POSTCONF(5)                   File Formats Manual                  POSTCONF(5)

NAME

       postconf - Postfix configuration parameters

SYNOPSIS

       postconf parameter ...

       postconf -e "parameter=value" ...

DESCRIPTION

       The Postfix main.cf configuration file specifies parameters that
       control the operation of the Postfix mail system. Typically the file
       contains only a small subset of all parameters; parameters not
       specified are left at their default values.

       The general format of the main.cf file is as follows:

       •      Each logical line has the form "parameter = value". Whitespace
              around the "=" is ignored, as is whitespace at the end of a
              logical line.

       •      Empty lines and whitespace-only lines are ignored, as are lines
              whose first non-whitespace character is a `#'.

       •      A logical line starts with non-whitespace text. A line that
              starts with whitespace continues a logical line.

       •      A parameter value may refer to other parameters.

              •      The expressions "$name" and "${name}" are recursively
                     replaced with the value of the named parameter. The
                     parameter name must contain only characters from the
                     set [a-zA-Z0-9_]. An undefined parameter value is
                     replaced with the empty value.

              •      The expressions "${name?value}" and "${name?{value}}"
                     are replaced with "value" when "$name" is non-empty.
                     The parameter name must contain only characters from
                     the set [a-zA-Z0-9_]. These forms are supported with
                     Postfix versions >= 2.2 and >= 3.0, respectively.

              •      The expressions "${name:value}" and "${name:{value}}"
                     are replaced with "value" when "$name" is empty. The
                     parameter name must contain only characters from the
                     set [a-zA-Z0-9_]. These forms are supported with
                     Postfix versions >= 2.2 and >= 3.0, respectively.

              •      The expression "${name?{value1}:{value2}}" is replaced
                     with "value1" when "$name" is non-empty, and with
                     "value2" when "$name" is empty. The "{}" is required
                     for "value1", optional for "value2". The parameter
                     name must contain only characters from the set
                     [a-zA-Z0-9_]. This form is supported with Postfix
                     versions >= 3.0.

              •      The first item inside "${...}" may be a relational
                     expression of the form: "{value3} == {value4}".
                     Besides the "==" (equality) operator Postfix supports
                     "!=" (inequality), "<", "<=", ">=", and ">". The
                     comparison is numerical when both operands are all
                     digits, otherwise the comparison is lexicographical.
                     These forms are supported with Postfix versions >= 3.0.

              •      Each "value" is subject to recursive named parameter
                     and relational expression evaluation, except where
                     noted.

              •      Whitespace before or after each "{value}" is ignored.

              •      Specify "$$" to produce a single "$" character.

              •      The legacy form "$(...)" is equivalent to the preferred
                     form "${...}".

       •      When the same parameter is defined multiple times, only the
              last instance is remembered.

       •      Otherwise, the order of main.cf parameter definitions does not
              matter.

       The remainder of this document is a description of all Postfix
       configuration parameters. Default values are shown after the parameter
       name in parentheses, and can be looked up with the "postconf -d"
       command.

       Note: this is not an invitation to make changes to Postfix
       configuration parameters. Unnecessary changes can impair the operation
       of the mail system.
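
       The main.cf line format and the "$name", "${name}", "${name?value}",
       "${name:value}" and "$$" rules described above, as an added Python
       example (not Postfix code and not part of the original manual). It goes
       one step beyond the text by reporting definitions that a later line
       overrides; the Postfix 3.0 "{value}" and relational forms are left out,
       and the sample file and the x_next_hop name are constructed.

```python
import re

NAME = re.compile(r"[A-Za-z0-9_]+")   # characters allowed in a parameter name

def parse_main_cf(text):
    """Return (params, overridden). Only the last definition of a parameter
    is kept; overridden lists the (name, discarded value) pairs."""
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                        # empty, whitespace-only, comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + stripped   # leading whitespace: continuation
        else:
            logical.append(stripped)
    params, overridden = {}, []
    for line in logical:
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a 'parameter = value' line: " + line)
        name, value = name.strip(), value.strip()
        if name in params:
            overridden.append((name, params[name]))
        params[name] = value
    return params, overridden

def _closing(s, pos):
    """Index of the bracket that closes the '{' or '(' at s[pos]."""
    close = "}" if s[pos] == "{" else ")"
    level = 0
    for j in range(pos, len(s)):
        if s[j] == s[pos]:
            level += 1
        elif s[j] == close:
            level -= 1
            if level == 0:
                return j
    raise ValueError("unbalanced " + s[pos] + " in: " + s)

def _conditional(body, params, depth):
    """Evaluate the inside of ${...}: name, name?value or name:value."""
    m = NAME.match(body)
    if not m:
        raise ValueError("bad parameter name in: " + body)
    current = expand(params.get(m.group(), ""), params, depth + 1)
    rest = body[m.end():]
    if not rest:
        return current
    op, value = rest[0], rest[1:]
    if op == "?":                           # value when $name is non-empty
        return expand(value, params, depth + 1) if current else ""
    if op == ":":                           # value when $name is empty
        return "" if current else expand(value, params, depth + 1)
    raise ValueError("unsupported expression: ${" + body + "}")

def expand(value, params, depth=0):
    """Recursively replace parameter references in value."""
    if depth > 20:
        raise ValueError("expansion too deep; parameter refers to itself?")
    out, i = [], 0
    while i < len(value):
        nxt = value[i + 1] if i + 1 < len(value) else ""
        m = NAME.match(value, i + 1)
        if value[i] != "$" or not (m or nxt in ("$", "{", "(")):
            out.append(value[i])            # ordinary character
            i += 1
        elif nxt == "$":                    # "$$" produces a single "$"
            out.append("$")
            i += 2
        elif m:                             # "$name"; undefined -> empty
            out.append(expand(params.get(m.group(), ""), params, depth + 1))
            i = m.end()
        else:                               # "${...}" or legacy "$(...)"
            end = _closing(value, i + 1)
            out.append(_conditional(value[i + 2:end], params, depth))
            i = end + 1
    return "".join(out)

SAMPLE = """\
# Constructed sample main.cf; x_next_hop is a hypothetical user-defined name.
myhostname = mail.example.com
mail_name = Postfix
smtpd_banner = $myhostname ESMTP
    ${mail_name?$mail_name}
relayhost =
x_next_hop = ${relayhost:direct}
mynetworks = 127.0.0.0/8
mynetworks = 127.0.0.0/8, 10.0.0.0/8
"""

if __name__ == "__main__":
    params, overridden = parse_main_cf(SAMPLE)
    print(overridden, {k: expand(v, params) for k, v in params.items()})
```

       The overridden list is the part worth reviewing: an earlier, narrower
       mynetworks line has no effect once a later line redefines it.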

2bounce_notice_recipient (default: postmaster)

       The recipient of undeliverable mail that cannot be returned to the
       sender. This feature is enabled with the notify_classes parameter.

access_map_defer_code (default: 450)

       The numerical Postfix SMTP server response code for an access(5) map
       "defer" action, including "defer_if_permit" or "defer_if_reject".
       Prior to Postfix 2.6, the response is hard-coded as "450".

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.6 and later.

access_map_reject_code (default: 554)

       The numerical Postfix SMTP server response code for an access(5) map
       "reject" action.

       Do not change this unless you have a complete understanding of RFC
       5321.

address_verify_cache_cleanup_interval (default: 12h)

       The amount of time between verify(8) address verification database
       cleanup runs. This feature requires that the database supports the
       "delete" and "sequence" operators. Specify a zero interval to disable
       database cleanup.

       After each database cleanup run, the verify(8) daemon logs the number
       of entries that were retained and dropped. A cleanup run is logged as
       "partial" when the daemon terminates early after "postfix reload",
       "postfix stop", or no requests for $max_idle seconds.

       Specify a non-negative time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is h (hours).

       This feature is available in Postfix 2.7.

address_verify_default_transport (default: $default_transport)

       Overrides the default_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_local_transport (default: $local_transport)

       Overrides the local_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_map (default: see postconf -d output)

       Lookup table for persistent address verification status storage. The
       table is maintained by the verify(8) service, and is opened before the
       process releases privileges.

       The lookup table is persistent by default (Postfix 2.7 and later).
       Specify an empty table name to keep the information in volatile memory
       which is lost after "postfix reload" or "postfix stop". This is the
       default with Postfix version 2.6 and earlier.

       Specify a location in a file system that will not fill up. If the
       database becomes corrupted, the world comes to an end. To recover,
       delete (NOT: truncate) the file and do "postfix reload".

       Postfix daemon processes do not use root privileges when opening this
       file (Postfix 2.5 and later). The file must therefore be stored under
       a Postfix-owned directory such as the data_directory. As a migration
       aid, an attempt to open the file under a non-Postfix directory is
       redirected to the Postfix-owned data_directory, and a warning is
       logged.

       Examples:

       address_verify_map = hash:/var/lib/postfix/verify
       address_verify_map = btree:/var/lib/postfix/verify

       This feature is available in Postfix 2.1 and later.

address_verify_negative_cache (default: yes)

       Enable caching of failed address verification probe results. When this
       feature is enabled, the cache may pollute quickly with garbage. When
       this feature is disabled, Postfix will generate an address probe for
       every lookup.

       This feature is available in Postfix 2.1 and later.

address_verify_negative_expire_time (default: 3d)

       The time after which a failed probe expires from the address
       verification cache.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is d (days).

       This feature is available in Postfix 2.1 and later.

address_verify_negative_refresh_time (default: 3h)

       The time after which a failed address verification probe needs to be
       refreshed.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is h (hours).

       This feature is available in Postfix 2.1 and later.

address_verify_pending_request_limit (default: see postconf -d output)

       A safety limit that prevents address verification requests from
       overwhelming the Postfix queue. By default, the number of pending
       requests is limited to 1/4 of the active queue maximum size
       (qmgr_message_active_limit). The queue manager enforces the limit by
       tempfailing requests that exceed the limit. This affects only unknown
       addresses and inactive addresses that have expired, because the
       verify(8) daemon automatically refreshes an active address before it
       expires.

       This feature is available in Postfix 3.1 and later.

address_verify_poll_count (default: normal: 3, overload: 1)

       How many times to query the verify(8) service for the completion of an
       address verification request in progress.

       By default, the Postfix SMTP server polls the verify(8) service up to
       three times under non-overload conditions, and only once when under
       overload. With Postfix version 2.5 and earlier, the SMTP server always
       polls the verify(8) service up to three times by default.

       Specify 1 to implement a crude form of greylisting, that is, always
       defer the first delivery request for a new address.

       Examples:

       # Postfix <= 2.6 default
       address_verify_poll_count = 3
       # Poor man's greylisting
       address_verify_poll_count = 1

       This feature is available in Postfix 2.1 and later.

address_verify_poll_delay (default: 3s)

       The delay between queries for the completion of an address
       verification request in progress.

       The default polling delay is 3 seconds.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_expire_time (default: 31d)

       The time after which a successful probe expires from the address
       verification cache.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is d (days).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_refresh_time (default: 7d)

       The time after which a successful address verification probe needs to
       be refreshed. The address verification status is not updated when the
       probe fails (optimistic caching).

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is d (days).

       This feature is available in Postfix 2.1 and later.

address_verify_relay_transport (default: $relay_transport)

       Overrides the relay_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_relayhost (default: $relayhost)

       Overrides the relayhost parameter setting for address verification
       probes. This information can be overruled with the transport(5) table.

       This feature is available in Postfix 2.1 and later.

address_verify_sender (default: $double_bounce_sender)

       The sender address to use in address verification probes; prior to
       Postfix 2.5 the default was "postmaster". To avoid problems with
       address probes that are sent in response to address probes, the
       Postfix SMTP server excludes the probe sender address from all SMTPD
       access blocks.

       Specify an empty value (address_verify_sender =) or <> if you want to
       use the null sender address. Beware, some sites reject mail from <>,
       even though RFCs require that such addresses be accepted.

       Examples:

       address_verify_sender = <>
       address_verify_sender = postmaster@mydomain

       This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps)

       Overrides the sender_dependent_default_transport_maps parameter setting
       for address verification probes.

       This feature is available in Postfix 2.7 and later.

address_verify_sender_dependent_relayhost_maps (default: $sender_dependent_relayhost_maps)

       Overrides the sender_dependent_relayhost_maps parameter setting for
       address verification probes.

       This feature is available in Postfix 2.3 and later.

address_verify_sender_ttl (default: 0s)

       The time between changes in the time-dependent portion of address
       verification probe sender addresses. The time-dependent portion is
       appended to the localpart of the address specified with the
       address_verify_sender parameter. This feature is ignored when the probe
       sender address is the null sender, i.e. the address_verify_sender value
       is empty or <>.

       Historically, the probe sender address was fixed. This has caused such
       addresses to end up on spammer mailing lists, and has resulted in
       wasted network and processing resources.

       To enable time-dependent probe sender addresses, specify a non-zero
       time value. Specify a value of at least several hours, to avoid
       problems with senders that use greylisting. Avoid nice TTL values, to
       make the result less predictable.

       Specify a non-negative time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.9 and later.

address_verify_service_name (default: verify)

       The name of the verify(8) address verification service. This service
       maintains the status of sender and/or recipient address verification
       probes, and generates probes on request by other Postfix processes.

address_verify_transport_maps (default: $transport_maps)

       Overrides the transport_maps parameter setting for address verification
       probes.

       This feature is available in Postfix 2.1 and later.

address_verify_virtual_transport (default: $virtual_transport)

       Overrides the virtual_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

alias_database (default: see postconf -d output)

       The alias databases for local(8) delivery that are updated with
       "newaliases" or with "sendmail -bi".

       This is a separate configuration parameter because not all the tables
       specified with $alias_maps have to be local files.

       Examples:

       alias_database = hash:/etc/aliases
       alias_database = hash:/etc/mail/aliases

alias_maps (default: see postconf -d output)

       The alias databases that are used for local(8) delivery. See aliases(5)
       for syntax details. Specify zero or more "type:name" lookup tables,
       separated by whitespace or comma. Tables will be searched in the
       specified order until a match is found. Note: these lookups are
       recursive.

       The default list is system dependent. On systems with NIS, the default
       is to search the local alias database, then the NIS alias database.

       If you change the alias database, run "postalias /etc/aliases" (or
       wherever your system stores the mail alias file), or simply run
       "newaliases" to build the necessary DBM or DB file.

       The local(8) delivery agent disallows regular expression substitution
       of $1 etc. in alias_maps, because that would open a security hole.

       The local(8) delivery agent will silently ignore requests to use the
       proxymap(8) server within alias_maps. Instead it will open the table
       directly. Before Postfix version 2.2, the local(8) delivery agent will
       terminate with a fatal error.

       Examples:

       alias_maps = hash:/etc/aliases, nis:mail.aliases
       alias_maps = hash:/etc/aliases

allow_mail_to_commands (default: alias, forward)

       Restrict local(8) mail delivery to external commands. The default is
       to disallow delivery to "|command" in :include: files (see aliases(5)
       for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow
       commands in aliases(5), .forward files or in :include: files,
       respectively.

       Example:

       allow_mail_to_commands = alias,forward,include

allow_mail_to_files (default: alias, forward)

       Restrict local(8) mail delivery to external files. The default is to
       disallow "/file/name" destinations in :include: files (see aliases(5)
       for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow
       "/file/name" destinations in aliases(5), .forward files and in
       :include: files, respectively.

       Example:

       allow_mail_to_files = alias,forward,include

allow_min_user (default: no)

       Allow a sender or recipient address to have `-' as the first character.
       By default, this is not allowed, to avoid accidents with software that
       passes email addresses via the command line. Such software would not be
       able to distinguish a malicious address from a bona fide command-line
       option. Although this can be prevented by inserting a "--" option
       terminator into the command line, this is difficult to enforce
       consistently and globally.

       As of Postfix version 2.5, this feature is implemented by
       trivial-rewrite(8). With earlier versions this feature was implemented
       by qmgr(8) and was limited to recipient addresses only.
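
       The ambiguity described above, shown with a constructed helper that
       receives addresses on its command line (added example, not Postfix
       code; the deliver-helper parser, its -f option and the addresses are
       hypothetical). It compares an invocation without the "--" terminator,
       one with it, and an up-front check that mirrors "allow_min_user = no".

```python
import argparse

def build_parser():
    # Hypothetical delivery helper: deliver-helper -f SENDER RECIPIENT...
    parser = argparse.ArgumentParser(prog="deliver-helper")
    parser.add_argument("-f", dest="sender", default="MAILER-DAEMON")
    parser.add_argument("recipients", nargs="+")
    return parser

def invoke(sender, recipients, terminator):
    """Build the argument vector the way a calling program would, then
    return what the helper believes the sender and recipients are."""
    argv = ["-f", sender]
    if terminator:
        argv.append("--")          # everything after this is an operand
    argv.extend(recipients)
    parsed = build_parser().parse_args(argv)
    return parsed.sender, parsed.recipients

def address_allowed(address, allow_min_user=False):
    """Mirror of the default policy: refuse a leading '-' unless enabled."""
    return allow_min_user or not address.startswith("-")

def deliver(sender, recipients):
    """Defence in depth: validate every address AND use the terminator."""
    for address in [sender] + list(recipients):
        if not address_allowed(address):
            raise ValueError("address starts with '-': " + repr(address))
    return invoke(sender, recipients, terminator=True)

# Constructed addresses; the first recipient looks like the helper's -f option.
DASH_ADDRESS = "-fpostmaster@example.com"
RECIPIENTS = [DASH_ADDRESS, "bob@example.com"]

if __name__ == "__main__":
    print("no terminator:  ", invoke("alice@example.com", RECIPIENTS, False))
    print("with terminator:", invoke("alice@example.com", RECIPIENTS, True))
    try:
        deliver("alice@example.com", RECIPIENTS)
    except ValueError as err:
        print("rejected:", err)
```

       Without the terminator the helper treats the first recipient as a
       second -f option, so the sender it sees is no longer the one the
       caller supplied and one recipient disappears from the list.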

allow_percent_hack (default: yes)

       Enable the rewriting of the form "user%domain" to "user@domain". This
       is enabled by default.

       Note: as of Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       •      The message is received with the Postfix sendmail(1) command,

       •      The message is received from a network client that matches
              $local_header_rewrite_clients,

       •      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       allow_percent_hack = no

allow_srv_lookup_fallback (default: no)

       When SRV record lookup fails or no SRV record exists, fall back to MX
       or IP address lookup as if SRV record lookup was not enabled.

       This feature is available in Postfix 3.8 and later.

allow_untrusted_routing (default: no)

       Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
       from untrusted clients to destinations matching $relay_domains.

       By default, this feature is turned off. This closes a nasty open relay
       loophole where a backup MX host can be tricked into forwarding junk
       mail to a primary MX host which then spams it out to the world.

       This parameter also controls if non-local addresses with
       sender-specified routing can match Postfix access tables. By default,
       such addresses cannot match Postfix access tables, because the address
       is ambiguous.

alternate_config_directories (default: empty)

       A list of non-default Postfix configuration directories that may be
       specified with "-c config_directory" on the command line (in the case
       of sendmail(1), with the "-C" option), or via the MAIL_CONFIG
       environment parameter.

       This list must be specified in the default Postfix main.cf file, and
       will be used by set-gid Postfix commands such as postqueue(1) and
       postdrop(1).

       Specify absolute pathnames, separated by comma or space. Note: $name
       expansion is not supported.

always_add_missing_headers (default: no)

       Always add (Resent-) From:, To:, Date: or Message-ID: headers when not
       present. Postfix 2.6 and later add these headers only when clients
       match the local_header_rewrite_clients parameter setting. Earlier
       Postfix versions always add these headers; this may break DKIM
       signatures that cover non-existent headers. The
       undisclosed_recipients_header parameter setting determines whether a
       To: header will be added.

always_bcc (default: empty)

       Optional address that receives a "blind carbon copy" of each message
       that is received by the Postfix mail system.

       Note: with Postfix 2.3 and later the BCC address is added as if it was
       specified with NOTIFY=NONE. The sender will not be notified when the
       BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will be notified when the
       BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

anvil_rate_time_unit (default: 60s)

       The time unit over which client connection rates and other rates are
       calculated.

       This feature is implemented by the anvil(8) service which is available
       in Postfix version 2.2 and later.

       The default interval is relatively short. Because of the high frequency
       of updates, the anvil(8) server uses volatile memory only. Thus,
       information is lost whenever the process terminates.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

anvil_status_update_time (default: 600s)

       How frequently the anvil(8) connection and rate limiting server logs
       peak usage information.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.2 and later.

append_at_myorigin (default: yes)

       With locally submitted mail, append the string "@$myorigin" to mail
       addresses without domain information. With remotely submitted mail,
       append the string "@$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default and must not be turned off.
       Postfix does not support domain-less addresses.

       Note 2: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       •      The message is received with the Postfix sendmail(1) command,

       •      The message is received from a network client that matches
              $local_header_rewrite_clients,

       •      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

append_dot_mydomain (default: Postfix >= 3.0: no, Postfix < 3.0: yes)

       With locally submitted mail, append the string ".$mydomain" to
       addresses that have no ".domain" information. With remotely submitted
       mail, append the string ".$remote_header_rewrite_domain" instead.

       Note 1: When disabled (Postfix 3.0 and later), users will not be able
       to send mail to "user@partialdomainname" but will have to specify full
       domain names instead.

       Note 2: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       •      The message is received with the Postfix sendmail(1) command,

       •      The message is received from a network client that matches
              $local_header_rewrite_clients,

       •      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

application_event_drain_time (default: 100s)

       How long the postkick(1) command waits for a request to enter the
       Postfix daemon process input buffer before giving up.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

authorized_flush_users (default: static:anyone)

       List of users who are authorized to flush the queue.

       By default, all users are allowed to flush the queue. Access is always
       granted if the invoking user is the super-user or the $mail_owner user.
       Otherwise, the real UID of the process is looked up in the system
       password file, and access is granted only if the corresponding login
       name is on the access list. The username "unknown" is used for
       processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a name from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

authorized_mailq_users (default: static:anyone)

       List of users who are authorized to view the queue.

       By default, all users are allowed to view the queue. Access is always
       granted if the invoking user is the super-user or the $mail_owner user.
       Otherwise, the real UID of the process is looked up in the system
       password file, and access is granted only if the corresponding login
       name is on the access list. The username "unknown" is used for
       processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a user name from the list. The form "!/file/name"
       is supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

authorized_submit_users (default: static:anyone)

       List of users who are authorized to submit mail with the sendmail(1)
       command (and with the privileged postdrop(1) helper command).

       By default, all users are allowed to submit mail. Otherwise, the real
       UID of the process is looked up in the system password file, and access
       is granted only if the corresponding login name is on the access list.
       The username "unknown" is used for processes whose real UID is not
       found in the password file. To deny mail submission access to all users
       specify an empty list.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a user name from the list. The form "!/file/name"
       is supported only in Postfix version 2.4 and later.

       Example:

       authorized_submit_users = !www, static:all

       This feature is available in Postfix 2.2 and later.
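
       The left-to-right, first-match rule shared by authorized_mailq_users
       and authorized_submit_users makes the position of a "!pattern" entry
       decisive. The following is an added example, not Postfix code: a
       simplified Python model of the matching rules described above. The
       file path, table name and passwd map are constructed sample data.

```python
"""Simplified model of Postfix access-list matching (illustration only)."""

# Constructed sample data standing in for the filesystem, a lookup table
# and the system password file. All names are hypothetical.
FILES = {"/etc/postfix/submit_deny": "www\nnobody\n"}
TABLES = {"hash:/etc/postfix/submitters": {"alice", "bob"}}
PASSWD = {0: "root", 33: "www", 1000: "alice"}


def expand(value, files, negate=False):
    """Yield (negated, pattern) pairs in match order.

    Entries are separated by commas and/or whitespace. A "/file/name"
    entry is replaced in place by the entries found in that file, and a
    leading "!" on the file name negates every entry it contributes.
    """
    for item in value.replace(",", " ").split():
        neg = negate
        while item.startswith("!"):
            neg = not neg
            item = item[1:]
        if item.startswith("/"):
            yield from expand(files[item], files, neg)
        else:
            yield neg, item


def matches(pattern, login, tables):
    """True when LOGIN matches a single list entry."""
    if pattern.startswith("static:"):
        return True  # a static: table returns a result for every key
    if ":" in pattern:
        # "type:table": only the presence of the key matters,
        # the lookup result itself is ignored.
        return login in tables[pattern]
    return pattern == login


def is_authorized(value, login, files=None, tables=None):
    """Walk the list left to right and stop at the first match."""
    for neg, pattern in expand(value, files or {}):
        if matches(pattern, login, tables or {}):
            return not neg
    return False  # nothing matched, which also covers the empty list


def login_for_uid(uid, passwd):
    """Real UIDs missing from the password file map to "unknown"."""
    return passwd.get(uid, "unknown")


if __name__ == "__main__":
    for setting in ("!www, static:all", "static:all, !www"):
        for uid in (33, 1000, 4242):
            login = login_for_uid(uid, PASSWD)
            verdict = is_authorized(setting, login, FILES, TABLES)
            print(f"{setting!r:22} uid={uid:<5} login={login:8} -> {verdict}")
```

       With "static:all, !www" the exclusion is never reached, because
       static:all already matches every login name.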

authorized_verp_clients (default: $mynetworks)

       What remote SMTP clients are allowed to specify the XVERP command.
       This command requests that mail be delivered one recipient at a time
       with a per recipient return address.

       By default, only trusted clients are allowed to specify XVERP.

       This parameter was introduced with Postfix version 1.1. Postfix
       version 2.1 renamed this parameter to smtpd_authorized_verp_clients and
       changed the default to none.

       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify hostnames or .domain names (the
       initial dot causes the domain to match any name below it),
       "/file/name" or "type:table" patterns. A "/file/name" pattern is
       replaced by its contents; a "type:table" lookup table is matched when a
       table entry matches a lookup string (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude an address or network block from the list. The
       form "!/file/name" is supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in
       the authorized_verp_clients value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

backwards_bounce_logfile_compatibility (default: yes)

       Produce additional bounce(8) logfile records that can be read by
       Postfix versions before 2.0. The current and more extensible
       "name = value" format is needed in order to implement more
       sophisticated functionality.

       This feature is available in Postfix 2.1 and later.

berkeley_db_create_buffer_size (default: 16777216)

       The per-table I/O buffer size for programs that create Berkeley DB hash
       or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

berkeley_db_read_buffer_size (default: 131072)

       The per-table I/O buffer size for programs that read Berkeley DB hash
       or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

best_mx_transport (default: empty)

       Where the Postfix SMTP client should deliver mail when it detects a
       "mail loops back to myself" error condition. This happens when the
       local MTA is the best SMTP mail exchanger for a destination not listed
       in $mydestination, $inet_interfaces, $proxy_interfaces,
       $virtual_alias_domains, or $virtual_mailbox_domains. By default, the
       Postfix SMTP client returns such mail as undeliverable.

       Specify, for example, "best_mx_transport = local" to pass the mail from
       the Postfix SMTP client to the local(8) delivery agent. You can specify
       any message delivery "transport" or "transport:nexthop" that is defined
       in the master.cf file. See the transport(5) manual page for the syntax
       and meaning of "transport" or "transport:nexthop".

       However, this feature is expensive because it ties up a Postfix SMTP
       client process while the local(8) delivery agent is doing its work. It
       is more efficient (for Postfix) to list all hosted domains in a table
       or database.

biff (default: yes)

       Whether or not to use the local biff service. This service sends "new
       mail" notifications to users who have requested new mail notification
       with the UNIX command "biff y".

       For compatibility reasons this feature is on by default. On systems
       with lots of interactive users, the biff service can be a performance
       drain. Specify "biff = no" in main.cf to disable.

body_checks (default: empty)

       Optional lookup tables for content inspection as specified in the
       body_checks(5) manual page.

       Note: with Postfix versions before 2.0, these rules inspect all content
       after the primary message headers.

body_checks_size_limit (default: 51200)

       How much text in a message body segment (or attachment, if you prefer
       to use that term) is subjected to body_checks inspection. The amount
       of text is limited to avoid scanning huge attachments.

       This feature is available in Postfix 2.0 and later.

bounce_notice_recipient (default: postmaster)

       The recipient of postmaster notifications with the message headers of
       mail that Postfix did not deliver and of SMTP conversation transcripts
       of mail that Postfix did not receive. This feature is enabled with the
       notify_classes parameter.

bounce_queue_lifetime (default: 5d)

       Consider a bounce message as undeliverable, when delivery fails with a
       temporary error, and the time in the queue has reached the
       bounce_queue_lifetime limit. By default, this limit is the same as for
       regular mail.

       Specify a non-negative time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is d (days).

       Specify 0 when mail delivery should be tried only once.

       This feature is available in Postfix 2.1 and later.

bounce_service_name (default: bounce)

       The name of the bounce(8) service. This service maintains a record of
       failed delivery attempts and generates non-delivery notifications.

       This feature is available in Postfix 2.0 and later.

bounce_size_limit (default: 50000)

       The maximal amount of original message text that is sent in a
       non-delivery notification. Specify a byte count. A message is returned
       as either message/rfc822 (the complete original) or as
       text/rfc822-headers (the headers only). With Postfix version 2.4 and
       earlier, a message is always returned as message/rfc822 and is
       truncated when it exceeds the size limit.

       Notes:

       •      If you increase this limit, then you should increase the
              mime_nesting_limit value proportionally.

       •      Be careful when making changes. Excessively large values will
              result in the loss of non-delivery notifications, when a bounce
              message size exceeds a local or remote MTA's message size limit.

bounce_template_file (default: empty)

       Pathname of a configuration file with bounce message templates. These
       override the built-in templates of delivery status notification (DSN)
       messages for undeliverable mail, delayed mail, successful delivery, or
       delivery verification. The bounce(5) manual page describes how to edit
       and test template files.

       Template message body text may contain $name references to Postfix
       configuration parameters. The result of $name expansion can be
       previewed with "postconf -b file_name" before the file is placed into
       the Postfix configuration directory.

       This feature is available in Postfix 2.3 and later.

broken_sasl_auth_clients (default: no)

       Enable interoperability with remote SMTP clients that implement an
       obsolete version of the AUTH command (RFC 4954). Examples of such
       clients are Microsoft Outlook Express version 4 and Microsoft Exchange
       version 5.0.

       Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
       support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)

       What addresses are subject to canonical_maps address mapping. By
       default, canonical_maps address mapping is applied to envelope sender
       and recipient addresses, and to header sender and header recipient
       addresses.

       Specify one or more of: envelope_sender, envelope_recipient,
       header_sender, header_recipient

       This feature is available in Postfix 2.2 and later.

canonical_maps (default: empty)

       Optional address mapping lookup tables for message headers and
       envelopes. The mapping is applied to both sender and recipient
       addresses, in both envelopes and in headers, as controlled with the
       canonical_classes parameter. This is typically used to clean up dirty
       addresses from legacy mail systems, or to replace login names by
       Firstname.Lastname. The table format and lookups are documented in
       canonical(5). For an overview of Postfix address manipulations see the
       ADDRESS_REWRITING_README document.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found. Note: these lookups are recursive.

       If you use this feature, run "postmap /etc/postfix/canonical" to build
       the necessary DBM or DB file after every change. The changes will
       become visible after a minute or so. Use "postfix reload" to eliminate
       the delay.

       Note: with Postfix version 2.2, message header address mapping happens
       only when message header address rewriting is enabled:

       •      The message is received with the Postfix sendmail(1) command,

       •      The message is received from a network client that matches
              $local_header_rewrite_clients,

       •      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Examples:

       canonical_maps = dbm:/etc/postfix/canonical
       canonical_maps = hash:/etc/postfix/canonical

cleanup_service_name (default: cleanup)

       The name of the cleanup(8) service. This service rewrites addresses
       into the standard form, and performs canonical(5) address mapping and
       virtual(5) aliasing.

       This feature is available in Postfix 2.0 and later.

command_directory (default: see postconf -d output)

       The location of all Postfix administrative commands.

command_execution_directory (default: empty)

       The local(8) delivery agent working directory for delivery to external
       commands. Failure to change directory causes the delivery to be
       deferred.

       The command_execution_directory value is not subject to Postfix
       configuration parameter $name expansion. Instead, the following $name
       expansions are done on command_execution_directory before the directory
       is used. Expansion happens in the context of the delivery request. The
       result of $name expansion is filtered with the character set that is
       specified with the execution_directory_expansion_filter parameter.

       $user  The recipient's username.

       $shell The recipient's login shell pathname.

       $home  The recipient's home directory.

       $recipient
              The full recipient address.

       $extension
              The optional recipient address extension.

       $domain
              The recipient domain.

       $local The entire recipient localpart.

       $recipient_delimiter
              The address extension delimiter that was found in the recipient
              address (Postfix 2.11 and later), or the system-wide recipient
              address extension delimiter (Postfix 2.10 and earlier).

       ${name?value}

       ${name?{value}} (Postfix >= 3.0)
              Expands to value when $name is non-empty.

       ${name:value}

       ${name:{value}} (Postfix >= 3.0)
              Expands to value when $name is empty.

       ${name?{value1}:{value2}} (Postfix >= 3.0)
              Expands to value1 when $name is non-empty, value2 otherwise.

       Instead of $name you can also specify ${name} or $(name).

       This feature is available in Postfix 2.2 and later.

command_expansion_filter (default: see postconf -d output)

       Restrict the characters that the local(8) delivery agent allows in
       $name expansions of $mailbox_command and $command_execution_directory.
       Characters outside the allowed set are replaced by underscores.
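
       The $name expansions listed under command_execution_directory carry
       values taken from the recipient address, so the expansion filter is
       what keeps sender-chosen characters out of a path or command line. The
       following is an added example, not Postfix code: a Python model of the
       $name, ${name}, $(name), ${name?value} and ${name:value} forms with
       the filter applied to each expanded value. The allowed set and the
       delivery attributes are constructed; see "postconf -d" output for the
       real filter value.

```python
"""Model of delivery-time $name expansion with a character filter."""
import re
import string

# Constructed allow-list for illustration only. The value Postfix uses is
# whatever the expansion filter parameter is set to on the system.
ALLOWED = set(string.ascii_letters + string.digits + "_-.@/+")

# Constructed delivery-request attributes (hypothetical recipient).
ATTRS = {
    "user": "alice",
    "home": "/home/alice",
    "domain": "example.com",
    "extension": "sales;$(id)",   # the sender chose this part of the address
}

_REF = re.compile(
    r"\$(?:(\w+)"                        # $name
    r"|\{(\w+)(?:([?:])([^{}]*))?\}"     # ${name}, ${name?value}, ${name:value}
    r"|\((\w+)\))"                       # $(name)
)


def sanitize(value, allowed=ALLOWED):
    """Replace every character outside the allowed set by an underscore."""
    return "".join(c if c in allowed else "_" for c in value)


def expand(template, attrs, allowed=ALLOWED):
    """Expand references in TEMPLATE; filter only the substituted values.

    The template itself is trusted configuration and is left untouched.
    Substituted values are never scanned again for further references.
    """
    def repl(match):
        name = match.group(1) or match.group(2) or match.group(5)
        value = attrs.get(name, "")
        op, text = match.group(3), match.group(4)
        if op == "?":      # ${name?value}: value when $name is non-empty
            return expand(text, attrs, allowed) if value else ""
        if op == ":":      # ${name:value}: value when $name is empty
            return expand(text, attrs, allowed) if not value else ""
        return sanitize(value, allowed)

    return _REF.sub(repl, template)


if __name__ == "__main__":
    template = "$home/mail${extension?/$extension}"
    print(expand(template, ATTRS))
    print(expand(template, dict(ATTRS, extension="")))
```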

command_time_limit (default: 1000s)

       Time limit for delivery to external commands. This limit is used by the
       local(8) delivery agent, and is the default time limit for delivery by
       the pipe(8) delivery agent.

       Note: if you set this time limit to a large value you must update the
       global ipc_timeout parameter as well.

compatibility_level (default: 0)

       A safety net that causes Postfix to run with backwards-compatible
       default settings after an upgrade to a newer Postfix version.

       With backwards compatibility turned on (the main.cf compatibility_level
       value is less than the Postfix built-in value), Postfix looks for
       settings that are left at their implicit default value, and logs a
       message when a backwards-compatible default setting is required.

           using backwards-compatible default setting name=value
               to [accept a specific client request]

           using backwards-compatible default setting name=value
               to [enable specific Postfix behavior]

       See COMPATIBILITY_README for specific message details. If such a
       message is logged in the context of a legitimate request, the system
       administrator should make the backwards-compatible setting permanent in
       main.cf or master.cf, for example:

           # postconf name=value
           # postfix reload

       When no more backwards-compatible settings need to be made permanent,
       the administrator should turn off backwards compatibility by updating
       the compatibility_level setting in main.cf:

           # postconf compatibility_level=N
           # postfix reload

       For N specify the number that is logged in your postfix(1) warning
       message:

           warning: To disable backwards compatibility use "postconf
               compatibility_level=N" and "postfix reload"

       Starting with Postfix version 3.6, the compatibility level in the above
       warning message is the Postfix version that introduced the last
       incompatible change. The level is formatted as major.minor.patch, where
       patch is usually omitted and defaults to zero. Earlier compatibility
       levels are 0, 1 and 2.

       NOTE: this also introduces support for the "<level", "<=level", and
       other operators to compare compatibility levels. With the standard
       operators "<", "<=", etc., compatibility level "3.10" would be smaller
       than "3.9" which is undesirable.

       This feature is available in Postfix 3.0 and later.

config_directory (default: see postconf -d output)

       The default location of the Postfix main.cf and master.cf configuration
       files. This can be overruled via the following mechanisms:

       •      The MAIL_CONFIG environment variable (daemon processes and
              commands).

       •      The "-c" command-line option (commands only).

       With Postfix commands that run with set-gid privileges, a
       config_directory override either requires root privileges, or it
       requires that the directory is listed with the
       alternate_config_directories parameter in the default main.cf file.

confirm_delay_cleared (default: no)

       After sending a "your message is delayed" notification, inform the
       sender when the delay clears up. This can result in a sudden burst of
       notifications at the end of a prolonged network outage, and is
       therefore disabled by default.

       See also: delay_warning_time.

       This feature is available in Postfix 3.0 and later.

connection_cache_protocol_timeout (default: 5s)

       Time limit for connection cache connect, send or receive operations.
       The time limit is enforced in the client.

       This feature is available in Postfix 2.3 and later.

connection_cache_service_name (default: scache)

       The name of the scache(8) connection cache service. This service
       maintains a limited pool of cached sessions.

       This feature is available in Postfix 2.2 and later.

connection_cache_status_update_time (default: 600s)

       How frequently the scache(8) server logs usage statistics with
       connection cache hit and miss rates for logical destinations and for
       physical endpoints.

connection_cache_ttl_limit (default: 2s)

       The maximal time-to-live value that the scache(8) connection cache
       server allows. Requests that specify a larger TTL will be stored with
       the maximum allowed TTL. The purpose of this additional control is to
       protect the infrastructure against careless people. The cache TTL is
       already bounded by $max_idle.

content_filter (default: empty)

       After the message is queued, send the entire message to the specified
       transport:destination. The transport name specifies the first field of
       a mail delivery agent definition in master.cf; the syntax of the
       next-hop destination is described in the manual page of the
       corresponding delivery agent. More information about external content
       filters is in the Postfix FILTER_README file.

       Notes:

       •      This setting has lower precedence than a FILTER action that is
              specified in an access(5), header_checks(5) or body_checks(5)
              table.

       •      The meaning of an empty next-hop filter destination is version
              dependent. Postfix 2.7 and later will use the recipient domain;
              earlier versions will use $myhostname. Specify
              "default_filter_nexthop = $myhostname" for compatibility with
              Postfix 2.6 or earlier, or specify a content_filter value with
              an explicit next-hop destination.

cyrus_sasl_config_path (default: empty)

       Search path for Cyrus SASL application configuration files, currently
       used only to locate the $smtpd_sasl_path.conf file. Specify zero or
       more directories separated by a colon character, or an empty value to
       use Cyrus SASL's built-in search path.

       This feature is available in Postfix 2.5 and later when compiled with
       Cyrus SASL 2.1.22 or later.

daemon_directory (default: see postconf -d output)

       The directory with Postfix support programs and daemon programs. These
       should not be invoked directly by humans. The directory must be owned
       by root.

daemon_table_open_error_is_fatal (default: no)

       How a Postfix daemon process handles errors while opening lookup
       tables: gradual degradation or immediate termination.

       no (default)
              Gradual degradation: a daemon process logs a message of type
              "error" and continues execution with reduced functionality.
              Features that do not depend on the unavailable table will work
              normally, while features that depend on the table will result in
              a type "warning" message.
              When the notify_classes parameter value contains the "data"
              class, the Postfix SMTP server and client will report
              transcripts of sessions with an error because a table is
              unavailable.

       yes (historical behavior)
              Immediate termination: a daemon process logs a type "fatal"
              message and terminates immediately. This option reduces the
              number of possible code paths through Postfix, and may therefore
              be slightly more secure than the default.

       For the sake of sanity, the number of type "error" messages is limited
       to 13 over the lifetime of a daemon process.

       This feature is available in Postfix 2.9 and later.

daemon_timeout (default: 18000s)

       How much time a Postfix daemon process may take to handle a request
       before it is terminated by a built-in watchdog timer.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

data_directory (default: see postconf -d output)

       The directory with Postfix-writable data files (for example: caches,
       pseudo-random numbers). This directory must be owned by the mail_owner
       account, and must not be shared with non-Postfix software.

       This feature is available in Postfix 2.5 and later.

debug_peer_level (default: 2)

       The increment in verbose logging level when a nexthop destination,
       remote client or server name or network address matches a pattern given
       with the debug_peer_list parameter.

       Per-nexthop debug logging is available in Postfix 3.6 and later.

debug_peer_list (default: empty)

       Optional list of nexthop destination, remote client or server name or
       network address patterns that, if matched, cause the verbose logging
       level to increase by the amount specified in $debug_peer_level.

       Per-nexthop debug logging is available in Postfix 3.6 and later.

       Specify domain names, network/netmask patterns, "/file/name" patterns
       or "type:table" lookup tables. The right-hand side result from
       "type:table" lookups is ignored.

       Pattern matching of domain names is controlled by the presence or
       absence of "debug_peer_list" in the parent_domain_matches_subdomains
       parameter value.

       Examples:

       debug_peer_list = 127.0.0.1
       debug_peer_list = example.com

debugger_command (default: empty)

       The external command to execute when a Postfix daemon program is
       invoked with the -D option.

       Use "command .. & sleep 5" so that the debugger can attach before the
       process marches on. If you use an X-based debugger, be sure to set up
       your XAUTHORITY environment variable before starting Postfix.

       Note: the command is subject to $name expansion, before it is passed to
       the default command interpreter. Specify "$$" to produce a single "$"
       character.

       Example:

       debugger_command =
           PATH=/usr/bin:/usr/X11R6/bin
           ddd $daemon_directory/$process_name $process_id & sleep 5

default_database_type (default: see postconf -d output)

       The default database type for use in newaliases(1), postalias(1) and
       postmap(1) commands. On many UNIX systems the default type is either
       dbm or hash. The default setting is frozen when the Postfix system is
       built.

       Examples:

       default_database_type = hash
       default_database_type = dbm

default_delivery_slot_cost (default: 5)

       How often the Postfix queue manager's scheduler is allowed to preempt
       delivery of one message with another.

       Each transport maintains a so-called "available delivery slot counter"
       for each message. One message can be preempted by another one when the
       other message can be delivered using no more delivery slots (i.e.,
       invocations of delivery agents) than the current message counter has
       accumulated (or will eventually accumulate - see about slot loans
       below). This parameter controls how often the counter is incremented -
       it happens after each default_delivery_slot_cost recipients have been
       delivered.

       The cost of 0 is used to disable the preempting scheduling completely.
       The minimum value the scheduling algorithm can use is 2 - use it if you
       want to maximize the message throughput rate. Although there is no
       maximum, it doesn't make much sense to use values above, say, 50.

       The only reason why the value of 2 is not the default is the way this
       parameter affects the delivery of mailing-list mail. In the worst case,
       delivery can take somewhere between (cost+1)/cost and cost/(cost-1)
       times more than if the preemptive scheduler was disabled. The default
       value of 5 turns out to provide reasonable message response times while
       making sure the mailing-list deliveries are not extended by more than
       20-25 percent even in the worst case.

       Use transport_delivery_slot_cost to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

       Examples:

       default_delivery_slot_cost = 0
       default_delivery_slot_cost = 2

default_delivery_slot_discount (default: 50)

       The default value for transport-specific _delivery_slot_discount
       settings.

       This parameter speeds up the moment when a message preemption can
       happen. Instead of waiting until the full amount of delivery slots
       required is available, the preemption can happen when
       transport_delivery_slot_discount percent of the required amount plus
       transport_delivery_slot_loan still remains to be accumulated. Note that
       the full amount will still have to be accumulated before another
       preemption can take place later.

       Use transport_delivery_slot_discount to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

default_delivery_slot_loan (default: 3)

       The default value for transport-specific _delivery_slot_loan settings.

       This parameter speeds up the moment when a message preemption can
       happen. Instead of waiting until the full amount of delivery slots
       required is available, the preemption can happen when
       transport_delivery_slot_discount percent of the required amount plus
       transport_delivery_slot_loan still remains to be accumulated. Note that
       the full amount will still have to be accumulated before another
       preemption can take place later.

       Use transport_delivery_slot_loan to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

default_delivery_status_filter (default: empty)

1240       Optional filter to replace the delivery status code or explanatory text
1241       of  successful or unsuccessful deliveries.  This does not allow the re‐
1242       placement of a successful status code (2.X.X) with an unsuccessful sta‐
1243       tus code (4.X.X or 5.X.X) or vice versa.
1244
1245       Note:  the  (smtp|lmtp)_delivery_status_filter is applied only once per
1246       recipient: when delivery is successful, when delivery is rejected  with
1247       5XX,  or  when  there  are  no more alternate MX or A destinations. Use
1248       smtp_reply_filter or lmtp_reply_filter to inspect responses for all de‐
1249       livery attempts.
1250
1251       The following parameters can be used to implement a filter for specific
1252       delivery   agents:   lmtp_delivery_status_filter,   local_delivery_sta‐
1253       tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1254       virtual_delivery_status_filter. These parameters support the same  fil‐
1255       ter syntax as described here.
1256
1257       Specify  zero  or  more  "type:table"  lookup table names, separated by
1258       comma or whitespace. For each successful or unsuccessful delivery to  a
1259       recipient,  the tables are queried in the specified order with one line
1260       of text that is structured as follows:
1261
1262           enhanced-status-code SPACE explanatory-text
1263
1264       The first table match wins. The lookup result must have the same struc‐
1265       ture  as  the  query, a successful status code (2.X.X) must be replaced
1266       with a successful status code, an unsuccessful status  code  (4.X.X  or
1267       5.X.X)  must  be replaced with an unsuccessful status code, and the ex‐
1268       planatory text field must be non-empty. Other results will result in  a
1269       warning.
1270
       Example 1: convert specific soft TLS errors into hard errors, by
       overriding the first number in the enhanced status code.

           /etc/postfix/main.cf:
               smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

           /etc/postfix/smtp_dsn_filter:
               /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
                   5$1
               /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
                   5$1
               # Do not change the following into hard bounces. They may
               # result from a local configuration problem.
               # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
               # 4.\d+.\d+ TLS is required, but unavailable
               # 4.\d+.\d+ Cannot start TLS: handshake failure
1287
       Example 2: censor the per-recipient delivery status text so that it
       does not reveal the destination command or filename when a remote
       sender requests confirmation of successful delivery.

           /etc/postfix/main.cf:
               local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter

           /etc/postfix/local_dsn_filter:
               /^(2\S+ delivered to file).+/    $1
               /^(2\S+ delivered to command).+/ $1
1298
1299       Notes:
1300
1301       •      This feature will NOT override the soft_bounce safety net.
1302
1303       •      This feature will change the enhanced status code and text  that
1304              is  logged  to  the  maillog  file,  and that is reported to the
1305              sender in delivery confirmation or non-delivery notifications.
1306
1307       This feature is available in Postfix 3.0 and later.
1308
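       The filter rules described above (first match wins, the result keeps
       the success or failure class and carries non-empty text), as an added
       Python model that is not part of Postfix or of this manual page. The
       function names, the sample status lines and the choice to keep the
       original status when a result is invalid are assumptions of the
       example; the patterns are those of Examples 1 and 2.

```python
import re

# Rules copied from Examples 1 and 2 above, as (pattern, result) pairs in
# table order. "$1" is kept in Postfix syntax and expanded by hand below.
SMTP_DSN_FILTER = [
    (r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)", "5$1"),
    (r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)", "5$1"),
]
LOCAL_DSN_FILTER = [
    (r"^(2\S+ delivered to file).+", "$1"),
    (r"^(2\S+ delivered to command).+", "$1"),
]

# "enhanced-status-code SPACE explanatory-text"; the text must be non-empty.
STATUS_LINE = re.compile(r"^([245])\.\d{1,3}\.\d{1,3} (\S.*)$")


def check_result(query, result):
    """Return None when result may replace query, otherwise a string
    naming the requirement that the result breaks."""
    q, r = STATUS_LINE.match(query), STATUS_LINE.match(result)
    if q is None:
        return "query is not a status line"
    if r is None:
        return "result lacks status code, space or explanatory text"
    if (q.group(1) == "2") != (r.group(1) == "2"):
        return "result changes success into failure or vice versa"
    return None


def apply_filter(rules, status_line):
    """Model of one filter lookup. Returns (status_line_to_use, warning)."""
    for pattern, rhs in rules:
        m = re.search(pattern, status_line)
        if m is None:
            continue
        # First match wins: expand $1..$9 and ignore all later rules.
        result = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), rhs)
        warning = check_result(status_line, result)
        # Assumption of this model: an invalid result is ignored and the
        # original status line is kept.
        return (status_line, warning) if warning else (result, None)
    return status_line, None


# Constructed status lines, not captured from a real server.
SAMPLES = {
    "no_starttls": "4.7.4 TLS is required, but was not offered by host "
                   "mx.example.com[192.0.2.10]",
    "local_tls": "4.7.5 Cannot start TLS: handshake failure",
    "command": "2.0.0 delivered to command: /usr/local/bin/archive --user alice",
}
# A deliberately broken rule: it would turn a soft failure into a success.
BAD_RULE = [(r"^4\.4\.1 .+", "2.0.0 delivered")]

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        rules = LOCAL_DSN_FILTER if line.startswith("2") else SMTP_DSN_FILTER
        print(name, "->", apply_filter(rules, line))
    print(apply_filter(BAD_RULE, "4.4.1 connect to mx.example.com: timed out"))
```

       Running candidate rules through such a check before deploying them
       shows which soft errors become hard bounces and which rules would
       only produce a warning.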

default_destination_concurrency_failed_cohort_limit (default: 1)

1310       How many pseudo-cohorts must suffer connection or handshake failure be‐
1311       fore  a specific destination is considered unavailable (and further de‐
1312       livery is suspended). Specify zero to disable this feature. A  destina‐
1313       tion's  pseudo-cohort  failure count is reset each time a delivery com‐
1314       pletes without connection or handshake failure for that specific desti‐
1315       nation.
1316
1317       A  pseudo-cohort  is  the number of deliveries equal to a destination's
1318       delivery concurrency.
1319
1320       Use transport_destination_concurrency_failed_cohort_limit to specify  a
1321       transport-specific  override,  where transport is the master.cf name of
1322       the message delivery transport.
1323
1324       This feature is available in Postfix 2.5. The default setting  is  com‐
1325       patible with earlier Postfix versions.
1326

default_destination_concurrency_limit (default: 20)

1328       The  default maximal number of parallel deliveries to the same destina‐
1329       tion.  This is the default limit for delivery via the lmtp(8), pipe(8),
1330       smtp(8) and virtual(8) delivery agents.  With a per-destination recipi‐
1331       ent limit > 1, a destination is a domain, otherwise it is a recipient.
1332
1333       Use transport_destination_concurrency_limit to specify a transport-spe‐
1334       cific  override,  where  transport is the master.cf name of the message
1335       delivery transport.
1336

default_destination_concurrency_negative_feedback (default: 1)

1338       The per-destination amount of delivery concurrency  negative  feedback,
1339       after  a  delivery  completes  with  a connection or handshake failure.
1340       Feedback values are in the range 0..1 inclusive.  With  negative  feed‐
1341       back,  concurrency  is  decremented  at  the beginning of a sequence of
1342       length 1/feedback. This is unlike positive feedback, where  concurrency
1343       is incremented at the end of a sequence of length 1/feedback.
1344
1345       As  of  Postfix  version  2.5, negative feedback cannot reduce delivery
1346       concurrency to zero.  Instead, a destination is  marked  dead  (further
1347       delivery  suspended)  after the failed pseudo-cohort count reaches $de‐
1348       fault_destination_concurrency_failed_cohort_limit (or $transport_desti‐
1349       nation_concurrency_failed_cohort_limit).   To  make  the scheduler com‐
1350       pletely immune to connection or  handshake  failures,  specify  a  zero
1351       feedback value and a zero failed pseudo-cohort limit.
1352
1353       Specify one of the following forms:
1354
1355       number
1356
1357       number / number
1358              Constant  feedback.  The  value must be in the range 0..1 inclu‐
1359              sive.  The default setting of "1"  is  compatible  with  Postfix
1360              versions  before 2.5, where a destination's delivery concurrency
1361              is throttled down to zero (and further delivery suspended) after
1362              a single failed pseudo-cohort.
1363
1364       number / concurrency
1365              Variable  feedback  of  "number  / (delivery concurrency)".  The
1366              number must be in the range 0..1 inclusive. With number equal to
1367              "1",  a  destination's  delivery concurrency is decremented by 1
1368              after each failed pseudo-cohort.
1369
1370       A pseudo-cohort is the number of deliveries equal  to  a  destination's
1371       delivery concurrency.
1372
1373       Use  transport_destination_concurrency_negative_feedback  to  specify a
1374       transport-specific override, where transport is the master.cf  name  of
1375       the message delivery transport.
1376
1377       This  feature  is available in Postfix 2.5. The default setting is com‐
1378       patible with earlier Postfix versions.
1379

default_destination_concurrency_positive_feedback (default: 1)

1381       The per-destination amount of delivery concurrency  positive  feedback,
1382       after  a  delivery  completes  without connection or handshake failure.
1383       Feedback values are in the range 0..1 inclusive.  The  concurrency  in‐
1384       creases until it reaches the per-destination maximal concurrency limit.
1385       With positive feedback, concurrency is incremented at the end of a  se‐
1386       quence  with length 1/feedback. This is unlike negative feedback, where
1387       concurrency is decremented at the start of a sequence of length 1/feed‐
1388       back.
1389
1390       Specify one of the following forms:
1391
1392       number
1393
1394       number / number
1395              Constant  feedback.   The value must be in the range 0..1 inclu‐
1396              sive. The default setting of "1" is compatible with Postfix ver‐
1397              sions  before  2.5,  where  a destination's delivery concurrency
1398              doubles after each successful pseudo-cohort.
1399
1400       number / concurrency
1401              Variable feedback of "number  /  (delivery  concurrency)".   The
1402              number must be in the range 0..1 inclusive. With number equal to
1403              "1", a destination's delivery concurrency is  incremented  by  1
1404              after each successful pseudo-cohort.
1405
1406       A  pseudo-cohort  is  the number of deliveries equal to a destination's
1407       delivery concurrency.
1408
1409       Use transport_destination_concurrency_positive_feedback  to  specify  a
1410       transport-specific  override,  where transport is the master.cf name of
1411       the message delivery transport.
1412
1413       This feature is available in Postfix 2.5 and later.
1414

default_destination_rate_delay (default: 0s)

1416       The default amount of delay that is inserted between individual message
1417       deliveries  to  the same destination and over the same message delivery
1418       transport. Specify a non-zero value to rate-limit those message  deliv‐
1419       eries to at most one per $default_destination_rate_delay.
1420
1421       The  resulting  behavior  depends  on  the  value  of the corresponding
1422       per-destination recipient limit.
1423
1424       •      With a corresponding per-destination recipient limit  >  1,  the
1425              rate delay specifies the time between deliveries to the same do‐
1426              main.  Different domains are delivered in parallel,  subject  to
1427              the process limits specified in master.cf.
1428
1429       •      With a corresponding per-destination recipient limit equal to 1,
1430              the rate delay specifies the time between deliveries to the same
1431              recipient.  Different recipients are delivered in parallel, sub‐
1432              ject to the process limits specified in master.cf.
1433
1434       To enable the delay, specify a non-zero time value (an  integral  value
1435       plus an optional one-letter suffix that specifies the time unit).
1436
1437       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1438       The default time unit is s (seconds).
1439
1440       NOTE: the delay is enforced by the queue manager. The delay timer state
1441       does not survive "postfix reload" or "postfix stop".
1442
1443       Use  transport_destination_rate_delay  to  specify a transport-specific
1444       override, where transport is the master.cf name of the message delivery
1445       transport.
1446
1447       NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1448       tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1449       fix  from  deferring  all  mail for the same destination after only one
1450       connection or handshake error.
1451
1452       This feature is available in Postfix 2.5 and later.
1453

default_destination_recipient_limit (default: 50)

1455       The default maximal number of recipients per message delivery.  This is
1456       the  default  limit  for delivery via the lmtp(8), pipe(8), smtp(8) and
1457       virtual(8) delivery agents.
1458
1459       Setting this parameter to a value of 1 affects email deliveries as fol‐
1460       lows:
1461
1462       •      It changes the meaning of the corresponding per-destination con‐
1463              currency limit, from concurrency of deliveries to the  same  do‐
1464              main into concurrency of deliveries to the same recipient.  Dif‐
1465              ferent recipients are delivered  in  parallel,  subject  to  the
1466              process limits specified in master.cf.
1467
1468       •      It changes the meaning of the corresponding per-destination rate
1469              delay, from the delay between deliveries to the same domain into
1470              the delay between deliveries to the same recipient.  Again, dif‐
1471              ferent recipients are delivered  in  parallel,  subject  to  the
1472              process limits specified in master.cf.
1473
1474       •      It  changes  the  meaning of other corresponding per-destination
1475              settings in a similar manner, from settings for delivery to  the
1476              same domain into settings for delivery to the same recipient.
1477
1478       Use  transport_destination_recipient_limit  to specify a transport-spe‐
1479       cific override, where transport is the master.cf name  of  the  message
1480       delivery transport.
1481

default_extra_recipient_limit (default: 1000)

1483       The default value for the extra per-transport limit imposed on the num‐
1484       ber of in-memory recipients.  This extra recipient  space  is  reserved
1485       for  the  cases when the Postfix queue manager's scheduler preempts one
1486       message with another and suddenly needs some extra recipient slots  for
1487       the chosen message in order to avoid performance degradation.
1488
1489       Use  transport_extra_recipient_limit  to  specify  a transport-specific
1490       override, where transport is the master.cf name of the message delivery
1491       transport.
1492

default_filter_nexthop (default: empty)

1494       When  a content_filter or FILTER request specifies no explicit next-hop
1495       destination, use $default_filter_nexthop instead; when  that  value  is
1496       empty,  use the domain in the recipient address.  Specify "default_fil‐
1497       ter_nexthop = $myhostname" for compatibility with Postfix  version  2.6
1498       and earlier, or specify an explicit next-hop destination with each con‐
1499       tent_filter value or FILTER action.
1500
1501       This feature is available in Postfix 2.7 and later.
1502

default_minimum_delivery_slots (default: 3)

1504       How many recipients a message must have in order to invoke the  Postfix
1505       queue  manager's  scheduling  algorithm  at  all.  Messages which would
1506       never accumulate at least this many delivery  slots  (subject  to  slot
1507       cost parameter as well) are never preempted.
1508
1509       Use  transport_minimum_delivery_slots  to  specify a transport-specific
1510       override, where transport is the master.cf name of the message delivery
1511       transport.
1512

default_privs (default: nobody)

1514       The  default rights used by the local(8) delivery agent for delivery to
1515       an external file or command.  These rights are used  when  delivery  is
1516       requested from an aliases(5) file that is owned by root, or when deliv‐
1517       ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR  THE
1518       POSTFIX OWNER.
1519

default_process_limit (default: 100)

1521       The  default  maximal  number of Postfix child processes that provide a
1522       given service. This limit can be overruled for specific services in the
1523       master.cf file.
1524

default_rbl_reply (default: see postconf -d output)

1526       The default Postfix SMTP server response template for a request that is
1527       rejected by an RBL-based restriction. This template can be overruled by
1528       specific entries in the optional rbl_reply_maps lookup table.
1529
1530       This feature is available in Postfix 2.0 and later.
1531
1532       The  template  does  not  support Postfix configuration parameter $name
1533       substitution. Instead, it supports exactly one level of $name substitu‐
1534       tion for the following attributes:
1535
1536       $client
1537              The client hostname and IP address, formatted as name[address].
1538
1539       $client_address
1540              The client IP address.
1541
1542       $client_name
1543              The    client    hostname    or    "unknown".   See   reject_un‐
1544              known_client_hostname for more details.
1545
1546       $reverse_client_name
1547              The client hostname from  address->name  lookup,  or  "unknown".
1548              See reject_unknown_reverse_client_hostname for more details.
1549
1550       $helo_name
1551              The hostname given in HELO or EHLO command or empty string.
1552
1553       $rbl_class
1554              The  denylisted  entity  type: Client host, Helo command, Sender
1555              address, or Recipient address.
1556
1557       $rbl_code
1558              The  numerical  SMTP  response  code,  as  specified  with   the
1559              maps_rbl_reject_code  configuration parameter. Note: The numeri‐
1560              cal SMTP response code is required, and must appear at the start
1561              of  the  reply. With Postfix version 2.3 and later this informa‐
1562              tion may be followed by an RFC 3463 enhanced status code.
1563
1564       $rbl_domain
1565              The RBL domain where $rbl_what is denylisted.
1566
1567       $rbl_reason
1568              The reason why $rbl_what is denylisted, or an empty string.
1569
1570       $rbl_what
1571              The entity that is denylisted (an IP address, a hostname, a  do‐
1572              main name, or an email address whose domain was denylisted).
1573
1574       $recipient
1575              The recipient address or <> in case of the null address.
1576
1577       $recipient_domain
1578              The recipient domain or empty string.
1579
1580       $recipient_name
1581              The recipient address localpart or <> in case of null address.
1582
1583       $sender
1584              The sender address or <> in case of the null address.
1585
1586       $sender_domain
1587              The sender domain or empty string.
1588
1589       $sender_name
1590              The sender address localpart or <> in case of the null address.
1591
1592       ${name?value}
1593
1594       ${name?{value}} (Postfix >= 3.0)
1595              Expands to value when $name is non-empty.
1596
1597       ${name:value}
1598
1599       ${name:{value}} (Postfix >= 3.0)
1600              Expands to value when $name is empty.
1601
1602       ${name?{value1}:{value2}} (Postfix >= 3.0)
1603              Expands to value1 when $name is non-empty, value2 otherwise.
1604
1605       Instead of $name you can also specify ${name} or $(name).
1606
1607       Note:  when  an  enhanced status code is specified in an RBL reply tem‐
1608       plate, it is subject to modification.   The  following  transformations
1609       are  needed  when the same RBL reply template is used for client, helo,
1610       sender, or recipient access restrictions.
1611
1612       •      When rejecting a sender address, the Postfix  SMTP  server  will
1613              transform  a  recipient  DSN status (e.g., 4.1.1-4.1.6) into the
1614              corresponding sender DSN status, and vice versa.
1615
1616       •      When rejecting non-address information (such as the HELO command
1617              argument  or  the  client  hostname/address),  the  Postfix SMTP
1618              server will transform a sender or recipient DSN  status  into  a
1619              generic non-address DSN status (e.g., 4.0.0).
1620
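       The one-level attribute substitution described above, as an added
       Python model that is not Postfix code. The template, the attribute
       values and the function names are constructed for the example;
       treating unknown attributes as empty and expanding attribute
       references inside a conditional value are assumptions of the model.

```python
import re

NAME = re.compile(r"[A-Za-z0-9_]+")


def _balanced(text, start, open_ch, close_ch):
    """Index of the close_ch that matches the open_ch at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %r in template" % open_ch)


def _expand_braced(body, attrs):
    """Expand the inside of ${...} or $(...)."""
    m = NAME.match(body)
    if m is None:
        raise ValueError("bad attribute name in %r" % body)
    value, rest = attrs.get(m.group(), ""), body[m.end():]
    if rest == "":
        return value                      # ${name}: inserted literally
    op, arg = rest[0], rest[1:]
    if op not in "?:":
        raise ValueError("unsupported expression %r" % body)
    if arg.startswith("{"):               # the {value} forms
        end = _balanced(arg, 0, "{", "}")
        first, tail = arg[1:end], arg[end + 1:]
        if op == "?" and tail.startswith(":{"):   # ${name?{v1}:{v2}}
            second = tail[2:_balanced(tail, 1, "{", "}")]
            return expand(first if value else second, attrs)
        if tail:
            raise ValueError("text after {value} in %r" % body)
        arg = first
    use_arg = bool(value) if op == "?" else not value
    return expand(arg, attrs) if use_arg else ""


def expand(template, attrs):
    """Expand a reply template. Attribute values are copied into the
    output as-is and are never scanned for further $name expressions."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if ch == "$" and nxt in ("{", "("):
            end = _balanced(template, i + 1, nxt, "}" if nxt == "{" else ")")
            out.append(_expand_braced(template[i + 2:end], attrs))
            i = end + 1
            continue
        m = NAME.match(template, i + 1) if ch == "$" else None
        if m:
            out.append(attrs.get(m.group(), ""))
            i = m.end()
        else:
            out.append(ch)                # plain text, or a lone "$"
            i += 1
    return "".join(out)


# Constructed template and attributes (documentation address ranges).
TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] blocked "
            "using $rbl_domain${rbl_reason?; $rbl_reason}"
            "${helo_name?{ (helo=$helo_name)}:{ (no helo)}}")
ATTRS = {
    "rbl_code": "554", "rbl_class": "Client host", "rbl_what": "192.0.2.55",
    "rbl_domain": "dnsbl.example.org", "rbl_reason": "",
    # Client-supplied text that looks like a template expression.
    "helo_name": "${recipient}", "recipient": "user@example.com",
}

if __name__ == "__main__":
    print(expand(TEMPLATE, ATTRS))
```

       Because substitution is one level deep, the client-supplied HELO
       text appears in the reply verbatim and cannot pull in the value of
       another attribute.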

default_recipient_limit (default: 20000)

1622       The default per-transport upper limit on the number of in-memory recip‐
1623       ients.  These limits take priority over the global qmgr_message_recipi‐
1624       ent_limit  after the message has been assigned to the respective trans‐
1625       ports.  See also default_extra_recipient_limit and qmgr_message_recipi‐
1626       ent_minimum.
1627
1628       Use transport_recipient_limit to specify a transport-specific override,
1629       where transport is the master.cf name of the  message  delivery  trans‐
1630       port.
1631

default_recipient_refill_delay (default: 5s)

1633       The  default  per-transport maximum delay between refilling recipients.
1634       When not all message recipients fit into memory at once,  keep  loading
1635       more  of  them  at least once every this many seconds.  This is used to
1636       make sure the recipients are refilled in a timely manner even when $de‐
1637       fault_recipient_refill_limit is too high for too slow deliveries.
1638
1639       Use  transport_recipient_refill_delay  to  specify a transport-specific
1640       override, where transport is the master.cf name of the message delivery
1641       transport.
1642
1643       This feature is available in Postfix 2.4 and later.
1644

default_recipient_refill_limit (default: 100)

1646       The default per-transport limit on the number of recipients refilled at
1647       once.  When not all message recipients fit into memory  at  once,  keep
1648       loading  more  of them in batches of at least this many at a time.  See
1649       also $default_recipient_refill_delay, which  may  result  in  recipient
1650       batches lower than this when this limit is too high for too slow deliv‐
1651       eries.
1652
1653       Use transport_recipient_refill_limit to  specify  a  transport-specific
1654       override, where transport is the master.cf name of the message delivery
1655       transport.
1656
1657       This feature is available in Postfix 2.4 and later.
1658

default_transport (default: smtp)

1660       The default mail delivery transport and next-hop destination for desti‐
1661       nations  that do not match $mydestination, $inet_interfaces, $proxy_in‐
1662       terfaces,  $virtual_alias_domains,  $virtual_mailbox_domains,  or  $re‐
1663       lay_domains.   This information can be overruled with the sender_depen‐
1664       dent_default_transport_maps parameter and with the transport(5) table.
1665
1666       In order of decreasing precedence, the  nexthop  destination  is  taken
1667       from    $sender_dependent_default_transport_maps,   $default_transport,
1668       $sender_dependent_relayhost_maps, $relayhost, or from the recipient do‐
1669       main.
1670
1671       Specify  a string of the form transport:nexthop, where transport is the
1672       name of a mail delivery transport defined in master.cf.   The  :nexthop
1673       destination is optional; its syntax is documented in the manual page of
1674       the corresponding delivery agent. In the case of SMTP or LMTP,  specify
1675       one or more destinations separated by comma or whitespace (with Postfix
1676       3.5 and later).
1677
       Example:

       default_transport = uucp:relayhostname
1681

default_transport_rate_delay (default: 0s)

1683       The default amount of delay that is inserted between individual message
1684       deliveries over the same message delivery transport, regardless of des‐
1685       tination. Specify a non-zero value to rate-limit those message deliver‐
1686       ies to at most one per $default_transport_rate_delay.
1687
1688       Use  transport_transport_rate_delay  to  specify  a  transport-specific
1689       override, where the initial transport is the master.cf name of the mes‐
1690       sage delivery transport.
1691
       Example: throttle outbound SMTP mail to at most 3 deliveries per
       minute.

       /etc/postfix/main.cf:
           smtp_transport_rate_delay = 20s
1697
1698       To enable the delay, specify a non-zero time value (an  integral  value
1699       plus an optional one-letter suffix that specifies the time unit).
1700
1701       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1702       The default time unit is s (seconds).
1703
1704       NOTE: the delay is enforced by the queue manager.
1705
1706       This feature is available in Postfix 3.1 and later.
1707

default_verp_delimiters (default: +=)

1709       The two default VERP delimiter characters. These are used when  no  ex‐
1710       plicit delimiters are specified with the SMTP XVERP command or with the
1711       "sendmail -XV" command-line option (Postfix 2.2 and earlier: -V). Spec‐
1712       ify characters that are allowed by the verp_delimiter_filter setting.
1713
1714       This feature is available in Postfix 1.1 and later.
1715

defer_code (default: 450)

1717       The  numerical  Postfix  SMTP  server  response code when a remote SMTP
1718       client request is rejected by the "defer" restriction.
1719
1720       Do not change this unless you have  a  complete  understanding  of  RFC
1721       5321.
1722

defer_service_name (default: defer)

1724       The  name  of  the  defer  service.  This service is implemented by the
1725       bounce(8) daemon and maintains a record of failed delivery attempts and
1726       generates non-delivery notifications.
1727
1728       This feature is available in Postfix 2.0 and later.
1729

defer_transports (default: empty)

1731       The  names  of message delivery transports that should not deliver mail
1732       unless someone issues "sendmail -q" or equivalent. Specify zero or more
1733       mail  delivery  transport  names that appear in the first field of mas‐
1734       ter.cf.
1735
       Example:

       defer_transports = smtp
1739

delay_logging_resolution_limit (default: 2)

1741       The maximal number of digits  after  the  decimal  point  when  logging
1742       sub-second delay values.  Specify a number in the range 0..6.
1743
1744       Large  delay  values  are rounded off to an integral number of seconds;
1745       delay values below the  delay_logging_resolution_limit  are  logged  as
1746       "0", and delay values under 100s are logged with at most two-digit pre‐
1747       cision.
1748
1749       The format of the "delays=a/b/c/d" logging is as follows:
1750
1751       •      a = time from message arrival to last active queue entry
1752
1753       •      b = time from last active queue entry to connection setup
1754
1755       •      c = time in connection setup, including DNS, EHLO and STARTTLS
1756
1757       •      d = time in message transmission
1758
1759       This feature is available in Postfix 2.3 and later.
1760
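       A parser for the "delays=a/b/c/d" field described above, as an added
       Python example that is not part of Postfix. The log lines are
       constructed, and the function names and the 5-second threshold are
       assumptions of the example.

```python
import re

# Queue ID, recipient, the four delay components and the final status of
# one delivery log record.
DELIVERY = re.compile(
    r"(?P<queue_id>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>,.*?"
    r"\bdelays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+),"
    r".*?\bstatus=(?P<status>\w+)"
)

# Meaning of each component, as listed in the manual text above.
STAGES = {
    "a": "message arrival to last active queue entry",
    "b": "last active queue entry to connection setup",
    "c": "connection setup, including DNS, EHLO and STARTTLS",
    "d": "message transmission",
}

# Constructed log lines (documentation addresses and host names).
SAMPLE_LOG = [
    "Mar  3 10:15:02 mx1 postfix/smtp[2211]: 4F1A22C0D3: to=<alice@example.net>, "
    "relay=mx.example.net[192.0.2.25]:25, delay=0.62, delays=0.05/0.01/0.31/0.25, "
    "dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "Mar  3 10:15:40 mx1 postfix/smtp[2214]: 7B2C91A0E8: to=<bob@example.org>, "
    "relay=mx.example.org[198.51.100.7]:25, delay=34, delays=0.04/0/33/0.9, "
    "dsn=2.0.0, status=sent (250 ok)",
    "Mar  3 10:20:11 mx1 postfix/smtp[2220]: 9D0E11F3A1: to=<carol@example.com>, "
    "relay=none, delay=3605, delays=3600/0.02/5.1/0, dsn=4.4.1, status=deferred "
    "(connect to mx.example.com[203.0.113.9]:25: Connection timed out)",
    "Mar  3 10:21:00 mx1 postfix/qmgr[900]: 9D0E11F3A1: from=<dave@example.com>, "
    "size=1234, nrcpt=1 (queue active)",
]


def parse_delays(line):
    """Return a dict for a delivery record, or None for any other line."""
    m = DELIVERY.search(line)
    if m is None:
        return None
    rec = {"queue_id": m["queue_id"], "rcpt": m["rcpt"], "status": m["status"]}
    # A component logged as "0" is below the logging resolution, not
    # necessarily zero.
    rec.update({k: float(m[k]) for k in STAGES})
    return rec


def dominant_stage(rec):
    """Key (a, b, c or d) of the component that took the longest."""
    return max(STAGES, key=lambda k: rec[k])


def slow_setup(lines, threshold=5.0):
    """Queue IDs whose connection setup (c) took at least threshold seconds,
    the component that covers DNS, EHLO and STARTTLS problems."""
    records = filter(None, map(parse_delays, lines))
    return [r["queue_id"] for r in records if r["c"] >= threshold]


if __name__ == "__main__":
    for rec in filter(None, map(parse_delays, SAMPLE_LOG)):
        stage = dominant_stage(rec)
        print(rec["queue_id"], rec["status"], stage, STAGES[stage])
    print("slow setup:", slow_setup(SAMPLE_LOG))
```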

delay_notice_recipient (default: postmaster)

1762       The recipient of postmaster notifications with the message  headers  of
1763       mail that cannot be delivered within $delay_warning_time time units.
1764
1765       See also: delay_warning_time, notify_classes.
1766

delay_warning_time (default: 0h)

1768       The  time after which the sender receives a copy of the message headers
1769       of mail that is still queued. The confirm_delay_cleared parameter  con‐
1770       trols sender notification when the delay clears up.
1771
1772       To  enable  this  feature,  specify  a non-zero time value (an integral
1773       value plus an optional one-letter suffix that specifies the time unit).
1774
1775       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
1776       The default time unit is h (hours).
1777
1778       See    also:    delay_notice_recipient,   notify_classes,   confirm_de‐
1779       lay_cleared.
1780

deliver_lock_attempts (default: 20)

1782       The maximal number of attempts to acquire an exclusive lock on a  mail‐
1783       box file or bounce(8) logfile.
1784

deliver_lock_delay (default: 1s)

1786       The  time  between  attempts  to acquire an exclusive lock on a mailbox
1787       file or bounce(8) logfile.
1788
1789       Specify a non-zero time value  (an  integral  value  plus  an  optional
1790       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
1791       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
1792       unit is s (seconds).
1793

destination_concurrency_feedback_debug (default: no)

1795       Make  the  queue  manager's  feedback algorithm verbose for performance
1796       analysis purposes.
1797
1798       This feature is available in Postfix 2.5 and later.
1799

detect_8bit_encoding_header (default: yes)

1801       Automatically detect 8BITMIME body content by looking at Content-Trans‐
1802       fer-Encoding:   message   headers;   historically,  this  behavior  was
1803       hard-coded to be "always on".
1804
1805       This feature is available in Postfix 2.5 and later.
1806

disable_dns_lookups (default: no)

1808       Disable DNS lookups in the Postfix SMTP and  LMTP  clients.  When  dis‐
1809       abled,  hosts  are looked up with the getaddrinfo() system library rou‐
1810       tine which normally also looks in /etc/hosts.  As of Postfix 2.11, this
1811       parameter is deprecated; use smtp_dns_support_level instead.
1812
1813       DNS lookups are enabled by default.
1814

disable_mime_input_processing (default: no)

1816       Turn  off MIME processing while receiving mail. This means that no spe‐
1817       cial treatment is given to Content-Type: message headers, and that  all
1818       text  after the initial message headers is considered to be part of the
1819       message body.
1820
1821       This feature is available in Postfix 2.0 and later.
1822
1823       Mime input processing is enabled by default, and is needed in order  to
1824       recognize MIME headers in message content.
1825

disable_mime_output_conversion (default: no)

1827       Disable  the conversion of 8BITMIME format to 7BIT format.  Mime output
1828       conversion is needed when the destination does not  advertise  8BITMIME
1829       support.
1830
1831       This feature is available in Postfix 2.0 and later.
1832

disable_verp_bounces (default: no)

1834       Disable sending one bounce report per recipient.
1835
1836       The default, one per recipient, is what ezmlm needs.
1837
1838       This feature is available in Postfix 1.1 and later.
1839

disable_vrfy_command (default: no)

1841       Disable  the SMTP VRFY command. This stops some techniques used to har‐
1842       vest email addresses.
1843
       Example:

       disable_vrfy_command = no
1847

dns_ncache_ttl_fix_enable (default: no)

1849       Enable a workaround for future libc incompatibility. The Postfix imple‐
1850       mentation of RFC 2308 negative reply caching relies on the promise that
1851       res_query() and  res_search()  invoke  res_send(),  which  returns  the
1852       server  response  in an application buffer even if the requested record
1853       does not exist. If this promise is broken, specify "yes"  to  enable  a
1854       workaround for DNS reputation lookups.
1855
1856       This feature is available in Postfix 3.1 and later.
1857

dnsblog_reply_delay (default: 0s)

1859       A debugging aid to artificially delay DNS responses.
1860
1861       This feature is available in Postfix 2.8.
1862

dnsblog_service_name (default: dnsblog)

1864       The  name  of  the  dnsblog(8) service entry in master.cf. This service
1865       performs DNS allow/denylist lookups.
1866
1867       This feature is available in Postfix 2.8 and later.
1868

dnssec_probe (default: ns:.)

1870       The DNS query type (default: "ns") and DNS query  name  (default:  ".")
1871       that  Postfix  may use to determine whether DNSSEC validation is avail‐
1872       able.
1873
1874       Background: DNSSEC validation is needed for Postfix DANE support;  this
1875       ensures  that Postfix receives TLSA records with secure TLS server cer‐
1876       tificate info. When DNSSEC validation is unavailable,  mail  deliveries
1877       using  opportunistic  DANE  will not be protected by server certificate
1878       info in TLSA records, and mail deliveries using mandatory DANE will not
1879       be made at all.
1880
1881       By  default,  a  Postfix  process will send a DNSSEC probe after 1) the
1882       process made a DNS query  that  requested  DNSSEC  validation,  2)  the
1883       process did not receive a DNSSEC validated response to this query or to
1884       an earlier query, and 3) the process did  not  already  send  a  DNSSEC
1885       probe.
1886
1887       When  the  DNSSEC  probe  has  no response, or when the response is not
1888       DNSSEC validated, Postfix logs a warning that DNSSEC validation may  be
1889       unavailable.
1890
       Example:

       warning: DNSSEC validation may be unavailable
       warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
       warning: reason: dnssec_probe 'ns:.' received no response: Server failure
1896
1897       Possible reasons why DNSSEC validation may be unavailable:
1898
1899       •      The  local  /etc/resolv.conf  file specifies a DNS resolver that
1900              does  not  validate  DNSSEC  signatures  (that's   $queue_direc‐
1901              tory/etc/resolv.conf  when  a  Postfix  daemon  runs in a chroot
1902              jail).
1903
1904       •      The local system library does not pass on the "DNSSEC validated"
1905              bit  to Postfix, or Postfix does not know how to ask the library
1906              to do that.
1907
1908       By default, the DNSSEC probe asks for the DNS root zone NS records, be‐
1909       cause  resolvers should always have that information cached. If Postfix
1910       runs on a network where the DNS root zone is not reachable,  specify  a
1911       different  probe, or specify an empty dnssec_probe value to disable the
1912       feature.
1913
       This feature is available in Postfix 3.6 and later. It was backported
       to Postfix versions 3.5.9, 3.4.19, 3.3.16, 3.2.21.
1916

dont_remove (default: 0)

1918       Don't remove queue files and save them to the "saved" mail queue.  This
1919       is a debugging aid.  To inspect the envelope information and content of
1920       a Postfix queue file, use the postcat(1) command.
1921

double_bounce_sender (default: double-bounce)

1923       The  sender  address  of postmaster notifications that are generated by
1924       the mail system. All mail to this address is silently discarded, in or‐
1925       der to terminate mail bounce loops.
1926

duplicate_filter_limit (default: 1000)

1928       The  maximal  number  of  addresses remembered by the address duplicate
1929       filter for aliases(5) or virtual(5) alias expansion,  or  for  showq(8)
1930       queue displays.
1931

empty_address_default_transport_maps_lookup_key (default: <>)

1933       The  sender_dependent_default_transport_maps search string that will be
1934       used instead of the null sender address.
1935
1936       This feature is available in Postfix 2.7 and later.
1937

empty_address_local_login_sender_maps_lookup_key (default: <>)

1939       The lookup key to be used in local_login_sender_maps tables, instead of
1940       the null sender address.
1941
1942       This feature is available in Postfix 3.6 and later.
1943

empty_address_recipient (default: MAILER-DAEMON)

1945       The  recipient of mail addressed to the null address.  Postfix does not
1946       accept such addresses in SMTP commands, but they may still  be  created
1947       locally as the result of configuration or software error.
1948

empty_address_relayhost_maps_lookup_key (default: <>)

1950       The sender_dependent_relayhost_maps search string that will be used in‐
1951       stead of the null sender address.
1952
1953       This feature is available in Postfix 2.5 and later. With  earlier  ver‐
1954       sions,  sender_dependent_relayhost_maps  lookups  were  skipped for the
1955       null sender address.
1956

enable_errors_to (default: no)

1958       Report mail delivery errors to the address specified with the non-stan‐
1959       dard  Errors-To: message header, instead of the envelope sender address
1960       (this feature is removed with Postfix version 2.2, is turned off by de‐
1961       fault  with  Postfix  version  2.1,  and is always turned on with older
1962       Postfix versions).
1963

enable_idna2003_compatibility (default: no)

1965       Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
1966       converting  UTF-8  domain names to/from the ASCII form that is used for
1967       DNS lookups. Specify "yes" for compatibility with Postfix <=  3.1  (not
1968       recommended).  This affects the conversion of domain names that contain
1969       for example the German sz and the Greek zeta.  See
1970       http://unicode.org/cldr/utility/idna.jsp for more examples.
1971
1972       This feature is available in Postfix 3.2 and later.
1973

enable_long_queue_ids (default: no)

1975       Enable  long, non-repeating, queue IDs (queue file names).  The benefit
1976       of non-repeating names is simpler logfile analysis and easier queue mi‐
1977       gration (there is no need to run "postsuper" to change queue file names
1978       that don't match their message file inode number).
1979
1980       Note: see below for how to convert long queue file names to Postfix  <=
1981       2.8.
1982
1983       Changing the parameter value to "yes" has the following effects:
1984
1985       •      Existing queue file names are not affected.
1986
1987       •      New  queue files are created with names such as 3Pt2mN2VXxznjll.
1988              These are encoded in a 52-character alphabet that contains  dig‐
1989              its  (0-9),  upper-case  letters  (B-Z)  and  lower-case letters
1990              (b-z). For safety reasons the vowels (AEIOUaeiou)  are  excluded
1991              from the alphabet.  The name format is: 6 or more characters for
1992              the time in seconds, 4 characters for the time in  microseconds,
1993              the  'z';  the remainder is the file inode number encoded in the
1994              first 51 characters of the 52-character alphabet.
1995
1996       •      New messages have a Message-ID header with queueID@myhostname.
1997
1998       •      The mailq (postqueue -p) output has a  wider  Queue  ID  column.
1999              The number of whitespace-separated fields is not changed.
2000
2001       •      The  hash_queue_depth algorithm uses the first characters of the
2002              queue file creation time in microseconds, after conversion  into
2003              hexadecimal representation. This produces the same queue hashing
2004              behavior as if  the  queue  file  name  was  created  with  "en‐
2005              able_long_queue_ids = no".
2006
2007       Changing the parameter value to "no" has the following effects:
2008
2009       •      Existing  long  queue  file  names are renamed to the short form
2010              (while running "postfix reload" or "postsuper").
2011
2012       •      New queue files are created with names such as C3CD21F3E90  from
2013              a hexadecimal alphabet that contains digits (0-9) and upper-case
2014              letters (A-F). The name format is: 5 characters for the time  in
2015              microseconds; the remainder is the file inode number.
2016
2017       •      New   messages   have   a  Message-ID  header  with  YYYYMMDDHH‐
2018              MMSS.queueid@myhostname,  where  YYYYMMDDHHMMSS  are  the  year,
2019              month, day, hour, minute and second.
2020
2021       •      The  mailq  (postqueue  -p)  output  has the same format as with
2022              Postfix <= 2.8.
2023
2024       •      The hash_queue_depth algorithm uses the first characters of  the
2025              queue file name, with the hexadecimal representation of the file
2026              creation time in microseconds.
2027
2028       Before migration to Postfix <= 2.8, the following commands are required
2029       to convert long queue file names into short names:
2030
2031       # postfix stop
2032       # postconf enable_long_queue_ids=no
2033       # postsuper
2034
2035       Repeat  the  postsuper command until it reports no more queue file name
2036       changes.
2037
2038       This feature is available in Postfix 2.9 and later.
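
       The two name formats described above can be decoded when correlating
       queue IDs in logs with file creation times and inode numbers. The
       following is an added example, not Postfix source code. It assumes that
       the 52-character alphabet is ordered digits, upper-case, lower-case
       (the page lists the symbols but not their order), and that the
       hexadecimal microsecond value used for queue hashing is zero-padded to
       5 digits, like the short name format.

```python
from datetime import datetime, timezone

# Assumption: symbol order is digits, upper-case, lower-case (vowels removed).
ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
VALUE = {ch: i for i, ch in enumerate(ALPHABET)}
HEX_DIGITS = set("0123456789ABCDEF")


def to_int(text, base):
    """Convert a field written in the first `base` symbols of ALPHABET."""
    if not text:
        raise ValueError("empty field")
    number = 0
    for ch in text:
        digit = VALUE.get(ch)
        if digit is None or digit >= base:
            raise ValueError(f"character {ch!r} is not valid in base {base}")
        number = number * base + digit
    return number


def decode_long(queue_id):
    """Long form: seconds (6+ chars), microseconds (4 chars), 'z', inode."""
    # The inode uses only the first 51 symbols, so it never contains 'z'.
    # The last 'z' is therefore the separator, even when the base-52
    # microsecond field happens to contain a 'z' itself.
    sep = queue_id.rfind("z")
    if sep < 10 or sep == len(queue_id) - 1:
        raise ValueError("not a long queue ID")
    seconds = to_int(queue_id[:sep - 4], 52)
    usec = to_int(queue_id[sep - 4:sep], 52)
    if usec > 999999:
        raise ValueError("microsecond field out of range")
    return {
        "form": "long",
        "seconds": seconds,
        "usec": usec,
        "inode": to_int(queue_id[sep + 1:], 51),
        "created": datetime.fromtimestamp(seconds, tz=timezone.utc),
    }


def decode_short(queue_id):
    """Short form: 5 hex characters of microseconds, then the inode in hex."""
    if len(queue_id) < 6 or not set(queue_id) <= HEX_DIGITS:
        raise ValueError("not a short queue ID")
    return {
        "form": "short",
        "seconds": None,      # the short form carries no wall-clock time
        "usec": int(queue_id[:5], 16),
        "inode": int(queue_id[5:], 16),
        "created": None,
    }


def decode(queue_id):
    """Short names never contain 'z'; long names always do."""
    return decode_long(queue_id) if "z" in queue_id else decode_short(queue_id)


def hash_dirs(queue_id, depth=1):
    """Subdirectory names used for this queue file at a given hash depth."""
    info = decode(queue_id)
    if info["form"] == "short":
        key = queue_id                    # first characters of the file name
    else:
        key = f"{info['usec']:05X}"       # assumption: 5 hex digits, padded
    return "/".join(key[:depth])


if __name__ == "__main__":
    # Both sample IDs are the ones quoted in this manual page.
    for sample in ("3Pt2mN2VXxznjll", "C3CD21F3E90"):
        print(sample, decode(sample), hash_dirs(sample, 2))
```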
2039

enable_original_recipient (default: yes)

2041       Enable support for the original recipient address after an  address  is
2042       rewritten  to  a  different  address (for example with aliasing or with
2043       canonical mapping).
2044
2045       The original recipient address is used as follows:
2046
2047       Final delivery
2048              With "enable_original_recipient = yes", the  original  recipient
2049              address  is  stored  in  the  X-Original-To message header. This
2050              header may be used to distinguish between  different  recipients
2051              that share the same mailbox.
2052
2053       Recipient deduplication
2054              With  "enable_original_recipient  =  yes", the cleanup(8) daemon
2055              performs duplicate recipient elimination based on the content of
2056              (original  recipient,  maybe-rewritten recipient) pairs.  Other‐
2057              wise, the cleanup(8) daemon performs duplicate recipient  elimi‐
2058              nation based only on the maybe-rewritten recipient address.
2059
2060       Note:  with Postfix <= 3.2 the setting "enable_original_recipient = no"
2061       breaks address verification for addresses that are aliased or otherwise
2062       rewritten  (Postfix  is unable to store the address verification result
2063       under the original probe destination address; instead, it can store the
2064       result only under the rewritten address).
2065
2066       This feature is available in Postfix 2.1 and later. Postfix version 2.0
2067       behaves as if this parameter is always set to  yes.   Postfix  versions
2068       before 2.0 have no support for the original recipient address.
2069

enable_threaded_bounces (default: no)

2071       Enable  non-delivery, success, and delay notifications that link to the
2072       original message by including a  References:  and  In-Reply-To:  header
2073       with  the original Message-ID value. There are advantages and disadvan‐
2074       tages to consider.
2075
2076        advantage
2077              This allows mail readers to present a delivery status  notifica‐
2078              tion in the same email thread as the original message.
2079
2080        disadvantage
2081              This  makes  it  easy  for  users to mistakenly delete the whole
2082              email thread (all related messages), instead  of  deleting  only
2083              the non-delivery notification.
2084
2085       This feature is available in Postfix 3.6 and later.
2086

error_notice_recipient (default: postmaster)

2088       The  recipient of postmaster notifications about mail delivery problems
2089       that are caused by  policy,  resource,  software  or  protocol  errors.
2090       These notifications are enabled with the notify_classes parameter.
2091

error_service_name (default: error)

2093       The name of the error(8) pseudo delivery agent. This service always re‐
2094       turns mail as undeliverable.
2095
2096       This feature is available in Postfix 2.0 and later.
2097

execution_directory_expansion_filter (default: see postconf -d output)

2099       Restrict the characters that the  local(8)  delivery  agent  allows  in
2100       $name  expansions  of $command_execution_directory.  Characters outside
2101       the allowed set are replaced by underscores.
2102
2103       This feature is available in Postfix 2.2 and later.
2104

expand_owner_alias (default: no)

2106       When delivering to an alias "aliasname" that has  an  "owner-aliasname"
2107       companion  alias,  set  the envelope sender address to the expansion of
2108       the "owner-aliasname"  alias.   Normally,  Postfix  sets  the  envelope
2109       sender address to the name of the "owner-aliasname" alias.
2110

export_environment (default: see postconf -d output)

2112       The list of environment variables that a Postfix process will export to
2113       non-Postfix processes. The TZ variable is needed for sane time  keeping
2114       on System-V-ish systems.
2115
2116       Specify  a  list  of names and/or name=value pairs, separated by white‐
2117       space or comma. Specify "{ name=value }" to protect whitespace or comma
2118       in  parameter  values  (whitespace after the opening "{" and before the
2119       closing "}" is ignored). The form name=value is supported with  Postfix
2120       version  2.1 and later; the use of {} is supported with Postfix 3.0 and
2121       later.
2122
2123       Example:
2124
2125       export_environment = TZ PATH=/bin:/usr/bin
2126

extract_recipient_limit (default: 10240)

2128       The maximal number of recipient addresses  that  Postfix  will  extract
2129       from message headers when mail is submitted with "sendmail -t".
2130
2131       This feature was removed in Postfix version 2.1.
2132

fallback_relay (default: empty)

2134       Optional  list of relay hosts for SMTP destinations that can't be found
2135       or that are unreachable. With Postfix 2.3 this parameter is renamed  to
2136       smtp_fallback_relay.
2137
2138       By  default,  mail  is returned to the sender when a destination is not
2139       found, and delivery is deferred when a destination is unreachable.
2140
2141       The fallback relays must be SMTP destinations. Specify a domain,  host,
2142       host:port,  [host]:port,  [address]  or [address]:port; the form [host]
2143       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
2144       fix will try them in the specified order.
2145
2146       Note:  before  Postfix  2.2, do not use the fallback_relay feature when
2147       relaying mail for a backup or primary MX domain. Mail  would  loop  be‐
2148       tween  the  Postfix  MX host and the fallback_relay host when the final
2149       destination is unavailable.
2150
2151       •      In main.cf specify "relay_transport = relay",
2152
2153       •      In master.cf specify "-o fallback_relay =" (i.e., empty) at  the
2154              end of the relay entry.
2155
2156       •      In transport maps, specify "relay:nexthop..."  as the right-hand
2157              side for backup or primary MX domain entries.
2158
2159       Postfix version 2.2 and later will not use the  fallback_relay  feature
2160       for destinations that it is MX host for.
2161

fallback_transport (default: empty)

2163       Optional  message  delivery  transport that the local(8) delivery agent
2164       should use for names that are not found in the aliases(5) or UNIX pass‐
2165       word database.
2166
2167       The  precedence  of  local(8)  delivery  features  from high to low is:
2168       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2169       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
2170       tory, fallback_transport_maps, fallback_transport and luser_relay.
2171

fallback_transport_maps (default: empty)

2173       Optional lookup tables with per-recipient message  delivery  transports
2174       for  recipients  that the local(8) delivery agent could not find in the
2175       aliases(5) or UNIX password database.
2176
2177       The precedence of local(8) delivery  features  from  high  to  low  is:
2178       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2179       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
2180       tory, fallback_transport_maps, fallback_transport and luser_relay.
2181
2182       For  safety  reasons, this feature does not allow $number substitutions
2183       in regular expression maps.
2184
2185       This feature is available in Postfix 2.3 and later.
2186

fast_flush_domains (default: $relay_domains)

2188       Optional list of destinations that  are  eligible  for  per-destination
2189       logfiles with mail that is queued to those destinations.
2190
2191       By  default,  Postfix maintains "fast flush" logfiles only for destina‐
2192       tions that the Postfix SMTP server is willing to relay to (i.e. the de‐
2193       fault  is: "fast_flush_domains = $relay_domains"; see the relay_domains
2194       parameter in the postconf(5) manual).
2195
2196       Specify a list of hosts or domains, "/file/name" patterns or  "type:ta‐
2197       ble"  lookup  tables,  separated by commas and/or whitespace.  Continue
2198       long lines by starting the next line with  whitespace.  A  "/file/name"
2199       pattern  is  replaced  by  its contents; a "type:table" lookup table is
2200       matched when the domain or its parent domain appears as lookup key.
2201
2202       Pattern matching of domain names is controlled by the presence  or  ab‐
2203       sence  of  "fast_flush_domains" in the parent_domain_matches_subdomains
2204       parameter value.
2205
2206       Specify "fast_flush_domains =" (i.e., empty) to disable the feature al‐
2207       together.
2208

fast_flush_purge_time (default: 7d)

2210       The  time  after which an empty per-destination "fast flush" logfile is
2211       deleted.
2212
2213       You can specify the time as a number, or as a number followed by a let‐
2214       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2215       d=days, w=weeks.  The default time unit is days.
2216

fast_flush_refresh_time (default: 12h)

2218       The time after which  a  non-empty  but  unread  per-destination  "fast
2219       flush"  logfile  needs  to be refreshed.  The contents of a logfile are
2220       refreshed by requesting delivery of all messages listed in the logfile.
2221
2222       You can specify the time as a number, or as a number followed by a let‐
2223       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2224       d=days, w=weeks.  The default time unit is hours.
2225

fault_injection_code (default: 0)

2227       Force specific internal tests to fail, to test the handling  of  errors
2228       that are difficult to reproduce otherwise.
2229

flush_service_name (default: flush)

2231       The  name  of the flush(8) service. This service maintains per-destina‐
2232       tion logfiles with the queue file names of  mail  that  is  queued  for
2233       those destinations.
2234
2235       This feature is available in Postfix 2.0 and later.
2236

fork_attempts (default: 5)

2238       The maximal number of attempts to fork() a child process.
2239

fork_delay (default: 1s)

2241       The delay between attempts to fork() a child process.
2242
2243       Specify  a  non-zero  time  value  (an  integral value plus an optional
2244       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
2245       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
2246       unit is s (seconds).
2247

forward_expansion_filter (default: see postconf -d output)

2249       Restrict the characters that the  local(8)  delivery  agent  allows  in
2250       $name  expansions of $forward_path.  Characters outside the allowed set
2251       are replaced by underscores.
2252

forward_path (default: see postconf -d output)

2254       The local(8) delivery agent search list for  finding  a  .forward  file
2255       with  user-specified  delivery methods. The first file that is found is
2256       used.
2257
2258       The forward_path value is not subject to Postfix configuration  parame‐
2259       ter  $name  expansion. Instead, the following $name expansions are done
2260       on forward_path before the search  actually  happens.   The  result  of
2261       $name  expansion  is  filtered with the character set that is specified
2262       with the forward_expansion_filter parameter.
2263
2264       $user  The recipient's username.
2265
2266       $shell The recipient's login shell pathname.
2267
2268       $home  The recipient's home directory.
2269
2270       $recipient
2271              The full recipient address.
2272
2273       $extension
2274              The optional recipient address extension.
2275
2276       $domain
2277              The recipient domain.
2278
2279       $local The entire recipient localpart.
2280
2281       $recipient_delimiter
2282              The address extension delimiter that was found in the  recipient
2283              address  (Postfix  2.11 and later), or the system-wide recipient
2284              address extension delimiter (Postfix 2.10 and earlier).
2285
2286       ${name?value}
2287
2288       ${name?{value}} (Postfix >= 3.0)
2289              Expands to value when $name is non-empty.
2290
2291       ${name:value}
2292
2293       ${name:{value}} (Postfix >= 3.0)
2294              Expands to value when $name is empty.
2295
2296       ${name?{value1}:{value2}} (Postfix >= 3.0)
2297              Expands to value1 when $name is non-empty, value2 otherwise.
2298
2299       Instead of $name you can also specify ${name} or $(name).
2300
2301       Examples:
2302
2303       forward_path = /var/forward/$user
2304       forward_path =
2305           /var/forward/$user/.forward$recipient_delimiter$extension,
2306           /var/forward/$user/.forward
2307

frozen_delivered_to (default: yes)

2309       Update the local(8) delivery agent's idea of the Delivered-To:  address
2310       (see  prepend_delivered_header)  only  once, at the start of a delivery
2311       attempt; do  not  update  the  Delivered-To:  address  while  expanding
2312       aliases or .forward files.
2313
2314       This  feature is available in Postfix 2.3 and later. With older Postfix
2315       releases, the behavior is as if this parameter is set to "no". The  old
2316       setting  can be expensive with deeply nested aliases or .forward files.
2317       When an alias or .forward file changes the  Delivered-To:  address,  it
2318       ties  up  one queue file and one cleanup process instance while mail is
2319       being forwarded.
2320

hash_queue_depth (default: 1)

2322       The number of subdirectory levels for queue directories listed with the
2323       hash_queue_names  parameter.  Queue  hashing is implemented by creating
2324       one or more levels of directories  with  one-character  names.   Origi‐
2325       nally,  these directory names were equal to the first characters of the
2326       queue file name, with the hexadecimal representation of the  file  cre‐
2327       ation time in microseconds.
2328
2329       With  long queue file names, queue hashing produces the same results as
2330       with short names. The file creation time in microseconds  is  converted
2331       into hexadecimal form before the result is used for queue hashing.  The
2332       base 16 encoding gives finer control over the number of  subdirectories
2333       than is possible with the base 52 encoding of long queue file names.
2334
2335       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2336       cute the command "postfix reload".
2337

hash_queue_names (default: deferred, defer)

2339       The names of queue directories that are split across multiple subdirec‐
2340       tory levels.
2341
2342       Before  Postfix version 2.2, the default list of hashed queues was sig‐
2343       nificantly larger. Claims about improvements in file system  technology
2344       suggest  that  hashing  of  the incoming and active queues is no longer
2345       needed. Fewer hashed directories speed up the time  needed  to  restart
2346       Postfix.
2347
2348       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2349       cute the command "postfix reload".
2350

header_address_token_limit (default: 10240)

2352       The maximal number of address tokens that are allowed in an address message
2353       header.  Information that exceeds the limit is discarded.  The limit is
2354       enforced by the cleanup(8) server.
2355

header_checks (default: empty)

2357       Optional lookup tables for content inspection of primary non-MIME  mes‐
2358       sage headers, as specified in the header_checks(5) manual page.
2359

header_from_format (default: standard)

2361       The  format of the Postfix-generated From: header. This setting affects
2362       the appearance of 'full name' information when a local program such  as
2363       /bin/mail  submits a message without a From: header through the Postfix
2364       sendmail(1) command.
2365
2366       Specify one of the following:
2367
2368       standard (default)
2369              Produce a header formatted as "From: name <address>".   This  is
2370              the default as of Postfix 3.3.
2371
2372       obsolete
2373              Produce  a  header  formatted as "From: address (name)". This is
2374              the behavior prior to Postfix 3.3.
2375
2376       Notes:
2377
2378       •      Postfix generates the format "From: address" when name  informa‐
2379              tion  is  unavailable  or  the envelope sender address is empty.
2380              This is the same behavior as prior to Postfix 3.3.
2381
2382       •      In the standard form, the name will be  quoted  if  it  contains
2383              specials as defined in RFC 5322, or the "!%" address operators.
2384
2385       •      The  Postfix  sendmail(1) command gets name information from the
2386              -F command-line option, from the NAME environment  variable,  or
2387              from the UNIX password file.
2388
2389       This feature is available in Postfix 3.3 and later.
2390

header_size_limit (default: 102400)

2392       The maximal amount of memory in bytes for storing a message header.  If
2393       a header is larger, the excess is discarded.  The limit is enforced  by
2394       the cleanup(8) server.
2395

helpful_warnings (default: yes)

2397       Log  warnings  about  problematic  configuration  settings, and provide
2398       helpful suggestions.
2399
2400       This feature is available in Postfix 2.0 and later.
2401

home_mailbox (default: empty)

2403       Optional pathname of a mailbox file relative to a local(8) user's  home
2404       directory.
2405
2406       Specify a pathname ending in "/" for qmail-style delivery.
2407
2408       The  precedence  of  local(8)  delivery  features  from high to low is:
2409       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2410       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
2411       tory, fallback_transport_maps, fallback_transport and luser_relay.
2412
2413       Examples:
2414
2415       home_mailbox = Mailbox
2416       home_mailbox = Maildir/
2417

hopcount_limit (default: 50)

2419       The maximal number of Received:  message headers that is allowed in the
2420       primary  message  headers. A message that exceeds the limit is bounced,
2421       in order to stop a mailer loop.
2422

html_directory (default: see postconf -d output)

2424       The location of Postfix HTML files that describe how to build,  config‐
2425       ure or operate a specific Postfix subsystem or feature.
2426

ignore_mx_lookup_error (default: no)

2428       Ignore  DNS MX lookups that produce no response.  By default, the Post‐
2429       fix SMTP client defers delivery and tries again after some delay.  This
2430       behavior is required by the SMTP standard.
2431
2432       Specify  "ignore_mx_lookup_error  = yes" to force a DNS A record lookup
2433       instead. This violates the SMTP standard and can result in mis-delivery
2434       of mail.
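
       Several parameters above are described as debugging aids or as settings
       that are not recommended (dont_remove, fault_injection_code,
       enable_idna2003_compatibility, ignore_mx_lookup_error). The following
       added example, which is not part of Postfix, reads main.cf text using
       the line rules from the DESCRIPTION section and reports those settings
       when they differ from the safe default. It assumes literal values (no
       $name references) and does not look at master.cf "-o" overrides; the
       sample file content is constructed.

```python
# Constructed sample main.cf content.
SAMPLE_MAIN_CF = """\
# constructed sample
myhostname = mx1.example.com
dont_remove = 1
inet_interfaces =
    192.168.1.2,
    # comment lines are ignored, also inside a continued value
    127.0.0.1
ignore_mx_lookup_error = yes
ignore_mx_lookup_error = no
fault_injection_code=0
"""


def parse_main_cf(text):
    """Return {parameter: value} following the main.cf logical-line rules."""
    params = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        # Empty, whitespace-only and comment lines are ignored.
        if not stripped or stripped.startswith("#"):
            continue
        # A line that starts with whitespace continues the logical line.
        if raw[0].isspace():
            if current is not None:
                params[current] = (params[current] + " " + stripped).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            current = None          # not "parameter = value": skip it
            continue
        current = name.strip()
        # A later entry for the same parameter replaces the earlier one.
        params[current] = value.strip()
    return params


def is_nonzero(value):
    """True unless the value is an integer equal to zero."""
    try:
        return int(value) != 0
    except ValueError:
        return True


def is_yes(value):
    return value.lower() == "yes"


# (parameter, predicate on the value, reason as given in this manual page)
CHECKS = [
    ("dont_remove", is_nonzero,
     "debugging aid: queue files are saved to the \"saved\" queue"),
    ("fault_injection_code", is_nonzero,
     "forces specific internal tests to fail"),
    ("ignore_mx_lookup_error", is_yes,
     "violates the SMTP standard and can result in mis-delivery"),
    ("enable_idna2003_compatibility", is_yes,
     "Postfix <= 3.1 compatibility, not recommended"),
]


def audit(text):
    """Return a list of (parameter, value, reason) findings."""
    params = parse_main_cf(text)
    findings = []
    for name, is_risky, reason in CHECKS:
        if name in params and is_risky(params[name]):
            findings.append((name, params[name], reason))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(SAMPLE_MAIN_CF):
        print(f"{name} = {value}: {reason}")
```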
2435

ignore_srv_lookup_error (default: no)

2437       When  SRV  record lookup fails, fall back to MX or IP address lookup as
2438       if SRV record lookup was not enabled.
2439
2440       This feature is available in Postfix 3.8 and later.
2441

import_environment (default: see postconf -d output)

2443       The list of environment variables that  a  privileged  Postfix  process
2444       will  import  from a non-Postfix parent process, or name=value environ‐
2445       ment overrides.  Unprivileged utilities  will  enforce  the  name=value
2446       overrides,  but  otherwise  will  not change their process environment.
2447       Examples of relevant environment variables:
2448
2449       TZ     May be needed for sane time keeping on  most  System-V-ish  sys‐
2450              tems.
2451
2452       DISPLAY
2453              Needed for debugging Postfix daemons with an X-windows debugger.
2454
2455       XAUTHORITY
2456              Needed for debugging Postfix daemons with an X-windows debugger.
2457
2458       MAIL_CONFIG
2459              Needed to make "postfix -c" work.
2460
2461       POSTLOG_SERVICE
2462              Needed  to  make  "maillog_file" work during daemon process ini‐
2463              tialization.
2464
2465       POSTLOG_HOSTNAME
2466              Needed to make "maillog_file" work during  daemon  process  ini‐
2467              tialization.
2468
2469       Specify  a  list  of names and/or name=value pairs, separated by white‐
2470       space or comma. Specify "{ name=value }" to protect whitespace or comma
2471       in  environment  variable  values (whitespace after the opening "{" and
2472       before the closing "}" is ignored). The form  name=value  is  supported
2473       with  Postfix  version  2.1  and later; the use of {} is supported with
2474       Postfix 3.0 and later.
2475

in_flow_delay (default: 1s)

2477       Time to pause before accepting a new message, when the message  arrival
2478       rate  exceeds  the  message delivery rate. This feature is turned on by
2479       default (it's disabled on SCO UNIX due to an SCO bug).
2480
2481       With the default 100 Postfix SMTP server process limit,  "in_flow_delay
2482       =  1s" limits the mail inflow to 100 messages per second above the num‐
2483       ber of messages delivered per second.
2484
2485       Specify 0 to disable the feature. Valid delays are 0..10.
2486

inet_interfaces (default: all)

2488       The local network interface addresses that this  mail  system  receives
2489       mail  on.  Specify "all" to receive mail on all network interfaces (de‐
2490       fault), and "loopback-only" to receive mail on loopback network  inter‐
2491       faces  only  (Postfix  version 2.2 and later).  The parameter also con‐
2492       trols delivery of mail to user@[ip.address].
2493
2494       Note 1: you need to stop and start Postfix when this parameter changes.
2495
2496       Note 2: address information may be enclosed inside [], but this form is
2497       not required here.
2498
2499       When  inet_interfaces  specifies just one IPv4 and/or IPv6 address that
2500       is not a loopback address, the Postfix SMTP client will  use  this  ad‐
2501       dress  as  the IP source address for outbound mail. Support for IPv6 is
2502       available in Postfix version 2.2 and later.
2503
2504       On a multi-homed firewall with separate Postfix instances listening  on
2505       the  "inside"  and "outside" interfaces, this can prevent each instance
2506       from being able to reach remote SMTP servers on the "other side" of the
2507       firewall.  Setting  smtp_bind_address  to  0.0.0.0 avoids the potential
2508       problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2509       lem for IPv6.
2510
2511       A better solution for multi-homed firewalls is to leave inet_interfaces
2512       at the default value and instead use explicit IP addresses in the  mas‐
2513       ter.cf  SMTP  server  definitions.   This  preserves  the  Postfix SMTP
2514       client's loop detection, by ensuring that each  side  of  the  firewall
2515       knows  that  the  other  IP  address  is  still  the same host. Setting
2516       $inet_interfaces to a single IPv4 and/or IPv6 address is primarily use‐
2517       ful  with  virtual  hosting  of domains on secondary IP addresses, when
2518       each IP address serves a different domain (and has a different $myhost‐
2519       name setting).
2520
2521       See also the proxy_interfaces parameter, for network addresses that are
2522       forwarded to Postfix by way of a proxy or address translator.
2523
2524       Examples:
2525
2526       inet_interfaces = all (DEFAULT)
2527       inet_interfaces = loopback-only (Postfix version 2.2 and later)
2528       inet_interfaces = 127.0.0.1
2529       inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2530       inet_interfaces = 192.168.1.2, 127.0.0.1
2531

inet_protocols (default: see 'postconf -d output')

       The Internet protocols Postfix will attempt to use when making or
       accepting connections. Specify one or more of "ipv4" or "ipv6",
       separated by whitespace or commas. The form "all" is equivalent to
       "ipv4, ipv6" or "ipv4", depending on whether the operating system
       implements IPv6.

       With Postfix 2.8 and earlier the default is "ipv4". For backwards
       compatibility with these releases, the Postfix 2.9 and later upgrade
       procedure appends an explicit "inet_protocols = ipv4" setting to
       main.cf when no explicit setting is present. This compatibility
       workaround will be phased out as IPv6 deployment becomes more common.

       This feature is available in Postfix 2.2 and later.

       Note: you MUST stop and start Postfix after changing this parameter.

       On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6
       server will also accept IPv4 connections, even when IPv4 is turned
       off with the inet_protocols parameter. On systems with IPV6_V6ONLY
       support, Postfix will use separate server sockets for IPv6 and IPv4,
       and each will accept only connections for the corresponding protocol.

       When IPv4 support is enabled via the inet_protocols parameter,
       Postfix will look up DNS type A records, and will convert
       IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original
       IPv4 form (1.2.3.4). The latter is needed on hosts that pre-date
       IPV6_V6ONLY support (RFC 3493).

       When IPv6 support is enabled via the inet_protocols parameter,
       Postfix will do DNS type AAAA record lookups.

       When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
       will choose the protocol as specified with the
       smtp_address_preference parameter. Postfix versions before 2.8
       attempt to connect via IPv6 before attempting to use IPv4.

       Examples:

       inet_protocols = ipv4
       inet_protocols = all (DEFAULT)
       inet_protocols = ipv6
       inet_protocols = ipv4, ipv6
2574
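       The IPv4-in-IPv6 conversion described above matters to any tool
       that matches client addresses against IPv4 rules. The following is
       an added example, not Postfix code; the function names and the
       allow list are hypothetical. It shows that an IPv4 network rule
       only matches ::ffff:1.2.3.4 after the address is converted.

```python
import ipaddress


def normalize_client_ip(text):
    """Parse an address and unwrap the IPv4-in-IPv6 form ::ffff:a.b.c.d."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def first_matching_network(client, networks, normalize=True):
    """Return the first network (as text) that contains the client, or None.

    With normalize=False the address is compared as received, which is
    what happens when a tool skips the conversion.
    """
    if normalize:
        addr = normalize_client_ip(client)
    else:
        addr = ipaddress.ip_address(client)
    for text in networks:
        net = ipaddress.ip_network(text)
        # An IPv4 network never contains an IPv6 address, and vice versa.
        if addr.version == net.version and addr in net:
            return text
    return None


# Constructed allow list for the example (hypothetical values).
TRUSTED = ["1.2.3.0/24", "2001:db8::/32"]

if __name__ == "__main__":
    for client in ("1.2.3.4", "::ffff:1.2.3.4", "2001:db8::1", "::ffff:10.0.0.1"):
        print(client,
              first_matching_network(client, TRUSTED),
              first_matching_network(client, TRUSTED, normalize=False))
```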

info_log_address_format (default: external)

       The email address form that will be used in non-debug logging (info,
       warning, etc.). As of Postfix 3.5 when an address localpart contains
       spaces or other special characters, the localpart will be quoted,
       for example:

               from=<"name with spaces"@example.com>

       Older Postfix versions would log the internal (unquoted) form:

               from=<name with spaces@example.com>

       The external and internal forms are identical for the vast majority
       of email addresses that contain no spaces or other special
       characters in the localpart.

       The logging in external form is consistent with the address form
       that Postfix 3.2 and later prefer for most table lookups. This is
       therefore the more useful form for non-debug logging.

       Specify "info_log_address_format = internal" for backwards
       compatibility.

       Postfix uses the unquoted form internally, because an attacker can
       specify an email address in different forms by playing games with
       quotes and backslashes. An attacker should not be able to use such
       games to circumvent Postfix access policies.

       This feature is available in Postfix 3.5 and later.
2604
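       Log tooling that reads external-form records has to honor the
       quoting, and policy comparisons should use the unquoted form. The
       following is an added example, not Postfix code; the function
       names and the sample log lines are constructed for illustration.
       It extracts from=<...> from external-form records and reduces
       differently quoted spellings to one internal form.

```python
import re


def extract_logged_address(line, field="from"):
    """Return the text between field=< and its closing > (external form).

    A '>' inside a quoted localpart does not end the address.
    Returns None when the field is absent or never closed.
    """
    m = re.search(r"(?:^|[\s,])" + re.escape(field) + r"=<", line)
    if m is None:
        return None
    begin = i = m.end()
    in_quotes = False
    while i < len(line):
        c = line[i]
        if in_quotes and c == "\\":
            i += 2                      # skip the escaped character
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == ">" and not in_quotes:
            return line[begin:i]
        i += 1
    return None


def external_to_internal(addr):
    """Undo localpart quoting: '"a b"@example.com' -> 'a b@example.com'."""
    if not addr.startswith('"'):
        return addr                     # no quoted localpart, nothing to undo
    out = []
    i = 1
    while i < len(addr):
        c = addr[i]
        if c == "\\":
            if i + 1 >= len(addr):
                raise ValueError("dangling backslash")
            out.append(addr[i + 1])     # keep the escaped character itself
            i += 2
        elif c == '"':
            break                       # closing quote of the localpart
        else:
            out.append(c)
            i += 1
    else:
        raise ValueError("unterminated quoted localpart")
    rest = addr[i + 1:]
    if rest and not rest.startswith("@"):
        raise ValueError("unexpected text after closing quote")
    return "".join(out) + rest


def senders(lines):
    """Internal-form sender of every record that carries a from=<...> field."""
    found = []
    for line in lines:
        addr = extract_logged_address(line)
        if addr is not None:
            found.append(external_to_internal(addr))
    return found


# Constructed log lines in external form (not taken from a real system).
SAMPLE_LOG = [
    'Jan  1 00:00:01 mx postfix/qmgr[1234]: 4F1A2B3C4D: '
    'from=<"name with spaces"@example.com>, size=512, nrcpt=1 (queue active)',
    'Jan  1 00:00:02 mx postfix/qmgr[1234]: 5A6B7C8D9E: '
    'from=<alice@example.com>, size=498, nrcpt=1 (queue active)',
]

# Constructed spellings of one address; all share a single internal form.
SPELLINGS = ['alice@example.com', '"alice"@example.com', '"al\\ice"@example.com']

if __name__ == "__main__":
    print(senders(SAMPLE_LOG))
    print({external_to_internal(s) for s in SPELLINGS})
```

       The extractor assumes external-form logging; with
       "info_log_address_format = internal" a literal quote in the
       localpart is logged unescaped and this quote tracking does not apply.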

initial_destination_concurrency (default: 5)

2606       The initial per-destination concurrency level for parallel delivery  to
2607       the same destination.  With per-destination recipient limit > 1, a des‐
2608       tination is a domain, otherwise it is a recipient.
2609
2610       Use  transport_initial_destination_concurrency  to  specify  a   trans‐
2611       port-specific  override,  where  transport is the master.cf name of the
2612       message delivery transport (Postfix 2.5 and later).
2613
2614       Warning: with concurrency of 1, one bad message can be enough to  block
2615       all mail to a site.
2616

internal_mail_filter_classes (default: empty)

2618       What  categories  of Postfix-generated mail are subject to before-queue
2619       content inspection by non_smtpd_milters, header_checks and body_checks.
2620       Specify  zero  or  more  of  the  following, separated by whitespace or
2621       comma.
2622
2623       bounce Inspect the content of delivery status notifications.
2624
2625       notify Inspect the content of postmaster notifications by  the  smtp(8)
2626              and smtpd(8) processes.
2627
2628       NOTE:  It's  generally  not  safe to enable content inspection of Post‐
2629       fix-generated email messages. The user is warned.
2630
2631       This feature is available in Postfix 2.3 and later.
2632

invalid_hostname_reject_code (default: 501)

2634       The numerical Postfix SMTP server response code when the client HELO or
2635       EHLO  command parameter is rejected by the reject_invalid_helo_hostname
2636       restriction.
2637
2638       Do not change this unless you have  a  complete  understanding  of  RFC
2639       5321.
2640

ipc_idle (default: version dependent)

2642       The  time  after  which  a client closes an idle internal communication
2643       channel.  The purpose is to allow Postfix daemon processes to terminate
2644       voluntarily  after  they become idle. This is used, for example, by the
2645       Postfix address resolving and rewriting clients.
2646
2647       With Postfix 2.4 the default value was reduced from 100s to 5s.
2648
2649       Specify a non-zero time value  (an  integral  value  plus  an  optional
2650       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
2651       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
2652       unit is s (seconds).
2653

ipc_timeout (default: 3600s)

2655       The  time  limit  for sending or receiving information over an internal
2656       communication channel.  The purpose is to break out of deadlock  situa‐
2657       tions.  If  the time limit is exceeded the software aborts with a fatal
2658       error.
2659
2660       Specify a non-zero time value  (an  integral  value  plus  an  optional
2661       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
2662       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
2663       unit is s (seconds).
2664

ipc_ttl (default: 1000s)

2666       The  time  after which a client closes an active internal communication
2667       channel.  The purpose is to allow Postfix daemon processes to terminate
2668       voluntarily after reaching their client limit.  This is used, for exam‐
2669       ple, by the Postfix address resolving and rewriting clients.
2670
2671       Specify a non-zero time value  (an  integral  value  plus  an  optional
2672       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
2673       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
2674       unit is s (seconds).
2675
2676       This feature is available in Postfix 2.1 and later.
2677

known_tcp_ports (default: lmtp=24, smtp=25, smtps=submissions=465, submission=587)

       Optional setting that avoids lookups in the services(5) database.
       This feature was implemented to address inconsistencies in the name
       of the port "465" service. The ABNF is:

           known_tcp_ports = empty | name-to-port *("," name-to-port)
           name-to-port = 1*(service-name "=") port-number

       The comma is required. Whitespace is optional but it cannot appear
       inside a service name or port number.

       This feature is available in Postfix 3.6 and later.
2691
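       A parser for the ABNF above makes it possible to review a
       known_tcp_ports value before deploying it. The following is an
       added example, not Postfix code; the function names are
       hypothetical, and the accepted service-name characters and the
       rejection of duplicate or all-numeric names are assumptions of the
       example. It also reports names whose port differs from the default.

```python
import re

# Default value as given in the known_tcp_ports heading of this page.
DEFAULT = "lmtp=24, smtp=25, smtps=submissions=465, submission=587"

# Assumption of this example: services(5)-style names without whitespace.
_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*\Z")
_PORT = re.compile(r"[0-9]{1,5}\Z")


def parse_known_tcp_ports(value):
    """Parse a known_tcp_ports value into {service-name: port}.

    Follows the ABNF: entries are separated by commas, and each entry is
    one or more 'name=' prefixes followed by a port number. Raises
    ValueError for input that the ABNF does not allow.
    """
    ports = {}
    if not value.strip():
        return ports                    # the "empty" alternative
    for item in value.split(","):
        # Whitespace around names and ports is optional and dropped here;
        # whitespace left inside a field fails the patterns above.
        fields = [f.strip() for f in item.split("=")]
        if len(fields) < 2:
            raise ValueError("missing '=' in %r" % item.strip())
        *names, port = fields
        if not _PORT.match(port) or not 0 < int(port) <= 65535:
            raise ValueError("bad port number %r" % port)
        for name in names:
            if not _NAME.match(name):
                raise ValueError("bad service name %r" % name)
            if name.isdigit():
                # Assumption: a numeric "name" is ambiguous with a port.
                raise ValueError("numerical service name %r" % name)
            if name in ports:
                # Assumption: a repeated name is treated as an error.
                raise ValueError("duplicate service name %r" % name)
            ports[name] = int(port)
    return ports


def overrides(value, baseline=DEFAULT):
    """Map each name whose port differs from the baseline to (old, new).

    Names that the baseline does not define are reported with old=None.
    """
    base = parse_known_tcp_ports(baseline)
    current = parse_known_tcp_ports(value)
    return {name: (base.get(name), port)
            for name, port in sorted(current.items())
            if base.get(name) != port}


if __name__ == "__main__":
    print(parse_known_tcp_ports(DEFAULT))
    # Constructed value for illustration.
    print(overrides("smtp=25, smtps=587, relay=2525"))
```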

line_length_limit (default: 2048)

2693       Upon  input,  long  lines  are  chopped  up into pieces of at most this
2694       length; upon delivery, long lines are reconstructed.
2695

lmdb_map_size (default: 16777216)

2697       The initial OpenLDAP LMDB database size limit in bytes.   Each  time  a
2698       database becomes full, its size limit is doubled.
2699
2700       This feature is available in Postfix 2.11 and later.
2701

lmtp_address_preference (default: ipv6)

2703       The  LMTP-specific version of the smtp_address_preference configuration
2704       parameter.  See there for details.
2705
2706       This feature is available in Postfix 2.8 and later.
2707

lmtp_address_verify_target (default: rcpt)

2709       The LMTP-specific version of the smtp_address_verify_target  configura‐
2710       tion parameter.  See there for details.
2711
2712       This feature is available in Postfix 3.0 and later.
2713

lmtp_assume_final (default: no)

2715       When  a  remote  LMTP  server announces no DSN support, assume that the
2716       server performs final delivery, and send  "delivered"  delivery  status
2717       notifications  instead  of  "relayed". The default setting is backwards
2718       compatible to avoid the infinitesimal possibility of breaking  existing
2719       LMTP-based content filters.
2720

lmtp_balance_inet_protocols (default: yes)

2722       The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2723       tion parameter. See there for details.
2724
2725       This feature is available in Postfix 3.3 and later.
2726

lmtp_bind_address (default: empty)

2728       The LMTP-specific version of the smtp_bind_address configuration param‐
2729       eter.  See there for details.
2730
2731       This feature is available in Postfix 2.3 and later.
2732

lmtp_bind_address6 (default: empty)

2734       The  LMTP-specific  version of the smtp_bind_address6 configuration pa‐
2735       rameter.  See there for details.
2736
2737       This feature is available in Postfix 2.3 and later.
2738

lmtp_bind_address_enforce (default: empty)

2740       The LMTP-specific version of the  smtp_bind_address_enforce  configura‐
2741       tion parameter. See there for details.
2742
2743       This feature is available in Postfix 3.7 and later.
2744

lmtp_body_checks (default: empty)

2746       The LMTP-specific version of the smtp_body_checks configuration parame‐
2747       ter. See there for details.
2748
2749       This feature is available in Postfix 2.5 and later.
2750

lmtp_cache_connection (default: yes)

       Keep Postfix LMTP client connections open for up to $max_idle
       seconds. When the LMTP client receives a request for the same
       connection the connection is reused.

       This parameter is available in Postfix version 2.2 and earlier. With
       Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
       lmtp_connection_cache_destinations, or
       lmtp_connection_reuse_time_limit.

       The effectiveness of cached connections will be determined by the
       number of remote LMTP servers in use, and the concurrency limit
       specified for the Postfix LMTP client. Cached connections are closed
       under any of the following conditions:

       •      The Postfix LMTP client idle time limit is reached. This limit
              is specified with the Postfix max_idle configuration parameter.

       •      A delivery request specifies a different destination than the
              one currently cached.

       •      The per-process limit on the number of delivery requests is
              reached. This limit is specified with the Postfix max_use
              configuration parameter.

       •      Upon the onset of another delivery request, the remote LMTP
              server associated with the current session does not respond
              to the RSET command.

       Most of these limitations have been removed with the Postfix
       connection cache that is shared among multiple LMTP client programs.
2782

lmtp_cname_overrides_servername (default: yes)

2784       The  LMTP-specific  version of the smtp_cname_overrides_servername con‐
2785       figuration parameter.  See there for details.
2786
2787       This feature is available in Postfix 2.3 and later.
2788

lmtp_connect_timeout (default: 0s)

2790       The Postfix LMTP client time limit for completing a TCP connection,  or
2791       zero  (use  the operating system built-in time limit).  When no connec‐
2792       tion can be made within the deadline, the LMTP client  tries  the  next
2793       address on the mail exchanger list.
2794
2795       Specify  a  non-negative time value (an integral value plus an optional
2796       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
2797       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
2798       unit is s (seconds).
2799
2800       Example:
2801
2802       lmtp_connect_timeout = 30s
2803

lmtp_connection_cache_destinations (default: empty)

2805       The LMTP-specific  version  of  the  smtp_connection_cache_destinations
2806       configuration parameter.  See there for details.
2807
2808       This feature is available in Postfix 2.3 and later.
2809

lmtp_connection_cache_on_demand (default: yes)

2811       The  LMTP-specific  version of the smtp_connection_cache_on_demand con‐
2812       figuration parameter.  See there for details.
2813
2814       This feature is available in Postfix 2.3 and later.
2815

lmtp_connection_cache_time_limit (default: 2s)

2817       The LMTP-specific version of the smtp_connection_cache_time_limit  con‐
2818       figuration parameter.  See there for details.
2819
2820       This feature is available in Postfix 2.3 and later.
2821

lmtp_connection_reuse_count_limit (default: 0)

2823       The LMTP-specific version of the smtp_connection_reuse_count_limit con‐
2824       figuration parameter.  See there for details.
2825
2826       This feature is available in Postfix 2.11 and later.
2827

lmtp_connection_reuse_time_limit (default: 300s)

2829       The LMTP-specific version of the smtp_connection_reuse_time_limit  con‐
2830       figuration parameter.  See there for details.
2831
2832       This feature is available in Postfix 2.3 and later.
2833

lmtp_data_done_timeout (default: 600s)

2835       The  Postfix  LMTP  client time limit for sending the LMTP ".", and for
2836       receiving the remote LMTP server response.  When  no  response  is  re‐
2837       ceived  within  the  deadline, a warning is logged that the mail may be
2838       delivered multiple times.
2839
2840       Specify a non-zero time value  (an  integral  value  plus  an  optional
2841       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
2842       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
2843       unit is s (seconds).
2844

lmtp_data_init_timeout (default: 120s)

2846       The  Postfix  LMTP client time limit for sending the LMTP DATA command,
2847       and for receiving the remote LMTP server response.
2848
2849       Specify a non-zero time value  (an  integral  value  plus  an  optional
2850       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
2851       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
2852       unit is s (seconds).
2853

lmtp_data_xfer_timeout (default: 180s)

2855       The  Postfix  LMTP  client time limit for sending the LMTP message con‐
2856       tent.  When the connection stalls for more than $lmtp_data_xfer_timeout
2857       the LMTP client terminates the transfer.
2858
2859       Specify  a  non-zero  time  value  (an  integral value plus an optional
2860       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
2861       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
2862       unit is s (seconds).
2863

lmtp_defer_if_no_mx_address_found (default: no)

2865       The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2866       figuration parameter.  See there for details.
2867
2868       This feature is available in Postfix 2.3 and later.
2869

lmtp_delivery_status_filter (default: empty)

2871       The LMTP-specific version of the smtp_delivery_status_filter configura‐
2872       tion parameter.  See there for details.
2873
2874       This feature is available in Postfix 3.0 and later.
2875

lmtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination
       via the lmtp message delivery transport. This limit is enforced by
       the queue manager. The message delivery transport name is the first
       field in the entry in the master.cf file.
2882

lmtp_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the lmtp message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in
       the master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       lmtp_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.
2893

lmtp_discard_lhlo_keyword_address_maps (default: empty)

       Lookup tables, indexed by the remote LMTP server address, with case
       insensitive lists of LHLO keywords (pipelining, starttls, auth,
       etc.) that the Postfix LMTP client will ignore in the LHLO response
       from a remote LMTP server. See lmtp_discard_lhlo_keywords for
       details. The table is not indexed by hostname for consistency with
       smtpd_discard_ehlo_keyword_address_maps.
2901
2902       This feature is available in Postfix 2.3 and later.
2903

lmtp_discard_lhlo_keywords (default: empty)

2905       A  case  insensitive list of LHLO keywords (pipelining, starttls, auth,
2906       etc.) that the Postfix LMTP client will ignore  in  the  LHLO  response
2907       from a remote LMTP server.
2908
2909       This feature is available in Postfix 2.3 and later.
2910
2911       Notes:
2912
2913       •      Specify the silent-discard pseudo keyword to prevent this action
2914              from being logged.
2915
2916       •      Use the lmtp_discard_lhlo_keyword_address_maps feature  to  dis‐
2917              card LHLO keywords selectively.
2918

lmtp_dns_reply_filter (default: empty)

2920       Optional  filter  for  Postfix  LMTP  client  DNS  lookup results.  See
2921       smtp_dns_reply_filter for details including an example.
2922
2923       This feature is available in Postfix 3.0 and later.
2924

lmtp_dns_resolver_options (default: empty)

2926       The LMTP-specific version of the  smtp_dns_resolver_options  configura‐
2927       tion parameter.  See there for details.
2928
2929       This feature is available in Postfix 2.8 and later.
2930

lmtp_dns_support_level (default: empty)

2932       The  LMTP-specific  version of the smtp_dns_support_level configuration
2933       parameter.  See there for details.
2934
2935       This feature is available in Postfix 2.11 and later.
2936

lmtp_enforce_tls (default: no)

2938       The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2939       ter.  See there for details.
2940
2941       This feature is available in Postfix 2.3 and later.
2942

lmtp_fallback_relay (default: empty)

2944       Optional  list of relay hosts for LMTP destinations that can't be found
2945       or that are unreachable.  In main.cf elements are separated  by  white‐
2946       space or commas.
2947
2948       By  default,  mail  is returned to the sender when a destination is not
2949       found, and delivery is deferred when a destination is unreachable.
2950
2951       The fallback relays must be TCP destinations, specified without a lead‐
2952       ing  "inet:" prefix.  Specify a host or host:port.  Since MX lookups do
2953       not apply  with  LMTP,  there  is  no  need  to  use  the  "[host]"  or
2954       "[host]:port"  forms.  If you specify multiple LMTP destinations, Post‐
2955       fix will try them in the specified order.
2956
2957       This feature is available in Postfix 3.1 and later.
2958

lmtp_generic_maps (default: empty)

2960       The LMTP-specific version of the smtp_generic_maps configuration param‐
2961       eter.  See there for details.
2962
2963       This feature is available in Postfix 2.3 and later.
2964

lmtp_header_checks (default: empty)

2966       The  LMTP-specific  version of the smtp_header_checks configuration pa‐
2967       rameter. See there for details.
2968
2969       This feature is available in Postfix 2.5 and later.
2970

lmtp_host_lookup (default: dns)

2972       The LMTP-specific version of the smtp_host_lookup configuration parame‐
2973       ter.  See there for details.
2974
2975       This feature is available in Postfix 2.3 and later.
2976

lmtp_lhlo_name (default: $myhostname)

2978       The hostname to send in the LMTP LHLO command.
2979
2980       The  default  value  is  the  machine  hostname.  Specify a hostname or
2981       [ip.add.re.ss] or [ip:v6:add:re::ss].
2982
2983       This information can be specified in the  main.cf  file  for  all  LMTP
2984       clients,  or  it  can be specified in the master.cf file for a specific
2985       client, for example:
2986
2987           /etc/postfix/master.cf:
2988               mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2989
2990       This feature is available in Postfix 2.3 and later.
2991

lmtp_lhlo_timeout (default: 300s)

2993       The Postfix LMTP client time limit for sending the  LHLO  command,  and
2994       for receiving the initial remote LMTP server response.
2995
2996       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2997       The default time unit is s (seconds).
2998

lmtp_line_length_limit (default: 998)

3000       The LMTP-specific version of the  smtp_line_length_limit  configuration
3001       parameter.  See there for details.
3002
3003       This feature is available in Postfix 2.3 and later.
3004

lmtp_mail_timeout (default: 300s)

3006       The  Postfix  LMTP client time limit for sending the MAIL FROM command,
3007       and for receiving the remote LMTP server response.
3008
3009       Specify a non-zero time value  (an  integral  value  plus  an  optional
3010       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
3011       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
3012       unit is s (seconds).
3013

lmtp_mime_header_checks (default: empty)

3015       The  LMTP-specific version of the smtp_mime_header_checks configuration
3016       parameter. See there for details.
3017
3018       This feature is available in Postfix 2.5 and later.
3019

lmtp_min_data_rate (default: 500)

3021       The LMTP-specific version of the smtp_min_data_rate  configuration  pa‐
3022       rameter. See there for details.
3023
3024       This feature is available in Postfix 3.7 and later.
3025

lmtp_mx_address_limit (default: 5)

3027       The  LMTP-specific  version  of the smtp_mx_address_limit configuration
3028       parameter.  See there for details.
3029
3030       This feature is available in Postfix 2.3 and later.
3031

lmtp_mx_session_limit (default: 2)

3033       The LMTP-specific version of  the  smtp_mx_session_limit  configuration
3034       parameter.  See there for details.
3035
3036       This feature is available in Postfix 2.3 and later.
3037

lmtp_nested_header_checks (default: empty)

3039       The  LMTP-specific  version of the smtp_nested_header_checks configura‐
3040       tion parameter. See there for details.
3041
3042       This feature is available in Postfix 2.5 and later.
3043

lmtp_per_record_deadline (default: no)

3045       The LMTP-specific version of the smtp_per_record_deadline configuration
3046       parameter.  See there for details.
3047
3048       This feature is available in Postfix 2.9 and later.
3049

lmtp_per_request_deadline (default: no)

3051       The  LMTP-specific  version of the smtp_per_request_deadline configura‐
3052       tion parameter. See there for details.
3053
3054       This feature is available in Postfix 3.7 and later.
3055

lmtp_pix_workaround_delay_time (default: 10s)

3057       The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
3058       uration parameter.  See there for details.
3059
3060       This feature is available in Postfix 2.3 and later.
3061

lmtp_pix_workaround_maps (default: empty)

3063       The LMTP-specific version of the smtp_pix_workaround_maps configuration
3064       parameter.  See there for details.
3065
3066       This feature is available in Postfix 2.4 and later.
3067

lmtp_pix_workaround_threshold_time (default: 500s)

3069       The LMTP-specific  version  of  the  smtp_pix_workaround_threshold_time
3070       configuration parameter.  See there for details.
3071
3072       This feature is available in Postfix 2.3 and later.
3073

lmtp_pix_workarounds (default: empty)

       The LMTP-specific version of the smtp_pix_workarounds configuration
       parameter.  See there for details.
3077
3078       This feature is available in Postfix 2.4 and later.
3079

lmtp_quit_timeout (default: 300s)

3081       The Postfix LMTP client time limit for sending the  QUIT  command,  and
3082       for receiving the remote LMTP server response.
3083
3084       Specify  a  non-zero  time  value  (an  integral value plus an optional
3085       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
3086       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
3087       unit is s (seconds).
3088

lmtp_quote_rfc821_envelope (default: yes)

3090       The LMTP-specific version of the smtp_quote_rfc821_envelope  configura‐
3091       tion parameter.  See there for details.
3092
3093       This feature is available in Postfix 2.3 and later.
3094

lmtp_randomize_addresses (default: yes)

3096       The LMTP-specific version of the smtp_randomize_addresses configuration
3097       parameter.  See there for details.
3098
3099       This feature is available in Postfix 2.3 and later.
3100

lmtp_rcpt_timeout (default: 300s)

3102       The Postfix LMTP client time limit for sending the RCPT TO command, and
3103       for receiving the remote LMTP server response.
3104
3105       Specify  a  non-zero  time  value  (an  integral value plus an optional
3106       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
3107       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
3108       unit is s (seconds).
3109

lmtp_reply_filter (default: empty)

3111       The LMTP-specific version of the smtp_reply_filter configuration param‐
3112       eter.  See there for details.
3113
3114       This feature is available in Postfix 2.7 and later.
3115

lmtp_rset_timeout (default: 20s)

3117       The  Postfix  LMTP  client time limit for sending the RSET command, and
3118       for receiving the remote LMTP server response. The  LMTP  client  sends
3119       RSET  in order to finish a recipient address probe, or to verify that a
3120       cached connection is still alive.
3121
3122       Specify a non-zero time value  (an  integral  value  plus  an  optional
3123       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
3124       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
3125       unit is s (seconds).
3126

lmtp_sasl_auth_cache_name (default: empty)

3128       The  LMTP-specific  version of the smtp_sasl_auth_cache_name configura‐
3129       tion parameter.  See there for details.
3130
3131       This feature is available in Postfix 2.5 and later.
3132

lmtp_sasl_auth_cache_time (default: 90d)

3134       The LMTP-specific version of the  smtp_sasl_auth_cache_time  configura‐
3135       tion parameter.  See there for details.
3136
3137       This feature is available in Postfix 2.5 and later.
3138

lmtp_sasl_auth_enable (default: no)

3140       Enable SASL authentication in the Postfix LMTP client.
3141

lmtp_sasl_auth_soft_bounce (default: yes)

3143       The  LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
3144       tion parameter.  See there for details.
3145
3146       This feature is available in Postfix 2.5 and later.
3147

lmtp_sasl_mechanism_filter (default: empty)

3149       The LMTP-specific version of the smtp_sasl_mechanism_filter  configura‐
3150       tion parameter.  See there for details.
3151
3152       This feature is available in Postfix 2.3 and later.
3153

lmtp_sasl_password_maps (default: empty)

3155       Optional  Postfix  LMTP client lookup tables with one username:password
3156       entry per host or domain.  If a remote host  or  domain  has  no  user‐
3157       name:password  entry,  then the Postfix LMTP client will not attempt to
3158       authenticate to the remote host.
3159

lmtp_sasl_path (default: empty)

3161       Implementation-specific information that is passed through to the  SASL
3162       plug-in implementation that is selected with lmtp_sasl_type.  Typically
3163       this specifies the name of a configuration file or rendezvous point.
3164
3165       This feature is available in Postfix 2.3 and later.
3166

lmtp_sasl_security_options (default: noplaintext, noanonymous)

3168       SASL security options; as of Postfix 2.3 the list of available features
3169       depends  on  the  SASL  client  implementation  that  is  selected with
3170       lmtp_sasl_type.
3171
3172       The following security features are defined for the cyrus  client  SASL
3173       implementation:
3174
3175       noplaintext
3176              Disallow authentication methods that use plaintext passwords.
3177
3178       noactive
3179              Disallow  authentication methods that are vulnerable to non-dic‐
3180              tionary active attacks.
3181
3182       nodictionary
3183              Disallow authentication methods that are vulnerable  to  passive
3184              dictionary attacks.
3185
3186       noanonymous
3187              Disallow anonymous logins.
3188
3189       Example:
3190
3191       lmtp_sasl_security_options = noplaintext
3192

lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)

3194       The LMTP-specific version of the smtp_sasl_tls_security_options config‐
3195       uration parameter.  See there for details.
3196
3197       This feature is available in Postfix 2.3 and later.
3198

lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_security_options)

       The LMTP-specific version of the smtp_sasl_tls_verified_security_options
       configuration parameter.  See there for details.

       This feature is available in Postfix 2.3 and later.
3205

lmtp_sasl_type (default: cyrus)

3207       The SASL plug-in type that the Postfix LMTP client should use  for  au‐
3208       thentication.   The  available  types are listed with the "postconf -A"
3209       command.
3210
3211       This feature is available in Postfix 2.3 and later.
3212

lmtp_send_dummy_mail_auth (default: no)

3214       The LMTP-specific version of the  smtp_send_dummy_mail_auth  configura‐
3215       tion parameter.  See there for details.
3216
3217       This feature is available in Postfix 2.9 and later.
3218

lmtp_send_xforward_command (default: no)

3220       Send  an  XFORWARD command to the remote LMTP server when the LMTP LHLO
3221       server response announces XFORWARD support.  This allows an lmtp(8) de‐
3222       livery agent, used for content filter message injection, to forward the
3223       name, address, protocol and HELO name of the  original  client  to  the
3224       content filter and downstream LMTP server.  Before you change the value
3225       to yes, it is best to make sure that your content filter supports  this
3226       command.
3227
3228       This feature is available in Postfix 2.1 and later.
3229

lmtp_sender_dependent_authentication (default: no)

3231       The  LMTP-specific  version of the smtp_sender_dependent_authentication
3232       configuration parameter.  See there for details.
3233
3234       This feature is available in Postfix 2.3 and later.
3235

lmtp_skip_5xx_greeting (default: yes)

3237       The LMTP-specific version of the  smtp_skip_5xx_greeting  configuration
3238       parameter.  See there for details.
3239
3240       This feature is available in Postfix 2.3 and later.
3241

lmtp_skip_quit_response (default: no)

3243       Wait for the response to the LMTP QUIT command.
3244

lmtp_starttls_timeout (default: 300s)

3246       The  LMTP-specific  version  of the smtp_starttls_timeout configuration
3247       parameter.  See there for details.
3248
3249       This feature is available in Postfix 2.3 and later.
3250

lmtp_tcp_port (default: 24)

3252       The default TCP port that the Postfix LMTP client connects to.  Specify
3253       a symbolic name (see services(5)) or a numeric port.
3254

lmtp_tls_CAfile (default: empty)

3256       The  LMTP-specific version of the smtp_tls_CAfile configuration parame‐
3257       ter.  See there for details.
3258
3259       This feature is available in Postfix 2.3 and later.
3260

lmtp_tls_CApath (default: empty)

3262       The LMTP-specific version of the smtp_tls_CApath configuration  parame‐
3263       ter.  See there for details.
3264
3265       This feature is available in Postfix 2.3 and later.
3266

lmtp_tls_block_early_mail_reply (default: empty)

3268       The  LMTP-specific  version of the smtp_tls_block_early_mail_reply con‐
3269       figuration parameter.  See there for details.
3270
3271       This feature is available in Postfix 2.7 and later.
3272

lmtp_tls_cert_file (default: empty)

3274       The LMTP-specific version of the smtp_tls_cert_file  configuration  pa‐
3275       rameter.  See there for details.
3276
3277       This feature is available in Postfix 2.3 and later.
3278

lmtp_tls_chain_files (default: empty)

3280       The LMTP-specific version of the smtp_tls_chain_files configuration pa‐
3281       rameter. See there for details.
3282
3283       This feature is available in Postfix 3.4 and later.
3284

lmtp_tls_ciphers (default: medium)

3286       The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3287       ter. See there for details.
3288
3289       This feature is available in Postfix 2.6 and later.
3290

lmtp_tls_connection_reuse (default: no)

3292       The  LMTP-specific  version of the smtp_tls_connection_reuse configura‐
3293       tion parameter. See there for details.
3294
3295       This feature is available in Postfix 3.4 and later.
3296

lmtp_tls_dcert_file (default: empty)

3298       The LMTP-specific version of the smtp_tls_dcert_file configuration  pa‐
3299       rameter.  See there for details.
3300
3301       This feature is available in Postfix 2.3 and later.
3302

lmtp_tls_dkey_file (default: $lmtp_tls_dcert_file)

3304       The  LMTP-specific  version of the smtp_tls_dkey_file configuration pa‐
3305       rameter.  See there for details.
3306
3307       This feature is available in Postfix 2.3 and later.
3308

lmtp_tls_eccert_file (default: empty)

3310       The LMTP-specific version of the smtp_tls_eccert_file configuration pa‐
3311       rameter.  See there for details.
3312
3313       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3314       compiled and linked with OpenSSL 1.0.0 or later.
3315

lmtp_tls_eckey_file (default: empty)

3317       The LMTP-specific version of the smtp_tls_eckey_file configuration  pa‐
3318       rameter.  See there for details.
3319
3320       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3321       compiled and linked with OpenSSL 1.0.0 or later.
3322

lmtp_tls_enforce_peername (default: yes)

3324       The LMTP-specific version of the  smtp_tls_enforce_peername  configura‐
3325       tion parameter.  See there for details.
3326
3327       This feature is available in Postfix 2.3 and later.
3328

lmtp_tls_exclude_ciphers (default: empty)

3330       The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3331       parameter.  See there for details.
3332
3333       This feature is available in Postfix 2.3 and later.
3334

lmtp_tls_fingerprint_cert_match (default: empty)

3336       The LMTP-specific version of the  smtp_tls_fingerprint_cert_match  con‐
3337       figuration parameter.  See there for details.
3338
3339       This feature is available in Postfix 2.5 and later.
3340

lmtp_tls_fingerprint_digest (default: see postconf -d output)

3342       The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3343       tion parameter.  See there for details.
3344
3345       This feature is available in Postfix 2.5 and later.
3346

lmtp_tls_force_insecure_host_tlsa_lookup (default: no)

3348       The    LMTP-specific    version     of     the     smtp_tls_force_inse‐
3349       cure_host_tlsa_lookup configuration parameter.  See there for details.
3350
3351       This feature is available in Postfix 2.11 and later.
3352

lmtp_tls_key_file (default: $lmtp_tls_cert_file)

3354       The LMTP-specific version of the smtp_tls_key_file configuration param‐
3355       eter.  See there for details.
3356
3357       This feature is available in Postfix 2.3 and later.
3358

lmtp_tls_loglevel (default: 0)

3360       The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3361       eter.  See there for details.
3362
3363       This feature is available in Postfix 2.3 and later.
3364

lmtp_tls_mandatory_ciphers (default: medium)

3366       The  LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3367       tion parameter.  See there for details.
3368
3369       This feature is available in Postfix 2.3 and later.
3370

lmtp_tls_mandatory_exclude_ciphers (default: empty)

3372       The LMTP-specific  version  of  the  smtp_tls_mandatory_exclude_ciphers
3373       configuration parameter.  See there for details.
3374
3375       This feature is available in Postfix 2.3 and later.
3376

lmtp_tls_mandatory_protocols (default: see postconf -d output)

3378       The  LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3379       ration parameter. See there for details.
3380
3381       This feature is available in Postfix 2.3 and later.
3382

lmtp_tls_note_starttls_offer (default: no)

3384       The LMTP-specific version of the smtp_tls_note_starttls_offer  configu‐
3385       ration parameter.  See there for details.
3386
3387       This feature is available in Postfix 2.3 and later.
3388

lmtp_tls_per_site (default: empty)

3390       The LMTP-specific version of the smtp_tls_per_site configuration param‐
3391       eter.  See there for details.
3392
3393       This feature is available in Postfix 2.3 and later.
3394

lmtp_tls_policy_maps (default: empty)

3396       The LMTP-specific version of the smtp_tls_policy_maps configuration pa‐
3397       rameter. See there for details.
3398
3399       This feature is available in Postfix 2.3 and later.
3400

lmtp_tls_protocols (default: see postconf -d output)

3402       The  LMTP-specific  version of the smtp_tls_protocols configuration pa‐
3403       rameter. See there for details.
3404
3405       This feature is available in Postfix 2.6 and later.
3406

lmtp_tls_scert_verifydepth (default: 9)

3408       The LMTP-specific version of the smtp_tls_scert_verifydepth  configura‐
3409       tion parameter.  See there for details.
3410
3411       This feature is available in Postfix 2.3 and later.
3412

lmtp_tls_secure_cert_match (default: nexthop)

3414       The  LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3415       tion parameter. See there for details.
3416
3417       This feature is available in Postfix 2.3 and later.
3418

lmtp_tls_security_level (default: empty)

3420       The LMTP-specific version of the smtp_tls_security_level  configuration
3421       parameter.  See there for details.
3422
3423       This feature is available in Postfix 2.3 and later.
3424

lmtp_tls_servername (default: empty)

3426       The  LMTP-specific version of the smtp_tls_servername configuration pa‐
3427       rameter. See there for details.
3428
3429       This feature is available in Postfix 3.4 and later.
3430

lmtp_tls_session_cache_database (default: empty)

3432       The LMTP-specific version of the  smtp_tls_session_cache_database  con‐
3433       figuration parameter. See there for details.
3434
3435       This feature is available in Postfix 2.3 and later.
3436

lmtp_tls_session_cache_timeout (default: 3600s)

3438       The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3439       uration parameter.  See there for details.
3440
3441       This feature is available in Postfix 2.3 and later.
3442

lmtp_tls_trust_anchor_file (default: empty)

3444       The LMTP-specific version of the smtp_tls_trust_anchor_file  configura‐
3445       tion parameter.  See there for details.
3446
3447       This feature is available in Postfix 2.11 and later.
3448

lmtp_tls_verify_cert_match (default: hostname)

3450       The  LMTP-specific version of the smtp_tls_verify_cert_match configura‐
3451       tion parameter. See there for details.
3452
3453       This feature is available in Postfix 2.3 and later.
3454

lmtp_tls_wrappermode (default: no)

3456       The LMTP-specific version of the smtp_tls_wrappermode configuration pa‐
3457       rameter. See there for details.
3458
3459       This feature is available in Postfix 3.0 and later.
3460

lmtp_use_tls (default: no)

3462       The  LMTP-specific version of the smtp_use_tls configuration parameter.
3463       See there for details.
3464
3465       This feature is available in Postfix 2.3 and later.
3466

lmtp_xforward_timeout (default: 300s)

3468       The Postfix LMTP client time limit for sending  the  XFORWARD  command,
3469       and for receiving the remote LMTP server response.
3470
3471       In  case  of  problems  the client does NOT try the next address on the
3472       mail exchanger list.
3473
3474       Specify a non-zero time value  (an  integral  value  plus  an  optional
3475       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
3476       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
3477       unit is s (seconds).
3478
3479       This feature is available in Postfix 2.1 and later.
3480

local_command_shell (default: empty)

3482       Optional  shell  program for local(8) delivery to non-Postfix commands.
3483       By default, non-Postfix commands are executed  directly;  commands  are
3484       given  to the default shell (typically, /bin/sh) only when they contain
3485       shell meta characters or shell built-in commands.
3486
3487       "sendmail's restricted shell" (smrsh) is what most people will  use  in
3488       order  to  restrict  what  programs can be run from e.g. .forward files
3489       (smrsh is part of the Sendmail distribution).
3490
3491       Note: when a shell program is specified, it is invoked  even  when  the
3492       command contains no shell built-in commands or meta characters.
3493
3494       Example:
3495
3496       local_command_shell = /some/where/smrsh -c
3497       local_command_shell = /bin/bash -c
3498

local_delivery_status_filter (default: $default_delivery_status_filter)

3500       Optional  filter  for  the local(8) delivery agent to change the status
3501       code or explanatory text of successful or unsuccessful deliveries.  See
3502       default_delivery_status_filter for details.
3503
3504       This feature is available in Postfix 3.0 and later.
3505

local_destination_concurrency_limit (default: 2)

3507       The  maximal  number of parallel deliveries via the local mail delivery
3508       transport  to  the  same  recipient  (when   "local_destination_recipi‐
3509       ent_limit  =  1")  or  the maximal number of parallel deliveries to the
3510       same local domain (when "local_destination_recipient_limit > 1").  This
3511       limit  is enforced by the queue manager. The message delivery transport
3512       name is the first field in the entry in the master.cf file.
3513
3514       A low limit of 2 is recommended, just in case someone has an  expensive
3515       shell  command  in a .forward file or in an alias (e.g., a mailing list
3516       manager).  You don't want to run lots of those at the same time.
3517

local_destination_recipient_limit (default: 1)

3519       The maximal number of recipients per message  delivery  via  the  local
3520       mail  delivery  transport. This limit is enforced by the queue manager.
3521       The message delivery transport name is the first field in the entry  in
3522       the master.cf file.
3523
3524       Setting this parameter to a value > 1 changes the meaning of local_des‐
3525       tination_concurrency_limit from concurrency per recipient into  concur‐
3526       rency per domain.
3527

local_header_rewrite_clients (default: permit_inet_interfaces)

3529       Rewrite or add message headers in mail from these clients, updating in‐
3530       complete addresses with the domain name in $myorigin or $mydomain,  and
3531       adding missing headers.
3532
3533       See  the  append_at_myorigin and append_dot_mydomain parameters for de‐
3534       tails of how domain names are appended to incomplete addresses.
3535
3536       See remote_header_rewrite_domain to optionally rewrite or  add  message
3537       headers in mail from other clients.
3538
3539       Specify a list of zero or more of the following:
3540
3541       permit_inet_interfaces
3542              Append the domain name in $myorigin or $mydomain when the client
3543              IP address matches $inet_interfaces. This is enabled by default.
3544
3545       permit_mynetworks
3546              Append the domain name in $myorigin or $mydomain when the client
3547              IP  address  matches  any  network  or network address listed in
3548              $mynetworks. This setting will not prevent  remote  mail  header
3549              address rewriting when mail from a remote client is forwarded by
3550              a neighboring system.
3551
3552       permit_sasl_authenticated
3553              Append the domain name in $myorigin or $mydomain when the client
3554              is successfully authenticated via the RFC 4954 (AUTH) protocol.
3555
3556       permit_tls_clientcerts
3557              Append the domain name in $myorigin or $mydomain when the remote
3558              SMTP client TLS certificate fingerprint or  public  key  finger‐
3559              print  (Postfix  2.9 and later) is listed in $relay_clientcerts.
3560              The  fingerprint  digest  algorithm  is  configurable  via   the
3561              smtpd_tls_fingerprint_digest  parameter (hard-coded as md5 prior
3562              to Postfix version 2.5).
3563              The default algorithm is sha256 with Postfix >= 3.6 and the com‐
3564              patibility_level  set to 3.6 or higher. With Postfix <= 3.5, the
3565              default algorithm is md5.  The best-practice  algorithm  is  now
3566              sha256.  Recent advances in hash function cryptanalysis have led
3567              to md5 and sha1 being deprecated in favor of  sha256.   However,
3568              as long as there are no known "second pre-image" attacks against
3569              the older algorithms, their use in this context, though not rec‐
3570              ommended, is still likely safe.
3571
3572       permit_tls_all_clientcerts
3573              Append the domain name in $myorigin or $mydomain when the remote
3574              SMTP client TLS certificate is successfully verified, regardless
3575              of  whether  it  is  listed on the server, and regardless of the
3576              certifying authority.
3577
3578       check_address_map type:table
3579
3580       type:table
3581              Append the domain name in $myorigin or $mydomain when the client
3582              IP  address  matches the specified lookup table.  The lookup re‐
3583              sult is ignored, and no subnet lookup is done. This is  suitable
3584              for, e.g., pop-before-smtp lookup tables.
3585
3586       Examples:
3587
3588       The  Postfix < 2.2 backwards compatible setting: always rewrite message
3589       headers, and always append my  own  domain  to  incomplete  header  ad‐
3590       dresses.
3591
3592           local_header_rewrite_clients = static:all
3593
3594       The  purist  (and  default)  setting: rewrite headers only in mail from
3595       Postfix sendmail and in SMTP mail from this machine.
3596
3597           local_header_rewrite_clients = permit_inet_interfaces
3598
3599       The intermediate setting: rewrite header addresses and append $myorigin
3600       or $mydomain information only with mail from Postfix sendmail, from lo‐
3601       cal clients, or from authorized SMTP clients.
3602
3603       Note: this setting will not prevent remote mail header address  rewrit‐
3604       ing  when  mail from a remote client is forwarded by a neighboring sys‐
3605       tem.
3606
3607           local_header_rewrite_clients = permit_mynetworks,
3608               permit_sasl_authenticated permit_tls_clientcerts
3609               check_address_map hash:/etc/postfix/pop-before-smtp
3610

local_login_sender_maps (default: static:*)

3612       A list of lookup tables that are searched by the UNIX login  name,  and
3613       that  return  a  list  of allowed envelope sender patterns separated by
3614       space or comma. These sender patterns are enforced by the Postfix post‐
3615       drop(1)  command.  The  default is backwards-compatible: every user may
3616       specify any sender envelope address.
3617
3618       When no UNIX login name is  available,  the  postdrop(1)  command  will
3619       prepend "uid:" to the numerical UID and use that instead.
3620
3621       This  feature ignores address extensions in the user-specified envelope
3622       sender address.
3623
3624       The following sender patterns are special; these cannot be used as part
3625       of a longer pattern.
3626
3627        *     This pattern allows any envelope sender address.
3628
3629        <>    This  pattern  allows the empty envelope sender address. See the
3630              empty_address_local_login_sender_maps_lookup_key   configuration
3631              parameter.
3632
3633        @domain
3634              This  pattern allows an envelope sender address when the '@' and
3635              domain part match.
3636
3637       Examples:
3638
3639       /etc/postfix/main.cf:
3640           # Allow root and postfix full control, anyone else can only
3641           # send mail as themselves. Use "uid:" followed by the numerical
3642           # UID when the UID has no entry in the UNIX password file.
3643           local_login_sender_maps =
3644               inline:{ { root = * }, { postfix = * } },
3645               pcre:/etc/postfix/login_senders
3646
3647       /etc/postfix/login_senders:
3648           # Allow both the bare username and the user@domain forms.
3649           /(.+)/ $1 $1@example.com
3650
3651       This feature is available in Postfix 3.6 and later.
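
       The sender check described above, modelled in Python as an added example (not Postfix source code and not part of the original manual). The tables mirror the main.cf example; the listmgr entry, the "+" extension delimiter and the case-insensitive comparison are assumptions of this model.

```python
import re

EXT_DELIMITER = "+"  # assumption: recipient_delimiter = +

# Constructed tables mirroring the main.cf example:
#   inline:{ { root = * }, { postfix = * } }, pcre:/etc/postfix/login_senders
INLINE = {
    "root": "*",
    "postfix": "*",
    "listmgr": "@lists.example.com <>",  # constructed entry, not in the manual
}
PCRE = [(re.compile(r"(.+)"), r"\1 \1@example.com")]  # /(.+)/ $1 $1@example.com


def login_key(login_name, uid):
    """Lookup key: the UNIX login name, or "uid:<n>" when none is available."""
    return login_name if login_name else "uid:%d" % uid


def lookup_patterns(key):
    """Search the tables in order; the first table that matches supplies the list."""
    result = INLINE.get(key, "")
    if not result:
        for regex, template in PCRE:
            match = regex.search(key)
            if match:
                result = match.expand(template)
                break
    # Patterns are separated by space or comma.
    return [p for p in re.split(r"[\s,]+", result) if p]


def strip_extension(sender):
    """Ignore the address extension: alice+lists@example.com -> alice@example.com."""
    local, at, domain = sender.rpartition("@")
    if not at:  # bare localpart without a domain
        local, domain = sender, ""
    base = local.split(EXT_DELIMITER, 1)[0] or local
    return base + (at + domain if at else "")


def sender_allowed(login_name, uid, sender):
    """Return True when this login may submit mail with this envelope sender."""
    patterns = lookup_patterns(login_key(login_name, uid))
    if "*" in patterns:  # special pattern: any envelope sender
        return True
    if sender == "":  # empty envelope sender needs the special "<>" pattern
        return "<>" in patterns
    bare = strip_extension(sender).casefold()
    for pattern in patterns:
        if pattern == "<>":
            continue
        if pattern.startswith("@"):
            # "@domain": the '@' and the domain part must match.
            if "@" in bare and bare[bare.rindex("@"):] == pattern.casefold():
                return True
        elif bare == pattern.casefold():
            return True
    return False


# Constructed submissions: (login name, uid, envelope sender).
CASES = [
    ("root", 0, "anyone@example.org"),
    ("alice", 1001, "alice"),
    ("alice", 1001, "alice+lists@example.com"),
    ("alice", 1001, "bob@example.com"),
    ("alice", 1001, ""),
    ("listmgr", 1002, "announce@lists.example.com"),
    ("listmgr", 1002, ""),
    (None, 4242, "alice@example.com"),
]

if __name__ == "__main__":
    for login, uid, sender in CASES:
        verdict = "allow" if sender_allowed(login, uid, sender) else "reject"
        print("%-10s %-30r %s" % (login_key(login, uid), sender, verdict))
```
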
3652

local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)

3654       Lookup tables with all names or addresses of local recipients: a recip‐
3655       ient address is local when its domain matches $mydestination, $inet_in‐
3656       terfaces or $proxy_interfaces.  Specify @domain as a wild-card for  do‐
3657       mains  that  do  not  have a valid recipient list.  Technically, tables
3658       listed with $local_recipient_maps are used as lists: Postfix  needs  to
3659       know  only  if a lookup string is found or not, but it does not use the
3660       result from table lookup.
3661
3662       Specify zero or more "type:name" lookup tables, separated by whitespace
3663       or  comma. Tables will be searched in the specified order until a match
3664       is found.
3665
3666       If this parameter is non-empty (the default),  then  the  Postfix  SMTP
3667       server will reject mail for unknown local users.
3668
3669       To  turn off local recipient checking in the Postfix SMTP server, spec‐
3670       ify "local_recipient_maps =" (i.e. empty).
3671
3672       The default setting assumes that you use the default Postfix local  de‐
3673       livery  agent  for local delivery. You need to update the local_recipi‐
3674       ent_maps setting if:
3675
3676       •      You redefine the local delivery agent in master.cf.
3677
3678       •      You redefine the "local_transport" setting in main.cf.
3679
3680       •      You  use  the  "luser_relay",  "mailbox_transport",  or   "fall‐
3681              back_transport" feature of the Postfix local(8) delivery agent.
3682
3683       Details are described in the LOCAL_RECIPIENT_README file.
3684
3685       Beware:  if  the  Postfix SMTP server runs chrooted, you need to access
3686       the passwd file via the proxymap(8) service, in order to  overcome  ch‐
3687       root  access  restrictions.  The alternative, maintaining a copy of the
3688       system password file in the chroot jail, is not practical.
3689
3690       Examples:
3691
3692       local_recipient_maps =
3693

local_transport (default: local:$myhostname)

3695       The default mail delivery transport and next-hop destination for  final
3696       delivery to domains listed with mydestination, and for [ipaddress] des‐
3697       tinations that match $inet_interfaces or $proxy_interfaces.   This  in‐
3698       formation can be overruled with the transport(5) table.
3699
3700       By  default,  local  mail is delivered to the transport called "local",
3701       which is just the name of a service that is defined in the master.cf file.
3702
3703       Specify a string of the form transport:nexthop, where transport is  the
3704       name  of  a mail delivery transport defined in master.cf.  The :nexthop
3705       destination is optional; its syntax is documented in the manual page of
3706       the corresponding delivery agent.
3707
3708       Beware:  if you override the default local delivery agent then you need
3709       to review  the  LOCAL_RECIPIENT_README  document,  otherwise  the  SMTP
3710       server may reject mail for local recipients.
3711

luser_relay (default: empty)

3713       Optional catch-all destination for unknown local(8) recipients.  By de‐
3714       fault, mail for unknown recipients in domains  that  match  $mydestina‐
3715       tion,  $inet_interfaces  or $proxy_interfaces is returned as undeliver‐
3716       able.
3717
3718       The luser_relay value is not subject to Postfix configuration parameter
3719       $name expansion. Instead, the following $name expansions are done:
3720
3721       $domain
3722              The recipient domain.
3723
3724       $extension
3725              The recipient address extension.
3726
3727       $home  The recipient's home directory.
3728
3729       $local The entire recipient address localpart.
3730
3731       $recipient
3732              The full recipient address.
3733
3734       $recipient_delimiter
3735              The  address extension delimiter that was found in the recipient
3736              address (Postfix 2.11 and later), or the  system-wide  recipient
3737              address extension delimiter (Postfix 2.10 and earlier).
3738
3739       $shell The recipient's login shell.
3740
3741       $user  The recipient username.
3742
3743       ${name?value}
3744
3745       ${name?{value}} (Postfix >= 3.0)
3746              Expands to value when $name is non-empty.
3747
3748       ${name:value}
3749
3750       ${name:{value}} (Postfix >= 3.0)
3751              Expands to value when $name is empty.
3752
3753       ${name?{value1}:{value2}} (Postfix >= 3.0)
3754              Expands to value1 when $name is non-empty, value2 otherwise.
3755
3756       Instead of $name you can also specify ${name} or $(name).
3757
3758       Note: luser_relay works only for the Postfix local(8) delivery agent.
3759
3760       Note:  if  you  use  this feature for accounts not in the UNIX password
3761       file, then you must specify "local_recipient_maps ="  (i.e.  empty)  in
3762       the  main.cf  file,  otherwise the Postfix SMTP server will reject mail
3763       for non-UNIX accounts with "User unknown in local recipient table".
3764
3765       Examples:
3766
3767       luser_relay = $user@other.host
3768       luser_relay = $local@other.host
3769       luser_relay = admin+$local
3770

mail_name (default: Postfix)

3772       The mail system name that is displayed in  Received:  headers,  in  the
3773       SMTP greeting banner, and in bounced mail.
3774

mail_owner (default: postfix)

3776       The  UNIX  system  account that owns the Postfix queue and most Postfix
3777       daemon processes.  Specify the name of  an  unprivileged  user  account
3778       that  does  not  share a user or group ID with other accounts, and that
3779       owns no other files or processes on the system.  In  particular,  don't
3780       specify nobody or daemon.  PLEASE USE A DEDICATED USER ID AND GROUP ID.
3781
3782       When  this  parameter  value  is  changed  you  need to re-run "postfix
3783       set-permissions" (with Postfix version 2.0 and earlier:
3784       "/etc/postfix/post-install set-permissions").
3785

mail_release_date (default: see postconf -d output)

3787       The Postfix release date, in "YYYYMMDD" format.
3788

mail_spool_directory (default: see postconf -d output)

3790       The directory where local(8) UNIX-style mailboxes are kept. The default
3791       setting depends on the system type. Specify a  name  ending  in  /  for
3792       maildir-style delivery.
3793
3794       Note:  maildir  delivery  is done with the privileges of the recipient.
3795       If you use the mail_spool_directory setting for maildir style delivery,
3796       then  you must create the top-level maildir directory in advance. Post‐
3797       fix will not create it.
3798
3799       Examples:
3800
3801       mail_spool_directory = /var/mail
3802       mail_spool_directory = /var/spool/mail
3803

mail_version (default: see postconf -d output)

3805       The version of the mail system. Stable  releases  are  named  major.mi‐
3806       nor.patchlevel.  Experimental  releases  also include the release date.
3807       The version string can be used in, for example, the SMTP greeting  ban‐
3808       ner.
3809

mailbox_command (default: empty)

3811       Optional  external  command that the local(8) delivery agent should use
3812       for mailbox delivery.  The command is run with the user ID and the pri‐
3813       mary group ID privileges of the recipient.  Exception: command delivery
3814       for root executes with $default_privs privileges.  This is not a  prob‐
3815       lem,  because  1) mail for root should always be aliased to a real user
3816       and 2) don't log in as root, use "su" instead.
3817
3818       The following environment variables are exported to the command:
3819
3820       CLIENT_ADDRESS
3821              Remote client network address. Available in Postfix version  2.2
3822              and later.
3823
3824       CLIENT_HELO
3825              Remote  client EHLO command parameter. Available in Postfix ver‐
3826              sion 2.2 and later.
3827
3828       CLIENT_HOSTNAME
3829              Remote client hostname. Available in  Postfix  version  2.2  and
3830              later.
3831
3832       CLIENT_PROTOCOL
3833              Remote  client  protocol.  Available  in Postfix version 2.2 and
3834              later.
3835
3836       DOMAIN The domain part of the recipient address.
3837
3838       EXTENSION
3839              The optional address extension.
3840
3841       HOME   The recipient home directory.
3842
3843       LOCAL  The recipient address localpart.
3844
3845       LOGNAME
3846              The recipient's username.
3847
3848       ORIGINAL_RECIPIENT
3849              The entire recipient address, before any  address  rewriting  or
3850              aliasing.
3851
3852       RECIPIENT
3853              The full recipient address.
3854
3855       SASL_METHOD
3856              SASL  authentication  method specified in the remote client AUTH
3857              command. Available in Postfix version 2.2 and later.
3858
3859       SASL_SENDER
3860              SASL sender address specified in the  remote  client  MAIL  FROM
3861              command. Available in Postfix version 2.2 and later.
3862
3863       SASL_USER
3864              SASL  username  specified  in  the  remote  client AUTH command.
3865              Available in Postfix version 2.2 and later.
3866
3867       SENDER The full sender address.
3868
3869       SHELL  The recipient's login shell.
3870
3871       USER   The recipient username.
3872
3873       Unlike other Postfix configuration parameters, the mailbox_command  pa‐
3874       rameter  is  not  subjected  to $name substitutions. This is to make it
3875       easier to specify shell syntax (see example below).
3876
3877       If you can, avoid shell meta characters because they will force Postfix
3878       to  run an expensive shell process. If you're delivering via "procmail"
3879       then running a shell won't make a noticeable difference  in  the  total
3880       cost.
3881
3882       Note:  if  you  use  the  mailbox_command  feature to deliver mail sys‐
3883       tem-wide, you must set up an alias that forwards mail  for  root  to  a
3884       real user.
3885
3886       The  precedence  of  local(8)  delivery  features  from high to low is:
3887       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3888       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
3889       tory, fallback_transport_maps, fallback_transport and luser_relay.
3890
3891       Examples:
3892
3893       mailbox_command = /some/where/procmail
3894       mailbox_command = /some/where/procmail -a "$EXTENSION"
3895       mailbox_command = /some/where/maildrop -d "$USER"
3896               -f "$SENDER" "$EXTENSION"
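
       An added example (not part of the original manual or of Postfix) of a mailbox_command written in Python that treats the exported EXTENSION value as untrusted before using it in a file path. The Maildir layout under $HOME, the extension-to-folder mapping and the helper names are assumptions; the message is read from standard input.

```python
import os
import re
import sys
import time

EX_TEMPFAIL = 75  # sysexits.h value: temporary failure, delivery is retried later

# EXTENSION comes from the recipient address, so a remote sender chooses it.
# Accept only a short, plain folder name: no "/", no "..", no leading dot.
SAFE_EXTENSION = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def target_maildir(env):
    """Map EXTENSION to a subfolder of $HOME/Maildir, or fall back to the inbox."""
    inbox = os.path.join(env["HOME"], "Maildir")
    extension = env.get("EXTENSION", "")
    if not SAFE_EXTENSION.fullmatch(extension):
        # Missing or unsafe extension: deliver to the inbox instead of
        # building a path from attacker-chosen text.
        return inbox
    return os.path.join(inbox, "." + extension)


def deliver(env, message, now=None, pid=None):
    """Write the message to tmp/, then rename it into new/; return the final path."""
    folder = target_maildir(env)
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(folder, sub), mode=0o700, exist_ok=True)
    name = "%d.%d.local" % (now or time.time(), pid or os.getpid())
    tmp_path = os.path.join(folder, "tmp", name)
    # "x" refuses to overwrite an existing file.
    with open(tmp_path, "xb") as handle:
        handle.write(message)
        handle.flush()
        os.fsync(handle.fileno())
    final_path = os.path.join(folder, "new", name)
    os.rename(tmp_path, final_path)
    return final_path


if __name__ == "__main__":
    # Runs with the recipient's user ID and primary group ID, so everything
    # written here is owned by the recipient.
    try:
        deliver(os.environ, sys.stdin.buffer.read())
    except (OSError, KeyError):
        sys.exit(EX_TEMPFAIL)
```
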
3897

mailbox_command_maps (default: empty)

3899       Optional lookup tables with per-recipient external commands to use  for
3900       local(8) mailbox delivery.  Behavior is as with mailbox_command.
3901
3902       The  precedence  of  local(8)  delivery  features  from high to low is:
3903       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3904       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
3905       tory, fallback_transport_maps, fallback_transport and luser_relay.
3906
3907       Specify zero or more "type:name" lookup tables, separated by whitespace
3908       or  comma. Tables will be searched in the specified order until a match
3909       is found.
3910

mailbox_delivery_lock (default: see postconf -d output)

3912       How to lock a UNIX-style local(8) mailbox before  attempting  delivery.
3913       For  a  list  of  available file locking methods, use the "postconf -l"
3914       command.
3915
3916       This setting is ignored with maildir style delivery, because  such  de‐
3917       liveries are safe without explicit locks.
3918
3919       Note:  The  dotlock  method  requires that the recipient UID or GID has
3920       write access to the parent directory of the mailbox file.
3921
3922       Note: the default setting of this parameter is system dependent.
3923

mailbox_size_limit (default: 51200000)

3925       The maximal size of any local(8) individual mailbox or maildir file, or
3926       zero  (no  limit).   In  fact, this limits the size of any file that is
3927       written to upon local delivery, including  files  written  by  external
3928       commands  that  are  executed by the local(8) delivery agent. The value
3929       cannot exceed LONG_MAX (typically, a 32-bit or 64-bit signed integer).
3930
3931       This limit must not be smaller than the message size limit.
3932

mailbox_transport (default: empty)

       Optional message delivery transport that the local(8) delivery agent
       should use for mailbox delivery to all local recipients, whether or not
       they are found in the UNIX passwd database.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

mailbox_transport_maps (default: empty)

       Optional lookup tables with per-recipient message delivery transports
       to use for local(8) mailbox delivery, whether or not the recipients are
       found in the UNIX passwd database.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.3 and later.

maillog_file (default: empty)

       The name of an optional logfile that is written by the Postfix
       postlogd(8) service. An empty value selects logging to syslogd(8).
       Specify "/dev/stdout" to select logging to standard output. Stdout
       logging requires that Postfix is started with "postfix start-fg".

       Note 1: The maillog_file parameter value must contain a prefix that is
       specified with the maillog_file_prefixes parameter.

       Note 2: Some Postfix non-daemon programs may still log information to
       syslogd(8), before they have processed their configuration parameters
       and command-line options.

       This feature is available in Postfix 3.4 and later.

maillog_file_compressor (default: gzip)

       The program to run after rotating $maillog_file with "postfix
       logrotate". The command is run with the rotated logfile name as its
       first argument.

       This feature is available in Postfix 3.4 and later.

maillog_file_prefixes (default: /var, /dev/stdout)

       A list of allowed prefixes for a maillog_file value. This is a safety
       feature to contain the damage from a single configuration mistake.
       Specify one or more prefix strings, separated by comma or whitespace.

       This feature is available in Postfix 3.4 and later.

maillog_file_rotate_suffix (default: %Y%m%d-%H%M%S)

       The format of the suffix to append to $maillog_file while rotating the
       file with "postfix logrotate". See strftime(3) for syntax. The default
       suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.

       This feature is available in Postfix 3.4 and later.

mailq_path (default: see postconf -d output)

       Sendmail compatibility feature that specifies where the Postfix
       mailq(1) command is installed. This command can be used to list the
       Postfix mail queue.

manpage_directory (default: see postconf -d output)

       Where the Postfix manual pages are installed.

maps_rbl_domains (default: empty)

       Obsolete feature: use the reject_rbl_client feature instead.

maps_rbl_reject_code (default: 554)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is blocked by the reject_rbl_client,
       reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
       or reject_rhsbl_recipient restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

masquerade_classes (default: envelope_sender, header_sender, header_recipient)

       What addresses are subject to address masquerading.

       By default, address masquerading is limited to envelope sender
       addresses, and to header sender and header recipient addresses. This
       allows you to use address masquerading on a mail gateway while still
       being able to forward mail to users on individual machines.

       Specify zero or more of: envelope_sender, envelope_recipient,
       header_sender, header_recipient

masquerade_domains (default: empty)

       Optional list of domains whose subdomain structure will be stripped off
       in email addresses.

       The list is processed left to right, and processing stops at the first
       match. Thus,

           masquerade_domains = foo.example.com example.com

       strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
       strips "user@any.thing.else.example.com" to "user@example.com".

       A domain name prefixed with ! means do not masquerade this domain or
       its subdomains. Thus,

           masquerade_domains = !foo.example.com example.com

       does not change "user@any.thing.foo.example.com" or
       "user@foo.example.com", but strips "user@any.thing.else.example.com"
       to "user@example.com".

       Note: with Postfix version 2.2, message header address masquerading
       happens only when message header address rewriting is enabled:

       •      The message is received with the Postfix sendmail(1) command,

       •      The message is received from a network client that matches
              $local_header_rewrite_clients,

       •      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       masquerade_domains = $mydomain

masquerade_exceptions (default: empty)

       Optional list of user names that are not subjected to address
       masquerading, even when their addresses match $masquerade_domains.

       By default, address masquerading makes no exceptions.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace. Specify
       "!pattern" to exclude a name from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       Examples:

       masquerade_exceptions = root, mailer-daemon
       masquerade_exceptions = root
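
       The first-match rules of masquerade_domains and masquerade_exceptions,
       modelled as an added example (not Postfix code). It handles plain names
       only; case-insensitive comparison, comma splitting for
       masquerade_domains, and the helper names are assumptions of the sketch.

```python
import re


def parse_list(value):
    """Split a main.cf list value on commas and/or whitespace, keeping order."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def first_match(entries, matches):
    """Return (name, negated) for the first entry that matches, else None.

    Mirrors the documented rule: the list is processed left to right and
    processing stops at the first match; "!name" marks a negated entry.
    """
    for entry in entries:
        negated = entry.startswith("!")
        name = (entry[1:] if negated else entry).lower()
        if name and matches(name):
            return name, negated
    return None


def masquerade(address, masquerade_domains, masquerade_exceptions=""):
    """Return the address after applying the documented masquerading rules.

    "/file/name" and "type:table" patterns are not handled by this sketch.
    """
    local, at, domain = address.rpartition("@")
    if not at:
        return address                      # no domain part to rewrite

    # masquerade_exceptions: a listed user name is never rewritten.
    hit = first_match(parse_list(masquerade_exceptions),
                      lambda name: name == local.lower())
    if hit and not hit[1]:
        return address

    # masquerade_domains: match the domain itself or any of its subdomains.
    dom = domain.lower()
    hit = first_match(parse_list(masquerade_domains),
                      lambda name: dom == name or dom.endswith("." + name))
    if hit is None or hit[1]:
        return address                      # no match, or "!domain" matched
    return local + "@" + domain[len(domain) - len(hit[0]):]


if __name__ == "__main__":
    # Settings taken from the examples in the text, plus one reordered list.
    for setting in ("foo.example.com example.com",
                    "!foo.example.com example.com",
                    "example.com !foo.example.com"):
        for addr in ("user@any.thing.foo.example.com",
                     "user@any.thing.else.example.com"):
            print(f"{setting!r:35} {addr} -> {masquerade(addr, setting)}")
```

       With the reordered list "example.com !foo.example.com" the negated
       entry is never reached, so foo.example.com addresses are masqueraded.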

master_service_disable (default: empty)

       Selectively disable master(8) listener ports by service type or by
       service name and type. Specify a list of service types ("inet", "unix",
       "fifo", or "pass") or "name/type" tuples, where "name" is the first
       field of a master.cf entry and "type" is a service type. As with other
       Postfix matchlists, a search stops at the first match. Specify
       "!pattern" to exclude a service from the list. By default, all
       master(8) listener ports are enabled.

       Note: this feature does not support "/file/name" or "type:table"
       patterns, nor does it support wildcards such as "*" or "all". This is
       intentional.

       Examples:

       # With Postfix 2.6..2.10 use '.' instead of '/'.
       # Turn on all master(8) listener ports (the default).
       master_service_disable =
       # Turn off only the main SMTP listener port.
       master_service_disable = smtp/inet
       # Turn off all TCP/IP listener ports.
       master_service_disable = inet
       # Turn off all TCP/IP listener ports except "foo".
       master_service_disable = !foo/inet, inet

       This feature is available in Postfix 2.6 and later.

max_idle (default: 100s)

       The maximum amount of time that an idle Postfix daemon process waits
       for an incoming connection before terminating voluntarily. This
       parameter is ignored by the Postfix queue manager and by other
       long-lived Postfix daemon processes.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

max_use (default: 100)

       The maximal number of incoming connections that a Postfix daemon
       process will service before terminating voluntarily. This parameter is
       ignored by the Postfix queue manager and by other long-lived Postfix
       daemon processes.

maximal_backoff_time (default: 4000s)

       The maximal time between attempts to deliver a deferred message.

       This parameter should be set to a value greater than or equal to
       $minimal_backoff_time. See also $queue_run_delay.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

maximal_queue_lifetime (default: 5d)

       Consider a message as undeliverable, when delivery fails with a
       temporary error, and the time in the queue has reached the
       maximal_queue_lifetime limit.

       Specify a non-negative time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is d (days).

       Specify 0 when mail delivery should be tried only once.

message_drop_headers (default: bcc, content-length, resent-bcc, return-path)

       Names of message headers that the cleanup(8) daemon will remove after
       applying header_checks(5) and before invoking Milter applications. The
       default setting is compatible with Postfix < 3.0.

       Specify a list of header names, separated by comma or space. Names are
       matched in a case-insensitive manner. The list of supported header
       names is limited only by available memory.

       This feature is available in Postfix 3.0 and later.

message_reject_characters (default: empty)

       The set of characters that Postfix will reject in message content. The
       usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
       (up to three octal digits) and \\.

       Note 1: this feature does not recognize text that requires MIME
       decoding. It inspects raw message content, just like header_checks and
       body_checks.

       Note 2: this feature is disabled with "receive_override_options =
       no_header_body_checks".

       Example:

       message_reject_characters = \0

       This feature is available in Postfix 2.3 and later.

message_size_limit (default: 10240000)

       The maximal size in bytes of a message, including envelope information.
       The value cannot exceed LONG_MAX (typically, a 32-bit or 64-bit signed
       integer).

       Note: be careful when making changes. Excessively small values will
       result in the loss of non-delivery notifications, when a bounce message
       size exceeds the local or remote MTA's message size limit.

message_strip_characters (default: empty)

       The set of characters that Postfix will remove from message content.
       The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
       \ddd (up to three octal digits) and \\.

       Note 1: this feature does not recognize text that requires MIME
       decoding. It inspects raw message content, just like header_checks and
       body_checks.

       Note 2: this feature is disabled with "receive_override_options =
       no_header_body_checks".

       Example:

       message_strip_characters = \0

       This feature is available in Postfix 2.3 and later.

meta_directory (default: see 'postconf -d' output)

       The location of non-executable files that are shared among multiple
       Postfix instances, such as postfix-files, dynamicmaps.cf, and the
       multi-instance template files main.cf.proto and master.cf.proto. This
       directory should contain only Postfix-related files. Typically, the
       meta_directory parameter has the same default as the config_directory
       parameter (/etc/postfix or /usr/local/etc/postfix).

       For backwards compatibility with Postfix versions 2.6..2.11, specify
       "meta_directory = $daemon_directory" in main.cf before installing or
       upgrading Postfix, or specify "meta_directory = /path/name" on the
       "make makefiles", "make install" or "make upgrade" command line.

       This feature is available in Postfix 3.0 and later.

milter_command_timeout (default: 30s)

       The time limit for sending an SMTP command to a Milter (mail filter)
       application, and for receiving the response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.

milter_connect_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after
       completion of an SMTP connection. See MILTER_README for a list of
       available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.

milter_connect_timeout (default: 30s)

       The time limit for connecting to a Milter (mail filter) application,
       and for negotiating protocol options.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.

milter_content_timeout (default: 300s)

       The time limit for sending message content to a Milter (mail filter)
       application, and for receiving the response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.

milter_data_macros (default: see postconf -d output)

       The macros that are sent to version 4 or higher Milter (mail filter)
       applications after the SMTP DATA command. See MILTER_README for a list
       of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.

milter_default_action (default: tempfail)

       The default action when a Milter (mail filter) response is unavailable
       (for example, bad Postfix configuration or Milter failure). Specify one
       of the following:

       accept Proceed as if the mail filter was not present.

       reject Reject all further commands in this session with a permanent
              status code.

       tempfail
              Reject all further commands in this session with a temporary
              status code.

       quarantine
              Like "accept", but freeze the message in the "hold" queue.
              Available with Postfix 2.6 and later.

       This feature is available in Postfix 2.3 and later.

milter_end_of_data_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       message end-of-data. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.

milter_end_of_header_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       end of the message header. See MILTER_README for a list of available
       macro names and their meanings.

       This feature is available in Postfix 2.5 and later.

milter_header_checks (default: empty)

       Optional lookup tables for content inspection of message headers that
       are produced by Milter applications. See the header_checks(5) manual
       page for available actions. Currently, PREPEND is not implemented.

       The following example sends all mail that is marked as SPAM to a spam
       handling machine. Note that matches are case-insensitive by default.

       /etc/postfix/main.cf:
           milter_header_checks = pcre:/etc/postfix/milter_header_checks

       /etc/postfix/milter_header_checks:
           /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25

       The milter_header_checks mechanism could also be used for allowlisting.
       For example it could be used to skip heavy content inspection for
       DKIM-signed mail from known friendly domains.

       This feature is available in Postfix 2.7, and as an optional patch for
       Postfix 2.6.

milter_helo_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP HELO or EHLO command. See MILTER_README for a list of available
       macro names and their meanings.

       This feature is available in Postfix 2.3 and later.

milter_macro_daemon_name (default: $myhostname)

       The {daemon_name} macro value for Milter (mail filter) applications.
       See MILTER_README for a list of available macro names and their
       meanings.

       This feature is available in Postfix 2.3 and later.

milter_macro_defaults (default: empty)

       Optional list of name=value pairs that specify default values for
       arbitrary macros that Postfix may send to Milter applications. These
       defaults are used when there is no corresponding information from the
       message delivery context.

       Specify name=value or {name=value} pairs separated by comma or
       whitespace. Enclose a pair in "{}" when a value contains comma or
       whitespace (this form ignores whitespace after the enclosing "{",
       around the "=", and before the enclosing "}").

       This feature is available in Postfix 3.1 and later.

milter_macro_v (default: $mail_name $mail_version)

       The {v} macro value for Milter (mail filter) applications. See
       MILTER_README for a list of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.

milter_mail_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP MAIL FROM command. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.

milter_protocol (default: 6)

       The mail filter protocol version and optional protocol extensions for
       communication with a Milter application; prior to Postfix 2.6 the
       default protocol is 2. Postfix sends this version number during the
       initial protocol handshake. It should match the version number that is
       expected by the mail filter application (or by its Milter library).

       Protocol versions:

       2      Use Sendmail 8 mail filter protocol version 2 (default with
              Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).

       3      Use Sendmail 8 mail filter protocol version 3.

       4      Use Sendmail 8 mail filter protocol version 4.

       6      Use Sendmail 8 mail filter protocol version 6 (default with
              Sendmail version 8.14 and Postfix version 2.6).

       Protocol extensions:

       no_header_reply
              Specify this when the Milter application will not reply for each
              individual message header.

       This feature is available in Postfix 2.3 and later.

milter_rcpt_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP RCPT TO command. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.

milter_unknown_command_macros (default: see postconf -d output)

       The macros that are sent to version 3 or higher Milter (mail filter)
       applications after an unknown SMTP command. See MILTER_README for a
       list of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.

mime_boundary_length_limit (default: 2048)

       The maximal length of MIME multipart boundary strings. The MIME
       processor is unable to distinguish between boundary strings that do not
       differ in the first $mime_boundary_length_limit characters.

       This feature is available in Postfix 2.0 and later.

mime_header_checks (default: $header_checks)

       Optional lookup tables for content inspection of MIME related message
       headers, as described in the header_checks(5) manual page.

       This feature is available in Postfix 2.0 and later.

mime_nesting_limit (default: 100)

       The maximal recursion level that the MIME processor will handle.
       Postfix refuses mail that is nested deeper than the specified limit.

       This feature is available in Postfix 2.0 and later.

minimal_backoff_time (default: 300s)

       The minimal time between attempts to deliver a deferred message; prior
       to Postfix 2.4 the default value was 1000s.

       This parameter also limits the time an unreachable destination is kept
       in the short-term, in-memory, destination status cache.

       This parameter should be set greater than or equal to $queue_run_delay.
       See also $maximal_backoff_time.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

multi_instance_directories (default: empty)

       An optional list of non-default Postfix configuration directories;
       these directories belong to additional Postfix instances that share the
       Postfix executable files and documentation with the default Postfix
       instance, and that are started, stopped, etc., together with the
       default Postfix instance. Specify a list of pathnames separated by
       comma or whitespace.

       When $multi_instance_directories is empty, the postfix(1) command runs
       in single-instance mode and operates on a single Postfix instance only.
       Otherwise, the postfix(1) command runs in multi-instance mode and
       invokes the multi-instance manager specified with the
       multi_instance_wrapper parameter. The multi-instance manager in turn
       executes postfix(1) commands for the default instance and for all
       Postfix instances in $multi_instance_directories.

       Currently, this parameter setting is ignored except for the default
       main.cf file.

       This feature is available in Postfix 2.6 and later.

multi_instance_enable (default: no)

       Allow this Postfix instance to be started, stopped, etc., by a
       multi-instance manager. By default, new instances are created in a
       safe state that prevents them from being started inadvertently. This
       parameter is reserved for the multi-instance manager.

       This feature is available in Postfix 2.6 and later.

multi_instance_group (default: empty)

       The optional instance group name of this Postfix instance. A group
       identifies closely-related Postfix instances that the multi-instance
       manager can start, stop, etc., as a unit. This parameter is reserved
       for the multi-instance manager.

       This feature is available in Postfix 2.6 and later.

multi_instance_name (default: empty)

       The optional instance name of this Postfix instance. This name also
       becomes the default value for the syslog_name parameter.

       This feature is available in Postfix 2.6 and later.

multi_instance_wrapper (default: empty)

       The pathname of a multi-instance manager command that the postfix(1)
       command invokes when the multi_instance_directories parameter value is
       non-empty. The pathname may be followed by initial command arguments
       separated by whitespace; shell metacharacters such as quotes are not
       supported in this context.

       The postfix(1) command invokes the manager command with the postfix(1)
       non-option command arguments on the manager command line, and with all
       installation configuration parameters exported into the manager command
       process environment. The manager command in turn invokes the postfix(1)
       command for individual Postfix instances as "postfix -c
       config_directory command".

       This feature is available in Postfix 2.6 and later.

multi_recipient_bounce_reject_code (default: 550)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is blocked by the reject_multi_recipient_bounce
       restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.1 and later.

mydestination (default: $myhostname, localhost.$mydomain, localhost)

       The list of domains that are delivered via the $local_transport mail
       delivery transport. By default this is the Postfix local(8) delivery
       agent which looks up all recipients in /etc/passwd and /etc/aliases.
       The SMTP server validates recipient addresses with
       $local_recipient_maps and rejects non-existent recipients. See also the
       local domain class in the ADDRESS_CLASS_README file.

       The default mydestination value specifies names for the local machine
       only. On a mail domain gateway, you should also include $mydomain.

       The $local_transport delivery method is also selected for mail
       addressed to user@[the.net.work.address] of the mail system (the IP
       addresses specified with the inet_interfaces and proxy_interfaces
       parameters).

       Warnings:

       •      Do not specify the names of virtual domains - those domains are
              specified elsewhere. See VIRTUAL_README for more information.

       •      Do not specify the names of domains that this machine is backup
              MX host for. See STANDARD_CONFIGURATION_README for how to set up
              backup MX hosts.

       •      By default, the Postfix SMTP server rejects mail for recipients
              not listed with the local_recipient_maps parameter. See the
              postconf(5) manual for a description of the local_recipient_maps
              and unknown_local_recipient_reject_code parameters.

       Specify a list of host or domain names, "/file/name" or "type:table"
       patterns, separated by commas and/or whitespace. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace.

       Examples:

       mydestination = $myhostname, localhost.$mydomain $mydomain
       mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain

mydomain (default: see postconf -d output)

       The internet domain name of this mail system. The default is to use
       $myhostname minus the first component, or "localdomain" (Postfix 2.3
       and later). $mydomain is used as a default value for many other
       configuration parameters.

       Example:

       mydomain = domain.tld

myhostname (default: see postconf -d output)

       The internet hostname of this mail system. The default is to use the
       fully-qualified domain name (FQDN) from gethostname(), or to use the
       non-FQDN result from gethostname() and append ".$mydomain". $myhostname
       is used as a default value for many other configuration parameters.

       Example:

       myhostname = host.example.com

mynetworks (default: see postconf -d output)

4577       The  list  of  "trusted"  remote SMTP clients that have more privileges
4578       than "strangers".
4579
4580       In particular, "trusted" SMTP clients are allowed to relay mail through
4581       Postfix.  See the smtpd_relay_restrictions parameter description in the
4582       postconf(5) manual.
4583
4584       You can specify the list of "trusted" network addresses by hand or  you
4585       can let Postfix do it for you (which is the default).  See the descrip‐
4586       tion of the mynetworks_style parameter for more information.
4587
4588       If you specify the mynetworks list by hand, Postfix ignores the  mynet‐
4589       works_style setting.
4590
4591       Specify  a list of network addresses or network/netmask patterns, sepa‐
4592       rated by commas and/or whitespace. Continue long lines by starting  the
4593       next line with whitespace.
4594
4595       The  netmask specifies the number of bits in the network part of a host
4596       address.  You can also specify "/file/name" or  "type:table"  patterns.
4597       A  "/file/name"  pattern  is  replaced  by its contents; a "type:table"
4598       lookup table is matched when a table entry matches a lookup string (the
4599       lookup result is ignored).
4600
4601       The  list  is  matched left to right, and the search stops on the first
4602       match.  Specify "!pattern" to exclude an address or network block  from
4603       the  list.  The form "!/file/name" is supported only in Postfix version
4604       2.4 and later.
4605
4606       Note 1: Pattern matching of domain names is controlled by the  presence
4607       or  absence of "mynetworks" in the parent_domain_matches_subdomains pa‐
4608       rameter value.
4609
4610       Note 2: IP version 6 address information must be specified inside [] in
4611       the  mynetworks  value,  and  in files specified with "/file/name".  IP
4612       version 6 addresses contain the ":" character, and would  otherwise  be
4613       confused with a "type:table" pattern.
4614
4615       Note  3:  CIDR ranges cannot be specified in hash tables.  Use cidr ta‐
4616       bles if CIDR ranges are used.
4617
4618       Examples:
4619
       mynetworks = 127.0.0.0/8 168.100.189.0/28
       mynetworks = !192.168.0.1, 192.168.0.0/28
       mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
       mynetworks = $config_directory/mynetworks
       mynetworks = hash:/etc/postfix/network_table
       mynetworks = cidr:/etc/postfix/network_table.cidr
4626
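       The left-to-right, first-match rule and the "!pattern" exclusion decide which clients may relay, so the order of entries matters. The sketch below is an added example, not Postfix code: it models only literal address and network patterns (no "/file/name" or "type:table" entries), and the function names are hypothetical.

```python
import ipaddress


def parse_mynetworks(value):
    """Split a mynetworks value into ordered (negated, network) pairs."""
    patterns = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        if negated:
            token = token[1:]
        # Assumption of this sketch: file and lookup-table patterns are refused.
        if token.startswith("/") or (":" in token and not token.startswith("[")):
            raise ValueError("pattern type not modelled: " + token)
        # IPv6 is written as [address]/length so it is not read as type:table.
        if token.startswith("["):
            addr, _, rest = token[1:].partition("]")
            token = addr + rest
        # strict parsing rejects host bits set in the network part (likely typo).
        patterns.append((negated, ipaddress.ip_network(token)))
    return patterns


def is_trusted(client_ip, value):
    """First matching pattern wins; a '!' match means 'not trusted'."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in parse_mynetworks(value):
        if addr.version == net.version and addr in net:
            return not negated
    return False  # no pattern matched: the client is a "stranger"


def shadowed_exclusions(value):
    """Return '!pattern' entries that can never match because an earlier
    positive pattern already covers them."""
    earlier, dead = [], []
    for negated, net in parse_mynetworks(value):
        if negated and any(
            net.version == e.version and net.subnet_of(e) for e in earlier
        ):
            dead.append(str(net))
        if not negated:
            earlier.append(net)
    return dead


if __name__ == "__main__":
    good = "!192.168.0.1, 192.168.0.0/28"   # from the examples above
    bad = "192.168.0.0/28, !192.168.0.1"    # constructed: same entries, reversed
    for value in (good, bad):
        print(value)
        print("  192.168.0.1 trusted:", is_trusted("192.168.0.1", value))
        print("  192.168.0.2 trusted:", is_trusted("192.168.0.2", value))
        print("  exclusions that never fire:", shadowed_exclusions(value))
```

       With the exclusion listed after the network it is never reached, and 192.168.0.1 is trusted for relaying.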

mynetworks_style (default: Postfix >= 3.0: host, Postfix < 3.0: subnet)

4628       The method to generate the default value for the mynetworks  parameter.
4629       This is the list of trusted networks for relay access control etc.
4630
4631       •      Specify  "mynetworks_style  =  host" when Postfix should "trust"
4632              only the local machine.
4633
4634       •      Specify "mynetworks_style = subnet" when Postfix should  "trust"
4635              remote  SMTP clients in the same IP subnetworks as the local ma‐
4636              chine.  On Linux, this  works  correctly  only  with  interfaces
4637              specified with the "ifconfig" or "ip" command.
4638
4639       •      Specify  "mynetworks_style  = class" when Postfix should "trust"
4640              remote SMTP clients in the same IP class A/B/C networks  as  the
4641              local  machine.  Caution: this may cause Postfix to "trust" your
4642              entire provider's network.  Instead, specify an explicit  mynet‐
4643              works  list by hand, as described with the mynetworks configura‐
4644              tion parameter.
4645
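       To see how far each mynetworks_style value extends relay trust, the following added example (not Postfix code) computes the network that a single IPv4 interface would contribute under each style. The interface and client addresses are constructed documentation addresses, the function names are hypothetical, and loopback and IPv6 are not modelled.

```python
import ipaddress


def trusted_network(interface, style):
    """Network contributed by one IPv4 interface ("address/prefixlen")
    under the given mynetworks_style value."""
    iface = ipaddress.ip_interface(interface)
    if iface.version != 4:
        raise ValueError("class A/B/C networks are an IPv4 concept")
    if style == "host":
        return ipaddress.ip_network(iface.ip)      # the machine itself, /32
    if style == "subnet":
        return iface.network                       # the configured subnet
    if style == "class":
        first_octet = iface.ip.packed[0]
        if first_octet < 128:
            prefix = 8                             # class A
        elif first_octet < 192:
            prefix = 16                            # class B
        elif first_octet < 224:
            prefix = 24                            # class C
        else:
            raise ValueError("not a class A/B/C address")
        return ipaddress.ip_network(f"{iface.ip}/{prefix}", strict=False)
    raise ValueError("unknown mynetworks_style: " + style)


def trusted_clients(interface, style, clients):
    """Subset of clients that would be "trusted" under this style."""
    net = trusted_network(interface, style)
    return [c for c in clients if ipaddress.ip_address(c) in net]


# Constructed scenario: a mail host on a /28 carved out of a provider's /24.
INTERFACE = "198.51.100.10/28"
CLIENTS = [
    "198.51.100.10",    # the mail host itself
    "198.51.100.12",    # another machine on the same /28
    "198.51.100.200",   # a different customer inside the provider's /24
    "203.0.113.5",      # unrelated host
]

if __name__ == "__main__":
    for style in ("host", "subnet", "class"):
        net = trusted_network(INTERFACE, style)
        print(f"{style:7} {str(net):18} {net.num_addresses:>9} addresses",
              trusted_clients(INTERFACE, style, CLIENTS))
```

       Under "class" the host at 198.51.100.200, which belongs to someone else, becomes a permitted relay client; for an address in class A space the trusted range grows to a /8.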

myorigin (default: $myhostname)

4647       The domain name that locally-posted mail appears to come from, and that
4648       locally  posted mail is delivered to. The default, $myhostname, is ade‐
4649       quate for small sites.  If you run a domain with multiple machines, you
4650       should  (1) change this to $mydomain and (2) set up a domain-wide alias
4651       database that aliases each user to user@that.users.mailhost.
4652
4653       Example:
4654
       myorigin = $mydomain
4656

nested_header_checks (default: $header_checks)

4658       Optional lookup tables for content inspection of non-MIME message head‐
4659       ers  in  attached messages, as described in the header_checks(5) manual
4660       page.
4661
4662       This feature is available in Postfix 2.0 and later.
4663

newaliases_path (default: see postconf -d output)

4665       Sendmail compatibility feature  that  specifies  the  location  of  the
4666       newaliases(1) command. This command can be used to rebuild the local(8)
4667       aliases(5) database.
4668

non_fqdn_reject_code (default: 504)

4670       The numerical Postfix SMTP server reply code when a client  request  is
4671       rejected  by  the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
4672       or reject_non_fqdn_recipient restriction.
4673

non_smtpd_milters (default: empty)

4675       A list of Milter (mail filter) applications for new mail that does  not
4676       arrive  via the Postfix smtpd(8) server. This includes local submission
4677       via the sendmail(1) command line, new mail that arrives via the Postfix
4678       qmqpd(8)  server,  and old mail that is re-injected into the queue with
4679       "postsuper -r".  Specify space or comma as a separator.  See  the  MIL‐
4680       TER_README document for details.
4681
4682       This feature is available in Postfix 2.3 and later.
4683

notify_classes (default: resource, software)

4685       The  list  of  error classes that are reported to the postmaster. These
4686       postmaster notifications do not replace user notifications. The default
4687       is  to  report only the most serious problems. The paranoid may wish to
4688       turn on the policy (UCE and mail relaying) and protocol  error  (broken
4689       mail software) reports.
4690
4691       NOTE:  postmaster  notifications  may  contain confidential information
4692       such as SASL passwords or message content.  It is the  system  adminis‐
4693       trator's responsibility to treat such information with care.
4694
4695       The error classes are:
4696
4697       bounce (also implies 2bounce)
4698              Send  the  postmaster copies of the headers of bounced mail, and
4699              send transcripts of SMTP sessions when Postfix rejects mail. The
4700              notification   is   sent  to  the  address  specified  with  the
4701              bounce_notice_recipient configuration parameter (default:  post‐
4702              master).
4703
4704       2bounce
4705              Send undeliverable bounced mail to the postmaster. The notifica‐
4706              tion is sent to  the  address  specified  with  the  2bounce_no‐
4707              tice_recipient configuration parameter (default: postmaster).
4708
4709       data   Send the postmaster a transcript of the SMTP session with an er‐
4710              ror because a critical data file was unavailable. The  notifica‐
4711              tion  is sent to the address specified with the error_notice_re‐
4712              cipient configuration parameter (default: postmaster).
4713              This feature is available in Postfix 2.9 and later.
4714
4715       delay  Send the postmaster copies of the headers of delayed  mail  (see
4716              delay_warning_time).  The  notification  is  sent to the address
4717              specified with the delay_notice_recipient configuration  parame‐
4718              ter (default: postmaster).
4719
4720       policy Send  the  postmaster  a  transcript  of the SMTP session when a
4721              client request was rejected because of (UCE) policy. The notifi‐
4722              cation  is  sent  to  the  address  specified with the error_no‐
4723              tice_recipient configuration parameter (default: postmaster).
4724
4725       protocol
4726              Send the postmaster a transcript of the SMTP session in case  of
4727              client  or  server  protocol errors. The notification is sent to
4728              the address specified with the error_notice_recipient configura‐
4729              tion parameter (default: postmaster).
4730
4731       resource
4732              Inform  the  postmaster  of  mail  not delivered due to resource
4733              problems.  The notification is sent  to  the  address  specified
4734              with  the  error_notice_recipient  configuration  parameter (de‐
4735              fault: postmaster).
4736
4737       software
4738              Inform the postmaster of mail  not  delivered  due  to  software
4739              problems.   The  notification  is  sent to the address specified
4740              with the  error_notice_recipient  configuration  parameter  (de‐
4741              fault: postmaster).
4742
4743       Examples:
4744
       notify_classes = bounce, delay, policy, protocol, resource, software
       notify_classes = 2bounce, resource, software
4747

openssl_path (default: openssl)

4749       The  location  of the OpenSSL command line program openssl(1).  This is
4750       used by the "postfix tls" command to create private  keys,  certificate
4751       signing  requests,  self-signed certificates, and to compute public key
4752       digests for DANE TLSA records.  In  multi-instance  environments,  this
4753       parameter  is  always  determined from the configuration of the default
4754       Postfix instance.
4755
4756       Example:
4757
           /etc/postfix/main.cf:
               # NetBSD pkgsrc:
               openssl_path = /usr/pkg/bin/openssl
               # Local build:
               openssl_path = /usr/local/bin/openssl
4763
4764       This feature is available in Postfix 3.1 and later.
4765

owner_request_special (default: yes)

4767       Enable special treatment for owner-listname entries in  the  aliases(5)
4768       file,  and  don't split owner-listname and listname-request address lo‐
4769       calparts when the recipient_delimiter is set to "-".  This  feature  is
4770       useful for mailing lists.
4771

parent_domain_matches_subdomains (default: see postconf -d output)

4773       A list of Postfix features where the pattern "example.com" also matches
4774       subdomains of example.com, instead of  requiring  an  explicit  ".exam‐
4775       ple.com"  pattern.   This  is planned backwards compatibility:  eventu‐
4776       ally, all Postfix features are expected  to  require  explicit  ".exam‐
4777       ple.com" style patterns when you really want to match subdomains.
4778
4779       The following Postfix feature names are supported.
4780
4781       Postfix version 1.0 and later
4782              debug_peer_list,     fast_flush_domains,     mynetworks,    per‐
4783              mit_mx_backup_networks, relay_domains, transport_maps
4784
4785       Postfix version 1.1 and later
4786              qmqpd_authorized_clients, smtpd_access_maps,
4787
4788       Postfix version 2.8 and later
4789              postscreen_access_list
4790
4791       Postfix version 3.0 and later
4792              smtpd_client_event_limit_exceptions
4793

permit_mx_backup_networks (default: empty)

4795       Restrict the use of the permit_mx_backup SMTP access  feature  to  only
4796       domains  whose primary MX hosts match the listed networks.  The parame‐
4797       ter value syntax is the same as with the  mynetworks  parameter;  note,
4798       however, that the default value is empty.
4799
4800       Pattern  matching  of domain names is controlled by the presence or ab‐
4801       sence of "permit_mx_backup_networks" in the  parent_domain_matches_sub‐
4802       domains parameter value.
4803

pickup_service_name (default: pickup)

4805       The  name  of  the  pickup(8) service. This service picks up local mail
4806       submissions from the Postfix maildrop queue.
4807
4808       This feature is available in Postfix 2.0 and later.
4809

pipe_delivery_status_filter (default: $default_delivery_status_filter)

4811       Optional filter for the pipe(8) delivery agent to change  the  delivery
4812       status  code or explanatory text of successful or unsuccessful deliver‐
4813       ies.  See default_delivery_status_filter for details.
4814
4815       This feature is available in Postfix 3.0 and later.
4816

plaintext_reject_code (default: 450)

4818       The numerical Postfix SMTP server response code when a request  is  re‐
4819       jected by the reject_plaintext_session restriction.
4820
4821       This feature is available in Postfix 2.3 and later.
4822

postlog_service_name (default: postlog)

4824       The  name  of the postlogd(8) service entry in master.cf.  This service
4825       appends logfile records to the file specified with the maillog_file pa‐
4826       rameter.
4827
4828       This feature is available in Postfix 3.4 and later.
4829

postlogd_watchdog_timeout (default: 10s)

4831       How  much  time a postlogd(8) process may take to process a request be‐
4832       fore it is terminated by a built-in watchdog timer. This  is  a  safety
4833       mechanism that prevents postlogd(8) from becoming non-responsive due to
4834       a bug in Postfix itself or in system software. This limit cannot be set
4835       under 10s.
4836
4837       Specify  a  non-zero  time  value  (an  integral value plus an optional
4838       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4839       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
4840       unit is s (seconds).
4841
4842       This feature is available in Postfix 3.4 and later.
4843

postmulti_control_commands (default: reload flush)

4845       The postfix(1) commands that the postmulti(1) instance  manager  treats
4846       as  "control"  commands,  that  operate on running instances. For these
4847       commands, disabled instances are skipped.
4848
4849       This feature is available in Postfix 2.6 and later.
4850

postmulti_start_commands (default: start)

4852       The postfix(1) commands that the postmulti(1) instance  manager  treats
4853       as  "start"  commands.  For  these  commands,  disabled  instances  are
4854       "checked" rather than "started", and failure to "start"  a  member  in‐
4855       stance of an instance group will abort the start-up of later instances.
4856
4857       This feature is available in Postfix 2.6 and later.
4858

postmulti_stop_commands (default: see postconf -d output)

4860       The  postfix(1)  commands that the postmulti(1) instance manager treats
4861       as "stop" commands. For these commands, disabled instances are skipped,
4862       and enabled instances are processed in reverse order.
4863
4864       This feature is available in Postfix 2.6 and later.
4865

postscreen_access_list (default: permit_mynetworks)

4867       Permanent   allow/denylist   for   remote  SMTP  client  IP  addresses.
4868       postscreen(8) searches this list immediately after a remote SMTP client
4869       connects.   Specify  a  comma- or whitespace-separated list of commands
4870       (in upper or lower case) or lookup tables. The search  stops  upon  the
4871       first command that fires for the client IP address.
4872
4873        permit_mynetworks
4874              Allowlist  the  client and terminate the search if the client IP
4875              address matches $mynetworks.  Do not subject the client  to  any
4876              before/after  220  greeting  tests.  Pass the connection immedi‐
4877              ately to a Postfix SMTP server process.
4878              Pattern matching of domain names is controlled by  the  presence
4879              or   absence   of  "postscreen_access_list"  in  the  parent_do‐
4880              main_matches_subdomains parameter value.
4881
4882        type:table
4883              Query the specified lookup table. Each table lookup result is an
4884              access  list,  except  that  access  lists inside a table cannot
4885              specify type:table entries.
4886              To discourage the use of hash, btree, etc. tables, there  is  no
4887              support  for  substring  matching like smtpd(8). Use CIDR tables
4888              instead.
4889
4890        permit
4891              Allowlist the client and terminate the search.  Do  not  subject
4892              the client to any before/after 220 greeting tests. Pass the con‐
4893              nection immediately to a Postfix SMTP server process.
4894
4895        reject
4896              Denylist the client and terminate the search. Subject the client
4897              to  the  action  configured  with the postscreen_denylist_action
4898              configuration parameter.
4899
4900        dunno All postscreen(8) access lists implicitly have this  command  at
4901              the end.
4902              When   dunno  is executed inside a lookup table, return from the
4903              lookup table and evaluate the next command.
4904              When  dunno  is executed outside a lookup table,  terminate  the
4905              search,  and  subject  the client to the configured before/after
4906              220 greeting tests.
4907
4908       Example:
4909
       /etc/postfix/main.cf:
           postscreen_access_list = permit_mynetworks,
               cidr:/etc/postfix/postscreen_access.cidr
           # Postfix < 3.6 use postscreen_blacklist_action.
           postscreen_denylist_action = enforce

       /etc/postfix/postscreen_access.cidr:
           # Rules are evaluated in the order as specified.
           # Denylist 192.168.* except 192.168.0.1.
           192.168.0.1         dunno
           192.168.0.0/16      reject
4921
4922       This feature is available in Postfix 2.8.
4923
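       The interaction between commands, table results and the implicit "dunno" can be traced with a small model. This is an added example, not postscreen(8) code: it handles only plain "pattern result" lines of a CIDR table, takes mynetworks as an already parsed list, and all function names and the 127.0.0.0/8 mynetworks value are assumptions.

```python
import ipaddress


def parse_cidr_table(text):
    """Ordered (network, result) rules from "pattern result" lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), result))
    return rules


def table_lookup(addr, rules):
    """Result of the first rule that matches, or None."""
    for net, result in rules:
        if addr in net:
            return result
    return None


def evaluate(client_ip, access_list, tables, mynetworks, in_table=False):
    """Return 'permit', 'reject' or 'dunno' for one client address.

    At the top level 'dunno' means: stop searching and run the configured
    before/after 220 greeting tests. Inside a table result it means: return
    to the outer list and evaluate the next command.
    """
    addr = ipaddress.ip_address(client_ip)
    for cmd in access_list.replace(",", " ").split():
        name = cmd.lower()              # commands may be upper or lower case
        if name in ("permit", "reject", "dunno"):
            return name
        if name == "permit_mynetworks":
            if any(addr in net for net in mynetworks):
                return "permit"
            continue
        if ":" in cmd:                  # type:table
            if in_table:
                raise ValueError("type:table is not allowed inside a table")
            result = table_lookup(addr, tables[cmd])
            if result is None:
                continue
            verdict = evaluate(client_ip, result, tables, mynetworks, True)
            if verdict != "dunno":
                return verdict
            continue
        raise ValueError("unknown command: " + cmd)
    return "dunno"                      # implicit dunno at the end of the list


# Values from the example above; MYNETWORKS is constructed.
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
TABLE_TEXT = """
# Denylist 192.168.* except 192.168.0.1.
192.168.0.1         dunno
192.168.0.0/16      reject
"""
TABLES = {"cidr:/etc/postfix/postscreen_access.cidr": parse_cidr_table(TABLE_TEXT)}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


def screen(client_ip, tables=TABLES):
    return evaluate(client_ip, ACCESS_LIST, tables, MYNETWORKS)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.0.1", "192.168.5.5", "203.0.113.7"):
        print(ip, "->", screen(ip))
```

       Swapping the two table rules makes the /16 "reject" fire first, so the 192.168.0.1 exception is lost.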

postscreen_allowlist_interfaces (default: static:all)

4925       A list of local postscreen(8)  server  IP  addresses  where  a  non-al‐
4926       lowlisted  remote  SMTP client can obtain postscreen(8)'s temporary al‐
4927       lowlist status. This status is required before the client can talk to a
4928       Postfix   SMTP  server  process.   By  default,  a  client  can  obtain
4929       postscreen(8)'s allowlist status on any local postscreen(8)  server  IP
4930       address.
4931
4932       When postscreen(8) listens on both primary and backup MX addresses, the
4933       postscreen_allowlist_interfaces parameter can be configured to give the
4934       temporary  allowlist status only when a client connects to a primary MX
4935       address. Once a client is allowlisted it can talk  to  a  Postfix  SMTP
4936       server on any address. Thus, clients that connect only to backup MX ad‐
4937       dresses will never become allowlisted, and will  never  be  allowed  to
4938       talk to a Postfix SMTP server process.
4939
4940       Specify  a list of network addresses or network/netmask patterns, sepa‐
4941       rated by commas and/or whitespace. The netmask specifies the number  of
4942       bits  in  the  network  part  of a host address. Continue long lines by
4943       starting the next line with whitespace.
4944
4945       You  can  also  specify  "/file/name"  or  "type:table"  patterns.    A
4946       "/file/name" pattern is replaced by its contents; a "type:table" lookup
4947       table is matched when a table entry matches a lookup string (the lookup
4948       result is ignored).
4949
4950       The  list  is  matched left to right, and the search stops on the first
4951       match. Specify "!pattern" to exclude an address or network  block  from
4952       the list.
4953
4954       Note:  IP  version 6 address information must be specified inside [] in
4955       the postscreen_allowlist_interfaces value, and in files specified  with
4956       "/file/name".   IP  version  6 addresses contain the ":" character, and
4957       would otherwise be confused with a "type:table" pattern.
4958
4959       Example:
4960
       /etc/postfix/main.cf:
           # Don't allowlist connections to the backup IP address.
           # Postfix < 3.6 use postscreen_whitelist_interfaces.
           postscreen_allowlist_interfaces = !168.100.189.8, static:all
4965
4966       This feature is available in Postfix 3.6 and later.
4967
4968       Available as postscreen_whitelist_interfaces in Postfix 2.9 - 3.5.
4969

postscreen_bare_newline_action (default: ignore)

4971       The action that postscreen(8) takes when a remote SMTP client  sends  a
4972       bare newline character, that is, a newline not preceded by carriage re‐
4973       turn.  Specify one of the following:
4974
4975       ignore Ignore the failure of this test. Allow other tests to  complete.
4976              Do  not  repeat this test before the result from some other test
4977              expires.  This option is useful for testing and collecting  sta‐
4978              tistics without blocking mail permanently.
4979
4980       enforce
4981              Allow  other  tests to complete. Reject attempts to deliver mail
4982              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4983              mation.  Repeat this test the next time the client connects.
4984
4985       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4986              this test the next time the client connects.
4987
4988       This feature is available in Postfix 2.8.
4989

postscreen_bare_newline_enable (default: no)

4991       Enable "bare newline" SMTP protocol tests in the postscreen(8)  server.
4992       These  tests  are expensive: a remote SMTP client must disconnect after
4993       it passes the test, before it can talk to a real Postfix SMTP server.
4994
4995       This feature is available in Postfix 2.8.
4996

postscreen_bare_newline_ttl (default: 30d)

4998       The amount of time that postscreen(8) will use the result from  a  suc‐
4999       cessful "bare newline" SMTP protocol test. During this time, the client
5000       IP address is excluded from this test. The default is  long  because  a
5001       remote  SMTP client must disconnect after it passes the test, before it
5002       can talk to a real Postfix SMTP server.
5003
5004       Specify a non-zero time value  (an  integral  value  plus  an  optional
5005       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5006       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5007       unit is d (days).
5008
5009       This feature is available in Postfix 2.8.
5010

postscreen_blacklist_action (default: ignore)

5012       Renamed to postscreen_denylist_action in Postfix 3.6.
5013
5014       This feature is available in Postfix 2.8 - 3.5.
5015

postscreen_cache_cleanup_interval (default: 12h)

5017       The  amount  of  time  between postscreen(8) cache cleanup runs.  Cache
5018       cleanup increases the load on the cache database and  should  therefore
5019       not  be  run  frequently. This feature requires that the cache database
5020       supports the "delete" and "sequence" operators.  Specify a zero  inter‐
5021       val to disable cache cleanup.
5022
5023       After  each cache cleanup run, the postscreen(8) daemon logs the number
5024       of entries that were retained and dropped. A cleanup run is  logged  as
5025       "partial"  when  the  daemon  terminates  early after "postfix reload",
5026       "postfix stop", or no requests for $max_idle seconds.
5027
5028       Specify a non-negative time value (an integral value plus  an  optional
5029       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5030       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5031       unit is h (hours).
5032
5033       This feature is available in Postfix 2.8.
5034

postscreen_cache_map (default: btree:$data_directory/postscreen_cache)

5036       Persistent storage for the postscreen(8) server decisions.
5037
5038       To  share  a  postscreen(8)  cache  between  multiple postscreen(8) in‐
5039       stances, use "postscreen_cache_map = proxy:btree:/path/to/file".   This
5040       requires  Postfix version 2.9 or later; earlier proxymap(8) implementa‐
5041       tions don't support cache cleanup. For an alternative approach see  the
5042       memcache_table(5) manpage.
5043
5044       This feature is available in Postfix 2.8.
5045

postscreen_cache_retention_time (default: 7d)

5047       The  amount  of time that postscreen(8) will cache an expired temporary
5048       allowlist entry before it is removed. This prevents clients from  being
5049       logged  as "NEW" just because their cache entry expired an hour ago. It
5050       also prevents the cache from filling up with clients that  passed  some
5051       deep protocol test once and never came back.
5052
5053       Specify  a  non-zero  time  value  (an  integral value plus an optional
5054       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5055       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
5056       unit is d (days).
5057
5058       This feature is available in Postfix 2.8.
5059

postscreen_client_connection_count_limit (default: $smtpd_client_connection_count_limit)

5062       How  many simultaneous connections any remote SMTP client is allowed to
5063       have with the postscreen(8) daemon. By default, this limit is the  same
5064       as  with the Postfix SMTP server. Note that the triage process can take
5065       several seconds, with the time spent  in  postscreen_greet_wait  delay,
5066       and  with  the  time  spent talking to the postscreen(8) built-in dummy
5067       SMTP protocol engine.
5068
5069       This feature is available in Postfix 2.8.
5070

postscreen_command_count_limit (default: 20)

5072       The limit on  the  total  number  of  commands  per  SMTP  session  for
5073       postscreen(8)'s built-in SMTP protocol engine.  This SMTP engine defers
5074       or rejects all attempts to deliver mail, therefore there is no need  to
5075       enforce  separate  limits on the number of junk commands and error com‐
5076       mands.
5077
5078       This feature is available in Postfix 2.8.
5079

postscreen_command_filter (default: $smtpd_command_filter)

5081       A mechanism to  transform  commands  from  remote  SMTP  clients.   See
5082       smtpd_command_filter for further details.
5083
5084       This feature is available in Postfix 2.8 and later.
5085

postscreen_command_time_limit (default: normal: 300s, overload: 10s)

5087       The  time  limit  to  read  an entire command line with postscreen(8)'s
5088       built-in SMTP protocol engine.
5089
5090       This feature is available in Postfix 2.8.
5091

postscreen_denylist_action (default: ignore)

5093       The action that postscreen(8) takes when a remote SMTP client is perma‐
5094       nently  denylisted  with the postscreen_access_list parameter.  Specify
5095       one of the following:
5096
5097       ignore (default)
5098              Ignore  this result. Allow other tests to complete.  Repeat this
5099              test  the  next time the client connects.  This option is useful
5100              for testing and collecting statistics without blocking mail.
5101
5102       enforce
5103              Allow other tests to complete. Reject attempts to  deliver  mail
5104              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
5105              mation.  Repeat this test the next time the client connects.
5106
5107       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
5108              this test the next time the client connects.
5109
5110       This feature is available in Postfix 3.6 and later.
5111
5112       Available as postscreen_blacklist_action in Postfix 2.8 - 3.5.
5113

postscreen_disable_vrfy_command (default: $disable_vrfy_command)

5115       Disable  the  SMTP  VRFY command in the postscreen(8) daemon.  See dis‐
5116       able_vrfy_command for details.
5117
5118       This feature is available in Postfix 2.8.
5119

postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_discard_ehlo_keyword_address_maps)

5122       Lookup tables, indexed by the remote SMTP client address, with case in‐
5123       sensitive lists of EHLO keywords  (pipelining,  starttls,  auth,  etc.)
5124       that  the  postscreen(8) server will not send in the EHLO response to a
5125       remote SMTP client. See smtpd_discard_ehlo_keywords for  details.   The
5126       table is not searched by hostname for robustness reasons.
5127
5128       This feature is available in Postfix 2.8 and later.
5129

postscreen_discard_ehlo_keywords (default: $smtpd_discard_ehlo_keywords)

5131       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
5132       etc.) that the postscreen(8) server will not send in the EHLO  response
5133       to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
5134
5135       This feature is available in Postfix 2.8 and later.
5136

postscreen_dnsbl_action (default: ignore)

5138       The  action  that  postscreen(8) takes when a remote SMTP client's com‐
5139       bined DNSBL score is equal to or greater than a threshold  (as  defined
5140       with  the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
5141       ters).  Specify one of the following:
5142
5143       ignore (default)
5144              Ignore the failure of this test. Allow other tests to  complete.
5145              Repeat this test the next time the client connects.  This option
5146              is useful for testing and collecting statistics without blocking
5147              mail.
5148
5149       enforce
5150              Allow  other  tests to complete. Reject attempts to deliver mail
5151              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
5152              mation.  Repeat this test the next time the client connects.
5153
5154       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
5155              this test the next time the client connects.
5156
5157       This feature is available in Postfix 2.8.
5158

postscreen_dnsbl_allowlist_threshold (default: 0)

5160       Allow a remote SMTP client to skip "before" and  "after  220  greeting"
5161       protocol  tests,  based on its combined DNSBL score as defined with the
5162       postscreen_dnsbl_sites parameter.
5163
5164       Specify a negative value to enable this feature. When a  client  passes
5165       the  postscreen_dnsbl_allowlist_threshold  without  having failed other
5166       tests, all pending or disabled tests are flagged as  completed  with  a
5167       time-to-live  value equal to postscreen_dnsbl_ttl.  When a test was al‐
5168       ready completed, its time-to-live value is updated if it was less  than
5169       postscreen_dnsbl_ttl.
5170
5171       This feature is available in Postfix 3.6 and later.
5172
5173       Available  as  postscreen_dnsbl_whitelist_threshold  in  Postfix 2.11 -
5174       3.5.
5175

postscreen_dnsbl_max_ttl (default: ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)

5178       The  maximum amount of time that postscreen(8) will use the result from
5179       a successful DNS-based reputation test before a client  IP  address  is
5180       required  to pass that test again. If the DNS reply specifies a shorter
5181       TTL value, that value will be used unless  it  would  be  smaller  than
5182       postscreen_dnsbl_min_ttl.
5183
5184       Specify  a  non-zero  time  value  (an  integral value plus an optional
5185       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5186       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
5187       unit is h (hours).
5188
5189       This feature is available in Postfix 3.1. The default setting is  back‐
5190       wards-compatible with older Postfix versions.
5191

postscreen_dnsbl_min_ttl (default: 60s)

5193       The  minimum amount of time that postscreen(8) will use the result from
5194       a successful DNS-based reputation test before a client  IP  address  is
5195       required  to  pass that test again. If the DNS reply specifies a larger
5196       TTL value, that value will be used  unless  it  would  be  larger  than
5197       postscreen_dnsbl_max_ttl.
5198
5199       Specify  a  non-zero  time  value  (an  integral value plus an optional
5200       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5201       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
5202       unit is s (seconds).
5203
5204       This feature is available in Postfix 3.1.
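The two TTL bounds above use different default time units (hours for postscreen_dnsbl_max_ttl, seconds for postscreen_dnsbl_min_ttl), so a unitless value means something different in each. The following is an added example, not part of the Postfix documentation or source: it parses time values with the per-parameter default units listed on this page, reports unitless settings in a constructed main.cf sample, and computes the cache lifetime that results from a DNS reply TTL. The function names and the sample are assumptions of this example.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Default time units as documented for each parameter on this page.
DEFAULT_UNIT = {
    "postscreen_dnsbl_max_ttl": "h",
    "postscreen_dnsbl_min_ttl": "s",
    "postscreen_dnsbl_timeout": "s",
    "postscreen_greet_ttl": "d",
    "postscreen_watchdog_timeout": "s",
}

# Constructed sample, not taken from a real system.
SAMPLE_MAIN_CF = """\
# DNSBL cache tuning
postscreen_dnsbl_min_ttl = 90
postscreen_dnsbl_max_ttl = 2
postscreen_greet_ttl = 12h
postscreen_dnsbl_timeout = 10s
"""


def parse_time(name, value):
    """Return (seconds, unit_was_explicit) for a Postfix time value."""
    match = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not match:
        raise ValueError(f"{name}: not a time value: {value!r}")
    number, unit = int(match.group(1)), match.group(2)
    if number == 0:
        raise ValueError(f"{name}: a non-zero time value is required")
    return number * UNIT_SECONDS[unit or DEFAULT_UNIT[name]], bool(unit)


def effective_dnsbl_ttl(reply_ttl, min_ttl="60s", max_ttl="1h"):
    """Clamp a DNS reply TTL (seconds) between the min and max settings."""
    low, _ = parse_time("postscreen_dnsbl_min_ttl", min_ttl)
    high, _ = parse_time("postscreen_dnsbl_max_ttl", max_ttl)
    if low > high:
        # Choice made by this example: treat inverted bounds as an error.
        raise ValueError("postscreen_dnsbl_min_ttl exceeds postscreen_dnsbl_max_ttl")
    return max(low, min(reply_ttl, high))


def unitless_settings(main_cf_text):
    """List (name, value, seconds) for known time settings without a unit.

    Only simple one-line "name = value" settings are handled; comment
    lines and continuation lines (leading whitespace) are skipped.
    """
    found = []
    for line in main_cf_text.splitlines():
        if not line.strip() or line[0].isspace() or line.lstrip().startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if sep and name in DEFAULT_UNIT:
            seconds, explicit = parse_time(name, value)
            if not explicit:
                found.append((name, value, seconds))
    return found


if __name__ == "__main__":
    for name, value, seconds in unitless_settings(SAMPLE_MAIN_CF):
        print(f"{name} = {value} has no unit and means {seconds}s")
    for ttl in (5, 300, 86400):
        print(f"reply TTL {ttl}s -> cached for {effective_dnsbl_ttl(ttl)}s")
```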
5205

postscreen_dnsbl_reply_map (default: empty)

5207       A mapping from an actual DNSBL domain  name  which  includes  a  secret
5208       password, to the DNSBL domain name that postscreen will reply with when
5209       it rejects mail.  When no mapping is found,  the  actual  DNSBL  domain
5210       will be used.
5211
5212       For maximal stability it is best to use a file that is read into memory
5213       such as pcre:, regexp: or texthash: (texthash: is similar to hash:, ex‐
5214       cept a) there is no need to run postmap(1) before the file can be used,
5215       and b) texthash: does not detect changes after the file is read).
5216
5217       Example:
5218
5219       /etc/postfix/main.cf:
5220           postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
5221
5222       /etc/postfix/dnsbl_reply:
5223          secret.zen.spamhaus.org      zen.spamhaus.org
5224
5225       This feature is available in Postfix 2.8.
5226

postscreen_dnsbl_sites (default: empty)

5228       Optional list of patterns with DNS allow/denylist domains, filters  and
5229       weight  factors. When the list is non-empty, the dnsblog(8) daemon will
5230       query these domains with the  reversed  IP  addresses  of  remote  SMTP
5231       clients,  and  postscreen(8)  will  update an SMTP client's DNSBL score
5232       with each non-error reply as described below.
5233
5234       Caution: when postscreen rejects mail, its SMTP response  contains  the
5235       DNSBL  domain  name. Use the postscreen_dnsbl_reply_map feature to hide
5236       "password" information in DNSBL domain names.
5237
5238       When a client's score is equal to or greater than the threshold  speci‐
5239       fied  with  postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
5240       nection with the remote SMTP client.
5241
5242       Specify a list of domain=filter*weight patterns, separated by comma  or
5243       whitespace.
5244
5245       •      When  a  pattern  specifies no "=filter", postscreen(8) will use
5246              any non-error DNSBL query result.  Otherwise, postscreen(8) will
5247              use  only  DNSBL query results that match the filter. The filter
5248              has the form d.d.d.d, where each d is a number, or a pattern in‐
5249              side  [] that contains one or more ";"-separated numbers or num‐
5250              ber..number ranges.
5251
5252       •      When a pattern specifies no "*weight", the weight of the pattern
5253              is  1.  Otherwise, the weight must be an integral number.  Spec‐
5254              ify a negative number for allowlisting.
5255
5256       •      When  a  pattern  matches  one  or  more  DNSBL  query  results,
5257              postscreen(8) adds that pattern's weight once to the remote SMTP
5258              client's DNSBL score.
5259
5260       Examples:
5261
5262       To use example.com as a high-confidence blocklist, and  to  block  mail
5263       with example.net and example.org only when both agree:
5264
5265       postscreen_dnsbl_threshold = 2
5266       postscreen_dnsbl_sites = example.com*2, example.net, example.org
5267
5268       To filter only DNSBL replies containing 127.0.0.4:
5269
5270       postscreen_dnsbl_sites = example.com=127.0.0.4
5271
5272       This feature is available in Postfix 2.8.
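The scoring rules above can be checked offline before a change to postscreen_dnsbl_sites or postscreen_dnsbl_threshold goes live. The following is an added example, not Postfix code: it parses domain=filter*weight patterns, applies the d.d.d.d filter syntax (including [] lists and ranges), adds each matching pattern's weight once, compares the score with the threshold, and maps matched domains through a postscreen_dnsbl_reply_map-style table. The function names and the sample DNS replies are assumptions of this example; a DNS error is modelled as a missing or empty reply list.

```python
import ipaddress
import re

# One filter octet: a number, or [n;n..m;...] holding numbers and ranges.
_ITEM = r"\d+(?:\.\.\d+)?"
_OCTET = rf"(\d+|\[{_ITEM}(?:;{_ITEM})*\])"
FILTER_RE = re.compile(r"\.".join([_OCTET] * 4))


def query_name(client_ip, dnsbl_domain):
    """Build the DNSBL query name: reversed client address + list domain."""
    reverse = ipaddress.ip_address(client_ip).reverse_pointer
    # Drop the trailing "in-addr.arpa" / "ip6.arpa" labels.
    return reverse.rsplit(".", 2)[0] + "." + dnsbl_domain


def parse_sites(value):
    """Parse a postscreen_dnsbl_sites value into (domain, filter, weight)."""
    sites = []
    for pattern in re.split(r"[,\s]+", value.strip()):
        if not pattern:
            continue
        rest, star, weight = pattern.rpartition("*")
        if not star:                      # no "*weight": weight is 1
            rest, weight = pattern, "1"
        domain, _, filt = rest.partition("=")
        if filt and not FILTER_RE.fullmatch(filt):
            raise ValueError(f"bad filter in pattern {pattern!r}")
        sites.append((domain.lower(), filt or None, int(weight)))
    return sites


def octet_matches(spec, octet):
    """Match one reply octet against a number or a [..] list of ranges."""
    if not spec.startswith("["):
        return int(spec) == octet
    for item in spec[1:-1].split(";"):
        low, dots, high = item.partition("..")
        if int(low) <= octet <= int(high if dots else low):
            return True
    return False


def reply_matches(filt, address):
    """True when a DNSBL A record matches a d.d.d.d filter."""
    specs = FILTER_RE.fullmatch(filt).groups()
    octets = ipaddress.IPv4Address(address).packed
    return all(octet_matches(s, o) for s, o in zip(specs, octets))


def dnsbl_score(sites, replies):
    """Add each pattern's weight once if any of its replies match."""
    score, hits = 0, []
    for domain, filt, weight in sites:
        answers = replies.get(domain, [])   # empty: error or not listed
        if any(filt is None or reply_matches(filt, a) for a in answers):
            score += weight
            hits.append(domain)
    return score, hits


def evaluate(sites_value, threshold, replies, reply_map=None):
    """Score a client and name matched domains as the reply map shows them."""
    score, hits = dnsbl_score(parse_sites(sites_value), replies)
    shown = [(reply_map or {}).get(domain, domain) for domain in hits]
    return {"score": score, "blocked": score >= threshold,
            "reply_domains": shown}


if __name__ == "__main__":
    sites = "example.com*2, example.net, example.org"
    # Constructed replies: only example.net lists the client.
    print(query_name("192.0.2.1", "example.net"))
    print(evaluate(sites, 2, {"example.net": ["127.0.0.2"]}))
    print(evaluate(sites, 2, {"example.net": ["127.0.0.2"],
                              "example.org": ["127.0.0.2"]}))
```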
5273

postscreen_dnsbl_threshold (default: 1)

5275       The  inclusive  lower bound for blocking a remote SMTP client, based on
5276       its combined DNSBL score as defined with the postscreen_dnsbl_sites pa‐
5277       rameter.
5278
5279       This feature is available in Postfix 2.8.
5280

postscreen_dnsbl_timeout (default: 10s)

5282       The  time  limit  for DNSBL or DNSWL lookups. This is separate from the
5283       timeouts in the dnsblog(8) daemon  which  are  defined  by  system  re‐
5284       solver(3) routines.
5285
5286       Specify  a  non-zero  time  value  (an  integral value plus an optional
5287       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5288       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
5289       unit is s (seconds).
5290
5291       This feature is available in Postfix 3.0.
5292

postscreen_dnsbl_ttl (default: 1h)

5294       The amount of time that postscreen(8) will use the result from  a  suc‐
5295       cessful  DNS-based  reputation  test  before a client IP address is re‐
5296       quired to pass that test again.
5297
5298       Specify a non-zero time value  (an  integral  value  plus  an  optional
5299       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5300       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5301       unit is h (hours).
5302
5303       This  feature  is  available  in  Postfix  2.8-3.0.  It was replaced by
5304       postscreen_dnsbl_max_ttl in Postfix 3.1.
5305

postscreen_dnsbl_whitelist_threshold (default: 0)

5307       Renamed to postscreen_dnsbl_allowlist_threshold in Postfix 3.6.
5308
5309       This feature is available in Postfix 2.11 - 3.5.
5310

postscreen_enforce_tls (default: $smtpd_enforce_tls)

5312       Mandatory TLS: announce STARTTLS support to remote  SMTP  clients,  and
5313       require  that  clients  use  TLS  encryption.  See smtpd_postscreen_en‐
5314       force_tls for details.
5315
5316       This feature is available in Postfix 2.8 and  later.   Preferably,  use
5317       postscreen_tls_security_level instead.
5318

postscreen_expansion_filter (default: see postconf -d output)

5320       List  of  characters that are permitted in postscreen_reject_footer at‐
5321       tribute expansions.  See smtpd_expansion_filter for further details.
5322
5323       This feature is available in Postfix 2.8 and later.
5324

postscreen_forbidden_commands (default: $smtpd_forbidden_commands)

5326       List of commands that the postscreen(8) server considers  in  violation
5327       of  the  SMTP  protocol.  See  smtpd_forbidden_commands for syntax, and
5328       postscreen_non_smtp_command_action for possible actions.
5329
5330       This feature is available in Postfix 2.8.
5331

postscreen_greet_action (default: ignore)

5333       The action that postscreen(8) takes when a remote  SMTP  client  speaks
5334       before    its    turn    within    the    time   specified   with   the
5335       postscreen_greet_wait parameter.  Specify one of the following:
5336
5337       ignore (default)
5338              Ignore the failure of this test. Allow other tests to  complete.
5339              Repeat this test the next time the client connects.  This option
5340              is useful for testing and collecting statistics without blocking
5341              mail.
5342
5343       enforce
5344              Allow  other  tests to complete. Reject attempts to deliver mail
5345              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
5346              mation.  Repeat this test the next time the client connects.
5347
5348       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
5349              this test the next time the client connects.
5350
5351       In either case, postscreen(8) will not allowlist the remote SMTP client
5352       IP address.
5353
5354       This feature is available in Postfix 2.8.
5355

postscreen_greet_banner (default: $smtpd_banner)

5357       The   text   in   the   optional  "220-text..."  server  response  that
5358       postscreen(8) sends ahead  of  the  real  Postfix  SMTP  server's  "220
5359       text..."  response,  in  an attempt to confuse bad SMTP clients so that
5360       they speak before their turn (pre-greet).  Specify an  empty  value  to
5361       disable this feature.
5362
5363       This feature is available in Postfix 2.8.
5364

postscreen_greet_ttl (default: 1d)

5366       The  amount  of time that postscreen(8) will use the result from a suc‐
5367       cessful PREGREET test. During this time, the client IP address  is  ex‐
5368       cluded  from this test. The default is relatively short, because a good
5369       client can immediately talk to a real Postfix SMTP server.
5370
5371       Specify a non-zero time value  (an  integral  value  plus  an  optional
5372       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5373       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5374       unit is d (days).
5375
5376       This feature is available in Postfix 2.8.
5377

postscreen_greet_wait (default: normal: 6s, overload: 2s)

5379       The  amount  of time that postscreen(8) will wait for an SMTP client to
5380       send a command before its turn, and for DNS blocklist lookup results to
5381       arrive  (default:  up to 2 seconds under stress, up to 6 seconds other‐
5382       wise).
5383
5384       Specify a non-zero time value  (an  integral  value  plus  an  optional
5385       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5386       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5387       unit is s (seconds).
5388
5389       This feature is available in Postfix 2.8.
5390

postscreen_helo_required (default: $smtpd_helo_required)

5392       Require  that a remote SMTP client sends HELO or EHLO before commencing
5393       a MAIL transaction.
5394
5395       This feature is available in Postfix 2.8.
5396

postscreen_non_smtp_command_action (default: drop)

5398       The action that postscreen(8) takes when a  remote  SMTP  client  sends
5399       non-SMTP  commands  as specified with the postscreen_forbidden_commands
5400       parameter.  Specify one of the following:
5401
5402       ignore Ignore the failure of this test. Allow other tests to  complete.
5403              Do  not  repeat this test before the result from some other test
5404              expires.  This option is useful for testing and collecting  sta‐
5405              tistics without blocking mail permanently.
5406
5407       enforce
5408              Allow  other  tests to complete. Reject attempts to deliver mail
5409              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
5410              mation.  Repeat this test the next time the client connects.
5411
5412       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
5413              this test the next time the client connects. This action is  the
5414              same  as with the Postfix SMTP server's smtpd_forbidden_commands
5415              feature.
5416
5417       This feature is available in Postfix 2.8.
5418

postscreen_non_smtp_command_enable (default: no)

5420       Enable "non-SMTP command" tests  in  the  postscreen(8)  server.  These
5421       tests are expensive: a client must disconnect after it passes the test,
5422       before it can talk to a real Postfix SMTP server.
5423
5424       This feature is available in Postfix 2.8.
5425

postscreen_non_smtp_command_ttl (default: 30d)

5427       The amount of time that postscreen(8) will use the result from  a  suc‐
5428       cessful  "non_smtp_command"  SMTP  protocol test. During this time, the
5429       client IP address is excluded from this test. The default is  long  be‐
5430       cause  a client must disconnect after it passes the test, before it can
5431       talk to a real Postfix SMTP server.
5432
5433       Specify a non-zero time value  (an  integral  value  plus  an  optional
5434       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5435       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5436       unit is d (days).
5437
5438       This feature is available in Postfix 2.8.
5439

postscreen_pipelining_action (default: enforce)

5441       The  action  that  postscreen(8)  takes when a remote SMTP client sends
5442       multiple commands instead of sending one command and  waiting  for  the
5443       server to respond.  Specify one of the following:
5444
5445       ignore Ignore  the failure of this test. Allow other tests to complete.
5446              Do not repeat this test before the result from some  other  test
5447              expires.   This option is useful for testing and collecting sta‐
5448              tistics without blocking mail permanently.
5449
5450       enforce
5451              Allow other tests to complete. Reject attempts to  deliver  mail
5452              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
5453              mation.  Repeat this test the next time the client connects.
5454
5455       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
5456              this test the next time the client connects.
5457
5458       This feature is available in Postfix 2.8.
5459

postscreen_pipelining_enable (default: no)

5461       Enable  "pipelining"  SMTP  protocol tests in the postscreen(8) server.
5462       These tests are expensive: a  good  client  must  disconnect  after  it
5463       passes the test, before it can talk to a real Postfix SMTP server.
5464
5465       This feature is available in Postfix 2.8.
5466

postscreen_pipelining_ttl (default: 30d)

5468       The  amount  of time that postscreen(8) will use the result from a suc‐
5469       cessful "pipelining" SMTP protocol test. During this time,  the  client
5470       IP  address  is  excluded from this test. The default is long because a
5471       good client must disconnect after it passes the  test,  before  it  can
5472       talk to a real Postfix SMTP server.
5473
5474       Specify  a  non-zero  time  value  (an  integral value plus an optional
5475       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5476       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
5477       unit is d (days).
5478
5479       This feature is available in Postfix 2.8.
5480

postscreen_post_queue_limit (default: $default_process_limit)

5482       The number of clients that can be waiting for service from a real Post‐
5483       fix  SMTP server process. When this queue is full, all clients will re‐
5484       ceive a 421 response.
5485
5486       This feature is available in Postfix 2.8.
5487

postscreen_pre_queue_limit (default: $default_process_limit)

5489       The number of non-allowlisted clients that can be waiting for  a  deci‐
5490       sion  whether they will receive service from a real Postfix SMTP server
5491       process. When this queue is full, all non-allowlisted clients will  re‐
5492       ceive a 421 response.
5493
5494       This feature is available in Postfix 2.8.
5495

postscreen_reject_footer (default: $smtpd_reject_footer)

5497       Optional  information that is appended after a 4XX or 5XX postscreen(8)
5498       server response. See smtpd_reject_footer for further details.
5499
5500       This feature is available in Postfix 2.8 and later.
5501

postscreen_reject_footer_maps (default: $smtpd_reject_footer_maps)

5503       Optional lookup table for information that is appended after a  4XX  or
5504       5XX  postscreen(8)  server  response.  See smtpd_reject_footer_maps for
5505       further details.
5506
5507       This feature is available in Postfix 3.4 and later.
5508

postscreen_tls_security_level (default: $smtpd_tls_security_level)

5510       The SMTP TLS security  level  for  the  postscreen(8)  server;  when  a
5511       non-empty  value  is  specified, this overrides the obsolete parameters
5512       postscreen_use_tls  and  postscreen_enforce_tls.  See   smtpd_tls_secu‐
5513       rity_level for details.
5514
5515       This feature is available in Postfix 2.8 and later.
5516

postscreen_upstream_proxy_protocol (default: empty)

5518       The  name  of  the proxy protocol used by an optional before-postscreen
5519       proxy agent. When a proxy agent is used, this  protocol  conveys  local
5520       and  remote  address  and  port  information.  Specify  "postscreen_up‐
5521       stream_proxy_protocol = haproxy" to enable the haproxy  protocol;  ver‐
5522       sion 2 is supported with Postfix 3.5 and later.
5523
5524       This feature is available in Postfix 2.10 and later.
5525

postscreen_upstream_proxy_timeout (default: 5s)

5527       The time limit for the proxy protocol specified with the postscreen_up‐
5528       stream_proxy_protocol parameter.
5529
5530       This feature is available in Postfix 2.10 and later.
5531

postscreen_use_tls (default: $smtpd_use_tls)

5533       Opportunistic TLS: announce STARTTLS support to  remote  SMTP  clients,
5534       but do not require that clients use TLS encryption.
5535
5536       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
5537       postscreen_tls_security_level instead.
5538

postscreen_watchdog_timeout (default: 10s)

5540       How much time a postscreen(8) process may take to respond to  a  remote
5541       SMTP client command or to perform a cache operation before it is termi‐
5542       nated by a built-in watchdog timer.  This is a  safety  mechanism  that
5543       prevents  postscreen(8)  from  becoming  non-responsive due to a bug in
5544       Postfix itself or in system software.  To avoid false alarms and unnec‐
5545       essary cache corruption this limit cannot be set under 10s.
5546
5547       Specify  a  non-zero  time  value  (an  integral value plus an optional
5548       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5549       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
5550       unit is s (seconds).
5551
5552       This feature is available in Postfix 2.8.
5553

postscreen_whitelist_interfaces (default: static:all)

5555       Renamed to postscreen_allowlist_interfaces in Postfix 3.6.
5556
5557       This feature is available in Postfix 2.9 - 3.5.
5558

prepend_delivered_header (default: command, file, forward)

5560       The message delivery contexts where the Postfix local(8) delivery agent
5561       prepends a Delivered-To:  message header with the address that the mail
5562       was delivered to. This information is used for mail delivery  loop  de‐
5563       tection.
5564
5565       By  default,  the Postfix local delivery agent prepends a Delivered-To:
5566       header when forwarding mail and when delivering to file  (mailbox)  and
5567       command.  Turning  off the Delivered-To: header when forwarding mail is
5568       not recommended.
5569
5570       Specify zero or more of forward, file, or command.
5571
5572       Example:
5573
5574       prepend_delivered_header = forward
5575

process_id (read-only)

5577       The process ID of a Postfix command or daemon process.
5578

process_id_directory (default: pid)

5580       The location of Postfix PID files relative to  $queue_directory.   This
5581       is a read-only parameter.
5582

process_name (read-only)

5584       The process name of a Postfix command or daemon process.
5585

propagate_unmatched_extensions (default: canonical, virtual)

5587       What  address  lookup  tables copy an address extension from the lookup
5588       key to the lookup result.
5589
5590       For  example,  with  a  virtual(5)  mapping  of   "joe@example.com   =>
5591       joe.user@example.net",  the address "joe+foo@example.com" would rewrite
5592       to "joe.user+foo@example.net".
5593
5594       Specify zero or more of canonical, virtual, alias, forward, include  or
5595       generic.  These  cause address extension propagation with canonical(5),
5596       virtual(5), and aliases(5) maps, with local(8) .forward  and  :include:
5597       file lookups, and with smtp(8) generic maps, respectively.
5598
5599       Note:  enabling this feature for types other than canonical and virtual
5600       is likely to cause problems when mail is forwarded to other sites,  es‐
5601       pecially with mail that is sent to a mailing list exploder address.
5602
5603       Examples:
5604
5605       propagate_unmatched_extensions = canonical, virtual, alias,
5606               forward, include
5607       propagate_unmatched_extensions = canonical, virtual
5608

proxy_interfaces (default: empty)

5610       The  remote  network interface addresses that this mail system receives
5611       mail on by way of a proxy or network address translation unit.
5612
5613       This feature is available in Postfix 2.0 and later.
5614
5615       You must specify your "outside" proxy/NAT addresses when your system is
5616       a  backup MX host for other domains, otherwise mail delivery loops will
5617       happen when the primary MX host is down.
5618
5619       Example:
5620
5621       proxy_interfaces = 1.2.3.4
5622

proxy_read_maps (default: see postconf -d output)

5624       The lookup tables that the proxymap(8) server is allowed to access  for
5625       the read-only service.
5626
5627       Specify zero or more "type:name" lookup tables, separated by whitespace
5628       or comma.  Table references that don't begin with proxy: are ignored.
5629
5630       This feature is available in Postfix 2.0 and later.
5631

proxy_write_maps (default: see postconf -d output)

5633       The lookup tables that the proxymap(8) server is allowed to access  for
5634       the  read-write  service.  Postfix-owned local database files should be
5635       stored under the Postfix-owned data_directory.  Table  references  that
5636       don't begin with proxy: are ignored.
5637
5638       This feature is available in Postfix 2.5 and later.
5639

proxymap_service_name (default: proxymap)

5641       The  name of the proxymap read-only table lookup service.  This service
5642       is normally implemented by the proxymap(8) daemon.
5643
5644       This feature is available in Postfix 2.6 and later.
5645

proxywrite_service_name (default: proxywrite)

5647       The name of the proxywrite read-write table lookup service.  This  ser‐
5648       vice is normally implemented by the proxymap(8) daemon.
5649
5650       This feature is available in Postfix 2.6 and later.
5651

qmgr_clog_warn_time (default: 300s)

5653       The minimal delay between warnings that a specific destination is clog‐
5654       ging up the Postfix active queue. Specify 0 to disable.
5655
5656       Specify a non-negative time value (an integral value plus  an  optional
5657       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5658       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5659       unit is s (seconds).
5660
5661       This feature is enabled with the helpful_warnings parameter.
5662
5663       This feature is available in Postfix 2.0 and later.
5664

qmgr_daemon_timeout (default: 1000s)

5666       How  much time a Postfix queue manager process may take to handle a re‐
5667       quest before it is terminated by a built-in watchdog timer.
5668
5669       Specify a non-zero time value  (an  integral  value  plus  an  optional
5670       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5671       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5672       unit is s (seconds).
5673
5674       This feature is available in Postfix 2.8 and later.
5675

qmgr_fudge_factor (default: 100)

5677       Obsolete feature: the percentage of delivery resources that a busy mail
5678       system will use up for delivery of a large mailing  list message.
5679
5680       This feature exists only in the oqmgr(8) old queue manager. The current
5681       queue manager solves the problem in a better way.
5682

qmgr_ipc_timeout (default: 60s)

5684       The  time  limit  for  the queue manager to send or receive information
5685       over an internal communication channel.  The purpose is to break out of
5686       deadlock  situations. If the time limit is exceeded the software either
5687       retries or aborts the operation.
5688
5689       Specify a non-zero time value  (an  integral  value  plus  an  optional
5690       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5691       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5692       unit is s (seconds).
5693
5694       This feature is available in Postfix 2.8 and later.
5695

qmgr_message_active_limit (default: 20000)

5697       The maximal number of messages in the active queue.
5698

qmgr_message_recipient_limit (default: 20000)

5700       The  maximal  number  of recipients held in memory by the Postfix queue
5701       manager, and the maximal size of the short-term, in-memory "dead"  des‐
5702       tination status cache.
5703

qmgr_message_recipient_minimum (default: 10)

5705       The  minimal number of in-memory recipients for any message. This takes
5706       priority over any other in-memory recipient limits  (i.e.,  the  global
5707       qmgr_message_recipient_limit and the per transport _recipient_limit) if
5708       necessary. The minimum value allowed for this parameter is 1.
5709

qmqpd_authorized_clients (default: empty)

5711       What remote QMQP clients are allowed to connect  to  the  Postfix  QMQP
5712       server port.
5713
5714       By  default,  no  client is allowed to use the service. This is because
5715       the QMQP server will relay mail to any destination.
5716
5717       Specify a list of client patterns. A  list  pattern  specifies  a  host
5718       name,  a  domain  name, an internet address, or a network/mask pattern,
5719       where the mask specifies the number of bits in the network part.   When
5720       a  pattern  specifies a file name, its contents are substituted for the
5721       file name; when a pattern is a "type:table" table specification,  table
5722       lookup is used instead.
5723
5724       Patterns are separated by whitespace and/or commas. In order to reverse
5725       the result, precede a pattern with an exclamation point (!).  The  form
5726       "!/file/name" is supported only in Postfix version 2.4 and later.
5727
5728       Pattern  matching  of domain names is controlled by the presence or ab‐
5729       sence of "qmqpd_authorized_clients" in the parent_domain_matches_subdo‐
5730       mains parameter value.
5731
5732       Example:
5733
5734       qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
5735

qmqpd_client_port_logging (default: no)

5737       Enable  logging of the remote QMQP client port in addition to the host‐
5738       name and IP address. The logging format is "host[address]:port".
5739
5740       This feature is available in Postfix 2.5 and later.
5741

qmqpd_error_delay (default: 1s)

5743       How long the Postfix QMQP server will pause before sending  a  negative
5744       reply  to  the remote QMQP client. The purpose is to slow down confused
5745       or malicious clients.
5746
5747       Specify a non-negative time value (an integral value plus  an  optional
5748       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5749       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5750       unit is s (seconds).
5751

qmqpd_timeout (default: 300s)

5753       The  time  limit for sending or receiving information over the network.
5754       If a read or write operation blocks for more than  $qmqpd_timeout  sec‐
5755       onds the Postfix QMQP server gives up and disconnects.
5756
5757       Specify  a  non-zero  time  value  (an  integral value plus an optional
5758       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5759       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
5760       unit is s (seconds).
5761

queue_directory (default: see postconf -d output)

5763       The location of the Postfix top-level queue directory. This is the root
5764       directory of Postfix daemon processes that run chrooted.
5765

queue_file_attribute_count_limit (default: 100)

5767       The  maximal  number of (name=value) attributes that may be stored in a
5768       Postfix queue file. The limit is enforced by the cleanup(8) server.
5769
5770       This feature is available in Postfix 2.0 and later.
5771

queue_minfree (default: 0)

5773       The minimal amount of free space in bytes in the queue file system that
5774       is  needed to receive mail.  This is currently used by the Postfix SMTP
5775       server to decide if it will accept any mail at all.
5776
5777       By default, the Postfix SMTP server rejects MAIL FROM commands when the
5778       amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5779       sion 2.1 and later).  To specify a higher  minimum  free  space  limit,
5780       specify a queue_minfree value that is at least 1.5*$message_size_limit.
5781
5782       With  Postfix  versions  2.0 and earlier, a queue_minfree value of zero
5783       means there is no minimum required amount of free space.
5784

queue_run_delay (default: 300s)

5786       The time between deferred queue scans by the queue  manager;  prior  to
5787       Postfix 2.4 the default value was 1000s.
5788
5789       This  parameter  should  be  set  less  than or equal to $minimal_back‐
5790       off_time. See also $maximal_backoff_time.
5791
5792       Specify a non-zero time value  (an  integral  value  plus  an  optional
5793       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5794       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
5795       unit is s (seconds).
5796

queue_service_name (default: qmgr)

5798       The name of the qmgr(8) service. This service manages the Postfix queue
5799       and schedules delivery requests.
5800
5801       This feature is available in Postfix 2.0 and later.
5802

rbl_reply_maps (default: empty)

5804       Optional lookup tables with RBL response templates. The tables are  in‐
5805       dexed by the RBL domain name. By default, Postfix uses the default tem‐
5806       plate as specified with the default_rbl_reply configuration  parameter.
5807       See there for a discussion of the syntax of RBL reply templates.
5808
5809       This feature is available in Postfix 2.0 and later.
5810

readme_directory (default: see postconf -d output)

5812       The  location  of Postfix README files that describe how to build, con‐
5813       figure or operate a specific Postfix subsystem or feature.
5814

receive_override_options (default: empty)

       Enable or disable recipient validation, built-in content filtering, or
       address mapping. Typically, these are specified in master.cf as
       command-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.

       Specify zero or more of the following options. The options override
       main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
       pickup(8) themselves, or they are forwarded to the cleanup server.

       no_unknown_recipient_checks
              Do not try to reject unknown recipients (SMTP server only).
              This is typically specified AFTER an external content filter.

       no_address_mappings
              Disable canonical address mapping, virtual alias map expansion,
              address masquerading, and automatic BCC (blind carbon-copy)
              recipients. This is typically specified BEFORE an external content
              filter.

       no_header_body_checks
              Disable header/body_checks. This is typically specified AFTER an
              external content filter.

       no_milters
              Disable Milter (mail filter) applications. This is typically
              specified AFTER an external content filter.

       Note: when the "BEFORE content filter" receive_override_options setting
       is specified in the main.cf file, specify the "AFTER content filter"
       receive_override_options setting in master.cf (and vice versa).

       Examples:

       receive_override_options =
           no_unknown_recipient_checks, no_header_body_checks
       receive_override_options = no_address_mappings

       This feature is available in Postfix 2.1 and later.

recipient_bcc_maps (default: empty)

       Optional BCC (blind carbon-copy) address lookup tables, indexed by
       envelope recipient address. The BCC address (multiple results are not
       supported) is added when mail enters from outside of Postfix.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       The table search order is as follows:

       •      Look up the "user+extension@domain.tld" address including the
              optional address extension.

       •      Look up the "user@domain.tld" address without the optional
              address extension.

       •      Look up the "user+extension" address local part when the
              recipient domain equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       •      Look up the "user" address local part when the recipient domain
              equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       •      Look up the "@domain.tld" part.

       Note: with Postfix 2.3 and later the BCC address is added as if it was
       specified with NOTIFY=NONE. The sender will not be notified when the
       BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will unconditionally be
       notified when the BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

       Example:

       recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

       After a change, run "postmap /etc/postfix/recipient_bcc".

       This feature is available in Postfix 2.1 and later.

recipient_canonical_classes (default: envelope_recipient, header_recipient)

       What addresses are subject to recipient_canonical_maps address mapping.
       By default, recipient_canonical_maps address mapping is applied to
       envelope recipient addresses, and to header recipient addresses.

       Specify one or more of: envelope_recipient, header_recipient

       This feature is available in Postfix 2.2 and later.

recipient_canonical_maps (default: empty)

       Optional address mapping lookup tables for envelope and header
       recipient addresses. The table format and lookups are documented in
       canonical(5).

       Note: $recipient_canonical_maps is processed before $canonical_maps.

       Example:

       recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

recipient_delimiter (default: empty)

       The set of characters that can separate an email address localpart,
       user name, or a .forward file name from its extension. For example,
       with "recipient_delimiter = +", the software tries user+foo@example.com
       before trying user@example.com, user+foo before trying user, and
       .forward+foo before trying .forward.

       More formally, an email address localpart or user name is separated
       from its extension by the first character that matches the
       recipient_delimiter set. The delimiter character and extension may then be
       used to generate an extended .forward file name. This implementation
       recognizes one delimiter character and one extension per email address
       localpart or email address. With Postfix 2.10 and earlier, the
       recipient_delimiter specifies a single character.

       See canonical(5), local(8), relocated(5) and virtual(5) for the effects
       of recipient_delimiter on lookups in aliases, canonical, virtual, and
       relocated maps, and see the propagate_unmatched_extensions parameter
       for propagating an extension from one email address to another.

       When used in command_execution_directory, forward_path, or luser_relay,
       ${recipient_delimiter} is replaced with the actual recipient delimiter
       that was found in the recipient email address (Postfix 2.11 and later),
       or it is replaced with the main.cf recipient_delimiter parameter value
       (Postfix 2.10 and earlier).

       The recipient_delimiter is not applied to the mailer-daemon address,
       the postmaster address, or the double-bounce address. With the default
       "owner_request_special = yes" setting, the recipient_delimiter is also
       not applied to addresses with the special "owner-" prefix or the
       special "-request" suffix.

       Examples:

       # Handle Postfix-style extensions.
       recipient_delimiter = +

       # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
       recipient_delimiter = +-

       # Use .forward for mail without address extension, and for mail with
       # an unrecognized address extension.
       forward_path = $home/.forward${recipient_delimiter}${extension},
           $home/.forward

reject_code (default: 554)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is rejected by the "reject" restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

reject_tempfail_action (default: defer_if_permit)

       The Postfix SMTP server's action when a reject-type restriction fails
       due to a temporary error condition. Specify "defer" to defer the remote
       SMTP client request immediately. With the default "defer_if_permit"
       action, the Postfix SMTP server continues to look for opportunities to
       reject mail, and defers the client request only if it would otherwise
       be accepted.

       For finer control, see: unverified_recipient_tempfail_action,
       unverified_sender_tempfail_action, unknown_address_tempfail_action, and
       unknown_helo_hostname_tempfail_action.

       This feature is available in Postfix 2.6 and later.

relay_clientcerts (default: empty)

       List of tables with remote SMTP client-certificate fingerprints or
       public key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP
       server will allow access with the permit_tls_clientcerts feature. The
       fingerprint digest algorithm is configurable via the
       smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix
       version 2.5).

       The default algorithm is sha256 with Postfix >= 3.6 and the
       compatibility_level set to 3.6 or higher. With Postfix <= 3.5, the default
       algorithm is md5. The best-practice algorithm is now sha256. Recent
       advances in hash function cryptanalysis have led to md5 and sha1 being
       deprecated in favor of sha256. However, as long as there are no known
       "second pre-image" attacks against the older algorithms, their use in
       this context, though not recommended, is still likely safe.

       Postfix lookup tables are in the form of (key, value) pairs. Since we
       only need the key, the value can be chosen freely, e.g. the name of
       the user or host:

           D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

       Example:

       relay_clientcerts = hash:/etc/postfix/relay_clientcerts

       For more fine-grained control, use check_ccert_access to select an
       appropriate access(5) policy for each client. See
       RESTRICTION_CLASS_README.

       This feature is available with Postfix version 2.2.

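       An audit of a relay_clientcerts table source file, as an added example
       (not part of the Postfix documentation or code): it infers each key's
       digest algorithm from its length and flags md5/sha1 keys, which the text
       above describes as deprecated. The second sample key, the labels other
       than lutzpc.at.home, and all function names are constructed for
       illustration.

```python
import hashlib
import re

# Digest length in octets -> algorithm name as used in smtpd_tls_fingerprint_digest.
DIGEST_BY_OCTETS = {16: "md5", 20: "sha1", 32: "sha256"}
DEPRECATED = {"md5", "sha1"}  # deprecated in favor of sha256, per the page
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$")


def fingerprint(der_bytes, algorithm="sha256"):
    """Colon-separated upper-case hex digest of DER-encoded certificate bytes."""
    digest = hashlib.new(algorithm, der_bytes).digest()
    return ":".join(f"{octet:02X}" for octet in digest)


def classify(key):
    """Return (algorithm or None, status) for one lookup key."""
    if not FINGERPRINT_RE.match(key):
        return None, "malformed"
    algorithm = DIGEST_BY_OCTETS.get(len(key.split(":")))
    if algorithm is None:
        return None, "unknown-length"
    return algorithm, "deprecated" if algorithm in DEPRECATED else "ok"


def audit_table(text):
    """Audit the source text of a relay_clientcerts table.

    Returns a list of (line_number, label, algorithm, status) tuples.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # empty line or comment
        if raw[0].isspace():
            continue  # continuation of the previous logical line
        fields = raw.split(None, 1)
        label = fields[1].strip() if len(fields) > 1 else ""
        algorithm, status = classify(fields[0])
        findings.append((number, label, algorithm, status))
    return findings


def mixed_digests(findings):
    """True when well-formed keys use more than one digest algorithm.

    The fingerprint digest is one configured algorithm, so keys of any other
    length can never match a computed fingerprint.
    """
    return len({alg for _, _, alg, _ in findings if alg}) > 1


# Constructed sample table. The first key is the example from the page (16
# octets, i.e. md5); the second is the sha256 digest of stand-in bytes that
# are NOT a real certificate.
SAMPLE_TABLE = (
    "# relay_clientcerts (constructed sample)\n"
    "D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home\n"
    + fingerprint(b"constructed DER stand-in, not a real certificate")
    + " laptop.example\n"
    "not-a-fingerprint broken.example\n"
)

if __name__ == "__main__":
    results = audit_table(SAMPLE_TABLE)
    for number, label, algorithm, status in results:
        print(f"line {number}: {label or '(no label)'}: {algorithm}: {status}")
    if mixed_digests(results):
        print("warning: table mixes digest algorithms")
```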

relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination via
       the relay message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.

       This feature is available in Postfix 2.0 and later.

relay_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the relay message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       relay_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.

       This feature is available in Postfix 2.0 and later.

relay_domains (default: Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)

       What destination domains (and subdomains thereof) this system will
       relay mail to. For details about how the relay_domains value is used, see
       the description of the permit_auth_destination and
       reject_unauth_destination SMTP recipient restrictions.

       Domains that match $relay_domains are delivered with the
       $relay_transport mail delivery transport. The SMTP server validates
       recipient addresses with $relay_recipient_maps and rejects non-existent
       recipients. See also the relay domains address class in the
       ADDRESS_CLASS_README file.

       Note: Postfix will not automatically forward mail for domains that list
       this system as their primary or backup MX host. See the
       permit_mx_backup restriction in the postconf(5) manual page.

       Specify a list of host or domain names, "/file/name" patterns or
       "type:table" lookup tables, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace. A
       "/file/name" pattern is replaced by its contents; a "type:table" lookup
       table is matched when a (parent) domain appears as lookup key. Specify
       "!pattern" to exclude a domain from the list. The form "!/file/name" is
       supported only in Postfix version 2.4 and later.

       Pattern matching of domain names is controlled by the presence or
       absence of "relay_domains" in the parent_domain_matches_subdomains
       parameter value.

relay_domains_reject_code (default: 554)

       The numerical Postfix SMTP server response code when a client request
       is rejected by the reject_unauth_destination recipient restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

relay_recipient_maps (default: empty)

       Optional lookup tables with all valid addresses in the domains that
       match $relay_domains. Specify @domain as a wild-card for domains that
       have no valid recipient list, and become a source of backscatter mail:
       Postfix accepts spam for non-existent recipients and then floods
       innocent people with undeliverable mail. Technically, tables listed with
       $relay_recipient_maps are used as lists: Postfix needs to know only if
       a lookup string is found or not, but it does not use the result from
       the table lookup.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       If this parameter is non-empty, then the Postfix SMTP server will
       reject mail to unknown relay users. This feature is off by default.

       See also the relay domains address class in the ADDRESS_CLASS_README
       file.

       Example:

       relay_recipient_maps = hash:/etc/postfix/relay_recipients

       This feature is available in Postfix 2.0 and later.

relay_transport (default: relay)

       The default mail delivery transport and next-hop destination for remote
       delivery to domains listed with $relay_domains. In order of decreasing
       precedence, the nexthop destination is taken from $relay_transport,
       $sender_dependent_relayhost_maps, $relayhost, or from the recipient
       domain. This information can be overruled with the transport(5) table.

       Specify a string of the form transport:nexthop, where transport is the
       name of a mail delivery transport defined in master.cf. The :nexthop
       destination is optional; its syntax is documented in the manual page of
       the corresponding delivery agent.

       See also the relay domains address class in the ADDRESS_CLASS_README
       file.

       This feature is available in Postfix 2.0 and later.

relayhost (default: empty)

       The next-hop destination(s) for non-local mail; overrides non-local
       domains in recipient addresses. This information is overruled with
       relay_transport, sender_dependent_default_transport_maps,
       default_transport, sender_dependent_relayhost_maps and with the
       transport(5) table.

       On an intranet, specify the organizational domain name. If your
       internal DNS uses no MX records, specify the name of the intranet gateway
       host instead.

       In the case of SMTP or LMTP delivery, specify one or more destinations
       in the form of a domain name, hostname, hostname:port, [hostname]:port,
       [hostaddress] or [hostaddress]:port, separated by comma or whitespace.
       The form [hostname] turns off MX lookups. Multiple destinations are
       supported in Postfix 3.5 and later.

       If you're connected via UUCP, see the UUCP_README file for useful
       information.

       Examples:

       relayhost = $mydomain
       relayhost = [gateway.example.com]
       relayhost = mail1.example:587, mail2.example:587
       relayhost = [an.ip.add.ress]

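       A parser for the relayhost destination forms listed above, as an added
       example (not Postfix code): it reports, per destination, whether the
       next hop depends on MX lookups, which is worth knowing when reviewing
       where outbound mail can be steered by DNS. It works on values after
       $parameter expansion; accepting a service name in place of a numeric
       port, the host-name character set, and all names in the code are
       assumptions of this example.

```python
import re
from typing import NamedTuple, Optional


class Destination(NamedTuple):
    host: str
    port: Optional[str]
    mx_lookup: bool  # False for the bracketed forms, which turn off MX lookups


# Host/domain name check used for the unbracketed forms (example assumption).
_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")
# Service names such as "submission" are accepted as an assumption.
_SERVICE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def _check_port(port, text):
    if port.isdigit():
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range in {text!r}")
    elif not _SERVICE_RE.match(port):
        raise ValueError(f"bad port in {text!r}")


def parse_destination(text):
    """Parse one destination: name, name:port, [host] or [host]:port."""
    if text.startswith("["):
        end = text.find("]")
        if end < 2:  # -1: no closing bracket, 1: empty brackets
            raise ValueError(f"bad bracketed destination {text!r}")
        host, rest = text[1:end], text[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']' in {text!r}")
        port = rest[1:] if rest else None
        mx_lookup = False
    else:
        host, separator, port = text.partition(":")
        port = port if separator else None
        if not _NAME_RE.match(host):
            raise ValueError(f"bad host or domain name in {text!r}")
        mx_lookup = True
    if port is not None:
        _check_port(port, text)
    return Destination(host, port, mx_lookup)


def parse_relayhost(value):
    """Parse a relayhost value: destinations separated by comma or whitespace."""
    return [parse_destination(t) for t in re.split(r"[,\s]+", value.strip()) if t]


def mx_dependent(value):
    """Hosts in a relayhost value whose next hop is chosen through MX lookups."""
    return [d.host for d in parse_relayhost(value) if d.mx_lookup]


if __name__ == "__main__":
    # Values taken from the examples above, plus one constructed address form.
    for sample in ("[gateway.example.com]",
                   "mail1.example:587, mail2.example:587",
                   "[192.0.2.25]:2525"):
        for dest in parse_relayhost(sample):
            print(sample, "->", dest)
```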

relocated_maps (default: empty)

       Optional lookup tables with new contact information for users or
       domains that no longer exist. The table format and lookups are
       documented in relocated(5).

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       If you use this feature, run "postmap /etc/postfix/relocated" to build
       the necessary DBM or DB file after change, then "postfix reload" to
       make the changes visible.

       Examples:

       relocated_maps = dbm:/etc/postfix/relocated
       relocated_maps = hash:/etc/postfix/relocated

remote_header_rewrite_domain (default: empty)

       Rewrite or add message headers in mail from remote clients if the
       remote_header_rewrite_domain parameter value is non-empty, updating
       incomplete addresses with the domain specified in the
       remote_header_rewrite_domain parameter, and adding missing headers.

       The local_header_rewrite_clients parameter controls what clients
       Postfix considers local.

       Examples:

       The safe setting: append "domain.invalid" to incomplete header
       addresses from remote SMTP clients, so that those addresses cannot be
       confused with local addresses.

           remote_header_rewrite_domain = domain.invalid

       The default, purist, setting: don't rewrite headers from remote clients
       at all.

           remote_header_rewrite_domain =

require_home_directory (default: no)

       Require that a local(8) recipient's home directory exists before mail
       delivery is attempted. By default this test is disabled. It can be
       useful for environments that import home directories to the mail server
       (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).

reset_owner_alias (default: no)

       Reset the local(8) delivery agent's idea of the owner-alias attribute,
       when delivering mail to a child alias that does not have its own owner
       alias.

       This feature is available in Postfix 2.8 and later. With older Postfix
       releases, the behavior is as if this parameter is set to "yes".

       As documented in aliases(5), when an alias name has a companion alias
       named owner-name, this will replace the envelope sender address, so
       that delivery errors will be reported to the owner alias instead of the
       sender. This configuration is recommended for mailing lists.

       A less known property of the owner alias is that it also forces the
       local(8) delivery agent to write local and remote addresses from alias
       expansion to a new queue file, instead of attempting to deliver mail to
       local addresses as soon as they come out of alias expansion.

       Writing local addresses from alias expansion to a new queue file allows
       for robust handling of temporary delivery errors: errors with one local
       member have no effect on deliveries to other members of the list. On
       the other hand, delivery to local addresses as soon as they come out of
       alias expansion is fragile: a temporary error with one local address
       from alias expansion will cause the entire alias to be expanded
       repeatedly until the error goes away, or until the message expires in the
       queue. In that case, a problem with one list member results in
       multiple message deliveries to other list members.

       The default behavior of Postfix 2.8 and later is to keep the
       owner-alias attribute of the parent alias, when delivering mail to a
       child alias that does not have its own owner alias. Then, local
       addresses from that child alias will be written to a new queue file, and
       a temporary error with one local address will not affect delivery to
       other mailing list members.

       Unfortunately, older Postfix releases reset the owner-alias attribute
       when delivering mail to a child alias that does not have its own owner
       alias. To be precise, this resets only the decision to create a new
       queue file, not the decision to override the envelope sender address.
       The local(8) delivery agent then attempts to deliver local addresses as
       soon as they come out of child alias expansion. If delivery to any
       address from child alias expansion fails with a temporary error
       condition, the entire mailing list may be expanded repeatedly until the mail
       expires in the queue, resulting in multiple deliveries of the same
       message to mailing list members.

resolve_dequoted_address (default: yes)

       Resolve a recipient address safely instead of correctly, by looking
       inside quotes.

       By default, the Postfix address resolver does not quote the address
       localpart as per RFC 822, so that additional @ or % or ! operators
       remain visible. This behavior is safe but it is also technically
       incorrect.

       If you specify "resolve_dequoted_address = no", then the Postfix
       resolver will not know about additional @ etc. operators in the address
       localpart. This opens opportunities for obscure mail relay attacks with
       user@domain@domain addresses when Postfix provides backup MX service
       for Sendmail systems.

resolve_null_domain (default: no)

       Resolve an address that ends in the "@" null domain as if the local
       hostname were specified, instead of rejecting the address as invalid.

       This feature is available in Postfix 2.1 and later. Earlier versions
       always resolve the null domain as the local hostname.

       The Postfix SMTP server uses this feature to reject mail from or to
       addresses that end in the "@" null domain, and from addresses that
       rewrite into a form that ends in the "@" null domain.

resolve_numeric_domain (default: no)

       Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
       the address as invalid.

       This feature is available in Postfix 2.3 and later.

respectful_logging (default: see 'postconf -d' output)

       Avoid logging that implies white is better than black. Instead use
       'allowlist', 'denylist', and variations of those words.

       This feature is available in Postfix 3.6 and later.

rewrite_service_name (default: rewrite)

       The name of the address rewriting service. This service rewrites
       addresses to standard form and resolves them to a (delivery method,
       next-hop host, recipient) triple.

       This feature is available in Postfix 2.0 and later.

sample_directory (default: /etc/postfix)

       The name of the directory with example Postfix configuration files.
       Starting with Postfix 2.1, these files have been replaced with the
       postconf(5) manual page.

send_cyrus_sasl_authzid (default: no)

       When authenticating to a remote SMTP or LMTP server with the default
       setting "no", send no SASL authoriZation ID (authzid); send only the
       SASL authentiCation ID (authcid) plus the authcid's password.

       The non-default setting "yes" enables the behavior of older Postfix
       versions. These always send a SASL authzid that is equal to the SASL
       authcid, but this causes interoperability problems with some SMTP
       servers.

       This feature is available in Postfix 2.4.4 and later.

sender_based_routing (default: no)

       This parameter should not be used. It was replaced by
       sender_dependent_relayhost_maps in Postfix version 2.3.

sender_bcc_maps (default: empty)

       Optional BCC (blind carbon-copy) address lookup tables, indexed by
       envelope sender address. The BCC address (multiple results are not
       supported) is added when mail enters from outside of Postfix.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       The table search order is as follows:

       •      Look up the "user+extension@domain.tld" address including the
              optional address extension.

       •      Look up the "user@domain.tld" address without the optional
              address extension.

       •      Look up the "user+extension" address local part when the sender
              domain equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       •      Look up the "user" address local part when the sender domain
              equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       •      Look up the "@domain.tld" part.

       Note: with Postfix 2.3 and later the BCC address is added as if it was
       specified with NOTIFY=NONE. The sender will not be notified when the
       BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will be notified when the
       BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

       Example:

       sender_bcc_maps = hash:/etc/postfix/sender_bcc

       After a change, run "postmap /etc/postfix/sender_bcc".

       This feature is available in Postfix 2.1 and later.

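       The lookup-key order described for recipient_bcc_maps and
       sender_bcc_maps, combined with the recipient_delimiter splitting rules,
       as an added example (not Postfix code). Assumptions of this example: the
       literal exempt localparts, local domains given as a plain set of names,
       dicts standing in for lookup tables, and each key being tried against
       all tables before the next key is tried.

```python
# Localparts that are never split. The literal names are assumptions of this
# example for the mailer-daemon, postmaster and double-bounce addresses.
UNSPLIT_LOCALPARTS = {"mailer-daemon", "postmaster", "double-bounce"}


def split_localpart(localpart, delimiters, owner_request_special=True):
    """Split at the first character that is in the recipient_delimiter set.

    Returns (user, delimiter, extension); the last two are None when the
    localpart is not split.
    """
    lower = localpart.lower()
    unsplit = (localpart, None, None)
    if not delimiters or lower in UNSPLIT_LOCALPARTS:
        return unsplit
    if owner_request_special and (
        lower.startswith("owner-") or lower.endswith("-request")
    ):
        return unsplit
    for index, char in enumerate(localpart):
        if char in delimiters:
            if index == 0:  # this example never produces an empty user name
                return unsplit
            return localpart[:index], char, localpart[index + 1:]
    return unsplit


def bcc_lookup_keys(address, delimiters, local_domains):
    """Lookup keys for one envelope address, in the documented search order."""
    localpart, _, domain = address.rpartition("@")
    user, _, extension = split_localpart(localpart, delimiters)
    has_extension = extension is not None
    keys = []
    if has_extension:
        keys.append(f"{localpart}@{domain}")   # user+extension@domain.tld
    keys.append(f"{user}@{domain}")            # user@domain.tld
    if domain.lower() in local_domains:        # stands in for $myorigin etc.
        if has_extension:
            keys.append(localpart)             # user+extension
        keys.append(user)                      # user
    keys.append(f"@{domain}")                  # @domain.tld
    return keys


def find_bcc(address, tables, delimiters, local_domains):
    """Return (matched_key, bcc_address) for the first match, else None."""
    for key in bcc_lookup_keys(address, delimiters, local_domains):
        for table in tables:                   # tables in the specified order
            if key in table:
                return key, table[key]
    return None


if __name__ == "__main__":
    # Constructed tables: a domain-wide archive rule and a per-user rule.
    tables = [
        {"@example.com": "archive@example.com"},
        {"alice@example.com": "audit@example.com"},
    ]
    local = {"example.com"}
    for addr in ("alice+sales@example.com", "bob@example.com",
                 "carol@remote.example"):
        print(addr, bcc_lookup_keys(addr, "+", local),
              find_bcc(addr, tables, "+", local))
```

       In this model a per-user entry is found before an "@domain.tld" entry
       even when the domain entry sits in an earlier table, so a review of who
       receives BCC copies has to consider every table, not only the first.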

sender_canonical_classes (default: envelope_sender, header_sender)

       What addresses are subject to sender_canonical_maps address mapping.
       By default, sender_canonical_maps address mapping is applied to
       envelope sender addresses, and to header sender addresses.

       Specify one or more of: envelope_sender, header_sender

       This feature is available in Postfix 2.2 and later.

sender_canonical_maps (default: empty)

       Optional address mapping lookup tables for envelope and header sender
       addresses. The table format and lookups are documented in
       canonical(5).

       Example: you want to rewrite the SENDER address "user@ugly.example" to
       "user@pretty.example", while still being able to send mail to the
       RECIPIENT address "user@ugly.example".

       Note: $sender_canonical_maps is processed before $canonical_maps.

       Example:

       sender_canonical_maps = hash:/etc/postfix/sender_canonical

sender_dependent_default_transport_maps (default: empty)

       A sender-dependent override for the global default_transport parameter
       setting. The tables are searched by the envelope sender address and
       @domain. A lookup result of DUNNO terminates the search without
       overriding the global default_transport parameter setting. This
       information is overruled with the transport(5) table.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       Note: this overrides default_transport, not transport_maps, and
       therefore the expected syntax is that of default_transport, not the syntax
       of transport_maps. Specifically, this does not support the
       transport_maps syntax for null transport, null nexthop, or null email
       addresses.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.7 and later.

sender_dependent_relayhost_maps (default: empty)

       A sender-dependent override for the global relayhost parameter setting.
       The tables are searched by the envelope sender address and @domain. A
       lookup result of DUNNO terminates the search without overriding the
       global relayhost parameter setting (Postfix 2.6 and later). This
       information is overruled with relay_transport,
       sender_dependent_default_transport_maps, default_transport and with the
       transport(5) table.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.3 and later.

sendmail_fix_line_endings (default: always)

       Controls how the Postfix sendmail command converts email message line
       endings from <CR><LF> into UNIX format (<LF>).

       always Always convert message lines ending in <CR><LF>. This setting is
              the default with Postfix 2.9 and later.

       strict Convert message lines ending in <CR><LF> only if the first input
              line ends in <CR><LF>. This setting is backwards-compatible with
              Postfix 2.8 and earlier.

       never  Never convert message lines ending in <CR><LF>. This setting
              exists for completeness only.

       This feature is available in Postfix 2.9 and later.

sendmail_path (default: see postconf -d output)

       A Sendmail compatibility feature that specifies the location of the
       Postfix sendmail(1) command. This command can be used to submit mail
       into the Postfix queue.

service_name (read-only)

       The master.cf service name of a Postfix daemon process. This can be
       used to distinguish the logging from different services that use the
       same program name.

       Example master.cf entries:

       # Distinguish inbound MTA logging from submission and smtps logging.
       smtp      inet  n       -       n       -       -       smtpd
       submission inet n       -       n       -       -       smtpd
           -o syslog_name=postfix/$service_name
       smtps     inet  n       -       n       -       -       smtpd
           -o syslog_name=postfix/$service_name

       # Distinguish outbound MTA logging from inbound relay logging.
       smtp      unix  -       -       n       -       -       smtp
       relay     unix  -       -       n       -       -       smtp
           -o syslog_name=postfix/$service_name

service_throttle_time (default: 60s)

       How long the Postfix master(8) waits before forking a server that
       appears to be malfunctioning.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
       unit is s (seconds).

setgid_group (default: postdrop)

       The group ownership of set-gid Postfix commands and of group-writable
       Postfix directories. When this parameter value is changed you need to
       re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
       "/etc/postfix/post-install set-permissions").

shlib_directory (default: see 'postconf -d' output)

6471       The location of Postfix dynamically-linked libraries (libpostfix-*.so),
6472       and the default location of  Postfix  database  plugins  (postfix-*.so)
6473       that  have  a  relative  pathname  in  the  dynamicmaps.cf  file.   The
6474       shlib_directory  parameter  defaults  to  "no"  when  Postfix   dynami‐
6475       cally-linked  libraries  and  database  plugins are disabled at compile
6476       time, otherwise it typically defaults to /usr/lib/postfix  or  /usr/lo‐
6477       cal/lib/postfix.
6478
6479       Notes:
6480
6481       •      The directory specified with shlib_directory should contain only
6482              Postfix-related files. Postfix dynamically-linked libraries  and
6483              database  plugins  should  not be installed in a "public" system
6484              directory such as /usr/lib or  /usr/local/lib.  Linking  Postfix
6485              dynamically-linked   library  files  or  database  plugins  into
6486              non-Postfix  programs  is  not   supported.    Postfix   dynami‐
6487              cally-linked  libraries  and  database plugins implement a Post‐
6488              fix-internal API that changes without maintaining compatibility.
6489
6490       •      You can change the shlib_directory value after Postfix is built.
6491              However,  you  may have to run ldconfig or equivalent to prevent
6492              Postfix programs from failing because the libpostfix-*.so  files
6493              are  not  found.   No ldconfig command is needed if you keep the
6494              libpostfix-*.so files in the compiled-in  default  $shlib_direc‐
6495              tory location.
6496
6497       This feature is available in Postfix 3.0 and later.
6498

show_user_unknown_table_name (default: yes)

6500       Display  the  name  of  the  recipient  table in the "User unknown" re‐
6501       sponses.  The extra detail makes troubleshooting easier  but  also  re‐
6502       veals information that is nobody else's business.
6503
6504       This feature is available in Postfix 2.0 and later.
6505

showq_service_name (default: showq)

6507       The name of the showq(8) service. This service produces mail queue sta‐
6508       tus reports.
6509
6510       This feature is available in Postfix 2.0 and later.
6511

smtp_address_preference (default: any)

6513       The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6514       will  try  first,  when  a destination has IPv6 and IPv4 addresses with
6515       equal MX preference. This feature has no effect unless the  inet_proto‐
6516       cols setting enables both IPv4 and IPv6.
6517
6518       Postfix  SMTP  client  address preference has evolved. With Postfix 2.8
6519       the default is "ipv6"; earlier implementations are hard-coded to prefer
6520       IPv6 over IPv4.
6521
6522       Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6523       nectivity:
6524
6525       •      The setting "smtp_address_preference = ipv6" is unsafe.  It  can
6526              fail  to deliver mail when there is an outage that affects IPv6,
6527              while the destination is still reachable over IPv4.
6528
6529       •      The setting "smtp_address_preference = any" is safe. With  this,
6530              mail  will  eventually  be  delivered even if there is an outage
6531              that affects IPv6 or IPv4, as long as it does not affect both.
6532
6533       This feature is available in Postfix 2.8 and later.
6534

smtp_address_verify_target (default: rcpt)

6536       In the context of email address verification, the SMTP  protocol  stage
6537       that  determines  whether an email address is deliverable.  Specify one
6538       of "rcpt" or "data".  The latter is needed  with  remote  SMTP  servers
6539       that  reject  recipients  after the DATA command. Use transport_maps to
6540       apply this feature selectively:
6541
           /etc/postfix/main.cf:
               transport_maps = hash:/etc/postfix/transport

           /etc/postfix/transport:
               smtp-domain-that-verifies-after-data    smtp-data-target:
               lmtp-domain-that-verifies-after-data    lmtp-data-target:

           /etc/postfix/master.cf:
               smtp-data-target    unix    -    -    n    -    -    smtp
                   -o smtp_address_verify_target=data
               lmtp-data-target    unix    -    -    n    -    -    lmtp
                   -o lmtp_address_verify_target=data
6554
6555       Unselective use of the "data" target does no harm, but will  result  in
6556       unnecessary  "lost  connection  after  DATA" events at remote SMTP/LMTP
6557       servers.
6558
6559       This feature is available in Postfix 3.0 and later.
6560

smtp_always_send_ehlo (default: yes)

6562       Always send EHLO at the start of an SMTP session.
6563
6564       With "smtp_always_send_ehlo = no", the Postfix SMTP client  sends  EHLO
6565       only when the word "ESMTP" appears in the server greeting banner (exam‐
6566       ple: 220 spike.porcupine.org ESMTP Postfix).
6567

smtp_balance_inet_protocols (default: yes)

       When a remote destination resolves to a combination of IPv4 and IPv6
       addresses, ensure that the Postfix SMTP client can try both address
       types before it runs into the smtp_mx_address_limit.

       This avoids an interoperability problem when a destination resolves to
       primarily IPv6 addresses, the smtp_mx_address_limit feature eliminates
       most or all IPv4 addresses, and the destination is not reachable over
       IPv6.
6577
6578       This feature is available in Postfix 3.3 and later.
6579

smtp_bind_address (default: empty)

6581       An  optional  numerical  network  address  that the Postfix SMTP client
6582       should bind to when making an IPv4 connection.
6583
6584       This can be specified in the main.cf file for all SMTP clients,  or  it
6585       can be specified in the master.cf file for a specific client, for exam‐
6586       ple:
6587
           /etc/postfix/master.cf:
               smtp ... smtp -o smtp_bind_address=11.22.33.44
6590
6591       See smtp_bind_address_enforce for  how  Postfix  should  handle  errors
6592       (Postfix 3.7 and later).
6593
6594       Note  1:  when inet_interfaces specifies no more than one IPv4 address,
6595       and that address is a non-loopback address, it is automatically used as
6596       the  smtp_bind_address.  This supports virtual IP hosting, but can be a
6597       problem on multi-homed firewalls. See the inet_interfaces documentation
6598       for more detail.
6599
6600       Note 2: address information may be enclosed inside [], but this form is
6601       not required here.
6602

smtp_bind_address6 (default: empty)

6604       An optional numerical network address  that  the  Postfix  SMTP  client
6605       should bind to when making an IPv6 connection.
6606
6607       This feature is available in Postfix 2.2 and later.
6608
6609       This  can  be specified in the main.cf file for all SMTP clients, or it
6610       can be specified in the master.cf file for a specific client, for exam‐
6611       ple:
6612
           /etc/postfix/master.cf:
               smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6615
6616       See  smtp_bind_address_enforce  for  how  Postfix  should handle errors
6617       (Postfix 3.7 and later).
6618
6619       Note 1: when inet_interfaces specifies no more than one  IPv6  address,
6620       and that address is a non-loopback address, it is automatically used as
6621       the smtp_bind_address6.  This supports virtual IP hosting, but can be a
6622       problem on multi-homed firewalls. See the inet_interfaces documentation
6623       for more detail.
6624
6625       Note 2: address information may be enclosed inside [], but this form is
6626       not recommended here.
6627

smtp_bind_address_enforce (default: no)

6629       Defer   delivery   when  the  Postfix  SMTP  client  cannot  apply  the
6630       smtp_bind_address or smtp_bind_address6 setting. By default, the  Post‐
6631       fix SMTP client will continue delivery after logging a warning.
6632
6633       This feature is available in Postfix 3.7 and later.
6634

smtp_body_checks (default: empty)

6636       Restricted  body_checks(5)  tables  for the Postfix SMTP client.  These
6637       tables are searched while mail is being delivered.  Actions that change
6638       the delivery time or destination are not available.
6639
6640       This feature is available in Postfix 2.5 and later.
6641

smtp_cname_overrides_servername (default: version dependent)

6643       When  the remote SMTP servername is a DNS CNAME, replace the servername
6644       with the result from CNAME expansion for the purpose of  logging,  SASL
6645       password lookup, TLS policy decisions, or TLS certificate verification.
6646       The value "no" hardens Postfix smtp_tls_per_site  hostname-based  poli‐
6647       cies against false hostname information in DNS CNAME records, and makes
6648       SASL password file lookups more predictable. This is the  default  set‐
6649       ting as of Postfix 2.3.
6650
6651       When   DNS   CNAME  records  are  validated  with  secure  DNS  lookups
6652       (smtp_dns_support_level = dnssec), they are always allowed to  override
6653       the above servername (Postfix 2.11 and later).
6654
6655       This feature is available in Postfix 2.2.9 and later.
6656

smtp_connect_timeout (default: 30s)

6658       The  Postfix SMTP client time limit for completing a TCP connection, or
6659       zero (use the operating system built-in time limit).
6660
6661       When no connection can be made within the deadline,  the  Postfix  SMTP
6662       client  tries the next address on the mail exchanger list. Specify 0 to
6663       disable the time limit (i.e. use whatever timeout is implemented by the
6664       operating system).
6665
6666       Specify  a  non-negative time value (an integral value plus an optional
6667       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
6668       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
6669       unit is s (seconds).
6670

smtp_connection_cache_destinations (default: empty)

6672       Permanently enable SMTP connection caching for the  specified  destina‐
6673       tions.   With SMTP connection caching, a connection is not closed imme‐
6674       diately after completion of a mail transaction.  Instead,  the  connec‐
6675       tion  is kept open for up to $smtp_connection_cache_time_limit seconds.
6676       This allows connections to be reused for other deliveries, and can  im‐
6677       prove mail delivery performance.
6678
6679       Specify  a  comma  or  white  space  separated  list of destinations or
6680       pseudo-destinations:
6681
6682       •      if mail is sent  without  a  relay  host:  a  domain  name  (the
6683              right-hand side of an email address, without the [] around a nu‐
6684              meric IP address),
6685
6686       •      if mail is sent via a relay host: a relay host name (without  []
6687              or  non-default  TCP  port),  as  specified in main.cf or in the
6688              transport map,
6689
6690       •      if mail is sent via a UNIX-domain socket:  a  pathname  (without
6691              the unix: prefix),
6692
6693       •      a  /file/name  with  domain names and/or relay host names as de‐
6694              fined above,
6695
6696       •      a "type:table" with domain names and/or relay host names on  the
6697              left-hand  side.   The  right-hand side result from "type:table"
6698              lookups is ignored.
6699
6700       This feature is available in Postfix 2.2 and later.
6701

smtp_connection_cache_on_demand (default: yes)

6703       Temporarily enable SMTP connection caching while a  destination  has  a
6704       high volume of mail in the active queue.  With SMTP connection caching,
6705       a connection is not closed  immediately  after  completion  of  a  mail
6706       transaction.  Instead, the connection is kept open for up to $smtp_con‐
6707       nection_cache_time_limit seconds.  This allows connections to be reused
6708       for other deliveries, and can improve mail delivery performance.
6709
6710       This feature is available in Postfix 2.2 and later.
6711

smtp_connection_cache_time_limit (default: 2s)

6713       When SMTP connection caching is enabled, the amount of time that an un‐
6714       used SMTP client socket is kept open before it is closed.  Do not spec‐
6715       ify larger values without permission from the remote sites.
6716
6717       This feature is available in Postfix 2.2 and later.
6718

smtp_connection_reuse_count_limit (default: 0)

6720       When  SMTP  connection  caching is enabled, the number of times that an
6721       SMTP session may be reused before it is closed,  or  zero  (no  limit).
6722       With a reuse count limit of N, a connection is used up to N+1 times.
6723
6724       NOTE: This feature is unsafe. When a high-volume destination has multi‐
6725       ple inbound MTAs, then the slowest inbound MTA will  attract  the  most
6726       connections  to  that destination.  This limitation does not exist with
6727       the smtp_connection_reuse_time_limit feature.
6728
6729       This feature is available in Postfix 2.11.
6730

smtp_connection_reuse_time_limit (default: 300s)

6732       The amount of time during which Postfix will use an SMTP connection re‐
6733       peatedly.   The  timer starts when the connection is initiated (i.e. it
6734       includes the connect, greeting and helo latency, in addition to the la‐
6735       tencies of subsequent mail delivery transactions).
6736
6737       This feature addresses a performance stability problem with remote SMTP
6738       servers. This problem is not specific to Postfix: it  can  happen  when
6739       any  MTA  sends large amounts of SMTP email to a site that has multiple
6740       MX hosts.
6741
6742       The problem starts when one of a set of MX hosts  becomes  slower  than
6743       the  rest.   Even though SMTP clients connect to fast and slow MX hosts
6744       with equal probability, the slow MX host ends up with more simultaneous
6745       inbound  connections than the faster MX hosts, because the slow MX host
6746       needs more time to serve each client request.
6747
6748       The slow MX host becomes a connection attractor.  If one  MX  host  be‐
6749       comes  N times slower than the rest, it dominates mail delivery latency
6750       unless there are more than N fast MX hosts to counter the  effect.  And
6751       if  the number of MX hosts is smaller than N, the mail delivery latency
6752       becomes effectively that of the slowest MX host divided  by  the  total
6753       number of MX hosts.
6754
6755       The solution uses connection caching in a way that differs from Postfix
6756       version 2.2.  By limiting the amount of time during which a  connection
6757       can  be  used  repeatedly (instead of limiting the number of deliveries
6758       over that connection), Postfix not only restores fairness in  the  dis‐
6759       tribution of simultaneous connections across a set of MX hosts, it also
6760       favors deliveries over connections that perform well, which is  exactly
6761       what we want.
6762
6763       The  default  reuse time limit, 300s, is comparable to the various smtp
6764       transaction timeouts which are fair estimates of maximum excess latency
6765       for  a slow delivery.  Note that hosts may accept thousands of messages
6766       over a single connection  within  the  default  connection  reuse  time
6767       limit.  This number is much larger than the default Postfix version 2.2
6768       limit of 10 messages per cached connection. It may prove  necessary  to
6769       lower the limit to avoid interoperability issues with MTAs that exhibit
6770       bugs when many messages are delivered via a single connection.  A lower
6771       reuse  time limit risks losing the benefit of connection reuse when the
6772       average connection and mail delivery latency  exceeds  the  reuse  time
6773       limit.
6774
6775       This feature is available in Postfix 2.3 and later.
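
       The following is an added example, not part of the Postfix
       documentation: a steady-state model of the connection attractor
       argument above, comparing a per-connection delivery count limit with a
       per-connection time limit. It assumes hosts are chosen with equal
       probability, connection slots are always busy, and connection setup
       time is negligible; the function name is made up for the example.

```python
from fractions import Fraction


def steady_state(service_times, policy):
    """Model a sender that keeps a fixed pool of connection slots busy.

    service_times: per-message delivery time of each MX host (any unit).
    policy "count": every connection carries the same number of deliveries,
                    so its lifetime is proportional to the host's slowness.
    policy "time":  every connection lives for the same wall-clock time, so a
                    fast host simply delivers more messages during it.

    Returns (shares, throughput): the fraction of simultaneous connections
    held by each host, and messages delivered per connection slot per unit
    of time.
    """
    times = [Fraction(t) for t in service_times]
    n = len(times)
    if policy == "count":
        # Time spent on host i is proportional to times[i]: the slow host
        # holds its connections longer and accumulates them.
        total = sum(times)
        shares = [t / total for t in times]
        # One message per average service time.
        throughput = Fraction(n) / total
    elif policy == "time":
        # Equal lifetime and equal selection probability: equal shares.
        shares = [Fraction(1, n)] * n
        # Each slot delivers at the average of the per-host rates.
        throughput = sum(1 / t for t in times) / n
    else:
        raise ValueError("policy must be 'count' or 'time'")
    return shares, throughput


if __name__ == "__main__":
    # Three healthy MX hosts and one that has become 10 times slower.
    hosts = [1, 1, 1, 10]
    for policy in ("count", "time"):
        shares, throughput = steady_state(hosts, policy)
        print(policy, "slow host share:", shares[-1], "throughput:", throughput)
```

       With three fast hosts and one host that is 10 times slower, the count
       limit leaves 10/13 of all connections on the slow host, while the time
       limit leaves it with 1/4 and raises throughput from 4/13 to 31/40
       messages per slot per time unit.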
6776

smtp_data_done_timeout (default: 600s)

6778       The  Postfix  SMTP  client time limit for sending the SMTP ".", and for
6779       receiving the remote SMTP server response.
6780
6781       When no response is received within the deadline, a warning  is  logged
6782       that the mail may be delivered multiple times.
6783
6784       Specify  a  non-zero  time  value  (an  integral value plus an optional
6785       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
6786       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
6787       unit is s (seconds).
6788

smtp_data_init_timeout (default: 120s)

6790       The Postfix SMTP client time limit for sending the SMTP  DATA  command,
6791       and for receiving the remote SMTP server response.
6792
6793       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6794       The default time unit is s (seconds).
6795

smtp_data_xfer_timeout (default: 180s)

6797       The Postfix SMTP client time limit for sending the  SMTP  message  con‐
6798       tent.    When   the   connection   makes  no  progress  for  more  than
6799       $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates  the
6800       transfer.
6801
6802       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6803       The default time unit is s (seconds).
6804

smtp_defer_if_no_mx_address_found (default: no)

6806       Defer mail delivery when no MX record resolves to an IP address.
6807
6808       The default (no) is to return the mail  as  undeliverable.  With  older
6809       Postfix versions the default was to keep trying to deliver the mail un‐
6810       til someone fixed the MX record or until the mail was too old.
6811
6812       Note: the Postfix SMTP client always ignores MX records with  equal  or
6813       worse preference than the local MTA itself.
6814
6815       This feature is available in Postfix 2.1 and later.
6816

smtp_delivery_status_filter (default: $default_delivery_status_filter)

6818       Optional  filter  for the smtp(8) delivery agent to change the delivery
6819       status code or explanatory text of successful or unsuccessful  deliver‐
6820       ies.  See default_delivery_status_filter for details.
6821
6822       NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6823       sages that may or may not be derived from remote SMTP server responses.
6824       In  contrast, the smtp_reply_filter feature modifies remote SMTP server
6825       responses only.
6826

smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination via
       the smtp message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.
6833

smtp_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the smtp message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       smtp_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.
6844

smtp_discard_ehlo_keyword_address_maps (default: empty)

6846       Lookup tables, indexed by the remote SMTP server address, with case in‐
6847       sensitive  lists  of  EHLO  keywords (pipelining, starttls, auth, etc.)
6848       that the Postfix SMTP client will ignore in the EHLO  response  from  a
6849       remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6850       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
6851       card_ehlo_keyword_address_maps.
6852
6853       Specify zero or more "type:name" lookup tables, separated by whitespace
6854       or comma. Tables will be searched in the specified order until a  match
6855       is found.
6856
6857       This feature is available in Postfix 2.2 and later.
6858

smtp_discard_ehlo_keywords (default: empty)

6860       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
6861       etc.) that the Postfix SMTP client will ignore  in  the  EHLO  response
6862       from a remote SMTP server.
6863
6864       This feature is available in Postfix 2.2 and later.
6865
6866       Notes:
6867
6868       •      Specify the silent-discard pseudo keyword to prevent this action
6869              from being logged.
6870
6871       •      Use the smtp_discard_ehlo_keyword_address_maps feature  to  dis‐
6872              card EHLO keywords selectively.
6873

smtp_dns_reply_filter (default: empty)

6875       Optional  filter  for  Postfix SMTP client DNS lookup results.  Specify
6876       zero or more lookup tables.  The lookup  tables  are  searched  in  the
6877       given  order  for  a match with the DNS lookup result, converted to the
6878       following form:
6879
6880           name ttl class type preference value
6881
6882       The class field is always "IN", the preference field exists only for MX
6883       records, the names of hosts, domains, etc.  end in ".", and those names
6884       are in ASCII form (xn--mumble form in the case of UTF8 names).
6885
6886       When a match is found, the table lookup result specifies an action.  By
6887       default,  the  table  query  and  the action name are case-insensitive.
6888       Currently, only the IGNORE action is implemented.
6889
6890       Notes:
6891
6892       •      Postfix DNS reply filters have no effect on implicit DNS lookups
6893              through nsswitch.conf or equivalent mechanisms.
6894
6895       •      The  Postfix  SMTP/LMTP  client  uses  smtp_dns_reply_filter and
6896              lmtp_dns_reply_filter only to discover a  remote  SMTP  or  LMTP
6897              service (record types MX, A, AAAA, and TLSA).  These lookups are
6898              also made to implement the features reject_unverified_sender and
6899              reject_unverified_recipient.
6900
6901       •      The  Postfix SMTP/LMTP client defers mail delivery when a filter
6902              removes all lookup results from a successful query.
6903
6904       •      Postfix SMTP server uses smtpd_dns_reply_filter only to look  up
6905              MX,  A,  AAAA,  and  TXT  records  to implement the features re‐
6906              ject_unknown_helo_hostname,  reject_unknown_sender_domain,   re‐
6907              ject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*.
6908
6909       •      The  Postfix  SMTP server logs a warning or defers mail delivery
6910              when a filter removes  all  lookup  results  from  a  successful
6911              query.
6912
6913       Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6914       because Google sometimes hard-rejects mail from IPv6 clients with valid
6915       PTR etc. records.
6916
       /etc/postfix/main.cf:
           smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter

       /etc/postfix/smtp_dns_reply_filter:
           # /domain ttl IN AAAA address/ action, all case-insensitive.
           # Note: the domain name ends in ".".
           /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6924
6925       This feature is available in Postfix 3.0 and later.
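
       The following is an added example, not part of the Postfix
       documentation: an offline check of a reply filter table against
       constructed DNS results in the "name ttl class type preference value"
       form, including the case where the filter removes every result and
       delivery would be deferred. The table parser is a simplification (no
       pattern flags, no if/endif, no continuation lines) and the sample
       records are constructed.

```python
import re

# The table from the example above, embedded as text.
FILTER_TABLE = r"""
# /domain ttl IN AAAA address/ action, all case-insensitive.
# Note: the domain name ends in ".".
/^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
"""


def parse_table(text):
    """Parse '/pattern/ ACTION' lines; patterns match case-insensitively."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S+)", line)
        if m is None:
            raise ValueError(f"unsupported table line: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).upper()))
    return rules


def format_record(name, ttl, rtype, value, preference=None):
    """Render a DNS result the way the filter sees it.

    The class is always IN and the preference field exists only for MX.
    """
    fields = [name, str(ttl), "IN", rtype]
    if rtype == "MX":
        fields.append(str(preference))
    fields.append(value)
    return " ".join(fields)


def apply_filter(records, rules):
    """Return (kept, ignored, defer) for one successful lookup.

    defer is True when the filter removed every result, which is when the
    SMTP/LMTP client defers delivery.
    """
    kept, ignored = [], []
    for record in records:
        text = format_record(*record)
        action = next((a for rx, a in rules if rx.search(text)), None)
        (ignored if action == "IGNORE" else kept).append(text)
    return kept, ignored, bool(records) and not kept


if __name__ == "__main__":
    rules = parse_table(FILTER_TABLE)
    # Constructed lookup results using documentation address ranges.
    lookups = {
        "dual stack": [("mx1.google.com.", 300, "A", "192.0.2.25"),
                       ("mx1.google.com.", 300, "AAAA", "2001:db8::25")],
        "IPv6 only": [("mx2.google.com.", 300, "AAAA", "2001:db8::26")],
        "bare domain": [("google.com.", 300, "AAAA", "2001:db8::1")],
    }
    for label, records in lookups.items():
        kept, ignored, defer = apply_filter(records, rules)
        print(f"{label}: kept={kept} ignored={ignored} defer={defer}")
```

       The "bare domain" case shows that the example pattern requires at least
       one label in front of ".google.com.", so a record whose name is exactly
       "google.com." is not ignored.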
6926

smtp_dns_resolver_options (default: empty)

6928       DNS Resolver options for the Postfix SMTP client.  Specify zero or more
6929       of the following options, separated by  comma  or  whitespace.   Option
6930       names  are  case-sensitive. Some options refer to domain names that are
6931       specified in the file /etc/resolv.conf or equivalent.
6932
6933       res_defnames
6934              Append the current domain name to single-component names  (those
6935              that do not contain a "." character). This can produce incorrect
6936              results, and is the hard-coded behavior prior to Postfix 2.8.
6937
6938       res_dnsrch
6939              Search for host names in the current domain and  in  parent  do‐
6940              mains.  This  can produce incorrect results and is therefore not
6941              recommended.
6942
6943       This feature is available in Postfix 2.8 and later.
6944

smtp_dns_support_level (default: empty)

6946       Level of DNS support in the Postfix SMTP client.   With  "smtp_dns_sup‐
6947       port_level"   left  at  its  empty  default  value,  the  legacy  "dis‐
6948       able_dns_lookups" parameter controls whether  DNS  is  enabled  in  the
6949       Postfix SMTP client, otherwise the legacy parameter is ignored.
6950
6951       Specify one of the following:
6952
6953       disabled
6954              Disable  DNS  lookups.  No MX lookups are performed and hostname
6955              to address lookups are unconditionally "native".   This  setting
6956              is not appropriate for hosts that deliver mail to the public In‐
6957              ternet.  Some obsolete how-to documents recommend disabling  DNS
6958              lookups in some configurations with content_filters.  This is no
6959              longer required and strongly discouraged.
6960
6961       enabled
6962              Enable DNS lookups.  Nexthop destination domains not enclosed in
6963              "[]"  will  be subject to MX lookups.  If "dns" and "native" are
6964              included in the "smtp_host_lookup" parameter value, DNS will  be
6965              queried first to resolve MX-host A records, followed by "native"
6966              lookups if no answer is found in DNS.
6967
       dnssec Enable DNSSEC lookups. The "dnssec" setting differs from the
              "enabled" setting above in the following ways:

              •      Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0
                     to request DNSSEC-validated responses. If the MX response
                     is DNSSEC-validated the corresponding hostnames are
                     considered validated.

              •      The address lookups of validated hostnames are also
                     validated (provided of course "smtp_host_lookup" includes
                     "dns", see below).

              •      Temporary failures in DNSSEC-enabled hostname-to-address
                     resolution block any "native" lookups. Additional
                     "native" lookups only happen when DNSSEC lookups
                     hard-fail (NODATA or NXDOMAIN).
6983
6984       The  Postfix  SMTP  client  considers  non-MX  "[nexthop]"  and  "[nex‐
6985       thop]:port"  destinations equivalent to statically-validated MX records
6986       of the form "nexthop.  IN MX 0 nexthop."  Therefore, with "dnssec" sup‐
6987       port turned on, validated hostname-to-address lookups apply to the nex‐
6988       thop domain of any "[nexthop]" or "[nexthop]:port"  destination.   This
6989       is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6990       LMTP hostnames are never subject to MX lookups.
6991
6992       The "dnssec" setting is recommended only if you plan to use the dane or
6993       dane-only  TLS  security  level,  otherwise  enabling DNSSEC support in
6994       Postfix offers no additional security.  Postfix DNSSEC  support  relies
6995       on  an  upstream recursive nameserver that validates DNSSEC signatures.
6996       Such a DNS server will always filter out  forged  DNS  responses,  even
6997       when Postfix itself is not configured to use DNSSEC.
6998
6999       When using Postfix DANE support the "smtp_host_lookup" parameter should
7000       include "dns", as DANE is not applicable to hosts resolved via "native"
7001       lookups.
7002
       As mentioned above, Postfix is not a validating stub resolver; it
       relies on the system's configured DNSSEC-validating recursive nameserver
       to perform all DNSSEC validation. Since this nameserver's
       DNSSEC-validated responses will be fully trusted, it is strongly
       recommended that the MTA host have a local DNSSEC-validating recursive
       caching nameserver listening on a loopback address, and be configured
       to use only this nameserver for all lookups. Otherwise, Postfix may
       remain subject to man-in-the-middle attacks that forge responses from
       the recursive nameserver.
7012
7013       DNSSEC support requires a version of Postfix compiled against a reason‐
7014       ably-modern DNS resolver(3) library that implements the  RES_USE_DNSSEC
7015       and RES_USE_EDNS0 resolver options.
7016
7017       This feature is available in Postfix 2.11 and later.
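
       The following is an added example, not part of the Postfix
       documentation: a configuration check for the recommendations above. It
       reads main.cf and resolv.conf text and reports a non-loopback
       nameserver when "dnssec" is set, a DANE security level whose
       smtp_host_lookup lacks "dns", and "dnssec" without DANE. The sample
       files are constructed, the function names are made up, and the
       smtp_host_lookup default of "dns" is taken from its postconf(5) entry.

```python
import ipaddress
import re


def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}, without $name expansion."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # empty, whitespace-only and comment lines are ignored
        if raw[0].isspace():
            # A line that starts with whitespace continues the logical line.
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def resolver_addresses(resolv_conf_text):
    """Return the addresses on 'nameserver' lines of resolv.conf text."""
    addresses = []
    for line in resolv_conf_text.splitlines():
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addresses.append(fields[1])
    return addresses


def audit_dnssec(main_cf_text, resolv_conf_text):
    """Return a list of findings; an empty list means nothing to report."""
    params = parse_main_cf(main_cf_text)
    dnssec = params.get("smtp_dns_support_level", "") == "dnssec"
    dane = params.get("smtp_tls_security_level", "") in ("dane", "dane-only")
    host_lookup = re.split(r"[,\s]+", params.get("smtp_host_lookup", "dns").strip())
    findings = []
    if dnssec:
        # Validated answers are fully trusted, so the path to the validating
        # resolver should not leave the host. With no nameserver line the
        # system resolver falls back to the local host, so nothing is flagged.
        for addr in resolver_addresses(resolv_conf_text):
            try:
                loopback = ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
            except ValueError:
                loopback = False
            if not loopback:
                findings.append(f"nameserver {addr} is not a loopback address")
    if dane and "dns" not in host_lookup:
        findings.append("smtp_host_lookup lacks dns: DANE is not applicable "
                        "to hosts resolved via native lookups")
    if dnssec and not dane:
        findings.append("dnssec without dane or dane-only: no additional security")
    return findings


# Constructed sample files.
SAMPLE_MAIN_CF = """\
# Outbound TLS policy
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_host_lookup =
    native
"""
SAMPLE_RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 192.0.2.53   # constructed off-host resolver
"""

if __name__ == "__main__":
    for finding in audit_dnssec(SAMPLE_MAIN_CF, SAMPLE_RESOLV_CONF):
        print("FINDING:", finding)
```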
7018

smtp_enforce_tls (default: no)

7020       Enforcement  mode: require that remote SMTP servers use TLS encryption,
7021       and never send mail in the clear.  This also requires that  the  remote
7022       SMTP  server hostname matches the information in the remote server cer‐
7023       tificate, and that the remote SMTP server certificate was issued  by  a
7024       CA  that  is  trusted  by  the  Postfix SMTP client. If the certificate
7025       doesn't verify or the hostname doesn't match, delivery is deferred  and
7026       mail stays in the queue.
7027
7028       The  server  hostname is matched against all names provided as dNSNames
7029       in the SubjectAlternativeName.  If no dNSNames are specified, the  Com‐
7030       monName  is checked.  The behavior may be changed with the smtp_tls_en‐
7031       force_peername option.
7032
7033       This option is useful only if you are definitely  sure  that  you  will
7034       only  connect to servers that support RFC 2487 _and_ that provide valid
7035       server certificates.  Typical use is for clients that  send  all  their
7036       email to a dedicated mailhub.
7037
7038       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
7039       and later use smtp_tls_security_level instead.
7040

smtp_fallback_relay (default: $fallback_relay)

       Optional list of relay destinations that will be used when an SMTP
       destination is not found, or when delivery fails due to a non-permanent
       error. With Postfix 2.2 and earlier this parameter is called
       fallback_relay.

       By default, smtp_fallback_relay is empty, mail is returned to the
       sender when a destination is not found, and delivery is deferred after
       it fails due to a non-permanent error.

       With bulk email deliveries, it can be beneficial to run the fallback
       relay MTA on the same host, so that it can reuse the sender IP address.
       This speeds up deliveries that are delayed by IP-based reputation
       systems (greylist, etc.).

       The fallback relays must be SMTP destinations. Specify a domain, host,
       host:port, [host]:port, [address] or [address]:port; the form [host]
       turns off MX lookups. If you specify multiple SMTP destinations,
       Postfix will try them in the specified order.

       To prevent mailer loops between MX hosts and fall-back hosts, Postfix
       version 2.2 and later will not use the fallback relays for destinations
       that it is MX host for (assuming DNS lookup is turned on).


smtp_generic_maps (default: empty)

       Optional lookup tables that perform address rewriting in the Postfix
       SMTP client, typically to transform a locally valid address into a
       globally valid address when sending mail across the Internet. This is
       needed when the local machine does not have its own Internet domain
       name, but uses something like localdomain.local instead.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       The table format and lookups are documented in generic(5); examples are
       shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
       documents.

       This feature is available in Postfix 2.2 and later.


smtp_header_checks (default: empty)

       Restricted header_checks(5) tables for the Postfix SMTP client. These
       tables are searched while mail is being delivered. Actions that change
       the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.


smtp_helo_name (default: $myhostname)

       The hostname to send in the SMTP HELO or EHLO command.

       The default value is the machine hostname. Specify a hostname or
       [ip.add.re.ss].

       This information can be specified in the main.cf file for all SMTP
       clients, or it can be specified in the master.cf file for a specific
       client, for example:

           /etc/postfix/master.cf:
               mysmtp ... smtp -o smtp_helo_name=foo.bar.com

       This feature is available in Postfix 2.0 and later.


smtp_helo_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the HELO or EHLO
       command, and for receiving the initial remote SMTP server response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).


smtp_host_lookup (default: dns)

       What mechanisms the Postfix SMTP client uses to look up a host's IP
       address. This parameter is ignored when DNS lookups are disabled (see:
       disable_dns_lookups and smtp_dns_support_level). The "dns" mechanism
       is always tried before "native" if both are listed.

       Specify one of the following:

       dns    Hosts can be found in the DNS (preferred).

       native Use the native naming service only (nsswitch.conf, or equivalent
              mechanism).

       dns, native
              Use the native service for hosts not found in the DNS.

       This feature is available in Postfix 2.1 and later.


smtp_line_length_limit (default: 998)

       The maximal length of message header and body lines that Postfix will
       send via SMTP. This limit does not include the <CR><LF> at the end of
       each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to
       minimize the damage to MIME formatted mail. Specify zero to disable
       this limit.

       The Postfix limit of 998 characters not including <CR><LF> is
       consistent with the SMTP limit of 1000 characters including <CR><LF>.
       The Postfix limit was 990 with Postfix 2.8 and earlier.


smtp_mail_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the MAIL FROM command,
       and for receiving the remote SMTP server response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).


smtp_mime_header_checks (default: empty)

       Restricted mime_header_checks(5) tables for the Postfix SMTP client.
       These tables are searched while mail is being delivered. Actions that
       change the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.


smtp_min_data_rate (default: 500)

       The minimum plaintext data transfer rate in bytes/second for DATA
       requests, when deadlines are enabled with smtp_per_request_deadline.
       After a write operation transfers N plaintext message bytes (possibly
       after TLS encryption), and after the DATA request deadline is
       decremented by the elapsed time of that write operation, the DATA
       request deadline is incremented by N/smtp_min_data_rate seconds.
       However, the deadline will never be incremented beyond the time limit
       specified with smtp_data_xfer_timeout.

       This feature is available in Postfix 3.7 and later.


smtp_mx_address_limit (default: 5)

       The maximal number of MX (mail exchanger) IP addresses that can result
       from Postfix SMTP client mail exchanger lookups, or zero (no limit).
       Prior to Postfix version 2.3, this limit was disabled by default.

       This feature is available in Postfix 2.1 and later.


smtp_mx_session_limit (default: 2)

       The maximal number of SMTP sessions per delivery request before the
       Postfix SMTP client gives up or delivers to a fall-back relay host, or
       zero (no limit). This restriction ignores sessions that fail to
       complete the SMTP initial handshake (Postfix version 2.2 and earlier)
       or that fail to complete the EHLO and TLS handshake (Postfix version
       2.3 and later).

       This feature is available in Postfix 2.1 and later.


smtp_nested_header_checks (default: empty)

       Restricted nested_header_checks(5) tables for the Postfix SMTP client.
       These tables are searched while mail is being delivered. Actions that
       change the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.


smtp_never_send_ehlo (default: no)

       Never send EHLO at the start of an SMTP session. See also the
       smtp_always_send_ehlo parameter.


smtp_per_record_deadline (default: no)

       Change the behavior of the smtp_*_timeout time limits, from a time
       limit per read or write system call, to a time limit to send or receive
       a complete record (an SMTP command line, SMTP response line, SMTP
       message content line, or TLS protocol message). This limits the impact
       from hostile peers that trickle data one byte at a time.

       Note: when per-record deadlines are enabled, a short timeout may cause
       problems with TLS over very slow network connections. The reasons are
       that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
       and that an entire TLS protocol message must be sent or received within
       the per-record deadline.

       This feature is available in Postfix 2.9-3.6. With older Postfix
       releases, the behavior is as if this parameter is set to "no". Postfix
       3.7 and later use smtp_per_request_deadline.


smtp_per_request_deadline (default: no)

       Change the behavior of the smtp_*_timeout time limits, from a time
       limit per plaintext or TLS read or write call, to a combined time limit
       for sending a complete SMTP request and for receiving a complete SMTP
       response. The deadline limits only the time spent waiting for plaintext
       or TLS read or write calls, not time spent elsewhere. The per-request
       deadline limits the impact from hostile peers that trickle data one
       byte at a time.

       See smtp_min_data_rate for how the per-request deadline is managed
       during the DATA phase.

       Note: when per-request deadlines are enabled, a short time limit may
       cause problems with TLS over very slow network connections. The reason
       is that a TLS protocol message can be up to 16 kbytes long (with
       TLSv1), and that an entire TLS protocol message must be transferred
       within the per-request deadline.

       This feature is available in Postfix 3.7 and later. A weaker feature,
       called smtp_per_record_deadline, is available with Postfix 2.9-3.6.

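       The deadline accounting described under smtp_min_data_rate and
       smtp_per_request_deadline, modelled in Python as an added example
       (not Postfix source code). The function names, the 180s value used
       for smtp_data_xfer_timeout and both write traces are assumptions
       constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

Write = Tuple[int, float]  # (plaintext bytes transferred, seconds the write took)


@dataclass
class DataPhaseResult:
    completed: bool
    failed_write: Optional[int]  # 0-based index of the write that hit the deadline
    bytes_sent: int
    seconds_waited: float


def simulate_data_phase(writes: Iterable[Write],
                        min_data_rate: int = 500,
                        data_xfer_timeout: float = 180.0) -> DataPhaseResult:
    """Apply the documented per-request deadline rule to a trace of writes."""
    remaining = data_xfer_timeout  # time budget left for the DATA request
    bytes_sent = 0
    waited = 0.0
    for index, (n_bytes, elapsed) in enumerate(writes):
        waited += elapsed
        remaining -= elapsed  # decrement by the elapsed time of the write
        if remaining <= 0:
            return DataPhaseResult(False, index, bytes_sent, waited)
        bytes_sent += n_bytes
        # Credit N / smtp_min_data_rate seconds, never beyond the time limit.
        remaining = min(data_xfer_timeout, remaining + n_bytes / min_data_rate)
    return DataPhaseResult(True, None, bytes_sent, waited)


def per_call_limit_trips(writes: Iterable[Write], timeout: float) -> bool:
    """Behaviour without deadlines: each write call is timed on its own."""
    return any(elapsed >= timeout for _, elapsed in writes)


# Constructed traces: a peer that accepts 125 bytes per second (below the
# 500 bytes/second minimum) and a healthy peer taking 64 KiB every 50 ms.
TRICKLE = [(125, 1.0)] * 1000
HEALTHY = [(65536, 0.05)] * 100

if __name__ == "__main__":
    print(simulate_data_phase(TRICKLE))         # runs out of budget
    print(per_call_limit_trips(TRICKLE, 180.0))  # per-call limit never fires
    print(simulate_data_phase(HEALTHY))         # budget stays at the cap
```

       Each trickled write costs 1s and earns back only 0.25s, so the
       budget drains even though no single write comes near the per-call
       limit.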

smtp_pix_workaround_delay_time (default: 10s)

       How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
       order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.

       Choosing too short a time makes this workaround ineffective when
       sending large messages over slow network connections.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).


smtp_pix_workaround_maps (default: empty)

       Lookup tables, indexed by the remote SMTP server address, with
       per-destination workarounds for CISCO PIX firewall bugs. The table is
       not indexed by hostname for consistency with
       smtp_discard_ehlo_keyword_address_maps.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       This feature is available in Postfix 2.4 and later.


smtp_pix_workaround_threshold_time (default: 500s)

       How long a message must be queued before the Postfix SMTP client turns
       on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
       through firewalls with "smtp fixup" mode turned on.

       Specify a non-negative time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       By default, the workaround is turned off for mail that is queued for
       less than 500 seconds. In other words, the workaround is normally
       turned off for the first delivery attempt.

       Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
       upon the first delivery attempt.


smtp_pix_workarounds (default: disable_esmtp, delay_dotcrlf)

       A list that specifies zero or more workarounds for CISCO PIX firewall
       bugs. These workarounds are implemented by the Postfix SMTP client.
       Workaround names are separated by comma or space, and are case
       insensitive. This parameter setting can be overruled with
       per-destination smtp_pix_workaround_maps settings.

       delay_dotcrlf
              Insert a delay before sending ".<CR><LF>" after the end of the
              message content. The delay is subject to the
              smtp_pix_workaround_delay_time and
              smtp_pix_workaround_threshold_time parameter settings.

       disable_esmtp
              Disable all extended SMTP commands: send HELO instead of EHLO.

       This feature is available in Postfix 2.4 and later. The default
       settings are backwards compatible with earlier Postfix versions.


smtp_quit_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the QUIT command, and
       for receiving the remote SMTP server response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).


smtp_quote_rfc821_envelope (default: yes)

       Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
       as required by RFC 5321. This includes putting quotes around an address
       localpart that ends in ".".

       The default is to comply with RFC 5321. If you have to send mail to a
       broken SMTP server, configure a special SMTP client in master.cf:

           /etc/postfix/master.cf:
               broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no

       and route mail for the destination in question to the "broken-smtp"
       message delivery with a transport(5) table.

       This feature is available in Postfix 2.1 and later.


smtp_randomize_addresses (default: yes)

       Randomize the order of equal-preference MX host addresses. This is a
       performance feature of the Postfix SMTP client.


smtp_rcpt_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the SMTP RCPT TO
       command, and for receiving the remote SMTP server response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).


smtp_reply_filter (default: empty)

       A mechanism to transform replies from remote SMTP servers one line at a
       time. This is a last-resort tool to work around server replies that
       break interoperability with the Postfix SMTP client. Other uses
       involve fault injection to test Postfix's handling of invalid
       responses.

       Notes:

       •      In the case of a multi-line reply, the Postfix SMTP client uses
              the final reply line's numerical SMTP reply code and enhanced
              status code.

       •      The numerical SMTP reply code (XYZ) takes precedence over the
              enhanced status code (X.Y.Z). When the enhanced status code
              initial digit differs from the SMTP reply code initial digit, or
              when no enhanced status code is present, the Postfix SMTP client
              uses a generic enhanced status code (X.0.0) instead.

       Specify the name of a "type:table" lookup table. The search string is a
       single SMTP reply line as received from the remote SMTP server, except
       that the trailing <CR><LF> are removed. When the lookup succeeds, the
       result replaces the single SMTP reply line.

       Examples:

       /etc/postfix/main.cf:
           smtp_reply_filter = pcre:/etc/postfix/reply_filter

       /etc/postfix/reply_filter:
           # Transform garbage into "250-filler..." so that it looks like
           # one line from a multi-line reply. It does not matter what we
           # substitute here as long as it has the right syntax. The Postfix
           # SMTP client will use the final line's numerical SMTP reply
           # code and enhanced status code.
           !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage

       This feature is available in Postfix 2.7.

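       The effect of the reply_filter rule above, combined with the two
       notes on reply code precedence, modelled in Python as an added
       example (not Postfix source code). The function names and the sample
       replies are assumptions constructed for illustration.

```python
import re
from typing import Iterable, List, Optional, Tuple

# The pattern and replacement from the reply_filter example above.
VALID_REPLY = re.compile(r"^([2-5][0-9][0-9]($|[- ]))")
FILLER = "250-filler for garbage"
# Enhanced status code (X.Y.Z) at the start of the reply text.
ENHANCED = re.compile(r"^([245])\.[0-9]{1,3}\.[0-9]{1,3}(?= |$)")


def filter_reply_line(line: str) -> str:
    """Negated rule: only a line that does NOT match is replaced."""
    return line if VALID_REPLY.search(line) else FILLER


def read_reply(lines: Iterable[str]) -> Optional[Tuple[str, str, List[str]]]:
    """Return (reply code, enhanced status, filtered lines) for the first
    complete reply, or None when no final reply line arrives."""
    seen: List[str] = []
    for raw in lines:
        line = filter_reply_line(raw)
        seen.append(line)
        if len(line) > 3 and line[3] == "-":
            continue  # continuation line of a multi-line reply
        code, text = line[:3], line[4:]
        match = ENHANCED.match(text)
        if match and match.group(1) == code[0]:
            status = match.group(0)
        else:
            status = code[0] + ".0.0"  # generic status, the reply code wins
        return code, status, seen
    return None


# Constructed sample replies (trailing <CR><LF> already removed).
EHLO_WITH_GARBAGE = ["250-mx.example.net", "\x00\x00junk from a middlebox",
                     "250-SIZE 10240000", "250 8BITMIME"]
MISMATCHED = ["550 4.7.1 mailbox unavailable"]
TRUNCATED = ["250-mx.example.net", "junk as the last line"]

if __name__ == "__main__":
    for sample in (EHLO_WITH_GARBAGE, MISMATCHED, TRUNCATED):
        print(read_reply(sample))
```

       Because the filler is a continuation line, garbage at the end of a
       reply does not complete it, and a syntactically valid 4XX or 5XX
       line is never rewritten by this rule.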

smtp_rset_timeout (default: 20s)

       The Postfix SMTP client time limit for sending the RSET command, and
       for receiving the remote SMTP server response. The SMTP client sends
       RSET in order to finish a recipient address probe, or to verify that a
       cached session is still usable.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.


smtp_sasl_auth_cache_name (default: empty)

       An optional table to prevent repeated SASL authentication failures with
       the same remote SMTP server hostname, username and password. Each table
       (key, value) pair contains a server name, a username and password, and
       the full server response. This information is stored when a remote SMTP
       server rejects an authentication attempt with a 535 reply code. As
       long as the smtp_sasl_password_maps information does not change, and as
       long as the smtp_sasl_auth_cache_name information does not expire (see
       smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL
       authentication attempts with the same server, username and password,
       and instead bounces or defers mail as controlled with the
       smtp_sasl_auth_soft_bounce configuration parameter.

       Use a per-destination delivery concurrency of 1 (for example,
       "smtp_destination_concurrency_limit = 1",
       "relay_destination_concurrency_limit = 1", etc.), otherwise multiple
       delivery agents may experience a login failure at the same time.

       The table must be accessed via the proxywrite service, i.e. the map
       name must start with "proxy:". The table should be stored under the
       directory specified with the data_directory parameter.

       This feature uses cryptographic hashing to protect plain-text
       passwords, and requires that Postfix is compiled with TLS support.

       Example:

       smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache

       This feature is available in Postfix 2.5 and later.


smtp_sasl_auth_cache_time (default: 90d)

       The maximal age of an smtp_sasl_auth_cache_name entry before it is
       removed.

       Specify a non-negative time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is d (days).

       This feature is available in Postfix 2.5 and later.


smtp_sasl_auth_enable (default: no)

       Enable SASL authentication in the Postfix SMTP client. By default, the
       Postfix SMTP client uses no authentication.

       Example:

       smtp_sasl_auth_enable = yes


smtp_sasl_auth_soft_bounce (default: yes)

       When a remote SMTP server rejects a SASL authentication request with a
       535 reply code, defer mail delivery instead of returning mail as
       undeliverable. The latter behavior was hard-coded prior to Postfix
       version 2.5.

       Note: the setting "yes" overrides the global soft_bounce parameter, but
       the setting "no" does not.

       Example:

       # Default as of Postfix 2.5
       smtp_sasl_auth_soft_bounce = yes
       # The old hard-coded default
       smtp_sasl_auth_soft_bounce = no

       This feature is available in Postfix 2.5 and later.


smtp_sasl_mechanism_filter (default: empty)

       If non-empty, a Postfix SMTP client filter for the remote SMTP server's
       list of offered SASL mechanisms. Different client and server
       implementations may support different mechanism lists; by default, the
       Postfix SMTP client will use the intersection of the two.
       smtp_sasl_mechanism_filter specifies an optional third mechanism list
       to intersect with.

       Specify mechanism names, "/file/name" patterns or "type:table" lookup
       tables. The right-hand side result from "type:table" lookups is
       ignored. Specify "!pattern" to exclude a mechanism name from the list.
       The form "!/file/name" is supported only in Postfix version 2.4 and
       later.

       This feature is available in Postfix 2.2 and later.

       Examples:

       smtp_sasl_mechanism_filter = plain, login
       smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
       smtp_sasl_mechanism_filter = !gssapi, !login, static:rest


smtp_sasl_password_maps (default: empty)

       Optional Postfix SMTP client lookup tables with one username:password
       entry per sender, remote hostname or next-hop domain. Per-sender lookup
       is done only when sender-dependent authentication is enabled. If no
       username:password entry is found, then the Postfix SMTP client will not
       attempt to authenticate to the remote host.

       The Postfix SMTP client opens the lookup table before going to chroot
       jail, so you can leave the password file in /etc/postfix.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.


smtp_sasl_path (default: empty)

       Implementation-specific information that the Postfix SMTP client passes
       through to the SASL plug-in implementation that is selected with
       smtp_sasl_type. Typically this specifies the name of a configuration
       file or rendezvous point.

       This feature is available in Postfix 2.3 and later.


smtp_sasl_security_options (default: noplaintext, noanonymous)

       Postfix SMTP client SASL security options; as of Postfix 2.3 the list
       of available features depends on the SASL client implementation that is
       selected with smtp_sasl_type.

       The following security features are defined for the cyrus client SASL
       implementation:

       Specify zero or more of the following:

       noplaintext
              Disallow methods that use plaintext passwords.

       noactive
              Disallow methods subject to active (non-dictionary) attack.

       nodictionary
              Disallow methods subject to passive (dictionary) attack.

       noanonymous
              Disallow methods that allow anonymous authentication.

       mutual_auth
              Only allow methods that provide mutual authentication (not
              available with SASL version 1).

       Example:

       smtp_sasl_security_options = noplaintext


smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)

       The SASL authentication security options that the Postfix SMTP client
       uses for TLS encrypted SMTP sessions.

       This feature is available in Postfix 2.2 and later.


smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)

       The SASL authentication security options that the Postfix SMTP client
       uses for TLS encrypted SMTP sessions with a verified server
       certificate.

       When mail is sent to the public MX host for the recipient's domain,
       server certificates are by default optional, and delivery proceeds even
       if certificate verification fails. For delivery via a submission
       service that requires SASL authentication, it may be appropriate to
       send plaintext passwords only when the connection to the server is
       strongly encrypted and the server identity is verified.

       The smtp_sasl_tls_verified_security_options parameter makes it possible
       to only enable plaintext mechanisms when a secure connection to the
       server is available. Submission servers subject to this policy must
       either have verifiable certificates or offer suitable non-plaintext
       SASL mechanisms.

       This feature is available in Postfix 2.6 and later.

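       How smtp_sasl_mechanism_filter and the three
       smtp_sasl_*security_options parameters narrow the offered mechanism
       list, modelled in Python as an added example (not Postfix source
       code). Assumptions: the mechanism property table, the session labels,
       first-match-wins and case-insensitive filter matching, and support
       for literal names, "!name" and a "static:" catch-all only.

```python
import re
from typing import Dict, Iterable, List, Set

# Defaults as shown in the parameter headings above.
DEFAULTS = {
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options": "$smtp_sasl_security_options",
    "smtp_sasl_tls_verified_security_options": "$smtp_sasl_tls_security_options",
}
# Which parameter applies to which kind of session (labels are assumptions).
OPTION_FOR_SESSION = {
    "cleartext": "smtp_sasl_security_options",
    "tls": "smtp_sasl_tls_security_options",
    "tls_verified": "smtp_sasl_tls_verified_security_options",
}
# Assumption: properties of a few well-known mechanisms.
MECH_PROPERTIES: Dict[str, Set[str]] = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": set(),
    "SCRAM-SHA-256": set(),
}


def split_list(value: str) -> List[str]:
    """Split a comma or whitespace separated parameter value."""
    return [word for word in re.split(r"[,\s]+", value.strip()) if word]


def security_options(params: Dict[str, str], session: str) -> Set[str]:
    """Resolve the options for a session, following "$name" defaults."""
    name = OPTION_FOR_SESSION[session]
    value = params.get(name, DEFAULTS[name])
    while value.startswith("$"):
        name = value[1:]
        value = params.get(name, DEFAULTS[name])
    return set(split_list(value))


def filter_allows(mech_filter: str, mech: str) -> bool:
    """An empty filter allows everything; otherwise the first match decides."""
    patterns = split_list(mech_filter)
    if not patterns:
        return True
    for pattern in patterns:
        allow = True
        while pattern.startswith("!"):
            allow = not allow
            pattern = pattern[1:]
        if pattern.startswith("static:") or pattern.lower() == mech.lower():
            return allow
    return False


def usable_mechanisms(server_offer: str, client_mechs: Iterable[str],
                      mech_filter: str, session: str,
                      params: Dict[str, str]) -> List[str]:
    """Server offer, intersected with client support, filter and policy."""
    options = security_options(params, session)
    client = {mech.upper() for mech in client_mechs}
    usable = []
    for mech in split_list(server_offer):
        name = mech.upper()
        props = MECH_PROPERTIES.get(name)
        if props is None or name not in client:
            continue
        if not filter_allows(mech_filter, name):
            continue
        if "noplaintext" in options and "plaintext" in props:
            continue
        if "noanonymous" in options and "anonymous" in props:
            continue
        usable.append(name)
    return usable


# Constructed settings: WEAK allows plaintext passwords on any session,
# VERIFIED_ONLY allows them only after the server certificate verified.
WEAK = {"smtp_sasl_security_options": "noanonymous"}
VERIFIED_ONLY = {"smtp_sasl_tls_verified_security_options": "noanonymous"}

if __name__ == "__main__":
    offer, client = "PLAIN LOGIN", ["PLAIN", "LOGIN", "CRAM-MD5"]
    for session in ("cleartext", "tls", "tls_verified"):
        print(session, usable_mechanisms(offer, client, "", session, WEAK),
              usable_mechanisms(offer, client, "", session, VERIFIED_ONLY))
```

       With VERIFIED_ONLY, a server that offers only PLAIN and LOGIN yields
       an empty list on an unverified session, so no password is sent.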

smtp_sasl_type (default: cyrus)

       The SASL plug-in type that the Postfix SMTP client should use for
       authentication. The available types are listed with the "postconf -A"
       command.

       This feature is available in Postfix 2.3 and later.


smtp_send_dummy_mail_auth (default: no)

       Whether or not to append the "AUTH=<>" option to the MAIL FROM command
       in SASL-authenticated SMTP sessions. The default is not to send this,
       to avoid problems with broken remote SMTP servers. Before Postfix 2.9
       the behavior is as if "smtp_send_dummy_mail_auth = yes".

       This feature is available in Postfix 2.9 and later.


smtp_send_xforward_command (default: no)

       Send the non-standard XFORWARD command when the Postfix SMTP server
       EHLO response announces XFORWARD support.

       This allows a Postfix SMTP delivery agent, used for injecting mail into
       a content filter, to forward the name, address, protocol and HELO name
       of the original client to the content filter and downstream queuing
       SMTP server. This can produce more useful logging than
       localhost[127.0.0.1] etc.

       This feature is available in Postfix 2.1 and later.


smtp_sender_dependent_authentication (default: no)

       Enable sender-dependent authentication in the Postfix SMTP client; this
       is available only with SASL authentication, and disables SMTP
       connection caching to ensure that mail from different senders will use
       the appropriate credentials.

       This feature is available in Postfix 2.3 and later.


smtp_skip_4xx_greeting (default: yes)

       Skip SMTP servers that greet with a 4XX status code (go away, try again
       later).

       By default, the Postfix SMTP client moves on to the next mail
       exchanger. Specify "smtp_skip_4xx_greeting = no" if Postfix should
       defer delivery immediately.

       This feature is available in Postfix 2.0 and earlier. Later Postfix
       versions always skip remote SMTP servers that greet with a 4XX status
       code.


smtp_skip_5xx_greeting (default: yes)

       Skip remote SMTP servers that greet with a 5XX status code.

       By default, the Postfix SMTP client moves on to the next mail
       exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should
       bounce the mail immediately. Caution: the latter behavior appears to
       contradict RFC 2821.


smtp_skip_quit_response (default: yes)

       Do not wait for the response to the SMTP QUIT command.


smtp_starttls_timeout (default: 300s)

       Time limit for Postfix SMTP client write and read operations during TLS
       startup and shutdown handshake procedures.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.2 and later.


smtp_tcp_port (default: smtp)

       The default TCP port that the Postfix SMTP client connects to. Specify
       a symbolic name (see services(5)) or a numeric port.


smtp_tls_CAfile (default: empty)

       A file containing CA certificates of root CAs trusted to sign either
       remote SMTP server certificates or intermediate CA certificates. These
       are loaded into memory before the smtp(8) client enters the chroot
       jail. If the number of trusted roots is large, consider using
       smtp_tls_CApath instead, but note that the latter directory must be
       present in the chroot jail if the smtp(8) client is chrooted. This file
       may also be used to augment the client certificate trust chain, but it
       is best to include all the required certificates directly in
       $smtp_tls_cert_file (or, Postfix >= 3.4 $smtp_tls_chain_files).

       Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
       system-supplied default Certification Authority certificates.

       Specify "tls_append_default_CA = no" to prevent Postfix from appending
       the system-supplied default CAs and trusting third-party certificates.

       Example:

       smtp_tls_CAfile = /etc/postfix/CAcert.pem

       This feature is available in Postfix 2.2 and later.


smtp_tls_CApath (default: empty)

       Directory with PEM format Certification Authority certificates that the
       Postfix SMTP client uses to verify a remote SMTP server certificate.
       Don't forget to create the necessary "hash" links with, for example,
       "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".

       To use this option in chroot mode, this directory (or a copy) must be
       inside the chroot jail.

       Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
       the system-supplied default Certification Authority certificates.

       Specify "tls_append_default_CA = no" to prevent Postfix from appending
       the system-supplied default CAs and trusting third-party certificates.

       Example:

       smtp_tls_CApath = /etc/postfix/certs

       This feature is available in Postfix 2.2 and later.


smtp_tls_block_early_mail_reply (default: no)

       Try to detect a mail hijacking attack based on a TLS protocol
       vulnerability (CVE-2009-3555), where an attacker prepends malicious
       HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
       The attack would succeed with non-Postfix SMTP servers that reply to
       the malicious HELO, MAIL, RCPT, DATA commands after negotiating the
       Postfix SMTP client TLS session.

       This feature is available in Postfix 2.7.


smtp_tls_cert_file (default: empty)

       File with the Postfix SMTP client RSA certificate in PEM format. This
       file may also contain the Postfix SMTP client private RSA key, and
       these may be the same as the Postfix SMTP server RSA certificate and
       key file. With Postfix >= 3.4 the preferred way to configure client
       keys and certificates is via the "smtp_tls_chain_files" parameter.

       Do not configure client certificates unless you must present client TLS
       certificates to one or more servers. Client certificates are not
       usually needed, and can cause problems in configurations that work well
       without them. The recommended setting is to let the defaults stand:

           smtp_tls_cert_file =
           smtp_tls_key_file =
           smtp_tls_eccert_file =
           smtp_tls_eckey_file =
           # Obsolete DSA parameters
           smtp_tls_dcert_file =
           smtp_tls_dkey_file =
           # Postfix >= 3.4 interface
           smtp_tls_chain_files =

       The best way to use the default settings is to comment out the above
       parameters in main.cf if present.

       To enable remote SMTP servers to verify the Postfix SMTP client
       certificate, the issuing CA certificates must be made available to the
       server. You should include the required certificates in the client
       certificate file, the client certificate first, then the issuing CA(s)
       (bottom-up order).

       Example: the certificate for "client.example.com" was issued by
       "intermediate CA" which itself has a certificate issued by "root CA".
       As the "root" super-user create the chain.pem file with:

           # umask 077
           # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem

       If you also want to verify remote SMTP server certificates issued by
       these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
       which case it is not necessary to have them in the smtp_tls_cert_file,
       smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.

       A certificate supplied here must be usable as an SSL client certificate
       and hence pass the "openssl verify -purpose sslclient ..." test.

       Example:

       smtp_tls_cert_file = /etc/postfix/chain.pem

       This feature is available in Postfix 2.2 and later.

smtp_tls_chain_files (default: empty)

       List of one or more PEM files, each holding one or more private keys
       directly followed by a corresponding certificate chain. The file names
       are separated by commas and/or whitespace. This parameter obsoletes
       the legacy algorithm-specific key and certificate file settings. When
       this parameter is non-empty, the legacy parameters are ignored, and a
       warning is logged if any are also non-empty.

       With the proliferation of multiple private key algorithms, which as of
       OpenSSL 1.1.1 include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448, it
       is increasingly impractical to use separate parameters to configure the
       key and certificate chain for each algorithm. Therefore, Postfix now
       supports storing multiple keys and corresponding certificate chains in
       a single file or in a set of files.

       Each key must appear immediately before the corresponding certificate,
       optionally followed by additional issuer certificates that complete the
       certificate chain for that key. When multiple files are specified,
       they are equivalent to a single file that is concatenated from those
       files in the given order. Thus, while a key must always precede its
       certificate and issuer chain, it can be in a separate file, so long as
       that file is listed immediately before the file that holds the
       corresponding certificate chain. Once all the files are concatenated,
       the sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
       [chain2], ..., keyN, certN, [chainN].

       Storing the private key in the same file as the corresponding
       certificate is more reliable. With the key and certificate in separate
       files, there is a chance that during key rollover a Postfix process
       might load a private key and certificate from separate files that don't
       match. Various operational errors may even result in a persistent
       broken configuration in which the certificate does not match the
       private key.

       The file or files must contain at most one key of each type. If, for
       example, two or more RSA keys and corresponding chains are listed,
       depending on the version of OpenSSL either only the last one will be
       used or a configuration error may be detected. Note that while "Ed25519"
       and "Ed448" are considered separate algorithms, the various ECDSA
       curves (typically one of prime256v1, secp384r1 or secp521r1) are
       considered as different parameters of a single "ECDSA" algorithm, so it
       is not presently possible to configure keys for more than one ECDSA
       curve.

       Example (separate files for each key and corresponding certificate
       chain):

           /etc/postfix/main.cf:
               smtp_tls_chain_files =
                   ${config_directory}/ed25519.pem,
                   ${config_directory}/ed448.pem,
                   ${config_directory}/rsa.pem

           /etc/postfix/ed25519.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----

           /etc/postfix/ed448.pem:
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----

           /etc/postfix/rsa.pem:
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----

       Example (all keys and certificates in a single file):

           /etc/postfix/main.cf:
               smtp_tls_chain_files = ${config_directory}/chains.pem

           /etc/postfix/chains.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----

       This feature is available in Postfix 3.4 and later.
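
       The object order and the one-key-per-type rule described above can be
       checked before a reload. The following Python check is an added example,
       not part of Postfix or of this manual; it assumes PKCS#8 "PRIVATE KEY"
       objects as in the examples above, checks structure only (not that a key
       matches its certificate), and its names and sample objects are constructed.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# OID content bytes of the PKCS#8 AlgorithmIdentifier, mapped to the key
# "type" as the text above counts them (every ECDSA curve is one type).
KEY_OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",
    bytes.fromhex("2a8648ce3d0201"): "ECDSA",
    bytes.fromhex("2b6570"): "Ed25519",
    bytes.fromhex("2b6571"): "Ed448",
    bytes.fromhex("2a8648ce380401"): "DSA",
}


def pkcs8_algorithm(der):
    """Return the algorithm named in a PKCS#8 PrivateKeyInfo, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    # Skip the outer SEQUENCE header (short or long-form length).
    pos = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    # Expect INTEGER version, then SEQUENCE AlgorithmIdentifier { OID, ... }.
    if der[pos:pos + 2] != b"\x02\x01" or der[pos + 3:pos + 4] != b"\x30":
        return None
    oid_at = pos + 5
    if len(der) < oid_at + 2 or der[oid_at] != 0x06:
        return None
    oid_len = der[oid_at + 1]
    return KEY_OIDS.get(der[oid_at + 2:oid_at + 2 + oid_len])


def check_chain_files(file_texts):
    """Check PEM object order across the files of smtp_tls_chain_files.

    file_texts holds the file contents in the configured order. Returns a
    list of problems; an empty list means the concatenation follows
    key1, cert1, [chain1], ..., keyN, certN, [chainN].
    """
    objects = PEM_RE.findall("\n".join(file_texts))
    if not objects:
        return ["no PEM objects found"]
    problems, seen, prev = [], {}, None
    for index, (label, body) in enumerate(objects, 1):
        if label == "PRIVATE KEY":
            if prev == "key":
                problems.append(f"object {index}: key follows a key that has no certificate")
            try:
                der = base64.b64decode(body)
            except ValueError:
                der = b""
            algo = pkcs8_algorithm(der)
            if algo is None:
                problems.append(f"object {index}: unrecognized private key encoding")
            elif algo in seen:
                problems.append(f"object {index}: second {algo} key (first is object "
                                f"{seen[algo]}); at most one key of each type")
            else:
                seen[algo] = index
            prev = "key"
        elif label == "CERTIFICATE":
            if prev is None:
                problems.append(f"object {index}: certificate appears before any private key")
            prev = "cert"
        else:
            problems.append(f"object {index}: unexpected PEM object {label!r}")
    if prev == "key":
        problems.append("last private key is not followed by its certificate")
    return problems


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed samples: correctly shaped headers, not usable keys or certificates.
ED25519_KEY = _pem("PRIVATE KEY", bytes.fromhex("302e020100300506032b657004220420") + bytes(32))
RSA_KEY = _pem("PRIVATE KEY", bytes.fromhex("30820010020100300d06092a864886f70d0101010500") + bytes(4))
CERT = _pem("CERTIFICATE", b"constructed placeholder, not a real certificate")

if __name__ == "__main__":
    cases = {
        "key, cert, chain, key, cert": [ED25519_KEY + CERT + CERT, RSA_KEY + CERT],
        "certificate listed first": [CERT + ED25519_KEY],
        "two RSA keys": [RSA_KEY + CERT, RSA_KEY + CERT],
    }
    for name, files in cases.items():
        print(name, "->", check_chain_files(files) or "OK")
```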

smtp_tls_cipherlist (default: empty)

       Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
       list. As this feature applies to all TLS security levels, it is easy to
       create interoperability problems by choosing a non-default cipher list.
       Do not use a non-default TLS cipher list on hosts that deliver email to
       the public Internet: you will be unable to send email to servers that
       only support the ciphers you exclude. Using a restricted cipher list
       may be more appropriate for an internal MTA, where one can exert some
       control over the TLS software and settings of the peer servers.

       Note: do not use "" quotes around the parameter value.

       This feature is available in Postfix version 2.2. It is not used with
       Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.

smtp_tls_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP client will use with
       opportunistic TLS encryption. Cipher types listed in
       smtp_tls_exclude_ciphers are excluded from the base definition of the
       selected cipher grade. The default value is "medium" for Postfix
       releases after the middle of 2015, "export" for older releases.

       When TLS is mandatory the cipher grade is chosen via the
       smtp_tls_mandatory_ciphers configuration parameter, see there for
       syntax details. See smtp_tls_policy_maps for information on how to
       configure ciphers on a per-destination basis.

       This feature is available in Postfix 2.6 and later. With earlier
       Postfix releases only the smtp_tls_mandatory_ciphers parameter is
       implemented, and opportunistic TLS always uses "export" or better
       (i.e. all) ciphers.

smtp_tls_connection_reuse (default: no)

       Try to make multiple deliveries per TLS-encrypted connection. This
       uses the tlsproxy(8) service to encrypt an SMTP connection, uses the
       scache(8) service to save that connection, and relies on hints from the
       qmgr(8) daemon.

       See "Client-side TLS connection reuse" for background details.

       This feature is available in Postfix 3.4 and later.

smtp_tls_dane_insecure_mx_policy (default: see postconf -d output)

       The TLS policy for MX hosts with "secure" TLSA records when the nexthop
       destination security level is dane, but the MX record was found via an
       "insecure" MX lookup. The choices are:

       may    The TLSA records will be ignored and TLS will be optional. If
              the MX host does not appear to support STARTTLS, or the STARTTLS
              handshake fails, mail may be sent in the clear.

       encrypt
              The TLSA records will signal a requirement to use TLS. While
              TLS encryption will be required, authentication will not be
              performed.

       dane   The TLSA records will be used just as with "secure" MX records.
              TLS encryption will be required, and, if at least one of the
              TLSA records is "usable", authentication will be required. When
              authentication succeeds, it will be logged only as "Trusted",
              not "Verified", because the MX host name could have been forged.
              The default setting for Postfix >= 3.6 is "dane" with
              "smtp_tls_security_level = dane", otherwise "may". This behavior
              was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16,
              3.2.21. With earlier Postfix versions the default setting was
              always "dane".

       Though with "insecure" MX records an active attacker can compromise
       SMTP transport security by returning forged MX records, such attacks
       are "tamper-evident" since any forged MX hostnames will be recorded in
       the mail logs. Attackers who place a high value on staying hidden may
       be deterred from forging MX records.

       This feature is available in Postfix 3.1 and later. The may policy is
       backwards-compatible with earlier Postfix versions.

smtp_tls_dcert_file (default: empty)

       File with the Postfix SMTP client DSA certificate in PEM format. This
       file may also contain the Postfix SMTP client private DSA key. The DSA
       algorithm is obsolete and should not be used.

       See the discussion under smtp_tls_cert_file for more details.

       Example:

       smtp_tls_dcert_file = /etc/postfix/client-dsa.pem

       This feature is available in Postfix 2.2 and later.

smtp_tls_dkey_file (default: $smtp_tls_dcert_file)

       File with the Postfix SMTP client DSA private key in PEM format. This
       file may be combined with the Postfix SMTP client DSA certificate file
       specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete and
       should not be used.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.2 and later.

smtp_tls_eccert_file (default: empty)

       File with the Postfix SMTP client ECDSA certificate in PEM format.
       This file may also contain the Postfix SMTP client ECDSA private key.
       With Postfix >= 3.4 the preferred way to configure client keys and
       certificates is via the "smtp_tls_chain_files" parameter.

       See the discussion under smtp_tls_cert_file for more details.

       Example:

       smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.

smtp_tls_eckey_file (default: $smtp_tls_eccert_file)

       File with the Postfix SMTP client ECDSA private key in PEM format.
       This file may be combined with the Postfix SMTP client ECDSA
       certificate file specified with $smtp_tls_eccert_file. With Postfix
       >= 3.4 the preferred way to configure client keys and certificates is
       via the "smtp_tls_chain_files" parameter.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.

smtp_tls_enforce_peername (default: yes)

       With mandatory TLS encryption, require that the remote SMTP server
       hostname matches the information in the remote SMTP server certificate.
       As of RFC 2487 the requirements for hostname checking for MTA clients
       are not specified.

       This option can be set to "no" to disable strict peer name checking.
       This setting has no effect on sessions that are controlled via the
       smtp_tls_per_site table.

       Disabling the hostname verification can make sense in a closed
       environment where special CAs are created. If not used carefully, this
       option opens the danger of a "man-in-the-middle" attack (the CommonName
       of this attacker will be logged).

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtp_tls_security_level instead.

smtp_tls_exclude_ciphers (default: empty)

       List of ciphers or cipher types to exclude from the Postfix SMTP client
       cipher list at all TLS security levels. This is not an OpenSSL
       cipherlist, it is a simple list separated by whitespace and/or commas.
       The elements are a single cipher, or one or more "+" separated cipher
       properties, in which case only ciphers matching all the properties are
       excluded.

       Examples (some of these will cause problems):

           smtp_tls_exclude_ciphers = aNULL
           smtp_tls_exclude_ciphers = MD5, DES
           smtp_tls_exclude_ciphers = DES+MD5
           smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
           smtp_tls_exclude_ciphers = kEDH+aRSA

       The first setting disables anonymous ciphers. The next setting disables
       ciphers that use the MD5 digest algorithm or the (single) DES
       encryption algorithm. The next setting disables ciphers that use MD5
       and DES together. The next setting disables the two ciphers
       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
       use "EDH" key exchange with RSA authentication.

       This feature is available in Postfix 2.3 and later.

smtp_tls_fingerprint_cert_match (default: empty)

       List of acceptable remote SMTP server certificate fingerprints for the
       "fingerprint" TLS security level (smtp_tls_security_level =
       fingerprint). At this security level, Certification Authorities are not
       used, and certificate expiration times are ignored. Instead, server
       certificates are verified directly via their certificate fingerprint or
       public key fingerprint (Postfix 2.9 and later). The fingerprint is a
       message digest of the server certificate (or public key). The digest
       algorithm is selected via the smtp_tls_fingerprint_digest parameter.

       The colons between each pair of nibbles in the fingerprint value are
       optional (Postfix >= 3.6). These were required in earlier Postfix
       releases.

       When an smtp_tls_policy_maps table entry specifies the "fingerprint"
       security level, any "match" attributes in that entry specify the list
       of valid fingerprints for the corresponding destination. Multiple
       fingerprints can be combined with a "|" delimiter in a single match
       attribute, or multiple match attributes can be employed.

       Example: Certificate fingerprint verification with internal mailhub.
       Two matching fingerprints are listed. The relayhost may be multiple
       physical hosts behind a load-balancer, each with its own private/public
       key and self-signed certificate. Alternatively, a single relayhost may
       be in the process of switching from one set of private/public keys to
       another, and both keys are trusted just prior to the transition.

           relayhost = [mailhub.example.com]
           smtp_tls_security_level = fingerprint
           smtp_tls_fingerprint_digest = sha256
           smtp_tls_fingerprint_cert_match =
               cd:fc:d8:db:f8:c4:82:96:6c:...:28:71:e8:f5:8d:a5:0d:9b:d4:a6
               dd:5c:ef:f5:c3:bc:64:25:36:...:99:36:06:ce:40:ef:de:2e:ad:a4

       Example: Certificate fingerprint verification with selected
       destinations. As in the example above, we show two matching
       fingerprints:

           /etc/postfix/main.cf:
               smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
               smtp_tls_fingerprint_digest = sha256

           /etc/postfix/tls_policy:
               example.com fingerprint
                   match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
                   match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f

       This feature is available in Postfix 2.5 and later.

smtp_tls_fingerprint_digest (default: see postconf -d output)

       The message digest algorithm used to construct remote SMTP server
       certificate fingerprints. At the "fingerprint" TLS security level
       (smtp_tls_security_level = fingerprint), the server certificate is
       verified by directly matching its certificate fingerprint or its public
       key fingerprint (Postfix 2.9 and later). The fingerprint is the message
       digest of the server certificate (or its public key) using the selected
       algorithm. With a digest algorithm resistant to "second pre-image"
       attacks, it is not feasible to create a new public key and a matching
       certificate (or public/private key-pair) that has the same fingerprint.

       The default algorithm is sha256 with Postfix >= 3.6 and the
       compatibility_level set to 3.6 or higher. With Postfix <= 3.5, the
       default algorithm is md5.

       The best-practice algorithm is now sha256. Recent advances in hash
       function cryptanalysis have led to md5 and sha1 being deprecated in
       favor of sha256. However, as long as there are no known "second
       pre-image" attacks against the older algorithms, their use in this
       context, though not recommended, is still likely safe.

       While additional digest algorithms are often available with OpenSSL's
       libcrypto, only those used by libssl in SSL cipher suites are available
       to Postfix. You'll likely find support for md5, sha1, sha256 and
       sha512.

       To find the fingerprint of a specific certificate file, with a specific
       digest algorithm, run:

           $ openssl x509 -noout -fingerprint -digest -in certfile.pem

       The text to the right of the "=" sign is the desired fingerprint. For
       example:

           $ openssl x509 -noout -fingerprint -sha256 -in cert.pem
           SHA256 Fingerprint=D4:6A:AB:19:24:...:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A

       To extract the public key fingerprint from an X.509 certificate, you
       need to extract the public key from the certificate and compute the
       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the
       "-pubkey" option of the "x509" command extracts the public key always in
       "PEM" format. We pipe the result to another OpenSSL command that
       converts the key to DER and then to the "dgst" command to compute the
       fingerprint.

       The actual command to transform the key to DER format depends on the
       version of OpenSSL used. As of OpenSSL 1.0.0, the "pkey" command
       supports all key types.

           # OpenSSL >= 1.0 with SHA-256 fingerprints.
           $ openssl x509 -in cert.pem -noout -pubkey |
               openssl pkey -pubin -outform DER |
               openssl dgst -sha256 -c
           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:...:fc:09:1a:61:98:b5:bc:7c:60:58

       The Postfix SMTP server and client log the peer (leaf) certificate
       fingerprint and the public key fingerprint when the TLS loglevel is 2
       or higher.

       This feature is available in Postfix 2.5 and later.
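
       What the two openssl pipelines above hash, and how a configured list under
       smtp_tls_fingerprint_cert_match can be compared against a certificate, as
       an added Python example (not Postfix code): the certificate fingerprint is
       the digest of the whole DER certificate, the public key fingerprint the
       digest of its subjectPublicKeyInfo. The sample certificate is a constructed
       ASN.1 skeleton, all names are illustrative, and comparing hex
       case-insensitively is this example's choice.

```python
import base64
import hashlib


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def pem_to_der(pem):
    body = [l.strip() for l in pem.splitlines() if l.strip() and "-----" not in l]
    return base64.b64decode("".join(body))


def spki_der(cert_der):
    """Return the complete subjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)      # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _field in range(5):                # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]               # header included, as "pkey -outform DER" emits


def fingerprints(cert_pem, digest="sha256"):
    """Return (certificate fingerprint, public key fingerprint) as lowercase hex."""
    der = pem_to_der(cert_pem)
    return (hashlib.new(digest, der).hexdigest(),
            hashlib.new(digest, spki_der(der)).hexdigest())


def with_colons(hexdigest):
    """Format hex the way the main.cf examples above write it."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def accepted_set(match_values):
    """Flatten configured values: '|' separates alternatives, colons are optional."""
    out = set()
    for value in match_values:
        for fp in value.split("|"):
            fp = fp.strip().replace(":", "").lower()
            if fp:
                out.add(fp)
    return out


def cert_matches(cert_pem, match_values, digest="sha256"):
    """True if either fingerprint of the certificate is in the configured list."""
    return bool(set(fingerprints(cert_pem, digest)) & accepted_set(match_values))


def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        head = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value


# Constructed sample: an X.509-shaped skeleton with dummy key and signature bytes.
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b6570")))
SAMPLE_SPKI = _tlv(0x30, _ALG + _tlv(0x03, b"\x00" + bytes(range(32))))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _ALG
            + _tlv(0x30, b"") * 3 + SAMPLE_SPKI)
SAMPLE_DER = _tlv(0x30, _TBS + _ALG + _tlv(0x03, b"\x00" + bytes(64)))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    cert_fp, key_fp = fingerprints(SAMPLE_PEM)
    print("certificate fingerprint:", with_colons(cert_fp))
    print("public key fingerprint: ", with_colons(key_fp))
    print("matches list:", cert_matches(SAMPLE_PEM, [with_colons(key_fp).upper()]))
```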

smtp_tls_force_insecure_host_tlsa_lookup (default: no)

       Look up the associated DANE TLSA RRset even when a hostname is not an
       alias and its address records lie in an unsigned zone. This is
       unlikely to ever yield DNSSEC validated results, since child zones of
       unsigned zones are also unsigned in the absence of DLV or locally
       configured non-root trust-anchors. We anticipate that such mechanisms
       will not be used for just the "_tcp" subdomain of a host. Suppressing
       the TLSA RRset lookup reduces latency and avoids potential
       interoperability problems with nameservers for unsigned zones that are
       not prepared to handle the new TLSA RRset.

       This feature is available in Postfix 2.11.

smtp_tls_key_file (default: $smtp_tls_cert_file)

       File with the Postfix SMTP client RSA private key in PEM format. This
       file may be combined with the Postfix SMTP client RSA certificate file
       specified with $smtp_tls_cert_file. With Postfix >= 3.4 the preferred
       way to configure client keys and certificates is via the
       "smtp_tls_chain_files" parameter.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

       Example:

       smtp_tls_key_file = $smtp_tls_cert_file

       This feature is available in Postfix 2.2 and later.

smtp_tls_loglevel (default: 0)

       Enable additional Postfix SMTP client logging of TLS activity. Each
       logging level also includes the information that is logged at a lower
       logging level.

              0 Disable logging of TLS activity.

              1 Log only a summary message on TLS handshake completion - no
              logging of remote SMTP server certificate trust-chain
              verification errors if server certificate verification is not
              required. With Postfix 2.8 and earlier, log the summary message
              and unconditionally log trust-chain verification errors.

              2 Also log levels during TLS negotiation.

              3 Also log the hexadecimal and ASCII dump of the TLS negotiation
              process.

              4 Also log the hexadecimal and ASCII dump of complete
              transmission after STARTTLS.

       Do not use "smtp_tls_loglevel = 2" or higher except in case of
       problems. Use of loglevel 4 is strongly discouraged.

       This feature is available in Postfix 2.2 and later.

smtp_tls_mandatory_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP client will use with
       mandatory TLS encryption. The default value "medium" is suitable for
       most destinations with which you may want to enforce TLS, and is beyond
       the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
       for information on how to configure ciphers on a per-destination basis.

       The following cipher grades are supported:

       high   Enable only "HIGH" grade OpenSSL ciphers. This setting may be
              appropriate when all mandatory TLS destinations (e.g. when all
              mail is routed to a suitably capable relayhost) support at least
              one "HIGH" grade cipher. The underlying cipherlist is specified
              via the tls_high_cipherlist configuration parameter, which you
              are strongly encouraged not to change.

       medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
              cipherlist is specified via the tls_medium_cipherlist
              configuration parameter, which you are strongly encouraged not
              to change.

       null   Enable only the "NULL" OpenSSL ciphers; these provide
              authentication without encryption. This setting is only
              appropriate in the rare case that all servers are prepared to
              use NULL ciphers (not normally enabled in TLS servers). A
              plausible use-case is an LMTP server listening on a UNIX-domain
              socket that is configured to support "NULL" ciphers. The
              underlying cipherlist is specified via the tls_null_cipherlist
              configuration parameter, which you are strongly encouraged not
              to change.

       low    Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix >=
              3.8 this cipher grade is always identical to "medium". Recent
              versions of OpenSSL do not support any "LOW" grade ciphers. In
              earlier Postfix releases the underlying cipherlist was specified
              via the tls_low_cipherlist configuration parameter, which you
              are strongly encouraged not to change. This obsolete cipher
              grade SHOULD NOT be used.

       export Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
              >= 3.8 this cipher grade is always identical to "medium".
              Recent versions of OpenSSL do not support any "EXPORT" grade
              ciphers. In earlier Postfix releases the underlying cipherlist
              was specified via the tls_export_cipherlist configuration
              parameter, which you are strongly encouraged not to change.
              This obsolete cipher grade SHOULD NOT be used.

       The underlying cipherlists for grades other than "null" include
       anonymous ciphers, but these are automatically filtered out if the
       Postfix SMTP client is configured to verify server certificates. You
       are very unlikely to need to take any steps to exclude anonymous
       ciphers; they are excluded automatically as necessary. If you must
       exclude anonymous ciphers at the "may" or "encrypt" security levels,
       when the Postfix SMTP client does not need or use peer certificates,
       set "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers
       only when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers =
       aNULL".

       This feature is available in Postfix 2.3 and later.

smtp_tls_mandatory_exclude_ciphers (default: empty)

       Additional list of ciphers or cipher types to exclude from the Postfix
       SMTP client cipher list at mandatory TLS security levels. This list
       works in addition to the exclusions listed with
       smtp_tls_exclude_ciphers (see there for syntax details).

       Starting with Postfix 2.6, the mandatory cipher exclusions can be
       specified on a per-destination basis via the TLS policy "exclude"
       attribute. See smtp_tls_policy_maps for notes and examples.

       This feature is available in Postfix 2.3 and later.

smtp_tls_mandatory_protocols (default: see postconf -d output)

8263       TLS  protocols that the Postfix SMTP client will use with mandatory TLS
8264       encryption.  In main.cf the values are separated by whitespace,  commas
8265       or colons. In the policy table "protocols" attribute (see smtp_tls_pol‐
8266       icy_maps) the only valid separator is colon. An empty value means allow
8267       all protocols.
8268
8269       The valid protocol names (see SSL_get_version(3)) are "SSLv2", "SSLv3",
8270       "TLSv1", "TLSv1.1", "TLSv1.2" and  "TLSv1.3".   Starting  with  Postfix
8271       3.6,  the  default value is ">=TLSv1", which sets TLS 1.0 as the lowest
8272       supported TLS protocol version (see below).  Older releases use the "!"
8273       exclusion syntax, also described below.
8274
       As of Postfix 3.6, the preferred way to limit the range of acceptable
       protocols is to set a lowest acceptable TLS protocol version and/or a
       highest acceptable TLS protocol version. To set the lower bound,
       include an element of the form ">=version", where version is either
       one of the TLS protocol names listed above, or a hexadecimal number
       corresponding to the desired TLS protocol version (0301 for TLS 1.0,
       0302 for TLS 1.1, etc.). For the upper bound, use "<=version". There
       must be no whitespace between the ">=" or "<=" symbols and the
       protocol name or number.
8284
8285       Hexadecimal  protocol  numbers  make  it  possible  to specify protocol
8286       bounds for TLS versions that are known to OpenSSL,  but  might  not  be
8287       known  to  Postfix.  They cannot be used with the legacy exclusion syn‐
8288       tax.  Leading "0" or "0x" prefixes are  supported,  but  not  required.
8289       Therefore,  "301",  "0301",  "0x301" and "0x0301" are all equivalent to
8290       "TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set  the
8291       upper  or  lower bound, and a warning will be logged.  Hexadecimal ver‐
8292       sions should only be used when Postfix is linked with some future  ver‐
8293       sion  of  OpenSSL  that supports TLS 1.4 or later, but Postfix does not
8294       yet support a symbolic name for that protocol version.
8295
8296       Hexadecimal example (Postfix >= 3.6):
8297
8298           # Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
8299           # in some future version of OpenSSL (presently a warning is logged).
8300           smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
8301           # Allow only TLS 1.2 and up:
8302           smtp_tls_mandatory_protocols = >=0x0303
8303
8304       With Postfix < 3.6 there is no support for a minimum  or  maximum  ver‐
8305       sion, and the protocol range is configured via protocol exclusions.  To
8306       require at least TLS 1.0, set "smtp_tls_mandatory_protocols  =  !SSLv2,
8307       !SSLv3". Listing the protocols to include, rather than the protocols to
8308       exclude, is supported, but not recommended.  The exclusion syntax  more
8309       accurately matches the underlying OpenSSL interface.
8310
8311       When  using the exclusion syntax, take care to ensure that the range of
8312       protocols supported by the Postfix SMTP client is contiguous.   When  a
8313       protocol  version  is  enabled, disabling any higher version implicitly
8314       disables all versions above that higher version.  Thus, for example:
8315
8316           smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
8317
8318       also disables any protocol versions higher than  TLSv1.1  leaving  only
8319       "TLSv1" enabled.
8320
8321       Support  for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling this
8322       protocol via "!TLSv1.3" is supported since Postfix 3.4  (or  patch  re‐
8323       leases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
8324
8325       While the vast majority of SMTP servers with DANE TLSA records now sup‐
8326       port at least TLS 1.2, a few still only support TLS 1.0.   If  you  use
8327       "dane"  or  "dane-only" it is best not to disable TLSv1, except perhaps
8328       via the policy table for destinations which you are sure  will  support
8329       "TLSv1.2".
8330
8331       See   the  documentation  of  the  smtp_tls_policy_maps  parameter  and
8332       TLS_README for more information about security levels.
8333
       Example:

           # Preferred syntax with Postfix >= 3.6:
           smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
           # Legacy syntax:
           smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
8339
8340       This feature is available in Postfix 2.3 and later.
8341

smtp_tls_note_starttls_offer (default: no)

8343       Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
8344       is not already enabled for that server.
8345
8346       The logfile record looks like:
8347
8348       postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
8349
8350       This feature is available in Postfix 2.2 and later.
8351

smtp_tls_per_site (default: empty)

8353       Optional lookup tables with the Postfix SMTP client TLS usage policy by
8354       next-hop destination and by remote SMTP  server  hostname.   When  both
8355       lookups  succeed,  the more specific per-site policy (NONE, MUST, etc.)
8356       overrides the less specific one (MAY), and  the  more  secure  per-site
8357       policy (MUST, etc.) overrides the less secure one (NONE).  With Postfix
8358       2.3  and  later  smtp_tls_per_site   is   strongly   discouraged:   use
8359       smtp_tls_policy_maps instead.
8360
8361       Use  of  the bare hostname as the per-site table lookup key is discour‐
8362       aged. Always use the full destination nexthop (enclosed in  []  with  a
8363       possible  ":port"  suffix).  A recipient domain or MX-enabled transport
8364       next-hop with no port suffix may look like  a  bare  hostname,  but  is
8365       still a suitable destination.
8366
8367       Specify  a  next-hop  destination  or  server hostname on the left-hand
8368       side; no wildcards are allowed. The next-hop destination is either  the
8369       recipient  domain, or the destination specified with a transport(5) ta‐
8370       ble, the relayhost parameter, or the relay_transport parameter.  On the
8371       right hand side specify one of the following keywords:
8372
8373       NONE   Don't  use TLS at all. This overrides a less specific MAY lookup
8374              result from the alternate host or next-hop lookup key, and over‐
8375              rides    the    global   smtp_use_tls,   smtp_enforce_tls,   and
8376              smtp_tls_enforce_peername settings.
8377
8378       MAY    Try to use TLS if the server announces support, otherwise use an
8379              unencrypted  connection.  This  has  less precedence than a more
8380              specific result (including NONE)  from  the  alternate  host  or
8381              next-hop  lookup key, and has less precedence than the more spe‐
8382              cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
8383              name = yes".
8384
8385       MUST_NOPEERMATCH
8386              Require  TLS encryption, but do not require that the remote SMTP
8387              server hostname matches  the  information  in  the  remote  SMTP
8388              server certificate, or that the server certificate was issued by
8389              a trusted CA. This overrides a less secure NONE or a  less  spe‐
8390              cific  MAY  lookup  result  from  the alternate host or next-hop
8391              lookup key, and  overrides  the  global  smtp_use_tls,  smtp_en‐
8392              force_tls and smtp_tls_enforce_peername settings.
8393
8394       MUST   Require  TLS  encryption,  require  that  the remote SMTP server
8395              hostname matches the information in the remote SMTP server  cer‐
8396              tificate,  and  require  that the remote SMTP server certificate
8397              was issued by a trusted CA. This overrides a less secure NONE or
8398              MUST_NOPEERMATCH  or  a less specific MAY lookup result from the
8399              alternate host or next-hop lookup key, and overrides the  global
8400              smtp_use_tls,   smtp_enforce_tls  and  smtp_tls_enforce_peername
8401              settings.
8402
8403       The above keywords correspond to the "none", "may", "encrypt" and "ver‐
8404       ify"  security levels for the new smtp_tls_security_level parameter in‐
8405       troduced in Postfix 2.3. Starting with Postfix 2.3,  and  independently
8406       of  how  the  policy  is  specified, the smtp_tls_mandatory_ciphers and
8407       smtp_tls_mandatory_protocols parameters apply when  TLS  encryption  is
8408       mandatory.  Connections  for which encryption is optional typically en‐
8409       able all "export" grade and better ciphers  (see  smtp_tls_ciphers  and
8410       smtp_tls_protocols).
8411
8412       As long as no secure DNS lookup mechanism is available, false hostnames
8413       in MX or CNAME responses can change the server  hostname  that  Postfix
8414       uses  for  TLS  policy lookup and server certificate verification. Even
8415       with a perfect match between the server hostname and  the  server  cer‐
8416       tificate,  there is no guarantee that Postfix is connected to the right
8417       server.  See TLS_README (Closing a DNS loophole with obsolete  per-site
8418       TLS policies) for a possible work-around.
8419
8420       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
8421       and later use smtp_tls_policy_maps instead.
8422

smtp_tls_policy_maps (default: empty)

8424       Optional lookup tables with the Postfix SMTP client TLS security policy
8425       by  next-hop  destination;  when  a  non-empty value is specified, this
8426       overrides the obsolete smtp_tls_per_site parameter.  See TLS_README for
8427       a more detailed discussion of TLS security levels.
8428
8429       Specify zero or more "type:name" lookup tables, separated by whitespace
8430       or comma. Tables will be searched in the specified order until a  match
8431       is found.
8432
8433       The TLS policy table is indexed by the full next-hop destination, which
8434       is either the recipient domain, or the verbatim next-hop  specified  in
8435       the   transport   table,   $local_transport,  $virtual_transport,  $re‐
8436       lay_transport or $default_transport. This includes any enclosing square
8437       brackets  and  any non-default destination server port suffix. The LMTP
8438       socket type prefix (inet: or unix:) is not included in the lookup key.
8439
8440       Only the next-hop domain, or $myhostname  with  LMTP  over  UNIX-domain
8441       sockets,  is used as the nexthop name for certificate verification. The
8442       port and any enclosing square brackets are used  in  the  table  lookup
8443       key, but are not used for server name verification.
8444
8445       When  the lookup key is a domain name without enclosing square brackets
8446       or any :port suffix (typically the recipient domain), and the full  do‐
8447       main  is  not  found in the table, just as with the transport(5) table,
8448       the parent domain starting with a leading "." is  matched  recursively.
8449       This allows one to specify a security policy for a recipient domain and
8450       all its sub-domains.
8451
8452       The lookup result is a security level, followed by an optional list  of
8453       whitespace  and/or  comma separated name=value attributes that override
8454       related main.cf settings. The TLS security levels in order of  increas‐
8455       ing security are:
8456
8457       none   No TLS. No additional attributes are supported at this level.
8458
8459       may    Opportunistic TLS. Since sending in the clear is acceptable, de‐
8460              manding stronger than default TLS security merely reduces inter‐
8461              operability.  The optional "ciphers", "exclude", and "protocols"
8462              attributes (available for opportunistic TLS with Postfix >= 2.6)
8463              and  "connection_reuse"  attribute (Postfix >= 3.4) override the
8464              "smtp_tls_ciphers", "smtp_tls_exclude_ciphers", "smtp_tls_proto‐
8465              cols", and "smtp_tls_connection_reuse" configuration parameters.
8466              In the policy table, multiple ciphers, protocols or excluded ci‐
8467              phers  must  be separated by colons, as attribute values may not
8468              contain whitespace or commas. When opportunistic TLS  handshakes
8469              fail,  Postfix  retries  the connection with TLS disabled.  This
8470              allows mail delivery to sites with non-interoperable TLS  imple‐
8471              mentations.
8472
8473       encrypt
8474              Mandatory TLS encryption. At this level and higher, the optional
8475              "protocols"  attribute  overrides  the  main.cf  smtp_tls_manda‐
8476              tory_protocols parameter, the optional "ciphers" attribute over‐
8477              rides the main.cf smtp_tls_mandatory_ciphers parameter, the  op‐
8478              tional  "exclude"  attribute  (Postfix  >=  2.6)  overrides  the
8479              main.cf smtp_tls_mandatory_exclude_ciphers  parameter,  and  the
8480              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8481              the main.cf smtp_tls_connection_reuse parameter. In  the  policy
8482              table,  multiple  ciphers, protocols or excluded ciphers must be
8483              separated by colons, as attribute values may not contain  white‐
8484              space or commas.
8485
8486       dane   Opportunistic  DANE  TLS.  The TLS policy for the destination is
8487              obtained via TLSA records in DNSSEC.  If  no  TLSA  records  are
8488              found,  the  effective  security  level  used  is  may.  If TLSA
8489              records are found, but none are usable, the  effective  security
8490              level is encrypt.  When usable TLSA records are obtained for the
8491              remote SMTP server, the server certificate must match  the  TLSA
8492              records.   RFC 7672 (DANE) TLS authentication and DNSSEC support
8493              is available with Postfix 2.11 and later. The optional  "connec‐
8494              tion_reuse"  attribute  (Postfix  >=  3.4) overrides the main.cf
8495              smtp_tls_connection_reuse parameter.  When the  effective  secu‐
8496              rity  level  used is may, the optional "ciphers", "exclude", and
8497              "protocols"   attributes   (Postfix   >=   2.6)   override   the
8498              "smtp_tls_ciphers",        "smtp_tls_exclude_ciphers",       and
8499              "smtp_tls_protocols" configuration parameters.  When the  effec‐
8500              tive  security  level  used  is encrypt, the optional "ciphers",
8501              "exclude", and "protocols" attributes (Postfix >= 2.6)  override
8502              the     "smtp_tls_mandatory_ciphers",    "smtp_tls_mandatory_ex‐
8503              clude_ciphers", and "smtp_tls_mandatory_protocols" configuration
8504              parameters.
8505
8506       dane-only
8507              Mandatory  DANE  TLS.  The TLS policy for the destination is ob‐
8508              tained via TLSA records in  DNSSEC.   If  no  TLSA  records  are
8509              found,  or none are usable, no connection is made to the server.
8510              When usable TLSA  records  are  obtained  for  the  remote  SMTP
8511              server, the server certificate must match the TLSA records.  RFC
8512              7672 (DANE) TLS authentication and DNSSEC support  is  available
8513              with  Postfix 2.11 and later. The optional "ciphers", "exclude",
8514              and  "protocols"  attributes  (Postfix  >=  2.6)  override   the
8515              "smtp_tls_mandatory_ciphers",    "smtp_tls_mandatory_exclude_ci‐
8516              phers", and "smtp_tls_mandatory_protocols" configuration parame‐
8517              ters. The optional "connection_reuse" attribute (Postfix >= 3.4)
8518              overrides the main.cf smtp_tls_connection_reuse parameter.
8519
8520       fingerprint
8521              Certificate fingerprint verification. Available with Postfix 2.5
8522              and later. At this security level, there are no trusted Certifi‐
8523              cation Authorities.  The  certificate  trust  chain,  expiration
8524              date,  ... are not checked. Instead, the optional "match" attri‐
8525              bute, or else the main.cf smtp_tls_fingerprint_cert_match param‐
8526              eter,  lists the certificate fingerprints or the public key fin‐
8527              gerprint (Postfix 2.9 and later) of the  valid  server  certifi‐
8528              cate.  The digest algorithm used to calculate the fingerprint is
8529              selected by the smtp_tls_fingerprint_digest parameter.  Multiple
8530              fingerprints  can  be  combined with a "|" delimiter in a single
8531              match attribute, or multiple match attributes can  be  employed.
8532              The  ":"  character  is not used as a delimiter as it occurs be‐
8533              tween each pair of fingerprint  (hexadecimal)  digits.  The  op‐
8534              tional "ciphers", "exclude", and "protocols" attributes (Postfix
8535              >=    2.6)    override     the     "smtp_tls_mandatory_ciphers",
8536              "smtp_tls_mandatory_exclude_ciphers",    and    "smtp_tls_manda‐
8537              tory_protocols" configuration parameters. The optional  "connec‐
8538              tion_reuse"  attribute  (Postfix  >=  3.4) overrides the main.cf
8539              smtp_tls_connection_reuse parameter.
8540
8541       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
8542              lookups  are  trusted to be secure enough, and the name verified
8543              in the server certificate is  usually  obtained  indirectly  via
8544              unauthenticated  DNS MX lookups.  The optional "match" attribute
8545              overrides the main.cf smtp_tls_verify_cert_match  parameter.  In
8546              the policy table, multiple match patterns and strategies must be
8547              separated by colons.  In practice explicit control over matching
8548              is  more  common  with the "secure" policy, described below. The
8549              optional "ciphers", "exclude", and "protocols" attributes (Post‐
8550              fix   >=   2.6)   override   the   "smtp_tls_mandatory_ciphers",
8551              "smtp_tls_mandatory_exclude_ciphers",    and    "smtp_tls_manda‐
8552              tory_protocols"  configuration parameters. The optional "connec‐
8553              tion_reuse" attribute (Postfix >=  3.4)  overrides  the  main.cf
8554              smtp_tls_connection_reuse parameter.
8555
8556       secure Secure-channel  TLS.  At  this  security  level, DNS MX lookups,
8557              though potentially used  to  determine  the  candidate  next-hop
8558              gateway  IP  addresses,  are not trusted to be secure enough for
8559              TLS peername verification. Instead, the default name verified in
8560              the  server  certificate is obtained directly from the next-hop,
8561              or is explicitly specified via the  optional  "match"  attribute
8562              which  overrides  the main.cf smtp_tls_secure_cert_match parame‐
8563              ter. In the policy table, multiple match patterns and strategies
8564              must be separated by colons.  The match attribute is most useful
8565              when multiple domains are supported by a common server: the pol‐
8566              icy  entries  for  additional domains specify matching rules for
8567              the primary domain certificate. While transport table  overrides
8568              that route the secondary domains to the primary nexthop also al‐
8569              low secure verification, they risk delivery to the wrong  desti‐
8570              nation when domains change hands or are re-assigned to new gate‐
8571              ways. With the "match" attribute approach, routing is  not  per‐
8572              turbed,  and  mail  is deferred if verification of a new MX host
8573              fails. The optional "ciphers", "exclude",  and  "protocols"  at‐
8574              tributes  (Postfix  >= 2.6) override the "smtp_tls_mandatory_ci‐
8575              phers",        "smtp_tls_mandatory_exclude_ciphers",         and
8576              "smtp_tls_mandatory_protocols" configuration parameters. The op‐
8577              tional "connection_reuse" attribute (Postfix >=  3.4)  overrides
8578              the main.cf smtp_tls_connection_reuse parameter.
8579
8580       Example:
8581
8582       /etc/postfix/main.cf:
8583           smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8584           # Postfix 2.5 and later.
8585           #
8586           # The default digest is sha256 with Postfix >= 3.6 and
8587           # compatibility level >= 3.
8588           #
8589           smtp_tls_fingerprint_digest = sha256
8590
8591       /etc/postfix/tls_policy:
8592           example.edu                 none
8593           example.mil                 may
8594           example.gov                 encrypt protocols=TLSv1
8595           example.com                 verify ciphers=high
8596           example.net                 secure
8597           .example.net                secure match=.example.net:example.net
8598           [mail.example.org]:587      secure match=nexthop
8599           # Postfix 2.5 and later
8600           [thumb.example.org]          fingerprint
8601               match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
8602               match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
8603
       Note: The "hostname" strategy, if listed in a non-default setting of
       smtp_tls_secure_cert_match or in the "match" attribute in the policy
       table, can render the "secure" level vulnerable to DNS forgery. Do not
       use the "hostname" strategy for secure-channel configurations in
       environments where DNS security is not assured.
8609
8610       This feature is available in Postfix 2.3 and later.
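
       The lookup and attribute rules described above, as an added example
       that is not part of the Postfix documentation or source. It models
       exact next-hop keys, recursive ".parent" matching for bare domains,
       colon-separated attribute values, "|"-separated fingerprints, and
       flags the "hostname" strategy at the "secure" level. The function
       names and the [relay.example.org] entry are constructed for
       illustration.

```python
import re

# Constructed sample in the format of the tls_policy example on this page.
# The last entry is added here to trigger the "hostname" finding.
SAMPLE_TLS_POLICY = """\
example.edu                 none
example.mil                 may
example.gov                 encrypt protocols=TLSv1
example.com                 verify ciphers=high
example.net                 secure
.example.net                secure match=.example.net:example.net
[mail.example.org]:587      secure match=nexthop
# constructed entry, not from the page
[relay.example.org]         secure
    match=hostname:nexthop
"""


def parse_policy(text):
    """Parse policy-table source text into {key: (level, {attr: [values]})}."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of a logical line
        else:
            logical.append(line.strip())
    table = {}
    for entry in logical:
        parts = entry.split(None, 1)
        if len(parts) < 2:
            continue                            # key without a security level
        fields = [f for f in re.split(r"[\s,]+", parts[1]) if f]
        level, attrs = fields[0], {}
        for field in fields[1:]:
            name, _, value = field.partition("=")
            # Fingerprints contain ":" between hex digit pairs, so several
            # fingerprints in one match attribute are joined with "|".
            sep = "|" if (level == "fingerprint" and name == "match") else ":"
            attrs.setdefault(name, []).extend(value.split(sep))
        table[parts[0]] = (level, attrs)
    return table


def lookup(table, nexthop):
    """Return (matched_key, level, attrs) for a next-hop, or None."""
    if nexthop in table:
        return (nexthop, *table[nexthop])
    # Parent-domain matching applies only to a bare domain key:
    # no enclosing square brackets and no :port suffix.
    if nexthop.startswith("[") or ":" in nexthop:
        return None
    rest = nexthop
    while "." in rest[1:]:
        rest = rest[rest.index(".", 1):]        # drop the leftmost label
        if rest in table:
            return (rest, *table[rest])
    return None


def audit(table):
    """Return (key, finding) pairs for entries the page warns about."""
    findings = []
    for key, (level, attrs) in table.items():
        if level == "none" and attrs:
            findings.append((key, "attributes are not supported at level none"))
        if level == "secure" and "hostname" in attrs.get("match", []):
            findings.append((key, "hostname strategy at level secure trusts DNS"))
    return findings


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_TLS_POLICY)
    for hop in ("mail.example.net", "[mail.example.org]", "[mail.example.org]:587"):
        print(hop, "->", lookup(policy, hop))
    for key, finding in audit(policy):
        print("finding:", key, finding)
```

       A bracketed next-hop without its port suffix does not match the
       "[mail.example.org]:587" entry, so it falls back to the main.cf
       security level.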
8611

smtp_tls_protocols (default: see postconf -d output)

8613       TLS  protocols that the Postfix SMTP client will use with opportunistic
8614       TLS encryption.  In main.cf the values  are  separated  by  whitespace,
8615       commas  or  colons.  In  the  policy  table  "protocols" attribute (see
8616       smtp_tls_policy_maps) the only valid  separator  is  colon.   An  empty
8617       value means allow all protocols.
8618
8619       The valid protocol names (see SSL_get_version(3)) are "SSLv2", "SSLv3",
8620       "TLSv1", "TLSv1.1", "TLSv1.2" and  "TLSv1.3".   Starting  with  Postfix
8621       3.6,  the  default value is ">=TLSv1", which sets TLS 1.0 as the lowest
8622       supported TLS protocol version (see below).  Older releases use the "!"
8623       exclusion syntax, also described below.
8624
8625       As  of  Postfix 3.6, the preferred way to limit the range of acceptable
8626       protocols is to set the lowest acceptable TLS protocol  version  and/or
8627       the  highest  acceptable  TLS protocol version.  To set the lower bound
8628       include an element of the form: ">=version" where version is either one
8629       of  the TLS protocol names listed above, or a hexadecimal number corre‐
8630       sponding to the desired TLS protocol version (0301 for  TLS  1.0,  0302
8631       for  TLS 1.1, etc.).  For the upper bound, use "<=version".  There must
8632       be no whitespace between the ">=" or "<=" symbols and the protocol name
8633       or number.
8634
8635       Hexadecimal  protocol  numbers  make  it  possible  to specify protocol
8636       bounds for TLS versions that are known to OpenSSL,  but  might  not  be
8637       known  to  Postfix.  They cannot be used with the legacy exclusion syn‐
8638       tax.  Leading "0" or "0x" prefixes are  supported,  but  not  required.
8639       Therefore,  "301",  "0301",  "0x301" and "0x0301" are all equivalent to
8640       "TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set  the
8641       upper  or  lower bound, and a warning will be logged.  Hexadecimal ver‐
8642       sions should only be used when Postfix is linked with some future  ver‐
8643       sion  of  OpenSSL  that supports TLS 1.4 or later, but Postfix does not
8644       yet support a symbolic name for that protocol version.
8645
8646       Hexadecimal example (Postfix >= 3.6):
8647
8648           # Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
8649           # in some future version of OpenSSL (presently a warning is logged).
8650           smtp_tls_protocols = >=TLSv1, <=0305
8651           # Allow only TLS 1.0 and up:
8652           smtp_tls_protocols = >=0x0301
8653
8654       With Postfix < 3.6 there is no support for a minimum  or  maximum  ver‐
8655       sion, and the protocol range is configured via protocol exclusions.  To
8656       require at least TLS 1.0, set "smtp_tls_protocols  =  !SSLv2,  !SSLv3".
8657       Listing  the protocols to include, rather than protocols to exclude, is
8658       supported, but not recommended.  The  exclusion  form  more  accurately
8659       matches the underlying OpenSSL interface.
8660
8661       When  using the exclusion syntax, take care to ensure that the range of
8662       protocols advertised by an SSL/TLS client is contiguous.  When a proto‐
8663       col  version  is  enabled, disabling any higher version implicitly dis‐
8664       ables all versions above that higher version.  Thus, for example:
8665
           smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1

       also disables any protocol versions higher than TLSv1.1, leaving only
       "TLSv1" enabled.
8669
8670       Support  for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling this
8671       protocol via "!TLSv1.3" is supported since Postfix 3.4  (or  patch  re‐
8672       leases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).
8673
       Example:

           # Preferred syntax with Postfix >= 3.6:
           smtp_tls_protocols = >=TLSv1, <=TLSv1.3
           # Legacy syntax:
           smtp_tls_protocols = !SSLv2, !SSLv3
8679
8680       This feature is available in Postfix 2.6 and later.
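
       A model of the protocol-range rules described for both
       smtp_tls_mandatory_protocols and smtp_tls_protocols, useful for
       checking what a main.cf value actually leaves enabled. This is an
       added example, not Postfix code. The function names are hypothetical,
       the hexadecimal table beyond 0301 and 0302 follows the TLS wire
       version numbering, and an include list is assumed to enable only the
       listed protocols.

```python
import re

# Protocol names from this page, lowest to highest.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions modelled as known to OpenSSL. 0301 and 0302 are given on the page;
# 0300, 0303 and 0304 follow the same wire-version numbering.
HEX_TO_NAME = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
               0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def _resolve(version, allow_hex):
    """Return the protocol name for a symbolic or hexadecimal version, else None."""
    if version in ORDER:
        return version
    if allow_hex and re.fullmatch(r"(?:0[xX])?[0-9a-fA-F]+", version):
        return HEX_TO_NAME.get(int(version, 16))
    return None


def effective_protocols(value):
    """Model which protocols a main.cf protocols value leaves enabled.

    Returns (enabled, warnings); enabled is ordered lowest to highest.
    """
    warnings = []
    include, exclude = set(), set()
    lo, hi = 0, len(ORDER) - 1
    # In main.cf the elements are separated by whitespace, commas or colons.
    for tok in filter(None, re.split(r"[\s,:]+", value)):
        if tok[:2] in (">=", "<="):
            name = _resolve(tok[2:], allow_hex=True)
            if name is None:
                warnings.append(f"{tok}: version unknown, bound not set")
            elif tok[0] == ">":
                lo = ORDER.index(name)
            else:
                hi = ORDER.index(name)
        elif tok.startswith("!"):
            # Hexadecimal numbers cannot be used with the exclusion syntax.
            name = _resolve(tok[1:], allow_hex=False)
            if name is None:
                warnings.append(f"{tok}: not a protocol name (hex is bounds-only)")
            else:
                exclude.add(name)
        else:
            name = _resolve(tok, allow_hex=False)
            if name is None:
                warnings.append(f"{tok}: not a protocol name")
            else:
                include.add(name)

    # Assumption: an explicit include list enables only the listed protocols.
    candidates = include if include else set(ORDER)
    on = [i for i, p in enumerate(ORDER)
          if p in candidates and p not in exclude and lo <= i <= hi]
    # Contiguity rule from the page: the first disabled version above the
    # lowest enabled one also disables every version above it.
    enabled = []
    for i in on:
        if enabled and i != ORDER.index(enabled[-1]) + 1:
            lost = [ORDER[j] for j in on if j >= i]
            warnings.append("hole in range, implicitly disabled: " + ", ".join(lost))
            break
        enabled.append(ORDER[i])
    return enabled, warnings


if __name__ == "__main__":
    for setting in ("!SSLv2, !SSLv3, !TLSv1.1",
                    "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1",
                    ">=TLSv1.2, <=0305",
                    ">=0x0303"):
        enabled, warnings = effective_protocols(setting)
        print(f"{setting!r:40} -> {enabled} {warnings}")
```

       Running it on the "!SSLv2, !SSLv3, !TLSv1.1" setting reports only
       TLSv1 as enabled, which is the downgrade the contiguity warning above
       describes.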
8681

smtp_tls_scert_verifydepth (default: 9)

8683       The  verification depth for remote SMTP server certificates. A depth of
8684       1 is sufficient if the issuing CA is listed in a local CA file.
8685
       The default verification depth is 9 (the OpenSSL default) for
       compatibility with earlier Postfix behavior. Prior to Postfix 2.5, the
       default value was 5, but the limit was not actually enforced. If you
       have set this to a lower non-default value, certificates with longer
       trust chains may now fail to verify. Certificate chains with 1 or 2
       CAs are common; deeper chains are rarer, and any number between 5 and
       9 should suffice in practice. You can choose a lower number if, for
       example, you trust certificates directly signed by an issuing CA but
       not any CAs it delegates to.
8695
8696       This feature is available in Postfix 2.2 and later.
8697

smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)

8699       How the Postfix SMTP client verifies the  server  certificate  peername
8700       for  the  "secure"  TLS  security level. In a "secure" TLS policy table
8701       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
8702       this main.cf setting.
8703
8704       This  parameter  specifies one or more patterns or strategies separated
8705       by commas, whitespace or colons.  In the policy table  the  only  valid
8706       separator is the colon character.
8707
8708       For   a  description  of  the  pattern  and  strategy  syntax  see  the
8709       smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
8710       avoided  in this context, as in the absence of a secure global DNS, us‐
8711       ing the results of MX lookups in certificate verification is not immune
8712       to active (man-in-the-middle) attacks on DNS.
8713
8714       Sample main.cf setting:
8715
8716           smtp_tls_secure_cert_match = nexthop
8717
8718       Sample policy table override:
8719
8720           example.net     secure match=example.com:.example.com
8721           .example.net    secure match=example.com:.example.com
8722
8723       This feature is available in Postfix 2.3 and later.
8724

smtp_tls_security_level (default: empty)

8726       The  default SMTP TLS security level for the Postfix SMTP client.  When
8727       a non-empty value is specified, this overrides the obsolete  parameters
8728       smtp_use_tls,  smtp_enforce_tls, and smtp_tls_enforce_peername; when no
8729       value is specified for smtp_tls_enforce_peername or the obsolete param‐
8730       eters, the default SMTP TLS security level is none.
8731
8732       Specify one of the following security levels:
8733
8734       none   No  TLS. TLS will not be used unless enabled for specific desti‐
8735              nations via smtp_tls_policy_maps.
8736
8737       may    Opportunistic TLS. Use TLS if this is supported  by  the  remote
8738              SMTP server, otherwise use plaintext. Since sending in the clear
8739              is acceptable, demanding  stronger  than  default  TLS  security
8740              merely  reduces  interoperability.   The  "smtp_tls_ciphers" and
8741              "smtp_tls_protocols" (Postfix >= 2.6)  configuration  parameters
8742              provide  control  over  the protocols and cipher grade used with
8743              opportunistic TLS.  With earlier releases the opportunistic  TLS
8744              cipher  grade  is always "export" and no protocols are disabled.
8745              When TLS handshakes fail, the connection  is  retried  with  TLS
8746              disabled.   This allows mail delivery to sites with non-interop‐
8747              erable TLS implementations.
8748
8749       encrypt
8750              Mandatory TLS encryption. Since a minimum level of  security  is
8751              intended, it is reasonable to be specific about sufficiently se‐
8752              cure protocol versions and ciphers. At this security  level  and
8753              higher,  the main.cf parameters smtp_tls_mandatory_protocols and
8754              smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
8755              cipher grade which the administrator considers secure enough for
8756              mandatory encrypted sessions. This security level is not an  ap‐
8757              propriate default for systems delivering mail to the Internet.
8758
8759       dane   Opportunistic  DANE TLS.  At this security level, the TLS policy
8760              for the destination is obtained via DNSSEC.  For TLSA policy  to
8761              be  in effect, the destination domain's containing DNS zone must
8762              be signed and the Postfix SMTP client's operating system must be
8763              configured to send its DNS queries to a recursive DNS nameserver
8764              that is able to validate the signed records.  Each MX host's DNS
8765              zone  should  also  be signed, and should publish DANE TLSA (RFC
8766              7672) records that specify how that MX host's TLS certificate is
8767              to  be verified.  TLSA records do not preempt the normal SMTP MX
8768              host selection algorithm, if some MX hosts support TLSA and oth‐
8769              ers  do  not,  TLS security will vary from delivery to delivery.
8770              It is up to the domain owner to configure  their  MX  hosts  and
8771              their  DNS  sensibly.   To configure the Postfix SMTP client for
8772              DNSSEC lookups  see  the  documentation  for  the  smtp_dns_sup‐
8773              port_level   main.cf   parameter.   When  DNSSEC-validated  TLSA
8774              records are not found the effective TLS security level is "may".
8775              When  TLSA records are found, but are all unusable the effective
8776              security level is "encrypt".  For purposes of protocol  and  ci‐
8777              pher  selection,  the  "dane"  security  level is treated like a
8778              "mandatory" TLS security level, and weak ciphers  and  protocols
8779              are  disabled.  Since DANE authenticates server certificates the
8780              "aNULL" cipher-suites are transparently excluded at this  level;
8781              there is no need to configure this manually.  RFC 7672 (DANE) TLS
8782              authentication is available with Postfix 2.11 and later.
8783
8784       dane-only
8785              Mandatory DANE TLS.  This is just like "dane"  above,  but  DANE
8786              TLSA  authentication is required.  There is no fallback to "may"
8787              or "encrypt" when TLSA records are  missing  or  unusable.   RFC
8788              7672  (DANE)  TLS  authentication is available with Postfix 2.11
8789              and later.
8790
8791       fingerprint
8792              Certificate fingerprint verification.  At this  security  level,
8793              there are no trusted Certification Authorities.  The certificate
8794              trust chain, expiration date, etc., are  not  checked.  Instead,
8795              the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
8796              cate fingerprint or public  key  fingerprint  (Postfix  2.9  and
8797              later)  of  the  valid  server certificate. The digest algorithm
8798              used  to  calculate  the  fingerprint   is   selected   by   the
8799              smtp_tls_fingerprint_digest  parameter.  Available  with Postfix
8800              2.5 and later.
8801
8802       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
8803              lookups  are  trusted to be secure enough, and the name verified
8804              in the server certificate is  usually  obtained  indirectly  via
8805              unauthenticated  DNS  MX lookups. The smtp_tls_verify_cert_match
8806              parameter controls how the server name is verified. In  practice
8807              explicit  control  over  matching is more common at the "secure"
8808              level, described below. This security level is not an  appropri‐
8809              ate default for systems delivering mail to the Internet.
8810
8811       secure Secure-channel  TLS.   At  this  security level, DNS MX lookups,
8812              though potentially used  to  determine  the  candidate  next-hop
8813              gateway  IP  addresses,  are not trusted to be secure enough for
8814              TLS peername verification. Instead, the default name verified in
8815              the  server  certificate is obtained from the next-hop domain as
8816              specified in the smtp_tls_secure_cert_match configuration param‐
8817              eter.  The  default  matching  rule is that a server certificate
8818              matches when its name is equal to or is a sub-domain of the nex‐
8819              thop  domain.  This security level is not an appropriate default
8820              for systems delivering mail to the Internet.
8821
8822       Examples:
8823
8824       # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8825       smtp_tls_security_level = none
8826
8827       # Opportunistic TLS.
8828       smtp_tls_security_level = may
8829       # Do not tweak opportunistic ciphers or protocols unless it is essential
8830       # to do so (if a security vulnerability is found in the SSL library that
8831       # can be mitigated by disabling a particular protocol or raising the
8832       # cipher grade).
8833       smtp_tls_ciphers = medium
8834       smtp_tls_protocols = >=TLSv1
8835       # Legacy (Postfix < 3.6) syntax:
8836       smtp_tls_protocols = !SSLv2, !SSLv3
8837
8838       # Mandatory (high-grade) TLS encryption.
8839       smtp_tls_security_level = encrypt
8840       smtp_tls_mandatory_ciphers = high
8841
8842       # Authenticated TLS 1.2 or better matching the nexthop domain or a
8843       # subdomain.
8844       smtp_tls_security_level = secure
8845       smtp_tls_mandatory_ciphers = high
8846       smtp_tls_mandatory_protocols = >=TLSv1.2
8847       smtp_tls_secure_cert_match = nexthop, dot-nexthop
8848
8849       # Certificate fingerprint verification (Postfix >= 2.5).
8850       # The CA-less "fingerprint" security level only scales to a limited
8851       # number of destinations. As a global default rather than a per-site
8852       # setting, this is practical only when mail for all recipients is sent
8853       # to a central mail hub.
8854       relayhost = [mailhub.example.com]
8855       smtp_tls_security_level = fingerprint
8856       smtp_tls_mandatory_protocols = >=TLSv1.2
8857       smtp_tls_mandatory_ciphers = high
8858       smtp_tls_fingerprint_cert_match =
8859           3D:95:34:51:...:40:99:C0:C1
8860           EC:3B:2D:B0:...:A3:9D:72:F6
8861
8862       This feature is available in Postfix 2.3 and later.
8863

smtp_tls_servername (default: empty)

8865       Optional name to send to the remote SMTP server in the TLS Server  Name
8866       Indication  (SNI)  extension.  The SNI extension is always on when DANE
8867       is used to authenticate the server, and in that case the SNI name  sent
8868       is the one required by RFC 7672 and this parameter is ignored.
8869
8870       Some  SMTP  servers  use the received SNI name to select an appropriate
8871       certificate chain to present to the client.  While this may improve in‐
8872       teroperability  with  such servers, it may reduce interoperability with
8873       other servers that choose to abort the connection when they don't  have
8874       a  certificate  chain  configured for the requested name.  Such servers
8875       should select a default certificate chain and continue  the  handshake,
8876       but  some  may not.  Therefore, absent DANE, no SNI name is sent by de‐
8877       fault.
8878
8879       The SNI name must be either a valid DNS hostname, or else  one  of  the
8880       special  values  hostname  or  nexthop,  which select either the remote
8881       hostname or the nexthop domain respectively.  DNS names for SNI must be
8882       in  A-label (punycode) form.  Invalid DNS names log a configuration er‐
8883       ror warning and mail delivery is deferred.
8884
8885       Except when using a relayhost to forward all email, the  only  sensible
8886       non-empty  main.cf  setting  for  this  parameter  is  hostname.  Other
8887       non-empty values are only practical on a per-destination basis via  the
8888       servername  attribute  of the Postfix TLS policy table.  When in doubt,
8889       leave this  parameter  empty,  and  configure  per-destination  SNI  as
8890       needed.
8891
8892       This feature is available in Postfix 3.4 and later.
8893

smtp_tls_session_cache_database (default: empty)

8895       Name  of  the file containing the optional Postfix SMTP client TLS ses‐
8896       sion cache. Specify a database type that supports enumeration, such  as
8897       btree or sdbm; there is no need to support concurrent access.  The file
8898       is created if it does not exist. The smtp(8) daemon does not  use  this
8899       parameter  directly,  rather the cache is implemented indirectly in the
8900       tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8901       of this parameter are not effective.  Note that each of the cache data‐
8902       bases supported by the tlsmgr(8) daemon: $smtpd_tls_session_cache_database,
8903       $smtp_tls_session_cache_database   (and  with  Postfix  2.3  and  later
8904       $lmtp_tls_session_cache_database), needs to be stored separately. It is
8905       not  at  this  time possible to store multiple caches in a single data‐
8906       base.
8907
8908       Note: dbm databases are not  suitable.  TLS  session  objects  are  too
8909       large.
8910
8911       As  of version 2.5, Postfix no longer uses root privileges when opening
8912       this file. The file  should  now  be  stored  under  the  Postfix-owned
8913       data_directory. As a migration aid, an attempt to open the file under a
8914       non-Postfix directory is redirected to  the  Postfix-owned  data_direc‐
8915       tory, and a warning is logged.
8916
8917       Example:
8918
8919       smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8920
8921       This feature is available in Postfix 2.2 and later.
8922

smtp_tls_session_cache_timeout (default: 3600s)

8924       The  expiration  time of Postfix SMTP client TLS session cache informa‐
8925       tion.  A cache cleanup is performed periodically  every  $smtp_tls_ses‐
8926       sion_cache_timeout  seconds.  As with $smtp_tls_session_cache_database,
8927       this parameter is implemented in the  tlsmgr(8)  daemon  and  therefore
8928       per-smtp-instance master.cf overrides are not possible.
8929
8930       As  of  Postfix 2.11 this setting cannot exceed 100 days.  If set <= 0,
8931       session caching is disabled.  If set to a positive value  less  than  2
8932       minutes, the minimum value of 2 minutes is used instead.
8933
8934       Specify  a  non-zero  time  value  (an  integral value plus an optional
8935       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
8936       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
8937       unit is s (seconds).
8938
8939       This feature is available in Postfix 2.2 and later.
8940

smtp_tls_trust_anchor_file (default: empty)

8942       Zero or more PEM-format files  with  trust-anchor  certificates  and/or
8943       public  keys.  If the parameter is not empty the root CAs in CAfile and
8944       CApath are no longer trusted.  Rather, the  Postfix  SMTP  client  will
8945       only  trust  certificate-chains signed by one of the trust-anchors con‐
8946       tained in the chosen files.  The  specified  trust-anchor  certificates
8947       and  public  keys  are  not  subject  to  expiration,  and  need not be
8948       (self-signed) root CAs.  They may, if desired, be intermediate certifi‐
8949       cates.  Therefore, these certificates also may be found "in the middle"
8950       of the trust chain presented by the remote SMTP  server,  and  any  un‐
8951       trusted issuing parent certificates will be ignored.  Specify a list of
8952       pathnames separated by comma or whitespace.
8953
8954       Whether specified in  main.cf,  or  on  a  per-destination  basis,  the
8955       trust-anchor  PEM file must be accessible to the Postfix SMTP client in
8956       the chroot jail if applicable.  The trust-anchor  file  should  contain
8957       only certificates and public keys, no private key material, and must be
8958       readable by the non-privileged $mail_owner user.  This allows  destina‐
8959       tions  to  be  bound  to  a  set of specific CAs or public keys without
8960       trusting the same CAs for all destinations.
8961
8962       The main.cf parameter  supports  single-purpose  Postfix  installations
8963       that  send  mail  to  a  fixed  set  of  SMTP peers.  At most sites, if
8964       trust-anchor files are used  at  all,  they  will  be  specified  on  a
8965       per-destination  basis  via  the "tafile" attribute of the "verify" and
8966       "secure" levels in smtp_tls_policy_maps.
8967
8968       The underlying mechanism is in support of RFC 7672 (DANE  TLSA),  which
8969       defines  mechanisms for an SMTP client MTA to securely determine server
8970       TLS certificates via DNS.
8971
8972       If you want your trust anchors to be public keys, with OpenSSL you  can
8973       extract a single PEM public key from a PEM X.509 file containing a sin‐
8974       gle certificate, as follows:
8975
8976           $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8977
8978       This feature is available in Postfix 2.11 and later.
8979

smtp_tls_verify_cert_match (default: hostname)

8981       How the Postfix SMTP client verifies the  server  certificate  peername
8982       for  the  "verify"  TLS  security level. In a "verify" TLS policy table
8983       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
8984       this main.cf setting.
8985
8986       This  parameter  specifies one or more patterns or strategies separated
8987       by commas, whitespace or colons.  In the policy table  the  only  valid
8988       separator is the colon character.
8989
8990       Patterns specify domain names, or domain name suffixes:
8991
8992       example.com
8993              Match  the  example.com  domain,  i.e.  one  of the names in the
8994              server certificate must be example.com.  Upper  and  lower  case
8995              distinctions are ignored.
8996
8997       .example.com
8998              Match subdomains of the example.com domain, i.e. match a name in
8999              the server certificate that consists of a non-zero number of la‐
9000              bels  followed  by  a .example.com suffix. Case distinctions are
9001              ignored.
9002
9003       Strategies specify a transformation from the next-hop domain to the ex‐
9004       pected name in the server certificate:
9005
9006       nexthop
9007              Match against the next-hop domain, which is either the recipient
9008              domain, or the transport  next-hop  configured  for  the  domain
9009              stripped  of  any  optional socket type prefix, enclosing square
9010              brackets and trailing port. When MX lookups are not  suppressed,
9011              this  is the original nexthop domain prior to the MX lookup, not
9012              the result of the MX lookup. For LMTP delivery  via  UNIX-domain
9013              sockets, the verified next-hop name is $myhostname.  This strat‐
9014              egy is suitable for use with the "secure" policy.  Case  is  ig‐
9015              nored.
9016
9017       dot-nexthop
9018              As above, but match server certificate names that are subdomains
9019              of the next-hop domain. Case is ignored.
9020
9021       hostname
9022              Match against the hostname of the server, often obtained via  an
9023              unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
9024              sockets, the verified name is $myhostname. This matches the ver‐
9025              ification  strategy  of  the  "MUST"  keyword  in  the  obsolete
9026              smtp_tls_per_site table, and is suitable for use with the  "ver‐
9027              ify"  security  level.  When  the  next-hop  name is enclosed in
9028              square brackets to suppress MX lookups, the "hostname"  strategy
9029              is the same as the "nexthop" strategy. Case is ignored.
9030
9031       Sample main.cf setting:
9032
9033       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
9034
9035       Sample policy table override:
9036
9037       example.com     verify  match=hostname:nexthop
9038       .example.com    verify  match=example.com:.example.com:hostname
9039
9040       This feature is available in Postfix 2.3 and later.
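
       The pattern and strategy rules above, modeled as an added example (this
       is not Postfix source code). The function names, the "inet:"/"unix:"
       prefix handling and all host names are assumptions made for the
       illustration; wildcard certificate names are not modeled.

```python
"""Model of smtp_tls_verify_cert_match peername matching (not Postfix code)."""
import re

# Optional "inet:" socket type prefix, optional [] around the name, optional port.
_NEXTHOP = re.compile(
    r"^(?:inet:)?(?:\[(?P<bracketed>[^\]]+)\]|(?P<plain>[^:\[\]]+))"
    r"(?::(?P<port>[^:]+))?$"
)


def parse_nexthop(nexthop, myhostname):
    """Return (domain, mx_suppressed) for a recipient domain or transport next-hop."""
    nexthop = nexthop.strip()
    if nexthop.startswith("unix:"):
        # LMTP over a UNIX-domain socket: the verified name is $myhostname.
        return myhostname.lower(), True
    m = _NEXTHOP.match(nexthop)
    if m is None:
        raise ValueError(f"unsupported next-hop syntax: {nexthop!r}")
    bracketed = m.group("bracketed")
    domain = bracketed if bracketed is not None else m.group("plain")
    return domain.lower().rstrip("."), bracketed is not None


def expand_match_spec(spec, nexthop, server_hostname, myhostname,
                      policy_table=False):
    """Turn patterns and strategies into the names and suffixes to accept."""
    domain, mx_suppressed = parse_nexthop(nexthop, myhostname)
    if mx_suppressed:
        # No MX lookup took place, so "hostname" equals "nexthop".
        server_hostname = domain
    # main.cf: commas, whitespace or colons. Policy table: colons only.
    tokens = spec.split(":") if policy_table else re.split(r"[,\s:]+", spec)
    strategies = {
        "nexthop": domain,
        "dot-nexthop": "." + domain,
        "hostname": server_hostname.lower().rstrip("."),
    }
    return [strategies.get(t.lower(), t.lower()) for t in tokens if t]


def name_matches(cert_name, pattern):
    """Case-insensitive match of one certificate name against one pattern."""
    cert_name = cert_name.lower().rstrip(".")
    if pattern.startswith("."):
        # A non-zero number of labels followed by the suffix.
        return len(cert_name) > len(pattern) and cert_name.endswith(pattern)
    return cert_name == pattern


def verify_peername(cert_names, spec, nexthop, server_hostname,
                    myhostname="client.example.org", policy_table=False):
    """Return the (certificate name, pattern) pair that matched, or None."""
    patterns = expand_match_spec(spec, nexthop, server_hostname, myhostname,
                                 policy_table)
    for pattern in patterns:
        for name in cert_names:
            if name_matches(name, pattern):
                return name, pattern
    return None


if __name__ == "__main__":
    # Constructed case: mail for example.com, and the MX lookup (unauthenticated
    # DNS) returned a host in another domain that holds a certificate for itself.
    cert = ["mx.example.net"]
    print("hostname strategy:       ",
          verify_peername(cert, "hostname", "example.com", "mx.example.net"))
    print("nexthop, dot-nexthop:    ",
          verify_peername(cert, "nexthop, dot-nexthop", "example.com",
                          "mx.example.net"))
    # With [] the MX lookup is suppressed and "hostname" behaves like "nexthop".
    print("bracketed relay, hostname:",
          verify_peername(["mail.example.com"], "hostname",
                          "[mail.example.com]:465", "ignored.example.net"))
```

       The first call accepts a name that came from the MX lookup itself, while
       the second one only accepts names tied to the next-hop domain.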
9041

smtp_tls_wrappermode (default: no)

9043       Request  that  the  Postfix  SMTP  client  connects  using  the SUBMIS‐
9044       SIONS/SMTPS protocol instead of using the STARTTLS command.
9045
9046       This mode requires "smtp_tls_security_level = encrypt" or stronger.
9047
9048       Example: deliver all remote mail via a  provider's  server  "mail.exam‐
9049       ple.com".
9050
9051       /etc/postfix/main.cf:
9052           # Client-side SMTPS requires "encrypt" or stronger.
9053           smtp_tls_security_level = encrypt
9054           smtp_tls_wrappermode = yes
9055           # The [] suppress MX lookups.
9056           relayhost = [mail.example.com]:465
9057
9058       More  examples  are in TLS_README, including examples for older Postfix
9059       versions.
9060
9061       This feature is available in Postfix 3.0 and later.
9062

smtp_use_tls (default: no)

9064       Opportunistic mode: use TLS when a remote SMTP server announces  START‐
9065       TLS  support,  otherwise  send the mail in the clear. Beware: some SMTP
9066       servers offer STARTTLS even if it is not configured.   With  Postfix  <
9067       2.3,  if the TLS handshake fails, and no other server is available, de‐
9068       livery is deferred and mail stays in the queue. If this  is  a  concern
9069       for you, use the smtp_tls_per_site feature instead.
9070
9071       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
9072       and later use smtp_tls_security_level instead.
9073

smtp_xforward_timeout (default: 300s)

9075       The Postfix SMTP client time limit for sending  the  XFORWARD  command,
9076       and for receiving the remote SMTP server response.
9077
9078       Specify  a  non-zero  time  value  (an  integral value plus an optional
9079       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
9080       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
9081       unit is s (seconds).
9082
9083       This feature is available in Postfix 2.1 and later.
9084

smtpd_authorized_verp_clients (default: $authorized_verp_clients)

9086       What remote SMTP clients are allowed  to  specify  the  XVERP  command.
9087       This  command  requests  that mail be delivered one recipient at a time
9088       with a per recipient return address.
9089
9090       By default, no clients are allowed to specify XVERP.
9091
9092       This parameter was renamed with Postfix version 2.1. The default  value
9093       is backwards compatible with Postfix version 2.0.
9094
9095       Specify  a list of network/netmask patterns, separated by commas and/or
9096       whitespace. The mask specifies the number of bits in the  network  part
9097       of a host address. You can also specify hostnames or .domain names (the
9098       initial  dot  causes  the  domain  to  match  any   name   below   it),
9099       "/file/name"  or  "type:table" patterns.  A "/file/name" pattern is re‐
9100       placed by its contents; a "type:table" lookup table is matched  when  a
9101       table  entry  matches  a  lookup string (the lookup result is ignored).
9102       Continue long lines by starting the next line with whitespace.  Specify
9103       "!pattern"  to  exclude  an address or network block from the list. The
9104       form "!/file/name" is supported only in Postfix version 2.4 and later.
9105
9106       Note: IP version 6 address information must be specified inside  []  in
9107       the  smtpd_authorized_verp_clients  value,  and in files specified with
9108       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
9109       would otherwise be confused with a "type:table" pattern.
9110

smtpd_authorized_xclient_hosts (default: empty)

9112       What  remote SMTP clients are allowed to use the XCLIENT feature.  This
9113       command overrides remote SMTP client information that is used  for  ac‐
9114       cess  control.  Typical  use  is for SMTP-based content filters, fetch‐
9115       mail-like programs,  or  SMTP  server  access  rule  testing.  See  the
9116       XCLIENT_README document for details.
9117
9118       This feature is available in Postfix 2.1 and later.
9119
9120       By default, no clients are allowed to specify XCLIENT.
9121
9122       Specify  a list of network/netmask patterns, separated by commas and/or
9123       whitespace. The mask specifies the number of bits in the  network  part
9124       of a host address. You can also specify hostnames or .domain names (the
9125       initial  dot  causes  the  domain  to  match  any   name   below   it),
9126       "/file/name"  or  "type:table" patterns.  A "/file/name" pattern is re‐
9127       placed by its contents; a "type:table" lookup table is matched  when  a
9128       table  entry  matches  a  lookup string (the lookup result is ignored).
9129       Continue long lines by starting the next line with whitespace.  Specify
9130       "!pattern"  to  exclude  an address or network block from the list. The
9131       form "!/file/name" is supported only in Postfix version 2.4 and later.
9132
9133       Note: IP version 6 address information must be specified inside  []  in
9134       the  smtpd_authorized_xclient_hosts  value, and in files specified with
9135       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
9136       would otherwise be confused with a "type:table" pattern.
9137

smtpd_authorized_xforward_hosts (default: empty)

9139       What remote SMTP clients are allowed to use the XFORWARD feature.  This
9140       command forwards information that is  used  to  improve  logging  after
9141       SMTP-based  content  filters.  See the XFORWARD_README document for de‐
9142       tails.
9143
9144       This feature is available in Postfix 2.1 and later.
9145
9146       By default, no clients are allowed to specify XFORWARD.
9147
9148       Specify a list of network/netmask patterns, separated by commas  and/or
9149       whitespace.  The  mask specifies the number of bits in the network part
9150       of a host address. You can also specify hostnames or .domain names (the
9151       initial   dot   causes   the  domain  to  match  any  name  below  it),
9152       "/file/name" or "type:table" patterns.  A "/file/name" pattern  is  re‐
9153       placed  by  its contents; a "type:table" lookup table is matched when a
9154       table entry matches a lookup string (the  lookup  result  is  ignored).
9155       Continue  long lines by starting the next line with whitespace. Specify
9156       "!pattern" to exclude an address or network block from  the  list.  The
9157       form "!/file/name" is supported only in Postfix version 2.4 and later.
9158
9159       Note:  IP  version 6 address information must be specified inside [] in
9160       the smtpd_authorized_xforward_hosts value, and in files specified  with
9161       "/file/name".   IP  version  6 addresses contain the ":" character, and
9162       would otherwise be confused with a "type:table" pattern.
9163

smtpd_banner (default: $myhostname ESMTP $mail_name)

9165       The text that follows the 220 status code in the SMTP greeting  banner.
9166       Some  people like to see the mail version advertised. By default, Post‐
9167       fix shows no version.
9168
9169       You MUST specify $myhostname at the start of the text. This is required
9170       by the SMTP protocol.
9171
9172       Example:
9173
9174       smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
9175

smtpd_client_auth_rate_limit (default: 0)

9177       The  maximal number of AUTH commands that any client is allowed to send
9178       to this service per time unit, regardless of whether or not Postfix ac‐
9179       tually  accepts  those  commands.   The time unit is specified with the
9180       anvil_rate_time_unit configuration parameter.
9181
9182       By default, there is no limit on the number of  AUTH  commands  that  a
9183       client may send.
9184
9185       To disable this feature, specify a limit of 0.
9186
9187       WARNING:  The purpose of this feature is to limit abuse. It must not be
9188       used to regulate legitimate mail traffic.
9189
9190       This feature is available in Postfix 3.1 and later.
9191

smtpd_client_connection_count_limit (default: 50)

9193       How many simultaneous connections any client is allowed to make to this
9194       service.   By  default,  the  limit  is set to half the default process
9195       limit value.
9196
9197       To disable this feature, specify a limit of 0.
9198
9199       WARNING: The purpose of this feature is to limit abuse. It must not  be
9200       used to regulate legitimate mail traffic.
9201
9202       This feature is available in Postfix 2.2 and later.
9203

smtpd_client_connection_rate_limit (default: 0)

9205       The maximal number of connection attempts any client is allowed to make
9206       to this service per time unit.  The time unit  is  specified  with  the
9207       anvil_rate_time_unit configuration parameter.
9208
9209       By  default,  a  client  can  make as many connections per time unit as
9210       Postfix can accept.
9211
9212       To disable this feature, specify a limit of 0.
9213
9214       WARNING: The purpose of this feature is to limit abuse. It must not  be
9215       used to regulate legitimate mail traffic.
9216
9217       This feature is available in Postfix 2.2 and later.
9218
9219       Example:
9220
9221       smtpd_client_connection_rate_limit = 1000
9222

smtpd_client_event_limit_exceptions (default: $mynetworks)

9224       Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
9225       tions. See the mynetworks parameter description for the parameter value
9226       syntax.
9227
9228       By default, clients in trusted networks are excluded. Specify a list of
9229       network blocks, hostnames or .domain names (the initial dot causes  the
9230       domain to match any name below it).
9231
9232       Note:  IP  version 6 address information must be specified inside [] in
9233       the smtpd_client_event_limit_exceptions value, and in  files  specified
9234       with  "/file/name".   IP version 6 addresses contain the ":" character,
9235       and would otherwise be confused with a "type:table" pattern.
9236
9237       Pattern matching of domain names is controlled by the presence  or  ab‐
9238       sence   of   "smtpd_client_event_limit_exceptions"  in  the  parent_do‐
9239       main_matches_subdomains parameter value (Postfix 3.0 and later).
9240
9241       This feature is available in Postfix 2.2 and later.
9242

smtpd_client_ipv4_prefix_length (default: 32)

9244       Aggregate smtpd_client_*_count and  smtpd_client_*_rate  statistics  by
9245       IPv4 network blocks with the specified network prefix. Aggregation uses
9246       fewer anvil(8) resources to maintain counters. By default,  aggregation
9247       is disabled for IPv4.
9248
9249       This feature is available in Postfix 3.8 and later.
9250

smtpd_client_ipv6_prefix_length (default: 84)

9252       Aggregate  smtpd_client_*_count  and  smtpd_client_*_rate statistics by
9253       IPv6 network blocks with the specified network prefix. Aggregation uses
9254       fewer anvil(8) resources to maintain counters. By default,  aggregation
9255       is enabled for IPv6.
9256
9257       This feature is available in Postfix 3.8 and later.
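
       A simplified model of how the smtpd_client_*_rate_limit counters behave
       once clients are aggregated by smtpd_client_ipv4_prefix_length and
       smtpd_client_ipv6_prefix_length, added here as an example and not taken
       from anvil(8). It assumes fixed counting windows of 60 seconds for
       anvil_rate_time_unit; the function names and the sample events are
       constructed for the illustration.

```python
"""Per-client rate counting with prefix aggregation (model, not anvil(8) code)."""
import ipaddress
from collections import Counter


def client_block(addr, ipv4_prefix=32, ipv6_prefix=84):
    """Return the network block under which a client address is counted."""
    ip = ipaddress.ip_address(addr)
    prefix = ipv4_prefix if ip.version == 4 else ipv6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def over_limit(events, limit, time_unit=60, ipv4_prefix=32, ipv6_prefix=84,
               exceptions=()):
    """Return {block: peak count} for blocks exceeding `limit` in a time unit.

    events     -- iterable of (timestamp_seconds, client_address)
    limit      -- e.g. smtpd_client_connection_rate_limit; 0 disables the check
    exceptions -- networks excluded from limits, in the role of
                  smtpd_client_event_limit_exceptions
    """
    if limit == 0:
        return {}
    exempt = [ipaddress.ip_network(e, strict=False) for e in exceptions]
    counts = Counter()
    for ts, addr in events:
        ip = ipaddress.ip_address(addr)
        if any(ip.version == net.version and ip in net for net in exempt):
            continue
        block = client_block(addr, ipv4_prefix, ipv6_prefix)
        # Assumption: one counter per block and per fixed time window.
        counts[(str(block), int(ts // time_unit))] += 1
    peaks = {}
    for (block, _window), n in counts.items():
        if n > limit:
            peaks[block] = max(n, peaks.get(block, 0))
    return peaks


# Constructed sample: five IPv6 addresses from one /84 with three connections
# each, one IPv4 client with four connections, and a busy local client.
SAMPLE_EVENTS = (
    [(ts, f"2001:db8:1:2::{host:x}") for host in range(1, 6) for ts in (1, 20, 40)]
    + [(ts, "192.0.2.10") for ts in (2, 3, 4, 5)]
    + [(ts, "127.0.0.1") for ts in range(50)]
)

if __name__ == "__main__":
    local = ["127.0.0.0/8"]
    print("default /84 aggregation:",
          over_limit(SAMPLE_EVENTS, limit=10, exceptions=local))
    print("no IPv6 aggregation:    ",
          over_limit(SAMPLE_EVENTS, limit=10, ipv6_prefix=128, exceptions=local))
    print("no exceptions:          ",
          over_limit(SAMPLE_EVENTS, limit=10))
```

       With the default IPv6 prefix the five addresses share one counter and
       exceed a limit of 10; counted per address, none of them does.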
9258

smtpd_client_message_rate_limit (default: 0)

9260       The maximal number of message delivery requests that any client is  al‐
9261       lowed  to  make to this service per time unit, regardless of whether or
9262       not Postfix actually accepts those messages.  The time unit  is  speci‐
9263       fied with the anvil_rate_time_unit configuration parameter.
9264
9265       By  default,  a  client  can send as many message delivery requests per
9266       time unit as Postfix can accept.
9267
9268       To disable this feature, specify a limit of 0.
9269
9270       WARNING: The purpose of this feature is to limit abuse. It must not  be
9271       used to regulate legitimate mail traffic.
9272
9273       This feature is available in Postfix 2.2 and later.
9274
9275       Example:
9276
9277       smtpd_client_message_rate_limit = 1000
9278

smtpd_client_new_tls_session_rate_limit (default: 0)

9280       The  maximal  number of new (i.e., uncached) TLS sessions that a remote
9281       SMTP client is allowed to negotiate with this service  per  time  unit.
9282       The  time unit is specified with the anvil_rate_time_unit configuration
9283       parameter.
9284
9285       By default, a remote SMTP client can negotiate as many new TLS sessions
9286       per time unit as Postfix can accept.
9287
9288       To  disable  this  feature,  specify a limit of 0. Otherwise, specify a
9289       limit that is at least the per-client concurrent session limit, or else
9290       legitimate client sessions may be rejected.
9291
9292       WARNING:  The purpose of this feature is to limit abuse. It must not be
9293       used to regulate legitimate mail traffic.
9294
9295       This feature is available in Postfix 2.3 and later.
9296
9297       Example:
9298
9299       smtpd_client_new_tls_session_rate_limit = 100
9300

smtpd_client_port_logging (default: no)

9302       Enable logging of the remote SMTP client port in addition to the  host‐
9303       name and IP address. The logging format is "host[address]:port".
9304
9305       This feature is available in Postfix 2.5 and later.
9306

smtpd_client_recipient_rate_limit (default: 0)

9308       The maximal number of recipient addresses that any client is allowed to
9309       send to this service per time unit, regardless of whether or not  Post‐
9310       fix actually accepts those recipients.  The time unit is specified with
9311       the anvil_rate_time_unit configuration parameter.
9312
9313       By default, a client can send as many recipient addresses per time unit
9314       as Postfix can accept.
9315
9316       To disable this feature, specify a limit of 0.
9317
9318       WARNING:  The purpose of this feature is to limit abuse. It must not be
9319       used to regulate legitimate mail traffic.
9320
9321       This feature is available in Postfix 2.2 and later.
9322
9323       Example:
9324
9325       smtpd_client_recipient_rate_limit = 1000
9326

smtpd_client_restrictions (default: empty)

9328       Optional restrictions that the Postfix SMTP server applies in the  con‐
9329       text  of a client connection request.  See SMTPD_ACCESS_README, section
9330       "Delayed evaluation of SMTP access restriction lists" for a  discussion
9331       of evaluation context and time.
9332
9333       The default is to allow all connection requests.
9334
9335       Specify  a list of restrictions, separated by commas and/or whitespace.
9336       Continue long lines by starting the next  line  with  whitespace.   Re‐
9337       strictions are applied in the order specified;  the  first  restriction
9338       that matches wins.
9339
9340       The following restrictions are specific to client  hostname  or  client
9341       network address information.
9342
9343       check_ccert_access type:table
9344              By default use the remote SMTP client certificate fingerprint or
9345              the public key fingerprint (Postfix 2.9 and later) as the lookup
9346              key  for  the specified access(5) database; with Postfix version
9347              2.2, also require that the remote  SMTP  client  certificate  is
9348              verified successfully.  The fingerprint digest algorithm is con‐
9349              figurable   via   the   smtpd_tls_fingerprint_digest   parameter
9350              (hard-coded  as md5 prior to Postfix version 2.5).  This feature
9351              requires "smtpd_tls_ask_ccert = yes" and is available with Post‐
9352              fix version 2.2 and later.
9353              The default algorithm is sha256 with Postfix >= 3.6 and the com‐
9354              patibility_level set to 3.6 or higher. With Postfix <= 3.5,  the
9355              default  algorithm  is  md5.  The best-practice algorithm is now
9356              sha256. Recent advances in hash function cryptanalysis have  led
9357              to  md5  and sha1 being deprecated in favor of sha256.  However,
9358              as long as there are no known "second pre-image" attacks against
9359              the older algorithms, their use in this context, though not rec‐
9360              ommended, is still likely safe.
9361              Alternatively, check_ccert_access accepts an explicit search or‐
9362              der  (Postfix  3.5  and  later). The default search order as de‐
9363              scribed above corresponds with:
9364              check_ccert_access { type:table, { search_order =
9365              cert_fingerprint, pubkey_fingerprint } }
9366              The commas are optional.
9367
9368       check_client_access type:table
9369              Search  the  specified  access database for the client hostname,
9370              parent domains, client  IP  address,  or  networks  obtained  by
9371              stripping  least  significant  octets.  See the access(5) manual
9372              page for details.
9373
9374       check_client_a_access type:table
9375              Search the specified access(5) database for the IP addresses for
9376              the  client  hostname,  and  execute  the  corresponding action.
9377              Note: a result of "OK" is not allowed for  safety  reasons.  In‐
9378              stead,  use  DUNNO  in  order  to  exclude  specific  hosts from
9379              denylists.  This feature is available in Postfix 3.0 and later.
9380
9381       check_client_mx_access type:table
9382              Search the specified access(5) database for the MX hosts for the
9383              client hostname, and execute the corresponding action.  If no MX
9384              record is found, look up A or AAAA records, just like the  Post‐
9385              fix SMTP client would. Note: a result of "OK" is not allowed for
9386              safety reasons. Instead, use DUNNO in order to exclude  specific
9387              hosts  from denylists.  This feature is available in Postfix 2.7
9388              and later.
9389
9390       check_client_ns_access type:table
9391              Search the specified access(5) database for the DNS servers  for
9392              the  client  hostname,  and  execute  the  corresponding action.
9393              Note: a result of "OK" is not allowed for  safety  reasons.  In‐
9394              stead,  use  DUNNO  in  order  to  exclude  specific  hosts from
9395              denylists.  This feature is available in Postfix 2.7 and later.
9396
9397       check_reverse_client_hostname_access type:table
9398              Search the specified access database for the unverified  reverse
9399              client  hostname, parent domains, client IP address, or networks
9400              obtained by stripping least significant octets. See the
9401              access(5) manual page for details.  Note: a result of "OK" is not
9402              allowed for safety reasons.  Instead, use DUNNO in order to  ex‐
9403              clude  specific hosts from denylists.  This feature is available
9404              in Postfix 2.6 and later.
9405
9406       check_reverse_client_hostname_a_access type:table
9407              Search the specified access(5) database for the IP addresses for
9408              the  unverified  reverse client hostname, and execute the corre‐
9409              sponding action.  Note: a result of  "OK"  is  not  allowed  for
9410              safety reasons.  Instead, use DUNNO in order to exclude specific
9411              hosts from denylists.  This feature is available in Postfix  3.0
9412              and later.
9413
9414       check_reverse_client_hostname_mx_access type:table
9415              Search the specified access(5) database for the MX hosts for the
9416              unverified reverse client hostname, and execute the  correspond‐
9417              ing  action.   If  no  MX  record  is  found,  look up A or AAAA
9418              records, just like the Postfix SMTP client would.  Note:  a  re‐
9419              sult  of  "OK"  is not allowed for safety reasons.  Instead, use
9420              DUNNO in order to exclude specific hosts from  denylists.   This
9421              feature is available in Postfix 2.7 and later.
9422
9423       check_reverse_client_hostname_ns_access type:table
9424              Search  the specified access(5) database for the DNS servers for
9425              the unverified reverse client hostname, and execute  the  corre‐
9426              sponding  action.   Note:  a  result  of "OK" is not allowed for
9427              safety reasons.  Instead, use DUNNO in order to exclude specific
9428              hosts  from denylists.  This feature is available in Postfix 2.7
9429              and later.
9430
9431       check_sasl_access type:table
9432              Use the remote SMTP client SASL user name as the lookup key  for
9433              the  specified  access(5)  database. The lookup key has the form
9434              "username@domainname" when the smtpd_sasl_local_domain parameter
9435              value  is  non-empty.   Unlike  the check_client_access feature,
9436              check_sasl_access does not perform matches of parent domains  or
9437              IP  subnet  ranges.  This feature is available with Postfix ver‐
9438              sion 2.11 and later.
9439
9440       permit_inet_interfaces
9441              Permit the request when the client IP address matches
9442              $inet_interfaces.
9443
9444       permit_mynetworks
9445              Permit  the  request when the client IP address matches any net‐
9446              work or network address listed in  $mynetworks.
9447
9448       permit_sasl_authenticated
9449              Permit the request when the client is successfully authenticated
9450              via the RFC 4954 (AUTH) protocol.
9451
9452       permit_tls_all_clientcerts
9453              Permit  the  request  when the remote SMTP client certificate is
9454              verified successfully.  This option must be used only if a  spe‐
9455              cial  CA issues the certificates and only this CA is listed as a
9456              trusted CA. Otherwise, clients with  a  third-party  certificate
9457              would  also be allowed to relay.  Specify "tls_append_default_CA
9458              = no" when the trusted CA is specified with smtpd_tls_CAfile  or
9459              smtpd_tls_CApath,  to  prevent  Postfix  from appending the sys‐
9460              tem-supplied    default    CAs.     This    feature     requires
9461              "smtpd_tls_ask_ccert  =  yes" and is available with Postfix ver‐
9462              sion 2.2 and later.
9463
9464       permit_tls_clientcerts
9465              Permit the request when the remote SMTP client certificate  fin‐
9466              gerprint  or  public  key fingerprint (Postfix 2.9 and later) is
9467              listed in $relay_clientcerts.  The fingerprint digest  algorithm
9468              is  configurable  via the smtpd_tls_fingerprint_digest parameter
9469              (hard-coded as md5 prior to Postfix version 2.5).  This  feature
9470              requires "smtpd_tls_ask_ccert = yes" and is available with Post‐
9471              fix version 2.2 and later.
9472              The default algorithm is sha256 with Postfix >= 3.6 and the
9473              compatibility_level set to 3.6 or higher. With Postfix <= 3.5, the
9474              default algorithm is md5.  The best-practice  algorithm  is  now
9475              sha256.  Recent advances in hash function cryptanalysis have led
9476              to md5 and sha1 being deprecated in favor of  sha256.   However,
9477              as long as there are no known "second pre-image" attacks against
9478              the older algorithms, their use in this context, though not rec‐
9479              ommended, is still likely safe.
9480
9481       reject_rbl_client rbl_domain=d.d.d.d
9482              Reject  the  request when the reversed client network address is
9483              listed with the A record  "d.d.d.d"  under  rbl_domain  (Postfix
9484              version 2.1 and later only).  Each "d" is a number, or a pattern
9485              inside "[]" that contains one or more ";"-separated  numbers  or
9486              number..number  ranges  (Postfix  version 2.8 and later).  If no
9487              "=d.d.d.d" is specified, reject the request  when  the  reversed
9488              client network address is listed with any A record under
9489              rbl_domain.
9490              The maps_rbl_reject_code parameter specifies the  response  code
9491              for  rejected  requests  (default:   554), the default_rbl_reply
9492              parameter specifies the default server reply, and the
9493              rbl_reply_maps parameter specifies tables with server replies indexed
9494              by rbl_domain.  This feature is available  in  Postfix  2.0  and
9495              later.
9496
9497       permit_dnswl_client dnswl_domain=d.d.d.d
9498              Accept  the  request when the reversed client network address is
9499              listed with the A record "d.d.d.d" under dnswl_domain.  Each "d"
9500              is  a number, or a pattern inside "[]" that contains one or more
9501              ";"-separated  numbers  or   number..number   ranges.    If   no
9502              "=d.d.d.d"  is  specified,  accept the request when the reversed
9503              client network  address  is  listed  with  any  A  record  under
9504              dnswl_domain.
9505              For  safety,  permit_dnswl_client  is  silently  ignored when it
9506              would override reject_unauth_destination.  The result is
9507              DEFER_IF_REJECT when allowlist lookup fails.  This feature is
9508              available in Postfix 2.8 and later.
9509
9510       reject_rhsbl_client rbl_domain=d.d.d.d
9511              Reject the request when the client hostname is listed with the A
9512              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
9513              only).  Each "d" is a number, or a pattern inside "[]" that con‐
9514              tains one or more ";"-separated numbers or number..number ranges
9515              (Postfix version 2.8 and later).  If no "=d.d.d.d" is specified,
9516              reject the request when the client hostname is listed with any A
9517              record under rbl_domain. See the  reject_rbl_client  description
9518              above for additional RBL related configuration parameters.  This
9519              feature is available in Postfix 2.0 and later; with Postfix ver‐
9520              sion  2.8  and  later,  reject_rhsbl_reverse_client will usually
9521              produce better results.
9522
9523       permit_rhswl_client rhswl_domain=d.d.d.d
9524              Accept the request when the client hostname is listed with the A
9525              record "d.d.d.d" under rhswl_domain.  Each "d" is a number, or a
9526              pattern inside "[]" that contains one or more ";"-separated num‐
9527              bers  or  number..number  ranges. If no "=d.d.d.d" is specified,
9528              accept the request when the client hostname is listed with any A
9529              record under rhswl_domain.
9530              Caution:  client  name allowlisting is fragile, since the client
9531              name lookup can fail due to temporary outages.  Client name  al‐
9532              lowlisting should be used only to reduce false positives in e.g.
9533              DNS-based blocklists, and not for making access rule exceptions.
9534              For safety, permit_rhswl_client  is  silently  ignored  when  it
9535              would override reject_unauth_destination.  The result is
9536              DEFER_IF_REJECT when allowlist lookup fails.  This feature is
9537              available in Postfix 2.8 and later.
9538
9539       reject_rhsbl_reverse_client rbl_domain=d.d.d.d
9540              Reject  the  request when the unverified reverse client hostname
9541              is listed with the A record "d.d.d.d"  under  rbl_domain.   Each
9542              "d"  is  a number, or a pattern inside "[]" that contains one or
9543              more ";"-separated numbers  or  number..number  ranges.   If  no
9544              "=d.d.d.d"  is specified, reject the request when the unverified
9545              reverse client hostname  is  listed  with  any  A  record  under
9546              rbl_domain.  See the reject_rbl_client description above for ad‐
9547              ditional RBL related configuration parameters.  This feature  is
9548              available in Postfix 2.8 and later.
9549
9550       reject_unknown_client_hostname (with Postfix < 2.3:
9551       reject_unknown_client)
9552              Reject the request when 1) the client IP  address->name  mapping
9553              fails,  or  2)  the  name->address  mapping  fails,  or  3)  the
9554              name->address mapping does not match the client IP address.
9555              This is a stronger restriction than the
9556              reject_unknown_reverse_client_hostname feature, which triggers
9557              only under condition 1) above.
9558              The unknown_client_reject_code parameter specifies the  response
9559              code  for  rejected requests (default: 450). The reply is always
9560              450 in case the address->name or name->address lookup failed due
9561              to a temporary problem.
9562
9563       reject_unknown_reverse_client_hostname
9564              Reject  the  request  when  the  client  IP  address  has no ad‐
9565              dress->name mapping.
9566              This is a weaker restriction than the
9567              reject_unknown_client_hostname feature, which requires not only that the
9568              address->name and name->address mappings exist,  but  also  that
9569              the two mappings reproduce the client IP address.
9570              The  unknown_client_reject_code parameter specifies the response
9571              code for rejected requests (default: 450).  The reply is  always
9572              450  in  case the address->name lookup failed due to a temporary
9573              problem.
9574              This feature is available in Postfix 2.3 and later.
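
The "=d.d.d.d" reply filter described above for reject_rbl_client, permit_dnswl_client and the rhsbl/rhswl variants can be checked offline before it goes into main.cf. The Python sketch below is an added example, not Postfix code: it builds the query name for a client address and matches returned A records against a filter using only the grammar given in the text; the list name dnsbl.example and all lookup answers are constructed.

```python
import ipaddress


def rbl_query_name(client_ip, rbl_domain):
    """Name queried for a client: reversed address labels prepended to rbl_domain."""
    pointer = ipaddress.ip_address(client_ip).reverse_pointer
    # reverse_pointer ends in ".in-addr.arpa" or ".ip6.arpa"; keep only the
    # reversed octets (IPv4) or nibbles (IPv6, the usual DNSBL convention).
    reversed_labels = pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{rbl_domain}"


def _split_fields(pattern):
    """Split 'd.d.d.d' on the dots between fields, not on the '..' inside ranges."""
    fields, pos = [], 0
    while True:
        if pattern.startswith("[", pos):
            end = pattern.find("]", pos)
            if end < 0:
                raise ValueError(f"unterminated '[' in {pattern!r}")
            fields.append(pattern[pos + 1:end].split(";"))
            pos = end + 1
        else:
            end = pattern.find(".", pos)
            end = len(pattern) if end < 0 else end
            fields.append([pattern[pos:end]])
            pos = end
        if pos == len(pattern):
            return fields
        if pattern[pos] != ".":
            raise ValueError(f"expected '.' at offset {pos} in {pattern!r}")
        pos += 1


def _to_range(item):
    """Turn 'n' or 'n..m' into an inclusive (low, high) pair of octet values."""
    low, sep, high = item.partition("..")
    if not low.isdigit() or (sep and not high.isdigit()):
        raise ValueError(f"bad number or range {item!r}")
    lo, hi = int(low), int(high) if sep else int(low)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"range {item!r} is reversed or outside 0..255")
    return lo, hi


def parse_reply_pattern(pattern):
    """Parse a 'd.d.d.d' filter into four lists of inclusive ranges."""
    fields = [[_to_range(item) for item in field] for field in _split_fields(pattern)]
    if len(fields) != 4:
        raise ValueError(f"{pattern!r} has {len(fields)} fields, expected 4")
    return fields


def reply_matches(pattern, a_record):
    """True when every octet of the A record falls in the matching field."""
    fields = parse_reply_pattern(pattern)
    octets = ipaddress.IPv4Address(a_record).packed
    return all(any(lo <= octet <= hi for lo, hi in field)
               for octet, field in zip(octets, fields))


def is_listed(restriction_arg, a_records):
    """Apply 'rbl_domain' or 'rbl_domain=d.d.d.d' to the A records of one lookup."""
    _domain, has_filter, pattern = restriction_arg.partition("=")
    if not has_filter:
        return bool(a_records)  # no filter: any A record counts as listed
    return any(reply_matches(pattern, record) for record in a_records)


# Constructed lookup answers for a hypothetical list "dnsbl.example".
SAMPLE_ANSWERS = {
    "25.2.0.192.dnsbl.example": ["127.0.0.4"],
    "26.2.0.192.dnsbl.example": ["127.0.0.3"],
    "27.2.0.192.dnsbl.example": [],  # no A record: not listed
}


def decide(client_ip, restriction_arg):
    """Would the restriction argument treat this sample client as listed?"""
    domain = restriction_arg.partition("=")[0]
    answers = SAMPLE_ANSWERS.get(rbl_query_name(client_ip, domain), [])
    return is_listed(restriction_arg, answers)


if __name__ == "__main__":
    for arg in ("dnsbl.example", "dnsbl.example=127.0.0.[2;4..11]"):
        for ip in ("192.0.2.25", "192.0.2.26", "192.0.2.27"):
            print(f"{arg:34} {ip:12} listed={decide(ip, arg)}")
```

The second sample client shows why the filter matters: without "=d.d.d.d" any A record counts as a listing, while the filtered form acts only on the reply values named in the filter.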
9575
9576       In addition, you can use any of  the  following  generic  restrictions.
9577       These restrictions are applicable in any SMTP command context.
9578
9579       check_policy_service servername
9580              Query  the  specified policy server. See the SMTPD_POLICY_README
9581              document for details. This feature is available in  Postfix  2.1
9582              and later.
9583
9584       defer  Defer  the  request. The client is told to try again later. This
9585              restriction is useful at the end of a restriction list, to  make
9586              the default policy explicit.
9587              The  defer_code  parameter  specifies the SMTP server reply code
9588              (default: 450).
9589
9590       defer_if_permit
9591              Defer the request if some later restriction would result  in  an
9592              explicit  or  implicit  PERMIT  action.   This  is useful when a
9593              denylisting feature fails due to a temporary problem.  This fea‐
9594              ture is available in Postfix version 2.1 and later.
9595
9596       defer_if_reject
9597              Defer  the  request  if some later restriction would result in a
9598              REJECT action.  This is  useful  when  an  allowlisting  feature
9599              fails  due to a temporary problem.  This feature is available in
9600              Postfix version 2.1 and later.
9601
9602       permit Permit the request. This restriction is useful at the end  of  a
9603              restriction list, to make the default policy explicit.
9604
9605       reject_multi_recipient_bounce
9606              Reject the request when the envelope sender is the null address,
9607              and the message has multiple envelope recipients. This usage has
9608              rare  but  legitimate  applications:  under  certain conditions,
9609              multi-recipient mail that was posted with the DSN option
9610              NOTIFY=NEVER may be forwarded with the null sender address.
9611              Note:  this  restriction  can  only  work  reliably when used in
9612              smtpd_data_restrictions or  smtpd_end_of_data_restrictions,  be‐
9613              cause  the total number of recipients is not known at an earlier
9614              stage of the SMTP conversation.  Use at the RCPT stage will only
9615              reject the second etc.  recipient.
9616              The  multi_recipient_bounce_reject_code  parameter specifies the
9617              response code for rejected requests (default:  550).  This  fea‐
9618              ture is available in Postfix 2.1 and later.
9619
9620       reject_plaintext_session
9621              Reject  the  request  when the connection is not encrypted. This
9622              restriction should not be used  before  the  client  has  had  a
9623              chance  to  negotiate  encryption with the AUTH or STARTTLS com‐
9624              mands.
9625              The plaintext_reject_code parameter specifies the response  code
9626              for  rejected  requests (default:  450).  This feature is avail‐
9627              able in Postfix 2.3 and later.
9628
9629       reject_unauth_pipelining
9630              Reject the request when the client sends SMTP commands ahead  of
9631              time where it is not allowed, or when the client sends SMTP com‐
9632              mands ahead of time without knowing that Postfix  actually  sup‐
9633              ports  ESMTP  command pipelining. This stops mail from bulk mail
9634              software that improperly uses ESMTP command pipelining in  order
9635              to speed up deliveries.
9636              With  Postfix  2.6 and later, the SMTP server sets a per-session
9637              flag whenever it detects illegal pipelining, including pipelined
9638              HELO or EHLO commands. The reject_unauth_pipelining feature sim‐
9639              ply tests whether the flag was set at any point in  time  during
9640              the session.
9641              With older Postfix versions, reject_unauth_pipelining checks the
9642              current status of the input read queue, and  its  usage  is  not
9643              recommended in contexts other than smtpd_data_restrictions.
9644
9645       reject Reject  the  request. This restriction is useful at the end of a
9646              restriction list, to make the default policy explicit.  The
9647              reject_code configuration parameter specifies the response code
9648              for rejected requests (default: 554).
9649
9650       sleep seconds
9651              Pause for the specified number of seconds and proceed  with  the
9652              next  restriction in the list, if any. This may stop zombie mail
9653              when used as:
9654              /etc/postfix/main.cf:
9655                  smtpd_client_restrictions =
9656                      sleep 1, reject_unauth_pipelining
9657                  smtpd_delay_reject = no
9658              This feature is available in Postfix 2.3.
9659
9660       warn_if_reject
9661              A safety net for testing. When "warn_if_reject" is placed before
9662              a reject-type restriction, access table query, or
9663              check_policy_service query, this logs a "reject_warning" message instead
9664              of rejecting a request (when a reject-type restriction fails due
9665              to a temporary error, this logs a "reject_warning"  message  for
9666              any  implicit "defer_if_permit" actions that would normally pre‐
9667              vent mail from being accepted by some later access restriction).
9668              This feature has no effect on defer_if_reject restrictions.
9669
9670       Other restrictions that are valid in this context:
9671
9672       •      SMTP  command specific restrictions that are described under the
9673              smtpd_helo_restrictions, smtpd_sender_restrictions or
9674              smtpd_recipient_restrictions parameters. When helo, sender or recipient
9675              restrictions are listed  under  smtpd_client_restrictions,  they
9676              have  effect  only  with  "smtpd_delay_reject  =  yes",  so that
9677              $smtpd_client_restrictions is evaluated at the time of the  RCPT
9678              TO command.
9679
9680       Example:
9681
9682       smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
9683
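The example above relies on reject_unknown_client_hostname, whose three conditions differ from the single condition of reject_unknown_reverse_client_hostname. The Python sketch below is an added example, not Postfix code: it classifies clients by those conditions and reports the reply code each restriction would produce, with the resolver replaced by constructed tables (documentation addresses, hypothetical names) and unknown_client_reject_code set to 550 so that temporary failures stand out.

```python
import ipaddress

RESTRICTIONS = ("reject_unknown_reverse_client_hostname",
                "reject_unknown_client_hostname")


class TempFail(Exception):
    """Constructed stand-in for a temporary DNS error (timeout, SERVFAIL)."""


def classify_client(client_ip, ptr_lookup, addr_lookup):
    """Return (condition, temporary).

    condition is 1, 2 or 3 as numbered in the text, or None when the
    address->name and name->address mappings reproduce the client address.
    """
    try:
        name = ptr_lookup(client_ip)
    except TempFail:
        return 1, True
    if not name:
        return 1, False                      # 1) address->name mapping fails
    try:
        addresses = addr_lookup(name)
    except TempFail:
        return 2, True
    if not addresses:
        return 2, False                      # 2) name->address mapping fails
    client = ipaddress.ip_address(client_ip)
    if client not in {ipaddress.ip_address(a) for a in addresses}:
        return 3, False                      # 3) name does not map back
    return None, False


def reply_code(restriction, condition, temporary, unknown_client_reject_code=450):
    """Reply code the restriction produces, or None when it does not trigger."""
    if restriction == "reject_unknown_reverse_client_hostname":
        triggers = condition == 1
    elif restriction == "reject_unknown_client_hostname":
        triggers = condition is not None
    else:
        raise ValueError(f"not modelled here: {restriction}")
    if not triggers:
        return None
    # The reply is always 450 when the lookup failed due to a temporary problem.
    return 450 if temporary else unknown_client_reject_code


# Constructed DNS data: documentation address ranges, hypothetical names.
PTR = {"192.0.2.10": "mail.example.org",
       "192.0.2.30": "host.example.net",
       "192.0.2.40": "mx.example.com"}
A = {"mail.example.org": ["192.0.2.10"],
     "mx.example.com": ["198.51.100.7"]}     # PTR claim that does not map back
PTR_TEMPFAIL = {"192.0.2.50"}


def sample_ptr(ip):
    if ip in PTR_TEMPFAIL:
        raise TempFail(ip)
    return PTR.get(ip)


def sample_addr(name):
    return A.get(name, [])


def survey(clients, unknown_client_reject_code=550):
    """Map each client to (reverse-only code, full-check code)."""
    rows = {}
    for ip in clients:
        condition, temporary = classify_client(ip, sample_ptr, sample_addr)
        rows[ip] = tuple(reply_code(r, condition, temporary, unknown_client_reject_code)
                         for r in RESTRICTIONS)
    return rows


if __name__ == "__main__":
    clients = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50"]
    for ip, codes in survey(clients).items():
        print(ip, dict(zip(RESTRICTIONS, codes)))
```

The 192.0.2.40 row is the case to note: its reverse name exists, so the weaker restriction passes it, but the name is only a claim made by whoever controls the reverse zone and does not map back to the client address.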

smtpd_command_filter (default: empty)

9685       A  mechanism to transform commands from remote SMTP clients.  This is a
9686       last-resort tool to work around client commands that  break  interoper‐
9687       ability  with the Postfix SMTP server.  Other uses involve fault injec‐
9688       tion to test Postfix's handling of invalid commands.
9689
9690       Specify the name of a "type:table" lookup table. The search  string  is
9691       the  SMTP  command as received from the remote SMTP client, except that
9692       initial whitespace and the trailing <CR><LF> are removed.   The  result
9693       value is executed by the Postfix SMTP server.
9694
9695       There is no need to use smtpd_command_filter for the following cases:
9696
9697       •      Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
9698
9699       •      Postfix already accepts the correct form "user@[ipaddress]". Use
9700              virtual_alias_maps or canonical_maps to translate these into do‐
9701              main names if necessary.
9702
9703       •      Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
9704              <user@example.com>>". Postfix will ignore the "User  Name"  part
9705              and deliver to the <user@example.com> address.
9706
9707       Examples  of  problems that can be solved with the smtpd_command_filter
9708       feature:
9709
9710       /etc/postfix/main.cf:
9711           smtpd_command_filter = pcre:/etc/postfix/command_filter
9712
9713       /etc/postfix/command_filter:
9714           # Work around clients that send malformed HELO commands.
9715           /^HELO\s*$/ HELO domain.invalid
9716
9717           # Work around clients that send empty lines.
9718           /^\s*$/     NOOP
9719
9720           # Work around clients that send RCPT TO:<'user@domain'>.
9721           # WARNING: do not lose the parameters that follow the address.
9722           /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/     $1$2$3
9723
9724           # Append XVERP to MAIL FROM commands to request VERP-style delivery.
9725           # See VERP_README for more information on how to use Postfix VERP.
9726           /^(MAIL\s+FROM:\s*<listname@example\.com>.*)/   $1 XVERP
9727
9728           # Bounce-never mail sink. Use notify_classes=bounce,resource,software
9729           # to send bounced mail to the postmaster (with message body removed).
9730           /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/     $1 NOTIFY=NEVER$2
9731           /^(RCPT\s+TO:.*)/                             $1 NOTIFY=NEVER
9732
9733       This feature is available in Postfix 2.7.
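
The warning in the table above ("do not lose the parameters that follow the address") can be turned into a regression check that runs before a filter table is deployed. The Python sketch below is an added example, not Postfix code: it transcribes the page's rules for Python's re module ([^[:space:]] written as \S), and assumes case-insensitive matching, one lookup per command with the first matching rule supplying the result, and an unchanged command when nothing matches; LOSSY_RULES and all sample commands are constructed.

```python
import re

# The command_filter rules from the page, transcribed for Python's re module.
RULES = [
    (r"^HELO\s*$", "HELO domain.invalid"),
    (r"^\s*$", "NOOP"),
    (r"^(RCPT\s+TO:\s*<)'(\S+)'(>.*)", "$1$2$3"),
    (r"^(MAIL\s+FROM:\s*<listname@example\.com>.*)", "$1 XVERP"),
    (r"^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)", "$1 NOTIFY=NEVER$2"),
    (r"^(RCPT\s+TO:.*)", "$1 NOTIFY=NEVER"),
]

# Constructed, deliberately lossy variant of the third rule: it matches the
# text after '>' but does not copy it into the result.
LOSSY_RULES = [(r"^(RCPT\s+TO:\s*<)'(\S+)'>.*", "$1$2>")]


def normalize(raw_line):
    """Search string per the page: initial whitespace and trailing <CR><LF> removed."""
    line = raw_line[:-2] if raw_line.endswith("\r\n") else raw_line
    return line.lstrip()


def apply_filter(rules, raw_line):
    """Return the command the server would execute after one table lookup."""
    command = normalize(raw_line)
    for pattern, template in rules:
        match = re.search(pattern, command, re.IGNORECASE)
        if match:
            # Substitute $1..$9 with the captured groups (empty if unset).
            return re.sub(r"\$(\d)",
                          lambda ref: match.group(int(ref.group(1))) or "",
                          template)
    return command  # assumed: no match means the command is used as received


def lost_parameters(original, rewritten):
    """ESMTP parameter keywords present after '>' in original but not in rewritten."""
    def keywords(command):
        return [p.split("=")[0].upper() for p in command.partition(">")[2].split()]
    kept = keywords(rewritten)
    return [k for k in keywords(original) if k not in kept]


# Constructed client commands used as regression inputs.
SAMPLES = [
    "HELO\r\n",
    "\r\n",
    "EHLO client.example\r\n",
    "MAIL FROM:<listname@example.com> SIZE=1000\r\n",
    "RCPT TO:<'user@example.com'> ORCPT=rfc822;user@example.com\r\n",
    "RCPT TO:<user@example.com> NOTIFY=SUCCESS,FAILURE ORCPT=rfc822;user@example.com\r\n",
    "RCPT TO:<user@example.com>\r\n",
]


def regression_report(rules):
    """Map each sample to (rewritten command, parameter keywords the rewrite lost)."""
    return {s: (apply_filter(rules, s), lost_parameters(s, apply_filter(rules, s)))
            for s in SAMPLES}


if __name__ == "__main__":
    for sample, (result, lost) in regression_report(RULES).items():
        print(f"{sample.strip()!r:85} -> {result!r} lost={lost}")
```

In this model a quoted RCPT TO is unquoted by the third rule and never reaches the NOTIFY=NEVER rules, because only one rule is applied per command. On a live system, "postmap -q" against the pcre table gives the authoritative result for the same inputs.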
9734

smtpd_data_restrictions (default: empty)

9736       Optional access restrictions that the Postfix SMTP  server  applies  in
9737       the context of the SMTP DATA command.  See SMTPD_ACCESS_README, section
9738       "Delayed evaluation of SMTP access restriction lists" for a  discussion
9739       of evaluation context and time.
9740
9741       This feature is available in Postfix 2.0 and later.
9742
9743       Specify  a list of restrictions, separated by commas and/or whitespace.
9744       Continue long lines by starting the next  line  with  whitespace.   Re‐
9745       strictions are applied in the order as specified; the first restriction
9746       that matches wins.
9747
9748       The following restrictions are valid in this context:
9749
9750       •      Generic restrictions that can be used in any SMTP  command  con‐
9751              text, described under smtpd_client_restrictions.
9752
9753       •      SMTP    command    specific    restrictions    described   under
9754              smtpd_client_restrictions,              smtpd_helo_restrictions,
9755              smtpd_sender_restrictions or smtpd_recipient_restrictions.
9756
9757       •      However,  no  recipient  information is available in the case of
9758              multi-recipient mail. Acting on only one recipient would be mis‐
9759              leading,   because  any  decision  will  affect  all  recipients
9760              equally. Acting on all recipients would require a possibly  very
9761              large  amount  of  memory,  and would also be misleading for the
9762              reasons mentioned before.
9763
9764       Examples:
9765
9766       smtpd_data_restrictions = reject_unauth_pipelining
9767       smtpd_data_restrictions = reject_multi_recipient_bounce
9768

smtpd_delay_open_until_valid_rcpt (default: yes)

9770       Postpone the start of an SMTP mail transaction until a  valid  RCPT  TO
9771       command  is received. Specify "no" to create a mail transaction as soon
9772       as the Postfix SMTP server receives a valid MAIL FROM command.
9773
9774       With sites that reject lots of mail, the default  setting  reduces  the
9775       use  of  disk,  CPU and memory resources. The downside is that rejected
9776       recipients are logged with NOQUEUE instead of a  mail  transaction  ID.
9777       This complicates the logfile analysis of multi-recipient mail.
9778
9779       This feature is available in Postfix 2.3 and later.
9780

smtpd_delay_reject (default: yes)

9782       Wait until the RCPT TO command before evaluating
9783       $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
9784       until the ETRN command before evaluating $smtpd_client_restrictions and
9785       $smtpd_helo_restrictions.
9786
9787       This feature is turned on by default because  some  clients  apparently
9788       mis-behave  when  the  Postfix SMTP server rejects commands before RCPT
9789       TO.
9790
9791       The default setting has one major benefit: it allows Postfix to log re‐
9792       cipient  address  information  when  rejecting a client name/address or
9793       sender address, so that it is possible to find out whose mail is  being
9794       rejected.
9795

smtpd_discard_ehlo_keyword_address_maps (default: empty)

9797       Lookup tables, indexed by the remote SMTP client address, with case in‐
9798       sensitive lists of EHLO keywords  (pipelining,  starttls,  auth,  etc.)
9799       that  the  Postfix  SMTP server will not send in the EHLO response to a
9800       remote SMTP client. See smtpd_discard_ehlo_keywords for  details.   The
9801       tables are not searched by hostname for robustness reasons.
9802
9803       Specify zero or more "type:name" lookup tables, separated by whitespace
9804       or comma. Tables will be searched in the specified order until a  match
9805       is found.
9806
9807       This feature is available in Postfix 2.2 and later.
9808

smtpd_discard_ehlo_keywords (default: empty)

9810       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
9811       etc.) that the Postfix SMTP server will not send in the  EHLO  response
9812       to a remote SMTP client.
9813
9814       This feature is available in Postfix 2.2 and later.
9815
9816       Notes:
9817
9818       •      Specify the silent-discard pseudo keyword to prevent this action
9819              from being logged.
9820
9821       •      Use the smtpd_discard_ehlo_keyword_address_maps feature to  dis‐
9822              card EHLO keywords selectively.
9823

smtpd_dns_reply_filter (default: empty)

9825       Optional  filter  for  Postfix  SMTP  server  DNS  lookup results.  See
9826       smtp_dns_reply_filter for details including an example.
9827
9828       This feature is available in Postfix 3.0 and later.
9829

smtpd_end_of_data_restrictions (default: empty)

9831       Optional access restrictions that the Postfix SMTP  server  applies  in
9832       the  context of the SMTP END-OF-DATA command.  See SMTPD_ACCESS_README,
9833       section "Delayed evaluation of SMTP access  restriction  lists"  for  a
9834       discussion of evaluation context and time.
9835
9836       This feature is available in Postfix 2.2 and later.
9837
9838       See smtpd_data_restrictions for details and limitations.
9839

smtpd_enforce_tls (default: no)

9841       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
9842       require that clients use TLS encryption.  According to  RFC  2487  this
9843       MUST NOT be applied in case of a publicly-referenced SMTP server.  This
9844       option is therefore off by default.
9845
9846       Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
9847
9848       Note 2: when invoked via  "sendmail  -bs",  Postfix  will  never  offer
9849       STARTTLS  due  to  insufficient privileges to access the server private
9850       key. This is intended behavior.
9851
9852       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
9853       and later use smtpd_tls_security_level instead.
9854

smtpd_error_sleep_time (default: 1s)

9856       With  Postfix version 2.1 and later: the SMTP server response delay af‐
9857       ter a client has made more  than  $smtpd_soft_error_limit  errors,  and
9858       fewer than $smtpd_hard_error_limit errors, without delivering mail.
9859
9860       With  Postfix  version  2.0  and  earlier: the SMTP server delay before
9861       sending a reject (4xx or 5xx) response, when the client has made  fewer
9862       than  $smtpd_soft_error_limit  errors without delivering mail. When the
9863       client has made $smtpd_soft_error_limit or more errors, delay all
9864       responses with the larger of (number of errors) seconds or
9865       $smtpd_error_sleep_time.
9866
9867       Specify a non-negative time value (an integral value plus  an  optional
9868       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
9869       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
9870       unit is s (seconds).
9871

smtpd_etrn_restrictions (default: empty)

       Optional restrictions that the Postfix SMTP server applies in the con‐
       text of a client ETRN command.  See SMTPD_ACCESS_README, section "De‐
       layed evaluation of SMTP access restriction lists" for a discussion of
       evaluation context and time.

       The Postfix ETRN implementation accepts only destinations that are eli‐
       gible for the Postfix "fast flush" service. See the ETRN_README file
       for details.

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.  Re‐
       strictions are applied in the order as specified; the first restriction
       that matches wins.

       The following restrictions are specific to the domain name information
       received with the ETRN command.

       check_etrn_access type:table
              Search the specified access database for the ETRN domain name or
              its parent domains. See the access(5) manual page for details.

       Other restrictions that are valid in this context:

       •      Generic restrictions that can be used in any SMTP command con‐
              text, described under smtpd_client_restrictions.

       •      SMTP command specific restrictions described under
              smtpd_client_restrictions and smtpd_helo_restrictions.

       Example:

       smtpd_etrn_restrictions = permit_mynetworks, reject


smtpd_expansion_filter (default: see postconf -d output)

       What characters are allowed in $name expansions of RBL reply templates.
       Characters not in the allowed set are replaced by "_".  Use C like es‐
       capes to specify special characters such as whitespace.

       The smtpd_expansion_filter value is not subject to Postfix configura‐
       tion parameter $name expansion.

       This feature is available in Postfix 2.0 and later.


smtpd_forbid_unauth_pipelining (default: Postfix >= 3.9: yes)

       Disconnect remote SMTP clients that violate RFC 2920 (or 5321) command
       pipelining constraints. The server replies with "554 5.5.0 Error: SMTP
       protocol synchronization" and logs the unexpected remote SMTP client
       input. Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
       feature is enabled by default with Postfix >= 3.9.

       This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, 3.6.10, and
       3.5.20.


smtpd_forbidden_commands (default: CONNECT GET POST regexp:{{/^[^A-Z]/ Bogus}})

       List of commands that cause the Postfix SMTP server to immediately ter‐
       minate the session with a 221 code. This can be used to disconnect
       clients that obviously attempt to abuse the system. In addition to the
       commands listed in this parameter, commands that follow the "Label:"
       format of message headers will also cause a disconnect. With Postfix
       versions 3.6 and earlier, the default value is "CONNECT GET POST".

       This feature is available in Postfix 2.2 and later.

       Support for inline regular expressions was added in Postfix version
       3.7. See regexp_table(5) for a description of the syntax and features.


smtpd_hard_error_limit (default: normal: 20, overload: 1)

       The maximal number of errors a remote SMTP client is allowed to make
       without delivering mail. The Postfix SMTP server disconnects when the
       limit is reached. Normally the default limit is 20, but it changes un‐
       der overload to just 1. With Postfix 2.5 and earlier, the SMTP server
       always allows up to 20 errors by default.  Valid values are greater
       than zero.


smtpd_helo_required (default: no)

       Require that a remote SMTP client introduces itself with the HELO or
       EHLO command before sending the MAIL command or other commands that re‐
       quire EHLO negotiation.

       Example:

       smtpd_helo_required = yes


smtpd_helo_restrictions (default: empty)

       Optional restrictions that the Postfix SMTP server applies in the con‐
       text of a client HELO command.  See SMTPD_ACCESS_README, section "De‐
       layed evaluation of SMTP access restriction lists" for a discussion of
       evaluation context and time.

       The default is to permit everything.

       Note: specify "smtpd_helo_required = yes" to fully enforce this re‐
       striction (without "smtpd_helo_required = yes", a client can simply
       skip smtpd_helo_restrictions by not sending HELO or EHLO).

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.  Re‐
       strictions are applied in the order as specified; the first restriction
       that matches wins.

       The following restrictions are specific to the hostname information re‐
       ceived with the HELO or EHLO command.

       check_helo_access type:table
              Search the specified access(5) database for the HELO or EHLO
              hostname or parent domains, and execute the corresponding ac‐
              tion.  Note: specify "smtpd_helo_required = yes" to fully en‐
              force this restriction (without "smtpd_helo_required = yes", a
              client can simply skip check_helo_access by not sending HELO or
              EHLO).

       check_helo_a_access type:table
              Search the specified access(5) database for the IP addresses for
              the HELO or EHLO hostname, and execute the corresponding action.
              Note 1: a result of "OK" is not allowed for safety reasons. In‐
              stead, use DUNNO in order to exclude specific hosts from
              denylists.  Note 2: specify "smtpd_helo_required = yes" to fully
              enforce this restriction (without "smtpd_helo_required = yes", a
              client can simply skip check_helo_a_access by not sending HELO
              or EHLO).  This feature is available in Postfix 3.0 and later.

       check_helo_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              HELO or EHLO hostname, and execute the corresponding action.  If
              no MX record is found, look up A or AAAA records, just like the
              Postfix SMTP client would.  Note 1: a result of "OK" is not al‐
              lowed for safety reasons. Instead, use DUNNO in order to exclude
              specific hosts from denylists.  Note 2: specify
              "smtpd_helo_required = yes" to fully enforce this restriction
              (without "smtpd_helo_required = yes", a client can simply skip
              check_helo_mx_access by not sending HELO or EHLO).  This feature
              is available in Postfix 2.1 and later.

       check_helo_ns_access type:table
              Search the specified access(5) database for the DNS servers for
              the HELO or EHLO hostname, and execute the corresponding action.
              Note 1: a result of "OK" is not allowed for safety reasons. In‐
              stead, use DUNNO in order to exclude specific hosts from
              denylists.  Note 2: specify "smtpd_helo_required = yes" to fully
              enforce this restriction (without "smtpd_helo_required = yes", a
              client can simply skip check_helo_ns_access by not sending HELO
              or EHLO). This feature is available in Postfix 2.1 and later.

       reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
              Reject the request when the HELO or EHLO hostname is malformed.
              Note: specify "smtpd_helo_required = yes" to fully enforce this
              restriction (without "smtpd_helo_required = yes", a client can
              simply skip reject_invalid_helo_hostname by not sending HELO or
              EHLO).
              The invalid_hostname_reject_code specifies the response code for
              rejected requests (default: 501).

       reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
              Reject the request when the HELO or EHLO hostname is not in
              fully-qualified domain or address literal form, as required by
              the RFC. Note: specify "smtpd_helo_required = yes" to fully en‐
              force this restriction (without "smtpd_helo_required = yes", a
              client can simply skip reject_non_fqdn_helo_hostname by not
              sending HELO or EHLO).
              The non_fqdn_reject_code parameter specifies the response code
              for rejected requests (default: 504).

       reject_rhsbl_helo rbl_domain=d.d.d.d
              Reject the request when the HELO or EHLO hostname is listed with
              the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
              later only).  Each "d" is a number, or a pattern inside "[]"
              that contains one or more ";"-separated numbers or
              number..number ranges (Postfix version 2.8 and later).  If no
              "=d.d.d.d" is specified, reject the request when the HELO or
              EHLO hostname is listed with any A record under rbl_domain. See
              the reject_rbl_client description for additional RBL related
              configuration parameters.  Note: specify
              "smtpd_helo_required = yes" to fully enforce this restriction
              (without "smtpd_helo_required = yes", a client can simply skip
              reject_rhsbl_helo by not sending HELO or EHLO). This feature is
              available in Postfix 2.0 and later.

       reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
              Reject the request when the HELO or EHLO hostname has no DNS A
              or MX record.
              The reply is specified with the unknown_hostname_reject_code pa‐
              rameter (default: 450) or unknown_helo_hostname_tempfail_action
              (default: defer_if_permit).  See the respective parameter de‐
              scriptions for details.
              Note: specify "smtpd_helo_required = yes" to fully enforce this
              restriction (without "smtpd_helo_required = yes", a client can
              simply skip reject_unknown_helo_hostname by not sending HELO or
              EHLO).

       Other restrictions that are valid in this context:

       •      Generic restrictions that can be used in any SMTP command con‐
              text, described under smtpd_client_restrictions.

       •      Client hostname or network address specific restrictions de‐
              scribed under smtpd_client_restrictions.

       •      SMTP command specific restrictions described under
              smtpd_sender_restrictions or smtpd_recipient_restrictions.  When
              sender or recipient restrictions are listed under
              smtpd_helo_restrictions, they have effect only with
              "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
              evaluated at the time of the RCPT TO command.

       Examples:

       smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
       smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname

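       The "rbl_domain=d.d.d.d" argument of reject_rhsbl_helo (the same syntax
       is used by reject_rhsbl_recipient) is easy to misread, so the following
       added Python example, which is not Postfix code, parses the reply
       pattern as described above and decides whether a set of A records
       counts as a listing. The name rhsbl.example.test and the 127.0.0.x
       replies are constructed sample values; all function names are
       hypothetical.

```python
import ipaddress
import re

# One "d" field: a plain number, or a "[...]" pattern (syntax as described
# in the reject_rhsbl_helo text; this is not Postfix's own parser).
_FIELD = r"(\d+|\[[^\]]+\])"
_PATTERN = re.compile(r"\.".join([_FIELD] * 4), re.ASCII)


def _number(text):
    """Convert one decimal octet, rejecting anything outside 0..255."""
    if not (text.isascii() and text.isdigit()) or int(text) > 255:
        raise ValueError(f"bad number in reply pattern: {text!r}")
    return int(text)


def parse_field(text):
    """Return the inclusive (low, high) ranges that one "d" field accepts."""
    items = text[1:-1].split(";") if text.startswith("[") else [text]
    ranges = []
    for item in items:
        low, dots, high = item.partition("..")
        lo = _number(low)
        hi = _number(high) if dots else lo
        if lo > hi:
            raise ValueError(f"empty range in reply pattern: {item!r}")
        ranges.append((lo, hi))
    return ranges


def parse_reply_pattern(pattern):
    """Parse "d.d.d.d" into four lists of accepted ranges."""
    match = _PATTERN.fullmatch(pattern)
    if match is None:
        raise ValueError(f"not a d.d.d.d reply pattern: {pattern!r}")
    return [parse_field(field) for field in match.groups()]


def reply_matches(pattern, address):
    """True when an A record value satisfies every field of the pattern."""
    try:
        octets = ipaddress.IPv4Address(address).packed
    except ValueError:
        return False
    fields = parse_reply_pattern(pattern)
    return all(
        any(lo <= octet <= hi for lo, hi in ranges)
        for octet, ranges in zip(octets, fields)
    )


def should_reject(restriction_argument, a_records):
    """Model the listing decision for "rbl_domain" or "rbl_domain=d.d.d.d".

    a_records is the list of A record values the DNS lookup under
    rbl_domain returned (empty when the name is not listed).
    """
    _rbl_domain, equals, pattern = restriction_argument.partition("=")
    if not equals:
        # No "=d.d.d.d" filter: any A record counts as a listing.
        return len(a_records) > 0
    return any(reply_matches(pattern, record) for record in a_records)


if __name__ == "__main__":
    arg = "rhsbl.example.test=127.0.0.[2;4..8]"  # constructed sample
    for records in (["127.0.0.3"], ["127.0.0.3", "127.0.0.5"], []):
        print(records, "->", should_reject(arg, records))
```

       With a reply filter in place, a listing whose A record falls outside
       the pattern does not trigger a reject, which matters when one DNSBL
       zone publishes several reply codes with different meanings.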

smtpd_history_flush_threshold (default: 100)

       The maximal number of lines in the Postfix SMTP server command history
       before it is flushed upon receipt of EHLO, RSET, or end of DATA.


smtpd_junk_command_limit (default: normal: 100, overload: 1)

       The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
       SMTP client can send before the Postfix SMTP server starts to increment
       the error counter with each junk command.  The junk command count is
       reset after mail is delivered.  See also the smtpd_error_sleep_time and
       smtpd_soft_error_limit configuration parameters.  Normally the default
       limit is 100, but it changes under overload to just 1. With Postfix 2.5
       and earlier, the SMTP server always allows up to 100 junk commands by
       default.


smtpd_log_access_permit_actions (default: empty)

       Enable logging of the named "permit" actions in SMTP server access
       lists (by default, the SMTP server logs "reject" actions but not "per‐
       mit" actions).  This feature does not affect conditional actions such
       as "defer_if_permit".

       Specify a list of "permit" action names, "/file/name" or "type:table"
       patterns, separated by commas and/or whitespace. The list is matched
       left to right, and the search stops on the first match. A "/file/name"
       pattern is replaced by its contents; a "type:table" lookup table is
       matched when a name matches a lookup key (the lookup result is ig‐
       nored).  Continue long lines by starting the next line with whitespace.
       Specify "!pattern" to exclude a name from the list.

       Examples:

       /etc/postfix/main.cf:
           # Log all "permit" actions.
           smtpd_log_access_permit_actions = static:all

       /etc/postfix/main.cf:
           # Log "permit_dnswl_client" only.
           smtpd_log_access_permit_actions = permit_dnswl_client

       This feature is available in Postfix 2.10 and later.


smtpd_milter_maps (default: empty)

       Lookup tables with Milter settings per remote SMTP client IP address.
       The lookup result overrides the smtpd_milters setting, and has the same
       syntax.

       Note: lookup tables cannot return empty responses. Specify a lookup re‐
       sult of DISABLE (case does not matter) to indicate that Milter support
       should be disabled.

       Example to disable Milters for local clients:

       /etc/postfix/main.cf:
           smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
           smtpd_milters = inet:host:port, { inet:host:port, ... }, ...

       /etc/postfix/smtpd_milter_map:
           # Disable Milters for local clients.
           127.0.0.0/8    DISABLE
           192.168.0.0/16 DISABLE
           ::/64          DISABLE
           2001:db8::/32  DISABLE

       This feature is available in Postfix 3.2 and later.


smtpd_milters (default: empty)

       A list of Milter (mail filter) applications for new mail that arrives
       via the Postfix smtpd(8) server. Specify space or comma as separator.
       See the MILTER_README document for details.

       This feature is available in Postfix 2.3 and later.


smtpd_min_data_rate (default: 500)

       The minimum plaintext data transfer rate in bytes/second for DATA and
       BDAT requests, when deadlines are enabled with
       smtpd_per_request_deadline.  After a read operation transfers N
       plaintext message bytes (possibly after TLS decryption), and after the
       DATA or BDAT request deadline is decremented by the elapsed time of
       that read operation, the DATA or BDAT request deadline is incremented
       by N/smtpd_min_data_rate seconds. However, the deadline will never be
       incremented beyond the time limit specified with smtpd_timeout.

       This feature is available in Postfix 3.7 and later.

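       The deadline arithmetic above, worked through as an added Python
       example (not Postfix code). It assumes the request deadline starts at
       smtpd_timeout; the 10-second timeout and the traffic patterns are
       constructed sample values, and the function names are hypothetical.

```python
from collections import namedtuple

# completed: every read finished before the deadline ran out
# seconds: wall-clock time until completion or disconnect
# bytes_received: plaintext message bytes accepted so far
Outcome = namedtuple("Outcome", "completed seconds bytes_received")


def steady_client(total_bytes, chunk, seconds_per_read):
    """Constructed traffic: `chunk` bytes arrive every `seconds_per_read` s."""
    reads, sent = [], 0
    while sent < total_bytes:
        n = min(chunk, total_bytes - sent)
        reads.append((seconds_per_read, n))
        sent += n
    return reads


def simulate_data_phase(reads, smtpd_timeout, smtpd_min_data_rate=500):
    """Apply the deadline rule to a list of (elapsed_seconds, nbytes) reads.

    Assumption: the DATA/BDAT request deadline starts at smtpd_timeout.
    """
    limit = float(smtpd_timeout)
    remaining = limit
    clock, received = 0.0, 0
    for elapsed, nbytes in reads:
        if elapsed > remaining:
            # The read did not complete in time: the server gives up at the
            # moment the remaining deadline is used up.
            return Outcome(False, clock + remaining, received)
        clock += elapsed
        received += nbytes
        # Decrement by the elapsed time of the read, credit
        # N / smtpd_min_data_rate seconds, never exceed smtpd_timeout.
        remaining = min(limit, remaining - elapsed + nbytes / smtpd_min_data_rate)
    return Outcome(True, clock, received)


if __name__ == "__main__":
    timeout = 10.0  # sample value, chosen to keep the numbers small
    cases = {
        "1 byte/s trickle": steady_client(1000, 1, 1.0),
        "250 bytes/s (below the minimum rate)": steady_client(100000, 250, 1.0),
        "2048 bytes/s (above the minimum rate)": steady_client(1048576, 4096, 2.0),
    }
    for name, reads in cases.items():
        print(name, simulate_data_phase(reads, timeout))
```

       A sender that stays above the minimum rate keeps the deadline topped
       up and may take far longer than smtpd_timeout in total, while a sender
       below the rate is cut off after a bounded time no matter how regularly
       it sends.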

smtpd_noop_commands (default: empty)

       List of commands that the Postfix SMTP server replies to with "250 Ok",
       without doing any syntax checks and without changing state.  This list
       overrides any commands built into the Postfix SMTP server.


smtpd_null_access_lookup_key (default: <>)

       The lookup key to be used in SMTP access(5) tables instead of the null
       sender address.


smtpd_peername_lookup (default: yes)

       Attempt to look up the remote SMTP client hostname, and verify that the
       name matches the client IP address. A client name is set to "unknown"
       when it cannot be looked up or verified, or when name lookup is dis‐
       abled.  Turning off name lookup reduces delays due to DNS lookup and
       increases the maximal inbound delivery rate.

       This feature is available in Postfix 2.3 and later.

smtpd_per_record_deadline (default: normal: no, overload: yes)

       Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
       time limits, from a time limit per read or write system call, to a time
       limit to send or receive a complete record (an SMTP command line, SMTP
       response line, SMTP message content line, or TLS protocol message).
       This limits the impact from hostile peers that trickle data one byte at
       a time.

       Note: when per-record deadlines are enabled, a short timeout may cause
       problems with TLS over very slow network connections.  The reasons are
       that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
       and that an entire TLS protocol message must be sent or received within
       the per-record deadline.

       This feature is available in Postfix 2.9-3.6. With older Postfix re‐
       leases, the behavior is as if this parameter is set to "no". Postfix
       3.7 and later use smtpd_per_request_deadline.


smtpd_per_request_deadline (default: normal: no, overload: yes)

       Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
       time limits, from a time limit per plaintext or TLS read or write call,
       to a combined time limit for receiving a complete SMTP request and for
       sending a complete SMTP response. The deadline limits only the time
       spent waiting for plaintext or TLS read or write calls, not time spent
       elsewhere. The per-request deadline limits the impact from hostile
       peers that trickle data one byte at a time.

       See smtpd_min_data_rate for how the per-request deadline is managed
       during the DATA and BDAT phase.

       Note: when per-request deadlines are enabled, a short time limit may
       cause problems with TLS over very slow network connections. The reason
       is that a TLS protocol message can be up to 16 kbytes long (with
       TLSv1), and that an entire TLS protocol message must be transferred
       within the per-request deadline.

       This feature is available in Postfix 3.7 and later. A weaker feature,
       called smtpd_per_record_deadline, is available with Postfix 2.9-3.6.
       With older Postfix releases, the behavior is as if this parameter is
       set to "no".


smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration problem)

       The default action when an SMTPD policy service request fails.  Specify
       "DUNNO" to behave as if the failed SMTPD policy service request was
       not sent, and to continue processing other access restrictions, if any.

       Limitations:

       •      This parameter may specify any value that would be a valid SMTPD
              policy server response (or access(5) map lookup result).  An
              access(5) map or policy server in this parameter value may need
              to be declared in advance with a restriction_class setting.

       •      If the specified action invokes another check_policy_service re‐
              quest, that request will have the built-in default action.

       This feature is available in Postfix 3.0 and later.


smtpd_policy_service_max_idle (default: 300s)

       The time after which an idle SMTPD policy service connection is closed.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).  Time units: s (sec‐
       onds), m (minutes), h (hours), d (days), w (weeks).  The default time
       unit is s (seconds).

       This feature is available in Postfix 2.1 and later.


smtpd_policy_service_max_ttl (default: 1000s)

       The time after which an active SMTPD policy service connection is
       closed.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).  Time units: s (sec‐
       onds), m (minutes), h (hours), d (days), w (weeks).  The default time
       unit is s (seconds).

       This feature is available in Postfix 2.1 and later.


smtpd_policy_service_policy_context (default: empty)

       Optional information that the Postfix SMTP server specifies in the
       "policy_context" attribute of a policy service request (originally, to
       share the same service endpoint among multiple check_policy_service
       clients).

       This feature is available in Postfix 3.1 and later.


smtpd_policy_service_request_limit (default: 0)

       The maximal number of requests per SMTPD policy service connection, or
       zero (no limit). Once a connection reaches this limit, the connection
       is closed and the next request will be sent over a new connection. This
       is a workaround to avoid error-recovery delays with policy servers that
       cannot maintain a persistent connection.

       This feature is available in Postfix 3.0 and later.


smtpd_policy_service_retry_delay (default: 1s)

       The delay between attempts to resend a failed SMTPD policy service re‐
       quest. Specify a value greater than zero.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).  Time units: s (sec‐
       onds), m (minutes), h (hours), d (days), w (weeks).  The default time
       unit is s (seconds).

       This feature is available in Postfix 3.0 and later.


smtpd_policy_service_timeout (default: 100s)

       The time limit for connecting to, writing to, or receiving from a dele‐
       gated SMTPD policy server.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).  Time units: s (sec‐
       onds), m (minutes), h (hours), d (days), w (weeks).  The default time
       unit is s (seconds).

       This feature is available in Postfix 2.1 and later.


smtpd_policy_service_try_limit (default: 2)

       The maximal number of attempts to send an SMTPD policy service request
       before giving up. Specify a value greater than zero.

       This feature is available in Postfix 3.0 and later.


smtpd_proxy_ehlo (default: $myhostname)

       How the Postfix SMTP server announces itself to the proxy filter.  By
       default, the Postfix hostname is used.

       This feature is available in Postfix 2.1 and later.


smtpd_proxy_filter (default: empty)

       The hostname and TCP port of the mail filtering proxy server.  The
       proxy receives all mail from the Postfix SMTP server, and is supposed
       to give the result to another Postfix SMTP server process.

       Specify "host:port" or "inet:host:port" for a TCP endpoint, or
       "unix:pathname" for a UNIX-domain endpoint. The host can be specified
       as an IP address or as a symbolic name; no MX lookups are done.  When
       no "host" or "host:" is specified, the local machine is assumed.  Path‐
       name interpretation is relative to the Postfix queue directory.

       This feature is available in Postfix 2.1 and later.

       The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
       later.


smtpd_proxy_options (default: empty)

       List of options that control how the Postfix SMTP server communicates
       with a before-queue content filter. Specify zero or more of the follow‐
       ing, separated by comma or whitespace.

       speed_adjust
              Do not connect to a before-queue content filter until an entire
              message has been received. This reduces the number of simultane‐
              ous before-queue content filter processes.

       NOTE 1: A filter must not selectively reject recipients of a multi-re‐
       cipient message.  Rejecting all recipients is OK, as is accepting all
       recipients.

       NOTE 2: This feature increases the minimum amount of free queue space
       by $message_size_limit.  The extra space is needed to save the message
       to a temporary file.

       This feature is available in Postfix 2.7 and later.


smtpd_proxy_timeout (default: 100s)

       The time limit for connecting to a proxy filter and for sending or re‐
       ceiving information.  When a connection fails the client gets a generic
       error message while more detailed information is logged to the maillog
       file.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).  Time units: s (sec‐
       onds), m (minutes), h (hours), d (days), w (weeks).  The default time
       unit is s (seconds).

       This feature is available in Postfix 2.1 and later.


smtpd_recipient_limit (default: 1000)

       The maximal number of recipients that the Postfix SMTP server accepts
       per message delivery request.


smtpd_recipient_overshoot_limit (default: 1000)

       The number of recipients that a remote SMTP client can send in excess
       of the limit specified with $smtpd_recipient_limit, before the Postfix
       SMTP server increments the per-session error count for each excess re‐
       cipient.


smtpd_recipient_restrictions (default: see postconf -d output)

       Optional restrictions that the Postfix SMTP server applies in the con‐
       text of a client RCPT TO command, after smtpd_relay_restrictions.  See
       SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access re‐
       striction lists" for a discussion of evaluation context and time.

       With Postfix versions before 2.10, the rules for relay permission and
       spam blocking were combined under smtpd_recipient_restrictions, result‐
       ing in error-prone configuration.  As of Postfix 2.10, relay permission
       rules are preferably implemented with smtpd_relay_restrictions, so that
       a permissive spam blocking policy under smtpd_recipient_restrictions
       will no longer result in a permissive mail relay policy.

       For backwards compatibility, sites that migrate from Postfix versions
       before 2.10 can set smtpd_relay_restrictions to the empty value, and
       use smtpd_recipient_restrictions exactly as before.

       IMPORTANT: Either the smtpd_relay_restrictions or the
       smtpd_recipient_restrictions parameter must specify at least one of the
       following restrictions. Otherwise Postfix will refuse to receive mail:

           reject, reject_unauth_destination

           defer, defer_if_permit, defer_unauth_destination

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.  Re‐
       strictions are applied in the order as specified; the first restriction
       that matches wins.

       The following restrictions are specific to the recipient address that
       is received with the RCPT TO command.

       check_recipient_access type:table
              Search the specified access(5) database for the resolved RCPT TO
              address, domain, parent domains, or localpart@, and execute the
              corresponding action.

       check_recipient_a_access type:table
              Search the specified access(5) database for the IP addresses for
              the RCPT TO domain, and execute the corresponding action.  Note:
              a result of "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from denylists.  This
              feature is available in Postfix 3.0 and later.

       check_recipient_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              RCPT TO domain, and execute the corresponding action.  If no MX
              record is found, look up A or AAAA records, just like the Post‐
              fix SMTP client would. Note: a result of "OK" is not allowed for
              safety reasons. Instead, use DUNNO in order to exclude specific
              hosts from denylists.  This feature is available in Postfix 2.1
              and later.

       check_recipient_ns_access type:table
              Search the specified access(5) database for the DNS servers for
              the RCPT TO domain, and execute the corresponding action.  Note:
              a result of "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from denylists.  This
              feature is available in Postfix 2.1 and later.

       permit_auth_destination
              Permit the request when one of the following is true:

              •      Postfix is a mail forwarder: the resolved RCPT TO domain
                     matches $relay_domains or a subdomain thereof, and the
                     address contains no sender-specified routing
                     (user@elsewhere@domain),

              •      Postfix is the final destination: the resolved RCPT TO
                     domain matches $mydestination, $inet_interfaces,
                     $proxy_interfaces, $virtual_alias_domains, or
                     $virtual_mailbox_domains, and the address contains no
                     sender-specified routing (user@elsewhere@domain).

       permit_mx_backup
              Permit the request when the local mail system is a backup MX for
              the RCPT TO domain, or when the domain is an authorized destina‐
              tion (see permit_auth_destination for definition).

              •      Safety: permit_mx_backup does not accept addresses that
                     have sender-specified routing information (example:
                     user@elsewhere@domain).

              •      Safety: permit_mx_backup can be vulnerable to mis-use
                     when access is not restricted with
                     permit_mx_backup_networks.

              •      Safety: as of Postfix version 2.3, permit_mx_backup no
                     longer accepts the address when the local mail system is
                     a primary MX for the recipient domain.  Exception:
                     permit_mx_backup accepts the address when it specifies an
                     authorized destination (see permit_auth_destination for
                     definition).

              •      Limitation: mail may be rejected in case of a temporary
                     DNS lookup problem with Postfix prior to version 2.0.

10474       reject_non_fqdn_recipient
10475              Reject the request when the RCPT TO address specifies  a  domain
10476              that  is  not in fully-qualified domain form, as required by the
10477              RFC.
10478              The non_fqdn_reject_code parameter specifies the  response  code
10479              for rejected requests (default: 504).
10480
10481       reject_rhsbl_recipient rbl_domain=d.d.d.d
10482              Reject  the request when the RCPT TO domain is listed with the A
10483              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
10484              only).  Each "d" is a number, or a pattern inside "[]" that con‐
10485              tains one or more ";"-separated numbers or number..number ranges
10486              (Postfix  version 2.8 and later). If no "=d.d.d.d" is specified,
10487              reject the request when the RCPT TO domain is listed with any  A
10488              record under rbl_domain.
10489              The  maps_rbl_reject_code  parameter specifies the response code
10490              for rejected requests (default: 554); the default_rbl_reply  pa‐
10491              rameter  specifies  the  default  server  reply; and the rbl_re‐
10492              ply_maps parameter specifies tables with server replies  indexed
10493              by rbl_domain.  This feature is available in Postfix version 2.0
10494              and later.
10495
10496       reject_unauth_destination
10497              Reject the request unless one of the following is true:
10498
10499       •      Postfix is a mail forwarder: the resolved RCPT TO domain matches
10500              $relay_domains   or   a   subdomain  thereof,  and  contains  no
10501              sender-specified routing (user@elsewhere@domain),
10502
10503       •      Postfix is the final destination: the resolved  RCPT  TO  domain
10504              matches   $mydestination,  $inet_interfaces,  $proxy_interfaces,
10505              $virtual_alias_domains, or  $virtual_mailbox_domains,  and  con‐
10506              tains no sender-specified routing (user@elsewhere@domain).
10507              The  relay_domains_reject_code  parameter specifies the response
10508              code for rejected requests (default: 554).
10509
10510       defer_unauth_destination
10511              Reject the same requests as  reject_unauth_destination,  with  a
10512              non-permanent  error code.  This feature is available in Postfix
10513              2.10 and later.
10514
10515       reject_unknown_recipient_domain
10516              Reject the request when Postfix is not final destination for the
10517              recipient domain, and the RCPT TO domain has 1) no DNS MX and no
10518              DNS A record or 2) a malformed MX record such as a record with a
10519              zero-length MX hostname (Postfix version 2.3 and later).
10520              The  reply is specified with the unknown_address_reject_code pa‐
10521              rameter  (default:  450),  unknown_address_tempfail_action  (de‐
10522              fault: defer_if_permit), or 556 (nullmx, Postfix 3.0 and later).
10523              See the respective parameter descriptions for details.
10524
10525       reject_unlisted_recipient  (with  Postfix  version  2.0:  check_recipi‐
10526       ent_maps)
10527              Reject the request when the RCPT TO address is not listed in the
10528              list of valid recipients for its domain class. See the smtpd_re‐
10529              ject_unlisted_recipient parameter description for details.  This
10530              feature is available in Postfix 2.1 and later.
10531
10532       reject_unverified_recipient
10533              Reject the request when mail to the RCPT TO address is known  to
10534              bounce,  or when the recipient address destination is not reach‐
10535              able.  Address verification information is managed by  the  ver‐
10536              ify(8)  server; see the ADDRESS_VERIFICATION_README file for de‐
10537              tails.
10538              The unverified_recipient_reject_code parameter specifies the nu‐
10539              merical  response  code  when an address is known to bounce (de‐
10540              fault: 450, change it to 550 when you are confident that  it  is
10541              safe to do so).
10542              The  unverified_recipient_defer_code parameter specifies the nu‐
10543              merical response code when an address probe failed due to a tem‐
10544              porary problem (default: 450).
10545              The unverified_recipient_tempfail_action parameter specifies the
10546              action after address probe failure due to  a  temporary  problem
10547              (default: defer_if_permit).
10548              This  feature  breaks  for aliased addresses with "enable_origi‐
10549              nal_recipient = no" (Postfix <= 3.2).
10550              This feature is available in Postfix 2.1 and later.
10551
10552       Other restrictions that are valid in this context:
10553
10554       •      Generic restrictions that can be used in any SMTP  command  con‐
10555              text, described under smtpd_client_restrictions.
10556
10557       •      SMTP    command    specific    restrictions    described   under
10558              smtpd_client_restrictions,      smtpd_helo_restrictions      and
10559              smtpd_sender_restrictions.
10560
10561       Example:
10562
10563       # The default mail relay policy of Postfix versions before 2.10.
10564       # Later Postfix versions preferably implement this with smtpd_relay_restrictions.
10565       smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
10566

smtpd_reject_footer (default: empty)

10568       Optional  information  that  is appended after each Postfix SMTP server
10569       4XX or 5XX response.
10570
10571       The following example uses "\c" at the start of the template (supported
10572       in Postfix 2.10 and later) to suppress the line break between the reply
10573       text and the footer text. With earlier  Postfix  versions,  the  footer
10574       text always begins on a new line, and the "\c" is output literally.
10575
10576       /etc/postfix/main.cf:
10577           smtpd_reject_footer = \c. For assistance, call 800-555-0101.
10578            Please provide the following information in your problem report:
10579            time ($localtime), client ($client_address) and server
10580            ($server_name).
10581
10582       Server response:
10583
10584           550-5.5.1 <user@example> Recipient address rejected: User
10585           unknown. For assistance, call 800-555-0101. Please provide the
10586           following information in your problem report: time (Jan 4 15:42:00),
10587           client (192.168.1.248) and server (mail1.example.com).
10588
10589       Note:  the  above  text  is meant to make it easier to find the Postfix
10590       logfile records for a failed SMTP  session.  The  text  itself  is  not
10591       logged to the Postfix SMTP server's maillog file.
10592
10593       Be  sure  to keep the text as short as possible. Long text may be trun‐
10594       cated before it is logged to the remote SMTP client's maillog file,  or
10595       before it is returned to the sender in a delivery status notification.
10596
10597       The  template  text  is  not subject to Postfix configuration parameter
10598       $name expansion. Instead, this feature supports  a  limited  number  of
10599       $name attributes in the footer text. These attributes are replaced with
10600       their current value for the SMTP session.
10601
10602       Note: specify $$name in footer text that is looked up from  regexp:  or
10603       pcre:-based smtpd_reject_footer_maps, otherwise the Postfix server will
10604       not use the footer text and will log a warning instead.
10605
10606       client_address
10607              The client IP address that is logged in the maillog file.
10608
10609       client_port
10610              The client TCP port that is logged in the maillog file.
10611
10612       localtime
10613              The server local time (Mmm dd hh:mm:ss) that is  logged  in  the
10614              maillog file.
10615
10616       server_name
10617              The server's myhostname value.  This attribute is made available
10618              for sites with multiple MTAs (perhaps behind  a  load-balancer),
10619              where  the  server  name  can  help  the  server support team to
10620              quickly find the right log files.
10621
10622       Notes:
10623
10624       •      NOT SUPPORTED are other attributes such as sender, recipient, or
10625              main.cf parameters.
10626
10627       •      For  safety  reasons,  text  that  does  not match $smtpd_expan‐
10628              sion_filter is censored.
10629
10630       This feature supports the two-character sequence \n as a request for  a
10631       line break in the footer text. Postfix automatically inserts after each
10632       line break the three-digit SMTP reply code (and optional enhanced  sta‐
10633       tus code) from the original Postfix reject message.
10634
10635       To work around mail software that mis-handles multi-line replies, spec‐
10636       ify the two-character sequence \c at the start of the  template.   This
10637       suppresses  the  line  break between the reply text and the footer text
10638       (Postfix 2.10 and later).
10639
10640       This feature is available in Postfix 2.8 and later.
10641

smtpd_reject_footer_maps (default: empty)

10643       Lookup tables, indexed by the complete Postfix SMTP server 4xx  or  5xx
10644       response, with reject footer templates. See smtpd_reject_footer for de‐
10645       tails.
10646
10647       Specify zero or more "type:name" lookup tables, separated by whitespace
10648       or  comma. Tables will be searched in the specified order until a match
10649       is found.
10650
10651       This feature is available in Postfix 3.4 and later.
10652

smtpd_reject_unlisted_recipient (default: yes)

10654       Request that the Postfix SMTP server rejects mail for unknown recipient
10655       addresses,  even  when no explicit reject_unlisted_recipient access re‐
10656       striction is specified. This prevents the Postfix queue from filling up
10657       with undeliverable MAILER-DAEMON messages.
10658
10659       An  address  is  considered  "unknown" when 1) it does not match a vir‐
10660       tual(5) alias or canonical(5) mapping, and 2) the address is not  valid
10661       for  its address class. For a definition of class-based address valida‐
10662       tion, see ADDRESS_CLASS_README.
10663
10664       This feature is available in Postfix 2.1 and later.
10665

smtpd_reject_unlisted_sender (default: no)

10667       Request that the Postfix SMTP server rejects mail from  unknown  sender
10668       addresses, even when no explicit reject_unlisted_sender access restric‐
10669       tion is specified. This can slow down an explosion of forged mail  from
10670       worms or viruses.
10671
10672       An  address  is  considered  "unknown" when 1) it does not match a vir‐
10673       tual(5) alias or canonical(5) mapping, and 2) the address is not  valid
10674       for  its address class. For a definition of class-based address valida‐
10675       tion, see ADDRESS_CLASS_README.
10676
10677       This feature is available in Postfix 2.1 and later.
10678

smtpd_relay_before_recipient_restrictions (default: see postconf -d output)

10680       Evaluate smtpd_relay_restrictions before  smtpd_recipient_restrictions.
10681       Historically, smtpd_relay_restrictions was evaluated after smtpd_recip‐
10682       ient_restrictions, contradicting documented behavior.
10683
10684       Background: the smtpd_relay_restrictions feature is primarily  designed
10685       to  enforce  a mail relaying policy, while smtpd_recipient_restrictions
10686       is primarily designed to enforce spam blocking policy. Both are  evalu‐
10687       ated  while  replying to the RCPT TO command, and both support the same
10688       features.
10689
10690       This feature is available in Postfix 3.6 and later.
10691

smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)

10694       Access restrictions for mail relay control that the Postfix SMTP server
10695       applies in the context of the RCPT  TO  command,  before  smtpd_recipi‐
10696       ent_restrictions.  See SMTPD_ACCESS_README, section "Delayed evaluation
10697       of SMTP access restriction lists" for a discussion of  evaluation  con‐
10698       text and time.
10699
10700       With  Postfix  versions before 2.10, the rules for relay permission and
10701       spam blocking were combined under smtpd_recipient_restrictions, result‐
10702       ing in error-prone configuration.  As of Postfix 2.10, relay permission
10703       rules are preferably implemented with smtpd_relay_restrictions, so that
10704       a  permissive  spam  blocking policy under smtpd_recipient_restrictions
10705       will no longer result in a permissive mail relay policy.
10706
10707       For backwards compatibility, sites that migrate from  Postfix  versions
10708       before  2.10  can  set smtpd_relay_restrictions to the empty value, and
10709       use smtpd_recipient_restrictions exactly as before.
10710
10711       By default, the Postfix SMTP server accepts:
10712
10713       •      Mail from clients whose IP address matches $mynetworks, or:
10714
10715       •      Mail from clients who are SASL authenticated, or:
10716
10717       •      Mail to remote destinations that  match  $relay_domains,  except
10718              for  addresses that contain sender-specified routing (user@else‐
10719              where@domain), or:
10720
10721       •      Mail  to  local  destinations  that  match  $inet_interfaces  or
10722              $proxy_interfaces,  $mydestination,  $virtual_alias_domains,  or
10723              $virtual_mailbox_domains.
10724
10725       IMPORTANT: Either the  smtpd_relay_restrictions  or  the  smtpd_recipi‐
10726       ent_restrictions  parameter  must specify at least one of the following
10727       restrictions. Otherwise Postfix will refuse to receive mail:
10728
10729           reject, reject_unauth_destination
10730
10731           defer, defer_if_permit, defer_unauth_destination
10732
10733       Specify a list of restrictions, separated by commas and/or  whitespace.
10734       Continue  long  lines  by  starting the next line with whitespace.  The
10735       same restrictions are available as documented under smtpd_recipient_re‐
10736       strictions.
10737
10738       This feature is available in Postfix 2.10 and later.
10739
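The default relay policy listed above, worked through as an added example (not part of the Postfix documentation or source code). It is a simplified model: the names Site, evaluate and NO_DECISION, and the sample networks and domains, are constructed for illustration, and only the restrictions in the default list plus "reject" and "defer" are modelled.

```python
import ipaddress
from dataclasses import dataclass

PERMIT, REJECT, DEFER, NO_DECISION = "permit", "reject", "defer", "no decision"

# At least one of these must appear in smtpd_relay_restrictions or
# smtpd_recipient_restrictions, otherwise Postfix refuses to receive mail.
REQUIRED = {"reject", "reject_unauth_destination",
            "defer", "defer_if_permit", "defer_unauth_destination"}


@dataclass
class Site:
    """Hypothetical container for the main.cf values the model needs."""
    mynetworks: list      # ipaddress networks, stands in for $mynetworks
    relay_domains: list   # stands in for $relay_domains
    local_domains: list   # stands in for $mydestination and the virtual domains


def parse_restrictions(value):
    """Split a restriction list on commas and/or whitespace."""
    return value.replace(",", " ").split()


def has_required_restriction(relay_value, recipient_value):
    """Check the IMPORTANT rule: one of REQUIRED is present in either list."""
    names = set(parse_restrictions(relay_value)) | set(parse_restrictions(recipient_value))
    return bool(names & REQUIRED)


def is_authorized_destination(rcpt, site):
    """True when the RCPT TO domain is a relay or final destination."""
    # Sender-specified routing (user@elsewhere@domain) is never authorized.
    # Model assumption: the address is already fully qualified (exactly one "@").
    if rcpt.count("@") != 1:
        return False
    domain = rcpt.rsplit("@", 1)[1].lower()
    for name in site.relay_domains:
        # $relay_domains also matches subdomains.
        if domain == name or domain.endswith("." + name):
            return True
    return domain in site.local_domains


def evaluate(restrictions, client_ip, sasl_authenticated, rcpt, site):
    """Return (action, deciding restriction); the first restriction that matches wins."""
    addr = ipaddress.ip_address(client_ip)
    for name in parse_restrictions(restrictions):
        if name == "permit_mynetworks":
            if any(addr in net for net in site.mynetworks):
                return PERMIT, name
        elif name == "permit_sasl_authenticated":
            if sasl_authenticated:
                return PERMIT, name
        elif name in ("reject_unauth_destination", "defer_unauth_destination"):
            if not is_authorized_destination(rcpt, site):
                return (REJECT if name.startswith("reject") else DEFER), name
        elif name == "reject":
            return REJECT, name
        elif name == "defer":
            return DEFER, name
        else:
            raise ValueError("restriction not modelled: " + name)
    # No restriction matched: evaluation continues with the next list
    # (smtpd_recipient_restrictions).
    return NO_DECISION, None


# Constructed sample site and the documented default value.
SITE = Site(
    mynetworks=[ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")],
    relay_domains=["example.net"],
    local_domains=["example.com"],
)
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"

if __name__ == "__main__":
    cases = [
        ("10.1.2.3", False, "anyone@example.org"),             # internal client
        ("203.0.113.9", True, "anyone@example.org"),           # authenticated client
        ("203.0.113.9", False, "anyone@example.org"),          # stranger, relay attempt
        ("203.0.113.9", False, "user@example.com"),            # stranger, local mail
        ("203.0.113.9", False, "user@example.org@example.net"),  # sender-specified routing
    ]
    for ip, auth, rcpt in cases:
        print(ip, auth, rcpt, "->", evaluate(DEFAULT_RELAY, ip, auth, rcpt, SITE))
    print("relay list alone sufficient:", has_required_restriction(DEFAULT_RELAY, ""))
```

A result of "no decision" means the relay list raised no objection; the request is then subject to smtpd_recipient_restrictions.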

smtpd_restriction_classes (default: empty)

10741       User-defined aliases for groups of access restrictions. The aliases can
10742       be  specified  in  smtpd_recipient_restrictions  etc.,   and   on   the
10743       right-hand side of a Postfix access(5) table.
10744
10745       One  major  application  is for implementing per-recipient UCE control.
10746       See the RESTRICTION_CLASS_README document for other examples.
10747

smtpd_sasl_application_name (default: smtpd)

10749       The application name that the Postfix SMTP server uses for SASL  server
10750       initialization.  This controls the name of the SASL configuration file.
10751       The default value is smtpd, corresponding to a SASL configuration  file
10752       named smtpd.conf.
10753
10754       This  feature  is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
10755       was renamed to smtpd_sasl_path.
10756

smtpd_sasl_auth_enable (default: no)

10758       Enable SASL authentication in the Postfix SMTP server. By default,  the
10759       Postfix SMTP server does not use authentication.
10760
10761       If a remote SMTP client is authenticated, the permit_sasl_authenticated
10762       access restriction can be used to permit relay access, like this:
10763
10764           # With Postfix 2.10 and later, the mail relay policy is
10765           # preferably specified under smtpd_relay_restrictions.
10766           smtpd_relay_restrictions =
10767               permit_mynetworks, permit_sasl_authenticated, ...
10768
10769           # With Postfix before 2.10, the relay policy can be
10770           # specified only under smtpd_recipient_restrictions.
10771           smtpd_recipient_restrictions =
10772               permit_mynetworks, permit_sasl_authenticated, ...
10773
10774       To reject all SMTP connections from  unauthenticated  clients,  specify
10775       "smtpd_delay_reject = yes" (which is the default) and use:
10776
10777           smtpd_client_restrictions = permit_sasl_authenticated, reject
10778
10779       See the SASL_README file for SASL configuration and operation details.
10780

smtpd_sasl_authenticated_header (default: no)

10782       Report  the  SASL authenticated user name in the smtpd(8) Received mes‐
10783       sage header.
10784
10785       This feature is available in Postfix 2.3 and later.
10786

smtpd_sasl_exceptions_networks (default: empty)

10788       What remote SMTP clients the Postfix SMTP server will  not  offer  AUTH
10789       support to.
10790
10791       Some  clients  (Netscape 4 at least) have a bug that causes them to re‐
10792       quire a login and password whenever AUTH is offered, whether it's  nec‐
10793       essary  or  not. To work around this, specify, for example, $mynetworks
10794       to prevent Postfix from offering AUTH to local clients.
10795
10796       Specify a list of network/netmask patterns, separated by commas  and/or
10797       whitespace.  The  mask specifies the number of bits in the network part
10798       of a host address. You can also specify  "/file/name"  or  "type:table"
10799       patterns.   A  "/file/name"  pattern  is  replaced  by  its contents; a
10800       "type:table" lookup table is matched  when  a  table  entry  matches  a
10801       lookup  string  (the lookup result is ignored).  Continue long lines by
10802       starting the next line with whitespace. Specify "!pattern"  to  exclude
10803       an  address  or network block from the list.  The form "!/file/name" is
10804       supported only in Postfix version 2.4 and later.
10805
10806       Note: IP version 6 address information must be specified inside  []  in
10807       the  smtpd_sasl_exceptions_networks  value, and in files specified with
10808       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
10809       would otherwise be confused with a "type:table" pattern.
10810
10811       Example:
10812
10813       smtpd_sasl_exceptions_networks = $mynetworks
10814
10815       This feature is available in Postfix 2.1 and later.
10816

smtpd_sasl_local_domain (default: empty)

10818       The name of the Postfix SMTP server's local SASL authentication realm.
10819
10820       By default, the local authentication realm name is the null string.
10821
10822       Examples:
10823
10824       smtpd_sasl_local_domain = $mydomain
10825       smtpd_sasl_local_domain = $myhostname
10826

smtpd_sasl_mechanism_filter (default: !external, static:rest)

10828       If  non-empty,  a  filter for the SASL mechanism names that the Postfix
10829       SMTP server will announce in the EHLO response. By default, the Postfix
10830       SMTP  server  will not announce the EXTERNAL mechanism, because Postfix
10831       support for that is not implemented.
10832
10833       Specify mechanism names, "/file/name" patterns, or "type:table"  lookup
10834       tables,  separated  by  comma or whitespace. The right-hand side result
10835       from "type:table" lookups is ignored. Specify "!pattern" to  exclude  a
10836       mechanism name from the list.
10837
10838       Examples:
10839
10840       smtpd_sasl_mechanism_filter = !external, !gssapi, static:rest
10841       smtpd_sasl_mechanism_filter = login, plain
10842       smtpd_sasl_mechanism_filter = /etc/postfix/smtpd_mechs
10843
10844       This feature is available in Postfix 3.6 and later.
10845

smtpd_sasl_path (default: smtpd)

10847       Implementation-specific information that the Postfix SMTP server passes
10848       through to the  SASL  plug-in  implementation  that  is  selected  with
10849       smtpd_sasl_type.   Typically this specifies the name of a configuration
10850       file or rendezvous point.
10851
10852       This feature is available in Postfix 2.3 and later. In earlier releases
10853       it was called smtpd_sasl_application_name.
10854

smtpd_sasl_response_limit (default: 12288)

10856       The  maximum  length of a SASL client's response to a server challenge.
10857       When the client's "initial response" is longer than  the  normal  limit
10858       for  SMTP commands, the client must omit its initial response, and wait
10859       for an empty server challenge; it can then send what  would  have  been
10860       its  "initial  response"  as  a response to the empty server challenge.
10861       RFC4954 requires the server to accept client responses up to  at  least
10862       12288  octets  of  base64-encoded text.  The default value is therefore
10863       also the minimum value accepted for this parameter.
10864
10865       This feature is available in Postfix 3.4 and later. Prior versions  use
10866       "line_length_limit",  which may need to be raised to accommodate larger
10867       client responses, as may be needed with GSSAPI authentication  of  Win‐
10868       dows AD users who are members of many groups.
10869

smtpd_sasl_security_options (default: noanonymous)

10871       Postfix  SMTP  server SASL security options; as of Postfix 2.3 the list
10872       of available features depends on the SASL server implementation that is
10873       selected with smtpd_sasl_type.
10874
10875       The  following  security features are defined for the cyrus server SASL
10876       implementation:
10877
10878       Restrict what authentication mechanisms the Postfix  SMTP  server  will
10879       offer  to  the client.  The list of available authentication mechanisms
10880       is system dependent.
10881
10882       Specify zero or more of the following:
10883
10884       noplaintext
10885              Disallow methods that use plaintext passwords.
10886
10887       noactive
10888              Disallow methods subject to active (non-dictionary) attack.
10889
10890       nodictionary
10891              Disallow methods subject to passive (dictionary) attack.
10892
10893       noanonymous
10894              Disallow methods that allow anonymous authentication.
10895
10896       forward_secrecy
10897              Only allow methods that support forward secrecy (Dovecot only).
10898
10899       mutual_auth
10900              Only allow  methods  that  provide  mutual  authentication  (not
10901              available with Cyrus SASL version 1).
10902
10903       By default, the Postfix SMTP server accepts plaintext passwords but not
10904       anonymous logins.
10905
10906       Warning: it appears that clients try authentication methods in the  or‐
10907       der  as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) which
10908       means that if you disable plaintext  passwords,  clients  will  log  in
10909       anonymously, even when they should be able to use CRAM-MD5.  So, if you
10910       disable plaintext logins, disable anonymous logins too.  Postfix treats
10911       anonymous login as no authentication.
10912
10913       Example:
10914
10915       smtpd_sasl_security_options = noanonymous, noplaintext
10916

smtpd_sasl_service (default: smtp)

10918       The  service  name  that is passed to the SASL plug-in that is selected
10919       with smtpd_sasl_type and smtpd_sasl_path.
10920
10921       This feature is available in Postfix 2.11 and later. Prior versions be‐
10922       have as if "smtp" is specified.
10923

smtpd_sasl_tls_security_options (default: $smtpd_sasl_security_options)

10925       The  SASL  authentication security options that the Postfix SMTP server
10926       uses for TLS encrypted SMTP sessions.
10927
10928       This feature is available in Postfix 2.2 and later.
10929

smtpd_sasl_type (default: cyrus)

10931       The SASL plug-in type that the Postfix SMTP server should use  for  au‐
10932       thentication.  The  available  types  are listed with the "postconf -a"
10933       command.
10934
10935       This feature is available in Postfix 2.3 and later.
10936

smtpd_sender_login_maps (default: empty)

10938       Optional lookup table with the SASL login names  that  own  the  sender
10939       (MAIL FROM) addresses.
10940
10941       Specify zero or more "type:name" lookup tables, separated by whitespace
10942       or comma. Tables will be searched in the specified order until a  match
10943       is  found.   With lookups from indexed files such as DB or DBM, or from
10944       networked tables such as NIS, LDAP or SQL, the following search  opera‐
10945       tions are done with a sender address of user@domain:
10946
10947       1) user@domain
10948              This table lookup is always done and has the highest precedence.
10949
10950       2) user
10951              This  table  lookup  is  done  only  when the domain part of the
10952              sender address matches $myorigin,  $mydestination,  $inet_inter‐
10953              faces or $proxy_interfaces.
10954
10955       3) @domain
10956              This table lookup is done last and has the lowest precedence.
10957
10958       In all cases the result of table lookup must be either "not found" or a
10959       list of SASL login names separated by comma and/or whitespace.
10960
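The lookup order above, together with the *_sender_login_mismatch restrictions documented under smtpd_sender_restrictions, as an added example (a simplified model, not Postfix code). The table contents, the domain names and the function names lookup_owners and rejected are constructed for illustration.

```python
# Constructed smtpd_sender_login_maps content: lookup key -> SASL login names.
LOGIN_MAP = {
    "alice@example.com": "alice",
    "bob": "bob",                          # bare user: local domains only
    "@example.org": "relayadmin, alice",   # whole-domain entry
}
# Stands in for $myorigin, $mydestination, $inet_interfaces, $proxy_interfaces.
LOCAL_DOMAINS = {"example.com"}


def lookup_owners(sender, login_map=LOGIN_MAP, local_domains=LOCAL_DOMAINS):
    """Return the list of SASL logins that own `sender`, or None for "not found"."""
    user, _, domain = sender.rpartition("@")
    keys = [sender]                  # 1) user@domain: always done, highest precedence
    if domain in local_domains:
        keys.append(user)            # 2) user: only when the domain part is local
    keys.append("@" + domain)        # 3) @domain: done last, lowest precedence
    for key in keys:
        if key in login_map:
            # Result is a list of logins separated by comma and/or whitespace.
            return login_map[key].replace(",", " ").split()
    return None


def rejected(restriction, sender, sasl_login, sasl_enabled=True):
    """True when `restriction` rejects this MAIL FROM.

    sasl_login is the authenticated login name, or None when the client
    did not authenticate.
    """
    owners = lookup_owners(sender)
    listed = owners is not None
    authenticated = sasl_login is not None

    if restriction == "reject_authenticated_sender_login_mismatch":
        # Authenticated clients may only use addresses they explicitly own.
        return authenticated and (not listed or sasl_login not in owners)

    if restriction == "reject_unauthenticated_sender_login_mismatch":
        # Listed addresses require authentication.
        return sasl_enabled and listed and not authenticated

    if restriction == "reject_known_sender_login_mismatch":
        # Protects listed addresses only; unlisted addresses stay usable.
        if authenticated:
            return listed and sasl_login not in owners
        return sasl_enabled and listed

    if restriction == "reject_sender_login_mismatch":
        # Alias for the authenticated and unauthenticated variants combined.
        return (rejected("reject_authenticated_sender_login_mismatch",
                         sender, sasl_login, sasl_enabled)
                or rejected("reject_unauthenticated_sender_login_mismatch",
                            sender, sasl_login, sasl_enabled))

    raise ValueError("restriction not modelled: " + restriction)


if __name__ == "__main__":
    for sender in ("alice@example.com", "bob@example.com",
                   "bob@example.org", "carol@example.net"):
        print(sender, "owners:", lookup_owners(sender))
    # Login "alice" using an unlisted address: the two variants differ.
    for name in ("reject_authenticated_sender_login_mismatch",
                 "reject_known_sender_login_mismatch"):
        print(name, rejected(name, "carol@example.net", "alice"))
```

The last two lines show the practical difference: the authenticated variant refuses any address that the login does not explicitly own, while the known variant only protects addresses that appear in the table.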

smtpd_sender_restrictions (default: empty)

10962       Optional restrictions that the Postfix SMTP server applies in the  con‐
10963       text  of  a client MAIL FROM command.  See SMTPD_ACCESS_README, section
10964       "Delayed evaluation of SMTP access restriction lists" for a  discussion
10965       of evaluation context and time.
10966
10967       The default is to permit everything.
10968
10969       Specify  a list of restrictions, separated by commas and/or whitespace.
10970       Continue long lines by starting the next  line  with  whitespace.   Re‐
10971       strictions are applied in the order as specified; the first restriction
10972       that matches wins.
10973
10974       The following restrictions are specific to the sender address  received
10975       with the MAIL FROM command.
10976
10977       check_sender_access type:table
10978              Search  the  specified  access(5) database for the MAIL FROM ad‐
10979              dress, domain, parent domains, or localpart@,  and  execute  the
10980              corresponding action.
10981
10982       check_sender_a_access type:table
10983              Search the specified access(5) database for the IP addresses for
10984              the MAIL FROM domain,  and  execute  the  corresponding  action.
10985              Note:  a  result  of "OK" is not allowed for safety reasons. In‐
10986              stead, use  DUNNO  in  order  to  exclude  specific  hosts  from
10987              denylists.  This feature is available in Postfix 3.0 and later.
10988
10989       check_sender_mx_access type:table
10990              Search the specified access(5) database for the MX hosts for the
10991              MAIL FROM domain, and execute the corresponding action.   If  no
10992              MX  record  is  found,  look up A or AAAA records, just like the
10993              Postfix SMTP client would. Note: a result of "OK" is not allowed
10994              for  safety reasons. Instead, use DUNNO in order to exclude spe‐
10995              cific hosts from denylists.  This feature is available in  Post‐
10996              fix 2.1 and later.
10997
10998       check_sender_ns_access type:table
10999              Search  the specified access(5) database for the DNS servers for
11000              the MAIL FROM domain,  and  execute  the  corresponding  action.
11001              Note:  a  result  of "OK" is not allowed for safety reasons. In‐
11002              stead, use  DUNNO  in  order  to  exclude  specific  hosts  from
11003              denylists.  This feature is available in Postfix 2.1 and later.
11004
11005       reject_authenticated_sender_login_mismatch
11006              Reject  the  request when the client is authenticated with SASL,
11007              but  either  the  MAIL   FROM   address   is   not   listed   in
11008              $smtpd_sender_login_maps, or the SASL login name is not an owner
11009              for that address.
11010              This prevents an authenticated client from using a MAIL FROM ad‐
11011              dress that they do not explicitly own.
11012              This feature is available in Postfix version 2.1 and later.
11013
11014       reject_known_sender_login_mismatch
11015              When  the  client is authenticated with SASL, reject the request
11016              when the  MAIL  FROM  address  is  listed  in  $smtpd_sender_lo‐
11017              gin_maps,  but  the SASL login name is not an owner for that ad‐
11018              dress.
11019              When the client is not authenticated with SASL, reject  the  re‐
11020              quest  when SASL is enabled, and the MAIL FROM address is listed
11021              in $smtpd_sender_login_maps.
11022              This  protects  any  MAIL  FROM  address  that  is   listed   in
11023              $smtpd_sender_login_maps,  while  still allowing a client to use
11024              any unlisted MAIL FROM address.
11025              This feature is available in Postfix version 2.11 and later.
11026
11027       reject_non_fqdn_sender
11028              Reject the request when the MAIL FROM address specifies a domain
11029              that  is  not  in fully-qualified domain form as required by the
11030              RFC.
11031              The non_fqdn_reject_code parameter specifies the  response  code
11032              for rejected requests (default: 504).
11033
11034       reject_rhsbl_sender rbl_domain=d.d.d.d
11035              Reject  the request when the MAIL FROM domain is listed with the
11036              A record "d.d.d.d" under rbl_domain  (Postfix  version  2.1  and
11037              later  only).   Each  "d"  is a number, or a pattern inside "[]"
11038              that contains one or more ";"-separated numbers or  number..num‐
11039              ber  ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
11040              specified, reject the request  when  the  MAIL  FROM  domain  is
11041              listed with any A record under rbl_domain.
11042              The  maps_rbl_reject_code  parameter specifies the response code
11043              for rejected requests (default:  554); the default_rbl_reply pa‐
11044              rameter  specifies  the  default  server  reply; and the rbl_re‐
11045              ply_maps parameter specifies tables with server replies  indexed
11046              by  rbl_domain.   This  feature  is available in Postfix 2.0 and
11047              later.
11048
11049       reject_sender_login_mismatch
11050              As of Postfix  2.1,  this  is  an  alias  for  "reject_authenti‐
11051              cated_sender_login_mismatch,   reject_unauthenticated_sender_lo‐
11052              gin_mismatch".
11053
       reject_unauthenticated_sender_login_mismatch
              Reject the request when SASL is enabled, the MAIL FROM address
              is listed in $smtpd_sender_login_maps, but the client is not
              authenticated with SASL.
              With SASL enabled, this prevents an unauthenticated client from
              using any MAIL FROM address that is listed in
              $smtpd_sender_login_maps.
              This feature is available in Postfix version 2.1 and later.
11062
11063       reject_unknown_sender_domain
11064              Reject the request when Postfix is not the final destination for
11065              the  sender  address,  and the MAIL FROM domain has 1) no DNS MX
11066              and no DNS A record, or 2) a  malformed  MX  record  such  as  a
11067              record  with  a zero-length MX hostname (Postfix version 2.3 and
11068              later).
11069              The reply is specified with the unknown_address_reject_code  pa‐
11070              rameter  (default:  450),  unknown_address_tempfail_action  (de‐
11071              fault: defer_if_permit), or 550 (nullmx, Postfix 3.0 and later).
11072              See the respective parameter descriptions for details.
11073
11074       reject_unlisted_sender
11075              Reject  the  request when the MAIL FROM address is not listed in
11076              the list of valid recipients  for  its  domain  class.  See  the
11077              smtpd_reject_unlisted_sender  parameter description for details.
11078              This feature is available in Postfix 2.1 and later.
11079
11080       reject_unverified_sender
11081              Reject the request when mail to the MAIL FROM address  is  known
11082              to  bounce, or when the sender address destination is not reach‐
11083              able.  Address verification information is managed by  the  ver‐
11084              ify(8)  server; see the ADDRESS_VERIFICATION_README file for de‐
11085              tails.
11086              The unverified_sender_reject_code parameter specifies the numer‐
11087              ical  response code when an address is known to bounce (default:
11088              450, change into 550 when you are confident that it is  safe  to
11089              do so).
11090              The  unverified_sender_defer_code  specifies  the  numerical re‐
11091              sponse code when an address probe  failed  due  to  a  temporary
11092              problem (default: 450).
11093              The  unverified_sender_tempfail_action  parameter  specifies the
11094              action after address probe failure due to  a  temporary  problem
11095              (default: defer_if_permit).
              This feature breaks for aliased addresses with
              "enable_original_recipient = no" (Postfix <= 3.2).
11098              This feature is available in Postfix 2.1 and later.
11099
11100       Other restrictions that are valid in this context:
11101
11102       •      Generic restrictions that can be used in any SMTP  command  con‐
11103              text, described under smtpd_client_restrictions.
11104
11105       •      SMTP    command    specific    restrictions    described   under
11106              smtpd_client_restrictions and smtpd_helo_restrictions.
11107
       •      SMTP command specific restrictions described under
              smtpd_recipient_restrictions. When recipient restrictions are
              listed under smtpd_sender_restrictions, they have effect only
              with "smtpd_delay_reject = yes", so that
              $smtpd_sender_restrictions is evaluated at the time of the RCPT
              TO command.
11113
11114       Examples:
11115
       smtpd_sender_restrictions = reject_unknown_sender_domain
       smtpd_sender_restrictions = reject_unknown_sender_domain,
           check_sender_access hash:/etc/postfix/access
11119
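       The reply filter syntax described under reject_rhsbl_sender, as an
       added example that is not part of the Postfix documentation or source:
       a Python matcher for "rbl_domain=d.d.d.d" patterns. The DNSBL name, the
       pattern and the A records are constructed, and all function names are
       hypothetical.

```python
"""Added example: evaluate a Postfix-style DNSBL reply filter such as
"rbl_domain=127.0.[0..2;11].[1;3..5]". Illustrative, not Postfix code."""
import re

# One field of the filter: either a bracketed pattern or a plain number.
FIELD_RE = re.compile(r"\[([^\[\]]*)\]|([0-9]+)")

# Constructed sample: hypothetical DNSBL zone and reply filter.
SAMPLE_SPEC = "rhsbl.example.test=127.0.[0..2;11].[1;3..5]"


def octet(text):
    """Parse one decimal octet, rejecting anything outside 0..255."""
    if not (text.isascii() and text.isdigit()) or int(text) > 255:
        raise ValueError("bad octet: %r" % text)
    return int(text)


def parse_filter(pattern):
    """Parse "d.d.d.d" into four lists of inclusive (low, high) ranges.

    A plain split on "." would break on the ".." range operator, so the
    pattern is tokenised field by field instead.
    """
    fields, pos = [], 0
    while True:
        match = FIELD_RE.match(pattern, pos)
        if not match:
            raise ValueError("bad field at offset %d in %r" % (pos, pattern))
        if match.group(2) is not None:
            ranges = [(octet(match.group(2)),) * 2]
        else:
            ranges = []
            for item in match.group(1).split(";"):
                low, sep, high = item.partition("..")
                lo = octet(low)
                hi = octet(high) if sep else lo
                if lo > hi:
                    raise ValueError("empty range: %r" % item)
                ranges.append((lo, hi))
        fields.append(ranges)
        pos = match.end()
        if pos == len(pattern):
            break
        if pattern[pos] != ".":
            raise ValueError("expected '.' at offset %d in %r" % (pos, pattern))
        pos += 1
    if len(fields) != 4:
        raise ValueError("need exactly four fields: %r" % pattern)
    return fields


def reply_matches(fields, address):
    """True when every octet of the A record falls in its field's ranges."""
    parts = address.split(".")
    if len(parts) != 4:
        return False
    try:
        octets = [octet(part) for part in parts]
    except ValueError:
        return False
    return all(any(lo <= value <= hi for lo, hi in ranges)
               for value, ranges in zip(octets, fields))


def sender_domain_listed(spec, a_records):
    """spec is "rbl_domain" or "rbl_domain=d.d.d.d"; a_records holds the A
    records found for the sender domain under rbl_domain (empty if none)."""
    _rbl_domain, sep, pattern = spec.partition("=")
    if not sep:
        return bool(a_records)          # no filter: any A record counts
    fields = parse_filter(pattern)
    return any(reply_matches(fields, record) for record in a_records)
```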

smtpd_service_name (default: smtpd)

11121       The internal service that postscreen(8) hands off  allowed  connections
11122       to. In a future version there may be different classes of SMTP service.
11123
11124       This feature is available in Postfix 2.8.
11125

smtpd_soft_error_limit (default: 10)

11127       The  number  of  errors a remote SMTP client is allowed to make without
11128       delivering mail before the Postfix SMTP server slows down all  its  re‐
11129       sponses.
11130
11131       •      With  Postfix  version  2.1 and later, when the error count is >
11132              $smtpd_soft_error_limit, the Postfix SMTP server delays all  re‐
11133              sponses by $smtpd_error_sleep_time.
11134
11135       •      With Postfix versions 2.0 and earlier, when the error count is >
11136              $smtpd_soft_error_limit, the Postfix SMTP server delays all  re‐
11137              sponses   by  the  larger  of  (number  of  errors)  seconds  or
11138              $smtpd_error_sleep_time.
11139
11140       •      With Postfix versions 2.0 and earlier, when the error  count  is
11141              <=  $smtpd_soft_error_limit,  the Postfix SMTP server delays 4XX
11142              and 5XX responses by $smtpd_error_sleep_time.
11143

smtpd_starttls_timeout (default: see postconf -d output)

11145       The time limit for Postfix SMTP server write and read operations during
11146       TLS  startup  and  shutdown  handshake  procedures. The current default
11147       value is stress-dependent. Before Postfix version 2.8, it was fixed  at
11148       300s.
11149
11150       Specify  a  non-zero  time  value  (an  integral value plus an optional
11151       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
11152       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
11153       unit is s (seconds).
11154
11155       This feature is available in Postfix 2.2 and later.
11156

smtpd_timeout (default: normal: 300s, overload: 10s)

       When the Postfix SMTP server wants to send an SMTP server response, how
       long the Postfix SMTP server will wait for an underlying network write
       operation to complete; and when the Postfix SMTP server wants to
       receive an SMTP client request, how long the Postfix SMTP server will
       wait for an underlying network read operation to complete. See
       smtpd_per_request_deadline for how this time limit may be enforced
       (with Postfix 2.9-3.6 see smtpd_per_record_deadline).
11165
11166       Normally the default limit is 300s, but it changes  under  overload  to
11167       just  10s.  With Postfix 2.5 and earlier, the SMTP server always uses a
11168       time limit of 300s by default.
11169
11170       Note: if you set SMTP time limits to very large values you may have  to
11171       update the global ipc_timeout parameter.
11172
11173       Specify  a  non-zero  time  value  (an  integral value plus an optional
11174       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
11175       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
11176       unit is s (seconds).
11177

smtpd_tls_CAfile (default: empty)

11179       A file containing (PEM format) CA certificates of root CAs  trusted  to
11180       sign either remote SMTP client certificates or intermediate CA certifi‐
11181       cates.  These are loaded into memory before the smtpd(8) server  enters
11182       the  chroot jail. If the number of trusted roots is large, consider us‐
11183       ing smtpd_tls_CApath instead, but note that the latter  directory  must
11184       be  present in the chroot jail if the smtpd(8) server is chrooted. This
11185       file may also be used to augment the server  certificate  trust  chain,
11186       but it is best to include all the required certificates directly in the
11187       server certificate file.
11188
11189       Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to  use  ONLY  the
11190       system-supplied default Certification Authority certificates.
11191
11192       Specify  "tls_append_default_CA = no" to prevent Postfix from appending
11193       the system-supplied default CAs and trusting third-party certificates.
11194
11195       By default (see smtpd_tls_ask_ccert), client certificates are  not  re‐
11196       quested,  and  smtpd_tls_CAfile should remain empty. If you do make use
11197       of client certificates, the distinguished names (DNs) of the Certifica‐
11198       tion Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
11199       client in the client certificate request message.  MUAs  with  multiple
11200       client certificates may use the list of preferred Certification Author‐
11201       ities to select the correct client certificate.  You may  want  to  put
11202       your  "preferred" CA or CAs in this file, and install other trusted CAs
11203       in $smtpd_tls_CApath.
11204
11205       Example:
11206
       smtpd_tls_CAfile = /etc/postfix/CAcert.pem
11208
11209       This feature is available in Postfix 2.2 and later.
11210

smtpd_tls_CApath (default: empty)

       A directory containing (PEM format) CA certificates of root CAs trusted
       to sign either remote SMTP client certificates or intermediate CA
       certificates. Do not forget to create the necessary "hash" links with,
       for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
       smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
       inside the chroot jail.
11218
11219       Specify  "smtpd_tls_CApath  = /path/to/system_CA_directory" to use ONLY
11220       the system-supplied default Certification Authority certificates.
11221
11222       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
11223       the system-supplied default CAs and trusting third-party certificates.
11224
11225       By  default  (see smtpd_tls_ask_ccert), client certificates are not re‐
11226       quested, and smtpd_tls_CApath  should  remain  empty.  In  contrast  to
11227       smtpd_tls_CAfile,   DNs   of  Certification  Authorities  installed  in
11228       $smtpd_tls_CApath are not included in the  client  certificate  request
11229       message.  MUAs  with  multiple  client certificates may use the list of
11230       preferred Certification Authorities to select the correct  client  cer‐
11231       tificate.   You  may  want  to  put  your  "preferred"  CA  or  CAs  in
11232       $smtpd_tls_CAfile,  and  install   the   remaining   trusted   CAs   in
11233       $smtpd_tls_CApath.
11234
11235       Example:
11236
       smtpd_tls_CApath = /etc/postfix/certs
11238
11239       This feature is available in Postfix 2.2 and later.
11240

smtpd_tls_always_issue_session_ids (default: yes)

11242       Force  the Postfix SMTP server to issue a TLS session id, even when TLS
11243       session caching  is  turned  off  (smtpd_tls_session_cache_database  is
11244       empty). This behavior is compatible with Postfix < 2.3.
11245
11246       With  Postfix 2.3 and later the Postfix SMTP server can disable session
11247       id generation when TLS session caching is turned off. This keeps remote
11248       SMTP  clients  from  caching  sessions  that almost certainly cannot be
11249       re-used.
11250
11251       By default, the Postfix SMTP server always generates TLS  session  ids.
11252       This works around a known defect in mail client applications such as MS
11253       Outlook, and may also prevent interoperability issues with other MTAs.
11254
11255       Example:
11256
       smtpd_tls_always_issue_session_ids = no
11258
11259       This feature is available in Postfix 2.3 and later.
11260

smtpd_tls_ask_ccert (default: no)

       Ask a remote SMTP client for a client certificate. This information is
       needed for certificate based mail relaying with, for example, the
       permit_tls_clientcerts feature.
11265
11266       Some clients such as Netscape will either complain if no certificate is
11267       available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
11268       tiple client certificates to choose from. This may be annoying, so this
11269       option is "off" by default.
11270
11271       This feature is available in Postfix 2.2 and later.
11272

smtpd_tls_auth_only (default: no)

11274       When  TLS encryption is optional in the Postfix SMTP server, do not an‐
11275       nounce or accept SASL authentication over unencrypted connections.
11276
11277       This feature is available in Postfix 2.2 and later.
11278

smtpd_tls_ccert_verifydepth (default: 9)

11280       The verification depth for remote SMTP client certificates. A depth  of
11281       1 is sufficient if the issuing CA is listed in a local CA file.
11282
       The default verification depth is 9 (the OpenSSL default) for
       compatibility with earlier Postfix behavior. Prior to Postfix 2.5, the
       default value was 5, but the limit was not actually enforced. If you
       have set this to a lower non-default value, certificates with longer
       trust chains may now fail to verify. Certificate chains with 1 or 2 CAs
       are common; deeper chains are rarer, and any number between 5 and 9
       should suffice in practice. You can choose a lower number if, for
       example, you trust certificates directly signed by an issuing CA but
       not any CAs it delegates to.
11292
11293       This feature is available in Postfix 2.2 and later.
11294

smtpd_tls_cert_file (default: empty)

11296       File  with the Postfix SMTP server RSA certificate in PEM format.  This
11297       file may also contain the Postfix SMTP server private  RSA  key.   With
11298       Postfix  >= 3.4 the preferred way to configure server keys and certifi‐
11299       cates is via the "smtpd_tls_chain_files" parameter.
11300
11301       Public Internet MX hosts without certificates signed by  a  "reputable"
11302       CA  must  generate,  and  be  prepared  to  present  to most clients, a
11303       self-signed or private-CA signed certificate. The client  will  not  be
11304       able  to  authenticate the server, but unless it is running Postfix 2.3
11305       or similar software, it will still insist on a server certificate.
11306
11307       For servers that are not public Internet  MX  hosts,  Postfix  supports
11308       configurations  with  no certificates. This entails the use of just the
11309       anonymous TLS ciphers, which are not supported by typical SMTP clients.
11310       Since  some  clients  may not fall back to plain text after a TLS hand‐
11311       shake failure, a certificate-less Postfix SMTP server will be unable to
11312       receive  email  from some TLS-enabled clients. To avoid accidental con‐
11313       figurations with no certificates, Postfix enables certificate-less  op‐
11314       eration     only     when    the    administrator    explicitly    sets
11315       "smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server
11316       configurations will not accidentally enable TLS without certificates.
11317
11318       Note that server certificates are not optional in TLS 1.3. To run with‐
11319       out certificates you'd have to disable the TLS 1.3 protocol by  includ‐
11320       ing    '!TLSv1.3'    in    "smtpd_tls_protocols"   and   perhaps   also
11321       "smtpd_tls_mandatory_protocols".  It is simpler instead to just config‐
11322       ure  a  certificate  chain.   Certificate-less  operation is not recom‐
11323       mended.
11324
11325       Both RSA and DSA certificates  are  supported.   When  both  types  are
11326       present, the cipher used determines which certificate will be presented
11327       to the client.  For Netscape and OpenSSL clients without special cipher
11328       choices the RSA certificate is preferred.
11329
11330       To  enable  a remote SMTP client to verify the Postfix SMTP server cer‐
11331       tificate, the issuing CA certificates must be  made  available  to  the
11332       client. You should include the required certificates in the server cer‐
11333       tificate file, the server certificate first,  then  the  issuing  CA(s)
11334       (bottom-up order).
11335
       Example: the certificate for "server.example.com" was issued by
       "intermediate CA" which itself has a certificate of "root CA".
       Create the server.pem file with "cat server_cert.pem
       intermediate_CA.pem root_CA.pem > server.pem".
11340
11341       If you also want to verify client certificates issued by these CAs, you
11342       can  add  the CA certificates to the smtpd_tls_CAfile, in which case it
11343       is  not  necessary   to   have   them   in   the   smtpd_tls_cert_file,
11344       smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.
11345
11346       A certificate supplied here must be usable as an SSL server certificate
11347       and hence pass the "openssl verify -purpose sslserver ..." test.
11348
11349       Example:
11350
       smtpd_tls_cert_file = /etc/postfix/server.pem
11352
11353       This feature is available in Postfix 2.2 and later.
11354

smtpd_tls_chain_files (default: empty)

11356       List of one or more PEM files, each holding one or  more  private  keys
11357       directly followed by a corresponding certificate chain.  The file names
11358       are separated by commas and/or whitespace.   This  parameter  obsoletes
11359       the  legacy algorithm-specific key and certificate file settings.  When
11360       this parameter is non-empty, the legacy parameters are ignored,  and  a
11361       warning is logged if any are also non-empty.
11362
       With the proliferation of multiple private key algorithms, which as of
       OpenSSL 1.1.1 include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448, it
       is increasingly impractical to use separate parameters to configure the
       key and certificate chain for each algorithm. Therefore, Postfix now
       supports storing multiple keys and corresponding certificate chains in
       a single file or in a set of files.
11369
11370       Each key must appear immediately before the corresponding  certificate,
11371       optionally followed by additional issuer certificates that complete the
11372       certificate chain for that key.  When  multiple  files  are  specified,
11373       they  are  equivalent  to a single file that is concatenated from those
11374       files in the given order.  Thus, while a key must  always  precede  its
11375       certificate  and issuer chain, it can be in a separate file, so long as
11376       that file is listed immediately before the file that holds  the  corre‐
11377       sponding  certificate  chain.  Once all the files are concatenated, the
11378       sequence of PEM objects must be: key1, cert1,  [chain1],  key2,  cert2,
11379       [chain2], ..., keyN, certN, [chainN].
11380
11381       Storing  the private key in the same file as the corresponding certifi‐
11382       cate is more reliable.  With the key and certificate in separate files,
11383       there is a chance that during key rollover a Postfix process might load
11384       a private key and certificate from separate  files  that  don't  match.
11385       Various  operational errors may even result in a persistent broken con‐
11386       figuration in which the certificate does not match the private key.
11387
11388       The file or files must contain at most one key of each type.   If,  for
11389       example,  two or more RSA keys and corresponding chains are listed, de‐
11390       pending on the version of OpenSSL either only the last one will be used
11391       or  a  configuration  error may be detected.  Note that while "Ed25519"
11392       and "Ed448" are  considered  separate  algorithms,  the  various  ECDSA
11393       curves  (typically  one of prime256v1, secp384r1 or secp521r1) are con‐
11394       sidered as different parameters of a single "ECDSA" algorithm, so it is
11395       not presently possible to configure keys for more than one ECDSA curve.
11396
11397       RSA  is  still  the  most  widely supported algorithm.  Presently (late
11398       2018), ECDSA support is common, but not yet universal, and Ed25519  and
11399       Ed448 support is mostly absent.  Therefore, an RSA key should generally
11400       be configured, along with any additional keys for the other  algorithms
11401       when desired.
11402
11403       Example  (separate  files  for  each  key and corresponding certificate
11404       chain):
11405
           /etc/postfix/main.cf:
               smtpd_tls_chain_files =
                   ${config_directory}/ed25519.pem,
                   ${config_directory}/ed448.pem,
                   ${config_directory}/rsa.pem

           /etc/postfix/ed25519.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----

           /etc/postfix/ed448.pem:
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----

           /etc/postfix/rsa.pem:
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----
11444
11445       Example (all keys and certificates in a single file):
11446
           /etc/postfix/main.cf:
               smtpd_tls_chain_files = ${config_directory}/chains.pem

           /etc/postfix/chains.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----
11478
11479       This feature is available in Postfix 3.4 and later.
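
       The ordering and one-key-per-algorithm rules described above for
       smtpd_tls_chain_files, as an added example that is not Postfix code: a
       Python lint that concatenates the listed files, walks the PEM objects
       and classifies each key from its PKCS#8 algorithm OID. The sample keys
       are constructed headers padded with zero bytes, and all function names
       are hypothetical.

```python
"""Added example: lint the PEM object order expected by smtpd_tls_chain_files.
Illustrative only; this is not Postfix code."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# DER-encoded algorithm OIDs from the PKCS#8 "PRIVATE KEY" header.
# id-ecPublicKey is shared by every curve, which lines up with the rule that
# all ECDSA curves count as one algorithm.
OID_TO_TYPE = {
    "2a864886f70d010101": "RSA",
    "2a8648ce3d0201": "ECDSA",
    "2a8648ce380401": "DSA",
    "2b6570": "Ed25519",
    "2b6571": "Ed448",
}
LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA",
                 "DSA PRIVATE KEY": "DSA"}
KEY_LABELS = {"PRIVATE KEY"} | set(LEGACY_LABELS)


def read_tlv(der, pos):
    """Return (tag, length, offset of value) for the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length = int.from_bytes(der[pos:pos + count], "big")
        pos += count
    return tag, length, pos


def key_type(label, body):
    """Classify a private key by PEM label or by PKCS#8 algorithm OID."""
    if label in LEGACY_LABELS:
        return LEGACY_LABELS[label]
    try:
        der = base64.b64decode("".join(body.split()))
        _, _, pos = read_tlv(der, 0)            # outer SEQUENCE
        _, vlen, pos = read_tlv(der, pos)       # version INTEGER
        _, _, pos = read_tlv(der, pos + vlen)   # AlgorithmIdentifier
        _, olen, pos = read_tlv(der, pos)       # algorithm OID
        return OID_TO_TYPE.get(der[pos:pos + olen].hex(), "unknown")
    except (ValueError, IndexError):
        return "unknown"


def lint_chain_files(file_texts):
    """Check the files, concatenated in the listed order, against the
    sequence key1, cert1, [chain1], key2, cert2, [chain2], ...
    Returns a list of problem strings (empty when the layout is valid)."""
    problems, seen, prev = [], set(), None
    for label, body in PEM_RE.findall("\n".join(file_texts)):
        if label in KEY_LABELS:
            if prev == "key":
                problems.append("private key not followed by its certificate")
            kind = key_type(label, body)
            if kind != "unknown" and kind in seen:
                problems.append("more than one %s key" % kind)
            seen.add(kind)
            prev = "key"
        elif label == "CERTIFICATE":
            if prev is None:
                problems.append("certificate appears before any private key")
            prev = "cert"
        else:
            problems.append("unexpected PEM object: %s" % label)
    if prev == "key":
        problems.append("last private key has no certificate")
    if prev is None:
        problems.append("no key or certificate found")
    return problems


def make_pem(label, der):
    """Wrap DER bytes in PEM armour."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, base64.b64encode(der).decode(), label)


# Constructed samples: PKCS#8 headers followed by zero bytes (the RSA one is
# cut short after its header) and a placeholder certificate body. None of
# this is usable key material; only the algorithm header is ever read.
ED25519_KEY = make_pem("PRIVATE KEY", bytes.fromhex(
    "302e020100300506032b657004220420") + bytes(32))
RSA_KEY = make_pem("PRIVATE KEY", bytes.fromhex(
    "308204bd020100300d06092a864886f70d0101010500") + bytes(8))
CERT = make_pem("CERTIFICATE", b"placeholder certificate body")

if __name__ == "__main__":
    print(lint_chain_files([ED25519_KEY + CERT, RSA_KEY + CERT + CERT]))
    print(lint_chain_files([CERT + RSA_KEY]))
```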
11480

smtpd_tls_cipherlist (default: empty)

11482       Obsolete Postfix < 2.3 control for the Postfix SMTP server  TLS  cipher
11483       list.  It  is  easy  to  create interoperability problems by choosing a
11484       non-default cipher list. Do not use a non-default TLS cipherlist for MX
11485       hosts on the public Internet. Clients that begin the TLS handshake, but
11486       are unable to agree on a common cipher, may not be  able  to  send  any
11487       email  to  the  SMTP server. Using a restricted cipher list may be more
11488       appropriate for a dedicated MSA or an internal mailhub, where  one  can
11489       exert some control over the TLS software and settings of the connecting
11490       clients.
11491
11492       Note: do not use "" quotes around the parameter value.
11493
11494       This feature is available with Postfix version 2.2. It is not used with
11495       Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
11496

smtpd_tls_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP server will use with
       opportunistic TLS encryption. Cipher types listed in
       smtpd_tls_exclude_ciphers are excluded from the base definition of the
       selected cipher grade. The default value is "medium" for Postfix
       releases after the middle of 2015, "export" for older releases.
11503
11504       When   TLS   is   mandatory   the   cipher  grade  is  chosen  via  the
11505       smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
11506       tax details.
11507
11508       This  feature is available in Postfix 2.6 and later. With earlier Post‐
11509       fix releases only the smtpd_tls_mandatory_ciphers parameter  is  imple‐
11510       mented, and opportunistic TLS always uses "export" or better (i.e. all)
11511       ciphers.
11512

smtpd_tls_dcert_file (default: empty)

11514       File with the Postfix SMTP server DSA certificate in PEM format.   This
11515       file may also contain the Postfix SMTP server private DSA key.  The DSA
11516       algorithm is obsolete and should not be used.
11517
11518       See the discussion under smtpd_tls_cert_file for more details.
11519
11520       Example:
11521
       smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
11523
11524       This feature is available in Postfix 2.2 and later.
11525

smtpd_tls_dh1024_param_file (default: empty)

11527       File with DH parameters that the Postfix SMTP server  should  use  with
11528       non-export EDH ciphers.
11529
       With Postfix >= 3.7, built with OpenSSL version 3.0.0 or later, if
       the parameter value is either empty or "auto", then the DH parameter
       selection is delegated to the OpenSSL library, which selects
       appropriate parameters based on the TLS handshake. This choice is
       likely to be the most interoperable with SMTP clients using various
       TLS libraries, and custom local parameters are no longer recommended
       when using Postfix >= 3.7 built against OpenSSL 3.0.0.
11537
       The best-practice choice of parameters uses a 2048-bit prime. This is
       fine, despite the historical "1024" in the parameter name. Do not be
       tempted to use much larger values: performance degrades quickly, and
       you may also cease to interoperate with some mainstream SMTP clients.
       As of Postfix 3.1, the compiled-in default prime is 2048 bits, and it
       is not strictly necessary, though perhaps somewhat beneficial, to
       generate custom DH parameters.
11545
11546       Instead  of  using  the  exact  same parameter sets as distributed with
11547       other TLS packages, it is more secure to generate your own set  of  pa‐
11548       rameters with something like the following commands:
11549
           openssl dhparam -out /etc/postfix/dh2048.pem 2048
           openssl dhparam -out /etc/postfix/dh1024.pem 1024
           # As of Postfix 3.6, export-grade 512-bit DH parameters are no longer
           # supported or needed.
           openssl dhparam -out /etc/postfix/dh512.pem 512
11555
11556       It is safe to share the same DH parameters between multiple Postfix in‐
11557       stances.  If you prefer, you can generate separate parameters for  each
11558       instance.
11559
11560       If you want to take maximal advantage of ciphers that offer forward se‐
11561       crecy see the Getting started section of  FORWARD_SECRECY_README.   The
11562       full document conveniently presents all information about Postfix "per‐
11563       fect" forward secrecy support in one place: what  forward  secrecy  is,
11564       how to tweak settings, and what you can expect to see when Postfix uses
11565       ciphers with forward secrecy.
11566
11567       Example:
11568
       smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
11570
11571       This feature is available in Postfix 2.2 and later.
11572

smtpd_tls_dh512_param_file (default: empty)

11574       File with DH parameters that the Postfix SMTP server  should  use  with
11575       export-grade  EDH  ciphers.   The  default  SMTP server cipher grade is
11576       "medium" with Postfix releases after the middle of 2015, and as  a  re‐
11577       sult export-grade cipher suites are by default not used.
11578
11579       With  Postfix  >=  3.6  export-grade  Diffie-Hellman key exchange is no
11580       longer supported, and this parameter is silently ignored.
11581
11582       See also the discussion under the smtpd_tls_dh1024_param_file  configu‐
11583       ration parameter.
11584
11585       Example:
11586
       smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
11588
11589       This  feature  is available in Postfix 2.2 and later, but is ignored in
11590       Postfix 3.6 and later.
11591

smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)

11593       File with the Postfix SMTP server DSA private key in PEM format.   This
11594       file  may be combined with the Postfix SMTP server DSA certificate file
11595       specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete and
11596       should not be used.
11597
11598       The  private key must be accessible without a pass-phrase, i.e. it must
11599       not be encrypted. File permissions should grant read-only access to the
11600       system superuser account ("root"), and no access to anyone else.
11601
11602       This feature is available in Postfix 2.2 and later.
11603

smtpd_tls_eccert_file (default: empty)

11605       File  with  the  Postfix  SMTP  server ECDSA certificate in PEM format.
11606       This file may also contain the Postfix SMTP server private  ECDSA  key.
11607       With Postfix >= 3.4 the preferred way to configure server keys and cer‐
11608       tificates is via the "smtpd_tls_chain_files" parameter.
11609
11610       See the discussion under smtpd_tls_cert_file for more details.
11611
11612       Example:
11613
       smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
11615
11616       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
11617       compiled and linked with OpenSSL 1.0.0 or later.
11618

smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)

       File with the Postfix SMTP server ECDSA private key in PEM format.
       This file may be combined with the Postfix SMTP server ECDSA
       certificate file specified with $smtpd_tls_eccert_file. With Postfix
       >= 3.4 the preferred way to configure server keys and certificates is
       via the "smtpd_tls_chain_files" parameter.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.

smtpd_tls_eecdh_grade (default: see postconf -d output)

       The Postfix SMTP server security grade for ephemeral elliptic-curve
       Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of
       this parameter is always ignored, and Postfix behaves as though the
       auto value (described below) was chosen.

       The available choices are:

       auto   Use the most preferred curve that is supported by both the
              client and the server. This setting requires Postfix >= 3.2
              compiled and linked with OpenSSL >= 1.0.2. This is the default
              setting under the above conditions (and the only setting used
              with Postfix >= 3.6).

       none   Don't use EECDH. Ciphers based on EECDH key exchange will be
              disabled. This is the default in Postfix versions 2.6 and 2.7.

       strong Use EECDH with approximately 128 bits of security at a
              reasonable computational cost. This is the default in Postfix
              versions 2.8-3.5.

       ultra  Use EECDH with approximately 192 bits of security at
              computational cost that is approximately twice as high as 128
              bit strength ECC.

       If you want to take maximal advantage of ciphers that offer forward
       secrecy see the Getting started section of FORWARD_SECRECY_README. The
       full document conveniently presents all information about Postfix
       "perfect" forward secrecy support in one place: what forward secrecy
       is, how to tweak settings, and what you can expect to see when Postfix
       uses ciphers with forward secrecy.

       This feature is available in Postfix 2.6 and later, when it is compiled
       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
       have not been disabled by the vendor.

smtpd_tls_exclude_ciphers (default: empty)

       List of ciphers or cipher types to exclude from the SMTP server cipher
       list at all TLS security levels. Excluding valid ciphers can create
       interoperability problems. DO NOT exclude ciphers unless it is
       essential to do so. This is not an OpenSSL cipherlist; it is a simple
       list separated by whitespace and/or commas. The elements are a single
       cipher, or one or more "+" separated cipher properties, in which case
       only ciphers matching all the properties are excluded.

       Examples (some of these will cause problems):

           smtpd_tls_exclude_ciphers = aNULL
           smtpd_tls_exclude_ciphers = MD5, DES
           smtpd_tls_exclude_ciphers = DES+MD5
           smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
           smtpd_tls_exclude_ciphers = kEDH+aRSA

       The first setting disables anonymous ciphers. The next setting disables
       ciphers that use the MD5 digest algorithm or the (single) DES
       encryption algorithm. The next setting disables ciphers that use MD5
       and DES together. The next setting disables the two ciphers
       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
       use "EDH" key exchange with RSA authentication.

       This feature is available in Postfix 2.3 and later.

smtpd_tls_fingerprint_digest (default: see postconf -d output)

       The message digest algorithm to construct remote SMTP
       client-certificate fingerprints or public key fingerprints (Postfix 2.9
       and later) for check_ccert_access and permit_tls_clientcerts.

       The default algorithm is sha256 with Postfix >= 3.6 and the
       compatibility_level set to 3.6 or higher. With Postfix <= 3.5, the
       default algorithm is md5.

       The best-practice algorithm is now sha256. Recent advances in hash
       function cryptanalysis have led to md5 and sha1 being deprecated in
       favor of sha256. However, as long as there are no known "second
       pre-image" attacks against the older algorithms, their use in this
       context, though not recommended, is still likely safe.

       While additional digest algorithms are often available with OpenSSL's
       libcrypto, only those used by libssl in SSL cipher suites are available
       to Postfix. You'll likely find support for md5, sha1, sha256 and
       sha512.

       To find the fingerprint of a specific certificate file, with a specific
       digest algorithm, run the following command, where "digest" stands for
       the digest algorithm name and "certfile.pem" for the certificate file:

           $ openssl x509 -noout -fingerprint -digest -in certfile.pem

       The text to the right of the "=" sign is the desired fingerprint. For
       example:

           $ openssl x509 -noout -fingerprint -sha256 -in cert.pem
           SHA256 Fingerprint=D4:6A:AB:19:24:...:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A

       To extract the public key fingerprint from an X.509 certificate, you
       need to extract the public key from the certificate and compute the
       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the
       "-pubkey" option of the "x509" command extracts the public key always
       in "PEM" format. We pipe the result to another OpenSSL command that
       converts the key to DER and then to the "dgst" command to compute the
       fingerprint.

       Example:

           $ openssl x509 -in cert.pem -noout -pubkey |
               openssl pkey -pubin -outform DER |
               openssl dgst -sha256 -c
           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58

       The Postfix SMTP server and client log the peer (leaf) certificate
       fingerprint and public key fingerprint when the TLS loglevel is 2 or
       higher.

       Example: client-certificate access table, with sha256 fingerprints:

           /etc/postfix/main.cf:
               smtpd_tls_fingerprint_digest = sha256
               smtpd_client_restrictions =
                   check_ccert_access hash:/etc/postfix/access,
                   reject
           /etc/postfix/access:
               # Action folded to next line...
               AF:88:7C:AD:51:95:6F:36:96:...:01:FB:2E:48:CD:AB:49:25:A2:3B
                   OK
               85:16:78:FD:73:6E:CE:70:E0:...:5F:0D:3C:C8:6D:C4:2C:24:59:E1
                   permit_auth_destination

       This feature is available in Postfix 2.5 and later.
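
       The two fingerprints described above, as an added Python example that
       is not part of the Postfix documentation: the certificate fingerprint
       is the digest of the whole DER certificate, while the public key
       fingerprint is the digest of the DER SubjectPublicKeyInfo inside it, so
       it stays the same when a certificate is reissued for the same key. The
       function names and the two unsigned certificate structures are
       constructed for illustration.

```python
import hashlib


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Return (tag, body_start, body_end) of the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long form: low bits give length size
        size = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, pos, pos + n


def spki_der(cert):
    """Slice the DER SubjectPublicKeyInfo out of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                       # explicit [0] version (absent in v1)
        pos = end
    for _ in range(5):                    # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]


def fingerprint(der, digest="sha256"):
    """Colon-separated upper-case hex digest, as written in the access table."""
    hexd = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def cert_fingerprint(cert, digest="sha256"):
    """What "openssl x509 -fingerprint" reports: digest of the whole certificate."""
    return fingerprint(cert, digest)


def pubkey_fingerprint(cert, digest="sha256"):
    """What the x509 -pubkey | pkey | dgst pipeline reports: digest of the SPKI."""
    return fingerprint(spki_der(cert), digest)


# Constructed, unsigned test structures (not real certificates): two
# "certificates" carrying the same Ed25519-shaped key but different serials,
# standing in for a certificate and its renewal.
ALG = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))            # OID 1.3.101.112
SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + bytes(range(32))))


def make_cert(serial):
    """Build a certificate-shaped DER structure with a dummy signature."""
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + ALG + tlv(0x30, b"") + validity + tlv(0x30, b"") + SPKI)
    return tlv(0x30, tbs + ALG + tlv(0x03, b"\x00" + bytes(64)))


OLD_CERT, RENEWED_CERT = make_cert(1), make_cert(2)

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("renewed", RENEWED_CERT)):
        print(label, "certificate:", cert_fingerprint(cert))
        print(label, "public key: ", pubkey_fingerprint(cert))
```

       An access table keyed on certificate fingerprints needs a new entry
       after every reissue; one keyed on public key fingerprints only changes
       when the key itself is replaced.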

smtpd_tls_key_file (default: $smtpd_tls_cert_file)

       File with the Postfix SMTP server RSA private key in PEM format. This
       file may be combined with the Postfix SMTP server RSA certificate file
       specified with $smtpd_tls_cert_file. With Postfix >= 3.4 the preferred
       way to configure server keys and certificates is via the
       "smtpd_tls_chain_files" parameter.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

smtpd_tls_loglevel (default: 0)

       Enable additional Postfix SMTP server logging of TLS activity. Each
       logging level also includes the information that is logged at a lower
       logging level.

              0 Disable logging of TLS activity.

              1 Log only a summary message on TLS handshake completion - no
              logging of client certificate trust-chain verification errors if
              client certificate verification is not required. With Postfix
              2.8 and earlier, log the summary message, peer certificate
              summary information and unconditionally log trust-chain
              verification errors.

              2 Also log levels during TLS negotiation.

              3 Also log hexadecimal and ASCII dump of TLS negotiation
              process.

              4 Also log hexadecimal and ASCII dump of complete transmission
              after STARTTLS.

       Do not use "smtpd_tls_loglevel = 2" or higher except in case of
       problems. Use of loglevel 4 is strongly discouraged.

       This feature is available in Postfix 2.2 and later.

smtpd_tls_mandatory_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP server will use with
       mandatory TLS encryption. The default grade ("medium") is sufficiently
       strong that any benefit from globally restricting TLS sessions to a
       more stringent grade is likely negligible, especially given the fact
       that many implementations still do not offer any stronger ("high"
       grade) ciphers, while those that do, will always use "high" grade
       ciphers. So insisting on "high" grade ciphers is generally
       counter-productive. Allowing "export" or "low" ciphers is typically not
       a good idea, as systems limited to just these are limited to obsolete
       browsers. No known SMTP clients fail to support at least one "medium"
       or "high" grade cipher.

       The following cipher grades are supported:

       high   Enable only "HIGH" grade OpenSSL ciphers. The underlying
              cipherlist is specified via the tls_high_cipherlist
              configuration parameter, which you are strongly encouraged to
              not change.

       medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
              128-bit or longer symmetric bulk-encryption keys. This is the
              default minimum strength for mandatory TLS encryption. The
              underlying cipherlist is specified via the tls_medium_cipherlist
              configuration parameter, which you are strongly encouraged not
              to change.

       null   Enable only the "NULL" OpenSSL ciphers, these provide
              authentication without encryption. This setting is only
              appropriate in the rare case that all clients are prepared to
              use NULL ciphers (not normally enabled in TLS clients). The
              underlying cipherlist is specified via the tls_null_cipherlist
              configuration parameter, which you are strongly encouraged not
              to change.

       low    Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix >=
              3.8 this cipher grade is always identical to "medium". Recent
              versions of OpenSSL do not support any "LOW" grade ciphers. In
              earlier Postfix releases the underlying cipherlist was specified
              via the tls_low_cipherlist configuration parameter, which you
              are strongly encouraged not to change. This obsolete cipher
              grade SHOULD NOT be used.

       export Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
              >= 3.8 this cipher grade is always identical to "medium". Recent
              versions of OpenSSL do not support any "EXPORT" grade ciphers.
              In earlier Postfix releases the underlying cipherlist was
              specified via the tls_export_cipherlist configuration parameter,
              which you are strongly encouraged not to change. This obsolete
              cipher grade SHOULD NOT be used.

       Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
       smtpd_tls_exclude_ciphers are excluded from the base definition of the
       selected cipher grade. See smtpd_tls_ciphers for cipher controls that
       apply to opportunistic TLS.

       The underlying cipherlists for grades other than "null" include
       anonymous ciphers, but these are automatically filtered out if the
       server is configured to ask for remote SMTP client certificates. You
       are very unlikely to need to take any steps to exclude anonymous
       ciphers, they are excluded automatically as required. If you must
       exclude anonymous ciphers even when Postfix does not need or use peer
       certificates, set "smtpd_tls_exclude_ciphers = aNULL". To exclude
       anonymous ciphers only when TLS is enforced, set
       "smtpd_tls_mandatory_exclude_ciphers = aNULL".

       This feature is available in Postfix 2.3 and later.

smtpd_tls_mandatory_exclude_ciphers (default: empty)

       Additional list of ciphers or cipher types to exclude from the Postfix
       SMTP server cipher list at mandatory TLS security levels. This list
       works in addition to the exclusions listed with
       smtpd_tls_exclude_ciphers (see there for syntax details).

       This feature is available in Postfix 2.3 and later.

smtpd_tls_mandatory_protocols (default: see postconf -d output)

       TLS protocols accepted by the Postfix SMTP server with mandatory TLS
       encryption. If the list is empty, the server supports all available
       TLS protocol versions. A non-empty value is a list of protocol names
       to include or exclude, separated by whitespace, commas or colons.

       The valid protocol names (see SSL_get_version(3)) are "SSLv2", "SSLv3",
       "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with Postfix
       3.6, the default value is ">=TLSv1", which sets TLS 1.0 as the lowest
       supported TLS protocol version (see below). Older releases use the "!"
       exclusion syntax, also described below.

       As of Postfix 3.6, the preferred way to limit the range of acceptable
       protocols is to set the lowest acceptable TLS protocol version and/or
       the highest acceptable TLS protocol version. To set the lower bound
       include an element of the form: ">=version" where version is either
       one of the TLS protocol names listed above, or a hexadecimal number
       corresponding to the desired TLS protocol version (0301 for TLS 1.0,
       0302 for TLS 1.1, etc.). For the upper bound, use "<=version". There
       must be no whitespace between the ">=" or "<=" symbols and the protocol
       name or number.

       Hexadecimal protocol numbers make it possible to specify protocol
       bounds for TLS versions that are known to OpenSSL, but might not be
       known to Postfix. They cannot be used with the legacy exclusion
       syntax. Leading "0" or "0x" prefixes are supported, but not required.
       Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
       "TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
       upper or lower bound, and a warning will be logged. Hexadecimal
       versions should only be used when Postfix is linked with some future
       version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
       yet support a symbolic name for that protocol version.

       Hexadecimal example (Postfix >= 3.6):

           # Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
           # in some future version of OpenSSL (presently a warning is logged).
           smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
           # Allow only TLS 1.2 and up:
           smtpd_tls_mandatory_protocols = >=0x0303

       With Postfix < 3.6 there is no support for a minimum or maximum
       version, and the protocol range is configured via protocol exclusions.
       To require at least TLS 1.0, set "smtpd_tls_mandatory_protocols =
       !SSLv2, !SSLv3". Listing the protocols to include, rather than
       protocols to exclude, is supported, but not recommended. The exclusion
       form more accurately matches the underlying OpenSSL interface.

       Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling this
       protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
       releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

       Example:

       # Preferred syntax with Postfix >= 3.6:
       smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
       # Legacy syntax:
       smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

       This feature is available in Postfix 2.3 and later.

smtpd_tls_protocols (default: see postconf -d output)

       TLS protocols accepted by the Postfix SMTP server with opportunistic
       TLS encryption. If the list is empty, the server supports all available
       TLS protocol versions. A non-empty value is a list of protocol names
       to include or exclude, separated by whitespace, commas or colons.

       The valid protocol names (see SSL_get_version(3)) are "SSLv2", "SSLv3",
       "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with Postfix
       3.6, the default value is ">=TLSv1", which sets TLS 1.0 as the lowest
       supported TLS protocol version (see below). Older releases use the "!"
       exclusion syntax, also described below.

       As of Postfix 3.6, the preferred way to limit the range of acceptable
       protocols is to set the lowest acceptable TLS protocol version and/or
       the highest acceptable TLS protocol version. To set the lower bound
       include an element of the form: ">=version" where version is either
       one of the TLS protocol names listed above, or a hexadecimal number
       corresponding to the desired TLS protocol version (0301 for TLS 1.0,
       0302 for TLS 1.1, etc.). For the upper bound, use "<=version". There
       must be no whitespace between the ">=" or "<=" symbols and the protocol
       name or number.

       Hexadecimal protocol numbers make it possible to specify protocol
       bounds for TLS versions that are known to OpenSSL, but might not be
       known to Postfix. They cannot be used with the legacy exclusion
       syntax. Leading "0" or "0x" prefixes are supported, but not required.
       Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
       "TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
       upper or lower bound, and a warning will be logged. Hexadecimal
       versions should only be used when Postfix is linked with some future
       version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
       yet support a symbolic name for that protocol version.

       Hexadecimal example (Postfix >= 3.6):

           # Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
           # in some future version of OpenSSL (presently a warning is logged).
           smtpd_tls_protocols = >=TLSv1, <=0305
           # Allow only TLS 1.0 and up:
           smtpd_tls_protocols = >=0x0301

       With Postfix < 3.6 there is no support for a minimum or maximum
       version, and the protocol range is configured via protocol exclusions.
       To require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2,
       !SSLv3". Listing the protocols to include, rather than protocols to
       exclude, is supported, but not recommended. The exclusion form more
       accurately matches the underlying OpenSSL interface.

       Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling this
       protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
       releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

       Example:

       # Preferred syntax with Postfix >= 3.6:
       smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
       # Legacy syntax:
       smtpd_tls_protocols = !SSLv2, !SSLv3

       This feature is available in Postfix 2.6 and later.
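
       The value syntax described for smtpd_tls_mandatory_protocols and
       smtpd_tls_protocols, as an added Python example that is not part of the
       Postfix documentation or source: a model that resolves a setting to the
       protocol versions it leaves enabled and lists those older than a chosen
       minimum. The function names, the assumption that the linked OpenSSL
       offers all six named protocols, and the way include and exclude
       elements combine are assumptions of this example.

```python
import re

# Protocol names from the text above, with their TLS wire version numbers.
KNOWN = {"SSLv2": 0x0002, "SSLv3": 0x0300, "TLSv1": 0x0301,
         "TLSv1.1": 0x0302, "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}
BY_NUMBER = {number: name for name, number in KNOWN.items()}


def _version(token):
    """Map a protocol name or hexadecimal number to a version, else None."""
    if token in KNOWN:
        return KNOWN[token]
    if re.fullmatch(r"(0[xX])?[0-9a-fA-F]+", token):
        return int(token, 16)         # "301", "0301", "0x301", "0x0301" agree
    return None


def resolve(value):
    """Return (enabled protocol names, warnings) for a protocols setting."""
    warnings, include, exclude = [], set(), set()
    floor = ceiling = None
    # Elements are separated by whitespace, commas or colons.
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue
        if token[:2] in (">=", "<="):
            number = _version(token[2:])
            if number is None:
                # Also hit by ">= TLSv1.2": the space splits off a bare ">=".
                warnings.append(f"{token!r}: missing or invalid version")
            elif number not in BY_NUMBER:
                # Assumption: versions outside KNOWN are unknown to OpenSSL.
                warnings.append(f"{token!r}: unknown version, bound not set")
            elif token[0] == ">":
                floor = number
            else:
                ceiling = number
        elif token.startswith("!"):
            if token[1:] in KNOWN:
                exclude.add(token[1:])
            else:                     # hexadecimal is not valid with "!"
                warnings.append(f"{token!r}: exclusion needs a protocol name")
        elif token in KNOWN:
            include.add(token)
        else:
            warnings.append(f"{token!r}: unknown protocol name")

    enabled = []
    for name, number in sorted(KNOWN.items(), key=lambda item: item[1]):
        if include and name not in include:
            continue                  # an include list drops everything else
        if name in exclude:
            continue
        if floor is not None and number < floor:
            continue
        if ceiling is not None and number > ceiling:
            continue
        enabled.append(name)
    return enabled, warnings


def below_floor(value, minimum="TLSv1.2"):
    """Protocols the setting leaves enabled that are older than `minimum`."""
    enabled, _ = resolve(value)
    return [name for name in enabled if KNOWN[name] < KNOWN[minimum]]


if __name__ == "__main__":
    # Constructed sample settings, taken from the examples in the text.
    for setting in (">=TLSv1", ">=TLSv1.2, <=0305", "!SSLv2, !SSLv3",
                    ">= TLSv1.2", ""):
        enabled, warnings = resolve(setting)
        print(f"{setting!r:24} enabled={enabled}")
        print(f"{'':24} older than TLSv1.2: {below_floor(setting)}")
        for warning in warnings:
            print(f"{'':24} warning: {warning}")
```

       In this model the default ">=TLSv1" and the legacy "!SSLv2, !SSLv3"
       both leave TLSv1 and TLSv1.1 enabled, which is what below_floor()
       reports.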

smtpd_tls_received_header (default: no)

       Request that the Postfix SMTP server produces Received: message
       headers that include information about the protocol and cipher used, as
       well as the remote SMTP client CommonName and client certificate issuer
       CommonName. This is disabled by default, as the information may be
       modified in transit through other mail servers. Only information that
       was recorded by the final destination can be trusted.

       This feature is available in Postfix 2.2 and later.

smtpd_tls_req_ccert (default: no)

       With mandatory TLS encryption, require a trusted remote SMTP client
       certificate in order to allow TLS connections to proceed. This option
       implies "smtpd_tls_ask_ccert = yes".

       When TLS encryption is optional, this setting is ignored with a warning
       written to the mail log.

       This feature is available in Postfix 2.2 and later.

smtpd_tls_security_level (default: empty)

       The SMTP TLS security level for the Postfix SMTP server; when a
       non-empty value is specified, this overrides the obsolete parameters
       smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
       "smtpd_tls_wrappermode = yes".

       Specify one of the following security levels:

       none   TLS will not be used.

       may    Opportunistic TLS: announce STARTTLS support to remote SMTP
              clients, but do not require that clients use TLS encryption.

       encrypt
              Mandatory TLS encryption: announce STARTTLS support to remote
              SMTP clients, and require that clients use TLS encryption.
              According to RFC 2487 this MUST NOT be applied in case of a
              publicly-referenced SMTP server. Instead, this option should be
              used only on dedicated servers.

       Note 1: the "fingerprint", "verify" and "secure" levels are not
       supported here. The Postfix SMTP server logs a warning and uses
       "encrypt" instead. To verify remote SMTP client certificates, see
       TLS_README for a discussion of the smtpd_tls_ask_ccert,
       smtpd_tls_req_ccert, and permit_tls_clientcerts features.

       Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
       implies "smtpd_tls_auth_only = yes".

       Note 3: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.3 and later.

smtpd_tls_session_cache_database (default: empty)

       Name of the file containing the optional Postfix SMTP server TLS
       session cache. Specify a database type that supports enumeration, such
       as btree or sdbm; there is no need to support concurrent access. The
       file is created if it does not exist. The smtpd(8) daemon does not use
       this parameter directly, rather the cache is implemented indirectly in
       the tlsmgr(8) daemon. This means that per-smtpd-instance master.cf
       overrides of this parameter are not effective. Note that each of the
       cache databases supported by tlsmgr(8) daemon:
       $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
       (and with Postfix 2.3 and later $lmtp_tls_session_cache_database),
       needs to be stored separately. It is not at this time possible to store
       multiple caches in a single database.

       Note: dbm databases are not suitable. TLS session objects are too
       large.

       As of version 2.5, Postfix no longer uses root privileges when opening
       this file. The file should now be stored under the Postfix-owned
       data_directory. As a migration aid, an attempt to open the file under a
       non-Postfix directory is redirected to the Postfix-owned
       data_directory, and a warning is logged.

       As of Postfix 2.11 the preferred mechanism for session resumption is
       RFC 5077 TLS session tickets, which don't require server-side storage.
       Consequently, for Postfix >= 2.11 this parameter should generally be
       left empty. TLS session tickets require an OpenSSL library (at least
       version 0.9.8h) that provides full support for this TLS extension. See
       also smtpd_tls_session_cache_timeout.

       Example:

       smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

       This feature is available in Postfix 2.2 and later.

smtpd_tls_session_cache_timeout (default: 3600s)

       The expiration time of Postfix SMTP server TLS session cache
       information. A cache cleanup is performed periodically every
       $smtpd_tls_session_cache_timeout seconds. As with
       $smtpd_tls_session_cache_database, this parameter is implemented in the
       tlsmgr(8) daemon and therefore per-smtpd-instance master.cf overrides
       are not possible.

       As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
       session caching is disabled, not just via the database, but also via
       RFC 5077 TLS session tickets, which don't require server-side storage.
       If set to a positive value less than 2 minutes, the minimum value of 2
       minutes is used instead. TLS session tickets require an OpenSSL
       library (at least version 0.9.8h) that provides full support for this
       TLS extension.

       Specify a non-negative time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.2 and later, and updated for TLS
       session ticket support in Postfix 2.11.

smtpd_tls_wrappermode (default: no)

       Run the Postfix SMTP server in TLS "wrapper" mode, instead of using the
       STARTTLS command.

       If you want to support this service, enable a special port in
       master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
       server's command line. Port 465 (submissions/smtps) is reserved for
       this purpose.

       This feature is available in Postfix 2.2 and later.

smtpd_upstream_proxy_protocol (default: empty)

       The name of the proxy protocol used by an optional before-smtpd proxy
       agent. When a proxy agent is used, this protocol conveys local and
       remote address and port information. Specify
       "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy
       protocol; version 2 is supported with Postfix 3.5 and later.

       NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
       with smtpd_authorized_xclient_hosts. This supports SASL authentication
       in the proxy agent (Postfix 2.9 and later).

       This feature is available in Postfix 2.10 and later.

smtpd_upstream_proxy_timeout (default: 5s)

       The time limit for the proxy protocol specified with the
       smtpd_upstream_proxy_protocol parameter.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.10 and later.

smtpd_use_tls (default: no)

       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption.

       Note: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtpd_tls_security_level instead.

smtputf8_autodetect_classes (default: sendmail, verify)

       Detect that a message requires SMTPUTF8 support for the specified mail
       origin classes. This is a workaround to avoid chicken-and-egg problems
       during the initial SMTPUTF8 roll-out in environments with pre-existing
       mail flows that contain UTF8. Those mail flows should not break because
       Postfix suddenly refuses to deliver such mail to down-stream MTAs that
       don't announce SMTPUTF8 support.

       The problem is that Postfix cannot rely solely on the sender's
       declaration that a message requires SMTPUTF8 support, because UTF8 may
       be introduced during local processing (for example, the client hostname
       in Postfix's Received: header, adding @$myorigin or .$mydomain to an
       incomplete address, address rewriting, alias expansion, automatic BCC
       recipients, local forwarding, and changes made by header checks or
       Milter applications).

       For now, the default is to enable "SMTPUTF8 required" autodetection
       only for Postfix sendmail command-line submissions and address
       verification probes. This may change once SMTPUTF8 support achieves
       world domination. However, sites that add UTF8 content via local
       processing (see above) should autodetect the need for SMTPUTF8 support
       for all email.

       Specify one or more of the following:

        sendmail
              Submission with the Postfix sendmail(1) command.

        smtpd Mail received with the smtpd(8) daemon.

        qmqpd Mail received with the qmqpd(8) daemon.

        forward
              Local forwarding or aliasing. When a message is received with
              "SMTPUTF8 required", then the forwarded (aliased) message always
              has "SMTPUTF8 required".

        bounce
              Submission by the bounce(8) daemon. When a message is received
              with "SMTPUTF8 required", then the delivery status notification
              always has "SMTPUTF8 required".

        notify
              Postmaster notification from the smtp(8) or smtpd(8) daemon.

        verify
              Address verification probe from the verify(8) daemon.

        all   Enable SMTPUTF8 autodetection for all mail.

       This feature is available in Postfix 3.0 and later.

smtputf8_enable (default: yes)

12207       Enable  preliminary SMTPUTF8 support for the protocols described in RFC
12208       6531, RFC 6532, and RFC 6533. This requires that Postfix  is  built  to
12209       support these protocols.
12210
12211       This feature is available in Postfix 3.0 and later.
12212

soft_bounce (default: no)

12214       Safety  net to keep mail queued that would otherwise be returned to the
12215       sender.  This parameter disables locally-generated bounces, changes the
12216       handling  of negative responses from remote servers, content filters or
12217       plugins, and prevents the Postfix SMTP server from rejecting mail  per‐
12218       manently by changing 5xx reply codes into 4xx.  However, soft_bounce is
12219       no cure for address rewriting mistakes or mail routing mistakes.
12220
12221       Note: "soft_bounce = yes" is in some  cases  implemented  by  modifying
12222       server  responses. Therefore, the response that Postfix logs may differ
12223       from the response that Postfix actually sends or receives.
12224
12225       Example:
12226
12227       soft_bounce = yes
12228

stale_lock_time (default: 500s)

12230       The time after which a stale exclusive  mailbox  lockfile  is  removed.
12231       This is used for delivery to file or mailbox.
12232
12233       Specify  a  non-zero  time  value  (an  integral value plus an optional
12234       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
12235       onds),  m  (minutes), h (hours), d (days), w (weeks).  The default time
12236       unit is s (seconds).
12237

stress (default: empty)

12239       This feature is documented in the STRESS_README document.
12240
12241       This feature is available in Postfix 2.5 and later.
12242

strict_7bit_headers (default: no)

12244       Reject mail with 8-bit text in message headers. This blocks  mail  from
12245       poorly written applications.
12246
12247       This  feature  should  not be enabled on a general purpose mail server,
12248       because it is likely to reject legitimate email.
12249
12250       This feature is available in Postfix 2.0 and later.
12251

strict_8bitmime (default: no)

12253       Enable both strict_7bit_headers and strict_8bitmime_body.
12254
12255       This feature should not be enabled on a general  purpose  mail  server,
12256       because it is likely to reject legitimate email.
12257
12258       This feature is available in Postfix 2.0 and later.
12259

strict_8bitmime_body (default: no)

12261       Reject  8-bit message body text without 8-bit MIME content encoding in‐
12262       formation.  This blocks mail from poorly written applications.
12263
12264       Unfortunately, this also rejects majordomo approval requests  when  the
12265       included request contains valid 8-bit MIME mail, and it rejects bounces
12266       from mailers that do not MIME encapsulate 8-bit content  (for  example,
12267       bounces from qmail or from old versions of Postfix).
12268
12269       This  feature  should  not be enabled on a general purpose mail server,
12270       because it is likely to reject legitimate email.
12271
12272       This feature is available in Postfix 2.0 and later.
12273

strict_mailbox_ownership (default: yes)

12275       Defer delivery when a mailbox file is not owned by its recipient.   The
12276       default setting is not backwards compatible.
12277
12278       This feature is available in Postfix 2.5.3 and later.
12279

strict_mime_encoding_domain (default: no)

12281       Reject mail with invalid Content-Transfer-Encoding: information for the
12282       message/* or multipart/* MIME content types.   This  blocks  mail  from
12283       poorly written software.
12284
12285       This  feature  should  not be enabled on a general purpose mail server,
12286       because it will reject mail after a single violation.
12287
12288       This feature is available in Postfix 2.0 and later.
12289

strict_rfc821_envelopes (default: no)

12291       Require that addresses received in SMTP MAIL FROM and RCPT TO  commands
12292       are  enclosed  with <>, and that those addresses do not contain RFC 822
12293       style comments or phrases.  This stops mail from poorly  written  soft‐
12294       ware.
12295
12296       By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
12297       and RCPT TO addresses.
12298

strict_smtputf8 (default: no)

12300       Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix  SMTP
12301       server  accepts UTF8 sender or recipient addresses only when the client
12302       requests an SMTPUTF8 mail transaction.
12303
12304       This feature is available in Postfix 3.0 and later.
12305

sun_mailtool_compatibility (default: no)

12307       Obsolete SUN mailtool compatibility feature. Instead, use  "mailbox_de‐
12308       livery_lock = dotlock".
12309

swap_bangpath (default: yes)

12311       Enable  the  rewriting of "site!user" into "user@site".  This is neces‐
12312       sary if your machine is connected to UUCP networks.  It is  enabled  by
12313       default.
12314
12315       Note:  with  Postfix version 2.2, message header address rewriting hap‐
12316       pens only when one of the following conditions is true:
12317
12318       •      The message is received with the Postfix sendmail(1) command,
12319
12320       •      The message is received from a network client that matches  $lo‐
12321              cal_header_rewrite_clients,
12322
12323       •      The   message   is  received  from  the  network,  and  the  re‐
12324              mote_header_rewrite_domain  parameter  specifies   a   non-empty
12325              value.
12326
12327       To   get   the  behavior  before  Postfix  version  2.2,  specify  "lo‐
12328       cal_header_rewrite_clients = static:all".
12329
12330       Example:
12331
12332       swap_bangpath = no
12333

syslog_facility (default: mail)

12335       The syslog facility of Postfix logging. Specify a facility  as  defined
12336       in syslog.conf(5). The default facility is "mail".
12337
12338       Warning:  a non-default syslog_facility setting takes effect only after
12339       a Postfix process has completed initialization.  Errors during  process
12340       initialization  will be logged with the default facility.  Examples are
12341       errors while parsing the command line arguments, and errors  while  ac‐
12342       cessing the Postfix main.cf configuration file.
12343

syslog_name (default: see postconf -d output)

12345       A  prefix  that  is prepended to the process name in syslog records, so
12346       that, for example, "smtpd" becomes "prefix/smtpd".
12347
12348       Warning: a non-default syslog_name setting takes effect  only  after  a
12349       Postfix  process  has  completed  initialization. Errors during process
12350       initialization will be logged with the default name. Examples  are  er‐
12351       rors while parsing the command line arguments, and errors while access‐
12352       ing the Postfix main.cf configuration file.
12353

tcp_windowsize (default: 0)

12355       An optional workaround for  routers  that  break  TCP  window  scaling.
12356       Specify  a  value > 0 and < 65536 to enable this feature.  With Postfix
12357       TCP servers (smtpd(8), qmqpd(8)), this feature is  implemented  by  the
12358       Postfix master(8) daemon.
12359
12360       To  change  this  parameter without stopping Postfix, you need to first
12361       terminate all Postfix TCP servers:
12362
12363           # postconf -e master_service_disable=inet
12364           # postfix reload
12365
12366       This immediately terminates all processes that accept  network  connec‐
12367       tions.   Next, you enable Postfix TCP servers with the updated tcp_win‐
12368       dowsize setting:
12369
12370           # postconf -e tcp_windowsize=65535 master_service_disable=
12371           # postfix reload
12372
12373       If you skip these  steps  with  a  running  Postfix  system,  then  the
12374       tcp_windowsize  change will work only for Postfix TCP clients (smtp(8),
12375       lmtp(8)).
12376
12377       This feature is available in Postfix 2.6 and later.
12378

tls_append_default_CA (default: no)

12380       Append the system-supplied default Certification Authority certificates
12381       to  the  ones specified with *_tls_CApath or *_tls_CAfile.  The default
12382       is "no"; this prevents Postfix from trusting  third-party  certificates
12383       and giving them relay permission with permit_tls_all_clientcerts.
12384
12385       This  feature  is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
12386       later versions. Specify "tls_append_default_CA  =  yes"  for  backwards
12387       compatibility,  to  avoid  breaking certificate verification with sites
12388       that don't use permit_tls_all_clientcerts.
12389

tls_config_file (default: default)

12391       Optional configuration file with baseline  OpenSSL  settings.   OpenSSL
12392       loads any SSL settings found in the configuration file for the selected
12393       application name (see tls_config_name) or else the built-in application
12394       name "openssl_conf" when no application name is specified, or no corre‐
12395       sponding configuration section is present.
12396
12397       With OpenSSL releases 1.1.1 and 1.1.1a, applications  (including  Post‐
12398       fix)  can  neither specify an alternative configuration file, nor avoid
12399       loading the default configuration file.
12400
12401       With OpenSSL 1.1.1b or later, this parameter may be set to one of:
12402
12403       default (default)
12404              Load the system-wide "openssl.cnf" configuration file.
12405
12406       none (recommended, OpenSSL 1.1.1b or later only)
12407              This setting disables loading of  the system-wide  "openssl.cnf"
12408              file.
12409
12410       /absolute-path (OpenSSL 1.1.1b or later only)
12411              Load  the  configuration file specified by /absolute-path.  With
12412              this setting it is an error for the file to not contain any set‐
12413              tings for the selected tls_config_name.  There is no fallback to
12414              the default "openssl_conf" name.
12415
12416       Failures in processing of the built-in default configuration file are
12417       silently  ignored.   Any  errors in loading a non-default configuration
12418       file are detected by Postfix, and cause TLS support to be disabled.
12419
12420       The OpenSSL configuration file format is not  documented  here,  beyond
12421       giving two examples.
12422
12423       Example: Default settings for all applications.
12424
12425           # The name 'openssl_conf' is the default application name
12426           # The section name to the right of the '=' sign is arbitrary,
12427           # any name will do, so long as it refers to the desired section.
12428           #
12429           # The name 'system_default' selects the settings applied internally
12430           # by the SSL library as part of SSL object creation.  Applications
12431           # can then apply any additional settings of their choice.
12432           #
12433           # In this example, TLS versions prior to 1.2 are disabled by default.
12434           #
12435           openssl_conf = system_wide_settings
12436           [system_wide_settings]
12437           ssl_conf = ssl_library_settings
12438           [ssl_library_settings]
12439           system_default = initial_ssl_settings
12440           [initial_ssl_settings]
12441           MinProtocol = TLSv1.2
12442
12443       Example: Custom settings for an application named "postfix".
12444
12445           # The mapping from an application name to the corresponding configuration
12446           # section must appear near the top of the file, (in what is sometimes called
12447           # the "default section") prior to the start of any explicitly named
12448           # "[sections]".  The named sections can appear in any order and don't nest.
12449           #
12450           postfix = postfix_settings
12451           [postfix_settings]
12452           ssl_conf = postfix_ssl_settings
12453           [postfix_ssl_settings]
12454           system_default = baseline_postfix_settings
12455           [baseline_postfix_settings]
12456           MinProtocol = TLSv1
12457
12458       This  feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, 3.6.10, and
12459       3.5.20.
12460

tls_config_name (default: empty)

12462       The application name passed by Postfix to OpenSSL  library  initializa‐
12463       tion  functions.  This name is used to select the desired configuration
12464       "section" in the OpenSSL configuration file specified via the  tls_con‐
12465       fig_file  parameter.   When  empty,  or  when  the selected name is not
12466       present  in  the  configuration  file,  the  default  application  name
12467       ("openssl_conf") is used as a fallback.
12468
12469       This  feature is available in Postfix >= 3.9, 3.8.1, 3.7.6, 3.6.10, and
12470       3.5.20.
12471
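The lookup chain and fallback rules that tls_config_file and tls_config_name describe, as an added sketch that is not Postfix or OpenSSL code. The function names, the `absolute_path` flag and the combined sample file are assumptions made for illustration, and the parser handles only the syntax used in the two examples above.

```python
"""Which OpenSSL settings section does a given tls_config_name select?"""


class ConfigError(Exception):
    """Raised where the page says TLS support would be disabled."""


def parse_cnf(text):
    """Parse the subset of openssl.cnf syntax used in the page's examples.

    Simplification: no $variable expansion, .include directives or quoting.
    """
    sections = {"": {}}          # "" is the unnamed default section
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def ssl_defaults(sections, app_name):
    """Follow app_name -> ssl_conf -> system_default.

    Returns None when app_name is not mapped in the default section.
    """
    module = sections[""].get(app_name)
    if module is None or module not in sections:
        return None
    ssl_section = sections[module].get("ssl_conf")
    if not ssl_section:
        return {}
    settings = sections.get(ssl_section, {}).get("system_default")
    return dict(sections.get(settings, {})) if settings else {}


def effective_settings(cnf_text, tls_config_name="", absolute_path=False):
    """Return (application name actually used, its baseline SSL settings).

    absolute_path=True models "tls_config_file = /absolute-path", where a
    missing section for tls_config_name is an error instead of a fallback.
    """
    sections = parse_cnf(cnf_text)
    if tls_config_name:
        found = ssl_defaults(sections, tls_config_name)
        if found is not None:
            return tls_config_name, found
        if absolute_path:
            raise ConfigError(f"no settings for application {tls_config_name!r}")
    return "openssl_conf", ssl_defaults(sections, "openssl_conf") or {}


# Constructed sample: the page's two examples merged into one file.
SAMPLE = """\
openssl_conf = system_wide_settings
postfix = postfix_settings

[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2

[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
"""

# Same file with the application mapping moved below a [section] header,
# so it is no longer part of the default section.
MISPLACED = SAMPLE.replace("postfix = postfix_settings\n", "", 1) \
    + "postfix = postfix_settings\n"

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("misplaced", MISPLACED)):
        print(label, effective_settings(text, "postfix"))
```

With the misplaced mapping, the "postfix" name silently resolves to the "openssl_conf" settings when the default file is in use, which is why it is worth checking the protocol floor that actually applies after editing the file.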

tls_daemon_random_bytes (default: 32)

12473       The number of pseudo-random bytes that an smtp(8) or  smtpd(8)  process
12474       requests from the tlsmgr(8) server in order to seed its internal pseudo
12475       random number generator (PRNG).  The default of 32 bytes (equivalent to
12476       256 bits) is sufficient to generate a 128bit (or 168bit) session key.
12477
12478       This feature is available in Postfix 2.2 and later.
12479

tls_dane_digest_agility (default: on)

12481       Configure  RFC7671  DANE  TLSA digest algorithm agility.  Do not change
12482       this setting from its default value.
12483
12484       See Section 8 of RFC7671 for correct key rotation procedures.
12485
12486       This feature is available in Postfix 2.11 through 3.1.  Postfix 3.2 and
12487       later  ignore this configuration parameter and behave as though it were
12488       set to "on".
12489

tls_dane_digests (default: sha512 sha256)

12491       DANE TLSA (RFC 6698, RFC  7671,  RFC  7672)  resource-record  "matching
12492       type" digest algorithms in descending preference order.  All the speci‐
12493       fied algorithms must be supported by the  underlying  OpenSSL  library,
12494       otherwise the Postfix SMTP client will not support DANE TLSA security.
12495
12496       Specify  a  list of digest names separated by commas and/or whitespace.
12497       Each digest name may be followed by  an  optional  "=<number>"  suffix.
12498       For  example,  "sha512"  may  instead  be  specified  as "sha512=2" and
12499       "sha256" may instead be specified as "sha256=1".  The  optional  number
12500       must match the IANA assigned TLSA matching type number
12501       (https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types)
12502       of the algorithm in question.  Postfix will check this constraint
12503       for the algorithms it knows about.   Additional  matching  type
12504       algorithms registered with IANA can be added with explicit numbers pro‐
12505       vided they are supported by OpenSSL.
12506
12507       Invalid list elements are logged with a warning and disable  DANE  sup‐
12508       port.   TLSA  RRs that specify digests not included in the list are ig‐
12509       nored with a warning.
12510
12511       Note: It is unwise to omit sha256 from the digest  list.   This  digest
12512       algorithm  is  the  only mandatory-to-implement digest algorithm in RFC
12513       6698, and many servers are expected to publish TLSA records  with  just
12514       sha256  digests.   Unless one of the standard digests is seriously com‐
12515       promised and servers have had ample time to update their  TLSA  records
12516       you  should  not  omit any standard digests, just arrange them in order
12517       from strongest to weakest.
12518
12519       This feature is available in Postfix 2.11 and later.
12520
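A checker for the tls_dane_digests rules above, added here as an illustration and not taken from Postfix. The function names and the TLSA records are constructed; Python's hashlib stands in for the OpenSSL library that Postfix links against; and the handling of matching type 0 and of per-(usage, selector) preference is a simplified model of RFC 7671 digest agility.

```python
import hashlib
import re

# IANA TLSA matching type numbers for the two digests this page names.
KNOWN_MTYPES = {"sha256": 1, "sha512": 2}


def parse_dane_digests(value, available=None):
    """Parse a tls_dane_digests value.

    Returns (digests, warnings). digests is a list of (name, mtype) in
    preference order, or None when an invalid element disables DANE.
    """
    if available is None:
        # Assumption: hashlib approximates the digests OpenSSL provides.
        available = {n.lower() for n in hashlib.algorithms_available}
    digests, warnings, seen = [], [], set()
    for item in filter(None, re.split(r"[,\s]+", value)):
        name, sep, number = item.partition("=")
        name = name.lower()
        known = KNOWN_MTYPES.get(name)
        if sep:
            ok = number.isascii() and number.isdigit() and 1 <= int(number) <= 255
            if not ok:
                warnings.append(f"{item}: bad matching type number")
                return None, warnings
            mtype = int(number)
            if known is not None and mtype != known:
                warnings.append(f"{item}: IANA assigns {known} to {name}")
                return None, warnings
        elif known is None:
            warnings.append(f"{item}: unknown digest needs an explicit =<number>")
            return None, warnings
        else:
            mtype = known
        if name not in available:
            warnings.append(f"{item}: digest not supported by the crypto library")
            return None, warnings
        if mtype in seen:
            warnings.append(f"{item}: duplicate matching type, ignored")
            continue
        seen.add(mtype)
        digests.append((name, mtype))
    if KNOWN_MTYPES["sha256"] not in seen:
        warnings.append("sha256 (mandatory to implement in RFC 6698) is not listed")
    return digests, warnings


def select_tlsa(records, digests):
    """Apply the digest list to TLSA RRs given as (usage, selector, mtype, data).

    Matching type 0 carries the full certificate or key, not a digest, so it
    is kept. For digests, only the most preferred matching type published
    for each (usage, selector) pair is used; unlisted types are ignored.
    Returns (kept, ignored).
    """
    rank = {mtype: i for i, (_, mtype) in enumerate(digests)}
    best, ignored = {}, []
    for record in records:
        usage, selector, mtype, _ = record
        if mtype == 0:
            continue
        if mtype not in rank:
            ignored.append(record)
            continue
        key = (usage, selector)
        best[key] = min(best.get(key, mtype), mtype, key=rank.__getitem__)
    kept = [r for r in records if r[2] == 0 or best.get((r[0], r[1])) == r[2]]
    return kept, ignored


# Constructed TLSA RRset: (usage, selector, matching type, hex data).
SAMPLE_RRS = [
    (3, 1, 1, "aa" * 32),   # DANE-EE, SPKI, sha256
    (3, 1, 2, "bb" * 64),   # DANE-EE, SPKI, sha512
    (2, 0, 1, "cc" * 32),   # DANE-TA, full cert, sha256
    (3, 1, 9, "dd" * 16),   # matching type not in the configured list
]

if __name__ == "__main__":
    digests, warnings = parse_dane_digests("sha512 sha256")
    print(digests, warnings)
    print(select_tlsa(SAMPLE_RRS, digests))
```

Dropping sha256 from the list in this model leaves the DANE-TA record above unusable, which is the interoperability loss the note about omitting sha256 warns of.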

tls_dane_trust_anchor_digest_enable (default: yes)

12522       Enable support for RFC 6698 (DANE TLSA) DNS records  that  contain  di‐
12523       gests  of trust-anchors with certificate usage "2".  Do not change this
12524       setting from its default value.
12525
12526       This feature is available in Postfix 2.11 through  3.1.   It  has  been
12527       withdrawn  in  Postfix 3.2, as trust-anchor TLSA records are now widely
12528       used and have proved sufficiently reliable.  Postfix 3.2 and later
12529       ignore this configuration parameter and behave as though it were set to
12530       "yes".
12531

tls_disable_workarounds (default: see postconf -d output)

12533       List or bit-mask of OpenSSL bug work-arounds to disable.
12534
12535       The OpenSSL toolkit includes a set of work-arounds  for  buggy  SSL/TLS
12536       implementations.  Applications,  such as Postfix, that want to maximize
12537       interoperability ask the OpenSSL library to enable the full set of rec‐
12538       ommended work-arounds.
12539
12540       From  time to time, it is discovered that a work-around creates a secu‐
12541       rity issue, and should no longer be used. If  upgrading  OpenSSL  to  a
12542       fixed  version  is  not  an  option or an upgrade is not available in a
12543       timely manner, or in closed environments  where  no  buggy  clients  or
12544       servers  exist,  it  may  be  appropriate to disable some or all of the
12545       OpenSSL interoperability work-arounds. This parameter  specifies  which
12546       bug work-arounds to disable.
12547
12548       If  the  value  of the parameter is a hexadecimal long integer starting
12549       with "0x", the bug work-arounds corresponding to the bits specified  in
12550       its  value  are  removed  from the SSL_OP_ALL work-around bit-mask (see
12551       openssl/ssl.h and SSL_CTX_set_options(3)). You can  specify  more  bits
12552       than  are  present  in  SSL_OP_ALL; excess bits are ignored. Specifying
12553       0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
12554       also  be  sufficient  on 64-bit systems, until OpenSSL abandons support
12555       for 32-bit systems and starts using  the  high  32  bits  of  a  64-bit
12556       bug-workaround mask.
12557
12558       Otherwise,  the  parameter  is a white-space or comma separated list of
12559       specific named bug work-arounds chosen from the list below. It is
12560       possible that your OpenSSL version includes new bug work-arounds added
12561       after your Postfix source code was last updated; in that case you can
12562       only disable one of these via the hexadecimal syntax above.
12563
12564       CRYPTOPRO_TLSEXT_BUG
12565              New with GOST support in OpenSSL 1.0.0.
12566
12567       DONT_INSERT_EMPTY_FRAGMENTS
12568              See SSL_CTX_set_options(3)
12569
12570       LEGACY_SERVER_CONNECT
12571              See SSL_CTX_set_options(3)
12572
12573       MICROSOFT_BIG_SSLV3_BUFFER
12574              See SSL_CTX_set_options(3)
12575
12576       MICROSOFT_SESS_ID_BUG
12577              See SSL_CTX_set_options(3)
12578
12579       MSIE_SSLV2_RSA_PADDING
12580              also   aliased  as  CVE-2005-2969.  Postfix  2.8  disables  this
12581              work-around by default with OpenSSL versions  that  may  predate
12582              the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
12583
12584       NETSCAPE_CHALLENGE_BUG
12585              See SSL_CTX_set_options(3)
12586
12587       NETSCAPE_REUSE_CIPHER_CHANGE_BUG
12588              also   aliased  as  CVE-2010-4180.  Postfix  2.8  disables  this
12589              work-around by default with OpenSSL versions  that  may  predate
12590              the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
12591
12592       SSLEAY_080_CLIENT_DH_BUG
12593              See SSL_CTX_set_options(3)
12594
12595       SSLREF2_REUSE_CERT_TYPE_BUG
12596              See SSL_CTX_set_options(3)
12597
12598       TLS_BLOCK_PADDING_BUG
12599              See SSL_CTX_set_options(3)
12600
12601       TLS_D5_BUG
12602              See SSL_CTX_set_options(3)
12603
12604       TLS_ROLLBACK_BUG
12605              See  SSL_CTX_set_options(3).   This is disabled in OpenSSL 0.9.7
12606              and later. Nobody should still be using 0.9.6!
12607
12608       TLSEXT_PADDING
12609              Postfix >= 3.4. See SSL_CTX_set_options(3).
12610
12611       This feature is available in Postfix 2.8 and later.
12612

tls_eecdh_auto_curves (default: see postconf -d output)

12614       The prioritized list of elliptic curves supported by the  Postfix  SMTP
12615       client  and  server.   These curves are used by the Postfix SMTP server
12616       when "smtpd_tls_eecdh_grade = auto".  The selected curves must  be  im‐
12617       plemented by OpenSSL and be standardized for use in TLS (RFC 8422).  It
12618       is unwise to list only "bleeding-edge" curves supported by a small sub‐
12619       set of clients.  The default list is suitable for most users.
12620
12621       Postfix  skips  curve  names  that  are unknown to OpenSSL, or that are
12622       known but not yet implemented.  This makes it possible to  "anticipate"
12623       support  for curves that should be used once they become available.  In
12624       particular, in some OpenSSL versions, the new RFC 8031 curves  "X25519"
12625       and  "X448"  may  be known by name, but ECDH support for either or both
12626       may be missing.  These curves may appear in the default value  of  this
12627       parameter,  even  though  they'll only be usable with later versions of
12628       OpenSSL.
12629
12630       See also the "tls_ffdhe_auto_groups"  parameter,  which  supports  cus‐
12631       tomizing  the  list of FFDHE groups enabled with TLS 1.3.  That setting
12632       is introduced with Postfix 3.8,  when  built  against  OpenSSL  3.0  or
12633       later.
12634
12635       This feature is available in Postfix 3.2 and later, when it is compiled
12636       and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
12637       have not been disabled by the vendor.
12638

tls_eecdh_strong_curve (default: prime256v1)

12640       The  elliptic curve used by the Postfix SMTP server for sensibly strong
12641       ephemeral ECDH key exchange. This curve is used  by  the  Postfix  SMTP
12642       server  when  "smtpd_tls_eecdh_grade  =  strong".  The phrase "sensibly
12643       strong" means approximately 128-bit security based on  best  known  at‐
12644       tacks.  The  selected curve must be implemented by OpenSSL (as reported
12645       by ecparam(1) with the "-list_curves" option) and be one of the  curves
12646       listed  in  Section  5.1.1 of RFC 8422. You should not generally change
12647       this setting.  Remote SMTP client  implementations  must  support  this
12648       curve  for  EECDH  key  exchange to take place.  It is unwise to choose
12649       only "bleeding-edge"  curves  supported  by  only  a  small  subset  of
12650       clients.
12651
12652       The  default  "strong"  curve  is  rated in NSA Suite B for information
12653       classified up to SECRET.
12654
12655       Note: elliptic curve names are poorly standardized; different standards
12656       groups  are  assigning  different  names to the same underlying curves.
12657       The curve with the X9.62 name "prime256v1" is also known under the SECG
12658       name "secp256r1", but OpenSSL does not recognize the latter name.
12659
12660       If you want to take maximal advantage of ciphers that offer forward se‐
12661       crecy see the Getting started section of  FORWARD_SECRECY_README.   The
12662       full document conveniently presents all information about Postfix "per‐
12663       fect" forward secrecy support in one place: what  forward  secrecy  is,
12664       how to tweak settings, and what you can expect to see when Postfix uses
12665       ciphers with forward secrecy.
12666
12667       This feature is available in Postfix 2.6 and later, when it is compiled
12668       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
12669       have not been disabled by the vendor.
12670

tls_eecdh_ultra_curve (default: secp384r1)

12672       The elliptic curve used by the Postfix SMTP server for maximally strong
12673       ephemeral  ECDH  key  exchange.  This curve is used by the Postfix SMTP
12674       server when "smtpd_tls_eecdh_grade  =  ultra".  The  phrase  "maximally
12675       strong"  means  approximately  192-bit security based on best known at‐
12676       tacks.  This additional strength comes at a  significant  computational
12677       cost;  most  users should instead set "smtpd_tls_eecdh_grade = strong".
12678       The selected curve must be implemented by OpenSSL (as reported  by  ec‐
12679       param(1)  with  the  "-list_curves"  option)  and  be one of the curves
12680       listed in Section 5.1.1 of RFC 8422. You should  not  generally  change
12681       this  setting.   Remote  SMTP  client implementations must support this
12682       curve for EECDH key exchange to take place.  It  is  unwise  to  choose
12683       only  "bleeding-edge"  curves  supported  by  only  a  small  subset of
12684       clients.
12685
12686       This default "ultra" curve is rated in  NSA  Suite  B  for  information
12687       classified up to TOP SECRET.
12688
12689       If you want to take maximal advantage of ciphers that offer forward se‐
12690       crecy see the Getting started section of  FORWARD_SECRECY_README.   The
12691       full document conveniently presents all information about Postfix "per‐
12692       fect" forward secrecy support in one place: what  forward  secrecy  is,
12693       how to tweak settings, and what you can expect to see when Postfix uses
12694       ciphers with forward secrecy.
12695
12696       This feature is available in Postfix 2.6 and later, when it is compiled
12697       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
12698       have not been disabled by the vendor.
12699

tls_export_cipherlist (default: see postconf -d output)

12701       The OpenSSL cipherlist for "export" or higher grade  ciphers.   Ignored
12702       as  of Postfix 3.8.  In earlier Postfix releases this defined the mean‐
12703       ing of the  "export"  setting  in  smtpd_tls_ciphers,  smtpd_tls_manda‐
12704       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
12705       lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers.  You are strongly en‐
12706       couraged not to change this setting.
12707
12708       This feature is available in Postfix 2.3 and later.
12709

tls_fast_shutdown_enable (default: yes)

12711       A  workaround for implementations that hang Postfix while shutting down
12712       a TLS session, until Postfix times out. With this enabled, Postfix will
12713       not  wait for the remote TLS peer to respond to a TLS 'close' notifica‐
12714       tion. This behavior is recommended for TLSv1.0 and later.
12715

tls_ffdhe_auto_groups (default: see postconf -d output)

12717       The prioritized list of finite-field Diffie-Hellman  ephemeral  (FFDHE)
12718       key  exchange  groups  supported by the Postfix SMTP client and server.
12719       OpenSSL 3.0 adds support for  FFDHE  key  agreement  in  TLS  1.3.   In
12720       OpenSSL 1.1.1, TLS 1.3 was only supported with elliptic-curve based key
12721       agreement.  The "tls_ffdhe_auto_groups" parameter makes it possible  to
12722       configure  the  list  of FFDHE groups that the Postfix client or server
12723       will enable in OpenSSL 3.0 and up.  This parameter has no  effect  when
12724       Postfix is built against earlier OpenSSL versions.
12725
12726       The  default  list  of FFDHE groups that Postfix enables in OpenSSL 3.0
12727       and up includes just the 2048  and  3072-bit  groups.   Stronger  FFDHE
12728       groups  perform  poorly  and EC groups are a much better choice for the
12729       same security level.  Postfix ignores group names that are  unknown  to
12730       OpenSSL,  or  that are known but not yet implemented.  The FFDHE groups
12731       are largely a backup, in case some peer does not  support  EC  key  ex‐
12732       change,  or EC key exchange needs to be disabled for some pressing rea‐
12733       son.
12734
12735       Setting this  parameter  empty  disables  FFDHE  support  in  TLS  1.3.
12736       Whether  FFDHE  key agreement is enabled in TLS 1.2 and earlier depends
12737       on whether any of the "kDHE" ciphers are included in the cipherlist.
12738
12739       Conversely, setting "tls_eecdh_auto_curves" empty disables TLS  1.3  EC
12740       key  agreement  in  OpenSSL  3.0  and later.  Note that at least one of
12741       "tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be  non-empty;
12742       this  is required by OpenSSL 3.0.  If both are inadvertently set empty,
12743       Postfix will fall back to the compiled-in defaults.
12744
12745       All the default groups and EC curves should be sufficiently strong to make
12746       "pruning"  the  defaults  unwise.   At  a minimum, "X25519" and "P-256"
12747       (a.k.a. "prime256v1") should be among  the  enabled  EC  curves,  while
12748       "dhe2048" and "dhe3072" should be among the FFDHE groups.
12749
12750       This feature is available in Postfix 3.8 and later, when it is compiled
12751       and linked with OpenSSL 3.0 or later.
12752

tls_high_cipherlist (default: see postconf -d output)

12754       The OpenSSL cipherlist for "high" grade ciphers. This defines the mean‐
12755       ing of the "high" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ci‐
12756       phers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,  lmtp_tls_ciphers,
12757       and  lmtp_tls_mandatory_ciphers.  You  are  strongly  encouraged not to
12758       change this setting.
12759
12760       This feature is available in Postfix 2.3 and later.
12761

tls_legacy_public_key_fingerprints (default: no)

12763       A temporary migration aid for sites  that  use  certificate  public-key
12764       fingerprints  with  Postfix  2.9.0..2.9.5, which use an incorrect algo‐
12765       rithm. This parameter has no effect on the certificate fingerprint sup‐
12766       port that is available since Postfix 2.2.
12767
12768       Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
12769       a  migration  from   configuration   files   with   incorrect   Postfix
12770       2.9.0..2.9.5 certificate public-key fingerprints, to the correct
12771       fingerprints used by Postfix 2.9.6 and later.  To compute the correct
12772       certificate public-key fingerprints, see TLS_README.
12773
12774       This feature is available in Postfix 2.9.6 and later.
12775

tls_low_cipherlist (default: see postconf -d output)

       The  OpenSSL  cipherlist for "low" or higher grade ciphers.  Ignored as
       of Postfix 3.8.  In earlier Postfix releases this defined  the  meaning
       of the "low" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers,
       smtp_tls_ciphers,  smtp_tls_mandatory_ciphers,  lmtp_tls_ciphers,   and
       lmtp_tls_mandatory_ciphers.  You  are strongly encouraged not to change
       this setting.

       This feature is available in Postfix 2.3 and later.

tls_medium_cipherlist (default: see postconf -d output)

       The OpenSSL cipherlist for "medium" or higher grade ciphers.  This  de‐
       fines  the  meaning  of  the  "medium"  setting  in  smtpd_tls_ciphers,
       smtpd_tls_mandatory_ciphers,  smtp_tls_ciphers,  smtp_tls_mandatory_ci‐
       phers,  lmtp_tls_ciphers,  and lmtp_tls_mandatory_ciphers.  This is the
       default cipherlist for mandatory TLS encryption in the TLS client (with
       anonymous  ciphers  disabled when verifying server certificates).  This
       is the default cipherlist for opportunistic TLS with  Postfix  releases
       after  the  middle  of 2015.  You are strongly encouraged not to change
       this setting.

       This feature is available in Postfix 2.3 and later.

tls_null_cipherlist (default: eNULL:!aNULL)

       The OpenSSL cipherlist for "NULL" grade ciphers that provide  authenti‐
       cation  without encryption. This defines the meaning of the "null" set‐
       ting  in  smtpd_tls_mandatory_ciphers,  smtp_tls_mandatory_ciphers  and
       lmtp_tls_mandatory_ciphers.   You are strongly encouraged not to change
       this setting.

       This feature is available in Postfix 2.3 and later.

tls_preempt_cipherlist (default: no)

       With SSLv3 and later, use the Postfix SMTP server's  cipher  preference
       order instead of the remote client's cipher preference order.

       By  default, the OpenSSL server selects the client's most preferred ci‐
       pher that the server supports. With SSLv3 and  later,  the  server  may
       choose its own most preferred cipher that is supported (offered) by the
       client. Setting "tls_preempt_cipherlist = yes"  enables  server  cipher
       preferences.

       While  server  cipher selection may in some cases lead to a more secure
       or performant cipher choice, there is some risk of interoperability is‐
       sues.  In the past, some SSL clients have listed lower priority ciphers
       that they did not implement correctly. If the server chooses  a  cipher
       that  the  client prefers less, it may select a cipher whose client im‐
       plementation is flawed. Most notably Windows  2003  Microsoft  Exchange
       servers have flawed implementations of DES-CBC3-SHA, which OpenSSL con‐
       siders stronger than RC4-SHA.  Enabling server  cipher-suite  selection
       may create interoperability issues with Windows 2003 Microsoft Exchange
       clients.

       This feature is available in Postfix 2.8 and later, in combination with
       OpenSSL 0.9.7 and later.

tls_random_bytes (default: 32)

       The  number  of bytes that tlsmgr(8) reads from $tls_random_source when
       (re)seeding the in-memory pseudo random number generator  (PRNG)  pool.
       The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
       keys.  If using EGD or a device file, a maximum of 255 bytes is read.

       This feature is available in Postfix 2.2 and later.

tls_random_exchange_name (default: see postconf -d output)

       Name of the pseudo random number generator (PRNG) state  file  that  is
       maintained  by  tlsmgr(8).  The file is created when it does not exist,
       and its length is fixed at 1024 bytes.

       As of version 2.5, Postfix no longer uses root privileges when  opening
       this  file, and the default file location was changed from ${config_di‐
       rectory}/prng_exch to ${data_directory}/prng_exch.  As a migration aid,
       an attempt to open the file under a non-Postfix directory is redirected
       to the Postfix-owned data_directory, and a warning is logged.

       This feature is available in Postfix 2.2 and later.

tls_random_prng_update_period (default: 3600s)

       The time between attempts by tlsmgr(8) to save the state of the  pseudo
       random  number  generator  (PRNG)  to the file specified with $tls_ran‐
       dom_exchange_name.

       Specify a non-zero time value  (an  integral  value  plus  an  optional
       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
       unit is s (seconds).

       This feature is available in Postfix 2.2 and later.

tls_random_reseed_period (default: 3600s)

       The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
       pseudo random number generator (PRNG) pool from external sources.   The
       actual  time  between re-seeding attempts is calculated using the PRNG,
       and is between 0 and the time specified.

       Specify a non-zero time value  (an  integral  value  plus  an  optional
       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
       onds), m (minutes), h (hours), d (days), w (weeks).  The  default  time
       unit is s (seconds).

       This feature is available in Postfix 2.2 and later.

tls_random_source (default: see postconf -d output)

       The  external  entropy source for the in-memory tlsmgr(8) pseudo random
       number generator (PRNG) pool. Be sure to specify a non-blocking source.
       If  this  source is not a regular file, the entropy source type must be
       prepended:  egd:/path/to/egd_socket for a source  with  EGD  compatible
       socket interface, or dev:/path/to/device for a device file.

       Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
       gives timeout errors.

       This feature is available in Postfix 2.2 and later.

tls_server_sni_maps (default: empty)

       Optional lookup tables that map names received from remote SMTP clients
       via  the  TLS Server Name Indication (SNI) extension to the appropriate
       keys and certificate chains.  This  parameter  is  implemented  in  the
       Postfix  TLS  library, and applies to both smtpd(8) and the SMTP server
       mode of tlsproxy(8).

       When this parameter is non-empty, the Postfix SMTP server  enables  SNI
       extension  processing,  and  logs  SNI values that are invalid or don't
       match an entry in the specified tables.  When an entry does match,  the
       SNI  name  is  logged as part of the connection summary at log levels 1
       and higher.

       The lookup key is either the verbatim SNI domain name  or  an  ancestor
       domain prefixed with a leading dot.  For internationalized domains, the
       lookup key must be in IDNA 2008 A-label form (as required  in  the  TLS
       SNI extension).

       The   syntax   of   the   lookup   value   is  the  same  as  with  the
       smtp_tls_chain_files parameter (see there for additional details),  but
       here  scoped to just TLS connections in which the client sends a match‐
       ing SNI domain name.

       Example:

           /etc/postfix/main.cf:
               #
               # The indexed SNI table must be created with "postmap -F"
               #
               indexed = ${default_database_type}:${config_directory}/
               tls_server_sni_maps = ${indexed}sni

           /etc/postfix/sni:
               #
               # The example.com domain has both an RSA and ECDSA certificate
               # chain.  The chain files MUST start with the private key,
               # with the certificate chain next, starting with the leaf
               # (server) certificate, and then the issuer certificates.
               #
               example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
                           /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
               #
               # The example.net domain has a wildcard certificate, and two
               # additional DNS names.  So its certificate chain is also used
               # with any subdomain, plus the additional names.
               #
               example.net /etc/postfix/sni-chains/example.net.pem
               .example.net /etc/postfix/sni-chains/example.net.pem
               example.info /etc/postfix/sni-chains/example.net.pem
               example.org /etc/postfix/sni-chains/example.net.pem

       Note that the SNI lookup tables should also have entries  for  the  do‐
       mains  that  correspond  to  the Postfix SMTP server's default certifi‐
       cate(s). This ensures that the remote SMTP client's TLS  SNI  extension
       gets  a  positive  response  when  it specifies one of the Postfix SMTP
       server's default domains, and ensures that the Postfix SMTP server will
       not  log  an  SNI  name  mismatch  for such a domain.  The Postfix SMTP
       server's default certificates are then only used when the client  sends
       no SNI or when it sends SNI with a domain that the server knows no cer‐
       tificate(s) for.

       The mapping from an SNI domain name to a certificate chain is indirect.
       In  the  input  source files for "cdb", "hash", "btree" or other tables
       that are converted to on-disk indexed files via postmap(1),  the  value
       specified for each key is a list of filenames.  When postmap(1) is used
       with the -F option, the generated table stores for each lookup key  the
       base64-encoded  contents of the associated files.  When querying tables
       via postmap -Fq, the table value is decoded from base64,  yielding  the
       original file content, plus a new line.

       With  "regexp",  "pcre", "inline", "texthash", "static" and similar ta‐
       bles that are interpreted at run-time, and don't have a separate source
       format,  the  table value is again a list of files that are loaded into
       memory when the table is opened.

       With tables whose content is managed outside of Postfix, such as  LDAP,
       MySQL, PostgreSQL, socketmap and tcp, the value must be a concatenation
       of the desired PEM keys and certificate chains, that  is  then  further
       encoded  to yield a single-line base64 string.  Creation of such tables
       and secure storage (the value includes private key material)  are  out‐
       side the responsibility of Postfix.

       With  "socketmap"  and "tcp" the data will be transmitted in the clear,
       and there is no query access control, so these are generally unsuitable
       for  storing  SNI  chains.  With LDAP and SQL, you should restrict read
       access and use TLS to protect the sensitive data in transit.

       Typically there is only one private key and its chain  of  certificates
       starting  with  the  "leaf"  certificate corresponding to that key, and
       continuing with the appropriate intermediate  issuer  CA  certificates,
       with  each  certificate  ideally  followed by its issuer.  Servers that
       have keys and certificates for more than one algorithm (e.g.   both  an
       RSA  key and an ECDSA key, or even RSA, ECDSA and Ed25519) can use mul‐
       tiple chains concatenated together, with the key always  listed  before
       the corresponding certificates.

       This feature is available in Postfix 3.4 and later.
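
       Added example (not part of the Postfix documentation or source): a pre-deployment check for an SNI table that derives the lookup keys for an SNI name, verifies the key-before-certificates ordering of a chain file, and builds the single-line base64 value for externally managed tables. All function names are hypothetical, the PEM bodies are constructed placeholders, and trying keys most-specific first is an assumption.

```python
import base64
import re

# Captures the label of each PEM block, e.g. "PRIVATE KEY" or "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def sni_lookup_keys(sni_name):
    """Verbatim SNI name, then each ancestor domain with a leading dot.
    Lower-casing and most-specific-first order are assumptions of this sketch."""
    name = sni_name.lower().rstrip(".")
    keys = [name]
    dot = name.find(".")
    while dot != -1:
        keys.append(name[dot:])
        dot = name.find(".", dot + 1)
    return keys


def find_chain(table, sni_name):
    """Return (matching key, chain files), or (None, None) when the server
    would fall back to its default certificate(s) and log a mismatch."""
    for key in sni_lookup_keys(sni_name):
        if key in table:
            return key, table[key]
    return None, None


def non_alabel_keys(table):
    """Table keys that are not plain ASCII, so cannot be IDNA A-labels."""
    return [key for key in table if not key.isascii()]


def chain_order_errors(pem_text):
    """Check that every chain starts with a private key followed by at least
    one certificate. Returns a list of problems; empty means the order is OK."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    if not labels:
        return ["no PEM blocks found"]
    errors = []
    certs_since_key = None  # None until the first private key is seen
    for index, label in enumerate(labels):
        if label.endswith("PRIVATE KEY"):
            if certs_since_key == 0:
                errors.append(f"block {index}: key follows a key without certificates")
            certs_since_key = 0
        elif label == "CERTIFICATE":
            if certs_since_key is None:
                errors.append(f"block {index}: certificate before any private key")
            else:
                certs_since_key += 1
        else:
            errors.append(f"block {index}: unexpected PEM block {label!r}")
    if certs_since_key == 0:
        errors.append("last private key has no certificate chain")
    return errors


def external_table_value(pem_texts):
    """Concatenate PEM chains and encode them as one base64 line, the form
    needed for LDAP/SQL tables. The result contains private key material."""
    blob = "".join(t if t.endswith("\n") else t + "\n" for t in pem_texts)
    return base64.b64encode(blob.encode("ascii")).decode("ascii")


def pem_block(label, body="Q09OU1RSVUNURUQ="):
    """Constructed placeholder PEM block (the body is not a real key or cert)."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: key, leaf certificate, issuer certificate.
SAMPLE_RSA_CHAIN = pem_block("PRIVATE KEY") + pem_block("CERTIFICATE") * 2
SAMPLE_ECDSA_CHAIN = pem_block("EC PRIVATE KEY") + pem_block("CERTIFICATE") * 2
SAMPLE_BAD_CHAIN = pem_block("CERTIFICATE") + pem_block("PRIVATE KEY")

# The table from the /etc/postfix/sni example above.
NET_CHAIN = ["/etc/postfix/sni-chains/example.net.pem"]
SNI_TABLE = {
    "example.com": ["/etc/postfix/sni-chains/rsa2048.example.com.pem",
                    "/etc/postfix/sni-chains/ecdsa-p256.example.com.pem"],
    "example.net": NET_CHAIN,
    ".example.net": NET_CHAIN,
    "example.info": NET_CHAIN,
    "example.org": NET_CHAIN,
}

if __name__ == "__main__":
    for name in ("example.com", "mx1.example.net", "mail.example.com"):
        print(name, "->", find_chain(SNI_TABLE, name)[0])
    print("two chains:", chain_order_errors(SAMPLE_RSA_CHAIN + SAMPLE_ECDSA_CHAIN))
    print("bad order :", chain_order_errors(SAMPLE_BAD_CHAIN))
```

       In the sample table, mail.example.com finds no entry because only the bare example.com key is listed, so that client would be served the default certificate(s).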

tls_session_ticket_cipher (default: Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)

       Algorithm used to encrypt RFC5077 TLS session tickets.  This  algorithm
       must  use  CBC  mode,  have  a  128-bit block size, and must have a key
       length between 128 and 256 bits.  The default is aes-256-cbc.  Overrid‐
       ing the default to choose a different algorithm is discouraged.

       Setting  this  parameter  empty  disables session ticket support in the
       Postfix SMTP server.  Another way to disable session ticket support  is
       via the tls_ssl_options parameter.

       This feature is available in Postfix 3.0 and later.

tls_ssl_options (default: empty)

       List or bit-mask of OpenSSL options to enable.

       The OpenSSL toolkit provides a set of options that applications can en‐
       able to tune the OpenSSL behavior.  Some of these work around  bugs  in
       other  implementations and are on by default.  You can use the tls_dis‐
       able_workarounds parameter to selectively disable some or  all  of  the
       bug  work-arounds, making OpenSSL more strict at the cost of non-inter‐
       operability with SSL clients or servers that exhibit the bugs.

       Other options are off by default, and typically enable or disable  fea‐
       tures rather than bug work-arounds.  These may be turned on (with care)
       via the tls_ssl_options parameter.  The value is a white-space or comma
       separated  list of named options chosen from the list below.  The names
       are not case-sensitive; you can use lower-case if you prefer.  The  up‐
       per  case  values below match the corresponding macro name in the ssl.h
       header file with the SSL_OP_ prefix removed.  It is possible that  your
       OpenSSL  version  includes  new options added after your Postfix source
       code was last updated; in that case you can only enable  one  of  these
       via the hexadecimal syntax below.

       You  should only enable features via the hexadecimal mask when the need
       to control the feature is critical (to deal with a new vulnerability or
       a  serious  interoperability  problem).  Postfix DOES NOT promise back‐
       wards compatible behavior with respect to the mask bits.  A feature en‐
       abled  via  the  mask in one release may be enabled by other means in a
       later release, and the mask bit will then be ignored.   Therefore,  use
       of the hexadecimal mask is only a temporary measure until a new Postfix
       or OpenSSL release provides a better solution.

       If the value of the parameter is a hexadecimal  long  integer  starting
       with "0x", the options corresponding to the bits specified in its value
       are enabled (see openssl/ssl.h and  SSL_CTX_set_options(3)).   You  can
       only  enable  options not already controlled by other Postfix settings.
       For example, you cannot disable protocols or enable server cipher pref‐
       erence.    Do   not  attempt  to  enable  all  features  by  specifying
       0xFFFFFFFF; this is unlikely to be a good idea.  Some bug  work-arounds
       are  also valid here, allowing them to be re-enabled if/when they're no
       longer enabled by default.  The supported values include:

       ENABLE_MIDDLEBOX_COMPAT
              Postfix >= 3.4. See SSL_CTX_set_options(3).

       LEGACY_SERVER_CONNECT
              See SSL_CTX_set_options(3).

       NO_TICKET
              Enabled by default when needed in fully-patched Postfix >=  2.7.
              Not  needed  at  all for Postfix >= 2.11, unless for some reason
              you do not want to support TLS session resumption.  Best not set
              explicitly.  See SSL_CTX_set_options(3).

       NO_COMPRESSION
              Disable  SSL  compression  even  if supported by the OpenSSL li‐
              brary.  Compression is CPU-intensive, and compression before en‐
              cryption does not always improve security.

       NO_RENEGOTIATION
              Postfix  >=  3.4.  This can reduce opportunities for a potential
              CPU exhaustion attack.  See SSL_CTX_set_options(3).

       NO_SESSION_RESUMPTION_ON_RENEGOTIATION
              Postfix >= 3.4. See SSL_CTX_set_options(3).

       PRIORITIZE_CHACHA
              Postfix >= 3.4. See SSL_CTX_set_options(3).

       This feature is available in Postfix 2.11 and later.

tls_wildcard_matches_multiple_labels (default: yes)

       Match multiple DNS labels with "*" in wildcard certificates.

       Some mail service providers prepend the customer domain name to a  base
       domain  for  which  they have a wildcard TLS certificate.  For example,
       the MX records for example.com hosted by example.net may be:

           example.com. IN MX 0 example.com.mx1.example.net.
           example.com. IN MX 0 example.com.mx2.example.net.

       and the TLS certificate may be for "*.example.net". The "*" then corre‐
       sponds  with  multiple  labels  in  the mail server domain name.  While
       multi-label wildcards are not widely supported, and are not blessed  by
       any  standard, there is little to be gained by disallowing their use in
       this context.

       Notes:

       •      In a certificate name, the "*" is special only when it  is  used
              as the first label.

       •      While Postfix (2.11 or later) can match "*" with multiple domain
              name labels, other implementations likely will not.

       •      Earlier  Postfix  implementations  behave   as   if   "tls_wild‐
              card_matches_multiple_labels = no".

       This feature is available in Postfix 2.11 and later.
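
       Added example (a sketch of the matching rule described above, not Postfix's own matcher): it reports which MX hostnames verify against a wildcard certificate only when "*" may span multiple labels, which are the hosts that other implementations are likely to reject. Function names are hypothetical; mx3.example.net is a constructed host added for contrast.

```python
def cert_name_matches(cert_name, hostname, multiple_labels=True):
    """Match a certificate DNS name against a hostname.

    "*" is special only as the complete first label. With
    multiple_labels=False it stands for exactly one label; with
    multiple_labels=True it may stand for one or more labels.
    """
    pattern = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        # No leading wildcard label: plain case-insensitive comparison.
        # A "*" anywhere else is treated as a literal and never matches.
        return pattern == host
    suffix = pattern[1:]  # e.g. ".example.net"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]  # the part that "*" has to cover
    if not prefix or not all(prefix.split(".")):
        return False  # "*" must cover at least one non-empty label
    return multiple_labels or "." not in prefix


def hosts_needing_multi_label(mx_hosts, cert_names):
    """MX hosts that match some certificate name only under
    tls_wildcard_matches_multiple_labels = yes."""
    needing = []
    for host in mx_hosts:
        strict = any(cert_name_matches(n, host, False) for n in cert_names)
        relaxed = any(cert_name_matches(n, host, True) for n in cert_names)
        if relaxed and not strict:
            needing.append(host)
    return needing


# MX targets from the example above, plus one constructed single-label host.
MX_HOSTS = [
    "example.com.mx1.example.net.",
    "example.com.mx2.example.net.",
    "mx3.example.net.",
]
CERT_NAMES = ["*.example.net"]

if __name__ == "__main__":
    for host in MX_HOSTS:
        print(host,
              "yes:", cert_name_matches(CERT_NAMES[0], host, True),
              "no:", cert_name_matches(CERT_NAMES[0], host, False))
    print("depend on multi-label matching:",
          hosts_needing_multi_label(MX_HOSTS, CERT_NAMES))
```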

tlsmgr_service_name (default: tlsmgr)

       The  name  of  the  tlsmgr(8)  service entry in master.cf. This service
       maintains TLS session caches and other information in support of TLS.

       This feature is available in Postfix 2.11 and later.

tlsproxy_client_CAfile (default: $smtp_tls_CAfile)

       A file containing CA certificates of root CAs trusted  to  sign  either
       remote  TLS  server  certificates or intermediate CA certificates.  See
       smtp_tls_CAfile for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_CApath (default: $smtp_tls_CApath)

       Directory with PEM format Certification Authority certificates that the
       Postfix  tlsproxy(8) client uses to verify a remote TLS server certifi‐
       cate. See smtp_tls_CApath for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_cert_file (default: $smtp_tls_cert_file)

       File with the Postfix tlsproxy(8) client RSA certificate in PEM format.
       See  smtp_tls_cert_file for further details.  The preferred way to con‐
       figure  tlsproxy  client  keys  and  certificates  is  via   the   "tl‐
       sproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_chain_files (default: $smtp_tls_chain_files)

       Files  with  the Postfix tlsproxy(8) client keys and certificate chains
       in PEM format. See smtp_tls_chain_files for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_dcert_file (default: $smtp_tls_dcert_file)

       File with the Postfix tlsproxy(8) client DSA certificate in PEM format.
       See smtp_tls_dcert_file for further details. DSA is obsolete and should
       not be used.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_dkey_file (default: $smtp_tls_dkey_file)

       File with the Postfix tlsproxy(8) client DSA private key in PEM format.
       See  smtp_tls_dkey_file for further details. DSA is obsolete and should
       not be used.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_eccert_file (default: $smtp_tls_eccert_file)

       File with the Postfix tlsproxy(8) client ECDSA certificate in PEM  for‐
       mat. See smtp_tls_eccert_file for further details. The preferred way to
       configure tlsproxy  client  keys  and  certificates  is  via  the  "tl‐
       sproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_eckey_file (default: $smtp_tls_eckey_file)

       File  with the Postfix tlsproxy(8) client ECDSA private key in PEM for‐
       mat. See smtp_tls_eckey_file for further details.  The preferred way to
       configure  tlsproxy  client  keys  and  certificates  is  via  the "tl‐
       sproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_enforce_tls (default: $smtp_enforce_tls)

       Enforcement mode: require that SMTP servers use  TLS  encryption.   See
       smtp_enforce_tls   for   further   details.  Use  tlsproxy_client_secu‐
       rity_level instead.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_fingerprint_digest (default: $smtp_tls_fingerprint_digest)

       The message digest algorithm used to construct remote TLS  server  cer‐
       tificate  fingerprints. See smtp_tls_fingerprint_digest for further de‐
       tails.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_key_file (default: $smtp_tls_key_file)

       File with the Postfix tlsproxy(8) client RSA private key in PEM format.
       See smtp_tls_key_file for further details. The preferred way to config‐
       ure  tlsproxy  client  keys  and   certificates   is   via   the   "tl‐
       sproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_level (default: $smtp_tls_security_level)

       The  default TLS security level for the Postfix tlsproxy(8) client. See
       smtp_tls_security_level for further details.

       This feature is available in Postfix 3.4 - 3.6. It was renamed  to  tl‐
       sproxy_client_security_level in Postfix 3.7.

tlsproxy_client_loglevel (default: $smtp_tls_loglevel)

       Enable  additional  Postfix tlsproxy(8) client logging of TLS activity.
       See smtp_tls_loglevel for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_loglevel_parameter (default: smtp_tls_loglevel)

       The name of the parameter that  provides  the  tlsproxy_client_loglevel
       value.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_per_site (default: $smtp_tls_per_site)

       Optional  lookup  tables  with the Postfix tlsproxy(8) client TLS usage
       policy by next-hop destination and by remote TLS server hostname.   See
       smtp_tls_per_site for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_policy (default: $smtp_tls_policy_maps)

       Optional lookup tables with the Postfix tlsproxy(8) client TLS security
       policy by next-hop destination. See  smtp_tls_policy_maps  for  further
       details.

       This  feature  is available in Postfix 3.4 - 3.6. It was renamed to tl‐
       sproxy_client_policy_maps in Postfix 3.7.

tlsproxy_client_policy_maps (default: $smtp_tls_policy_maps)

       Optional lookup tables with the Postfix tlsproxy(8) client TLS security
       policy  by  next-hop  destination. See smtp_tls_policy_maps for further
       details.

       This feature is available in Postfix 3.7 and later. It  was  previously
       called tlsproxy_client_policy.

tlsproxy_client_scert_verifydepth (default: $smtp_tls_scert_verifydepth)

       The  verification  depth  for  remote  TLS  server  certificates.   See
       smtp_tls_scert_verifydepth for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_security_level (default: $smtp_tls_security_level)

       The default TLS security level for the Postfix tlsproxy(8) client.  See
       smtp_tls_security_level for further details.

       This  feature  is available in Postfix 3.7 and later. It was previously
       called tlsproxy_client_level.

tlsproxy_client_use_tls (default: $smtp_use_tls)

       Opportunistic mode: use TLS when a remote server announces TLS support.
       See   smtp_use_tls   for  further  details.  Use  tlsproxy_client_secu‐
       rity_level instead.

       This feature is available in Postfix 3.4 and later.

tlsproxy_enforce_tls (default: $smtpd_enforce_tls)

       Mandatory TLS: announce STARTTLS support to remote  SMTP  clients,  and
       require that clients use TLS encryption. See smtpd_enforce_tls for fur‐
       ther details. Use tlsproxy_tls_security_level instead.

       This feature is available in Postfix 2.8 and later.

tlsproxy_service_name (default: tlsproxy)

       The name of the tlsproxy(8) service entry in  master.cf.  This  service
       performs plaintext <=> TLS ciphertext conversion.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_CAfile (default: $smtpd_tls_CAfile)

       A  file  containing (PEM format) CA certificates of root CAs trusted to
       sign either remote SMTP client certificates or intermediate CA certifi‐
       cates.  See smtpd_tls_CAfile for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_CApath (default: $smtpd_tls_CApath)

       A directory containing (PEM format) CA certificates of root CAs trusted
       to sign either remote SMTP client certificates or intermediate CA  cer‐
       tificates. See smtpd_tls_CApath for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_always_issue_session_ids (default: $smtpd_tls_always_issue_session_ids)

       Force the Postfix tlsproxy(8) server to issue a TLS  session  id,  even
       when TLS session caching is turned off. See smtpd_tls_always_issue_ses‐
       sion_ids for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_ask_ccert (default: $smtpd_tls_ask_ccert)

       Ask  a   remote   SMTP   client   for   a   client   certificate.   See
       smtpd_tls_ask_ccert for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_ccert_verifydepth (default: $smtpd_tls_ccert_verifydepth)

       The  verification depth for remote SMTP client certificates. A depth of
       1 is sufficient if the issuing CA is listed in a  local  CA  file.  See
       smtpd_tls_ccert_verifydepth for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_cert_file (default: $smtpd_tls_cert_file)

       File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
       This file may also contain the Postfix tlsproxy(8) server  private  RSA
       key.  See smtpd_tls_cert_file for further details.  With Postfix >= 3.4
       the preferred way to configure tlsproxy server keys and certificates is
       via the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_chain_files (default: $smtpd_tls_chain_files)

       Files  with  the Postfix tlsproxy(8) server keys and certificate chains
       in PEM format. See smtpd_tls_chain_files for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_tls_ciphers (default: $smtpd_tls_ciphers)

       The minimum TLS cipher grade that the Postfix tlsproxy(8)  server  will
       use  with  opportunistic TLS encryption. See smtpd_tls_ciphers for fur‐
       ther details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_dcert_file (default: $smtpd_tls_dcert_file)

       File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
       This  file  may also contain the Postfix tlsproxy(8) server private DSA
       key.  DSA is obsolete and should not be used.  See smtpd_tls_dcert_file
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_dh1024_param_file (default: $smtpd_tls_dh1024_param_file)

       File  with DH parameters that the Postfix tlsproxy(8) server should use
       with non-export EDH ciphers. See smtpd_tls_dh1024_param_file  for  fur‐
       ther details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_dh512_param_file (default: $smtpd_tls_dh512_param_file)

       File  with DH parameters that the Postfix tlsproxy(8) server should use
       with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for  fur‐
       ther  details.   The  default SMTP server cipher grade is "medium" with
       Postfix releases after the middle of 2015, and as a result export-grade
       cipher suites are by default not used.

       With  Postfix  >=  3.6  export-grade  Diffie-Hellman key exchange is no
       longer supported, and this parameter is silently ignored.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_dkey_file (default: $smtpd_tls_dkey_file)

       File with the Postfix tlsproxy(8) server DSA private key in PEM format.
       This  file may be combined with the Postfix tlsproxy(8) server DSA cer‐
       tificate file specified with $smtpd_tls_dcert_file.   DSA  is  obsolete
       and should not be used.  See smtpd_tls_dkey_file for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_eccert_file (default: $smtpd_tls_eccert_file)

       File  with the Postfix tlsproxy(8) server ECDSA certificate in PEM for‐
       mat.  This file may also contain the Postfix tlsproxy(8) server private
       ECDSA  key.  See smtpd_tls_eccert_file for further details.  With Post‐
       fix >= 3.4 the preferred way to configure tlsproxy server keys and cer‐
       tificates is via the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_eckey_file (default: $smtpd_tls_eckey_file)

       File with the Postfix tlsproxy(8) server ECDSA private key in PEM
       format. This file may be combined with the Postfix tlsproxy(8) server
       ECDSA certificate file specified with $smtpd_tls_eccert_file. See
       smtpd_tls_eckey_file for further details. With Postfix >= 3.4 the
       preferred way to configure tlsproxy server keys and certificates is via
       the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_eecdh_grade (default: $smtpd_tls_eecdh_grade)

       The Postfix tlsproxy(8) server security grade for ephemeral
       elliptic-curve Diffie-Hellman (EECDH) key exchange. See
       smtpd_tls_eecdh_grade for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_exclude_ciphers (default: $smtpd_tls_exclude_ciphers)

       List of ciphers or cipher types to exclude from the tlsproxy(8) server
       cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_fingerprint_digest (default: $smtpd_tls_fingerprint_digest)

       The message digest algorithm to construct remote SMTP
       client-certificate fingerprints. See smtpd_tls_fingerprint_digest for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_key_file (default: $smtpd_tls_key_file)

       File with the Postfix tlsproxy(8) server RSA private key in PEM format.
       This file may be combined with the Postfix tlsproxy(8) server RSA
       certificate file specified with $smtpd_tls_cert_file. See
       smtpd_tls_key_file for further details. With Postfix >= 3.4 the
       preferred way to configure tlsproxy server keys and certificates is via
       the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_loglevel (default: $smtpd_tls_loglevel)

       Enable additional Postfix tlsproxy(8) server logging of TLS activity.
       Each logging level also includes the information that is logged at a
       lower logging level. See smtpd_tls_loglevel for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_mandatory_ciphers (default: $smtpd_tls_mandatory_ciphers)

       The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
       use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_mandatory_exclude_ciphers (default: $smtpd_tls_mandatory_exclude_ciphers)

       Additional list of ciphers or cipher types to exclude from the
       tlsproxy(8) server cipher list at mandatory TLS security levels. See
       smtpd_tls_mandatory_exclude_ciphers for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols)

       The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
       mandatory TLS encryption. If the list is empty, the server supports all
       available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_protocols (default: $smtpd_tls_protocols)

       List of TLS protocols that the Postfix tlsproxy(8) server will exclude
       or include with opportunistic TLS encryption. See smtpd_tls_protocols
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_req_ccert (default: $smtpd_tls_req_ccert)

       With mandatory TLS encryption, require a trusted remote SMTP client
       certificate in order to allow TLS connections to proceed. See
       smtpd_tls_req_ccert for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_security_level (default: $smtpd_tls_security_level)

       The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
       non-empty value is specified, this overrides the obsolete parameters
       smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_session_cache_timeout (default: $smtpd_tls_session_cache_timeout)

       Obsolete expiration time of Postfix tlsproxy(8) server TLS session
       cache information. Since the cache is shared with smtpd(8) and managed
       by tlsmgr(8), there is only one expiration time for the SMTP server
       cache shared by all three services, namely
       smtpd_tls_session_cache_timeout.

       This feature is available in Postfix 2.8 and later.

tlsproxy_use_tls (default: $smtpd_use_tls)

       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption. See smtpd_use_tls
       for further details. Use tlsproxy_tls_security_level instead.

       This feature is available in Postfix 2.8 and later.
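
       The tlsproxy_* TLS parameters above default to the smtpd_* parameter
       of the same name, so a legacy setting made for smtpd(8) also reaches
       tlsproxy(8). The following Python code is an added example, not part of
       Postfix or of this manual: it parses main.cf-style text, resolves that
       inheritance, and reports the settings this section calls obsolete or
       superseded. The sample configuration is constructed, and parameters
       absent from the text are treated as empty (an assumption: built-in
       defaults are not modeled).

```python
import re

# Constructed sample main.cf text (not taken from a real system).
SAMPLE_MAIN_CF = """\
# smtpd(8) settings; tlsproxy(8) inherits them through its defaults.
smtpd_tls_dcert_file = /etc/postfix/dsa-cert.pem
smtpd_tls_key_file = /etc/postfix/rsa-key.pem
smtpd_use_tls = yes
tlsproxy_tls_dh512_param_file =
    /etc/postfix/dh512.pem
tlsproxy_tls_security_level = ${smtpd_tls_security_level}
"""

# Advice text paraphrases the parameter descriptions in this section.
CHAIN = "Postfix >= 3.4 prefers tlsproxy_tls_chain_files"
RULES = {
    "tlsproxy_tls_dcert_file": "DSA is obsolete and should not be used",
    "tlsproxy_tls_dkey_file": "DSA is obsolete and should not be used",
    "tlsproxy_tls_dh512_param_file":
        "export-grade DH, silently ignored with Postfix >= 3.6",
    "tlsproxy_use_tls": "use tlsproxy_tls_security_level instead",
    "tlsproxy_tls_key_file": CHAIN,
    "tlsproxy_tls_eccert_file": CHAIN,
    "tlsproxy_tls_eckey_file": CHAIN,
}

_REF = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def parse_main_cf(text):
    """Return {name: value} using the main.cf logical-line rules."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines are ignored
        if raw[0].isspace():              # leading whitespace continues a line
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current is not None:
            params[current] = value.strip()   # a later entry overrides an earlier one
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name}; undefined names become the empty value.

    The conditional forms (${name?value}, ${name:value}) are not handled.
    """
    if depth > 10:                        # guard against self-referencing values
        return value
    return _REF.sub(
        lambda m: expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1),
        value)


def effective(name, params):
    """Value tlsproxy(8) would see for name, and where it came from."""
    if name in params:
        return expand(params[name], params), "main.cf"
    parent = "smtpd_" + name[len("tlsproxy_"):]   # "(default: $smtpd_...)"
    return expand(params.get(parent, ""), params), "inherited from " + parent


def audit(text):
    """Return (parameter, value, origin, advice) for each legacy setting in use."""
    params = parse_main_cf(text)
    findings = []
    for name, advice in RULES.items():
        value, origin = effective(name, params)
        if value.lower() not in ("", "no", "none"):
            findings.append((name, value, origin, advice))
    return findings


if __name__ == "__main__":
    for name, value, origin, advice in audit(SAMPLE_MAIN_CF):
        print("%s = %s (%s): %s" % (name, value, origin, advice))
```

       Running it on the full "postconf" output instead of a main.cf subset
       removes the empty-default assumption, because that output lists every
       parameter with its unexpanded value.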

tlsproxy_watchdog_timeout (default: 10s)

       How much time a tlsproxy(8) process may take to process local or remote
       I/O before it is terminated by a built-in watchdog timer. This is a
       safety mechanism that prevents tlsproxy(8) from becoming non-responsive
       due to a bug in Postfix itself or in system software. To avoid false
       alarms and unnecessary cache corruption this limit cannot be set under
       10s.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       This feature is available in Postfix 2.8 and later.

trace_service_name (default: trace)

       The name of the trace service. This service is implemented by the
       bounce(8) daemon and maintains a record of mail deliveries and produces
       a mail delivery report when verbose delivery is requested with
       "sendmail -v".

       This feature is available in Postfix 2.1 and later.

transport_delivery_slot_cost (default: $default_delivery_slot_cost)

       A transport-specific override for the default_delivery_slot_cost
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_cost parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_cost").

transport_delivery_slot_discount (default: $default_delivery_slot_discount)

       A transport-specific override for the default_delivery_slot_discount
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_discount parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_discount").

transport_delivery_slot_loan (default: $default_delivery_slot_loan)

       A transport-specific override for the default_delivery_slot_loan
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_loan parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_loan").

transport_destination_concurrency_failed_cohort_limit (default: $default_destination_concurrency_failed_cohort_limit)

       A transport-specific override for the
       default_destination_concurrency_failed_cohort_limit parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_failed_cohort_limit
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_failed_cohort_limit").

       This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       A transport-specific override for the
       default_destination_concurrency_limit parameter value, where transport
       is the master.cf name of the message delivery transport.

       Note: some transport_destination_concurrency_limit parameters will not
       show up in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_concurrency_limit").

transport_destination_concurrency_negative_feedback (default: $default_destination_concurrency_negative_feedback)

       A transport-specific override for the
       default_destination_concurrency_negative_feedback parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_negative_feedback
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_negative_feedback").

       This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_positive_feedback (default: $default_destination_concurrency_positive_feedback)

       A transport-specific override for the
       default_destination_concurrency_positive_feedback parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_positive_feedback
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_positive_feedback").

       This feature is available in Postfix 2.5 and later.

transport_destination_rate_delay (default: $default_destination_rate_delay)

       A transport-specific override for the default_destination_rate_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: some transport_destination_rate_delay parameters will not show up
       in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_rate_delay").

       This feature is available in Postfix 2.5 and later.

transport_destination_recipient_limit (default: $default_destination_recipient_limit)

       A transport-specific override for the
       default_destination_recipient_limit parameter value, where transport is
       the master.cf name of the message delivery transport.

       Note: some transport_destination_recipient_limit parameters will not
       show up in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_recipient_limit").

transport_extra_recipient_limit (default: $default_extra_recipient_limit)

       A transport-specific override for the default_extra_recipient_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_extra_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_extra_recipient_limit").

transport_initial_destination_concurrency (default: $initial_destination_concurrency)

       A transport-specific override for the initial_destination_concurrency
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: some transport_initial_destination_concurrency parameters will
       not show up in "postconf" command output before Postfix version 2.9.
       This limitation applies to many parameters whose name is a combination
       of a master.cf service name and a built-in suffix (in this case:
       "_initial_destination_concurrency").

       This feature is available in Postfix 2.5 and later.

transport_maps (default: empty)

       Optional lookup tables with mappings from recipient address to (message
       delivery transport, next-hop destination). See transport(5) for
       details.

       Specify zero or more "type:table" lookup tables, separated by
       whitespace or comma. Tables will be searched in the specified order
       until a match is found. If you use this feature with local files, run
       "postmap /etc/postfix/transport" after making a change.

       Pattern matching of domain names is controlled by the presence or
       absence of "transport_maps" in the parent_domain_matches_subdomains
       parameter value.

       For safety reasons, as of Postfix 2.3 this feature does not allow
       $number substitutions in regular expression maps.

       Examples:

       transport_maps = dbm:/etc/postfix/transport
       transport_maps = hash:/etc/postfix/transport

transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)

       A transport-specific override for the default_minimum_delivery_slots
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_minimum_delivery_slots parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_minimum_delivery_slots").

transport_recipient_limit (default: $default_recipient_limit)

       A transport-specific override for the default_recipient_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case: "_recipient_limit").

transport_recipient_refill_delay (default: $default_recipient_refill_delay)

       A transport-specific override for the default_recipient_refill_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_delay parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_delay").

       This feature is available in Postfix 2.4 and later.

transport_recipient_refill_limit (default: $default_recipient_refill_limit)

       A transport-specific override for the default_recipient_refill_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_limit").

       This feature is available in Postfix 2.4 and later.

transport_retry_time (default: 60s)

       The time between attempts by the Postfix queue manager to contact a
       malfunctioning message delivery transport.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

transport_time_limit (default: $command_time_limit)

       A transport-specific override for the command_time_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       Note: transport_time_limit parameters will not show up in "postconf"
       command output before Postfix version 2.9. This limitation applies to
       many parameters whose name is a combination of a master.cf service name
       and a built-in suffix (in this case: "_time_limit").

transport_transport_rate_delay (default: $default_transport_rate_delay)

       A transport-specific override for the default_transport_rate_delay
       parameter value, where the initial transport in the parameter name is
       the master.cf name of the message delivery transport.

       Specify a non-negative time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

       Note: transport_transport_rate_delay parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_transport_rate_delay").
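
       The transport_* entries above all follow one pattern: a master.cf
       service name plus a built-in suffix, falling back to the parameter
       named in the heading's default. The following Python code is an added
       example, not Postfix code: it splits such a name with the help of the
       known service names, resolves the fallback, and converts the two
       time-valued settings described above into seconds. The service names
       and parameter values are constructed.

```python
import re

# Built-in suffixes listed in this section. Most fall back to
# "default" + suffix; the two exceptions are set explicitly below.
_SUFFIXES = [
    "delivery_slot_cost", "delivery_slot_discount", "delivery_slot_loan",
    "destination_concurrency_failed_cohort_limit",
    "destination_concurrency_limit",
    "destination_concurrency_negative_feedback",
    "destination_concurrency_positive_feedback",
    "destination_rate_delay", "destination_recipient_limit",
    "extra_recipient_limit", "minimum_delivery_slots", "recipient_limit",
    "recipient_refill_delay", "recipient_refill_limit",
    "transport_rate_delay",
]
SUFFIX_DEFAULT = {"_" + s: "default_" + s for s in _SUFFIXES}
SUFFIX_DEFAULT["_time_limit"] = "command_time_limit"
SUFFIX_DEFAULT["_initial_destination_concurrency"] = "initial_destination_concurrency"

# Time-valued suffixes whose syntax this section spells out:
# _time_limit must be non-zero, _transport_rate_delay may be zero.
TIME_ALLOWS_ZERO = {"_time_limit": False, "_transport_rate_delay": True}

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME = re.compile(r"^(\d+)([smhdw]?)$")


def split_override(name, services):
    """Split "smtp_time_limit" into ("smtp", "_time_limit").

    The service names are required: "_recipient_limit" is also the tail of
    "_destination_recipient_limit", so the suffix alone is ambiguous.
    Returns the first matching service, or None.
    """
    for service in services:
        if name.startswith(service) and name[len(service):] in SUFFIX_DEFAULT:
            return service, name[len(service):]
    return None


def resolve(transport, suffix, params):
    """Return (value, source parameter); value is None when neither is set."""
    override = transport + suffix
    if override in params:
        return params[override], override
    fallback = SUFFIX_DEFAULT[suffix]
    return params.get(fallback), fallback


def parse_time(value, allow_zero=False, default_unit="s"):
    """Convert "90", "5m" or "1h" to seconds; reject malformed or zero values."""
    match = _TIME.match(value.strip())
    if not match:
        raise ValueError("not a time value: %r" % value)
    seconds = int(match.group(1)) * UNIT_SECONDS[match.group(2) or default_unit]
    if seconds == 0 and not allow_zero:
        raise ValueError("time value must be non-zero: %r" % value)
    return seconds


def effective_seconds(transport, suffix, params):
    """Seconds in effect for a time-valued per-transport setting."""
    value, source = resolve(transport, suffix, params)
    if value is None:
        raise KeyError("%s is not set and built-in defaults are not modeled" % source)
    return parse_time(value, allow_zero=TIME_ALLOWS_ZERO[suffix])


# Constructed sample: two master.cf services and a few main.cf values.
SERVICES = ["smtp", "slow"]
PARAMS = {
    "command_time_limit": "1000s",
    "slow_time_limit": "1h",
    "default_transport_rate_delay": "0s",
    "slow_transport_rate_delay": "2",
}

if __name__ == "__main__":
    for transport in SERVICES:
        for suffix in TIME_ALLOWS_ZERO:
            print(transport + suffix, effective_seconds(transport, suffix, PARAMS))
```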

trigger_timeout (default: 10s)

       The time limit for sending a trigger to a Postfix daemon (for example,
       the pickup(8) or qmgr(8) daemon). This time limit prevents programs
       from getting stuck when the mail system is under heavy load.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks). The default
       time unit is s (seconds).

undisclosed_recipients_header (default: see postconf -d output)

       Message header that the Postfix cleanup(8) server inserts when a
       message contains no To: or Cc: message header. With Postfix 2.8 and
       later, the default value is empty. With Postfix 2.4-2.7, specify an
       empty value to disable this feature.

       Example:

       # Default value before Postfix 2.8.
       # Note: the ":" and ";" are both required.
       undisclosed_recipients_header = To: undisclosed-recipients:;

unknown_address_reject_code (default: 450)

       The numerical response code when the Postfix SMTP server rejects a
       sender or recipient address because its domain is unknown. This is one
       of the possible replies from the restrictions
       reject_unknown_sender_domain and reject_unknown_recipient_domain.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_address_tempfail_action (default: $reject_tempfail_action)

       The Postfix SMTP server's action when reject_unknown_sender_domain or
       reject_unknown_recipient_domain fail due to a temporary error
       condition. Specify "defer" to defer the remote SMTP client request
       immediately. With the default "defer_if_permit" action, the Postfix
       SMTP server continues to look for opportunities to reject mail, and
       defers the client request only if it would otherwise be accepted.

       This feature is available in Postfix 2.6 and later.

unknown_client_reject_code (default: 450)

       The numerical Postfix SMTP server response code when a client without
       valid address <=> name mapping is rejected by the
       reject_unknown_client_hostname restriction. The SMTP server always
       replies with 450 when the mapping failed due to a temporary error
       condition.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_helo_hostname_tempfail_action (default: $reject_tempfail_action)

       The Postfix SMTP server's action when reject_unknown_helo_hostname
       fails due to a temporary error condition. Specify "defer" to defer the
       remote SMTP client request immediately. With the default
       "defer_if_permit" action, the Postfix SMTP server continues to look for
       opportunities to reject mail, and defers the client request only if it
       would otherwise be accepted.

       This feature is available in Postfix 2.6 and later.

unknown_hostname_reject_code (default: 450)

       The numerical Postfix SMTP server response code when the hostname
       specified with the HELO or EHLO command is rejected by the
       reject_unknown_helo_hostname restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_local_recipient_reject_code (default: 550)

       The numerical Postfix SMTP server response code when a recipient
       address is local, and $local_recipient_maps specifies a list of lookup
       tables that does not match the recipient. A recipient address is local
       when its domain matches $mydestination, $proxy_interfaces or
       $inet_interfaces.

       The default setting is 550 (reject mail) but it is safer to initially
       use 450 (try again later) so you have time to find out if your
       local_recipient_maps settings are OK.

       Example:

       unknown_local_recipient_reject_code = 450

       This feature is available in Postfix 2.0 and later.

unknown_relay_recipient_reject_code (default: 550)

       The numerical Postfix SMTP server reply code when a recipient address
       matches $relay_domains, and relay_recipient_maps specifies a list of
       lookup tables that does not match the recipient address.

       This feature is available in Postfix 2.0 and later.

unknown_virtual_alias_reject_code (default: 550)

       The Postfix SMTP server reply code when a recipient address matches
       $virtual_alias_domains, and $virtual_alias_maps specifies a list of
       lookup tables that does not match the recipient address.

       This feature is available in Postfix 2.0 and later.

unknown_virtual_mailbox_reject_code (default: 550)

       The Postfix SMTP server reply code when a recipient address matches
       $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
       lookup tables that does not match the recipient address.

       This feature is available in Postfix 2.0 and later.

unverified_recipient_defer_code (default: 450)

       The numerical Postfix SMTP server response when a recipient address
       probe fails due to a temporary error condition.

       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
       address anyway.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.6 and later.

unverified_recipient_reject_code (default: 450)

       The numerical Postfix SMTP server response when a recipient address is
       rejected by the reject_unverified_recipient restriction.

       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
       address anyway.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.1 and later.

unverified_recipient_reject_reason (default: empty)

       The Postfix SMTP server's reply when rejecting mail with
       reject_unverified_recipient. Do not include the numeric SMTP reply code
       or the enhanced status code. By default, the response includes actual
       address verification details.

       Example:

       unverified_recipient_reject_reason = Recipient address lookup failed

       This feature is available in Postfix 2.6 and later.

unverified_recipient_tempfail_action (default: $reject_tempfail_action)

       The Postfix SMTP server's action when reject_unverified_recipient fails
       due to a temporary error condition. Specify "defer" to defer the remote
       SMTP client request immediately. With the default "defer_if_permit"
       action, the Postfix SMTP server continues to look for opportunities to
       reject mail, and defers the client request only if it would otherwise
       be accepted.

       This feature is available in Postfix 2.6 and later.

unverified_sender_defer_code (default: 450)

       The numerical Postfix SMTP server response code when a sender address
       probe fails due to a temporary error condition.

       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
       address anyway.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.6 and later.

unverified_sender_reject_code (default: 450)

       The numerical Postfix SMTP server response code when a recipient
       address is rejected by the reject_unverified_sender restriction.

       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
       address anyway.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.1 and later.

unverified_sender_reject_reason (default: empty)

       The Postfix SMTP server's reply when rejecting mail with
       reject_unverified_sender. Do not include the numeric SMTP reply code or
       the enhanced status code. By default, the response includes actual
       address verification details.

       Example:

       unverified_sender_reject_reason = Sender address lookup failed

       This feature is available in Postfix 2.6 and later.

unverified_sender_tempfail_action (default: $reject_tempfail_action)

       The Postfix SMTP server's action when reject_unverified_sender fails
       due to a temporary error condition. Specify "defer" to defer the remote
       SMTP client request immediately. With the default "defer_if_permit"
       action, the Postfix SMTP server continues to look for opportunities to
       reject mail, and defers the client request only if it would otherwise
       be accepted.

       This feature is available in Postfix 2.6 and later.

use_srv_lookup (default: empty)

       Enables discovery for the specified service(s) using DNS SRV records.
       For example, with "use_srv_lookup = submission" and "relayhost =
       example.com:submission", the Postfix SMTP client will look up DNS SRV
       records for _submission._tcp.example.com, and will relay email through
       the hosts and ports that are specified with those records. See RFC 2782
       for details of the host selection process.

       Specify zero or more service names separated by comma and/or
       whitespace. Any name in the services(5) database may be specified,
       though in practice only submission, submissions, and smtp make sense.

       When SRV record lookup is enabled with use_srv_lookup, you can enclose
       a domain name in "[]" to force IP address lookup instead of SRV record
       lookup.
13954       Example 1: MUA-to-MTA submission using SRV record lookup for the  "sub‐
13955       mission"  service  for domain "example.com". This uses the default SMTP
13956       delivery agent with STARTTLS, and looks up SRV  records  for  "_submis‐
13957       sion._tcp.example.com".
13958
13959       /etc/postfix/main.cf:
13960           use_srv_lookup = submission
13961           relayhost = example.com:submission
13962           smtp_tls_security_level = may
13963           ...see SASL_README for sasl configuration...
13964
13965       Example  2: MUA-to-MTA submission using SRV record lookup for the "sub‐
13966       missions" service for domain "example.org". This uses a dedicated  SMTP
13967       delivery agent (smtp-wraptls) with tls_wrappermode turned on, and looks
13968       up SRV records for "_submissions._tcp.example.org".
13969
13970       Note: specify the older name "smtps" instead of  "submissions"  when  a
13971       provider  has DNS SRV records like "_smtps._tcp.example.org" instead of
13972       "_submissions._tcp.example.org".
13973
13974       /etc/postfix/main.cf:
13975           use_srv_lookup = submissions
13976           default_transport = smtp-wraptls:example.org:submissions
13977           ...see SASL_README for sasl configuration...
13978
13979       /etc/postfix/master.cf:
13980           smtp-wraptls   unix   ...   ...   ...   ...   ...   smtp
13981               -o { smtp_tls_wrappermode = yes }
13982               -o { smtp_tls_security_level = encrypt }
13983
13984       Example 3: Sender-dependent selection for a combination  of  MUA-to-MTA
13985       submission  services.  This  combines examples 1 and 2 with examples of
13986       how to disable SRV and look up IP address records for "smtp-relay.exam‐
13987       ple.net" and "smtp-relay.other.example".  Again, specify the older name
13988       "smtps" instead of "submissions" when a provider has  DNS  SRV  records
13989       like   "_smtps._tcp.example.org"  instead  of  "_submissions._tcp.exam‐
13990       ple.org".
13991
13992       /etc/postfix/main.cf:
13993           use_srv_lookup = submission, submissions
13994           sender_dependent_default_transport_maps = inline:{
13995               # Destinations that support SRV record lookup.
13996               { user1@example.com = smtp:example.com:submission }
13997               { user2@example.org = smtp-wraptls:example.org:submissions }
13998               # Use [destination] to force IP address lookups.
13999               { user3@example.net = smtp:[smtp-relay.example.net]:submission }
14000               { user4@other.example =
14001                     smtp-wraptls:[smtp-relay.other.example]:submissions } }
14002           ...see SASL_README for sasl configuration...
14003
14004       Example 4: MTA-to-MTA traffic, using SRV record  lookup  for  the  SMTP
14005       service.  This  is useful for Postfix tests, and may be useful in envi‐
14006       ronments where ports are dynamically assigned to servers.
14007
14008       /etc/postfix/main.cf:
14009           use_srv_lookup = smtp
14010           # Fall back to MX record lookup when SRV records are unavailable.
14011           #allow_srv_lookup_fallback = yes
14012           #ignore_srv_lookup_error = yes
14013
14014       This feature is available in Postfix 3.8 and later.
14015
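       The following added example is not part of the Postfix manual or source
       code. It models which SRV name a nexthop from the examples above  leads
       to, and the RFC 2782 ordering of the answer. The function  names,  the
       "smtp" default for a nexthop without ":service", and the sample records
       are assumptions made for illustration.

```python
import random
import re

def srv_query_name(nexthop, use_srv_lookup):
    """Return the SRV owner name for a nexthop (the part after "transport:"),
    or None when the destination is resolved by address lookup instead."""
    enabled = {s for s in re.split(r"[,\s]+", use_srv_lookup) if s}
    host, sep, service = nexthop.rpartition(":")
    if not sep or nexthop.endswith("]"):
        # No ":service" given. Assumption of this sketch: service is "smtp".
        host, service = nexthop, "smtp"
    if host.startswith("[") or service not in enabled:
        return None  # "[host]" forces address lookup; or service not enabled
    return f"_{service}._tcp.{host}"

def rfc2782_order(records, rng):
    """Order (priority, weight, port, target) tuples as RFC 2782 describes:
    lowest priority first, weighted random choice within one priority."""
    if len(records) == 1 and records[0][3] == ".":
        return []  # a lone "." target: service not offered at this domain
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # Weight-0 records go to the front of the candidate list.
        pool = sorted((r for r in records if r[0] == prio),
                      key=lambda r: r[1] != 0)
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered

# Constructed SRV answer for _submission._tcp.example.com.
SAMPLE_SRV = [
    (20, 0, 587, "backup.example.com."),
    (10, 60, 587, "relay-a.example.com."),
    (10, 40, 587, "relay-b.example.com."),
]

if __name__ == "__main__":
    for hop in ("example.com:submission", "example.org:submissions",
                "[smtp-relay.example.net]:submission"):
        print(hop, "->", srv_query_name(hop, "submission, submissions"))
    for rec in rfc2782_order(SAMPLE_SRV, random.Random()):
        print(rec)
```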

verp_delimiter_filter (default: -=+)

       The characters Postfix accepts as  VERP  delimiter  characters  on  the
       Postfix sendmail(1) command line and in SMTP commands.

       This feature is available in Postfix 1.1 and later.

virtual_alias_address_length_limit (default: 1000)

       The  maximal  length of an email address after virtual alias expansion.
       This stops virtual aliasing loops that increase the address length  ex‐
       ponentially.

       This feature is available in Postfix 3.0 and later.

virtual_alias_domains (default: $virtual_alias_maps)

       Postfix  is  the  final  destination  for the specified list of virtual
       alias domains, that is, domains for which all addresses are aliased  to
       addresses  in  other local or remote domains. The SMTP server validates
       recipient addresses with $virtual_alias_maps and  rejects  non-existent
       recipients.  See  also  the  virtual  alias  domain  class  in  the AD‐
       DRESS_CLASS_README file.

       This feature is available in Postfix 2.0 and later. The  default  value
       is backwards compatible with Postfix version 1.1.

       The  default  value is $virtual_alias_maps so that you can keep all in‐
       formation about virtual alias domains in one place.  If you  have  many
       users,  it  is  better  to  separate information that changes more fre‐
       quently (virtual address -> local or remote address mapping)  from  in‐
       formation  that  changes  less  frequently  (the list of virtual domain
       names).

       Specify a list of host or domain names,  "/file/name"  or  "type:table"
       patterns, separated by commas and/or whitespace. A "/file/name" pattern
       is replaced by its contents; a "type:table"  lookup  table  is  matched
       when  a table entry matches a host or domain name (the lookup result is
       ignored).  Continue long lines by starting the next  line  with  white‐
       space.  Specify  "!pattern"  to  exclude a host or domain name from the
       list. The form "!/file/name" is supported only in Postfix  version  2.4
       and later.

       See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
       ther information.

       Example:

       virtual_alias_domains = virtual1.tld virtual2.tld

virtual_alias_expansion_limit (default: 1000)

       The maximal number of addresses that virtual alias  expansion  produces
       from each original recipient.

       This feature is available in Postfix 2.1 and later.

virtual_alias_maps (default: $virtual_maps)

       Optional lookup tables that alias specific mail addresses or domains to
       other local or remote addresses.  The table format and lookups are doc‐
       umented in virtual(5). For an overview of Postfix address manipulations
       see the ADDRESS_REWRITING_README document.

       This feature is available in Postfix 2.0 and later. The  default  value
       is backwards compatible with Postfix version 1.1.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a  match
       is found.  Note: these lookups are recursive.

       If  you  use  this  feature with indexed files, run "postmap /etc/post‐
       fix/virtual" after changing the file.

       Examples:

       virtual_alias_maps = dbm:/etc/postfix/virtual
       virtual_alias_maps = hash:/etc/postfix/virtual

virtual_alias_recursion_limit (default: 1000)

       The maximal nesting depth of virtual alias  expansion.   Currently  the
       recursion  limit  is  applied  only to the left branch of the expansion
       graph, so the depth of the tree can in the worst case reach the sum  of
       the expansion and recursion limits.  This may change in the future.

       This feature is available in Postfix 2.1 and later.

virtual_delivery_status_filter (default: $default_delivery_status_filter)

       Optional  filter for the virtual(8) delivery agent to change the deliv‐
       ery status code or explanatory text of successful or  unsuccessful  de‐
       liveries.  See default_delivery_status_filter for details.

       This feature is available in Postfix 3.0 and later.

virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same  destination  via
       the  virtual  message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the  first  field
       in the entry in the master.cf file.

virtual_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for  the  virtual  message
       delivery  transport.  This  limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in  the
       master.cf file.

       Setting  this  parameter  to  a  value of 1 changes the meaning of vir‐
       tual_destination_concurrency_limit from  concurrency  per  domain  into
       concurrency per recipient.

virtual_gid_maps (default: empty)

       Lookup  tables  with  the per-recipient group ID for virtual(8) mailbox
       delivery.

       This parameter is specific to the virtual(8) delivery agent.   It  does
       not  apply  when  mail is delivered with a different mail delivery pro‐
       gram.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or  comma. Tables will be searched in the specified order until a match
       is found.

       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
       any  user  in  the  specified  domain  that  does  not  have a specific
       "user@domain.tld" entry.

       When  a  recipient  address   has   an   optional   address   extension
       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
       address first, and when the lookup fails, it looks  up  the  unextended
       address (user@domain.tld).

       Note  1:  for security reasons, the virtual(8) delivery agent disallows
       regular expression substitution of $1 etc. in regular expression lookup
       tables, because that would open a security hole.

       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
       silently ignore requests to use the proxymap(8) server. Instead it will
       open the table directly. Before Postfix version 2.2, the virtual(8) de‐
       livery agent will terminate with a fatal error.

virtual_mailbox_base (default: empty)

       A prefix that the virtual(8) delivery agent prepends  to  all  pathname
       results  from  $virtual_mailbox_maps  table  lookups.  This is a safety
       measure to ensure that an out of control map doesn't  litter  the  file
       system with mailboxes.  While virtual_mailbox_base could be set to "/",
       this setting isn't recommended.

       This parameter is specific to the virtual(8) delivery agent.   It  does
       not  apply  when  mail is delivered with a different mail delivery pro‐
       gram.

       Example:

       virtual_mailbox_base = /var/mail

virtual_mailbox_domains (default: $virtual_mailbox_maps)

       Postfix is the final destination for the  specified  list  of  domains;
       mail  is  delivered via the $virtual_transport mail delivery transport.
       By default this is the Postfix virtual(8)  delivery  agent.   The  SMTP
       server validates recipient addresses with $virtual_mailbox_maps and re‐
       jects mail for non-existent recipients.  See also the  virtual  mailbox
       domain class in the ADDRESS_CLASS_README file.

       This  parameter expects the same syntax as the mydestination configura‐
       tion parameter.

       This feature is available in Postfix 2.0 and later. The  default  value
       is backwards compatible with Postfix version 1.1.

virtual_mailbox_limit (default: 51200000)

       The  maximal  size  in  bytes  of  an  individual virtual(8) mailbox or
       maildir file, or zero (no limit).

       This parameter is specific to the virtual(8) delivery agent.   It  does
       not  apply  when  mail is delivered with a different mail delivery pro‐
       gram.

virtual_mailbox_lock (default: see postconf -d output)

       How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
       For  a  list  of  available file locking methods, use the "postconf -l"
       command.

       This parameter is specific to the virtual(8) delivery agent.   It  does
       not  apply  when  mail is delivered with a different mail delivery pro‐
       gram.

       This setting is ignored with maildir style delivery, because  such  de‐
       liveries are safe without application-level locks.

       Note  1:  the dotlock method requires that the recipient UID or GID has
       write access to the parent directory of the recipient's mailbox file.

       Note 2: the default setting of this parameter is system dependent.

virtual_mailbox_maps (default: empty)

       Optional lookup tables with all valid addresses  in  the  domains  that
       match $virtual_mailbox_domains.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a  match
       is found.

       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
       any user in  the  specified  domain  that  does  not  have  a  specific
       "user@domain.tld" entry.

       With  the  default  "virtual_mailbox_domains  = $virtual_mailbox_maps",
       lookup tables also need entries with a left-hand side  of  "domain.tld"
       to  satisfy virtual_mailbox_domains lookups (the right-hand side is re‐
       quired but will not be used).

       The remainder of this text  is  specific  to  the  virtual(8)  delivery
       agent.   It does not apply when mail is delivered with a different mail
       delivery program.

       The virtual(8) delivery agent uses this table to look up the per-recip‐
       ient mailbox or maildir pathname.  If the lookup result ends in a slash
       ("/"), maildir-style delivery is carried out, otherwise the path is as‐
       sumed  to  specify a UNIX-style mailbox file.  Note that $virtual_mail‐
       box_base is unconditionally prepended to this path.

       When  a  recipient  address   has   an   optional   address   extension
       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
       address first, and when the lookup fails, it looks  up  the  unextended
       address (user@domain.tld).

       Note  1:  for security reasons, the virtual(8) delivery agent disallows
       regular expression substitution of $1 etc. in regular expression lookup
       tables, because that would open a security hole.

       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
       silently ignore requests to use the proxymap(8) server. Instead it will
       open the table directly. Before Postfix version 2.2, the virtual(8) de‐
       livery agent will terminate with a fatal error.

virtual_maps (default: empty)

       Optional lookup tables with a) names of domains for which all addresses
       are  aliased  to addresses in other local or remote domains, and b) ad‐
       dresses that are aliased to addresses in other local or remote domains.
       Available  before  Postfix  version  2.0.  With Postfix version 2.0 and
       later, this is replaced by separate controls: virtual_alias_domains and
       virtual_alias_maps.

virtual_minimum_uid (default: 100)

       The minimum user ID value that the virtual(8) delivery agent accepts as
       a result from $virtual_uid_maps table  lookup.   Returned  values  less
       than this will be rejected, and the message will be deferred.

       This  parameter  is specific to the virtual(8) delivery agent.  It does
       not apply when mail is delivered with a different  mail  delivery  pro‐
       gram.

virtual_transport (default: virtual)

       The  default mail delivery transport and next-hop destination for final
       delivery to domains listed with $virtual_mailbox_domains.  This  infor‐
       mation can be overruled with the transport(5) table.

       Specify  a string of the form transport:nexthop, where transport is the
       name of a mail delivery transport defined in master.cf.   The  :nexthop
       destination is optional; its syntax is documented in the manual page of
       the corresponding delivery agent.

       This feature is available in Postfix 2.0 and later.

virtual_uid_maps (default: empty)

       Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
       ery agent uses while writing to the recipient's mailbox.

       This  parameter  is specific to the virtual(8) delivery agent.  It does
       not apply when mail is delivered with a different  mail  delivery  pro‐
       gram.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a  match
       is found.

       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
       any user in  the  specified  domain  that  does  not  have  a  specific
       "user@domain.tld" entry.

       When   a   recipient   address   has   an  optional  address  extension
       (user+foo@domain.tld), the virtual(8) delivery agent looks up the  full
       address  first,  and  when the lookup fails, it looks up the unextended
       address (user@domain.tld).

       Note 1: for security reasons, the virtual(8) delivery  agent  disallows
       regular expression substitution of $1 etc. in regular expression lookup
       tables, because that would open a security hole.

       Note 2: for  security  reasons,  the  virtual(8)  delivery  agent  will
       silently ignore requests to use the proxymap(8) server. Instead it will
       open the table directly. Before Postfix version 2.2, the virtual(8) de‐
       livery agent will terminate with a fatal error.

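       The following added example is not Postfix code. It is an  audit sketch
       that applies the lookup order and path rules described above under vir‐
       tual_mailbox_maps, virtual_mailbox_base, virtual_minimum_uid  and  vir‐
       tual_uid_maps to constructed tables. The "+" delimiter, joining the base
       with "/", the containment check and all names are assumptions.

```python
import posixpath

def lookup(table, address, delimiter="+"):
    """Try keys in the order the page gives: the full address, then the
    unextended address, then the "@domain.tld" catch-all."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    if delimiter in local:
        keys.append(local.split(delimiter, 1)[0] + "@" + domain)
    keys.append("@" + domain)
    return next((table[k] for k in keys if k in table), None)

def audit_recipient(address, mailbox_maps, uid_maps, base, minimum_uid=100):
    """Return (style, path, findings) for one recipient address."""
    result = lookup(mailbox_maps, address)
    if result is None:
        return (None, None, ["no virtual_mailbox_maps entry: recipient is rejected"])
    findings = []
    # virtual_mailbox_base is unconditionally prepended, even to results
    # that look absolute. Joining with "/" is this sketch's assumption.
    path = base.rstrip("/") + "/" + result
    root = posixpath.normpath(base or "/")
    prefix = root if root.endswith("/") else root + "/"
    # Audit policy of this example, not a documented Postfix check.
    if not (posixpath.normpath(path) + "/").startswith(prefix):
        findings.append("map result climbs out of virtual_mailbox_base")
    if root == "/":
        findings.append('virtual_mailbox_base is "/" or empty: no containment')
    uid = lookup(uid_maps, address)
    if uid is None:
        findings.append("no virtual_uid_maps entry")
    elif int(uid) < minimum_uid:
        findings.append(f"uid {uid} is below virtual_minimum_uid: mail is deferred")
    # A trailing slash selects maildir-style delivery.
    style = "maildir" if result.endswith("/") else "mailbox"
    return (style, path, findings)

# Constructed tables standing in for hash: maps.
MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",
    "bob@example.com": "example.com/bob",
    "eve@example.com": "../other-tree/eve",
    "@example.com": "example.com/catchall/",
}
UID_MAPS = {"@example.com": "5000", "bob@example.com": "0"}

if __name__ == "__main__":
    for rcpt in ("alice+lists@example.com", "bob@example.com",
                 "eve@example.com", "nobody@example.com", "x@example.net"):
        print(rcpt, audit_recipient(rcpt, MAILBOX_MAPS, UID_MAPS, "/var/mail"))
```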

SEE ALSO

       postconf(1), Postfix configuration parameter maintenance
       master(5), Postfix daemon configuration maintenance

LICENSE

       The Secure Mailer license must be distributed with this software.

AUTHOR(S)

       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Wietse Venema
       Google, Inc.
       111 8th Avenue
       New York, NY 10011, USA

       Viktor Dukhovni