POSTCONF(5)                   File Formats Manual                  POSTCONF(5)

NAME
       postconf - Postfix configuration parameters

SYNOPSIS
       postconf parameter ...

       postconf -e "parameter=value" ...

DESCRIPTION
       The Postfix main.cf configuration file specifies a small subset of all the parameters that control the operation of the Postfix mail system. Parameters not specified in main.cf are left at their default values.

       The general format of the main.cf file is as follows:

       ·      Each logical line has the form "parameter = value". Whitespace around the "=" is ignored, as is whitespace at the end of a logical line.

       ·      Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a `#'.

       ·      A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line.

       ·      A parameter value may refer to other parameters.

              ·      The expressions "$name", "${name}" or "$(name)" are recursively replaced by the value of the named parameter.

              ·      The expression "${name?value}" expands to "value" when "$name" is non-empty. This form is supported with Postfix version 2.2 and later.

              ·      The expression "${name:value}" expands to "value" when "$name" is empty. This form is supported with Postfix version 2.2 and later.

              ·      Specify "$$" to produce a single "$" character.

       ·      When the same parameter is defined multiple times, only the last instance is remembered.

       ·      Otherwise, the order of main.cf parameter definitions does not matter.

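       As an added illustration (not part of the postconf(5) manual page and not Postfix code), the following Python reader applies the main.cf line rules above and the "$name", "${name}", "$(name)", "${name?value}", "${name:value}" and "$$" expansion rules; the sample main.cf text is constructed for this example, and a reference to an undefined parameter is treated as empty.

```python
import re

# Constructed sample main.cf text for this example (not from a real installation).
SAMPLE_MAIN_CF = """\
# Lines whose first non-whitespace character is '#' are comments.
myhostname = mail.example.test
mydomain   = example.test
myorigin   = $mydomain
relayhost  =
smtp_helo_name = ${relayhost?relay-out.$mydomain}${relayhost:$myhostname}
mynetworks = 127.0.0.0/8,
    [::1]/128
message_note = costs $$5 per message
myorigin   = $(myhostname)
"""

_NAME = r"[A-Za-z0-9_]+"
# One reference: "$$", "${...}", "$(...)" or "$name".
_TOKEN = re.compile(r"\$\$|\$\{([^}]*)\}|\$\(([^)]*)\)|\$(%s)" % _NAME)
# Inside ${...}: "name?value" or "name:value".
_COND = re.compile(r"^(%s)([?:])(.*)$" % _NAME, re.S)


def parse_main_cf(text):
    """Return {parameter: raw value} using the main.cf line rules: comment,
    empty and whitespace-only lines are ignored, a line that starts with
    whitespace continues the logical line, whitespace around "=" and at the
    end of a logical line is dropped, and the last definition wins."""
    params = {}
    pending = []

    def flush():
        if not pending:
            return
        line = " ".join(part.strip() for part in pending)
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed logical line: %r" % line)
        params[name.strip()] = value.strip()
        pending.clear()

    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            pending.append(raw)          # continuation of the current logical line
        else:
            flush()                      # a non-whitespace start opens a new logical line
            pending.append(raw)
    flush()
    return params


def expand(params, value, depth=0):
    """Recursively replace $name, ${name}, $(name), ${name?value},
    ${name:value} and $$ in value. A reference to an undefined parameter
    expands to the empty string; runaway recursion raises ValueError."""
    if depth > 64:
        raise ValueError("parameter expansion does not terminate")

    def replace(match):
        if match.group(0) == "$$":
            return "$"
        body = next(g for g in match.groups() if g is not None)
        cond = _COND.match(body)
        if cond is None:                         # plain $name, ${name} or $(name)
            return expand(params, params.get(body, ""), depth + 1)
        name, op, alt = cond.groups()
        non_empty = expand(params, params.get(name, ""), depth + 1) != ""
        if (op == "?") == non_empty:             # "?" needs non-empty, ":" needs empty
            return expand(params, alt, depth + 1)
        return ""

    return _TOKEN.sub(replace, value)


def expand_all(text):
    """Parse main.cf text and return every parameter with references resolved."""
    params = parse_main_cf(text)
    return {name: expand(params, raw) for name, raw in params.items()}


if __name__ == "__main__":
    for name, value in sorted(expand_all(SAMPLE_MAIN_CF).items()):
        print("%s = %s" % (name, value))
```
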
       The remainder of this document is a description of all Postfix configuration parameters. Default values are shown after the parameter name in parentheses, and can be looked up with the "postconf -d" command.

       Note: this is not an invitation to make changes to Postfix configuration parameters. Unnecessary changes can impair the operation of the mail system.

       The recipient of undeliverable mail that cannot be returned to the sender. This feature is enabled with the notify_classes parameter.

       The numerical Postfix SMTP server response code when a client is rejected by an access(5) map restriction.

       Do not change this unless you have a complete understanding of RFC 821.

       Overrides the default_transport parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

       Overrides the local_transport parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

       Optional lookup table for persistent address verification status storage. The table is maintained by the verify(8) service, and is opened before the process releases privileges.

       By default, the information is kept in volatile memory, and is lost after "postfix reload" or "postfix stop".

       Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover, delete the file and do "postfix reload".

       Examples:

              address_verify_map = hash:/etc/postfix/verify
              address_verify_map = btree:/etc/postfix/verify

       This feature is available in Postfix 2.1 and later.

       Enable caching of failed address verification probe results. When this feature is enabled, the cache may quickly fill up with garbage. When this feature is disabled, Postfix will generate an address probe for every lookup.

       This feature is available in Postfix 2.1 and later.

       The time after which a failed probe expires from the address verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

       The time after which a failed address verification probe needs to be refreshed.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

       How many times to query the verify(8) service for the completion of an address verification request in progress.

       The default poll count is 3.

       Specify 1 to implement a crude form of greylisting, that is, always defer the first delivery request for a never-seen-before address.

       Example:

              address_verify_poll_count = 1

       This feature is available in Postfix 2.1 and later.

       The delay between queries for the completion of an address verification request in progress.

       The default polling delay is 3 seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

       The time after which a successful probe expires from the address verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

       The time after which a successful address verification probe needs to be refreshed. The address verification status is not updated when the probe fails (optimistic caching).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

       Overrides the relay_transport parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

       Overrides the relayhost parameter setting for address verification probes. This information can be overruled with the transport(5) table.

       This feature is available in Postfix 2.1 and later.

       The sender address to use in address verification probes. To avoid problems with address probes that are sent in response to address probes, the Postfix SMTP server excludes the probe sender address from all SMTPD access blocks.

       Specify an empty value (address_verify_sender =) or <> if you want to use the null sender address. Beware, some sites reject mail from <>, even though RFCs require that such addresses be accepted.

       Examples:

              address_verify_sender = <>
              address_verify_sender = postmaster@my.domain

       This feature is available in Postfix 2.1 and later.

       Overrides the sender_dependent_relayhost_maps parameter setting for address verification probes.

       This feature is available in Postfix 2.3 and later.

       The name of the verify(8) address verification service. This service maintains the status of sender and/or recipient address verification probes, and generates probes on request by other Postfix processes.

       Overrides the transport_maps parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

       Overrides the virtual_transport parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

       The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".

       This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.

       Examples:

              alias_database = hash:/etc/aliases
              alias_database = hash:/etc/mail/aliases

       The alias databases that are used for local(8) delivery. See aliases(5) for syntax details.

       The default list is system dependent. On systems with NIS, the default is to search the local alias database, then the NIS alias database.

       If you change the alias database, run "postalias /etc/aliases" (or wherever your system stores the mail alias file), or simply run "newaliases" to build the necessary DBM or DB file.

       The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole.

       The local(8) delivery agent will silently ignore requests to use the proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent will terminate with a fatal error.

       Examples:

              alias_maps = hash:/etc/aliases, nis:mail.aliases
              alias_maps = hash:/etc/aliases

       Restrict local(8) mail delivery to external commands. The default is to disallow delivery to "|command" in :include: files (see aliases(5) for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow commands in aliases(5), .forward files or in :include: files, respectively.

       Example:

              allow_mail_to_commands = alias,forward,include

       Restrict local(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include: files (see aliases(5) for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow "/file/name" destinations in aliases(5), .forward files and in :include: files, respectively.

       Example:

              allow_mail_to_files = alias,forward,include

       Allow a recipient address to have `-' as the first character. By default, this is not allowed, to avoid accidents with software that passes email addresses via the command line. Such software would not be able to distinguish a malicious address from a bona fide command-line option. Although this can be prevented by inserting a "--" option terminator into the command line, this is difficult to enforce consistently and globally.

       Enable the rewriting of the form "user%domain" to "user@domain". This is enabled by default.

       Note: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches $local_header_rewrite_clients,

       ·      The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

       To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

       Example:

              allow_percent_hack = no

       Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains.

       By default, this feature is turned off. This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host which then spams it out to the world.

       This parameter also controls whether non-local addresses with sender-specified routing can match Postfix access tables. By default, such addresses cannot match Postfix access tables, because the address is ambiguous.

       A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line, or via the MAIL_CONFIG environment parameter.

       This list must be specified in the default Postfix configuration directory, and is used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

       Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system.

       Note: if mail to the BCC address bounces it will be returned to the sender.

       Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally, nor for mail that Postfix generates itself.

       The time unit over which client connection rates and other rates are calculated.

       This feature is implemented by the anvil(8) service which is available in Postfix version 2.2 and later.

       The default interval is relatively short. Because of the high frequency of updates, the anvil(8) server uses volatile memory only. Thus, information is lost whenever the process terminates.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

       How frequently the anvil(8) connection and rate limiting server logs peak usage information.

       This feature is available in Postfix 2.2 and later.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

       With locally submitted mail, append the string "@$myorigin" to mail addresses without domain information. With remotely submitted mail, append the string "@$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default and must not be turned off. Postfix does not support domain-less addresses.

       Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches $local_header_rewrite_clients,

       ·      The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

       To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

       With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default. If disabled, users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead.

       Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches $local_header_rewrite_clients,

       ·      The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

       To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

       How long the postkick(1) command waits for a request to enter the server's input buffer before giving up.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

       List of users who are authorized to flush the queue.

       By default, all users are allowed to flush the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

       List of users who are authorized to view the queue.

       By default, all users are allowed to view the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

       List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

       By default, all users are allowed to submit mail. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users, specify an empty list.

       Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

       Example:

              authorized_submit_users = !www, static:all

       This feature is available in Postfix 2.2 and later.

       What SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a time with a per-recipient return address.

       By default, only trusted clients are allowed to specify XVERP.

       This parameter was introduced with Postfix version 1.1. Postfix version 2.1 renamed this parameter to smtpd_authorized_verp_clients and changed the default to none.

       Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify hostnames or .domain names (the initial dot causes the domain to match any name below it), "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in the authorized_verp_clients value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.
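
       The list rules shared by the user lists above (authorized_submit_users and the queue flush and view lists) and by the client list of authorized_verp_clients, as an added Python model that is not Postfix code: patterns are tried left to right, the first match decides, "!pattern" excludes, "/file/name" is replaced by the file's contents, and "type:table" matches on the lookup key. The password-file and file-contents mappings are constructed stand-ins, only the static: table type is modelled, and the "unknown" login name and the IPv6-in-brackets rule from the text are both handled.

```python
import ipaddress
import re

_SEP = re.compile(r"[\s,]+")           # items are separated by commas and/or whitespace
_TABLE = re.compile(r"^[a-z0-9_]+:")   # "type:table" pattern; an unbracketed IPv6 address
                                       # such as dead:beef::1 would look like one, hence []

# Constructed stand-ins for the system password file and for "/file/name" contents.
PASSWD = {0: "root", 33: "www", 1000: "alice"}
FILES = {"/etc/postfix/blocked_users": "www\nnobody\n"}


def _read_disk_file(path):
    with open(path) as handle:
        return handle.read()


def _lookup_table(table, key):
    """Stand-in for a "type:table" lookup. Only the static: type is modelled:
    it matches every key, which is why "static:all" means "everyone"."""
    table_type = table.partition(":")[0]
    if table_type == "static":
        return True
    raise ValueError("table type %r is not modelled in this example" % table_type)


def _flatten(value, read_file, negated=False):
    """Yield (negated, pattern) pairs in list order. A "/file/name" item is
    replaced by the patterns in that file; a leading "!" inverts an item."""
    for item in _SEP.split(value.strip()):
        if not item:
            continue
        neg = negated
        if item.startswith("!"):
            neg, item = not neg, item[1:]
        if item.startswith("/"):
            yield from _flatten(read_file(item), read_file, neg)
        else:
            yield neg, item


def list_allows(value, subject, match_one, keys, read_file=_read_disk_file):
    """Left-to-right matching: the first matching pattern decides ("!pattern"
    means exclude); an empty list or no match means the subject is not listed."""
    for negated, pattern in _flatten(value, read_file):
        if _TABLE.match(pattern):
            hit = any(_lookup_table(pattern, key) for key in keys(subject))
        else:
            hit = match_one(pattern, subject)
        if hit:
            return not negated
    return False


def submit_allowed(authorized_submit_users, real_uid, passwd=PASSWD, read_file=_read_disk_file):
    """authorized_submit_users check: the real UID is mapped to a login name
    ("unknown" when it is absent from the password file) and that name is matched."""
    login = passwd.get(real_uid, "unknown")
    return list_allows(authorized_submit_users, login,
                       match_one=lambda pattern, name: pattern == name,
                       keys=lambda name: [name], read_file=read_file)


def _match_client(pattern, client):
    """One client-list pattern: [IPv6]/bits, IPv4 address or network/netmask,
    ".domain" (any name below it), or an exact hostname."""
    address = ipaddress.ip_address(client[0])
    hostname = client[1].lower()
    if pattern.startswith("["):
        net_text, _, bits = pattern[1:].partition("]")
        return address in ipaddress.ip_network(net_text + bits, strict=False)
    if re.match(r"^[0-9.]+(/\d+)?$", pattern):
        return address in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):
        return hostname.endswith(pattern.lower())
    return hostname == pattern.lower()


def client_allowed(value, ip, hostname, read_file=_read_disk_file):
    """authorized_verp_clients-style check for a client given by address and name."""
    return list_allows(value, (ip, hostname), _match_client,
                       keys=lambda client: [client[0], client[1]], read_file=read_file)


if __name__ == "__main__":
    print(submit_allowed("!www, static:all", 33))      # www is excluded before static:all
    print(submit_allowed("!www, static:all", 4242))    # unknown UID -> "unknown" -> allowed
    print(client_allowed("127.0.0.0/8, [::1]/128, .example.test", "::1", "localhost"))
```
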

       Produce additional bounce(8) logfile records that can be read by Postfix versions before 2.0. The current and more extensible "name = value" format is needed in order to implement more sophisticated functionality.

       This feature is available in Postfix 2.1 and later.

       The per-table I/O buffer size for programs that create Berkeley DB hash or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

       The per-table I/O buffer size for programs that read Berkeley DB hash or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

       Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. This happens when the local MTA is the best SMTP mail exchanger for a destination not listed in $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains. By default, the Postfix SMTP client returns such mail as undeliverable.

       Specify, for example, "best_mx_transport = local" to pass the mail from the Postfix SMTP client to the local(8) delivery agent. You can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop".

       However, this feature is expensive because it ties up a Postfix SMTP client process while the local(8) delivery agent is doing its work. It is more efficient (for Postfix) to list all hosted domains in a table or database.

       Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".

       For compatibility reasons this feature is on by default. On systems with lots of interactive users, the biff service can be a performance drain. Specify "biff = no" in main.cf to disable.

       Optional lookup tables for content inspection as specified in the body_checks(5) manual page.

       Note: with Postfix versions before 2.0, these rules inspect all content after the primary message headers.

       How much text in a message body segment (or attachment, if you prefer to use that term) is subjected to body_checks inspection. The amount of text is limited to avoid scanning huge attachments.

       This feature is available in Postfix 2.0 and later.

       The recipient of postmaster notifications with the message headers of mail that Postfix did not deliver and of SMTP conversation transcripts of mail that Postfix did not receive. This feature is enabled with the notify_classes parameter.

       The maximal time a bounce message is queued before it is considered undeliverable. By default, this is the same as the queue life time for regular mail.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

       Specify 0 when mail delivery should be tried only once.

       This feature is available in Postfix 2.1 and later.

       The name of the bounce(8) service. This service maintains a record of failed delivery attempts and generates non-delivery notifications.

       This feature is available in Postfix 2.0 and later.

       The maximal amount of original message text that is sent in a non-delivery notification. Specify a byte count. If you increase this limit, then you should increase the mime_nesting_limit value proportionally.

       Pathname of a configuration file with bounce message templates. These override the built-in templates of delivery status notification (DSN) messages for undeliverable mail, for delayed mail, successful delivery, or delivery verification. The bounce(5) manual page describes how to edit and test template files.

       Template message body text may contain $name references to Postfix configuration parameters. The result of $name expansion can be previewed with "postconf -b file_name" before the file is placed into the Postfix configuration directory.

       This feature is available in Postfix 2.3 and later.

       Enable inter-operability with SMTP clients that implement an obsolete version of the AUTH command (RFC 2554). Examples of such clients are Microsoft Outlook Express version 4 and Microsoft Exchange version 5.0.

       Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)
       What addresses are subject to canonical_maps address mapping. By default, canonical_maps address mapping is applied to envelope sender and recipient addresses, and to header sender and header recipient addresses.

       Specify one or more of: envelope_sender, envelope_recipient, header_sender, header_recipient

       This feature is available in Postfix 2.2 and later.

       Optional address mapping lookup tables for message headers and envelopes. The mapping is applied to both sender and recipient addresses, in both envelopes and in headers, as controlled with the canonical_classes parameter. This is typically used to clean up dirty addresses from legacy mail systems, or to replace login names by Firstname.Lastname. The table format and lookups are documented in canonical(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.

       If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary DBM or DB file after every change. The changes will become visible after a minute or so. Use "postfix reload" to eliminate the delay.

       Note: with Postfix version 2.2, message header address mapping happens only when message header address rewriting is enabled:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches $local_header_rewrite_clients,

       ·      The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

       To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

       Examples:

              canonical_maps = dbm:/etc/postfix/canonical
              canonical_maps = hash:/etc/postfix/canonical

       The name of the cleanup(8) service. This service rewrites addresses into the standard form, and performs canonical(5) address mapping and virtual(5) aliasing.

       This feature is available in Postfix 2.0 and later.

       The location of all postfix administrative commands.

       The local(8) delivery agent working directory for delivery to an external command. Failure to change directory causes the delivery to be deferred.

       The following $name expansions are done on command_execution_directory before the directory is changed. Expansion happens in the context of the delivery request. The result of $name expansion is filtered with the character set that is specified with the execution_directory_expansion_filter parameter.

       $user  The recipient's username.

       $shell The recipient's login shell pathname.

       $home  The recipient's home directory.

       $recipient
              The full recipient address.

       $extension
              The optional recipient address extension.

       $domain
              The recipient domain.

       $local The entire recipient localpart.

       $recipient_delimiter
              The system-wide recipient address extension delimiter.

       ${name?value}
              Expands to value when $name is non-empty.

       ${name:value}
              Expands to value when $name is empty.

       Instead of $name you can also specify ${name} or $(name).

       This feature is available in Postfix 2.2 and later.

733 Restrict the characters that the local(8) delivery agent allows in
734 $name expansions of $mailbox_command. Characters outside the allowed
735 set are replaced by underscores.
736
738 Time limit for delivery to external commands. This limit is used by the
739 local(8) delivery agent, and is the default time limit for delivery by
740 the pipe(8) delivery agent.
741
742 Note: if you set this time limit to a large value you must update the
743 global ipc_timeout parameter as well.
744
746 The default location of the Postfix main.cf and master.cf configuration
747 files. This can be overruled via the following mechanisms:
748
749 · The MAIL_CONFIG environment variable (daemon processes and com‐
750 mands).
751
752 · The "-c" command-line option (commands only).
753
754 With Postfix command that run with set-gid privileges, a config_direc‐
755 tory override requires either root privileges, or it requires that the
756 directory is listed with the alternate_config_directories parameter in
757 the default main.cf file.
758
760 Time limit for connection cache connect, send or receive operations.
761 The time limit is enforced in the client.
762
763 This feature is available in Postfix 2.3 and later.
764
766 The name of the scache(8) connection cache service. This service main‐
767 tains a limited pool of cached sessions.
768
770 How frequently the scache(8) server logs usage statistics with connec‐
771 tion cache hit and miss rates for logical destinations and for physical
772 endpoints.
773
775 The maximal time-to-live value that the scache(8) connection cache
776 server allows. Requests that specify a larger TTL will be stored with
777 the maximum allowed TTL. The purpose of this additional control is to
778 protect the infrastructure against careless people. The cache TTL is
779 already bounded by $max_idle.
780
782 The name of a mail delivery transport that filters mail after it is
783 queued.
784
785 This parameter uses the same syntax as the right-hand side of a Postfix
786 transport(5) table. This setting has a lower precedence than a content
787 filter that is specified with an access(5) table or in a
788 header_checks(5) or body_checks(5) table.
789
The directory with Postfix support programs and daemon programs. These
should not be invoked directly by humans. The directory must be owned
by root.

How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The increment in verbose logging level when a remote client or server
matches a pattern in the debug_peer_list parameter.

Optional list of remote client or server hostname or network address
patterns that cause the verbose logging level to increase by the amount
specified in $debug_peer_level.

Specify domain names, network/netmask patterns, "/file/name" patterns
or "type:table" lookup tables. The right-hand side result from
"type:table" lookups is ignored.

Pattern matching of domain names is controlled by the
parent_domain_matches_subdomains parameter.

Examples:

debug_peer_list = 127.0.0.1
debug_peer_list = some.domain

The external command to execute when a Postfix daemon program is
invoked with the -D option.

Use "command .. & sleep 5" so that the debugger can attach before the
process marches on. If you use an X-based debugger, be sure to set up
your XAUTHORITY environment variable before starting Postfix.

Example:

debugger_command =
    PATH=/usr/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5

The default database type for use in newaliases(1), postalias(1) and
postmap(1) commands. On many UNIX systems the default type is either
dbm or hash. The default setting is frozen when the Postfix system is
built.

Examples:

default_database_type = hash
default_database_type = dbm

How often the Postfix queue manager's scheduler is allowed to preempt
delivery of one message with another.

Each transport maintains a so-called "available delivery slot counter"
for each message. One message can be preempted by another one when the
other message can be delivered using no more delivery slots (i.e.,
invocations of delivery agents) than the current message counter has
accumulated (or will eventually accumulate - see about slot loans
below). This parameter controls how often the counter is incremented:
it happens after each default_delivery_slot_cost recipients have been
delivered.

The cost of 0 is used to disable the preempting scheduling completely.
The minimum value the scheduling algorithm can use is 2 - use it if you
want to maximize the message throughput rate. Although there is no
maximum, it doesn't make much sense to use values above, say, 50.

The only reason why the value of 2 is not the default is the way this
parameter affects the delivery of mailing-list mail. In the worst case,
their delivery can take somewhere between (cost+1)/cost and
cost/(cost-1) times longer than if the preemptive scheduler was
disabled. The default value of 5 turns out to provide reasonable
message response times while making sure the mailing-list deliveries
are not extended by more than 20-25 percent even in the worst case.

Examples:

default_delivery_slot_cost = 0
default_delivery_slot_cost = 2

The default value for transport-specific _delivery_slot_discount
settings.

This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
transport_delivery_slot_discount percent of the required amount plus
transport_delivery_slot_loan still remains to be accumulated. Note that
the full amount will still have to be accumulated before another
preemption can take place later.

The default value for transport-specific _delivery_slot_loan settings.

This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
transport_delivery_slot_discount percent of the required amount plus
transport_delivery_slot_loan still remains to be accumulated. Note that
the full amount will still have to be accumulated before another
preemption can take place later.

The default maximal number of parallel deliveries to the same
destination. This is the default limit for delivery via the lmtp(8),
pipe(8), smtp(8) and virtual(8) delivery agents.

The default maximal number of recipients per message delivery. This is
the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
virtual(8) delivery agents.

Setting this parameter to a value of 1 changes the meaning of the
corresponding per-destination concurrency limit from concurrency per
domain into concurrency per recipient.

The default value for the extra per-transport limit imposed on the
number of in-memory recipients. This extra recipient space is reserved
for the cases when the Postfix queue manager's scheduler preempts one
message with another and suddenly needs some extra recipient slots for
the chosen message in order to avoid performance degradation.

How many recipients a message must have in order to invoke the Postfix
queue manager's scheduling algorithm at all. Messages which would
never accumulate at least this many delivery slots (subject to the slot
cost parameter as well) are never preempted.

The default rights used by the local(8) delivery agent for delivery to
an external file or command. These rights are used when delivery is
requested from an aliases(5) file that is owned by root, or when
delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR
THE POSTFIX OWNER.

The default maximal number of Postfix child processes that provide a
given service. This limit can be overruled for specific services in the
master.cf file.

The default SMTP server response template for a request that is
rejected by an RBL-based restriction. This template can be overruled by
specific entries in the optional rbl_reply_maps lookup table.

This feature is available in Postfix 2.0 and later.

The template is subject to exactly one level of $name substitution:

$client
    The client hostname and IP address, formatted as name[address].

$client_address
    The client IP address.

$client_name
    The client hostname or "unknown". See
    reject_unknown_client_hostname for more details.

$reverse_client_name
    The client hostname from address->name lookup, or "unknown".
    See reject_unknown_reverse_client_hostname for more details.

$helo_name
    The hostname given in the HELO or EHLO command, or an empty string.

$rbl_class
    The blacklisted entity type: Client host, Helo command, Sender
    address, or Recipient address.

$rbl_code
    The numerical SMTP response code, as specified with the
    maps_rbl_reject_code configuration parameter. Note: The
    numerical SMTP response code is required, and must appear at the
    start of the reply. With Postfix version 2.3 and later this
    information may be followed by an RFC 3463 enhanced status code.

$rbl_domain
    The RBL domain where $rbl_what is blacklisted.

$rbl_reason
    The reason why $rbl_what is blacklisted, or an empty string.

$rbl_what
    The entity that is blacklisted (an IP address, a hostname, a
    domain name, or an email address whose domain was blacklisted).

$recipient
    The recipient address or <> in case of the null address.

$recipient_domain
    The recipient domain or empty string.

$recipient_name
    The recipient address localpart or <> in case of the null address.

$sender
    The sender address or <> in case of the null address.

$sender_domain
    The sender domain or empty string.

$sender_name
    The sender address localpart or <> in case of the null address.

${name?text}
    Expands to `text' if $name is not empty.

${name:text}
    Expands to `text' if $name is empty.

Instead of $name you can also specify ${name} or $(name).

Note: when an enhanced status code is specified in an RBL reply
template, it is subject to modification. The following transformations
are needed when the same RBL reply template is used for client, helo,
sender, or recipient access restrictions.

· When rejecting a sender address, the Postfix SMTP server will
  transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
  corresponding sender DSN status, and vice versa.

· When rejecting non-address information (such as the HELO command
  argument or the client hostname/address), the Postfix SMTP
  server will transform a sender or recipient DSN status into a
  generic non-address DSN status (e.g., 4.0.0).

The default per-transport upper limit on the number of in-memory
recipients. These limits take priority over the global
qmgr_message_recipient_limit after the message has been assigned to the
respective transports. See also default_extra_recipient_limit and
qmgr_message_recipient_minimum.

The default per-transport maximum delay between recipient refills.
When not all message recipients fit into memory at once, keep loading
more of them at least once every this many seconds. This is used to
make sure the recipients are refilled in a timely manner even when
$default_recipient_refill_limit is too high for too slow deliveries.

The default per-transport limit on the number of recipients refilled at
once. When not all message recipients fit into memory at once, keep
loading more of them in batches of at least this many at a time. See
also $default_recipient_refill_delay, which may result in recipient
batches smaller than this when this limit is too high for too slow
deliveries.

The default mail delivery transport and next-hop destination for
destinations that do not match $mydestination, $inet_interfaces,
$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
$relay_domains. In order of decreasing precedence, the nexthop
destination is taken from $default_transport,
$sender_dependent_relayhost_maps, $relayhost, or from the recipient
domain. This information can be overruled with the transport(5) table.

Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
part is optional. For more details see the transport(5) manual page.

Example:

default_transport = uucp:relayhostname

The two default VERP delimiter characters. These are used when no
explicit delimiters are specified with the SMTP XVERP command or with
the "sendmail -V" command-line option. Specify characters that are
allowed by the verp_delimiter_filter setting.

This feature is available in Postfix 1.1 and later.

The numerical Postfix SMTP server response code when a remote SMTP
client request is rejected by the "defer" restriction.

Do not change this unless you have a complete understanding of RFC 821.

The name of the defer service. This service is implemented by the
bounce(8) daemon and maintains a record of failed delivery attempts and
generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The names of message delivery transports that should not deliver mail
unless someone issues "sendmail -q" or equivalent. Specify zero or more
names of mail delivery transports that appear in the first field of
master.cf.

Example:

defer_transports = smtp

The maximal number of digits after the decimal point when logging
sub-second delay values. Specify a number in the range 0..6.

Large delay values are rounded off to an integral number of seconds;
delay values below the delay_logging_resolution_limit are logged as
"0", and small delay values are logged with at most two-digit
precision.

The format of the "delays=a/b/c/d" logging is as follows:

· a = time from message arrival to last active queue entry

· b = time from last active queue entry to connection setup

· c = time in connection setup, including DNS, EHLO and TLS

· d = time in message transmission

This feature is available in Postfix 2.3 and later.
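The "delays=a/b/c/d" format above, as an added example that is not part of the postconf(5) manual: a small Python parser run over constructed Postfix log lines that reports which of the four stages dominated each delivery and checks that the components add up to the "delay=" total within logging rounding. The stage names, the log lines (hostnames, addresses, queue ids) and the rounding slack are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Names assumed here for the four delays=a/b/c/d components, in order:
# a = arrival to last active-queue entry, b = active queue to connection
# setup, c = connection setup (DNS, EHLO, TLS), d = message transmission.
STAGES = ("arrival_to_active", "active_to_connect",
          "connection_setup", "transmission")

_QUEUE_ID = re.compile(r"postfix/\S+\[\d+\]: (?P<qid>[0-9A-Za-z]+):")
_DELAY = re.compile(r"\bdelay=(?P<total>[0-9.]+)")
_DELAYS = re.compile(r"\bdelays=([0-9.]+)/([0-9.]+)/([0-9.]+)/([0-9.]+)")

# Each component is logged rounded (at most two decimals, or whole seconds
# for large values), so a+b+c+d may miss delay= by a little (assumed slack).
ROUNDING_SLACK = 2.0


def parse_delays(line: str) -> Optional[Dict[str, float]]:
    """Return the four stage delays plus the delay= total for one log line,
    or None when the line carries no delays= field (e.g. qmgr lines)."""
    m = _DELAYS.search(line)
    if m is None:
        return None
    delays = dict(zip(STAGES, (float(v) for v in m.groups())))
    t = _DELAY.search(line)
    delays["total"] = float(t.group("total")) if t else sum(delays.values())
    return delays


def dominant_stage(delays: Dict[str, float]) -> str:
    """The stage that consumed the most time."""
    return max(STAGES, key=lambda s: delays[s])


def consistent(delays: Dict[str, float]) -> bool:
    """True when the components add up to delay= within rounding."""
    parts = sum(delays[s] for s in STAGES)
    return abs(parts - delays["total"]) <= ROUNDING_SLACK


def stage_report(log: str) -> List[Dict[str, object]]:
    """Summarise every delivery line in `log`: queue id, dominant stage,
    total delay and whether the components are internally consistent."""
    report: List[Dict[str, object]] = []
    for line in log.splitlines():
        delays = parse_delays(line)
        if delays is None:
            continue
        qid = _QUEUE_ID.search(line)
        report.append({
            "queue_id": qid.group("qid") if qid else "?",
            "dominant": dominant_stage(delays),
            "total": delays["total"],
            "consistent": consistent(delays),
        })
    return report


# Constructed log lines (hostnames, addresses and queue ids are invented).
SAMPLE_LOG = """\
Jan 10 12:00:01 mx1 postfix/smtp[2101]: 4F3C2A1B: to=<user@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=3.2, delays=0.05/0.01/2.9/0.24, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 12:05:17 mx1 postfix/smtp[2102]: 9A7D11C0: to=<other@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1805, delays=0.1/1790/12/3.1, dsn=2.0.0, status=sent (250 OK)
Jan 10 12:06:02 mx1 postfix/qmgr[1001]: 9A7D11C0: removed
"""

if __name__ == "__main__":
    for row in stage_report(SAMPLE_LOG):
        note = "" if row["consistent"] else " (components do not add up)"
        print(f"{row['queue_id']}: {row['total']}s, mostly {row['dominant']}{note}")
```

A long "b" component points at queue backlog on the sending side, while a long "c" points at DNS, connection or TLS setup to the remote host.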

The recipient of postmaster notifications with the message headers of
mail that cannot be delivered within $delay_warning_time time units.

This feature is enabled with the delay_warning_time parameter.

The time after which the sender receives the message headers of mail
that is still queued.

To enable this feature, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours).

The maximal number of attempts to acquire an exclusive lock on a
mailbox file or bounce(8) logfile.

The time between attempts to acquire an exclusive lock on a mailbox
file or bounce(8) logfile.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Disable DNS lookups in the Postfix SMTP and LMTP clients. When
disabled, hosts are looked up with the getaddrinfo() system library
routine which normally also looks in /etc/hosts.

DNS lookups are enabled by default.

Turn off MIME processing while receiving mail. This means that no
special treatment is given to Content-Type: message headers, and that
all text after the initial message headers is considered to be part of
the message body.

This feature is available in Postfix 2.0 and later.

MIME input processing is enabled by default, and is needed in order to
recognize MIME headers in message content.

Disable the conversion of 8BITMIME format to 7BIT format. MIME output
conversion is needed when the destination does not advertise 8BITMIME
support.

This feature is available in Postfix 2.0 and later.

Disable sending one bounce report per recipient.

The default, one per recipient, is what ezmlm needs.

This feature is available in Postfix 1.1 and later.

Disable the SMTP VRFY command. This stops some techniques used to
harvest email addresses.

Example:

disable_vrfy_command = no

Don't remove queue files and save them to the "saved" mail queue. This
is a debugging aid. To inspect the envelope information and content of
a Postfix queue file, use the postcat(1) command.

The sender address of postmaster notifications that are generated by
the mail system. All mail to this address is silently discarded, in
order to terminate mail bounce loops.

The maximal number of addresses remembered by the address duplicate
filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
queue displays.

The recipient of mail addressed to the null address. Postfix does not
accept such addresses in SMTP commands, but they may still be created
locally as the result of configuration or software error.

Report mail delivery errors to the address specified with the
non-standard Errors-To: message header, instead of the envelope sender
address (this feature is removed with Postfix version 2.2, is turned
off by default with Postfix version 2.1, and is always turned on with
older Postfix versions).

Enable support for the X-Original-To message header. This header is
needed for multi-recipient mailboxes.

When this parameter is set to yes, the cleanup(8) daemon performs
duplicate elimination on distinct pairs of (original recipient,
rewritten recipient), and generates non-empty original recipient queue
file records.

When this parameter is set to no, the cleanup(8) daemon performs
duplicate elimination on the rewritten recipient address only, and
generates empty original recipient queue file records.

This feature is available in Postfix 2.1 and later. With Postfix
version 2.0, support for the X-Original-To message header is always
turned on. Postfix versions before 2.0 have no support for the
X-Original-To message header.

The recipient of postmaster notifications about mail delivery problems
that are caused by policy, resource, software or protocol errors.
These notifications are enabled with the notify_classes parameter.

The name of the error(8) pseudo delivery agent. This service always
returns mail as undeliverable.

This feature is available in Postfix 2.0 and later.

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $command_execution_directory. Characters outside
the allowed set are replaced by underscores.

This feature is available in Postfix 2.2 and later.

When delivering to an alias "aliasname" that has an "owner-aliasname"
companion alias, set the envelope sender address to the expansion of
the "owner-aliasname" alias. Normally, Postfix sets the envelope sender
address to the name of the "owner-aliasname" alias.

The list of environment variables that a Postfix process will export to
non-Postfix processes. The TZ variable is needed for sane time keeping
on System-V-ish systems.

Specify a list of names and/or name=value pairs, separated by
whitespace or comma. The name=value form is supported with Postfix
version 2.1 and later.

Example:

export_environment = TZ PATH=/bin:/usr/bin

The maximal number of recipient addresses that Postfix will extract
from message headers when mail is submitted with "sendmail -t".

This feature was removed in Postfix version 2.1.

Optional list of relay hosts for SMTP destinations that can't be found
or that are unreachable. With Postfix 2.3 this parameter is renamed to
smtp_fallback_relay.

By default, mail is returned to the sender when a destination is not
found, and delivery is deferred when a destination is unreachable.

The fallback relays must be SMTP destinations. Specify a domain, host,
host:port, [host]:port, [address] or [address]:port; the form [host]
turns off MX lookups. If you specify multiple SMTP destinations,
Postfix will try them in the specified order.

Note: before Postfix 2.2, do not use the fallback_relay feature when
relaying mail for a backup or primary MX domain. Mail would loop
between the Postfix MX host and the fallback_relay host when the final
destination is unavailable. Instead:

· In main.cf specify "relay_transport = relay",

· In master.cf specify "-o fallback_relay =" (i.e., empty) at the
  end of the relay entry.

· In transport maps, specify "relay:nexthop..." as the right-hand
  side for backup or primary MX domain entries.

Postfix version 2.2 and later will not use the fallback_relay feature
for destinations that it is MX host for.

Optional message delivery transport that the local(8) delivery agent
should use for names that are not found in the aliases(5) or UNIX
password database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

Optional lookup tables with per-recipient message delivery transports
for recipients that the local(8) delivery agent could not find in the
aliases(5) or UNIX password database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

For safety reasons, this feature does not allow $number substitutions
in regular expression maps.

This feature is available in Postfix 2.3 and later.

Optional list of destinations that are eligible for per-destination
logfiles with mail that is queued to those destinations.

By default, Postfix maintains "fast flush" logfiles only for
destinations that the Postfix SMTP server is willing to relay to (i.e.
the default is: "fast_flush_domains = $relay_domains"; see the
relay_domains parameter in the postconf(5) manual).

Specify a list of hosts or domains, "/file/name" patterns or
"type:table" lookup tables, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace. A
"/file/name" pattern is replaced by its contents; a "type:table" lookup
table is matched when the domain or its parent domain appears as lookup
key.

Specify "fast_flush_domains =" (i.e., empty) to disable the feature
altogether.

The time after which an empty per-destination "fast flush" logfile is
deleted.

You can specify the time as a number, or as a number followed by a
letter that indicates the time unit: s=seconds, m=minutes, h=hours,
d=days, w=weeks. The default time unit is days.

The time after which a non-empty but unread per-destination "fast
flush" logfile needs to be refreshed. The contents of a logfile are
refreshed by requesting delivery of all messages listed in the logfile.

You can specify the time as a number, or as a number followed by a
letter that indicates the time unit: s=seconds, m=minutes, h=hours,
d=days, w=weeks. The default time unit is hours.

Force specific internal tests to fail, to test the handling of errors
that are difficult to reproduce otherwise.

The name of the flush(8) service. This service maintains
per-destination logfiles with the queue file names of mail that is
queued for those destinations.

This feature is available in Postfix 2.0 and later.

The maximal number of attempts to fork() a child process.

The delay between attempts to fork() a child process.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $forward_path. Characters outside the allowed set
are replaced by underscores.

The local(8) delivery agent search list for finding a .forward file
with user-specified delivery methods. The first file that is found is
used.

The following $name expansions are done on forward_path before the
search actually happens. The result of $name expansion is filtered with
the character set that is specified with the forward_expansion_filter
parameter.

$user
    The recipient's username.

$shell
    The recipient's login shell pathname.

$home
    The recipient's home directory.

$recipient
    The full recipient address.

$extension
    The optional recipient address extension.

$domain
    The recipient domain.

$local
    The entire recipient localpart.

$recipient_delimiter
    The system-wide recipient address extension delimiter.

${name?value}
    Expands to value when $name is non-empty.

${name:value}
    Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

Examples:

forward_path = /var/forward/$user
forward_path =
    /var/forward/$user/.forward$recipient_delimiter$extension,
    /var/forward/$user/.forward
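The $name expansion rules shared by the default_rbl_reply template and by forward_path, as an added example that is not part of the postconf(5) manual and not Postfix's own expander: a Python implementation of $name, ${name}, $(name), ${name?text}, ${name:text} and $$ with exactly one level of substitution, plus a forward_expansion_filter-style character filter applied to the substituted values, which shows why the filter matters when a recipient address extension ends up in a file path. The RBL template, the allowed character set and the attribute values are constructed for this example; conditional text containing "}" is not supported (a simplification).

```python
import re
from typing import Callable, Mapping, Optional

# One Postfix-style macro token (simplified; see lead-in):
#   $$                       -> a literal "$"
#   ${name?text}             -> text when $name is non-empty
#   ${name:text}             -> text when $name is empty
#   $name, ${name}, $(name)  -> the value of name
_TOKEN = re.compile(
    r"\$\$"
    r"|\$\{(?P<cname>\w+)(?P<op>[?:])(?P<ctext>[^}]*)\}"
    r"|\$\{(?P<bname>\w+)\}"
    r"|\$\((?P<pname>\w+)\)"
    r"|\$(?P<name>\w+)"
)


def expand(template: str, values: Mapping[str, str],
           value_filter: Optional[Callable[[str], str]] = None) -> str:
    """Apply exactly one level of $name substitution to `template`.

    Substituted values are never re-scanned for "$", which is the
    "exactly one level" rule the manual states for default_rbl_reply.
    Only substituted values pass through `value_filter`; literal
    template text is left untouched. Unknown names expand to ""
    (assumption made for this example).
    """
    def sub(m: "re.Match[str]") -> str:
        if m.group(0) == "$$":
            return "$"
        if m.group("cname") is not None:
            present = bool(values.get(m.group("cname"), ""))
            wanted = (m.group("op") == "?") == present
            # The conditional text may itself contain $name references.
            return _TOKEN.sub(sub, m.group("ctext")) if wanted else ""
        name = m.group("bname") or m.group("pname") or m.group("name")
        value = values.get(name, "")
        return value_filter(value) if value_filter else value

    return _TOKEN.sub(sub, template)


def make_expansion_filter(allowed: str) -> Callable[[str], str]:
    """Replace every character outside `allowed` with "_", the behaviour
    the manual describes for forward_expansion_filter."""
    allowed_set = frozenset(allowed)
    return lambda s: "".join(c if c in allowed_set else "_" for c in s)


# Constructed allowed set for the example (no "/" and no whitespace).
SAFE_CHARS = ("0123456789!@%-_=+:,."
              "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Constructed RBL reply template in the style of default_rbl_reply;
# the trailing conditional adds "; reason" only when $rbl_reason is set.
RBL_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")


def rbl_reply(attrs: Mapping[str, str]) -> str:
    """Render the SMTP reply text for one RBL rejection."""
    return expand(RBL_TEMPLATE, attrs)


# The second forward_path example from the manual.
FORWARD_TEMPLATE = "/var/forward/$user/.forward$recipient_delimiter$extension"


def forward_path(attrs: Mapping[str, str], filtered: bool = True) -> str:
    """Compute the .forward search path; `filtered=False` shows what an
    address extension could do to the path without the character filter."""
    flt = make_expansion_filter(SAFE_CHARS) if filtered else None
    return expand(FORWARD_TEMPLATE, attrs, flt)


if __name__ == "__main__":
    listing = {"rbl_code": "554", "rbl_class": "Client host",
               "rbl_what": "192.0.2.1", "rbl_domain": "rbl.example",
               "rbl_reason": ""}
    print(rbl_reply(listing))
    print(rbl_reply({**listing, "rbl_reason": "listed"}))
    rcpt = {"user": "alice", "recipient_delimiter": "+",
            "extension": "../../etc/x"}
    print(forward_path(rcpt, filtered=False))
    print(forward_path(rcpt))
```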

Update the local(8) delivery agent's idea of the Delivered-To: address
(see prepend_delivered_header) only once, at the start of a delivery
attempt; do not update the Delivered-To: address while expanding
aliases or .forward files.

This feature is available in Postfix 2.3 and later. With older Postfix
releases, the behavior is as if this parameter is set to "no". The old
setting can be expensive with deeply nested aliases or .forward files.
When an alias or .forward file changes the Delivered-To: address, it
ties up one queue file and one cleanup process instance while mail is
being forwarded.

The number of subdirectory levels for queue directories listed with the
hash_queue_names parameter.

After changing the hash_queue_names or hash_queue_depth parameter,
execute the command "postfix reload".

The names of queue directories that are split across multiple
subdirectory levels.

Before Postfix version 2.2, the default list of hashed queues was
significantly larger. Claims about improvements in file system
technology suggest that hashing of the incoming and active queues is no
longer needed. Fewer hashed directories speed up the time needed to
restart Postfix.

After changing the hash_queue_names or hash_queue_depth parameter,
execute the command "postfix reload".

The maximal number of address tokens that are allowed in an address
message header. Information that exceeds the limit is discarded. The
limit is enforced by the cleanup(8) server.

Optional lookup tables for content inspection of primary non-MIME
message headers, as specified in the header_checks(5) manual page.

The maximal amount of memory in bytes for storing a message header. If
a header is larger, the excess is discarded. The limit is enforced by
the cleanup(8) server.

Log warnings about problematic configuration settings, and provide
helpful suggestions.

This feature is available in Postfix 2.0 and later.

Optional pathname of a mailbox file relative to a local(8) user's home
directory.

Specify a pathname ending in "/" for qmail-style delivery.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

Examples:

home_mailbox = Mailbox
home_mailbox = Maildir/

The maximal number of Received: message headers that is allowed in the
primary message headers. A message that exceeds the limit is bounced,
in order to stop a mailer loop.

The location of Postfix HTML files that describe how to build,
configure or operate a specific Postfix subsystem or feature.

Ignore DNS MX lookups that produce no response. By default, the
Postfix SMTP client defers delivery and tries again after some delay.
This behavior is required by the SMTP standard.

Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
instead. This violates the SMTP standard and can result in mis-delivery
of mail.

The list of environment parameters that a Postfix process will import
from a non-Postfix parent process. Examples of relevant parameters:

TZ
    Needed for sane time keeping on most System-V-ish systems.

DISPLAY
    Needed for debugging Postfix daemons with an X-windows debugger.

XAUTHORITY
    Needed for debugging Postfix daemons with an X-windows debugger.

MAIL_CONFIG
    Needed to make "postfix -c" work.

Specify a list of names and/or name=value pairs, separated by
whitespace or comma. The name=value form is supported with Postfix
version 2.1 and later.

Time to pause before accepting a new message, when the message arrival
rate exceeds the message delivery rate. This feature is turned on by
default (it's disabled on SCO UNIX due to an SCO bug).

With the default 100 SMTP server process limit, "in_flow_delay = 1s"
limits the mail inflow to 100 messages per second above the number of
messages delivered per second.

Specify 0 to disable the feature. Valid delays are 0..10.

The network interface addresses that this mail system receives mail on.
Specify "all" to receive mail on all network interfaces (default), and
"loopback-only" to receive mail on loopback network interfaces only
(Postfix version 2.2 and later). The parameter also controls delivery
of mail to user@[ip.address].

Note 1: you need to stop and start Postfix when this parameter changes.

Note 2: address information may be enclosed inside [], but this form is
not required here.

When inet_interfaces specifies just one IPv4 and/or IPv6 address that
is not a loopback address, the Postfix SMTP client will use this
address as the IP source address for outbound mail. Support for IPv6 is
available in Postfix version 2.2 and later.

On a multi-homed firewall with separate Postfix instances listening on
the "inside" and "outside" interfaces, this can prevent each instance
from being able to reach servers on the "other side" of the firewall.
Setting smtp_bind_address to 0.0.0.0 avoids the potential problem for
IPv4, and setting smtp_bind_address6 to :: solves the problem for IPv6.

A better solution for multi-homed firewalls is to leave inet_interfaces
at the default value and instead use explicit IP addresses in the
master.cf SMTP server definitions. This preserves the Postfix SMTP
client's loop detection, by ensuring that each side of the firewall
knows that the other IP address is still the same host. Setting
$inet_interfaces to a single IPv4 and/or IPv6 address is primarily
useful with virtual hosting of domains on secondary IP addresses, when
each IP address serves a different domain (and has a different
$myhostname setting).

See also the proxy_interfaces parameter, for network addresses that are
forwarded to Postfix by way of a proxy or address translator.

Examples:

inet_interfaces = all (DEFAULT)
inet_interfaces = loopback-only (Postfix version 2.2 and later)
inet_interfaces = 127.0.0.1
inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
inet_interfaces = 192.168.1.2, 127.0.0.1

The Internet protocols Postfix will attempt to use when making or
accepting connections. Specify one or more of "ipv4" or "ipv6",
separated by whitespace or commas. The form "all" is equivalent to
"ipv4, ipv6" or "ipv4", depending on whether the operating system
implements IPv6.

This feature is available in Postfix 2.2 and later.

Note: you MUST stop and start Postfix after changing this parameter.

On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
will also accept IPv4 connections, even when IPv4 is turned off with
the inet_protocols parameter. On systems with IPV6_V6ONLY support,
Postfix will use separate server sockets for IPv6 and IPv4, and each
will accept only connections for the corresponding protocol.

When IPv4 support is enabled via the inet_protocols parameter, Postfix
will do DNS type A record lookups, and will convert IPv4-in-IPv6 client
IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
3493).

When IPv6 support is enabled via the inet_protocols parameter, Postfix
will do DNS type AAAA record lookups.

When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
will attempt to connect via IPv6 before attempting to use IPv4.

Examples:

inet_protocols = ipv4 (DEFAULT)
inet_protocols = all
inet_protocols = ipv6
inet_protocols = ipv4, ipv6

The initial per-destination concurrency level for parallel delivery to
the same destination. This limit applies to delivery via smtp(8), and
via the pipe(8) and virtual(8) delivery agents.

Warning: with concurrency of 1, one bad message can be enough to block
all mail to a site.

What categories of Postfix-generated mail are subject to before-queue
content inspection by non_smtpd_milters, header_checks and body_checks.
Specify zero or more of the following, separated by whitespace or
comma.

bounce
    Inspect the content of delivery status notifications.

notify
    Inspect the content of postmaster notifications by the smtp(8)
    and smtpd(8) processes.

NOTE: It's generally not safe to enable content inspection of
Postfix-generated email messages. The user is warned.

This feature is available in Postfix 2.3 and later.

The numerical Postfix SMTP server response code when the client HELO or
EHLO command parameter is rejected by the reject_invalid_helo_hostname
restriction.

Do not change this unless you have a complete understanding of RFC 821.

The time after which a client closes an idle internal communication
channel. The purpose is to allow servers to terminate voluntarily
after they become idle. This is used, for example, by the address
resolving and rewriting clients.

With Postfix 2.4 the default value was reduced from 100s to 5s.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The time limit for sending or receiving information over an internal
communication channel. The purpose is to break out of deadlock
situations. If the time limit is exceeded the software aborts with a
fatal error.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The time after which a client closes an active internal communication
channel. The purpose is to allow servers to terminate voluntarily
after reaching their client limit. This is used, for example, by the
address resolving and rewriting clients.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

Upon input, long lines are chopped up into pieces of at most this
length; upon delivery, long lines are reconstructed.

The LMTP-specific version of the smtp_bind_address configuration
parameter. See there for details.

This feature is available in Postfix 2.3 and later.

The LMTP-specific version of the smtp_bind_address6 configuration
parameter. See there for details.
1704
1705 This feature is available in Postfix 2.3 and later.
1706
1708 Keep Postfix LMTP client connections open for up to $max_idle seconds.
1709 When the LMTP client receives a request for the same connection the
1710 connection is reused.
1711
1712 The effectiveness of cached connections will be determined by the num‐
1713 ber of LMTP servers in use, and the concurrency limit specified for the
1714 LMTP client. Cached connections are closed under any of the following
1715 conditions:
1716
1717 · The LMTP client idle time limit is reached. This limit is spec‐
1718 ified with the Postfix max_idle configuration parameter.
1719
1720 · A delivery request specifies a different destination than the
1721 one currently cached.
1722
1723 · The per-process limit on the number of delivery requests is
1724 reached. This limit is specified with the Postfix max_use con‐
1725 figuration parameter.
1726
1727 · Upon the onset of another delivery request, the LMTP server
1728 associated with the current session does not respond to the RSET
1729 command.
1730
1731 Most of these limitations will be removed after Postfix implements a
1732 connection cache that is shared among multiple LMTP client programs.
1733
1735 The LMTP-specific version of the smtp_cname_overrides_servername con‐
1736 figuration parameter. See there for details.
1737
1738 This feature is available in Postfix 2.3 and later.
1739
1741 The LMTP client time limit for completing a TCP connection, or zero
1742 (use the operating system built-in time limit). When no connection can
1743 be made within the deadline, the LMTP client tries the next address on
1744 the mail exchanger list.
1745
1746 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1747 The default time unit is s (seconds).
1748
1749 Example:
1750
1751 lmtp_connect_timeout = 30s
1752
1754 The LMTP-specific version of the smtp_connection_cache_destinations
1755 configuration parameter. See there for details.
1756
1757 This feature is available in Postfix 2.3 and later.
1758
1760 The LMTP-specific version of the smtp_connection_cache_on_demand con‐
1761 figuration parameter. See there for details.
1762
1763 This feature is available in Postfix 2.3 and later.
1764
1766 The LMTP-specific version of the smtp_connection_cache_time_limit con‐
1767 figuration parameter. See there for details.
1768
1769 This feature is available in Postfix 2.3 and later.
1770
1772 The LMTP-specific version of the smtp_connection_reuse_time_limit con‐
1773 figuration parameter. See there for details.
1774
1775 This feature is available in Postfix 2.3 and later.
1776
1778 The LMTP client time limit for sending the LMTP ".", and for receiving
1779 the server response. When no response is received within the deadline,
1780 a warning is logged that the mail may be delivered multiple times.
1781
1782 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1783 The default time unit is s (seconds).
1784
1786 The LMTP client time limit for sending the LMTP DATA command, and for
1787 receiving the server response.
1788
1789 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1790 The default time unit is s (seconds).
1791
1793 The LMTP client time limit for sending the LMTP message content. When
1794 the connection stalls for more than $lmtp_data_xfer_timeout the LMTP
1795 client terminates the transfer.
1796
1797 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1798 The default time unit is s (seconds).
1799
1801 The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
1802 figuration parameter. See there for details.
1803
1804 This feature is available in Postfix 2.3 and later.
1805
1807 lmtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)
1808 The maximal number of parallel deliveries to the same destination via
1809 the lmtp message delivery transport. This limit is enforced by the
1810 queue manager. The message delivery transport name is the first field
1811 in the entry in the master.cf file.
1812
1814 lmtp_destination_recipient_limit (default: $default_destination_recipient_limit)
1815 The maximal number of recipients per delivery via the lmtp message
1816 delivery transport. This limit is enforced by the queue manager. The
1817 message delivery transport name is the first field in the entry in the
1818 master.cf file.
1819
1820 Setting this parameter to a value of 1 changes the meaning of lmtp_des‐
1821 tination_concurrency_limit from concurrency per domain into concurrency
1822 per recipient.
1823
1825 Lookup tables, indexed by the remote LMTP server address, with case
1826 insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
1827 that the LMTP client will ignore in the LHLO response from a remote
1828 LMTP server. See lmtp_discard_lhlo_keywords for details. The table is
1829 not indexed by hostname for consistency with smtpd_discard_ehlo_key‐
1830 word_address_maps.
1831
1832 This feature is available in Postfix 2.3 and later.
1833
1835 A case insensitive list of LHLO keywords (pipelining, starttls, auth,
1836 etc.) that the LMTP client will ignore in the LHLO response from a
1837 remote LMTP server.
1838
1839 This feature is available in Postfix 2.3 and later.
1840
1841 Notes:
1842
1843 · Specify the silent-discard pseudo keyword to prevent this action
1844 from being logged.
1845
1846 · Use the lmtp_discard_lhlo_keyword_address_maps feature to dis‐
1847 card LHLO keywords selectively.
1848
1850 The LMTP-specific version of the smtp_enforce_tls configuration parame‐
1851 ter. See there for details.
1852
1853 This feature is available in Postfix 2.3 and later.
1854
1856 The LMTP-specific version of the smtp_generic_maps configuration param‐
1857 eter. See there for details.
1858
1859 This feature is available in Postfix 2.3 and later.
1860
1862 The LMTP-specific version of the smtp_host_lookup configuration parame‐
1863 ter. See there for details.
1864
1865 This feature is available in Postfix 2.3 and later.
1866
1868 The hostname to send in the LMTP LHLO command.
1869
1870 The default value is the machine hostname. Specify a hostname or
1871 [ip.add.re.ss].
1872
1873 This information can be specified in the main.cf file for all LMTP
1874 clients, or it can be specified in the master.cf file for a specific
1875 client, for example:
1876
1877 /etc/postfix/master.cf:
1878 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
1879
1880 This feature is available in Postfix 2.3 and later.
1881
1883 The LMTP client time limit for sending the LHLO command, and for
1884 receiving the initial server response.
1885
1886 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1887 The default time unit is s (seconds).
1888
1890 The LMTP-specific version of the smtp_line_length_limit configuration
1891 parameter. See there for details.
1892
1893 This feature is available in Postfix 2.3 and later.
1894
1896 The LMTP client time limit for sending the MAIL FROM command, and for
1897 receiving the server response.
1898
1899 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1900 The default time unit is s (seconds).
1901
1903 The LMTP-specific version of the smtp_mx_address_limit configuration
1904 parameter. See there for details.
1905
1906 This feature is available in Postfix 2.3 and later.
1907
1909 The LMTP-specific version of the smtp_mx_session_limit configuration
1910 parameter. See there for details.
1911
1912 This feature is available in Postfix 2.3 and later.
1913
1915 The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
1916 uration parameter. See there for details.
1917
1918 This feature is available in Postfix 2.3 and later.
1919
1921 The LMTP-specific version of the smtp_pix_workaround_maps configuration
1922 parameter. See there for details.
1923
1924 This feature is available in Postfix 2.4 and later.
1925
1927 The LMTP-specific version of the smtp_pix_workaround_threshold_time
1928 configuration parameter. See there for details.
1929
1930 This feature is available in Postfix 2.3 and later.
1931
1933 The LMTP-specific version of the smtp_pix_workaround configuration
1934 parameter. See there for details.
1935
1936 This feature is available in Postfix 2.4 and later.
1937
1939 The LMTP client time limit for sending the QUIT command, and for
1940 receiving the server response.
1941
1942 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1943 The default time unit is s (seconds).
1944
1946 The LMTP-specific version of the smtp_quote_rfc821_envelope configura‐
1947 tion parameter. See there for details.
1948
1949 This feature is available in Postfix 2.3 and later.
1950
1952 The LMTP-specific version of the smtp_randomize_addresses configuration
1953 parameter. See there for details.
1954
1955 This feature is available in Postfix 2.3 and later.
1956
1958 The LMTP client time limit for sending the RCPT TO command, and for
1959 receiving the server response.
1960
1961 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1962 The default time unit is s (seconds).
1963
1965 The LMTP client time limit for sending the RSET command, and for
1966 receiving the server response. The LMTP client sends RSET in order to
1967 finish a recipient address probe, or to verify that a cached connection
1968 is still alive.
1969
1970 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1971 The default time unit is s (seconds).
1972
1974 Enable SASL authentication in the Postfix LMTP client.
1975
1977 The LMTP-specific version of the smtp_sasl_mechanism_filter configura‐
1978 tion parameter. See there for details.
1979
1980 This feature is available in Postfix 2.3 and later.
1981
1983 Optional LMTP client lookup tables with one username:password entry per
1984 host or domain. If a remote host or domain has no username:password
1985 entry, then the Postfix LMTP client will not attempt to authenticate to
1986 the remote host.
1987
1989 Implementation-specific information that is passed through to the SASL
1990 plug-in implementation that is selected with lmtp_sasl_type. Typically
1991 this specifies the name of a configuration file or rendezvous point.
1992
1993 This feature is available in Postfix 2.3 and later.
1994
1996 SASL security options; as of Postfix 2.3 the list of available features
1997 depends on the SASL client implementation that is selected with
1998 lmtp_sasl_type.
1999
2000 The following security features are defined for the cyrus client SASL
2001 implementation:
2002
2003 noplaintext
2004 Disallow authentication methods that use plaintext passwords.
2005
2006 noactive
2007 Disallow authentication methods that are vulnerable to non-dic‐
2008 tionary active attacks.
2009
2010 nodictionary
2011 Disallow authentication methods that are vulnerable to passive
2012 dictionary attack.
2013
2014 noanonymous
2015 Disallow anonymous logins.
2016
2017 Example:
2018
2019 lmtp_sasl_security_options = noplaintext
2020
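The two LHLO-related behaviors described above, lmtp_discard_lhlo_keywords (with the silent-discard pseudo keyword) and lmtp_sasl_security_options, can be seen together in the following Python model. It is an added example, not Postfix or Cyrus SASL code: the LHLO response is constructed, and the table that maps AUTH mechanisms to the noplaintext, noactive, nodictionary and noanonymous properties is an illustrative assumption about how the cyrus plug-in classifies common mechanisms, not data taken from either project. It shows that "noplaintext" alone still leaves ANONYMOUS selectable when a server offers it, while "noplaintext, noanonymous" does not.

```python
# Added example (not Postfix or Cyrus SASL code). Models two client-side
# steps the text describes: discarding LHLO keywords named in
# lmtp_discard_lhlo_keywords (case-insensitive, with silent-discard
# suppressing the log line), and filtering AUTH mechanisms by the
# lmtp_sasl_security_options properties. The mechanism table is an
# illustrative assumption, not data from either project.

# Constructed LHLO response from a hypothetical LMTP server.
SAMPLE_LHLO_RESPONSE = """250-lmtp.example.com
250-PIPELINING
250-SIZE 20480000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 AUTH PLAIN LOGIN CRAM-MD5 ANONYMOUS"""

# Assumed security properties each mechanism provides, in the vocabulary of
# the cyrus options above (a mechanism lacking "noplaintext" sends the
# password in the clear, and so on). Unknown mechanisms provide nothing.
MECHANISM_PROPERTIES = {
    "PLAIN": {"noanonymous"},
    "LOGIN": {"noanonymous"},
    "ANONYMOUS": {"noplaintext"},
    "CRAM-MD5": {"noplaintext", "noanonymous"},
    "DIGEST-MD5": {"noplaintext", "noanonymous"},
    "GSSAPI": {"noplaintext", "noactive", "nodictionary", "noanonymous"},
}


def split_list(value: str) -> list:
    """Split a Postfix list value on whitespace and/or commas."""
    return [w for w in value.replace(",", " ").split() if w]


def parse_lhlo(response: str) -> dict:
    """Map upper-cased LHLO keywords to their parameters, preserving server
    order. The first 250 line carries the server name and is skipped."""
    features = {}
    for line in response.splitlines()[1:]:
        if not line.startswith("250") or len(line) < 4:
            continue
        words = line[4:].split()
        if words:
            features[words[0].upper()] = [w.upper() for w in words[1:]]
    return features


def apply_discard_keywords(features: dict, discard_keywords: str, log: list) -> dict:
    """Remove keywords listed in lmtp_discard_lhlo_keywords. Each removal is
    appended to log unless the silent-discard pseudo keyword is present."""
    discard = {k.upper() for k in split_list(discard_keywords)}
    silent = "SILENT-DISCARD" in discard
    kept = {}
    for keyword, params in features.items():
        if keyword in discard:
            if not silent:
                log.append(f"discarding LHLO keyword: {keyword}")
        else:
            kept[keyword] = params
    return kept


def select_mechanisms(features: dict, security_options: str) -> list:
    """Return the advertised AUTH mechanisms, in server order, that provide
    every property required by lmtp_sasl_security_options."""
    required = set(split_list(security_options.lower()))
    return [
        mech for mech in features.get("AUTH", [])
        if required <= MECHANISM_PROPERTIES.get(mech, set())
    ]


if __name__ == "__main__":
    features = parse_lhlo(SAMPLE_LHLO_RESPONSE)
    log = []
    features = apply_discard_keywords(features, "starttls", log)
    print(log)  # logged, because silent-discard is absent
    print("noplaintext              ->", select_mechanisms(features, "noplaintext"))
    print("noplaintext, noanonymous ->", select_mechanisms(features, "noplaintext, noanonymous"))
```

Discarding "auth" removes every mechanism, which is the effect of listing it in lmtp_discard_lhlo_keywords; discarding "starttls" the same way means the session stays in the clear, so the two settings should be reviewed together with the lmtp_sasl_tls_security_options value that applies once TLS is up.
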
2022 The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2023 uration parameter. See there for details.
2024
2025 This feature is available in Postfix 2.3 and later.
2026
2028 lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_security_options)
2029 The LMTP-specific version of the smtp_sasl_tls_verified_secu‐
2030 rity_options configuration parameter. See there for details.
2031
2032 This feature is available in Postfix 2.3 and later.
2033
2035 The SASL plug-in type that the Postfix LMTP client should use for
2036 authentication. The available types are listed with the "postconf -A"
2037 command.
2038
2039 This feature is available in Postfix 2.3 and later.
2040
2042 Send an XFORWARD command to the LMTP server when the LMTP LHLO server
2043 response announces XFORWARD support. This allows an lmtp(8) delivery
2044 agent, used for content filter message injection, to forward the name,
2045 address, protocol and HELO name of the original client to the content
2046 filter and downstream queuing LMTP server. Before you change the value
2047 to yes, it is best to make sure that your content filter supports this
2048 command.
2049
2050 This feature is available in Postfix 2.1 and later.
2051
2053 The LMTP-specific version of the smtp_sender_dependent_authentication
2054 configuration parameter. See there for details.
2055
2056 This feature is available in Postfix 2.3 and later.
2057
2059 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
2060 parameter. See there for details.
2061
2062 This feature is available in Postfix 2.3 and later.
2063
2065 Wait for the response to the LMTP QUIT command.
2066
2068 The LMTP-specific version of the smtp_starttls_timeout configuration
2069 parameter. See there for details.
2070
2071 This feature is available in Postfix 2.3 and later.
2072
2074 The default TCP port that the Postfix LMTP client connects to.
2075
2077 The LMTP-specific version of the smtp_tls_CAfile configuration parame‐
2078 ter. See there for details.
2079
2080 This feature is available in Postfix 2.3 and later.
2081
2083 The LMTP-specific version of the smtp_tls_CApath configuration parame‐
2084 ter. See there for details.
2085
2086 This feature is available in Postfix 2.3 and later.
2087
2089 The LMTP-specific version of the smtp_tls_cert_file configuration
2090 parameter. See there for details.
2091
2092 This feature is available in Postfix 2.3 and later.
2093
2095 The LMTP-specific version of the smtp_tls_dcert_file configuration
2096 parameter. See there for details.
2097
2098 This feature is available in Postfix 2.3 and later.
2099
2101 The LMTP-specific version of the smtp_tls_dkey_file configuration
2102 parameter. See there for details.
2103
2104 This feature is available in Postfix 2.3 and later.
2105
2107 The LMTP-specific version of the smtp_tls_enforce_peername configura‐
2108 tion parameter. See there for details.
2109
2110 This feature is available in Postfix 2.3 and later.
2111
2113 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
2114 parameter. See there for details.
2115
2116 This feature is available in Postfix 2.3 and later.
2117
2119 The LMTP-specific version of the smtp_tls_key_file configuration param‐
2120 eter. See there for details.
2121
2122 This feature is available in Postfix 2.3 and later.
2123
2125 The LMTP-specific version of the smtp_tls_loglevel configuration param‐
2126 eter. See there for details.
2127
2128 This feature is available in Postfix 2.3 and later.
2129
2131 The LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
2132 tion parameter. See there for details.
2133
2134 This feature is available in Postfix 2.3 and later.
2135
2137 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
2138 configuration parameter. See there for details.
2139
2140 This feature is available in Postfix 2.3 and later.
2141
2143 The LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
2144 ration parameter. See there for details.
2145
2146 This feature is available in Postfix 2.3 and later.
2147
2149 The LMTP-specific version of the smtp_tls_note_starttls_offer configu‐
2150 ration parameter. See there for details.
2151
2152 This feature is available in Postfix 2.3 and later.
2153
2155 The LMTP-specific version of the smtp_tls_per_site configuration param‐
2156 eter. See there for details.
2157
2158 This feature is available in Postfix 2.3 and later.
2159
2161 The LMTP-specific version of the smtp_tls_policy_maps configuration
2162 parameter. See there for details.
2163
2164 This feature is available in Postfix 2.3 and later.
2165
2167 The LMTP-specific version of the smtp_tls_scert_verifydepth configura‐
2168 tion parameter. See there for details.
2169
2170 This feature is available in Postfix 2.3 and later.
2171
2173 The LMTP-specific version of the smtp_tls_secure_cert_match configura‐
2174 tion parameter. See there for details.
2175
2176 This feature is available in Postfix 2.3 and later.
2177
2179 The LMTP-specific version of the smtp_tls_session_cache_database con‐
2180 figuration parameter. See there for details.
2181
2182 This feature is available in Postfix 2.3 and later.
2183
2185 The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
2186 uration parameter. See there for details.
2187
2188 This feature is available in Postfix 2.3 and later.
2189
2191 The LMTP-specific version of the smtp_tls_verify_cert_match configura‐
2192 tion parameter. See there for details.
2193
2194 This feature is available in Postfix 2.3 and later.
2195
2197 The LMTP-specific version of the smtp_use_tls configuration parameter.
2198 See there for details.
2199
2200 This feature is available in Postfix 2.3 and later.
2201
2203 The LMTP client time limit for sending the XFORWARD command, and for
2204 receiving the server response.
2205
2206 In case of problems the client does NOT try the next address on the
2207 mail exchanger list.
2208
2209 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2210 The default time unit is s (seconds).
2211
2212 This feature is available in Postfix 2.1 and later.
2213
2215 Optional shell program for local(8) delivery to non-Postfix command.
2216 By default, non-Postfix commands are executed directly; commands are
2217 given to /bin/sh only when they contain shell meta characters
2218 or shell built-in commands.
2219
2220 "sendmail's restricted shell" (smrsh) is what most people will use in
2221 order to restrict what programs can be run from e.g. .forward files
2222 (smrsh is part of the Sendmail distribution).
2223
2224 Note: when a shell program is specified, it is invoked even when the
2225 command contains no shell built-in commands or meta characters.
2226
2227 Example:
2228
2229 local_command_shell = /some/where/smrsh -c
2230
2232 The maximal number of parallel deliveries via the local mail delivery
2233 transport to the same recipient (when "local_destination_recipi‐
2234 ent_limit = 1") or the maximal number of parallel deliveries to the
2235 same local domain (when "local_destination_recipient_limit > 1"). This
2236 limit is enforced by the queue manager. The message delivery transport
2237 name is the first field in the entry in the master.cf file.
2238
2239 A low limit of 2 is recommended, just in case someone has an expensive
2240 shell command in a .forward file or in an alias (e.g., a mailing list
2241 manager). You don't want to run lots of those at the same time.
2242
2244 The maximal number of recipients per message delivery via the local
2245 mail delivery transport. This limit is enforced by the queue manager.
2246 The message delivery transport name is the first field in the entry in
2247 the master.cf file.
2248
2249 Setting this parameter to a value > 1 changes the meaning of local_des‐
2250 tination_concurrency_limit from concurrency per recipient into concur‐
2251 rency per domain.
2252
2254 Rewrite message header addresses in mail from these clients and update
2255 incomplete addresses with the domain name in $myorigin or $mydomain;
2256 either don't rewrite message headers from other clients at all, or re‐
2257 write message headers and update incomplete addresses with the domain
2258 specified in the remote_header_rewrite_domain parameter.
2259
2260 See the append_at_myorigin and append_dot_mydomain parameters for
2261 details of how domain names are appended to incomplete addresses.
2262
2263 Specify a list of zero or more of the following:
2264
2265 permit_inet_interfaces
2266 Append the domain name in $myorigin or $mydomain when the client
2267 IP address matches $inet_interfaces. This is enabled by default.
2268
2269 permit_mynetworks
2270 Append the domain name in $myorigin or $mydomain when the client
2271 IP address matches any network or network address listed in
2272 $mynetworks. This setting will not prevent remote mail header
2273 address rewriting when mail from a remote client is forwarded by
2274 a neighboring system.
2275
2276 permit_sasl_authenticated
2277 Append the domain name in $myorigin or $mydomain when the client
2278 is successfully authenticated via the RFC 2554 (AUTH) protocol.
2279
2280 permit_tls_clientcerts
2281 Append the domain name in $myorigin or $mydomain when the client
2282 TLS certificate is successfully verified, and the client cer‐
2283 tificate fingerprint is listed in $relay_clientcerts.
2284
2285 permit_tls_all_clientcerts
2286 Append the domain name in $myorigin or $mydomain when the client
2287 TLS certificate is successfully verified, regardless of whether
2288 it is listed on the server, and regardless of the certifying
2289 authority.
2290
2291 check_address_map type:table
2292
2293 type:table
2294 Append the domain name in $myorigin or $mydomain when the client
2295 IP address matches the specified lookup table. The lookup
2296 result is ignored, and no subnet lookup is done. This is suit‐
2297 able for, e.g., pop-before-smtp lookup tables.
2298
2299 Examples:
2300
2301 The Postfix < 2.2 backwards compatible setting: always rewrite message
2302 headers, and always append my own domain to incomplete header
2303 addresses.
2304
2305 local_header_rewrite_clients = static:all
2306
2307 The purist (and default) setting: rewrite headers only in mail from
2308 Postfix sendmail and in SMTP mail from this machine.
2309
2310 local_header_rewrite_clients = permit_inet_interfaces
2311
2312 The intermediate setting: rewrite header addresses and append $myorigin
2313 or $mydomain information only with mail from Postfix sendmail, from
2314 local clients, or from authorized SMTP clients.
2315
2316 Note: this setting will not prevent remote mail header address rewrit‐
2317 ing when mail from a remote client is forwarded by a neighboring sys‐
2318 tem.
2319
2320 local_header_rewrite_clients = permit_mynetworks,
2321 permit_sasl_authenticated permit_tls_clientcerts
2322 check_address_map hash:/etc/postfix/pop-before-smtp
2323
2325 Lookup tables with all names or addresses of local recipients: a recip‐
2326 ient address is local when its domain matches $mydestination,
2327 $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
2328 for domains that do not have a valid recipient list. Technically,
2329 tables listed with $local_recipient_maps are used as lists: Postfix
2330 needs to know only if a lookup string is found or not, but it does not
2331 use the result from table lookup.
2332
2333 If this parameter is non-empty (the default), then the Postfix SMTP
2334 server will reject mail for unknown local users.
2335
2336 To turn off local recipient checking in the Postfix SMTP server, spec‐
2337 ify "local_recipient_maps =" (i.e. empty).
2338
2339 The default setting assumes that you use the default Postfix local
2340 delivery agent for local delivery. You need to update the local_recipi‐
2341 ent_maps setting if:
2342
2343 · You redefine the local delivery agent in master.cf.
2344
2345 · You redefine the "local_transport" setting in main.cf.
2346
2347 · You use the "luser_relay", "mailbox_transport", or "fall‐
2348 back_transport" feature of the Postfix local(8) delivery agent.
2349
2350 Details are described in the LOCAL_RECIPIENT_README file.
2351
2352 Beware: if the Postfix SMTP server runs chrooted, you need to access
2353 the passwd file via the proxymap(8) service, in order to overcome
2354 chroot access restrictions. The alternative, maintaining a copy of the
2355 system password file in the chroot jail, is not practical.
2356
2357 Examples:
2358
2359 local_recipient_maps =
2360
2362 The default mail delivery transport and next-hop destination for final
2363 delivery to domains listed with mydestination, and for [ipaddress] des‐
2364 tinations that match $inet_interfaces or $proxy_interfaces. This
2365 information can be overruled with the transport(5) table.
2366
2367 By default, local mail is delivered to the transport called "local",
2368 which is just the name of a service that is defined in the master.cf file.
2369
2370 Specify a string of the form transport:nexthop, where transport is the
2371 name of a mail delivery transport defined in master.cf. The :nexthop
2372 part is optional. For more details see the transport(5) manual page.
2373
2374 Beware: if you override the default local delivery agent then you need
2375 to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
2376 server may reject mail for local recipients.
2377
2379 Optional catch-all destination for unknown local(8) recipients. By
2380 default, mail for unknown recipients in domains that match $mydestina‐
2381 tion, $inet_interfaces or $proxy_interfaces is returned as undeliver‐
2382 able.
2383
2384 The following $name expansions are done on luser_relay:
2385
2386 $domain
2387 The recipient domain.
2388
2389 $extension
2390 The recipient address extension.
2391
2392 $home The recipient's home directory.
2393
2394 $local The entire recipient address localpart.
2395
2396 $recipient
2397 The full recipient address.
2398
2399 $recipient_delimiter
2400 The system-wide recipient address extension delimiter.
2401
2402 $shell The recipient's login shell.
2403
2404 $user The recipient username.
2405
2406 ${name?value}
2407 Expands to value when $name has a non-empty value.
2408
2409 ${name:value}
2410 Expands to value when $name has an empty value.
2411
2412 Instead of $name you can also specify ${name} or $(name).
2413
2414 Note: luser_relay works only for the Postfix local(8) delivery agent.
2415
2416 Note: if you use this feature for accounts not in the UNIX password
2417 file, then you must specify "local_recipient_maps =" (i.e. empty) in
2418 the main.cf file, otherwise the Postfix SMTP server will reject mail
2419 for non-UNIX accounts with "User unknown in local recipient table".
2420
2421 Examples:
2422
2423 luser_relay = $user@other.host
2424 luser_relay = $local@other.host
2425 luser_relay = admin+$local
2426
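The expansions listed above can be checked with the following Python function, an added example that is not Postfix code. It builds the $name table from a recipient address split at recipient_delimiter (a constructed address and delimiter) and expands the documented forms. Because the attributes come from the recipient address, which the sender controls, their values are inserted literally and never re-scanned for $ sequences; only the value part of ${name?value} and ${name:value} is itself expanded, and nested braces inside that value are not supported here.

```python
import re

# Added example (not Postfix code). Expands a luser_relay value using the
# $name attributes listed above. The recipient address, delimiter and the
# other.host destination are constructed for the example.

# One $-expression: "$$", "${name?value}", "${name:value}", "${name}",
# "$(name)" or "$name". The value part of a conditional may contain further
# $name or $(name) references but no braces.
_TOKEN = re.compile(
    r"\$(?:(\$)"
    r"|\{([A-Za-z_][A-Za-z0-9_]*)([?:])([^{}]*)\}"
    r"|\{([A-Za-z_][A-Za-z0-9_]*)\}"
    r"|\(([A-Za-z_][A-Za-z0-9_]*)\)"
    r"|([A-Za-z_][A-Za-z0-9_]*))"
)


def recipient_attributes(recipient: str, recipient_delimiter: str = "+") -> dict:
    """Build the attribute table for one recipient. $user is the localpart
    without the extension, $local the whole localpart. $home and $shell are
    only known for UNIX accounts and are left empty here."""
    local, sep, domain = recipient.rpartition("@")
    if not sep:
        local, domain = recipient, ""
    user, extension = local, ""
    if recipient_delimiter and recipient_delimiter in local:
        user, _, extension = local.partition(recipient_delimiter)
    return {
        "domain": domain,
        "extension": extension,
        "home": "",
        "local": local,
        "recipient": recipient,
        "recipient_delimiter": recipient_delimiter,
        "shell": "",
        "user": user,
    }


def expand(template: str, attrs: dict) -> str:
    """Expand $-expressions in template. Attribute values come from the
    recipient address, which the sender controls, so they are inserted
    literally and never re-scanned for further $ sequences; only the value
    part of ${name?value} / ${name:value} is itself expanded."""

    def replace(match):
        if match.group(1):
            return "$"
        if match.group(2):
            name, op, value = match.group(2), match.group(3), match.group(4)
            present = bool(attrs.get(name, ""))
            if (op == "?") == present:
                return expand(value, attrs)
            return ""
        name = match.group(5) or match.group(6) or match.group(7)
        return attrs.get(name, "")

    return _TOKEN.sub(replace, template)


if __name__ == "__main__":
    attrs = recipient_attributes("jane+work@example.com")
    for value in ("$user@other.host", "$local@other.host", "admin+$local",
                  "${extension?$user+$extension}${extension:$user}@other.host"):
        print(f"{value:60} -> {expand(value, attrs)}")
```

The last template in the usage loop preserves the extension only when one is present, which is the kind of conditional the ${name?value} and ${name:value} forms exist for.
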
2428 The mail system name that is displayed in Received: headers, in the
2429 SMTP greeting banner, and in bounced mail.
2430
2432 The UNIX system account that owns the Postfix queue and most Postfix
2433 daemon processes. Specify the name of a user account that does not
2434 share a group with other accounts and that owns no other files or pro‐
2435 cesses on the system. In particular, don't specify nobody or daemon.
2436 PLEASE USE A DEDICATED USER ID AND GROUP ID.
2437
2438 When this parameter value is changed you need to re-run "postfix set-
2439 permissions" (with Postfix version 2.0 and earlier: "/etc/postfix/post-
2440 install set-permissions").
2441
2443 The Postfix release date, in "YYYYMMDD" format.
2444
2446 The directory where local(8) UNIX-style mailboxes are kept. The default
2447 setting depends on the system type. Specify a name ending in / for
2448 maildir-style delivery.
2449
2450 Note: maildir delivery is done with the privileges of the recipient.
2451 If you use the mail_spool_directory setting for maildir style delivery,
2452 then you must create the top-level maildir directory in advance. Post‐
2453 fix will not create it.
2454
2455 Examples:
2456
2457 mail_spool_directory = /var/mail
2458 mail_spool_directory = /var/spool/mail
2459
2461 The version of the mail system. Stable releases are named
2462 major.minor.patchlevel. Experimental releases also include the release
2463 date. The version string can be used in, for example, the SMTP greeting
2464 banner.
2465
2467 Optional external command that the local(8) delivery agent should use
2468 for mailbox delivery. The command is run with the user ID and the pri‐
2469 mary group ID privileges of the recipient. Exception: command delivery
2470 for root executes with $default_privs privileges. This is not a prob‐
2471 lem, because 1) mail for root should always be aliased to a real user
2472 and 2) don't log in as root, use "su" instead.
2473
2474 The following environment variables are exported to the command:
2475
2476 CLIENT_ADDRESS
2477 Remote client network address. Available in Postfix version 2.2
2478 and later.
2479
2480 CLIENT_HELO
2481 Remote client EHLO command parameter. Available in Postfix ver‐
2482 sion 2.2 and later.
2483
2484 CLIENT_HOSTNAME
2485 Remote client hostname. Available in Postfix version 2.2 and
2486 later.
2487
2488 CLIENT_PROTOCOL
2489 Remote client protocol. Available in Postfix version 2.2 and
2490 later.
2491
2492 DOMAIN The domain part of the recipient address.
2493
2494 EXTENSION
2495 The optional address extension.
2496
2497 HOME The recipient home directory.
2498
2499 LOCAL The recipient address localpart.
2500
2501 LOGNAME
2502 The recipient's username.
2503
2504 RECIPIENT
2505 The full recipient address.
2506
2507 SASL_METHOD
2508 SASL authentication method specified in the remote client AUTH
2509 command. Available in Postfix version 2.2 and later.
2510
2511 SASL_SENDER
2512 SASL sender address specified in the remote client MAIL FROM
2513 command. Available in Postfix version 2.2 and later.
2514
2515 SASL_USER
2516 SASL username specified in the remote client AUTH command.
2517 Available in Postfix version 2.2 and later.
2518
2519 SENDER The full sender address.
2520
2521 SHELL The recipient's login shell.
2522
2523 USER The recipient username.
2524
2525 Unlike other Postfix configuration parameters, the mailbox_command
2526 parameter is not subjected to $name substitutions. This is to make it
2527 easier to specify shell syntax (see example below).
2528
2529 If you can, avoid shell meta characters because they will force Postfix
2530 to run an expensive shell process. If you're delivering via Procmail
2531 then running a shell won't make a noticeable difference in the total
2532 cost.
2533
2534 Note: if you use the mailbox_command feature to deliver mail system-
2535 wide, you must set up an alias that forwards mail for root to a real
2536 user.
2537
2538 The precedence of local(8) delivery features from high to low is:
2539 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2540 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2541 tory, fallback_transport_maps, fallback_transport and luser_relay.
2542
2543 Examples:
2544
2545 mailbox_command = /some/where/procmail
2546 mailbox_command = /some/where/procmail -a "$EXTENSION"
2547 mailbox_command = /some/where/maildrop -d "$USER"
2548 -f "$SENDER" "$EXTENSION"
2549
2551 Optional lookup tables with per-recipient external commands to use for
2552 local(8) mailbox delivery. Behavior is as with mailbox_command.
2553
2554 The precedence of local(8) delivery features from high to low is:
2555 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2556 mailbox_command_maps, mailbox_command, home_mailbox,
2557 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
2558
2560 How to lock a UNIX-style local(8) mailbox before attempting delivery.
2561 For a list of available file locking methods, use the "postconf -l"
2562 command.
2563
2564 This setting is ignored with maildir style delivery, because such
2565 deliveries are safe without explicit locks.
2566
2567 Note: The dotlock method requires that the recipient UID or GID has
2568 write access to the parent directory of the mailbox file.
2569
2570 Note: the default setting of this parameter is system dependent.
2571
2573 The maximal size of any local(8) individual mailbox or maildir file, or
2574 zero (no limit). In fact, this limits the size of any file that is
2575 written to upon local delivery, including files written by external
2576 commands that are executed by the local(8) delivery agent.
2577
2578 This limit must not be smaller than the message size limit.
2579
2581 Optional message delivery transport that the local(8) delivery agent
2582 should use for mailbox delivery to all local recipients, whether or not
2583 they are found in the UNIX passwd database.
2584
2585 The precedence of local(8) delivery features from high to low is:
2586 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2587 mailbox_command_maps, mailbox_command, home_mailbox,
2588 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
2589
2591 Optional lookup tables with per-recipient message delivery transports
2592 to use for local(8) mailbox delivery, whether or not the recipients are
2593 found in the UNIX passwd database.
2594
2595 The precedence of local(8) delivery features from high to low is:
2596 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2597 mailbox_command_maps, mailbox_command, home_mailbox,
2598 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
2599
2600 For safety reasons, this feature does not allow $number substitutions
2601 in regular expression maps.
2602
2603 This feature is available in Postfix 2.3 and later.
2604
2606 Sendmail compatibility feature that specifies where the Postfix
2607 mailq(1) command is installed. This command can be used to list the
2608 Postfix mail queue.
2609
2611 Where the Postfix manual pages are installed.
2612
2614 Obsolete feature: use the reject_rbl_client feature instead.
2615
2617 The numerical Postfix SMTP server response code when a remote SMTP
2618 client request is blocked by the reject_rbl_client,
2619 reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient
2620 restriction.
2621
2622 Do not change this unless you have a complete understanding of RFC 821.
2623
2625
2626 What addresses are subject to address masquerading.
2627
2628 By default, address masquerading is limited to envelope sender
2629 addresses, and to header sender and header recipient addresses. This
2630 allows you to use address masquerading on a mail gateway while still
2631 being able to forward mail to users on individual machines.
2632
2633 Specify zero or more of: envelope_sender, envelope_recipient,
2634 header_sender, header_recipient
2635
2637 Optional list of domains whose subdomain structure will be stripped off
2638 in email addresses.
2639
2640 The list is processed left to right, and processing stops at the first
2641 match. Thus,
2642
2643 masquerade_domains = foo.example.com example.com
2644
2645 strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
2646 strips "user@any.thing.else.example.com" to "user@example.com".
2647
2648 A domain name prefixed with ! means do not masquerade this domain or
2649 its subdomains. Thus,
2650
2651 masquerade_domains = !foo.example.com example.com
2652
2653 does not change "user@any.thing.foo.example.com" or
2654 "user@foo.example.com", but strips "user@any.thing.else.example.com" to
2655 "user@example.com".
2656
2657 Note: with Postfix version 2.2, message header address masquerading
2658 happens only when message header address rewriting is enabled:
2659
2660 · The message is received with the Postfix sendmail(1) command,
2661
2662 · The message is received from a network client that matches
2663 $local_header_rewrite_clients,
2664
2665 · The message is received from the network, and the
2666 remote_header_rewrite_domain parameter specifies a non-empty
2667 value.
2668
2669 To get the behavior before Postfix version 2.2, specify
2670 "local_header_rewrite_clients = static:all".
2671
2672 Example:
2673
2674 masquerade_domains = $mydomain
2675
2677 Optional list of user names that are not subjected to address
2678 masquerading, even when their address matches $masquerade_domains.
2679
2680 By default, address masquerading makes no exceptions.
2681
2682 Specify a list of user names, "/file/name" or "type:table" patterns,
2683 separated by commas and/or whitespace. The list is matched left to
2684 right, and the search stops on the first match. A "/file/name" pattern
2685 is replaced by its contents; a "type:table" lookup table is matched
2686 when a name matches a lookup key (the lookup result is ignored).
2687 Continue long lines by starting the next line with whitespace. Specify
2688 "!pattern" to exclude a name from the list. The form "!/file/name" is
2689 supported only in Postfix version 2.4 and later.
2690
2691 Examples:
2692
2693 masquerade_exceptions = root, mailer-daemon
2694 masquerade_exceptions = root
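The masquerade_domains and masquerade_exceptions rules above (left-to-right, first match wins, "!" excludes a domain and its subdomains, listed user names are never rewritten) are small enough to reproduce exactly. The following is an added illustration written for this page, not Postfix source code; it handles plain domain and user names only, not the "/file/name" or "type:table" forms, and the addresses fed to it are the ones from the examples above.

```python
"""Address masquerading as described for masquerade_domains and
masquerade_exceptions.  Added illustration, not Postfix source code.
"""
from typing import Optional, Sequence


def find_masquerade_domain(domain: str, masquerade_domains: Sequence[str]) -> Optional[str]:
    """Return the domain an address in `domain` is rewritten to, or None.

    The list is processed left to right and processing stops at the first
    entry that equals the domain or is a parent of it.  An entry prefixed
    with "!" matches the same way but means "do not masquerade".
    """
    d = domain.lower()
    for entry in masquerade_domains:
        negate = entry.startswith("!")
        name = entry.lstrip("!").lower()
        if d == name or d.endswith("." + name):
            return None if negate else name
    return None


def masquerade(address: str,
               masquerade_domains: Sequence[str],
               masquerade_exceptions: Sequence[str] = ()) -> str:
    """Rewrite user@sub.domain to user@domain according to the two lists.

    User names in masquerade_exceptions (compared case-insensitively here)
    are left alone even when their domain would match.
    """
    if "@" not in address:
        return address
    local, _, domain = address.rpartition("@")
    if local.lower() in {e.lower() for e in masquerade_exceptions}:
        return address
    target = find_masquerade_domain(domain, masquerade_domains)
    if target is None:
        return address
    return f"{local}@{target}"


if __name__ == "__main__":
    # The example lists from the masquerade_domains description.
    for rules in (["foo.example.com", "example.com"],
                  ["!foo.example.com", "example.com"]):
        for addr in ("user@any.thing.foo.example.com",
                     "user@foo.example.com",
                     "user@any.thing.else.example.com"):
            print(rules, addr, "->", masquerade(addr, rules))
    print(masquerade("root@host.example.com", ["example.com"], ["root", "mailer-daemon"]))
```

Running the block prints each example address beside its rewritten form; the "!" list leaves both foo.example.com addresses unchanged, and root is never rewritten when it appears in the exceptions list.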
2695
2697 The maximum amount of time that an idle Postfix daemon process waits
2698 for an incoming connection before terminating voluntarily. This
2699 parameter is ignored by the Postfix queue manager and by other long-lived
2700 Postfix daemon processes.
2701
2702 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2703 The default time unit is s (seconds).
2704
2706 The maximal number of incoming connections that a Postfix daemon
2707 process will service before terminating voluntarily. This parameter is
2708 ignored by the Postfix queue manager and by other long-lived Postfix
2709 daemon processes.
2710
2712 The maximal time between attempts to deliver a deferred message.
2713
2714 This parameter should be set to a value greater than or equal to
2715 $minimal_backoff_time. See also $queue_run_delay.
2716
2717 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2718 The default time unit is s (seconds).
2719
2721 The maximal time a message is queued before it is sent back as
2722 undeliverable.
2723
2724 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2725 The default time unit is d (days).
2726
2727 Specify 0 when mail delivery should be tried only once.
2728
2730 The set of characters that Postfix will reject in message content. The
2731 usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
2732 (up to three octal digits) and \\.
2733
2734 Example:
2735
2736 message_reject_characters = \0
2737
2738 This feature is available in Postfix 2.3 and later.
2739
2741 The maximal size in bytes of a message, including envelope information.
2742
2744 The set of characters that Postfix will remove from message content.
2745 The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
2746 \ddd (up to three octal digits) and \\.
2747
2748 Example:
2749
2750 message_strip_characters = \0
2751
2752 This feature is available in Postfix 2.3 and later.
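Both message_reject_characters and message_strip_characters take a set of characters written with the C-like escapes listed above (\a \b \f \n \r \t \v, \ddd with up to three octal digits, and \\). The following added example, written for this page and not taken from Postfix, decodes such a value into a set of byte values and applies the two sets to a piece of constructed message content; the order in which it applies them (reject check first, then strip) is this example's choice, not a statement about the cleanup server. In Python source the parameter value must be written as a raw string so the backslashes reach the parser.

```python
"""Decode the escape syntax of message_reject_characters and
message_strip_characters and apply both sets to message content.
Added illustration, not Postfix source code.
"""
from typing import Set, Tuple

# Single-letter escapes and the byte value each one names.
_SIMPLE = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_OCTAL = "01234567"


def parse_charset(spec: str) -> Set[int]:
    """Return the set of byte values named by `spec`.

    Recognized: \\a \\b \\f \\n \\r \\t \\v, \\ddd (one to three octal
    digits) and \\\\ for a literal backslash.  Any other character stands
    for itself.
    """
    result: Set[int] = set()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch != "\\":
            result.add(ord(ch))
            i += 1
            continue
        i += 1
        if i >= len(spec):
            raise ValueError("trailing backslash in character set")
        nxt = spec[i]
        if nxt in _SIMPLE:
            result.add(_SIMPLE[nxt])
            i += 1
        elif nxt in _OCTAL:
            # Consume at most three octal digits.
            j = i
            while j < len(spec) and j - i < 3 and spec[j] in _OCTAL:
                j += 1
            value = int(spec[i:j], 8)
            if value > 255:
                raise ValueError(f"octal escape out of range: \\{spec[i:j]}")
            result.add(value)
            i = j
        else:
            raise ValueError(f"unknown escape \\{nxt}")
    return result


def filter_content(data: bytes, reject: Set[int], strip: Set[int]) -> Tuple[bool, bytes]:
    """Return (accepted, content) after applying the two character sets.

    Example's own order: if any byte is in `reject` the content is refused
    unchanged; otherwise every byte in `strip` is removed.
    """
    if any(b in reject for b in data):
        return False, data
    return True, bytes(b for b in data if b not in strip)


if __name__ == "__main__":
    # Constructed content with an embedded NUL, the character the page's
    # examples name with "\0".
    sample = b"Subject: test\r\n\r\nhello\x00world\r\n"
    print(filter_content(sample, parse_charset(r"\0"), set()))
    print(filter_content(sample, set(), parse_charset(r"\0")))
```

Decoding the set once and reusing it is the point: the parameter names bytes, so checks on content have to operate on bytes, not on decoded text where a NUL might already have been altered.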
2753
2755 The time limit for sending an SMTP command to a Milter (mail filter)
2756 application, and for receiving the response.
2757
2758 Specify a non-zero time value (an integral value plus an optional one-
2759 letter suffix that specifies the time unit).
2760
2761 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2762 The default time unit is s (seconds).
2763
2764 This feature is available in Postfix 2.3 and later.
2765
2767 The macros that are sent to Milter (mail filter) applications after
2768 completion of an SMTP connection. See MILTER_README for a list of
2769 available macro names and their meanings.
2770
2771 This feature is available in Postfix 2.3 and later.
2772
2774 The time limit for connecting to a Milter (mail filter) application,
2775 and for negotiating protocol options.
2776
2777 Specify a non-zero time value (an integral value plus an optional one-
2778 letter suffix that specifies the time unit).
2779
2780 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2781 The default time unit is s (seconds).
2782
2783 This feature is available in Postfix 2.3 and later.
2784
2786 The time limit for sending message content to a Milter (mail filter)
2787 application, and for receiving the response.
2788
2789 Specify a non-zero time value (an integral value plus an optional one-
2790 letter suffix that specifies the time unit).
2791
2792 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2793 The default time unit is s (seconds).
2794
2795 This feature is available in Postfix 2.3 and later.
2796
2798 The macros that are sent to version 4 or higher Milter (mail filter)
2799 applications after the SMTP DATA command. See MILTER_README for a list
2800 of available macro names and their meanings.
2801
2802 This feature is available in Postfix 2.3 and later.
2803
2805 The default action when a Milter (mail filter) application is
2806 unavailable or mis-configured. Specify one of the following:
2807
2808 accept Proceed as if the mail filter was not present.
2809
2810 reject Reject all further commands in this session with a permanent
2811 status code.
2812
2813 tempfail
2814 Reject all further commands in this session with a temporary
2815 status code.
2816
2817 This feature is available in Postfix 2.3 and later.
2818
2820 The macros that are sent to Milter (mail filter) applications after the
2821 message end-of-data. See MILTER_README for a list of available macro
2822 names and their meanings.
2823
2824 This feature is available in Postfix 2.3 and later.
2825
2827 The macros that are sent to Milter (mail filter) applications after the
2828 SMTP HELO or EHLO command. See MILTER_README for a list of available
2829 macro names and their meanings.
2830
2831 This feature is available in Postfix 2.3 and later.
2832
2834 The {daemon_name} macro value for Milter (mail filter) applications.
2835 See MILTER_README for a list of available macro names and their mean‐
2836 ings.
2837
2838 This feature is available in Postfix 2.3 and later.
2839
2841 The {v} macro value for Milter (mail filter) applications. See
2842 MILTER_README for a list of available macro names and their meanings.
2843
2844 This feature is available in Postfix 2.3 and later.
2845
2847 The macros that are sent to Milter (mail filter) applications after the
2848 SMTP MAIL FROM command. See MILTER_README for a list of available macro
2849 names and their meanings.
2850
2851 This feature is available in Postfix 2.3 and later.
2852
2854 The mail filter protocol version and optional protocol extensions for
2855 communication with a Milter (mail filter) application. This information
2856 should match the protocol that is expected by the actual mail filter
2857 application.
2858
2859 Protocol versions:
2860
2861 2 Use Sendmail 8 mail filter protocol version 2.
2862
2863 3 Use Sendmail 8 mail filter protocol version 3.
2864
2865 4 Use Sendmail 8 mail filter protocol version 4.
2866
2867 Protocol extensions:
2868
2869 no_header_reply
2870 Specify this when the Milter application will not reply for each
2871 individual message header.
2872
2873 This feature is available in Postfix 2.3 and later.
2874
2876 The macros that are sent to Milter (mail filter) applications after the
2877 SMTP RCPT TO command. See MILTER_README for a list of available macro
2878 names and their meanings.
2879
2880 This feature is available in Postfix 2.3 and later.
2881
2883 The macros that are sent to version 3 or higher Milter (mail filter)
2884 applications after an unknown SMTP command. See MILTER_README for a
2885 list of available macro names and their meanings.
2886
2887 This feature is available in Postfix 2.3 and later.
2888
2890 The maximal length of MIME multipart boundary strings. The MIME
2891 processor is unable to distinguish between boundary strings that do not
2892 differ in the first $mime_boundary_length_limit characters.
2893
2894 This feature is available in Postfix 2.0 and later.
2895
2897 Optional lookup tables for content inspection of MIME related message
2898 headers, as described in the header_checks(5) manual page.
2899
2900 This feature is available in Postfix 2.0 and later.
2901
2903 The maximal recursion level that the MIME processor will handle.
2904 Postfix refuses mail that is nested deeper than the specified limit.
2905
2906 This feature is available in Postfix 2.0 and later.
2907
2909 The minimal time between attempts to deliver a deferred message; prior
2910 to Postfix 2.4 the default value was 1000s.
2911
2912 This parameter also limits the time an unreachable destination is kept
2913 in the short-term, in-memory, destination status cache.
2914
2915 This parameter should be set greater than or equal to $queue_run_delay.
2916 See also $maximal_backoff_time.
2917
2918 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2919 The default time unit is s (seconds).
2920
2922 The numerical Postfix SMTP server response code when a remote SMTP
2923 client request is blocked by the reject_multi_recipient_bounce
2924 restriction.
2925
2926 Do not change this unless you have a complete understanding of RFC 821.
2927
2928 This feature is available in Postfix 2.1 and later.
2929
2931 The list of domains that are delivered via the $local_transport mail
2932 delivery transport. By default this is the Postfix local(8) delivery
2933 agent which looks up all recipients in /etc/passwd and /etc/aliases.
2934 The SMTP server validates recipient addresses with
2935 $local_recipient_maps and rejects non-existent recipients. See also the
2936 local domain class in the ADDRESS_CLASS_README file.
2937
2938 The default mydestination value specifies names for the local machine
2939 only. On a mail domain gateway, you should also include $mydomain.
2940
2941 The $local_transport delivery method is also selected for mail
2942 addressed to user@[the.net.work.address] of the mail system (the IP
2943 addresses specified with the inet_interfaces and proxy_interfaces
2944 parameters).
2945
2946 Warnings:
2947
2948 · Do not specify the names of virtual domains - those domains are
2949 specified elsewhere. See VIRTUAL_README for more information.
2950
2951 · Do not specify the names of domains that this machine is backup
2952 MX host for. See STANDARD_CONFIGURATION_README for how to set up
2953 backup MX hosts.
2954
2955 · By default, the Postfix SMTP server rejects mail for recipients
2956 not listed with the local_recipient_maps parameter. See the
2957 postconf(5) manual for a description of the local_recipient_maps
2958 and unknown_local_recipient_reject_code parameters.
2959
2960 Specify a list of host or domain names, "/file/name" or "type:table"
2961 patterns, separated by commas and/or whitespace. A "/file/name" pattern
2962 is replaced by its contents; a "type:table" lookup table is matched
2963 when a name matches a lookup key (the lookup result is ignored).
2964 Continue long lines by starting the next line with whitespace.
2965
2966 Examples:
2967
2968 mydestination = $myhostname, localhost.$mydomain $mydomain
2969 mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
2970
2972 The internet domain name of this mail system. The default is to use
2973 $myhostname minus the first component. $mydomain is used as a default
2974 value for many other configuration parameters.
2975
2976 Example:
2977
2978 mydomain = domain.tld
2979
2981 The internet hostname of this mail system. The default is to use the
2982 fully-qualified domain name from gethostname(). $myhostname is used as
2983 a default value for many other configuration parameters.
2984
2985 Example:
2986
2987 myhostname = host.domain.tld
2988
2990 The list of "trusted" SMTP clients that have more privileges than
2991 "strangers".
2992
2993 In particular, "trusted" SMTP clients are allowed to relay mail through
2994 Postfix. See the smtpd_recipient_restrictions parameter description in
2995 the postconf(5) manual.
2996
2997 You can specify the list of "trusted" network addresses by hand or you
2998 can let Postfix do it for you (which is the default). See the
2999 description of the mynetworks_style parameter for more information.
3000
3001 If you specify the mynetworks list by hand, Postfix ignores the
3002 mynetworks_style setting.
3003
3004 Specify a list of network addresses or network/netmask patterns,
3005 separated by commas and/or whitespace. Continue long lines by starting the
3006 next line with whitespace.
3007
3008 The netmask specifies the number of bits in the network part of a host
3009 address. You can also specify "/file/name" or "type:table" patterns.
3010 A "/file/name" pattern is replaced by its contents; a "type:table"
3011 lookup table is matched when a table entry matches a lookup string (the
3012 lookup result is ignored).
3013
3014 The list is matched left to right, and the search stops on the first
3015 match. Specify "!pattern" to exclude an address or network block from
3016 the list. The form "!/file/name" is supported only in Postfix version
3017 2.4 and later.
3018
3019 Note: IP version 6 address information must be specified inside [] in
3020 the mynetworks value, and in files specified with "/file/name". IP
3021 version 6 addresses contain the ":" character, and would otherwise be
3022 confused with a "type:table" pattern.
3023
3024 Examples:
3025
3026 mynetworks = 127.0.0.0/8 168.100.189.0/28
3027 mynetworks = !192.168.0.1, 192.168.0.0/28
3028 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
3029 mynetworks = $config_directory/mynetworks
3030 mynetworks = hash:/etc/postfix/network_table
3031
3033 The method to generate the default value for the mynetworks parameter.
3034 This is the list of trusted networks for relay access control etc.
3035
3036 · Specify "mynetworks_style = host" when Postfix should "trust"
3037 only the local machine.
3038
3039 · Specify "mynetworks_style = subnet" when Postfix should "trust"
3040 SMTP clients in the same IP subnetworks as the local machine.
3041 On Linux, this works correctly only with interfaces specified
3042 with the "ifconfig" command.
3043
3044 · Specify "mynetworks_style = class" when Postfix should "trust"
3045 SMTP clients in the same IP class A/B/C networks as the local
3046 machine. Don't do this with a dialup site - it would cause
3047 Postfix to "trust" your entire provider's network. Instead,
3048 specify an explicit mynetworks list by hand, as described with
3049 the mynetworks configuration parameter.
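Because mynetworks decides who may relay, it is worth being able to answer "would this client be trusted?" from a given value, and to see how much each mynetworks_style would trust by default. The following added example, written for this page and not taken from Postfix, implements the matching rules stated above (left to right, first match, "!pattern" excludes, IPv6 in brackets) for address and network/netmask patterns only ("/file/name" and "type:table" patterns are out of scope), and derives the host, subnet and class defaults for one interface address. The interface address 203.0.113.5/27 used in the demonstration is constructed.

```python
"""Client matching with mynetworks semantics, and the default entry each
mynetworks_style would derive for one interface.  Added illustration, not
Postfix source code.
"""
import ipaddress
from typing import List


def split_list(value: str) -> List[str]:
    """Split a main.cf list value on commas and/or whitespace."""
    return value.replace(",", " ").split()


def _parse_pattern(pattern: str):
    """Turn "10.0.0.0/8", "192.168.0.1" or "[2001:db8::]/64" into a network.

    IPv6 patterns are written inside [] so their ":" is not taken for a
    "type:table" pattern; the brackets are removed before parsing.
    """
    text = pattern
    if text.startswith("["):
        addr, _, prefix = text[1:].partition("]")
        text = addr + prefix            # prefix is "" or "/nn"
    # strict=False tolerates host bits in the address part (10.1.2.3/8).
    return ipaddress.ip_network(text, strict=False)


def is_trusted(client: str, mynetworks: str) -> bool:
    """Decide whether `client` falls under the mynetworks value.

    Patterns are matched left to right and the search stops at the first
    match; a matching "!pattern" excludes the client.  No match means the
    client is not trusted.
    """
    addr = ipaddress.ip_address(client.strip("[]"))
    for pattern in split_list(mynetworks):
        negate = pattern.startswith("!")
        net = _parse_pattern(pattern.lstrip("!"))
        if addr.version == net.version and addr in net:
            return not negate
    return False


def default_mynetworks(interface: str, style: str) -> List[str]:
    """Derive the default mynetworks entry for one interface address/prefix.

    host:   trust only the machine's own address.
    subnet: trust the interface's IP subnet.
    class:  trust the classful A/B/C network; on a dialup or hosted address
            that is the provider's whole block, hence the warning above.
    """
    iface = ipaddress.ip_interface(interface)
    if style == "host":
        return [f"{iface.ip}/{iface.max_prefixlen}"]
    if style == "subnet":
        return [str(iface.network)]
    if style == "class":
        if iface.version != 4:
            raise ValueError("classful networks are defined for IPv4 only")
        first_octet = int(iface.ip) >> 24
        prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
        return [str(ipaddress.ip_network(f"{iface.ip}/{prefix}", strict=False))]
    raise ValueError(f"unknown mynetworks_style {style!r}")


if __name__ == "__main__":
    # Constructed clients checked against the example lists given above.
    rules = "!192.168.0.1, 192.168.0.0/28"
    for client in ("192.168.0.1", "192.168.0.2", "192.168.0.20"):
        print(client, is_trusted(client, rules))
    rules6 = "127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64"
    print("::1", is_trusted("::1", rules6))
    for style in ("host", "subnet", "class"):
        print(style, default_mynetworks("203.0.113.5/27", style))
```

For the constructed interface, "host" yields a single /32, "subnet" the /27 it sits in, and "class" the whole 203.0.113.0/24, which shows concretely why the description advises an explicit list instead of the class style.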
3050
3052 The domain name that locally-posted mail appears to come from, and that
3053 locally posted mail is delivered to. The default, $myhostname, is
3054 adequate for small sites. If you run a domain with multiple machines, you
3055 should (1) change this to $mydomain and (2) set up a domain-wide alias
3056 database that aliases each user to user@that.users.mailhost.
3057
3058 Example:
3059
3060 myorigin = $mydomain
3061
3063 Optional lookup tables for content inspection of non-MIME message
3064 headers in attached messages, as described in the header_checks(5) manual
3065 page.
3066
3067 This feature is available in Postfix 2.0 and later.
3068
3070 Sendmail compatibility feature that specifies the location of the
3071 newaliases(1) command. This command can be used to rebuild the local(8)
3072 aliases(5) database.
3073
3075 The numerical Postfix SMTP server reply code when a client request is
3076 rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
3077 or reject_non_fqdn_recipient restriction.
3078
3080 A list of Milter (mail filter) applications for new mail that does not
3081 arrive via the Postfix smtpd(8) server. This includes local submission
3082 via the sendmail(1) command line, new mail that arrives via the Postfix
3083 qmqpd(8) server, and old mail that is re-injected into the queue with
3084 "postsuper -r". See the MILTER_README document for details.
3085
3086 This feature is available in Postfix 2.3 and later.
3087
3089 The list of error classes that are reported to the postmaster. The
3090 default is to report only the most serious problems. The paranoid may
3091 wish to turn on the policy (UCE and mail relaying) and protocol error
3092 (broken mail software) reports.
3093
3094 NOTE: postmaster notifications may contain confidential information
3095 such as SASL passwords or message content. It is the system
3096 administrator's responsibility to treat such information with care.
3097
3098 The error classes are:
3099
3100 bounce (also implies 2bounce)
3101 Send the postmaster copies of the headers of bounced mail, and
3102 send transcripts of SMTP sessions when Postfix rejects mail. The
3103 notification is sent to the address specified with the
3104 bounce_notice_recipient configuration parameter (default:
3105 postmaster).
3106
3107 2bounce
3108 Send undeliverable bounced mail to the postmaster. The
3109 notification is sent to the address specified with the
3110 2bounce_notice_recipient configuration parameter (default:
3111 postmaster).
3112
3113 delay Send the postmaster copies of the headers of delayed mail. The
3114 notification is sent to the address specified with the
3115 delay_notice_recipient configuration parameter (default:
3116 postmaster).
3117
3118 policy Send the postmaster a transcript of the SMTP session when a
3119 client request was rejected because of (UCE) policy. The
3120 notification is sent to the address specified with the
3121 error_notice_recipient configuration parameter (default:
3122 postmaster).
3123
3124 protocol
3125 Send the postmaster a transcript of the SMTP session in case of
3126 client or server protocol errors. The notification is sent to
3127 the address specified with the error_notice_recipient
3128 configuration parameter (default: postmaster).
3129
3130 resource
3131 Inform the postmaster of mail not delivered due to resource
3132 problems. The notification is sent to the address specified
3133 with the error_notice_recipient configuration parameter
3134 (default: postmaster).
3135
3136 software
3137 Inform the postmaster of mail not delivered due to software
3138 problems. The notification is sent to the address specified
3139 with the error_notice_recipient configuration parameter
3140 (default: postmaster).
3141
3142 Examples:
3143
3144 notify_classes = bounce, delay, policy, protocol, resource, software
3145 notify_classes = 2bounce, resource, software
3146
3148 Give special treatment to owner-listname and listname-request address
3149 localparts: don't split such addresses when the recipient_delimiter is
3150 set to "-". This feature is useful for mailing lists.
3151
3153 What Postfix features match subdomains of "domain.tld" automatically,
3154 instead of requiring an explicit ".domain.tld" pattern. This is
3155 planned backwards compatibility: eventually, all Postfix features are
3156 expected to require explicit ".domain.tld" style patterns when you
3157 really want to match subdomains.
3158
3160 Restrict the use of the permit_mx_backup SMTP access feature to only
3161 domains whose primary MX hosts match the listed networks.
3162
3164 The name of the pickup(8) service. This service picks up local mail
3165 submissions from the Postfix maildrop queue.
3166
3167 This feature is available in Postfix 2.0 and later.
3168
3170 The numerical Postfix SMTP server response code when a request is
3171 rejected by the reject_plaintext_session restriction.
3172
3173 This feature is available in Postfix 2.3 and later.
3174
3176 The message delivery contexts where the Postfix local(8) delivery agent
3177 prepends a Delivered-To: message header with the address that the mail
3178 was delivered to. This information is used for mail delivery loop
3179 detection.
3180
3181 By default, the Postfix local delivery agent prepends a Delivered-To:
3182 header when forwarding mail and when delivering to file (mailbox) and
3183 command. Turning off the Delivered-To: header when forwarding mail is
3184 not recommended.
3185
3186 Specify zero or more of forward, file, or command.
3187
3188 Example:
3189
3190 prepend_delivered_header = forward
3191
3193 The process ID of a Postfix command or daemon process.
3194
3196 The location of Postfix PID files relative to $queue_directory. This
3197 is a read-only parameter.
3198
3200 The process name of a Postfix command or daemon process.
3201
3203 What address lookup tables copy an address extension from the lookup
3204 key to the lookup result.
3205
3206 For example, with a virtual(5) mapping of "joe@domain -> joe.user", the
3207 address "joe+foo@domain" would rewrite to "joe.user+foo".
3208
3209 Specify zero or more of canonical, virtual, alias, forward, include or
3210 generic. These cause address extension propagation with canonical(5),
3211 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
3212 file lookups, and with smtp(8) generic maps, respectively.
3213
3214 Note: enabling this feature for types other than canonical and virtual
3215 is likely to cause problems when mail is forwarded to other sites,
3216 especially with mail that is sent to a mailing list exploder address.
3217
3218 Examples:
3219
3220 propagate_unmatched_extensions = canonical, virtual, alias,
3221 forward, include
3222 propagate_unmatched_extensions = canonical, virtual
3223
3225 The network interface addresses that this mail system receives mail on
3226 by way of a proxy or network address translation unit.
3227
3228 This feature is available in Postfix 2.0 and later.
3229
3230 You must specify your "outside" proxy/NAT addresses when your system is
3231 a backup MX host for other domains, otherwise mail delivery loops will
3232 happen when the primary MX host is down.
3233
3234 Example:
3235
3236 proxy_interfaces = 1.2.3.4
3237
3239 The lookup tables that the proxymap(8) server is allowed to access.
3240 Table references that don't begin with proxy: are ignored. The
3241 proxymap(8) table accesses are read-only.
3242
3243 This feature is available in Postfix 2.0 and later.
3244
3246 The minimal delay between warnings that a specific destination is
3247 clogging up the Postfix active queue. Specify 0 to disable.
3248
3249 This feature is enabled with the helpful_warnings parameter.
3250
3251 This feature is available in Postfix 2.0 and later.
3252
3254 Obsolete feature: the percentage of delivery resources that a busy mail
3255 system will use up for delivery of a large mailing list message.
3256
3257 This feature exists only in the oqmgr(8) old queue manager. The current
3258 queue manager solves the problem in a better way.
3259
3261 The maximal number of messages in the active queue.
3262
3264 The maximal number of recipients held in memory by the Postfix queue
3265 manager, and the maximal size of the short-term, in-memory "dead"
3266 destination status cache.
3267
3269 The minimal number of in-memory recipients for any message. This takes
3270 priority over any other in-memory recipient limits (i.e., the global
3271 qmgr_message_recipient_limit and the per transport _recipient_limit) if
3272 necessary. The minimum value allowed for this parameter is 1.
3273
3275 What clients are allowed to connect to the QMQP server port.
3276
3277 By default, no client is allowed to use the service. This is because
3278 the QMQP server will relay mail to any destination.
3279
3280 Specify a list of client patterns. A list pattern specifies a host
3281 name, a domain name, an internet address, or a network/mask pattern,
3282 where the mask specifies the number of bits in the network part. When
3283 a pattern specifies a file name, its contents are substituted for the
3284 file name; when a pattern is a "type:table" table specification, table
3285 lookup is used instead.
3286
3287 Patterns are separated by whitespace and/or commas. In order to reverse
3288 the result, precede a pattern with an exclamation point (!). The form
3289 "!/file/name" is supported only in Postfix version 2.4 and later.
3290
3291 Example:
3292
3293 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
3294
3296 How long the QMQP server will pause before sending a negative reply to
3297 the client. The purpose is to slow down confused or malicious clients.
3298
3299 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3300 The default time unit is s (seconds).
3301
3303 The time limit for sending or receiving information over the network.
3304 If a read or write operation blocks for more than $qmqpd_timeout
3305 seconds the QMQP server gives up and disconnects.
3306
3307 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3308 The default time unit is s (seconds).
3309
3311 The location of the Postfix top-level queue directory. This is the root
3312 directory of Postfix daemon processes that run chrooted.
3313
3315 The maximal number of (name=value) attributes that may be stored in a
3316 Postfix queue file. The limit is enforced by the cleanup(8) server.
3317
3318 This feature is available in Postfix 2.0 and later.
3319
3321 The minimal amount of free space in bytes in the queue file system that
3322 is needed to receive mail. This is currently used by the SMTP server
3323 to decide if it will accept any mail at all.
3324
3325 By default, the Postfix version 2.1 SMTP server rejects MAIL FROM
3326 commands when the amount of free space is less than
3327 1.5*$message_size_limit. To specify a higher minimum free space limit,
3328 specify a queue_minfree value that is at least 1.5*$message_size_limit.
3329
3330 With Postfix versions 2.0 and earlier, a queue_minfree value of zero
3331 means there is no minimum required amount of free space.
3332
3334 The time between deferred queue scans by the queue manager; prior to
3335 Postfix 2.4 the default value was 1000s.
3336
3337 This parameter should be set less than or equal to
3338 $minimal_backoff_time. See also $maximal_backoff_time.
3339
3340 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3341 The default time unit is s (seconds).
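Several parameters on this page constrain each other: queue_run_delay should not exceed minimal_backoff_time, which in turn should not exceed maximal_backoff_time; mailbox_size_limit must not be smaller than message_size_limit; and a queue_minfree below 1.5*$message_size_limit does not raise the SMTP server's free-space floor. The following added example, written for this page and not taken from Postfix, parses time values with the s/m/h/d/w suffixes described above (the default unit is s except where the page says otherwise, d for maximal_queue_lifetime) and checks those relations over a dictionary of settings; the two sample settings dictionaries are constructed for the demonstration.

```python
"""Parse Postfix time values and check the ordering constraints this
manual page states between queue_run_delay, minimal_backoff_time,
maximal_backoff_time, message_size_limit, mailbox_size_limit and
queue_minfree.  Added illustration, not Postfix source code.
"""
from typing import Dict, List

# Time unit suffixes named on this page, in seconds.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value: str, default_unit: str = "s") -> int:
    """Return seconds for an integral value with an optional unit suffix.

    `default_unit` applies when no suffix is present; pass "d" for
    parameters whose default unit is days, such as maximal_queue_lifetime.
    """
    text = value.strip()
    unit = default_unit
    if text and text[-1] in _UNITS:
        unit, text = text[-1], text[:-1]
    if not text.isdigit():
        raise ValueError(f"bad time value: {value!r}")
    return int(text) * _UNITS[unit]


def check_settings(cfg: Dict[str, str]) -> List[str]:
    """Return the relations that do not hold; an empty list means all hold."""
    problems: List[str] = []
    run_delay = parse_time(cfg["queue_run_delay"])
    min_backoff = parse_time(cfg["minimal_backoff_time"])
    max_backoff = parse_time(cfg["maximal_backoff_time"])
    msg_limit = int(cfg["message_size_limit"])
    mbox_limit = int(cfg["mailbox_size_limit"])      # 0 means no limit
    minfree = int(cfg["queue_minfree"])              # 0 means built-in floor only

    if run_delay > min_backoff:
        problems.append("queue_run_delay should be <= minimal_backoff_time")
    if min_backoff > max_backoff:
        problems.append("minimal_backoff_time should be <= maximal_backoff_time")
    if mbox_limit != 0 and mbox_limit < msg_limit:
        problems.append("mailbox_size_limit must not be smaller than message_size_limit")
    if minfree != 0 and minfree < 1.5 * msg_limit:
        problems.append("queue_minfree below 1.5*message_size_limit has no effect; "
                        "the SMTP server applies that floor anyway")
    return problems


# Constructed sample settings: one consistent set, one with three problems.
SAMPLE_OK = {
    "queue_run_delay": "300s",
    "minimal_backoff_time": "300s",
    "maximal_backoff_time": "4000s",
    "message_size_limit": "10240000",
    "mailbox_size_limit": "51200000",
    "queue_minfree": "0",
}
SAMPLE_BAD = {
    "queue_run_delay": "10m",            # 600s, larger than minimal_backoff_time
    "minimal_backoff_time": "300",       # no suffix: seconds
    "maximal_backoff_time": "1h",
    "message_size_limit": "20480000",
    "mailbox_size_limit": "10240000",    # smaller than message_size_limit
    "queue_minfree": "20480000",         # below 1.5 * message_size_limit
}

if __name__ == "__main__":
    print("ok:", check_settings(SAMPLE_OK))
    for problem in check_settings(SAMPLE_BAD):
        print("bad:", problem)
```

Feeding the function the output of "postconf" for a live system is a quick way to catch a retry schedule that was tuned one parameter at a time.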
3342
3344 The name of the qmgr(8) service. This service manages the Postfix queue
3345 and schedules delivery requests.
3346
3347 This feature is available in Postfix 2.0 and later.
3348
3350 Optional lookup tables with RBL response templates. The tables are
3351 indexed by the RBL domain name. By default, Postfix uses the default
3352 template as specified with the default_rbl_reply configuration
3353 parameter. See there for a discussion of the syntax of RBL reply templates.
3354
3355 This feature is available in Postfix 2.0 and later.
3356
3358 The location of Postfix README files that describe how to build,
3359 configure or operate a specific Postfix subsystem or feature.
3360
3362 Enable or disable recipient validation, built-in content filtering, or
3363 address mapping. Typically, these are specified in master.cf as
3364 command-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
3365
3366 Specify zero or more of the following options. The options override
3367 main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
3368 pickup(8) themselves, or they are forwarded to the cleanup server.
3369
3370 no_unknown_recipient_checks
3371 Do not try to reject unknown recipients (SMTP server only).
3372 This is typically specified AFTER an external content filter.
3373
3374 no_address_mappings
3375 Disable canonical address mapping, virtual alias map expansion,
3376 address masquerading, and automatic BCC (blind carbon-copy)
recipients. This is typically specified BEFORE an external content
filter.
3379
3380 no_header_body_checks
3381 Disable header/body_checks. This is typically specified AFTER an
3382 external content filter.
3383
3384 no_milters
3385 Disable Milter (mail filter) applications. This is typically
3386 specified AFTER an external content filter.
3387
3388 Note: when the "BEFORE content filter" receive_override_options setting
3389 is specified in the main.cf file, specify the "AFTER content filter"
3390 receive_override_options setting in master.cf (and vice versa).
3391
3392 Examples:
3393
3394 receive_override_options =
3395 no_unknown_recipient_checks, no_header_body_checks
3396 receive_override_options = no_address_mappings
3397
3398 This feature is available in Postfix 2.1 and later.
3399
3401 Optional BCC (blind carbon-copy) address lookup tables, indexed by
recipient address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix.
3404
3405 This feature is available in Postfix 2.1 and later.
3406
3407 The table search order is as follows:
3408
3409 · Look up the "user+extension@domain.tld" address including the
3410 optional address extension.
3411
3412 · Look up the "user@domain.tld" address without the optional
3413 address extension.
3414
· Look up the "user+extension" address local part when the
recipient domain equals $myorigin, $mydestination, $inet_interfaces
or $proxy_interfaces.
3418
3419 · Look up the "user" address local part when the recipient domain
3420 equals $myorigin, $mydestination, $inet_interfaces or
3421 $proxy_interfaces.
3422
3423 · Look up the "@domain.tld" part.
3424
3425 Specify the types and names of databases to use. After change, run
3426 "postmap /etc/postfix/recipient_bcc".
3427
3428 Note: if mail to the BCC address bounces it will be returned to the
3429 sender.
3430
3431 Note: automatic BCC recipients are produced only for new mail. To
3432 avoid mailer loops, automatic BCC recipients are not generated for mail
3433 that Postfix forwards internally, nor for mail that Postfix generates
3434 itself.
3435
3436 Example:
3437
3438 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
3439
3441 What addresses are subject to recipient_canonical_maps address mapping.
3442 By default, recipient_canonical_maps address mapping is applied to
3443 envelope recipient addresses, and to header recipient addresses.
3444
3445 Specify one or more of: envelope_recipient, header_recipient
3446
3447 This feature is available in Postfix 2.2 and later.
3448
Optional address mapping lookup tables for envelope and header
recipient addresses. The table format and lookups are documented in
canonical(5).
3453
3454 Note: $recipient_canonical_maps is processed before $canonical_maps.
3455
3456 Example:
3457
3458 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
3459
3461 The separator between user names and address extensions (user+foo).
3462 See canonical(5), local(8), relocated(5) and virtual(5) for the effects
3463 this has on aliases, canonical, virtual, relocated and on .forward file
3464 lookups. Basically, the software tries user+foo and .forward+foo
3465 before trying user and .forward.
3466
3467 Example:
3468
3469 recipient_delimiter = +
3470
3472 The numerical Postfix SMTP server response code when a remote SMTP
3473 client request is rejected by the "reject" restriction.
3474
3475 Do not change this unless you have a complete understanding of RFC 821.
3476
The list of remote SMTP client certificates for which the Postfix SMTP
server will allow access with the permit_tls_clientcerts feature. This
feature does not use certificate names, because Postfix list
manipulation routines treat whitespace and some other characters as
special. Instead we use certificate fingerprints as they are difficult
to fake but easy to use for lookup.
3484
Postfix lookup tables are in the form of (key, value) pairs. Since we
only need the key, the value can be chosen freely, e.g. the name of
the user or host:

    D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
3489
3490 Example:
3491
3492 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
3493
For more fine-grained control, use check_ccert_access to select an
appropriate access(5) policy for each client. See
RESTRICTION_CLASS_README.
3497
3498 This feature is available with Postfix version 2.2.
3499
3501 rency_limit)
3502 The maximal number of parallel deliveries to the same destination via
3503 the relay message delivery transport. This limit is enforced by the
3504 queue manager. The message delivery transport name is the first field
3505 in the entry in the master.cf file.
3506
3507 This feature is available in Postfix 2.0 and later.
3508
3510 ent_limit)
3511 The maximal number of recipients per delivery via the relay message
3512 delivery transport. This limit is enforced by the queue manager. The
3513 message delivery transport name is the first field in the entry in the
3514 master.cf file.
3515
3516 Setting this parameter to a value of 1 changes the meaning of
3517 relay_destination_concurrency_limit from concurrency per domain into
3518 concurrency per recipient.
3519
3520 This feature is available in Postfix 2.0 and later.
3521
What destination domains (and subdomains thereof) this system will
relay mail to. Subdomain matching is controlled with the
parent_domain_matches_subdomains parameter. For details about how the
relay_domains value is used, see the description of the
permit_auth_destination and reject_unauth_destination SMTP recipient
restrictions.
3529
Domains that match $relay_domains are delivered with the
$relay_transport mail delivery transport. The SMTP server validates
recipient addresses with $relay_recipient_maps and rejects non-existent
recipients. See also the relay domains address class in the
ADDRESS_CLASS_README file.
3535
Note: Postfix will not automatically forward mail for domains that list
this system as their primary or backup MX host. See the
permit_mx_backup restriction in the postconf(5) manual page.
3539
3540 Specify a list of host or domain names, "/file/name" patterns or
3541 "type:table" lookup tables, separated by commas and/or whitespace.
3542 Continue long lines by starting the next line with whitespace. A
3543 "/file/name" pattern is replaced by its contents; a "type:table" lookup
3544 table is matched when a (parent) domain appears as lookup key. Specify
3545 "!pattern" to exclude a domain from the list. The form "!/file/name" is
3546 supported only in Postfix version 2.4 and later.
3547
3549 The numerical Postfix SMTP server response code when a client request
3550 is rejected by the reject_unauth_destination recipient restriction.
3551
3552 Do not change this unless you have a complete understanding of RFC 821.
3553
3555 Optional lookup tables with all valid addresses in the domains that
3556 match $relay_domains. Specify @domain as a wild-card for domains that
3557 have no valid recipient list, and become a source of backscatter mail:
Postfix accepts spam for non-existent recipients and then floods
innocent people with undeliverable mail. Technically, tables listed with
3560 $relay_recipient_maps are used as lists: Postfix needs to know only if
3561 a lookup string is found or not, but it does not use the result from
3562 table lookup.
3563
3564 If this parameter is non-empty, then the Postfix SMTP server will
3565 reject mail to unknown relay users. This feature is off by default.
3566
3567 See also the relay domains address class in the ADDRESS_CLASS_README
3568 file.
3569
3570 Example:
3571
3572 relay_recipient_maps = hash:/etc/postfix/relay_recipients
3573
3574 This feature is available in Postfix 2.0 and later.
3575
3577 The default mail delivery transport and next-hop destination for remote
3578 delivery to domains listed with $relay_domains. In order of decreasing
3579 precedence, the nexthop destination is taken from $relay_transport,
3580 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
3581 domain. This information can be overruled with the transport(5) table.
3582
3583 Specify a string of the form transport:nexthop, where transport is the
3584 name of a mail delivery transport defined in master.cf. The :nexthop
3585 part is optional. For more details see the transport(5) manual page.
3586
3587 See also the relay domains address class in the ADDRESS_CLASS_README
3588 file.
3589
3590 This feature is available in Postfix 2.0 and later.
3591
The next-hop destination of non-local mail; overrides non-local domains
in recipient addresses. This information is overruled with
relay_transport, default_transport, sender_dependent_relayhost_maps and
with the transport(5) table.
3597
On an intranet, specify the organizational domain name. If your
internal DNS uses no MX records, specify the name of the intranet
gateway host instead.
3601
In the case of SMTP, specify a domain name, hostname, hostname:port,
[hostname]:port, [hostaddress] or [hostaddress]:port. The form
[hostname] turns off MX lookups.
3605
3606 If you're connected via UUCP, see the UUCP_README file for useful
3607 information.
3608
3609 Examples:
3610
3611 relayhost = $mydomain
3612 relayhost = [gateway.my.domain]
3613 relayhost = uucphost
3614 relayhost = [an.ip.add.ress]
3615
Optional lookup tables with new contact information for users or
domains that no longer exist. The table format and lookups are
documented in relocated(5).
3620
3621 If you use this feature, run "postmap /etc/postfix/relocated" to build
3622 the necessary DBM or DB file after change, then "postfix reload" to
3623 make the changes visible.
3624
3625 Examples:
3626
3627 relocated_maps = dbm:/etc/postfix/relocated
3628 relocated_maps = hash:/etc/postfix/relocated
3629
Don't rewrite message headers from remote clients at all when this
parameter is empty; otherwise, rewrite message headers and append the
specified domain name to incomplete addresses. The
local_header_rewrite_clients parameter controls what clients Postfix
considers local.
3635
3636 Examples:
3637
3638 The safe setting: append "domain.invalid" to incomplete header
3639 addresses from remote SMTP clients, so that those addresses cannot be
3640 confused with local addresses.
3641
3642 remote_header_rewrite_domain = domain.invalid
3643
3644 The default, purist, setting: don't rewrite headers from remote clients
3645 at all.
3646
3647 remote_header_rewrite_domain =
3648
3650 Whether or not a local(8) recipient's home directory must exist before
3651 mail delivery is attempted. By default this test is disabled. It can
3652 be useful for environments that import home directories to the mail
3653 server (NOT RECOMMENDED).
3654
3656 Resolve a recipient address safely instead of correctly, by looking
3657 inside quotes.
3658
By default, the Postfix address resolver does not quote the address
localpart as per RFC 822, so that additional @ or % or ! operators
remain visible. This behavior is safe but it is also technically
incorrect.
3663
3664 If you specify "resolve_dequoted_address = no", then the Postfix
3665 resolver will not know about additional @ etc. operators in the address
3666 localpart. This opens opportunities for obscure mail relay attacks with
3667 user@domain@domain addresses when Postfix provides backup MX service
3668 for Sendmail systems.
3669
3671 Resolve an address that ends in the "@" null domain as if the local
3672 hostname were specified, instead of rejecting the address as invalid.
3673
3674 This feature is available in Postfix 2.1 and later. Earlier versions
3675 always resolve the null domain as the local hostname.
3676
The Postfix SMTP server uses this feature to reject mail from or to
addresses that end in the "@" null domain, and from addresses that
rewrite into a form that ends in the "@" null domain.
3680
3682 Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
3683 the address as invalid.
3684
3685 This feature is available in Postfix 2.3 and later.
3686
3688 The name of the address rewriting service. This service rewrites
3689 addresses to standard form and resolves them to a (delivery method,
3690 next-hop host, recipient) triple.
3691
3692 This feature is available in Postfix 2.0 and later.
3693
3695 The name of the directory with example Postfix configuration files.
3696
3698 When authenticating to a remote SMTP or LMTP server with the default
3699 setting "no", send no SASL authoriZation ID (authzid); send only the
3700 SASL authentiCation ID (authcid) plus the authcid's password.
3701
3702 The non-default setting "yes" enables the behavior of older Postfix
3703 versions. These always send a SASL authzid that is equal to the SASL
3704 authcid, but this causes inter-operability problems with some SMTP
3705 servers.
3706
3707 This feature is available in Postfix 2.4.4 and later.
3708
This parameter should not be used. It was replaced by
sender_dependent_relayhost_maps in Postfix version 2.3.
3712
3714 Optional BCC (blind carbon-copy) address lookup tables, indexed by
3715 sender address. The BCC address (multiple results are not supported)
3716 is added when mail enters from outside of Postfix.
3717
3718 This feature is available in Postfix 2.1 and later.
3719
3720 The table search order is as follows:
3721
3722 · Look up the "user+extension@domain.tld" address including the
3723 optional address extension.
3724
3725 · Look up the "user@domain.tld" address without the optional
3726 address extension.
3727
3728 · Look up the "user+extension" address local part when the sender
3729 domain equals $myorigin, $mydestination, $inet_interfaces or
3730 $proxy_interfaces.
3731
3732 · Look up the "user" address local part when the sender domain
3733 equals $myorigin, $mydestination, $inet_interfaces or
3734 $proxy_interfaces.
3735
3736 · Look up the "@domain.tld" part.
3737
3738 Specify the types and names of databases to use. After change, run
3739 "postmap /etc/postfix/sender_bcc".
3740
3741 Note: if mail to the BCC address bounces it will be returned to the
3742 sender.
3743
3744 Note: automatic BCC recipients are produced only for new mail. To
3745 avoid mailer loops, automatic BCC recipients are not generated for mail
3746 that Postfix forwards internally, nor for mail that Postfix generates
3747 itself.
3748
3749 Example:
3750
3751 sender_bcc_maps = hash:/etc/postfix/sender_bcc
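
The table search order given above for recipient_bcc_maps and for
sender_bcc_maps, modelled in Python as an added example (this is not
Postfix code). The table contents, the set of local domains and the
addresses are constructed; the "+" delimiter is the recipient_delimiter
example shown on this page.

```python
# Added example, not Postfix code: the lookup order that this page gives
# for recipient_bcc_maps and sender_bcc_maps, applied to an in-memory
# table. Table contents, domain names and addresses are constructed.

RECIPIENT_DELIMITER = "+"   # the recipient_delimiter example on this page

# Domains for which the bare local part is also tried; the page lists
# $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces.
# This constructed set stands in for those parameter values.
LOCAL_DOMAINS = {"example.org", "mail.example.org"}

# Constructed stand-in for hash:/etc/postfix/sender_bcc (key -> BCC address).
SENDER_BCC_TABLE = {
    "alice+invoices@example.org": "invoice-archive@example.org",
    "alice@example.org": "alice-archive@example.org",
    "bob+foo": "bob-archive@example.org",
    "carol": "carol-archive@example.org",
    "@partner.example": "partner-archive@example.org",
}


def split_address(address):
    """Return (user, extension, domain); extension and domain are '' when
    absent. Splits on the last '@' and on the first recipient_delimiter."""
    localpart, sep, domain = address.rpartition("@")
    if not sep:
        localpart, domain = address, ""
    user, _, extension = localpart.partition(RECIPIENT_DELIMITER)
    return user, extension, domain


def lookup_keys(address, local_domains=LOCAL_DOMAINS):
    """The keys tried, in the order this page lists them: user+ext@domain,
    user@domain, then (local domains only) user+ext and user, and finally
    @domain. Keys that need an extension are skipped when there is none."""
    user, extension, domain = split_address(address)
    keys = []
    if extension:
        keys.append(f"{user}{RECIPIENT_DELIMITER}{extension}@{domain}")
    keys.append(f"{user}@{domain}")
    if domain in local_domains:
        if extension:
            keys.append(f"{user}{RECIPIENT_DELIMITER}{extension}")
        keys.append(user)
    keys.append(f"@{domain}")
    return keys


def bcc_lookup(table, address, local_domains=LOCAL_DOMAINS):
    """First matching table value, or None. Exactly one BCC address can
    result; the page notes that multiple results are not supported."""
    for key in lookup_keys(address, local_domains):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for addr in ("alice+invoices@example.org", "bob+foo@partner.example",
                 "dave@other.example"):
        print(addr, "->", bcc_lookup(SENDER_BCC_TABLE, addr))
```

Note that "bob+foo@partner.example" is not matched by the "bob+foo" entry,
because the local-part keys are only tried for the local domains.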
3752
What addresses are subject to sender_canonical_maps address mapping.
By default, sender_canonical_maps address mapping is applied to
envelope sender addresses, and to header sender addresses.
3757
3758 Specify one or more of: envelope_sender, header_sender
3759
3760 This feature is available in Postfix 2.2 and later.
3761
Optional address mapping lookup tables for envelope and header sender
addresses. The table format and lookups are documented in
canonical(5).
3766
Example: you want to rewrite the SENDER address "user@ugly.domain" to
"user@pretty.domain", while still being able to send mail to the
RECIPIENT address "user@ugly.domain".
3770
3771 Note: $sender_canonical_maps is processed before $canonical_maps.
3772
3773 Example:
3774
3775 sender_canonical_maps = hash:/etc/postfix/sender_canonical
3776
3778 A sender-dependent override for the global relayhost parameter setting.
3779 The tables are searched by the envelope sender address and @domain.
3780 This information is overruled with relay_transport, default_transport
3781 and with the transport(5) table.
3782
3783 For safety reasons, this feature does not allow $number substitutions
3784 in regular expression maps.
3785
3786 This feature is available in Postfix 2.3 and later.
3787
3789 A Sendmail compatibility feature that specifies the location of the
3790 Postfix sendmail(1) command. This command can be used to submit mail
3791 into the Postfix queue.
3792
3794 How long the Postfix master(8) waits before forking a server that
3795 appears to be malfunctioning.
3796
3797 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3798 The default time unit is s (seconds).
3799
The group ownership of set-gid Postfix commands and of group-writable
Postfix directories. When this parameter value is changed you need to
re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
"/etc/postfix/post-install set-permissions").
3805
Display the name of the recipient table in the "User unknown"
responses. The extra detail makes troubleshooting easier but also
reveals information that is nobody else's business.
3810
3811 This feature is available in Postfix 2.0 and later.
3812
The name of the showq(8) service. This service produces mail queue
status reports.
3816
3817 This feature is available in Postfix 2.0 and later.
3818
3820 Always send EHLO at the start of an SMTP session.
3821
3822 With "smtp_always_send_ehlo = no", Postfix sends EHLO only when the
3823 word "ESMTP" appears in the server greeting banner (example: 220
3824 spike.porcupine.org ESMTP Postfix).
3825
3827 An optional numerical network address that the Postfix SMTP client
3828 should bind to when making an IPv4 connection.
3829
This can be specified in the main.cf file for all SMTP clients, or it
can be specified in the master.cf file for a specific client, for
example:
3833
3834 /etc/postfix/master.cf:
3835 smtp ... smtp -o smtp_bind_address=11.22.33.44
3836
3837 Note 1: when inet_interfaces specifies no more than one IPv4 address,
3838 and that address is a non-loopback address, it is automatically used as
3839 the smtp_bind_address. This supports virtual IP hosting, but can be a
3840 problem on multi-homed firewalls. See the inet_interfaces documentation
3841 for more detail.
3842
3843 Note 2: address information may be enclosed inside [], but this form is
3844 not required here.
3845
3847 An optional numerical network address that the Postfix SMTP client
3848 should bind to when making an IPv6 connection.
3849
3850 This feature is available in Postfix 2.2 and later.
3851
This can be specified in the main.cf file for all SMTP clients, or it
can be specified in the master.cf file for a specific client, for
example:
3855
3856 /etc/postfix/master.cf:
3857 smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
3858
3859 Note 1: when inet_interfaces specifies no more than one IPv6 address,
3860 and that address is a non-loopback address, it is automatically used as
3861 the smtp_bind_address6. This supports virtual IP hosting, but can be a
3862 problem on multi-homed firewalls. See the inet_interfaces documentation
3863 for more detail.
3864
3865 Note 2: address information may be enclosed inside [], but this form is
3866 not recommended here.
3867
Allow DNS CNAME records to override the servername that the Postfix
SMTP client uses for logging, SASL password lookup, TLS policy
decisions, or TLS certificate verification. The value "no" hardens
Postfix smtp_tls_per_site hostname-based policies against false
hostname information in DNS CNAME records, and makes SASL password file
lookups more predictable. This is the default setting as of Postfix 2.3.
3875
3876 This feature is available in Postfix 2.2.9 and later.
3877
3879 The SMTP client time limit for completing a TCP connection, or zero
3880 (use the operating system built-in time limit).
3881
3882 When no connection can be made within the deadline, the Postfix SMTP
3883 client tries the next address on the mail exchanger list. Specify 0 to
3884 disable the time limit (i.e. use whatever timeout is implemented by the
3885 operating system).
3886
3887 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3888 The default time unit is s (seconds).
3889
Permanently enable SMTP connection caching for the specified
destinations. With SMTP connection caching, a connection is not closed
immediately after completion of a mail transaction. Instead, the
connection is kept open for up to $smtp_connection_cache_time_limit
seconds. This allows connections to be reused for other deliveries, and
can improve mail delivery performance.
3897
3898 Specify a comma or white space separated list of destinations or
3899 pseudo-destinations:
3900
3901 · if mail is sent without a relay host: a domain name (the right-
3902 hand side of an email address, without the [] around a numeric
3903 IP address),
3904
3905 · if mail is sent via a relay host: a relay host name (without []
3906 or non-default TCP port), as specified in main.cf or in the
3907 transport map,
3908
3909 · if mail is sent via a UNIX-domain socket: a pathname (without
3910 the unix: prefix),
3911
3912 · a /file/name with domain names and/or relay host names as
3913 defined above,
3914
3915 · a "type:table" with domain names and/or relay hosts name on the
3916 left-hand side. The right-hand side result from "type:table"
3917 lookups is ignored.
3918
3919 This feature is available in Postfix 2.2 and later.
3920
Temporarily enable SMTP connection caching while a destination has a
high volume of mail in the active queue. With SMTP connection caching,
a connection is not closed immediately after completion of a mail
transaction. Instead, the connection is kept open for up to
$smtp_connection_cache_time_limit seconds. This allows connections to
be reused for other deliveries, and can improve mail delivery
performance.
3928
3929 This feature is available in Postfix 2.2 and later.
3930
3932 When SMTP connection caching is enabled, the number of times that an
3933 SMTP session may be reused before it is closed.
3934
3935 This feature is available in Postfix 2.2. In Postfix 2.3 it is replaced
3936 by $smtp_connection_reuse_time_limit.
3937
3939 When SMTP connection caching is enabled, the amount of time that an
3940 unused SMTP client socket is kept open before it is closed. Do not
3941 specify larger values without permission from the remote sites.
3942
3943 This feature is available in Postfix 2.2 and later.
3944
3946 The amount of time during which Postfix will use an SMTP connection
3947 repeatedly. The timer starts when the connection is initiated (i.e. it
3948 includes the connect, greeting and helo latency, in addition to the
3949 latencies of subsequent mail delivery transactions).
3950
3951 This feature addresses a performance stability problem with remote SMTP
3952 servers. This problem is not specific to Postfix: it can happen when
3953 any MTA sends large amounts of SMTP email to a site that has multiple
3954 MX hosts.
3955
3956 The problem starts when one of a set of MX hosts becomes slower than
3957 the rest. Even though SMTP clients connect to fast and slow MX hosts
3958 with equal probability, the slow MX host ends up with more simultaneous
3959 inbound connections than the faster MX hosts, because the slow MX host
3960 needs more time to serve each client request.
3961
3962 The slow MX host becomes a connection attractor. If one MX host
3963 becomes N times slower than the rest, it dominates mail delivery
3964 latency unless there are more than N fast MX hosts to counter the
3965 effect. And if the number of MX hosts is smaller than N, the mail
3966 delivery latency becomes effectively that of the slowest MX host
3967 divided by the total number of MX hosts.
3968
The solution uses connection caching in a way that differs from Postfix
version 2.2. By limiting the amount of time during which a connection
can be used repeatedly (instead of limiting the number of deliveries
over that connection), Postfix not only restores fairness in the
distribution of simultaneous connections across a set of MX hosts, it
also favors deliveries over connections that perform well, which is
exactly what we want.
3976
3977 The default reuse time limit, 300s, is comparable to the various smtp
3978 transaction timeouts which are fair estimates of maximum excess latency
3979 for a slow delivery. Note that hosts may accept thousands of messages
3980 over a single connection within the default connection reuse time
3981 limit. This number is much larger than the default Postfix version 2.2
3982 limit of 10 messages per cached connection. It may prove necessary to
3983 lower the limit to avoid interoperability issues with MTAs that exhibit
3984 bugs when many messages are delivered via a single connection. A lower
3985 reuse time limit risks losing the benefit of connection reuse when the
3986 average connection and mail delivery latency exceeds the reuse time
3987 limit.
3988
3989 This feature is available in Postfix 2.3 and later.
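
The "connection attractor" argument above, worked through in a small
deterministic model as an added example (this is not Postfix code). A
single delivery slot walks the MX hosts in turn, once opening a fresh
connection per delivery and once reusing a connection for up to the
reuse time limit; the per-delivery service times and the observation
window are constructed, the 300s limit is the default named above.

```python
# Added example, not Postfix code: a deterministic model of the "slow MX
# host as connection attractor" argument on this page. One delivery slot
# walks the MX hosts round-robin, comparing a fresh connection per
# delivery with a connection reused for up to
# smtp_connection_reuse_time_limit seconds.

SERVICE_TIMES = [1, 1, 1, 10]   # constructed: three fast hosts, one 10x slower
HORIZON = 1200                  # constructed observation window, seconds
REUSE_TIME_LIMIT = 300          # the default reuse time limit named above


def per_delivery_connections(service_times, horizon):
    """Open a new connection for every delivery, choosing hosts in turn.
    Returns (deliveries, seconds the slot spent connected to each host)."""
    n = len(service_times)
    busy = [0] * n
    deliveries = 0
    now = 0
    host = 0
    while now + service_times[host] <= horizon:
        now += service_times[host]
        busy[host] += service_times[host]
        deliveries += 1
        host = (host + 1) % n
    return deliveries, busy


def time_limited_reuse(service_times, horizon, reuse_limit):
    """Keep delivering over a connection while it is younger than
    reuse_limit (the timer starts at connect, as the page states), then
    move on to the next host. Returns (deliveries, busy seconds per host)."""
    if reuse_limit <= 0:
        raise ValueError("reuse_limit must be positive")
    n = len(service_times)
    busy = [0] * n
    deliveries = 0
    now = 0
    host = 0
    while now + service_times[host] <= horizon:
        opened = now
        # A further delivery starts over this connection as long as the
        # connection's age is still below the reuse time limit.
        while (now - opened < reuse_limit
               and now + service_times[host] <= horizon):
            now += service_times[host]
            busy[host] += service_times[host]
            deliveries += 1
        host = (host + 1) % n
    return deliveries, busy


def connection_share(busy):
    """Fraction of the slot's connected time spent on each host."""
    total = sum(busy)
    return [b / total for b in busy]


if __name__ == "__main__":
    runs = (("new connection per delivery",
             per_delivery_connections(SERVICE_TIMES, HORIZON)),
            (f"reuse for up to {REUSE_TIME_LIMIT}s",
             time_limited_reuse(SERVICE_TIMES, HORIZON, REUSE_TIME_LIMIT)))
    for name, (deliveries, busy) in runs:
        shares = [round(s, 2) for s in connection_share(busy)]
        print(f"{name}: {deliveries} deliveries, connected-time share {shares}")
```

With these constructed numbers the per-delivery policy spends about 77%
of its connected time on the slow host and completes 371 deliveries in
the window (about 3.2s each, close to the slowest host's 10s divided by
the four hosts), while time-limited reuse gives every host the same 25%
and completes 930.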
3990
3992 The SMTP client time limit for sending the SMTP ".", and for receiving
3993 the server response.
3994
3995 When no response is received within the deadline, a warning is logged
3996 that the mail may be delivered multiple times.
3997
3998 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3999 The default time unit is s (seconds).
4000
4002 The SMTP client time limit for sending the SMTP DATA command, and for
4003 receiving the server response.
4004
4005 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4006 The default time unit is s (seconds).
4007
4009 The SMTP client time limit for sending the SMTP message content. When
4010 the connection makes no progress for more than $smtp_data_xfer_timeout
4011 seconds the Postfix SMTP client terminates the transfer.
4012
4013 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4014 The default time unit is s (seconds).
4015
4017 Defer mail delivery when no MX record resolves to an IP address.
4018
4019 The default (no) is to return the mail as undeliverable. With older
4020 Postfix versions the default was to keep trying to deliver the mail
4021 until someone fixed the MX record or until the mail was too old.
4022
4023 Note: Postfix always ignores MX records with equal or worse preference
4024 than the local MTA itself.
4025
4026 This feature is available in Postfix 2.1 and later.
4027
4029 rency_limit)
4030 The maximal number of parallel deliveries to the same destination via
4031 the smtp message delivery transport. This limit is enforced by the
4032 queue manager. The message delivery transport name is the first field
4033 in the entry in the master.cf file.
4034
4036 ent_limit)
4037 The maximal number of recipients per delivery via the smtp message
4038 delivery transport. This limit is enforced by the queue manager. The
4039 message delivery transport name is the first field in the entry in the
4040 master.cf file.
4041
Setting this parameter to a value of 1 changes the meaning of
smtp_destination_concurrency_limit from concurrency per domain into
concurrency per recipient.
4045
Lookup tables, indexed by the remote SMTP server address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix SMTP client will ignore in the EHLO response from a
remote SMTP server. See smtp_discard_ehlo_keywords for details. The
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps.
4053
4054 This feature is available in Postfix 2.2 and later.
4055
4057 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
4058 etc.) that the Postfix SMTP client will ignore in the EHLO response
4059 from a remote SMTP server.
4060
4061 This feature is available in Postfix 2.2 and later.
4062
4063 Notes:
4064
4065 · Specify the silent-discard pseudo keyword to prevent this action
4066 from being logged.
4067
· Use the smtp_discard_ehlo_keyword_address_maps feature to
discard EHLO keywords selectively.
4070
Enforcement mode: require that remote SMTP servers use TLS encryption,
and never send mail in the clear. This also requires that the remote
SMTP server hostname matches the information in the remote server
certificate, and that the remote SMTP server certificate was issued by
a CA that is trusted by the Postfix SMTP client. If the certificate
doesn't verify or the hostname doesn't match, delivery is deferred and
mail stays in the queue.
4079
The server hostname is matched against all names provided as dNSNames
in the SubjectAlternativeName. If no dNSNames are specified, the
CommonName is checked. The behavior may be changed with the
smtp_tls_enforce_peername option.
4084
4085 This option is useful only if you are definitely sure that you will
4086 only connect to servers that support RFC 2487 _and_ that provide valid
4087 server certificates. Typical use is for clients that send all their
4088 email to a dedicated mailhub.
4089
4090 This feature is available in Postfix 2.2 and later. With Postfix 2.3
4091 and later use smtp_tls_security_level instead.
4092
4094 Optional list of relay hosts for SMTP destinations that can't be found
4095 or that are unreachable. With Postfix 2.2 and earlier this parameter is
4096 called fallback_relay.
4097
4098 By default, mail is returned to the sender when a destination is not
4099 found, and delivery is deferred when a destination is unreachable.
4100
The fallback relays must be SMTP destinations. Specify a domain, host,
host:port, [host]:port, [address] or [address]:port; the form [host]
turns off MX lookups. If you specify multiple SMTP destinations,
Postfix will try them in the specified order.
4105
4106 To prevent mailer loops between MX hosts and fall-back hosts, Postfix
4107 version 2.3 and later will not use the smtp_fallback_relay feature for
4108 destinations that it is MX host for.
4109
4111 Optional lookup tables that perform address rewriting in the SMTP
4112 client, typically to transform a locally valid address into a globally
4113 valid address when sending mail across the Internet. This is needed
4114 when the local machine does not have its own Internet domain name, but
4115 uses something like localdomain.local instead.
4116
4117 The table format and lookups are documented in generic(5); examples are
4118 shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
4119 documents.
4120
4121 This feature is available in Postfix 2.2 and later.
4122
4124 The hostname to send in the SMTP EHLO or HELO command.
4125
4126 The default value is the machine hostname. Specify a hostname or
4127 [ip.add.re.ss].
4128
4129 This information can be specified in the main.cf file for all SMTP
4130 clients, or it can be specified in the master.cf file for a specific
4131 client, for example:
4132
4133 /etc/postfix/master.cf:
4134 mysmtp ... smtp -o smtp_helo_name=foo.bar.com
4135
4136 This feature is available in Postfix 2.0 and later.
4137
4139 The SMTP client time limit for sending the HELO or EHLO command, and
4140 for receiving the initial server response.
4141
4142 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4143 The default time unit is s (seconds).
4144
What mechanisms the Postfix SMTP client uses to look up a host's IP
address. This parameter is ignored when DNS lookups are disabled.
4148
4149 Specify one of the following:
4150
4151 dns Hosts can be found in the DNS (preferred).
4152
4153 native Use the native naming service only (nsswitch.conf, or equivalent
4154 mechanism).
4155
4156 dns, native
4157 Use the native service for hosts not found in the DNS.
4158
4159 This feature is available in Postfix 2.1 and later.
4160
4162 The maximal length of message header and body lines that Postfix will
4163 send via SMTP. Longer lines are broken by inserting "<CR><LF><SPACE>".
4164 This minimizes the damage to MIME formatted mail.
4165
4166 By default, the line length is limited to 990 characters, because some
4167 server implementations cannot receive mail with long lines.
4168
4170 The SMTP client time limit for sending the MAIL FROM command, and for
4171 receiving the server response.
4172
4173 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4174 The default time unit is s (seconds).
4175
4177 The maximal number of MX (mail exchanger) IP addresses that can result
4178 from mail exchanger lookups, or zero (no limit). Prior to Postfix ver‐
4179 sion 2.3, this limit was disabled by default.
4180
4181 This feature is available in Postfix 2.1 and later.
4182
4184 The maximal number of SMTP sessions per delivery request before giving
4185 up or delivering to a fall-back relay host, or zero (no limit). This
4186 restriction ignores sessions that fail to complete the SMTP initial
4187 handshake (Postfix version 2.2 and earlier) or that fail to complete
4188 the EHLO and TLS handshake (Postfix version 2.3 and later).
4189
4190 This feature is available in Postfix 2.1 and later.
4191
4193 Never send EHLO at the start of an SMTP session. See also the
4194 smtp_always_send_ehlo parameter.
4195
4197 How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
4198 order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
4199
4200 Choosing a too short time makes this workaround ineffective when send‐
4201 ing large messages over slow network connections.
4202
4204 Lookup tables, indexed by the remote SMTP server address, with per-des‐
4205 tination workarounds for CISCO PIX firewall bugs. The table is not
4206 indexed by hostname for consistency with smtp_discard_ehlo_key‐
4207 word_address_maps.
4208
4209 This feature is available in Postfix 2.4 and later.
4210
4212 How long a message must be queued before the Postfix SMTP client turns
4213 on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
4214 through firewalls with "smtp fixup" mode turned on.
4215
4216 By default, the workaround is turned off for mail that is queued for
4217 less than 500 seconds. In other words, the workaround is normally
4218 turned off for the first delivery attempt.
4219
4220 Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
4221 upon the first delivery attempt.
4222
4224 A list that specifies zero or more workarounds for CISCO PIX firewall
4225 bugs. These workarounds are implemented by the Postfix SMTP client.
4226 Workaround names are separated by comma or space, and are case insensi‐
4227 tive. This parameter setting can be overruled with per-destination
4228 smtp_pix_workaround_maps settings.
4229
4230 delay_dotcrlf
4231 Insert a delay before sending ".<CR><LF>" after the end of the
4232 message content. The delay is subject to the smtp_pix_work‐
4233 around_delay_time and smtp_pix_workaround_threshold_time parame‐
4234 ter settings.
4235
4236 disable_esmtp
4237 Disable all extended SMTP commands: send HELO instead of EHLO.
4238
4239 This feature is available in Postfix 2.4 and later. The default set‐
4240 tings are backwards compatible with earlier Postfix versions.
4241
4243 The SMTP client time limit for sending the QUIT command, and for
4244 receiving the server response.
4245
4246 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4247 The default time unit is s (seconds).
4248
4250 Quote addresses in SMTP MAIL FROM and RCPT TO commands as required by
4251 RFC 821. This includes putting quotes around an address localpart that
4252 ends in ".".
4253
4254 The default is to comply with RFC 821. If you have to send mail to a
4255 broken SMTP server, configure a special SMTP client in master.cf:
4256
4257 /etc/postfix/master.cf:
4258 broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
4259
4260 and route mail for the destination in question to the "broken-smtp"
4261 message delivery with a transport(5) table.
4262
4263 This feature is available in Postfix 2.1 and later.
4264
4266 Randomize the order of equal-preference MX host addresses. This is a
4267 performance feature of the Postfix SMTP client.
4268
4270 The SMTP client time limit for sending the SMTP RCPT TO command, and
4271 for receiving the server response.
4272
4273 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4274 The default time unit is s (seconds).
4275
4277 The SMTP client time limit for sending the RSET command, and for
4278 receiving the server response. The SMTP client sends RSET in order to
4279 finish a recipient address probe, or to verify that a cached session is
4280 still usable.
4281
4282 This feature is available in Postfix 2.1 and later.
4283
4285 Enable SASL authentication in the Postfix SMTP client. By default, the
4286 Postfix SMTP client uses no authentication.
4287
4288 Example:
4289
4290 smtp_sasl_auth_enable = yes
4291
4293 If non-empty, a Postfix SMTP client filter for the remote SMTP server's
4294 list of offered SASL mechanisms. Different client and server implemen‐
4295 tations may support different mechanism lists. By default, the Postfix
4296 SMTP client will use the intersection of the two. smtp_sasl_mecha‐
4297 nism_filter further restricts what server mechanisms the client will
4298 take into consideration.
4299
4300 Specify mechanism names, "/file/name" patterns or "type:table" lookup
4301 tables. The right-hand side result from "type:table" lookups is
4302 ignored. Specify "!pattern" to exclude a mechanism name from the list.
4303 The form "!/file/name" is supported only in Postfix version 2.4 and
4304 later.
4305
4306 This feature is available in Postfix 2.2 and later.
4307
4308 Examples:
4309
4310 smtp_sasl_mechanism_filter = plain, login
4311 smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
4312 smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
4313
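The following Python snippet is an added example, not part of postconf(5)
or of the Postfix source. It models how the three example settings above
narrow the mechanism list: first the intersection of what the server
offers and what the client supports, then the filter. The matching
semantics are assumptions, not stated on this page: patterns are tried in
the order given and the first match decides, "static:..." is treated as a
catch-all table that matches every mechanism, and "/file/name" patterns
are not modelled.

```python
"""Model of smtp_sasl_mechanism_filter (added example, not Postfix code).
Assumptions: first matching pattern decides; "static:..." matches
everything; "/file/name" patterns are not modelled."""


def parse_filter(setting: str) -> list:
    """Split a main.cf value on commas and whitespace, keeping order."""
    return setting.replace(",", " ").split()


def mechanism_allowed(mech: str, patterns: list) -> bool:
    """Return True if the filter lets this mechanism through."""
    mech = mech.lower()
    for pat in patterns:
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        if body.lower().startswith("static:"):
            matched = True                  # assumption: catch-all lookup table
        else:
            matched = body.lower() == mech  # mechanism names compare case-insensitively
        if matched:
            return not negate               # "!pattern" excludes the mechanism
    return False                            # nothing matched: mechanism not used


def client_mechanisms(server_offered, client_supported=None, filter_setting=""):
    """Mechanisms the client will try, in the order the server listed them."""
    mechs = [m.upper() for m in server_offered]
    if client_supported is not None:        # "intersection of the two"
        supported = {m.upper() for m in client_supported}
        mechs = [m for m in mechs if m in supported]
    if not filter_setting.strip():          # empty filter: no further restriction
        return mechs
    patterns = parse_filter(filter_setting)
    return [m for m in mechs if mechanism_allowed(m, patterns)]


if __name__ == "__main__":
    # Constructed EHLO response: the server's AUTH line lists these mechanisms.
    offered = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "LOGIN"]
    for setting in ("", "plain, login", "!gssapi, !login, static:rest"):
        print(f"{setting!r:35} -> {client_mechanisms(offered, filter_setting=setting)}")
```

Running it shows why the third example on the page is the usual way to
keep everything except a few named mechanisms: without the trailing
catch-all, a filter made only of "!name" entries would match nothing and
leave the client with no mechanism at all.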
Optional SMTP client lookup tables with one username:password entry per
remote hostname or domain, or sender address when sender-dependent
authentication is enabled. If no username:password entry is found,
then the Postfix SMTP client will not attempt to authenticate to the
remote host.

The Postfix SMTP client opens the lookup table before going to chroot
jail, so you can leave the password file in /etc/postfix.

Implementation-specific information that is passed through to the SASL
plug-in implementation that is selected with smtp_sasl_type. Typically
this specifies the name of a configuration file or rendezvous point.

This feature is available in Postfix 2.3 and later.

SASL security options; as of Postfix 2.3 the list of available features
depends on the SASL client implementation that is selected with
smtp_sasl_type.

The following security features are defined for the cyrus client SASL
implementation:

Specify zero or more of the following:

    noplaintext
           Disallow methods that use plaintext passwords.

    noactive
           Disallow methods subject to active (non-dictionary) attack.

    nodictionary
           Disallow methods subject to passive (dictionary) attack.

    noanonymous
           Disallow methods that allow anonymous authentication.

    mutual_auth
           Only allow methods that provide mutual authentication (not
           available with SASL version 1).

Example:

    smtp_sasl_security_options = noplaintext

The SASL authentication security options that the Postfix SMTP client
uses for TLS encrypted SMTP sessions.

This feature is available in Postfix 2.2 and later.

rity_options)
The SASL authentication security options that the Postfix SMTP client
uses for TLS encrypted SMTP sessions with a verified server
certificate. This feature is still under construction. It will not be
included in the Postfix 2.3 release.

This feature should be available in Postfix 2.4 and later.

The SASL plug-in type that the Postfix SMTP client should use for
authentication. The available types are listed with the "postconf -A"
command.

This feature is available in Postfix 2.3 and later.

Send the non-standard XFORWARD command when the Postfix SMTP server
EHLO response announces XFORWARD support.

This allows an "smtp" delivery agent, used for injecting mail into a
content filter, to forward the name, address, protocol and HELO name of
the original client to the content filter and downstream queuing SMTP
server. This can produce more useful logging than localhost[127.0.0.1]
etc.

This feature is available in Postfix 2.1 and later.

Enable sender-dependent authentication in the Postfix SMTP client; this
is available only with SASL authentication, and disables SMTP
connection caching to ensure that mail from different senders will use
the appropriate credentials.

This feature is available in Postfix 2.3 and later.

Skip SMTP servers that greet with a 4XX status code (go away, try again
later).

By default, Postfix moves on to the next mail exchanger. Specify
"smtp_skip_4xx_greeting = no" if Postfix should defer delivery
immediately.

This feature is available in Postfix 2.0 and earlier. Later Postfix
versions always skip SMTP servers that greet with a 4XX status code.

Skip SMTP servers that greet with a 5XX status code (go away, do not
try again later).

By default, the Postfix SMTP client moves on to the next mail
exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should
bounce the mail immediately. The default setting is incorrect, but it
is what a lot of people expect to happen.

Do not wait for the response to the SMTP QUIT command.

Time limit for Postfix SMTP client write and read operations during TLS
startup and shutdown handshake procedures.

This feature is available in Postfix 2.2 and later.

The file with the certificate of the certification authority (CA) that
issued the Postfix SMTP client certificate. This is needed only when
the CA certificate is not already present in the client certificate
file.

Example:

    smtp_tls_CAfile = /etc/postfix/CAcert.pem

This feature is available in Postfix 2.2 and later.

Directory with PEM format certificate authority certificates that the
Postfix SMTP client uses to verify a remote SMTP server certificate.
Don't forget to create the necessary "hash" links with, for example,
"$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".

To use this option in chroot mode, this directory (or a copy) must be
inside the chroot jail.

Example:

    smtp_tls_CApath = /etc/postfix/certs

This feature is available in Postfix 2.2 and later.

File with the Postfix SMTP client RSA certificate in PEM format. This
file may also contain the Postfix SMTP client private RSA key, and
these may be the same as the Postfix SMTP server RSA certificate and
key file.

Do not configure client certificates unless you must present client TLS
certificates to one or more servers. Client certificates are not
usually needed, and can cause problems in configurations that work well
without them. The recommended setting is to let the defaults stand:

    smtp_tls_cert_file =
    smtp_tls_dcert_file =
    smtp_tls_key_file =
    smtp_tls_dkey_file =

The best way to use the default settings is to comment out the above
parameters in main.cf if present.

In order to verify certificates, the CA certificate (in case of a
certificate chain, all CA certificates) must be available. You should
add these certificates to the client certificate, the client
certificate first, then the issuing CA(s).

Example: the certificate for "client.dom.ain" was issued by
"intermediate CA" which itself has a certificate of "root CA". Create
the client.pem file with "cat client_cert.pem intermediate_CA.pem
root_CA.pem > client.pem".

If you also want to verify remote SMTP server certificates issued by
these CAs, you can also add the CA certificates to the smtp_tls_CAfile,
in which case it is not necessary to have them in the
smtp_tls_cert_file or smtp_tls_dcert_file.

A certificate supplied here must be usable as an SSL client certificate
and hence pass the "openssl verify -purpose sslclient ..." test.

Example:

    smtp_tls_cert_file = /etc/postfix/client.pem

This feature is available in Postfix 2.2 and later.

Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
list. As this feature applies to all TLS security levels, it is easy to
create inter-operability problems by choosing a non-default cipher
list. Do not use a non-default TLS cipher list on hosts that deliver
email to the public Internet: you will be unable to send email to
servers that only support the ciphers you exclude. Using a restricted
cipher list may be more appropriate for an internal MTA, where one can
exert some control over the TLS software and settings of the peer
servers.

Note: do not use "" quotes around the parameter value.

This feature is available in Postfix version 2.2. It is not used with
Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.

File with the Postfix SMTP client DSA certificate in PEM format. This
file may also contain the Postfix SMTP client private DSA key.

See the discussion under smtp_tls_cert_file for more details.

Example:

    smtp_tls_dcert_file = /etc/postfix/client-dsa.pem

This feature is available in Postfix 2.2 and later.

File with the Postfix SMTP client DSA private key in PEM format. This
file may be combined with the Postfix SMTP client DSA certificate file
specified with $smtp_tls_dcert_file.

The private key must be accessible without a pass-phrase, i.e. it must
not be encrypted, but file permissions should grant read/write access
only to the system superuser account ("root").

This feature is available in Postfix 2.2 and later.

With mandatory TLS encryption, require that the remote SMTP server
hostname matches the information in the remote SMTP server certificate.
As of RFC 2487 the requirements for hostname checking for MTA clients
are not specified.

This option can be set to "no" to disable strict peer name checking.
This setting has no effect on sessions that are controlled via the
smtp_tls_per_site table.

Disabling the hostname verification can make sense in a closed
environment where special CAs are created. If not used carefully, this
option opens the danger of a "man-in-the-middle" attack (the CommonName
of this attacker will be logged).

This feature is available in Postfix 2.2 and later. With Postfix 2.3
and later use smtp_tls_security_level instead.

List of ciphers or cipher types to exclude from the Postfix SMTP client
cipher list at all TLS security levels. This is not an OpenSSL
cipherlist, it is a simple list separated by whitespace and/or commas.
The elements are a single cipher, or one or more "+" separated cipher
properties, in which case only ciphers matching all the properties are
excluded.

Examples (some of these will cause problems):

    smtp_tls_exclude_ciphers = aNULL
    smtp_tls_exclude_ciphers = MD5, DES
    smtp_tls_exclude_ciphers = DES+MD5
    smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    smtp_tls_exclude_ciphers = kEDH+aRSA

The first setting disables anonymous ciphers. The next setting disables
ciphers that use the MD5 digest algorithm or the (single) DES
encryption algorithm. The next setting disables ciphers that use MD5
and DES together. The next setting disables the two ciphers
"AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
use "EDH" key exchange with RSA authentication.

This feature is available in Postfix 2.3 and later.

File with the Postfix SMTP client RSA private key in PEM format. This
file may be combined with the Postfix SMTP client RSA certificate file
specified with $smtp_tls_cert_file.

The private key must be accessible without a pass-phrase, i.e. it must
not be encrypted, but file permissions should grant read/write access
only to the system superuser account ("root").

Example:

    smtp_tls_key_file = $smtp_tls_cert_file

This feature is available in Postfix 2.2 and later.

Enable additional Postfix SMTP client logging of TLS activity. Each
logging level also includes the information that is logged at a lower
logging level.

    0      Disable logging of TLS activity.

    1      Log TLS handshake and certificate information.

    2      Log levels during TLS negotiation.

    3      Log hexadecimal and ASCII dump of TLS negotiation process.

    4      Log hexadecimal and ASCII dump of complete transmission
           after STARTTLS.

Use "smtp_tls_loglevel = 3" only in case of problems. Use of loglevel 4
is strongly discouraged.

This feature is available in Postfix 2.2 and later.

The minimum TLS cipher grade that the Postfix SMTP client will use with
mandatory TLS encryption. The default value "medium" is suitable for
most destinations with which you may want to enforce TLS, and is beyond
the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
for information on how to configure ciphers on a per-destination basis.

The following cipher grades are supported:

    export Enable the mainstream "EXPORT" grade or better OpenSSL
           ciphers. This is always used for opportunistic encryption.
           It is not recommended for mandatory encryption unless you
           must enforce TLS with "crippled" peers. The underlying
           cipherlist is specified via the tls_export_cipherlist
           configuration parameter, which you are strongly encouraged
           to not change. The default value of tls_export_cipherlist
           includes anonymous ciphers, but these are automatically
           filtered out if the client is configured to verify server
           certificates. If you must exclude anonymous ciphers also at
           the "encrypt" security level, set
           "smtp_tls_mandatory_exclude_ciphers = aNULL".

    low    Enable the mainstream "LOW" grade or better OpenSSL ciphers.
           This setting is only appropriate for internal mail servers.
           The underlying cipherlist is specified via the
           tls_low_cipherlist configuration parameter, which you are
           strongly encouraged to not change. The default value of
           tls_low_cipherlist includes anonymous ciphers, but these are
           automatically filtered out if the client is configured to
           verify server certificates. If you must exclude anonymous
           ciphers also at the "encrypt" security level, set
           "smtp_tls_mandatory_exclude_ciphers = aNULL".

    medium Enable the mainstream "MEDIUM" grade or better OpenSSL
           ciphers. The underlying cipherlist is specified via the
           tls_medium_cipherlist configuration parameter, which you
           are strongly encouraged to not change. The default value of
           tls_medium_cipherlist includes anonymous ciphers, but these
           are automatically filtered out if the client is configured
           to verify server certificates. If you must exclude anonymous
           ciphers also at the "encrypt" security level, set
           "smtp_tls_mandatory_exclude_ciphers = aNULL".

    high   Enable only the mainstream "HIGH" grade OpenSSL ciphers.
           This setting is appropriate when all mandatory TLS
           destinations support some "HIGH" grade ciphers; this is not
           uncommon. The underlying cipherlist is specified via the
           tls_high_cipherlist configuration parameter, which you are
           strongly encouraged to not change. The default value of
           tls_high_cipherlist includes anonymous ciphers, but these
           are automatically filtered out if the client is configured
           to verify server certificates. If you must exclude anonymous
           ciphers also at the "encrypt" security level, set
           "smtp_tls_mandatory_exclude_ciphers = aNULL".

    null   Enable only the "NULL" OpenSSL ciphers; these provide
           authentication without encryption. This setting is only
           appropriate in the rare case that all servers are prepared
           to use NULL ciphers (not normally enabled in TLS servers). A
           plausible use-case is an LMTP server listening on a
           UNIX-domain socket that is configured to support "NULL"
           ciphers. The underlying cipherlist is specified via the
           tls_null_cipherlist configuration parameter, which you are
           strongly encouraged to not change. The default value of
           tls_null_cipherlist excludes anonymous ciphers (OpenSSL
           0.9.8 has NULL ciphers that offer data integrity without
           encryption or authentication).

This feature is available in Postfix 2.3 and later.

Additional list of ciphers or cipher types to exclude from the SMTP
client cipher list at mandatory TLS security levels. This list works in
addition to the exclusions listed with smtp_tls_exclude_ciphers (see
there for syntax details).

This feature is available in Postfix 2.3 and later.

List of TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In main.cf the values are separated by
whitespace, commas or colons. In the policy table (see
smtp_tls_policy_maps) the only valid separator is colon. An empty value
means allow all protocols. The valid protocol names (see
SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".

Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting only lists "SSLv3" and "TLSv1". This
means that by default, SSL version 2 will not be used at the "encrypt"
security level and higher.

See the documentation of the smtp_tls_policy_maps parameter and
TLS_README for more information about security levels.

This feature is available in Postfix 2.3 and later.

Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
is not already enabled for that server.

The logfile record looks like:

    postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]

This feature is available in Postfix 2.2 and later.

Optional lookup tables with the Postfix SMTP client TLS usage policy by
next-hop destination and by remote SMTP server hostname. When both
lookups succeed, the more specific per-site policy (NONE, MUST, etc)
overrides the less specific one (MAY), and the more secure per-site
policy (MUST, etc) overrides the less secure one (NONE). With Postfix
2.3 and later smtp_tls_per_site is strongly discouraged: use
smtp_tls_policy_maps instead.

Use of the bare hostname as the per-site table lookup key is
discouraged. Always use the full destination nexthop (enclosed in []
with a possible ":port" suffix). A recipient domain or MX-enabled
transport next-hop with no port suffix may look like a bare hostname,
but is still a suitable destination.

Specify a next-hop destination or server hostname on the left-hand
side; no wildcards are allowed. The next-hop destination is either the
recipient domain, or the destination specified with a transport(5)
table, the relayhost parameter, or the relay_transport parameter. On
the right hand side specify one of the following keywords:

    NONE   Don't use TLS at all. This overrides a less specific MAY
           lookup result from the alternate host or next-hop lookup
           key, and overrides the global smtp_use_tls,
           smtp_enforce_tls, and smtp_tls_enforce_peername settings.

    MAY    Try to use TLS if the server announces support, otherwise
           use the unencrypted connection. This has less precedence
           than a more specific result (including NONE) from the
           alternate host or next-hop lookup key, and has less
           precedence than the more specific global
           "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername =
           yes".

    MUST_NOPEERMATCH
           Require TLS encryption, but do not require that the remote
           SMTP server hostname matches the information in the remote
           SMTP server certificate, or that the server certificate was
           issued by a trusted CA. This overrides a less secure NONE or
           a less specific MAY lookup result from the alternate host or
           next-hop lookup key, and overrides the global smtp_use_tls,
           smtp_enforce_tls and smtp_tls_enforce_peername settings.

    MUST   Require TLS encryption, require that the remote SMTP server
           hostname matches the information in the remote SMTP server
           certificate, and require that the remote SMTP server
           certificate was issued by a trusted CA. This overrides a
           less secure NONE and MUST_NOPEERMATCH or a less specific
           MAY lookup result from the alternate host or next-hop
           lookup key, and overrides the global smtp_use_tls,
           smtp_enforce_tls and smtp_tls_enforce_peername settings.

The above keywords correspond to the "none", "may", "encrypt" and
"verify" security levels for the new smtp_tls_security_level parameter
introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
of how the policy is specified, the smtp_tls_mandatory_ciphers and
smtp_tls_mandatory_protocols parameters only apply when TLS encryption
is mandatory. Connections for which encryption is optional enable all
"export" grade and better ciphers.

As long as no secure DNS lookup mechanism is available, false hostnames
in MX or CNAME responses can change the server hostname that Postfix
uses for TLS policy lookup and server certificate verification. Even
with a perfect match between the server hostname and the server
certificate, there is no guarantee that Postfix is connected to the
right server. See TLS_README (Closing a DNS loophole with obsolete
per-site TLS policies) for a possible work-around.

This feature is available in Postfix 2.2 and later. With Postfix 2.3
and later use smtp_tls_policy_maps instead.

4792 Optional lookup tables with the Postfix SMTP client TLS security policy
4793 by next-hop destination; when a non-empty value is specified, this
4794 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
4795 a more detailed discussion of TLS security levels.
4796
4797 The TLS policy table is indexed by the full next-hop destination, which
4798 is either the recipient domain, or the verbatim next-hop specified in
4799 the transport table, $local_transport, $virtual_transport,
4800 $relay_transport or $default_transport. This includes any enclosing
4801 square brackets and any non-default destination server port suffix. The
4802 LMTP socket type prefix (inet: or unix:) is not included in the lookup
4803 key.
4804
4805 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
4806 sockets, is used as the nexthop name for certificate verification. The
4807 port and any enclosing square brackets are used in the table lookup
4808 key, but are not used for server name verification.
4809
4810 When the lookup key is a domain name without enclosing square brackets
4811 or any :port suffix (typically the recipient domain), and the full
4812 domain is not found in the table, just as with the transport(5) table,
4813 the parent domain starting with a leading "." is matched recursively.
4814 This allows one to specify a security policy for a recipient domain and
4815 all its sub-domains.
4816
4817 The lookup result is a security level, followed by an optional list of
4818 whitespace and/or comma separated name=value attributes that override
4819 related main.cf settings. The TLS security levels in order of increas‐
4820 ing security are:
4821
4822 none No TLS. No additional attributes are supported at this level.
4823
4824 may Opportunistic TLS. No additional attributes are supported at
4825 this level. Since sending in the clear is acceptable, demanding
4826 stronger than default TLS security parameters merely reduces
4827 inter-operability. Postfix 2.3 and later ignore the
4828 smtp_tls_mandatory_ciphers and smtp_tls_mandatory_protocols
4829 parameters at this security level; all protocols are allowed and
4830 "export" grade or better ciphers are used. When TLS handshakes
4831 fail, the connection is retried with TLS disabled. This allows
4832 mail delivery to sites with non-interoperable TLS implementa‐
4833 tions.
4834
4835 encrypt
4836 Mandatory TLS encryption. At this level and higher the optional
4837 "ciphers" attribute overrides the main.cf smtp_tls_manda‐
4838 tory_ciphers parameter and the optional "protocols" keyword
4839 overrides the main.cf smtp_tls_mandatory_protocols parameter.
4840 In the policy table, multiple protocols must be separated by
4841 colons, as attribute values may not contain whitespace or com‐
4842 mas.
4843
4844 verify Mandatory TLS verification. At this security level, DNS MX
4845 lookups are trusted to be secure enough, and the name verified
4846 in the server certificate is usually obtained indirectly via
4847 unauthenticated DNS MX lookups. The optional "match" attribute
4848 overrides the main.cf smtp_tls_verify_cert_match parameter. In
4849 the policy table, multiple match patterns and strategies must be
4850 separated by colons. In practice explicit control over matching
4851 is more common with the "secure" policy, described below.
4852
4853 secure Secure-channel TLS. At this security level, DNS MX lookups,
4854 though potentially used to determine the candidate next-hop
4855 gateway IP addresses, are not trusted to be secure enough for
4856 TLS peername verification. Instead, the default name verified in
4857 the server certificate is obtained directly from the next-hop,
4858 or is explicitly specified via the optional match attribute
4859 which overrides the main.cf smtp_tls_secure_cert_match parame‐
4860 ter. In the policy table, multiple match patterns and strategies
4861 must be separated by colons. The match attribute is most useful
4862 when multiple domains are supported by common server, the policy
4863 entries for additional domains specify matching rules for the
4864 primary domain certificate. While transport table overrides
4865 routing the secondary domains to the primary nexthop also allow
4866 secure verification, they risk delivery to the wrong destination
4867 when domains change hands or are re-assigned to new gateways.
4868 With the "match" attribute approach, routing is not perturbed,
4869 and mail is deferred if verification of a new MX host fails.
4870
4871 Example:
4872
4873 main.cf:
4874 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
4875 tls_policy:
4876 example.edu none
4877 example.mil may
4878 example.gov encrypt protocols=TLSv1
4879 example.com verify ciphers=high
4880 example.net secure
4881 .example.net secure match=.example.net:example.net
4882 [mail.example.org]:587 secure match=nexthop
4883
4884 Note: The hostname strategy, if listed in a non-default setting of
4885 smtp_tls_secure_cert_match or in the match attribute in the policy
4886 table, can render the secure level vulnerable to DNS forgery. Do not use
4887 the hostname strategy for secure-channel configurations in environments
4888 where DNS security is not assured.
4889
4890 This feature is available in Postfix 2.3 and later.
4891
4893 The verification depth for remote SMTP server certificates. A depth of
4894 1 is sufficient if the certificate is directly issued by a CA listed
4895 in the CA files. The default value (5) should suffice for longer
4896 chains (the root CA issues a special CA, which then issues the actual
4897 certificate, and so on).
4898
4899 This feature is available in Postfix 2.2 and later.
4900
4902 The server certificate peername verification method for the "secure"
4903 TLS security level. In a "secure" TLS policy table ($smtp_tls_pol‐
4904 icy_maps) entry the optional "match" attribute overrides this main.cf
4905 setting.
4906
4907 This parameter specifies one or more patterns or strategies separated
4908 by commas, whitespace or colons. In the policy table the only valid
4909 separator is the colon character.
4910
4911 For a description of the pattern and strategy syntax see the
4912 smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
4913 avoided in this context, as in the absence of a secure global DNS,
4914 using the results of MX lookups in certificate verification is not
4915 immune to active (man-in-the-middle) attacks on DNS.
4916
4917 Sample main.cf setting:
4918
4919 smtp_tls_secure_cert_match = nexthop
4920
4921 Sample policy table override:
4922
4923 example.net secure match=example.com:.example.com
4924 .example.net secure match=example.com:.example.com
4925
4926 This feature is available in Postfix 2.3 and later.
4927
4929 The default SMTP TLS security level for the Postfix SMTP client; when a
4930 non-empty value is specified, this overrides the obsolete parameters
4931 smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
4932
4933 Specify one of the following security levels:
4934
4935 none TLS will not be used unless enabled for specific destinations
4936 via smtp_tls_policy_maps.
4937
4938 may Opportunistic TLS. TLS will be used if supported by the server.
4939 Since sending in the clear is acceptable, demanding stronger
4940 than default TLS security parameters merely reduces
4941 interoperability. Postfix 2.3 and later ignore the
4942 smtp_tls_mandatory_ciphers and smtp_tls_mandatory_protocols
4943 parameters at this security level; all protocols are allowed and
4944 "export" grade or better ciphers are used. When TLS handshakes
4945 fail, the connection is retried with TLS disabled. This allows
4946 mail delivery to sites with non-interoperable TLS implementations.
4947
4948 encrypt
4949 Mandatory TLS encryption. Since a minimum level of security is
4950 intended, it is reasonable to be specific about sufficiently secure
4951 protocol versions and ciphers. At this security level and
4952 higher, the main.cf parameters smtp_tls_mandatory_protocols and
4953 smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
4954 cipher grade which the administrator considers secure enough for
4955 mandatory encrypted sessions. This security level is not an
4956 appropriate default for systems delivering mail to the Internet.
4957
4958 verify Mandatory TLS verification. At this security level, DNS MX
4959 lookups are trusted to be secure enough, and the name verified
4960 in the server certificate is usually obtained indirectly via
4961 unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
4962 parameter controls how the server name is verified. In practice
4963 explicit control over matching is more common at the "secure"
4964 level, described below. This security level is not an appropri‐
4965 ate default for systems delivering mail to the Internet.
4966
4967 secure Secure-channel TLS. At this security level, DNS MX lookups,
4968 though potentially used to determine the candidate next-hop
4969 gateway IP addresses, are not trusted to be secure enough for
4970 TLS peername verification. Instead, the default name verified in
4971 the server certificate is obtained from the next-hop domain as
4972 specified in the smtp_tls_secure_cert_match configuration param‐
4973 eter. The default matching rule is that a server certificate
4974 matches when its name is equal to or is a sub-domain of the nex‐
4975 thop domain. This security level is not an appropriate default
4976 for systems delivering mail to the Internet.
4977
4978 Examples:
4979
4980 No TLS, old-style: smtp_use_tls=no and smtp_enforce_tls=no.
4981 main.cf:
4982 smtp_tls_security_level = none
4983
4984 Opportunistic TLS:
4985 main.cf:
4986 smtp_tls_security_level = may
4987
4988 Mandatory (high-grade) TLS encryption:
4989 main.cf:
4990 smtp_tls_security_level = encrypt
4991 smtp_tls_mandatory_ciphers = high
4992
4993 Mandatory TLS verification, of hostname or nexthop domain:
4994 main.cf:
4995 smtp_tls_security_level = verify
4996 smtp_tls_mandatory_ciphers = high
4997 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
4998
4999 Secure channel TLS with exact nexthop name matching:
5000 main.cf:
5001 smtp_tls_security_level = secure
5002 smtp_tls_mandatory_protocols = TLSv1
5003 smtp_tls_mandatory_ciphers = high
5004 smtp_tls_secure_cert_match = nexthop
5005
5006 This feature is available in Postfix 2.3 and later.
5007
5009 Name of the file containing the optional Postfix SMTP client TLS ses‐
5010 sion cache. Specify a database type that supports enumeration, such as
5011 btree or sdbm; there is no need to support concurrent access. The file
5012 is created if it does not exist. The smtp(8) daemon does not use this
5013 parameter directly, rather the cache is implemented indirectly in the
5014 tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
5015 of this parameter are not effective. Note that each of the cache
5016 databases supported by the tlsmgr(8) daemon ($smtpd_tls_session_cache_database,
5017 $smtp_tls_session_cache_database and, with Postfix 2.3 and later,
5018 $lmtp_session_cache_database) needs to be stored separately; it is not
5019 at this time possible to store multiple caches in a single database.
5020
5021 Note: dbm databases are not suitable. TLS session objects are too
5022 large.
5023
5024 Example:
5025
5026 smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_scache
5027
5028 This feature is available in Postfix 2.2 and later.
5029
5031 The expiration time of Postfix SMTP client TLS session cache informa‐
5032 tion. A cache cleanup is performed periodically every $smtp_tls_ses‐
5033 sion_cache_timeout seconds. As with $smtp_tls_session_cache_database,
5034 this parameter is implemented in the tlsmgr(8) daemon and therefore
5035 per-smtp-instance master.cf overrides are not possible.
5036
5037 This feature is available in Postfix 2.2 and later.
5038
5040 The server certificate peername verification method for the "verify"
5041 TLS security level. In a "verify" TLS policy table ($smtp_tls_pol‐
5042 icy_maps) entry the optional "match" attribute overrides this main.cf
5043 setting.
5044
5045 This parameter specifies one or more patterns or strategies separated
5046 by commas, whitespace or colons. In the policy table the only valid
5047 separator is the colon character.
5048
5049 Patterns specify domain names, or domain name suffixes:
5050
5051 example.com
5052 Match the example.com domain, i.e. one of the names in the server
5053 certificate must be example.com; upper and lower case distinc‐
5054 tions are ignored.
5055
5056 .example.com
5057 Match subdomains of the example.com domain, i.e. match a name in
5058 the server certificate that consists of a non-zero number of
5059 labels followed by a .example.com suffix. Case distinctions are
5060 ignored.
5061
5062 Strategies specify a transformation from the next-hop domain to the
5063 expected name in the server certificate:
5064
5065 nexthop
5066 Match against the next-hop domain, which is either the recipient
5067 domain, or the transport next-hop configured for the domain,
5068 stripped of any optional socket type prefix, enclosing square
5069 brackets and trailing port. When MX lookups are not suppressed,
5070 this is the original nexthop domain prior to the MX lookup, not
5071 the result of the MX lookup. For LMTP delivery via UNIX-domain
5072 sockets, the verified next-hop name is $myhostname. This strat‐
5073 egy is suitable for use with the "secure" policy. Case is
5074 ignored.
5075
5076 dot-nexthop
5077 As above, but match server certificate names that are subdomains
5078 of the next-hop domain. Case is ignored.
5079
5080 hostname
5081 Match against the hostname of the server, often obtained via an
5082 unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
5083 sockets, the verified name is $myhostname. This matches the ver‐
5084 ification strategy of the "MUST" keyword in the obsolete
5085 smtp_tls_per_site table, and is suitable for use with the "ver‐
5086 ify" security level. When the next-hop name is enclosed in
5087 square brackets to suppress MX lookups, the "hostname" strategy
5088 is the same as the "nexthop" strategy. Case is ignored.
5089
5090 Sample main.cf setting:
5091
5092 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
5093
5094 Sample policy table override:
5095
5096 example.com verify match=hostname:nexthop
5097 .example.com verify match=example.com:.example.com:hostname
5098
5099 This feature is available in Postfix 2.3 and later.
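As an added illustration (not Postfix code and not part of the postconf(5) text), the following Python models the policy-table lookup, the nexthop, dot-nexthop and hostname strategies, and the exact and ".suffix" patterns described above, serving both the smtp_tls_secure_cert_match and the smtp_tls_verify_cert_match sections; the policy table and certificate names are constructed, the parent-domain lookup order and the two main.cf default match lists are assumptions, and certificate chain validation is out of scope.

```python
import re

# A constructed policy table in smtp_tls_policy_maps format (not a real site's).
POLICY_TABLE = """
example.edu            none
example.gov            encrypt protocols=TLSv1
example.com            verify  ciphers=high
example.net            secure
.example.net           secure  match=.example.net:example.net
[mail.example.org]:587 secure  match=nexthop
"""

def parse_policy(text):
    """Map each policy key to (security level, {attribute: value}). Attribute
    values use ':' as separator since whitespace and commas are not allowed."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, level, *attrs = line.split()
        table[key] = (level, dict(a.split("=", 1) for a in attrs))
    return table

def strip_nexthop(nexthop):
    """Drop an optional inet:/unix: type prefix, enclosing square brackets and
    a trailing :port; the result is the name the 'nexthop' strategy expects."""
    nh = re.sub(r"^(inet|unix):", "", nexthop)
    m = re.match(r"^\[([^\]]+)\](?::\d+)?$", nh)
    return (m.group(1) if m else re.sub(r":\d+$", "", nh)).lower()

def lookup_policy(policy, nexthop, default_level):
    """Exact next-hop key first, then parent domains with a leading dot
    (a simplification of the real lookup order; assumption)."""
    if nexthop in policy:
        return policy[nexthop]
    domain = strip_nexthop(nexthop)
    if domain in policy:
        return policy[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in policy:
            return policy[parent]
    return default_level, {}

def expected_names(match_spec, nexthop, mx_hostname):
    """Expand patterns and strategies into (exact names, suffix names).
    main.cf allows comma, whitespace or colon separators; the policy table
    allows only the colon."""
    exact, suffix = set(), set()
    bare = strip_nexthop(nexthop)
    # Square brackets suppress MX lookups, so 'hostname' then equals 'nexthop'.
    mx_suppressed = re.sub(r"^(inet|unix):", "", nexthop).startswith("[")
    for item in re.split(r"[\s,:]+", match_spec.strip()):
        if item == "nexthop":
            exact.add(bare)
        elif item == "dot-nexthop":
            suffix.add(bare)
        elif item == "hostname":   # name from the (unauthenticated) MX lookup
            exact.add(bare if mx_suppressed else mx_hostname.lower())
        elif item.startswith("."):
            suffix.add(item[1:].lower())
        elif item:
            exact.add(item.lower())
    return exact, suffix

def cert_name_matches(cert_names, exact, suffix):
    """Case-insensitive; a suffix needs at least one label in front of it."""
    for name in (n.lower() for n in cert_names):
        if name in exact:
            return True
        if any(name.endswith("." + s) and len(name) > len(s) + 1 for s in suffix):
            return True
    return False

def verify_server(nexthop, mx_hostname, cert_names, policy, default_level="may",
                  verify_cert_match="hostname, nexthop, dot-nexthop",
                  secure_cert_match="nexthop, dot-nexthop"):
    """Return (security level, verified) for one delivery attempt. The two
    *_cert_match defaults are assumed main.cf values (assumption)."""
    level, attrs = lookup_policy(policy, nexthop, default_level)
    if level in ("none", "may", "encrypt"):
        return level, None        # no peername verification at these levels
    default_match = secure_cert_match if level == "secure" else verify_cert_match
    exact, suffix = expected_names(attrs.get("match", default_match),
                                   nexthop, mx_hostname)
    return level, cert_name_matches(cert_names, exact, suffix)

POLICY = parse_policy(POLICY_TABLE)
```

With a forged MX answer (a constructed "forged-mx.test" host presenting a certificate for its own name), the "verify" entry for example.com still passes because of the hostname strategy, while the "secure" entry for example.net fails, which is the DNS-forgery point made in the text.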
5100
5102 Opportunistic mode: use TLS when a remote SMTP server announces START‐
5103 TLS support, otherwise send the mail in the clear. Beware: some SMTP
5104 servers offer STARTTLS even if it is not configured. With Postfix <
5105 2.3, if the TLS handshake fails, and no other server is available,
5106 delivery is deferred and mail stays in the queue. If this is a concern
5107 for you, use the smtp_tls_per_site feature instead.
5108
5109 This feature is available in Postfix 2.2 and later. With Postfix 2.3
5110 and later use smtp_tls_security_level instead.
5111
5113 The SMTP client time limit for sending the XFORWARD command, and for
5114 receiving the server response.
5115
5116 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5117 The default time unit is s (seconds).
5118
5119 This feature is available in Postfix 2.1 and later.
5120
5122 What SMTP clients are allowed to specify the XVERP command. This com‐
5123 mand requests that mail be delivered one recipient at a time with a per
5124 recipient return address.
5125
5126 By default, no clients are allowed to specify XVERP.
5127
5128 This parameter was renamed with Postfix version 2.1. The default value
5129 is backwards compatible with Postfix version 2.0.
5130
5131 Specify a list of network/netmask patterns, separated by commas and/or
5132 whitespace. The mask specifies the number of bits in the network part
5133 of a host address. You can also specify hostnames or .domain names
5134 (the initial dot causes the domain to match any name below it),
5135 "/file/name" or "type:table" patterns. A "/file/name" pattern is
5136 replaced by its contents; a "type:table" lookup table is matched when a
5137 table entry matches a lookup string (the lookup result is ignored).
5138 Continue long lines by starting the next line with whitespace. Specify
5139 "!pattern" to exclude an address or network block from the list. The
5140 form "!/file/name" is supported only in Postfix version 2.4 and later.
5141
5142 Note: IP version 6 address information must be specified inside [] in
5143 the smtpd_authorized_verp_clients value, and in files specified with
5144 "/file/name". IP version 6 addresses contain the ":" character, and
5145 would otherwise be confused with a "type:table" pattern.
5146
5148 What SMTP clients are allowed to use the XCLIENT feature. This command
5149 overrides SMTP client information that is used for access control. Typ‐
5150 ical use is for SMTP-based content filters, fetchmail-like programs, or
5151 SMTP server access rule testing. See the XCLIENT_README document for
5152 details.
5153
5154 This feature is available in Postfix 2.1 and later.
5155
5156 By default, no clients are allowed to specify XCLIENT.
5157
5158 Specify a list of network/netmask patterns, separated by commas and/or
5159 whitespace. The mask specifies the number of bits in the network part
5160 of a host address. You can also specify hostnames or .domain names
5161 (the initial dot causes the domain to match any name below it),
5162 "/file/name" or "type:table" patterns. A "/file/name" pattern is
5163 replaced by its contents; a "type:table" lookup table is matched when a
5164 table entry matches a lookup string (the lookup result is ignored).
5165 Continue long lines by starting the next line with whitespace. Specify
5166 "!pattern" to exclude an address or network block from the list. The
5167 form "!/file/name" is supported only in Postfix version 2.4 and later.
5168
5169 Note: IP version 6 address information must be specified inside [] in
5170 the smtpd_authorized_xclient_hosts value, and in files specified with
5171 "/file/name". IP version 6 addresses contain the ":" character, and
5172 would otherwise be confused with a "type:table" pattern.
5173
5175 What SMTP clients are allowed to use the XFORWARD feature. This com‐
5176 mand forwards information that is used to improve logging after SMTP-
5177 based content filters. See the XFORWARD_README document for details.
5178
5179 This feature is available in Postfix 2.1 and later.
5180
5181 By default, no clients are allowed to specify XFORWARD.
5182
5183 Specify a list of network/netmask patterns, separated by commas and/or
5184 whitespace. The mask specifies the number of bits in the network part
5185 of a host address. You can also specify hostnames or .domain names
5186 (the initial dot causes the domain to match any name below it),
5187 "/file/name" or "type:table" patterns. A "/file/name" pattern is
5188 replaced by its contents; a "type:table" lookup table is matched when a
5189 table entry matches a lookup string (the lookup result is ignored).
5190 Continue long lines by starting the next line with whitespace. Specify
5191 "!pattern" to exclude an address or network block from the list. The
5192 form "!/file/name" is supported only in Postfix version 2.4 and later.
5193
5194 Note: IP version 6 address information must be specified inside [] in
5195 the smtpd_authorized_xforward_hosts value, and in files specified with
5196 "/file/name". IP version 6 addresses contain the ":" character, and
5197 would otherwise be confused with a "type:table" pattern.
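Added example (not Postfix code): a Python matcher for the network/netmask pattern lists shared by smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts and smtpd_authorized_xforward_hosts, covering "!pattern" exclusion, "/file/name" inclusion, ".domain" suffixes, "type:table" patterns and the rule that IPv6 addresses must be written inside []; the FILES and TABLES dictionaries are constructed stand-ins for real files and lookup tables.

```python
import ipaddress
import re

# Constructed stand-ins for "/file/name" contents and "type:table" lookups.
FILES = {"/etc/postfix/xforward_hosts": "192.0.2.0/24\n[2001:db8::]/32\n"}
TABLES = {"hash:/etc/postfix/xforward_map": {"198.51.100.7", "relay.example.org"}}

def parse_host_list(value, depth=0):
    """Expand a pattern list into (negated, pattern) pairs. Patterns are
    separated by commas and/or whitespace; "/file/name" is replaced by the
    file's contents, and "!/file/name" excludes everything listed in it."""
    items = []
    for tok in re.split(r"[\s,]+", value.strip()):
        if not tok:
            continue
        negated = tok.startswith("!")
        pat = tok[1:] if negated else tok
        if pat.startswith("/"):
            if depth > 2:
                raise ValueError(f"file inclusion nested too deeply at {pat}")
            for neg, sub in parse_host_list(FILES[pat], depth + 1):
                items.append((negated != neg, sub))
        else:
            items.append((negated, pat))
    return items

def pattern_matches(pat, address, hostname):
    """Match one pattern against the client IP and its (optional) hostname."""
    ip = ipaddress.ip_address(address)
    if pat.startswith("["):            # IPv6 network: "[2001:db8::]/32"
        net = pat[1:].replace("]", "", 1)
        return ip in ipaddress.ip_network(net, strict=False)
    if ":" in pat:                     # "type:table" (an unbracketed IPv6 lands here)
        if pat not in TABLES:
            raise ValueError(f"{pat!r} parsed as type:table; write IPv6 as [addr]/bits")
        return address in TABLES[pat] or (hostname or "").lower() in TABLES[pat]
    if pat.startswith("."):            # ".domain" matches names below the domain
        return hostname is not None and hostname.lower().endswith(pat.lower())
    if re.fullmatch(r"\d[\d.]*(/\d+)?", pat):   # IPv4 address or network/bits
        return ip in ipaddress.ip_network(pat, strict=False)
    return hostname is not None and hostname.lower() == pat.lower()

def client_authorized(value, address, hostname=None):
    """The first pattern that matches decides: a plain pattern authorizes,
    a "!pattern" excludes; a client that matches nothing is not authorized."""
    for negated, pat in parse_host_list(value):
        if pattern_matches(pat, address, hostname):
            return not negated
    return False
```

The ValueError for an unbracketed IPv6 pattern is this model's way of surfacing the colon ambiguity the note describes; the real daemon reports it in its own terms.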
5198
5200 The text that follows the 220 status code in the SMTP greeting banner.
5201 Some people like to see the mail version advertised. By default, Post‐
5202 fix shows no version.
5203
5204 You MUST specify $myhostname at the start of the text. This is required
5205 by the SMTP protocol.
5206
5207 Example:
5208
5209 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
5210
5212 How many simultaneous connections any client is allowed to make to this
5213 service. By default, the limit is set to half the default process
5214 limit value.
5215
5216 To disable this feature, specify a limit of 0.
5217
5218 WARNING: The purpose of this feature is to limit abuse. It must not be
5219 used to regulate legitimate mail traffic.
5220
5221 This feature is available in Postfix 2.2 and later.
5222
5224 The maximal number of connection attempts any client is allowed to make
5225 to this service per time unit. The time unit is specified with the
5226 anvil_rate_time_unit configuration parameter.
5227
5228 By default, a client can make as many connections per time unit as
5229 Postfix can accept.
5230
5231 To disable this feature, specify a limit of 0.
5232
5233 WARNING: The purpose of this feature is to limit abuse. It must not be
5234 used to regulate legitimate mail traffic.
5235
5236 This feature is available in Postfix 2.2 and later.
5237
5238 Example:
5239
5240 smtpd_client_connection_rate_limit = 1000
5241
5243 Clients that are excluded from connection count, connection rate, or
5244 SMTP request rate restrictions. See the mynetworks parameter descrip‐
5245 tion for the parameter value syntax.
5246
5247 By default, clients in trusted networks are excluded. Specify a list of
5248 network blocks, hostnames or .domain names (the initial dot causes the
5249 domain to match any name below it).
5250
5251 Note: IP version 6 address information must be specified inside [] in
5252 the smtpd_client_event_limit_exceptions value, and in files specified
5253 with "/file/name". IP version 6 addresses contain the ":" character,
5254 and would otherwise be confused with a "type:table" pattern.
5255
5256 This feature is available in Postfix 2.2 and later.
5257
5259 The maximal number of message delivery requests that any client is
5260 allowed to make to this service per time unit, regardless of whether or
5261 not Postfix actually accepts those messages. The time unit is speci‐
5262 fied with the anvil_rate_time_unit configuration parameter.
5263
5264 By default, a client can send as many message delivery requests per
5265 time unit as Postfix can accept.
5266
5267 To disable this feature, specify a limit of 0.
5268
5269 WARNING: The purpose of this feature is to limit abuse. It must not be
5270 used to regulate legitimate mail traffic.
5271
5272 This feature is available in Postfix 2.2 and later.
5273
5274 Example:
5275
5276 smtpd_client_message_rate_limit = 1000
5277
5279 The maximal number of new (i.e., uncached) TLS sessions that a remote
5280 SMTP client is allowed to negotiate with this service per time unit.
5281 The time unit is specified with the anvil_rate_time_unit configuration
5282 parameter.
5283
5284 By default, a remote SMTP client can negotiate as many new TLS sessions
5285 per time unit as Postfix can accept.
5286
5287 To disable this feature, specify a limit of 0. Otherwise, specify a
5288 limit that is at least the per-client concurrent session limit, or else
5289 legitimate client sessions may be rejected.
5290
5291 WARNING: The purpose of this feature is to limit abuse. It must not be
5292 used to regulate legitimate mail traffic.
5293
5294 This feature is available in Postfix 2.3 and later.
5295
5296 Example:
5297
5298 smtpd_client_new_tls_session_rate_limit = 100
5299
5301 The maximal number of recipient addresses that any client is allowed to
5302 send to this service per time unit, regardless of whether or not Post‐
5303 fix actually accepts those recipients. The time unit is specified with
5304 the anvil_rate_time_unit configuration parameter.
5305
5306 By default, a client can send as many recipient addresses per time unit
5307 as Postfix can accept.
5308
5309 To disable this feature, specify a limit of 0.
5310
5311 WARNING: The purpose of this feature is to limit abuse. It must not be
5312 used to regulate legitimate mail traffic.
5313
5314 This feature is available in Postfix 2.2 and later.
5315
5316 Example:
5317
5318 smtpd_client_recipient_rate_limit = 1000
5319
5321 Optional SMTP server access restrictions in the context of a client
5322 SMTP connection request.
5323
5324 The default is to allow all connection requests.
5325
5326 Specify a list of restrictions, separated by commas and/or whitespace.
5327 Continue long lines by starting the next line with whitespace.
5328 Restrictions are applied in the order as specified; the first restric‐
5329 tion that matches wins.
5330
5331 The following restrictions are specific to client hostname or client
5332 network address information.
5333
5334 check_ccert_access type:table
5335 Use the client certificate fingerprint as lookup key for the
5336 specified access(5) database; with Postfix version 2.2, also
5337 require that the SMTP client certificate is verified success‐
5338 fully. This feature is available with Postfix version 2.2 and
5339 later.
5340
5341 check_client_access type:table
5342 Search the specified access database for the client hostname,
5343 parent domains, client IP address, or networks obtained by
5344 stripping least significant octets. See the access(5) manual
5345 page for details.
5346
5347 permit_inet_interfaces
5348 Permit the request when the client IP address matches
5349 $inet_interfaces.
5350
5351 permit_mynetworks
5352 Permit the request when the client IP address matches any net‐
5353 work or network address listed in $mynetworks.
5354
5355 permit_sasl_authenticated
5356 Permit the request when the client is successfully authenticated
5357 via the RFC 2554 (AUTH) protocol.
5358
5359 permit_tls_all_clientcerts
5360 Permit the request when the remote SMTP client certificate is
5361 verified successfully. This option must be used only if a spe‐
5362 cial CA issues the certificates and only this CA is listed as
5363 trusted CA, otherwise all clients with a recognized certificate
5364 would be allowed to relay. This feature is available with Post‐
5365 fix version 2.2.
5366
5367 permit_tls_clientcerts
5368 Permit the request when the remote SMTP client certificate is
5369 verified successfully, and the certificate fingerprint is listed
5370 in $relay_clientcerts. This feature is available with Postfix
5371 version 2.2.
5372
5373 reject_rbl_client rbl_domain=d.d.d.d
5374 Reject the request when the reversed client network address is
5375 listed with the A record "d.d.d.d" under rbl_domain (Postfix
5376 version 2.1 and later only). If no "=d.d.d.d" is specified,
5377 reject the request when the reversed client network address is
5378 listed with any A record under rbl_domain.
5379 The maps_rbl_reject_code parameter specifies the response code
5380 for rejected requests (default: 554), the default_rbl_reply
5381 parameter specifies the default server reply, and the
5382 rbl_reply_maps parameter specifies tables with server replies
5383 indexed by rbl_domain. This feature is available in Postfix 2.0
5384 and later.
5385
5386 reject_rhsbl_client rbl_domain=d.d.d.d
5387 Reject the request when the client hostname is listed with the A
5388 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
5389 only). If no "=d.d.d.d" is specified, reject the request when
5390 the client hostname is listed with any A record under
5391 rbl_domain. See the reject_rbl_client description above for
5392 additional RBL related configuration parameters. This feature
5393 is available in Postfix 2.0 and later.
5394
5395 reject_unknown_client_hostname (with Postfix < 2.3:
5396 reject_unknown_client)
5397 Reject the request when 1) the client IP address->name mapping
5398 fails, 2) the name->address mapping fails, or 3) the
5399 name->address mapping does not match the client IP address.
5400 This is a stronger restriction than the
5401 reject_unknown_reverse_client_hostname feature, which triggers
5402 only under condition 1) above.
5403 The unknown_client_reject_code parameter specifies the response
5404 code for rejected requests (default: 450). The reply is always
5405 450 in case the address->name or name->address lookup failed due
5406 to a temporary problem.
5407
5408 reject_unknown_reverse_client_hostname
5409 Reject the request when the client IP address has no
5410 address->name mapping.
5411 This is a weaker restriction than the
5412 reject_unknown_client_hostname feature, which requires not only
5413 that the address->name and name->address mappings exist, but
5414 also that the two mappings reproduce the client IP address.
5415 The unknown_client_reject_code parameter specifies the response
5416 code for rejected requests (default: 450). The reply is always
5417 450 in case the address->name lookup failed due to a temporary
5418 problem.
5419 This feature is available in Postfix 2.3 and later.
5420
5421 In addition, you can use any of the following generic restrictions.
5422 These restrictions are applicable in any SMTP command context.
5423
5424 check_policy_service servername
5425 Query the specified policy server. See the SMTPD_POLICY_README
5426 document for details. This feature is available in Postfix 2.1
5427 and later.
5428
5429 defer Defer the request. The client is told to try again later. This
5430 restriction is useful at the end of a restriction list, to make
5431 the default policy explicit.
5432 The defer_code parameter specifies the SMTP server reply code
5433 (default: 450).
5434
5435 defer_if_permit
5436 Defer the request if some later restriction would result in an
5437 explicit or implicit PERMIT action. This is useful when a
5438 blacklisting feature fails due to a temporary problem. This
5439 feature is available in Postfix version 2.1 and later.
5440
5441 defer_if_reject
5442 Defer the request if some later restriction would result in a
5443 REJECT action. This is useful when a whitelisting feature fails
5444 due to a temporary problem. This feature is available in Post‐
5445 fix version 2.1 and later.
5446
5447 permit Permit the request. This restriction is useful at the end of a
5448 restriction list, to make the default policy explicit.
5449
5450 reject_multi_recipient_bounce
5451 Reject the request when the envelope sender is the null address,
5452 and the message has multiple envelope recipients. This usage has
5453 rare but legitimate applications: under certain conditions,
5454 multi-recipient mail that was posted with the DSN option
5455 NOTIFY=NEVER may be forwarded with the null sender address.
5456 Note: this restriction can only work reliably when used in
5457 smtpd_data_restrictions or smtpd_end_of_data_restrictions,
5458 because the total number of recipients is not known at an ear‐
5459 lier stage of the SMTP conversation. Use at the RCPT stage will
5460 only reject the second etc. recipient.
5461 The multi_recipient_bounce_reject_code parameter specifies the
5462 response code for rejected requests (default: 550). This fea‐
5463 ture is available in Postfix 2.1 and later.
5464
5465 reject_plaintext_session
5466 Reject the request when the connection is not encrypted. This
5467 restriction should not be used before the client has had a
5468 chance to negotiate encryption with the AUTH or STARTTLS com‐
5469 mands.
5470 The plaintext_reject_code parameter specifies the response code
5471 for rejected requests (default: 450). This feature is avail‐
5472 able in Postfix 2.3 and later.
5473
5474 reject_unauth_pipelining
5475 Reject the request when the client sends SMTP commands ahead of
5476 time where it is not allowed, or when the client sends SMTP com‐
5477 mands ahead of time without knowing that Postfix actually sup‐
5478 ports ESMTP command pipelining. This stops mail from bulk mail
5479 software that improperly uses ESMTP command pipelining in order
5480 to speed up deliveries.
5481 Note: reject_unauth_pipelining is not useful outside
5482 smtpd_data_restrictions when 1) the client uses ESMTP (EHLO
5483 instead of HELO) and 2) with "smtpd_delay_reject = yes" (the
5484 default). The use of reject_unauth_pipelining in the other
5485 restriction contexts is therefore not recommended.
5486
5487 reject Reject the request. This restriction is useful at the end of a
5488 restriction list, to make the default policy explicit. The
5489 reject_code configuration parameter specifies the response code
5490 to rejected requests (default: 554).
5491
5492 sleep seconds
5493 Pause for the specified number of seconds and proceed with the
5494 next restriction in the list, if any. This may stop zombie mail
5495 when used as:
5496
5497 /etc/postfix/main.cf:
5498 smtpd_client_restrictions =
5499 sleep 1, reject_unauth_pipelining
5500 smtpd_delay_reject = no
5501 This feature is available in Postfix 2.3.
5502
5503 warn_if_reject
5504 Change the meaning of the next restriction, so that it logs a
5505 warning instead of rejecting a request (look for logfile records
5506 that contain "reject_warning"). This is useful for testing new
5507 restrictions in a "live" environment without risking unnecessary
5508 loss of mail.
5509
5510 Other restrictions that are valid in this context:
5511
5512 · SMTP command specific restrictions that are described under the
5513 smtpd_helo_restrictions, smtpd_sender_restrictions or
5514 smtpd_recipient_restrictions parameters. When helo, sender or
5515 recipient restrictions are listed under smtpd_client_restric‐
5516 tions, they have effect only with "smtpd_delay_reject = yes", so
5517 that $smtpd_client_restrictions is evaluated at the time of the
5518 RCPT TO command.
5519
5520 Example:
5521
5522 smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
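Added example, not part of the postconf(5) text or the Postfix code: a Python model of how a smtpd_client_restrictions list is evaluated (first match wins, warn_if_reject, defer_if_permit, defer_if_reject, and the client and generic restrictions named above), with constructed client data, a constructed $mynetworks value and a constructed access(5) table standing in for the hash: file named in the list; only IPv4 clients and the restrictions listed in apply_one are modelled, which is an assumption of this model.

```python
import ipaddress
import re

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"
WITH_ARG = {"check_client_access", "check_policy_service", "sleep"}

class Client:
    """What smtpd knows about one connection (all values constructed, IPv4 only)."""
    def __init__(self, address, reverse_name=None, forward_addresses=(), sasl=False):
        self.address = address                           # client IP address
        self.reverse_name = reverse_name                 # address->name, None if failed
        self.forward_addresses = set(forward_addresses)  # name->address result
        self.sasl_authenticated = sasl

class Site:
    """Stand-ins for $mynetworks and one access(5) table; 'warnings' collects
    what Postfix would log as reject_warning."""
    def __init__(self, mynetworks, client_access):
        self.mynetworks = [ipaddress.ip_network(n) for n in mynetworks]
        self.client_access = client_access
        self.warnings = []

def parse_restrictions(text):
    """Split on commas and/or whitespace; some restrictions take an argument."""
    toks = [t for t in re.split(r"[\s,]+", text.strip()) if t]
    items, i = [], 0
    while i < len(toks):
        arg = toks[i + 1] if toks[i] in WITH_ARG else None
        items.append((toks[i], arg))
        i += 2 if arg else 1
    return items

def access_lookup(client, table):
    """access(5) lookup order: hostname, parent domains, IP address, then the
    networks obtained by stripping least significant octets."""
    keys = []
    if client.reverse_name:
        labels = client.reverse_name.lower().split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    octets = client.address.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return next((table[k] for k in keys if k in table), None)

def apply_one(name, client, site):
    """Outcome of one restriction for this client; DUNNO when it does not match."""
    if name in ("permit", "reject", "defer"):
        return name.upper()
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(client.address)
        return PERMIT if any(ip in n for n in site.mynetworks) else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if client.sasl_authenticated else DUNNO
    if name == "reject_unknown_reverse_client_hostname":
        return REJECT if client.reverse_name is None else DUNNO
    if name == "reject_unknown_client_hostname":
        # 1) address->name failed, 2) name->address failed, 3) round trip mismatch
        ok = client.reverse_name and client.address in client.forward_addresses
        return DUNNO if ok else REJECT
    if name == "check_client_access":
        verdict = access_lookup(client, site.client_access)
        return {"OK": PERMIT, "REJECT": REJECT, "DEFER": DEFER}.get(verdict, DUNNO)
    raise ValueError(f"restriction not modelled here: {name}")

def evaluate(items, client, site):
    """First matching restriction wins. Reaching the end of the list is an
    implicit PERMIT, returned as DUNNO to keep it distinct from an explicit one."""
    i = 0
    while i < len(items):
        name = items[i][0]
        if name == "warn_if_reject":      # the next restriction only logs
            result = apply_one(items[i + 1][0], client, site)
            if result == REJECT:
                site.warnings.append(f"reject_warning: {items[i + 1][0]} {client.address}")
                result = DUNNO
            i += 2
        elif name in ("defer_if_permit", "defer_if_reject"):
            rest = evaluate(items[i + 1:], client, site)
            trigger = (PERMIT, DUNNO) if name == "defer_if_permit" else (REJECT,)
            return DEFER if rest in trigger else rest
        else:
            result = apply_one(name, client, site)
            i += 1
        if result != DUNNO:
            return result
    return DUNNO

# Constructed site and a restriction list built from the restrictions above.
SITE = Site(["127.0.0.0/8", "192.0.2.0/24"],
            {"203.0.113": "REJECT", "trusted.example.org": "OK"})
RULES = parse_restrictions("""
    permit_mynetworks, permit_sasl_authenticated,
    check_client_access hash:/etc/postfix/client_access,
    warn_if_reject reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname, permit""")
```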
5523
5525 Optional access restrictions that the Postfix SMTP server applies in
5526 the context of the SMTP DATA command.
5527
5528 This feature is available in Postfix 2.0 and later.
5529
5530 Specify a list of restrictions, separated by commas and/or whitespace.
5531 Continue long lines by starting the next line with whitespace.
5532 Restrictions are applied in the order as specified; the first restric‐
5533 tion that matches wins.
5534
5535 The following restrictions are valid in this context:
5536
5537 · Generic restrictions that can be used in any SMTP command con‐
5538 text, described under smtpd_client_restrictions.
5539
5540 · SMTP command specific restrictions described under
5541 smtpd_client_restrictions, smtpd_helo_restrictions,
5542 smtpd_sender_restrictions or smtpd_recipient_restrictions.
5543
5544 Examples:
5545
5546 smtpd_data_restrictions = reject_unauth_pipelining
5547 smtpd_data_restrictions = reject_multi_recipient_bounce
5548
5550 Postpone the start of an SMTP mail transaction until a valid RCPT TO
5551 command is received. Specify "no" to create a mail transaction as soon
5552 as the SMTP server receives a valid MAIL FROM command.
5553
5554 With sites that reject lots of mail, the default setting reduces the
5555 use of disk, CPU and memory resources. The downside is that rejected
5556 recipients are logged with NOQUEUE instead of a mail transaction ID.
5557 This complicates the logfile analysis of multi-recipient mail.
5558
5559 This feature is available in Postfix 2.3 and later.
5560
5562 Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
5563 tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
5564 until the ETRN command before evaluating $smtpd_client_restrictions and
5565 $smtpd_helo_restrictions.
5566
5567 This feature is turned on by default because some clients apparently
5568 misbehave when the Postfix SMTP server rejects commands before RCPT
5569 TO.
5570
5571 The default setting has one major benefit: it allows Postfix to log
5572 recipient address information when rejecting a client name/address or
5573 sender address, so that it is possible to find out whose mail is being
5574 rejected.
5575
5577 Lookup tables, indexed by the remote SMTP client address, with case
5578 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
5579 that the SMTP server will not send in the EHLO response to a remote
5580 SMTP client. See smtpd_discard_ehlo_keywords for details. The table is
5581 not searched by hostname for robustness reasons.
5582
5583 This feature is available in Postfix 2.2 and later.
5584
5586 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
5587 etc.) that the SMTP server will not send in the EHLO response to a
5588 remote SMTP client.
5589
5590 This feature is available in Postfix 2.2 and later.
5591
5592 Notes:
5593
5594 · Specify the silent-discard pseudo keyword to prevent this action
5595 from being logged.
5596
5597 · Use the smtpd_discard_ehlo_keyword_address_maps feature to dis‐
5598 card EHLO keywords selectively.
5599
5601 Optional access restrictions that the Postfix SMTP server applies in
5602 the context of the SMTP END-OF-DATA command.
5603
5604 This feature is available in Postfix 2.2 and later.
5605
5606 See smtpd_data_restrictions for syntax details.
5607
5609 Mandatory TLS: announce STARTTLS support to SMTP clients, and require
5610 that clients use TLS encryption. According to RFC 2487 this MUST NOT
5611 be applied in case of a publicly-referenced SMTP server. This option
5612 is off by default and should be used only on dedicated servers.
5613
5614 Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
5615
5616 Note 2: when invoked via "sendmail -bs", Postfix will never offer
5617 STARTTLS due to insufficient privileges to access the server private
5618 key. This is intended behavior.
5619
5620 This feature is available in Postfix 2.2 and later. With Postfix 2.3
5621 and later use smtpd_tls_security_level instead.
5622
5624 With Postfix version 2.1 and later: the SMTP server response delay
5625 after a client has made more than $smtpd_soft_error_limit errors, and
5626 fewer than $smtpd_hard_error_limit errors, without delivering mail.
5627
5628 With Postfix version 2.0 and earlier: the SMTP server delay before
5629 sending a reject (4xx or 5xx) response, when the client has made fewer
5630 than $smtpd_soft_error_limit errors without delivering mail.
5631
5633 Optional SMTP server access restrictions in the context of a client
5634 ETRN request.
5635
5636 The Postfix ETRN implementation accepts only destinations that are eli‐
5637 gible for the Postfix "fast flush" service. See the ETRN_README file
5638 for details.
5639
5640 Specify a list of restrictions, separated by commas and/or whitespace.
5641 Continue long lines by starting the next line with whitespace.
5642 Restrictions are applied in the order as specified; the first restric‐
5643 tion that matches wins.
5644
5645 The following restrictions are specific to the domain name information
5646 received with the ETRN command.
5647
5648 check_etrn_access type:table
5649 Search the specified access database for the ETRN domain name or
5650 its parent domains. See the access(5) manual page for details.
5651
5652 Other restrictions that are valid in this context:
5653
5654 · Generic restrictions that can be used in any SMTP command con‐
5655 text, described under smtpd_client_restrictions.
5656
5657 · SMTP command specific restrictions described under
5658 smtpd_client_restrictions and smtpd_helo_restrictions.
5659
5660 Example:
5661
5662 smtpd_etrn_restrictions = permit_mynetworks, reject
5663
5665 What characters are allowed in $name expansions of RBL reply templates.
5666 Characters not in the allowed set are replaced by "_". Use C like
5667 escapes to specify special characters such as whitespace.
5668
5669 This parameter is not subjected to $parameter expansion.
5670
5671 This feature is available in Postfix 2.0 and later.
5672
5674 List of commands that cause the Postfix SMTP server to immediately
5675 terminate the session with a 221 code. This can be used to disconnect
5676 clients that obviously attempt to abuse the system. In addition to the
5677 commands listed in this parameter, commands that follow the "Label:"
5678 format of message headers will also cause a disconnect.
5679
5680 This feature is available in Postfix 2.2 and later.
5681
5683 The maximal number of errors a remote SMTP client is allowed to make
5684 without delivering mail. The Postfix SMTP server disconnects when the
5685 limit is exceeded.
5686
5688 Require that a remote SMTP client introduces itself at the beginning of
5689 an SMTP session with the HELO or EHLO command.
5690
5691 Example:
5692
5693 smtpd_helo_required = yes
5694
5696 Optional restrictions that the Postfix SMTP server applies in the con‐
5697 text of the SMTP HELO command.
5698
5699 The default is to permit everything.
5700
5701 Specify a list of restrictions, separated by commas and/or whitespace.
5702 Continue long lines by starting the next line with whitespace.
5703 Restrictions are applied in the order as specified; the first restric‐
5704 tion that matches wins.
5705
5706 The following restrictions are specific to the hostname information
5707 received with the HELO or EHLO command.
5708
5709 check_helo_access type:table
5710 Search the specified access(5) database for the HELO or EHLO
5711 hostname or parent domains, and execute the corresponding
5712 action.
5713
5714 check_helo_mx_access type:table
5715 Search the specified access(5) database for the MX hosts for the
5716 HELO or EHLO hostname, and execute the corresponding action.
5717 Note: a result of "OK" is not allowed for safety reasons.
5718 Instead, use DUNNO in order to exclude specific hosts from
5719 blacklists. This feature is available in Postfix 2.1 and later.
5720
5721 check_helo_ns_access type:table
5722 Search the specified access(5) database for the DNS servers for
5723 the HELO or EHLO hostname, and execute the corresponding action.
5724 Note: a result of "OK" is not allowed for safety reasons.
5725 Instead, use DUNNO in order to exclude specific hosts from
5726 blacklists. This feature is available in Postfix 2.1 and later.
5727
5728 reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
5730 Reject the request when the HELO or EHLO hostname syntax is
5731 invalid.
5732 The invalid_hostname_reject_code specifies the response code to
5733 rejected requests (default: 501).
5734
5735 reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
5737 Reject the request when the HELO or EHLO hostname is not in
5738 fully-qualified domain form, as required by the RFC.
5739 The non_fqdn_reject_code parameter specifies the response code
5740 to rejected requests (default: 504).
5741
5742 reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
5744 Reject the request when the HELO or EHLO hostname has no DNS A
5745 or MX record.
5746 The unknown_hostname_reject_code specifies the response code to
5747 rejected requests (default: 450).
5748
5749 Other restrictions that are valid in this context:
5750
5751 · Generic restrictions that can be used in any SMTP command con‐
5752 text, described under smtpd_client_restrictions.
5753
5754 · Client hostname or network address specific restrictions
5755 described under smtpd_client_restrictions.
5756
5757 · SMTP command specific restrictions described under
5758 smtpd_sender_restrictions or smtpd_recipient_restrictions. When
5759 sender or recipient restrictions are listed under
5760 smtpd_helo_restrictions, they have effect only with
5761 "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
5762 evaluated at the time of the RCPT TO command.
5763
5764 Examples:
5765
5766 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
5767 smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
5768
5770 The maximal number of lines in the Postfix SMTP server command history
5771 before it is flushed upon receipt of EHLO, RSET, or end of DATA.
5772
5774 The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
5775 SMTP client can send before the Postfix SMTP server starts to increment
5776 the error counter with each junk command. The junk command count is
5777 reset after mail is delivered. See also the smtpd_error_sleep_time and
5778 smtpd_soft_error_limit configuration parameters.
5779
5781 A list of Milter (mail filter) applications for new mail that arrives
5782 via the Postfix smtpd(8) server. See the MILTER_README document for
5783 details.
5784
5785 This feature is available in Postfix 2.3 and later.
5786
5788 List of commands that the Postfix SMTP server replies to with "250 Ok",
5789 without doing any syntax checks and without changing state. This list
5790 overrides any commands built into the Postfix SMTP server.
5791
5793 The lookup key to be used in SMTP access(5) tables instead of the null
5794 sender address.
5795
5797 Attempt to look up the remote SMTP client hostname, and verify that the
5798 name matches the client IP address. A client name is set to "unknown"
5799 when it cannot be looked up or verified, or when name lookup is dis‐
5800 abled. Turning off name lookup reduces delays due to DNS lookup and
5801 increases the maximal inbound delivery rate.
5802
5803 This feature is available in Postfix 2.3 and later.
5804
5806 The time after which an idle SMTPD policy service connection is closed.
5807
5808 This feature is available in Postfix 2.1 and later.
5809
5811 The time after which an active SMTPD policy service connection is
5812 closed.
5813
5814 This feature is available in Postfix 2.1 and later.
5815
5817 The time limit for connecting to, writing to or receiving from a dele‐
5818 gated SMTPD policy server.
5819
5820 This feature is available in Postfix 2.1 and later.
5821
5823 How the Postfix SMTP server announces itself to the proxy filter. By
5824 default, the Postfix hostname is used.
5825
5826 This feature is available in Postfix 2.1 and later.
5827
5829 The hostname and TCP port of the mail filtering proxy server. The
5830 proxy receives all mail from the Postfix SMTP server, and is supposed
5831 to give the result to another Postfix SMTP server process.
5832
5833 Specify "host:port" or "inet:host:port" for a TCP endpoint, or
5834 "unix:pathname" for a UNIX-domain endpoint. The host can be specified
5835 as an IP address or as a symbolic name; no MX lookups are done. When
5836 no "host" or "host:" are specified, the local machine is assumed.
5837 Pathname interpretation is relative to the Postfix queue directory.
5838
5839 This feature is available in Postfix 2.1 and later.
5840
5841 The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
5842 later.
5843
5845 The time limit for connecting to a proxy filter and for sending or
5846 receiving information. When a connection fails the client gets a
5847 generic error message while more detailed information is logged to the
5848 maillog file.
5849
5850 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5851 The default time unit is s (seconds).
5852
5853 This feature is available in Postfix 2.1 and later.
5854
5856 The maximal number of recipients that the Postfix SMTP server accepts
5857 per message delivery request.
5858
5860 The number of recipients that a remote SMTP client can send in excess
5861 of the limit specified with $smtpd_recipient_limit, before the Postfix
5862 SMTP server increments the per-session error count for each excess
5863 recipient.
5864
5865 smtpd_recipient_restrictions (default: permit_mynetworks, reject_unauth_destination)
5867 The access restrictions that the Postfix SMTP server applies in the
5868 context of the RCPT TO command.
5869
5870 By default, the Postfix SMTP server accepts:
5871
5872 · Mail from clients whose IP address matches $mynetworks, or:
5873
5874 · Mail to remote destinations that match $relay_domains, except
5875 for addresses that contain sender-specified routing
5876 (user@elsewhere@domain), or:
5877
5878 · Mail to local destinations that match $inet_interfaces or
5879 $proxy_interfaces, $mydestination, $virtual_alias_domains, or
5880 $virtual_mailbox_domains.
5881
5882 IMPORTANT: If you change this parameter setting, you must specify at
5883 least one of the following restrictions. Otherwise Postfix will refuse
5884 to receive mail:
5885
5886 reject, defer, defer_if_permit, reject_unauth_destination
5887
5888 Specify a list of restrictions, separated by commas and/or whitespace.
5889 Continue long lines by starting the next line with whitespace.
5890 Restrictions are applied in the order as specified; the first restric‐
5891 tion that matches wins.
5892
5893 The following restrictions are specific to the recipient address that
5894 is received with the RCPT TO command.
5895
5896 check_recipient_access type:table
5897 Search the specified access(5) database for the resolved RCPT TO
5898 address, domain, parent domains, or localpart@, and execute the
5899 corresponding action.
5900
5901 check_recipient_mx_access type:table
5902 Search the specified access(5) database for the MX hosts for the
5903 RCPT TO address, and execute the corresponding action. Note: a
5904 result of "OK" is not allowed for safety reasons. Instead, use
5905 DUNNO in order to exclude specific hosts from blacklists. This
5906 feature is available in Postfix 2.1 and later.
5907
5908 check_recipient_ns_access type:table
5909 Search the specified access(5) database for the DNS servers for
5910 the RCPT TO address, and execute the corresponding action.
5911 Note: a result of "OK" is not allowed for safety reasons.
5912 Instead, use DUNNO in order to exclude specific hosts from
5913 blacklists. This feature is available in Postfix 2.1 and later.
5914
5915 permit_auth_destination
5916 Permit the request when one of the following is true:
5917
5918 · Postfix is mail forwarder: the resolved RCPT TO address matches
5919 $relay_domains or a subdomain thereof, and the address contains
5920 no sender-specified routing (user@elsewhere@domain),
5921
5922 · Postfix is the final destination: the resolved RCPT TO address
5923 matches $mydestination, $inet_interfaces, $proxy_interfaces,
5924 $virtual_alias_domains, or $virtual_mailbox_domains, and the
5925 address contains no sender-specified routing
5926 (user@elsewhere@domain).
5927
5928 permit_mx_backup
5929 Permit the request when the local mail system is backup MX for
5930 the RCPT TO address, or when the address is an authorized desti‐
5931 nation (see permit_auth_destination for definition).
5932
5933 · Safety: permit_mx_backup does not accept addresses that have
5934 sender-specified routing information (example:
5935 user@elsewhere@domain).
5936
5937 · Safety: permit_mx_backup can be vulnerable to mis-use when
5938 access is not restricted with permit_mx_backup_networks.
5939
5940 · Safety: as of Postfix version 2.3, permit_mx_backup no longer
5941 accepts the address when the local mail system is primary MX for
5942 the recipient domain. Exception: permit_mx_backup accepts the
5943 address when it specifies an authorized destination (see
5944 permit_auth_destination for definition).
5945
5946 · Limitation: mail may be rejected in case of a temporary DNS
5947 lookup problem with Postfix prior to version 2.0.
5948
5949 reject_non_fqdn_recipient
5950 Reject the request when the RCPT TO address is not in fully-
5951 qualified domain form, as required by the RFC.
5952 The non_fqdn_reject_code parameter specifies the response code
5953 to rejected requests (default: 504).
5954
5955 reject_rhsbl_recipient rbl_domain=d.d.d.d
5956 Reject the request when the RCPT TO domain is listed with the A
5957 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
5958 only). If no "=d.d.d.d" is specified, reject the request when
5959 the RCPT TO domain is listed with any A record under rbl_domain.
5960 The maps_rbl_reject_code parameter specifies the response code
5961 for rejected requests (default: 554); the default_rbl_reply
5962 parameter specifies the default server reply; and the
5963 rbl_reply_maps parameter specifies tables with server replies
5964 indexed by rbl_domain. This feature is available in Postfix
5965 version 2.0 and later.
5966
5967 reject_unauth_destination
5968 Reject the request unless one of the following is true:
5969
5970 · Postfix is mail forwarder: the resolved RCPT TO address matches
5971 $relay_domains or a subdomain thereof, and contains no sender-
5972 specified routing (user@elsewhere@domain),
5973
5974 · Postfix is the final destination: the resolved RCPT TO address
5975 matches $mydestination, $inet_interfaces, $proxy_interfaces,
5976 $virtual_alias_domains, or $virtual_mailbox_domains, and con‐
5977 tains no sender-specified routing (user@elsewhere@domain).
5978 The relay_domains_reject_code parameter specifies the response
5979 code for rejected requests (default: 554).
5980
5981 reject_unknown_recipient_domain
5982 Reject the request when Postfix is not final destination for the
5983 recipient address, and the RCPT TO address has no DNS A or MX
5984 record, or when it has a malformed MX record such as a record
5985 with a zero-length MX hostname (Postfix version 2.3 and later).
5986 The unknown_address_reject_code parameter specifies the response
5987 code for rejected requests (default: 450). The response is
5988 always 450 in case of a temporary DNS error.
5989
5990 reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
5992 Reject the request when the RCPT TO address is not listed in the
5993 list of valid recipients for its domain class. See the
5994 smtpd_reject_unlisted_recipient parameter description for
5995 details. This feature is available in Postfix 2.1 and later.
5996
5997 reject_unverified_recipient
5998 Reject the request when mail to the RCPT TO address is known to
5999 bounce, or when the recipient address destination is not reach‐
6000 able. Address verification information is managed by the
6001 verify(8) server; see the ADDRESS_VERIFICATION_README file for
6002 details.
6003 The unverified_recipient_reject_code parameter specifies the
6004 response when an address is known to bounce (default: 450,
6005 change into 550 when you are confident that it is safe to do
6006 so). Postfix replies with 450 when an address probe failed due
6007 to a temporary problem. This feature is available in Postfix
6008 2.1 and later.
6009
6010 Other restrictions that are valid in this context:
6011
6012 · Generic restrictions that can be used in any SMTP command con‐
6013 text, described under smtpd_client_restrictions.
6014
6015 · SMTP command specific restrictions described under
6016 smtpd_client_restrictions, smtpd_helo_restrictions and
6017 smtpd_sender_restrictions.
6018
6019 Example:
6020
6021 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
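The following is an added example, not code from Postfix or from this manual page. It models how the SMTP server walks a smtpd_recipient_restrictions list in the order given (first match wins), what permit_auth_destination and reject_unauth_destination test (final destination, $relay_domains or a subdomain, never sender-specified routing), and the IMPORTANT safety check above: a list without reject, defer, defer_if_permit or reject_unauth_destination is refused rather than allowed to become an open relay. The domain lists, network list and addresses are constructed sample data standing in for main.cf settings; only the restrictions named here are modelled.

```python
"""First-match-wins walk of smtpd_recipient_restrictions.

Added example, not Postfix code. It models only the restrictions named on
this page that matter for relay control (permit_mynetworks,
permit_auth_destination, reject_unauth_destination, permit, reject, defer,
defer_if_permit) plus the "specify at least one of reject, defer,
defer_if_permit, reject_unauth_destination" safety check. All lists below
are constructed sample data standing in for main.cf settings.
"""
import ipaddress

MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]
INET_INTERFACES = {"192.0.2.25"}
PROXY_INTERFACES = set()
MYDESTINATION = {"example.com", "mail.example.com"}
VIRTUAL_ALIAS_DOMAINS = {"alias.example"}
VIRTUAL_MAILBOX_DOMAINS = {"vmail.example"}
RELAY_DOMAINS = {"relay.example"}

REQUIRED_ONE_OF = {"reject", "defer", "defer_if_permit", "reject_unauth_destination"}


def parse_restrictions(value):
    """Split a restriction list on commas and/or whitespace, keeping order."""
    return value.replace(",", " ").split()


def has_required_restriction(value):
    """The safety check behind the IMPORTANT note on this page."""
    return any(r in REQUIRED_ONE_OF for r in parse_restrictions(value))


def in_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)


def is_auth_destination(recipient):
    """The test shared by permit_auth_destination and reject_unauth_destination.

    Sender-specified routing (user@elsewhere@domain) is never authorized:
    accepting it would make this host relay on to "elsewhere".
    """
    if recipient.count("@") != 1:
        return False
    domain = recipient.rsplit("@", 1)[1].lower()
    final_destination = (MYDESTINATION | INET_INTERFACES | PROXY_INTERFACES
                         | VIRTUAL_ALIAS_DOMAINS | VIRTUAL_MAILBOX_DOMAINS)
    if domain in final_destination:
        return True
    # Mail forwarder: $relay_domains or a subdomain thereof.
    return any(domain == d or domain.endswith("." + d) for d in RELAY_DOMAINS)


def evaluate(restrictions, client_ip, recipient):
    """Return "permit", "reject" or "defer" for one RCPT TO command."""
    if not has_required_restriction(restrictions):
        # Postfix refuses to run the SMTP server with such a list.
        raise ValueError("specify at least one of: " + ", ".join(sorted(REQUIRED_ONE_OF)))
    for name in parse_restrictions(restrictions):
        if name == "permit_mynetworks":
            if in_mynetworks(client_ip):
                return "permit"
        elif name == "permit_auth_destination":
            if is_auth_destination(recipient):
                return "permit"
        elif name == "reject_unauth_destination":
            if not is_auth_destination(recipient):
                return "reject"          # 554 by default (relay_domains_reject_code)
        elif name == "permit":
            return "permit"
        elif name == "reject":
            return "reject"
        elif name in ("defer", "defer_if_permit"):
            return "defer"               # defer_if_permit simplified to a plain defer
        else:
            raise ValueError("restriction not modelled here: " + name)
    return "permit"                      # end of list, nothing matched
```

Note the order dependence: with "permit_mynetworks, reject_unauth_destination" a client inside $mynetworks is permitted before the destination is examined, while "reject_unauth_destination, permit_mynetworks" rejects that same client's off-site recipients first. Both lists pass the safety check; "permit_mynetworks" alone does not.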
6022
6024 Request that the Postfix SMTP server rejects mail for unknown recipient
6025 addresses, even when no explicit reject_unlisted_recipient access restriction
6026 is specified. This prevents the Postfix queue from filling up with
6027 undeliverable MAILER-DAEMON messages. A recipient address is unknown when one of the following is true:
6028
6029 · The recipient domain matches $mydestination, $inet_interfaces or
6030 $proxy_interfaces, but the recipient is not listed in
6031 $local_recipient_maps, and $local_recipient_maps is not null.
6032
6033 · The recipient domain matches $virtual_alias_domains but the
6034 recipient is not listed in $virtual_alias_maps.
6035
6036 · The recipient domain matches $virtual_mailbox_domains but the
6037 recipient is not listed in $virtual_mailbox_maps, and
6038 $virtual_mailbox_maps is not null.
6039
6040 · The recipient domain matches $relay_domains but the recipient is
6041 not listed in $relay_recipient_maps, and $relay_recipient_maps
6042 is not null.
6043
6044 This feature is available in Postfix 2.1 and later.
6045
6047 Request that the Postfix SMTP server rejects mail from unknown sender
6048 addresses, even when no explicit reject_unlisted_sender access restriction
6049 is specified. This can slow down an explosion of forged mail from
6050 worms or viruses. A sender address is unknown when one of the following is true:
6051
6052 · The sender domain matches $mydestination, $inet_interfaces or
6053 $proxy_interfaces, but the sender is not listed in
6054 $local_recipient_maps, and $local_recipient_maps is not null.
6055
6056 · The sender domain matches $virtual_alias_domains but the sender
6057 is not listed in $virtual_alias_maps.
6058
6059 · The sender domain matches $virtual_mailbox_domains but the
6060 sender is not listed in $virtual_mailbox_maps, and
6061 $virtual_mailbox_maps is not null.
6062
6063 · The sender domain matches $relay_domains but the sender is not
6064 listed in $relay_recipient_maps, and $relay_recipient_maps is
6065 not null.
6066
6067 This feature is available in Postfix 2.1 and later.
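The following is an added example, not code from Postfix or from this manual page; it serves both the smtpd_reject_unlisted_recipient and the smtpd_reject_unlisted_sender descriptions above, which apply the same four "unlisted address" cases to the RCPT TO and MAIL FROM address respectively. The domain lists and lookup maps are constructed sample data, a "null" (unset) map is modelled as None, and the on/off defaults passed to smtpd_decision (recipient check on, sender check off) follow the Postfix defaults for these two parameters.

```python
"""Model of the "unlisted address" test behind smtpd_reject_unlisted_recipient
and smtpd_reject_unlisted_sender.

Added example, not Postfix code. Domain lists and maps are constructed; a
map set to None stands for a main.cf parameter that is empty ("null").
"""

# Constructed stand-ins for the main.cf domain lists.
MYDESTINATION = {"example.com"}
INET_INTERFACES = {"192.0.2.25"}
PROXY_INTERFACES = set()
VIRTUAL_ALIAS_DOMAINS = {"alias.example"}
VIRTUAL_MAILBOX_DOMAINS = {"vmail.example"}
RELAY_DOMAINS = {"relay.example"}

# Constructed lookup maps (the set of listed addresses in each).
LOCAL_RECIPIENT_MAPS = {"alice@example.com", "bob@example.com"}
VIRTUAL_ALIAS_MAPS = {"info@alias.example"}
VIRTUAL_MAILBOX_MAPS = {"carol@vmail.example"}
RELAY_RECIPIENT_MAPS = None   # null: every relay.example address passes this check


def _listed(address, maps):
    return address.lower() in {m.lower() for m in (maps or ())}


def domain_class(domain):
    """Which of the page's four domain classes a domain falls in, if any."""
    d = domain.lower()
    if d in MYDESTINATION or d in INET_INTERFACES or d in PROXY_INTERFACES:
        return "local"
    if d in VIRTUAL_ALIAS_DOMAINS:
        return "virtual_alias"
    if d in VIRTUAL_MAILBOX_DOMAINS:
        return "virtual_mailbox"
    if d in RELAY_DOMAINS:
        return "relay"
    return "other"


def is_unlisted(address):
    """True when the address hits one of the four reject cases on this page."""
    if "@" not in address:
        return False
    cls = domain_class(address.rsplit("@", 1)[1])
    if cls == "local":
        return LOCAL_RECIPIENT_MAPS is not None and not _listed(address, LOCAL_RECIPIENT_MAPS)
    if cls == "virtual_alias":
        # The page gives no "not null" escape for virtual_alias_maps:
        # an empty map means every address in the domain is unlisted.
        return not _listed(address, VIRTUAL_ALIAS_MAPS)
    if cls == "virtual_mailbox":
        return VIRTUAL_MAILBOX_MAPS is not None and not _listed(address, VIRTUAL_MAILBOX_MAPS)
    if cls == "relay":
        return RELAY_RECIPIENT_MAPS is not None and not _listed(address, RELAY_RECIPIENT_MAPS)
    return False   # not one of our domains: relay control, not this check, decides


def smtpd_decision(command, address,
                   reject_unlisted_recipient=True, reject_unlisted_sender=False):
    """"REJECT" or "DUNNO" for a RCPT TO ("RCPT") or MAIL FROM ("MAIL") address."""
    enabled = reject_unlisted_recipient if command == "RCPT" else reject_unlisted_sender
    return "REJECT" if enabled and is_unlisted(address) else "DUNNO"
```

The relay.example case shows why a populated relay_recipient_maps matters on a backup MX or relay host: with the map null, nothing at RCPT TO time tells an unknown relay.example recipient apart from a real one, so the message is accepted and bounced later.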
6068
6070 User-defined aliases for groups of access restrictions. The aliases can
6071 be specified in smtpd_recipient_restrictions etc., and on the right-
6072 hand side of a Postfix access(5) table.
6073
6074 One major application is for implementing per-recipient UCE control.
6075 See the RESTRICTION_CLASS_README document for other examples.
6076
6078 The application name used for SASL server initialization. This controls
6079 the name of the SASL configuration file. The default value is smtpd,
6080 corresponding to a SASL configuration file named smtpd.conf.
6081
6082 This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
6083 was renamed to smtpd_sasl_path.
6084
6086 Enable SASL authentication in the Postfix SMTP server. By default, the
6087 Postfix SMTP server does not use authentication.
6088
6089 If a remote SMTP client is authenticated, the permit_sasl_authenticated
6090 access restriction can be used to permit relay access, like this:
6091
6092 smtpd_recipient_restrictions =
6093 permit_mynetworks, permit_sasl_authenticated, ...
6094
6095 To reject all SMTP connections from unauthenticated clients, specify
6096 "smtpd_delay_reject = yes" (which is the default) and use:
6097
6098 smtpd_client_restrictions = permit_sasl_authenticated, reject
6099
6100 See the SASL_README file for SASL configuration and operation details.
6101
6103 Report the SASL authenticated user name in the smtpd(8) Received mes‐
6104 sage header.
6105
6106 This feature is available in Postfix 2.3 and later.
6107
6109 What SMTP clients Postfix will not offer AUTH support to.
6110
6111 Some clients (Netscape 4 at least) have a bug that causes them to
6112 require a login and password whenever AUTH is offered, whether it's
6113 necessary or not. To work around this, specify, for example,
6114 $mynetworks to prevent Postfix from offering AUTH to local clients.
6115
6116 Specify a list of network/netmask patterns, separated by commas and/or
6117 whitespace. The mask specifies the number of bits in the network part
6118 of a host address. You can also specify "/file/name" or "type:table" patterns.
6119 A "/file/name" pattern is replaced by its contents; a "type:table"
6120 lookup table is matched when a table entry matches a lookup string (the
6121 lookup result is ignored). Continue long lines by starting the next
6122 line with whitespace. Specify "!pattern" to exclude an address or net‐
6123 work block from the list. The form "!/file/name" is supported only in
6124 Postfix version 2.4 and later.
6125
6126 Note: IP version 6 address information must be specified inside [] in
6127 the smtpd_sasl_exceptions_networks value, and in files specified with
6128 "/file/name". IP version 6 addresses contain the ":" character, and
6129 would otherwise be confused with a "type:table" pattern.
6130
6131 Example:
6132
6133 smtpd_sasl_exceptions_networks = $mynetworks
6134
6135 This feature is available in Postfix 2.1 and later.
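The following is an added example, not code from Postfix or from this manual page. It parses a network list in the form described above (network/netmask and bare addresses, "!pattern" exclusions, "/file/name" inclusion with "!/file/name" negating the file's entries, "type:table" patterns, and IPv6 inside []) and then applies the first-matching-pattern rule to a client address. The file contents and the lookup table are constructed in-memory stand-ins, and the table lookup keys on the client address only (its result is ignored, as the text says). It also shows the failure mode the note warns about: an IPv6 address written without [] is taken for a "type:table" pattern.

```python
"""Parse and match a Postfix network list such as smtpd_sasl_exceptions_networks.

Added example, not Postfix code. Files and type:table lookups are served
from constructed in-memory dictionaries so the code runs offline.
"""
import ipaddress

# Constructed stand-ins for a file named by "/file/name" and a "type:table".
FAKE_FILES = {"/etc/postfix/sasl_exceptions": "10.0.0.0/8\n# internal\n[fd00::]/8\n"}
FAKE_TABLES = {"hash:/etc/postfix/sasl_exceptions_db": {"203.0.113.7"}}


def parse_network_list(value, files=FAKE_FILES):
    """Turn a network list into ordered (negated, kind, payload) entries.

    kind is "net" (an ipaddress network) or "table" (a "type:table" name).
    """
    entries = []
    for tok in value.replace(",", " ").split():
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:]
        if tok.startswith("/"):
            # "/file/name" is replaced by its contents; "!/file/name" negates
            # each pattern found in the file (Postfix 2.4 and later).
            lines = [l for l in files[tok].splitlines() if not l.lstrip().startswith("#")]
            for neg, kind, payload in parse_network_list(" ".join(lines), files):
                entries.append((neg != negated, kind, payload))
        elif tok.startswith("["):
            # IPv6 must be written as [address] or [address]/prefix.
            addr, _, prefix = tok[1:].partition("]")
            entries.append((negated, "net", ipaddress.ip_network(addr + prefix, strict=False)))
        elif ":" in tok:
            # Any other ":" marks a "type:table" pattern. A bare IPv6 address
            # lands here by mistake, which is why the [] form is required.
            entries.append((negated, "table", tok))
        else:
            # "address" or "network/netmask"; host bits are masked off here
            # (Postfix logs a warning when a pattern has them set).
            entries.append((negated, "net", ipaddress.ip_network(tok, strict=False)))
    return entries


def client_matches(entries, client_ip, tables=FAKE_TABLES):
    """First pattern that matches decides; a matching "!" pattern means no match."""
    ip = ipaddress.ip_address(client_ip)
    for negated, kind, payload in entries:
        if kind == "net":
            hit = ip.version == payload.version and ip in payload
        else:
            hit = client_ip in tables.get(payload, set())   # lookup result ignored
        if hit:
            return not negated
    return False


def offers_auth(exceptions_networks, client_ip):
    """True when the SMTP server would still advertise AUTH to this client."""
    return not client_matches(parse_network_list(exceptions_networks), client_ip)
```

Because the first matching pattern wins, an exclusion such as "!192.0.2.99" only has effect when it precedes the broader "192.0.2.0/24" pattern it carves the host out of.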
6136
6138 The name of the local SASL authentication realm.
6139
6140 By default, the local authentication realm name is the null string.
6141
6142 Examples:
6143
6144 smtpd_sasl_local_domain = $mydomain
6145 smtpd_sasl_local_domain = $myhostname
6146
6148 Implementation-specific information that is passed through to the SASL
6149 plug-in implementation that is selected with smtpd_sasl_type. Typi‐
6150 cally this specifies the name of a configuration file or rendezvous
6151 point.
6152
6153 This feature is available in Postfix 2.3 and later. In earlier releases
6154 it was called smtpd_sasl_application.
6155
6157 SASL security options; as of Postfix 2.3 the list of available features
6158 depends on the SASL server implementation that is selected with
6159 smtpd_sasl_type.
6160
6161 The following security features are defined for the cyrus server SASL
6162 implementation:
6163
6164 Restrict what authentication mechanisms the Postfix SMTP server will
6165 offer to the client. The list of available authentication mechanisms
6166 is system dependent.
6167
6168 Specify zero or more of the following:
6169
6170 noplaintext
6171 Disallow methods that use plaintext passwords.
6172
6173 noactive
6174 Disallow methods subject to active (non-dictionary) attack.
6175
6176 nodictionary
6177 Disallow methods subject to passive (dictionary) attack.
6178
6179 noanonymous
6180 Disallow methods that allow anonymous authentication.
6181
6182 mutual_auth
6183 Only allow methods that provide mutual authentication (not
6184 available with SASL version 1).
6185
6186 By default, the Postfix SMTP server accepts plaintext passwords but not
6187 anonymous logins.
6188
6189 Warning: it appears that clients try authentication methods in the
6190 order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
6191 which means that if you disable plaintext passwords, clients will log
6192 in anonymously, even when they should be able to use CRAM-MD5. So, if
6193 you disable plaintext logins, disable anonymous logins too. Postfix
6194 treats anonymous login as no authentication.
6195
6196 Example:
6197
6198 smtpd_sasl_security_options = noanonymous, noplaintext
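The following is an added example, not code from Postfix or Cyrus SASL. It applies noplaintext, noanonymous and nodictionary to an advertised mechanism list and then asks which mechanism a client that tries them in the advertised order ends up with, reproducing the warning above: "noplaintext" on its own leaves ANONYMOUS first in the list, and Postfix treats an anonymous login as no authentication. The mechanism property table is a constructed illustration (the real set comes from the SASL library), the default advertised order is the one quoted in the warning, and noactive and mutual_auth are not modelled.

```python
"""Why "noplaintext" without "noanonymous" is unsafe.

Added example, not Postfix or Cyrus SASL code. MECH_PROPERTIES is a
constructed illustration of which security property each mechanism fails;
a real server gets this from the SASL library.
"""

# Property a mechanism violates: "plaintext" sends a reusable password,
# "anonymous" needs no credentials, "dictionary" lets a passive observer
# run an offline guessing attack on the exchange.
MECH_PROPERTIES = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": {"dictionary"},
    "DIGEST-MD5": {"dictionary"},
}
OPTION_TO_PROPERTY = {
    "noplaintext": "plaintext",
    "noanonymous": "anonymous",
    "nodictionary": "dictionary",
}
# Advertised order as quoted in the warning on this page.
ADVERTISED_ORDER = ["PLAIN", "ANONYMOUS", "CRAM-MD5"]


def offered_mechanisms(security_options, advertised=ADVERTISED_ORDER):
    """Mechanisms left after applying a smtpd_sasl_security_options value."""
    banned = set()
    for opt in security_options.replace(",", " ").split():
        if opt not in OPTION_TO_PROPERTY:
            raise ValueError("security option not modelled here: " + opt)
        banned.add(OPTION_TO_PROPERTY[opt])
    return [m for m in advertised if not (MECH_PROPERTIES[m] & banned)]


def effective_authentication(security_options, advertised=ADVERTISED_ORDER):
    """(mechanism a naive client picks, whether Postfix counts it as authenticated).

    A client that tries mechanisms in the advertised order takes the first
    one offered; Postfix treats an ANONYMOUS login as no authentication.
    """
    offered = offered_mechanisms(security_options, advertised)
    chosen = offered[0] if offered else None
    return chosen, chosen is not None and chosen != "ANONYMOUS"
```

With the page's own example, "noanonymous, noplaintext", the only mechanism left is CRAM-MD5 and the session is authenticated; with "noplaintext" alone the client silently ends up anonymous, which permit_sasl_authenticated will not accept.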
6199
6201 The SASL authentication security options that the Postfix SMTP server
6202 uses for TLS encrypted SMTP sessions.
6203
6204 This feature is available in Postfix 2.2 and later.
6205
6207 The SASL plug-in type that the Postfix SMTP server should use for
6208 authentication. The available types are listed with the "postconf -a"
6209 command.
6210
6211 This feature is available in Postfix 2.3 and later.
6212
6214 Optional lookup table with the SASL login names that own sender (MAIL
6215 FROM) addresses.
6216
6217 Specify zero or more "type:table" lookup tables. With lookups from
6218 indexed files such as DB or DBM, or from networked tables such as NIS,
6219 LDAP or SQL, the following search operations are done with a sender
6220 address of user@domain:
6221
6222 1) user@domain
6223 This table lookup is always done and has the highest precedence.
6224
6225 2) user
6226 This table lookup is done only when the domain part of the
6227 sender address matches $myorigin, $mydestination,
6228 $inet_interfaces or $proxy_interfaces.
6229
6230 3) @domain
6231 This table lookup is done last and has the lowest precedence.
6232
6233 In all cases the result of table lookup must be either "not found" or a
6234 list of SASL login names separated by comma and/or whitespace.
6235
6237 Optional restrictions that the Postfix SMTP server applies in the con‐
6238 text of the MAIL FROM command.
6239
6240 The default is to permit everything.
6241
6242 Specify a list of restrictions, separated by commas and/or whitespace.
6243 Continue long lines by starting the next line with whitespace.
6244 Restrictions are applied in the order as specified; the first restric‐
6245 tion that matches wins.
6246
6247 The following restrictions are specific to the sender address received
6248 with the MAIL FROM command.
6249
6250 check_sender_access type:table
6251 Search the specified access(5) database for the MAIL FROM
6252 address, domain, parent domains, or localpart@, and execute the
6253 corresponding action.
6254
6255 check_sender_mx_access type:table
6256 Search the specified access(5) database for the MX hosts for the
6257 MAIL FROM address, and execute the corresponding action. Note:
6258 a result of "OK" is not allowed for safety reasons. Instead, use
6259 DUNNO in order to exclude specific hosts from blacklists. This
6260 feature is available in Postfix 2.1 and later.
6261
6262 check_sender_ns_access type:table
6263 Search the specified access(5) database for the DNS servers for
6264 the MAIL FROM address, and execute the corresponding action.
6265 Note: a result of "OK" is not allowed for safety reasons.
6266 Instead, use DUNNO in order to exclude specific hosts from
6267 blacklists. This feature is available in Postfix 2.1 and later.
6268
6269 reject_authenticated_sender_login_mismatch
6270 Enforces the reject_sender_login_mismatch restriction for
6271 authenticated clients only. This feature is available in Postfix
6272 version 2.1 and later.
6273
6274 reject_non_fqdn_sender
6275 Reject the request when the MAIL FROM address is not in fully-
6276 qualified domain form, as required by the RFC.
6277 The non_fqdn_reject_code parameter specifies the response code
6278 to rejected requests (default: 504).
6279
6280 reject_rhsbl_sender rbl_domain=d.d.d.d
6281 Reject the request when the MAIL FROM domain is listed with the
6282 A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
6283 later only). If no "=d.d.d.d" is specified, reject the request
6284 when the MAIL FROM domain is listed with any A record under
6285 rbl_domain.
6286 The maps_rbl_reject_code parameter specifies the response code
6287 for rejected requests (default: 554); the default_rbl_reply
6288 parameter specifies the default server reply; and the
6289 rbl_reply_maps parameter specifies tables with server replies
6290 indexed by rbl_domain. This feature is available in Postfix 2.0
6291 and later.
6292
6293 reject_sender_login_mismatch
6294 Reject the request when $smtpd_sender_login_maps specifies an
6295 owner for the MAIL FROM address, but the client is not (SASL)
6296 logged in as that MAIL FROM address owner; or when the client is
6297 (SASL) logged in, but the client login name doesn't own the MAIL
6298 FROM address according to $smtpd_sender_login_maps.
6299
6300 reject_unauthenticated_sender_login_mismatch
6301 Enforces the reject_sender_login_mismatch restriction for unau‐
6302 thenticated clients only. This feature is available in Postfix
6303 version 2.1 and later.
6304
6305 reject_unknown_sender_domain
6306 Reject the request when Postfix is not final destination for the
6307 sender address, and the MAIL FROM address has no DNS A or MX
6308 record, or when it has a malformed MX record such as a record
6309 with a zero-length MX hostname (Postfix version 2.3 and later).
6310 The unknown_address_reject_code parameter specifies the response
6311 code for rejected requests (default: 450). The response is
6312 always 450 in case of a temporary DNS error.
6313
6314 reject_unlisted_sender
6315 Reject the request when the MAIL FROM address is not listed in
6316 the list of valid recipients for its domain class. See the
6317 smtpd_reject_unlisted_sender parameter description for details.
6318 This feature is available in Postfix 2.1 and later.
6319
6320 reject_unverified_sender
6321 Reject the request when mail to the MAIL FROM address is known
6322 to bounce, or when the sender address destination is not reach‐
6323 able. Address verification information is managed by the
6324 verify(8) server; see the ADDRESS_VERIFICATION_README file for
6325 details.
6326 The unverified_sender_reject_code parameter specifies the
6327 response when an address is known to bounce (default: 450,
6328 change into 550 when you are confident that it is safe to do
6329 so). Postfix replies with 450 when an address probe failed due
6330 to a temporary problem. This feature is available in Postfix
6331 2.1 and later.
6332
6333 Other restrictions that are valid in this context:
6334
6335 · Generic restrictions that can be used in any SMTP command con‐
6336 text, described under smtpd_client_restrictions.
6337
6338 · SMTP command specific restrictions described under
6339 smtpd_client_restrictions and smtpd_helo_restrictions.
6340
6341 · SMTP command specific restrictions described under
6342 smtpd_recipient_restrictions. When recipient restrictions are listed under
6343 smtpd_sender_restrictions, they have effect only with
6344 "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions
6345 is evaluated at the time of the RCPT TO command.
6346
6347 Examples:
6348
6349 smtpd_sender_restrictions = reject_unknown_sender_domain
6350 smtpd_sender_restrictions = reject_unknown_sender_domain,
6351 check_sender_access hash:/etc/postfix/access
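The following is an added example, not code from Postfix or from this manual page; it serves the smtpd_sender_login_maps description above (the three-step lookup order: user@domain always, user only for $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces domains, @domain last) and the reject_sender_login_mismatch family of restrictions. The map contents, domain lists and SASL login names are constructed sample data; a real deployment reads them from main.cf and from the configured type:table.

```python
"""How the sender-ownership restrictions decide, following the lookup order
this page gives for smtpd_sender_login_maps.

Added example, not Postfix code. Map contents, domain lists and SASL logins
are constructed sample data.
"""

# Constructed stand-ins for main.cf settings.
MYORIGIN = "example.com"
MYDESTINATION = {"example.com", "mail.example.com"}
INET_INTERFACES = {"192.0.2.25"}
PROXY_INTERFACES = set()

# Constructed smtpd_sender_login_maps content: key -> SASL login names.
SENDER_LOGIN_MAP = {
    "alice@example.com": "alice",
    "sales@example.com": "alice, bob",   # several owners, comma/space separated
    "bob": "bob",                        # bare user key: local domains only
    "@example.org": "bob",               # whole-domain key: lowest precedence
}


def sender_owners(sender):
    """Return the set of login names owning sender, or None when not found."""
    if "@" not in sender:
        return None                      # null sender / bare names: not looked up here
    user, domain = sender.rsplit("@", 1)
    domain = domain.lower()
    keys = [f"{user}@{domain}"]          # 1) always, highest precedence
    if (domain == MYORIGIN or domain in MYDESTINATION
            or domain in INET_INTERFACES or domain in PROXY_INTERFACES):
        keys.append(user)                # 2) only for "our" domains
    keys.append("@" + domain)            # 3) last, lowest precedence
    for key in keys:
        if key in SENDER_LOGIN_MAP:
            return set(SENDER_LOGIN_MAP[key].replace(",", " ").split())
    return None


def sender_login_mismatch(sender, sasl_login):
    """True when reject_sender_login_mismatch would reject this MAIL FROM.

    sasl_login is None for a client that did not authenticate.
    """
    owners = sender_owners(sender)
    if sasl_login is None:
        # An unauthenticated client may not use an address that has an owner.
        return owners is not None
    # An authenticated client must be listed as owner of the address it uses;
    # an address with no owner at all is "not owned" by that login either.
    return owners is None or sasl_login not in owners


MISMATCH_RESTRICTIONS = ("reject_sender_login_mismatch",
                         "reject_authenticated_sender_login_mismatch",
                         "reject_unauthenticated_sender_login_mismatch")


def restriction_result(restriction, sender, sasl_login):
    """Model the three spellings of the restriction: "REJECT" or "DUNNO"."""
    if restriction not in MISMATCH_RESTRICTIONS:
        raise ValueError("not a sender login mismatch restriction: " + restriction)
    authenticated = sasl_login is not None
    if restriction == "reject_authenticated_sender_login_mismatch" and not authenticated:
        return "DUNNO"
    if restriction == "reject_unauthenticated_sender_login_mismatch" and authenticated:
        return "DUNNO"
    return "REJECT" if sender_login_mismatch(sender, sasl_login) else "DUNNO"
```

The precedence matters for spoofing control: "bob@example.com" is owned through the bare "bob" key because example.com is a local domain, but the same bare key does nothing for "bob@example.org", which is owned only through the "@example.org" entry.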
6352
6354 The number of errors a remote SMTP client is allowed to make without
6355 delivering mail before the Postfix SMTP server slows down all its
6356 responses.
6357
6358 · With Postfix version 2.1 and later, the Postfix SMTP server
6359 delays all responses by $smtpd_error_sleep_time seconds.
6360
6361 · With Postfix versions 2.0 and earlier, the Postfix SMTP server
6362 delays all responses by (number of errors) seconds.
6363
6365 The time limit for Postfix SMTP server write and read operations during
6366 TLS startup and shutdown handshake procedures.
6367
6368 This feature is available in Postfix 2.2 and later.
6369
6371 The time limit for sending a Postfix SMTP server response and for
6372 receiving a remote SMTP client request.
6373
6374 Note: if you set SMTP time limits to very large values you may have to
6375 update the global ipc_timeout parameter.
6376
6377 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6378 The default time unit is s (seconds).
6379
6381 The file with the certificate of the certification authority (CA) that
6382 issued the Postfix SMTP server certificate. This is needed only when
6383 the CA certificate is not already present in the server certificate
6384 file. This file may also contain the CA certificates of other trusted
6385 CAs. You must use this file for the list of trusted CAs if you want to
6386 use chroot-mode.
6387
6388 Example:
6389
6390 smtpd_tls_CAfile = /etc/postfix/CAcert.pem
6391
6392 This feature is available in Postfix 2.2 and later.
6393
6395 Directory with PEM format certificate authority certificates that the
6396 Postfix SMTP server offers to remote SMTP clients for the purpose of
6397 client certificate verification. Do not forget to create the necessary
6398 "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash
6399 /etc/postfix/certs".
6400
6401 To use this option in chroot mode, this directory (or a copy) must be
6402 inside the chroot jail. Please note that in this case the CA certifi‐
6403 cates are not offered to the client, so that e.g. Netscape clients
6404 might not offer certificates issued by them. Use of this feature is
6405 therefore not recommended.
6406
6407 Example:
6408
6409 smtpd_tls_CApath = /etc/postfix/certs
6410
6411 This feature is available in Postfix 2.2 and later.
6412
6414 Force the Postfix SMTP server to issue a TLS session id, even when TLS
6415 session caching is turned off (smtpd_tls_session_cache_database is
6416 empty). This behavior is compatible with Postfix < 2.3.
6417
6418 With Postfix 2.3 and later the Postfix SMTP server can disable session
6419 id generation when TLS session caching is turned off. This keeps
6420 clients from caching sessions that almost certainly cannot be re-used.
6421
6422 By default, the Postfix SMTP server always generates TLS session ids.
6423 This works around a known defect in mail client applications such as MS
6424 Outlook, and may also prevent interoperability issues with other MTAs.
6425
6426 Example:
6427 smtpd_tls_always_issue_session_ids = no
6428
6429 This feature is available in Postfix 2.3 and later.
6430
6432 Ask a remote SMTP client for a client certificate. This information is
6433 needed for certificate based mail relaying with, for example, the per‐
6434 mit_tls_clientcerts feature.
6435
6436 Some clients such as Netscape will either complain if no certificate is
6437 available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
6438 tiple client certificates to choose from. This may be annoying, so this
6439 option is "off" by default.
6440
6441 This feature is available in Postfix 2.2 and later.
6442
6444 When TLS encryption is optional in the Postfix SMTP server, do not
6445 announce or accept SASL authentication over unencrypted connections.
6446
6447 This feature is available in Postfix 2.2 and later.
6448
6450 The verification depth for remote SMTP client certificates. A depth of
6451 1 is sufficient if the issuing CA is listed in a local CA file. The
6452 default value should also suffice for longer chains (the root CA issues
6453 a special CA which then issues the actual certificate...).
6454
6455 This feature is available in Postfix 2.2 and later.
6456
6458 File with the Postfix SMTP server RSA certificate in PEM format. This
6459 file may also contain the Postfix SMTP server private RSA key.
6460
6461 Public Internet MX hosts without certificates signed by a "reputable"
6462 CA must generate, and be prepared to present to most clients, a self-
6463 signed or private-CA signed certificate. The client will not be able to
6464 authenticate the server, but unless it is running Postfix 2.3 or simi‐
6465 lar software, it will still insist on a server certificate.
6466
6467 For servers that are not public Internet MX hosts, Postfix 2.3 supports
6468 configurations with no certificates. This entails the use of just the
6469 anonymous TLS ciphers, which are not supported by typical SMTP clients.
6470 Since such clients will not, as a rule, fall back to plain text after a
6471 TLS handshake failure, the server will be unable to receive email from
6472 TLS enabled clients. To avoid accidental configurations with no cer‐
6473 tificates, Postfix 2.3 enables certificate-less operation only when the
6474 administrator explicitly sets "smtpd_tls_cert_file = none". This
6475 ensures that new Postfix configurations will not accidentally run with
6476 no certificates.
6477
6478 Both RSA and DSA certificates are supported. When both types are
6479 present, the cipher used determines which certificate will be presented
6480 to the client. For Netscape and OpenSSL clients without special cipher
6481 choices the RSA certificate is preferred.
6482
6483 In order to verify a certificate, the CA certificate (in case of a cer‐
6484 tificate chain, all CA certificates) must be available. You should add
6485 these certificates to the server certificate, the server certificate
6486 first, then the issuing CA(s).
6487
6488 Example: the certificate for "server.dom.ain" was issued by "intermediate
6489 CA" which itself has a certificate of "root CA". Create the server.pem
6490 file with
6491 "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem".
6492
6493 If you also want to verify client certificates issued by these CAs, you
6494 can add the CA certificates to the smtpd_tls_CAfile, in which case it
6495 is not necessary to have them in the smtpd_tls_cert_file or
6496 smtpd_tls_dcert_file.
6497
6498 A certificate supplied here must be usable as an SSL server certificate
6499 and hence pass the "openssl verify -purpose sslserver ..." test.
6500
6501 Example:
6502
6503 smtpd_tls_cert_file = /etc/postfix/server.pem
6504
6505 This feature is available in Postfix 2.2 and later.
6506
6508 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
6509 list. It is easy to create inter-operability problems by choosing a
6510 non-default cipher list. Do not use a non-default TLS cipherlist for MX
6511 hosts on the public Internet. Clients that begin the TLS handshake, but
6512 are unable to agree on a common cipher, may not be able to send any
6513 email to the SMTP server. Using a restricted cipher list may be more
6514 appropriate for a dedicated MSA or an internal mailhub, where one can
6515 exert some control over the TLS software and settings of the connecting
6516 clients.
6517
6518 Note: do not use "" quotes around the parameter value.
6519
6520 This feature is available with Postfix version 2.2. It is not used with
6521 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
6522
6524 File with the Postfix SMTP server DSA certificate in PEM format. This
6525 file may also contain the Postfix SMTP server private key.
6526
6527 See the discussion under smtpd_tls_cert_file for more details.
6528
6529 Example:
6530
6531 smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
6532
6533 This feature is available in Postfix 2.2 and later.
6534
6536 File with DH parameters that the Postfix SMTP server should use with
6537 EDH ciphers.
6538
6539 Instead of using the exact same parameter sets as distributed with
6540 other TLS packages, it is more secure to generate your own set of
6541 parameters with something like the following command:
6542
6543 openssl gendh -out /etc/postfix/dh_1024.pem -2 -rand /var/run/egd-pool 1024
6544
6545 Your actual source for entropy may differ. Some systems have
6546 /dev/random; on other systems you may consider using the "Entropy
6547 Gathering Daemon EGD", available at http://egd.sourceforge.net/
6548
6549 Example:
6550
6551 smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
6552
6553 This feature is available with Postfix version 2.2.
6554
6556 File with DH parameters that the Postfix SMTP server should use with
6557 EDH ciphers.
6558
6559 See also the discussion under the smtpd_tls_dh1024_param_file configu‐
6560 ration parameter.
6561
6562 Example:
6563
6564 smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
6565
6566 This feature is available with Postfix version 2.2.
6567
6569 File with the Postfix SMTP server DSA private key in PEM format. This
6570 file may be combined with the Postfix SMTP server DSA certificate file
6571 specified with $smtpd_tls_dcert_file.
6572
6573 The private key must be accessible without a pass-phrase, i.e. it must
6574 not be encrypted, but file permissions should grant read/write access
6575 only to the system superuser account ("root").
6576
6577 This feature is available in Postfix 2.2 and later.
6578
6580 List of ciphers or cipher types to exclude from the SMTP server cipher
6581 list at all TLS security levels. Excluding valid ciphers can create
6582 interoperability problems. DO NOT exclude ciphers unless it is essen‐
6583 tial to do so. This is not an OpenSSL cipherlist; it is a simple list
6584 separated by whitespace and/or commas. The elements are a single
6585 cipher, or one or more "+" separated cipher properties, in which case
6586 only ciphers matching all the properties are excluded.
6587
6588 Examples (some of these will cause problems):
6589
6590 smtpd_tls_exclude_ciphers = aNULL
6591 smtpd_tls_exclude_ciphers = MD5, DES
6592 smtpd_tls_exclude_ciphers = DES+MD5
6593 smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
6594 smtpd_tls_exclude_ciphers = kEDH+aRSA
6595
6596 The first setting disables anonymous ciphers. The next setting disables
6597 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
6598 tion algorithm. The next setting disables ciphers that use MD5 and DES
6599 together. The next setting disables the two ciphers "AES256-SHA" and
6600 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
6601 exchange with RSA authentication.
6602
6603 This feature is available in Postfix 2.3 and later.
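
The matching rules above (elements separated by whitespace and/or commas; each element either a cipher name or "+"-joined properties that must all hold) modelled in Python over a constructed cipher table, as an added example that is not Postfix code. Postfix itself hands the exclusions to OpenSSL, whereas this re-implements the documented semantics so the five example settings can be checked offline; the cipher table and the property-to-attribute mapping are constructed for the example and cover only the properties named on the page (plus 3DES, to show it is distinct from single DES).

```python
"""Model of the smtpd_tls_exclude_ciphers matching rules.

Added example, not Postfix code: Postfix passes the exclusions to
OpenSSL as part of its cipherlist; this re-implements the documented
semantics over a small constructed cipher table.
"""
import re

# Constructed sample lines in the layout of "openssl ciphers -v" output
# (name, protocol, key exchange, authentication, encryption, MAC).
SAMPLE_CIPHERS_V = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# Cipher "properties" used in the page's examples, mapped to the cipher
# attribute they constrain. Constructed for this example; only the
# properties needed here are modelled.
PROPERTIES = {
    "aNULL": ("Au", "None"),   # anonymous: no authentication
    "aRSA":  ("Au", "RSA"),    # RSA authentication
    "kEDH":  ("Kx", "DH"),     # ephemeral DH key exchange
    "MD5":   ("Mac", "MD5"),   # MD5 digest
    "DES":   ("Enc", "DES"),   # single DES; 3DES is a distinct property
    "3DES":  ("Enc", "3DES"),
}


def parse_ciphers_v(text):
    """Turn "openssl ciphers -v" style lines into {name: {attr: value}}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        attrs = {}
        for field in fields[2:]:
            key, _, value = field.partition("=")
            # Drop the key size, e.g. "AES(256)" -> "AES".
            attrs[key] = re.sub(r"\(.*\)$", "", value)
        table[fields[0]] = attrs
    return table


def parse_exclude_list(value):
    """Split a main.cf value on whitespace and/or commas into elements."""
    return [e for e in re.split(r"[\s,]+", value.strip()) if e]


def element_matches(element, name, attrs):
    """One element is either a single cipher name, or '+'-separated
    properties that must all hold for the cipher to be excluded."""
    if element in PROPERTIES or "+" in element:
        for prop in element.split("+"):
            if prop not in PROPERTIES:
                raise ValueError("unknown cipher property: " + prop)
            attr, wanted = PROPERTIES[prop]
            if attrs.get(attr) != wanted:
                return False
        return True
    return element == name


def excluded_ciphers(exclude_value, ciphers_v=SAMPLE_CIPHERS_V):
    """Sorted names of the ciphers removed by an exclude-list value."""
    table = parse_ciphers_v(ciphers_v)
    elements = parse_exclude_list(exclude_value)
    return sorted(
        name for name, attrs in table.items()
        if any(element_matches(e, name, attrs) for e in elements)
    )


if __name__ == "__main__":
    # The five settings from the examples above, applied to the sample table.
    for setting in ["aNULL", "MD5, DES", "DES+MD5",
                    "AES256-SHA, DES-CBC3-MD5", "kEDH+aRSA"]:
        print("%-26s -> %s" % (setting, ", ".join(excluded_ciphers(setting))))
```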
6604
6606 File with the Postfix SMTP server RSA private key in PEM format. This
6607 file may be combined with the Postfix SMTP server certificate file
6608 specified with $smtpd_tls_cert_file.
6609
6610 The private key must be accessible without a pass-phrase, i.e. it must
6611 not be encrypted, but file permissions should grant read/write access
6612 only to the system superuser account ("root").
6613
6615 Enable additional Postfix SMTP server logging of TLS activity. Each
6616 logging level also includes the information that is logged at a lower
6617 logging level.
6618
6619 0 Disable logging of TLS activity.
6620
6621 1 Log TLS handshake and certificate information.
6622
6623 2 Log levels during TLS negotiation.
6624
6625 3 Log hexadecimal and ASCII dump of TLS negotiation process.
6626
6627 4 Also log hexadecimal and ASCII dump of complete transmission
6628 after STARTTLS.
6629
6630 Use "smtpd_tls_loglevel = 3" only in case of problems. Use of loglevel
6631 4 is strongly discouraged.
6632
6633 This feature is available in Postfix 2.2 and later.
6634
6636 The minimum TLS cipher grade that the Postfix SMTP server will use with
6637 mandatory TLS encryption. Cipher types listed in smtpd_tls_manda‐
6638 tory_exclude_ciphers or smtpd_tls_exclude_ciphers are excluded from the
6639 base definition of the selected cipher grade. With opportunistic TLS
6640 encryption, the "export" grade is used unconditionally with exclusions
6641 specified only via smtpd_tls_exclude_ciphers.
6642
6643 The following cipher grades are supported:
6644
6645 export Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
6646 This is the most appropriate setting for public MX hosts, and is
6647 always used with opportunistic TLS encryption. The underlying
6648 cipherlist is specified via the tls_export_cipherlist configura‐
6649 tion parameter, which you are strongly encouraged to not change.
6650 The default value of tls_export_cipherlist includes anonymous
6651 ciphers, but these are automatically filtered out if the server
6652 is configured to ask for client certificates. If you must always
6653 exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
6654 aNULL". To exclude anonymous ciphers only when TLS is enforced,
6655 set "smtpd_tls_mandatory_exclude_ciphers = aNULL".
6656
6657 low Enable the mainstream "LOW" grade or better OpenSSL ciphers. The
6658 underlying cipherlist is specified via the tls_low_cipherlist
6659 configuration parameter, which you are strongly encouraged to
6660 not change. The default value of tls_low_cipherlist includes
6661 anonymous ciphers, but these are automatically filtered out if
6662 the server is configured to ask for client certificates. If you
6663 must always exclude anonymous ciphers, set
6664 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous
6665 ciphers only when TLS is enforced, set "smtpd_tls_manda‐
6666 tory_exclude_ciphers = aNULL".
6667
6668 medium Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers.
6669 These are essentially the 128-bit or stronger ciphers. This is
6670 the default minimum strength for mandatory TLS encryption. MSAs
6671 that enforce TLS and have clients that do not support any
6672 "MEDIUM" or "HIGH" grade ciphers, may need to configure a weaker
6673 ("low" or "export") minimum cipher grade. The underlying
6674 cipherlist is specified via the tls_medium_cipherlist configura‐
6675 tion parameter, which you are strongly encouraged to not change.
6676 The default value of tls_medium_cipherlist includes anonymous
6677 ciphers, but these are automatically filtered out if the server
6678 is configured to ask for client certificates. If you must always
6679 exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
6680 aNULL". To exclude anonymous ciphers only when TLS is enforced,
6681 set "smtpd_tls_mandatory_exclude_ciphers = aNULL".
6682
6683 high Enable only the mainstream "HIGH" grade OpenSSL ciphers. The
6684 underlying cipherlist is specified via the tls_high_cipherlist
6685 configuration parameter, which you are strongly encouraged to
6686 not change. The default value of tls_high_cipherlist includes
6687 anonymous ciphers, but these are automatically filtered out if
6688 the server is configured to ask for client certificates. If you
6689 must always exclude anonymous ciphers, set
6690 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous
6691 ciphers only when TLS is enforced, set "smtpd_tls_manda‐
6692 tory_exclude_ciphers = aNULL".
6693
6694 null Enable only the "NULL" OpenSSL ciphers; these provide
6695 authentication without encryption. This setting is only appropriate in
6696 the rare case that all clients are prepared to use NULL ciphers
6697 (not normally enabled in TLS clients). The underlying cipherlist
6698 is specified via the tls_null_cipherlist configuration parame‐
6699 ter, which you are strongly encouraged to not change. The
6700 default value of tls_null_cipherlist excludes anonymous ciphers
6701 (OpenSSL 0.9.8 has NULL ciphers that offer data integrity with‐
6702 out encryption or authentication).
6703
6704 This feature is available in Postfix 2.3 and later.
6705
6707 Additional list of ciphers or cipher types to exclude from the SMTP
6708 server cipher list at mandatory TLS security levels. This list works in
6709 addition to the exclusions listed with smtpd_tls_exclude_ciphers (see
6710 there for syntax details).
6711
6712 This feature is available in Postfix 2.3 and later.
6713
6715 The TLS protocols accepted by the Postfix SMTP server with mandatory
6716 TLS encryption. With opportunistic TLS encryption, all protocols are
6717 always accepted. If the list is empty, the server supports all avail‐
6718 able TLS protocol versions. A non-empty value is a list of protocol
6719 names separated by whitespace, commas or colons. The supported protocol
6720 names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.
6721
6722 Example:
6723
6724 smtpd_tls_mandatory_protocols = SSLv3, TLSv1
6725
6726 This feature is available in Postfix 2.3 and later.
6727
6729 Request that the Postfix SMTP server produce Received: message
6730 headers that include information about the protocol and cipher used, as
6731 well as the client CommonName and client certificate issuer CommonName.
6732 This is disabled by default, as the information may be modified in
6733 transit through other mail servers. Only information that was recorded
6734 by the final destination can be trusted.
6735
6736 This feature is available in Postfix 2.2 and later.
6737
6739 With mandatory TLS encryption, require a remote SMTP client certificate
6740 in order to allow TLS connections to proceed. This option implies
6741 "smtpd_tls_ask_ccert = yes".
6742
6743 When TLS encryption is optional, this setting is ignored with a warning
6744 written to the mail log.
6745
6746 This feature is available in Postfix 2.2 and later.
6747
6749 The SMTP TLS security level for the Postfix SMTP server; when a non-
6750 empty value is specified, this overrides the obsolete parameters
6751 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
6752 "smtpd_tls_wrappermode = yes".
6753
6754 Specify one of the following security levels:
6755
6756 none TLS will not be used.
6757
6758 may Opportunistic TLS: announce STARTTLS support to SMTP clients,
6759 but do not require that clients use TLS encryption.
6760
6761 encrypt
6762 Mandatory TLS encryption: announce STARTTLS support to SMTP
6763 clients, and require that clients use TLS encryption. According
6764 to RFC 2487 this MUST NOT be applied in case of a publicly-ref‐
6765 erenced SMTP server. Instead, this option should be used only on
6766 dedicated servers.
6767
6768 Note 1: the "verify" and "secure" levels are not supported. The Post‐
6769 fix SMTP server logs a warning and uses "encrypt" instead. To verify
6770 SMTP client certificates, see TLS_README for a discussion of the
6771 smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
6772 features.
6773
6774 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
6775 implies "smtpd_tls_auth_only = yes".
6776
6777 Note 3: when invoked via "sendmail -bs", Postfix will never offer
6778 STARTTLS due to insufficient privileges to access the server private
6779 key. This is intended behavior.
6780
6781 This feature is available in Postfix 2.3 and later.
6782
6784 Name of the file containing the optional Postfix SMTP server TLS
6785 session cache. Specify a database type that supports enumeration, such
6786 as btree or sdbm; there is no need to support concurrent access. The
6787 file is created if it does not exist. The smtpd(8) daemon does not use
6788 this parameter directly; rather, the cache is implemented indirectly in
6789 the tlsmgr(8) daemon. This means that per-smtpd-instance master.cf
6790 overrides of this parameter are not effective. Note that each of the
6791 cache databases supported by the tlsmgr(8) daemon
6792 ($smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
6793 and, with Postfix 2.3 and later, $lmtp_session_cache_database) must be
6794 stored separately; it is not at this time possible to store multiple
6794 caches in a single database.
6795
6796 Note: dbm databases are not suitable. TLS session objects are too
6797 large.
6798
6799 Example:
6800
6801 smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_scache
6802
6803 This feature is available in Postfix 2.2 and later.
6804
6806 The expiration time of Postfix SMTP server TLS session cache informa‐
6807 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
6808 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
6809 this parameter is implemented in the tlsmgr(8) daemon and therefore
6810 per-smtpd-instance master.cf overrides are not possible.
6811
6812 This feature is available in Postfix 2.2 and later.
6813
6815 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
6816 of using the STARTTLS command.
6817
6818 If you want to support this service, enable a special port in mas‐
6819 ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
6820 command line. Port 465 (smtps) was once chosen for this purpose.
6821
6822 This feature is available in Postfix 2.2 and later.
6823
6825 Opportunistic TLS: announce STARTTLS support to SMTP clients, but do
6826 not require that clients use TLS encryption.
6827
6828 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
6829 TLS due to insufficient privileges to access the server private key.
6830 This is intended behavior.
6831
6832 This feature is available in Postfix 2.2 and later. With Postfix 2.3
6833 and later use smtpd_tls_security_level instead.
6834
6836 Safety net to keep mail queued that would otherwise be returned to the
6837 sender. This parameter disables locally-generated bounces, and pre‐
6838 vents the Postfix SMTP server from rejecting mail permanently, by
6839 changing 5xx reply codes into 4xx. However, soft_bounce is no cure for
6840 address rewriting mistakes or mail routing mistakes.
6841
6842 Example:
6843
6844 soft_bounce = yes
6845
6847 The time after which a stale exclusive mailbox lockfile is removed.
6848 This is used for delivery to file or mailbox.
6849
6850 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6851 The default time unit is s (seconds).
6852
6854 Reject mail with 8-bit text in message headers. This blocks mail from
6855 poorly written applications.
6856
6857 This feature should not be enabled on a general purpose mail server,
6858 because it is likely to reject legitimate email.
6859
6860 This feature is available in Postfix 2.0 and later.
6861
6863 Enable both strict_7bit_headers and strict_8bitmime_body.
6864
6865 This feature should not be enabled on a general purpose mail server,
6866 because it is likely to reject legitimate email.
6867
6868 This feature is available in Postfix 2.0 and later.
6869
6871 Reject 8-bit message body text without 8-bit MIME content encoding
6872 information. This blocks mail from poorly written applications.
6873
6874 Unfortunately, this also rejects majordomo approval requests when the
6875 included request contains valid 8-bit MIME mail, and it rejects bounces
6876 from mailers that do not MIME encapsulate 8-bit content (for example,
6877 bounces from qmail or from old versions of Postfix).
6878
6879 This feature should not be enabled on a general purpose mail server,
6880 because it is likely to reject legitimate email.
6881
6882 This feature is available in Postfix 2.0 and later.
6883
6885 Reject mail with invalid Content-Transfer-Encoding: information for the
6886 message/* or multipart/* MIME content types. This blocks mail from
6887 poorly written software.
6888
6889 This feature should not be enabled on a general purpose mail server,
6890 because it will reject mail after a single violation.
6891
6892 This feature is available in Postfix 2.0 and later.
6893
6895 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
6896 are enclosed with <>, and that those addresses do not contain RFC 822
6897 style comments or phrases. This stops mail from poorly written soft‐
6898 ware.
6899
6900 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
6901 and RCPT TO addresses.
6902
6904 Obsolete SUN mailtool compatibility feature. Instead, use "mail‐
6905 box_delivery_lock = dotlock".
6906
6908 Enable the rewriting of "site!user" into "user@site". This is neces‐
6909 sary if your machine is connected to UUCP networks. It is enabled by
6910 default.
6911
6912 Note: with Postfix version 2.2, message header address rewriting hap‐
6913 pens only when one of the following conditions is true:
6914
6915 · The message is received with the Postfix sendmail(1) command,
6916
6917 · The message is received from a network client that matches
6918 $local_header_rewrite_clients,
6919
6920 · The message is received from the network, and the
6921 remote_header_rewrite_domain parameter specifies a non-empty
6922 value.
6923
6924 To get the behavior before Postfix version 2.2, specify
6925 "local_header_rewrite_clients = static:all".
6926
6927 Example:
6928
6929 swap_bangpath = no
6930
6932 The syslog facility of Postfix logging. Specify a facility as defined
6933 in syslog.conf(5). The default facility is "mail".
6934
6935 Warning: a non-default syslog_facility setting takes effect only after
6936 a Postfix process has completed initialization. Errors during process
6937 initialization will be logged with the default facility. Examples are
6938 errors while parsing the command line arguments, and errors while
6939 accessing the Postfix main.cf configuration file.
6940
6942 The mail system name that is prepended to the process name in syslog
6943 records, so that "smtpd" becomes, for example, "postfix/smtpd".
6944
6945 Warning: a non-default syslog_name setting takes effect only after a
6946 Postfix process has completed initialization. Errors during process
6947 initialization will be logged with the default name. Examples are
6948 errors while parsing the command line arguments, and errors while
6949 accessing the Postfix main.cf configuration file.
6950
6952 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
6953 requests from the tlsmgr(8) server in order to seed its internal pseudo
6954 random number generator (PRNG). The default of 32 bytes (equivalent to
6955 256 bits) is sufficient to generate a 128-bit (or 168-bit) session key.
6956
6957 This feature is available in Postfix 2.2 and later.
6958
6960 The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
6961 defines the meaning of the "export" setting in smtpd_tls_manda‐
6962 tory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_manda‐
6963 tory_ciphers. This is the cipherlist for the opportunistic ("may") TLS
6964 client security level and is the default cipherlist for the SMTP
6965 server. You are strongly encouraged to not change this setting.
6966
6967 This feature is available in Postfix 2.3 and later.
6968
6970 The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the mean‐
6971 ing of the "high" setting in smtpd_tls_mandatory_ciphers,
6972 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
6973 strongly encouraged to not change this setting.
6974
6975 This feature is available in Postfix 2.3 and later.
6976
6978 The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
6979 the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
6980 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
6981 strongly encouraged to not change this setting.
6982
6983 This feature is available in Postfix 2.3 and later.
6984
6986 The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
6987 defines the meaning of the "medium" setting in smtpd_tls_manda‐
6988 tory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_manda‐
6989 tory_ciphers. This is the default cipherlist for mandatory TLS encryp‐
6990 tion in the TLS client (with anonymous ciphers disabled when verifying
6991 server certificates). You are strongly encouraged to not change this
6992 setting.
6993
6994 This feature is available in Postfix 2.3 and later.
6995
6997 The OpenSSL cipherlist for "NULL" grade ciphers that provide
6998 authentication without encryption. This defines the meaning of the "null"
6999 setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
7000 lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change
7001 this setting.
7002
7003 This feature is available in Postfix 2.3 and later.
7004
7006 The number of bytes that tlsmgr(8) reads from $tls_random_source when
7007 (re)seeding the in-memory pseudo random number generator (PRNG) pool.
7008 The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
7009 keys. If using EGD or a device file, a maximum of 255 bytes is read.
7010
7011 This feature is available in Postfix 2.2 and later.
7012
7014 Name of the pseudo random number generator (PRNG) state file that is
7015 maintained by tlsmgr(8). The file is created when it does not exist,
7016 and its length is fixed at 1024 bytes.
7017
7018 Since this file is modified by Postfix, it should probably be kept in
7019 the /var file system, instead of under $config_directory. The location
7020 should not be inside the chroot jail.
7021
7022 This feature is available in Postfix 2.2 and later.
7023
7025 The time between attempts by tlsmgr(8) to save the state of the pseudo
7026 random number generator (PRNG) to the file specified with $tls_ran‐
7027 dom_exchange_name.
7028
7029 This feature is available in Postfix 2.2 and later.
7030
7032 The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
7033 pseudo random number generator (PRNG) pool from external sources. The
7034 actual time between re-seeding attempts is calculated using the PRNG,
7035 and is between 0 and the time specified.
7036
7037 This feature is available in Postfix 2.2 and later.
7038
7040 The external entropy source for the in-memory tlsmgr(8) pseudo random
7041 number generator (PRNG) pool. Be sure to specify a non-blocking source.
7042 If this source is not a regular file, the entropy source type must be
7043 prepended: egd:/path/to/egd_socket for a source with EGD compatible
7044 socket interface, or dev:/path/to/device for a device file.
7045
7046 Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
7047 timeout errors.
7048
7049 This feature is available in Postfix 2.2 and later.
7050
7052 The name of the trace service. This service is implemented by the
7053 bounce(8) daemon and maintains a record of mail deliveries and produces
7054 a mail delivery report when verbose delivery is requested with "send‐
7055 mail -v".
7056
7057 This feature is available in Postfix 2.1 and later.
7058
7060 Optional lookup tables with mappings from recipient address to (message
7061 delivery transport, next-hop destination). See transport(5) for
7062 details.
7063
7064 Specify zero or more "type:table" lookup tables. If you use this fea‐
7065 ture with local files, run "postmap /etc/postfix/transport" after mak‐
7066 ing a change.
7067
7068 For safety reasons, as of Postfix 2.3 this feature does not allow $num‐
7069 ber substitutions in regular expression maps.
7070
7071 Examples:
7072
7073 transport_maps = dbm:/etc/postfix/transport
7074 transport_maps = hash:/etc/postfix/transport
7075
7077 The time between attempts by the Postfix queue manager to contact a
7078 malfunctioning message delivery transport.
7079
7080 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
7081 The default time unit is s (seconds).
7082
7084 The time limit for sending a trigger to a Postfix daemon (for example,
7085 the pickup(8) or qmgr(8) daemon). This time limit prevents programs
7086 from getting stuck when the mail system is under heavy load.
7087
7088 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
7089 The default time unit is s (seconds).

undisclosed_recipients_header (default: To: undisclosed-recipients:;)
Message header that the Postfix cleanup(8) server inserts when a
message contains no To: or Cc: message header.

unknown_address_reject_code (default: 450)
The numerical Postfix SMTP server response code when a sender or
recipient address is rejected by the reject_unknown_sender_domain or
reject_unknown_recipient_domain restriction. The response is always
450 in case of a temporary DNS error.

Do not change this unless you have a complete understanding of RFC 821.

unknown_client_reject_code (default: 450)
The numerical Postfix SMTP server response code when a client without
valid address <=> name mapping is rejected by the
reject_unknown_client_hostname restriction. The SMTP server always
replies with 450 when the mapping failed due to a temporary error
condition.

Do not change this unless you have a complete understanding of RFC 821.

unknown_hostname_reject_code (default: 450)
The numerical Postfix SMTP server response code when the hostname
specified with the HELO or EHLO command is rejected by the
reject_unknown_helo_hostname restriction.

Do not change this unless you have a complete understanding of RFC 821.

unknown_local_recipient_reject_code (default: 550)
The numerical Postfix SMTP server response code when a recipient
address is local, and $local_recipient_maps specifies a list of lookup
tables that does not match the recipient. A recipient address is local
when its domain matches $mydestination, $proxy_interfaces or
$inet_interfaces.

The default setting is 550 (reject mail) but it is safer to initially
use 450 (try again later) so you have time to find out if your
local_recipient_maps settings are OK.

Example:

unknown_local_recipient_reject_code = 450

This feature is available in Postfix 2.0 and later.

unknown_relay_recipient_reject_code (default: 550)
The numerical Postfix SMTP server reply code when a recipient address
matches $relay_domains, and $relay_recipient_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

unknown_virtual_alias_reject_code (default: 550)
The SMTP server reply code when a recipient address matches
$virtual_alias_domains, and $virtual_alias_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

unknown_virtual_mailbox_reject_code (default: 550)
The SMTP server reply code when a recipient address matches
$virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

unverified_recipient_reject_code (default: 450)
The numerical Postfix SMTP server response when a recipient address is
rejected by the reject_unverified_recipient restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC 821.

This feature is available in Postfix 2.1 and later.

unverified_sender_reject_code (default: 450)
The numerical Postfix SMTP server response code when a sender address
is rejected by the reject_unverified_sender restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC 821.

This feature is available in Postfix 2.1 and later.

verp_delimiter_filter (default: -=+)
The characters Postfix accepts as VERP delimiter characters on the
Postfix sendmail(1) command line and in SMTP commands.

This feature is available in Postfix 1.1 and later.

virtual_alias_domains (default: $virtual_alias_maps)
Postfix is final destination for the specified list of virtual alias
domains, that is, domains for which all addresses are aliased to
addresses in other local or remote domains. The SMTP server validates
recipient addresses with $virtual_alias_maps and rejects non-existent
recipients. See also the virtual alias domain class in the
ADDRESS_CLASS_README file.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

The default value is $virtual_alias_maps so that you can keep all
information about virtual alias domains in one place. If you have many
users, it is better to separate information that changes more
frequently (virtual address -> local or remote address mapping) from
information that changes less frequently (the list of virtual domain
names).

Specify a list of host or domain names, "/file/name" or "type:table"
patterns, separated by commas and/or whitespace. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a table entry matches a lookup string (the lookup result is
ignored). Continue long lines by starting the next line with
whitespace. Specify "!pattern" to exclude a host or domain name from
the list. The form "!/file/name" is supported only in Postfix version
2.4 and later.

See also the VIRTUAL_README and ADDRESS_CLASS_README documents for
further information.

Example:

virtual_alias_domains = virtual1.tld virtual2.tld

virtual_alias_expansion_limit (default: 1000)
The maximal number of addresses that virtual alias expansion produces
from each original recipient.

This feature is available in Postfix 2.1 and later.

virtual_alias_maps (default: $virtual_maps)
Optional lookup tables that alias specific mail addresses or domains to
other local or remote addresses. The table format and lookups are
documented in virtual(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

If you use this feature with indexed files, run "postmap
/etc/postfix/virtual" after changing the file.

Examples:

virtual_alias_maps = dbm:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

virtual_alias_recursion_limit (default: 1000)
The maximal nesting depth of virtual alias expansion. Currently the
recursion limit is applied only to the left branch of the expansion
graph, so the depth of the tree can in the worst case reach the sum of
the expansion and recursion limits. This may change in the future.

This feature is available in Postfix 2.1 and later.
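
The two limits above (virtual_alias_expansion_limit and
virtual_alias_recursion_limit) bound how much work a single recipient
can cause during virtual alias expansion, which is what keeps a
mutually recursive or fan-out-heavy virtual(5) table from turning one
message into unbounded cleanup(8) work. The following is an added
example, not Postfix code: a simplified Python model of the expansion
walk using the "full address, then @domain" lookup order of virtual(5).
It differs from Postfix in two labelled ways: it applies the depth limit
on every branch (the text says Postfix currently applies it only to the
left branch), and it counts final addresses against the expansion
limit. The table contents and addresses are constructed for the
example.

```python
# Added example (not Postfix code): simplified model of virtual alias
# expansion under virtual_alias_expansion_limit and
# virtual_alias_recursion_limit. Table contents are constructed.

# Constructed virtual_alias_maps contents; every name is hypothetical.
ALIAS_MAPS = {
    "sales@example.com": ["alice@corp.example", "bob@corp.example"],
    "alice@corp.example": ["alice@mail.example"],
    "ping@example.com": ["pong@example.com"],   # mutual recursion ...
    "pong@example.com": ["ping@example.com"],   # ... that never terminates
    "self@example.com": ["self@example.com"],   # alias that maps to itself
    "@catchall.example": ["postmaster@corp.example"],  # domain catch-all
}


class VirtualAliasLimit(Exception):
    """Raised when a configured limit is exceeded (this model's choice;
    Postfix itself defers the message instead)."""


def lookup_alias(address, table):
    """Lookup order modelled on virtual(5): the full address first, then
    the "@domain" catch-all entry. Returns None when nothing matches."""
    if address in table:
        return table[address]
    domain = address.partition("@")[2]
    return table.get("@" + domain)


def expand_virtual_alias(address, table, expansion_limit=1000,
                         recursion_limit=1000):
    """Expand one original recipient into its final addresses.

    expansion_limit caps the number of final addresses produced from this
    one recipient; recursion_limit caps the nesting depth on any branch
    (in this model; Postfix counts the left branch only, see the text).
    An explicit stack is used so a deep alias chain hits our limit, not
    the Python interpreter's recursion limit.
    """
    produced = []
    stack = [(address, 0)]
    while stack:
        addr, depth = stack.pop()
        if depth > recursion_limit:
            raise VirtualAliasLimit(
                f"recursion limit {recursion_limit} exceeded at {addr}")
        targets = lookup_alias(addr, table)
        # No entry, or an entry that maps the address to itself: terminal.
        if targets is None or targets == [addr]:
            produced.append(addr)
            if len(produced) > expansion_limit:
                raise VirtualAliasLimit(
                    f"expansion limit {expansion_limit} exceeded at {addr}")
            continue
        # Push in reverse so the first alias target is expanded first.
        for target in reversed(targets):
            stack.append((target, depth + 1))
    return produced


def exceeds_limit(address, table, **limits):
    """True when expanding address under the given limits raises."""
    try:
        expand_virtual_alias(address, table, **limits)
    except VirtualAliasLimit:
        return True
    return False


if __name__ == "__main__":
    for addr in ("sales@example.com", "self@example.com",
                 "nobody@catchall.example"):
        print(addr, "->", expand_virtual_alias(addr, ALIAS_MAPS))
    print("ping@example.com exceeds recursion limit 10:",
          exceeds_limit("ping@example.com", ALIAS_MAPS, recursion_limit=10))
    print("sales@example.com exceeds expansion limit 1:",
          exceeds_limit("sales@example.com", ALIAS_MAPS, expansion_limit=1))
```

The ping/pong pair shows why the recursion limit exists at all: without
it the walk never terminates, and lowering the limit only changes how
quickly the loop is detected, not whether the mail is deliverable.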

virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination via
the virtual message delivery transport. This limit is enforced by the
queue manager. The message delivery transport name is the first field
in the entry in the master.cf file.

virtual_destination_recipient_limit (default: $default_destination_recipient_limit)
The maximal number of recipients per delivery via the virtual message
delivery transport. This limit is enforced by the queue manager. The
message delivery transport name is the first field in the entry in the
master.cf file.

Setting this parameter to a value of 1 changes the meaning of
virtual_destination_concurrency_limit from concurrency per domain into
concurrency per recipient.

virtual_gid_maps (default: empty)
Lookup tables with the per-recipient group ID for virtual(8) mailbox
delivery.

In a lookup table, specify a left-hand side of "@domain.tld" to match
any user in the specified domain that does not have a specific
"user@domain.tld" entry.

When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up the full
address first, and when the lookup fails, it looks up the unextended
address (user@domain.tld).

Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression lookup
tables, because that would open a security hole.

Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead it will
open the table directly. Before Postfix version 2.2, the virtual(8)
delivery agent will terminate with a fatal error.

virtual_mailbox_base (default: empty)
A prefix that the virtual(8) delivery agent prepends to all pathname
results from $virtual_mailbox_maps table lookups. This is a safety
measure to ensure that an out of control map doesn't litter the file
system with mailboxes. While virtual_mailbox_base could be set to "/",
this setting isn't recommended.

Example:

virtual_mailbox_base = /var/mail

virtual_mailbox_domains (default: $virtual_mailbox_maps)
Postfix is final destination for the specified list of domains; mail is
delivered via the $virtual_transport mail delivery transport. By
default this is the Postfix virtual(8) delivery agent. The SMTP server
validates recipient addresses with $virtual_mailbox_maps and rejects
mail for non-existent recipients. See also the virtual mailbox domain
class in the ADDRESS_CLASS_README file.

This parameter expects the same syntax as the mydestination
configuration parameter.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

virtual_mailbox_limit (default: 51200000)
The maximal size in bytes of an individual mailbox or maildir file, or
zero (no limit).

virtual_mailbox_lock (default: see "postconf -d" output)
How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
For a list of available file locking methods, use the "postconf -l"
command.

This setting is ignored with maildir style delivery, because such
deliveries are safe without application-level locks.

Note 1: the dotlock method requires that the recipient UID or GID has
write access to the parent directory of the recipient's mailbox file.

Note 2: the default setting of this parameter is system dependent.

virtual_mailbox_maps (default: empty)
Optional lookup tables with all valid addresses in the domains that
match $virtual_mailbox_domains.

In a lookup table, specify a left-hand side of "@domain.tld" to match
any user in the specified domain that does not have a specific
"user@domain.tld" entry.

The virtual(8) delivery agent uses this table to look up the
per-recipient mailbox or maildir pathname. If the lookup result ends in
a slash ("/"), maildir-style delivery is carried out, otherwise the
path is assumed to specify a UNIX-style mailbox file. Note that
$virtual_mailbox_base is unconditionally prepended to this path.

When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up the full
address first, and when the lookup fails, it looks up the unextended
address (user@domain.tld).

Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression lookup
tables, because that would open a security hole.

Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead it will
open the table directly. Before Postfix version 2.2, the virtual(8)
delivery agent will terminate with a fatal error.

virtual_maps (default: empty)
Optional lookup tables with a) names of domains for which all addresses
are aliased to addresses in other local or remote domains, and b)
addresses that are aliased to addresses in other local or remote
domains. Available before Postfix version 2.0. With Postfix version
2.0 and later, this is replaced by separate controls:
virtual_alias_domains and virtual_alias_maps.

virtual_minimum_uid (default: 100)
The minimum user ID value that the virtual(8) delivery agent accepts as
a result from $virtual_uid_maps table lookup. Returned values less
than this will be rejected, and the message will be deferred.

virtual_transport (default: virtual)
The default mail delivery transport and next-hop destination for final
delivery to domains listed with $virtual_mailbox_domains. This
information can be overruled with the transport(5) table.

Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
part is optional. For more details see the transport(5) manual page.

This feature is available in Postfix 2.0 and later.

virtual_uid_maps (default: empty)
Lookup tables with the per-recipient user ID that the virtual(8)
delivery agent uses while writing to the recipient's mailbox.

In a lookup table, specify a left-hand side of "@domain.tld" to match
any user in the specified domain that does not have a specific
"user@domain.tld" entry.

When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up the full
address first, and when the lookup fails, it looks up the unextended
address (user@domain.tld).

Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression lookup
tables, because that would open a security hole.

Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead it will
open the table directly. Before Postfix version 2.2, the virtual(8)
delivery agent will terminate with a fatal error.
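
The lookup rules repeated for virtual_mailbox_maps, virtual_uid_maps and
virtual_gid_maps above (full address, then the unextended address, and
the "@domain.tld" catch-all for users without a specific entry),
together with virtual_mailbox_base and virtual_minimum_uid, decide
where and under which UID/GID virtual(8) writes a message. The
following added example is not Postfix code: a Python model of that
per-recipient resolution, applying the three lookup keys in the order
just listed. All table contents, paths and main.cf values are
constructed for the example, and the ".." check is an extra check that
belongs to this model only; the text does not say virtual(8) performs
it, and $virtual_mailbox_base is prepended as a prefix, not enforced as
a jail, which is exactly why a hostile map result deserves attention.

```python
# Added example (not Postfix code): model of the per-recipient lookups the
# virtual(8) delivery agent performs, following the rules given for
# virtual_mailbox_maps, virtual_uid_maps, virtual_gid_maps,
# virtual_mailbox_base and virtual_minimum_uid. Everything below is
# constructed for the example.

# Hypothetical main.cf values.
VIRTUAL_MAILBOX_BASE = "/var/mail/vhosts"
VIRTUAL_MINIMUM_UID = 100
RECIPIENT_DELIMITER = "+"

# Constructed virtual_mailbox_maps: a result ending in "/" selects maildir
# delivery, anything else is treated as a UNIX-style mailbox file.
MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",
    "bob@example.com": "example.com/bob",
    "root@example.com": "example.com/root/",
    "evil@example.com": "../../etc/cron.d/mailbox",   # hostile map result
    "@example.org": "example.org/catchall/",          # domain catch-all
}
# Constructed virtual_uid_maps and virtual_gid_maps.
UID_MAPS = {"@example.com": "5000", "@example.org": "5000",
            "root@example.com": "0"}
GID_MAPS = {"@example.com": "5000", "@example.org": "5000"}


def lookup_keys(address):
    """Keys tried in order: the full address, the unextended address when
    the localpart carries a recipient_delimiter extension, then @domain."""
    localpart, _, domain = address.partition("@")
    keys = [address]
    if RECIPIENT_DELIMITER in localpart:
        keys.append(localpart.split(RECIPIENT_DELIMITER, 1)[0] + "@" + domain)
    keys.append("@" + domain)
    return keys


def virtual_lookup(address, table):
    """First matching key wins, as with a Postfix indexed table."""
    for key in lookup_keys(address):
        if key in table:
            return table[key]
    return None


def resolve_virtual_delivery(address, base=VIRTUAL_MAILBOX_BASE,
                             minimum_uid=VIRTUAL_MINIMUM_UID):
    """Return a dict describing what this model would do with the recipient:
    deliver (with path, style, uid, gid), defer, or bounce."""
    result = virtual_lookup(address, MAILBOX_MAPS)
    if result is None:
        return {"action": "bounce", "reason": "unknown user"}
    if ".." in result.split("/"):
        # Extra check in this model only: the base is a string prefix, so a
        # map result containing ".." components could still climb out of it.
        return {"action": "defer", "reason": "map result escapes mailbox base"}
    uid = virtual_lookup(address, UID_MAPS)
    gid = virtual_lookup(address, GID_MAPS)
    if uid is None or gid is None:
        return {"action": "defer", "reason": "no uid/gid lookup result"}
    try:
        uid, gid = int(uid), int(gid)
    except ValueError:
        return {"action": "defer", "reason": "non-numeric uid/gid result"}
    if uid < minimum_uid:
        # virtual_minimum_uid: result below the floor is rejected, mail deferred.
        return {"action": "defer",
                "reason": f"uid {uid} below virtual_minimum_uid {minimum_uid}"}
    return {
        "action": "deliver",
        "path": base.rstrip("/") + "/" + result,   # base is always prepended
        "style": "maildir" if result.endswith("/") else "mailbox",
        "uid": uid,
        "gid": gid,
    }


if __name__ == "__main__":
    for addr in ("alice@example.com", "alice+news@example.com",
                 "bob@example.com", "carol@example.org", "root@example.com",
                 "evil@example.com", "nobody@example.net"):
        print(addr, "->", resolve_virtual_delivery(addr))
```

Two of the constructed entries are the ones worth checking in a real
deployment: root@example.com resolves to UID 0 and is deferred by the
virtual_minimum_uid floor, and evil@example.com shows a map result that
the base prefix alone would not contain.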

SEE ALSO
postconf(1), Postfix configuration parameter maintenance
master(5), Postfix daemon configuration maintenance

LICENSE
The Secure Mailer license must be distributed with this software.

AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA



POSTCONF(5)