POSTCONF(5) File Formats Manual POSTCONF(5)

NAME
postconf - Postfix configuration parameters

SYNOPSIS
postconf parameter ...

postconf -e "parameter=value" ...

DESCRIPTION
The Postfix main.cf configuration file specifies a small subset of all
the parameters that control the operation of the Postfix mail system.
Parameters not specified in main.cf are left at their default values.

The general format of the main.cf file is as follows:

· Each logical line has the form "parameter = value". Whitespace
around the "=" is ignored, as is whitespace at the end of a logical
line.

· Empty lines and whitespace-only lines are ignored, as are lines
whose first non-whitespace character is a `#'.

· A logical line starts with non-whitespace text. A line that
starts with whitespace continues a logical line.

· A parameter value may refer to other parameters.

· The expressions "$name", "${name}" or "$(name)" are
recursively replaced by the value of the named parameter.

· The expression "${name?value}" expands to "value" when
"$name" is non-empty. This form is supported with Postfix
version 2.2 and later.

· The expression "${name:value}" expands to "value" when
"$name" is empty. This form is supported with Postfix
version 2.2 and later.

· Specify "$$" to produce a single "$" character.

· When the same parameter is defined multiple times, only the last
instance is remembered.

· Otherwise, the order of main.cf parameter definitions does not
matter.

The remainder of this document is a description of all Postfix
configuration parameters. Default values are shown after the parameter
name in parentheses, and can be looked up with the "postconf -d" command.

Note: this is not an invitation to make changes to Postfix configuration
parameters. Unnecessary changes can impair the operation of the
mail system.


The recipient of undeliverable mail that cannot be returned to the
sender. This feature is enabled with the notify_classes parameter.

The numerical Postfix SMTP server response code for an access(5) map
"defer" action, including "defer_if_permit" or "defer_if_reject". Prior
to Postfix 2.6, the response is hard-coded as "450".

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code for an access(5) map
"reject" action.

Do not change this unless you have a complete understanding of RFC
5321.

The amount of time between verify(8) address verification database
cleanup runs. This feature requires that the database supports the
"delete" and "sequence" operators. Specify a zero interval to disable
database cleanup.

After each database cleanup run, the verify(8) daemon logs the number
of entries that were retained and dropped. A cleanup run is logged as
"partial" when the daemon terminates early after "postfix reload",
"postfix stop", or no requests for $max_idle seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.7.

Overrides the default_transport parameter setting for address
verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the local_transport parameter setting for address
verification probes.

This feature is available in Postfix 2.1 and later.

Lookup table for persistent address verification status storage. The
table is maintained by the verify(8) service, and is opened before the
process releases privileges.

The lookup table is persistent by default (Postfix 2.7 and later).
Specify an empty table name to keep the information in volatile memory
which is lost after "postfix reload" or "postfix stop". This is the
default with Postfix version 2.6 and earlier.

Specify a location in a file system that will not fill up. If the
database becomes corrupted, the world comes to an end. To recover delete
(NOT: truncate) the file and do "postfix reload".

Postfix daemon processes do not use root privileges when opening this
file (Postfix 2.5 and later). The file must therefore be stored under
a Postfix-owned directory such as the data_directory. As a migration
aid, an attempt to open the file under a non-Postfix directory is
redirected to the Postfix-owned data_directory, and a warning is logged.

Examples:

address_verify_map = hash:/var/lib/postfix/verify
address_verify_map = btree:/var/lib/postfix/verify

This feature is available in Postfix 2.1 and later.

Enable caching of failed address verification probe results. When this
feature is enabled, the cache may pollute quickly with garbage. When
this feature is disabled, Postfix will generate an address probe for
every lookup.

This feature is available in Postfix 2.1 and later.

The time after which a failed probe expires from the address
verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a failed address verification probe needs to be
refreshed.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

How many times to query the verify(8) service for the completion of an
address verification request in progress.

By default, the Postfix SMTP server polls the verify(8) service up to
three times under non-overload conditions, and only once when under
overload. With Postfix version 2.5 and earlier, the SMTP server always
polls the verify(8) service up to three times by default.

Specify 1 to implement a crude form of greylisting, that is, always
defer the first delivery request for a new address.

Examples:

# Postfix <= 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1

This feature is available in Postfix 2.1 and later.

The delay between queries for the completion of an address verification
request in progress.

The default polling delay is 3 seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful probe expires from the address
verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

The time after which a successful address verification probe needs to
be refreshed. The address verification status is not updated when the
probe fails (optimistic caching).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.
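
The interplay of the negative-cache switch, the positive and negative expire and refresh times, and optimistic caching described in the paragraphs above, as an added example in Python (not Postfix's own verify(8) code). The timer values are chosen for the walk-through, the clock is passed in as seconds so the model runs offline, and keeping the old timestamp after an ignored failed refresh is a modelling assumption.

```python
"""Model of the verify(8) cache timers from postconf(5): negative caching on
or off, positive/negative expire and refresh times, and optimistic caching
(a failed refresh probe does not replace a good status).  Added example,
not Postfix's own code; time is passed in as seconds so it runs offline."""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value, default_unit="s"):
    """A Postfix time value: an integer plus an optional one-letter unit."""
    value = value.strip()
    unit = default_unit
    if value and value[-1] in UNITS:
        unit, value = value[-1], value[:-1]
    return int(value) * UNITS[unit]


class VerifyCache:
    """address -> (status, stored_at); status is "ok" or "fail"."""

    def __init__(self, positive_expire, positive_refresh,
                 negative_expire, negative_refresh, negative_cache=True):
        self.expire = {"ok": parse_time(positive_expire), "fail": parse_time(negative_expire)}
        self.refresh = {"ok": parse_time(positive_refresh), "fail": parse_time(negative_refresh)}
        self.negative_cache = negative_cache              # address_verify_negative_cache
        self.entries = {}

    def lookup(self, address, now):
        """Return (status, refresh_due).  status None means there is no usable
        entry and a probe must be generated; expired entries are dropped here."""
        entry = self.entries.get(address)
        if entry is None:
            return None, True
        status, stored_at = entry
        age = now - stored_at
        if age >= self.expire[status]:
            del self.entries[address]
            return None, True
        return status, age >= self.refresh[status]

    def record(self, address, status, now):
        """Store a probe result; returns whether the cache changed.  Failures
        are stored only when negative caching is on, and never replace a
        still-valid "ok" entry (optimistic caching)."""
        current, _ = self.lookup(address, now)
        if status == "fail" and (current == "ok" or not self.negative_cache):
            return False
        self.entries[address] = (status, now)
        return True


def walk_through():
    """One address through the timers; the values are chosen for illustration."""
    cache = VerifyCache("31d", "7d", "3d", "3h")
    day = UNITS["d"]
    addr = "user@example.com"
    cache.record(addr, "ok", 0)
    seen = [cache.lookup(addr, 1 * day), cache.lookup(addr, 8 * day)]  # fresh, refresh due
    cache.record(addr, "fail", 8 * day)          # refresh failed: status stays "ok"
    seen.append(cache.lookup(addr, 9 * day))
    seen.append(cache.lookup(addr, 32 * day))    # past the positive expire time
    return seen
```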

Overrides the relay_transport parameter setting for address
verification probes.

This feature is available in Postfix 2.1 and later.

Overrides the relayhost parameter setting for address verification
probes. This information can be overruled with the transport(5) table.

This feature is available in Postfix 2.1 and later.

The sender address to use in address verification probes; prior to
Postfix 2.5 the default was "postmaster". To avoid problems with
address probes that are sent in response to address probes, the Postfix
SMTP server excludes the probe sender address from all SMTPD access
blocks.

Specify an empty value (address_verify_sender =) or <> if you want to
use the null sender address. Beware, some sites reject mail from <>,
even though RFCs require that such addresses be accepted.

Examples:

address_verify_sender = <>
address_verify_sender = postmaster@my.domain

This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_default_transport_maps (default:
$sender_dependent_default_transport_maps)
Overrides the sender_dependent_default_transport_maps parameter setting
for address verification probes.

This feature is available in Postfix 2.7 and later.

address_verify_sender_dependent_relayhost_maps (default:
$sender_dependent_relayhost_maps)
Overrides the sender_dependent_relayhost_maps parameter setting for
address verification probes.

This feature is available in Postfix 2.3 and later.

The time between changes in the time-dependent portion of address
verification probe sender addresses. The time-dependent portion is
appended to the localpart of the address specified with the
address_verify_sender parameter. This feature is ignored when the probe
sender address is the null sender, i.e. the address_verify_sender value
is empty or <>.

Historically, the probe sender address was fixed. This has caused such
addresses to end up on spammer mailing lists, and has resulted in
wasted network and processing resources.

To enable time-dependent probe sender addresses, specify a non-zero
time value (an integral value plus an optional one-letter suffix that
specifies the time unit). Specify a value of at least several hours,
to avoid problems with senders that use greylisting. Avoid nice TTL
values, to make the result less predictable. Time units are: s
(seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.9 and later.

The name of the verify(8) address verification service. This service
maintains the status of sender and/or recipient address verification
probes, and generates probes on request by other Postfix processes.

Overrides the transport_maps parameter setting for address verification
probes.

This feature is available in Postfix 2.1 and later.

Overrides the virtual_transport parameter setting for address
verification probes.

This feature is available in Postfix 2.1 and later.

The alias databases for local(8) delivery that are updated with
"newaliases" or with "sendmail -bi".

This is a separate configuration parameter because not all the tables
specified with $alias_maps have to be local files.

Examples:

alias_database = hash:/etc/aliases
alias_database = hash:/etc/mail/aliases

The alias databases that are used for local(8) delivery. See aliases(5)
for syntax details.

The default list is system dependent. On systems with NIS, the default
is to search the local alias database, then the NIS alias database.

If you change the alias database, run "postalias /etc/aliases" (or
wherever your system stores the mail alias file), or simply run
"newaliases" to build the necessary DBM or DB file.

The local(8) delivery agent disallows regular expression substitution
of $1 etc. in alias_maps, because that would open a security hole.

The local(8) delivery agent will silently ignore requests to use the
proxymap(8) server within alias_maps. Instead it will open the table
directly. Before Postfix version 2.2, the local(8) delivery agent will
terminate with a fatal error.

Examples:

alias_maps = hash:/etc/aliases, nis:mail.aliases
alias_maps = hash:/etc/aliases

Restrict local(8) mail delivery to external commands. The default is
to disallow delivery to "|command" in :include: files (see aliases(5)
for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow
commands in aliases(5), .forward files or in :include: files,
respectively.

Example:

allow_mail_to_commands = alias,forward,include

Restrict local(8) mail delivery to external files. The default is to
disallow "/file/name" destinations in :include: files (see aliases(5)
for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow
"/file/name" destinations in aliases(5), .forward files and in
:include: files, respectively.

Example:

allow_mail_to_files = alias,forward,include

Allow a sender or recipient address to have `-' as the first character.
By default, this is not allowed, to avoid accidents with software that
passes email addresses via the command line. Such software would not be
able to distinguish a malicious address from a bona fide command-line
option. Although this can be prevented by inserting a "--" option
terminator into the command line, this is difficult to enforce
consistently and globally.

As of Postfix version 2.5, this feature is implemented by
trivial-rewrite(8). With earlier versions this feature was implemented
by qmgr(8) and was limited to recipient addresses only.

Enable the rewriting of the form "user%domain" to "user@domain". This
is enabled by default.

Note: with Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

Example:

allow_percent_hack = no

Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
from untrusted clients to destinations matching $relay_domains.

By default, this feature is turned off. This closes a nasty open relay
loophole where a backup MX host can be tricked into forwarding junk
mail to a primary MX host which then spams it out to the world.

This parameter also controls if non-local addresses with
sender-specified routing can match Postfix access tables. By default,
such addresses cannot match Postfix access tables, because the address
is ambiguous.

A list of non-default Postfix configuration directories that may be
specified with "-c config_directory" on the command line, or via the
MAIL_CONFIG environment parameter.

This list must be specified in the default Postfix configuration
directory, and is used by set-gid Postfix commands such as postqueue(1)
and postdrop(1).

Always add (Resent-) From:, To:, Date: or Message-ID: headers when not
present. Postfix 2.6 and later add these headers only when clients
match the local_header_rewrite_clients parameter setting. Earlier
Postfix versions always add these headers; this may break DKIM
signatures that cover non-existent headers.

Optional address that receives a "blind carbon copy" of each message
that is received by the Postfix mail system.

Note: with Postfix 2.3 and later the BCC address is added as if it was
specified with NOTIFY=NONE. The sender will not be notified when the
BCC address is undeliverable, as long as all down-stream software
implements RFC 3461.

Note: with Postfix 2.2 and earlier the sender will be notified when the
BCC address is undeliverable.

Note: automatic BCC recipients are produced only for new mail. To
avoid mailer loops, automatic BCC recipients are not generated after
Postfix forwards mail internally, or after Postfix generates mail
itself.

The time unit over which client connection rates and other rates are
calculated.

This feature is implemented by the anvil(8) service which is available
in Postfix version 2.2 and later.

The default interval is relatively short. Because of the high frequency
of updates, the anvil(8) server uses volatile memory only. Thus,
information is lost whenever the process terminates.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

How frequently the anvil(8) connection and rate limiting server logs
peak usage information.

This feature is available in Postfix 2.2 and later.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

With locally submitted mail, append the string "@$myorigin" to mail
addresses without domain information. With remotely submitted mail,
append the string "@$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default and must not be turned off.
Postfix does not support domain-less addresses.

Note 2: with Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

With locally submitted mail, append the string ".$mydomain" to
addresses that have no ".domain" information. With remotely submitted
mail, append the string ".$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default. If disabled, users will not
be able to send mail to "user@partialdomainname" but will have to
specify full domain names instead.

Note 2: with Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

How long the postkick(1) command waits for a request to enter the
Postfix daemon process input buffer before giving up.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

List of users who are authorized to flush the queue.

By default, all users are allowed to flush the queue. Access is always
granted if the invoking user is the super-user or the $mail_owner user.
Otherwise, the real UID of the process is looked up in the system
password file, and access is granted only if the corresponding login
name is on the access list. The username "unknown" is used for
processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored).
Continue long lines by starting the next line with whitespace. Specify
"!pattern" to exclude a name from the list. The form "!/file/name" is
supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to view the queue.

By default, all users are allowed to view the queue. Access is always
granted if the invoking user is the super-user or the $mail_owner user.
Otherwise, the real UID of the process is looked up in the system
password file, and access is granted only if the corresponding login
name is on the access list. The username "unknown" is used for
processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored).
Continue long lines by starting the next line with whitespace. Specify
"!pattern" to exclude a user name from the list. The form "!/file/name"
is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

List of users who are authorized to submit mail with the sendmail(1)
command (and with the privileged postdrop(1) helper command).

By default, all users are allowed to submit mail. Otherwise, the real
UID of the process is looked up in the system password file, and access
is granted only if the corresponding login name is on the access list.
The username "unknown" is used for processes whose real UID is not
found in the password file. To deny mail submission access to all users
specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored).
Continue long lines by starting the next line with whitespace. Specify
"!pattern" to exclude a user name from the list. The form "!/file/name"
is supported only in Postfix version 2.4 and later.

Example:

authorized_submit_users = !www, static:all

This feature is available in Postfix 2.2 and later.
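
The user-list rules shared by the three authorized_*_users parameters above, as an added example in Python (not Postfix's own code). The password file, the "/file/name" contents, the "hash:" table and the $mail_owner name are constructed stand-ins; a "static:" table is treated as matching every name, which is what makes "static:all" in the example above admit everyone not excluded earlier in the list.

```python
"""Model of the authorized_flush_users, authorized_mailq_users and
authorized_submit_users rules from postconf(5).  Added example, not
Postfix's own code; passwd, "/file/name" and "type:table" data are
constructed in-memory stand-ins."""
import re

MAIL_OWNER = "postfix"                                    # constructed $mail_owner
PASSWD = {0: "root", 33: "www", 106: "postfix", 1000: "alice", 1001: "bob"}
FILES = {"/etc/postfix/flush_users": "alice\n# ops team\nbob\n"}
TABLES = {"hash:/etc/postfix/ops": {"bob": "ok"}}         # table -> {key: result}


def split_list(value):
    """A main.cf list: items separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def login_name(uid):
    """Login name for the real UID, or "unknown" when it is not in passwd."""
    return PASSWD.get(uid, "unknown")


def table_has_key(pattern, key):
    """"type:table" pattern: matched when key is a lookup key; the lookup
    result is ignored.  A static: table answers every lookup, which is why
    "static:all" matches any name."""
    if pattern.startswith("static:"):
        return True
    return key in TABLES[pattern]                          # unknown table: fatal


def name_on_list(name, value):
    """Walk the list left to right; the first matching pattern decides.
    "!pattern" excludes the name.  No match means "not on the list", so an
    empty list matches nobody."""
    for pattern in split_list(value):
        allow = not pattern.startswith("!")
        pattern = pattern.lstrip("!")
        if pattern.startswith("/"):           # "/file/name": replaced by its contents
            lines = [ln for ln in FILES[pattern].splitlines()
                     if ln.strip() and not ln.lstrip().startswith("#")]
            hit = name in split_list(" ".join(lines))   # plain names only (model)
        elif ":" in pattern:                  # "type:table"
            hit = table_has_key(pattern, name)
        else:                                 # literal user name
            hit = pattern == name
        if hit:
            return allow
    return False


def authorized(uid, value, privileged_bypass):
    """Decision for the process with real UID uid.  privileged_bypass models
    the flush/mailq rule that the super-user and $mail_owner always get
    access; postconf(5) states no such rule for authorized_submit_users,
    so pass False for that list."""
    name = login_name(uid)
    if privileged_bypass and (uid == 0 or name == MAIL_OWNER):
        return True
    return name_on_list(name, value)
```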

What remote SMTP clients are allowed to specify the XVERP command.
This command requests that mail be delivered one recipient at a time
with a per recipient return address.

By default, only trusted clients are allowed to specify XVERP.

This parameter was introduced with Postfix version 1.1. Postfix
version 2.1 renamed this parameter to smtpd_authorized_verp_clients and
changed the default to none.

Specify a list of network/netmask patterns, separated by commas and/or
whitespace. The mask specifies the number of bits in the network part
of a host address. You can also specify hostnames or .domain names (the
initial dot causes the domain to match any name below it),
"/file/name" or "type:table" patterns. A "/file/name" pattern is
replaced by its contents; a "type:table" lookup table is matched when a
table entry matches a lookup string (the lookup result is ignored).
Continue long lines by starting the next line with whitespace. Specify
"!pattern" to exclude an address or network block from the list. The
form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in
the authorized_verp_clients value, and in files specified with
"/file/name". IP version 6 addresses contain the ":" character, and
would otherwise be confused with a "type:table" pattern.
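
The network/netmask list rules above, including the "[]" requirement for IPv6, as an added example in Python (not Postfix's own code). The list value, the "/file/name" contents and the "cidr:" table are constructed; rejecting an unbracketed IPv6 address outright and inverting a file's decision for "!/file/name" are this model's choices, since the page only says that such an address would be read as a "type:table" pattern.

```python
"""Model of the network/netmask client list used by authorized_verp_clients
in postconf(5), including the rule that IPv6 addresses go inside [] so
they are not read as "type:table" patterns.  Added example, not Postfix's
own code; the list, file and table contents are constructed."""
import ipaddress
import re

FILES = {"/etc/postfix/verp_hosts": "[2001:db8:2::]/48\n!mx2.example.org\n"}
TABLES = {"cidr:/etc/postfix/verp_clients": ["192.0.2.0/24"]}   # network keys
# Constructed authorized_verp_clients value for the walk-through.
VERP_CLIENTS = ("127.0.0.0/8, [::1]/128, [2001:db8:1::]/48, !mail.badexample.com, "
                ".example.net, cidr:/etc/postfix/verp_clients, /etc/postfix/verp_hosts")


def split_list(value):
    """A main.cf list: items separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def classify(pattern):
    """(kind, data) for one list item: net, host, domain, file or table.
    An IPv6 address written without [] is rejected here because, as the
    page notes, its ":" makes it look like a "type:table" pattern."""
    if pattern.startswith("/"):
        return "file", pattern
    if pattern.startswith("["):                           # "[ipv6]" or "[ipv6]/bits"
        addr, _, bits = pattern[1:].partition("]")
        return "net", ipaddress.ip_network(addr + bits, strict=False)
    if ":" in pattern:
        try:
            ipaddress.IPv6Address(pattern.split("/")[0])
        except ValueError:
            return "table", pattern                       # e.g. cidr:/etc/postfix/x
        raise ValueError("IPv6 address %r must be written inside []" % pattern)
    try:                                                  # "a.b.c.d" or "a.b.c.d/bits"
        return "net", ipaddress.ip_network(pattern, strict=False)
    except ValueError:                                    # hostname or ".domain"
        return ("domain" if pattern.startswith(".") else "host"), pattern.lower()


def matches(kind, data, ip, hostname):
    """Does a (non-file) pattern match the client address or its hostname?"""
    if kind == "net":
        return ip in data
    if kind == "host":
        return hostname.lower() == data
    if kind == "domain":                                  # any name below the domain
        return hostname.lower().endswith(data)
    return any(ip in ipaddress.ip_network(k) for k in TABLES[data])   # key match only


def _decide(ip, hostname, value):
    """Left-to-right walk: True/False from the first matching pattern, None if none."""
    for pattern in split_list(value):
        allow = not pattern.startswith("!")
        pattern = pattern.lstrip("!")
        kind, data = classify(pattern)
        if kind == "file":                                # nested list from the file
            sub = _decide(ip, hostname, FILES[data])
            if sub is not None:
                return sub if allow else not sub          # "!/file/name" inverts (model)
            continue
        if matches(kind, data, ip, hostname):
            return allow
    return None


def client_allowed(client_ip, hostname, value=VERP_CLIENTS):
    """authorized_verp_clients decision for one remote SMTP client."""
    return bool(_decide(ipaddress.ip_address(client_ip), hostname, value))
```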

Produce additional bounce(8) logfile records that can be read by
Postfix versions before 2.0. The current and more extensible "name =
value" format is needed in order to implement more sophisticated
functionality.

This feature is available in Postfix 2.1 and later.

The per-table I/O buffer size for programs that create Berkeley DB hash
or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

The per-table I/O buffer size for programs that read Berkeley DB hash
or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

Where the Postfix SMTP client should deliver mail when it detects a
"mail loops back to myself" error condition. This happens when the
local MTA is the best SMTP mail exchanger for a destination not listed
in $mydestination, $inet_interfaces, $proxy_interfaces,
$virtual_alias_domains, or $virtual_mailbox_domains. By default, the
Postfix SMTP client returns such mail as undeliverable.

Specify, for example, "best_mx_transport = local" to pass the mail from
the Postfix SMTP client to the local(8) delivery agent. You can specify
any message delivery "transport" or "transport:nexthop" that is defined
in the master.cf file. See the transport(5) manual page for the syntax
and meaning of "transport" or "transport:nexthop".

However, this feature is expensive because it ties up a Postfix SMTP
client process while the local(8) delivery agent is doing its work. It
is more efficient (for Postfix) to list all hosted domains in a table
or database.

Whether or not to use the local biff service. This service sends "new
mail" notifications to users who have requested new mail notification
with the UNIX command "biff y".

For compatibility reasons this feature is on by default. On systems
with lots of interactive users, the biff service can be a performance
drain. Specify "biff = no" in main.cf to disable.

Optional lookup tables for content inspection as specified in the
body_checks(5) manual page.

Note: with Postfix versions before 2.0, these rules inspect all content
after the primary message headers.

How much text in a message body segment (or attachment, if you prefer
to use that term) is subjected to body_checks inspection. The amount
of text is limited to avoid scanning huge attachments.

This feature is available in Postfix 2.0 and later.

The recipient of postmaster notifications with the message headers of
mail that Postfix did not deliver and of SMTP conversation transcripts
of mail that Postfix did not receive. This feature is enabled with the
notify_classes parameter.

Consider a bounce message as undeliverable, when delivery fails with a
temporary error, and the time in the queue has reached the
bounce_queue_lifetime limit. By default, this limit is the same as for
regular mail.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

This feature is available in Postfix 2.1 and later.

The name of the bounce(8) service. This service maintains a record of
failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

The maximal amount of original message text that is sent in a
non-delivery notification. Specify a byte count. A message is returned
as either message/rfc822 (the complete original) or as
text/rfc822-headers (the headers only). With Postfix version 2.4 and
earlier, a message is always returned as message/rfc822 and is
truncated when it exceeds the size limit.

Notes:

· If you increase this limit, then you should increase the
mime_nesting_limit value proportionally.

· Be careful when making changes. Excessively large values will
result in the loss of non-delivery notifications, when a bounce
message size exceeds a local or remote MTA's message size limit.

Pathname of a configuration file with bounce message templates. These
override the built-in templates of delivery status notification (DSN)
messages for undeliverable mail, for delayed mail, successful delivery,
or delivery verification. The bounce(5) manual page describes how to
edit and test template files.

Template message body text may contain $name references to Postfix
configuration parameters. The result of $name expansion can be
previewed with "postconf -b file_name" before the file is placed into
the Postfix configuration directory.

This feature is available in Postfix 2.3 and later.

Enable inter-operability with remote SMTP clients that implement an
obsolete version of the AUTH command (RFC 4954). Examples of such
clients are Microsoft Outlook Express version 4 and Microsoft Exchange
version 5.0.

Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient,
header_sender, header_recipient)
What addresses are subject to canonical_maps address mapping. By
default, canonical_maps address mapping is applied to envelope sender
and recipient addresses, and to header sender and header recipient
addresses.

Specify one or more of: envelope_sender, envelope_recipient,
header_sender, header_recipient

This feature is available in Postfix 2.2 and later.

Optional address mapping lookup tables for message headers and
envelopes. The mapping is applied to both sender and recipient
addresses, in both envelopes and in headers, as controlled with the
canonical_classes parameter. This is typically used to clean up dirty
addresses from legacy mail systems, or to replace login names by
Firstname.Lastname. The table format and lookups are documented in
canonical(5). For an overview of Postfix address manipulations see the
ADDRESS_REWRITING_README document.

If you use this feature, run "postmap /etc/postfix/canonical" to build
the necessary DBM or DB file after every change. The changes will
become visible after a minute or so. Use "postfix reload" to eliminate
the delay.

Note: with Postfix version 2.2, message header address mapping happens
only when message header address rewriting is enabled:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

Examples:

canonical_maps = dbm:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical

The name of the cleanup(8) service. This service rewrites addresses
into the standard form, and performs canonical(5) address mapping and
virtual(5) aliasing.

This feature is available in Postfix 2.0 and later.

The location of all postfix administrative commands.

The local(8) delivery agent working directory for delivery to external
commands. Failure to change directory causes the delivery to be
deferred.

The following $name expansions are done on command_execution_directory
before the directory is changed. Expansion happens in the context of
the delivery request. The result of $name expansion is filtered with
the character set that is specified with the
execution_directory_expansion_filter parameter.

$user   The recipient's username.

$shell   The recipient's login shell pathname.

$home   The recipient's home directory.

$recipient   The full recipient address.

$extension   The optional recipient address extension.

$domain   The recipient domain.

$local   The entire recipient localpart.

$recipient_delimiter   The system-wide recipient address extension
delimiter.

${name?value}   Expands to value when $name is non-empty.

${name:value}   Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

This feature is available in Postfix 2.2 and later.

Restrict the characters that the local(8) delivery agent allows in
$name expansions of $mailbox_command and $command_execution_directory.
Characters outside the allowed set are replaced by underscores.
835
837 Time limit for delivery to external commands. This limit is used by the
838 local(8) delivery agent, and is the default time limit for delivery by
839 the pipe(8) delivery agent.
840
841 Note: if you set this time limit to a large value you must update the
842 global ipc_timeout parameter as well.
843
845 The default location of the Postfix main.cf and master.cf configuration
846 files. This can be overruled via the following mechanisms:
847
848 · The MAIL_CONFIG environment variable (daemon processes and com‐
849 mands).
850
851 · The "-c" command-line option (commands only).
852
853 With Postfix commands that run with set-gid privileges, a config_direc‐
854 tory override requires either root privileges, or it requires that the
855 directory is listed with the alternate_config_directories parameter in
856 the default main.cf file.
857
859 Time limit for connection cache connect, send or receive operations.
860 The time limit is enforced in the client.
861
862 This feature is available in Postfix 2.3 and later.
863
865 The name of the scache(8) connection cache service. This service main‐
866 tains a limited pool of cached sessions.
867
868 This feature is available in Postfix 2.2 and later.
869
871 How frequently the scache(8) server logs usage statistics with connec‐
872 tion cache hit and miss rates for logical destinations and for physical
873 endpoints.
874
876 The maximal time-to-live value that the scache(8) connection cache
877 server allows. Requests that specify a larger TTL will be stored with
878 the maximum allowed TTL. The purpose of this additional control is to
879 protect the infrastructure against careless people. The cache TTL is
880 already bounded by $max_idle.
881
883 After the message is queued, send the entire message to the specified
884 transport:destination. The transport name specifies the first field of
885 a mail delivery agent definition in master.cf; the syntax of the next-
886 hop destination is described in the manual page of the corresponding
887 delivery agent. More information about external content filters is in
888 the Postfix FILTER_README file.
889
890 Notes:
891
892 · This setting has lower precedence than a FILTER action that is
893 specified in an access(5), header_checks(5) or body_checks(5)
894 table.
895
896 · The meaning of an empty next-hop filter destination is version
897 dependent. Postfix 2.7 and later will use the recipient domain,
898 so a value such as "smtp:" with no destination hands the message
899 to the smtp transport for delivery to the recipient's own domain
900 rather than to a filter host; earlier versions will use
901 $myhostname. Specify "default_filter_nexthop = $myhostname" for
902 compatibility with Postfix 2.6 or earlier, or specify a
903 content_filter value with an explicit next-hop destination.
902
904 Search path for Cyrus SASL application configuration files, currently
905 used only to locate the $smtpd_sasl_path.conf file. Specify zero or
906 more directories separated by a colon character, or an empty value to
907 use Cyrus SASL's built-in search path.
908
909 This feature is available in Postfix 2.5 and later when compiled with
910 Cyrus SASL 2.1.22 or later.
911
913 The directory with Postfix support programs and daemon programs. These
914 should not be invoked directly by humans. The directory must be owned
915 by root.
916
918 How a Postfix daemon process handles errors while opening lookup
919 tables: gradual degradation or immediate termination.
920
921 no (default)
922 Gradual degradation: a daemon process logs a message of type
923 "error" and continues execution with reduced functionality. Fea‐
924 tures that do not depend on the unavailable table will work nor‐
925 mally, while features that depend on the table will result in a
926 type "warning" message.
927 When the notify_classes parameter value contains the "data"
928 class, the Postfix SMTP server and client will report tran‐
929 scripts of sessions with an error because a table is unavail‐
930 able.
931
932 yes (historical behavior)
933 Immediate termination: a daemon process logs a type "fatal" mes‐
934 sage and terminates immediately. This option reduces the number
935 of possible code paths through Postfix, and may therefore be
936 slightly more secure than the default.
937
938 For the sake of sanity, the number of type "error" messages is limited
939 to 13 over the lifetime of a daemon process.
940
941 This feature is available in Postfix 2.9 and later.
942
944 How much time a Postfix daemon process may take to handle a request
945 before it is terminated by a built-in watchdog timer.
946
947 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
948 The default time unit is s (seconds).
949
951 The directory with Postfix-writable data files (for example: caches,
952 pseudo-random numbers). This directory must be owned by the mail_owner
953 account, and must not be shared with non-Postfix software.
954
955 This feature is available in Postfix 2.5 and later.
956
958 The increment in verbose logging level when a remote client or server
959 matches a pattern in the debug_peer_list parameter.
960
962 Optional list of remote client or server hostname or network address
963 patterns that cause the verbose logging level to increase by the amount
964 specified in $debug_peer_level.
965
966 Specify domain names, network/netmask patterns, "/file/name" patterns
967 or "type:table" lookup tables. The right-hand side result from
968 "type:table" lookups is ignored.
969
970 Pattern matching of domain names is controlled by the par‐
971 ent_domain_matches_subdomains parameter.
972
973 Examples:
974
975 debug_peer_list = 127.0.0.1
976 debug_peer_list = example.com
977
979 The external command to execute when a Postfix daemon program is
980 invoked with the -D option.
981
982 Use "command .. & sleep 5" so that the debugger can attach before the
983 process marches on. If you use an X-based debugger, be sure to set up
984 your XAUTHORITY environment variable before starting Postfix.
985
986 Note: the command is subject to $name expansion, before it is passed to
987 the default command interpreter. Specify "$$" to produce a single "$"
988 character.
989
990 Example:
991
992 debugger_command =
993 PATH=/usr/bin:/usr/X11R6/bin
994 ddd $daemon_directory/$process_name $process_id & sleep 5
995
997 The default database type for use in newaliases(1), postalias(1) and
998 postmap(1) commands. On many UNIX systems the default type is either
999 dbm or hash. The default setting is frozen when the Postfix system is
1000 built.
1001
1002 Examples:
1003
1004 default_database_type = hash
1005 default_database_type = dbm
1006
1008 How often the Postfix queue manager's scheduler is allowed to preempt
1009 delivery of one message with another.
1010
1011 Each transport maintains a so-called "available delivery slot counter"
1012 for each message. One message can be preempted by another one when the
1013 other message can be delivered using no more delivery slots (i.e.,
1014 invocations of delivery agents) than the current message counter has
1015 accumulated (or will eventually accumulate - see about slot loans
1016 below). This parameter controls how often the counter is incremented:
1017 it happens after each default_delivery_slot_cost recipients have been
1018 delivered.
1019
1020 The cost of 0 is used to disable the preempting scheduling completely.
1021 The minimum value the scheduling algorithm can use is 2 - use it if you
1022 want to maximize the message throughput rate. Although there is no max‐
1023 imum, it doesn't make much sense to use values above say 50.
1024
1025 The only reason why the value of 2 is not the default is the way this
1026 parameter affects the delivery of mailing-list mail. In the worst case,
1027 their delivery can take somewhere between (cost+1)/cost and
1028 cost/(cost-1) times as long as with the preemptive scheduler disabled.
1029 The default value of 5 turns out to provide reasonable message response
1030 times while making sure the mailing-list deliveries are not extended by
1031 more than 20-25 percent even in the worst case.
1032
1033 Use transport_delivery_slot_cost to specify a transport-specific over‐
1034 ride, where transport is the master.cf name of the message delivery
1035 transport.
1036
1037 Examples:
1038
1039 default_delivery_slot_cost = 0
1040 default_delivery_slot_cost = 2
1041
1043 The default value for transport-specific _delivery_slot_discount set‐
1044 tings.
1045
1046 This parameter speeds up the moment when a message preemption can hap‐
1047 pen. Instead of waiting until the full amount of delivery slots
1048 required is available, the preemption can happen when transport_deliv‐
1049 ery_slot_discount percent of the required amount plus transport_deliv‐
1050 ery_slot_loan still remains to be accumulated. Note that the full
1051 amount will still have to be accumulated before another preemption can
1052 take place later.
1053
1054 Use transport_delivery_slot_discount to specify a transport-specific
1055 override, where transport is the master.cf name of the message delivery
1056 transport.
1057
1059 The default value for transport-specific _delivery_slot_loan settings.
1060
1061 This parameter speeds up the moment when a message preemption can hap‐
1062 pen. Instead of waiting until the full amount of delivery slots
1063 required is available, the preemption can happen when transport_deliv‐
1064 ery_slot_discount percent of the required amount plus transport_deliv‐
1065 ery_slot_loan still remains to be accumulated. Note that the full
1066 amount will still have to be accumulated before another preemption can
1067 take place later.
1068
1069 Use transport_delivery_slot_loan to specify a transport-specific over‐
1070 ride, where transport is the master.cf name of the message delivery
1071 transport.
1072
1074 How many pseudo-cohorts must suffer connection or handshake failure
1075 before a specific destination is considered unavailable (and further
1076 delivery is suspended). Specify zero to disable this feature. A desti‐
1077 nation's pseudo-cohort failure count is reset each time a delivery com‐
1078 pletes without connection or handshake failure for that specific desti‐
1079 nation.
1080
1081 A pseudo-cohort is the number of deliveries equal to a destination's
1082 delivery concurrency.
1083
1084 Use transport_destination_concurrency_failed_cohort_limit to specify a
1085 transport-specific override, where transport is the master.cf name of
1086 the message delivery transport.
1087
1088 This feature is available in Postfix 2.5. The default setting is com‐
1089 patible with earlier Postfix versions.
1090
1092 The default maximal number of parallel deliveries to the same destina‐
1093 tion. This is the default limit for delivery via the lmtp(8), pipe(8),
1094 smtp(8) and virtual(8) delivery agents. With per-destination recipient
1095 limit > 1, a destination is a domain, otherwise it is a recipient.
1096
1097 Use transport_destination_concurrency_limit to specify a transport-spe‐
1098 cific override, where transport is the master.cf name of the message
1099 delivery transport.
1100
1102 The per-destination amount of delivery concurrency negative feedback,
1103 after a delivery completes with a connection or handshake failure.
1104 Feedback values are in the range 0..1 inclusive. With negative feed‐
1105 back, concurrency is decremented at the beginning of a sequence of
1106 length 1/feedback. This is unlike positive feedback, where concurrency
1107 is incremented at the end of a sequence of length 1/feedback.
1108
1109 As of Postfix version 2.5, negative feedback cannot reduce delivery
1110 concurrency to zero. Instead, a destination is marked dead (further
1111 delivery suspended) after the failed pseudo-cohort count reaches
1112 $default_destination_concurrency_failed_cohort_limit (or $trans‐
1113 port_destination_concurrency_failed_cohort_limit). To make the sched‐
1114 uler completely immune to connection or handshake failures, specify a
1115 zero feedback value and a zero failed pseudo-cohort limit.
1116
1117 Specify one of the following forms:
1118
1119 number
1120
1121 number / number
1122 Constant feedback. The value must be in the range 0..1 inclu‐
1123 sive. The default setting of "1" is compatible with Postfix
1124 versions before 2.5, where a destination's delivery concurrency
1125 is throttled down to zero (and further delivery suspended) after
1126 a single failed pseudo-cohort.
1127
1128 number / concurrency
1129 Variable feedback of "number / (delivery concurrency)". The
1130 number must be in the range 0..1 inclusive. With number equal to
1131 "1", a destination's delivery concurrency is decremented by 1
1132 after each failed pseudo-cohort.
1133
1134 A pseudo-cohort is the number of deliveries equal to a destination's
1135 delivery concurrency.
1136
1137 Use transport_destination_concurrency_negative_feedback to specify a
1138 transport-specific override, where transport is the master.cf name of
1139 the message delivery transport.
1140
1141 This feature is available in Postfix 2.5. The default setting is com‐
1142 patible with earlier Postfix versions.
1143
1145 The per-destination amount of delivery concurrency positive feedback,
1146 after a delivery completes without connection or handshake failure.
1147 Feedback values are in the range 0..1 inclusive. The concurrency
1148 increases until it reaches the per-destination maximal concurrency
1149 limit. With positive feedback, concurrency is incremented at the end of
1150 a sequence with length 1/feedback. This is unlike negative feedback,
1151 where concurrency is decremented at the start of a sequence of length
1152 1/feedback.
1153
1154 Specify one of the following forms:
1155
1156 number
1157
1158 number / number
1159 Constant feedback. The value must be in the range 0..1 inclu‐
1160 sive. The default setting of "1" is compatible with Postfix ver‐
1161 sions before 2.5, where a destination's delivery concurrency
1162 doubles after each successful pseudo-cohort.
1163
1164 number / concurrency
1165 Variable feedback of "number / (delivery concurrency)". The
1166 number must be in the range 0..1 inclusive. With number equal to
1167 "1", a destination's delivery concurrency is incremented by 1
1168 after each successful pseudo-cohort.
1169
1170 A pseudo-cohort is the number of deliveries equal to a destination's
1171 delivery concurrency.
1172
1173 Use transport_destination_concurrency_positive_feedback to specify a
1174 transport-specific override, where transport is the master.cf name of
1175 the message delivery transport.
1176
1177 This feature is available in Postfix 2.5 and later.
1178
1180 The default amount of delay that is inserted between individual deliv‐
1181 eries to the same destination; the resulting behavior depends on the
1182 value of the corresponding per-destination recipient limit.
1183
1184 · With a corresponding per-destination recipient limit > 1, the
1185 rate delay specifies the time between deliveries to the same
1186 domain. Different domains are delivered in parallel, subject to
1187 the process limits specified in master.cf.
1188
1189 · With a corresponding per-destination recipient limit equal to 1,
1190 the rate delay specifies the time between deliveries to the same
1191 recipient. Different recipients are delivered in parallel, sub‐
1192 ject to the process limits specified in master.cf.
1193
1194 To enable the delay, specify a non-zero time value (an integral value
1195 plus an optional one-letter suffix that specifies the time unit).
1196
1197 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1198 The default time unit is s (seconds).
1199
1200 NOTE: the delay is enforced by the queue manager. The delay timer state
1201 does not survive "postfix reload" or "postfix stop".
1202
1203 Use transport_destination_rate_delay to specify a transport-specific
1204 override, where transport is the master.cf name of the message delivery
1205 transport.
1206
1207 NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1208 tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1209 fix from deferring all mail for the same destination after only one
1210 connection or handshake error.
1211
1212 This feature is available in Postfix 2.5 and later.
1213
1215 The default maximal number of recipients per message delivery. This is
1216 the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
1217 virtual(8) delivery agents.
1218
1219 Setting this parameter to a value of 1 affects email deliveries as fol‐
1220 lows:
1221
1222 · It changes the meaning of the corresponding per-destination con‐
1223 currency limit, from concurrency of deliveries to the same
1224 domain into concurrency of deliveries to the same recipient.
1225 Different recipients are delivered in parallel, subject to the
1226 process limits specified in master.cf.
1227
1228 · It changes the meaning of the corresponding per-destination rate
1229 delay, from the delay between deliveries to the same domain into
1230 the delay between deliveries to the same recipient. Again, dif‐
1231 ferent recipients are delivered in parallel, subject to the
1232 process limits specified in master.cf.
1233
1234 · It changes the meaning of other corresponding per-destination
1235 settings in a similar manner, from settings for delivery to the
1236 same domain into settings for delivery to the same recipient.
1237
1238 Use transport_destination_recipient_limit to specify a transport-spe‐
1239 cific override, where transport is the master.cf name of the message
1240 delivery transport.
1241
1243 The default value for the extra per-transport limit imposed on the num‐
1244 ber of in-memory recipients. This extra recipient space is reserved
1245 for the cases when the Postfix queue manager's scheduler preempts one
1246 message with another and suddenly needs some extra recipients slots for
1247 the chosen message in order to avoid performance degradation.
1248
1249 Use transport_extra_recipient_limit to specify a transport-specific
1250 override, where transport is the master.cf name of the message delivery
1251 transport.
1252
1254 When a content_filter or FILTER request specifies no explicit next-hop
1255 destination, use $default_filter_nexthop instead; when that value is
1256 empty, use the domain in the recipient address. Specify "default_fil‐
1257 ter_nexthop = $myhostname" for compatibility with Postfix version 2.6
1258 and earlier, or specify an explicit next-hop destination with each con‐
1259 tent_filter value or FILTER action.
1260
1261 This feature is available in Postfix 2.7 and later.
1262
1264 How many recipients a message must have in order to invoke the Postfix
1265 queue manager's scheduling algorithm at all. Messages which would
1266 never accumulate at least this many delivery slots (subject to slot
1267 cost parameter as well) are never preempted.
1268
1269 Use transport_minimum_delivery_slots to specify a transport-specific
1270 override, where transport is the master.cf name of the message delivery
1271 transport.
1272
1274 The default rights used by the local(8) delivery agent for delivery to
1275 external file or command. These rights are used when delivery is
1276 requested from an aliases(5) file that is owned by root, or when deliv‐
1277 ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE
1278 POSTFIX OWNER.
1279
1281 The default maximal number of Postfix child processes that provide a
1282 given service. This limit can be overruled for specific services in the
1283 master.cf file.
1284
1286 The default Postfix SMTP server response template for a request that is
1287 rejected by an RBL-based restriction. This template can be overruled by
1288 specific entries in the optional rbl_reply_maps lookup table.
1289
1290 This feature is available in Postfix 2.0 and later.
1291
1292 The template is subject to exactly one level of $name substitution:
1293
1294 $client
1295 The client hostname and IP address, formatted as name[address].
1296
1297 $client_address
1298 The client IP address.
1299
1300 $client_name
1301 The client hostname or "unknown". See
1302 reject_unknown_client_hostname for more details.
1303
1304 $reverse_client_name
1305 The client hostname from address->name lookup, or "unknown".
1306 See reject_unknown_reverse_client_hostname for more details.
1307
1308 $helo_name
1309 The hostname given in HELO or EHLO command or empty string.
1310
1311 $rbl_class
1312 The blacklisted entity type: Client host, Helo command, Sender
1313 address, or Recipient address.
1314
1315 $rbl_code
1316 The numerical SMTP response code, as specified with the
1317 maps_rbl_reject_code configuration parameter. Note: The numeri‐
1318 cal SMTP response code is required, and must appear at the start
1319 of the reply. With Postfix version 2.3 and later this informa‐
1320 tion may be followed by an RFC 3463 enhanced status code.
1321
1322 $rbl_domain
1323 The RBL domain where $rbl_what is blacklisted.
1324
1325 $rbl_reason
1326 The reason why $rbl_what is blacklisted, or an empty string.
1327
1328 $rbl_what
1329 The entity that is blacklisted (an IP address, a hostname, a
1330 domain name, or an email address whose domain was blacklisted).
1331
1332 $recipient
1333 The recipient address or <> in case of the null address.
1334
1335 $recipient_domain
1336 The recipient domain or empty string.
1337
1338 $recipient_name
1339 The recipient address localpart or <> in case of null address.
1340
1341 $sender
1342 The sender address or <> in case of the null address.
1343
1344 $sender_domain
1345 The sender domain or empty string.
1346
1347 $sender_name
1348 The sender address localpart or <> in case of the null address.
1349
1350 ${name?text}
1351 Expands to `text' if $name is not empty.
1352
1353 ${name:text}
1354 Expands to `text' if $name is empty.
1355
1356 Instead of $name you can also specify ${name} or $(name).
1357
1358 Note: when an enhanced status code is specified in an RBL reply tem‐
1359 plate, it is subject to modification. The following transformations
1360 are needed when the same RBL reply template is used for client, helo,
1361 sender, or recipient access restrictions.
1362
1363 · When rejecting a sender address, the Postfix SMTP server will
1364 transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
1365 corresponding sender DSN status, and vice versa.
1366
1367 · When rejecting non-address information (such as the HELO command
1368 argument or the client hostname/address), the Postfix SMTP
1369 server will transform a sender or recipient DSN status into a
1370 generic non-address DSN status (e.g., 4.0.0).
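
The $name expansion applied to command_execution_directory and the
one-level template substitution of the RBL reply above share one
mechanism. The Python model below is an added illustration, not Postfix
code: it implements $name, ${name}, $(name), ${name?text}, ${name:text}
and $$ one level deep (lookup results are never rescanned, which is why
a "$" carried in a recipient extension or in a DNSBL TXT record stays a
literal "$"), plus the per-value character filter that
execution_directory_expansion_filter describes. The allowed character
set, the delivery attributes and the DNSBL data are constructed for the
example; the reply template is modelled on the shape of the Postfix
default and is an assumption of the example.

```python
import re
from typing import Callable, Mapping, Set

# One Postfix-style macro: $$, $name, ${name}, $(name), ${name?text}, ${name:text}
_MACRO = re.compile(
    r"\$(?:(\$)"                                        # 1: "$$"
    r"|([A-Za-z_][A-Za-z0-9_]*)"                        # 2: $name
    r"|\{([A-Za-z_][A-Za-z0-9_]*)(?:([?:])([^}]*))?\}"  # 3,4,5: ${name}, ${name?text}, ${name:text}
    r"|\(([A-Za-z_][A-Za-z0-9_]*)\))"                   # 6: $(name)
)


def expand(template: str, lookup: Callable[[str], str]) -> str:
    """One level of $name expansion.

    lookup(name) returns the attribute value, "" when undefined. Substituted
    values are inserted verbatim and never rescanned, so a "$" smuggled into an
    attribute stays a literal "$". The text inside ${name?text} / ${name:text}
    belongs to the template and is expanded; this simplified parser does not
    support nested braces inside that text.
    """
    def repl(m):
        if m.group(1):
            return "$"
        if m.group(2) or m.group(6):
            return lookup(m.group(2) or m.group(6))
        name, op, text = m.group(3), m.group(4), m.group(5)
        value = lookup(name)
        if op is None:
            return value
        if op == "?":                       # ${name?text}: text when $name non-empty
            return expand(text, lookup) if value else ""
        return expand(text, lookup) if not value else ""   # ${name:text}: text when empty
    return _MACRO.sub(repl, template)


def filtered_lookup(attrs: Mapping[str, str], allowed: Set[str]) -> Callable[[str], str]:
    """Filter every expansion result: characters outside the allowed set become
    "_", which is what execution_directory_expansion_filter does to the $name
    expansions of command_execution_directory. Literal template text is untouched."""
    def lookup(name: str) -> str:
        return "".join(c if c in allowed else "_" for c in attrs.get(name, ""))
    return lookup


# Allowed set constructed for this example; check the real default with
# "postconf -d execution_directory_expansion_filter".
SAFE_CHARS = set("0123456789!@%-_=+:,./"
                 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


def execution_directory(template: str, attrs: Mapping[str, str]) -> str:
    """Model of command_execution_directory expansion for one delivery request."""
    return expand(template, filtered_lookup(attrs, SAFE_CHARS))


def rbl_reply(template: str, attrs: Mapping[str, str]) -> str:
    """Model of the RBL reply template: exactly one level, no character filter."""
    return expand(template, lambda name: attrs.get(name, ""))


# Constructed delivery attributes: the extension came from an envelope recipient
# "alice+$(id)@example.com" crafted in the hope that it would be expanded again.
DELIVERY = {"user": "alice", "home": "/home/alice", "extension": "$(id)",
            "domain": "example.com"}

# Template modelled on the Postfix default for the RBL reply (assumption).
RBL_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")
# Constructed rejection; the TXT record text is under the list operator's control.
REJECTION = {"rbl_code": "554", "rbl_class": "Client host", "rbl_what": "192.0.2.1",
             "rbl_domain": "dnsbl.example.com",
             "rbl_reason": "see ${rbl_domain} or mail $postmaster"}

if __name__ == "__main__":
    print(execution_directory("$home/${extension:INBOX}$extension", DELIVERY))
    print(rbl_reply(RBL_TEMPLATE, REJECTION))
```

Two properties carry the security weight: the filter turns "$(id)" into
"__id_" before it ever reaches the chdir() or the command interpreter,
and even without the filter the substituted text is not rescanned, so
macros in attacker-influenced data are inert.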
1371
1373 The default per-transport upper limit on the number of in-memory recip‐
1374 ients. These limits take priority over the global qmgr_message_recipi‐
1375 ent_limit after the message has been assigned to the respective trans‐
1376 ports. See also default_extra_recipient_limit and qmgr_message_recipi‐
1377 ent_minimum.
1378
1379 Use transport_recipient_limit to specify a transport-specific override,
1380 where transport is the master.cf name of the message delivery trans‐
1381 port.
1382
1384 The default per-transport maximum delay between recipient refills.
1385 When not all message recipients fit into memory at once, load more of
1386 them at least once every this many seconds. This makes sure the
1387 recipients are refilled in a timely manner even when
1388 $default_recipient_refill_limit is too high for slow deliveries.
1389
1390 Use transport_recipient_refill_delay to specify a transport-specific
1391 override, where transport is the master.cf name of the message delivery
1392 transport.
1393
1394 This feature is available in Postfix 2.4 and later.
1395
1397 The default per-transport limit on the number of recipients refilled at
1398 once. When not all message recipients fit into memory at once, load
1399 more of them in batches of at least this many at a time. See also
1400 $default_recipient_refill_delay, which may result in smaller recipient
1401 batches when this limit is too high for slow deliveries.
1403
1404 Use transport_recipient_refill_limit to specify a transport-specific
1405 override, where transport is the master.cf name of the message delivery
1406 transport.
1407
1408 This feature is available in Postfix 2.4 and later.
1409
1411 The default mail delivery transport and next-hop destination for desti‐
1412 nations that do not match $mydestination, $inet_interfaces,
1413 $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
1414 $relay_domains. This information can be overruled with the
1415 sender_dependent_default_transport_maps parameter and with the trans‐
1416 port(5) table.
1417
1418 In order of decreasing precedence, the nexthop destination is taken
1419 from $sender_dependent_default_transport_maps, $default_transport,
1420 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
1421 domain.
1422
1423 Specify a string of the form transport:nexthop, where transport is the
1424 name of a mail delivery transport defined in master.cf. The :nexthop
1425 destination is optional; its syntax is documented in the manual page of
1426 the corresponding delivery agent.
1427
1428 Example:
1429
1430 default_transport = uucp:relayhostname
1431
1433 The two default VERP delimiter characters. These are used when no
1434 explicit delimiters are specified with the SMTP XVERP command or with
1435 the "sendmail -V" command-line option. Specify characters that are
1436 allowed by the verp_delimiter_filter setting.
1437
1438 This feature is available in Postfix 1.1 and later.
1439
1441 The numerical Postfix SMTP server response code when a remote SMTP
1442 client request is rejected by the "defer" restriction.
1443
1444 Do not change this unless you have a complete understanding of RFC
1445 5321.
1446
1448 The name of the defer service. This service is implemented by the
1449 bounce(8) daemon and maintains a record of failed delivery attempts and
1450 generates non-delivery notifications.
1451
1452 This feature is available in Postfix 2.0 and later.
1453
1455 The names of message delivery transports that should not deliver mail
1456 unless someone issues "sendmail -q" or equivalent. Specify zero or more
1457 names of mail delivery transports that appear in the first field of
1458 master.cf.
1459
1460 Example:
1461
1462 defer_transports = smtp
1463
1465 The maximal number of digits after the decimal point when logging sub-
1466 second delay values. Specify a number in the range 0..6.
1467
1468 Large delay values are rounded off to an integral number of seconds;
1469 delay values below the delay_logging_resolution_limit are logged as "0",
1470 and small delay values are logged with at most two-digit precision.
1471
1472 The format of the "delays=a/b/c/d" logging is as follows:
1473
1474 · a = time from message arrival to last active queue entry
1475
1476 · b = time from last active queue entry to connection setup
1477
1478 · c = time in connection setup, including DNS, EHLO and STARTTLS
1479
1480 · d = time in message transmission
1481
1482 This feature is available in Postfix 2.3 and later.
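
The "delays=a/b/c/d" breakdown is what an operator reads when mail is
slow or when a remote side starts failing handshakes. The Python below
is an added example, not part of Postfix: it parses the per-recipient
"to=<...>" log line, names the four stages as the list above defines
them, and picks out deliveries whose connection setup (the "c" field,
which includes DNS, EHLO and STARTTLS) dominates. The log lines are
constructed for the example; hosts, addresses and queue IDs are
invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The four delays= fields, in the order the man page gives them.
STAGES = ("before_active_queue", "in_active_queue", "connection_setup", "transmission")

_DELIVERY = re.compile(
    r"postfix/(?P<agent>[a-z]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<(?P<to>[^>]*)>, relay=(?P<relay>[^,]+), "
    r"delay=(?P<delay>[0-9.]+), "
    r"delays=(?P<a>[0-9.]+)/(?P<b>[0-9.]+)/(?P<c>[0-9.]+)/(?P<d>[0-9.]+), "
    r"dsn=(?P<dsn>[0-9.]+), status=(?P<status>[a-z]+)"
)


@dataclass
class Delivery:
    queue_id: str
    recipient: str
    relay: str
    dsn: str
    status: str
    total: float                # the delay= field
    delays: Dict[str, float]    # stage name -> seconds

    @property
    def slowest_stage(self) -> str:
        return max(self.delays, key=self.delays.__getitem__)


def parse_delivery(line: str) -> Optional[Delivery]:
    """Parse one smtp(8)/lmtp(8)/local(8) delivery record; None for other lines."""
    m = _DELIVERY.search(line)
    if m is None:
        return None
    return Delivery(
        queue_id=m["qid"], recipient=m["to"], relay=m["relay"], dsn=m["dsn"],
        status=m["status"], total=float(m["delay"]),
        delays=dict(zip(STAGES, (float(m[g]) for g in "abcd"))),
    )


def slow_connection_setups(lines: Iterable[str], threshold: float = 5.0) -> List[Delivery]:
    """Deliveries whose connection setup (DNS, EHLO, STARTTLS) took longer than
    threshold seconds. A rise here across many unrelated relays usually points
    at the local resolver or TLS setup rather than at the remote MTAs."""
    found = []
    for line in lines:
        d = parse_delivery(line)
        if d is not None and d.delays["connection_setup"] > threshold:
            found.append(d)
    return found


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Mar 20 14:31:48 mx1 postfix/smtp[12345]: 3Pt2mN2VXxznjll: to=<bob@example.org>, "
    "relay=mail.example.org[192.0.2.25]:25, delay=12, delays=0.05/0.01/11/0.9, "
    "dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "Mar 20 14:31:49 mx1 postfix/smtp[12346]: 3Pt2mN2VXyznjlm: to=<carol@example.net>, "
    "relay=mail.example.net[198.51.100.7]:25, delay=0.87, delays=0.1/0.02/0.2/0.55, "
    "dsn=2.0.0, status=sent (250 OK)",
    "Mar 20 14:32:20 mx1 postfix/smtp[12347]: 3Pt2mN2VXzznjln: to=<dave@example.com>, "
    "relay=none, delay=30, delays=0.1/0.02/30/0, dsn=4.4.1, status=deferred "
    "(connect to mail.example.com[203.0.113.9]:25: Connection timed out)",
    "Mar 20 14:32:21 mx1 postfix/qmgr[999]: 3Pt2mN2VXzznjln: removed",
]

if __name__ == "__main__":
    for d in slow_connection_setups(SAMPLE_LOG):
        print(d.queue_id, d.relay, d.status, d.delays["connection_setup"])
```

The parser matches only the per-recipient record; qmgr "removed" lines
and similar are skipped. Because the "a" field starts at message
arrival, a large "a" with small "b"/"c"/"d" means the message sat in the
deferred queue and was retried, not that the remote side was slow.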
1483
1485 The recipient of postmaster notifications with the message headers of
1486 mail that cannot be delivered within $delay_warning_time time units.
1487
1488 See also: delay_warning_time, notify_classes.
1489
1491 The time after which the sender receives a copy of the message headers
1492 of mail that is still queued.
1493
1494 To enable this feature, specify a non-zero time value (an integral
1495 value plus an optional one-letter suffix that specifies the time unit).
1496
1497 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1498 The default time unit is h (hours).
1499
1500 See also: delay_notice_recipient, notify_classes.
1501
1503 The maximal number of attempts to acquire an exclusive lock on a mail‐
1504 box file or bounce(8) logfile.
1505
1507 The time between attempts to acquire an exclusive lock on a mailbox
1508 file or bounce(8) logfile.
1509
1510 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1511 The default time unit is s (seconds).
1512
1514 Make the queue manager's feedback algorithm verbose for performance
1515 analysis purposes.
1516
1517 This feature is available in Postfix 2.5 and later.
1518
1520 Automatically detect 8BITMIME body content by looking at Content-Trans‐
1521 fer-Encoding: message headers; historically, this behavior was hard-
1522 coded to be "always on".
1523
1524 This feature is available in Postfix 2.5 and later.
1525
1527 Disable DNS lookups in the Postfix SMTP and LMTP clients. When dis‐
1528 abled, hosts are looked up with the getaddrinfo() system library rou‐
1529 tine which normally also looks in /etc/hosts.
1530
1531 DNS lookups are enabled by default.
1532
1534 Turn off MIME processing while receiving mail. This means that no spe‐
1535 cial treatment is given to Content-Type: message headers, and that all
1536 text after the initial message headers is considered to be part of the
1537 message body.
1538
1539 This feature is available in Postfix 2.0 and later.
1540
1541 MIME input processing is enabled by default, and is needed in order to
1542 recognize MIME headers in message content.
1543
1545 Disable the conversion of 8BITMIME format to 7BIT format. MIME output
1546 conversion is needed when the destination does not advertise 8BITMIME
1547 support.
1548
1549 This feature is available in Postfix 2.0 and later.
1550
1552 Disable sending one bounce report per recipient.
1553
1554 The default, one per recipient, is what ezmlm needs.
1555
1556 This feature is available in Postfix 1.1 and later.
1557
1559 Disable the SMTP VRFY command. This stops some techniques used to har‐
1560 vest email addresses. The default "no" leaves VRFY enabled; specify
1561 "yes" to turn the command off.
1562
1563 Example:
1564
1565 disable_vrfy_command = yes
1565
1567 A debugging aid to artificially delay DNS responses.
1568
1569 This feature is available in Postfix 2.8.
1570
1572 The name of the dnsblog(8) service entry in master.cf. This service
1573 performs DNS white/blacklist lookups.
1574
1575 This feature is available in Postfix 2.8 and later.
1576
1578 Don't remove queue files and save them to the "saved" mail queue. This
1579 is a debugging aid. To inspect the envelope information and content of
1580 a Postfix queue file, use the postcat(1) command.
1581
1583 The sender address of postmaster notifications that are generated by
1584 the mail system. All mail to this address is silently discarded, in
1585 order to terminate mail bounce loops.
1586
1588 The maximal number of addresses remembered by the address duplicate
1589 filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
1590 queue displays.
1591
1593 The sender_dependent_default_transport_maps search string that will be
1594 used instead of the null sender address.
1595
1596 This feature is available in Postfix 2.7 and later.
1597
1599 The recipient of mail addressed to the null address. Postfix does not
1600 accept such addresses in SMTP commands, but they may still be created
1601 locally as the result of configuration or software error.
1602
1604 The sender_dependent_relayhost_maps search string that will be used
1605 instead of the null sender address.
1606
1607 This feature is available in Postfix 2.5 and later. With earlier ver‐
1608 sions, sender_dependent_relayhost_maps lookups were skipped for the
1609 null sender address.
1610
1612 Report mail delivery errors to the address specified with the
1613 non-standard Errors-To: message header, instead of the envelope sender address
1614 (this feature is removed with Postfix version 2.2, is turned off by
1615 default with Postfix version 2.1, and is always turned on with older
1616 Postfix versions).
1617
1619 Enable long, non-repeating, queue IDs (queue file names). The benefit
1620 of non-repeating names is simpler logfile analysis and easier queue
1621 migration (there is no need to run "postsuper" to change queue file
1622 names that don't match their message file inode number).
1623
1624 Note: see below for how to prepare long queue file names for migration
1625 to Postfix <= 2.8.
1626
1627 Changing the parameter value to "yes" has the following effects:
1628
1629 · Existing queue file names are not affected.
1630
1631 · New queue files are created with names such as 3Pt2mN2VXxznjll.
1632 These are encoded in a 52-character alphabet that contains
1633 digits (0-9), upper-case letters (B-Z) and lower-case letters
1634 (b-z). For safety reasons the vowels (AEIOUaeiou) are excluded from
1635 the alphabet. The name format is: 6 or more characters for the
1636 time in seconds, 4 characters for the time in microseconds, the
1637 'z'; the remainder is the file inode number encoded in the first
1638 51 characters of the 52-character alphabet.
1639
1640 · New messages have a Message-ID header with queueID@myhostname.
1641
1642 · The mailq (postqueue -p) output has a wider Queue ID column.
1643 The number of whitespace-separated fields is not changed.
1644
1645 · The hash_queue_depth algorithm uses the first characters of the
1646 queue file creation time in microseconds, after conversion into
1647 hexadecimal representation. This produces the same queue hashing
1648 behavior as if the queue file name was created with
1649 "enable_long_queue_ids = no".
1650
1651 Changing the parameter value to "no" has the following effects:
1652
1653 · Existing long queue file names are renamed to the short form
1654 (while running "postfix reload" or "postsuper").
1655
1656 · New queue files are created with names such as C3CD21F3E90 from
1657 a hexadecimal alphabet that contains digits (0-9) and upper-case
1658 letters (A-F). The name format is: 5 characters for the time in
1659 microseconds; the remainder is the file inode number.
1660
1661 · New messages have a Message-ID header with
1662 YYYYMMDDHHMMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the year,
1663 month, day, hour, minute and second.
1664
1665 · The mailq (postqueue -p) output has the same format as with
1666 Postfix <= 2.8.
1667
1668 · The hash_queue_depth algorithm uses the first characters of the
1669 queue file name, with the hexadecimal representation of the file
1670 creation time in microseconds.
1671
1672 Before migration to Postfix <= 2.8, the following commands are required
1673 to convert long queue file names into short names:
1674
1675 # postfix stop
1676 # postconf enable_long_queue_ids=no
1677 # postsuper
1678
1679 Repeat the postsuper command until it reports no more queue file name
1680 changes.
1681
1682 This feature is available in Postfix 2.9 and later.
1683
1685 Enable support for the X-Original-To message header. This header is
1686 needed for multi-recipient mailboxes.
1687
1688 When this parameter is set to yes, the cleanup(8) daemon performs
1689 duplicate elimination on distinct pairs of (original recipient, rewrit‐
1690 ten recipient), and generates non-empty original recipient queue file
1691 records.
1692
1693 When this parameter is set to no, the cleanup(8) daemon performs dupli‐
1694 cate elimination on the rewritten recipient address only, and generates
1695 empty original recipient queue file records.
1696
1697 This feature is available in Postfix 2.1 and later. With Postfix ver‐
1698 sion 2.0, support for the X-Original-To message header is always turned
1699 on. Postfix versions before 2.0 have no support for the X-Original-To
1700 message header.
1701
1703 The recipient of postmaster notifications about mail delivery problems
1704 that are caused by policy, resource, software or protocol errors.
1705 These notifications are enabled with the notify_classes parameter.
1706
1708 The name of the error(8) pseudo delivery agent. This service always
1709 returns mail as undeliverable.
1710
1711 This feature is available in Postfix 2.0 and later.
1712
1714 Restrict the characters that the local(8) delivery agent allows in
1715 $name expansions of $command_execution_directory. Characters outside
1716 the allowed set are replaced by underscores.
1717
1718 This feature is available in Postfix 2.2 and later.
1719
1721 When delivering to an alias "aliasname" that has an "owner-aliasname"
1722 companion alias, set the envelope sender address to the expansion of
1723 the "owner-aliasname" alias. Normally, Postfix sets the envelope sender
1724 address to the name of the "owner-aliasname" alias.
1725
1727 The list of environment variables that a Postfix process will export to
1728 non-Postfix processes. The TZ variable is needed for sane time keeping
1729 on System-V-ish systems.
1730
1731 Specify a list of names and/or name=value pairs, separated by white‐
1732 space or comma. The name=value form is supported with Postfix version
1733 2.1 and later.
1734
1735 Example:
1736
1737 export_environment = TZ PATH=/bin:/usr/bin
1738
1740 The maximal number of recipient addresses that Postfix will extract
1741 from message headers when mail is submitted with "sendmail -t".
1742
1743 This feature was removed in Postfix version 2.1.
1744
1746 Optional list of relay hosts for SMTP destinations that can't be found
1747 or that are unreachable. With Postfix 2.3 this parameter is renamed to
1748 smtp_fallback_relay.
1749
1750 By default, mail is returned to the sender when a destination is not
1751 found, and delivery is deferred when a destination is unreachable.
1752
1753 The fallback relays must be SMTP destinations. Specify a domain, host,
1754 host:port, [host]:port, [address] or [address]:port; the form [host]
1755 turns off MX lookups. If you specify multiple SMTP destinations,
1756 Postfix will try them in the specified order.
1757
1758 Note: before Postfix 2.2, do not use the fallback_relay feature when
1759 relaying mail for a backup or primary MX domain. Mail would loop
1760 between the Postfix MX host and the fallback_relay host when the final
1761 destination is unavailable.
1762
1763 · In main.cf specify "relay_transport = relay",
1764
1765 · In master.cf specify "-o fallback_relay =" (i.e., empty) at the
1766 end of the relay entry.
1767
1768 · In transport maps, specify "relay:nexthop..." as the right-hand
1769 side for backup or primary MX domain entries.
1770
1771 Postfix version 2.2 and later will not use the fallback_relay feature
1772 for destinations that it is MX host for.
1773
1775 Optional message delivery transport that the local(8) delivery agent
1776 should use for names that are not found in the aliases(5) or UNIX pass‐
1777 word database.
1778
1779 The precedence of local(8) delivery features from high to low is:
1780 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
1781 mailbox_command_maps, mailbox_command, home_mailbox,
1782 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
1783
1785 Optional lookup tables with per-recipient message delivery transports
1786 for recipients that the local(8) delivery agent could not find in the
1787 aliases(5) or UNIX password database.
1788
1789 The precedence of local(8) delivery features from high to low is:
1790 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
1791 mailbox_command_maps, mailbox_command, home_mailbox,
1792 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
1793
1794 For safety reasons, this feature does not allow $number substitutions
1795 in regular expression maps.
1796
1797 This feature is available in Postfix 2.3 and later.
1798
1800 Optional list of destinations that are eligible for per-destination
1801 logfiles with mail that is queued to those destinations.
1802
1803 By default, Postfix maintains "fast flush" logfiles only for destina‐
1804 tions that the Postfix SMTP server is willing to relay to (i.e. the
1805 default is: "fast_flush_domains = $relay_domains"; see the
1806 relay_domains parameter in the postconf(5) manual).
1807
1808 Specify a list of hosts or domains, "/file/name" patterns or
1809 "type:table" lookup tables, separated by commas and/or whitespace. Continue
1810 long lines by starting the next line with whitespace. A "/file/name"
1811 pattern is replaced by its contents; a "type:table" lookup table is
1812 matched when the domain or its parent domain appears as lookup key.
1813
1814 Specify "fast_flush_domains =" (i.e., empty) to disable the feature
1815 altogether.
1816
1818 The time after which an empty per-destination "fast flush" logfile is
1819 deleted.
1820
1821 You can specify the time as a number, or as a number followed by a let‐
1822 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
1823 d=days, w=weeks. The default time unit is days.
1824
1826 The time after which a non-empty but unread per-destination "fast
1827 flush" logfile needs to be refreshed. The contents of a logfile are
1828 refreshed by requesting delivery of all messages listed in the logfile.
1829
1830 You can specify the time as a number, or as a number followed by a let‐
1831 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
1832 d=days, w=weeks. The default time unit is hours.
1833
1835 Force specific internal tests to fail, to test the handling of errors
1836 that are difficult to reproduce otherwise.
1837
1839 The name of the flush(8) service. This service maintains per-destina‐
1840 tion logfiles with the queue file names of mail that is queued for
1841 those destinations.
1842
1843 This feature is available in Postfix 2.0 and later.
1844
1846 The maximal number of attempts to fork() a child process.
1847
1849 The delay between attempts to fork() a child process.
1850
1851 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1852 The default time unit is s (seconds).
1853
1855 Restrict the characters that the local(8) delivery agent allows in
1856 $name expansions of $forward_path. Characters outside the allowed set
1857 are replaced by underscores.
1858
1860 The local(8) delivery agent search list for finding a .forward file
1861 with user-specified delivery methods. The first file that is found is
1862 used.
1863
1864 The following $name expansions are done on forward_path before the
1865 search actually happens. The result of $name expansion is filtered with
1866 the character set that is specified with the forward_expansion_filter
1867 parameter.
1868
1869 $user The recipient's username.
1870
1871 $shell The recipient's login shell pathname.
1872
1873 $home The recipient's home directory.
1874
1875 $recipient
1876 The full recipient address.
1877
1878 $extension
1879 The optional recipient address extension.
1880
1881 $domain
1882 The recipient domain.
1883
1884 $local The entire recipient localpart.
1885
1886 $recipient_delimiter
1887 The system-wide recipient address extension delimiter.
1888
1889 ${name?value}
1890 Expands to value when $name is non-empty.
1891
1892 ${name:value}
1893 Expands to value when $name is empty.
1894
1895 Instead of $name you can also specify ${name} or $(name).
1896
1897 Examples:
1898
1899 forward_path = /var/forward/$user
1900 forward_path =
1901 /var/forward/$user/.forward$recipient_delimiter$extension,
1902 /var/forward/$user/.forward
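
The Python program below is an added illustration, not part of the postconf(5) manual or of Postfix. It expands a forward_path template with the $name, ${name}, $(name), ${name?value}, ${name:value} and $$ forms listed above, and passes every expanded attribute value through a forward_expansion_filter character set, replacing anything outside the set with an underscore. The allowed character set, the recipient attributes and the helper names (expand, forward_search_list, recipient_attrs) are constructed for this example; the real Postfix default filter and the exact way local(8) treats an address without an extension are not modelled.

```python
"""Expand forward_path the way the $name expansions above describe.

Added example, not Postfix code. The ALLOWED set plays the role of
forward_expansion_filter and is constructed for this illustration; it is
deliberately stricter than a production setting so the filtering is visible.
"""
import re
from typing import Dict, List

# Constructed stand-in for forward_expansion_filter: any character of an
# expanded attribute value that is not in this set is replaced by '_'.
ALLOWED = set("0123456789-_=+:,./@"
              "abcdefghijklmnopqrstuvwxyz"
              "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# $$, ${name}, ${name?value}, ${name:value}, $(name) and $name.
# Conditional values may themselves contain $name forms but not nested braces.
_TOKEN = re.compile(r"""
      \$\$
    | \$\{(?P<n1>\w+)(?:(?P<op>[?:])(?P<val>[^}]*))?\}
    | \$\((?P<n2>\w+)\)
    | \$(?P<n3>\w+)
""", re.VERBOSE)


def filter_value(value: str) -> str:
    """Apply the expansion filter: keep allowed characters, '_' for the rest."""
    return "".join(ch if ch in ALLOWED else "_" for ch in value)


def expand(template: str, attrs: Dict[str, str]) -> str:
    """Expand one forward_path entry. Only attribute values are filtered;
    literal text in the template is the administrator's and passes through."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        name = m.group("n1") or m.group("n2") or m.group("n3")
        value = attrs.get(name, "")
        op = m.group("op")
        if op == "?":                      # ${name?value}: value if $name non-empty
            return expand(m.group("val"), attrs) if value else ""
        if op == ":":                      # ${name:value}: value if $name empty
            return "" if value else expand(m.group("val"), attrs)
        return filter_value(value)
    return _TOKEN.sub(repl, template)


def forward_search_list(forward_path: str, attrs: Dict[str, str]) -> List[str]:
    """Split a comma/whitespace separated forward_path and expand each entry,
    giving the candidate .forward files in search order."""
    entries = [e for e in re.split(r"[\s,]+", forward_path.strip()) if e]
    return [expand(e, attrs) for e in entries]


def recipient_attrs(recipient: str, delimiter: str = "+") -> Dict[str, str]:
    """Derive the $name attributes listed above from a recipient address.
    Home directory and shell are constructed, not looked up in the passwd file."""
    local, _, domain = recipient.rpartition("@")
    user, _, extension = local.partition(delimiter)
    return {
        "user": user,
        "extension": extension,
        "domain": domain,
        "local": local,
        "recipient": recipient,
        "recipient_delimiter": delimiter,
        "home": "/home/" + user,
        "shell": "/bin/sh",
    }


if __name__ == "__main__":
    template = ("/var/forward/$user/.forward$recipient_delimiter$extension, "
                "/var/forward/$user/.forward")
    for rcpt in ("alice+news@example.com", "carol+a b;c@example.com"):
        print(rcpt, "->", forward_search_list(template, recipient_attrs(rcpt)))
```

With the template from the examples above, alice+news@example.com yields /var/forward/alice/.forward+news followed by /var/forward/alice/.forward, while an extension containing a space and a semicolon comes out as .forward+a_b_c: the filter decides which characters of recipient-controlled input may reach the file system. A template such as $home/.forward${extension?$recipient_delimiter$extension} uses the conditional form so that the delimiter is only appended when an extension is present.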
1903
1905 Update the local(8) delivery agent's idea of the Delivered-To: address
1906 (see prepend_delivered_header) only once, at the start of a delivery
1907 attempt; do not update the Delivered-To: address while expanding
1908 aliases or .forward files.
1909
1910 This feature is available in Postfix 2.3 and later. With older Postfix
1911 releases, the behavior is as if this parameter is set to "no". The old
1912 setting can be expensive with deeply nested aliases or .forward files.
1913 When an alias or .forward file changes the Delivered-To: address, it
1914 ties up one queue file and one cleanup process instance while mail is
1915 being forwarded.
1916
1918 The number of subdirectory levels for queue directories listed with the
1919 hash_queue_names parameter. Queue hashing is implemented by creating
1920 one or more levels of directories with one-character names. Origi‐
1921 nally, these directory names were equal to the first characters of the
1922 queue file name, with the hexadecimal representation of the file cre‐
1923 ation time in microseconds.
1924
1925 With long queue file names, queue hashing produces the same results as
1926 with short names. The file creation time in microseconds is converted
1927 into hexadecimal form before the result is used for queue hashing. The
1928 base 16 encoding gives finer control over the number of subdirectories
1929 than is possible with the base 52 encoding of long queue file names.
1930
1931 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
1932 cute the command "postfix reload".
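
As an added illustration (not Postfix code), the Python program below decodes the long queue file names described under enable_long_queue_ids and derives the hash_queue_depth directory for both the long and the short name form, so that a queue ID taken from a log line can be turned back into its creation time. The character set is the one stated above; its ordering (digits, then the upper-case, then the lower-case consonants), the most-significant-digit-first digit order and the function names are assumptions made for this example. The sample ID is the one quoted above.

```python
"""Decode Postfix long queue IDs and compute their hash_queue_depth directory.

Added example, not Postfix code. Assumed: the 52 symbols are ordered digits,
upper-case consonants, lower-case consonants, and digits are written most
significant first.
"""
import datetime
from typing import Tuple

# 52-character alphabet from the enable_long_queue_ids description: digits,
# B-Z and b-z without the vowels. Ordering is an assumption of this example.
ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
_INDEX = {ch: i for i, ch in enumerate(ALPHABET)}
SEC_PAD = 6      # "6 or more characters for the time in seconds"
USEC_PAD = 4     # "4 characters for the time in microseconds"
SEP = "z"        # separator; the inode part uses only the first 51 symbols,
                 # so 'z' never occurs after the separator


def _decode(digits: str, base: int) -> int:
    value = 0
    for ch in digits:
        idx = _INDEX.get(ch)
        if idx is None or idx >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        value = value * base + idx
    return value


def _encode(value: int, base: int, pad: int) -> str:
    digits = []
    while True:
        value, rem = divmod(value, base)
        digits.append(ALPHABET[rem])
        if value == 0:
            break
    return "".join(reversed(digits)).rjust(pad, ALPHABET[0])


def is_long_queue_id(qid: str) -> bool:
    """Short IDs are upper-case hexadecimal and can never contain the separator."""
    return SEP in qid


def decode_long_queue_id(qid: str) -> Tuple[int, int, int]:
    """Return (seconds, microseconds, inode). The last 'z' is the separator
    because the inode part cannot contain one."""
    sep = qid.rfind(SEP)
    if sep < SEC_PAD + USEC_PAD or sep == len(qid) - 1:
        raise ValueError(f"{qid!r} is not a long queue ID")
    sec = _decode(qid[:sep - USEC_PAD], 52)
    usec = _decode(qid[sep - USEC_PAD:sep], 52)
    if usec >= 1_000_000:
        raise ValueError(f"{qid!r}: microsecond field out of range")
    inode = _decode(qid[sep + 1:], 51)
    return sec, usec, inode


def encode_long_queue_id(sec: int, usec: int, inode: int) -> str:
    """Inverse of decode_long_queue_id: build the name from its three fields."""
    return (_encode(sec, 52, SEC_PAD) + _encode(usec, 52, USEC_PAD)
            + SEP + _encode(inode, 51, 0))


def creation_time(qid: str) -> datetime.datetime:
    """Queue file creation time (UTC) recovered from a long queue ID."""
    sec, usec, _ = decode_long_queue_id(qid)
    base = datetime.datetime.fromtimestamp(sec, tz=datetime.timezone.utc)
    return base.replace(microsecond=usec)


def hash_queue_dir(qid: str, depth: int) -> str:
    """Subdirectory path under the queue directory for a given hash_queue_depth.

    Both name forms hash on the creation time in microseconds written as five
    upper-case hexadecimal digits: a short ID starts with them, a long ID is
    converted first, so the result is the same for both forms."""
    if is_long_queue_id(qid):
        _, usec, _ = decode_long_queue_id(qid)
        key = f"{usec:05X}"
    else:
        key = qid[:5]
    return "/".join(key[:depth])


if __name__ == "__main__":
    qid = "3Pt2mN2VXxznjll"           # sample name quoted in the description above
    print(qid, decode_long_queue_id(qid), creation_time(qid).isoformat())
    print("hash_queue_depth=2 dir:", hash_queue_dir(qid, 2))
```

Under these assumptions the sample name 3Pt2mN2VXxznjll decodes to a creation time of 2011-03-20 14:31:48.353025 UTC, and its hash_queue_depth=2 directory is 5/6, the first two digits of the microsecond value 353025 written in hexadecimal (56301).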
1933
1935 The names of queue directories that are split across multiple subdirec‐
1936 tory levels.
1937
1938 Before Postfix version 2.2, the default list of hashed queues was sig‐
1939 nificantly larger. Claims about improvements in file system technology
1940 suggest that hashing of the incoming and active queues is no longer
1941 needed. Fewer hashed directories speed up the time needed to restart
1942 Postfix.
1943
1944 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
1945 cute the command "postfix reload".
1946
1948 The maximal number of address tokens that are allowed in an address message
1949 header. Information that exceeds the limit is discarded. The limit is
1950 enforced by the cleanup(8) server.
1951
1953 Optional lookup tables for content inspection of primary non-MIME mes‐
1954 sage headers, as specified in the header_checks(5) manual page.
1955
1957 The maximal amount of memory in bytes for storing a message header. If
1958 a header is larger, the excess is discarded. The limit is enforced by
1959 the cleanup(8) server.
1960
1962 Log warnings about problematic configuration settings, and provide
1963 helpful suggestions.
1964
1965 This feature is available in Postfix 2.0 and later.
1966
1968 Optional pathname of a mailbox file relative to a local(8) user's home
1969 directory.
1970
1971 Specify a pathname ending in "/" for qmail-style delivery.
1972
1973 The precedence of local(8) delivery features from high to low is:
1974 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
1975 mailbox_command_maps, mailbox_command, home_mailbox,
1976 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
1977
1978 Examples:
1979
1980 home_mailbox = Mailbox
1981 home_mailbox = Maildir/
1982
1984 The maximal number of Received: message headers that are allowed in the
1985 primary message headers. A message that exceeds the limit is bounced,
1986 in order to stop a mailer loop.
1987
1989 The location of Postfix HTML files that describe how to build, config‐
1990 ure or operate a specific Postfix subsystem or feature.
1991
1993 Ignore DNS MX lookups that produce no response. By default, the
1994 Postfix SMTP client defers delivery and tries again after some delay. This
1995 behavior is required by the SMTP standard.
1996
1997 Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
1998 instead. This violates the SMTP standard and can result in mis-delivery
1999 of mail.
2000
2002 The list of environment parameters that a Postfix process will import
2003 from a non-Postfix parent process. Examples of relevant parameters:
2004
2005 TZ Needed for sane time keeping on most System-V-ish systems.
2006
2007 DISPLAY
2008 Needed for debugging Postfix daemons with an X-windows debugger.
2009
2010 XAUTHORITY
2011 Needed for debugging Postfix daemons with an X-windows debugger.
2012
2013 MAIL_CONFIG
2014 Needed to make "postfix -c" work.
2015
2016 Specify a list of names and/or name=value pairs, separated by white‐
2017 space or comma. The name=value form is supported with Postfix version
2018 2.1 and later.
2019
2021 Time to pause before accepting a new message, when the message arrival
2022 rate exceeds the message delivery rate. This feature is turned on by
2023 default (it's disabled on SCO UNIX due to an SCO bug).
2024
2025 With the default 100 Postfix SMTP server process limit, "in_flow_delay
2026 = 1s" limits the mail inflow to 100 messages per second above the num‐
2027 ber of messages delivered per second.
2028
2029 Specify 0 to disable the feature. Valid delays are 0..10.
2030
2032 The network interface addresses that this mail system receives mail on.
2033 Specify "all" to receive mail on all network interfaces (default), and
2034 "loopback-only" to receive mail on loopback network interfaces only
2035 (Postfix version 2.2 and later). The parameter also controls delivery
2036 of mail to user@[ip.address].
2037
2038 Note 1: you need to stop and start Postfix when this parameter changes.
2039
2040 Note 2: address information may be enclosed inside [], but this form is
2041 not required here.
2042
2043 When inet_interfaces specifies just one IPv4 and/or IPv6 address that
2044 is not a loopback address, the Postfix SMTP client will use this
2045 address as the IP source address for outbound mail. Support for IPv6 is
2046 available in Postfix version 2.2 and later.
2047
2048 On a multi-homed firewall with separate Postfix instances listening on
2049 the "inside" and "outside" interfaces, this can prevent each instance
2050 from being able to reach remote SMTP servers on the "other side" of the
2051 firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential
2052 problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2053 lem for IPv6.
2054
2055 A better solution for multi-homed firewalls is to leave inet_interfaces
2056 at the default value and instead use explicit IP addresses in the
2057 master.cf SMTP server definitions. This preserves the Postfix SMTP
2058 client's loop detection, by ensuring that each side of the firewall
2059 knows that the other IP address is still the same host. Setting
2060 $inet_interfaces to a single IPv4 and/or IPv6 address is primarily
2061 useful with virtual hosting of domains on secondary IP addresses, when
2062 each IP address serves a different domain (and has a different
2063 $myhostname setting).
2064
2065 See also the proxy_interfaces parameter, for network addresses that are
2066 forwarded to Postfix by way of a proxy or address translator.
2067
2068 Examples:
2069
2070 inet_interfaces = all (DEFAULT)
2071 inet_interfaces = loopback-only (Postfix version 2.2 and later)
2072 inet_interfaces = 127.0.0.1
2073 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2074 inet_interfaces = 192.168.1.2, 127.0.0.1
2075
2077 The Internet protocols Postfix will attempt to use when making or
2078 accepting connections. Specify one or more of "ipv4" or "ipv6", sepa‐
2079 rated by whitespace or commas. The form "all" is equivalent to "ipv4,
2080 ipv6" or "ipv4", depending on whether the operating system implements
2081 IPv6.
2082
2083 With Postfix 2.8 and earlier the default is "ipv4". For backwards com‐
2084 patibility with these releases, the Postfix 2.9 and later upgrade pro‐
2085 cedure appends an explicit "inet_protocols = ipv4" setting to main.cf
2086 when no explicit setting is present. This compatibility workaround will
2087 be phased out as IPv6 deployment becomes more common.
2088
2089 This feature is available in Postfix 2.2 and later.
2090
2091 Note: you MUST stop and start Postfix after changing this parameter.
2092
2093 On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2094 will also accept IPv4 connections, even when IPv4 is turned off with
2095 the inet_protocols parameter. On systems with IPV6_V6ONLY support,
2096 Postfix will use separate server sockets for IPv6 and IPv4, and each
2097 will accept only connections for the corresponding protocol.
2098
2099 When IPv4 support is enabled via the inet_protocols parameter, Postfix
2100 will look up DNS type A records, and will convert IPv4-in-IPv6 client
2101 IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
2102 The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
2103 3493).
2104
2105 When IPv6 support is enabled via the inet_protocols parameter, Postfix
2106 will do DNS type AAAA record lookups.
2107
2108 When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
2109 will attempt to connect via IPv6 before attempting to use IPv4.
2110
2111 Examples:
2112
2113 inet_protocols = ipv4
2114 inet_protocols = all (DEFAULT)
2115 inet_protocols = ipv6
2116 inet_protocols = ipv4, ipv6
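
As an added example (not Postfix code), the following Python shows the IPv4-in-IPv6 conversion just described and why it matters for address-based policy: without it, a client that arrives as ::ffff:192.0.2.10 on a dual-stack socket would not match an IPv4 network such as 192.0.2.0/24. The sample addresses, networks and function names are constructed for this illustration.

```python
"""Report an IPv4-in-IPv6 client address in its original IPv4 form, as the
inet_protocols description says Postfix does when IPv4 is enabled.

Added example, not Postfix code; addresses and networks are constructed."""
import ipaddress
from typing import List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def normalize_client_address(text: str) -> IPAddress:
    """::ffff:a.b.c.d becomes IPv4Address a.b.c.d; anything else is unchanged."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def matches_any(text: str, networks: List[str]) -> bool:
    """True when the normalised client address lies inside one of the CIDR
    networks, e.g. an IPv4-only client list on a dual-stack socket."""
    addr = normalize_client_address(text)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def matches_without_normalization(text: str, networks: List[str]) -> bool:
    """Same check on the raw address, to show what goes wrong without the
    conversion: a mapped IPv6 address never matches an IPv4 network."""
    addr = ipaddress.ip_address(text)
    return any(addr in ipaddress.ip_network(net) for net in networks)


if __name__ == "__main__":
    trusted = ["192.0.2.0/24", "2001:db8::/32"]      # constructed network list
    for client in ("::ffff:192.0.2.10", "192.0.2.10", "2001:db8::1", "198.51.100.7"):
        print(client, "->", normalize_client_address(client),
              "trusted:", matches_any(client, trusted))
```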
2117
2119 The initial per-destination concurrency level for parallel delivery to
2120 the same destination. With per-destination recipient limit > 1, a des‐
2121 tination is a domain, otherwise it is a recipient.
2122
2123 Use transport_initial_destination_concurrency to specify a transport-
2124 specific override, where transport is the master.cf name of the message
2125 delivery transport (Postfix 2.5 and later).
2126
2127 Warning: with concurrency of 1, one bad message can be enough to block
2128 all mail to a site.
2129
2131 What categories of Postfix-generated mail are subject to before-queue
2132 content inspection by non_smtpd_milters, header_checks and body_checks.
2133 Specify zero or more of the following, separated by whitespace or
2134 comma.
2135
2136 bounce Inspect the content of delivery status notifications.
2137
2138 notify Inspect the content of postmaster notifications by the smtp(8)
2139 and smtpd(8) processes.
2140
2141 NOTE: It's generally not safe to enable content inspection of Postfix-
2142 generated email messages. The user is warned.
2143
2144 This feature is available in Postfix 2.3 and later.
2145
2147 The numerical Postfix SMTP server response code when the client HELO or
2148 EHLO command parameter is rejected by the reject_invalid_helo_hostname
2149 restriction.
2150
2151 Do not change this unless you have a complete understanding of RFC
2152 5321.
2153
2155 The time after which a client closes an idle internal communication
2156 channel. The purpose is to allow Postfix daemon processes to terminate
2157 voluntarily after they become idle. This is used, for example, by the
2158 Postfix address resolving and rewriting clients.
2159
2160 With Postfix 2.4 the default value was reduced from 100s to 5s.
2161
2162 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2163 The default time unit is s (seconds).
2164
2166 The time limit for sending or receiving information over an internal
2167 communication channel. The purpose is to break out of deadlock situa‐
2168 tions. If the time limit is exceeded the software aborts with a fatal
2169 error.
2170
2171 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2172 The default time unit is s (seconds).
2173
2175 The time after which a client closes an active internal communication
2176 channel. The purpose is to allow Postfix daemon processes to terminate
2177 voluntarily after reaching their client limit. This is used, for exam‐
2178 ple, by the Postfix address resolving and rewriting clients.
2179
2180 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2181 The default time unit is s (seconds).
2182
2183 This feature is available in Postfix 2.1 and later.
2184
2186 Upon input, long lines are chopped up into pieces of at most this
2187 length; upon delivery, long lines are reconstructed.
2188
2190 The LMTP-specific version of the smtp_address_preference configuration
2191 parameter. See there for details.
2192
2193 This feature is available in Postfix 2.8 and later.
2194
2196 When a remote LMTP server announces no DSN support, assume that the
2197 server performs final delivery, and send "delivered" delivery status
2198 notifications instead of "relayed". The default setting is backwards
2199 compatible to avoid the infinitesimal possibility of breaking existing
2200 LMTP-based content filters.
2201
2203 The LMTP-specific version of the smtp_bind_address configuration param‐
2204 eter. See there for details.
2205
2206 This feature is available in Postfix 2.3 and later.
2207
2209 The LMTP-specific version of the smtp_bind_address6 configuration
2210 parameter. See there for details.
2211
2212 This feature is available in Postfix 2.3 and later.
2213
2215 The LMTP-specific version of the smtp_body_checks configuration parame‐
2216 ter. See there for details.
2217
2218 This feature is available in Postfix 2.5 and later.
2219
2221 Keep Postfix LMTP client connections open for up to $max_idle seconds.
2222 When the LMTP client receives a request for the same connection the
2223 connection is reused.
2224
2225 This parameter is available in Postfix version 2.2 and earlier. With
2226 Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
2227 lmtp_connection_cache_destinations, or
2228 lmtp_connection_reuse_time_limit.
2229
2230 The effectiveness of cached connections will be determined by the num‐
2231 ber of remote LMTP servers in use, and the concurrency limit specified
2232 for the Postfix LMTP client. Cached connections are closed under any of
2233 the following conditions:
2234
2235 · The Postfix LMTP client idle time limit is reached. This limit
2236 is specified with the Postfix max_idle configuration parameter.
2237
2238 · A delivery request specifies a different destination than the
2239 one currently cached.
2240
2241 · The per-process limit on the number of delivery requests is
2242 reached. This limit is specified with the Postfix max_use con‐
2243 figuration parameter.
2244
2245 · Upon the onset of another delivery request, the remote LMTP
2246 server associated with the current session does not respond to
2247 the RSET command.
2248
2249 Most of these limitations have been addressed by the Postfix 2.3 and later
2250 connection cache that is shared among multiple LMTP client programs.
2251
2253 The LMTP-specific version of the smtp_cname_overrides_servername con‐
2254 figuration parameter. See there for details.
2255
2256 This feature is available in Postfix 2.3 and later.
2257
2259 The Postfix LMTP client time limit for completing a TCP connection, or
2260 zero (use the operating system built-in time limit). When no connec‐
2261 tion can be made within the deadline, the LMTP client tries the next
2262 address on the mail exchanger list.
2263
2264 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2265 The default time unit is s (seconds).
2266
2267 Example:
2268
2269 lmtp_connect_timeout = 30s
2270
2272 The LMTP-specific version of the smtp_connection_cache_destinations
2273 configuration parameter. See there for details.
2274
2275 This feature is available in Postfix 2.3 and later.
2276
2278 The LMTP-specific version of the smtp_connection_cache_on_demand con‐
2279 figuration parameter. See there for details.
2280
2281 This feature is available in Postfix 2.3 and later.
2282
2284 The LMTP-specific version of the smtp_connection_cache_time_limit con‐
2285 figuration parameter. See there for details.
2286
2287 This feature is available in Postfix 2.3 and later.
2288
2290 The LMTP-specific version of the smtp_connection_reuse_time_limit con‐
2291 figuration parameter. See there for details.
2292
2293 This feature is available in Postfix 2.3 and later.
2294
2296 The Postfix LMTP client time limit for sending the LMTP ".", and for
2297 receiving the remote LMTP server response. When no response is
2298 received within the deadline, a warning is logged that the mail may be
2299 delivered multiple times.
2300
2301 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2302 The default time unit is s (seconds).
2303
2305 The Postfix LMTP client time limit for sending the LMTP DATA command,
2306 and for receiving the remote LMTP server response.
2307
2308 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2309 The default time unit is s (seconds).
2310
2312 The Postfix LMTP client time limit for sending the LMTP message con‐
2313 tent. When the connection stalls for more than $lmtp_data_xfer_timeout
2314 the LMTP client terminates the transfer.
2315
2316 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2317 The default time unit is s (seconds).
2318
2320 The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2321 figuration parameter. See there for details.
2322
2323 This feature is available in Postfix 2.3 and later.
2324
2326 lmtp_destination_concurrency_limit ($default_destination_concurrency_limit)
2327 The maximal number of parallel deliveries to the same destination via
2328 the lmtp message delivery transport. This limit is enforced by the
2329 queue manager. The message delivery transport name is the first field
2330 in the entry in the master.cf file.
2331
2333 lmtp_destination_recipient_limit ($default_destination_recipient_limit)
2334 The maximal number of recipients per message for the lmtp message
2335 delivery transport. This limit is enforced by the queue manager. The
2336 message delivery transport name is the first field in the entry in the
2337 master.cf file.
2338
2339 Setting this parameter to a value of 1 changes the meaning of
2340 lmtp_destination_concurrency_limit from concurrency per domain into concurrency
2341 per recipient.
2342
2344 Lookup tables, indexed by the remote LMTP server address, with case
2345 insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
2346 that the Postfix LMTP client will ignore in the LHLO response from a
2347 remote LMTP server. See lmtp_discard_lhlo_keywords for details. The
2348 table is not indexed by hostname for consistency with
2349 smtpd_discard_ehlo_keyword_address_maps.
2350
2351 This feature is available in Postfix 2.3 and later.
2352
2354 A case insensitive list of LHLO keywords (pipelining, starttls, auth,
2355 etc.) that the Postfix LMTP client will ignore in the LHLO response
2356 from a remote LMTP server.
2357
2358 This feature is available in Postfix 2.3 and later.
2359
2360 Notes:
2361
2362 · Specify the silent-discard pseudo keyword to prevent this action
2363 from being logged.
2364
2365 · Use the lmtp_discard_lhlo_keyword_address_maps feature to dis‐
2366 card LHLO keywords selectively.
2367
2369 The LMTP-specific version of the smtp_dns_resolver_options configura‐
2370 tion parameter. See there for details.
2371
2372 This feature is available in Postfix 2.8 and later.
2373
2375 The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2376 ter. See there for details.
2377
2378 This feature is available in Postfix 2.3 and later.
2379
2381 The LMTP-specific version of the smtp_generic_maps configuration param‐
2382 eter. See there for details.
2383
2384 This feature is available in Postfix 2.3 and later.
2385
2387 The LMTP-specific version of the smtp_header_checks configuration
2388 parameter. See there for details.
2389
2390 This feature is available in Postfix 2.5 and later.
2391
2393 The LMTP-specific version of the smtp_host_lookup configuration parame‐
2394 ter. See there for details.
2395
2396 This feature is available in Postfix 2.3 and later.
2397
2399 The hostname to send in the LMTP LHLO command.
2400
2401 The default value is the machine hostname. Specify a hostname or
2402 [ip.add.re.ss].
2403
2404 This information can be specified in the main.cf file for all LMTP
2405 clients, or it can be specified in the master.cf file for a specific
2406 client, for example:
2407
2408 /etc/postfix/master.cf:
2409 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2410
2411 This feature is available in Postfix 2.3 and later.
2412
2414 The Postfix LMTP client time limit for sending the LHLO command, and
2415 for receiving the initial remote LMTP server response.
2416
2417 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2418 The default time unit is s (seconds).
2419
2421 The LMTP-specific version of the smtp_line_length_limit configuration
2422 parameter. See there for details.
2423
2424 This feature is available in Postfix 2.3 and later.
2425
2427 The Postfix LMTP client time limit for sending the MAIL FROM command,
2428 and for receiving the remote LMTP server response.
2429
2430 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2431 The default time unit is s (seconds).
2432
2434 The LMTP-specific version of the smtp_mime_header_checks configuration
2435 parameter. See there for details.
2436
2437 This feature is available in Postfix 2.5 and later.
2438
2440 The LMTP-specific version of the smtp_mx_address_limit configuration
2441 parameter. See there for details.
2442
2443 This feature is available in Postfix 2.3 and later.
2444
2446 The LMTP-specific version of the smtp_mx_session_limit configuration
2447 parameter. See there for details.
2448
2449 This feature is available in Postfix 2.3 and later.
2450
2452 The LMTP-specific version of the smtp_nested_header_checks configura‐
2453 tion parameter. See there for details.
2454
2455 This feature is available in Postfix 2.5 and later.
2456
2458 The LMTP-specific version of the smtp_per_record_deadline configuration
2459 parameter. See there for details.
2460
2461 This feature is available in Postfix 2.9 and later.
2462
2464 The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2465 uration parameter. See there for details.
2466
2467 This feature is available in Postfix 2.3 and later.
2468
2470 The LMTP-specific version of the smtp_pix_workaround_maps configuration
2471 parameter. See there for details.
2472
2473 This feature is available in Postfix 2.4 and later.
2474
2476 The LMTP-specific version of the smtp_pix_workaround_threshold_time
2477 configuration parameter. See there for details.
2478
2479 This feature is available in Postfix 2.3 and later.
2480
2482 The LMTP-specific version of the smtp_pix_workaround configuration
2483 parameter. See there for details.
2484
2485 This feature is available in Postfix 2.4 and later.
2486
2488 The Postfix LMTP client time limit for sending the QUIT command, and
2489 for receiving the remote LMTP server response.
2490
2491 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2492 The default time unit is s (seconds).
2493
2495 The LMTP-specific version of the smtp_quote_rfc821_envelope configura‐
2496 tion parameter. See there for details.
2497
2498 This feature is available in Postfix 2.3 and later.
2499
2501 The LMTP-specific version of the smtp_randomize_addresses configuration
2502 parameter. See there for details.
2503
2504 This feature is available in Postfix 2.3 and later.
2505
2507 The Postfix LMTP client time limit for sending the RCPT TO command, and
2508 for receiving the remote LMTP server response.
2509
2510 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2511 The default time unit is s (seconds).
2512
2514 The LMTP-specific version of the smtp_reply_filter configuration param‐
2515 eter. See there for details.
2516
2517 This feature is available in Postfix 2.7 and later.
2518
2520 The Postfix LMTP client time limit for sending the RSET command, and
2521 for receiving the remote LMTP server response. The LMTP client sends
2522 RSET in order to finish a recipient address probe, or to verify that a
2523 cached connection is still alive.
2524
2525 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2526 The default time unit is s (seconds).
2527
2529 The LMTP-specific version of the smtp_sasl_auth_cache_name configura‐
2530 tion parameter. See there for details.
2531
2532 This feature is available in Postfix 2.5 and later.
2533
2535 The LMTP-specific version of the smtp_sasl_auth_cache_time configura‐
2536 tion parameter. See there for details.
2537
2538 This feature is available in Postfix 2.5 and later.
2539
2541 Enable SASL authentication in the Postfix LMTP client.
2542
2544 The LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2545 tion parameter. See there for details.
2546
2547 This feature is available in Postfix 2.5 and later.
2548
2550 The LMTP-specific version of the smtp_sasl_mechanism_filter configura‐
2551 tion parameter. See there for details.
2552
2553 This feature is available in Postfix 2.3 and later.
2554
2556 Optional Postfix LMTP client lookup tables with one username:password
2557 entry per host or domain. If a remote host or domain has no user‐
2558 name:password entry, then the Postfix LMTP client will not attempt to
2559 authenticate to the remote host.
2560
2562 Implementation-specific information that is passed through to the SASL
2563 plug-in implementation that is selected with lmtp_sasl_type. Typically
2564 this specifies the name of a configuration file or rendezvous point.
2565
2566 This feature is available in Postfix 2.3 and later.
2567
2569 SASL security options; as of Postfix 2.3 the list of available features
2570 depends on the SASL client implementation that is selected with
2571 lmtp_sasl_type.
2572
2573 The following security features are defined for the cyrus client SASL
2574 implementation:
2575
2576 noplaintext
2577 Disallow authentication methods that use plaintext passwords.
2578
2579 noactive
2580 Disallow authentication methods that are vulnerable to non-dic‐
2581 tionary active attacks.
2582
2583 nodictionary
2584 Disallow authentication methods that are vulnerable to passive
2585 dictionary attack.
2586
2587 noanonymous
2588 Disallow anonymous logins.
2589
2590 Example:
2591
2592 lmtp_sasl_security_options = noplaintext
2593
2595 The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2596 uration parameter. See there for details.
2597
2598 This feature is available in Postfix 2.3 and later.
2599
2602 The LMTP-specific version of the
2603 smtp_sasl_tls_verified_security_options configuration parameter. See there for details.
2604
2605 This feature is available in Postfix 2.3 and later.
2606
2608 The SASL plug-in type that the Postfix LMTP client should use for
2609 authentication. The available types are listed with the "postconf -A"
2610 command.
2611
2612 This feature is available in Postfix 2.3 and later.
2613
2615 The LMTP-specific version of the smtp_send_dummy_mail_auth configura‐
2616 tion parameter. See there for details.
2617
2618 This feature is available in Postfix 2.9 and later.
2619
2621 Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
2622 server response announces XFORWARD support. This allows an lmtp(8)
2623 delivery agent, used for content filter message injection, to forward
2624 the name, address, protocol and HELO name of the original client to the
2625 content filter and downstream queuing LMTP server. Before you change
2626 the value to yes, it is best to make sure that your content filter sup‐
2627 ports this command.
2628
2629 This feature is available in Postfix 2.1 and later.
2630
2632 The LMTP-specific version of the smtp_sender_dependent_authentication
2633 configuration parameter. See there for details.
2634
2635 This feature is available in Postfix 2.3 and later.
2636
2638 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
2639 parameter. See there for details.
2640
2641 This feature is available in Postfix 2.3 and later.
2642
2644 Wait for the response to the LMTP QUIT command.
2645
2647 The LMTP-specific version of the smtp_starttls_timeout configuration
2648 parameter. See there for details.
2649
2650 This feature is available in Postfix 2.3 and later.
2651
2653 The default TCP port that the Postfix LMTP client connects to.
2654
2656 The LMTP-specific version of the smtp_tls_CAfile configuration parame‐
2657 ter. See there for details.
2658
2659 This feature is available in Postfix 2.3 and later.
2660
2662 The LMTP-specific version of the smtp_tls_CApath configuration parame‐
2663 ter. See there for details.
2664
2665 This feature is available in Postfix 2.3 and later.
2666
2668 The LMTP-specific version of the smtp_tls_block_early_mail_reply con‐
2669 figuration parameter. See there for details.
2670
2671 This feature is available in Postfix 2.7 and later.
2672
2674 The LMTP-specific version of the smtp_tls_cert_file configuration
2675 parameter. See there for details.
2676
2677 This feature is available in Postfix 2.3 and later.
2678
2680 The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
2681 ter. See there for details.
2682
2683 This feature is available in Postfix 2.6 and later.
2684
2686 The LMTP-specific version of the smtp_tls_dcert_file configuration
2687 parameter. See there for details.
2688
2689 This feature is available in Postfix 2.3 and later.
2690
2692 The LMTP-specific version of the smtp_tls_dkey_file configuration
2693 parameter. See there for details.
2694
2695 This feature is available in Postfix 2.3 and later.
2696
2698 The LMTP-specific version of the smtp_tls_eccert_file configuration
2699 parameter. See there for details.
2700
2701 This feature is available in Postfix 2.6 and later, when Postfix is
2702 compiled and linked with OpenSSL 1.0.0 or later.
2703
2705 The LMTP-specific version of the smtp_tls_eckey_file configuration
2706 parameter. See there for details.
2707
2708 This feature is available in Postfix 2.6 and later, when Postfix is
2709 compiled and linked with OpenSSL 1.0.0 or later.
2710
2712 The LMTP-specific version of the smtp_tls_enforce_peername configura‐
2713 tion parameter. See there for details.
2714
2715 This feature is available in Postfix 2.3 and later.
2716
2718 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
2719 parameter. See there for details.
2720
2721 This feature is available in Postfix 2.3 and later.
2722
2724 The LMTP-specific version of the smtp_tls_fingerprint_cert_match con‐
2725 figuration parameter. See there for details.
2726
2727 This feature is available in Postfix 2.5 and later.
2728
2730 The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
2731 tion parameter. See there for details.
2732
2733 This feature is available in Postfix 2.5 and later.
2734
2736 The LMTP-specific version of the smtp_tls_key_file configuration param‐
2737 eter. See there for details.
2738
2739 This feature is available in Postfix 2.3 and later.
2740
2742 The LMTP-specific version of the smtp_tls_loglevel configuration param‐
2743 eter. See there for details.
2744
2745 This feature is available in Postfix 2.3 and later.
2746
2748 The LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
2749 tion parameter. See there for details.
2750
2751 This feature is available in Postfix 2.3 and later.
2752
2754 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
2755 configuration parameter. See there for details.
2756
2757 This feature is available in Postfix 2.3 and later.
2758
2760 The LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
2761 ration parameter. See there for details.
2762
2763 This feature is available in Postfix 2.3 and later.
2764
2766 The LMTP-specific version of the smtp_tls_note_starttls_offer configu‐
2767 ration parameter. See there for details.
2768
2769 This feature is available in Postfix 2.3 and later.
2770
2772 The LMTP-specific version of the smtp_tls_per_site configuration param‐
2773 eter. See there for details.
2774
2775 This feature is available in Postfix 2.3 and later.
2776
2778 The LMTP-specific version of the smtp_tls_policy_maps configuration
2779 parameter. See there for details.
2780
2781 This feature is available in Postfix 2.3 and later.
2782
2784 The LMTP-specific version of the smtp_tls_protocols configuration
2785 parameter. See there for details.
2786
2787 This feature is available in Postfix 2.6 and later.
2788
2790 The LMTP-specific version of the smtp_tls_scert_verifydepth configura‐
2791 tion parameter. See there for details.
2792
2793 This feature is available in Postfix 2.3 and later.
2794
2796 The LMTP-specific version of the smtp_tls_secure_cert_match configura‐
2797 tion parameter. See there for details.
2798
2799 This feature is available in Postfix 2.3 and later.
2800
2802 The LMTP-specific version of the smtp_tls_security_level configuration
2803 parameter. See there for details.
2804
2805 This feature is available in Postfix 2.3 and later.
2806
2808 The LMTP-specific version of the smtp_tls_session_cache_database con‐
2809 figuration parameter. See there for details.
2810
2811 This feature is available in Postfix 2.3 and later.
2812
2814 The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
2815 uration parameter. See there for details.
2816
2817 This feature is available in Postfix 2.3 and later.
2818
2820 The LMTP-specific version of the smtp_tls_verify_cert_match configura‐
2821 tion parameter. See there for details.
2822
2823 This feature is available in Postfix 2.3 and later.
2824
2826 The LMTP-specific version of the smtp_use_tls configuration parameter.
2827 See there for details.
2828
2829 This feature is available in Postfix 2.3 and later.
2830
2832 The Postfix LMTP client time limit for sending the XFORWARD command,
2833 and for receiving the remote LMTP server response.
2834
2835 In case of problems the client does NOT try the next address on the
2836 mail exchanger list.
2837
2838 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2839 The default time unit is s (seconds).
2840
2841 This feature is available in Postfix 2.1 and later.
2842
2844 Optional shell program for local(8) delivery to non-Postfix command.
2845 By default, non-Postfix commands are executed directly; commands are
2846 given to the default shell (typically, /bin/sh) only when they contain
2847 shell meta characters or shell built-in commands.
2848
2849 "sendmail's restricted shell" (smrsh) is what most people will use in
2850 order to restrict what programs can be run from e.g. .forward files
2851 (smrsh is part of the Sendmail distribution).
2852
2853 Note: when a shell program is specified, it is invoked even when the
2854 command contains no shell built-in commands or meta characters.
2855
2856 Example:
2857
2858 local_command_shell = /some/where/smrsh -c
2859 local_command_shell = /bin/bash -c
2860
2862 The maximal number of parallel deliveries via the local mail delivery
2863 transport to the same recipient (when
2864 "local_destination_recipient_limit = 1") or the maximal number of parallel deliveries to the
2865 same local domain (when "local_destination_recipient_limit > 1"). This
2866 limit is enforced by the queue manager. The message delivery transport
2867 name is the first field in the entry in the master.cf file.
2868
2869 A low limit of 2 is recommended, just in case someone has an expensive
2870 shell command in a .forward file or in an alias (e.g., a mailing list
2871 manager). You don't want to run lots of those at the same time.
2872
2874 The maximal number of recipients per message delivery via the local
2875 mail delivery transport. This limit is enforced by the queue manager.
2876 The message delivery transport name is the first field in the entry in
2877 the master.cf file.
2878
2879 Setting this parameter to a value > 1 changes the meaning of
2880 local_destination_concurrency_limit from concurrency per recipient into
2881 concurrency per domain.
2882
2884 Rewrite message header addresses in mail from these clients and update
2885 incomplete addresses with the domain name in $myorigin or $mydomain;
2886 either don't rewrite message headers from other clients at all, or re‐
2887 write message headers and update incomplete addresses with the domain
2888 specified in the remote_header_rewrite_domain parameter.
2889
2890 See the append_at_myorigin and append_dot_mydomain parameters for
2891 details of how domain names are appended to incomplete addresses.
2892
2893 Specify a list of zero or more of the following:
2894
2895 permit_inet_interfaces
2896 Append the domain name in $myorigin or $mydomain when the client
2897 IP address matches $inet_interfaces. This is enabled by default.
2898
2899 permit_mynetworks
2900 Append the domain name in $myorigin or $mydomain when the client
2901 IP address matches any network or network address listed in
2902 $mynetworks. This setting will not prevent remote mail header
2903 address rewriting when mail from a remote client is forwarded by
2904 a neighboring system.
2905
2906 permit_sasl_authenticated
2907 Append the domain name in $myorigin or $mydomain when the client
2908 is successfully authenticated via the RFC 4954 (AUTH) protocol.
2909
2910 permit_tls_clientcerts
2911 Append the domain name in $myorigin or $mydomain when the remote
2912 SMTP client TLS certificate fingerprint or public key finger‐
2913 print (Postfix 2.9 and later) is listed in $relay_clientcerts.
2914 The fingerprint digest algorithm is configurable via the
2915 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
2916 to Postfix version 2.5).
2917
2918 permit_tls_all_clientcerts
2919 Append the domain name in $myorigin or $mydomain when the remote
2920 SMTP client TLS certificate is successfully verified, regardless
2921 of whether it is listed on the server, and regardless of the
2922 certifying authority.
2923
2924 check_address_map type:table
2925
2926 type:table
2927 Append the domain name in $myorigin or $mydomain when the client
2928 IP address matches the specified lookup table. The lookup
2929 result is ignored, and no subnet lookup is done. This is suit‐
2930 able for, e.g., pop-before-smtp lookup tables.
2931
2932 Examples:
2933
2934 The Postfix < 2.2 backwards compatible setting: always rewrite message
2935 headers, and always append my own domain to incomplete header
2936 addresses.
2937
2938 local_header_rewrite_clients = static:all
2939
2940 The purist (and default) setting: rewrite headers only in mail from
2941 Postfix sendmail and in SMTP mail from this machine.
2942
2943 local_header_rewrite_clients = permit_inet_interfaces
2944
2945 The intermediate setting: rewrite header addresses and append $myorigin
2946 or $mydomain information only with mail from Postfix sendmail, from
2947 local clients, or from authorized SMTP clients.
2948
2949 Note: this setting will not prevent remote mail header address rewrit‐
2950 ing when mail from a remote client is forwarded by a neighboring sys‐
2951 tem.
2952
2953 local_header_rewrite_clients = permit_mynetworks,
2954 permit_sasl_authenticated permit_tls_clientcerts
2955 check_address_map hash:/etc/postfix/pop-before-smtp
2956
2958 Lookup tables with all names or addresses of local recipients: a recip‐
2959 ient address is local when its domain matches $mydestination,
2960 $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
2961 for domains that do not have a valid recipient list. Technically,
2962 tables listed with $local_recipient_maps are used as lists: Postfix
2963 needs to know only if a lookup string is found or not, but it does not
2964 use the result from table lookup.
2965
2966 If this parameter is non-empty (the default), then the Postfix SMTP
2967 server will reject mail for unknown local users.
2968
2969 To turn off local recipient checking in the Postfix SMTP server, spec‐
2970 ify "local_recipient_maps =" (i.e. empty).
2971
2972 The default setting assumes that you use the default Postfix local
2973 delivery agent for local delivery. You need to update the
2974 local_recipient_maps setting if:
2975
2976 · You redefine the local delivery agent in master.cf.
2977
2978 · You redefine the "local_transport" setting in main.cf.
2979
2980 · You use the "luser_relay", "mailbox_transport", or
2981 "fallback_transport" feature of the Postfix local(8) delivery agent.
2982
2983 Details are described in the LOCAL_RECIPIENT_README file.
2984
2985 Beware: if the Postfix SMTP server runs chrooted, you need to access
2986 the passwd file via the proxymap(8) service, in order to overcome
2987 chroot access restrictions. The alternative, maintaining a copy of the
2988 system password file in the chroot jail is not practical.
2989
2990 Examples:
2991
2992 local_recipient_maps =
2993
2995 The default mail delivery transport and next-hop destination for final
2996 delivery to domains listed with mydestination, and for [ipaddress] des‐
2997 tinations that match $inet_interfaces or $proxy_interfaces. This
2998 information can be overruled with the transport(5) table.
2999
3000 By default, local mail is delivered to the transport called "local",
3001 which is just the name of a service that is defined in the master.cf file.
3002
3003 Specify a string of the form transport:nexthop, where transport is the
3004 name of a mail delivery transport defined in master.cf. The :nexthop
3005 destination is optional; its syntax is documented in the manual page of
3006 the corresponding delivery agent.
3007
3008 Beware: if you override the default local delivery agent then you need
3009 to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
3010 server may reject mail for local recipients.
3011
3013 Optional catch-all destination for unknown local(8) recipients. By
3014 default, mail for unknown recipients in domains that match
3015 $mydestination, $inet_interfaces or $proxy_interfaces is returned as
3016 undeliverable.
3017
3018 The following $name expansions are done on luser_relay:
3019
3020 $domain
3021 The recipient domain.
3022
3023 $extension
3024 The recipient address extension.
3025
3026 $home The recipient's home directory.
3027
3028 $local The entire recipient address localpart.
3029
3030 $recipient
3031 The full recipient address.
3032
3033 $recipient_delimiter
3034 The system-wide recipient address extension delimiter.
3035
3036 $shell The recipient's login shell.
3037
3038 $user The recipient username.
3039
3040 ${name?value}
3041 Expands to value when $name has a non-empty value.
3042
3043 ${name:value}
3044 Expands to value when $name has an empty value.
3045
3046 Instead of $name you can also specify ${name} or $(name).
3047
3048 Note: luser_relay works only for the Postfix local(8) delivery agent.
3049
3050 Note: if you use this feature for accounts not in the UNIX password
3051 file, then you must specify "local_recipient_maps =" (i.e. empty) in
3052 the main.cf file, otherwise the Postfix SMTP server will reject mail
3053 for non-UNIX accounts with "User unknown in local recipient table".
3054
3055 Examples:
3056
3057 luser_relay = $user@other.host
3058 luser_relay = $local@other.host
3059 luser_relay = admin+$local
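As an added illustration (not Postfix's own code), the following Python models the $name expansion rules listed above for a luser_relay value and the way the recipient address is split into $user and $extension. It assumes a single recipient_delimiter character as in the examples, leaves out $home and $shell because those come from the passwd database, and uses constructed recipient addresses.

```python
"""Model of the $name expansions that are applied to luser_relay.

Added illustration, not Postfix's own code.  Supports $name, ${name},
$(name), ${name?value}, ${name:value} and "$$" with the attributes
documented for luser_relay.  $home and $shell are left out because they
come from the passwd database; all recipient addresses are constructed.
"""
import re
from typing import Dict

# One regular expression for every macro form; group "arg" holds the
# value part of ${name?value} / ${name:value}.
_MACRO = re.compile(
    r"\$\$"                                             # literal "$"
    r"|\$\{(?P<b>[A-Za-z_][A-Za-z0-9_]*)"               # ${name
    r"(?:(?P<op>[?:])(?P<arg>[^}]*))?\}"                #   [?value|:value] }
    r"|\$\((?P<p>[A-Za-z_][A-Za-z0-9_]*)\)"             # $(name)
    r"|\$(?P<n>[A-Za-z_][A-Za-z0-9_]*)"                 # $name
)


def luser_relay_attributes(recipient: str,
                           recipient_delimiter: str = "+") -> Dict[str, str]:
    """Derive the per-recipient attributes from a full recipient address.

    The localpart is split at the first recipient_delimiter character into
    $user and $extension; without a delimiter, $extension is empty.  A
    single-character delimiter is assumed here.
    """
    local, _, domain = recipient.partition("@")
    if recipient_delimiter and recipient_delimiter in local:
        user, extension = local.split(recipient_delimiter, 1)
    else:
        user, extension = local, ""
    return {
        "recipient": recipient,
        "local": local,
        "domain": domain,
        "user": user,
        "extension": extension,
        "recipient_delimiter": recipient_delimiter,
    }


def expand_luser_relay(template: str, attrs: Dict[str, str]) -> str:
    """Expand a luser_relay value using the given attributes.

    Unknown names expand to the empty string.  In this model the value
    part of ${name?value} and ${name:value} is itself expanded, so it may
    refer to other attributes.
    """
    def replace(match: "re.Match[str]") -> str:
        if match.group(0) == "$$":
            return "$"
        name = match.group("b") or match.group("p") or match.group("n")
        value = attrs.get(name, "")
        op = match.group("op")
        if op == "?":   # value only when $name is non-empty
            return expand_luser_relay(match.group("arg"), attrs) if value else ""
        if op == ":":   # value only when $name is empty
            return "" if value else expand_luser_relay(match.group("arg"), attrs)
        return value

    return _MACRO.sub(replace, template)


if __name__ == "__main__":
    attrs = luser_relay_attributes("jane+lists@example.com")
    for relay in ("$user@other.host", "$local@other.host", "admin+$local",
                  "${extension?$user-$extension}@other.host"):
        print(relay, "->", expand_luser_relay(relay, attrs))
```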
3060
3062 The mail system name that is displayed in Received: headers, in the
3063 SMTP greeting banner, and in bounced mail.
3064
3066 The UNIX system account that owns the Postfix queue and most Postfix
3067 daemon processes. Specify the name of an unprivileged user account
3068 that does not share a user or group ID with other accounts, and that
3069 owns no other files or processes on the system. In particular, don't
3070 specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.
3071
3072 When this parameter value is changed you need to re-run "postfix set-
3073 permissions" (with Postfix version 2.0 and earlier: "/etc/postfix/post-
3074 install set-permissions").
3075
3077 The Postfix release date, in "YYYYMMDD" format.
3078
3080 The directory where local(8) UNIX-style mailboxes are kept. The default
3081 setting depends on the system type. Specify a name ending in / for
3082 maildir-style delivery.
3083
3084 Note: maildir delivery is done with the privileges of the recipient.
3085 If you use the mail_spool_directory setting for maildir style delivery,
3086 then you must create the top-level maildir directory in advance. Post‐
3087 fix will not create it.
3088
3089 Examples:
3090
3091 mail_spool_directory = /var/mail
3092 mail_spool_directory = /var/spool/mail
3093
3095 The version of the mail system. Stable releases are named
3096 major.minor.patchlevel. Experimental releases also include the release
3097 date. The version string can be used in, for example, the SMTP greeting
3098 banner.
3099
3101 Optional external command that the local(8) delivery agent should use
3102 for mailbox delivery. The command is run with the user ID and the pri‐
3103 mary group ID privileges of the recipient. Exception: command delivery
3104 for root executes with $default_privs privileges. This is not a prob‐
3105 lem, because 1) mail for root should always be aliased to a real user,
3106 and 2) you should not log in as root; use "su" instead.
3107
3108 The following environment variables are exported to the command:
3109
3110 CLIENT_ADDRESS
3111 Remote client network address. Available in Postfix version 2.2
3112 and later.
3113
3114 CLIENT_HELO
3115 Remote client EHLO command parameter. Available in Postfix ver‐
3116 sion 2.2 and later.
3117
3118 CLIENT_HOSTNAME
3119 Remote client hostname. Available in Postfix version 2.2 and
3120 later.
3121
3122 CLIENT_PROTOCOL
3123 Remote client protocol. Available in Postfix version 2.2 and
3124 later.
3125
3126 DOMAIN The domain part of the recipient address.
3127
3128 EXTENSION
3129 The optional address extension.
3130
3131 HOME The recipient home directory.
3132
3133 LOCAL The recipient address localpart.
3134
3135 LOGNAME
3136 The recipient's username.
3137
3138 ORIGINAL_RECIPIENT
3139 The entire recipient address, before any address rewriting or
3140 aliasing.
3141
3142 RECIPIENT
3143 The full recipient address.
3144
3145 SASL_METHOD
3146 SASL authentication method specified in the remote client AUTH
3147 command. Available in Postfix version 2.2 and later.
3148
3149 SASL_SENDER
3150 SASL sender address specified in the remote client MAIL FROM
3151 command. Available in Postfix version 2.2 and later.
3152
3153 SASL_USER
3154 SASL username specified in the remote client AUTH command.
3155 Available in Postfix version 2.2 and later.
3156
3157 SENDER The full sender address.
3158
3159 SHELL The recipient's login shell.
3160
3161 USER The recipient username.
3162
3163 Unlike other Postfix configuration parameters, the mailbox_command
3164 parameter is not subjected to $name substitutions. This is to make it
3165 easier to specify shell syntax (see example below).
3166
3167 If you can, avoid shell meta characters because they will force Postfix
3168 to run an expensive shell process. If you're delivering via Procmail
3169 then running a shell won't make a noticeable difference in the total
3170 cost.
3171
3172 Note: if you use the mailbox_command feature to deliver mail system-
3173 wide, you must set up an alias that forwards mail for root to a real
3174 user.
3175
3176 The precedence of local(8) delivery features from high to low is:
3177 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3178 mailbox_command_maps, mailbox_command, home_mailbox,
3179 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
3180
3181 Examples:
3182
3183 mailbox_command = /some/where/procmail
3184 mailbox_command = /some/where/procmail -a "$EXTENSION"
3185 mailbox_command = /some/where/maildrop -d "$USER"
3186 -f "$SENDER" "$EXTENSION"
3187
3189 Optional lookup tables with per-recipient external commands to use for
3190 local(8) mailbox delivery. Behavior is as with mailbox_command.
3191
3192 The precedence of local(8) delivery features from high to low is:
3193 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3194 mailbox_command_maps, mailbox_command, home_mailbox,
3195 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
3196
3198 How to lock a UNIX-style local(8) mailbox before attempting delivery.
3199 For a list of available file locking methods, use the "postconf -l"
3200 command.
3201
3202 This setting is ignored with maildir style delivery, because such
3203 deliveries are safe without explicit locks.
3204
3205 Note: The dotlock method requires that the recipient UID or GID has
3206 write access to the parent directory of the mailbox file.
3207
3208 Note: the default setting of this parameter is system dependent.
3209
3211 The maximal size of any local(8) individual mailbox or maildir file, or
3212 zero (no limit). In fact, this limits the size of any file that is
3213 written to upon local delivery, including files written by external
3214 commands that are executed by the local(8) delivery agent.
3215
3216 This limit must not be smaller than the message size limit.
3217
3219 Optional message delivery transport that the local(8) delivery agent
3220 should use for mailbox delivery to all local recipients, whether or not
3221 they are found in the UNIX passwd database.
3222
3223 The precedence of local(8) delivery features from high to low is:
3224 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3225 mailbox_command_maps, mailbox_command, home_mailbox,
3226 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
3227
3229 Optional lookup tables with per-recipient message delivery transports
3230 to use for local(8) mailbox delivery, whether or not the recipients are
3231 found in the UNIX passwd database.
3232
3233 The precedence of local(8) delivery features from high to low is:
3234 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3235 mailbox_command_maps, mailbox_command, home_mailbox,
3236 mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.
3237
3238 For safety reasons, this feature does not allow $number substitutions
3239 in regular expression maps.
3240
3241 This feature is available in Postfix 2.3 and later.
3242
3244 Sendmail compatibility feature that specifies where the Postfix
3245 mailq(1) command is installed. This command can be used to list the
3246 Postfix mail queue.
3247
3249 Where the Postfix manual pages are installed.
3250
3252 Obsolete feature: use the reject_rbl_client feature instead.
3253
3255 The numerical Postfix SMTP server response code when a remote SMTP
3256 client request is blocked by the reject_rbl_client,
3257 reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
3258 or reject_rhsbl_recipient restriction.
3259
3260 Do not change this unless you have a complete understanding of RFC
3261 5321.
3262
3264
3265 What addresses are subject to address masquerading.
3266
3267 By default, address masquerading is limited to envelope sender
3268 addresses, and to header sender and header recipient addresses. This
3269 allows you to use address masquerading on a mail gateway while still
3270 being able to forward mail to users on individual machines.
3271
3272 Specify zero or more of: envelope_sender, envelope_recipient,
3273 header_sender, header_recipient
3274
3276 Optional list of domains whose subdomain structure will be stripped off
3277 in email addresses.
3278
3279 The list is processed left to right, and processing stops at the first
3280 match. Thus,
3281
3282 masquerade_domains = foo.example.com example.com
3283
3284 strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
3285 strips "user@any.thing.else.example.com" to "user@example.com".
3286
3287 A domain name prefixed with ! means do not masquerade this domain or
3288 its subdomains. Thus,
3289
3290 masquerade_domains = !foo.example.com example.com
3291
3292 does not change "user@any.thing.foo.example.com" or
3293 "user@foo.example.com", but strips "user@any.thing.else.example.com" to
3294 "user@example.com".
3295
3296 Note: with Postfix version 2.2, message header address masquerading
3297 happens only when message header address rewriting is enabled:
3298
3299 · The message is received with the Postfix sendmail(1) command,
3300
3301 · The message is received from a network client that matches
3302 $local_header_rewrite_clients,
3303
3304 · The message is received from the network, and the
3305 remote_header_rewrite_domain parameter specifies a non-empty
3306 value.
3307
3308 To get the behavior before Postfix version 2.2, specify
3309 "local_header_rewrite_clients = static:all".
3310
3311 Example:
3312
3313 masquerade_domains = $mydomain
3314
Optional list of user names that are not subjected to address masquerading,
even when their address matches $masquerade_domains.
3318
3319 By default, address masquerading makes no exceptions.
3320
Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored).
Continue long lines by starting the next line with whitespace. Specify
"!pattern" to exclude a name from the list. The form "!/file/name" is
supported only in Postfix version 2.4 and later.
3329
3330 Examples:
3331
3332 masquerade_exceptions = root, mailer-daemon
3333 masquerade_exceptions = root
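
A model of the masquerade_domains and masquerade_exceptions matching rules described above (left-to-right search, first match wins, a "!" prefix disables masquerading, excepted user names are left alone). This is an added example, not Postfix source; it does not model "/file/name" or "type:table" patterns.

```python
import re

# Added example (not Postfix code): how masquerade_domains and
# masquerade_exceptions apply to one address.  The domain list is searched
# left to right, the search stops at the first match, and a "!" prefix means
# "do not masquerade".  "/file/name" and "type:table" patterns are not modelled.


def parse_matchlist(value):
    """Split a comma/whitespace separated Postfix list into (negated, item) pairs."""
    entries = []
    for token in re.split(r"[\s,]+", value.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        entries.append((negated, token.lstrip("!")))
    return entries


def is_excepted(localpart, exceptions):
    """masquerade_exceptions: first match wins; a "!name" match is not an exception."""
    for negated, name in exceptions:
        if localpart.lower() == name.lower():
            return not negated
    return False


def masquerade_address(address, domains, exceptions=()):
    """Return the address as masquerade_domains would rewrite it.

    domains / exceptions are (negated, item) lists from parse_matchlist().
    """
    localpart, sep, domain = address.rpartition("@")
    if not sep:
        return address                       # no domain part: nothing to strip
    if is_excepted(localpart, exceptions):
        return address                       # e.g. root, mailer-daemon
    lowered = domain.lower()
    for negated, masq in domains:
        masq_l = masq.lower()
        # A domain matches its own entry or an entry that is one of its parents.
        if lowered == masq_l or lowered.endswith("." + masq_l):
            if negated:
                return address               # "!domain": leave untouched
            return f"{localpart}@{masq}"     # strip the subdomain structure
    return address                           # no entry matched


if __name__ == "__main__":
    # The two configurations from the text above, applied to the same addresses.
    plain = parse_matchlist("foo.example.com example.com")
    with_negation = parse_matchlist("!foo.example.com example.com")
    exceptions = parse_matchlist("root, mailer-daemon")
    for addr in ("user@any.thing.foo.example.com",
                 "user@any.thing.else.example.com",
                 "root@any.thing.else.example.com"):
        print(addr, "->", masquerade_address(addr, plain, exceptions),
              "|", masquerade_address(addr, with_negation, exceptions))
```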
3334
Selectively disable master(8) listener ports by service type or by
service name and type. Specify a list of service types ("inet", "unix",
"fifo", or "pass") or "name.type" tuples, where "name" is the first
field of a master.cf entry and "type" is a service type. As with other
Postfix matchlists, a search stops at the first match. Specify
"!pattern" to exclude a service from the list. By default, all master(8)
listener ports are enabled.
3343
Note: this feature does not support "/file/name" or "type:table"
patterns, nor does it support wildcards such as "*" or "all". This is
intentional.
3347
3348 Examples:
3349
3350 # Turn on all master(8) listener ports (the default).
3351 master_service_disable =
3352 # Turn off only the main SMTP listener port.
3353 master_service_disable = smtp.inet
3354 # Turn off all TCP/IP listener ports.
3355 master_service_disable = inet
3356 # Turn off all TCP/IP listener ports except "foo".
3357 master_service_disable = !foo.inet, inet
3358
3359 This feature is available in Postfix 2.6 and later.
3360
The maximum amount of time that an idle Postfix daemon process waits
for an incoming connection before terminating voluntarily. This
parameter is ignored by the Postfix queue manager and by other
long-lived Postfix daemon processes.
3366
3367 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3368 The default time unit is s (seconds).
3369
3371 The maximal number of incoming connections that a Postfix daemon
3372 process will service before terminating voluntarily. This parameter is
3373 ignored by the Postfix queue manager and by other long-lived Postfix
3374 daemon processes.
3375
3377 The maximal time between attempts to deliver a deferred message.
3378
This parameter should be set to a value greater than or equal to
$minimal_backoff_time. See also $queue_run_delay.
3381
3382 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3383 The default time unit is s (seconds).
3384
Consider a message as undeliverable, when delivery fails with a
temporary error, and the time in the queue has reached the
maximal_queue_lifetime limit.
3389
3390 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3391 The default time unit is d (days).
3392
3393 Specify 0 when mail delivery should be tried only once.
3394
3396 The set of characters that Postfix will reject in message content. The
3397 usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3398 (up to three octal digits) and \\.
3399
Note 1: this feature does not recognize text that requires MIME
decoding. It inspects raw message content, just like header_checks and
body_checks.
3403
3404 Note 2: this feature is disabled with "receive_override_options =
3405 no_header_body_checks".
3406
3407 Example:
3408
3409 message_reject_characters = \0
3410
3411 This feature is available in Postfix 2.3 and later.
3412
3414 The maximal size in bytes of a message, including envelope information.
3415
3416 Note: be careful when making changes. Excessively small values will
3417 result in the loss of non-delivery notifications, when a bounce message
3418 size exceeds the local or remote MTA's message size limit.
3419
3421 The set of characters that Postfix will remove from message content.
3422 The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3423 \ddd (up to three octal digits) and \\.
3424
Note 1: this feature does not recognize text that requires MIME
decoding. It inspects raw message content, just like header_checks and
body_checks.
3428
3429 Note 2: this feature is disabled with "receive_override_options =
3430 no_header_body_checks".
3431
3432 Example:
3433
3434 message_strip_characters = \0
3435
3436 This feature is available in Postfix 2.3 and later.
3437
3439 The time limit for sending an SMTP command to a Milter (mail filter)
3440 application, and for receiving the response.
3441
3442 Specify a non-zero time value (an integral value plus an optional one-
3443 letter suffix that specifies the time unit).
3444
3445 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3446 The default time unit is s (seconds).
3447
3448 This feature is available in Postfix 2.3 and later.
3449
3451 The macros that are sent to Milter (mail filter) applications after
3452 completion of an SMTP connection. See MILTER_README for a list of
3453 available macro names and their meanings.
3454
3455 This feature is available in Postfix 2.3 and later.
3456
3458 The time limit for connecting to a Milter (mail filter) application,
3459 and for negotiating protocol options.
3460
3461 Specify a non-zero time value (an integral value plus an optional one-
3462 letter suffix that specifies the time unit).
3463
3464 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3465 The default time unit is s (seconds).
3466
3467 This feature is available in Postfix 2.3 and later.
3468
3470 The time limit for sending message content to a Milter (mail filter)
3471 application, and for receiving the response.
3472
3473 Specify a non-zero time value (an integral value plus an optional one-
3474 letter suffix that specifies the time unit).
3475
3476 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3477 The default time unit is s (seconds).
3478
3479 This feature is available in Postfix 2.3 and later.
3480
3482 The macros that are sent to version 4 or higher Milter (mail filter)
3483 applications after the SMTP DATA command. See MILTER_README for a list
3484 of available macro names and their meanings.
3485
3486 This feature is available in Postfix 2.3 and later.
3487
The default action when a Milter (mail filter) application is
unavailable or mis-configured. Specify one of the following:
3491
3492 accept Proceed as if the mail filter was not present.
3493
3494 reject Reject all further commands in this session with a permanent
3495 status code.
3496
3497 tempfail
3498 Reject all further commands in this session with a temporary
3499 status code.
3500
3501 quarantine
3502 Like "accept", but freeze the message in the "hold" queue.
3503 Available with Postfix 2.6 and later.
3504
3505 This feature is available in Postfix 2.3 and later.
3506
3508 The macros that are sent to Milter (mail filter) applications after the
3509 message end-of-data. See MILTER_README for a list of available macro
3510 names and their meanings.
3511
3512 This feature is available in Postfix 2.3 and later.
3513
3515 The macros that are sent to Milter (mail filter) applications after the
3516 end of the message header. See MILTER_README for a list of available
3517 macro names and their meanings.
3518
3519 This feature is available in Postfix 2.5 and later.
3520
Optional lookup tables for content inspection of message headers that
are produced by Milter applications. See the header_checks(5) manual
page for available actions. Currently, PREPEND is not implemented.
3525
3526 The following example sends all mail that is marked as SPAM to a spam
3527 handling machine. Note that matches are case-insensitive by default.
3528
3529 /etc/postfix/main.cf:
3530 milter_header_checks = pcre:/etc/postfix/milter_header_checks
3531
3532 /etc/postfix/milter_header_checks:
3533 /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
3534
3535 The milter_header_checks mechanism could also be used for whitelisting.
3536 For example it could be used to skip heavy content inspection for DKIM-
3537 signed mail from known friendly domains.
3538
3539 This feature is available in Postfix 2.7, and as an optional patch for
3540 Postfix 2.6.
3541
3543 The macros that are sent to Milter (mail filter) applications after the
3544 SMTP HELO or EHLO command. See MILTER_README for a list of available
3545 macro names and their meanings.
3546
3547 This feature is available in Postfix 2.3 and later.
3548
The {daemon_name} macro value for Milter (mail filter) applications.
See MILTER_README for a list of available macro names and their
meanings.
3553
3554 This feature is available in Postfix 2.3 and later.
3555
The {v} macro value for Milter (mail filter) applications. See
MILTER_README for a list of available macro names and their meanings.
3559
3560 This feature is available in Postfix 2.3 and later.
3561
3563 The macros that are sent to Milter (mail filter) applications after the
3564 SMTP MAIL FROM command. See MILTER_README for a list of available macro
3565 names and their meanings.
3566
3567 This feature is available in Postfix 2.3 and later.
3568
3570 The mail filter protocol version and optional protocol extensions for
3571 communication with a Milter application; prior to Postfix 2.6 the
3572 default protocol is 2. Postfix sends this version number during the
3573 initial protocol handshake. It should match the version number that is
3574 expected by the mail filter application (or by its Milter library).
3575
3576 Protocol versions:
3577
3578 2 Use Sendmail 8 mail filter protocol version 2 (default with
3579 Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).
3580
3581 3 Use Sendmail 8 mail filter protocol version 3.
3582
3583 4 Use Sendmail 8 mail filter protocol version 4.
3584
3585 6 Use Sendmail 8 mail filter protocol version 6 (default with
3586 Sendmail version 8.14 and Postfix version 2.6).
3587
3588 Protocol extensions:
3589
3590 no_header_reply
3591 Specify this when the Milter application will not reply for each
3592 individual message header.
3593
3594 This feature is available in Postfix 2.3 and later.
3595
3597 The macros that are sent to Milter (mail filter) applications after the
3598 SMTP RCPT TO command. See MILTER_README for a list of available macro
3599 names and their meanings.
3600
3601 This feature is available in Postfix 2.3 and later.
3602
3604 The macros that are sent to version 3 or higher Milter (mail filter)
3605 applications after an unknown SMTP command. See MILTER_README for a
3606 list of available macro names and their meanings.
3607
3608 This feature is available in Postfix 2.3 and later.
3609
The maximal length of MIME multipart boundary strings. The MIME
processor is unable to distinguish between boundary strings that do not
differ in the first $mime_boundary_length_limit characters.
3614
3615 This feature is available in Postfix 2.0 and later.
3616
3618 Optional lookup tables for content inspection of MIME related message
3619 headers, as described in the header_checks(5) manual page.
3620
3621 This feature is available in Postfix 2.0 and later.
3622
The maximal recursion level that the MIME processor will handle.
Postfix refuses mail that is nested deeper than the specified limit.
3626
3627 This feature is available in Postfix 2.0 and later.
3628
3630 The minimal time between attempts to deliver a deferred message; prior
3631 to Postfix 2.4 the default value was 1000s.
3632
3633 This parameter also limits the time an unreachable destination is kept
3634 in the short-term, in-memory, destination status cache.
3635
3636 This parameter should be set greater than or equal to $queue_run_delay.
3637 See also $maximal_backoff_time.
3638
3639 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3640 The default time unit is s (seconds).
3641
3643 An optional list of non-default Postfix configuration directories;
3644 these directories belong to additional Postfix instances that share the
3645 Postfix executable files and documentation with the default Postfix
3646 instance, and that are started, stopped, etc., together with the
3647 default Postfix instance. Specify a list of pathnames separated by
3648 comma or whitespace.
3649
3650 When $multi_instance_directories is empty, the postfix(1) command runs
3651 in single-instance mode and operates on a single Postfix instance only.
3652 Otherwise, the postfix(1) command runs in multi-instance mode and
3653 invokes the multi-instance manager specified with the
3654 multi_instance_wrapper parameter. The multi-instance manager in turn
executes postfix(1) commands for the default instance and for all
Postfix instances in $multi_instance_directories.
3657
3658 Currently, this parameter setting is ignored except for the default
3659 main.cf file.
3660
3661 This feature is available in Postfix 2.6 and later.
3662
Allow this Postfix instance to be started, stopped, etc., by a
multi-instance manager. By default, new instances are created in a safe
state that prevents them from being started inadvertently. This
parameter is reserved for the multi-instance manager.
3668
3669 This feature is available in Postfix 2.6 and later.
3670
3672 The optional instance group name of this Postfix instance. A group
3673 identifies closely-related Postfix instances that the multi-instance
3674 manager can start, stop, etc., as a unit. This parameter is reserved
3675 for the multi-instance manager.
3676
3677 This feature is available in Postfix 2.6 and later.
3678
3680 The optional instance name of this Postfix instance. This name becomes
3681 also the default value for the syslog_name parameter.
3682
3683 This feature is available in Postfix 2.6 and later.
3684
3686 The pathname of a multi-instance manager command that the postfix(1)
3687 command invokes when the multi_instance_directories parameter value is
3688 non-empty. The pathname may be followed by initial command arguments
3689 separated by whitespace; shell metacharacters such as quotes are not
3690 supported in this context.
3691
3692 The postfix(1) command invokes the manager command with the postfix(1)
3693 non-option command arguments on the manager command line, and with all
3694 installation configuration parameters exported into the manager command
3695 process environment. The manager command in turn invokes the postfix(1)
command for individual Postfix instances as "postfix -c
config_directory command".
3698
3699 This feature is available in Postfix 2.6 and later.
3700
3702 The numerical Postfix SMTP server response code when a remote SMTP
client request is blocked by the reject_multi_recipient_bounce
restriction.
3705
3706 Do not change this unless you have a complete understanding of RFC
3707 5321.
3708
3709 This feature is available in Postfix 2.1 and later.
3710
3712 The list of domains that are delivered via the $local_transport mail
3713 delivery transport. By default this is the Postfix local(8) delivery
3714 agent which looks up all recipients in /etc/passwd and /etc/aliases.
The SMTP server validates recipient addresses with $local_recipient_maps
and rejects non-existent recipients. See also the local domain
3717 class in the ADDRESS_CLASS_README file.
3718
3719 The default mydestination value specifies names for the local machine
3720 only. On a mail domain gateway, you should also include $mydomain.
3721
3722 The $local_transport delivery method is also selected for mail
3723 addressed to user@[the.net.work.address] of the mail system (the IP
3724 addresses specified with the inet_interfaces and proxy_interfaces
3725 parameters).
3726
3727 Warnings:
3728
3729 · Do not specify the names of virtual domains - those domains are
3730 specified elsewhere. See VIRTUAL_README for more information.
3731
3732 · Do not specify the names of domains that this machine is backup
3733 MX host for. See STANDARD_CONFIGURATION_README for how to set up
3734 backup MX hosts.
3735
3736 · By default, the Postfix SMTP server rejects mail for recipients
3737 not listed with the local_recipient_maps parameter. See the
3738 postconf(5) manual for a description of the local_recipient_maps
3739 and unknown_local_recipient_reject_code parameters.
3740
3741 Specify a list of host or domain names, "/file/name" or "type:table"
3742 patterns, separated by commas and/or whitespace. A "/file/name" pattern
3743 is replaced by its contents; a "type:table" lookup table is matched
3744 when a name matches a lookup key (the lookup result is ignored). Con‐
3745 tinue long lines by starting the next line with whitespace.
3746
3747 Examples:
3748
3749 mydestination = $myhostname, localhost.$mydomain $mydomain
3750 mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
3751
3753 The internet domain name of this mail system. The default is to use
3754 $myhostname minus the first component, or "localdomain" (Postfix 2.3
and later). $mydomain is used as a default value for many other
configuration parameters.
3757
3758 Example:
3759
3760 mydomain = domain.tld
3761
3763 The internet hostname of this mail system. The default is to use the
3764 fully-qualified domain name (FQDN) from gethostname(), or to use the
non-FQDN result from gethostname() and append ".$mydomain". $myhostname
is used as a default value for many other configuration parameters.
3768
3769 Example:
3770
3771 myhostname = host.example.com
3772
3774 The list of "trusted" remote SMTP clients that have more privileges
3775 than "strangers".
3776
3777 In particular, "trusted" SMTP clients are allowed to relay mail through
3778 Postfix. See the smtpd_relay_restrictions parameter description in the
3779 postconf(5) manual.
3780
3781 You can specify the list of "trusted" network addresses by hand or you
can let Postfix do it for you (which is the default). See the
description of the mynetworks_style parameter for more information.
3784
If you specify the mynetworks list by hand, Postfix ignores the
mynetworks_style setting.
3787
Specify a list of network addresses or network/netmask patterns,
separated by commas and/or whitespace. Continue long lines by starting
the next line with whitespace.
3791
3792 The netmask specifies the number of bits in the network part of a host
3793 address. You can also specify "/file/name" or "type:table" patterns.
3794 A "/file/name" pattern is replaced by its contents; a "type:table"
3795 lookup table is matched when a table entry matches a lookup string (the
3796 lookup result is ignored).
3797
3798 The list is matched left to right, and the search stops on the first
3799 match. Specify "!pattern" to exclude an address or network block from
3800 the list. The form "!/file/name" is supported only in Postfix version
3801 2.4 and later.
3802
3803 Note: IP version 6 address information must be specified inside [] in
3804 the mynetworks value, and in files specified with "/file/name". IP
3805 version 6 addresses contain the ":" character, and would otherwise be
3806 confused with a "type:table" pattern.
3807
3808 Examples:
3809
3810 mynetworks = 127.0.0.0/8 168.100.189.0/28
3811 mynetworks = !192.168.0.1, 192.168.0.0/28
3812 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
3813 mynetworks = $config_directory/mynetworks
3814 mynetworks = hash:/etc/postfix/network_table
3815
3817 The method to generate the default value for the mynetworks parameter.
3818 This is the list of trusted networks for relay access control etc.
3819
3820 · Specify "mynetworks_style = host" when Postfix should "trust"
3821 only the local machine.
3822
3823 · Specify "mynetworks_style = subnet" when Postfix should "trust"
3824 remote SMTP clients in the same IP subnetworks as the local
3825 machine. On Linux, this works correctly only with interfaces
3826 specified with the "ifconfig" command.
3827
3828 · Specify "mynetworks_style = class" when Postfix should "trust"
3829 remote SMTP clients in the same IP class A/B/C networks as the
3830 local machine. Don't do this with a dialup site - it would
3831 cause Postfix to "trust" your entire provider's network.
3832 Instead, specify an explicit mynetworks list by hand, as
3833 described with the mynetworks configuration parameter.
3834
3836 The domain name that locally-posted mail appears to come from, and that
locally posted mail is delivered to. The default, $myhostname, is
adequate for small sites. If you run a domain with multiple machines, you
3839 should (1) change this to $mydomain and (2) set up a domain-wide alias
3840 database that aliases each user to user@that.users.mailhost.
3841
3842 Example:
3843
3844 myorigin = $mydomain
3845
Optional lookup tables for content inspection of non-MIME message
headers in attached messages, as described in the header_checks(5)
manual page.
3850
3851 This feature is available in Postfix 2.0 and later.
3852
3854 Sendmail compatibility feature that specifies the location of the
3855 newaliases(1) command. This command can be used to rebuild the local(8)
3856 aliases(5) database.
3857
3859 The numerical Postfix SMTP server reply code when a client request is
3860 rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
3861 or reject_non_fqdn_recipient restriction.
3862
3864 A list of Milter (mail filter) applications for new mail that does not
3865 arrive via the Postfix smtpd(8) server. This includes local submission
3866 via the sendmail(1) command line, new mail that arrives via the Postfix
3867 qmqpd(8) server, and old mail that is re-injected into the queue with
"postsuper -r". Specify space or comma as separator. See the
MILTER_README document for details.
3870
3871 This feature is available in Postfix 2.3 and later.
3872
3874 The list of error classes that are reported to the postmaster. The
3875 default is to report only the most serious problems. The paranoid may
3876 wish to turn on the policy (UCE and mail relaying) and protocol error
3877 (broken mail software) reports.
3878
3879 NOTE: postmaster notifications may contain confidential information
such as SASL passwords or message content. It is the system
administrator's responsibility to treat such information with care.
3882
3883 The error classes are:
3884
3885 bounce (also implies 2bounce)
3886 Send the postmaster copies of the headers of bounced mail, and
3887 send transcripts of SMTP sessions when Postfix rejects mail. The
3888 notification is sent to the address specified with the
bounce_notice_recipient configuration parameter (default:
postmaster).
3891
3892 2bounce
Send undeliverable bounced mail to the postmaster. The
notification is sent to the address specified with the
2bounce_notice_recipient configuration parameter (default:
postmaster).
3897
3898 data Send the postmaster a transcript of the SMTP session with an
error because a critical data file was unavailable. The
notification is sent to the address specified with the
error_notice_recipient configuration parameter (default:
postmaster).
3903 This feature is available in Postfix 2.9 and later.
3904
3905 delay Send the postmaster copies of the headers of delayed mail (see
3906 delay_warning_time). The notification is sent to the address
specified with the delay_notice_recipient configuration
parameter (default: postmaster).
3909
3910 policy Send the postmaster a transcript of the SMTP session when a
client request was rejected because of (UCE) policy. The
notification is sent to the address specified with the
error_notice_recipient configuration parameter (default:
postmaster).
3915
3916 protocol
3917 Send the postmaster a transcript of the SMTP session in case of
3918 client or server protocol errors. The notification is sent to
the address specified with the error_notice_recipient
configuration parameter (default: postmaster).
3921
3922 resource
3923 Inform the postmaster of mail not delivered due to resource
3924 problems. The notification is sent to the address specified
3925 with the error_notice_recipient configuration parameter
3926 (default: postmaster).
3927
3928 software
3929 Inform the postmaster of mail not delivered due to software
3930 problems. The notification is sent to the address specified
3931 with the error_notice_recipient configuration parameter
3932 (default: postmaster).
3933
3934 Examples:
3935
3936 notify_classes = bounce, delay, policy, protocol, resource, software
3937 notify_classes = 2bounce, resource, software
3938
3940 Give special treatment to owner-listname and listname-request address
3941 localparts: don't split such addresses when the recipient_delimiter is
3942 set to "-". This feature is useful for mailing lists.
3943
3945 What Postfix features match subdomains of "domain.tld" automatically,
3946 instead of requiring an explicit ".domain.tld" pattern. This is
3947 planned backwards compatibility: eventually, all Postfix features are
3948 expected to require explicit ".domain.tld" style patterns when you
3949 really want to match subdomains.
3950
3952 Restrict the use of the permit_mx_backup SMTP access feature to only
domains whose primary MX hosts match the listed networks. The
parameter value syntax is the same as with the mynetworks parameter; note,
3955 however, that the default value is empty.
3956
3958 The name of the pickup(8) service. This service picks up local mail
3959 submissions from the Postfix maildrop queue.
3960
3961 This feature is available in Postfix 2.0 and later.
3962
3964 The numerical Postfix SMTP server response code when a request is
3965 rejected by the reject_plaintext_session restriction.
3966
3967 This feature is available in Postfix 2.3 and later.
3968
3970 The postfix(1) commands that the postmulti(1) instance manager treats
3971 as "control" commands, that operate on running instances. For these
3972 commands, disabled instances are skipped.
3973
3974 This feature is available in Postfix 2.6 and later.
3975
3977 The postfix(1) commands that the postmulti(1) instance manager treats
3978 as "start" commands. For these commands, disabled instances are
3979 "checked" rather than "started", and failure to "start" a member
3980 instance of an instance group will abort the start-up of later
3981 instances.
3982
3983 This feature is available in Postfix 2.6 and later.
3984
3986 The postfix(1) commands that the postmulti(1) instance manager treats
3987 as "stop" commands. For these commands, disabled instances are skipped,
3988 and enabled instances are processed in reverse order.
3989
3990 This feature is available in Postfix 2.6 and later.
3991
3993 Permanent white/blacklist for remote SMTP client IP addresses.
3994 postscreen(8) searches this list immediately after a remote SMTP client
3995 connects. Specify a comma- or whitespace-separated list of commands
3996 (in upper or lower case) or lookup tables. The search stops upon the
3997 first command that fires for the client IP address.
3998
3999 permit_mynetworks
4000 Whitelist the client and terminate the search if the client IP
4001 address matches $mynetworks. Do not subject the client to any
before/after 220 greeting tests. Pass the connection
immediately to a Postfix SMTP server process.
4004
4005 type:table
4006 Query the specified lookup table. Each table lookup result is an
4007 access list, except that access lists inside a table cannot
4008 specify type:table entries.
4009 To discourage the use of hash, btree, etc. tables, there is no
4010 support for substring matching like smtpd(8). Use CIDR tables
4011 instead.
4012
4013 permit
4014 Whitelist the client and terminate the search. Do not subject
the client to any before/after 220 greeting tests. Pass the
connection immediately to a Postfix SMTP server process.
4017
4018 reject
4019 Blacklist the client and terminate the search. Subject the
client to the action configured with the
postscreen_blacklist_action configuration parameter.
4022
4023 dunno All postscreen(8) access lists implicitly have this command at
4024 the end.
4025 When dunno is executed inside a lookup table, return from the
4026 lookup table and evaluate the next command.
4027 When dunno is executed outside a lookup table, terminate the
4028 search, and subject the client to the configured before/after
4029 220 greeting tests.
4030
4031 Example:
4032
4033 /etc/postfix/main.cf:
4034 postscreen_access_list = permit_mynetworks,
4035 cidr:/etc/postfix/postscreen_access.cidr
4036 postscreen_blacklist_action = enforce
4037
4038 /etc/postfix/postscreen_access.cidr:
4039 # Rules are evaluated in the order as specified.
4040 # Blacklist 192.168.* except 192.168.0.1.
4041 192.168.0.1 dunno
4042 192.168.0.0/16 reject
4043
4044 This feature is available in Postfix 2.8.
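
The mynetworks matching rules (left to right, first match decides, "!" exclusion, IPv6 inside []) and the postscreen_access_list evaluation shown above, including "dunno" inside and outside a table, as an added example that is not Postfix code. It assumes that "/file/name" and "type:table" patterns in mynetworks are not expanded and that the cidr: table content is supplied inline instead of being read from the file named in main.cf.

```python
import ipaddress
import re

# Added example (not Postfix code): a model of mynetworks matching and of
# postscreen_access_list evaluation.  mynetworks "/file/name" and "type:table"
# patterns are not expanded; the cidr: table is given inline as text.

def parse_mynetworks(value):
    """Return (negated, ip_network) entries in list order.  IPv6 must be inside
    [] because a bare ":" is taken to be a "type:table" pattern (see above)."""
    entries = []
    for token in re.split(r"[\s,]+", value.strip()):
        if not token:
            continue
        negated = token.startswith("!")
        token = token.lstrip("!")
        if token.startswith("/") or (":" in token and not token.startswith("[")):
            raise ValueError(f"not modelled (file or type:table pattern): {token}")
        bracketed = re.fullmatch(r"\[([^\]]+)\](?:/(\d+))?", token)
        if bracketed:
            addr, plen = bracketed.groups()
        else:
            addr, _, plen = token.partition("/")
        net = ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)
        entries.append((negated, net))
    return entries

def in_mynetworks(client_ip, entries):
    """Left to right, first match decides; a "!" match means 'not trusted'."""
    ip = ipaddress.ip_address(client_ip)
    for negated, net in entries:
        if ip.version == net.version and ip in net:
            return not negated
    return False

def parse_cidr_table(text):
    """Parse "network action" lines of a cidr: table; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, action = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern, strict=False), action))
    return rules

def split_list(value):
    return [t for t in re.split(r"[\s,]+", value.strip()) if t]

def postscreen_access_decision(client_ip, access_list, tables, mynetworks):
    """Evaluate postscreen_access_list for one client.

    Returns "permit", "reject" or "dunno" (dunno: run the before/after 220
    greeting tests).  'tables' maps a "type:table" name to parse_cidr_table()
    output and stands in for the real lookup."""
    ip = ipaddress.ip_address(client_ip)

    def run(commands, inside_table):
        for cmd in commands:
            lowered = cmd.lower()
            if lowered == "permit_mynetworks":
                if in_mynetworks(client_ip, mynetworks):
                    return "permit"
            elif lowered in ("permit", "reject"):
                return lowered
            elif lowered == "dunno":
                # Inside a table: return and evaluate the next command.
                # Outside a table: terminate the search.
                return None if inside_table else "dunno"
            elif ":" in cmd:
                if inside_table:
                    raise ValueError("type:table is not allowed inside a table")
                for net, result in tables[cmd]:
                    if ip.version == net.version and ip in net:
                        verdict = run(split_list(result), True)
                        if verdict is not None:
                            return verdict
                        break                    # table said dunno: next command
            else:
                raise ValueError(f"unknown postscreen access command: {cmd}")
        return None if inside_table else "dunno"  # the implicit trailing dunno

    return run(split_list(access_list), False)

# Constructed configuration, following the postscreen_access_list example above.
MYNETWORKS = parse_mynetworks("127.0.0.0/8 [::1]/128")
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
TABLES = {"cidr:/etc/postfix/postscreen_access.cidr": parse_cidr_table("""
# Rules are evaluated in the order as specified.
# Blacklist 192.168.* except 192.168.0.1.
192.168.0.1     dunno
192.168.0.0/16  reject
""")}

def decide(client_ip):
    """Decision for one client under the constructed configuration."""
    return postscreen_access_decision(client_ip, ACCESS_LIST, TABLES, MYNETWORKS)
```

With the configuration above, 192.168.0.1 hits the table's "dunno", returns to the outer list and ends at the implicit "dunno", so it is subjected to the greeting tests rather than whitelisted.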
4045
4047 The action that postscreen(8) takes when a remote SMTP client sends a
4048 bare newline character, that is, a newline not preceded by carriage
4049 return. Specify one of the following:
4050
4051 ignore Ignore the failure of this test. Allow other tests to complete.
Do not repeat this test before the result from some other
4053 test expires. This option is useful for testing and collecting
4054 statistics without blocking mail permanently.
4055
4056 enforce
4057 Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient
information. Repeat this test the next time the client connects.
4060
4061 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4062 this test the next time the client connects.
4063
4064 This feature is available in Postfix 2.8.
4065
4067 Enable "bare newline" SMTP protocol tests in the postscreen(8) server.
4068 These tests are expensive: a remote SMTP client must disconnect after
4069 it passes the test, before it can talk to a real Postfix SMTP server.
4070
4071 This feature is available in Postfix 2.8.
4072
The amount of time that postscreen(8) will use the result from a
successful "bare newline" SMTP protocol test. During this time, the client
4076 IP address is excluded from this test. The default is long because a
4077 remote SMTP client must disconnect after it passes the test, before it
4078 can talk to a real Postfix SMTP server.
4079
4080 Specify a non-zero time value (an integral value plus an optional one-
4081 letter suffix that specifies the time unit). Time units: s (seconds),
4082 m (minutes), h (hours), d (days), w (weeks).
4083
4084 This feature is available in Postfix 2.8.
4085
The action that postscreen(8) takes when a remote SMTP client is
permanently blacklisted with the postscreen_access_list parameter. Specify
4089 one of the following:
4090
4091 ignore (default)
4092 Ignore this result. Allow other tests to complete. Repeat this
4093 test the next time the client connects. This option is useful
4094 for testing and collecting statistics without blocking mail.
4095
4096 enforce
4097 Allow other tests to complete. Reject attempts to deliver mail
4098 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4099 mation. Repeat this test the next time the client connects.
4100
4101 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4102 this test the next time the client connects.
4103
4104 This feature is available in Postfix 2.8.
4105
4107 The amount of time between postscreen(8) cache cleanup runs. Cache
4108 cleanup increases the load on the cache database and should therefore
4109 not be run frequently. This feature requires that the cache database
4110 supports the "delete" and "sequence" operators. Specify a zero inter‐
4111 val to disable cache cleanup.
4112
4113 After each cache cleanup run, the postscreen(8) daemon logs the number
4114 of entries that were retained and dropped. A cleanup run is logged as
4115 "partial" when the daemon terminates early after "postfix reload",
4116 "postfix stop", or no requests for $max_idle seconds.
4117
4118 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4119
4120 This feature is available in Postfix 2.8.
4121
4123 Persistent storage for the postscreen(8) server decisions.
4124
4125 To share a postscreen(8) cache between multiple postscreen(8)
4126 instances, use "postscreen_cache_map = proxy:btree:/path/to/file".
4127 This requires Postfix version 2.9 or later; earlier proxymap(8) imple‐
4128 mentations don't support cache cleanup. For an alternative approach see
4129 the memcache_table(5) manpage.
4130
4131 This feature is available in Postfix 2.8.
4132
4134 The amount of time that postscreen(8) will cache an expired temporary
4135 whitelist entry before it is removed. This prevents clients from being
4136 logged as "NEW" just because their cache entry expired an hour ago. It
4137 also prevents the cache from filling up with clients that passed some
4138 deep protocol test once and never came back.
4139
4140 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4141
4142 This feature is available in Postfix 2.8.
4143
4145 tion_count_limit)
4146 How many simultaneous connections any remote SMTP client is allowed to
4147 have with the postscreen(8) daemon. By default, this limit is the same
4148 as with the Postfix SMTP server. Note that the triage process can take
4149 several seconds, with the time spent in postscreen_greet_wait delay,
4150 and with the time spent talking to the postscreen(8) built-in dummy
4151 SMTP protocol engine.
4152
4153 This feature is available in Postfix 2.8.
4154
4156 The limit on the total number of commands per SMTP session for
4157 postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers
4158 or rejects all attempts to deliver mail, therefore there is no need to
4159 enforce separate limits on the number of junk commands and error com‐
4160 mands.
4161
4162 This feature is available in Postfix 2.8.
4163
4165 A mechanism to transform commands from remote SMTP clients. See
4166 smtpd_command_filter for further details.
4167
4168 This feature is available in Postfix 2.8 and later.
4169
4171 The time limit to read an entire command line with postscreen(8)'s
4172 built-in SMTP protocol engine.
4173
4174 This feature is available in Postfix 2.8.
4175
4177 Disable the SMTP VRFY command in the postscreen(8) daemon. See dis‐
4178 able_vrfy_command for details.
4179
4180 This feature is available in Postfix 2.8.
4181
4183 card_ehlo_keyword_address_maps)
4184 Lookup tables, indexed by the remote SMTP client address, with case
4185 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
4186 that the postscreen(8) server will not send in the EHLO response to a
4187 remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
4188 table is not searched by hostname for robustness reasons.
4189
4190 This feature is available in Postfix 2.8 and later.
4191
4193 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
4194 etc.) that the postscreen(8) server will not send in the EHLO response
4195 to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4196
4197 This feature is available in Postfix 2.8 and later.
4198
4200 The action that postscreen(8) takes when a remote SMTP client's com‐
4201 bined DNSBL score is equal to or greater than a threshold (as defined
4202 with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4203 ters). Specify one of the following:
4204
4205 ignore (default)
4206 Ignore the failure of this test. Allow other tests to complete.
4207 Repeat this test the next time the client connects. This option
4208 is useful for testing and collecting statistics without blocking
4209 mail.
4210
4211 enforce
4212 Allow other tests to complete. Reject attempts to deliver mail
4213 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4214 mation. Repeat this test the next time the client connects.
4215
4216 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4217 this test the next time the client connects.
4218
4219 This feature is available in Postfix 2.8.
4220
4222 A mapping from the actual DNSBL domain name, which includes a secret
4223 password, to the DNSBL domain name that postscreen(8) will reply with
4224 when it rejects mail. When no mapping is found, the actual DNSBL domain
4225 will be used.
4226
4227 For maximal stability it is best to use a file that is read into memory
4228 such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
4229 except a) there is no need to run postmap(1) before the file can be
4230 used, and b) texthash: does not detect changes after the file is read).
4231
4232 Example:
4233
4234 /etc/postfix/main.cf:
4235 postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4236
4237 /etc/postfix/dnsbl_reply:
4238 secret.zen.spamhaus.org zen.spamhaus.org
4239
4240 This feature is available in Postfix 2.8.
4241
4243 Optional list of DNS white/blacklist domains, filters and weight fac‐
4244 tors. When the list is non-empty, the dnsblog(8) daemon will query
4245 these domains with the IP addresses of remote SMTP clients, and
4246 postscreen(8) will update an SMTP client's DNSBL score with each non-
4247 error reply.
4248
4249 Caution: when postscreen rejects mail, it replies with the DNSBL domain
4250 name. Use the postscreen_dnsbl_reply_map feature to hide "password"
4251 information in DNSBL domain names.
4252
4253 When a client's score is equal to or greater than the threshold speci‐
4254 fied with postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4255 nection with the remote SMTP client.
4256
4257 Specify a list of domain=filter*weight entries, separated by comma or
4258 whitespace.
4259
4260 · When no "=filter" is specified, postscreen(8) will use any non-
4261 error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
4262 replies that match the filter. The filter has the form d.d.d.d,
4263 where each d is a number, or a pattern inside [] that contains
4264 one or more ";"-separated numbers or number..number ranges.
4265
4266 · When no "*weight" is specified, postscreen(8) increments the
4267 remote SMTP client's DNSBL score by 1. Otherwise, the weight
4268 must be an integral number, and postscreen(8) adds the specified
4269 weight to the remote SMTP client's DNSBL score. Specify a nega‐
4270 tive number for whitelisting.
4271
4272 · When one postscreen_dnsbl_sites entry produces multiple DNSBL
4273 responses, postscreen(8) applies the weight at most once.
4274
4275 Examples:
4276
4277 To use example.com as a high-confidence blocklist, and to block mail
4278 with example.net and example.org only when both agree:
4279
4280 postscreen_dnsbl_threshold = 2
4281 postscreen_dnsbl_sites = example.com*2, example.net, example.org
4282
4283 To filter only DNSBL replies containing 127.0.0.4:
4284
4285 postscreen_dnsbl_sites = example.com=127.0.0.4
4286
4287 This feature is available in Postfix 2.8.
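
The following is an added worked example (not part of the postconf(5) manual and not Postfix's own code) that models how the postscreen_dnsbl_sites, postscreen_dnsbl_threshold and postscreen_dnsbl_reply_map settings above combine: it parses "domain=filter*weight" entries, matches DNSBL replies against "d.d.d.d" filters with "[n;n..m]" fields, counts each site's weight at most once, compares the score with the threshold, and maps a "secret" DNSBL domain to the public name that would appear in a reject reply. All domain names, replies and settings in it are constructed placeholders; the real daemon performs the DNS lookups through dnsblog(8), which this example replaces with a dictionary of pre-recorded answers.

```python
import re

# Constructed sample settings (not from any real site). "secret.zen.example.com"
# stands in for a DNSBL domain that embeds an access key; the reply map hides it.
POSTSCREEN_DNSBL_SITES = (
    "secret.zen.example.com*2, bl.example.net=127.0.0.[2;10..11], wl.example.org*-3"
)
POSTSCREEN_DNSBL_THRESHOLD = 2
POSTSCREEN_DNSBL_REPLY_MAP = {"secret.zen.example.com": "zen.example.com"}


def parse_site(entry):
    """Split one domain=filter*weight entry; filter and weight are optional."""
    weight = 1
    if "*" in entry:
        entry, weight_text = entry.rsplit("*", 1)
        weight = int(weight_text)          # weight must be an integral number
    filt = None
    if "=" in entry:
        entry, filt = entry.split("=", 1)
    return entry, filt, weight


def parse_sites(value):
    """Entries are separated by comma and/or whitespace."""
    return [parse_site(e) for e in re.split(r"[,\s]+", value.strip()) if e]


def octet_matches(pattern, octet):
    """One filter field: a plain number, or [..] holding ';'-separated
    numbers and number..number ranges."""
    if pattern.startswith("[") and pattern.endswith("]"):
        for alt in pattern[1:-1].split(";"):
            if ".." in alt:
                lo, hi = alt.split("..", 1)
                if int(lo) <= octet <= int(hi):
                    return True
            elif int(alt) == octet:
                return True
        return False
    return int(pattern) == octet


def reply_matches(filt, reply):
    """No filter: any non-error reply counts. Otherwise the reply's four
    octets must match the four filter fields. Fields are split on dots
    that are outside [] so that a 10..11 range is not cut in half."""
    if filt is None:
        return True
    fields = re.findall(r"\[[^\]]*\]|[^.]+", filt)
    octets = [int(o) for o in reply.split(".")]
    if len(fields) != 4 or len(octets) != 4:
        return False
    return all(octet_matches(f, o) for f, o in zip(fields, octets))


def dnsbl_score(sites, replies):
    """replies maps DNSBL domain -> list of A records returned for the client.
    A site entry contributes its weight at most once, however many
    responses it produced."""
    score = 0
    hits = []
    for domain, filt, weight in sites:
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            score += weight
            hits.append(domain)
    return score, hits


def decide(replies, sites_value=POSTSCREEN_DNSBL_SITES,
           threshold=POSTSCREEN_DNSBL_THRESHOLD,
           reply_map=POSTSCREEN_DNSBL_REPLY_MAP):
    """Return (blocked, score, public_names). public_names are the domains
    a reject reply could cite after the reply map is applied, so the
    password-bearing domain name never leaves the server."""
    score, hits = dnsbl_score(parse_sites(sites_value), replies)
    public = [reply_map.get(d, d) for d in hits]
    return score >= threshold, score, public


if __name__ == "__main__":
    # Constructed lookup results for one client address.
    print(decide({"secret.zen.example.com": ["127.0.0.2", "127.0.0.4"]}))
    print(decide({"bl.example.net": ["127.0.0.3"]}))
```

The negative weight on the whitelist entry shows why a trusted DNSWL can cancel out a blocklist hit, and the two-record reply for the high-confidence list shows the "weight at most once" rule in action.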
4288
4290 The inclusive lower bound for blocking a remote SMTP client, based on
4291 its combined DNSBL score as defined with the postscreen_dnsbl_sites
4292 parameter.
4293
4294 This feature is available in Postfix 2.8.
4295
4297 The amount of time that postscreen(8) will use the result from a suc‐
4298 cessful DNS blocklist test. During this time, the client IP address is
4299 excluded from this test. The default is relatively short, because a
4300 good client can immediately talk to a real Postfix SMTP server.
4301
4302 Specify a non-zero time value (an integral value plus an optional one-
4303 letter suffix that specifies the time unit). Time units: s (seconds),
4304 m (minutes), h (hours), d (days), w (weeks).
4305
4306 This feature is available in Postfix 2.8.
4307
4309 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
4310 require that clients use TLS encryption. See
4311 smtpd_postscreen_enforce_tls for details.
4312
4313 This feature is available in Postfix 2.8 and later. Preferably, use
4314 postscreen_tls_security_level instead.
4315
4317 List of characters that are permitted in postscreen_reject_footer
4318 attribute expansions. See smtpd_expansion_filter for further details.
4319
4320 This feature is available in Postfix 2.8 and later.
4321
4323 List of commands that the postscreen(8) server considers in violation
4324 of the SMTP protocol. See smtpd_forbidden_commands for syntax, and
4325 postscreen_non_smtp_command_action for possible actions.
4326
4327 This feature is available in Postfix 2.8.
4328
4330 The action that postscreen(8) takes when a remote SMTP client speaks
4331 before its turn within the time specified with the
4332 postscreen_greet_wait parameter. Specify one of the following:
4333
4334 ignore (default)
4335 Ignore the failure of this test. Allow other tests to complete.
4336 Repeat this test the next time the client connects. This option
4337 is useful for testing and collecting statistics without blocking
4338 mail.
4339
4340 enforce
4341 Allow other tests to complete. Reject attempts to deliver mail
4342 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4343 mation. Repeat this test the next time the client connects.
4344
4345 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4346 this test the next time the client connects.
4347
4348 In either case, postscreen(8) will not whitelist the remote SMTP client
4349 IP address.
4350
4351 This feature is available in Postfix 2.8.
4352
4354 The text in the optional "220-text..." server response that
4355 postscreen(8) sends ahead of the real Postfix SMTP server's "220
4356 text..." response, in an attempt to confuse bad SMTP clients so that
4357 they speak before their turn (pre-greet). Specify an empty value to
4358 disable this feature.
4359
4360 This feature is available in Postfix 2.8.
4361
4363 The amount of time that postscreen(8) will use the result from a suc‐
4364 cessful PREGREET test. During this time, the client IP address is
4365 excluded from this test. The default is relatively short, because a
4366 good client can immediately talk to a real Postfix SMTP server.
4367
4368 Specify a non-zero time value (an integral value plus an optional one-
4369 letter suffix that specifies the time unit). Time units: s (seconds),
4370 m (minutes), h (hours), d (days), w (weeks).
4371
4372 This feature is available in Postfix 2.8.
4373
4375 The amount of time that postscreen(8) will wait for an SMTP client to
4376 send a command before its turn, and for DNS blocklist lookup results to
4377 arrive (default: up to 2 seconds under stress, up to 6 seconds other‐
4378 wise).
4379
4380 Specify a non-zero time value (an integral value plus an optional one-
4381 letter suffix that specifies the time unit).
4382
4383 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4384
4385 This feature is available in Postfix 2.8.
4386
4388 Require that a remote SMTP client sends HELO or EHLO before commencing
4389 a MAIL transaction.
4390
4391 This feature is available in Postfix 2.8.
4392
4394 The action that postscreen(8) takes when a remote SMTP client sends
4395 non-SMTP commands as specified with the postscreen_forbidden_commands
4396 parameter. Specify one of the following:
4397
4398 ignore Ignore the failure of this test. Allow other tests to complete.
4399 Do not repeat this test before the result from some other
4400 test expires. This option is useful for testing and collecting
4401 statistics without blocking mail permanently.
4402
4403 enforce
4404 Allow other tests to complete. Reject attempts to deliver mail
4405 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4406 mation. Repeat this test the next time the client connects.
4407
4408 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4409 this test the next time the client connects. This action is the
4410 same as with the Postfix SMTP server's smtpd_forbidden_commands
4411 feature.
4412
4413 This feature is available in Postfix 2.8.
4414
4416 Enable "non-SMTP command" tests in the postscreen(8) server. These
4417 tests are expensive: a client must disconnect after it passes the test,
4418 before it can talk to a real Postfix SMTP server.
4419
4420 This feature is available in Postfix 2.8.
4421
4423 The amount of time that postscreen(8) will use the result from a suc‐
4424 cessful "non_smtp_command" SMTP protocol test. During this time, the
4425 client IP address is excluded from this test. The default is long
4426 because a client must disconnect after it passes the test, before it
4427 can talk to a real Postfix SMTP server.
4428
4429 Specify a non-zero time value (an integral value plus an optional one-
4430 letter suffix that specifies the time unit). Time units: s (seconds),
4431 m (minutes), h (hours), d (days), w (weeks).
4432
4433 This feature is available in Postfix 2.8.
4434
4436 The action that postscreen(8) takes when a remote SMTP client sends
4437 multiple commands instead of sending one command and waiting for the
4438 server to respond. Specify one of the following:
4439
4440 ignore Ignore the failure of this test. Allow other tests to complete.
4441 Do not repeat this test before the result from some other
4442 test expires. This option is useful for testing and collecting
4443 statistics without blocking mail permanently.
4444
4445 enforce
4446 Allow other tests to complete. Reject attempts to deliver mail
4447 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4448 mation. Repeat this test the next time the client connects.
4449
4450 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4451 this test the next time the client connects.
4452
4453 This feature is available in Postfix 2.8.
4454
4456 Enable "pipelining" SMTP protocol tests in the postscreen(8) server.
4457 These tests are expensive: a good client must disconnect after it
4458 passes the test, before it can talk to a real Postfix SMTP server.
4459
4460 This feature is available in Postfix 2.8.
4461
4463 The amount of time that postscreen(8) will use the result from a suc‐
4464 cessful "pipelining" SMTP protocol test. During this time, the client
4465 IP address is excluded from this test. The default is long because a
4466 good client must disconnect after it passes the test, before it can
4467 talk to a real Postfix SMTP server.
4468
4469 Specify a non-zero time value (an integral value plus an optional one-
4470 letter suffix that specifies the time unit). Time units: s (seconds),
4471 m (minutes), h (hours), d (days), w (weeks).
4472
4473 This feature is available in Postfix 2.8.
4474
4476 The number of clients that can be waiting for service from a real Post‐
4477 fix SMTP server process. When this queue is full, all clients will
4478 receive a 421 response.
4479
4480 This feature is available in Postfix 2.8.
4481
4483 The number of non-whitelisted clients that can be waiting for a deci‐
4484 sion whether they will receive service from a real Postfix SMTP server
4485 process. When this queue is full, all non-whitelisted clients will
4486 receive a 421 response.
4487
4488 This feature is available in Postfix 2.8.
4489
4491 Optional information that is appended after a 4XX or 5XX postscreen(8)
4492 server response. See smtpd_reject_footer for further details.
4493
4494 This feature is available in Postfix 2.8 and later.
4495
4497 The SMTP TLS security level for the postscreen(8) server; when a non-
4498 empty value is specified, this overrides the obsolete parameters
4499 postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_secu‐
4500 rity_level for details.
4501
4502 This feature is available in Postfix 2.8 and later.
4503
4505 The name of the proxy protocol used by an optional before-postscreen
4506 proxy agent. When a proxy agent is used, this protocol conveys local
4507 and remote address and port information. Specify
4508 "postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
4509 protocol.
4510
4511 This feature is available in Postfix 2.10 and later.
4512
4514 The time limit for the proxy protocol specified with the
4515 postscreen_upstream_proxy_protocol parameter.
4516
4517 This feature is available in Postfix 2.10 and later.
4518
4520 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
4521 but do not require that clients use TLS encryption.
4522
4523 This feature is available in Postfix 2.8 and later. Preferably, use
4524 postscreen_tls_security_level instead.
4525
4527 How much time a postscreen(8) process may take to respond to a remote
4528 SMTP client command or to perform a cache operation before it is termi‐
4529 nated by a built-in watchdog timer. This is a safety mechanism that
4530 prevents postscreen(8) from becoming non-responsive due to a bug in
4531 Postfix itself or in system software. To avoid false alarms and unnec‐
4532 essary cache corruption this limit cannot be set under 10s.
4533
4534 Specify a non-zero time value (an integral value plus an optional one-
4535 letter suffix that specifies the time unit). Time units: s (seconds),
4536 m (minutes), h (hours), d (days), w (weeks).
4537
4538 This feature is available in Postfix 2.8.
4539
4541 A list of local postscreen(8) server IP addresses where a non-
4542 whitelisted remote SMTP client can obtain postscreen(8)'s temporary
4543 whitelist status. This status is required before the client can talk to
4544 a Postfix SMTP server process. By default, a client can obtain
4545 postscreen(8)'s whitelist status on any local postscreen(8) server IP
4546 address.
4547
4548 When postscreen(8) listens on both primary and backup MX addresses, the
4549 postscreen_whitelist_interfaces parameter can be configured to give the
4550 temporary whitelist status only when a client connects to a primary MX
4551 address. Once a client is whitelisted it can talk to a Postfix SMTP
4552 server on any address. Thus, clients that connect only to backup MX
4553 addresses will never become whitelisted, and will never be allowed to
4554 talk to a Postfix SMTP server process.
4555
4556 Specify a list of network addresses or network/netmask patterns, sepa‐
4557 rated by commas and/or whitespace. The netmask specifies the number of
4558 bits in the network part of a host address. Continue long lines by
4559 starting the next line with whitespace.
4560
4561 You can also specify "/file/name" or "type:table" patterns. A
4562 "/file/name" pattern is replaced by its contents; a "type:table" lookup
4563 table is matched when a table entry matches a lookup string (the lookup
4564 result is ignored).
4565
4566 The list is matched left to right, and the search stops on the first
4567 match. Specify "!pattern" to exclude an address or network block from
4568 the list.
4569
4570 Note: IP version 6 address information must be specified inside [] in
4571 the postscreen_whitelist_interfaces value, and in files specified with
4572 "/file/name". IP version 6 addresses contain the ":" character, and
4573 would otherwise be confused with a "type:table" pattern.
4574
4575 Example:
4576
4577 /etc/postfix/main.cf:
4578 # Don't whitelist connections to the backup IP address.
4579 postscreen_whitelist_interfaces = !168.100.189.8, static:all
4580
4581 This feature is available in Postfix 2.9 and later.
4582
4584 The message delivery contexts where the Postfix local(8) delivery agent
4585 prepends a Delivered-To: message header with the address that the mail
4586 was delivered to. This information is used for mail delivery loop
4587 detection.
4588
4589 By default, the Postfix local delivery agent prepends a Delivered-To:
4590 header when forwarding mail and when delivering to file (mailbox) and
4591 command. Turning off the Delivered-To: header when forwarding mail is
4592 not recommended.
4593
4594 Specify zero or more of forward, file, or command.
4595
4596 Example:
4597
4598 prepend_delivered_header = forward
4599
4601 The process ID of a Postfix command or daemon process.
4602
4604 The location of Postfix PID files relative to $queue_directory. This
4605 is a read-only parameter.
4606
4608 The process name of a Postfix command or daemon process.
4609
4611 What address lookup tables copy an address extension from the lookup
4612 key to the lookup result.
4613
4614 For example, with a virtual(5) mapping of "joe@example.com =>
4615 joe.user@example.net", the address "joe+foo@example.com" would rewrite
4616 to "joe.user+foo@example.net".
4617
4618 Specify zero or more of canonical, virtual, alias, forward, include or
4619 generic. These cause address extension propagation with canonical(5),
4620 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
4621 file lookups, and with smtp(8) generic maps, respectively.
4622
4623 Note: enabling this feature for types other than canonical and virtual
4624 is likely to cause problems when mail is forwarded to other sites,
4625 especially with mail that is sent to a mailing list exploder address.
4626
4627 Examples:
4628
4629 propagate_unmatched_extensions = canonical, virtual, alias,
4630 forward, include
4631 propagate_unmatched_extensions = canonical, virtual
4632
4634 The network interface addresses that this mail system receives mail on
4635 by way of a proxy or network address translation unit.
4636
4637 This feature is available in Postfix 2.0 and later.
4638
4639 You must specify your "outside" proxy/NAT addresses when your system is
4640 a backup MX host for other domains, otherwise mail delivery loops will
4641 happen when the primary MX host is down.
4642
4643 Example:
4644
4645 proxy_interfaces = 1.2.3.4
4646
4648 The lookup tables that the proxymap(8) server is allowed to access for
4649 the read-only service. Table references that don't begin with proxy:
4650 are ignored.
4651
4652 This feature is available in Postfix 2.0 and later.
4653
4655 The lookup tables that the proxymap(8) server is allowed to access for
4656 the read-write service. Postfix-owned local database files should be
4657 stored under the Postfix-owned data_directory. Table references that
4658 don't begin with proxy: are ignored.
4659
4660 This feature is available in Postfix 2.5 and later.
4661
4663 The name of the proxymap read-only table lookup service. This service
4664 is normally implemented by the proxymap(8) daemon.
4665
4666 This feature is available in Postfix 2.6 and later.
4667
4669 The name of the proxywrite read-write table lookup service. This ser‐
4670 vice is normally implemented by the proxymap(8) daemon.
4671
4672 This feature is available in Postfix 2.6 and later.
4673
4675 The minimal delay between warnings that a specific destination is clog‐
4676 ging up the Postfix active queue. Specify 0 to disable.
4677
4678 This feature is enabled with the helpful_warnings parameter.
4679
4680 This feature is available in Postfix 2.0 and later.
4681
4683 How much time a Postfix queue manager process may take to handle a
4684 request before it is terminated by a built-in watchdog timer.
4685
4686 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4687 The default time unit is s (seconds).
4688
4689 This feature is available in Postfix 2.8 and later.
4690
4692 Obsolete feature: the percentage of delivery resources that a busy mail
4693 system will use up for delivery of a large mailing list message.
4694
4695 This feature exists only in the oqmgr(8) old queue manager. The current
4696 queue manager solves the problem in a better way.
4697
4699 The time limit for the queue manager to send or receive information
4700 over an internal communication channel. The purpose is to break out of
4701 deadlock situations. If the time limit is exceeded the software either
4702 retries or aborts the operation.
4703
4704 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4705 The default time unit is s (seconds).
4706
4707 This feature is available in Postfix 2.8 and later.
4708
4710 The maximal number of messages in the active queue.
4711
4713 The maximal number of recipients held in memory by the Postfix queue
4714 manager, and the maximal size of the short-term, in-memory "dead" des‐
4715 tination status cache.
4716
4718 The minimal number of in-memory recipients for any message. This takes
4719 priority over any other in-memory recipient limits (i.e., the global
4720 qmgr_message_recipient_limit and the per transport _recipient_limit) if
4721 necessary. The minimum value allowed for this parameter is 1.
4722
4724 What remote QMQP clients are allowed to connect to the Postfix QMQP
4725 server port.
4726
4727 By default, no client is allowed to use the service. This is because
4728 the QMQP server will relay mail to any destination.
4729
4730 Specify a list of client patterns. A list pattern specifies a host
4731 name, a domain name, an internet address, or a network/mask pattern,
4732 where the mask specifies the number of bits in the network part. When
4733 a pattern specifies a file name, its contents are substituted for the
4734 file name; when a pattern is a "type:table" table specification, table
4735 lookup is used instead.
4736
4737 Patterns are separated by whitespace and/or commas. In order to reverse
4738 the result, precede a pattern with an exclamation point (!). The form
4739 "!/file/name" is supported only in Postfix version 2.4 and later.
4740
4741 Example:
4742
4743 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
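
Both postscreen_whitelist_interfaces (above) and qmqpd_authorized_clients use the same address-list syntax: patterns separated by commas and/or whitespace, searched left to right with the first match deciding, "!pattern" to exclude, network/netmask prefixes, and IPv6 addresses inside []. The following is an added example (not part of the manual and not Postfix's own matcher) that implements those rules with Python's ipaddress module and reproduces the two documented examples. It supports address, network/prefix, bracketed IPv6 and the static: table type (which matches every lookup key); host name and domain patterns, "/file/name" and other "type:table" lookups are deliberately left out, and a bare IPv6 address without [] is rejected for the reason the manual gives.

```python
import ipaddress
import re


def parse_pattern(token):
    """Return (negate, network) for one list element; network None means
    'matches any address' (used for static:all). Unsupported forms raise."""
    negate = token.startswith("!")
    if negate:
        token = token[1:]
    if token.startswith("static:"):
        return negate, None
    # A bare ':' outside [] would be read as a type:table pattern, which is
    # exactly the ambiguity the manual warns about for IPv6 addresses.
    if token.startswith("/") or (":" in token and not token.startswith("[")):
        raise ValueError("pattern not supported in this example: " + token)
    if token.startswith("["):
        close = token.index("]")
        address, tail = token[1:close], token[close + 1:]
        prefix = tail[1:] if tail.startswith("/") else None
    elif "/" in token:
        address, prefix = token.split("/", 1)
    else:
        address, prefix = token, None
    spec = address if prefix is None else address + "/" + prefix
    # strict=False accepts host bits set inside the network part (10.0.0.1/24)
    return negate, ipaddress.ip_network(spec, strict=False)


def parse_list(value):
    """Patterns are separated by commas and/or whitespace."""
    return [parse_pattern(t) for t in re.split(r"[,\s]+", value.strip()) if t]


def address_matches(value, client):
    """Left-to-right search that stops on the first matching pattern.
    A matching '!pattern' excludes the address; no match at all means the
    address is not in the list."""
    ip = ipaddress.ip_address(client)
    for negate, net in parse_list(value):
        hit = net is None or (ip.version == net.version and ip in net)
        if hit:
            return not negate
    return False


if __name__ == "__main__":
    # The manual's own examples, evaluated for a few constructed client addresses.
    whitelist_interfaces = "!168.100.189.8, static:all"
    qmqpd_clients = "!192.168.0.1, 192.168.0.0/24"
    print(address_matches(whitelist_interfaces, "168.100.189.8"))   # backup MX: no
    print(address_matches(whitelist_interfaces, "192.0.2.10"))      # any other: yes
    print(address_matches(qmqpd_clients, "192.168.0.77"))           # in /24: yes
    print(address_matches(qmqpd_clients, "192.168.0.1"))            # excluded: no
```

Because the search stops at the first match, the order matters: writing "static:all, !168.100.189.8" would grant whitelist status on every interface, since the catch-all is consulted first.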
4744
4746 Enable logging of the remote QMQP client port in addition to the host‐
4747 name and IP address. The logging format is "host[address]:port".
4748
4749 This feature is available in Postfix 2.5 and later.
4750
4752 How long the Postfix QMQP server will pause before sending a negative
4753 reply to the remote QMQP client. The purpose is to slow down confused
4754 or malicious clients.
4755
4756 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4757 The default time unit is s (seconds).
4758
4760 The time limit for sending or receiving information over the network.
4761 If a read or write operation blocks for more than $qmqpd_timeout sec‐
4762 onds the Postfix QMQP server gives up and disconnects.
4763
4764 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4765 The default time unit is s (seconds).
4766
4768 The location of the Postfix top-level queue directory. This is the root
4769 directory of Postfix daemon processes that run chrooted.
4770
4772 The maximal number of (name=value) attributes that may be stored in a
4773 Postfix queue file. The limit is enforced by the cleanup(8) server.
4774
4775 This feature is available in Postfix 2.0 and later.
4776
4778 The minimal amount of free space in bytes in the queue file system that
4779 is needed to receive mail. This is currently used by the Postfix SMTP
4780 server to decide if it will accept any mail at all.
4781
4782 By default, the Postfix SMTP server rejects MAIL FROM commands when the
4783 amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
4784 sion 2.1 and later). To specify a higher minimum free space limit,
4785 specify a queue_minfree value that is at least 1.5*$message_size_limit.
4786
4787 With Postfix versions 2.0 and earlier, a queue_minfree value of zero
4788 means there is no minimum required amount of free space.
4789
4791 The time between deferred queue scans by the queue manager; prior to
4792 Postfix 2.4 the default value was 1000s.
4793
4794 This parameter should be set less than or equal to $minimal_back‐
4795 off_time. See also $maximal_backoff_time.
4796
4797 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4798 The default time unit is s (seconds).
4799
4801 The name of the qmgr(8) service. This service manages the Postfix queue
4802 and schedules delivery requests.
4803
4804 This feature is available in Postfix 2.0 and later.
4805
4807 Optional lookup tables with RBL response templates. The tables are
4808 indexed by the RBL domain name. By default, Postfix uses the default
4809 template as specified with the default_rbl_reply configuration parame‐
4810 ter. See there for a discussion of the syntax of RBL reply templates.
4811
4812 This feature is available in Postfix 2.0 and later.
4813
4815 The location of Postfix README files that describe how to build, con‐
4816 figure or operate a specific Postfix subsystem or feature.
4817
4819 Enable or disable recipient validation, built-in content filtering, or
4820 address mapping. Typically, these are specified in master.cf as com‐
4821 mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
4822
4823 Specify zero or more of the following options. The options override
4824 main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
4825 pickup(8) themselves, or they are forwarded to the cleanup server.
4826
4827 no_unknown_recipient_checks
4828 Do not try to reject unknown recipients (SMTP server only).
4829 This is typically specified AFTER an external content filter.
4830
4831 no_address_mappings
4832 Disable canonical address mapping, virtual alias map expansion,
4833 address masquerading, and automatic BCC (blind carbon-copy)
4834 recipients. This is typically specified BEFORE an external con‐
4835 tent filter.
4836
4837 no_header_body_checks
4838 Disable header/body_checks. This is typically specified AFTER an
4839 external content filter.
4840
4841 no_milters
4842 Disable Milter (mail filter) applications. This is typically
4843 specified AFTER an external content filter.
4844
4845 Note: when the "BEFORE content filter" receive_override_options setting
4846 is specified in the main.cf file, specify the "AFTER content filter"
4847 receive_override_options setting in master.cf (and vice versa).
4848
4849 Examples:
4850
4851 receive_override_options =
4852 no_unknown_recipient_checks, no_header_body_checks
4853 receive_override_options = no_address_mappings
4854
4855 This feature is available in Postfix 2.1 and later.
4856
4858 Optional BCC (blind carbon-copy) address lookup tables, indexed by
4859 recipient address. The BCC address (multiple results are not sup‐
4860 ported) is added when mail enters from outside of Postfix.
4861
4862 This feature is available in Postfix 2.1 and later.
4863
4864 The table search order is as follows:
4865
4866 · Look up the "user+extension@domain.tld" address including the
4867 optional address extension.
4868
4869 · Look up the "user@domain.tld" address without the optional
4870 address extension.
4871
4872 · Look up the "user+extension" address local part when the recipi‐
4873 ent domain equals $myorigin, $mydestination, $inet_interfaces or
4874 $proxy_interfaces.
4875
4876 · Look up the "user" address local part when the recipient domain
4877 equals $myorigin, $mydestination, $inet_interfaces or
4878 $proxy_interfaces.
4879
4880 · Look up the "@domain.tld" part.
4881
4882 Specify the types and names of databases to use. After a change, run
4883 "postmap /etc/postfix/recipient_bcc".
4884
4885 Note: with Postfix 2.3 and later the BCC address is added as if it was
4886 specified with NOTIFY=NONE. The sender will not be notified when the
4887 BCC address is undeliverable, as long as all down-stream software
4888 implements RFC 3461.
4889
4890 Note: with Postfix 2.2 and earlier the sender will be notified when the
4891 BCC address is undeliverable.
4892
4893 Note: automatic BCC recipients are produced only for new mail. To
4894 avoid mailer loops, automatic BCC recipients are not generated after
4895 Postfix forwards mail internally, or after Postfix generates mail
4896 itself.
4897
4898 Example:
4899
4900 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
4901
recipient_canonical_classes
What addresses are subject to recipient_canonical_maps address mapping. By default, recipient_canonical_maps address mapping is applied to envelope recipient addresses, and to header recipient addresses.

Specify one or more of: envelope_recipient, header_recipient

This feature is available in Postfix 2.2 and later.

recipient_canonical_maps
Optional address mapping lookup tables for envelope and header recipient addresses. The table format and lookups are documented in canonical(5).

Note: $recipient_canonical_maps is processed before $canonical_maps.

Example:

recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

recipient_delimiter
The separator between user names and address extensions (user+foo). See canonical(5), local(8), relocated(5) and virtual(5) for the effects this has on aliases, canonical, virtual, relocated and on .forward file lookups. Basically, the software tries user+foo and .forward+foo before trying user and .forward.

Example:

recipient_delimiter = +

reject_code
The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "reject" restriction.

Do not change this unless you have a complete understanding of RFC 5321.

reject_tempfail_action
The Postfix SMTP server's action when a reject-type restriction fails due to a temporary error condition. Specify "defer" to defer the remote SMTP client request immediately. With the default "defer_if_permit" action, the Postfix SMTP server continues to look for opportunities to reject mail, and defers the client request only if it would otherwise be accepted.

For finer control, see: unverified_recipient_tempfail_action, unverified_sender_tempfail_action, unknown_address_tempfail_action, and unknown_helo_hostname_tempfail_action.

This feature is available in Postfix 2.6 and later.

relay_clientcerts
List of tables with remote SMTP client-certificate fingerprints or public key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP server will allow access with the permit_tls_clientcerts feature. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5).

Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g. the name of the user or host:

D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

Example:

relay_clientcerts = hash:/etc/postfix/relay_clientcerts

For more fine-grained control, use check_ccert_access to select an appropriate access(5) policy for each client. See RESTRICTION_CLASS_README.

Note: Postfix 2.9.0–2.9.5 computed the public key fingerprint incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or later.

This feature is available with Postfix version 2.2.

relay_destination_concurrency_limit ($default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination via the relay message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

This feature is available in Postfix 2.0 and later.

relay_destination_recipient_limit ($default_destination_recipient_limit)
The maximal number of recipients per message for the relay message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

Setting this parameter to a value of 1 changes the meaning of relay_destination_concurrency_limit from concurrency per domain into concurrency per recipient.

This feature is available in Postfix 2.0 and later.

relay_domains
What destination domains (and subdomains thereof) this system will relay mail to. Subdomain matching is controlled with the parent_domain_matches_subdomains parameter. For details about how the relay_domains value is used, see the description of the permit_auth_destination and reject_unauth_destination SMTP recipient restrictions.

Domains that match $relay_domains are delivered with the $relay_transport mail delivery transport. The SMTP server validates recipient addresses with $relay_recipient_maps and rejects non-existent recipients. See also the relay domains address class in the ADDRESS_CLASS_README file.

Note: Postfix will not automatically forward mail for domains that list this system as their primary or backup MX host. See the permit_mx_backup restriction in the postconf(5) manual page.

Specify a list of host or domain names, "/file/name" patterns or "type:table" lookup tables, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a (parent) domain appears as lookup key. Specify "!pattern" to exclude a domain from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

relay_domains_reject_code
The numerical Postfix SMTP server response code when a client request is rejected by the reject_unauth_destination recipient restriction.

Do not change this unless you have a complete understanding of RFC 5321.

relay_recipient_maps
Optional lookup tables with all valid addresses in the domains that match $relay_domains. Specify @domain as a wild-card for domains that have no valid recipient list; such domains become a source of backscatter mail: Postfix accepts spam for non-existent recipients and then floods innocent people with undeliverable mail. Technically, tables listed with $relay_recipient_maps are used as lists: Postfix needs to know only if a lookup string is found or not, but it does not use the result from table lookup.

If this parameter is non-empty, then the Postfix SMTP server will reject mail to unknown relay users. This feature is off by default.

See also the relay domains address class in the ADDRESS_CLASS_README file.

Example:

relay_recipient_maps = hash:/etc/postfix/relay_recipients

This feature is available in Postfix 2.0 and later.

relay_transport
The default mail delivery transport and next-hop destination for remote delivery to domains listed with $relay_domains. In order of decreasing precedence, the nexthop destination is taken from $relay_transport, $sender_dependent_relayhost_maps, $relayhost, or from the recipient domain. This information can be overruled with the transport(5) table.

Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. The :nexthop destination is optional; its syntax is documented in the manual page of the corresponding delivery agent.

See also the relay domains address class in the ADDRESS_CLASS_README file.

This feature is available in Postfix 2.0 and later.

relayhost
The next-hop destination of non-local mail; overrides non-local domains in recipient addresses. This information is overruled with relay_transport, sender_dependent_default_transport_maps, default_transport, sender_dependent_relayhost_maps and with the transport(5) table.

On an intranet, specify the organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet gateway host instead.

In the case of SMTP, specify a domain name, hostname, hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port. The form [hostname] turns off MX lookups.

If you're connected via UUCP, see the UUCP_README file for useful information.

Examples:

relayhost = $mydomain
relayhost = [gateway.example.com]
relayhost = uucphost
relayhost = [an.ip.add.ress]

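An added example (not Postfix code) that parses the relayhost forms listed above, including the [host] form that turns MX lookups off and the $name parameter reference used in "relayhost = $mydomain"; PARAMS is a constructed stand-in for main.cf, and the NextHop type and parse_relayhost function are this example's own names.

```python
# Added example, not Postfix code: a parser for the relayhost forms this
# entry lists (domain name, hostname, hostname:port, [hostname]:port,
# [hostaddress], [hostaddress]:port) plus the $name/${name}/$(name)
# parameter references that "relayhost = $mydomain" relies on. PARAMS is a
# constructed stand-in for main.cf; NextHop.mx_lookup records that a host
# written inside [] turns MX lookups off. Numeric ports only; symbolic
# service names are left out of this example.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed main.cf values, used only for $name expansion here.
PARAMS = {"mydomain": "example.com", "myhostname": "mx1.example.com"}

# $name, ${name} or $(name); "$$" is handled separately in expand().
_REF = re.compile(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))")


def expand(value: str, params=PARAMS) -> str:
    """Expand parameter references; "$$" yields a literal "$"."""
    def repl(m: re.Match) -> str:
        name = m.group(1) or m.group(2) or m.group(3)
        return params.get(name, "")
    # Hide "$$" from the reference regex, then restore it as one "$".
    return _REF.sub(repl, value.replace("$$", "\0")).replace("\0", "$")


@dataclass
class NextHop:
    host: str
    port: Optional[int]   # None: the delivery agent's default port
    mx_lookup: bool       # False when the host was written inside []


def parse_relayhost(value: str) -> Optional[NextHop]:
    """Parse one relayhost value; None means no relay host (empty value)."""
    value = expand(value).strip()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end < 0:
            raise ValueError(f"unbalanced '[' in relayhost: {value!r}")
        host, rest, mx = value[1:end], value[end + 1:], False
    else:
        host, sep, rest = value.partition(":")
        rest, mx = sep + rest, True
    if not host:
        raise ValueError(f"empty host in relayhost: {value!r}")
    port = None
    if rest:
        if not (rest.startswith(":") and rest[1:].isdigit()):
            raise ValueError(f"bad port in relayhost: {value!r}")
        port = int(rest[1:])
    return NextHop(host, port, mx)


if __name__ == "__main__":
    for raw in ("$mydomain", "[gateway.example.com]", "uucphost",
                "[192.0.2.10]:2525", "smtp.example.net:587", ""):
        print(f"{raw!r:28} -> {parse_relayhost(raw)}")
```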
relocated_maps
Optional lookup tables with new contact information for users or domains that no longer exist. The table format and lookups are documented in relocated(5).

If you use this feature, run "postmap /etc/postfix/relocated" to build the necessary DBM or DB file after change, then "postfix reload" to make the changes visible.

Examples:

relocated_maps = dbm:/etc/postfix/relocated
relocated_maps = hash:/etc/postfix/relocated

remote_header_rewrite_domain
Don't rewrite message headers from remote clients at all when this parameter is empty; otherwise, rewrite message headers and append the specified domain name to incomplete addresses. The local_header_rewrite_clients parameter controls what clients Postfix considers local.

Examples:

The safe setting: append "domain.invalid" to incomplete header addresses from remote SMTP clients, so that those addresses cannot be confused with local addresses.

remote_header_rewrite_domain = domain.invalid

The default, purist, setting: don't rewrite headers from remote clients at all.

remote_header_rewrite_domain =

require_home_directory
Require that a local(8) recipient's home directory exists before mail delivery is attempted. By default this test is disabled. It can be useful for environments that import home directories to the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).

reset_owner_alias
Reset the local(8) delivery agent's idea of the owner-alias attribute, when delivering mail to a child alias that does not have its own owner alias.

This feature is available in Postfix 2.8 and later. With older Postfix releases, the behavior is as if this parameter is set to "yes".

As documented in aliases(5), when an alias name has a companion alias named owner-name, delivery errors will be reported to the owner alias instead of the sender. This configuration is recommended for mailing lists.

A lesser-known property of the owner alias is that it also forces the local(8) delivery agent to write local and remote addresses from alias expansion to a new queue file, instead of attempting to deliver mail to local addresses as soon as they come out of alias expansion.

Writing local addresses from alias expansion to a new queue file allows for robust handling of temporary delivery errors: errors with one local member have no effect on deliveries to other members of the list. On the other hand, delivery to local addresses as soon as they come out of alias expansion is fragile: a temporary error with one local address from alias expansion will cause the entire alias to be expanded repeatedly until the error goes away, or until the message expires in the queue. In that case, a problem with one list member results in multiple message deliveries to other list members.

The default behavior of Postfix 2.8 and later is to keep the owner-alias attribute of the parent alias, when delivering mail to a child alias that does not have its own owner alias. Then, local addresses from that child alias will be written to a new queue file, and a temporary error with one local address will not affect delivery to other mailing list members.

Unfortunately, older Postfix releases reset the owner-alias attribute when delivering mail to a child alias that does not have its own owner alias. The local(8) delivery agent then attempts to deliver local addresses as soon as they come out of child alias expansion. If delivery to any address from child alias expansion fails with a temporary error condition, the entire mailing list may be expanded repeatedly until the mail expires in the queue, resulting in multiple deliveries of the same message to mailing list members.

resolve_dequoted_address
Resolve a recipient address safely instead of correctly, by looking inside quotes.

By default, the Postfix address resolver does not quote the address localpart as per RFC 822, so that additional @ or % or ! operators remain visible. This behavior is safe but it is also technically incorrect.

If you specify "resolve_dequoted_address = no", then the Postfix resolver will not know about additional @ etc. operators in the address localpart. This opens opportunities for obscure mail relay attacks with user@domain@domain addresses when Postfix provides backup MX service for Sendmail systems.

resolve_null_domain
Resolve an address that ends in the "@" null domain as if the local hostname were specified, instead of rejecting the address as invalid.

This feature is available in Postfix 2.1 and later. Earlier versions always resolve the null domain as the local hostname.

The Postfix SMTP server uses this feature to reject mail from or to addresses that end in the "@" null domain, and from addresses that rewrite into a form that ends in the "@" null domain.

resolve_numeric_domain
Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting the address as invalid.

This feature is available in Postfix 2.3 and later.

rewrite_service_name
The name of the address rewriting service. This service rewrites addresses to standard form and resolves them to a (delivery method, next-hop host, recipient) triple.

This feature is available in Postfix 2.0 and later.

sample_directory
The name of the directory with example Postfix configuration files. Starting with Postfix 2.1, these files have been replaced with the postconf(5) manual page.

send_cyrus_sasl_authzid
When authenticating to a remote SMTP or LMTP server with the default setting "no", send no SASL authoriZation ID (authzid); send only the SASL authentiCation ID (authcid) plus the authcid's password.

The non-default setting "yes" enables the behavior of older Postfix versions. These always send a SASL authzid that is equal to the SASL authcid, but this causes interoperability problems with some SMTP servers.

This feature is available in Postfix 2.4.4 and later.

sender_based_routing
This parameter should not be used. It was replaced by sender_dependent_relayhost_maps in Postfix version 2.3.

sender_bcc_maps
Optional BCC (blind carbon-copy) address lookup tables, indexed by sender address. The BCC address (multiple results are not supported) is added when mail enters from outside of Postfix.

This feature is available in Postfix 2.1 and later.

The table search order is as follows:

· Look up the "user+extension@domain.tld" address including the optional address extension.

· Look up the "user@domain.tld" address without the optional address extension.

· Look up the "user+extension" address local part when the sender domain equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

· Look up the "user" address local part when the sender domain equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

· Look up the "@domain.tld" part.

Specify the types and names of databases to use. After change, run "postmap /etc/postfix/sender_bcc".

Note: with Postfix 2.3 and later the BCC address is added as if it were specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all downstream software implements RFC 3461.

Note: with Postfix 2.2 and earlier the sender will be notified when the BCC address is undeliverable.

Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated after Postfix forwards mail internally, or after Postfix generates mail itself.

Example:

sender_bcc_maps = hash:/etc/postfix/sender_bcc

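An added example (not Postfix code) that runs the five-step table search order shared by recipient_bcc_maps and sender_bcc_maps over a constructed in-memory table, so that one can see which key wins for a given address; it assumes recipient_delimiter is "+", case-folded keys, and the constructed LOCAL_DOMAINS set in place of $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces.

```python
# Added example, not Postfix code: the table search order that the
# recipient_bcc_maps and sender_bcc_maps descriptions spell out, run over a
# constructed in-memory table instead of a hash: file. Assumptions:
# recipient_delimiter is "+", hash: lookups are case-insensitive so keys are
# folded to lower case, and LOCAL_DOMAINS stands in for the domains matched
# by $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces.
from typing import Dict, List, Optional

RECIPIENT_DELIMITER = "+"

# Constructed: domains for which the bare local-part lookups apply.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed: what hash:/etc/postfix/sender_bcc (or recipient_bcc) might
# hold, with one key in each form the man page lists.
BCC_TABLE: Dict[str, str] = {
    "ceo+board@example.com": "board-archive@example.com",  # user+ext@domain
    "ceo@example.com": "ceo-archive@example.com",          # user@domain
    "hr+payroll": "payroll-audit@example.com",            # user+ext (local)
    "hr": "hr-audit@example.com",                          # user (local)
    "@partner.example": "partner-archive@example.com",    # @domain
}


def split_address(address: str):
    """Return (user, extension, domain) for user[+extension]@domain.

    The extension is everything after the first delimiter, matching how
    recipient_delimiter splits a local part; absent parts come back as "".
    """
    local, sep, domain = address.lower().rpartition("@")
    if not sep:                       # no "@": the whole string is local
        local, domain = domain, ""
    user, _, ext = local.partition(RECIPIENT_DELIMITER)
    return user, ext, domain


def lookup_keys(address: str, local_domains=LOCAL_DOMAINS) -> List[str]:
    """The keys to try, in the order the man page gives them."""
    user, ext, domain = split_address(address)
    keys = []
    if ext:                           # 1. user+extension@domain.tld
        keys.append(f"{user}{RECIPIENT_DELIMITER}{ext}@{domain}")
    keys.append(f"{user}@{domain}")   # 2. user@domain.tld
    if domain in local_domains:       # 3./4. local part only, local domains
        if ext:
            keys.append(f"{user}{RECIPIENT_DELIMITER}{ext}")
        keys.append(user)
    keys.append(f"@{domain}")         # 5. @domain.tld
    return keys


def bcc_lookup(address: str, table=BCC_TABLE) -> Optional[str]:
    """First key found wins; the man page allows a single BCC result."""
    for key in lookup_keys(address):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for addr in ("CEO+board@example.com", "ceo+other@example.com",
                 "hr+payroll@mail.example.com", "hr@example.com",
                 "anyone@partner.example", "nobody@elsewhere.test"):
        print(f"{addr:30} -> {bcc_lookup(addr)}")
```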
sender_canonical_classes
What addresses are subject to sender_canonical_maps address mapping. By default, sender_canonical_maps address mapping is applied to envelope sender addresses, and to header sender addresses.

Specify one or more of: envelope_sender, header_sender

This feature is available in Postfix 2.2 and later.

sender_canonical_maps
Optional address mapping lookup tables for envelope and header sender addresses. The table format and lookups are documented in canonical(5).

Example: you want to rewrite the SENDER address "user@ugly.domain" to "user@pretty.domain", while still being able to send mail to the RECIPIENT address "user@ugly.domain".

Note: $sender_canonical_maps is processed before $canonical_maps.

Example:

sender_canonical_maps = hash:/etc/postfix/sender_canonical

sender_dependent_default_transport_maps
A sender-dependent override for the global default_transport parameter setting. The tables are searched by the envelope sender address and @domain. A lookup result of DUNNO terminates the search without overriding the global default_transport parameter setting. This information is overruled with the transport(5) table.

Note: this overrides default_transport, not transport_maps, and therefore the expected syntax is that of default_transport, not the syntax of transport_maps. Specifically, this does not support the transport_maps syntax for null transport, null nexthop, or null email addresses.

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

This feature is available in Postfix 2.7 and later.

sender_dependent_relayhost_maps
A sender-dependent override for the global relayhost parameter setting. The tables are searched by the envelope sender address and @domain. A lookup result of DUNNO terminates the search without overriding the global relayhost parameter setting (Postfix 2.6 and later). This information is overruled with relay_transport, sender_dependent_default_transport_maps, default_transport and with the transport(5) table.

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

This feature is available in Postfix 2.3 and later.

sendmail_fix_line_endings
Controls how the Postfix sendmail command converts email message line endings from <CR><LF> into UNIX format (<LF>).

always
    Always convert message lines ending in <CR><LF>. This setting is the default with Postfix 2.9 and later.

strict
    Convert message lines ending in <CR><LF> only if the first input line ends in <CR><LF>. This setting is backwards-compatible with Postfix 2.8 and earlier.

never
    Never convert message lines ending in <CR><LF>. This setting exists for completeness only.

This feature is available in Postfix 2.9 and later.

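An added example (not Postfix code) that applies the three sendmail_fix_line_endings settings to a constructed message with mixed line endings, to make the "strict" first-line rule and the untouched bare-<LF> and mid-line <CR> cases concrete; fix_line_endings and SAMPLE are this example's own names.

```python
# Added example, not Postfix code: the three sendmail_fix_line_endings
# settings applied to a constructed message with mixed line endings.
# "always" converts every line ending in <CR><LF>, "strict" does so only
# when the first input line ends in <CR><LF>, and "never" changes nothing.
MODES = ("always", "strict", "never")


def fix_line_endings(data: bytes, mode: str = "always") -> bytes:
    """Convert <CR><LF> line endings to <LF> according to 'mode'.

    Only a <CR> immediately before <LF> is removed; a bare <LF> line, a
    <CR> inside a line, and bytes after the final <LF> are left as-is.
    """
    if mode not in MODES:
        raise ValueError(f"unknown sendmail_fix_line_endings value: {mode}")
    if mode == "never" or b"\n" not in data:
        return data
    lines = data.split(b"\n")     # every element except the last ended in <LF>
    tail = lines.pop()            # bytes after the final <LF> (often empty)
    if mode == "strict" and not lines[0].endswith(b"\r"):
        return data               # first line decides for the whole message
    fixed = [line[:-1] if line.endswith(b"\r") else line for line in lines]
    return b"\n".join(fixed) + b"\n" + tail


# Constructed input: CRLF headers, one bare-LF body line, an embedded CR.
SAMPLE = b"Subject: test\r\n\r\nline one\r\nbare lf\nkeep\rcr\r\n"

if __name__ == "__main__":
    for mode in MODES:
        print(mode, fix_line_endings(SAMPLE, mode))
```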
sendmail_path
A Sendmail compatibility feature that specifies the location of the Postfix sendmail(1) command. This command can be used to submit mail into the Postfix queue.

service_throttle_time
How long the Postfix master(8) waits before forking a server that appears to be malfunctioning.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

setgid_group
The group ownership of set-gid Postfix commands and of group-writable Postfix directories. When this parameter value is changed you need to re-run "postfix set-permissions" (with Postfix version 2.0 and earlier: "/etc/postfix/post-install set-permissions").

show_user_unknown_table_name
Display the name of the recipient table in the "User unknown" responses. The extra detail makes troubleshooting easier but also reveals information that is nobody else's business.

This feature is available in Postfix 2.0 and later.

showq_service_name
The name of the showq(8) service. This service produces mail queue status reports.

This feature is available in Postfix 2.0 and later.

smtp_address_preference
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client will try first, when a destination has IPv6 and IPv4 addresses with equal MX preference. This feature has no effect unless the inet_protocols setting enables both IPv4 and IPv6. With Postfix 2.8 the default is "ipv6".

Notes for mail delivery between sites that have both IPv4 and IPv6 connectivity:

· The setting "smtp_address_preference = ipv6" is unsafe. It can fail to deliver mail when there is an outage that affects IPv6, while the destination is still reachable over IPv4.

· The setting "smtp_address_preference = any" is safe. With this, mail will eventually be delivered even if there is an outage that affects IPv6 or IPv4, as long as it does not affect both.

This feature is available in Postfix 2.8 and later.

smtp_always_send_ehlo
Always send EHLO at the start of an SMTP session.

With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO only when the word "ESMTP" appears in the server greeting banner (example: 220 spike.porcupine.org ESMTP Postfix).

smtp_bind_address
An optional numerical network address that the Postfix SMTP client should bind to when making an IPv4 connection.

This can be specified in the main.cf file for all SMTP clients, or it can be specified in the master.cf file for a specific client, for example:

/etc/postfix/master.cf:
    smtp ... smtp -o smtp_bind_address=11.22.33.44

Note 1: when inet_interfaces specifies no more than one IPv4 address, and that address is a non-loopback address, it is automatically used as the smtp_bind_address. This supports virtual IP hosting, but can be a problem on multi-homed firewalls. See the inet_interfaces documentation for more detail.

Note 2: address information may be enclosed inside [], but this form is not required here.

smtp_bind_address6
An optional numerical network address that the Postfix SMTP client should bind to when making an IPv6 connection.

This feature is available in Postfix 2.2 and later.

This can be specified in the main.cf file for all SMTP clients, or it can be specified in the master.cf file for a specific client, for example:

/etc/postfix/master.cf:
    smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8

Note 1: when inet_interfaces specifies no more than one IPv6 address, and that address is a non-loopback address, it is automatically used as the smtp_bind_address6. This supports virtual IP hosting, but can be a problem on multi-homed firewalls. See the inet_interfaces documentation for more detail.

Note 2: address information may be enclosed inside [], but this form is not recommended here.

smtp_body_checks
Restricted body_checks(5) tables for the Postfix SMTP client. These tables are searched while mail is being delivered. Actions that change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

smtp_cname_overrides_servername
Allow DNS CNAME records to override the servername that the Postfix SMTP client uses for logging, SASL password lookup, TLS policy decisions, or TLS certificate verification. The value "no" hardens Postfix smtp_tls_per_site hostname-based policies against false hostname information in DNS CNAME records, and makes SASL password file lookups more predictable. This is the default setting as of Postfix 2.3.

This feature is available in Postfix 2.2.9 and later.

smtp_connect_timeout
The Postfix SMTP client time limit for completing a TCP connection, or zero (use the operating system built-in time limit).

When no connection can be made within the deadline, the Postfix SMTP client tries the next address on the mail exchanger list. Specify 0 to disable the time limit (i.e. use whatever timeout is implemented by the operating system).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

smtp_connection_cache_destinations
Permanently enable SMTP connection caching for the specified destinations. With SMTP connection caching, a connection is not closed immediately after completion of a mail transaction. Instead, the connection is kept open for up to $smtp_connection_cache_time_limit seconds. This allows connections to be reused for other deliveries, and can improve mail delivery performance.

Specify a comma or white space separated list of destinations or pseudo-destinations:

· if mail is sent without a relay host: a domain name (the right-hand side of an email address, without the [] around a numeric IP address),

· if mail is sent via a relay host: a relay host name (without [] or non-default TCP port), as specified in main.cf or in the transport map,

· if mail is sent via a UNIX-domain socket: a pathname (without the unix: prefix),

· a /file/name with domain names and/or relay host names as defined above,

· a "type:table" with domain names and/or relay host names on the left-hand side. The right-hand side result from "type:table" lookups is ignored.

This feature is available in Postfix 2.2 and later.

smtp_connection_cache_on_demand
Temporarily enable SMTP connection caching while a destination has a high volume of mail in the active queue. With SMTP connection caching, a connection is not closed immediately after completion of a mail transaction. Instead, the connection is kept open for up to $smtp_connection_cache_time_limit seconds. This allows connections to be reused for other deliveries, and can improve mail delivery performance.

This feature is available in Postfix 2.2 and later.

smtp_connection_cache_reuse_limit
When SMTP connection caching is enabled, the number of times that an SMTP session may be reused before it is closed.

This feature is available in Postfix 2.2. In Postfix 2.3 it is replaced by $smtp_connection_reuse_time_limit.

smtp_connection_cache_time_limit
When SMTP connection caching is enabled, the amount of time that an unused SMTP client socket is kept open before it is closed. Do not specify larger values without permission from the remote sites.

This feature is available in Postfix 2.2 and later.

smtp_connection_reuse_time_limit
The amount of time during which Postfix will use an SMTP connection repeatedly. The timer starts when the connection is initiated (i.e. it includes the connect, greeting and helo latency, in addition to the latencies of subsequent mail delivery transactions).

This feature addresses a performance stability problem with remote SMTP servers. This problem is not specific to Postfix: it can happen when any MTA sends large amounts of SMTP email to a site that has multiple MX hosts.

The problem starts when one of a set of MX hosts becomes slower than the rest. Even though SMTP clients connect to fast and slow MX hosts with equal probability, the slow MX host ends up with more simultaneous inbound connections than the faster MX hosts, because the slow MX host needs more time to serve each client request.

The slow MX host becomes a connection attractor. If one MX host becomes N times slower than the rest, it dominates mail delivery latency unless there are more than N fast MX hosts to counter the effect. And if the number of MX hosts is smaller than N, the mail delivery latency becomes effectively that of the slowest MX host divided by the total number of MX hosts.

The solution uses connection caching in a way that differs from Postfix version 2.2. By limiting the amount of time during which a connection can be used repeatedly (instead of limiting the number of deliveries over that connection), Postfix not only restores fairness in the distribution of simultaneous connections across a set of MX hosts, it also favors deliveries over connections that perform well, which is exactly what we want.

The default reuse time limit, 300s, is comparable to the various smtp transaction timeouts which are fair estimates of maximum excess latency for a slow delivery. Note that hosts may accept thousands of messages over a single connection within the default connection reuse time limit. This number is much larger than the default Postfix version 2.2 limit of 10 messages per cached connection. It may prove necessary to lower the limit to avoid interoperability issues with MTAs that exhibit bugs when many messages are delivered via a single connection. A lower reuse time limit risks losing the benefit of connection reuse when the average connection and mail delivery latency exceeds the reuse time limit.

This feature is available in Postfix 2.3 and later.

smtp_data_done_timeout
The Postfix SMTP client time limit for sending the SMTP ".", and for receiving the remote SMTP server response.

When no response is received within the deadline, a warning is logged that the mail may be delivered multiple times.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

smtp_data_init_timeout
The Postfix SMTP client time limit for sending the SMTP DATA command, and for receiving the remote SMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

smtp_data_xfer_timeout
The Postfix SMTP client time limit for sending the SMTP message content. When the connection makes no progress for more than $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the transfer.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

smtp_defer_if_no_mx_address_found
Defer mail delivery when no MX record resolves to an IP address.

The default (no) is to return the mail as undeliverable. With older Postfix versions the default was to keep trying to deliver the mail until someone fixed the MX record or until the mail was too old.

Note: the Postfix SMTP client always ignores MX records with equal or worse preference than the local MTA itself.

This feature is available in Postfix 2.1 and later.

smtp_destination_concurrency_limit ($default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination via the smtp message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

smtp_destination_recipient_limit ($default_destination_recipient_limit)
The maximal number of recipients per message for the smtp message delivery transport. This limit is enforced by the queue manager. The message delivery transport name is the first field in the entry in the master.cf file.

Setting this parameter to a value of 1 changes the meaning of smtp_destination_concurrency_limit from concurrency per domain into concurrency per recipient.

5646 Lookup tables, indexed by the remote SMTP server address, with case
5647 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
5648 that the Postfix SMTP client will ignore in the EHLO response from a
5649 remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
5650 ble is not indexed by hostname for consistency with smtpd_dis‐
5651 card_ehlo_keyword_address_maps.
5652
5653 This feature is available in Postfix 2.2 and later.
5654
5656 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
5657 etc.) that the Postfix SMTP client will ignore in the EHLO response
5658 from a remote SMTP server.
5659
5660 This feature is available in Postfix 2.2 and later.
5661
5662 Notes:
5663
5664 · Specify the silent-discard pseudo keyword to prevent this action
5665 from being logged.
5666
5667 · Use the smtp_discard_ehlo_keyword_address_maps feature to dis‐
5668 card EHLO keywords selectively.
5669
5671 DNS Resolver options for the Postfix SMTP client. Specify zero or more
5672 of the following options, separated by comma or whitespace. Option
5673 names are case-sensitive. Some options refer to domain names that are
5674 specified in the file /etc/resolv.conf or equivalent.
5675
5676 res_defnames
5677 Append the current domain name to single-component names (those
5678 that do not contain a "." character). This can produce incorrect
5679 results, and is the hard-coded behavior prior to Postfix 2.8.
5680
5681 res_dnsrch
5682 Search for host names in the current domain and in parent
5683 domains. This can produce incorrect results and is therefore not
5684 recommended.
5685
5686 This feature is available in Postfix 2.8 and later.
5687
5689 Enforcement mode: require that remote SMTP servers use TLS encryption,
5690 and never send mail in the clear. This also requires that the remote
5691 SMTP server hostname matches the information in the remote server cer‐
5692 tificate, and that the remote SMTP server certificate was issued by a
5693 CA that is trusted by the Postfix SMTP client. If the certificate
5694 doesn't verify or the hostname doesn't match, delivery is deferred and
5695 mail stays in the queue.
5696
5697 The server hostname is matched against all names provided as dNSNames
5698 in the SubjectAlternativeName. If no dNSNames are specified, the Com‐
5699 monName is checked. The behavior may be changed with the
5700 smtp_tls_enforce_peername option.
5701
5702 This option is useful only if you are definitely sure that you will
5703 only connect to servers that support RFC 2487 _and_ that provide valid
5704 server certificates. Typical use is for clients that send all their
5705 email to a dedicated mailhub.
5706
5707 This feature is available in Postfix 2.2 and later. With Postfix 2.3
5708 and later use smtp_tls_security_level instead.
5709
5711 Optional list of relay hosts for SMTP destinations that can't be found
5712 or that are unreachable. With Postfix 2.2 and earlier this parameter is
5713 called fallback_relay.
5714
5715 By default, mail is returned to the sender when a destination is not
5716 found, and delivery is deferred when a destination is unreachable.
5717
5718 With bulk email deliveries, it can be beneficial to run the fallback
5719 relay MTA on the same host, so that it can reuse the sender IP address.
5720 This speeds up deliveries that are delayed by IP-based reputation sys‐
5721 tems (greylist, etc.).
5722
5723 The fallback relays must be SMTP destinations. Specify a domain, host,
5724 host:port, [host]:port, [address] or [address]:port; the form [host]
5725 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
5726 fix will try them in the specified order.
5727
5728 To prevent mailer loops between MX hosts and fall-back hosts, Postfix
5729 version 2.2 and later will not use the fallback relays for destinations
5730 that it is MX host for (assuming DNS lookup is turned on).
5731
5733 Optional lookup tables that perform address rewriting in the Postfix
5734 SMTP client, typically to transform a locally valid address into a
5735 globally valid address when sending mail across the Internet. This is
5736 needed when the local machine does not have its own Internet domain
5737 name, but uses something like localdomain.local instead.
5738
5739 The table format and lookups are documented in generic(5); examples are
5740 shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
5741 documents.
5742
5743 This feature is available in Postfix 2.2 and later.
5744
5746 Restricted header_checks(5) tables for the Postfix SMTP client. These
5747 tables are searched while mail is being delivered. Actions that change
5748 the delivery time or destination are not available.
5749
5750 This feature is available in Postfix 2.5 and later.
5751
5753 The hostname to send in the SMTP EHLO or HELO command.
5754
5755 The default value is the machine hostname. Specify a hostname or
5756 [ip.add.re.ss].
5757
5758 This information can be specified in the main.cf file for all SMTP
5759 clients, or it can be specified in the master.cf file for a specific
5760 client, for example:
5761
5762 /etc/postfix/master.cf:
5763 mysmtp ... smtp -o smtp_helo_name=foo.bar.com
5764
5765 This feature is available in Postfix 2.0 and later.
5766
5768 The Postfix SMTP client time limit for sending the HELO or EHLO com‐
5769 mand, and for receiving the initial remote SMTP server response.
5770
5771 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5772 The default time unit is s (seconds).
5773
5775 What mechanisms the Postfix SMTP client uses to look up a host's IP
5776 address. This parameter is ignored when DNS lookups are disabled (see:
5777 disable_dns_lookups).
5778
5779 Specify one of the following:
5780
5781 dns Hosts can be found in the DNS (preferred).
5782
5783 native Use the native naming service only (nsswitch.conf, or equivalent
5784 mechanism).
5785
5786 dns, native
5787 Use the native service for hosts not found in the DNS.
5788
5789 This feature is available in Postfix 2.1 and later.
5790
5792 The maximal length of message header and body lines that Postfix will
5793 send via SMTP. This limit does not include the <CR><LF> at the end of
5794 each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to
5795 minimize the damage to MIME formatted mail.
5796
5797 The Postfix limit of 998 characters not including <CR><LF> is consis‐
5798 tent with the SMTP limit of 1000 characters including <CR><LF>. The
5799 Postfix limit was 990 with Postfix 2.8 and earlier.
5800
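As an added illustration (not Postfix code), the following Python folds over-long lines the way this parameter describes: it inserts <CR><LF><SPACE> so that no transmitted line exceeds the limit, measured without the <CR><LF>. It assumes the inserted SPACE counts toward the continuation line's length, a choice made here so that every output line is provably within the limit.

```python
CRLF = b"\r\n"


def fold_line(line: bytes, limit: int = 998) -> bytes:
    """Fold one line (without its trailing CRLF) so that no piece exceeds
    `limit` bytes, joining the pieces with CRLF followed by a SPACE.

    Models the behaviour described for smtp_line_length_limit. The
    continuation piece starts with the inserted SPACE, which this example
    counts toward the limit (an assumption of this example, not a
    statement about Postfix internals).
    """
    if limit < 2:
        raise ValueError("limit must leave room for the folding SPACE")
    if b"\n" in line or b"\r" in line:
        raise ValueError("fold_line expects a single line without CR/LF")
    if len(line) <= limit:
        return line
    pieces = [line[:limit]]
    rest = line[limit:]
    while rest:
        # Each continuation line begins with the inserted SPACE, so only
        # limit - 1 bytes of payload fit on it.
        pieces.append(b" " + rest[: limit - 1])
        rest = rest[limit - 1:]
    return CRLF.join(pieces)


def fold_message(message: bytes, limit: int = 998) -> bytes:
    """Apply fold_line() to every CRLF-separated line of message data.

    For header lines the inserted CRLF SPACE is ordinary header folding;
    for body lines it changes the content, which is why the page calls
    this "minimizing" rather than avoiding damage to MIME mail.
    """
    return CRLF.join(fold_line(line, limit) for line in message.split(CRLF))


def longest_line(message: bytes) -> int:
    """Length of the longest line excluding CRLF, the measure the limit uses."""
    return max(len(line) for line in message.split(CRLF))


def count_lines(message: bytes) -> int:
    """Number of CRLF-separated lines in message data."""
    return len(message.split(CRLF))
```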
The Postfix SMTP client time limit for sending the MAIL FROM command,
and for receiving the remote SMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Restricted mime_header_checks(5) tables for the Postfix SMTP client.
These tables are searched while mail is being delivered. Actions that
change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

The maximal number of MX (mail exchanger) IP addresses that can result
from Postfix SMTP client mail exchanger lookups, or zero (no limit).
Prior to Postfix version 2.3, this limit was disabled by default.

This feature is available in Postfix 2.1 and later.

The maximal number of SMTP sessions per delivery request before the
Postfix SMTP client gives up or delivers to a fall-back relay host, or
zero (no limit). This restriction ignores sessions that fail to
complete the SMTP initial handshake (Postfix version 2.2 and earlier)
or that fail to complete the EHLO and TLS handshake (Postfix version
2.3 and later).

This feature is available in Postfix 2.1 and later.

Restricted nested_header_checks(5) tables for the Postfix SMTP client.
These tables are searched while mail is being delivered. Actions that
change the delivery time or destination are not available.

This feature is available in Postfix 2.5 and later.

Never send EHLO at the start of an SMTP session. See also the
smtp_always_send_ehlo parameter.

Change the behavior of the smtp_*_timeout time limits, from a time
limit per read or write system call, to a time limit to send or receive
a complete record (an SMTP command line, SMTP response line, SMTP
message content line, or TLS protocol message). This limits the impact
from hostile peers that trickle data one byte at a time.

Note: when per-record deadlines are enabled, a short timeout may cause
problems with TLS over very slow network connections. The reasons are
that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
and that an entire TLS protocol message must be sent or received within
the per-record deadline.

This feature is available in Postfix 2.9 and later. With older Postfix
releases, the behavior is as if this parameter is set to "no".

How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.

Choosing a too short time makes this workaround ineffective when
sending large messages over slow network connections.

Lookup tables, indexed by the remote SMTP server address, with
per-destination workarounds for CISCO PIX firewall bugs. The table is
not indexed by hostname for consistency with
smtp_discard_ehlo_keyword_address_maps.

This feature is available in Postfix 2.4 and later.

How long a message must be queued before the Postfix SMTP client turns
on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
through firewalls with "smtp fixup" mode turned on.

By default, the workaround is turned off for mail that is queued for
less than 500 seconds. In other words, the workaround is normally
turned off for the first delivery attempt.

Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
upon the first delivery attempt.

A list that specifies zero or more workarounds for CISCO PIX firewall
bugs. These workarounds are implemented by the Postfix SMTP client.
Workaround names are separated by comma or space, and are case
insensitive. This parameter setting can be overruled with
per-destination smtp_pix_workaround_maps settings.

delay_dotcrlf
    Insert a delay before sending ".<CR><LF>" after the end of the
    message content. The delay is subject to the
    smtp_pix_workaround_delay_time and
    smtp_pix_workaround_threshold_time parameter settings.

disable_esmtp
    Disable all extended SMTP commands: send HELO instead of EHLO.

This feature is available in Postfix 2.4 and later. The default
settings are backwards compatible with earlier Postfix versions.

The Postfix SMTP client time limit for sending the QUIT command, and
for receiving the remote SMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
as required by RFC 5321. This includes putting quotes around an address
localpart that ends in ".".

The default is to comply with RFC 5321. If you have to send mail to a
broken SMTP server, configure a special SMTP client in master.cf:

    /etc/postfix/master.cf:
        broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no

and route mail for the destination in question to the "broken-smtp"
message delivery with a transport(5) table.

This feature is available in Postfix 2.1 and later.

Randomize the order of equal-preference MX host addresses. This is a
performance feature of the Postfix SMTP client.

The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

A mechanism to transform replies from remote SMTP servers one line at a
time. This is a last-resort tool to work around server replies that
break inter-operability with the Postfix SMTP client. Other uses
involve fault injection to test Postfix's handling of invalid
responses.

Notes:

· In the case of a multi-line reply, the Postfix SMTP client uses
  the final reply line's numerical SMTP reply code and enhanced
  status code.

· The numerical SMTP reply code (XYZ) takes precedence over the
  enhanced status code (X.Y.Z). When the enhanced status code
  initial digit differs from the SMTP reply code initial digit, or
  when no enhanced status code is present, the Postfix SMTP client
  uses a generic enhanced status code (X.0.0) instead.

Specify the name of a "type:table" lookup table. The search string is a
single SMTP reply line as received from the remote SMTP server, except
that the trailing <CR><LF> are removed. When the lookup succeeds, the
result replaces the single SMTP reply line.

Examples:

    /etc/postfix/main.cf:
        smtp_reply_filter = pcre:/etc/postfix/reply_filter

    /etc/postfix/reply_filter:
        # Transform garbage into "250-filler..." so that it looks like
        # one line from a multi-line reply. It does not matter what we
        # substitute here as long as it has the right syntax. The Postfix
        # SMTP client will use the final line's numerical SMTP reply
        # code and enhanced status code.
        !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage

This feature is available in Postfix 2.7.

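To see how the reply filter and the two notes above combine, here is an added Python model (not Postfix code) that applies a table equivalent to the pcre example above line by line, then derives the reply code and enhanced status code from the final line, falling back to the generic X.0.0 when the enhanced code is missing or its first digit disagrees. The sample replies are constructed.

```python
import re

# Constructed reply_filter table equivalent to the page's pcre example.
# Each entry is (negated, pattern, replacement); a "!/pattern/" entry applies
# when the pattern does NOT match the reply line.
REPLY_FILTER = [
    (True, re.compile(r"^([2-5][0-9][0-9]($|[- ]))"), "250-filler for garbage"),
]

# "XYZ" reply code, optional "-" (more lines follow) or " " (final line), text.
REPLY_LINE_RE = re.compile(r"^([2-5][0-9][0-9])(?:([- ])(.*))?$")
# Enhanced status code "X.Y.Z" at the start of the reply text, e.g. "2.1.0 Ok".
ENHANCED_RE = re.compile(r"^([2-5])\.\d{1,3}\.\d{1,3}(?=\s|$)")


def apply_reply_filter(line: str, table=REPLY_FILTER) -> str:
    """Return the (possibly rewritten) reply line; the first entry whose
    lookup succeeds wins, and its result replaces the whole line."""
    for negated, pattern, replacement in table:
        matched = pattern.search(line) is not None
        if matched != negated:  # plain entry: matched; "!" entry: not matched
            return replacement
    return line


def resolve_reply(raw_lines, table=REPLY_FILTER):
    """Filter each line, then pick the codes the way the notes describe.

    Returns (reply_code, enhanced_code, filtered_lines). The final line
    decides; its enhanced code is only used when the first digit agrees
    with the numerical reply code, otherwise X.0.0 is substituted.
    """
    lines = [apply_reply_filter(l.rstrip("\r\n"), table) for l in raw_lines]
    final = lines[-1]
    m = REPLY_LINE_RE.match(final)
    if m is None:
        raise ValueError(f"final reply line is not a valid SMTP reply: {final!r}")
    code, text = m.group(1), m.group(3) or ""
    em = ENHANCED_RE.match(text)
    if em is not None and em.group(1) == code[0]:
        enhanced = em.group(0)
    else:
        enhanced = code[0] + ".0.0"
    return code, enhanced, lines
```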
The Postfix SMTP client time limit for sending the RSET command, and
for receiving the remote SMTP server response. The SMTP client sends
RSET in order to finish a recipient address probe, or to verify that a
cached session is still usable.

This feature is available in Postfix 2.1 and later.

An optional table to prevent repeated SASL authentication failures with
the same remote SMTP server hostname, username and password. Each table
(key, value) pair contains a server name, a username and password, and
the full server response. This information is stored when a remote SMTP
server rejects an authentication attempt with a 535 reply code. As
long as the smtp_sasl_password_maps information does not change, and as
long as the smtp_sasl_auth_cache_name information does not expire (see
smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL
authentication attempts with the same server, username and password,
and instead bounces or defers mail as controlled with the
smtp_sasl_auth_soft_bounce configuration parameter.

Use a per-destination delivery concurrency of 1 (for example,
"smtp_destination_concurrency_limit = 1",
"relay_destination_concurrency_limit = 1", etc.), otherwise multiple
delivery agents may experience a login failure at the same time.

The table must be accessed via the proxywrite service, i.e. the map
name must start with "proxy:". The table should be stored under the
directory specified with the data_directory parameter.

This feature uses cryptographic hashing to protect plain-text
passwords, and requires that Postfix is compiled with TLS support.

Example:

    smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache

This feature is available in Postfix 2.5 and later.

The maximal age of an smtp_sasl_auth_cache_name entry before it is
removed.

This feature is available in Postfix 2.5 and later.

Enable SASL authentication in the Postfix SMTP client. By default, the
Postfix SMTP client uses no authentication.

Example:

    smtp_sasl_auth_enable = yes

When a remote SMTP server rejects a SASL authentication request with a
535 reply code, defer mail delivery instead of returning mail as
undeliverable. The latter behavior was hard-coded prior to Postfix
version 2.5.

Note: the setting "yes" overrides the global soft_bounce parameter, but
the setting "no" does not.

Example:

    # Default as of Postfix 2.5
    smtp_sasl_auth_soft_bounce = yes
    # The old hard-coded default
    smtp_sasl_auth_soft_bounce = no

This feature is available in Postfix 2.5 and later.

If non-empty, a Postfix SMTP client filter for the remote SMTP server's
list of offered SASL mechanisms. Different client and server
implementations may support different mechanism lists; by default, the
Postfix SMTP client will use the intersection of the two.
smtp_sasl_mechanism_filter specifies an optional third mechanism list
to intersect with.

Specify mechanism names, "/file/name" patterns or "type:table" lookup
tables. The right-hand side result from "type:table" lookups is
ignored. Specify "!pattern" to exclude a mechanism name from the list.
The form "!/file/name" is supported only in Postfix version 2.4 and
later.

This feature is available in Postfix 2.2 and later.

Examples:

    smtp_sasl_mechanism_filter = plain, login
    smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    smtp_sasl_mechanism_filter = !gssapi, !login, static:rest

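The following added Python model (not Postfix code) works through the first and third examples above: mechanism names and "!" exclusions are tried in order, a "static:" table matches everything with its result ignored, and a name that matches no entry is dropped, which is why the third example needs the trailing "static:rest". The client and server mechanism lists are constructed; "/file/name" patterns are not modelled.

```python
import re


class MechanismFilter:
    """Model of an smtp_sasl_mechanism_filter value (added example).

    Entries are tried in order; the first entry that matches a mechanism
    name decides: a plain entry accepts it, a "!" entry rejects it. A name
    matching no entry is rejected. "/file/name" and non-static "type:table"
    entries are not modelled here and raise ValueError.
    """

    def __init__(self, spec: str):
        self.entries = []  # list of (negated, matcher)
        for token in re.split(r"[\s,]+", spec.strip()):
            if not token:
                continue
            negated = token.startswith("!")
            if negated:
                token = token[1:]
            if token.startswith("static:"):
                # A static: table matches every lookup; its right-hand side
                # (here "rest") is ignored, as the page says.
                self.entries.append((negated, lambda name: True))
            elif ":" in token or token.startswith("/"):
                raise ValueError(f"unsupported pattern in this model: {token}")
            else:
                wanted = token.lower()
                self.entries.append((negated, lambda name, w=wanted: name.lower() == w))

    def allows(self, name: str) -> bool:
        for negated, matcher in self.entries:
            if matcher(name):
                return not negated
        return False


def usable_mechanisms(client_mechs, server_mechs, filter_spec: str = ""):
    """Mechanisms the client may try: the server's offer intersected with
    the client's own list, then with the filter when one is configured.
    Order follows the server's list (a modelling choice; the page does not
    say which mechanism is preferred)."""
    client = {m.upper() for m in client_mechs}
    common = [m.upper() for m in server_mechs if m.upper() in client]
    if not filter_spec.strip():
        return common
    mechanism_filter = MechanismFilter(filter_spec)
    return [m for m in common if mechanism_filter.allows(m)]
```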
6072 Optional Postfix SMTP client lookup tables with one username:password
6073 entry per remote hostname or domain, or sender address when sender-
6074 dependent authentication is enabled. If no username:password entry is
6075 found, then the Postfix SMTP client will not attempt to authenticate to
6076 the remote host.
6077
6078 The Postfix SMTP client opens the lookup table before going to chroot
6079 jail, so you can leave the password file in /etc/postfix.
6080
6082 Implementation-specific information that the Postfix SMTP client passes
6083 through to the SASL plug-in implementation that is selected with
6084 smtp_sasl_type. Typically this specifies the name of a configuration
6085 file or rendezvous point.
6086
6087 This feature is available in Postfix 2.3 and later.
6088
6090 Postfix SMTP client SASL security options; as of Postfix 2.3 the list
6091 of available features depends on the SASL client implementation that is
6092 selected with smtp_sasl_type.
6093
6094 The following security features are defined for the cyrus client SASL
6095 implementation:
6096
6097 Specify zero or more of the following:
6098
6099 noplaintext
6100 Disallow methods that use plaintext passwords.
6101
6102 noactive
6103 Disallow methods subject to active (non-dictionary) attack.
6104
6105 nodictionary
6106 Disallow methods subject to passive (dictionary) attack.
6107
6108 noanonymous
6109 Disallow methods that allow anonymous authentication.
6110
6111 mutual_auth
6112 Only allow methods that provide mutual authentication (not
6113 available with SASL version 1).
6114
6115 Example:
6116
6117 smtp_sasl_security_options = noplaintext
6118
6120 The SASL authentication security options that the Postfix SMTP client
6121 uses for TLS encrypted SMTP sessions.
6122
6123 This feature is available in Postfix 2.2 and later.
6124
6126 rity_options)
6127 The SASL authentication security options that the Postfix SMTP client
6128 uses for TLS encrypted SMTP sessions with a verified server certifi‐
6129 cate.
6130
6131 When mail is sent to the public MX host for the recipient's domain,
6132 server certificates are by default optional, and delivery proceeds even
6133 if certificate verification fails. For delivery via a submission ser‐
6134 vice that requires SASL authentication, it may be appropriate to send
6135 plaintext passwords only when the connection to the server is strongly
6136 encrypted and the server identity is verified.
6137
6138 The smtp_sasl_tls_verified_security_options parameter makes it possible
6139 to only enable plaintext mechanisms when a secure connection to the
6140 server is available. Submission servers subject to this policy must
6141 either have verifiable certificates or offer suitable non-plaintext
6142 SASL mechanisms.
6143
6144 This feature is available in Postfix 2.6 and later.
6145
6147 The SASL plug-in type that the Postfix SMTP client should use for
6148 authentication. The available types are listed with the "postconf -A"
6149 command.
6150
6151 This feature is available in Postfix 2.3 and later.
6152
6154 Whether or not to append the "AUTH=<>" option to the MAIL FROM command
6155 in SASL-authenticated SMTP sessions. The default is not to send this,
6156 to avoid problems with broken remote SMTP servers. Before Postfix 2.9
6157 the behavior is as if "smtp_send_dummy_mail_auth = yes".
6158
6159 This feature is available in Postfix 2.9 and later.
6160
6162 Send the non-standard XFORWARD command when the Postfix SMTP server
6163 EHLO response announces XFORWARD support.
6164
6165 This allows a Postfix SMTP delivery agent, used for injecting mail into
6166 a content filter, to forward the name, address, protocol and HELO name
6167 of the original client to the content filter and downstream queuing
6168 SMTP server. This can produce more useful logging than local‐
6169 host[127.0.0.1] etc.
6170
6171 This feature is available in Postfix 2.1 and later.
6172
6174 Enable sender-dependent authentication in the Postfix SMTP client; this
6175 is available only with SASL authentication, and disables SMTP connec‐
6176 tion caching to ensure that mail from different senders will use the
6177 appropriate credentials.
6178
6179 This feature is available in Postfix 2.3 and later.
6180
6182 Skip SMTP servers that greet with a 4XX status code (go away, try again
6183 later).
6184
6185 By default, the Postfix SMTP client moves on the next mail exchanger.
6186 Specify "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
6187 immediately.
6188
6189 This feature is available in Postfix 2.0 and earlier. Later Postfix
6190 versions always skip remote SMTP servers that greet with a 4XX status
6191 code.
6192
6194 Skip remote SMTP servers that greet with a 5XX status code (go away, do
6195 not try again later).
6196
6197 By default, the Postfix SMTP client moves on the next mail exchanger.
6198 Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
6199 immediately. The default setting is incorrect, but it is what a lot of
6200 people expect to happen.
6201
6203 Do not wait for the response to the SMTP QUIT command.
6204
6206 Time limit for Postfix SMTP client write and read operations during TLS
6207 startup and shutdown handshake procedures.
6208
6209 This feature is available in Postfix 2.2 and later.
6210
6212 A file containing CA certificates of root CAs trusted to sign either
6213 remote SMTP server certificates or intermediate CA certificates. These
6214 are loaded into memory before the smtp(8) client enters the chroot
6215 jail. If the number of trusted roots is large, consider using
6216 smtp_tls_CApath instead, but note that the latter directory must be
6217 present in the chroot jail if the smtp(8) client is chrooted. This file
6218 may also be used to augment the client certificate trust chain, but it
6219 is best to include all the required certificates directly in
6220 $smtp_tls_cert_file.
6221
6222 Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
6223 system-supplied default certificate authority certificates.
6224
6225 Specify "tls_append_default_CA = no" to prevent Postfix from appending
6226 the system-supplied default CAs and trusting third-party certificates.
6227
6228 Example:
6229
6230 smtp_tls_CAfile = /etc/postfix/CAcert.pem
6231
6232 This feature is available in Postfix 2.2 and later.
6233
6235 Directory with PEM format certificate authority certificates that the
6236 Postfix SMTP client uses to verify a remote SMTP server certificate.
6237 Don't forget to create the necessary "hash" links with, for example,
6238 "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
6239
6240 To use this option in chroot mode, this directory (or a copy) must be
6241 inside the chroot jail.
6242
6243 Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
6244 the system-supplied default certificate authority certificates.
6245
6246 Specify "tls_append_default_CA = no" to prevent Postfix from appending
6247 the system-supplied default CAs and trusting third-party certificates.
6248
6249 Example:
6250
6251 smtp_tls_CApath = /etc/postfix/certs
6252
6253 This feature is available in Postfix 2.2 and later.
6254
6256 Try to detect a mail hijacking attack based on a TLS protocol vulnera‐
6257 bility (CVE-2009-3555), where an attacker prepends malicious HELO,
6258 MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. The
6259 attack would succeed with non-Postfix SMTP servers that reply to the
6260 malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
6261 SMTP client TLS session.
6262
6263 This feature is available in Postfix 2.7.
6264
6266 File with the Postfix SMTP client RSA certificate in PEM format. This
6267 file may also contain the Postfix SMTP client private RSA key, and
6268 these may be the same as the Postfix SMTP server RSA certificate and
6269 key file.
6270
6271 Do not configure client certificates unless you must present client TLS
6272 certificates to one or more servers. Client certificates are not usu‐
6273 ally needed, and can cause problems in configurations that work well
6274 without them. The recommended setting is to let the defaults stand:
6275
6276 smtp_tls_cert_file =
6277 smtp_tls_key_file =
6278 smtp_tls_dcert_file =
6279 smtp_tls_dkey_file =
6280 smtp_tls_eccert_file =
6281 smtp_tls_eckey_file =
6282
6283 The best way to use the default settings is to comment out the above
6284 parameters in main.cf if present.
6285
6286 To enable remote SMTP servers to verify the Postfix SMTP client cer‐
6287 tificate, the issuing CA certificates must be made available to the
6288 server. You should include the required certificates in the client cer‐
6289 tificate file, the client certificate first, then the issuing CA(s)
6290 (bottom-up order).
6291
6292 Example: the certificate for "client.example.com" was issued by "inter‐
6293 mediate CA" which itself has a certificate issued by "root CA". Create
6294 the client.pem file with "cat client_cert.pem intermediate_CA.pem
6295 root_CA.pem > client.pem".
6296
6297 If you also want to verify remote SMTP server certificates issued by
6298 these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
6299 which case it is not necessary to have them in the smtp_tls_cert_file,
6300 smtp_tls_dcert_file or smtp_tls_eccert_file.
6301
6302 A certificate supplied here must be usable as an SSL client certificate
6303 and hence pass the "openssl verify -purpose sslclient ..." test.
6304
6305 Example:
6306
6307 smtp_tls_cert_file = /etc/postfix/client.pem
6308
6309 This feature is available in Postfix 2.2 and later.
6310
6312 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
6313 list. As this feature applies to all TLS security levels, it is easy to
6314 create inter-operability problems by choosing a non-default cipher
6315 list. Do not use a non-default TLS cipher list on hosts that deliver
6316 email to the public Internet: you will be unable to send email to
6317 servers that only support the ciphers you exclude. Using a restricted
6318 cipher list may be more appropriate for an internal MTA, where one can
6319 exert some control over the TLS software and settings of the peer
6320 servers.
6321
6322 Note: do not use "" quotes around the parameter value.
6323
6324 This feature is available in Postfix version 2.2. It is not used with
6325 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
6326
6328 The minimum TLS cipher grade that the Postfix SMTP client will use with
6329 opportunistic TLS encryption. Cipher types listed in
6330 smtp_tls_exclude_ciphers are excluded from the base definition of the
6331 selected cipher grade. The default value "export" ensures maximum
6332 inter-operability. Because encryption is optional, stronger controls
6333 are not appropriate, and this setting SHOULD NOT be changed unless the
6334 change is essential.
6335
6336 When TLS is mandatory the cipher grade is chosen via the
6337 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
6338 tax details. See smtp_tls_policy_maps for information on how to config‐
6339 ure ciphers on a per-destination basis.
6340
6341 Example:
6342 smtp_tls_ciphers = export
6343
6344 This feature is available in Postfix 2.6 and later. With earlier Post‐
6345 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
6346 mented, and opportunistic TLS always uses "export" or better (i.e. all)
6347 ciphers.
6348
6350 File with the Postfix SMTP client DSA certificate in PEM format. This
6351 file may also contain the Postfix SMTP client private DSA key.
6352
6353 See the discussion under smtp_tls_cert_file for more details.
6354
6355 Example:
6356
6357 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
6358
6359 This feature is available in Postfix 2.2 and later.
6360
6362 File with the Postfix SMTP client DSA private key in PEM format. This
6363 file may be combined with the Postfix SMTP client DSA certificate file
6364 specified with $smtp_tls_dcert_file.
6365
6366 The private key must be accessible without a pass-phrase, i.e. it must
6367 not be encrypted. File permissions should grant read-only access to the
6368 system superuser account ("root"), and no access to anyone else.
6369
6370 This feature is available in Postfix 2.2 and later.
6371
6373 File with the Postfix SMTP client ECDSA certificate in PEM format.
6374 This file may also contain the Postfix SMTP client ECDSA private key.
6375
6376 See the discussion under smtp_tls_cert_file for more details.
6377
6378 Example:
6379
6380 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
6381
6382 This feature is available in Postfix 2.6 and later, when Postfix is
6383 compiled and linked with OpenSSL 1.0.0 or later.
6384
6386 File with the Postfix SMTP client ECDSA private key in PEM format.
6387 This file may be combined with the Postfix SMTP client ECDSA certifi‐
6388 cate file specified with $smtp_tls_eccert_file.
6389
6390 The private key must be accessible without a pass-phrase, i.e. it must
6391 not be encrypted. File permissions should grant read-only access to the
6392 system superuser account ("root"), and no access to anyone else.
6393
6394 This feature is available in Postfix 2.6 and later, when Postfix is
6395 compiled and linked with OpenSSL 1.0.0 or later.
6396
6398 With mandatory TLS encryption, require that the remote SMTP server
6399 hostname matches the information in the remote SMTP server certificate.
6400 As of RFC 2487 the requirements for hostname checking for MTA clients
6401 are not specified.
6402
6403 This option can be set to "no" to disable strict peer name checking.
6404 This setting has no effect on sessions that are controlled via the
6405 smtp_tls_per_site table.
6406
6407 Disabling the hostname verification can make sense in closed environ‐
6408 ment where special CAs are created. If not used carefully, this option
6409 opens the danger of a "man-in-the-middle" attack (the CommonName of
6410 this attacker will be logged).
6411
6412 This feature is available in Postfix 2.2 and later. With Postfix 2.3
6413 and later use smtp_tls_security_level instead.
6414
6416 List of ciphers or cipher types to exclude from the Postfix SMTP client
6417 cipher list at all TLS security levels. This is not an OpenSSL
6418 cipherlist, it is a simple list separated by whitespace and/or commas.
6419 The elements are a single cipher, or one or more "+" separated cipher
6420 properties, in which case only ciphers matching all the properties are
6421 excluded.
6422
6423 Examples (some of these will cause problems):
6424
6425 smtp_tls_exclude_ciphers = aNULL
6426 smtp_tls_exclude_ciphers = MD5, DES
6427 smtp_tls_exclude_ciphers = DES+MD5
6428 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
6429 smtp_tls_exclude_ciphers = kEDH+aRSA
6430
6431 The first setting disables anonymous ciphers. The next setting dis‐
6432 ables ciphers that use the MD5 digest algorithm or the (single) DES
6433 encryption algorithm. The next setting disables ciphers that use MD5
6434 and DES together. The next setting disables the two ciphers
6435 "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
6436 use "EDH" key exchange with RSA authentication.
6437
6438 This feature is available in Postfix 2.3 and later.
6439
6441 List of acceptable remote SMTP server certificate fingerprints for the
6442 "fingerprint" TLS security level (smtp_tls_security_level =
6443 fingerprint). At this security level, certificate authorities are not used,
6444 and certificate expiration times are ignored. Instead, server certifi‐
6445 cates are verified directly via their certificate fingerprint or public
6446 key fingerprint (Postfix 2.9 and later). The fingerprint is a message
6447 digest of the server certificate (or public key). The digest algorithm
6448 is selected via the smtp_tls_fingerprint_digest parameter.
6449
6450 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
6451 security level, any "match" attributes in that entry specify the list
6452 of valid fingerprints for the corresponding destination. Multiple fin‐
6453 gerprints can be combined with a "|" delimiter in a single match
6454 attribute, or multiple match attributes can be employed.
6455
6456 Example: Certificate fingerprint verification with internal mailhub.
6457 Two matching fingerprints are listed. The relayhost may be multiple
6458 physical hosts behind a load-balancer, each with its own private/public
6459 key and self-signed certificate. Alternatively, a single relayhost may
6460 be in the process of switching from one set of private/public keys to
6461 another, and both keys are trusted just prior to the transition.
6462
6463 relayhost = [mailhub.example.com]
6464 smtp_tls_security_level = fingerprint
6465 smtp_tls_fingerprint_digest = md5
6466 smtp_tls_fingerprint_cert_match =
6467 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
6468 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
6469
6470 Example: Certificate fingerprint verification with selected destina‐
6471 tions. As in the example above, we show two matching fingerprints:
6472
6473 /etc/postfix/main.cf:
6474 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
6475 smtp_tls_fingerprint_digest = md5
6476
6477 /etc/postfix/tls_policy:
6478 example.com fingerprint
6479 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
6480 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
6481
6482 This feature is available in Postfix 2.5 and later.
6483
6485 The message digest algorithm used to construct remote SMTP server cer‐
6486 tificate fingerprints. At the "fingerprint" TLS security level
6487 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
6488 ified by directly matching its certificate fingerprint or its public
6489 key fingerprint (Postfix 2.9 and later). The fingerprint is the message
6490 digest of the server certificate (or its public key) using the selected
6491 algorithm. With a digest algorithm resistant to "second pre-image"
6492 attacks, it is not feasible to create a new public key and a matching
6493 certificate (or public/private key-pair) that has the same fingerprint.
6494
6495 The default algorithm is md5; this is consistent with the backwards
6496 compatible setting of the digest used to verify client certificates in
6497 the SMTP server.
6498
6499 The best practice algorithm is now sha1. Recent advances in hash func‐
6500 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
6501 However, as long as there are no known "second pre-image" attacks
6502 against md5, its use in this context can still be considered safe.
6503
6504 While additional digest algorithms are often available with OpenSSL's
6505 libcrypto, only those used by libssl in SSL cipher suites are available
6506 to Postfix. For now this means just md5 or sha1.
6507
6508 To find the fingerprint of a specific certificate file, with a specific
6509 digest algorithm (replace "-digest" below with "-md5" or "-sha1"), run:
6510
6511 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
6512
6513 The text to the right of "=" sign is the desired fingerprint. For
6514 example:
6515
6516 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
6517 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
6518
6519 To extract the public key fingerprint from an X.509 certificate, you
6520 need to extract the public key from the certificate and compute the
6521 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the
6522 "-pubkey" option of the "x509" command always extracts the public key in
6523 "PEM" format. We pipe the result to another OpenSSL command that
6524 converts the key to DER and then to the "dgst" command to compute the
6525 fingerprint.
6526
6527 The actual command to transform the key to DER format depends on the
6528 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
6529 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
6530 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
6531 ported by 0.9.8), so the "rsa" command is used.
6532
6533 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
6534 $ openssl x509 -in cert.pem -noout -pubkey |
6535 openssl pkey -pubin -outform DER |
6536 openssl dgst -sha1 -c
6537 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
6538
6539 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
6540 $ openssl x509 -in cert.pem -noout -pubkey |
6541 openssl rsa -pubin -outform DER |
6542 openssl dgst -md5 -c
6543 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
6544
6545 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
6546 gerprint and public key fingerprint when the TLS loglevel is 2 or
6547 higher.
6548
6549 Note: Postfix 2.9.0–2.9.5 computed the public key fingerprint
6550 incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
6551 or later.
6552
6553 This feature is available in Postfix 2.5 and later.
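
The script below is an added example; it is not text or code from postconf(5) or the Postfix distribution. It computes, with the openssl command, both fingerprint kinds that smtp_tls_fingerprint_cert_match can list, cross-checks the public-key fingerprint against the private key file, and shows that re-issuing a certificate for the same key changes the certificate fingerprint but not the public-key fingerprint, which is what lets a public-key pin survive a routine renewal. The key and the two certificates are generated on the fly as test material; the name mailhub.example.com is a placeholder. The "pkey" round trip assumes OpenSSL 1.0.0 or later, as noted above.

```sh
#!/bin/sh
# Added example, not part of postconf(5) or Postfix: the two fingerprint
# kinds of the "fingerprint" security level, and why the public-key
# fingerprint is the one that survives certificate re-issue.

# cert_fp DIGEST CERT: certificate fingerprint in the colon-hex form that
# "openssl x509 -fingerprint" prints, folded to upper case like Postfix logs.
cert_fp() {
    openssl x509 -noout -fingerprint "-$1" -in "$2" | sed 's/^.*=//' | tr a-f A-F
}

# pubkey_fp DIGEST CERT: digest over the DER SubjectPublicKeyInfo taken out
# of the certificate, the "public key fingerprint" of Postfix 2.9 and later.
pubkey_fp() {
    openssl x509 -noout -pubkey -in "$2" |
        openssl pkey -pubin -outform DER |
        openssl dgst "-$1" -c | sed 's/^.*= //' | tr a-f A-F
}

# key_fp DIGEST KEY: the same digest computed from the private key file, a
# cross-check that the certificate really carries the key you deployed.
key_fp() {
    openssl pkey -in "$2" -pubout -outform DER |
        openssl dgst "-$1" -c | sed 's/^.*= //' | tr a-f A-F
}

# make_pair DIR: constructed test material, one RSA key plus two self-signed
# certificates for it (the "old" and "new" certificate of a renewal that
# keeps the key). mailhub.example.com is a placeholder name.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj /CN=mailhub.example.com \
        -keyout "$1/key.pem" -out "$1/cert1.pem" 2>/dev/null
    openssl req -x509 -new -key "$1/key.pem" -days 3 \
        -subj /CN=mailhub.example.com -out "$1/cert2.pem" 2>/dev/null
}

# match_setting DIGEST CERT...: main.cf lines that pin the public key behind
# each certificate given, one fingerprint per continuation line.
match_setting() {
    d=$1; shift
    printf 'smtp_tls_fingerprint_digest = %s\n' "$d"
    printf 'smtp_tls_fingerprint_cert_match =\n'
    for c in "$@"; do
        printf '    %s\n' "$(pubkey_fp "$d" "$c")"
    done
}

# Stand-alone demonstration: "sh thisfile.sh demo".
demo() {
    dir=$(mktemp -d) || return 1
    make_pair "$dir"
    echo "cert1 sha1 cert fp:   $(cert_fp sha1 "$dir/cert1.pem")"
    echo "cert2 sha1 cert fp:   $(cert_fp sha1 "$dir/cert2.pem")"
    echo "cert1 sha1 pubkey fp: $(pubkey_fp sha1 "$dir/cert1.pem")"
    echo "cert2 sha1 pubkey fp: $(pubkey_fp sha1 "$dir/cert2.pem")"
    echo "key   sha1 pubkey fp: $(key_fp sha1 "$dir/key.pem")"
    match_setting sha1 "$dir/cert1.pem"
    rm -rf "$dir"
}
case ${1:-} in demo) demo ;; esac
```

The two certificate fingerprints differ because the serial number and validity period differ; the three public-key fingerprints agree. A public-key pin therefore needs updating only when the relayhost changes its key, not at every certificate renewal.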
6554
6556 File with the Postfix SMTP client RSA private key in PEM format. This
6557 file may be combined with the Postfix SMTP client RSA certificate file
6558 specified with $smtp_tls_cert_file.
6559
6560 The private key must be accessible without a pass-phrase, i.e. it must
6561 not be encrypted. File permissions should grant read-only access to the
6562 system superuser account ("root"), and no access to anyone else.
6563
6564 Example:
6565
6566 smtp_tls_key_file = $smtp_tls_cert_file
6567
6568 This feature is available in Postfix 2.2 and later.
6569
6571 Enable additional Postfix SMTP client logging of TLS activity. Each
6572 logging level also includes the information that is logged at a lower
6573 logging level.
6574
6575 0 Log only a summary message on TLS handshake completion —
6576 no logging of remote SMTP server certificate trust-chain verifi‐
6577 cation errors if server certificate verification is not
6578 required. With Postfix 2.8 and earlier, disable logging of TLS
6579 activity.
6580
6581 1 Also log remote SMTP server trust-chain verification errors
6582 and peer certificate summary information. With Postfix 2.8 and
6583 earlier, log TLS handshake and certificate information.
6584
6585 2 Also log levels during TLS negotiation.
6586
6587 3 Also log hexadecimal and ASCII dump of TLS negotiation
6588 process.
6589
6590 4 Also log hexadecimal and ASCII dump of complete transmission
6591 after STARTTLS.
6592
6593 Do not use "smtp_tls_loglevel = 2" or higher except in case of prob‐
6594 lems. Use of loglevel 4 is strongly discouraged.
6595
6596 This feature is available in Postfix 2.2 and later.
6597
6599 The minimum TLS cipher grade that the Postfix SMTP client will use with
6600 mandatory TLS encryption. The default value "medium" is suitable for
6601 most destinations with which you may want to enforce TLS, and is beyond
6602 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
6603 for information on how to configure ciphers on a per-destination basis.
6604
6605 The following cipher grades are supported:
6606
6607 export Enable "EXPORT" grade or better OpenSSL ciphers. This is the
6608 default for opportunistic encryption. It is not recommended for
6609 mandatory encryption unless you must enforce TLS with "crippled"
6610 peers. The underlying cipherlist is specified via the
6611 tls_export_cipherlist configuration parameter, which you are
6612 strongly encouraged to not change.
6613
6614 low Enable "LOW" grade or better OpenSSL ciphers. This setting is
6615 only appropriate for internal mail servers. The underlying
6616 cipherlist is specified via the tls_low_cipherlist configuration
6617 parameter, which you are strongly encouraged to not change.
6618
6619 medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
6620 cipherlist is specified via the tls_medium_cipherlist configura‐
6621 tion parameter, which you are strongly encouraged to not change.
6622
6623 high Enable only "HIGH" grade OpenSSL ciphers. This setting may be
6624 appropriate when all mandatory TLS destinations (e.g. when all
6625 mail is routed to a suitably capable relayhost) support at least
6626 one "HIGH" grade cipher. The underlying cipherlist is specified
6627 via the tls_high_cipherlist configuration parameter, which you
6628 are strongly encouraged to not change.
6629
6630 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
6631 cation without encryption. This setting is only appropriate in
6632 the rare case that all servers are prepared to use NULL ciphers
6633 (not normally enabled in TLS servers). A plausible use-case is
6634 an LMTP server listening on a UNIX-domain socket that is config‐
6635 ured to support "NULL" ciphers. The underlying cipherlist is
6636 specified via the tls_null_cipherlist configuration parameter,
6637 which you are strongly encouraged to not change.
6638
6639 The underlying cipherlists for grades other than "null" include anony‐
6640 mous ciphers, but these are automatically filtered out if the Postfix
6641 SMTP client is configured to verify server certificates. You are very
6642 unlikely to need to take any steps to exclude anonymous ciphers, they
6643 are excluded automatically as necessary. If you must exclude anonymous
6644 ciphers at the "may" or "encrypt" security levels, when the Postfix
6645 SMTP client does not need or use peer certificates, set
6646 "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
6647 when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
6648
6649 This feature is available in Postfix 2.3 and later.
6650
6652 Additional list of ciphers or cipher types to exclude from the Postfix
6653 SMTP client cipher list at mandatory TLS security levels. This list
6654 works in addition to the exclusions listed with
6655 smtp_tls_exclude_ciphers (see there for syntax details).
6656
6657 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
6658 ified on a per-destination basis via the TLS policy "exclude"
6659 attribute. See smtp_tls_policy_maps for notes and examples.
6660
6661 This feature is available in Postfix 2.3 and later.
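
The script below is an added example, not code from postconf(5) or Postfix. It turns a cipher grade (smtp_tls_mandatory_ciphers) plus exclusion lists in the syntax described under smtp_tls_exclude_ciphers and smtp_tls_mandatory_exclude_ciphers into the OpenSSL cipherlist they amount to, and then asks OpenSSL itself which suites survive, so that an exclusion can be checked before it reaches main.cf. One assumption beyond the text: Postfix appends each exclusion element to the grade's cipherlist as "!element", which is why "MD5, DES" removes every suite matching MD5 or DES while "DES+MD5" removes only suites matching both. The grade's base list is read from the running system's tls_<grade>_cipherlist when postconf(1) is installed, and otherwise stood in for by the bare OpenSSL keyword.

```sh
#!/bin/sh
# Added example, not part of postconf(5) or Postfix: from cipher grade and
# Postfix exclusion lists to the OpenSSL cipherlist, and a preview of the
# suites that remain.

# split_list "a, b c": one element per line, separators normalized.
split_list() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# cipherlist BASE EXCLUDES...: BASE with every exclusion element appended
# as "!element" (assumed to be how Postfix applies exclusions).
cipherlist() {
    base=$1; shift
    out=$base
    for excl in "$@"; do
        for e in $(split_list "$excl"); do
            out="$out:!$e"
        done
    done
    printf '%s\n' "$out"
}

# grade_base GRADE: the cipherlist behind a grade (tls_GRADE_cipherlist)
# from postconf, or the bare OpenSSL keyword ("HIGH") as a stand-in when
# postconf is not installed.
grade_base() {
    postconf -h "tls_$1_cipherlist" 2>/dev/null || printf '%s\n' "$1" | tr a-z A-Z
}

# effective GRADE EXCLUDES...: the list handed to OpenSSL for
# smtp_tls_mandatory_ciphers = GRADE after smtp_tls_exclude_ciphers and
# smtp_tls_mandatory_exclude_ciphers have been applied.
effective() {
    grade=$1; shift
    cipherlist "$(grade_base "$grade")" "$@"
}

# preview CIPHERLIST: one "name version Kx= Au= Enc= Mac=" line per suite
# OpenSSL would enable; empty output if OpenSSL rejects the list.
preview() {
    openssl ciphers -v "$1" 2>/dev/null
}

# count_ciphers CIPHERLIST: how many suites the list enables.
count_ciphers() {
    preview "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration: "sh thisfile.sh demo".
case ${1:-} in
    demo)
        echo "high, no exclusions:      $(count_ciphers "$(effective high)") suites"
        echo "high, exclude aNULL:      $(count_ciphers "$(effective high aNULL)") suites"
        echo "medium, exclude MD5, DES: $(count_ciphers "$(effective medium 'MD5, DES')") suites"
        echo "medium, exclude DES+MD5:  $(count_ciphers "$(effective medium 'DES+MD5')") suites"
        preview "$(effective medium 'MD5, DES')" | grep -E 'Mac=MD5|Enc=DES\(' ||
            echo "no MD5 or single-DES suites left"
        ;;
esac
```

The preview is the check worth running: an exclusion that names a property no enabled suite has is harmless, but one that strips every suite a mandatory-TLS destination supports makes delivery to that destination fail rather than fall back to cleartext.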
6662
6664 List of SSL/TLS protocols that the Postfix SMTP client will use with
6665 mandatory TLS encryption. In main.cf the values are separated by
6666 whitespace, commas or colons. In the policy table "protocols" attribute
6667 (see smtp_tls_policy_maps) the only valid separator is colon. An empty
6668 value means allow all protocols. The valid protocol names (see
6669 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
6670
6671 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
6672 "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1
6673 or later, these, or any other new protocol versions, are uncondition‐
6674 ally enabled.
6675
6676 With Postfix >= 2.5 the parameter syntax is expanded to support proto‐
6677 col exclusions. One can now explicitly exclude SSLv2 by setting
6678 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
6679 SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
6680 protocols to include, rather than protocols to exclude, is supported,
6681 but not recommended. The exclusion form more closely matches the behav‐
6682 ior when the OpenSSL library is newer than Postfix.
6683
6684 Since SSL version 2 has known protocol weaknesses and is now depre‐
6685 cated, the default setting excludes "SSLv2". This means that by
6686 default, SSL version 2 will not be used at the "encrypt" security level
6687 and higher.
6688
6689 See the documentation of the smtp_tls_policy_maps parameter and
6690 TLS_README for more information about security levels.
6691
6692 Example:
6693
6694 # Preferred form with Postfix >= 2.5:
6695 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
6696 # Alternative form.
6697 smtp_tls_mandatory_protocols = TLSv1
6698
6699 This feature is available in Postfix 2.3 and later.
6700
6702 Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
6703 is not already enabled for that server.
6704
6705 The logfile record looks like:
6706
6707 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
6708
6709 This feature is available in Postfix 2.2 and later.
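
The script below is an added example, not code from postconf(5) or Postfix. It scans mail logs for the record that smtp_tls_note_starttls_offer writes and ranks remote hosts by how often they offered STARTTLS while mail to them went out in the clear; those hosts are the candidates for a stricter per-destination entry in smtp_tls_policy_maps. The log lines are constructed test input in syslog layout; a real run would read /var/log/mail.log or the journal instead.

```sh
#!/bin/sh
# Added example, not part of postconf(5) or Postfix: find remote servers
# that offered STARTTLS while we delivered in cleartext.

# Constructed sample log; only the "Host offered STARTTLS" records matter.
SAMPLE_LOG='Jun  1 10:00:01 mx postfix/smtp[1234]: Host offered STARTTLS: [mail.example.com]
Jun  1 10:00:05 mx postfix/smtp[1234]: 0A1B2C3D4E: to=<a@example.com>, relay=mail.example.com[192.0.2.25]:25, status=sent (250 ok)
Jun  1 10:01:07 mx postfix/smtp[1299]: Host offered STARTTLS: [mx.example.net]
Jun  1 10:02:09 mx postfix/smtp[1301]: Host offered STARTTLS: [mail.example.com]
Jun  1 10:03:10 mx postfix/smtpd[1400]: connect from unknown[192.0.2.10]'

# starttls_offers: read log lines on stdin; print "COUNT HOST", most
# frequent host first. Only the smtp(8) client record is matched, so
# smtpd(8) lines and delivery status lines are ignored.
starttls_offers() {
    sed -n 's/^.*postfix\/smtp\[[0-9][0-9]*\]: Host offered STARTTLS: \[\(.*\)\]$/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offers_for HOST: how many times HOST offered STARTTLS in the sample.
offers_for() {
    printf '%s\n' "$SAMPLE_LOG" | starttls_offers | awk -v h="$1" '$2 == h { print $1; exit }'
}

# Stand-alone demonstration: "sh thisfile.sh demo".
case ${1:-} in
    demo) printf '%s\n' "$SAMPLE_LOG" | starttls_offers ;;
esac
```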
6710
6712 Optional lookup tables with the Postfix SMTP client TLS usage policy by
6713 next-hop destination and by remote SMTP server hostname. When both
6714 lookups succeed, the more specific per-site policy (NONE, MUST, etc)
6715 overrides the less specific one (MAY), and the more secure per-site
6716 policy (MUST, etc) overrides the less secure one (NONE). With Postfix
6717 2.3 and later smtp_tls_per_site is strongly discouraged: use
6718 smtp_tls_policy_maps instead.
6719
6720 Use of the bare hostname as the per-site table lookup key is discour‐
6721 aged. Always use the full destination nexthop (enclosed in [] with a
6722 possible ":port" suffix). A recipient domain or MX-enabled transport
6723 next-hop with no port suffix may look like a bare hostname, but is
6724 still a suitable destination.
6725
6726 Specify a next-hop destination or server hostname on the left-hand
6727 side; no wildcards are allowed. The next-hop destination is either the
6728 recipient domain, or the destination specified with a transport(5) ta‐
6729 ble, the relayhost parameter, or the relay_transport parameter. On the
6730 right hand side specify one of the following keywords:
6731
6732 NONE Don't use TLS at all. This overrides a less specific MAY lookup
6733 result from the alternate host or next-hop lookup key, and over‐
6734 rides the global smtp_use_tls, smtp_enforce_tls, and
6735 smtp_tls_enforce_peername settings.
6736
6737 MAY Try to use TLS if the server announces support, otherwise use
6738 the unencrypted connection. This has less precedence than a more
6739 specific result (including NONE) from the alternate host or
6740 next-hop lookup key, and has less precedence than the more spe‐
6741 cific global "smtp_enforce_tls = yes" or
6742 "smtp_tls_enforce_peername = yes".
6743
6744 MUST_NOPEERMATCH
6745 Require TLS encryption, but do not require that the remote SMTP
6746 server hostname matches the information in the remote SMTP
6747 server certificate, or that the server certificate was issued by
6748 a trusted CA. This overrides a less secure NONE or a less spe‐
6749 cific MAY lookup result from the alternate host or next-hop
6750 lookup key, and overrides the global smtp_use_tls,
6751 smtp_enforce_tls and smtp_tls_enforce_peername settings.
6752
6753 MUST Require TLS encryption, require that the remote SMTP server
6754 hostname matches the information in the remote SMTP server cer‐
6755 tificate, and require that the remote SMTP server certificate
6756 was issued by a trusted CA. This overrides a less secure NONE
6757 and MUST_NOPEERMATCH or a less specific MAY lookup result from
6758 the alternate host or next-hop lookup key, and overrides the
6759 global smtp_use_tls, smtp_enforce_tls and
6760 smtp_tls_enforce_peername settings.
6761
6762 The above keywords correspond to the "none", "may", "encrypt" and "ver‐
6763 ify" security levels for the new smtp_tls_security_level parameter
6764 introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
6765 of how the policy is specified, the smtp_tls_mandatory_ciphers and
6766 smtp_tls_mandatory_protocols parameters apply when TLS encryption is
6767 mandatory. Connections for which encryption is optional typically
6768 enable all "export" grade and better ciphers (see smtp_tls_ciphers and
6769 smtp_tls_protocols).
6770
6771 As long as no secure DNS lookup mechanism is available, false hostnames
6772 in MX or CNAME responses can change the server hostname that Postfix
6773 uses for TLS policy lookup and server certificate verification. Even
6774 with a perfect match between the server hostname and the server cer‐
6775 tificate, there is no guarantee that Postfix is connected to the right
6776 server. See TLS_README (Closing a DNS loophole with obsolete per-site
6777 TLS policies) for a possible work-around.
6778
6779 This feature is available in Postfix 2.2 and later. With Postfix 2.3
6780 and later use smtp_tls_policy_maps instead.
6781
6783 Optional lookup tables with the Postfix SMTP client TLS security policy
6784 by next-hop destination; when a non-empty value is specified, this
6785 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
6786 a more detailed discussion of TLS security levels.
6787
6788 The TLS policy table is indexed by the full next-hop destination, which
6789 is either the recipient domain, or the verbatim next-hop specified in
6790 the transport table, $local_transport, $virtual_transport,
6791 $relay_transport or $default_transport. This includes any enclosing
6792 square brackets and any non-default destination server port suffix. The
6793 LMTP socket type prefix (inet: or unix:) is not included in the lookup
6794 key.
6795
6796 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
6797 sockets, is used as the nexthop name for certificate verification. The
6798 port and any enclosing square brackets are used in the table lookup
6799 key, but are not used for server name verification.
6800
6801 When the lookup key is a domain name without enclosing square brackets
6802 or any :port suffix (typically the recipient domain), and the full
6803 domain is not found in the table, just as with the transport(5) table,
6804 the parent domain starting with a leading "." is matched recursively.
6805 This allows one to specify a security policy for a recipient domain and
6806 all its sub-domains.
6807
6808 The lookup result is a security level, followed by an optional list of
6809 whitespace and/or comma separated name=value attributes that override
6810 related main.cf settings. The TLS security levels in order of increas‐
6811 ing security are:
6812
6813 none No TLS. No additional attributes are supported at this level.
6814
6815 may Opportunistic TLS. Since sending in the clear is acceptable,
6816 demanding stronger than default TLS security merely reduces
6817 inter-operability. The optional "ciphers", "exclude" and "proto‐
6818 cols" attributes (available for opportunistic TLS with Postfix
6819 >= 2.6) override the "smtp_tls_ciphers",
6820 "smtp_tls_exclude_ciphers" and "smtp_tls_protocols" configura‐
6821 tion parameters. When opportunistic TLS handshakes fail, Postfix
6822 retries the connection with TLS disabled. This allows mail
6823 delivery to sites with non-interoperable TLS implementations.
6824
6825 encrypt
6826 Mandatory TLS encryption. At this level and higher, the optional
6827 "protocols" attribute overrides the main.cf
6828 smtp_tls_mandatory_protocols parameter, the optional "ciphers"
6829 attribute overrides the main.cf smtp_tls_mandatory_ciphers parameter, and the
6830 optional "exclude" attribute (Postfix >= 2.6) overrides the
6831 main.cf smtp_tls_mandatory_exclude_ciphers parameter. In the
6832 policy table, multiple protocols or excluded ciphers must be
6833 separated by colons, as attribute values may not contain white‐
6834 space or commas.
6835
6836 fingerprint
6837 Certificate fingerprint verification. Available with Postfix 2.5
6838 and later. At this security level, there are no trusted certifi‐
6839 cate authorities. The certificate trust chain, expiration date,
6840 ... are not checked. Instead, the optional match attribute, or
6841 else the main.cf smtp_tls_fingerprint_cert_match parameter,
6842 lists the certificate fingerprints or the public key fingerprint
6843 (Postfix 2.9 and later) of the valid server certificate. The
6844 digest algorithm used to calculate the fingerprint is selected
6845 by the smtp_tls_fingerprint_digest parameter. Multiple finger‐
6846 prints can be combined with a "|" delimiter in a single match
6847 attribute, or multiple match attributes can be employed. The ":"
6848 character is not used as a delimiter as it occurs between each
6849 pair of fingerprint (hexadecimal) digits.
6850
6851 verify Mandatory TLS verification. At this security level, DNS MX
6852 lookups are trusted to be secure enough, and the name verified
6853 in the server certificate is usually obtained indirectly via
6854 unauthenticated DNS MX lookups. The optional "match" attribute
6855 overrides the main.cf smtp_tls_verify_cert_match parameter. In
6856 the policy table, multiple match patterns and strategies must be
6857 separated by colons. In practice explicit control over matching
6858 is more common with the "secure" policy, described below.
6859
6860 secure Secure-channel TLS. At this security level, DNS MX lookups,
6861 though potentially used to determine the candidate next-hop
6862 gateway IP addresses, are not trusted to be secure enough for
6863 TLS peername verification. Instead, the default name verified in
6864 the server certificate is obtained directly from the next-hop,
6865 or is explicitly specified via the optional match attribute
6866 which overrides the main.cf smtp_tls_secure_cert_match parame‐
6867 ter. In the policy table, multiple match patterns and strategies
6868 must be separated by colons. The match attribute is most useful
6869 when multiple domains are served by a common server: the policy
6870 entries for the additional domains specify matching rules for the
6871 primary domain's certificate. While transport table overrides
6872 routing the secondary domains to the primary nexthop also allow
6873 secure verification, they risk delivery to the wrong destination
6874 when domains change hands or are re-assigned to new gateways.
6875 With the "match" attribute approach, routing is not perturbed,
6876 and mail is deferred if verification of a new MX host fails.
6877
6878 Example:
6879
6880 /etc/postfix/main.cf:
6881 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
6882 # Postfix 2.5 and later
6883 smtp_tls_fingerprint_digest = md5
6884
6885 /etc/postfix/tls_policy:
6886 example.edu none
6887 example.mil may
6888 example.gov encrypt protocols=TLSv1
6889 example.com verify ciphers=high
6890 example.net secure
6891 .example.net secure match=.example.net:example.net
6892 [mail.example.org]:587 secure match=nexthop
6893 # Postfix 2.5 and later
6894 [thumb.example.org] fingerprint
6895 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
6896 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
6897
6898 Note: The "hostname" strategy, if listed in a non-default setting of
6899 smtp_tls_secure_cert_match or in the "match" attribute of a policy
6900 table entry, can render the "secure" level vulnerable to DNS forgery.
6901 Do not use the hostname strategy for secure-channel configurations in
6902 environments where DNS security is not assured.
6903
6904 This feature is available in Postfix 2.3 and later.
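
The script below is an added example, not code from postconf(5) or Postfix. It is a plain-text model of how smtp_tls_policy_maps keys are matched, for checking a policy table by hand before handing it to postmap(1): the full next-hop, brackets and :port included, is matched verbatim; a bare domain that is not found falls back to its parent domains with a leading "."; a bracketed or port-qualified key never falls back. Two details are assumptions rather than statements of the text: the fallback is taken to start at the parent domain (so "example.net" does not match a ".example.net" entry, consistent with the separate entries in the example above), and lines starting with whitespace are treated as continuations of the previous entry, as in the fingerprint entry above. The sample table is a constructed copy of the page's example.

```sh
#!/bin/sh
# Added example, not part of postconf(5) or Postfix: how a TLS policy
# lookup key finds its table entry.

# policy_exact KEY FILE: print the policy (the entry minus its key) for an
# exact key match, exit 1 when there is none. Comment and blank lines are
# skipped; a line starting with whitespace continues the previous entry.
policy_exact() {
    awk -v k="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); cur = cur " " $0; next }
        { check(); cur = $0 }
        END { check(); if (!found) exit 1 }
        function check(   f) {
            if (found || cur == "") return
            split(cur, f, /[ \t]+/)
            if (f[1] == k) {
                found = 1
                sub(/^[^ \t]+[ \t]+/, "", cur)
                print cur
            }
        }' "$2"
}

# policy_lookup KEY FILE: exact match first, then the ".parent" fallback,
# which applies only to bare domain keys (no "[...]", no ":port").
policy_lookup() {
    policy_exact "$1" "$2" && return 0
    case $1 in
        *\[*|*:*) return 1 ;;
    esac
    rest=$1
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}
        policy_exact ".$rest" "$2" && return 0
    done
    return 1
}

# write_sample_table FILE: constructed copy of the page's example table.
write_sample_table() {
    cat >"$1" <<'EOF'
example.edu     none
example.mil     may
example.gov     encrypt protocols=TLSv1
example.com     verify ciphers=high
example.net     secure
.example.net    secure match=.example.net:example.net
[mail.example.org]:587  secure match=nexthop
# Postfix 2.5 and later
[thumb.example.org] fingerprint
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
EOF
}

# Stand-alone demonstration: "sh thisfile.sh demo".
case ${1:-} in
    demo)
        t=$(mktemp); write_sample_table "$t"
        for k in example.gov mail.example.net example.net \
                 '[mail.example.org]:587' '[mail.example.org]' mail.example.org; do
            printf '%-24s -> %s\n' "$k" "$(policy_lookup "$k" "$t" || echo '(no entry)')"
        done
        rm -f "$t"
        ;;
esac
```

The last two keys in the demonstration are the ones that surprise people: the "[mail.example.org]:587" entry protects only mail that the transport table sends to that exact next-hop, so mail routed by MX lookup to mail.example.org, or to "[mail.example.org]" on the default port, gets no per-destination policy from it.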
6905
6907 List of TLS protocols that the Postfix SMTP client will exclude or
6908 include with opportunistic TLS encryption. Starting with Postfix 2.6,
6909 the Postfix SMTP client will by default not use the obsolete SSLv2 pro‐
6910 tocol.
6911
6912 In main.cf the values are separated by whitespace, commas or colons. In
6913 the policy table (see smtp_tls_policy_maps) the only valid separator is
6914 colon. An empty value means allow all protocols. The valid protocol
6915 names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
6916
6917 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
6918 "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1
6919 or later, these, or any other new protocol versions, are uncondition‐
6920 ally enabled.
6921
6922 To include a protocol list its name, to exclude it, prefix the name
6923 with a "!" character. To exclude SSLv2 even for opportunistic TLS set
6924 "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
6925 "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
6926 to include, rather than protocols to exclude, is supported, but not
6927 recommended. The exclusion form more closely matches the behavior when
6928 the OpenSSL library is newer than Postfix.
6929
6930 Example:
6931 # TLSv1 only!
6932 smtp_tls_protocols = !SSLv2, !SSLv3
6933
6934 This feature is available in Postfix 2.6 and later.
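
The script below is an added example, not code from postconf(5) or Postfix. It models how a Postfix protocol list, whether in smtp_tls_protocols, smtp_tls_mandatory_protocols or a policy-table "protocols" attribute, decides whether a TLS version may be used, following the rules stated above: an empty list allows every version, "!name" excludes a version, a bare name turns the list into an inclusion list, and separators may be whitespace, commas or colons. One assumption beyond the text: when a version is both included and excluded, the exclusion wins. The demonstration evaluates the two settings from the example above first against the versions an older library knew and then against one that added TLSv1.1 and TLSv1.2, which is the case the text's recommendation of the exclusion form is about.

```sh
#!/bin/sh
# Added example, not part of postconf(5) or Postfix: a model of Postfix
# protocol-list evaluation (the real parser lives in Postfix's TLS library).

# proto_allowed "LIST" VERSION: exit 0 if LIST permits VERSION.
proto_allowed() {
    list=$(printf '%s\n' "$1" | tr ',:' '  ')
    version=$2
    has_include=no
    # Pass 1: an explicit "!VERSION" always wins (assumed precedence).
    for item in $list; do
        case $item in
            !*) [ "${item#!}" = "$version" ] && return 1 ;;
            *)  has_include=yes ;;
        esac
    done
    # No bare names listed: everything not excluded is allowed.
    [ "$has_include" = no ] && return 0
    # Pass 2: bare names form an inclusion list; only those are allowed.
    for item in $list; do
        [ "$item" = "$version" ] && return 0
    done
    return 1
}

# allowed_versions "LIST" VERSION...: print, one per line, those of the
# VERSIONs (the set the linked OpenSSL knows) that LIST permits.
allowed_versions() {
    list=$1; shift
    for v in "$@"; do
        proto_allowed "$list" "$v" && printf '%s\n' "$v"
    done
    return 0
}

# Stand-alone demonstration: "sh thisfile.sh demo".
demo() {
    old="SSLv2 SSLv3 TLSv1"
    new="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2"
    for setting in '!SSLv2, !SSLv3' 'TLSv1'; do
        echo "smtp_tls_mandatory_protocols = $setting"
        echo "  library knows $old: $(allowed_versions "$setting" $old | tr '\n' ' ')"
        echo "  library knows $new: $(allowed_versions "$setting" $new | tr '\n' ' ')"
    done
}
case ${1:-} in demo) demo ;; esac
```

With the exclusion form the newer library's TLSv1.1 and TLSv1.2 are usable immediately; with the inclusion form "TLSv1" they stay disabled until someone edits main.cf, which is the behaviour the text above warns about.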
6935
6937 The verification depth for remote SMTP server certificates. A depth of
6938 1 is sufficient if the issuing CA is listed in a local CA file.
6939
6940 The default verification depth is 9 (the OpenSSL default) for compati‐
6941 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
6942 value was 5, but the limit was not actually enforced. If you have set
6943 this to a lower non-default value, certificates with longer trust
6944 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
6945 common, deeper chains are more rare and any number between 5 and 9
6946 should suffice in practice. You can choose a lower number if, for exam‐
6947 ple, you trust certificates directly signed by an issuing CA but not
6948 any CAs it delegates to.
6949
6950 This feature is available in Postfix 2.2 and later.
6951
6953 How the Postfix SMTP client verifies the server certificate peername
6954 for the "secure" TLS security level. In a "secure" TLS policy table
6955 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
6956 this main.cf setting.
6957
6958 This parameter specifies one or more patterns or strategies separated
6959 by commas, whitespace or colons. In the policy table the only valid
6960 separator is the colon character.
6961
6962 For a description of the pattern and strategy syntax see the
6963 smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
6964 avoided in this context, as in the absence of a secure global DNS,
6965 using the results of MX lookups in certificate verification is not
6966 immune to active (man-in-the-middle) attacks on DNS.
6967
6968 Sample main.cf setting:
6969
6970 smtp_tls_secure_cert_match = nexthop
6971
6972 Sample policy table override:
6973
6974 example.net secure match=example.com:.example.com
6975 .example.net secure match=example.com:.example.com
6976
6977 This feature is available in Postfix 2.3 and later.
6978
6980 The default SMTP TLS security level for the Postfix SMTP client; when a
6981 non-empty value is specified, this overrides the obsolete parameters
6982 smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
6983
6984 Specify one of the following security levels:
6985
6986 none TLS will not be used unless enabled for specific destinations
6987 via smtp_tls_policy_maps.
6988
6989 may Opportunistic TLS. Use TLS if this is supported by the remote
6990 SMTP server, otherwise use plaintext. Since sending in the clear
6991 is acceptable, demanding stronger than default TLS security
6992 merely reduces inter-operability. The "smtp_tls_ciphers" and
6993 "smtp_tls_protocols" (Postfix >= 2.6) configuration parameters
6994 provide control over the protocols and cipher grade used with
6995 opportunistic TLS. With earlier releases the opportunistic TLS
6996 cipher grade is always "export" and no protocols are disabled.
6997 When TLS handshakes fail, the connection is retried with TLS
6998 disabled. This allows mail delivery to sites with non-interop‐
6999 erable TLS implementations.
7000
7001 encrypt
7002 Mandatory TLS encryption. Since a minimum level of security is
7003 intended, it is reasonable to be specific about sufficiently
7004 secure protocol versions and ciphers. At this security level and
7005 higher, the main.cf parameters smtp_tls_mandatory_protocols and
7006 smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
7007 cipher grade which the administrator considers secure enough for
7008 mandatory encrypted sessions. This security level is not an
7009 appropriate default for systems delivering mail to the Internet.
7010
7011 fingerprint
7012 Certificate fingerprint verification. Available with Postfix 2.5
7013 and later. At this security level, there are no trusted certifi‐
7014 cate authorities. The certificate trust chain, expiration date,
7015 ... are not checked. Instead, the
7016 smtp_tls_fingerprint_cert_match parameter lists the certificate fingerprint or
7017 public key fingerprint (Postfix 2.9 and later) of the valid
7018 server certificate. The digest algorithm used to calculate the
7019 fingerprint is selected by the smtp_tls_fingerprint_digest
7020 parameter.
7021
7022 verify Mandatory TLS verification. At this security level, DNS MX
7023 lookups are trusted to be secure enough, and the name verified
7024 in the server certificate is usually obtained indirectly via
7025 unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
7026 parameter controls how the server name is verified. In practice
7027 explicit control over matching is more common at the "secure"
7028 level, described below. This security level is not an appropri‐
7029 ate default for systems delivering mail to the Internet.
7030
7031 secure Secure-channel TLS. At this security level, DNS MX lookups,
7032 though potentially used to determine the candidate next-hop
7033 gateway IP addresses, are not trusted to be secure enough for
7034 TLS peername verification. Instead, the default name verified in
7035 the server certificate is obtained from the next-hop domain as
7036 specified in the smtp_tls_secure_cert_match configuration param‐
7037 eter. The default matching rule is that a server certificate
7038 matches when its name is equal to or is a sub-domain of the
7039 nexthop domain. This security level is not an appropriate default
7040 for systems delivering mail to the Internet.
7041
7042 Examples:
7043
7044 # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
7045 smtp_tls_security_level = none
7046
7047 # Opportunistic TLS.
7048 smtp_tls_security_level = may
7049 # Postfix >= 2.6:
7050 # Do not tweak opportunistic ciphers or protocol unless it is essential
7051 # to do so (if a security vulnerability is found in the SSL library that
7052 # can be mitigated by disabling a particular protocol or raising the
7053 # cipher grade from "export" to "low" or "medium").
7054 smtp_tls_ciphers = export
7055 smtp_tls_protocols = !SSLv2
7056
7057 # Mandatory (high-grade) TLS encryption.
7058 smtp_tls_security_level = encrypt
7059 smtp_tls_mandatory_ciphers = high
7060
7061 # Mandatory TLS verification of hostname or nexthop domain.
7062 smtp_tls_security_level = verify
7063 smtp_tls_mandatory_ciphers = high
7064 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
7065
7066 # Secure channel TLS with exact nexthop name match.
7067 smtp_tls_security_level = secure
7068 smtp_tls_mandatory_protocols = TLSv1
7069 smtp_tls_mandatory_ciphers = high
7070 smtp_tls_secure_cert_match = nexthop
7071
7072 # Certificate fingerprint verification (Postfix >= 2.5).
7073 # The CA-less "fingerprint" security level only scales to a limited
7074 # number of destinations. As a global default rather than a per-site
7075 # setting, this is practical when mail for all recipients is sent
7076 # to a central mail hub.
7077 relayhost = [mailhub.example.com]
7078 smtp_tls_security_level = fingerprint
7079 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7080 smtp_tls_mandatory_ciphers = high
7081 smtp_tls_fingerprint_cert_match =
7082 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7083 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7084
7085 This feature is available in Postfix 2.3 and later.
7086
7087 smtp_tls_session_cache_database (default: empty)
7088 Name of the file containing the optional Postfix SMTP client TLS
7089 session cache. Specify a database type that supports enumeration, such as
7090 btree or sdbm; there is no need to support concurrent access. The file
7091 is created if it does not exist. The smtp(8) daemon does not use this
7092 parameter directly; rather, the cache is implemented indirectly in the
7093 tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
7094 of this parameter are not effective. Note that each of the cache
7095 databases supported by the tlsmgr(8) daemon ($smtpd_tls_session_cache_database,
7096 $smtp_tls_session_cache_database and, with Postfix 2.3 and later,
7097 $lmtp_tls_session_cache_database) needs to be stored separately. It is
7098 not at this time possible to store multiple caches in a single
7099 database.
7100
7101 Note: dbm databases are not suitable. TLS session objects are too
7102 large.
7103
7104 As of version 2.5, Postfix no longer uses root privileges when opening
7105 this file. The file should now be stored under the Postfix-owned
7106 data_directory. As a migration aid, an attempt to open the file under a
7107 non-Postfix directory is redirected to the Postfix-owned
7108 data_directory, and a warning is logged.
7109
7110 Example:
7111
7112 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
7113
7114 This feature is available in Postfix 2.2 and later.
7115
7116 smtp_tls_session_cache_timeout
7117 The expiration time of Postfix SMTP client TLS session cache
7118 information. A cache cleanup is performed periodically every
7119 $smtp_tls_session_cache_timeout seconds. As with $smtp_tls_session_cache_database,
7120 this parameter is implemented in the tlsmgr(8) daemon and therefore
7121 per-smtp-instance master.cf overrides are not possible.
7122
7123 This feature is available in Postfix 2.2 and later.
7124
7125 smtp_tls_verify_cert_match
7126 How the Postfix SMTP client verifies the server certificate peername
7127 for the "verify" TLS security level. In a "verify" TLS policy table
7128 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
7129 this main.cf setting.
7130
7131 This parameter specifies one or more patterns or strategies separated
7132 by commas, whitespace or colons. In the policy table the only valid
7133 separator is the colon character.
7134
7135 Patterns specify domain names, or domain name suffixes:
7136
7137 example.com
7138 Match the example.com domain, i.e. one of the names in the server
7139 certificate must be example.com; upper and lower case
7140 distinctions are ignored.
7141
7142 .example.com
7143 Match subdomains of the example.com domain, i.e. match a name in
7144 the server certificate that consists of a non-zero number of
7145 labels followed by a .example.com suffix. Case distinctions are
7146 ignored.
7147
7148 Strategies specify a transformation from the next-hop domain to the
7149 expected name in the server certificate:
7150
7151 nexthop
7152 Match against the next-hop domain, which is either the recipient
7153 domain, or the transport next-hop configured for the domain
7154 stripped of any optional socket type prefix, enclosing square
7155 brackets and trailing port. When MX lookups are not suppressed,
7156 this is the original nexthop domain prior to the MX lookup, not
7157 the result of the MX lookup. For LMTP delivery via UNIX-domain
7158 sockets, the verified next-hop name is $myhostname. This
7159 strategy is suitable for use with the "secure" policy. Case is
7160 ignored.
7161
7162 dot-nexthop
7163 As above, but match server certificate names that are subdomains
7164 of the next-hop domain. Case is ignored.
7165
7166 hostname
7167 Match against the hostname of the server, often obtained via an
7168 unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
7169 sockets, the verified name is $myhostname. This matches the
7170 verification strategy of the "MUST" keyword in the obsolete
7171 smtp_tls_per_site table, and is suitable for use with the
7172 "verify" security level. When the next-hop name is enclosed in
7173 square brackets to suppress MX lookups, the "hostname" strategy
7174 is the same as the "nexthop" strategy. Case is ignored.
7175
7176 Sample main.cf setting:
7177
7178 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
7179
7180 Sample policy table override:
7181
7182 example.com verify match=hostname:nexthop
7183 .example.com verify match=example.com:.example.com:hostname
7184
7185 This feature is available in Postfix 2.3 and later.
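
As an added illustration (not Postfix code), the following Python models the pattern and strategy rules above: next-hop normalisation for the "nexthop", "dot-nexthop" and "hostname" strategies, case-insensitive matching of literal and ".suffix" patterns, and a whole match list written as in main.cf or as a policy-table "match" attribute. The next-hop values, MX host name and certificate names used in it are constructed for the example; Postfix itself takes them from the delivery request, DNS and the server certificate.

```python
import re

# Added example modelling the postconf(5) matching rules; not Postfix source.


def split_match_list(value):
    """main.cf allows commas, whitespace or colons as separators; a policy
    table entry allows only ':'. Both forms are accepted here."""
    return [item for item in re.split(r"[\s,:]+", value.strip()) if item]


def nexthop_domain(nexthop, myhostname):
    """Return (verified next-hop name, mx_suppressed) for the "nexthop"
    strategy: drop an optional socket type prefix, enclosing [] and a
    trailing :port. For LMTP over a UNIX-domain socket the name is
    $myhostname and there is no MX lookup."""
    name = nexthop.strip()
    if name.lower().startswith("unix:"):
        return myhostname.lower(), True
    if name.lower().startswith("inet:"):
        name = name[len("inet:"):]
    if name.startswith("["):
        close = name.find("]")
        if close < 0:
            raise ValueError("unbalanced '[' in next-hop %r" % nexthop)
        return name[1:close].lower(), True      # [] suppresses MX lookups
    if name.count(":") == 1:                    # host:port, not an IPv6 literal
        name = name.rsplit(":", 1)[0]
    return name.lower(), False


def name_matches(cert_name, pattern):
    """Case-insensitive match of one certificate name against one pattern.
    A leading '.' matches one or more labels followed by that suffix."""
    cert_name = cert_name.lower().rstrip(".")
    pattern = pattern.lower()
    if not pattern.startswith("."):
        return cert_name == pattern
    if not cert_name.endswith(pattern):
        return False
    prefix = cert_name[:-len(pattern)]          # the labels before the suffix
    return all(prefix.split("."))               # non-empty, no empty labels


def expected_patterns(match_list, nexthop, hostname, myhostname):
    """Expand strategies into concrete patterns; literal patterns pass through.
    hostname is the server name obtained from the (unauthenticated) MX lookup."""
    nh, mx_suppressed = nexthop_domain(nexthop, myhostname)
    patterns = []
    for item in split_match_list(match_list):
        key = item.lower()
        if key == "nexthop":
            patterns.append(nh)
        elif key == "dot-nexthop":
            patterns.append("." + nh)
        elif key == "hostname":
            # with [] (or a UNIX socket) "hostname" is the same as "nexthop"
            patterns.append(nh if mx_suppressed else hostname.lower())
        else:
            patterns.append(key)
    return patterns


def server_name_verified(cert_names, match_list, nexthop, hostname,
                         myhostname="mta.example.net"):
    """True when any certificate name matches any expanded pattern."""
    patterns = expected_patterns(match_list, nexthop, hostname, myhostname)
    return any(name_matches(n, p) for n in cert_names for p in patterns)


if __name__ == "__main__":
    # Constructed scenario: mail for example.com, the MX lookup returned
    # mx1.mailhost.example, whose certificate carries only its own name.
    cert = ["mx1.mailhost.example"]
    print(server_name_verified(cert, "hostname, nexthop, dot-nexthop",
                               "example.com", "mx1.mailhost.example"))  # True
    # "secure"-style matching refuses the name that came from the MX lookup.
    print(server_name_verified(cert, "nexthop, dot-nexthop",
                               "example.com", "mx1.mailhost.example"))  # False
```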
7186
7187 smtp_use_tls
7188 Opportunistic mode: use TLS when a remote SMTP server announces
7189 STARTTLS support, otherwise send the mail in the clear. Beware: some SMTP
7190 servers offer STARTTLS even if it is not configured. With Postfix <
7191 2.3, if the TLS handshake fails, and no other server is available,
7192 delivery is deferred and mail stays in the queue. If this is a concern
7193 for you, use the smtp_tls_per_site feature instead.
7194
7195 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7196 and later use smtp_tls_security_level instead.
7197
7198 smtp_xforward_timeout
7199 The Postfix SMTP client time limit for sending the XFORWARD command,
7200 and for receiving the remote SMTP server response.
7201
7202 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
7203 The default time unit is s (seconds).
7204
7205 This feature is available in Postfix 2.1 and later.
7206
7207 smtpd_authorized_verp_clients
7208 What remote SMTP clients are allowed to specify the XVERP command.
7209 This command requests that mail be delivered one recipient at a time
7210 with a per-recipient return address.
7211
7212 By default, no clients are allowed to specify XVERP.
7213
7214 This parameter was renamed with Postfix version 2.1. The default value
7215 is backwards compatible with Postfix version 2.0.
7216
7217 Specify a list of network/netmask patterns, separated by commas and/or
7218 whitespace. The mask specifies the number of bits in the network part
7219 of a host address. You can also specify hostnames or .domain names (the
7220 initial dot causes the domain to match any name below it),
7221 "/file/name" or "type:table" patterns. A "/file/name" pattern is
7222 replaced by its contents; a "type:table" lookup table is matched when a
7223 table entry matches a lookup string (the lookup result is ignored).
7224 Continue long lines by starting the next line with whitespace. Specify
7225 "!pattern" to exclude an address or network block from the list. The
7226 form "!/file/name" is supported only in Postfix version 2.4 and later.
7227
7228 Note: IP version 6 address information must be specified inside [] in
7229 the smtpd_authorized_verp_clients value, and in files specified with
7230 "/file/name". IP version 6 addresses contain the ":" character, and
7231 would otherwise be confused with a "type:table" pattern.
7232
7233 smtpd_authorized_xclient_hosts (default: empty)
7234 What remote SMTP clients are allowed to use the XCLIENT feature. This
7235 command overrides remote SMTP client information that is used for
7236 access control. Typical use is for SMTP-based content filters, fetch‐
7237 mail-like programs, or SMTP server access rule testing. See the
7238 XCLIENT_README document for details.
7239
7240 This feature is available in Postfix 2.1 and later.
7241
7242 By default, no clients are allowed to specify XCLIENT.
7243
7244 Specify a list of network/netmask patterns, separated by commas and/or
7245 whitespace. The mask specifies the number of bits in the network part
7246 of a host address. You can also specify hostnames or .domain names (the
7247 initial dot causes the domain to match any name below it),
7248 "/file/name" or "type:table" patterns. A "/file/name" pattern is
7249 replaced by its contents; a "type:table" lookup table is matched when a
7250 table entry matches a lookup string (the lookup result is ignored).
7251 Continue long lines by starting the next line with whitespace. Specify
7252 "!pattern" to exclude an address or network block from the list. The
7253 form "!/file/name" is supported only in Postfix version 2.4 and later.
7254
7255 Note: IP version 6 address information must be specified inside [] in
7256 the smtpd_authorized_xclient_hosts value, and in files specified with
7257 "/file/name". IP version 6 addresses contain the ":" character, and
7258 would otherwise be confused with a "type:table" pattern.
7259
7260 smtpd_authorized_xforward_hosts (default: empty)
7261 What remote SMTP clients are allowed to use the XFORWARD feature. This
7262 command forwards information that is used to improve logging after
7263 SMTP-based content filters. See the XFORWARD_README document for
7264 details.
7265
7266 This feature is available in Postfix 2.1 and later.
7267
7268 By default, no clients are allowed to specify XFORWARD.
7269
7270 Specify a list of network/netmask patterns, separated by commas and/or
7271 whitespace. The mask specifies the number of bits in the network part
7272 of a host address. You can also specify hostnames or .domain names (the
7273 initial dot causes the domain to match any name below it),
7274 "/file/name" or "type:table" patterns. A "/file/name" pattern is
7275 replaced by its contents; a "type:table" lookup table is matched when a
7276 table entry matches a lookup string (the lookup result is ignored).
7277 Continue long lines by starting the next line with whitespace. Specify
7278 "!pattern" to exclude an address or network block from the list. The
7279 form "!/file/name" is supported only in Postfix version 2.4 and later.
7280
7281 Note: IP version 6 address information must be specified inside [] in
7282 the smtpd_authorized_xforward_hosts value, and in files specified with
7283 "/file/name". IP version 6 addresses contain the ":" character, and
7284 would otherwise be confused with a "type:table" pattern.
7285
7286 smtpd_banner
7287 The text that follows the 220 status code in the SMTP greeting banner.
7288 Some people like to see the mail version advertised. By default, Post‐
7289 fix shows no version.
7290
7291 You MUST specify $myhostname at the start of the text. This is required
7292 by the SMTP protocol.
7293
7294 Example:
7295
7296 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
7297
7298 smtpd_client_connection_count_limit
7299 How many simultaneous connections any client is allowed to make to this
7300 service. By default, the limit is set to half the default process
7301 limit value.
7302
7303 To disable this feature, specify a limit of 0.
7304
7305 WARNING: The purpose of this feature is to limit abuse. It must not be
7306 used to regulate legitimate mail traffic.
7307
7308 This feature is available in Postfix 2.2 and later.
7309
7310 smtpd_client_connection_rate_limit (default: 0)
7311 The maximal number of connection attempts any client is allowed to make
7312 to this service per time unit. The time unit is specified with the
7313 anvil_rate_time_unit configuration parameter.
7314
7315 By default, a client can make as many connections per time unit as
7316 Postfix can accept.
7317
7318 To disable this feature, specify a limit of 0.
7319
7320 WARNING: The purpose of this feature is to limit abuse. It must not be
7321 used to regulate legitimate mail traffic.
7322
7323 This feature is available in Postfix 2.2 and later.
7324
7325 Example:
7326
7327 smtpd_client_connection_rate_limit = 1000
7328
7329 smtpd_client_event_limit_exceptions (default: $mynetworks)
7330 Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
7331 tions. See the mynetworks parameter description for the parameter value
7332 syntax.
7333
7334 By default, clients in trusted networks are excluded. Specify a list of
7335 network blocks, hostnames or .domain names (the initial dot causes the
7336 domain to match any name below it).
7337
7338 Note: IP version 6 address information must be specified inside [] in
7339 the smtpd_client_event_limit_exceptions value, and in files specified
7340 with "/file/name". IP version 6 addresses contain the ":" character,
7341 and would otherwise be confused with a "type:table" pattern.
7342
7343 This feature is available in Postfix 2.2 and later.
7344
7345 smtpd_client_message_rate_limit (default: 0)
7346 The maximal number of message delivery requests that any client is
7347 allowed to make to this service per time unit, regardless of whether or
7348 not Postfix actually accepts those messages. The time unit is speci‐
7349 fied with the anvil_rate_time_unit configuration parameter.
7350
7351 By default, a client can send as many message delivery requests per
7352 time unit as Postfix can accept.
7353
7354 To disable this feature, specify a limit of 0.
7355
7356 WARNING: The purpose of this feature is to limit abuse. It must not be
7357 used to regulate legitimate mail traffic.
7358
7359 This feature is available in Postfix 2.2 and later.
7360
7361 Example:
7362
7363 smtpd_client_message_rate_limit = 1000
7364
7365 smtpd_client_new_tls_session_rate_limit (default: 0)
7366 The maximal number of new (i.e., uncached) TLS sessions that a remote
7367 SMTP client is allowed to negotiate with this service per time unit.
7368 The time unit is specified with the anvil_rate_time_unit configuration
7369 parameter.
7370
7371 By default, a remote SMTP client can negotiate as many new TLS sessions
7372 per time unit as Postfix can accept.
7373
7374 To disable this feature, specify a limit of 0. Otherwise, specify a
7375 limit that is at least the per-client concurrent session limit, or else
7376 legitimate client sessions may be rejected.
7377
7378 WARNING: The purpose of this feature is to limit abuse. It must not be
7379 used to regulate legitimate mail traffic.
7380
7381 This feature is available in Postfix 2.3 and later.
7382
7383 Example:
7384
7385 smtpd_client_new_tls_session_rate_limit = 100
7386
7387 smtpd_client_port_logging
7388 Enable logging of the remote SMTP client port in addition to the host‐
7389 name and IP address. The logging format is "host[address]:port".
7390
7391 This feature is available in Postfix 2.5 and later.
7392
7393 smtpd_client_recipient_rate_limit (default: 0)
7394 The maximal number of recipient addresses that any client is allowed to
7395 send to this service per time unit, regardless of whether or not Post‐
7396 fix actually accepts those recipients. The time unit is specified with
7397 the anvil_rate_time_unit configuration parameter.
7398
7399 By default, a client can send as many recipient addresses per time unit
7400 as Postfix can accept.
7401
7402 To disable this feature, specify a limit of 0.
7403
7404 WARNING: The purpose of this feature is to limit abuse. It must not be
7405 used to regulate legitimate mail traffic.
7406
7407 This feature is available in Postfix 2.2 and later.
7408
7409 Example:
7410
7411 smtpd_client_recipient_rate_limit = 1000
7412
7413 smtpd_client_restrictions (default: empty)
7414 Optional restrictions that the Postfix SMTP server applies in the con‐
7415 text of a client connection request. See SMTPD_ACCESS_README, section
7416 "Delayed evaluation of SMTP access restriction lists" for a discussion
7417 of evaluation context and time.
7418
7419 The default is to allow all connection requests.
7420
7421 Specify a list of restrictions, separated by commas and/or whitespace.
7422 Continue long lines by starting the next line with whitespace.
7423 Restrictions are applied in the order as specified; the first restric‐
7424 tion that matches wins.
7425
7426 The following restrictions are specific to client hostname or client
7427 network address information.
7428
7429 check_ccert_access type:table
7430 Use the remote SMTP client certificate fingerprint or the public
7431 key fingerprint (Postfix 2.9 and later) as lookup key for the
7432 specified access(5) database; with Postfix version 2.2, also
7433 require that the remote SMTP client certificate is verified suc‐
7434 cessfully. The fingerprint digest algorithm is configurable via
7435 the smtpd_tls_fingerprint_digest parameter (hard-coded as md5
7436 prior to Postfix version 2.5). This feature is available with
7437 Postfix version 2.2 and later.
7438
7439 check_client_access type:table
7440 Search the specified access database for the client hostname,
7441 parent domains, client IP address, or networks obtained by
7442 stripping least significant octets. See the access(5) manual
7443 page for details.
7444
7445 check_client_mx_access type:table
7446 Search the specified access(5) database for the MX hosts for the
7447 client hostname, and execute the corresponding action. Note: a
7448 result of "OK" is not allowed for safety reasons. Instead, use
7449 DUNNO in order to exclude specific hosts from blacklists. This
7450 feature is available in Postfix 2.7 and later.
7451
7452 check_client_ns_access type:table
7453 Search the specified access(5) database for the DNS servers for
7454 the client hostname, and execute the corresponding action.
7455 Note: a result of "OK" is not allowed for safety reasons.
7456 Instead, use DUNNO in order to exclude specific hosts from
7457 blacklists. This feature is available in Postfix 2.7 and later.
7458
7459 check_reverse_client_hostname_access type:table
7460 Search the specified access database for the unverified reverse
7461 client hostname, parent domains, client IP address, or networks
7462 obtained by stripping least significant octets. See the
7463 access(5) manual page for details. Note: a result of "OK" is
7464 not allowed for safety reasons. Instead, use DUNNO in order to
7465 exclude specific hosts from blacklists. This feature is avail‐
7466 able in Postfix 2.6 and later.
7467
7468 check_reverse_client_hostname_mx_access type:table
7469 Search the specified access(5) database for the MX hosts for the
7470 unverified reverse client hostname, and execute the correspond‐
7471 ing action. Note: a result of "OK" is not allowed for safety
7472 reasons. Instead, use DUNNO in order to exclude specific hosts
7473 from blacklists. This feature is available in Postfix 2.7 and
7474 later.
7475
7476 check_reverse_client_hostname_ns_access type:table
7477 Search the specified access(5) database for the DNS servers for
7478 the unverified reverse client hostname, and execute the corre‐
7479 sponding action. Note: a result of "OK" is not allowed for
7480 safety reasons. Instead, use DUNNO in order to exclude specific
7481 hosts from blacklists. This feature is available in Postfix 2.7
7482 and later.
7483
7484 permit_inet_interfaces
7485 Permit the request when the client IP address matches
7486 $inet_interfaces.
7487
7488 permit_mynetworks
7489 Permit the request when the client IP address matches any net‐
7490 work or network address listed in $mynetworks.
7491
7492 permit_sasl_authenticated
7493 Permit the request when the client is successfully authenticated
7494 via the RFC 4954 (AUTH) protocol.
7495
7496 permit_tls_all_clientcerts
7497 Permit the request when the remote SMTP client certificate is
7498 verified successfully. This option must be used only if a spe‐
7499 cial CA issues the certificates and only this CA is listed as
7500 trusted CA. Otherwise, clients with a third-party certificate
7501 would also be allowed to relay. Specify "tls_append_default_CA
7502 = no" when the trusted CA is specified with smtpd_tls_CAfile or
7503 smtpd_tls_CApath, to prevent Postfix from appending the system-
7504 supplied default CAs. This feature is available with Postfix
7505 version 2.2.
7506
7507 permit_tls_clientcerts
7508 Permit the request when the remote SMTP client certificate fin‐
7509 gerprint or public key fingerprint (Postfix 2.9 and later) is
7510 listed in $relay_clientcerts. The fingerprint digest algorithm
7511 is configurable via the smtpd_tls_fingerprint_digest parameter
7512 (hard-coded as md5 prior to Postfix version 2.5). This feature
7513 is available with Postfix version 2.2.
7514
7515 reject_rbl_client rbl_domain=d.d.d.d
7516 Reject the request when the reversed client network address is
7517 listed with the A record "d.d.d.d" under rbl_domain (Postfix
7518 version 2.1 and later only). Each "d" is a number, or a pattern
7519 inside "[]" that contains one or more ";"-separated numbers or
7520 number..number ranges (Postfix version 2.8 and later). If no
7521 "=d.d.d.d" is specified, reject the request when the reversed
7522 client network address is listed with any A record under
7523 rbl_domain.
7524 The maps_rbl_reject_code parameter specifies the response code
7525 for rejected requests (default: 554), the default_rbl_reply
7526 parameter specifies the default server reply, and the
7527 rbl_reply_maps parameter specifies tables with server replies
7528 indexed by rbl_domain. This feature is available in Postfix 2.0
7529 and later.
7530
7531 permit_dnswl_client dnswl_domain=d.d.d.d
7532 Accept the request when the reversed client network address is
7533 listed with the A record "d.d.d.d" under dnswl_domain. Each "d"
7534 is a number, or a pattern inside "[]" that contains one or more
7535 ";"-separated numbers or number..number ranges. If no
7536 "=d.d.d.d" is specified, accept the request when the reversed
7537 client network address is listed with any A record under
7538 dnswl_domain.
7539 For safety, permit_dnswl_client is silently ignored when it
7540 would override reject_unauth_destination. The result is
7541 DEFER_IF_REJECT when whitelist lookup fails. This feature is
7542 available in Postfix 2.8 and later.
7543
7544 reject_rhsbl_client rbl_domain=d.d.d.d
7545 Reject the request when the client hostname is listed with the A
7546 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
7547 only). Each "d" is a number, or a pattern inside "[]" that con‐
7548 tains one or more ";"-separated numbers or number..number ranges
7549 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
7550 reject the request when the client hostname is listed with any A
7551 record under rbl_domain. See the reject_rbl_client description
7552 above for additional RBL related configuration parameters. This
7553 feature is available in Postfix 2.0 and later; with Postfix ver‐
7554 sion 2.8 and later, reject_rhsbl_reverse_client will usually
7555 produce better results.
7556
7557 permit_rhswl_client rhswl_domain=d.d.d.d
7558 Accept the request when the client hostname is listed with the A
7559 record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a
7560 pattern inside "[]" that contains one or more ";"-separated num‐
7561 bers or number..number ranges. If no "=d.d.d.d" is specified,
7562 accept the request when the client hostname is listed with any A
7563 record under rhswl_domain.
7564 Caution: client name whitelisting is fragile, since the client
7565 name lookup can fail due to temporary outages. Client name
7566 whitelisting should be used only to reduce false positives in
7567 e.g. DNS-based blocklists, and not for making access rule
7568 exceptions.
7569 For safety, permit_rhswl_client is silently ignored when it
7570 would override reject_unauth_destination. The result is
7571 DEFER_IF_REJECT when whitelist lookup fails. This feature is
7572 available in Postfix 2.8 and later.
7573
7574 reject_rhsbl_reverse_client rbl_domain=d.d.d.d
7575 Reject the request when the unverified reverse client hostname
7576 is listed with the A record "d.d.d.d" under rbl_domain. Each
7577 "d" is a number, or a pattern inside "[]" that contains one or
7578 more ";"-separated numbers or number..number ranges. If no
7579 "=d.d.d.d" is specified, reject the request when the unverified
7580 reverse client hostname is listed with any A record under
7581 rbl_domain. See the reject_rbl_client description above for
7582 additional RBL related configuration parameters. This feature
7583 is available in Postfix 2.8 and later.
7584
7585 reject_unknown_client_hostname (with Postfix < 2.3:
7586 reject_unknown_client)
7587 Reject the request when 1) the client IP address->name mapping
7588 fails, 2) the name->address mapping fails, or 3) the
7589 name->address mapping does not match the client IP address.
7590 This is a stronger restriction than the
7591 reject_unknown_reverse_client_hostname feature, which triggers
7592 only under condition 1) above.
7593 The unknown_client_reject_code parameter specifies the response
7594 code for rejected requests (default: 450). The reply is always
7595 450 in case the address->name or name->address lookup failed due
7596 to a temporary problem.
7597
7598 reject_unknown_reverse_client_hostname
7599 Reject the request when the client IP address has no
7600 address->name mapping.
7601 This is a weaker restriction than the
7602 reject_unknown_client_hostname feature, which requires not only
7603 that the address->name and name->address mappings exist, but
7604 also that the two mappings reproduce the client IP address.
7605 The unknown_client_reject_code parameter specifies the response
7606 code for rejected requests (default: 450). The reply is always
7607 450 in case the address->name lookup failed due to a temporary
7608 problem.
7609 This feature is available in Postfix 2.3 and later.
7610
7611 In addition, you can use any of the following generic restrictions.
7612 These restrictions are applicable in any SMTP command context.
7613
7614 check_policy_service servername
7615 Query the specified policy server. See the SMTPD_POLICY_README
7616 document for details. This feature is available in Postfix 2.1
7617 and later.
7618
7619 defer Defer the request. The client is told to try again later. This
7620 restriction is useful at the end of a restriction list, to make
7621 the default policy explicit.
7622 The defer_code parameter specifies the SMTP server reply code
7623 (default: 450).
7624
7625 defer_if_permit
7626 Defer the request if some later restriction would result in an
7627 explicit or implicit PERMIT action. This is useful when a
7628 blacklisting feature fails due to a temporary problem. This
7629 feature is available in Postfix version 2.1 and later.
7630
7631 defer_if_reject
7632 Defer the request if some later restriction would result in a
7633 REJECT action. This is useful when a whitelisting feature fails
7634 due to a temporary problem. This feature is available in Post‐
7635 fix version 2.1 and later.
7636
7637 permit Permit the request. This restriction is useful at the end of a
7638 restriction list, to make the default policy explicit.
7639
7640 reject_multi_recipient_bounce
7641 Reject the request when the envelope sender is the null address,
7642 and the message has multiple envelope recipients. This usage has
7643 rare but legitimate applications: under certain conditions,
7644 multi-recipient mail that was posted with the DSN option
7645 NOTIFY=NEVER may be forwarded with the null sender address.
7646 Note: this restriction can only work reliably when used in
7647 smtpd_data_restrictions or smtpd_end_of_data_restrictions,
7648 because the total number of recipients is not known at an ear‐
7649 lier stage of the SMTP conversation. Use at the RCPT stage will
7650 only reject the second etc. recipient.
7651 The multi_recipient_bounce_reject_code parameter specifies the
7652 response code for rejected requests (default: 550). This fea‐
7653 ture is available in Postfix 2.1 and later.
7654
7655 reject_plaintext_session
7656 Reject the request when the connection is not encrypted. This
7657 restriction should not be used before the client has had a
7658 chance to negotiate encryption with the AUTH or STARTTLS com‐
7659 mands.
7660 The plaintext_reject_code parameter specifies the response code
7661 for rejected requests (default: 450). This feature is avail‐
7662 able in Postfix 2.3 and later.
7663
7664 reject_unauth_pipelining
7665 Reject the request when the client sends SMTP commands ahead of
7666 time where it is not allowed, or when the client sends SMTP com‐
7667 mands ahead of time without knowing that Postfix actually sup‐
7668 ports ESMTP command pipelining. This stops mail from bulk mail
7669 software that improperly uses ESMTP command pipelining in order
7670 to speed up deliveries.
7671 With Postfix 2.6 and later, the SMTP server sets a per-session
7672 flag whenever it detects illegal pipelining, including pipelined
7673 EHLO or HELO commands. The reject_unauth_pipelining feature sim‐
7674 ply tests whether the flag was set at any point in time during
7675 the session.
7676 With older Postfix versions, reject_unauth_pipelining checks the
7677 current status of the input read queue, and its usage is not
7678 recommended in contexts other than smtpd_data_restrictions.
7679
7680 reject Reject the request. This restriction is useful at the end of a
7681 restriction list, to make the default policy explicit. The
7682 reject_code configuration parameter specifies the response code
7683 for rejected requests (default: 554).
7684
7685 sleep seconds
7686 Pause for the specified number of seconds and proceed with the
7687 next restriction in the list, if any. This may stop zombie mail
7688 when used as:
7689 /etc/postfix/main.cf:
7690 smtpd_client_restrictions =
7691 sleep 1, reject_unauth_pipelining
7692 smtpd_delay_reject = no
7693 This feature is available in Postfix 2.3.
7694
7695 warn_if_reject
7696 A safety net for testing. When "warn_if_reject" is placed before
7697 a reject-type restriction, access table query, or
7698 check_policy_service query, this logs a "reject_warning" message instead
7699 of rejecting a request (when a reject-type restriction fails due
7700 to a temporary error, this logs a "reject_warning" message for
7701 any implicit "defer_if_permit" actions that would normally
7702 prevent mail from being accepted by some later access restriction).
7703 This feature has no effect on defer_if_reject restrictions.
7704
7705 Other restrictions that are valid in this context:
7706
7707 · SMTP command specific restrictions that are described under the
7708 smtpd_helo_restrictions, smtpd_sender_restrictions or
7709 smtpd_recipient_restrictions parameters. When helo, sender or
7710 recipient restrictions are listed under
7711 smtpd_client_restrictions, they have effect only with "smtpd_delay_reject = yes", so
7712 that $smtpd_client_restrictions is evaluated at the time of the
7713 RCPT TO command.
7714
7715 Example:
7716
7717 smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
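
An added example, not Postfix's own code: a Python model of how a smtpd_client_restrictions list is evaluated first-match-wins, covering the reject_rbl_client "rbl_domain=d.d.d.d" reply syntax (plain numbers and "[n;n..m]" patterns), permit_mynetworks, reject_unknown_reverse_client_hostname and the warn_if_reject safety net. The DNSBL answers, client addresses and network list are constructed inline; a real server resolves the reversed client address under rbl_domain over DNS.

```python
import ipaddress
import re

# Constructed DNSBL answers standing in for real rbl_domain lookups; the
# zone names and the client addresses (documentation ranges) are made up.
FAKE_DNS = {
    "4.113.0.203.bl.example": ["127.0.0.2"],
    "4.113.0.203.multi.example": ["127.0.0.11"],
}

# Restrictions whose next token is their argument (only a subset is modelled).
ARG_RESTRICTIONS = {"reject_rbl_client", "reject_rhsbl_client", "sleep"}
_OCTET = r"\[[^\]]*\]|\d+"
_REPLY = re.compile(r"(?:%s)(?:\.(?:%s)){3}\Z" % (_OCTET, _OCTET))


def parse_restrictions(value):
    """Split a main.cf restriction list into (name, argument) pairs."""
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    pairs, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if name in ARG_RESTRICTIONS:
            if i + 1 >= len(tokens):
                raise ValueError("%s needs an argument" % name)
            pairs.append((name, tokens[i + 1]))
            i += 2
        else:
            pairs.append((name, None))
            i += 1
    return pairs


def reversed_query_name(client_ip, rbl_domain):
    """DNSBL query name: client octets reversed, then rbl_domain (IPv4 only)."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(ip).split("."))) + "." + rbl_domain


def octet_matches(pattern, value):
    """One 'd' of d.d.d.d: a number, or [n;n..m;...] (Postfix 2.8 syntax)."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for alt in pattern[1:-1].split(";"):
        low, sep, high = alt.partition("..")
        if sep:
            if int(low) <= value <= int(high):
                return True
        elif int(alt) == value:
            return True
    return False


def a_record_matches(reply_pattern, a_record):
    """True when the A record matches 'd.d.d.d'; no pattern matches any record."""
    if reply_pattern is None:
        return True
    if not _REPLY.match(reply_pattern):
        raise ValueError("bad reply pattern %r" % reply_pattern)
    parts = re.findall(_OCTET, reply_pattern)
    octets = [int(o) for o in a_record.split(".")]
    return all(octet_matches(p, v) for p, v in zip(parts, octets))


def rbl_listed(client_ip, argument, dns=FAKE_DNS):
    """reject_rbl_client rbl_domain[=d.d.d.d]: True when the client is listed."""
    rbl_domain, _, reply_pattern = argument.partition("=")
    answers = dns.get(reversed_query_name(client_ip, rbl_domain), [])
    return any(a_record_matches(reply_pattern or None, a) for a in answers)


def evaluate(restriction_list, client_ip, client_hostname, mynetworks,
             dns=FAKE_DNS):
    """Apply the list in order; the first restriction that matches wins.
    Returns (action, matched restriction, warnings). warn_if_reject turns
    the next REJECT into a logged reject_warning and evaluation continues."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in mynetworks]
    warnings, warn_next = [], False
    for name, arg in parse_restrictions(restriction_list):
        if name == "warn_if_reject":
            warn_next = True
            continue
        if name == "permit_mynetworks":
            matched, action = any(ip in n for n in nets), "PERMIT"
        elif name == "reject_rbl_client":
            matched, action = rbl_listed(client_ip, arg, dns), "REJECT"
        elif name == "reject_unknown_reverse_client_hostname":
            matched, action = client_hostname is None, "REJECT"
        elif name in ("permit", "reject"):
            matched, action = True, name.upper()
        else:
            raise ValueError("restriction not modelled here: " + name)
        label = name if arg is None else "%s %s" % (name, arg)
        if matched and warn_next and action == "REJECT":
            warnings.append("reject_warning: " + label)
        elif matched:
            return action, label, warnings
        warn_next = False
    return "DUNNO", None, warnings      # nothing matched: the default permits
```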
7718
7719 smtpd_command_filter
7720 A mechanism to transform commands from remote SMTP clients. This is a
7721 last-resort tool to work around client commands that break inter-oper‐
7722 ability with the Postfix SMTP server. Other uses involve fault injec‐
7723 tion to test Postfix's handling of invalid commands.
7724
7725 Specify the name of a "type:table" lookup table. The search string is
7726 the SMTP command as received from the remote SMTP client, except that
7727 initial whitespace and the trailing <CR><LF> are removed. The result
7728 value is executed by the Postfix SMTP server.
7729
7730 There is no need to use smtpd_command_filter for the following cases:
7731
7732 · Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
7733
7734 · Postfix already accepts the correct form "user@[ipaddress]". Use
7735 virtual_alias_maps or canonical_maps to translate these into
7736 domain names if necessary.
7737
7738 · Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
7739 <user@example.com>>". Postfix will ignore the "User Name" part
7740 and deliver to the <user@example.com> address.
7741
7742 Examples of problems that can be solved with the smtpd_command_filter
7743 feature:
7744
7745 /etc/postfix/main.cf:
7746 smtpd_command_filter = pcre:/etc/postfix/command_filter
7747
7748 /etc/postfix/command_filter:
7749 # Work around clients that send malformed HELO commands.
7750 /^HELO\s*$/ HELO domain.invalid
7751
7752 # Work around clients that send empty lines.
7753 /^\s*$/ NOOP
7754
7755 # Work around clients that send RCPT TO:<'user@domain'>.
7756 # WARNING: do not lose the parameters that follow the address.
7757 /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/ RCPT TO:<$1>$2
7758
7759 # Append XVERP to MAIL FROM commands to request VERP-style delivery.
7760 # See VERP_README for more information on how to use Postfix VERP.
7761 /^(MAIL FROM:<listname@example\.com>.*)/ $1 XVERP
7762
7763 # Bounce-never mail sink. Use notify_classes=bounce,resource,software
7764 # to send bounced mail to the postmaster (with message body removed).
7765 /^(RCPT\s+TO:<.*>.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
7766 /^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER
7767
7768 This feature is available in Postfix 2.7.
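The table above can be exercised without a mail server. The following is an added example (not code from the Postfix manual or the Postfix source) that translates the pcre: rules into Python regular expressions and applies them with the same first-match rule to a few constructed client commands; the function names and the sample commands are assumptions made here, and the POSIX class [^[:space:]] and the $1 capture references of the Postfix table become \S and \1 in Python.

```python
import re

# Constructed translation of the pcre: table in the smtpd_command_filter
# example above into Python regular expressions (illustration code, not
# Postfix's own lookup engine). Differences from the table syntax:
# Postfix writes the POSIX class [^[:space:]] and refers to captures as
# $1; Python's re module uses \S and \1. The table is consulted with
# first-match semantics: the first pattern that matches supplies the
# result and later patterns are not consulted.
COMMAND_FILTER = [
    # Work around clients that send malformed HELO commands.
    (r"^HELO\s*$", r"HELO domain.invalid"),
    # Work around clients that send empty lines.
    (r"^\s*$", r"NOOP"),
    # Work around clients that send RCPT TO:<'user@domain'>.
    # Group 2 keeps the ESMTP parameters that follow the address.
    (r"^RCPT\s+TO:\s*<'(\S+)'>(.*)", r"RCPT TO:<\1>\2"),
    # Append XVERP to MAIL FROM commands for one mailing-list sender.
    (r"^(MAIL FROM:<listname@example\.com>.*)", r"\1 XVERP"),
    # Bounce-never mail sink: force NOTIFY=NEVER on every RCPT TO.
    (r"^(RCPT\s+TO:<.*>.*)\s+NOTIFY=\S+(.*)", r"\1 NOTIFY=NEVER\2"),
    (r"^(RCPT\s+TO:.*)", r"\1 NOTIFY=NEVER"),
]
COMPILED = [(re.compile(p), r) for p, r in COMMAND_FILTER]


def lookup_key(raw_line: bytes) -> str:
    """Derive the search string: the command as received, with initial
    whitespace and the trailing CRLF removed."""
    line = raw_line.decode("ascii", errors="replace")
    if line.endswith("\r\n"):
        line = line[:-2]
    return line.lstrip()


def filter_command(raw_line: bytes) -> str:
    """Return the command the server would execute after filtering."""
    key = lookup_key(raw_line)
    for pattern, replacement in COMPILED:
        match = pattern.search(key)
        if match:
            return match.expand(replacement)
    return key          # no match: the command is executed unchanged


# Constructed sample commands, as a misbehaving client might send them.
SAMPLE_COMMANDS = [
    b"HELO\r\n",
    b"   \r\n",
    b"RCPT TO:<'alice@example.org'> NOTIFY=SUCCESS\r\n",
    b"MAIL FROM:<listname@example.com> SIZE=1024\r\n",
    b"RCPT TO:<bob@example.org> NOTIFY=FAILURE ORCPT=rfc822;bob@example.org\r\n",
    b"RCPT TO:<carol@example.org>\r\n",
    b"DATA\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_COMMANDS:
        print(f"{raw!r:75} -> {filter_command(raw)}")
```

Running the script shows why the WARNING in the table matters: the quoted-address rule keeps "NOTIFY=SUCCESS" through group 2. It also shows a consequence of first-match lookup in this model: the RCPT TO with the quoted address is rewritten by the third rule and therefore never reaches the bounce-never rules, so the order of the rules in one table decides which work-around applies.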

Optional access restrictions that the Postfix SMTP server applies in
the context of the SMTP DATA command. See SMTPD_ACCESS_README, section
"Delayed evaluation of SMTP access restriction lists" for a discussion
of evaluation context and time.

This feature is available in Postfix 2.0 and later.

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first restriction
that matches wins.

The following restrictions are valid in this context:

· Generic restrictions that can be used in any SMTP command context,
described under smtpd_client_restrictions.

· SMTP command specific restrictions described under
smtpd_client_restrictions, smtpd_helo_restrictions,
smtpd_sender_restrictions or smtpd_recipient_restrictions.

· However, no recipient information is available in the case of
multi-recipient mail. Acting on only one recipient would be misleading,
because any decision will affect all recipients
equally. Acting on all recipients would require a possibly very
large amount of memory, and would also be misleading for the
reasons mentioned before.

Examples:

smtpd_data_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_multi_recipient_bounce

Postpone the start of an SMTP mail transaction until a valid RCPT TO
command is received. Specify "no" to create a mail transaction as soon
as the Postfix SMTP server receives a valid MAIL FROM command.

With sites that reject lots of mail, the default setting reduces the
use of disk, CPU and memory resources. The downside is that rejected
recipients are logged with NOQUEUE instead of a mail transaction ID.
This complicates the logfile analysis of multi-recipient mail.

This feature is available in Postfix 2.3 and later.

Wait until the RCPT TO command before evaluating $smtpd_client_restrictions,
$smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
until the ETRN command before evaluating $smtpd_client_restrictions and
$smtpd_helo_restrictions.

This feature is turned on by default because some clients apparently
mis-behave when the Postfix SMTP server rejects commands before RCPT
TO.

The default setting has one major benefit: it allows Postfix to log
recipient address information when rejecting a client name/address or
sender address, so that it is possible to find out whose mail is being
rejected.

Lookup tables, indexed by the remote SMTP client address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix SMTP server will not send in the EHLO response to a
remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
table is not searched by hostname for robustness reasons.

This feature is available in Postfix 2.2 and later.

A case insensitive list of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP server will not send in the EHLO response
to a remote SMTP client.

This feature is available in Postfix 2.2 and later.

Notes:

· Specify the silent-discard pseudo keyword to prevent this action
from being logged.

· Use the smtpd_discard_ehlo_keyword_address_maps feature to discard
EHLO keywords selectively.

Optional access restrictions that the Postfix SMTP server applies in
the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README,
section "Delayed evaluation of SMTP access restriction lists" for a
discussion of evaluation context and time.

This feature is available in Postfix 2.2 and later.

See smtpd_data_restrictions for details and limitations.

Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. According to RFC 2487 this
MUST NOT be applied in case of a publicly-referenced SMTP server. This
option is therefore off by default.

Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

Note 2: when invoked via "sendmail -bs", Postfix will never offer
STARTTLS due to insufficient privileges to access the server private
key. This is intended behavior.

This feature is available in Postfix 2.2 and later. With Postfix 2.3
and later use smtpd_tls_security_level instead.

With Postfix version 2.1 and later: the SMTP server response delay
after a client has made more than $smtpd_soft_error_limit errors, and
fewer than $smtpd_hard_error_limit errors, without delivering mail.

With Postfix version 2.0 and earlier: the SMTP server delay before
sending a reject (4xx or 5xx) response, when the client has made fewer
than $smtpd_soft_error_limit errors without delivering mail.

Optional restrictions that the Postfix SMTP server applies in the context
of a client ETRN command. See SMTPD_ACCESS_README, section
"Delayed evaluation of SMTP access restriction lists" for a discussion
of evaluation context and time.

The Postfix ETRN implementation accepts only destinations that are eligible
for the Postfix "fast flush" service. See the ETRN_README file
for details.

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first restriction
that matches wins.

The following restrictions are specific to the domain name information
received with the ETRN command.

check_etrn_access type:table
Search the specified access database for the ETRN domain name or
its parent domains. See the access(5) manual page for details.

Other restrictions that are valid in this context:

· Generic restrictions that can be used in any SMTP command context,
described under smtpd_client_restrictions.

· SMTP command specific restrictions described under
smtpd_client_restrictions and smtpd_helo_restrictions.

Example:

smtpd_etrn_restrictions = permit_mynetworks, reject

What characters are allowed in $name expansions of RBL reply templates.
Characters not in the allowed set are replaced by "_". Use C like
escapes to specify special characters such as whitespace.

This parameter is not subjected to $parameter expansion.

This feature is available in Postfix 2.0 and later.

List of commands that cause the Postfix SMTP server to immediately terminate
the session with a 221 code. This can be used to disconnect
clients that obviously attempt to abuse the system. In addition to the
commands listed in this parameter, commands that follow the "Label:"
format of message headers will also cause a disconnect.

This feature is available in Postfix 2.2 and later.

The maximal number of errors a remote SMTP client is allowed to make
without delivering mail. The Postfix SMTP server disconnects when the
limit is exceeded. Normally the default limit is 20, but it changes
under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
always allows up to 20 errors by default.

Require that a remote SMTP client introduces itself with the HELO or
EHLO command before sending the MAIL command or other commands that
require EHLO negotiation.

Example:

smtpd_helo_required = yes

Optional restrictions that the Postfix SMTP server applies in the context
of a client HELO command. See SMTPD_ACCESS_README, section
"Delayed evaluation of SMTP access restriction lists" for a discussion
of evaluation context and time.

The default is to permit everything.

Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can simply
skip smtpd_helo_restrictions by not sending HELO or EHLO).

Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first restriction
that matches wins.

The following restrictions are specific to the hostname information
received with the HELO or EHLO command.

check_helo_access type:table
Search the specified access(5) database for the HELO or EHLO
hostname or parent domains, and execute the corresponding
action. Note: specify "smtpd_helo_required = yes" to fully
enforce this restriction (without "smtpd_helo_required = yes", a
client can simply skip check_helo_access by not sending HELO or
EHLO).

check_helo_mx_access type:table
Search the specified access(5) database for the MX hosts for the
HELO or EHLO hostname, and execute the corresponding action.
Note 1: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from
blacklists. Note 2: specify "smtpd_helo_required = yes" to
fully enforce this restriction (without "smtpd_helo_required =
yes", a client can simply skip check_helo_mx_access by not sending
HELO or EHLO). This feature is available in Postfix 2.1 and
later.

check_helo_ns_access type:table
Search the specified access(5) database for the DNS servers for
the HELO or EHLO hostname, and execute the corresponding action.
Note 1: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from
blacklists. Note 2: specify "smtpd_helo_required = yes" to
fully enforce this restriction (without "smtpd_helo_required =
yes", a client can simply skip check_helo_ns_access by not sending
HELO or EHLO). This feature is available in Postfix 2.1 and
later.

reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
Reject the request when the HELO or EHLO hostname is malformed.
Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip reject_invalid_helo_hostname by not sending HELO or
EHLO).
The invalid_hostname_reject_code parameter specifies the response
code for rejected requests (default: 501).

reject_non_fqdn_helo_hostname (with Postfix < 2.3:
reject_non_fqdn_hostname)
Reject the request when the HELO or EHLO hostname is not in
fully-qualified domain form, as required by the RFC. Note: specify
"smtpd_helo_required = yes" to fully enforce this restriction
(without "smtpd_helo_required = yes", a client can simply
skip reject_non_fqdn_helo_hostname by not sending HELO or EHLO).
The non_fqdn_reject_code parameter specifies the response code
for rejected requests (default: 504).

reject_rhsbl_helo rbl_domain=d.d.d.d
Reject the request when the HELO or EHLO hostname is
listed with the A record "d.d.d.d" under rbl_domain (Postfix
version 2.1 and later only). Each "d" is a number, or a pattern
inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"=d.d.d.d" is specified, reject the request when the HELO or
EHLO hostname is listed with any A record under rbl_domain. See
the reject_rbl_client description for additional RBL related
configuration parameters. Note: specify "smtpd_helo_required =
yes" to fully enforce this restriction (without
"smtpd_helo_required = yes", a client can simply skip
reject_rhsbl_helo by not sending HELO or EHLO). This feature is
available in Postfix 2.0 and later.

reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
Reject the request when the HELO or EHLO hostname has no DNS A
or MX record.
The unknown_hostname_reject_code parameter specifies the numerical
response code for rejected requests (default: 450).
The unknown_helo_hostname_tempfail_action parameter specifies
the action after a temporary DNS error (default: defer_if_permit).
Note: specify "smtpd_helo_required = yes" to fully enforce
this restriction (without "smtpd_helo_required = yes", a client
can simply skip reject_unknown_helo_hostname by not sending HELO
or EHLO).

Other restrictions that are valid in this context:

· Generic restrictions that can be used in any SMTP command context,
described under smtpd_client_restrictions.

· Client hostname or network address specific restrictions
described under smtpd_client_restrictions.

· SMTP command specific restrictions described under
smtpd_sender_restrictions or smtpd_recipient_restrictions. When
sender or recipient restrictions are listed under
smtpd_helo_restrictions, they have effect only with
"smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
evaluated at the time of the RCPT TO command.

Examples:

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname

The maximal number of lines in the Postfix SMTP server command history
before it is flushed upon receipt of EHLO, RSET, or end of DATA.

The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
SMTP client can send before the Postfix SMTP server starts to increment
the error counter with each junk command. The junk command count is
reset after mail is delivered. See also the smtpd_error_sleep_time and
smtpd_soft_error_limit configuration parameters. Normally the default
limit is 100, but it changes under overload to just 1. With Postfix 2.5
and earlier, the SMTP server always allows up to 100 junk commands by
default.
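The error-accounting parameters described above (the hard error limit, the error sleep time, the junk command limit, the list of forbidden commands that end the session with a 221 code, and the list of commands answered with "250 Ok") interact within one session. The following is an added example that models that accounting; it is not Postfix's own code. The class and method names are assumptions, the soft error limit's default is not given on this page (10 is a constructed value), and the forbidden and no-op command lists are constructed examples.

```python
import re

# Constructed model of the Postfix SMTP server's per-session error
# accounting described above: the hard error limit (disconnect when
# exceeded), the error sleep time (applied once the soft limit is
# passed), the junk command limit (NOOP, VRFY, ETRN, RSET), the list
# of forbidden commands (immediate 221 disconnect, also for "Label:"
# header-like lines) and the list of commands answered with "250 Ok".
# Illustration code, not Postfix's own implementation: the class and
# method names are assumptions, the soft_error_limit default is not
# stated on this page (10 is a constructed value), and the forbidden
# and noop command lists below are constructed examples.

JUNK_COMMANDS = {"NOOP", "VRFY", "ETRN", "RSET"}
HEADER_LABEL = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")   # "Label:" like a mail header


class SmtpdSession:
    def __init__(self, soft_error_limit=10, hard_error_limit=20,
                 junk_command_limit=100, error_sleep_time=1,
                 forbidden_commands=("CONNECT", "GET", "POST"),
                 noop_commands=("XJUNK",), overload=False):
        # Under overload the hard and junk limits drop to just 1.
        self.soft = soft_error_limit
        self.hard = 1 if overload else hard_error_limit
        self.junk_limit = 1 if overload else junk_command_limit
        self.sleep_time = error_sleep_time
        self.forbidden = {c.upper() for c in forbidden_commands}
        self.noop = {c.upper() for c in noop_commands}
        self.errors = 0        # errors made without delivering mail
        self.junk = 0          # junk commands since the last delivery
        self.connected = True

    def handle(self, line, accepted=True):
        """Account for one client command line. `accepted` says whether
        the server accepted it (a rejected RCPT TO is an error).
        Returns (action, seconds_to_sleep_before_replying)."""
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb in self.forbidden or HEADER_LABEL.match(line):
            self.connected = False
            return "221 forbidden command, session terminated", 0
        if verb in self.noop:
            return "250 Ok", 0          # no syntax check, no state change
        if verb in JUNK_COMMANDS:
            self.junk += 1
            if self.junk > self.junk_limit:
                self.errors += 1        # each further junk command counts
        if not accepted:
            self.errors += 1
        if self.errors > self.hard:
            self.connected = False
            return "421 too many errors, disconnecting", 0
        if self.errors > self.soft:
            return "continue", self.sleep_time
        return "continue", 0

    def mail_delivered(self):
        """Counts are 'without delivering mail': reset after delivery."""
        self.errors = 0
        self.junk = 0


def errors_after_junk(n, overload=False):
    """Error count after n NOOP commands and nothing else."""
    s = SmtpdSession(overload=overload)
    for _ in range(n):
        s.handle("NOOP")
    return s.errors


def outcome_after_rejects(n):
    """(last action, still connected) after n rejected RCPT TO commands."""
    s = SmtpdSession()
    action = ("continue", 0)
    for _ in range(n):
        action = s.handle("RCPT TO:<nobody@example.com>", accepted=False)
    return action, s.connected


def errors_reset_by_delivery():
    """Error count after three rejects followed by a delivered message."""
    s = SmtpdSession()
    for _ in range(3):
        s.handle("RCPT TO:<nobody@example.com>", accepted=False)
    s.mail_delivered()
    return s.errors
```

The helper functions walk the three scenarios the text describes: junk commands are free until the junk limit and then each one counts as an error; once the error count passes the soft limit every reply is delayed by the sleep time, and once it passes the hard limit the session is dropped; delivering a message resets both counts. With overload=True the same session disconnects after the second junk command, which is the behaviour the "changes under overload to just 1" sentences describe.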

Enable logging of the named "permit" actions in SMTP server access
lists (by default, the SMTP server logs "reject" actions but not "permit"
actions). This feature does not affect conditional actions such
as "defer_if_permit".

Specify a list of "permit" action names, "/file/name" or "type:table"
patterns, separated by commas and/or whitespace. The list is matched
left to right, and the search stops on the first match. A "/file/name"
pattern is replaced by its contents; a "type:table" lookup table is
matched when a name matches a lookup key (the lookup result is
ignored). Continue long lines by starting the next line with whitespace.
Specify "!pattern" to exclude a name from the list.

Examples:

/etc/postfix/main.cf:
# Log all "permit" actions.
smtpd_log_access_permit_actions = static:all

/etc/postfix/main.cf:
# Log "permit_dnswl_client" only.
smtpd_log_access_permit_actions = permit_dnswl_client

This feature is available in Postfix 2.10 and later.

A list of Milter (mail filter) applications for new mail that arrives
via the Postfix smtpd(8) server. Specify space or comma as separator.
See the MILTER_README document for details.

This feature is available in Postfix 2.3 and later.

List of commands that the Postfix SMTP server replies to with "250 Ok",
without doing any syntax checks and without changing state. This list
overrides any commands built into the Postfix SMTP server.

The lookup key to be used in SMTP access(5) tables instead of the null
sender address.

Attempt to look up the remote SMTP client hostname, and verify that the
name matches the client IP address. A client name is set to "unknown"
when it cannot be looked up or verified, or when name lookup is disabled.
Turning off name lookup reduces delays due to DNS lookup and
increases the maximal inbound delivery rate.

This feature is available in Postfix 2.3 and later.

Change the behavior of the smtpd_timeout time limit, from a time limit
per read or write system call, to a time limit to send or receive a
complete record (an SMTP command line, SMTP response line, SMTP message
content line, or TLS protocol message). This limits the impact from
hostile peers that trickle data one byte at a time.

Note: when per-record deadlines are enabled, a short timeout may cause
problems with TLS over very slow network connections. The reasons are
that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
and that an entire TLS protocol message must be sent or received within
the per-record deadline.

This feature is available in Postfix 2.9 and later. With older Postfix
releases, the behavior is as if this parameter is set to "no".

The time after which an idle SMTPD policy service connection is closed.

This feature is available in Postfix 2.1 and later.

The time after which an active SMTPD policy service connection is
closed.

This feature is available in Postfix 2.1 and later.

The time limit for connecting to, writing to or receiving from a delegated
SMTPD policy server.

This feature is available in Postfix 2.1 and later.

How the Postfix SMTP server announces itself to the proxy filter. By
default, the Postfix hostname is used.

This feature is available in Postfix 2.1 and later.

The hostname and TCP port of the mail filtering proxy server. The
proxy receives all mail from the Postfix SMTP server, and is supposed
to give the result to another Postfix SMTP server process.

Specify "host:port" or "inet:host:port" for a TCP endpoint, or
"unix:pathname" for a UNIX-domain endpoint. The host can be specified
as an IP address or as a symbolic name; no MX lookups are done. When
no "host" or "host:" are specified, the local machine is assumed.
Pathname interpretation is relative to the Postfix queue directory.

This feature is available in Postfix 2.1 and later.

The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
later.
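The endpoint syntax just described has three forms and two defaults (a missing host means the local machine, a relative pathname is taken relative to the queue directory). The following is an added example of a parser for that syntax, not Postfix's own parser; the function name, the queue directory value and the use of "localhost" as the name of the local machine are assumptions made here.

```python
import os

# Constructed parser for the proxy-filter endpoint syntax described
# above: "host:port", "inet:host:port" or "unix:pathname"; a missing
# host means the local machine; a relative pathname is taken relative
# to the Postfix queue directory. Illustration code, not Postfix's own
# parser; parse_proxy_endpoint(), the default queue directory and the
# "localhost" stand-in for the local machine are assumptions.

def parse_proxy_endpoint(spec, queue_directory="/var/spool/postfix"):
    """Return ("inet", host, port) or ("unix", absolute_path)."""
    spec = spec.strip()
    if spec.startswith("unix:"):
        path = spec[len("unix:"):]
        if not path:
            raise ValueError("unix: endpoint needs a pathname")
        if not os.path.isabs(path):
            # Pathname interpretation is relative to the queue directory.
            path = os.path.join(queue_directory, path)
        return ("unix", os.path.normpath(path))
    if spec.startswith("inet:"):
        spec = spec[len("inet:"):]
    # TCP endpoint: "host:port", ":port" or "port". Splitting on the
    # last ":" keeps bracketed IPv6 literals such as "[::1]" intact.
    host, sep, port = spec.rpartition(":")
    if not sep:
        host, port = "", spec
    if not port.isdigit():
        raise ValueError(f"bad port in proxy endpoint: {spec!r}")
    # No "host" or "host:" given: the local machine is assumed.
    return ("inet", host or "localhost", int(port))
```

A configuration check built on this parser can reject endpoints that name a remote host, since the page's design has the proxy hand mail back to another Postfix SMTP server process and most deployments keep that hop on the local machine.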
8194
8196 List of options that control how the Postfix SMTP server communicates
8197 with a before-queue content filter. Specify zero or more of the follow‐
8198 ing, separated by comma or whitespace.
8199
8200 speed_adjust
8201 Do not connect to a before-queue content filter until an entire
8202 message has been received. This reduces the number of simultane‐
8203 ous before-queue content filter processes.
8204
8205 NOTE 1: A filter must not selectively reject recipients of a multi-
8206 recipient message. Rejecting all recipients is OK, as is accepting all
8207 recipients.
8208
8209 NOTE 2: This feature increases the minimum amount of free queue space
8210 by $message_size_limit. The extra space is needed to save the message
8211 to a temporary file.
8212
8213 This feature is available in Postfix 2.7 and later.
8214
8216 The time limit for connecting to a proxy filter and for sending or
8217 receiving information. When a connection fails the client gets a
8218 generic error message while more detailed information is logged to the
8219 maillog file.
8220
8221 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8222 The default time unit is s (seconds).
8223
8224 This feature is available in Postfix 2.1 and later.
8225
8227 The maximal number of recipients that the Postfix SMTP server accepts
8228 per message delivery request.
8229
8231 The number of recipients that a remote SMTP client can send in excess
8232 of the limit specified with $smtpd_recipient_limit, before the Postfix
8233 SMTP server increments the per-session error count for each excess
8234 recipient.
8235
8237 Optional restrictions that the Postfix SMTP server applies in the con‐
8238 text of a client RCPT TO command, after smtpd_relay_restrictions. See
8239 SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
8240 restriction lists" for a discussion of evaluation context and time.
8241
8242 With Postfix versions before 2.10, the rules for relay permission and
8243 spam blocking were combined under smtpd_recipient_restrictions, result‐
8244 ing in error-prone configuration. As of Postfix 2.10, relay permission
8245 rules are preferably implemented with smtpd_relay_restrictions, so that
8246 a permissive spam blocking policy under smtpd_recipient_restrictions
8247 will no longer result in a permissive mail relay policy.
8248
8249 For backwards compatibility, sites that migrate from Postfix versions
8250 before 2.10 can set smtpd_relay_restrictions to the empty value, and
8251 use smtpd_recipient_restrictions exactly as before.
8252
8253 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
8254 ent_restrictions parameter must specify at least one of the following
8255 restrictions. Otherwise Postfix will refuse to receive mail:
8256
8257 reject, reject_unauth_destination
8258
8259 defer, defer_if_permit, defer_unauth_destination
8260
8261 Specify a list of restrictions, separated by commas and/or whitespace.
8262 Continue long lines by starting the next line with whitespace.
8263 Restrictions are applied in the order as specified; the first restric‐
8264 tion that matches wins.
8265
8266 The following restrictions are specific to the recipient address that
8267 is received with the RCPT TO command.
8268
8269 check_recipient_access type:table
8270 Search the specified access(5) database for the resolved RCPT TO
8271 address, domain, parent domains, or localpart@, and execute the
8272 corresponding action.
8273
8274 check_recipient_mx_access type:table
8275 Search the specified access(5) database for the MX hosts for the
8276 RCPT TO domain, and execute the corresponding action. Note: a
8277 result of "OK" is not allowed for safety reasons. Instead, use
8278 DUNNO in order to exclude specific hosts from blacklists. This
8279 feature is available in Postfix 2.1 and later.
8280
8281 check_recipient_ns_access type:table
8282 Search the specified access(5) database for the DNS servers for
8283 the RCPT TO domain, and execute the corresponding action. Note:
8284 a result of "OK" is not allowed for safety reasons. Instead, use
8285 DUNNO in order to exclude specific hosts from blacklists. This
8286 feature is available in Postfix 2.1 and later.
8287
8288 permit_auth_destination
8289 Permit the request when one of the following is true:
8290
8291 · Postfix is mail forwarder: the resolved RCPT TO domain matches
8292 $relay_domains or a subdomain thereof, and the address contains
8293 no sender-specified routing (user@elsewhere@domain),
8294
8295 · Postfix is the final destination: the resolved RCPT TO domain
8296 matches $mydestination, $inet_interfaces, $proxy_interfaces,
8297 $virtual_alias_domains, or $virtual_mailbox_domains, and the
8298 address contains no sender-specified routing (user@else‐
8299 where@domain).
8300
8301 permit_mx_backup
8302 Permit the request when the local mail system is backup MX for
8303 the RCPT TO domain, or when the domain is an authorized destina‐
8304 tion (see permit_auth_destination for definition).
8305
8306 · Safety: permit_mx_backup does not accept addresses that have
8307 sender-specified routing information (example: user@else‐
8308 where@domain).
8309
8310 · Safety: permit_mx_backup can be vulnerable to mis-use when
8311 access is not restricted with permit_mx_backup_networks.
8312
8313 · Safety: as of Postfix version 2.3, permit_mx_backup no longer
8314 accepts the address when the local mail system is primary MX for
8315 the recipient domain. Exception: permit_mx_backup accepts the
8316 address when it specifies an authorized destination (see per‐
8317 mit_auth_destination for definition).
8318
8319 · Limitation: mail may be rejected in case of a temporary DNS
8320 lookup problem with Postfix prior to version 2.0.
8321
8322 reject_non_fqdn_recipient
8323 Reject the request when the RCPT TO address is not in fully-
8324 qualified domain form, as required by the RFC.
8325 The non_fqdn_reject_code parameter specifies the response code
8326 for rejected requests (default: 504).
8327
8328 reject_rhsbl_recipient rbl_domain=d.d.d.d
8329 Reject the request when the RCPT TO domain is listed with the A
8330 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
8331 only). Each "d" is a number, or a pattern inside "[]" that con‐
8332 tains one or more ";"-separated numbers or number..number ranges
8333 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
8334 reject the request when the RCPT TO domain is listed with any A
8335 record under rbl_domain.
8336 The maps_rbl_reject_code parameter specifies the response code
8337 for rejected requests (default: 554); the default_rbl_reply
8338 parameter specifies the default server reply; and the
8339 rbl_reply_maps parameter specifies tables with server replies
8340 indexed by rbl_domain. This feature is available in Postfix
8341 version 2.0 and later.
8342
8343 reject_unauth_destination
8344 Reject the request unless one of the following is true:
8345
8346 · Postfix is mail forwarder: the resolved RCPT TO domain matches
8347 $relay_domains or a subdomain thereof, and contains no sender-
8348 specified routing (user@elsewhere@domain),
8349
8350 · Postfix is the final destination: the resolved RCPT TO domain
8351 matches $mydestination, $inet_interfaces, $proxy_interfaces,
8352 $virtual_alias_domains, or $virtual_mailbox_domains, and con‐
8353 tains no sender-specified routing (user@elsewhere@domain).
8354 The relay_domains_reject_code parameter specifies the response
8355 code for rejected requests (default: 554).
8356
8357 defer_unauth_destination
8358 Reject the same requests as reject_unauth_destination, with a
8359 non-permanent error code. This feature is available in Postfix
8360 2.10 and later.
8361
8362 reject_unknown_recipient_domain
8363 Reject the request when Postfix is not final destination for the
8364 recipient domain, and the RCPT TO domain has 1) no DNS A or MX
8365 record or 2) a malformed MX record such as a record with a zero-
8366 length MX hostname (Postfix version 2.3 and later).
8367 The unknown_address_reject_code parameter specifies the numeri‐
8368 cal response code for rejected requests (default: 450). The
8369 response is always 450 in case of a temporary DNS error.
8370 The unknown_address_tempfail_action parameter specifies the
8371 action after a temporary DNS error (default: defer_if_permit).
8372
8373 reject_unlisted_recipient (with Postfix version 2.0: check_recipi‐
8374 ent_maps)
8375 Reject the request when the RCPT TO address is not listed in the
8376 list of valid recipients for its domain class. See the
8377 smtpd_reject_unlisted_recipient parameter description for
8378 details. This feature is available in Postfix 2.1 and later.
8379
8380 reject_unverified_recipient
8381 Reject the request when mail to the RCPT TO address is known to
8382 bounce, or when the recipient address destination is not reach‐
8383 able. Address verification information is managed by the ver‐
8384 ify(8) server; see the ADDRESS_VERIFICATION_README file for
8385 details.
8386 The unverified_recipient_reject_code parameter specifies the
8387 numerical response code when an address is known to bounce
8388 (default: 450, change into 550 when you are confident that it is
8389 safe to do so).
8390 The unverified_recipient_defer_code parameter specifies the
8391 numerical response code when an address probe failed due to a
8392 temporary problem (default: 450).
8393 The unverified_recipient_tempfail_action parameter specifies the
8394 action after addres probe failure due to a temporary problem
8395 (default: defer_if_permit).
8396 This feature is available in Postfix 2.1 and later.
8397
8398 Other restrictions that are valid in this context:
8399
8400 · Generic restrictions that can be used in any SMTP command con‐
8401 text, described under smtpd_client_restrictions.
8402
8403 · SMTP command specific restrictions described under
8404 smtpd_client_restrictions, smtpd_helo_restrictions and
8405 smtpd_sender_restrictions.
8406
8407 Example:
8408
8409 # The Postfix before 2.10 default mail relay policy. Later Postfix
8410 # versions implement this preferably with smtpd_relay_restrictions.
8411 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
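The rule repeated for every restriction list on this page ("the first restriction that matches wins"), the warn_if_reject safety net described near the top, and the permit_auth_destination / reject_unauth_destination definitions can be exercised together. The following is an added model of that evaluation, not Postfix's own implementation: Config, Session, RESTRICTIONS and evaluate() are names assumed here, address rewriting (the "resolved" RCPT TO address) is not modeled, $mydestination is matched exactly, and the networks, domains and addresses are constructed documentation values.

```python
import ipaddress

# Constructed model of how the Postfix SMTP server walks a recipient
# restriction list: restrictions run in the order given, the first one
# that returns a verdict wins, and an exhausted list permits. It also
# models the permit_auth_destination / reject_unauth_destination test
# described above. Illustration code, not Postfix's own implementation;
# Config, Session, RESTRICTIONS and evaluate() are assumed names, and
# address rewriting ("resolved" RCPT TO) is not modeled.

class Config:
    def __init__(self, mynetworks, mydestination, relay_domains):
        self.mynetworks = [ipaddress.ip_network(n) for n in mynetworks]
        self.mydestination = {d.lower() for d in mydestination}
        self.relay_domains = [d.lower() for d in relay_domains]

class Session:
    def __init__(self, client_address, recipient):
        self.client_address = ipaddress.ip_address(client_address)
        self.recipient = recipient

def has_sender_routing(addr):
    # user@elsewhere@domain: more than one "@" in the address.
    return addr.count("@") > 1

def recipient_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def is_auth_destination(cfg, addr):
    """Final destination, or $relay_domains (or a subdomain of it),
    and no sender-specified routing."""
    if has_sender_routing(addr):
        return False
    dom = recipient_domain(addr)
    if dom in cfg.mydestination:
        return True
    return any(dom == r or dom.endswith("." + r) for r in cfg.relay_domains)

# Each restriction returns (verdict, reason); verdict is OK, REJECT,
# DEFER, or DUNNO (no opinion, continue with the next restriction).
def permit_mynetworks(cfg, s):
    ok = any(s.client_address in n for n in cfg.mynetworks)
    return ("OK" if ok else "DUNNO", "client in $mynetworks")

def permit_auth_destination(cfg, s):
    ok = is_auth_destination(cfg, s.recipient)
    return ("OK" if ok else "DUNNO", "authorized destination")

def reject_unauth_destination(cfg, s):
    ok = is_auth_destination(cfg, s.recipient)
    return ("DUNNO" if ok else "REJECT", "554 Relay access denied")

RESTRICTIONS = {
    "permit_mynetworks": permit_mynetworks,
    "permit_auth_destination": permit_auth_destination,
    "reject_unauth_destination": reject_unauth_destination,
    "reject": lambda cfg, s: ("REJECT", "554 Access denied"),
    "defer": lambda cfg, s: ("DEFER", "454 Try again later"),
}

# The IMPORTANT note above: at least one of these must appear in
# smtpd_relay_restrictions or smtpd_recipient_restrictions.
REQUIRED = {"reject", "reject_unauth_destination", "defer",
            "defer_if_permit", "defer_unauth_destination"}

def relay_policy_is_safe(relay_restrictions, recipient_restrictions):
    return bool(REQUIRED & (set(relay_restrictions) | set(recipient_restrictions)))

def evaluate(restrictions, cfg, session):
    """Return (verdict, log) for one RCPT TO command."""
    log, warn_next, defer_pending = [], False, False
    for name in restrictions:
        if name == "warn_if_reject":      # applies to the next restriction
            warn_next = True
            continue
        if name == "defer_if_permit":     # a later permit becomes a defer
            defer_pending = True
            continue
        verdict, reason = RESTRICTIONS[name](cfg, session)
        warn, warn_next = warn_next, False
        if verdict == "DUNNO":
            continue
        if verdict == "REJECT" and warn:
            log.append(f"reject_warning: {name}: {reason}")
            continue
        if verdict == "OK" and defer_pending:
            log.append(f"defer_if_permit: {name} would have permitted")
            return "DEFER", log
        log.append(f"{verdict.lower()}: {name}: {reason}")
        return verdict, log
    log.append("end of list: " + ("defer" if defer_pending else "permit"))
    return ("DEFER" if defer_pending else "OK"), log

# Constructed site configuration (documentation addresses and names).
CFG = Config(mynetworks=["127.0.0.0/8", "192.0.2.0/24"],
             mydestination=["example.com"],
             relay_domains=["partner.example"])
POLICY = ["permit_mynetworks", "reject_unauth_destination"]

def verdict(restrictions, client, rcpt):
    return evaluate(restrictions, CFG, Session(client, rcpt))[0]
```

With POLICY, an outside client reaching example.com or a subdomain of partner.example is permitted, a recipient elsewhere or one carrying user@elsewhere@domain routing is rejected, and a client inside $mynetworks is permitted by the first restriction before the relay check is reached. Replacing POLICY with ["permit_mynetworks"] alone makes relay_policy_is_safe() false and lets the exhausted list permit the outside relay attempt, which is the mis-configuration the IMPORTANT note guards against. Putting "warn_if_reject" before reject_unauth_destination keeps the mail flowing while the would-be rejections appear in the log.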
8412
8414 Optional information that is appended after each Postfix SMTP server
8415 4XX or 5XX response.
8416
8417 The following example uses "\c" at the start of the template (supported
8418 in Postfix 2.10 and later) to suppress the line break between the reply
8419 text and the footer text. With earlier Postfix versions, the footer
8420 text always begins on a new line, and the "\c" is output literally.
8421
8422 /etc/postfix/main.cf:
8423 smtpd_reject_footer = \c. For assistance, call 800-555-0101.
8424 Please provide the following information in your problem report:
8425 time ($localtime), client ($client_address) and server
8426 ($server_name).
8427
8428 Server response:
8429
8430 550-5.5.1 <user@example> Recipient address rejected: User
8431 unknown. For assistance, call 800-555-0101. Please provide the
8432 following information in your problem report: time (Jan 4 15:42:00),
8433 client (192.168.1.248) and server (mail1.example.com).
8434
8435 Note: the above text is meant to make it easier to find the Postfix
8436 logfile records for a failed SMTP session. The text itself is not
8437 logged to the Postfix SMTP server's maillog file.
8438
8439 Be sure to keep the text as short as possible. Long text may be trun‐
8440 cated before it is logged to the remote SMTP client's maillog file, or
8441 before it is returned to the sender in a delivery status notification.
8442
8443 This feature supports a limited number of $name attributes in the
8444 footer text. These are replaced by their current value for the SMTP
8445 session:
8446
8447 client_address
8448 The Client IP address that is logged in the maillog file.
8449
8450 client_port
8451 The client TCP port that is logged in the maillog file.
8452
8453 localtime
8454 The server local time (Mmm dd hh:mm:ss) that is logged in the
8455 maillog file.
8456
8457 server_name
8458 The server's myhostname value. This attribute is made available
8459 for sites with multiple MTAs (perhaps behind a load-balancer),
8460 where the server name can help the server support team to
8461 quickly find the right log files.
8462
8463 Notes:
8464
8465 · NOT SUPPORTED are other attributes such as sender, recipient, or
8466 main.cf parameters.
8467
8468 · For safety reasons, text that does not match $smtpd_expan‐
8469 sion_filter is censored.
8470
8471 This feature supports the two-character sequence \n as a request for a
8472 line break in the footer text. Postfix automatically inserts after each
8473 line break the three-digit SMTP reply code (and optional enhanced sta‐
8474 tus code) from the original Postfix reject message.
8475
8476 To work around mail software that mis-handles multi-line replies, spec‐
8477 ify the two-character sequence \c at the start of the template. This
8478 suppresses the line break between the reply text and the footer text
8479 (Postfix 2.10 and later).
8480
8481 This feature is available in Postfix 2.8 and later.
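An added model of the footer expansion described above (example code written for this page, not Postfix's own smtpd code): it expands only the four supported attributes, censors characters outside an assumed printable-ASCII smtpd_expansion_filter by replacing them with "_", honours "\n" and a leading "\c", and repeats the reply code and enhanced status code on every line of the multi-line reply. The session values are constructed, and treating unsupported names such as $sender as empty is an assumption of this model.

```python
import re

# Assumption: Postfix's default smtpd_expansion_filter is printable ASCII plus
# tab and space; characters outside it are censored, modeled here as "_".
EXPANSION_FILTER = frozenset("\t " + "".join(chr(c) for c in range(0x21, 0x7F)))

# The only $name attributes the footer supports, per the parameter description.
SUPPORTED_ATTRIBUTES = frozenset({"client_address", "client_port", "localtime", "server_name"})

_MACRO = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def expand_footer(template, session, censor="_"):
    """Expand the supported $name/${name} attributes, then censor the result.

    Unsupported names (sender, recipient, main.cf parameters) expand to
    nothing here; that treatment is an assumption of this model.
    """
    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in SUPPORTED_ATTRIBUTES:
            return ""
        return str(session.get(name, ""))

    expanded = _MACRO.sub(substitute, template)
    return "".join(ch if ch in EXPANSION_FILTER else censor for ch in expanded)


def build_reply(code, enhanced, reply_text, footer_template, session):
    """Return the reply lines for a 4XX/5XX response with the footer appended.

    "\\n" in the footer requests a line break; the reply code and enhanced
    status are repeated on every line, with "-" after the code on all but the
    last line (multi-line reply syntax). A "\\c" at the start of the template
    suppresses the line break between the reply text and the footer.
    """
    if not footer_template:
        return [f"{code} {enhanced} {reply_text}"]
    if footer_template.startswith("\\c"):
        body = reply_text + expand_footer(footer_template[2:], session)
    else:
        body = reply_text + "\\n" + expand_footer(footer_template, session)
    lines = body.split("\\n")
    last = len(lines) - 1
    return [f"{code}{'-' if i < last else ' '}{enhanced} {line}"
            for i, line in enumerate(lines)]


# Constructed session values, matching the shape of the example above.
SESSION = {
    "client_address": "192.168.1.248",
    "client_port": 54321,
    "localtime": "Jan  4 15:42:00",
    "server_name": "mail1.example.com",
}

if __name__ == "__main__":
    footer = ("\\c. For assistance, call 800-555-0101.\\nPlease quote time ($localtime), "
              "client ($client_address:$client_port) and server ($server_name).")
    for line in build_reply("550", "5.5.1",
                            "<user@example> Recipient address rejected: User unknown",
                            footer, SESSION):
        print(line)
```

Run it as a script to see the two-line reply; the censoring step is what keeps a footer containing control characters or non-ASCII text from reaching the wire unfiltered.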
8482
8483 smtpd_reject_unlisted_recipient (default: yes)
8484 Request that the Postfix SMTP server rejects mail for unknown recipient
8485 addresses, even when no explicit reject_unlisted_recipient access
8486 restriction is specified. This prevents the Postfix queue from filling
8487 up with undeliverable MAILER-DAEMON messages.
8488
8489 An address is always considered "known" when it matches a virtual(5)
8490 alias or a canonical(5) mapping. A recipient address is rejected as unknown when:
8491
8492 · The recipient domain matches $mydestination, $inet_interfaces or
8493 $proxy_interfaces, but the recipient is not listed in
8494 $local_recipient_maps, and $local_recipient_maps is not null.
8495
8496 · The recipient domain matches $virtual_alias_domains but the
8497 recipient is not listed in $virtual_alias_maps.
8498
8499 · The recipient domain matches $virtual_mailbox_domains but the
8500 recipient is not listed in $virtual_mailbox_maps, and $vir‐
8501 tual_mailbox_maps is not null.
8502
8503 · The recipient domain matches $relay_domains but the recipient is
8504 not listed in $relay_recipient_maps, and $relay_recipient_maps
8505 is not null.
8506
8507 This feature is available in Postfix 2.1 and later.
8508
8509 smtpd_reject_unlisted_sender (default: no)
8510 Request that the Postfix SMTP server rejects mail from unknown sender
8511 addresses, even when no explicit reject_unlisted_sender access restric‐
8512 tion is specified. This can slow down an explosion of forged mail from
8513 worms or viruses.
8514
8515 An address is always considered "known" when it matches a virtual(5)
8516 alias or a canonical(5) mapping. A sender address is rejected as unknown when:
8517
8518 · The sender domain matches $mydestination, $inet_interfaces or
8519 $proxy_interfaces, but the sender is not listed in $local_recip‐
8520 ient_maps, and $local_recipient_maps is not null.
8521
8522 · The sender domain matches $virtual_alias_domains but the sender
8523 is not listed in $virtual_alias_maps.
8524
8525 · The sender domain matches $virtual_mailbox_domains but the
8526 sender is not listed in $virtual_mailbox_maps, and $vir‐
8527 tual_mailbox_maps is not null.
8528
8529 · The sender domain matches $relay_domains but the sender is not
8530 listed in $relay_recipient_maps, and $relay_recipient_maps is
8531 not null.
8532
8533 This feature is available in Postfix 2.1 and later.
8534
8535 smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated,
8536 defer_unauth_destination)
8537 Access restrictions for mail relay control that the Postfix SMTP server
8538 applies in the context of the RCPT TO command, before smtpd_recipi‐
8539 ent_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation
8540 of SMTP access restriction lists" for a discussion of evaluation con‐
8541 text and time.
8542
8543 With Postfix versions before 2.10, the rules for relay permission and
8544 spam blocking were combined under smtpd_recipient_restrictions, result‐
8545 ing in error-prone configuration. As of Postfix 2.10, relay permission
8546 rules are preferably implemented with smtpd_relay_restrictions, so that
8547 a permissive spam blocking policy under smtpd_recipient_restrictions
8548 will no longer result in a permissive mail relay policy.
8549
8550 For backwards compatibility, sites that migrate from Postfix versions
8551 before 2.10 can set smtpd_relay_restrictions to the empty value, and
8552 use smtpd_recipient_restrictions exactly as before.
8553
8554 By default, the Postfix SMTP server accepts:
8555
8556 · Mail from clients whose IP address matches $mynetworks, or:
8557
8558 · Mail to remote destinations that match $relay_domains, except
8559 for addresses that contain sender-specified routing (user@else‐
8560 where@domain), or:
8561
8562 · Mail to local destinations that match $inet_interfaces or
8563 $proxy_interfaces, $mydestination, $virtual_alias_domains, or
8564 $virtual_mailbox_domains.
8565
8566 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
8567 ent_restrictions parameter must specify at least one of the following
8568 restrictions. Otherwise Postfix will refuse to receive mail:
8569
8570 reject, reject_unauth_destination
8571
8572 defer, defer_if_permit, defer_unauth_destination
8573
8574 Specify a list of restrictions, separated by commas and/or whitespace.
8575 Continue long lines by starting the next line with whitespace. The
8576 same restrictions are available as documented under smtpd_recipi‐
8577 ent_restrictions.
8578
8579 This feature is available in Postfix 2.10 and later.
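An added model of restriction-list evaluation in RCPT TO context (example code written for this page, not Postfix's smtpd code), covering both the smtpd_recipient_restrictions example above and the relay-policy point of this parameter: a PERMIT ends only the list that produced it, a REJECT in either list is final, and smtpd_relay_restrictions is evaluated first. The networks, domains and client access table are constructed; a whitelist entry that an administrator placed before reject_unauth_destination in the single pre-2.10 list turns into an open relay for that client, while the same entry under the 2.10 layout does not. The sender-specified-routing test and the end-of-list default are simplifications of the real code.

```python
import ipaddress

# Constructed site data for this example (assumptions, not a real configuration).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
MYDESTINATION = {"example.com", "mail1.example.com"}
RELAY_DOMAINS = {"partner.example"}
# A constructed access(5) table added to exempt one client from spam checks;
# "OK" is an unconditional PERMIT.
TABLES = {"hash:/etc/postfix/client_access": {"203.0.113.7": "OK"}}

# Restrictions that the IMPORTANT note above requires in at least one of the
# two lists; otherwise Postfix refuses to receive mail.
RELAY_POLICY_RESTRICTIONS = {"reject", "reject_unauth_destination",
                             "defer", "defer_if_permit", "defer_unauth_destination"}


def authorized_destination(recipient):
    """Final destinations, or relay_domains without sender-specified routing."""
    localpart, _, domain = recipient.rpartition("@")
    domain = domain.lower()
    if domain in MYDESTINATION:
        return True
    return domain in RELAY_DOMAINS and "@" not in localpart


def apply_restriction(restriction, client_ip, recipient, sasl_user):
    """Return PERMIT, REJECT or DUNNO for one restriction in RCPT TO context."""
    name, _, argument = restriction.partition(" ")
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if sasl_user else "DUNNO"
    if name == "reject_unauth_destination":
        return "DUNNO" if authorized_destination(recipient) else "REJECT"
    if name == "check_client_access":
        result = TABLES.get(argument, {}).get(client_ip, "DUNNO")
        return "PERMIT" if result == "OK" else result
    if name in ("permit", "reject"):
        return name.upper()
    raise ValueError(f"restriction not modeled: {restriction}")


def evaluate_list(restrictions, client_ip, recipient, sasl_user):
    """The first restriction that returns a decision wins; an exhausted list is DUNNO."""
    for restriction in restrictions:
        result = apply_restriction(restriction, client_ip, recipient, sasl_user)
        if result != "DUNNO":
            return result
    return "DUNNO"


def rcpt_decision(config, client_ip, recipient, sasl_user=None):
    """smtpd_relay_restrictions runs first; a REJECT from either list is final."""
    for key in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if evaluate_list(config.get(key, []), client_ip, recipient, sasl_user) == "REJECT":
            return "REJECT"
    return "PERMIT"


def has_relay_policy(config):
    """Model of the sanity check: one relay-control restriction must be present."""
    names = {r.split()[0]
             for key in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")
             for r in config.get(key, [])}
    return bool(names & RELAY_POLICY_RESTRICTIONS)


# Pre-2.10 layout: relay control and spam policy share one list, so the client
# whitelist placed before reject_unauth_destination also grants relay access.
PRE_2_10 = {
    "smtpd_relay_restrictions": [],
    "smtpd_recipient_restrictions": [
        "permit_mynetworks",
        "check_client_access hash:/etc/postfix/client_access",
        "reject_unauth_destination",
    ],
}
# 2.10+ layout: the relay decision is made before the spam policy is consulted.
POST_2_10 = {
    "smtpd_relay_restrictions": [
        "permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
    ],
    "smtpd_recipient_restrictions": PRE_2_10["smtpd_recipient_restrictions"],
}

if __name__ == "__main__":
    for label, config in (("pre-2.10", PRE_2_10), ("2.10+", POST_2_10)):
        print(label, rcpt_decision(config, "203.0.113.7", "someone@victim.example"))
```

The script prints PERMIT for the pre-2.10 layout and REJECT for the 2.10 layout on the same whitelisted client sending to a foreign domain; authenticated clients and $mynetworks clients still relay under both.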
8580
8581 smtpd_restriction_classes (default: empty)
8582 User-defined aliases for groups of access restrictions. The aliases can
8583 be specified in smtpd_recipient_restrictions etc., and on the right-
8584 hand side of a Postfix access(5) table.
8585
8586 One major application is for implementing per-recipient UCE control.
8587 See the RESTRICTION_CLASS_README document for other examples.
8588
8589 smtpd_sasl_application_name (default: smtpd)
8590 The application name that the Postfix SMTP server uses for SASL server
8591 initialization. This controls the name of the SASL configuration file.
8592 The default value is smtpd, corresponding to a SASL configuration file
8593 named smtpd.conf.
8594
8595 This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
8596 was renamed to smtpd_sasl_path.
8597
8598 smtpd_sasl_auth_enable (default: no)
8599 Enable SASL authentication in the Postfix SMTP server. By default, the
8600 Postfix SMTP server does not use authentication.
8601
8602 If a remote SMTP client is authenticated, the permit_sasl_authenticated
8603 access restriction can be used to permit relay access, like this:
8604
8605 # With Postfix 2.10 and later, the mail relay policy is
8606 # preferably specified under smtpd_relay_restrictions.
8607 smtpd_relay_restrictions =
8608 permit_mynetworks, permit_sasl_authenticated, ...
8609
8610 # With Postfix before 2.10, the relay policy can be
8611 # specified only under smtpd_recipient_restrictions.
8612 smtpd_recipient_restrictions =
8613 permit_mynetworks, permit_sasl_authenticated, ...
8614
8615 To reject all SMTP connections from unauthenticated clients, specify
8616 "smtpd_delay_reject = yes" (which is the default) and use:
8617
8618 smtpd_client_restrictions = permit_sasl_authenticated, reject
8619
8620 See the SASL_README file for SASL configuration and operation details.
8621
8622 smtpd_sasl_authenticated_header (default: no)
8623 Report the SASL authenticated user name in the smtpd(8) Received message
8624 header.
8625
8626 This feature is available in Postfix 2.3 and later.
8627
8628 smtpd_sasl_exceptions_networks (default: empty)
8629 What remote SMTP clients the Postfix SMTP server will not offer AUTH
8630 support to.
8631
8632 Some clients (Netscape 4 at least) have a bug that causes them to
8633 require a login and password whenever AUTH is offered, whether it's
8634 necessary or not. To work around this, specify, for example, $mynet‐
8635 works to prevent Postfix from offering AUTH to local clients.
8636
8637 Specify a list of network/netmask patterns, separated by commas and/or
8638 whitespace. The mask specifies the number of bits in the network part
8639 of a host address. You can also specify "/file/name" or "type:table" patterns.
8640 A "/file/name" pattern is replaced by its contents; a "type:table"
8641 lookup table is matched when a table entry matches a lookup string (the
8642 lookup result is ignored). Continue long lines by starting the next
8643 line with whitespace. Specify "!pattern" to exclude an address or net‐
8644 work block from the list. The form "!/file/name" is supported only in
8645 Postfix version 2.4 and later.
8646
8647 Note: IP version 6 address information must be specified inside [] in
8648 the smtpd_sasl_exceptions_networks value, and in files specified with
8649 "/file/name". IP version 6 addresses contain the ":" character, and
8650 would otherwise be confused with a "type:table" pattern.
8651
8652 Example:
8653
8654 smtpd_sasl_exceptions_networks = $mynetworks
8655
8656 This feature is available in Postfix 2.1 and later.
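An added matcher for the pattern syntax described above (example code written for this page, not Postfix's own match_list code): it parses a comma/whitespace separated list, applies "!pattern" exclusions with first-match semantics, requires IPv6 patterns to be written inside [] so that the ":" is not taken for a "type:table" lookup, and derives the decision whether AUTH is offered. The "/file/name" and "type:table" forms and "$mynetworks" expansion are not modeled; the sample list is constructed.

```python
import ipaddress


def parse_network_list(value):
    """Parse an smtpd_sasl_exceptions_networks-style list into (negated, network) pairs.

    Patterns are separated by commas and/or whitespace, "!pattern" excludes,
    and an IPv6 pattern must be written inside [] (with any /prefix after the
    closing bracket) so that its ":" is not mistaken for a "type:table" lookup.
    "/file/name" and "type:table" patterns are not modeled here.
    """
    patterns = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        if negated:
            token = token[1:]
        if token.startswith("["):
            address, _, prefix = token[1:].partition("]")
            token = address + prefix
        elif ":" in token:
            # Postfix would treat this as a "type:table" pattern, not an address.
            raise ValueError(f"bare IPv6 must be enclosed in [] (type:table not modeled): {token}")
        patterns.append((negated, ipaddress.ip_network(token, strict=False)))
    return patterns


def matches(patterns, client_ip):
    """First matching pattern decides; a negated match means 'not in the list'."""
    ip = ipaddress.ip_address(client_ip)
    for negated, network in patterns:
        if ip.version == network.version and ip in network:
            return not negated
    return False


def offer_auth(exceptions, client_ip):
    """True when the server should announce AUTH to this client."""
    return not matches(exceptions, client_ip)


if __name__ == "__main__":
    # Constructed list: one host in the LAN is excluded before the LAN block.
    exceptions = parse_network_list("!192.168.1.99 192.168.1.0/24, [2001:db8::]/32 127.0.0.0/8")
    for ip in ("192.168.1.10", "192.168.1.99", "2001:db8:1::5", "10.0.0.1"):
        print(ip, "offer AUTH:", offer_auth(exceptions, ip))
```

Note that the order matters: "!192.168.1.99" placed after "192.168.1.0/24" would never be reached, because the /24 already matched.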
8657
8658 smtpd_sasl_local_domain (default: empty)
8659 The name of the Postfix SMTP server's local SASL authentication realm.
8660
8661 By default, the local authentication realm name is the null string.
8662
8663 Examples:
8664
8665 smtpd_sasl_local_domain = $mydomain
8666 smtpd_sasl_local_domain = $myhostname
8667
8668 smtpd_sasl_path (default: smtpd)
8669 Implementation-specific information that the Postfix SMTP server passes
8670 through to the SASL plug-in implementation that is selected with
8671 smtpd_sasl_type. Typically this specifies the name of a configuration
8672 file or rendezvous point.
8673
8674 This feature is available in Postfix 2.3 and later. In earlier releases
8675 it was called smtpd_sasl_application_name.
8676
8677 smtpd_sasl_security_options (default: noanonymous)
8678 Postfix SMTP server SASL security options; as of Postfix 2.3 the list
8679 of available features depends on the SASL server implementation that is
8680 selected with smtpd_sasl_type.
8681
8682 The following security features are defined for the cyrus server SASL
8683 implementation:
8684
8685 Restrict what authentication mechanisms the Postfix SMTP server will
8686 offer to the client. The list of available authentication mechanisms
8687 is system dependent.
8688
8689 Specify zero or more of the following:
8690
8691 noplaintext
8692 Disallow methods that use plaintext passwords.
8693
8694 noactive
8695 Disallow methods subject to active (non-dictionary) attack.
8696
8697 nodictionary
8698 Disallow methods subject to passive (dictionary) attack.
8699
8700 noanonymous
8701 Disallow methods that allow anonymous authentication.
8702
8703 forward_secrecy
8704 Only allow methods that support forward secrecy (Dovecot only).
8705
8706 mutual_auth
8707 Only allow methods that provide mutual authentication (not
8708 available with Cyrus SASL version 1).
8709
8710 By default, the Postfix SMTP server accepts plaintext passwords but not
8711 anonymous logins.
8712
8713 Warning: it appears that clients try authentication methods in the
8714 order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
8715 which means that if you disable plaintext passwords, clients will log
8716 in anonymously, even when they should be able to use CRAM-MD5. So, if
8717 you disable plaintext logins, disable anonymous logins too. Postfix
8718 treats anonymous login as no authentication.
8719
8720 Example:
8721
8722 smtpd_sasl_security_options = noanonymous, noplaintext
8723
8724 smtpd_sasl_tls_security_options (default: $smtpd_sasl_security_options)
8725 The SASL authentication security options that the Postfix SMTP server
8726 uses for TLS encrypted SMTP sessions.
8727
8728 This feature is available in Postfix 2.2 and later.
8729
8730 smtpd_sasl_type (default: cyrus)
8731 The SASL plug-in type that the Postfix SMTP server should use for
8732 authentication. The available types are listed with the "postconf -a"
8733 command.
8734
8735 This feature is available in Postfix 2.3 and later.
8736
8737 smtpd_sender_login_maps (default: empty)
8738 Optional lookup table with the SASL login names that own sender (MAIL
8739 FROM) addresses.
8740
8741 Specify zero or more "type:table" lookup tables. With lookups from
8742 indexed files such as DB or DBM, or from networked tables such as NIS,
8743 LDAP or SQL, the following search operations are done with a sender
8744 address of user@domain:
8745
8746 1) user@domain
8747 This table lookup is always done and has the highest precedence.
8748
8749 2) user
8750 This table lookup is done only when the domain part of the
8751 sender address matches $myorigin, $mydestination, $inet_inter‐
8752 faces or $proxy_interfaces.
8753
8754 3) @domain
8755 This table lookup is done last and has the lowest precedence.
8756
8757 In all cases the result of table lookup must be either "not found" or a
8758 list of SASL login names separated by comma and/or whitespace.
8759
8760 smtpd_sender_restrictions (default: empty)
8761 Optional restrictions that the Postfix SMTP server applies in the context
8762 of a client MAIL FROM command. See SMTPD_ACCESS_README, section
8763 "Delayed evaluation of SMTP access restriction lists" for a discussion
8764 of evaluation context and time.
8765
8766 The default is to permit everything.
8767
8768 Specify a list of restrictions, separated by commas and/or whitespace.
8769 Continue long lines by starting the next line with whitespace.
8770 Restrictions are applied in the order as specified; the first restric‐
8771 tion that matches wins.
8772
8773 The following restrictions are specific to the sender address received
8774 with the MAIL FROM command.
8775
8776 check_sender_access type:table
8777 Search the specified access(5) database for the MAIL FROM
8778 address, domain, parent domains, or localpart@, and execute the
8779 corresponding action.
8780
8781 check_sender_mx_access type:table
8782 Search the specified access(5) database for the MX hosts for the
8783 MAIL FROM address, and execute the corresponding action. Note:
8784 a result of "OK" is not allowed for safety reasons. Instead, use
8785 DUNNO in order to exclude specific hosts from blacklists. This
8786 feature is available in Postfix 2.1 and later.
8787
8788 check_sender_ns_access type:table
8789 Search the specified access(5) database for the DNS servers for
8790 the MAIL FROM address, and execute the corresponding action.
8791 Note: a result of "OK" is not allowed for safety reasons.
8792 Instead, use DUNNO in order to exclude specific hosts from
8793 blacklists. This feature is available in Postfix 2.1 and later.
8794
8795 reject_authenticated_sender_login_mismatch
8796 Enforces the reject_sender_login_mismatch restriction for
8797 authenticated clients only. This feature is available in Postfix
8798 version 2.1 and later.
8799
8800 reject_non_fqdn_sender
8801 Reject the request when the MAIL FROM address is not in fully-
8802 qualified domain form, as required by the RFC.
8803 The non_fqdn_reject_code parameter specifies the response code
8804 for rejected requests (default: 504).
8805
8806 reject_rhsbl_sender rbl_domain=d.d.d.d
8807 Reject the request when the MAIL FROM domain is listed with the
8808 A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
8809 later only). Each "d" is a number, or a pattern inside "[]"
8810 that contains one or more ";"-separated numbers or number..num‐
8811 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
8812 specified, reject the request when the MAIL FROM domain is
8813 listed with any A record under rbl_domain.
8814 The maps_rbl_reject_code parameter specifies the response code
8815 for rejected requests (default: 554); the default_rbl_reply
8816 parameter specifies the default server reply; and the
8817 rbl_reply_maps parameter specifies tables with server replies
8818 indexed by rbl_domain. This feature is available in Postfix 2.0
8819 and later.
8820
8821 reject_sender_login_mismatch
8822 Reject the request when $smtpd_sender_login_maps specifies an
8823 owner for the MAIL FROM address, but the client is not (SASL)
8824 logged in as that MAIL FROM address owner; or when the client is
8825 (SASL) logged in, but the client login name doesn't own the MAIL
8826 FROM address according to $smtpd_sender_login_maps.
8827
8828 reject_unauthenticated_sender_login_mismatch
8829 Enforces the reject_sender_login_mismatch restriction for unau‐
8830 thenticated clients only. This feature is available in Postfix
8831 version 2.1 and later.
8832
8833 reject_unknown_sender_domain
8834 Reject the request when Postfix is not final destination for the
8835 sender address, and the MAIL FROM domain has 1) no DNS A or MX
8836 record, or 2) a malformed MX record such as a record with a
8837 zero-length MX hostname (Postfix version 2.3 and later).
8838 The unknown_address_reject_code parameter specifies the numeri‐
8839 cal response code for rejected requests (default: 450). The
8840 response is always 450 in case of a temporary DNS error.
8841 The unknown_address_tempfail_action parameter specifies the
8842 action after a temporary DNS error (default: defer_if_permit).
8843
8844 reject_unlisted_sender
8845 Reject the request when the MAIL FROM address is not listed in
8846 the list of valid recipients for its domain class. See the
8847 smtpd_reject_unlisted_sender parameter description for details.
8848 This feature is available in Postfix 2.1 and later.
8849
8850 reject_unverified_sender
8851 Reject the request when mail to the MAIL FROM address is known
8852 to bounce, or when the sender address destination is not reach‐
8853 able. Address verification information is managed by the ver‐
8854 ify(8) server; see the ADDRESS_VERIFICATION_README file for
8855 details.
8856 The unverified_sender_reject_code parameter specifies the numer‐
8857 ical response code when an address is known to bounce (default:
8858 450, change into 550 when you are confident that it is safe to
8859 do so).
8860 The unverified_sender_defer_code parameter specifies the numerical
8861 response code when an address probe failed due to a temporary
8862 problem (default: 450).
8863 The unverified_sender_tempfail_action parameter specifies the
8864 action after address probe failure due to a temporary problem
8865 (default: defer_if_permit).
8866 This feature is available in Postfix 2.1 and later.
8867
8868 Other restrictions that are valid in this context:
8869
8870 · Generic restrictions that can be used in any SMTP command con‐
8871 text, described under smtpd_client_restrictions.
8872
8873 · SMTP command specific restrictions described under
8874 smtpd_client_restrictions and smtpd_helo_restrictions.
8875
8876 · SMTP command specific restrictions described under smtpd_recipi‐
8877 ent_restrictions. When recipient restrictions are listed under
8878 smtpd_sender_restrictions, they have effect only with
8879 "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions
8880 is evaluated at the time of the RCPT TO command.
8881
8882 Examples:
8883
8884 smtpd_sender_restrictions = reject_unknown_sender_domain
8885 smtpd_sender_restrictions = reject_unknown_sender_domain,
8886 check_sender_access hash:/etc/postfix/access
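An added implementation of the sender-ownership check described under smtpd_sender_login_maps and the reject_sender_login_mismatch family above (example code written for this page, not Postfix's smtpd code): the lookup follows the documented precedence (user@domain, then the bare user for local domains only, then @domain), and the mismatch test covers both directions the parameter describes, for the plain, authenticated-only and unauthenticated-only variants. The domains and the map contents are constructed.

```python
# Constructed site data (assumptions for this example, not a real configuration).
# Domains that trigger the bare "user" lookup: $myorigin, $mydestination,
# $inet_interfaces and $proxy_interfaces.
LOCAL_DOMAINS = {"example.com", "mail1.example.com"}

# Constructed smtpd_sender_login_maps table: key -> SASL logins that own it,
# separated by comma and/or whitespace.
SENDER_LOGIN_MAP = {
    "ceo@example.com": "ceo, assistant",
    "postmaster": "ops",
    "@marketing.example": "mailer",
}


def lookup_owners(sender):
    """Return the set of owning logins, or None for "not found".

    Search order: 1) user@domain, 2) user (only when the domain is local),
    3) @domain; the first key that exists wins.
    """
    sender = sender.lower()
    localpart, _, domain = sender.rpartition("@")
    keys = [sender]
    if domain in LOCAL_DOMAINS:
        keys.append(localpart)
    keys.append("@" + domain)
    for key in keys:
        if key in SENDER_LOGIN_MAP:
            return set(SENDER_LOGIN_MAP[key].replace(",", " ").split())
    return None


def sender_login_mismatch(sender, sasl_login, scope="all"):
    """True when the MAIL FROM must be rejected.

    scope selects the restriction: "all" (reject_sender_login_mismatch),
    "authenticated" (reject_authenticated_sender_login_mismatch) or
    "unauthenticated" (reject_unauthenticated_sender_login_mismatch).
    """
    if scope == "authenticated" and sasl_login is None:
        return False
    if scope == "unauthenticated" and sasl_login is not None:
        return False
    owners = lookup_owners(sender)
    if sasl_login is None:
        # The address has an owner, but the client is not logged in.
        return owners is not None
    # Logged in, but the login does not own the address. A sender with no
    # table entry has no owner, so an authenticated client may not use it.
    return owners is None or sasl_login.lower() not in owners


if __name__ == "__main__":
    for sender, login in (("ceo@example.com", None), ("ceo@example.com", "assistant"),
                          ("ceo@example.com", "bob"), ("bob@example.com", "alice")):
        print(sender, login, "reject" if sender_login_mismatch(sender, login) else "accept")
```

The last case is the one administrators most often miss: an authenticated user whose login has no entry for the sender is rejected, so every login that submits mail needs an entry in the map (or a "@domain" catch-all) before reject_sender_login_mismatch is enabled.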
8887
8888 smtpd_service_name (default: smtpd)
8889 The internal service that postscreen(8) hands off allowed connections
8890 to. In a future version there may be different classes of SMTP service.
8891
8892 This feature is available in Postfix 2.8.
8893
8894 smtpd_soft_error_limit (default: 10)
8895 The number of errors a remote SMTP client is allowed to make without
8896 delivering mail before the Postfix SMTP server slows down all its
8897 responses.
8898
8899 · With Postfix version 2.1 and later, the Postfix SMTP server
8900 delays all responses by $smtpd_error_sleep_time seconds.
8901
8902 · With Postfix versions 2.0 and earlier, the Postfix SMTP server
8903 delays all responses by (number of errors) seconds.
8904
8905 smtpd_starttls_timeout (default: see "postconf -d" output)
8906 The time limit for Postfix SMTP server write and read operations during
8907 TLS startup and shutdown handshake procedures. The current default
8908 value is stress-dependent. Before Postfix version 2.8, it was fixed at
8909 300s.
8910
8911 This feature is available in Postfix 2.2 and later.
8912
8913 smtpd_timeout (default: normal: 300s, overload: 10s)
8914 The time limit for sending a Postfix SMTP server response and for
8915 receiving a remote SMTP client request. Normally the default limit is
8916 300s, but it changes under overload to just 10s. With Postfix 2.5 and
8917 earlier, the SMTP server always uses a time limit of 300s by default.
8918
8919 Note: if you set SMTP time limits to very large values you may have to
8920 update the global ipc_timeout parameter.
8921
8922 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8923 The default time unit is s (seconds).
8924
8925 smtpd_tls_CAfile (default: empty)
8926 A file containing (PEM format) CA certificates of root CAs trusted to
8927 sign either remote SMTP client certificates or intermediate CA certifi‐
8928 cates. These are loaded into memory before the smtpd(8) server enters
8929 the chroot jail. If the number of trusted roots is large, consider
8930 using smtpd_tls_CApath instead, but note that the latter directory must
8931 be present in the chroot jail if the smtpd(8) server is chrooted. This
8932 file may also be used to augment the server certificate trust chain,
8933 but it is best to include all the required certificates directly in the
8934 server certificate file.
8935
8936 Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY the
8937 system-supplied default certificate authority certificates.
8938
8939 Specify "tls_append_default_CA = no" to prevent Postfix from appending
8940 the system-supplied default CAs and trusting third-party certificates.
8941
8942 By default (see smtpd_tls_ask_ccert), client certificates are not
8943 requested, and smtpd_tls_CAfile should remain empty. If you do make use
8944 of client certificates, the distinguished names (DNs) of the certifi‐
8945 cate authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
8946 client in the client certificate request message. MUAs with multiple
8947 client certificates may use the list of preferred certificate authori‐
8948 ties to select the correct client certificate. You may want to put
8949 your "preferred" CA or CAs in this file, and install other trusted CAs
8950 in $smtpd_tls_CApath.
8951
8952 Example:
8953
8954 smtpd_tls_CAfile = /etc/postfix/CAcert.pem
8955
8956 This feature is available in Postfix 2.2 and later.
8957
8958 smtpd_tls_CApath (default: empty)
8959 A directory containing (PEM format) CA certificates of root CAs trusted
8960 to sign either remote SMTP client certificates or intermediate CA cer‐
8961 tificates. Do not forget to create the necessary "hash" links with, for
8962 example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
8963 smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
8964 inside the chroot jail.
8965
8966 Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to use ONLY
8967 the system-supplied default certificate authority certificates.
8968
8969 Specify "tls_append_default_CA = no" to prevent Postfix from appending
8970 the system-supplied default CAs and trusting third-party certificates.
8971
8972 By default (see smtpd_tls_ask_ccert), client certificates are not
8973 requested, and smtpd_tls_CApath should remain empty. In contrast to
8974 smtpd_tls_CAfile, DNs of certificate authorities installed in
8975 $smtpd_tls_CApath are not included in the client certificate request
8976 message. MUAs with multiple client certificates may use the list of
8977 preferred certificate authorities to select the correct client certifi‐
8978 cate. You may want to put your "preferred" CA or CAs in
8979 $smtpd_tls_CAfile, and install the remaining trusted CAs in
8980 $smtpd_tls_CApath.
8981
8982 Example:
8983
8984 smtpd_tls_CApath = /etc/postfix/certs
8985
8986 This feature is available in Postfix 2.2 and later.
8987
8988 smtpd_tls_always_issue_session_ids (default: yes)
8989 Force the Postfix SMTP server to issue a TLS session id, even when TLS
8990 session caching is turned off (smtpd_tls_session_cache_database is
8991 empty). This behavior is compatible with Postfix < 2.3.
8992
8993 With Postfix 2.3 and later the Postfix SMTP server can disable session
8994 id generation when TLS session caching is turned off. This keeps remote
8995 SMTP clients from caching sessions that almost certainly cannot be re-
8996 used.
8997
8998 By default, the Postfix SMTP server always generates TLS session ids.
8999 This works around a known defect in mail client applications such as MS
9000 Outlook, and may also prevent interoperability issues with other MTAs.
9001
9002 Example:
9003
9004 smtpd_tls_always_issue_session_ids = no
9005
9006 This feature is available in Postfix 2.3 and later.
9007
9008 smtpd_tls_ask_ccert (default: no)
9009 Ask a remote SMTP client for a client certificate. This information is
9010 needed for certificate based mail relaying with, for example, the per‐
9011 mit_tls_clientcerts feature.
9012
9013 Some clients such as Netscape will either complain if no certificate is
9014 available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
9015 tiple client certificates to choose from. This may be annoying, so this
9016 option is "off" by default.
9017
9018 This feature is available in Postfix 2.2 and later.
9019
9020 smtpd_tls_auth_only (default: no)
9021 When TLS encryption is optional in the Postfix SMTP server, do not
9022 announce or accept SASL authentication over unencrypted connections.
9023
9024 This feature is available in Postfix 2.2 and later.
9025
9026 smtpd_tls_ccert_verifydepth (default: 9)
9027 The verification depth for remote SMTP client certificates. A depth of
9028 1 is sufficient if the issuing CA is listed in a local CA file.
9029
9030 The default verification depth is 9 (the OpenSSL default) for compati‐
9031 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
9032 value was 5, but the limit was not actually enforced. If you have set
9033 this to a lower non-default value, certificates with longer trust
9034 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
9035 common, deeper chains are more rare and any number between 5 and 9
9036 should suffice in practice. You can choose a lower number if, for exam‐
9037 ple, you trust certificates directly signed by an issuing CA but not
9038 any CAs it delegates to.
9039
9040 This feature is available in Postfix 2.2 and later.
9041
9042 smtpd_tls_cert_file (default: empty)
9043 File with the Postfix SMTP server RSA certificate in PEM format. This
9044 file may also contain the Postfix SMTP server private RSA key.
9045
9046 Public Internet MX hosts without certificates signed by a "reputable"
9047 CA must generate, and be prepared to present to most clients, a self-
9048 signed or private-CA signed certificate. The client will not be able to
9049 authenticate the server, but unless it is running Postfix 2.3 or simi‐
9050 lar software, it will still insist on a server certificate.
9051
9052 For servers that are not public Internet MX hosts, Postfix 2.3 supports
9053 configurations with no certificates. This entails the use of just the
9054 anonymous TLS ciphers, which are not supported by typical SMTP clients.
9055 Since such clients will not, as a rule, fall back to plain text after a
9056 TLS handshake failure, the server will be unable to receive email from
9057 TLS enabled clients. To avoid accidental configurations with no cer‐
9058 tificates, Postfix 2.3 enables certificate-less operation only when the
9059 administrator explicitly sets "smtpd_tls_cert_file = none". This
9060 ensures that new Postfix configurations will not accidentally run with
9061 no certificates.
9062
9063 Both RSA and DSA certificates are supported. When both types are
9064 present, the cipher used determines which certificate will be presented
9065 to the client. For Netscape and OpenSSL clients without special cipher
9066 choices the RSA certificate is preferred.
9067
9068 To enable a remote SMTP client to verify the Postfix SMTP server cer‐
9069 tificate, the issuing CA certificates must be made available to the
9070 client. You should include the required certificates in the server cer‐
9071 tificate file, the server certificate first, then the issuing CA(s)
9072 (bottom-up order).
9073
9074 Example: the certificate for "server.example.com" was issued by "inter‐
9075 mediate CA" which itself has a certificate of "root CA". Create the
9076 server.pem file with "cat server_cert.pem intermediate_CA.pem
9077 root_CA.pem > server.pem".
9078
9079 If you also want to verify client certificates issued by these CAs, you
9080 can add the CA certificates to the smtpd_tls_CAfile, in which case it
9081 is not necessary to have them in the smtpd_tls_cert_file or
9082 smtpd_tls_dcert_file.
9083
9084 A certificate supplied here must be usable as an SSL server certificate
9085 and hence pass the "openssl verify -purpose sslserver ..." test.
9086
9087 Example:
9088
9089 smtpd_tls_cert_file = /etc/postfix/server.pem
9090
9091 This feature is available in Postfix 2.2 and later.
9092
9093 smtpd_tls_cipherlist (default: empty)
9094 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
9095 list. It is easy to create inter-operability problems by choosing a
9096 non-default cipher list. Do not use a non-default TLS cipherlist for MX
9097 hosts on the public Internet. Clients that begin the TLS handshake, but
9098 are unable to agree on a common cipher, may not be able to send any
9099 email to the SMTP server. Using a restricted cipher list may be more
9100 appropriate for a dedicated MSA or an internal mailhub, where one can
9101 exert some control over the TLS software and settings of the connecting
9102 clients.
9103
9104 Note: do not use "" quotes around the parameter value.
9105
9106 This feature is available with Postfix version 2.2. It is not used with
9107 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
9108
9109 smtpd_tls_ciphers (default: export)
9110 The minimum TLS cipher grade that the Postfix SMTP server will use with
9111 opportunistic TLS encryption. Cipher types listed in
9112 smtpd_tls_exclude_ciphers are excluded from the base definition of the
9113 selected cipher grade. The default value "export" ensures maximum
9114 inter-operability. Because encryption is optional, stronger controls
9115 are not appropriate, and this setting SHOULD NOT be changed unless the
9116 change is essential.
9117
9118 When TLS is mandatory the cipher grade is chosen via the
9119 smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
9120 tax details.
9121
9122 Example:
9123 smtpd_tls_ciphers = export
9124
9125 This feature is available in Postfix 2.6 and later. With earlier Post‐
9126 fix releases only the smtpd_tls_mandatory_ciphers parameter is imple‐
9127 mented, and opportunistic TLS always uses "export" or better (i.e. all)
9128 ciphers.
9129
9130 smtpd_tls_dcert_file (default: empty)
9131 File with the Postfix SMTP server DSA certificate in PEM format. This
9132 file may also contain the Postfix SMTP server private DSA key.
9133
9134 See the discussion under smtpd_tls_cert_file for more details.
9135
9136 Example:
9137
9138 smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
9139
9140 This feature is available in Postfix 2.2 and later.
9141
9142 smtpd_tls_dh1024_param_file (default: empty)
9143 File with DH parameters that the Postfix SMTP server should use with
9144 EDH ciphers.
9145
9146 Instead of using the exact same parameter sets as distributed with
9147 other TLS packages, it is more secure to generate your own set of
9148 parameters with something like the following command (the "openssl gendh"
     subcommand shown in older documentation has been removed from OpenSSL;
     "dhparam" is its replacement):
9149 
9150 openssl dhparam -out /etc/postfix/dh_1024.pem -2 1024
9151 
9152 Despite the parameter name, the file may hold larger parameters; 1024-bit
     DH is no longer considered adequate, so generate at least 2048-bit
     parameters and point this parameter at that file. Your actual source for
     entropy may differ. Some systems have /dev/random; on other systems you
9153 may consider using the "Entropy Gathering Daemon EGD", available at
9154 http://egd.sourceforge.net/
9155
9156 Example:
9157
9158 smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
9159
9160 This feature is available with Postfix version 2.2.
9161
9162 smtpd_tls_dh512_param_file (default: empty)
9163 File with DH parameters that the Postfix SMTP server should use with
9164 EDH ciphers.
9165
9166 See also the discussion under the smtpd_tls_dh1024_param_file configu‐
9167 ration parameter.
9168
9169 Example:
9170
9171 smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
9172
9173 This feature is available with Postfix version 2.2.
9174
9175 smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)
9176 File with the Postfix SMTP server DSA private key in PEM format. This
9177 file may be combined with the Postfix SMTP server DSA certificate file
9178 specified with $smtpd_tls_dcert_file.
9179
9180 The private key must be accessible without a pass-phrase, i.e. it must
9181 not be encrypted. File permissions should grant read-only access to the
9182 system superuser account ("root"), and no access to anyone else.
9183
9184 This feature is available in Postfix 2.2 and later.
9185
9187 File with the Postfix SMTP server ECDSA certificate in PEM format.
9188 This file may also contain the Postfix SMTP server private ECDSA key.
9189
9190 See the discussion under smtpd_tls_cert_file for more details.
9191
9192 Example:
9193
9194 smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
9195
9196 This feature is available in Postfix 2.6 and later, when Postfix is
9197 compiled and linked with OpenSSL 1.0.0 or later.
9198
9200 File with the Postfix SMTP server ECDSA private key in PEM format.
9201 This file may be combined with the Postfix SMTP server ECDSA certifi‐
9202 cate file specified with $smtpd_tls_eccert_file.
9203
9204 The private key must be accessible without a pass-phrase, i.e. it must
9205 not be encrypted. File permissions should grant read-only access to the
9206 system superuser account ("root"), and no access to anyone else.
9207
9208 This feature is available in Postfix 2.6 and later, when Postfix is
9209 compiled and linked with OpenSSL 1.0.0 or later.
9210
9212 The Postfix SMTP server security grade for ephemeral elliptic-curve
9213 Diffie-Hellman (EECDH) key exchange.
9214
9215 The available choices are:
9216
9217 none Don't use EECDH. Ciphers based on EECDH key exchange will be
9218 disabled. This is the default in Postfix versions 2.6 and 2.7.
9219
9220 strong Use EECDH with approximately 128 bits of security at a reason‐
9221 able computational cost. This is the current best-practice
9222 trade-off between security and computational efficiency. This is
9223 the default in Postfix version 2.8 and later.
9224
9225 ultra Use EECDH with approximately 192 bits of security at computa‐
9226 tional cost that is approximately twice as high as 128 bit
9227 strength ECC. Barring significant progress in attacks on ellip‐
9228 tic curve crypto-systems, the "strong" curve is sufficient for
9229 most users.
9230
9231 This feature is available in Postfix 2.6 and later, when it is compiled
9232 and linked with OpenSSL 1.0.0 or later.
9233
9235 List of ciphers or cipher types to exclude from the SMTP server cipher
9236 list at all TLS security levels. Excluding valid ciphers can create
9237 interoperability problems. DO NOT exclude ciphers unless it is essen‐
9238 tial to do so. This is not an OpenSSL cipherlist; it is a simple list
9239 separated by whitespace and/or commas. The elements are a single
9240 cipher, or one or more "+" separated cipher properties, in which case
9241 only ciphers matching all the properties are excluded.
9242
9243 Examples (some of these will cause problems):
9244
9245 smtpd_tls_exclude_ciphers = aNULL
9246 smtpd_tls_exclude_ciphers = MD5, DES
9247 smtpd_tls_exclude_ciphers = DES+MD5
9248 smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
9249 smtpd_tls_exclude_ciphers = kEDH+aRSA
9250
9251 The first setting disables anonymous ciphers. The next setting disables
9252 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
9253 tion algorithm. The next setting disables ciphers that use MD5 and DES
9254 together. The next setting disables the two ciphers "AES256-SHA" and
9255 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
9256 exchange with RSA authentication.
9257
9258 This feature is available in Postfix 2.3 and later.
9259
9261 The message digest algorithm to construct remote SMTP client-certifi‐
9262 cate fingerprints or public key fingerprints (Postfix 2.9 and later)
9263 for check_ccert_access and permit_tls_clientcerts. The default algo‐
9264 rithm is md5, for backwards compatibility with Postfix releases prior
9265 to 2.5.
9266
9267 Advances in hash function cryptanalysis have led to md5 being depre‐
9268 cated in favor of sha1. However, as long as there are no known "second
9269 pre-image" attacks against md5, its use in this context can still be
9270 considered safe.
9271
9272 While additional digest algorithms are often available with OpenSSL's
9273 libcrypto, only those used by libssl in SSL cipher suites are available
9274 to Postfix.
9275
9276 To find the fingerprint of a specific certificate file, with a specific
9277 digest algorithm, run:
9278
9279 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
9280
9281 The text to the right of "=" sign is the desired fingerprint. For
9282 example:
9283
9284 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
9285 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
9286
9287 To extract the public key fingerprint from an X.509 certificate, you
9288 need to extract the public key from the certificate and compute the
9289 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
9290 key" option of the "x509" command extracts the public key always in
9291 "PEM" format. We pipe the result to another OpenSSL command that con‐
9292 verts the key to DER and then to the "dgst" command to compute the fin‐
9293 gerprint.
9294
9295 The actual command to transform the key to DER format depends on the
9296 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
9297 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
9298 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
9299 ported by 0.9.8), so the "rsa" command is used.
9300
9301 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
9302 $ openssl x509 -in cert.pem -noout -pubkey |
9303 openssl pkey -pubin -outform DER |
9304 openssl dgst -sha1 -c
9305 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
9306
9307 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
9308 $ openssl x509 -in cert.pem -noout -pubkey |
9309 openssl rsa -pubin -outform DER |
9310 openssl dgst -md5 -c
9311 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
9312
9313 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
9314 gerprint and public key fingerprint when the TLS loglevel is 2 or
9315 higher.
9316
9317 Note: Postfix 2.9.0–2.9.5 computed the public key fingerprint
9318 incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
9319 or later.
9320
9321 Example: client-certificate access table, with sha1 fingerprints:
9322
9323 /etc/postfix/main.cf:
9324 smtpd_tls_fingerprint_digest = sha1
9325 smtpd_client_restrictions =
9326 check_ccert_access hash:/etc/postfix/access,
9327 reject
9328 /etc/postfix/access:
9329 # Action folded to next line...
9330 AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
9331 OK
9332 85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
9333 permit_auth_destination
9334
9335 This feature is available in Postfix 2.5 and later.
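The two fingerprints discussed above (digest of the whole DER certificate versus digest of the DER SubjectPublicKeyInfo), computed in an added example that is not Postfix code: a minimal DER walker stands in for the "openssl x509 | openssl pkey | openssl dgst" pipeline, and the sample certificate at the bottom is constructed by hand with placeholder key and signature bytes so the block runs offline.

```python
"""Fingerprints for Postfix check_ccert_access tables (added example)."""
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf: bytes, pos: int):
    """Decode one DER element at pos (single-byte tags, as X.509 uses).
    Returns (tag, content, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq: bytes):
    """Yield (tag, content, raw element bytes) for each member of a SEQUENCE."""
    pos = 0
    while pos < len(seq):
        tag, content, end = _tlv(seq, pos)
        yield tag, content, seq[pos:end]
        pos = end


def spki_der(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo element of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    This element is what "openssl pkey -pubin -outform DER" emits.
    """
    _, cert, _ = _tlv(cert_der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # explicit [0] version is present
        fields = fields[1:]
    return fields[5][2]                     # 6th field: subjectPublicKeyInfo


def colon_hex(digest: bytes) -> str:
    """Format a digest the way openssl and the access table show it."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint(data: bytes, digest: str = "sha1") -> str:
    # Postfix only accepts digests that libssl uses in cipher suites (md5 and
    # sha1 on the OpenSSL versions documented here); hashlib accepts more.
    return colon_hex(hashlib.new(digest, data).digest())


def cert_fingerprint(pem: str, digest: str = "sha1") -> str:
    """Certificate fingerprint: digest over the whole DER certificate."""
    return fingerprint(pem_to_der(pem), digest)


def pubkey_fingerprint(pem: str, digest: str = "sha1") -> str:
    """Public key fingerprint (Postfix 2.9.6+): digest over the DER SPKI."""
    return fingerprint(spki_der(pem_to_der(pem)), digest)


def access_line(pem: str, action: str = "OK", digest: str = "sha1",
                use_pubkey: bool = False) -> str:
    """One access table entry keyed by the chosen fingerprint type."""
    fp = (pubkey_fingerprint if use_pubkey else cert_fingerprint)(pem, digest)
    return f"{fp} {action}"


# ---- constructed sample certificate: placeholder key, unsigned ----------
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_RSA_OID = _der(0x06, bytes.fromhex("2A864886F70D010101"))      # rsaEncryption
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B"))
                + _der(0x05, b""))                               # sha256WithRSA
_NAME = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                         + _der(0x0C, b"constructed"))))
_RSA_KEY = _der(0x30, _der(0x02, b"\x00\xC1" + b"\x42" * 31)     # fake modulus
                + _der(0x02, b"\x01\x00\x01"))                   # e = 65537
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_OID + _der(0x05, b""))
                   + _der(0x03, b"\x00" + _RSA_KEY))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _SIG_ALG + _NAME + _der(0x30, _der(0x17, b"240101000000Z") * 2)
            + _NAME + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _TBS + _SIG_ALG + _der(0x03, b"\x00" * 33))
_B64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SHA1 Fingerprint=" + cert_fingerprint(SAMPLE_CERT_PEM))
    print("SHA1 pubkey fp  =" + pubkey_fingerprint(SAMPLE_CERT_PEM))
    print(access_line(SAMPLE_CERT_PEM, "permit_auth_destination"))
```

Run it against a real client certificate by passing that PEM text to cert_fingerprint or pubkey_fingerprint; the output of the former must match "openssl x509 -fingerprint" for the same digest.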
9336
9338 File with the Postfix SMTP server RSA private key in PEM format. This
9339 file may be combined with the Postfix SMTP server RSA certificate file
9340 specified with $smtpd_tls_cert_file.
9341
9342 The private key must be accessible without a pass-phrase, i.e. it must
9343 not be encrypted. File permissions should grant read-only access to the
9344 system superuser account ("root"), and no access to anyone else.
9345
9347 Enable additional Postfix SMTP server logging of TLS activity. Each
9348 logging level also includes the information that is logged at a lower
9349 logging level.
9350
9351 0 Log only a summary message on TLS handshake completion —
9352 no logging of remote SMTP client certificate trust-chain verifi‐
9353 cation errors if client certificate verification is not
9354 required. With Postfix 2.8 and earlier, disable logging of TLS
9355 activity.
9356
9357 1 Also log trust-chain verification errors and peer certificate
9358 name and issuer. With Postfix 2.8 and earlier, log TLS handshake
9359 and certificate information.
9360
9361 2 Also log levels during TLS negotiation.
9362
9363 3 Also log hexadecimal and ASCII dump of TLS negotiation
9364 process.
9365
9366 4 Also log hexadecimal and ASCII dump of complete transmission
9367 after STARTTLS.
9368
9369 Do not use "smtpd_tls_loglevel = 2" or higher except in case of prob‐
9370 lems. Use of loglevel 4 is strongly discouraged.
9371
9372 This feature is available in Postfix 2.2 and later.
9373
9375 The minimum TLS cipher grade that the Postfix SMTP server will use with
9376 mandatory TLS encryption. The default grade ("medium") is sufficiently
9377 strong that any benefit from globally restricting TLS sessions to a
9378 more stringent grade is likely negligible, especially given the fact
9379 that many implementations still do not offer any stronger ("high"
9380 grade) ciphers, while those that do, will always use "high" grade
9381 ciphers. So insisting on "high" grade ciphers is generally counter-pro‐
9382 ductive. Allowing "export" or "low" ciphers is typically not a good
9383 idea, as systems limited to just these are limited to obsolete
9384 browsers. No known SMTP clients fail to support at least one "medium"
9385 or "high" grade cipher.
9386
9387 The following cipher grades are supported:
9388
9389 export Enable "EXPORT" grade or stronger OpenSSL ciphers. This is the
9390 most appropriate setting for public MX hosts, and is always used
9391 with opportunistic TLS encryption. The underlying cipherlist is
9392 specified via the tls_export_cipherlist configuration parameter,
9393 which you are strongly encouraged to not change.
9394
9395 low Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
9396 cipherlist is specified via the tls_low_cipherlist configuration
9397 parameter, which you are strongly encouraged to not change.
9398
9399 medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
9400 128-bit or longer symmetric bulk-encryption keys. This is the
9401 default minimum strength for mandatory TLS encryption. The
9402 underlying cipherlist is specified via the tls_medium_cipherlist
9403 configuration parameter, which you are strongly encouraged to
9404 not change.
9405
9406 high Enable only "HIGH" grade OpenSSL ciphers. The underlying
9407 cipherlist is specified via the tls_high_cipherlist configura‐
9408 tion parameter, which you are strongly encouraged to not change.
9409
9410 null Enable only the "NULL" OpenSSL ciphers; these provide authenti‐
9411 cation without encryption. This setting is only appropriate in
9412 the rare case that all clients are prepared to use NULL ciphers
9413 (not normally enabled in TLS clients). The underlying cipherlist
9414 is specified via the tls_null_cipherlist configuration parame‐
9415 ter, which you are strongly encouraged to not change.
9416
9417 Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
9418 smtpd_tls_exclude_ciphers are excluded from the base definition of the
9419 selected cipher grade. See smtpd_tls_ciphers for cipher controls that
9420 apply to opportunistic TLS.
9421
9422 The underlying cipherlists for grades other than "null" include anony‐
9423 mous ciphers, but these are automatically filtered out if the server is
9424 configured to ask for remote SMTP client certificates. You are very
9425 unlikely to need to take any steps to exclude anonymous ciphers; they
9426 are excluded automatically as required. If you must exclude anonymous
9427 ciphers even when Postfix does not need or use peer certificates, set
9428 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
9429 when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
9430 aNULL".
9431
9432 This feature is available in Postfix 2.3 and later.
9433
9435 Additional list of ciphers or cipher types to exclude from the Postfix
9436 SMTP server cipher list at mandatory TLS security levels. This list
9437 works in addition to the exclusions listed with
9438 smtpd_tls_exclude_ciphers (see there for syntax details).
9439
9440 This feature is available in Postfix 2.3 and later.
9441
9443 The SSL/TLS protocols accepted by the Postfix SMTP server with manda‐
9444 tory TLS encryption. If the list is empty, the server supports all
9445 available SSL/TLS protocol versions. A non-empty value is a list of
9446 protocol names separated by whitespace, commas or colons. The supported
9447 protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not case sen‐
9448 sitive.
9449
9450 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
9451 "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1
9452 or later, these, or any other new protocol versions, are uncondition‐
9453 ally enabled.
9454
9455 With Postfix >= 2.5 the parameter syntax is expanded to support proto‐
9456 col exclusions. One can now explicitly exclude SSLv2 by setting
9457 "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and
9458 SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
9459 protocols to include, rather than protocols to exclude, is supported,
9460 but not recommended. The exclusion form more closely matches the behav‐
9461 ior when the OpenSSL library is newer than Postfix.
9462
9463 Since SSL version 2 has known protocol weaknesses and is now depre‐
9464 cated, the default setting excludes "SSLv2". This means that by
9465 default, SSL version 2 will not be used at the "encrypt" security
9466 level.
9467
9468 Example:
9469
9470 smtpd_tls_mandatory_protocols = TLSv1
9471 # Alternative form with Postfix >= 2.5:
9472 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
9473
9474 This feature is available in Postfix 2.3 and later.
9475
9477 List of TLS protocols that the Postfix SMTP server will exclude or
9478 include with opportunistic TLS encryption. This parameter SHOULD be
9479 left at its default empty value, allowing all protocols to be used with
9480 opportunistic TLS.
9481
9482 In main.cf the values are separated by whitespace, commas or colons. An
9483 empty value means allow all protocols. The valid protocol names (see
9484 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1". In
9485 smtp_tls_policy_maps table entries, "protocols" attribute values are
9486 separated by a colon.
9487
9488 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
9489 "TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1
9490 or later, these, or any other new protocol versions, are uncondition‐
9491 ally enabled.
9492
9493 To include a protocol, list its name; to exclude it, prefix the name
9494 with a "!" character. To exclude SSLv2 even for opportunistic TLS set
9495 "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
9496 "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the proto‐
9497 cols to include, rather than protocols to exclude, is supported, but
9498 not recommended. The exclusion form more closely matches the behavior
9499 when the OpenSSL library is newer than Postfix.
9500
9501 Example:
9502 smtpd_tls_protocols = !SSLv2
9503
9504 This feature is available in Postfix 2.6 and later.
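A model of the protocol-list parsing described for smtpd_tls_protocols and smtpd_tls_mandatory_protocols, written as an added example (not Postfix code). It follows the rules stated in the text: whitespace, comma or colon separators, case-insensitive names, "!" for exclusion, and the include form disabling every known protocol that is not listed; the assumption that a protocol version unknown to the Postfix build can never be disabled is how the "unconditionally enabled" note is modelled.

```python
"""Which protocol versions a Postfix protocol list disables (added example)."""
import re

# Names a given Postfix build knows. The text lists the first three for the
# versions it documents; later builds also know "TLSv1.1" and "TLSv1.2".
KNOWN_OLD = ("SSLv2", "SSLv3", "TLSv1")
KNOWN_NEW = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

_SEP = re.compile(r"[\s,:]+")


def parse_protocols(value: str, known=KNOWN_OLD) -> set:
    """Return the set of protocol names the parameter value disables.

    Exclusions ("!name") are collected directly. If any name is listed
    without "!", every known protocol that is not included is disabled as
    well. An empty value disables nothing. A name the build does not know
    is a configuration error, reported here as ValueError.
    """
    canonical = {name.lower(): name for name in known}
    include, exclude = set(), set()
    for tok in _SEP.split(value.strip()):
        if not tok:
            continue
        negate = tok.startswith("!")
        name = canonical.get(tok.lstrip("!").lower())
        if name is None:
            raise ValueError(f"unknown protocol name: {tok}")
        (exclude if negate else include).add(name)
    if include:
        exclude |= set(known) - include
    return exclude


def enabled_protocols(value: str, known=KNOWN_OLD, library=KNOWN_NEW) -> set:
    """Protocol versions a session may use: what the linked OpenSSL offers
    minus the disabled set. Versions the build does not know stay enabled,
    which is why the text prefers the exclusion form."""
    return set(library) - parse_protocols(value, known)


if __name__ == "__main__":
    # Older Postfix (knows SSLv2/SSLv3/TLSv1) linked against a newer OpenSSL:
    for setting in ("", "TLSv1", "!SSLv2, !SSLv3", "!sslv2:!sslv3"):
        print(f"{setting!r:20} -> {sorted(enabled_protocols(setting))}")
```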
9505
9507 Request that the Postfix SMTP server produce Received: message head‐
9508 ers that include information about the protocol and cipher used, as
9509 well as the remote SMTP client CommonName and client certificate issuer
9510 CommonName. This is disabled by default, as the information may be
9511 modified in transit through other mail servers. Only information that
9512 was recorded by the final destination can be trusted.
9513
9514 This feature is available in Postfix 2.2 and later.
9515
9517 With mandatory TLS encryption, require a trusted remote SMTP client
9518 certificate in order to allow TLS connections to proceed. This option
9519 implies "smtpd_tls_ask_ccert = yes".
9520
9521 When TLS encryption is optional, this setting is ignored with a warning
9522 written to the mail log.
9523
9524 This feature is available in Postfix 2.2 and later.
9525
9527 The SMTP TLS security level for the Postfix SMTP server; when a non-
9528 empty value is specified, this overrides the obsolete parameters
9529 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
9530 "smtpd_tls_wrappermode = yes".
9531
9532 Specify one of the following security levels:
9533
9534 none TLS will not be used.
9535
9536 may Opportunistic TLS: announce STARTTLS support to remote SMTP
9537 clients, but do not require that clients use TLS encryption.
9538
9539 encrypt
9540 Mandatory TLS encryption: announce STARTTLS support to remote
9541 SMTP clients, and require that clients use TLS encryption.
9542 According to RFC 2487 this MUST NOT be applied in case of a pub‐
9543 licly-referenced SMTP server. Instead, this option should be
9544 used only on dedicated servers.
9545
9546 Note 1: the "fingerprint", "verify" and "secure" levels are not sup‐
9547 ported here. The Postfix SMTP server logs a warning and uses "encrypt"
9548 instead. To verify remote SMTP client certificates, see TLS_README for
9549 a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
9550 mit_tls_clientcerts features.
9551
9552 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
9553 implies "smtpd_tls_auth_only = yes".
9554
9555 Note 3: when invoked via "sendmail -bs", Postfix will never offer
9556 STARTTLS due to insufficient privileges to access the server private
9557 key. This is intended behavior.
9558
9559 This feature is available in Postfix 2.3 and later.
9560
9562 Name of the file containing the optional Postfix SMTP server TLS ses‐
9563 sion cache. Specify a database type that supports enumeration, such as
9564 btree or sdbm; there is no need to support concurrent access. The file
9565 is created if it does not exist. The smtpd(8) daemon does not use this
9566 parameter directly, rather the cache is implemented indirectly in the
9567 tlsmgr(8) daemon. This means that per-smtpd-instance master.cf over‐
9568 rides of this parameter are not effective. Note that each of the cache
9569 databases supported by the tlsmgr(8) daemon, $smtpd_tls_session_cache_data‐
9570 base, $smtp_tls_session_cache_database (and with Postfix 2.3 and later
9571 $lmtp_tls_session_cache_database), needs to be stored separately. It is
9572 not at this time possible to store multiple caches in a single data‐
9573 base.
9574
9575 Note: dbm databases are not suitable. TLS session objects are too
9576 large.
9577
9578 As of version 2.5, Postfix no longer uses root privileges when opening
9579 this file. The file should now be stored under the Postfix-owned
9580 data_directory. As a migration aid, an attempt to open the file under a
9581 non-Postfix directory is redirected to the Postfix-owned data_direc‐
9582 tory, and a warning is logged.
9583
9584 Example:
9585
9586 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
9587
9588 This feature is available in Postfix 2.2 and later.
9589
9591 The expiration time of Postfix SMTP server TLS session cache informa‐
9592 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
9593 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
9594 this parameter is implemented in the tlsmgr(8) daemon and therefore
9595 per-smtpd-instance master.cf overrides are not possible.
9596
9597 This feature is available in Postfix 2.2 and later.
9598
9600 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
9601 of using the STARTTLS command.
9602
9603 If you want to support this service, enable a special port in mas‐
9604 ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
9605 command line. Port 465 (smtps) was once chosen for this purpose.
9606
9607 This feature is available in Postfix 2.2 and later.
9608
9610 The name of the proxy protocol used by an optional before-smtpd proxy
9611 agent. When a proxy agent is used, this protocol conveys local and
9612 remote address and port information. Specify
9613 "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy proto‐
9614 col.
9615
9616 NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
9617 with smtpd_authorized_xclient_hosts. This supports SASL authentication
9618 in the proxy agent (Postfix 2.9 and later).
9619
9620 This feature is available in Postfix 2.10 and later.
9621
9623 The time limit for the proxy protocol specified with the
9624 smtpd_upstream_proxy_protocol parameter.
9625
9626 This feature is available in Postfix 2.10 and later.
9627
9629 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
9630 but do not require that clients use TLS encryption.
9631
9632 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
9633 TLS due to insufficient privileges to access the server private key.
9634 This is intended behavior.
9635
9636 This feature is available in Postfix 2.2 and later. With Postfix 2.3
9637 and later use smtpd_tls_security_level instead.
9638
9640 Safety net to keep mail queued that would otherwise be returned to the
9641 sender. This parameter disables locally-generated bounces, changes the
9642 handling of negative responses from remote servers, content filters or
9643 plugins, and prevents the Postfix SMTP server from rejecting mail per‐
9644 manently by changing 5xx reply codes into 4xx. However, soft_bounce is
9645 no cure for address rewriting mistakes or mail routing mistakes.
9646
9647 Note: "soft_bounce = yes" is in some cases implemented by modifying
9648 server responses. Therefore, the response that Postfix logs may differ
9649 from the response that Postfix actually sends or receives.
9650
9651 Example:
9652
9653 soft_bounce = yes
9654
9656 The time after which a stale exclusive mailbox lockfile is removed.
9657 This is used for delivery to file or mailbox.
9658
9659 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
9660 The default time unit is s (seconds).
9661
9663 This feature is documented in the STRESS_README document.
9664
9665 This feature is available in Postfix 2.5 and later.
9666
9668 Reject mail with 8-bit text in message headers. This blocks mail from
9669 poorly written applications.
9670
9671 This feature should not be enabled on a general purpose mail server,
9672 because it is likely to reject legitimate email.
9673
9674 This feature is available in Postfix 2.0 and later.
9675
9677 Enable both strict_7bit_headers and strict_8bitmime_body.
9678
9679 This feature should not be enabled on a general purpose mail server,
9680 because it is likely to reject legitimate email.
9681
9682 This feature is available in Postfix 2.0 and later.
9683
9685 Reject 8-bit message body text without 8-bit MIME content encoding
9686 information. This blocks mail from poorly written applications.
9687
9688 Unfortunately, this also rejects majordomo approval requests when the
9689 included request contains valid 8-bit MIME mail, and it rejects bounces
9690 from mailers that do not MIME encapsulate 8-bit content (for example,
9691 bounces from qmail or from old versions of Postfix).
9692
9693 This feature should not be enabled on a general purpose mail server,
9694 because it is likely to reject legitimate email.
9695
9696 This feature is available in Postfix 2.0 and later.
9697
9699 Defer delivery when a mailbox file is not owned by its recipient. The
9700 default setting is not backwards compatible.
9701
9702 This feature is available in Postfix 2.5.3 and later.
9703
9705 Reject mail with invalid Content-Transfer-Encoding: information for the
9706 message/* or multipart/* MIME content types. This blocks mail from
9707 poorly written software.
9708
9709 This feature should not be enabled on a general purpose mail server,
9710 because it will reject mail after a single violation.
9711
9712 This feature is available in Postfix 2.0 and later.
9713
9715 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
9716 are enclosed with <>, and that those addresses do not contain RFC 822
9717 style comments or phrases. This stops mail from poorly written soft‐
9718 ware.
9719
9720 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
9721 and RCPT TO addresses.
9722
9724 Obsolete SUN mailtool compatibility feature. Instead, use "mail‐
9725 box_delivery_lock = dotlock".
9726
9728 Enable the rewriting of "site!user" into "user@site". This is neces‐
9729 sary if your machine is connected to UUCP networks. It is enabled by
9730 default.
9731
9732 Note: with Postfix version 2.2, message header address rewriting hap‐
9733 pens only when one of the following conditions is true:
9734
9735 · The message is received with the Postfix sendmail(1) command,
9736
9737 · The message is received from a network client that matches
9738 $local_header_rewrite_clients,
9739
9740 · The message is received from the network, and the
9741 remote_header_rewrite_domain parameter specifies a non-empty
9742 value.
9743
9744 To get the behavior before Postfix version 2.2, specify
9745 "local_header_rewrite_clients = static:all".
9746
9747 Example:
9748
9749 swap_bangpath = no
9750
9752 The syslog facility of Postfix logging. Specify a facility as defined
9753 in syslog.conf(5). The default facility is "mail".
9754
9755 Warning: a non-default syslog_facility setting takes effect only after
9756 a Postfix process has completed initialization. Errors during process
9757 initialization will be logged with the default facility. Examples are
9758 errors while parsing the command line arguments, and errors while
9759 accessing the Postfix main.cf configuration file.
9760
9762 The mail system name that is prepended to the process name in syslog
9763 records, so that "smtpd" becomes, for example, "postfix/smtpd".
9764
9765 Warning: a non-default syslog_name setting takes effect only after a
9766 Postfix process has completed initialization. Errors during process
9767 initialization will be logged with the default name. Examples are
9768 errors while parsing the command line arguments, and errors while
9769 accessing the Postfix main.cf configuration file.
9770
9772 An optional workaround for routers that break TCP window scaling.
9773 Specify a value > 0 and < 65536 to enable this feature. With Postfix
9774 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
9775 Postfix master(8) daemon.
9776
9777 To change this parameter without stopping Postfix, you need to first
9778 terminate all Postfix TCP servers:
9779
9780 # postconf -e master_service_disable=inet
9781 # postfix reload
9782
9783 This immediately terminates all processes that accept network connec‐
9784 tions. Next, you enable Postfix TCP servers with the updated tcp_win‐
9785 dowsize setting:
9786
9787 # postconf -e tcp_windowsize=65535 master_service_disable=
9788 # postfix reload
9789
9790 If you skip these steps with a running Postfix system, then the
9791 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
9792 lmtp(8)).
9793
9794 This feature is available in Postfix 2.6 and later.
9795
9797 Append the system-supplied default certificate authority certificates
9798 to the ones specified with *_tls_CApath or *_tls_CAfile. The default
9799 is "no"; this prevents Postfix from trusting third-party certificates
9800 and giving them relay permission with permit_tls_all_clientcerts.
9801
9802 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
9803 later versions. Specify "tls_append_default_CA = yes" for backwards
9804 compatibility, to avoid breaking certificate verification with sites
9805 that don't use permit_tls_all_clientcerts.
9806
9808 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
9809 requests from the tlsmgr(8) server in order to seed its internal pseudo
9810 random number generator (PRNG). The default of 32 bytes (equivalent to
9811 256 bits) is sufficient to generate a 128-bit (or 168-bit) session key.
9812
9813 This feature is available in Postfix 2.2 and later.
9814
9816 List or bit-mask of OpenSSL bug work-arounds to disable.
9817
9818 The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
9819 implementations. Applications, such as Postfix, that want to maximize
9820 interoperability ask the OpenSSL library to enable the full set of rec‐
9821 ommended work-arounds.
9822
9823 From time to time, it is discovered that a work-around creates a secu‐
9824 rity issue, and should no longer be used. If upgrading OpenSSL to a
9825 fixed version is not an option or an upgrade is not available in a
9826 timely manner, or in closed environments where no buggy clients or
9827 servers exist, it may be appropriate to disable some or all of the
9828 OpenSSL interoperability work-arounds. This parameter specifies which
9829 bug work-arounds to disable.
9830
9831 If the value of the parameter is a hexadecimal long integer starting
9832 with "0x", the bug work-arounds corresponding to the bits specified in
9833 its value are removed from the SSL_OP_ALL work-around bit-mask (see
9834 openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more bits
9835 than are present in SSL_OP_ALL; excess bits are ignored. Specifying
9836 0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
9837 also be sufficient on 64-bit systems, until OpenSSL abandons support
9838 for 32-bit systems and starts using the high 32 bits of a 64-bit bug-
9839 workaround mask.
9840
9841 Otherwise, the parameter is a white-space or comma separated list of
9842 specific named bug work-arounds chosen from the list below. It is pos‐
9843 sible that your OpenSSL version includes new bug work-arounds added
9844 after your Postfix source code was last updated; in that case you can
9845 only disable one of these via the hexadecimal syntax above.
9846
9847 MICROSOFT_SESS_ID_BUG
9848 See SSL_CTX_set_options(3)
9849
9850 NETSCAPE_CHALLENGE_BUG
9851 See SSL_CTX_set_options(3)
9852
9853 LEGACY_SERVER_CONNECT
9854 See SSL_CTX_set_options(3)
9855
9856 NETSCAPE_REUSE_CIPHER_CHANGE_BUG
also aliased as CVE-2010-4180. Postfix 2.8 disables this workaround by
default with OpenSSL versions that may predate the fix. Fixed in OpenSSL
0.9.8q and OpenSSL 1.0.0c.

SSLREF2_REUSE_CERT_TYPE_BUG
See SSL_CTX_set_options(3)

MICROSOFT_BIG_SSLV3_BUFFER
See SSL_CTX_set_options(3)

MSIE_SSLV2_RSA_PADDING
also aliased as CVE-2005-2969. Postfix 2.8 disables this workaround by
default with OpenSSL versions that may predate the fix. Fixed in OpenSSL
0.9.7h and OpenSSL 0.9.8a.

SSLEAY_080_CLIENT_DH_BUG
See SSL_CTX_set_options(3)

TLS_D5_BUG
See SSL_CTX_set_options(3)

TLS_BLOCK_PADDING_BUG
See SSL_CTX_set_options(3)

TLS_ROLLBACK_BUG
See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7 and
later. Nobody should still be using 0.9.6!

DONT_INSERT_EMPTY_FRAGMENTS
See SSL_CTX_set_options(3)

CRYPTOPRO_TLSEXT_BUG
New with GOST support in OpenSSL 1.0.0.

This feature is available in Postfix 2.8 and later.

The elliptic curve used by the Postfix SMTP server for sensibly strong
ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
strong" means approximately 128-bit security based on best known
attacks. The selected curve must be implemented by OpenSSL (as reported
by ecparam(1) with the "-list_curves" option) and be one of the curves
listed in Section 5.1.1 of RFC 4492. You should not generally change
this setting.

This default curve is specified in NSA "Suite B" Cryptography (see
http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information
classified as SECRET.

Note: elliptic curve names are poorly standardized; different standards
groups are assigning different names to the same underlying curves. The
curve with the X9.62 name "prime256v1" is also known under the SECG name
"secp256r1", but OpenSSL does not recognize the latter name.

This feature is available in Postfix 2.6 and later, when it is compiled
and linked with OpenSSL 1.0.0 or later.

The elliptic curve used by the Postfix SMTP server for maximally strong
ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
strong" means approximately 192-bit security based on best known
attacks. This additional strength comes at a significant computational
cost; most users should instead set "smtpd_tls_eecdh_grade = strong".
The selected curve must be implemented by OpenSSL (as reported by
ecparam(1) with the "-list_curves" option) and be one of the curves
listed in Section 5.1.1 of RFC 4492. You should not generally change
this setting.

This default "ultra" curve is specified in NSA "Suite B" Cryptography
(see http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information
classified as TOP SECRET.

This feature is available in Postfix 2.6 and later, when it is compiled
and linked with OpenSSL 1.0.0 or later.

The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This
defines the meaning of the "export" setting in
smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
lmtp_tls_mandatory_ciphers. This is the cipherlist for the
opportunistic ("may") TLS client security level and is the default
cipherlist for the SMTP server. You are strongly encouraged not to
change this setting. With OpenSSL 1.0.0 and later the cipherlist may
start with an "aNULL:" prefix, which restores the 0.9.8-compatible
ordering of the aNULL ciphers to the top of the list when they are
enabled. This prefix is not needed with previous OpenSSL releases.

This feature is available in Postfix 2.3 and later.

The OpenSSL cipherlist for "HIGH" grade ciphers. This defines the
meaning of the "high" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged not to change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases.

This feature is available in Postfix 2.3 and later.

A temporary migration aid for sites that use certificate public-key
fingerprints with Postfix 2.9.0..2.9.5, which use an incorrect
algorithm. This parameter has no effect on the certificate fingerprint
support that is available since Postfix 2.2.

Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
a migration from configuration files with incorrect Postfix 2.9.0..2.9.5
certificate public-key fingerprints, to the correct fingerprints used by
Postfix 2.9.6 and later. To compute the correct certificate public-key
fingerprints, see TLS_README.

This feature is available in Postfix 2.9.6 and later.

The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged not to change this setting. With OpenSSL 1.0.0 and
later the cipherlist may start with an "aNULL:" prefix, which restores
the 0.9.8-compatible ordering of the aNULL ciphers to the top of the
list when they are enabled. This prefix is not needed with previous
OpenSSL releases.

This feature is available in Postfix 2.3 and later.

The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This
defines the meaning of the "medium" setting in
smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
lmtp_tls_mandatory_ciphers. This is the default cipherlist for
mandatory TLS encryption in the TLS client (with anonymous ciphers
disabled when verifying server certificates). You are strongly
encouraged not to change this setting. With OpenSSL 1.0.0 and later the
cipherlist may start with an "aNULL:" prefix, which restores the
0.9.8-compatible ordering of the aNULL ciphers to the top of the list
when they are enabled. This prefix is not needed with previous OpenSSL
releases.

This feature is available in Postfix 2.3 and later.

The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the
"null" setting in smtpd_tls_mandatory_ciphers,
smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are
strongly encouraged not to change this setting.

This feature is available in Postfix 2.3 and later.

With SSLv3 and later, use the Postfix SMTP server's cipher preference
order instead of the remote client's cipher preference order.

By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server may
choose its own most preferred cipher that is supported (offered) by the
client. Setting "tls_preempt_cipherlist = yes" enables server cipher
preferences.

While server cipher selection may in some cases lead to a more secure
or performant cipher choice, there is some risk of interoperability
issues. In the past, some SSL clients have listed lower priority
ciphers that they did not implement correctly. If the server chooses a
cipher that the client prefers less, it may select a cipher whose
client implementation is flawed.

This feature is available in Postfix 2.8 and later, in combination with
OpenSSL 0.9.7 and later.

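The selection rule described above, as an added example that is not part of postconf(5) or of Postfix itself: a small Python model of which cipher is negotiated under the default client-preference order and under "tls_preempt_cipherlist = yes", including the interoperability risk of a client that lists a cipher it implements badly near the bottom of its list. The cipher names are constructed placeholders, not OpenSSL cipher suite names; only the ordering rule is modelled.

```python
"""Model of cipher selection with and without tls_preempt_cipherlist.

Added example, not part of postconf(5) or Postfix. Cipher names are
constructed placeholders; real negotiation works on OpenSSL cipher
suites, but the ordering rule being illustrated is the same.
"""


def select_cipher(client_prefs, server_prefs, preempt=False):
    """Return the negotiated cipher name, or None if there is no overlap.

    preempt=False: the client's most preferred cipher that the server
                   supports (the OpenSSL server default).
    preempt=True:  the server's most preferred cipher that the client
                   offers ("tls_preempt_cipherlist = yes").
    """
    if preempt:
        chooser, offered = server_prefs, set(client_prefs)
    else:
        chooser, offered = client_prefs, set(server_prefs)
    for cipher in chooser:
        if cipher in offered:
            return cipher
    return None


def interop_risk(client_prefs, server_prefs, broken_on_client):
    """True when server preference picks a cipher the client lists but
    implements badly, while client preference would have avoided it.
    This is the interoperability risk postconf(5) warns about."""
    default_choice = select_cipher(client_prefs, server_prefs, preempt=False)
    preempt_choice = select_cipher(client_prefs, server_prefs, preempt=True)
    return (preempt_choice in broken_on_client
            and default_choice not in broken_on_client)


# Constructed preference lists. The client lists CIPHER-C last and, in
# this scenario, is assumed not to implement it correctly.
CLIENT_PREFS = ["CIPHER-A", "CIPHER-B", "CIPHER-C"]
SERVER_PREFS = ["CIPHER-C", "CIPHER-B", "CIPHER-A"]
BROKEN_ON_CLIENT = {"CIPHER-C"}

if __name__ == "__main__":
    print("client preference :", select_cipher(CLIENT_PREFS, SERVER_PREFS))
    print("server preference :", select_cipher(CLIENT_PREFS, SERVER_PREFS, preempt=True))
    print("interop risk      :", interop_risk(CLIENT_PREFS, SERVER_PREFS, BROKEN_ON_CLIENT))
```

With the constructed lists, client preference negotiates CIPHER-A while server preference negotiates CIPHER-C, the one entry the client handles badly; that is the trade-off to weigh before enabling the parameter.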
The number of bytes that tlsmgr(8) reads from $tls_random_source when
(re)seeding the in-memory pseudo random number generator (PRNG) pool.
The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
keys. If using EGD or a device file, a maximum of 255 bytes is read.

This feature is available in Postfix 2.2 and later.

Name of the pseudo random number generator (PRNG) state file that is
maintained by tlsmgr(8). The file is created when it does not exist,
and its length is fixed at 1024 bytes.

As of version 2.5, Postfix no longer uses root privileges when opening
this file, and the default file location was changed from
${config_directory}/prng_exch to ${data_directory}/prng_exch. As a
migration aid, an attempt to open the file under a non-Postfix
directory is redirected to the Postfix-owned data_directory, and a
warning is logged.

This feature is available in Postfix 2.2 and later.

The time between attempts by tlsmgr(8) to save the state of the pseudo
random number generator (PRNG) to the file specified with
$tls_random_exchange_name.

This feature is available in Postfix 2.2 and later.

The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
pseudo random number generator (PRNG) pool from external sources. The
actual time between re-seeding attempts is calculated using the PRNG,
and is between 0 and the time specified.

This feature is available in Postfix 2.2 and later.

The external entropy source for the in-memory tlsmgr(8) pseudo random
number generator (PRNG) pool. Be sure to specify a non-blocking source.
If this source is not a regular file, the entropy source type must be
prepended: egd:/path/to/egd_socket for a source with EGD compatible
socket interface, or dev:/path/to/device for a device file.

Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
timeout errors.

This feature is available in Postfix 2.2 and later.

Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
further details.

This feature is available in Postfix 2.8 and later.

The name of the tlsproxy(8) service entry in master.cf. This service
performs plaintext <=> TLS ciphertext conversion.

This feature is available in Postfix 2.8 and later.

A file containing (PEM format) CA certificates of root CAs trusted to
sign either remote SMTP client certificates or intermediate CA
certificates. See smtpd_tls_CAfile for further details.

This feature is available in Postfix 2.8 and later.

A directory containing (PEM format) CA certificates of root CAs trusted
to sign either remote SMTP client certificates or intermediate CA
certificates. See smtpd_tls_CApath for further details.

This feature is available in Postfix 2.8 and later.

sion_ids)
Force the Postfix tlsproxy(8) server to issue a TLS session id, even
when TLS session caching is turned off. See
smtpd_tls_always_issue_session_ids for further details.

This feature is available in Postfix 2.8 and later.

Ask a remote SMTP client for a client certificate. See
smtpd_tls_ask_ccert for further details.

This feature is available in Postfix 2.8 and later.

The verification depth for remote SMTP client certificates. A depth of
1 is sufficient if the issuing CA is listed in a local CA file. See
smtpd_tls_ccert_verifydepth for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
This file may also contain the Postfix tlsproxy(8) server private RSA
key. See smtpd_tls_cert_file for further details.

This feature is available in Postfix 2.8 and later.

The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
use with opportunistic TLS encryption. See smtpd_tls_ciphers for
further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
This file may also contain the Postfix tlsproxy(8) server private DSA
key. See smtpd_tls_dcert_file for further details.

This feature is available in Postfix 2.8 and later.

File with DH parameters that the Postfix tlsproxy(8) server should use
with EDH ciphers. See smtpd_tls_dh1024_param_file for further details.

This feature is available in Postfix 2.8 and later.

File with DH parameters that the Postfix tlsproxy(8) server should use
with EDH ciphers. See smtpd_tls_dh512_param_file for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server DSA private key in PEM format.
This file may be combined with the Postfix tlsproxy(8) server DSA
certificate file specified with $smtpd_tls_dcert_file. See
smtpd_tls_dkey_file for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server ECDSA certificate in PEM
format. This file may also contain the Postfix tlsproxy(8) server
private ECDSA key. See smtpd_tls_eccert_file for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server ECDSA private key in PEM
format. This file may be combined with the Postfix tlsproxy(8) server
ECDSA certificate file specified with $smtpd_tls_eccert_file. See
smtpd_tls_eckey_file for further details.

This feature is available in Postfix 2.8 and later.

The Postfix tlsproxy(8) server security grade for ephemeral
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details.

This feature is available in Postfix 2.8 and later.

List of ciphers or cipher types to exclude from the tlsproxy(8) server
cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers
for further details.

This feature is available in Postfix 2.8 and later.

The message digest algorithm to construct remote SMTP client-certificate
fingerprints. See smtpd_tls_fingerprint_digest for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server RSA private key in PEM format.
This file may be combined with the Postfix tlsproxy(8) server RSA
certificate file specified with $smtpd_tls_cert_file. See
smtpd_tls_key_file for further details.

This feature is available in Postfix 2.8 and later.

Enable additional Postfix tlsproxy(8) server logging of TLS activity.
Each logging level also includes the information that is logged at a
lower logging level. See smtpd_tls_loglevel for further details.

This feature is available in Postfix 2.8 and later.

The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
further details.

This feature is available in Postfix 2.8 and later.

tory_exclude_ciphers)
Additional list of ciphers or cipher types to exclude from the
tlsproxy(8) server cipher list at mandatory TLS security levels. See
smtpd_tls_mandatory_exclude_ciphers for further details.

This feature is available in Postfix 2.8 and later.

The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
mandatory TLS encryption. If the list is empty, the server supports all
available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols
for further details.

This feature is available in Postfix 2.8 and later.

List of TLS protocols that the Postfix tlsproxy(8) server will exclude
or include with opportunistic TLS encryption. See smtpd_tls_protocols
for further details.

This feature is available in Postfix 2.8 and later.

With mandatory TLS encryption, require a trusted remote SMTP client
certificate in order to allow TLS connections to proceed. See
smtpd_tls_req_ccert for further details.

This feature is available in Postfix 2.8 and later.

The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
non-empty value is specified, this overrides the obsolete parameters
smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
further details.

This feature is available in Postfix 2.8 and later.

The expiration time of Postfix tlsproxy(8) server TLS session cache
information. A cache cleanup is performed periodically every
$smtpd_tls_session_cache_timeout seconds. See
smtpd_tls_session_cache_timeout for further details.

This feature is available in Postfix 2.8 and later.

Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
but do not require that clients use TLS encryption. See smtpd_use_tls
for further details.

This feature is available in Postfix 2.8 and later.

How much time a tlsproxy(8) process may take to process local or remote
I/O before it is terminated by a built-in watchdog timer. This is a
safety mechanism that prevents tlsproxy(8) from becoming non-responsive
due to a bug in Postfix itself or in system software. To avoid false
alarms and unnecessary cache corruption this limit cannot be set under
10s.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8.

The name of the trace service. This service is implemented by the
bounce(8) daemon and maintains a record of mail deliveries and produces
a mail delivery report when verbose delivery is requested with
"sendmail -v".

This feature is available in Postfix 2.1 and later.

A transport-specific override for the default_delivery_slot_cost
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_delivery_slot_cost parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_delivery_slot_cost").

A transport-specific override for the default_delivery_slot_discount
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_delivery_slot_discount parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_delivery_slot_discount").

A transport-specific override for the default_delivery_slot_loan
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_delivery_slot_loan parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_delivery_slot_loan").

tination_concurrency_failed_cohort_limit)
A transport-specific override for the
default_destination_concurrency_failed_cohort_limit parameter value,
where transport is the master.cf name of the message delivery
transport.

Note: some transport_destination_concurrency_failed_cohort_limit
parameters will not show up in "postconf" command output before Postfix
version 2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in this
case: "_destination_concurrency_failed_cohort_limit").

This feature is available in Postfix 2.5 and later.

rency_limit)
A transport-specific override for the
default_destination_concurrency_limit parameter value, where transport
is the master.cf name of the message delivery transport.

Note: some transport_destination_concurrency_limit parameters will not
show up in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination of a
master.cf service name and a built-in suffix (in this case:
"_destination_concurrency_limit").

nation_concurrency_negative_feedback)
A transport-specific override for the
default_destination_concurrency_negative_feedback parameter value,
where transport is the master.cf name of the message delivery
transport.

Note: some transport_destination_concurrency_negative_feedback
parameters will not show up in "postconf" command output before Postfix
version 2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in this
case: "_destination_concurrency_negative_feedback").

This feature is available in Postfix 2.5 and later.

nation_concurrency_positive_feedback)
A transport-specific override for the
default_destination_concurrency_positive_feedback parameter value,
where transport is the master.cf name of the message delivery
transport.

Note: some transport_destination_concurrency_positive_feedback
parameters will not show up in "postconf" command output before Postfix
version 2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in this
case: "_destination_concurrency_positive_feedback").

This feature is available in Postfix 2.5 and later.

A transport-specific override for the default_destination_rate_delay
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: some transport_destination_rate_delay parameters will not show up
in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination of a
master.cf service name and a built-in suffix (in this case:
"_destination_rate_delay").

This feature is available in Postfix 2.5 and later.

ent_limit)
A transport-specific override for the
default_destination_recipient_limit parameter value, where transport is
the master.cf name of the message delivery transport.

Note: some transport_destination_recipient_limit parameters will not
show up in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination of a
master.cf service name and a built-in suffix (in this case:
"_destination_recipient_limit").

A transport-specific override for the default_extra_recipient_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_extra_recipient_limit parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_extra_recipient_limit").

currency)
A transport-specific override for the initial_destination_concurrency
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: some transport_initial_destination_concurrency parameters will
not show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
of a master.cf service name and a built-in suffix (in this case:
"_initial_destination_concurrency").

This feature is available in Postfix 2.5 and later.

Optional lookup tables with mappings from recipient address to (message
delivery transport, next-hop destination). See transport(5) for
details.

Specify zero or more "type:table" lookup tables. If you use this
feature with local files, run "postmap /etc/postfix/transport" after
making a change.

For safety reasons, as of Postfix 2.3 this feature does not allow
$number substitutions in regular expression maps.

Examples:

transport_maps = dbm:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport

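The recipient-address to (transport, next-hop) mapping described above, as an added example that is not part of postconf(5) or of Postfix: a Python emulation of a transport_maps lookup against a constructed transport(5) style table. The page only refers to transport(5) for the details, so the lookup order used here (full address, then the address without its "+" extension, then the domain, then parent domains written with a leading dot, then "*") is the editor's reading of transport(5) and is stated as an assumption; real Postfix reads the table through postmap(1) output rather than a text file, and an empty transport or next-hop field means "use the default".

```python
"""Emulate transport_maps lookups against a constructed transport table.

Added example, not Postfix code. The lookup order below (address,
address without "+" extension, domain, parent domains with a leading
dot, then "*") follows transport(5) as the editor understands it; the
recipient delimiter "+" is assumed. The table text is constructed.
"""

TRANSPORT_TABLE = """
# constructed transport(5) table: key   transport:nexthop
alice@example.com       smtp:[mailhub.example.com]
example.com             relay:[relay.example.com]:587
.example.com            relay:[relay.example.com]:587
.partner.test           smtp:
*                       smtp:
"""


def parse_transport_table(text):
    """Return {key: (transport, nexthop)}; keys are case-folded.
    Lines that are empty or start with "#" are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a key without a value carries no mapping
        key, value = parts[0].lower(), parts[1].strip()
        transport, _, nexthop = value.partition(":")
        table[key] = (transport, nexthop)
    return table


def lookup_keys(address):
    """Candidate keys in the order they are tried (assumed order)."""
    address = address.lower()
    keys = []
    if "@" in address:
        local, domain = address.rsplit("@", 1)
        keys.append(address)
        if "+" in local:  # drop the "+extension" (assumed delimiter)
            keys.append(local.split("+", 1)[0] + "@" + domain)
        keys.append(domain)
        labels = domain.split(".")
        # parent domains: for a.b.c try .b.c then .c
        keys.extend("." + ".".join(labels[i:]) for i in range(1, len(labels)))
    keys.append("*")
    return keys


def lookup_transport(table, address):
    """Return (transport, nexthop) for address, or None when no key matches.
    An empty transport or nexthop means "use the default" (per transport(5))."""
    for key in lookup_keys(address):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    table = parse_transport_table(TRANSPORT_TABLE)
    for addr in ("alice@example.com", "bob@sub.example.com",
                 "carol@host.partner.test", "dave@other.org"):
        print(f"{addr:28} -> {lookup_transport(table, addr)}")
```

Keeping the candidate-key order in one function makes it easy to see why a per-user entry beats a domain entry and why a parent-domain entry written as ".example.com" catches hosts under that domain; it is also where a site-specific rule would be added if the real transport(5) order differs from this assumption.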
A transport-specific override for the default_minimum_delivery_slots
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_minimum_delivery_slots parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_minimum_delivery_slots").

A transport-specific override for the default_recipient_limit parameter
value, where transport is the master.cf name of the message delivery
transport.

Note: some transport_recipient_limit parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case: "_recipient_limit").

A transport-specific override for the default_recipient_refill_delay
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_recipient_refill_delay parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_recipient_refill_delay").

This feature is available in Postfix 2.4 and later.

A transport-specific override for the default_recipient_refill_limit
parameter value, where transport is the master.cf name of the message
delivery transport.

Note: transport_recipient_refill_limit parameters will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name and a built-in suffix (in this case:
"_recipient_refill_limit").

This feature is available in Postfix 2.4 and later.

The time between attempts by the Postfix queue manager to contact a
malfunctioning message delivery transport.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

A transport-specific override for the command_time_limit parameter
value, where transport is the master.cf name of the message delivery
transport.

Note: transport_time_limit parameters will not show up in "postconf"
command output before Postfix version 2.9. This limitation applies to
many parameters whose name is a combination of a master.cf service name
and a built-in suffix (in this case: "_time_limit").

The time limit for sending a trigger to a Postfix daemon (for example,
the pickup(8) or qmgr(8) daemon). This time limit prevents programs
from getting stuck when the mail system is under heavy load.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

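The time-value syntax shared by the tlsproxy(8) watchdog limit (a non-zero value that cannot be set under 10s), the queue manager's retry time and the trigger time limit above (the Postfix parameters tlsproxy_watchdog_timeout, transport_retry_time and trigger_timeout), as an added example that is not part of postconf(5) or of Postfix: a Python parser for "integer plus optional s/m/h/d/w suffix" values with the default unit s, plus a checker for the watchdog minimum. Whether Postfix rejects or silently raises an out-of-range watchdog value is not stated on the page; the checker rejects, and that choice is an assumption.

```python
"""Parse Postfix time values: an integer plus an optional unit suffix.

Added example, not Postfix code. Units and the default unit "s" are
the ones stated in postconf(5); the 10s floor is the one stated for
the tlsproxy(8) watchdog timer. Rejecting (rather than clamping) a
value under the floor is an assumption.
"""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"^(\d+)([smhdw])?$")


def parse_time_value(value, default_unit="s"):
    """Return the number of seconds denoted by value, e.g. "2m" -> 120.
    A bare integer is taken in default_unit; anything else is an error."""
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    count, unit = m.group(1), m.group(2) or default_unit
    return int(count) * UNIT_SECONDS[unit]


def watchdog_timeout_seconds(value, floor_seconds=10):
    """tlsproxy(8) watchdog limit: non-zero and not under 10s.
    Raises ValueError for values below the floor (assumed behaviour)."""
    seconds = parse_time_value(value)
    if seconds < floor_seconds:
        raise ValueError(
            f"watchdog timeout {value!r} is below the {floor_seconds}s minimum")
    return seconds


if __name__ == "__main__":
    for v in ("30", "10s", "2m", "1h", "1d", "1w"):
        print(f"{v:>4} = {parse_time_value(v)} seconds")
    print("watchdog 10s ->", watchdog_timeout_seconds("10s"))
```

The regular expression deliberately accepts only the five suffixes the page lists, so a typo such as "10sec" fails loudly instead of being read as ten seconds with garbage ignored.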
Message header that the Postfix cleanup(8) server inserts when a
message contains no To: or Cc: message header. With Postfix 2.8 and
later, the default value is empty. With Postfix 2.4-2.7, specify an
empty value to disable this feature.

Example:

# Default value before Postfix 2.8.
# Note: the ":" and ";" are both required.
undisclosed_recipients_header = To: undisclosed-recipients:;

The numerical Postfix SMTP server response code when a sender or
recipient address is rejected by the reject_unknown_sender_domain or
reject_unknown_recipient_domain restriction. The response is always 450
in case of a temporary DNS error.

Do not change this unless you have a complete understanding of RFC
5321.

The Postfix SMTP server's action when reject_unknown_sender_domain or
reject_unknown_recipient_domain fail due to a temporary error
condition. Specify "defer" to defer the remote SMTP client request
immediately. With the default "defer_if_permit" action, the Postfix
SMTP server continues to look for opportunities to reject mail, and
defers the client request only if it would otherwise be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a client without
valid address <=> name mapping is rejected by the
reject_unknown_client_hostname restriction. The SMTP server always
replies with 450 when the mapping failed due to a temporary error
condition.

Do not change this unless you have a complete understanding of RFC
5321.

The Postfix SMTP server's action when reject_unknown_helo_hostname
fails due to a temporary error condition. Specify "defer" to defer the
remote SMTP client request immediately. With the default
"defer_if_permit" action, the Postfix SMTP server continues to look for
opportunities to reject mail, and defers the client request only if it
would otherwise be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when the hostname
specified with the HELO or EHLO command is rejected by the
reject_unknown_helo_hostname restriction.

Do not change this unless you have a complete understanding of RFC
5321.

The numerical Postfix SMTP server response code when a recipient
address is local, and $local_recipient_maps specifies a list of lookup
tables that does not match the recipient. A recipient address is local
when its domain matches $mydestination, $proxy_interfaces or
$inet_interfaces.

The default setting is 550 (reject mail) but it is safer to initially
use 450 (try again later) so you have time to find out if your
local_recipient_maps settings are OK.

Example:

unknown_local_recipient_reject_code = 450

This feature is available in Postfix 2.0 and later.

The numerical Postfix SMTP server reply code when a recipient address
matches $relay_domains, and relay_recipient_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The Postfix SMTP server reply code when a recipient address matches
$virtual_alias_domains, and $virtual_alias_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The Postfix SMTP server reply code when a recipient address matches
$virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The numerical Postfix SMTP server response when a recipient address
probe fails due to a temporary error condition.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response when a recipient address is
rejected by the reject_unverified_recipient restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.1 and later.

The Postfix SMTP server's reply when rejecting mail with
reject_unverified_recipient. Do not include the numeric SMTP reply code
or the enhanced status code. By default, the response includes actual
address verification details.

Example:

unverified_recipient_reject_reason = Recipient address lookup failed

This feature is available in Postfix 2.6 and later.

The Postfix SMTP server's action when reject_unverified_recipient fails
due to a temporary error condition. Specify "defer" to defer the remote
SMTP client request immediately. With the default "defer_if_permit"
action, the Postfix SMTP server continues to look for opportunities to
reject mail, and defers the client request only if it would otherwise
be accepted.

This feature is available in Postfix 2.6 and later.

10671 The numerical Postfix SMTP server response code when a sender address
10672 probe fails due to a temporary error condition.
10673
10674 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
10675 address anyway.
10676
10677 Do not change this unless you have a complete understanding of RFC
10678 5321.
10679
10680 This feature is available in Postfix 2.6 and later.
10681
10683 The numerical Postfix SMTP server response code when a sender address
10684 is rejected by the reject_unverified_sender restriction.
10685
10686 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
10687 address anyway.
10688
10689 Do not change this unless you have a complete understanding of RFC
10690 5321.
10691
10692 This feature is available in Postfix 2.1 and later.
10693
10695 The Postfix SMTP server's reply when rejecting mail with
10696 reject_unverified_sender. Do not include the numeric SMTP reply code or
10697 the enhanced status code. By default, the response includes actual
10698 address verification details.
10699
10700 Example:
10701
10702 unverified_sender_reject_reason = Sender address lookup failed
10703
10704 This feature is available in Postfix 2.6 and later.
10705
10707 The Postfix SMTP server's action when reject_unverified_sender fails
10708 due to a temporary error condition. Specify "defer" to defer the remote
10709 SMTP client request immediately. With the default "defer_if_permit"
10710 action, the Postfix SMTP server continues to look for opportunities to
10711 reject mail, and defers the client request only if it would otherwise
10712 be accepted.
10713
10714 This feature is available in Postfix 2.6 and later.
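
The unverified_recipient_* and unverified_sender_* parameters above (reject code, defer code, reject reason and tempfail_action) only make sense together, so here is an added Python model of how they combine; it is an illustration written for this page, not Postfix source. It assumes, for the sake of the example, that the enhanced status code is formed from the reply code's first digit plus "1.1" for recipients and "1.7" for senders, and that the default reason text looks like "Recipient address rejected: <probe detail>"; Postfix supplies its own text, which the reject_reason parameter replaces.

```python
"""Model of how the Postfix SMTP server turns an address-verification probe
result into an SMTP reply.  Added illustration; not Postfix source."""
from dataclasses import dataclass


@dataclass
class VerifyParams:
    """The unverified_{recipient,sender}_* parameters for one address kind."""
    kind: str                                   # "recipient" or "sender"
    reject_code: int = 450                      # unverified_*_reject_code
    defer_code: int = 450                       # unverified_*_defer_code
    reject_reason: str = ""                     # unverified_*_reject_reason ("" = probe details)
    tempfail_action: str = "defer_if_permit"    # unverified_*_tempfail_action


def build_reply(code, params, address, probe_detail):
    """Prefix the numeric code and an enhanced status code; the configured
    reason must not contain either.  The x.1.1 / x.1.7 subject codes are an
    assumption made for this example."""
    subject = "1.1" if params.kind == "recipient" else "1.7"
    enhanced = f"{code // 100}.{subject}"
    reason = params.reject_reason or f"{params.kind.capitalize()} address rejected: {probe_detail}"
    return f"{code} {enhanced} <{address}>: {reason}"


def verify_action(probe_status, params, address, probe_detail):
    """Map a probe outcome ('deliverable', 'undeliverable' or 'tempfail') to a
    restriction result (action, reply)."""
    if probe_status == "deliverable":
        return ("DUNNO", "")                    # no opinion; the next restriction decides
    code = params.reject_code if probe_status == "undeliverable" else params.defer_code
    if code == 250:
        # Unlike elsewhere in Postfix, 250 means "accept the address anyway".
        return ("OK", "")
    reply = build_reply(code, params, address, probe_detail)
    if probe_status == "undeliverable":
        return ("REJECT", reply)
    if params.tempfail_action == "defer":
        return ("DEFER", reply)                 # defer the client request immediately
    return ("DEFER_IF_PERMIT", reply)           # keep looking for a reason to reject


def smtpd_outcome(results, permit_reply="250 2.1.5 Ok"):
    """Walk the (action, reply) results of a restriction list in order.
    DUNNO passes control on; OK, REJECT and DEFER are final; DEFER_IF_PERMIT
    is remembered and applied only if the list would otherwise permit
    (including the implicit permit at the end of the list)."""
    pending = None
    for action, reply in results:
        if action == "DUNNO":
            continue
        if action == "DEFER_IF_PERMIT":
            pending = pending or reply
            continue
        if action == "OK":
            return pending or permit_reply
        return reply                            # REJECT or DEFER
    return pending or permit_reply
```

The practical point the model makes: with the default "defer_if_permit", a verification outage does not turn into a flood of 450s for clients that a later reject_rbl_client or access-map entry would have rejected anyway; with "defer", every client sees the temporary failure immediately, before any further restriction runs.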
10715
10717 The characters Postfix accepts as VERP delimiter characters on the
10718 Postfix sendmail(1) command line and in SMTP commands.
10719
10720 This feature is available in Postfix 1.1 and later.
10721
10723 Postfix is final destination for the specified list of virtual alias
10724 domains, that is, domains for which all addresses are aliased to
10725 addresses in other local or remote domains. The SMTP server validates
10726 recipient addresses with $virtual_alias_maps and rejects non-existent
10727 recipients. See also the virtual alias domain class in the
10728 ADDRESS_CLASS_README file.
10729
10730 This feature is available in Postfix 2.0 and later. The default value
10731 is backwards compatible with Postfix version 1.1.
10732
10733 The default value is $virtual_alias_maps so that you can keep all
10734 information about virtual alias domains in one place. If you have many
10735 users, it is better to separate information that changes more fre‐
10736 quently (virtual address -> local or remote address mapping) from
10737 information that changes less frequently (the list of virtual domain
10738 names).
10739
10740 Specify a list of host or domain names, "/file/name" or "type:table"
10741 patterns, separated by commas and/or whitespace. A "/file/name" pattern
10742 is replaced by its contents; a "type:table" lookup table is matched
10743 when a table entry matches a lookup string (the lookup result is
10744 ignored). Continue long lines by starting the next line with white‐
10745 space. Specify "!pattern" to exclude a host or domain name from the
10746 list. The form "!/file/name" is supported only in Postfix version 2.4
10747 and later.
10748
10749 See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
10750 ther information.
10751
10752 Example:
10753
10754 virtual_alias_domains = virtual1.tld virtual2.tld
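
The list syntax above (names, "/file/name", "type:table", "!pattern", comma or whitespace separators) is shared by several domain-list parameters, and the first-match-wins rule for "!pattern" is worth seeing in code. The following Python matcher is an added example for this page, not Postfix code. Its assumptions: a ".domain" pattern matches subdomains only (Postfix matching behaviour the page does not describe), a "type:table" entry is modelled as a dict whose keys are matched and whose values are ignored, a "!" inside an included file toggles the negation of "!/file/name", and read_file is a hook so that file inclusion can be exercised without touching the filesystem.

```python
"""Evaluate a Postfix-style domain list such as virtual_alias_domains or
virtual_mailbox_domains.  Added illustration only; not Postfix source."""


def parse_domain_list(spec, read_file=None):
    """Return [(negated, pattern)] in list order.  read_file(path) -> str is
    used for "/file/name" entries and defaults to reading the local file."""
    if read_file is None:
        read_file = lambda path: open(path, encoding="utf-8").read()

    def walk(text, outer_negate):
        for token in text.replace(",", " ").split():
            negate = outer_negate ^ token.startswith("!")   # assumption: nested "!" toggles
            body = token.lstrip("!")
            if body.startswith("/"):
                yield from walk(read_file(body), negate)    # file contents replace the token
            else:
                yield (negate, body)

    return list(walk(spec, False))


def domain_matches(pattern, domain, tables):
    """One pattern against one (lower-cased) domain name."""
    pl = pattern.lower()
    if ":" in pl:                                  # "type:table": key present, value ignored
        return domain in {k.lower() for k in tables.get(pattern, {})}
    if pl.startswith("."):                         # ".example.com": subdomains only (assumption)
        return domain.endswith(pl)
    return domain == pl


def is_listed(domain, spec, tables=None, read_file=None):
    """The first matching pattern decides: True for a plain pattern, False for
    a "!pattern" exclusion.  No match at all means the domain is not listed."""
    tables = tables or {}
    domain = domain.lower()
    for negated, pattern in parse_domain_list(spec, read_file):
        if domain_matches(pattern, domain, tables):
            return not negated
    return False
```

Because the first match wins, an exclusion only works when it precedes the broader pattern it carves out of: "!lab.virtual2.tld .virtual2.tld" excludes the lab host, while ".virtual2.tld !lab.virtual2.tld" does not.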
10755
10757 The maximal number of addresses that virtual alias expansion produces
10758 from each original recipient.
10759
10760 This feature is available in Postfix 2.1 and later.
10761
10763 Optional lookup tables that alias specific mail addresses or domains to
10764 other local or remote addresses. The table format and lookups are
10765 documented in virtual(5). For an overview of Postfix address
10766 manipulations see the ADDRESS_REWRITING_README document.
10767
10768 This feature is available in Postfix 2.0 and later. The default value
10769 is backwards compatible with Postfix version 1.1.
10770
10771 If you use this feature with indexed files, run "postmap
10772 /etc/postfix/virtual" after changing the file.
10773
10774 Examples:
10775
10776 virtual_alias_maps = dbm:/etc/postfix/virtual
10777 virtual_alias_maps = hash:/etc/postfix/virtual
10778
10780 The maximal nesting depth of virtual alias expansion. Currently the
10781 recursion limit is applied only to the left branch of the expansion
10782 graph, so the depth of the tree can in the worst case reach the sum of
10783 the expansion and recursion limits. This may change in the future.
10784
10785 This feature is available in Postfix 2.1 and later.
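
The two limits above (virtual_alias_expansion_limit and virtual_alias_recursion_limit) are what keeps an alias loop or a deliberately fan-out-heavy alias table from consuming unbounded memory in cleanup(8). The following Python example, added here and not taken from Postfix, models the documented behaviour of both limits: the expansion limit caps the total number of addresses produced from one original recipient, the recursion limit caps nesting depth. It does not reproduce the exact bookkeeping described above (the recursion limit applied only to the left branch); it applies the depth check to every branch, which is stricter. Table keys, the build_alias_bomb helper and the sample tables are constructed for the example.

```python
"""Virtual alias expansion with virtual_alias_expansion_limit and
virtual_alias_recursion_limit enforced.  Added illustration; it models the
documented limits, not the exact bookkeeping inside cleanup(8)."""


class AliasLimitExceeded(Exception):
    """Raised when an expansion would exceed one of the configured limits."""


def expand_virtual_aliases(alias_maps, recipient, expansion_limit=1000, recursion_limit=1000):
    """Expand one original recipient through alias_maps (a dict modelling
    virtual_alias_maps: lower-cased address -> list of target addresses) and
    return the final recipients in left-to-right order, duplicates removed."""
    final, seen = [], set()
    produced = 0                          # addresses produced from this recipient so far
    work = [(recipient, 0)]               # (address, depth); depth 0 = original recipient
    while work:
        address, depth = work.pop(0)
        targets = alias_maps.get(address.lower())
        if targets is None:               # not aliased: this is a final recipient
            if address.lower() not in seen:
                seen.add(address.lower())
                final.append(address)
            continue
        if depth + 1 > recursion_limit:
            raise AliasLimitExceeded(
                f"{recipient}: recursion limit {recursion_limit} exceeded at {address}")
        produced += len(targets)
        if produced > expansion_limit:
            raise AliasLimitExceeded(
                f"{recipient}: expansion limit {expansion_limit} exceeded at {address}")
        # Depth-first: the expansion replaces the address at its own position.
        work = [(t, depth + 1) for t in targets] + work
    return final


def expansion_error(alias_maps, recipient, **limits):
    """Return the limit-violation message for a recipient, or None when the
    expansion stays within the limits (useful for checking a table offline)."""
    try:
        expand_virtual_aliases(alias_maps, recipient, **limits)
    except AliasLimitExceeded as err:
        return str(err)
    return None


def build_alias_bomb(fanout, levels, domain="example.com"):
    """Construct a table in which every address fans out `fanout` times for
    `levels` levels: fanout**levels final recipients from one original.
    Constructed test data for demonstrating the expansion limit."""
    table, frontier = {}, [f"bomb@{domain}"]
    for _ in range(levels):
        nxt = []
        for addr in frontier:
            local = addr.split("@")[0]
            targets = [f"{local}-{i}@{domain}" for i in range(fanout)]
            table[addr] = targets
            nxt.extend(targets)
        frontier = nxt
    return table


# Constructed sample tables.
ALIASES = {
    "sales@example.com": ["alice@corp.example", "team@example.com"],
    "team@example.com": ["bob@corp.example", "alice@corp.example"],
}
LOOP = {"x@example.com": ["y@example.com"], "y@example.com": ["x@example.com"]}
```

With the defaults of 1000 for both limits a three-level fan-out of ten is still accepted (it produces 1000 final recipients), which is why a site that lets untrusted users edit alias tables should consider a lower expansion limit rather than relying on the default.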
10786
10788 rency_limit)
10789 The maximal number of parallel deliveries to the same destination via
10790 the virtual message delivery transport. This limit is enforced by the
10791 queue manager. The message delivery transport name is the first field
10792 in the entry in the master.cf file.
10793
10795 ent_limit)
10796 The maximal number of recipients per message for the virtual message
10797 delivery transport. This limit is enforced by the queue manager. The
10798 message delivery transport name is the first field in the entry in the
10799 master.cf file.
10800
10801 Setting this parameter to a value of 1 changes the meaning of
10802 virtual_destination_concurrency_limit from concurrency per domain into
10803 concurrency per recipient.
10804
10806 Lookup tables with the per-recipient group ID for virtual(8) mailbox
10807 delivery.
10808
10809 This parameter is specific to the virtual(8) delivery agent. It does
10810 not apply when mail is delivered with a different mail delivery pro‐
10811 gram.
10812
10813 In a lookup table, specify a left-hand side of "@domain.tld" to match
10814 any user in the specified domain that does not have a specific
10815 "user@domain.tld" entry.
10816
10817 When a recipient address has an optional address extension
10818 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
10819 address first, and when the lookup fails, it looks up the unextended
10820 address (user@domain.tld).
10821
10822 Note 1: for security reasons, the virtual(8) delivery agent disallows
10823 regular expression substitution of $1 etc. in regular expression lookup
10824 tables: the lookup key is a recipient address chosen by the remote
10825 sender, so a substituted result would let the sender pick the group ID.
10826 
10827 Note 2: for security reasons, the virtual(8) delivery agent will
10828 silently ignore requests to use the proxymap(8) server and will open
10829 the table directly instead: the result decides the group ID used for
10830 delivery and must not come from a less trusted lookup service. Before
10831 Postfix version 2.2, the virtual(8) delivery agent will terminate with a
10832 fatal error.
10830
10832 A prefix that the virtual(8) delivery agent prepends to all pathname
10833 results from $virtual_mailbox_maps table lookups. This is a safety
10834 measure to ensure that an out of control map doesn't litter the file
10835 system with mailboxes. While virtual_mailbox_base could be set to "/",
10836 this setting isn't recommended.
10837
10838 This parameter is specific to the virtual(8) delivery agent. It does
10839 not apply when mail is delivered with a different mail delivery pro‐
10840 gram.
10841
10842 Example:
10843
10844 virtual_mailbox_base = /var/mail
10845
10847 Postfix is final destination for the specified list of domains; mail is
10848 delivered via the $virtual_transport mail delivery transport. By
10849 default this is the Postfix virtual(8) delivery agent. The SMTP server
10850 validates recipient addresses with $virtual_mailbox_maps and rejects
10851 mail for non-existent recipients. See also the virtual mailbox domain
10852 class in the ADDRESS_CLASS_README file.
10853
10854 This parameter expects the same syntax as the mydestination configura‐
10855 tion parameter.
10856
10857 This feature is available in Postfix 2.0 and later. The default value
10858 is backwards compatible with Postfix version 1.1.
10859
10861 The maximal size in bytes of an individual virtual(8) mailbox or
10862 maildir file, or zero (no limit).
10863
10864 This parameter is specific to the virtual(8) delivery agent. It does
10865 not apply when mail is delivered with a different mail delivery pro‐
10866 gram.
10867
10869 How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
10870 For a list of available file locking methods, use the "postconf -l"
10871 command.
10872
10873 This parameter is specific to the virtual(8) delivery agent. It does
10874 not apply when mail is delivered with a different mail delivery pro‐
10875 gram.
10876
10877 This setting is ignored with maildir style delivery, because such
10878 deliveries are safe without application-level locks.
10879
10880 Note 1: the dotlock method requires that the recipient UID or GID has
10881 write access to the parent directory of the recipient's mailbox file.
10882
10883 Note 2: the default setting of this parameter is system dependent.
10884
10886 Optional lookup tables with all valid addresses in the domains that
10887 match $virtual_mailbox_domains.
10888
10889 In a lookup table, specify a left-hand side of "@domain.tld" to match
10890 any user in the specified domain that does not have a specific
10891 "user@domain.tld" entry.
10892
10893 The remainder of this text is specific to the virtual(8) delivery
10894 agent. It does not apply when mail is delivered with a different mail
10895 delivery program.
10896
10897 The virtual(8) delivery agent uses this table to look up the per-recip‐
10898 ient mailbox or maildir pathname. If the lookup result ends in a slash
10899 ("/"), maildir-style delivery is carried out, otherwise the path is
10900 assumed to specify a UNIX-style mailbox file. Note that
10901 $virtual_mailbox_base is unconditionally prepended to this path.
10902
10903 When a recipient address has an optional address extension
10904 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
10905 address first, and when the lookup fails, it looks up the unextended
10906 address (user@domain.tld).
10907
10908 Note 1: for security reasons, the virtual(8) delivery agent disallows
10909 regular expression substitution of $1 etc. in regular expression lookup
10910 tables: the lookup key is a recipient address chosen by the remote
10911 sender, so a substituted result would let the sender choose part of
10912 the mailbox pathname.
10913 
10914 Note 2: for security reasons, the virtual(8) delivery agent will
10915 silently ignore requests to use the proxymap(8) server and will open
10916 the table directly instead: the result decides where mail is written
10917 and must not come from a less trusted lookup service. Before Postfix
10918 version 2.2, the virtual(8) delivery agent will terminate with a fatal
10919 error.
10916
10918 Optional lookup tables with a) names of domains for which all addresses
10919 are aliased to addresses in other local or remote domains, and b)
10920 addresses that are aliased to addresses in other local or remote
10921 domains. Available before Postfix version 2.0. With Postfix version
10922 2.0 and later, this is replaced by separate controls:
10923 virtual_alias_domains and virtual_alias_maps.
10924
10926 The minimum user ID value that the virtual(8) delivery agent accepts as
10927 a result from $virtual_uid_maps table lookup. Returned values less
10928 than this will be rejected, and the message will be deferred.
10929
10930 This parameter is specific to the virtual(8) delivery agent. It does
10931 not apply when mail is delivered with a different mail delivery pro‐
10932 gram.
10933
10935 The default mail delivery transport and next-hop destination for final
10936 delivery to domains listed with $virtual_mailbox_domains. This infor‐
10937 mation can be overruled with the transport(5) table.
10938
10939 Specify a string of the form transport:nexthop, where transport is the
10940 name of a mail delivery transport defined in master.cf. The :nexthop
10941 destination is optional; its syntax is documented in the manual page of
10942 the corresponding delivery agent.
10943
10944 This feature is available in Postfix 2.0 and later.
10945
10947 Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
10948 ery agent uses while writing to the recipient's mailbox.
10949
10950 This parameter is specific to the virtual(8) delivery agent. It does
10951 not apply when mail is delivered with a different mail delivery pro‐
10952 gram.
10953
10954 In a lookup table, specify a left-hand side of "@domain.tld" to match
10955 any user in the specified domain that does not have a specific
10956 "user@domain.tld" entry.
10957
10958 When a recipient address has an optional address extension
10959 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
10960 address first, and when the lookup fails, it looks up the unextended
10961 address (user@domain.tld).
10962
10963 Note 1: for security reasons, the virtual(8) delivery agent disallows
10964 regular expression substitution of $1 etc. in regular expression lookup
10965 tables: the lookup key is a recipient address chosen by the remote
10966 sender, so a substituted result would let the sender pick the user ID
10967 under which the mailbox is written.
10968 
10969 Note 2: for security reasons, the virtual(8) delivery agent will
10970 silently ignore requests to use the proxymap(8) server and will open
10971 the table directly instead: the result decides the user ID used for
10972 delivery and must not come from a less trusted lookup service. Before
10973 Postfix version 2.2, the virtual(8) delivery agent will terminate with a
10974 fatal error.
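
The virtual_mailbox_maps, virtual_mailbox_base, virtual_uid_maps, virtual_gid_maps and virtual_minimum_uid descriptions above all feed one decision in virtual(8): which file is written, and as which user and group. The following Python model, added for this page and not Postfix code, carries a recipient through that decision with the documented lookup order (full address, unextended address, "@domain.tld"), the trailing-slash maildir rule, the unconditional virtual_mailbox_base prefix and the virtual_minimum_uid check. Two things are assumptions of the example rather than documented behaviour: the containment check that refuses a table result which climbs out of virtual_mailbox_base with "..", and the treatment of a missing uid/gid entry as a deferral. The recipient delimiter "+", a non-empty absolute virtual_mailbox_base, and the sample tables are constructed for the example.

```python
"""How virtual(8) turns a recipient into a mailbox path and UID/GID.
Added illustration; the path containment check is an extra hardening step
that this page does not describe."""
import posixpath
from dataclasses import dataclass


class DeliveryDeferred(Exception):
    """Modelled outcome when the lookups do not yield a usable result."""


@dataclass
class MailboxTarget:
    path: str        # absolute path under virtual_mailbox_base
    maildir: bool    # True when the table result ended in "/"
    uid: int
    gid: int


def virtual_lookup(table, address, delimiter="+"):
    """Lookup order used by virtual(8): the full address, then the address
    with the extension stripped, then the "@domain.tld" catch-all entry."""
    local, _, domain = address.rpartition("@")
    keys = [address]
    if delimiter in local:
        keys.append(local.split(delimiter, 1)[0] + "@" + domain)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return table[key]
    return None


def resolve_mailbox(address, mailbox_maps, uid_maps, gid_maps,
                    mailbox_base="/var/mail", minimum_uid=100):
    """Return a MailboxTarget for address, or raise DeliveryDeferred."""
    result = virtual_lookup(mailbox_maps, address)
    if result is None:
        # smtpd rejects such recipients earlier; modelled here as a deferral.
        raise DeliveryDeferred(f"{address}: no virtual_mailbox_maps entry")
    maildir = result.endswith("/")
    raw_path = f"{mailbox_base}/{result}"            # base is prepended unconditionally
    path = posixpath.normpath(raw_path)
    base = posixpath.normpath(mailbox_base)
    # Added check (assumption, not documented behaviour): a table result with
    # ".." components would otherwise escape virtual_mailbox_base.
    if path != base and not path.startswith(base + "/"):
        raise DeliveryDeferred(f"{address}: mailbox path {raw_path!r} escapes {mailbox_base}")
    uid = virtual_lookup(uid_maps, address)
    gid = virtual_lookup(gid_maps, address)
    if uid is None or gid is None:
        raise DeliveryDeferred(f"{address}: no uid/gid mapping")   # assumption: deferred
    uid, gid = int(uid), int(gid)
    if uid < minimum_uid:                            # virtual_minimum_uid: defer, never deliver
        raise DeliveryDeferred(f"{address}: uid {uid} below virtual_minimum_uid {minimum_uid}")
    return MailboxTarget(path, maildir, uid, gid)


def delivery_status(address, **kw):
    """Return ("ok", MailboxTarget) or ("deferred", reason) for offline checks."""
    try:
        return ("ok", resolve_mailbox(address, **kw))
    except DeliveryDeferred as err:
        return ("deferred", str(err))


# Constructed sample tables (dict stand-ins for hash: tables; values are the
# strings a real table would return).
MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",       # Maildir (trailing slash)
    "@example.com": "example.com/catch-all",         # UNIX mailbox for everyone else
    "evil@example.com": "../../etc/passwd",          # what an out-of-control map might return
}
UID_MAPS = {"@example.com": "5000", "root@example.com": "0"}
GID_MAPS = {"@example.com": "5000"}
```

Run delivery_status("alice+tag@example.com", mailbox_maps=MAILBOX_MAPS, uid_maps=UID_MAPS, gid_maps=GID_MAPS) to see the extension fallback and the prefixing at work; the "evil" and "root" entries show why the base directory and the minimum UID exist, and why a catch-all "@example.com" entry in the uid/gid tables needs the same care as the mailbox table.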
10971
10973 postconf(1), Postfix configuration parameter maintenance
10974 master(5), Postfix daemon configuration maintenance
10975
10977 The Secure Mailer license must be distributed with this software.
10978
10980 Wietse Venema
10981 IBM T.J. Watson Research
10982 P.O. Box 704
10983 Yorktown Heights, NY 10598, USA
10984