1812
1813 DNS lookups are enabled by default.
1814
1816 Turn off MIME processing while receiving mail. This means that no spe‐
1817 cial treatment is given to Content-Type: message headers, and that all
1818 text after the initial message headers is considered to be part of the
1819 message body.
1820
1821 This feature is available in Postfix 2.0 and later.
1822
1823 MIME input processing is enabled by default, and is needed in order to
1824 recognize MIME headers in message content.
1825
1827 Disable the conversion of 8BITMIME format to 7BIT format. MIME output
1828 conversion is needed when the destination does not advertise 8BITMIME
1829 support.
1830
1831 This feature is available in Postfix 2.0 and later.
1832
1834 Disable sending one bounce report per recipient.
1835
1836 The default, one per recipient, is what ezmlm needs.
1837
1838 This feature is available in Postfix 1.1 and later.
1839
1841 Disable the SMTP VRFY command. This stops some techniques used to har‐
1842 vest email addresses.
1843
1844 Example:
1845
1846 disable_vrfy_command = no
1847
1849 Enable a workaround for future libc incompatibility. The Postfix imple‐
1850 mentation of RFC 2308 negative reply caching relies on the promise that
1851 res_query() and res_search() invoke res_send(), which returns the
1852 server response in an application buffer even if the requested record
1853 does not exist. If this promise is broken, specify "yes" to enable a
1854 workaround for DNS reputation lookups.
1855
1856 This feature is available in Postfix 3.1 and later.
1857
1859 A debugging aid to artificially delay DNS responses.
1860
1861 This feature is available in Postfix 2.8.
1862
1864 The name of the dnsblog(8) service entry in master.cf. This service
1865 performs DNS allow/denylist lookups.
1866
1867 This feature is available in Postfix 2.8 and later.
1868
1870 The DNS query type (default: "ns") and DNS query name (default: ".")
1871 that Postfix may use to determine whether DNSSEC validation is avail‐
1872 able.
1873
1874 Background: DNSSEC validation is needed for Postfix DANE support; this
1875 ensures that Postfix receives TLSA records with secure TLS server cer‐
1876 tificate info. When DNSSEC validation is unavailable, mail deliveries
1877 using opportunistic DANE will not be protected by server certificate
1878 info in TLSA records, and mail deliveries using mandatory DANE will not
1879 be made at all.
1880
1881 By default, a Postfix process will send a DNSSEC probe after 1) the
1882 process made a DNS query that requested DNSSEC validation, 2) the
1883 process did not receive a DNSSEC validated response to this query or to
1884 an earlier query, and 3) the process did not already send a DNSSEC
1885 probe.
1886
1887 When the DNSSEC probe has no response, or when the response is not
1888 DNSSEC validated, Postfix logs a warning that DNSSEC validation may be
1889 unavailable.
1890
1891 Example:
1892
1893 warning: DNSSEC validation may be unavailable
1894 warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
1895 warning: reason: dnssec_probe 'ns:.' received no response: Server failure
1896
1897 Possible reasons why DNSSEC validation may be unavailable:
1898
1899 • The local /etc/resolv.conf file specifies a DNS resolver that
1900 does not validate DNSSEC signatures (that's $queue_direc‐
1901 tory/etc/resolv.conf when a Postfix daemon runs in a chroot
1902 jail).
1903
1904 • The local system library does not pass on the "DNSSEC validated"
1905 bit to Postfix, or Postfix does not know how to ask the library
1906 to do that.
1907
1908 By default, the DNSSEC probe asks for the DNS root zone NS records, be‐
1909 cause resolvers should always have that information cached. If Postfix
1910 runs on a network where the DNS root zone is not reachable, specify a
1911 different probe, or specify an empty dnssec_probe value to disable the
1912 feature.
1913
1914 This feature is available in Postfix 3.6 and later. It was backported
1915 to Postfix versions 3.5.9, 3.4.19, 3.3.16, 3.2.21.
1916
1918 Don't remove queue files and save them to the "saved" mail queue. This
1919 is a debugging aid. To inspect the envelope information and content of
1920 a Postfix queue file, use the postcat(1) command.
1921
1923 The sender address of postmaster notifications that are generated by
1924 the mail system. All mail to this address is silently discarded, in or‐
1925 der to terminate mail bounce loops.
1926
1928 The maximal number of addresses remembered by the address duplicate
1929 filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
1930 queue displays.
1931
1933 The sender_dependent_default_transport_maps search string that will be
1934 used instead of the null sender address.
1935
1936 This feature is available in Postfix 2.7 and later.
1937
1939 The lookup key to be used in local_login_sender_maps tables, instead of
1940 the null sender address.
1941
1942 This feature is available in Postfix 3.6 and later.
1943
1945 The recipient of mail addressed to the null address. Postfix does not
1946 accept such addresses in SMTP commands, but they may still be created
1947 locally as the result of configuration or software error.
1948
1950 The sender_dependent_relayhost_maps search string that will be used in‐
1951 stead of the null sender address.
1952
1953 This feature is available in Postfix 2.5 and later. With earlier ver‐
1954 sions, sender_dependent_relayhost_maps lookups were skipped for the
1955 null sender address.
1956
1958 Report mail delivery errors to the address specified with the non-stan‐
1959 dard Errors-To: message header, instead of the envelope sender address
1960 (this feature is removed with Postfix version 2.2, is turned off by de‐
1961 fault with Postfix version 2.1, and is always turned on with older
1962 Postfix versions).
1963
1965 Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
1966 converting UTF-8 domain names to/from the ASCII form that is used for
1967 DNS lookups. Specify "yes" for compatibility with Postfix <= 3.1 (not
1968 recommended). This affects the conversion of domain names that contain
1969 for example the German sz and the Greek zeta. See
1970 http://unicode.org/cldr/utility/idna.jsp for more examples.
1971
1972 This feature is available in Postfix 3.2 and later.
1973
1975 Enable long, non-repeating, queue IDs (queue file names). The benefit
1976 of non-repeating names is simpler logfile analysis and easier queue mi‐
1977 gration (there is no need to run "postsuper" to change queue file names
1978 that don't match their message file inode number).
1979
1980 Note: see below for how to convert long queue file names to Postfix <=
1981 2.8.
1982
1983 Changing the parameter value to "yes" has the following effects:
1984
1985 • Existing queue file names are not affected.
1986
1987 • New queue files are created with names such as 3Pt2mN2VXxznjll.
1988 These are encoded in a 52-character alphabet that contains dig‐
1989 its (0-9), upper-case letters (B-Z) and lower-case letters
1990 (b-z). For safety reasons the vowels (AEIOUaeiou) are excluded
1991 from the alphabet. The name format is: 6 or more characters for
1992 the time in seconds, 4 characters for the time in microseconds,
1993 the 'z'; the remainder is the file inode number encoded in the
1994 first 51 characters of the 52-character alphabet.
1995
1996 • New messages have a Message-ID header with queueID@myhostname.
1997
1998 • The mailq (postqueue -p) output has a wider Queue ID column.
1999 The number of whitespace-separated fields is not changed.
2000
2001 • The hash_queue_depth algorithm uses the first characters of the
2002 queue file creation time in microseconds, after conversion into
2003 hexadecimal representation. This produces the same queue hashing
2004 behavior as if the queue file name was created with "en‐
2005 able_long_queue_ids = no".
2006
2007 Changing the parameter value to "no" has the following effects:
2008
2009 • Existing long queue file names are renamed to the short form
2010 (while running "postfix reload" or "postsuper").
2011
2012 • New queue files are created with names such as C3CD21F3E90 from
2013 a hexadecimal alphabet that contains digits (0-9) and upper-case
2014 letters (A-F). The name format is: 5 characters for the time in
2015 microseconds; the remainder is the file inode number.
2016
2017 • New messages have a Message-ID header with YYYYMMDDHH‐
2018 MMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the year,
2019 month, day, hour, minute and second.
2020
2021 • The mailq (postqueue -p) output has the same format as with
2022 Postfix <= 2.8.
2023
2024 • The hash_queue_depth algorithm uses the first characters of the
2025 queue file name, with the hexadecimal representation of the file
2026 creation time in microseconds.
2027
2028 Before migration to Postfix <= 2.8, the following commands are required
2029 to convert long queue file names into short names:
2030
2031 # postfix stop
2032 # postconf enable_long_queue_ids=no
2033 # postsuper
2034
2035 Repeat the postsuper command until it reports no more queue file name
2036 changes.
2037
2038 This feature is available in Postfix 2.9 and later.
2039
2041 Enable support for the original recipient address after an address is
2042 rewritten to a different address (for example with aliasing or with
2043 canonical mapping).
2044
2045 The original recipient address is used as follows:
2046
2047 Final delivery
2048 With "enable_original_recipient = yes", the original recipient
2049 address is stored in the X-Original-To message header. This
2050 header may be used to distinguish between different recipients
2051 that share the same mailbox.
2052
2053 Recipient deduplication
2054 With "enable_original_recipient = yes", the cleanup(8) daemon
2055 performs duplicate recipient elimination based on the content of
2056 (original recipient, maybe-rewritten recipient) pairs. Other‐
2057 wise, the cleanup(8) daemon performs duplicate recipient elimi‐
2058 nation based only on the maybe-rewritten recipient address.
2059
2060 Note: with Postfix <= 3.2 the setting "enable_original_recipient = no"
2061 breaks address verification for addresses that are aliased or otherwise
2062 rewritten (Postfix is unable to store the address verification result
2063 under the original probe destination address; instead, it can store the
2064 result only under the rewritten address).
2065
2066 This feature is available in Postfix 2.1 and later. Postfix version 2.0
2067 behaves as if this parameter is always set to yes. Postfix versions
2068 before 2.0 have no support for the original recipient address.
2069
2071 Enable non-delivery, success, and delay notifications that link to the
2072 original message by including a References: and In-Reply-To: header
2073 with the original Message-ID value. There are advantages and disadvan‐
2074 tages to consider.
2075
2076 advantage
2077 This allows mail readers to present a delivery status notifica‐
2078 tion in the same email thread as the original message.
2079
2080 disadvantage
2081 This makes it easy for users to mistakenly delete the whole
2082 email thread (all related messages), instead of deleting only
2083 the non-delivery notification.
2084
2085 This feature is available in Postfix 3.6 and later.
2086
2088 The recipient of postmaster notifications about mail delivery problems
2089 that are caused by policy, resource, software or protocol errors.
2090 These notifications are enabled with the notify_classes parameter.
2091
2093 The name of the error(8) pseudo delivery agent. This service always re‐
2094 turns mail as undeliverable.
2095
2096 This feature is available in Postfix 2.0 and later.
2097
2099 Restrict the characters that the local(8) delivery agent allows in
2100 $name expansions of $command_execution_directory. Characters outside
2101 the allowed set are replaced by underscores.
2102
2103 This feature is available in Postfix 2.2 and later.
2104
2106 When delivering to an alias "aliasname" that has an "owner-aliasname"
2107 companion alias, set the envelope sender address to the expansion of
2108 the "owner-aliasname" alias. Normally, Postfix sets the envelope
2109 sender address to the name of the "owner-aliasname" alias.
2110
2112 The list of environment variables that a Postfix process will export to
2113 non-Postfix processes. The TZ variable is needed for sane time keeping
2114 on System-V-ish systems.
2115
2116 Specify a list of names and/or name=value pairs, separated by white‐
2117 space or comma. Specify "{ name=value }" to protect whitespace or comma
2118 in parameter values (whitespace after the opening "{" and before the
2119 closing "}" is ignored). The form name=value is supported with Postfix
2120 version 2.1 and later; the use of {} is supported with Postfix 3.0 and
2121 later.
2122
2123 Example:
2124
2125 export_environment = TZ PATH=/bin:/usr/bin
2126
2128 The maximal number of recipient addresses that Postfix will extract
2129 from message headers when mail is submitted with "sendmail -t".
2130
2131 This feature was removed in Postfix version 2.1.
2132
2134 Optional list of relay hosts for SMTP destinations that can't be found
2135 or that are unreachable. With Postfix 2.3 this parameter is renamed to
2136 smtp_fallback_relay.
2137
2138 By default, mail is returned to the sender when a destination is not
2139 found, and delivery is deferred when a destination is unreachable.
2140
2141 The fallback relays must be SMTP destinations. Specify a domain, host,
2142 host:port, [host]:port, [address] or [address]:port; the form [host]
2143 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
2144 fix will try them in the specified order.
2145
2146 Note: before Postfix 2.2, do not use the fallback_relay feature when
2147 relaying mail for a backup or primary MX domain. Mail would loop be‐
2148 tween the Postfix MX host and the fallback_relay host when the final
2149 destination is unavailable. Instead, keep such domains off the fallback relay:
2150
2151 • In main.cf specify "relay_transport = relay",
2152
2153 • In master.cf specify "-o fallback_relay =" (i.e., empty) at the
2154 end of the relay entry.
2155
2156 • In transport maps, specify "relay:nexthop..." as the right-hand
2157 side for backup or primary MX domain entries.
2158
2159 Postfix version 2.2 and later will not use the fallback_relay feature
2160 for destinations that it is MX host for.
2161
2163 Optional message delivery transport that the local(8) delivery agent
2164 should use for names that are not found in the aliases(5) or UNIX pass‐
2165 word database.
2166
2167 The precedence of local(8) delivery features from high to low is:
2168 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2169 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2170 tory, fallback_transport_maps, fallback_transport and luser_relay.
2171
2173 Optional lookup tables with per-recipient message delivery transports
2174 for recipients that the local(8) delivery agent could not find in the
2175 aliases(5) or UNIX password database.
2176
2177 The precedence of local(8) delivery features from high to low is:
2178 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2179 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2180 tory, fallback_transport_maps, fallback_transport and luser_relay.
2181
2182 For safety reasons, this feature does not allow $number substitutions
2183 in regular expression maps.
2184
2185 This feature is available in Postfix 2.3 and later.
2186
2188 Optional list of destinations that are eligible for per-destination
2189 logfiles with mail that is queued to those destinations.
2190
2191 By default, Postfix maintains "fast flush" logfiles only for destina‐
2192 tions that the Postfix SMTP server is willing to relay to (i.e. the de‐
2193 fault is: "fast_flush_domains = $relay_domains"; see the relay_domains
2194 parameter in the postconf(5) manual).
2195
2196 Specify a list of hosts or domains, "/file/name" patterns or "type:ta‐
2197 ble" lookup tables, separated by commas and/or whitespace. Continue
2198 long lines by starting the next line with whitespace. A "/file/name"
2199 pattern is replaced by its contents; a "type:table" lookup table is
2200 matched when the domain or its parent domain appears as lookup key.
2201
2202 Pattern matching of domain names is controlled by the presence or ab‐
2203 sence of "fast_flush_domains" in the parent_domain_matches_subdomains
2204 parameter value.
2205
2206 Specify "fast_flush_domains =" (i.e., empty) to disable the feature al‐
2207 together.
2208
2210 The time after which an empty per-destination "fast flush" logfile is
2211 deleted.
2212
2213 You can specify the time as a number, or as a number followed by a let‐
2214 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
2215 d=days, w=weeks. The default time unit is days.
2216
2218 The time after which a non-empty but unread per-destination "fast
2219 flush" logfile needs to be refreshed. The contents of a logfile are
2220 refreshed by requesting delivery of all messages listed in the logfile.
2221
2222 You can specify the time as a number, or as a number followed by a let‐
2223 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
2224 d=days, w=weeks. The default time unit is hours.
2225
2227 Force specific internal tests to fail, to test the handling of errors
2228 that are difficult to reproduce otherwise.
2229
2231 The name of the flush(8) service. This service maintains per-destina‐
2232 tion logfiles with the queue file names of mail that is queued for
2233 those destinations.
2234
2235 This feature is available in Postfix 2.0 and later.
2236
2238 The maximal number of attempts to fork() a child process.
2239
2241 The delay between attempts to fork() a child process.
2242
2243 Specify a non-zero time value (an integral value plus an optional
2244 one-letter suffix that specifies the time unit). Time units: s (sec‐
2245 onds), m (minutes), h (hours), d (days), w (weeks). The default time
2246 unit is s (seconds).
2247
2249 Restrict the characters that the local(8) delivery agent allows in
2250 $name expansions of $forward_path. Characters outside the allowed set
2251 are replaced by underscores.
2252
2254 The local(8) delivery agent search list for finding a .forward file
2255 with user-specified delivery methods. The first file that is found is
2256 used.
2257
2258 The forward_path value is not subject to Postfix configuration parame‐
2259 ter $name expansion. Instead, the following $name expansions are done
2260 on forward_path before the search actually happens. The result of
2261 $name expansion is filtered with the character set that is specified
2262 with the forward_expansion_filter parameter.
2263
2264 $user The recipient's username.
2265
2266 $shell The recipient's login shell pathname.
2267
2268 $home The recipient's home directory.
2269
2270 $recipient
2271 The full recipient address.
2272
2273 $extension
2274 The optional recipient address extension.
2275
2276 $domain
2277 The recipient domain.
2278
2279 $local The entire recipient localpart.
2280
2281 $recipient_delimiter
2282 The address extension delimiter that was found in the recipient
2283 address (Postfix 2.11 and later), or the system-wide recipient
2284 address extension delimiter (Postfix 2.10 and earlier).
2285
2286 ${name?value}
2287
2288 ${name?{value}} (Postfix >= 3.0)
2289 Expands to value when $name is non-empty.
2290
2291 ${name:value}
2292
2293 ${name:{value}} (Postfix >= 3.0)
2294 Expands to value when $name is empty.
2295
2296 ${name?{value1}:{value2}} (Postfix >= 3.0)
2297 Expands to value1 when $name is non-empty, value2 otherwise.
2298
2299 Instead of $name you can also specify ${name} or $(name).
2300
2301 Examples:
2302
2303 forward_path = /var/forward/$user
2304 forward_path =
2305 /var/forward/$user/.forward$recipient_delimiter$extension,
2306 /var/forward/$user/.forward
2307
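The expansion syntax listed above is the same one postconf(5) documents for default_rbl_reply templates, so one added example serves both passages. The following Python is this page's illustration, not Postfix code: it implements $name, ${name}, $(name) and the conditional forms, then applies the expander to a constructed RBL reply template (enforcing the rule that the numerical code must open the reply, optionally followed by an RFC 3463 code) and to a forward_path value whose substituted values are filtered as forward_expansion_filter describes. The filter set, the templates and the attribute values are constructed for the example; applying the filter to substituted values rather than to the literal path text is an assumption.

```python
"""Postfix-style $name expansion for default_rbl_reply and forward_path.

Added example, not Postfix code. Supports $name, ${name}, $(name),
${name?value}, ${name:value}, ${name?{value}}, ${name:{value}} and
${name?{value1}:{value2}}. Attribute values are inserted verbatim (one level
of substitution); text inside a conditional is template text and is expanded.
"""
import re
import string

_NAME_CHARS = frozenset(string.ascii_letters + string.digits + "_")
_PAIRS = {"{": "}", "(": ")"}

# Assumed forward_expansion_filter value for the demo; the page does not quote it.
FORWARD_FILTER = frozenset(string.ascii_letters + string.digits + "!@%-_=+:,./")


def _matching(text, start, opener):
    """Index of the closer that balances the opener at text[start]."""
    closer, depth = _PAIRS[opener], 0
    for k in range(start, len(text)):
        if text[k] == opener:
            depth += 1
        elif text[k] == closer:
            depth -= 1
            if depth == 0:
                return k
    raise ValueError(f"unbalanced {opener!r} in {text!r}")


def _lookup(name, attrs, allowed):
    value = attrs.get(name, "")               # an undefined name expands to ""
    if allowed is None:
        return value
    # Characters outside the allowed set become underscores (the
    # forward_expansion_filter rule; assumption: applied to substituted values).
    return "".join(c if c in allowed else "_" for c in value)


def expand(template, attrs, allowed=None):
    out, i, n = [], 0, len(template)
    while i < n:
        if template[i] != "$":
            out.append(template[i])
            i += 1
            continue
        i += 1
        if i < n and template[i] in _PAIRS:   # ${...} or $(...)
            end = _matching(template, i, template[i])
            out.append(_expand_braced(template[i + 1:end], attrs, allowed))
            i = end + 1
            continue
        j = i
        while j < n and template[j] in _NAME_CHARS:
            j += 1
        out.append(_lookup(template[i:j], attrs, allowed) if j > i else "$")
        i = j
    return "".join(out)


def _expand_braced(body, attrs, allowed):
    j = 0
    while j < len(body) and body[j] in _NAME_CHARS:
        j += 1
    name, rest = body[:j], body[j:]
    if not name:
        raise ValueError(f"missing parameter name in ${{{body}}}")
    if not rest:                              # ${name}
        return _lookup(name, attrs, allowed)
    op, value = rest[0], rest[1:]
    if op not in "?:":
        raise ValueError(f"bad operator {op!r} in ${{{body}}}")
    if value.startswith("{"):                 # braced value, maybe with :{value2}
        end = _matching(value, 0, "{")
        first, tail = value[1:end], value[end + 1:]
        if tail == "":
            alt = ""
        elif op == "?" and tail.startswith(":"):
            alt = tail[1:]                    # the {} around value2 is optional
            if alt.startswith("{") and _matching(alt, 0, "{") == len(alt) - 1:
                alt = alt[1:-1]
        else:
            raise ValueError(f"unexpected text {tail!r} in ${{{body}}}")
        if_true, if_false = (first, alt) if op == "?" else ("", first)
    else:                                     # ${name?value} / ${name:value}
        if_true, if_false = (value, "") if op == "?" else ("", value)
    chosen = if_true if attrs.get(name, "") else if_false
    return expand(chosen, attrs, allowed)     # branch text is template text


_REPLY_RE = re.compile(r"^[245]\d\d(?: [245]\.\d{1,3}\.\d{1,3})?(?:\s|$)")


def rbl_reply_is_valid(reply):
    """postconf(5) rule: the numerical code must open the reply, optionally
    followed by an RFC 3463 enhanced status code."""
    return _REPLY_RE.match(reply) is not None


def render_rbl_reply(template, attrs):
    reply = expand(template, attrs)
    if not rbl_reply_is_valid(reply):
        raise ValueError(f"reply does not start with an SMTP code: {reply!r}")
    return reply


# Constructed sample templates (the real default_rbl_reply value is not quoted here).
RBL_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")
FORWARD_PATH = "/var/forward/$user/.forward${extension?{$recipient_delimiter$extension}}"
```

With an extension of "sa les" the forward_path expansion yields /var/forward/alice/.forward+sa_les, the space having been replaced by an underscore; with no extension the conditional collapses and the plain .forward path results. A template that does not begin with $rbl_code is rejected by render_rbl_reply(), which is the check an operator wants before putting a custom template into rbl_reply_maps.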
2309 Update the local(8) delivery agent's idea of the Delivered-To: address
2310 (see prepend_delivered_header) only once, at the start of a delivery
2311 attempt; do not update the Delivered-To: address while expanding
2312 aliases or .forward files.
2313
2314 This feature is available in Postfix 2.3 and later. With older Postfix
2315 releases, the behavior is as if this parameter is set to "no". The old
2316 setting can be expensive with deeply nested aliases or .forward files.
2317 When an alias or .forward file changes the Delivered-To: address, it
2318 ties up one queue file and one cleanup process instance while mail is
2319 being forwarded.
2320
The number of subdirectory levels for queue directories listed with the hash_queue_names parameter. Queue hashing is implemented by creating one or more levels of directories with one-character names. Originally, these directory names were equal to the first characters of the queue file name, with the hexadecimal representation of the file creation time in microseconds.

With long queue file names, queue hashing produces the same results as with short names. The file creation time in microseconds is converted into hexadecimal form before the result is used for queue hashing. The base 16 encoding gives finer control over the number of subdirectories than is possible with the base 52 encoding of long queue file names.

After changing the hash_queue_names or hash_queue_depth parameter, execute the command "postfix reload".
2337
The names of queue directories that are split across multiple subdirectory levels.

Before Postfix version 2.2, the default list of hashed queues was significantly larger. Claims about improvements in file system technology suggest that hashing of the incoming and active queues is no longer needed. Fewer hashed directories speed up the time needed to restart Postfix.

After changing the hash_queue_names or hash_queue_depth parameter, execute the command "postfix reload".
2350
The maximal number of address tokens that are allowed in an address message header. Information that exceeds the limit is discarded. The limit is enforced by the cleanup(8) server.

Optional lookup tables for content inspection of primary non-MIME message headers, as specified in the header_checks(5) manual page.
2359
The format of the Postfix-generated From: header. This setting affects the appearance of 'full name' information when a local program such as /bin/mail submits a message without a From: header through the Postfix sendmail(1) command.

Specify one of the following:

standard (default)
    Produce a header formatted as "From: name <address>". This is the default as of Postfix 3.3.

obsolete
    Produce a header formatted as "From: address (name)". This is the behavior prior to Postfix 3.3.

Notes:

• Postfix generates the format "From: address" when name information is unavailable or the envelope sender address is empty. This is the same behavior as prior to Postfix 3.3.

• In the standard form, the name will be quoted if it contains specials as defined in RFC 5322, or the "!%" address operators.

• The Postfix sendmail(1) command gets name information from the -F command-line option, from the NAME environment variable, or from the UNIX password file.

This feature is available in Postfix 3.3 and later.
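The two header formats and the quoting rule from the notes, as an added example (illustration code for this page, not Postfix's own header generation). The sample addresses and names are constructed; how the obsolete form escapes parentheses inside the comment is an assumption of this example, since the manual does not describe it.

```python
import re

# RFC 5322 "specials" plus the "!%" address operators named in the manual.
_NEEDS_QUOTING = re.compile(r'[()<>\[\]:;@\\,."!%]')


def quote_display_name(name):
    """Return the name as an RFC 5322 quoted-string when it contains specials
    or the "!%" operators; otherwise return it unchanged."""
    if _NEEDS_QUOTING.search(name) is None:
        return name
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_from_header(address, name=None, header_from_format="standard"):
    """Produce the From: header Postfix would generate for a local submission
    that carries no From: header of its own."""
    if header_from_format not in ("standard", "obsolete"):
        raise ValueError("header_from_format must be standard or obsolete")
    # No name information, or an empty envelope sender: plain "From: address"
    # in both formats, as before Postfix 3.3.
    if not name or not address:
        return "From: %s" % address
    if header_from_format == "standard":
        return "From: %s <%s>" % (quote_display_name(name), address)
    # Obsolete form: the name travels in a comment. Escaping the comment
    # delimiters is this example's assumption, not documented behavior.
    comment = re.sub(r"([()\\])", r"\\\1", name)
    return "From: %s (%s)" % (address, comment)


if __name__ == "__main__":
    # Constructed sample input.
    print(build_from_header("alice@example.com", "Example, Alice"))
    print(build_from_header("alice@example.com", "Example, Alice", "obsolete"))
```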
2390
The maximal amount of memory in bytes for storing a message header. If a header is larger, the excess is discarded. The limit is enforced by the cleanup(8) server.

Log warnings about problematic configuration settings, and provide helpful suggestions.

This feature is available in Postfix 2.0 and later.
2401
Optional pathname of a mailbox file relative to a local(8) user's home directory.

Specify a pathname ending in "/" for qmail-style delivery.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Examples:

    home_mailbox = Mailbox
    home_mailbox = Maildir/
2417
The maximal number of Received: message headers that are allowed in the primary message headers. A message that exceeds the limit is bounced, in order to stop a mailer loop.

The location of Postfix HTML files that describe how to build, configure or operate a specific Postfix subsystem or feature.
2426
Ignore DNS MX lookups that produce no response. By default, the Postfix SMTP client defers delivery and tries again after some delay. This behavior is required by the SMTP standard.

Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup instead. This violates the SMTP standard and can result in mis-delivery of mail.

When SRV record lookup fails, fall back to MX or IP address lookup as if SRV record lookup was not enabled.

This feature is available in Postfix 3.8 and later.
2441
The list of environment variables that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides. Unprivileged utilities will enforce the name=value overrides, but otherwise will not change their process environment. Examples of relevant environment variables:

TZ
    May be needed for sane time keeping on most System-V-ish systems.

DISPLAY
    Needed for debugging Postfix daemons with an X-windows debugger.

XAUTHORITY
    Needed for debugging Postfix daemons with an X-windows debugger.

MAIL_CONFIG
    Needed to make "postfix -c" work.

POSTLOG_SERVICE
    Needed to make "maillog_file" work during daemon process initialization.

POSTLOG_HOSTNAME
    Needed to make "maillog_file" work during daemon process initialization.

Specify a list of names and/or name=value pairs, separated by whitespace or comma. Specify "{ name=value }" to protect whitespace or comma in environment variable values (whitespace after the opening "{" and before the closing "}" is ignored). The form name=value is supported with Postfix version 2.1 and later; the use of {} is supported with Postfix 3.0 and later.
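An added example of the list syntax just described, and of what it buys a privileged process: only the named variables cross from the parent environment, everything else is dropped, and the name=value overrides are applied on top. This is illustration code written for this page, not the Postfix implementation; the parent-environment contents and the import_environment value are constructed, and brace nesting is handled by simple depth counting (an assumption of this example).

```python
def parse_import_environment(value):
    """Split an import_environment value into plain names and name=value overrides.
    Elements are separated by whitespace or commas; "{ name=value }" protects
    whitespace or commas inside the value, with whitespace just inside the
    braces ignored."""
    items, i, n = [], 0, len(value)
    while i < n:
        c = value[i]
        if c in " \t\r\n,":
            i += 1
        elif c == "{":                      # brace-protected element
            depth, j = 0, i
            while j < n:
                depth += {"{": 1, "}": -1}.get(value[j], 0)
                if depth == 0:
                    break
                j += 1
            if j == n:
                raise ValueError("missing closing } in import_environment")
            items.append(value[i + 1:j].strip())
            i = j + 1
        else:                               # bare element, up to whitespace or comma
            j = i
            while j < n and value[j] not in " \t\r\n,":
                j += 1
            items.append(value[i:j])
            i = j
    names, overrides = [], {}
    for item in items:
        if "=" in item:
            key, val = item.split("=", 1)
            overrides[key] = val
        elif item:
            names.append(item)
    return names, overrides


def build_daemon_environment(parent_env, import_environment):
    """Environment a privileged Postfix process would start with: only the
    listed variables are imported from the parent, then the name=value
    overrides are applied. Anything not listed (PATH, LD_* settings, ...)
    never reaches the daemon."""
    names, overrides = parse_import_environment(import_environment)
    env = {k: parent_env[k] for k in names if k in parent_env}
    env.update(overrides)
    return env


if __name__ == "__main__":
    # Constructed sample input.
    parent = {"MAIL_CONFIG": "/etc/postfix", "PATH": "/usr/local/bin:/usr/bin",
              "TZ": "UTC", "XAUTHORITY": "/root/.Xauthority"}
    print(build_daemon_environment(parent, "MAIL_CONFIG LANG=C { TZ=America/New York }, XAUTHORITY"))
```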
2475
Time to pause before accepting a new message, when the message arrival rate exceeds the message delivery rate. This feature is turned on by default (it's disabled on SCO UNIX due to an SCO bug).

With the default 100 Postfix SMTP server process limit, "in_flow_delay = 1s" limits the mail inflow to 100 messages per second above the number of messages delivered per second.

Specify 0 to disable the feature. Valid delays are 0..10.
2486
The local network interface addresses that this mail system receives mail on. Specify "all" to receive mail on all network interfaces (default), and "loopback-only" to receive mail on loopback network interfaces only (Postfix version 2.2 and later). The parameter also controls delivery of mail to user@[ip.address].

Note 1: you need to stop and start Postfix when this parameter changes.

Note 2: address information may be enclosed inside [], but this form is not required here.

When inet_interfaces specifies just one IPv4 and/or IPv6 address that is not a loopback address, the Postfix SMTP client will use this address as the IP source address for outbound mail. Support for IPv6 is available in Postfix version 2.2 and later.

On a multi-homed firewall with separate Postfix instances listening on the "inside" and "outside" interfaces, this can prevent each instance from being able to reach remote SMTP servers on the "other side" of the firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential problem for IPv4, and setting smtp_bind_address6 to :: solves the problem for IPv6.

A better solution for multi-homed firewalls is to leave inet_interfaces at the default value and instead use explicit IP addresses in the master.cf SMTP server definitions. This preserves the Postfix SMTP client's loop detection, by ensuring that each side of the firewall knows that the other IP address is still the same host. Setting $inet_interfaces to a single IPv4 and/or IPv6 address is primarily useful with virtual hosting of domains on secondary IP addresses, when each IP address serves a different domain (and has a different $myhostname setting).

See also the proxy_interfaces parameter, for network addresses that are forwarded to Postfix by way of a proxy or address translator.

Examples:

    inet_interfaces = all (DEFAULT)
    inet_interfaces = loopback-only (Postfix version 2.2 and later)
    inet_interfaces = 127.0.0.1
    inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
    inet_interfaces = 192.168.1.2, 127.0.0.1
2531
The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" or "ipv6", separated by whitespace or commas. The form "all" is equivalent to "ipv4, ipv6" or "ipv4", depending on whether the operating system implements IPv6.

With Postfix 2.8 and earlier the default is "ipv4". For backwards compatibility with these releases, the Postfix 2.9 and later upgrade procedure appends an explicit "inet_protocols = ipv4" setting to main.cf when no explicit setting is present. This compatibility workaround will be phased out as IPv6 deployment becomes more common.

This feature is available in Postfix 2.2 and later.

Note: you MUST stop and start Postfix after changing this parameter.

On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server will also accept IPv4 connections, even when IPv4 is turned off with the inet_protocols parameter. On systems with IPV6_V6ONLY support, Postfix will use separate server sockets for IPv6 and IPv4, and each will accept only connections for the corresponding protocol.

When IPv4 support is enabled via the inet_protocols parameter, Postfix will look up DNS type A records, and will convert IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4). The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC 3493).

When IPv6 support is enabled via the inet_protocols parameter, Postfix will do DNS type AAAA record lookups.

When both IPv4 and IPv6 support are enabled, the Postfix SMTP client will choose the protocol as specified with the smtp_address_preference parameter. Postfix versions before 2.8 attempt to connect via IPv6 before attempting to use IPv4.

Examples:

    inet_protocols = ipv4
    inet_protocols = all (DEFAULT)
    inet_protocols = ipv6
    inet_protocols = ipv4, ipv6
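The inet_protocols rules as an added example: parsing the value (including the OS-dependent meaning of "all"), the DNS record types that follow from it, and the ::ffff:1.2.3.4 to 1.2.3.4 conversion that only happens while IPv4 is enabled. This is illustration code for this page, not Postfix's own networking code; the `os_has_ipv6` flag and the sample client addresses are constructed for the demonstration.

```python
import ipaddress


def parse_inet_protocols(value, os_has_ipv6=True):
    """Return the set of protocols enabled by an inet_protocols value.
    "all" means "ipv4, ipv6", or just "ipv4" when the OS has no IPv6 support."""
    protocols = set()
    for word in value.replace(",", " ").split():
        word = word.lower()
        if word == "all":
            protocols.update({"ipv4", "ipv6"} if os_has_ipv6 else {"ipv4"})
        elif word in ("ipv4", "ipv6"):
            protocols.add(word)
        else:
            raise ValueError("unknown inet_protocols entry: %r" % word)
    if not protocols:
        raise ValueError("inet_protocols must enable at least one protocol")
    return protocols


def dns_lookup_types(protocols):
    """Address record types the SMTP client looks up: A for IPv4, AAAA for IPv6."""
    return [rtype for rtype, proto in (("A", "ipv4"), ("AAAA", "ipv6"))
            if proto in protocols]


def normalize_client_address(addr, protocols):
    """Address form Postfix would use for a connecting client, or None when
    the client's protocol is not enabled. IPv4-in-IPv6 addresses
    (::ffff:1.2.3.4) are converted back to IPv4 only while IPv4 is enabled;
    with IPv6 only, such a client (possible on pre-IPV6_V6ONLY hosts) keeps
    its IPv6 spelling."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None and "ipv4" in protocols:
        ip = ip.ipv4_mapped
    if "ipv%d" % ip.version not in protocols:
        return None
    return str(ip)


if __name__ == "__main__":
    # Constructed sample input.
    enabled = parse_inet_protocols("all")
    print(dns_lookup_types(enabled))
    print(normalize_client_address("::ffff:192.0.2.10", enabled))
```

The conversion matters for access control: a client that appears as ::ffff:192.0.2.10 on an old dual-stack socket must match the same client restrictions and CIDR tables as 192.0.2.10, which only works once the address is in its IPv4 form.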
2574
The email address form that will be used in non-debug logging (info, warning, etc.). As of Postfix 3.5 when an address localpart contains spaces or other special characters, the localpart will be quoted, for example:

    from=<"name with spaces"@example.com>

Older Postfix versions would log the internal (unquoted) form:

    from=<name with spaces@example.com>

The external and internal forms are identical for the vast majority of email addresses that contain no spaces or other special characters in the localpart.

The logging in external form is consistent with the address form that Postfix 3.2 and later prefer for most table lookups. This is therefore the more useful form for non-debug logging.

Specify "info_log_address_format = internal" for backwards compatibility.

Postfix uses the unquoted form internally, because an attacker can specify an email address in different forms by playing games with quotes and backslashes. An attacker should not be able to use such games to circumvent Postfix access policies.

This feature is available in Postfix 3.5 and later.
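The two address forms, as an added example (illustration code for this page, not Postfix's own address handling): `to_external` produces the quoted spelling used for logging, `to_internal` strips quotes and backslash escapes, and `access_key` shows why the internal form is what a policy lookup should be keyed on: several external spellings of the same mailbox collapse to one key. The set of characters treated as dot-atom text follows RFC 5322 atext; the sample addresses are constructed.

```python
import re

# Characters allowed in an unquoted ("dot-atom") localpart: RFC 5322 atext plus ".".
_ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
             "!#$%&'*+-/=?^_`{|}~.")


def _split(address):
    """Split at the last "@": a quoted localpart may itself contain "@"."""
    at = address.rfind("@")
    return (address, None) if at < 0 else (address[:at], address[at + 1:])


def _join(local, domain):
    return local if domain is None else local + "@" + domain


def to_external(internal):
    """External (quoted) form, as logged with info_log_address_format = external."""
    local, domain = _split(internal)
    plain = (local != "" and all(c in _ATEXT for c in local)
             and not local.startswith(".") and not local.endswith(".")
             and ".." not in local)
    if plain:
        return internal
    quoted = '"' + local.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return _join(quoted, domain)


def to_internal(external):
    """Internal (unquoted) form: drop the surrounding quotes and backslash escapes."""
    local, domain = _split(external)
    if len(local) >= 2 and local.startswith('"') and local.endswith('"'):
        local = local[1:-1]
    local = re.sub(r"\\(.)", r"\1", local)
    return _join(local, domain)


def access_key(address):
    """Key for an access-policy lookup. Every quoting variant of the same
    mailbox maps to the one internal form, so re-spelling the localpart with
    quotes or backslashes cannot select a different policy entry."""
    return to_internal(address)


if __name__ == "__main__":
    # Constructed sample input.
    print("from=<%s>" % to_external("name with spaces@example.com"))
    print(access_key('"al\\ice"@example.com'), access_key("alice@example.com"))
```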
2604
The initial per-destination concurrency level for parallel delivery to the same destination. With per-destination recipient limit > 1, a destination is a domain, otherwise it is a recipient.

Use transport_initial_destination_concurrency to specify a transport-specific override, where transport is the master.cf name of the message delivery transport (Postfix 2.5 and later).

Warning: with concurrency of 1, one bad message can be enough to block all mail to a site.

What categories of Postfix-generated mail are subject to before-queue content inspection by non_smtpd_milters, header_checks and body_checks. Specify zero or more of the following, separated by whitespace or comma.

bounce
    Inspect the content of delivery status notifications.

notify
    Inspect the content of postmaster notifications by the smtp(8) and smtpd(8) processes.

NOTE: It's generally not safe to enable content inspection of Postfix-generated email messages. The user is warned.

This feature is available in Postfix 2.3 and later.
2632
The numerical Postfix SMTP server response code when the client HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname restriction.

Do not change this unless you have a complete understanding of RFC 5321.

The time after which a client closes an idle internal communication channel. The purpose is to allow Postfix daemon processes to terminate voluntarily after they become idle. This is used, for example, by the Postfix address resolving and rewriting clients.

With Postfix 2.4 the default value was reduced from 100s to 5s.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The time limit for sending or receiving information over an internal communication channel. The purpose is to break out of deadlock situations. If the time limit is exceeded the software aborts with a fatal error.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The time after which a client closes an active internal communication channel. The purpose is to allow Postfix daemon processes to terminate voluntarily after reaching their client limit. This is used, for example, by the Postfix address resolving and rewriting clients.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.
2677
2679 sion=587)
Optional setting that avoids lookups in the services(5) database. This feature was implemented to address inconsistencies in the name of the port "465" service. The ABNF is:

    known_tcp_ports = empty | name-to-port *("," name-to-port)
    name-to-port = 1*(service-name "=") port-number

The comma is required. Whitespace is optional but it cannot appear inside a service name or port number.

This feature is available in Postfix 3.6 and later.
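A parser for the ABNF above, as an added example (illustration code for this page, not Postfix's own implementation). It accepts the `name=name=port` repetition the grammar allows, rejects whitespace inside a service name or port number, and shows the lookup order a client would follow: a numeric port first, then the known_tcp_ports table, and only then the services(5) database. The sample values such as `submissions=465` are constructed input for the demonstration.

```python
import re
import socket

_SERVICE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def parse_known_tcp_ports(value):
    """Parse a known_tcp_ports value into {service-name: port}. An empty value
    yields an empty table; 'a=b=465' binds both names to the same port."""
    table = {}
    if value.strip() == "":
        return table
    for element in value.split(","):               # the comma is the only separator
        parts = [p.strip() for p in element.split("=")]
        if len(parts) < 2:
            raise ValueError("expected name=port, got %r" % element.strip())
        names, port = parts[:-1], parts[-1]
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("bad port number %r in %r" % (port, element.strip()))
        for name in names:
            if _SERVICE_NAME.fullmatch(name) is None:  # rejects embedded whitespace
                raise ValueError("bad service name %r" % name)
            table[name] = int(port)
    return table


def resolve_tcp_port(service, known_tcp_ports):
    """Port for a service name or number: numeric first, then known_tcp_ports,
    and only then the services(5) database."""
    if service.isdigit():
        return int(service)
    if service in known_tcp_ports:
        return known_tcp_ports[service]
    try:
        return socket.getservbyname(service, "tcp")
    except OSError:
        raise ValueError("unknown service %r" % service) from None


if __name__ == "__main__":
    # Constructed sample input.
    table = parse_known_tcp_ports("lmtps=465, submissions=465, submission=587")
    print(table, resolve_tcp_port("submissions", table))
```

Keeping the well-known names in main.cf rather than in /etc/services is what makes a `[host]:submissions` style destination resolve the same way on every host, whatever the local services(5) file calls port 465.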
2691
Upon input, long lines are chopped up into pieces of at most this length; upon delivery, long lines are reconstructed.

The initial OpenLDAP LMDB database size limit in bytes. Each time a database becomes full, its size limit is doubled.

This feature is available in Postfix 2.11 and later.

The LMTP-specific version of the smtp_address_preference configuration parameter. See there for details.

This feature is available in Postfix 2.8 and later.

The LMTP-specific version of the smtp_address_verify_target configuration parameter. See there for details.

This feature is available in Postfix 3.0 and later.

When a remote LMTP server announces no DSN support, assume that the server performs final delivery, and send "delivered" delivery status notifications instead of "relayed". The default setting is backwards compatible to avoid the infinitesimal possibility of breaking existing LMTP-based content filters.

The LMTP-specific version of the smtp_balance_inet_protocols configuration parameter. See there for details.

This feature is available in Postfix 3.3 and later.

The LMTP-specific version of the smtp_bind_address configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_bind_address6 configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_bind_address_enforce configuration parameter. See there for details.

This feature is available in Postfix 3.7 and later.

The LMTP-specific version of the smtp_body_checks configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.
2750
Keep Postfix LMTP client connections open for up to $max_idle seconds. When the LMTP client receives a request for the same connection the connection is reused.

This parameter is available in Postfix version 2.2 and earlier. With Postfix version 2.3 and later, see lmtp_connection_cache_on_demand, lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit.

The effectiveness of cached connections will be determined by the number of remote LMTP servers in use, and the concurrency limit specified for the Postfix LMTP client. Cached connections are closed under any of the following conditions:

• The Postfix LMTP client idle time limit is reached. This limit is specified with the Postfix max_idle configuration parameter.

• A delivery request specifies a different destination than the one currently cached.

• The per-process limit on the number of delivery requests is reached. This limit is specified with the Postfix max_use configuration parameter.

• Upon the onset of another delivery request, the remote LMTP server associated with the current session does not respond to the RSET command.

Most of these limitations have been with the Postfix connection cache that is shared among multiple LMTP client programs.
2782
The LMTP-specific version of the smtp_cname_overrides_servername configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The Postfix LMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit). When no connection can be made within the deadline, the LMTP client tries the next address on the mail exchanger list.

Specify a non-negative time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

Example:

    lmtp_connect_timeout = 30s
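The time-value syntax that this entry and the other timeout entries on this page share (an integer plus an optional s/m/h/d/w suffix, default unit seconds), as an added example that is not part of postconf(5): one parser, with a minimum that distinguishes the "non-negative" values lmtp_connect_timeout accepts from the "non-zero" values ipc_idle and the other LMTP timeouts require. The wrapper names are illustrative; the parameter values are constructed.

```python
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME = re.compile(r"\s*(\d+)\s*([smhdw])?\s*")


def parse_time_value(value, default_unit="s", minimum=1):
    """Convert a Postfix time value ('30s', '5m', '1h', or a bare number in the
    default unit) to seconds. minimum=1 enforces "non-zero", minimum=0
    enforces "non-negative"; anything else (negative numbers, unknown
    suffixes, a unit without a number) is rejected."""
    m = _TIME.fullmatch(value)
    if m is None:
        raise ValueError("bad time value %r" % value)
    count, unit = int(m.group(1)), m.group(2) or default_unit
    seconds = count * _UNITS[unit]
    if seconds < minimum:
        raise ValueError("time value %r is below the minimum of %ds" % (value, minimum))
    return seconds


def lmtp_connect_timeout(value):
    """lmtp_connect_timeout accepts zero, meaning the OS connect time limit."""
    return parse_time_value(value, minimum=0)


def ipc_idle(value):
    """ipc_idle, ipc_timeout, ipc_ttl and the LMTP command timeouts must be non-zero."""
    return parse_time_value(value, minimum=1)


if __name__ == "__main__":
    # Constructed sample input.
    print(lmtp_connect_timeout("30s"), ipc_idle("5"), parse_time_value("2w"))
```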
2803
The LMTP-specific version of the smtp_connection_cache_destinations configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_connection_cache_on_demand configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_connection_cache_time_limit configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_connection_reuse_count_limit configuration parameter. See there for details.

This feature is available in Postfix 2.11 and later.

The LMTP-specific version of the smtp_connection_reuse_time_limit configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.
2833
The Postfix LMTP client time limit for sending the LMTP ".", and for receiving the remote LMTP server response. When no response is received within the deadline, a warning is logged that the mail may be delivered multiple times.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The Postfix LMTP client time limit for sending the LMTP DATA command, and for receiving the remote LMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The Postfix LMTP client time limit for sending the LMTP message content. When the connection stalls for more than $lmtp_data_xfer_timeout the LMTP client terminates the transfer.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The LMTP-specific version of the smtp_defer_if_no_mx_address_found configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_delivery_status_filter configuration parameter. See there for details.

This feature is available in Postfix 3.0 and later.
2875
2877 rency_limit)
The maximal number of parallel deliveries to the same destination via the lmtp message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.
2882
2884 ent_limit)
The maximal number of recipients per message for the lmtp message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

Setting this parameter to a value of 1 changes the meaning of lmtp_destination_concurrency_limit from concurrency per domain into concurrency per recipient.
2893
Lookup tables, indexed by the remote LMTP server address, with case insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.) that the Postfix LMTP client will ignore in the LHLO response from a remote LMTP server. See lmtp_discard_lhlo_keywords for details. The table is not indexed by hostname for consistency with smtpd_discard_ehlo_keyword_address_maps.

This feature is available in Postfix 2.3 and later.

A case insensitive list of LHLO keywords (pipelining, starttls, auth, etc.) that the Postfix LMTP client will ignore in the LHLO response from a remote LMTP server.

This feature is available in Postfix 2.3 and later.

Notes:

• Specify the silent-discard pseudo keyword to prevent this action from being logged.

• Use the lmtp_discard_lhlo_keyword_address_maps feature to discard LHLO keywords selectively.
2918
Optional filter for Postfix LMTP client DNS lookup results. See smtp_dns_reply_filter for details including an example.

This feature is available in Postfix 3.0 and later.

The LMTP-specific version of the smtp_dns_resolver_options configuration parameter. See there for details.

This feature is available in Postfix 2.8 and later.

The LMTP-specific version of the smtp_dns_support_level configuration parameter. See there for details.

This feature is available in Postfix 2.11 and later.

The LMTP-specific version of the smtp_enforce_tls configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

Optional list of relay hosts for LMTP destinations that can't be found or that are unreachable. In main.cf elements are separated by whitespace or commas.

By default, mail is returned to the sender when a destination is not found, and delivery is deferred when a destination is unreachable.

The fallback relays must be TCP destinations, specified without a leading "inet:" prefix. Specify a host or host:port. Since MX lookups do not apply with LMTP, there is no need to use the "[host]" or "[host]:port" forms. If you specify multiple LMTP destinations, Postfix will try them in the specified order.

This feature is available in Postfix 3.1 and later.
2958
The LMTP-specific version of the smtp_generic_maps configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_header_checks configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_host_lookup configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The hostname to send in the LMTP LHLO command.

The default value is the machine hostname. Specify a hostname or [ip.add.re.ss] or [ip:v6:add:re::ss].

This information can be specified in the main.cf file for all LMTP clients, or it can be specified in the master.cf file for a specific client, for example:

    /etc/postfix/master.cf:
        mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com

This feature is available in Postfix 2.3 and later.
2991
The Postfix LMTP client time limit for sending the LHLO command, and for receiving the initial remote LMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The LMTP-specific version of the smtp_line_length_limit configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The Postfix LMTP client time limit for sending the MAIL FROM command, and for receiving the remote LMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).
3013
The LMTP-specific version of the smtp_mime_header_checks configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_min_data_rate configuration parameter. See there for details.

This feature is available in Postfix 3.7 and later.

The LMTP-specific version of the smtp_mx_address_limit configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_mx_session_limit configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_nested_header_checks configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_per_record_deadline configuration parameter. See there for details.

This feature is available in Postfix 2.9 and later.

The LMTP-specific version of the smtp_per_request_deadline configuration parameter. See there for details.

This feature is available in Postfix 3.7 and later.

The LMTP-specific version of the smtp_pix_workaround_delay_time configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_pix_workaround_maps configuration parameter. See there for details.

This feature is available in Postfix 2.4 and later.

The LMTP-specific version of the smtp_pix_workaround_threshold_time configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_pix_workaround configuration parameter. See there for details.

This feature is available in Postfix 2.4 and later.

The Postfix LMTP client time limit for sending the QUIT command, and for receiving the remote LMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The LMTP-specific version of the smtp_quote_rfc821_envelope configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_randomize_addresses configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.
3100
The Postfix LMTP client time limit for sending the RCPT TO command, and for receiving the remote LMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The LMTP-specific version of the smtp_reply_filter configuration parameter. See there for details.

This feature is available in Postfix 2.7 and later.

The Postfix LMTP client time limit for sending the RSET command, and for receiving the remote LMTP server response. The LMTP client sends RSET in order to finish a recipient address probe, or to verify that a cached connection is still alive.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The LMTP-specific version of the smtp_sasl_auth_cache_name configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_sasl_auth_cache_time configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.
3138
Enable SASL authentication in the Postfix LMTP client.

The LMTP-specific version of the smtp_sasl_auth_soft_bounce configuration parameter. See there for details.

This feature is available in Postfix 2.5 and later.

The LMTP-specific version of the smtp_sasl_mechanism_filter configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

Optional Postfix LMTP client lookup tables with one username:password entry per host or domain. If a remote host or domain has no username:password entry, then the Postfix LMTP client will not attempt to authenticate to the remote host.

Implementation-specific information that is passed through to the SASL plug-in implementation that is selected with lmtp_sasl_type. Typically this specifies the name of a configuration file or rendezvous point.

This feature is available in Postfix 2.3 and later.

SASL security options; as of Postfix 2.3 the list of available features depends on the SASL client implementation that is selected with lmtp_sasl_type.

The following security features are defined for the cyrus client SASL implementation:

noplaintext
    Disallow authentication methods that use plaintext passwords.

noactive
    Disallow authentication methods that are vulnerable to non-dictionary active attacks.

nodictionary
    Disallow authentication methods that are vulnerable to passive dictionary attacks.

noanonymous
    Disallow anonymous logins.

Example:

    lmtp_sasl_security_options = noplaintext

The LMTP-specific version of the smtp_sasl_tls_security_options configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.
3198
3200 lmtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_verified_security_options)
3201 The LMTP-specific version of the smtp_sasl_tls_verified_security_op‐
3202 tions configuration parameter. See there for details.
3203
3204 This feature is available in Postfix 2.3 and later.
3205
3207 The SASL plug-in type that the Postfix LMTP client should use for au‐
3208 thentication. The available types are listed with the "postconf -A"
3209 command.
3210
3211 This feature is available in Postfix 2.3 and later.
3212
3214 The LMTP-specific version of the smtp_send_dummy_mail_auth configura‐
3215 tion parameter. See there for details.
3216
3217 This feature is available in Postfix 2.9 and later.
3218
3220 Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
3221 server response announces XFORWARD support. This allows an lmtp(8) de‐
3222 livery agent, used for content filter message injection, to forward the
3223 name, address, protocol and HELO name of the original client to the
3224 content filter and downstream LMTP server. Before you change the value
3225 to yes, it is best to make sure that your content filter supports this
3226 command.
3227
3228 This feature is available in Postfix 2.1 and later.
3229
3231 The LMTP-specific version of the smtp_sender_dependent_authentication
3232 configuration parameter. See there for details.
3233
3234 This feature is available in Postfix 2.3 and later.
3235
3237 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
3238 parameter. See there for details.
3239
3240 This feature is available in Postfix 2.3 and later.
3241
3243 Wait for the response to the LMTP QUIT command.
3244
3246 The LMTP-specific version of the smtp_starttls_timeout configuration
3247 parameter. See there for details.
3248
3249 This feature is available in Postfix 2.3 and later.
3250
3252 The default TCP port that the Postfix LMTP client connects to. Specify
3253 a symbolic name (see services(5)) or a numeric port.
3254
3256 The LMTP-specific version of the smtp_tls_CAfile configuration parame‐
3257 ter. See there for details.
3258
3259 This feature is available in Postfix 2.3 and later.
3260
3262 The LMTP-specific version of the smtp_tls_CApath configuration parame‐
3263 ter. See there for details.
3264
3265 This feature is available in Postfix 2.3 and later.
3266
3268 The LMTP-specific version of the smtp_tls_block_early_mail_reply con‐
3269 figuration parameter. See there for details.
3270
3271 This feature is available in Postfix 2.7 and later.
3272
3274 The LMTP-specific version of the smtp_tls_cert_file configuration pa‐
3275 rameter. See there for details.
3276
3277 This feature is available in Postfix 2.3 and later.
3278
3280 The LMTP-specific version of the smtp_tls_chain_files configuration pa‐
3281 rameter. See there for details.
3282
3283 This feature is available in Postfix 3.4 and later.
3284
3286 The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3287 ter. See there for details.
3288
3289 This feature is available in Postfix 2.6 and later.
3290
3292 The LMTP-specific version of the smtp_tls_connection_reuse configura‐
3293 tion parameter. See there for details.
3294
3295 This feature is available in Postfix 3.4 and later.
3296
3298 The LMTP-specific version of the smtp_tls_dcert_file configuration pa‐
3299 rameter. See there for details.
3300
3301 This feature is available in Postfix 2.3 and later.
3302
3304 The LMTP-specific version of the smtp_tls_dkey_file configuration pa‐
3305 rameter. See there for details.
3306
3307 This feature is available in Postfix 2.3 and later.
3308
3310 The LMTP-specific version of the smtp_tls_eccert_file configuration pa‐
3311 rameter. See there for details.
3312
3313 This feature is available in Postfix 2.6 and later, when Postfix is
3314 compiled and linked with OpenSSL 1.0.0 or later.
3315
3317 The LMTP-specific version of the smtp_tls_eckey_file configuration pa‐
3318 rameter. See there for details.
3319
3320 This feature is available in Postfix 2.6 and later, when Postfix is
3321 compiled and linked with OpenSSL 1.0.0 or later.
3322
3324 The LMTP-specific version of the smtp_tls_enforce_peername configura‐
3325 tion parameter. See there for details.
3326
3327 This feature is available in Postfix 2.3 and later.
3328
3330 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3331 parameter. See there for details.
3332
3333 This feature is available in Postfix 2.3 and later.
3334
3336 The LMTP-specific version of the smtp_tls_fingerprint_cert_match con‐
3337 figuration parameter. See there for details.
3338
3339 This feature is available in Postfix 2.5 and later.
3340
3342 The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3343 tion parameter. See there for details.
3344
3345 This feature is available in Postfix 2.5 and later.
3346
3348 The LMTP-specific version of the smtp_tls_force_inse‐
3349 cure_host_tlsa_lookup configuration parameter. See there for details.
3350
3351 This feature is available in Postfix 2.11 and later.
3352
3354 The LMTP-specific version of the smtp_tls_key_file configuration param‐
3355 eter. See there for details.
3356
3357 This feature is available in Postfix 2.3 and later.
3358
3360 The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3361 eter. See there for details.
3362
3363 This feature is available in Postfix 2.3 and later.
3364
3366 The LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3367 tion parameter. See there for details.
3368
3369 This feature is available in Postfix 2.3 and later.
3370
3372 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
3373 configuration parameter. See there for details.
3374
3375 This feature is available in Postfix 2.3 and later.
3376
3378 The LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3379 ration parameter. See there for details.
3380
3381 This feature is available in Postfix 2.3 and later.
3382
3384 The LMTP-specific version of the smtp_tls_note_starttls_offer configu‐
3385 ration parameter. See there for details.
3386
3387 This feature is available in Postfix 2.3 and later.
3388
3390 The LMTP-specific version of the smtp_tls_per_site configuration param‐
3391 eter. See there for details.
3392
3393 This feature is available in Postfix 2.3 and later.
3394
3396 The LMTP-specific version of the smtp_tls_policy_maps configuration pa‐
3397 rameter. See there for details.
3398
3399 This feature is available in Postfix 2.3 and later.
3400
3402 The LMTP-specific version of the smtp_tls_protocols configuration pa‐
3403 rameter. See there for details.
3404
3405 This feature is available in Postfix 2.6 and later.
3406
3408 The LMTP-specific version of the smtp_tls_scert_verifydepth configura‐
3409 tion parameter. See there for details.
3410
3411 This feature is available in Postfix 2.3 and later.
3412
3414 The LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3415 tion parameter. See there for details.
3416
3417 This feature is available in Postfix 2.3 and later.
3418
3420 The LMTP-specific version of the smtp_tls_security_level configuration
3421 parameter. See there for details.
3422
3423 This feature is available in Postfix 2.3 and later.
3424
3426 The LMTP-specific version of the smtp_tls_servername configuration pa‐
3427 rameter. See there for details.
3428
3429 This feature is available in Postfix 3.4 and later.
3430
3432 The LMTP-specific version of the smtp_tls_session_cache_database con‐
3433 figuration parameter. See there for details.
3434
3435 This feature is available in Postfix 2.3 and later.
3436
3438 The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3439 uration parameter. See there for details.
3440
3441 This feature is available in Postfix 2.3 and later.
3442
3444 The LMTP-specific version of the smtp_tls_trust_anchor_file configura‐
3445 tion parameter. See there for details.
3446
3447 This feature is available in Postfix 2.11 and later.
3448
3450 The LMTP-specific version of the smtp_tls_verify_cert_match configura‐
3451 tion parameter. See there for details.
3452
3453 This feature is available in Postfix 2.3 and later.
3454
3456 The LMTP-specific version of the smtp_tls_wrappermode configuration pa‐
3457 rameter. See there for details.
3458
3459 This feature is available in Postfix 3.0 and later.
3460
3462 The LMTP-specific version of the smtp_use_tls configuration parameter.
3463 See there for details.
3464
3465 This feature is available in Postfix 2.3 and later.
3466
3468 The Postfix LMTP client time limit for sending the XFORWARD command,
3469 and for receiving the remote LMTP server response.
3470
3471 In case of problems the client does NOT try the next address on the
3472 mail exchanger list.
3473
3474 Specify a non-zero time value (an integral value plus an optional
3475 one-letter suffix that specifies the time unit). Time units: s (sec‐
3476 onds), m (minutes), h (hours), d (days), w (weeks). The default time
3477 unit is s (seconds).
3478
3479 This feature is available in Postfix 2.1 and later.
3480
3482 Optional shell program for local(8) delivery to non-Postfix commands.
3483 By default, non-Postfix commands are executed directly; commands are
3484 given to the default shell (typically, /bin/sh) only when they contain
3485 shell meta characters or shell built-in commands.
3486
3487 "sendmail's restricted shell" (smrsh) is what most people will use in
3488 order to restrict what programs can be run from e.g. .forward files
3489 (smrsh is part of the Sendmail distribution).
3490
3491 Note: when a shell program is specified, it is invoked even when the
3492 command contains no shell built-in commands or meta characters.
3493
3494 Example:
3495
3496 local_command_shell = /some/where/smrsh -c
3497 local_command_shell = /bin/bash -c
3498
3500 Optional filter for the local(8) delivery agent to change the status
3501 code or explanatory text of successful or unsuccessful deliveries. See
3502 default_delivery_status_filter for details.
3503
3504 This feature is available in Postfix 3.0 and later.
3505
3507 The maximal number of parallel deliveries via the local mail delivery
3508 transport to the same recipient (when "local_destination_recipi‐
3509 ent_limit = 1") or the maximal number of parallel deliveries to the
3510 same local domain (when "local_destination_recipient_limit > 1"). This
3511 limit is enforced by the queue manager. The message delivery transport
3512 name is the first field in the entry in the master.cf file.
3513
3514 A low limit of 2 is recommended, just in case someone has an expensive
3515 shell command in a .forward file or in an alias (e.g., a mailing list
3516 manager). You don't want to run lots of those at the same time.
3517
3519 The maximal number of recipients per message delivery via the local
3520 mail delivery transport. This limit is enforced by the queue manager.
3521 The message delivery transport name is the first field in the entry in
3522 the master.cf file.
3523
3524 Setting this parameter to a value > 1 changes the meaning of local_des‐
3525 tination_concurrency_limit from concurrency per recipient into concur‐
3526 rency per domain.
3527
3529 Rewrite or add message headers in mail from these clients, updating in‐
3530 complete addresses with the domain name in $myorigin or $mydomain, and
3531 adding missing headers.
3532
3533 See the append_at_myorigin and append_dot_mydomain parameters for de‐
3534 tails of how domain names are appended to incomplete addresses.
3535
3536 See remote_header_rewrite_domain to optionally rewrite or add message
3537 headers in mail from other clients.
3538
3539 Specify a list of zero or more of the following:
3540
3541 permit_inet_interfaces
3542 Append the domain name in $myorigin or $mydomain when the client
3543 IP address matches $inet_interfaces. This is enabled by default.
3544
3545 permit_mynetworks
3546 Append the domain name in $myorigin or $mydomain when the client
3547 IP address matches any network or network address listed in
3548 $mynetworks. This setting will not prevent remote mail header
3549 address rewriting when mail from a remote client is forwarded by
3550 a neighboring system.
3551
3552 permit_sasl_authenticated
3553 Append the domain name in $myorigin or $mydomain when the client
3554 is successfully authenticated via the RFC 4954 (AUTH) protocol.
3555
3556 permit_tls_clientcerts
3557 Append the domain name in $myorigin or $mydomain when the remote
3558 SMTP client TLS certificate fingerprint or public key finger‐
3559 print (Postfix 2.9 and later) is listed in $relay_clientcerts.
3560 The fingerprint digest algorithm is configurable via the
3561 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
3562 to Postfix version 2.5).
3563 The default algorithm is sha256 with Postfix >= 3.6 and the com‐
3564 patibility_level set to 3.6 or higher. With Postfix <= 3.5, the
3565 default algorithm is md5. The best-practice algorithm is now
3566 sha256. Recent advances in hash function cryptanalysis have led
3567 to md5 and sha1 being deprecated in favor of sha256. However,
3568 as long as there are no known "second pre-image" attacks against
3569 the older algorithms, their use in this context, though not rec‐
3570 ommended, is still likely safe.
3571
3572 permit_tls_all_clientcerts
3573 Append the domain name in $myorigin or $mydomain when the remote
3574 SMTP client TLS certificate is successfully verified, regardless
3575 of whether it is listed on the server, and regardless of the
3576 certifying authority.
3577
3578 check_address_map type:table
3579
3580 type:table
3581 Append the domain name in $myorigin or $mydomain when the client
3582 IP address matches the specified lookup table. The lookup re‐
3583 sult is ignored, and no subnet lookup is done. This is suitable
3584 for, e.g., pop-before-smtp lookup tables.
3585
3586 Examples:
3587
3588 The Postfix < 2.2 backwards compatible setting: always rewrite message
3589 headers, and always append my own domain to incomplete header ad‐
3590 dresses.
3591
3592 local_header_rewrite_clients = static:all
3593
3594 The purist (and default) setting: rewrite headers only in mail from
3595 Postfix sendmail and in SMTP mail from this machine.
3596
3597 local_header_rewrite_clients = permit_inet_interfaces
3598
3599 The intermediate setting: rewrite header addresses and append $myorigin
3600 or $mydomain information only with mail from Postfix sendmail, from lo‐
3601 cal clients, or from authorized SMTP clients.
3602
3603 Note: this setting will not prevent remote mail header address rewrit‐
3604 ing when mail from a remote client is forwarded by a neighboring sys‐
3605 tem.
3606
3607 local_header_rewrite_clients = permit_mynetworks,
3608 permit_sasl_authenticated permit_tls_clientcerts
3609 check_address_map hash:/etc/postfix/pop-before-smtp
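The decision that list encodes, worked through as an added Python example that is not part of Postfix or of this manual page: a client's attributes are checked against each item of local_header_rewrite_clients in order, and the first match enables rewriting. The CONFIG values, the client dictionaries and the table contents are constructed for the example.

```python
import ipaddress
import re

# Constructed stand-ins for the main.cf settings and lookup tables the
# decision depends on; none of these values come from the manual page.
CONFIG = {
    "inet_interfaces": {"127.0.0.1", "::1", "192.0.2.1"},
    "mynetworks": ["127.0.0.0/8", "[::1]/128", "192.0.2.0/24"],
    "relay_clientcerts": {"constructed-client-cert-fingerprint"},
    "tables": {"hash:/etc/postfix/pop-before-smtp": {"198.51.100.7"}},
}


def parse_policy(value):
    """Split a local_header_rewrite_clients value into (keyword, argument)
    pairs; "check_address_map type:table" and a bare "type:table" are equivalent."""
    tokens = [t for t in re.split(r"[\s,]+", value.strip()) if t]
    policy, i = [], 0
    while i < len(tokens):
        if tokens[i] == "check_address_map":
            if i + 1 == len(tokens):
                raise ValueError("check_address_map needs a type:table argument")
            policy.append(("check_address_map", tokens[i + 1]))
            i += 2
        elif ":" in tokens[i]:
            policy.append(("check_address_map", tokens[i]))
            i += 1
        else:
            policy.append((tokens[i], None))
            i += 1
    return policy


def in_mynetworks(ip, networks):
    """True when ip falls inside any listed network; accepts Postfix's [ipv6]/len form."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        net = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        if addr in net:          # mixed IPv4/IPv6 comparisons are simply False
            return True
    return False


def table_has_key(name, key, cfg):
    """Lookup-as-list: only found/not-found matters; static: tables match every key."""
    if name.startswith("static:"):
        return True
    return key in cfg["tables"].get(name, set())


def rewrite_headers_for(client, value, cfg=CONFIG):
    """Return True when the local_header_rewrite_clients value makes Postfix
    rewrite/add headers in mail from this client. client keys: ip (required),
    sasl_authenticated, cert_fingerprint, cert_verified (all optional)."""
    for keyword, arg in parse_policy(value):
        if keyword == "permit_inet_interfaces":
            hit = client["ip"] in cfg["inet_interfaces"]
        elif keyword == "permit_mynetworks":
            hit = in_mynetworks(client["ip"], cfg["mynetworks"])
        elif keyword == "permit_sasl_authenticated":
            hit = bool(client.get("sasl_authenticated"))
        elif keyword == "permit_tls_clientcerts":
            fp = client.get("cert_fingerprint")
            hit = fp is not None and fp in cfg["relay_clientcerts"]
        elif keyword == "permit_tls_all_clientcerts":
            hit = bool(client.get("cert_verified"))
        elif keyword == "check_address_map":
            hit = table_has_key(arg, client["ip"], cfg)
        else:
            raise ValueError("unknown local_header_rewrite_clients item: " + keyword)
        if hit:
            return True
    return False
```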
3610
3612 A list of lookup tables that are searched by the UNIX login name, and
3613 that return a list of allowed envelope sender patterns separated by
3614 space or comma. These sender patterns are enforced by the Postfix post‐
3615 drop(1) command. The default is backwards-compatible: every user may
3616 specify any sender envelope address.
3617
3618 When no UNIX login name is available, the postdrop(1) command will
3619 prepend "uid:" to the numerical UID and use that instead.
3620
3621 This feature ignores address extensions in the user-specified envelope
3622 sender address.
3623
3624 The following sender patterns are special; these cannot be used as part
3625 of a longer pattern.
3626
3627 * This pattern allows any envelope sender address.
3628
3629 <> This pattern allows the empty envelope sender address. See the
3630 empty_address_local_login_sender_maps_lookup_key configuration
3631 parameter.
3632
3633 @domain
3634 This pattern allows an envelope sender address when the '@' and
3635 domain part match.
3636
3637 Examples:
3638
3639 /etc/postfix/main.cf:
3640 # Allow root and postfix full control, anyone else can only
3641 # send mail as themselves. Use "uid:" followed by the numerical
3642 # UID when the UID has no entry in the UNIX password file.
3643 local_login_sender_maps =
3644 inline:{ { root = * }, { postfix = * } },
3645 pcre:/etc/postfix/login_senders
3646
3647 /etc/postfix/login_senders:
3648 # Allow both the bare username and the user@domain forms.
3649 /(.+)/ $1 $1@example.com
3650
3651 This feature is available in Postfix 3.6 and later.
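An added example, not Postfix code, that emulates the postdrop(1) enforcement described above: the lookup key, the extension stripping and the three special patterns, run over the tables from the example plus a constructed www-data entry. Case-insensitive address comparison and rejection of a login that has no table entry are assumptions of this example.

```python
import re


def strip_extension(address, delimiter="+"):
    """user+ext@domain -> user@domain: this feature ignores address extensions."""
    local, sep, domain = address.rpartition("@")
    if not sep:                                  # no domain part at all
        local, domain = address, ""
    if delimiter and delimiter in local[1:]:     # a leading delimiter is not an extension
        local = local[:local.index(delimiter, 1)]
    return local + sep + domain


class InlineTable:
    """Stand-in for inline:{ { key = value }, ... }."""
    def __init__(self, entries):
        self.entries = dict(entries)

    def lookup(self, key):
        return self.entries.get(key)


class PcreTable:
    """Stand-in for a pcre: table: the first matching /pattern/ wins, $N expands groups."""
    def __init__(self, rules):
        self.rules = [(re.compile(p), r) for p, r in rules]

    def lookup(self, key):
        for pat, repl in self.rules:
            m = pat.search(key)
            if m:
                return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), repl)
        return None


# Tables mirroring the man page example, plus a constructed "www-data" entry
# that exercises the "<>" and "@domain" patterns.
TABLES = [
    InlineTable({"root": "*", "postfix": "*", "www-data": "<> @app.example.com"}),
    PcreTable([(r"(.+)", "$1 $1@example.com")]),
]


def lookup_key(login_name, uid):
    """postdrop(1) searches by login name, or by "uid:<number>" when none is known."""
    return login_name if login_name else "uid:%d" % uid


def allowed_patterns(key, tables):
    """First table with an entry for key wins; patterns are space/comma separated."""
    for table in tables:
        result = table.lookup(key)
        if result is not None:
            return [p for p in re.split(r"[\s,]+", result.strip()) if p]
    return None


def sender_allowed(login_name, uid, sender, tables=TABLES, delimiter="+"):
    """May this login submit mail with this envelope sender?"""
    if not tables:                       # no tables: backwards-compatible default, any sender
        return True
    patterns = allowed_patterns(lookup_key(login_name, uid), tables)
    if patterns is None:                 # assumption: a login without any entry gets nothing
        return False
    if sender in ("", "<>"):             # the empty (null) envelope sender
        sender = ""
    else:
        sender = strip_extension(sender, delimiter).lower()   # assumed case-insensitive
    for pat in patterns:
        pat = pat.lower()
        if pat == "*":
            return True
        if pat == "<>":
            if sender == "":
                return True
        elif pat.startswith("@"):
            if "@" in sender and sender.rpartition("@")[2] == pat[1:]:
                return True
        elif pat == sender:
            return True
    return False
```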
3652
3654 Lookup tables with all names or addresses of local recipients: a recip‐
3655 ient address is local when its domain matches $mydestination, $inet_in‐
3656 terfaces or $proxy_interfaces. Specify @domain as a wild-card for do‐
3657 mains that do not have a valid recipient list. Technically, tables
3658 listed with $local_recipient_maps are used as lists: Postfix needs to
3659 know only if a lookup string is found or not, but it does not use the
3660 result from table lookup.
3661
3662 Specify zero or more "type:name" lookup tables, separated by whitespace
3663 or comma. Tables will be searched in the specified order until a match
3664 is found.
3665
3666 If this parameter is non-empty (the default), then the Postfix SMTP
3667 server will reject mail for unknown local users.
3668
3669 To turn off local recipient checking in the Postfix SMTP server, spec‐
3670 ify "local_recipient_maps =" (i.e. empty).
3671
3672 The default setting assumes that you use the default Postfix local de‐
3673 livery agent for local delivery. You need to update the local_recipi‐
3674 ent_maps setting if:
3675
3676 • You redefine the local delivery agent in master.cf.
3677
3678 • You redefine the "local_transport" setting in main.cf.
3679
3680 • You use the "luser_relay", "mailbox_transport", or "fall‐
3681 back_transport" feature of the Postfix local(8) delivery agent.
3682
3683 Details are described in the LOCAL_RECIPIENT_README file.
3684
3685 Beware: if the Postfix SMTP server runs chrooted, you need to access
3686 the passwd file via the proxymap(8) service, in order to overcome ch‐
3687 root access restrictions. The alternative, maintaining a copy of the
3688 system password file in the chroot jail, is not practical.
3689
3690 Examples:
3691
3692 local_recipient_maps =
3693
3695 The default mail delivery transport and next-hop destination for final
3696 delivery to domains listed with mydestination, and for [ipaddress] des‐
3697 tinations that match $inet_interfaces or $proxy_interfaces. This in‐
3698 formation can be overruled with the transport(5) table.
3699
3700 By default, local mail is delivered to the transport called "local",
3701 which is just the name of a service that is defined in the master.cf file.
3702
3703 Specify a string of the form transport:nexthop, where transport is the
3704 name of a mail delivery transport defined in master.cf. The :nexthop
3705 destination is optional; its syntax is documented in the manual page of
3706 the corresponding delivery agent.
3707
3708 Beware: if you override the default local delivery agent then you need
3709 to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
3710 server may reject mail for local recipients.
3711
3713 Optional catch-all destination for unknown local(8) recipients. By de‐
3714 fault, mail for unknown recipients in domains that match $mydestina‐
3715 tion, $inet_interfaces or $proxy_interfaces is returned as undeliver‐
3716 able.
3717
3718 The luser_relay value is not subject to Postfix configuration parameter
3719 $name expansion. Instead, the following $name expansions are done:
3720
3721 $domain
3722 The recipient domain.
3723
3724 $extension
3725 The recipient address extension.
3726
3727 $home The recipient's home directory.
3728
3729 $local The entire recipient address localpart.
3730
3731 $recipient
3732 The full recipient address.
3733
3734 $recipient_delimiter
3735 The address extension delimiter that was found in the recipient
3736 address (Postfix 2.11 and later), or the system-wide recipient
3737 address extension delimiter (Postfix 2.10 and earlier).
3738
3739 $shell The recipient's login shell.
3740
3741 $user The recipient username.
3742
3743 ${name?value}
3744
3745 ${name?{value}} (Postfix >= 3.0)
3746 Expands to value when $name is non-empty.
3747
3748 ${name:value}
3749
3750 ${name:{value}} (Postfix >= 3.0)
3751 Expands to value when $name is empty.
3752
3753 ${name?{value1}:{value2}} (Postfix >= 3.0)
3754 Expands to value1 when $name is non-empty, value2 otherwise.
3755
3756 Instead of $name you can also specify ${name} or $(name).
3757
3758 Note: luser_relay works only for the Postfix local(8) delivery agent.
3759
3760 Note: if you use this feature for accounts not in the UNIX password
3761 file, then you must specify "local_recipient_maps =" (i.e. empty) in
3762 the main.cf file, otherwise the Postfix SMTP server will reject mail
3763 for non-UNIX accounts with "User unknown in local recipient table".
3764
3765 Examples:
3766
3767 luser_relay = $user@other.host
3768 luser_relay = $local@other.host
3769 luser_relay = admin+$local
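The luser_relay attribute expansion rules above, implemented as an added Python example (not Postfix's own expander): it handles $name, ${name}, $(name), the ${name?...} and ${name:...} forms with bare or braced values, and the three-way ${name?{value1}:{value2}} form, recursing into the chosen value. ATTRS holds constructed recipient attributes.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")

# Constructed attributes such as local(8) would supply for "alice+info@example.com".
ATTRS = {
    "user": "alice", "local": "alice+info", "extension": "info",
    "domain": "example.com", "recipient": "alice+info@example.com",
    "recipient_delimiter": "+", "home": "/home/alice", "shell": "/bin/sh",
}


def _matching(text, start, open_ch, close_ch):
    """Index of the delimiter closing text[start] (= open_ch), honouring nesting; -1 if none."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    return -1


def _split_values(body):
    """Text after '?' or ':' -> (value1, value2). {value1} may be followed by
    :{value2} (braces optional for value2); a bare value is value1 alone."""
    if not body.startswith("{"):
        return body, None
    end = _matching(body, 0, "{", "}")
    if end < 0:
        raise ValueError("unbalanced {} in " + body)
    value1, rest = body[1:end], body[end + 1:]
    if rest == "":
        return value1, None
    if not rest.startswith(":"):
        raise ValueError("unexpected text after {value}: " + rest)
    value2 = rest[1:]
    if value2.startswith("{") and _matching(value2, 0, "{", "}") == len(value2) - 1:
        value2 = value2[1:-1]
    return value1, value2


def _reference(inner, attrs):
    """Expand the text found between ${ } or $( )."""
    m = NAME_RE.match(inner)
    if not m:
        raise ValueError("bad reference: " + inner)
    name, rest = m.group(), inner[m.end():]
    value = attrs.get(name, "")               # an undefined attribute expands to empty
    if rest == "":
        return value
    op, (value1, value2) = rest[0], _split_values(rest[1:])
    if op == "?":                              # value1 when non-empty, else value2 (if given)
        chosen = value1 if value != "" else value2
    elif op == ":":                            # value1 only when empty
        chosen = value1 if value == "" else None
    else:
        raise ValueError("bad reference: " + inner)
    return expand(chosen, attrs) if chosen is not None else ""


def expand(template, attrs):
    """Expand $name, ${name}, $(name) and the conditional ${name?...}/${name:...} forms."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "$":
            out.append(template[i])
            i += 1
            continue
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if nxt in ("{", "("):
            end = _matching(template, i + 1, nxt, "}" if nxt == "{" else ")")
            if end < 0:
                raise ValueError("unbalanced %s in %s" % (nxt, template))
            out.append(_reference(template[i + 2:end], attrs))
            i = end + 1
        else:
            m = NAME_RE.match(template, i + 1)
            if m:
                out.append(attrs.get(m.group(), ""))
                i = m.end()
            else:                              # a lone "$" is literal
                out.append("$")
                i += 1
    return "".join(out)
```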
3770
3772 The mail system name that is displayed in Received: headers, in the
3773 SMTP greeting banner, and in bounced mail.
3774
3776 The UNIX system account that owns the Postfix queue and most Postfix
3777 daemon processes. Specify the name of an unprivileged user account
3778 that does not share a user or group ID with other accounts, and that
3779 owns no other files or processes on the system. In particular, don't
3780 specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.
3781
3782 When this parameter value is changed you need to re-run "postfix
3783 set-permissions" (with Postfix version 2.0 and earlier:
3784 "/etc/postfix/post-install set-permissions").
3785
3787 The Postfix release date, in "YYYYMMDD" format.
3788
3790 The directory where local(8) UNIX-style mailboxes are kept. The default
3791 setting depends on the system type. Specify a name ending in / for
3792 maildir-style delivery.
3793
3794 Note: maildir delivery is done with the privileges of the recipient.
3795 If you use the mail_spool_directory setting for maildir style delivery,
3796 then you must create the top-level maildir directory in advance. Post‐
3797 fix will not create it.
3798
3799 Examples:
3800
3801 mail_spool_directory = /var/mail
3802 mail_spool_directory = /var/spool/mail
3803
3805 The version of the mail system. Stable releases are named major.mi‐
3806 nor.patchlevel. Experimental releases also include the release date.
3807 The version string can be used in, for example, the SMTP greeting ban‐
3808 ner.
3809
3811 Optional external command that the local(8) delivery agent should use
3812 for mailbox delivery. The command is run with the user ID and the pri‐
3813 mary group ID privileges of the recipient. Exception: command delivery
3814 for root executes with $default_privs privileges. This is not a prob‐
3815 lem, because 1) mail for root should always be aliased to a real user
3816 and 2) don't log in as root, use "su" instead.
3817
3818 The following environment variables are exported to the command:
3819
3820 CLIENT_ADDRESS
3821 Remote client network address. Available in Postfix version 2.2
3822 and later.
3823
3824 CLIENT_HELO
3825 Remote client EHLO command parameter. Available in Postfix ver‐
3826 sion 2.2 and later.
3827
3828 CLIENT_HOSTNAME
3829 Remote client hostname. Available in Postfix version 2.2 and
3830 later.
3831
3832 CLIENT_PROTOCOL
3833 Remote client protocol. Available in Postfix version 2.2 and
3834 later.
3835
3836 DOMAIN The domain part of the recipient address.
3837
3838 EXTENSION
3839 The optional address extension.
3840
3841 HOME The recipient home directory.
3842
3843 LOCAL The recipient address localpart.
3844
3845 LOGNAME
3846 The recipient's username.
3847
3848 ORIGINAL_RECIPIENT
3849 The entire recipient address, before any address rewriting or
3850 aliasing.
3851
3852 RECIPIENT
3853 The full recipient address.
3854
3855 SASL_METHOD
3856 SASL authentication method specified in the remote client AUTH
3857 command. Available in Postfix version 2.2 and later.
3858
3859 SASL_SENDER
3860 SASL sender address specified in the remote client MAIL FROM
3861 command. Available in Postfix version 2.2 and later.
3862
3863 SASL_USER
3864 SASL username specified in the remote client AUTH command.
3865 Available in Postfix version 2.2 and later.
3866
3867 SENDER The full sender address.
3868
3869 SHELL The recipient's login shell.
3870
3871 USER The recipient username.
3872
3873 Unlike other Postfix configuration parameters, the mailbox_command pa‐
3874 rameter is not subjected to $name substitutions. This is to make it
3875 easier to specify shell syntax (see example below).
3876
3877 If you can, avoid shell meta characters because they will force Postfix
3878 to run an expensive shell process. If you're delivering via "procmail"
3879 then running a shell won't make a noticeable difference in the total
3880 cost.
3881
3882 Note: if you use the mailbox_command feature to deliver mail sys‐
3883 tem-wide, you must set up an alias that forwards mail for root to a
3884 real user.
3885
3886 The precedence of local(8) delivery features from high to low is:
3887 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3888 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3889 tory, fallback_transport_maps, fallback_transport and luser_relay.
3890
3891 Examples:
3892
3893 mailbox_command = /some/where/procmail
3894 mailbox_command = /some/where/procmail -a "$EXTENSION"
3895 mailbox_command = /some/where/maildrop -d "$USER"
3896 -f "$SENDER" "$EXTENSION"
3897
3899 Optional lookup tables with per-recipient external commands to use for
3900 local(8) mailbox delivery. Behavior is as with mailbox_command.
3901
3902 The precedence of local(8) delivery features from high to low is:
3903 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3904 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3905 tory, fallback_transport_maps, fallback_transport and luser_relay.
3906
3907 Specify zero or more "type:name" lookup tables, separated by whitespace
3908 or comma. Tables will be searched in the specified order until a match
3909 is found.
3910
3912 How to lock a UNIX-style local(8) mailbox before attempting delivery.
3913 For a list of available file locking methods, use the "postconf -l"
3914 command.
3915
3916 This setting is ignored with maildir style delivery, because such de‐
3917 liveries are safe without explicit locks.
3918
3919 Note: The dotlock method requires that the recipient UID or GID has
3920 write access to the parent directory of the mailbox file.
3921
3922 Note: the default setting of this parameter is system dependent.
3923
3925 The maximal size of any local(8) individual mailbox or maildir file, or
3926 zero (no limit). In fact, this limits the size of any file that is
3927 written to upon local delivery, including files written by external
3928 commands that are executed by the local(8) delivery agent. The value
3929 cannot exceed LONG_MAX (typically, a 32-bit or 64-bit signed integer).
3930
3931 This limit must not be smaller than the message size limit.
3932
3934 Optional message delivery transport that the local(8) delivery agent
3935 should use for mailbox delivery to all local recipients, whether or not
3936 they are found in the UNIX passwd database.
3937
3938 The precedence of local(8) delivery features from high to low is:
3939 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3940 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3941 tory, fallback_transport_maps, fallback_transport and luser_relay.
3942
3944 Optional lookup tables with per-recipient message delivery transports
3945 to use for local(8) mailbox delivery, whether or not the recipients are
3946 found in the UNIX passwd database.
3947
3948 The precedence of local(8) delivery features from high to low is:
3949 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3950 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3951 tory, fallback_transport_maps, fallback_transport and luser_relay.
3952
3953 Specify zero or more "type:name" lookup tables, separated by whitespace
3954 or comma. Tables will be searched in the specified order until a match
3955 is found.
3956
3957 For safety reasons, this feature does not allow $number substitutions
3958 in regular expression maps.
3959
3960 This feature is available in Postfix 2.3 and later.
3961
3963 The name of an optional logfile that is written by the Postfix post‐
3964 logd(8) service. An empty value selects logging to syslogd(8). Specify
3965 "/dev/stdout" to select logging to standard output. Stdout logging re‐
3966 quires that Postfix is started with "postfix start-fg".
3967
3968 Note 1: The maillog_file parameter value must contain a prefix that is
3969 specified with the maillog_file_prefixes parameter.
3970
3971 Note 2: Some Postfix non-daemon programs may still log information to
3972 syslogd(8), before they have processed their configuration parameters
3973 and command-line options.
3974
3975 This feature is available in Postfix 3.4 and later.
3976
3978 The program to run after rotating $maillog_file with "postfix logro‐
3979 tate". The command is run with the rotated logfile name as its first
3980 argument.
3981
3982 This feature is available in Postfix 3.4 and later.
3983
3985 A list of allowed prefixes for a maillog_file value. This is a safety
3986 feature to contain the damage from a single configuration mistake.
3987 Specify one or more prefix strings, separated by comma or whitespace.
3988
3989 This feature is available in Postfix 3.4 and later.
3990
3992 The format of the suffix to append to $maillog_file while rotating the
3993 file with "postfix logrotate". See strftime(3) for syntax. The default
3994 suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.
3995
3996 This feature is available in Postfix 3.4 and later.
3997
3999 Sendmail compatibility feature that specifies where the Postfix
4000 mailq(1) command is installed. This command can be used to list the
4001 Postfix mail queue.
4002
4004 Where the Postfix manual pages are installed.
4005
4007 Obsolete feature: use the reject_rbl_client feature instead.
4008
4010 The numerical Postfix SMTP server response code when a remote SMTP
4011 client request is blocked by the reject_rbl_client, re‐
4012 ject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender or
4013 reject_rhsbl_recipient restriction.
4014
4015 Do not change this unless you have a complete understanding of RFC
4016 5321.
4017
4019
4020 What addresses are subject to address masquerading.
4021
4022 By default, address masquerading is limited to envelope sender ad‐
4023 dresses, and to header sender and header recipient addresses. This al‐
4024 lows you to use address masquerading on a mail gateway while still be‐
4025 ing able to forward mail to users on individual machines.
4026
4027 Specify zero or more of: envelope_sender, envelope_recipient,
4028 header_sender, header_recipient
4029
4031 Optional list of domains whose subdomain structure will be stripped off
4032 in email addresses.
4033
4034 The list is processed left to right, and processing stops at the first
4035 match. Thus,
4036
4037 masquerade_domains = foo.example.com example.com
4038
4039 strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
4040 strips "user@any.thing.else.example.com" to "user@example.com".
4041
4042 A domain name prefixed with ! means do not masquerade this domain or
4043 its subdomains. Thus,
4044
4045 masquerade_domains = !foo.example.com example.com
4046
4047 does not change "user@any.thing.foo.example.com" or "user@foo.exam‐
4048 ple.com", but strips "user@any.thing.else.example.com" to "user@exam‐
4049 ple.com".
4050
4051 Note: with Postfix version 2.2 and later, message header address
4052 masquerading happens only when message header address rewriting is enabled:
4053
4054 • The message is received with the Postfix sendmail(1) command,
4055
4056 • The message is received from a network client that matches $lo‐
4057 cal_header_rewrite_clients,
4058
4059 • The message is received from the network, and the re‐
4060 mote_header_rewrite_domain parameter specifies a non-empty
4061 value.
4062
4063 To get the behavior before Postfix version 2.2, specify "lo‐
4064 cal_header_rewrite_clients = static:all".
4065
4066 Example:
4067
4068 masquerade_domains = $mydomain
4069
4071 Optional list of user names that are not subjected to address mas‐
4072 querading, even when their addresses match $masquerade_domains.
4073
4074 By default, address masquerading makes no exceptions.
4075
4076 Specify a list of user names, "/file/name" or "type:table" patterns,
4077 separated by commas and/or whitespace. The list is matched left to
4078 right, and the search stops on the first match. A "/file/name" pattern
4079 is replaced by its contents; a "type:table" lookup table is matched
4080 when a name matches a lookup key (the lookup result is ignored). Con‐
4081 tinue long lines by starting the next line with whitespace. Specify
4082 "!pattern" to exclude a name from the list. The form "!/file/name" is
4083 supported only in Postfix version 2.4 and later.
4084
4085 Examples:
4086
4087 masquerade_exceptions = root, mailer-daemon
4088 masquerade_exceptions = root
4089
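The following is an added example, not Postfix code and not part of this manual page. It applies the masquerade_domains, masquerade_exceptions and masquerade_classes rules described above to concrete addresses: patterns are tried left to right, the first matching domain wins, "!domain" stops the search without rewriting, and exception user names are never rewritten. The header-name sets used to classify "header_sender" and "header_recipient" headers are an assumption of this example, not a statement from the page, and local-part comparison for exceptions is done case-insensitively here.

```python
import re

# Added example, not Postfix code: applies masquerade_domains,
# masquerade_exceptions and masquerade_classes to addresses the way the
# postconf(5) text describes them. The header sets below are assumptions.

SENDER_HEADERS = {"from", "sender", "reply-to"}     # assumed "header_sender" headers
RECIPIENT_HEADERS = {"to", "cc", "bcc"}             # assumed "header_recipient" headers
DEFAULT_CLASSES = "envelope_sender, header_sender, header_recipient"


def split_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value.strip()) if item]


def first_match(key, patterns, matches):
    """Postfix matchlist rule: left to right, stop at the first hit.
    Returns (pattern, excluded); excluded is True when the hit was "!pattern"."""
    for pattern in patterns:
        excluded = pattern.startswith("!")
        body = pattern[1:] if excluded else pattern
        if matches(key, body):
            return body, excluded
    return None


def domain_matches(domain, pattern):
    """A masquerade_domains entry matches the domain itself and any subdomain."""
    return domain == pattern or domain.endswith("." + pattern)


def masquerade_address(address, masquerade_domains, masquerade_exceptions=""):
    """Strip subdomain structure from one address, or leave it unchanged."""
    if "@" not in address:
        return address
    localpart, domain = address.rsplit("@", 1)
    # masquerade_exceptions: user names that are never rewritten ("!name" un-excepts).
    hit = first_match(localpart.lower(),
                      [p.lower() for p in split_list(masquerade_exceptions)],
                      lambda a, b: a == b)
    if hit is not None and not hit[1]:
        return address
    hit = first_match(domain.lower(),
                      [p.lower() for p in split_list(masquerade_domains)],
                      domain_matches)
    if hit is None or hit[1]:        # no match, or a "!domain" hit: leave as is
        return address
    return f"{localpart}@{hit[0]}"


def masquerade_message(envelope_sender, envelope_recipients, headers,
                       masquerade_domains, masquerade_exceptions="",
                       masquerade_classes=DEFAULT_CLASSES):
    """Apply masquerading only to the address classes named in
    masquerade_classes. headers is a list of (name, address) pairs.
    Returns (sender, recipients, headers) with the selected classes rewritten."""
    classes = set(split_list(masquerade_classes))

    def rewrite(addr):
        return masquerade_address(addr, masquerade_domains, masquerade_exceptions)

    sender = rewrite(envelope_sender) if "envelope_sender" in classes else envelope_sender
    recipients = ([rewrite(r) for r in envelope_recipients]
                  if "envelope_recipient" in classes else list(envelope_recipients))
    new_headers = []
    for name, addr in headers:
        lname = name.lower()
        if (lname in SENDER_HEADERS and "header_sender" in classes) or \
           (lname in RECIPIENT_HEADERS and "header_recipient" in classes):
            addr = rewrite(addr)
        new_headers.append((name, addr))
    return sender, recipients, new_headers
```

With the default masquerade_classes the envelope recipient keeps its host-specific domain, which is what lets a gateway forward mail to user@host.example.com while everything visible to the outside says user@example.com.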
4091 Selectively disable master(8) listener ports by service type or by ser‐
4092 vice name and type. Specify a list of service types ("inet", "unix",
4093 "fifo", or "pass") or "name/type" tuples, where "name" is the first
4094 field of a master.cf entry and "type" is a service type. As with other
4095 Postfix matchlists, a search stops at the first match. Specify "!pat‐
4096 tern" to exclude a service from the list. By default, all master(8)
4097 listener ports are enabled.
4098
4099 Note: this feature does not support "/file/name" or "type:table" pat‐
4100 terns, nor does it support wildcards such as "*" or "all". This is in‐
4101 tentional.
4102
4103 Examples:
4104
4105 # With Postfix 2.6..2.10 use '.' instead of '/'.
4106 # Turn on all master(8) listener ports (the default).
4107 master_service_disable =
4108 # Turn off only the main SMTP listener port.
4109 master_service_disable = smtp/inet
4110 # Turn off all TCP/IP listener ports.
4111 master_service_disable = inet
4112 # Turn off all TCP/IP listener ports except "foo".
4113 master_service_disable = !foo/inet, inet
4114
4115 This feature is available in Postfix 2.6 and later.
4116
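The following is an added example, not Postfix code and not part of this manual page. It validates a master_service_disable value against the rules above (service types or "name/type" tuples, "!pattern" exclusion, first match wins, no "/file/name", "type:table" or wildcard forms) and lists which listeners of a master.cf excerpt stay enabled, which is a useful check of the exposed network surface before reloading. The master.cf lines are constructed for this example.

```python
import re

# Added example, not Postfix code: validates a master_service_disable value
# and computes which master.cf listeners remain enabled, using the
# first-match matchlist rule and "!pattern" exclusion described in postconf(5).

SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}

# Constructed master.cf excerpt, modelled on a stock installation.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
""".splitlines()


def parse_master_service_disable(value):
    """Split the value and reject what the text says is intentionally
    unsupported: "/file/name" and "type:table" patterns, and wildcards."""
    patterns = []
    for item in re.split(r"[\s,]+", value.strip()):
        if not item:
            continue
        body = item[1:] if item.startswith("!") else item
        if body.startswith("/") or "*" in body or body == "all":
            raise ValueError(f"unsupported pattern {item!r}")
        if body not in SERVICE_TYPES:
            name, sep, typ = body.rpartition("/")
            if not sep or not name or typ not in SERVICE_TYPES:
                raise ValueError(f"expected a service type or name/type, got {item!r}")
        patterns.append(item)
    return patterns


def service_disabled(name, typ, patterns):
    """First match wins; a "!" hit means the service stays enabled."""
    for pattern in patterns:
        excluded = pattern.startswith("!")
        body = pattern[1:] if excluded else pattern
        if body == typ or body == f"{name}/{typ}":
            return not excluded
    return False


def enabled_listeners(master_cf_lines, master_service_disable):
    """Return the (name, type) pairs whose listener remains enabled."""
    patterns = parse_master_service_disable(master_service_disable)
    enabled = []
    for line in master_cf_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        name, typ = fields[0], fields[1]
        if not service_disabled(name, typ, patterns):
            enabled.append((name, typ))
    return enabled
```

Note the order dependence: "!submission/inet, inet" keeps the submission port open while "inet, !submission/inet" does not, because the search stops at the first match.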
4118 The maximum amount of time that an idle Postfix daemon process waits
4119 for an incoming connection before terminating voluntarily. This param‐
4120 eter is ignored by the Postfix queue manager and by other long-lived
4121 Postfix daemon processes.
4122
4123 Specify a non-zero time value (an integral value plus an optional
4124 one-letter suffix that specifies the time unit). Time units: s (sec‐
4125 onds), m (minutes), h (hours), d (days), w (weeks). The default time
4126 unit is s (seconds).
4127
4129 The maximal number of incoming connections that a Postfix daemon
4130 process will service before terminating voluntarily. This parameter is
4131 ignored by the Postfix queue manager and by other long-lived Postfix
4132 daemon processes.
4133
4135 The maximal time between attempts to deliver a deferred message.
4136
4137 This parameter should be set to a value greater than or equal to $mini‐
4138 mal_backoff_time. See also $queue_run_delay.
4139
4140 Specify a non-zero time value (an integral value plus an optional
4141 one-letter suffix that specifies the time unit). Time units: s (sec‐
4142 onds), m (minutes), h (hours), d (days), w (weeks). The default time
4143 unit is s (seconds).
4144
4146 Consider a message as undeliverable, when delivery fails with a tempo‐
4147 rary error, and the time in the queue has reached the maxi‐
4148 mal_queue_lifetime limit.
4149
4150 Specify a non-negative time value (an integral value plus an optional
4151 one-letter suffix that specifies the time unit). Time units: s (sec‐
4152 onds), m (minutes), h (hours), d (days), w (weeks). The default time
4153 unit is d (days).
4154
4155 Specify 0 when mail delivery should be tried only once.
4156
4158 Names of message headers that the cleanup(8) daemon will remove after
4159 applying header_checks(5) and before invoking Milter applications. The
4160 default setting is compatible with Postfix < 3.0.
4161
4162 Specify a list of header names, separated by comma or space. Names are
4163 matched in a case-insensitive manner. The list of supported header
4164 names is limited only by available memory.
4165
4166 This feature is available in Postfix 3.0 and later.
4167
4169 The set of characters that Postfix will reject in message content. The
4170 usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
4171 (up to three octal digits) and \\.
4172
4173 Note 1: this feature does not recognize text that requires MIME decod‐
4174 ing. It inspects raw message content, just like header_checks and
4175 body_checks.
4176
4177 Note 2: this feature is disabled with "receive_override_options =
4178 no_header_body_checks".
4179
4180 Example:
4181
4182 message_reject_characters = \0
4183
4184 This feature is available in Postfix 2.3 and later.
4185
4187 The maximal size in bytes of a message, including envelope information.
4188 The value cannot exceed LONG_MAX (typically, a 32-bit or 64-bit signed
4189 integer).
4190
4191 Note: be careful when making changes. Excessively small values will
4192 result in the loss of non-delivery notifications, when a bounce message
4193 size exceeds the local or remote MTA's message size limit.
4194
4196 The set of characters that Postfix will remove from message content.
4197 The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
4198 \ddd (up to three octal digits) and \\.
4199
4200 Note 1: this feature does not recognize text that requires MIME decod‐
4201 ing. It inspects raw message content, just like header_checks and
4202 body_checks.
4203
4204 Note 2: this feature is disabled with "receive_override_options =
4205 no_header_body_checks".
4206
4207 Example:
4208
4209 message_strip_characters = \0
4210
4211 This feature is available in Postfix 2.3 and later.
4212
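The following is an added example, not Postfix code and not part of this manual page. It serves both message_reject_characters and message_strip_characters: it parses a value with the escape syntax described above (\a \b \f \n \r \t \v, \ddd with up to three octal digits, \\) into a set of byte values, applies reject-then-strip to raw message bytes, and demonstrates Note 1 by showing that a NUL byte hidden inside a base64-encoded body is not seen, because only the raw content is inspected. Both messages are constructed for the example.

```python
import base64

# Added example, not Postfix code: parses a message_reject_characters /
# message_strip_characters value into a byte set and applies it to raw
# message content, which is what cleanup(8) inspects (no MIME decoding).

_SIMPLE_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_OCTAL = "01234567"


def parse_char_set(value):
    """Return the set of byte values named by a main.cf character-set value.
    Recognizes \\a \\b \\f \\n \\r \\t \\v, \\ddd (up to three octal digits)
    and \\\\; any other character stands for itself."""
    chars = set()
    i = 0
    while i < len(value):
        ch = value[i]
        i += 1
        if ch != "\\":
            if ord(ch) > 255:
                raise ValueError(f"non-byte character {ch!r} in value")
            chars.add(ord(ch))
            continue
        if i >= len(value):
            raise ValueError("value ends with a lone backslash")
        ch = value[i]
        if ch in _SIMPLE_ESCAPES:
            chars.add(_SIMPLE_ESCAPES[ch])
            i += 1
        elif ch in _OCTAL:
            digits = ""
            while i < len(value) and len(digits) < 3 and value[i] in _OCTAL:
                digits += value[i]
                i += 1
            chars.add(int(digits, 8) & 0xFF)
        else:
            raise ValueError(f"unknown escape sequence \\{ch}")
    return chars


def check_raw_content(raw, reject_chars, strip_chars):
    """Reject first, then strip, on the raw bytes. Returns (accepted, content)."""
    if any(byte in reject_chars for byte in raw):
        return False, raw
    return True, bytes(byte for byte in raw if byte not in strip_chars)


def nul_byte_demo():
    """Note 1 in practice: a NUL in plain content is caught, the same NUL inside
    a base64-encoded body is not, because the raw bytes contain no NUL.
    Both messages are constructed for this example."""
    reject = parse_char_set(r"\0")
    plain = b"Subject: test\r\n\r\nhello\x00world\r\n"
    encoded = (b"Subject: test\r\nContent-Transfer-Encoding: base64\r\n\r\n"
               + base64.b64encode(b"hello\x00world") + b"\r\n")
    return (check_raw_content(plain, reject, set())[0],
            check_raw_content(encoded, reject, set())[0])
```

The second value returned by nul_byte_demo() is True: the encoded message is accepted. Anything that must be enforced on decoded content belongs in a Milter or content filter, not in these two parameters.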
4214 The location of non-executable files that are shared among multiple
4215 Postfix instances, such as postfix-files, dynamicmaps.cf, and the
4216 multi-instance template files main.cf.proto and master.cf.proto. This
4217 directory should contain only Postfix-related files. Typically, the
4218 meta_directory parameter has the same default as the config_directory
4219 parameter (/etc/postfix or /usr/local/etc/postfix).
4220
4221 For backwards compatibility with Postfix versions 2.6..2.11, specify
4222 "meta_directory = $daemon_directory" in main.cf before installing or
4223 upgrading Postfix, or specify "meta_directory = /path/name" on the
4224 "make makefiles", "make install" or "make upgrade" command line.
4225
4226 This feature is available in Postfix 3.0 and later.
4227
4229 The time limit for sending an SMTP command to a Milter (mail filter)
4230 application, and for receiving the response.
4231
4232 Specify a non-zero time value (an integral value plus an optional
4233 one-letter suffix that specifies the time unit). Time units: s (sec‐
4234 onds), m (minutes), h (hours), d (days), w (weeks). The default time
4235 unit is s (seconds).
4236
4237 This feature is available in Postfix 2.3 and later.
4238
4240 The macros that are sent to Milter (mail filter) applications after
4241 completion of an SMTP connection. See MILTER_README for a list of
4242 available macro names and their meanings.
4243
4244 This feature is available in Postfix 2.3 and later.
4245
4247 The time limit for connecting to a Milter (mail filter) application,
4248 and for negotiating protocol options.
4249
4250 Specify a non-zero time value (an integral value plus an optional
4251 one-letter suffix that specifies the time unit). Time units: s (sec‐
4252 onds), m (minutes), h (hours), d (days), w (weeks). The default time
4253 unit is s (seconds).
4254
4255 This feature is available in Postfix 2.3 and later.
4256
4258 The time limit for sending message content to a Milter (mail filter)
4259 application, and for receiving the response.
4260
4261 Specify a non-zero time value (an integral value plus an optional
4262 one-letter suffix that specifies the time unit). Time units: s (sec‐
4263 onds), m (minutes), h (hours), d (days), w (weeks). The default time
4264 unit is s (seconds).
4265
4266 This feature is available in Postfix 2.3 and later.
4267
4269 The macros that are sent to version 4 or higher Milter (mail filter)
4270 applications after the SMTP DATA command. See MILTER_README for a list
4271 of available macro names and their meanings.
4272
4273 This feature is available in Postfix 2.3 and later.
4274
4276 The default action when a Milter (mail filter) response is unavailable
4277 (for example, bad Postfix configuration or Milter failure). Specify one
4278 of the following:
4279
4280 accept Proceed as if the mail filter was not present.
4281
4282 reject Reject all further commands in this session with a permanent
4283 status code.
4284
4285 tempfail
4286 Reject all further commands in this session with a temporary
4287 status code.
4288
4289 quarantine
4290 Like "accept", but freeze the message in the "hold" queue.
4291 Available with Postfix 2.6 and later.
4292
4293 This feature is available in Postfix 2.3 and later.
4294
4296 The macros that are sent to Milter (mail filter) applications after the
4297 message end-of-data. See MILTER_README for a list of available macro
4298 names and their meanings.
4299
4300 This feature is available in Postfix 2.3 and later.
4301
4303 The macros that are sent to Milter (mail filter) applications after the
4304 end of the message header. See MILTER_README for a list of available
4305 macro names and their meanings.
4306
4307 This feature is available in Postfix 2.5 and later.
4308
4310 Optional lookup tables for content inspection of message headers that
4311 are produced by Milter applications. See the header_checks(5) manual
4312 page for available actions. Currently, PREPEND is not implemented.
4313
4314 The following example sends all mail that is marked as SPAM to a spam
4315 handling machine. Note that matches are case-insensitive by default.
4316
4317 /etc/postfix/main.cf:
4318 milter_header_checks = pcre:/etc/postfix/milter_header_checks
4319
4320 /etc/postfix/milter_header_checks:
4321 /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
4322
4323 The milter_header_checks mechanism could also be used for allowlisting.
4324 For example it could be used to skip heavy content inspection for
4325 DKIM-signed mail from known friendly domains.
4326
4327 This feature is available in Postfix 2.7, and as an optional patch for
4328 Postfix 2.6.
4329
4331 The macros that are sent to Milter (mail filter) applications after the
4332 SMTP HELO or EHLO command. See MILTER_README for a list of available
4333 macro names and their meanings.
4334
4335 This feature is available in Postfix 2.3 and later.
4336
4338 The {daemon_name} macro value for Milter (mail filter) applications.
4339 See MILTER_README for a list of available macro names and their mean‐
4340 ings.
4341
4342 This feature is available in Postfix 2.3 and later.
4343
4345 Optional list of name=value pairs that specify default values for arbi‐
4346 trary macros that Postfix may send to Milter applications. These de‐
4347 faults are used when there is no corresponding information from the
4348 message delivery context.
4349
4350 Specify name=value or {name=value} pairs separated by comma or white‐
4351 space. Enclose a pair in "{}" when a value contains comma or white‐
4352 space (this form ignores whitespace after the enclosing "{", around the
4353 "=", and before the enclosing "}").
4354
4355 This feature is available in Postfix 3.1 and later.
4356
4358 The {v} macro value for Milter (mail filter) applications. See MIL‐
4359 TER_README for a list of available macro names and their meanings.
4360
4361 This feature is available in Postfix 2.3 and later.
4362
4364 The macros that are sent to Milter (mail filter) applications after the
4365 SMTP MAIL FROM command. See MILTER_README for a list of available macro
4366 names and their meanings.
4367
4368 This feature is available in Postfix 2.3 and later.
4369
4371 The mail filter protocol version and optional protocol extensions for
4372 communication with a Milter application; prior to Postfix 2.6 the de‐
4373 fault protocol is 2. Postfix sends this version number during the ini‐
4374 tial protocol handshake. It should match the version number that is
4375 expected by the mail filter application (or by its Milter library).
4376
4377 Protocol versions:
4378
4379 2 Use Sendmail 8 mail filter protocol version 2 (default with
4380 Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).
4381
4382 3 Use Sendmail 8 mail filter protocol version 3.
4383
4384 4 Use Sendmail 8 mail filter protocol version 4.
4385
4386 6 Use Sendmail 8 mail filter protocol version 6 (default with
4387 Sendmail version 8.14 and Postfix version 2.6).
4388
4389 Protocol extensions:
4390
4391 no_header_reply
4392 Specify this when the Milter application will not reply for each
4393 individual message header.
4394
4395 This feature is available in Postfix 2.3 and later.
4396
4398 The macros that are sent to Milter (mail filter) applications after the
4399 SMTP RCPT TO command. See MILTER_README for a list of available macro
4400 names and their meanings.
4401
4402 This feature is available in Postfix 2.3 and later.
4403
4405 The macros that are sent to version 3 or higher Milter (mail filter)
4406 applications after an unknown SMTP command. See MILTER_README for a
4407 list of available macro names and their meanings.
4408
4409 This feature is available in Postfix 2.3 and later.
4410
4412 The maximal length of MIME multipart boundary strings. The MIME proces‐
4413 sor is unable to distinguish between boundary strings that do not dif‐
4414 fer in the first $mime_boundary_length_limit characters.
4415
4416 This feature is available in Postfix 2.0 and later.
4417
4419 Optional lookup tables for content inspection of MIME related message
4420 headers, as described in the header_checks(5) manual page.
4421
4422 This feature is available in Postfix 2.0 and later.
4423
4425 The maximal recursion level that the MIME processor will handle. Post‐
4426 fix refuses mail that is nested deeper than the specified limit.
4427
4428 This feature is available in Postfix 2.0 and later.
4429
4431 The minimal time between attempts to deliver a deferred message; prior
4432 to Postfix 2.4 the default value was 1000s.
4433
4434 This parameter also limits the time an unreachable destination is kept
4435 in the short-term, in-memory, destination status cache.
4436
4437 This parameter should be set greater than or equal to $queue_run_delay.
4438 See also $maximal_backoff_time.
4439
4440 Specify a non-zero time value (an integral value plus an optional
4441 one-letter suffix that specifies the time unit). Time units: s (sec‐
4442 onds), m (minutes), h (hours), d (days), w (weeks). The default time
4443 unit is s (seconds).
4444
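The following is an added example, not Postfix code and not part of this manual page. It covers the maximal_backoff_time, maximal_queue_lifetime and minimal_backoff_time descriptions above: it parses Postfix time values (integer plus optional s/m/h/d/w unit, with the per-parameter default unit) and checks the ordering those descriptions require, queue_run_delay <= minimal_backoff_time <= maximal_backoff_time. The default values used when a parameter is absent are the stock values of a recent Postfix and should be confirmed with "postconf -d"; the doubling retry schedule in retry_offsets() is an assumption about the queue manager, not a statement from this page.

```python
import re

# Added example, not Postfix code: parses Postfix time values and checks the
# ordering postconf(5) requires between queue_run_delay, minimal_backoff_time
# and maximal_backoff_time. DEFAULTS are assumed stock values; verify with
# "postconf -d" on your own build.

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

DEFAULTS = {
    "queue_run_delay": "300s",
    "minimal_backoff_time": "300s",
    "maximal_backoff_time": "4000s",
    "maximal_queue_lifetime": "5d",
}


def parse_time(value, default_unit="s"):
    """Integer plus optional one-letter unit; the default unit is per parameter."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"bad time value {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or default_unit]


def check_retry_settings(main_cf):
    """main_cf maps parameter names to their main.cf strings. Returns the list
    of violated constraints (empty when the settings are consistent)."""
    cfg = {**DEFAULTS, **main_cf}
    qrd = parse_time(cfg["queue_run_delay"])
    minimal = parse_time(cfg["minimal_backoff_time"])
    maximal = parse_time(cfg["maximal_backoff_time"])
    lifetime = parse_time(cfg["maximal_queue_lifetime"], default_unit="d")
    problems = []
    if minimal < qrd:
        problems.append("minimal_backoff_time must be >= queue_run_delay")
    if maximal < minimal:
        problems.append("maximal_backoff_time must be >= minimal_backoff_time")
    if lifetime and lifetime < minimal:
        problems.append("maximal_queue_lifetime expires mail before its first retry")
    return problems


def retry_offsets(minimal, maximal, lifetime):
    """Approximate retry times in seconds after the first failed attempt: the
    delay doubles from minimal up to maximal until the queue lifetime is
    reached (the doubling is an assumption of this example). An empty list
    means the message is tried once, as with maximal_queue_lifetime = 0."""
    offsets, elapsed, delay = [], 0, minimal
    while True:
        elapsed += delay
        if elapsed > lifetime:
            return offsets
        offsets.append(elapsed)
        delay = min(delay * 2, maximal)
```

Running check_retry_settings() over the output of "postconf -n" before a restart catches the common mistake of shortening minimal_backoff_time without also lowering queue_run_delay, which leaves the queue manager unable to honour the shorter retry interval.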
4446 An optional list of non-default Postfix configuration directories;
4447 these directories belong to additional Postfix instances that share the
4448 Postfix executable files and documentation with the default Postfix in‐
4449 stance, and that are started, stopped, etc., together with the default
4450 Postfix instance. Specify a list of pathnames separated by comma or
4451 whitespace.
4452
4453 When $multi_instance_directories is empty, the postfix(1) command runs
4454 in single-instance mode and operates on a single Postfix instance only.
4455 Otherwise, the postfix(1) command runs in multi-instance mode and in‐
4456 vokes the multi-instance manager specified with the multi_in‐
4457 stance_wrapper parameter. The multi-instance manager in turn executes
4458 postfix(1) commands for the default instance and for all Postfix in‐
4459 stances in $multi_instance_directories.
4460
4461 Currently, this parameter setting is ignored except for the default
4462 main.cf file.
4463
4464 This feature is available in Postfix 2.6 and later.
4465
4467 Allow this Postfix instance to be started, stopped, etc., by a
4468 multi-instance manager. By default, new instances are created in a
4469 safe state that prevents them from being started inadvertently. This
4470 parameter is reserved for the multi-instance manager.
4471
4472 This feature is available in Postfix 2.6 and later.
4473
4475 The optional instance group name of this Postfix instance. A group
4476 identifies closely-related Postfix instances that the multi-instance
4477 manager can start, stop, etc., as a unit. This parameter is reserved
4478 for the multi-instance manager.
4479
4480 This feature is available in Postfix 2.6 and later.
4481
4483 The optional instance name of this Postfix instance. This name becomes
4484 also the default value for the syslog_name parameter.
4485
4486 This feature is available in Postfix 2.6 and later.
4487
4489 The pathname of a multi-instance manager command that the postfix(1)
4490 command invokes when the multi_instance_directories parameter value is
4491 non-empty. The pathname may be followed by initial command arguments
4492 separated by whitespace; shell metacharacters such as quotes are not
4493 supported in this context.
4494
4495 The postfix(1) command invokes the manager command with the postfix(1)
4496 non-option command arguments on the manager command line, and with all
4497 installation configuration parameters exported into the manager command
4498 process environment. The manager command in turn invokes the postfix(1)
4499 command for individual Postfix instances as "postfix -c config_direc‐
4500 tory command".
4501
4502 This feature is available in Postfix 2.6 and later.
4503
4505 The numerical Postfix SMTP server response code when a remote SMTP
4506 client request is blocked by the reject_multi_recipient_bounce restric‐
4507 tion.
4508
4509 Do not change this unless you have a complete understanding of RFC
4510 5321.
4511
4512 This feature is available in Postfix 2.1 and later.
4513
4515 The list of domains that are delivered via the $local_transport mail
4516 delivery transport. By default this is the Postfix local(8) delivery
4517 agent which looks up all recipients in /etc/passwd and /etc/aliases.
4518 The SMTP server validates recipient addresses with $local_recipi‐
4519 ent_maps and rejects non-existent recipients. See also the local domain
4520 class in the ADDRESS_CLASS_README file.
4521
4522 The default mydestination value specifies names for the local machine
4523 only. On a mail domain gateway, you should also include $mydomain.
4524
4525 The $local_transport delivery method is also selected for mail ad‐
4526 dressed to user@[the.net.work.address] of the mail system (the IP ad‐
4527 dresses specified with the inet_interfaces and proxy_interfaces parame‐
4528 ters).
4529
4530 Warnings:
4531
4532 • Do not specify the names of virtual domains - those domains are
4533 specified elsewhere. See VIRTUAL_README for more information.
4534
4535 • Do not specify the names of domains that this machine is backup
4536 MX host for. See STANDARD_CONFIGURATION_README for how to set up
4537 backup MX hosts.
4538
4539 • By default, the Postfix SMTP server rejects mail for recipients
4540 not listed with the local_recipient_maps parameter. See the
4541 postconf(5) manual for a description of the local_recipient_maps
4542 and unknown_local_recipient_reject_code parameters.
4543
4544 Specify a list of host or domain names, "/file/name" or "type:table"
4545 patterns, separated by commas and/or whitespace. A "/file/name" pattern
4546 is replaced by its contents; a "type:table" lookup table is matched
4547 when a name matches a lookup key (the lookup result is ignored). Con‐
4548 tinue long lines by starting the next line with whitespace.
4549
4550 Examples:
4551
4552 mydestination = $myhostname, localhost.$mydomain $mydomain
4553 mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
4554
4556 The internet domain name of this mail system. The default is to use
4557 $myhostname minus the first component, or "localdomain" (Postfix 2.3
4558 and later). $mydomain is used as a default value for many other con‐
4559 figuration parameters.
4560
4561 Example:
4562
4563 mydomain = domain.tld
4564
4566 The internet hostname of this mail system. The default is to use the
4567 fully-qualified domain name (FQDN) from gethostname(), or to use the
4568 non-FQDN result from gethostname() and append ".$mydomain". $myhost‐
4569 name is used as a default value for many other configuration parame‐
4570 ters.
4571
4572 Example:
4573
4574 myhostname = host.example.com
4575
4577 The list of "trusted" remote SMTP clients that have more privileges
4578 than "strangers".
4579
4580 In particular, "trusted" SMTP clients are allowed to relay mail through
4581 Postfix. See the smtpd_relay_restrictions parameter description in the
4582 postconf(5) manual.
4583
4584 You can specify the list of "trusted" network addresses by hand or you
4585 can let Postfix do it for you (which is the default). See the descrip‐
4586 tion of the mynetworks_style parameter for more information.
4587
4588 If you specify the mynetworks list by hand, Postfix ignores the mynet‐
4589 works_style setting.
4590
4591 Specify a list of network addresses or network/netmask patterns, sepa‐
4592 rated by commas and/or whitespace. Continue long lines by starting the
4593 next line with whitespace.
4594
4595 The netmask specifies the number of bits in the network part of a host
4596 address. You can also specify "/file/name" or "type:table" patterns.
4597 A "/file/name" pattern is replaced by its contents; a "type:table"
4598 lookup table is matched when a table entry matches a lookup string (the
4599 lookup result is ignored).
4600
4601 The list is matched left to right, and the search stops on the first
4602 match. Specify "!pattern" to exclude an address or network block from
4603 the list. The form "!/file/name" is supported only in Postfix version
4604 2.4 and later.
4605
4606 Note 1: Pattern matching of domain names is controlled by the presence
4607 or absence of "mynetworks" in the parent_domain_matches_subdomains pa‐
4608 rameter value.
4609
4610 Note 2: IP version 6 address information must be specified inside [] in
4611 the mynetworks value, and in files specified with "/file/name". IP
4612 version 6 addresses contain the ":" character, and would otherwise be
4613 confused with a "type:table" pattern.
4614
4615 Note 3: CIDR ranges cannot be specified in hash tables. Use cidr ta‐
4616 bles if CIDR ranges are used.
4617
4618 Examples:
4619
4620 mynetworks = 127.0.0.0/8 168.100.189.0/28
4621 mynetworks = !192.168.0.1, 192.168.0.0/28
4622 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
4623 mynetworks = $config_directory/mynetworks
4624 mynetworks = hash:/etc/postfix/network_table
4625 mynetworks = cidr:/etc/postfix/network_table.cidr
4626
4628 The method to generate the default value for the mynetworks parameter.
4629 This is the list of trusted networks for relay access control etc.
4630
4631 • Specify "mynetworks_style = host" when Postfix should "trust"
4632 only the local machine.
4633
4634 • Specify "mynetworks_style = subnet" when Postfix should "trust"
4635 remote SMTP clients in the same IP subnetworks as the local ma‐
4636 chine. On Linux, this works correctly only with interfaces
4637 specified with the "ifconfig" or "ip" command.
4638
4639 • Specify "mynetworks_style = class" when Postfix should "trust"
4640 remote SMTP clients in the same IP class A/B/C networks as the
4641 local machine. Caution: this may cause Postfix to "trust" your
4642 entire provider's network. Instead, specify an explicit mynet‐
4643 works list by hand, as described with the mynetworks configura‐
4644 tion parameter.
4645
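The following is an added example, not Postfix code and not part of this manual page. It covers the mynetworks and mynetworks_style descriptions above: it parses a hand-written mynetworks value (CIDR blocks, single hosts, IPv6 inside [], "!" exclusion, first match wins), decides whether a client address is trusted, and generates the list that each mynetworks_style value would trust from a set of local interface addresses, which makes the "class" caution concrete. The generator follows the three rules as described, not Postfix's own code; treating IPv6 interfaces as their subnet under "class" is an assumption of this example, and "/file/name" and "type:table" entries are not expanded here. Interface addresses in the test are constructed.

```python
import ipaddress
import re

# Added example, not Postfix code: matches client addresses against a
# hand-written mynetworks value, and generates the list each mynetworks_style
# value would produce from the local interface addresses.


def split_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value.strip()) if item]


def parse_mynetworks(value):
    """Return (network, excluded) pairs in list order. IPv6 must be inside []
    as postconf(5) requires; a bare address means that single host."""
    entries = []
    for item in split_list(value):
        excluded = item.startswith("!")
        body = item[1:] if excluded else item
        if body.startswith("/") or re.match(r"^[A-Za-z]+:", body):
            raise ValueError(f"file/table entry not handled by this example: {item!r}")
        bracketed = re.fullmatch(r"\[([^\]]+)\](?:/(\d+))?", body)
        if bracketed:
            addr, plen = bracketed.groups()
        elif ":" in body:
            raise ValueError(f"IPv6 address must be written inside []: {item!r}")
        else:
            addr, _, plen = body.partition("/")
        # strict=False clears stray host bits ("192.168.1.5/24" -> 192.168.1.0/24)
        net = ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)
        entries.append((net, excluded))
    return entries


def client_is_trusted(client_ip, entries):
    """Left to right, first match wins; "!" entries are explicitly untrusted."""
    ip = ipaddress.ip_address(client_ip)
    for net, excluded in entries:
        if ip.version == net.version and ip in net:
            return not excluded
    return False


def default_mynetworks(style, interfaces):
    """What mynetworks_style = host|subnet|class would trust, given the local
    interfaces as "addr/prefixlen" strings. The classful IPv4 rule is /8, /16
    or /24 by the first octet; IPv6 interfaces use their subnet under "class"
    (an assumption of this example)."""
    nets = []
    for iface in interfaces:
        ifc = ipaddress.ip_interface(iface)
        if style == "host":
            nets.append(ipaddress.ip_network(str(ifc.ip)))      # /32 or /128
        elif style == "subnet":
            nets.append(ifc.network)
        elif style == "class" and ifc.version == 4:
            first_octet = int(ifc.ip) >> 24
            plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
            nets.append(ipaddress.ip_network(f"{ifc.ip}/{plen}", strict=False))
        elif style == "class":
            nets.append(ifc.network)
        else:
            raise ValueError(f"unknown mynetworks_style {style!r}")
    return nets


def format_mynetworks(nets):
    """Render in main.cf syntax, with IPv6 networks inside []."""
    return " ".join(f"[{n.network_address}]/{n.prefixlen}" if n.version == 6 else str(n)
                    for n in nets)
```

For a host with a provider-assigned 203.0.113.7/26, "class" yields 203.0.113.0/24 and a 10.1.2.3/24 interface becomes 10.0.0.0/8, so every client in those ranges may relay; an explicit mynetworks list avoids that.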
4647 The domain name that locally-posted mail appears to come from, and that
4648 locally posted mail is delivered to. The default, $myhostname, is ade‐
4649 quate for small sites. If you run a domain with multiple machines, you
4650 should (1) change this to $mydomain and (2) set up a domain-wide alias
4651 database that aliases each user to user@that.users.mailhost.
4652
4653 Example:
4654
4655 myorigin = $mydomain
4656
4658 Optional lookup tables for content inspection of non-MIME message head‐
4659 ers in attached messages, as described in the header_checks(5) manual
4660 page.
4661
4662 This feature is available in Postfix 2.0 and later.
4663
4665 Sendmail compatibility feature that specifies the location of the
4666 newaliases(1) command. This command can be used to rebuild the local(8)
4667 aliases(5) database.
4668
4670 The numerical Postfix SMTP server reply code when a client request is
4671 rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
4672 or reject_non_fqdn_recipient restriction.
4673
4675 A list of Milter (mail filter) applications for new mail that does not
4676 arrive via the Postfix smtpd(8) server. This includes local submission
4677 via the sendmail(1) command line, new mail that arrives via the Postfix
4678 qmqpd(8) server, and old mail that is re-injected into the queue with
4679 "postsuper -r". Specify space or comma as a separator. See the MIL‐
4680 TER_README document for details.
4681
4682 This feature is available in Postfix 2.3 and later.
4683
4685 The list of error classes that are reported to the postmaster. These
4686 postmaster notifications do not replace user notifications. The default
4687 is to report only the most serious problems. The paranoid may wish to
4688 turn on the policy (UCE and mail relaying) and protocol error (broken
4689 mail software) reports.
4690
4691 NOTE: postmaster notifications may contain confidential information
4692 such as SASL passwords or message content. It is the system adminis‐
4693 trator's responsibility to treat such information with care.
4694
4695 The error classes are:
4696
4697 bounce (also implies 2bounce)
4698 Send the postmaster copies of the headers of bounced mail, and
4699 send transcripts of SMTP sessions when Postfix rejects mail. The
4700 notification is sent to the address specified with the
4701 bounce_notice_recipient configuration parameter (default: post‐
4702 master).
4703
4704 2bounce
4705 Send undeliverable bounced mail to the postmaster. The notifica‐
4706 tion is sent to the address specified with the 2bounce_no‐
4707 tice_recipient configuration parameter (default: postmaster).
4708
4709 data Send the postmaster a transcript of the SMTP session with an er‐
4710 ror because a critical data file was unavailable. The notifica‐
4711 tion is sent to the address specified with the error_notice_re‐
4712 cipient configuration parameter (default: postmaster).
4713 This feature is available in Postfix 2.9 and later.
4714
4715 delay Send the postmaster copies of the headers of delayed mail (see
4716 delay_warning_time). The notification is sent to the address
4717 specified with the delay_notice_recipient configuration parame‐
4718 ter (default: postmaster).
4719
4720 policy Send the postmaster a transcript of the SMTP session when a
4721 client request was rejected because of (UCE) policy. The notifi‐
4722 cation is sent to the address specified with the error_no‐
4723 tice_recipient configuration parameter (default: postmaster).
4724
4725 protocol
4726 Send the postmaster a transcript of the SMTP session in case of
4727 client or server protocol errors. The notification is sent to
4728 the address specified with the error_notice_recipient configura‐
4729 tion parameter (default: postmaster).
4730
4731 resource
4732 Inform the postmaster of mail not delivered due to resource
4733 problems. The notification is sent to the address specified
4734 with the error_notice_recipient configuration parameter (de‐
4735 fault: postmaster).
4736
4737 software
4738 Inform the postmaster of mail not delivered due to software
4739 problems. The notification is sent to the address specified
4740 with the error_notice_recipient configuration parameter (de‐
4741 fault: postmaster).
4742
4743 Examples:
4744
4745 notify_classes = bounce, delay, policy, protocol, resource, software
4746 notify_classes = 2bounce, resource, software
4747
4749 The location of the OpenSSL command line program openssl(1). This is
4750 used by the "postfix tls" command to create private keys, certificate
4751 signing requests, self-signed certificates, and to compute public key
4752 digests for DANE TLSA records. In multi-instance environments, this
4753 parameter is always determined from the configuration of the default
4754 Postfix instance.
4755
4756 Example:
4757
4758 /etc/postfix/main.cf:
4759 # NetBSD pkgsrc:
4760 openssl_path = /usr/pkg/bin/openssl
4761 # Local build:
4762 openssl_path = /usr/local/bin/openssl
4763
4764 This feature is available in Postfix 3.1 and later.
4765
4767 Enable special treatment for owner-listname entries in the aliases(5)
4768 file, and don't split owner-listname and listname-request address lo‐
4769 calparts when the recipient_delimiter is set to "-". This feature is
4770 useful for mailing lists.
4771
4773 A list of Postfix features where the pattern "example.com" also matches
4774 subdomains of example.com, instead of requiring an explicit ".exam‐
4775 ple.com" pattern. This is planned backwards compatibility: eventu‐
4776 ally, all Postfix features are expected to require explicit ".exam‐
4777 ple.com" style patterns when you really want to match subdomains.
4778
4779 The following Postfix feature names are supported.
4780
4781 Postfix version 1.0 and later
4782 debug_peer_list, fast_flush_domains, mynetworks, per‐
4783 mit_mx_backup_networks, relay_domains, transport_maps
4784
4785 Postfix version 1.1 and later
4786 qmqpd_authorized_clients, smtpd_access_maps
4787
4788 Postfix version 2.8 and later
4789 postscreen_access_list
4790
4791 Postfix version 3.0 and later
4792 smtpd_client_event_limit_exceptions
4793
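The following is an added example, not Postfix code and not part of this manual page. It implements the domain-pattern rule described above: ".example.com" matches only subdomains, while "example.com" matches the domain itself and additionally its subdomains when the feature in question is listed in parent_domain_matches_subdomains. The default value used here is constructed from the feature names listed above; "postconf -d" shows the real default for a given version. relay_accepted() shows the access-control consequence for relay_domains.

```python
import re

# Added example, not Postfix code: domain-pattern matching as postconf(5)
# describes it, so the effect of listing (or not listing) a feature in
# parent_domain_matches_subdomains can be checked against concrete names.

# Constructed from the feature names listed in the text; "postconf -d" shows
# the real default for your version.
DEFAULT_PARENT_DOMAIN_MATCHES_SUBDOMAINS = (
    "debug_peer_list, fast_flush_domains, mynetworks, permit_mx_backup_networks, "
    "qmqpd_authorized_clients, relay_domains, smtpd_access_maps, "
    "postscreen_access_list, smtpd_client_event_limit_exceptions"
)


def split_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value.strip()) if item]


def domain_matches(name, pattern, feature,
                   parent_domain_matches_subdomains=DEFAULT_PARENT_DOMAIN_MATCHES_SUBDOMAINS):
    """".example.com" matches subdomains only; "example.com" matches the domain
    itself, and its subdomains too when `feature` is listed in
    parent_domain_matches_subdomains."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return name.endswith(pattern)
    if name == pattern:
        return True
    listed = feature in split_list(parent_domain_matches_subdomains)
    return listed and name.endswith("." + pattern)


def matched_in_list(name, patterns, feature,
                    parent_domain_matches_subdomains=DEFAULT_PARENT_DOMAIN_MATCHES_SUBDOMAINS):
    """Matchlist rule: left to right, first hit wins, "!pattern" excludes."""
    for pattern in split_list(patterns):
        excluded = pattern.startswith("!")
        body = pattern[1:] if excluded else pattern
        if domain_matches(name, body, feature, parent_domain_matches_subdomains):
            return not excluded
    return False


def relay_accepted(recipient_domain, relay_domains,
                   parent_domain_matches_subdomains=DEFAULT_PARENT_DOMAIN_MATCHES_SUBDOMAINS):
    """Would relay_domains accept mail for this recipient domain?"""
    return matched_in_list(recipient_domain, relay_domains, "relay_domains",
                           parent_domain_matches_subdomains)
```

The point for access control: with relay_domains listed in parent_domain_matches_subdomains (the compatibility default), "relay_domains = example.com" relays for every subdomain as well; once the feature is removed from that list, only an explicit ".example.com" pattern does.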
Restrict the use of the permit_mx_backup SMTP access feature to only domains
whose primary MX hosts match the listed networks. The parameter value syntax
is the same as with the mynetworks parameter; note, however, that the default
value is empty.

Pattern matching of domain names is controlled by the presence or absence of
"permit_mx_backup_networks" in the parent_domain_matches_subdomains parameter
value.

The name of the pickup(8) service. This service picks up local mail
submissions from the Postfix maildrop queue.

This feature is available in Postfix 2.0 and later.

Optional filter for the pipe(8) delivery agent to change the delivery status
code or explanatory text of successful or unsuccessful deliveries. See
default_delivery_status_filter for details.

This feature is available in Postfix 3.0 and later.

The numerical Postfix SMTP server response code when a request is rejected by
the reject_plaintext_session restriction.

This feature is available in Postfix 2.3 and later.

The name of the postlogd(8) service entry in master.cf. This service appends
logfile records to the file specified with the maillog_file parameter.

This feature is available in Postfix 3.4 and later.

How much time a postlogd(8) process may take to process a request before it
is terminated by a built-in watchdog timer. This is a safety mechanism that
prevents postlogd(8) from becoming non-responsive due to a bug in Postfix
itself or in system software. This limit cannot be set under 10s.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 3.4 and later.

The postfix(1) commands that the postmulti(1) instance manager treats as
"control" commands, that operate on running instances. For these commands,
disabled instances are skipped.

This feature is available in Postfix 2.6 and later.

The postfix(1) commands that the postmulti(1) instance manager treats as
"start" commands. For these commands, disabled instances are "checked"
rather than "started", and failure to "start" a member instance of an
instance group will abort the start-up of later instances.

This feature is available in Postfix 2.6 and later.

The postfix(1) commands that the postmulti(1) instance manager treats as
"stop" commands. For these commands, disabled instances are skipped, and
enabled instances are processed in reverse order.

This feature is available in Postfix 2.6 and later.

Permanent allow/denylist for remote SMTP client IP addresses. postscreen(8)
searches this list immediately after a remote SMTP client connects. Specify
a comma- or whitespace-separated list of commands (in upper or lower case)
or lookup tables. The search stops upon the first command that fires for
the client IP address.

permit_mynetworks
    Allowlist the client and terminate the search if the client IP address
    matches $mynetworks. Do not subject the client to any before/after 220
    greeting tests. Pass the connection immediately to a Postfix SMTP
    server process.
    Pattern matching of domain names is controlled by the presence or
    absence of "postscreen_access_list" in the
    parent_domain_matches_subdomains parameter value.

type:table
    Query the specified lookup table. Each table lookup result is an access
    list, except that access lists inside a table cannot specify type:table
    entries.
    To discourage the use of hash, btree, etc. tables, there is no support
    for substring matching like smtpd(8). Use CIDR tables instead.

permit
    Allowlist the client and terminate the search. Do not subject the
    client to any before/after 220 greeting tests. Pass the connection
    immediately to a Postfix SMTP server process.

reject
    Denylist the client and terminate the search. Subject the client to the
    action configured with the postscreen_denylist_action configuration
    parameter.

dunno
    All postscreen(8) access lists implicitly have this command at the end.
    When dunno is executed inside a lookup table, return from the lookup
    table and evaluate the next command.
    When dunno is executed outside a lookup table, terminate the search,
    and subject the client to the configured before/after 220 greeting
    tests.

Example:

    /etc/postfix/main.cf:
        postscreen_access_list = permit_mynetworks,
            cidr:/etc/postfix/postscreen_access.cidr
        # Postfix < 3.6 use postscreen_blacklist_action.
        postscreen_denylist_action = enforce

    /etc/postfix/postscreen_access.cidr:
        # Rules are evaluated in the order as specified.
        # Denylist 192.168.* except 192.168.0.1.
        192.168.0.1             dunno
        192.168.0.0/16          reject

This feature is available in Postfix 2.8.

A list of local postscreen(8) server IP addresses where a non-allowlisted
remote SMTP client can obtain postscreen(8)'s temporary allowlist status.
This status is required before the client can talk to a Postfix SMTP server
process. By default, a client can obtain postscreen(8)'s allowlist status on
any local postscreen(8) server IP address.

When postscreen(8) listens on both primary and backup MX addresses, the
postscreen_allowlist_interfaces parameter can be configured to give the
temporary allowlist status only when a client connects to a primary MX
address. Once a client is allowlisted it can talk to a Postfix SMTP server
on any address. Thus, clients that connect only to backup MX addresses will
never become allowlisted, and will never be allowed to talk to a Postfix
SMTP server process.

Specify a list of network addresses or network/netmask patterns, separated
by commas and/or whitespace. The netmask specifies the number of bits in the
network part of a host address. Continue long lines by starting the next
line with whitespace.

You can also specify "/file/name" or "type:table" patterns. A "/file/name"
pattern is replaced by its contents; a "type:table" lookup table is matched
when a table entry matches a lookup string (the lookup result is ignored).

The list is matched left to right, and the search stops on the first match.
Specify "!pattern" to exclude an address or network block from the list.

Note: IP version 6 address information must be specified inside [] in the
postscreen_allowlist_interfaces value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character, and would
otherwise be confused with a "type:table" pattern.

Example:

    /etc/postfix/main.cf:
        # Don't allowlist connections to the backup IP address.
        # Postfix < 3.6 use postscreen_whitelist_interfaces.
        postscreen_allowlist_interfaces = !168.100.189.8, static:all

This feature is available in Postfix 3.6 and later.

Available as postscreen_whitelist_interfaces in Postfix 2.9 - 3.5.
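The two parameters above share the mynetworks-style pattern syntax (network/netmask, "!pattern" exclusions, IPv6 inside [], "static:all"), and postscreen_access_list layers command semantics (permit_mynetworks, type:table, permit, reject, dunno with its different meaning inside and outside a table) on top of it. The following Python model is an added example, not Postfix code; it reproduces those evaluation rules over the constructed main.cf values and cidr: table from the examples above so that the outcome for a given client address can be checked before a change goes live. Only static:all and cidr: tables are modelled; other table types are rejected.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (not a real site); the cidr: table follows
# the example in the text above.
MYNETWORKS = "127.0.0.0/8, [::1]/128, 10.0.0.0/8"
ALLOWLIST_INTERFACES = "!168.100.189.8, static:all"
POSTSCREEN_ACCESS_CIDR = """
# Rules are evaluated in the order as specified.
# Denylist 192.168.* except 192.168.0.1.
192.168.0.1     dunno
192.168.0.0/16  reject
"""


def _to_network(token: str):
    """'[::1]/128' -> ::1/128, '168.100.189.8' -> 168.100.189.8/32.
    IPv6 must be written inside [] so its ':' is not taken for a type:table."""
    if token.startswith("["):
        close = token.index("]")
        token = token[1:close] + token[close + 1:]
    elif ":" in token:
        raise ValueError(f"type:table other than static:all is not modelled: {token}")
    return ipaddress.ip_network(token, strict=False)


def match_network_list(value: str, client_ip: str) -> bool:
    """mynetworks-style matching: left to right, first match decides,
    "!pattern" excludes, "static:all" matches every address."""
    ip = ipaddress.ip_address(client_ip)
    for token in value.replace(",", " ").split():
        negate = token.startswith("!")
        if negate:
            token = token[1:]
        if token == "static:all" or ip in _to_network(token):
            return not negate
    return False


def parse_cidr_table(text: str) -> List[Tuple[object, str]]:
    """cidr: table rows are 'network  result'; '#' lines are comments;
    the first matching row wins and each result is itself an access list."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rows.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return rows


def postscreen_access_decision(access_list: str, client_ip: str,
                               tables: Dict[str, list], mynetworks: str,
                               inside_table: bool = False) -> Optional[str]:
    """Return 'permit', 'reject' or 'dunno' for the client address. Inside a
    table, dunno returns None so the caller moves on to the next command."""
    ip = ipaddress.ip_address(client_ip)
    for command in access_list.replace(",", " ").split():
        cmd = command.lower()
        if cmd == "permit_mynetworks":
            if match_network_list(mynetworks, client_ip):
                return "permit"
        elif cmd in ("permit", "reject"):
            return cmd
        elif cmd == "dunno":
            return None if inside_table else "dunno"
        elif ":" in cmd:
            if inside_table:
                raise ValueError("type:table is not allowed inside a table result")
            for network, result in tables[command]:
                if ip in network:
                    verdict = postscreen_access_decision(result, client_ip, tables,
                                                         mynetworks, inside_table=True)
                    if verdict is not None:
                        return verdict
                    break  # dunno inside the table: evaluate the next command
        else:
            raise ValueError(f"unknown postscreen_access_list command: {command}")
    return None if inside_table else "dunno"  # implicit trailing dunno


TABLES = {"cidr:/etc/postfix/postscreen_access.cidr": parse_cidr_table(POSTSCREEN_ACCESS_CIDR)}
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"


def decide(client_ip: str) -> str:
    """Verdict of the constructed postscreen_access_list for one client."""
    return postscreen_access_decision(ACCESS_LIST, client_ip, TABLES, MYNETWORKS)


def allowlist_status_available(local_ip: str) -> bool:
    """Can a connection to this local address earn the temporary allowlist
    status under the constructed postscreen_allowlist_interfaces value?"""
    return match_network_list(ALLOWLIST_INTERFACES, local_ip)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.0.1", "192.168.7.7", "203.0.113.9", "::1"):
        print(ip, decide(ip))
    print(allowlist_status_available("168.100.189.8"), allowlist_status_available("168.100.189.2"))
```

Note how 192.168.0.1 ends with "dunno" rather than "permit": the table row only returns from the table, and since nothing follows the table in the list, the client is subjected to the normal before/after 220 greeting tests. An explicit "permit" row would be needed to exempt it.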

The action that postscreen(8) takes when a remote SMTP client sends a bare
newline character, that is, a newline not preceded by carriage return.
Specify one of the following:

ignore
    Ignore the failure of this test. Allow other tests to complete. Do not
    repeat this test before the result from some other test expires. This
    option is useful for testing and collecting statistics without blocking
    mail permanently.

enforce
    Allow other tests to complete. Reject attempts to deliver mail with a
    550 SMTP reply, and log the helo/sender/recipient information. Repeat
    this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test
    the next time the client connects.

This feature is available in Postfix 2.8.

Enable "bare newline" SMTP protocol tests in the postscreen(8) server. These
tests are expensive: a remote SMTP client must disconnect after it passes
the test, before it can talk to a real Postfix SMTP server.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will use the result from a successful
"bare newline" SMTP protocol test. During this time, the client IP address
is excluded from this test. The default is long because a remote SMTP client
must disconnect after it passes the test, before it can talk to a real
Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.8.

Renamed to postscreen_denylist_action in Postfix 3.6.

This feature is available in Postfix 2.8 - 3.5.

The amount of time between postscreen(8) cache cleanup runs. Cache cleanup
increases the load on the cache database and should therefore not be run
frequently. This feature requires that the cache database supports the
"delete" and "sequence" operators. Specify a zero interval to disable cache
cleanup.

After each cache cleanup run, the postscreen(8) daemon logs the number of
entries that were retained and dropped. A cleanup run is logged as "partial"
when the daemon terminates early after "postfix reload", "postfix stop", or
no requests for $max_idle seconds.

Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s (seconds),
m (minutes), h (hours), d (days), w (weeks). The default time unit is
h (hours).

This feature is available in Postfix 2.8.

Persistent storage for the postscreen(8) server decisions.

To share a postscreen(8) cache between multiple postscreen(8) instances, use
"postscreen_cache_map = proxy:btree:/path/to/file". This requires Postfix
version 2.9 or later; earlier proxymap(8) implementations don't support
cache cleanup. For an alternative approach see the memcache_table(5)
manpage.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will cache an expired temporary
allowlist entry before it is removed. This prevents clients from being
logged as "NEW" just because their cache entry expired an hour ago. It also
prevents the cache from filling up with clients that passed some deep
protocol test once and never came back.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.8.

tion_count_limit)
How many simultaneous connections any remote SMTP client is allowed to have
with the postscreen(8) daemon. By default, this limit is the same as with
the Postfix SMTP server. Note that the triage process can take several
seconds, with the time spent in postscreen_greet_wait delay, and with the
time spent talking to the postscreen(8) built-in dummy SMTP protocol engine.

This feature is available in Postfix 2.8.

The limit on the total number of commands per SMTP session for
postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers or
rejects all attempts to deliver mail, therefore there is no need to enforce
separate limits on the number of junk commands and error commands.

This feature is available in Postfix 2.8.

A mechanism to transform commands from remote SMTP clients. See
smtpd_command_filter for further details.

This feature is available in Postfix 2.8 and later.

The time limit to read an entire command line with postscreen(8)'s built-in
SMTP protocol engine.

This feature is available in Postfix 2.8.

The action that postscreen(8) takes when a remote SMTP client is permanently
denylisted with the postscreen_access_list parameter. Specify one of the
following:

ignore (default)
    Ignore this result. Allow other tests to complete. Repeat this test the
    next time the client connects. This option is useful for testing and
    collecting statistics without blocking mail.

enforce
    Allow other tests to complete. Reject attempts to deliver mail with a
    550 SMTP reply, and log the helo/sender/recipient information. Repeat
    this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test
    the next time the client connects.

This feature is available in Postfix 3.6 and later.

Available as postscreen_blacklist_action in Postfix 2.8 - 3.5.

Disable the SMTP VRFY command in the postscreen(8) daemon. See
disable_vrfy_command for details.

This feature is available in Postfix 2.8.

card_ehlo_keyword_address_maps)
Lookup tables, indexed by the remote SMTP client address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that
the postscreen(8) server will not send in the EHLO response to a remote SMTP
client. See smtpd_discard_ehlo_keywords for details. The table is not
searched by hostname for robustness reasons.

This feature is available in Postfix 2.8 and later.

A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.)
that the postscreen(8) server will not send in the EHLO response to a remote
SMTP client. See smtpd_discard_ehlo_keywords for details.

This feature is available in Postfix 2.8 and later.
5138 The action that postscreen(8) takes when a remote SMTP client's com‐
5139 bined DNSBL score is equal to or greater than a threshold (as defined
5140 with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
5141 ters). Specify one of the following:
5142
5143 ignore (default)
5144 Ignore the failure of this test. Allow other tests to complete.
5145 Repeat this test the next time the client connects. This option
5146 is useful for testing and collecting statistics without blocking
5147 mail.
5148
5149 enforce
5150 Allow other tests to complete. Reject attempts to deliver mail
5151 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
5152 mation. Repeat this test the next time the client connects.
5153
5154 drop Drop the connection immediately with a 521 SMTP reply. Repeat
5155 this test the next time the client connects.
5156
5157 This feature is available in Postfix 2.8.
5158
5160 Allow a remote SMTP client to skip "before" and "after 220 greeting"
5161 protocol tests, based on its combined DNSBL score as defined with the
5162 postscreen_dnsbl_sites parameter.
5163
5164 Specify a negative value to enable this feature. When a client passes
5165 the postscreen_dnsbl_allowlist_threshold without having failed other
5166 tests, all pending or disabled tests are flagged as completed with a
5167 time-to-live value equal to postscreen_dnsbl_ttl. When a test was al‐
5168 ready completed, its time-to-live value is updated if it was less than
5169 postscreen_dnsbl_ttl.
5170
5171 This feature is available in Postfix 3.6 and later.
5172
5173 Available as postscreen_dnsbl_whitelist_threshold in Postfix 2.11 -
5174 3.5.
5175
5177 ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
5178 The maximum amount of time that postscreen(8) will use the result from
5179 a successful DNS-based reputation test before a client IP address is
5180 required to pass that test again. If the DNS reply specifies a shorter
5181 TTL value, that value will be used unless it would be smaller than
5182 postscreen_dnsbl_min_ttl.
5183
5184 Specify a non-zero time value (an integral value plus an optional
5185 one-letter suffix that specifies the time unit). Time units: s (sec‐
5186 onds), m (minutes), h (hours), d (days), w (weeks). The default time
5187 unit is h (hours).
5188
5189 This feature is available in Postfix 3.1. The default setting is back‐
5190 wards-compatible with older Postfix versions.
5191
5193 The minimum amount of time that postscreen(8) will use the result from
5194 a successful DNS-based reputation test before a client IP address is
5195 required to pass that test again. If the DNS reply specifies a larger
5196 TTL value, that value will be used unless it would be larger than
5197 postscreen_dnsbl_max_ttl.
5198
5199 Specify a non-zero time value (an integral value plus an optional
5200 one-letter suffix that specifies the time unit). Time units: s (sec‐
5201 onds), m (minutes), h (hours), d (days), w (weeks). The default time
5202 unit is s (seconds).
5203
5204 This feature is available in Postfix 3.1.
5205
5207 A mapping from an actual DNSBL domain name which includes a secret
5208 password, to the DNSBL domain name that postscreen will reply with when
5209 it rejects mail. When no mapping is found, the actual DNSBL domain
5210 will be used.
5211
5212 For maximal stability it is best to use a file that is read into memory
5213 such as pcre:, regexp: or texthash: (texthash: is similar to hash:, ex‐
5214 cept a) there is no need to run postmap(1) before the file can be used,
5215 and b) texthash: does not detect changes after the file is read).
5216
5217 Example:
5218
5219 /etc/postfix/main.cf:
5220 postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
5221
5222 /etc/postfix/dnsbl_reply:
5223 secret.zen.spamhaus.org zen.spamhaus.org
5224
5225 This feature is available in Postfix 2.8.
5226
Optional list of patterns with DNS allow/denylist domains, filters and
weight factors. When the list is non-empty, the dnsblog(8) daemon will query
these domains with the reversed IP addresses of remote SMTP clients, and
postscreen(8) will update an SMTP client's DNSBL score with each non-error
reply as described below.

Caution: when postscreen rejects mail, its SMTP response contains the DNSBL
domain name. Use the postscreen_dnsbl_reply_map feature to hide "password"
information in DNSBL domain names.

When a client's score is equal to or greater than the threshold specified
with postscreen_dnsbl_threshold, postscreen(8) can drop the connection with
the remote SMTP client.

Specify a list of domain=filter*weight patterns, separated by comma or
whitespace.

    • When a pattern specifies no "=filter", postscreen(8) will use any
      non-error DNSBL query result. Otherwise, postscreen(8) will use only
      DNSBL query results that match the filter. The filter has the form
      d.d.d.d, where each d is a number, or a pattern inside [] that
      contains one or more ";"-separated numbers or number..number ranges.

    • When a pattern specifies no "*weight", the weight of the pattern is
      1. Otherwise, the weight must be an integral number. Specify a
      negative number for allowlisting.

    • When a pattern matches one or more DNSBL query results, postscreen(8)
      adds that pattern's weight once to the remote SMTP client's DNSBL
      score.

Examples:

To use example.com as a high-confidence blocklist, and to block mail with
example.net and example.org only when both agree:

    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites = example.com*2, example.net, example.org

To filter only DNSBL replies containing 127.0.0.4:

    postscreen_dnsbl_sites = example.com=127.0.0.4

This feature is available in Postfix 2.8.

The inclusive lower bound for blocking a remote SMTP client, based on its
combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.

This feature is available in Postfix 2.8.

The time limit for DNSBL or DNSWL lookups. This is separate from the
timeouts in the dnsblog(8) daemon which are defined by system resolver(3)
routines.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 3.0.

The amount of time that postscreen(8) will use the result from a successful
DNS-based reputation test before a client IP address is required to pass
that test again.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is h (hours).

This feature is available in Postfix 2.8-3.0. It was replaced by
postscreen_dnsbl_max_ttl in Postfix 3.1.

Renamed to postscreen_dnsbl_allowlist_threshold in Postfix 3.6.

This feature is available in Postfix 2.11 - 3.5.

Mandatory TLS: announce STARTTLS support to remote SMTP clients, and require
that clients use TLS encryption. See smtpd_postscreen_enforce_tls for
details.

This feature is available in Postfix 2.8 and later. Preferably, use
postscreen_tls_security_level instead.

List of characters that are permitted in postscreen_reject_footer attribute
expansions. See smtpd_expansion_filter for further details.

This feature is available in Postfix 2.8 and later.

List of commands that the postscreen(8) server considers in violation of the
SMTP protocol. See smtpd_forbidden_commands for syntax, and
postscreen_non_smtp_command_action for possible actions.

This feature is available in Postfix 2.8.

The action that postscreen(8) takes when a remote SMTP client speaks before
its turn within the time specified with the postscreen_greet_wait parameter.
Specify one of the following:

ignore (default)
    Ignore the failure of this test. Allow other tests to complete. Repeat
    this test the next time the client connects. This option is useful for
    testing and collecting statistics without blocking mail.

enforce
    Allow other tests to complete. Reject attempts to deliver mail with a
    550 SMTP reply, and log the helo/sender/recipient information. Repeat
    this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test
    the next time the client connects.

In either case, postscreen(8) will not allowlist the remote SMTP client IP
address.

This feature is available in Postfix 2.8.

The text in the optional "220-text..." server response that postscreen(8)
sends ahead of the real Postfix SMTP server's "220 text..." response, in an
attempt to confuse bad SMTP clients so that they speak before their turn
(pre-greet). Specify an empty value to disable this feature.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will use the result from a successful
PREGREET test. During this time, the client IP address is excluded from this
test. The default is relatively short, because a good client can immediately
talk to a real Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will wait for an SMTP client to send a
command before its turn, and for DNS blocklist lookup results to arrive
(default: up to 2 seconds under stress, up to 6 seconds otherwise).

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.8.

Require that a remote SMTP client sends HELO or EHLO before commencing a
MAIL transaction.

This feature is available in Postfix 2.8.

The action that postscreen(8) takes when a remote SMTP client sends non-SMTP
commands as specified with the postscreen_forbidden_commands parameter.
Specify one of the following:

ignore
    Ignore the failure of this test. Allow other tests to complete. Do not
    repeat this test before the result from some other test expires. This
    option is useful for testing and collecting statistics without blocking
    mail permanently.

enforce
    Allow other tests to complete. Reject attempts to deliver mail with a
    550 SMTP reply, and log the helo/sender/recipient information. Repeat
    this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test
    the next time the client connects. This action is the same as with the
    Postfix SMTP server's smtpd_forbidden_commands feature.

This feature is available in Postfix 2.8.

Enable "non-SMTP command" tests in the postscreen(8) server. These tests are
expensive: a client must disconnect after it passes the test, before it can
talk to a real Postfix SMTP server.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will use the result from a successful
"non_smtp_command" SMTP protocol test. During this time, the client IP
address is excluded from this test. The default is long because a client
must disconnect after it passes the test, before it can talk to a real
Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.8.

The action that postscreen(8) takes when a remote SMTP client sends multiple
commands instead of sending one command and waiting for the server to
respond. Specify one of the following:

ignore
    Ignore the failure of this test. Allow other tests to complete. Do not
    repeat this test before the result from some other test expires. This
    option is useful for testing and collecting statistics without blocking
    mail permanently.

enforce
    Allow other tests to complete. Reject attempts to deliver mail with a
    550 SMTP reply, and log the helo/sender/recipient information. Repeat
    this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat this test
    the next time the client connects.

This feature is available in Postfix 2.8.

Enable "pipelining" SMTP protocol tests in the postscreen(8) server. These
tests are expensive: a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will use the result from a successful
"pipelining" SMTP protocol test. During this time, the client IP address is
excluded from this test. The default is long because a good client must
disconnect after it passes the test, before it can talk to a real Postfix
SMTP server.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.8.

The number of clients that can be waiting for service from a real Postfix
SMTP server process. When this queue is full, all clients will receive a 421
response.

This feature is available in Postfix 2.8.

The number of non-allowlisted clients that can be waiting for a decision
whether they will receive service from a real Postfix SMTP server process.
When this queue is full, all non-allowlisted clients will receive a 421
response.

This feature is available in Postfix 2.8.

Optional information that is appended after a 4XX or 5XX postscreen(8)
server response. See smtpd_reject_footer for further details.

This feature is available in Postfix 2.8 and later.

Optional lookup table for information that is appended after a 4XX or 5XX
postscreen(8) server response. See smtpd_reject_footer_maps for further
details.

This feature is available in Postfix 3.4 and later.

The SMTP TLS security level for the postscreen(8) server; when a non-empty
value is specified, this overrides the obsolete parameters
postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_security_level
for details.

This feature is available in Postfix 2.8 and later.

The name of the proxy protocol used by an optional before-postscreen proxy
agent. When a proxy agent is used, this protocol conveys local and remote
address and port information. Specify "postscreen_upstream_proxy_protocol =
haproxy" to enable the haproxy protocol; version 2 is supported with Postfix
3.5 and later.

This feature is available in Postfix 2.10 and later.

The time limit for the proxy protocol specified with the
postscreen_upstream_proxy_protocol parameter.

This feature is available in Postfix 2.10 and later.

Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
not require that clients use TLS encryption.

This feature is available in Postfix 2.8 and later. Preferably, use
postscreen_tls_security_level instead.

How much time a postscreen(8) process may take to respond to a remote SMTP
client command or to perform a cache operation before it is terminated by a
built-in watchdog timer. This is a safety mechanism that prevents
postscreen(8) from becoming non-responsive due to a bug in Postfix itself or
in system software. To avoid false alarms and unnecessary cache corruption
this limit cannot be set under 10s.

Specify a non-zero time value (an integral value plus an optional one-letter
suffix that specifies the time unit). Time units: s (seconds), m (minutes),
h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.8.

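Many parameters on this page, from postlogd_watchdog_timeout through the postscreen TTLs to postscreen_watchdog_timeout just above, take the same "integral value plus optional one-letter unit" syntax but differ in their default unit and in whether zero or values under 10s are acceptable. The following Python helper is an added example (not Postfix's own configuration reader) that normalizes such values to seconds and checks them against a constructed table of the constraints stated on this page; a wrong default unit is an easy way to end up with a cleanup interval of 12 seconds instead of 12 hours, and a lint step like this catches it before "postfix reload".

```python
import re
from typing import Dict, Tuple

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed table: (default unit, minimum seconds, whether zero is allowed),
# taken from the parameter descriptions on this page.
TIME_PARAMETERS: Dict[str, Tuple[str, int, bool]] = {
    "postlogd_watchdog_timeout":         ("s", 10, False),
    "postscreen_watchdog_timeout":       ("s", 10, False),
    "postscreen_cache_cleanup_interval": ("h", 0, True),   # zero disables cleanup
    "postscreen_cache_retention_time":   ("d", 1, False),
    "postscreen_bare_newline_ttl":       ("d", 1, False),
    "postscreen_dnsbl_max_ttl":          ("h", 1, False),
    "postscreen_dnsbl_min_ttl":          ("s", 1, False),
    "postscreen_dnsbl_timeout":          ("s", 1, False),
    "postscreen_greet_wait":             ("s", 1, False),
}


def parse_time_value(text: str, default_unit: str = "s") -> int:
    """'30' -> 30 (with default unit s), '2h' -> 7200, '1w' -> 604800."""
    match = re.fullmatch(r"\s*(\d+)\s*([smhdw])?\s*", text)
    if not match:
        raise ValueError(f"bad time value: {text!r}")
    unit = match.group(2) or default_unit
    return int(match.group(1)) * TIME_UNITS[unit]


def validate_time_parameter(name: str, text: str) -> int:
    """Return the value in seconds, or raise ValueError when the page's
    constraints for this parameter are violated."""
    default_unit, minimum, zero_ok = TIME_PARAMETERS[name]
    seconds = parse_time_value(text, default_unit)
    if seconds == 0 and zero_ok:
        return 0
    if seconds < minimum:
        raise ValueError(f"{name} = {text!r}: must be at least {minimum}s")
    return seconds


def lint_main_cf(text: str) -> Dict[str, str]:
    """Check every known time parameter in a main.cf fragment; returns a
    mapping of parameter name to error message for the bad ones."""
    problems = {}
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        name, _, value = (part.strip() for part in line.partition("="))
        if name in TIME_PARAMETERS:
            try:
                validate_time_parameter(name, value)
            except ValueError as err:
                problems[name] = str(err)
    return problems


if __name__ == "__main__":
    # Constructed main.cf fragment with one deliberate mistake.
    print(lint_main_cf("postscreen_cache_cleanup_interval = 12\n"
                       "postscreen_watchdog_timeout = 5s\n"))
```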
Renamed to postscreen_allowlist_interfaces in Postfix 3.6.

This feature is available in Postfix 2.9 - 3.5.

The message delivery contexts where the Postfix local(8) delivery agent
prepends a Delivered-To: message header with the address that the mail was
delivered to. This information is used for mail delivery loop detection.

By default, the Postfix local delivery agent prepends a Delivered-To: header
when forwarding mail and when delivering to file (mailbox) and command.
Turning off the Delivered-To: header when forwarding mail is not
recommended.

Specify zero or more of forward, file, or command.

Example:

    prepend_delivered_header = forward

The process ID of a Postfix command or daemon process.

The location of Postfix PID files relative to $queue_directory. This is a
read-only parameter.

The process name of a Postfix command or daemon process.

What address lookup tables copy an address extension from the lookup key to
the lookup result.

For example, with a virtual(5) mapping of "joe@example.com =>
joe.user@example.net", the address "joe+foo@example.com" would rewrite to
"joe.user+foo@example.net".

Specify zero or more of canonical, virtual, alias, forward, include or
generic. These cause address extension propagation with canonical(5),
virtual(5), and aliases(5) maps, with local(8) .forward and :include: file
lookups, and with smtp(8) generic maps, respectively.

Note: enabling this feature for types other than canonical and virtual is
likely to cause problems when mail is forwarded to other sites, especially
with mail that is sent to a mailing list exploder address.

Examples:

    propagate_unmatched_extensions = canonical, virtual, alias,
        forward, include
    propagate_unmatched_extensions = canonical, virtual

5610 The remote network interface addresses that this mail system receives
5611 mail on by way of a proxy or network address translation unit.
5612
5613 This feature is available in Postfix 2.0 and later.
5614
5615 You must specify your "outside" proxy/NAT addresses when your system is
5616 a backup MX host for other domains, otherwise mail delivery loops will
5617 happen when the primary MX host is down.
5618
5619 Example:
5620
5621 proxy_interfaces = 1.2.3.4
5622
5624 The lookup tables that the proxymap(8) server is allowed to access for
5625 the read-only service.
5626
5627 Specify zero or more "type:name" lookup tables, separated by whitespace
5628 or comma. Table references that don't begin with proxy: are ignored.
5629
5630 This feature is available in Postfix 2.0 and later.
5631
5633 The lookup tables that the proxymap(8) server is allowed to access for
5634 the read-write service. Postfix-owned local database files should be
5635 stored under the Postfix-owned data_directory. Table references that
5636 don't begin with proxy: are ignored.
5637
5638 This feature is available in Postfix 2.5 and later.
5639
5641 The name of the proxymap read-only table lookup service. This service
5642 is normally implemented by the proxymap(8) daemon.
5643
5644 This feature is available in Postfix 2.6 and later.
5645
5647 The name of the proxywrite read-write table lookup service. This ser‐
5648 vice is normally implemented by the proxymap(8) daemon.
5649
5650 This feature is available in Postfix 2.6 and later.
5651
5653 The minimal delay between warnings that a specific destination is clog‐
5654 ging up the Postfix active queue. Specify 0 to disable.
5655
5656 Specify a non-negative time value (an integral value plus an optional
5657 one-letter suffix that specifies the time unit). Time units: s (sec‐
5658 onds), m (minutes), h (hours), d (days), w (weeks). The default time
5659 unit is s (seconds).
5660
5661 This feature is enabled with the helpful_warnings parameter.
5662
5663 This feature is available in Postfix 2.0 and later.
5664
5666 How much time a Postfix queue manager process may take to handle a re‐
5667 quest before it is terminated by a built-in watchdog timer.
5668
5669 Specify a non-zero time value (an integral value plus an optional
5670 one-letter suffix that specifies the time unit). Time units: s (sec‐
5671 onds), m (minutes), h (hours), d (days), w (weeks). The default time
5672 unit is s (seconds).
5673
5674 This feature is available in Postfix 2.8 and later.
5675
5677 Obsolete feature: the percentage of delivery resources that a busy mail
5678 system will use up for delivery of a large mailing list message.
5679
5680 This feature exists only in the oqmgr(8) old queue manager. The current
5681 queue manager solves the problem in a better way.
5682
5684 The time limit for the queue manager to send or receive information
5685 over an internal communication channel. The purpose is to break out of
5686 deadlock situations. If the time limit is exceeded the software either
5687 retries or aborts the operation.
5688
5689 Specify a non-zero time value (an integral value plus an optional
5690 one-letter suffix that specifies the time unit). Time units: s (sec‐
5691 onds), m (minutes), h (hours), d (days), w (weeks). The default time
5692 unit is s (seconds).
5693
5694 This feature is available in Postfix 2.8 and later.
5695
5697 The maximal number of messages in the active queue.
5698
5700 The maximal number of recipients held in memory by the Postfix queue
5701 manager, and the maximal size of the short-term, in-memory "dead" des‐
5702 tination status cache.
5703
5705 The minimal number of in-memory recipients for any message. This takes
5706 priority over any other in-memory recipient limits (i.e., the global
5707 qmgr_message_recipient_limit and the per transport _recipient_limit) if
5708 necessary. The minimum value allowed for this parameter is 1.
5709
5711 What remote QMQP clients are allowed to connect to the Postfix QMQP
5712 server port.
5713
5714 By default, no client is allowed to use the service. This is because
5715 the QMQP server will relay mail to any destination.
5716
5717 Specify a list of client patterns. A list pattern specifies a host
5718 name, a domain name, an internet address, or a network/mask pattern,
5719 where the mask specifies the number of bits in the network part. When
5720 a pattern specifies a file name, its contents are substituted for the
5721 file name; when a pattern is a "type:table" table specification, table
5722 lookup is used instead.
5723
5724 Patterns are separated by whitespace and/or commas. In order to reverse
5725 the result, precede a pattern with an exclamation point (!). The form
5726 "!/file/name" is supported only in Postfix version 2.4 and later.
5727
5728 Pattern matching of domain names is controlled by the presence or ab‐
5729 sence of "qmqpd_authorized_clients" in the parent_domain_matches_subdo‐
5730 mains parameter value.
5731
5732 Example:
5733
5734 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
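Because the QMQP server relays to any destination, the exact semantics of this pattern list matter: the list is scanned in order, the first matching pattern decides, and a "!" pattern that matches denies the client. The following is an added example written for this page (not Postfix's own match_list code) that evaluates address and network/mask patterns with that first-match rule; host name, domain name, "/file/name" and "type:table" patterns are not modelled.

```python
"""First-match evaluation of a Postfix client pattern list such as the
qmqpd_authorized_clients value shown in the example above.

Added example, not Postfix's own match_list code. It models the pattern
kinds the example needs: IPv4/IPv6 addresses, network/mask patterns and
the "!" prefix that reverses a match. Host name, domain name, /file/name
and "type:table" patterns are not handled here.
"""
import ipaddress
import re


def split_patterns(value):
    """Patterns are separated by whitespace and/or commas."""
    return [p for p in re.split(r"[\s,]+", value.strip()) if p]


def client_is_authorized(pattern_list, client_address):
    """Return True when client_address is accepted by the pattern list.

    The list is scanned in order and the first matching pattern decides:
    a plain pattern admits the client, a "!" pattern denies it. A client
    that matches nothing is denied, so the empty default admits nobody.
    """
    addr = ipaddress.ip_address(client_address)
    for pattern in split_patterns(pattern_list):
        verdict = True
        if pattern.startswith("!"):
            verdict = False
            pattern = pattern[1:]
        # IPv6 patterns are written in brackets, e.g. "[::1]/128".
        pattern = pattern.replace("[", "").replace("]", "")
        try:
            network = ipaddress.ip_network(pattern)
        except ValueError:
            # Not an address or network/mask pattern (or host bits set in a
            # masked pattern): this model skips it.
            continue
        if addr in network:   # False for a v4/v6 version mismatch
            return verdict
    return False


if __name__ == "__main__":
    # The example value from the parameter description above.
    value = "!192.168.0.1, 192.168.0.0/24"
    for client in ("192.168.0.1", "192.168.0.5", "10.0.0.1"):
        status = "allowed" if client_is_authorized(value, client) else "denied"
        print(client, status)
```

Order matters: writing the same list as "192.168.0.0/24, !192.168.0.1" would admit 192.168.0.1, because the /24 matches first.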

Enable logging of the remote QMQP client port in addition to the hostname and IP address. The logging format is "host[address]:port".

This feature is available in Postfix 2.5 and later.

How long the Postfix QMQP server will pause before sending a negative reply to the remote QMQP client. The purpose is to slow down confused or malicious clients.

Specify a non-negative time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The time limit for sending or receiving information over the network. If a read or write operation blocks for more than $qmqpd_timeout seconds the Postfix QMQP server gives up and disconnects.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The location of the Postfix top-level queue directory. This is the root directory of Postfix daemon processes that run chrooted.

The maximal number of (name=value) attributes that may be stored in a Postfix queue file. The limit is enforced by the cleanup(8) server.

This feature is available in Postfix 2.0 and later.

The minimal amount of free space in bytes in the queue file system that is needed to receive mail. This is currently used by the Postfix SMTP server to decide if it will accept any mail at all.

By default, the Postfix SMTP server rejects MAIL FROM commands when the amount of free space is less than 1.5*$message_size_limit (Postfix version 2.1 and later). To specify a higher minimum free space limit, specify a queue_minfree value that is at least 1.5*$message_size_limit.

With Postfix versions 2.0 and earlier, a queue_minfree value of zero means there is no minimum required amount of free space.

The time between deferred queue scans by the queue manager; prior to Postfix 2.4 the default value was 1000s.

This parameter should be set less than or equal to $minimal_backoff_time. See also $maximal_backoff_time.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

The name of the qmgr(8) service. This service manages the Postfix queue and schedules delivery requests.

This feature is available in Postfix 2.0 and later.

Optional lookup tables with RBL response templates. The tables are indexed by the RBL domain name. By default, Postfix uses the default template as specified with the default_rbl_reply configuration parameter. See there for a discussion of the syntax of RBL reply templates.

This feature is available in Postfix 2.0 and later.

The location of Postfix README files that describe how to build, configure or operate a specific Postfix subsystem or feature.

Enable or disable recipient validation, built-in content filtering, or address mapping. Typically, these are specified in master.cf as command-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.

Specify zero or more of the following options. The options override main.cf settings and are either implemented by smtpd(8), qmqpd(8), or pickup(8) themselves, or they are forwarded to the cleanup server.

no_unknown_recipient_checks
    Do not try to reject unknown recipients (SMTP server only). This is typically specified AFTER an external content filter.

no_address_mappings
    Disable canonical address mapping, virtual alias map expansion, address masquerading, and automatic BCC (blind carbon-copy) recipients. This is typically specified BEFORE an external content filter.

no_header_body_checks
    Disable header/body_checks. This is typically specified AFTER an external content filter.

no_milters
    Disable Milter (mail filter) applications. This is typically specified AFTER an external content filter.

Note: when the "BEFORE content filter" receive_override_options setting is specified in the main.cf file, specify the "AFTER content filter" receive_override_options setting in master.cf (and vice versa).

Examples:

    receive_override_options =
        no_unknown_recipient_checks, no_header_body_checks
    receive_override_options = no_address_mappings

This feature is available in Postfix 2.1 and later.

Optional BCC (blind carbon-copy) address lookup tables, indexed by envelope recipient address. The BCC address (multiple results are not supported) is added when mail enters from outside of Postfix.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found.

The table search order is as follows:

• Look up the "user+extension@domain.tld" address including the optional address extension.

• Look up the "user@domain.tld" address without the optional address extension.

• Look up the "user+extension" address local part when the recipient domain equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

• Look up the "user" address local part when the recipient domain equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

• Look up the "@domain.tld" part.

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all down-stream software implements RFC 3461.

Note: with Postfix 2.2 and earlier the sender will unconditionally be notified when the BCC address is undeliverable.

Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated after Postfix forwards mail internally, or after Postfix generates mail itself.

Example:

    recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

After a change, run "postmap /etc/postfix/recipient_bcc".

This feature is available in Postfix 2.1 and later.

What addresses are subject to recipient_canonical_maps address mapping. By default, recipient_canonical_maps address mapping is applied to envelope recipient addresses, and to header recipient addresses.

Specify one or more of: envelope_recipient, header_recipient

This feature is available in Postfix 2.2 and later.

Optional address mapping lookup tables for envelope and header recipient addresses. The table format and lookups are documented in canonical(5).

Note: $recipient_canonical_maps is processed before $canonical_maps.

Example:

    recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

The set of characters that can separate an email address localpart, user name, or a .forward file name from its extension. For example, with "recipient_delimiter = +", the software tries user+foo@example.com before trying user@example.com, user+foo before trying user, and .forward+foo before trying .forward.

More formally, an email address localpart or user name is separated from its extension by the first character that matches the recipient_delimiter set. The delimiter character and extension may then be used to generate an extended .forward file name. This implementation recognizes one delimiter character and one extension per email address localpart or email address. With Postfix 2.10 and earlier, the recipient_delimiter specifies a single character.

See canonical(5), local(8), relocated(5) and virtual(5) for the effects of recipient_delimiter on lookups in aliases, canonical, virtual, and relocated maps, and see the propagate_unmatched_extensions parameter for propagating an extension from one email address to another.

When used in command_execution_directory, forward_path, or luser_relay, ${recipient_delimiter} is replaced with the actual recipient delimiter that was found in the recipient email address (Postfix 2.11 and later), or it is replaced with the main.cf recipient_delimiter parameter value (Postfix 2.10 and earlier).

The recipient_delimiter is not applied to the mailer-daemon address, the postmaster address, or the double-bounce address. With the default "owner_request_special = yes" setting, the recipient_delimiter is also not applied to addresses with the special "owner-" prefix or the special "-request" suffix.

Examples:

    # Handle Postfix-style extensions.
    recipient_delimiter = +

    # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
    recipient_delimiter = +-

    # Use .forward for mail without address extension, and for mail with
    # an unrecognized address extension.
    forward_path = $home/.forward${recipient_delimiter}${extension},
        $home/.forward
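The splitting rule above (first delimiter-set character wins, one delimiter and one extension per address, special and owner-/-request addresses left whole) and the extension re-attachment described under propagate_unmatched_extensions earlier on this page are easy to get subtly wrong when writing tooling that must agree with Postfix. The following is an added example written for this page, not Postfix's own split_addr()/mail_addr_map() code; VIRTUAL is a constructed sample map reproducing the "joe@example.com => joe.user@example.net" example, and the handling of the corner cases (no split at the first localpart character, "postmaster+x"-style addresses left unsplit) is this example's reading of the text.

```python
"""Address-extension handling as described under recipient_delimiter and,
for re-attaching an extension to a lookup result, under
propagate_unmatched_extensions.

Added example, not Postfix's own split_addr()/mail_addr_map() code. The
VIRTUAL map is a constructed sample that reproduces the page's
"joe@example.com => joe.user@example.net" mapping; the corner-case rules
(no split at the first character, "postmaster+x" stays whole) are this
example's reading of the text.
"""

# Localparts whose extension is never split off (see recipient_delimiter).
SPECIAL_USERS = {"mailer-daemon", "postmaster", "double-bounce"}


def split_extension(address, delimiters="+", owner_request_special=True):
    """Split "user+ext@domain" into (user, delimiter, extension, domain).

    The first localpart character that is in the delimiter set separates
    the user from the extension; one delimiter and one extension are
    recognized per address (Postfix 2.11 and later accept a set such as
    "+-"). Special addresses, and with owner_request_special the
    "owner-..." and "...-request" forms, come back unsplit with an empty
    delimiter and extension.
    """
    localpart, sep, domain = address.rpartition("@")
    if not sep:
        localpart, domain = address, ""
    lower = localpart.lower()
    if owner_request_special and (
            lower.startswith("owner-")
            or (len(lower) > len("-request") and lower.endswith("-request"))):
        return localpart, "", "", domain
    for i in range(1, len(localpart)):   # never split at the first character
        if localpart[i] in delimiters:
            user, ext = localpart[:i], localpart[i + 1:]
            if user.lower() in SPECIAL_USERS:
                break                     # "postmaster+x" etc. stay whole
            return user, localpart[i], ext, domain
    return localpart, "", "", domain


def map_with_extension(address, table, delimiters="+"):
    """Look up an address the way a virtual(5) map is consulted.

    The full address is tried first; if only the address without its
    extension matches, the extension is re-attached to the result's
    localpart, which is what propagate_unmatched_extensions enables.
    Returns None when neither form is in the table.
    """
    if address in table:
        return table[address]
    user, delim, ext, domain = split_extension(address, delimiters)
    if not delim:
        return None
    bare = user + "@" + domain if domain else user
    result = table.get(bare)
    if result is None:
        return None
    r_local, r_sep, r_domain = result.rpartition("@")
    if not r_sep:
        r_local, r_domain = result, ""
    extended = r_local + delim + ext
    return extended + "@" + r_domain if r_sep else extended


def forward_paths(home, delimiter, extension):
    """Expand the two-entry forward_path example from this page:
    $home/.forward${recipient_delimiter}${extension}, $home/.forward.
    ${recipient_delimiter} is the delimiter actually found in the address
    (Postfix 2.11 and later); duplicates are dropped, keeping the order.
    """
    candidates = [home + "/.forward" + delimiter + extension,
                  home + "/.forward"]
    return list(dict.fromkeys(candidates))


# Constructed sample virtual map (the same mapping as the page's example).
VIRTUAL = {"joe@example.com": "joe.user@example.net"}

if __name__ == "__main__":
    print(split_extension("user+foo@example.com"))
    print(split_extension("user-foo@example.com", delimiters="+-"))
    print(map_with_extension("joe+foo@example.com", VIRTUAL))
    print(forward_paths("/home/joe", "+", "foo"))
```

With "+-" as the set, "user+foo-bar@example.com" splits at the "+" (the first matching character) and keeps "foo-bar" as the whole extension, which is the one-delimiter, one-extension behaviour the text describes.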

The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "reject" restriction.

Do not change this unless you have a complete understanding of RFC 5321.

The Postfix SMTP server's action when a reject-type restriction fails due to a temporary error condition. Specify "defer" to defer the remote SMTP client request immediately. With the default "defer_if_permit" action, the Postfix SMTP server continues to look for opportunities to reject mail, and defers the client request only if it would otherwise be accepted.

For finer control, see: unverified_recipient_tempfail_action, unverified_sender_tempfail_action, unknown_address_tempfail_action, and unknown_helo_hostname_tempfail_action.

This feature is available in Postfix 2.6 and later.

List of tables with remote SMTP client-certificate fingerprints or public key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP server will allow access with the permit_tls_clientcerts feature. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5).

The default algorithm is sha256 with Postfix >= 3.6 and the compatibility_level set to 3.6 or higher. With Postfix <= 3.5, the default algorithm is md5. The best-practice algorithm is now sha256. Recent advances in hash function cryptanalysis have led to md5 and sha1 being deprecated in favor of sha256. However, as long as there are no known "second pre-image" attacks against the older algorithms, their use in this context, though not recommended, is still likely safe.

Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of the user or host:

    D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

Example:

    relay_clientcerts = hash:/etc/postfix/relay_clientcerts

For more fine-grained control, use check_ccert_access to select an appropriate access(5) policy for each client. See RESTRICTION_CLASS_README.

This feature is available with Postfix version 2.2.

rency_limit)
The maximal number of parallel deliveries to the same destination via the relay message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

This feature is available in Postfix 2.0 and later.

ent_limit)
The maximal number of recipients per message for the relay message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

Setting this parameter to a value of 1 changes the meaning of relay_destination_concurrency_limit from concurrency per domain into concurrency per recipient.

This feature is available in Postfix 2.0 and later.

What destination domains (and subdomains thereof) this system will relay mail to. For details about how the relay_domains value is used, see the description of the permit_auth_destination and reject_unauth_destination SMTP recipient restrictions.

Domains that match $relay_domains are delivered with the $relay_transport mail delivery transport. The SMTP server validates recipient addresses with $relay_recipient_maps and rejects non-existent recipients. See also the relay domains address class in the ADDRESS_CLASS_README file.

Note: Postfix will not automatically forward mail for domains that list this system as their primary or backup MX host. See the permit_mx_backup restriction in the postconf(5) manual page.

Specify a list of host or domain names, "/file/name" patterns or "type:table" lookup tables, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a (parent) domain appears as lookup key. Specify "!pattern" to exclude a domain from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Pattern matching of domain names is controlled by the presence or absence of "relay_domains" in the parent_domain_matches_subdomains parameter value.

The numerical Postfix SMTP server response code when a client request is rejected by the reject_unauth_destination recipient restriction.

Do not change this unless you have a complete understanding of RFC 5321.

Optional lookup tables with all valid addresses in the domains that match $relay_domains. Specify @domain as a wild-card for domains that have no valid recipient list, and become a source of backscatter mail: Postfix accepts spam for non-existent recipients and then floods innocent people with undeliverable mail. Technically, tables listed with $relay_recipient_maps are used as lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from the table lookup.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found.

If this parameter is non-empty, then the Postfix SMTP server will reject mail to unknown relay users. This feature is off by default.

See also the relay domains address class in the ADDRESS_CLASS_README file.

Example:

    relay_recipient_maps = hash:/etc/postfix/relay_recipients

This feature is available in Postfix 2.0 and later.

The default mail delivery transport and next-hop destination for remote delivery to domains listed with $relay_domains. In order of decreasing precedence, the nexthop destination is taken from $relay_transport, $sender_dependent_relayhost_maps, $relayhost, or from the recipient domain. This information can be overruled with the transport(5) table.

Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. The :nexthop destination is optional; its syntax is documented in the manual page of the corresponding delivery agent.

See also the relay domains address class in the ADDRESS_CLASS_README file.

This feature is available in Postfix 2.0 and later.

The next-hop destination(s) for non-local mail; overrides non-local domains in recipient addresses. This information is overruled with relay_transport, sender_dependent_default_transport_maps, default_transport, sender_dependent_relayhost_maps and with the transport(5) table.

On an intranet, specify the organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet gateway host instead.

In the case of SMTP or LMTP delivery, specify one or more destinations in the form of a domain name, hostname, hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port, separated by comma or whitespace. The form [hostname] turns off MX lookups. Multiple destinations are supported in Postfix 3.5 and later.

If you're connected via UUCP, see the UUCP_README file for useful information.

Examples:

    relayhost = $mydomain
    relayhost = [gateway.example.com]
    relayhost = mail1.example:587, mail2.example:587
    relayhost = [an.ip.add.ress]
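Two things about these destinations are worth pinning down in code: how the bracket and port forms are parsed (brackets turn off MX lookups), and where the relayhost value sits in the precedence order that the relay_transport description above gives for relay-domain mail. The following is an added example written for this page, not Postfix's trivial-rewrite(8) code; CONFIG and its lookup tables are constructed samples, transport_maps is modelled as an exact-domain dictionary (the real transport(5) table also tries parent domains), and the null sender is not modelled.

```python
"""Next-hop selection for mail to a domain in $relay_domains, in the
precedence order stated under relay_transport, and parsing of the
destination forms accepted by relayhost.

Added example, not Postfix's trivial-rewrite(8) code. CONFIG and its
lookup tables are constructed samples; transport_maps is modelled as an
exact-domain dictionary (the real transport(5) table also tries parent
domains), and the null sender is not modelled.
"""
import re


def parse_destinations(value):
    """Parse "host, [host]:port, [addr]:port, ..." into a list of
    (host, port, mx_lookup) tuples. Brackets turn off MX lookups; port is
    None when absent. Several destinations (Postfix 3.5 and later) are
    returned in the order given.
    """
    out = []
    for item in re.split(r"[\s,]+", value.strip()):
        if not item:
            continue
        if item.startswith("["):
            close = item.find("]")
            if close < 0:
                raise ValueError("unbalanced bracket in %r" % item)
            host, rest, mx_lookup = item[1:close], item[close + 1:], False
            if rest and not rest.startswith(":"):
                raise ValueError("junk after ] in %r" % item)
            port = rest[1:] or None
        else:
            host, sep, port = item.rpartition(":")
            if not sep:
                host, port = item, None
            mx_lookup = True
        out.append((host, port, mx_lookup))
    return out


def relay_nexthop(config, sender, recipient_domain):
    """Return (transport, nexthop) for a relay-domain recipient.

    Highest precedence first: the transport(5) table, the :nexthop part of
    relay_transport, sender_dependent_relayhost_maps (sender address, then
    @domain), relayhost, and finally the recipient domain itself.
    """
    transport_maps = config.get("transport_maps", {})
    if recipient_domain in transport_maps:
        transport, _, nexthop = transport_maps[recipient_domain].partition(":")
        # "smtp:" with no nexthop means the delivery agent's default nexthop.
        return transport, nexthop or recipient_domain
    transport, sep, nexthop = config.get("relay_transport", "relay").partition(":")
    if sep and nexthop:
        return transport, nexthop
    sdr_maps = config.get("sender_dependent_relayhost_maps", {})
    if "@" in sender:
        for key in (sender, "@" + sender.rpartition("@")[2]):
            if key in sdr_maps:
                return transport, sdr_maps[key]
    if config.get("relayhost"):
        return transport, config["relayhost"]
    return transport, recipient_domain


# Constructed sample configuration (not a recommended setup, just data).
CONFIG = {
    "relay_transport": "relay",
    "relayhost": "[gateway.example.com]",
    "sender_dependent_relayhost_maps": {
        "@sales.example.com": "[smtp.partner.example]:587",
    },
    "transport_maps": {"special.example": "smtp:[10.0.0.5]"},
}

if __name__ == "__main__":
    print(parse_destinations("mail1.example:587, [mail2.example]:587"))
    for sender, domain in [("bob@sales.example.com", "customer.example"),
                           ("ann@corp.example.com", "customer.example"),
                           ("ann@corp.example.com", "special.example")]:
        print(sender, domain, "->", relay_nexthop(CONFIG, sender, domain))
```

Note that a relay_transport value carrying its own ":nexthop" wins over both the sender-dependent map and relayhost, so a hard-coded nexthop there silently disables per-sender routing.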
6144
6146 Optional lookup tables with new contact information for users or do‐
6147 mains that no longer exist. The table format and lookups are docu‐
6148 mented in relocated(5).
6149
6150 Specify zero or more "type:name" lookup tables, separated by whitespace
6151 or comma. Tables will be searched in the specified order until a match
6152 is found.
6153
6154 If you use this feature, run "postmap /etc/postfix/relocated" to build
6155 the necessary DBM or DB file after change, then "postfix reload" to
6156 make the changes visible.
6157
6158 Examples:
6159
6160 relocated_maps = dbm:/etc/postfix/relocated
6161 relocated_maps = hash:/etc/postfix/relocated
6162
6164 Rewrite or add message headers in mail from remote clients if the re‐
6165 mote_header_rewrite_domain parameter value is non-empty, updating in‐
6166 complete addresses with the domain specified in the remote_header_re‐
6167 write_domain parameter, and adding missing headers.
6168
6169 The local_header_rewrite_clients parameter controls what clients Post‐
6170 fix considers local.
6171
6172 Examples:
6173
6174 The safe setting: append "domain.invalid" to incomplete header ad‐
6175 dresses from remote SMTP clients, so that those addresses cannot be
6176 confused with local addresses.
6177
6178 remote_header_rewrite_domain = domain.invalid
6179
6180 The default, purist, setting: don't rewrite headers from remote clients
6181 at all.
6182
6183 remote_header_rewrite_domain =
6184
6186 Require that a local(8) recipient's home directory exists before mail
6187 delivery is attempted. By default this test is disabled. It can be
6188 useful for environments that import home directories to the mail server
6189 (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
6190
6192 Reset the local(8) delivery agent's idea of the owner-alias attribute,
6193 when delivering mail to a child alias that does not have its own owner
6194 alias.
6195
6196 This feature is available in Postfix 2.8 and later. With older Postfix
6197 releases, the behavior is as if this parameter is set to "yes".
6198
6199 As documented in aliases(5), when an alias name has a companion alias
6200 named owner-name, this will replace the envelope sender address, so
6201 that delivery errors will be reported to the owner alias instead of the
6202 sender. This configuration is recommended for mailing lists.
6203
6204 A less known property of the owner alias is that it also forces the lo‐
6205 cal(8) delivery agent to write local and remote addresses from alias
6206 expansion to a new queue file, instead of attempting to deliver mail to
6207 local addresses as soon as they come out of alias expansion.
6208
6209 Writing local addresses from alias expansion to a new queue file allows
6210 for robust handling of temporary delivery errors: errors with one local
6211 member have no effect on deliveries to other members of the list. On
6212 the other hand, delivery to local addresses as soon as they come out of
6213 alias expansion is fragile: a temporary error with one local address
6214 from alias expansion will cause the entire alias to be expanded repeat‐
6215 edly until the error goes away, or until the message expires in the
6216 queue. In that case, a problem with one list member results in multi‐
6217 ple message deliveries to other list members.
6218
6219 The default behavior of Postfix 2.8 and later is to keep the
6220 owner-alias attribute of the parent alias, when delivering mail to a
6221 child alias that does not have its own owner alias. Then, local ad‐
6222 dresses from that child alias will be written to a new queue file, and
6223 a temporary error with one local address will not affect delivery to
6224 other mailing list members.
6225
6226 Unfortunately, older Postfix releases reset the owner-alias attribute
6227 when delivering mail to a child alias that does not have its own owner
6228 alias. To be precise, this resets only the decision to create a new
6229 queue file, not the decision to override the envelope sender address.
6230 The local(8) delivery agent then attempts to deliver local addresses as
6231 soon as they come out of child alias expansion. If delivery to any ad‐
6232 dress from child alias expansion fails with a temporary error condi‐
6233 tion, the entire mailing list may be expanded repeatedly until the mail
6234 expires in the queue, resulting in multiple deliveries of the same mes‐
6235 sage to mailing list members.
6236
6238 Resolve a recipient address safely instead of correctly, by looking in‐
6239 side quotes.
6240
6241 By default, the Postfix address resolver does not quote the address lo‐
6242 calpart as per RFC 822, so that additional @ or % or ! operators re‐
6243 main visible. This behavior is safe but it is also technically incor‐
6244 rect.
6245
6246 If you specify "resolve_dequoted_address = no", then the Postfix re‐
6247 solver will not know about additional @ etc. operators in the address
6248 localpart. This opens opportunities for obscure mail relay attacks with
6249 user@domain@domain addresses when Postfix provides backup MX service
6250 for Sendmail systems.
6251
6253 Resolve an address that ends in the "@" null domain as if the local
6254 hostname were specified, instead of rejecting the address as invalid.
6255
6256 This feature is available in Postfix 2.1 and later. Earlier versions
6257 always resolve the null domain as the local hostname.
6258
6259 The Postfix SMTP server uses this feature to reject mail from or to ad‐
6260 dresses that end in the "@" null domain, and from addresses that re‐
6261 write into a form that ends in the "@" null domain.
6262
6264 Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
6265 the address as invalid.
6266
6267 This feature is available in Postfix 2.3 and later.
6268
6270 Avoid logging that implies white is better than black. Instead use 'al‐
6271 lowlist', 'denylist', and variations of those words.
6272
6273 This feature is available in Postfix 3.6 and later.
6274
6276 The name of the address rewriting service. This service rewrites ad‐
6277 dresses to standard form and resolves them to a (delivery method,
6278 next-hop host, recipient) triple.
6279
6280 This feature is available in Postfix 2.0 and later.
6281
6283 The name of the directory with example Postfix configuration files.
6284 Starting with Postfix 2.1, these files have been replaced with the
6285 postconf(5) manual page.
6286
6288 When authenticating to a remote SMTP or LMTP server with the default
6289 setting "no", send no SASL authoriZation ID (authzid); send only the
6290 SASL authentiCation ID (authcid) plus the authcid's password.
6291
6292 The non-default setting "yes" enables the behavior of older Postfix
6293 versions. These always send a SASL authzid that is equal to the SASL
6294 authcid, but this causes interoperability problems with some SMTP
6295 servers.
6296
6297 This feature is available in Postfix 2.4.4 and later.
6298
6300 This parameter should not be used. It was replaced by sender_depen‐
6301 dent_relayhost_maps in Postfix version 2.3.
6302
6304 Optional BCC (blind carbon-copy) address lookup tables, indexed by en‐
6305 velope sender address. The BCC address (multiple results are not sup‐
6306 ported) is added when mail enters from outside of Postfix.
6307
6308 Specify zero or more "type:name" lookup tables, separated by whitespace
6309 or comma. Tables will be searched in the specified order until a match
6310 is found.
6311
6312 The table search order is as follows:
6313
6314 • Look up the "user+extension@domain.tld" address including the
6315 optional address extension.
6316
6317 • Look up the "user@domain.tld" address without the optional ad‐
6318 dress extension.
6319
6320 • Look up the "user+extension" address local part when the sender
6321 domain equals $myorigin, $mydestination, $inet_interfaces or
6322 $proxy_interfaces.
6323
6324 • Look up the "user" address local part when the sender domain
6325 equals $myorigin, $mydestination, $inet_interfaces or $proxy_in‐
6326 terfaces.
6327
6328 • Look up the "@domain.tld" part.
6329
6330 Note: with Postfix 2.3 and later the BCC address is added as if it was
6331 specified with NOTIFY=NONE. The sender will not be notified when the
6332 BCC address is undeliverable, as long as all down-stream software im‐
6333 plements RFC 3461.
6334
6335 Note: with Postfix 2.2 and earlier the sender will be notified when the
6336 BCC address is undeliverable.
6337
6338 Note: automatic BCC recipients are produced only for new mail. To
6339 avoid mailer loops, automatic BCC recipients are not generated after
6340 Postfix forwards mail internally, or after Postfix generates mail it‐
6341 self.
6342
6343 Example:
6344
6345 sender_bcc_maps = hash:/etc/postfix/sender_bcc
6346
6347 After a change, run "postmap /etc/postfix/sender_bcc".
6348
6349 This feature is available in Postfix 2.1 and later.
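The five-step search order above is easy to get wrong when writing a sender_bcc table, so here is an added illustration that walks a sender address through it. This is example code written for this page, not Postfix's own lookup logic: a plain dict stands in for the hash: table, LOCAL_DOMAINS stands in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces, recipient_delimiter is assumed to be "+", and every address and table entry is constructed.

```python
"""Illustration of the sender_bcc_maps search order (not Postfix code)."""
from typing import Dict, List, Optional, Set, Tuple

RECIPIENT_DELIMITER = "+"  # assumption: main.cf recipient_delimiter = +


def split_sender(sender: str) -> Tuple[str, Optional[str], str]:
    """Split "user+ext@domain" into (user, ext or None, domain).

    The key is case-folded, as Postfix does for address lookups.
    """
    local, sep, domain = sender.lower().rpartition("@")
    if not sep:
        raise ValueError("envelope sender must contain '@': %r" % sender)
    user, dsep, ext = local.partition(RECIPIENT_DELIMITER)
    return user, (ext if dsep else None), domain


def bcc_search_keys(sender: str, local_domains: Set[str]) -> List[str]:
    """Return the lookup keys in the order the manual page lists them."""
    user, ext, domain = split_sender(sender)
    is_local = domain in local_domains
    keys: List[str] = []
    if ext is not None:
        keys.append(f"{user}{RECIPIENT_DELIMITER}{ext}@{domain}")  # user+extension@domain.tld
    keys.append(f"{user}@{domain}")                                  # user@domain.tld
    if is_local:  # local-part lookups only when the domain is one of ours
        if ext is not None:
            keys.append(f"{user}{RECIPIENT_DELIMITER}{ext}")         # user+extension
        keys.append(user)                                            # user
    keys.append(f"@{domain}")                                        # @domain.tld
    return keys


def lookup_sender_bcc(sender: str, table: Dict[str, str],
                      local_domains: Set[str]) -> Optional[Tuple[str, str]]:
    """Return (matching key, BCC address) for the first hit, or None."""
    for key in bcc_search_keys(sender, local_domains):
        if key in table:
            return key, table[key]
    return None


# Constructed stand-in for hash:/etc/postfix/sender_bcc
SENDER_BCC = {
    "alice+news@example.com": "news-archive@audit.example.com",
    "alice@example.com": "alice-archive@audit.example.com",
    "bob": "bob-archive@audit.example.com",
    "@example.com": "all-archive@audit.example.com",
}
LOCAL_DOMAINS = {"example.com"}  # constructed: what $mydestination etc. cover

if __name__ == "__main__":
    for s in ("Alice+News@Example.com", "alice+sales@example.com",
              "bob+x@example.com", "carol@example.com", "bob@other.org"):
        print(s, "->", lookup_sender_bcc(s, SENDER_BCC, LOCAL_DOMAINS))
```

Note that "bob@other.org" matches nothing: the bare "bob" entry is only consulted for local domains, which is what keeps a local-part key from firing on arbitrary outside senders.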
6350
6352 What addresses are subject to sender_canonical_maps address mapping.
6353 By default, sender_canonical_maps address mapping is applied to enve‐
6354 lope sender addresses, and to header sender addresses.
6355
6356 Specify one or more of: envelope_sender, header_sender
6357
6358 This feature is available in Postfix 2.2 and later.
6359
6361 Optional address mapping lookup tables for envelope and header sender
6362 addresses. The table format and lookups are documented in canoni‐
6363 cal(5).
6364
6365 Example: you want to rewrite the SENDER address "user@ugly.example" to
6366 "user@pretty.example", while still being able to send mail to the RE‐
6367 CIPIENT address "user@ugly.example".
6368
6369 Note: $sender_canonical_maps is processed before $canonical_maps.
6370
6371 Example:
6372
6373 sender_canonical_maps = hash:/etc/postfix/sender_canonical
6374
6376 A sender-dependent override for the global default_transport parameter
6377 setting. The tables are searched by the envelope sender address and
6378 @domain. A lookup result of DUNNO terminates the search without over‐
6379 riding the global default_transport parameter setting. This informa‐
6380 tion is overruled with the transport(5) table.
6381
6382 Specify zero or more "type:name" lookup tables, separated by whitespace
6383 or comma. Tables will be searched in the specified order until a match
6384 is found.
6385
6386 Note: this overrides default_transport, not transport_maps, and there‐
6387 fore the expected syntax is that of default_transport, not the syntax
6388 of transport_maps. Specifically, this does not support the trans‐
6389 port_maps syntax for null transport, null nexthop, or null email ad‐
6390 dresses.
6391
6392 For safety reasons, this feature does not allow $number substitutions
6393 in regular expression maps.
6394
6395 This feature is available in Postfix 2.7 and later.
6396
6398 A sender-dependent override for the global relayhost parameter setting.
6399 The tables are searched by the envelope sender address and @domain. A
6400 lookup result of DUNNO terminates the search without overriding the
6401 global relayhost parameter setting (Postfix 2.6 and later). This infor‐
6402 mation is overruled with relay_transport, sender_dependent_de‐
6403 fault_transport_maps, default_transport and with the transport(5) ta‐
6404 ble.
6405
6406 Specify zero or more "type:name" lookup tables, separated by whitespace
6407 or comma. Tables will be searched in the specified order until a match
6408 is found.
6409
6410 For safety reasons, this feature does not allow $number substitutions
6411 in regular expression maps.
6412
6413 This feature is available in Postfix 2.3 and later.
6414
6416 Controls how the Postfix sendmail command converts email message line
6417 endings from <CR><LF> into UNIX format (<LF>).
6418
6419 always Always convert message lines ending in <CR><LF>. This setting is
6420 the default with Postfix 2.9 and later.
6421
6422 strict Convert message lines ending in <CR><LF> only if the first input
6423 line ends in <CR><LF>. This setting is backwards-compatible with
6424 Postfix 2.8 and earlier.
6425
6426 never Never convert message lines ending in <CR><LF>. This setting ex‐
6427 ists for completeness only.
6428
6429 This feature is available in Postfix 2.9 and later.
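The difference between "always" and "strict" only shows on mixed input, so here is an added model of the three settings. This is constructed example code written for this page, not the Postfix sendmail(1) implementation; it encodes only the rule the text states for each value, and the sample messages are made up.

```python
"""Model of the sendmail_fix_line_endings settings (not Postfix code)."""


def fix_line_endings(data: bytes, mode: str = "always") -> bytes:
    """Convert <CR><LF> line endings to <LF> according to `mode`.

    always: convert every line that ends in CRLF (default since Postfix 2.9)
    strict: convert only if the first input line ends in CRLF (2.8 behaviour)
    never:  leave the input untouched
    A bare CR that is not followed by LF is left alone in every mode.
    """
    if mode not in ("always", "strict", "never"):
        raise ValueError("unknown sendmail_fix_line_endings value: %r" % mode)
    if mode == "never" or b"\n" not in data:
        return data
    # Split on LF only; the last element is the unterminated tail (often empty).
    *lines, tail = data.split(b"\n")
    if mode == "strict" and not lines[0].endswith(b"\r"):
        return data  # first line is LF-terminated: leave everything as is
    fixed = [line[:-1] if line.endswith(b"\r") else line for line in lines]
    return b"\n".join(fixed + [tail])


# Constructed sample input: headers in CRLF form, a bare CR inside the body.
CRLF_MESSAGE = b"From: a@example.com\r\nSubject: x\r\n\r\nbody\rline\r\n"
MIXED_MESSAGE = b"From: a@example.com\nSubject: x\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for mode in ("always", "strict", "never"):
        print(mode, fix_line_endings(CRLF_MESSAGE, mode), fix_line_endings(MIXED_MESSAGE, mode))
```

With MIXED_MESSAGE the "strict" setting leaves the later CRLF endings in place because the first line ended in a bare LF, which is exactly the 2.8 behaviour the text calls backwards-compatible.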
6430
6432 A Sendmail compatibility feature that specifies the location of the
6433 Postfix sendmail(1) command. This command can be used to submit mail
6434 into the Postfix queue.
6435
6437 The master.cf service name of a Postfix daemon process. This can be
6438 used to distinguish the logging from different services that use the
6439 same program name.
6440
6441 Example master.cf entries:
6442
6443 # Distinguish inbound MTA logging from submission and smtps logging.
6444 smtp inet n - n - - smtpd
6445 submission inet n - n - - smtpd
6446 -o syslog_name=postfix/$service_name
6447 smtps inet n - n - - smtpd
6448 -o syslog_name=postfix/$service_name
6449
6450 # Distinguish outbound MTA logging from inbound relay logging.
6451 smtp unix - - n - - smtp
6452 relay unix - - n - - smtp
6453 -o syslog_name=postfix/$service_name
6454
6456 How long the Postfix master(8) waits before forking a server that ap‐
6457 pears to be malfunctioning.
6458
6459 Specify a non-zero time value (an integral value plus an optional
6460 one-letter suffix that specifies the time unit). Time units: s (sec‐
6461 onds), m (minutes), h (hours), d (days), w (weeks). The default time
6462 unit is s (seconds).
6463
The group ownership of set-gid Postfix commands and of group-writable
Postfix directories. When this parameter value is changed you need to
re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
"/etc/postfix/post-install set-permissions").
6469
6471 The location of Postfix dynamically-linked libraries (libpostfix-*.so),
6472 and the default location of Postfix database plugins (postfix-*.so)
6473 that have a relative pathname in the dynamicmaps.cf file. The
6474 shlib_directory parameter defaults to "no" when Postfix dynami‐
6475 cally-linked libraries and database plugins are disabled at compile
6476 time, otherwise it typically defaults to /usr/lib/postfix or /usr/lo‐
6477 cal/lib/postfix.
6478
6479 Notes:
6480
6481 • The directory specified with shlib_directory should contain only
6482 Postfix-related files. Postfix dynamically-linked libraries and
6483 database plugins should not be installed in a "public" system
6484 directory such as /usr/lib or /usr/local/lib. Linking Postfix
6485 dynamically-linked library files or database plugins into
6486 non-Postfix programs is not supported. Postfix dynami‐
6487 cally-linked libraries and database plugins implement a Post‐
6488 fix-internal API that changes without maintaining compatibility.
6489
6490 • You can change the shlib_directory value after Postfix is built.
6491 However, you may have to run ldconfig or equivalent to prevent
6492 Postfix programs from failing because the libpostfix-*.so files
6493 are not found. No ldconfig command is needed if you keep the
6494 libpostfix-*.so files in the compiled-in default $shlib_direc‐
6495 tory location.
6496
6497 This feature is available in Postfix 3.0 and later.
6498
6500 Display the name of the recipient table in the "User unknown" re‐
6501 sponses. The extra detail makes troubleshooting easier but also re‐
6502 veals information that is nobody else's business.
6503
6504 This feature is available in Postfix 2.0 and later.
6505
6507 The name of the showq(8) service. This service produces mail queue sta‐
6508 tus reports.
6509
6510 This feature is available in Postfix 2.0 and later.
6511
6513 The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6514 will try first, when a destination has IPv6 and IPv4 addresses with
6515 equal MX preference. This feature has no effect unless the inet_proto‐
6516 cols setting enables both IPv4 and IPv6.
6517
6518 Postfix SMTP client address preference has evolved. With Postfix 2.8
6519 the default is "ipv6"; earlier implementations are hard-coded to prefer
6520 IPv6 over IPv4.
6521
6522 Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6523 nectivity:
6524
6525 • The setting "smtp_address_preference = ipv6" is unsafe. It can
6526 fail to deliver mail when there is an outage that affects IPv6,
6527 while the destination is still reachable over IPv4.
6528
6529 • The setting "smtp_address_preference = any" is safe. With this,
6530 mail will eventually be delivered even if there is an outage
6531 that affects IPv6 or IPv4, as long as it does not affect both.
6532
6533 This feature is available in Postfix 2.8 and later.
6534
6536 In the context of email address verification, the SMTP protocol stage
6537 that determines whether an email address is deliverable. Specify one
6538 of "rcpt" or "data". The latter is needed with remote SMTP servers
6539 that reject recipients after the DATA command. Use transport_maps to
6540 apply this feature selectively:
6541
6542 /etc/postfix/main.cf:
6543 transport_maps = hash:/etc/postfix/transport
6544
6545 /etc/postfix/transport:
6546 smtp-domain-that-verifies-after-data smtp-data-target:
6547 lmtp-domain-that-verifies-after-data lmtp-data-target:
6548
6549 /etc/postfix/master.cf:
6550 smtp-data-target unix - - n - - smtp
6551 -o smtp_address_verify_target=data
6552 lmtp-data-target unix - - n - - lmtp
6553 -o lmtp_address_verify_target=data
6554
6555 Unselective use of the "data" target does no harm, but will result in
6556 unnecessary "lost connection after DATA" events at remote SMTP/LMTP
6557 servers.
6558
6559 This feature is available in Postfix 3.0 and later.
6560
6562 Always send EHLO at the start of an SMTP session.
6563
6564 With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO
6565 only when the word "ESMTP" appears in the server greeting banner (exam‐
6566 ple: 220 spike.porcupine.org ESMTP Postfix).
6567
6569 When a remote destination resolves to a combination of IPv4 and IPv6
6570 addresses, ensure that the Postfix SMTP client can try both address
6571 types before it runs into the smtp_mx_address_limit.
6572
6573 This avoids an interoperability problem when a destination resolves to
6574 primarily IPv6 addresses, the smtp_address_limit feature eliminates
6575 most or all IPv4 addresses, and the destination is not reachable over
6576 IPv6.
6577
6578 This feature is available in Postfix 3.3 and later.
6579
6581 An optional numerical network address that the Postfix SMTP client
6582 should bind to when making an IPv4 connection.
6583
6584 This can be specified in the main.cf file for all SMTP clients, or it
6585 can be specified in the master.cf file for a specific client, for exam‐
6586 ple:
6587
6588 /etc/postfix/master.cf:
6589 smtp ... smtp -o smtp_bind_address=11.22.33.44
6590
6591 See smtp_bind_address_enforce for how Postfix should handle errors
6592 (Postfix 3.7 and later).
6593
6594 Note 1: when inet_interfaces specifies no more than one IPv4 address,
6595 and that address is a non-loopback address, it is automatically used as
6596 the smtp_bind_address. This supports virtual IP hosting, but can be a
6597 problem on multi-homed firewalls. See the inet_interfaces documentation
6598 for more detail.
6599
6600 Note 2: address information may be enclosed inside [], but this form is
6601 not required here.
6602
6604 An optional numerical network address that the Postfix SMTP client
6605 should bind to when making an IPv6 connection.
6606
6607 This feature is available in Postfix 2.2 and later.
6608
6609 This can be specified in the main.cf file for all SMTP clients, or it
6610 can be specified in the master.cf file for a specific client, for exam‐
6611 ple:
6612
6613 /etc/postfix/master.cf:
6614 smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6615
6616 See smtp_bind_address_enforce for how Postfix should handle errors
6617 (Postfix 3.7 and later).
6618
6619 Note 1: when inet_interfaces specifies no more than one IPv6 address,
6620 and that address is a non-loopback address, it is automatically used as
6621 the smtp_bind_address6. This supports virtual IP hosting, but can be a
6622 problem on multi-homed firewalls. See the inet_interfaces documentation
6623 for more detail.
6624
6625 Note 2: address information may be enclosed inside [], but this form is
6626 not recommended here.
6627
6629 Defer delivery when the Postfix SMTP client cannot apply the
6630 smtp_bind_address or smtp_bind_address6 setting. By default, the Post‐
6631 fix SMTP client will continue delivery after logging a warning.
6632
6633 This feature is available in Postfix 3.7 and later.
6634
6636 Restricted body_checks(5) tables for the Postfix SMTP client. These
6637 tables are searched while mail is being delivered. Actions that change
6638 the delivery time or destination are not available.
6639
6640 This feature is available in Postfix 2.5 and later.
6641
6643 When the remote SMTP servername is a DNS CNAME, replace the servername
6644 with the result from CNAME expansion for the purpose of logging, SASL
6645 password lookup, TLS policy decisions, or TLS certificate verification.
6646 The value "no" hardens Postfix smtp_tls_per_site hostname-based poli‐
6647 cies against false hostname information in DNS CNAME records, and makes
6648 SASL password file lookups more predictable. This is the default set‐
6649 ting as of Postfix 2.3.
6650
6651 When DNS CNAME records are validated with secure DNS lookups
6652 (smtp_dns_support_level = dnssec), they are always allowed to override
6653 the above servername (Postfix 2.11 and later).
6654
6655 This feature is available in Postfix 2.2.9 and later.
6656
6658 The Postfix SMTP client time limit for completing a TCP connection, or
6659 zero (use the operating system built-in time limit).
6660
6661 When no connection can be made within the deadline, the Postfix SMTP
6662 client tries the next address on the mail exchanger list. Specify 0 to
6663 disable the time limit (i.e. use whatever timeout is implemented by the
6664 operating system).
6665
6666 Specify a non-negative time value (an integral value plus an optional
6667 one-letter suffix that specifies the time unit). Time units: s (sec‐
6668 onds), m (minutes), h (hours), d (days), w (weeks). The default time
6669 unit is s (seconds).
6670
6672 Permanently enable SMTP connection caching for the specified destina‐
6673 tions. With SMTP connection caching, a connection is not closed imme‐
6674 diately after completion of a mail transaction. Instead, the connec‐
6675 tion is kept open for up to $smtp_connection_cache_time_limit seconds.
6676 This allows connections to be reused for other deliveries, and can im‐
6677 prove mail delivery performance.
6678
6679 Specify a comma or white space separated list of destinations or
6680 pseudo-destinations:
6681
6682 • if mail is sent without a relay host: a domain name (the
6683 right-hand side of an email address, without the [] around a nu‐
6684 meric IP address),
6685
6686 • if mail is sent via a relay host: a relay host name (without []
6687 or non-default TCP port), as specified in main.cf or in the
6688 transport map,
6689
6690 • if mail is sent via a UNIX-domain socket: a pathname (without
6691 the unix: prefix),
6692
6693 • a /file/name with domain names and/or relay host names as de‐
6694 fined above,
6695
6696 • a "type:table" with domain names and/or relay host names on the
6697 left-hand side. The right-hand side result from "type:table"
6698 lookups is ignored.
6699
6700 This feature is available in Postfix 2.2 and later.
6701
6703 Temporarily enable SMTP connection caching while a destination has a
6704 high volume of mail in the active queue. With SMTP connection caching,
6705 a connection is not closed immediately after completion of a mail
6706 transaction. Instead, the connection is kept open for up to $smtp_con‐
6707 nection_cache_time_limit seconds. This allows connections to be reused
6708 for other deliveries, and can improve mail delivery performance.
6709
6710 This feature is available in Postfix 2.2 and later.
6711
6713 When SMTP connection caching is enabled, the amount of time that an un‐
6714 used SMTP client socket is kept open before it is closed. Do not spec‐
6715 ify larger values without permission from the remote sites.
6716
6717 This feature is available in Postfix 2.2 and later.
6718
6720 When SMTP connection caching is enabled, the number of times that an
6721 SMTP session may be reused before it is closed, or zero (no limit).
6722 With a reuse count limit of N, a connection is used up to N+1 times.
6723
6724 NOTE: This feature is unsafe. When a high-volume destination has multi‐
6725 ple inbound MTAs, then the slowest inbound MTA will attract the most
6726 connections to that destination. This limitation does not exist with
6727 the smtp_connection_reuse_time_limit feature.
6728
6729 This feature is available in Postfix 2.11.
6730
6732 The amount of time during which Postfix will use an SMTP connection re‐
6733 peatedly. The timer starts when the connection is initiated (i.e. it
6734 includes the connect, greeting and helo latency, in addition to the la‐
6735 tencies of subsequent mail delivery transactions).
6736
6737 This feature addresses a performance stability problem with remote SMTP
6738 servers. This problem is not specific to Postfix: it can happen when
6739 any MTA sends large amounts of SMTP email to a site that has multiple
6740 MX hosts.
6741
6742 The problem starts when one of a set of MX hosts becomes slower than
6743 the rest. Even though SMTP clients connect to fast and slow MX hosts
6744 with equal probability, the slow MX host ends up with more simultaneous
6745 inbound connections than the faster MX hosts, because the slow MX host
6746 needs more time to serve each client request.
6747
6748 The slow MX host becomes a connection attractor. If one MX host be‐
6749 comes N times slower than the rest, it dominates mail delivery latency
6750 unless there are more than N fast MX hosts to counter the effect. And
6751 if the number of MX hosts is smaller than N, the mail delivery latency
6752 becomes effectively that of the slowest MX host divided by the total
6753 number of MX hosts.
6754
6755 The solution uses connection caching in a way that differs from Postfix
6756 version 2.2. By limiting the amount of time during which a connection
6757 can be used repeatedly (instead of limiting the number of deliveries
6758 over that connection), Postfix not only restores fairness in the dis‐
6759 tribution of simultaneous connections across a set of MX hosts, it also
6760 favors deliveries over connections that perform well, which is exactly
6761 what we want.
6762
6763 The default reuse time limit, 300s, is comparable to the various smtp
6764 transaction timeouts which are fair estimates of maximum excess latency
6765 for a slow delivery. Note that hosts may accept thousands of messages
6766 over a single connection within the default connection reuse time
6767 limit. This number is much larger than the default Postfix version 2.2
6768 limit of 10 messages per cached connection. It may prove necessary to
6769 lower the limit to avoid interoperability issues with MTAs that exhibit
6770 bugs when many messages are delivered via a single connection. A lower
6771 reuse time limit risks losing the benefit of connection reuse when the
6772 average connection and mail delivery latency exceeds the reuse time
6773 limit.
6774
6775 This feature is available in Postfix 2.3 and later.
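The "connection attractor" argument above can be made concrete with Little's law (simultaneous connections = new connections per second times connection lifetime). The following is added analysis code written for this page, not Postfix logic: it compares a per-connection message limit (the Postfix 2.2 style) with the time-limited reuse policy for a list of per-message latencies, assuming the client opens new connections to every MX host at the same rate and that a connection is busy for its whole lifetime. The latencies and limits are constructed.

```python
"""Model of the slow-MX attractor effect under two connection reuse policies.

Constructed example, not Postfix code. Assumptions: equal connection rate
to every MX host, a connection is busy for its whole lifetime, and a
cached connection is never closed early.
"""
from typing import Dict, List


def _summarize(conns: List[float], thr: List[float], latencies: List[float]) -> Dict[str, object]:
    """Per-host simultaneous connections, throughput (msgs/s) and the
    throughput-weighted mean delivery latency across all hosts."""
    total = sum(thr)
    mean_latency = sum(t * lat for t, lat in zip(thr, latencies)) / total
    return {"connections": conns, "throughput": thr, "mean_latency": mean_latency}


def reuse_policy_stats(latencies: List[float], count_limit: int = 10,
                       time_limit: float = 300.0,
                       connect_rate: float = 1.0) -> Dict[str, Dict[str, object]]:
    """Compare a message-count reuse limit with a reuse time limit.

    latencies[i] is the seconds one delivery takes on MX host i.
    """
    stats: Dict[str, Dict[str, object]] = {}

    # Policy A: at most count_limit messages per connection. A connection to
    # a slow host lives count_limit * latency seconds, so the slow host holds
    # proportionally more simultaneous connections, while every host still
    # receives the same number of messages per second.
    conns = [connect_rate * count_limit * lat for lat in latencies]
    thr = [connect_rate * count_limit for _ in latencies]
    stats["count_limit"] = _summarize(conns, thr, latencies)

    # Policy B: a connection may be reused for time_limit seconds. Every host
    # holds the same number of simultaneous connections, and a connection to a
    # fast host delivers more messages in that time, so throughput shifts to
    # the hosts that perform well.
    conns = [connect_rate * time_limit for _ in latencies]
    thr = [connect_rate * time_limit / lat for lat in latencies]
    stats["time_limit"] = _summarize(conns, thr, latencies)
    return stats


if __name__ == "__main__":
    # Constructed: two fast MX hosts (1 s per message) and one slow one (10 s).
    for policy, result in reuse_policy_stats([1.0, 1.0, 10.0]).items():
        print(policy, result)
```

With two hosts at 1 s and one at 10 s, the count-limited policy gives the slow host ten times the simultaneous connections of each fast host and a mean latency of 4 s, while the time-limited policy keeps connections equal and brings the mean latency down to about 1.4 s because 90% of the messages flow through the fast hosts.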
6776
6778 The Postfix SMTP client time limit for sending the SMTP ".", and for
6779 receiving the remote SMTP server response.
6780
6781 When no response is received within the deadline, a warning is logged
6782 that the mail may be delivered multiple times.
6783
6784 Specify a non-zero time value (an integral value plus an optional
6785 one-letter suffix that specifies the time unit). Time units: s (sec‐
6786 onds), m (minutes), h (hours), d (days), w (weeks). The default time
6787 unit is s (seconds).
6788
6790 The Postfix SMTP client time limit for sending the SMTP DATA command,
6791 and for receiving the remote SMTP server response.
6792
6793 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6794 The default time unit is s (seconds).
6795
6797 The Postfix SMTP client time limit for sending the SMTP message con‐
6798 tent. When the connection makes no progress for more than
6799 $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the
6800 transfer.
6801
6802 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6803 The default time unit is s (seconds).
6804
6806 Defer mail delivery when no MX record resolves to an IP address.
6807
6808 The default (no) is to return the mail as undeliverable. With older
6809 Postfix versions the default was to keep trying to deliver the mail un‐
6810 til someone fixed the MX record or until the mail was too old.
6811
6812 Note: the Postfix SMTP client always ignores MX records with equal or
6813 worse preference than the local MTA itself.
6814
6815 This feature is available in Postfix 2.1 and later.
6816
6818 Optional filter for the smtp(8) delivery agent to change the delivery
6819 status code or explanatory text of successful or unsuccessful deliver‐
6820 ies. See default_delivery_status_filter for details.
6821
6822 NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6823 sages that may or may not be derived from remote SMTP server responses.
6824 In contrast, the smtp_reply_filter feature modifies remote SMTP server
6825 responses only.
6826
smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)
6829 The maximal number of parallel deliveries to the same destination via
6830 the smtp message delivery transport. This limit is enforced by the
6831 queue manager. The message delivery transport name is the first field
6832 in the entry in the master.cf file.
6833
smtp_destination_recipient_limit (default: $default_destination_recipient_limit)
6836 The maximal number of recipients per message for the smtp message de‐
6837 livery transport. This limit is enforced by the queue manager. The mes‐
6838 sage delivery transport name is the first field in the entry in the
6839 master.cf file.
6840
6841 Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6842 tination_concurrency_limit from concurrency per domain into concurrency
6843 per recipient.
6844
6846 Lookup tables, indexed by the remote SMTP server address, with case in‐
6847 sensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
6848 that the Postfix SMTP client will ignore in the EHLO response from a
6849 remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6850 ble is not indexed by hostname for consistency with smtpd_dis‐
6851 card_ehlo_keyword_address_maps.
6852
6853 Specify zero or more "type:name" lookup tables, separated by whitespace
6854 or comma. Tables will be searched in the specified order until a match
6855 is found.
6856
6857 This feature is available in Postfix 2.2 and later.
6858
6860 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
6861 etc.) that the Postfix SMTP client will ignore in the EHLO response
6862 from a remote SMTP server.
6863
6864 This feature is available in Postfix 2.2 and later.
6865
6866 Notes:
6867
6868 • Specify the silent-discard pseudo keyword to prevent this action
6869 from being logged.
6870
6871 • Use the smtp_discard_ehlo_keyword_address_maps feature to dis‐
6872 card EHLO keywords selectively.
6873
6875 Optional filter for Postfix SMTP client DNS lookup results. Specify
6876 zero or more lookup tables. The lookup tables are searched in the
6877 given order for a match with the DNS lookup result, converted to the
6878 following form:
6879
6880 name ttl class type preference value
6881
6882 The class field is always "IN", the preference field exists only for MX
6883 records, the names of hosts, domains, etc. end in ".", and those names
6884 are in ASCII form (xn--mumble form in the case of UTF8 names).
6885
6886 When a match is found, the table lookup result specifies an action. By
6887 default, the table query and the action name are case-insensitive.
6888 Currently, only the IGNORE action is implemented.
6889
6890 Notes:
6891
6892 • Postfix DNS reply filters have no effect on implicit DNS lookups
6893 through nsswitch.conf or equivalent mechanisms.
6894
6895 • The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and
6896 lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
6897 service (record types MX, A, AAAA, and TLSA). These lookups are
6898 also made to implement the features reject_unverified_sender and
6899 reject_unverified_recipient.
6900
6901 • The Postfix SMTP/LMTP client defers mail delivery when a filter
6902 removes all lookup results from a successful query.
6903
6904 • Postfix SMTP server uses smtpd_dns_reply_filter only to look up
6905 MX, A, AAAA, and TXT records to implement the features re‐
6906 ject_unknown_helo_hostname, reject_unknown_sender_domain, re‐
6907 ject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.
6908
6909 • The Postfix SMTP server logs a warning or defers mail delivery
6910 when a filter removes all lookup results from a successful
6911 query.
6912
6913 Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6914 because Google sometimes hard-rejects mail from IPv6 clients with valid
6915 PTR etc. records.
6916
6917 /etc/postfix/main.cf:
6918 smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6919
6920 /etc/postfix/smtp_dns_reply_filter:
6921 # /domain ttl IN AAAA address/ action, all case-insensitive.
6922 # Note: the domain name ends in ".".
6923 /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6924
6925 This feature is available in Postfix 3.0 and later.
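To see what the filter actually matches, here is an added illustration that renders DNS records in the "name ttl class type preference value" form described above and applies a pcre:-style table to them, including the defer-when-everything-is-removed rule from the notes. This is example code written for this page, not Postfix's dns_reply_filter implementation: the regular expression is the one from the manual page example, while the DnsRecord type, the sample records and the table representation (a list of pattern/action pairs) are constructed.

```python
"""Illustration of smtp_dns_reply_filter matching (not Postfix code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Pattern, Tuple


def _fqdn(name: str) -> str:
    """Names in the filter form always end in "."."""
    return name if name.endswith(".") else name + "."


@dataclass(frozen=True)
class DnsRecord:
    name: str
    ttl: int
    rtype: str                         # "MX", "A", "AAAA", "TLSA", ...
    value: str
    preference: Optional[int] = None   # MX only

    def filter_form(self) -> str:
        """Render as "name ttl IN type [preference] value"."""
        fields = [_fqdn(self.name), str(self.ttl), "IN", self.rtype]
        if self.rtype == "MX":
            fields += [str(self.preference), _fqdn(self.value)]
        else:
            fields.append(self.value)
        return " ".join(fields)


def compile_filter(table: List[Tuple[str, str]]) -> List[Tuple[Pattern, str]]:
    """Compile a pcre:-style table; queries and actions are case-insensitive."""
    compiled = []
    for pattern, action in table:
        if action.upper() != "IGNORE":
            raise ValueError("only the IGNORE action is implemented: %r" % action)
        compiled.append((re.compile(pattern, re.IGNORECASE), "IGNORE"))
    return compiled


def filter_dns_reply(records: List[DnsRecord],
                     compiled: List[Tuple[Pattern, str]]) -> Tuple[List[DnsRecord], bool]:
    """Apply the filter. Returns (kept records, defer).

    defer is True when a successful (non-empty) query loses all of its
    results, which is when the SMTP client defers delivery.
    """
    kept = []
    for rec in records:
        line = rec.filter_form()
        if any(rx.search(line) for rx, _action in compiled):
            continue  # first matching rule wins; its action is IGNORE
        kept.append(rec)
    return kept, bool(records) and not kept


# The pattern from the manual page, as it would appear in the pcre: table.
SMTP_DNS_REPLY_FILTER = [(r"^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+", "IGNORE")]

# Constructed sample reply (documentation addresses, not real lookups).
SAMPLE_REPLY = [
    DnsRecord("alt1.gmail-smtp-in.l.google.com", 300, "AAAA", "2001:db8::25"),
    DnsRecord("alt1.gmail-smtp-in.l.google.com", 300, "A", "192.0.2.25"),
    DnsRecord("mx.example.org", 300, "AAAA", "2001:db8::26"),
]

if __name__ == "__main__":
    kept, defer = filter_dns_reply(SAMPLE_REPLY, compile_filter(SMTP_DNS_REPLY_FILTER))
    for rec in kept:
        print("kept:", rec.filter_form())
    print("defer:", defer)
```

Only the google.com AAAA record is dropped; the A record for the same host and the AAAA record for the other domain survive. A reply consisting solely of google.com AAAA records would come back empty and, per the notes above, cause the delivery to be deferred rather than bounced.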
6926
6928 DNS Resolver options for the Postfix SMTP client. Specify zero or more
6929 of the following options, separated by comma or whitespace. Option
6930 names are case-sensitive. Some options refer to domain names that are
6931 specified in the file /etc/resolv.conf or equivalent.
6932
6933 res_defnames
6934 Append the current domain name to single-component names (those
6935 that do not contain a "." character). This can produce incorrect
6936 results, and is the hard-coded behavior prior to Postfix 2.8.
6937
6938 res_dnsrch
6939 Search for host names in the current domain and in parent do‐
6940 mains. This can produce incorrect results and is therefore not
6941 recommended.
6942
6943 This feature is available in Postfix 2.8 and later.
6944
6946 Level of DNS support in the Postfix SMTP client. With "smtp_dns_sup‐
6947 port_level" left at its empty default value, the legacy "dis‐
6948 able_dns_lookups" parameter controls whether DNS is enabled in the
6949 Postfix SMTP client, otherwise the legacy parameter is ignored.
6950
6951 Specify one of the following:
6952
6953 disabled
6954 Disable DNS lookups. No MX lookups are performed and hostname
6955 to address lookups are unconditionally "native". This setting
6956 is not appropriate for hosts that deliver mail to the public In‐
6957 ternet. Some obsolete how-to documents recommend disabling DNS
6958 lookups in some configurations with content_filters. This is no
6959 longer required and strongly discouraged.
6960
6961 enabled
6962 Enable DNS lookups. Nexthop destination domains not enclosed in
6963 "[]" will be subject to MX lookups. If "dns" and "native" are
6964 included in the "smtp_host_lookup" parameter value, DNS will be
6965 queried first to resolve MX-host A records, followed by "native"
6966 lookups if no answer is found in DNS.
6967
6968 dnssec Enable DNSSEC lookups. The "dnssec" setting differs from the
6969 "enabled" setting above in the following ways:
6970
6971 • Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to re‐
6972 quest DNSSEC-validated responses. If the MX response is
6973 DNSSEC-validated the corresponding hostnames are considered val‐
6974 idated.
6975
6976 • The address lookups of validated hostnames are also validated,
6977 (provided of course "smtp_host_lookup" includes "dns", see be‐
6978 low).
6979
6980 • Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6981 tion block any "native" lookups. Additional "native" lookups
6982 only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6983
6984 The Postfix SMTP client considers non-MX "[nexthop]" and "[nex‐
6985 thop]:port" destinations equivalent to statically-validated MX records
6986 of the form "nexthop. IN MX 0 nexthop." Therefore, with "dnssec" sup‐
6987 port turned on, validated hostname-to-address lookups apply to the nex‐
6988 thop domain of any "[nexthop]" or "[nexthop]:port" destination. This
6989 is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6990 LMTP hostnames are never subject to MX lookups.
6991
6992 The "dnssec" setting is recommended only if you plan to use the dane or
6993 dane-only TLS security level, otherwise enabling DNSSEC support in
6994 Postfix offers no additional security. Postfix DNSSEC support relies
6995 on an upstream recursive nameserver that validates DNSSEC signatures.
6996 Such a DNS server will always filter out forged DNS responses, even
6997 when Postfix itself is not configured to use DNSSEC.
6998
6999 When using Postfix DANE support the "smtp_host_lookup" parameter should
7000 include "dns", as DANE is not applicable to hosts resolved via "native"
7001 lookups.
7002
As mentioned above, Postfix is not a validating stub resolver; it relies
on the system's configured DNSSEC-validating recursive nameserver to
perform all DNSSEC validation. Since this nameserver's DNSSEC-validated
responses will be fully trusted, it is strongly recommended that the MTA
host have a local DNSSEC-validating recursive caching nameserver
listening on a loopback address, and be configured to use only this
nameserver for all lookups. Otherwise, Postfix may remain subject to
man-in-the-middle attacks that forge responses from the recursive
nameserver.
7012
7013 DNSSEC support requires a version of Postfix compiled against a reason‐
7014 ably-modern DNS resolver(3) library that implements the RES_USE_DNSSEC
7015 and RES_USE_EDNS0 resolver options.
7016
7017 This feature is available in Postfix 2.11 and later.
7018
7020 Enforcement mode: require that remote SMTP servers use TLS encryption,
7021 and never send mail in the clear. This also requires that the remote
7022 SMTP server hostname matches the information in the remote server cer‐
7023 tificate, and that the remote SMTP server certificate was issued by a
7024 CA that is trusted by the Postfix SMTP client. If the certificate
7025 doesn't verify or the hostname doesn't match, delivery is deferred and
7026 mail stays in the queue.
7027
7028 The server hostname is matched against all names provided as dNSNames
7029 in the SubjectAlternativeName. If no dNSNames are specified, the Com‐
7030 monName is checked. The behavior may be changed with the smtp_tls_en‐
7031 force_peername option.
7032
7033 This option is useful only if you are definitely sure that you will
7034 only connect to servers that support RFC 2487 _and_ that provide valid
7035 server certificates. Typical use is for clients that send all their
7036 email to a dedicated mailhub.
7037
7038 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7039 and later use smtp_tls_security_level instead.
7040
Optional list of relay destinations that will be used when an SMTP destination is not found, or when delivery fails due to a non-permanent error. With Postfix 2.2 and earlier this parameter is called fallback_relay.

By default, smtp_fallback_relay is empty, mail is returned to the sender when a destination is not found, and delivery is deferred after it fails due to a non-permanent error.

With bulk email deliveries, it can be beneficial to run the fallback relay MTA on the same host, so that it can reuse the sender IP address. This speeds up deliveries that are delayed by IP-based reputation systems (greylist, etc.).

The fallback relays must be SMTP destinations. Specify a domain, host, host:port, [host]:port, [address] or [address]:port; the form [host] turns off MX lookups. If you specify multiple SMTP destinations, Postfix will try them in the specified order.

To prevent mailer loops between MX hosts and fall-back hosts, Postfix version 2.2 and later will not use the fallback relays for destinations that it is MX host for (assuming DNS lookup is turned on).

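The destination syntax above (domain, host, host:port, [host]:port, [address], [address]:port, with brackets turning off MX lookups) is easy to get wrong in a list that a fallback relay setting or a transport table will consume. The following Python parser is an added example, not Postfix code: it accepts exactly the forms listed in the text, records whether MX lookups apply and which port was requested, and rejects a bare IP address because only the bracketed address forms are documented. The [ipv6:...] spelling of an IPv6 literal and all sample destinations are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Postfix code: a parser for the next-hop destination
# forms listed above (domain, host, host:port, [host]:port, [address],
# [address]:port). Brackets turn off MX lookups; an IPv6 literal is
# assumed to be written as [ipv6:...].

@dataclass(frozen=True)
class Destination:
    name: str             # hostname, domain or address literal
    port: Optional[str]   # None means "use the smtp_tcp_port default"
    mx_lookup: bool       # False when the name was written in [brackets]
    is_address: bool      # True when the name is an IP literal

_BRACKETED = re.compile(r"^\[([^\]\s]+)\](?::([A-Za-z0-9._-]+))?$")
_PLAIN = re.compile(r"^([^\[\]:\s]+)(?::([A-Za-z0-9._-]+))?$")

def _is_ip_literal(name: str) -> bool:
    candidate = name[5:] if name.lower().startswith("ipv6:") else name
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return False
    return True

def parse_destination(text: str) -> Destination:
    """Parse one destination; raises ValueError for forms not listed on the page."""
    text = text.strip()
    m = _BRACKETED.match(text)
    bracketed = m is not None
    if m is None:
        m = _PLAIN.match(text)
    if m is None:
        raise ValueError(f"malformed SMTP destination: {text!r}")
    name, port = m.group(1), m.group(2)
    is_addr = _is_ip_literal(name)
    # The documented address forms are [address] and [address]:port only;
    # this parser rejects a bare address instead of guessing what was meant.
    if is_addr and not bracketed:
        raise ValueError(f"write IP addresses in brackets: [{name}]")
    return Destination(name, port, not bracketed, is_addr)

def parse_destination_list(value: str) -> List[Destination]:
    """Split a main.cf list (whitespace and/or commas); the order is the order Postfix tries them."""
    return [parse_destination(t) for t in re.split(r"[\s,]+", value.strip()) if t]

def is_valid_destination(text: str) -> bool:
    try:
        parse_destination(text)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    # Constructed sample list: a bracketed mailhub on a non-default port, then an MX fallback.
    for d in parse_destination_list("[mailhub.example.com]:2525, backup.example.com"):
        print(d)
```

A useful place for this check is a pre-deployment lint of main.cf: the parser flags a bare address that would otherwise be handed to DNS as a hostname, and exposes the mx_lookup flag so that a reviewer can see which entries bypass MX resolution.
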
Optional lookup tables that perform address rewriting in the Postfix SMTP client, typically to transform a locally valid address into a globally valid address when sending mail across the Internet. This is needed when the local machine does not have its own Internet domain name, but uses something like localdomain.local instead.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found.

The table format and lookups are documented in generic(5); examples are shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README documents.

This feature is available in Postfix 2.2 and later.

Restricted header_checks(5) tables for the Postfix SMTP client. These tables are searched while mail is being delivered. Actions that change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

The hostname to send in the SMTP HELO or EHLO command.

The default value is the machine hostname. Specify a hostname or [ip.add.re.ss].

This information can be specified in the main.cf file for all SMTP clients, or it can be specified in the master.cf file for a specific client, for example:

    /etc/postfix/master.cf:
        mysmtp ... smtp -o smtp_helo_name=foo.bar.com

This feature is available in Postfix 2.0 and later.

The Postfix SMTP client time limit for sending the HELO or EHLO command, and for receiving the initial remote SMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

What mechanisms the Postfix SMTP client uses to look up a host's IP address. This parameter is ignored when DNS lookups are disabled (see: disable_dns_lookups and smtp_dns_support_level). The "dns" mechanism is always tried before "native" if both are listed.

Specify one of the following:

    dns     Hosts can be found in the DNS (preferred).

    native  Use the native naming service only (nsswitch.conf, or equivalent mechanism).

    dns, native
            Use the native service for hosts not found in the DNS.

This feature is available in Postfix 2.1 and later.

The maximal length of message header and body lines that Postfix will send via SMTP. This limit does not include the <CR><LF> at the end of each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to minimize the damage to MIME formatted mail. Specify zero to disable this limit.

The Postfix limit of 998 characters not including <CR><LF> is consistent with the SMTP limit of 1000 characters including <CR><LF>. The Postfix limit was 990 with Postfix 2.8 and earlier.

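To make the line-length rule concrete, here is an added Python example (not Postfix code) that folds over-long lines as the paragraph describes: the limit counts bytes before the trailing <CR><LF>, zero disables folding, and a break inserts "<CR><LF><SPACE>". Exactly where the break lands is this example's choice: the continuation's leading SPACE is counted against the limit so that no physical line ever exceeds it. The sample message is constructed.

```python
# Added example, not Postfix code: fold over-long lines the way the
# smtp_line_length_limit text describes. The limit counts bytes before the
# trailing <CR><LF>; the break inserts "<CR><LF><SPACE>". Our choice: the
# continuation's leading SPACE counts against the limit, so no physical
# line exceeds it.

CRLF = b"\r\n"

def fold_line(line: bytes, limit: int = 998) -> bytes:
    """Fold one logical line (given without its CRLF). limit == 0 disables folding."""
    if limit <= 0 or len(line) <= limit:
        return line
    if limit < 2:
        raise ValueError("limit must leave room for the folding SPACE")
    parts = [line[:limit]]
    rest = line[limit:]
    while rest:
        parts.append(b" " + rest[: limit - 1])
        rest = rest[limit - 1:]
    return CRLF.join(parts)

def fold_message(raw: bytes, limit: int = 998) -> bytes:
    """Apply fold_line to every CRLF-terminated line of a message."""
    return CRLF.join(fold_line(line, limit) for line in raw.split(CRLF))

def longest_physical_line(raw: bytes) -> int:
    return max(len(line) for line in raw.split(CRLF))

# Constructed sample: a 1500-byte header value that exceeds the 998-byte
# limit, followed by an ordinary body line.
SAMPLE = b"Subject: " + b"A" * 1500 + CRLF + b"Body line" + CRLF

if __name__ == "__main__":
    folded = fold_message(SAMPLE)
    print(longest_physical_line(SAMPLE), "->", longest_physical_line(folded))
```

Because the inserted sequence is a standard header-folding whitespace (CRLF followed by SPACE), a receiving MIME parser that unfolds headers recovers the original value; in a message body the extra line break is visible, which is why the text calls it damage minimization rather than transparency.
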
The Postfix SMTP client time limit for sending the MAIL FROM command, and for receiving the remote SMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

Restricted mime_header_checks(5) tables for the Postfix SMTP client. These tables are searched while mail is being delivered. Actions that change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with smtp_per_request_deadline. After a write operation transfers N plaintext message bytes (possibly after TLS encryption), and after the DATA request deadline is decremented by the elapsed time of that write operation, the DATA request deadline is incremented by N/smtp_min_data_rate seconds. However, the deadline will never be incremented beyond the time limit specified with smtp_data_xfer_timeout.

This feature is available in Postfix 3.7 and later.

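Two things on this page reward a worked example: the time-value syntax shared by every smtp_*_timeout, smtp_*_time and cache-time parameter (an integer plus an optional s/m/h/d/w suffix, with a per-parameter default unit and a non-zero or non-negative requirement), and the deadline arithmetic just described for smtp_min_data_rate. The Python below is an added example, not Postfix code. Its one assumption beyond the text is that the DATA deadline starts out at the full smtp_data_xfer_timeout; all parameter values in it are constructed.

```python
import re

# Added example, not Postfix code: parse the shared time-value syntax, then
# simulate the DATA-phase deadline arithmetic described for
# smtp_min_data_rate. Assumption: the deadline starts at the full
# smtp_data_xfer_timeout. Parameter values below are constructed.

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_TIME = re.compile(r"^\s*(\d+)\s*([smhdw])?\s*$")

def parse_time(value: str, default_unit: str = "s", allow_zero: bool = False) -> int:
    """Return the value in seconds. Zero is rejected unless the parameter is
    documented as non-negative (e.g. smtp_pix_workaround_threshold_time)."""
    m = _TIME.match(value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    seconds = int(m.group(1)) * _UNITS[m.group(2) or default_unit]
    if seconds == 0 and not allow_zero:
        raise ValueError("a non-zero time value is required")
    return seconds

def is_valid_time(value: str, **kw) -> bool:
    try:
        parse_time(value, **kw)
    except ValueError:
        return False
    return True

class DataDeadline:
    """Per-request deadline bookkeeping for the DATA phase.

    After a write of n plaintext bytes that took `elapsed` seconds:
        deadline -= elapsed
        deadline = min(deadline + n / min_data_rate, data_xfer_timeout)
    A peer trickling one byte at a time therefore cannot hold the session
    open indefinitely: each byte earns only 1/min_data_rate seconds."""

    def __init__(self, data_xfer_timeout: int, min_data_rate: int):
        if min_data_rate <= 0:
            raise ValueError("smtp_min_data_rate must be positive")
        self.limit = float(data_xfer_timeout)
        self.rate = float(min_data_rate)
        self.remaining = self.limit      # assumption: starts at the full limit

    def account_write(self, n_bytes: int, elapsed: float) -> float:
        self.remaining -= elapsed
        self.remaining = min(self.limit, self.remaining + n_bytes / self.rate)
        return self.remaining

    @property
    def expired(self) -> bool:
        return self.remaining <= 0

if __name__ == "__main__":
    d = DataDeadline(parse_time("180s"), 500)
    print(d.account_write(4096, 2.0))   # fast peer: credit is capped at the 180 s limit
    print(d.account_write(1, 10.0))     # trickling peer: the deadline drains
```

The simulation shows why the cap matters: a burst of fast writes cannot bank unlimited time for a later stall, while a peer that sends one byte every ten seconds against a 500 byte/s minimum runs out of deadline after nineteen writes instead of holding a delivery agent for as long as it likes.
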
The maximal number of MX (mail exchanger) IP addresses that can result from Postfix SMTP client mail exchanger lookups, or zero (no limit). Prior to Postfix version 2.3, this limit was disabled by default.

This feature is available in Postfix 2.1 and later.

The maximal number of SMTP sessions per delivery request before the Postfix SMTP client gives up or delivers to a fall-back relay host, or zero (no limit). This restriction ignores sessions that fail to complete the SMTP initial handshake (Postfix version 2.2 and earlier) or that fail to complete the EHLO and TLS handshake (Postfix version 2.3 and later).

This feature is available in Postfix 2.1 and later.

Restricted nested_header_checks(5) tables for the Postfix SMTP client. These tables are searched while mail is being delivered. Actions that change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

Never send EHLO at the start of an SMTP session. See also the smtp_always_send_ehlo parameter.

Change the behavior of the smtp_*_timeout time limits, from a time limit per read or write system call, to a time limit to send or receive a complete record (an SMTP command line, SMTP response line, SMTP message content line, or TLS protocol message). This limits the impact from hostile peers that trickle data one byte at a time.

Note: when per-record deadlines are enabled, a short timeout may cause problems with TLS over very slow network connections. The reasons are that a TLS protocol message can be up to 16 kbytes long (with TLSv1), and that an entire TLS protocol message must be sent or received within the per-record deadline.

This feature is available in Postfix 2.9-3.6. With older Postfix releases, the behavior is as if this parameter is set to "no". Postfix 3.7 and later use smtp_per_request_deadline.

Change the behavior of the smtp_*_timeout time limits, from a time limit per plaintext or TLS read or write call, to a combined time limit for sending a complete SMTP request and for receiving a complete SMTP response. The deadline limits only the time spent waiting for plaintext or TLS read or write calls, not time spent elsewhere. The per-request deadline limits the impact from hostile peers that trickle data one byte at a time.

See smtp_min_data_rate for how the per-request deadline is managed during the DATA phase.

Note: when per-request deadlines are enabled, a short time limit may cause problems with TLS over very slow network connections. The reason is that a TLS protocol message can be up to 16 kbytes long (with TLSv1), and that an entire TLS protocol message must be transferred within the per-request deadline.

This feature is available in Postfix 3.7 and later. A weaker feature, called smtp_per_record_deadline, is available with Postfix 2.9-3.6.

How long the Postfix SMTP client pauses before sending ".<CR><LF>" in order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.

Choosing too short a time makes this workaround ineffective when sending large messages over slow network connections.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

Lookup tables, indexed by the remote SMTP server address, with per-destination workarounds for CISCO PIX firewall bugs. The table is not indexed by hostname for consistency with smtp_discard_ehlo_keyword_address_maps.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found.

This feature is available in Postfix 2.4 and later.

How long a message must be queued before the Postfix SMTP client turns on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery through firewalls with "smtp fixup" mode turned on.

Specify a non-negative time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

By default, the workaround is turned off for mail that is queued for less than 500 seconds. In other words, the workaround is normally turned off for the first delivery attempt.

Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround upon the first delivery attempt.

A list that specifies zero or more workarounds for CISCO PIX firewall bugs. These workarounds are implemented by the Postfix SMTP client. Workaround names are separated by comma or space, and are case insensitive. This parameter setting can be overruled with per-destination smtp_pix_workaround_maps settings.

    delay_dotcrlf
            Insert a delay before sending ".<CR><LF>" after the end of the message content. The delay is subject to the smtp_pix_workaround_delay_time and smtp_pix_workaround_threshold_time parameter settings.

    disable_esmtp
            Disable all extended SMTP commands: send HELO instead of EHLO.

This feature is available in Postfix 2.4 and later. The default settings are backwards compatible with earlier Postfix versions.

The Postfix SMTP client time limit for sending the QUIT command, and for receiving the remote SMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands as required by RFC 5321. This includes putting quotes around an address localpart that ends in ".".

The default is to comply with RFC 5321. If you have to send mail to a broken SMTP server, configure a special SMTP client in master.cf:

    /etc/postfix/master.cf:
        broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no

and route mail for the destination in question to the "broken-smtp" message delivery with a transport(5) table.

This feature is available in Postfix 2.1 and later.

Randomize the order of equal-preference MX host addresses. This is a performance feature of the Postfix SMTP client.

The Postfix SMTP client time limit for sending the SMTP RCPT TO command, and for receiving the remote SMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

A mechanism to transform replies from remote SMTP servers one line at a time. This is a last-resort tool to work around server replies that break interoperability with the Postfix SMTP client. Other uses involve fault injection to test Postfix's handling of invalid responses.

Notes:

    • In the case of a multi-line reply, the Postfix SMTP client uses the final reply line's numerical SMTP reply code and enhanced status code.

    • The numerical SMTP reply code (XYZ) takes precedence over the enhanced status code (X.Y.Z). When the enhanced status code initial digit differs from the SMTP reply code initial digit, or when no enhanced status code is present, the Postfix SMTP client uses a generic enhanced status code (X.0.0) instead.

Specify the name of a "type:table" lookup table. The search string is a single SMTP reply line as received from the remote SMTP server, except that the trailing <CR><LF> are removed. When the lookup succeeds, the result replaces the single SMTP reply line.

Examples:

    /etc/postfix/main.cf:
        smtp_reply_filter = pcre:/etc/postfix/reply_filter

    /etc/postfix/reply_filter:
        # Transform garbage into "250-filler..." so that it looks like
        # one line from a multi-line reply. It does not matter what we
        # substitute here as long as it has the right syntax. The Postfix
        # SMTP client will use the final line's numerical SMTP reply
        # code and enhanced status code.
        !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage

This feature is available in Postfix 2.7.

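The reply filter and the two Notes above interact, so here is an added Python example (not Postfix code) that applies the page's pcre rule to constructed reply lines and then derives the reply code and enhanced status code the way the Notes describe: the final line of a multi-line reply decides, and an enhanced status code whose first digit disagrees with the reply code, or that is missing, becomes the generic X.0.0. The sample reply and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Added example, not Postfix code: apply the smtp_reply_filter rule from
# the man page example to constructed reply lines, then derive the status
# the way the Notes describe (final line wins; mismatched or missing
# enhanced status code becomes X.0.0).

# The pcre table entry from the page: a line that does NOT start with a
# three-digit code followed by "-", " " or end-of-line is replaced.
_VALID_REPLY = re.compile(r"^([2-5][0-9][0-9]($|[- ]))")
_FILLER = "250-filler for garbage"
_ENHANCED = re.compile(r"^[2-5][0-9][0-9][- ]([245]\.\d{1,3}\.\d{1,3})(?=\s|$)")

def filter_reply_line(line: str) -> str:
    """Look up one reply line the way the filter table would; CRLF is stripped first."""
    line = line.rstrip("\r\n")
    return line if _VALID_REPLY.match(line) else _FILLER

def effective_status(reply_lines: List[str]) -> Tuple[str, str]:
    """(reply_code, enhanced_status) for an already-filtered multi-line reply."""
    last = reply_lines[-1]
    code = last[:3]
    m = _ENHANCED.match(last)
    enhanced = m.group(1) if m else None
    # The numeric reply code takes precedence over the enhanced status code.
    if enhanced is None or enhanced[0] != code[0]:
        enhanced = f"{code[0]}.0.0"
    return code, enhanced

def process_reply(raw_lines: List[str]) -> Tuple[List[str], str, str]:
    filtered = [filter_reply_line(line) for line in raw_lines]
    code, enhanced = effective_status(filtered)
    return filtered, code, enhanced

# Constructed sample: a server that injects a line with no reply code into
# an otherwise normal multi-line reply.
SAMPLE_REPLY = ["250-mail.example.net Hello\r\n",
                "garbage line with no code\r\n",
                "250 2.1.0 Ok\r\n"]

if __name__ == "__main__":
    print(process_reply(SAMPLE_REPLY))
```

Running the sample shows the filter turning the garbage line into a syntactically valid continuation line and the final "250 2.1.0 Ok" line determining the outcome; a reply ending in "550 4.1.1 ..." instead yields ("550", "5.0.0"), because the enhanced code's leading 4 disagrees with the 5xx reply code.
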
The Postfix SMTP client time limit for sending the RSET command, and for receiving the remote SMTP server response. The SMTP client sends RSET in order to finish a recipient address probe, or to verify that a cached session is still usable.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

An optional table to prevent repeated SASL authentication failures with the same remote SMTP server hostname, username and password. Each table (key, value) pair contains a server name, a username and password, and the full server response. This information is stored when a remote SMTP server rejects an authentication attempt with a 535 reply code. As long as the smtp_sasl_password_maps information does not change, and as long as the smtp_sasl_auth_cache_name information does not expire (see smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL authentication attempts with the same server, username and password, and instead bounces or defers mail as controlled with the smtp_sasl_auth_soft_bounce configuration parameter.

Use a per-destination delivery concurrency of 1 (for example, "smtp_destination_concurrency_limit = 1", "relay_destination_concurrency_limit = 1", etc.), otherwise multiple delivery agents may experience a login failure at the same time.

The table must be accessed via the proxywrite service, i.e. the map name must start with "proxy:". The table should be stored under the directory specified with the data_directory parameter.

This feature uses cryptographic hashing to protect plain-text passwords, and requires that Postfix is compiled with TLS support.

Example:

    smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache

This feature is available in Postfix 2.5 and later.

The maximal age of an smtp_sasl_auth_cache_name entry before it is removed.

Specify a non-negative time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

This feature is available in Postfix 2.5 and later.

Enable SASL authentication in the Postfix SMTP client. By default, the Postfix SMTP client uses no authentication.

Example:

    smtp_sasl_auth_enable = yes

When a remote SMTP server rejects a SASL authentication request with a 535 reply code, defer mail delivery instead of returning mail as undeliverable. The latter behavior was hard-coded prior to Postfix version 2.5.

Note: the setting "yes" overrides the global soft_bounce parameter, but the setting "no" does not.

Example:

    # Default as of Postfix 2.5
    smtp_sasl_auth_soft_bounce = yes
    # The old hard-coded default
    smtp_sasl_auth_soft_bounce = no

This feature is available in Postfix 2.5 and later.

If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. Different client and server implementations may support different mechanism lists; by default, the Postfix SMTP client will use the intersection of the two. smtp_sasl_mechanism_filter specifies an optional third mechanism list to intersect with.

Specify mechanism names, "/file/name" patterns or "type:table" lookup tables. The right-hand side result from "type:table" lookups is ignored. Specify "!pattern" to exclude a mechanism name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

Examples:

    smtp_sasl_mechanism_filter = plain, login
    smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    smtp_sasl_mechanism_filter = !gssapi, !login, static:rest

Optional Postfix SMTP client lookup tables with one username:password entry per sender, remote hostname or next-hop domain. Per-sender lookup is done only when sender-dependent authentication is enabled. If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host.

The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found.

Implementation-specific information that the Postfix SMTP client passes through to the SASL plug-in implementation that is selected with smtp_sasl_type. Typically this specifies the name of a configuration file or rendezvous point.

This feature is available in Postfix 2.3 and later.

Postfix SMTP client SASL security options; as of Postfix 2.3 the list of available features depends on the SASL client implementation that is selected with smtp_sasl_type.

The following security features are defined for the cyrus client SASL implementation:

Specify zero or more of the following:

    noplaintext
            Disallow methods that use plaintext passwords.

    noactive
            Disallow methods subject to active (non-dictionary) attack.

    nodictionary
            Disallow methods subject to passive (dictionary) attack.

    noanonymous
            Disallow methods that allow anonymous authentication.

    mutual_auth
            Only allow methods that provide mutual authentication (not available with SASL version 1).

Example:

    smtp_sasl_security_options = noplaintext

The SASL authentication security options that the Postfix SMTP client uses for TLS encrypted SMTP sessions.

This feature is available in Postfix 2.2 and later.

The SASL authentication security options that the Postfix SMTP client uses for TLS encrypted SMTP sessions with a verified server certificate.

When mail is sent to the public MX host for the recipient's domain, server certificates are by default optional, and delivery proceeds even if certificate verification fails. For delivery via a submission service that requires SASL authentication, it may be appropriate to send plaintext passwords only when the connection to the server is strongly encrypted and the server identity is verified.

The smtp_sasl_tls_verified_security_options parameter makes it possible to only enable plaintext mechanisms when a secure connection to the server is available. Submission servers subject to this policy must either have verifiable certificates or offer suitable non-plaintext SASL mechanisms.

This feature is available in Postfix 2.6 and later.

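The mechanism filter described earlier and the three TLS-state-dependent option sets (smtp_sasl_security_options, smtp_sasl_tls_security_options and smtp_sasl_tls_verified_security_options) together decide which mechanism the client will actually use. The Python below is an added example, not Postfix's SASL code: it intersects the server list, the client list and a filter string using the first-match semantics implied by the page's "!gssapi, !login, static:rest" example, then drops mechanisms that violate the option set chosen for the session's TLS state. The mechanism property table is a simplification of this example (PLAIN and LOGIN are the plaintext mechanisms), and the mechanism lists and policy values are constructed.

```python
from typing import Iterable, List, Set

# Added example, not Postfix's SASL code: three-way mechanism intersection
# plus TLS-state-dependent security options, showing how plaintext
# mechanisms stay off connections whose server certificate is not verified.
# The property table is our simplification; lists and settings are constructed.

# Cyrus security options each mechanism would violate (simplified):
_VIOLATES = {
    "PLAIN":      {"noplaintext"},
    "LOGIN":      {"noplaintext"},
    "CRAM-MD5":   {"nodictionary"},   # challenge/response, offline-guessable
    "DIGEST-MD5": {"nodictionary"},
    "ANONYMOUS":  {"noanonymous"},
    "GSSAPI":     set(),
}

def _split_list(value: str) -> List[str]:
    return [t for t in value.replace(",", " ").split() if t]

def _filter_allows(mech: str, tokens: List[str]) -> bool:
    """First matching filter entry decides; "!name" excludes. No match means
    excluded, which is why the page's example ends with a catch-all
    static:rest (a static: table matches any key)."""
    for tok in tokens:
        negate = tok.startswith("!")
        pat = tok[1:] if negate else tok
        if pat.lower().startswith("static:") or pat.upper() == mech:
            return not negate
    return False

def apply_mechanism_filter(server_offered: Iterable[str], client_supported: Iterable[str],
                           mechanism_filter: str = "") -> List[str]:
    """Intersect the three lists, keeping the server's order. Only literal names,
    !name and static: entries are handled; /file/name and other type:table forms are not."""
    supported = {m.upper() for m in client_supported}
    tokens = _split_list(mechanism_filter)
    out = []
    for mech in (m.upper() for m in server_offered):
        if mech not in supported:
            continue
        if tokens and not _filter_allows(mech, tokens):
            continue
        out.append(mech)
    return out

def security_options_for(tls_state: str, plain_opts: str, tls_opts: str, verified_opts: str) -> Set[str]:
    """Pick the option set for the session: 'none' (no TLS), 'encrypted'
    (TLS, certificate not verified) or 'verified' (TLS, certificate verified)."""
    chosen = {"none": plain_opts, "encrypted": tls_opts, "verified": verified_opts}[tls_state]
    return set(_split_list(chosen))

def usable_mechanisms(server_offered, client_supported, mechanism_filter, options: Set[str]) -> List[str]:
    """Drop every mechanism that violates an active security option. A mechanism
    missing from the property table is dropped whenever any option is active."""
    result = []
    for mech in apply_mechanism_filter(server_offered, client_supported, mechanism_filter):
        violates = _VIOLATES.get(mech)
        if violates is None and options:
            continue
        if violates and (violates & options):
            continue
        result.append(mech)
    return result

# Constructed sample: what a submission server offers and what our client supports.
SERVER = ["PLAIN", "LOGIN", "CRAM-MD5", "GSSAPI"]
CLIENT = ["plain", "login", "cram-md5"]
# Constructed policy: plaintext only over a verified TLS session.
POLICY = ("noplaintext, noanonymous", "noplaintext, noanonymous", "noanonymous")

if __name__ == "__main__":
    for state in ("none", "encrypted", "verified"):
        print(state, usable_mechanisms(SERVER, CLIENT, "", security_options_for(state, *POLICY)))
```

With the constructed policy, an unencrypted or unverified session is left with CRAM-MD5 only, and PLAIN and LOGIN become available once the server certificate verifies; a server that offers nothing but plaintext mechanisms and has no verifiable certificate therefore gets no authentication attempt, which is the failure mode the text asks operators to plan for.
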
The SASL plug-in type that the Postfix SMTP client should use for authentication. The available types are listed with the "postconf -A" command.

This feature is available in Postfix 2.3 and later.

Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. The default is not to send this, to avoid problems with broken remote SMTP servers. Before Postfix 2.9 the behavior is as if "smtp_send_dummy_mail_auth = yes".

This feature is available in Postfix 2.9 and later.

Send the non-standard XFORWARD command when the Postfix SMTP server EHLO response announces XFORWARD support.

This allows a Postfix SMTP delivery agent, used for injecting mail into a content filter, to forward the name, address, protocol and HELO name of the original client to the content filter and downstream queuing SMTP server. This can produce more useful logging than localhost[127.0.0.1] etc.

This feature is available in Postfix 2.1 and later.

Enable sender-dependent authentication in the Postfix SMTP client; this is available only with SASL authentication, and disables SMTP connection caching to ensure that mail from different senders will use the appropriate credentials.

This feature is available in Postfix 2.3 and later.

Skip SMTP servers that greet with a 4XX status code (go away, try again later).

By default, the Postfix SMTP client moves on to the next mail exchanger. Specify "smtp_skip_4xx_greeting = no" if Postfix should defer delivery immediately.

This feature is available in Postfix 2.0 and earlier. Later Postfix versions always skip remote SMTP servers that greet with a 4XX status code.

Skip remote SMTP servers that greet with a 5XX status code.

By default, the Postfix SMTP client moves on to the next mail exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail immediately. Caution: the latter behavior appears to contradict RFC 2821.

Do not wait for the response to the SMTP QUIT command.

Time limit for Postfix SMTP client write and read operations during TLS startup and shutdown handshake procedures.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.2 and later.

The default TCP port that the Postfix SMTP client connects to. Specify a symbolic name (see services(5)) or a numeric port.

A file containing CA certificates of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates. These are loaded into memory before the smtp(8) client enters the chroot jail. If the number of trusted roots is large, consider using smtp_tls_CApath instead, but note that the latter directory must be present in the chroot jail if the smtp(8) client is chrooted. This file may also be used to augment the client certificate trust chain, but it is best to include all the required certificates directly in $smtp_tls_cert_file (or, Postfix >= 3.4 $smtp_tls_chain_files).

Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

Example:

    smtp_tls_CAfile = /etc/postfix/CAcert.pem

This feature is available in Postfix 2.2 and later.

Directory with PEM format Certification Authority certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. Don't forget to create the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".

To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.

Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY the system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

Example:

    smtp_tls_CApath = /etc/postfix/certs

This feature is available in Postfix 2.2 and later.

Try to detect a mail hijacking attack based on a TLS protocol vulnerability (CVE-2009-3555), where an attacker prepends malicious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. The attack would succeed with non-Postfix SMTP servers that reply to the malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix SMTP client TLS session.

This feature is available in Postfix 2.7.

File with the Postfix SMTP client RSA certificate in PEM format. This file may also contain the Postfix SMTP client private RSA key, and these may be the same as the Postfix SMTP server RSA certificate and key file. With Postfix >= 3.4 the preferred way to configure client keys and certificates is via the "smtp_tls_chain_files" parameter.

Do not configure client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them. The recommended setting is to let the defaults stand:

    smtp_tls_cert_file =
    smtp_tls_key_file =
    smtp_tls_eccert_file =
    smtp_tls_eckey_file =
    # Obsolete DSA parameters
    smtp_tls_dcert_file =
    smtp_tls_dkey_file =
    # Postfix >= 3.4 interface
    smtp_tls_chain_files =

The best way to use the default settings is to comment out the above parameters in main.cf if present.

To enable remote SMTP servers to verify the Postfix SMTP client certificate, the issuing CA certificates must be made available to the server. You should include the required certificates in the client certificate file, the client certificate first, then the issuing CA(s) (bottom-up order).

Example: the certificate for "client.example.com" was issued by "intermediate CA" which itself has a certificate issued by "root CA". As the "root" super-user create the chain.pem file with:

    # umask 077
    # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem

If you also want to verify remote SMTP server certificates issued by these CAs, you can add the CA certificates to the smtp_tls_CAfile, in which case it is not necessary to have them in the smtp_tls_cert_file, smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.

A certificate supplied here must be usable as an SSL client certificate and hence pass the "openssl verify -purpose sslclient ..." test.

Example:

    smtp_tls_cert_file = /etc/postfix/chain.pem

This feature is available in Postfix 2.2 and later.

7736 List of one or more PEM files, each holding one or more private keys
7737 directly followed by a corresponding certificate chain. The file names
7738 are separated by commas and/or whitespace. This parameter obsoletes
7739 the legacy algorithm-specific key and certificate file settings. When
7740 this parameter is non-empty, the legacy parameters are ignored, and a
7741 warning is logged if any are also non-empty.
7742
7743 With the proliferation of multiple private key algorithms-which, as of
7744 OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448-it
7745 is increasingly impractical to use separate parameters to configure the
7746 key and certificate chain for each algorithm. Therefore, Postfix now
7747 supports storing multiple keys and corresponding certificate chains in
7748 a single file or in a set of files.
7749
7750 Each key must appear immediately before the corresponding certificate,
7751 optionally followed by additional issuer certificates that complete the
7752 certificate chain for that key. When multiple files are specified,
7753 they are equivalent to a single file that is concatenated from those
7754 files in the given order. Thus, while a key must always precede its
7755 certificate and issuer chain, it can be in a separate file, so long as
7756 that file is listed immediately before the file that holds the corre‐
7757 sponding certificate chain. Once all the files are concatenated, the
7758 sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
7759 [chain2], ..., keyN, certN, [chainN].
7760
7761 Storing the private key in the same file as the corresponding certifi‐
7762 cate is more reliable. With the key and certificate in separate files,
7763 there is a chance that during key rollover a Postfix process might load
7764 a private key and certificate from separate files that don't match.
7765 Various operational errors may even result in a persistent broken con‐
7766 figuration in which the certificate does not match the private key.
7767
7768 The file or files must contain at most one key of each type. If, for
7769 example, two or more RSA keys and corresponding chains are listed, de‐
7770 pending on the version of OpenSSL either only the last one will be used
7771 or a configuration error may be detected. Note that while "Ed25519"
7772 and "Ed448" are considered separate algorithms, the various ECDSA
7773 curves (typically one of prime256v1, secp384r1 or secp521r1) are con‐
7774 sidered as different parameters of a single "ECDSA" algorithm, so it is
7775 not presently possible to configure keys for more than one ECDSA curve.
7776
7777 Example (separate files for each key and corresponding certificate
7778 chain):
7779
7780 /etc/postfix/main.cf:
7781 smtp_tls_chain_files =
7782 ${config_directory}/ed25519.pem,
7783 ${config_directory}/ed448.pem,
7784 ${config_directory}/rsa.pem
7785
7786 /etc/postfix/ed25519.pem:
7787 -----BEGIN PRIVATE KEY-----
7788 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7789 -----END PRIVATE KEY-----
7790 -----BEGIN CERTIFICATE-----
7791 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7792 ...
7793 nC0egv51YPDWxEHom4QA
7794 -----END CERTIFICATE-----
7795
7796 /etc/postfix/ed448.pem:
7797 -----BEGIN PRIVATE KEY-----
7798 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7799 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7800 -----END PRIVATE KEY-----
7801 -----BEGIN CERTIFICATE-----
7802 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7803 ...
7804 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7805 -----END CERTIFICATE-----
7806
7807 /etc/postfix/rsa.pem:
7808 -----BEGIN PRIVATE KEY-----
7809 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7810 ...
7811 ahQkZ3+krcaJvDSMgvu0tDc=
7812 -----END PRIVATE KEY-----
7813 -----BEGIN CERTIFICATE-----
7814 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7815 ...
7816 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7817 -----END CERTIFICATE-----
7818
7819 Example (all keys and certificates in a single file):
7820
7821 /etc/postfix/main.cf:
7822 smtp_tls_chain_files = ${config_directory}/chains.pem
7823
7824 /etc/postfix/chains.pem:
7825 -----BEGIN PRIVATE KEY-----
7826 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7827 -----END PRIVATE KEY-----
7828 -----BEGIN CERTIFICATE-----
7829 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7830 ...
7831 nC0egv51YPDWxEHom4QA
7832 -----END CERTIFICATE-----
7833 -----BEGIN PRIVATE KEY-----
7834 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7835 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7836 -----END PRIVATE KEY-----
7837 -----BEGIN CERTIFICATE-----
7838 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7839 ...
7840 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7841 -----END CERTIFICATE-----
7842 -----BEGIN PRIVATE KEY-----
7843 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7844 ...
7845 ahQkZ3+krcaJvDSMgvu0tDc=
7846 -----END PRIVATE KEY-----
7847 -----BEGIN CERTIFICATE-----
7848 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7849 ...
7850 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7851 -----END CERTIFICATE-----
7852
7853 This feature is available in Postfix 3.4 and later.

smtp_tls_cipherlist (default: empty)
Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
7857 list. As this feature applies to all TLS security levels, it is easy to
7858 create interoperability problems by choosing a non-default cipher list.
7859 Do not use a non-default TLS cipher list on hosts that deliver email to
7860 the public Internet: you will be unable to send email to servers that
7861 only support the ciphers you exclude. Using a restricted cipher list
7862 may be more appropriate for an internal MTA, where one can exert some
7863 control over the TLS software and settings of the peer servers.
7864
7865 Note: do not use "" quotes around the parameter value.
7866
7867 This feature is available in Postfix version 2.2. It is not used with
7868 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.

smtp_tls_ciphers (default: medium)
The minimum TLS cipher grade that the Postfix SMTP client will use with
7872 opportunistic TLS encryption. Cipher types listed in smtp_tls_ex‐
7873 clude_ciphers are excluded from the base definition of the selected ci‐
7874 pher grade. The default value is "medium" for Postfix releases after
7875 the middle of 2015, "export" for older releases.
7876
7877 When TLS is mandatory the cipher grade is chosen via the
7878 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
7879 tax details. See smtp_tls_policy_maps for information on how to config‐
7880 ure ciphers on a per-destination basis.
7881
7882 This feature is available in Postfix 2.6 and later. With earlier Post‐
7883 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
7884 mented, and opportunistic TLS always uses "export" or better (i.e. all)
7885 ciphers.

smtp_tls_connection_reuse (default: no)
Try to make multiple deliveries per TLS-encrypted connection. This
7889 uses the tlsproxy(8) service to encrypt an SMTP connection, uses the
7890 scache(8) service to save that connection, and relies on hints from the
7891 qmgr(8) daemon.
7892
7893 See "Client-side TLS connection reuse" for background details.
7894
7895 This feature is available in Postfix 3.4 and later.

smtp_tls_dane_insecure_mx_policy (default: see "postconf -d" output)
The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7899 destination security level is dane, but the MX record was found via an
7900 "insecure" MX lookup. The choices are:
7901
7902 may The TLSA records will be ignored and TLS will be optional. If
7903 the MX host does not appear to support STARTTLS, or the STARTTLS
7904 handshake fails, mail may be sent in the clear.
7905
7906 encrypt
7907 The TLSA records will signal a requirement to use TLS. While
7908 TLS encryption will be required, authentication will not be per‐
7909 formed.
7910
dane The TLSA records will be used just as with "secure" MX records.
TLS encryption will be required, and, if at least one of the
TLSA records is "usable", authentication will be required. When
authentication succeeds, it will be logged only as "Trusted",
not "Verified", because the MX host name could have been forged.

The default setting for Postfix >= 3.6 is "dane" with
"smtp_tls_security_level = dane", otherwise "may". This behavior
was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16 and
3.2.21. With earlier Postfix versions the default setting was
always "dane".
7921
7922 Though with "insecure" MX records an active attacker can compromise
7923 SMTP transport security by returning forged MX records, such attacks
7924 are "tamper-evident" since any forged MX hostnames will be recorded in
7925 the mail logs. Attackers who place a high value on staying hidden may
7926 be deterred from forging MX records.
7927
7928 This feature is available in Postfix 3.1 and later. The may policy is
7929 backwards-compatible with earlier Postfix versions.

smtp_tls_dcert_file (default: empty)
File with the Postfix SMTP client DSA certificate in PEM format. This
7933 file may also contain the Postfix SMTP client private DSA key. The DSA
7934 algorithm is obsolete and should not be used.
7935
7936 See the discussion under smtp_tls_cert_file for more details.
7937
7938 Example:
7939
7940 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7941
7942 This feature is available in Postfix 2.2 and later.

smtp_tls_dkey_file (default: $smtp_tls_dcert_file)
File with the Postfix SMTP client DSA private key in PEM format. This
7946 file may be combined with the Postfix SMTP client DSA certificate file
7947 specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete and
7948 should not be used.
7949
7950 The private key must be accessible without a pass-phrase, i.e. it must
7951 not be encrypted. File permissions should grant read-only access to the
7952 system superuser account ("root"), and no access to anyone else.
7953
7954 This feature is available in Postfix 2.2 and later.

smtp_tls_eccert_file (default: empty)
File with the Postfix SMTP client ECDSA certificate in PEM format.
7958 This file may also contain the Postfix SMTP client ECDSA private key.
7959 With Postfix >= 3.4 the preferred way to configure client keys and cer‐
7960 tificates is via the "smtp_tls_chain_files" parameter.
7961
7962 See the discussion under smtp_tls_cert_file for more details.
7963
7964 Example:
7965
7966 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7967
7968 This feature is available in Postfix 2.6 and later, when Postfix is
7969 compiled and linked with OpenSSL 1.0.0 or later.

smtp_tls_eckey_file (default: $smtp_tls_eccert_file)
File with the Postfix SMTP client ECDSA private key in PEM format.
7973 This file may be combined with the Postfix SMTP client ECDSA certifi‐
7974 cate file specified with $smtp_tls_eccert_file. With Postfix >= 3.4
7975 the preferred way to configure client keys and certificates is via the
7976 "smtp_tls_chain_files" parameter.
7977
7978 The private key must be accessible without a pass-phrase, i.e. it must
7979 not be encrypted. File permissions should grant read-only access to the
7980 system superuser account ("root"), and no access to anyone else.
7981
7982 This feature is available in Postfix 2.6 and later, when Postfix is
7983 compiled and linked with OpenSSL 1.0.0 or later.

smtp_tls_enforce_peername (default: yes)
With mandatory TLS encryption, require that the remote SMTP server
7987 hostname matches the information in the remote SMTP server certificate.
7988 As of RFC 2487 the requirements for hostname checking for MTA clients
7989 are not specified.
7990
7991 This option can be set to "no" to disable strict peer name checking.
7992 This setting has no effect on sessions that are controlled via the
7993 smtp_tls_per_site table.
7994
7995 Disabling the hostname verification can make sense in a closed environ‐
7996 ment where special CAs are created. If not used carefully, this option
7997 opens the danger of a "man-in-the-middle" attack (the CommonName of
7998 this attacker will be logged).
7999
8000 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8001 and later use smtp_tls_security_level instead.

smtp_tls_exclude_ciphers (default: empty)
List of ciphers or cipher types to exclude from the Postfix SMTP client
cipher list at all TLS security levels. This is not an OpenSSL
cipherlist; it is a simple list separated by whitespace and/or commas.
The elements are a single cipher, or one or more "+" separated cipher
properties, in which case only ciphers matching all the properties are
excluded.
8010
8011 Examples (some of these will cause problems):
8012
8013 smtp_tls_exclude_ciphers = aNULL
8014 smtp_tls_exclude_ciphers = MD5, DES
8015 smtp_tls_exclude_ciphers = DES+MD5
8016 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
8017 smtp_tls_exclude_ciphers = kEDH+aRSA
8018
8019 The first setting disables anonymous ciphers. The next setting disables
8020 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
8021 tion algorithm. The next setting disables ciphers that use MD5 and DES
8022 together. The next setting disables the two ciphers "AES256-SHA" and
8023 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
8024 exchange with RSA authentication.
8025
8026 This feature is available in Postfix 2.3 and later.

smtp_tls_fingerprint_cert_match (default: empty)
List of acceptable remote SMTP server certificate fingerprints for the
8030 "fingerprint" TLS security level (smtp_tls_security_level = finger‐
8031 print). At this security level, Certification Authorities are not used,
8032 and certificate expiration times are ignored. Instead, server certifi‐
8033 cates are verified directly via their certificate fingerprint or public
8034 key fingerprint (Postfix 2.9 and later). The fingerprint is a message
8035 digest of the server certificate (or public key). The digest algorithm
8036 is selected via the smtp_tls_fingerprint_digest parameter.
8037
8038 The colons between each pair of nibbles in the fingerprint value are
8039 optional (Postfix >= 3.6). These were required in earlier Postfix re‐
8040 leases.
8041
8042 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
8043 security level, any "match" attributes in that entry specify the list
8044 of valid fingerprints for the corresponding destination. Multiple fin‐
8045 gerprints can be combined with a "|" delimiter in a single match attri‐
8046 bute, or multiple match attributes can be employed.
8047
8048 Example: Certificate fingerprint verification with internal mailhub.
8049 Two matching fingerprints are listed. The relayhost may be multiple
8050 physical hosts behind a load-balancer, each with its own private/public
8051 key and self-signed certificate. Alternatively, a single relayhost may
8052 be in the process of switching from one set of private/public keys to
8053 another, and both keys are trusted just prior to the transition.
8054
8055 relayhost = [mailhub.example.com]
8056 smtp_tls_security_level = fingerprint
8057 smtp_tls_fingerprint_digest = sha256
8058 smtp_tls_fingerprint_cert_match =
8059 cd:fc:d8:db:f8:c4:82:96:6c:...:28:71:e8:f5:8d:a5:0d:9b:d4:a6
8060 dd:5c:ef:f5:c3:bc:64:25:36:...:99:36:06:ce:40:ef:de:2e:ad:a4
8061
8062 Example: Certificate fingerprint verification with selected destina‐
8063 tions. As in the example above, we show two matching fingerprints:
8064
8065 /etc/postfix/main.cf:
8066 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8067 smtp_tls_fingerprint_digest = sha256
8068
8069 /etc/postfix/tls_policy:
8070 example.com fingerprint
8071 match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
8072 match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
8073
8074 This feature is available in Postfix 2.5 and later.

smtp_tls_fingerprint_digest (default: see "postconf -d" output)
The message digest algorithm used to construct remote SMTP server
certificate fingerprints. At the "fingerprint" TLS security level
8079 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
8080 ified by directly matching its certificate fingerprint or its public
8081 key fingerprint (Postfix 2.9 and later). The fingerprint is the message
8082 digest of the server certificate (or its public key) using the selected
8083 algorithm. With a digest algorithm resistant to "second pre-image" at‐
8084 tacks, it is not feasible to create a new public key and a matching
8085 certificate (or public/private key-pair) that has the same fingerprint.
8086
8087 The default algorithm is sha256 with Postfix >= 3.6 and the compatibil‐
8088 ity_level set to 3.6 or higher. With Postfix <= 3.5, the default algo‐
8089 rithm is md5.
8090
8091 The best-practice algorithm is now sha256. Recent advances in hash
8092 function cryptanalysis have led to md5 and sha1 being deprecated in fa‐
8093 vor of sha256. However, as long as there are no known "second pre-im‐
8094 age" attacks against the older algorithms, their use in this context,
8095 though not recommended, is still likely safe.
8096
8097 While additional digest algorithms are often available with OpenSSL's
8098 libcrypto, only those used by libssl in SSL cipher suites are available
8099 to Postfix. You'll likely find support for md5, sha1, sha256 and
8100 sha512.
8101
To find the fingerprint of a specific certificate file, with a specific
digest algorithm (-sha256, -sha1, and so on in place of -digest), run:

$ openssl x509 -noout -fingerprint -digest -in certfile.pem
8106
8107 The text to the right of the "=" sign is the desired fingerprint. For
8108 example:
8109
8110 $ openssl x509 -noout -fingerprint -sha256 -in cert.pem
8111 SHA256 Fingerprint=D4:6A:AB:19:24:...:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
8112
8113 To extract the public key fingerprint from an X.509 certificate, you
8114 need to extract the public key from the certificate and compute the ap‐
8115 propriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
8116 key" option of the "x509" command extracts the public key always in
8117 "PEM" format. We pipe the result to another OpenSSL command that con‐
8118 verts the key to DER and then to the "dgst" command to compute the fin‐
8119 gerprint.
8120
8121 The actual command to transform the key to DER format depends on the
8122 version of OpenSSL used. As of OpenSSL 1.0.0, the "pkey" command sup‐
8123 ports all key types.
8124
8125 # OpenSSL >= 1.0 with SHA-256 fingerprints.
8126 $ openssl x509 -in cert.pem -noout -pubkey |
8127 openssl pkey -pubin -outform DER |
8128 openssl dgst -sha256 -c
8129 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:...:fc:09:1a:61:98:b5:bc:7c:60:58
8130
8131 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
8132 gerprint and the public key fingerprint when the TLS loglevel is 2 or
8133 higher.
8134
8135 This feature is available in Postfix 2.5 and later.
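The two openssl pipelines above are the manual way to obtain the values for smtp_tls_fingerprint_cert_match or a policy-table "match=" attribute. The script below is an added example, not Postfix code or part of its documentation; it does the same with the Python standard library only: decode a PEM certificate, walk the DER to isolate the SubjectPublicKeyInfo, digest both forms with the configured algorithm, and compare the way the "fingerprint" level does (any of several "|"-separated fingerprints, colons optional, hex case ignored). The embedded certificate is a constructed, X.509-shaped DER object with an Ed25519-style key field, empty names and a dummy signature, not a real certificate; point the script at your own cert.pem to get real values.

```python
"""Certificate and public-key fingerprints as the Postfix "fingerprint"
security level compares them.  Added example, standard library only."""
import base64
import hashlib
import re
import sys


def _tlv(tag, value):
    """DER-encode one tag/length/value (used only to build the sample below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _der_children(buf, start, end):
    """Yield the whole TLV bytes of each element inside a constructed TLV."""
    pos = start
    while pos < end:
        _, _, ve = _der_tlv(buf, pos)
        yield buf[pos:ve]
        pos = ve


def pem_to_der(pem):
    """Return the DER of the first CERTIFICATE block in PEM text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo: the bytes 'openssl pkey -pubin -outform DER' emits."""
    tag, vs, _ = _der_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_vs, tbs_ve = _der_tlv(cert_der, vs)      # tbsCertificate ::= SEQUENCE
    fields = list(_der_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def fingerprint(der, digest="sha256"):
    """Hex digest of DER bytes; digest is an smtp_tls_fingerprint_digest name."""
    return hashlib.new(digest, der).hexdigest()


def colonize(hexfp):
    """aa:bb:cc form, as shown in the main.cf examples above."""
    return ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2))


def normalize(fp):
    """Postfix >= 3.6 accepts fingerprints with or without colons, in any case."""
    return fp.replace(":", "").lower()


def matches(cert_der, match_value, digest="sha256"):
    """Emulate a "match=" attribute: "|"-separated fingerprints, accepted when
    any equals either the certificate or the public-key fingerprint."""
    wanted = {normalize(v) for v in match_value.split("|") if v}
    return (fingerprint(cert_der, digest) in wanted
            or fingerprint(extract_spki(cert_der), digest) in wanted)


# Constructed sample, NOT a real certificate: X.509-shaped DER with an
# Ed25519-style SPKI (OID 1.3.101.112), empty names and a dummy signature.
_ED25519_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2B6570")))
SAMPLE_SPKI = _tlv(0x30, _ED25519_ALG + _tlv(0x03, b"\x00" + bytes(range(32))))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))      # version v3
             + _tlv(0x02, b"\x01")                     # serialNumber
             + _ED25519_ALG                            # signature algorithm
             + _tlv(0x30, b"")                         # issuer (empty Name)
             + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
             + _tlv(0x30, b"")                         # subject (empty Name)
             + SAMPLE_SPKI)
SAMPLE_CERT_DER = _tlv(0x30, _TBS + _ED25519_ALG + _tlv(0x03, b"\x00" + bytes(64)))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python3 tlsfp.py cert.pem   (with no argument, uses the sample)
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_CERT_DER
    for name in ("sha256", "sha1"):
        print(f"{name} cert fingerprint:   {colonize(fingerprint(der, name))}")
        print(f"{name} pubkey fingerprint: {colonize(fingerprint(extract_spki(der), name))}")
```

On a real certificate both values agree with the openssl output above. If a server's public-key fingerprint still matches after the certificate fingerprint stops matching, the server re-issued its certificate for the same key, which is exactly the case that pinning the public key rather than the certificate is meant to survive.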

smtp_tls_force_insecure_host_tlsa_lookup (default: no)
Look up the associated DANE TLSA RRset even when a hostname is not an
8139 alias and its address records lie in an unsigned zone. This is un‐
8140 likely to ever yield DNSSEC validated results, since child zones of un‐
8141 signed zones are also unsigned in the absence of DLV or locally config‐
8142 ured non-root trust-anchors. We anticipate that such mechanisms will
8143 not be used for just the "_tcp" subdomain of a host. Suppressing the
8144 TLSA RRset lookup reduces latency and avoids potential interoperability
8145 problems with nameservers for unsigned zones that are not prepared to
8146 handle the new TLSA RRset.
8147
8148 This feature is available in Postfix 2.11.

smtp_tls_key_file (default: $smtp_tls_cert_file)
File with the Postfix SMTP client RSA private key in PEM format. This
8152 file may be combined with the Postfix SMTP client RSA certificate file
8153 specified with $smtp_tls_cert_file. With Postfix >= 3.4 the preferred
8154 way to configure client keys and certificates is via the
8155 "smtp_tls_chain_files" parameter.
8156
8157 The private key must be accessible without a pass-phrase, i.e. it must
8158 not be encrypted. File permissions should grant read-only access to the
8159 system superuser account ("root"), and no access to anyone else.
8160
8161 Example:
8162
8163 smtp_tls_key_file = $smtp_tls_cert_file
8164
8165 This feature is available in Postfix 2.2 and later.

smtp_tls_loglevel (default: 0)
Enable additional Postfix SMTP client logging of TLS activity. Each
8169 logging level also includes the information that is logged at a lower
8170 logging level.
8171
8172 0 Disable logging of TLS activity.
8173
8174 1 Log only a summary message on TLS handshake completion - no
8175 logging of remote SMTP server certificate trust-chain verifica‐
8176 tion errors if server certificate verification is not required.
8177 With Postfix 2.8 and earlier, log the summary message and uncon‐
8178 ditionally log trust-chain verification errors.
8179
8180 2 Also log levels during TLS negotiation.
8181
8182 3 Also log the hexadecimal and ASCII dump of the TLS negotiation
8183 process.
8184
8185 4 Also log the hexadecimal and ASCII dump of complete transmis‐
8186 sion after STARTTLS.
8187
8188 Do not use "smtp_tls_loglevel = 2" or higher except in case of prob‐
8189 lems. Use of loglevel 4 is strongly discouraged.
8190
8191 This feature is available in Postfix 2.2 and later.

smtp_tls_mandatory_ciphers (default: medium)
The minimum TLS cipher grade that the Postfix SMTP client will use with
8195 mandatory TLS encryption. The default value "medium" is suitable for
8196 most destinations with which you may want to enforce TLS, and is beyond
8197 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
8198 for information on how to configure ciphers on a per-destination basis.
8199
8200 The following cipher grades are supported:
8201
8202 high Enable only "HIGH" grade OpenSSL ciphers. This setting may be
8203 appropriate when all mandatory TLS destinations (e.g. when all
8204 mail is routed to a suitably capable relayhost) support at least
8205 one "HIGH" grade cipher. The underlying cipherlist is specified
8206 via the tls_high_cipherlist configuration parameter, which you
8207 are strongly encouraged not to change.
8208
8209 medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
8210 cipherlist is specified via the tls_medium_cipherlist configura‐
8211 tion parameter, which you are strongly encouraged not to change.
8212
8213 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
8214 cation without encryption. This setting is only appropriate in
8215 the rare case that all servers are prepared to use NULL ciphers
8216 (not normally enabled in TLS servers). A plausible use-case is
8217 an LMTP server listening on a UNIX-domain socket that is config‐
8218 ured to support "NULL" ciphers. The underlying cipherlist is
8219 specified via the tls_null_cipherlist configuration parameter,
8220 which you are strongly encouraged not to change.
8221
8222 low Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix >=
8223 3.8 this cipher grade is always identical to "medium". Recent
8224 versions of OpenSSL do not support any "LOW" grade ciphers. In
8225 earlier Postfix releases the underlying cipherlist was specified
8226 via the tls_low_cipherlist configuration parameter, which you
8227 are strongly encouraged not to change. This obsolete cipher
8228 grade SHOULD NOT be used.
8229
8230 export Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
8231 >= 3.8 this cipher grade is always identical to "medium". Re‐
8232 cent versions of OpenSSL do not support any "EXPORT" grade ci‐
8233 phers. In earlier Postfix releases the underlying cipherlist
8234 was specified via the tls_export_cipherlist configuration param‐
8235 eter, which you are strongly encouraged not to change. This ob‐
8236 solete cipher grade SHOULD NOT be used.
8237
8238 The underlying cipherlists for grades other than "null" include anony‐
8239 mous ciphers, but these are automatically filtered out if the Postfix
8240 SMTP client is configured to verify server certificates. You are very
8241 unlikely to need to take any steps to exclude anonymous ciphers, they
8242 are excluded automatically as necessary. If you must exclude anonymous
8243 ciphers at the "may" or "encrypt" security levels, when the Postfix
8244 SMTP client does not need or use peer certificates, set "smtp_tls_ex‐
8245 clude_ciphers = aNULL". To exclude anonymous ciphers only when TLS is
8246 enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
8247
8248 This feature is available in Postfix 2.3 and later.

smtp_tls_mandatory_exclude_ciphers (default: empty)
Additional list of ciphers or cipher types to exclude from the Postfix
8252 SMTP client cipher list at mandatory TLS security levels. This list
8253 works in addition to the exclusions listed with smtp_tls_exclude_ci‐
8254 phers (see there for syntax details).
8255
8256 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
8257 ified on a per-destination basis via the TLS policy "exclude" attri‐
8258 bute. See smtp_tls_policy_maps for notes and examples.
8259
8260 This feature is available in Postfix 2.3 and later.

smtp_tls_mandatory_protocols (default: see "postconf -d" output)
TLS protocols that the Postfix SMTP client will use with mandatory TLS
8264 encryption. In main.cf the values are separated by whitespace, commas
8265 or colons. In the policy table "protocols" attribute (see smtp_tls_pol‐
8266 icy_maps) the only valid separator is colon. An empty value means allow
8267 all protocols.
8268
8269 The valid protocol names (see SSL_get_version(3)) are "SSLv2", "SSLv3",
8270 "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with Postfix
8271 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as the lowest
8272 supported TLS protocol version (see below). Older releases use the "!"
8273 exclusion syntax, also described below.
8274
8275 As of Postfix 3.6, the preferred way to limit the range of acceptable
8276 protocols is to set a lowest acceptable TLS protocol version and/or a
8277 highest acceptable TLS protocol version. To set the lower bound in‐
8278 clude an element of the form: ">=version" where version is a either one
8279 of the TLS protocol names listed above, or a hexadecimal number corre‐
8280 sponding to the desired TLS protocol version (0301 for TLS 1.0, 0302
8281 for TLS 1.1, etc.). For the upper bound, use "<=version". There must
8282 be no whitespace between the ">=" or "<=" symbols and the protocol name
8283 or number.
8284
8285 Hexadecimal protocol numbers make it possible to specify protocol
8286 bounds for TLS versions that are known to OpenSSL, but might not be
8287 known to Postfix. They cannot be used with the legacy exclusion syn‐
8288 tax. Leading "0" or "0x" prefixes are supported, but not required.
8289 Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
8290 "TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
8291 upper or lower bound, and a warning will be logged. Hexadecimal ver‐
8292 sions should only be used when Postfix is linked with some future ver‐
8293 sion of OpenSSL that supports TLS 1.4 or later, but Postfix does not
8294 yet support a symbolic name for that protocol version.
8295
8296 Hexadecimal example (Postfix >= 3.6):
8297
8298 # Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
8299 # in some future version of OpenSSL (presently a warning is logged).
8300 smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
8301 # Allow only TLS 1.2 and up:
8302 smtp_tls_mandatory_protocols = >=0x0303
8303
8304 With Postfix < 3.6 there is no support for a minimum or maximum ver‐
8305 sion, and the protocol range is configured via protocol exclusions. To
8306 require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2,
8307 !SSLv3". Listing the protocols to include, rather than the protocols to
8308 exclude, is supported, but not recommended. The exclusion syntax more
8309 accurately matches the underlying OpenSSL interface.
8310
8311 When using the exclusion syntax, take care to ensure that the range of
8312 protocols supported by the Postfix SMTP client is contiguous. When a
8313 protocol version is enabled, disabling any higher version implicitly
8314 disables all versions above that higher version. Thus, for example:
8315
8316 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
8317
8318 also disables any protocol versions higher than TLSv1.1 leaving only
8319 "TLSv1" enabled.
8320
8321 Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling this
8322 protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch re‐
8323 leases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
8324
8325 While the vast majority of SMTP servers with DANE TLSA records now sup‐
8326 port at least TLS 1.2, a few still only support TLS 1.0. If you use
8327 "dane" or "dane-only" it is best not to disable TLSv1, except perhaps
8328 via the policy table for destinations which you are sure will support
8329 "TLSv1.2".
8330
8331 See the documentation of the smtp_tls_policy_maps parameter and
8332 TLS_README for more information about security levels.
8333
8334 Example:
8335 # Preferred syntax with Postfix >= 3.6:
8336 smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
8337 # Legacy syntax:
8338 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
8339
8340 This feature is available in Postfix 2.3 and later.
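Because the legacy "!" syntax can silently leave a narrower range than intended, it helps to compute the effective range before deploying a setting. The following Python model is an added illustration, not Postfix code: it applies the parsing rules described above (the ">=" and "<=" bounds with symbolic or hexadecimal versions, the "!" exclusions, the include-list form, the rule that the first disabled version above the lowest enabled one ends the range, and a warning in place of a bound for hex versions OpenSSL does not know). The list of versions assumed to be offered by the linked OpenSSL is TLS 1.0 through 1.3; pass all six names to model an older library.

```python
"""Model of how a smtp_tls_mandatory_protocols / smtp_tls_protocols value is
reduced to an effective protocol range.  Added example, not Postfix code."""
import re

# Protocol names Postfix knows and their TLS wire version numbers.
VERSIONS = {"SSLv2": 0x0002, "SSLv3": 0x0300, "TLSv1": 0x0301,
            "TLSv1.1": 0x0302, "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}
_NAME_OF = {num: name for name, num in VERSIONS.items()}

# Assumption: versions the linked OpenSSL actually offers (OpenSSL >= 1.1.0
# builds have no SSLv2/SSLv3); pass all six names to model an older library.
DEFAULT_AVAILABLE = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def parse_version(token):
    """Map a protocol name or hex number ("301", "0301", "0x0301") to its number."""
    if token in VERSIONS:
        return VERSIONS[token]
    m = re.fullmatch(r"(?:0x)?([0-9a-fA-F]{1,4})", token)
    return int(m.group(1), 16) if m else None


def effective_protocols(value, available=DEFAULT_AVAILABLE):
    """Return (enabled_names, warnings) for a main.cf or policy-table value.

    Elements may be separated by whitespace, commas or colons; ">=ver" and
    "<=ver" set bounds, "!name" excludes, bare names form an include list."""
    available = sorted(available, key=VERSIONS.__getitem__)
    warnings, lo, hi = [], None, None
    include, exclude = set(), set()
    for tok in re.split(r"[\s,:]+", value.strip()):
        if not tok:
            continue
        if tok[:2] in (">=", "<="):
            num = parse_version(tok[2:])
            if num is None or _NAME_OF.get(num) not in available:
                # Postfix logs a warning and leaves the bound unset.
                warnings.append(f"unknown protocol version {tok[2:]!r}; bound ignored")
            elif tok[0] == ">":
                lo = num
            else:
                hi = num
        elif tok.startswith("!"):
            if tok[1:] in VERSIONS:
                exclude.add(tok[1:])
            else:
                warnings.append(f"unknown protocol {tok[1:]!r} in exclusion")
        elif tok in VERSIONS:
            include.add(tok)
        else:
            warnings.append(f"unknown protocol {tok!r}")

    enabled = []
    for name in available:
        num = VERSIONS[name]
        if (lo is not None and num < lo) or (hi is not None and num > hi):
            continue
        if (include and name not in include) or name in exclude:
            continue
        enabled.append(name)

    # The range must be contiguous: the first disabled version above the
    # lowest enabled one also disables everything above it.
    result, started = [], False
    for name in available:
        if name in enabled:
            result.append(name)
            started = True
        elif started:
            break
    return result, warnings


if __name__ == "__main__":
    for setting in ("!SSLv2, !SSLv3, !TLSv1.1",          # surprise: only TLSv1
                    "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1",
                    ">=TLSv1.2, <=TLSv1.3",
                    ">=0x0303",
                    ">=TLSv1.2, <=0305"):                # hypothetical TLS 1.4
        enabled, warnings = effective_protocols(setting)
        print(f"{setting:40s} -> {enabled} {warnings}")
```

The first setting in the demo is the one the text warns about: excluding TLSv1.1 while TLSv1 is still enabled leaves TLSv1 as the only usable version. The same model applied to a policy-table "protocols" attribute (colon-separated) gives the per-destination range.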

smtp_tls_note_starttls_offer (default: no)
Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
8344 is not already enabled for that server.
8345
8346 The logfile record looks like:
8347
8348 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
8349
8350 This feature is available in Postfix 2.2 and later.

smtp_tls_per_site (default: empty)
Optional lookup tables with the Postfix SMTP client TLS usage policy by
8354 next-hop destination and by remote SMTP server hostname. When both
8355 lookups succeed, the more specific per-site policy (NONE, MUST, etc.)
8356 overrides the less specific one (MAY), and the more secure per-site
8357 policy (MUST, etc.) overrides the less secure one (NONE). With Postfix
8358 2.3 and later smtp_tls_per_site is strongly discouraged: use
8359 smtp_tls_policy_maps instead.
8360
8361 Use of the bare hostname as the per-site table lookup key is discour‐
8362 aged. Always use the full destination nexthop (enclosed in [] with a
8363 possible ":port" suffix). A recipient domain or MX-enabled transport
8364 next-hop with no port suffix may look like a bare hostname, but is
8365 still a suitable destination.
8366
8367 Specify a next-hop destination or server hostname on the left-hand
8368 side; no wildcards are allowed. The next-hop destination is either the
8369 recipient domain, or the destination specified with a transport(5) ta‐
8370 ble, the relayhost parameter, or the relay_transport parameter. On the
8371 right hand side specify one of the following keywords:
8372
8373 NONE Don't use TLS at all. This overrides a less specific MAY lookup
8374 result from the alternate host or next-hop lookup key, and over‐
8375 rides the global smtp_use_tls, smtp_enforce_tls, and
8376 smtp_tls_enforce_peername settings.
8377
8378 MAY Try to use TLS if the server announces support, otherwise use an
8379 unencrypted connection. This has less precedence than a more
8380 specific result (including NONE) from the alternate host or
8381 next-hop lookup key, and has less precedence than the more spe‐
8382 cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
8383 name = yes".
8384
8385 MUST_NOPEERMATCH
8386 Require TLS encryption, but do not require that the remote SMTP
8387 server hostname matches the information in the remote SMTP
8388 server certificate, or that the server certificate was issued by
8389 a trusted CA. This overrides a less secure NONE or a less spe‐
8390 cific MAY lookup result from the alternate host or next-hop
8391 lookup key, and overrides the global smtp_use_tls, smtp_en‐
8392 force_tls and smtp_tls_enforce_peername settings.
8393
8394 MUST Require TLS encryption, require that the remote SMTP server
8395 hostname matches the information in the remote SMTP server cer‐
8396 tificate, and require that the remote SMTP server certificate
8397 was issued by a trusted CA. This overrides a less secure NONE or
8398 MUST_NOPEERMATCH or a less specific MAY lookup result from the
8399 alternate host or next-hop lookup key, and overrides the global
8400 smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
8401 settings.
8402
8403 The above keywords correspond to the "none", "may", "encrypt" and "ver‐
8404 ify" security levels for the new smtp_tls_security_level parameter in‐
8405 troduced in Postfix 2.3. Starting with Postfix 2.3, and independently
8406 of how the policy is specified, the smtp_tls_mandatory_ciphers and
8407 smtp_tls_mandatory_protocols parameters apply when TLS encryption is
8408 mandatory. Connections for which encryption is optional typically en‐
8409 able all "export" grade and better ciphers (see smtp_tls_ciphers and
8410 smtp_tls_protocols).
8411
8412 As long as no secure DNS lookup mechanism is available, false hostnames
8413 in MX or CNAME responses can change the server hostname that Postfix
8414 uses for TLS policy lookup and server certificate verification. Even
8415 with a perfect match between the server hostname and the server cer‐
8416 tificate, there is no guarantee that Postfix is connected to the right
8417 server. See TLS_README (Closing a DNS loophole with obsolete per-site
8418 TLS policies) for a possible work-around.
8419
8420 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8421 and later use smtp_tls_policy_maps instead.

smtp_tls_policy_maps (default: empty)
Optional lookup tables with the Postfix SMTP client TLS security policy
8425 by next-hop destination; when a non-empty value is specified, this
8426 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
8427 a more detailed discussion of TLS security levels.
8428
8429 Specify zero or more "type:name" lookup tables, separated by whitespace
8430 or comma. Tables will be searched in the specified order until a match
8431 is found.
8432
8433 The TLS policy table is indexed by the full next-hop destination, which
8434 is either the recipient domain, or the verbatim next-hop specified in
8435 the transport table, $local_transport, $virtual_transport, $re‐
8436 lay_transport or $default_transport. This includes any enclosing square
8437 brackets and any non-default destination server port suffix. The LMTP
8438 socket type prefix (inet: or unix:) is not included in the lookup key.
8439
8440 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
8441 sockets, is used as the nexthop name for certificate verification. The
8442 port and any enclosing square brackets are used in the table lookup
8443 key, but are not used for server name verification.
8444
8445 When the lookup key is a domain name without enclosing square brackets
8446 or any :port suffix (typically the recipient domain), and the full do‐
8447 main is not found in the table, just as with the transport(5) table,
8448 the parent domain starting with a leading "." is matched recursively.
8449 This allows one to specify a security policy for a recipient domain and
8450 all its sub-domains.
8451
8452 The lookup result is a security level, followed by an optional list of
8453 whitespace and/or comma separated name=value attributes that override
8454 related main.cf settings. The TLS security levels in order of increas‐
8455 ing security are:
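An added example, not Postfix code, of the lookup rules just described: the LMTP socket prefix is dropped, enclosing brackets and a port suffix stay in the key, only a bare domain falls back to its parent domains with a leading ".", and a hit is split into the security level and its name=value attributes, with the colon-separated list attributes expanded and a "fingerprint" level "match" value split on "|". The table is a constructed in-memory stand-in for a hash: file; that hash: lookups are case-insensitive and that parent-domain fallback requires the key to look like a plain hostname are assumptions that mirror the description above.

```python
"""Emulation of smtp_tls_policy_maps key construction, parent-domain
fallback and result parsing.  Added example, not Postfix code."""
import re

# Assumption: a key qualifies for parent-domain fallback only when it looks
# like a plain hostname (no brackets, no :port, no socket path).
_HOSTNAME = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$")

# Constructed stand-in for hash:/etc/postfix/tls_policy (fingerprints are
# placeholders, not real digests).
SAMPLE_TABLE = {
    "example.com":               "dane",
    ".example.com":              "encrypt protocols=>=TLSv1.2 ciphers=high",
    "[mailhub.example.net]":     "verify match=mailhub.example.net",
    "[mailhub.example.net]:587": "fingerprint match=aa:bb|cc:dd",
    "/var/run/dovecot/lmtp":     "none",
}


def policy_key(nexthop):
    """Lookup key: the verbatim next-hop minus any LMTP inet:/unix: prefix.
    Brackets and a non-default :port suffix remain part of the key."""
    return re.sub(r"^(inet|unix):", "", nexthop.strip(), flags=re.I).lower()


def candidate_keys(nexthop):
    """Keys tried in order: the full key, then .parent, .grandparent, ...
    The fallback happens only for a bare domain name."""
    key = policy_key(nexthop)
    keys = [key]
    if _HOSTNAME.match(key):
        labels = key.split(".")
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys


def parse_policy(result):
    """Split "level attr=value ..." into (level, {attr: value}).
    ciphers/exclude/protocols are colon-separated lists; at the fingerprint
    level a match attribute may carry several fingerprints separated by |."""
    parts = [p for p in re.split(r"[\s,]+", result.strip()) if p]
    level, attrs = parts[0], {}
    for item in parts[1:]:
        name, _, value = item.partition("=")
        if name in ("ciphers", "exclude", "protocols"):
            attrs[name] = value.split(":")
        elif name == "match" and level == "fingerprint":
            attrs.setdefault(name, []).extend(value.split("|"))
        else:
            attrs[name] = value
    return level, attrs


def lookup_tls_policy(table, nexthop):
    """Return (level, attrs, matched_key), or None when no entry applies."""
    for key in candidate_keys(nexthop):
        if key in table:
            level, attrs = parse_policy(table[key])
            return level, attrs, key
    return None


if __name__ == "__main__":
    for nexthop in ("example.com", "mail.sub.example.com", "[sub.example.com]",
                    "sub.example.com:25", "inet:[mailhub.example.net]:587",
                    "unix:/var/run/dovecot/lmtp", "other.org"):
        print(f"{nexthop:32s} -> {lookup_tls_policy(SAMPLE_TABLE, nexthop)}")
```

Note the two misses in the demo: "[sub.example.com]" and "sub.example.com:25" are not bare domains, so the ".example.com" entry does not apply to them even though the same host would match when written as a plain recipient domain. That is the reason the text above recommends a separate entry for each bracketed or port-qualified next-hop you relay to.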
8456
8457 none No TLS. No additional attributes are supported at this level.
8458
8459 may Opportunistic TLS. Since sending in the clear is acceptable, de‐
8460 manding stronger than default TLS security merely reduces inter‐
8461 operability. The optional "ciphers", "exclude", and "protocols"
8462 attributes (available for opportunistic TLS with Postfix >= 2.6)
8463 and "connection_reuse" attribute (Postfix >= 3.4) override the
8464 "smtp_tls_ciphers", "smtp_tls_exclude_ciphers", "smtp_tls_proto‐
8465 cols", and "smtp_tls_connection_reuse" configuration parameters.
8466 In the policy table, multiple ciphers, protocols or excluded ci‐
8467 phers must be separated by colons, as attribute values may not
8468 contain whitespace or commas. When opportunistic TLS handshakes
8469 fail, Postfix retries the connection with TLS disabled. This
8470 allows mail delivery to sites with non-interoperable TLS imple‐
8471 mentations.
8472
8473 encrypt
8474 Mandatory TLS encryption. At this level and higher, the optional
8475 "protocols" attribute overrides the main.cf smtp_tls_manda‐
8476 tory_protocols parameter, the optional "ciphers" attribute over‐
8477 rides the main.cf smtp_tls_mandatory_ciphers parameter, the op‐
8478 tional "exclude" attribute (Postfix >= 2.6) overrides the
8479 main.cf smtp_tls_mandatory_exclude_ciphers parameter, and the
8480 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8481 the main.cf smtp_tls_connection_reuse parameter. In the policy
8482 table, multiple ciphers, protocols or excluded ciphers must be
8483 separated by colons, as attribute values may not contain white‐
8484 space or commas.
8485
8486 dane Opportunistic DANE TLS. The TLS policy for the destination is
8487 obtained via TLSA records in DNSSEC. If no TLSA records are
8488 found, the effective security level used is may. If TLSA
8489 records are found, but none are usable, the effective security
8490 level is encrypt. When usable TLSA records are obtained for the
8491 remote SMTP server, the server certificate must match the TLSA
8492 records. RFC 7672 (DANE) TLS authentication and DNSSEC support
8493 is available with Postfix 2.11 and later. The optional "connec‐
8494 tion_reuse" attribute (Postfix >= 3.4) overrides the main.cf
8495 smtp_tls_connection_reuse parameter. When the effective secu‐
8496 rity level used is may, the optional "ciphers", "exclude", and
8497 "protocols" attributes (Postfix >= 2.6) override the
8498 "smtp_tls_ciphers", "smtp_tls_exclude_ciphers", and
8499 "smtp_tls_protocols" configuration parameters. When the effec‐
8500 tive security level used is encrypt, the optional "ciphers",
8501 "exclude", and "protocols" attributes (Postfix >= 2.6) override
8502 the "smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_ex‐
8503 clude_ciphers", and "smtp_tls_mandatory_protocols" configuration
8504 parameters.
8505
8506 dane-only
8507 Mandatory DANE TLS. The TLS policy for the destination is ob‐
8508 tained via TLSA records in DNSSEC. If no TLSA records are
8509 found, or none are usable, no connection is made to the server.
8510 When usable TLSA records are obtained for the remote SMTP
8511 server, the server certificate must match the TLSA records. RFC
8512 7672 (DANE) TLS authentication and DNSSEC support is available
8513 with Postfix 2.11 and later. The optional "ciphers", "exclude",
8514 and "protocols" attributes (Postfix >= 2.6) override the
8515 "smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ci‐
8516 phers", and "smtp_tls_mandatory_protocols" configuration parame‐
8517 ters. The optional "connection_reuse" attribute (Postfix >= 3.4)
8518 overrides the main.cf smtp_tls_connection_reuse parameter.
8519
8520 fingerprint
8521 Certificate fingerprint verification. Available with Postfix 2.5
8522 and later. At this security level, there are no trusted Certifi‐
8523 cation Authorities. The certificate trust chain, expiration
8524 date, ... are not checked. Instead, the optional "match" attri‐
8525 bute, or else the main.cf smtp_tls_fingerprint_cert_match param‐
8526 eter, lists the certificate fingerprints or the public key fin‐
8527 gerprint (Postfix 2.9 and later) of the valid server certifi‐
8528 cate. The digest algorithm used to calculate the fingerprint is
8529 selected by the smtp_tls_fingerprint_digest parameter. Multiple
8530 fingerprints can be combined with a "|" delimiter in a single
8531 match attribute, or multiple match attributes can be employed.
8532 The ":" character is not used as a delimiter as it occurs be‐
8533 tween each pair of fingerprint (hexadecimal) digits. The op‐
8534 tional "ciphers", "exclude", and "protocols" attributes (Postfix
8535 >= 2.6) override the "smtp_tls_mandatory_ciphers",
8536 "smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_manda‐
8537 tory_protocols" configuration parameters. The optional "connec‐
8538 tion_reuse" attribute (Postfix >= 3.4) overrides the main.cf
8539 smtp_tls_connection_reuse parameter.
8540
8541 verify Mandatory TLS verification. At this security level, DNS MX
8542 lookups are trusted to be secure enough, and the name verified
8543 in the server certificate is usually obtained indirectly via
8544 unauthenticated DNS MX lookups. The optional "match" attribute
8545 overrides the main.cf smtp_tls_verify_cert_match parameter. In
8546 the policy table, multiple match patterns and strategies must be
8547 separated by colons. In practice explicit control over matching
8548 is more common with the "secure" policy, described below. The
8549 optional "ciphers", "exclude", and "protocols" attributes (Post‐
8550 fix >= 2.6) override the "smtp_tls_mandatory_ciphers",
8551 "smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_manda‐
8552 tory_protocols" configuration parameters. The optional "connec‐
8553 tion_reuse" attribute (Postfix >= 3.4) overrides the main.cf
8554 smtp_tls_connection_reuse parameter.
8555
8556 secure Secure-channel TLS. At this security level, DNS MX lookups,
8557 though potentially used to determine the candidate next-hop
8558 gateway IP addresses, are not trusted to be secure enough for
8559 TLS peername verification. Instead, the default name verified in
8560 the server certificate is obtained directly from the next-hop,
8561 or is explicitly specified via the optional "match" attribute
8562 which overrides the main.cf smtp_tls_secure_cert_match parame‐
8563 ter. In the policy table, multiple match patterns and strategies
8564 must be separated by colons. The match attribute is most useful
8565 when multiple domains are supported by a common server: the pol‐
8566 icy entries for additional domains specify matching rules for
8567 the primary domain certificate. While transport table overrides
8568 that route the secondary domains to the primary nexthop also al‐
8569 low secure verification, they risk delivery to the wrong desti‐
8570 nation when domains change hands or are re-assigned to new gate‐
8571 ways. With the "match" attribute approach, routing is not per‐
8572 turbed, and mail is deferred if verification of a new MX host
8573 fails. The optional "ciphers", "exclude", and "protocols" at‐
8574 tributes (Postfix >= 2.6) override the "smtp_tls_mandatory_ci‐
8575 phers", "smtp_tls_mandatory_exclude_ciphers", and
8576 "smtp_tls_mandatory_protocols" configuration parameters. The op‐
8577 tional "connection_reuse" attribute (Postfix >= 3.4) overrides
8578 the main.cf smtp_tls_connection_reuse parameter.
8579
8580 Example:
8581
8582 /etc/postfix/main.cf:
8583 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8584 # Postfix 2.5 and later.
8585 #
8586 # The default digest is sha256 with Postfix >= 3.6 and
8587 # compatibility level >= 3.
8588 #
8589 smtp_tls_fingerprint_digest = sha256
8590
8591 /etc/postfix/tls_policy:
8592 example.edu none
8593 example.mil may
8594 example.gov encrypt protocols=TLSv1
8595 example.com verify ciphers=high
8596 example.net secure
8597 .example.net secure match=.example.net:example.net
8598 [mail.example.org]:587 secure match=nexthop
8599 # Postfix 2.5 and later
8600 [thumb.example.org] fingerprint
8601 match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
8602 match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
8603
8604 Note: The "hostname" strategy if listed in a non-default setting of
8605 smtp_tls_secure_cert_match or in the "match" attribute in the policy
8606 table can render the "secure" level vulnerable to DNS forgery. Do not
8607 use the "hostname" strategy for secure-channel configurations in envi‐
8608 ronments where DNS security is not assured.
8609
8610 This feature is available in Postfix 2.3 and later.
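The lookup described above, as an added example that is not Postfix code: it derives the lookup key from the next-hop (socket-type prefix dropped, brackets and port kept), applies parent-domain matching only to bare domain keys, parses the "level attr=value" result, and maps each attribute to the main.cf parameter it overrides at that level. The table contents are constructed; for "dane" the caller passes the effective level once TLSA lookup has decided it.

```python
"""Model a Postfix smtp_tls_policy_maps lookup as postconf(5) describes it.

Added example, not Postfix code: derives the lookup key from the next-hop,
applies parent-domain matching, parses the result, and maps each attribute
to the main.cf parameter it overrides at that security level.
"""
import re

LEVELS = ("none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure")

# Constructed policy table; same format as /etc/postfix/tls_policy.
TLS_POLICY = {
    "example.mil": "may",
    "example.gov": "encrypt protocols=TLSv1.2:TLSv1.3",
    "example.com": "verify ciphers=high",
    ".example.net": "secure match=.example.net:example.net",
    "[mail.example.org]:587": "secure match=nexthop",
}


def lookup_key(nexthop):
    """Drop the LMTP socket-type prefix; keep brackets and any :port suffix."""
    return re.sub(r"^(inet|unix):", "", nexthop).lower()


def is_bare_domain(key):
    """True for keys such as 'example.com' (no brackets, no :port suffix)."""
    return not key.startswith("[") and ":" not in key


def find_policy(table, nexthop):
    """Return (matched_key, raw_policy), or None when nothing matches."""
    key = lookup_key(nexthop)
    if key in table:
        return key, table[key]
    if not is_bare_domain(key):
        return None            # bracketed or :port keys match exactly only
    labels = key.split(".")
    # Walk up as transport(5) does: mail.example.net -> .example.net -> .net
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return parent, table[parent]
    return None


def parse_policy(raw):
    """Split 'level attr=value ...' into (level, attrs); list values use ':'."""
    fields = [f for f in re.split(r"[\s,]+", raw.strip()) if f]
    level, attrs = fields[0], {}
    if level not in LEVELS:
        raise ValueError("unknown TLS security level: %r" % level)
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep or not value:
            raise ValueError("malformed attribute: %r" % field)
        if name == "match":
            # fingerprint: '|' separates digests; otherwise ':' separates patterns
            delim = "|" if level == "fingerprint" else ":"
            attrs.setdefault("match", []).extend(value.split(delim))
        elif name in ("ciphers", "exclude", "protocols"):
            attrs[name] = value.split(":")
        else:
            attrs[name] = value
    return level, attrs


def overridden_parameters(level, attrs, effective=None):
    """Map attributes to the main.cf parameters they override at this level.

    For 'dane' the caller passes effective='may' or 'encrypt' once the TLSA
    lookup has decided it; every other level is its own effective level.
    """
    effective = effective or level
    if level == "none":
        if attrs:
            raise ValueError("no attributes are supported at level none")
        return {}
    opportunistic = effective == "may"
    targets = {
        "ciphers": "smtp_tls_ciphers" if opportunistic else "smtp_tls_mandatory_ciphers",
        "exclude": "smtp_tls_exclude_ciphers" if opportunistic else "smtp_tls_mandatory_exclude_ciphers",
        "protocols": "smtp_tls_protocols" if opportunistic else "smtp_tls_mandatory_protocols",
        "connection_reuse": "smtp_tls_connection_reuse",
        "servername": "smtp_tls_servername",
        "tafile": "smtp_tls_trust_anchor_file" if level in ("verify", "secure") else None,
        "match": {"fingerprint": "smtp_tls_fingerprint_cert_match",
                  "verify": "smtp_tls_verify_cert_match",
                  "secure": "smtp_tls_secure_cert_match"}.get(level),
    }
    result = {}
    for name, value in attrs.items():
        target = targets.get(name)
        if target is None:
            raise ValueError("attribute %r not supported at level %r" % (name, level))
        result[target] = value
    return result


def evaluate(table, nexthop, effective=None):
    """Full evaluation: (matched_key, level, overrides), or None if no match."""
    found = find_policy(table, nexthop)
    if found is None:
        return None
    key, raw = found
    level, attrs = parse_policy(raw)
    return key, level, overridden_parameters(level, attrs, effective)
```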

smtp_tls_protocols

TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption. In main.cf the values are separated by whitespace, commas or colons. In the policy table "protocols" attribute (see smtp_tls_policy_maps) the only valid separator is colon. An empty value means allow all protocols.

The valid protocol names (see SSL_get_version(3)) are "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as the lowest supported TLS protocol version (see below). Older releases use the "!" exclusion syntax, also described below.

As of Postfix 3.6, the preferred way to limit the range of acceptable protocols is to set the lowest acceptable TLS protocol version and/or the highest acceptable TLS protocol version. To set the lower bound include an element of the form ">=version", where version is either one of the TLS protocol names listed above, or a hexadecimal number corresponding to the desired TLS protocol version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper bound, use "<=version". There must be no whitespace between the ">=" or "<=" symbols and the protocol name or number.

Hexadecimal protocol numbers make it possible to specify protocol bounds for TLS versions that are known to OpenSSL, but might not be known to Postfix. They cannot be used with the legacy exclusion syntax. Leading "0" or "0x" prefixes are supported, but not required. Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to "TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the upper or lower bound, and a warning will be logged. Hexadecimal versions should only be used when Postfix is linked with some future version of OpenSSL that supports TLS 1.4 or later, but Postfix does not yet support a symbolic name for that protocol version.

Hexadecimal example (Postfix >= 3.6):

    # Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
    # in some future version of OpenSSL (presently a warning is logged).
    smtp_tls_protocols = >=TLSv1, <=0305
    # Allow only TLS 1.0 and up:
    smtp_tls_protocols = >=0x0301

With Postfix < 3.6 there is no support for a minimum or maximum version, and the protocol range is configured via protocol exclusions. To require at least TLS 1.0, set "smtp_tls_protocols = !SSLv2, !SSLv3". Listing the protocols to include, rather than protocols to exclude, is supported, but not recommended. The exclusion form more accurately matches the underlying OpenSSL interface.

When using the exclusion syntax, take care to ensure that the range of protocols advertised by an SSL/TLS client is contiguous. When a protocol version is enabled, disabling any higher version implicitly disables all versions above that higher version. Thus, for example:

    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1

also disables any protocol version higher than TLSv1.1, leaving only "TLSv1" enabled.

Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

Example:

    # Preferred syntax with Postfix >= 3.6:
    smtp_tls_protocols = >=TLSv1, <=TLSv1.3
    # Legacy syntax:
    smtp_tls_protocols = !SSLv2, !SSLv3

This feature is available in Postfix 2.6 and later.
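An added example, not Postfix code, that computes the protocol set a given smtp_tls_protocols value actually enables under the rules above: the ">=" / "<=" bounds with symbolic or hexadecimal versions (unknown hex numbers leave the bound unset and log a warning), and the legacy "!" exclusions with the contiguity rule. The (not recommended) inclusion form is modelled as excluding every protocol not listed.

```python
"""Compute the effective protocol set for a Postfix smtp_tls_protocols value.

Added example, not Postfix code.  It models both syntaxes postconf(5)
describes: ">=version" / "<=version" bounds (Postfix >= 3.6, symbolic or
hexadecimal) and the legacy "!" exclusions, including the contiguity rule
under which excluding a version above an enabled one disables everything
above it.
"""
import re

# Protocol names in version order, with the wire version number each maps to.
PROTOCOLS = (("SSLv2", 0x0002), ("SSLv3", 0x0300), ("TLSv1", 0x0301),
             ("TLSv1.1", 0x0302), ("TLSv1.2", 0x0303), ("TLSv1.3", 0x0304))
NAME_TO_VERSION = dict(PROTOCOLS)
KNOWN_VERSIONS = set(NAME_TO_VERSION.values())


def parse_version(token):
    """Symbolic name or hex number -> wire version; None for hex unknown to OpenSSL."""
    if token in NAME_TO_VERSION:
        return NAME_TO_VERSION[token]
    m = re.fullmatch(r"(?:0x|0)?([0-9a-fA-F]{3,4})", token)
    if not m:
        raise ValueError("unknown protocol version: %r" % token)
    version = int(m.group(1), 16)   # "301", "0301", "0x301", "0x0301" -> 0x0301
    return version if version in KNOWN_VERSIONS else None


def effective_protocols(setting, warnings=None):
    """Return the enabled protocol names in version order; warnings are appended."""
    warnings = [] if warnings is None else warnings
    elements = [e for e in re.split(r"[\s,:]+", setting.strip()) if e]
    if not elements:
        return [name for name, _ in PROTOCOLS]     # empty value: allow all
    low = high = None
    excluded, included, hex_used = set(), set(), False
    for element in elements:
        if element[:2] in (">=", "<="):
            token = element[2:]
            hex_used = hex_used or token not in NAME_TO_VERSION
            version = parse_version(token)
            if version is None:
                warnings.append("%s: version unknown to OpenSSL, bound not set" % element)
            elif element.startswith(">="):
                low = version
            else:
                high = version
        elif element.startswith("!"):
            if element[1:] not in NAME_TO_VERSION:
                raise ValueError("unknown protocol in exclusion: %r" % element)
            excluded.add(element[1:])
        elif element in NAME_TO_VERSION:
            included.add(element)
        else:
            raise ValueError("unrecognised element: %r" % element)
    if included and excluded:
        raise ValueError("inclusion and exclusion forms cannot be mixed")
    if hex_used and (included or excluded):
        raise ValueError("hexadecimal versions cannot be used with the legacy syntax")
    if included:
        # Inclusion form: everything not listed is excluded (then contiguity applies).
        excluded = set(NAME_TO_VERSION) - included
    enabled, seen_enabled = [], False
    for name, version in PROTOCOLS:
        if seen_enabled and name in excluded:
            break                  # contiguity: nothing above this version stays enabled
        on = name not in excluded
        if low is not None and version < low:
            on = False
        if high is not None and version > high:
            on = False
        if on:
            enabled.append(name)
            seen_enabled = True
    return enabled
```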

smtp_tls_scert_verifydepth

The verification depth for remote SMTP server certificates. A depth of 1 is sufficient if the issuing CA is listed in a local CA file.

The default verification depth is 9 (the OpenSSL default) for compatibility with earlier Postfix behavior. Prior to Postfix 2.5, the default value was 5, but the limit was not actually enforced. If you have set this to a lower non-default value, certificates with longer trust chains may now fail to verify. Certificate chains with 1 or 2 CAs are common; deeper chains are rarer, and any number between 5 and 9 should suffice in practice. You can choose a lower number if, for example, you trust certificates directly signed by an issuing CA but not any CAs it delegates to.

This feature is available in Postfix 2.2 and later.

smtp_tls_secure_cert_match

How the Postfix SMTP client verifies the server certificate peername for the "secure" TLS security level. In a "secure" TLS policy table ($smtp_tls_policy_maps) entry the optional "match" attribute overrides this main.cf setting.

This parameter specifies one or more patterns or strategies separated by commas, whitespace or colons. In the policy table the only valid separator is the colon character.

For a description of the pattern and strategy syntax see the smtp_tls_verify_cert_match parameter. The "hostname" strategy should be avoided in this context, as in the absence of a secure global DNS, using the results of MX lookups in certificate verification is not immune to active (man-in-the-middle) attacks on DNS.

Sample main.cf setting:

    smtp_tls_secure_cert_match = nexthop

Sample policy table override:

    example.net secure match=example.com:.example.com
    .example.net secure match=example.com:.example.com

This feature is available in Postfix 2.3 and later.

smtp_tls_security_level

The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername; when no value is specified for smtp_tls_enforce_peername or the obsolete parameters, the default SMTP TLS security level is none.

Specify one of the following security levels:

none
    No TLS. TLS will not be used unless enabled for specific destinations via smtp_tls_policy_maps.

may
    Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise use plaintext. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces interoperability. The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix >= 2.6) configuration parameters provide control over the protocols and cipher grade used with opportunistic TLS. With earlier releases the opportunistic TLS cipher grade is always "export" and no protocols are disabled. When TLS handshakes fail, the connection is retried with TLS disabled. This allows mail delivery to sites with non-interoperable TLS implementations.

encrypt
    Mandatory TLS encryption. Since a minimum level of security is intended, it is reasonable to be specific about sufficiently secure protocol versions and ciphers. At this security level and higher, the main.cf parameters smtp_tls_mandatory_protocols and smtp_tls_mandatory_ciphers specify the TLS protocols and minimum cipher grade which the administrator considers secure enough for mandatory encrypted sessions. This security level is not an appropriate default for systems delivering mail to the Internet.

dane
    Opportunistic DANE TLS. At this security level, the TLS policy for the destination is obtained via DNSSEC. For TLSA policy to be in effect, the destination domain's containing DNS zone must be signed and the Postfix SMTP client's operating system must be configured to send its DNS queries to a recursive DNS nameserver that is able to validate the signed records. Each MX host's DNS zone should also be signed, and should publish DANE TLSA (RFC 7672) records that specify how that MX host's TLS certificate is to be verified. TLSA records do not preempt the normal SMTP MX host selection algorithm; if some MX hosts support TLSA and others do not, TLS security will vary from delivery to delivery. It is up to the domain owner to configure their MX hosts and their DNS sensibly. To configure the Postfix SMTP client for DNSSEC lookups see the documentation for the smtp_dns_support_level main.cf parameter. When DNSSEC-validated TLSA records are not found, the effective TLS security level is "may". When TLSA records are found, but are all unusable, the effective security level is "encrypt". For purposes of protocol and cipher selection, the "dane" security level is treated like a "mandatory" TLS security level, and weak ciphers and protocols are disabled. Since DANE authenticates server certificates, the "aNULL" cipher-suites are transparently excluded at this level; there is no need to configure this manually. RFC 7672 (DANE) TLS authentication is available with Postfix 2.11 and later.

dane-only
    Mandatory DANE TLS. This is just like "dane" above, but DANE TLSA authentication is required. There is no fallback to "may" or "encrypt" when TLSA records are missing or unusable. RFC 7672 (DANE) TLS authentication is available with Postfix 2.11 and later.

fingerprint
    Certificate fingerprint verification. At this security level, there are no trusted Certification Authorities. The certificate trust chain, expiration date, etc., are not checked. Instead, the smtp_tls_fingerprint_cert_match parameter lists the certificate fingerprint or public key fingerprint (Postfix 2.9 and later) of the valid server certificate. The digest algorithm used to calculate the fingerprint is selected by the smtp_tls_fingerprint_digest parameter. Available with Postfix 2.5 and later.

verify
    Mandatory TLS verification. At this security level, DNS MX lookups are trusted to be secure enough, and the name verified in the server certificate is usually obtained indirectly via unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match parameter controls how the server name is verified. In practice explicit control over matching is more common at the "secure" level, described below. This security level is not an appropriate default for systems delivering mail to the Internet.

secure
    Secure-channel TLS. At this security level, DNS MX lookups, though potentially used to determine the candidate next-hop gateway IP addresses, are not trusted to be secure enough for TLS peername verification. Instead, the default name verified in the server certificate is obtained from the next-hop domain as specified in the smtp_tls_secure_cert_match configuration parameter. The default matching rule is that a server certificate matches when its name is equal to or is a sub-domain of the nexthop domain. This security level is not an appropriate default for systems delivering mail to the Internet.

Examples:

    # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
    smtp_tls_security_level = none

    # Opportunistic TLS.
    smtp_tls_security_level = may
    # Do not tweak opportunistic ciphers or protocols unless it is essential
    # to do so (if a security vulnerability is found in the SSL library that
    # can be mitigated by disabling a particular protocol or raising the
    # cipher grade).
    smtp_tls_ciphers = medium
    smtp_tls_protocols = >=TLSv1
    # Legacy (Postfix < 3.6) syntax:
    smtp_tls_protocols = !SSLv2, !SSLv3

    # Mandatory (high-grade) TLS encryption.
    smtp_tls_security_level = encrypt
    smtp_tls_mandatory_ciphers = high

    # Authenticated TLS 1.2 or better matching the nexthop domain or a
    # subdomain.
    smtp_tls_security_level = secure
    smtp_tls_mandatory_ciphers = high
    smtp_tls_mandatory_protocols = >=TLSv1.2
    smtp_tls_secure_cert_match = nexthop, dot-nexthop

    # Certificate fingerprint verification (Postfix >= 2.5).
    # The CA-less "fingerprint" security level only scales to a limited
    # number of destinations. As a global default rather than a per-site
    # setting, this is practical only when mail for all recipients is sent
    # to a central mail hub.
    relayhost = [mailhub.example.com]
    smtp_tls_security_level = fingerprint
    smtp_tls_mandatory_protocols = >=TLSv1.2
    smtp_tls_mandatory_ciphers = high
    smtp_tls_fingerprint_cert_match =
        3D:95:34:51:...:40:99:C0:C1
        EC:3B:2D:B0:...:A3:9D:72:F6

This feature is available in Postfix 2.3 and later.

smtp_tls_servername

Optional name to send to the remote SMTP server in the TLS Server Name Indication (SNI) extension. The SNI extension is always on when DANE is used to authenticate the server, and in that case the SNI name sent is the one required by RFC 7672 and this parameter is ignored.

Some SMTP servers use the received SNI name to select an appropriate certificate chain to present to the client. While this may improve interoperability with such servers, it may reduce interoperability with other servers that choose to abort the connection when they don't have a certificate chain configured for the requested name. Such servers should select a default certificate chain and continue the handshake, but some may not. Therefore, absent DANE, no SNI name is sent by default.

The SNI name must be either a valid DNS hostname, or else one of the special values hostname or nexthop, which select either the remote hostname or the nexthop domain respectively. DNS names for SNI must be in A-label (punycode) form. Invalid DNS names log a configuration error warning and mail delivery is deferred.

Except when using a relayhost to forward all email, the only sensible non-empty main.cf setting for this parameter is hostname. Other non-empty values are only practical on a per-destination basis via the servername attribute of the Postfix TLS policy table. When in doubt, leave this parameter empty, and configure per-destination SNI as needed.

This feature is available in Postfix 3.4 and later.

smtp_tls_session_cache_database

Name of the file containing the optional Postfix SMTP client TLS session cache. Specify a database type that supports enumeration, such as btree or sdbm; there is no need to support concurrent access. The file is created if it does not exist. The smtp(8) daemon does not use this parameter directly; rather, the cache is implemented indirectly in the tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides of this parameter are not effective. Note that each of the cache databases supported by the tlsmgr(8) daemon, $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be stored separately. It is not at this time possible to store multiple caches in a single database.

Note: dbm databases are not suitable. TLS session objects are too large.

As of version 2.5, Postfix no longer uses root privileges when opening this file. The file should now be stored under the Postfix-owned data_directory. As a migration aid, an attempt to open the file under a non-Postfix directory is redirected to the Postfix-owned data_directory, and a warning is logged.

Example:

    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

This feature is available in Postfix 2.2 and later.

smtp_tls_session_cache_timeout

The expiration time of Postfix SMTP client TLS session cache information. A cache cleanup is performed periodically every $smtp_tls_session_cache_timeout seconds. As with $smtp_tls_session_cache_database, this parameter is implemented in the tlsmgr(8) daemon and therefore per-smtp-instance master.cf overrides are not possible.

As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0, session caching is disabled. If set to a positive value less than 2 minutes, the minimum value of 2 minutes is used instead.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.2 and later.

smtp_tls_trust_anchor_file

Zero or more PEM-format files with trust-anchor certificates and/or public keys. If the parameter is not empty the root CAs in CAfile and CApath are no longer trusted. Rather, the Postfix SMTP client will only trust certificate-chains signed by one of the trust-anchors contained in the chosen files. The specified trust-anchor certificates and public keys are not subject to expiration, and need not be (self-signed) root CAs. They may, if desired, be intermediate certificates. Therefore, these certificates also may be found "in the middle" of the trust chain presented by the remote SMTP server, and any untrusted issuing parent certificates will be ignored. Specify a list of pathnames separated by comma or whitespace.

Whether specified in main.cf, or on a per-destination basis, the trust-anchor PEM file must be accessible to the Postfix SMTP client in the chroot jail if applicable. The trust-anchor file should contain only certificates and public keys, no private key material, and must be readable by the non-privileged $mail_owner user. This allows destinations to be bound to a set of specific CAs or public keys without trusting the same CAs for all destinations.

The main.cf parameter supports single-purpose Postfix installations that send mail to a fixed set of SMTP peers. At most sites, if trust-anchor files are used at all, they will be specified on a per-destination basis via the "tafile" attribute of the "verify" and "secure" levels in smtp_tls_policy_maps.

The underlying mechanism is in support of RFC 7672 (DANE TLSA), which defines mechanisms for an SMTP client MTA to securely determine server TLS certificates via DNS.

If you want your trust anchors to be public keys, with OpenSSL you can extract a single PEM public key from a PEM X.509 file containing a single certificate, as follows:

    $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey

This feature is available in Postfix 2.11 and later.

smtp_tls_verify_cert_match

How the Postfix SMTP client verifies the server certificate peername for the "verify" TLS security level. In a "verify" TLS policy table ($smtp_tls_policy_maps) entry the optional "match" attribute overrides this main.cf setting.

This parameter specifies one or more patterns or strategies separated by commas, whitespace or colons. In the policy table the only valid separator is the colon character.

Patterns specify domain names, or domain name suffixes:

example.com
    Match the example.com domain, i.e. one of the names in the server certificate must be example.com. Upper and lower case distinctions are ignored.

.example.com
    Match subdomains of the example.com domain, i.e. match a name in the server certificate that consists of a non-zero number of labels followed by a .example.com suffix. Case distinctions are ignored.

Strategies specify a transformation from the next-hop domain to the expected name in the server certificate:

nexthop
    Match against the next-hop domain, which is either the recipient domain, or the transport next-hop configured for the domain stripped of any optional socket type prefix, enclosing square brackets and trailing port. When MX lookups are not suppressed, this is the original nexthop domain prior to the MX lookup, not the result of the MX lookup. For LMTP delivery via UNIX-domain sockets, the verified next-hop name is $myhostname. This strategy is suitable for use with the "secure" policy. Case is ignored.

dot-nexthop
    As above, but match server certificate names that are subdomains of the next-hop domain. Case is ignored.

hostname
    Match against the hostname of the server, often obtained via an unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain sockets, the verified name is $myhostname. This matches the verification strategy of the "MUST" keyword in the obsolete smtp_tls_per_site table, and is suitable for use with the "verify" security level. When the next-hop name is enclosed in square brackets to suppress MX lookups, the "hostname" strategy is the same as the "nexthop" strategy. Case is ignored.

Sample main.cf setting:

    smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop

Sample policy table override:

    example.com verify match=hostname:nexthop
    .example.com verify match=example.com:.example.com:hostname

This feature is available in Postfix 2.3 and later.
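The patterns and strategies above, and the way smtp_tls_secure_cert_match reuses them, as an added example that is not Postfix code. It normalises the next-hop (socket prefix, brackets and port removed), treats "hostname" as "nexthop" when brackets suppress MX lookups, and records the DNS-forgery caveat when "hostname" is used at the "secure" level. Certificate names and next-hops are constructed.

```python
"""Match server certificate names as smtp_tls_verify_cert_match and
smtp_tls_secure_cert_match describe in postconf(5).

Added example, not Postfix code.  Patterns are literal domains or ".suffix"
forms; strategies are nexthop, dot-nexthop and hostname.  Certificate names
and next-hops used in the checks are constructed.
"""
import re


def strip_socket_prefix(nexthop):
    """Remove an optional LMTP socket-type prefix (inet: or unix:)."""
    return re.sub(r"^(inet|unix):", "", nexthop)


def mx_lookups_suppressed(nexthop):
    """[host] or [host]:port next-hops bypass MX lookups."""
    return strip_socket_prefix(nexthop).startswith("[")


def nexthop_domain(nexthop):
    """Next-hop without socket-type prefix, enclosing brackets or trailing :port."""
    hop = strip_socket_prefix(nexthop)
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?", hop)
    if m:
        return m.group(1).lower()
    return re.sub(r":\d+$", "", hop).lower()


def split_match_list(value, in_policy_table=False):
    """main.cf accepts commas, whitespace or colons; the policy table only ':'."""
    sep = r":" if in_policy_table else r"[\s,:]+"
    return [p for p in re.split(sep, value.strip()) if p]


def name_matches(cert_name, pattern, nexthop, server_hostname):
    """Does one certificate name satisfy one pattern or strategy? Case is ignored."""
    cert_name = cert_name.lower()
    if pattern == "nexthop":
        return cert_name == nexthop_domain(nexthop)
    if pattern == "dot-nexthop":
        return cert_name.endswith("." + nexthop_domain(nexthop))
    if pattern == "hostname":
        # With MX lookups suppressed, the server hostname is the next-hop itself.
        if mx_lookups_suppressed(nexthop):
            return cert_name == nexthop_domain(nexthop)
        return cert_name == server_hostname.lower()
    if pattern.startswith("."):
        # At least one label followed by the suffix, e.g. mail.example.com
        return cert_name.endswith(pattern.lower())
    return cert_name == pattern.lower()


def verify_peername(cert_names, match_list, nexthop, server_hostname,
                    level, warnings=None):
    """Return (ok, reason). At the 'secure' level, a 'hostname' strategy is
    recorded in warnings because it depends on unauthenticated MX lookups."""
    if warnings is not None and level == "secure" and "hostname" in match_list:
        warnings.append("hostname strategy at secure level relies on "
                        "unauthenticated MX lookups; vulnerable to DNS forgery")
    for pattern in match_list:
        for name in cert_names:
            if name_matches(name, pattern, nexthop, server_hostname):
                return True, "%s matched %s" % (name, pattern)
    return False, "no certificate name matched %s" % (match_list,)
```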

smtp_tls_wrappermode

Request that the Postfix SMTP client connects using the SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.

This mode requires "smtp_tls_security_level = encrypt" or stronger.

Example: deliver all remote mail via a provider's server "mail.example.com".

/etc/postfix/main.cf:
    # Client-side SMTPS requires "encrypt" or stronger.
    smtp_tls_security_level = encrypt
    smtp_tls_wrappermode = yes
    # The [] suppress MX lookups.
    relayhost = [mail.example.com]:465

More examples are in TLS_README, including examples for older Postfix versions.

This feature is available in Postfix 3.0 and later.

smtp_use_tls

Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support, otherwise send the mail in the clear. Beware: some SMTP servers offer STARTTLS even if it is not configured. With Postfix < 2.3, if the TLS handshake fails, and no other server is available, delivery is deferred and mail stays in the queue. If this is a concern for you, use the smtp_tls_per_site feature instead.

This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtp_tls_security_level instead.

smtp_xforward_timeout

The Postfix SMTP client time limit for sending the XFORWARD command, and for receiving the remote SMTP server response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

smtpd_authorized_verp_clients

What remote SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a time with a per-recipient return address.

By default, no clients are allowed to specify XVERP.

This parameter was renamed with Postfix version 2.1. The default value is backwards compatible with Postfix version 2.0.

Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify hostnames or .domain names (the initial dot causes the domain to match any name below it), "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the smtpd_authorized_verp_clients value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

What remote SMTP clients are allowed to use the XCLIENT feature. This
command overrides remote SMTP client information that is used for access
control. Typical use is for SMTP-based content filters, fetchmail-like
programs, or SMTP server access rule testing. See the XCLIENT_README
document for details.

This feature is available in Postfix 2.1 and later.

By default, no clients are allowed to specify XCLIENT.

Specify a list of network/netmask patterns, separated by commas and/or
whitespace. The mask specifies the number of bits in the network part of
a host address. You can also specify hostnames or .domain names (the
initial dot causes the domain to match any name below it), "/file/name"
or "type:table" patterns. A "/file/name" pattern is replaced by its
contents; a "type:table" lookup table is matched when a table entry
matches a lookup string (the lookup result is ignored). Continue long
lines by starting the next line with whitespace. Specify "!pattern" to
exclude an address or network block from the list. The form "!/file/name"
is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the
smtpd_authorized_xclient_hosts value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character, and would
otherwise be confused with a "type:table" pattern.

What remote SMTP clients are allowed to use the XFORWARD feature. This
command forwards information that is used to improve logging after
SMTP-based content filters. See the XFORWARD_README document for details.

This feature is available in Postfix 2.1 and later.

By default, no clients are allowed to specify XFORWARD.

Specify a list of network/netmask patterns, separated by commas and/or
whitespace. The mask specifies the number of bits in the network part of
a host address. You can also specify hostnames or .domain names (the
initial dot causes the domain to match any name below it), "/file/name"
or "type:table" patterns. A "/file/name" pattern is replaced by its
contents; a "type:table" lookup table is matched when a table entry
matches a lookup string (the lookup result is ignored). Continue long
lines by starting the next line with whitespace. Specify "!pattern" to
exclude an address or network block from the list. The form "!/file/name"
is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the
smtpd_authorized_xforward_hosts value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character, and would
otherwise be confused with a "type:table" pattern.

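As an added illustration (not Postfix's own matcher), the following Python emulates how a client is matched against a list written in the syntax shared by smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts and smtpd_authorized_xforward_hosts, including "!pattern" exclusion and the [] required around IPv6 addresses. "/file/name" and "type:table" patterns are not emulated, and the list value is constructed.

```python
import ipaddress


def parse_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return value.replace(",", " ").split()


def _classify(pattern):
    """Return (negated, kind, body) for one pattern, where kind is "net",
    "host", "file" or "table". The [] that main.cf requires around IPv6
    addresses ("[2001:db8::]/32" or "[2001:db8::/32]") is stripped here."""
    negated = pattern.startswith("!")
    if negated:
        pattern = pattern[1:]
    if pattern.startswith("["):
        close = pattern.index("]")
        return negated, "net", pattern[1:close] + pattern[close + 1:]
    if pattern.startswith("/"):
        return negated, "file", pattern
    if ":" in pattern:
        # An unbracketed ":" makes this a "type:table" pattern, which is
        # exactly how a bare IPv6 address gets misread (see the note above).
        return negated, "table", pattern
    try:
        ipaddress.ip_network(pattern, strict=False)
        return negated, "net", pattern
    except ValueError:
        return negated, "host", pattern


def _host_matches(pattern, hostname):
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("."):
        # The initial dot matches names below the domain, not the domain itself.
        return hostname.endswith(pattern)
    return hostname == pattern


def client_matches(list_value, client_addr, client_hostname="unknown"):
    """True when the client is covered by the list. The first pattern that
    matches decides, and a matching "!pattern" means "not covered", so an
    exclusion must be listed before the broader block it carves out."""
    addr = ipaddress.ip_address(client_addr)
    for raw in parse_list(list_value):
        negated, kind, body = _classify(raw)
        if kind in ("file", "table"):
            raise ValueError(f"{kind} pattern {raw!r} is not emulated here")
        if kind == "net":
            hit = addr in ipaddress.ip_network(body, strict=False)
        else:
            hit = _host_matches(body, client_hostname)
        if hit:
            return not negated
    return False


# Constructed sample value, e.g. for smtpd_authorized_xforward_hosts:
# one excluded host, a private block, an IPv6 block and a filter domain.
AUTHORIZED = "!10.1.2.3, 10.0.0.0/8, [2001:db8::]/32, .filter.example.com"

if __name__ == "__main__":
    for addr, name in [("10.1.2.3", "unknown"), ("10.7.7.7", "unknown"),
                       ("2001:db8::25", "unknown"),
                       ("203.0.113.9", "MX1.Filter.Example.COM")]:
        print(f"{addr:14} {name:24} {client_matches(AUTHORIZED, addr, name)}")
```
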
The text that follows the 220 status code in the SMTP greeting banner.
Some people like to see the mail version advertised. By default, Postfix
shows no version.

You MUST specify $myhostname at the start of the text. This is required
by the SMTP protocol.

Example:

    smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)

The maximal number of AUTH commands that any client is allowed to send to
this service per time unit, regardless of whether or not Postfix actually
accepts those commands. The time unit is specified with the
anvil_rate_time_unit configuration parameter.

By default, there is no limit on the number of AUTH commands that a
client may send.

To disable this feature, specify a limit of 0.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 3.1 and later.

How many simultaneous connections any client is allowed to make to this
service. By default, the limit is set to half the default process limit
value.

To disable this feature, specify a limit of 0.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 2.2 and later.

The maximal number of connection attempts any client is allowed to make
to this service per time unit. The time unit is specified with the
anvil_rate_time_unit configuration parameter.

By default, a client can make as many connections per time unit as
Postfix can accept.

To disable this feature, specify a limit of 0.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 2.2 and later.

Example:

    smtpd_client_connection_rate_limit = 1000

Clients that are excluded from smtpd_client_*_count/rate_limit
restrictions. See the mynetworks parameter description for the parameter
value syntax.

By default, clients in trusted networks are excluded. Specify a list of
network blocks, hostnames or .domain names (the initial dot causes the
domain to match any name below it).

Note: IP version 6 address information must be specified inside [] in the
smtpd_client_event_limit_exceptions value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character, and would
otherwise be confused with a "type:table" pattern.

Pattern matching of domain names is controlled by the presence or absence
of "smtpd_client_event_limit_exceptions" in the
parent_domain_matches_subdomains parameter value (Postfix 3.0 and later).

This feature is available in Postfix 2.2 and later.

Aggregate smtpd_client_*_count and smtpd_client_*_rate statistics by IPv4
network blocks with the specified network prefix. Aggregation uses fewer
anvil(8) resources to maintain counters. By default, aggregation is
disabled for IPv4.

This feature is available in Postfix 3.8 and later.

Aggregate smtpd_client_*_count and smtpd_client_*_rate statistics by IPv6
network blocks with the specified network prefix. Aggregation uses fewer
anvil(8) resources to maintain counters. By default, aggregation is
enabled for IPv6.

This feature is available in Postfix 3.8 and later.

The maximal number of message delivery requests that any client is
allowed to make to this service per time unit, regardless of whether or
not Postfix actually accepts those messages. The time unit is specified
with the anvil_rate_time_unit configuration parameter.

By default, a client can send as many message delivery requests per time
unit as Postfix can accept.

To disable this feature, specify a limit of 0.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 2.2 and later.

Example:

    smtpd_client_message_rate_limit = 1000

The maximal number of new (i.e., uncached) TLS sessions that a remote
SMTP client is allowed to negotiate with this service per time unit. The
time unit is specified with the anvil_rate_time_unit configuration
parameter.

By default, a remote SMTP client can negotiate as many new TLS sessions
per time unit as Postfix can accept.

To disable this feature, specify a limit of 0. Otherwise, specify a limit
that is at least the per-client concurrent session limit, or else
legitimate client sessions may be rejected.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 2.3 and later.

Example:

    smtpd_client_new_tls_session_rate_limit = 100

Enable logging of the remote SMTP client port in addition to the hostname
and IP address. The logging format is "host[address]:port".

This feature is available in Postfix 2.5 and later.

The maximal number of recipient addresses that any client is allowed to
send to this service per time unit, regardless of whether or not Postfix
actually accepts those recipients. The time unit is specified with the
anvil_rate_time_unit configuration parameter.

By default, a client can send as many recipient addresses per time unit
as Postfix can accept.

To disable this feature, specify a limit of 0.

WARNING: The purpose of this feature is to limit abuse. It must not be
used to regulate legitimate mail traffic.

This feature is available in Postfix 2.2 and later.

Example:

    smtpd_client_recipient_rate_limit = 1000

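The counting behind the smtpd_client_*_rate_limit parameters, the smtpd_client_event_limit_exceptions list and the IPv4/IPv6 prefix-length aggregation described above, as an added Python illustration rather than anvil(8) code. The time unit, the exception list (CIDR blocks only) and the event stream are constructed.

```python
import ipaddress


class ClientRateLimiter:
    """Count events per client for one time unit; a limit of 0 disables it."""

    def __init__(self, limit, time_unit=60, exceptions=("127.0.0.0/8", "[::1]/128"),
                 ipv4_prefix_length=32, ipv6_prefix_length=84):
        self.limit = limit                 # like smtpd_client_*_rate_limit
        self.time_unit = time_unit         # seconds, like anvil_rate_time_unit = 60s
        # main.cf writes IPv6 blocks as "[addr]/len"; ipaddress wants "addr/len"
        self.exceptions = [ipaddress.ip_network(e.replace("[", "").replace("]", ""))
                           for e in exceptions]
        self.prefix = {4: ipv4_prefix_length, 6: ipv6_prefix_length}
        self.windows = {}                  # counter key -> (window start, count)

    def counter_key(self, client_addr):
        """Aggregate by prefix: 192.0.2.77 -> "192.0.2.0/24" when the IPv4
        prefix length is 24; the default /32 keeps one counter per host."""
        addr = ipaddress.ip_address(client_addr)
        net = ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)
        return str(net)

    def is_exempt(self, client_addr):
        """smtpd_client_event_limit_exceptions (CIDR blocks only here)."""
        addr = ipaddress.ip_address(client_addr)
        return any(addr in net for net in self.exceptions)

    def allow(self, client_addr, now):
        """Record one event at time `now` (seconds) and report whether the
        client is still within its limit for the current time unit."""
        if self.limit == 0 or self.is_exempt(client_addr):
            return True
        key = self.counter_key(client_addr)
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.time_unit:
            start, count = now, 0          # a new time unit: counters start over
        count += 1
        self.windows[key] = (start, count)
        return count <= self.limit


def over_limit(limiter, events):
    """Feed (time, client) events; return the clients that exceeded the limit."""
    return [client for when, client in events if not limiter.allow(client, when)]


# Constructed event stream: four hosts in one /24 within a minute, one host
# elsewhere, a loopback client (exempt), and a /24 host in the next time unit.
EVENTS = [(0, "192.0.2.10"), (1, "192.0.2.11"), (2, "192.0.2.12"),
          (3, "192.0.2.13"), (4, "198.51.100.5"),
          (5, "127.0.0.1"), (6, "127.0.0.1"), (7, "127.0.0.1"), (8, "127.0.0.1"),
          (70, "192.0.2.14")]

if __name__ == "__main__":
    per_host = ClientRateLimiter(limit=3)
    per_net = ClientRateLimiter(limit=3, ipv4_prefix_length=24)
    print("per host :", over_limit(per_host, EVENTS))   # nobody exceeds 3
    print("per /24  :", over_limit(per_net, EVENTS))    # the 4th /24 host does
```
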
Optional restrictions that the Postfix SMTP server applies in the context
of a client connection request. See SMTPD_ACCESS_README, section "Delayed
evaluation of SMTP access restriction lists" for a discussion of
evaluation context and time.

The default is to allow all connection requests.

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order specified; the first restriction
that matches wins.

The following restrictions are specific to client hostname or client
network address information.

check_ccert_access type:table
    By default use the remote SMTP client certificate fingerprint or the
    public key fingerprint (Postfix 2.9 and later) as the lookup key for
    the specified access(5) database; with Postfix version 2.2, also
    require that the remote SMTP client certificate is verified
    successfully. The fingerprint digest algorithm is configurable via
    the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
    to Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert =
    yes" and is available with Postfix version 2.2 and later.

    The default algorithm is sha256 with Postfix >= 3.6 and the
    compatibility_level set to 3.6 or higher. With Postfix <= 3.5, the
    default algorithm is md5. The best-practice algorithm is now sha256.
    Recent advances in hash function cryptanalysis have led to md5 and
    sha1 being deprecated in favor of sha256. However, as long as there
    are no known "second pre-image" attacks against the older algorithms,
    their use in this context, though not recommended, is still likely
    safe.

    Alternatively, check_ccert_access accepts an explicit search order
    (Postfix 3.5 and later). The default search order as described above
    corresponds with:

        check_ccert_access { type:table, { search_order = cert_fingerprint,
        pubkey_fingerprint } }

    The commas are optional.

check_client_access type:table
    Search the specified access database for the client hostname, parent
    domains, client IP address, or networks obtained by stripping least
    significant octets. See the access(5) manual page for details.

check_client_a_access type:table
    Search the specified access(5) database for the IP addresses for the
    client hostname, and execute the corresponding action. Note: a result
    of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
    to exclude specific hosts from denylists. This feature is available in
    Postfix 3.0 and later.

check_client_mx_access type:table
    Search the specified access(5) database for the MX hosts for the
    client hostname, and execute the corresponding action. If no MX record
    is found, look up A or AAAA records, just like the Postfix SMTP client
    would. Note: a result of "OK" is not allowed for safety reasons.
    Instead, use DUNNO in order to exclude specific hosts from denylists.
    This feature is available in Postfix 2.7 and later.

check_client_ns_access type:table
    Search the specified access(5) database for the DNS servers for the
    client hostname, and execute the corresponding action. Note: a result
    of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
    to exclude specific hosts from denylists. This feature is available in
    Postfix 2.7 and later.

check_reverse_client_hostname_access type:table
    Search the specified access database for the unverified reverse client
    hostname, parent domains, client IP address, or networks obtained by
    stripping least significant octets. See the access(5) manual page for
    details. Note: a result of "OK" is not allowed for safety reasons.
    Instead, use DUNNO in order to exclude specific hosts from denylists.
    This feature is available in Postfix 2.6 and later.

check_reverse_client_hostname_a_access type:table
    Search the specified access(5) database for the IP addresses for the
    unverified reverse client hostname, and execute the corresponding
    action. Note: a result of "OK" is not allowed for safety reasons.
    Instead, use DUNNO in order to exclude specific hosts from denylists.
    This feature is available in Postfix 3.0 and later.

check_reverse_client_hostname_mx_access type:table
    Search the specified access(5) database for the MX hosts for the
    unverified reverse client hostname, and execute the corresponding
    action. If no MX record is found, look up A or AAAA records, just like
    the Postfix SMTP client would. Note: a result of "OK" is not allowed
    for safety reasons. Instead, use DUNNO in order to exclude specific
    hosts from denylists. This feature is available in Postfix 2.7 and
    later.

check_reverse_client_hostname_ns_access type:table
    Search the specified access(5) database for the DNS servers for the
    unverified reverse client hostname, and execute the corresponding
    action. Note: a result of "OK" is not allowed for safety reasons.
    Instead, use DUNNO in order to exclude specific hosts from denylists.
    This feature is available in Postfix 2.7 and later.

check_sasl_access type:table
    Use the remote SMTP client SASL user name as the lookup key for the
    specified access(5) database. The lookup key has the form
    "username@domainname" when the smtpd_sasl_local_domain parameter value
    is non-empty. Unlike the check_client_access feature,
    check_sasl_access does not perform matches of parent domains or IP
    subnet ranges. This feature is available with Postfix version 2.11
    and later.

permit_inet_interfaces
    Permit the request when the client IP address matches
    $inet_interfaces.

permit_mynetworks
    Permit the request when the client IP address matches any network or
    network address listed in $mynetworks.

permit_sasl_authenticated
    Permit the request when the client is successfully authenticated via
    the RFC 4954 (AUTH) protocol.

permit_tls_all_clientcerts
    Permit the request when the remote SMTP client certificate is verified
    successfully. This option must be used only if a special CA issues the
    certificates and only this CA is listed as a trusted CA. Otherwise,
    clients with a third-party certificate would also be allowed to relay.
    Specify "tls_append_default_CA = no" when the trusted CA is specified
    with smtpd_tls_CAfile or smtpd_tls_CApath, to prevent Postfix from
    appending the system-supplied default CAs. This feature requires
    "smtpd_tls_ask_ccert = yes" and is available with Postfix version 2.2
    and later.

permit_tls_clientcerts
    Permit the request when the remote SMTP client certificate fingerprint
    or public key fingerprint (Postf​ix 2.9 and later) is listed in
    $relay_clientcerts. The fingerprint digest algorithm is configurable
    via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5
    prior to Postfix version 2.5). This feature requires
    "smtpd_tls_ask_ccert = yes" and is available with Postfix version 2.2
    and later.

    The default algorithm is sha256 with Postfix >= 3.6 and the
    compatibility_level set to 3.6 or higher. With Postfix <= 3.5, the
    default algorithm is md5. The best-practice algorithm is now sha256.
    Recent advances in hash function cryptanalysis have led to md5 and
    sha1 being deprecated in favor of sha256. However, as long as there
    are no known "second pre-image" attacks against the older algorithms,
    their use in this context, though not recommended, is still likely
    safe.

reject_rbl_client rbl_domain=d.d.d.d
    Reject the request when the reversed client network address is listed
    with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
    later only). Each "d" is a number, or a pattern inside "[]" that
    contains one or more ";"-separated numbers or number..number ranges
    (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject
    the request when the reversed client network address is listed with
    any A record under rbl_domain.

    The maps_rbl_reject_code parameter specifies the response code for
    rejected requests (default: 554), the default_rbl_reply parameter
    specifies the default server reply, and the rbl_reply_maps parameter
    specifies tables with server replies indexed by rbl_domain. This
    feature is available in Postfix 2.0 and later.

permit_dnswl_client dnswl_domain=d.d.d.d
    Accept the request when the reversed client network address is listed
    with the A record "d.d.d.d" under dnswl_domain. Each "d" is a number,
    or a pattern inside "[]" that contains one or more ";"-separated
    numbers or number..number ranges. If no "=d.d.d.d" is specified,
    accept the request when the reversed client network address is listed
    with any A record under dnswl_domain.

    For safety, permit_dnswl_client is silently ignored when it would
    override reject_unauth_destination. The result is DEFER_IF_REJECT
    when allowlist lookup fails. This feature is available in Postfix 2.8
    and later.

reject_rhsbl_client rbl_domain=d.d.d.d
    Reject the request when the client hostname is listed with the A
    record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
    only). Each "d" is a number, or a pattern inside "[]" that contains
    one or more ";"-separated numbers or number..number ranges (Postfix
    version 2.8 and later). If no "=d.d.d.d" is specified, reject the
    request when the client hostname is listed with any A record under
    rbl_domain. See the reject_rbl_client description above for
    additional RBL related configuration parameters. This feature is
    available in Postfix 2.0 and later; with Postfix version 2.8 and
    later, reject_rhsbl_reverse_client will usually produce better
    results.

permit_rhswl_client rhswl_domain=d.d.d.d
    Accept the request when the client hostname is listed with the A
    record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a
    pattern inside "[]" that contains one or more ";"-separated numbers or
    number..number ranges. If no "=d.d.d.d" is specified, accept the
    request when the client hostname is listed with any A record under
    rhswl_domain.

    Caution: client name allowlisting is fragile, since the client name
    lookup can fail due to temporary outages. Client name allowlisting
    should be used only to reduce false positives in e.g. DNS-based
    blocklists, and not for making access rule exceptions.

    For safety, permit_rhswl_client is silently ignored when it would
    override reject_unauth_destination. The result is DEFER_IF_REJECT
    when allowlist lookup fails. This feature is available in Postfix 2.8
    and later.

reject_rhsbl_reverse_client rbl_domain=d.d.d.d
    Reject the request when the unverified reverse client hostname is
    listed with the A record "d.d.d.d" under rbl_domain. Each "d" is a
    number, or a pattern inside "[]" that contains one or more
    ";"-separated numbers or number..number ranges. If no "=d.d.d.d" is
    specified, reject the request when the unverified reverse client
    hostname is listed with any A record under rbl_domain. See the
    reject_rbl_client description above for additional RBL related
    configuration parameters. This feature is available in Postfix 2.8
    and later.

reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    Reject the request when 1) the client IP address->name mapping fails,
    or 2) the name->address mapping fails, or 3) the name->address mapping
    does not match the client IP address.

    This is a stronger restriction than the
    reject_unknown_reverse_client_hostname feature, which triggers only
    under condition 1) above.

    The unknown_client_reject_code parameter specifies the response code
    for rejected requests (default: 450). The reply is always 450 in case
    the address->name or name->address lookup failed due to a temporary
    problem.

reject_unknown_reverse_client_hostname
    Reject the request when the client IP address has no address->name
    mapping.

    This is a weaker restriction than the reject_unknown_client_hostname
    feature, which requires not only that the address->name and
    name->address mappings exist, but also that the two mappings
    reproduce the client IP address.

    The unknown_client_reject_code parameter specifies the response code
    for rejected requests (default: 450). The reply is always 450 in case
    the address->name lookup failed due to a temporary problem.

    This feature is available in Postfix 2.3 and later.

In addition, you can use any of the following generic restrictions. These
restrictions are applicable in any SMTP command context.

check_policy_service servername
    Query the specified policy server. See the SMTPD_POLICY_README
    document for details. This feature is available in Postfix 2.1 and
    later.

defer
    Defer the request. The client is told to try again later. This
    restriction is useful at the end of a restriction list, to make the
    default policy explicit.

    The defer_code parameter specifies the SMTP server reply code
    (default: 450).

defer_if_permit
    Defer the request if some later restriction would result in an
    explicit or implicit PERMIT action. This is useful when a denylisting
    feature fails due to a temporary problem. This feature is available in
    Postfix version 2.1 and later.

defer_if_reject
    Defer the request if some later restriction would result in a REJECT
    action. This is useful when an allowlisting feature fails due to a
    temporary problem. This feature is available in Postfix version 2.1
    and later.

permit
    Permit the request. This restriction is useful at the end of a
    restriction list, to make the default policy explicit.

reject_multi_recipient_bounce
    Reject the request when the envelope sender is the null address, and
    the message has multiple envelope recipients. This usage has rare but
    legitimate applications: under certain conditions, multi-recipient
    mail that was posted with the DSN option NOTIFY=NEVER may be
    forwarded with the null sender address.

    Note: this restriction can only work reliably when used in
    smtpd_data_restrictions or smtpd_end_of_data_restrictions, because
    the total number of recipients is not known at an earlier stage of
    the SMTP conversation. Use at the RCPT stage will only reject the
    second and subsequent recipients.

    The multi_recipient_bounce_reject_code parameter specifies the
    response code for rejected requests (default: 550). This feature is
    available in Postfix 2.1 and later.

reject_plaintext_session
    Reject the request when the connection is not encrypted. This
    restriction should not be used before the client has had a chance to
    negotiate encryption with the AUTH or STARTTLS commands.

    The plaintext_reject_code parameter specifies the response code for
    rejected requests (default: 450). This feature is available in
    Postfix 2.3 and later.

reject_unauth_pipelining
    Reject the request when the client sends SMTP commands ahead of time
    where it is not allowed, or when the client sends SMTP commands ahead
    of time without knowing that Postfix actually supports ESMTP command
    pipelining. This stops mail from bulk mail software that improperly
    uses ESMTP command pipelining in order to speed up deliveries.

    With Postfix 2.6 and later, the SMTP server sets a per-session flag
    whenever it detects illegal pipelining, including pipelined HELO or
    EHLO commands. The reject_unauth_pipelining feature simply tests
    whether the flag was set at any point in time during the session.

    With older Postfix versions, reject_unauth_pipelining checks the
    current status of the input read queue, and its usage is not
    recommended in contexts other than smtpd_data_restrictions.

reject
    Reject the request. This restriction is useful at the end of a
    restriction list, to make the default policy explicit. The
    reject_code configuration parameter specifies the response code for
    rejected requests (default: 554).

sleep seconds
    Pause for the specified number of seconds and proceed with the next
    restriction in the list, if any. This may stop zombie mail when used
    as:

        /etc/postfix/main.cf:
            smtpd_client_restrictions =
                sleep 1, reject_unauth_pipelining
            smtpd_delay_reject = no

    This feature is available in Postfix 2.3.

warn_if_reject
    A safety net for testing. When "warn_if_reject" is placed before a
    reject-type restriction, access table query, or check_policy_service
    query, this logs a "reject_warning" message instead of rejecting a
    request (when a reject-type restriction fails due to a temporary
    error, this logs a "reject_warning" message for any implicit
    "defer_if_permit" actions that would normally prevent mail from being
    accepted by some later access restriction). This feature has no
    effect on defer_if_reject restrictions.

Other restrictions that are valid in this context:

• SMTP command specific restrictions that are described under the
  smtpd_helo_restrictions, smtpd_sender_restrictions or
  smtpd_recipient_restrictions parameters. When helo, sender or recipient
  restrictions are listed under smtpd_client_restrictions, they have
  effect only with "smtpd_delay_reject = yes", so that
  $smtpd_client_restrictions is evaluated at the time of the RCPT TO
  command.

Example:

    smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
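An added Python illustration (not Postfix code) of how a restriction list such as the example above is walked: the first restriction that decides wins, DUNNO falls through, and defer_if_permit, defer_if_reject and warn_if_reject change what a later result means. The client lookup results, the mynetworks value and the check_client_access table are constructed, and only the restrictions named in the code are emulated.

```python
import ipaddress
from dataclasses import dataclass, field

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"


@dataclass
class Client:
    addr: str
    hostname: str = "unknown"     # "unknown": the address->name lookup failed
    name_verified: bool = False   # the name->address mapping reproduces addr
    dns_tempfail: bool = False    # a lookup failed because of a temporary problem


@dataclass
class Config:
    mynetworks: tuple = ("127.0.0.0/8", "192.0.2.0/24")
    unknown_client_reject_code: int = 450
    reject_code: int = 554
    defer_code: int = 450
    access_table: dict = field(default_factory=dict)   # check_client_access table


def access_keys(client):
    """Lookup keys in access(5) order for client information: hostname,
    its parent domains, the IP address, then networks by stripping octets."""
    keys = []
    if client.hostname != "unknown":
        labels = client.hostname.lower().split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels) - 1)]
    octets = client.addr.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def run_one(name, client, cfg):
    """Return (action, SMTP code) for a single restriction."""
    addr = ipaddress.ip_address(client.addr)
    if name == "permit_mynetworks":
        hit = any(addr in ipaddress.ip_network(n) for n in cfg.mynetworks)
        return (PERMIT, 250) if hit else (DUNNO, 0)
    if name == "reject_unknown_client_hostname":
        if client.dns_tempfail:
            return REJECT, 450        # always 450 after a temporary lookup problem
        if client.hostname == "unknown" or not client.name_verified:
            return REJECT, cfg.unknown_client_reject_code
        return DUNNO, 0
    if name == "check_client_access":
        for key in access_keys(client):
            if key in cfg.access_table:
                return {"OK": (PERMIT, 250), "REJECT": (REJECT, cfg.reject_code),
                        "DEFER": (DEFER, cfg.defer_code)}[cfg.access_table[key].upper()]
        return DUNNO, 0
    if name in ("permit", "reject", "defer"):
        return {"permit": (PERMIT, 250), "reject": (REJECT, cfg.reject_code),
                "defer": (DEFER, cfg.defer_code)}[name]
    raise ValueError(f"restriction {name!r} is not emulated")


def evaluate(restrictions, client, cfg):
    """Walk the list; return (action, code, deciding restriction, log lines)."""
    log, defer_if_permit, defer_if_reject, warn_next = [], False, False, False
    for name in restrictions:
        if name in ("defer_if_permit", "defer_if_reject"):
            defer_if_permit |= name == "defer_if_permit"
            defer_if_reject |= name == "defer_if_reject"
            continue
        if name == "warn_if_reject":
            warn_next = True          # turns the next reject into a log line only
            continue
        action, code = run_one(name, client, cfg)
        if warn_next and action == REJECT:
            log.append(f"reject_warning: {name} would reject {client.addr} with {code}")
            action = DUNNO
        warn_next = False
        if action == DUNNO:
            continue                  # no decision yet: try the next restriction
        if action == PERMIT and defer_if_permit:
            return DEFER, cfg.defer_code, "defer_if_permit", log
        if action == REJECT and defer_if_reject:
            return DEFER, cfg.defer_code, "defer_if_reject", log
        return action, code, name, log
    if defer_if_permit:               # the implicit PERMIT at the end counts too
        return DEFER, cfg.defer_code, "defer_if_permit", log
    return PERMIT, 250, "end of list", log


# Constructed policy: the manual's example list plus an access table.
CFG = Config(access_table={"mail.partner.example": "OK",
                           "spam.example": "REJECT", "203.0.113": "REJECT"})
RESTRICTIONS = ["permit_mynetworks", "check_client_access",
                "reject_unknown_client_hostname"]

if __name__ == "__main__":
    for c in (Client("192.0.2.5"), Client("198.51.100.7"),
              Client("198.51.100.7", "mail.partner.example", True),
              Client("203.0.113.4", "host.spam.example", True)):
        print(c.addr, c.hostname, evaluate(RESTRICTIONS, c, CFG)[:3])
```
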
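The reversed-address lookup and the "d.d.d.d" reply pattern used by reject_rbl_client and permit_dnswl_client above, as an added Python illustration (not Postfix code); DNS answers come from a constructed in-memory table for a fictitious list domain. The reject_rhsbl_* and permit_rhswl_client variants look up the client hostname instead of a reversed address and are not covered.

```python
import ipaddress
import re


def reversed_query_name(client_addr, rbl_domain):
    """Reverse the client address the way DNSBL lookups do: IPv4 octets in
    reverse order, IPv6 as reversed hex nibbles, then append rbl_domain."""
    addr = ipaddress.ip_address(client_addr)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + rbl_domain


def _field_matches(field, value):
    """One "d" of d.d.d.d: a plain number, or "[n;m..k;...]" with
    ";"-separated numbers and number..number ranges."""
    if not field.startswith("["):
        return int(field) == value
    for part in field[1:-1].split(";"):
        low, _, high = part.partition("..")
        if int(low) <= value <= int(high or low):
            return True
    return False


def reply_matches(pattern, a_record):
    """Compare a returned A record with the "d.d.d.d" part of the
    restriction; an empty pattern means any A record counts as listed."""
    if not pattern:
        return True
    fields = re.findall(r"\[[^\]]*\]|\d+", pattern)   # keep [..] groups whole
    octets = [int(x) for x in a_record.split(".")]
    return len(fields) == 4 and all(map(_field_matches, fields, octets))


def rbl_lookup(client_addr, spec, dns):
    """spec is "rbl_domain" or "rbl_domain=d.d.d.d" as written after
    reject_rbl_client; return the first matching A record, else None."""
    domain, _, pattern = spec.partition("=")
    for a_record in dns.get(reversed_query_name(client_addr, domain), []):
        if reply_matches(pattern, a_record):
            return a_record
    return None


# Constructed in-memory DNS answers for a fictitious list "dnsbl.example".
DNS = {
    "4.113.0.203.dnsbl.example": ["127.0.0.2", "127.0.0.10"],
    "9.113.0.203.dnsbl.example": ["127.0.0.20"],
    "8.100.51.198.dnsbl.example": ["127.0.1.2"],
}

if __name__ == "__main__":
    for client in ("203.0.113.4", "203.0.113.9", "198.51.100.8", "192.0.2.1"):
        print(client, rbl_lookup(client, "dnsbl.example", DNS),
              rbl_lookup(client, "dnsbl.example=127.0.0.[2..11;20]", DNS))
```
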
A mechanism to transform commands from remote SMTP clients. This is a
last-resort tool to work around client commands that break
interoperability with the Postfix SMTP server. Other uses involve fault
injection to test Postfix's handling of invalid commands.

Specify the name of a "type:table" lookup table. The search string is the
SMTP command as received from the remote SMTP client, except that initial
whitespace and the trailing <CR><LF> are removed. The result value is
executed by the Postfix SMTP server.

There is no need to use smtpd_command_filter for the following cases:

• Use "resolve_numeric_domain = yes" to accept "user@ipaddress".

• Postfix already accepts the correct form "user@[ipaddress]". Use
  virtual_alias_maps or canonical_maps to translate these into domain
  names if necessary.

• Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
  <user@example.com>>". Postfix will ignore the "User Name" part and
  deliver to the <user@example.com> address.

Examples of problems that can be solved with the smtpd_command_filter
feature:

    /etc/postfix/main.cf:
        smtpd_command_filter = pcre:/etc/postfix/command_filter

    /etc/postfix/command_filter:
        # Work around clients that send malformed HELO commands.
        /^HELO\s*$/ HELO domain.invalid

        # Work around clients that send empty lines.
        /^\s*$/ NOOP

        # Work around clients that send RCPT TO:<'user@domain'>.
        # WARNING: do not lose the parameters that follow the address.
        /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/ $1$2$3

        # Append XVERP to MAIL FROM commands to request VERP-style delivery.
        # See VERP_README for more information on how to use Postfix VERP.
        /^(MAIL\s+FROM:\s*<listname@example\.com>.*)/ $1 XVERP

        # Bounce-never mail sink. Use notify_classes=bounce,resource,software
        # to send bounced mail to the postmaster (with message body removed).
        /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
        /^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER

This feature is available in Postfix 2.7.

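An added Python illustration (not Postfix's pcre table code) that applies the command_filter rules above to constructed client input: the search string is the received line with initial whitespace and the trailing CRLF removed, the first matching rule wins, and the POSIX class [^[:space:]] and the $1 references are transcribed to \S and \1. Postfix pcre tables match case-insensitively by default, which re.IGNORECASE reproduces.

```python
import re

# Rules transcribed from the command_filter example above into Python re
# syntax: pcre's [^[:space:]] becomes \S and $1 becomes \1.
INTEROP_RULES = [
    (r"^HELO\s*$", r"HELO domain.invalid"),           # malformed HELO
    (r"^\s*$", r"NOOP"),                                # empty line
    (r"^(RCPT\s+TO:\s*<)'(\S+)'(>.*)", r"\1\2\3"),     # quoted address
    (r"^(MAIL\s+FROM:\s*<listname@example\.com>.*)", r"\1 XVERP"),
]
# Bounce-never mail sink: the NOTIFY-replacing rule must come first, or a
# command that already carries NOTIFY=... would end up with a second one.
SINK_RULES = [
    (r"^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)", r"\1 NOTIFY=NEVER\2"),
    (r"^(RCPT\s+TO:.*)", r"\1 NOTIFY=NEVER"),
]


def compile_rules(rules):
    # Postfix pcre tables are case-insensitive unless the pattern says otherwise.
    return [(re.compile(pat, re.IGNORECASE), repl) for pat, repl in rules]


def filter_command(raw_line, rules):
    """Apply the first matching rule and return the command the SMTP server
    would execute. The search string is the received line minus initial
    whitespace and the trailing CRLF, as the manual describes; a line that
    no rule matches is returned unchanged."""
    command = raw_line.lstrip().rstrip("\r\n")
    for pattern, replacement in compile_rules(rules):
        match = pattern.search(command)
        if match:
            return match.expand(replacement)
    return command


# Constructed client input, as the SMTP server would receive it.
SAMPLE = [
    "HELO\r\n",
    "   \r\n",
    "RCPT TO:<'user@example.org'> NOTIFY=SUCCESS\r\n",
    "mail from:<listname@example.com> SIZE=2048\r\n",
    "MAIL FROM:<someone@example.net>\r\n",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line.strip()!r:50} -> {filter_command(line, INTEROP_RULES)!r}")
    for line in ("RCPT TO:<a@b.example> NOTIFY=FAILURE,DELAY ORCPT=rfc822;a@b.example",
                 "RCPT TO:<a@b.example>"):
        print(f"{line!r:50} -> {filter_command(line, SINK_RULES)!r}")
```
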
Optional access restrictions that the Postfix SMTP server applies in the
context of the SMTP DATA command. See SMTPD_ACCESS_README, section
"Delayed evaluation of SMTP access restriction lists" for a discussion of
evaluation context and time.

This feature is available in Postfix 2.0 and later.

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order specified; the first restriction
that matches wins.

The following restrictions are valid in this context:

• Generic restrictions that can be used in any SMTP command context,
  described under smtpd_client_restrictions.

• SMTP command specific restrictions described under
  smtpd_client_restrictions, smtpd_helo_restrictions,
  smtpd_sender_restrictions or smtpd_recipient_restrictions.

• However, no recipient information is available in the case of
  multi-recipient mail. Acting on only one recipient would be misleading,
  because any decision will affect all recipients equally. Acting on all
  recipients would require a possibly very large amount of memory, and
  would also be misleading for the reasons mentioned before.

Examples:

    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_data_restrictions = reject_multi_recipient_bounce

Postpone the start of an SMTP mail transaction until a valid RCPT TO
command is received. Specify "no" to create a mail transaction as soon as
the Postfix SMTP server receives a valid MAIL FROM command.

With sites that reject lots of mail, the default setting reduces the use
of disk, CPU and memory resources. The downside is that rejected
recipients are logged with NOQUEUE instead of a mail transaction ID. This
complicates the logfile analysis of multi-recipient mail.

This feature is available in Postfix 2.3 and later.

9782 Wait until the RCPT TO command before evaluating $smtpd_client_restrictions,
9783 $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
9784 until the ETRN command before evaluating $smtpd_client_restrictions and
9785 $smtpd_helo_restrictions.
9786
9787 This feature is turned on by default because some clients apparently
9788 mis-behave when the Postfix SMTP server rejects commands before RCPT
9789 TO.
9790
9791 The default setting has one major benefit: it allows Postfix to log
9792 recipient address information when rejecting a client name/address or
9793 sender address, so that it is possible to find out whose mail is being
9794 rejected.
9795
9797 Lookup tables, indexed by the remote SMTP client address, with case
9798 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
9799 that the Postfix SMTP server will not send in the EHLO response to a
9800 remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
9801 tables are not searched by hostname for robustness reasons.
9802
9803 Specify zero or more "type:name" lookup tables, separated by whitespace
9804 or comma. Tables will be searched in the specified order until a match
9805 is found.
9806
9807 This feature is available in Postfix 2.2 and later.
9808
9810 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
9811 etc.) that the Postfix SMTP server will not send in the EHLO response
9812 to a remote SMTP client.
9813
9814 This feature is available in Postfix 2.2 and later.
9815
9816 Notes:
9817
9818 • Specify the silent-discard pseudo keyword to prevent this action
9819 from being logged.
9820
9821 • Use the smtpd_discard_ehlo_keyword_address_maps feature to discard
9822 EHLO keywords selectively.
9823
9825 Optional filter for Postfix SMTP server DNS lookup results. See
9826 smtp_dns_reply_filter for details including an example.
9827
9828 This feature is available in Postfix 3.0 and later.
9829
9831 Optional access restrictions that the Postfix SMTP server applies in
9832 the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README,
9833 section "Delayed evaluation of SMTP access restriction lists" for a
9834 discussion of evaluation context and time.
9835
9836 This feature is available in Postfix 2.2 and later.
9837
9838 See smtpd_data_restrictions for details and limitations.
9839
9841 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
9842 require that clients use TLS encryption. According to RFC 2487 this
9843 MUST NOT be applied in case of a publicly-referenced SMTP server. This
9844 option is therefore off by default.
9845
9846 Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
9847
9848 Note 2: when invoked via "sendmail -bs", Postfix will never offer
9849 STARTTLS due to insufficient privileges to access the server private
9850 key. This is intended behavior.
9851
9852 This feature is available in Postfix 2.2 and later. With Postfix 2.3
9853 and later use smtpd_tls_security_level instead.
9854
9856 With Postfix version 2.1 and later: the SMTP server response delay
9857 after a client has made more than $smtpd_soft_error_limit errors, and
9858 fewer than $smtpd_hard_error_limit errors, without delivering mail.
9859
9860 With Postfix version 2.0 and earlier: the SMTP server delay before
9861 sending a reject (4xx or 5xx) response, when the client has made fewer
9862 than $smtpd_soft_error_limit errors without delivering mail. When the
9863 client has made $smtpd_soft_error_limit or more errors, delay all
9864 responses with the larger of (number of errors) seconds or
9865 $smtpd_error_sleep_time.
9866
9867 Specify a non-negative time value (an integral value plus an optional
9868 one-letter suffix that specifies the time unit). Time units: s
9869 (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
9870 unit is s (seconds).
9871
9873 Optional restrictions that the Postfix SMTP server applies in the
9874 context of a client ETRN command. See SMTPD_ACCESS_README, section
9875 "Delayed evaluation of SMTP access restriction lists" for a discussion of
9876 evaluation context and time.
9877
9878 The Postfix ETRN implementation accepts only destinations that are
9879 eligible for the Postfix "fast flush" service. See the ETRN_README file
9880 for details.
9881
9882 Specify a list of restrictions, separated by commas and/or whitespace.
9883 Continue long lines by starting the next line with whitespace.
9884 Restrictions are applied in the order as specified; the first restriction
9885 that matches wins.
9886
9887 The following restrictions are specific to the domain name information
9888 received with the ETRN command.
9889
9890 check_etrn_access type:table
9891 Search the specified access database for the ETRN domain name or
9892 its parent domains. See the access(5) manual page for details.
9893
9894 Other restrictions that are valid in this context:
9895
9896 • Generic restrictions that can be used in any SMTP command context,
9897 described under smtpd_client_restrictions.
9898
9899 • SMTP command specific restrictions described under
9900 smtpd_client_restrictions and smtpd_helo_restrictions.
9901
9902 Example:
9903
9904 smtpd_etrn_restrictions = permit_mynetworks, reject
9905
9907 What characters are allowed in $name expansions of RBL reply templates.
9908 Characters not in the allowed set are replaced by "_". Use C like
9909 escapes to specify special characters such as whitespace.
9910
9911 The smtpd_expansion_filter value is not subject to Postfix
9912 configuration parameter $name expansion.
9913
9914 This feature is available in Postfix 2.0 and later.
9915
9917 Disconnect remote SMTP clients that violate RFC 2920 (or 5321) command
9918 pipelining constraints. The server replies with "554 5.5.0 Error: SMTP
9919 protocol synchronization" and logs the unexpected remote SMTP client
9920 input. Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
9921 feature is enabled by default with Postfix >= 3.9.
9922
9923 This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, 3.6.10, and
9924 3.5.20.
9925
9928 List of commands that cause the Postfix SMTP server to immediately
9929 terminate the session with a 221 code. This can be used to disconnect
9930 clients that obviously attempt to abuse the system. In addition to the
9931 commands listed in this parameter, commands that follow the "Label:"
9932 format of message headers will also cause a disconnect. With Postfix
9933 versions 3.6 and earlier, the default value is "CONNECT GET POST".
9934
9935 This feature is available in Postfix 2.2 and later.
9936
9937 Support for inline regular expressions was added in Postfix version
9938 3.7. See regexp_table(5) for a description of the syntax and features.
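
The following is an added example, not part of Postfix or of this manual
page. It models the two disconnect triggers described above: a command verb
on the forbidden list (the constructed list here is the pre-3.7 default
"CONNECT GET POST") and a line in the "Label:" shape of a message header.
The header test is an approximation written for this example; Postfix's own
check is not reproduced here. Case-insensitive comparison of the verb is
likewise an assumption of the example.

```python
import re

# Constructed list for the example: the pre-3.7 default quoted above.
FORBIDDEN_COMMANDS = ("CONNECT", "GET", "POST")

# Approximation (an assumption, not Postfix's own test) of the "Label:"
# message-header form: a header field name is printable ASCII without
# space or ':', followed directly by ':'.
HEADER_LABEL_RE = re.compile(r"^[!-9;-~]+:")


def is_forbidden(command_line, forbidden=FORBIDDEN_COMMANDS):
    """Return True when this client command line would end the session.

    The verb (first word) is compared case-insensitively against the
    forbidden list; otherwise the line is checked for the "Label:" shape
    that message headers have, which is what an HTTP request or a
    misdirected message body looks like on an SMTP connection.
    """
    stripped = command_line.strip()
    if not stripped:
        return False
    verb = stripped.split(None, 1)[0]
    if verb.upper() in {c.upper() for c in forbidden}:
        return True
    return HEADER_LABEL_RE.match(stripped) is not None


def classify_session(lines, forbidden=FORBIDDEN_COMMANDS):
    """Walk a constructed session transcript and return the first line that
    would trigger the 221 disconnect, or None when no line does."""
    for line in lines:
        if is_forbidden(line, forbidden):
            return line
    return None
```

Normal SMTP commands such as "MAIL FROM:<...>" do not match the header
shape because the colon follows a space-separated second word, not the
verb itself.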
9939
9941 The maximal number of errors a remote SMTP client is allowed to make
9942 without delivering mail. The Postfix SMTP server disconnects when the
9943 limit is reached. Normally the default limit is 20, but it changes
9944 under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
9945 always allows up to 20 errors by default. Valid values are greater
9946 than zero.
9947
9949 Require that a remote SMTP client introduces itself with the HELO or
9950 EHLO command before sending the MAIL command or other commands that
9951 require EHLO negotiation.
9952
9953 Example:
9954
9955 smtpd_helo_required = yes
9956
9958 Optional restrictions that the Postfix SMTP server applies in the
9959 context of a client HELO command. See SMTPD_ACCESS_README, section
9960 "Delayed evaluation of SMTP access restriction lists" for a discussion of
9961 evaluation context and time.
9962
9963 The default is to permit everything.
9964
9965 Note: specify "smtpd_helo_required = yes" to fully enforce this
9966 restriction (without "smtpd_helo_required = yes", a client can simply
9967 skip smtpd_helo_restrictions by not sending HELO or EHLO).
9968
9969 Specify a list of restrictions, separated by commas and/or whitespace.
9970 Continue long lines by starting the next line with whitespace.
9971 Restrictions are applied in the order as specified; the first restriction
9972 that matches wins.
9973
9974 The following restrictions are specific to the hostname information
9975 received with the HELO or EHLO command.
9976
9977 check_helo_access type:table
9978 Search the specified access(5) database for the HELO or EHLO
9979 hostname or parent domains, and execute the corresponding ac‐
9980 tion. Note: specify "smtpd_helo_required = yes" to fully en‐
9981 force this restriction (without "smtpd_helo_required = yes", a
9982 client can simply skip check_helo_access by not sending HELO or
9983 EHLO).
9984
9985 check_helo_a_access type:table
9986 Search the specified access(5) database for the IP addresses for
9987 the HELO or EHLO hostname, and execute the corresponding action.
9988 Note 1: a result of "OK" is not allowed for safety reasons. In‐
9989 stead, use DUNNO in order to exclude specific hosts from
9990 denylists. Note 2: specify "smtpd_helo_required = yes" to fully
9991 enforce this restriction (without "smtpd_helo_required = yes", a
9992 client can simply skip check_helo_a_access by not sending HELO
9993 or EHLO). This feature is available in Postfix 3.0 and later.
9994
9995 check_helo_mx_access type:table
9996 Search the specified access(5) database for the MX hosts for the
9997 HELO or EHLO hostname, and execute the corresponding action. If
9998 no MX record is found, look up A or AAAA records, just like the
9999 Postfix SMTP client would. Note 1: a result of "OK" is not al‐
10000 lowed for safety reasons. Instead, use DUNNO in order to exclude
10001 specific hosts from denylists. Note 2: specify "smtpd_helo_re‐
10002 quired = yes" to fully enforce this restriction (without
10003 "smtpd_helo_required = yes", a client can simply skip
10004 check_helo_mx_access by not sending HELO or EHLO). This feature
10005 is available in Postfix 2.1 and later.
10006
10007 check_helo_ns_access type:table
10008 Search the specified access(5) database for the DNS servers for
10009 the HELO or EHLO hostname, and execute the corresponding action.
10010 Note 1: a result of "OK" is not allowed for safety reasons. In‐
10011 stead, use DUNNO in order to exclude specific hosts from
10012 denylists. Note 2: specify "smtpd_helo_required = yes" to fully
10013 enforce this restriction (without "smtpd_helo_required = yes", a
10014 client can simply skip check_helo_ns_access by not sending HELO
10015 or EHLO). This feature is available in Postfix 2.1 and later.
10016
10017 reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_host‐
10018 name)
10019 Reject the request when the HELO or EHLO hostname is malformed.
10020 Note: specify "smtpd_helo_required = yes" to fully enforce this
10021 restriction (without "smtpd_helo_required = yes", a client can
10022 simply skip reject_invalid_helo_hostname by not sending HELO or
10023 EHLO).
10024 The invalid_hostname_reject_code specifies the response code for
10025 rejected requests (default: 501).
10026
10027 reject_non_fqdn_helo_hostname (with Postfix < 2.3: re‐
10028 ject_non_fqdn_hostname)
10029 Reject the request when the HELO or EHLO hostname is not in
10030 fully-qualified domain or address literal form, as required by
10031 the RFC. Note: specify "smtpd_helo_required = yes" to fully en‐
10032 force this restriction (without "smtpd_helo_required = yes", a
10033 client can simply skip reject_non_fqdn_helo_hostname by not
10034 sending HELO or EHLO).
10035 The non_fqdn_reject_code parameter specifies the response code
10036 for rejected requests (default: 504).
10037
10038 reject_rhsbl_helo rbl_domain=d.d.d.d
10039 Reject the request when the HELO or EHLO hostname is listed with
10040 the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
10041 later only). Each "d" is a number, or a pattern inside "[]"
10042 that contains one or more ";"-separated numbers or number..num‐
10043 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
10044 specified, reject the request when the HELO or EHLO hostname is
10045 listed with any A record under rbl_domain. See the re‐
10046 ject_rbl_client description for additional RBL related configu‐
10047 ration parameters. Note: specify "smtpd_helo_required = yes" to
10048 fully enforce this restriction (without "smtpd_helo_required =
10049 yes", a client can simply skip reject_rhsbl_helo by not sending
10050 HELO or EHLO). This feature is available in Postfix 2.0 and
10051 later.
10052
10053 reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_host‐
10054 name)
10055 Reject the request when the HELO or EHLO hostname has no DNS A
10056 or MX record.
10057 The reply is specified with the unknown_hostname_reject_code pa‐
10058 rameter (default: 450) or unknown_helo_hostname_tempfail_action
10059 (default: defer_if_permit). See the respective parameter de‐
10060 scriptions for details.
10061 Note: specify "smtpd_helo_required = yes" to fully enforce this
10062 restriction (without "smtpd_helo_required = yes", a client can
10063 simply skip reject_unknown_helo_hostname by not sending HELO or
10064 EHLO).
10065
10066 Other restrictions that are valid in this context:
10067
10068 • Generic restrictions that can be used in any SMTP command context,
10069 described under smtpd_client_restrictions.
10070
10071 • Client hostname or network address specific restrictions
10072 described under smtpd_client_restrictions.
10073
10074 • SMTP command specific restrictions described under
10075 smtpd_sender_restrictions or smtpd_recipient_restrictions. When
10076 sender or recipient restrictions are listed under
10077 smtpd_helo_restrictions, they have effect only with "smtpd_delay_reject =
10078 yes", so that $smtpd_helo_restrictions is evaluated at the time
10079 of the RCPT TO command.
10080
10081 Examples:
10082
10083 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
10084 smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
10085
10087 The maximal number of lines in the Postfix SMTP server command history
10088 before it is flushed upon receipt of EHLO, RSET, or end of DATA.
10089
10091 The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
10092 SMTP client can send before the Postfix SMTP server starts to increment
10093 the error counter with each junk command. The junk command count is
10094 reset after mail is delivered. See also the smtpd_error_sleep_time and
10095 smtpd_soft_error_limit configuration parameters. Normally the default
10096 limit is 100, but it changes under overload to just 1. With Postfix 2.5
10097 and earlier, the SMTP server always allows up to 100 junk commands by
10098 default.
10099
10101 Enable logging of the named "permit" actions in SMTP server access
10102 lists (by default, the SMTP server logs "reject" actions but not
10103 "permit" actions). This feature does not affect conditional actions such
10104 as "defer_if_permit".
10105
10106 Specify a list of "permit" action names, "/file/name" or "type:table"
10107 patterns, separated by commas and/or whitespace. The list is matched
10108 left to right, and the search stops on the first match. A "/file/name"
10109 pattern is replaced by its contents; a "type:table" lookup table is
10110 matched when a name matches a lookup key (the lookup result is
10111 ignored). Continue long lines by starting the next line with whitespace.
10112 Specify "!pattern" to exclude a name from the list.
10113
10114 Examples:
10115
10116 /etc/postfix/main.cf:
10117 # Log all "permit" actions.
10118 smtpd_log_access_permit_actions = static:all
10119
10120 /etc/postfix/main.cf:
10121 # Log "permit_dnswl_client" only.
10122 smtpd_log_access_permit_actions = permit_dnswl_client
10123
10124 This feature is available in Postfix 2.10 and later.
10125
10127 Lookup tables with Milter settings per remote SMTP client IP address.
10128 The lookup result overrides the smtpd_milters setting, and has the same
10129 syntax.
10130
10131 Note: lookup tables cannot return empty responses. Specify a lookup
10132 result of DISABLE (case does not matter) to indicate that Milter support
10133 should be disabled.
10134
10135 Example to disable Milters for local clients:
10136
10137 /etc/postfix/main.cf:
10138 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
10139 smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
10140
10141 /etc/postfix/smtpd_milter_map:
10142 # Disable Milters for local clients.
10143 127.0.0.0/8 DISABLE
10144 192.168.0.0/16 DISABLE
10145 ::/64 DISABLE
10146 2001:db8::/32 DISABLE
10147
10148 This feature is available in Postfix 3.2 and later.
10149
10151 A list of Milter (mail filter) applications for new mail that arrives
10152 via the Postfix smtpd(8) server. Specify space or comma as separator.
10153 See the MILTER_README document for details.
10154
10155 This feature is available in Postfix 2.3 and later.
10156
10158 The minimum plaintext data transfer rate in bytes/second for DATA and
10159 BDAT requests, when deadlines are enabled with smtpd_per_request_deadline.
10160 After a read operation transfers N plaintext message bytes (possibly
10161 after TLS decryption), and after the DATA or BDAT request deadline
10162 is decremented by the elapsed time of that read operation, the
10163 DATA or BDAT request deadline is incremented by N/smtpd_min_data_rate
10164 seconds. However, the deadline will never be incremented beyond the
10165 time limit specified with smtpd_timeout.
10166
10167 This feature is available in Postfix 3.7 and later.
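
The following is an added example, not Postfix code, that applies the
deadline arithmetic described above to constructed read sequences so the
effect of the rate floor and of the smtpd_timeout cap can be seen. The
starting deadline (smtpd_timeout when DATA begins) and the meaning of a
deadline at or below zero (request timed out) are assumptions of the
model, as are the constructed values 500 bytes/second and 300 seconds.

```python
def update_deadline(deadline, elapsed, nbytes, min_data_rate, timeout):
    """Apply one read to the DATA/BDAT request deadline.

    Order of operations follows the parameter description: the deadline is
    first decremented by the elapsed time of the read, then incremented by
    nbytes / min_data_rate seconds, and never allowed to exceed
    smtpd_timeout.  All values are seconds except nbytes (plaintext bytes)
    and min_data_rate (bytes/second).
    """
    if min_data_rate <= 0:
        raise ValueError("smtpd_min_data_rate must be positive")
    deadline -= elapsed
    deadline += nbytes / min_data_rate
    return min(deadline, timeout)


def simulate(reads, min_data_rate=500, timeout=300):
    """Run a constructed sequence of (elapsed_seconds, nbytes) reads.

    Assumptions of this model (not stated on the page): the deadline starts
    at smtpd_timeout when DATA begins, and a deadline <= 0 means the
    request has timed out.  Returns the deadline after each read.
    """
    deadline = timeout
    history = []
    for elapsed, nbytes in reads:
        if deadline <= 0:
            break
        deadline = update_deadline(deadline, elapsed, nbytes,
                                   min_data_rate, timeout)
        history.append(round(deadline, 3))
    return history


def exhausting_read(reads, min_data_rate=500, timeout=300):
    """1-based index of the read at which the modelled deadline reaches
    zero, or None when the whole sequence completes in time."""
    history = simulate(reads, min_data_rate, timeout)
    if history and history[-1] <= 0:
        return len(history)
    return None


# Constructed traffic: a client sending one byte every five seconds.
TRICKLE = [(5.0, 1)] * 100
# Constructed traffic: a normal client delivering data in bursts.
BURST = [(1.0, 1000), (10.0, 10)]
```

With the constructed values, each one-byte read costs 5 seconds of
deadline and earns back only 0.002 seconds, so the trickling client is
cut off on its 61st read, while the bursting client keeps its deadline
capped at smtpd_timeout.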
10168
10170 List of commands that the Postfix SMTP server replies to with "250 Ok",
10171 without doing any syntax checks and without changing state. This list
10172 overrides any commands built into the Postfix SMTP server.
10173
10175 The lookup key to be used in SMTP access(5) tables instead of the null
10176 sender address.
10177
10179 Attempt to look up the remote SMTP client hostname, and verify that the
10180 name matches the client IP address. A client name is set to "unknown"
10181 when it cannot be looked up or verified, or when name lookup is
10182 disabled. Turning off name lookup reduces delays due to DNS lookup and
10183 increases the maximal inbound delivery rate.
10184
10185 This feature is available in Postfix 2.3 and later.
10186
10188 Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
10189 time limits, from a time limit per read or write system call, to a time
10190 limit to send or receive a complete record (an SMTP command line, SMTP
10191 response line, SMTP message content line, or TLS protocol message).
10192 This limits the impact from hostile peers that trickle data one byte at
10193 a time.
10194
10195 Note: when per-record deadlines are enabled, a short timeout may cause
10196 problems with TLS over very slow network connections. The reasons are
10197 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
10198 and that an entire TLS protocol message must be sent or received within
10199 the per-record deadline.
10200
10201 This feature is available in Postfix 2.9-3.6. With older Postfix
10202 releases, the behavior is as if this parameter is set to "no". Postfix
10203 3.7 and later use smtpd_per_request_deadline.
10204
10206 Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
10207 time limits, from a time limit per plaintext or TLS read or write call,
10208 to a combined time limit for receiving a complete SMTP request and for
10209 sending a complete SMTP response. The deadline limits only the time
10210 spent waiting for plaintext or TLS read or write calls, not time spent
10211 elsewhere. The per-request deadline limits the impact from hostile
10212 peers that trickle data one byte at a time.
10213
10214 See smtpd_min_data_rate for how the per-request deadline is managed
10215 during the DATA and BDAT phase.
10216
10217 Note: when per-request deadlines are enabled, a short time limit may
10218 cause problems with TLS over very slow network connections. The reason
10219 is that a TLS protocol message can be up to 16 kbytes long (with
10220 TLSv1), and that an entire TLS protocol message must be transferred
10221 within the per-request deadline.
10222
10223 This feature is available in Postfix 3.7 and later. A weaker feature,
10224 called smtpd_per_record_deadline, is available with Postfix 2.9-3.6.
10225 With older Postfix releases, the behavior is as if this parameter is
10226 set to "no".
10227
10232 The default action when an SMTPD policy service request fails. Specify
10233 "DUNNO" to behave as if the failed SMTPD policy service request was
10234 not sent, and to continue processing other access restrictions, if any.
10235
10236 Limitations:
10237
10238 • This parameter may specify any value that would be a valid SMTPD
10239 policy server response (or access(5) map lookup result). An
10240 access(5) map or policy server in this parameter value may need to
10241 be declared in advance with a restriction_class setting.
10242
10243 • If the specified action invokes another check_policy_service
10244 request, that request will have the built-in default action.
10245
10246 This feature is available in Postfix 3.0 and later.
10247
10249 The time after which an idle SMTPD policy service connection is closed.
10250
10251 Specify a non-zero time value (an integral value plus an optional
10252 one-letter suffix that specifies the time unit). Time units: s
10253 (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
10254 unit is s (seconds).
10255
10256 This feature is available in Postfix 2.1 and later.
10257
10259 The time after which an active SMTPD policy service connection is
10260 closed.
10261
10262 Specify a non-zero time value (an integral value plus an optional
10263 one-letter suffix that specifies the time unit). Time units: s
10264 (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
10265 unit is s (seconds).
10266
10267 This feature is available in Postfix 2.1 and later.
10268
10270 Optional information that the Postfix SMTP server specifies in the
10271 "policy_context" attribute of a policy service request (originally, to
10272 share the same service endpoint among multiple check_policy_service
10273 clients).
10274
10275 This feature is available in Postfix 3.1 and later.
10276
10278 The maximal number of requests per SMTPD policy service connection, or
10279 zero (no limit). Once a connection reaches this limit, the connection
10280 is closed and the next request will be sent over a new connection. This
10281 is a workaround to avoid error-recovery delays with policy servers that
10282 cannot maintain a persistent connection.
10283
10284 This feature is available in Postfix 3.0 and later.
10285
10287 The delay between attempts to resend a failed SMTPD policy service
10288 request. Specify a value greater than zero.
10289
10290 Specify a non-zero time value (an integral value plus an optional
10291 one-letter suffix that specifies the time unit). Time units: s
10292 (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
10293 unit is s (seconds).
10294
10295 This feature is available in Postfix 3.0 and later.
10296
10298 The time limit for connecting to, writing to, or receiving from a
10299 delegated SMTPD policy server.
10300
10301 Specify a non-zero time value (an integral value plus an optional
10302 one-letter suffix that specifies the time unit). Time units: s
10303 (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
10304 unit is s (seconds).
10305
10306 This feature is available in Postfix 2.1 and later.
10307
10309 The maximal number of attempts to send an SMTPD policy service request
10310 before giving up. Specify a value greater than zero.
10311
10312 This feature is available in Postfix 3.0 and later.
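
The following is an added example, not Postfix code, covering the three
policy-service parameters described above (default action, retry delay
and maximum number of attempts) from the SMTP server's side. It serializes
a request in the name=value line format of SMTPD_POLICY_README, retries a
failed request the stated number of times with the stated delay, and falls
back to the configured default action when every attempt fails. The
transport hook, the FlakyServer stand-in, the sleep injection and all
attribute values are constructed for the example; note how a tempfail
default keeps the server fail-closed while "DUNNO" makes it fail-open.

```python
import time


class PolicyServiceError(Exception):
    """Constructed stand-in for a connect, write or read failure/timeout."""


def encode_request(attributes):
    """Serialize a policy request as name=value lines ended by an empty
    line, the format SMTPD_POLICY_README describes."""
    return "".join(f"{k}={v}\n" for k, v in attributes.items()) + "\n"


def query_policy(send_request, attributes, default_action,
                 max_try=2, retry_delay=1.0, sleep=time.sleep):
    """Send one policy request with the retry behaviour described above.

    send_request(request_text) is a caller-supplied hook (constructed in
    this example); it returns the 'action' the policy server answered
    with, or raises PolicyServiceError.  A request is attempted up to
    max_try times with retry_delay seconds between attempts; when all
    attempts fail the caller gets default_action, the role that
    smtpd_policy_service_default_action plays in Postfix.
    """
    if max_try <= 0 or retry_delay <= 0:
        raise ValueError("max_try and retry_delay must be greater than zero")
    request = encode_request(attributes)
    for attempt in range(1, max_try + 1):
        try:
            return send_request(request)
        except PolicyServiceError:
            if attempt < max_try:
                sleep(retry_delay)
    return default_action


class FlakyServer:
    """Constructed policy server that fails the first `failures` requests
    and then answers `action`."""

    def __init__(self, failures, action="DUNNO"):
        self.failures = failures
        self.action = action
        self.requests = []

    def __call__(self, request_text):
        self.requests.append(request_text)
        if len(self.requests) <= self.failures:
            raise PolicyServiceError("constructed outage")
        return self.action


# Constructed request attributes; policy_context carries the value of
# smtpd_policy_service_policy_context.  192.0.2.10 is a documentation
# address.
REQUEST = {"request": "smtpd_access_policy", "protocol_state": "RCPT",
           "policy_context": "rcpt-check", "client_address": "192.0.2.10"}

# Constructed default actions for the two failure postures.
FAIL_CLOSED = "451 4.7.1 Policy service unavailable"
FAIL_OPEN = "DUNNO"
```

A single outage followed by a healthy answer costs one retry delay and
yields the server's answer; a persistent outage costs (max_try - 1) delays
and yields the default action, so the choice of default decides whether
mail is deferred or the remaining restrictions decide.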
10313
10315 How the Postfix SMTP server announces itself to the proxy filter. By
10316 default, the Postfix hostname is used.
10317
10318 This feature is available in Postfix 2.1 and later.
10319
10321 The hostname and TCP port of the mail filtering proxy server. The
10322 proxy receives all mail from the Postfix SMTP server, and is supposed
10323 to give the result to another Postfix SMTP server process.
10324
10325 Specify "host:port" or "inet:host:port" for a TCP endpoint, or
10326 "unix:pathname" for a UNIX-domain endpoint. The host can be specified
10327 as an IP address or as a symbolic name; no MX lookups are done. When
10328 no "host" or "host:" is specified, the local machine is assumed.
10329 Pathname interpretation is relative to the Postfix queue directory.
10330
10331 This feature is available in Postfix 2.1 and later.
10332
10333 The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
10334 later.
10335
10337 List of options that control how the Postfix SMTP server communicates
10338 with a before-queue content filter. Specify zero or more of the
10339 following, separated by comma or whitespace.
10340
10341 speed_adjust
10342 Do not connect to a before-queue content filter until an entire
10343 message has been received. This reduces the number of
10344 simultaneous before-queue content filter processes.
10345
10346 NOTE 1: A filter must not selectively reject recipients of a
10347 multi-recipient message. Rejecting all recipients is OK, as is accepting all
10348 recipients.
10349
10350 NOTE 2: This feature increases the minimum amount of free queue space
10351 by $message_size_limit. The extra space is needed to save the message
10352 to a temporary file.
10353
10354 This feature is available in Postfix 2.7 and later.
10355
10357 The time limit for connecting to a proxy filter and for sending or
10358 receiving information. When a connection fails the client gets a generic
10359 error message while more detailed information is logged to the maillog
10360 file.
10361
10362 Specify a non-zero time value (an integral value plus an optional
10363 one-letter suffix that specifies the time unit). Time units: s
10364 (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
10365 unit is s (seconds).
10366
10367 This feature is available in Postfix 2.1 and later.
10368
10370 The maximal number of recipients that the Postfix SMTP server accepts
10371 per message delivery request.
10372
10374 The number of recipients that a remote SMTP client can send in excess
10375 of the limit specified with $smtpd_recipient_limit, before the Postfix
10376 SMTP server increments the per-session error count for each excess
10377 recipient.
10378
10380 Optional restrictions that the Postfix SMTP server applies in the
10381 context of a client RCPT TO command, after smtpd_relay_restrictions. See
10382 SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
10383 restriction lists" for a discussion of evaluation context and time.
10384
10385 With Postfix versions before 2.10, the rules for relay permission and
10386 spam blocking were combined under smtpd_recipient_restrictions,
10387 resulting in error-prone configuration. As of Postfix 2.10, relay permission
10388 rules are preferably implemented with smtpd_relay_restrictions, so that
10389 a permissive spam blocking policy under smtpd_recipient_restrictions
10390 will no longer result in a permissive mail relay policy.
10391
10392 For backwards compatibility, sites that migrate from Postfix versions
10393 before 2.10 can set smtpd_relay_restrictions to the empty value, and
10394 use smtpd_recipient_restrictions exactly as before.
10395
10396 IMPORTANT: Either the smtpd_relay_restrictions or the
10397 smtpd_recipient_restrictions parameter must specify at least one of the following
10398 restrictions. Otherwise Postfix will refuse to receive mail:
10399
10400 reject, reject_unauth_destination
10401
10402 defer, defer_if_permit, defer_unauth_destination
10403
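
The following is an added example, not part of Postfix or of this manual
page. It turns the IMPORTANT rule above into a configuration check: it
parses main.cf-style text using the logical-line, continuation and comment
rules given at the top of this page, expands plain $name references, and
reports whether smtpd_relay_restrictions or smtpd_recipient_restrictions
names one of the required anti-relay restrictions. The two sample
configurations, the rbl.example domain and the hash: table path are
constructed for the example; the ${name?...} conditional forms are not
handled.

```python
import re

# Restrictions the page lists as required in smtpd_relay_restrictions or
# smtpd_recipient_restrictions.
REQUIRED = {"reject", "reject_unauth_destination",
            "defer", "defer_if_permit", "defer_unauth_destination"}

_PARAM_REF = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def parse_main_cf(text):
    """Return {parameter: value} from main.cf-style text.

    Follows the file format rules in this manual page: a logical line
    starts in column one, lines starting with whitespace continue it, and
    empty or '#' lines are ignored.
    """
    params, logical = {}, []

    def flush():
        if logical:
            name, _, value = " ".join(logical).partition("=")
            params[name.strip()] = value.strip()
            logical.clear()

    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            flush()
        logical.append(raw.strip())
    flush()
    return params


def expand(params, value, depth=0):
    """Replace $name and ${name} recursively; undefined names expand to
    the empty value.  The ${name?...} / ${name:...} conditional forms are
    not handled by this example."""
    if depth > 20:
        raise ValueError("parameter expansion too deep (reference cycle?)")
    return _PARAM_REF.sub(
        lambda m: expand(params, params.get(m.group(1) or m.group(2), ""),
                         depth + 1),
        value)


def split_restrictions(value):
    """Restriction lists are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def relay_policy_ok(text):
    """True when smtpd_relay_restrictions or smtpd_recipient_restrictions,
    as set in `text`, names at least one REQUIRED restriction.

    Only explicit settings are examined: feed this the output of
    `postconf -n` (same name = value format) or the full main.cf.  A
    parameter absent from both keeps its built-in default, which this
    check does not know about.
    """
    params = parse_main_cf(text)
    present = set()
    for name in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        present.update(split_restrictions(expand(params, params.get(name, ""))))
    return bool(present & REQUIRED)


# Constructed samples, not real site configurations.
OPEN_RELAY_CF = """\
# pre-2.10 style: relay list emptied, recipient list only allowlists
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    check_recipient_access hash:/etc/postfix/recipient_access
"""

SAFE_CF = """\
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
spam_rules = reject_rbl_client rbl.example
smtpd_recipient_restrictions = $spam_rules
"""
```

The first sample is the migration mistake the text warns about: clearing
smtpd_relay_restrictions without carrying reject_unauth_destination into
smtpd_recipient_restrictions. The second keeps relay permission and spam
policy separate, which is the arrangement recommended above.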
10404 Specify a list of restrictions, separated by commas and/or whitespace.
10405 Continue long lines by starting the next line with whitespace.
10406 Restrictions are applied in the order as specified; the first restriction
10407 that matches wins.
10408
10409 The following restrictions are specific to the recipient address that
10410 is received with the RCPT TO command.
10411
10412 check_recipient_access type:table
10413 Search the specified access(5) database for the resolved RCPT TO
10414 address, domain, parent domains, or localpart@, and execute the
10415 corresponding action.
10416
10417 check_recipient_a_access type:table
10418 Search the specified access(5) database for the IP addresses for
10419 the RCPT TO domain, and execute the corresponding action. Note:
10420 a result of "OK" is not allowed for safety reasons. Instead, use
10421 DUNNO in order to exclude specific hosts from denylists. This
10422 feature is available in Postfix 3.0 and later.
10423
10424 check_recipient_mx_access type:table
10425 Search the specified access(5) database for the MX hosts for the
10426 RCPT TO domain, and execute the corresponding action. If no MX
10427 record is found, look up A or AAAA records, just like the
10428 Postfix SMTP client would. Note: a result of "OK" is not allowed for
10429 safety reasons. Instead, use DUNNO in order to exclude specific
10430 hosts from denylists. This feature is available in Postfix 2.1
10431 and later.
10432
10433 check_recipient_ns_access type:table
10434 Search the specified access(5) database for the DNS servers for
10435 the RCPT TO domain, and execute the corresponding action. Note:
10436 a result of "OK" is not allowed for safety reasons. Instead, use
10437 DUNNO in order to exclude specific hosts from denylists. This
10438 feature is available in Postfix 2.1 and later.
10439
10440 permit_auth_destination
10441 Permit the request when one of the following is true:
10442
10443 • Postfix is a mail forwarder: the resolved RCPT TO domain matches
10444 $relay_domains or a subdomain thereof, and the address contains
10445 no sender-specified routing (user@elsewhere@domain),
10446
10447 • Postfix is the final destination: the resolved RCPT TO domain
10448 matches $mydestination, $inet_interfaces, $proxy_interfaces,
10449 $virtual_alias_domains, or $virtual_mailbox_domains, and the
10450 address contains no sender-specified routing
10451 (user@elsewhere@domain).
10452
10453 permit_mx_backup
10454 Permit the request when the local mail system is a backup MX for
10455 the RCPT TO domain, or when the domain is an authorized
10456 destination (see permit_auth_destination for definition).
10457
10458 • Safety: permit_mx_backup does not accept addresses that have
10459 sender-specified routing information (example:
10460 user@elsewhere@domain).
10461
10462 • Safety: permit_mx_backup can be vulnerable to mis-use when
10463 access is not restricted with permit_mx_backup_networks.
10464
10465 • Safety: as of Postfix version 2.3, permit_mx_backup no longer
10466 accepts the address when the local mail system is a primary MX
10467 for the recipient domain. Exception: permit_mx_backup accepts
10468 the address when it specifies an authorized destination (see
10469 permit_auth_destination for definition).
10470
10471 • Limitation: mail may be rejected in case of a temporary DNS
10472 lookup problem with Postfix prior to version 2.0.
10473
10474 reject_non_fqdn_recipient
10475 Reject the request when the RCPT TO address specifies a domain
10476 that is not in fully-qualified domain form, as required by the
10477 RFC.
10478 The non_fqdn_reject_code parameter specifies the response code
10479 for rejected requests (default: 504).
10480
10481 reject_rhsbl_recipient rbl_domain=d.d.d.d
10482 Reject the request when the RCPT TO domain is listed with the A
10483 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
10484 only). Each "d" is a number, or a pattern inside "[]" that con‐
10485 tains one or more ";"-separated numbers or number..number ranges
10486 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
10487 reject the request when the RCPT TO domain is listed with any A
10488 record under rbl_domain.
10489 The maps_rbl_reject_code parameter specifies the response code
10490 for rejected requests (default: 554); the default_rbl_reply pa‐
10491 rameter specifies the default server reply; and the rbl_re‐
10492 ply_maps parameter specifies tables with server replies indexed
10493 by rbl_domain. This feature is available in Postfix version 2.0
10494 and later.
10495
10496 reject_unauth_destination
10497 Reject the request unless one of the following is true:
10498
10499 • Postfix is a mail forwarder: the resolved RCPT TO domain matches
10500 $relay_domains or a subdomain thereof, and contains no
10501 sender-specified routing (user@elsewhere@domain),
10502
10503 • Postfix is the final destination: the resolved RCPT TO domain
10504 matches $mydestination, $inet_interfaces, $proxy_interfaces,
10505 $virtual_alias_domains, or $virtual_mailbox_domains, and con‐
10506 tains no sender-specified routing (user@elsewhere@domain).
10507 The relay_domains_reject_code parameter specifies the response
10508 code for rejected requests (default: 554).
10509
10510 defer_unauth_destination
10511 Reject the same requests as reject_unauth_destination, with a
10512 non-permanent error code. This feature is available in Postfix
10513 2.10 and later.
10514
10515 reject_unknown_recipient_domain
10516 Reject the request when Postfix is not the final destination for
10517 the recipient domain, and the RCPT TO domain has 1) no DNS MX and
10518 no DNS A record, or 2) a malformed MX record such as a record with
10519 a zero-length MX hostname (Postfix version 2.3 and later).
10520 The reply is specified with the unknown_address_reject_code
10521 parameter (default: 450), unknown_address_tempfail_action
10522 (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and later).
10523 See the respective parameter descriptions for details.
10524
10525 reject_unlisted_recipient (with Postfix version 2.0: check_recipi‐
10526 ent_maps)
10527 Reject the request when the RCPT TO address is not listed in the
10528 list of valid recipients for its domain class. See the smtpd_re‐
10529 ject_unlisted_recipient parameter description for details. This
10530 feature is available in Postfix 2.1 and later.
10531
10532 reject_unverified_recipient
10533 Reject the request when mail to the RCPT TO address is known to
10534 bounce, or when the recipient address destination is not reach‐
10535 able. Address verification information is managed by the ver‐
10536 ify(8) server; see the ADDRESS_VERIFICATION_README file for de‐
10537 tails.
10538 The unverified_recipient_reject_code parameter specifies the nu‐
10539 merical response code when an address is known to bounce (de‐
10540 fault: 450, change it to 550 when you are confident that it is
10541 safe to do so).
10542 The unverified_recipient_defer_code parameter specifies the nu‐
10543 merical response code when an address probe failed due to a tem‐
10544 porary problem (default: 450).
10545 The unverified_recipient_tempfail_action parameter specifies the
10546 action after address probe failure due to a temporary problem
10547 (default: defer_if_permit).
10548 This feature breaks for aliased addresses with "enable_origi‐
10549 nal_recipient = no" (Postfix <= 3.2).
10550 This feature is available in Postfix 2.1 and later.
10551
10552 Other restrictions that are valid in this context:
10553
10554 • Generic restrictions that can be used in any SMTP command con‐
10555 text, described under smtpd_client_restrictions.
10556
10557 • SMTP command specific restrictions described under
10558 smtpd_client_restrictions, smtpd_helo_restrictions and
10559 smtpd_sender_restrictions.
10560
10561 Example:
10562
10563 # The default mail relay policy before Postfix 2.10. Later Postfix
10564 # versions implement this preferably with smtpd_relay_restrictions.
10565 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
10566
10568 Optional information that is appended after each Postfix SMTP server
10569 4XX or 5XX response.
10570
10571 The following example uses "\c" at the start of the template (supported
10572 in Postfix 2.10 and later) to suppress the line break between the reply
10573 text and the footer text. With earlier Postfix versions, the footer
10574 text always begins on a new line, and the "\c" is output literally.
10575
10576 /etc/postfix/main.cf:
10577 smtpd_reject_footer = \c. For assistance, call 800-555-0101.
10578 Please provide the following information in your problem report:
10579 time ($localtime), client ($client_address) and server
10580 ($server_name).
10581
10582 Server response:
10583
10584 550-5.5.1 <user@example> Recipient address rejected: User
10585 unknown. For assistance, call 800-555-0101. Please provide the
10586 following information in your problem report: time (Jan 4 15:42:00),
10587 client (192.168.1.248) and server (mail1.example.com).
10588
10589 Note: the above text is meant to make it easier to find the Postfix
10590 logfile records for a failed SMTP session. The text itself is not
10591 logged to the Postfix SMTP server's maillog file.
10592
10593 Be sure to keep the text as short as possible. Long text may be trun‐
10594 cated before it is logged to the remote SMTP client's maillog file, or
10595 before it is returned to the sender in a delivery status notification.
10596
10597 The template text is not subject to Postfix configuration parameter
10598 $name expansion. Instead, this feature supports a limited number of
10599 $name attributes in the footer text. These attributes are replaced with
10600 their current value for the SMTP session.
10601
10602 Note: specify $$name in footer text that is looked up from regexp: or
10603 pcre:-based smtpd_reject_footer_maps, otherwise the Postfix server will
10604 not use the footer text and will log a warning instead.
10605
10606 client_address
10607 The Client IP address that is logged in the maillog file.
10608
10609 client_port
10610 The client TCP port that is logged in the maillog file.
10611
10612 localtime
10613 The server local time (Mmm dd hh:mm:ss) that is logged in the
10614 maillog file.
10615
10616 server_name
10617 The server's myhostname value. This attribute is made available
10618 for sites with multiple MTAs (perhaps behind a load-balancer),
10619 where the server name can help the server support team to
10620 quickly find the right log files.
10621
10622 Notes:
10623
10624 • NOT SUPPORTED are other attributes such as sender, recipient, or
10625 main.cf parameters.
10626
10627 • For safety reasons, text that does not match $smtpd_expan‐
10628 sion_filter is censored.
10629
10630 This feature supports the two-character sequence \n as a request for a
10631 line break in the footer text. Postfix automatically inserts after each
10632 line break the three-digit SMTP reply code (and optional enhanced sta‐
10633 tus code) from the original Postfix reject message.
10634
10635 To work around mail software that mis-handles multi-line replies, spec‐
10636 ify the two-character sequence \c at the start of the template. This
10637 suppresses the line break between the reply text and the footer text
10638 (Postfix 2.10 and later).
10639
10640 This feature is available in Postfix 2.8 and later.
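The following is an added example, not code from Postfix or from this manual page: a small Python model of the smtpd_reject_footer expansion rules stated above (the four supported $name attributes, censoring of characters outside smtpd_expansion_filter, the "\n" line break with the reply code re-inserted, the leading "\c", and the "$$name" requirement for regexp:/pcre: smtpd_reject_footer_maps). The default smtpd_expansion_filter value, the replacement of censored characters by "_", and the treatment of unsupported attributes as empty are assumptions of this model, marked in the code; the real behaviour lives in smtpd(8).

```python
"""Model of smtpd_reject_footer template expansion. Added example for study;
it is not the smtpd(8) code. It implements what the documentation states:
the four supported $name attributes, censoring through smtpd_expansion_filter,
the \\n line break with re-inserted reply code, the leading \\c, and the
$$name requirement for regexp:/pcre: smtpd_reject_footer_maps."""
import re
from dataclasses import dataclass

FOOTER_ATTRIBUTES = ("client_address", "client_port", "localtime", "server_name")
# Assumed: Postfix's default smtpd_expansion_filter (printable ASCII plus tab and space).
DEFAULT_EXPANSION_FILTER = ("\t !\"#$%&'()*+,-./0123456789:;<=>?@"
                            "ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`"
                            "abcdefghijklmnopqrstuvwxyz{|}~")
_ATTR = re.compile(r"\$(\w+)|\$\{(\w+)\}")
_REPLY = re.compile(r"(\d{3})(?:[ -](\d\.\d{1,3}\.\d{1,3}))?")


@dataclass
class Session:
    client_address: str
    client_port: str
    localtime: str
    server_name: str


def expand_reject_footer(template, reply, session, expansion_filter=DEFAULT_EXPANSION_FILTER):
    """Return (reply_lines, warnings) for one 4xx/5xx reply with the footer applied."""
    m = _REPLY.match(reply)
    if not m:
        raise ValueError("not a 4xx/5xx SMTP reply: %r" % reply)
    code, esc = m.group(1), m.group(2)
    cont = f"{code}-{esc} " if esc else f"{code}-"     # all lines but the last
    last = f"{code} {esc} " if esc else f"{code} "     # final line of the reply
    reply_text = reply[m.end():].lstrip()
    warnings = []

    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in FOOTER_ATTRIBUTES:           # sender, recipient, main.cf names...
            warnings.append(f"unsupported attribute ${name}")
            return ""                               # model's choice: expands to nothing
        value = getattr(session, name)
        # Assumed: characters outside smtpd_expansion_filter are replaced by "_".
        return "".join(ch if ch in expansion_filter else "_" for ch in value)

    text = _ATTR.sub(substitute, template)
    joined = text.startswith("\\c")                 # Postfix 2.10+: no break before footer
    if joined:
        text = text[2:]
    footer_lines = text.split("\\n")                # \n requests a line break
    lines = ([reply_text + footer_lines[0]] + footer_lines[1:]) if joined \
        else [reply_text] + footer_lines
    return [cont + l for l in lines[:-1]] + [last + lines[-1]], warnings


def lookup_footer_template(reply, regexp_maps):
    """smtpd_reject_footer_maps with regexp: tables, modelled as (pattern, value)
    pairs keyed by the complete reply and searched in order. In a regexp table a
    bare $name is a lookup-time error (no footer, warning logged); $$name is the
    way to get a literal $name into the template. $N group references are left
    as they are in this model."""
    for pattern, value in regexp_maps:
        if re.search(pattern, reply):
            if re.search(r"(?<!\$)\$(?!\$|\d)", value):
                return None, f"unknown macro name in footer map value {value!r}"
            return value.replace("$$", "$"), None
    return None, None


if __name__ == "__main__":
    sess = Session("192.168.1.248", "54321", "Jan  4 15:42:00", "mail1.example.com")
    tmpl = ("\\c. For assistance, call 800-555-0101.\\nPlease provide time ($localtime), "
            "client ($client_address) and server ($server_name).")
    for line in expand_reject_footer(tmpl, "550 5.5.1 <user@example> Recipient address "
                                     "rejected: User unknown", sess)[0]:
        print(line)
```

The censoring path is the one to watch: a server_name or client-supplied value containing CR or LF would otherwise let an attacker inject extra SMTP reply lines, which is why the model (like the documentation) runs every attribute value through the expansion filter before it is spliced into the reply.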
10641
10643 Lookup tables, indexed by the complete Postfix SMTP server 4xx or 5xx
10644 response, with reject footer templates. See smtpd_reject_footer for de‐
10645 tails.
10646
10647 Specify zero or more "type:name" lookup tables, separated by whitespace
10648 or comma. Tables will be searched in the specified order until a match
10649 is found.
10650
10651 This feature is available in Postfix 3.4 and later.
10652
10654 Request that the Postfix SMTP server rejects mail for unknown recipient
10655 addresses, even when no explicit reject_unlisted_recipient access re‐
10656 striction is specified. This prevents the Postfix queue from filling up
10657 with undeliverable MAILER-DAEMON messages.
10658
10659 An address is considered "unknown" when 1) it does not match a vir‐
10660 tual(5) alias or canonical(5) mapping, and 2) the address is not valid
10661 for its address class. For a definition of class-based address valida‐
10662 tion, see ADDRESS_CLASS_README.
10663
10664 This feature is available in Postfix 2.1 and later.
10665
10667 Request that the Postfix SMTP server rejects mail from unknown sender
10668 addresses, even when no explicit reject_unlisted_sender access restric‐
10669 tion is specified. This can slow down an explosion of forged mail from
10670 worms or viruses.
10671
10672 An address is considered "unknown" when 1) it does not match a vir‐
10673 tual(5) alias or canonical(5) mapping, and 2) the address is not valid
10674 for its address class. For a definition of class-based address valida‐
10675 tion, see ADDRESS_CLASS_README.
10676
10677 This feature is available in Postfix 2.1 and later.
10678
10680 Evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions.
10681 Historically, smtpd_relay_restrictions was evaluated after smtpd_recip‐
10682 ient_restrictions, contradicting documented behavior.
10683
10684 Background: the smtpd_relay_restrictions feature is primarily designed
10685 to enforce a mail relaying policy, while smtpd_recipient_restrictions
10686 is primarily designed to enforce spam blocking policy. Both are evalu‐
10687 ated while replying to the RCPT TO command, and both support the same
10688 features.
10689
10690 This feature is available in Postfix 3.6 and later.
10691
10692 smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated,
10693 defer_unauth_destination)
10694 Access restrictions for mail relay control that the Postfix SMTP server
10695 applies in the context of the RCPT TO command, before smtpd_recipi‐
10696 ent_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation
10697 of SMTP access restriction lists" for a discussion of evaluation con‐
10698 text and time.
10699
10700 With Postfix versions before 2.10, the rules for relay permission and
10701 spam blocking were combined under smtpd_recipient_restrictions, result‐
10702 ing in error-prone configuration. As of Postfix 2.10, relay permission
10703 rules are preferably implemented with smtpd_relay_restrictions, so that
10704 a permissive spam blocking policy under smtpd_recipient_restrictions
10705 will no longer result in a permissive mail relay policy.
10706
10707 For backwards compatibility, sites that migrate from Postfix versions
10708 before 2.10 can set smtpd_relay_restrictions to the empty value, and
10709 use smtpd_recipient_restrictions exactly as before.
10710
10711 By default, the Postfix SMTP server accepts:
10712
10713 • Mail from clients whose IP address matches $mynetworks, or:
10714
10715 • Mail from clients who are SASL authenticated, or:
10716
10717 • Mail to remote destinations that match $relay_domains, except
10718 for addresses that contain sender-specified routing (user@else‐
10719 where@domain), or:
10720
10721 • Mail to local destinations that match $inet_interfaces or
10722 $proxy_interfaces, $mydestination, $virtual_alias_domains, or
10723 $virtual_mailbox_domains.
10724
10725 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
10726 ent_restrictions parameter must specify at least one of the following
10727 restrictions. Otherwise Postfix will refuse to receive mail:
10728
10729 reject, reject_unauth_destination
10730
10731 defer, defer_if_permit, defer_unauth_destination
10732
10733 Specify a list of restrictions, separated by commas and/or whitespace.
10734 Continue long lines by starting the next line with whitespace. The
10735 same restrictions are available as documented under smtpd_recipient_re‐
10736 strictions.
10737
10738 This feature is available in Postfix 2.10 and later.
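As an added example (not Postfix code), the following Python model walks the RCPT TO decision described under smtpd_recipient_restrictions (the pre-2.10 relay example at line 10565) and under smtpd_relay_restrictions above: restrictions are tried in order, the first match in a list wins, a permit ends only its own list, and a reject or defer anywhere is final. It shows why the split matters: with a stray "permit" in a combined pre-2.10 list, an outside client can relay, while the same permissive spam policy under a separate smtpd_recipient_restrictions cannot bypass defer_unauth_destination in smtpd_relay_restrictions. The address-class handling is simplified to $mydestination and $relay_domains, and the configurations are constructed for the demonstration.

```python
"""Model of the Postfix RCPT TO relay decision: smtpd_relay_restrictions and
smtpd_recipient_restrictions evaluated in order, first matching restriction
wins within a list. Added example for study; not Postfix code. Address-class
handling is simplified: $mydestination and $relay_domains only."""
import ipaddress
from dataclasses import dataclass, field

# Restrictions that the documentation requires in at least one of the two lists.
RELAY_GUARDS = {"reject", "reject_unauth_destination",
                "defer", "defer_if_permit", "defer_unauth_destination"}


@dataclass
class Config:
    mynetworks: list
    mydestination: set
    relay_domains: set
    smtpd_relay_restrictions: list = field(default_factory=list)
    smtpd_recipient_restrictions: list = field(default_factory=list)
    relay_before_recipient: bool = True   # smtpd_relay_before_recipient_restrictions


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool = False


def has_sender_specified_routing(address):
    # user@elsewhere@domain: more than one '@' is sender-specified routing.
    return address.count("@") > 1


def is_auth_destination(cfg, rcpt):
    """permit_auth_destination / reject_unauth_destination test."""
    if has_sender_specified_routing(rcpt):
        return False
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in cfg.mydestination:                       # final destination
        return True
    return any(domain == r or domain.endswith("." + r)    # forwarder: domain or subdomain
               for r in cfg.relay_domains)


def in_mynetworks(cfg, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in cfg.mynetworks)


def evaluate(cfg, sess, rcpt, restrictions):
    """Walk one restriction list. Returns (action, restriction) for the first
    restriction that matches, or (None, None) when the list ends (DUNNO)."""
    for r in restrictions:
        if r == "permit_mynetworks" and in_mynetworks(cfg, sess.client_ip):
            return "OK", r
        if r == "permit_sasl_authenticated" and sess.sasl_authenticated:
            return "OK", r
        if r == "permit_auth_destination" and is_auth_destination(cfg, rcpt):
            return "OK", r
        if r == "reject_unauth_destination" and not is_auth_destination(cfg, rcpt):
            return "REJECT", r          # 554 by default (relay_domains_reject_code)
        if r == "defer_unauth_destination" and not is_auth_destination(cfg, rcpt):
            return "DEFER", r           # same test, non-permanent code
        if r in ("permit", "reject", "defer"):
            return {"permit": "OK", "reject": "REJECT", "defer": "DEFER"}[r], r
    return None, None


def rcpt_decision(cfg, sess, rcpt):
    """Both lists must allow the recipient: a permit in one list ends only that
    list, it does not skip the other one. A REJECT/DEFER anywhere is final."""
    lists = [cfg.smtpd_relay_restrictions, cfg.smtpd_recipient_restrictions]
    if not cfg.relay_before_recipient:      # pre-3.6 order
        lists.reverse()
    for restrictions in lists:
        action, name = evaluate(cfg, sess, rcpt, restrictions)
        if action in ("REJECT", "DEFER"):
            return action, name
    return "OK", "end of restrictions"


def relay_guard_missing(cfg):
    """True when neither list contains one of the required guard restrictions
    (the documented condition under which Postfix refuses to receive mail)."""
    return not (RELAY_GUARDS & set(cfg.smtpd_relay_restrictions)
                or RELAY_GUARDS & set(cfg.smtpd_recipient_restrictions))


# Constructed configurations for the demonstration.
MODERN = Config(mynetworks=["127.0.0.0/8", "192.168.10.0/24"],
                mydestination={"example.com"}, relay_domains={"example.net"},
                smtpd_relay_restrictions=["permit_mynetworks", "permit_sasl_authenticated",
                                          "defer_unauth_destination"],
                smtpd_recipient_restrictions=["permit"])   # permissive spam policy
# Pre-2.10 style: relay and spam policy combined, with a stray "permit" before the guard.
LEGACY = Config(mynetworks=["127.0.0.0/8", "192.168.10.0/24"],
                mydestination={"example.com"}, relay_domains={"example.net"},
                smtpd_recipient_restrictions=["permit_mynetworks", "permit",
                                              "reject_unauth_destination"])

if __name__ == "__main__":
    outsider = Session("203.0.113.5")
    for cfg_name, cfg in (("modern", MODERN), ("legacy", LEGACY)):
        print(cfg_name, "relay to stranger:", rcpt_decision(cfg, outsider, "x@victim.example"))
```

Note that relay_guard_missing(LEGACY) is false: the guard restriction is present, yet the configuration is an open relay because a "permit" precedes it. The presence check only catches the case where Postfix refuses to start receiving mail; it cannot catch ordering mistakes, which is exactly the class of error the smtpd_relay_restrictions split was introduced to prevent.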
10739
10741 User-defined aliases for groups of access restrictions. The aliases can
10742 be specified in smtpd_recipient_restrictions etc., and on the
10743 right-hand side of a Postfix access(5) table.
10744
10745 One major application is for implementing per-recipient UCE control.
10746 See the RESTRICTION_CLASS_README document for other examples.
10747
10749 The application name that the Postfix SMTP server uses for SASL server
10750 initialization. This controls the name of the SASL configuration file.
10751 The default value is smtpd, corresponding to a SASL configuration file
10752 named smtpd.conf.
10753
10754 This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
10755 was renamed to smtpd_sasl_path.
10756
10758 Enable SASL authentication in the Postfix SMTP server. By default, the
10759 Postfix SMTP server does not use authentication.
10760
10761 If a remote SMTP client is authenticated, the permit_sasl_authenticated
10762 access restriction can be used to permit relay access, like this:
10763
10764 # With Postfix 2.10 and later, the mail relay policy is
10765 # preferably specified under smtpd_relay_restrictions.
10766 smtpd_relay_restrictions =
10767 permit_mynetworks, permit_sasl_authenticated, ...
10768
10769 # With Postfix before 2.10, the relay policy can be
10770 # specified only under smtpd_recipient_restrictions.
10771 smtpd_recipient_restrictions =
10772 permit_mynetworks, permit_sasl_authenticated, ...
10773
10774 To reject all SMTP connections from unauthenticated clients, specify
10775 "smtpd_delay_reject = yes" (which is the default) and use:
10776
10777 smtpd_client_restrictions = permit_sasl_authenticated, reject
10778
10779 See the SASL_README file for SASL configuration and operation details.
10780
10782 Report the SASL authenticated user name in the smtpd(8) Received mes‐
10783 sage header.
10784
10785 This feature is available in Postfix 2.3 and later.
10786
10788 What remote SMTP clients the Postfix SMTP server will not offer AUTH
10789 support to.
10790
10791 Some clients (Netscape 4 at least) have a bug that causes them to re‐
10792 quire a login and password whenever AUTH is offered, whether it's nec‐
10793 essary or not. To work around this, specify, for example, $mynetworks
10794 to prevent Postfix from offering AUTH to local clients.
10795
10796 Specify a list of network/netmask patterns, separated by commas and/or
10797 whitespace. The mask specifies the number of bits in the network part
10798 of a host address. You can also specify "/file/name" or "type:table"
10799 patterns. A "/file/name" pattern is replaced by its contents; a
10800 "type:table" lookup table is matched when a table entry matches a
10801 lookup string (the lookup result is ignored). Continue long lines by
10802 starting the next line with whitespace. Specify "!pattern" to exclude
10803 an address or network block from the list. The form "!/file/name" is
10804 supported only in Postfix version 2.4 and later.
10805
10806 Note: IP version 6 address information must be specified inside [] in
10807 the smtpd_sasl_exceptions_networks value, and in files specified with
10808 "/file/name". IP version 6 addresses contain the ":" character, and
10809 would otherwise be confused with a "type:table" pattern.
10810
10811 Example:
10812
10813 smtpd_sasl_exceptions_networks = $mynetworks
10814
10815 This feature is available in Postfix 2.1 and later.
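The network/netmask list syntax above has two traps a practitioner should verify rather than assume: "!pattern" exclusion is decided by the first matching pattern, and an IPv6 address written without "[]" is silently parsed as a "type:table" pattern. The following Python model (an added example, not Postfix's own list-matching code) parses such a list, expands "/file/name" entries from constructed file contents, honours "type:table" entries against a constructed table, and refuses an unbracketed IPv6 pattern. Treating "!/file/name" as negating every pattern read from the file is an assumption of this model.

```python
"""Model of the network/netmask pattern list syntax used by
smtpd_sasl_exceptions_networks (the same list syntax as mynetworks).
Added example for study, not Postfix's match_list code. Assumptions are
marked; "/file/name" and "type:table" contents are constructed inline."""
import ipaddress
import re

_BRACKETED_V6 = re.compile(r"\[([^\]]+)\](?:/(\d{1,3}))?$")


def _parse_one(pattern, files, negate_all=False):
    """Expand one pattern into a list of (negate, kind, data) entries."""
    negate = pattern.startswith("!") or negate_all
    pattern = pattern.lstrip("!")
    if pattern.startswith("/"):                     # /file/name: replaced by its contents
        entries = []
        for line in files[pattern].splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                # Assumption: "!/file/name" (2.4+) negates every pattern read from it.
                entries.extend(_parse_one(line, files, negate_all=negate))
        return entries
    m = _BRACKETED_V6.match(pattern)
    if m:                                           # [ipv6]/prefix, brackets required
        net = ipaddress.ip_network(m.group(1) + ("/" + m.group(2) if m.group(2) else ""),
                                   strict=False)
        return [(negate, "net", net)]
    if ":" in pattern:                              # anything else with ':' is type:table
        return [(negate, "table", pattern)]
    return [(negate, "net", ipaddress.ip_network(pattern, strict=False))]


def parse_network_list(value, files=None, tables=None):
    """Split on commas/whitespace, expand files, and validate table names.
    An unbracketed IPv6 address such as 2001:db8::/32 is parsed as a
    "type:table" pattern; it is rejected here because no such table exists."""
    files, tables = files or {}, tables or {}
    entries = []
    for pattern in (p for p in re.split(r"[,\s]+", value.strip()) if p):
        for entry in _parse_one(pattern, files):
            if entry[1] == "table" and entry[2] not in tables:
                raise ValueError(f"unknown table {entry[2]!r} (IPv6 must be written inside [])")
            entries.append(entry)
    return entries


def network_list_matches(entries, client_ip, tables=None):
    """First matching pattern decides; a "!pattern" match means "not in list".
    For a type:table the lookup result is ignored, only the key's presence counts."""
    tables = tables or {}
    addr = ipaddress.ip_address(client_ip)
    for negate, kind, data in entries:
        if kind == "net":
            hit = addr.version == data.version and addr in data
        else:
            hit = client_ip in tables[data]
        if hit:
            return not negate
    return False


# Constructed file and table contents for the demonstration.
FILES = {"/etc/postfix/sasl_exceptions_exclude": "# hosts that must always see AUTH\n10.0.0.0/8\n"}
TABLES = {"hash:/etc/postfix/sasl_exceptions": {"198.51.100.7": "OK"}}
VALUE = ("!192.168.1.99, 192.168.0.0/16, [2001:db8::]/32, "
         "!/etc/postfix/sasl_exceptions_exclude, hash:/etc/postfix/sasl_exceptions")


def offers_auth(client_ip, value=VALUE):
    """AUTH is offered unless the client matches smtpd_sasl_exceptions_networks."""
    entries = parse_network_list(value, FILES, TABLES)
    return not network_list_matches(entries, client_ip, TABLES)


if __name__ == "__main__":
    for ip in ("192.168.1.99", "192.168.5.5", "2001:db8:1::1",
               "10.1.2.3", "198.51.100.7", "203.0.113.9"):
        print(ip, "AUTH offered" if offers_auth(ip) else "AUTH suppressed")
```

Because the first match decides, "!192.168.1.99" must precede "192.168.0.0/16" to take effect; the reverse order would exclude nothing. On a real system, "postconf -n smtpd_sasl_exceptions_networks" shows the value as configured, but it does not expand files or tables, so the parse step above is worth reproducing before trusting a complex list.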
10816
10818 The name of the Postfix SMTP server's local SASL authentication realm.
10819
10820 By default, the local authentication realm name is the null string.
10821
10822 Examples:
10823
10824 smtpd_sasl_local_domain = $mydomain
10825 smtpd_sasl_local_domain = $myhostname
10826
10828 If non-empty, a filter for the SASL mechanism names that the Postfix
10829 SMTP server will announce in the EHLO response. By default, the Postfix
10830 SMTP server will not announce the EXTERNAL mechanism, because Postfix
10831 support for that is not implemented.
10832
10833 Specify mechanism names, "/file/name" patterns, or "type:table" lookup
10834 tables, separated by comma or whitespace. The right-hand side result
10835 from "type:table" lookups is ignored. Specify "!pattern" to exclude a
10836 mechanism name from the list.
10837
10838 Examples:
10839
10840 smtpd_sasl_mechanism_filter = !external, !gssapi, static:rest
10841 smtpd_sasl_mechanism_filter = login, plain
10842 smtpd_sasl_mechanism_filter = /etc/postfix/smtpd_mechs
10843
10844 This feature is available in Postfix 3.6 and later.
10845
10847 Implementation-specific information that the Postfix SMTP server passes
10848 through to the SASL plug-in implementation that is selected with
10849 smtpd_sasl_type. Typically this specifies the name of a configuration
10850 file or rendezvous point.
10851
10852 This feature is available in Postfix 2.3 and later. In earlier releases
10853 it was called smtpd_sasl_application_name.
10854
10856 The maximum length of a SASL client's response to a server challenge.
10857 When the client's "initial response" is longer than the normal limit
10858 for SMTP commands, the client must omit its initial response, and wait
10859 for an empty server challenge; it can then send what would have been
10860 its "initial response" as a response to the empty server challenge.
10861 RFC4954 requires the server to accept client responses up to at least
10862 12288 octets of base64-encoded text. The default value is therefore
10863 also the minimum value accepted for this parameter.
10864
10865 This feature is available in Postfix 3.4 and later. Prior versions use
10866 "line_length_limit", which may need to be raised to accommodate larger
10867 client responses, as may be needed with GSSAPI authentication of Win‐
10868 dows AD users who are members of many groups.
10869
10871 Postfix SMTP server SASL security options; as of Postfix 2.3 the list
10872 of available features depends on the SASL server implementation that is
10873 selected with smtpd_sasl_type.
10874
10875 The following security features are defined for the cyrus server SASL
10876 implementation:
10877
10878 Restrict what authentication mechanisms the Postfix SMTP server will
10879 offer to the client. The list of available authentication mechanisms
10880 is system dependent.
10881
10882 Specify zero or more of the following:
10883
10884 noplaintext
10885 Disallow methods that use plaintext passwords.
10886
10887 noactive
10888 Disallow methods subject to active (non-dictionary) attack.
10889
10890 nodictionary
10891 Disallow methods subject to passive (dictionary) attack.
10892
10893 noanonymous
10894 Disallow methods that allow anonymous authentication.
10895
10896 forward_secrecy
10897 Only allow methods that support forward secrecy (Dovecot only).
10898
10899 mutual_auth
10900 Only allow methods that provide mutual authentication (not
10901 available with Cyrus SASL version 1).
10902
10903 By default, the Postfix SMTP server accepts plaintext passwords but not
10904 anonymous logins.
10905
10906 Warning: it appears that clients try authentication methods in the or‐
10907 der as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) which
10908 means that if you disable plaintext passwords, clients will log in
10909 anonymously, even when they should be able to use CRAM-MD5. So, if you
10910 disable plaintext logins, disable anonymous logins too. Postfix treats
10911 anonymous login as no authentication.
10912
10913 Example:
10914
10915 smtpd_sasl_security_options = noanonymous, noplaintext
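The interaction between smtpd_sasl_mechanism_filter (above, line 10840 onwards) and smtpd_sasl_security_options is easiest to see by computing the announced list. The following Python model is an added example, not Postfix or Cyrus SASL code: it applies the security options first, then the mechanism filter with Postfix list semantics (first match decides, "!pattern" excludes, "static:rest" matches everything, no match means not announced), and reproduces the warning above by showing that "noplaintext" alone leaves ANONYMOUS as the first advertised mechanism. The table of which option removes which mechanism is an assumption for the demonstration; in practice the SASL backend chosen with smtpd_sasl_type decides.

```python
"""Model of how smtpd_sasl_security_options and smtpd_sasl_mechanism_filter
shape the AUTH mechanism list that the Postfix SMTP server announces.
Added example for study, not Postfix or Cyrus SASL code. The per-mechanism
property table is an assumption for the demonstration; in reality the SASL
backend selected with smtpd_sasl_type decides which options apply."""
import re

# Assumed properties: which security option removes which mechanism.
MECH_PROPERTIES = {
    "PLAIN":      {"plaintext", "dictionary"},
    "LOGIN":      {"plaintext", "dictionary"},
    "ANONYMOUS":  {"anonymous"},
    "CRAM-MD5":   {"dictionary"},
    "DIGEST-MD5": {"dictionary"},
    "GSSAPI":     set(),
    "EXTERNAL":   set(),
}
OPTION_REMOVES = {"noplaintext": "plaintext", "noanonymous": "anonymous",
                  "nodictionary": "dictionary"}


def _split_list(value):
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def apply_security_options(mechanisms, options):
    """Drop every mechanism that has a property one of the options forbids."""
    forbidden = {OPTION_REMOVES[o] for o in _split_list(options) if o in OPTION_REMOVES}
    return [m for m in mechanisms if not (MECH_PROPERTIES.get(m, set()) & forbidden)]


def apply_mechanism_filter(mechanisms, filter_value, tables=None):
    """Postfix list semantics: patterns are tried in order and the first match
    decides; "!pattern" excludes; a type:table pattern matches when the name is
    a key (static:rest matches everything); a mechanism that matches nothing
    is not announced. An empty filter announces everything."""
    patterns = _split_list(filter_value)
    if not patterns:
        return list(mechanisms)
    tables = tables or {}
    announced = []
    for mech in mechanisms:
        for pattern in patterns:
            negate = pattern.startswith("!")
            body = pattern.lstrip("!")
            if ":" in body:
                hit = body.startswith("static:") or mech in tables.get(body, ())
            else:
                hit = body.upper() == mech.upper()      # names compared case-insensitively
            if hit:
                if not negate:
                    announced.append(mech)
                break
    return announced


def announced_mechanisms(backend, security_options, mechanism_filter="!external, static:rest"):
    """Order is preserved: the documentation warns that clients try mechanisms
    in the advertised order, so what comes first matters."""
    return apply_mechanism_filter(apply_security_options(backend, security_options),
                                  mechanism_filter)


def client_would_use(backend, security_options, mechanism_filter="!external, static:rest"):
    """The hazard from the documentation: a client that takes the first
    advertised mechanism ends up with ANONYMOUS, which Postfix treats as no
    authentication, when noplaintext is set without noanonymous."""
    offered = announced_mechanisms(backend, security_options, mechanism_filter)
    return offered[0] if offered else None


# Constructed backend list, in the order a Cyrus-style plugin might return it.
BACKEND = ["PLAIN", "ANONYMOUS", "CRAM-MD5", "DIGEST-MD5", "LOGIN", "GSSAPI", "EXTERNAL"]

if __name__ == "__main__":
    for opts in ("noanonymous", "noplaintext", "noanonymous, noplaintext"):
        print(f"{opts:28s} -> {announced_mechanisms(BACKEND, opts)}")
    print("login, plain filter ->", announced_mechanisms(BACKEND, "noanonymous", "login, plain"))
```

The filter is a positive list: "login, plain" announces only those two, whatever the backend offers, which is a simpler way to pin the mechanism set on a server that terminates TLS and accepts plaintext only there (see smtpd_sasl_tls_security_options below).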
10916
10918 The service name that is passed to the SASL plug-in that is selected
10919 with smtpd_sasl_type and smtpd_sasl_path.
10920
10921 This feature is available in Postfix 2.11 and later. Prior versions be‐
10922 have as if "smtp" is specified.
10923
10925 The SASL authentication security options that the Postfix SMTP server
10926 uses for TLS encrypted SMTP sessions.
10927
10928 This feature is available in Postfix 2.2 and later.
10929
10931 The SASL plug-in type that the Postfix SMTP server should use for au‐
10932 thentication. The available types are listed with the "postconf -a"
10933 command.
10934
10935 This feature is available in Postfix 2.3 and later.
10936
10938 Optional lookup table with the SASL login names that own the sender
10939 (MAIL FROM) addresses.
10940
10941 Specify zero or more "type:name" lookup tables, separated by whitespace
10942 or comma. Tables will be searched in the specified order until a match
10943 is found. With lookups from indexed files such as DB or DBM, or from
10944 networked tables such as NIS, LDAP or SQL, the following search opera‐
10945 tions are done with a sender address of user@domain:
10946
10947 1) user@domain
10948 This table lookup is always done and has the highest precedence.
10949
10950 2) user
10951 This table lookup is done only when the domain part of the
10952 sender address matches $myorigin, $mydestination, $inet_inter‐
10953 faces or $proxy_interfaces.
10954
10955 3) @domain
10956 This table lookup is done last and has the lowest precedence.
10957
10958 In all cases the result of table lookup must be either "not found" or a
10959 list of SASL login names separated by comma and/or whitespace.
10960
10962 Optional restrictions that the Postfix SMTP server applies in the con‐
10963 text of a client MAIL FROM command. See SMTPD_ACCESS_README, section
10964 "Delayed evaluation of SMTP access restriction lists" for a discussion
10965 of evaluation context and time.
10966
10967 The default is to permit everything.
10968
10969 Specify a list of restrictions, separated by commas and/or whitespace.
10970 Continue long lines by starting the next line with whitespace. Re‐
10971 strictions are applied in the order as specified; the first restriction
10972 that matches wins.
10973
10974 The following restrictions are specific to the sender address received
10975 with the MAIL FROM command.
10976
10977 check_sender_access type:table
10978 Search the specified access(5) database for the MAIL FROM ad‐
10979 dress, domain, parent domains, or localpart@, and execute the
10980 corresponding action.
10981
10982 check_sender_a_access type:table
10983 Search the specified access(5) database for the IP addresses for
10984 the MAIL FROM domain, and execute the corresponding action.
10985 Note: a result of "OK" is not allowed for safety reasons. In‐
10986 stead, use DUNNO in order to exclude specific hosts from
10987 denylists. This feature is available in Postfix 3.0 and later.
10988
10989 check_sender_mx_access type:table
10990 Search the specified access(5) database for the MX hosts for the
10991 MAIL FROM domain, and execute the corresponding action. If no
10992 MX record is found, look up A or AAAA records, just like the
10993 Postfix SMTP client would. Note: a result of "OK" is not allowed
10994 for safety reasons. Instead, use DUNNO in order to exclude spe‐
10995 cific hosts from denylists. This feature is available in Post‐
10996 fix 2.1 and later.
10997
10998 check_sender_ns_access type:table
10999 Search the specified access(5) database for the DNS servers for
11000 the MAIL FROM domain, and execute the corresponding action.
11001 Note: a result of "OK" is not allowed for safety reasons. In‐
11002 stead, use DUNNO in order to exclude specific hosts from
11003 denylists. This feature is available in Postfix 2.1 and later.
11004
11005 reject_authenticated_sender_login_mismatch
11006 Reject the request when the client is authenticated with SASL,
11007 but either the MAIL FROM address is not listed in
11008 $smtpd_sender_login_maps, or the SASL login name is not an owner
11009 for that address.
11010 This prevents an authenticated client from using a MAIL FROM ad‐
11011 dress that they do not explicitly own.
11012 This feature is available in Postfix version 2.1 and later.
11013
11014 reject_known_sender_login_mismatch
11015 When the client is authenticated with SASL, reject the request
11016 when the MAIL FROM address is listed in $smtpd_sender_lo‐
11017 gin_maps, but the SASL login name is not an owner for that ad‐
11018 dress.
11019 When the client is not authenticated with SASL, reject the re‐
11020 quest when SASL is enabled, and the MAIL FROM address is listed
11021 in $smtpd_sender_login_maps.
11022 This protects any MAIL FROM address that is listed in
11023 $smtpd_sender_login_maps, while still allowing a client to use
11024 any unlisted MAIL FROM address.
11025 This feature is available in Postfix version 2.11 and later.
11026
11027 reject_non_fqdn_sender
11028 Reject the request when the MAIL FROM address specifies a domain
11029 that is not in fully-qualified domain form as required by the
11030 RFC.
11031 The non_fqdn_reject_code parameter specifies the response code
11032 for rejected requests (default: 504).
11033
11034 reject_rhsbl_sender rbl_domain=d.d.d.d
11035 Reject the request when the MAIL FROM domain is listed with the
11036 A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
11037 later only). Each "d" is a number, or a pattern inside "[]"
11038 that contains one or more ";"-separated numbers or number..num‐
11039 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
11040 specified, reject the request when the MAIL FROM domain is
11041 listed with any A record under rbl_domain.
11042 The maps_rbl_reject_code parameter specifies the response code
11043 for rejected requests (default: 554); the default_rbl_reply pa‐
11044 rameter specifies the default server reply; and the rbl_re‐
11045 ply_maps parameter specifies tables with server replies indexed
11046 by rbl_domain. This feature is available in Postfix 2.0 and
11047 later.
11048
11049 reject_sender_login_mismatch
11050 As of Postfix 2.1, this is an alias for "reject_authenti‐
11051 cated_sender_login_mismatch, reject_unauthenticated_sender_lo‐
11052 gin_mismatch".
11053
11054 reject_unauthenticated_sender_login_mismatch
11055 Reject the request when SASL is enabled, the MAIL FROM address
11056 is listed in $smtpd_sender_login_maps, but the client is not au‐
11057 thenticated with SASL.
11058 With SASL enabled, this prevents an unauthenticated client from
11059 using any MAIL FROM address that is listed in $smtpd_sender_lo‐
11060 gin_maps.
11061 This feature is available in Postfix version 2.1 and later.
11062
11063 reject_unknown_sender_domain
11064 Reject the request when Postfix is not the final destination for
11065 the sender address, and the MAIL FROM domain has 1) no DNS MX
11066 and no DNS A record, or 2) a malformed MX record such as a
11067 record with a zero-length MX hostname (Postfix version 2.3 and
11068 later).
11069 The reply is specified with the unknown_address_reject_code pa‐
11070 rameter (default: 450), unknown_address_tempfail_action (de‐
11071 fault: defer_if_permit), or 550 (nullmx, Postfix 3.0 and later).
11072 See the respective parameter descriptions for details.
11073
11074 reject_unlisted_sender
11075 Reject the request when the MAIL FROM address is not listed in
11076 the list of valid recipients for its domain class. See the
11077 smtpd_reject_unlisted_sender parameter description for details.
11078 This feature is available in Postfix 2.1 and later.
11079
11080 reject_unverified_sender
11081 Reject the request when mail to the MAIL FROM address is known
11082 to bounce, or when the sender address destination is not reach‐
11083 able. Address verification information is managed by the ver‐
11084 ify(8) server; see the ADDRESS_VERIFICATION_README file for de‐
11085 tails.
11086 The unverified_sender_reject_code parameter specifies the numer‐
11087 ical response code when an address is known to bounce (default:
11088 450, change into 550 when you are confident that it is safe to
11089 do so).
11090 The unverified_sender_defer_code specifies the numerical re‐
11091 sponse code when an address probe failed due to a temporary
11092 problem (default: 450).
11093 The unverified_sender_tempfail_action parameter specifies the
11094 action after address probe failure due to a temporary problem
11095 (default: defer_if_permit).
11096 This feature breaks for aliased addresses with "enable_origi‐
11097 nal_recipient = no" (Postfix <= 3.2).
11098 This feature is available in Postfix 2.1 and later.
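The "rbl_domain=d.d.d.d" reply pattern used by reject_rhsbl_sender above (and identically by reject_rhsbl_recipient and the other reject_rbl_* / reject_rhsbl_* restrictions) has a parsing subtlety: the ".." range separator inside "[]" contains dots, so the pattern cannot simply be split on ".". The following Python matcher is an added example, not Postfix code; the DNS answers it checks are constructed inline rather than queried.

```python
"""Model of the "rbl_domain=d.d.d.d" reply pattern used by reject_rhsbl_sender,
reject_rhsbl_recipient and related restrictions. Added example for study;
not Postfix code. DNS answers are constructed inline instead of queried."""


def split_octets(spec):
    """Split d.d.d.d on dots, but not on the dots inside a [..] range."""
    parts, current, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts


def parse_reply_pattern(spec):
    """Each d is a number, or [n;n..m;...]: ';'-separated numbers and ranges
    (Postfix 2.8+). Returns four lists of (low, high) ranges."""
    parts = split_octets(spec)
    if len(parts) != 4:
        raise ValueError(f"expected d.d.d.d, got {spec!r}")
    ranges = []
    for part in parts:
        alternatives = []
        items = part[1:-1].split(";") if part.startswith("[") and part.endswith("]") else [part]
        for item in items:
            low, _, high = item.partition("..")
            low, high = int(low), int(high or low)
            if not (0 <= low <= high <= 255):
                raise ValueError(f"bad octet range {item!r} in {spec!r}")
            alternatives.append((low, high))
        ranges.append(alternatives)
    return ranges


def reply_matches(spec, a_record):
    """True when the A record satisfies every octet pattern in spec."""
    octets = [int(o) for o in a_record.split(".")]
    return all(any(low <= octet <= high for low, high in alts)
               for alts, octet in zip(parse_reply_pattern(spec), octets))


def reject_rhsbl(domain, rbl_domain, answers, spec=None):
    """reject_rhsbl_* check: look up <domain>.<rbl_domain>; reject when any A
    record matches spec, or when any A record exists and no spec was given.
    `answers` maps query names to lists of A records (constructed here)."""
    records = answers.get(f"{domain.lower()}.{rbl_domain}", [])
    if spec is None:
        return bool(records)
    return any(reply_matches(spec, record) for record in records)


# Constructed answers for an imaginary list; 127.0.0.x return codes are the usual convention.
ANSWERS = {
    "spammer.example.rhsbl.example": ["127.0.0.2", "127.0.0.10"],
    "listed-elsewhere.example.rhsbl.example": ["127.0.0.10"],
}

if __name__ == "__main__":
    for d in ("spammer.example", "listed-elsewhere.example", "clean.example"):
        print(d, reject_rhsbl(d, "rhsbl.example", ANSWERS, "127.0.0.[2;4..6]"))
```

Restricting the match to specific return codes ("127.0.0.[2;4..6]" rather than any A record) is what keeps a list's informational or test codes from causing rejections; the unqualified form rejects on any listing, including codes the list operator reserves for other purposes.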
11099
11100 Other restrictions that are valid in this context:
11101
11102 • Generic restrictions that can be used in any SMTP command con‐
11103 text, described under smtpd_client_restrictions.
11104
11105 • SMTP command specific restrictions described under
11106 smtpd_client_restrictions and smtpd_helo_restrictions.
11107
11108 • SMTP command specific restrictions described under smtpd_recipi‐
11109 ent_restrictions. When recipient restrictions are listed under
11110 smtpd_sender_restrictions, they have effect only with "smtpd_de‐
11111 lay_reject = yes", so that $smtpd_sender_restrictions is evalu‐
11112 ated at the time of the RCPT TO command.
11113
11114 Examples:
11115
11116 smtpd_sender_restrictions = reject_unknown_sender_domain
11117 smtpd_sender_restrictions = reject_unknown_sender_domain,
11118 check_sender_access hash:/etc/postfix/access
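The three sender-login mismatch restrictions above differ only in what they do with an address that is not listed in smtpd_sender_login_maps, and the lookup order of that map (user@domain, then user for local domains only, then @domain) decides who counts as an owner. The following Python model is an added example, not the smtpd(8) implementation: it performs the documented lookups against a constructed table and applies reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch, reject_known_sender_login_mismatch and the reject_sender_login_mismatch alias. Case-insensitive comparison of login names is an assumption of this model.

```python
"""Model of smtpd_sender_login_maps lookups and the *_sender_login_mismatch
restrictions. Added example for study, not the smtpd(8) implementation.
Tables are constructed inline as dicts; comparisons are case-insensitive
(an assumption of this model)."""
from dataclasses import dataclass


@dataclass
class Session:
    sasl_enabled: bool            # smtpd_sasl_auth_enable
    sasl_username: str = None     # None when the client did not authenticate


def sender_owners(sender, maps, local_domains):
    """Return the list of SASL login names that own `sender`, or None.
    Search order from the documentation: user@domain (always, highest
    precedence); user (only when the domain matches $myorigin, $mydestination,
    $inet_interfaces or $proxy_interfaces, given here as `local_domains`);
    @domain (last). Each key is tried against the tables in the order given."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}"]
    if domain in local_domains:
        keys.append(user)
    keys.append(f"@{domain}")
    for key in keys:
        for table in maps:
            if key in table:
                return [name.lower() for name in table[key].replace(",", " ").split()]
    return None


def _login_is_owner(session, owners):
    return owners is not None and session.sasl_username.lower() in owners


def reject_authenticated_sender_login_mismatch(session, owners):
    """Authenticated client: the address must be listed AND owned by the login."""
    if session.sasl_username is None:
        return None                                    # does not apply
    return "REJECT" if not _login_is_owner(session, owners) else None


def reject_unauthenticated_sender_login_mismatch(session, owners):
    """Unauthenticated client with SASL enabled: any listed address is refused."""
    if session.sasl_enabled and session.sasl_username is None and owners is not None:
        return "REJECT"
    return None


def reject_known_sender_login_mismatch(session, owners):
    """Protects only listed addresses; unlisted addresses stay usable by anyone."""
    if session.sasl_username is not None:
        if owners is not None and not _login_is_owner(session, owners):
            return "REJECT"
        return None
    return reject_unauthenticated_sender_login_mismatch(session, owners)


def reject_sender_login_mismatch(session, owners):
    """Alias for reject_authenticated_... followed by reject_unauthenticated_..."""
    return (reject_authenticated_sender_login_mismatch(session, owners)
            or reject_unauthenticated_sender_login_mismatch(session, owners))


# Constructed hash:-style table and the domains that enable the bare "user" key.
LOGIN_MAPS = [{"alice@example.com": "alice",
               "bob": "bob",
               "@example.com": "postmaster, alice"}]
LOCAL_DOMAINS = {"example.com"}


def check(restriction, sender, session, maps=LOGIN_MAPS, local_domains=LOCAL_DOMAINS):
    """Run one restriction for a MAIL FROM address; None means DUNNO (continue)."""
    return restriction(session, sender_owners(sender, maps, local_domains))


if __name__ == "__main__":
    mallory = Session(sasl_enabled=True, sasl_username="mallory")
    for sender in ("alice@example.com", "bob@example.com", "carol@example.com", "x@other.example"):
        print(sender,
              "authenticated:", check(reject_authenticated_sender_login_mismatch, sender, mallory),
              "known:", check(reject_known_sender_login_mismatch, sender, mallory))
```

The "@example.com" catch-all entry is the one to think about before deploying: it makes every otherwise-unlisted local address owned by "postmaster, alice", so with reject_authenticated_sender_login_mismatch an authenticated user "carol" is refused her own address unless a more specific "carol@example.com" entry exists. The bare "bob" key is consulted only for local domains, so "bob@other.example" is unlisted and an authenticated mallory is rejected under the authenticated variant but allowed under reject_known_sender_login_mismatch.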
11119
11121 The internal service that postscreen(8) hands off allowed connections
11122 to. In a future version there may be different classes of SMTP service.
11123
11124 This feature is available in Postfix 2.8.
11125
11127 The number of errors a remote SMTP client is allowed to make without
11128 delivering mail before the Postfix SMTP server slows down all its re‐
11129 sponses.
11130
11131 • With Postfix version 2.1 and later, when the error count is >
11132 $smtpd_soft_error_limit, the Postfix SMTP server delays all re‐
11133 sponses by $smtpd_error_sleep_time.
11134
11135 • With Postfix versions 2.0 and earlier, when the error count is >
11136 $smtpd_soft_error_limit, the Postfix SMTP server delays all re‐
11137 sponses by the larger of (number of errors) seconds or
11138 $smtpd_error_sleep_time.
11139
11140 • With Postfix versions 2.0 and earlier, when the error count is
11141 <= $smtpd_soft_error_limit, the Postfix SMTP server delays 4XX
11142 and 5XX responses by $smtpd_error_sleep_time.
11143
11145 The time limit for Postfix SMTP server write and read operations during
11146 TLS startup and shutdown handshake procedures. The current default
11147 value is stress-dependent. Before Postfix version 2.8, it was fixed at
11148 300s.
11149
11150 Specify a non-zero time value (an integral value plus an optional
11151 one-letter suffix that specifies the time unit). Time units: s (sec‐
11152 onds), m (minutes), h (hours), d (days), w (weeks). The default time
11153 unit is s (seconds).
11154
11155 This feature is available in Postfix 2.2 and later.
11156
11158 When the Postfix SMTP server wants to send an SMTP server response, how
11159 long it will wait for an underlying network write operation to
11160 complete; and when the Postfix SMTP server wants to receive an SMTP
11161 client request, how long it will wait for an underlying network read
11162 operation to complete. See smtpd_per_request_deadline for how this
11163 time limit may be enforced (with Postfix 2.9-3.6 see
11164 smtpd_per_record_deadline).
11165
11166 Normally the default limit is 300s, but it changes under overload to
11167 just 10s. With Postfix 2.5 and earlier, the SMTP server always uses a
11168 time limit of 300s by default.
11169
11170 Note: if you set SMTP time limits to very large values you may have to
11171 update the global ipc_timeout parameter.
11172
11173 Specify a non-zero time value (an integral value plus an optional
11174 one-letter suffix that specifies the time unit). Time units: s (sec‐
11175 onds), m (minutes), h (hours), d (days), w (weeks). The default time
11176 unit is s (seconds).
11177
11179 A file containing (PEM format) CA certificates of root CAs trusted to
11180 sign either remote SMTP client certificates or intermediate CA certifi‐
11181 cates. These are loaded into memory before the smtpd(8) server enters
11182 the chroot jail. If the number of trusted roots is large, consider us‐
11183 ing smtpd_tls_CApath instead, but note that the latter directory must
11184 be present in the chroot jail if the smtpd(8) server is chrooted. This
11185 file may also be used to augment the server certificate trust chain,
11186 but it is best to include all the required certificates directly in the
11187 server certificate file.
11188
11189 Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY the
11190 system-supplied default Certification Authority certificates.
11191
11192 Specify "tls_append_default_CA = no" to prevent Postfix from appending
11193 the system-supplied default CAs and trusting third-party certificates.
11194
11195 By default (see smtpd_tls_ask_ccert), client certificates are not re‐
11196 quested, and smtpd_tls_CAfile should remain empty. If you do make use
11197 of client certificates, the distinguished names (DNs) of the Certifica‐
11198 tion Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
11199 client in the client certificate request message. MUAs with multiple
11200 client certificates may use the list of preferred Certification Author‐
11201 ities to select the correct client certificate. You may want to put
11202 your "preferred" CA or CAs in this file, and install other trusted CAs
11203 in $smtpd_tls_CApath.
11204
11205 Example:
11206
11207 smtpd_tls_CAfile = /etc/postfix/CAcert.pem
11208
11209 This feature is available in Postfix 2.2 and later.
11210
11212 A directory containing (PEM format) CA certificates of root CAs trusted
11213 to sign either remote SMTP client certificates or intermediate CA cer‐
11214 tificates. Do not forget to create the necessary "hash" links with, for
11215 example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
11216 smtpd_tls_CApath in chroot mode, this directory (or a copy) must be in‐
11217 side the chroot jail.
11218
11219 Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to use ONLY
11220 the system-supplied default Certification Authority certificates.
11221
11222 Specify "tls_append_default_CA = no" to prevent Postfix from appending
11223 the system-supplied default CAs and trusting third-party certificates.
11224
11225 By default (see smtpd_tls_ask_ccert), client certificates are not re‐
11226 quested, and smtpd_tls_CApath should remain empty. In contrast to
11227 smtpd_tls_CAfile, DNs of Certification Authorities installed in
11228 $smtpd_tls_CApath are not included in the client certificate request
11229 message. MUAs with multiple client certificates may use the list of
11230 preferred Certification Authorities to select the correct client cer‐
11231 tificate. You may want to put your "preferred" CA or CAs in
11232 $smtpd_tls_CAfile, and install the remaining trusted CAs in
11233 $smtpd_tls_CApath.
11234
11235 Example:
11236
11237 smtpd_tls_CApath = /etc/postfix/certs
11238
11239 This feature is available in Postfix 2.2 and later.
11240
11242 Force the Postfix SMTP server to issue a TLS session id, even when TLS
11243 session caching is turned off (smtpd_tls_session_cache_database is
11244 empty). This behavior is compatible with Postfix < 2.3.
11245
11246 With Postfix 2.3 and later the Postfix SMTP server can disable session
11247 id generation when TLS session caching is turned off. This keeps remote
11248 SMTP clients from caching sessions that almost certainly cannot be
11249 re-used.
11250
11251 By default, the Postfix SMTP server always generates TLS session ids.
11252 This works around a known defect in mail client applications such as MS
11253 Outlook, and may also prevent interoperability issues with other MTAs.
11254
11255 Example:
11256
11257 smtpd_tls_always_issue_session_ids = no
11258
11259 This feature is available in Postfix 2.3 and later.
11260
11262 Ask a remote SMTP client for a client certificate. This information is
11263 needed for certificate based mail relaying with, for example, the per‐
11264 mit_tls_clientcerts feature.
11265
11266 Some clients such as Netscape will either complain if no certificate is
11267 available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
11268 tiple client certificates to choose from. This may be annoying, so this
11269 option is "off" by default.
11270
11271 This feature is available in Postfix 2.2 and later.
11272
11274 When TLS encryption is optional in the Postfix SMTP server, do not an‐
11275 nounce or accept SASL authentication over unencrypted connections.
11276
11277 This feature is available in Postfix 2.2 and later.
11278
11280 The verification depth for remote SMTP client certificates. A depth of
11281 1 is sufficient if the issuing CA is listed in a local CA file.
11282
11283 The default verification depth is 9 (the OpenSSL default) for compati‐
11284 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
11285 value was 5, but the limit was not actually enforced. If you have set
11286 this to a lower non-default value, certificates with longer trust
11287 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
11288 common, deeper chains are more rare and any number between 5 and 9
11289 should suffice in practice. You can choose a lower number if, for exam‐
11290 ple, you trust certificates directly signed by an issuing CA but not
11291 any CAs it delegates to.
11292
11293 This feature is available in Postfix 2.2 and later.
11294
11296 File with the Postfix SMTP server RSA certificate in PEM format. This
11297 file may also contain the Postfix SMTP server private RSA key. With
11298 Postfix >= 3.4 the preferred way to configure server keys and certifi‐
11299 cates is via the "smtpd_tls_chain_files" parameter.
11300
11301 Public Internet MX hosts without certificates signed by a "reputable"
11302 CA must generate, and be prepared to present to most clients, a
11303 self-signed or private-CA signed certificate. The client will not be
11304 able to authenticate the server, but unless it is running Postfix 2.3
11305 or similar software, it will still insist on a server certificate.
11306
11307 For servers that are not public Internet MX hosts, Postfix supports
11308 configurations with no certificates. This entails the use of just the
11309 anonymous TLS ciphers, which are not supported by typical SMTP clients.
11310 Since some clients may not fall back to plain text after a TLS hand‐
11311 shake failure, a certificate-less Postfix SMTP server will be unable to
11312 receive email from some TLS-enabled clients. To avoid accidental con‐
11313 figurations with no certificates, Postfix enables certificate-less op‐
11314 eration only when the administrator explicitly sets
11315 "smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server
11316 configurations will not accidentally enable TLS without certificates.
11317
11318 Note that server certificates are not optional in TLS 1.3. To run with‐
11319 out certificates you'd have to disable the TLS 1.3 protocol by includ‐
11320 ing '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also
11321 "smtpd_tls_mandatory_protocols". It is simpler instead to just config‐
11322 ure a certificate chain. Certificate-less operation is not recom‐
11323 mended.
11324
11325 Both RSA and DSA certificates are supported. When both types are
11326 present, the cipher used determines which certificate will be presented
11327 to the client. For Netscape and OpenSSL clients without special cipher
11328 choices the RSA certificate is preferred.
11329
11330 To enable a remote SMTP client to verify the Postfix SMTP server cer‐
11331 tificate, the issuing CA certificates must be made available to the
11332 client. You should include the required certificates in the server cer‐
11333 tificate file, the server certificate first, then the issuing CA(s)
11334 (bottom-up order).
11335
11336 Example: the certificate for "server.example.com" was issued by "inter‐
11337 mediate CA" which itself has a certificate of "root CA". Create the
11338 server.pem file with "cat server_cert.pem intermediate_CA.pem
11339 root_CA.pem > server.pem".
11340
11341 If you also want to verify client certificates issued by these CAs, you
11342 can add the CA certificates to the smtpd_tls_CAfile, in which case it
11343 is not necessary to have them in the smtpd_tls_cert_file,
11344 smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.
11345
11346 A certificate supplied here must be usable as an SSL server certificate
11347 and hence pass the "openssl verify -purpose sslserver ..." test.
11348
11349 Example:
11350
11351 smtpd_tls_cert_file = /etc/postfix/server.pem
11352
11353 This feature is available in Postfix 2.2 and later.
11354
11356 List of one or more PEM files, each holding one or more private keys
11357 directly followed by a corresponding certificate chain. The file names
11358 are separated by commas and/or whitespace. This parameter obsoletes
11359 the legacy algorithm-specific key and certificate file settings. When
11360 this parameter is non-empty, the legacy parameters are ignored, and a
11361 warning is logged if any are also non-empty.
11362
11363 With the proliferation of multiple private key algorithms (which, as of
11364 OpenSSL 1.1.1, include RSA, ECDSA, Ed25519, Ed448 and the obsolete DSA) it
11365 is increasingly impractical to use separate parameters to configure the
11366 key and certificate chain for each algorithm. Therefore, Postfix now
11367 supports storing multiple keys and corresponding certificate chains in
11368 a single file or in a set of files.
11369
11370 Each key must appear immediately before the corresponding certificate,
11371 optionally followed by additional issuer certificates that complete the
11372 certificate chain for that key. When multiple files are specified,
11373 they are equivalent to a single file that is concatenated from those
11374 files in the given order. Thus, while a key must always precede its
11375 certificate and issuer chain, it can be in a separate file, so long as
11376 that file is listed immediately before the file that holds the corre‐
11377 sponding certificate chain. Once all the files are concatenated, the
11378 sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
11379 [chain2], ..., keyN, certN, [chainN].
11380
11381 Storing the private key in the same file as the corresponding certifi‐
11382 cate is more reliable. With the key and certificate in separate files,
11383 there is a chance that during key rollover a Postfix process might load
11384 a private key and certificate from separate files that don't match.
11385 Various operational errors may even result in a persistent broken con‐
11386 figuration in which the certificate does not match the private key.
11387
11388 The file or files must contain at most one key of each type. If, for
11389 example, two or more RSA keys and corresponding chains are listed, de‐
11390 pending on the version of OpenSSL either only the last one will be used
11391 or a configuration error may be detected. Note that while "Ed25519"
11392 and "Ed448" are considered separate algorithms, the various ECDSA
11393 curves (typically one of prime256v1, secp384r1 or secp521r1) are con‐
11394 sidered as different parameters of a single "ECDSA" algorithm, so it is
11395 not presently possible to configure keys for more than one ECDSA curve.
11396
11397 RSA is still the most widely supported algorithm. Presently (late
11398 2018), ECDSA support is common, but not yet universal, and Ed25519 and
11399 Ed448 support is mostly absent. Therefore, an RSA key should generally
11400 be configured, along with any additional keys for the other algorithms
11401 when desired.
11402
11403 Example (separate files for each key and corresponding certificate
11404 chain):
11405
11406 /etc/postfix/main.cf:
11407 smtpd_tls_chain_files =
11408 ${config_directory}/ed25519.pem,
11409 ${config_directory}/ed448.pem,
11410 ${config_directory}/rsa.pem
11411
11412 /etc/postfix/ed25519.pem:
11413 -----BEGIN PRIVATE KEY-----
11414 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
11415 -----END PRIVATE KEY-----
11416 -----BEGIN CERTIFICATE-----
11417 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
11418 ...
11419 nC0egv51YPDWxEHom4QA
11420 -----END CERTIFICATE-----
11421
11422 /etc/postfix/ed448.pem:
11423 -----BEGIN PRIVATE KEY-----
11424 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
11425 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
11426 -----END PRIVATE KEY-----
11427 -----BEGIN CERTIFICATE-----
11428 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
11429 ...
11430 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
11431 -----END CERTIFICATE-----
11432
11433 /etc/postfix/rsa.pem:
11434 -----BEGIN PRIVATE KEY-----
11435 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
11436 ...
11437 ahQkZ3+krcaJvDSMgvu0tDc=
11438 -----END PRIVATE KEY-----
11439 -----BEGIN CERTIFICATE-----
11440 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
11441 ...
11442 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
11443 -----END CERTIFICATE-----
11444
11445 Example (all keys and certificates in a single file):
11446
11447 /etc/postfix/main.cf:
11448 smtpd_tls_chain_files = ${config_directory}/chains.pem
11449
11450 /etc/postfix/chains.pem:
11451 -----BEGIN PRIVATE KEY-----
11452 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
11453 -----END PRIVATE KEY-----
11454 -----BEGIN CERTIFICATE-----
11455 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
11456 ...
11457 nC0egv51YPDWxEHom4QA
11458 -----END CERTIFICATE-----
11459 -----BEGIN PRIVATE KEY-----
11460 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
11461 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
11462 -----END PRIVATE KEY-----
11463 -----BEGIN CERTIFICATE-----
11464 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
11465 ...
11466 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
11467 -----END CERTIFICATE-----
11468 -----BEGIN PRIVATE KEY-----
11469 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
11470 ...
11471 ahQkZ3+krcaJvDSMgvu0tDc=
11472 -----END PRIVATE KEY-----
11473 -----BEGIN CERTIFICATE-----
11474 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
11475 ...
11476 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
11477 -----END CERTIFICATE-----
11478
11479 This feature is available in Postfix 3.4 and later.
11480
11482 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
11483 list. It is easy to create interoperability problems by choosing a
11484 non-default cipher list. Do not use a non-default TLS cipherlist for MX
11485 hosts on the public Internet. Clients that begin the TLS handshake, but
11486 are unable to agree on a common cipher, may not be able to send any
11487 email to the SMTP server. Using a restricted cipher list may be more
11488 appropriate for a dedicated MSA or an internal mailhub, where one can
11489 exert some control over the TLS software and settings of the connecting
11490 clients.
11491
11492 Note: do not use "" quotes around the parameter value.
11493
11494 This feature is available with Postfix version 2.2. It is not used with
11495 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
11496
11498 The minimum TLS cipher grade that the Postfix SMTP server will use with
11499 opportunistic TLS encryption. Cipher types listed in smtpd_tls_ex‐
11500 clude_ciphers are excluded from the base definition of the selected ci‐
11501 pher grade. The default value is "medium" for Postfix releases after
11502 the middle of 2015, "export" for older releases.
11503
11504 When TLS is mandatory the cipher grade is chosen via the
11505 smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
11506 tax details.
11507
11508 This feature is available in Postfix 2.6 and later. With earlier Post‐
11509 fix releases only the smtpd_tls_mandatory_ciphers parameter is imple‐
11510 mented, and opportunistic TLS always uses "export" or better (i.e. all)
11511 ciphers.
11512
11514 File with the Postfix SMTP server DSA certificate in PEM format. This
11515 file may also contain the Postfix SMTP server private DSA key. The DSA
11516 algorithm is obsolete and should not be used.
11517
11518 See the discussion under smtpd_tls_cert_file for more details.
11519
11520 Example:
11521
11522 smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
11523
11524 This feature is available in Postfix 2.2 and later.
11525
11527 File with DH parameters that the Postfix SMTP server should use with
11528 non-export EDH ciphers.
11529
11530 With Postfix >= 3.7 built with OpenSSL 3.0.0 or later, if the parameter
11531 value is either empty or "auto", then the DH parameter selection is
11532 delegated to the OpenSSL library, which selects appropriate parameters
11533 based on the TLS handshake. This choice is likely to be the most
11534 interoperable with SMTP clients using various TLS libraries, and custom
11535 local parameters are no longer recommended when using Postfix >= 3.7
11536 built against OpenSSL 3.0.0 or later.
11537
11538 The best-practice choice of parameters uses a 2048-bit prime. This is
11539 fine, despite the historical "1024" in the parameter name. Do not be
11540 tempted to use much larger values, performance degrades quickly, and
11541 you may also cease to interoperate with some mainstream SMTP clients.
11542 As of Postfix 3.1, the compiled-in default prime is 2048-bits, and it
11543 is not strictly necessary, though perhaps somewhat beneficial to gener‐
11544 ate custom DH parameters.
11545
11546 Instead of using the exact same parameter sets as distributed with
11547 other TLS packages, it is more secure to generate your own set of pa‐
11548 rameters with something like the following commands:
11549
11550 openssl dhparam -out /etc/postfix/dh2048.pem 2048
11551 openssl dhparam -out /etc/postfix/dh1024.pem 1024
11552 # Only for Postfix < 3.6: as of Postfix 3.6, export-grade 512-bit DH
11553 # parameters are no longer supported or needed.
11554 openssl dhparam -out /etc/postfix/dh512.pem 512
11555
11556 It is safe to share the same DH parameters between multiple Postfix in‐
11557 stances. If you prefer, you can generate separate parameters for each
11558 instance.
11559
11560 If you want to take maximal advantage of ciphers that offer forward se‐
11561 crecy see the Getting started section of FORWARD_SECRECY_README. The
11562 full document conveniently presents all information about Postfix "per‐
11563 fect" forward secrecy support in one place: what forward secrecy is,
11564 how to tweak settings, and what you can expect to see when Postfix uses
11565 ciphers with forward secrecy.
11566
11567 Example:
11568
11569 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
11570
11571 This feature is available in Postfix 2.2 and later.
11572
11574 File with DH parameters that the Postfix SMTP server should use with
11575 export-grade EDH ciphers. The default SMTP server cipher grade is
11576 "medium" with Postfix releases after the middle of 2015, and as a re‐
11577 sult export-grade cipher suites are by default not used.
11578
11579 With Postfix >= 3.6 export-grade Diffie-Hellman key exchange is no
11580 longer supported, and this parameter is silently ignored.
11581
11582 See also the discussion under the smtpd_tls_dh1024_param_file configu‐
11583 ration parameter.
11584
11585 Example:
11586
11587 smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
11588
11589 This feature is available in Postfix 2.2 and later, but is ignored in
11590 Postfix 3.6 and later.
11591
11593 File with the Postfix SMTP server DSA private key in PEM format. This
11594 file may be combined with the Postfix SMTP server DSA certificate file
11595 specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete and
11596 should not be used.
11597
11598 The private key must be accessible without a pass-phrase, i.e. it must
11599 not be encrypted. File permissions should grant read-only access to the
11600 system superuser account ("root"), and no access to anyone else.
11601
11602 This feature is available in Postfix 2.2 and later.
11603
11605 File with the Postfix SMTP server ECDSA certificate in PEM format.
11606 This file may also contain the Postfix SMTP server private ECDSA key.
11607 With Postfix >= 3.4 the preferred way to configure server keys and cer‐
11608 tificates is via the "smtpd_tls_chain_files" parameter.
11609
11610 See the discussion under smtpd_tls_cert_file for more details.
11611
11612 Example:
11613
11614 smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
11615
11616 This feature is available in Postfix 2.6 and later, when Postfix is
11617 compiled and linked with OpenSSL 1.0.0 or later.
11618
11620 File with the Postfix SMTP server ECDSA private key in PEM format.
11621 This file may be combined with the Postfix SMTP server ECDSA certifi‐
11622 cate file specified with $smtpd_tls_eccert_file. With Postfix >= 3.4
11623 the preferred way to configure server keys and certificates is via the
11624 "smtpd_tls_chain_files" parameter.
11625
11626 The private key must be accessible without a pass-phrase, i.e. it must
11627 not be encrypted. File permissions should grant read-only access to the
11628 system superuser account ("root"), and no access to anyone else.
11629
11630 This feature is available in Postfix 2.6 and later, when Postfix is
11631 compiled and linked with OpenSSL 1.0.0 or later.
11632
11634 The Postfix SMTP server security grade for ephemeral elliptic-curve
11635 Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of
11636 this parameter is always ignored, and Postfix behaves as though the
11637 auto value (described below) was chosen.
11638
11639 The available choices are:
11640
11641 auto Use the most preferred curve that is supported by both the
11642 client and the server. This setting requires Postfix >= 3.2
11643 compiled and linked with OpenSSL >= 1.0.2. This is the default
11644 setting under the above conditions (and the only setting used
11645 with Postfix >= 3.6).
11646
11647 none Don't use EECDH. Ciphers based on EECDH key exchange will be
11648 disabled. This is the default in Postfix versions 2.6 and 2.7.
11649
11650 strong Use EECDH with approximately 128 bits of security at a reason‐
11651 able computational cost. This is the default in Postfix versions
11652 2.8-3.5.
11653
11654 ultra Use EECDH with approximately 192 bits of security at computa‐
11655 tional cost that is approximately twice as high as 128 bit
11656 strength ECC.
11657
11658 If you want to take maximal advantage of ciphers that offer forward se‐
11659 crecy see the Getting started section of FORWARD_SECRECY_README. The
11660 full document conveniently presents all information about Postfix "per‐
11661 fect" forward secrecy support in one place: what forward secrecy is,
11662 how to tweak settings, and what you can expect to see when Postfix uses
11663 ciphers with forward secrecy.
11664
11665 This feature is available in Postfix 2.6 and later, when it is compiled
11666 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11667 have not been disabled by the vendor.
11668
11670 List of ciphers or cipher types to exclude from the SMTP server cipher
11671 list at all TLS security levels. Excluding valid ciphers can create in‐
11672 teroperability problems. DO NOT exclude ciphers unless it is essential
11673 to do so. This is not an OpenSSL cipherlist; it is a simple list sepa‐
11674 rated by whitespace and/or commas. The elements are a single cipher, or
11675 one or more "+" separated cipher properties, in which case only ciphers
11676 matching all the properties are excluded.
11677
11678 Examples (some of these will cause problems):
11679
11680 smtpd_tls_exclude_ciphers = aNULL
11681 smtpd_tls_exclude_ciphers = MD5, DES
11682 smtpd_tls_exclude_ciphers = DES+MD5
11683 smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
11684 smtpd_tls_exclude_ciphers = kEDH+aRSA
11685
11686 The first setting disables anonymous ciphers. The next setting disables
11687 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
11688 tion algorithm. The next setting disables ciphers that use MD5 and DES
11689 together. The next setting disables the two ciphers "AES256-SHA" and
11690 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
11691 exchange with RSA authentication.
11692
11693 This feature is available in Postfix 2.3 and later.
11694
11696 The message digest algorithm to construct remote SMTP client-certifi‐
11697 cate fingerprints or public key fingerprints (Postfix 2.9 and later)
11698 for check_ccert_access and permit_tls_clientcerts.
11699
11700 The default algorithm is sha256 with Postfix >= 3.6 and the compatibil‐
11701 ity_level set to 3.6 or higher. With Postfix <= 3.5, the default algo‐
11702 rithm is md5.
11703
11704 The best-practice algorithm is now sha256. Recent advances in hash
11705 function cryptanalysis have led to md5 and sha1 being deprecated in fa‐
11706 vor of sha256. However, as long as there are no known "second pre-im‐
11707 age" attacks against the older algorithms, their use in this context,
11708 though not recommended, is still likely safe.
11709
11710 While additional digest algorithms are often available with OpenSSL's
11711 libcrypto, only those used by libssl in SSL cipher suites are available
11712 to Postfix. You'll likely find support for md5, sha1, sha256 and
11713 sha512.
11714
11715 To find the fingerprint of a specific certificate file, with a specific
11716 digest algorithm (replace "<digest>" with its name, e.g. sha256), run:
11717 
11718 $ openssl x509 -noout -fingerprint -<digest> -in certfile.pem
11719
11720 The text to the right of "=" sign is the desired fingerprint. For ex‐
11721 ample:
11722
11723 $ openssl x509 -noout -fingerprint -sha256 -in cert.pem
11724 SHA256 Fingerprint=D4:6A:AB:19:24:...:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
11725
11726 To extract the public key fingerprint from an X.509 certificate, you
11727 need to extract the public key from the certificate and compute the ap‐
11728 propriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
11729 key" option of the "x509" command extracts the public key always in
11730 "PEM" format. We pipe the result to another OpenSSL command that con‐
11731 verts the key to DER and then to the "dgst" command to compute the fin‐
11732 gerprint.
11733
11734 Example (the text after "=" is the digest, 32 colon-separated bytes for sha256):
11735 
11736 $ openssl x509 -in cert.pem -noout -pubkey |
11737 openssl pkey -pubin -outform DER |
11738 openssl dgst -sha256 -c
11739 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:...:bc:7c:60:58
11740
11741 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
11742 gerprint and public key fingerprint when the TLS loglevel is 2 or
11743 higher.
11744
11745 Example: client-certificate access table, with sha256 fingerprints:
11746
11747 /etc/postfix/main.cf:
11748 smtpd_tls_fingerprint_digest = sha256
11749 smtpd_client_restrictions =
11750 check_ccert_access hash:/etc/postfix/access,
11751 reject
11752 /etc/postfix/access:
11753 # Action folded to next line...
11754 AF:88:7C:AD:51:95:6F:36:96:...:01:FB:2E:48:CD:AB:49:25:A2:3B
11755 OK
11756 85:16:78:FD:73:6E:CE:70:E0:...:5F:0D:3C:C8:6D:C4:2C:24:59:E1
11757 permit_auth_destination
11758
11759 This feature is available in Postfix 2.5 and later.
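
The following added example (not Postfix code, and not from this manual) automates two of the checks described above: the smtpd_tls_chain_files rule that PEM objects must appear as key1, cert1, [chain1], key2, cert2, ... with at most one key per algorithm and no pass-phrase protected keys, and the smtpd_tls_fingerprint_digest computation of certificate and public-key fingerprints (the digest of the certificate DER and of the DER SubjectPublicKeyInfo, respectively, formatted as upper-case colon-separated hex the way Postfix logs them). The only real input is the Ed25519 key printed in the smtpd_tls_chain_files example; the RSA "key" and the two certificates are constructed PKCS#8/X.509 skeletons around dummy payloads, usable only as parser input. All function names are this example's own.

```python
"""Added example (not Postfix code) for two postconf(5) checks: the PEM object
order smtpd_tls_chain_files requires (key1, cert1, [chain1], key2, ..., one key
per algorithm, none encrypted) and the smtpd_tls_fingerprint_digest values."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
KEY_OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "ECDSA",
            "1.3.101.112": "Ed25519", "1.3.101.113": "Ed448",
            "1.2.840.10040.4.1": "DSA"}           # PKCS#8 privateKeyAlgorithm
LEGACY_KEYS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA",
               "DSA PRIVATE KEY": "DSA"}          # pre-PKCS#8 PEM labels

def pem_objects(text):
    """[(label, DER bytes)] for each PEM object in text, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def tlv(buf, pos=0):
    """Decode one DER TLV at pos: (tag, contents, offset of the next TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Dotted form of OBJECT IDENTIFIER contents (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def key_algorithm(label, der):
    """Algorithm of a PEM private key, from its label or its PKCS#8 OID."""
    if label in LEGACY_KEYS:
        return LEGACY_KEYS[label]
    _, info, _ = tlv(der)                         # PrivateKeyInfo
    _, alg, _ = tlv(info, tlv(info)[2])           # skip version, read AlgorithmIdentifier
    return KEY_OIDS.get(decode_oid(tlv(alg)[1]), "unknown")

def check_chain_files(pem_texts):
    """Problems with the concatenation of pem_texts (main.cf order); [] if OK."""
    problems, seen, need_cert = [], set(), False
    for label, der in pem_objects("\n".join(pem_texts)):
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append("encrypted key: Postfix keys must have no pass-phrase")
        elif label.endswith("PRIVATE KEY"):
            if need_cert:
                problems.append("key not followed by its certificate")
            alg = key_algorithm(label, der)
            if alg in seen:
                problems.append(f"more than one {alg} key")
            seen.add(alg)
            need_cert = True
        elif label == "CERTIFICATE":
            if not seen:
                problems.append("certificate before any private key")
            need_cert = False
        else:
            problems.append(f"unexpected PEM object {label!r}")
    return problems + (["key not followed by its certificate"] if need_cert else [])

def fingerprints(cert_pem, digest="sha256"):
    """(certificate, public key) fingerprints: upper-case hex bytes joined by
    ':', the form Postfix logs at TLS loglevel 2 and check_ccert_access uses."""
    der = pem_objects(cert_pem)[0][1]
    tbs = tlv(tlv(der)[1])[1]                     # Certificate -> TBSCertificate
    pos = tlv(tbs)[2] if tbs[0] == 0xA0 else 0    # optional [0] version
    for _ in range(5):                            # serial, sigAlg, issuer, validity, subject
        pos = tlv(tbs, pos)[2]
    spki = tbs[pos:tlv(tbs, pos)[2]]              # whole subjectPublicKeyInfo TLV
    hexfp = lambda data: ":".join(f"{b:02X}" for b in hashlib.new(digest, data).digest())
    return hexfp(der), hexfp(spki)

# Constructed sample data: the Ed25519 key is the one printed in postconf(5); the
# RSA "key" and the certificates are skeletons around dummy payloads, parser input only.
def der(tag, body):
    return bytes([tag, len(body)]) + body         # short-form lengths only

def pem(label, body):
    return f"-----BEGIN {label}-----\n{base64.b64encode(body).decode()}\n-----END {label}-----\n"

ED25519_KEY = ("-----BEGIN PRIVATE KEY-----\n"
               "MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3\n"
               "-----END PRIVATE KEY-----\n")
RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
RSA_KEY = pem("PRIVATE KEY", der(0x30, der(0x02, b"\x00") + RSA_ALG + der(0x04, bytes(8))))
ED_ALG = der(0x30, der(0x06, bytes.fromhex("2b6570")))
SPKI = der(0x30, ED_ALG + der(0x03, b"\x00" + b"\x11" * 32))

def make_cert(serial):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + ED_ALG
              + der(0x30, b"") * 3 + SPKI)        # empty issuer, validity, subject
    return pem("CERTIFICATE", der(0x30, tbs + ED_ALG + der(0x03, b"\x00" + serial * 16)))

CERT, REISSUED = make_cert(b"\x01"), make_cert(b"\x02")   # same key, new serial

if __name__ == "__main__":
    print(check_chain_files([CERT + RSA_KEY, RSA_KEY + CERT]), fingerprints(CERT))
```

Running the file reports the three layout problems in the misordered pair of files (certificate before any key, a key not followed by its certificate, two RSA keys) and prints both fingerprints of the sample certificate. The REISSUED certificate shares the SPKI of CERT but has a different serial, so its public-key fingerprint is identical while its certificate fingerprint is not; that is the reason to prefer public-key fingerprints in check_ccert_access tables where clients renew certificates without changing keys.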
11760
11762 File with the Postfix SMTP server RSA private key in PEM format. This
11763 file may be combined with the Postfix SMTP server RSA certificate file
11764 specified with $smtpd_tls_cert_file. With Postfix >= 3.4 the preferred
11765 way to configure server keys and certificates is via the
11766 "smtpd_tls_chain_files" parameter.
11767
11768 The private key must be accessible without a pass-phrase, i.e. it must
11769 not be encrypted. File permissions should grant read-only access to the
11770 system superuser account ("root"), and no access to anyone else.
11771
11773 Enable additional Postfix SMTP server logging of TLS activity. Each
11774 logging level also includes the information that is logged at a lower
11775 logging level.
11776
11777 0 Disable logging of TLS activity.
11778
11779 1 Log only a summary message on TLS handshake completion - no
11780 logging of client certificate trust-chain verification errors if
11781 client certificate verification is not required. With Postfix
11782 2.8 and earlier, log the summary message, peer certificate sum‐
11783 mary information and unconditionally log trust-chain verifica‐
11784 tion errors.
11785
11786 2 Also log levels during TLS negotiation.
11787
11788 3 Also log hexadecimal and ASCII dump of TLS negotiation
11789 process.
11790
11791 4 Also log hexadecimal and ASCII dump of complete transmission
11792 after STARTTLS.
11793
11794 Do not use "smtpd_tls_loglevel = 2" or higher except in case of prob‐
11795 lems. Use of loglevel 4 is strongly discouraged.
11796
11797 This feature is available in Postfix 2.2 and later.
11798
11800 The minimum TLS cipher grade that the Postfix SMTP server will use with
11801 mandatory TLS encryption. The default grade ("medium") is sufficiently
11802 strong that any benefit from globally restricting TLS sessions to a
11803 more stringent grade is likely negligible, especially given the fact
11804 that many implementations still do not offer any stronger ("high"
11805 grade) ciphers, while those that do, will always use "high" grade ci‐
11806 phers. So insisting on "high" grade ciphers is generally
11807 counter-productive. Allowing "export" or "low" ciphers is typically not
11808 a good idea, as the only systems limited to just these are obsolete
11809 browsers. No known SMTP clients fail to support at least one "medium"
11810 or "high" grade cipher.
11811
11812 The following cipher grades are supported:
11813
11814 high Enable only "HIGH" grade OpenSSL ciphers. The underlying ci‐
11815 pherlist is specified via the tls_high_cipherlist configuration
11816 parameter, which you are strongly encouraged to not change.
11817
11818 medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
11819 128-bit or longer symmetric bulk-encryption keys. This is the
11820 default minimum strength for mandatory TLS encryption. The un‐
11821 derlying cipherlist is specified via the tls_medium_cipherlist
11822 configuration parameter, which you are strongly encouraged not
11823 to change.
11824
11825 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
11826 cation without encryption. This setting is only appropriate in
11827 the rare case that all clients are prepared to use NULL ciphers
11828 (not normally enabled in TLS clients). The underlying cipherlist
11829 is specified via the tls_null_cipherlist configuration parame‐
11830 ter, which you are strongly encouraged not to change.
11831
11832 low Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix >=
11833 3.8 this cipher grade is always identical to "medium". Recent
11834 versions of OpenSSL do not support any "LOW" grade ciphers. In
11835 earlier Postfix releases the underlying cipherlist was specified
11836 via the tls_low_cipherlist configuration parameter, which you
11837 are strongly encouraged not to change. This obsolete cipher
11838 grade SHOULD NOT be used.
11839
11840 export Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
11841 >= 3.8 this cipher grade is always identical to "medium". Re‐
11842 cent versions of OpenSSL do not support any "EXPORT" grade ci‐
11843 phers. In earlier Postfix releases the underlying cipherlist
11844 was specified via the tls_export_cipherlist configuration param‐
11845 eter, which you are strongly encouraged not to change. This ob‐
11846 solete cipher grade SHOULD NOT be used.
11847
11848 Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
11849 smtpd_tls_exclude_ciphers are excluded from the base definition of the
11850 selected cipher grade. See smtpd_tls_ciphers for cipher controls that
11851 apply to opportunistic TLS.
11852
11853 The underlying cipherlists for grades other than "null" include anony‐
11854 mous ciphers, but these are automatically filtered out if the server is
11855 configured to ask for remote SMTP client certificates. You are very
11856 unlikely to need to take any steps to exclude anonymous ciphers, they
11857 are excluded automatically as required. If you must exclude anonymous
11858 ciphers even when Postfix does not need or use peer certificates, set
11859 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
11860 when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = aN‐
11861 ULL".
11862
11863 This feature is available in Postfix 2.3 and later.
11864
11866 Additional list of ciphers or cipher types to exclude from the Postfix
11867 SMTP server cipher list at mandatory TLS security levels. This list
11868 works in addition to the exclusions listed with smtpd_tls_exclude_ci‐
11869 phers (see there for syntax details).
11870
11871 This feature is available in Postfix 2.3 and later.
11872
11874 TLS protocols accepted by the Postfix SMTP server with mandatory TLS
11875 encryption. If the list is empty, the server supports all available
11876 TLS protocol versions. A non-empty value is a list of protocol names
11877 to include or exclude, separated by whitespace, commas or colons.
11878
11879 The valid protocol names (see SSL_get_version(3)) are "SSLv2", "SSLv3",
11880 "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with Postfix
11881 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as the lowest
11882 supported TLS protocol version (see below). Older releases use the "!"
11883 exclusion syntax, also described below.
11884
11885 As of Postfix 3.6, the preferred way to limit the range of acceptable
11886 protocols is to set the lowest acceptable TLS protocol version and/or
11887 the highest acceptable TLS protocol version. To set the lower bound
11888 include an element of the form: ">=version" where version is either
11889 one of the TLS protocol names listed above, or a hexadecimal number
11890 corresponding to the desired TLS protocol version (0301 for TLS 1.0,
11891 0302 for TLS 1.1, etc.). For the upper bound, use "<=version". There
11892 must be no whitespace between the ">=" or "<=" symbols and the protocol
11893 name or number.
11894
11895 Hexadecimal protocol numbers make it possible to specify protocol
11896 bounds for TLS versions that are known to OpenSSL, but might not be
11897 known to Postfix. They cannot be used with the legacy exclusion syn‐
11898 tax. Leading "0" or "0x" prefixes are supported, but not required.
11899 Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
11900 "TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
11901 upper or lower bound, and a warning will be logged. Hexadecimal ver‐
11902 sions should only be used when Postfix is linked with some future ver‐
11903 sion of OpenSSL that supports TLS 1.4 or later, but Postfix does not
11904 yet support a symbolic name for that protocol version.
11905
11906 Hexadecimal example (Postfix >= 3.6):
11907
11908 # Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
11909 # in some future version of OpenSSL (presently a warning is logged).
11910 smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
11911 # Allow only TLS 1.2 and up:
11912 smtpd_tls_mandatory_protocols = >=0x0303
11913
11914 With Postfix < 3.6 there is no support for a minimum or maximum ver‐
11915 sion, and the protocol range is configured via protocol exclusions. To
11916 require at least TLS 1.0, set "smtpd_tls_mandatory_protocols = !SSLv2,
11917 !SSLv3". Listing the protocols to include, rather than protocols to
11918 exclude, is supported, but not recommended. The exclusion form more
11919 accurately matches the underlying OpenSSL interface.
11920
11921 Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling this
11922 protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch re‐
11923 leases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
11924
11925 Example:
11926
11927 # Preferred syntax with Postfix >= 3.6:
11928 smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
11929 # Legacy syntax:
11930 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
11931
11932 This feature is available in Postfix 2.3 and later.
11933
11935 TLS protocols accepted by the Postfix SMTP server with opportunistic
11936 TLS encryption. If the list is empty, the server supports all available
11937 TLS protocol versions. A non-empty value is a list of protocol names
11938 to include or exclude, separated by whitespace, commas or colons.
11939
11940 The valid protocol names (see SSL_get_version(3)) are "SSLv2", "SSLv3",
11941 "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with Postfix
11942 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as the lowest
11943 supported TLS protocol version (see below). Older releases use the "!"
11944 exclusion syntax, also described below.
11945
11946 As of Postfix 3.6, the preferred way to limit the range of acceptable
11947 protocols is to set the lowest acceptable TLS protocol version and/or
11948 the highest acceptable TLS protocol version. To set the lower bound
11949 include an element of the form: ">=version" where version is either
11950 one of the TLS protocol names listed above, or a hexadecimal number
11951 corresponding to the desired TLS protocol version (0301 for TLS 1.0,
11952 0302 for TLS 1.1, etc.). For the upper bound, use "<=version". There
11953 must be no whitespace between the ">=" or "<=" symbols and the protocol
11954 name or number.
11955
11956 Hexadecimal protocol numbers make it possible to specify protocol
11957 bounds for TLS versions that are known to OpenSSL, but might not be
11958 known to Postfix. They cannot be used with the legacy exclusion syn‐
11959 tax. Leading "0" or "0x" prefixes are supported, but not required.
11960 Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
11961 "TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
11962 upper or lower bound, and a warning will be logged. Hexadecimal ver‐
11963 sions should only be used when Postfix is linked with some future ver‐
11964 sion of OpenSSL that supports TLS 1.4 or later, but Postfix does not
11965 yet support a symbolic name for that protocol version.
11966
11967 Hexadecimal example (Postfix >= 3.6):
11968
11969 # Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
11970 # in some future version of OpenSSL (presently a warning is logged).
11971 smtpd_tls_protocols = >=TLSv1, <=0305
11972 # Allow only TLS 1.0 and up:
11973 smtpd_tls_protocols = >=0x0301
11974
11975 With Postfix < 3.6 there is no support for a minimum or maximum ver‐
11976 sion, and the protocol range is configured via protocol exclusions. To
11977 require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2, !SSLv3".
11978 Listing the protocols to include, rather than protocols to exclude, is
11979 supported, but not recommended. The exclusion form more accurately
11980 matches the underlying OpenSSL interface.
11981
11982 Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling this
11983 protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch re‐
11984 leases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
11985
11986 Example:
11987 # Preferred syntax with Postfix >= 3.6:
11988 smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
11989 # Legacy syntax:
11990 smtpd_tls_protocols = !SSLv2, !SSLv3
11991
11992 This feature is available in Postfix 2.6 and later.
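
Worked example (added here; not Postfix source code): the protocol-list
syntax described for smtpd_tls_protocols and smtpd_tls_mandatory_protocols,
resolved in Python. The function maps a main.cf value to the set of
protocol versions it permits, honoring the symbolic names, the ">=" and
"<=" bounds with symbolic or hexadecimal versions, and the legacy "!"
exclusions, as described above. The function and constant names are this
example's own.

```python
"""Resolve a smtpd_tls_protocols / smtpd_tls_mandatory_protocols value to
the set of protocol versions it permits (added example, not Postfix code).

Rules taken from postconf(5): an empty value allows every version; ">=ver"
and "<=ver" (Postfix >= 3.6) take a symbolic name or a hexadecimal version
with an optional "0"/"0x" prefix; "!name" excludes and a bare name includes
(legacy forms); hexadecimal numbers are only valid in bounds; a bound on a
version unknown to the library is skipped with a warning, not an error.
"""
import re

# Symbolic name -> protocol version number as it appears on the wire.
PROTOCOL_VERSIONS = {
    "SSLv2": 0x0002,
    "SSLv3": 0x0300,
    "TLSv1": 0x0301,
    "TLSv1.1": 0x0302,
    "TLSv1.2": 0x0303,
    "TLSv1.3": 0x0304,
}
_HEX_RE = re.compile(r"^(?:0[xX])?[0-9a-fA-F]{1,4}$")


def parse_version(text):
    """Return (number, is_hex) for a symbolic name or hexadecimal version.

    "301", "0301", "0x301" and "0x0301" all yield (0x0301, True), i.e. TLSv1.
    """
    if text in PROTOCOL_VERSIONS:
        return PROTOCOL_VERSIONS[text], False
    if _HEX_RE.match(text):
        digits = text[2:] if text[:2].lower() == "0x" else text
        return int(digits, 16), True
    raise ValueError(f"unrecognized protocol version {text!r}")


def allowed_protocols(value):
    """Return (set of permitted names, list of warnings) for one setting."""
    warnings = []
    tokens = [t for t in re.split(r"[\s,:]+", value.strip()) if t]
    if not tokens:
        return set(PROTOCOL_VERSIONS), warnings

    lower = upper = None
    included, excluded = set(), set()
    for tok in tokens:
        if tok.startswith((">=", "<=")):
            number, _ = parse_version(tok[2:])
            if number not in PROTOCOL_VERSIONS.values():
                # Unknown to this table (in Postfix: to OpenSSL): the bound
                # is left unset and a warning is logged.
                warnings.append(f"{tok}: unknown protocol version, bound not set")
            elif tok.startswith(">="):
                lower = number
            else:
                upper = number
        elif tok.startswith("!"):
            _, is_hex = parse_version(tok[1:])
            if is_hex:
                raise ValueError(f"{tok}: hexadecimal versions cannot be used "
                                 "with the legacy '!' exclusion syntax")
            excluded.add(tok[1:])
        else:
            _, is_hex = parse_version(tok)
            if is_hex:
                raise ValueError(f"{tok}: hexadecimal versions are only valid "
                                 "after '>=' or '<='")
            included.add(tok)

    # Bare names restrict the base set (inclusion form); otherwise start
    # from everything, then apply exclusions and bounds.
    base = included if included else set(PROTOCOL_VERSIONS)
    allowed = set()
    for name in base - excluded:
        number = PROTOCOL_VERSIONS[name]
        if lower is not None and number < lower:
            continue
        if upper is not None and number > upper:
            continue
        allowed.add(name)
    return allowed, warnings


def is_valid(value):
    """True when the value parses; warnings do not make a value invalid."""
    try:
        allowed_protocols(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for setting in (">=TLSv1", ">=TLSv1.2, <=0305", "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"):
        names, warns = allowed_protocols(setting)
        print(f"{setting!r:40} -> {sorted(names)} {warns}")
```

Running the block shows that ">=TLSv1.2, <=0305" permits only TLS 1.2 and
1.3 and records a warning for the unknown upper bound, which is what the
text above says happens today; "!0303" is rejected outright because
hexadecimal numbers are not valid in the legacy exclusion syntax.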
11993
11995 Request that the Postfix SMTP server produces Received: message head‐
11996 ers that include information about the protocol and cipher used, as
11997 well as the remote SMTP client CommonName and client certificate issuer
11998 CommonName. This is disabled by default, as the information may be
11999 modified in transit through other mail servers. Only information that
12000 was recorded by the final destination can be trusted.
12001
12002 This feature is available in Postfix 2.2 and later.
12003
12005 With mandatory TLS encryption, require a trusted remote SMTP client
12006 certificate in order to allow TLS connections to proceed. This option
12007 implies "smtpd_tls_ask_ccert = yes".
12008
12009 When TLS encryption is optional, this setting is ignored with a warning
12010 written to the mail log.
12011
12012 This feature is available in Postfix 2.2 and later.
12013
12015 The SMTP TLS security level for the Postfix SMTP server; when a
12016 non-empty value is specified, this overrides the obsolete parameters
12017 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
12018 "smtpd_tls_wrappermode = yes".
12019
12020 Specify one of the following security levels:
12021
12022 none TLS will not be used.
12023
12024 may Opportunistic TLS: announce STARTTLS support to remote SMTP
12025 clients, but do not require that clients use TLS encryption.
12026
12027 encrypt
12028 Mandatory TLS encryption: announce STARTTLS support to remote
12029 SMTP clients, and require that clients use TLS encryption. Ac‐
12030 cording to RFC 2487 this MUST NOT be applied in case of a pub‐
12031 licly-referenced SMTP server. Instead, this option should be
12032 used only on dedicated servers.
12033
12034 Note 1: the "fingerprint", "verify" and "secure" levels are not sup‐
12035 ported here. The Postfix SMTP server logs a warning and uses "encrypt"
12036 instead. To verify remote SMTP client certificates, see TLS_README for
12037 a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
12038 mit_tls_clientcerts features.
12039
12040 Note 2: The parameter setting "smtpd_tls_security_level = encrypt" im‐
12041 plies "smtpd_tls_auth_only = yes".
12042
12043 Note 3: when invoked via "sendmail -bs", Postfix will never offer
12044 STARTTLS due to insufficient privileges to access the server private
12045 key. This is intended behavior.
12046
12047 This feature is available in Postfix 2.3 and later.
12048
12050 Name of the file containing the optional Postfix SMTP server TLS ses‐
12051 sion cache. Specify a database type that supports enumeration, such as
12052 btree or sdbm; there is no need to support concurrent access. The file
12053 is created if it does not exist. The smtpd(8) daemon does not use this
12054 parameter directly, rather the cache is implemented indirectly in the
12055 tlsmgr(8) daemon. This means that per-smtpd-instance master.cf
12056 overrides of this parameter are not effective. Note that each of the
12057 cache databases supported by the tlsmgr(8) daemon:
12058 $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
12059 (and with Postfix 2.3 and later $lmtp_tls_session_cache_database),
12060 needs to be stored separately. It is not at this time possible to
12061 store multiple caches in a single database.
12062
12063 Note: dbm databases are not suitable. TLS session objects are too
12064 large.
12065
12066 As of version 2.5, Postfix no longer uses root privileges when opening
12067 this file. The file should now be stored under the Postfix-owned
12068 data_directory. As a migration aid, an attempt to open the file under a
12069 non-Postfix directory is redirected to the Postfix-owned data_direc‐
12070 tory, and a warning is logged.
12071
12072 As of Postfix 2.11 the preferred mechanism for session resumption is
12073 RFC 5077 TLS session tickets, which don't require server-side storage.
12074 Consequently, for Postfix >= 2.11 this parameter should generally be
12075 left empty. TLS session tickets require an OpenSSL library (at least
12076 version 0.9.8h) that provides full support for this TLS extension. See
12077 also smtpd_tls_session_cache_timeout.
12078
12079 Example:
12080
12081 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
12082
12083 This feature is available in Postfix 2.2 and later.
12084
12086 The expiration time of Postfix SMTP server TLS session cache informa‐
12087 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
12088 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
12089 this parameter is implemented in the tlsmgr(8) daemon and therefore
12090 per-smtpd-instance master.cf overrides are not possible.
12091
12092 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
12093 session caching is disabled, not just via the database, but also via
12094 RFC 5077 TLS session tickets, which don't require server-side storage.
12095 If set to a positive value less than 2 minutes, the minimum value of 2
12096 minutes is used instead. TLS session tickets require an OpenSSL li‐
12097 brary (at least version 0.9.8h) that provides full support for this TLS
12098 extension.
12099
12100 Specify a non-negative time value (an integral value plus an optional
12101 one-letter suffix that specifies the time unit). Time units: s (sec‐
12102 onds), m (minutes), h (hours), d (days), w (weeks). The default time
12103 unit is s (seconds).
12104
12105 This feature is available in Postfix 2.2 and later, and updated for TLS
12106 session ticket support in Postfix 2.11.
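
Worked example (added here; not Postfix code): the time-value syntax used
by smtpd_tls_session_cache_timeout and by other timeout parameters on this
page (an integer plus an optional s/m/h/d/w suffix), together with the
cache-timeout rules stated above, expressed as functions so that the
effect of a main.cf value can be checked before deployment. The names are
this example's own; treating a value above 100 days as a configuration
error is an assumption, since the text states only that the limit exists.

```python
"""Parse Postfix time values and predict the effect of a given
smtpd_tls_session_cache_timeout setting (added example, not Postfix code).

Time syntax per postconf(5): an integer with an optional one-letter unit
suffix, s (seconds, the default), m, h, d or w.  Cache-timeout rules per
the same text (Postfix >= 2.11): a value <= 0 disables session caching,
database and RFC 5077 tickets alike; a positive value under 2 minutes is
raised to 2 minutes; the value cannot exceed 100 days.  What Postfix does
with a value above 100 days is not stated, so it is rejected here
(assumption).
"""
import re

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"^\s*(-?\d+)\s*([smhdw]?)\s*$")

MIN_SESSION_CACHE_TIMEOUT = 2 * 60          # 2 minutes
MAX_SESSION_CACHE_TIMEOUT = 100 * 86400     # 100 days


def parse_time(value, default_unit="s"):
    """Convert "3600", "2m", "1h", "7d" or "1w" to seconds."""
    match = _TIME_RE.match(value)
    if not match:
        raise ValueError(f"bad time value {value!r}")
    number, unit = match.groups()
    return int(number) * _UNIT_SECONDS[unit or default_unit]


def effective_session_cache_timeout(value):
    """Return the session lifetime tlsmgr(8) would use, in seconds.

    0 means session caching is disabled altogether: no database entries
    and no session tickets.
    """
    seconds = parse_time(value)
    if seconds <= 0:
        return 0
    if seconds > MAX_SESSION_CACHE_TIMEOUT:
        raise ValueError(f"{value!r} exceeds the 100-day maximum")
    return max(seconds, MIN_SESSION_CACHE_TIMEOUT)


def is_valid_session_cache_timeout(value):
    """True when the value is accepted under the rules above."""
    try:
        effective_session_cache_timeout(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for setting in ("3600s", "30s", "0", "1w", "101d"):
        status = (effective_session_cache_timeout(setting)
                  if is_valid_session_cache_timeout(setting) else "rejected")
        print(f"{setting:>6} -> {status}")
```

The point worth noticing is the "0" case: on a Postfix >= 2.11 server that
has left smtpd_tls_session_cache_database empty and relies on session
tickets, setting the timeout to 0 to "turn off the unused cache" also
turns off ticket-based resumption.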
12107
12109 Run the Postfix SMTP server in TLS "wrapper" mode, instead of using the
12110 STARTTLS command.
12111
12112 If you want to support this service, enable a special port in mas‐
12113 ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
12114 command line. Port 465 (submissions/smtps) is reserved for this pur‐
12115 pose.
12116
12117 This feature is available in Postfix 2.2 and later.
12118
12120 The name of the proxy protocol used by an optional before-smtpd proxy
12121 agent. When a proxy agent is used, this protocol conveys local and re‐
12122 mote address and port information. Specify "smtpd_upstream_proxy_pro‐
12123 tocol = haproxy" to enable the haproxy protocol; version 2 is supported
12124 with Postfix 3.5 and later.
12125
12126 NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
12127 with smtpd_authorized_xclient_hosts. This supports SASL authentication
12128 in the proxy agent (Postfix 2.9 and later).
12129
12130 This feature is available in Postfix 2.10 and later.
12131
12133 The time limit for the proxy protocol specified with the smtpd_up‐
12134 stream_proxy_protocol parameter.
12135
12136 Specify a non-zero time value (an integral value plus an optional
12137 one-letter suffix that specifies the time unit). Time units: s (sec‐
12138 onds), m (minutes), h (hours), d (days), w (weeks). The default time
12139 unit is s (seconds).
12140
12141 This feature is available in Postfix 2.10 and later.
12142
12144 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
12145 but do not require that clients use TLS encryption.
12146
12147 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
12148 TLS due to insufficient privileges to access the server private key.
12149 This is intended behavior.
12150
12151 This feature is available in Postfix 2.2 and later. With Postfix 2.3
12152 and later use smtpd_tls_security_level instead.
12153
12155 Detect that a message requires SMTPUTF8 support for the specified mail
12156 origin classes. This is a workaround to avoid chicken-and-egg problems
12157 during the initial SMTPUTF8 roll-out in environments with pre-existing
12158 mail flows that contain UTF8. Those mail flows should not break because
12159 Postfix suddenly refuses to deliver such mail to down-stream MTAs that
12160 don't announce SMTPUTF8 support.
12161
12162 The problem is that Postfix cannot rely solely on the sender's declara‐
12163 tion that a message requires SMTPUTF8 support, because UTF8 may be in‐
12164 troduced during local processing (for example, the client hostname in
12165 Postfix's Received: header, adding @$myorigin or .$mydomain to an in‐
12166 complete address, address rewriting, alias expansion, automatic BCC re‐
12167 cipients, local forwarding, and changes made by header checks or Milter
12168 applications).
12169
12170 For now, the default is to enable "SMTPUTF8 required" autodetection
12171 only for Postfix sendmail command-line submissions and address verifi‐
12172 cation probes. This may change once SMTPUTF8 support achieves world
12173 domination. However, sites that add UTF8 content via local processing
12174 (see above) should autodetect the need for SMTPUTF8 support for all
12175 email.
12176
12177 Specify one or more of the following:
12178
12179 sendmail
12180 Submission with the Postfix sendmail(1) command.
12181
12182 smtpd Mail received with the smtpd(8) daemon.
12183
12184 qmqpd Mail received with the qmqpd(8) daemon.
12185
12186 forward
12187 Local forwarding or aliasing. When a message is received with
12188 "SMTPUTF8 required", then the forwarded (aliased) message always
12189 has "SMTPUTF8 required".
12190
12191 bounce
12192 Submission by the bounce(8) daemon. When a message is received
12193 with "SMTPUTF8 required", then the delivery status notification
12194 always has "SMTPUTF8 required".
12195
12196 notify
12197 Postmaster notification from the smtp(8) or smtpd(8) daemon.
12198
12199 verify
12200 Address verification probe from the verify(8) daemon.
12201
12202 all Enable SMTPUTF8 autodetection for all mail.
12203
12204 This feature is available in Postfix 3.0 and later.
12205
12207 Enable preliminary SMTPUTF8 support for the protocols described in RFC
12208 6531, RFC 6532, and RFC 6533. This requires that Postfix is built to
12209 support these protocols.
12210
12211 This feature is available in Postfix 3.0 and later.
12212
12214 Safety net to keep mail queued that would otherwise be returned to the
12215 sender. This parameter disables locally-generated bounces, changes the
12216 handling of negative responses from remote servers, content filters or
12217 plugins, and prevents the Postfix SMTP server from rejecting mail per‐
12218 manently by changing 5xx reply codes into 4xx. However, soft_bounce is
12219 no cure for address rewriting mistakes or mail routing mistakes.
12220
12221 Note: "soft_bounce = yes" is in some cases implemented by modifying
12222 server responses. Therefore, the response that Postfix logs may differ
12223 from the response that Postfix actually sends or receives.
12224
12225 Example:
12226
12227 soft_bounce = yes
12228
12230 The time after which a stale exclusive mailbox lockfile is removed.
12231 This is used for delivery to file or mailbox.
12232
12233 Specify a non-zero time value (an integral value plus an optional
12234 one-letter suffix that specifies the time unit). Time units: s (sec‐
12235 onds), m (minutes), h (hours), d (days), w (weeks). The default time
12236 unit is s (seconds).
12237
12239 This feature is documented in the STRESS_README document.
12240
12241 This feature is available in Postfix 2.5 and later.
12242
12244 Reject mail with 8-bit text in message headers. This blocks mail from
12245 poorly written applications.
12246
12247 This feature should not be enabled on a general purpose mail server,
12248 because it is likely to reject legitimate email.
12249
12250 This feature is available in Postfix 2.0 and later.
12251
12253 Enable both strict_7bit_headers and strict_8bitmime_body.
12254
12255 This feature should not be enabled on a general purpose mail server,
12256 because it is likely to reject legitimate email.
12257
12258 This feature is available in Postfix 2.0 and later.
12259
12261 Reject 8-bit message body text without 8-bit MIME content encoding in‐
12262 formation. This blocks mail from poorly written applications.
12263
12264 Unfortunately, this also rejects majordomo approval requests when the
12265 included request contains valid 8-bit MIME mail, and it rejects bounces
12266 from mailers that do not MIME encapsulate 8-bit content (for example,
12267 bounces from qmail or from old versions of Postfix).
12268
12269 This feature should not be enabled on a general purpose mail server,
12270 because it is likely to reject legitimate email.
12271
12272 This feature is available in Postfix 2.0 and later.
12273
12275 Defer delivery when a mailbox file is not owned by its recipient. The
12276 default setting is not backwards compatible.
12277
12278 This feature is available in Postfix 2.5.3 and later.
12279
12281 Reject mail with invalid Content-Transfer-Encoding: information for the
12282 message/* or multipart/* MIME content types. This blocks mail from
12283 poorly written software.
12284
12285 This feature should not be enabled on a general purpose mail server,
12286 because it will reject mail after a single violation.
12287
12288 This feature is available in Postfix 2.0 and later.
12289
12291 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
12292 are enclosed with <>, and that those addresses do not contain RFC 822
12293 style comments or phrases. This stops mail from poorly written soft‐
12294 ware.
12295
12296 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
12297 and RCPT TO addresses.
12298
12300 Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
12301 server accepts UTF8 sender or recipient addresses only when the client
12302 requests an SMTPUTF8 mail transaction.
12303
12304 This feature is available in Postfix 3.0 and later.
12305
12307 Obsolete SUN mailtool compatibility feature. Instead, use "mailbox_de‐
12308 livery_lock = dotlock".
12309
12311 Enable the rewriting of "site!user" into "user@site". This is neces‐
12312 sary if your machine is connected to UUCP networks. It is enabled by
12313 default.
12314
12315 Note: with Postfix version 2.2, message header address rewriting hap‐
12316 pens only when one of the following conditions is true:
12317
12318 • The message is received with the Postfix sendmail(1) command,
12319
12320 • The message is received from a network client that matches $lo‐
12321 cal_header_rewrite_clients,
12322
12323 • The message is received from the network, and the re‐
12324 mote_header_rewrite_domain parameter specifies a non-empty
12325 value.
12326
12327 To get the behavior before Postfix version 2.2, specify "lo‐
12328 cal_header_rewrite_clients = static:all".
12329
12330 Example:
12331
12332 swap_bangpath = no
12333
12335 The syslog facility of Postfix logging. Specify a facility as defined
12336 in syslog.conf(5). The default facility is "mail".
12337
12338 Warning: a non-default syslog_facility setting takes effect only after
12339 a Postfix process has completed initialization. Errors during process
12340 initialization will be logged with the default facility. Examples are
12341 errors while parsing the command line arguments, and errors while ac‐
12342 cessing the Postfix main.cf configuration file.
12343
12345 A prefix that is prepended to the process name in syslog records, so
12346 that, for example, "smtpd" becomes "prefix/smtpd".
12347
12348 Warning: a non-default syslog_name setting takes effect only after a
12349 Postfix process has completed initialization. Errors during process
12350 initialization will be logged with the default name. Examples are er‐
12351 rors while parsing the command line arguments, and errors while access‐
12352 ing the Postfix main.cf configuration file.
12353
12355 An optional workaround for routers that break TCP window scaling.
12356 Specify a value > 0 and < 65536 to enable this feature. With Postfix
12357 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
12358 Postfix master(8) daemon.
12359
12360 To change this parameter without stopping Postfix, you need to first
12361 terminate all Postfix TCP servers:
12362
12363 # postconf -e master_service_disable=inet
12364 # postfix reload
12365
12366 This immediately terminates all processes that accept network connec‐
12367 tions. Next, you enable Postfix TCP servers with the updated tcp_win‐
12368 dowsize setting:
12369
12370 # postconf -e tcp_windowsize=65535 master_service_disable=
12371 # postfix reload
12372
12373 If you skip these steps with a running Postfix system, then the
12374 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
12375 lmtp(8)).
12376
12377 This feature is available in Postfix 2.6 and later.
12378
12380 Append the system-supplied default Certification Authority certificates
12381 to the ones specified with *_tls_CApath or *_tls_CAfile. The default
12382 is "no"; this prevents Postfix from trusting third-party certificates
12383 and giving them relay permission with permit_tls_all_clientcerts.
12384
12385 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
12386 later versions. Specify "tls_append_default_CA = yes" for backwards
12387 compatibility, to avoid breaking certificate verification with sites
12388 that don't use permit_tls_all_clientcerts.
12389
12391 Optional configuration file with baseline OpenSSL settings. OpenSSL
12392 loads any SSL settings found in the configuration file for the selected
12393 application name (see tls_config_name) or else the built-in application
12394 name "openssl_conf" when no application name is specified, or no corre‐
12395 sponding configuration section is present.
12396
12397 With OpenSSL releases 1.1.1 and 1.1.1a, applications (including Post‐
12398 fix) can neither specify an alternative configuration file, nor avoid
12399 loading the default configuration file.
12400
12401 With OpenSSL 1.1.1b or later, this parameter may be set to one of:
12402
12403 default (default)
12404 Load the system-wide "openssl.cnf" configuration file.
12405
12406 none (recommended, OpenSSL 1.1.1b or later only)
12407 This setting disables loading of the system-wide "openssl.cnf"
12408 file.
12409
12410 /absolute-path (OpenSSL 1.1.1b or later only)
12411 Load the configuration file specified by /absolute-path. With
12412 this setting it is an error for the file to not contain any set‐
12413 tings for the selected tls_config_name. There is no fallback to
12414 the default "openssl_conf" name.
12415
12416 Failures in processing of the built-in default configuration file are
12417 silently ignored. Any errors in loading a non-default configuration
12418 file are detected by Postfix, and cause TLS support to be disabled.
12419
12420 The OpenSSL configuration file format is not documented here, beyond
12421 giving two examples.
12422
12423 Example: Default settings for all applications.
12424
12425 # The name 'openssl_conf' is the default application name
12426 # The section name to the right of the '=' sign is arbitrary,
12427 # any name will do, so long as it refers to the desired section.
12428 #
12429 # The name 'system_default' selects the settings applied internally
12430 # by the SSL library as part of SSL object creation. Applications
12431 # can then apply any additional settings of their choice.
12432 #
12433 # In this example, TLS versions prior to 1.2 are disabled by default.
12434 #
12435 openssl_conf = system_wide_settings
12436 [system_wide_settings]
12437 ssl_conf = ssl_library_settings
12438 [ssl_library_settings]
12439 system_default = initial_ssl_settings
12440 [initial_ssl_settings]
12441 MinProtocol = TLSv1.2
12442
12443 Example: Custom settings for an application named "postfix".
12444
12445 # The mapping from an application name to the corresponding configuration
12446 # section must appear near the top of the file, (in what is sometimes called
12447 # the "default section") prior to the start of any explicitly named
12448 # "[sections]". The named sections can appear in any order and don't nest.
12449 #
12450 postfix = postfix_settings
12451 [postfix_settings]
12452 ssl_conf = postfix_ssl_settings
12453 [postfix_ssl_settings]
12454 system_default = baseline_postfix_settings
12455 [baseline_postfix_settings]
12456 MinProtocol = TLSv1
12457
12458 This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, 3.6.10, and
12459 3.5.20.
12460
12462 The application name passed by Postfix to OpenSSL library initializa‐
12463 tion functions. This name is used to select the desired configuration
12464 "section" in the OpenSSL configuration file specified via the tls_con‐
12465 fig_file parameter. When empty, or when the selected name is not
12466 present in the configuration file, the default application name
12467 ("openssl_conf") is used as a fallback.
12468
12469 This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, 3.6.10, and
12470 3.5.20.
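
Worked example (added here; neither Postfix nor OpenSSL code): the
application-name lookup that tls_config_file and tls_config_name describe,
run against a constructed configuration that merges the two examples
above into one file. It shows the fallback to "openssl_conf" with the
default system file, and the absence of that fallback with an explicit
/absolute-path file. Treating a missing "openssl_conf" mapping in an
explicit file as an error when tls_config_name is empty is this example's
assumption; the function names are its own.

```python
"""Which [section] of an OpenSSL configuration file applies to Postfix?
(Added example, not Postfix or OpenSSL code.)

Lookup as postconf(5) describes it: the application name maps, in the
leading unnamed section, to a section whose "ssl_conf" names a section
whose "system_default" names the section holding library-wide settings
such as MinProtocol.  With the default system file an empty or unknown
name falls back to "openssl_conf"; with an explicit "/absolute-path" file
there is no fallback and a missing name is an error.  Only the subset of
the format the man page's examples use is parsed: "key = value" lines,
"#" comments and flat, non-nesting "[name]" sections.
"""

DEFAULT_APP_NAME = "openssl_conf"

# Constructed sample: the two postconf(5) examples merged into one file.
SAMPLE_CONF = """\
openssl_conf = system_wide_settings
postfix = postfix_settings

[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2

[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
"""


def parse_openssl_conf(text):
    """Return {section: {key: value}}; the unnamed leading section is ""."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a 'key = value' line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def resolve_ssl_settings(conf_text, app_name="", explicit_file=False):
    """Return the library-wide SSL settings OpenSSL applies for app_name.

    explicit_file=True models "tls_config_file = /absolute-path".
    """
    sections = parse_openssl_conf(conf_text)
    default_section = sections[""]
    name = app_name or DEFAULT_APP_NAME
    if name not in default_section:
        if explicit_file:
            # No fallback for an explicitly configured file; Postfix treats
            # the failure as an error and disables TLS.
            raise LookupError(f"no settings for application name {name!r}")
        name = DEFAULT_APP_NAME
        if name not in default_section:
            return {}       # nothing configured; silently ignored
    try:
        app = sections[default_section[name]]
        ssl = sections[app["ssl_conf"]]
        return dict(sections[ssl["system_default"]])
    except KeyError as missing:
        raise LookupError(f"broken section chain: {missing} not found") from None


def min_protocol_for(conf_text, app_name="", explicit_file=False):
    """Convenience: the MinProtocol that ends up applying, or None."""
    try:
        return resolve_ssl_settings(conf_text, app_name, explicit_file).get("MinProtocol")
    except LookupError:
        return None


if __name__ == "__main__":
    for name, explicit in (("", False), ("postfix", False), ("dovecot", False), ("dovecot", True)):
        print(f"tls_config_name={name!r:10} explicit={explicit!s:5} -> "
              f"{min_protocol_for(SAMPLE_CONF, name, explicit)}")
```

With "tls_config_name = postfix" the weaker "MinProtocol = TLSv1" of the
postfix section wins over the system-wide TLSv1.2 floor, which is the
reason the man page recommends "tls_config_file = none" unless the
contents of the OpenSSL configuration file are known and wanted.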
12471
12473 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
12474 requests from the tlsmgr(8) server in order to seed its internal pseudo
12475 random number generator (PRNG). The default of 32 bytes (equivalent to
12476 256 bits) is sufficient to generate a 128-bit (or 168-bit) session key.
12477
12478 This feature is available in Postfix 2.2 and later.
12479
12481 Configure RFC 7671 DANE TLSA digest algorithm agility. Do not change
12482 this setting from its default value.
12483
12484 See Section 8 of RFC 7671 for correct key rotation procedures.
12485
12486 This feature is available in Postfix 2.11 through 3.1. Postfix 3.2 and
12487 later ignore this configuration parameter and behave as though it were
12488 set to "on".
12489
12491 DANE TLSA (RFC 6698, RFC 7671, RFC 7672) resource-record "matching
12492 type" digest algorithms in descending preference order. All the speci‐
12493 fied algorithms must be supported by the underlying OpenSSL library,
12494 otherwise the Postfix SMTP client will not support DANE TLSA security.
12495
12496 Specify a list of digest names separated by commas and/or whitespace.
12497 Each digest name may be followed by an optional "=<number>" suffix.
12498 For example, "sha512" may instead be specified as "sha512=2" and
12499 "sha256" may instead be specified as "sha256=1". The optional number
12500 must match the IANA-assigned TLSA matching type number for the
12501 algorithm in question (see
12502 https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types).
12503 Postfix will check this constraint for the algorithms it knows about.
12504 Additional matching type algorithms registered with IANA can be added
12505 with explicit numbers provided they are supported by OpenSSL.
12506
12507 Invalid list elements are logged with a warning and disable DANE sup‐
12508 port. TLSA RRs that specify digests not included in the list are ig‐
12509 nored with a warning.
12510
12511 Note: It is unwise to omit sha256 from the digest list. This digest
12512 algorithm is the only mandatory-to-implement digest algorithm in RFC
12513 6698, and many servers are expected to publish TLSA records with just
12514 sha256 digests. Unless one of the standard digests is seriously
12515 compromised and servers have had ample time to update their TLSA
12516 records, you should not omit any standard digests; just arrange them
12517 in order from strongest to weakest.
12518
12519 This feature is available in Postfix 2.11 and later.
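
Worked example (added here; not Postfix code): parsing a tls_dane_digests
value, enforcing the IANA matching-type numbers for sha256 (1) and sha512
(2), and applying the list to constructed TLSA records so that records
with an unlisted matching type are ignored and the remaining ones are
ordered by digest preference, as described above. The records and the
bytes they digest are made up for the example; the function names are its
own.

```python
"""Validate a tls_dane_digests list and apply it to TLSA records
(added example, not Postfix code).

Rules from postconf(5): digest names are separated by commas and/or
whitespace; an optional "=<number>" suffix must equal the IANA TLSA
matching-type number for digests Postfix knows about and is required for
any other digest; an invalid element disables DANE (modelled as
ValueError); TLSA records whose matching type is not in the list are
ignored with a warning; omitting sha256 is legal but unwise, so it warns.
"""
import hashlib
import re

# IANA "TLSA Matching Types": 0 = Full (no hash), 1 = SHA2-256, 2 = SHA2-512.
KNOWN_MATCHING_TYPES = {"sha256": 1, "sha512": 2}


def parse_dane_digests(value):
    """Return ([(digest_name, matching_type), ...] in preference order,
    [warnings]).  Raises ValueError for elements that would disable DANE."""
    digests, warnings = [], []
    for element in re.split(r"[\s,]+", value.strip()):
        if not element:
            continue
        name, has_number, number = element.partition("=")
        name = name.lower()
        if name in KNOWN_MATCHING_TYPES:
            mtype = KNOWN_MATCHING_TYPES[name]
            if has_number and int(number) != mtype:
                raise ValueError(f"{element}: matching type for {name} is {mtype}")
        elif has_number:
            mtype = int(number)
        else:
            raise ValueError(f"{element}: unknown digest needs an explicit =<number>")
        if name not in hashlib.algorithms_available:
            raise ValueError(f"{element}: digest not supported by the crypto library")
        digests.append((name, mtype))
    if "sha256" not in [name for name, _ in digests]:
        warnings.append("sha256 omitted: it is the only mandatory-to-implement "
                        "digest in RFC 6698 and many TLSA records use it")
    return digests, warnings


def is_valid_dane_digests(value):
    """True when every element is acceptable (warnings are not errors)."""
    try:
        parse_dane_digests(value)
        return True
    except ValueError:
        return False


def select_tlsa_records(records, digests):
    """Keep records whose matching type is configured, preferred digest first.

    records are (usage, selector, matching_type, hex_data) tuples.
    Returns (kept, warnings)."""
    preference = {mtype: rank for rank, (_, mtype) in enumerate(digests)}
    kept, warnings = [], []
    for record in records:
        mtype = record[2]
        if mtype not in preference:
            warnings.append(f"ignoring TLSA record with matching type {mtype}")
            continue
        kept.append(record)
    kept.sort(key=lambda record: preference[record[2]])
    return kept, warnings


def tlsa_record_matches(record, association_data, digests):
    """True when the record's data equals the digest of association_data,
    i.e. of the certificate or SubjectPublicKeyInfo DER the selector chose."""
    _, _, mtype, hex_data = record
    if mtype == 0:                       # "Full": raw data, no digest
        return hex_data.lower() == association_data.hex()
    names = {mtype_: name for name, mtype_ in digests}
    if mtype not in names:
        return False
    return hashlib.new(names[mtype], association_data).hexdigest() == hex_data.lower()


# Constructed sample data standing in for a certificate's DER encoding.
SAMPLE_ASSOCIATION_DATA = b"constructed stand-in for the DER bytes a TLSA selector picks"
SAMPLE_TLSA_RECORDS = [
    # (usage, selector, matching type, certificate association data)
    (3, 1, 1, hashlib.sha256(SAMPLE_ASSOCIATION_DATA).hexdigest()),
    (3, 1, 2, hashlib.sha512(SAMPLE_ASSOCIATION_DATA).hexdigest()),
    (3, 1, 3, "00" * 32),   # matching type 3: not in the configured list
    (2, 0, 1, "ff" * 32),   # sha256 record whose digest does not match
]


if __name__ == "__main__":
    digests, warnings = parse_dane_digests("sha512 sha256")
    kept, ignored = select_tlsa_records(SAMPLE_TLSA_RECORDS, digests)
    for record in kept:
        print(record[:3], tlsa_record_matches(record, SAMPLE_ASSOCIATION_DATA, digests))
    print(warnings + ignored)
```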
12520
12522 Enable support for RFC 6698 (DANE TLSA) DNS records that contain di‐
12523 gests of trust-anchors with certificate usage "2". Do not change this
12524 setting from its default value.
12525
12526 This feature is available in Postfix 2.11 through 3.1. It has been
12527 withdrawn in Postfix 3.2, as trust-anchor TLSA records are now widely
12528 used and have proved sufficiently reliable. Postfix 3.2 and later
12529 ignore this configuration parameter and behave as though it were set
12530 to "yes".
12531
List or bit-mask of OpenSSL bug work-arounds to disable.

The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
implementations. Applications, such as Postfix, that want to maximize
interoperability ask the OpenSSL library to enable the full set of
recommended work-arounds.

From time to time, it is discovered that a work-around creates a
security issue, and should no longer be used. If upgrading OpenSSL to
a fixed version is not an option or an upgrade is not available in a
timely manner, or in closed environments where no buggy clients or
servers exist, it may be appropriate to disable some or all of the
OpenSSL interoperability work-arounds. This parameter specifies which
bug work-arounds to disable.

If the value of the parameter is a hexadecimal long integer starting
with "0x", the bug work-arounds corresponding to the bits specified in
its value are removed from the SSL_OP_ALL work-around bit-mask (see
openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more bits
than are present in SSL_OP_ALL; excess bits are ignored. Specifying
0xFFFFFFFF disables all bug work-arounds on a 32-bit system. This
should also be sufficient on 64-bit systems, until OpenSSL abandons
support for 32-bit systems and starts using the high 32 bits of a
64-bit bug work-around mask.

Otherwise, the parameter is a white-space or comma separated list of
specific named bug work-arounds chosen from the list below. It is
possible that your OpenSSL version includes new bug work-arounds added
after your Postfix source code was last updated; in that case you can
only disable one of these via the hexadecimal syntax above.

CRYPTOPRO_TLSEXT_BUG
    New with GOST support in OpenSSL 1.0.0.

DONT_INSERT_EMPTY_FRAGMENTS
    See SSL_CTX_set_options(3)

LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3)

MICROSOFT_BIG_SSLV3_BUFFER
    See SSL_CTX_set_options(3)

MICROSOFT_SESS_ID_BUG
    See SSL_CTX_set_options(3)

MSIE_SSLV2_RSA_PADDING
    Also aliased as CVE-2005-2969. Postfix 2.8 disables this
    work-around by default with OpenSSL versions that may predate
    the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.

NETSCAPE_CHALLENGE_BUG
    See SSL_CTX_set_options(3)

NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    Also aliased as CVE-2010-4180. Postfix 2.8 disables this
    work-around by default with OpenSSL versions that may predate
    the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.

SSLEAY_080_CLIENT_DH_BUG
    See SSL_CTX_set_options(3)

SSLREF2_REUSE_CERT_TYPE_BUG
    See SSL_CTX_set_options(3)

TLS_BLOCK_PADDING_BUG
    See SSL_CTX_set_options(3)

TLS_D5_BUG
    See SSL_CTX_set_options(3)

TLS_ROLLBACK_BUG
    See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7
    and later. Nobody should still be using 0.9.6!

TLSEXT_PADDING
    Postfix >= 3.4. See SSL_CTX_set_options(3).

This feature is available in Postfix 2.8 and later.
12612
The prioritized list of elliptic curves supported by the Postfix SMTP
client and server. These curves are used by the Postfix SMTP server
when "smtpd_tls_eecdh_grade = auto". The selected curves must be
implemented by OpenSSL and be standardized for use in TLS (RFC 8422).
It is unwise to list only "bleeding-edge" curves supported by a small
subset of clients. The default list is suitable for most users.

Postfix skips curve names that are unknown to OpenSSL, or that are
known but not yet implemented. This makes it possible to "anticipate"
support for curves that should be used once they become available. In
particular, in some OpenSSL versions, the new RFC 8031 curves "X25519"
and "X448" may be known by name, but ECDH support for either or both
may be missing. These curves may appear in the default value of this
parameter, even though they'll only be usable with later versions of
OpenSSL.

See also the "tls_ffdhe_auto_groups" parameter, which supports
customizing the list of FFDHE groups enabled with TLS 1.3. That
setting is introduced with Postfix 3.8, when built against OpenSSL 3.0
or later.

This feature is available in Postfix 3.2 and later, when it is compiled
and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
have not been disabled by the vendor.
12638
The elliptic curve used by the Postfix SMTP server for sensibly strong
ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
strong" means approximately 128-bit security based on best known
attacks. The selected curve must be implemented by OpenSSL (as
reported by ecparam(1) with the "-list_curves" option) and be one of
the curves listed in Section 5.1.1 of RFC 8422. You should not
generally change this setting. Remote SMTP client implementations must
support this curve for EECDH key exchange to take place. It is unwise
to choose only "bleeding-edge" curves supported by only a small subset
of clients.

The default "strong" curve is rated in NSA Suite B for information
classified up to SECRET.

Note: elliptic curve names are poorly standardized; different standards
groups are assigning different names to the same underlying curves.
The curve with the X9.62 name "prime256v1" is also known under the SECG
name "secp256r1", but OpenSSL does not recognize the latter name.

If you want to take maximal advantage of ciphers that offer forward
secrecy see the Getting started section of FORWARD_SECRECY_README. The
full document conveniently presents all information about Postfix
"perfect" forward secrecy support in one place: what forward secrecy
is, how to tweak settings, and what you can expect to see when Postfix
uses ciphers with forward secrecy.

This feature is available in Postfix 2.6 and later, when it is compiled
and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
have not been disabled by the vendor.
12670
The elliptic curve used by the Postfix SMTP server for maximally strong
ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
strong" means approximately 192-bit security based on best known
attacks. This additional strength comes at a significant computational
cost; most users should instead set "smtpd_tls_eecdh_grade = strong".
The selected curve must be implemented by OpenSSL (as reported by
ecparam(1) with the "-list_curves" option) and be one of the curves
listed in Section 5.1.1 of RFC 8422. You should not generally change
this setting. Remote SMTP client implementations must support this
curve for EECDH key exchange to take place. It is unwise to choose
only "bleeding-edge" curves supported by only a small subset of
clients.

This default "ultra" curve is rated in NSA Suite B for information
classified up to TOP SECRET.

If you want to take maximal advantage of ciphers that offer forward
secrecy see the Getting started section of FORWARD_SECRECY_README. The
full document conveniently presents all information about Postfix
"perfect" forward secrecy support in one place: what forward secrecy
is, how to tweak settings, and what you can expect to see when Postfix
uses ciphers with forward secrecy.

This feature is available in Postfix 2.6 and later, when it is compiled
and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
have not been disabled by the vendor.
12699
The OpenSSL cipherlist for "export" or higher grade ciphers. Ignored
as of Postfix 3.8. In earlier Postfix releases this defined the
meaning of the "export" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
lmtp_tls_mandatory_ciphers. You are strongly encouraged not to change
this setting.

This feature is available in Postfix 2.3 and later.

A workaround for implementations that hang Postfix while shutting down
a TLS session, until Postfix times out. With this enabled, Postfix will
not wait for the remote TLS peer to respond to a TLS 'close'
notification. This behavior is recommended for TLSv1.0 and later.
12715
The prioritized list of finite-field Diffie-Hellman ephemeral (FFDHE)
key exchange groups supported by the Postfix SMTP client and server.
OpenSSL 3.0 adds support for FFDHE key agreement in TLS 1.3. In
OpenSSL 1.1.1, TLS 1.3 was only supported with elliptic-curve based key
agreement. The "tls_ffdhe_auto_groups" parameter makes it possible to
configure the list of FFDHE groups that the Postfix client or server
will enable in OpenSSL 3.0 and up. This parameter has no effect when
Postfix is built against earlier OpenSSL versions.

The default list of FFDHE groups that Postfix enables in OpenSSL 3.0
and up includes just the 2048 and 3072-bit groups. Stronger FFDHE
groups perform poorly and EC groups are a much better choice for the
same security level. Postfix ignores group names that are unknown to
OpenSSL, or that are known but not yet implemented. The FFDHE groups
are largely a backup, in case some peer does not support EC key
exchange, or EC key exchange needs to be disabled for some pressing
reason.

Setting this parameter empty disables FFDHE support in TLS 1.3.
Whether FFDHE key agreement is enabled in TLS 1.2 and earlier depends
on whether any of the "kDHE" ciphers are included in the cipherlist.

Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3 EC
key agreement in OpenSSL 3.0 and later. Note that at least one of
"tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be non-empty;
this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled-in defaults.

All the default groups and EC curves should be sufficiently strong to
make "pruning" the defaults unwise. At a minimum, "X25519" and "P-256"
(a.k.a. "prime256v1") should be among the enabled EC curves, while
"dhe2048" and "dhe3072" should be among the FFDHE groups.

This feature is available in Postfix 3.8 and later, when it is compiled
and linked with OpenSSL 3.0 or later.
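The Python below is an added configuration-lint example for the "tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" rules described in this and the preceding curve section; it is not code from the Postfix man page or the Postfix source. It models the three behaviours the text states: names that OpenSSL does not know or implement are skipped, setting one parameter empty disables that key-exchange family in TLS 1.3, and both parameters empty makes Postfix fall back to compiled-in defaults. The set of "implemented" names, the alias table, and the compiled-in default strings are constructed for this example (a real Postfix asks OpenSSL), and the lint function encodes the minimum-set advice given above.

```python
import re

# Constructed: group names a hypothetical OpenSSL 3.0 build knows and
# implements. Anything outside this set models "unknown or not yet
# implemented" and is skipped, as the text says Postfix does.
IMPLEMENTED_GROUPS = {
    "X25519", "X448", "prime256v1", "secp384r1", "secp521r1",
    "dhe2048", "dhe3072", "dhe4096",
}
# The text notes that P-256 and prime256v1 are the same curve.
EC_ALIASES = {"P-256": "prime256v1", "P-384": "secp384r1", "P-521": "secp521r1"}

# Assumed compiled-in defaults for the fallback case (illustrative values,
# not necessarily identical to a given Postfix release's defaults).
COMPILED_IN_CURVES = "X25519 X448 prime256v1 secp521r1 secp384r1"
COMPILED_IN_GROUPS = "dhe2048 dhe3072"


def _split(value):
    return [tok for tok in re.split(r"[\s,]+", value.strip()) if tok]


def enabled_groups(value, implemented=IMPLEMENTED_GROUPS):
    """Return (kept, skipped): kept names go to OpenSSL, unknown ones are skipped."""
    kept, skipped = [], []
    for name in _split(value):
        canonical = EC_ALIASES.get(name, name)
        (kept if canonical in implemented else skipped).append(name)
    return kept, skipped


def tls13_key_exchange(curves_value, groups_value):
    """Model which TLS 1.3 key-exchange groups end up enabled.

    Empty curves -> no EC key agreement; empty groups -> no FFDHE; both
    empty -> fall back to the compiled-in defaults (OpenSSL 3.0 requires at
    least one of the two lists to be non-empty).
    """
    fallback = not _split(curves_value) and not _split(groups_value)
    if fallback:
        curves_value, groups_value = COMPILED_IN_CURVES, COMPILED_IN_GROUPS
    curves, _ = enabled_groups(curves_value)
    groups, _ = enabled_groups(groups_value)
    return {
        "ec_enabled": bool(curves),
        "ffdhe_enabled": bool(groups),
        "groups": curves + groups,   # prioritized: EC first, FFDHE as backup
        "fallback": fallback,
    }


def lint_key_exchange(curves_value, groups_value):
    """Warn when the minimum set recommended above has been pruned away."""
    warnings = []
    curves = {EC_ALIASES.get(n, n) for n in _split(curves_value)}
    groups = set(_split(groups_value))
    if not curves and not groups:
        warnings.append("both lists empty: Postfix falls back to compiled-in defaults")
        return warnings
    for required in ("X25519", "prime256v1"):
        if required not in curves:
            warnings.append(f"EC curve {required} missing from tls_eecdh_auto_curves")
    for required in ("dhe2048", "dhe3072"):
        if required not in groups:
            warnings.append(f"FFDHE group {required} missing from tls_ffdhe_auto_groups")
    for value, param in ((curves_value, "tls_eecdh_auto_curves"),
                         (groups_value, "tls_ffdhe_auto_groups")):
        _, skipped = enabled_groups(value)
        if skipped:
            warnings.append(f"{param}: skipped unknown/unimplemented {skipped}")
    return warnings


if __name__ == "__main__":
    print(tls13_key_exchange("X25519 X448 prime256v1", "dhe2048 dhe3072"))
    print(lint_key_exchange("X448", ""))
```

The lint deliberately treats an empty FFDHE list as a legitimate choice (the text says it simply disables FFDHE in TLS 1.3) but still reports that dhe2048 and dhe3072 are absent, since the paragraph above recommends keeping them as a backup for peers without EC support.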
12752
The OpenSSL cipherlist for "high" grade ciphers. This defines the
meaning of the "high" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
lmtp_tls_mandatory_ciphers. You are strongly encouraged not to change
this setting.

This feature is available in Postfix 2.3 and later.

A temporary migration aid for sites that use certificate public-key
fingerprints with Postfix 2.9.0..2.9.5, which use an incorrect
algorithm. This parameter has no effect on the certificate fingerprint
support that is available since Postfix 2.2.

Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate public-key fingerprints, to the correct
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public-key fingerprints, see TLS_README.

This feature is available in Postfix 2.9.6 and later.

The OpenSSL cipherlist for "low" or higher grade ciphers. Ignored as
of Postfix 3.8. In earlier Postfix releases this defined the meaning
of the "low" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers,
smtp_tls_ciphers, smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
lmtp_tls_mandatory_ciphers. You are strongly encouraged not to change
this setting.

This feature is available in Postfix 2.3 and later.

The OpenSSL cipherlist for "medium" or higher grade ciphers. This
defines the meaning of the "medium" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
lmtp_tls_mandatory_ciphers. This is the default cipherlist for
mandatory TLS encryption in the TLS client (with anonymous ciphers
disabled when verifying server certificates). This is the default
cipherlist for opportunistic TLS with Postfix releases after the middle
of 2015. You are strongly encouraged not to change this setting.

This feature is available in Postfix 2.3 and later.

The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the
"null" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged not to change this setting.

This feature is available in Postfix 2.3 and later.
12807
With SSLv3 and later, use the Postfix SMTP server's cipher preference
order instead of the remote client's cipher preference order.

By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server may
choose its own most preferred cipher that is supported (offered) by the
client. Setting "tls_preempt_cipherlist = yes" enables server cipher
preferences.

While server cipher selection may in some cases lead to a more secure
or performant cipher choice, there is some risk of interoperability
issues. In the past, some SSL clients have listed lower priority
ciphers that they did not implement correctly. If the server chooses a
cipher that the client prefers less, it may select a cipher whose
client implementation is flawed. Most notably Windows 2003 Microsoft
Exchange servers have flawed implementations of DES-CBC3-SHA, which
OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite
selection may create interoperability issues with Windows 2003
Microsoft Exchange clients.

This feature is available in Postfix 2.8 and later, in combination with
OpenSSL 0.9.7 and later.
12831
The number of bytes that tlsmgr(8) reads from $tls_random_source when
(re)seeding the in-memory pseudo random number generator (PRNG) pool.
The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
keys. If using EGD or a device file, a maximum of 255 bytes is read.

This feature is available in Postfix 2.2 and later.

Name of the pseudo random number generator (PRNG) state file that is
maintained by tlsmgr(8). The file is created when it does not exist,
and its length is fixed at 1024 bytes.

As of version 2.5, Postfix no longer uses root privileges when opening
this file, and the default file location was changed from
${config_directory}/prng_exch to ${data_directory}/prng_exch. As a
migration aid, an attempt to open the file under a non-Postfix
directory is redirected to the Postfix-owned data_directory, and a
warning is logged.

This feature is available in Postfix 2.2 and later.

The time between attempts by tlsmgr(8) to save the state of the pseudo
random number generator (PRNG) to the file specified with
$tls_random_exchange_name.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default
time unit is s (seconds).

This feature is available in Postfix 2.2 and later.

The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
pseudo random number generator (PRNG) pool from external sources. The
actual time between re-seeding attempts is calculated using the PRNG,
and is between 0 and the time specified.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default
time unit is s (seconds).

This feature is available in Postfix 2.2 and later.

The external entropy source for the in-memory tlsmgr(8) pseudo random
number generator (PRNG) pool. Be sure to specify a non-blocking source.
If this source is not a regular file, the entropy source type must be
prepended: egd:/path/to/egd_socket for a source with EGD compatible
socket interface, or dev:/path/to/device for a device file.

Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
gives timeout errors.

This feature is available in Postfix 2.2 and later.
12889
Optional lookup tables that map names received from remote SMTP clients
via the TLS Server Name Indication (SNI) extension to the appropriate
keys and certificate chains. This parameter is implemented in the
Postfix TLS library, and applies to both smtpd(8) and the SMTP server
mode of tlsproxy(8).

When this parameter is non-empty, the Postfix SMTP server enables SNI
extension processing, and logs SNI values that are invalid or don't
match an entry in the specified tables. When an entry does match, the
SNI name is logged as part of the connection summary at log levels 1
and higher.

The lookup key is either the verbatim SNI domain name or an ancestor
domain prefixed with a leading dot. For internationalized domains, the
lookup key must be in IDNA 2008 A-label form (as required in the TLS
SNI extension).

The syntax of the lookup value is the same as with the
smtp_tls_chain_files parameter (see there for additional details), but
here scoped to just TLS connections in which the client sends a
matching SNI domain name.

Example:

    /etc/postfix/main.cf:
        #
        # The indexed SNI table must be created with "postmap -F"
        #
        indexed = ${default_database_type}:${config_directory}/
        tls_server_sni_maps = ${indexed}sni

    /etc/postfix/sni:
        #
        # The example.com domain has both an RSA and ECDSA certificate
        # chain. The chain files MUST start with the private key,
        # with the certificate chain next, starting with the leaf
        # (server) certificate, and then the issuer certificates.
        #
        example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
                    /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
        #
        # The example.net domain has a wildcard certificate, and two
        # additional DNS names. So its certificate chain is also used
        # with any subdomain, plus the additional names.
        #
        example.net  /etc/postfix/sni-chains/example.net.pem
        .example.net /etc/postfix/sni-chains/example.net.pem
        example.info /etc/postfix/sni-chains/example.net.pem
        example.org  /etc/postfix/sni-chains/example.net.pem

Note that the SNI lookup tables should also have entries for the
domains that correspond to the Postfix SMTP server's default
certificate(s). This ensures that the remote SMTP client's TLS SNI
extension gets a positive response when it specifies one of the Postfix
SMTP server's default domains, and ensures that the Postfix SMTP server
will not log an SNI name mismatch for such a domain. The Postfix SMTP
server's default certificates are then only used when the client sends
no SNI or when it sends SNI with a domain that the server knows no
certificate(s) for.

The mapping from an SNI domain name to a certificate chain is indirect.
In the input source files for "cdb", "hash", "btree" or other tables
that are converted to on-disk indexed files via postmap(1), the value
specified for each key is a list of filenames. When postmap(1) is used
with the -F option, the generated table stores for each lookup key the
base64-encoded contents of the associated files. When querying tables
via postmap -Fq, the table value is decoded from base64, yielding the
original file content, plus a new line.

With "regexp", "pcre", "inline", "texthash", "static" and similar
tables that are interpreted at run-time, and don't have a separate
source format, the table value is again a list of files, which are
loaded into memory when the table is opened.

With tables whose content is managed outside of Postfix, such as LDAP,
MySQL, PostgreSQL, socketmap and tcp, the value must be a concatenation
of the desired PEM keys and certificate chains, which is then further
encoded to yield a single-line base64 string. Creation of such tables
and secure storage (the value includes private key material) are
outside the responsibility of Postfix.

With "socketmap" and "tcp" the data will be transmitted in the clear,
and there is no query access control, so these are generally unsuitable
for storing SNI chains. With LDAP and SQL, you should restrict read
access and use TLS to protect the sensitive data in transit.

Typically there is only one private key and its chain of certificates
starting with the "leaf" certificate corresponding to that key, and
continuing with the appropriate intermediate issuer CA certificates,
with each certificate ideally followed by its issuer. Servers that
have keys and certificates for more than one algorithm (e.g. both an
RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519) can use
multiple chains concatenated together, with the key always listed
before the corresponding certificates.

This feature is available in Postfix 3.4 and later.
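The following Python is an added example, not code from the Postfix man page or the Postfix source, that works through the SNI lookup and table-value rules described above: the key search order (verbatim A-label name, then each ancestor domain with a leading dot), the "postmap -F" style base64 encoding of concatenated chain files and its "-Fq" decoding, and a check of the chain-file ordering rule from the example (private key first, then leaf, then issuers, for each algorithm). The lookup table is a copy of the /etc/postfix/sni example, and the PEM blocks are constructed placeholders with no real key material. The stdlib "idna" codec is used for A-label conversion; it implements IDNA 2003, so a strict IDNA 2008 deployment would substitute the third-party "idna" package.

```python
import base64
import re

# Constructed copy of the /etc/postfix/sni source table shown above:
# lookup key -> list of chain files (file names only, never read here).
SNI_SOURCE_TABLE = {
    "example.com": ["/etc/postfix/sni-chains/rsa2048.example.com.pem",
                    "/etc/postfix/sni-chains/ecdsa-p256.example.com.pem"],
    "example.net": ["/etc/postfix/sni-chains/example.net.pem"],
    ".example.net": ["/etc/postfix/sni-chains/example.net.pem"],
    "example.info": ["/etc/postfix/sni-chains/example.net.pem"],
    "example.org": ["/etc/postfix/sni-chains/example.net.pem"],
}


def sni_lookup_keys(sni_name):
    """Keys to try, in order: the A-label name verbatim, then each ancestor
    domain prefixed with a dot (".b.example", ".example", ...)."""
    # Assumption: str.encode("idna") (IDNA 2003) is close enough to the
    # IDNA 2008 A-label form the SNI extension carries for this example.
    alabel = sni_name.rstrip(".").lower().encode("idna").decode("ascii")
    labels = alabel.split(".")
    return [alabel] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def lookup_sni_chain(table, sni_name):
    """Return (matched_key, chain_files) or None when no entry matches;
    Postfix would then log a mismatch and use its default certificate(s)."""
    for key in sni_lookup_keys(sni_name):
        if key in table:
            return key, table[key]
    return None


# One PEM block: header type, body, matching footer.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----\n?", re.S)


def chain_order_ok(pem_text):
    """Check the ordering rule from the example: each chain starts with a
    private key, immediately followed by its leaf certificate and then the
    issuer certificates; several chains may be concatenated."""
    types = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    if not types or not types[0].endswith("PRIVATE KEY"):
        return False
    for prev, cur in zip(types, types[1:]):
        if cur != "CERTIFICATE" and not cur.endswith("PRIVATE KEY"):
            return False          # something other than a key or a cert
        if prev.endswith("PRIVATE KEY") and cur != "CERTIFICATE":
            return False          # a key must be followed by its leaf cert
    return types[-1] == "CERTIFICATE"


def encode_chain_value(pem_files):
    """What "postmap -F" stores: base64 of the concatenated file contents."""
    return base64.b64encode("".join(pem_files).encode()).decode("ascii")


def decode_chain_value(value):
    """What "postmap -Fq" shows: the original content plus a trailing newline."""
    return base64.b64decode(value).decode() + "\n"


# Constructed PEM placeholders (the bodies are arbitrary base64 text).
CONSTRUCTED_KEY = ("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgS0VZ\n"
                   "-----END PRIVATE KEY-----\n")
CONSTRUCTED_LEAF = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgTEVBRg==\n"
                    "-----END CERTIFICATE-----\n")
CONSTRUCTED_ISSUER = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgSVNTVUVS\n"
                      "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    print(lookup_sni_chain(SNI_SOURCE_TABLE, "mail.example.net"))
    print(chain_order_ok(CONSTRUCTED_KEY + CONSTRUCTED_LEAF + CONSTRUCTED_ISSUER))
```

A name such as example.com.mx1.example.net resolves through the ".example.net" entry, while a subdomain of example.com finds nothing because the table has no ".example.com" key; that is the case in which the text says the server logs a mismatch and falls back to its default certificate.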
12987
3.0: aes-128-cbc)
Algorithm used to encrypt RFC5077 TLS session tickets. This algorithm
must use CBC mode, have a 128-bit block size, and must have a key
length between 128 and 256 bits. The default is aes-256-cbc.
Overriding the default to choose a different algorithm is discouraged.

Setting this parameter empty disables session ticket support in the
Postfix SMTP server. Another way to disable session ticket support is
via the tls_ssl_options parameter.

This feature is available in Postfix 3.0 and later.
13000
List or bit-mask of OpenSSL options to enable.

The OpenSSL toolkit provides a set of options that applications can
enable to tune the OpenSSL behavior. Some of these work around bugs in
other implementations and are on by default. You can use the
tls_disable_workarounds parameter to selectively disable some or all
of the bug work-arounds, making OpenSSL more strict at the cost of
non-interoperability with SSL clients or servers that exhibit the bugs.

Other options are off by default, and typically enable or disable
features rather than bug work-arounds. These may be turned on (with
care) via the tls_ssl_options parameter. The value is a white-space or
comma separated list of named options chosen from the list below. The
names are not case-sensitive; you can use lower-case if you prefer.
The upper case values below match the corresponding macro name in the
ssl.h header file with the SSL_OP_ prefix removed. It is possible that
your OpenSSL version includes new options added after your Postfix
source code was last updated; in that case you can only enable one of
these via the hexadecimal syntax below.

You should only enable features via the hexadecimal mask when the need
to control the feature is critical (to deal with a new vulnerability or
a serious interoperability problem). Postfix DOES NOT promise
backwards compatible behavior with respect to the mask bits. A feature
enabled via the mask in one release may be enabled by other means in a
later release, and the mask bit will then be ignored. Therefore, use
of the hexadecimal mask is only a temporary measure until a new Postfix
or OpenSSL release provides a better solution.

If the value of the parameter is a hexadecimal long integer starting
with "0x", the options corresponding to the bits specified in its value
are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). You can
only enable options not already controlled by other Postfix settings.
For example, you cannot disable protocols or enable server cipher
preference. Do not attempt to enable all features by specifying
0xFFFFFFFF; this is unlikely to be a good idea. Some bug work-arounds
are also valid here, allowing them to be re-enabled if/when they're no
longer enabled by default. The supported values include:

ENABLE_MIDDLEBOX_COMPAT
    Postfix >= 3.4. See SSL_CTX_set_options(3).

LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3).

NO_TICKET
    Enabled by default when needed in fully-patched Postfix >= 2.7.
    Not needed at all for Postfix >= 2.11, unless for some reason
    you do not want to support TLS session resumption. Best not set
    explicitly. See SSL_CTX_set_options(3).

NO_COMPRESSION
    Disable SSL compression even if supported by the OpenSSL
    library. Compression is CPU-intensive, and compression before
    encryption does not always improve security.

NO_RENEGOTIATION
    Postfix >= 3.4. This can reduce opportunities for a potential
    CPU exhaustion attack. See SSL_CTX_set_options(3).

NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    Postfix >= 3.4. See SSL_CTX_set_options(3).

PRIORITIZE_CHACHA
    Postfix >= 3.4. See SSL_CTX_set_options(3).

This feature is available in Postfix 2.11 and later.
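The Python below is an added example, not code from the Postfix man page or the Postfix source, that models how the tls_disable_workarounds and tls_ssl_options values described in this and the earlier work-arounds section combine into one OpenSSL option mask: the "0x..." hex form versus the case-insensitive named list, excess disable bits being masked off against SSL_OP_ALL, and the rule that the mask cannot be used for bits other Postfix settings control (protocol selection, server cipher preference). The bit values come from Python's ssl module, which exposes a subset of OpenSSL's SSL_OP_* macros; names this Python build does not expose are mapped to 0 and reported as unsupported, which mirrors the text's point that only the hex syntax can reach options newer than the program. The name tables and the reserved-bit list are this example's own constructions.

```python
import re
import ssl

# Named options from the tls_ssl_options list above, mapped to the bit
# values Python's ssl module exposes (0 = not exposed by this build).
SSL_OPTION_BITS = {
    "ENABLE_MIDDLEBOX_COMPAT": getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0),
    "LEGACY_SERVER_CONNECT": getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0),
    "NO_TICKET": getattr(ssl, "OP_NO_TICKET", 0),
    "NO_COMPRESSION": getattr(ssl, "OP_NO_COMPRESSION", 0),
    "NO_RENEGOTIATION": getattr(ssl, "OP_NO_RENEGOTIATION", 0),
    "NO_SESSION_RESUMPTION_ON_RENEGOTIATION":
        getattr(ssl, "OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", 0),
    "PRIORITIZE_CHACHA": getattr(ssl, "OP_PRIORITIZE_CHACHA", 0),
}

# Named work-arounds from the tls_disable_workarounds list. Python's ssl
# module exposes almost none of the individual work-around bits, so most
# names resolve to 0 here and only the hex form can address them; a real
# Postfix resolves them against its own compiled-in table.
WORKAROUND_BITS = {
    "LEGACY_SERVER_CONNECT": getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0),
    "TLSEXT_PADDING": getattr(ssl, "OP_TLSEXT_PADDING", 0),
    "DONT_INSERT_EMPTY_FRAGMENTS": 0,
    "TLS_ROLLBACK_BUG": 0,
}

# Bits that other Postfix settings control (protocol selection and server
# cipher preference); the text says the mask must not be used for these.
RESERVED_BITS = 0
for _name in ("OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_TLSv1", "OP_NO_TLSv1_1",
              "OP_NO_TLSv1_2", "OP_NO_TLSv1_3", "OP_CIPHER_SERVER_PREFERENCE"):
    RESERVED_BITS |= int(getattr(ssl, _name, 0))


def parse_option_list(value, names):
    """Parse the shared "0x<hex> or named list" syntax.

    Returns (mask, unsupported_names). Names are case-insensitive and may be
    separated by whitespace and/or commas.
    """
    value = value.strip()
    if value.lower().startswith("0x"):
        return int(value, 16), []
    mask, unsupported = 0, []
    for token in re.split(r"[\s,]+", value):
        if not token:
            continue
        bits = int(names.get(token.upper(), 0))
        if bits:
            mask |= bits
        else:
            unsupported.append(token)
    return mask, unsupported


def workaround_bits_to_clear(value):
    """tls_disable_workarounds: bits removed from SSL_OP_ALL; excess bits ignored."""
    mask, unsupported = parse_option_list(value, WORKAROUND_BITS)
    return mask & int(ssl.OP_ALL), unsupported


def effective_options(disable_workarounds="", ssl_options=""):
    """Combine both parameters: start from SSL_OP_ALL, drop the disabled
    work-arounds, add the enabled options, and refuse reserved bits."""
    clear_bits, bad_workarounds = workaround_bits_to_clear(disable_workarounds)
    set_bits, bad_options = parse_option_list(ssl_options, SSL_OPTION_BITS)
    rejected = set_bits & RESERVED_BITS
    set_bits &= ~RESERVED_BITS
    options = (int(ssl.OP_ALL) & ~clear_bits) | set_bits
    report = {"unsupported": bad_workarounds + bad_options, "rejected_bits": rejected}
    return options, report


if __name__ == "__main__":
    print(hex(int(ssl.OP_ALL)), effective_options("0xFFFFFFFF", "no_compression, no_ticket"))
```

The report returned alongside the mask is the part worth keeping in a real deployment: an unsupported name or a rejected reserved bit is exactly the misconfiguration the text warns will silently do nothing (or do something different) after the next Postfix or OpenSSL upgrade.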
13069
Match multiple DNS labels with "*" in wildcard certificates.

Some mail service providers prepend the customer domain name to a base
domain for which they have a wildcard TLS certificate. For example,
the MX records for example.com hosted by example.net may be:

    example.com. IN MX 0 example.com.mx1.example.net.
    example.com. IN MX 0 example.com.mx2.example.net.

and the TLS certificate may be for "*.example.net". The "*" then
corresponds with multiple labels in the mail server domain name. While
multi-label wildcards are not widely supported, and are not blessed by
any standard, there is little to be gained by disallowing their use in
this context.

Notes:

• In a certificate name, the "*" is special only when it is used
  as the first label.

• While Postfix (2.11 or later) can match "*" with multiple domain
  name labels, other implementations likely will not.

• Earlier Postfix implementations behave as if
  "tls_wildcard_matches_multiple_labels = no".

This feature is available in Postfix 2.11 and later.
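The Python below is an added example of the wildcard-matching rule described above; it is not code from the Postfix man page or the Postfix source. It matches a certificate DNS name against a server hostname, treats "*" as special only when it is the entire first label, covers exactly one label by default (the pre-2.11 behaviour and the behaviour of most other implementations), and covers several labels only when the multiple_labels flag models "tls_wildcard_matches_multiple_labels = yes". The MX host names and certificate names are taken from the scenario in the text; the helper that scans a list of certificate names is this example's own.

```python
def wildcard_name_matches(pattern, hostname, multiple_labels=False):
    """Match one certificate DNS name against a server hostname.

    "*" is special only as the whole first label. By default it covers
    exactly one label; with multiple_labels=True it may cover several,
    which is what tls_wildcard_matches_multiple_labels = yes permits.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h                     # no leading wildcard: literal compare
    suffix = p[1:]
    if not suffix:
        return False                      # a bare "*" is not a usable name
    if len(h) <= len(suffix) or h[len(h) - len(suffix):] != suffix:
        return False                      # "*" must cover at least one label
    covered = len(h) - len(suffix)
    return covered == 1 or multiple_labels


def certificate_matches_host(cert_names, hostname, multiple_labels=False):
    """Return the first certificate name that matches the hostname, or None."""
    for name in cert_names:
        if wildcard_name_matches(name, hostname, multiple_labels):
            return name
    return None


# Constructed from the scenario above: MX hosts for example.com, hosted by
# example.net under a "*.example.net" certificate.
MX_HOSTS = ["example.com.mx1.example.net", "example.com.mx2.example.net"]
CERT_NAMES = ["*.example.net", "example.net"]


if __name__ == "__main__":
    for host in MX_HOSTS:
        print(host, certificate_matches_host(CERT_NAMES, host),
              certificate_matches_host(CERT_NAMES, host, multiple_labels=True))
```

With the default single-label rule neither MX host matches the certificate, which is the interoperability gap the parameter exists to close; the same hostnames match once multiple-label matching is enabled, while "example.net" itself still does not match "*.example.net" because the wildcard must cover at least one label.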
13098
The name of the tlsmgr(8) service entry in master.cf. This service
maintains TLS session caches and other information in support of TLS.

This feature is available in Postfix 2.11 and later.

A file containing CA certificates of root CAs trusted to sign either
remote TLS server certificates or intermediate CA certificates. See
smtp_tls_CAfile for further details.

This feature is available in Postfix 3.4 and later.

Directory with PEM format Certification Authority certificates that the
Postfix tlsproxy(8) client uses to verify a remote TLS server
certificate. See smtp_tls_CApath for further details.

This feature is available in Postfix 3.4 and later.

File with the Postfix tlsproxy(8) client RSA certificate in PEM format.
See smtp_tls_cert_file for further details. The preferred way to
configure tlsproxy client keys and certificates is via the
"tlsproxy_client_chain_files" parameter.

This feature is available in Postfix 3.4 and later.

Files with the Postfix tlsproxy(8) client keys and certificate chains
in PEM format. See smtp_tls_chain_files for further details.

This feature is available in Postfix 3.4 and later.

File with the Postfix tlsproxy(8) client DSA certificate in PEM format.
See smtp_tls_dcert_file for further details. DSA is obsolete and should
not be used.

This feature is available in Postfix 3.4 and later.

File with the Postfix tlsproxy(8) client DSA private key in PEM format.
See smtp_tls_dkey_file for further details. DSA is obsolete and should
not be used.

This feature is available in Postfix 3.4 and later.

File with the Postfix tlsproxy(8) client ECDSA certificate in PEM
format. See smtp_tls_eccert_file for further details. The preferred way
to configure tlsproxy client keys and certificates is via the
"tlsproxy_client_chain_files" parameter.

This feature is available in Postfix 3.4 and later.

File with the Postfix tlsproxy(8) client ECDSA private key in PEM
format. See smtp_tls_eckey_file for further details. The preferred way
to configure tlsproxy client keys and certificates is via the
"tlsproxy_client_chain_files" parameter.

This feature is available in Postfix 3.4 and later.

Enforcement mode: require that SMTP servers use TLS encryption. See
smtp_enforce_tls for further details. Use
tlsproxy_client_security_level instead.

This feature is available in Postfix 3.4 and later.

The message digest algorithm used to construct remote TLS server
certificate fingerprints. See smtp_tls_fingerprint_digest for further
details.

This feature is available in Postfix 3.4 and later.

File with the Postfix tlsproxy(8) client RSA private key in PEM format.
See smtp_tls_key_file for further details. The preferred way to
configure tlsproxy client keys and certificates is via the
"tlsproxy_client_chain_files" parameter.

This feature is available in Postfix 3.4 and later.

The default TLS security level for the Postfix tlsproxy(8) client. See
smtp_tls_security_level for further details.

This feature is available in Postfix 3.4 - 3.6. It was renamed to
tlsproxy_client_security_level in Postfix 3.7.

Enable additional Postfix tlsproxy(8) client logging of TLS activity.
See smtp_tls_loglevel for further details.

This feature is available in Postfix 3.4 and later.

The name of the parameter that provides the tlsproxy_client_loglevel
value.

This feature is available in Postfix 3.4 and later.

Optional lookup tables with the Postfix tlsproxy(8) client TLS usage
policy by next-hop destination and by remote TLS server hostname. See
smtp_tls_per_site for further details.

This feature is available in Postfix 3.4 and later.

Optional lookup tables with the Postfix tlsproxy(8) client TLS security
policy by next-hop destination. See smtp_tls_policy_maps for further
details.

This feature is available in Postfix 3.4 - 3.6. It was renamed to
tlsproxy_client_policy_maps in Postfix 3.7.

Optional lookup tables with the Postfix tlsproxy(8) client TLS security
policy by next-hop destination. See smtp_tls_policy_maps for further
details.

This feature is available in Postfix 3.7 and later. It was previously
called tlsproxy_client_policy.

The verification depth for remote TLS server certificates. See
smtp_tls_scert_verifydepth for further details.

This feature is available in Postfix 3.4 and later.

The default TLS security level for the Postfix tlsproxy(8) client. See
smtp_tls_security_level for further details.

This feature is available in Postfix 3.7 and later. It was previously
called tlsproxy_client_level.

Opportunistic mode: use TLS when a remote server announces TLS support.
See smtp_use_tls for further details. Use
tlsproxy_client_security_level instead.

This feature is available in Postfix 3.4 and later.

Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
further details. Use tlsproxy_tls_security_level instead.

This feature is available in Postfix 2.8 and later.

The name of the tlsproxy(8) service entry in master.cf. This service
performs plaintext <=> TLS ciphertext conversion.

This feature is available in Postfix 2.8 and later.
13259
A file containing (PEM format) CA certificates of root CAs trusted to
sign either remote SMTP client certificates or intermediate CA
certificates. See smtpd_tls_CAfile for further details.

This feature is available in Postfix 2.8 and later.

A directory containing (PEM format) CA certificates of root CAs trusted
to sign either remote SMTP client certificates or intermediate CA
certificates. See smtpd_tls_CApath for further details.

This feature is available in Postfix 2.8 and later.

tlsproxy_tls_always_issue_session_ids (default: $smtpd_tls_always_issue_session_ids)
Force the Postfix tlsproxy(8) server to issue a TLS session id, even
when TLS session caching is turned off. See
smtpd_tls_always_issue_session_ids for further details.

This feature is available in Postfix 2.8 and later.

Ask a remote SMTP client for a client certificate. See
smtpd_tls_ask_ccert for further details.

This feature is available in Postfix 2.8 and later.

The verification depth for remote SMTP client certificates. A depth of
1 is sufficient if the issuing CA is listed in a local CA file. See
smtpd_tls_ccert_verifydepth for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
This file may also contain the Postfix tlsproxy(8) server private RSA
key. See smtpd_tls_cert_file for further details. With Postfix >= 3.4
the preferred way to configure tlsproxy server keys and certificates is
via the "tlsproxy_tls_chain_files" parameter.

This feature is available in Postfix 2.8 and later.

Files with the Postfix tlsproxy(8) server keys and certificate chains
in PEM format. See smtpd_tls_chain_files for further details.

This feature is available in Postfix 3.4 and later.

The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
use with opportunistic TLS encryption. See smtpd_tls_ciphers for
further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
This file may also contain the Postfix tlsproxy(8) server private DSA
key. DSA is obsolete and should not be used. See smtpd_tls_dcert_file
for further details.

This feature is available in Postfix 2.8 and later.

File with DH parameters that the Postfix tlsproxy(8) server should use
with non-export EDH ciphers. See smtpd_tls_dh1024_param_file for
further details.

This feature is available in Postfix 2.8 and later.

File with DH parameters that the Postfix tlsproxy(8) server should use
with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for
further details. The default SMTP server cipher grade is "medium" with
Postfix releases after the middle of 2015, and as a result export-grade
cipher suites are by default not used.

With Postfix >= 3.6 export-grade Diffie-Hellman key exchange is no
longer supported, and this parameter is silently ignored.

This feature is available in Postfix 2.8 and later.
13343
File with the Postfix tlsproxy(8) server DSA private key in PEM format.
This file may be combined with the Postfix tlsproxy(8) server DSA
certificate file specified with $smtpd_tls_dcert_file. DSA is obsolete
and should not be used. See smtpd_tls_dkey_file for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server ECDSA certificate in PEM
format. This file may also contain the Postfix tlsproxy(8) server
private ECDSA key. See smtpd_tls_eccert_file for further details. With
Postfix >= 3.4 the preferred way to configure tlsproxy server keys and
certificates is via the "tlsproxy_tls_chain_files" parameter.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server ECDSA private key in PEM
format. This file may be combined with the Postfix tlsproxy(8) server
ECDSA certificate file specified with $smtpd_tls_eccert_file. See
smtpd_tls_eckey_file for further details. With Postfix >= 3.4 the
preferred way to configure tlsproxy server keys and certificates is via
the "tlsproxy_tls_chain_files" parameter.

This feature is available in Postfix 2.8 and later.

The Postfix tlsproxy(8) server security grade for ephemeral
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details.

This feature is available in Postfix 2.8 and later.

List of ciphers or cipher types to exclude from the tlsproxy(8) server
cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers
for further details.

This feature is available in Postfix 2.8 and later.

The message digest algorithm to construct remote SMTP client-certificate
fingerprints. See smtpd_tls_fingerprint_digest for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server RSA private key in PEM format.
This file may be combined with the Postfix tlsproxy(8) server RSA
certificate file specified with $smtpd_tls_cert_file. See
smtpd_tls_key_file for further details. With Postfix >= 3.4 the
preferred way to configure tlsproxy server keys and certificates is via
the "tlsproxy_tls_chain_files" parameter.

This feature is available in Postfix 2.8 and later.

Enable additional Postfix tlsproxy(8) server logging of TLS activity.
Each logging level also includes the information that is logged at a
lower logging level. See smtpd_tls_loglevel for further details.

This feature is available in Postfix 2.8 and later.

The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
further details.

This feature is available in Postfix 2.8 and later.

tlsproxy_tls_mandatory_exclude_ciphers (default: $smtpd_tls_mandatory_exclude_ciphers)
Additional list of ciphers or cipher types to exclude from the
tlsproxy(8) server cipher list at mandatory TLS security levels. See
smtpd_tls_mandatory_exclude_ciphers for further details.

This feature is available in Postfix 2.8 and later.

The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
mandatory TLS encryption. If the list is empty, the server supports all
available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols
for further details.

This feature is available in Postfix 2.8 and later.

List of TLS protocols that the Postfix tlsproxy(8) server will exclude
or include with opportunistic TLS encryption. See smtpd_tls_protocols
for further details.

This feature is available in Postfix 2.8 and later.

With mandatory TLS encryption, require a trusted remote SMTP client
certificate in order to allow TLS connections to proceed. See
smtpd_tls_req_ccert for further details.

This feature is available in Postfix 2.8 and later.

The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
non-empty value is specified, this overrides the obsolete parameters
smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
further details.

This feature is available in Postfix 2.8 and later.
13453
Obsolete expiration time of Postfix tlsproxy(8) server TLS session
cache information. Since the cache is shared with smtpd(8) and managed
by tlsmgr(8), there is only one expiration time for the SMTP server
cache shared by all three services, namely
smtpd_tls_session_cache_timeout.

This feature is available in Postfix 2.8 and later.

Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
but do not require that clients use TLS encryption. See smtpd_use_tls
for further details. Use tlsproxy_tls_security_level instead.

This feature is available in Postfix 2.8 and later.

How much time a tlsproxy(8) process may take to process local or remote
I/O before it is terminated by a built-in watchdog timer. This is a
safety mechanism that prevents tlsproxy(8) from becoming non-responsive
due to a bug in Postfix itself or in system software. To avoid false
alarms and unnecessary cache corruption this limit cannot be set under
10s.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default
time unit is s (seconds).

This feature is available in Postfix 2.8 and later.
13485
The name of the trace service. This service is implemented by the
bounce(8) daemon and maintains a record of mail deliveries and produces
a mail delivery report when verbose delivery is requested with
"sendmail -v".

This feature is available in Postfix 2.1 and later.

A transport-specific override for the default_delivery_slot_cost
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_delivery_slot_cost parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_delivery_slot_cost").

A transport-specific override for the default_delivery_slot_discount
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_delivery_slot_discount parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_delivery_slot_discount").

A transport-specific override for the default_delivery_slot_loan
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_delivery_slot_loan parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_delivery_slot_loan").

transport_destination_concurrency_failed_cohort_limit (default: $default_destination_concurrency_failed_cohort_limit)
A transport-specific override for the
default_destination_concurrency_failed_cohort_limit parameter value,
where transport is the master.cf name of the message delivery
transport.

Note: some transport_destination_concurrency_failed_cohort_limit
parameters will not show up in "postconf" command output before Postfix
version 2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in this
case: "_destination_concurrency_failed_cohort_limit").

This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_limit (default: $default_destination_concurrency_limit)
A transport-specific override for the
default_destination_concurrency_limit parameter value, where transport
is the master.cf name of the message delivery transport.

Note: some transport_destination_concurrency_limit parameters will not
show up in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination of a
master.cf service name and a built-in suffix (in this case:
"_destination_concurrency_limit").

transport_destination_concurrency_negative_feedback (default: $default_destination_concurrency_negative_feedback)
A transport-specific override for the
default_destination_concurrency_negative_feedback parameter value, where
transport is the master.cf name of the message delivery transport.

Note: some transport_destination_concurrency_negative_feedback
parameters will not show up in "postconf" command output before Postfix
version 2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in this
case: "_destination_concurrency_negative_feedback").

This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_positive_feedback (default: $default_destination_concurrency_positive_feedback)
A transport-specific override for the
default_destination_concurrency_positive_feedback parameter value, where
transport is the master.cf name of the message delivery transport.

Note: some transport_destination_concurrency_positive_feedback
parameters will not show up in "postconf" command output before Postfix
version 2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in this
case: "_destination_concurrency_positive_feedback").

This feature is available in Postfix 2.5 and later.

A transport-specific override for the default_destination_rate_delay
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: some transport_destination_rate_delay parameters will not show up
in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination of a
master.cf service name and a built-in suffix (in this case:
"_destination_rate_delay").

This feature is available in Postfix 2.5 and later.

transport_destination_recipient_limit (default: $default_destination_recipient_limit)
A transport-specific override for the default_destination_recipient_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: some transport_destination_recipient_limit parameters will not
show up in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination of a
master.cf service name and a built-in suffix (in this case:
"_destination_recipient_limit").

A transport-specific override for the default_extra_recipient_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_extra_recipient_limit parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_extra_recipient_limit").

transport_initial_destination_concurrency (default: $initial_destination_concurrency)
A transport-specific override for the initial_destination_concurrency
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: some transport_initial_destination_concurrency parameters will
not show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
of a master.cf service name and a built-in suffix (in this case:
"_initial_destination_concurrency").

This feature is available in Postfix 2.5 and later.
13630
Optional lookup tables with mappings from recipient address to (message
delivery transport, next-hop destination). See transport(5) for
details.

Specify zero or more "type:table" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found. If you use this feature with local files, run
"postmap /etc/postfix/transport" after making a change.

Pattern matching of domain names is controlled by the presence or
absence of "transport_maps" in the parent_domain_matches_subdomains
parameter value.

For safety reasons, as of Postfix 2.3 this feature does not allow
$number substitutions in regular expression maps.

Examples:

    transport_maps = dbm:/etc/postfix/transport
    transport_maps = hash:/etc/postfix/transport
13652
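The script below is an added example, not code from postconf(5) or the Postfix distribution. It emulates, against a small constructed transport(5)-style table held in memory, the order in which a recipient address is matched: the full address, its domain, then each parent domain, and finally the "*" catch-all. The parent-domain step follows the rule the entry above points at: when "transport_maps" is listed in parent_domain_matches_subdomains a parent domain matches by its bare name, otherwise only a ".domain" entry matches subdomains (this reading of transport(5) is an assumption of the example, and the user+extension and bare-user key forms are left out). The table contents, the PARENT_DOMAIN_MATCHES_SUBDOMAINS variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from postconf(5) or Postfix: emulate the transport_maps
# lookup order for one recipient address against an in-memory table.

# Constructed table, "key result" per line (what postmap would index).
TRANSPORT_TABLE='audit@example.com smtp:[audit-relay.example.com]
example.com relay:[mx.example.com]
.example.net smtp:[legacy.example.net]
example.net local:
* smtp:'

# Stand-in for parent_domain_matches_subdomains: set to "transport_maps"
# to let a bare parent-domain entry match subdomains, empty to require ".domain".
PARENT_DOMAIN_MATCHES_SUBDOMAINS="transport_maps"

# lookup_key KEY: print the table entry for KEY (exact match) or nothing.
lookup_key() {
    printf '%s\n' "$TRANSPORT_TABLE" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# transport_lookup ADDRESS: print the first matching table entry for
# ADDRESS, trying user@domain, domain, each parent domain, then "*".
# Returns 1 when nothing matches.
transport_lookup() {
    addr=$1
    domain=${addr##*@}
    r=$(lookup_key "$addr");   [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    r=$(lookup_key "$domain"); [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    parent=$domain
    while [ "${parent#*.}" != "$parent" ]; do
        parent=${parent#*.}
        case " $PARENT_DOMAIN_MATCHES_SUBDOMAINS " in
            *" transport_maps "*) r=$(lookup_key "$parent") ;;   # bare parent matches
            *)                    r=$(lookup_key ".$parent") ;;  # only ".parent" matches
        esac
        [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    done
    r=$(lookup_key '*'); [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    return 1
}
```

Running `transport_lookup bob@host.example.net` with the sample table yields `local:` in subdomain-matching mode but `smtp:[legacy.example.net]` with PARENT_DOMAIN_MATCHES_SUBDOMAINS empty, which is exactly the difference the parameter controls; a real deployment is checked the same way with `postmap -q`.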
A transport-specific override for the default_minimum_delivery_slots
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_minimum_delivery_slots parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_minimum_delivery_slots").

A transport-specific override for the default_recipient_limit parameter
value, where transport is the master.cf name of the message delivery
transport.

Note: some transport_recipient_limit parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case: "_recipient_limit").

A transport-specific override for the default_recipient_refill_delay
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_recipient_refill_delay parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_recipient_refill_delay").

This feature is available in Postfix 2.4 and later.

A transport-specific override for the default_recipient_refill_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_recipient_refill_limit parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_recipient_refill_limit").

This feature is available in Postfix 2.4 and later.

The time between attempts by the Postfix queue manager to contact a
malfunctioning message delivery transport.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default
time unit is s (seconds).

A transport-specific override for the command_time_limit parameter
value, where transport is the master.cf name of the message delivery
transport.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default
time unit is s (seconds).

Note: transport_time_limit parameters will not show up in "postconf"
command output before Postfix version 2.9. This limitation applies to
many parameters whose name is a combination of a master.cf service name
and a built-in suffix (in this case: "_time_limit").

A transport-specific override for the default_transport_rate_delay
parameter value, where the initial transport in the parameter name is
the master.cf name of the message delivery transport.

Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default
time unit is s (seconds).

Note: transport_transport_rate_delay parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_transport_rate_delay").

The time limit for sending a trigger to a Postfix daemon (for example,
the pickup(8) or qmgr(8) daemon). This time limit prevents programs
from getting stuck when the mail system is under heavy load.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default
time unit is s (seconds).
13749
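Two things recur through the transport_* entries above and the time-limit parameters that follow them: a transport-specific parameter "<transport>_<suffix>" overrides the corresponding default_* (or command_time_limit) value, and several parameters take "a non-zero time value" with an optional s/m/h/d/w suffix. The shell script below is an added example, not code from postconf(5) or the Postfix distribution; it resolves an effective per-transport value from a constructed main.cf with that fallback rule, and parses and validates time values the way the entries describe (integer plus optional unit, default unit seconds, zero rejected where "non-zero" is required). The sample main.cf and the names get_param, transport_param, to_seconds and check_nonzero_time are this example's own.

```shell
#!/bin/sh
# Added example, not from postconf(5) or Postfix: per-transport parameter
# resolution with default_* fallback, plus Postfix time-value parsing.

# Constructed sample main.cf: a throttled "relay" transport, everything
# else left at the default_* / command_time_limit values.
SAMPLE_MAIN_CF='default_destination_rate_delay = 0s
default_destination_concurrency_limit = 20
relay_destination_rate_delay = 2s
relay_destination_concurrency_limit = 2
relay_time_limit = 5m
command_time_limit = 1000s
'

# get_param NAME: print the value of NAME from $SAMPLE_MAIN_CF, or nothing.
get_param() {
    printf '%s\n' "$SAMPLE_MAIN_CF" |
        awk -v n="$1" -F'[[:space:]]*=[[:space:]]*' '$1 == n { print $2; exit }'
}

# transport_param TRANSPORT SUFFIX DEFAULT_NAME: the transport-specific
# "<TRANSPORT>_<SUFFIX>" parameter wins when set; otherwise the value of
# DEFAULT_NAME (e.g. default_destination_rate_delay) applies.
transport_param() {
    v=$(get_param "${1}_${2}")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else get_param "$3"; fi
}

# to_seconds VALUE: convert "<integer>[smhdw]" to a number of seconds.
# Default unit is s. Prints nothing and returns 1 for malformed input.
to_seconds() {
    case "$1" in
        ''|*[!0-9smhdw]*) return 1 ;;
    esac
    num=${1%[smhdw]}
    unit=${1#"$num"}
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    case "$unit" in
        ''|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        d)    mult=86400 ;;
        w)    mult=604800 ;;
        *)    return 1 ;;
    esac
    echo $((num * mult))
}

# check_nonzero_time VALUE: succeed only when VALUE parses and is > 0, the
# constraint stated for transport_retry_time, transport_time_limit,
# trigger_timeout and the tlsproxy watchdog timeout.
check_nonzero_time() {
    s=$(to_seconds "$1") || return 1
    [ "$s" -gt 0 ]
}
```

With the sample, `transport_param relay destination_rate_delay default_destination_rate_delay` prints `2s` while the same call for `smtp` falls back to `0s`; on a live system `postconf -P` (Postfix 2.9 and later) shows which per-transport names are actually in effect.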
Message header that the Postfix cleanup(8) server inserts when a
message contains no To: or Cc: message header. With Postfix 2.8 and
later, the default value is empty. With Postfix 2.4-2.7, specify an
empty value to disable this feature.

Example:

    # Default value before Postfix 2.8.
    # Note: the ":" and ";" are both required.
    undisclosed_recipients_header = To: undisclosed-recipients:;

The numerical response code when the Postfix SMTP server rejects a
sender or recipient address because its domain is unknown. This is one
of the possible replies from the restrictions
reject_unknown_sender_domain and reject_unknown_recipient_domain.

Do not change this unless you have a complete understanding of RFC
5321.

The Postfix SMTP server's action when reject_unknown_sender_domain or
reject_unknown_recipient_domain fail due to a temporary error
condition. Specify "defer" to defer the remote SMTP client request
immediately. With the default "defer_if_permit" action, the Postfix
SMTP server continues to look for opportunities to reject mail, and
defers the client request only if it would otherwise be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a client without
valid address <=> name mapping is rejected by the
reject_unknown_client_hostname restriction. The SMTP server always
replies with 450 when the mapping failed due to a temporary error
condition.

Do not change this unless you have a complete understanding of RFC
5321.

The Postfix SMTP server's action when reject_unknown_helo_hostname
fails due to a temporary error condition. Specify "defer" to defer the
remote SMTP client request immediately. With the default
"defer_if_permit" action, the Postfix SMTP server continues to look for
opportunities to reject mail, and defers the client request only if it
would otherwise be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when the hostname
specified with the HELO or EHLO command is rejected by the
reject_unknown_helo_hostname restriction.

Do not change this unless you have a complete understanding of RFC
5321.

The numerical Postfix SMTP server response code when a recipient
address is local, and $local_recipient_maps specifies a list of lookup
tables that does not match the recipient. A recipient address is local
when its domain matches $mydestination, $proxy_interfaces or
$inet_interfaces.

The default setting is 550 (reject mail) but it is safer to initially
use 450 (try again later) so you have time to find out if your
local_recipient_maps settings are OK.

Example:

    unknown_local_recipient_reject_code = 450

This feature is available in Postfix 2.0 and later.

The numerical Postfix SMTP server reply code when a recipient address
matches $relay_domains, and relay_recipient_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The Postfix SMTP server reply code when a recipient address matches
$virtual_alias_domains, and $virtual_alias_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The Postfix SMTP server reply code when a recipient address matches
$virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.
13845
The numerical Postfix SMTP server response when a recipient address
probe fails due to a temporary error condition.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response when a recipient address is
rejected by the reject_unverified_recipient restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.1 and later.

The Postfix SMTP server's reply when rejecting mail with
reject_unverified_recipient. Do not include the numeric SMTP reply code
or the enhanced status code. By default, the response includes actual
address verification details.

Example:

    unverified_recipient_reject_reason = Recipient address lookup failed

This feature is available in Postfix 2.6 and later.

The Postfix SMTP server's action when reject_unverified_recipient fails
due to a temporary error condition. Specify "defer" to defer the remote
SMTP client request immediately. With the default "defer_if_permit"
action, the Postfix SMTP server continues to look for opportunities to
reject mail, and defers the client request only if it would otherwise
be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a sender address
probe fails due to a temporary error condition.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a recipient
address is rejected by the reject_unverified_sender restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.1 and later.

The Postfix SMTP server's reply when rejecting mail with
reject_unverified_sender. Do not include the numeric SMTP reply code or
the enhanced status code. By default, the response includes actual
address verification details.

Example:

    unverified_sender_reject_reason = Sender address lookup failed

This feature is available in Postfix 2.6 and later.

The Postfix SMTP server's action when reject_unverified_sender fails
due to a temporary error condition. Specify "defer" to defer the remote
SMTP client request immediately. With the default "defer_if_permit"
action, the Postfix SMTP server continues to look for opportunities to
reject mail, and defers the client request only if it would otherwise
be accepted.

This feature is available in Postfix 2.6 and later.
13937
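The unverified_recipient_* and unverified_sender_* entries above describe one decision table: a failed probe is answered with the *_reject_code and the *_reject_reason text, a temporarily failed probe with the *_defer_code either at once ("defer") or only if nothing later rejects the request ("defer_if_permit"), and a code of 250 in either slot accepts the address anyway. The shell script below is an added example, not code from postconf(5) or the Postfix distribution, that models this table for the recipient side (the sender side is identical with the other parameter set). The four configuration values are constructed, not Postfix defaults; the 250 case is modelled as "the restriction raises no objection", the fallback reason text is a constructed stand-in for the verification detail Postfix would report, and the functions verify_reply and final_action are this example's own.

```shell
#!/bin/sh
# Added example, not from postconf(5) or Postfix: model how the reply to
# reject_unverified_recipient is chosen from the unverified_recipient_*
# settings, including the defer_if_permit rule.

# Constructed settings (not Postfix defaults).
UNVERIFIED_RECIPIENT_REJECT_CODE=550
UNVERIFIED_RECIPIENT_DEFER_CODE=450
UNVERIFIED_RECIPIENT_TEMPFAIL_ACTION=defer_if_permit
UNVERIFIED_RECIPIENT_REJECT_REASON="Recipient address lookup failed"

# verify_reply PROBE_RESULT: PROBE_RESULT is ok, fail or tempfail (outcome of
# the address probe). Prints one of:
#   dunno                 no objection from this restriction (also for code 250)
#   reject CODE TEXT      permanent rejection with the configured reason
#   defer CODE            tempfail_action = defer: defer the request at once
#   defer_if_permit CODE  defer only if the request would otherwise be accepted
verify_reply() {
    case "$1" in
        ok) echo dunno ;;
        fail)
            if [ "$UNVERIFIED_RECIPIENT_REJECT_CODE" -eq 250 ]; then
                echo dunno
            else
                # Empty reason: Postfix reports the probe detail itself; the
                # text after :- is a constructed stand-in for that detail.
                echo "reject $UNVERIFIED_RECIPIENT_REJECT_CODE ${UNVERIFIED_RECIPIENT_REJECT_REASON:-Recipient address rejected: unverified address}"
            fi ;;
        tempfail)
            if [ "$UNVERIFIED_RECIPIENT_DEFER_CODE" -eq 250 ]; then
                echo dunno
            elif [ "$UNVERIFIED_RECIPIENT_TEMPFAIL_ACTION" = defer ]; then
                echo "defer $UNVERIFIED_RECIPIENT_DEFER_CODE"
            else
                echo "defer_if_permit $UNVERIFIED_RECIPIENT_DEFER_CODE"
            fi ;;
        *) echo "unknown probe result: $1" >&2; return 1 ;;
    esac
}

# final_action VERIFY_REPLY LATER...: combine the reply from verify_reply
# with the outcomes of the restrictions evaluated after it (each "reject",
# "defer", "permit" or "dunno"; an exhausted list counts as permit). A
# defer_if_permit becomes a defer only when nothing later rejects or defers.
final_action() {
    first=$1; shift
    case "$first" in
        reject*|"defer "*) printf '%s\n' "$first"; return 0 ;;
    esac
    for later in "$@"; do
        case "$later" in
            reject|defer) echo "$later"; return 0 ;;
            permit) break ;;
        esac
    done
    case "$first" in
        defer_if_permit*) echo "defer ${first#"defer_if_permit "}" ;;
        *) echo permit ;;
    esac
}
```

The two calls `final_action "$(verify_reply tempfail)" dunno reject` and `final_action "$(verify_reply tempfail)" dunno permit` give `reject` and `defer 450` respectively, which is the documented difference between a temporary probe failure that a later restriction would have rejected anyway and one that would otherwise have been accepted.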
Enables discovery for the specified service(s) using DNS SRV records.
For example, with "use_srv_lookup = submission" and "relayhost =
example.com:submission", the Postfix SMTP client will look up DNS SRV
records for _submission._tcp.example.com, and will relay email through
the hosts and ports that are specified with those records. See RFC 2782
for details of the host selection process.

Specify zero or more service names separated by comma and/or
whitespace. Any name in the services(5) database may be specified,
though in practice only submission, submissions, and smtp make sense.

When SRV record lookup is enabled with use_srv_lookup, you can enclose
a domain name in "[]" to force IP address lookup instead of SRV record
lookup.

Example 1: MUA-to-MTA submission using SRV record lookup for the
"submission" service for domain "example.com". This uses the default
SMTP delivery agent with STARTTLS, and looks up SRV records for
"_submission._tcp.example.com".

/etc/postfix/main.cf:
    use_srv_lookup = submission
    relayhost = example.com:submission
    smtp_tls_security_level = may
    ...see SASL_README for sasl configuration...

Example 2: MUA-to-MTA submission using SRV record lookup for the
"submissions" service for domain "example.org". This uses a dedicated
SMTP delivery agent (smtp-wraptls) with tls_wrappermode turned on, and
looks up SRV records for "_submissions._tcp.example.org".

Note: specify the older name "smtps" instead of "submissions" when a
provider has DNS SRV records like "_smtps._tcp.example.org" instead of
"_submissions._tcp.example.org".

/etc/postfix/main.cf:
    use_srv_lookup = submissions
    default_transport = smtp-wraptls:example.org:submissions
    ...see SASL_README for sasl configuration...

/etc/postfix/master.cf:
    smtp-wraptls unix ... ... ... ... ... smtp
        -o { smtp_tls_wrappermode = yes }
        -o { smtp_tls_security_level = encrypt }

Example 3: Sender-dependent selection for a combination of MUA-to-MTA
submission services. This combines examples 1 and 2 with examples of
how to disable SRV and look up IP address records for
"smtp-relay.example.net" and "smtp-relay.other.example". Again, specify
the older name "smtps" instead of "submissions" when a provider has DNS
SRV records like "_smtps._tcp.example.org" instead of
"_submissions._tcp.example.org".

/etc/postfix/main.cf:
    use_srv_lookup = submission, submissions
    sender_dependent_default_transport_maps = inline:{
        # Destinations that support SRV record lookup.
        { user1@example.com = smtp:example.com:submission }
        { user2@example.org = smtp-wraptls:example.org:submissions }
        # Use [destination] to force IP address lookups.
        { user3@example.net = smtp:[smtp-relay.example.net]:submission }
        { user4@other.example =
            smtp-wraptls:[smtp-relay.other.example]:submissions } }
    ...see SASL_README for sasl configuration...
14003
14004 Example 4: MTA-to-MTA traffic, using SRV record lookup for the SMTP
14005 service. This is useful for Postfix tests, and may be useful in envi‐
14006 ronments where ports are dynamically assigned to servers.
14007
14008 /etc/postfix/main.cf:
14009 use_srv_lookup = smtp
14010 # Fall back to MX record lookup when SRV records are unavailable.
14011 #allow_srv_lookup_fallback = yes
14012 #ignore_srv_lookup_error = yes
14013
14014 This feature is available in Postfix 3.8 and later.
14015
14017 The characters Postfix accepts as VERP delimiter characters on the
14018 Postfix sendmail(1) command line and in SMTP commands.
14019
14020 This feature is available in Postfix 1.1 and later.
14021
14023 The maximal length of an email address after virtual alias expansion.
14024 This stops virtual aliasing loops that increase the address length ex‐
14025 ponentially.
14026
14027 This feature is available in Postfix 3.0 and later.
14028
14030 Postfix is the final destination for the specified list of virtual
14031 alias domains, that is, domains for which all addresses are aliased to
14032 addresses in other local or remote domains. The SMTP server validates
14033 recipient addresses with $virtual_alias_maps and rejects non-existent
14034 recipients. See also the virtual alias domain class in the
14035 ADDRESS_CLASS_README file.
14036
14037 This feature is available in Postfix 2.0 and later. The default value
14038 is backwards compatible with Postfix version 1.1.
14039
14040 The default value is $virtual_alias_maps so that you can keep all in‐
14041 formation about virtual alias domains in one place. If you have many
14042 users, it is better to separate information that changes more fre‐
14043 quently (virtual address -> local or remote address mapping) from in‐
14044 formation that changes less frequently (the list of virtual domain
14045 names).
14046
14047 Specify a list of host or domain names, "/file/name" or "type:table"
14048 patterns, separated by commas and/or whitespace. A "/file/name" pattern
14049 is replaced by its contents; a "type:table" lookup table is matched
14050 when a table entry matches a host or domain name (the lookup result is
14051 ignored). Continue long lines by starting the next line with white‐
14052 space. Specify "!pattern" to exclude a host or domain name from the
14053 list. The form "!/file/name" is supported only in Postfix version 2.4
14054 and later.
14055
14056 See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
14057 ther information.
14058
14059 Example:
14060
14061 virtual_alias_domains = virtual1.tld virtual2.tld
14062
14064 The maximal number of addresses that virtual alias expansion produces
14065 from each original recipient.
14066
14067 This feature is available in Postfix 2.1 and later.
14068
14070 Optional lookup tables that alias specific mail addresses or domains to
14071 other local or remote addresses. The table format and lookups are doc‐
14072 umented in virtual(5). For an overview of Postfix address manipulations
14073 see the ADDRESS_REWRITING_README document.
14074
14075 This feature is available in Postfix 2.0 and later. The default value
14076 is backwards compatible with Postfix version 1.1.
14077
14078 Specify zero or more "type:name" lookup tables, separated by whitespace
14079 or comma. Tables will be searched in the specified order until a match
14080 is found. Note: these lookups are recursive.
14081
14082 If you use this feature with indexed files, run "postmap /etc/post‐
14083 fix/virtual" after changing the file.
14084
14085 Examples:
14086
14087 virtual_alias_maps = dbm:/etc/postfix/virtual
14088 virtual_alias_maps = hash:/etc/postfix/virtual
14089
14091 The maximal nesting depth of virtual alias expansion. Currently the
14092 recursion limit is applied only to the left branch of the expansion
14093 graph, so the depth of the tree can in the worst case reach the sum of
14094 the expansion and recursion limits. This may change in the future.
14095
14096 This feature is available in Postfix 2.1 and later.
14097
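The recursive lookups of virtual_alias_maps and the three limits described above (address length after expansion, addresses produced per original recipient, nesting depth), as an added example that is not Postfix code: a Python model of recursive alias expansion over a constructed static table plus one regexp entry, showing how a length-doubling loop, a fan-out loop and a constant-length ping-pong loop are each stopped by a different limit. The limit value of 1000 used for all three is the Postfix default as I recall it (confirm with "postconf -d" on a real system); the lookup order is simplified to exact address, then "@domain", then regexp entries; and the recursion limit here is applied on every branch rather than only on the left branch as the text describes, so real Postfix can go somewhat deeper than this model before it stops.

```python
import re


class AliasLimitExceeded(Exception):
    """Raised when expanding one recipient trips a limit; .limit names it."""
    def __init__(self, limit, address):
        super().__init__("virtual alias %s limit exceeded at %r" % (limit, address[:60]))
        self.limit = limit
        self.address = address


# Constructed virtual(5)-style tables for this example (not a real site's data).
STATIC_MAP = {
    "info@virtual1.tld": ["alice@example.com", "bob@example.com"],
    "alice@example.com": ["alice@mailhost.example.com"],
    "@virtual2.tld": ["catchall@example.com"],      # any other user in the domain
    # Loops that a production table must never contain:
    "ping@virtual2.tld": ["pong@virtual2.tld"],     # constant-length cycle
    "pong@virtual2.tld": ["ping@virtual2.tld"],
    "all@virtual2.tld": ["all@virtual2.tld", "someone@example.com"],  # fan-out
}
# A regexp entry whose result doubles the local part on every pass
# (Postfix writes the back-reference as $1; Python's re.expand uses \1).
REGEXP_MAP = [(re.compile(r"(.*)@loop\.tld"), r"\1\1@loop.tld")]


def lookup(address, static, regexps):
    """Simplified virtual(5) lookup: exact address, then "@domain", then the
    regexp entries in order.  Returns the list of targets, or None."""
    if address in static:
        return static[address]
    catchall = "@" + address.rpartition("@")[2]
    if catchall in static:
        return static[catchall]
    for pattern, replacement in regexps:
        m = pattern.fullmatch(address)
        if m:
            return [m.expand(replacement)]
    return None


def expand(recipient, static, regexps,
           expansion_limit=1000, recursion_limit=1000, length_limit=1000):
    """Recursively expand one original recipient, depth-first, enforcing the
    three limits.  Returns the final (non-aliased) addresses in order."""
    final = []
    produced = 0                      # addresses produced from this recipient
    stack = [(recipient, 0)]          # (address, nesting depth)
    while stack:
        address, depth = stack.pop()
        if len(address) > length_limit:
            raise AliasLimitExceeded("length", address)
        targets = lookup(address, static, regexps)
        if targets is None:
            final.append(address)
            continue
        if depth >= recursion_limit:
            raise AliasLimitExceeded("recursion", address)
        produced += len(targets)
        if produced > expansion_limit:
            raise AliasLimitExceeded("expansion", address)
        for target in reversed(targets):   # keep left-to-right result order
            stack.append((target, depth + 1))
    return final


def limit_hit(recipient, **limits):
    """Name of the limit that stops expansion of recipient, or None."""
    try:
        expand(recipient, STATIC_MAP, REGEXP_MAP, **limits)
    except AliasLimitExceeded as exc:
        return exc.limit
    return None


if __name__ == "__main__":
    print(expand("info@virtual1.tld", STATIC_MAP, REGEXP_MAP))
    for addr in ("ab@loop.tld", "ping@virtual2.tld", "all@virtual2.tld"):
        print(addr, "->", limit_hit(addr))
```

The length loop trips after about ten passes (the local part doubles each time), long before the other limits; the fan-out loop produces two addresses per level and so hits the expansion limit at half the recursion depth; the ping-pong loop produces one address per level and runs into the recursion limit first when the two limits are equal.
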
14099 Optional filter for the virtual(8) delivery agent to change the deliv‐
14100 ery status code or explanatory text of successful or unsuccessful de‐
14101 liveries. See default_delivery_status_filter for details.
14102
14103 This feature is available in Postfix 3.0 and later.
14104
14106 virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)
14107 The maximal number of parallel deliveries to the same destination via
14108 the virtual message delivery transport. This limit is enforced by the
14109 queue manager. The message delivery transport name is the first field
14110 in the entry in the master.cf file.
14111
14113 virtual_destination_recipient_limit (default: $default_destination_recipient_limit)
14114 The maximal number of recipients per message for the virtual message
14115 delivery transport. This limit is enforced by the queue manager. The
14116 message delivery transport name is the first field in the entry in the
14117 master.cf file.
14118
14119 Setting this parameter to a value of 1 changes the meaning of vir‐
14120 tual_destination_concurrency_limit from concurrency per domain into
14121 concurrency per recipient.
14122
14124 Lookup tables with the per-recipient group ID for virtual(8) mailbox
14125 delivery.
14126
14127 This parameter is specific to the virtual(8) delivery agent. It does
14128 not apply when mail is delivered with a different mail delivery pro‐
14129 gram.
14130
14131 Specify zero or more "type:name" lookup tables, separated by whitespace
14132 or comma. Tables will be searched in the specified order until a match
14133 is found.
14134
14135 In a lookup table, specify a left-hand side of "@domain.tld" to match
14136 any user in the specified domain that does not have a specific
14137 "user@domain.tld" entry.
14138
14139 When a recipient address has an optional address extension
14140 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
14141 address first, and when the lookup fails, it looks up the unextended
14142 address (user@domain.tld).
14143
14144 Note 1: for security reasons, the virtual(8) delivery agent disallows
14145 regular expression substitution of $1 etc. in regular expression lookup
14146 tables, because that would open a security hole.
14147
14148 Note 2: for security reasons, the virtual(8) delivery agent will
14149 silently ignore requests to use the proxymap(8) server. Instead it will
14150 open the table directly. Before Postfix version 2.2, the virtual(8) de‐
14151 livery agent will terminate with a fatal error.
14152
14154 A prefix that the virtual(8) delivery agent prepends to all pathname
14155 results from $virtual_mailbox_maps table lookups. This is a safety
14156 measure to ensure that an out of control map doesn't litter the file
14157 system with mailboxes. While virtual_mailbox_base could be set to "/",
14158 this setting isn't recommended.
14159
14160 This parameter is specific to the virtual(8) delivery agent. It does
14161 not apply when mail is delivered with a different mail delivery pro‐
14162 gram.
14163
14164 Example:
14165
14166 virtual_mailbox_base = /var/mail
14167
14169 Postfix is the final destination for the specified list of domains;
14170 mail is delivered via the $virtual_transport mail delivery transport.
14171 By default this is the Postfix virtual(8) delivery agent. The SMTP
14172 server validates recipient addresses with $virtual_mailbox_maps and re‐
14173 jects mail for non-existent recipients. See also the virtual mailbox
14174 domain class in the ADDRESS_CLASS_README file.
14175
14176 This parameter expects the same syntax as the mydestination configura‐
14177 tion parameter.
14178
14179 This feature is available in Postfix 2.0 and later. The default value
14180 is backwards compatible with Postfix version 1.1.
14181
14183 The maximal size in bytes of an individual virtual(8) mailbox or
14184 maildir file, or zero (no limit).
14185
14186 This parameter is specific to the virtual(8) delivery agent. It does
14187 not apply when mail is delivered with a different mail delivery pro‐
14188 gram.
14189
14191 How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
14192 For a list of available file locking methods, use the "postconf -l"
14193 command.
14194
14195 This parameter is specific to the virtual(8) delivery agent. It does
14196 not apply when mail is delivered with a different mail delivery pro‐
14197 gram.
14198
14199 This setting is ignored with maildir style delivery, because such de‐
14200 liveries are safe without application-level locks.
14201
14202 Note 1: the dotlock method requires that the recipient UID or GID has
14203 write access to the parent directory of the recipient's mailbox file.
14204
14205 Note 2: the default setting of this parameter is system dependent.
14206
14208 Optional lookup tables with all valid addresses in the domains that
14209 match $virtual_mailbox_domains.
14210
14211 Specify zero or more "type:name" lookup tables, separated by whitespace
14212 or comma. Tables will be searched in the specified order until a match
14213 is found.
14214
14215 In a lookup table, specify a left-hand side of "@domain.tld" to match
14216 any user in the specified domain that does not have a specific
14217 "user@domain.tld" entry.
14218
14219 With the default "virtual_mailbox_domains = $virtual_mailbox_maps",
14220 lookup tables also need entries with a left-hand side of "domain.tld"
14221 to satisfy virtual_mailbox_domains lookups (the right-hand side is
14222 required but will not be used).
14223
14224 The remainder of this text is specific to the virtual(8) delivery
14225 agent. It does not apply when mail is delivered with a different mail
14226 delivery program.
14227
14228 The virtual(8) delivery agent uses this table to look up the per-recip‐
14229 ient mailbox or maildir pathname. If the lookup result ends in a slash
14230 ("/"), maildir-style delivery is carried out, otherwise the path is as‐
14231 sumed to specify a UNIX-style mailbox file. Note that $virtual_mail‐
14232 box_base is unconditionally prepended to this path.
14233
14234 When a recipient address has an optional address extension
14235 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
14236 address first, and when the lookup fails, it looks up the unextended
14237 address (user@domain.tld).
14238
14239 Note 1: for security reasons, the virtual(8) delivery agent disallows
14240 regular expression substitution of $1 etc. in regular expression lookup
14241 tables, because that would open a security hole.
14242
14243 Note 2: for security reasons, the virtual(8) delivery agent will
14244 silently ignore requests to use the proxymap(8) server. Instead it will
14245 open the table directly. Before Postfix version 2.2, the virtual(8) de‐
14246 livery agent will terminate with a fatal error.
14247
14249 Optional lookup tables with a) names of domains for which all addresses
14250 are aliased to addresses in other local or remote domains, and b) ad‐
14251 dresses that are aliased to addresses in other local or remote domains.
14252 Available before Postfix version 2.0. With Postfix version 2.0 and
14253 later, this is replaced by separate controls: virtual_alias_domains and
14254 virtual_alias_maps.
14255
14257 The minimum user ID value that the virtual(8) delivery agent accepts as
14258 a result from $virtual_uid_maps table lookup. Returned values less
14259 than this will be rejected, and the message will be deferred.
14260
14261 This parameter is specific to the virtual(8) delivery agent. It does
14262 not apply when mail is delivered with a different mail delivery pro‐
14263 gram.
14264
14266 The default mail delivery transport and next-hop destination for final
14267 delivery to domains listed with $virtual_mailbox_domains. This infor‐
14268 mation can be overruled with the transport(5) table.
14269
14270 Specify a string of the form transport:nexthop, where transport is the
14271 name of a mail delivery transport defined in master.cf. The :nexthop
14272 destination is optional; its syntax is documented in the manual page of
14273 the corresponding delivery agent.
14274
14275 This feature is available in Postfix 2.0 and later.
14276
14278 Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
14279 ery agent uses while writing to the recipient's mailbox.
14280
14281 This parameter is specific to the virtual(8) delivery agent. It does
14282 not apply when mail is delivered with a different mail delivery pro‐
14283 gram.
14284
14285 Specify zero or more "type:name" lookup tables, separated by whitespace
14286 or comma. Tables will be searched in the specified order until a match
14287 is found.
14288
14289 In a lookup table, specify a left-hand side of "@domain.tld" to match
14290 any user in the specified domain that does not have a specific
14291 "user@domain.tld" entry.
14292
14293 When a recipient address has an optional address extension
14294 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
14295 address first, and when the lookup fails, it looks up the unextended
14296 address (user@domain.tld).
14297
14298 Note 1: for security reasons, the virtual(8) delivery agent disallows
14299 regular expression substitution of $1 etc. in regular expression lookup
14300 tables, because that would open a security hole.
14301
14302 Note 2: for security reasons, the virtual(8) delivery agent will
14303 silently ignore requests to use the proxymap(8) server. Instead it will
14304 open the table directly. Before Postfix version 2.2, the virtual(8) de‐
14305 livery agent will terminate with a fatal error.
14306
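The lookup rules repeated in the virtual_gid_maps, virtual_mailbox_maps and virtual_uid_maps text above, together with virtual_mailbox_base and virtual_minimum_uid, as an added example that is not Postfix code: a Python model of how virtual(8) resolves one recipient, trying the full address, then the address with its extension removed, then "@domain"; prepending $virtual_mailbox_base unconditionally; selecting maildir delivery on a trailing "/"; and deferring when the looked-up UID is below virtual_minimum_uid. The tables, base directory, minimum UID, the "+" recipient delimiter and the defer/reject outcomes for missing entries are constructed for this example; only static tables are modelled, which is consistent with Note 1's ban on $1 substitution in regexp tables.

```python
# Constructed virtual(8) tables and settings for this example (not a real site).
VIRTUAL_MAILBOX_BASE = "/var/mail/vhosts"
VIRTUAL_MINIMUM_UID = 100
RECIPIENT_DELIMITER = "+"

# Right-hand sides are relative paths; a trailing "/" selects maildir delivery.
VIRTUAL_MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",
    "bob@example.com": "example.com/bob",
    "@example.org": "example.org/catchall/",   # any user in example.org
}
VIRTUAL_UID_MAPS = {
    "alice@example.com": 5000,
    "@example.com": 5001,
    "@example.org": 0,        # misconfiguration: root, below virtual_minimum_uid
}
VIRTUAL_GID_MAPS = {"@example.com": 5000, "@example.org": 5000}


def virtual_lookup(table, address):
    """Lookup order from the text: the full address, then the address with
    its "+extension" removed, then "@domain"; the first hit wins."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    if RECIPIENT_DELIMITER in local:
        keys.append(local.split(RECIPIENT_DELIMITER, 1)[0] + "@" + domain)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return table[key]
    return None


def plan_delivery(address):
    """What this model of virtual(8) does with one recipient: reject an
    address absent from virtual_mailbox_maps, defer on a missing UID/GID or
    a UID below virtual_minimum_uid, otherwise deliver under the base."""
    rhs = virtual_lookup(VIRTUAL_MAILBOX_MAPS, address)
    if rhs is None:
        return {"status": "reject", "reason": "user unknown in virtual mailbox table"}
    uid = virtual_lookup(VIRTUAL_UID_MAPS, address)
    gid = virtual_lookup(VIRTUAL_GID_MAPS, address)
    if uid is None or gid is None:
        return {"status": "defer", "reason": "no uid/gid entry for recipient"}
    if uid < VIRTUAL_MINIMUM_UID:
        return {"status": "defer",
                "reason": "uid %d is below virtual_minimum_uid %d" % (uid, VIRTUAL_MINIMUM_UID)}
    return {
        "status": "deliver",
        "path": VIRTUAL_MAILBOX_BASE + "/" + rhs,      # base is always prepended
        "style": "maildir" if rhs.endswith("/") else "mailbox",
        "uid": uid,
        "gid": gid,
    }


if __name__ == "__main__":
    for rcpt in ("alice+news@example.com", "bob@example.com",
                 "carol@example.org", "nobody@example.net"):
        print(rcpt, "->", plan_delivery(rcpt))
```

The "@example.org" UID entry of 0 shows what virtual_minimum_uid buys: a table that would otherwise have virtual(8) write mailboxes as root instead defers the message.
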
14308 postconf(1), Postfix configuration parameter maintenance
14309 master(5), Postfix daemon configuration maintenance
14310
14312 The Secure Mailer license must be distributed with this software.
14313
14315 Wietse Venema
14316 IBM T.J. Watson Research
14317 P.O. Box 704
14318 Yorktown Heights, NY 10598, USA
14319
14320 Wietse Venema
14321 Google, Inc.
14322 111 8th Avenue
14323 New York, NY 10011, USA
14324
14325 Viktor Dukhovni
14326
14327
14328
14329 POSTCONF(5)