POSTCONF(5) File Formats Manual POSTCONF(5)

NAME
postconf - Postfix configuration parameters

SYNOPSIS
postconf parameter ...

postconf -e "parameter=value" ...

DESCRIPTION
The Postfix main.cf configuration file specifies a small subset of all
the parameters that control the operation of the Postfix mail system.
Parameters not specified in main.cf are left at their default values.

The general format of the main.cf file is as follows:

· Each logical line has the form "parameter = value". Whitespace
around the "=" is ignored, as is whitespace at the end of a logical
line.

· Empty lines and whitespace-only lines are ignored, as are lines
whose first non-whitespace character is a `#'.

· A logical line starts with non-whitespace text. A line that
starts with whitespace continues a logical line.

· A parameter value may refer to other parameters.

· The expressions "$name", "${name}" or "$(name)" are
recursively replaced by the value of the named parameter.

· The expression "${name?value}" expands to "value" when
"$name" is non-empty. This form is supported with Postfix
version 2.2 and later.

· The expression "${name:value}" expands to "value" when
"$name" is empty. This form is supported with Postfix
version 2.2 and later.

· Specify "$$" to produce a single "$" character.

· When the same parameter is defined multiple times, only the last
instance is remembered.

· Otherwise, the order of main.cf parameter definitions does not
matter.

The remainder of this document is a description of all Postfix configuration
parameters. Default values are shown after the parameter name in
parentheses, and can be looked up with the "postconf -d" command.

Note: this is not an invitation to make changes to Postfix configuration
parameters. Unnecessary changes can impair the operation of the
mail system.

The recipient of undeliverable mail that cannot be returned to the
sender. This feature is enabled with the notify_classes parameter.

The numerical Postfix SMTP server response code for an access(5) map
"defer" action, including "defer_if_permit" or "defer_if_reject". Prior
to Postfix 2.6, the response is hard-coded as "450".

Do not change this unless you have a complete understanding of RFC
2821.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code for an access(5) map
"reject" action.

Do not change this unless you have a complete understanding of RFC
2821.

Overrides the default_transport parameter setting for address verification
probes.

This feature is available in Postfix 2.1 and later.

Overrides the local_transport parameter setting for address verification
probes.

This feature is available in Postfix 2.1 and later.

Optional lookup table for persistent address verification status storage.
The table is maintained by the verify(8) service, and is opened
before the process releases privileges.

By default, the information is kept in volatile memory, and is lost
after "postfix reload" or "postfix stop".

Specify a location in a file system that will not fill up. If the database
becomes corrupted, the world comes to an end. To recover, delete
the file and do "postfix reload".

As of version 2.5, Postfix no longer uses root privileges when opening
this file. The file should now be stored under the Postfix-owned
data_directory. As a migration aid, an attempt to open the file under a
non-Postfix directory is redirected to the Postfix-owned data_directory,
and a warning is logged.

Examples:

address_verify_map = hash:/var/lib/postfix/verify
address_verify_map = btree:/var/lib/postfix/verify

This feature is available in Postfix 2.1 and later.

Enable caching of failed address verification probe results. When this
feature is enabled, the cache may pollute quickly with garbage. When
this feature is disabled, Postfix will generate an address probe for
every lookup.

This feature is available in Postfix 2.1 and later.

The time after which a failed probe expires from the address verification
cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a failed address verification probe needs to be
refreshed.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

How many times to query the verify(8) service for the completion of an
address verification request in progress.

By default, the Postfix SMTP server polls the verify(8) service up to
three times under non-overload conditions, and only once when under
overload. With Postfix version 2.5 and earlier, the SMTP server always
polls the verify(8) service up to three times by default.

Specify 1 to implement a crude form of greylisting, that is, always
defer the first delivery request for a never seen before address.

Example:

address_verify_poll_count = 1

This feature is available in Postfix 2.1 and later.

The delay between queries for the completion of an address verification
request in progress.

The default polling delay is 3 seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful probe expires from the address verification
cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful address verification probe needs to
be refreshed. The address verification status is not updated when the
probe fails (optimistic caching).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

Overrides the relay_transport parameter setting for address verification
probes.

This feature is available in Postfix 2.1 and later.

Overrides the relayhost parameter setting for address verification
probes. This information can be overruled with the transport(5) table.

This feature is available in Postfix 2.1 and later.

The sender address to use in address verification probes; prior to
Postfix 2.5 the default was "postmaster". To avoid problems with
address probes that are sent in response to address probes, the Postfix
SMTP server excludes the probe sender address from all SMTPD access
blocks.

Specify an empty value (address_verify_sender =) or <> if you want to
use the null sender address. Beware, some sites reject mail from <>,
even though RFCs require that such addresses be accepted.

Examples:

address_verify_sender = <>
address_verify_sender = postmaster@my.domain

This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_relayhost_maps (default: $sender_dependent_relayhost_maps)
Overrides the sender_dependent_relayhost_maps parameter setting for
address verification probes.

This feature is available in Postfix 2.3 and later.

The name of the verify(8) address verification service. This service
maintains the status of sender and/or recipient address verification
probes, and generates probes on request by other Postfix processes.

Overrides the transport_maps parameter setting for address verification
probes.

This feature is available in Postfix 2.1 and later.

Overrides the virtual_transport parameter setting for address verification
probes.

This feature is available in Postfix 2.1 and later.

The alias databases for local(8) delivery that are updated with
"newaliases" or with "sendmail -bi".

This is a separate configuration parameter because not all the tables
specified with $alias_maps have to be local files.

Examples:

alias_database = hash:/etc/aliases
alias_database = hash:/etc/mail/aliases

The alias databases that are used for local(8) delivery. See aliases(5)
for syntax details.

The default list is system dependent. On systems with NIS, the default
is to search the local alias database, then the NIS alias database.

If you change the alias database, run "postalias /etc/aliases" (or
wherever your system stores the mail alias file), or simply run
"newaliases" to build the necessary DBM or DB file.

The local(8) delivery agent disallows regular expression substitution
of $1 etc. in alias_maps, because that would open a security hole.

The local(8) delivery agent will silently ignore requests to use the
proxymap(8) server within alias_maps. Instead it will open the table
directly. Before Postfix version 2.2, the local(8) delivery agent will
terminate with a fatal error.

Examples:

alias_maps = hash:/etc/aliases, nis:mail.aliases
alias_maps = hash:/etc/aliases

Restrict local(8) mail delivery to external commands. The default is
to disallow delivery to "|command" in :include: files (see aliases(5)
for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow
commands in aliases(5), .forward files or in :include: files, respectively.

Example:

allow_mail_to_commands = alias,forward,include

Restrict local(8) mail delivery to external files. The default is to
disallow "/file/name" destinations in :include: files (see aliases(5)
for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow
"/file/name" destinations in aliases(5), .forward files and in
:include: files, respectively.

Example:

allow_mail_to_files = alias,forward,include

Allow a sender or recipient address to have `-' as the first character.
By default, this is not allowed, to avoid accidents with software that
passes email addresses via the command line. Such software would not be
able to distinguish a malicious address from a bona fide command-line
option. Although this can be prevented by inserting a "--" option terminator
into the command line, this is difficult to enforce consistently
and globally.

As of Postfix version 2.5, this feature is implemented by trivial-rewrite(8).
With earlier versions this feature was implemented by
qmgr(8) and was limited to recipient addresses only.

Enable the rewriting of the form "user%domain" to "user@domain". This
is enabled by default.

Note: with Postfix version 2.2, message header address rewriting happens
only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

Example:

allow_percent_hack = no

Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
from untrusted clients to destinations matching $relay_domains.

By default, this feature is turned off. This closes a nasty open relay
loophole where a backup MX host can be tricked into forwarding junk
mail to a primary MX host which then spams it out to the world.

This parameter also controls if non-local addresses with sender-specified
routing can match Postfix access tables. By default, such
addresses cannot match Postfix access tables, because the address is
ambiguous.

A list of non-default Postfix configuration directories that may be
specified with "-c config_directory" on the command line, or via the
MAIL_CONFIG environment parameter.

This list must be specified in the default Postfix configuration directory,
and is used by set-gid Postfix commands such as postqueue(1) and
postdrop(1).

Always add (Resent-) From:, To:, Date: or Message-ID: headers when not
present. Postfix 2.6 and later add these headers only when clients
match the local_header_rewrite_clients parameter setting. Earlier
Postfix versions always add these headers; this may break DKIM signatures
that cover non-existent headers.

Optional address that receives a "blind carbon copy" of each message
that is received by the Postfix mail system.

Note: if mail to the BCC address bounces it will be returned to the
sender.

Note: automatic BCC recipients are produced only for new mail. To
avoid mailer loops, automatic BCC recipients are not generated for mail
that Postfix forwards internally, nor for mail that Postfix generates
itself.

The time unit over which client connection rates and other rates are
calculated.

This feature is implemented by the anvil(8) service which is available
in Postfix version 2.2 and later.

The default interval is relatively short. Because of the high frequency
of updates, the anvil(8) server uses volatile memory only. Thus, information
is lost whenever the process terminates.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
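Many parameters on this page take a time value with an optional s/m/h/d/w suffix, and the default unit differs per parameter (seconds here, days for the bounce queue lifetime described further down). The parser below is an added example, not Postfix's own code: it converts such values to seconds and flags bare numbers for parameters whose default unit is not seconds, since "5" meaning five days is an easy misreading. The DEFAULT_UNIT table is assembled for the example from the default units stated on this page; the parameter names in it are supplied by the example.

```python
import re

# Unit letters and their lengths in seconds, as listed in the manual.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed for the example: default unit per parameter. The manual states
# the default unit in each parameter's section; the names are supplied here.
DEFAULT_UNIT = {
    "anvil_rate_time_unit": "s",
    "anvil_status_update_time": "s",
    "bounce_queue_lifetime": "d",
    "daemon_timeout": "s",
}

# <digits>, optional whitespace, optional single unit letter.
_TIME_RE = re.compile(r"^\s*(\d+)\s*([smhdw])?\s*$")


def parse_time(value, default_unit="s"):
    """Return the number of seconds denoted by a Postfix-style time value.

    A bare number takes `default_unit`; an unknown suffix or default unit
    raises ValueError instead of silently guessing.
    """
    m = _TIME_RE.match(value)
    if not m or default_unit not in UNIT_SECONDS:
        raise ValueError(f"bad time value {value!r} (default unit {default_unit!r})")
    count, unit = int(m.group(1)), m.group(2) or default_unit
    return count * UNIT_SECONDS[unit]


def parameter_seconds(name, value):
    """Interpret `value` for parameter `name` using that parameter's default unit."""
    return parse_time(value, DEFAULT_UNIT.get(name, "s"))


def unitless_warnings(settings):
    """Names of settings given as bare numbers where the default unit is not
    seconds, i.e. values that are easy to misread when reviewing main.cf."""
    flagged = []
    for name, value in settings.items():
        m = _TIME_RE.match(value)
        if m and not m.group(2) and DEFAULT_UNIT.get(name, "s") != "s":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    sample = {"bounce_queue_lifetime": "5", "daemon_timeout": "18000"}  # constructed
    for name, value in sample.items():
        print(name, "=", value, "->", parameter_seconds(name, value), "seconds")
    print("review these:", unitless_warnings(sample))
```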

How frequently the anvil(8) connection and rate limiting server logs
peak usage information.

This feature is available in Postfix 2.2 and later.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

With locally submitted mail, append the string "@$myorigin" to mail
addresses without domain information. With remotely submitted mail,
append the string "@$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default and must not be turned off.
Postfix does not support domain-less addresses.

Note 2: with Postfix version 2.2, message header address rewriting happens
only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

With locally submitted mail, append the string ".$mydomain" to
addresses that have no ".domain" information. With remotely submitted
mail, append the string ".$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default. If disabled, users will not
be able to send mail to "user@partialdomainname" but will have to specify
full domain names instead.

Note 2: with Postfix version 2.2, message header address rewriting happens
only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

How long the postkick(1) command waits for a request to enter the
server's input buffer before giving up.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

List of users who are authorized to flush the queue.

By default, all users are allowed to flush the queue. Access is always
granted if the invoking user is the super-user or the $mail_owner user.
Otherwise, the real UID of the process is looked up in the system password
file, and access is granted only if the corresponding login name
is on the access list. The username "unknown" is used for processes
whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored). Continue
long lines by starting the next line with whitespace. Specify
"!pattern" to exclude a name from the list. The form "!/file/name" is
supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to view the queue.

By default, all users are allowed to view the queue. Access is always
granted if the invoking user is the super-user or the $mail_owner user.
Otherwise, the real UID of the process is looked up in the system password
file, and access is granted only if the corresponding login name
is on the access list. The username "unknown" is used for processes
whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored). Continue
long lines by starting the next line with whitespace. Specify
"!pattern" to exclude a user name from the list. The form "!/file/name"
is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to submit mail with the sendmail(1)
command (and with the privileged postdrop(1) helper command).

By default, all users are allowed to submit mail. Otherwise, the real
UID of the process is looked up in the system password file, and access
is granted only if the corresponding login name is on the access list.
The username "unknown" is used for processes whose real UID is not
found in the password file. To deny mail submission access to all users
specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored). Continue
long lines by starting the next line with whitespace. Specify
"!pattern" to exclude a user name from the list. The form "!/file/name"
is supported only in Postfix version 2.4 and later.

Example:

authorized_submit_users = !www, static:all

This feature is available in Postfix 2.2 and later.

What SMTP clients are allowed to specify the XVERP command. This command
requests that mail be delivered one recipient at a time with a per
recipient return address.

By default, only trusted clients are allowed to specify XVERP.

This parameter was introduced with Postfix version 1.1. Postfix version
2.1 renamed this parameter to smtpd_authorized_verp_clients and
changed the default to none.

Specify a list of network/netmask patterns, separated by commas and/or
whitespace. The mask specifies the number of bits in the network part
of a host address. You can also specify hostnames or .domain names (the
initial dot causes the domain to match any name below it),
"/file/name" or "type:table" patterns. A "/file/name" pattern is
replaced by its contents; a "type:table" lookup table is matched when a
table entry matches a lookup string (the lookup result is ignored).
Continue long lines by starting the next line with whitespace. Specify
"!pattern" to exclude an address or network block from the list. The
form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in
the authorized_verp_clients value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character, and
would otherwise be confused with a "type:table" pattern.
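The three user lists above (authorized_flush_users, authorized_show_queue_users, authorized_submit_users) and the network list of authorized_verp_clients share one matching discipline: items separated by commas or whitespace, "/file/name" inlined, "type:table" matched on key presence only, "!pattern" as an exclusion, and first match wins. The code below is an added example, not Postfix's own implementation, that evaluates both kinds of list with that discipline, including the "unknown" login for UIDs missing from the password file and the "[...]" rule that keeps IPv6 addresses from being mistaken for "type:table" patterns. Lookup tables are modelled as a caller-supplied dict {pattern: set of keys} and "/file/name" contents come from a read_file callable, both constructed for the example; "static:" tables are treated as matching every key, which is what makes "static:all" a catch-all.

```python
import ipaddress
import pwd
import re


def split_list(value):
    """Items are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def expand_patterns(value, read_file):
    """Flatten a list into (negated, pattern) pairs, left to right.

    "/file/name" is replaced by the items in that file; the negation of
    "!/file/name" applies to every item read from the file.
    """
    pairs = []
    for item in split_list(value):
        negated = item.startswith("!")
        pattern = item[1:] if negated else item
        if pattern.startswith("/"):
            pairs.extend((negated, p) for p in split_list(read_file(pattern)))
        else:
            pairs.append((negated, pattern))
    return pairs


def _default_read_file(path):
    with open(path) as fh:
        return fh.read()


def _evaluate(acl, matches, tables, read_file):
    """First match wins; a match on a "!pattern" item is a denial."""
    for negated, pattern in expand_patterns(acl, read_file or _default_read_file):
        if matches(pattern, tables or {}):
            return not negated
    return False          # nothing matched: not on the list


def _table_has_key(pattern, key, tables):
    # Only key presence counts; the lookup result is ignored. A static:value
    # table answers every query, so "static:all" matches everyone.
    if pattern.startswith("static:"):
        return True
    return key in tables.get(pattern, ())


def login_name(uid, getpwuid=pwd.getpwuid):
    """Map a real UID to its login name; "unknown" if not in the passwd file."""
    try:
        return getpwuid(uid).pw_name
    except KeyError:
        return "unknown"


def user_is_authorized(login, acl, tables=None, read_file=None, privileged=False):
    """privileged=True models the super-user or $mail_owner (always granted).
    An empty acl denies everyone else, as the manual states for submission."""
    if privileged:
        return True

    def matches(pattern, tables):
        if ":" in pattern:                       # "type:table"
            return _table_has_key(pattern, login, tables)
        return pattern == login
    return _evaluate(acl, matches, tables, read_file)


def classify_client_pattern(item):
    """Return (kind, value) for one network-list item."""
    if item.startswith("["):                     # IPv6 must be written [addr]/len
        addr, _, prefix = item[1:].partition("]")
        return "net", ipaddress.ip_network(addr + prefix, strict=False)
    if ":" in item:                              # any other ":" is a type:table
        return "table", item
    try:                                         # IPv4 address or network/mask
        return "net", ipaddress.ip_network(item, strict=False)
    except ValueError:
        pass
    if item.startswith("."):                     # .domain matches names below it
        return "domain", item.lower()
    return "host", item.lower()


def client_is_authorized(client_addr, client_name, acl, tables=None, read_file=None):
    addr = ipaddress.ip_address(client_addr)
    name = client_name.lower()

    def matches(pattern, tables):
        kind, value = classify_client_pattern(pattern)
        if kind == "net":
            return addr in value                 # False across address families
        if kind == "table":
            return (_table_has_key(value, client_addr, tables)
                    or _table_has_key(value, name, tables))
        if kind == "domain":
            return name.endswith(value)          # "example.com" itself does not match
        return name == value
    return _evaluate(acl, matches, tables, read_file)
```

The negation order matters exactly as the manual describes: in "!bad.example.com, .example.com" the exclusion is reached first, while writing it after the ".example.com" item makes it unreachable because the search stops on the first match.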

Produce additional bounce(8) logfile records that can be read by Postfix
versions before 2.0. The current and more extensible "name = value"
format is needed in order to implement more sophisticated functionality.

This feature is available in Postfix 2.1 and later.

The per-table I/O buffer size for programs that create Berkeley DB hash
or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

The per-table I/O buffer size for programs that read Berkeley DB hash
or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

Where the Postfix SMTP client should deliver mail when it detects a
"mail loops back to myself" error condition. This happens when the
local MTA is the best SMTP mail exchanger for a destination not listed
in $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains,
or $virtual_mailbox_domains. By default, the Postfix
SMTP client returns such mail as undeliverable.

Specify, for example, "best_mx_transport = local" to pass the mail from
the Postfix SMTP client to the local(8) delivery agent. You can specify
any message delivery "transport" or "transport:nexthop" that is defined
in the master.cf file. See the transport(5) manual page for the syntax
and meaning of "transport" or "transport:nexthop".

However, this feature is expensive because it ties up a Postfix SMTP
client process while the local(8) delivery agent is doing its work. It
is more efficient (for Postfix) to list all hosted domains in a table
or database.

Whether or not to use the local biff service. This service sends "new
mail" notifications to users who have requested new mail notification
with the UNIX command "biff y".

For compatibility reasons this feature is on by default. On systems
with lots of interactive users, the biff service can be a performance
drain. Specify "biff = no" in main.cf to disable.

Optional lookup tables for content inspection as specified in the
body_checks(5) manual page.

Note: with Postfix versions before 2.0, these rules inspect all content
after the primary message headers.

How much text in a message body segment (or attachment, if you prefer
to use that term) is subjected to body_checks inspection. The amount
of text is limited to avoid scanning huge attachments.

This feature is available in Postfix 2.0 and later.

The recipient of postmaster notifications with the message headers of
mail that Postfix did not deliver and of SMTP conversation transcripts
of mail that Postfix did not receive. This feature is enabled with the
notify_classes parameter.

The maximal time a bounce message is queued before it is considered
undeliverable. By default, this is the same as the queue life time for
regular mail.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

This feature is available in Postfix 2.1 and later.

The name of the bounce(8) service. This service maintains a record of
failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The maximal amount of original message text that is sent in a
non-delivery notification. Specify a byte count. With Postfix 2.4 and
later, a message is returned as either message/rfc822 (the complete
original) or as text/rfc822-headers (the headers only). With earlier
Postfix versions, a message is always returned as message/rfc822 and is
truncated when it exceeds the size limit.

Notes:

· If you increase this limit, then you should increase the
mime_nesting_limit value proportionally.

· Be careful when making changes. Excessively large values will
result in the loss of non-delivery notifications, when a bounce
message size exceeds a local or remote MTA's message size limit.

Pathname of a configuration file with bounce message templates. These
override the built-in templates of delivery status notification (DSN)
messages for undeliverable mail, for delayed mail, successful delivery,
or delivery verification. The bounce(5) manual page describes how to
edit and test template files.

Template message body text may contain $name references to Postfix configuration
parameters. The result of $name expansion can be previewed
with "postconf -b file_name" before the file is placed into the Postfix
configuration directory.

This feature is available in Postfix 2.3 and later.

Enable inter-operability with SMTP clients that implement an obsolete
version of the AUTH command (RFC 4954). Examples of such clients are
Microsoft Outlook Express version 4 and Microsoft Exchange version 5.0.

Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)
What addresses are subject to canonical_maps address mapping. By
default, canonical_maps address mapping is applied to envelope sender
and recipient addresses, and to header sender and header recipient
addresses.

Specify one or more of: envelope_sender, envelope_recipient,
header_sender, header_recipient

This feature is available in Postfix 2.2 and later.

Optional address mapping lookup tables for message headers and
envelopes. The mapping is applied to both sender and recipient
addresses, in both envelopes and in headers, as controlled with the
canonical_classes parameter. This is typically used to clean up dirty
addresses from legacy mail systems, or to replace login names by
Firstname.Lastname. The table format and lookups are documented in
canonical(5). For an overview of Postfix address manipulations see the
ADDRESS_REWRITING_README document.

If you use this feature, run "postmap /etc/postfix/canonical" to build
the necessary DBM or DB file after every change. The changes will
become visible after a minute or so. Use "postfix reload" to eliminate
the delay.

Note: with Postfix version 2.2, message header address mapping happens
only when message header address rewriting is enabled:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

Examples:

canonical_maps = dbm:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical

The name of the cleanup(8) service. This service rewrites addresses
into the standard form, and performs canonical(5) address mapping and
virtual(5) aliasing.

This feature is available in Postfix 2.0 and later.

The location of all Postfix administrative commands.

The local(8) delivery agent working directory for delivery to external
command. Failure to change directory causes the delivery to be
deferred.

The following $name expansions are done on command_execution_directory
before the directory is changed. Expansion happens in the context of
the delivery request. The result of $name expansion is filtered with
the character set that is specified with the execution_directory_expansion_filter
parameter.

$user The recipient's username.

$shell The recipient's login shell pathname.

$home The recipient's home directory.

$recipient The full recipient address.

$extension The optional recipient address extension.

$domain The recipient domain.

$local The entire recipient localpart.

$recipient_delimiter The system-wide recipient address extension delimiter.

${name?value} Expands to value when $name is non-empty.

${name:value} Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

This feature is available in Postfix 2.2 and later.

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $mailbox_command and $command_execution_directory.
Characters outside the allowed set are replaced by underscores.
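The $name, ${name}, $(name), ${name?value}, ${name:value} and $$ forms described for main.cf in the DESCRIPTION section are the same expansion mechanism used for command_execution_directory above, with one difference: in the per-delivery case the looked-up values are passed through the execution_directory_expansion_filter character set, with everything outside it replaced by an underscore. The code below is an added example, not Postfix's own code, that parses the main.cf format (logical lines, whitespace-led continuation lines, comment and blank lines, last definition wins), performs the recursive expansion with a circular-reference guard, and reuses the same expander with a filter for the delivery-time directory. The sample main.cf text, delivery attributes and allowed character set are all constructed for the example; nested braces inside ${name?value} are not supported here.

```python
import re
import string


def _store(params, logical):
    name, sep, value = logical.partition("=")
    if not sep:
        raise ValueError(f"missing '=' in: {logical!r}")
    params[name.strip()] = value.strip()        # last definition wins


def parse_main_cf(text):
    """Return {parameter: raw value} for main.cf-formatted text."""
    params, logical = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank, whitespace-only, comment
        if raw[0] in " \t":                       # continues the current logical line
            if logical is not None:
                logical += " " + raw.strip()
            continue
        if logical is not None:
            _store(params, logical)
        logical = raw.rstrip()
    if logical is not None:
        _store(params, logical)
    return params


# $$ | $name | ${...} | $(...)
_REF = re.compile(r"\$(?:\$|(\w+)|\{([^{}]*)\}|\(([^()]*)\))")


def expand(value, lookup, filter_chars=None, depth=0):
    """Recursively expand references in `value`.

    `lookup(name)` supplies parameter values. When `filter_chars` is given,
    each looked-up value is filtered to that set (others become "_").
    """
    if depth > 100:
        raise ValueError("expansion nesting too deep (circular reference?)")

    def fetch(name):
        text = lookup(name) or ""
        if filter_chars is not None:
            text = "".join(c if c in filter_chars else "_" for c in text)
        return text

    def repl(m):
        if m.group(0) == "$$":
            return "$"
        inner = m.group(1) or m.group(2) or m.group(3) or ""
        name, cond, text = re.match(r"^(\w*)([?:]?)(.*)$", inner, re.S).groups()
        current = expand(fetch(name), lookup, filter_chars, depth + 1)
        if cond == "?":                           # ${name?value}: value if non-empty
            return expand(text, lookup, filter_chars, depth + 1) if current else ""
        if cond == ":":                           # ${name:value}: value if empty
            return "" if current else expand(text, lookup, filter_chars, depth + 1)
        return current
    return _REF.sub(repl, value)


def resolve(params, defaults=None):
    """Expand every main.cf value; unset names fall back to `defaults`."""
    defaults = defaults or {}
    lookup = lambda name: params.get(name, defaults.get(name, ""))
    return {name: expand(value, lookup) for name, value in params.items()}


def expand_execution_directory(template, attrs, allowed):
    """Delivery-time expansion of command_execution_directory with filtering."""
    return expand(template, lambda name: attrs.get(name, ""), filter_chars=allowed)


# Constructed sample main.cf for the example.
SAMPLE_MAIN_CF = """
# comment line
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain,
    localhost
relayhost =
smtp_banner = $myhostname ESMTP ${relayhost?relayed}${relayhost:direct}
price = cost is $$5
myorigin = $myhostname
"""

# Constructed allowed set for the delivery-time filter.
SAFE_CHARS = set(string.ascii_letters + string.digits + "/_.-")

if __name__ == "__main__":
    for name, value in resolve(parse_main_cf(SAMPLE_MAIN_CF)).items():
        print(f"{name} = {value}")
    attrs = {"user": "bob smith;x", "home": "/home/bob", "extension": ""}
    print(expand_execution_directory("$home/${extension?ext-$extension}${extension:noext}", attrs, SAFE_CHARS))
```

Running the block shows the second "myorigin" definition winning, the continuation line folded into "mydestination", the banner resolving to "direct" because relayhost is empty, and a delivery attribute containing a space and a semicolon arriving in the directory name as "bob_smith_x".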
780
782 Time limit for delivery to external commands. This limit is used by the
783 local(8) delivery agent, and is the default time limit for delivery by
784 the pipe(8) delivery agent.
785
786 Note: if you set this time limit to a large value you must update the
787 global ipc_timeout parameter as well.
788
790 The default location of the Postfix main.cf and master.cf configuration
791 files. This can be overruled via the following mechanisms:
792
793 · The MAIL_CONFIG environment variable (daemon processes and com‐
794 mands).
795
796 · The "-c" command-line option (commands only).
797
798 With Postfix command that run with set-gid privileges, a config_direc‐
799 tory override requires either root privileges, or it requires that the
800 directory is listed with the alternate_config_directories parameter in
801 the default main.cf file.
802
804 Time limit for connection cache connect, send or receive operations.
805 The time limit is enforced in the client.
806
807 This feature is available in Postfix 2.3 and later.
808
810 The name of the scache(8) connection cache service. This service main‐
811 tains a limited pool of cached sessions.
812
813 This feature is available in Postfix 2.2 and later.
814
816 How frequently the scache(8) server logs usage statistics with connec‐
817 tion cache hit and miss rates for logical destinations and for physical
818 endpoints.
819
821 The maximal time-to-live value that the scache(8) connection cache
822 server allows. Requests that specify a larger TTL will be stored with
823 the maximum allowed TTL. The purpose of this additional control is to
824 protect the infrastructure against careless people. The cache TTL is
825 already bounded by $max_idle.
826
828 The name of a mail delivery transport that filters mail after it is
829 queued.
830
831 This parameter uses the same syntax as the right-hand side of a Postfix
832 transport(5) table. This setting has a lower precedence than a content
833 filter that is specified with an access(5) table or in a
834 header_checks(5) or body_checks(5) table.
835
837 Search path for Cyrus SASL application configuration files, currently
838 used only to locate the $smtpd_sasl_path.conf file. Specify zero or
839 more directories separated by a colon character, or an empty value to
840 use Cyrus SASL's built-in search path.
841
842 This feature is available in Postfix 2.5 and later when compiled with
843 Cyrus SASL 2.1.22 or later.
844
846 The directory with Postfix support programs and daemon programs. These
847 should not be invoked directly by humans. The directory must be owned
848 by root.
849
851 How much time a Postfix daemon process may take to handle a request
852 before it is terminated by a built-in watchdog timer.
853
854 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
855 The default time unit is s (seconds).
856
858 The directory with Postfix-writable data files (for example: caches,
859 pseudo-random numbers). This directory must be owned by the mail_owner
860 account, and must not be shared with non-Postfix software.
861
862 This feature is available in Postfix 2.5 and later.
863
865 The increment in verbose logging level when a remote client or server
866 matches a pattern in the debug_peer_list parameter.
867
869 Optional list of remote client or server hostname or network address
870 patterns that cause the verbose logging level to increase by the amount
871 specified in $debug_peer_level.
872
873 Specify domain names, network/netmask patterns, "/file/name" patterns
874 or "type:table" lookup tables. The right-hand side result from
875 "type:table" lookups is ignored.
876
877 Pattern matching of domain names is controlled by the par‐
878 ent_domain_matches_subdomains parameter.
879
880 Examples:
881
882 debug_peer_list = 127.0.0.1
883 debug_peer_list = example.com
884
886 The external command to execute when a Postfix daemon program is
887 invoked with the -D option.
888
889 Use "command .. & sleep 5" so that the debugger can attach before the
890 process marches on. If you use an X-based debugger, be sure to set up
891 your XAUTHORITY environment variable before starting Postfix.
892
893 Example:
894
895 debugger_command =
896 PATH=/usr/bin:/usr/X11R6/bin
897 ddd $daemon_directory/$process_name $process_id & sleep 5
898
900 The default database type for use in newaliases(1), postalias(1) and
901 postmap(1) commands. On many UNIX systems the default type is either
902 dbm or hash. The default setting is frozen when the Postfix system is
903 built.
904
905 Examples:
906
907 default_database_type = hash
908 default_database_type = dbm
909
911 How often the Postfix queue manager's scheduler is allowed to preempt
912 delivery of one message with another.
913
914 Each transport maintains a so-called "available delivery slot counter"
915 for each message. One message can be preempted by another one when the
916 other message can be delivered using no more delivery slots (i.e.,
917 invocations of delivery agents) than the current message counter has
918 accumulated (or will eventually accumulate - see about slot loans
919 below). This parameter controls how often is the counter incremented -
920 it happens after each default_delivery_slot_cost recipients have been
921 delivered.
922
923 The cost of 0 is used to disable the preempting scheduling completely.
924 The minimum value the scheduling algorithm can use is 2 - use it if you
925 want to maximize the message throughput rate. Although there is no max‐
926 imum, it doesn't make much sense to use values above say 50.
927
928 The only reason why the value of 2 is not the default is the way this
929 parameter affects the delivery of mailing-list mail. In the worst case,
930 their delivery can take somewhere between (cost+1/cost) and
931 (cost/cost-1) times more than if the preemptive scheduler was disabled.
932 The default value of 5 turns out to provide reasonable message response
933 times while making sure the mailing-list deliveries are not extended by
934 more than 20-25 percent even in the worst case.
935
936 Use transport_delivery_slot_cost to specify a transport-specific over‐
937 ride, where transport is the master.cf name of the message delivery
938 transport.
939
940 Examples:
941
942 default_delivery_slot_cost = 0
943 default_delivery_slot_cost = 2
944
946 The default value for transport-specific _delivery_slot_discount set‐
947 tings.
948
949 This parameter speeds up the moment when a message preemption can hap‐
950 pen. Instead of waiting until the full amount of delivery slots
951 required is available, the preemption can happen when transport_deliv‐
952 ery_slot_discount percent of the required amount plus transport_deliv‐
953 ery_slot_loan still remains to be accumulated. Note that the full
954 amount will still have to be accumulated before another preemption can
955 take place later.
956
957 Use transport_delivery_slot_discount to specify a transport-specific
958 override, where transport is the master.cf name of the message delivery
959 transport.
960
962 The default value for transport-specific _delivery_slot_loan settings.
963
964 This parameter speeds up the moment when a message preemption can hap‐
965 pen. Instead of waiting until the full amount of delivery slots
966 required is available, the preemption can happen when transport_deliv‐
967 ery_slot_discount percent of the required amount plus transport_deliv‐
968 ery_slot_loan still remains to be accumulated. Note that the full
969 amount will still have to be accumulated before another preemption can
970 take place later.
971
972 Use transport_delivery_slot_loan to specify a transport-specific over‐
973 ride, where transport is the master.cf name of the message delivery
974 transport.
975
977 How many pseudo-cohorts must suffer connection or handshake failure
978 before a specific destination is considered unavailable (and further
979 delivery is suspended). Specify zero to disable this feature. A desti‐
980 nation's pseudo-cohort failure count is reset each time a delivery com‐
981 pletes without connection or handshake failure for that specific desti‐
982 nation.
983
984 A pseudo-cohort is the number of deliveries equal to a destination's
985 delivery concurrency.
986
987 Use transport_destination_concurrency_failed_cohort_limit to specify a
988 transport-specific override, where transport is the master.cf name of
989 the message delivery transport.
990
991 This feature is available in Postfix 2.5. The default setting is com‐
992 patible with earlier Postfix versions.
993
995 The default maximal number of parallel deliveries to the same destina‐
996 tion. This is the default limit for delivery via the lmtp(8), pipe(8),
997 smtp(8) and virtual(8) delivery agents. With per-destination recipient
998 limit > 1, a destination is a domain, otherwise it is a recipient.
999
1000 Use transport_destination_concurrency_limit to specify a transport-spe‐
1001 cific override, where transport is the master.cf name of the message
1002 delivery transport.
1003
1005 The per-destination amount of delivery concurrency negative feedback,
1006 after a delivery completes with a connection or handshake failure.
1007 Feedback values are in the range 0..1 inclusive. With negative feed‐
1008 back, concurrency is decremented at the beginning of a sequence of
1009 length 1/feedback. This is unlike positive feedback, where concurrency
1010 is incremented at the end of a sequence of length 1/feedback.
1011
1012 As of Postfix version 2.5, negative feedback cannot reduce delivery
1013 concurrency to zero. Instead, a destination is marked dead (further
1014 delivery suspended) after the failed pseudo-cohort count reaches
1015 $default_destination_concurrency_failed_cohort_limit (or $trans‐
1016 port_destination_concurrency_failed_cohort_limit). To make the sched‐
1017 uler completely immune to connection or handshake failures, specify a
1018 zero feedback value and a zero failed pseudo-cohort limit.
1019
1020 Specify one of the following forms:
1021
1022 number
1023
1024 number / number
1025 Constant feedback. The value must be in the range 0..1 inclu‐
1026 sive. The default setting of "1" is compatible with Postfix
1027 versions before 2.5, where a destination's delivery concurrency
1028 is throttled down to zero (and further delivery suspended) after
1029 a single failed pseudo-cohort.
1030
1031 number / concurrency
1032 Variable feedback of "number / (delivery concurrency)". The
1033 number must be in the range 0..1 inclusive. With number equal to
1034 "1", a destination's delivery concurrency is decremented by 1
1035 after each failed pseudo-cohort.
1036
1037 A pseudo-cohort is the number of deliveries equal to a destination's
1038 delivery concurrency.
1039
1040 Use transport_destination_concurrency_negative_feedback to specify a
1041 transport-specific override, where transport is the master.cf name of
1042 the message delivery transport.
1043
1044 This feature is available in Postfix 2.5. The default setting is com‐
1045 patible with earlier Postfix versions.
1046
1048 The per-destination amount of delivery concurrency positive feedback,
1049 after a delivery completes without connection or handshake failure.
1050 Feedback values are in the range 0..1 inclusive. The concurrency
1051 increases until it reaches the per-destination maximal concurrency
1052 limit. With positive feedback, concurrency is incremented at the end of
1053 a sequence with length 1/feedback. This is unlike negative feedback,
1054 where concurrency is decremented at the start of a sequence of length
1055 1/feedback.
1056
1057 Specify one of the following forms:
1058
1059 number
1060
1061 number / number
1062 Constant feedback. The value must be in the range 0..1 inclu‐
1063 sive. The default setting of "1" is compatible with Postfix ver‐
1064 sions before 2.5, where a destination's delivery concurrency
1065 doubles after each successful pseudo-cohort.
1066
1067 number / concurrency
1068 Variable feedback of "number / (delivery concurrency)". The
1069 number must be in the range 0..1 inclusive. With number equal to
1070 "1", a destination's delivery concurrency is incremented by 1
1071 after each successful pseudo-cohort.
1072
1073 A pseudo-cohort is the number of deliveries equal to a destination's
1074 delivery concurrency.
1075
1076 Use transport_destination_concurrency_positive_feedback to specify a
1077 transport-specific override, where transport is the master.cf name of
1078 the message delivery transport.
1079
1080 This feature is available in Postfix 2.5 and later.
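
The interplay of the three preceding parameters (failed pseudo-cohort
limit, negative feedback, positive feedback) is easier to see by stepping
through deliveries. The following model is an added example written for
this page, not Postfix source: it re-implements the rules exactly as the
text states them. The starting concurrency, the concurrency limit and the
success/failure sequences are constructed inputs; the "1/concurrency"
arithmetic uses the concurrency in effect at each delivery.

```python
"""Per-destination concurrency feedback model (added example, not Postfix code)."""
from fractions import Fraction


def parse_feedback(spec):
    """Parse "number", "number / number" or "number / concurrency".

    Returns (value, per_concurrency). For the constant forms `value` is the
    quotient; for "number / concurrency" it is the numerator and the caller
    divides by the current concurrency. Values outside 0..1 are rejected.
    """
    parts = [p.strip() for p in spec.split("/")]
    if len(parts) > 2:
        raise ValueError("bad feedback: %r" % spec)
    value = Fraction(parts[0])
    per_concurrency = False
    if len(parts) == 2:
        if parts[1] == "concurrency":
            per_concurrency = True
        else:
            value = value / Fraction(parts[1])
    if not 0 <= value <= 1:
        raise ValueError("feedback must be in 0..1: %r" % spec)
    return value, per_concurrency


class Destination:
    """Delivery state for one destination (a domain or a recipient)."""

    def __init__(self, start, limit, positive, negative, cohort_limit):
        if start < 1:
            raise ValueError("starting concurrency must be >= 1")
        self.concurrency = start              # constructed starting value
        self.limit = limit                    # per-destination maximum
        self.positive = parse_feedback(positive)
        self.negative = parse_feedback(negative)
        self.cohort_limit = cohort_limit      # 0 disables dead-marking
        self.pos_credit = Fraction(0)         # progress through a success run
        self.neg_pos = Fraction(0)            # progress through a failure run
        self.failed_cohorts = Fraction(0)     # failures, in pseudo-cohort units
        self.dead = False

    def _rate(self, feedback):
        value, per_concurrency = feedback
        return value / self.concurrency if per_concurrency else value

    def deliver(self, ok):
        """Apply the feedback for one completed delivery."""
        if self.dead:
            raise RuntimeError("delivery is suspended for a dead destination")
        if ok:
            # A clean delivery resets the pseudo-cohort failure count.
            self.failed_cohorts = Fraction(0)
            # Positive feedback: increment at the END of a run of 1/feedback
            # successes ("1" = every success, "1/concurrency" = once per cohort).
            self.pos_credit += self._rate(self.positive)
            if self.pos_credit >= 1:
                self.concurrency = min(self.limit, self.concurrency + 1)
                self.pos_credit -= 1
            return
        # A pseudo-cohort is `concurrency` deliveries, so one failure is
        # 1/concurrency of a failed cohort.
        self.failed_cohorts += Fraction(1, self.concurrency)
        # Negative feedback: decrement at the START of a run of 1/feedback
        # failures; since Postfix 2.5 concurrency never drops below 1.
        rate = self._rate(self.negative)
        if rate > 0:
            if self.neg_pos == 0:
                self.concurrency = max(1, self.concurrency - 1)
            self.neg_pos += rate
            if self.neg_pos >= 1:
                self.neg_pos = Fraction(0)
        if self.cohort_limit > 0 and self.failed_cohorts >= self.cohort_limit:
            self.dead = True                  # further delivery suspended


def simulate(outcomes, start=2, limit=20, positive="1", negative="1",
             cohort_limit=1):
    """Feed 'S'/'F' outcomes to one destination; return (concurrency, dead)."""
    dest = Destination(start, limit, positive, negative, cohort_limit)
    for outcome in outcomes:
        dest.deliver(outcome == "S")
        if dest.dead:
            break
    return dest.concurrency, dest.dead


if __name__ == "__main__":
    # Pre-2.5-compatible "1": doubles per successful cohort, 2 -> 4 -> 8.
    print(simulate("SSSSSS"))
    # "1/concurrency": +1 per successful cohort, 2 -> 3 -> 4 after 5 successes.
    print(simulate("SSSSS", positive="1/concurrency"))
    # "1/concurrency" failures: -1 per failed cohort, dead after one full cohort.
    print(simulate("FFFF", start=4, negative="1/concurrency"))
```

The last run shows the Postfix 2.5 behaviour the text describes: with
cohort_limit left at 1, four consecutive failures from a concurrency of 4
complete one failed pseudo-cohort and the destination is marked dead while
its concurrency is still 3, rather than being throttled to zero.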

The default amount of delay that is inserted between individual
deliveries to the same destination; with per-destination recipient
limit > 1, a destination is a domain, otherwise it is a recipient.

To enable the delay, specify a non-zero time value (an integral value
plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

NOTE: the delay is enforced by the queue manager. The delay timer state
does not survive "postfix reload" or "postfix stop".

Use transport_destination_rate_delay to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

This feature is available in Postfix 2.5 and later.

The default maximal number of recipients per message delivery. This is
the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
virtual(8) delivery agents.

Setting this parameter to a value of 1 changes the meaning of the
corresponding per-destination concurrency limit from concurrency per
domain into concurrency per recipient.

Use transport_destination_recipient_limit to specify a
transport-specific override, where transport is the master.cf name of
the message delivery transport.

The default value for the extra per-transport limit imposed on the
number of in-memory recipients. This extra recipient space is reserved
for the cases when the Postfix queue manager's scheduler preempts one
message with another and suddenly needs some extra recipient slots for
the chosen message in order to avoid performance degradation.

Use transport_extra_recipient_limit to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

How many recipients a message must have in order to invoke the Postfix
queue manager's scheduling algorithm at all. Messages which would
never accumulate at least this many delivery slots (subject to the slot
cost parameter as well) are never preempted.

Use transport_minimum_delivery_slots to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.
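
The slot counter that the delivery slot cost, discount, loan and minimum
delivery slots parameters control can be modelled in a few lines. This is
an added example written for this page, not Postfix's queue manager code:
it follows the descriptions above (one slot per `cost` delivered
recipients, slots required = delivery agent invocations, a preemption
allowed when the shortfall is within discount percent plus loan, and the
borrowed slots repaid before the next preemption). The recipient counts,
the per-delivery recipient limit of 50 and the default minimum of 3 slots
used below are constructed inputs, not values taken from this manual.

```python
"""Delivery-slot preemption model (added example, not Postfix code)."""
import math
from fractions import Fraction


def worst_case_bounds(cost):
    """Worst-case slowdown of mailing-list mail: (cost+1)/cost .. cost/(cost-1)."""
    if cost < 2:
        raise ValueError("cost must be >= 2 (0 disables preemption)")
    return Fraction(cost + 1, cost), Fraction(cost, cost - 1)


def required_slots(recipients, recipient_limit):
    """Delivery agent invocations a message needs."""
    return math.ceil(recipients / recipient_limit)


class MessageSlots:
    """Slot accounting for the message currently being delivered."""

    def __init__(self, recipients, cost, recipient_limit, discount=0,
                 loan=0, minimum_delivery_slots=3):
        self.recipients = recipients
        self.cost = cost                          # *_delivery_slot_cost
        self.recipient_limit = recipient_limit    # assumed per-delivery limit
        self.discount = discount                  # *_delivery_slot_discount, percent
        self.loan = loan                          # *_delivery_slot_loan, slots
        self.minimum_delivery_slots = minimum_delivery_slots
        self.delivered = 0                        # recipients delivered so far
        self.spent = 0                            # slots handed to preemptors

    def record_delivery(self, recipients):
        self.delivered += recipients

    @property
    def available(self):
        """One slot per `cost` delivered recipients, minus slots already
        consumed by preemptions; negative while a loan is outstanding."""
        if self.cost == 0:
            return 0
        return self.delivered // self.cost - self.spent

    def eligible(self):
        """A message that would never accumulate minimum_delivery_slots
        slots is never preempted; cost 0 disables preemption entirely."""
        return (self.cost != 0 and
                self.recipients // self.cost >= self.minimum_delivery_slots)

    def try_preempt(self, other_recipients):
        """Let a message with `other_recipients` recipients preempt this one
        when its slot requirement, less the discount and loan allowance, is
        covered by the counter. The slots are charged in full, so any
        shortfall must be earned back before the next preemption."""
        if not self.eligible():
            return False
        need = required_slots(other_recipients, self.recipient_limit)
        shortfall = need - self.available
        if shortfall > Fraction(need * self.discount, 100) + self.loan:
            return False
        self.spent += need
        return True


if __name__ == "__main__":
    low, high = worst_case_bounds(5)
    print("cost 5 worst case: %s .. %s" % (low, high))   # 6/5 .. 5/4
    msg = MessageSlots(recipients=1000, cost=5, recipient_limit=50)
    print(msg.try_preempt(1))        # False: nothing accumulated yet
    msg.record_delivery(5)
    print(msg.try_preempt(1))        # True: one slot earned, one needed
    fast = MessageSlots(1000, 5, 50, discount=50, loan=3)
    print(fast.try_preempt(200))     # True: needs 4, shortfall 4 <= 2 + 3
    print(fast.available)            # -4: the loan is outstanding
```

Run with the default cost of 5, `worst_case_bounds` returns 6/5 and 5/4,
the 20-25 percent worst-case extension quoted above; with cost 2 it
returns 3/2 and 2, which is why 2 maximizes throughput at the expense of
mailing-list latency.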

The default rights used by the local(8) delivery agent for delivery to
external file or command. These rights are used when delivery is
requested from an aliases(5) file that is owned by root, or when
delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR
THE POSTFIX OWNER.

The default maximal number of Postfix child processes that provide a
given service. This limit can be overruled for specific services in the
master.cf file.

The default SMTP server response template for a request that is
rejected by an RBL-based restriction. This template can be overruled by
specific entries in the optional rbl_reply_maps lookup table.

This feature is available in Postfix 2.0 and later.

The template is subject to exactly one level of $name substitution:

$client
    The client hostname and IP address, formatted as name[address].

$client_address
    The client IP address.

$client_name
    The client hostname or "unknown". See
    reject_unknown_client_hostname for more details.

$reverse_client_name
    The client hostname from address->name lookup, or "unknown".
    See reject_unknown_reverse_client_hostname for more details.

$helo_name
    The hostname given in HELO or EHLO command or empty string.

$rbl_class
    The blacklisted entity type: Client host, Helo command, Sender
    address, or Recipient address.

$rbl_code
    The numerical SMTP response code, as specified with the
    maps_rbl_reject_code configuration parameter. Note: The
    numerical SMTP response code is required, and must appear at the
    start of the reply. With Postfix version 2.3 and later this
    information may be followed by an RFC 3463 enhanced status code.

$rbl_domain
    The RBL domain where $rbl_what is blacklisted.

$rbl_reason
    The reason why $rbl_what is blacklisted, or an empty string.

$rbl_what
    The entity that is blacklisted (an IP address, a hostname, a
    domain name, or an email address whose domain was blacklisted).

$recipient
    The recipient address or <> in case of the null address.

$recipient_domain
    The recipient domain or empty string.

$recipient_name
    The recipient address localpart or <> in case of the null address.

$sender
    The sender address or <> in case of the null address.

$sender_domain
    The sender domain or empty string.

$sender_name
    The sender address localpart or <> in case of the null address.

${name?text}
    Expands to `text' if $name is not empty.

${name:text}
    Expands to `text' if $name is empty.

Instead of $name you can also specify ${name} or $(name).

Note: when an enhanced status code is specified in an RBL reply
template, it is subject to modification. The following transformations
are needed when the same RBL reply template is used for client, helo,
sender, or recipient access restrictions.

· When rejecting a sender address, the Postfix SMTP server will
  transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
  corresponding sender DSN status, and vice versa.

· When rejecting non-address information (such as the HELO command
  argument or the client hostname/address), the Postfix SMTP
  server will transform a sender or recipient DSN status into a
  generic non-address DSN status (e.g., 4.0.0).

The default per-transport upper limit on the number of in-memory
recipients. These limits take priority over the global
qmgr_message_recipient_limit after the message has been assigned to the
respective transports. See also default_extra_recipient_limit and
qmgr_message_recipient_minimum.

Use transport_recipient_limit to specify a transport-specific override,
where transport is the master.cf name of the message delivery
transport.

The default per-transport maximum delay between recipient refills.
When not all message recipients fit into memory at once, keep loading
more of them at least once every this many seconds. This is used to
make sure the recipients are refilled in a timely manner even when
$default_recipient_refill_limit is too high for too slow deliveries.

Use transport_recipient_refill_delay to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

This feature is available in Postfix 2.4 and later.

The default per-transport limit on the number of recipients refilled at
once. When not all message recipients fit into memory at once, keep
loading more of them in batches of at least this many at a time. See
also $default_recipient_refill_delay, which may result in recipient
batches smaller than this when this limit is too high for too slow
deliveries.

Use transport_recipient_refill_limit to specify a transport-specific
override, where transport is the master.cf name of the message delivery
transport.

This feature is available in Postfix 2.4 and later.

The default mail delivery transport and next-hop destination for
destinations that do not match $mydestination, $inet_interfaces,
$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
$relay_domains. In order of decreasing precedence, the nexthop
destination is taken from $default_transport,
$sender_dependent_relayhost_maps, $relayhost, or from the recipient
domain. This information can be overruled with the transport(5) table.

Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
part is optional. For more details see the transport(5) manual page.

Example:

    default_transport = uucp:relayhostname

The two default VERP delimiter characters. These are used when no
explicit delimiters are specified with the SMTP XVERP command or with
the "sendmail -V" command-line option. Specify characters that are
allowed by the verp_delimiter_filter setting.

This feature is available in Postfix 1.1 and later.

The numerical Postfix SMTP server response code when a remote SMTP
client request is rejected by the "defer" restriction.

Do not change this unless you have a complete understanding of RFC
2821.

The name of the defer service. This service is implemented by the
bounce(8) daemon and maintains a record of failed delivery attempts and
generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The names of message delivery transports that should not deliver mail
unless someone issues "sendmail -q" or equivalent. Specify zero or more
names of mail delivery transports that appear in the first field of
master.cf.

Example:

    defer_transports = smtp

The maximal number of digits after the decimal point when logging
sub-second delay values. Specify a number in the range 0..6.

Large delay values are rounded off to an integral number of seconds;
delay values below the delay_logging_resolution_limit are logged as
"0", and small delay values are logged with at most two-digit
precision.

The format of the "delays=a/b/c/d" logging is as follows:

· a = time from message arrival to last active queue entry

· b = time from last active queue entry to connection setup

· c = time in connection setup, including DNS, EHLO and TLS

· d = time in message transmission

This feature is available in Postfix 2.3 and later.
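
The a/b/c/d breakdown is what you read when deliveries to a destination
slow down or when you suspect DNS or TLS trouble on the path: local
backlog shows up in a or b, a hanging handshake in c, a slow remote in d.
The parser below is an added example written for this page, not a Postfix
tool; the log lines it is fed are constructed to follow the delivery-log
layout shown by the "delays=a/b/c/d" description, and the 30-second
threshold for a slow connection setup is an assumed value.

```python
"""Parse and triage Postfix "delays=a/b/c/d" log fields (added example)."""
import re

STAGES = {
    "a": "message arrival to last active queue entry",
    "b": "last active queue entry to connection setup",
    "c": "connection setup (DNS, EHLO, TLS)",
    "d": "message transmission",
}

# Constructed sample log lines in the delivery-log layout; not real traffic.
SAMPLE_LOG = """\
Mar  1 12:00:01 mx1 postfix/smtp[2101]: 3F2C1A0B12: to=<user@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=125, delays=0.03/0.01/120/4.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  1 12:00:02 mx1 postfix/smtp[2102]: 4A1D2B0C34: to=<bob@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=3.2, delays=0.02/0.01/0.15/3, dsn=2.0.0, status=sent (250 OK)
Mar  1 12:05:00 mx1 postfix/local[2103]: 5B2E3C0D56: to=<alice@mx1.example.net>, relay=local, delay=0.21, delays=0.1/0.02/0/0.09, dsn=2.0.0, status=sent (delivered to mailbox)
Mar  1 12:06:00 mx1 postfix/smtpd[2104]: connect from unknown[203.0.113.7]
"""

_DELIVERY = re.compile(
    r"^(?P<stamp>\S+\s+\d+\s+[\d:]+)\s+\S+\s+postfix/(?P<daemon>\w+)\[\d+\]: "
    r"(?P<queue_id>[0-9A-F]+): .*?relay=(?P<relay>\S+?),.*?"
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)"
)


def parse_delivery(line):
    """Return a record for a delivery log line, or None for any other line."""
    m = _DELIVERY.search(line)
    if not m:
        return None
    rec = {key: m.group(key) for key in ("queue_id", "daemon", "relay")}
    rec["delays"] = {stage: float(m.group(stage)) for stage in "abcd"}
    return rec


def dominant_stage(delays):
    """Stage letter that accounts for the largest part of the total delay."""
    return max("abcd", key=lambda stage: delays[stage])


def slow_connection_setups(log_text, threshold=30.0):
    """(queue_id, relay, seconds) for deliveries whose stage c exceeded
    `threshold`: the signature of DNS timeouts or hanging TLS handshakes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec and rec["delays"]["c"] > threshold:
            hits.append((rec["queue_id"], rec["relay"], rec["delays"]["c"]))
    return hits


def stage_totals(log_text):
    """(delivery count, per-stage summed seconds) over a log excerpt."""
    totals = dict.fromkeys("abcd", 0.0)
    count = 0
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec:
            count += 1
            for stage in "abcd":
                totals[stage] += rec["delays"][stage]
    return count, totals


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_delivery(line)
        if rec:
            stage = dominant_stage(rec["delays"])
            print(rec["queue_id"], rec["relay"], "->", STAGES[stage])
    print(slow_connection_setups(SAMPLE_LOG))
```

Note that the parser keys on the four-field `delays=` form, so lines from
releases before 2.3, which lack it, are skipped rather than misread.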

The recipient of postmaster notifications with the message headers of
mail that cannot be delivered within $delay_warning_time time units.

This feature is enabled with the delay_warning_time parameter.

The time after which the sender receives the message headers of mail
that is still queued.

To enable this feature, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours).

The maximal number of attempts to acquire an exclusive lock on a
mailbox file or bounce(8) logfile.

The time between attempts to acquire an exclusive lock on a mailbox
file or bounce(8) logfile.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Make the queue manager's feedback algorithm verbose for performance
analysis purposes.

This feature is available in Postfix 2.5 and later.

Automatically detect 8BITMIME body content by looking at
Content-Transfer-Encoding: message headers; historically, this behavior
was hard-coded to be "always on".

This feature is available in Postfix 2.5 and later.

Disable DNS lookups in the Postfix SMTP and LMTP clients. When
disabled, hosts are looked up with the getaddrinfo() system library
routine which normally also looks in /etc/hosts.

DNS lookups are enabled by default.

Turn off MIME processing while receiving mail. This means that no
special treatment is given to Content-Type: message headers, and that
all text after the initial message headers is considered to be part of
the message body.

This feature is available in Postfix 2.0 and later.

MIME input processing is enabled by default, and is needed in order to
recognize MIME headers in message content.

Disable the conversion of 8BITMIME format to 7BIT format. MIME output
conversion is needed when the destination does not advertise 8BITMIME
support.

This feature is available in Postfix 2.0 and later.

Disable sending one bounce report per recipient.

The default, one per recipient, is what ezmlm needs.

This feature is available in Postfix 1.1 and later.

Disable the SMTP VRFY command. This stops some techniques used to
harvest email addresses.

Example:

    disable_vrfy_command = no

Don't remove queue files and save them to the "saved" mail queue. This
is a debugging aid. To inspect the envelope information and content of
a Postfix queue file, use the postcat(1) command.

The sender address of postmaster notifications that are generated by
the mail system. All mail to this address is silently discarded, in
order to terminate mail bounce loops.

The maximal number of addresses remembered by the address duplicate
filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
queue displays.

The recipient of mail addressed to the null address. Postfix does not
accept such addresses in SMTP commands, but they may still be created
locally as the result of configuration or software error.

The sender_dependent_relayhost_maps search string that will be used
instead of the null sender address.

This feature is available in Postfix 2.5 and later. With earlier
versions, sender_dependent_relayhost_maps lookups were skipped for the
null sender address.

Report mail delivery errors to the address specified with the
non-standard Errors-To: message header, instead of the envelope sender
address (this feature is removed with Postfix version 2.2, is turned
off by default with Postfix version 2.1, and is always turned on with
older Postfix versions).

Enable support for the X-Original-To message header. This header is
needed for multi-recipient mailboxes.

When this parameter is set to yes, the cleanup(8) daemon performs
duplicate elimination on distinct pairs of (original recipient,
rewritten recipient), and generates non-empty original recipient queue
file records.

When this parameter is set to no, the cleanup(8) daemon performs
duplicate elimination on the rewritten recipient address only, and
generates empty original recipient queue file records.

This feature is available in Postfix 2.1 and later. With Postfix
version 2.0, support for the X-Original-To message header is always
turned on. Postfix versions before 2.0 have no support for the
X-Original-To message header.

The recipient of postmaster notifications about mail delivery problems
that are caused by policy, resource, software or protocol errors.
These notifications are enabled with the notify_classes parameter.

The name of the error(8) pseudo delivery agent. This service always
returns mail as undeliverable.

This feature is available in Postfix 2.0 and later.

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $command_execution_directory. Characters outside
the allowed set are replaced by underscores.

This feature is available in Postfix 2.2 and later.

When delivering to an alias "aliasname" that has an "owner-aliasname"
companion alias, set the envelope sender address to the expansion of
the "owner-aliasname" alias. Normally, Postfix sets the envelope sender
address to the name of the "owner-aliasname" alias.

The list of environment variables that a Postfix process will export to
non-Postfix processes. The TZ variable is needed for sane time keeping
on System-V-ish systems.

Specify a list of names and/or name=value pairs, separated by
whitespace or comma. The name=value form is supported with Postfix
version 2.1 and later.

Example:

    export_environment = TZ PATH=/bin:/usr/bin

The maximal number of recipient addresses that Postfix will extract
from message headers when mail is submitted with "sendmail -t".

This feature was removed in Postfix version 2.1.

Optional list of relay hosts for SMTP destinations that can't be found
or that are unreachable. With Postfix 2.3 this parameter is renamed to
smtp_fallback_relay.

By default, mail is returned to the sender when a destination is not
found, and delivery is deferred when a destination is unreachable.

The fallback relays must be SMTP destinations. Specify a domain, host,
host:port, [host]:port, [address] or [address]:port; the form [host]
turns off MX lookups. If you specify multiple SMTP destinations,
Postfix will try them in the specified order.

Note: before Postfix 2.2, do not use the fallback_relay feature when
relaying mail for a backup or primary MX domain. Mail would loop
between the Postfix MX host and the fallback_relay host when the final
destination is unavailable.

· In main.cf specify "relay_transport = relay",

· In master.cf specify "-o fallback_relay =" (i.e., empty) at the
  end of the relay entry.

· In transport maps, specify "relay:nexthop..." as the right-hand
  side for backup or primary MX domain entries.

Postfix version 2.2 and later will not use the fallback_relay feature
for destinations that it is MX host for.

Optional message delivery transport that the local(8) delivery agent
should use for names that are not found in the aliases(5) or UNIX
password database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

Optional lookup tables with per-recipient message delivery transports
for recipients that the local(8) delivery agent could not find in the
aliases(5) or UNIX password database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and
luser_relay.

For safety reasons, this feature does not allow $number substitutions
in regular expression maps.

This feature is available in Postfix 2.3 and later.

Optional list of destinations that are eligible for per-destination
logfiles with mail that is queued to those destinations.

By default, Postfix maintains "fast flush" logfiles only for
destinations that the Postfix SMTP server is willing to relay to (i.e.
the default is: "fast_flush_domains = $relay_domains"; see the
relay_domains parameter in the postconf(5) manual).

Specify a list of hosts or domains, "/file/name" patterns or
"type:table" lookup tables, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace. A
"/file/name" pattern is replaced by its contents; a "type:table" lookup
table is matched when the domain or its parent domain appears as lookup
key.

Specify "fast_flush_domains =" (i.e., empty) to disable the feature
altogether.

The time after which an empty per-destination "fast flush" logfile is
deleted.

You can specify the time as a number, or as a number followed by a
letter that indicates the time unit: s=seconds, m=minutes, h=hours,
d=days, w=weeks. The default time unit is days.

The time after which a non-empty but unread per-destination "fast
flush" logfile needs to be refreshed. The contents of a logfile are
refreshed by requesting delivery of all messages listed in the logfile.

You can specify the time as a number, or as a number followed by a
letter that indicates the time unit: s=seconds, m=minutes, h=hours,
d=days, w=weeks. The default time unit is hours.

Force specific internal tests to fail, to test the handling of errors
that are difficult to reproduce otherwise.

The name of the flush(8) service. This service maintains
per-destination logfiles with the queue file names of mail that is
queued for those destinations.

This feature is available in Postfix 2.0 and later.

The maximal number of attempts to fork() a child process.

The delay between attempts to fork() a child process.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $forward_path. Characters outside the allowed set
are replaced by underscores.

The local(8) delivery agent search list for finding a .forward file
with user-specified delivery methods. The first file that is found is
used.

The following $name expansions are done on forward_path before the
search actually happens. The result of $name expansion is filtered with
the character set that is specified with the forward_expansion_filter
parameter.

$user
    The recipient's username.

$shell
    The recipient's login shell pathname.

$home
    The recipient's home directory.

$recipient
    The full recipient address.

$extension
    The optional recipient address extension.

$domain
    The recipient domain.

$local
    The entire recipient localpart.

$recipient_delimiter
    The system-wide recipient address extension delimiter.

${name?value}
    Expands to value when $name is non-empty.

${name:value}
    Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

Examples:

    forward_path = /var/forward/$user
    forward_path =
        /var/forward/$user/.forward$recipient_delimiter$extension,
        /var/forward/$user/.forward

1678 Update the local(8) delivery agent's idea of the Delivered-To: address
1679 (see prepend_delivered_header) only once, at the start of a delivery
1680 attempt; do not update the Delivered-To: address while expanding
1681 aliases or .forward files.
1682
1683 This feature is available in Postfix 2.3 and later. With older Postfix
1684 releases, the behavior is as if this parameter is set to "no". The old
1685 setting can be expensive with deeply nested aliases or .forward files.
1686 When an alias or .forward file changes the Delivered-To: address, it
1687 ties up one queue file and one cleanup process instance while mail is
1688 being forwarded.
1689
1691 The number of subdirectory levels for queue directories listed with the
1692 hash_queue_names parameter.
1693
1694 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
1695 cute the command "postfix reload".
1696
1698 The names of queue directories that are split across multiple subdirec‐
1699 tory levels.
1700
1701 Before Postfix version 2.2, the default list of hashed queues was sig‐
1702 nificantly larger. Claims about improvements in file system technology
1703 suggest that hashing of the incoming and active queues is no longer
1704 needed. Fewer hashed directories speed up the time needed to restart
1705 Postfix.
1706
1707 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
1708 cute the command "postfix reload".
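As an added example (not Postfix code), the Python function below computes
where a given queue file lives under these two parameters, which is what
you need when a log line gives you a queue ID and you want the queue file
for forensics. The defaults assumed here are queue_directory =
/var/spool/postfix, hash_queue_names = deferred, defer and
hash_queue_depth = 1, and the layout assumed is one subdirectory per
leading character of the short hexadecimal queue IDs this manual
describes; confirm with "postconf queue_directory hash_queue_names
hash_queue_depth". The queue ID is constructed.

```python
import posixpath

# Assumed defaults for this Postfix generation (confirm with
# "postconf queue_directory hash_queue_names hash_queue_depth").
DEFAULT_QUEUE_DIRECTORY = "/var/spool/postfix"
DEFAULT_HASH_QUEUE_NAMES = ("deferred", "defer")
DEFAULT_HASH_QUEUE_DEPTH = 1


def parse_hash_queue_names(value):
    """Parse a main.cf-style list ("deferred, defer") into a tuple."""
    return tuple(n for n in value.replace(",", " ").split() if n)


def queue_file_path(queue_name, queue_id,
                    queue_directory=DEFAULT_QUEUE_DIRECTORY,
                    hash_queue_names=DEFAULT_HASH_QUEUE_NAMES,
                    hash_queue_depth=DEFAULT_HASH_QUEUE_DEPTH):
    """Return the path of queue file 'queue_id' in queue 'queue_name'.

    Assumption: a hashed queue gets one subdirectory level per leading
    character of the queue ID (depth 1: deferred/4/4F2A1B3C5D, depth 2:
    deferred/4/F/4F2A1B3C5D); an unhashed queue keeps its files directly
    in the queue's top directory."""
    if not queue_id or not queue_id.isalnum():
        raise ValueError("queue ID must be alphanumeric: %r" % queue_id)
    if hash_queue_depth < 0 or hash_queue_depth > len(queue_id):
        raise ValueError("hash_queue_depth out of range for %r" % queue_id)
    parts = [queue_directory, queue_name]
    if queue_name in hash_queue_names:
        parts.extend(queue_id[:hash_queue_depth])   # one directory per character
    parts.append(queue_id)
    return posixpath.join(*parts)


if __name__ == "__main__":
    qid = "4F2A1B3C5D"  # constructed queue ID
    for q in ("incoming", "active", "deferred"):
        print(q, "->", queue_file_path(q, qid))
    print("deferred (depth 2) ->", queue_file_path("deferred", qid, hash_queue_depth=2))
```

Remember that the setting in main.cf is only authoritative after
"postfix reload"; when comparing a running system against its main.cf,
read the values with postconf rather than from the file.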
1709
1711 The maximal number of address tokens that are allowed in an address message
1712 header. Information that exceeds the limit is discarded. The limit is
1713 enforced by the cleanup(8) server.
1714
1716 Optional lookup tables for content inspection of primary non-MIME mes‐
1717 sage headers, as specified in the header_checks(5) manual page.
1718
1720 The maximal amount of memory in bytes for storing a message header. If
1721 a header is larger, the excess is discarded. The limit is enforced by
1722 the cleanup(8) server.
1723
1725 Log warnings about problematic configuration settings, and provide
1726 helpful suggestions.
1727
1728 This feature is available in Postfix 2.0 and later.
1729
1731 Optional pathname of a mailbox file relative to a local(8) user's home
1732 directory.
1733
1734 Specify a pathname ending in "/" for qmail-style delivery.
1735
1736 The precedence of local(8) delivery features from high to low is:
1737 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
1738 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
1739 tory, fallback_transport_maps, fallback_transport and luser_relay.
1740
1741 Examples:
1742
1743 home_mailbox = Mailbox
1744 home_mailbox = Maildir/
1745
1747 The maximal number of Received: message headers that is allowed in the
1748 primary message headers. A message that exceeds the limit is bounced,
1749 in order to stop a mailer loop.
1750
1752 The location of Postfix HTML files that describe how to build, config‐
1753 ure or operate a specific Postfix subsystem or feature.
1754
1756 Ignore DNS MX lookups that produce no response. By default, the Post‐
1757 fix SMTP client defers delivery and tries again after some delay. This
1758 behavior is required by the SMTP standard.
1759
1760 Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
1761 instead. This violates the SMTP standard and can result in mis-delivery
1762 of mail.
1763
1765 The list of environment parameters that a Postfix process will import
1766 from a non-Postfix parent process. Examples of relevant parameters:
1767
1768 TZ Needed for sane time keeping on most System-V-ish systems.
1769
1770 DISPLAY
1771 Needed for debugging Postfix daemons with an X-windows debugger.
1772
1773 XAUTHORITY
1774 Needed for debugging Postfix daemons with an X-windows debugger.
1775
1776 MAIL_CONFIG
1777 Needed to make "postfix -c" work.
1778
1779 Specify a list of names and/or name=value pairs, separated by white‐
1780 space or comma. The name=value form is supported with Postfix version
1781 2.1 and later.
1782
1784 Time to pause before accepting a new message, when the message arrival
1785 rate exceeds the message delivery rate. This feature is turned on by
1786 default (it's disabled on SCO UNIX due to an SCO bug).
1787
1788 With the default 100 SMTP server process limit, "in_flow_delay = 1s"
1789 limits the mail inflow to 100 messages per second above the number of
1790 messages delivered per second.
1791
1792 Specify 0 to disable the feature. Valid delays are 0..10.
1793
1795 The network interface addresses that this mail system receives mail on.
1796 Specify "all" to receive mail on all network interfaces (default), and
1797 "loopback-only" to receive mail on loopback network interfaces only
1798 (Postfix version 2.2 and later). The parameter also controls delivery
1799 of mail to user@[ip.address].
1800
1801 Note 1: you need to stop and start Postfix when this parameter changes.
1802
1803 Note 2: address information may be enclosed inside [], but this form is
1804 not required here.
1805
1806 When inet_interfaces specifies just one IPv4 and/or IPv6 address that
1807 is not a loopback address, the Postfix SMTP client will use this
1808 address as the IP source address for outbound mail. Support for IPv6 is
1809 available in Postfix version 2.2 and later.
1810
1811 On a multi-homed firewall with separate Postfix instances listening on
1812 the "inside" and "outside" interfaces, this can prevent each instance
1813 from being able to reach servers on the "other side" of the firewall.
1814 Setting smtp_bind_address to 0.0.0.0 avoids the potential problem for
1815 IPv4, and setting smtp_bind_address6 to :: solves the problem for IPv6.
1816
1817 A better solution for multi-homed firewalls is to leave inet_interfaces
1818 at the default value and instead use explicit IP addresses in the mas‐
1819 ter.cf SMTP server definitions. This preserves the Postfix SMTP
1820 client's loop detection, by ensuring that each side of the firewall
1821 knows that the other IP address is still the same host. Setting
1822 $inet_interfaces to a single IPv4 and/or IPv6 address is primarily
1823 useful with virtual hosting of domains on secondary IP addresses, when
1824 each IP address serves a different domain (and has a different $myhost‐
1825 name setting).
1826
1827 See also the proxy_interfaces parameter, for network addresses that are
1828 forwarded to Postfix by way of a proxy or address translator.
1829
1830 Examples:
1831
1832 inet_interfaces = all (DEFAULT)
1833 inet_interfaces = loopback-only (Postfix version 2.2 and later)
1834 inet_interfaces = 127.0.0.1
1835 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
1836 inet_interfaces = 192.168.1.2, 127.0.0.1
1837
1839 The Internet protocols Postfix will attempt to use when making or
1840 accepting connections. Specify one or more of "ipv4" or "ipv6", sepa‐
1841 rated by whitespace or commas. The form "all" is equivalent to "ipv4,
1842 ipv6" or "ipv4", depending on whether the operating system implements
1843 IPv6.
1844
1845 This feature is available in Postfix 2.2 and later.
1846
1847 Note: you MUST stop and start Postfix after changing this parameter.
1848
1849 On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
1850 will also accept IPv4 connections, even when IPv4 is turned off with
1851 the inet_protocols parameter. On systems with IPV6_V6ONLY support,
1852 Postfix will use separate server sockets for IPv6 and IPv4, and each
1853 will accept only connections for the corresponding protocol.
1854
1855 When IPv4 support is enabled via the inet_protocols parameter, Postfix
1856 will do DNS type A record lookups, and will convert IPv4-in-IPv6 client
1857 IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
1858 The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
1859 3493).
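The conversion of ::ffff:1.2.3.4 to 1.2.3.4 matters for any decision keyed
on the client address: a CIDR list written for IPv4 does not match the
IPv4-in-IPv6 form unless the address is normalised first. The Python below
is an added example, not Postfix code; it shows the mismatch and the
normalisation for your own tooling (policy services, log analysis) that
may see either form. The addresses and networks are constructed.

```python
import ipaddress


def normalize_client_address(text):
    """Return an ipaddress object for a client address the way Postfix
    treats it: an IPv4-in-IPv6 address (::ffff:1.2.3.4) becomes plain IPv4,
    and surrounding [] (the form used in main.cf lists) is tolerated."""
    addr = ipaddress.ip_address(text.strip().strip("[]"))
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _network(text):
    """Accept main.cf forms such as 192.168.1.0/24 or [::1]/128."""
    return ipaddress.ip_network(text.replace("[", "").replace("]", ""), strict=False)


def raw_match(networks, client):
    """Match without normalisation: a mapped IPv6 address never matches
    an IPv4 network, even though it names the same host."""
    addr = ipaddress.ip_address(client.strip().strip("[]"))
    return any(addr in _network(n) for n in networks)


def client_matches(networks, client):
    """Match the way an address-keyed access decision should be made:
    normalise the client address first, then compare."""
    addr = normalize_client_address(client)
    return any(addr in _network(n) for n in networks)


if __name__ == "__main__":
    # Constructed allow-list and client addresses.
    allowed = ["127.0.0.0/8", "[::1]/128", "192.168.1.0/24"]
    for client in ("192.168.1.20", "::ffff:192.168.1.20", "[::1]", "::ffff:10.0.0.1"):
        print("%-22s raw=%-5s normalised=%-5s -> %s" % (
            client, raw_match(allowed, client), client_matches(allowed, client),
            normalize_client_address(client)))
```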
1860
1861 When IPv6 support is enabled via the inet_protocols parameter, Postfix
1862 will do DNS type AAAA record lookups.
1863
1864 When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
1865 will attempt to connect via IPv6 before attempting to use IPv4.
1866
1867 Examples:
1868
1869 inet_protocols = ipv4 (DEFAULT)
1870 inet_protocols = all
1871 inet_protocols = ipv6
1872 inet_protocols = ipv4, ipv6
1873
1875 The initial per-destination concurrency level for parallel delivery to
1876 the same destination. With per-destination recipient limit > 1, a des‐
1877 tination is a domain, otherwise it is a recipient.
1878
1879 Use transport_initial_destination_concurrency to specify a transport-
1880 specific override, where transport is the master.cf name of the message
1881 delivery transport (Postfix 2.5 and later).
1882
1883 Warning: with concurrency of 1, one bad message can be enough to block
1884 all mail to a site.
1885
1887 What categories of Postfix-generated mail are subject to before-queue
1888 content inspection by non_smtpd_milters, header_checks and body_checks.
1889 Specify zero or more of the following, separated by whitespace or
1890 comma.
1891
1892 bounce Inspect the content of delivery status notifications.
1893
1894 notify Inspect the content of postmaster notifications by the smtp(8)
1895 and smtpd(8) processes.
1896
1897 NOTE: It's generally not safe to enable content inspection of Postfix-
1898 generated email messages. The user is warned.
1899
1900 This feature is available in Postfix 2.3 and later.
1901
1903 The numerical Postfix SMTP server response code when the client HELO or
1904 EHLO command parameter is rejected by the reject_invalid_helo_hostname
1905 restriction.
1906
1907 Do not change this unless you have a complete understanding of RFC
1908 2821.
1909
1911 The time after which a client closes an idle internal communication
1912 channel. The purpose is to allow servers to terminate voluntarily
1913 after they become idle. This is used, for example, by the address
1914 resolving and rewriting clients.
1915
1916 With Postfix 2.4 the default value was reduced from 100s to 5s.
1917
1918 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1919 The default time unit is s (seconds).
1920
1922 The time limit for sending or receiving information over an internal
1923 communication channel. The purpose is to break out of deadlock situa‐
1924 tions. If the time limit is exceeded the software aborts with a fatal
1925 error.
1926
1927 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1928 The default time unit is s (seconds).
1929
1931 The time after which a client closes an active internal communication
1932 channel. The purpose is to allow servers to terminate voluntarily
1933 after reaching their client limit. This is used, for example, by the
1934 address resolving and rewriting clients.
1935
1936 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1937 The default time unit is s (seconds).
1938
1939 This feature is available in Postfix 2.1 and later.
1940
1942 Upon input, long lines are chopped up into pieces of at most this
1943 length; upon delivery, long lines are reconstructed.
1944
1946 When an LMTP server announces no DSN support, assume that the server
1947 performs final delivery, and send "delivered" delivery status notifica‐
1948 tions instead of "relayed". The default setting is backwards compatible
1949 to avoid the infinitesimal possibility of breaking existing LMTP-based
1950 content filters.
1951
1953 The LMTP-specific version of the smtp_bind_address configuration param‐
1954 eter. See there for details.
1955
1956 This feature is available in Postfix 2.3 and later.
1957
1959 The LMTP-specific version of the smtp_bind_address6 configuration
1960 parameter. See there for details.
1961
1962 This feature is available in Postfix 2.3 and later.
1963
1965 Keep Postfix LMTP client connections open for up to $max_idle seconds.
1966 When the LMTP client receives a request for the same connection the
1967 connection is reused.
1968
1969 This parameter is available in Postfix version 2.2 and earlier. With
1970 Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
1971 lmtp_connection_cache_destinations, or lmtp_connection_re‐
1972 use_time_limit.
1973
1974 The effectiveness of cached connections will be determined by the num‐
1975 ber of LMTP servers in use, and the concurrency limit specified for the
1976 LMTP client. Cached connections are closed under any of the following
1977 conditions:
1978
1979 · The LMTP client idle time limit is reached. This limit is spec‐
1980 ified with the Postfix max_idle configuration parameter.
1981
1982 · A delivery request specifies a different destination than the
1983 one currently cached.
1984
1985 · The per-process limit on the number of delivery requests is
1986 reached. This limit is specified with the Postfix max_use con‐
1987 figuration parameter.
1988
1989 · Upon the onset of another delivery request, the LMTP server
1990 associated with the current session does not respond to the RSET
1991 command.
1992
1993 Most of these limitations will be removed after Postfix implements a
1994 connection cache that is shared among multiple LMTP client programs.
1995
1997 The LMTP-specific version of the smtp_cname_overrides_servername con‐
1998 figuration parameter. See there for details.
1999
2000 This feature is available in Postfix 2.3 and later.
2001
2003 The LMTP client time limit for completing a TCP connection, or zero
2004 (use the operating system built-in time limit). When no connection can
2005 be made within the deadline, the LMTP client tries the next address on
2006 the mail exchanger list.
2007
2008 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2009 The default time unit is s (seconds).
2010
2011 Example:
2012
2013 lmtp_connect_timeout = 30s
2014
2016 The LMTP-specific version of the smtp_connection_cache_destinations
2017 configuration parameter. See there for details.
2018
2019 This feature is available in Postfix 2.3 and later.
2020
2022 The LMTP-specific version of the smtp_connection_cache_on_demand con‐
2023 figuration parameter. See there for details.
2024
2025 This feature is available in Postfix 2.3 and later.
2026
2028 The LMTP-specific version of the smtp_connection_cache_time_limit con‐
2029 figuration parameter. See there for details.
2030
2031 This feature is available in Postfix 2.3 and later.
2032
2034 The LMTP-specific version of the smtp_connection_reuse_time_limit con‐
2035 figuration parameter. See there for details.
2036
2037 This feature is available in Postfix 2.3 and later.
2038
2040 The LMTP client time limit for sending the LMTP ".", and for receiving
2041 the server response. When no response is received within the deadline,
2042 a warning is logged that the mail may be delivered multiple times.
2043
2044 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2045 The default time unit is s (seconds).
2046
2048 The LMTP client time limit for sending the LMTP DATA command, and for
2049 receiving the server response.
2050
2051 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2052 The default time unit is s (seconds).
2053
2055 The LMTP client time limit for sending the LMTP message content. When
2056 the connection stalls for more than $lmtp_data_xfer_timeout the LMTP
2057 client terminates the transfer.
2058
2059 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2060 The default time unit is s (seconds).
2061
2063 The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2064 figuration parameter. See there for details.
2065
2066 This feature is available in Postfix 2.3 and later.
2067
2069 rency_limit)
2070 The maximal number of parallel deliveries to the same destination via
2071 the lmtp message delivery transport. This limit is enforced by the
2072 queue manager. The message delivery transport name is the first field
2073 in the entry in the master.cf file.
2074
2076 ent_limit)
2077 The maximal number of recipients per message for the lmtp message
2078 delivery transport. This limit is enforced by the queue manager. The
2079 message delivery transport name is the first field in the entry in the
2080 master.cf file.
2081
2082 Setting this parameter to a value of 1 changes the meaning of lmtp_des‐
2083 tination_concurrency_limit from concurrency per domain into concurrency
2084 per recipient.
2085
2087 Lookup tables, indexed by the remote LMTP server address, with case
2088 insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
2089 that the LMTP client will ignore in the LHLO response from a remote
2090 LMTP server. See lmtp_discard_lhlo_keywords for details. The table is
2091 not indexed by hostname for consistency with smtpd_discard_ehlo_key‐
2092 word_address_maps.
2093
2094 This feature is available in Postfix 2.3 and later.
2095
2097 A case insensitive list of LHLO keywords (pipelining, starttls, auth,
2098 etc.) that the LMTP client will ignore in the LHLO response from a
2099 remote LMTP server.
2100
2101 This feature is available in Postfix 2.3 and later.
2102
2103 Notes:
2104
2105 · Specify the silent-discard pseudo keyword to prevent this action
2106 from being logged.
2107
2108 · Use the lmtp_discard_lhlo_keyword_address_maps feature to dis‐
2109 card LHLO keywords selectively.
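An added example (not Postfix code) of what this setting does to an LHLO
response: the Python below parses a constructed multi-line 250 reply,
applies a case-insensitive discard list with the silent-discard pseudo
keyword, and reports what the client would still believe the server
offers. The server name in the reply is a placeholder. Note the last case:
discarding "starttls" makes the client behave as if the server had never
offered STARTTLS, so an opportunistic TLS policy falls back to plaintext.

```python
import re

SILENT_DISCARD = "silent-discard"
_REPLY = re.compile(r"^250([ -])(.*)$")


def parse_lhlo_response(lines):
    """Parse a multi-line 250 reply to LHLO (same layout as EHLO): the first
    line carries the server name, each following line one keyword plus
    optional parameters. Returns (server_name, [(KEYWORD, params), ...])."""
    if not lines:
        raise ValueError("empty LHLO response")
    texts = []
    last = len(lines) - 1
    for k, line in enumerate(lines):
        m = _REPLY.match(line.rstrip("\r\n"))
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        sep, text = m.groups()
        if sep == " " and k != last:
            raise ValueError("reply ended before the last line: %r" % line)
        if sep == "-" and k == last:
            raise ValueError("reply continues past the last line: %r" % line)
        texts.append(text)
    first = texts[0].split()
    server_name = first[0] if first else ""
    features = []
    for text in texts[1:]:
        words = text.split()
        if words:
            features.append((words[0].upper(), words[1:]))
    return server_name, features


def parse_discard_list(value):
    """main.cf list: comma and/or whitespace separated, case insensitive."""
    return {w.lower() for w in value.replace(",", " ").split() if w}


def filter_lhlo_keywords(lines, discard_value):
    """Apply lmtp_discard_lhlo_keywords. Returns (kept, discarded, log):
    'kept' is the feature list the client goes on to use, 'discarded' the
    keyword names dropped, and 'log' is False when the silent-discard
    pseudo keyword is present in the setting."""
    discard = parse_discard_list(discard_value)
    log = SILENT_DISCARD not in discard
    discard.discard(SILENT_DISCARD)
    _, features = parse_lhlo_response(lines)
    kept, dropped = [], []
    for keyword, params in features:
        (dropped if keyword.lower() in discard else kept).append((keyword, params))
    return kept, [k for k, _ in dropped], log


def starttls_offered(kept):
    """Whether the client, after filtering, still sees a STARTTLS offer."""
    return any(k == "STARTTLS" for k, _ in kept)


if __name__ == "__main__":
    # Constructed LHLO reply from a hypothetical LMTP server.
    reply = [
        "250-lmtp.example.internal",
        "250-PIPELINING",
        "250-STARTTLS",
        "250-AUTH PLAIN LOGIN",
        "250 8BITMIME",
    ]
    for setting in ("pipelining", "pipelining, silent-discard", "StartTLS"):
        kept, dropped, log = filter_lhlo_keywords(reply, setting)
        print("%-28s keep=%s drop=%s logged=%s starttls=%s" % (
            setting, [k for k, _ in kept], dropped, log, starttls_offered(kept)))
```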
2110
2112 The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2113 ter. See there for details.
2114
2115 This feature is available in Postfix 2.3 and later.
2116
2118 The LMTP-specific version of the smtp_generic_maps configuration param‐
2119 eter. See there for details.
2120
2121 This feature is available in Postfix 2.3 and later.
2122
2124 The LMTP-specific version of the smtp_host_lookup configuration parame‐
2125 ter. See there for details.
2126
2127 This feature is available in Postfix 2.3 and later.
2128
2130 The hostname to send in the LMTP LHLO command.
2131
2132 The default value is the machine hostname. Specify a hostname or
2133 [ip.add.re.ss].
2134
2135 This information can be specified in the main.cf file for all LMTP
2136 clients, or it can be specified in the master.cf file for a specific
2137 client, for example:
2138
2139 /etc/postfix/master.cf:
2140 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2141
2142 This feature is available in Postfix 2.3 and later.
2143
2145 The LMTP client time limit for sending the LHLO command, and for
2146 receiving the initial server response.
2147
2148 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2149 The default time unit is s (seconds).
2150
2152 The LMTP-specific version of the smtp_line_length_limit configuration
2153 parameter. See there for details.
2154
2155 This feature is available in Postfix 2.3 and later.
2156
2158 The LMTP client time limit for sending the MAIL FROM command, and for
2159 receiving the server response.
2160
2161 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2162 The default time unit is s (seconds).
2163
2165 The LMTP-specific version of the smtp_mx_address_limit configuration
2166 parameter. See there for details.
2167
2168 This feature is available in Postfix 2.3 and later.
2169
2171 The LMTP-specific version of the smtp_mx_session_limit configuration
2172 parameter. See there for details.
2173
2174 This feature is available in Postfix 2.3 and later.
2175
2177 The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2178 uration parameter. See there for details.
2179
2180 This feature is available in Postfix 2.3 and later.
2181
2183 The LMTP-specific version of the smtp_pix_workaround_maps configuration
2184 parameter. See there for details.
2185
2186 This feature is available in Postfix 2.4 and later.
2187
2189 The LMTP-specific version of the smtp_pix_workaround_threshold_time
2190 configuration parameter. See there for details.
2191
2192 This feature is available in Postfix 2.3 and later.
2193
2195 The LMTP-specific version of the smtp_pix_workaround configuration
2196 parameter. See there for details.
2197
2198 This feature is available in Postfix 2.4 and later.
2199
2201 The LMTP client time limit for sending the QUIT command, and for
2202 receiving the server response.
2203
2204 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2205 The default time unit is s (seconds).
2206
2208 The LMTP-specific version of the smtp_quote_rfc821_envelope configura‐
2209 tion parameter. See there for details.
2210
2211 This feature is available in Postfix 2.3 and later.
2212
2214 The LMTP-specific version of the smtp_randomize_addresses configuration
2215 parameter. See there for details.
2216
2217 This feature is available in Postfix 2.3 and later.
2218
2220 The LMTP client time limit for sending the RCPT TO command, and for
2221 receiving the server response.
2222
2223 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2224 The default time unit is s (seconds).
2225
2227 The LMTP client time limit for sending the RSET command, and for
2228 receiving the server response. The LMTP client sends RSET in order to
2229 finish a recipient address probe, or to verify that a cached connection
2230 is still alive.
2231
2232 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2233 The default time unit is s (seconds).
2234
2236 The LMTP-specific version of the smtp_sasl_auth_cache_name configura‐
2237 tion parameter. See there for details.
2238
2239 This feature is available in Postfix 2.5 and later.
2240
2242 The LMTP-specific version of the smtp_sasl_auth_cache_time configura‐
2243 tion parameter. See there for details.
2244
2245 This feature is available in Postfix 2.5 and later.
2246
2248 Enable SASL authentication in the Postfix LMTP client.
2249
2251 The LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2252 tion parameter. See there for details.
2253
2254 This feature is available in Postfix 2.5 and later.
2255
2257 The LMTP-specific version of the smtp_sasl_mechanism_filter configura‐
2258 tion parameter. See there for details.
2259
2260 This feature is available in Postfix 2.3 and later.
2261
2263 Optional LMTP client lookup tables with one username:password entry per
2264 host or domain. If a remote host or domain has no username:password
2265 entry, then the Postfix LMTP client will not attempt to authenticate to
2266 the remote host.
2267
2269 Implementation-specific information that is passed through to the SASL
2270 plug-in implementation that is selected with lmtp_sasl_type. Typically
2271 this specifies the name of a configuration file or rendezvous point.
2272
2273 This feature is available in Postfix 2.3 and later.
2274
2276 SASL security options; as of Postfix 2.3 the list of available features
2277 depends on the SASL client implementation that is selected with
2278 lmtp_sasl_type.
2279
2280 The following security features are defined for the cyrus client SASL
2281 implementation:
2282
2283 noplaintext
2284 Disallow authentication methods that use plaintext passwords.
2285
2286 noactive
2287 Disallow authentication methods that are vulnerable to non-dic‐
2288 tionary active attacks.
2289
2290 nodictionary
2291 Disallow authentication methods that are vulnerable to passive
2292 dictionary attack.
2293
2294 noanonymous
2295 Disallow anonymous logins.
2296
2297 Example:
2298
2299 lmtp_sasl_security_options = noplaintext
2300
2302 The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2303 uration parameter. See there for details.
2304
2305 This feature is available in Postfix 2.3 and later.
2306
2308 rity_options)
2309 The LMTP-specific version of the smtp_sasl_tls_verified_secu‐
2310 rity_options configuration parameter. See there for details.
2311
2312 This feature is available in Postfix 2.3 and later.
2313
2315 The SASL plug-in type that the Postfix LMTP client should use for
2316 authentication. The available types are listed with the "postconf -A"
2317 command.
2318
2319 This feature is available in Postfix 2.3 and later.
2320
2322 Send an XFORWARD command to the LMTP server when the LMTP LHLO server
2323 response announces XFORWARD support. This allows an lmtp(8) delivery
2324 agent, used for content filter message injection, to forward the name,
2325 address, protocol and HELO name of the original client to the content
2326 filter and downstream queuing LMTP server. Before you change the value
2327 to yes, it is best to make sure that your content filter supports this
2328 command.
2329
2330 This feature is available in Postfix 2.1 and later.
2331
2333 The LMTP-specific version of the smtp_sender_dependent_authentication
2334 configuration parameter. See there for details.
2335
2336 This feature is available in Postfix 2.3 and later.
2337
2339 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
2340 parameter. See there for details.
2341
2342 This feature is available in Postfix 2.3 and later.
2343
2345 Wait for the response to the LMTP QUIT command.
2346
2348 The LMTP-specific version of the smtp_starttls_timeout configuration
2349 parameter. See there for details.
2350
2351 This feature is available in Postfix 2.3 and later.
2352
2354 The default TCP port that the Postfix LMTP client connects to.
2355
2357 The LMTP-specific version of the smtp_tls_CAfile configuration parame‐
2358 ter. See there for details.
2359
2360 This feature is available in Postfix 2.3 and later.
2361
2363 The LMTP-specific version of the smtp_tls_CApath configuration parame‐
2364 ter. See there for details.
2365
2366 This feature is available in Postfix 2.3 and later.
2367
2369 The LMTP-specific version of the smtp_tls_cert_file configuration
2370 parameter. See there for details.
2371
2372 This feature is available in Postfix 2.3 and later.
2373
2375 The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
2376 ter. See there for details.
2377
2378 This feature is available in Postfix 2.6 and later.
2379
2381 The LMTP-specific version of the smtp_tls_dcert_file configuration
2382 parameter. See there for details.
2383
2384 This feature is available in Postfix 2.3 and later.
2385
2387 The LMTP-specific version of the smtp_tls_dkey_file configuration
2388 parameter. See there for details.
2389
2390 This feature is available in Postfix 2.3 and later.
2391
2393 The LMTP-specific version of the smtp_tls_eccert_file configuration
2394 parameter. See there for details.
2395
2396 This feature is available in Postfix 2.6 and later, when Postfix is
2397 compiled and linked with OpenSSL 0.9.9 or later.
2398
2400 The LMTP-specific version of the smtp_tls_eckey_file configuration
2401 parameter. See there for details.
2402
2403 This feature is available in Postfix 2.6 and later, when Postfix is
2404 compiled and linked with OpenSSL 0.9.9 or later.
2405
2407 The LMTP-specific version of the smtp_tls_enforce_peername configura‐
2408 tion parameter. See there for details.
2409
2410 This feature is available in Postfix 2.3 and later.
2411
2413 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
2414 parameter. See there for details.
2415
2416 This feature is available in Postfix 2.3 and later.
2417
2419 The LMTP-specific version of the smtp_tls_fingerprint_cert_match con‐
2420 figuration parameter. See there for details.
2421
2422 This feature is available in Postfix 2.5 and later.
2423
2425 The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
2426 tion parameter. See there for details.
2427
2428 This feature is available in Postfix 2.5 and later.
2429
2431 The LMTP-specific version of the smtp_tls_key_file configuration param‐
2432 eter. See there for details.
2433
2434 This feature is available in Postfix 2.3 and later.
2435
2437 The LMTP-specific version of the smtp_tls_loglevel configuration param‐
2438 eter. See there for details.
2439
2440 This feature is available in Postfix 2.3 and later.
2441
2443 The LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
2444 tion parameter. See there for details.
2445
2446 This feature is available in Postfix 2.3 and later.
2447
2449 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
2450 configuration parameter. See there for details.
2451
2452 This feature is available in Postfix 2.3 and later.
2453
2455 The LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
2456 ration parameter. See there for details.
2457
This feature is available in Postfix 2.3 and later.

lmtp_tls_note_starttls_offer

The LMTP-specific version of the smtp_tls_note_starttls_offer configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_tls_per_site

The LMTP-specific version of the smtp_tls_per_site configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_tls_policy_maps

The LMTP-specific version of the smtp_tls_policy_maps configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_tls_protocols

The LMTP-specific version of the smtp_tls_protocols configuration parameter. See there for details.

This feature is available in Postfix 2.6 and later.

lmtp_tls_scert_verifydepth

The LMTP-specific version of the smtp_tls_scert_verifydepth configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_tls_secure_cert_match

The LMTP-specific version of the smtp_tls_secure_cert_match configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_tls_security_level

The LMTP-specific version of the smtp_tls_security_level configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_tls_session_cache_database

The LMTP-specific version of the smtp_tls_session_cache_database configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_tls_session_cache_timeout

The LMTP-specific version of the smtp_tls_session_cache_timeout configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_tls_verify_cert_match

The LMTP-specific version of the smtp_tls_verify_cert_match configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_use_tls

The LMTP-specific version of the smtp_use_tls configuration parameter. See there for details.

This feature is available in Postfix 2.3 and later.

lmtp_xforward_timeout

The LMTP client time limit for sending the XFORWARD command, and for receiving the server response.

In case of problems the client does NOT try the next address on the mail exchanger list.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

local_command_shell

Optional shell program for local(8) delivery to non-Postfix command. By default, non-Postfix commands are executed directly; commands are given to /bin/sh only when they contain shell meta characters or shell built-in commands.

"sendmail's restricted shell" (smrsh) is what most people will use in order to restrict what programs can be run from e.g. .forward files (smrsh is part of the Sendmail distribution).

Note: when a shell program is specified, it is invoked even when the command contains no shell built-in commands or meta characters.

Example:

local_command_shell = /some/where/smrsh -c

local_destination_concurrency_limit

The maximal number of parallel deliveries via the local mail delivery transport to the same recipient (when "local_destination_recipient_limit = 1") or the maximal number of parallel deliveries to the same local domain (when "local_destination_recipient_limit > 1"). This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

A low limit of 2 is recommended, just in case someone has an expensive shell command in a .forward file or in an alias (e.g., a mailing list manager). You don't want to run lots of those at the same time.

local_destination_recipient_limit

The maximal number of recipients per message delivery via the local mail delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

Setting this parameter to a value > 1 changes the meaning of local_destination_concurrency_limit from concurrency per recipient into concurrency per domain.

local_header_rewrite_clients

Rewrite message header addresses in mail from these clients and update incomplete addresses with the domain name in $myorigin or $mydomain; either don't rewrite message headers from other clients at all, or rewrite message headers and update incomplete addresses with the domain specified in the remote_header_rewrite_domain parameter.

See the append_at_myorigin and append_dot_mydomain parameters for details of how domain names are appended to incomplete addresses.

Specify a list of zero or more of the following:

permit_inet_interfaces
    Append the domain name in $myorigin or $mydomain when the client IP address matches $inet_interfaces. This is enabled by default.

permit_mynetworks
    Append the domain name in $myorigin or $mydomain when the client IP address matches any network or network address listed in $mynetworks. This setting will not prevent remote mail header address rewriting when mail from a remote client is forwarded by a neighboring system.

permit_sasl_authenticated
    Append the domain name in $myorigin or $mydomain when the client is successfully authenticated via the RFC 4954 (AUTH) protocol.

permit_tls_clientcerts
    Append the domain name in $myorigin or $mydomain when the client TLS certificate fingerprint is listed in $relay_clientcerts. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5).

permit_tls_all_clientcerts
    Append the domain name in $myorigin or $mydomain when the client TLS certificate is successfully verified, regardless of whether it is listed on the server, and regardless of the certifying authority.

check_address_map type:table
type:table
    Append the domain name in $myorigin or $mydomain when the client IP address matches the specified lookup table. The lookup result is ignored, and no subnet lookup is done. This is suitable for, e.g., pop-before-smtp lookup tables.

Examples:

The Postfix < 2.2 backwards compatible setting: always rewrite message headers, and always append my own domain to incomplete header addresses.

local_header_rewrite_clients = static:all

The purist (and default) setting: rewrite headers only in mail from Postfix sendmail and in SMTP mail from this machine.

local_header_rewrite_clients = permit_inet_interfaces

The intermediate setting: rewrite header addresses and append $myorigin or $mydomain information only with mail from Postfix sendmail, from local clients, or from authorized SMTP clients.

Note: this setting will not prevent remote mail header address rewriting when mail from a remote client is forwarded by a neighboring system.

local_header_rewrite_clients = permit_mynetworks,
    permit_sasl_authenticated permit_tls_clientcerts
    check_address_map hash:/etc/postfix/pop-before-smtp

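The first-match evaluation of this list is where header rewriting for remote clients is silently enabled or not, so it is worth seeing it spelled out. The following is an added example written for this page, not Postfix code: it evaluates a local_header_rewrite_clients value against constructed client attributes and constructed site data (interface addresses, $mynetworks ranges, a made-up certificate fingerprint for $relay_clientcerts, and the contents of the pop-before-smtp table). It assumes that a bare "type:table" entry is shorthand for check_address_map and that "static:all" matches every client; what happens when nothing matches (the remote_header_rewrite_domain rule) is not modelled.

```python
import ipaddress
import re


def parse_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return [t for t in re.split(r"[\s,]+", value.strip()) if t]


# Constructed site configuration for the example only: interface addresses,
# $mynetworks ranges, one invented certificate fingerprint and the keys of
# a pop-before-smtp table.
SITE = {
    "inet_interfaces": {"127.0.0.1", "192.0.2.10"},
    "mynetworks": ["127.0.0.0/8", "192.0.2.0/24"],
    "relay_clientcerts": {"D7:04:2F:C0:EF:A3:E4:EC:E3:4A:D8:AD:FE:33:A6:92"},
    "tables": {"hash:/etc/postfix/pop-before-smtp": {"198.51.100.7"}},
}

# The "intermediate" setting from the examples above.
INTERMEDIATE = ("permit_mynetworks, permit_sasl_authenticated permit_tls_clientcerts "
                "check_address_map hash:/etc/postfix/pop-before-smtp")


def header_rewrite_allowed(client, setting, site):
    """Return True when header addresses in mail from this client get
    $myorigin/$mydomain appended, False when the client matches no entry.

    The list is evaluated left to right and the first match wins. client is a
    dict with "addr" and optional "sasl_authenticated", "tls_fingerprint" and
    "tls_verified" keys; site holds the lookup data described above."""
    addr = ipaddress.ip_address(client["addr"])
    tokens = parse_list(setting)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == "permit_inet_interfaces":
            if client["addr"] in site["inet_interfaces"]:
                return True
        elif tok == "permit_mynetworks":
            if any(addr in ipaddress.ip_network(n, strict=False)
                   for n in site["mynetworks"]):
                return True
        elif tok == "permit_sasl_authenticated":
            if client.get("sasl_authenticated"):
                return True
        elif tok == "permit_tls_clientcerts":
            fp = client.get("tls_fingerprint")
            if fp and fp in site["relay_clientcerts"]:
                return True
        elif tok == "permit_tls_all_clientcerts":
            if client.get("tls_verified"):
                return True
        elif tok == "check_address_map":
            if i >= len(tokens):
                raise ValueError("check_address_map needs a type:table argument")
            table, i = tokens[i], i + 1
            # Exact-key lookup only: no subnet lookup, lookup result ignored.
            if client["addr"] in site["tables"].get(table, set()):
                return True
        elif ":" in tok:
            # Assumed shorthand: a bare type:table entry behaves like
            # check_address_map, and static:all matches every client.
            if tok == "static:all" or client["addr"] in site["tables"].get(tok, set()):
                return True
        else:
            raise ValueError(f"unknown local_header_rewrite_clients entry: {tok!r}")
    return False


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.0.2.77", "198.51.100.7", "203.0.113.5"):
        print(ip, header_rewrite_allowed({"addr": ip}, INTERMEDIATE, SITE))
```

The same unauthenticated remote client gets its headers rewritten or not depending only on the order and content of this list, which is why the purist default restricts rewriting to $inet_interfaces.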
local_recipient_maps

Lookup tables with all names or addresses of local recipients: a recipient address is local when its domain matches $mydestination, $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card for domains that do not have a valid recipient list. Technically, tables listed with $local_recipient_maps are used as lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup.

If this parameter is non-empty (the default), then the Postfix SMTP server will reject mail for unknown local users.

To turn off local recipient checking in the Postfix SMTP server, specify "local_recipient_maps =" (i.e. empty).

The default setting assumes that you use the default Postfix local delivery agent for local delivery. You need to update the local_recipient_maps setting if:

· You redefine the local delivery agent in master.cf.

· You redefine the "local_transport" setting in main.cf.

· You use the "luser_relay", "mailbox_transport", or "fallback_transport" feature of the Postfix local(8) delivery agent.

Details are described in the LOCAL_RECIPIENT_README file.

Beware: if the Postfix SMTP server runs chrooted, you need to access the passwd file via the proxymap(8) service, in order to overcome chroot access restrictions. The alternative, maintaining a copy of the system password file in the chroot jail, is not practical.

Examples:

local_recipient_maps =

local_transport

The default mail delivery transport and next-hop destination for final delivery to domains listed with mydestination, and for [ipaddress] destinations that match $inet_interfaces or $proxy_interfaces. This information can be overruled with the transport(5) table.

By default, local mail is delivered to the transport called "local", which is just the name of a service that is defined in the master.cf file.

Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. The :nexthop part is optional. For more details see the transport(5) manual page.

Beware: if you override the default local delivery agent then you need to review the LOCAL_RECIPIENT_README document, otherwise the SMTP server may reject mail for local recipients.

luser_relay

Optional catch-all destination for unknown local(8) recipients. By default, mail for unknown recipients in domains that match $mydestination, $inet_interfaces or $proxy_interfaces is returned as undeliverable.

The following $name expansions are done on luser_relay:

$domain
    The recipient domain.

$extension
    The recipient address extension.

$home
    The recipient's home directory.

$local
    The entire recipient address localpart.

$recipient
    The full recipient address.

$recipient_delimiter
    The system-wide recipient address extension delimiter.

$shell
    The recipient's login shell.

$user
    The recipient username.

${name?value}
    Expands to value when $name has a non-empty value.

${name:value}
    Expands to value when $name has an empty value.

Instead of $name you can also specify ${name} or $(name).

Note: luser_relay works only for the Postfix local(8) delivery agent.

Note: if you use this feature for accounts not in the UNIX password file, then you must specify "local_recipient_maps =" (i.e. empty) in the main.cf file, otherwise the Postfix SMTP server will reject mail for non-UNIX accounts with "User unknown in local recipient table".

Examples:

luser_relay = $user@other.host
luser_relay = $local@other.host
luser_relay = admin+$local

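As an added example of the expansion rules listed above (example code written for this page, not taken from Postfix), the function below expands a luser_relay value with the attributes of one recipient. The recipient attributes are constructed; an undefined name expands to the empty string, and the value inside ${name?value} or ${name:value} is copied literally rather than expanded again, both simplifications made by this example. "$$" produces one literal "$" as described in the general main.cf syntax.

```python
import re

# Constructed recipient attributes, as the local(8) delivery agent would
# know them for one delivery (invented values for the example).
SAMPLE_ATTRS = {
    "user": "jdoe",
    "local": "jdoe+lists",
    "extension": "lists",
    "domain": "example.com",
    "recipient": "jdoe+lists@example.com",
    "recipient_delimiter": "+",
    "home": "/home/jdoe",
    "shell": "/bin/sh",
}

_NAME = r"([A-Za-z_][A-Za-z0-9_]*)"
_TOKEN = re.compile(
    r"\$\$"                       # "$$" yields one literal "$"
    r"|\$\{%s\?([^}]*)\}"         # ${name?value}: value when $name is non-empty
    r"|\$\{%s:([^}]*)\}"          # ${name:value}: value when $name is empty
    r"|\$\{%s\}"                  # ${name}
    r"|\$\(%s\)"                  # $(name)
    r"|\$%s" % ((_NAME,) * 5)     # $name
)


def expand(template, attrs):
    """Expand a luser_relay value with the attributes of one recipient.

    An undefined name expands to "" and the value part of ${name?value} or
    ${name:value} is not expanded again (simplifications of this example)."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        if m.group(1) is not None:                     # ${name?value}
            return m.group(2) if attrs.get(m.group(1)) else ""
        if m.group(3) is not None:                     # ${name:value}
            return "" if attrs.get(m.group(3)) else m.group(4)
        name = m.group(5) or m.group(6) or m.group(7)  # ${name}, $(name), $name
        return attrs.get(name, "")
    return _TOKEN.sub(repl, template)


if __name__ == "__main__":
    for setting in ("$user@other.host", "$local@other.host", "admin+$local"):
        print(f"luser_relay = {setting:<18} -> {expand(setting, SAMPLE_ATTRS)}")
```

Note that "$local" carries the address extension while "$user" does not, so "admin+$local" for the constructed recipient yields a doubly extended address; pick the variable that matches what the catch-all mailbox should see.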
mail_name

The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail.

mail_owner

The UNIX system account that owns the Postfix queue and most Postfix daemon processes. Specify the name of a user account that does not share a group with other accounts and that owns no other files or processes on the system. In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.

When this parameter value is changed you need to re-run "postfix set-permissions" (with Postfix version 2.0 and earlier: "/etc/postfix/post-install set-permissions").

mail_release_date

The Postfix release date, in "YYYYMMDD" format.

mail_spool_directory

The directory where local(8) UNIX-style mailboxes are kept. The default setting depends on the system type. Specify a name ending in / for maildir-style delivery.

Note: maildir delivery is done with the privileges of the recipient. If you use the mail_spool_directory setting for maildir style delivery, then you must create the top-level maildir directory in advance. Postfix will not create it.

Examples:

mail_spool_directory = /var/mail
mail_spool_directory = /var/spool/mail

mail_version

The version of the mail system. Stable releases are named major.minor.patchlevel. Experimental releases also include the release date. The version string can be used in, for example, the SMTP greeting banner.

mailbox_command

Optional external command that the local(8) delivery agent should use for mailbox delivery. The command is run with the user ID and the primary group ID privileges of the recipient. Exception: command delivery for root executes with $default_privs privileges. This is not a problem, because 1) mail for root should always be aliased to a real user and 2) don't log in as root, use "su" instead.

The following environment variables are exported to the command:

CLIENT_ADDRESS
    Remote client network address. Available in Postfix version 2.2 and later.

CLIENT_HELO
    Remote client EHLO command parameter. Available in Postfix version 2.2 and later.

CLIENT_HOSTNAME
    Remote client hostname. Available in Postfix version 2.2 and later.

CLIENT_PROTOCOL
    Remote client protocol. Available in Postfix version 2.2 and later.

DOMAIN
    The domain part of the recipient address.

EXTENSION
    The optional address extension.

HOME
    The recipient home directory.

LOCAL
    The recipient address localpart.

LOGNAME
    The recipient's username.

ORIGINAL_RECIPIENT
    The entire recipient address, before any address rewriting or aliasing.

RECIPIENT
    The full recipient address.

SASL_METHOD
    SASL authentication method specified in the remote client AUTH command. Available in Postfix version 2.2 and later.

SASL_SENDER
    SASL sender address specified in the remote client MAIL FROM command. Available in Postfix version 2.2 and later.

SASL_USER
    SASL username specified in the remote client AUTH command. Available in Postfix version 2.2 and later.

SENDER
    The full sender address.

SHELL
    The recipient's login shell.

USER
    The recipient username.

Unlike other Postfix configuration parameters, the mailbox_command parameter is not subjected to $name substitutions. This is to make it easier to specify shell syntax (see example below).

If you can, avoid shell meta characters because they will force Postfix to run an expensive shell process. If you're delivering via Procmail then running a shell won't make a noticeable difference in the total cost.

Note: if you use the mailbox_command feature to deliver mail system-wide, you must set up an alias that forwards mail for root to a real user.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Examples:

mailbox_command = /some/where/procmail
mailbox_command = /some/where/procmail -a "$EXTENSION"
mailbox_command = /some/where/maildrop -d "$USER"
    -f "$SENDER" "$EXTENSION"

mailbox_command_maps

Optional lookup tables with per-recipient external commands to use for local(8) mailbox delivery. Behavior is as with mailbox_command.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

mailbox_delivery_lock

How to lock a UNIX-style local(8) mailbox before attempting delivery. For a list of available file locking methods, use the "postconf -l" command.

This setting is ignored with maildir style delivery, because such deliveries are safe without explicit locks.

Note: The dotlock method requires that the recipient UID or GID has write access to the parent directory of the mailbox file.

Note: the default setting of this parameter is system dependent.

mailbox_size_limit

The maximal size of any local(8) individual mailbox or maildir file, or zero (no limit). In fact, this limits the size of any file that is written to upon local delivery, including files written by external commands that are executed by the local(8) delivery agent.

This limit must not be smaller than the message size limit.

mailbox_transport

Optional message delivery transport that the local(8) delivery agent should use for mailbox delivery to all local recipients, whether or not they are found in the UNIX passwd database.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

mailbox_transport_maps

Optional lookup tables with per-recipient message delivery transports to use for local(8) mailbox delivery, whether or not the recipients are found in the UNIX passwd database.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

This feature is available in Postfix 2.3 and later.

mailq_path

Sendmail compatibility feature that specifies where the Postfix mailq(1) command is installed. This command can be used to list the Postfix mail queue.

manpage_directory

Where the Postfix manual pages are installed.

maps_rbl_domains

Obsolete feature: use the reject_rbl_client feature instead.

maps_rbl_reject_code

The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient restriction.

Do not change this unless you have a complete understanding of RFC 2821.

masquerade_classes

What addresses are subject to address masquerading.

By default, address masquerading is limited to envelope sender addresses, and to header sender and header recipient addresses. This allows you to use address masquerading on a mail gateway while still being able to forward mail to users on individual machines.

Specify zero or more of: envelope_sender, envelope_recipient, header_sender, header_recipient

masquerade_domains

Optional list of domains whose subdomain structure will be stripped off in email addresses.

The list is processed left to right, and processing stops at the first match. Thus,

masquerade_domains = foo.example.com example.com

strips "user@any.thing.foo.example.com" to "user@foo.example.com", but strips "user@any.thing.else.example.com" to "user@example.com".

A domain name prefixed with ! means do not masquerade this domain or its subdomains. Thus,

masquerade_domains = !foo.example.com example.com

does not change "user@any.thing.foo.example.com" or "user@foo.example.com", but strips "user@any.thing.else.example.com" to "user@example.com".

Note: with Postfix version 2.2, message header address masquerading happens only when message header address rewriting is enabled:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches $local_header_rewrite_clients,

· The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Example:

masquerade_domains = $mydomain

masquerade_exceptions

Optional list of user names that are not subjected to address masquerading, even when their address matches $masquerade_domains.

By default, address masquerading makes no exceptions.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Examples:

masquerade_exceptions = root, mailer-daemon
masquerade_exceptions = root

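The two preceding sections, masquerade_domains and masquerade_exceptions, describe one rewriting step; the added example below (written for this page, not Postfix code) implements it for a single address so that the left-to-right, first-match rule and the "!" exclusion can be tried on the addresses quoted above. Exception user names are compared case-insensitively, and the "/file/name" and "type:table" exception forms are not modelled; both are choices of this example. Which address classes get masqueraded (masquerade_classes) is decided before this function would be called.

```python
import re


def parse_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return [t for t in re.split(r"[\s,]+", value.strip()) if t]


def masquerade_address(address, masquerade_domains, masquerade_exceptions=""):
    """Strip subdomain structure from the domain part of one address.

    Both settings are given as main.cf strings. The domain list is searched
    left to right and stops at the first match; "!name" protects name and its
    subdomains. Exception user names are compared case-insensitively, and the
    "/file/name" and "type:table" exception forms are not modelled (both are
    choices of this example)."""
    if "@" not in address:
        return address
    localpart, domain = address.rsplit("@", 1)
    exceptions = {n.lower() for n in parse_list(masquerade_exceptions)}
    if localpart.lower() in exceptions:
        return address
    for pattern in parse_list(masquerade_domains):
        truncate = not pattern.startswith("!")
        name = pattern if truncate else pattern[1:]
        if not name or len(name) > len(domain):
            continue
        tail = domain[len(domain) - len(name):]
        # Match the domain itself or a "something.name" subdomain of it,
        # comparing case-insensitively but keeping the address's own spelling.
        if tail.lower() != name.lower():
            continue
        if len(tail) < len(domain) and domain[-len(name) - 1] != ".":
            continue
        return localpart + "@" + tail if truncate else address
    return address


if __name__ == "__main__":
    for setting in ("foo.example.com example.com", "!foo.example.com example.com"):
        print("masquerade_domains =", setting)
        for addr in ("user@any.thing.foo.example.com", "user@foo.example.com",
                     "user@any.thing.else.example.com"):
            print("   ", addr, "->", masquerade_address(addr, setting))
```

The order test in the list matters: with "example.com foo.example.com" the first entry already matches every foo.example.com subdomain, so the second entry is never reached and "user@any.thing.foo.example.com" becomes "user@example.com".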
master_service_disable

Selectively disable master(8) listener ports by service type or by service name and type. Specify a list of service types ("inet", "unix", "fifo", or "pass") or "name.type" tuples, where "name" is the first field of a master.cf entry and "type" is a service type. As with other Postfix matchlists, a search stops at the first match. Specify "!pattern" to exclude a service from the list. By default, all master(8) listener ports are enabled.

Note: this feature does not support "/file/name" or "type:table" patterns, nor does it support wildcards such as "*" or "all". This is intentional.

Examples:

# Turn on all master(8) listener ports (the default).
master_service_disable =
# Turn off only the main SMTP listener port.
master_service_disable = smtp.inet
# Turn off all TCP/IP listener ports.
master_service_disable = inet
# Turn off all TCP/IP listener ports except "foo".
master_service_disable = !foo.inet, inet

This feature is available in Postfix 2.6 and later.

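Because the search stops at the first match, "!foo.inet, inet" and "inet, !foo.inet" are not equivalent. The added example below (written for this page, not Postfix's own matchlist code) applies the rule above to a constructed subset of master.cf service names and types, so each of the documented settings can be checked against the set of listeners it leaves enabled.

```python
import re


def parse_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return [t for t in re.split(r"[\s,]+", value.strip()) if t]


def service_disabled(name, stype, master_service_disable):
    """Return True when master(8) would leave the "name.type" listener off.

    The list is searched left to right and the first match decides: a bare
    type ("inet", "unix", "fifo", "pass") matches every service of that type,
    "name.type" matches one service, and a "!" prefix turns the match into an
    explicit enable. With no match the service stays enabled."""
    key = f"{name}.{stype}"
    for pattern in parse_list(master_service_disable):
        negate = pattern.startswith("!")
        pat = pattern[1:] if negate else pattern
        if pat == stype or pat == key:
            return not negate
    return False


# Constructed subset of master.cf services as (name, type) pairs.
SAMPLE_SERVICES = [("smtp", "inet"), ("submission", "inet"), ("foo", "inet"),
                   ("pickup", "unix"), ("cleanup", "unix")]


def enabled_services(master_service_disable, services=SAMPLE_SERVICES):
    """List the "name.type" services that remain enabled under a setting."""
    return [f"{n}.{t}" for n, t in services
            if not service_disabled(n, t, master_service_disable)]


if __name__ == "__main__":
    for setting in ("", "smtp.inet", "inet", "!foo.inet, inet", "inet, !foo.inet"):
        print(f"master_service_disable = {setting!r:<20} -> {enabled_services(setting)}")
```

With "inet, !foo.inet" the bare "inet" entry matches foo.inet first, so the exception never takes effect and every TCP/IP listener stays disabled; put exclusions before the broader pattern they carve out of.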
max_idle

The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. This parameter is ignored by the Postfix queue manager and by other long-lived Postfix daemon processes.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

max_use

The maximal number of incoming connections that a Postfix daemon process will service before terminating voluntarily. This parameter is ignored by the Postfix queue manager and by other long-lived Postfix daemon processes.

maximal_backoff_time

The maximal time between attempts to deliver a deferred message.

This parameter should be set to a value greater than or equal to $minimal_backoff_time. See also $queue_run_delay.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

maximal_queue_lifetime

The maximal time a message is queued before it is sent back as undeliverable.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

message_reject_characters

The set of characters that Postfix will reject in message content. The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd (up to three octal digits) and \\.

Example:

message_reject_characters = \0

This feature is available in Postfix 2.3 and later.

message_size_limit

The maximal size in bytes of a message, including envelope information.

Note: be careful when making changes. Excessively small values will result in the loss of non-delivery notifications, when a bounce message size exceeds the local or remote MTA's message size limit.

message_strip_characters

The set of characters that Postfix will remove from message content. The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd (up to three octal digits) and \\.

Example:

message_strip_characters = \0

This feature is available in Postfix 2.3 and later.

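message_reject_characters and message_strip_characters above share one value syntax, and the octal form is the part people get wrong (the "\0" in both examples is a one-digit octal escape for the NUL byte). The following is an added example written for this page, not Postfix code: it decodes the listed escape sequences into raw bytes and then applies a reject set and a strip set to a constructed message body. Treating an unknown "\x" as a literal "x", reducing a "\ddd" value above 255 modulo 256, and checking the reject set before stripping are this example's own choices, not documented Postfix behaviour.

```python
import re

# Escape letters accepted in message_reject_characters and
# message_strip_characters, mapped to the byte each one denotes.
_ESCAPES = {b"a": b"\a", b"b": b"\b", b"f": b"\f", b"n": b"\n",
            b"r": b"\r", b"t": b"\t", b"v": b"\v", b"\\": b"\\"}
_TOKEN = re.compile(rb"\\([0-7]{1,3})|\\(.)|(.)", re.S)


def unescape(value):
    r"""Decode \a \b \f \n \r \t \v \ddd (up to three octal digits) and \\.

    An unrecognised "\x" is kept as "x" and an octal value above 255 is
    reduced modulo 256; both are choices of this example."""
    out = bytearray()
    for m in _TOKEN.finditer(value):
        if m.group(1) is not None:          # \ddd octal escape
            out.append(int(m.group(1), 8) & 0xFF)
        elif m.group(2) is not None:        # \a .. \v and \\
            out += _ESCAPES.get(m.group(2), m.group(2))
        else:                               # ordinary byte
            out += m.group(3)
    return bytes(out)


def apply_character_policy(content, reject_chars, strip_chars):
    """Apply both settings to message bytes and return (accepted, content).

    A byte from the reject set makes the whole message unacceptable; otherwise
    bytes from the strip set are removed. Checking the reject set before
    stripping is this example's order, not documented Postfix behaviour."""
    reject = set(unescape(reject_chars))
    strip = set(unescape(strip_chars))
    if any(b in reject for b in content):
        return False, b""
    return True, bytes(b for b in content if b not in strip)


# Constructed message body: carries a NUL byte and bare carriage returns.
SAMPLE_BODY = b"Subject: test\r\n\r\nhello\x00world\r\n"

if __name__ == "__main__":
    print(apply_character_policy(SAMPLE_BODY, rb"\0", b""))
    print(apply_character_policy(SAMPLE_BODY, b"", rb"\0\r"))
```

A practical consequence of the shared syntax: a setting that contains a bare backslash at the end of the value is incomplete, and a value such as "\8" is not an octal escape at all, so test the decoded bytes rather than trusting the main.cf spelling.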
milter_command_timeout

The time limit for sending an SMTP command to a Milter (mail filter) application, and for receiving the response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.3 and later.

milter_connect_macros

The macros that are sent to Milter (mail filter) applications after completion of an SMTP connection. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

milter_connect_timeout

The time limit for connecting to a Milter (mail filter) application, and for negotiating protocol options.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.3 and later.

milter_content_timeout

The time limit for sending message content to a Milter (mail filter) application, and for receiving the response.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.3 and later.

milter_data_macros

The macros that are sent to version 4 or higher Milter (mail filter) applications after the SMTP DATA command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

milter_default_action

The default action when a Milter (mail filter) application is unavailable or mis-configured. Specify one of the following:

accept
    Proceed as if the mail filter was not present.

reject
    Reject all further commands in this session with a permanent status code.

tempfail
    Reject all further commands in this session with a temporary status code.

quarantine
    Like "accept", but freeze the message in the "hold" queue. Available with Postfix 2.6 and later.

This feature is available in Postfix 2.3 and later.

milter_end_of_data_macros

The macros that are sent to Milter (mail filter) applications after the message end-of-data. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

milter_end_of_header_macros

The macros that are sent to Milter (mail filter) applications after the end of the message header. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.5 and later.

milter_helo_macros

The macros that are sent to Milter (mail filter) applications after the SMTP HELO or EHLO command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

milter_macro_daemon_name

The {daemon_name} macro value for Milter (mail filter) applications. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

milter_macro_v

The {v} macro value for Milter (mail filter) applications. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

milter_mail_macros

The macros that are sent to Milter (mail filter) applications after the SMTP MAIL FROM command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

milter_protocol

The mail filter protocol version and optional protocol extensions for communication with a Milter application; prior to Postfix 2.6 the default protocol is 2. Postfix sends this version number during the initial protocol handshake. It should match the version number that is expected by the mail filter application (or by its Milter library).

Protocol versions:

2
    Use Sendmail 8 mail filter protocol version 2 (default with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).

3
    Use Sendmail 8 mail filter protocol version 3.

4
    Use Sendmail 8 mail filter protocol version 4.

6
    Use Sendmail 8 mail filter protocol version 6 (default with Sendmail version 8.14 and Postfix version 2.6).

Protocol extensions:

no_header_reply
    Specify this when the Milter application will not reply for each individual message header.

This feature is available in Postfix 2.3 and later.

milter_rcpt_macros

The macros that are sent to Milter (mail filter) applications after the SMTP RCPT TO command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

milter_unknown_command_macros

The macros that are sent to version 3 or higher Milter (mail filter) applications after an unknown SMTP command. See MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

mime_boundary_length_limit

The maximal length of MIME multipart boundary strings. The MIME processor is unable to distinguish between boundary strings that do not differ in the first $mime_boundary_length_limit characters.

This feature is available in Postfix 2.0 and later.

mime_header_checks

Optional lookup tables for content inspection of MIME related message headers, as described in the header_checks(5) manual page.

This feature is available in Postfix 2.0 and later.

mime_nesting_limit

The maximal recursion level that the MIME processor will handle. Postfix refuses mail that is nested deeper than the specified limit.

This feature is available in Postfix 2.0 and later.

minimal_backoff_time

The minimal time between attempts to deliver a deferred message; prior to Postfix 2.4 the default value was 1000s.

This parameter also limits the time an unreachable destination is kept in the short-term, in-memory, destination status cache.

This parameter should be set greater than or equal to $queue_run_delay. See also $maximal_backoff_time.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

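The ordering rules for queue_run_delay, minimal_backoff_time and maximal_backoff_time are stated in prose only, and the unit suffixes make a misordering easy to overlook ("2m" versus "300s"). The added example below (written for this page, not Postfix code) parses time values with the unit letters listed above, applying a parameter's default unit when the suffix is absent, and reports which of the two stated constraints a set of constructed main.cf values violates. maximal_queue_lifetime appears only to show a parameter whose default unit is days rather than seconds.

```python
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME = re.compile(r"^(\d+)([smhdw]?)$")


def parse_time(value, default_unit="s"):
    """Convert a Postfix time value ("300s", "2m", "5") into seconds.

    The parameter's default unit applies when the suffix is absent."""
    m = _TIME.match(value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or default_unit]


def check_backoff_settings(cfg):
    """Return the violations of the ordering rules given for the backoff
    parameters; cfg is a dict of main.cf values (constructed here, not read
    from a live system)."""
    problems = []
    queue_run_delay = parse_time(cfg["queue_run_delay"])
    minimal = parse_time(cfg["minimal_backoff_time"])
    maximal = parse_time(cfg["maximal_backoff_time"])
    if minimal < queue_run_delay:
        problems.append("minimal_backoff_time must be >= queue_run_delay")
    if maximal < minimal:
        problems.append("maximal_backoff_time must be >= minimal_backoff_time")
    return problems


# Constructed main.cf values; maximal_queue_lifetime shows a parameter whose
# default unit is days rather than seconds.
SAMPLE_CFG = {
    "queue_run_delay": "300s",
    "minimal_backoff_time": "300s",
    "maximal_backoff_time": "4000s",
    "maximal_queue_lifetime": "5",
}

if __name__ == "__main__":
    print("queue lifetime in seconds:",
          parse_time(SAMPLE_CFG["maximal_queue_lifetime"], default_unit="d"))
    print("problems:", check_backoff_settings(SAMPLE_CFG))
    print("problems:", check_backoff_settings(dict(SAMPLE_CFG, maximal_backoff_time="2m")))
```

Because the regular expression requires a bare integer with at most one unit letter, a value like "1.5h" or "10 m" is reported as malformed rather than silently truncated.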
multi_instance_directories

An optional list of non-default Postfix configuration directories; these directories belong to additional Postfix instances that share the Postfix executable files and documentation with the default Postfix instance, and that are started, stopped, etc., together with the default Postfix instance. Specify a list of pathnames separated by comma or whitespace.

When $multi_instance_directories is empty, the postfix(1) command runs in single-instance mode and operates on a single Postfix instance only. Otherwise, the postfix(1) command runs in multi-instance mode and invokes the multi-instance manager specified with the multi_instance_wrapper parameter. The multi-instance manager in turn executes postfix(1) commands for the default instance and for all Postfix instances in $multi_instance_directories.

Currently, this parameter setting is ignored except for the default main.cf file.

This feature is available in Postfix 2.6 and later.

multi_instance_enable

Allow this Postfix instance to be started, stopped, etc., by a multi-instance manager. By default, new instances are created in a safe state that prevents them from being started inadvertently. This parameter is reserved for the multi-instance manager.

This feature is available in Postfix 2.6 and later.

multi_instance_group

The optional instance group name of this Postfix instance. A group identifies closely-related Postfix instances that the multi-instance manager can start, stop, etc., as a unit. This parameter is reserved for the multi-instance manager.

This feature is available in Postfix 2.6 and later.

multi_instance_name

The optional instance name of this Postfix instance. This name also becomes the default value for the syslog_name parameter.

This feature is available in Postfix 2.6 and later.

multi_instance_wrapper

The pathname of a multi-instance manager command that the postfix(1) command invokes when the multi_instance_directories parameter value is non-empty. The pathname may be followed by initial command arguments separated by whitespace; shell metacharacters such as quotes are not supported in this context.

The postfix(1) command invokes the manager command with the postfix(1) non-option command arguments on the manager command line, and with all installation configuration parameters exported into the manager command process environment. The manager command in turn invokes the postfix(1) command for individual Postfix instances as "postfix -c config_directory command".

This feature is available in Postfix 2.6 and later.

multi_recipient_bounce_reject_code

The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_multi_recipient_bounce restriction.

Do not change this unless you have a complete understanding of RFC 2821.

This feature is available in Postfix 2.1 and later.

3368 The list of domains that are delivered via the $local_transport mail
3369 delivery transport. By default this is the Postfix local(8) delivery
3370 agent which looks up all recipients in /etc/passwd and /etc/aliases.
3371 The SMTP server validates recipient addresses with $local_recipi‐
3372 ent_maps and rejects non-existent recipients. See also the local domain
3373 class in the ADDRESS_CLASS_README file.
3374
3375 The default mydestination value specifies names for the local machine
3376 only. On a mail domain gateway, you should also include $mydomain.
3377
3378 The $local_transport delivery method is also selected for mail
3379 addressed to user@[the.net.work.address] of the mail system (the IP
3380 addresses specified with the inet_interfaces and proxy_interfaces
3381 parameters).
3382
3383 Warnings:
3384
3385 · Do not specify the names of virtual domains - those domains are
3386 specified elsewhere. See VIRTUAL_README for more information.
3387
3388 · Do not specify the names of domains that this machine is backup
3389 MX host for. See STANDARD_CONFIGURATION_README for how to set up
3390 backup MX hosts.
3391
3392 · By default, the Postfix SMTP server rejects mail for recipients
3393 not listed with the local_recipient_maps parameter. See the
3394 postconf(5) manual for a description of the local_recipient_maps
3395 and unknown_local_recipient_reject_code parameters.
3396
3397 Specify a list of host or domain names, "/file/name" or "type:table"
3398 patterns, separated by commas and/or whitespace. A "/file/name" pattern
3399 is replaced by its contents; a "type:table" lookup table is matched
3400 when a name matches a lookup key (the lookup result is ignored). Con‐
3401 tinue long lines by starting the next line with whitespace.
3402
3403 Examples:
3404
3405 mydestination = $myhostname, localhost.$mydomain $mydomain
3406 mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
3407
3409 The internet domain name of this mail system. The default is to use
3410 $myhostname minus the first component. $mydomain is used as a default
3411 value for many other configuration parameters.
3412
3413 Example:
3414
3415 mydomain = domain.tld
3416
3418 The internet hostname of this mail system. The default is to use the
3419 fully-qualified domain name from gethostname(). $myhostname is used as
3420 a default value for many other configuration parameters.
3421
3422 Example:
3423
3424 myhostname = host.example.com
3425
3427 The list of "trusted" SMTP clients that have more privileges than
3428 "strangers".
3429
3430 In particular, "trusted" SMTP clients are allowed to relay mail through
3431 Postfix. See the smtpd_recipient_restrictions parameter description in
3432 the postconf(5) manual.
3433
3434 You can specify the list of "trusted" network addresses by hand or you
3435 can let Postfix do it for you (which is the default). See the descrip‐
3436 tion of the mynetworks_style parameter for more information.
3437
3438 If you specify the mynetworks list by hand, Postfix ignores the mynet‐
3439 works_style setting.
3440
3441 Specify a list of network addresses or network/netmask patterns, sepa‐
3442 rated by commas and/or whitespace. Continue long lines by starting the
3443 next line with whitespace.
3444
3445 The netmask specifies the number of bits in the network part of a host
3446 address. You can also specify "/file/name" or "type:table" patterns.
3447 A "/file/name" pattern is replaced by its contents; a "type:table"
3448 lookup table is matched when a table entry matches a lookup string (the
3449 lookup result is ignored).
3450
3451 The list is matched left to right, and the search stops on the first
3452 match. Specify "!pattern" to exclude an address or network block from
3453 the list. The form "!/file/name" is supported only in Postfix version
3454 2.4 and later.
3455
3456 Note: IP version 6 address information must be specified inside [] in
3457 the mynetworks value, and in files specified with "/file/name". IP
3458 version 6 addresses contain the ":" character, and would otherwise be
3459 confused with a "type:table" pattern.
3460
3461 Examples:
3462
3463 mynetworks = 127.0.0.0/8 168.100.189.0/28
3464 mynetworks = !192.168.0.1, 192.168.0.0/28
3465 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
3466 mynetworks = $config_directory/mynetworks
3467 mynetworks = hash:/etc/postfix/network_table
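
Added example, not code from the page or from Postfix: a small model of how a mynetworks value is matched against a connecting client address under the rules above (left-to-right, first match wins, "!pattern" excludes, IPv6 written inside []). "type:table" patterns are resolved against a dict of table spec to key set, and "/file/name" patterns against a dict of file name to contents, so it runs offline; both dicts and all addresses are constructed stand-ins. It shows the two mistakes the text warns about: an exclusion placed after the block it should carve a hole in is never reached, and an unbracketed IPv6 address is taken for a "type:table" pattern.

```python
import ipaddress


def parse_mynetworks(value, files=None):
    """Return (negated, pattern) tuples in main.cf order.
    A "/file/name" pattern is replaced by the file's contents; a negated
    file negates every pattern it contains (the "!/file/name" form)."""
    files = files or {}
    result = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        if negated:
            token = token[1:]
        if token.startswith("/"):
            if token not in files:
                raise ValueError("cannot read pattern file: %s" % token)
            for neg, pat in parse_mynetworks(files[token], files):
                result.append((negated != neg, pat))
            continue
        result.append((negated, token))
    return result


def _pattern_matches(pattern, client, tables):
    """True when one mynetworks pattern matches the client address."""
    if pattern.startswith("["):
        # "[ipv6-addr]" or "[ipv6-addr]/prefix": drop the brackets.
        addr, _, prefix = pattern[1:].partition("]")
        pattern = addr + prefix
    elif ":" in pattern:
        # Anything else containing ":" is a "type:table" spec; this is why
        # an unbracketed IPv6 address cannot be used here.
        if pattern not in tables:
            raise ValueError("unsupported lookup table: %s "
                             "(IPv6 addresses must be written inside [])" % pattern)
        # Simplification: Postfix also tries shorter network prefixes as
        # lookup keys; this model looks up the full client address only.
        return str(client) in tables[pattern]
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        raise ValueError("bad mynetworks pattern: %s" % pattern)
    return client.version == network.version and client in network


def client_is_trusted(client_ip, mynetworks, tables=None, files=None):
    """True when client_ip is 'trusted' under the given mynetworks value,
    False when it is a 'stranger'. The search stops at the first match, so
    a "!pattern" entry only has an effect if it precedes the network block
    that would otherwise match."""
    client = ipaddress.ip_address(client_ip)
    for negated, pattern in parse_mynetworks(mynetworks, files):
        if _pattern_matches(pattern, client, tables or {}):
            return not negated
    return False


if __name__ == "__main__":
    # Constructed inputs; the hash: table spec is a stand-in, not a real file.
    tables = {"hash:/etc/postfix/network_table": {"10.9.8.7"}}
    print(client_is_trusted("192.168.0.1", "!192.168.0.1, 192.168.0.0/28"))  # False
    print(client_is_trusted("192.168.0.1", "192.168.0.0/28, !192.168.0.1"))  # True
    print(client_is_trusted("2001:240:587::5",
                            "127.0.0.0/8 [::1]/128 [2001:240:587::]/64"))    # True
    print(client_is_trusted("10.9.8.7", "hash:/etc/postfix/network_table",
                            tables))                                         # True
```

The second call is the instructive one: with the exclusion listed after the /28, 192.168.0.1 is already matched by the block and the "!" entry is never consulted, so the host relays. Check the real thing with "postconf -n mynetworks" and keep exclusions at the front of the list.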
3468
3470 The method to generate the default value for the mynetworks parameter.
3471 This is the list of trusted networks for relay access control etc.
3472
3473 · Specify "mynetworks_style = host" when Postfix should "trust"
3474 only the local machine.
3475
3476 · Specify "mynetworks_style = subnet" when Postfix should "trust"
3477 SMTP clients in the same IP subnetworks as the local machine.
3478 On Linux, this works correctly only with interfaces specified
3479 with the "ifconfig" command.
3480
3481 · Specify "mynetworks_style = class" when Postfix should "trust"
3482 SMTP clients in the same IP class A/B/C networks as the local
3483 machine. Don't do this with a dialup site - it would cause
3484 Postfix to "trust" your entire provider's network. Instead,
3485 specify an explicit mynetworks list by hand, as described with
3486 the mynetworks configuration parameter.
3487
3489 The domain name that locally-posted mail appears to come from, and that
3490 locally posted mail is delivered to. The default, $myhostname, is ade‐
3491 quate for small sites. If you run a domain with multiple machines, you
3492 should (1) change this to $mydomain and (2) set up a domain-wide alias
3493 database that aliases each user to user@that.users.mailhost.
3494
3495 Example:
3496
3497 myorigin = $mydomain
3498
3500 Optional lookup tables for content inspection of non-MIME message head‐
3501 ers in attached messages, as described in the header_checks(5) manual
3502 page.
3503
3504 This feature is available in Postfix 2.0 and later.
3505
3507 Sendmail compatibility feature that specifies the location of the
3508 newaliases(1) command. This command can be used to rebuild the local(8)
3509 aliases(5) database.
3510
3512 The numerical Postfix SMTP server reply code when a client request is
3513 rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
3514 or reject_non_fqdn_recipient restriction.
3515
3517 A list of Milter (mail filter) applications for new mail that does not
3518 arrive via the Postfix smtpd(8) server. This includes local submission
3519 via the sendmail(1) command line, new mail that arrives via the Postfix
3520 qmqpd(8) server, and old mail that is re-injected into the queue with
3521 "postsuper -r". See the MILTER_README document for details.
3522
3523 This feature is available in Postfix 2.3 and later.
3524
3526 The list of error classes that are reported to the postmaster. The
3527 default is to report only the most serious problems. The paranoid may
3528 wish to turn on the policy (UCE and mail relaying) and protocol error
3529 (broken mail software) reports.
3530
3531 NOTE: postmaster notifications may contain confidential information
3532 such as SASL passwords or message content. It is the system adminis‐
3533 trator's responsibility to treat such information with care.
3534
3535 The error classes are:
3536
3537 bounce (also implies 2bounce)
3538 Send the postmaster copies of the headers of bounced mail, and
3539 send transcripts of SMTP sessions when Postfix rejects mail. The
3540 notification is sent to the address specified with the
3541 bounce_notice_recipient configuration parameter (default: post‐
3542 master).
3543
3544 2bounce
3545 Send undeliverable bounced mail to the postmaster. The notifica‐
3546 tion is sent to the address specified with the
3547 2bounce_notice_recipient configuration parameter (default: post‐
3548 master).
3549
3550 delay Send the postmaster copies of the headers of delayed mail. The
3551 notification is sent to the address specified with the
3552 delay_notice_recipient configuration parameter (default: post‐
3553 master).
3554
3555 policy Send the postmaster a transcript of the SMTP session when a
3556 client request was rejected because of (UCE) policy. The notifi‐
3557 cation is sent to the address specified with the
3558 error_notice_recipient configuration parameter (default: post‐
3559 master).
3560
3561 protocol
3562 Send the postmaster a transcript of the SMTP session in case of
3563 client or server protocol errors. The notification is sent to
3564 the address specified with the error_notice_recipient configura‐
3565 tion parameter (default: postmaster).
3566
3567 resource
3568 Inform the postmaster of mail not delivered due to resource
3569 problems. The notification is sent to the address specified
3570 with the error_notice_recipient configuration parameter
3571 (default: postmaster).
3572
3573 software
3574 Inform the postmaster of mail not delivered due to software
3575 problems. The notification is sent to the address specified
3576 with the error_notice_recipient configuration parameter
3577 (default: postmaster).
3578
3579 Examples:
3580
3581 notify_classes = bounce, delay, policy, protocol, resource, software
3582 notify_classes = 2bounce, resource, software
3583
3585 Give special treatment to owner-listname and listname-request address
3586 localparts: don't split such addresses when the recipient_delimiter is
3587 set to "-". This feature is useful for mailing lists.
3588
3590 What Postfix features match subdomains of "domain.tld" automatically,
3591 instead of requiring an explicit ".domain.tld" pattern. This is
3592 planned backwards compatibility: eventually, all Postfix features are
3593 expected to require explicit ".domain.tld" style patterns when you
3594 really want to match subdomains.
3595
3597 Restrict the use of the permit_mx_backup SMTP access feature to only
3598 domains whose primary MX hosts match the listed networks. The parame‐
3599 ter value syntax is the same as with the mynetworks parameter; note,
3600 however, that the default value is empty.
3601
3603 The name of the pickup(8) service. This service picks up local mail
3604 submissions from the Postfix maildrop queue.
3605
3606 This feature is available in Postfix 2.0 and later.
3607
3609 The numerical Postfix SMTP server response code when a request is
3610 rejected by the reject_plaintext_session restriction.
3611
3612 This feature is available in Postfix 2.3 and later.
3613
3615 The postfix(1) commands that the postmulti(1) instance manager treats
3616 as "control" commands, that operate on running instances. For these
3617 commands, disabled instances are skipped.
3618
3619 This feature is available in Postfix 2.6 and later.
3620
3622 The postfix(1) commands that the postmulti(1) instance manager treats
3623 as "start" commands. For these commands, disabled instances are
3624 "checked" rather than "started", and failure to "start" a member
3625 instance of an instance group will abort the start-up of later
3626 instances.
3627
3628 This feature is available in Postfix 2.6 and later.
3629
3631 The postfix(1) commands that the postmulti(1) instance manager treats
3632 as "stop" commands. For these commands, disabled instances are skipped,
3633 and enabled instances are processed in reverse order.
3634
3635 This feature is available in Postfix 2.6 and later.
3636
3638 The message delivery contexts where the Postfix local(8) delivery agent
3639 prepends a Delivered-To: message header with the address that the mail
3640 was delivered to. This information is used for mail delivery loop
3641 detection.
3642
3643 By default, the Postfix local delivery agent prepends a Delivered-To:
3644 header when forwarding mail and when delivering to file (mailbox) and
3645 command. Turning off the Delivered-To: header when forwarding mail is
3646 not recommended.
3647
3648 Specify zero or more of forward, file, or command.
3649
3650 Example:
3651
3652 prepend_delivered_header = forward
3653
3655 The process ID of a Postfix command or daemon process.
3656
3658 The location of Postfix PID files relative to $queue_directory. This
3659 is a read-only parameter.
3660
3662 The process name of a Postfix command or daemon process.
3663
3665 What address lookup tables copy an address extension from the lookup
3666 key to the lookup result.
3667
3668 For example, with a virtual(5) mapping of "joe@example.com =>
3669 joe.user@example.net", the address "joe+foo@example.com" would rewrite
3670 to "joe.user+foo@example.net".
3671
3672 Specify zero or more of canonical, virtual, alias, forward, include or
3673 generic. These cause address extension propagation with canonical(5),
3674 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
3675 file lookups, and with smtp(8) generic maps, respectively.
3676
3677 Note: enabling this feature for types other than canonical and virtual
3678 is likely to cause problems when mail is forwarded to other sites,
3679 especially with mail that is sent to a mailing list exploder address.
3680
3681 Examples:
3682
3683 propagate_unmatched_extensions = canonical, virtual, alias,
3684 forward, include
3685 propagate_unmatched_extensions = canonical, virtual
3686
3688 The network interface addresses that this mail system receives mail on
3689 by way of a proxy or network address translation unit.
3690
3691 This feature is available in Postfix 2.0 and later.
3692
3693 You must specify your "outside" proxy/NAT addresses when your system is
3694 a backup MX host for other domains, otherwise mail delivery loops will
3695 happen when the primary MX host is down.
3696
3697 Example:
3698
3699 proxy_interfaces = 1.2.3.4
3700
3702 The lookup tables that the proxymap(8) server is allowed to access for
3703 the read-only service. Table references that don't begin with proxy:
3704 are ignored.
3705
3706 This feature is available in Postfix 2.0 and later.
3707
3709 The lookup tables that the proxymap(8) server is allowed to access for
3710 the read-write service. Postfix-owned local database files should be
3711 stored under the Postfix-owned data_directory. Table references that
3712 don't begin with proxy: are ignored.
3713
3714 This feature is available in Postfix 2.5 and later.
3715
3717 The name of the proxymap read-only table lookup service. This service
3718 is normally implemented by the proxymap(8) daemon.
3719
3720 This feature is available in Postfix 2.6 and later.
3721
3723 The name of the proxywrite read-write table lookup service. This ser‐
3724 vice is normally implemented by the proxymap(8) daemon.
3725
3726 This feature is available in Postfix 2.6 and later.
3727
3729 The minimal delay between warnings that a specific destination is clog‐
3730 ging up the Postfix active queue. Specify 0 to disable.
3731
3732 This feature is enabled with the helpful_warnings parameter.
3733
3734 This feature is available in Postfix 2.0 and later.
3735
3737 Obsolete feature: the percentage of delivery resources that a busy mail
3738 system will use up for delivery of a large mailing list message.
3739
3740 This feature exists only in the oqmgr(8) old queue manager. The current
3741 queue manager solves the problem in a better way.
3742
3744 The maximal number of messages in the active queue.
3745
3747 The maximal number of recipients held in memory by the Postfix queue
3748 manager, and the maximal size of the short-term, in-memory "dead"
3749 destination status cache.
3750
3752 The minimal number of in-memory recipients for any message. This takes
3753 priority over any other in-memory recipient limits (i.e., the global
3754 qmgr_message_recipient_limit and the per transport _recipient_limit) if
3755 necessary. The minimum value allowed for this parameter is 1.
3756
3758 What clients are allowed to connect to the QMQP server port.
3759
3760 By default, no client is allowed to use the service. This is because
3761 the QMQP server will relay mail to any destination.
3762
3763 Specify a list of client patterns. A list pattern specifies a host
3764 name, a domain name, an internet address, or a network/mask pattern,
3765 where the mask specifies the number of bits in the network part. When
3766 a pattern specifies a file name, its contents are substituted for the
3767 file name; when a pattern is a "type:table" table specification, table
3768 lookup is used instead.
3769
3770 Patterns are separated by whitespace and/or commas. In order to reverse
3771 the result, precede a pattern with an exclamation point (!). The form
3772 "!/file/name" is supported only in Postfix version 2.4 and later.
3773
3774 Example:
3775
3776 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
3777
3779 Enable logging of the remote QMQP client port in addition to the host‐
3780 name and IP address. The logging format is "host[address]:port".
3781
3782 This feature is available in Postfix 2.5 and later.
3783
3785 How long the QMQP server will pause before sending a negative reply to
3786 the client. The purpose is to slow down confused or malicious clients.
3787
3788 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3789 The default time unit is s (seconds).
3790
3792 The time limit for sending or receiving information over the network.
3793 If a read or write operation blocks for more than $qmqpd_timeout sec‐
3794 onds the QMQP server gives up and disconnects.
3795
3796 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3797 The default time unit is s (seconds).
3798
3800 The location of the Postfix top-level queue directory. This is the root
3801 directory of Postfix daemon processes that run chrooted.
3802
3804 The maximal number of (name=value) attributes that may be stored in a
3805 Postfix queue file. The limit is enforced by the cleanup(8) server.
3806
3807 This feature is available in Postfix 2.0 and later.
3808
3810 The minimal amount of free space in bytes in the queue file system that
3811 is needed to receive mail. This is currently used by the SMTP server
3812 to decide if it will accept any mail at all.
3813
3814 By default, the Postfix version 2.1 SMTP server rejects MAIL FROM com‐
3815 mands when the amount of free space is less than 1.5*$mes‐
3816 sage_size_limit. To specify a higher minimum free space limit, specify
3817 a queue_minfree value that is at least 1.5*$message_size_limit.
3818
3819 With Postfix versions 2.0 and earlier, a queue_minfree value of zero
3820 means there is no minimum required amount of free space.
3821
3823 The time between deferred queue scans by the queue manager; prior to
3824 Postfix 2.4 the default value was 1000s.
3825
3826 This parameter should be set less than or equal to $minimal_back‐
3827 off_time. See also $maximal_backoff_time.
3828
3829 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3830 The default time unit is s (seconds).
3831
3833 The name of the qmgr(8) service. This service manages the Postfix queue
3834 and schedules delivery requests.
3835
3836 This feature is available in Postfix 2.0 and later.
3837
3839 Optional lookup tables with RBL response templates. The tables are
3840 indexed by the RBL domain name. By default, Postfix uses the default
3841 template as specified with the default_rbl_reply configuration parame‐
3842 ter. See there for a discussion of the syntax of RBL reply templates.
3843
3844 This feature is available in Postfix 2.0 and later.
3845
3847 The location of Postfix README files that describe how to build, con‐
3848 figure or operate a specific Postfix subsystem or feature.
3849
3851 Enable or disable recipient validation, built-in content filtering, or
3852 address mapping. Typically, these are specified in master.cf as com‐
3853 mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
3854
3855 Specify zero or more of the following options. The options override
3856 main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
3857 pickup(8) themselves, or they are forwarded to the cleanup server.
3858
3859 no_unknown_recipient_checks
3860 Do not try to reject unknown recipients (SMTP server only).
3861 This is typically specified AFTER an external content filter.
3862
3863 no_address_mappings
3864 Disable canonical address mapping, virtual alias map expansion,
3865 address masquerading, and automatic BCC (blind carbon-copy)
3866 recipients. This is typically specified BEFORE an external con‐
3867 tent filter.
3868
3869 no_header_body_checks
3870 Disable header/body_checks. This is typically specified AFTER an
3871 external content filter.
3872
3873 no_milters
3874 Disable Milter (mail filter) applications. This is typically
3875 specified AFTER an external content filter.
3876
3877 Note: when the "BEFORE content filter" receive_override_options setting
3878 is specified in the main.cf file, specify the "AFTER content filter"
3879 receive_override_options setting in master.cf (and vice versa).
3880
3881 Examples:
3882
3883 receive_override_options =
3884 no_unknown_recipient_checks, no_header_body_checks
3885 receive_override_options = no_address_mappings
3886
3887 This feature is available in Postfix 2.1 and later.
3888
3890 Optional BCC (blind carbon-copy) address lookup tables, indexed by
3891 recipient address. The BCC address (multiple results are not sup‐
3892 ported) is added when mail enters from outside of Postfix.
3893
3894 This feature is available in Postfix 2.1 and later.
3895
3896 The table search order is as follows:
3897
3898 · Look up the "user+extension@domain.tld" address including the
3899 optional address extension.
3900
3901 · Look up the "user@domain.tld" address without the optional
3902 address extension.
3903
3904 · Look up the "user+extension" address local part when the recipi‐
3905 ent domain equals $myorigin, $mydestination, $inet_interfaces or
3906 $proxy_interfaces.
3907
3908 · Look up the "user" address local part when the recipient domain
3909 equals $myorigin, $mydestination, $inet_interfaces or
3910 $proxy_interfaces.
3911
3912 · Look up the "@domain.tld" part.
3913
3914 Specify the types and names of databases to use. After change, run
3915 "postmap /etc/postfix/recipient_bcc".
3916
3917 Note: if mail to the BCC address bounces it will be returned to the
3918 sender.
3919
3920 Note: automatic BCC recipients are produced only for new mail. To
3921 avoid mailer loops, automatic BCC recipients are not generated for mail
3922 that Postfix forwards internally, nor for mail that Postfix generates
3923 itself.
3924
3925 Example:
3926
3927 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
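
Added example, not code from the page or from Postfix: a model of the five-step table search order listed above for recipient_bcc_maps, reused for the propagate_unmatched_extensions behaviour described earlier (the "joe+foo@example.com" to "joe.user+foo@example.net" case). Tables are plain dicts standing in for hash:/ldap: lookup tables, the local domain set stands in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces, and recipient_delimiter is assumed to be "+". All addresses are constructed.

```python
DELIMITER = "+"   # assumed recipient_delimiter


def split_address(address):
    """'user+ext@domain' -> ('user', 'ext', 'domain'); ext is '' if absent."""
    if "@" in address:
        localpart, domain = address.rsplit("@", 1)
    else:
        localpart, domain = address, ""
    user, _, extension = localpart.partition(DELIMITER)
    return user, extension, domain.lower()


def lookup_address(table, address, local_domains):
    """Return (matched_key, value) using the search order from the text,
    or None. The local-part keys (steps 3 and 4) are only tried when the
    recipient domain is one of the local domains."""
    user, ext, domain = split_address(address)
    keys = []
    if ext:
        keys.append("%s%s%s@%s" % (user, DELIMITER, ext, domain))   # 1
    keys.append("%s@%s" % (user, domain))                           # 2
    if domain in local_domains:
        if ext:
            keys.append("%s%s%s" % (user, DELIMITER, ext))          # 3
        keys.append(user)                                           # 4
    keys.append("@" + domain)                                       # 5
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def recipient_bcc(table, address, local_domains):
    """The automatic BCC address for a recipient, or None. A table value is
    one address: multiple results are not supported."""
    hit = lookup_address(table, address, local_domains)
    return hit[1] if hit else None


def rewrite_with_extension(table, address, local_domains, propagate=True):
    """Rewrite address through a virtual(5)-style table. When the key that
    matched did not carry the extension and propagation is enabled, the
    unmatched extension is copied from the lookup key onto the result."""
    hit = lookup_address(table, address, local_domains)
    if hit is None:
        return address
    key, result = hit
    _, ext, _ = split_address(address)
    key_has_ext = DELIMITER in key.split("@")[0]
    if not propagate or not ext or key_has_ext:
        return result
    r_local, at, r_domain = result.partition("@")
    return "%s%s%s%s%s" % (r_local, DELIMITER, ext, at, r_domain)


if __name__ == "__main__":
    local = {"example.com"}                                      # constructed
    virtual = {"joe@example.com": "joe.user@example.net"}
    print(rewrite_with_extension(virtual, "joe+foo@example.com", local))
    bcc = {"@example.com": "archive@example.net",
           "ceo@example.com": "legal@example.net"}
    print(recipient_bcc(bcc, "ceo+news@example.com", local))
    print(recipient_bcc(bcc, "ceo+news@example.org", local))
```

The last call returns None: with a non-local recipient domain only steps 1, 2 and 5 run, so neither the "ceo" local part nor the "@example.com" wildcard applies to example.org. That is the check to run before assuming a catch-all BCC entry archives mail for every domain the server handles.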
3928
3930 What addresses are subject to recipient_canonical_maps address mapping.
3931 By default, recipient_canonical_maps address mapping is applied to
3932 envelope recipient addresses, and to header recipient addresses.
3933
3934 Specify one or more of: envelope_recipient, header_recipient
3935
3936 This feature is available in Postfix 2.2 and later.
3937
3939 Optional address mapping lookup tables for envelope and header recipi‐
3940 ent addresses. The table format and lookups are documented in canoni‐
3941 cal(5).
3942
3943 Note: $recipient_canonical_maps is processed before $canonical_maps.
3944
3945 Example:
3946
3947 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
3948
3950 The separator between user names and address extensions (user+foo).
3951 See canonical(5), local(8), relocated(5) and virtual(5) for the effects
3952 this has on aliases, canonical, virtual, relocated and on .forward file
3953 lookups. Basically, the software tries user+foo and .forward+foo
3954 before trying user and .forward.
3955
3956 Example:
3957
3958 recipient_delimiter = +
3959
3961 The numerical Postfix SMTP server response code when a remote SMTP
3962 client request is rejected by the "reject" restriction.
3963
3964 Do not change this unless you have a complete understanding of RFC
3965 2821.
3966
3968 The Postfix SMTP server's action when a reject-type restriction fails
3969 due to a temporary error condition. Specify "defer" to defer the remote
3970 SMTP client request immediately. With the default "defer_if_permit"
3971 action, the Postfix SMTP server continues to look for opportunities to
3972 reject mail, and defers the client request only if it would otherwise
3973 be accepted.
3974
3975 For finer control, see: unverified_recipient_tempfail_action, unveri‐
3976 fied_sender_tempfail_action, unknown_address_tempfail_action, and
3977 unknown_helo_hostname_tempfail_action.
3978
3979 This feature is available in Postfix 2.6 and later.
3980
3982 List of tables with remote SMTP client-certificate fingerprints for
3983 which the Postfix SMTP server will allow access with the per‐
3984 mit_tls_clientcerts feature. The fingerprint digest algorithm is con‐
3985 figurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as
3986 md5 prior to Postfix version 2.5).
3987
3988 Postfix lookup tables are in the form of (key, value) pairs. Since we
3989 only need the key, the value can be chosen freely, e.g. the name of
3990 the user or host:
3991     D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
3992
3993 Example:
3994
3995 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
3996
3997 For more fine-grained control, use check_ccert_access to select an
3998 appropriate access(5) policy for each client. See RESTRIC‐
3999 TION_CLASS_README.
4000
4001 This feature is available with Postfix version 2.2.
4002
4004 relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)
4005 The maximal number of parallel deliveries to the same destination via
4006 the relay message delivery transport. This limit is enforced by the
4007 queue manager. The message delivery transport name is the first field
4008 in the entry in the master.cf file.
4009
4010 This feature is available in Postfix 2.0 and later.
4011
4013 relay_destination_recipient_limit (default: $default_destination_recipient_limit)
4014 The maximal number of recipients per message for the relay message
4015 delivery transport. This limit is enforced by the queue manager. The
4016 message delivery transport name is the first field in the entry in the
4017 master.cf file.
4018
4019 Setting this parameter to a value of 1 changes the meaning of
4020 relay_destination_concurrency_limit from concurrency per domain into
4021 concurrency per recipient.
4022
4023 This feature is available in Postfix 2.0 and later.
4024
4026 What destination domains (and subdomains thereof) this system will
4027 relay mail to. Subdomain matching is controlled with the par‐
4028 ent_domain_matches_subdomains parameter. For details about how the
4029 relay_domains value is used, see the description of the per‐
4030 mit_auth_destination and reject_unauth_destination SMTP recipient
4031 restrictions.
4032
4033 Domains that match $relay_domains are delivered with the $relay_trans‐
4034 port mail delivery transport. The SMTP server validates recipient
4035 addresses with $relay_recipient_maps and rejects non-existent recipi‐
4036 ents. See also the relay domains address class in the
4037 ADDRESS_CLASS_README file.
4038
4039 Note: Postfix will not automatically forward mail for domains that list
4040 this system as their primary or backup MX host. See the per‐
4041 mit_mx_backup restriction in the postconf(5) manual page.
4042
4043 Specify a list of host or domain names, "/file/name" patterns or
4044 "type:table" lookup tables, separated by commas and/or whitespace.
4045 Continue long lines by starting the next line with whitespace. A
4046 "/file/name" pattern is replaced by its contents; a "type:table" lookup
4047 table is matched when a (parent) domain appears as lookup key. Specify
4048 "!pattern" to exclude a domain from the list. The form "!/file/name" is
4049 supported only in Postfix version 2.4 and later.
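
Added example, not code from the page or from Postfix: a model of how a recipient domain is classified against the mydestination list described earlier and the relay_domains list described here, including "!pattern" exclusion, explicit ".domain.tld" patterns, the implicit subdomain matching that parent_domain_matches_subdomains controls, and the user@[ip.address] case. This is what reject_unauth_destination ultimately decides on: a domain in neither class is rejected. The default for parent_domain_matches_subdomains is assumed to contain relay_domains and not mydestination, table specs are resolved from a dict of spec to key set, virtual domain classes are left out, and every domain and address used is constructed.

```python
def parse_domain_list(value):
    """Split a mydestination/relay_domains value into (negated, pattern)
    pairs in main.cf order. "/file/name" substitution is not modelled."""
    items = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        items.append((negated, token.lstrip("!").lower()))
    return items


def _domain_matches(pattern, domain, match_subdomains, tables):
    """One list pattern against one lowercased recipient domain."""
    if ":" in pattern:
        # "type:table": the domain (or, with subdomain matching, a parent
        # domain) must appear as a lookup key; the result is ignored.
        # Simplification: explicit ".parent" keys are not tried.
        keys = tables.get(pattern, set())
        labels = domain.split(".")
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
        if not match_subdomains:
            candidates = candidates[:1]
        return any(c in keys for c in candidates)
    if pattern.startswith("."):
        return domain.endswith(pattern)          # explicit subdomains only
    if domain == pattern:
        return True
    return match_subdomains and domain.endswith("." + pattern)


def domain_in_list(domain, value, match_subdomains=False, tables=None):
    """Left-to-right search, first match wins, "!pattern" excludes."""
    domain = domain.lower()
    for negated, pattern in parse_domain_list(value):
        if _domain_matches(pattern, domain, match_subdomains, tables or {}):
            return not negated
    return False


def address_class(domain, mydestination, relay_domains,
                  parent_domain_matches_subdomains=("relay_domains",),
                  tables=None, interface_addresses=()):
    """'local', 'relay' or 'other' for a recipient domain. The default
    parent_domain_matches_subdomains mirrors Postfix: relay_domains matches
    subdomains implicitly, mydestination does not (assumption noted above)."""
    domain = domain.lower()
    if domain.startswith("[") and domain.endswith("]"):
        # user@[ip.address] is local when the address is one of ours
        # ($inet_interfaces / $proxy_interfaces).
        return "local" if domain[1:-1] in interface_addresses else "other"
    if domain_in_list(domain, mydestination,
                      "mydestination" in parent_domain_matches_subdomains, tables):
        return "local"
    if domain_in_list(domain, relay_domains,
                      "relay_domains" in parent_domain_matches_subdomains, tables):
        return "relay"
    return "other"


def reject_unauth_destination(domain, mydestination, relay_domains, **kw):
    """True when reject_unauth_destination would reject mail for domain."""
    return address_class(domain, mydestination, relay_domains, **kw) == "other"


if __name__ == "__main__":
    md = "mail.example.com, localhost.example.com example.com"    # constructed
    rd = "customer.example, hash:/etc/postfix/relay_domains"
    tables = {"hash:/etc/postfix/relay_domains": {"partner.example"}}
    for d in ("example.com", "www.example.com", "sub.customer.example",
              "sub.partner.example", "evil.example"):
        print(d, address_class(d, md, rd, tables=tables))
```

Note the asymmetry the output shows: www.example.com is "other" because mydestination does not match subdomains, while sub.customer.example is "relay" because relay_domains does. Listing a parent domain in relay_domains therefore opens relaying for every subdomain beneath it; remove relay_domains from parent_domain_matches_subdomains or use explicit names when that is not intended.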
4050
4052 The numerical Postfix SMTP server response code when a client request
4053 is rejected by the reject_unauth_destination recipient restriction.
4054
4055 Do not change this unless you have a complete understanding of RFC
4056 2821.
4057
4059 Optional lookup tables with all valid addresses in the domains that
4060 match $relay_domains. Specify @domain as a wild-card for domains that
4061 have no valid recipient list, and become a source of backscatter mail:
4062 Postfix accepts spam for non-existent recipients and then floods inno‐
4063 cent people with undeliverable mail. Technically, tables listed with
4064 $relay_recipient_maps are used as lists: Postfix needs to know only if
4065 a lookup string is found or not, but it does not use the result from
4066 table lookup.
4067
4068 If this parameter is non-empty, then the Postfix SMTP server will
4069 reject mail to unknown relay users. This feature is off by default.
4070
4071 See also the relay domains address class in the ADDRESS_CLASS_README
4072 file.
4073
4074 Example:
4075
4076 relay_recipient_maps = hash:/etc/postfix/relay_recipients
4077
4078 This feature is available in Postfix 2.0 and later.
4079
4081 The default mail delivery transport and next-hop destination for remote
4082 delivery to domains listed with $relay_domains. In order of decreasing
4083 precedence, the nexthop destination is taken from $relay_transport,
4084 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
4085 domain. This information can be overruled with the transport(5) table.
4086
4087 Specify a string of the form transport:nexthop, where transport is the
4088 name of a mail delivery transport defined in master.cf. The :nexthop
4089 part is optional. For more details see the transport(5) manual page.
4090
4091 See also the relay domains address class in the ADDRESS_CLASS_README
4092 file.
4093
4094 This feature is available in Postfix 2.0 and later.
4095
4097 The next-hop destination of non-local mail; overrides non-local domains
4098 in recipient addresses. This information is overruled with relay_trans‐
4099 port, default_transport, sender_dependent_relayhost_maps and with the
4100 transport(5) table.
4101
4102 On an intranet, specify the organizational domain name. If your inter‐
4103 nal DNS uses no MX records, specify the name of the intranet gateway
4104 host instead.
4105
4106 In the case of SMTP, specify a domain name, hostname, hostname:port,
4107 [hostname]:port, [hostaddress] or [hostaddress]:port. The form [host‐
4108 name] turns off MX lookups.
4109
4110 If you're connected via UUCP, see the UUCP_README file for useful
4111 information.
4112
4113 Examples:
4114
4115 relayhost = $mydomain
4116 relayhost = [gateway.example.com]
4117 relayhost = uucphost
4118 relayhost = [an.ip.add.ress]
4119
4121 Optional lookup tables with new contact information for users or
4122 domains that no longer exist. The table format and lookups are docu‐
4123 mented in relocated(5).
4124
4125 If you use this feature, run "postmap /etc/postfix/relocated" to build
4126 the necessary DBM or DB file after change, then "postfix reload" to
4127 make the changes visible.
4128
4129 Examples:
4130
4131 relocated_maps = dbm:/etc/postfix/relocated
4132 relocated_maps = hash:/etc/postfix/relocated
4133
Don't rewrite message headers from remote clients at all when this
parameter is empty; otherwise, rewrite message headers and append the
specified domain name to incomplete addresses. The
local_header_rewrite_clients parameter controls what clients Postfix
considers local.

Examples:

The safe setting: append "domain.invalid" to incomplete header
addresses from remote SMTP clients, so that those addresses cannot be
confused with local addresses.

    remote_header_rewrite_domain = domain.invalid

The default, purist, setting: don't rewrite headers from remote clients
at all.

    remote_header_rewrite_domain =

Whether or not a local(8) recipient's home directory must exist before
mail delivery is attempted. By default this test is disabled. It can
be useful for environments that import home directories to the mail
server (NOT RECOMMENDED).

Resolve a recipient address safely instead of correctly, by looking
inside quotes.

By default, the Postfix address resolver does not quote the address
localpart as per RFC 822, so that additional @ or % or ! operators
remain visible. This behavior is safe but it is also technically
incorrect.

If you specify "resolve_dequoted_address = no", then the Postfix
resolver will not know about additional @ etc. operators in the address
localpart. This opens opportunities for obscure mail relay attacks with
user@domain@domain addresses when Postfix provides backup MX service
for Sendmail systems.

Resolve an address that ends in the "@" null domain as if the local
hostname were specified, instead of rejecting the address as invalid.

This feature is available in Postfix 2.1 and later. Earlier versions
always resolve the null domain as the local hostname.

The Postfix SMTP server uses this feature to reject mail from or to
addresses that end in the "@" null domain, and from addresses that
rewrite into a form that ends in the "@" null domain.

Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
the address as invalid.

This feature is available in Postfix 2.3 and later.

The name of the address rewriting service. This service rewrites
addresses to standard form and resolves them to a (delivery method,
next-hop host, recipient) triple.

This feature is available in Postfix 2.0 and later.

The name of the directory with example Postfix configuration files.

When authenticating to a remote SMTP or LMTP server with the default
setting "no", send no SASL authoriZation ID (authzid); send only the
SASL authentiCation ID (authcid) plus the authcid's password.

The non-default setting "yes" enables the behavior of older Postfix
versions. These always send a SASL authzid that is equal to the SASL
authcid, but this causes inter-operability problems with some SMTP
servers.

This feature is available in Postfix 2.4.4 and later.

This parameter should not be used. It was replaced by
sender_dependent_relayhost_maps in Postfix version 2.3.

Optional BCC (blind carbon-copy) address lookup tables, indexed by
sender address. The BCC address (multiple results are not supported)
is added when mail enters from outside of Postfix.

This feature is available in Postfix 2.1 and later.

The table search order is as follows:

· Look up the "user+extension@domain.tld" address including the
  optional address extension.

· Look up the "user@domain.tld" address without the optional
  address extension.

· Look up the "user+extension" address local part when the sender
  domain equals $myorigin, $mydestination, $inet_interfaces or
  $proxy_interfaces.

· Look up the "user" address local part when the sender domain
  equals $myorigin, $mydestination, $inet_interfaces or
  $proxy_interfaces.

· Look up the "@domain.tld" part.

Specify the types and names of databases to use. After each change, run
"postmap /etc/postfix/sender_bcc".

Note: if mail to the BCC address bounces it will be returned to the
sender.

Note: automatic BCC recipients are produced only for new mail. To
avoid mailer loops, automatic BCC recipients are not generated for mail
that Postfix forwards internally, nor for mail that Postfix generates
itself.

Example:

    sender_bcc_maps = hash:/etc/postfix/sender_bcc

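The search order above, as an added Python example (not Postfix's own code): sender_bcc_lookup_keys builds the keys in the order listed, and lookup_sender_bcc walks a constructed table with them. The recipient_delimiter "+", the case folding, and the set of domains standing in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces are assumptions of the example.

```python
from typing import Dict, Iterable, List, Optional, Tuple


def sender_bcc_lookup_keys(sender: str, local_domains: Iterable[str],
                           recipient_delimiter: str = "+") -> List[str]:
    """Return the sender_bcc_maps lookup keys for one envelope sender, in
    the order the manual page lists them. The local-part keys are tried
    only when the sender domain is one of local_domains, which stands in
    for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces
    (an assumption of this example)."""
    localpart, at, domain = sender.rpartition("@")
    if not at or not localpart or not domain:
        raise ValueError(f"not a user@domain address: {sender!r}")
    # Case folding, as hash:/btree: tables do by default (assumption here).
    localpart, domain = localpart.lower(), domain.lower()
    local = {d.lower() for d in local_domains}

    # The local part is split at the first recipient_delimiter.
    user, sep, extension = localpart.partition(recipient_delimiter)
    has_extension = bool(sep and extension)

    keys: List[str] = []
    if has_extension:
        keys.append(f"{localpart}@{domain}")   # user+extension@domain.tld
    keys.append(f"{user}@{domain}")            # user@domain.tld
    if domain in local:
        if has_extension:
            keys.append(localpart)             # user+extension
        keys.append(user)                      # user
    keys.append(f"@{domain}")                  # @domain.tld
    return keys


def lookup_sender_bcc(table: Dict[str, str], sender: str,
                      local_domains: Iterable[str],
                      recipient_delimiter: str = "+"
                      ) -> Optional[Tuple[str, str]]:
    """The first key present in the table wins. The value is one BCC
    address; the page notes that multiple results are not supported."""
    folded = {k.lower(): v for k, v in table.items()}
    for key in sender_bcc_lookup_keys(sender, local_domains,
                                      recipient_delimiter):
        if key in folded:
            return key, folded[key]
    return None


# Constructed sample table, as it might be compiled from /etc/postfix/sender_bcc.
SAMPLE_SENDER_BCC = {
    "alice+news@example.com": "news-archive@example.com",
    "bob": "bob-archive@example.com",
    "@partner.example": "compliance@example.com",
}

if __name__ == "__main__":
    for sender in ("alice+news@example.com", "Bob+ticket42@Example.COM",
                   "carol@partner.example", "dave@other.example"):
        print(sender, "->",
              lookup_sender_bcc(SAMPLE_SENDER_BCC, sender, ["example.com"]))
```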
What addresses are subject to sender_canonical_maps address mapping.
By default, sender_canonical_maps address mapping is applied to
envelope sender addresses, and to header sender addresses.

Specify one or more of: envelope_sender, header_sender

This feature is available in Postfix 2.2 and later.

Optional address mapping lookup tables for envelope and header sender
addresses. The table format and lookups are documented in
canonical(5).

Example: you want to rewrite the SENDER address "user@ugly.domain" to
"user@pretty.domain", while still being able to send mail to the
RECIPIENT address "user@ugly.domain".

Note: $sender_canonical_maps is processed before $canonical_maps.

Example:

    sender_canonical_maps = hash:/etc/postfix/sender_canonical

A sender-dependent override for the global relayhost parameter setting.
The tables are searched by the envelope sender address and @domain. A
lookup result of DUNNO terminates the search without overriding the
global relayhost parameter setting (Postfix 2.6 and later). This
information is overruled with relay_transport, default_transport and
with the transport(5) table.

For safety reasons, this feature does not allow $number substitutions
in regular expression maps.

This feature is available in Postfix 2.3 and later.

A Sendmail compatibility feature that specifies the location of the
Postfix sendmail(1) command. This command can be used to submit mail
into the Postfix queue.

How long the Postfix master(8) waits before forking a server that
appears to be malfunctioning.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The group ownership of set-gid Postfix commands and of group-writable
Postfix directories. When this parameter value is changed you need to
re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
"/etc/postfix/post-install set-permissions").

Display the name of the recipient table in the "User unknown"
responses. The extra detail makes troubleshooting easier but also
reveals information that is nobody else's business.

This feature is available in Postfix 2.0 and later.

The name of the showq(8) service. This service produces mail queue
status reports.

This feature is available in Postfix 2.0 and later.

Always send EHLO at the start of an SMTP session.

With "smtp_always_send_ehlo = no", Postfix sends EHLO only when the
word "ESMTP" appears in the server greeting banner (example: 220
spike.porcupine.org ESMTP Postfix).

An optional numerical network address that the Postfix SMTP client
should bind to when making an IPv4 connection.

This can be specified in the main.cf file for all SMTP clients, or it
can be specified in the master.cf file for a specific client, for
example:

    /etc/postfix/master.cf:
        smtp ... smtp -o smtp_bind_address=11.22.33.44

Note 1: when inet_interfaces specifies no more than one IPv4 address,
and that address is a non-loopback address, it is automatically used as
the smtp_bind_address. This supports virtual IP hosting, but can be a
problem on multi-homed firewalls. See the inet_interfaces documentation
for more detail.

Note 2: address information may be enclosed inside [], but this form is
not required here.

An optional numerical network address that the Postfix SMTP client
should bind to when making an IPv6 connection.

This feature is available in Postfix 2.2 and later.

This can be specified in the main.cf file for all SMTP clients, or it
can be specified in the master.cf file for a specific client, for
example:

    /etc/postfix/master.cf:
        smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8

Note 1: when inet_interfaces specifies no more than one IPv6 address,
and that address is a non-loopback address, it is automatically used as
the smtp_bind_address6. This supports virtual IP hosting, but can be a
problem on multi-homed firewalls. See the inet_interfaces documentation
for more detail.

Note 2: address information may be enclosed inside [], but this form is
not recommended here.

Restricted body_checks(5) tables for the Postfix SMTP client. These
tables are searched while mail is being delivered. Actions that change
the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

Allow DNS CNAME records to override the servername that the Postfix
SMTP client uses for logging, SASL password lookup, TLS policy
decisions, or TLS certificate verification. The value "no" hardens
Postfix smtp_tls_per_site hostname-based policies against false
hostname information in DNS CNAME records, and makes SASL password file
lookups more predictable. This is the default setting as of Postfix
2.3.

This feature is available in Postfix 2.2.9 and later.

The SMTP client time limit for completing a TCP connection, or zero
(use the operating system built-in time limit).

When no connection can be made within the deadline, the Postfix SMTP
client tries the next address on the mail exchanger list. Specify 0 to
disable the time limit (i.e. use whatever timeout is implemented by the
operating system).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Permanently enable SMTP connection caching for the specified
destinations. With SMTP connection caching, a connection is not closed
immediately after completion of a mail transaction. Instead, the
connection is kept open for up to $smtp_connection_cache_time_limit
seconds. This allows connections to be reused for other deliveries, and
can improve mail delivery performance.

Specify a comma or white space separated list of destinations or
pseudo-destinations:

· if mail is sent without a relay host: a domain name (the
  right-hand side of an email address, without the [] around a
  numeric IP address),

· if mail is sent via a relay host: a relay host name (without []
  or non-default TCP port), as specified in main.cf or in the
  transport map,

· if mail is sent via a UNIX-domain socket: a pathname (without
  the unix: prefix),

· a /file/name with domain names and/or relay host names as
  defined above,

· a "type:table" with domain names and/or relay host names on the
  left-hand side. The right-hand side result from "type:table"
  lookups is ignored.

This feature is available in Postfix 2.2 and later.

Temporarily enable SMTP connection caching while a destination has a
high volume of mail in the active queue. With SMTP connection caching,
a connection is not closed immediately after completion of a mail
transaction. Instead, the connection is kept open for up to
$smtp_connection_cache_time_limit seconds. This allows connections to
be reused for other deliveries, and can improve mail delivery
performance.

This feature is available in Postfix 2.2 and later.

When SMTP connection caching is enabled, the number of times that an
SMTP session may be reused before it is closed.

This feature is available in Postfix 2.2. In Postfix 2.3 it is replaced
by $smtp_connection_reuse_time_limit.

When SMTP connection caching is enabled, the amount of time that an
unused SMTP client socket is kept open before it is closed. Do not
specify larger values without permission from the remote sites.

This feature is available in Postfix 2.2 and later.

The amount of time during which Postfix will use an SMTP connection
repeatedly. The timer starts when the connection is initiated (i.e. it
includes the connect, greeting and helo latency, in addition to the
latencies of subsequent mail delivery transactions).

This feature addresses a performance stability problem with remote SMTP
servers. This problem is not specific to Postfix: it can happen when
any MTA sends large amounts of SMTP email to a site that has multiple
MX hosts.

The problem starts when one of a set of MX hosts becomes slower than
the rest. Even though SMTP clients connect to fast and slow MX hosts
with equal probability, the slow MX host ends up with more simultaneous
inbound connections than the faster MX hosts, because the slow MX host
needs more time to serve each client request.

The slow MX host becomes a connection attractor. If one MX host
becomes N times slower than the rest, it dominates mail delivery
latency unless there are more than N fast MX hosts to counter the
effect. And if the number of MX hosts is smaller than N, the mail
delivery latency becomes effectively that of the slowest MX host
divided by the total number of MX hosts.

The solution uses connection caching in a way that differs from Postfix
version 2.2. By limiting the amount of time during which a connection
can be used repeatedly (instead of limiting the number of deliveries
over that connection), Postfix not only restores fairness in the
distribution of simultaneous connections across a set of MX hosts, it
also favors deliveries over connections that perform well, which is
exactly what we want.

The default reuse time limit, 300s, is comparable to the various smtp
transaction timeouts which are fair estimates of maximum excess latency
for a slow delivery. Note that hosts may accept thousands of messages
over a single connection within the default connection reuse time
limit. This number is much larger than the default Postfix version 2.2
limit of 10 messages per cached connection. It may prove necessary to
lower the limit to avoid interoperability issues with MTAs that exhibit
bugs when many messages are delivered via a single connection. A lower
reuse time limit risks losing the benefit of connection reuse when the
average connection and mail delivery latency exceeds the reuse time
limit.

This feature is available in Postfix 2.3 and later.

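A steady-state model of the argument above, added here as an illustration and not taken from the Postfix sources: using Little's law (simultaneous connections = connection rate x connection lifetime), compare_policies shows how a per-connection message limit lets the slow MX host attract connections, while a reuse time limit equalizes connections and shifts deliveries toward the fast host. The host latencies, rates and limits are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class MxHost:
    name: str
    latency: float  # seconds per mail delivery transaction on this host


def _shares(values: Dict[str, float]) -> Dict[str, float]:
    """Normalize per-host values to fractions of the total."""
    total = sum(values.values())
    return {name: (v / total if total else 0.0) for name, v in values.items()}


def message_limit_policy(hosts: List[MxHost], connection_rate: float,
                         messages_per_connection: int) -> Dict[str, Dict[str, float]]:
    """Postfix 2.2 behaviour: a cached connection is closed after a fixed
    number of deliveries. Each host receives connection_rate / len(hosts)
    new connections per second (equal-probability MX choice), and each
    connection is held for messages_per_connection * latency seconds."""
    per_host_rate = connection_rate / len(hosts)
    concurrent = {h.name: per_host_rate * messages_per_connection * h.latency
                  for h in hosts}
    throughput = {h.name: per_host_rate * messages_per_connection for h in hosts}
    return {"connection_share": _shares(concurrent),
            "delivery_share": _shares(throughput)}


def time_limit_policy(hosts: List[MxHost], connection_rate: float,
                      reuse_time_limit: float) -> Dict[str, Dict[str, float]]:
    """Postfix 2.3 behaviour: a connection is reused for at most
    reuse_time_limit seconds. Every host holds its connections for the same
    time; a fast host simply completes more deliveries within it."""
    per_host_rate = connection_rate / len(hosts)
    concurrent = {h.name: per_host_rate * reuse_time_limit for h in hosts}
    throughput = {h.name: per_host_rate * (reuse_time_limit // h.latency)
                  for h in hosts}
    return {"connection_share": _shares(concurrent),
            "delivery_share": _shares(throughput)}


# Constructed scenario: two MX hosts, mx2 five times slower than mx1 (N = 5).
HOSTS = [MxHost("mx1", latency=1.0), MxHost("mx2", latency=5.0)]


def compare_policies(hosts: List[MxHost] = HOSTS, connection_rate: float = 10.0,
                     messages_per_connection: int = 10,
                     reuse_time_limit: float = 300.0) -> Dict[str, Dict[str, Dict[str, float]]]:
    return {
        "message_limit": message_limit_policy(hosts, connection_rate,
                                              messages_per_connection),
        "time_limit": time_limit_policy(hosts, connection_rate, reuse_time_limit),
    }


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy)
        for metric, shares in result.items():
            print("  ", metric, {k: round(v, 3) for k, v in shares.items()})
```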
The SMTP client time limit for sending the SMTP ".", and for receiving
the server response.

When no response is received within the deadline, a warning is logged
that the mail may be delivered multiple times.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The SMTP client time limit for sending the SMTP DATA command, and for
receiving the server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The SMTP client time limit for sending the SMTP message content. When
the connection makes no progress for more than $smtp_data_xfer_timeout
seconds the Postfix SMTP client terminates the transfer.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Defer mail delivery when no MX record resolves to an IP address.

The default (no) is to return the mail as undeliverable. With older
Postfix versions the default was to keep trying to deliver the mail
until someone fixed the MX record or until the mail was too old.

Note: Postfix always ignores MX records with equal or worse preference
than the local MTA itself.

This feature is available in Postfix 2.1 and later.

smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination via
the smtp message delivery transport. This limit is enforced by the
queue manager. The message delivery transport name is the first field
in the entry in the master.cf file.

smtp_destination_recipient_limit (default: $default_destination_recipient_limit)
The maximal number of recipients per message for the smtp message
delivery transport. This limit is enforced by the queue manager. The
message delivery transport name is the first field in the entry in the
master.cf file.

Setting this parameter to a value of 1 changes the meaning of
smtp_destination_concurrency_limit from concurrency per domain into
concurrency per recipient.

Lookup tables, indexed by the remote SMTP server address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix SMTP client will ignore in the EHLO response from a
remote SMTP server. See smtp_discard_ehlo_keywords for details. The
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps.

This feature is available in Postfix 2.2 and later.

A case insensitive list of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP client will ignore in the EHLO response
from a remote SMTP server.

This feature is available in Postfix 2.2 and later.

Notes:

· Specify the silent-discard pseudo keyword to prevent this action
  from being logged.

· Use the smtp_discard_ehlo_keyword_address_maps feature to
  discard EHLO keywords selectively.

Enforcement mode: require that remote SMTP servers use TLS encryption,
and never send mail in the clear. This also requires that the remote
SMTP server hostname matches the information in the remote server
certificate, and that the remote SMTP server certificate was issued by
a CA that is trusted by the Postfix SMTP client. If the certificate
doesn't verify or the hostname doesn't match, delivery is deferred and
mail stays in the queue.

The server hostname is matched against all names provided as dNSNames
in the SubjectAlternativeName. If no dNSNames are specified, the
CommonName is checked. The behavior may be changed with the
smtp_tls_enforce_peername option.

This option is useful only if you are definitely sure that you will
only connect to servers that support RFC 2487 _and_ that provide valid
server certificates. Typical use is for clients that send all their
email to a dedicated mailhub.

This feature is available in Postfix 2.2 and later. With Postfix 2.3
and later use smtp_tls_security_level instead.

Optional list of relay hosts for SMTP destinations that can't be found
or that are unreachable. With Postfix 2.2 and earlier this parameter is
called fallback_relay.

By default, mail is returned to the sender when a destination is not
found, and delivery is deferred when a destination is unreachable.

The fallback relays must be SMTP destinations. Specify a domain, host,
host:port, [host]:port, [address] or [address]:port; the form [host]
turns off MX lookups. If you specify multiple SMTP destinations,
Postfix will try them in the specified order.

To prevent mailer loops between MX hosts and fall-back hosts, Postfix
version 2.2 and later will not use the fallback relays for destinations
that it is MX host for (assuming DNS lookup is turned on).

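The destination syntax shared by relayhost and smtp_fallback_relay (domain, host, host:port, [host]:port, [address], [address]:port), as an added Python example that is not Postfix's own parser: parse_destination records whether the [] form turned off MX lookups, parse_destination_list keeps the order in which multiple fallback relays are tried, and review_destinations flags forms whose behaviour the two entries above describe. The function names, the hostname regex and the note texts are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hostname shape accepted by this example (labels of letters, digits, hyphens).
_NAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$")


@dataclass(frozen=True)
class Destination:
    host: str
    port: Optional[int]   # None: the transport's default port
    mx_lookup: bool       # False for [host] / [address]: connect to it directly
    is_address: bool      # True for a literal IPv4 or IPv6 address


def _parse_port(text: str) -> int:
    if not text.isdigit() or not 0 < int(text) < 65536:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_destination(spec: str) -> Destination:
    """Parse one destination in the relayhost / smtp_fallback_relay syntax."""
    spec = spec.strip()
    if not spec:
        raise ValueError("empty destination")
    port: Optional[int] = None
    if spec.startswith("["):
        close = spec.find("]")
        if close < 0:
            raise ValueError(f"missing ] in {spec!r}")
        host, rest = spec[1:close], spec[close + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError(f"unexpected text after ] in {spec!r}")
            port = _parse_port(rest[1:])
        mx_lookup = False          # the [] form turns off MX lookups
    else:
        if spec.count(":") > 1:
            # A bare IPv6 literal cannot be told apart from host:port.
            raise ValueError(f"IPv6 addresses must be enclosed in []: {spec!r}")
        host, sep, rest = spec.partition(":")
        if sep:
            port = _parse_port(rest)
        mx_lookup = True
    try:
        ipaddress.ip_address(host)
        is_address = True
    except ValueError:
        is_address = False
        if not _NAME_RE.match(host):
            raise ValueError(f"not a hostname or address: {host!r}")
    return Destination(host, port, mx_lookup, is_address)


def parse_destination_list(value: str) -> List[Destination]:
    """Comma or whitespace separated list, kept in order: Postfix tries
    multiple smtp_fallback_relay destinations in the order given."""
    return [parse_destination(s) for s in re.split(r"[,\s]+", value.strip()) if s]


def review_destinations(value: str) -> List[str]:
    """Configuration review helper: point out forms that still do an MX
    lookup where the administrator probably meant a specific host."""
    notes = []
    for d in parse_destination_list(value):
        if d.is_address and d.mx_lookup:
            notes.append(f"{d.host}: IP address written without [], "
                         f"so an MX lookup is attempted; use [{d.host}]")
        elif d.mx_lookup and d.port is not None:
            notes.append(f"{d.host}:{d.port}: port given but MX lookup still on; "
                         f"use [{d.host}]:{d.port} to connect to this host directly")
    return notes


if __name__ == "__main__":
    for spec in ("[gateway.example.com]", "mailhub.example.com:587",
                 "[192.0.2.25]:2525", "[relay1.example.com]:587, relay2.example.com"):
        print(spec, "->", parse_destination_list(spec), review_destinations(spec))
```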
Optional lookup tables that perform address rewriting in the SMTP
client, typically to transform a locally valid address into a globally
valid address when sending mail across the Internet. This is needed
when the local machine does not have its own Internet domain name, but
uses something like localdomain.local instead.

The table format and lookups are documented in generic(5); examples are
shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
documents.

This feature is available in Postfix 2.2 and later.

Restricted header_checks(5) tables for the Postfix SMTP client. These
tables are searched while mail is being delivered. Actions that change
the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

The hostname to send in the SMTP EHLO or HELO command.

The default value is the machine hostname. Specify a hostname or
[ip.add.re.ss].

This information can be specified in the main.cf file for all SMTP
clients, or it can be specified in the master.cf file for a specific
client, for example:

    /etc/postfix/master.cf:
        mysmtp ... smtp -o smtp_helo_name=foo.bar.com

This feature is available in Postfix 2.0 and later.

The SMTP client time limit for sending the HELO or EHLO command, and
for receiving the initial server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

What mechanisms the Postfix SMTP client uses to look up a host's IP
address. This parameter is ignored when DNS lookups are disabled.

Specify one of the following:

dns    Hosts can be found in the DNS (preferred).

native Use the native naming service only (nsswitch.conf, or equivalent
       mechanism).

dns, native
       Use the native service for hosts not found in the DNS.

This feature is available in Postfix 2.1 and later.

The maximal length of message header and body lines that Postfix will
send via SMTP. Longer lines are broken by inserting "<CR><LF><SPACE>".
This minimizes the damage to MIME formatted mail.

By default, the line length is limited to 990 characters, because some
server implementations cannot receive mail with long lines.

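The line-breaking rule above, as an added Python example (not the Postfix SMTP client's own code): fold_long_lines inserts CR LF SPACE so that no emitted line, including the continuation that starts with the inserted SPACE, exceeds the limit. The sample message is constructed; the limit of 990 is the page's default.

```python
from typing import List

DEFAULT_LINE_LENGTH_LIMIT = 990


def fold_long_lines(message: bytes, limit: int = DEFAULT_LINE_LENGTH_LIMIT) -> bytes:
    """Break every line longer than `limit` bytes (line terminator not
    counted) by inserting CR LF SPACE. Because the continuation line begins
    with the inserted SPACE, it is folded again if it is still too long."""
    if limit < 2:
        raise ValueError("limit must leave room for a SPACE plus data")
    out: List[bytes] = []
    # Accept bare LF as well as CRLF on input; emit CRLF as SMTP requires.
    for line in message.replace(b"\r\n", b"\n").split(b"\n"):
        while len(line) > limit:
            out.append(line[:limit])
            line = b" " + line[limit:]
        out.append(line)
    return b"\r\n".join(out)


def longest_line(message: bytes) -> int:
    """Length of the longest line, terminator excluded (0 for empty input)."""
    lines = message.replace(b"\r\n", b"\n").split(b"\n")
    return max((len(line) for line in lines), default=0)


if __name__ == "__main__":
    # Constructed message with one 2000-byte body line.
    sample = b"Subject: test\r\n\r\n" + b"a" * 2000 + b"\r\nshort line\r\n"
    folded = fold_long_lines(sample)
    print("before:", longest_line(sample), "after:", longest_line(folded))
```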
The SMTP client time limit for sending the MAIL FROM command, and for
receiving the server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Restricted mime_header_checks(5) tables for the Postfix SMTP client.
These tables are searched while mail is being delivered. Actions that
change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

The maximal number of MX (mail exchanger) IP addresses that can result
from mail exchanger lookups, or zero (no limit). Prior to Postfix
version 2.3, this limit was disabled by default.

This feature is available in Postfix 2.1 and later.

The maximal number of SMTP sessions per delivery request before giving
up or delivering to a fall-back relay host, or zero (no limit). This
restriction ignores sessions that fail to complete the SMTP initial
handshake (Postfix version 2.2 and earlier) or that fail to complete
the EHLO and TLS handshake (Postfix version 2.3 and later).

This feature is available in Postfix 2.1 and later.

Restricted nested_header_checks(5) tables for the Postfix SMTP client.
These tables are searched while mail is being delivered. Actions that
change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

Never send EHLO at the start of an SMTP session. See also the
smtp_always_send_ehlo parameter.

How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.

Choosing a too short time makes this workaround ineffective when
sending large messages over slow network connections.

Lookup tables, indexed by the remote SMTP server address, with
per-destination workarounds for CISCO PIX firewall bugs. The table is
not indexed by hostname for consistency with
smtp_discard_ehlo_keyword_address_maps.

This feature is available in Postfix 2.4 and later.

How long a message must be queued before the Postfix SMTP client turns
on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
through firewalls with "smtp fixup" mode turned on.

By default, the workaround is turned off for mail that is queued for
less than 500 seconds. In other words, the workaround is normally
turned off for the first delivery attempt.

Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
upon the first delivery attempt.

A list that specifies zero or more workarounds for CISCO PIX firewall
bugs. These workarounds are implemented by the Postfix SMTP client.
Workaround names are separated by comma or space, and are case
insensitive. This parameter setting can be overruled with
per-destination smtp_pix_workaround_maps settings.

delay_dotcrlf
       Insert a delay before sending ".<CR><LF>" after the end of the
       message content. The delay is subject to the
       smtp_pix_workaround_delay_time and
       smtp_pix_workaround_threshold_time parameter settings.

disable_esmtp
       Disable all extended SMTP commands: send HELO instead of EHLO.

This feature is available in Postfix 2.4 and later. The default
settings are backwards compatible with earlier Postfix versions.

The SMTP client time limit for sending the QUIT command, and for
receiving the server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Quote addresses in SMTP MAIL FROM and RCPT TO commands as required by
RFC 2821. This includes putting quotes around an address localpart that
ends in ".".

The default is to comply with RFC 2821. If you have to send mail to a
broken SMTP server, configure a special SMTP client in master.cf:

    /etc/postfix/master.cf:
        broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no

and route mail for the destination in question to the "broken-smtp"
message delivery with a transport(5) table.

This feature is available in Postfix 2.1 and later.

Randomize the order of equal-preference MX host addresses. This is a
performance feature of the Postfix SMTP client.

The SMTP client time limit for sending the SMTP RCPT TO command, and
for receiving the server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The SMTP client time limit for sending the RSET command, and for
receiving the server response. The SMTP client sends RSET in order to
finish a recipient address probe, or to verify that a cached session is
still usable.

This feature is available in Postfix 2.1 and later.

An optional table to prevent repeated SASL authentication failures with
the same remote SMTP server hostname, username and password. Each table
(key, value) pair contains a server name, a username and password, and
the full server response. This information is stored when a remote SMTP
server rejects an authentication attempt with a 535 reply code. As
long as the smtp_sasl_password_maps information does not change, and as
long as the smtp_sasl_auth_cache_name information does not expire (see
smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL
authentication attempts with the same server, username and password,
and instead bounces or defers mail as controlled with the
smtp_sasl_auth_soft_bounce configuration parameter.

Use a per-destination delivery concurrency of 1 (for example,
"smtp_destination_concurrency_limit = 1",
"relay_destination_concurrency_limit = 1", etc.), otherwise multiple
delivery agents may experience a login failure at the same time.

The table must be accessed via the proxywrite service, i.e. the map
name must start with "proxy:". The table should be stored under the
directory specified with the data_directory parameter.

This feature uses cryptographic hashing to protect plain-text
passwords, and requires that Postfix is compiled with TLS support.

Example:

    smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache

This feature is available in Postfix 2.5 and later.

The maximal age of an smtp_sasl_auth_cache_name entry before it is
removed.

This feature is available in Postfix 2.5 and later.

Enable SASL authentication in the Postfix SMTP client. By default, the
Postfix SMTP client uses no authentication.

Example:

    smtp_sasl_auth_enable = yes

When a remote SMTP server rejects a SASL authentication request with a
535 reply code, defer mail delivery instead of returning mail as
undeliverable. The latter behavior was hard-coded prior to Postfix
version 2.5.

Note: the setting "yes" overrides the global soft_bounce parameter, but
the setting "no" does not.

Example:

    # Default as of Postfix 2.5
    smtp_sasl_auth_soft_bounce = yes
    # The old hard-coded default
    smtp_sasl_auth_soft_bounce = no

This feature is available in Postfix 2.5 and later.

If non-empty, a Postfix SMTP client filter for the remote SMTP server's
list of offered SASL mechanisms. Different client and server
implementations may support different mechanism lists. By default, the
Postfix SMTP client will use the intersection of the two.
smtp_sasl_mechanism_filter further restricts what server mechanisms the
client will take into consideration.

Specify mechanism names, "/file/name" patterns or "type:table" lookup
tables. The right-hand side result from "type:table" lookups is
ignored. Specify "!pattern" to exclude a mechanism name from the list.
The form "!/file/name" is supported only in Postfix version 2.4 and
later.

This feature is available in Postfix 2.2 and later.

Examples:

    smtp_sasl_mechanism_filter = plain, login
    smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    smtp_sasl_mechanism_filter = !gssapi, !login, static:rest

Optional SMTP client lookup tables with one username:password entry per
remote hostname or domain, or sender address when sender-dependent
authentication is enabled. If no username:password entry is found,
then the Postfix SMTP client will not attempt to authenticate to the
remote host.

The Postfix SMTP client opens the lookup table before going to chroot
jail, so you can leave the password file in /etc/postfix.

Implementation-specific information that the Postfix SMTP client passes
through to the SASL plug-in implementation that is selected with
smtp_sasl_type. Typically this specifies the name of a configuration
file or rendezvous point.

This feature is available in Postfix 2.3 and later.

Postfix SMTP client SASL security options; as of Postfix 2.3 the list
of available features depends on the SASL client implementation that is
selected with smtp_sasl_type.

The following security features are defined for the cyrus client SASL
implementation:

Specify zero or more of the following:

noplaintext
       Disallow methods that use plaintext passwords.

noactive
       Disallow methods subject to active (non-dictionary) attack.

nodictionary
       Disallow methods subject to passive (dictionary) attack.

noanonymous
       Disallow methods that allow anonymous authentication.

mutual_auth
       Only allow methods that provide mutual authentication (not
       available with SASL version 1).

Example:

    smtp_sasl_security_options = noplaintext

The SASL authentication security options that the Postfix SMTP client
uses for TLS encrypted SMTP sessions.

This feature is available in Postfix 2.2 and later.

4958 smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)
4959 The SASL authentication security options that the Postfix SMTP client
4960 uses for TLS encrypted SMTP sessions with a verified server certifi‐
4961 cate.
4962
4963 When mail is sent to the public MX host for the recipient's domain,
4964 server certificates are by default optional, and delivery proceeds even
4965 if certificate verification fails. For delivery via a submission ser‐
4966 vice that requires SASL authentication, it may be appropriate to send
4967 plaintext passwords only when the connection to the server is strongly
4968 encrypted and the server identity is verified.
4969
4970 The smtp_sasl_tls_verified_security_options parameter makes it possible
4971 to only enable plaintext mechanisms when a secure connection to the
4972 server is available. Submission servers subject to this policy must
4973 either have verifiable certificates or offer suitable non-plaintext
4974 SASL mechanisms.
4975
4976 This feature is available in Postfix 2.6 and later.
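Added example, not Postfix or Cyrus SASL code, modelling how the smtp_sasl_mechanism_filter patterns and the smtp_sasl_security_options / smtp_sasl_tls_security_options / smtp_sasl_tls_verified_security_options selection described above narrow the mechanism list; the mechanism property table, the "static:rest matches everything" treatment and the server-order result are assumptions made for the example.

```python
"""Added example (not Postfix or Cyrus SASL code): models how the Postfix SMTP
client narrows the SASL mechanism list with smtp_sasl_mechanism_filter and
the smtp_sasl_security_options / smtp_sasl_tls_security_options /
smtp_sasl_tls_verified_security_options selection.  The mechanism property
table and the matching rules below are simplifying assumptions."""
import re

# Assumption: stand-in for what the SASL library reports about each
# mechanism.  PLAIN and LOGIN transmit the password, ANONYMOUS needs no
# credentials, CRAM-MD5 exposes a guessable challenge/response (dictionary
# attack), GSSAPI authenticates both parties.
MECH_PROPERTIES = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": {"dictionary"},
    "GSSAPI": {"mutual"},
}

# security option keyword -> mechanism property that it forbids
FORBIDS = {
    "noplaintext": "plaintext",
    "noanonymous": "anonymous",
    "nodictionary": "dictionary",
    "noactive": "active",
}


def split_list(value):
    """main.cf list syntax: items separated by whitespace and/or commas."""
    return [item for item in re.split(r"[\s,]+", value.strip()) if item]


def mechanism_filter(server_mechs, spec):
    """Apply smtp_sasl_mechanism_filter.  Patterns are tried in order and the
    first one that matches decides: "name" keeps the mechanism, "!name"
    drops it.  A "type:table" pattern is assumed to match every name (as
    static:rest does); "/file/name" patterns are not modelled.  An empty
    filter keeps everything; a mechanism that matches no pattern is dropped."""
    patterns = split_list(spec)
    if not patterns:
        return list(server_mechs)
    kept = []
    for mech in server_mechs:
        for pattern in patterns:
            negate = pattern.startswith("!")
            name = pattern[1:] if negate else pattern
            if ":" in name or name.upper() == mech.upper():
                if not negate:
                    kept.append(mech)
                break
    return kept


def security_options(config, tls, verified):
    """Pick the option set for this session, honouring the documented
    defaults: the TLS set falls back to the plaintext set, and the verified
    set falls back to the TLS set."""
    opts = config.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if tls:
        opts = config.get("smtp_sasl_tls_security_options", opts)
        if verified:
            opts = config.get("smtp_sasl_tls_verified_security_options", opts)
    return set(split_list(opts))


def usable_mechanisms(config, client_mechs, server_mechs, tls=False, verified=False):
    """Intersection of client and server lists (server order kept), then the
    mechanism filter, then the security options for this session state."""
    client = {m.upper() for m in client_mechs}
    common = [m for m in server_mechs if m.upper() in client]
    opts = security_options(config, tls, verified)
    result = []
    for mech in mechanism_filter(common, config.get("smtp_sasl_mechanism_filter", "")):
        props = MECH_PROPERTIES.get(mech.upper(), set())
        if any(FORBIDS[opt] in props for opt in opts if opt in FORBIDS):
            continue
        if "mutual_auth" in opts and "mutual" not in props:
            continue
        result.append(mech)
    return result


# Constructed configuration: plaintext passwords only over a TLS session
# whose server certificate was verified.
CONFIG = {
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_verified_security_options": "noanonymous",
    "smtp_sasl_mechanism_filter": "!gssapi, !login, static:rest",
}
CLIENT_MECHS = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "GSSAPI"]
SERVER_MECHS = ["GSSAPI", "PLAIN", "LOGIN", "CRAM-MD5", "ANONYMOUS"]

if __name__ == "__main__":
    for tls, verified in ((False, False), (True, False), (True, True)):
        print(f"tls={tls} verified={verified}:",
              usable_mechanisms(CONFIG, CLIENT_MECHS, SERVER_MECHS, tls, verified))
```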
4977
4979 The SASL plug-in type that the Postfix SMTP client should use for
4980 authentication. The available types are listed with the "postconf -A"
4981 command.
4982
4983 This feature is available in Postfix 2.3 and later.
4984
4986 Send the non-standard XFORWARD command when the Postfix SMTP server
4987 EHLO response announces XFORWARD support.
4988
4989 This allows an "smtp" delivery agent, used for injecting mail into a
4990 content filter, to forward the name, address, protocol and HELO name of
4991 the original client to the content filter and downstream queuing SMTP
4992 server. This can produce more useful logging than localhost[127.0.0.1]
4993 etc.
4994
4995 This feature is available in Postfix 2.1 and later.
4996
4998 Enable sender-dependent authentication in the Postfix SMTP client; this
4999 is available only with SASL authentication, and disables SMTP connec‐
5000 tion caching to ensure that mail from different senders will use the
5001 appropriate credentials.
5002
5003 This feature is available in Postfix 2.3 and later.
5004
5006 Skip SMTP servers that greet with a 4XX status code (go away, try again
5007 later).
5008
5009 By default, Postfix moves on to the next mail exchanger. Specify
5010 "smtp_skip_4xx_greeting = no" if Postfix should defer delivery immedi‐
5011 ately.
5012
5013 This feature is available in Postfix 2.0 and earlier. Later Postfix
5014 versions always skip SMTP servers that greet with a 4XX status code.
5015
5017 Skip SMTP servers that greet with a 5XX status code (go away, do not
5018 try again later).
5019
5020 By default, the Postfix SMTP client moves on to the next mail exchanger.
5021 Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
5022 immediately. The default setting is incorrect, but it is what a lot of
5023 people expect to happen.
5024
5026 Do not wait for the response to the SMTP QUIT command.
5027
5029 Time limit for Postfix SMTP client write and read operations during TLS
5030 startup and shutdown handshake procedures.
5031
5032 This feature is available in Postfix 2.2 and later.
5033
5035 A file containing CA certificates of root CAs trusted to sign either
5036 remote SMTP server certificates or intermediate CA certificates. These
5037 are loaded into memory before the smtp(8) client enters the chroot
5038 jail. If the number of trusted roots is large, consider using
5039 smtp_tls_CApath instead, but note that the latter directory must be
5040 present in the chroot jail if the smtp(8) client is chrooted. This file
5041 may also be used to augment the client certificate trust chain, but it
5042 is best to include all the required certificates directly in
5043 $smtp_tls_cert_file.
5044
5045 Example:
5046
5047 smtp_tls_CAfile = /etc/postfix/CAcert.pem
5048
5049 This feature is available in Postfix 2.2 and later.
5050
5052 Directory with PEM format certificate authority certificates that the
5053 Postfix SMTP client uses to verify a remote SMTP server certificate.
5054 Don't forget to create the necessary "hash" links with, for example,
5055 "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
5056
5057 To use this option in chroot mode, this directory (or a copy) must be
5058 inside the chroot jail.
5059
5060 Example:
5061
5062 smtp_tls_CApath = /etc/postfix/certs
5063
5064 This feature is available in Postfix 2.2 and later.
5065
5067 File with the Postfix SMTP client RSA certificate in PEM format. This
5068 file may also contain the Postfix SMTP client private RSA key, and
5069 these may be the same as the Postfix SMTP server RSA certificate and
5070 key file.
5071
5072 Do not configure client certificates unless you must present client TLS
5073 certificates to one or more servers. Client certificates are not usu‐
5074 ally needed, and can cause problems in configurations that work well
5075 without them. The recommended setting is to let the defaults stand:
5076
5077 smtp_tls_cert_file =
5078 smtp_tls_key_file =
5079 smtp_tls_dcert_file =
5080 smtp_tls_dkey_file =
5081 smtp_tls_eccert_file =
5082 smtp_tls_eckey_file =
5083
5084 The best way to use the default settings is to comment out the above
5085 parameters in main.cf if present.
5086
5087 To enable remote SMTP servers to verify the Postfix SMTP client cer‐
5088 tificate, the issuing CA certificates must be made available to the
5089 server. You should include the required certificates in the client cer‐
5090 tificate file, the client certificate first, then the issuing CA(s)
5091 (bottom-up order).
5092
5093 Example: the certificate for "client.example.com" was issued by "inter‐
5094 mediate CA" which itself has a certificate issued by "root CA". Create
5095 the client.pem file with "cat client_cert.pem intermediate_CA.pem
5096 root_CA.pem > client.pem".
5097
5098 If you also want to verify remote SMTP server certificates issued by
5099 these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
5100 which case it is not necessary to have them in the smtp_tls_cert_file,
5101 smtp_tls_dcert_file or smtp_tls_eccert_file.
5102
5103 A certificate supplied here must be usable as an SSL client certificate
5104 and hence pass the "openssl verify -purpose sslclient ..." test.
5105
5106 Example:
5107
5108 smtp_tls_cert_file = /etc/postfix/client.pem
5109
5110 This feature is available in Postfix 2.2 and later.
5111
5113 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
5114 list. As this feature applies to all TLS security levels, it is easy to
5115 create inter-operability problems by choosing a non-default cipher
5116 list. Do not use a non-default TLS cipher list on hosts that deliver
5117 email to the public Internet: you will be unable to send email to
5118 servers that only support the ciphers you exclude. Using a restricted
5119 cipher list may be more appropriate for an internal MTA, where one can
5120 exert some control over the TLS software and settings of the peer
5121 servers.
5122
5123 Note: do not use "" quotes around the parameter value.
5124
5125 This feature is available in Postfix version 2.2. It is not used with
5126 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
5127
5129 The minimum TLS cipher grade that the Postfix SMTP client will use with
5130 opportunistic TLS encryption. Cipher types listed in
5131 smtp_tls_exclude_ciphers are excluded from the base definition of the
5132 selected cipher grade. The default value "export" ensures maximum
5133 inter-operability. Because encryption is optional, stronger controls
5134 are not appropriate, and this setting SHOULD NOT be changed unless the
5135 change is essential.
5136
5137 When TLS is mandatory the cipher grade is chosen via the
5138 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
5139 tax details. See smtp_tls_policy_maps for information on how to config‐
5140 ure ciphers on a per-destination basis.
5141
5142 Example:
5143 smtp_tls_ciphers = export
5144
5145 This feature is available in Postfix 2.6 and later. With earlier Post‐
5146 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
5147 mented, and opportunistic TLS always uses "export" or better (i.e. all)
5148 ciphers.
5149
5151 File with the Postfix SMTP client DSA certificate in PEM format. This
5152 file may also contain the Postfix SMTP client private DSA key.
5153
5154 See the discussion under smtp_tls_cert_file for more details.
5155
5156 Example:
5157
5158 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
5159
5160 This feature is available in Postfix 2.2 and later.
5161
5163 File with the Postfix SMTP client DSA private key in PEM format. This
5164 file may be combined with the Postfix SMTP client DSA certificate file
5165 specified with $smtp_tls_dcert_file.
5166
5167 The private key must be accessible without a pass-phrase, i.e. it must
5168 not be encrypted. File permissions should grant read-only access to the
5169 system superuser account ("root"), and no access to anyone else.
5170
5171 This feature is available in Postfix 2.2 and later.
5172
5174 File with the Postfix SMTP client ECDSA certificate in PEM format.
5175 This file may also contain the Postfix SMTP client ECDSA private key.
5176
5177 See the discussion under smtp_tls_cert_file for more details.
5178
5179 Example:
5180
5181 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
5182
5183 This feature is available in Postfix 2.6 and later, when Postfix is
5184 compiled and linked with OpenSSL 0.9.9 or later.
5185
5187 File with the Postfix SMTP client ECDSA private key in PEM format.
5188 This file may be combined with the Postfix SMTP client ECDSA certifi‐
5189 cate file specified with $smtp_tls_eccert_file.
5190
5191 The private key must be accessible without a pass-phrase, i.e. it must
5192 not be encrypted. File permissions should grant read-only access to the
5193 system superuser account ("root"), and no access to anyone else.
5194
5195 This feature is available in Postfix 2.6 and later, when Postfix is
5196 compiled and linked with OpenSSL 0.9.9 or later.
5197
5199 With mandatory TLS encryption, require that the remote SMTP server
5200 hostname matches the information in the remote SMTP server certificate.
5201 As of RFC 2487 the requirements for hostname checking for MTA clients
5202 are not specified.
5203
5204 This option can be set to "no" to disable strict peer name checking.
5205 This setting has no effect on sessions that are controlled via the
5206 smtp_tls_per_site table.
5207
5208 Disabling the hostname verification can make sense in closed environ‐
5209 ments where special CAs are created. If not used carefully, this option
5210 opens the door to a "man-in-the-middle" attack (the CommonName of
5211 this attacker will be logged).
5212
5213 This feature is available in Postfix 2.2 and later. With Postfix 2.3
5214 and later use smtp_tls_security_level instead.
5215
5217 List of ciphers or cipher types to exclude from the Postfix SMTP client
5218 cipher list at all TLS security levels. This is not an OpenSSL
5219 cipherlist, it is a simple list separated by whitespace and/or commas.
5220 The elements are a single cipher, or one or more "+" separated cipher
5221 properties, in which case only ciphers matching all the properties are
5222 excluded.
5223
5224 Examples (some of these will cause problems):
5225
5226 smtp_tls_exclude_ciphers = aNULL
5227 smtp_tls_exclude_ciphers = MD5, DES
5228 smtp_tls_exclude_ciphers = DES+MD5
5229 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
5230 smtp_tls_exclude_ciphers = kEDH+aRSA
5231
5232 The first setting disables anonymous ciphers. The next setting dis‐
5233 ables ciphers that use the MD5 digest algorithm or the (single) DES
5234 encryption algorithm. The next setting disables ciphers that use MD5
5235 and DES together. The next setting disables the two ciphers
5236 "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
5237 use "EDH" key exchange with RSA authentication.
5238
5239 This feature is available in Postfix 2.3 and later.
5240
5242 List of acceptable remote SMTP server certificate fingerprints for the
5243 "fingerprint" TLS security level (smtp_tls_security_level = finger‐
5244 print). At this security level, certificate authorities are not used,
5245 and certificate expiration times are ignored. Instead, server certifi‐
5246 cates are verified directly via their "fingerprint". The fingerprint is
5247 a message digest of the server certificate. The digest algorithm is
5248 selected via the smtp_tls_fingerprint_digest parameter.
5249
5250 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
5251 security level, any "match" attributes in that entry specify the list
5252 of valid fingerprints for the corresponding destination. Multiple fin‐
5253 gerprints can be combined with a "|" delimiter in a single match
5254 attribute, or multiple match attributes can be employed.
5255
5256 Example: Certificate fingerprint verification with internal mailhub.
5257 Two matching fingerprints are listed. The relayhost may be multiple
5258 physical hosts behind a load-balancer, each with its own private/public
5259 key and self-signed certificate. Alternatively, a single relayhost may
5260 be in the process of switching from one set of private/public keys to
5261 another, and both keys are trusted just prior to the transition.
5262
5263 relayhost = [mailhub.example.com]
5264 smtp_tls_security_level = fingerprint
5265 smtp_tls_fingerprint_digest = md5
5266 smtp_tls_fingerprint_cert_match =
5267 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
5268 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
5269
5270 Example: Certificate fingerprint verification with selected destina‐
5271 tions. As in the example above, we show two matching fingerprints:
5272
5273 /etc/postfix/main.cf:
5274 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
5275 smtp_tls_fingerprint_digest = md5
5276
5277 /etc/postfix/tls_policy:
5278 example.com fingerprint
5279 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
5280 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
5281
5282 This feature is available in Postfix 2.5 and later.
5283
5285 The message digest algorithm used to construct remote SMTP server cer‐
5286 tificate fingerprints. At the "fingerprint" TLS security level
5287 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
5288 ified by directly matching its fingerprint. The fingerprint is the mes‐
5289 sage digest of the server certificate using the selected algorithm.
5290 With a digest algorithm resistant to "second pre-image" attacks, it is
5291 not feasible to create a new public key and a matching certificate that
5292 has the same fingerprint.
5293
5294 The default algorithm is md5; this is consistent with the backwards
5295 compatible setting of the digest used to verify client certificates in
5296 the SMTP server.
5297
5298 The best practice algorithm is now sha1. Recent advances in hash func‐
5299 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
5300 However, as long as there are no known "second pre-image" attacks
5301 against md5, its use in this context can still be considered safe.
5302
5303 While additional digest algorithms are often available with OpenSSL's
5304 libcrypto, only those used by libssl in SSL cipher suites are available
5305 to Postfix. For now this means just md5 or sha1.
5306
5307 To find the fingerprint of a specific certificate file, with a specific
5308 digest algorithm, run:
5309
5310 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
5311
5312 The text to the right of "=" sign is the desired fingerprint. For
5313 example:
5314
5315 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
5316 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
5317
5318 This feature is available in Postfix 2.5 and later.
5319
5321 File with the Postfix SMTP client RSA private key in PEM format. This
5322 file may be combined with the Postfix SMTP client RSA certificate file
5323 specified with $smtp_tls_cert_file.
5324
5325 The private key must be accessible without a pass-phrase, i.e. it must
5326 not be encrypted. File permissions should grant read-only access to the
5327 system superuser account ("root"), and no access to anyone else.
5328
5329 Example:
5330
5331 smtp_tls_key_file = $smtp_tls_cert_file
5332
5333 This feature is available in Postfix 2.2 and later.
5334
5336 Enable additional Postfix SMTP client logging of TLS activity. Each
5337 logging level also includes the information that is logged at a lower
5338 logging level.
5339
5340 0 Disable logging of TLS activity.
5341
5342 1 Log TLS handshake and certificate information.
5343
5344 2 Log levels during TLS negotiation.
5345
5346 3 Log hexadecimal and ASCII dump of TLS negotiation process.
5347
5348 4 Log hexadecimal and ASCII dump of complete transmission after
5349 STARTTLS.
5350
5351 Use "smtp_tls_loglevel = 3" only in case of problems. Use of loglevel 4
5352 is strongly discouraged.
5353
5354 This feature is available in Postfix 2.2 and later.
5355
5357 The minimum TLS cipher grade that the Postfix SMTP client will use with
5358 mandatory TLS encryption. The default value "medium" is suitable for
5359 most destinations with which you may want to enforce TLS, and is beyond
5360 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
5361 for information on how to configure ciphers on a per-destination basis.
5362
5363 The following cipher grades are supported:
5364
5365 export Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
5366 This is always used for opportunistic encryption. It is not rec‐
5367 ommended for mandatory encryption unless you must enforce TLS
5368 with "crippled" peers. The underlying cipherlist is specified
5369 via the tls_export_cipherlist configuration parameter, which you
5370 are strongly encouraged to not change. The default value of
5371 tls_export_cipherlist includes anonymous ciphers, but these are
5372 automatically filtered out if the client is configured to verify
5373 server certificates. If you must exclude anonymous ciphers also
5374 at the "encrypt" security level, set "smtp_tls_manda‐
5375 tory_exclude_ciphers = aNULL".
5376
5377 low Enable the mainstream "LOW" grade or better OpenSSL ciphers.
5378 This setting is only appropriate for internal mail servers. The
5379 underlying cipherlist is specified via the tls_low_cipherlist
5380 configuration parameter, which you are strongly encouraged to
5381 not change. The default value of tls_low_cipherlist includes
5382 anonymous ciphers, but these are automatically filtered out if
5383 the client is configured to verify server certificates. If you
5384 must exclude anonymous ciphers also at the "encrypt" security
5385 level, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
5386
5387 medium Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers.
5388 The underlying cipherlist is specified via the
5389 tls_medium_cipherlist configuration parameter, which you are
5390 strongly encouraged to not change. The default value of
5391 tls_medium_cipherlist includes anonymous ciphers, but these are
5392 automatically filtered out if the client is configured to verify
5393 server certificates. If you must exclude anonymous ciphers also
5394 at the "encrypt" security level, set "smtp_tls_manda‐
5395 tory_exclude_ciphers = aNULL".
5396
5397 high Enable only the mainstream "HIGH" grade OpenSSL ciphers. This
5398 setting is appropriate when all mandatory TLS destinations sup‐
5399 port some "HIGH" grade ciphers, which is not uncommon. The
5400 underlying cipherlist is specified via the tls_high_cipherlist
5401 configuration parameter, which you are strongly encouraged to
5402 not change. The default value of tls_high_cipherlist includes
5403 anonymous ciphers, but these are automatically filtered out if
5404 the client is configured to verify server certificates. If you
5405 must exclude anonymous ciphers also at the "encrypt" security
5406 level, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
5407
5408 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
5409 cation without encryption. This setting is only appropriate in
5410 the rare case that all servers are prepared to use NULL ciphers
5411 (not normally enabled in TLS servers). A plausible use-case is
5412 an LMTP server listening on a UNIX-domain socket that is config‐
5413 ured to support "NULL" ciphers. The underlying cipherlist is
5414 specified via the tls_null_cipherlist configuration parameter,
5415 which you are strongly encouraged to not change. The default
5416 value of tls_null_cipherlist excludes anonymous ciphers (OpenSSL
5417 0.9.8 has NULL ciphers that offer data integrity without encryp‐
5418 tion or authentication).
5419
5420 This feature is available in Postfix 2.3 and later.
5421
5423 Additional list of ciphers or cipher types to exclude from the SMTP
5424 client cipher list at mandatory TLS security levels. This list works in
5425 addition to the exclusions listed with smtp_tls_exclude_ciphers (see
5426 there for syntax details).
5427
5428 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
5429 ified on a per-destination basis via the TLS policy "exclude"
5430 attribute. See smtp_tls_policy_maps for notes and examples.
5431
5432 This feature is available in Postfix 2.3 and later.
5433
5435 List of SSL/TLS protocols that the Postfix SMTP client will use with
5436 mandatory TLS encryption. In main.cf the values are separated by
5437 whitespace, commas or colons. In the policy table "protocols" attribute
5438 (see smtp_tls_policy_maps) the only valid separator is colon. An empty
5439 value means allow all protocols. The valid protocol names (see
5440 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
5441
5442 With Postfix >= 2.5 the parameter syntax is expanded to support proto‐
5443 col exclusions. One can now explicitly exclude SSLv2 by setting
5444 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
5445 SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
5446 protocols to include, rather than protocols to exclude, is still sup‐
5447 ported; use the form you find more intuitive.
5448
5449 Since SSL version 2 has known protocol weaknesses and is now depre‐
5450 cated, the default setting excludes "SSLv2". This means that by
5451 default, SSL version 2 will not be used at the "encrypt" security level
5452 and higher.
5453
5454 See the documentation of the smtp_tls_policy_maps parameter and
5455 TLS_README for more information about security levels.
5456
5457 Example:
5458
5459 smtp_tls_mandatory_protocols = TLSv1
5460 # Alternative form with Postfix >= 2.5:
5461 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
5462
5463 This feature is available in Postfix 2.3 and later.
5464
5466 Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
5467 is not already enabled for that server.
5468
5469 The logfile record looks like:
5470
5471 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
5472
5473 This feature is available in Postfix 2.2 and later.
5474
5476 Optional lookup tables with the Postfix SMTP client TLS usage policy by
5477 next-hop destination and by remote SMTP server hostname. When both
5478 lookups succeed, the more specific per-site policy (NONE, MUST, etc)
5479 overrides the less specific one (MAY), and the more secure per-site
5480 policy (MUST, etc) overrides the less secure one (NONE). With Postfix
5481 2.3 and later smtp_tls_per_site is strongly discouraged: use
5482 smtp_tls_policy_maps instead.
5483
5484 Use of the bare hostname as the per-site table lookup key is discour‐
5485 aged. Always use the full destination nexthop (enclosed in [] with a
5486 possible ":port" suffix). A recipient domain or MX-enabled transport
5487 next-hop with no port suffix may look like a bare hostname, but is
5488 still a suitable destination.
5489
5490 Specify a next-hop destination or server hostname on the left-hand
5491 side; no wildcards are allowed. The next-hop destination is either the
5492 recipient domain, or the destination specified with a transport(5) ta‐
5493 ble, the relayhost parameter, or the relay_transport parameter. On the
5494 right hand side specify one of the following keywords:
5495
5496 NONE Don't use TLS at all. This overrides a less specific MAY lookup
5497 result from the alternate host or next-hop lookup key, and over‐
5498 rides the global smtp_use_tls, smtp_enforce_tls, and
5499 smtp_tls_enforce_peername settings.
5500
5501 MAY Try to use TLS if the server announces support, otherwise use
5502 the unencrypted connection. This has less precedence than a more
5503 specific result (including NONE) from the alternate host or
5504 next-hop lookup key, and has less precedence than the more spe‐
5505 cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
5506 name = yes".
5507
5508 MUST_NOPEERMATCH
5509 Require TLS encryption, but do not require that the remote SMTP
5510 server hostname matches the information in the remote SMTP
5511 server certificate, or that the server certificate was issued by
5512 a trusted CA. This overrides a less secure NONE or a less spe‐
5513 cific MAY lookup result from the alternate host or next-hop
5514 lookup key, and overrides the global smtp_use_tls,
5515 smtp_enforce_tls and smtp_tls_enforce_peername settings.
5516
5517 MUST Require TLS encryption, require that the remote SMTP server
5518 hostname matches the information in the remote SMTP server cer‐
5519 tificate, and require that the remote SMTP server certificate
5520 was issued by a trusted CA. This overrides a less secure NONE
5521 and MUST_NOPEERMATCH or a less specific MAY lookup result from
5522 the alternate host or next-hop lookup key, and overrides the
5523 global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
5524 name settings.
5525
5526 The above keywords correspond to the "none", "may", "encrypt" and "ver‐
5527 ify" security levels for the new smtp_tls_security_level parameter
5528 introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
5529 of how the policy is specified, the smtp_tls_mandatory_ciphers and
5530 smtp_tls_mandatory_protocols parameters apply when TLS encryption is
5531 mandatory. Connections for which encryption is optional typically
5532 enable all "export" grade and better ciphers (see smtp_tls_ciphers and
5533 smtp_tls_protocols).
5534
5535 As long as no secure DNS lookup mechanism is available, false hostnames
5536 in MX or CNAME responses can change the server hostname that Postfix
5537 uses for TLS policy lookup and server certificate verification. Even
5538 with a perfect match between the server hostname and the server cer‐
5539 tificate, there is no guarantee that Postfix is connected to the right
5540 server. See TLS_README (Closing a DNS loophole with obsolete per-site
5541 TLS policies) for a possible work-around.
5542
5543 This feature is available in Postfix 2.2 and later. With Postfix 2.3
5544 and later use smtp_tls_policy_maps instead.
5545
5547 Optional lookup tables with the Postfix SMTP client TLS security policy
5548 by next-hop destination; when a non-empty value is specified, this
5549 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
5550 a more detailed discussion of TLS security levels.
5551
5552 The TLS policy table is indexed by the full next-hop destination, which
5553 is either the recipient domain, or the verbatim next-hop specified in
5554 the transport table, $local_transport, $virtual_transport,
5555 $relay_transport or $default_transport. This includes any enclosing
5556 square brackets and any non-default destination server port suffix. The
5557 LMTP socket type prefix (inet: or unix:) is not included in the lookup
5558 key.
5559
5560 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
5561 sockets, is used as the nexthop name for certificate verification. The
5562 port and any enclosing square brackets are used in the table lookup
5563 key, but are not used for server name verification.
5564
5565 When the lookup key is a domain name without enclosing square brackets
5566 or any :port suffix (typically the recipient domain), and the full
5567 domain is not found in the table, just as with the transport(5) table,
5568 the parent domain starting with a leading "." is matched recursively.
5569 This allows one to specify a security policy for a recipient domain and
5570 all its sub-domains.
5571
5572 The lookup result is a security level, followed by an optional list of
5573 whitespace and/or comma separated name=value attributes that override
5574 related main.cf settings. The TLS security levels in order of increas‐
5575 ing security are:
5576
5577 none No TLS. No additional attributes are supported at this level.
5578
5579 may Opportunistic TLS. Since sending in the clear is acceptable,
5580 demanding stronger than default TLS security merely reduces
5581 inter-operability. The optional "ciphers", "exclude" and "proto‐
5582 cols" attributes (available for opportunistic TLS with Postfix
5583 >= 2.6) override the "smtp_tls_ciphers",
5584 "smtp_tls_exclude_ciphers" and "smtp_tls_protocols" configura‐
5585 tion parameters. When opportunistic TLS handshakes fail, Postfix
5586 retries the connection with TLS disabled. This allows mail
5587 delivery to sites with non-interoperable TLS implementations.
5588
5589 encrypt
5590 Mandatory TLS encryption. At this level and higher, the optional
5591 "protocols" attribute overrides the main.cf smtp_tls_manda‐
5592 tory_protocols parameter, the optional "ciphers" attribute over‐
5593 rides the main.cf smtp_tls_mandatory_ciphers parameter, and the
5594 optional "exclude" attribute (Postfix >= 2.6) overrides the
5595 main.cf smtp_tls_mandatory_exclude_ciphers parameter. In the
5596 policy table, multiple protocols or excluded ciphers must be
5597 separated by colons, as attribute values may not contain white‐
5598 space or commas.
5599
5600 fingerprint
5601 Certificate fingerprint verification. Available with Postfix 2.5
5602 and later. At this security level, there are no trusted certifi‐
5603 cate authorities. The certificate trust chain, expiration date,
5604 ... are not checked. Instead, the optional match attribute, or
5605 else the main.cf smtp_tls_fingerprint_cert_match parameter,
5606 lists the valid "fingerprints" of the server certificate. The
5607 digest algorithm used to calculate the fingerprint is selected
5608 by the smtp_tls_fingerprint_digest parameter. Multiple finger‐
5609 prints can be combined with a "|" delimiter in a single match
5610 attribute, or multiple match attributes can be employed. The ":"
5611 character is not used as a delimiter as it occurs between each
5612 pair of fingerprint (hexadecimal) digits.
5613
5614 verify Mandatory TLS verification. At this security level, DNS MX
5615 lookups are trusted to be secure enough, and the name verified
5616 in the server certificate is usually obtained indirectly via
5617 unauthenticated DNS MX lookups. The optional "match" attribute
5618 overrides the main.cf smtp_tls_verify_cert_match parameter. In
5619 the policy table, multiple match patterns and strategies must be
5620 separated by colons. In practice explicit control over matching
5621 is more common with the "secure" policy, described below.
5622
5623 secure Secure-channel TLS. At this security level, DNS MX lookups,
5624 though potentially used to determine the candidate next-hop
5625 gateway IP addresses, are not trusted to be secure enough for
5626 TLS peername verification. Instead, the default name verified in
5627 the server certificate is obtained directly from the next-hop,
5628 or is explicitly specified via the optional match attribute
5629 which overrides the main.cf smtp_tls_secure_cert_match parame‐
5630 ter. In the policy table, multiple match patterns and strategies
5631 must be separated by colons. The match attribute is most useful
5632 when multiple domains are served by a common server: the policy
5633 entries for the additional domains specify matching rules for
5634 the primary domain's certificate. While transport table over‐
5635 rides that route the secondary domains to the primary nexthop
5636 also allow secure verification, they risk delivery to the wrong
5637 destination when domains change hands or are re-assigned to new
5638 gateways. With the "match" attribute approach, routing is not
5639 perturbed, and mail is deferred if verification of a new MX host fails.
5640
5641 Example:
5642
5643 /etc/postfix/main.cf:
5644 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
5645 # Postfix 2.5 and later
5646 smtp_tls_fingerprint_digest = md5
5647
5648 /etc/postfix/tls_policy:
5649 example.edu none
5650 example.mil may
5651 example.gov encrypt protocols=TLSv1
5652 example.com verify ciphers=high
5653 example.net secure
5654 .example.net secure match=.example.net:example.net
5655 [mail.example.org]:587 secure match=nexthop
5656 # Postfix 2.5 and later
5657 [thumb.example.org] fingerprint
5658 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
5659 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
5660
5661 Note: the hostname strategy, if listed in a non-default setting of
5662 smtp_tls_secure_cert_match or in the match attribute in the policy ta‐
5663 ble, can render the secure level vulnerable to DNS forgery. Do not use
5664 the hostname strategy for secure-channel configurations in environments
5665 where DNS security is not assured.
5666
5667 This feature is available in Postfix 2.3 and later.
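
The attribute rules above (colon-separated protocol and match lists, "|"-separated or repeated match= fingerprints, continuation lines that start with whitespace) are easy to get wrong by hand. The following Python is an added example written for this page, not code from the Postfix project: it parses entries in the tls_policy format shown above into a small record, and computes a certificate fingerprint in the colon-separated hex form Postfix logs and expects, so that a fingerprint-level entry can be checked against a certificate. The DER bytes used as input are a constructed stand-in, not a real certificate, and the record and function names are this example's own.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Security levels described on this page (Postfix 2.3 to 2.6 era).
LEVELS = ("none", "may", "encrypt", "fingerprint", "verify", "secure")


@dataclass
class TlsPolicy:
    level: str
    protocols: List[str] = field(default_factory=list)  # protocols=TLSv1:!SSLv2
    exclude: List[str] = field(default_factory=list)    # exclude=RC4:MD5
    ciphers: Optional[str] = None                       # ciphers=high
    match: List[str] = field(default_factory=list)      # patterns or fingerprints


def parse_policy_line(line: str) -> Tuple[str, TlsPolicy]:
    """Parse one 'destination level [attr=value ...]' entry. Attribute values
    may not contain whitespace or commas, so list values use ':' as separator,
    except fingerprints, where ':' sits between hex pairs and '|' separates
    alternatives instead."""
    fields = line.split()
    if len(fields) < 2 or fields[1] not in LEVELS:
        raise ValueError("bad policy entry: %r" % line)
    dest, policy = fields[0], TlsPolicy(level=fields[1])
    for attr in fields[2:]:
        name, sep, value = attr.partition("=")
        if not sep or not value:
            raise ValueError("attribute needs a value: %r" % attr)
        if name == "protocols":
            policy.protocols.extend(value.split(":"))
        elif name == "exclude":
            policy.exclude.extend(value.split(":"))
        elif name == "ciphers":
            policy.ciphers = value
        elif name == "match" and policy.level == "fingerprint":
            policy.match.extend(value.split("|"))      # attribute may repeat
        elif name == "match" and policy.level in ("verify", "secure"):
            policy.match.extend(value.split(":"))
        else:
            raise ValueError("attribute %r not valid at level %s"
                             % (name, policy.level))
    return dest, policy


def logical_lines(text: str) -> List[str]:
    """A physical line starting with whitespace continues the previous
    logical line; blank lines and '#' comment lines are skipped."""
    lines: List[str] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + stripped
        else:
            lines.append(stripped)
    return lines


def load_policy_table(text: str) -> Dict[str, TlsPolicy]:
    table: Dict[str, TlsPolicy] = {}
    for line in logical_lines(text):
        dest, policy = parse_policy_line(line)
        table[dest] = policy
    return table


def cert_fingerprint(der: bytes, digest: str = "md5") -> str:
    """Digest of the DER certificate as colon-separated uppercase hex pairs,
    the form used in smtp_tls_fingerprint_cert_match."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_accepted(policy: TlsPolicy, der: bytes,
                         digest: str = "md5") -> bool:
    """The 'fingerprint' level: no CA, no expiry check, only a digest match.
    Hex case is ignored when comparing."""
    if policy.level != "fingerprint":
        raise ValueError("not a fingerprint policy")
    actual = cert_fingerprint(der, digest)
    return any(actual == wanted.upper() for wanted in policy.match)


# Constructed sample input: entries from the page's own example table.
SAMPLE_TABLE = """
# tls_policy example entries from postconf(5)
example.gov     encrypt protocols=TLSv1
example.net     secure
.example.net    secure match=.example.net:example.net
[mail.example.org]:587 secure match=nexthop
[thumb.example.org] fingerprint
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
"""
# Constructed stand-in bytes; NOT a real DER certificate.
FAKE_DER = b"constructed stand-in, not a DER certificate"
```

In practice the DER bytes come from the server's leaf certificate (for example "openssl s_client -starttls smtp" followed by "openssl x509 -outform DER"), and the digest name must agree with smtp_tls_fingerprint_digest on the sending side.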
5668
5669 smtp_tls_protocols (default: !SSLv2)
5670 List of TLS protocols that the Postfix SMTP client will exclude or
5671 include with opportunistic TLS encryption. Starting with Postfix 2.6,
5672 the Postfix SMTP client will by default not use the obsolete SSLv2 pro‐
5673 tocol.
5674
5675 In main.cf the values are separated by whitespace, commas or colons. In
5676 the policy table (see smtp_tls_policy_maps) the only valid separator is
5677 the colon. An empty value means allow all protocols. The valid protocol
5678 names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
5679
5680 To include a protocol, list its name; to exclude it, prefix the name
5681 with a "!" character. To exclude SSLv2 even for opportunistic TLS, set
5682 "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3", set
5683 "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
5684 to include is supported, but not recommended. OpenSSL provides no
5685 mechanism for excluding protocols not known at compile time. If Post‐
5686 fix is linked against an OpenSSL library that supports additional pro‐
5687 tocol versions, they cannot be excluded using either syntax.
5688
5689 Example:
5690 # TLSv1 only!
5691 smtp_tls_protocols = !SSLv2, !SSLv3
5692
5693 This feature is available in Postfix 2.6 and later.
5694
5695 smtp_tls_scert_verifydepth (default: 9)
5696 The verification depth for remote SMTP server certificates. A depth of
5697 1 is sufficient if the issuing CA is listed in a local CA file.
5698
5699 The default verification depth is 9 (the OpenSSL default) for compati‐
5700 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
5701 value was 5, but the limit was not actually enforced. If you have set
5702 this to a lower non-default value, certificates with longer trust
5703 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
5704 common, deeper chains are more rare and any number between 5 and 9
5705 should suffice in practice. You can choose a lower number if, for exam‐
5706 ple, you trust certificates directly signed by an issuing CA but not
5707 any CAs it delegates to.
5708
5709 This feature is available in Postfix 2.2 and later.
5710
5711 smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)
5712 The server certificate peername verification method for the "secure"
5713 TLS security level. In a "secure" TLS policy table ($smtp_tls_pol‐
5714 icy_maps) entry the optional "match" attribute overrides this main.cf
5715 setting.
5716
5717 This parameter specifies one or more patterns or strategies separated
5718 by commas, whitespace or colons. In the policy table the only valid
5719 separator is the colon character.
5720
5721 For a description of the pattern and strategy syntax see the
5722 smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
5723 avoided in this context, as in the absence of a secure global DNS,
5724 using the results of MX lookups in certificate verification is not
5725 immune to active (man-in-the-middle) attacks on DNS.
5726
5727 Sample main.cf setting:
5728
5729 smtp_tls_secure_cert_match = nexthop
5730
5731 Sample policy table override:
5732
5733 example.net secure match=example.com:.example.com
5734 .example.net secure match=example.com:.example.com
5735
5736 This feature is available in Postfix 2.3 and later.
5737
5738 smtp_tls_security_level (default: empty)
5739 The default SMTP TLS security level for the Postfix SMTP client; when a
5740 non-empty value is specified, this overrides the obsolete parameters
5741 smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
5742
5743 Specify one of the following security levels:
5744
5745 none TLS will not be used unless enabled for specific destinations
5746 via smtp_tls_policy_maps.
5747
5748 may Opportunistic TLS. Use TLS if this is supported by the remote
5749 SMTP server, otherwise use plaintext. Since sending in the clear
5750 is acceptable, demanding stronger than default TLS security
5751 merely reduces inter-operability. The "smtp_tls_ciphers" and
5752 "smtp_tls_protocols" (Postfix >= 2.6) configuration parameters
5753 provide control over the protocols and cipher grade used with
5754 opportunistic TLS. With earlier releases the opportunistic TLS
5755 cipher grade is always "export" and no protocols are disabled.
5756 When TLS handshakes fail, the connection is retried with TLS
5757 disabled. This allows mail delivery to sites with non-interop‐
5758 erable TLS implementations.
5759
5760 encrypt
5761 Mandatory TLS encryption. Since a minimum level of security is
5762 intended, it is reasonable to be specific about sufficiently
5763 secure protocol versions and ciphers. At this security level and
5764 higher, the main.cf parameters smtp_tls_mandatory_protocols and
5765 smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
5766 cipher grade which the administrator considers secure enough for
5767 mandatory encrypted sessions. This security level is not an
5768 appropriate default for systems delivering mail to the Internet.
5769
5770 fingerprint
5771 Certificate fingerprint verification. Available with Postfix 2.5
5772 and later. At this security level, there are no trusted certifi‐
5773 cate authorities. The certificate trust chain, expiration date,
5774 ... are not checked. Instead, the smtp_tls_finger‐
5775 print_cert_match parameter lists the valid "fingerprints" of the
5776 server certificate. The digest algorithm used to calculate the
5777 fingerprint is selected by the smtp_tls_fingerprint_digest
5778 parameter.
5779
5780 verify Mandatory TLS verification. At this security level, DNS MX
5781 lookups are trusted to be secure enough, and the name verified
5782 in the server certificate is usually obtained indirectly via
5783 unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
5784 parameter controls how the server name is verified. In practice
5785 explicit control over matching is more common at the "secure"
5786 level, described below. This security level is not an appropri‐
5787 ate default for systems delivering mail to the Internet.
5788
5789 secure Secure-channel TLS. At this security level, DNS MX lookups,
5790 though potentially used to determine the candidate next-hop
5791 gateway IP addresses, are not trusted to be secure enough for
5792 TLS peername verification. Instead, the default name verified in
5793 the server certificate is obtained from the next-hop domain as
5794 specified in the smtp_tls_secure_cert_match configuration param‐
5795 eter. The default matching rule is that a server certificate
5796 matches when its name is equal to or is a sub-domain of the nex‐
5797 thop domain. This security level is not an appropriate default
5798 for systems delivering mail to the Internet.
5799
5800 Examples:
5801
5802 # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
5803 smtp_tls_security_level = none
5804
5805 # Opportunistic TLS.
5806 smtp_tls_security_level = may
5807 # Postfix >= 2.6:
5808 # Do not tweak opportunistic ciphers unless it is essential
5809 # to do so (if a security vulnerability is found in the SSL library that
5810 # can be mitigated by disabling a particular protocol or raising the
5811 # cipher grade from "export" to "low" or "medium").
5812 smtp_tls_ciphers = export
5813 smtp_tls_protocols = !SSLv2
5814
5815 # Mandatory (high-grade) TLS encryption.
5816 smtp_tls_security_level = encrypt
5817 smtp_tls_mandatory_ciphers = high
5818
5819 # Mandatory TLS verification of hostname or nexthop domain.
5820 smtp_tls_security_level = verify
5821 smtp_tls_mandatory_ciphers = high
5822 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
5823
5824 # Secure channel TLS with exact nexthop name match.
5825 smtp_tls_security_level = secure
5826 smtp_tls_mandatory_protocols = TLSv1
5827 smtp_tls_mandatory_ciphers = high
5828 smtp_tls_secure_cert_match = nexthop
5829
5830 # Certificate fingerprint verification (Postfix >= 2.5).
5831 # The CA-less "fingerprint" security level only scales to a limited
5832 # number of destinations. As a global default rather than a per-site
5833 # setting, this is practical when mail for all recipients is sent
5834 # to a central mail hub.
5835 relayhost = [mailhub.example.com]
5836 smtp_tls_security_level = fingerprint
5837 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
5838 smtp_tls_mandatory_ciphers = high
5839 smtp_tls_fingerprint_cert_match =
5840 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
5841 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
5842
5843 This feature is available in Postfix 2.3 and later.
5844
5845 smtp_tls_session_cache_database (default: empty)
5846 Name of the file containing the optional Postfix SMTP client TLS ses‐
5847 sion cache. Specify a database type that supports enumeration, such as
5848 btree or sdbm; there is no need to support concurrent access. The file
5849 is created if it does not exist. The smtp(8) daemon does not use this
5850 parameter directly, rather the cache is implemented indirectly in the
5851 tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
5852 of this parameter are not effective. Note that each of the cache
5853 databases supported by the tlsmgr(8) daemon ($smtpd_tls_session_cache_data‐
5854 base, $smtp_tls_session_cache_database and, with Postfix 2.3 and later,
5855 $lmtp_tls_session_cache_database) needs to be stored separately. It is
5856 not at this time possible to store multiple caches in a single data‐
5857 base.
5858
5859 Note: dbm databases are not suitable. TLS session objects are too
5860 large.
5861
5862 As of version 2.5, Postfix no longer uses root privileges when opening
5863 this file. The file should now be stored under the Postfix-owned
5864 data_directory. As a migration aid, an attempt to open the file under a
5865 non-Postfix directory is redirected to the Postfix-owned data_direc‐
5866 tory, and a warning is logged.
5867
5868 Example:
5869
5870 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
5871
5872 This feature is available in Postfix 2.2 and later.
5873
5874 smtp_tls_session_cache_timeout (default: 3600s)
5875 The expiration time of Postfix SMTP client TLS session cache informa‐
5876 tion. A cache cleanup is performed periodically every $smtp_tls_ses‐
5877 sion_cache_timeout seconds. As with $smtp_tls_session_cache_database,
5878 this parameter is implemented in the tlsmgr(8) daemon and therefore
5879 per-smtp-instance master.cf overrides are not possible.
5880
5881 This feature is available in Postfix 2.2 and later.
5882
5883 smtp_tls_verify_cert_match (default: hostname)
5884 The server certificate peername verification method for the "verify"
5885 TLS security level. In a "verify" TLS policy table ($smtp_tls_pol‐
5886 icy_maps) entry the optional "match" attribute overrides this main.cf
5887 setting.
5888
5889 This parameter specifies one or more patterns or strategies separated
5890 by commas, whitespace or colons. In the policy table the only valid
5891 separator is the colon character.
5892
5893 Patterns specify domain names, or domain name suffixes:
5894
5895 example.com
5896 Match the example.com domain, i.e. one of the names in the server
5897 certificate must be example.com; upper and lower case distinc‐
5898 tions are ignored.
5899
5900 .example.com
5901 Match subdomains of the example.com domain, i.e. match a name in
5902 the server certificate that consists of a non-zero number of
5903 labels followed by a .example.com suffix. Case distinctions are
5904 ignored.
5905
5906 Strategies specify a transformation from the next-hop domain to the
5907 expected name in the server certificate:
5908
5909 nexthop
5910 Match against the next-hop domain, which is either the recipient
5911 domain or the transport next-hop configured for the domain,
5912 stripped of any optional socket type prefix, enclosing square
5913 brackets and trailing port. When MX lookups are not suppressed,
5914 this is the original nexthop domain prior to the MX lookup, not
5915 the result of the MX lookup. For LMTP delivery via UNIX-domain
5916 sockets, the verified next-hop name is $myhostname. This strat‐
5917 egy is suitable for use with the "secure" policy. Case is
5918 ignored.
5919
5920 dot-nexthop
5921 As above, but match server certificate names that are subdomains
5922 of the next-hop domain. Case is ignored.
5923
5924 hostname
5925 Match against the hostname of the server, often obtained via an
5926 unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
5927 sockets, the verified name is $myhostname. This matches the ver‐
5928 ification strategy of the "MUST" keyword in the obsolete
5929 smtp_tls_per_site table, and is suitable for use with the "ver‐
5930 ify" security level. When the next-hop name is enclosed in
5931 square brackets to suppress MX lookups, the "hostname" strategy
5932 is the same as the "nexthop" strategy. Case is ignored.
5933
5934 Sample main.cf setting:
5935
5936 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
5937
5938 Sample policy table override:
5939
5940 example.com verify match=hostname:nexthop
5941 .example.com verify match=example.com:.example.com:hostname
5942
5943 This feature is available in Postfix 2.3 and later.
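
As an added illustration, not Postfix source, the following Python applies the pattern and strategy rules above to a candidate certificate: it reduces a next-hop such as "inet:[mail.example.org]:587" the way the nexthop strategy does, expands nexthop, dot-nexthop and hostname into patterns, and matches the certificate's names against them, ignoring case. It assumes the names (subjectAltName dNSName entries and the CN) have already been extracted from a chain-validated certificate, and that the server host name handed in, where the hostname strategy uses it, came from the MX lookup; all function names are this example's own.

```python
from typing import List, Tuple

SOCKET_PREFIXES = ("inet:", "unix:")


def nexthop_domain(nexthop: str) -> Tuple[str, bool]:
    """Reduce a next-hop as the 'nexthop' strategy does: drop an optional
    socket type prefix, enclosing [] and a trailing :port. Returns the
    lower-cased name and whether [] suppressed MX lookups."""
    name = nexthop
    for prefix in SOCKET_PREFIXES:
        if name.startswith(prefix):
            name = name[len(prefix):]
            break
    mx_suppressed = False
    if name.startswith("["):
        end = name.find("]")
        if end < 0:
            raise ValueError("unbalanced '[' in %r" % nexthop)
        name, mx_suppressed = name[1:end], True   # anything after ']' is a port
    elif ":" in name:
        name = name.rsplit(":", 1)[0]
    return name.lower(), mx_suppressed


def name_matches_pattern(cert_name: str, pattern: str) -> bool:
    """'example.com' requires that exact name; '.example.com' requires at
    least one label in front of that suffix. Case is ignored."""
    cert_name, pattern = cert_name.lower(), pattern.lower()
    if pattern.startswith("."):
        return cert_name.endswith(pattern) and len(cert_name) > len(pattern)
    return cert_name == pattern


def expected_patterns(match_spec: List[str], nexthop: str,
                      server_hostname: str) -> List[str]:
    """Turn the match list (strategies and/or literal patterns) into the
    patterns the certificate names are checked against."""
    domain, mx_suppressed = nexthop_domain(nexthop)
    patterns = []
    for item in match_spec:
        key = item.lower()
        if key == "nexthop":
            patterns.append(domain)
        elif key == "dot-nexthop":
            patterns.append("." + domain)
        elif key == "hostname":
            # The MX host name comes from unauthenticated DNS, unless [] was
            # used, in which case the host name is the nexthop itself.
            patterns.append(domain if mx_suppressed else server_hostname.lower())
        else:
            patterns.append(key)  # literal domain or .suffix pattern
    return patterns


def peername_verified(match_spec: List[str], nexthop: str,
                      server_hostname: str, cert_names: List[str]) -> bool:
    """True if any certificate name matches any expected pattern."""
    patterns = expected_patterns(match_spec, nexthop, server_hostname)
    return any(name_matches_pattern(n, p) for n in cert_names for p in patterns)
```

The hostname strategy is the only one that lets a forged MX answer choose the expected name, which is why the page confines it to the "verify" level.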
5944
5945 smtp_use_tls (default: no)
5946 Opportunistic mode: use TLS when a remote SMTP server announces START‐
5947 TLS support, otherwise send the mail in the clear. Beware: some SMTP
5948 servers offer STARTTLS even if it is not configured. With Postfix <
5949 2.3, if the TLS handshake fails, and no other server is available,
5950 delivery is deferred and mail stays in the queue. If this is a concern
5951 for you, use the smtp_tls_per_site feature instead.
5952
5953 This feature is available in Postfix 2.2 and later. With Postfix 2.3
5954 and later use smtp_tls_security_level instead.
5955
5956 smtp_xforward_timeout (default: 300s)
5957 The SMTP client time limit for sending the XFORWARD command, and for
5958 receiving the server response.
5959
5960 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5961 The default time unit is s (seconds).
5962
5963 This feature is available in Postfix 2.1 and later.
5964
5965 smtpd_authorized_verp_clients (default: $authorized_verp_clients)
5966 What SMTP clients are allowed to specify the XVERP command. This com‐
5967 mand requests that mail be delivered one recipient at a time with a per
5968 recipient return address.
5969
5970 By default, no clients are allowed to specify XVERP.
5971
5972 This parameter was renamed with Postfix version 2.1. The default value
5973 is backwards compatible with Postfix version 2.0.
5974
5975 Specify a list of network/netmask patterns, separated by commas and/or
5976 whitespace. The mask specifies the number of bits in the network part
5977 of a host address. You can also specify hostnames or .domain names (the
5978 initial dot causes the domain to match any name below it),
5979 "/file/name" or "type:table" patterns. A "/file/name" pattern is
5980 replaced by its contents; a "type:table" lookup table is matched when a
5981 table entry matches a lookup string (the lookup result is ignored).
5982 Continue long lines by starting the next line with whitespace. Specify
5983 "!pattern" to exclude an address or network block from the list. The
5984 form "!/file/name" is supported only in Postfix version 2.4 and later.
5985
5986 Note: IP version 6 address information must be specified inside [] in
5987 the smtpd_authorized_verp_clients value, and in files specified with
5988 "/file/name". IP version 6 addresses contain the ":" character, and
5989 would otherwise be confused with a "type:table" pattern.
5990
5991 smtpd_authorized_xclient_hosts (default: empty)
5992 What SMTP clients are allowed to use the XCLIENT feature. This command
5993 overrides SMTP client information that is used for access control. Typ‐
5994 ical use is for SMTP-based content filters, fetchmail-like programs, or
5995 SMTP server access rule testing. See the XCLIENT_README document for
5996 details.
5997
5998 This feature is available in Postfix 2.1 and later.
5999
6000 By default, no clients are allowed to specify XCLIENT.
6001
6002 Specify a list of network/netmask patterns, separated by commas and/or
6003 whitespace. The mask specifies the number of bits in the network part
6004 of a host address. You can also specify hostnames or .domain names (the
6005 initial dot causes the domain to match any name below it),
6006 "/file/name" or "type:table" patterns. A "/file/name" pattern is
6007 replaced by its contents; a "type:table" lookup table is matched when a
6008 table entry matches a lookup string (the lookup result is ignored).
6009 Continue long lines by starting the next line with whitespace. Specify
6010 "!pattern" to exclude an address or network block from the list. The
6011 form "!/file/name" is supported only in Postfix version 2.4 and later.
6012
6013 Note: IP version 6 address information must be specified inside [] in
6014 the smtpd_authorized_xclient_hosts value, and in files specified with
6015 "/file/name". IP version 6 addresses contain the ":" character, and
6016 would otherwise be confused with a "type:table" pattern.
6017
6018 smtpd_authorized_xforward_hosts (default: empty)
6019 What SMTP clients are allowed to use the XFORWARD feature. This com‐
6020 mand forwards information that is used to improve logging after SMTP-
6021 based content filters. See the XFORWARD_README document for details.
6022
6023 This feature is available in Postfix 2.1 and later.
6024
6025 By default, no clients are allowed to specify XFORWARD.
6026
6027 Specify a list of network/netmask patterns, separated by commas and/or
6028 whitespace. The mask specifies the number of bits in the network part
6029 of a host address. You can also specify hostnames or .domain names (the
6030 initial dot causes the domain to match any name below it),
6031 "/file/name" or "type:table" patterns. A "/file/name" pattern is
6032 replaced by its contents; a "type:table" lookup table is matched when a
6033 table entry matches a lookup string (the lookup result is ignored).
6034 Continue long lines by starting the next line with whitespace. Specify
6035 "!pattern" to exclude an address or network block from the list. The
6036 form "!/file/name" is supported only in Postfix version 2.4 and later.
6037
6038 Note: IP version 6 address information must be specified inside [] in
6039 the smtpd_authorized_xforward_hosts value, and in files specified with
6040 "/file/name". IP version 6 addresses contain the ":" character, and
6041 would otherwise be confused with a "type:table" pattern.
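
The three smtpd_authorized_* parameters above, and smtpd_client_event_limit_exceptions below, share this network/netmask list syntax. The following Python is an added example, not Postfix's own list matcher: it splits such a list on commas and whitespace, handles the [] form required for IPv6, CIDR blocks, .domain suffixes, exact hostnames and "!pattern" exclusions, and returns the result of the first matching pattern, which is why the order of an exclusion relative to the block it carves a hole into matters. /file/name and type:table patterns are deliberately left unimplemented since they need a table driver; the sample list is constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple


def parse_client_list(value: str) -> List[Tuple[bool, str]]:
    """Split a mynetworks-style list on commas and/or whitespace into
    (negated, pattern) pairs; '!pattern' means exclude."""
    items = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        items.append((negated, token[1:] if negated else token))
    return items


def pattern_matches(pattern: str, addr, hostname: Optional[str]) -> bool:
    """One pattern against one client. hostname is the client's verified
    name, or None when it is unknown."""
    if pattern.startswith("["):
        # IPv6 goes inside [] so its colons are not read as "type:table":
        # "[2001:db8::]/32" -> "2001:db8::/32", "[::1]" -> "::1"
        end = pattern.index("]")
        net = ipaddress.ip_network(pattern[1:end] + pattern[end + 1:],
                                   strict=False)
        return addr in net
    if pattern.startswith("."):
        # .domain matches names below it, not the domain itself
        return (hostname is not None
                and hostname.lower().endswith(pattern.lower())
                and len(hostname) > len(pattern))
    if pattern.startswith("/") or ":" in pattern:
        raise NotImplementedError(
            "/file/name and type:table patterns need a table driver: %r"
            % pattern)
    try:
        # IPv4 address or address/len; a v6 client never matches a v4 block
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # not an address: treat as an exact hostname
        return hostname is not None and hostname.lower() == pattern.lower()


def client_authorized(value: str, addr_text: str,
                      hostname: Optional[str] = None) -> bool:
    """The first matching pattern decides: a negated pattern that matches
    denies, anything else that matches permits, no match denies."""
    addr = ipaddress.ip_address(addr_text)
    for negated, pattern in parse_client_list(value):
        if pattern_matches(pattern, addr, hostname):
            return not negated
    return False


# Constructed setting for the example (not from a real configuration).
XCLIENT_HOSTS = ("127.0.0.0/8, [::1]/128, !192.0.2.99, 192.0.2.0/24, "
                 ".filter.example.com")
```

Note that "192.0.2.0/24, !192.0.2.99" does not exclude 192.0.2.99: the /24 matches first. Put exclusions before the blocks they carve out.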
6042
6043 smtpd_banner (default: $myhostname ESMTP $mail_name)
6044 The text that follows the 220 status code in the SMTP greeting banner.
6045 Some people like to see the mail version advertised. By default, Post‐
6046 fix shows no version.
6047
6048 You MUST specify $myhostname at the start of the text. This is required
6049 by the SMTP protocol.
6050
6051 Example:
6052
6053 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
6054
6055 smtpd_client_connection_count_limit (default: 50)
6056 How many simultaneous connections any client is allowed to make to this
6057 service. By default, the limit is set to half the default process
6058 limit value.
6059
6060 To disable this feature, specify a limit of 0.
6061
6062 WARNING: The purpose of this feature is to limit abuse. It must not be
6063 used to regulate legitimate mail traffic.
6064
6065 This feature is available in Postfix 2.2 and later.
6066
6067 smtpd_client_connection_rate_limit (default: 0)
6068 The maximal number of connection attempts any client is allowed to make
6069 to this service per time unit. The time unit is specified with the
6070 anvil_rate_time_unit configuration parameter.
6071
6072 By default, a client can make as many connections per time unit as
6073 Postfix can accept.
6074
6075 To disable this feature, specify a limit of 0.
6076
6077 WARNING: The purpose of this feature is to limit abuse. It must not be
6078 used to regulate legitimate mail traffic.
6079
6080 This feature is available in Postfix 2.2 and later.
6081
6082 Example:
6083
6084 smtpd_client_connection_rate_limit = 1000
6085
6086 smtpd_client_event_limit_exceptions (default: $mynetworks)
6087 Clients that are excluded from connection count, connection rate, or
6088 SMTP request rate restrictions. See the mynetworks parameter descrip‐
6089 tion for the parameter value syntax.
6090
6091 By default, clients in trusted networks are excluded. Specify a list of
6092 network blocks, hostnames or .domain names (the initial dot causes the
6093 domain to match any name below it).
6094
6095 Note: IP version 6 address information must be specified inside [] in
6096 the smtpd_client_event_limit_exceptions value, and in files specified
6097 with "/file/name". IP version 6 addresses contain the ":" character,
6098 and would otherwise be confused with a "type:table" pattern.
6099
6100 This feature is available in Postfix 2.2 and later.
6101
6102 smtpd_client_message_rate_limit (default: 0)
6103 The maximal number of message delivery requests that any client is
6104 allowed to make to this service per time unit, regardless of whether or
6105 not Postfix actually accepts those messages. The time unit is speci‐
6106 fied with the anvil_rate_time_unit configuration parameter.
6107
6108 By default, a client can send as many message delivery requests per
6109 time unit as Postfix can accept.
6110
6111 To disable this feature, specify a limit of 0.
6112
6113 WARNING: The purpose of this feature is to limit abuse. It must not be
6114 used to regulate legitimate mail traffic.
6115
6116 This feature is available in Postfix 2.2 and later.
6117
6118 Example:
6119
6120 smtpd_client_message_rate_limit = 1000
6121
6122 smtpd_client_new_tls_session_rate_limit (default: 0)
6123 The maximal number of new (i.e., uncached) TLS sessions that a remote
6124 SMTP client is allowed to negotiate with this service per time unit.
6125 The time unit is specified with the anvil_rate_time_unit configuration
6126 parameter.
6127
6128 By default, a remote SMTP client can negotiate as many new TLS sessions
6129 per time unit as Postfix can accept.
6130
6131 To disable this feature, specify a limit of 0. Otherwise, specify a
6132 limit that is at least the per-client concurrent session limit, or else
6133 legitimate client sessions may be rejected.
6134
6135 WARNING: The purpose of this feature is to limit abuse. It must not be
6136 used to regulate legitimate mail traffic.
6137
6138 This feature is available in Postfix 2.3 and later.
6139
6140 Example:
6141
6142 smtpd_client_new_tls_session_rate_limit = 100
6143
6144 smtpd_client_port_logging (default: no)
6145 Enable logging of the remote SMTP client port in addition to the host‐
6146 name and IP address. The logging format is "host[address]:port".
6147
6148 This feature is available in Postfix 2.5 and later.
6149
6150 smtpd_client_recipient_rate_limit (default: 0)
6151 The maximal number of recipient addresses that any client is allowed to
6152 send to this service per time unit, regardless of whether or not Post‐
6153 fix actually accepts those recipients. The time unit is specified with
6154 the anvil_rate_time_unit configuration parameter.
6155
6156 By default, a client can send as many recipient addresses per time unit
6157 as Postfix can accept.
6158
6159 To disable this feature, specify a limit of 0.
6160
6161 WARNING: The purpose of this feature is to limit abuse. It must not be
6162 used to regulate legitimate mail traffic.
6163
6164 This feature is available in Postfix 2.2 and later.
6165
6166 Example:
6167
6168 smtpd_client_recipient_rate_limit = 1000
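
The four smtpd_client_*_rate_limit parameters above share one counting model. The Python below is an added, simplified model written for this page, not anvil(8) code: it counts events per client and event kind within a window of anvil_rate_time_unit seconds, treats a limit of 0 as disabled, skips clients in an exceptions list, counts requests whether or not they would later be accepted, and replays a constructed event stream to show which requests exceed their limit. The window is assumed to start at the client's first event and to reset once it is a full time unit old; consult anvil(8) for the daemon's exact behaviour.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str, str]   # (time in seconds, client address, kind)


class AnvilCounter:
    """Per-client, per-kind event counting within a fixed time window.
    Simplified model for this example; see anvil(8) for the real thing."""

    def __init__(self, limits: Dict[str, int], time_unit: int = 60,
                 exceptions: Iterable[str] = ()):
        self.limits = limits                  # kind -> limit, 0 = unlimited
        self.time_unit = time_unit            # anvil_rate_time_unit
        self.exceptions = [ipaddress.ip_network(n) for n in exceptions]
        self.windows: Dict[Tuple[str, str], Tuple[float, int]] = {}

    def exempt(self, client: str) -> bool:
        """smtpd_client_event_limit_exceptions: never counted or limited."""
        addr = ipaddress.ip_address(client)
        return any(addr in net for net in self.exceptions)

    def event(self, client: str, kind: str, now: float) -> bool:
        """Count one connect/message/recipient/new-TLS-session event and
        return True while the client is within its limit."""
        limit = self.limits.get(kind, 0)
        if limit == 0 or self.exempt(client):
            return True
        start, count = self.windows.get((client, kind), (now, 0))
        if now - start >= self.time_unit:     # window expired: start anew
            start, count = now, 0
        count += 1                            # counted even if later refused
        self.windows[(client, kind)] = (start, count)
        return count <= limit


def simulate(events: Iterable[Event], limits: Dict[str, int],
             time_unit: int = 60, exceptions: Iterable[str] = ()) -> List[Event]:
    """Replay events in order and return those that exceeded a limit."""
    counter = AnvilCounter(limits, time_unit, exceptions)
    return [e for e in events if not counter.event(e[1], e[2], e[0])]


# Constructed event stream: one client bursts 4 connections in 3 seconds,
# a trusted client does the same, then the first client sends 3 messages
# in one minute and reconnects after the window has expired.
EVENTS: List[Event] = [
    (0, "203.0.113.7", "connect"), (1, "203.0.113.7", "connect"),
    (2, "203.0.113.7", "connect"), (3, "203.0.113.7", "connect"),
    (0, "192.0.2.5", "connect"), (1, "192.0.2.5", "connect"),
    (2, "192.0.2.5", "connect"), (3, "192.0.2.5", "connect"),
    (10, "203.0.113.7", "message"), (20, "203.0.113.7", "message"),
    (30, "203.0.113.7", "message"),
    (61, "203.0.113.7", "connect"),
]
LIMITS = {"connect": 3, "message": 2, "recipient": 0}   # recipient: no limit
```

With 192.0.2.0/24 as the exceptions list, only the fourth connection and the third message from 203.0.113.7 are refused; the connection at t=61 falls into a fresh window and passes.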
6169
6170 smtpd_client_restrictions (default: empty)
6171 Optional SMTP server access restrictions in the context of a client
6172 SMTP connection request. See SMTPD_ACCESS_README, section "Delayed
6173 evaluation of SMTP access restriction lists" for a discussion of evalu‐
6174 ation context and time.
6175
6176 The default is to allow all connection requests.
6177
6178 Specify a list of restrictions, separated by commas and/or whitespace.
6179 Continue long lines by starting the next line with whitespace.
6180 Restrictions are applied in the order as specified; the first restric‐
6181 tion that matches wins.
6182
6183 The following restrictions are specific to client hostname or client
6184 network address information.
6185
6186 check_ccert_access type:table
6187 Use the client certificate fingerprint as lookup key for the
6188 specified access(5) database; with Postfix version 2.2, also
6189 require that the SMTP client certificate is verified success‐
6190 fully. The fingerprint digest algorithm is configurable via the
6191 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
6192 to Postfix version 2.5). This feature is available with Postfix
6193 version 2.2 and later.
6194
6195 check_client_access type:table
6196 Search the specified access database for the client hostname,
6197 parent domains, client IP address, or networks obtained by
6198 stripping least significant octets. See the access(5) manual
6199 page for details.
6200
6201 check_reverse_client_hostname_access type:table
6202 Search the specified access database for the unverified reverse
6203 client hostname, parent domains, client IP address, or networks
6204 obtained by stripping least significant octets. See the
6205 access(5) manual page for details. Note: a result of "OK" is
6206 not allowed for safety reasons. Instead, use DUNNO in order to
6207 exclude specific hosts from blacklists. This feature is avail‐
6208 able in Postfix 2.6 and later.
6209
6210 permit_inet_interfaces
6211 Permit the request when the client IP address matches
6212 $inet_interfaces.
6213
6214 permit_mynetworks
6215 Permit the request when the client IP address matches any net‐
6216 work or network address listed in $mynetworks.
6217
6218 permit_sasl_authenticated
6219 Permit the request when the client is successfully authenticated
6220 via the RFC 4954 (AUTH) protocol.
6221
6222 permit_tls_all_clientcerts
6223 Permit the request when the remote SMTP client certificate is
6224 verified successfully. This option must be used only if a spe‐
6225 cial CA issues the certificates and only this CA is listed as a
6226 trusted CA; otherwise all clients with a certificate from a rec‐
6227 ognized CA would be allowed to relay. This feature is available
6228 with Postfix version 2.2.
6229
6230 permit_tls_clientcerts
6231 Permit the request when the remote SMTP client certificate fin‐
6232 gerprint is listed in $relay_clientcerts. The fingerprint
6233 digest algorithm is configurable via the smtpd_tls_finger‐
6234 print_digest parameter (hard-coded as md5 prior to Postfix ver‐
6235 sion 2.5). This feature is available with Postfix version 2.2.
6236
6237 reject_rbl_client rbl_domain=d.d.d.d
6238 Reject the request when the reversed client network address is
6239 listed with the A record "d.d.d.d" under rbl_domain (Postfix
6240 version 2.1 and later only). If no "=d.d.d.d" is specified,
6241 reject the request when the reversed client network address is
6242 listed with any A record under rbl_domain.
6243 The maps_rbl_reject_code parameter specifies the response code
6244 for rejected requests (default: 554), the default_rbl_reply
6245 parameter specifies the default server reply, and the
6246 rbl_reply_maps parameter specifies tables with server replies
6247 indexed by rbl_domain. This feature is available in Postfix 2.0
6248 and later.
6249
6250 reject_rhsbl_client rbl_domain=d.d.d.d
6251 Reject the request when the client hostname is listed with the A
6252 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
6253 only). If no "=d.d.d.d" is specified, reject the request when
6254 the client hostname is listed with any A record under
6255 rbl_domain. See the reject_rbl_client description above for
6256 additional RBL related configuration parameters. This feature
6257 is available in Postfix 2.0 and later.
6258
6259 reject_unknown_client_hostname (with Postfix < 2.3:
6260 reject_unknown_client)
6261 Reject the request when 1) the client IP address->name mapping
6262 fails, 2) the name->address mapping fails, or 3) the
6263 name->address mapping does not match the client IP address.
6264 This is a stronger restriction than the
6265 reject_unknown_reverse_client_hostname feature, which triggers
6266 only under condition 1) above.
6267 The unknown_client_reject_code parameter specifies the response
6268 code for rejected requests (default: 450). The reply is always
6269 450 in case the address->name or name->address lookup failed due
6270 to a temporary problem.
6271
6272 reject_unknown_reverse_client_hostname
6273 Reject the request when the client IP address has no
6274 address->name mapping.
6275 This is a weaker restriction than the
6276 reject_unknown_client_hostname feature, which requires not only
6277 that the address->name and name->address mappings exist, but
6278 also that the two mappings reproduce the client IP address.
6279 The unknown_client_reject_code parameter specifies the response
6280 code for rejected requests (default: 450). The reply is always
6281 450 in case the address->name lookup failed due to a temporary
6282 problem.
6283 This feature is available in Postfix 2.3 and later.
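
To make the ordering rule ("the first restriction that matches wins") and the 450/554 defaults concrete, here is an added Python model, not smtpd(8) code, that evaluates a client restriction list over constructed DNS data: permit_mynetworks, the two reject_unknown_*_client_hostname checks (a temporary lookup failure is always answered with 450), reject_rbl_client with and without the "=d.d.d.d" filter, and the generic permit and defer restrictions described next. The PTR and A records, the zone bl.example and all host names are made up for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

TEMPFAIL = object()   # a lookup that failed temporarily (timeout, SERVFAIL)

# Constructed DNS data for the example; a real smtpd(8) asks the resolver.
PTR = {                                    # address -> names, or TEMPFAIL
    "192.0.2.10": ["mail.example.com"],    # good FCrDNS, RBL-listed 127.0.0.2
    "192.0.2.20": ["bogus.example.net"],   # PTR exists, forward disagrees
    "192.0.2.30": [],                      # no PTR record at all
    "192.0.2.40": TEMPFAIL,
    "192.0.2.50": ["relay.example.org"],   # good FCrDNS, RBL-listed 127.0.0.2
    "192.0.2.60": ["host.example.org"],    # good FCrDNS, RBL-listed 127.0.0.4
}
A = {                                      # name -> addresses
    "mail.example.com": ["192.0.2.10"],
    "bogus.example.net": ["198.51.100.1"],
    "relay.example.org": ["192.0.2.50"],
    "host.example.org": ["192.0.2.60"],
    # reversed client addresses under the RBL zone
    "10.2.0.192.bl.example": ["127.0.0.2"],
    "50.2.0.192.bl.example": ["127.0.0.2"],
    "60.2.0.192.bl.example": ["127.0.0.4"],
}


def client_name_status(addr: str):
    """(has_reverse_name, forward_confirmed), or TEMPFAIL."""
    names = PTR.get(addr, [])
    if names is TEMPFAIL:
        return TEMPFAIL
    if not names:
        return (False, False)
    for name in names:
        forward = A.get(name, [])
        if forward is TEMPFAIL:
            return TEMPFAIL
        if addr in forward:
            return (True, True)
    return (True, False)


def rbl_listed(addr: str, zone: str, want: Optional[str]) -> bool:
    """reject_rbl_client: A lookup of <reversed octets>.<zone>; with
    '=d.d.d.d' only that record counts. A failed lookup counts as 'not
    listed', which is what defer_if_permit is meant to catch."""
    query = ".".join(reversed(addr.split("."))) + "." + zone
    answer = A.get(query, [])
    if answer is TEMPFAIL:
        return False
    return any(want is None or a == want for a in answer)


def evaluate(restrictions: str, addr: str,
             mynetworks: List[str]) -> Tuple[str, Optional[int]]:
    """Apply a client restriction list in order; the first match wins.
    Reply codes are the defaults named on this page: unknown_client_
    reject_code 450, maps_rbl_reject_code 554, defer_code 450."""
    ip = ipaddress.ip_address(addr)
    tokens = restrictions.replace(",", " ").split()
    i = 0
    while i < len(tokens):
        r = tokens[i]
        i += 1
        if r == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in mynetworks):
                return ("PERMIT", None)
        elif r == "reject_unknown_reverse_client_hostname":
            status = client_name_status(addr)
            if status is TEMPFAIL or not status[0]:
                return ("REJECT", 450)
        elif r == "reject_unknown_client_hostname":
            status = client_name_status(addr)
            if status is TEMPFAIL or not status[1]:
                return ("REJECT", 450)
        elif r == "reject_rbl_client":
            if i >= len(tokens):
                raise ValueError("reject_rbl_client needs an rbl_domain")
            zone, _, want = tokens[i].partition("=")
            i += 1
            if rbl_listed(addr, zone, want or None):
                return ("REJECT", 554)
        elif r == "permit":
            return ("PERMIT", None)
        elif r == "defer":
            return ("DEFER", 450)
        else:
            raise ValueError("restriction not modelled here: %r" % r)
    return ("PERMIT", None)   # empty list or no match: the request proceeds
```

With permit_mynetworks first, the RBL-listed 192.0.2.10 is still permitted when it is inside $mynetworks; move the RBL check in front of it and the outcome flips, which is the ordering point the text makes.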
6284
       In addition, you can use any of the following generic restrictions.
       These restrictions are applicable in any SMTP command context.

       check_policy_service servername
              Query the specified policy server. See the SMTPD_POLICY_README
              document for details. This feature is available in Postfix 2.1
              and later.

       defer  Defer the request. The client is told to try again later. This
              restriction is useful at the end of a restriction list, to make
              the default policy explicit.
              The defer_code parameter specifies the SMTP server reply code
              (default: 450).

       defer_if_permit
              Defer the request if some later restriction would result in an
              explicit or implicit PERMIT action. This is useful when a
              blacklisting feature fails due to a temporary problem. This
              feature is available in Postfix version 2.1 and later.

       defer_if_reject
              Defer the request if some later restriction would result in a
              REJECT action. This is useful when a whitelisting feature fails
              due to a temporary problem. This feature is available in Postfix
              version 2.1 and later.

       permit Permit the request. This restriction is useful at the end of a
              restriction list, to make the default policy explicit.

       reject_multi_recipient_bounce
              Reject the request when the envelope sender is the null address,
              and the message has multiple envelope recipients. This usage has
              rare but legitimate applications: under certain conditions,
              multi-recipient mail that was posted with the DSN option
              NOTIFY=NEVER may be forwarded with the null sender address.
              Note: this restriction can only work reliably when used in
              smtpd_data_restrictions or smtpd_end_of_data_restrictions,
              because the total number of recipients is not known at an earlier
              stage of the SMTP conversation. Use at the RCPT stage will
              only reject the second etc. recipient.
              The multi_recipient_bounce_reject_code parameter specifies the
              response code for rejected requests (default: 550). This feature
              is available in Postfix 2.1 and later.

       reject_plaintext_session
              Reject the request when the connection is not encrypted. This
              restriction should not be used before the client has had a
              chance to negotiate encryption with the AUTH or STARTTLS commands.
              The plaintext_reject_code parameter specifies the response code
              for rejected requests (default: 450). This feature is available
              in Postfix 2.3 and later.

       reject_unauth_pipelining
              Reject the request when the client sends SMTP commands ahead of
              time where it is not allowed, or when the client sends SMTP commands
              ahead of time without knowing that Postfix actually supports
              ESMTP command pipelining. This stops mail from bulk mail
              software that improperly uses ESMTP command pipelining in order
              to speed up deliveries.
              With Postfix 2.6 and later, the SMTP server sets a per-session
              flag whenever it detects illegal pipelining, including pipelined
              EHLO or HELO commands. The reject_unauth_pipelining feature simply
              tests whether the flag was set at any point in time during
              the session.
              With older Postfix versions, reject_unauth_pipelining checks the
              current status of the input read queue, and its usage is not
              recommended in contexts other than smtpd_data_restrictions.

       reject Reject the request. This restriction is useful at the end of a
              restriction list, to make the default policy explicit. The
              reject_code configuration parameter specifies the response code
              for rejected requests (default: 554).

       sleep seconds
              Pause for the specified number of seconds and proceed with the
              next restriction in the list, if any. This may stop zombie mail
              when used as:
              /etc/postfix/main.cf:
                  smtpd_client_restrictions =
                      sleep 1, reject_unauth_pipelining
                  smtpd_delay_reject = no
              This feature is available in Postfix 2.3.

       warn_if_reject
              Change the meaning of the next restriction, so that it logs a
              warning instead of rejecting a request (look for logfile records
              that contain "reject_warning"). This is useful for testing new
              restrictions in a "live" environment without risking unnecessary
              loss of mail.

       Other restrictions that are valid in this context:

              · SMTP command specific restrictions that are described under the
                smtpd_helo_restrictions, smtpd_sender_restrictions or
                smtpd_recipient_restrictions parameters. When helo, sender or
                recipient restrictions are listed under smtpd_client_restrictions,
                they have effect only with "smtpd_delay_reject = yes", so
                that $smtpd_client_restrictions is evaluated at the time of the
                RCPT TO command.

       Example:

       smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname

smtpd_data_restrictions
       Optional access restrictions that the Postfix SMTP server applies in
       the context of the SMTP DATA command. See SMTPD_ACCESS_README, section
       "Delayed evaluation of SMTP access restriction lists" for a discussion
       of evaluation context and time.

       This feature is available in Postfix 2.0 and later.

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.
       Restrictions are applied in the order as specified; the first restriction
       that matches wins.

       The following restrictions are valid in this context:

              · Generic restrictions that can be used in any SMTP command context,
                described under smtpd_client_restrictions.

              · SMTP command specific restrictions described under
                smtpd_client_restrictions, smtpd_helo_restrictions,
                smtpd_sender_restrictions or smtpd_recipient_restrictions.

       Examples:

       smtpd_data_restrictions = reject_unauth_pipelining
       smtpd_data_restrictions = reject_multi_recipient_bounce

smtpd_delay_open_until_valid_rcpt
       Postpone the start of an SMTP mail transaction until a valid RCPT TO
       command is received. Specify "no" to create a mail transaction as soon
       as the SMTP server receives a valid MAIL FROM command.

       With sites that reject lots of mail, the default setting reduces the
       use of disk, CPU and memory resources. The downside is that rejected
       recipients are logged with NOQUEUE instead of a mail transaction ID.
       This complicates the logfile analysis of multi-recipient mail.

       This feature is available in Postfix 2.3 and later.

smtpd_delay_reject
       Wait until the RCPT TO command before evaluating $smtpd_client_restrictions,
       $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
       until the ETRN command before evaluating $smtpd_client_restrictions and
       $smtpd_helo_restrictions.

       This feature is turned on by default because some clients apparently
       mis-behave when the Postfix SMTP server rejects commands before RCPT
       TO.

       The default setting has one major benefit: it allows Postfix to log
       recipient address information when rejecting a client name/address or
       sender address, so that it is possible to find out whose mail is being
       rejected.

smtpd_discard_ehlo_keyword_address_maps
       Lookup tables, indexed by the remote SMTP client address, with case
       insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
       that the SMTP server will not send in the EHLO response to a remote
       SMTP client. See smtpd_discard_ehlo_keywords for details. The table is
       not searched by hostname for robustness reasons.

       This feature is available in Postfix 2.2 and later.

smtpd_discard_ehlo_keywords
       A case insensitive list of EHLO keywords (pipelining, starttls, auth,
       etc.) that the SMTP server will not send in the EHLO response to a
       remote SMTP client.

       This feature is available in Postfix 2.2 and later.

       Notes:

              · Specify the silent-discard pseudo keyword to prevent this action
                from being logged.

              · Use the smtpd_discard_ehlo_keyword_address_maps feature to discard
                EHLO keywords selectively.

smtpd_end_of_data_restrictions
       Optional access restrictions that the Postfix SMTP server applies in
       the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README,
       section "Delayed evaluation of SMTP access restriction lists" for a
       discussion of evaluation context and time.

       This feature is available in Postfix 2.2 and later.

       See smtpd_data_restrictions for syntax details.

smtpd_enforce_tls
       Mandatory TLS: announce STARTTLS support to SMTP clients, and require
       that clients use TLS encryption. According to RFC 2487 this MUST NOT
       be applied in case of a publicly-referenced SMTP server. This option
       is off by default and should be used only on dedicated servers.

       Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

       Note 2: when invoked via "sendmail -bs", Postfix will never offer
       STARTTLS due to insufficient privileges to access the server private
       key. This is intended behavior.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtpd_tls_security_level instead.

smtpd_error_sleep_time
       With Postfix version 2.1 and later: the SMTP server response delay
       after a client has made more than $smtpd_soft_error_limit errors, and
       fewer than $smtpd_hard_error_limit errors, without delivering mail.

       With Postfix version 2.0 and earlier: the SMTP server delay before
       sending a reject (4xx or 5xx) response, when the client has made fewer
       than $smtpd_soft_error_limit errors without delivering mail.

smtpd_etrn_restrictions
       Optional SMTP server access restrictions in the context of a client
       ETRN request. See SMTPD_ACCESS_README, section "Delayed evaluation of
       SMTP access restriction lists" for a discussion of evaluation context
       and time.

       The Postfix ETRN implementation accepts only destinations that are eligible
       for the Postfix "fast flush" service. See the ETRN_README file
       for details.

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.
       Restrictions are applied in the order as specified; the first restriction
       that matches wins.

       The following restrictions are specific to the domain name information
       received with the ETRN command.

       check_etrn_access type:table
              Search the specified access database for the ETRN domain name or
              its parent domains. See the access(5) manual page for details.

       Other restrictions that are valid in this context:

              · Generic restrictions that can be used in any SMTP command context,
                described under smtpd_client_restrictions.

              · SMTP command specific restrictions described under
                smtpd_client_restrictions and smtpd_helo_restrictions.

       Example:

       smtpd_etrn_restrictions = permit_mynetworks, reject

smtpd_expansion_filter
       What characters are allowed in $name expansions of RBL reply templates.
       Characters not in the allowed set are replaced by "_". Use C like
       escapes to specify special characters such as whitespace.

       This parameter is not subjected to $parameter expansion.

       This feature is available in Postfix 2.0 and later.

smtpd_forbidden_commands
       List of commands that cause the Postfix SMTP server to immediately
       terminate the session with a 221 code. This can be used to disconnect
       clients that obviously attempt to abuse the system. In addition to the
       commands listed in this parameter, commands that follow the "Label:"
       format of message headers will also cause a disconnect.

       This feature is available in Postfix 2.2 and later.

smtpd_hard_error_limit
       The maximal number of errors a remote SMTP client is allowed to make
       without delivering mail. The Postfix SMTP server disconnects when the
       limit is exceeded. Normally the default limit is 20, but it changes
       under overload to just 1 with Postfix 2.6 and later.

smtpd_helo_required
       Require that a remote SMTP client introduces itself at the beginning of
       an SMTP session with the HELO or EHLO command.

       Example:

       smtpd_helo_required = yes

smtpd_helo_restrictions
       Optional restrictions that the Postfix SMTP server applies in the context
       of the SMTP HELO command. See SMTPD_ACCESS_README, section
       "Delayed evaluation of SMTP access restriction lists" for a discussion
       of evaluation context and time.

       The default is to permit everything.

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.
       Restrictions are applied in the order as specified; the first restriction
       that matches wins.

       The following restrictions are specific to the hostname information
       received with the HELO or EHLO command.

       check_helo_access type:table
              Search the specified access(5) database for the HELO or EHLO
              hostname or parent domains, and execute the corresponding
              action.

       check_helo_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              HELO or EHLO hostname, and execute the corresponding action.
              Note: a result of "OK" is not allowed for safety reasons.
              Instead, use DUNNO in order to exclude specific hosts from
              blacklists. This feature is available in Postfix 2.1 and later.

       check_helo_ns_access type:table
              Search the specified access(5) database for the DNS servers for
              the HELO or EHLO hostname, and execute the corresponding action.
              Note: a result of "OK" is not allowed for safety reasons.
              Instead, use DUNNO in order to exclude specific hosts from
              blacklists. This feature is available in Postfix 2.1 and later.

       reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
              Reject the request when the HELO or EHLO hostname syntax is
              invalid.
              The invalid_hostname_reject_code specifies the response code for
              rejected requests (default: 501).

       reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
              Reject the request when the HELO or EHLO hostname is not in
              fully-qualified domain form, as required by the RFC.
              The non_fqdn_reject_code parameter specifies the response code
              for rejected requests (default: 504).

       reject_rhsbl_helo rbl_domain=d.d.d.d
              Reject the request when the HELO or EHLO hostname is
              listed with the A record "d.d.d.d" under rbl_domain (Postfix
              version 2.1 and later only). If no "=d.d.d.d" is specified,
              reject the request when the HELO or EHLO hostname is listed with
              any A record under rbl_domain. See the reject_rbl_client
              description for additional RBL related configuration parameters.
              This feature is available in Postfix 2.0 and later.

       reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
              Reject the request when the HELO or EHLO hostname has no DNS A
              or MX record.
              The unknown_hostname_reject_code parameter specifies the numerical
              response code for rejected requests (default: 450).
              The unknown_helo_hostname_tempfail_action parameter specifies
              the action after a temporary DNS error (default: defer_if_permit).

       Other restrictions that are valid in this context:

              · Generic restrictions that can be used in any SMTP command context,
                described under smtpd_client_restrictions.

              · Client hostname or network address specific restrictions
                described under smtpd_client_restrictions.

              · SMTP command specific restrictions described under
                smtpd_sender_restrictions or smtpd_recipient_restrictions. When
                sender or recipient restrictions are listed under
                smtpd_helo_restrictions, they have effect only with
                "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
                evaluated at the time of the RCPT TO command.

       Examples:

       smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
       smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname

smtpd_history_flush_threshold
       The maximal number of lines in the Postfix SMTP server command history
       before it is flushed upon receipt of EHLO, RSET, or end of DATA.

smtpd_junk_command_limit
       The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
       SMTP client can send before the Postfix SMTP server starts to increment
       the error counter with each junk command. The junk command count is
       reset after mail is delivered. See also the smtpd_error_sleep_time and
       smtpd_soft_error_limit configuration parameters. Normally the default
       limit is 100, but it changes under overload to just 1 with Postfix 2.6
       and later.

smtpd_milters
       A list of Milter (mail filter) applications for new mail that arrives
       via the Postfix smtpd(8) server. See the MILTER_README document for
       details.

       This feature is available in Postfix 2.3 and later.

smtpd_noop_commands
       List of commands that the Postfix SMTP server replies to with "250 Ok",
       without doing any syntax checks and without changing state. This list
       overrides any commands built into the Postfix SMTP server.

smtpd_null_access_lookup_key
       The lookup key to be used in SMTP access(5) tables instead of the null
       sender address.

smtpd_peername_lookup
       Attempt to look up the remote SMTP client hostname, and verify that the
       name matches the client IP address. A client name is set to "unknown"
       when it cannot be looked up or verified, or when name lookup is disabled.
       Turning off name lookup reduces delays due to DNS lookup and
       increases the maximal inbound delivery rate.

       This feature is available in Postfix 2.3 and later.

smtpd_policy_service_max_idle
       The time after which an idle SMTPD policy service connection is closed.

       This feature is available in Postfix 2.1 and later.

smtpd_policy_service_max_ttl
       The time after which an active SMTPD policy service connection is
       closed.

       This feature is available in Postfix 2.1 and later.

smtpd_policy_service_timeout
       The time limit for connecting to, writing to or receiving from a delegated
       SMTPD policy server.

       This feature is available in Postfix 2.1 and later.

smtpd_proxy_ehlo
       How the Postfix SMTP server announces itself to the proxy filter. By
       default, the Postfix hostname is used.

       This feature is available in Postfix 2.1 and later.

smtpd_proxy_filter
       The hostname and TCP port of the mail filtering proxy server. The
       proxy receives all mail from the Postfix SMTP server, and is supposed
       to give the result to another Postfix SMTP server process.

       Specify "host:port" or "inet:host:port" for a TCP endpoint, or
       "unix:pathname" for a UNIX-domain endpoint. The host can be specified
       as an IP address or as a symbolic name; no MX lookups are done. When
       no "host" or "host:" are specified, the local machine is assumed.
       Pathname interpretation is relative to the Postfix queue directory.

       This feature is available in Postfix 2.1 and later.

       The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
       later.

smtpd_proxy_timeout
       The time limit for connecting to a proxy filter and for sending or
       receiving information. When a connection fails the client gets a
       generic error message while more detailed information is logged to the
       maillog file.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

smtpd_recipient_limit
       The maximal number of recipients that the Postfix SMTP server accepts
       per message delivery request.

smtpd_recipient_overshoot_limit
       The number of recipients that a remote SMTP client can send in excess
       of the limit specified with $smtpd_recipient_limit, before the Postfix
       SMTP server increments the per-session error count for each excess
       recipient.

smtpd_recipient_restrictions (default: permit_mynetworks, reject_unauth_destination)
       The access restrictions that the Postfix SMTP server applies in the
       context of the RCPT TO command. See SMTPD_ACCESS_README, section
       "Delayed evaluation of SMTP access restriction lists" for a discussion
       of evaluation context and time.

       By default, the Postfix SMTP server accepts:

              · Mail from clients whose IP address matches $mynetworks, or:

              · Mail to remote destinations that match $relay_domains, except
                for addresses that contain sender-specified routing
                (user@elsewhere@domain), or:

              · Mail to local destinations that match $inet_interfaces or
                $proxy_interfaces, $mydestination, $virtual_alias_domains, or
                $virtual_mailbox_domains.

       IMPORTANT: If you change this parameter setting, you must specify at
       least one of the following restrictions. Otherwise Postfix will refuse
       to receive mail:

       reject, defer, defer_if_permit, reject_unauth_destination

       Specify a list of restrictions, separated by commas and/or whitespace.
       Continue long lines by starting the next line with whitespace.
       Restrictions are applied in the order as specified; the first restriction
       that matches wins.

       The following restrictions are specific to the recipient address that
       is received with the RCPT TO command.

       check_recipient_access type:table
              Search the specified access(5) database for the resolved RCPT TO
              address, domain, parent domains, or localpart@, and execute the
              corresponding action.

       check_recipient_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              RCPT TO domain, and execute the corresponding action. Note: a
              result of "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from blacklists. This
              feature is available in Postfix 2.1 and later.

       check_recipient_ns_access type:table
              Search the specified access(5) database for the DNS servers for
              the RCPT TO domain, and execute the corresponding action. Note:
              a result of "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from blacklists. This
              feature is available in Postfix 2.1 and later.

       permit_auth_destination
              Permit the request when one of the following is true:

              · Postfix is mail forwarder: the resolved RCPT TO domain matches
                $relay_domains or a subdomain thereof, and the address contains
                no sender-specified routing (user@elsewhere@domain),

              · Postfix is the final destination: the resolved RCPT TO domain
                matches $mydestination, $inet_interfaces, $proxy_interfaces,
                $virtual_alias_domains, or $virtual_mailbox_domains, and the
                address contains no sender-specified routing
                (user@elsewhere@domain).

       permit_mx_backup
              Permit the request when the local mail system is backup MX for
              the RCPT TO domain, or when the domain is an authorized destination
              (see permit_auth_destination for definition).

              · Safety: permit_mx_backup does not accept addresses that have
                sender-specified routing information (example:
                user@elsewhere@domain).

              · Safety: permit_mx_backup can be vulnerable to mis-use when
                access is not restricted with permit_mx_backup_networks.

              · Safety: as of Postfix version 2.3, permit_mx_backup no longer
                accepts the address when the local mail system is primary MX for
                the recipient domain. Exception: permit_mx_backup accepts the
                address when it specifies an authorized destination (see
                permit_auth_destination for definition).

              · Limitation: mail may be rejected in case of a temporary DNS
                lookup problem with Postfix prior to version 2.0.

       reject_non_fqdn_recipient
              Reject the request when the RCPT TO address is not in
              fully-qualified domain form, as required by the RFC.
              The non_fqdn_reject_code parameter specifies the response code
              for rejected requests (default: 504).

       reject_rhsbl_recipient rbl_domain=d.d.d.d
              Reject the request when the RCPT TO domain is listed with the A
              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
              only). If no "=d.d.d.d" is specified, reject the request when
              the RCPT TO domain is listed with any A record under rbl_domain.
              The maps_rbl_reject_code parameter specifies the response code
              for rejected requests (default: 554); the default_rbl_reply
              parameter specifies the default server reply; and the
              rbl_reply_maps parameter specifies tables with server replies
              indexed by rbl_domain. This feature is available in Postfix
              version 2.0 and later.

       reject_unauth_destination
              Reject the request unless one of the following is true:

              · Postfix is mail forwarder: the resolved RCPT TO domain matches
                $relay_domains or a subdomain thereof, and contains no
                sender-specified routing (user@elsewhere@domain),

              · Postfix is the final destination: the resolved RCPT TO domain
                matches $mydestination, $inet_interfaces, $proxy_interfaces,
                $virtual_alias_domains, or $virtual_mailbox_domains, and contains
                no sender-specified routing (user@elsewhere@domain).
              The relay_domains_reject_code parameter specifies the response
              code for rejected requests (default: 554).

       reject_unknown_recipient_domain
              Reject the request when Postfix is not final destination for the
              recipient domain, and the RCPT TO domain has no DNS A or MX
              record, or when it has a malformed MX record such as a record
              with a zero-length MX hostname (Postfix version 2.3 and later).
              The unknown_address_reject_code parameter specifies the numerical
              response code for rejected requests (default: 450). The
              response is always 450 in case of a temporary DNS error.
              The unknown_address_tempfail_action parameter specifies the
              action after a temporary DNS error (default: defer_if_permit).

       reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
              Reject the request when the RCPT TO address is not listed in the
              list of valid recipients for its domain class. See the
              smtpd_reject_unlisted_recipient parameter description for
              details. This feature is available in Postfix 2.1 and later.

       reject_unverified_recipient
              Reject the request when mail to the RCPT TO address is known to
              bounce, or when the recipient address destination is not reachable.
              Address verification information is managed by the verify(8)
              server; see the ADDRESS_VERIFICATION_README file for
              details.
              The unverified_recipient_reject_code parameter specifies the
              numerical response code when an address is known to bounce
              (default: 450, change into 550 when you are confident that it is
              safe to do so).
              The unverified_recipient_defer_code parameter specifies the
              numerical response code when an address probe failed due to a
              temporary problem (default: 450).
              The unverified_recipient_tempfail_action parameter specifies the
              action after address probe failure due to a temporary problem
              (default: defer_if_permit).
              This feature is available in Postfix 2.1 and later.

       Other restrictions that are valid in this context:

              · Generic restrictions that can be used in any SMTP command context,
                described under smtpd_client_restrictions.

              · SMTP command specific restrictions described under
                smtpd_client_restrictions, smtpd_helo_restrictions and
                smtpd_sender_restrictions.

       Example:

       smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
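
       The generic restrictions (permit, reject, defer, defer_if_permit,
       defer_if_reject, warn_if_reject) and the IMPORTANT rule above can be
       exercised with a small model of the restriction walk. This is an added
       example, not Postfix code: the Config and Session classes, the domain
       sets and the client addresses are constructed, and only the restrictions
       named in the code are modelled.

```python
"""Model of how the Postfix SMTP server walks a restriction list (added
example, not Postfix code): first match wins, the generic restrictions
permit/reject/defer/defer_if_permit/defer_if_reject/warn_if_reject, the
permit_mynetworks, permit_sasl_authenticated, permit_auth_destination and
reject_unauth_destination tests, and a lint for the postconf(5) rule that a
customised smtpd_recipient_restrictions must keep a rejecting restriction."""
import ipaddress
from dataclasses import dataclass, field

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"
# postconf(5): one of these must be present, else Postfix refuses mail.
REQUIRED_ONE_OF = {"reject", "defer", "defer_if_permit",
                   "reject_unauth_destination"}


@dataclass
class Config:
    mynetworks: list        # CIDR strings, as in $mynetworks
    mydestination: set      # domains this host is final destination for
    relay_domains: set      # domains this host forwards mail for


@dataclass
class Session:
    client_ip: str
    recipient: str
    sasl_username: str = ""  # non-empty once the client has authenticated
    warnings: list = field(default_factory=list)  # warn_if_reject records


def is_auth_destination(rcpt: str, cfg: Config) -> bool:
    """Final destination or $relay_domains (or a subdomain), and no
    sender-specified routing: user@elsewhere@domain has two '@' signs."""
    if rcpt.count("@") != 1:
        return False
    domain = rcpt.rsplit("@", 1)[1].lower()
    return domain in cfg.mydestination or any(
        domain == d or domain.endswith("." + d) for d in cfg.relay_domains)


def single(name: str, s: Session, cfg: Config) -> str:
    """One restriction; DUNNO means no match, go on to the next one."""
    if name in ("permit", "reject", "defer"):
        return name.upper()
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(s.client_ip)
        nets = [ipaddress.ip_network(n, strict=False) for n in cfg.mynetworks]
        return PERMIT if any(ip in n for n in nets) else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if s.sasl_username else DUNNO
    if name == "permit_auth_destination":
        return PERMIT if is_auth_destination(s.recipient, cfg) else DUNNO
    if name == "reject_unauth_destination":
        return DUNNO if is_auth_destination(s.recipient, cfg) else REJECT
    raise ValueError("restriction not modelled here: " + name)


def evaluate(restrictions: list, s: Session, cfg: Config) -> str:
    """First matching restriction wins; falling off the end is an implicit
    PERMIT, which is what turns a list without a rejecting restriction
    into an open relay."""
    for i, name in enumerate(restrictions):
        rest = restrictions[i + 1:]
        if name in ("defer_if_permit", "defer_if_reject"):
            later = evaluate(rest, s, cfg)   # what the remainder would decide
            trigger = PERMIT if name == "defer_if_permit" else REJECT
            return DEFER if later == trigger else later
        if name == "warn_if_reject":
            if not rest:
                break
            result = single(rest[0], s, cfg)
            if result == REJECT:             # log it instead of rejecting
                s.warnings.append("reject_warning: " + rest[0])
                result = DUNNO
            return result if result != DUNNO else evaluate(rest[1:], s, cfg)
        result = single(name, s, cfg)
        if result != DUNNO:
            return result
    return PERMIT


def lint_recipient_restrictions(restrictions: list) -> list:
    """Problems an operator would want flagged before reloading Postfix."""
    problems = []
    if not REQUIRED_ONE_OF & set(restrictions):
        problems.append("no reject, defer, defer_if_permit or "
                        "reject_unauth_destination: Postfix refuses this list")
    for i, name in enumerate(restrictions):
        if name == "permit" and REQUIRED_ONE_OF & set(restrictions[i + 1:]):
            problems.append("unconditional permit at position %d shadows the "
                            "later restrictions (first match wins)" % (i + 1))
    return problems


# Constructed configuration and restriction lists for the demonstration.
CFG = Config(mynetworks=["127.0.0.0/8", "192.0.2.0/24"],
             mydestination={"example.com"}, relay_domains={"partner.example"})
SAFE = ["permit_mynetworks", "permit_sasl_authenticated",
        "reject_unauth_destination"]
OPEN = ["permit_mynetworks", "permit_sasl_authenticated"]  # nothing rejects
```

       With a relay attempt from an outside client, evaluate(SAFE, ...) returns
       REJECT while evaluate(OPEN, ...) returns PERMIT, and
       lint_recipient_restrictions(OPEN) reports the missing restriction.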
6920
smtpd_reject_unlisted_recipient
       Request that the Postfix SMTP server rejects mail for unknown recipient
       addresses, even when no explicit reject_unlisted_recipient access
       restriction is specified. This prevents the Postfix queue from filling
       up with undeliverable MAILER-DAEMON messages. A recipient address is
       rejected as unknown when:

              · The recipient domain matches $mydestination, $inet_interfaces or
                $proxy_interfaces, but the recipient is not listed in
                $local_recipient_maps, and $local_recipient_maps is not null.

              · The recipient domain matches $virtual_alias_domains but the
                recipient is not listed in $virtual_alias_maps.

              · The recipient domain matches $virtual_mailbox_domains but the
                recipient is not listed in $virtual_mailbox_maps, and
                $virtual_mailbox_maps is not null.

              · The recipient domain matches $relay_domains but the recipient is
                not listed in $relay_recipient_maps, and $relay_recipient_maps
                is not null.

       This feature is available in Postfix 2.1 and later.

smtpd_reject_unlisted_sender
       Request that the Postfix SMTP server rejects mail from unknown sender
       addresses, even when no explicit reject_unlisted_sender access restriction
       is specified. This can slow down an explosion of forged mail from
       worms or viruses. A sender address is rejected as unknown when:

              · The sender domain matches $mydestination, $inet_interfaces or
                $proxy_interfaces, but the sender is not listed in
                $local_recipient_maps, and $local_recipient_maps is not null.

              · The sender domain matches $virtual_alias_domains but the sender
                is not listed in $virtual_alias_maps.

              · The sender domain matches $virtual_mailbox_domains but the
                sender is not listed in $virtual_mailbox_maps, and
                $virtual_mailbox_maps is not null.

              · The sender domain matches $relay_domains but the sender is not
                listed in $relay_recipient_maps, and $relay_recipient_maps is
                not null.

       This feature is available in Postfix 2.1 and later.

smtpd_restriction_classes
       User-defined aliases for groups of access restrictions. The aliases can
       be specified in smtpd_recipient_restrictions etc., and on the right-hand
       side of a Postfix access(5) table.

       One major application is for implementing per-recipient UCE control.
       See the RESTRICTION_CLASS_README document for other examples.

smtpd_sasl_application_name
       The application name that the Postfix SMTP server uses for SASL server
       initialization. This controls the name of the SASL configuration file.
       The default value is smtpd, corresponding to a SASL configuration file
       named smtpd.conf.

       This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
       was renamed to smtpd_sasl_path.

smtpd_sasl_auth_enable
       Enable SASL authentication in the Postfix SMTP server. By default, the
       Postfix SMTP server does not use authentication.

       If a remote SMTP client is authenticated, the permit_sasl_authenticated
       access restriction can be used to permit relay access, like this:

           smtpd_recipient_restrictions =
               permit_mynetworks, permit_sasl_authenticated, ...

       To reject all SMTP connections from unauthenticated clients, specify
       "smtpd_delay_reject = yes" (which is the default) and use:

           smtpd_client_restrictions = permit_sasl_authenticated, reject

       See the SASL_README file for SASL configuration and operation details.

smtpd_sasl_authenticated_header
       Report the SASL authenticated user name in the smtpd(8) Received message
       header.

       This feature is available in Postfix 2.3 and later.

smtpd_sasl_exceptions_networks
       What remote SMTP clients the Postfix SMTP server will not offer AUTH
       support to.

       Some clients (Netscape 4 at least) have a bug that causes them to
       require a login and password whenever AUTH is offered, whether it's
       necessary or not. To work around this, specify, for example, $mynetworks
       to prevent Postfix from offering AUTH to local clients.

       Specify a list of network/netmask patterns, separated by commas and/or
       whitespace. The mask specifies the number of bits in the network part
       of a host address. You can also specify "/file/name" or "type:table"
       patterns. A "/file/name" pattern is replaced by its contents; a
       "type:table" lookup table is matched when a table entry matches a lookup
       string (the lookup result is ignored). Continue long lines by starting
       the next line with whitespace. Specify "!pattern" to exclude an address
       or network block from the list. The form "!/file/name" is supported only
       in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in
       the smtpd_sasl_exceptions_networks value, and in files specified with
       "/file/name". IP version 6 addresses contain the ":" character, and
       would otherwise be confused with a "type:table" pattern.

       Example:

       smtpd_sasl_exceptions_networks = $mynetworks

       This feature is available in Postfix 2.1 and later.
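
       An added example (not Postfix code) that applies the pattern-list rules
       just described: CIDR and single-host patterns, IPv6 inside [],
       "!pattern" exclusion, "/file/name" inclusion and "type:table" lookups.
       Tables are modelled as in-memory dicts; the table name, the file
       contents and the client addresses are constructed.

```python
"""Matcher for Postfix network/netmask pattern lists like
smtpd_sasl_exceptions_networks or $mynetworks (added example, not Postfix
code): CIDR and single-host patterns, IPv6 inside [], "!pattern" exclusion,
"/file/name" inclusion and "type:table" lookups (tables are modelled as
dicts). The first pattern that matches decides, as in Postfix match lists."""
import ipaddress
import os
import re
import tempfile


def split_patterns(value: str) -> list:
    """Patterns are separated by commas and/or whitespace."""
    return [p for p in re.split(r"[,\s]+", value) if p]


def expand_files(patterns: list) -> list:
    """Replace each "/file/name" pattern by the file's contents; the
    "!/file/name" form (Postfix 2.4+) negates every pattern read from it."""
    out = []
    for p in patterns:
        negated = p.startswith("!")
        body = p[1:] if negated else p
        if body.startswith("/"):
            with open(body) as fh:
                out.extend(("!" if negated else "") + q
                           for q in split_patterns(fh.read()))
        else:
            out.append(p)
    return out


def matches(client_ip: str, patterns: list, tables: dict) -> bool:
    """True when client_ip is in the list. A "!pattern" that matches ends
    the scan with False; an IPv6 pattern must be written inside [] because
    a bare ':' marks a "type:table" pattern."""
    ip = ipaddress.ip_address(client_ip)
    for p in patterns:
        negated = p.startswith("!")
        body = p[1:] if negated else p
        if body.startswith("["):                  # [v6addr]/mask or [v6addr]
            addr, _, mask = body[1:].partition("]")
            net = ipaddress.ip_network(addr + mask, strict=False)
            hit = ip.version == 6 and ip in net
        elif ":" in body:                         # type:table lookup
            if body not in tables:
                raise ValueError("unknown lookup table " + body)
            hit = client_ip in tables[body]       # lookup result is ignored
        else:                                     # IPv4 host or network
            net = ipaddress.ip_network(body, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negated
    return False


def demo() -> dict:
    """Constructed list: one excluded host, an included file, loopback v6
    and a hash: table. Returns the verdict per sample client address."""
    with tempfile.NamedTemporaryFile("w", suffix=".cidr", delete=False) as fh:
        fh.write("192.0.2.0/24\n[2001:db8:1::]/48\n")   # constructed contents
        path = fh.name
    try:
        value = "!192.0.2.99, %s, [::1]/128, hash:/etc/postfix/sasl_exc" % path
        patterns = expand_files(split_patterns(value))
        tables = {"hash:/etc/postfix/sasl_exc": {"198.51.100.7": "OK"}}
        return {ip: matches(ip, patterns, tables) for ip in
                ["192.0.2.10", "192.0.2.99", "2001:db8:1::25", "::1",
                 "198.51.100.7", "203.0.113.4"]}
    finally:
        os.unlink(path)
```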
7036
smtpd_sasl_local_domain
       The name of the Postfix SMTP server's local SASL authentication realm.

       By default, the local authentication realm name is the null string.

       Examples:

       smtpd_sasl_local_domain = $mydomain
       smtpd_sasl_local_domain = $myhostname

7048 Implementation-specific information that the Postfix SMTP server passes
7049 through to the SASL plug-in implementation that is selected with
7050 smtpd_sasl_type. Typically this specifies the name of a configuration
7051 file or rendezvous point.
7052
7053 This feature is available in Postfix 2.3 and later. In earlier releases
7054 it was called smtpd_sasl_application_name.
7055
7057 Postfix SMTP server SASL security options; as of Postfix 2.3 the list
7058 of available features depends on the SASL server implementation that is
7059 selected with smtpd_sasl_type.
7060
7061 The following security features are defined for the cyrus server SASL
7062 implementation:
7063
7064 Restrict what authentication mechanisms the Postfix SMTP server will
7065 offer to the client. The list of available authentication mechanisms
7066 is system dependent.
7067
7068 Specify zero or more of the following:
7069
7070 noplaintext
7071 Disallow methods that use plaintext passwords.
7072
7073 noactive
7074 Disallow methods subject to active (non-dictionary) attack.
7075
7076 nodictionary
7077 Disallow methods subject to passive (dictionary) attack.
7078
7079 noanonymous
7080 Disallow methods that allow anonymous authentication.
7081
7082 forward_secrecy
7083 Only allow methods that support forward secrecy (Dovecot only).
7084
7085 mutual_auth
7086 Only allow methods that provide mutual authentication (not
7087 available with Cyrus SASL version 1).
7088
7089 By default, the Postfix SMTP server accepts plaintext passwords but not
7090 anonymous logins.
7091
7092 Warning: it appears that clients try authentication methods in the
7093 order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
7094 which means that if you disable plaintext passwords, clients will log
7095 in anonymously, even when they should be able to use CRAM-MD5. So, if
7096 you disable plaintext logins, disable anonymous logins too. Postfix
7097 treats anonymous login as no authentication.
7098
7099 Example:
7100
7101 smtpd_sasl_security_options = noanonymous, noplaintext
7102
7104 The SASL authentication security options that the Postfix SMTP server
7105 uses for TLS encrypted SMTP sessions.
7106
7107 This feature is available in Postfix 2.2 and later.
7108
7110 The SASL plug-in type that the Postfix SMTP server should use for
7111 authentication. The available types are listed with the "postconf -a"
7112 command.
7113
7114 This feature is available in Postfix 2.3 and later.
7115
7117 Optional lookup table with the SASL login names that own sender (MAIL
7118 FROM) addresses.
7119
7120 Specify zero or more "type:table" lookup tables. With lookups from
7121 indexed files such as DB or DBM, or from networked tables such as NIS,
7122 LDAP or SQL, the following search operations are done with a sender
7123 address of user@domain:
7124
7125 1) user@domain
7126 This table lookup is always done and has the highest precedence.
7127
7128 2) user
7129 This table lookup is done only when the domain part of the
7130 sender address matches $myorigin, $mydestination, $inet_inter‐
7131 faces or $proxy_interfaces.
7132
7133 3) @domain
7134 This table lookup is done last and has the lowest precedence.
7135
7136 In all cases the result of table lookup must be either "not found" or a
7137 list of SASL login names separated by comma and/or whitespace.
7138
7140 Optional restrictions that the Postfix SMTP server applies in the con‐
7141 text of the MAIL FROM command. See SMTPD_ACCESS_README, section
7142 "Delayed evaluation of SMTP access restriction lists" for a discussion
7143 of evaluation context and time.
7144
7145 The default is to permit everything.
7146
7147 Specify a list of restrictions, separated by commas and/or whitespace.
7148 Continue long lines by starting the next line with whitespace.
7149 Restrictions are applied in the order as specified; the first restric‐
7150 tion that matches wins.
7151
7152 The following restrictions are specific to the sender address received
7153 with the MAIL FROM command.
7154
7155 check_sender_access type:table
7156 Search the specified access(5) database for the MAIL FROM
7157 address, domain, parent domains, or localpart@, and execute the
7158 corresponding action.
7159
7160 check_sender_mx_access type:table
7161 Search the specified access(5) database for the MX hosts for the
7162 MAIL FROM address, and execute the corresponding action. Note:
7163 a result of "OK" is not allowed for safety reasons. Instead, use
7164 DUNNO in order to exclude specific hosts from blacklists. This
7165 feature is available in Postfix 2.1 and later.
7166
7167 check_sender_ns_access type:table
7168 Search the specified access(5) database for the DNS servers for
7169 the MAIL FROM address, and execute the corresponding action.
7170 Note: a result of "OK" is not allowed for safety reasons.
7171 Instead, use DUNNO in order to exclude specific hosts from
7172 blacklists. This feature is available in Postfix 2.1 and later.
7173
7174 reject_authenticated_sender_login_mismatch
7175 Enforces the reject_sender_login_mismatch restriction for
7176 authenticated clients only. This feature is available in Postfix
7177 version 2.1 and later.
7178
7179 reject_non_fqdn_sender
7180 Reject the request when the MAIL FROM address is not in fully-
7181 qualified domain form, as required by the RFC.
7182 The non_fqdn_reject_code parameter specifies the response code
7183 for rejected requests (default: 504).
7184
7185 reject_rhsbl_sender rbl_domain=d.d.d.d
7186 Reject the request when the MAIL FROM domain is listed with the
7187 A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
7188 later only). If no "=d.d.d.d" is specified, reject the request
7189 when the MAIL FROM domain is listed with any A record under
7190 rbl_domain.
7191 The maps_rbl_reject_code parameter specifies the response code
7192 for rejected requests (default: 554); the default_rbl_reply
7193 parameter specifies the default server reply; and the
7194 rbl_reply_maps parameter specifies tables with server replies
7195 indexed by rbl_domain. This feature is available in Postfix 2.0
7196 and later.
7197
7198 reject_sender_login_mismatch
7199 Reject the request when $smtpd_sender_login_maps specifies an
7200 owner for the MAIL FROM address, but the client is not (SASL)
7201 logged in as that MAIL FROM address owner; or when the client is
7202 (SASL) logged in, but the client login name doesn't own the MAIL
7203 FROM address according to $smtpd_sender_login_maps.
7204
7205 reject_unauthenticated_sender_login_mismatch
7206 Enforces the reject_sender_login_mismatch restriction for unau‐
7207 thenticated clients only. This feature is available in Postfix
7208 version 2.1 and later.
7209
7210 reject_unknown_sender_domain
7211 Reject the request when Postfix is not final destination for the
7212 sender address, and the MAIL FROM address has no DNS A or MX
7213 record, or when it has a malformed MX record such as a record
7214 with a zero-length MX hostname (Postfix version 2.3 and later).
7215 The unknown_address_reject_code parameter specifies the numeri‐
7216 cal response code for rejected requests (default: 450). The
7217 response is always 450 in case of a temporary DNS error.
7218 The unknown_address_tempfail_action parameter specifies the
7219 action after a temporary DNS error (default: defer_if_permit).
7220
7221 reject_unlisted_sender
7222 Reject the request when the MAIL FROM address is not listed in
7223 the list of valid recipients for its domain class. See the
7224 smtpd_reject_unlisted_sender parameter description for details.
7225 This feature is available in Postfix 2.1 and later.
7226
7227 reject_unverified_sender
7228 Reject the request when mail to the MAIL FROM address is known
7229 to bounce, or when the sender address destination is not reach‐
7230 able. Address verification information is managed by the ver‐
7231 ify(8) server; see the ADDRESS_VERIFICATION_README file for
7232 details.
7233 The unverified_sender_reject_code parameter specifies the numer‐
7234 ical response code when an address is known to bounce (default:
7235 450, change into 550 when you are confident that it is safe to
7236 do so).
7237 The unverified_sender_defer_code parameter specifies the numerical
7238 response code when an address probe failed due to a temporary
7239 problem (default: 450).
7240 The unverified_sender_tempfail_action parameter specifies the
7241 action after address probe failure due to a temporary problem
7242 (default: defer_if_permit).
7243 This feature is available in Postfix 2.1 and later.
7244
7245 Other restrictions that are valid in this context:
7246
7247 · Generic restrictions that can be used in any SMTP command con‐
7248 text, described under smtpd_client_restrictions.
7249
7250 · SMTP command specific restrictions described under
7251 smtpd_client_restrictions and smtpd_helo_restrictions.
7252
7253 · SMTP command specific restrictions described under smtpd_recipi‐
7254 ent_restrictions. When recipient restrictions are listed under
7255 smtpd_sender_restrictions, they have effect only with
7256 "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions
7257 is evaluated at the time of the RCPT TO command.
7258
7259 Examples:
7260
7261 smtpd_sender_restrictions = reject_unknown_sender_domain
7262 smtpd_sender_restrictions = reject_unknown_sender_domain,
7263 check_sender_access hash:/etc/postfix/access
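
The smtpd_sender_login_maps lookup order (user@domain, then user for local domains, then @domain) and the three *_sender_login_mismatch restrictions built on it are easiest to check against concrete addresses. The following Python is an added example, not Postfix code: SENDER_LOGIN_MAP is a constructed stand-in for a "type:table", LOCAL_DOMAINS stands in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces, and a sasl_login of None represents a client that did not authenticate.

```python
# Constructed stand-in for an smtpd_sender_login_maps "type:table"; values are
# the comma/whitespace separated SASL login names that own the key.
SENDER_LOGIN_MAP = {
    "alice@example.com": "alice",
    "bob": "bob, bob-alias",           # bare localpart key
    "@example.com": "postmaster",      # catch-all for the whole domain
    "@partner.example": "relay-partner",
}

# Domains that count as $myorigin, $mydestination, $inet_interfaces or
# $proxy_interfaces for the bare "user" lookup (constructed for this example).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}


def lookup_sender_owners(sender, table=SENDER_LOGIN_MAP, local=LOCAL_DOMAINS):
    """Return the set of SASL logins owning `sender`, or None for "not found".

    Lookup order from the manual: 1) user@domain, 2) user (only when the
    domain is local), 3) @domain.  The first hit wins.
    """
    user, _, domain = sender.partition("@")
    keys = [sender]
    if domain in local:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return set(table[key].replace(",", " ").split())
    return None


def sender_login_mismatch(sender, sasl_login, table=SENDER_LOGIN_MAP, local=LOCAL_DOMAINS):
    """reject_sender_login_mismatch: True means the MAIL FROM is rejected.

    sasl_login is None for a client that is not SASL-authenticated.
    """
    owners = lookup_sender_owners(sender, table, local)
    if sasl_login is None:
        # The address has an owner, but nobody is logged in as that owner.
        return owners is not None
    # Logged in, but the login does not own the address (or nothing owns it).
    return owners is None or sasl_login not in owners


def authenticated_sender_login_mismatch(sender, sasl_login, **kw):
    """reject_authenticated_sender_login_mismatch: same check, authenticated clients only."""
    return sasl_login is not None and sender_login_mismatch(sender, sasl_login, **kw)


def unauthenticated_sender_login_mismatch(sender, sasl_login, **kw):
    """reject_unauthenticated_sender_login_mismatch: same check, unauthenticated clients only."""
    return sasl_login is None and sender_login_mismatch(sender, sasl_login, **kw)
```

Two cases are worth noting: an authenticated "bob" sending as bob@other.example is rejected because no table entry owns that address, and an unauthenticated client sending as bob@other.example is not, because reject_sender_login_mismatch only acts on addresses that have an owner.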
7264
7266 The number of errors a remote SMTP client is allowed to make without
7267 delivering mail before the Postfix SMTP server slows down all its
7268 responses.
7269
7270 · With Postfix version 2.1 and later, the Postfix SMTP server
7271 delays all responses by $smtpd_error_sleep_time seconds.
7272
7273 · With Postfix versions 2.0 and earlier, the Postfix SMTP server
7274 delays all responses by (number of errors) seconds.
7275
7277 The time limit for Postfix SMTP server write and read operations during
7278 TLS startup and shutdown handshake procedures.
7279
7280 This feature is available in Postfix 2.2 and later.
7281
7283 The time limit for sending a Postfix SMTP server response and for
7284 receiving a remote SMTP client request. Normally the default limit is
7285 300s, but it changes under overload to just 10s with Postfix 2.6 and
7286 later.
7287
7288 Note: if you set SMTP time limits to very large values you may have to
7289 update the global ipc_timeout parameter.
7290
7291 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
7292 The default time unit is s (seconds).
7293
7295 A file containing (PEM format) CA certificates of root CAs trusted to
7296 sign either remote SMTP client certificates or intermediate CA certifi‐
7297 cates. These are loaded into memory before the smtpd(8) server enters
7298 the chroot jail. If the number of trusted roots is large, consider
7299 using smtpd_tls_CApath instead, but note that the latter directory must
7300 be present in the chroot jail if the smtpd(8) server is chrooted. This
7301 file may also be used to augment the server certificate trust chain,
7302 but it is best to include all the required certificates directly in the
7303 server certificate file.
7304
7305 By default (see smtpd_tls_ask_ccert), client certificates are not
7306 requested, and smtpd_tls_CAfile should remain empty. If you do make use
7307 of client certificates, the distinguished names (DNs) of the certifi‐
7308 cate authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
7309 client in the client certificate request message. MUAs with multiple
7310 client certificates may use the list of preferred certificate authori‐
7311 ties to select the correct client certificate. You may want to put
7312 your "preferred" CA or CAs in this file, and install other trusted CAs
7313 in $smtpd_tls_CApath.
7314
7315 Example:
7316
7317 smtpd_tls_CAfile = /etc/postfix/CAcert.pem
7318
7319 This feature is available in Postfix 2.2 and later.
7320
7322 A directory containing (PEM format) CA certificates of root CAs trusted
7323 to sign either remote SMTP client certificates or intermediate CA cer‐
7324 tificates. Do not forget to create the necessary "hash" links with, for
7325 example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
7326 smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
7327 inside the chroot jail.
7328
7329 By default (see smtpd_tls_ask_ccert), client certificates are not
7330 requested, and smtpd_tls_CApath should remain empty. In contrast to
7331 smtpd_tls_CAfile, DNs of certificate authorities installed in
7332 $smtpd_tls_CApath are not included in the client certificate request
7333 message. MUAs with multiple client certificates may use the list of
7334 preferred certificate authorities to select the correct client
7335 certificate. You may want to put your "preferred" CA or CAs in
7336 $smtpd_tls_CAfile, and install the remaining trusted CAs in
7337 $smtpd_tls_CApath.
7338
7339 Example:
7340
7341 smtpd_tls_CApath = /etc/postfix/certs
7342
7343 This feature is available in Postfix 2.2 and later.
7344
7346 Force the Postfix SMTP server to issue a TLS session id, even when TLS
7347 session caching is turned off (smtpd_tls_session_cache_database is
7348 empty). This behavior is compatible with Postfix < 2.3.
7349
7350 With Postfix 2.3 and later the Postfix SMTP server can disable session
7351 id generation when TLS session caching is turned off. This keeps
7352 clients from caching sessions that almost certainly cannot be re-used.
7353
7354 By default, the Postfix SMTP server always generates TLS session ids.
7355 This works around a known defect in mail client applications such as MS
7356 Outlook, and may also prevent interoperability issues with other MTAs.
7357
7358 Example:
7359
7360 smtpd_tls_always_issue_session_ids = no
7361
7362 This feature is available in Postfix 2.3 and later.
7363
7365 Ask a remote SMTP client for a client certificate. This information is
7366 needed for certificate based mail relaying with, for example, the per‐
7367 mit_tls_clientcerts feature.
7368
7369 Some clients such as Netscape will either complain if no certificate is
7370 available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
7371 tiple client certificates to choose from. This may be annoying, so this
7372 option is "off" by default.
7373
7374 This feature is available in Postfix 2.2 and later.
7375
7377 When TLS encryption is optional in the Postfix SMTP server, do not
7378 announce or accept SASL authentication over unencrypted connections.
7379
7380 This feature is available in Postfix 2.2 and later.
7381
7383 The verification depth for remote SMTP client certificates. A depth of
7384 1 is sufficient if the issuing CA is listed in a local CA file.
7385
7386 The default verification depth is 9 (the OpenSSL default) for compati‐
7387 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
7388 value was 5, but the limit was not actually enforced. If you have set
7389 this to a lower non-default value, certificates with longer trust
7390 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
7391 common; deeper chains are rarer, and any number between 5 and 9
7392 should suffice in practice. You can choose a lower number if, for exam‐
7393 ple, you trust certificates directly signed by an issuing CA but not
7394 any CAs it delegates to.
7395
7396 This feature is available in Postfix 2.2 and later.
7397
7399 File with the Postfix SMTP server RSA certificate in PEM format. This
7400 file may also contain the Postfix SMTP server private RSA key.
7401
7402 Public Internet MX hosts without certificates signed by a "reputable"
7403 CA must generate, and be prepared to present to most clients, a self-
7404 signed or private-CA signed certificate. The client will not be able to
7405 authenticate the server, but unless it is running Postfix 2.3 or simi‐
7406 lar software, it will still insist on a server certificate.
7407
7408 For servers that are not public Internet MX hosts, Postfix 2.3 supports
7409 configurations with no certificates. This entails the use of just the
7410 anonymous TLS ciphers, which are not supported by typical SMTP clients.
7411 Since such clients will not, as a rule, fall back to plain text after a
7412 TLS handshake failure, the server will be unable to receive email from
7413 TLS enabled clients. To avoid accidental configurations with no cer‐
7414 tificates, Postfix 2.3 enables certificate-less operation only when the
7415 administrator explicitly sets "smtpd_tls_cert_file = none". This
7416 ensures that new Postfix configurations will not accidentally run with
7417 no certificates.
7418
7419 Both RSA and DSA certificates are supported. When both types are
7420 present, the cipher used determines which certificate will be presented
7421 to the client. For Netscape and OpenSSL clients without special cipher
7422 choices the RSA certificate is preferred.
7423
7424 To enable a remote SMTP client to verify the Postfix SMTP server cer‐
7425 tificate, the issuing CA certificates must be made available to the
7426 client. You should include the required certificates in the server cer‐
7427 tificate file, the server certificate first, then the issuing CA(s)
7428 (bottom-up order).
7429
7430 Example: the certificate for "server.example.com" was issued by "inter‐
7431 mediate CA" which itself has a certificate of "root CA". Create the
7432 server.pem file with "cat server_cert.pem intermediate_CA.pem
7433 root_CA.pem > server.pem".
7434
7435 If you also want to verify client certificates issued by these CAs, you
7436 can add the CA certificates to the smtpd_tls_CAfile, in which case it
7437 is not necessary to have them in the smtpd_tls_cert_file or
7438 smtpd_tls_dcert_file.
7439
7440 A certificate supplied here must be usable as an SSL server certificate
7441 and hence pass the "openssl verify -purpose sslserver ..." test.
7442
7443 Example:
7444
7445 smtpd_tls_cert_file = /etc/postfix/server.pem
7446
7447 This feature is available in Postfix 2.2 and later.
7448
7450 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
7451 list. It is easy to create inter-operability problems by choosing a
7452 non-default cipher list. Do not use a non-default TLS cipherlist for MX
7453 hosts on the public Internet. Clients that begin the TLS handshake, but
7454 are unable to agree on a common cipher, may not be able to send any
7455 email to the SMTP server. Using a restricted cipher list may be more
7456 appropriate for a dedicated MSA or an internal mailhub, where one can
7457 exert some control over the TLS software and settings of the connecting
7458 clients.
7459
7460 Note: do not use "" quotes around the parameter value.
7461
7462 This feature is available with Postfix version 2.2. It is not used with
7463 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
7464
7466 The minimum TLS cipher grade that the Postfix SMTP server will use with
7467 opportunistic TLS encryption. Cipher types listed in
7468 smtpd_tls_exclude_ciphers are excluded from the base definition of the
7469 selected cipher grade. The default value "export" ensures maximum
7470 inter-operability. Because encryption is optional, stronger controls
7471 are not appropriate, and this setting SHOULD NOT be changed unless the
7472 change is essential.
7473
7474 When TLS is mandatory the cipher grade is chosen via the
7475 smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
7476 tax details.
7477
7478 Example:
7479 smtpd_tls_ciphers = export
7480
7481 This feature is available in Postfix 2.6 and later. With earlier Post‐
7482 fix releases only the smtpd_tls_mandatory_ciphers parameter is imple‐
7483 mented, and opportunistic TLS always uses "export" or better (i.e. all)
7484 ciphers.
7485
7487 File with the Postfix SMTP server DSA certificate in PEM format. This
7488 file may also contain the Postfix SMTP server private DSA key.
7489
7490 See the discussion under smtpd_tls_cert_file for more details.
7491
7492 Example:
7493
7494 smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
7495
7496 This feature is available in Postfix 2.2 and later.
7497
7499 File with DH parameters that the Postfix SMTP server should use with
7500 EDH ciphers.
7501
7502 Instead of using the exact same parameter sets as distributed with
7503 other TLS packages, it is more secure to generate your own set of
7504 parameters with something like the following command:
7505
7506 openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
7507
7508 Your actual source for entropy may differ. Some systems have /dev/random;
7509 on other systems you may consider using the "Entropy Gathering Daemon
7510 EGD", available at http://egd.sourceforge.net/
7511
7512 Example:
7513
7514 smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
7515
7516 This feature is available with Postfix version 2.2.
7517
7519 File with DH parameters that the Postfix SMTP server should use with
7520 EDH ciphers.
7521
7522 See also the discussion under the smtpd_tls_dh1024_param_file configu‐
7523 ration parameter.
7524
7525 Example:
7526
7527 smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
7528
7529 This feature is available with Postfix version 2.2.
7530
7532 File with the Postfix SMTP server DSA private key in PEM format. This
7533 file may be combined with the Postfix SMTP server DSA certificate file
7534 specified with $smtpd_tls_dcert_file.
7535
7536 The private key must be accessible without a pass-phrase, i.e. it must
7537 not be encrypted. File permissions should grant read-only access to the
7538 system superuser account ("root"), and no access to anyone else.
7539
7540 This feature is available in Postfix 2.2 and later.
7541
7543 File with the Postfix SMTP server ECDSA certificate in PEM format.
7544 This file may also contain the Postfix SMTP server private ECDSA key.
7545
7546 See the discussion under smtpd_tls_cert_file for more details.
7547
7548 Example:
7549
7550 smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
7551
7552 This feature is available in Postfix 2.6 and later, when Postfix is
7553 compiled and linked with OpenSSL 0.9.9 or later.
7554
7556 File with the Postfix SMTP server ECDSA private key in PEM format.
7557 This file may be combined with the Postfix SMTP server ECDSA certifi‐
7558 cate file specified with $smtpd_tls_eccert_file.
7559
7560 The private key must be accessible without a pass-phrase, i.e. it must
7561 not be encrypted. File permissions should grant read-only access to the
7562 system superuser account ("root"), and no access to anyone else.
7563
7564 This feature is available in Postfix 2.6 and later, when Postfix is
7565 compiled and linked with OpenSSL 0.9.9 or later.
7566
7568 The Postfix SMTP server security grade for ephemeral elliptic-curve
7569 Diffie-Hellman (EECDH) key exchange.
7570
7571 The available choices are:
7572
7573 none Don't use EECDH. Ciphers based on EECDH key exchange will be
7574 disabled. This is the default in official Postfix releases
7575 (mail_version = major.minor.patchlevel).
7576
7577 strong Use EECDH with approximately 128 bits of security at a reason‐
7578 able computational cost. This is the current best-practice
7579 trade-off between security and computational efficiency. This is
7580 the default in Postfix snapshot releases (mail_version =
7581 major.minor-releasedate).
7582
7583 ultra Use EECDH with approximately 192 bits of security at computa‐
7584 tional cost that is approximately twice as high as 128 bit
7585 strength ECC. Barring significant progress in attacks on ellip‐
7586 tic curve crypto-systems, the "strong" curve is sufficient for
7587 most users.
7588
7589 This feature is available in Postfix 2.6 and later, when it is compiled
7590 and linked with OpenSSL 0.9.9 or later.
7591
7593 List of ciphers or cipher types to exclude from the SMTP server cipher
7594 list at all TLS security levels. Excluding valid ciphers can create
7595 interoperability problems. DO NOT exclude ciphers unless it is essen‐
7596 tial to do so. This is not an OpenSSL cipherlist; it is a simple list
7597 separated by whitespace and/or commas. The elements are a single
7598 cipher, or one or more "+" separated cipher properties, in which case
7599 only ciphers matching all the properties are excluded.
7600
7601 Examples (some of these will cause problems):
7602
7603 smtpd_tls_exclude_ciphers = aNULL
7604 smtpd_tls_exclude_ciphers = MD5, DES
7605 smtpd_tls_exclude_ciphers = DES+MD5
7606 smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7607 smtpd_tls_exclude_ciphers = kEDH+aRSA
7608
7609 The first setting disables anonymous ciphers. The next setting disables
7610 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
7611 tion algorithm. The next setting disables ciphers that use MD5 and DES
7612 together. The next setting disables the two ciphers "AES256-SHA" and
7613 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
7614 exchange with RSA authentication.
7615
7616 This feature is available in Postfix 2.3 and later.
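
The exclusion syntax (a plain list, not an OpenSSL cipherlist, where each element is either one cipher name or several "+"-joined properties that must all match) is shown below applied to the five settings from the examples. This is an added Python example, not Postfix code. The CIPHERS catalogue is constructed: the cipher names are OpenSSL's, but the property sets are abbreviated to what the example needs; a real server would derive them from "openssl ciphers -v".

```python
# Constructed, abbreviated cipher catalogue: OpenSSL cipher name -> the
# OpenSSL-style properties it has (key exchange, authentication, cipher, MAC).
CIPHERS = {
    "AES256-SHA":         {"kRSA", "aRSA", "AES", "SHA1"},
    "DES-CBC3-SHA":       {"kRSA", "aRSA", "3DES", "SHA1"},
    "DES-CBC3-MD5":       {"kRSA", "aRSA", "3DES", "MD5"},
    "DES-CBC-SHA":        {"kRSA", "aRSA", "DES", "SHA1"},
    "DES-CBC-MD5":        {"kRSA", "aRSA", "DES", "MD5"},
    "RC4-MD5":            {"kRSA", "aRSA", "RC4", "MD5"},
    "DHE-RSA-AES128-SHA": {"kEDH", "aRSA", "AES", "SHA1"},
    "DHE-DSS-AES128-SHA": {"kEDH", "aDSS", "AES", "SHA1"},
    "ADH-AES128-SHA":     {"kEDH", "aNULL", "AES", "SHA1"},
    "AECDH-AES128-SHA":   {"kEECDH", "aNULL", "AES", "SHA1"},
}


def parse_exclusions(value):
    """smtpd_tls_exclude_ciphers syntax: elements separated by whitespace
    and/or commas; each element is one cipher name or '+'-joined properties."""
    return [frozenset(tok.split("+")) for tok in value.replace(",", " ").split()]


def element_excludes(element, name, props):
    """An element excludes a cipher if it is that cipher's name, or if every
    property it lists is among the cipher's properties."""
    if len(element) == 1 and name in element:
        return True
    return element <= props


def apply_exclusions(value, ciphers=CIPHERS):
    """Ciphers that survive the exclusion list, in catalogue order."""
    elements = parse_exclusions(value)
    return [n for n, p in ciphers.items()
            if not any(element_excludes(e, n, p) for e in elements)]


def excluded_by(value, ciphers=CIPHERS):
    """Ciphers that the exclusion list removes, in catalogue order."""
    kept = set(apply_exclusions(value, ciphers))
    return [n for n in ciphers if n not in kept]
```

The difference between "MD5, DES" and "DES+MD5" is the point to take away: the first removes every cipher with either property (four in this catalogue), the second only the one cipher that has both; note also that 3DES ciphers do not carry the single-DES property, so "DES" leaves DES-CBC3-SHA alone.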
7617
7619 The message digest algorithm used to construct client-certificate fin‐
7620 gerprints for check_ccert_access and permit_tls_clientcerts. The
7621 default algorithm is md5, for backwards compatibility with Postfix
7622 releases prior to 2.5.
7623
7624 The best practice algorithm is now sha1. Recent advances in hash func‐
7625 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
7626 However, as long as there are no known "second pre-image" attacks
7627 against md5, its use in this context can still be considered safe.
7628
7629 While additional digest algorithms are often available with OpenSSL's
7630 libcrypto, only those used by libssl in SSL cipher suites are available
7631 to Postfix. For now this means just md5 or sha1.
7632
7633 To find the fingerprint of a specific certificate file, with a specific
7634 digest algorithm (use "-md5" or "-sha1" in place of "-digest"), run:
7635
7636 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7637
7638 The text to the right of "=" sign is the desired fingerprint. For
7639 example:
7640
7641 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7642 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7643
7644 Example: client-certificate access table, with sha1 fingerprints:
7645
7646 /etc/postfix/main.cf:
7647 smtpd_tls_fingerprint_digest = sha1
7648 smtpd_client_restrictions =
7649 check_ccert_access hash:/etc/postfix/access,
7650 reject
7651 /etc/postfix/access:
7652 # Action folded to next line...
7653 AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
7654 OK
7655 85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
7656 permit_auth_destination
7657
7658 This feature is available in Postfix 2.5 and later.
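
The fingerprint that check_ccert_access looks up is the chosen digest over the certificate's DER encoding, formatted as openssl x509 prints it, and the access table on the other side is read in postmap(1) input format where a line starting with whitespace continues the previous one. The following Python is an added example, not Postfix code, and puts both halves together. FAKE_CLIENT_DER is a constructed stand-in for a certificate (its digests are the well-known ones of the string "abc"), and the access table is constructed from the manual's two example fingerprints plus one for the stand-in.

```python
import hashlib

# The only two digests Postfix 2.5 accepts for smtpd_tls_fingerprint_digest.
DIGESTS = {"md5": hashlib.md5, "sha1": hashlib.sha1}

# Constructed stand-in for a client certificate's DER encoding.  A real
# fingerprint is the digest of the actual DER bytes, which is what
# "openssl x509 -noout -fingerprint -sha1 -in cert.pem" prints.
FAKE_CLIENT_DER = b"abc"

# Constructed access(5) table in postmap(1) input format.  The first two keys
# are the manual's example fingerprints; the third is the SHA-1 fingerprint of
# FAKE_CLIENT_DER.  A line starting with whitespace continues the previous
# logical line (the "action folded to next line" case from the manual).
ACCESS_TABLE_TEXT = """\
# Action folded to next line...
AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
    OK
85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
    permit_auth_destination
A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D  OK
"""


def fingerprint(der, digest="sha1"):
    """Colon-separated upper-case fingerprint in the form openssl x509 prints."""
    if digest not in DIGESTS:
        raise ValueError("smtpd_tls_fingerprint_digest must be md5 or sha1")
    hexdigest = DIGESTS[digest](der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_access_table(text):
    """Parse postmap(1) input: one 'key action' per logical line; a line that
    starts with whitespace continues the previous logical line; lines whose
    first non-blank character is '#' are comments.  Keys are upper-cased so
    they compare equal to fingerprint() output."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    table = {}
    for entry in logical:
        key, _, action = entry.partition(" ")
        table[key.upper()] = action.strip()
    return table


def check_ccert_access(der, table_text=ACCESS_TABLE_TEXT, digest="sha1"):
    """Action for a client certificate, or None when its fingerprint is not
    listed (the restriction is then a no-op and evaluation continues)."""
    return parse_access_table(table_text).get(fingerprint(der, digest))
```

The md5 lookup returning nothing for the same certificate is the practical caveat: a table built with sha1 fingerprints silently stops matching if smtpd_tls_fingerprint_digest is left at its md5 default, so change both together.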
7659
7661 File with the Postfix SMTP server RSA private key in PEM format. This
7662 file may be combined with the Postfix SMTP server RSA certificate file
7663 specified with $smtpd_tls_cert_file.
7664
7665 The private key must be accessible without a pass-phrase, i.e. it must
7666 not be encrypted. File permissions should grant read-only access to the
7667 system superuser account ("root"), and no access to anyone else.
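
The requirements stated for smtpd_tls_key_file, smtpd_tls_dkey_file and smtpd_tls_eckey_file (an unencrypted key, readable by root only) are easy to verify before a restart. The following Python is an added example, not Postfix code: it checks ownership, permission bits and the PEM headers that mark a pass-phrase protected key (the traditional "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" label). The demo() function writes constructed, non-functional key bodies to a temporary directory and uses the current user as the expected owner so that it runs without root; in production call key_file_problems() with the real path and the default expected_uid of 0.

```python
import os
import stat
import tempfile

# PEM headers that mark a pass-phrase protected key: the traditional OpenSSL
# format ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY").
ENCRYPTED_MARKERS = (b"Proc-Type: 4,ENCRYPTED",
                     b"-----BEGIN ENCRYPTED PRIVATE KEY-----")

# Constructed PEM bodies (not real keys); only the headers matter to the check.
PLAIN_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
             b"AAAA\n"
             b"-----END RSA PRIVATE KEY-----\n")
ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"Proc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 b"AAAA\n"
                 b"-----END RSA PRIVATE KEY-----\n")


def key_file_problems(path, expected_uid=0):
    """Check a private key file against the manual's requirements and return
    a list of findings (an empty list means the file passes).

    - regular file (symlinks are reported), owned by expected_uid (root)
    - no group/other permission bits; owner read-only, i.e. mode 0400
    - not pass-phrase protected (smtpd(8) cannot prompt for one)
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if mode & 0o077:
        problems.append("group/other permission bits set (mode %04o)" % mode)
    if mode & 0o200:
        problems.append("owner write bit set; use mode 0400 (mode %04o)" % mode)
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if any(marker in head for marker in ENCRYPTED_MARKERS):
        problems.append("key is pass-phrase protected; smtpd(8) cannot load it")
    return problems


def demo():
    """Write constructed key files with different modes into a temporary
    directory and return what the check reports for each.  The current uid
    is used as the expected owner so this runs without root."""
    me = os.getuid()
    cases = {"good": (PLAIN_KEY, 0o400),
             "loose": (PLAIN_KEY, 0o644),
             "encrypted": (ENCRYPTED_KEY, 0o400)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, (body, mode) in cases.items():
            path = os.path.join(d, label + ".pem")
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
            results[label] = key_file_problems(path, expected_uid=me)
    return results
```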
7668
7670 Enable additional Postfix SMTP server logging of TLS activity. Each
7671 logging level also includes the information that is logged at a lower
7672 logging level.
7673
7674 0 Disable logging of TLS activity.
7675
7676 1 Log TLS handshake and certificate information.
7677
7678 2 Log levels during TLS negotiation.
7679
7680 3 Log hexadecimal and ASCII dump of TLS negotiation process.
7681
7682 4 Also log hexadecimal and ASCII dump of complete transmission
7683 after STARTTLS.
7684
7685 Use "smtpd_tls_loglevel = 3" only in case of problems. Use of loglevel
7686 4 is strongly discouraged.
7687
7688 This feature is available in Postfix 2.2 and later.
7689
7691 The minimum TLS cipher grade that the Postfix SMTP server will use with
7692 mandatory TLS encryption. Cipher types listed in smtpd_tls_manda‐
7693 tory_exclude_ciphers or smtpd_tls_exclude_ciphers are excluded from the
7694 base definition of the selected cipher grade. See smtpd_tls_ciphers for
7695 cipher controls that apply to opportunistic TLS.
7696
7697 The following cipher grades are supported:
7698
7699 export Enable the mainstream "EXPORT" grade or better OpenSSL ciphers.
7700 This is the most appropriate setting for public MX hosts, and is
7701 always used with opportunistic TLS encryption. The underlying
7702 cipherlist is specified via the tls_export_cipherlist configura‐
7703 tion parameter, which you are strongly encouraged to not change.
7704 The default value of tls_export_cipherlist includes anonymous
7705 ciphers, but these are automatically filtered out if the server
7706 is configured to ask for client certificates. If you must always
7707 exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
7708 aNULL". To exclude anonymous ciphers only when TLS is enforced,
7709 set "smtpd_tls_mandatory_exclude_ciphers = aNULL".
7710
7711 low Enable the mainstream "LOW" grade or better OpenSSL ciphers. The
7712 underlying cipherlist is specified via the tls_low_cipherlist
7713 configuration parameter, which you are strongly encouraged to
7714 not change. The default value of tls_low_cipherlist includes
7715 anonymous ciphers, but these are automatically filtered out if
7716 the server is configured to ask for client certificates. If you
7717 must always exclude anonymous ciphers, set
7718 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous
7719 ciphers only when TLS is enforced, set "smtpd_tls_manda‐
7720 tory_exclude_ciphers = aNULL".
7721
7722 medium Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers.
7723 These are essentially the 128-bit or stronger ciphers. This is
7724 the default minimum strength for mandatory TLS encryption. MSAs
7725 that enforce TLS and have clients that do not support any
7726 "MEDIUM" or "HIGH" grade ciphers, may need to configure a weaker
7727 ("low" or "export") minimum cipher grade. The underlying
7728 cipherlist is specified via the tls_medium_cipherlist configura‐
7729 tion parameter, which you are strongly encouraged to not change.
7730 The default value of tls_medium_cipherlist includes anonymous
7731 ciphers, but these are automatically filtered out if the server
7732 is configured to ask for client certificates. If you must always
7733 exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers =
7734 aNULL". To exclude anonymous ciphers only when TLS is enforced,
7735 set "smtpd_tls_mandatory_exclude_ciphers = aNULL".
7736
7737 high Enable only the mainstream "HIGH" grade OpenSSL ciphers. The
7738 underlying cipherlist is specified via the tls_high_cipherlist
7739 configuration parameter, which you are strongly encouraged to
7740 not change. The default value of tls_high_cipherlist includes
7741 anonymous ciphers, but these are automatically filtered out if
7742 the server is configured to ask for client certificates. If you
7743 must always exclude anonymous ciphers, set
7744 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous
7745 ciphers only when TLS is enforced, set "smtpd_tls_manda‐
7746 tory_exclude_ciphers = aNULL".
7747
7748 null Enable only the "NULL" OpenSSL ciphers; these provide
7749 authentication without encryption. This setting is only appropriate in
7750 the rare case that all clients are prepared to use NULL ciphers
7751 (not normally enabled in TLS clients). The underlying cipherlist
7752 is specified via the tls_null_cipherlist configuration parame‐
7753 ter, which you are strongly encouraged to not change. The
7754 default value of tls_null_cipherlist excludes anonymous ciphers
7755 (OpenSSL 0.9.8 has NULL ciphers that offer data integrity with‐
7756 out encryption or authentication).
7757
7758 This feature is available in Postfix 2.3 and later.
7759
7761 Additional list of ciphers or cipher types to exclude from the SMTP
7762 server cipher list at mandatory TLS security levels. This list works in
7763 addition to the exclusions listed with smtpd_tls_exclude_ciphers (see
7764 there for syntax details).
7765
7766 This feature is available in Postfix 2.3 and later.
7767
7769 The SSL/TLS protocols accepted by the Postfix SMTP server with manda‐
7770 tory TLS encryption. If the list is empty, the server supports all
7771 available SSL/TLS protocol versions. A non-empty value is a list of
7772 protocol names separated by whitespace, commas or colons. The supported
7773 protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sen‐
7774 sitive.
7775
7776 With Postfix >= 2.5 the parameter syntax is expanded to support proto‐
7777 col exclusions. One can now explicitly exclude SSLv2 by setting
7778 "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
7779 SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
7780 protocols to include, rather than protocols to exclude, is still sup‐
7781 ported, use the form you find more intuitive.
7782
7783 Since SSL version 2 has known protocol weaknesses and is now depre‐
7784 cated, the default setting excludes "SSLv2". This means that by
7785 default, SSL version 2 will not be used at the "encrypt" security
7786 level.
7787
7788 Example:
7789
7790 smtpd_tls_mandatory_protocols = TLSv1
7791 # Alternative form with Postfix >= 2.5:
7792 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
7793
7794 This feature is available in Postfix 2.3 and later.
7795
7797 List of TLS protocols that the Postfix SMTP server will exclude or
7798 include with opportunistic TLS encryption. This parameter SHOULD be
7799 left at its default empty value, allowing all protocols to be used with
7800 opportunistic TLS.
7801
7802 In main.cf the values are separated by whitespace, commas or colons. An
7803 empty value means allow all protocols. The valid protocol names (see
7804 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1". In
7805 smtp_tls_policy_maps table entries, "protocols" attribute values are
7806 separated by a colon.
7807
7808 To include a protocol, list its name; to exclude it, prefix the name
7809 with a "!" character. To exclude SSLv2 even for opportunistic TLS set
7810 "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
7811 "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the proto‐
7812 cols to include is supported, but not recommended. OpenSSL provides no
7813 mechanisms for excluding protocols not known at compile-time. If Post‐
7814 fix is linked against an OpenSSL library that supports additional pro‐
7815 tocol versions, they cannot be excluded using either syntax.
7816
7817 Example:
7818 smtpd_tls_protocols = !SSLv2
7819
7820 This feature is available in Postfix 2.6 and later.
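
The protocol list syntax described above for smtpd_tls_mandatory_protocols and smtpd_tls_protocols, modelled as an added Python example (not Postfix code): it splits a main.cf value on whitespace, commas or colons, treats a "!" prefix as an exclusion, and shows the caveat that versions the linked OpenSSL supports but Postfix has no name for cannot be excluded; the extra version "TLSv1.1" in the demo is an assumed value, and applying exclusions on top of an include list is an assumption of the model.

```python
import re

# Protocol names this Postfix version knows (from postconf(5); matching is
# case-insensitive). Anything else the linked OpenSSL supports is opaque to
# Postfix and therefore cannot be excluded with either syntax.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")


def parse_protocol_list(value):
    """Split a main.cf protocol list into (includes, excludes).

    Separators are whitespace, commas or colons; a leading "!" marks an
    exclusion (Postfix >= 2.5). Names are returned in canonical spelling.
    Unknown names raise ValueError, as Postfix does not accept them.
    """
    canonical = {name.lower(): name for name in KNOWN_PROTOCOLS}
    includes, excludes = [], []
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue
        name = canonical.get(token.lstrip("!").lower())
        if name is None:
            raise ValueError("unknown protocol name: %r" % token)
        (excludes if token.startswith("!") else includes).append(name)
    return includes, excludes


def enabled_protocols(value, library_protocols=KNOWN_PROTOCOLS):
    """Return the protocol versions a server with this setting would accept.

    library_protocols: the versions the linked OpenSSL library implements,
    in library order. An empty value allows all of them. When both forms
    are mixed, exclusions are assumed to apply on top of the include set
    (an assumption of this model, not documented on the page).
    """
    includes, excludes = parse_protocol_list(value)
    enabled = list(library_protocols)
    if includes:
        # Include form: keep only the named versions, plus any version
        # Postfix has no name for, since the page notes those cannot be
        # excluded using either syntax.
        enabled = [p for p in enabled
                   if p in includes or p not in KNOWN_PROTOCOLS]
    return [p for p in enabled if p not in excludes]


if __name__ == "__main__":
    # Settings taken from the page, evaluated against the three known
    # versions and against an assumed newer library with one extra version.
    for setting in ("", "TLSv1", "!SSLv2", "!SSLv2, !SSLv3"):
        print("%-18r -> %s" % (setting, enabled_protocols(setting)))
    newer_lib = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # assumed library
    print("newer library, '!SSLv2' ->", enabled_protocols("!SSLv2", newer_lib))
```

The last line of the demo shows why the page says the include form is not recommended: with either syntax, a version unknown to Postfix stays enabled.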
7821
7823 Request that the Postfix SMTP server produce Received: message head‐
7824 ers that include information about the protocol and cipher used, as
7825 well as the client CommonName and client certificate issuer CommonName.
7826 This is disabled by default, as the information may be modified in
7827 transit through other mail servers. Only information that was recorded
7828 by the final destination can be trusted.
7829
7830 This feature is available in Postfix 2.2 and later.
7831
7833 With mandatory TLS encryption, require a trusted remote SMTP client
7834 certificate in order to allow TLS connections to proceed. This option
7835 implies "smtpd_tls_ask_ccert = yes".
7836
7837 When TLS encryption is optional, this setting is ignored with a warning
7838 written to the mail log.
7839
7840 This feature is available in Postfix 2.2 and later.
7841
7843 The SMTP TLS security level for the Postfix SMTP server; when a non-
7844 empty value is specified, this overrides the obsolete parameters
7845 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
7846 "smtpd_tls_wrappermode = yes".
7847
7848 Specify one of the following security levels:
7849
7850 none TLS will not be used.
7851
7852 may Opportunistic TLS: announce STARTTLS support to SMTP clients,
7853 but do not require that clients use TLS encryption.
7854
7855 encrypt
7856 Mandatory TLS encryption: announce STARTTLS support to SMTP
7857 clients, and require that clients use TLS encryption. According
7858 to RFC 2487 this MUST NOT be applied in case of a publicly-ref‐
7859 erenced SMTP server. Instead, this option should be used only on
7860 dedicated servers.
7861
7862 Note 1: the "fingerprint", "verify" and "secure" levels are not sup‐
7863 ported here. The Postfix SMTP server logs a warning and uses "encrypt"
7864 instead. To verify SMTP client certificates, see TLS_README for a dis‐
7865 cussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
7866 mit_tls_clientcerts features.
7867
7868 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
7869 implies "smtpd_tls_auth_only = yes".
7870
7871 Note 3: when invoked via "sendmail -bs", Postfix will never offer
7872 STARTTLS due to insufficient privileges to access the server private
7873 key. This is intended behavior.
7874
7875 This feature is available in Postfix 2.3 and later.
7876
7878 Name of the file containing the optional Postfix SMTP server TLS ses‐
7879 sion cache. Specify a database type that supports enumeration, such as
7880 btree or sdbm; there is no need to support concurrent access. The file
7881 is created if it does not exist. The smtpd(8) daemon does not use this
7882 parameter directly, rather the cache is implemented indirectly in the
7883 tlsmgr(8) daemon. This means that per-smtpd-instance master.cf over‐
7884 rides of this parameter are not effective. Note that each of the cache
7885 databases supported by the tlsmgr(8) daemon ($smtpd_tls_session_cache_data‐
7886 base, $smtp_tls_session_cache_database and, with Postfix 2.3 and later,
7887 $lmtp_tls_session_cache_database) needs to be stored separately. It is
7888 not at this time possible to store multiple caches in a single data‐
7889 base.
7890
7891 Note: dbm databases are not suitable. TLS session objects are too
7892 large.
7893
7894 As of version 2.5, Postfix no longer uses root privileges when opening
7895 this file. The file should now be stored under the Postfix-owned
7896 data_directory. As a migration aid, an attempt to open the file under a
7897 non-Postfix directory is redirected to the Postfix-owned data_direc‐
7898 tory, and a warning is logged.
7899
7900 Example:
7901
7902 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
7903
7904 This feature is available in Postfix 2.2 and later.
7905
7907 The expiration time of Postfix SMTP server TLS session cache informa‐
7908 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
7909 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
7910 this parameter is implemented in the tlsmgr(8) daemon and therefore
7911 per-smtpd-instance master.cf overrides are not possible.
7912
7913 This feature is available in Postfix 2.2 and later.
7914
7916 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
7917 of using the STARTTLS command.
7918
7919 If you want to support this service, enable a special port in mas‐
7920 ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
7921 command line. Port 465 (smtps) was once chosen for this purpose.
7922
7923 This feature is available in Postfix 2.2 and later.
7924
7926 Opportunistic TLS: announce STARTTLS support to SMTP clients, but do
7927 not require that clients use TLS encryption.
7928
7929 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
7930 TLS due to insufficient privileges to access the server private key.
7931 This is intended behavior.
7932
7933 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7934 and later use smtpd_tls_security_level instead.
7935
7937 Safety net to keep mail queued that would otherwise be returned to the
7938 sender. This parameter disables locally-generated bounces, and pre‐
7939 vents the Postfix SMTP server from rejecting mail permanently, by
7940 changing 5xx reply codes into 4xx. However, soft_bounce is no cure for
7941 address rewriting mistakes or mail routing mistakes.
7942
7943 Example:
7944
7945 soft_bounce = yes
7946
7948 The time after which a stale exclusive mailbox lockfile is removed.
7949 This is used for delivery to file or mailbox.
7950
7951 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
7952 The default time unit is s (seconds).
7953
7955 This feature is documented in the STRESS_README document.
7956
7957 This feature is available in Postfix 2.5 and later.
7958
7960 Reject mail with 8-bit text in message headers. This blocks mail from
7961 poorly written applications.
7962
7963 This feature should not be enabled on a general purpose mail server,
7964 because it is likely to reject legitimate email.
7965
7966 This feature is available in Postfix 2.0 and later.
7967
7969 Enable both strict_7bit_headers and strict_8bitmime_body.
7970
7971 This feature should not be enabled on a general purpose mail server,
7972 because it is likely to reject legitimate email.
7973
7974 This feature is available in Postfix 2.0 and later.
7975
7977 Reject 8-bit message body text without 8-bit MIME content encoding
7978 information. This blocks mail from poorly written applications.
7979
7980 Unfortunately, this also rejects majordomo approval requests when the
7981 included request contains valid 8-bit MIME mail, and it rejects bounces
7982 from mailers that do not MIME encapsulate 8-bit content (for example,
7983 bounces from qmail or from old versions of Postfix).
7984
7985 This feature should not be enabled on a general purpose mail server,
7986 because it is likely to reject legitimate email.
7987
7988 This feature is available in Postfix 2.0 and later.
7989
7991 Defer delivery when a mailbox file is not owned by its recipient. The
7992 default setting is not backwards compatible.
7993
7994 This feature is available in Postfix 2.5.3 and later.
7995
7997 Reject mail with invalid Content-Transfer-Encoding: information for the
7998 message/* or multipart/* MIME content types. This blocks mail from
7999 poorly written software.
8000
8001 This feature should not be enabled on a general purpose mail server,
8002 because it will reject mail after a single violation.
8003
8004 This feature is available in Postfix 2.0 and later.
8005
8007 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
8008 are enclosed with <>, and that those addresses do not contain RFC 822
8009 style comments or phrases. This stops mail from poorly written soft‐
8010 ware.
8011
8012 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
8013 and RCPT TO addresses.
8014
8016 Obsolete SUN mailtool compatibility feature. Instead, use "mail‐
8017 box_delivery_lock = dotlock".
8018
8020 Enable the rewriting of "site!user" into "user@site". This is neces‐
8021 sary if your machine is connected to UUCP networks. It is enabled by
8022 default.
8023
8024 Note: with Postfix version 2.2, message header address rewriting hap‐
8025 pens only when one of the following conditions is true:
8026
8027 · The message is received with the Postfix sendmail(1) command,
8028
8029 · The message is received from a network client that matches
8030 $local_header_rewrite_clients,
8031
8032 · The message is received from the network, and the
8033 remote_header_rewrite_domain parameter specifies a non-empty
8034 value.
8035
8036 To get the behavior before Postfix version 2.2, specify
8037 "local_header_rewrite_clients = static:all".
8038
8039 Example:
8040
8041 swap_bangpath = no
8042
8044 The syslog facility of Postfix logging. Specify a facility as defined
8045 in syslog.conf(5). The default facility is "mail".
8046
8047 Warning: a non-default syslog_facility setting takes effect only after
8048 a Postfix process has completed initialization. Errors during process
8049 initialization will be logged with the default facility. Examples are
8050 errors while parsing the command line arguments, and errors while
8051 accessing the Postfix main.cf configuration file.
8052
8054 The mail system name that is prepended to the process name in syslog
8055 records, so that "smtpd" becomes, for example, "postfix/smtpd".
8056
8057 Warning: a non-default syslog_name setting takes effect only after a
8058 Postfix process has completed initialization. Errors during process
8059 initialization will be logged with the default name. Examples are
8060 errors while parsing the command line arguments, and errors while
8061 accessing the Postfix main.cf configuration file.
8062
8064 An optional workaround for routers that break TCP window scaling.
8065 Specify a value > 0 and < 65536 to enable this feature. With Postfix
8066 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
8067 Postfix master(8) daemon.
8068
8069 To change this parameter without stopping Postfix, you need to first
8070 terminate all Postfix TCP servers:
8071
8072 # postconf -e master_service_disable=inet
8073 # postfix reload
8074
8075 This immediately terminates all processes that accept network connec‐
8076 tions. Next, you enable Postfix TCP servers with the updated tcp_win‐
8077 dowsize setting:
8078
8079 # postconf -e tcp_windowsize=65535 master_service_disable=
8080 # postfix reload
8081
8082 If you skip these steps with a running Postfix system, then the
8083 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
8084 lmtp(8)).
8085
8086 This feature is available in Postfix 2.6 and later.
8087
8089 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
8090 requests from the tlsmgr(8) server in order to seed its internal pseudo
8091 random number generator (PRNG). The default of 32 bytes (equivalent to
8092 256 bits) is sufficient to generate a 128-bit (or 168-bit) session key.
8093
8094 This feature is available in Postfix 2.2 and later.
8095
8097 The elliptic curve used by the SMTP server for sensibly strong
8098 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
8099 server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
8100 strong" means approximately 128-bit security based on best known
8101 attacks. The selected curve must be implemented by OpenSSL (as reported
8102 by ecparam(1) with the "-list_curves" option) and be one of the curves
8103 listed in Section 5.1.1 of RFC 4492. You should not generally change
8104 this setting.
8105
8106 This default curve is specified in NSA "Suite B" Cryptography (see
8107 http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information
8108 classified as SECRET.
8109
8110 Note: elliptic curve names are poorly standardized; different standards
8111 groups are assigning different names to the same underlying curves.
8112 The curve with the X9.62 name "prime256v1" is also known under the SECG
8113 name "secp256r1", but OpenSSL does not recognize the latter name.
8114
8115 This feature is available in Postfix 2.6 and later, when it is compiled
8116 and linked with OpenSSL 0.9.9 or later.
8117
8119 The elliptic curve used by the SMTP server for maximally strong
8120 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
8121 server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
8122 strong" means approximately 192-bit security based on best known
8123 attacks. This additional strength comes at a significant computational
8124 cost; most users should instead set "smtpd_tls_eecdh_grade = strong".
8125 The selected curve must be implemented by OpenSSL (as reported by
8126 ecparam(1) with the "-list_curves" option) and be one of the curves
8127 listed in Section 5.1.1 of RFC 4492. You should not generally change
8128 this setting.
8129
8130 This default "ultra" curve is specified in NSA "Suite B" Cryptography
8131 (see http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information
8132 classified as TOP SECRET.
8133
8134 This feature is available in Postfix 2.6 and later, when it is compiled
8135 and linked with OpenSSL 0.9.9 or later.
8136
8138 The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
8139 defines the meaning of the "export" setting in smtpd_tls_manda‐
8140 tory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_manda‐
8141 tory_ciphers. This is the cipherlist for the opportunistic ("may") TLS
8142 client security level and is the default cipherlist for the SMTP
8143 server. You are strongly encouraged to not change this setting.
8144
8145 This feature is available in Postfix 2.3 and later.
8146
8148 The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the mean‐
8149 ing of the "high" setting in smtpd_tls_mandatory_ciphers,
8150 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
8151 strongly encouraged to not change this setting.
8152
8153 This feature is available in Postfix 2.3 and later.
8154
8156 The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
8157 the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
8158 smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
8159 strongly encouraged to not change this setting.
8160
8161 This feature is available in Postfix 2.3 and later.
8162
8164 The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
8165 defines the meaning of the "medium" setting in smtpd_tls_manda‐
8166 tory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_manda‐
8167 tory_ciphers. This is the default cipherlist for mandatory TLS encryp‐
8168 tion in the TLS client (with anonymous ciphers disabled when verifying
8169 server certificates). You are strongly encouraged to not change this
8170 setting.
8171
8172 This feature is available in Postfix 2.3 and later.
8173
8175 The OpenSSL cipherlist for "NULL" grade ciphers that provide authenti‐
8176 cation without encryption. This defines the meaning of the "null" set‐
8177 ting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
8178 lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change
8179 this setting.
8180
8181 This feature is available in Postfix 2.3 and later.
8182
8184 The number of bytes that tlsmgr(8) reads from $tls_random_source when
8185 (re)seeding the in-memory pseudo random number generator (PRNG) pool.
8186 The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
8187 keys. If using EGD or a device file, a maximum of 255 bytes is read.
8188
8189 This feature is available in Postfix 2.2 and later.
8190
8192 Name of the pseudo random number generator (PRNG) state file that is
8193 maintained by tlsmgr(8). The file is created when it does not exist,
8194 and its length is fixed at 1024 bytes.
8195
8196 As of version 2.5, Postfix no longer uses root privileges when opening
8197 this file, and the default file location was changed from ${con‐
8198 fig_directory}/prng_exch to ${data_directory}/prng_exch. As a migra‐
8199 tion aid, an attempt to open the file under a non-Postfix directory is
8200 redirected to the Postfix-owned data_directory, and a warning is
8201 logged.
8202
8203 This feature is available in Postfix 2.2 and later.
8204
8206 The time between attempts by tlsmgr(8) to save the state of the pseudo
8207 random number generator (PRNG) to the file specified with $tls_ran‐
8208 dom_exchange_name.
8209
8210 This feature is available in Postfix 2.2 and later.
8211
8213 The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
8214 pseudo random number generator (PRNG) pool from external sources. The
8215 actual time between re-seeding attempts is calculated using the PRNG,
8216 and is between 0 and the time specified.
8217
8218 This feature is available in Postfix 2.2 and later.
8219
8221 The external entropy source for the in-memory tlsmgr(8) pseudo random
8222 number generator (PRNG) pool. Be sure to specify a non-blocking source.
8223 If this source is not a regular file, the entropy source type must be
8224 prepended: egd:/path/to/egd_socket for a source with EGD compatible
8225 socket interface, or dev:/path/to/device for a device file.
8226
8227 Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
8228 timeout errors.
8229
8230 This feature is available in Postfix 2.2 and later.
8231
8233 The name of the trace service. This service is implemented by the
8234 bounce(8) daemon and maintains a record of mail deliveries and produces
8235 a mail delivery report when verbose delivery is requested with "send‐
8236 mail -v".
8237
8238 This feature is available in Postfix 2.1 and later.
8239
8241 A transport-specific override for the default_delivery_slot_cost param‐
8242 eter value, where transport is the master.cf name of the message deliv‐
8243 ery transport.
8244
8246 A transport-specific override for the default_delivery_slot_discount
8247 parameter value, where transport is the master.cf name of the message
8248 delivery transport.
8249
8251 A transport-specific override for the default_delivery_slot_loan param‐
8252 eter value, where transport is the master.cf name of the message deliv‐
8253 ery transport.
8254
8256 transport_destination_concurrency_failed_cohort_limit ($default_destination_concurrency_failed_cohort_limit)
8257 A transport-specific override for the default_destination_concur‐
8258 rency_failed_cohort_limit parameter value, where transport is the mas‐
8259 ter.cf name of the message delivery transport.
8260
8261 This feature is available in Postfix 2.5 and later.
8262
8264 transport_destination_concurrency_limit ($default_destination_concurrency_limit)
8265 A transport-specific override for the default_destination_concur‐
8266 rency_limit parameter value, where transport is the master.cf name of
8267 the message delivery transport.
8268
8270 transport_destination_concurrency_negative_feedback ($default_destination_concurrency_negative_feedback)
8271 A transport-specific override for the default_destination_concur‐
8272 rency_negative_feedback parameter value, where transport is the mas‐
8273 ter.cf name of the message delivery transport.
8274
8275 This feature is available in Postfix 2.5 and later.
8276
8278 transport_destination_concurrency_positive_feedback ($default_destination_concurrency_positive_feedback)
8279 A transport-specific override for the default_destination_concur‐
8280 rency_positive_feedback parameter value, where transport is the mas‐
8281 ter.cf name of the message delivery transport.
8282
8283 This feature is available in Postfix 2.5 and later.
8284
8286 A transport-specific override for the default_destination_rate_delay
8287 parameter value, where transport is the master.cf name of the message
8288 delivery transport.
8289
8290 This feature is available in Postfix 2.5 and later.
8291
8293 transport_destination_recipient_limit ($default_destination_recipient_limit)
8294 A transport-specific override for the default_destination_recipi‐
8295 ent_limit parameter value, where transport is the master.cf name of the
8296 message delivery transport.
8297
8299 A transport-specific override for the default_extra_recipient_limit
8300 parameter value, where transport is the master.cf name of the message
8301 delivery transport.
8302
8304 transport_initial_destination_concurrency ($initial_destination_concurrency)
8305 A transport-specific override for the initial_destination_concurrency
8306 parameter value, where transport is the master.cf name of the message
8307 delivery transport.
8308
8309 This feature is available in Postfix 2.5 and later.
8310
8312 Optional lookup tables with mappings from recipient address to (message
8313 delivery transport, next-hop destination). See transport(5) for
8314 details.
8315
8316 Specify zero or more "type:table" lookup tables. If you use this fea‐
8317 ture with local files, run "postmap /etc/postfix/transport" after mak‐
8318 ing a change.
8319
8320 For safety reasons, as of Postfix 2.3 this feature does not allow $num‐
8321 ber substitutions in regular expression maps.
8322
8323 Examples:
8324
8325 transport_maps = dbm:/etc/postfix/transport
8326 transport_maps = hash:/etc/postfix/transport
8327
8329 A transport-specific override for the default_minimum_delivery_slots
8330 parameter value, where transport is the master.cf name of the message
8331 delivery transport.
8332
8334 A transport-specific override for the default_recipient_limit parameter
8335 value, where transport is the master.cf name of the message delivery
8336 transport.
8337
8339 A transport-specific override for the default_recipient_refill_delay
8340 parameter value, where transport is the master.cf name of the message
8341 delivery transport.
8342
8343 This feature is available in Postfix 2.4 and later.
8344
8346 A transport-specific override for the default_recipient_refill_limit
8347 parameter value, where transport is the master.cf name of the message
8348 delivery transport.
8349
8350 This feature is available in Postfix 2.4 and later.
8351
8353 The time between attempts by the Postfix queue manager to contact a
8354 malfunctioning message delivery transport.
8355
8356 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8357 The default time unit is s (seconds).
8358
8360 A transport-specific override for the command_time_limit parameter
8361 value, where transport is the master.cf name of the message delivery
8362 transport.
8363
8365 The time limit for sending a trigger to a Postfix daemon (for example,
8366 the pickup(8) or qmgr(8) daemon). This time limit prevents programs
8367 from getting stuck when the mail system is under heavy load.
8368
8369 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8370 The default time unit is s (seconds).
8371
8373 Message header that the Postfix cleanup(8) server inserts when a mes‐
8374 sage contains no To: or Cc: message header. With Postfix 2.4 and later,
8375 specify an empty value to disable this feature.
8376
8378 The numerical Postfix SMTP server response code when a sender or recip‐
8379 ient address is rejected by the reject_unknown_sender_domain or
8380 reject_unknown_recipient_domain restriction. The response is always
8381 450 in case of a temporary DNS error.
8382
8383 Do not change this unless you have a complete understanding of RFC
8384 2821.
8385
8387 The Postfix SMTP server's action when reject_unknown_sender_domain or
8388 reject_unknown_recipient_domain fail due to a temporary error condi‐
8389 tion. Specify "defer" to defer the remote SMTP client request immedi‐
8390 ately. With the default "defer_if_permit" action, the Postfix SMTP
8391 server continues to look for opportunities to reject mail, and defers
8392 the client request only if it would otherwise be accepted.
8393
8394 This feature is available in Postfix 2.6 and later.
8395
8397 The numerical Postfix SMTP server response code when a client without
8398 valid address <=> name mapping is rejected by the
8399 reject_unknown_client_hostname restriction. The SMTP server always
8400 replies with 450 when the mapping failed due to a temporary error con‐
8401 dition.
8402
8403 Do not change this unless you have a complete understanding of RFC
8404 2821.
8405
8407 The Postfix SMTP server's action when reject_unknown_helo_hostname
8408 fails due to a temporary error condition. Specify "defer" to defer the
8409 remote SMTP client request immediately. With the default "defer_if_per‐
8410 mit" action, the Postfix SMTP server continues to look for opportuni‐
8411 ties to reject mail, and defers the client request only if it would
8412 otherwise be accepted.
8413
8414 This feature is available in Postfix 2.6 and later.
8415
8417 The numerical Postfix SMTP server response code when the hostname spec‐
8418 ified with the HELO or EHLO command is rejected by the
8419 reject_unknown_helo_hostname restriction.
8420
8421 Do not change this unless you have a complete understanding of RFC
8422 2821.
8423
8425 The numerical Postfix SMTP server response code when a recipient
8426 address is local, and $local_recipient_maps specifies a list of lookup
8427 tables that does not match the recipient. A recipient address is local
8428 when its domain matches $mydestination, $proxy_interfaces or
8429 $inet_interfaces.
8430
8431 The default setting is 550 (reject mail) but it is safer to initially
8432 use 450 (try again later) so you have time to find out if your
8433 local_recipient_maps settings are OK.
8434
8435 Example:
8436
8437 unknown_local_recipient_reject_code = 450
8438
8439 This feature is available in Postfix 2.0 and later.
8440
8442 The numerical Postfix SMTP server reply code when a recipient address
8443 matches $relay_domains, and relay_recipient_maps specifies a list of
8444 lookup tables that does not match the recipient address.
8445
8446 This feature is available in Postfix 2.0 and later.
8447
8449 The SMTP server reply code when a recipient address matches $vir‐
8450 tual_alias_domains, and $virtual_alias_maps specifies a list of lookup
8451 tables that does not match the recipient address.
8452
8453 This feature is available in Postfix 2.0 and later.
8454
8456 The SMTP server reply code when a recipient address matches $vir‐
8457 tual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
8458 lookup tables that does not match the recipient address.
8459
8460 This feature is available in Postfix 2.0 and later.
8461
8463 The numerical Postfix SMTP server response when a recipient address
8464 probe fails due to a temporary error condition.
8465
8466 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
8467 address anyway.
8468
8469 Do not change this unless you have a complete understanding of RFC
8470 2821.
8471
8472 This feature is available in Postfix 2.6 and later.
8473
8475 The numerical Postfix SMTP server response when a recipient address is
8476 rejected by the reject_unverified_recipient restriction.
8477
8478 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
8479 address anyway.
8480
8481 Do not change this unless you have a complete understanding of RFC
8482 2821.
8483
8484 This feature is available in Postfix 2.1 and later.
8485
8487 The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
8488 fied_recipient. Do not include the numeric SMTP reply code or the
8489 enhanced status code. By default, the response includes actual address
8490 verification details.
8491
8492 Example:
8493
8494 unverified_recipient_reject_reason = Recipient address lookup failed
8495
8496 This feature is available in Postfix 2.6 and later.
8497
8499 The Postfix SMTP server's action when reject_unverified_recipient fails
8500 due to a temporary error condition. Specify "defer" to defer the remote
8501 SMTP client request immediately. With the default "defer_if_permit"
8502 action, the Postfix SMTP server continues to look for opportunities to
8503 reject mail, and defers the client request only if it would otherwise
8504 be accepted.
8505
8506 This feature is available in Postfix 2.6 and later.
8507
8509 The numerical Postfix SMTP server response code when a sender address
8510 probe fails due to a temporary error condition.
8511
8512 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
8513 address anyway.
8514
8515 Do not change this unless you have a complete understanding of RFC
8516 2821.
8517
8518 This feature is available in Postfix 2.6 and later.
8519
8521 The numerical Postfix SMTP server response code when a sender address
8522 is rejected by the reject_unverified_sender restriction.
8523
8524 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
8525 address anyway.
8526
8527 Do not change this unless you have a complete understanding of RFC
8528 2821.
8529
8530 This feature is available in Postfix 2.1 and later.
8531
8533 The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
8534 fied_sender. Do not include the numeric SMTP reply code or the enhanced
8535 status code. By default, the response includes actual address verifica‐
8536 tion details.
8537
8538 Example:
8539
8540 unverified_sender_reject_reason = Sender address lookup failed
8541
8542 This feature is available in Postfix 2.6 and later.
8543
8545 The Postfix SMTP server's action when reject_unverified_sender fails
8546 due to a temporary error condition. Specify "defer" to defer the remote
8547 SMTP client request immediately. With the default "defer_if_permit"
8548 action, the Postfix SMTP server continues to look for opportunities to
8549 reject mail, and defers the client request only if it would otherwise
8550 be accepted.
8551
8552 This feature is available in Postfix 2.6 and later.
8553
8555 The characters Postfix accepts as VERP delimiter characters on the
8556 Postfix sendmail(1) command line and in SMTP commands.
8557
8558 This feature is available in Postfix 1.1 and later.
8559
8561 Postfix is final destination for the specified list of virtual alias
8562 domains, that is, domains for which all addresses are aliased to
8563 addresses in other local or remote domains. The SMTP server validates
8564 recipient addresses with $virtual_alias_maps and rejects non-existent
8565 recipients. See also the virtual alias domain class in the
8566 ADDRESS_CLASS_README file.
8567
8568 This feature is available in Postfix 2.0 and later. The default value
8569 is backwards compatible with Postfix version 1.1.
8570
8571 The default value is $virtual_alias_maps so that you can keep all
8572 information about virtual alias domains in one place. If you have many
8573 users, it is better to separate information that changes more fre‐
8574 quently (virtual address -> local or remote address mapping) from
8575 information that changes less frequently (the list of virtual domain
8576 names).
8577
8578 Specify a list of host or domain names, "/file/name" or "type:table"
8579 patterns, separated by commas and/or whitespace. A "/file/name" pattern
8580 is replaced by its contents; a "type:table" lookup table is matched
8581 when a table entry matches a lookup string (the lookup result is
8582 ignored). Continue long lines by starting the next line with white‐
8583 space. Specify "!pattern" to exclude a host or domain name from the
8584 list. The form "!/file/name" is supported only in Postfix version 2.4
8585 and later.
8586
8587 See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
8588 ther information.
8589
8590 Example:
8591
8592 virtual_alias_domains = virtual1.tld virtual2.tld
8593
8595 The maximal number of addresses that virtual alias expansion produces
8596 from each original recipient.
8597
8598 This feature is available in Postfix 2.1 and later.
8599
8601 Optional lookup tables that alias specific mail addresses or domains to
8602 other local or remote addresses. The table format and lookups are
8603 documented in virtual(5). For an overview of Postfix address manipulations
8604 see the ADDRESS_REWRITING_README document.
8605
8606 This feature is available in Postfix 2.0 and later. The default value
8607 is backwards compatible with Postfix version 1.1.
8608
8609 If you use this feature with indexed files, run "postmap /etc/post‐
8610 fix/virtual" after changing the file.
8611
8612 Examples:
8613
8614 virtual_alias_maps = dbm:/etc/postfix/virtual
8615 virtual_alias_maps = hash:/etc/postfix/virtual
8616
8618 The maximal nesting depth of virtual alias expansion. Currently the
8619 recursion limit is applied only to the left branch of the expansion
8620 graph, so the depth of the tree can in the worst case reach the sum of
8621 the expansion and recursion limits. This may change in the future.
8622
8623 This feature is available in Postfix 2.1 and later.
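
The interaction of the two limits just described, as an added example (a simplified Python model, not Postfix's own code): the first target of each lookup is re-expanded in place and counted against virtual_alias_recursion_limit, later targets are appended and expanded afterwards with a fresh count, and the total is counted against virtual_alias_expansion_limit. The tables and addresses are constructed for the example; how Postfix treats an alias that lists itself is not modelled.

```python
"""Simplified model of virtual alias expansion under the expansion and
recursion limits (constructed example, not Postfix's own code)."""
from typing import Dict, List, Optional, Tuple


def expand_recipient(address: str, table: Dict[str, List[str]],
                     expansion_limit: int = 1000,
                     recursion_limit: int = 1000
                     ) -> Tuple[List[str], Optional[str]]:
    """Expand one original recipient.  Returns (recipients, None), or
    ([], reason) where Postfix would log an "unreasonable" expansion and
    defer.  The first target of each lookup is re-expanded in place (the
    left branch, counted against recursion_limit); later targets are
    appended and expanded afterwards, each with a fresh count."""
    argv = [address]
    arg = 0
    while arg < len(argv):
        count = 0
        while count < recursion_limit:
            targets = table.get(argv[arg])
            if not targets:
                break                          # not an alias: final recipient
            argv[arg] = targets[0]             # left branch, looked up again
            argv.extend(targets[1:])           # right branches, expanded later
            if len(argv) > expansion_limit:
                return [], f"{address}: more than {expansion_limit} addresses produced"
            count += 1
        if count >= recursion_limit:
            return [], f"{address}: alias nesting deeper than {recursion_limit}"
        arg += 1
    return argv, None


# Constructed virtual(5)-style tables: lookup key -> list of targets.
NORMAL = {"team@example.com": ["alice@example.com", "bob@example.com"],
          "alice@example.com": ["alice@mail.example.net"]}
LEFT_LOOP = {"ping@example.com": ["pong@example.com"],
             "pong@example.com": ["ping@example.com"]}
RIGHT_LOOP = {"all@example.com": ["x@example.com", "all@example.com"]}
# Four levels deep through right branches only: each level gets a fresh count.
RIGHT_CHAIN = {"a@example.com": ["f@example.net", "b@example.com"],
               "b@example.com": ["f@example.net", "c@example.com"],
               "c@example.com": ["f@example.net", "d@example.com"],
               "d@example.com": ["f@example.net"]}
```

With recursion_limit=2 the RIGHT_CHAIN table still expands, while LEFT_LOOP is stopped by the recursion limit and RIGHT_LOOP by the expansion limit, which is the worst-case depth the text warns about.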
8624
8626 virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)
8627 The maximal number of parallel deliveries to the same destination via
8628 the virtual message delivery transport. This limit is enforced by the
8629 queue manager. The message delivery transport name is the first field
8630 in the entry in the master.cf file.
8631
8633 virtual_destination_recipient_limit (default: $default_destination_recipient_limit)
8634 The maximal number of recipients per message for the virtual message
8635 delivery transport. This limit is enforced by the queue manager. The
8636 message delivery transport name is the first field in the entry in the
8637 master.cf file.
8638
8639 Setting this parameter to a value of 1 changes the meaning of vir‐
8640 tual_destination_concurrency_limit from concurrency per domain into
8641 concurrency per recipient.
8642
8644 Lookup tables with the per-recipient group ID for virtual(8) mailbox
8645 delivery.
8646
8647 In a lookup table, specify a left-hand side of "@domain.tld" to match
8648 any user in the specified domain that does not have a specific
8649 "user@domain.tld" entry.
8650
8651 When a recipient address has an optional address extension
8652 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
8653 address first, and when the lookup fails, it looks up the unextended
8654 address (user@domain.tld).
8655
8656 Note 1: for security reasons, the virtual(8) delivery agent disallows
8657 regular expression substitution of $1 etc. in regular expression lookup
8658 tables, because that would open a security hole.
8659
8660 Note 2: for security reasons, the virtual(8) delivery agent will
8661 silently ignore requests to use the proxymap(8) server. Instead it will
8662 open the table directly. Before Postfix version 2.2, the virtual(8)
8663 delivery agent will terminate with a fatal error.
8664
8666 A prefix that the virtual(8) delivery agent prepends to all pathname
8667 results from $virtual_mailbox_maps table lookups. This is a safety
8668 measure to ensure that an out-of-control map doesn't litter the file
8669 system with mailboxes. While virtual_mailbox_base could be set to "/",
8670 this setting isn't recommended.
8671
8672 Example:
8673
8674 virtual_mailbox_base = /var/mail
8675
8677 Postfix is final destination for the specified list of domains; mail is
8678 delivered via the $virtual_transport mail delivery transport. By
8679 default this is the Postfix virtual(8) delivery agent. The SMTP server
8680 validates recipient addresses with $virtual_mailbox_maps and rejects
8681 mail for non-existent recipients. See also the virtual mailbox domain
8682 class in the ADDRESS_CLASS_README file.
8683
8684 This parameter expects the same syntax as the mydestination configura‐
8685 tion parameter.
8686
8687 This feature is available in Postfix 2.0 and later. The default value
8688 is backwards compatible with Postfix version 1.1.
8689
8691 The maximal size in bytes of an individual mailbox or maildir file, or
8692 zero (no limit).
8693
8695 How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
8696 For a list of available file locking methods, use the "postconf -l"
8697 command.
8698
8699 This setting is ignored with maildir style delivery, because such
8700 deliveries are safe without application-level locks.
8701
8702 Note 1: the dotlock method requires that the recipient UID or GID has
8703 write access to the parent directory of the recipient's mailbox file.
8704
8705 Note 2: the default setting of this parameter is system dependent.
8706
8708 Optional lookup tables with all valid addresses in the domains that
8709 match $virtual_mailbox_domains.
8710
8711 In a lookup table, specify a left-hand side of "@domain.tld" to match
8712 any user in the specified domain that does not have a specific
8713 "user@domain.tld" entry.
8714
8715 The virtual(8) delivery agent uses this table to look up the per-recip‐
8716 ient mailbox or maildir pathname. If the lookup result ends in a slash
8717 ("/"), maildir-style delivery is carried out, otherwise the path is
8718 assumed to specify a UNIX-style mailbox file. Note that $virtual_mail‐
8719 box_base is unconditionally prepended to this path.
8720
8721 When a recipient address has an optional address extension
8722 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
8723 address first, and when the lookup fails, it looks up the unextended
8724 address (user@domain.tld).
8725
8726 Note 1: for security reasons, the virtual(8) delivery agent disallows
8727 regular expression substitution of $1 etc. in regular expression lookup
8728 tables, because that would open a security hole.
8729
8730 Note 2: for security reasons, the virtual(8) delivery agent will
8731 silently ignore requests to use the proxymap(8) server. Instead it will
8732 open the table directly. Before Postfix version 2.2, the virtual(8)
8733 delivery agent will terminate with a fatal error.
8734
8736 Optional lookup tables with a) names of domains for which all addresses
8737 are aliased to addresses in other local or remote domains, and b)
8738 addresses that are aliased to addresses in other local or remote
8739 domains. Available before Postfix version 2.0. With Postfix version
8740 2.0 and later, this is replaced by separate controls: vir‐
8741 tual_alias_domains and virtual_alias_maps.
8742
8744 The minimum user ID value that the virtual(8) delivery agent accepts as
8745 a result from $virtual_uid_maps table lookup. Returned values less
8746 than this will be rejected, and the message will be deferred.
8747
8749 The default mail delivery transport and next-hop destination for final
8750 delivery to domains listed with $virtual_mailbox_domains. This infor‐
8751 mation can be overruled with the transport(5) table.
8752
8753 Specify a string of the form transport:nexthop, where transport is the
8754 name of a mail delivery transport defined in master.cf. The :nexthop
8755 part is optional. For more details see the transport(5) manual page.
8756
8757 This feature is available in Postfix 2.0 and later.
8758
8760 Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
8761 ery agent uses while writing to the recipient's mailbox.
8762
8763 In a lookup table, specify a left-hand side of "@domain.tld" to match
8764 any user in the specified domain that does not have a specific
8765 "user@domain.tld" entry.
8766
8767 When a recipient address has an optional address extension
8768 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
8769 address first, and when the lookup fails, it looks up the unextended
8770 address (user@domain.tld).
8771
8772 Note 1: for security reasons, the virtual(8) delivery agent disallows
8773 regular expression substitution of $1 etc. in regular expression lookup
8774 tables, because that would open a security hole.
8775
8776 Note 2: for security reasons, the virtual(8) delivery agent will
8777 silently ignore requests to use the proxymap(8) server. Instead it will
8778 open the table directly. Before Postfix version 2.2, the virtual(8)
8779 delivery agent will terminate with a fatal error.
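
The lookup rules shared by virtual_mailbox_maps, virtual_uid_maps and virtual_gid_maps above (full address, then unextended address, then "@domain.tld"), the unconditional virtual_mailbox_base prefix, maildir detection and the virtual_minimum_uid check, as an added Python example (a constructed model, not virtual(8)'s code). The recipient_delimiter value, the table contents and the final escape check are assumptions of the example.

```python
"""Constructed model of how virtual(8) resolves a recipient to a mailbox
and its owner (example code, not Postfix's own)."""
import posixpath
from typing import Dict, Optional

RECIPIENT_DELIMITER = "+"      # assumed recipient_delimiter setting


def lookup(table: Dict[str, str], address: str) -> Optional[str]:
    """Try the full address, then the unextended address, then "@domain"."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    if RECIPIENT_DELIMITER in local:
        keys.append(local.split(RECIPIENT_DELIMITER, 1)[0] + "@" + domain)
    keys.append("@" + domain)           # users without a specific entry
    for key in keys:
        if key in table:
            return table[key]
    return None


def resolve_mailbox(address: str, mailbox_maps: Dict[str, str],
                    uid_maps: Dict[str, str], gid_maps: Dict[str, str],
                    mailbox_base: str = "/var/mail", minimum_uid: int = 100) -> dict:
    """Return {"action": "deliver", ...} or {"action": "defer", "reason": ...}."""
    rel = lookup(mailbox_maps, address)
    uid, gid = lookup(uid_maps, address), lookup(gid_maps, address)
    if rel is None or uid is None or gid is None:
        return {"action": "defer", "reason": f"{address}: missing map entry"}
    if int(uid) < minimum_uid:          # virtual_minimum_uid: reject and defer
        return {"action": "defer", "reason": f"{address}: uid {uid} below {minimum_uid}"}
    base = mailbox_base.rstrip("/")
    path = base + "/" + rel             # virtual_mailbox_base always prepended
    kind = "maildir" if rel.endswith("/") else "mailbox"
    # Extra check in this model only (the text documents just the prefixing):
    # a map result must not escape the base directory.
    if not posixpath.normpath(path).startswith(base + "/"):
        return {"action": "defer", "reason": f"{address}: result escapes {base}"}
    return {"action": "deliver", "path": path, "kind": kind,
            "uid": int(uid), "gid": int(gid)}


# Constructed tables (what the hash: files named in main.cf would contain).
MAILBOX_MAPS = {"alice@example.com": "example.com/alice/",
                "bob@example.com": "example.com/bob",
                "@example.org": "example.org/catchall/"}
UID_MAPS = {"alice@example.com": "5000", "bob@example.com": "50",
            "@example.org": "5001"}
GID_MAPS = {"@example.com": "5000", "@example.org": "5001"}
```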
8780
8782 postconf(1), Postfix configuration parameter maintenance
8783 master(5), Postfix daemon configuration maintenance
8784
8786 The Secure Mailer license must be distributed with this software.
8787
8789 Wietse Venema
8790 IBM T.J. Watson Research
8791 P.O. Box 704
8792 Yorktown Heights, NY 10598, USA
8793
8794
8795
8796 POSTCONF(5)