POSTCONF(5)                    File Formats Manual                   POSTCONF(5)

NAME
       postconf - Postfix configuration parameters

SYNOPSIS
       postconf parameter ...

       postconf -e "parameter=value" ...

DESCRIPTION
       The Postfix main.cf configuration file specifies parameters that control the operation of the Postfix mail system. Typically the file contains only a small subset of all parameters; parameters not specified are left at their default values.

       The general format of the main.cf file is as follows:

       ·      Each logical line has the form "parameter = value". Whitespace around the "=" is ignored, as is whitespace at the end of a logical line.

       ·      Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a `#'.

       ·      A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line.

       ·      A parameter value may refer to other parameters.

              ·      The expressions "$name" and "${name}" are recursively replaced with the value of the named parameter. The parameter name must contain only characters from the set [a-zA-Z0-9_]. An undefined parameter value is replaced with the empty value.

              ·      The expressions "${name?value}" and "${name?{value}}" are replaced with "value" when "$name" is non-empty. The parameter name must contain only characters from the set [a-zA-Z0-9_]. These forms are supported with Postfix versions >= 2.2 and >= 3.0, respectively.

              ·      The expressions "${name:value}" and "${name:{value}}" are replaced with "value" when "$name" is empty. The parameter name must contain only characters from the set [a-zA-Z0-9_]. These forms are supported with Postfix versions >= 2.2 and >= 3.0, respectively.

              ·      The expression "${name?{value1}:{value2}}" is replaced with "value1" when "$name" is non-empty, and with "value2" when "$name" is empty. The "{}" is required for "value1", optional for "value2". The parameter name must contain only characters from the set [a-zA-Z0-9_]. This form is supported with Postfix versions >= 3.0.

              ·      The first item inside "${...}" may be a relational expression of the form: "{value3} == {value4}". Besides the "==" (equality) operator Postfix supports "!=" (inequality), "<", "<=", ">=", and ">". The comparison is numerical when both operands are all digits, otherwise the comparison is lexicographical. These forms are supported with Postfix versions >= 3.0.

              ·      Each "value" is subject to recursive named parameter and relational expression evaluation, except where noted.

              ·      Whitespace before or after each "{value}" is ignored.

              ·      Specify "$$" to produce a single "$" character.

              ·      The legacy form "$(...)" is equivalent to the preferred form "${...}".

       ·      When the same parameter is defined multiple times, only the last instance is remembered.

       ·      Otherwise, the order of main.cf parameter definitions does not matter.

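       The following is an added example, not part of the postconf(5) page or of Postfix's own code: a small Python model of the main.cf format and expansion rules listed above (continuation lines, last-definition-wins, "$name", "${name?...}", "${name:...}", "${name?{v1}:{v2}}", relational "{a} op {b}" tests, "$$" and the legacy "$(...)" form). The function names and the sample main.cf are constructed for the demonstration; the model treats "$name" as non-empty when its fully expanded value is non-empty.

```python
"""Model of main.cf parsing and $name / ${...} expansion (added example, not Postfix code)."""
import re
NAME_RE = re.compile(r"[A-Za-z0-9_]+")
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, "<=": lambda a, b: a <= b,
       ">=": lambda a, b: a >= b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def parse_main_cf(text):
    """{name: raw value}: blank/'#' lines skipped, indented lines continue, last wins."""
    params, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and cur is not None:     # continuation line
            params[cur] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        cur = name.strip(); params[cur] = value.strip()
    return params

def _matching(s, i):
    """Index of the bracket closing the '{' or '(' at s[i]."""
    opener, closer, depth = s[i], {"{": "}", "(": ")"}[s[i]], 0
    for j in range(i, len(s)):
        depth += (s[j] == opener) - (s[j] == closer)
        if depth == 0:
            return j
    raise ValueError("unbalanced %r in %r" % (opener, s))

def _operand(s, i):
    """'{value}' (whitespace around it ignored) or the rest of s; returns (value, end)."""
    while i < len(s) and s[i].isspace():
        i += 1
    if i < len(s) and s[i] == "{":
        j = _matching(s, i)
        return s[i + 1:j].strip(), j + 1
    return s[i:], len(s)

def expand(value, params):
    """Recursively expand $name, ${...}, legacy $(...) and $$; undefined names expand to ""."""
    out, i = [], 0
    while i < len(value):
        nxt = value[i + 1:i + 2]
        if value[i] != "$":
            out.append(value[i]); i += 1
        elif nxt == "$":                             # "$$" -> literal "$"
            out.append("$"); i += 2
        elif nxt in ("{", "("):                      # ${...} or $(...)
            j = _matching(value, i + 1)
            out.append(_braced(value[i + 2:j], params)); i = j + 1
        elif m := NAME_RE.match(value, i + 1):       # bare $name
            out.append(expand(params.get(m.group(), ""), params)); i = m.end()
        else:                                        # a lone "$" is kept
            out.append("$"); i += 1
    return "".join(out)

def _braced(body, params):
    """Inside of ${...}: a name or "{a} op {b}" test, then optional ?value / :value."""
    body = body.strip()
    if body.startswith("{"):                         # relational expression
        left, i = _operand(body, 0)
        rest = body[i:].lstrip()
        op = next((o for o in OPS if rest.startswith(o)), None)
        if op is None:
            raise ValueError("bad relational expression: ${%s}" % body)
        right, i = _operand(rest, len(op))
        a, b = expand(left, params), expand(right, params)
        if a.isdecimal() and b.isdecimal():          # numeric, else lexicographic
            a, b = int(a), int(b)
        cond, plain, tail = OPS[op](a, b), None, rest[i:].lstrip()
    else:
        m = NAME_RE.match(body)
        if not m:
            raise ValueError("bad parameter reference: ${%s}" % body)
        plain = expand(params.get(m.group(), ""), params)
        cond, tail = plain != "", body[m.end():].lstrip()
    if not tail:                                     # plain ${name}
        if plain is None:
            raise ValueError("relational expression needs '?' or ':'")
        return plain
    if tail[0] == "?":                               # ?{v1} with optional :{v2}
        yes, i = _operand(tail, 1)
        after = tail[i:].lstrip()
        no = _operand(after, 1)[0] if after.startswith(":") else ""
        return expand(yes if cond else no, params)
    if tail[0] == ":":                               # ${name:value}
        return "" if cond else expand(_operand(tail, 1)[0], params)
    raise ValueError("unexpected text in ${%s}" % body)

# Constructed sample main.cf, not a real site's configuration.
MAIN_CF = """\
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8,
    [::1]/128
smtpd_tls_security_level = may
mail_version_major = 3
myorigin = $myhostname
"""
```

       With the sample above, expand("$myorigin", parse_main_cf(MAIN_CF)) yields "mail.example.com" because the second myorigin definition wins.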
       The remainder of this document is a description of all Postfix configuration parameters. Default values are shown after the parameter name in parentheses, and can be looked up with the "postconf -d" command.

       Note: this is not an invitation to make changes to Postfix configuration parameters. Unnecessary changes can impair the operation of the mail system.

2bounce_notice_recipient (default: postmaster)
       The recipient of undeliverable mail that cannot be returned to the sender. This feature is enabled with the notify_classes parameter.

access_map_defer_code (default: 450)
       The numerical Postfix SMTP server response code for an access(5) map "defer" action, including "defer_if_permit" or "defer_if_reject". Prior to Postfix 2.6, the response is hard-coded as "450".

       Do not change this unless you have a complete understanding of RFC 5321.

       This feature is available in Postfix 2.6 and later.

access_map_reject_code (default: 554)
       The numerical Postfix SMTP server response code for an access(5) map "reject" action.

       Do not change this unless you have a complete understanding of RFC 5321.

address_verify_cache_cleanup_interval (default: 12h)
       The amount of time between verify(8) address verification database cleanup runs. This feature requires that the database supports the "delete" and "sequence" operators. Specify a zero interval to disable database cleanup.

       After each database cleanup run, the verify(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as "partial" when the daemon terminates early after "postfix reload", "postfix stop", or no requests for $max_idle seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.7.

address_verify_default_transport (default: $default_transport)
       Overrides the default_transport parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_local_transport (default: $local_transport)
       Overrides the local_transport parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_map (default: btree:$data_directory/verify_cache)
       Lookup table for persistent address verification status storage. The table is maintained by the verify(8) service, and is opened before the process releases privileges.

       The lookup table is persistent by default (Postfix 2.7 and later). Specify an empty table name to keep the information in volatile memory which is lost after "postfix reload" or "postfix stop". This is the default with Postfix version 2.6 and earlier.

       Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover delete (NOT: truncate) the file and do "postfix reload".

       Postfix daemon processes do not use root privileges when opening this file (Postfix 2.5 and later). The file must therefore be stored under a Postfix-owned directory such as the data_directory. As a migration aid, an attempt to open the file under a non-Postfix directory is redirected to the Postfix-owned data_directory, and a warning is logged.

       Examples:

              address_verify_map = hash:/var/lib/postfix/verify
              address_verify_map = btree:/var/lib/postfix/verify

       This feature is available in Postfix 2.1 and later.

address_verify_negative_cache (default: yes)
       Enable caching of failed address verification probe results. When this feature is enabled, the cache may pollute quickly with garbage. When this feature is disabled, Postfix will generate an address probe for every lookup.

       This feature is available in Postfix 2.1 and later.

address_verify_negative_expire_time (default: 3d)
       The time after which a failed probe expires from the address verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_negative_refresh_time (default: 3h)
       The time after which a failed address verification probe needs to be refreshed.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_pending_request_limit (default: see "postconf -d" output)
       A safety limit that prevents address verification requests from overwhelming the Postfix queue. By default, the number of pending requests is limited to 1/4 of the active queue maximum size (qmgr_message_active_limit). The queue manager enforces the limit by tempfailing requests that exceed the limit. This affects only unknown addresses and inactive addresses that have expired, because the verify(8) daemon automatically refreshes an active address before it expires.

       This feature is available in Postfix 3.1 and later.

address_verify_poll_count (default: normal: 3, overload: 1)
       How many times to query the verify(8) service for the completion of an address verification request in progress.

       By default, the Postfix SMTP server polls the verify(8) service up to three times under non-overload conditions, and only once when under overload. With Postfix version 2.5 and earlier, the SMTP server always polls the verify(8) service up to three times by default.

       Specify 1 to implement a crude form of greylisting, that is, always defer the first delivery request for a new address.

       Examples:

              # Postfix <= 2.6 default
              address_verify_poll_count = 3
              # Poor man's greylisting
              address_verify_poll_count = 1

       This feature is available in Postfix 2.1 and later.

address_verify_poll_delay (default: 3s)
       The delay between queries for the completion of an address verification request in progress.

       The default polling delay is 3 seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_expire_time (default: 31d)
       The time after which a successful probe expires from the address verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_refresh_time (default: 7d)
       The time after which a successful address verification probe needs to be refreshed. The address verification status is not updated when the probe fails (optimistic caching).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

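       The following is an added example, not part of the postconf(5) page or of Postfix's own code: a Python model of how the negative/positive expire and refresh timers above interact with negative caching and optimistic caching. The timer values in SETTINGS, the class and method names, and the sample addresses are assumptions made for the demonstration; a failed refresh of a positive entry is modelled as leaving that entry untouched.

```python
"""Model of the verify(8) cache timers described above (added example, not Postfix code)."""
from dataclasses import dataclass

H, D = 3600, 86400
# Assumed settings, in seconds; check a real system with "postconf -d".
SETTINGS = {
    "negative_cache": True,        # address_verify_negative_cache
    "negative_expire": 3 * D,      # address_verify_negative_expire_time
    "negative_refresh": 3 * H,     # address_verify_negative_refresh_time
    "positive_expire": 31 * D,     # address_verify_positive_expire_time
    "positive_refresh": 7 * D,     # address_verify_positive_refresh_time
}


@dataclass
class Entry:
    ok: bool        # True: address accepted by a probe; False: probe failed
    updated: int    # epoch seconds of the last status update


class VerifyCache:
    def __init__(self, settings=SETTINGS):
        self.s, self.db = settings, {}

    def lookup(self, addr, now):
        """(status, action): status "ok" / "undeliverable" / "unknown";
        action "serve" (cached), "serve+refresh" (cached, probe in the
        background) or "probe" (no usable entry, client must wait)."""
        e = self.db.get(addr)
        if e is None:
            return "unknown", "probe"
        kind, age = ("positive" if e.ok else "negative"), now - e.updated
        if age >= self.s[kind + "_expire"]:
            del self.db[addr]                    # expired: as if never seen
            return "unknown", "probe"
        status = "ok" if e.ok else "undeliverable"
        return status, "serve+refresh" if age >= self.s[kind + "_refresh"] else "serve"

    def record(self, addr, ok, now):
        """Store a probe result. Failures are cached only when
        negative_cache is on; a failed refresh of a positive entry leaves
        that entry as it was (optimistic caching, modelled here as: no
        status and no timestamp change)."""
        old = self.db.get(addr)
        if ok:
            self.db[addr] = Entry(True, now)
        elif old is not None and old.ok:
            return                               # keep the positive entry
        elif self.s["negative_cache"]:
            self.db[addr] = Entry(False, now)
        # negative caching off: nothing stored, next lookup probes again
```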
address_verify_relay_transport (default: $relay_transport)
       Overrides the relay_transport parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_relayhost (default: $relayhost)
       Overrides the relayhost parameter setting for address verification probes. This information can be overruled with the transport(5) table.

       This feature is available in Postfix 2.1 and later.

address_verify_sender (default: $double_bounce_sender)
       The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". To avoid problems with address probes that are sent in response to address probes, the Postfix SMTP server excludes the probe sender address from all SMTPD access blocks.

       Specify an empty value (address_verify_sender =) or <> if you want to use the null sender address. Beware, some sites reject mail from <>, even though RFCs require that such addresses be accepted.

       Examples:

              address_verify_sender = <>
              address_verify_sender = postmaster@my.domain

       This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps)
       Overrides the sender_dependent_default_transport_maps parameter setting for address verification probes.

       This feature is available in Postfix 2.7 and later.

address_verify_sender_dependent_relayhost_maps (default: $sender_dependent_relayhost_maps)
       Overrides the sender_dependent_relayhost_maps parameter setting for address verification probes.

       This feature is available in Postfix 2.3 and later.

address_verify_sender_ttl (default: 0s)
       The time between changes in the time-dependent portion of address verification probe sender addresses. The time-dependent portion is appended to the localpart of the address specified with the address_verify_sender parameter. This feature is ignored when the probe sender address is the null sender, i.e. the address_verify_sender value is empty or <>.

       Historically, the probe sender address was fixed. This has caused such addresses to end up on spammer mailing lists, and has resulted in wasted network and processing resources.

       To enable time-dependent probe sender addresses, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Specify a value of at least several hours, to avoid problems with senders that use greylisting. Avoid nice TTL values, to make the result less predictable. Time units are: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.9 and later.

address_verify_service_name (default: verify)
       The name of the verify(8) address verification service. This service maintains the status of sender and/or recipient address verification probes, and generates probes on request by other Postfix processes.

address_verify_transport_maps (default: $transport_maps)
       Overrides the transport_maps parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_virtual_transport (default: $virtual_transport)
       Overrides the virtual_transport parameter setting for address verification probes.

       This feature is available in Postfix 2.1 and later.

alias_database (default: see "postconf -d" output)
       The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".

       This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.

       Examples:

              alias_database = hash:/etc/aliases
              alias_database = hash:/etc/mail/aliases

alias_maps (default: see "postconf -d" output)
       The alias databases that are used for local(8) delivery. See aliases(5) for syntax details. Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. Note: these lookups are recursive.

       The default list is system dependent. On systems with NIS, the default is to search the local alias database, then the NIS alias database.

       If you change the alias database, run "postalias /etc/aliases" (or wherever your system stores the mail alias file), or simply run "newaliases" to build the necessary DBM or DB file.

       The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole.

       The local(8) delivery agent will silently ignore requests to use the proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent will terminate with a fatal error.

       Examples:

              alias_maps = hash:/etc/aliases, nis:mail.aliases
              alias_maps = hash:/etc/aliases

allow_mail_to_commands (default: alias, forward)
       Restrict local(8) mail delivery to external commands. The default is to disallow delivery to "|command" in :include: files (see aliases(5) for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow commands in aliases(5), .forward files or in :include: files, respectively.

       Example:

              allow_mail_to_commands = alias,forward,include

allow_mail_to_files (default: alias, forward)
       Restrict local(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include: files (see aliases(5) for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow "/file/name" destinations in aliases(5), .forward files and in :include: files, respectively.

       Example:

              allow_mail_to_files = alias,forward,include

allow_min_user (default: no)
       Allow a sender or recipient address to have `-' as the first character. By default, this is not allowed, to avoid accidents with software that passes email addresses via the command line. Such software would not be able to distinguish a malicious address from a bona fide command-line option. Although this can be prevented by inserting a "--" option terminator into the command line, this is difficult to enforce consistently and globally.

       As of Postfix version 2.5, this feature is implemented by trivial-rewrite(8). With earlier versions this feature was implemented by qmgr(8) and was limited to recipient addresses only.

allow_percent_hack (default: yes)
       Enable the rewriting of the form "user%domain" to "user@domain". This is enabled by default.

       Note: as of Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches $local_header_rewrite_clients,

       ·      The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

       To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

       Example:

              allow_percent_hack = no

allow_untrusted_routing (default: no)
       Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains.

       By default, this feature is turned off. This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host which then spams it out to the world.

       This parameter also controls if non-local addresses with sender-specified routing can match Postfix access tables. By default, such addresses cannot match Postfix access tables, because the address is ambiguous.

alternate_config_directories (default: empty)
       A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter.

       This list must be specified in the default Postfix main.cf file, and will be used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

       Specify absolute pathnames, separated by comma or space. Note: $name expansion is not supported.

always_add_missing_headers (default: no)
       Always add (Resent-) From:, To:, Date: or Message-ID: headers when not present. Postfix 2.6 and later add these headers only when clients match the local_header_rewrite_clients parameter setting. Earlier Postfix versions always add these headers; this may break DKIM signatures that cover non-existent headers. The undisclosed_recipients_header parameter setting determines whether a To: header will be added.

always_bcc (default: empty)
       Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system.

       Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all down-stream software implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will be notified when the BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated after Postfix forwards mail internally, or after Postfix generates mail itself.

anvil_rate_time_unit (default: 60s)
       The time unit over which client connection rates and other rates are calculated.

       This feature is implemented by the anvil(8) service which is available in Postfix version 2.2 and later.

       The default interval is relatively short. Because of the high frequency of updates, the anvil(8) server uses volatile memory only. Thus, information is lost whenever the process terminates.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

anvil_status_update_time (default: 600s)
       How frequently the anvil(8) connection and rate limiting server logs peak usage information.

       This feature is available in Postfix 2.2 and later.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

append_at_myorigin (default: yes)
       With locally submitted mail, append the string "@$myorigin" to mail addresses without domain information. With remotely submitted mail, append the string "@$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default and must not be turned off. Postfix does not support domain-less addresses.

       Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches $local_header_rewrite_clients,

       ·      The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

       To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

append_dot_mydomain (default: Postfix >= 3.0: no, Postfix < 3.0: yes)
       With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default. If disabled, users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead.

       Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches $local_header_rewrite_clients,

       ·      The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

       To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

application_event_drain_time (default: 100s)
       How long the postkick(1) command waits for a request to enter the Postfix daemon process input buffer before giving up.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

authorized_flush_users (default: static:anyone)
       List of users who are authorized to flush the queue.

       By default, all users are allowed to flush the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

authorized_mailq_users (default: static:anyone)
       List of users who are authorized to view the queue.

       By default, all users are allowed to view the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

       Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

       This feature is available in Postfix 2.2 and later.

authorized_submit_users (default: static:anyone)
       List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

       By default, all users are allowed to submit mail. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users specify an empty list.

       Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

       Example:

              authorized_submit_users = !www, static:all

       This feature is available in Postfix 2.2 and later.

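       The following is an added example, not part of the postconf(5) page or of Postfix's own code: a Python model of the list-matching rules shared by authorized_flush_users, authorized_mailq_users and authorized_submit_users (left-to-right first match, "!pattern" exclusion, "/file/name" contents, "type:table" key matching, "unknown" for a UID missing from the password file, and the super-user/$mail_owner exception that applies to the flush and mailq lists). The password file, file contents, tables and function names are constructed for the demonstration.

```python
"""Model of how Postfix matches a login name against an authorized_*_users list (added example, not Postfix code)."""
import re

# Constructed stand-ins for the environment: the system password file,
# the contents of "/file/name" patterns, and the key sets of "type:table"
# patterns (Postfix ignores the lookup *result*; only the key match counts).
PASSWD = {0: "root", 33: "www", 1000: "alice", 1001: "bob", 1002: "intern"}
FILES = {"/etc/postfix/blocked_submitters": "www\n# constructed list\nintern\n"}
TABLES = {"hash:/etc/postfix/submit_users": {"alice", "bob"}}
MAIL_OWNER = "postfix"          # assumed $mail_owner


def login_name(uid):
    """Real UID -> login name; "unknown" when the UID is not in the password file."""
    return PASSWD.get(uid, "unknown")


def _patterns(list_value):
    """Split on commas/whitespace and replace "/file/name" by its contents;
    a "!/file/name" pattern negates every name read from that file."""
    out = []
    for pat in [p for p in re.split(r"[,\s]+", list_value.strip()) if p]:
        neg, body = pat.startswith("!"), pat.lstrip("!")
        if body.startswith("/"):
            names = [n.strip() for n in FILES.get(body, "").splitlines()]
            out += [("!" if neg else "") + n for n in names if n and not n.startswith("#")]
        else:
            out.append(pat)
    return out


def _matches(name, pattern):
    if pattern in ("static:all", "static:anyone"):   # matches every name
        return True
    if ":" in pattern:                                # "type:table": key lookup
        return name in TABLES.get(pattern, set())
    return name == pattern


def authorized(uid, list_value, privileged_ok=False):
    """True if the user may use the command. The list is matched left to
    right and the search stops at the first match; a "!pattern" match
    denies; no match denies, so an empty list denies everyone. For the
    flush/mailq lists root and $mail_owner are always granted (privileged_ok)."""
    name = login_name(uid)
    if privileged_ok and (uid == 0 or name == MAIL_OWNER):
        return True
    for pat in _patterns(list_value):
        neg = pat.startswith("!")
        if _matches(name, pat.lstrip("!")):
            return not neg
    return False
```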
authorized_verp_clients (default: $mynetworks)
       What remote SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a time with a per recipient return address.

       By default, only trusted clients are allowed to specify XVERP.

       This parameter was introduced with Postfix version 1.1. Postfix version 2.1 renamed this parameter to smtpd_authorized_verp_clients and changed the default to none.

       Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify hostnames or .domain names (the initial dot causes the domain to match any name below it), "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

       Note: IP version 6 address information must be specified inside [] in the authorized_verp_clients value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

backwards_bounce_logfile_compatibility (default: yes)
       Produce additional bounce(8) logfile records that can be read by Postfix versions before 2.0. The current and more extensible "name = value" format is needed in order to implement more sophisticated functionality.

       This feature is available in Postfix 2.1 and later.

berkeley_db_create_buffer_size (default: 16777216)
       The per-table I/O buffer size for programs that create Berkeley DB hash or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

berkeley_db_read_buffer_size (default: 131072)
       The per-table I/O buffer size for programs that read Berkeley DB hash or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

best_mx_transport (default: empty)
       Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. This happens when the local MTA is the best SMTP mail exchanger for a destination not listed in $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains. By default, the Postfix SMTP client returns such mail as undeliverable.

       Specify, for example, "best_mx_transport = local" to pass the mail from the Postfix SMTP client to the local(8) delivery agent. You can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop".

       However, this feature is expensive because it ties up a Postfix SMTP client process while the local(8) delivery agent is doing its work. It is more efficient (for Postfix) to list all hosted domains in a table or database.

biff (default: yes)
       Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".

       For compatibility reasons this feature is on by default. On systems with lots of interactive users, the biff service can be a performance drain. Specify "biff = no" in main.cf to disable.

body_checks (default: empty)
       Optional lookup tables for content inspection as specified in the body_checks(5) manual page.

       Note: with Postfix versions before 2.0, these rules inspect all content after the primary message headers.

body_checks_size_limit (default: 51200)
       How much text in a message body segment (or attachment, if you prefer to use that term) is subjected to body_checks inspection. The amount of text is limited to avoid scanning huge attachments.

       This feature is available in Postfix 2.0 and later.

bounce_notice_recipient (default: postmaster)
       The recipient of postmaster notifications with the message headers of mail that Postfix did not deliver and of SMTP conversation transcripts of mail that Postfix did not receive. This feature is enabled with the notify_classes parameter.

bounce_queue_lifetime (default: 5d)
       Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached the bounce_queue_lifetime limit. By default, this limit is the same as for regular mail.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

       Specify 0 when mail delivery should be tried only once.

       This feature is available in Postfix 2.1 and later.

bounce_service_name (default: bounce)
       The name of the bounce(8) service. This service maintains a record of failed delivery attempts and generates non-delivery notifications.

       This feature is available in Postfix 2.0 and later.

bounce_size_limit (default: 50000)
       The maximal amount of original message text that is sent in a non-delivery notification. Specify a byte count. A message is returned as either message/rfc822 (the complete original) or as text/rfc822-headers (the headers only). With Postfix version 2.4 and earlier, a message is always returned as message/rfc822 and is truncated when it exceeds the size limit.

       Notes:

       ·      If you increase this limit, then you should increase the mime_nesting_limit value proportionally.

       ·      Be careful when making changes. Excessively large values will result in the loss of non-delivery notifications, when a bounce message size exceeds a local or remote MTA's message size limit.

bounce_template_file (default: empty)
       Pathname of a configuration file with bounce message templates. These override the built-in templates of delivery status notification (DSN) messages for undeliverable mail, for delayed mail, successful delivery, or delivery verification. The bounce(5) manual page describes how to edit and test template files.

       Template message body text may contain $name references to Postfix configuration parameters. The result of $name expansion can be previewed with "postconf -b file_name" before the file is placed into the Postfix configuration directory.

       This feature is available in Postfix 2.3 and later.

775 Enable interoperability with remote SMTP clients that implement an
776 obsolete version of the AUTH command (RFC 4954). Examples of such
777 clients are MicroSoft Outlook Express version 4 and MicroSoft Exchange
778 version 5.0.
779
780 Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
781 support in a non-standard way.
782
784 header_sender, header_recipient)
785 What addresses are subject to canonical_maps address mapping. By
786 default, canonical_maps address mapping is applied to envelope sender
787 and recipient addresses, and to header sender and header recipient
788 addresses.
789
790 Specify one or more of: envelope_sender, envelope_recipient,
791 header_sender, header_recipient
792
793 This feature is available in Postfix 2.2 and later.
794
796 Optional address mapping lookup tables for message headers and
797 envelopes. The mapping is applied to both sender and recipient
798 addresses, in both envelopes and in headers, as controlled with the
799 canonical_classes parameter. This is typically used to clean up dirty
800 addresses from legacy mail systems, or to replace login names by First‐
801 name.Lastname. The table format and lookups are documented in canoni‐
802 cal(5). For an overview of Postfix address manipulations see the
803 ADDRESS_REWRITING_README document.
804
805 Specify zero or more "type:name" lookup tables, separated by whitespace
806 or comma. Tables will be searched in the specified order until a match
807 is found. Note: these lookups are recursive.
808
809 If you use this feature, run "postmap /etc/postfix/canonical" to build
810 the necessary DBM or DB file after every change. The changes will
811 become visible after a minute or so. Use "postfix reload" to eliminate
812 the delay.
813
814 Note: with Postfix version 2.2, message header address mapping happens
815 only when message header address rewriting is enabled:
816
817 · The message is received with the Postfix sendmail(1) command,
818
819 · The message is received from a network client that matches
820 $local_header_rewrite_clients,
821
822 · The message is received from the network, and the
823 remote_header_rewrite_domain parameter specifies a non-empty
824 value.
825
826 To get the behavior before Postfix version 2.2, specify
827 "local_header_rewrite_clients = static:all".
828
829 Examples:
830
831 canonical_maps = dbm:/etc/postfix/canonical
832 canonical_maps = hash:/etc/postfix/canonical
833
834 cleanup_service_name (default: cleanup)
835 The name of the cleanup(8) service. This service rewrites addresses
836 into the standard form, and performs canonical(5) address mapping and
837 virtual(5) aliasing.
838
839 This feature is available in Postfix 2.0 and later.
840
841 command_directory (default: see 'postconf -d' output)
842 The location of all postfix administrative commands.
843
844 command_execution_directory (default: empty)
845 The local(8) delivery agent working directory for delivery to external
846 command. Failure to change directory causes the delivery to be
847 deferred.
848
849 The following $name expansions are done on command_execution_directory
850 before the directory is changed. Expansion happens in the context of
851 the delivery request. The result of $name expansion is filtered with
852 the character set that is specified with the execution_directory_expan‐
853 sion_filter parameter.
854
855 $user The recipient's username.
856
857 $shell The recipient's login shell pathname.
858
859 $home The recipient's home directory.
860
861 $recipient
862 The full recipient address.
863
864 $extension
865 The optional recipient address extension.
866
867 $domain
868 The recipient domain.
869
870 $local The entire recipient localpart.
871
872 $recipient_delimiter
873 The address extension delimiter that was found in the recipient
874 address (Postfix 2.11 and later), or the system-wide recipient
875 address extension delimiter (Postfix 2.10 and earlier).
876
877 ${name?value}
878 Expands to value when $name is non-empty.
879
880 ${name:value}
881 Expands to value when $name is empty.
882
883 Instead of $name you can also specify ${name} or $(name).
884
885 This feature is available in Postfix 2.2 and later.
886
887 command_expansion_filter (default: see 'postconf -d' output)
888 Restrict the characters that the local(8) delivery agent allows in
889 $name expansions of $mailbox_command and $command_execution_directory.
890 Characters outside the allowed set are replaced by underscores.
891
892 command_time_limit (default: 1000s)
893 Time limit for delivery to external commands. This limit is used by the
894 local(8) delivery agent, and is the default time limit for delivery by
895 the pipe(8) delivery agent.
896
897 Note: if you set this time limit to a large value you must update the
898 global ipc_timeout parameter as well.
899
900 compatibility_level (default: 0)
901 A safety net that causes Postfix to run with backwards-compatible
902 default settings after an upgrade to a newer Postfix version.
903
904 With backwards compatibility turned on (the main.cf compatibility_level
905 value is less than the Postfix built-in value), Postfix looks for set‐
906 tings that are left at their implicit default value, and logs a message
907 when a backwards-compatible default setting is required.
908
909 using backwards-compatible default setting name=value
910 to [accept a specific client request]
911
912 using backwards-compatible default setting name=value
913 to [enable specific Postfix behavior]
914
915 See COMPATIBILITY_README for specific message details. If such a mes‐
916 sage is logged in the context of a legitimate request, the system
917 administrator should make the backwards-compatible setting permanent in
918 main.cf or master.cf, for example:
919
920 # postconf name=value
921 # postfix reload
922
923 When no more backwards-compatible settings need to be made permanent,
924 the administrator should turn off backwards compatibility by updating
925 the compatibility_level setting in main.cf:
926
927 # postconf compatibility_level=N
928 # postfix reload
929
930 For N specify the number that is logged in your postfix(1) warning mes‐
931 sage:
932
933 warning: To disable backwards compatibility use "postconf
934 compatibility_level=N" and "postfix reload"
935
936 This feature is available in Postfix 3.0 and later.
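The two-step procedure above, turned into a small log triage helper as an added example (not part of Postfix): it collects the "using backwards-compatible default setting" messages and the compatibility_level warning from log text and prints the postconf(1) commands to run. The sample log lines are constructed, and the syslog prefix format is an assumption.

```python
"""Collect "using backwards-compatible default setting" messages from a
Postfix log and emit the postconf(1) commands that postconf(5) tells the
administrator to run before raising compatibility_level. Added example,
not part of Postfix; the log lines are constructed and the syslog prefix
is an assumption.
"""
import re
import shlex

SETTING_RE = re.compile(
    r"using backwards-compatible default setting (\w+)=(.*?) to ")
LEVEL_RE = re.compile(
    r'To disable backwards compatibility use "postconf compatibility_level=([^"]+)"')

# Constructed sample log (not real data). The same setting is logged
# repeatedly in practice; it must be pinned only once.
SAMPLE_LOG = """\
Mar  1 10:02:11 mx1 postfix/smtpd[2231]: using backwards-compatible default setting relay_domains=$mydestination to accept mail for domain example.net
Mar  1 10:02:13 mx1 postfix/smtpd[2231]: using backwards-compatible default setting relay_domains=$mydestination to accept mail for domain example.net
Mar  1 10:03:40 mx1 postfix/local[2240]: using backwards-compatible default setting append_dot_mydomain=yes to rewrite "user@host" to "user@host.example.com"
Mar  1 10:03:41 mx1 postfix/master[1987]: warning: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
Mar  1 10:04:02 mx1 postfix/qmgr[1990]: 3F2A1C0E2: from=<alice@example.com>, size=1204, nrcpt=1 (queue active)
"""


def parse_compat_log(text):
    """Return ({name: value}, level). Each name keeps the first value seen;
    level is the compatibility_level named in the warning, or None."""
    settings, level = {}, None
    for line in text.splitlines():
        m = SETTING_RE.search(line)
        if m:
            settings.setdefault(m.group(1), m.group(2))
            continue
        m = LEVEL_RE.search(line)
        if m:
            level = m.group(1)
    return settings, level


def postconf_commands(settings, level):
    """The two steps from postconf(5): pin every setting that was relied
    upon (quoted so the shell leaves "$mydestination" alone), reload, then
    raise compatibility_level and reload again. Whether each logged setting
    served a legitimate request is still the administrator's call."""
    cmds = ["postconf " + shlex.quote("%s=%s" % (k, v))
            for k, v in settings.items()]
    if cmds:
        cmds.append("postfix reload")
    if level is not None:
        cmds += ["postconf compatibility_level=" + level, "postfix reload"]
    return cmds


if __name__ == "__main__":
    found, lvl = parse_compat_log(SAMPLE_LOG)
    print("\n".join(postconf_commands(found, lvl)))
```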
937
938 config_directory (default: see 'postconf -d' output)
939 The default location of the Postfix main.cf and master.cf configuration
940 files. This can be overruled via the following mechanisms:
941
942 · The MAIL_CONFIG environment variable (daemon processes and com‐
943 mands).
944
945 · The "-c" command-line option (commands only).
946
947 With Postfix commands that run with set-gid privileges, a config_direc‐
948 tory override requires either root privileges, or it requires that the
949 directory is listed with the alternate_config_directories parameter in
950 the default main.cf file.
951
952 confirm_delay_cleared (default: no)
953 After sending a "your message is delayed" notification, inform the
954 sender when the delay clears up. This can result in a sudden burst of
955 notifications at the end of a prolonged network outage, and is there‐
956 fore disabled by default.
957
958 See also: delay_warning_time.
959
960 This feature is available in Postfix 3.0 and later.
961
962 connection_cache_protocol_timeout (default: 5s)
963 Time limit for connection cache connect, send or receive operations.
964 The time limit is enforced in the client.
965
966 This feature is available in Postfix 2.3 and later.
967
968 connection_cache_service_name (default: scache)
969 The name of the scache(8) connection cache service. This service main‐
970 tains a limited pool of cached sessions.
971
972 This feature is available in Postfix 2.2 and later.
973
974 connection_cache_status_update_time (default: 600s)
975 How frequently the scache(8) server logs usage statistics with connec‐
976 tion cache hit and miss rates for logical destinations and for physical
977 endpoints.
978
979 connection_cache_ttl_limit (default: 2s)
980 The maximal time-to-live value that the scache(8) connection cache
981 server allows. Requests that specify a larger TTL will be stored with
982 the maximum allowed TTL. The purpose of this additional control is to
983 protect the infrastructure against careless people. The cache TTL is
984 already bounded by $max_idle.
985
986 content_filter (default: empty)
987 After the message is queued, send the entire message to the specified
988 transport:destination. The transport name specifies the first field of
989 a mail delivery agent definition in master.cf; the syntax of the
990 next-hop destination is described in the manual page of the correspond‐
991 ing delivery agent. More information about external content filters is
992 in the Postfix FILTER_README file.
993
994 Notes:
995
996 · This setting has lower precedence than a FILTER action that is
997 specified in an access(5), header_checks(5) or body_checks(5)
998 table.
999
1000 · The meaning of an empty next-hop filter destination is version
1001 dependent. Postfix 2.7 and later will use the recipient domain;
1002 earlier versions will use $myhostname. Specify "default_fil‐
1003 ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1004 earlier, or specify a content_filter value with an explicit
1005 next-hop destination.
1006
1007 cyrus_sasl_config_path (default: empty)
1008 Search path for Cyrus SASL application configuration files, currently
1009 used only to locate the $smtpd_sasl_path.conf file. Specify zero or
1010 more directories separated by a colon character, or an empty value to
1011 use Cyrus SASL's built-in search path.
1012
1013 This feature is available in Postfix 2.5 and later when compiled with
1014 Cyrus SASL 2.1.22 or later.
1015
1016 daemon_directory (default: see 'postconf -d' output)
1017 The directory with Postfix support programs and daemon programs. These
1018 should not be invoked directly by humans. The directory must be owned
1019 by root.
1020
1021 daemon_table_open_error_is_fatal (default: no)
1022 How a Postfix daemon process handles errors while opening lookup
1023 tables: gradual degradation or immediate termination.
1024
1025 no (default)
1026 Gradual degradation: a daemon process logs a message of type
1027 "error" and continues execution with reduced functionality. Fea‐
1028 tures that do not depend on the unavailable table will work nor‐
1029 mally, while features that depend on the table will result in a
1030 type "warning" message.
1031 When the notify_classes parameter value contains the "data"
1032 class, the Postfix SMTP server and client will report tran‐
1033 scripts of sessions with an error because a table is unavail‐
1034 able.
1035
1036 yes (historical behavior)
1037 Immediate termination: a daemon process logs a type "fatal" mes‐
1038 sage and terminates immediately. This option reduces the number
1039 of possible code paths through Postfix, and may therefore be
1040 slightly more secure than the default.
1041
1042 For the sake of sanity, the number of type "error" messages is limited
1043 to 13 over the lifetime of a daemon process.
1044
1045 This feature is available in Postfix 2.9 and later.
1046
1047 daemon_timeout (default: 18000s)
1048 How much time a Postfix daemon process may take to handle a request
1049 before it is terminated by a built-in watchdog timer.
1050
1051 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1052 The default time unit is s (seconds).
1053
1054 data_directory (default: see 'postconf -d' output)
1055 The directory with Postfix-writable data files (for example: caches,
1056 pseudo-random numbers). This directory must be owned by the mail_owner
1057 account, and must not be shared with non-Postfix software.
1058
1059 This feature is available in Postfix 2.5 and later.
1060
1061 debug_peer_level (default: 2)
1062 The increment in verbose logging level when a remote client or server
1063 matches a pattern in the debug_peer_list parameter.
1064
1065 debug_peer_list (default: empty)
1066 Optional list of remote client or server hostname or network address
1067 patterns that cause the verbose logging level to increase by the amount
1068 specified in $debug_peer_level.
1069
1070 Specify domain names, network/netmask patterns, "/file/name" patterns
1071 or "type:table" lookup tables. The right-hand side result from
1072 "type:table" lookups is ignored.
1073
1074 Pattern matching of domain names is controlled by the presence or
1075 absence of "debug_peer_list" in the parent_domain_matches_subdomains
1076 parameter value.
1077
1078 Examples:
1079
1080 debug_peer_list = 127.0.0.1
1081 debug_peer_list = example.com
1082
1083 debugger_command (default: empty)
1084 The external command to execute when a Postfix daemon program is
1085 invoked with the -D option.
1086
1087 Use "command .. & sleep 5" so that the debugger can attach before the
1088 process marches on. If you use an X-based debugger, be sure to set up
1089 your XAUTHORITY environment variable before starting Postfix.
1090
1091 Note: the command is subject to $name expansion, before it is passed to
1092 the default command interpreter. Specify "$$" to produce a single "$"
1093 character.
1094
1095 Example:
1096
1097 debugger_command =
1098 PATH=/usr/bin:/usr/X11R6/bin
1099 ddd $daemon_directory/$process_name $process_id & sleep 5
1100
1101 default_database_type (default: see 'postconf -d' output)
1102 The default database type for use in newaliases(1), postalias(1) and
1103 postmap(1) commands. On many UNIX systems the default type is either
1104 dbm or hash. The default setting is frozen when the Postfix system is
1105 built.
1106
1107 Examples:
1108
1109 default_database_type = hash
1110 default_database_type = dbm
1111
1112 default_delivery_slot_cost (default: 5)
1113 How often the Postfix queue manager's scheduler is allowed to preempt
1114 delivery of one message with another.
1115
1116 Each transport maintains a so-called "available delivery slot counter"
1117 for each message. One message can be preempted by another one when the
1118 other message can be delivered using no more delivery slots (i.e.,
1119 invocations of delivery agents) than the current message's counter has
1120 accumulated (or will eventually accumulate; see the delivery slot loan
1121 and discount parameters below). This parameter controls how often the
1122 counter is incremented: it happens after each default_delivery_slot_cost
1123 recipients have been delivered.
1124
1125 The cost of 0 is used to disable the preempting scheduling completely.
1126 The minimum value the scheduling algorithm can use is 2 - use it if you
1127 want to maximize the message throughput rate. Although there is no max‐
1128 imum, it doesn't make much sense to use values above say 50.
1129
1130 The only reason why the value of 2 is not the default is the way this
1131 parameter affects the delivery of mailing-list mail. In the worst case,
1132 their delivery can take somewhere between (cost+1)/cost and
1133 cost/(cost-1) times longer than if the preemptive scheduler was disabled.
1134 The default value of 5 turns out to provide reasonable message response
1135 times while making sure the mailing-list deliveries are not extended by
1136 more than 20-25 percent even in the worst case.
1137
1138 Use transport_delivery_slot_cost to specify a transport-specific over‐
1139 ride, where transport is the master.cf name of the message delivery
1140 transport.
1141
1142 Examples:
1143
1144 default_delivery_slot_cost = 0
1145 default_delivery_slot_cost = 2
1146
1147 default_delivery_slot_discount (default: 50)
1148 The default value for transport-specific _delivery_slot_discount set‐
1149 tings.
1150
1151 This parameter speeds up the moment when a message preemption can hap‐
1152 pen. Instead of waiting until the full amount of delivery slots
1153 required is available, the preemption can happen when transport_deliv‐
1154 ery_slot_discount percent of the required amount plus transport_deliv‐
1155 ery_slot_loan still remains to be accumulated. Note that the full
1156 amount will still have to be accumulated before another preemption can
1157 take place later.
1158
1159 Use transport_delivery_slot_discount to specify a transport-specific
1160 override, where transport is the master.cf name of the message delivery
1161 transport.
1162
1163 default_delivery_slot_loan (default: 3)
1164 The default value for transport-specific _delivery_slot_loan settings.
1165
1166 This parameter speeds up the moment when a message preemption can hap‐
1167 pen. Instead of waiting until the full amount of delivery slots
1168 required is available, the preemption can happen when transport_deliv‐
1169 ery_slot_discount percent of the required amount plus transport_deliv‐
1170 ery_slot_loan still remains to be accumulated. Note that the full
1171 amount will still have to be accumulated before another preemption can
1172 take place later.
1173
1174 Use transport_delivery_slot_loan to specify a transport-specific over‐
1175 ride, where transport is the master.cf name of the message delivery
1176 transport.
1177
1178 default_delivery_status_filter (default: empty)
1179 Optional filter to replace the delivery status code or explanatory text
1180 of successful or unsuccessful deliveries. This does not allow the
1181 replacement of a successful status code (2.X.X) with an unsuccessful
1182 status code (4.X.X or 5.X.X) or vice versa.
1183
1184 Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
1185 recipient: when delivery is successful, when delivery is rejected with
1186 5XX, or when there are no more alternate MX or A destinations. Use
1187 smtp_reply_filter or lmtp_reply_filter to inspect responses for all
1188 delivery attempts.
1189
1190 The following parameters can be used to implement a filter for specific
1191 delivery agents: lmtp_delivery_status_filter, local_delivery_sta‐
1192 tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1193 virtual_delivery_status_filter. These parameters support the same fil‐
1194 ter syntax as described here.
1195
1196 Specify zero or more "type:table" lookup table names, separated by
1197 comma or whitespace. For each successful or unsuccessful delivery to a
1198 recipient, the tables are queried in the specified order with one line
1199 of text that is structured as follows:
1200
1201 enhanced-status-code SPACE explanatory-text
1202
1203 The first table match wins. The lookup result must have the same struc‐
1204 ture as the query, a successful status code (2.X.X) must be replaced
1205 with a successful status code, an unsuccessful status code (4.X.X or
1206 5.X.X) must be replaced with an unsuccessful status code, and the
1207 explanatory text field must be non-empty. Other results will result in
1208 a warning.
1209
1210 Example 1: convert specific soft TLS errors into hard errors, by over‐
1211 riding the first number in the enhanced status code.
1212
1213 /etc/postfix/main.cf:
1214 smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
1215
1216 /etc/postfix/smtp_dsn_filter:
1217 /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
1218 5$1
1219 /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
1220 5$1
1221 # Do not change the following into hard bounces. They may
1222 # result from a local configuration problem.
1223 # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
1224 # 4.\d+.\d+ TLS is required, but unavailable
1225 # 4.\d+.\d+ Cannot start TLS: handshake failure
1226
1227 Example 2: censor the per-recipient delivery status text so that it
1228 does not reveal the destination command or filename when a remote
1229 sender requests confirmation of successful delivery.
1230
1231 /etc/postfix/main.cf:
1232 local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
1233
1234 /etc/postfix/local_dsn_filter:
1235 /^(2\S+ delivered to file).+/ $1
1236 /^(2\S+ delivered to command).+/ $1
1237
1238 Notes:
1239
1240 · This feature will NOT override the soft_bounce safety net.
1241
1242 · This feature will change the enhanced status code and text that
1243 is logged to the maillog file, and that is reported to the
1244 sender in delivery confirmation or non-delivery notifications.
1245
1246 This feature is available in Postfix 3.0 and later.
1247
1248 default_destination_concurrency_failed_cohort_limit (default: 1)
1249 How many pseudo-cohorts must suffer connection or handshake failure
1250 before a specific destination is considered unavailable (and further
1251 delivery is suspended). Specify zero to disable this feature. A desti‐
1252 nation's pseudo-cohort failure count is reset each time a delivery com‐
1253 pletes without connection or handshake failure for that specific desti‐
1254 nation.
1255
1256 A pseudo-cohort is the number of deliveries equal to a destination's
1257 delivery concurrency.
1258
1259 Use transport_destination_concurrency_failed_cohort_limit to specify a
1260 transport-specific override, where transport is the master.cf name of
1261 the message delivery transport.
1262
1263 This feature is available in Postfix 2.5. The default setting is com‐
1264 patible with earlier Postfix versions.
1265
1266 default_destination_concurrency_limit (default: 20)
1267 The default maximal number of parallel deliveries to the same destina‐
1268 tion. This is the default limit for delivery via the lmtp(8), pipe(8),
1269 smtp(8) and virtual(8) delivery agents. With per-destination recipient
1270 limit > 1, a destination is a domain, otherwise it is a recipient.
1271
1272 Use transport_destination_concurrency_limit to specify a transport-spe‐
1273 cific override, where transport is the master.cf name of the message
1274 delivery transport.
1275
1276 default_destination_concurrency_negative_feedback (default: 1)
1277 The per-destination amount of delivery concurrency negative feedback,
1278 after a delivery completes with a connection or handshake failure.
1279 Feedback values are in the range 0..1 inclusive. With negative feed‐
1280 back, concurrency is decremented at the beginning of a sequence of
1281 length 1/feedback. This is unlike positive feedback, where concurrency
1282 is incremented at the end of a sequence of length 1/feedback.
1283
1284 As of Postfix version 2.5, negative feedback cannot reduce delivery
1285 concurrency to zero. Instead, a destination is marked dead (further
1286 delivery suspended) after the failed pseudo-cohort count reaches
1287 $default_destination_concurrency_failed_cohort_limit (or $trans‐
1288 port_destination_concurrency_failed_cohort_limit). To make the sched‐
1289 uler completely immune to connection or handshake failures, specify a
1290 zero feedback value and a zero failed pseudo-cohort limit.
1291
1292 Specify one of the following forms:
1293
1294 number
1295
1296 number / number
1297 Constant feedback. The value must be in the range 0..1 inclu‐
1298 sive. The default setting of "1" is compatible with Postfix
1299 versions before 2.5, where a destination's delivery concurrency
1300 is throttled down to zero (and further delivery suspended) after
1301 a single failed pseudo-cohort.
1302
1303 number / concurrency
1304 Variable feedback of "number / (delivery concurrency)". The
1305 number must be in the range 0..1 inclusive. With number equal to
1306 "1", a destination's delivery concurrency is decremented by 1
1307 after each failed pseudo-cohort.
1308
1309 A pseudo-cohort is the number of deliveries equal to a destination's
1310 delivery concurrency.
1311
1312 Use transport_destination_concurrency_negative_feedback to specify a
1313 transport-specific override, where transport is the master.cf name of
1314 the message delivery transport.
1315
1316 This feature is available in Postfix 2.5. The default setting is com‐
1317 patible with earlier Postfix versions.
1318
1319 default_destination_concurrency_positive_feedback (default: 1)
1320 The per-destination amount of delivery concurrency positive feedback,
1321 after a delivery completes without connection or handshake failure.
1322 Feedback values are in the range 0..1 inclusive. The concurrency
1323 increases until it reaches the per-destination maximal concurrency
1324 limit. With positive feedback, concurrency is incremented at the end of
1325 a sequence with length 1/feedback. This is unlike negative feedback,
1326 where concurrency is decremented at the start of a sequence of length
1327 1/feedback.
1328
1329 Specify one of the following forms:
1330
1331 number
1332
1333 number / number
1334 Constant feedback. The value must be in the range 0..1 inclu‐
1335 sive. The default setting of "1" is compatible with Postfix ver‐
1336 sions before 2.5, where a destination's delivery concurrency
1337 doubles after each successful pseudo-cohort.
1338
1339 number / concurrency
1340 Variable feedback of "number / (delivery concurrency)". The
1341 number must be in the range 0..1 inclusive. With number equal to
1342 "1", a destination's delivery concurrency is incremented by 1
1343 after each successful pseudo-cohort.
1344
1345 A pseudo-cohort is the number of deliveries equal to a destination's
1346 delivery concurrency.
1347
1348 Use transport_destination_concurrency_positive_feedback to specify a
1349 transport-specific override, where transport is the master.cf name of
1350 the message delivery transport.
1351
1352 This feature is available in Postfix 2.5 and later.
1353
1354 default_destination_rate_delay (default: 0s)
1355 The default amount of delay that is inserted between individual deliv‐
1356 eries to the same destination; the resulting behavior depends on the
1357 value of the corresponding per-destination recipient limit.
1358
1359 · With a corresponding per-destination recipient limit > 1, the
1360 rate delay specifies the time between deliveries to the same
1361 domain. Different domains are delivered in parallel, subject to
1362 the process limits specified in master.cf.
1363
1364 · With a corresponding per-destination recipient limit equal to 1,
1365 the rate delay specifies the time between deliveries to the same
1366 recipient. Different recipients are delivered in parallel, sub‐
1367 ject to the process limits specified in master.cf.
1368
1369 To enable the delay, specify a non-zero time value (an integral value
1370 plus an optional one-letter suffix that specifies the time unit).
1371
1372 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1373 The default time unit is s (seconds).
1374
1375 NOTE: the delay is enforced by the queue manager. The delay timer state
1376 does not survive "postfix reload" or "postfix stop".
1377
1378 Use transport_destination_rate_delay to specify a transport-specific
1379 override, where transport is the master.cf name of the message delivery
1380 transport.
1381
1382 NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1383 tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1384 fix from deferring all mail for the same destination after only one
1385 connection or handshake error.
1386
1387 This feature is available in Postfix 2.5 and later.
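The concurrency feedback rules described for the failed-cohort limit, the negative and positive feedback parameters, and the rate-delay note just above, as an added Python model (not Postfix's scheduler code). It follows the manual's wording; the initial concurrency of 5, the concurrency limit of 20, and counting each failure against the concurrency in effect before that failure shrinks it are assumptions of the model.

```python
"""Model of the per-destination concurrency feedback that postconf(5)
documents for default_destination_concurrency_{positive,negative}_feedback
and _failed_cohort_limit. Added example, not Postfix code: it follows the
manual's wording and assumes an initial concurrency of 5 and a limit of
20; pseudo-cohort accounting uses the concurrency in effect before a
failure shrinks it (model assumption).
"""
from fractions import Fraction


def parse_feedback(spec):
    """Parse "number", "number / number" or "number / concurrency".

    Returns (value, per_concurrency). The constant part must lie in
    0..1 inclusive, as postconf(5) requires.
    """
    parts = [p.strip() for p in spec.split("/")]
    if len(parts) == 1:
        value, per_concurrency = Fraction(parts[0]), False
    elif len(parts) == 2 and parts[1] == "concurrency":
        value, per_concurrency = Fraction(parts[0]), True
    elif len(parts) == 2:
        value, per_concurrency = Fraction(parts[0]) / Fraction(parts[1]), False
    else:
        raise ValueError("bad feedback value: %r" % spec)
    if not 0 <= value <= 1:
        raise ValueError("feedback must be in the range 0..1: %r" % spec)
    return value, per_concurrency


class Destination:
    """Concurrency window of one delivery destination."""

    def __init__(self, positive="1", negative="1", failed_cohort_limit=1,
                 initial_concurrency=5, concurrency_limit=20):
        self.pos = parse_feedback(positive)
        self.neg = parse_feedback(negative)
        self.cohort_limit = failed_cohort_limit
        self.limit = concurrency_limit
        self.window = initial_concurrency
        self.success = Fraction(0)       # progress through the positive sequence
        self.failure = Fraction(0)       # progress through the negative sequence
        self.fail_cohorts = Fraction(0)  # failed pseudo-cohorts since last success
        self.dead = False                # further delivery suspended

    def _step(self, feedback):
        value, per_concurrency = feedback
        return value / self.window if per_concurrency else value

    def deliver_ok(self):
        """A delivery completed without connection or handshake failure."""
        if self.dead:
            return self.window
        self.fail_cohorts = Fraction(0)  # postconf(5): the count is reset
        self.success += self._step(self.pos)
        # Positive feedback increments at the END of a 1/feedback sequence.
        while self.success >= 1:
            self.success -= 1
            if self.window < self.limit:
                self.window += 1
        return self.window

    def deliver_failed(self):
        """A delivery failed with a connection or handshake error."""
        if self.dead:
            return self.window
        self.fail_cohorts += Fraction(1, self.window)
        step = self._step(self.neg)
        if step > 0:
            # Negative feedback decrements at the BEGINNING of a 1/feedback
            # sequence and (Postfix 2.5+) never drives concurrency below 1.
            if self.failure == 0:
                self.window = max(1, self.window - 1)
            self.failure += step
            if self.failure >= 1:
                self.failure = Fraction(0)
        if self.cohort_limit > 0 and self.fail_cohorts >= self.cohort_limit:
            self.dead = True
        return self.window


def run(dest, outcomes):
    """Apply a string of outcomes ('+' success, '-' failure) and return the
    concurrency after each one."""
    return [dest.deliver_ok() if o == "+" else dest.deliver_failed()
            for o in outcomes]


if __name__ == "__main__":
    print("defaults, 5 successes:", run(Destination(), "+++++"))
    print("1/concurrency, 5 successes:",
          run(Destination(positive="1/concurrency"), "+++++"))
```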
1388
1389 default_destination_recipient_limit (default: 50)
1390 The default maximal number of recipients per message delivery. This is
1391 the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
1392 virtual(8) delivery agents.
1393
1394 Setting this parameter to a value of 1 affects email deliveries as fol‐
1395 lows:
1396
1397 · It changes the meaning of the corresponding per-destination con‐
1398 currency limit, from concurrency of deliveries to the same
1399 domain into concurrency of deliveries to the same recipient.
1400 Different recipients are delivered in parallel, subject to the
1401 process limits specified in master.cf.
1402
1403 · It changes the meaning of the corresponding per-destination rate
1404 delay, from the delay between deliveries to the same domain into
1405 the delay between deliveries to the same recipient. Again, dif‐
1406 ferent recipients are delivered in parallel, subject to the
1407 process limits specified in master.cf.
1408
1409 · It changes the meaning of other corresponding per-destination
1410 settings in a similar manner, from settings for delivery to the
1411 same domain into settings for delivery to the same recipient.
1412
1413 Use transport_destination_recipient_limit to specify a transport-spe‐
1414 cific override, where transport is the master.cf name of the message
1415 delivery transport.
1416
1417 default_extra_recipient_limit (default: 1000)
1418 The default value for the extra per-transport limit imposed on the num‐
1419 ber of in-memory recipients. This extra recipient space is reserved
1420 for the cases when the Postfix queue manager's scheduler preempts one
1421 message with another and suddenly needs some extra recipients slots for
1422 the chosen message in order to avoid performance degradation.
1423
1424 Use transport_extra_recipient_limit to specify a transport-specific
1425 override, where transport is the master.cf name of the message delivery
1426 transport.
1427
1428 default_filter_nexthop (default: empty)
1429 When a content_filter or FILTER request specifies no explicit next-hop
1430 destination, use $default_filter_nexthop instead; when that value is
1431 empty, use the domain in the recipient address. Specify "default_fil‐
1432 ter_nexthop = $myhostname" for compatibility with Postfix version 2.6
1433 and earlier, or specify an explicit next-hop destination with each con‐
1434 tent_filter value or FILTER action.
1435
1436 This feature is available in Postfix 2.7 and later.
1437
1438 default_minimum_delivery_slots (default: 3)
1439 How many recipients a message must have in order to invoke the Postfix
1440 queue manager's scheduling algorithm at all. Messages which would
1441 never accumulate at least this many delivery slots (subject to slot
1442 cost parameter as well) are never preempted.
1443
1444 Use transport_minimum_delivery_slots to specify a transport-specific
1445 override, where transport is the master.cf name of the message delivery
1446 transport.
1447
1448 default_privs (default: nobody)
1449 The default rights used by the local(8) delivery agent for delivery to
1450 external file or command. These rights are used when delivery is
1451 requested from an aliases(5) file that is owned by root, or when deliv‐
1452 ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE
1453 POSTFIX OWNER.
1454
1455 default_process_limit (default: 100)
1456 The default maximal number of Postfix child processes that provide a
1457 given service. This limit can be overruled for specific services in the
1458 master.cf file.
1459
1460 default_rbl_reply (default: see 'postconf -d' output)
1461 The default Postfix SMTP server response template for a request that is
1462 rejected by an RBL-based restriction. This template can be overruled by
1463 specific entries in the optional rbl_reply_maps lookup table.
1464
1465 This feature is available in Postfix 2.0 and later.
1466
1467 The template is subject to exactly one level of $name substitution:
1468
1469 $client
1470 The client hostname and IP address, formatted as name[address].
1471
1472 $client_address
1473 The client IP address.
1474
1475 $client_name
1476 The client hostname or "unknown". See
1477 reject_unknown_client_hostname for more details.
1478
1479 $reverse_client_name
1480 The client hostname from address->name lookup, or "unknown".
1481 See reject_unknown_reverse_client_hostname for more details.
1482
1483 $helo_name
1484 The hostname given in HELO or EHLO command or empty string.
1485
1486 $rbl_class
1487 The blacklisted entity type: Client host, Helo command, Sender
1488 address, or Recipient address.
1489
1490 $rbl_code
1491 The numerical SMTP response code, as specified with the
1492 maps_rbl_reject_code configuration parameter. Note: The numeri‐
1493 cal SMTP response code is required, and must appear at the start
1494 of the reply. With Postfix version 2.3 and later this informa‐
1495 tion may be followed by an RFC 3463 enhanced status code.
1496
1497 $rbl_domain
1498 The RBL domain where $rbl_what is blacklisted.
1499
1500 $rbl_reason
1501 The reason why $rbl_what is blacklisted, or an empty string.
1502
1503 $rbl_what
1504 The entity that is blacklisted (an IP address, a hostname, a
1505 domain name, or an email address whose domain was blacklisted).
1506
1507 $recipient
1508 The recipient address or <> in case of the null address.
1509
1510 $recipient_domain
1511 The recipient domain or empty string.
1512
1513 $recipient_name
1514 The recipient address localpart or <> in case of null address.
1515
1516 $sender
1517 The sender address or <> in case of the null address.
1518
1519 $sender_domain
1520 The sender domain or empty string.
1521
1522 $sender_name
1523 The sender address localpart or <> in case of the null address.
1524
1525 ${name?text}
1526 Expands to `text' if $name is not empty.
1527
1528 ${name:text}
1529 Expands to `text' if $name is empty.
1530
1531 Instead of $name you can also specify ${name} or $(name).
1532
1533 Note: when an enhanced status code is specified in an RBL reply tem‐
1534 plate, it is subject to modification. The following transformations
1535 are needed when the same RBL reply template is used for client, helo,
1536 sender, or recipient access restrictions.
1537
1538 · When rejecting a sender address, the Postfix SMTP server will
1539 transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
1540 corresponding sender DSN status, and vice versa.
1541
1542 · When rejecting non-address information (such as the HELO command
1543 argument or the client hostname/address), the Postfix SMTP
1544 server will transform a sender or recipient DSN status into a
1545 generic non-address DSN status (e.g., 4.0.0).
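The $name expansion rules above, and the command_execution_directory expansion with its character filter earlier on this page, as one added Python model (not Postfix's own expansion code). The allowed character set, the delivery attributes, and the reply template are constructed assumptions, and the Postfix 3.0 ${name?{...}} brace forms are not modelled.

```python
"""Model of the $name expansion that postconf(5) describes for
command_execution_directory (filtered through a character set such as
execution_directory_expansion_filter) and for default_rbl_reply (exactly
one level of substitution). Added example, not Postfix code; the allowed
character set, delivery attributes and reply template are assumptions.
"""
import re
from string import ascii_letters, digits

# $$, $name, ${name}, ${name?text}, ${name:text}, $(name)
TOKEN_RE = re.compile(
    r"\$\$"
    r"|\$(\w+)"
    r"|\$\{(\w+)(?:([?:])([^{}]*))?\}"
    r"|\$\((\w+)\)"
)

# Assumed allowed set; the real default is compiled in (see 'postconf -d').
SAFE_CHARS = frozenset(ascii_letters + digits + "!@%-_=+:,./")


def expand(template, attrs):
    """One level of $name substitution: attribute values are inserted
    literally and never re-expanded; undefined names expand to ""."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        name = m.group(1) or m.group(2) or m.group(5)
        value = attrs.get(name, "")
        op, text = m.group(3), m.group(4)
        if op == "?":                       # ${name?text}: text if non-empty
            return expand(text, attrs) if value else ""
        if op == ":":                       # ${name:text}: text if empty
            return "" if value else expand(text, attrs)
        return value
    return TOKEN_RE.sub(repl, template)


def filter_chars(value, allowed=SAFE_CHARS):
    """Replace every character outside the allowed set with "_", which is
    what the *_expansion_filter parameters do to expansion results."""
    return "".join(c if c in allowed else "_" for c in value)


def execution_directory(template, delivery, allowed=SAFE_CHARS):
    """The directory local(8) would change to for one delivery request."""
    return filter_chars(expand(template, delivery), allowed)


# Constructed delivery requests: Alice's address extension carries
# characters a shell would interpret, which the filter neutralises.
ALICE = {"user": "alice", "home": "/home/alice", "domain": "example.com",
         "extension": "$(id)", "recipient_delimiter": "+"}
BOB = {"user": "bob", "home": "/home/bob", "domain": "example.com",
       "extension": ""}

DIR_TEMPLATE = "$home/Maildir${extension?/.$extension}"

# Constructed reply template in the style of default_rbl_reply.
RBL_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")

if __name__ == "__main__":
    print(execution_directory(DIR_TEMPLATE, ALICE))
    print(execution_directory(DIR_TEMPLATE, BOB))
```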
1546
1547 default_recipient_limit (default: 20000)
1548 The default per-transport upper limit on the number of in-memory recip‐
1549 ients. These limits take priority over the global qmgr_message_recipi‐
1550 ent_limit after the message has been assigned to the respective trans‐
1551 ports. See also default_extra_recipient_limit and qmgr_message_recipi‐
1552 ent_minimum.
1553
1554 Use transport_recipient_limit to specify a transport-specific override,
1555 where transport is the master.cf name of the message delivery trans‐
1556 port.
1557
1558 default_recipient_refill_delay (default: 5s)
1559 The default per-transport maximum delay between recipient refills.
1560 When not all message recipients fit into memory at once, keep loading
1561 more of them at least once every this many seconds. This makes sure
1562 that recipients are refilled in a timely manner even when
1563 $default_recipient_refill_limit is too high for slow deliveries.
1564
1565 Use transport_recipient_refill_delay to specify a transport-specific
1566 override, where transport is the master.cf name of the message delivery
1567 transport.
1568
1569 This feature is available in Postfix 2.4 and later.
1570
1572 The default per-transport limit on the number of recipients refilled at
1573 once. When not all message recipients fit into the memory at once,
1574 keep loading more of them in batches of at least this many at a time.
1575 See also $default_recipient_refill_delay, which may result in recipient
1576 batches lower than this when this limit is too high for too slow deliv‐
1577 eries.
1578
1579 Use transport_recipient_refill_limit to specify a transport-specific
1580 override, where transport is the master.cf name of the message delivery
1581 transport.
1582
1583 This feature is available in Postfix 2.4 and later.
1584
1586 The default mail delivery transport and next-hop destination for desti‐
1587 nations that do not match $mydestination, $inet_interfaces,
1588 $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
1589 $relay_domains. This information can be overruled with the
1590 sender_dependent_default_transport_maps parameter and with the trans‐
1591 port(5) table.
1592
1593 In order of decreasing precedence, the nexthop destination is taken
1594 from $sender_dependent_default_transport_maps, $default_transport,
1595 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
1596 domain.
1597
1598 Specify a string of the form transport:nexthop, where transport is the
1599 name of a mail delivery transport defined in master.cf. The :nexthop
1600 destination is optional; its syntax is documented in the manual page of
1601 the corresponding delivery agent.
1602
1603 Example:
1604
1605 default_transport = uucp:relayhostname
1606
1608 The default amount of delay that is inserted between individual deliv‐
1609 eries over the same message delivery transport, regardless of destina‐
1610 tion. If non-zero, all deliveries over the same message delivery trans‐
1611 port will happen one at a time.
1612
1613 Use transport_transport_rate_delay to specify a transport-specific
1614 override, where the initial transport is the master.cf name of the mes‐
1615 sage delivery transport.
1616
1617 Example: throttle outbound SMTP mail to at most 3 deliveries per
1618 minute.
1619
1620 /etc/postfix/main.cf:
1621 smtp_transport_rate_delay = 20s
1622
1623 To enable the delay, specify a non-zero time value (an integral value
1624 plus an optional one-letter suffix that specifies the time unit).
1625
1626 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1627 The default time unit is s (seconds).
1628
1629 NOTE: the delay is enforced by the queue manager.
1630
1631 This feature is available in Postfix 3.1 and later.
1632
1634 The two default VERP delimiter characters. These are used when no
1635 explicit delimiters are specified with the SMTP XVERP command or with
1636 the "sendmail -V" command-line option. Specify characters that are
1637 allowed by the verp_delimiter_filter setting.
1638
1639 This feature is available in Postfix 1.1 and later.
1640
1642 The numerical Postfix SMTP server response code when a remote SMTP
1643 client request is rejected by the "defer" restriction.
1644
1645 Do not change this unless you have a complete understanding of RFC
1646 5321.
1647
1649 The name of the defer service. This service is implemented by the
1650 bounce(8) daemon and maintains a record of failed delivery attempts and
1651 generates non-delivery notifications.
1652
1653 This feature is available in Postfix 2.0 and later.
1654
The names of message delivery transports that should not deliver mail unless someone issues "sendmail -q" or equivalent. Specify zero or more names of mail delivery transports that appear in the first field of master.cf.
1660
1661 Example:
1662
1663 defer_transports = smtp
1664
1666 The maximal number of digits after the decimal point when logging
1667 sub-second delay values. Specify a number in the range 0..6.
1668
Large delay values are rounded off to an integral number of seconds; delay values below the delay_logging_resolution_limit are logged as "0", and delay values under 100s are logged with at most two-digit precision.
1672
1673 The format of the "delays=a/b/c/d" logging is as follows:
1674
1675 · a = time from message arrival to last active queue entry
1676
1677 · b = time from last active queue entry to connection setup
1678
1679 · c = time in connection setup, including DNS, EHLO and STARTTLS
1680
1681 · d = time in message transmission
1682
1683 This feature is available in Postfix 2.3 and later.
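
As an added example (not part of this manual page and not Postfix code), a small parser for the "delays=a/b/c/d" field described above, run over a constructed delivery log line. It attributes a slow delivery to the phase that dominated it, which is what an operator triaging queue backlogs or suspect remote servers wants from these numbers. The log line, the threshold and the phase descriptions are assumptions for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample of a Postfix SMTP client delivery log line (not from the
# page or a real server); it carries the delays=a/b/c/d field explained above.
SAMPLE_LOG = (
    "Jan  5 12:00:01 mx1 postfix/smtp[2345]: 3Pt2mN2VXxznjll: "
    "to=<bob@example.org>, relay=mail.example.org[192.0.2.10]:25, "
    "delay=0.83, delays=0.02/0.01/0.5/0.3, dsn=2.0.0, "
    "status=sent (250 2.0.0 OK)"
)

DELAYS_RE = re.compile(r"\bdelays=([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+)")
PHASES = ("a", "b", "c", "d")
PHASE_NAMES = {
    "a": "message arrival to last active queue entry",
    "b": "last active queue entry to connection setup",
    "c": "connection setup (DNS, EHLO, STARTTLS)",
    "d": "message transmission",
}


def parse_delays(line: str) -> Optional[Dict[str, float]]:
    """Return the four delay phases in seconds, or None if the line has none.
    Values below the logging resolution are logged as "0" and parse to 0.0."""
    m = DELAYS_RE.search(line)
    if m is None:
        return None
    return dict(zip(PHASES, (float(v) for v in m.groups())))


def dominant_phase(delays: Dict[str, float]) -> str:
    """Letter of the phase that contributed most to the total delay."""
    return max(PHASES, key=lambda p: delays[p])


def classify(line: str, threshold: float = 5.0) -> Optional[str]:
    """Flag a delivery whose slowest phase exceeds `threshold` seconds.

    A large c points at DNS, connect or TLS trouble towards the remote site;
    large a or b values point at local queue congestion; a large d at slow
    transmission or a remote server that is slow to accept the message data.
    """
    delays = parse_delays(line)
    if delays is None:
        return None
    phase = dominant_phase(delays)
    if delays[phase] < threshold:
        return "ok"
    return "slow %s (%s): %.2fs" % (phase, PHASE_NAMES[phase], delays[phase])
```

Feed it the output of a log pipeline (one line per call) and aggregate the returned phase letters per relay to see whether slowness is local (a/b) or on the far side (c/d).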
1684
1686 The recipient of postmaster notifications with the message headers of
1687 mail that cannot be delivered within $delay_warning_time time units.
1688
1689 See also: delay_warning_time, notify_classes.
1690
1692 The time after which the sender receives a copy of the message headers
1693 of mail that is still queued. The confirm_delay_cleared parameter con‐
1694 trols sender notification when the delay clears up.
1695
1696 To enable this feature, specify a non-zero time value (an integral
1697 value plus an optional one-letter suffix that specifies the time unit).
1698
1699 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1700 The default time unit is h (hours).
1701
1702 See also: delay_notice_recipient, notify_classes, con‐
1703 firm_delay_cleared.
1704
1706 The maximal number of attempts to acquire an exclusive lock on a mail‐
1707 box file or bounce(8) logfile.
1708
1710 The time between attempts to acquire an exclusive lock on a mailbox
1711 file or bounce(8) logfile.
1712
1713 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1714 The default time unit is s (seconds).
1715
1717 Make the queue manager's feedback algorithm verbose for performance
1718 analysis purposes.
1719
1720 This feature is available in Postfix 2.5 and later.
1721
1723 Automatically detect 8BITMIME body content by looking at Content-Trans‐
1724 fer-Encoding: message headers; historically, this behavior was
1725 hard-coded to be "always on".
1726
1727 This feature is available in Postfix 2.5 and later.
1728
1730 Disable DNS lookups in the Postfix SMTP and LMTP clients. When dis‐
1731 abled, hosts are looked up with the getaddrinfo() system library rou‐
1732 tine which normally also looks in /etc/hosts. As of Postfix 2.11, this
1733 parameter is deprecated; use smtp_dns_support_level instead.
1734
1735 DNS lookups are enabled by default.
1736
1738 Turn off MIME processing while receiving mail. This means that no spe‐
1739 cial treatment is given to Content-Type: message headers, and that all
1740 text after the initial message headers is considered to be part of the
1741 message body.
1742
1743 This feature is available in Postfix 2.0 and later.
1744
MIME input processing is enabled by default, and is needed in order to recognize MIME headers in message content.
1747
Disable the conversion of 8BITMIME format to 7BIT format. MIME output conversion is needed when the destination does not advertise 8BITMIME support.
1752
1753 This feature is available in Postfix 2.0 and later.
1754
1756 Disable sending one bounce report per recipient.
1757
1758 The default, one per recipient, is what ezmlm needs.
1759
1760 This feature is available in Postfix 1.1 and later.
1761
1763 Disable the SMTP VRFY command. This stops some techniques used to har‐
1764 vest email addresses.
1765
1766 Example:
1767
1768 disable_vrfy_command = no
1769
1771 Enable a workaround for future libc incompatibility. The Postfix imple‐
1772 mentation of RFC 2308 negative reply caching relies on the promise that
1773 res_query() and res_search() invoke res_send(), which returns the
1774 server response in an application buffer even if the requested record
1775 does not exist. If this promise is broken, specify "yes" to enable a
1776 workaround for DNS reputation lookups.
1777
1778 This feature is available in Postfix 3.1 and later.
1779
1781 A debugging aid to artificially delay DNS responses.
1782
1783 This feature is available in Postfix 2.8.
1784
1786 The name of the dnsblog(8) service entry in master.cf. This service
1787 performs DNS white/blacklist lookups.
1788
1789 This feature is available in Postfix 2.8 and later.
1790
1792 Don't remove queue files and save them to the "saved" mail queue. This
1793 is a debugging aid. To inspect the envelope information and content of
1794 a Postfix queue file, use the postcat(1) command.
1795
1797 The sender address of postmaster notifications that are generated by
1798 the mail system. All mail to this address is silently discarded, in
1799 order to terminate mail bounce loops.
1800
1802 The maximal number of addresses remembered by the address duplicate
1803 filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
1804 queue displays.
1805
1807 The sender_dependent_default_transport_maps search string that will be
1808 used instead of the null sender address.
1809
1810 This feature is available in Postfix 2.7 and later.
1811
1813 The recipient of mail addressed to the null address. Postfix does not
1814 accept such addresses in SMTP commands, but they may still be created
1815 locally as the result of configuration or software error.
1816
1818 The sender_dependent_relayhost_maps search string that will be used
1819 instead of the null sender address.
1820
1821 This feature is available in Postfix 2.5 and later. With earlier ver‐
1822 sions, sender_dependent_relayhost_maps lookups were skipped for the
1823 null sender address.
1824
1826 Report mail delivery errors to the address specified with the non-stan‐
1827 dard Errors-To: message header, instead of the envelope sender address
1828 (this feature is removed with Postfix version 2.2, is turned off by
1829 default with Postfix version 2.1, and is always turned on with older
1830 Postfix versions).
1831
1833 Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
1834 converting UTF-8 domain names to/from the ASCII form that is used for
1835 DNS lookups. Specify "yes" for compatibility with Postfix <= 3.1 (not
1836 recommended). This affects the conversion of domain names that contain
1837 for example the German sz and the Greek zeta. See http://uni‐
1838 code.org/cldr/utility/idna.jsp for more examples.
1839
1840 This feature is available in Postfix 3.2 and later.
1841
1843 Enable long, non-repeating, queue IDs (queue file names). The benefit
1844 of non-repeating names is simpler logfile analysis and easier queue
1845 migration (there is no need to run "postsuper" to change queue file
1846 names that don't match their message file inode number).
1847
Note: see below for how to convert long queue file names before migrating to Postfix <= 2.8.
1850
1851 Changing the parameter value to "yes" has the following effects:
1852
1853 · Existing queue file names are not affected.
1854
1855 · New queue files are created with names such as 3Pt2mN2VXxznjll.
1856 These are encoded in a 52-character alphabet that contains dig‐
1857 its (0-9), upper-case letters (B-Z) and lower-case letters
1858 (b-z). For safety reasons the vowels (AEIOUaeiou) are excluded
1859 from the alphabet. The name format is: 6 or more characters for
1860 the time in seconds, 4 characters for the time in microseconds,
1861 the 'z'; the remainder is the file inode number encoded in the
1862 first 51 characters of the 52-character alphabet.
1863
1864 · New messages have a Message-ID header with queueID@myhostname.
1865
1866 · The mailq (postqueue -p) output has a wider Queue ID column.
1867 The number of whitespace-separated fields is not changed.
1868
1869 · The hash_queue_depth algorithm uses the first characters of the
1870 queue file creation time in microseconds, after conversion into
1871 hexadecimal representation. This produces the same queue hashing
1872 behavior as if the queue file name was created with
1873 "enable_long_queue_ids = no".
1874
1875 Changing the parameter value to "no" has the following effects:
1876
1877 · Existing long queue file names are renamed to the short form
1878 (while running "postfix reload" or "postsuper").
1879
1880 · New queue files are created with names such as C3CD21F3E90 from
1881 a hexadecimal alphabet that contains digits (0-9) and upper-case
1882 letters (A-F). The name format is: 5 characters for the time in
1883 microseconds; the remainder is the file inode number.
1884
1885 · New messages have a Message-ID header with YYYYMMDDHH‐
1886 MMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the year,
1887 month, day, hour, minute and second.
1888
1889 · The mailq (postqueue -p) output has the same format as with
1890 Postfix <= 2.8.
1891
1892 · The hash_queue_depth algorithm uses the first characters of the
1893 queue file name, with the hexadecimal representation of the file
1894 creation time in microseconds.
1895
1896 Before migration to Postfix <= 2.8, the following commands are required
1897 to convert long queue file names into short names:
1898
1899 # postfix stop
1900 # postconf enable_long_queue_ids=no
1901 # postsuper
1902
1903 Repeat the postsuper command until it reports no more queue file name
1904 changes.
1905
1906 This feature is available in Postfix 2.9 and later.
1907
1909 Enable support for the original recipient address after an address is
1910 rewritten to a different address (for example with aliasing or with
1911 canonical mapping).
1912
1913 The original recipient address is used as follows:
1914
1915 Final delivery
1916 With "enable_original_recipient = yes", the original recipient
1917 address is stored in the X-Original-To message header. This
1918 header may be used to distinguish between different recipients
1919 that share the same mailbox.
1920
1921 Recipient deduplication
1922 With "enable_original_recipient = yes", the cleanup(8) daemon
1923 performs duplicate recipient elimination based on the content of
1924 (original recipient, maybe-rewritten recipient) pairs. Other‐
1925 wise, the cleanup(8) daemon performs duplicate recipient elimi‐
1926 nation based only on the maybe-rewritten recipient address.
1927
Note: with Postfix <= 3.2 the setting "enable_original_recipient = no" breaks address verification for addresses that are aliased or otherwise rewritten (Postfix is unable to store the address verification result under the original probe destination address; instead, it can store the result only under the rewritten address).
1933
1934 This feature is available in Postfix 2.1 and later. Postfix version 2.0
1935 behaves as if this parameter is always set to yes. Postfix versions
1936 before 2.0 have no support for the original recipient address.
1937
1939 The recipient of postmaster notifications about mail delivery problems
1940 that are caused by policy, resource, software or protocol errors.
1941 These notifications are enabled with the notify_classes parameter.
1942
1944 The name of the error(8) pseudo delivery agent. This service always
1945 returns mail as undeliverable.
1946
1947 This feature is available in Postfix 2.0 and later.
1948
1950 Restrict the characters that the local(8) delivery agent allows in
1951 $name expansions of $command_execution_directory. Characters outside
1952 the allowed set are replaced by underscores.
1953
1954 This feature is available in Postfix 2.2 and later.
1955
1957 When delivering to an alias "aliasname" that has an "owner-aliasname"
1958 companion alias, set the envelope sender address to the expansion of
1959 the "owner-aliasname" alias. Normally, Postfix sets the envelope
1960 sender address to the name of the "owner-aliasname" alias.
1961
1963 The list of environment variables that a Postfix process will export to
1964 non-Postfix processes. The TZ variable is needed for sane time keeping
1965 on System-V-ish systems.
1966
1967 Specify a list of names and/or name=value pairs, separated by white‐
1968 space or comma. Specify "{ name=value }" to protect whitespace or comma
1969 in parameter values (whitespace after "{" and before "}" is ignored).
1970 The form name=value is supported with Postfix version 2.1 and later;
1971 the use of {} is supported with Postfix 3.0 and later.
1972
1973 Example:
1974
1975 export_environment = TZ PATH=/bin:/usr/bin
1976
1978 The maximal number of recipient addresses that Postfix will extract
1979 from message headers when mail is submitted with "sendmail -t".
1980
1981 This feature was removed in Postfix version 2.1.
1982
1984 Optional list of relay hosts for SMTP destinations that can't be found
1985 or that are unreachable. With Postfix 2.3 this parameter is renamed to
1986 smtp_fallback_relay.
1987
1988 By default, mail is returned to the sender when a destination is not
1989 found, and delivery is deferred when a destination is unreachable.
1990
1991 The fallback relays must be SMTP destinations. Specify a domain, host,
1992 host:port, [host]:port, [address] or [address]:port; the form [host]
1993 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
1994 fix will try them in the specified order.
1995
1996 Note: before Postfix 2.2, do not use the fallback_relay feature when
1997 relaying mail for a backup or primary MX domain. Mail would loop
1998 between the Postfix MX host and the fallback_relay host when the final
1999 destination is unavailable.
2000
2001 · In main.cf specify "relay_transport = relay",
2002
2003 · In master.cf specify "-o fallback_relay =" (i.e., empty) at the
2004 end of the relay entry.
2005
2006 · In transport maps, specify "relay:nexthop..." as the right-hand
2007 side for backup or primary MX domain entries.
2008
Postfix version 2.2 and later will not use the fallback_relay feature for destinations for which it is the MX host.
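
As an added example (not Postfix code and not from this manual page), a parser for the destination syntax used by fallback_relay and by the :nexthop part of default_transport above: a domain, host, host:port, [host]:port, [address] or [address]:port, where brackets turn off MX lookups, and a list of such destinations tried in the order written. The class and function names are assumptions for the example; the acceptance of a service name in place of a numeric port is also assumed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Destination(NamedTuple):
    host: str              # domain, host name or address literal
    port: Optional[str]    # port number (or service name), None if omitted
    mx_lookup: bool        # False when written as [host] or [address]


# Either "[anything-but-brackets]" or a bare domain/host name, each with an
# optional ":port". Address literals (IPv4 or IPv6) must use the bracketed
# form; a bare IPv6 literal would be ambiguous with the port separator.
DEST_RE = re.compile(r"^(?:\[([^\[\]]+)\]|([^\[\]:\s]+))(?::([A-Za-z0-9-]+))?$")


def parse_destination(spec: str) -> Destination:
    m = DEST_RE.match(spec)
    if m is None:
        raise ValueError("bad SMTP destination: %r" % spec)
    bracketed, bare, port = m.groups()
    return Destination(host=bracketed or bare, port=port, mx_lookup=bracketed is None)


def parse_relay_list(value: str) -> List[Destination]:
    """A fallback_relay style list: separated by whitespace and/or commas,
    tried in the order written."""
    return [parse_destination(tok) for tok in value.replace(",", " ").split()]


def split_transport_nexthop(value: str) -> Tuple[str, Optional[str]]:
    """A default_transport style "transport:nexthop"; the nexthop is optional
    and is left as text because its syntax belongs to the delivery agent."""
    transport, _, nexthop = value.partition(":")
    if not transport:
        raise ValueError("missing transport name in %r" % value)
    return transport, (nexthop or None)
```

When auditing a main.cf, run every relayhost / fallback_relay / default_transport value through this and check that a destination meant to be reached directly (a fixed smarthost by IP, for instance) is bracketed; an unbracketed host silently goes through MX resolution, which is a different trust decision.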
2011
2013 Optional message delivery transport that the local(8) delivery agent
2014 should use for names that are not found in the aliases(5) or UNIX pass‐
2015 word database.
2016
2017 The precedence of local(8) delivery features from high to low is:
2018 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2019 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2020 tory, fallback_transport_maps, fallback_transport and luser_relay.
2021
2023 Optional lookup tables with per-recipient message delivery transports
2024 for recipients that the local(8) delivery agent could not find in the
2025 aliases(5) or UNIX password database.
2026
2027 The precedence of local(8) delivery features from high to low is:
2028 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2029 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2030 tory, fallback_transport_maps, fallback_transport and luser_relay.
2031
2032 For safety reasons, this feature does not allow $number substitutions
2033 in regular expression maps.
2034
2035 This feature is available in Postfix 2.3 and later.
2036
2038 Optional list of destinations that are eligible for per-destination
2039 logfiles with mail that is queued to those destinations.
2040
2041 By default, Postfix maintains "fast flush" logfiles only for destina‐
2042 tions that the Postfix SMTP server is willing to relay to (i.e. the
2043 default is: "fast_flush_domains = $relay_domains"; see the
2044 relay_domains parameter in the postconf(5) manual).
2045
2046 Specify a list of hosts or domains, "/file/name" patterns or "type:ta‐
2047 ble" lookup tables, separated by commas and/or whitespace. Continue
2048 long lines by starting the next line with whitespace. A "/file/name"
2049 pattern is replaced by its contents; a "type:table" lookup table is
2050 matched when the domain or its parent domain appears as lookup key.
2051
2052 Pattern matching of domain names is controlled by the presence or
2053 absence of "fast_flush_domains" in the parent_domain_matches_subdomains
2054 parameter value.
2055
2056 Specify "fast_flush_domains =" (i.e., empty) to disable the feature
2057 altogether.
2058
2060 The time after which an empty per-destination "fast flush" logfile is
2061 deleted.
2062
2063 You can specify the time as a number, or as a number followed by a let‐
2064 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
2065 d=days, w=weeks. The default time unit is days.
2066
2068 The time after which a non-empty but unread per-destination "fast
2069 flush" logfile needs to be refreshed. The contents of a logfile are
2070 refreshed by requesting delivery of all messages listed in the logfile.
2071
2072 You can specify the time as a number, or as a number followed by a let‐
2073 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
2074 d=days, w=weeks. The default time unit is hours.
2075
2077 Force specific internal tests to fail, to test the handling of errors
2078 that are difficult to reproduce otherwise.
2079
2081 The name of the flush(8) service. This service maintains per-destina‐
2082 tion logfiles with the queue file names of mail that is queued for
2083 those destinations.
2084
2085 This feature is available in Postfix 2.0 and later.
2086
2088 The maximal number of attempts to fork() a child process.
2089
2091 The delay between attempts to fork() a child process.
2092
2093 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2094 The default time unit is s (seconds).
2095
2097 Restrict the characters that the local(8) delivery agent allows in
2098 $name expansions of $forward_path. Characters outside the allowed set
2099 are replaced by underscores.
2100
2102 The local(8) delivery agent search list for finding a .forward file
2103 with user-specified delivery methods. The first file that is found is
2104 used.
2105
2106 The following $name expansions are done on forward_path before the
2107 search actually happens. The result of $name expansion is filtered with
2108 the character set that is specified with the forward_expansion_filter
2109 parameter.
2110
2111 $user The recipient's username.
2112
2113 $shell The recipient's login shell pathname.
2114
2115 $home The recipient's home directory.
2116
2117 $recipient
2118 The full recipient address.
2119
2120 $extension
2121 The optional recipient address extension.
2122
2123 $domain
2124 The recipient domain.
2125
2126 $local The entire recipient localpart.
2127
2128 $recipient_delimiter
2129 The address extension delimiter that was found in the recipient
2130 address (Postfix 2.11 and later), or the system-wide recipient
2131 address extension delimiter (Postfix 2.10 and earlier).
2132
2133 ${name?value}
2134 Expands to value when $name is non-empty.
2135
2136 ${name:value}
2137 Expands to value when $name is empty.
2138
2139 Instead of $name you can also specify ${name} or $(name).
2140
2141 Examples:
2142
2143 forward_path = /var/forward/$user
2144 forward_path =
2145 /var/forward/$user/.forward$recipient_delimiter$extension,
2146 /var/forward/$user/.forward
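
As an added example (not Postfix code and not from this manual page), an implementation of the $name expansion rules listed above for forward_path: $name, ${name}, $(name), and the ${name?value} / ${name:value} conditionals, with each attribute value passed through a forward_expansion_filter style character set before it lands in the path. The filter set below is a constructed sample (the real default is not shown in this section); the attribute dictionary and function names are assumptions for the example.

```python
import re
from typing import Dict, Set

# Constructed sample filter set standing in for forward_expansion_filter:
# letters, digits and a few punctuation characters that are harmless in a path.
SAMPLE_FILTER: Set[str] = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@%-_=+:,./"
)

# $name, ${...}, $(...). The brace/paren bodies are examined for the
# conditional forms; a plain body is a parameter name.
MACRO_RE = re.compile(r"\$(?:\{([^{}]*)\}|\(([^()]*)\)|([A-Za-z0-9_]+))")
CONDITIONAL_RE = re.compile(r"([A-Za-z0-9_]+)([?:])(.*)$", re.S)


def filter_value(value: str, allowed: Set[str]) -> str:
    """Replace characters outside the allowed set by underscores."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def expand(template: str, attrs: Dict[str, str], allowed: Set[str] = SAMPLE_FILTER) -> str:
    """Expand a forward_path style template with recipient attributes.

    Attribute values (what $name produces) are filtered; literal text inside
    ${name?value} is expanded recursively so it may itself contain $name."""
    def repl(m: "re.Match") -> str:
        body = m.group(1) or m.group(2) or m.group(3)
        cond = CONDITIONAL_RE.match(body)
        if cond:
            name, op, value = cond.groups()
            non_empty = bool(attrs.get(name, ""))
            if (op == "?") == non_empty:   # "?" wants non-empty, ":" wants empty
                return expand(value, attrs, allowed)
            return ""
        return filter_value(attrs.get(body, ""), allowed)

    return MACRO_RE.sub(repl, template)
```

The filter is the security-relevant part: a recipient attribute such as $home or $extension is data from outside local(8)'s control, and replacing anything outside the allowed set with an underscore keeps it from steering the .forward search to an unexpected file.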
2147
2149 Update the local(8) delivery agent's idea of the Delivered-To: address
2150 (see prepend_delivered_header) only once, at the start of a delivery
2151 attempt; do not update the Delivered-To: address while expanding
2152 aliases or .forward files.
2153
2154 This feature is available in Postfix 2.3 and later. With older Postfix
2155 releases, the behavior is as if this parameter is set to "no". The old
2156 setting can be expensive with deeply nested aliases or .forward files.
2157 When an alias or .forward file changes the Delivered-To: address, it
2158 ties up one queue file and one cleanup process instance while mail is
2159 being forwarded.
2160
2162 The number of subdirectory levels for queue directories listed with the
2163 hash_queue_names parameter. Queue hashing is implemented by creating
2164 one or more levels of directories with one-character names. Origi‐
2165 nally, these directory names were equal to the first characters of the
2166 queue file name, with the hexadecimal representation of the file cre‐
2167 ation time in microseconds.
2168
2169 With long queue file names, queue hashing produces the same results as
2170 with short names. The file creation time in microseconds is converted
2171 into hexadecimal form before the result is used for queue hashing. The
2172 base 16 encoding gives finer control over the number of subdirectories
2173 than is possible with the base 52 encoding of long queue file names.
2174
2175 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2176 cute the command "postfix reload".
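
As an added example (not Postfix code and not from this manual page), a decoder for the two queue-file name formats described under enable_long_queue_ids, plus the hash_queue_depth directory derivation this paragraph explains. The 52-character alphabet is reconstructed from that description (digits, then upper-case B-Z and lower-case b-z with the vowels removed); its ordering, the big-endian digit order, and zero-padding the hexadecimal microseconds to the five digits of the short form are assumptions. The sample names 3Pt2mN2VXxznjll and C3CD21F3E90 are the ones quoted above.

```python
import re
from datetime import datetime, timezone
from typing import List, Tuple

# Reconstructed from the text: digits, consonants B-Z, consonants b-z.
BASE52 = "0123456789" + "BCDFGHJKLMNPQRSTVWXYZ" + "bcdfghjklmnpqrstvwxyz"
BASE51 = BASE52[:-1]   # inode part uses the first 51 characters, never 'z'
SEPARATOR = "z"


def decode(text: str, alphabet: str) -> int:
    """Interpret text as a big-endian number in the given alphabet."""
    value = 0
    for ch in text:
        value = value * len(alphabet) + alphabet.index(ch)  # ValueError on foreign chars
    return value


def is_long_queue_id(qid: str) -> bool:
    # Short names are upper-case hexadecimal and can never contain 'z'.
    return SEPARATOR in qid


def parse_long_queue_id(qid: str) -> Tuple[int, int, int]:
    """Split a long queue ID into (seconds, microseconds, inode).

    The inode part never contains 'z', so the LAST 'z' is the separator even
    though the time part may legitimately contain one."""
    sep = qid.rfind(SEPARATOR)
    if sep < 10 or sep == len(qid) - 1:
        raise ValueError("not a long queue ID: %r" % qid)
    time_part, inode_part = qid[:sep], qid[sep + 1:]
    seconds = decode(time_part[:-4], BASE52)        # 6 or more characters
    microseconds = decode(time_part[-4:], BASE52)   # exactly 4 characters
    if microseconds >= 1_000_000:
        raise ValueError("microsecond field out of range in %r" % qid)
    return seconds, microseconds, decode(inode_part, BASE51)


def parse_short_queue_id(qid: str) -> Tuple[int, int]:
    """Split a short (hexadecimal) queue ID into (microseconds, inode)."""
    if not re.fullmatch(r"[0-9A-F]{6,}", qid):
        raise ValueError("not a short queue ID: %r" % qid)
    return int(qid[:5], 16), int(qid[5:], 16)


def queue_id_timestamp(qid: str) -> str:
    """ISO-8601 UTC creation time of a long queue ID, handy when a log line
    has been separated from its timestamp."""
    seconds, microseconds, _ = parse_long_queue_id(qid)
    created = datetime.fromtimestamp(seconds, timezone.utc)
    return created.replace(microsecond=microseconds).isoformat()


def hash_queue_dirs(qid: str, depth: int) -> List[str]:
    """Directory names that queue hashing derives from a queue ID.

    Long IDs hash on the hexadecimal microseconds (padded to 5 digits, an
    assumption mirroring the short form); short IDs hash on the name itself,
    so both forms land in the same subdirectory for the same creation time."""
    if is_long_queue_id(qid):
        _, microseconds, _ = parse_long_queue_id(qid)
        key = "%05X" % microseconds
    else:
        parse_short_queue_id(qid)   # validate the name first
        key = qid
    return list(key[:depth])
```

Decoding the sample long name with these assumptions yields a creation time in March 2011, consistent with the feature's Postfix 2.9 vintage, which is a useful sanity check that the alphabet and digit order are right.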
2177
2179 The names of queue directories that are split across multiple subdirec‐
2180 tory levels.
2181
2182 Before Postfix version 2.2, the default list of hashed queues was sig‐
2183 nificantly larger. Claims about improvements in file system technology
2184 suggest that hashing of the incoming and active queues is no longer
2185 needed. Fewer hashed directories speed up the time needed to restart
2186 Postfix.
2187
2188 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2189 cute the command "postfix reload".
2190
The maximal number of address tokens that are allowed in an address message header. Information that exceeds the limit is discarded. The limit is enforced by the cleanup(8) server.
2195
2197 Optional lookup tables for content inspection of primary non-MIME mes‐
2198 sage headers, as specified in the header_checks(5) manual page.
2199
2201 The format of the Postfix-generated From: header. This setting affects
2202 the appearance of 'full name' information when a local program such as
2203 /bin/mail submits a message without From: header through the Postfix
2204 sendmail(1) command.
2205
2206 Specify one of the following:
2207
2208 standard (default)
2209 Produce a header formatted as "From: name <address>". This is
2210 the default as of Postfix 3.3.
2211
2212 obsolete
2213 Produce a header formatted as "From: address (name)". This is
2214 the behavior prior to Postfix 3.3.
2215
2216 Notes:
2217
2218 · Postfix generates the format "From: address" when name informa‐
2219 tion is unavailable or the envelope sender address is empty.
2220 This is the same behavior as prior to Postfix 3.3.
2221
2222 · In the standard form, the name will be quoted if it contains
2223 specials as defined in RFC 5322, or the "!%" address operators.
2224
2225 · The Postfix sendmail(1) command gets name information from the
2226 -F command-line option, from the NAME environment variable, or
2227 from the UNIX password file.
2228
2229 This feature is available in Postfix 3.3 and later.
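
As an added example (not Postfix code and not from this manual page), a formatter that produces the two header_from_format styles described above and applies the quoting rule from the notes: in the standard form the name is quoted when it contains RFC 5322 specials or the "!%" operators. The escaping of backslash and double quote inside a quoted-string, and of parentheses inside the obsolete form's comment, follows RFC 5322 rather than this page; the function names and the handling of an empty envelope sender are assumptions.

```python
from typing import Optional

SPECIALS = set('()<>[]:;@\\,."')   # "specials" as defined in RFC 5322
ADDRESS_OPERATORS = set("!%")       # the "!%" address operators named above


def needs_quoting(name: str) -> bool:
    return any(ch in SPECIALS or ch in ADDRESS_OPERATORS for ch in name)


def quote_phrase(name: str) -> str:
    """RFC 5322 quoted-string: backslash and '"' become quoted-pairs."""
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def comment(name: str) -> str:
    """RFC 5322 comment: backslash and parentheses are escaped inside it
    (an escaping rule from the RFC, not from the text above)."""
    escaped = name.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return "(" + escaped + ")"


def format_from(address: str, name: Optional[str] = None, style: str = "standard") -> str:
    """Build the From: header as header_from_format describes it."""
    if not address:
        # The page says an empty envelope sender yields "From: address" without
        # a name, but not which placeholder address; treat it as a caller error.
        raise ValueError("a non-empty address is required")
    if not name:                       # no name information: "From: address"
        return "From: " + address
    if style == "standard":
        phrase = quote_phrase(name) if needs_quoting(name) else name
        return "From: %s <%s>" % (phrase, address)
    if style == "obsolete":
        return "From: %s %s" % (address, comment(name))
    raise ValueError("unknown header_from_format: %r" % style)
```

The quoting is what keeps a name supplied through "sendmail -F", the NAME variable or the password file from being read as header syntax: a name containing "<" or "@" is emitted as one quoted-string, so a receiving parser still sees exactly one angle-addr.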
2230
2232 The maximal amount of memory in bytes for storing a message header. If
2233 a header is larger, the excess is discarded. The limit is enforced by
2234 the cleanup(8) server.
2235
2237 Log warnings about problematic configuration settings, and provide
2238 helpful suggestions.
2239
2240 This feature is available in Postfix 2.0 and later.
2241
2243 Optional pathname of a mailbox file relative to a local(8) user's home
2244 directory.
2245
2246 Specify a pathname ending in "/" for qmail-style delivery.
2247
2248 The precedence of local(8) delivery features from high to low is:
2249 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2250 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2251 tory, fallback_transport_maps, fallback_transport and luser_relay.
2252
2253 Examples:
2254
2255 home_mailbox = Mailbox
2256 home_mailbox = Maildir/
2257
2259 The maximal number of Received: message headers that is allowed in the
2260 primary message headers. A message that exceeds the limit is bounced,
2261 in order to stop a mailer loop.
2262
2264 The location of Postfix HTML files that describe how to build, config‐
2265 ure or operate a specific Postfix subsystem or feature.
2266
2268 Ignore DNS MX lookups that produce no response. By default, the Post‐
2269 fix SMTP client defers delivery and tries again after some delay. This
2270 behavior is required by the SMTP standard.
2271
2272 Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
2273 instead. This violates the SMTP standard and can result in mis-delivery
2274 of mail.
2275
2277 The list of environment parameters that a privileged Postfix process
2278 will import from a non-Postfix parent process, or name=value environ‐
2279 ment overrides. Unprivileged utilities will enforce the name=value
2280 overrides, but otherwise will not change their process environment.
2281 Examples of relevant parameters:
2282
2283 TZ May be needed for sane time keeping on most System-V-ish sys‐
2284 tems.
2285
2286 DISPLAY
2287 Needed for debugging Postfix daemons with an X-windows debugger.
2288
2289 XAUTHORITY
2290 Needed for debugging Postfix daemons with an X-windows debugger.
2291
2292 MAIL_CONFIG
2293 Needed to make "postfix -c" work.
2294
2295 Specify a list of names and/or name=value pairs, separated by white‐
2296 space or comma. Specify "{ name=value }" to protect whitespace or comma
2297 in parameter values (whitespace after "{" and before "}" is ignored).
2298 The form name=value is supported with Postfix version 2.1 and later;
2299 the use of {} is supported with Postfix 3.0 and later.
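
As an added example (not Postfix code and not from this manual page), a parser for the list syntax that export_environment above and import_environment here share: names and name=value pairs separated by whitespace or commas, with "{ name=value }" protecting whitespace or commas in a value. On top of it sit the two behaviours the text describes: a process that passes only listed variables (plus overrides) to the other side, and an unprivileged utility that enforces only the name=value overrides. The function names and the variable-name check are assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

TOKEN_RE = re.compile(r"[^\s,]+")
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")   # added strictness, not from the page


def parse_env_list(spec: str) -> List[Tuple[str, Optional[str]]]:
    """Parse "TZ PATH=/bin:/usr/bin { FOO=a, b }" into (name, value|None)."""
    items: List[Tuple[str, Optional[str]]] = []
    i, n = 0, len(spec)
    while i < n:
        if spec[i] in " \t\r\n,":
            i += 1
            continue
        if spec[i] == "{":
            j = spec.find("}", i)
            if j < 0:
                raise ValueError("unbalanced '{' in %r" % spec)
            token = spec[i + 1:j].strip()   # whitespace after "{" / before "}" ignored
            i = j + 1
        else:
            m = TOKEN_RE.match(spec, i)
            token, i = m.group(0), m.end()
        name, sep, value = token.partition("=")
        if not NAME_RE.fullmatch(name):
            raise ValueError("bad environment variable name: %r" % name)
        items.append((name, value if sep else None))
    return items


def select_environment(parent_env: Dict[str, str], spec: str) -> Dict[str, str]:
    """export_environment / privileged import_environment: the result holds only
    the listed names (copied from parent_env when present) and the overrides."""
    env: Dict[str, str] = {}
    for name, value in parse_env_list(spec):
        if value is not None:
            env[name] = value
        elif name in parent_env:
            env[name] = parent_env[name]
    return env


def apply_overrides_only(current_env: Dict[str, str], spec: str) -> Dict[str, str]:
    """Unprivileged utility reading import_environment: name=value entries are
    enforced, bare names leave the environment untouched."""
    env = dict(current_env)
    for name, value in parse_env_list(spec):
        if value is not None:
            env[name] = value
    return env
```

The allow-list behaviour of select_environment is the point of both parameters: anything not named, such as a credential or loader variable present in the parent, simply does not cross the privilege boundary.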
2300
2302 Time to pause before accepting a new message, when the message arrival
2303 rate exceeds the message delivery rate. This feature is turned on by
2304 default (it's disabled on SCO UNIX due to an SCO bug).
2305
2306 With the default 100 Postfix SMTP server process limit, "in_flow_delay
2307 = 1s" limits the mail inflow to 100 messages per second above the num‐
2308 ber of messages delivered per second.
2309
2310 Specify 0 to disable the feature. Valid delays are 0..10.
2311
2313 The network interface addresses that this mail system receives mail on.
2314 Specify "all" to receive mail on all network interfaces (default), and
2315 "loopback-only" to receive mail on loopback network interfaces only
2316 (Postfix version 2.2 and later). The parameter also controls delivery
2317 of mail to user@[ip.address].
2318
2319 Note 1: you need to stop and start Postfix when this parameter changes.
2320
2321 Note 2: address information may be enclosed inside [], but this form is
2322 not required here.
2323
2324 When inet_interfaces specifies just one IPv4 and/or IPv6 address that
2325 is not a loopback address, the Postfix SMTP client will use this
2326 address as the IP source address for outbound mail. Support for IPv6 is
2327 available in Postfix version 2.2 and later.
2328
2329 On a multi-homed firewall with separate Postfix instances listening on
2330 the "inside" and "outside" interfaces, this can prevent each instance
2331 from being able to reach remote SMTP servers on the "other side" of the
2332 firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential
2333 problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2334 lem for IPv6.
2335
A better solution for multi-homed firewalls is to leave inet_interfaces at the default value and instead use explicit IP addresses in the master.cf SMTP server definitions. This preserves the Postfix SMTP client's loop detection, by ensuring that each side of the firewall knows that the other IP address is still the same host. Setting $inet_interfaces to a single IPv4 and/or IPv6 address is primarily useful with virtual hosting of domains on secondary IP addresses, when each IP address serves a different domain (and has a different $myhostname setting).
2345
2346 See also the proxy_interfaces parameter, for network addresses that are
2347 forwarded to Postfix by way of a proxy or address translator.
2348
2349 Examples:
2350
2351 inet_interfaces = all (DEFAULT)
2352 inet_interfaces = loopback-only (Postfix version 2.2 and later)
2353 inet_interfaces = 127.0.0.1
2354 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2355 inet_interfaces = 192.168.1.2, 127.0.0.1
2356
2358 The Internet protocols Postfix will attempt to use when making or
2359 accepting connections. Specify one or more of "ipv4" or "ipv6", sepa‐
2360 rated by whitespace or commas. The form "all" is equivalent to "ipv4,
2361 ipv6" or "ipv4", depending on whether the operating system implements
2362 IPv6.
2363
2364 With Postfix 2.8 and earlier the default is "ipv4". For backwards com‐
2365 patibility with these releases, the Postfix 2.9 and later upgrade pro‐
2366 cedure appends an explicit "inet_protocols = ipv4" setting to main.cf
2367 when no explicit setting is present. This compatibility workaround will
2368 be phased out as IPv6 deployment becomes more common.
2369
2370 This feature is available in Postfix 2.2 and later.
2371
2372 Note: you MUST stop and start Postfix after changing this parameter.
2373
2374 On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2375 will also accept IPv4 connections, even when IPv4 is turned off with
2376 the inet_protocols parameter. On systems with IPV6_V6ONLY support,
2377 Postfix will use separate server sockets for IPv6 and IPv4, and each
2378 will accept only connections for the corresponding protocol.
2379
2380 When IPv4 support is enabled via the inet_protocols parameter, Postfix
2381 will look up DNS type A records, and will convert IPv4-in-IPv6 client
2382 IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
2383 The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
2384 3493).
2385
2386 When IPv6 support is enabled via the inet_protocols parameter, Postfix
2387 will do DNS type AAAA record lookups.
2388
2389 When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
2390 will choose the protocol as specified with the smtp_address_preference
2391 parameter. Postfix versions before 2.8 attempt to connect via IPv6
2392 before attempting to use IPv4.
2393
2394 Examples:
2395
2396 inet_protocols = ipv4
2397 inet_protocols = all (DEFAULT)
2398 inet_protocols = ipv6
2399 inet_protocols = ipv4, ipv6
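
The two address rules above (the single non-loopback inet_interfaces address becoming the SMTP client's source address, and the ::ffff:a.b.c.d to a.b.c.d conversion done when inet_protocols enables IPv4) can be checked against a proposed main.cf value before the stop/start that both parameters require. The script below is an added example and not Postfix code; every address in it is a constructed sample value, and the "192.0.2.10:smtp" style of explicit address in a master.cf service name is the alternative the text recommends for multi-homed firewalls.

```shell
#!/bin/sh
# Added example, not Postfix code: two helpers that apply the rules stated
# for inet_interfaces and inet_protocols to a proposed main.cf value, so the
# consequences can be seen before the stop/start both parameters require.
# All addresses and settings below are constructed sample values.

# True for a loopback address (127.0.0.0/8 or ::1).
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the single non-loopback address of one family (4 or 6) named in an
# inet_interfaces value: that is the address the Postfix SMTP client would
# use as its outbound source address. Print nothing for "all",
# "loopback-only", or when the family has zero or several such addresses.
# Runs in a subshell so "set -f" (no globbing of "[::1]") stays local.
smtp_source_address() (
    set -f
    want=$1
    found=''
    count=0
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        addr=${item#\[}            # accept the optional [address] form
        addr=${addr%\]}
        case "$addr" in
            all|loopback-only) exit 0 ;;
            *:*) fam=6 ;;
            *)   fam=4 ;;
        esac
        [ "$fam" = "$want" ] || continue
        is_loopback "$addr" && continue
        found=$addr
        count=$((count + 1))
    done
    [ "$count" -eq 1 ] && printf '%s\n' "$found"
    exit 0
)

# Convert an IPv4-in-IPv6 client address (::ffff:a.b.c.d) back to its IPv4
# form, as Postfix does when inet_protocols enables IPv4; anything else is
# printed unchanged.
unmap_ipv4() {
    case "$1" in
        ::[Ff][Ff][Ff][Ff]:*.*.*.*) printf '%s\n' "${1#::[Ff][Ff][Ff][Ff]:}" ;;
        *)                          printf '%s\n' "$1" ;;
    esac
}

# Report what a candidate inet_interfaces value implies for outbound mail.
# A forced source address is the multi-homed firewall situation from the
# text; the remedies there are smtp_bind_address = 0.0.0.0 (IPv4) and
# smtp_bind_address6 = :: (IPv6), or explicit addresses in master.cf.
review_inet_interfaces() {
    for fam in 4 6; do
        src=$(smtp_source_address "$fam" "$1")
        [ -n "$src" ] &&
            printf 'inet_interfaces = %s forces the IPv%s source address %s\n' \
                "$1" "$fam" "$src"
    done
    return 0
}

review_inet_interfaces '192.0.2.10, 127.0.0.1'       # constructed
review_inet_interfaces '192.0.2.10, [2001:db8::25]'  # constructed
review_inet_interfaces 'all'                         # prints nothing
unmap_ipv4 '::ffff:192.0.2.1'                        # prints 192.0.2.1
```

The family split matters: a value such as "192.0.2.10, [2001:db8::25]" names exactly one address per family, so both the IPv4 and the IPv6 source address are forced, while two IPv4 addresses force neither.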
2400
2402 The initial per-destination concurrency level for parallel delivery to
2403 the same destination. With per-destination recipient limit > 1, a des‐
2404 tination is a domain, otherwise it is a recipient.
2405
2406 Use transport_initial_destination_concurrency to specify a trans‐
2407 port-specific override, where transport is the master.cf name of the
2408 message delivery transport (Postfix 2.5 and later).
2409
2410 Warning: with concurrency of 1, one bad message can be enough to block
2411 all mail to a site.
2412
2414 What categories of Postfix-generated mail are subject to before-queue
2415 content inspection by non_smtpd_milters, header_checks and body_checks.
2416 Specify zero or more of the following, separated by whitespace or
2417 comma.
2418
2419 bounce Inspect the content of delivery status notifications.
2420
2421 notify Inspect the content of postmaster notifications by the smtp(8)
2422 and smtpd(8) processes.
2423
2424 NOTE: It's generally not safe to enable content inspection of
2425 Postfix-generated email messages. The user is warned.
2426
2427 This feature is available in Postfix 2.3 and later.
2428
2430 The numerical Postfix SMTP server response code when the client HELO or
2431 EHLO command parameter is rejected by the reject_invalid_helo_hostname
2432 restriction.
2433
2434 Do not change this unless you have a complete understanding of RFC
2435 5321.
2436
2438 The time after which a client closes an idle internal communication
2439 channel. The purpose is to allow Postfix daemon processes to terminate
2440 voluntarily after they become idle. This is used, for example, by the
2441 Postfix address resolving and rewriting clients.
2442
2443 With Postfix 2.4 the default value was reduced from 100s to 5s.
2444
2445 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2446 The default time unit is s (seconds).
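
The time-unit syntax stated here (s, m, h, d, w, with a bare number meaning seconds) is shared by ipc_idle, ipc_timeout and the lmtp_*_timeout parameters that follow. The converter below is an added example, not Postfix code; it reproduces only the unit rules quoted in the text and rejects anything else, and time_le is a small assumed helper for comparing two such settings.

```shell
#!/bin/sh
# Added example, not Postfix code: convert a Postfix time value (as accepted
# by ipc_idle, ipc_timeout and the lmtp_*_timeout parameters) into seconds
# using the unit rules quoted in the text: s, m, h, d, w, and a bare number
# means seconds. Returns non-zero for anything else.
postfix_time_to_seconds() {
    value=$1
    case "$value" in
        ''|*[!0-9smhdw]*) return 1 ;;      # empty, or a stray character
    esac
    num=${value%[smhdw]}                   # digits without the unit suffix
    unit=${value#"$num"}                   # '' or one of s m h d w
    case "$num" in
        ''|*[!0-9]*) return 1 ;;           # "s" alone, or a unit mid-string ("5m0")
    esac
    case "$unit" in
        ''|s) mult=1 ;;
        m)    mult=60 ;;
        h)    mult=3600 ;;
        d)    mult=86400 ;;
        w)    mult=604800 ;;
    esac
    printf '%s\n' "$((num * mult))"
}

# Assumed helper: compare two settings in seconds, e.g. to confirm that the
# ipc_idle default of 5s is shorter than an lmtp_connect_timeout of 30s.
# Usage: time_le 5s 30s   -> exit status 0
time_le() {
    a=$(postfix_time_to_seconds "$1") || return 2
    b=$(postfix_time_to_seconds "$2") || return 2
    [ "$a" -le "$b" ]
}

postfix_time_to_seconds 30s    # 30
postfix_time_to_seconds 2m     # 120
```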
2447
2449 The time limit for sending or receiving information over an internal
2450 communication channel. The purpose is to break out of deadlock situa‐
2451 tions. If the time limit is exceeded the software aborts with a fatal
2452 error.
2453
2454 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2455 The default time unit is s (seconds).
2456
2458 The time after which a client closes an active internal communication
2459 channel. The purpose is to allow Postfix daemon processes to terminate
2460 voluntarily after reaching their client limit. This is used, for exam‐
2461 ple, by the Postfix address resolving and rewriting clients.
2462
2463 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2464 The default time unit is s (seconds).
2465
2466 This feature is available in Postfix 2.1 and later.
2467
2469 Upon input, long lines are chopped up into pieces of at most this
2470 length; upon delivery, long lines are reconstructed.
2471
2473 The initial OpenLDAP LMDB database size limit in bytes. Each time a
2474 database becomes full, its size limit is doubled.
2475
2476 This feature is available in Postfix 2.11 and later.
2477
2479 The LMTP-specific version of the smtp_address_preference configuration
2480 parameter. See there for details.
2481
2482 This feature is available in Postfix 2.8 and later.
2483
2485 The LMTP-specific version of the smtp_address_verify_target configura‐
2486 tion parameter. See there for details.
2487
2488 This feature is available in Postfix 3.0 and later.
2489
2491 When a remote LMTP server announces no DSN support, assume that the
2492 server performs final delivery, and send "delivered" delivery status
2493 notifications instead of "relayed". The default setting is backwards
2494 compatible to avoid the infinitesimal possibility of breaking existing
2495 LMTP-based content filters.
2496
2498 The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2499 tion parameter. See there for details.
2500
2501 This feature is available in Postfix 3.3 and later.
2502
2504 The LMTP-specific version of the smtp_bind_address configuration param‐
2505 eter. See there for details.
2506
2507 This feature is available in Postfix 2.3 and later.
2508
2510 The LMTP-specific version of the smtp_bind_address6 configuration
2511 parameter. See there for details.
2512
2513 This feature is available in Postfix 2.3 and later.
2514
2516 The LMTP-specific version of the smtp_body_checks configuration parame‐
2517 ter. See there for details.
2518
2519 This feature is available in Postfix 2.5 and later.
2520
2522 Keep Postfix LMTP client connections open for up to $max_idle seconds.
2523 When the LMTP client receives a request for the same connection the
2524 connection is reused.
2525
2526 This parameter is available in Postfix version 2.2 and earlier. With
2527 Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
2528 lmtp_connection_cache_destinations, or
2529 lmtp_connection_reuse_time_limit.
2530
2531 The effectiveness of cached connections will be determined by the num‐
2532 ber of remote LMTP servers in use, and the concurrency limit specified
2533 for the Postfix LMTP client. Cached connections are closed under any of
2534 the following conditions:
2535
2536 · The Postfix LMTP client idle time limit is reached. This limit
2537 is specified with the Postfix max_idle configuration parameter.
2538
2539 · A delivery request specifies a different destination than the
2540 one currently cached.
2541
2542 · The per-process limit on the number of delivery requests is
2543 reached. This limit is specified with the Postfix max_use con‐
2544 figuration parameter.
2545
2546 · Upon the onset of another delivery request, the remote LMTP
2547 server associated with the current session does not respond to
2548 the RSET command.
2549
2550 Most of these limitations have been addressed with the Postfix 2.3
2551 connection cache that is shared among multiple LMTP client programs.
2552
2554 The LMTP-specific version of the smtp_cname_overrides_servername con‐
2555 figuration parameter. See there for details.
2556
2557 This feature is available in Postfix 2.3 and later.
2558
2560 The Postfix LMTP client time limit for completing a TCP connection, or
2561 zero (use the operating system built-in time limit). When no connec‐
2562 tion can be made within the deadline, the LMTP client tries the next
2563 address on the mail exchanger list.
2564
2565 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2566 The default time unit is s (seconds).
2567
2568 Example:
2569
2570 lmtp_connect_timeout = 30s
2571
2573 The LMTP-specific version of the smtp_connection_cache_destinations
2574 configuration parameter. See there for details.
2575
2576 This feature is available in Postfix 2.3 and later.
2577
2579 The LMTP-specific version of the smtp_connection_cache_on_demand con‐
2580 figuration parameter. See there for details.
2581
2582 This feature is available in Postfix 2.3 and later.
2583
2585 The LMTP-specific version of the smtp_connection_cache_time_limit con‐
2586 figuration parameter. See there for details.
2587
2588 This feature is available in Postfix 2.3 and later.
2589
2591 The LMTP-specific version of the smtp_connection_reuse_count_limit con‐
2592 figuration parameter. See there for details.
2593
2594 This feature is available in Postfix 2.11 and later.
2595
2597 The LMTP-specific version of the smtp_connection_reuse_time_limit con‐
2598 figuration parameter. See there for details.
2599
2600 This feature is available in Postfix 2.3 and later.
2601
2603 The Postfix LMTP client time limit for sending the LMTP ".", and for
2604 receiving the remote LMTP server response. When no response is
2605 received within the deadline, a warning is logged that the mail may be
2606 delivered multiple times.
2607
2608 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2609 The default time unit is s (seconds).
2610
2612 The Postfix LMTP client time limit for sending the LMTP DATA command,
2613 and for receiving the remote LMTP server response.
2614
2615 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2616 The default time unit is s (seconds).
2617
2619 The Postfix LMTP client time limit for sending the LMTP message con‐
2620 tent. When the connection stalls for more than $lmtp_data_xfer_timeout
2621 the LMTP client terminates the transfer.
2622
2623 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2624 The default time unit is s (seconds).
2625
2627 The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2628 figuration parameter. See there for details.
2629
2630 This feature is available in Postfix 2.3 and later.
2631
2633 The LMTP-specific version of the smtp_delivery_status_filter configura‐
2634 tion parameter. See there for details.
2635
2636 This feature is available in Postfix 3.0 and later.
2637
2639 lmtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)
2640 The maximal number of parallel deliveries to the same destination via
2641 the lmtp message delivery transport. This limit is enforced by the
2642 queue manager. The message delivery transport name is the first field
2643 in the entry in the master.cf file.
2644
2646 lmtp_destination_recipient_limit (default: $default_destination_recipient_limit)
2647 The maximal number of recipients per message for the lmtp message
2648 delivery transport. This limit is enforced by the queue manager. The
2649 message delivery transport name is the first field in the entry in the
2650 master.cf file.
2651
2652 Setting this parameter to a value of 1 changes the meaning of
2653 lmtp_destination_concurrency_limit from concurrency per domain into
2654 concurrency per recipient.
2655
2657 Lookup tables, indexed by the remote LMTP server address, with case
2658 insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
2659 that the Postfix LMTP client will ignore in the LHLO response from a
2660 remote LMTP server. See lmtp_discard_lhlo_keywords for details. The
2661 table is not indexed by hostname for consistency with
2662 smtpd_discard_ehlo_keyword_address_maps.
2663
2664 This feature is available in Postfix 2.3 and later.
2665
2667 A case insensitive list of LHLO keywords (pipelining, starttls, auth,
2668 etc.) that the Postfix LMTP client will ignore in the LHLO response
2669 from a remote LMTP server.
2670
2671 This feature is available in Postfix 2.3 and later.
2672
2673 Notes:
2674
2675 · Specify the silent-discard pseudo keyword to prevent this action
2676 from being logged.
2677
2678 · Use the lmtp_discard_lhlo_keyword_address_maps feature to dis‐
2679 card LHLO keywords selectively.
2680
2682 Optional filter for Postfix LMTP client DNS lookup results. See
2683 smtp_dns_reply_filter for details including an example.
2684
2685 This feature is available in Postfix 3.0 and later.
2686
2688 The LMTP-specific version of the smtp_dns_resolver_options configura‐
2689 tion parameter. See there for details.
2690
2691 This feature is available in Postfix 2.8 and later.
2692
2694 The LMTP-specific version of the smtp_dns_support_level configuration
2695 parameter. See there for details.
2696
2697 This feature is available in Postfix 2.11 and later.
2698
2700 The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2701 ter. See there for details.
2702
2703 This feature is available in Postfix 2.3 and later.
2704
2706 Optional list of relay hosts for LMTP destinations that can't be found
2707 or that are unreachable. In main.cf elements are separated by white‐
2708 space or commas.
2709
2710 By default, mail is returned to the sender when a destination is not
2711 found, and delivery is deferred when a destination is unreachable.
2712
2713 The fallback relays must be TCP destinations, specified without a lead‐
2714 ing "inet:" prefix. Specify a host or host:port. Since MX lookups do
2715 not apply with LMTP, there is no need to use the "[host]" or
2716 "[host]:port" forms. If you specify multiple LMTP destinations, Post‐
2717 fix will try them in the specified order.
2718
2719 This feature is available in Postfix 3.1 and later.
2720
2722 The LMTP-specific version of the smtp_generic_maps configuration param‐
2723 eter. See there for details.
2724
2725 This feature is available in Postfix 2.3 and later.
2726
2728 The LMTP-specific version of the smtp_header_checks configuration
2729 parameter. See there for details.
2730
2731 This feature is available in Postfix 2.5 and later.
2732
2734 The LMTP-specific version of the smtp_host_lookup configuration parame‐
2735 ter. See there for details.
2736
2737 This feature is available in Postfix 2.3 and later.
2738
2740 The hostname to send in the LMTP LHLO command.
2741
2742 The default value is the machine hostname. Specify a hostname or
2743 [ip.add.re.ss].
2744
2745 This information can be specified in the main.cf file for all LMTP
2746 clients, or it can be specified in the master.cf file for a specific
2747 client, for example:
2748
2749 /etc/postfix/master.cf:
2750 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2751
2752 This feature is available in Postfix 2.3 and later.
2753
2755 The Postfix LMTP client time limit for sending the LHLO command, and
2756 for receiving the initial remote LMTP server response.
2757
2758 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2759 The default time unit is s (seconds).
2760
2762 The LMTP-specific version of the smtp_line_length_limit configuration
2763 parameter. See there for details.
2764
2765 This feature is available in Postfix 2.3 and later.
2766
2768 The Postfix LMTP client time limit for sending the MAIL FROM command,
2769 and for receiving the remote LMTP server response.
2770
2771 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2772 The default time unit is s (seconds).
2773
2775 The LMTP-specific version of the smtp_mime_header_checks configuration
2776 parameter. See there for details.
2777
2778 This feature is available in Postfix 2.5 and later.
2779
2781 The LMTP-specific version of the smtp_mx_address_limit configuration
2782 parameter. See there for details.
2783
2784 This feature is available in Postfix 2.3 and later.
2785
2787 The LMTP-specific version of the smtp_mx_session_limit configuration
2788 parameter. See there for details.
2789
2790 This feature is available in Postfix 2.3 and later.
2791
2793 The LMTP-specific version of the smtp_nested_header_checks configura‐
2794 tion parameter. See there for details.
2795
2796 This feature is available in Postfix 2.5 and later.
2797
2799 The LMTP-specific version of the smtp_per_record_deadline configuration
2800 parameter. See there for details.
2801
2802 This feature is available in Postfix 2.9 and later.
2803
2805 The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2806 uration parameter. See there for details.
2807
2808 This feature is available in Postfix 2.3 and later.
2809
2811 The LMTP-specific version of the smtp_pix_workaround_maps configuration
2812 parameter. See there for details.
2813
2814 This feature is available in Postfix 2.4 and later.
2815
2817 The LMTP-specific version of the smtp_pix_workaround_threshold_time
2818 configuration parameter. See there for details.
2819
2820 This feature is available in Postfix 2.3 and later.
2821
2823 The LMTP-specific version of the smtp_pix_workaround configuration
2824 parameter. See there for details.
2825
2826 This feature is available in Postfix 2.4 and later.
2827
2829 The Postfix LMTP client time limit for sending the QUIT command, and
2830 for receiving the remote LMTP server response.
2831
2832 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2833 The default time unit is s (seconds).
2834
2836 The LMTP-specific version of the smtp_quote_rfc821_envelope configura‐
2837 tion parameter. See there for details.
2838
2839 This feature is available in Postfix 2.3 and later.
2840
2842 The LMTP-specific version of the smtp_randomize_addresses configuration
2843 parameter. See there for details.
2844
2845 This feature is available in Postfix 2.3 and later.
2846
2848 The Postfix LMTP client time limit for sending the RCPT TO command, and
2849 for receiving the remote LMTP server response.
2850
2851 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2852 The default time unit is s (seconds).
2853
2855 The LMTP-specific version of the smtp_reply_filter configuration param‐
2856 eter. See there for details.
2857
2858 This feature is available in Postfix 2.7 and later.
2859
2861 The Postfix LMTP client time limit for sending the RSET command, and
2862 for receiving the remote LMTP server response. The LMTP client sends
2863 RSET in order to finish a recipient address probe, or to verify that a
2864 cached connection is still alive.
2865
2866 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2867 The default time unit is s (seconds).
2868
2870 The LMTP-specific version of the smtp_sasl_auth_cache_name configura‐
2871 tion parameter. See there for details.
2872
2873 This feature is available in Postfix 2.5 and later.
2874
2876 The LMTP-specific version of the smtp_sasl_auth_cache_time configura‐
2877 tion parameter. See there for details.
2878
2879 This feature is available in Postfix 2.5 and later.
2880
2882 Enable SASL authentication in the Postfix LMTP client.
2883
2885 The LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2886 tion parameter. See there for details.
2887
2888 This feature is available in Postfix 2.5 and later.
2889
2891 The LMTP-specific version of the smtp_sasl_mechanism_filter configura‐
2892 tion parameter. See there for details.
2893
2894 This feature is available in Postfix 2.3 and later.
2895
2897 Optional Postfix LMTP client lookup tables with one username:password
2898 entry per host or domain. If a remote host or domain has no user‐
2899 name:password entry, then the Postfix LMTP client will not attempt to
2900 authenticate to the remote host.
2901
2903 Implementation-specific information that is passed through to the SASL
2904 plug-in implementation that is selected with lmtp_sasl_type. Typically
2905 this specifies the name of a configuration file or rendezvous point.
2906
2907 This feature is available in Postfix 2.3 and later.
2908
2910 SASL security options; as of Postfix 2.3 the list of available features
2911 depends on the SASL client implementation that is selected with
2912 lmtp_sasl_type.
2913
2914 The following security features are defined for the cyrus client SASL
2915 implementation:
2916
2917 noplaintext
2918 Disallow authentication methods that use plaintext passwords.
2919
2920 noactive
2921 Disallow authentication methods that are vulnerable to non-dic‐
2922 tionary active attacks.
2923
2924 nodictionary
2925 Disallow authentication methods that are vulnerable to passive
2926 dictionary attack.
2927
2928 noanonymous
2929 Disallow anonymous logins.
2930
2931 Example:
2932
2933 lmtp_sasl_security_options = noplaintext
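
The lookup tables described under lmtp_sasl_password_maps hold one plaintext username:password entry per host or domain, so the source file deserves two checks before postmap compiles it: that every entry has that form, and that nobody but the owner can read it. The script below is an added example and not Postfix code; the map file, hosts and passwords are constructed, and the main.cf lines it prints combine the password map with the noplaintext and noanonymous options listed above.

```shell
#!/bin/sh
# Added example, not Postfix code: check an lmtp_sasl_password_maps source
# file before compiling it with postmap, because the file holds plaintext
# credentials and each entry must be "destination username:password".
# File names, hosts and passwords below are constructed for the example.

# Validate the entry format. Exit status 1 and a message on stderr for each
# malformed line. Passwords containing whitespace are outside this check.
validate_passwd_map() (
    set -f                             # never glob-expand entry text
    file=$1
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;       # blank lines and comments
        esac
        set -- $line
        if [ $# -ne 2 ]; then
            echo "$file:$lineno: expected 'destination username:password'" >&2
            status=1
        else
            case "$2" in
                *:*) ;;
                *) echo "$file:$lineno: credential lacks the username:password form" >&2
                   status=1 ;;
            esac
        fi
    done < "$file"
    exit $status
)

# True when group and other have no permission bits at all; anything else
# exposes the credentials to other local users.
passwd_map_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group and other bits of "-rw-------"
    case "$mode" in
        *[rwx]*) return 1 ;;
    esac
    return 0
}

# Create a constructed map in a scratch directory, run both checks, compile it
# only when postmap exists on this host, and print the matching main.cf lines.
demo() (
    dir=$(mktemp -d)
    map=$dir/lmtp_sasl_passwd
    umask 077                          # owner-only from the moment of creation
    printf '%s\n' \
        '# constructed example: destination   username:password' \
        'lmtp.example.com      app:s3cret-example' \
        'mailstore.example.net store:another-example' > "$map"
    if ! validate_passwd_map "$map" || ! passwd_map_is_private "$map"; then
        echo "refusing to use $map" >&2
        rm -rf "$dir"
        exit 1
    fi
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$map" || echo "postmap failed" >&2
    fi
    cat <<EOF
# main.cf lines for this map (lmtp_sasl_* parameters: Postfix 2.3 and later)
lmtp_sasl_auth_enable = yes
lmtp_sasl_password_maps = hash:$map
lmtp_sasl_security_options = noplaintext, noanonymous
EOF
    rm -rf "$dir"
)

demo
```

The umask is set before the file is written so that the credentials are never world-readable even briefly; checking the mode afterwards catches a file that was copied into place by other means.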
2934
2936 The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2937 uration parameter. See there for details.
2938
2939 This feature is available in Postfix 2.3 and later.
2940
2942 lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_security_options)
2943 The LMTP-specific version of the
2944 smtp_sasl_tls_verified_security_options configuration parameter. See
2945 there for details.
2945
2946 This feature is available in Postfix 2.3 and later.
2947
2949 The SASL plug-in type that the Postfix LMTP client should use for
2950 authentication. The available types are listed with the "postconf -A"
2951 command.
2952
2953 This feature is available in Postfix 2.3 and later.
2954
2956 The LMTP-specific version of the smtp_send_dummy_mail_auth configura‐
2957 tion parameter. See there for details.
2958
2959 This feature is available in Postfix 2.9 and later.
2960
2962 Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
2963 server response announces XFORWARD support. This allows an lmtp(8)
2964 delivery agent, used for content filter message injection, to forward
2965 the name, address, protocol and HELO name of the original client to the
2966 content filter and downstream queuing LMTP server. Before you change
2967 the value to yes, it is best to make sure that your content filter sup‐
2968 ports this command.
2969
2970 This feature is available in Postfix 2.1 and later.
2971
2973 The LMTP-specific version of the smtp_sender_dependent_authentication
2974 configuration parameter. See there for details.
2975
2976 This feature is available in Postfix 2.3 and later.
2977
2979 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
2980 parameter. See there for details.
2981
2982 This feature is available in Postfix 2.3 and later.
2983
2985 Wait for the response to the LMTP QUIT command.
2986
2988 The LMTP-specific version of the smtp_starttls_timeout configuration
2989 parameter. See there for details.
2990
2991 This feature is available in Postfix 2.3 and later.
2992
2994 The default TCP port that the Postfix LMTP client connects to. Specify
2995 a symbolic name (see services(5)) or a numeric port.
2996
2998 The LMTP-specific version of the smtp_tls_CAfile configuration parame‐
2999 ter. See there for details.
3000
3001 This feature is available in Postfix 2.3 and later.
3002
3004 The LMTP-specific version of the smtp_tls_CApath configuration parame‐
3005 ter. See there for details.
3006
3007 This feature is available in Postfix 2.3 and later.
3008
3010 The LMTP-specific version of the smtp_tls_block_early_mail_reply con‐
3011 figuration parameter. See there for details.
3012
3013 This feature is available in Postfix 2.7 and later.
3014
3016 The LMTP-specific version of the smtp_tls_cert_file configuration
3017 parameter. See there for details.
3018
3019 This feature is available in Postfix 2.3 and later.
3020
3022 The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3023 ter. See there for details.
3024
3025 This feature is available in Postfix 2.6 and later.
3026
3028 The LMTP-specific version of the smtp_tls_dcert_file configuration
3029 parameter. See there for details.
3030
3031 This feature is available in Postfix 2.3 and later.
3032
3034 The LMTP-specific version of the smtp_tls_dkey_file configuration
3035 parameter. See there for details.
3036
3037 This feature is available in Postfix 2.3 and later.
3038
3040 The LMTP-specific version of the smtp_tls_eccert_file configuration
3041 parameter. See there for details.
3042
3043 This feature is available in Postfix 2.6 and later, when Postfix is
3044 compiled and linked with OpenSSL 1.0.0 or later.
3045
3047 The LMTP-specific version of the smtp_tls_eckey_file configuration
3048 parameter. See there for details.
3049
3050 This feature is available in Postfix 2.6 and later, when Postfix is
3051 compiled and linked with OpenSSL 1.0.0 or later.
3052
3054 The LMTP-specific version of the smtp_tls_enforce_peername configura‐
3055 tion parameter. See there for details.
3056
3057 This feature is available in Postfix 2.3 and later.
3058
3060 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3061 parameter. See there for details.
3062
3063 This feature is available in Postfix 2.3 and later.
3064
3066 The LMTP-specific version of the smtp_tls_fingerprint_cert_match con‐
3067 figuration parameter. See there for details.
3068
3069 This feature is available in Postfix 2.5 and later.
3070
3072 The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3073 tion parameter. See there for details.
3074
3075 This feature is available in Postfix 2.5 and later.
3076
3078 The LMTP-specific version of the
3079 smtp_tls_force_insecure_host_tlsa_lookup configuration parameter. See
3080 there for details.
3080
3081 This feature is available in Postfix 2.11 and later.
3082
3084 The LMTP-specific version of the smtp_tls_key_file configuration param‐
3085 eter. See there for details.
3086
3087 This feature is available in Postfix 2.3 and later.
3088
3090 The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3091 eter. See there for details.
3092
3093 This feature is available in Postfix 2.3 and later.
3094
3096 The LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3097 tion parameter. See there for details.
3098
3099 This feature is available in Postfix 2.3 and later.
3100
3102 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
3103 configuration parameter. See there for details.
3104
3105 This feature is available in Postfix 2.3 and later.
3106
3108 The LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3109 ration parameter. See there for details.
3110
3111 This feature is available in Postfix 2.3 and later.
3112
3114 The LMTP-specific version of the smtp_tls_note_starttls_offer configu‐
3115 ration parameter. See there for details.
3116
3117 This feature is available in Postfix 2.3 and later.
3118
3120 The LMTP-specific version of the smtp_tls_per_site configuration param‐
3121 eter. See there for details.
3122
3123 This feature is available in Postfix 2.3 and later.
3124
3126 The LMTP-specific version of the smtp_tls_policy_maps configuration
3127 parameter. See there for details.
3128
3129 This feature is available in Postfix 2.3 and later.
3130
3132 The LMTP-specific version of the smtp_tls_protocols configuration
3133 parameter. See there for details.
3134
3135 This feature is available in Postfix 2.6 and later.
3136
3138 The LMTP-specific version of the smtp_tls_scert_verifydepth configura‐
3139 tion parameter. See there for details.
3140
3141 This feature is available in Postfix 2.3 and later.
3142
3144 The LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3145 tion parameter. See there for details.
3146
3147 This feature is available in Postfix 2.3 and later.
3148
3150 The LMTP-specific version of the smtp_tls_security_level configuration
3151 parameter. See there for details.
3152
3153 This feature is available in Postfix 2.3 and later.
3154
3156 The LMTP-specific version of the smtp_tls_session_cache_database con‐
3157 figuration parameter. See there for details.
3158
3159 This feature is available in Postfix 2.3 and later.
3160
3162 The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3163 uration parameter. See there for details.
3164
3165 This feature is available in Postfix 2.3 and later.
3166
3168 The LMTP-specific version of the smtp_tls_trust_anchor_file configura‐
3169 tion parameter. See there for details.
3170
3171 This feature is available in Postfix 2.11 and later.
3172
3174 The LMTP-specific version of the smtp_tls_verify_cert_match configura‐
3175 tion parameter. See there for details.
3176
3177 This feature is available in Postfix 2.3 and later.
3178
3180 The LMTP-specific version of the smtp_use_tls configuration parameter.
3181 See there for details.
3182
3183 This feature is available in Postfix 2.3 and later.
3184
3186 The Postfix LMTP client time limit for sending the XFORWARD command,
3187 and for receiving the remote LMTP server response.
3188
3189 In case of problems the client does NOT try the next address on the
3190 mail exchanger list.
3191
3192 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3193 The default time unit is s (seconds).
3194
3195 This feature is available in Postfix 2.1 and later.
3196
3198 Optional shell program for local(8) delivery to non-Postfix commands.
3199 By default, non-Postfix commands are executed directly; commands are
3200 given to the default shell (typically, /bin/sh) only when they contain
3201 shell meta characters or shell built-in commands.
3202
3203 "sendmail's restricted shell" (smrsh) is what most people will use in
3204 order to restrict what programs can be run from e.g. .forward files
3205 (smrsh is part of the Sendmail distribution).
3206
3207 Note: when a shell program is specified, it is invoked even when the
3208 command contains no shell built-in commands or meta characters.
3209
3210 Example:
3211
3212 local_command_shell = /some/where/smrsh -c
3213 local_command_shell = /bin/bash -c
3214
3216 Optional filter for the local(8) delivery agent to change the status
3217 code or explanatory text of successful or unsuccessful deliveries. See
3218 default_delivery_status_filter for details.
3219
3220 This feature is available in Postfix 3.0 and later.
3221
3223 The maximal number of parallel deliveries via the local mail delivery
3224 transport to the same recipient (when "local_destination_recipient_limit
3225 = 1") or the maximal number of parallel deliveries to the same local
3226 domain (when "local_destination_recipient_limit > 1"). This limit is
3227 enforced by the queue manager. The message delivery transport name is
3228 the first field in the entry in the master.cf file.
3229
3230 A low limit of 2 is recommended, just in case someone has an expensive
3231 shell command in a .forward file or in an alias (e.g., a mailing list
3232 manager). You don't want to run lots of those at the same time.
3233
3235 The maximal number of recipients per message delivery via the local
3236 mail delivery transport. This limit is enforced by the queue manager.
3237 The message delivery transport name is the first field in the entry in
3238 the master.cf file.
3239
3240 Setting this parameter to a value > 1 changes the meaning of
3241 local_destination_concurrency_limit from concurrency per recipient into
3242 concurrency per domain.
3243
3245 Rewrite message header addresses in mail from these clients and update
3246 incomplete addresses with the domain name in $myorigin or $mydomain;
3247 either don't rewrite message headers from other clients at all, or
3248 rewrite message headers and update incomplete addresses with the domain
3249 specified in the remote_header_rewrite_domain parameter.
3250
3251 See the append_at_myorigin and append_dot_mydomain parameters for
3252 details of how domain names are appended to incomplete addresses.
3253
3254 Specify a list of zero or more of the following:
3255
3256 permit_inet_interfaces
3257 Append the domain name in $myorigin or $mydomain when the client
3258 IP address matches $inet_interfaces. This is enabled by default.
3259
3260 permit_mynetworks
3261 Append the domain name in $myorigin or $mydomain when the client
3262 IP address matches any network or network address listed in
3263 $mynetworks. This setting will not prevent remote mail header
3264 address rewriting when mail from a remote client is forwarded by
3265 a neighboring system.
3266
3267 permit_sasl_authenticated
3268 Append the domain name in $myorigin or $mydomain when the client
3269 is successfully authenticated via the RFC 4954 (AUTH) protocol.
3270
3271 permit_tls_clientcerts
3272 Append the domain name in $myorigin or $mydomain when the remote
3273 SMTP client TLS certificate fingerprint or public key finger‐
3274 print (Postfix 2.9 and later) is listed in $relay_clientcerts.
3275 The fingerprint digest algorithm is configurable via the
3276 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
3277 to Postfix version 2.5).
3278
3279 permit_tls_all_clientcerts
3280 Append the domain name in $myorigin or $mydomain when the remote
3281 SMTP client TLS certificate is successfully verified, regardless
3282 of whether it is listed on the server, and regardless of the
3283 certifying authority.
3284
3285 check_address_map type:table
3286
3287 type:table
3288 Append the domain name in $myorigin or $mydomain when the client
3289 IP address matches the specified lookup table. The lookup
3290 result is ignored, and no subnet lookup is done. This is suit‐
3291 able for, e.g., pop-before-smtp lookup tables.
3292
3293 Examples:
3294
3295 The Postfix < 2.2 backwards compatible setting: always rewrite message
3296 headers, and always append my own domain to incomplete header
3297 addresses.
3298
3299 local_header_rewrite_clients = static:all
3300
3301 The purist (and default) setting: rewrite headers only in mail from
3302 Postfix sendmail and in SMTP mail from this machine.
3303
3304 local_header_rewrite_clients = permit_inet_interfaces
3305
3306 The intermediate setting: rewrite header addresses and append $myorigin
3307 or $mydomain information only with mail from Postfix sendmail, from
3308 local clients, or from authorized SMTP clients.
3309
3310 Note: this setting will not prevent remote mail header address rewrit‐
3311 ing when mail from a remote client is forwarded by a neighboring sys‐
3312 tem.
3313
3314 local_header_rewrite_clients = permit_mynetworks,
3315 permit_sasl_authenticated permit_tls_clientcerts
3316 check_address_map hash:/etc/postfix/pop-before-smtp
3317
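The decision the list above describes, worked through as an added example
(this is editor-written code, not Postfix's own implementation): each item
of local_header_rewrite_clients is evaluated against the SMTP client, any
match enables header rewriting, and check_address_map does an exact-match
lookup with no subnet search. The site data, the table contents, the
fingerprint and the client addresses are constructed for the demonstration;
lookup tables are modelled as a dict from "type:name" to a set of keys.

```python
import ipaddress

# Sentinel for a lookup table that matches every key, e.g. "static:all".
MATCH_ALL = object()


def _table_has(tables, table, key):
    """Exact-match lookup: the result is ignored and no subnet lookup is done."""
    entries = tables.get(table)
    if entries is None:
        raise KeyError(f"unknown lookup table {table!r}")
    return entries is MATCH_ALL or key in entries


def header_rewrite_enabled(setting, client, site, tables):
    """Return True when headers from this client are rewritten.

    setting: a local_header_rewrite_clients value.
    client:  dict with "address" and optional "sasl_authenticated",
             "tls_fingerprint", "tls_verified" (constructed model).
    site:    dict with inet_interfaces, mynetworks, relay_clientcerts.
    tables:  dict "type:name" -> set of keys, or MATCH_ALL.
    """
    items = setting.replace(",", " ").split()
    addr = ipaddress.ip_address(client["address"])
    i = 0
    while i < len(items):
        item = items[i]
        i += 1
        if item == "permit_inet_interfaces":
            hit = client["address"] in site["inet_interfaces"]
        elif item == "permit_mynetworks":
            hit = any(addr in ipaddress.ip_network(n) for n in site["mynetworks"])
        elif item == "permit_sasl_authenticated":
            hit = client.get("sasl_authenticated", False)
        elif item == "permit_tls_clientcerts":
            hit = client.get("tls_fingerprint") in site["relay_clientcerts"]
        elif item == "permit_tls_all_clientcerts":
            hit = client.get("tls_verified", False)
        elif item == "check_address_map":
            if i >= len(items):
                raise ValueError("check_address_map needs a type:table argument")
            hit = _table_has(tables, items[i], client["address"])
            i += 1
        elif ":" in item:
            # A bare "type:table" item, as in the "static:all" example.
            hit = _table_has(tables, item, client["address"])
        else:
            raise ValueError(f"unknown local_header_rewrite_clients item {item!r}")
        if hit:
            return True
    return False


# Constructed site data for the demonstration (not taken from a real system).
SITE = {
    "inet_interfaces": {"127.0.0.1", "192.0.2.1"},
    "mynetworks": ["127.0.0.0/8", "192.0.2.0/24"],
    "relay_clientcerts": {"AB:CD:EF:00:11:22"},   # constructed fingerprint
}
TABLES = {
    "static:all": MATCH_ALL,
    "hash:/etc/postfix/pop-before-smtp": {"198.51.100.7"},   # constructed
}
# The "intermediate setting" from the examples above.
INTERMEDIATE = ("permit_mynetworks, permit_sasl_authenticated permit_tls_clientcerts "
                "check_address_map hash:/etc/postfix/pop-before-smtp")

if __name__ == "__main__":
    for client in ({"address": "192.0.2.5"}, {"address": "203.0.113.9"},
                   {"address": "203.0.113.9", "sasl_authenticated": True}):
        print(client, "->", header_rewrite_enabled(INTERMEDIATE, client, SITE, TABLES))
```

A client that only matches a neighboring system's forwarding path still
passes permit_mynetworks here, which is the caveat the text attaches to
that item.
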
Lookup tables with all names or addresses of local recipients: a recipient
address is local when its domain matches $mydestination,
$inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
for domains that do not have a valid recipient list. Technically,
tables listed with $local_recipient_maps are used as lists: Postfix
needs to know only if a lookup string is found or not, but it does not
use the result from table lookup.

Specify zero or more "type:name" lookup tables, separated by whitespace
or comma. Tables will be searched in the specified order until a match
is found.

If this parameter is non-empty (the default), then the Postfix SMTP
server will reject mail for unknown local users.

To turn off local recipient checking in the Postfix SMTP server, specify
"local_recipient_maps =" (i.e. empty).

The default setting assumes that you use the default Postfix local
delivery agent for local delivery. You need to update the
local_recipient_maps setting if:

· You redefine the local delivery agent in master.cf.

· You redefine the "local_transport" setting in main.cf.

· You use the "luser_relay", "mailbox_transport", or
"fallback_transport" feature of the Postfix local(8) delivery agent.

Details are described in the LOCAL_RECIPIENT_README file.

Beware: if the Postfix SMTP server runs chrooted, you need to access
the passwd file via the proxymap(8) service, in order to overcome
chroot access restrictions. The alternative, maintaining a copy of the
system password file in the chroot jail, is not practical.

Examples:

local_recipient_maps =

The default mail delivery transport and next-hop destination for final
delivery to domains listed with mydestination, and for [ipaddress]
destinations that match $inet_interfaces or $proxy_interfaces. This
information can be overruled with the transport(5) table.

By default, local mail is delivered to the transport called "local",
which is just the name of a service that is defined in the master.cf file.

Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
destination is optional; its syntax is documented in the manual page of
the corresponding delivery agent.

Beware: if you override the default local delivery agent then you need
to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
server may reject mail for local recipients.

Optional catch-all destination for unknown local(8) recipients. By
default, mail for unknown recipients in domains that match
$mydestination, $inet_interfaces or $proxy_interfaces is returned as
undeliverable.

The following $name expansions are done on luser_relay:

$domain
The recipient domain.

$extension
The recipient address extension.

$home The recipient's home directory.

$local The entire recipient address localpart.

$recipient
The full recipient address.

$recipient_delimiter
The address extension delimiter that was found in the recipient
address (Postfix 2.11 and later), or the system-wide recipient
address extension delimiter (Postfix 2.10 and earlier).

$shell The recipient's login shell.

$user The recipient username.

${name?value}
Expands to value when $name has a non-empty value.

${name:value}
Expands to value when $name has an empty value.

Instead of $name you can also specify ${name} or $(name).

Note: luser_relay works only for the Postfix local(8) delivery agent.

Note: if you use this feature for accounts not in the UNIX password
file, then you must specify "local_recipient_maps =" (i.e. empty) in
the main.cf file, otherwise the Postfix SMTP server will reject mail
for non-UNIX accounts with "User unknown in local recipient table".

Examples:

luser_relay = $user@other.host
luser_relay = $local@other.host
luser_relay = admin+$local

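The luser_relay expansion rules listed above, implemented as an added
example (editor-written; not the local(8) expansion code itself). It
handles $name, ${name}, $(name), ${name?value} and ${name:value} over a
constructed recipient context, and the conditional value is itself
expanded so that forms like ${extension?-$extension} work (the page does
not spell out nesting; that is this example's assumption). The second
function encodes the note about local_recipient_maps as a check over a
main.cf dict; the parameter dict and recipient attributes are constructed.

```python
import re

_TOKEN = re.compile(
    r"\$(?:"
    r"(?P<bare>[A-Za-z0-9_]+)"                                   # $name
    r"|\{(?P<brace>[A-Za-z0-9_]+)\}"                             # ${name}
    r"|\((?P<paren>[A-Za-z0-9_]+)\)"                             # $(name)
    r"|\{(?P<cname>[A-Za-z0-9_]+)(?P<op>[?:])(?P<value>[^}]*)\}"  # ${name?v} ${name:v}
    r")"
)


def expand_luser_relay(template, ctx):
    """Expand a luser_relay template against a recipient attribute dict.

    Undefined or empty attributes expand to the empty string; the value
    of a ${name?value} / ${name:value} form is expanded recursively
    (an assumption of this example).
    """
    def repl(m):
        name = m.group("bare") or m.group("brace") or m.group("paren")
        if name:
            return ctx.get(name, "")
        present = bool(ctx.get(m.group("cname"), ""))
        chosen = present if m.group("op") == "?" else not present
        return expand_luser_relay(m.group("value"), ctx) if chosen else ""
    return _TOKEN.sub(repl, template)


def luser_relay_warnings(main_cf):
    """Flag the combination the note above warns about."""
    warnings = []
    if main_cf.get("luser_relay") and main_cf.get("local_recipient_maps", "x"):
        warnings.append(
            "luser_relay is set but local_recipient_maps is non-empty: the SMTP "
            "server rejects mail for non-UNIX accounts with "
            "\"User unknown in local recipient table\"")
    return warnings


# Constructed attributes for one unknown local recipient (no passwd entry,
# so $home and $shell are empty).
RECIPIENT = {
    "user": "alice", "extension": "sales", "local": "alice+sales",
    "domain": "example.com", "recipient": "alice+sales@example.com",
    "recipient_delimiter": "+", "home": "", "shell": "",
}

if __name__ == "__main__":
    for tpl in ("$user@other.host", "$local@other.host", "admin+$local",
                "$(user)${extension?-$extension}@other.host", "${home:unknown}"):
        print(f"{tpl:45} -> {expand_luser_relay(tpl, RECIPIENT)}")
    print(luser_relay_warnings({"luser_relay": "$user@other.host",
                                "local_recipient_maps": "proxy:unix:passwd.byname"}))
```
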
The mail system name that is displayed in Received: headers, in the
SMTP greeting banner, and in bounced mail.

The UNIX system account that owns the Postfix queue and most Postfix
daemon processes. Specify the name of an unprivileged user account
that does not share a user or group ID with other accounts, and that
owns no other files or processes on the system. In particular, don't
specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.

When this parameter value is changed you need to re-run "postfix
set-permissions" (with Postfix version 2.0 and earlier:
"/etc/postfix/post-install set-permissions").

The Postfix release date, in "YYYYMMDD" format.

The directory where local(8) UNIX-style mailboxes are kept. The default
setting depends on the system type. Specify a name ending in / for
maildir-style delivery.

Note: maildir delivery is done with the privileges of the recipient.
If you use the mail_spool_directory setting for maildir style delivery,
then you must create the top-level maildir directory in advance.
Postfix will not create it.

Examples:

mail_spool_directory = /var/mail
mail_spool_directory = /var/spool/mail

The version of the mail system. Stable releases are named
major.minor.patchlevel. Experimental releases also include the release
date. The version string can be used in, for example, the SMTP greeting
banner.

Optional external command that the local(8) delivery agent should use
for mailbox delivery. The command is run with the user ID and the
primary group ID privileges of the recipient. Exception: command delivery
for root executes with $default_privs privileges. This is not a
problem, because 1) mail for root should always be aliased to a real user
and 2) don't log in as root, use "su" instead.

The following environment variables are exported to the command:

CLIENT_ADDRESS
Remote client network address. Available in Postfix version 2.2
and later.

CLIENT_HELO
Remote client EHLO command parameter. Available in Postfix
version 2.2 and later.

CLIENT_HOSTNAME
Remote client hostname. Available in Postfix version 2.2 and
later.

CLIENT_PROTOCOL
Remote client protocol. Available in Postfix version 2.2 and
later.

DOMAIN The domain part of the recipient address.

EXTENSION
The optional address extension.

HOME The recipient home directory.

LOCAL The recipient address localpart.

LOGNAME
The recipient's username.

ORIGINAL_RECIPIENT
The entire recipient address, before any address rewriting or
aliasing.

RECIPIENT
The full recipient address.

SASL_METHOD
SASL authentication method specified in the remote client AUTH
command. Available in Postfix version 2.2 and later.

SASL_SENDER
SASL sender address specified in the remote client MAIL FROM
command. Available in Postfix version 2.2 and later.

SASL_USER
SASL username specified in the remote client AUTH command.
Available in Postfix version 2.2 and later.

SENDER The full sender address.

SHELL The recipient's login shell.

USER The recipient username.

Unlike other Postfix configuration parameters, the mailbox_command
parameter is not subjected to $name substitutions. This is to make it
easier to specify shell syntax (see example below).

If you can, avoid shell meta characters because they will force Postfix
to run an expensive shell process. If you're delivering via Procmail
then running a shell won't make a noticeable difference in the total
cost.

Note: if you use the mailbox_command feature to deliver mail
system-wide, you must set up an alias that forwards mail for root to a
real user.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Examples:

mailbox_command = /some/where/procmail
mailbox_command = /some/where/procmail -a "$EXTENSION"
mailbox_command = /some/where/maildrop -d "$USER"
-f "$SENDER" "$EXTENSION"

Optional lookup tables with per-recipient external commands to use for
local(8) mailbox delivery. Behavior is as with mailbox_command.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Specify zero or more "type:name" lookup tables, separated by whitespace
or comma. Tables will be searched in the specified order until a match
is found.

How to lock a UNIX-style local(8) mailbox before attempting delivery.
For a list of available file locking methods, use the "postconf -l"
command.

This setting is ignored with maildir style delivery, because such
deliveries are safe without explicit locks.

Note: The dotlock method requires that the recipient UID or GID has
write access to the parent directory of the mailbox file.

Note: the default setting of this parameter is system dependent.

The maximal size of any local(8) individual mailbox or maildir file, or
zero (no limit). In fact, this limits the size of any file that is
written to upon local delivery, including files written by external
commands that are executed by the local(8) delivery agent.

This limit must not be smaller than the message size limit.

Optional message delivery transport that the local(8) delivery agent
should use for mailbox delivery to all local recipients, whether or not
they are found in the UNIX passwd database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Optional lookup tables with per-recipient message delivery transports
to use for local(8) mailbox delivery, whether or not the recipients are
found in the UNIX passwd database.

The precedence of local(8) delivery features from high to low is:
aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Specify zero or more "type:name" lookup tables, separated by whitespace
or comma. Tables will be searched in the specified order until a match
is found.

For safety reasons, this feature does not allow $number substitutions
in regular expression maps.

This feature is available in Postfix 2.3 and later.

Sendmail compatibility feature that specifies where the Postfix
mailq(1) command is installed. This command can be used to list the
Postfix mail queue.

Where the Postfix manual pages are installed.

Obsolete feature: use the reject_rbl_client feature instead.

The numerical Postfix SMTP server response code when a remote SMTP
client request is blocked by the reject_rbl_client,
reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
or reject_rhsbl_recipient restriction.

Do not change this unless you have a complete understanding of RFC
5321.

What addresses are subject to address masquerading.

By default, address masquerading is limited to envelope sender
addresses, and to header sender and header recipient addresses. This
allows you to use address masquerading on a mail gateway while still
being able to forward mail to users on individual machines.

Specify zero or more of: envelope_sender, envelope_recipient,
header_sender, header_recipient

Optional list of domains whose subdomain structure will be stripped off
in email addresses.

The list is processed left to right, and processing stops at the first
match. Thus,

masquerade_domains = foo.example.com example.com

strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
strips "user@any.thing.else.example.com" to "user@example.com".

A domain name prefixed with ! means do not masquerade this domain or
its subdomains. Thus,

masquerade_domains = !foo.example.com example.com

does not change "user@any.thing.foo.example.com" or "user@foo.example.com",
but strips "user@any.thing.else.example.com" to
"user@example.com".

Note: with Postfix version 2.2, message header address masquerading
happens only when message header address rewriting is enabled:

· The message is received with the Postfix sendmail(1) command,

· The message is received from a network client that matches
$local_header_rewrite_clients,

· The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty
value.

To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".

Example:

masquerade_domains = $mydomain

Optional list of user names that are not subjected to address
masquerading, even when their address matches $masquerade_domains.

By default, address masquerading makes no exceptions.

Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored).
Continue long lines by starting the next line with whitespace. Specify
"!pattern" to exclude a name from the list. The form "!/file/name" is
supported only in Postfix version 2.4 and later.

Examples:

masquerade_exceptions = root, mailer-daemon
masquerade_exceptions = root

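The masquerading rules of the three preceding parameters (the address
classes, masquerade_domains and masquerade_exceptions), worked through as
one added example; this is editor-written code and not Postfix's rewriting
code. It applies the left-to-right, first-match rule with "!" exclusions,
treats the masquerade_exceptions entry as the address localpart (an
assumption of this example; "/file/name" and "type:table" patterns are not
modelled), and uses the default classes so that envelope recipients on a
gateway are left alone. The message dict and addresses are constructed.

```python
DEFAULT_CLASSES = "envelope_sender, header_sender, header_recipient"


def _domain_matches(domain, target):
    """True when domain is target or a subdomain of it (case-insensitive)."""
    domain, target = domain.lower(), target.lower()
    return domain == target or domain.endswith("." + target)


def is_exception(user, masquerade_exceptions):
    """masquerade_exceptions: left to right, first match wins, '!name' excludes."""
    for pattern in masquerade_exceptions.replace(",", " ").split():
        negate = pattern.startswith("!")
        name = pattern[1:] if negate else pattern
        if user.lower() == name.lower():
            return not negate
    return False


def masquerade_address(address, masquerade_domains, masquerade_exceptions=""):
    """Strip subdomain structure according to masquerade_domains."""
    localpart, at, domain = address.rpartition("@")
    if not at or is_exception(localpart, masquerade_exceptions):
        return address
    for entry in masquerade_domains.split():
        negate = entry.startswith("!")
        target = entry[1:] if negate else entry
        if _domain_matches(domain, target):
            # First match decides: either keep the address ('!') or rewrite it.
            return address if negate else f"{localpart}@{target}"
    return address


def masquerade_message(message, masquerade_domains, masquerade_exceptions="",
                       masquerade_classes=DEFAULT_CLASSES):
    """Apply masquerading to the address classes selected by masquerade_classes.

    message is a dict keyed by envelope_sender, envelope_recipient,
    header_sender and header_recipient (a constructed model of one message).
    """
    classes = set(masquerade_classes.replace(",", " ").split())
    return {
        field: (masquerade_address(addr, masquerade_domains, masquerade_exceptions)
                if field in classes else addr)
        for field, addr in message.items()
    }


# Constructed message on a gateway for example.com.
MESSAGE = {
    "envelope_sender": "alice@host1.example.com",
    "envelope_recipient": "bob@host2.example.com",
    "header_sender": "alice@host1.example.com",
    "header_recipient": "bob@host2.example.com",
}

if __name__ == "__main__":
    for field, addr in masquerade_message(MESSAGE, "example.com", "root").items():
        print(f"{field:20} {addr}")
```

With the default classes the envelope recipient keeps its host name, which
is what lets the gateway still forward the message to the individual
machine.
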
Selectively disable master(8) listener ports by service type or by
service name and type. Specify a list of service types ("inet", "unix",
"fifo", or "pass") or "name/type" tuples, where "name" is the first
field of a master.cf entry and "type" is a service type. As with other
Postfix matchlists, a search stops at the first match. Specify
"!pattern" to exclude a service from the list. By default, all master(8)
listener ports are enabled.

Note: this feature does not support "/file/name" or "type:table"
patterns, nor does it support wildcards such as "*" or "all". This is
intentional.

Examples:

# With Postfix 2.6..2.10 use '.' instead of '/'.
# Turn on all master(8) listener ports (the default).
master_service_disable =
# Turn off only the main SMTP listener port.
master_service_disable = smtp/inet
# Turn off all TCP/IP listener ports.
master_service_disable = inet
# Turn off all TCP/IP listener ports except "foo".
master_service_disable = !foo/inet, inet

This feature is available in Postfix 2.6 and later.

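The master_service_disable matchlist semantics above (first match stops
the search, "!" excludes, only bare types and "name/type" tuples are
accepted), as an added example in editor-written Python rather than
master(8)'s own parser. The separator defaults to "/" and can be set to "."
for the 2.6..2.10 syntax the comment mentions; the master.cf service list
is constructed for the demonstration.

```python
SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}


def parse_master_service_disable(value, separator="/"):
    """Parse a master_service_disable value into (negate, name, type) patterns.

    A pattern with name None matches every service of that type. Anything
    that is not a bare type or a name/type tuple is rejected, matching the
    note that "/file/name", "type:table", "*" and "all" are unsupported.
    """
    patterns = []
    for token in value.replace(",", " ").split():
        negate = token.startswith("!")
        body = token[1:] if negate else token
        if body in SERVICE_TYPES:
            patterns.append((negate, None, body))
            continue
        name, sep, stype = body.rpartition(separator)
        if not sep or not name or stype not in SERVICE_TYPES:
            raise ValueError(f"unsupported master_service_disable pattern {token!r}")
        patterns.append((negate, name, stype))
    return patterns


def service_disabled(name, stype, patterns):
    """First matching pattern decides; no match means the service stays enabled."""
    for negate, pname, ptype in patterns:
        if ptype == stype and (pname is None or pname == name):
            return not negate
    return False


def enabled_services(master_entries, value, separator="/"):
    """Return the (name, type) entries that remain enabled under `value`."""
    patterns = parse_master_service_disable(value, separator)
    return [(n, t) for n, t in master_entries if not service_disabled(n, t, patterns)]


def is_rejected(value, separator="/"):
    """True when the value uses a pattern form this feature does not support."""
    try:
        parse_master_service_disable(value, separator)
    except ValueError:
        return True
    return False


# Constructed master.cf service list (name, type); not read from a real file.
MASTER_ENTRIES = [
    ("smtp", "inet"), ("submission", "inet"), ("foo", "inet"),
    ("pickup", "unix"), ("cleanup", "unix"), ("qmgr", "fifo"),
]

if __name__ == "__main__":
    for setting in ("", "smtp/inet", "inet", "!foo/inet, inet"):
        print(f"{setting!r:20} -> {enabled_services(MASTER_ENTRIES, setting)}")
```
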
The maximum amount of time that an idle Postfix daemon process waits
for an incoming connection before terminating voluntarily. This
parameter is ignored by the Postfix queue manager and by other long-lived
Postfix daemon processes.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

The maximal number of incoming connections that a Postfix daemon
process will service before terminating voluntarily. This parameter is
ignored by the Postfix queue manager and by other long-lived Postfix
daemon processes.

The maximal time between attempts to deliver a deferred message.

This parameter should be set to a value greater than or equal to
$minimal_backoff_time. See also $queue_run_delay.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

Consider a message as undeliverable, when delivery fails with a
temporary error, and the time in the queue has reached the
maximal_queue_lifetime limit.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

Names of message headers that the cleanup(8) daemon will remove after
applying header_checks(5) and before invoking Milter applications. The
default setting is compatible with Postfix < 3.0.

Specify a list of header names, separated by comma or space. Names are
matched in a case-insensitive manner. The list of supported header
names is limited only by available memory.

This feature is available in Postfix 3.0 and later.

The set of characters that Postfix will reject in message content. The
usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
(up to three octal digits) and \\.

Note 1: this feature does not recognize text that requires MIME
decoding. It inspects raw message content, just like header_checks and
body_checks.

Note 2: this feature is disabled with "receive_override_options =
no_header_body_checks".

Example:

message_reject_characters = \0

This feature is available in Postfix 2.3 and later.

The maximal size in bytes of a message, including envelope information.

Note: be careful when making changes. Excessively small values will
result in the loss of non-delivery notifications, when a bounce message
size exceeds the local or remote MTA's message size limit.

The set of characters that Postfix will remove from message content.
The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
\ddd (up to three octal digits) and \\.

Note 1: this feature does not recognize text that requires MIME
decoding. It inspects raw message content, just like header_checks and
body_checks.

Note 2: this feature is disabled with "receive_override_options =
no_header_body_checks".

Example:

message_strip_characters = \0

This feature is available in Postfix 2.3 and later.

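The escape-sequence syntax shared by message_reject_characters and
message_strip_characters, decoded into a byte set and applied to raw
content, as one added example serving both parameters (editor-written; not
the Postfix unescape routine). It recognizes exactly the sequences the text
lists, inspects bytes without MIME decoding as Note 1 says, and honours
the no_header_body_checks override from Note 2. How an unrecognized escape
is treated is not stated on the page; this example keeps the escaped
character literally, which is an assumption. The message bytes are
constructed.

```python
_SIMPLE_ESCAPES = {"a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}
_OCTAL = "01234567"


def parse_char_set(value):
    """Decode a main.cf character-set value into a set of byte values."""
    chars, i = set(), 0
    while i < len(value):
        ch = value[i]
        i += 1
        if ch != "\\":
            chars.add(ord(ch))
            continue
        if i >= len(value):
            raise ValueError("trailing backslash in character set")
        ch = value[i]
        if ch in _SIMPLE_ESCAPES:
            chars.add(_SIMPLE_ESCAPES[ch])
            i += 1
        elif ch in _OCTAL:
            # \ddd: up to three octal digits, e.g. \0 or \177.
            j = i
            while j < len(value) and j - i < 3 and value[j] in _OCTAL:
                j += 1
            chars.add(int(value[i:j], 8) & 0xFF)
            i = j
        else:
            # Unrecognized escape: kept literally (assumption of this example).
            chars.add(ord(ch))
            i += 1
    return chars


def inspect_content(raw, reject_chars, strip_chars, receive_override_options=""):
    """Return (accepted, content) for raw message bytes.

    Rejection wins over stripping; both are skipped entirely when
    receive_override_options contains no_header_body_checks.
    """
    options = receive_override_options.replace(",", " ").split()
    if "no_header_body_checks" in options:
        return True, raw
    if any(b in reject_chars for b in raw):
        return False, raw
    return True, bytes(b for b in raw if b not in strip_chars)


# Constructed raw message fragment containing an embedded NUL byte.
SAMPLE = b"Subject: hi\x00there\r\n"

if __name__ == "__main__":
    print(inspect_content(SAMPLE, parse_char_set(r"\0"), set()))
    print(inspect_content(SAMPLE, set(), parse_char_set(r"\0")))
```
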
The location of non-executable files that are shared among multiple
Postfix instances, such as postfix-files, dynamicmaps.cf, and the
multi-instance template files main.cf.proto and master.cf.proto. This
directory should contain only Postfix-related files. Typically, the
meta_directory parameter has the same default as the config_directory
parameter (/etc/postfix or /usr/local/etc/postfix).

For backwards compatibility with Postfix versions 2.6..2.11, specify
"meta_directory = $daemon_directory" in main.cf before installing or
upgrading Postfix, or specify "meta_directory = /path/name" on the
"make makefiles", "make install" or "make upgrade" command line.

This feature is available in Postfix 3.0 and later.

The time limit for sending an SMTP command to a Milter (mail filter)
application, and for receiving the response.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

This feature is available in Postfix 2.3 and later.

The macros that are sent to Milter (mail filter) applications after
completion of an SMTP connection. See MILTER_README for a list of
available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The time limit for connecting to a Milter (mail filter) application,
and for negotiating protocol options.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

This feature is available in Postfix 2.3 and later.

The time limit for sending message content to a Milter (mail filter)
application, and for receiving the response.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

This feature is available in Postfix 2.3 and later.

The macros that are sent to version 4 or higher Milter (mail filter)
applications after the SMTP DATA command. See MILTER_README for a list
of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The default action when a Milter (mail filter) application is
unavailable or mis-configured. Specify one of the following:

accept Proceed as if the mail filter was not present.

reject Reject all further commands in this session with a permanent
status code.

tempfail
Reject all further commands in this session with a temporary
status code.

quarantine
Like "accept", but freeze the message in the "hold" queue.
Available with Postfix 2.6 and later.

This feature is available in Postfix 2.3 and later.

The macros that are sent to Milter (mail filter) applications after the
message end-of-data. See MILTER_README for a list of available macro
names and their meanings.

This feature is available in Postfix 2.3 and later.

The macros that are sent to Milter (mail filter) applications after the
end of the message header. See MILTER_README for a list of available
macro names and their meanings.

This feature is available in Postfix 2.5 and later.

Optional lookup tables for content inspection of message headers that
are produced by Milter applications. See the header_checks(5) manual
page for available actions. Currently, PREPEND is not implemented.

The following example sends all mail that is marked as SPAM to a spam
handling machine. Note that matches are case-insensitive by default.

/etc/postfix/main.cf:
milter_header_checks = pcre:/etc/postfix/milter_header_checks

/etc/postfix/milter_header_checks:
/^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25

The milter_header_checks mechanism could also be used for whitelisting.
For example it could be used to skip heavy content inspection for
DKIM-signed mail from known friendly domains.

This feature is available in Postfix 2.7, and as an optional patch for
Postfix 2.6.

The macros that are sent to Milter (mail filter) applications after the
SMTP HELO or EHLO command. See MILTER_README for a list of available
macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The {daemon_name} macro value for Milter (mail filter) applications.
See MILTER_README for a list of available macro names and their
meanings.

This feature is available in Postfix 2.3 and later.

Optional list of name=value pairs that specify default values for
arbitrary macros that Postfix may send to Milter applications. These
defaults are used when there is no corresponding information from the
message delivery context.

Specify name=value or {name}=value pairs separated by comma or
whitespace. Enclose a pair in "{}" when a value contains comma or
whitespace (this form ignores whitespace after the enclosing "{", around the
"=", and before the enclosing "}").

This feature is available in Postfix 3.1 and later.

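A parser for the macro-defaults syntax just described (the
milter_macro_defaults parameter), as an added example in editor-written
Python; it is not Postfix's own parser. It accepts name=value and
{name}=value pairs separated by comma or whitespace, and a whole pair
enclosed in "{}" when the value contains commas or whitespace, dropping the
whitespace after "{", around "=" and before "}" as the text specifies. The
macro names in the sample values ("i", "{auth_type}", "{client_name}") are
standard Milter macro names used here only as constructed input.

```python
def _matching_brace(text, start):
    """Index of the '}' that closes the '{' at text[start]."""
    depth = 0
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced '{' in macro defaults")


def _strip_braces(name):
    """'{name}' and 'name' denote the same macro."""
    name = name.strip()
    if name.startswith("{") and name.endswith("}"):
        name = name[1:-1].strip()
    return name


def parse_macro_defaults(value):
    """Parse a macro-defaults value into a dict of macro name -> default."""
    defaults, i, n = {}, 0, len(value)
    while i < n:
        if value[i] in " \t,":
            i += 1
            continue
        if value[i] == "{":
            j = _matching_brace(value, i)
            inner = value[i + 1:j].strip()
            i = j + 1
            if "=" in inner:
                # Whole pair enclosed: "{name = value with, commas}".
                name, _, val = inner.partition("=")
                defaults[_strip_braces(name)] = val.strip()
                continue
            # "{name}=value": the braces only delimit the macro name.
            if i >= n or value[i] != "=":
                raise ValueError(f"expected '=' after macro name {inner!r}")
            name, i = inner, i + 1
        else:
            j = i
            while j < n and value[j] not in " \t,=":
                j += 1
            name = value[i:j]
            if j >= n or value[j] != "=":
                raise ValueError(f"expected '=' after macro name {name!r}")
            i = j + 1
        # Unenclosed value: runs up to the next comma or whitespace.
        j = i
        while j < n and value[j] not in " \t,":
            j += 1
        defaults[name] = value[i:j]
        i = j
    return defaults


def is_invalid(value):
    """True when the value does not follow the documented syntax."""
    try:
        parse_macro_defaults(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample setting.
    print(parse_macro_defaults("i=unknown, {auth_type = none} "
                               "{ {client_name} = unknown host, with comma }"))
```
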
The {v} macro value for Milter (mail filter) applications. See
MILTER_README for a list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The macros that are sent to Milter (mail filter) applications after the
SMTP MAIL FROM command. See MILTER_README for a list of available macro
names and their meanings.

This feature is available in Postfix 2.3 and later.

The mail filter protocol version and optional protocol extensions for
communication with a Milter application; prior to Postfix 2.6 the
default protocol is 2. Postfix sends this version number during the
initial protocol handshake. It should match the version number that is
expected by the mail filter application (or by its Milter library).

Protocol versions:

2 Use Sendmail 8 mail filter protocol version 2 (default with
Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).

3 Use Sendmail 8 mail filter protocol version 3.

4 Use Sendmail 8 mail filter protocol version 4.

6 Use Sendmail 8 mail filter protocol version 6 (default with
Sendmail version 8.14 and Postfix version 2.6).

Protocol extensions:

no_header_reply
Specify this when the Milter application will not reply for each
individual message header.

This feature is available in Postfix 2.3 and later.

The macros that are sent to Milter (mail filter) applications after the
SMTP RCPT TO command. See MILTER_README for a list of available macro
names and their meanings.

This feature is available in Postfix 2.3 and later.

The macros that are sent to version 3 or higher Milter (mail filter)
applications after an unknown SMTP command. See MILTER_README for a
list of available macro names and their meanings.

This feature is available in Postfix 2.3 and later.

The maximal length of MIME multipart boundary strings. The MIME
processor is unable to distinguish between boundary strings that do not
differ in the first $mime_boundary_length_limit characters.

This feature is available in Postfix 2.0 and later.

Optional lookup tables for content inspection of MIME related message
headers, as described in the header_checks(5) manual page.

This feature is available in Postfix 2.0 and later.

The maximal recursion level that the MIME processor will handle.
Postfix refuses mail that is nested deeper than the specified limit.

This feature is available in Postfix 2.0 and later.

The minimal time between attempts to deliver a deferred message; prior
to Postfix 2.4 the default value was 1000s.

This parameter also limits the time an unreachable destination is kept
in the short-term, in-memory, destination status cache.

This parameter should be set greater than or equal to $queue_run_delay.
See also $maximal_backoff_time.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).

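Several passages on this page state constraints between parameters rather
than a single setting: the maximal backoff time should not be below the
minimal backoff time, which in turn should not be below $queue_run_delay;
the mailbox size limit must not be smaller than the message size limit;
mail_owner must not be nobody or daemon; an empty local_recipient_maps
stops the SMTP server from rejecting mail for unknown local users; and a
maximal_queue_lifetime of 0 means one delivery attempt. The following
added example (editor-written, not a Postfix tool) reads a small main.cf
and reports violations. It parses time values with the per-parameter
default units the page gives (d for maximal_queue_lifetime, s otherwise;
s for queue_run_delay is an assumption here), only checks parameters that
are explicitly set, and does no $name expansion. Both main.cf texts are
constructed.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Default time unit per parameter; everything not listed defaults to seconds
# (assumed for queue_run_delay, stated on the page for the others).
DEFAULT_UNIT = {"maximal_queue_lifetime": "d"}


def parse_time(value, param):
    """Convert '300', '5m' or '2h' to seconds using the parameter's default unit."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw])?\s*", value)
    if not m:
        raise ValueError(f"{param}: bad time value {value!r}")
    unit = m.group(2) or DEFAULT_UNIT.get(param, "s")
    return int(m.group(1)) * UNIT_SECONDS[unit]


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value', '#' comments, and continuation
    lines that start with whitespace. No $name expansion is performed."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any parameter")
            params[current] += " " + line.strip()
            continue
        name, eq, value = line.partition("=")
        if not eq:
            raise ValueError(f"not a parameter line: {line!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def audit_main_cf(params):
    """Return a list of findings for the constraints stated on this page."""
    findings = []
    times = {p: parse_time(params[p], p) for p in
             ("maximal_backoff_time", "minimal_backoff_time", "queue_run_delay",
              "maximal_queue_lifetime") if p in params}
    if {"maximal_backoff_time", "minimal_backoff_time"} <= times.keys() and \
            times["maximal_backoff_time"] < times["minimal_backoff_time"]:
        findings.append("maximal_backoff_time is smaller than minimal_backoff_time")
    if {"minimal_backoff_time", "queue_run_delay"} <= times.keys() and \
            times["minimal_backoff_time"] < times["queue_run_delay"]:
        findings.append("minimal_backoff_time is smaller than queue_run_delay")
    if times.get("maximal_queue_lifetime") == 0:
        findings.append("maximal_queue_lifetime is 0: delivery is attempted only once")
    if "mailbox_size_limit" in params and "message_size_limit" in params:
        mbox, msg = int(params["mailbox_size_limit"]), int(params["message_size_limit"])
        if mbox != 0 and mbox < msg:       # 0 means no mailbox limit
            findings.append("mailbox_size_limit is smaller than message_size_limit")
    if params.get("mail_owner") in ("nobody", "daemon"):
        findings.append("mail_owner must be a dedicated account, not nobody or daemon")
    if params.get("local_recipient_maps", "x") == "":
        findings.append("local_recipient_maps is empty: the SMTP server will "
                        "not reject mail for unknown local users")
    return findings


# Constructed configurations for the demonstration.
GOOD_MAIN_CF = """\
# constructed example
maximal_backoff_time = 4000s
minimal_backoff_time = 300s
queue_run_delay = 300s
maximal_queue_lifetime = 5d

message_size_limit = 10240000
mailbox_size_limit = 0
mail_owner = postfix
local_recipient_maps = proxy:unix:passwd.byname
    $alias_maps
"""
BAD_MAIN_CF = """\
maximal_backoff_time = 5m
minimal_backoff_time = 1000
queue_run_delay = 20m
maximal_queue_lifetime = 0
mailbox_size_limit = 1024000
message_size_limit = 10240000
mail_owner = nobody
local_recipient_maps =
"""

if __name__ == "__main__":
    for finding in audit_main_cf(parse_main_cf(BAD_MAIN_CF)):
        print("finding:", finding)
```
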
An optional list of non-default Postfix configuration directories;
these directories belong to additional Postfix instances that share the
Postfix executable files and documentation with the default Postfix
instance, and that are started, stopped, etc., together with the
default Postfix instance. Specify a list of pathnames separated by
comma or whitespace.

When $multi_instance_directories is empty, the postfix(1) command runs
in single-instance mode and operates on a single Postfix instance only.
Otherwise, the postfix(1) command runs in multi-instance mode and
invokes the multi-instance manager specified with the
multi_instance_wrapper parameter. The multi-instance manager in turn
executes postfix(1) commands for the default instance and for all
Postfix instances in $multi_instance_directories.

Currently, this parameter setting is ignored except for the default
main.cf file.

This feature is available in Postfix 2.6 and later.

Allow this Postfix instance to be started, stopped, etc., by a
multi-instance manager. By default, new instances are created in a
safe state that prevents them from being started inadvertently. This
parameter is reserved for the multi-instance manager.

This feature is available in Postfix 2.6 and later.

The optional instance group name of this Postfix instance. A group
identifies closely-related Postfix instances that the multi-instance
manager can start, stop, etc., as a unit. This parameter is reserved
for the multi-instance manager.

This feature is available in Postfix 2.6 and later.

The optional instance name of this Postfix instance. This name also
becomes the default value for the syslog_name parameter.

This feature is available in Postfix 2.6 and later.

The pathname of a multi-instance manager command that the postfix(1)
command invokes when the multi_instance_directories parameter value is
non-empty. The pathname may be followed by initial command arguments
separated by whitespace; shell metacharacters such as quotes are not
supported in this context.

The postfix(1) command invokes the manager command with the postfix(1)
non-option command arguments on the manager command line, and with all
installation configuration parameters exported into the manager command
process environment. The manager command in turn invokes the postfix(1)
command for individual Postfix instances as "postfix -c config_directory
command".

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a remote SMTP
client request is blocked by the reject_multi_recipient_bounce
restriction.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.1 and later.

The list of domains that are delivered via the $local_transport mail
delivery transport. By default this is the Postfix local(8) delivery
agent which looks up all recipients in /etc/passwd and /etc/aliases.
The SMTP server validates recipient addresses with $local_recipient_maps
and rejects non-existent recipients. See also the local domain class in
the ADDRESS_CLASS_README file.

The default mydestination value specifies names for the local machine
only. On a mail domain gateway, you should also include $mydomain.

The $local_transport delivery method is also selected for mail
addressed to user@[the.net.work.address] of the mail system (the IP
addresses specified with the inet_interfaces and proxy_interfaces
parameters).

Warnings:

· Do not specify the names of virtual domains - those domains are
  specified elsewhere. See VIRTUAL_README for more information.

· Do not specify the names of domains that this machine is backup
  MX host for. See STANDARD_CONFIGURATION_README for how to set up
  backup MX hosts.

· By default, the Postfix SMTP server rejects mail for recipients
  not listed with the local_recipient_maps parameter. See the
  postconf(5) manual for a description of the local_recipient_maps
  and unknown_local_recipient_reject_code parameters.

Specify a list of host or domain names, "/file/name" or "type:table"
patterns, separated by commas and/or whitespace. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a name matches a lookup key (the lookup result is ignored).
Continue long lines by starting the next line with whitespace.

Examples:

    mydestination = $myhostname, localhost.$mydomain $mydomain
    mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain

The internet domain name of this mail system. The default is to use
$myhostname minus the first component, or "localdomain" (Postfix 2.3
and later). $mydomain is used as a default value for many other
configuration parameters.

Example:

    mydomain = domain.tld

The internet hostname of this mail system. The default is to use the
fully-qualified domain name (FQDN) from gethostname(), or to use the
non-FQDN result from gethostname() and append ".$mydomain". $myhostname
is used as a default value for many other configuration parameters.

Example:

    myhostname = host.example.com

The list of "trusted" remote SMTP clients that have more privileges
than "strangers".

In particular, "trusted" SMTP clients are allowed to relay mail through
Postfix. See the smtpd_relay_restrictions parameter description in the
postconf(5) manual.

You can specify the list of "trusted" network addresses by hand or you
can let Postfix do it for you (which is the default). See the
description of the mynetworks_style parameter for more information.

If you specify the mynetworks list by hand, Postfix ignores the
mynetworks_style setting.

Specify a list of network addresses or network/netmask patterns,
separated by commas and/or whitespace. Continue long lines by starting
the next line with whitespace.

The netmask specifies the number of bits in the network part of a host
address. You can also specify "/file/name" or "type:table" patterns.
A "/file/name" pattern is replaced by its contents; a "type:table"
lookup table is matched when a table entry matches a lookup string (the
lookup result is ignored).

The list is matched left to right, and the search stops on the first
match. Specify "!pattern" to exclude an address or network block from
the list. The form "!/file/name" is supported only in Postfix version
2.4 and later.

Note 1: Pattern matching of domain names is controlled by the presence
or absence of "mynetworks" in the parent_domain_matches_subdomains
parameter value.

Note 2: IP version 6 address information must be specified inside [] in
the mynetworks value, and in files specified with "/file/name". IP
version 6 addresses contain the ":" character, and would otherwise be
confused with a "type:table" pattern.

Examples:

    mynetworks = 127.0.0.0/8 168.100.189.0/28
    mynetworks = !192.168.0.1, 192.168.0.0/28
    mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
    mynetworks = $config_directory/mynetworks
    mynetworks = hash:/etc/postfix/network_table

The method to generate the default value for the mynetworks parameter.
This is the list of trusted networks for relay access control etc.

· Specify "mynetworks_style = host" when Postfix should "trust"
  only the local machine.

· Specify "mynetworks_style = subnet" when Postfix should "trust"
  remote SMTP clients in the same IP subnetworks as the local
  machine. On Linux, this works correctly only with interfaces
  specified with the "ifconfig" command.

· Specify "mynetworks_style = class" when Postfix should "trust"
  remote SMTP clients in the same IP class A/B/C networks as the
  local machine. Caution: this may cause Postfix to "trust" your
  entire provider's network. Instead, specify an explicit mynetworks
  list by hand, as described with the mynetworks configuration
  parameter.
The domain name that locally-posted mail appears to come from, and that
locally posted mail is delivered to. The default, $myhostname, is
adequate for small sites. If you run a domain with multiple machines,
you should (1) change this to $mydomain and (2) set up a domain-wide
alias database that aliases each user to user@that.users.mailhost.

Example:

    myorigin = $mydomain

Optional lookup tables for content inspection of non-MIME message
headers in attached messages, as described in the header_checks(5)
manual page.

This feature is available in Postfix 2.0 and later.

Sendmail compatibility feature that specifies the location of the
newaliases(1) command. This command can be used to rebuild the local(8)
aliases(5) database.

The numerical Postfix SMTP server reply code when a client request is
rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
or reject_non_fqdn_recipient restriction.

A list of Milter (mail filter) applications for new mail that does not
arrive via the Postfix smtpd(8) server. This includes local submission
via the sendmail(1) command line, new mail that arrives via the Postfix
qmqpd(8) server, and old mail that is re-injected into the queue with
"postsuper -r". Specify space or comma as separator. See the
MILTER_README document for details.

This feature is available in Postfix 2.3 and later.

The list of error classes that are reported to the postmaster. The
default is to report only the most serious problems. The paranoid may
wish to turn on the policy (UCE and mail relaying) and protocol error
(broken mail software) reports.

NOTE: postmaster notifications may contain confidential information
such as SASL passwords or message content. It is the system
administrator's responsibility to treat such information with care.

The error classes are:

bounce (also implies 2bounce)
    Send the postmaster copies of the headers of bounced mail, and
    send transcripts of SMTP sessions when Postfix rejects mail. The
    notification is sent to the address specified with the
    bounce_notice_recipient configuration parameter (default:
    postmaster).

2bounce
    Send undeliverable bounced mail to the postmaster. The
    notification is sent to the address specified with the
    2bounce_notice_recipient configuration parameter (default:
    postmaster).

data
    Send the postmaster a transcript of the SMTP session with an
    error because a critical data file was unavailable. The
    notification is sent to the address specified with the
    error_notice_recipient configuration parameter (default:
    postmaster).
    This feature is available in Postfix 2.9 and later.

delay
    Send the postmaster copies of the headers of delayed mail (see
    delay_warning_time). The notification is sent to the address
    specified with the delay_notice_recipient configuration
    parameter (default: postmaster).

policy
    Send the postmaster a transcript of the SMTP session when a
    client request was rejected because of (UCE) policy. The
    notification is sent to the address specified with the
    error_notice_recipient configuration parameter (default:
    postmaster).

protocol
    Send the postmaster a transcript of the SMTP session in case of
    client or server protocol errors. The notification is sent to
    the address specified with the error_notice_recipient
    configuration parameter (default: postmaster).

resource
    Inform the postmaster of mail not delivered due to resource
    problems. The notification is sent to the address specified
    with the error_notice_recipient configuration parameter
    (default: postmaster).

software
    Inform the postmaster of mail not delivered due to software
    problems. The notification is sent to the address specified
    with the error_notice_recipient configuration parameter
    (default: postmaster).

Examples:

    notify_classes = bounce, delay, policy, protocol, resource, software
    notify_classes = 2bounce, resource, software

The numerical reply code when the Postfix SMTP server rejects a sender
or recipient address because its domain has a nullmx DNS record (an MX
record with an empty hostname). This is one of the possible replies
from the restrictions reject_unknown_sender_domain and
reject_unknown_recipient_domain.

This feature is available in Postfix 3.0 and later.

The location of the OpenSSL command line program openssl(1). This is
used by the "postfix tls" command to create private keys, certificate
signing requests, self-signed certificates, and to compute public key
digests for DANE TLSA records. In multi-instance environments, this
parameter is always determined from the configuration of the default
Postfix instance.

Example:

    /etc/postfix/main.cf:
        # NetBSD pkgsrc:
        openssl_path = /usr/pkg/bin/openssl
        # Local build:
        openssl_path = /usr/local/bin/openssl

This feature is available in Postfix 3.1 and later.

Enable special treatment for owner-listname entries in the aliases(5)
file, and don't split owner-listname and listname-request address
localparts when the recipient_delimiter is set to "-". This feature is
useful for mailing lists.

A list of Postfix features where the pattern "example.com" also matches
subdomains of example.com, instead of requiring an explicit
".example.com" pattern. This is planned backwards compatibility:
eventually, all Postfix features are expected to require explicit
".example.com" style patterns when you really want to match subdomains.

The following Postfix feature names are supported.

Postfix version 1.0 and later
    debug_peer_list, fast_flush_domains, mynetworks,
    permit_mx_backup_networks, relay_domains, transport_maps

Postfix version 1.1 and later
    qmqpd_authorized_clients, smtpd_access_maps

Postfix version 2.8 and later
    postscreen_access_list

Postfix version 3.0 and later
    smtpd_client_event_limit_exceptions

Restrict the use of the permit_mx_backup SMTP access feature to only
domains whose primary MX hosts match the listed networks. The
parameter value syntax is the same as with the mynetworks parameter;
note, however, that the default value is empty.

Pattern matching of domain names is controlled by the presence or
absence of "permit_mx_backup_networks" in the
parent_domain_matches_subdomains parameter value.

The name of the pickup(8) service. This service picks up local mail
submissions from the Postfix maildrop queue.

This feature is available in Postfix 2.0 and later.

Optional filter for the pipe(8) delivery agent to change the delivery
status code or explanatory text of successful or unsuccessful
deliveries. See default_delivery_status_filter for details.

This feature is available in Postfix 3.0 and later.

The numerical Postfix SMTP server response code when a request is
rejected by the reject_plaintext_session restriction.

This feature is available in Postfix 2.3 and later.

The postfix(1) commands that the postmulti(1) instance manager treats
as "control" commands, that operate on running instances. For these
commands, disabled instances are skipped.

This feature is available in Postfix 2.6 and later.

The postfix(1) commands that the postmulti(1) instance manager treats
as "start" commands. For these commands, disabled instances are
"checked" rather than "started", and failure to "start" a member
instance of an instance group will abort the start-up of later
instances.

This feature is available in Postfix 2.6 and later.

The postfix(1) commands that the postmulti(1) instance manager treats
as "stop" commands. For these commands, disabled instances are skipped,
and enabled instances are processed in reverse order.

This feature is available in Postfix 2.6 and later.

Permanent white/blacklist for remote SMTP client IP addresses.
postscreen(8) searches this list immediately after a remote SMTP client
connects. Specify a comma- or whitespace-separated list of commands
(in upper or lower case) or lookup tables. The search stops upon the
first command that fires for the client IP address.

permit_mynetworks
    Whitelist the client and terminate the search if the client IP
    address matches $mynetworks. Do not subject the client to any
    before/after 220 greeting tests. Pass the connection immediately
    to a Postfix SMTP server process.
    Pattern matching of domain names is controlled by the presence
    or absence of "postscreen_access_list" in the
    parent_domain_matches_subdomains parameter value.

type:table
    Query the specified lookup table. Each table lookup result is an
    access list, except that access lists inside a table cannot
    specify type:table entries.
    To discourage the use of hash, btree, etc. tables, there is no
    support for substring matching like smtpd(8). Use CIDR tables
    instead.

permit
    Whitelist the client and terminate the search. Do not subject
    the client to any before/after 220 greeting tests. Pass the
    connection immediately to a Postfix SMTP server process.

reject
    Blacklist the client and terminate the search. Subject the
    client to the action configured with the
    postscreen_blacklist_action configuration parameter.

dunno
    All postscreen(8) access lists implicitly have this command at
    the end.
    When dunno is executed inside a lookup table, return from the
    lookup table and evaluate the next command.
    When dunno is executed outside a lookup table, terminate the
    search, and subject the client to the configured before/after
    220 greeting tests.

Example:

    /etc/postfix/main.cf:
        postscreen_access_list = permit_mynetworks,
            cidr:/etc/postfix/postscreen_access.cidr
        postscreen_blacklist_action = enforce

    /etc/postfix/postscreen_access.cidr:
        # Rules are evaluated in the order as specified.
        # Blacklist 192.168.* except 192.168.0.1.
        192.168.0.1 dunno
        192.168.0.0/16 reject

This feature is available in Postfix 2.8.
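
The following added example (not Postfix code) evaluates a
postscreen_access_list value against a cidr: table with the command
semantics above; in particular it distinguishes dunno inside a table
(return to the caller and continue) from dunno at top level (stop and
run the greeting tests). The table body takes the two rows from the
manual's example and adds one constructed "permit" row; only cidr:
tables are modelled, and the mynetworks list is supplied by hand.

```python
import ipaddress


def parse_cidr_table(text):
    """Parse a cidr: table body into [(network, result)], keeping file order."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, result = line.split(None, 1)
            rows.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return rows


def evaluate_access_list(client_ip, access_list, mynetworks, tables, _depth=0):
    """Return "permit", "reject" or "dunno" for one client IP.

    Commands are case insensitive. permit and reject stop the search;
    permit_mynetworks fires only when the client is in `mynetworks`; a
    type:table command looks the client up and evaluates the result as a
    nested access list. dunno inside a table returns to the caller, which
    goes on with its next command; dunno at top level ends the search and
    means "run the before/after 220 greeting tests". An implicit dunno
    terminates every list.
    """
    ip = ipaddress.ip_address(client_ip)
    for command in access_list.replace(",", " ").split():
        lc = command.lower()
        if lc == "permit_mynetworks":
            if any(ip.version == n.version and ip in n for n in mynetworks):
                return "permit"
        elif lc in ("permit", "reject"):
            return lc
        elif lc == "dunno":
            return None if _depth else "dunno"
        elif ":" in command:
            if _depth:
                raise ValueError("type:table is not allowed inside a table result")
            table_type, _, name = command.partition(":")
            if table_type.lower() != "cidr":
                raise ValueError(f"only cidr: tables are modelled here, not {table_type}:")
            for net, result in tables[name]:
                if ip.version == net.version and ip in net:
                    verdict = evaluate_access_list(client_ip, result, mynetworks,
                                                   tables, _depth + 1)
                    if verdict is not None:
                        return verdict
                    break            # the table answered dunno: next command
        else:
            raise ValueError(f"unknown postscreen_access_list command {command!r}")
    return None if _depth else "dunno"


# main.cf value from the manual's example, plus a constructed table body that
# adds one "permit" row to the two rows shown there.
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
ACCESS_CIDR = """\
# Rules are evaluated in the order as specified.
# Blacklist 192.168.* except 192.168.0.1 and the 192.168.7.0/24 relays.
192.168.0.1      dunno
192.168.7.0/24   permit
192.168.0.0/16   reject
"""
TABLES = {"/etc/postfix/postscreen_access.cidr": parse_cidr_table(ACCESS_CIDR)}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def verdict_for(client_ip):
    return evaluate_access_list(client_ip, ACCESS_LIST, MYNETWORKS, TABLES)


if __name__ == "__main__":
    for ip in ("10.1.1.1", "192.168.0.1", "192.168.7.1", "192.168.5.5", "203.0.113.9"):
        print(f"{ip:15} -> {verdict_for(ip)}")
```

Note what "192.168.0.1 dunno" achieves: the row matches before the /16 reject, its dunno returns from the table, and since no command follows, the client falls through to the greeting tests rather than being blacklisted. A "permit" in that row would have skipped the tests entirely.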

The action that postscreen(8) takes when a remote SMTP client sends a
bare newline character, that is, a newline not preceded by carriage
return. Specify one of the following:

ignore
    Ignore the failure of this test. Allow other tests to complete.
    Do not repeat this test before the result from some other test
    expires. This option is useful for testing and collecting
    statistics without blocking mail permanently.

enforce
    Allow other tests to complete. Reject attempts to deliver mail
    with a 550 SMTP reply, and log the helo/sender/recipient
    information. Repeat this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat
    this test the next time the client connects.

This feature is available in Postfix 2.8.

Enable "bare newline" SMTP protocol tests in the postscreen(8) server.
These tests are expensive: a remote SMTP client must disconnect after
it passes the test, before it can talk to a real Postfix SMTP server.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will use the result from a
successful "bare newline" SMTP protocol test. During this time, the
client IP address is excluded from this test. The default is long
because a remote SMTP client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8.

The action that postscreen(8) takes when a remote SMTP client is
permanently blacklisted with the postscreen_access_list parameter.
Specify one of the following:

ignore (default)
    Ignore this result. Allow other tests to complete. Repeat this
    test the next time the client connects. This option is useful
    for testing and collecting statistics without blocking mail.

enforce
    Allow other tests to complete. Reject attempts to deliver mail
    with a 550 SMTP reply, and log the helo/sender/recipient
    information. Repeat this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat
    this test the next time the client connects.

This feature is available in Postfix 2.8.

The amount of time between postscreen(8) cache cleanup runs. Cache
cleanup increases the load on the cache database and should therefore
not be run frequently. This feature requires that the cache database
supports the "delete" and "sequence" operators. Specify a zero
interval to disable cache cleanup.

After each cache cleanup run, the postscreen(8) daemon logs the number
of entries that were retained and dropped. A cleanup run is logged as
"partial" when the daemon terminates early after "postfix reload",
"postfix stop", or no requests for $max_idle seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8.

Persistent storage for the postscreen(8) server decisions.

To share a postscreen(8) cache between multiple postscreen(8)
instances, use "postscreen_cache_map = proxy:btree:/path/to/file".
This requires Postfix version 2.9 or later; earlier proxymap(8)
implementations don't support cache cleanup. For an alternative
approach see the memcache_table(5) manpage.

This feature is available in Postfix 2.8.

The amount of time that postscreen(8) will cache an expired temporary
whitelist entry before it is removed. This prevents clients from being
logged as "NEW" just because their cache entry expired an hour ago. It
also prevents the cache from filling up with clients that passed some
deep protocol test once and never came back.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8.

postscreen_client_connection_count_limit (default: $smtpd_client_connection_count_limit)
How many simultaneous connections any remote SMTP client is allowed to
have with the postscreen(8) daemon. By default, this limit is the same
as with the Postfix SMTP server. Note that the triage process can take
several seconds, with the time spent in postscreen_greet_wait delay,
and with the time spent talking to the postscreen(8) built-in dummy
SMTP protocol engine.

This feature is available in Postfix 2.8.

The limit on the total number of commands per SMTP session for
postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers
or rejects all attempts to deliver mail, therefore there is no need to
enforce separate limits on the number of junk commands and error
commands.

This feature is available in Postfix 2.8.

A mechanism to transform commands from remote SMTP clients. See
smtpd_command_filter for further details.

This feature is available in Postfix 2.8 and later.

The time limit to read an entire command line with postscreen(8)'s
built-in SMTP protocol engine.

This feature is available in Postfix 2.8.

Disable the SMTP VRFY command in the postscreen(8) daemon. See
disable_vrfy_command for details.

This feature is available in Postfix 2.8.

postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_discard_ehlo_keyword_address_maps)
Lookup tables, indexed by the remote SMTP client address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
that the postscreen(8) server will not send in the EHLO response to a
remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
table is not searched by hostname for robustness reasons.

This feature is available in Postfix 2.8 and later.

A case insensitive list of EHLO keywords (pipelining, starttls, auth,
etc.) that the postscreen(8) server will not send in the EHLO response
to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.

This feature is available in Postfix 2.8 and later.

The action that postscreen(8) takes when a remote SMTP client's
combined DNSBL score is equal to or greater than a threshold (as defined
with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold
parameters). Specify one of the following:

ignore (default)
    Ignore the failure of this test. Allow other tests to complete.
    Repeat this test the next time the client connects. This option
    is useful for testing and collecting statistics without blocking
    mail.

enforce
    Allow other tests to complete. Reject attempts to deliver mail
    with a 550 SMTP reply, and log the helo/sender/recipient
    information. Repeat this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat
    this test the next time the client connects.

This feature is available in Postfix 2.8.

postscreen_dnsbl_max_ttl (default: ${postscreen_dnsbl_ttl?{$postscreen_dn
sbl_ttl}:{1}}h)
The maximum amount of time that postscreen(8) will use the result from
a successful DNS-based reputation test before a client IP address is
required to pass that test again. If the DNS reply specifies a shorter
TTL value, that value will be used unless it would be smaller than
postscreen_dnsbl_min_ttl.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 3.1. The default setting is
backwards-compatible with older Postfix versions.

The minimum amount of time that postscreen(8) will use the result from
a successful DNS-based reputation test before a client IP address is
required to pass that test again. If the DNS reply specifies a larger
TTL value, that value will be used unless it would be larger than
postscreen_dnsbl_max_ttl.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 3.1.

A mapping from actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply with when
it rejects mail. When no mapping is found, the actual DNSBL domain will
be used.

For maximal stability it is best to use a file that is read into memory
such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
except a) there is no need to run postmap(1) before the file can be
used, and b) texthash: does not detect changes after the file is read).

Example:

    /etc/postfix/main.cf:
        postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply

    /etc/postfix/dnsbl_reply:
        secret.zen.spamhaus.org zen.spamhaus.org

This feature is available in Postfix 2.8.

Optional list of DNS white/blacklist domains, filters and weight
factors. When the list is non-empty, the dnsblog(8) daemon will query
these domains with the IP addresses of remote SMTP clients, and
postscreen(8) will update an SMTP client's DNSBL score with each
non-error reply.

Caution: when postscreen rejects mail, it replies with the DNSBL domain
name. Use the postscreen_dnsbl_reply_map feature to hide "password"
information in DNSBL domain names.

When a client's score is equal to or greater than the threshold
specified with postscreen_dnsbl_threshold, postscreen(8) can drop the
connection with the remote SMTP client.

Specify a list of domain=filter*weight entries, separated by comma or
whitespace.

· When no "=filter" is specified, postscreen(8) will use any
  non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
  replies that match the filter. The filter has the form d.d.d.d,
  where each d is a number, or a pattern inside [] that contains
  one or more ";"-separated numbers or number..number ranges.

· When no "*weight" is specified, postscreen(8) increments the
  remote SMTP client's DNSBL score by 1. Otherwise, the weight
  must be an integral number, and postscreen(8) adds the specified
  weight to the remote SMTP client's DNSBL score. Specify a
  negative number for whitelisting.

· When one postscreen_dnsbl_sites entry produces multiple DNSBL
  responses, postscreen(8) applies the weight at most once.

Examples:

To use example.com as a high-confidence blocklist, and to block mail
with example.net and example.org only when both agree:

    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites = example.com*2, example.net, example.org

To filter only DNSBL replies containing 127.0.0.4:

    postscreen_dnsbl_sites = example.com=127.0.0.4

This feature is available in Postfix 2.8.

The inclusive lower bound for blocking a remote SMTP client, based on
its combined DNSBL score as defined with the postscreen_dnsbl_sites
parameter.

This feature is available in Postfix 2.8.

The time limit for DNSBL or DNSWL lookups. This is separate from the
timeouts in the dnsblog(8) daemon which are defined by system
resolver(3) routines.

This feature is available in Postfix 3.0.

The amount of time that postscreen(8) will use the result from a
successful DNS-based reputation test before a client IP address is
required to pass that test again.

Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8-3.0. It was replaced by
postscreen_dnsbl_max_ttl in Postfix 3.1.

Allow a remote SMTP client to skip "before" and "after 220 greeting"
protocol tests, based on its combined DNSBL score as defined with the
postscreen_dnsbl_sites parameter.

Specify a negative value to enable this feature. When a client passes
the postscreen_dnsbl_whitelist_threshold without having failed other
tests, all pending or disabled tests are flagged as completed with a
time-to-live value equal to postscreen_dnsbl_ttl. When a test was
already completed, its time-to-live value is updated if it was less
than postscreen_dnsbl_ttl.

This feature is available in Postfix 2.11.
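
The domain=filter*weight syntax, the at-most-once weighting, the
threshold comparison, the negative whitelist threshold, the reply-map
masking of secret DNSBL names and the Postfix 3.1 TTL clamping described
above are implemented in the following added example. It is not Postfix
or dnsblog(8) code: DNSBL answers are passed in as a constructed dict
instead of being looked up, the 550 text is modelled on postscreen's
reply rather than copied from it, and reading "passes the threshold" as
"score <= postscreen_dnsbl_whitelist_threshold" is an assumption.

```python
import re

# domain, optional "=filter", optional "*weight" (weight may be negative)
_SITE_RE = re.compile(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?")
# the four components of a d.d.d.d filter; a [..] group may contain dots
_COMPONENT_RE = re.compile(r"\[[^\]]*\]|[^.]+")


def parse_dnsbl_sites(value):
    """Parse postscreen_dnsbl_sites into [(domain, filter_or_None, weight)]."""
    sites = []
    for token in value.replace(",", " ").split():
        m = _SITE_RE.fullmatch(token)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry {token!r}")
        domain, filt, weight = m.groups()
        sites.append((domain, filt, int(weight) if weight is not None else 1))
    return sites


def _component_matches(spec, value):
    """One 'd' of a filter: a number, or [n;n..m;...] inside brackets."""
    if spec.startswith("[") and spec.endswith("]"):
        for part in spec[1:-1].split(";"):
            low, _, high = part.partition("..")
            if int(low) <= value <= int(high or low):
                return True
        return False
    return int(spec) == value


def filter_matches(filt, reply):
    """True if the DNSBL A record `reply` (e.g. '127.0.0.4') passes the filter."""
    if filt is None:
        return True                  # no "=filter": any non-error reply counts
    specs = _COMPONENT_RE.findall(filt)
    octets = [int(o) for o in reply.split(".")]
    return len(specs) == len(octets) == 4 and all(
        _component_matches(s, o) for s, o in zip(specs, octets))


def dnsbl_score(sites, replies):
    """Combined score for one client and the entries that contributed.

    `replies` maps a DNSBL domain to the list of A records it returned for
    the client (constructed here; in Postfix they come from dnsblog(8)).
    Each sites entry adds its weight at most once, however many records
    the domain returned.
    """
    score, hits = 0, []
    for domain, filt, weight in sites:
        if any(filter_matches(filt, r) for r in replies.get(domain, [])):
            score += weight
            hits.append(domain)
    return score, hits


def dnsbl_decision(score, threshold, whitelist_threshold=0):
    """'blocked' (postscreen_dnsbl_action applies), 'whitelisted' (greeting
    tests skipped; only when whitelist_threshold is negative) or 'neutral'."""
    if score >= threshold:
        return "blocked"
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "whitelisted"
    return "neutral"


def reject_text(client_ip, hits, reply_map):
    """Reply modelled on postscreen's 550; postscreen_dnsbl_reply_map swaps a
    domain that carries a secret key for its public name."""
    public = [reply_map.get(h, h) for h in hits]
    return (f"550 5.7.1 Service unavailable; client [{client_ip}] "
            f"blocked using {', '.join(public)}")


def cache_ttl(dns_ttl, min_ttl, max_ttl):
    """Postfix 3.1 rule: honour the DNS TTL, clamped between
    postscreen_dnsbl_min_ttl and postscreen_dnsbl_max_ttl (seconds)."""
    return max(min_ttl, min(dns_ttl, max_ttl))


if __name__ == "__main__":
    sites = parse_dnsbl_sites("secret.zen.spamhaus.org=127.0.0.[2..11]*3, "
                              "example.net, list.dnswl.example*-5")
    score, hits = dnsbl_score(sites, {"secret.zen.spamhaus.org": ["127.0.0.4"]})
    print(score, dnsbl_decision(score, threshold=3, whitelist_threshold=-1))
    print(reject_text("203.0.113.9", hits,
                      {"secret.zen.spamhaus.org": "zen.spamhaus.org"}))
```

The reply_map matters operationally: without it the 550 text leaks the keyed DNSBL hostname to every rejected sender, and a harvested key can be used to exhaust or get your DNSBL subscription revoked.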

Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
details.

This feature is available in Postfix 2.8 and later. Preferably, use
postscreen_tls_security_level instead.

List of characters that are permitted in postscreen_reject_footer
attribute expansions. See smtpd_expansion_filter for further details.

This feature is available in Postfix 2.8 and later.

List of commands that the postscreen(8) server considers in violation
of the SMTP protocol. See smtpd_forbidden_commands for syntax, and
postscreen_non_smtp_command_action for possible actions.

This feature is available in Postfix 2.8.

The action that postscreen(8) takes when a remote SMTP client speaks
before its turn within the time specified with the
postscreen_greet_wait parameter. Specify one of the following:

ignore (default)
    Ignore the failure of this test. Allow other tests to complete.
    Repeat this test the next time the client connects. This option
    is useful for testing and collecting statistics without blocking
    mail.

enforce
    Allow other tests to complete. Reject attempts to deliver mail
    with a 550 SMTP reply, and log the helo/sender/recipient
    information. Repeat this test the next time the client connects.

drop
    Drop the connection immediately with a 521 SMTP reply. Repeat
    this test the next time the client connects.

Whichever action is configured, postscreen(8) will not whitelist the
remote SMTP client IP address.

This feature is available in Postfix 2.8.

The text in the optional "220-text..." server response that
postscreen(8) sends ahead of the real Postfix SMTP server's "220
text..." response, in an attempt to confuse bad SMTP clients so that
they speak before their turn (pre-greet). Specify an empty value to
disable this feature.

This feature is available in Postfix 2.8.
4886
4888 The amount of time that postscreen(8) will use the result from a suc‐
4889 cessful PREGREET test. During this time, the client IP address is
4890 excluded from this test. The default is relatively short, because a
4891 good client can immediately talk to a real Postfix SMTP server.
4892
4893 Specify a non-zero time value (an integral value plus an optional
4894 one-letter suffix that specifies the time unit). Time units: s (sec‐
4895 onds), m (minutes), h (hours), d (days), w (weeks).
4896
4897 This feature is available in Postfix 2.8.
4898
4900 The amount of time that postscreen(8) will wait for an SMTP client to
4901 send a command before its turn, and for DNS blocklist lookup results to
4902 arrive (default: up to 2 seconds under stress, up to 6 seconds other‐
4903 wise).
4904
4905 Specify a non-zero time value (an integral value plus an optional
4906 one-letter suffix that specifies the time unit).
4907
4908 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4909
4910 This feature is available in Postfix 2.8.
4911
4913 Require that a remote SMTP client sends HELO or EHLO before commencing
4914 a MAIL transaction.
4915
4916 This feature is available in Postfix 2.8.
4917
4919 The action that postscreen(8) takes when a remote SMTP client sends
4920 non-SMTP commands as specified with the postscreen_forbidden_commands
4921 parameter. Specify one of the following:
4922
4923 ignore Ignore the failure of this test. Allow other tests to complete.
4924 Do not repeat this test before some the result from some other
4925 test expires. This option is useful for testing and collecting
4926 statistics without blocking mail permanently.
4927
4928 enforce
4929 Allow other tests to complete. Reject attempts to deliver mail
4930 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4931 mation. Repeat this test the next time the client connects.
4932
4933 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4934 this test the next time the client connects. This action is the
4935 same as with the Postfix SMTP server's smtpd_forbidden_commands
4936 feature.
4937
4938 This feature is available in Postfix 2.8.
4939
4941 Enable "non-SMTP command" tests in the postscreen(8) server. These
4942 tests are expensive: a client must disconnect after it passes the test,
4943 before it can talk to a real Postfix SMTP server.
4944
4945 This feature is available in Postfix 2.8.
4946
4948 The amount of time that postscreen(8) will use the result from a suc‐
4949 cessful "non_smtp_command" SMTP protocol test. During this time, the
4950 client IP address is excluded from this test. The default is long
4951 because a client must disconnect after it passes the test, before it
4952 can talk to a real Postfix SMTP server.
4953
4954 Specify a non-zero time value (an integral value plus an optional
4955 one-letter suffix that specifies the time unit). Time units: s (sec‐
4956 onds), m (minutes), h (hours), d (days), w (weeks).
4957
4958 This feature is available in Postfix 2.8.
4959
4961 The action that postscreen(8) takes when a remote SMTP client sends
4962 multiple commands instead of sending one command and waiting for the
4963 server to respond. Specify one of the following:
4964
4965 ignore Ignore the failure of this test. Allow other tests to complete.
4966 Do not repeat this test before some the result from some other
4967 test expires. This option is useful for testing and collecting
4968 statistics without blocking mail permanently.
4969
4970 enforce
4971 Allow other tests to complete. Reject attempts to deliver mail
4972 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4973 mation. Repeat this test the next time the client connects.
4974
4975 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4976 this test the next time the client connects.
4977
4978 This feature is available in Postfix 2.8.
4979
4981 Enable "pipelining" SMTP protocol tests in the postscreen(8) server.
4982 These tests are expensive: a good client must disconnect after it
4983 passes the test, before it can talk to a real Postfix SMTP server.
4984
4985 This feature is available in Postfix 2.8.
4986
4988 The amount of time that postscreen(8) will use the result from a suc‐
4989 cessful "pipelining" SMTP protocol test. During this time, the client
4990 IP address is excluded from this test. The default is long because a
4991 good client must disconnect after it passes the test, before it can
4992 talk to a real Postfix SMTP server.
4993
4994 Specify a non-zero time value (an integral value plus an optional
4995 one-letter suffix that specifies the time unit). Time units: s (sec‐
4996 onds), m (minutes), h (hours), d (days), w (weeks).
4997
4998 This feature is available in Postfix 2.8.
4999
5001 The number of clients that can be waiting for service from a real Post‐
5002 fix SMTP server process. When this queue is full, all clients will
5003 receive a 421 response.
5004
5005 This feature is available in Postfix 2.8.
5006
5008 The number of non-whitelisted clients that can be waiting for a deci‐
5009 sion whether they will receive service from a real Postfix SMTP server
5010 process. When this queue is full, all non-whitelisted clients will
5011 receive a 421 response.
5012
5013 This feature is available in Postfix 2.8.
5014
5016 Optional information that is appended after a 4XX or 5XX postscreen(8)
5017 server response. See smtpd_reject_footer for further details.
5018
5019 This feature is available in Postfix 2.8 and later.
5020
5022 The SMTP TLS security level for the postscreen(8) server; when a
5023 non-empty value is specified, this overrides the obsolete parameters
5024 postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_secu‐
5025 rity_level for details.
5026
5027 This feature is available in Postfix 2.8 and later.
5028
5030 The name of the proxy protocol used by an optional before-postscreen
5031 proxy agent. When a proxy agent is used, this protocol conveys local
5032 and remote address and port information. Specify
5033 "postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
5034 protocol.
5035
5036 This feature is available in Postfix 2.10 and later.
5037
5039 The time limit for the proxy protocol specified with the
5040 postscreen_upstream_proxy_protocol parameter.
5041
5042 This feature is available in Postfix 2.10 and later.
5043
5045 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
5046 but do not require that clients use TLS encryption.
5047
5048 This feature is available in Postfix 2.8 and later. Preferably, use
5049 postscreen_tls_security_level instead.
5050
5052 How much time a postscreen(8) process may take to respond to a remote
5053 SMTP client command or to perform a cache operation before it is termi‐
5054 nated by a built-in watchdog timer. This is a safety mechanism that
5055 prevents postscreen(8) from becoming non-responsive due to a bug in
5056 Postfix itself or in system software. To avoid false alarms and unnec‐
5057 essary cache corruption this limit cannot be set under 10s.
5058
5059 Specify a non-zero time value (an integral value plus an optional
5060 one-letter suffix that specifies the time unit). Time units: s (sec‐
5061 onds), m (minutes), h (hours), d (days), w (weeks).
5062
5063 This feature is available in Postfix 2.8.
5064
5066 A list of local postscreen(8) server IP addresses where a
5067 non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5068 whitelist status. This status is required before the client can talk to
5069 a Postfix SMTP server process. By default, a client can obtain
5070 postscreen(8)'s whitelist status on any local postscreen(8) server IP
5071 address.
5072
5073 When postscreen(8) listens on both primary and backup MX addresses, the
5074 postscreen_whitelist_interfaces parameter can be configured to give the
5075 temporary whitelist status only when a client connects to a primary MX
5076 address. Once a client is whitelisted it can talk to a Postfix SMTP
5077 server on any address. Thus, clients that connect only to backup MX
5078 addresses will never become whitelisted, and will never be allowed to
5079 talk to a Postfix SMTP server process.
5080
5081 Specify a list of network addresses or network/netmask patterns, sepa‐
5082 rated by commas and/or whitespace. The netmask specifies the number of
5083 bits in the network part of a host address. Continue long lines by
5084 starting the next line with whitespace.
5085
5086 You can also specify "/file/name" or "type:table" patterns. A
5087 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5088 table is matched when a table entry matches a lookup string (the lookup
5089 result is ignored).
5090
5091 The list is matched left to right, and the search stops on the first
5092 match. Specify "!pattern" to exclude an address or network block from
5093 the list.
5094
5095 Note: IP version 6 address information must be specified inside [] in
5096 the postscreen_whitelist_interfaces value, and in files specified with
5097 "/file/name". IP version 6 addresses contain the ":" character, and
5098 would otherwise be confused with a "type:table" pattern.
5099
5100 Example:
5101
5102 /etc/postfix/main.cf:
5103 # Don't whitelist connections to the backup IP address.
5104 postscreen_whitelist_interfaces = !168.100.189.8, static:all
5105
5106 This feature is available in Postfix 2.9 and later.
5107
5109 The message delivery contexts where the Postfix local(8) delivery agent
5110 prepends a Delivered-To: message header with the address that the mail
5111 was delivered to. This information is used for mail delivery loop
5112 detection.
5113
5114 By default, the Postfix local delivery agent prepends a Delivered-To:
5115 header when forwarding mail and when delivering to file (mailbox) and
5116 command. Turning off the Delivered-To: header when forwarding mail is
5117 not recommended.
5118
5119 Specify zero or more of forward, file, or command.
5120
5121 Example:
5122
5123 prepend_delivered_header = forward
5124
5126 The process ID of a Postfix command or daemon process.
5127
5129 The location of Postfix PID files relative to $queue_directory. This
5130 is a read-only parameter.
5131
5133 The process name of a Postfix command or daemon process.
5134
5136 What address lookup tables copy an address extension from the lookup
5137 key to the lookup result.
5138
5139 For example, with a virtual(5) mapping of "joe@example.com =>
5140 joe.user@example.net", the address "joe+foo@example.com" would rewrite
5141 to "joe.user+foo@example.net".
5142
5143 Specify zero or more of canonical, virtual, alias, forward, include or
5144 generic. These cause address extension propagation with canonical(5),
5145 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
5146 file lookups, and with smtp(8) generic maps, respectively.
5147
5148 Note: enabling this feature for types other than canonical and virtual
5149 is likely to cause problems when mail is forwarded to other sites,
5150 especially with mail that is sent to a mailing list exploder address.
5151
5152 Examples:
5153
5154 propagate_unmatched_extensions = canonical, virtual, alias,
5155 forward, include
5156 propagate_unmatched_extensions = canonical, virtual
5157
proxy_interfaces
    The network interface addresses that this mail system receives mail on
    by way of a proxy or network address translation unit.

    This feature is available in Postfix 2.0 and later.

    You must specify your "outside" proxy/NAT addresses when your system
    is a backup MX host for other domains, otherwise mail delivery loops
    will happen when the primary MX host is down.

    Example:

        proxy_interfaces = 1.2.3.4

proxy_read_maps
    The lookup tables that the proxymap(8) server is allowed to access for
    the read-only service.

    Specify zero or more "type:name" lookup tables, separated by
    whitespace or comma. Table references that don't begin with proxy: are
    ignored.

    This feature is available in Postfix 2.0 and later.

proxy_write_maps
    The lookup tables that the proxymap(8) server is allowed to access for
    the read-write service. Postfix-owned local database files should be
    stored under the Postfix-owned data_directory. Table references that
    don't begin with proxy: are ignored.

    This feature is available in Postfix 2.5 and later.

proxymap_service_name
    The name of the proxymap read-only table lookup service. This service
    is normally implemented by the proxymap(8) daemon.

    This feature is available in Postfix 2.6 and later.

proxywrite_service_name
    The name of the proxywrite read-write table lookup service. This
    service is normally implemented by the proxymap(8) daemon.

    This feature is available in Postfix 2.6 and later.

qmgr_clog_warn_time
    The minimal delay between warnings that a specific destination is
    clogging up the Postfix active queue. Specify 0 to disable.

    This feature is enabled with the helpful_warnings parameter.

    This feature is available in Postfix 2.0 and later.

qmgr_daemon_timeout
    How much time a Postfix queue manager process may take to handle a
    request before it is terminated by a built-in watchdog timer.

    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
    The default time unit is s (seconds).

    This feature is available in Postfix 2.8 and later.

qmgr_fudge_factor
    Obsolete feature: the percentage of delivery resources that a busy
    mail system will use up for delivery of a large mailing list message.

    This feature exists only in the oqmgr(8) old queue manager. The
    current queue manager solves the problem in a better way.

qmgr_ipc_timeout
    The time limit for the queue manager to send or receive information
    over an internal communication channel. The purpose is to break out of
    deadlock situations. If the time limit is exceeded the software either
    retries or aborts the operation.

    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
    The default time unit is s (seconds).

    This feature is available in Postfix 2.8 and later.

qmgr_message_active_limit
    The maximal number of messages in the active queue.

qmgr_message_recipient_limit
    The maximal number of recipients held in memory by the Postfix queue
    manager, and the maximal size of the short-term, in-memory "dead"
    destination status cache.

qmgr_message_recipient_minimum
    The minimal number of in-memory recipients for any message. This takes
    priority over any other in-memory recipient limits (i.e., the global
    qmgr_message_recipient_limit and the per transport _recipient_limit)
    if necessary. The minimum value allowed for this parameter is 1.

qmqpd_authorized_clients
    What remote QMQP clients are allowed to connect to the Postfix QMQP
    server port.

    By default, no client is allowed to use the service. This is because
    the QMQP server will relay mail to any destination.

    Specify a list of client patterns. A list pattern specifies a host
    name, a domain name, an internet address, or a network/mask pattern,
    where the mask specifies the number of bits in the network part. When
    a pattern specifies a file name, its contents are substituted for the
    file name; when a pattern is a "type:table" table specification, table
    lookup is used instead.

    Patterns are separated by whitespace and/or commas. In order to
    reverse the result, precede a pattern with an exclamation point (!).
    The form "!/file/name" is supported only in Postfix version 2.4 and
    later.

    Pattern matching of domain names is controlled by the presence or
    absence of "qmqpd_authorized_clients" in the
    parent_domain_matches_subdomains parameter value.

    Example:

        qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24

qmqpd_client_port_logging
    Enable logging of the remote QMQP client port in addition to the
    hostname and IP address. The logging format is "host[address]:port".

    This feature is available in Postfix 2.5 and later.

qmqpd_error_delay
    How long the Postfix QMQP server will pause before sending a negative
    reply to the remote QMQP client. The purpose is to slow down confused
    or malicious clients.

    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
    The default time unit is s (seconds).

qmqpd_timeout
    The time limit for sending or receiving information over the network.
    If a read or write operation blocks for more than $qmqpd_timeout
    seconds the Postfix QMQP server gives up and disconnects.

    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
    The default time unit is s (seconds).

queue_directory
    The location of the Postfix top-level queue directory. This is the
    root directory of Postfix daemon processes that run chrooted.

queue_file_attribute_count_limit
    The maximal number of (name=value) attributes that may be stored in a
    Postfix queue file. The limit is enforced by the cleanup(8) server.

    This feature is available in Postfix 2.0 and later.

queue_minfree
    The minimal amount of free space in bytes in the queue file system
    that is needed to receive mail. This is currently used by the Postfix
    SMTP server to decide if it will accept any mail at all.

    By default, the Postfix SMTP server rejects MAIL FROM commands when the
    amount of free space is less than 1.5*$message_size_limit (Postfix
    version 2.1 and later). To specify a higher minimum free space limit,
    specify a queue_minfree value that is at least
    1.5*$message_size_limit.

    With Postfix versions 2.0 and earlier, a queue_minfree value of zero
    means there is no minimum required amount of free space.

queue_run_delay
    The time between deferred queue scans by the queue manager; prior to
    Postfix 2.4 the default value was 1000s.

    This parameter should be set less than or equal to
    $minimal_backoff_time. See also $maximal_backoff_time.

    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
    The default time unit is s (seconds).

queue_service_name
    The name of the qmgr(8) service. This service manages the Postfix
    queue and schedules delivery requests.

    This feature is available in Postfix 2.0 and later.

rbl_reply_maps
    Optional lookup tables with RBL response templates. The tables are
    indexed by the RBL domain name. By default, Postfix uses the default
    template as specified with the default_rbl_reply configuration
    parameter. See there for a discussion of the syntax of RBL reply
    templates.

    This feature is available in Postfix 2.0 and later.

readme_directory
    The location of Postfix README files that describe how to build,
    configure or operate a specific Postfix subsystem or feature.

receive_override_options
    Enable or disable recipient validation, built-in content filtering, or
    address mapping. Typically, these are specified in master.cf as
    command-line arguments for the smtpd(8), qmqpd(8) or pickup(8)
    daemons.

    Specify zero or more of the following options. The options override
    main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
    pickup(8) themselves, or they are forwarded to the cleanup server.

    no_unknown_recipient_checks
        Do not try to reject unknown recipients (SMTP server only).
        This is typically specified AFTER an external content filter.

    no_address_mappings
        Disable canonical address mapping, virtual alias map expansion,
        address masquerading, and automatic BCC (blind carbon-copy)
        recipients. This is typically specified BEFORE an external
        content filter.

    no_header_body_checks
        Disable header/body_checks. This is typically specified AFTER an
        external content filter.

    no_milters
        Disable Milter (mail filter) applications. This is typically
        specified AFTER an external content filter.

    Note: when the "BEFORE content filter" receive_override_options
    setting is specified in the main.cf file, specify the "AFTER content
    filter" receive_override_options setting in master.cf (and vice
    versa).

    Examples:

        receive_override_options =
            no_unknown_recipient_checks, no_header_body_checks
        receive_override_options = no_address_mappings

    This feature is available in Postfix 2.1 and later.

recipient_bcc_maps
    Optional BCC (blind carbon-copy) address lookup tables, indexed by
    recipient address. The BCC address (multiple results are not
    supported) is added when mail enters from outside of Postfix.

    Specify zero or more "type:name" lookup tables, separated by
    whitespace or comma. Tables will be searched in the specified order
    until a match is found.

    The table search order is as follows:

    ·   Look up the "user+extension@domain.tld" address including the
        optional address extension.

    ·   Look up the "user@domain.tld" address without the optional
        address extension.

    ·   Look up the "user+extension" address local part when the
        recipient domain equals $myorigin, $mydestination,
        $inet_interfaces or $proxy_interfaces.

    ·   Look up the "user" address local part when the recipient domain
        equals $myorigin, $mydestination, $inet_interfaces or
        $proxy_interfaces.

    ·   Look up the "@domain.tld" part.

    Note: with Postfix 2.3 and later the BCC address is added as if it was
    specified with NOTIFY=NONE. The sender will not be notified when the
    BCC address is undeliverable, as long as all down-stream software
    implements RFC 3461.

    Note: with Postfix 2.2 and earlier the sender will unconditionally be
    notified when the BCC address is undeliverable.

    Note: automatic BCC recipients are produced only for new mail. To
    avoid mailer loops, automatic BCC recipients are not generated after
    Postfix forwards mail internally, or after Postfix generates mail
    itself.

    Example:

        recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

    After a change, run "postmap /etc/postfix/recipient_bcc".

    This feature is available in Postfix 2.1 and later.

recipient_canonical_classes
    What addresses are subject to recipient_canonical_maps address
    mapping. By default, recipient_canonical_maps address mapping is
    applied to envelope recipient addresses, and to header recipient
    addresses.

    Specify one or more of: envelope_recipient, header_recipient

    This feature is available in Postfix 2.2 and later.

recipient_canonical_maps
    Optional address mapping lookup tables for envelope and header
    recipient addresses. The table format and lookups are documented in
    canonical(5).

    Note: $recipient_canonical_maps is processed before $canonical_maps.

    Example:

        recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

recipient_delimiter
    The set of characters that can separate a user name from its
    extension (example: user+foo), or a .forward file name from its
    extension (example: .forward+foo). Basically, the software tries
    user+foo and .forward+foo before trying user and .forward. This
    implementation recognizes one delimiter character and one extension
    per email address or .forward file name.

    When the recipient_delimiter set contains multiple characters (Postfix
    2.11 and later), a user name or .forward file name is separated from
    its extension by the first character that matches the
    recipient_delimiter set.

    See canonical(5), local(8), relocated(5) and virtual(5) for the
    effects of recipient_delimiter on lookups in aliases, canonical,
    virtual, and relocated maps, and see the
    propagate_unmatched_extensions parameter for propagating an extension
    from one email address to another.

    When used in command_execution_directory, forward_path, or
    luser_relay, ${recipient_delimiter} is replaced with the actual
    recipient delimiter that was found in the recipient email address
    (Postfix 2.11 and later), or it is replaced with the main.cf
    recipient_delimiter parameter value (Postfix 2.10 and earlier).

    The recipient_delimiter is not applied to the mailer-daemon address,
    the postmaster address, or the double-bounce address. With the default
    "owner_request_special = yes" setting, the recipient_delimiter is also
    not applied to addresses with the special "owner-" prefix or the
    special "-request" suffix.

    Examples:

        # Handle Postfix-style extensions.
        recipient_delimiter = +

        # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
        recipient_delimiter = +-

        # Use .forward for mail without address extension, and for mail with
        # an unrecognized address extension.
        forward_path = $home/.forward${recipient_delimiter}${extension},
            $home/.forward
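
    The recipient_delimiter splitting rules, the recipient_bcc_maps search
    order and the propagate_unmatched_extensions example above, as an added
    Python example that is not part of this manual page or of Postfix. The
    tables are constructed dictionaries standing in for "type:name" tables,
    "double-bounce" is assumed as the double-bounce local part, and the
    virtual(5) lookup is reduced to the two steps the propagation example
    needs:

```python
"""Address-extension handling as described above for recipient_delimiter,
recipient_bcc_maps and propagate_unmatched_extensions.  Added example for
this manual page, not Postfix code; the lookup tables are constructed
dictionaries keyed in lower case, standing in for "type:name" tables."""

# Local parts the delimiter is never applied to (this page names the
# mailer-daemon, postmaster and double-bounce addresses; "double-bounce"
# as the local part is an assumption about the double_bounce_sender name).
NEVER_SPLIT = {"postmaster", "mailer-daemon", "double-bounce"}


def split_address(address: str):
    """Return (local_part, domain); domain is "" when there is no "@"."""
    local, sep, domain = address.rpartition("@")
    return (local, domain) if sep else (address, "")


def split_local_part(local: str, delimiters: str, owner_request_special=True):
    """Split "user+foo" into ("user", "+", "foo") at the FIRST character of
    the local part that is in the recipient_delimiter set (Postfix 2.11
    semantics for multi-character sets).  Returns (local, "", "") when no
    extension is recognized."""
    lower = local.lower()
    if lower in NEVER_SPLIT:
        return local, "", ""
    if owner_request_special and (lower.startswith("owner-") or lower.endswith("-request")):
        return local, "", ""
    for i, ch in enumerate(local):
        if ch in delimiters and i > 0:    # assumption: never leave an empty user name
            return local[:i], ch, local[i + 1:]
    return local, "", ""


def bcc_lookup(recipient: str, table: dict, delimiters: str, local_domains: set):
    """recipient_bcc_maps search order; returns the BCC address or None.
    local_domains stands for $myorigin, $mydestination, $inet_interfaces
    and $proxy_interfaces."""
    local, domain = split_address(recipient.lower())
    user, delim, ext = split_local_part(local, delimiters)
    keys = []
    if ext:
        keys.append(f"{user}{delim}{ext}@{domain}")   # user+extension@domain.tld
    keys.append(f"{user}@{domain}")                    # user@domain.tld
    if domain in local_domains:
        if ext:
            keys.append(f"{user}{delim}{ext}")         # user+extension
        keys.append(user)                              # user
    keys.append(f"@{domain}")                          # @domain.tld
    for key in keys:
        if key in table:
            return table[key]
    return None


def map_address(address: str, table: dict, delimiters: str, propagate: bool):
    """Look up the full address, then the address without its extension;
    when the second lookup matches and propagate_unmatched_extensions
    covers this table type, re-attach the extension to the result."""
    lower = address.lower()
    if lower in table:
        return table[lower]
    local, domain = split_address(lower)
    user, delim, ext = split_local_part(local, delimiters)
    base = f"{user}@{domain}"
    if not ext or base not in table:
        return address                      # unchanged: no mapping applies
    result = table[base]
    if not propagate:
        return result
    r_local, r_domain = split_address(result)
    return f"{r_local}{delim}{ext}@{r_domain}" if r_domain else f"{result}{delim}{ext}"
```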

reject_code
    The numerical Postfix SMTP server response code when a remote SMTP
    client request is rejected by the "reject" restriction.

    Do not change this unless you have a complete understanding of RFC
    5321.

reject_tempfail_action
    The Postfix SMTP server's action when a reject-type restriction fails
    due to a temporary error condition. Specify "defer" to defer the
    remote SMTP client request immediately. With the default
    "defer_if_permit" action, the Postfix SMTP server continues to look
    for opportunities to reject mail, and defers the client request only
    if it would otherwise be accepted.

    For finer control, see: unverified_recipient_tempfail_action,
    unverified_sender_tempfail_action, unknown_address_tempfail_action,
    and unknown_helo_hostname_tempfail_action.

    This feature is available in Postfix 2.6 and later.

relay_clientcerts
    List of tables with remote SMTP client-certificate fingerprints or
    public key fingerprints (Postfix 2.9 and later) for which the Postfix
    SMTP server will allow access with the permit_tls_clientcerts feature.
    The fingerprint digest algorithm is configurable via the
    smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
    Postfix version 2.5).

    Postfix lookup tables are in the form of (key, value) pairs. Since we
    only need the key, the value can be chosen freely, e.g. the name of
    the user or host:

        D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

    Example:

        relay_clientcerts = hash:/etc/postfix/relay_clientcerts

    For more fine-grained control, use check_ccert_access to select an
    appropriate access(5) policy for each client. See
    RESTRICTION_CLASS_README.

    Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint
    incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
    or later.

    This feature is available with Postfix version 2.2.

relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)
    The maximal number of parallel deliveries to the same destination via
    the relay message delivery transport. This limit is enforced by the
    queue manager. The message delivery transport name is the first field
    in the entry in the master.cf file.

    This feature is available in Postfix 2.0 and later.

relay_destination_recipient_limit (default: $default_destination_recipient_limit)
    The maximal number of recipients per message for the relay message
    delivery transport. This limit is enforced by the queue manager. The
    message delivery transport name is the first field in the entry in the
    master.cf file.

    Setting this parameter to a value of 1 changes the meaning of
    relay_destination_concurrency_limit from concurrency per domain into
    concurrency per recipient.

    This feature is available in Postfix 2.0 and later.

relay_domains
    What destination domains (and subdomains thereof) this system will
    relay mail to. For details about how the relay_domains value is used,
    see the description of the permit_auth_destination and
    reject_unauth_destination SMTP recipient restrictions.

    Domains that match $relay_domains are delivered with the
    $relay_transport mail delivery transport. The SMTP server validates
    recipient addresses with $relay_recipient_maps and rejects
    non-existent recipients. See also the relay domains address class in
    the ADDRESS_CLASS_README file.

    Note: Postfix will not automatically forward mail for domains that
    list this system as their primary or backup MX host. See the
    permit_mx_backup restriction in the postconf(5) manual page.

    Specify a list of host or domain names, "/file/name" patterns or
    "type:table" lookup tables, separated by commas and/or whitespace.
    Continue long lines by starting the next line with whitespace. A
    "/file/name" pattern is replaced by its contents; a "type:table"
    lookup table is matched when a (parent) domain appears as lookup key.
    Specify "!pattern" to exclude a domain from the list. The form
    "!/file/name" is supported only in Postfix version 2.4 and later.

    Pattern matching of domain names is controlled by the presence or
    absence of "relay_domains" in the parent_domain_matches_subdomains
    parameter value.
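
    The pattern-list semantics described for postscreen_whitelist_interfaces,
    qmqpd_authorized_clients and relay_domains (left-to-right first match,
    "!pattern" exclusion, network/netmask patterns, IPv6 inside [], and
    parent-domain matching switched by parent_domain_matches_subdomains), as
    an added Python example that is not part of this manual page or of
    Postfix. The "mem:" tables are constructed in-memory sets standing in for
    "type:table" lookups, and "/file/name" inclusion is left out:

```python
"""Matcher for the Postfix client/domain pattern lists described on this
page for postscreen_whitelist_interfaces, qmqpd_authorized_clients and
relay_domains.  Added example for this manual page, not Postfix code.
"type:table" patterns are simplified: "static:all" matches everything and
any other "type:name" is looked up in a constructed in-memory set passed to
the constructor; "/file/name" inclusion is not implemented."""
import ipaddress
import re


def parse_patterns(value: str) -> list:
    """Split a main.cf list value on commas and/or whitespace."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def parse_network(pattern: str):
    """Return an ip_network for an address or network/netmask pattern, or
    None when the pattern is not an address.  IPv6 must be written inside
    [] (e.g. "[2001:db8::]/32"); an unbracketed IPv6 pattern contains ':'
    and is therefore read as a "type:table" pattern, as the page warns."""
    text, mask = pattern, None
    if text.startswith("["):
        end = text.find("]")
        if end < 0:
            return None
        text, rest = text[1:end], text[end + 1:]
        if rest.startswith("/"):
            mask = rest[1:]
        elif rest:
            return None
    elif "/" in text:
        text, mask = text.split("/", 1)
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version == 6 and not pattern.startswith("["):
        return None
    bits = int(mask) if mask is not None else addr.max_prefixlen
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


class PatternList:
    """Left-to-right, first-match-wins evaluation of one parameter value."""

    def __init__(self, param_name, value, parent_domain_matches_subdomains="", tables=None):
        self.patterns = parse_patterns(value)
        # "example.com" also matches "host.example.com" only when this
        # parameter's name appears in parent_domain_matches_subdomains.
        self.match_parent = param_name in parse_patterns(parent_domain_matches_subdomains)
        self.tables = tables or {}   # {"type:name": set_of_keys}, constructed

    def _name_hit(self, pattern, name):
        name, pattern = name.lower().rstrip("."), pattern.lower()
        if pattern.startswith("."):          # ".example.com": subdomains only
            return name.endswith(pattern)
        return name == pattern or (self.match_parent and name.endswith("." + pattern))

    def _table_hit(self, pattern, addr, name):
        # Only the presence of a key matters; the lookup result is ignored.
        if pattern == "static:all":
            return True
        keys = self.tables.get(pattern)
        if keys is None:
            return False
        candidates = [c for c in (addr, name.lower()) if c]
        if name and self.match_parent:       # also try each parent domain
            labels = name.lower().split(".")
            candidates += [".".join(labels[i:]) for i in range(1, len(labels))]
        return any(c in keys for c in candidates)

    def matches(self, addr="", name=""):
        """addr: client IP address ("" for a domain-only list such as
        relay_domains); name: client hostname or recipient domain."""
        for pattern in self.patterns:
            negate = pattern.startswith("!")
            if negate:
                pattern = pattern[1:]
            net = parse_network(pattern)
            if net is not None:
                hit = bool(addr) and ipaddress.ip_address(addr) in net
            elif ":" in pattern:
                hit = self._table_hit(pattern, addr, name)
            else:
                hit = bool(name) and self._name_hit(pattern, name)
            if hit:
                return not negate            # "!pattern" excludes on match
        return False
```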

relay_domains_reject_code
    The numerical Postfix SMTP server response code when a client request
    is rejected by the reject_unauth_destination recipient restriction.

    Do not change this unless you have a complete understanding of RFC
    5321.

relay_recipient_maps
    Optional lookup tables with all valid addresses in the domains that
    match $relay_domains. Specify @domain as a wild-card for domains that
    have no valid recipient list; doing so makes this system a source of
    backscatter mail, because Postfix then accepts spam for non-existent
    recipients and floods innocent people with undeliverable mail.
    Technically, tables listed with $relay_recipient_maps are used as
    lists: Postfix needs to know only if a lookup string is found or not,
    but it does not use the result from table lookup.

    Specify zero or more "type:name" lookup tables, separated by
    whitespace or comma. Tables will be searched in the specified order
    until a match is found.

    If this parameter is non-empty, then the Postfix SMTP server will
    reject mail to unknown relay users. This feature is off by default.

    See also the relay domains address class in the ADDRESS_CLASS_README
    file.

    Example:

        relay_recipient_maps = hash:/etc/postfix/relay_recipients

    This feature is available in Postfix 2.0 and later.

relay_transport
    The default mail delivery transport and next-hop destination for
    remote delivery to domains listed with $relay_domains. In order of
    decreasing precedence, the nexthop destination is taken from
    $relay_transport, $sender_dependent_relayhost_maps, $relayhost, or
    from the recipient domain. This information can be overruled with the
    transport(5) table.

    Specify a string of the form transport:nexthop, where transport is the
    name of a mail delivery transport defined in master.cf. The :nexthop
    destination is optional; its syntax is documented in the manual page
    of the corresponding delivery agent.

    See also the relay domains address class in the ADDRESS_CLASS_README
    file.

    This feature is available in Postfix 2.0 and later.

relayhost
    The next-hop destination of non-local mail; overrides non-local
    domains in recipient addresses. This information is overruled with
    relay_transport, sender_dependent_default_transport_maps,
    default_transport, sender_dependent_relayhost_maps and with the
    transport(5) table.

    On an intranet, specify the organizational domain name. If your
    internal DNS uses no MX records, specify the name of the intranet
    gateway host instead.

    In the case of SMTP, specify a domain name, hostname, hostname:port,
    [hostname]:port, [hostaddress] or [hostaddress]:port. The form
    [hostname] turns off MX lookups.

    If you're connected via UUCP, see the UUCP_README file for useful
    information.

    Examples:

        relayhost = $mydomain
        relayhost = [gateway.example.com]
        relayhost = uucphost
        relayhost = [an.ip.add.ress]

relocated_maps
    Optional lookup tables with new contact information for users or
5673 domains that no longer exist. The table format and lookups are docu‐
5674 mented in relocated(5).
5675
5676 Specify zero or more "type:name" lookup tables, separated by whitespace
5677 or comma. Tables will be searched in the specified order until a match
5678 is found.
5679
5680 If you use this feature, run "postmap /etc/postfix/relocated" to build
5681 the necessary DBM or DB file after change, then "postfix reload" to
5682 make the changes visible.
5683
5684 Examples:
5685
5686 relocated_maps = dbm:/etc/postfix/relocated
5687 relocated_maps = hash:/etc/postfix/relocated
5688
5690 Don't rewrite message headers from remote clients at all when this
5691 parameter is empty; otherwise, rewrite message headers and append the
5692 specified domain name to incomplete addresses. The local_header_re‐
5693 write_clients parameter controls what clients Postfix considers local.
5694
5695 Examples:
5696
5697 The safe setting: append "domain.invalid" to incomplete header
5698 addresses from remote SMTP clients, so that those addresses cannot be
5699 confused with local addresses.
5700
5701 remote_header_rewrite_domain = domain.invalid
5702
5703 The default, purist, setting: don't rewrite headers from remote clients
5704 at all.
5705
5706 remote_header_rewrite_domain =
5707
5709 Require that a local(8) recipient's home directory exists before mail
5710 delivery is attempted. By default this test is disabled. It can be
5711 useful for environments that import home directories to the mail server
5712 (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5713
5715 Reset the local(8) delivery agent's idea of the owner-alias attribute,
5716 when delivering mail to a child alias that does not have its own owner
5717 alias.
5718
5719 This feature is available in Postfix 2.8 and later. With older Postfix
5720 releases, the behavior is as if this parameter is set to "yes".
5721
5722 As documented in aliases(5), when an alias name has a companion alias
5723 named owner-name, this will replace the envelope sender address, so
5724 that delivery errors will be reported to the owner alias instead of the
5725 sender. This configuration is recommended for mailing lists.
5726
5727 A less known property of the owner alias is that it also forces the
5728 local(8) delivery agent to write local and remote addresses from alias
5729 expansion to a new queue file, instead of attempting to deliver mail to
5730 local addresses as soon as they come out of alias expansion.
5731
5732 Writing local addresses from alias expansion to a new queue file allows
5733 for robust handling of temporary delivery errors: errors with one local
5734 member have no effect on deliveries to other members of the list. On
5735 the other hand, delivery to local addresses as soon as they come out of
5736 alias expansion is fragile: a temporary error with one local address
5737 from alias expansion will cause the entire alias to be expanded repeat‐
5738 edly until the error goes away, or until the message expires in the
5739 queue. In that case, a problem with one list member results in multi‐
5740 ple message deliveries to other list members.
5741
5742 The default behavior of Postfix 2.8 and later is to keep the
5743 owner-alias attribute of the parent alias, when delivering mail to a
5744 child alias that does not have its own owner alias. Then, local
5745 addresses from that child alias will be written to a new queue file,
5746 and a temporary error with one local address will not affect delivery
5747 to other mailing list members.
5748
5749 Unfortunately, older Postfix releases reset the owner-alias attribute
5750 when delivering mail to a child alias that does not have its own owner
5751 alias. To be precise, this resets only the decision to create a new
5752 queue file, not the decision to override the envelope sender address.
5753 The local(8) delivery agent then attempts to deliver local addresses as
5754 soon as they come out of child alias expansion. If delivery to any
5755 address from child alias expansion fails with a temporary error condi‐
5756 tion, the entire mailing list may be expanded repeatedly until the mail
5757 expires in the queue, resulting in multiple deliveries of the same mes‐
5758 sage to mailing list members.
5759
5761 Resolve a recipient address safely instead of correctly, by looking
5762 inside quotes.
5763
5764 By default, the Postfix address resolver does not quote the address
5765 localpart as per RFC 822, so that additional @ or % or ! operators
5766 remain visible. This behavior is safe but it is also technically incor‐
5767 rect.
5768
5769 If you specify "resolve_dequoted_address = no", then the Postfix
5770 resolver will not know about additional @ etc. operators in the address
5771 localpart. This opens opportunities for obscure mail relay attacks with
5772 user@domain@domain addresses when Postfix provides backup MX service
5773 for Sendmail systems.
5774
5776 Resolve an address that ends in the "@" null domain as if the local
5777 hostname were specified, instead of rejecting the address as invalid.
5778
5779 This feature is available in Postfix 2.1 and later. Earlier versions
5780 always resolve the null domain as the local hostname.
5781
5782 The Postfix SMTP server uses this feature to reject mail from or to
5783 addresses that end in the "@" null domain, and from addresses that re‐
5784 write into a form that ends in the "@" null domain.
5785
5787 Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
5788 the address as invalid.
5789
5790 This feature is available in Postfix 2.3 and later.
5791
5793 The name of the address rewriting service. This service rewrites
5794 addresses to standard form and resolves them to a (delivery method,
5795 next-hop host, recipient) triple.
5796
5797 This feature is available in Postfix 2.0 and later.
5798
5800 The name of the directory with example Postfix configuration files.
5801 Starting with Postfix 2.1, these files have been replaced with the
5802 postconf(5) manual page.
5803
5805 When authenticating to a remote SMTP or LMTP server with the default
5806 setting "no", send no SASL authoriZation ID (authzid); send only the
5807 SASL authentiCation ID (authcid) plus the authcid's password.
5808
5809 The non-default setting "yes" enables the behavior of older Postfix
5810 versions. These always send a SASL authzid that is equal to the SASL
5811 authcid, but this causes interoperability problems with some SMTP
5812 servers.
5813
5814 This feature is available in Postfix 2.4.4 and later.
5815
5817 This parameter should not be used. It was replaced by sender_depen‐
5818 dent_relayhost_maps in Postfix version 2.3.
5819
5821 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5822 sender address. The BCC address (multiple results are not supported)
5823 is added when mail enters from outside of Postfix.
5824
5825 Specify zero or more "type:name" lookup tables, separated by whitespace
5826 or comma. Tables will be searched in the specified order until a match
5827 is found.
5828
5829 The table search order is as follows:
5830
5831 · Look up the "user+extension@domain.tld" address including the
5832 optional address extension.
5833
5834 · Look up the "user@domain.tld" address without the optional
5835 address extension.
5836
5837 · Look up the "user+extension" address local part when the sender
5838 domain equals $myorigin, $mydestination, $inet_interfaces or
5839 $proxy_interfaces.
5840
5841 · Look up the "user" address local part when the sender domain
5842 equals $myorigin, $mydestination, $inet_interfaces or
5843 $proxy_interfaces.
5844
5845 · Look up the "@domain.tld" part.
5846
5847 Note: with Postfix 2.3 and later the BCC address is added as if it was
5848 specified with NOTIFY=NONE. The sender will not be notified when the
5849 BCC address is undeliverable, as long as all down-stream software
5850 implements RFC 3461.
5851
5852 Note: with Postfix 2.2 and earlier the sender will be notified when the
5853 BCC address is undeliverable.
5854
5855 Note: automatic BCC recipients are produced only for new mail. To
5856 avoid mailer loops, automatic BCC recipients are not generated after
5857 Postfix forwards mail internally, or after Postfix generates mail
5858 itself.
5859
5860 Example:
5861
5862 sender_bcc_maps = hash:/etc/postfix/sender_bcc
5863
5864 After a change, run "postmap /etc/postfix/sender_bcc".
5865
5866 This feature is available in Postfix 2.1 and later.
5867
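Added example, not Postfix code: a model of the sender_bcc_maps search order
listed above, for a single lookup table. The table is a Python dict, and the
domains that count as local ($myorigin, $mydestination, $inet_interfaces,
$proxy_interfaces) are collapsed into one set; both are assumptions of this
example, as is the constructed table content. Keys are compared as given; the
case folding of real Postfix table types is not modelled.

```python
# Added example, not Postfix code: the sender_bcc_maps lookup order.
from typing import Dict, List, Optional, Set, Tuple


def split_address(addr: str, delimiter: str = "+") -> Tuple[str, Optional[str], str]:
    """Split 'user+ext@domain' into (user, extension or None, domain)."""
    if "@" in addr:
        localpart, domain = addr.rsplit("@", 1)
    else:
        localpart, domain = addr, ""
    if delimiter and delimiter in localpart:
        user, ext = localpart.split(delimiter, 1)
        return user, ext, domain
    return localpart, None, domain


def bcc_lookup_keys(sender: str, local_domains: Set[str], delimiter: str = "+") -> List[str]:
    """Keys to try, in the order documented for sender_bcc_maps."""
    user, ext, domain = split_address(sender, delimiter)
    keys: List[str] = []
    if ext is not None:
        keys.append(f"{user}{delimiter}{ext}@{domain}")      # user+extension@domain.tld
    keys.append(f"{user}@{domain}")                           # user@domain.tld
    if domain in local_domains:                               # bare local parts only for local domains
        if ext is not None:
            keys.append(f"{user}{delimiter}{ext}")            # user+extension
        keys.append(user)                                     # user
    keys.append(f"@{domain}")                                 # @domain.tld
    return keys


def bcc_lookup(sender: str, table: Dict[str, str], local_domains: Set[str],
               delimiter: str = "+") -> Optional[Tuple[str, str]]:
    """First matching (key, bcc address), or None when nothing matches."""
    for key in bcc_lookup_keys(sender, local_domains, delimiter):
        if key in table:
            return key, table[key]
    return None


# Constructed sample table and local-domain set (assumptions of this example).
SENDER_BCC = {
    "alice+lists@example.com": "archive-lists@audit.example",
    "alice@example.com": "archive-alice@audit.example",
    "bob": "archive-bob@audit.example",
    "@partner.example": "archive-partner@audit.example",
}
LOCAL_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for sender in ("alice+lists@example.com", "alice+other@example.com",
                   "bob+x@example.com", "bob@partner.example", "carol@other.example"):
        print(sender, "->", bcc_lookup(sender, SENDER_BCC, LOCAL_DOMAINS))
```

The bare "user" and "user+extension" keys are consulted only when the sender
domain is local, so "bob@partner.example" falls through to "@partner.example"
even though a "bob" entry exists.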
5869 What addresses are subject to sender_canonical_maps address mapping.
5870 By default, sender_canonical_maps address mapping is applied to enve‐
5871 lope sender addresses, and to header sender addresses.
5872
5873 Specify one or more of: envelope_sender, header_sender
5874
5875 This feature is available in Postfix 2.2 and later.
5876
5878 Optional address mapping lookup tables for envelope and header sender
5879 addresses. The table format and lookups are documented in canoni‐
5880 cal(5).
5881
5882 Example: you want to rewrite the SENDER address "user@ugly.domain" to
5883 "user@pretty.domain", while still being able to send mail to the RECIP‐
5884 IENT address "user@ugly.domain".
5885
5886 Note: $sender_canonical_maps is processed before $canonical_maps.
5887
5888 Example:
5889
5890 sender_canonical_maps = hash:/etc/postfix/sender_canonical
5891
5893 A sender-dependent override for the global default_transport parameter
5894 setting. The tables are searched by the envelope sender address and
5895 @domain. A lookup result of DUNNO terminates the search without over‐
5896 riding the global default_transport parameter setting. This informa‐
5897 tion is overruled with the transport(5) table.
5898
5899 Specify zero or more "type:name" lookup tables, separated by whitespace
5900 or comma. Tables will be searched in the specified order until a match
5901 is found.
5902
5903 Note: this overrides default_transport, not transport_maps, and there‐
5904 fore the expected syntax is that of default_transport, not the syntax
5905 of transport_maps. Specifically, this does not support the trans‐
5906 port_maps syntax for null transport, null nexthop, or null email
5907 addresses.
5908
5909 For safety reasons, this feature does not allow $number substitutions
5910 in regular expression maps.
5911
5912 This feature is available in Postfix 2.7 and later.
5913
5915 A sender-dependent override for the global relayhost parameter setting.
5916 The tables are searched by the envelope sender address and @domain. A
5917 lookup result of DUNNO terminates the search without overriding the
5918 global relayhost parameter setting (Postfix 2.6 and later). This infor‐
5919 mation is overruled with relay_transport, sender_depen‐
5920 dent_default_transport_maps, default_transport and with the trans‐
5921 port(5) table.
5922
5923 Specify zero or more "type:name" lookup tables, separated by whitespace
5924 or comma. Tables will be searched in the specified order until a match
5925 is found.
5926
5927 For safety reasons, this feature does not allow $number substitutions
5928 in regular expression maps.
5929
5930 This feature is available in Postfix 2.3 and later.
5931
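Added example, not Postfix code: a model of how the next-hop destination is
chosen for a remote recipient, following the precedence stated above for
relay_transport, sender_dependent_relayhost_maps, relayhost and the recipient
domain, and for sender_dependent_default_transport_maps over default_transport.
Lookup tables are Python dicts with constructed contents, the transport(5)
table is not modelled, and the configuration values are assumptions of this
example. A lookup result of DUNNO ends the search without overriding the
global setting.

```python
# Added example, not Postfix code: next-hop precedence for remote mail.
from typing import Dict, Optional, Tuple


def parse_transport(value: str) -> Tuple[str, str]:
    """Split 'transport:nexthop' into (transport, nexthop); nexthop may be empty."""
    transport, sep, nexthop = value.partition(":")
    return transport, (nexthop if sep else "")


def sender_dependent_lookup(table: Dict[str, str], sender: str) -> Optional[str]:
    """Search by full sender address, then by @domain; DUNNO stops the search."""
    _, at, domain = sender.rpartition("@")
    keys = [sender] + ([f"@{domain}"] if at else [])
    for key in keys:
        if key in table:
            result = table[key]
            return None if result.upper() == "DUNNO" else result
    return None


def resolve_nexthop(cfg: dict, sender: str, recipient: str) -> Tuple[str, str]:
    """Return (transport, nexthop) for one envelope sender/recipient pair."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in cfg["relay_domains"]:
        # relay domains: relay_transport, which may carry its own :nexthop
        transport, nexthop = parse_transport(cfg["relay_transport"])
    else:
        # other remote mail: sender-dependent default transport, else default_transport
        override = sender_dependent_lookup(cfg["sender_dependent_default_transport_maps"], sender)
        transport, nexthop = parse_transport(override or cfg["default_transport"])
    if not nexthop:
        nexthop = sender_dependent_lookup(cfg["sender_dependent_relayhost_maps"], sender) or ""
    if not nexthop:
        nexthop = cfg["relayhost"]
    if not nexthop:
        nexthop = domain          # last resort: the recipient domain itself
    return transport, nexthop


# Constructed configuration (assumptions of this example).
CONFIG = {
    "relay_domains": {"hosted.example"},
    "relay_transport": "relay",
    "default_transport": "smtp",
    "relayhost": "[gateway.example.com]",
    "sender_dependent_relayhost_maps": {
        "@example.com": "[corp-gateway.example.com]",
        "noc@example.com": "DUNNO",
        "@marketing.example": "[bulk-gateway.example.com]:587",
    },
    "sender_dependent_default_transport_maps": {
        "@marketing.example": "smtp-bulk:",
    },
}

if __name__ == "__main__":
    for sender, rcpt in (("alice@example.com", "bob@other.example"),
                         ("noc@example.com", "bob@other.example"),
                         ("news@marketing.example", "bob@other.example"),
                         ("alice@example.com", "user@hosted.example")):
        print(sender, "->", rcpt, "via", resolve_nexthop(CONFIG, sender, rcpt))
```

The "noc@example.com" entry shows the DUNNO rule: the more specific key is
found first, so the "@example.com" entry is never consulted and the global
relayhost applies.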
5933 Controls how the Postfix sendmail command converts email message line
5934 endings from <CR><LF> into UNIX format (<LF>).
5935
5936 always Always convert message lines ending in <CR><LF>. This setting is
5937 the default with Postfix 2.9 and later.
5938
5939 strict Convert message lines ending in <CR><LF> only if the first input
5940 line ends in <CR><LF>. This setting is backwards-compatible with
5941 Postfix 2.8 and earlier.
5942
5943 never Never convert message lines ending in <CR><LF>. This setting
5944 exists for completeness only.
5945
5946 This feature is available in Postfix 2.9 and later.
5947
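Added example, not Postfix code: a line-ending converter with the three modes
documented above. The input is the raw message as bytes, the "strict" decision
looks only at the first input line, and a bare <CR> that is not followed by
<LF> is left alone in every mode. The sample messages are constructed.

```python
# Added example, not Postfix code: the always/strict/never conversion modes.
def fix_line_endings(message: bytes, mode: str = "always") -> bytes:
    """Convert <CR><LF> line endings to <LF> according to mode."""
    lines = message.split(b"\n")       # a trailing "" marks a final <LF>
    if mode == "never":
        convert = False
    elif mode == "always":
        convert = True
    elif mode == "strict":
        # convert only when the first input line itself ends in <CR><LF>
        convert = len(lines) > 1 and lines[0].endswith(b"\r")
    else:
        raise ValueError(f"unknown sendmail_fix_line_endings mode: {mode!r}")
    if not convert:
        return message
    out = []
    for i, line in enumerate(lines):
        terminated = i < len(lines) - 1   # this element was followed by <LF>
        if terminated and line.endswith(b"\r"):
            line = line[:-1]
        out.append(line)
    return b"\n".join(out)


if __name__ == "__main__":
    sample = b"Subject: test\r\n\r\nbody line\r\n"
    for mode in ("always", "strict", "never"):
        print(mode, fix_line_endings(sample, mode))
```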
5949 A Sendmail compatibility feature that specifies the location of the
5950 Postfix sendmail(1) command. This command can be used to submit mail
5951 into the Postfix queue.
5952
5954 The master.cf service name of a Postfix daemon process. This can be
5955 used to distinguish the logging from different services that use the
5956 same program name.
5957
5958 Example master.cf entries:
5959
5960 # Distinguish inbound MTA logging from submission and smtps logging.
5961 smtp inet n - n - - smtpd
5962 submission inet n - n - - smtpd
5963 -o syslog_name=postfix/$service_name
5964 smtps inet n - n - - smtpd
5965 -o syslog_name=postfix/$service_name
5966
5967 # Distinguish outbound MTA logging from inbound relay logging.
5968 smtp unix - - n - - smtp
5969 relay unix - - n - - smtp
5970 -o syslog_name=postfix/$service_name
5971
5973 How long the Postfix master(8) waits before forking a server that
5974 appears to be malfunctioning.
5975
5976 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5977 The default time unit is s (seconds).
5978
5980 The group ownership of set-gid Postfix commands and of group-writable
5981 Postfix directories. When this parameter value is changed you need to
5982 re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
5983 "/etc/postfix/post-install set-permissions").
5984
5986 The location of Postfix dynamically-linked libraries (libpostfix-*.so),
5987 and the default location of Postfix database plugins (postfix-*.so)
5988 that have a relative pathname in the dynamicmaps.cf file. The
5989 shlib_directory parameter defaults to "no" when Postfix dynami‐
5990 cally-linked libraries and database plugins are disabled at compile
5991 time, otherwise it typically defaults to /usr/lib/postfix or
5992 /usr/local/lib/postfix.
5993
5994 Notes:
5995
5996 · The directory specified with shlib_directory should contain only
5997 Postfix-related files. Postfix dynamically-linked libraries and
5998 database plugins should not be installed in a "public" system
5999 directory such as /usr/lib or /usr/local/lib. Linking Postfix
6000 dynamically-linked library files or database plugins into
6001 non-Postfix programs is not supported. Postfix dynami‐
6002 cally-linked libraries and database plugins implement a Post‐
6003 fix-internal API that changes without maintaining compatibility.
6004
6005 · You can change the shlib_directory value after Postfix is built.
6006 However, you may have to run ldconfig or equivalent to prevent
6007 Postfix programs from failing because the libpostfix-*.so files
6008 are not found. No ldconfig command is needed if you keep the
6009 libpostfix-*.so files in the compiled-in default $shlib_direc‐
6010 tory location.
6011
6012 This feature is available in Postfix 3.0 and later.
6013
6015 Display the name of the recipient table in the "User unknown"
6016 responses. The extra detail makes trouble shooting easier but also
6017 reveals information that is nobody else's business.
6018
6019 This feature is available in Postfix 2.0 and later.
6020
6022 The name of the showq(8) service. This service produces mail queue sta‐
6023 tus reports.
6024
6025 This feature is available in Postfix 2.0 and later.
6026
6028 The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6029 will try first, when a destination has IPv6 and IPv4 addresses with
6030 equal MX preference. This feature has no effect unless the inet_proto‐
6031 cols setting enables both IPv4 and IPv6.
6032
6033 Postfix SMTP client address preference has evolved. With Postfix 2.8
6034 the default is "ipv6"; earlier implementations are hard-coded to prefer
6035 IPv6 over IPv4.
6036
6037 Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6038 nectivity:
6039
6040 · The setting "smtp_address_preference = ipv6" is unsafe. It can
6041 fail to deliver mail when there is an outage that affects IPv6,
6042 while the destination is still reachable over IPv4.
6043
6044 · The setting "smtp_address_preference = any" is safe. With this,
6045 mail will eventually be delivered even if there is an outage
6046 that affects IPv6 or IPv4, as long as it does not affect both.
6047
6048 This feature is available in Postfix 2.8 and later.
6049
6051 In the context of email address verification, the SMTP protocol stage
6052 that determines whether an email address is deliverable. Specify one
6053 of "rcpt" or "data". The latter is needed with remote SMTP servers
6054 that reject recipients after the DATA command. Use transport_maps to
6055 apply this feature selectively:
6056
6057 /etc/postfix/main.cf:
6058 transport_maps = hash:/etc/postfix/transport
6059
6060 /etc/postfix/transport:
6061 smtp-domain-that-verifies-after-data smtp-data-target:
6062 lmtp-domain-that-verifies-after-data lmtp-data-target:
6063
6064 /etc/postfix/master.cf:
6065 smtp-data-target unix - - n - - smtp
6066 -o smtp_address_verify_target=data
6067 lmtp-data-target unix - - n - - lmtp
6068 -o lmtp_address_verify_target=data
6069
6070 Unselective use of the "data" target does no harm, but will result in
6071 unnecessary "lost connection after DATA" events at remote SMTP/LMTP
6072 servers.
6073
6074 This feature is available in Postfix 3.0 and later.
6075
6077 Always send EHLO at the start of an SMTP session.
6078
6079 With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO
6080 only when the word "ESMTP" appears in the server greeting banner (exam‐
6081 ple: 220 spike.porcupine.org ESMTP Postfix).
6082
6084 When a remote destination resolves to a combination of IPv4 and IPv6
6085 addresses, ensure that the Postfix SMTP client can try both address
6086 types before it runs into the smtp_mx_address_limit.
6087
6088 This avoids an interoperability problem when a destination resolves to
6089 primarily IPv6 addresses, the smtp_mx_address_limit feature eliminates
6090 most or all IPv4 addresses, and the destination is not reachable over
6091 IPv6.
6092
6093 This feature is available in Postfix 3.3 and later.
6094
6096 An optional numerical network address that the Postfix SMTP client
6097 should bind to when making an IPv4 connection.
6098
6099 This can be specified in the main.cf file for all SMTP clients, or it
6100 can be specified in the master.cf file for a specific client, for exam‐
6101 ple:
6102
6103 /etc/postfix/master.cf:
6104 smtp ... smtp -o smtp_bind_address=11.22.33.44
6105
6106 Note 1: when inet_interfaces specifies no more than one IPv4 address,
6107 and that address is a non-loopback address, it is automatically used as
6108 the smtp_bind_address. This supports virtual IP hosting, but can be a
6109 problem on multi-homed firewalls. See the inet_interfaces documentation
6110 for more detail.
6111
6112 Note 2: address information may be enclosed inside [], but this form is
6113 not required here.
6114
6116 An optional numerical network address that the Postfix SMTP client
6117 should bind to when making an IPv6 connection.
6118
6119 This feature is available in Postfix 2.2 and later.
6120
6121 This can be specified in the main.cf file for all SMTP clients, or it
6122 can be specified in the master.cf file for a specific client, for exam‐
6123 ple:
6124
6125 /etc/postfix/master.cf:
6126 smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6127
6128 Note 1: when inet_interfaces specifies no more than one IPv6 address,
6129 and that address is a non-loopback address, it is automatically used as
6130 the smtp_bind_address6. This supports virtual IP hosting, but can be a
6131 problem on multi-homed firewalls. See the inet_interfaces documentation
6132 for more detail.
6133
6134 Note 2: address information may be enclosed inside [], but this form is
6135 not recommended here.
6136
6138 Restricted body_checks(5) tables for the Postfix SMTP client. These
6139 tables are searched while mail is being delivered. Actions that change
6140 the delivery time or destination are not available.
6141
6142 This feature is available in Postfix 2.5 and later.
6143
6145 When the remote SMTP servername is a DNS CNAME, replace the servername
6146 with the result from CNAME expansion for the purpose of logging, SASL
6147 password lookup, TLS policy decisions, or TLS certificate verification.
6148 The value "no" hardens Postfix smtp_tls_per_site hostname-based poli‐
6149 cies against false hostname information in DNS CNAME records, and makes
6150 SASL password file lookups more predictable. This is the default set‐
6151 ting as of Postfix 2.3.
6152
6153 When DNS CNAME records are validated with secure DNS lookups
6154 (smtp_dns_support_level = dnssec), they are always allowed to override
6155 the above servername (Postfix 2.11 and later).
6156
6157 This feature is available in Postfix 2.2.9 and later.
6158
6160 The Postfix SMTP client time limit for completing a TCP connection, or
6161 zero (use the operating system built-in time limit).
6162
6163 When no connection can be made within the deadline, the Postfix SMTP
6164 client tries the next address on the mail exchanger list. Specify 0 to
6165 disable the time limit (i.e. use whatever timeout is implemented by the
6166 operating system).
6167
6168 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6169 The default time unit is s (seconds).
6170
6172 Permanently enable SMTP connection caching for the specified destina‐
6173 tions. With SMTP connection caching, a connection is not closed imme‐
6174 diately after completion of a mail transaction. Instead, the connec‐
6175 tion is kept open for up to $smtp_connection_cache_time_limit seconds.
6176 This allows connections to be reused for other deliveries, and can
6177 improve mail delivery performance.
6178
6179 Specify a comma or white space separated list of destinations or
6180 pseudo-destinations:
6181
6182 · if mail is sent without a relay host: a domain name (the
6183 right-hand side of an email address, without the [] around a
6184 numeric IP address),
6185
6186 · if mail is sent via a relay host: a relay host name (without []
6187 or non-default TCP port), as specified in main.cf or in the
6188 transport map,
6189
6190 · if mail is sent via a UNIX-domain socket: a pathname (without
6191 the unix: prefix),
6192
6193 · a /file/name with domain names and/or relay host names as
6194 defined above,
6195
6196 · a "type:table" with domain names and/or relay host names on the
6197 left-hand side. The right-hand side result from "type:table"
6198 lookups is ignored.
6199
6200 This feature is available in Postfix 2.2 and later.
6201
6203 Temporarily enable SMTP connection caching while a destination has a
6204 high volume of mail in the active queue. With SMTP connection caching,
6205 a connection is not closed immediately after completion of a mail
6206 transaction. Instead, the connection is kept open for up to $smtp_con‐
6207 nection_cache_time_limit seconds. This allows connections to be reused
6208 for other deliveries, and can improve mail delivery performance.
6209
6210 This feature is available in Postfix 2.2 and later.
6211
6213 When SMTP connection caching is enabled, the amount of time that an
6214 unused SMTP client socket is kept open before it is closed. Do not
6215 specify larger values without permission from the remote sites.
6216
6217 This feature is available in Postfix 2.2 and later.
6218
6220 When SMTP connection caching is enabled, the number of times that an
6221 SMTP session may be reused before it is closed, or zero (no limit).
6222 With a reuse count limit of N, a connection is used up to N+1 times.
6223
6224 NOTE: This feature is unsafe. When a high-volume destination has multi‐
6225 ple inbound MTAs, then the slowest inbound MTA will attract the most
6226 connections to that destination. This limitation does not exist with
6227 the smtp_connection_reuse_time_limit feature.
6228
6229 This feature is available in Postfix 2.11.
6230
6232 The amount of time during which Postfix will use an SMTP connection
6233 repeatedly. The timer starts when the connection is initiated (i.e. it
6234 includes the connect, greeting and helo latency, in addition to the
6235 latencies of subsequent mail delivery transactions).
6236
6237 This feature addresses a performance stability problem with remote SMTP
6238 servers. This problem is not specific to Postfix: it can happen when
6239 any MTA sends large amounts of SMTP email to a site that has multiple
6240 MX hosts.
6241
6242 The problem starts when one of a set of MX hosts becomes slower than
6243 the rest. Even though SMTP clients connect to fast and slow MX hosts
6244 with equal probability, the slow MX host ends up with more simultaneous
6245 inbound connections than the faster MX hosts, because the slow MX host
6246 needs more time to serve each client request.
6247
6248 The slow MX host becomes a connection attractor. If one MX host
6249 becomes N times slower than the rest, it dominates mail delivery
6250 latency unless there are more than N fast MX hosts to counter the
6251 effect. And if the number of MX hosts is smaller than N, the mail
6252 delivery latency becomes effectively that of the slowest MX host
6253 divided by the total number of MX hosts.
6254
6255 The solution uses connection caching in a way that differs from Postfix
6256 version 2.2. By limiting the amount of time during which a connection
6257 can be used repeatedly (instead of limiting the number of deliveries
6258 over that connection), Postfix not only restores fairness in the dis‐
6259 tribution of simultaneous connections across a set of MX hosts, it also
6260 favors deliveries over connections that perform well, which is exactly
6261 what we want.
6262
6263 The default reuse time limit, 300s, is comparable to the various smtp
6264 transaction timeouts which are fair estimates of maximum excess latency
6265 for a slow delivery. Note that hosts may accept thousands of messages
6266 over a single connection within the default connection reuse time
6267 limit. This number is much larger than the default Postfix version 2.2
6268 limit of 10 messages per cached connection. It may prove necessary to
6269 lower the limit to avoid interoperability issues with MTAs that exhibit
6270 bugs when many messages are delivered via a single connection. A lower
6271 reuse time limit risks losing the benefit of connection reuse when the
6272 average connection and mail delivery latency exceeds the reuse time
6273 limit.
6274
6275 This feature is available in Postfix 2.3 and later.
6276
6278 The Postfix SMTP client time limit for sending the SMTP ".", and for
6279 receiving the remote SMTP server response.
6280
6281 When no response is received within the deadline, a warning is logged
6282 that the mail may be delivered multiple times.
6283
6284 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6285 The default time unit is s (seconds).
6286
6288 The Postfix SMTP client time limit for sending the SMTP DATA command,
6289 and for receiving the remote SMTP server response.
6290
6291 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6292 The default time unit is s (seconds).
6293
6295 The Postfix SMTP client time limit for sending the SMTP message con‐
6296 tent. When the connection makes no progress for more than
6297 $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the
6298 transfer.
6299
6300 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6301 The default time unit is s (seconds).
6302
6304 Defer mail delivery when no MX record resolves to an IP address.
6305
6306 The default (no) is to return the mail as undeliverable. With older
6307 Postfix versions the default was to keep trying to deliver the mail
6308 until someone fixed the MX record or until the mail was too old.
6309
6310 Note: the Postfix SMTP client always ignores MX records with equal or
6311 worse preference than the local MTA itself.
6312
6313 This feature is available in Postfix 2.1 and later.
6314
6316 Optional filter for the smtp(8) delivery agent to change the delivery
6317 status code or explanatory text of successful or unsuccessful deliver‐
6318 ies. See default_delivery_status_filter for details.
6319
6320 NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6321 sages that may or may not be derived from remote SMTP server responses.
6322 In contrast, the smtp_reply_filter feature modifies remote SMTP server
6323 responses only.
6324
6326 smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)
6327 The maximal number of parallel deliveries to the same destination via
6328 the smtp message delivery transport. This limit is enforced by the
6329 queue manager. The message delivery transport name is the first field
6330 in the entry in the master.cf file.
6331
6333 smtp_destination_recipient_limit (default: $default_destination_recipient_limit)
6334 The maximal number of recipients per message for the smtp message
6335 delivery transport. This limit is enforced by the queue manager. The
6336 message delivery transport name is the first field in the entry in the
6337 master.cf file.
6338
6339 Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6340 tination_concurrency_limit from concurrency per domain into concurrency
6341 per recipient.
6342
6344 Lookup tables, indexed by the remote SMTP server address, with case
6345 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
6346 that the Postfix SMTP client will ignore in the EHLO response from a
6347 remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6348 ble is not indexed by hostname for consistency with smtpd_dis‐
6349 card_ehlo_keyword_address_maps.
6350
6351 Specify zero or more "type:name" lookup tables, separated by whitespace
6352 or comma. Tables will be searched in the specified order until a match
6353 is found.
6354
6355 This feature is available in Postfix 2.2 and later.
6356
6358 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
6359 etc.) that the Postfix SMTP client will ignore in the EHLO response
6360 from a remote SMTP server.
6361
6362 This feature is available in Postfix 2.2 and later.
6363
6364 Notes:
6365
6366 · Specify the silent-discard pseudo keyword to prevent this action
6367 from being logged.
6368
6369 · Use the smtp_discard_ehlo_keyword_address_maps feature to dis‐
6370 card EHLO keywords selectively.
6371
6372 smtp_dns_reply_filter (default: empty)
6373 Optional filter for Postfix SMTP client DNS lookup results. Specify
6374 zero or more lookup tables. The lookup tables are searched in the
6375 given order for a match with the DNS lookup result, converted to the
6376 following form:
6377
6378 name ttl class type preference value
6379
6380 The class field is always "IN", the preference field exists only for MX
6381 records, the names of hosts, domains, etc. end in ".", and those names
6382 are in ASCII form (xn--mumble form in the case of UTF8 names).
6383
6384 When a match is found, the table lookup result specifies an action. By
6385 default, the table query and the action name are case-insensitive.
6386 Currently, only the IGNORE action is implemented.
6387
6388 Notes:
6389
6390 · Postfix DNS reply filters have no effect on implicit DNS lookups
6391 through nsswitch.conf or equivalent mechanisms.
6392
6393 · The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and
6394 lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
6395 service (record types MX, A, AAAA, and TLSA). These lookups
6396 are also made to implement the features reject_unverified_sender
6397 and reject_unverified_recipient.
6398
6399 · The Postfix SMTP/LMTP client defers mail delivery when a filter
6400 removes all lookup results from a successful query.
6401
6402 · Postfix SMTP server uses smtpd_dns_reply_filter only to look up
6403 MX, A, AAAA, and TXT records to implement the features
6404 reject_unknown_helo_hostname, reject_unknown_sender_domain,
6405 reject_unknown_recipient_domain, reject_rbl_*, and
6406 reject_rhsbl_*.
6407
6408 · The Postfix SMTP server logs a warning or defers mail delivery
6409 when a filter removes all lookup results from a successful
6410 query.
6411
6412 Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6413 because Google sometimes hard-rejects mail from IPv6 clients with valid
6414 PTR etc. records.
6415
6416 /etc/postfix/main.cf:
6417 smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6418
6419 /etc/postfix/smtp_dns_reply_filter:
6420 # /domain ttl IN AAAA address/ action, all case-insensitive.
6421 # Note: the domain name ends in ".".
6422 /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6423
6424 This feature is available in Postfix 3.0 and later.
6425
6427 DNS Resolver options for the Postfix SMTP client. Specify zero or more
6428 of the following options, separated by comma or whitespace. Option
6429 names are case-sensitive. Some options refer to domain names that are
6430 specified in the file /etc/resolv.conf or equivalent.
6431
6432 res_defnames
6433 Append the current domain name to single-component names (those
6434 that do not contain a "." character). This can produce incorrect
6435 results, and is the hard-coded behavior prior to Postfix 2.8.
6436
6437 res_dnsrch
6438 Search for host names in the current domain and in parent
6439 domains. This can produce incorrect results and is therefore not
6440 recommended.
6441
6442 This feature is available in Postfix 2.8 and later.
6443
6444 smtp_dns_support_level (default: empty)
6445 Level of DNS support in the Postfix SMTP client. With "smtp_dns_sup‐
6446 port_level" left at its empty default value, the legacy "dis‐
6447 able_dns_lookups" parameter controls whether DNS is enabled in the
6448 Postfix SMTP client, otherwise the legacy parameter is ignored.
6449
6450 Specify one of the following:
6451
6452 disabled
6453 Disable DNS lookups. No MX lookups are performed and hostname
6454 to address lookups are unconditionally "native". This setting
6455 is not appropriate for hosts that deliver mail to the public
6456 Internet. Some obsolete how-to documents recommend disabling
6457 DNS lookups in some configurations with content_filters. This
6458 is no longer required and is strongly discouraged.
6459
6460 enabled
6461 Enable DNS lookups. Nexthop destination domains not enclosed in
6462 "[]" will be subject to MX lookups. If "dns" and "native" are
6463 included in the "smtp_host_lookup" parameter value, DNS will be
6464 queried first to resolve MX-host A records, followed by "native"
6465 lookups if no answer is found in DNS.
6466
6467 dnssec Enable DNSSEC lookups. The "dnssec" setting differs from the
6468 "enabled" setting above in the following ways:
6469
6470 · Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to
6471 request DNSSEC-validated responses. If the MX response is
6472 DNSSEC-validated the corresponding hostnames are considered val‐
6473 idated.
6474
6475 · The address lookups of validated hostnames are also validated,
6476 (provided of course "smtp_host_lookup" includes "dns", see
6477 below).
6478
6479 · Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6480 tion block any "native" lookups. Additional "native" lookups
6481 only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6482
6483 The Postfix SMTP client considers non-MX "[nexthop]" and "[nex‐
6484 thop]:port" destinations equivalent to statically-validated MX records
6485 of the form "nexthop. IN MX 0 nexthop." Therefore, with "dnssec" sup‐
6486 port turned on, validated hostname-to-address lookups apply to the nex‐
6487 thop domain of any "[nexthop]" or "[nexthop]:port" destination. This
6488 is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6489 LMTP hostnames are never subject to MX lookups.
6490
6491 The "dnssec" setting is recommended only if you plan to use the dane or
6492 dane-only TLS security level, otherwise enabling DNSSEC support in
6493 Postfix offers no additional security. Postfix DNSSEC support relies
6494 on an upstream recursive nameserver that validates DNSSEC signatures.
6495 Such a DNS server will always filter out forged DNS responses, even
6496 when Postfix itself is not configured to use DNSSEC.
6497
6498 When using Postfix DANE support the "smtp_host_lookup" parameter should
6499 include "dns", as DANE is not applicable to hosts resolved via "native"
6500 lookups.
6501
6502 As mentioned above, Postfix is not a validating stub resolver; it
6503 relies on the system's configured DNSSEC-validating recursive name‐
6504 server to perform all DNSSEC validation. Since this nameserver's
6505 DNSSEC-validated responses will be fully trusted, it is strongly recom‐
6506 mended that the MTA host have a local DNSSEC-validating recursive
6507 caching nameserver listening on a loopback address, and be configured
6508 to use only this nameserver for all lookups. Otherwise, Postfix may
6509 remain subject to man-in-the-middle attacks that forge responses from
6510 the recursive nameserver.
6511
6512 DNSSEC support requires a version of Postfix compiled against a reason‐
6513 ably-modern DNS resolver(3) library that implements the RES_USE_DNSSEC
6514 and RES_USE_EDNS0 resolver options.
6515
6516 This feature is available in Postfix 2.11 and later.
6517
6518 smtp_enforce_tls (default: no)
6519 Enforcement mode: require that remote SMTP servers use TLS encryption,
6520 and never send mail in the clear. This also requires that the remote
6521 SMTP server hostname matches the information in the remote server cer‐
6522 tificate, and that the remote SMTP server certificate was issued by a
6523 CA that is trusted by the Postfix SMTP client. If the certificate
6524 doesn't verify or the hostname doesn't match, delivery is deferred and
6525 mail stays in the queue.
6526
6527 The server hostname is matched against all names provided as dNSNames
6528 in the SubjectAlternativeName. If no dNSNames are specified, the Com‐
6529 monName is checked. The behavior may be changed with the
6530 smtp_tls_enforce_peername option.
6531
6532 This option is useful only if you are definitely sure that you will
6533 only connect to servers that support RFC 2487 _and_ that provide valid
6534 server certificates. Typical use is for clients that send all their
6535 email to a dedicated mailhub.
6536
6537 This feature is available in Postfix 2.2 and later. With Postfix 2.3
6538 and later use smtp_tls_security_level instead.
6539
6540 smtp_fallback_relay (default: $fallback_relay)
6541 Optional list of relay hosts for SMTP destinations that can't be found
6542 or that are unreachable. With Postfix 2.2 and earlier this parameter is
6543 called fallback_relay.
6544
6545 By default, mail is returned to the sender when a destination is not
6546 found, and delivery is deferred when a destination is unreachable.
6547
6548 With bulk email deliveries, it can be beneficial to run the fallback
6549 relay MTA on the same host, so that it can reuse the sender IP address.
6550 This speeds up deliveries that are delayed by IP-based reputation sys‐
6551 tems (greylist, etc.).
6552
6553 The fallback relays must be SMTP destinations. Specify a domain, host,
6554 host:port, [host]:port, [address] or [address]:port; the form [host]
6555 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
6556 fix will try them in the specified order.
6557
6558 To prevent mailer loops between MX hosts and fall-back hosts, Postfix
6559 version 2.2 and later will not use the fallback relays for destinations
6560 that it is MX host for (assuming DNS lookup is turned on).
6561
6562 smtp_generic_maps (default: empty)
6563 Optional lookup tables that perform address rewriting in the Postfix
6564 SMTP client, typically to transform a locally valid address into a
6565 globally valid address when sending mail across the Internet. This is
6566 needed when the local machine does not have its own Internet domain
6567 name, but uses something like localdomain.local instead.
6568
6569 Specify zero or more "type:name" lookup tables, separated by whitespace
6570 or comma. Tables will be searched in the specified order until a match
6571 is found.
6572
6573 The table format and lookups are documented in generic(5); examples are
6574 shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
6575 documents.
6576
6577 This feature is available in Postfix 2.2 and later.
6578
6579 smtp_header_checks (default: empty)
6580 Restricted header_checks(5) tables for the Postfix SMTP client. These
6581 tables are searched while mail is being delivered. Actions that change
6582 the delivery time or destination are not available.
6583
6584 This feature is available in Postfix 2.5 and later.
6585
6586 smtp_helo_name (default: $myhostname)
6587 The hostname to send in the SMTP HELO or EHLO command.
6588
6589 The default value is the machine hostname. Specify a hostname or
6590 [ip.add.re.ss].
6591
6592 This information can be specified in the main.cf file for all SMTP
6593 clients, or it can be specified in the master.cf file for a specific
6594 client, for example:
6595
6596 /etc/postfix/master.cf:
6597 mysmtp ... smtp -o smtp_helo_name=foo.bar.com
6598
6599 This feature is available in Postfix 2.0 and later.
6600
6601 smtp_helo_timeout (default: 300s)
6602 The Postfix SMTP client time limit for sending the HELO or EHLO com‐
6603 mand, and for receiving the initial remote SMTP server response.
6604
6605 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6606 The default time unit is s (seconds).
6607
6608 smtp_host_lookup (default: dns)
6609 What mechanisms the Postfix SMTP client uses to look up a host's IP
6610 address. This parameter is ignored when DNS lookups are disabled (see:
6611 disable_dns_lookups and smtp_dns_support_level). The "dns" mechanism
6612 is always tried before "native" if both are listed.
6613
6614 Specify one of the following:
6615
6616 dns Hosts can be found in the DNS (preferred).
6617
6618 native Use the native naming service only (nsswitch.conf, or equivalent
6619 mechanism).
6620
6621 dns, native
6622 Use the native service for hosts not found in the DNS.
6623
6624 This feature is available in Postfix 2.1 and later.
6625
6626 smtp_line_length_limit (default: 998)
6627 The maximal length of message header and body lines that Postfix will
6628 send via SMTP. This limit does not include the <CR><LF> at the end of
6629 each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to
6630 minimize the damage to MIME formatted mail.
6631
6632 The Postfix limit of 998 characters not including <CR><LF> is consis‐
6633 tent with the SMTP limit of 1000 characters including <CR><LF>. The
6634 Postfix limit was 990 with Postfix 2.8 and earlier.
6635
6636 smtp_mail_timeout (default: 300s)
6637 The Postfix SMTP client time limit for sending the MAIL FROM command,
6638 and for receiving the remote SMTP server response.
6639
6640 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6641 The default time unit is s (seconds).
6642
6643 smtp_mime_header_checks (default: empty)
6644 Restricted mime_header_checks(5) tables for the Postfix SMTP client.
6645 These tables are searched while mail is being delivered. Actions that
6646 change the delivery time or destination are not available.
6647
6648 This feature is available in Postfix 2.5 and later.
6649
6650 smtp_mx_address_limit (default: 5)
6651 The maximal number of MX (mail exchanger) IP addresses that can result
6652 from Postfix SMTP client mail exchanger lookups, or zero (no limit).
6653 Prior to Postfix version 2.3, this limit was disabled by default.
6654
6655 This feature is available in Postfix 2.1 and later.
6656
6657 smtp_mx_session_limit (default: 2)
6658 The maximal number of SMTP sessions per delivery request before the
6659 Postfix SMTP client gives up or delivers to a fall-back relay host, or
6660 zero (no limit). This restriction ignores sessions that fail to com‐
6661 plete the SMTP initial handshake (Postfix version 2.2 and earlier) or
6662 that fail to complete the EHLO and TLS handshake (Postfix version 2.3
6663 and later).
6664
6665 This feature is available in Postfix 2.1 and later.
6666
6667 smtp_nested_header_checks (default: empty)
6668 Restricted nested_header_checks(5) tables for the Postfix SMTP client.
6669 These tables are searched while mail is being delivered. Actions that
6670 change the delivery time or destination are not available.
6671
6672 This feature is available in Postfix 2.5 and later.
6673
6674 smtp_never_send_ehlo (default: no)
6675 Never send EHLO at the start of an SMTP session. See also the
6676 smtp_always_send_ehlo parameter.
6677
6678 smtp_per_record_deadline (default: no)
6679 Change the behavior of the smtp_*_timeout time limits, from a time
6680 limit per read or write system call, to a time limit to send or receive
6681 a complete record (an SMTP command line, SMTP response line, SMTP mes‐
6682 sage content line, or TLS protocol message). This limits the impact
6683 from hostile peers that trickle data one byte at a time.
6684
6685 Note: when per-record deadlines are enabled, a short timeout may cause
6686 problems with TLS over very slow network connections. The reasons are
6687 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
6688 and that an entire TLS protocol message must be sent or received within
6689 the per-record deadline.
6690
6691 This feature is available in Postfix 2.9 and later. With older Postfix
6692 releases, the behavior is as if this parameter is set to "no".
6693
6694 smtp_pix_workaround_delay_time (default: 10s)
6695 How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
6696 order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
6697
6698 Choosing a too short time makes this workaround ineffective when send‐
6699 ing large messages over slow network connections.
6700
6701 smtp_pix_workaround_maps (default: empty)
6702 Lookup tables, indexed by the remote SMTP server address, with per-des‐
6703 tination workarounds for CISCO PIX firewall bugs. The table is not
6704 indexed by hostname for consistency with smtp_discard_ehlo_key‐
6705 word_address_maps.
6706
6707 Specify zero or more "type:name" lookup tables, separated by whitespace
6708 or comma. Tables will be searched in the specified order until a match
6709 is found.
6710
6711 This feature is available in Postfix 2.4 and later.
6712
6713 smtp_pix_workaround_threshold_time (default: 500s)
6714 How long a message must be queued before the Postfix SMTP client turns
6715 on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
6716 through firewalls with "smtp fixup" mode turned on.
6717
6718 By default, the workaround is turned off for mail that is queued for
6719 less than 500 seconds. In other words, the workaround is normally
6720 turned off for the first delivery attempt.
6721
6722 Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
6723 upon the first delivery attempt.
6724
6725 smtp_pix_workarounds (default: disable_esmtp, delay_dotcrlf)
6726 A list that specifies zero or more workarounds for CISCO PIX firewall
6727 bugs. These workarounds are implemented by the Postfix SMTP client.
6728 Workaround names are separated by comma or space, and are case insensi‐
6729 tive. This parameter setting can be overruled with per-destination
6730 smtp_pix_workaround_maps settings.
6731
6732 delay_dotcrlf
6733 Insert a delay before sending ".<CR><LF>" after the end of the
6734 message content. The delay is subject to the smtp_pix_work‐
6735 around_delay_time and smtp_pix_workaround_threshold_time parame‐
6736 ter settings.
6737
6738 disable_esmtp
6739 Disable all extended SMTP commands: send HELO instead of EHLO.
6740
6741 This feature is available in Postfix 2.4 and later. The default set‐
6742 tings are backwards compatible with earlier Postfix versions.
6743
6744 smtp_quit_timeout (default: 300s)
6745 The Postfix SMTP client time limit for sending the QUIT command, and
6746 for receiving the remote SMTP server response.
6747
6748 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6749 The default time unit is s (seconds).
6750
6751 smtp_quote_rfc821_envelope (default: yes)
6752 Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
6753 as required by RFC 5321. This includes putting quotes around an address
6754 localpart that ends in ".".
6755
6756 The default is to comply with RFC 5321. If you have to send mail to a
6757 broken SMTP server, configure a special SMTP client in master.cf:
6758
6759 /etc/postfix/master.cf:
6760 broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
6761
6762 and route mail for the destination in question to the "broken-smtp"
6763 message delivery with a transport(5) table.
6764
6765 This feature is available in Postfix 2.1 and later.
6766
6767 smtp_randomize_addresses (default: yes)
6768 Randomize the order of equal-preference MX host addresses. This is a
6769 performance feature of the Postfix SMTP client.
6770
6771 smtp_rcpt_timeout (default: 300s)
6772 The Postfix SMTP client time limit for sending the SMTP RCPT TO com‐
6773 mand, and for receiving the remote SMTP server response.
6774
6775 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6776 The default time unit is s (seconds).
6777
6778 smtp_reply_filter (default: empty)
6779 A mechanism to transform replies from remote SMTP servers one line at a
6780 time. This is a last-resort tool to work around server replies that
6781 break interoperability with the Postfix SMTP client. Other uses
6782 involve fault injection to test Postfix's handling of invalid
6783 responses.
6784
6785 Notes:
6786
6787 · In the case of a multi-line reply, the Postfix SMTP client uses
6788 the final reply line's numerical SMTP reply code and enhanced
6789 status code.
6790
6791 · The numerical SMTP reply code (XYZ) takes precedence over the
6792 enhanced status code (X.Y.Z). When the enhanced status code
6793 initial digit differs from the SMTP reply code initial digit, or
6794 when no enhanced status code is present, the Postfix SMTP client
6795 uses a generic enhanced status code (X.0.0) instead.
6796
6797 Specify the name of a "type:table" lookup table. The search string is a
6798 single SMTP reply line as received from the remote SMTP server, except
6799 that the trailing <CR><LF> are removed. When the lookup succeeds, the
6800 result replaces the single SMTP reply line.
6801
6802 Examples:
6803
6804 /etc/postfix/main.cf:
6805 smtp_reply_filter = pcre:/etc/postfix/reply_filter
6806
6807 /etc/postfix/reply_filter:
6808 # Transform garbage into "250-filler..." so that it looks like
6809 # one line from a multi-line reply. It does not matter what we
6810 # substitute here as long it has the right syntax. The Postfix
6811 # SMTP client will use the final line's numerical SMTP reply
6812 # code and enhanced status code.
6813 !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
6814
6815 This feature is available in Postfix 2.7.
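The notes above (final-line code, numerical code over enhanced code, generic X.0.0 fallback) are easy to get wrong when reasoning about what a filtered reply will do, so here is a Python model of that digestion step. It is an added illustration, not Postfix source: the (negate, pattern, replacement) triple stands in for a pcre: table entry, and the sample reply is constructed, not captured.

```python
import re

# Added model of how the Postfix SMTP client digests a multi-line server
# reply after smtp_reply_filter has rewritten it one line at a time. This
# is illustration, not Postfix source; the table representation
# (negate, pattern, replacement) stands in for a pcre: table entry.

REPLY_LINE = re.compile(r"^([2-5][0-9][0-9])([- ]|$)(.*)$")
ENHANCED = re.compile(r"^([2-5])\.(\d{1,3})\.(\d{1,3})(?:\s|$)")

def filter_line(line, table):
    """Look one reply line (trailing CRLF already removed) up in the table;
    the first entry that matches replaces the whole line. A "!" entry, the
    form used in the example above, fires when the pattern does NOT match."""
    for negate, pattern, replacement in table:
        matched = re.search(pattern, line, re.IGNORECASE) is not None
        if matched != negate:
            return replacement
    return line

def parse_reply(lines, table=()):
    """Filter every line, then read the numerical code and the enhanced
    status code from the final line only. The numerical code takes
    precedence: when the enhanced code is missing or its first digit
    differs, a generic X.0.0 is used. Returns (code, enhanced, lines)."""
    filtered = [filter_line(line, table) for line in lines]
    m = REPLY_LINE.match(filtered[-1])
    if m is None:
        raise ValueError("malformed final reply line: %r" % filtered[-1])
    code, text = m.group(1), m.group(3)
    e = ENHANCED.match(text)
    if e is not None and e.group(1) == code[0]:
        enhanced = "%s.%s.%s" % e.groups()
    else:
        enhanced = code[0] + ".0.0"
    return code, enhanced, filtered

# The table from the example above: anything that does not start like an
# SMTP reply line becomes a harmless continuation line.
GARBAGE_TO_FILLER = [(True, r"^([2-5][0-9][0-9]($|[- ]))", "250-filler for garbage")]

# Constructed reply from a misbehaving server (sample data, not captured).
SAMPLE_REPLY = [
    "250-mail.example.com Hello client.example.net",
    "some junk the server emitted mid-reply",
    "250 2.1.0 Ok",
]

if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY, GARBAGE_TO_FILLER))
```

The same function shows why the precedence rule matters: a server that answers "550 4.7.1 ..." is treated as a permanent failure with status 5.0.0, not as the temporary 4.7.1 its enhanced code claims.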
6816
6817 smtp_rset_timeout (default: 20s)
6818 The Postfix SMTP client time limit for sending the RSET command, and
6819 for receiving the remote SMTP server response. The SMTP client sends
6820 RSET in order to finish a recipient address probe, or to verify that a
6821 cached session is still usable.
6822
6823 This feature is available in Postfix 2.1 and later.
6824
6825 smtp_sasl_auth_cache_name (default: empty)
6826 An optional table to prevent repeated SASL authentication failures with
6827 the same remote SMTP server hostname, username and password. Each table
6828 (key, value) pair contains a server name, a username and password, and
6829 the full server response. This information is stored when a remote SMTP
6830 server rejects an authentication attempt with a 535 reply code. As
6831 long as the smtp_sasl_password_maps information does not change, and as
6832 long as the smtp_sasl_auth_cache_name information does not expire (see
6833 smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL authen‐
6834 tication attempts with the same server, username and password, and
6835 instead bounces or defers mail as controlled with the
6836 smtp_sasl_auth_soft_bounce configuration parameter.
6837
6838 Use a per-destination delivery concurrency of 1 (for example,
6839 "smtp_destination_concurrency_limit = 1", "relay_destination_concur‐
6840 rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
6841 ence a login failure at the same time.
6842
6843 The table must be accessed via the proxywrite service, i.e. the map
6844 name must start with "proxy:". The table should be stored under the
6845 directory specified with the data_directory parameter.
6846
6847 This feature uses cryptographic hashing to protect plain-text pass‐
6848 words, and requires that Postfix is compiled with TLS support.
6849
6850 Example:
6851
6852 smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
6853
6854 This feature is available in Postfix 2.5 and later.
6855
6856 smtp_sasl_auth_cache_time (default: 90d)
6857 The maximal age of an smtp_sasl_auth_cache_name entry before it is
6858 removed.
6859
6860 This feature is available in Postfix 2.5 and later.
6861
6862 smtp_sasl_auth_enable (default: no)
6863 Enable SASL authentication in the Postfix SMTP client. By default, the
6864 Postfix SMTP client uses no authentication.
6865
6866 Example:
6867
6868 smtp_sasl_auth_enable = yes
6869
6870 smtp_sasl_auth_soft_bounce (default: yes)
6871 When a remote SMTP server rejects a SASL authentication request with a
6872 535 reply code, defer mail delivery instead of returning mail as unde‐
6873 liverable. The latter behavior was hard-coded prior to Postfix version
6874 2.5.
6875
6876 Note: the setting "yes" overrides the global soft_bounce parameter, but
6877 the setting "no" does not.
6878
6879 Example:
6880
6881 # Default as of Postfix 2.5
6882 smtp_sasl_auth_soft_bounce = yes
6883 # The old hard-coded default
6884 smtp_sasl_auth_soft_bounce = no
6885
6886 This feature is available in Postfix 2.5 and later.
6887
6888 smtp_sasl_mechanism_filter (default: empty)
6889 If non-empty, a Postfix SMTP client filter for the remote SMTP server's
6890 list of offered SASL mechanisms. Different client and server implemen‐
6891 tations may support different mechanism lists; by default, the Postfix
6892 SMTP client will use the intersection of the two. smtp_sasl_mecha‐
6893 nism_filter specifies an optional third mechanism list to intersect
6894 with.
6895
6896 Specify mechanism names, "/file/name" patterns or "type:table" lookup
6897 tables. The right-hand side result from "type:table" lookups is
6898 ignored. Specify "!pattern" to exclude a mechanism name from the list.
6899 The form "!/file/name" is supported only in Postfix version 2.4 and
6900 later.
6901
6902 This feature is available in Postfix 2.2 and later.
6903
6904 Examples:
6905
6906 smtp_sasl_mechanism_filter = plain, login
6907 smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
6908 smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
6909
6910 smtp_sasl_password_maps (default: empty)
6911 Optional Postfix SMTP client lookup tables with one username:password
6912 entry per sender, remote hostname or next-hop domain. Per-sender lookup
6913 is done only when sender-dependent authentication is enabled. If no
6914 username:password entry is found, then the Postfix SMTP client will not
6915 attempt to authenticate to the remote host.
6916
6917 The Postfix SMTP client opens the lookup table before going to chroot
6918 jail, so you can leave the password file in /etc/postfix.
6919
6920 Specify zero or more "type:name" lookup tables, separated by whitespace
6921 or comma. Tables will be searched in the specified order until a match
6922 is found.
6923
6924 smtp_sasl_path (default: empty)
6925 Implementation-specific information that the Postfix SMTP client passes
6926 through to the SASL plug-in implementation that is selected with
6927 smtp_sasl_type. Typically this specifies the name of a configuration
6928 file or rendezvous point.
6929
6930 This feature is available in Postfix 2.3 and later.
6931
6932 smtp_sasl_security_options (default: noplaintext, noanonymous)
6933 Postfix SMTP client SASL security options; as of Postfix 2.3 the list
6934 of available features depends on the SASL client implementation that is
6935 selected with smtp_sasl_type.
6936
6937 The following security features are defined for the cyrus client SASL
6938 implementation:
6939
6940 Specify zero or more of the following:
6941
6942 noplaintext
6943 Disallow methods that use plaintext passwords.
6944
6945 noactive
6946 Disallow methods subject to active (non-dictionary) attack.
6947
6948 nodictionary
6949 Disallow methods subject to passive (dictionary) attack.
6950
6951 noanonymous
6952 Disallow methods that allow anonymous authentication.
6953
6954 mutual_auth
6955 Only allow methods that provide mutual authentication (not
6956 available with SASL version 1).
6957
6958 Example:
6959
6960 smtp_sasl_security_options = noplaintext
6961
6962 smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)
6963 The SASL authentication security options that the Postfix SMTP client
6964 uses for TLS encrypted SMTP sessions.
6965
6966 This feature is available in Postfix 2.2 and later.
6967
6968 smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)
6970 The SASL authentication security options that the Postfix SMTP client
6971 uses for TLS encrypted SMTP sessions with a verified server certifi‐
6972 cate.
6973
6974 When mail is sent to the public MX host for the recipient's domain,
6975 server certificates are by default optional, and delivery proceeds even
6976 if certificate verification fails. For delivery via a submission ser‐
6977 vice that requires SASL authentication, it may be appropriate to send
6978 plaintext passwords only when the connection to the server is strongly
6979 encrypted and the server identity is verified.
6980
6981 The smtp_sasl_tls_verified_security_options parameter makes it possible
6982 to only enable plaintext mechanisms when a secure connection to the
6983 server is available. Submission servers subject to this policy must
6984 either have verifiable certificates or offer suitable non-plaintext
6985 SASL mechanisms.
6986
6987 This feature is available in Postfix 2.6 and later.
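The following Python model ties together the mechanism selection described under smtp_sasl_mechanism_filter (intersection of the server's, the client's and the filter's lists, with "!name" exclusions) and the three layered security option parameters, showing which mechanisms a client would actually try on a plaintext, an encrypted and a verified session. It is an added illustration, not Postfix or Cyrus SASL source; the table of mechanism properties, the server and client mechanism lists, and the decision to leave "noactive" and "/file/name" patterns unmodelled are assumptions made for the example.

```python
# Added model of how the Postfix SMTP client narrows the SASL mechanism
# list: the server's EHLO AUTH list is intersected with the client's own
# list and with smtp_sasl_mechanism_filter, then the security options in
# force for the session remove mechanisms with forbidden properties. This
# is illustration, not Postfix or Cyrus SASL source; the mechanism
# properties table below is an assumption for the example.

MECH_PROPS = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": {"dictionary"},    # password-derived challenge/response
    "DIGEST-MD5": {"dictionary"},
    "GSSAPI": {"mutual_auth"},
}

OPTION_FORBIDS = {
    "noplaintext": "plaintext",
    "noanonymous": "anonymous",
    "nodictionary": "dictionary",
}

def _split(spec):
    return spec.replace(",", " ").split()

def mechanism_filter_accepts(mech, spec):
    """Evaluate smtp_sasl_mechanism_filter as a Postfix string list: entries
    are tried in order, the first that matches decides, "!name" rejects and
    a name matching no entry is rejected. "static:..." matches every name;
    "/file/name" and other table forms are not modelled. Empty means no
    filter."""
    tokens = _split(spec)
    if not tokens:
        return True
    for tok in tokens:
        negate = tok.startswith("!")
        pat = tok[1:] if negate else tok
        if pat.lower().startswith("static:") or pat.upper() == mech.upper():
            return not negate
    return False

def usable_mechanisms(server_offered, client_supported, mech_filter, options):
    """Mechanisms the client may try, sorted, given the three lists and the
    security options ("noplaintext, noanonymous", "mutual_auth", ...).
    "noactive" is not modelled."""
    candidates = {m.upper() for m in server_offered} & {m.upper() for m in client_supported}
    candidates = {m for m in candidates if mechanism_filter_accepts(m, mech_filter)}
    for opt in _split(options):
        opt = opt.lower()
        if opt in OPTION_FORBIDS:
            bad = OPTION_FORBIDS[opt]
            candidates = {m for m in candidates if bad not in MECH_PROPS.get(m, set())}
        elif opt == "mutual_auth":
            candidates = {m for m in candidates if "mutual_auth" in MECH_PROPS.get(m, set())}
    return sorted(candidates)

def options_for_session(tls_state, sasl_opts, tls_opts=None, verified_opts=None):
    """Pick the option list the three parameters layer onto a session:
    verified_opts when TLS is up and the server certificate verified,
    tls_opts for any other TLS session, sasl_opts for plaintext sessions.
    None stands for a parameter left at its default, which refers to the
    next list down, exactly as the defaults chain."""
    if tls_state == "verified" and verified_opts is not None:
        return verified_opts
    if tls_state in ("verified", "encrypted") and tls_opts is not None:
        return tls_opts
    return sasl_opts

# Constructed example: a submission server and a client with these lists.
SERVER_AUTH = ["PLAIN", "LOGIN", "CRAM-MD5", "GSSAPI"]
CLIENT_MECHS = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "ANONYMOUS"]

def plan_auth(tls_state, mech_filter=""):
    """The policy the text describes: plaintext passwords only when the
    server identity was verified, otherwise no plaintext mechanisms."""
    opts = options_for_session(tls_state,
                               sasl_opts="noplaintext, noanonymous",
                               tls_opts=None,
                               verified_opts="noanonymous")
    return usable_mechanisms(SERVER_AUTH, CLIENT_MECHS, mech_filter, opts)

if __name__ == "__main__":
    for state in ("none", "encrypted", "verified"):
        print(state, plan_auth(state))
```

Note the filter semantics the model reproduces: a list that contains only exclusions such as "!login" matches nothing and therefore disables every mechanism; the "static:rest" entry in the examples above is what lets the remaining mechanisms through.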
6988
6989 smtp_sasl_type (default: cyrus)
6990 The SASL plug-in type that the Postfix SMTP client should use for
6991 authentication. The available types are listed with the "postconf -A"
6992 command.
6993
6994 This feature is available in Postfix 2.3 and later.
6995
6996 smtp_send_dummy_mail_auth (default: no)
6997 Whether or not to append the "AUTH=<>" option to the MAIL FROM command
6998 in SASL-authenticated SMTP sessions. The default is not to send this,
6999 to avoid problems with broken remote SMTP servers. Before Postfix 2.9
7000 the behavior is as if "smtp_send_dummy_mail_auth = yes".
7001
7002 This feature is available in Postfix 2.9 and later.
7003
7004 smtp_send_xforward_command (default: no)
7005 Send the non-standard XFORWARD command when the Postfix SMTP server
7006 EHLO response announces XFORWARD support.
7007
7008 This allows a Postfix SMTP delivery agent, used for injecting mail into
7009 a content filter, to forward the name, address, protocol and HELO name
7010 of the original client to the content filter and downstream queuing
7011 SMTP server. This can produce more useful logging than local‐
7012 host[127.0.0.1] etc.
7013
7014 This feature is available in Postfix 2.1 and later.
7015
7016 smtp_sender_dependent_authentication (default: no)
7017 Enable sender-dependent authentication in the Postfix SMTP client; this
7018 is available only with SASL authentication, and disables SMTP connec‐
7019 tion caching to ensure that mail from different senders will use the
7020 appropriate credentials.
7021
7022 This feature is available in Postfix 2.3 and later.
7023
7024 smtp_skip_4xx_greeting (default: yes)
7025 Skip SMTP servers that greet with a 4XX status code (go away, try again
7026 later).
7027
7028 By default, the Postfix SMTP client moves on to the next mail exchanger.
7029 Specify "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
7030 immediately.
7031
7032 This feature is available in Postfix 2.0 and earlier. Later Postfix
7033 versions always skip remote SMTP servers that greet with a 4XX status
7034 code.
7035
7036 smtp_skip_5xx_greeting (default: yes)
7037 Skip remote SMTP servers that greet with a 5XX status code.
7038
7039 By default, the Postfix SMTP client moves on to the next mail exchanger.
7040 Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
7041 immediately. Caution: the latter behavior appears to contradict RFC
7042 2821.
7043
7044 smtp_skip_quit_response (default: yes)
7045 Do not wait for the response to the SMTP QUIT command.
7046
7047 smtp_starttls_timeout (default: 300s)
7048 Time limit for Postfix SMTP client write and read operations during TLS
7049 startup and shutdown handshake procedures.
7050
7051 This feature is available in Postfix 2.2 and later.
7052
7053 smtp_tcp_port (default: smtp)
7054 The default TCP port that the Postfix SMTP client connects to. Specify
7055 a symbolic name (see services(5)) or a numeric port.
7056
7057 smtp_tls_CAfile (default: empty)
7058 A file containing CA certificates of root CAs trusted to sign either
7059 remote SMTP server certificates or intermediate CA certificates. These
7060 are loaded into memory before the smtp(8) client enters the chroot
7061 jail. If the number of trusted roots is large, consider using
7062 smtp_tls_CApath instead, but note that the latter directory must be
7063 present in the chroot jail if the smtp(8) client is chrooted. This file
7064 may also be used to augment the client certificate trust chain, but it
7065 is best to include all the required certificates directly in
7066 $smtp_tls_cert_file.
7067
7068 Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
7069 system-supplied default Certification Authority certificates.
7070
7071 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7072 the system-supplied default CAs and trusting third-party certificates.
7073
7074 Example:
7075
7076 smtp_tls_CAfile = /etc/postfix/CAcert.pem
7077
7078 This feature is available in Postfix 2.2 and later.
7079
7080 smtp_tls_CApath (default: empty)
7081 Directory with PEM format Certification Authority certificates that the
7082 Postfix SMTP client uses to verify a remote SMTP server certificate.
7083 Don't forget to create the necessary "hash" links with, for example,
7084 "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
7085
7086 To use this option in chroot mode, this directory (or a copy) must be
7087 inside the chroot jail.
7088
7089 Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
7090 the system-supplied default Certification Authority certificates.
7091
7092 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7093 the system-supplied default CAs and trusting third-party certificates.
7094
7095 Example:
7096
7097 smtp_tls_CApath = /etc/postfix/certs
7098
7099 This feature is available in Postfix 2.2 and later.
7100
7101 smtp_tls_block_early_mail_reply (default: no)
7102 Try to detect a mail hijacking attack based on a TLS protocol vulnera‐
7103 bility (CVE-2009-3555), where an attacker prepends malicious HELO,
7104 MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. The
7105 attack would succeed with non-Postfix SMTP servers that reply to the
7106 malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
7107 SMTP client TLS session.
7108
7109 This feature is available in Postfix 2.7.
7110
7111 smtp_tls_cert_file (default: empty)
7112 File with the Postfix SMTP client RSA certificate in PEM format. This
7113 file may also contain the Postfix SMTP client private RSA key, and
7114 these may be the same as the Postfix SMTP server RSA certificate and
7115 key file.
7116
7117 Do not configure client certificates unless you must present client TLS
7118 certificates to one or more servers. Client certificates are not usu‐
7119 ally needed, and can cause problems in configurations that work well
7120 without them. The recommended setting is to let the defaults stand:
7121
7122 smtp_tls_cert_file =
7123 smtp_tls_key_file =
7124 smtp_tls_dcert_file =
7125 smtp_tls_dkey_file =
7126 smtp_tls_eccert_file =
7127 smtp_tls_eckey_file =
7128
7129 The best way to use the default settings is to comment out the above
7130 parameters in main.cf if present.
7131
7132 To enable remote SMTP servers to verify the Postfix SMTP client cer‐
7133 tificate, the issuing CA certificates must be made available to the
7134 server. You should include the required certificates in the client cer‐
7135 tificate file, the client certificate first, then the issuing CA(s)
7136 (bottom-up order).
7137
7138 Example: the certificate for "client.example.com" was issued by "inter‐
7139 mediate CA" which itself has a certificate issued by "root CA". Create
7140 the client.pem file with "cat client_cert.pem intermediate_CA.pem
7141 root_CA.pem > client.pem".
7142
7143 If you also want to verify remote SMTP server certificates issued by
7144 these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
7145 which case it is not necessary to have them in the smtp_tls_cert_file,
7146 smtp_tls_dcert_file or smtp_tls_eccert_file.
7147
7148 A certificate supplied here must be usable as an SSL client certificate
7149 and hence pass the "openssl verify -purpose sslclient ..." test.
7150
7151 Example:
7152
7153 smtp_tls_cert_file = /etc/postfix/client.pem
7154
7155 This feature is available in Postfix 2.2 and later.
7156
7157 smtp_tls_cipherlist (default: empty)
7158 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
7159 list. As this feature applies to all TLS security levels, it is easy to
7160 create interoperability problems by choosing a non-default cipher list.
7161 Do not use a non-default TLS cipher list on hosts that deliver email to
7162 the public Internet: you will be unable to send email to servers that
7163 only support the ciphers you exclude. Using a restricted cipher list
7164 may be more appropriate for an internal MTA, where one can exert some
7165 control over the TLS software and settings of the peer servers.
7166
7167 Note: do not use "" quotes around the parameter value.
7168
7169 This feature is available in Postfix version 2.2. It is not used with
7170 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
7171
7172 smtp_tls_ciphers (default: medium)
7173 The minimum TLS cipher grade that the Postfix SMTP client will use with
7174 opportunistic TLS encryption. Cipher types listed in
7175 smtp_tls_exclude_ciphers are excluded from the base definition of the
7176 selected cipher grade. The default value is "medium" for Postfix
7177 releases after the middle of 2015, "export" for older releases.
7178
7179 When TLS is mandatory the cipher grade is chosen via the
7180 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
7181 tax details. See smtp_tls_policy_maps for information on how to config‐
7182 ure ciphers on a per-destination basis.
7183
7184 This feature is available in Postfix 2.6 and later. With earlier Post‐
7185 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
7186 mented, and opportunistic TLS always uses "export" or better (i.e. all)
7187 ciphers.
7188
7189 smtp_tls_dane_insecure_mx_policy (default: dane)
7190 The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7191 destination security level is dane, but the MX record was found via an
7192 "insecure" MX lookup. The choices are:
7193
7194 may The TLSA records will be ignored and TLS will be optional. If
7195 the MX host does not appear to support STARTTLS, or the STARTTLS
7196 handshake fails, mail may be sent in the clear.
7197
7198 encrypt
7199 The TLSA records will signal a requirement to use TLS. While
7200 TLS encryption will be required, authentication will not be per‐
7201 formed.
7202
7203 dane (default)
7204 The TLSA records will be used just as with "secure" MX records.
7205 TLS encryption will be required, and, if at least one of the
7206 TLSA records is "usable", authentication will be required. When
7207 authentication succeeds, it will be logged only as "Trusted",
7208 not "Verified", because the MX host name could have been forged.
7209 Though with "insecure" MX records an active attacker can compro‐
7210 mise SMTP transport security by returning forged MX records,
7211 such attacks are "tamper-evident" since any forged MX hostnames
7212 will be recorded in the mail logs. Attackers who place a high
7213 value on staying hidden may be deterred from forging MX records.
7214
7215 This feature is available in Postfix 3.1 and later. The may policy is
7216 backwards-compatible with earlier Postfix versions.
7217
7218 smtp_tls_dcert_file (default: empty)
7219 File with the Postfix SMTP client DSA certificate in PEM format. This
7220 file may also contain the Postfix SMTP client private DSA key.
7221
7222 See the discussion under smtp_tls_cert_file for more details.
7223
7224 Example:
7225
7226 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7227
7228 This feature is available in Postfix 2.2 and later.
7229
7230 smtp_tls_dkey_file (default: $smtp_tls_dcert_file)
7231 File with the Postfix SMTP client DSA private key in PEM format. This
7232 file may be combined with the Postfix SMTP client DSA certificate file
7233 specified with $smtp_tls_dcert_file.
7234
7235 The private key must be accessible without a pass-phrase, i.e. it must
7236 not be encrypted. File permissions should grant read-only access to the
7237 system superuser account ("root"), and no access to anyone else.
7238
7239 This feature is available in Postfix 2.2 and later.
7240
7241 smtp_tls_eccert_file (default: empty)
7242 File with the Postfix SMTP client ECDSA certificate in PEM format.
7243 This file may also contain the Postfix SMTP client ECDSA private key.
7244
7245 See the discussion under smtp_tls_cert_file for more details.
7246
7247 Example:
7248
7249 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7250
7251 This feature is available in Postfix 2.6 and later, when Postfix is
7252 compiled and linked with OpenSSL 1.0.0 or later.
7253
7254 smtp_tls_eckey_file (default: $smtp_tls_eccert_file)
7255 File with the Postfix SMTP client ECDSA private key in PEM format.
7256 This file may be combined with the Postfix SMTP client ECDSA certifi‐
7257 cate file specified with $smtp_tls_eccert_file.
7258
7259 The private key must be accessible without a pass-phrase, i.e. it must
7260 not be encrypted. File permissions should grant read-only access to the
7261 system superuser account ("root"), and no access to anyone else.
7262
7263 This feature is available in Postfix 2.6 and later, when Postfix is
7264 compiled and linked with OpenSSL 1.0.0 or later.
7265
7266 smtp_tls_enforce_peername (default: yes)
7267 With mandatory TLS encryption, require that the remote SMTP server
7268 hostname matches the information in the remote SMTP server certificate.
7269 As of RFC 2487 the requirements for hostname checking for MTA clients
7270 are not specified.
7271
7272 This option can be set to "no" to disable strict peer name checking.
7273 This setting has no effect on sessions that are controlled via the
7274 smtp_tls_per_site table.
7275
7276 Disabling hostname verification can make sense in a closed environment
7277 where special CAs are created. If not used carefully, this option
7278 opens the door to a "man-in-the-middle" attack (the CommonName pre‐
7279 sented by the attacker will be logged).
7280
7281 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7282 and later use smtp_tls_security_level instead.
7283
7284 smtp_tls_exclude_ciphers (default: empty)
7285 List of ciphers or cipher types to exclude from the Postfix SMTP client
7286 cipher list at all TLS security levels. This is not an OpenSSL
7287 cipherlist, it is a simple list separated by whitespace and/or commas.
7288 The elements are a single cipher, or one or more "+" separated cipher
7289 properties, in which case only ciphers matching all the properties are
7290 excluded.
7291
7292 Examples (some of these will cause problems):
7293
7294 smtp_tls_exclude_ciphers = aNULL
7295 smtp_tls_exclude_ciphers = MD5, DES
7296 smtp_tls_exclude_ciphers = DES+MD5
7297 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7298 smtp_tls_exclude_ciphers = kEDH+aRSA
7299
7300 The first setting disables anonymous ciphers. The next setting dis‐
7301 ables ciphers that use the MD5 digest algorithm or the (single) DES
7302 encryption algorithm. The next setting disables ciphers that use MD5
7303 and DES together. The next setting disables the two ciphers
7304 "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
7305 use "EDH" key exchange with RSA authentication.
7306
7307 This feature is available in Postfix 2.3 and later.
7308
7309 smtp_tls_fingerprint_cert_match (default: empty)
7310 List of acceptable remote SMTP server certificate fingerprints for the
7311 "fingerprint" TLS security level (smtp_tls_security_level = finger‐
7312 print). At this security level, Certification Authorities are not used,
7313 and certificate expiration times are ignored. Instead, server certifi‐
7314 cates are verified directly via their certificate fingerprint or public
7315 key fingerprint (Postfix 2.9 and later). The fingerprint is a message
7316 digest of the server certificate (or public key). The digest algorithm
7317 is selected via the smtp_tls_fingerprint_digest parameter.
7318
7319 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
7320 security level, any "match" attributes in that entry specify the list
7321 of valid fingerprints for the corresponding destination. Multiple fin‐
7322 gerprints can be combined with a "|" delimiter in a single match
7323 attribute, or multiple match attributes can be employed.
7324
7325 Example: Certificate fingerprint verification with internal mailhub.
7326 Two matching fingerprints are listed. The relayhost may be multiple
7327 physical hosts behind a load-balancer, each with its own private/public
7328 key and self-signed certificate. Alternatively, a single relayhost may
7329 be in the process of switching from one set of private/public keys to
7330 another, and both keys are trusted just prior to the transition.
7331
7332 relayhost = [mailhub.example.com]
7333 smtp_tls_security_level = fingerprint
7334 smtp_tls_fingerprint_digest = md5
7335 smtp_tls_fingerprint_cert_match =
7336 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7337 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7338
7339 Example: Certificate fingerprint verification with selected destina‐
7340 tions. As in the example above, we show two matching fingerprints:
7341
7342 /etc/postfix/main.cf:
7343 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7344 smtp_tls_fingerprint_digest = md5
7345
7346 /etc/postfix/tls_policy:
7347 example.com fingerprint
7348 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7349 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7350
7351 This feature is available in Postfix 2.5 and later.
7352
7353 smtp_tls_fingerprint_digest (default: md5)
7354 The message digest algorithm used to construct remote SMTP server cer‐
7355 tificate fingerprints. At the "fingerprint" TLS security level
7356 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7357 ified by directly matching its certificate fingerprint or its public
7358 key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7359 digest of the server certificate (or its public key) using the selected
7360 algorithm. With a digest algorithm resistant to "second pre-image"
7361 attacks, it is not feasible to create a new public key and a matching
7362 certificate (or public/private key-pair) that has the same fingerprint.
7363
7364 The default algorithm is md5; this is consistent with the backwards
7365 compatible setting of the digest used to verify client certificates in
7366 the SMTP server.
7367
7368 The best practice algorithm is now sha1. Recent advances in hash func‐
7369 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
7370 However, as long as there are no known "second pre-image" attacks
7371 against md5, its use in this context can still be considered safe.
7372
7373 While additional digest algorithms are often available with OpenSSL's
7374 libcrypto, only those used by libssl in SSL cipher suites are available
7375 to Postfix. For now this means just md5 or sha1.
7376
7377 To find the fingerprint of a specific certificate file, with a specific
7378 digest algorithm, run:
7379
7380 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7381
7382 The text to the right of "=" sign is the desired fingerprint. For
7383 example:
7384
7385 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7386 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7387
7388 To extract the public key fingerprint from an X.509 certificate, you
7389 need to extract the public key from the certificate and compute the
7390 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7391 key" option of the "x509" command extracts the public key always in
7392 "PEM" format. We pipe the result to another OpenSSL command that con‐
7393 verts the key to DER and then to the "dgst" command to compute the fin‐
7394 gerprint.
7395
7396 The actual command to transform the key to DER format depends on the
7397 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7398 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
7399 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
7400 ported by 0.9.8), so the "rsa" command is used.
7401
7402 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7403 $ openssl x509 -in cert.pem -noout -pubkey |
7404 openssl pkey -pubin -outform DER |
7405 openssl dgst -sha1 -c
7406 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7407
7408 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7409 $ openssl x509 -in cert.pem -noout -pubkey |
7410 openssl rsa -pubin -outform DER |
7411 openssl dgst -md5 -c
7412 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7413
7414 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7415 gerprint and public key fingerprint when the TLS loglevel is 2 or
7416 higher.
7417
7418 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
7419 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
7420 later.
7421
7422 This feature is available in Postfix 2.5 and later.
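The two fingerprint forms described above (whole-certificate digest under smtp_tls_fingerprint_cert_match, and the public-key digest whose "openssl ... -pubkey | ... -outform DER | dgst" pipeline is shown under smtp_tls_fingerprint_digest) can be reproduced without depending on the OpenSSL version. The following is an added example, not code from postconf(5) or from Postfix: a standard-library Python script that digests the DER certificate for the certificate fingerprint, walks the X.509 structure to pull out the DER SubjectPublicKeyInfo for the public-key fingerprint, and formats both as the colon-separated upper-case hex that a "match=" value expects. The certificate it runs on is constructed inline (hypothetical issuer "Constructed Test CA", a toy RSA modulus and a dummy signature), so the digests it prints are not those of any real server.

```python
"""Certificate and public-key fingerprints in the form Postfix expects.

Added example, not code from postconf(5) or Postfix.  Standard library only:
cert fingerprint = digest(DER certificate), as "openssl x509 -fingerprint"
prints; pubkey fingerprint = digest(DER SubjectPublicKeyInfo), as the
"x509 -pubkey | pkey -pubin -outform DER | dgst" pipeline prints.
The sample certificate is constructed below; its signature is a dummy.
"""
import base64
import hashlib
import re


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(payload):
    """Split the payload of a DER SEQUENCE into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(payload):
        tag, value, pos = _read_tlv(payload, pos)
        out.append((tag, value))
    return out


def _der(tag, payload):
    """Encode one DER TLV with the minimal length encoding."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def load_certificate(data):
    """Accept PEM (str or bytes) or raw DER and return the DER certificate."""
    if isinstance(data, str):
        data = data.encode()
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                 # skip the optional explicit version
        fields = fields[1:]
    spki_tag, spki_body = fields[5]
    if spki_tag != 0x30:
        raise ValueError("unexpected subjectPublicKeyInfo encoding")
    return _der(0x30, spki_body)


def fingerprint(data, digest="sha1"):
    """Colon-separated upper-case hex digest, the form used in match= values."""
    hexdigest = hashlib.new(digest, data).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def cert_fingerprint(cert, digest="sha1"):
    return fingerprint(load_certificate(cert), digest)


def pubkey_fingerprint(cert, digest="sha1"):
    return fingerprint(extract_spki(load_certificate(cert)), digest)


def tls_policy_entry(nexthop, cert, digest="sha1", use_pubkey=False):
    """One smtp_tls_policy_maps line pinning `nexthop` to this certificate."""
    fp = pubkey_fingerprint(cert, digest) if use_pubkey else cert_fingerprint(cert, digest)
    return f"{nexthop} fingerprint match={fp}"


# ---- constructed sample certificate (hypothetical names, dummy signature) ----
_OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
_OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
_OID_CN = bytes.fromhex("0603550403")                      # commonName
_NULL = b"\x05\x00"


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _OID_CN + _der(0x0C, cn.encode()))))


_rsa_pub = _der(0x30, _der(0x02, b"\x00" + bytes(range(0xC0, 0x100)))   # toy 512-bit modulus
                      + _der(0x02, b"\x01\x00\x01"))                     # e = 65537
SAMPLE_SPKI = _der(0x30, _der(0x30, _OID_RSA + _NULL) + _der(0x03, b"\x00" + _rsa_pub))
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                         # version v3
                  + _der(0x02, b"\x42")                                   # serialNumber
                  + _der(0x30, _OID_SHA256_RSA + _NULL)                   # signature algorithm
                  + _name("Constructed Test CA")                          # issuer
                  + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
                  + _name("mailhub.example.com")                          # subject
                  + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _tbs + _der(0x30, _OID_SHA256_RSA + _NULL)
                             + _der(0x03, b"\x00" + bytes(64)))           # dummy signature
_b64 = base64.b64encode(SAMPLE_CERT_DER).decode()
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SHA1 Fingerprint=" + cert_fingerprint(SAMPLE_CERT_PEM))
    print("SHA1 public key  =" + pubkey_fingerprint(SAMPLE_CERT_PEM))
    print(tls_policy_entry("[mailhub.example.com]", SAMPLE_CERT_PEM))
```

Run it against a real server certificate by passing the PEM text to cert_fingerprint() or pubkey_fingerprint() with digest="md5" or "sha1" (the two the text says Postfix accepts); the public-key form survives a certificate renewal that keeps the same key pair, which is why the 2.9+ public-key fingerprint is the more stable pin.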
7423
7424 smtp_tls_force_insecure_host_tlsa_lookup (default: no)
7425 Look up the associated DANE TLSA RRset even when a hostname is not an
7426 alias and its address records lie in an unsigned zone. This is
7427 unlikely to ever yield DNSSEC validated results, since child zones of
7428 unsigned zones are also unsigned in the absence of DLV or locally con‐
7429 figured non-root trust-anchors. We anticipate that such mechanisms
7430 will not be used for just the "_tcp" subdomain of a host. Suppressing
7431 the TLSA RRset lookup reduces latency and avoids potential interoper‐
7432 ability problems with nameservers for unsigned zones that are not pre‐
7433 pared to handle the new TLSA RRset.
7434
7435 This feature is available in Postfix 2.11.
7436
7437 smtp_tls_key_file (default: $smtp_tls_cert_file)
7438 File with the Postfix SMTP client RSA private key in PEM format. This
7439 file may be combined with the Postfix SMTP client RSA certificate file
7440 specified with $smtp_tls_cert_file.
7441
7442 The private key must be accessible without a pass-phrase, i.e. it must
7443 not be encrypted. File permissions should grant read-only access to the
7444 system superuser account ("root"), and no access to anyone else.
7445
7446 Example:
7447
7448 smtp_tls_key_file = $smtp_tls_cert_file
7449
7450 This feature is available in Postfix 2.2 and later.
7451
7452 smtp_tls_loglevel (default: 0)
7453 Enable additional Postfix SMTP client logging of TLS activity. Each
7454 logging level also includes the information that is logged at a lower
7455 logging level.
7456
7457 0 Disable logging of TLS activity.
7458
7459 1 Log only a summary message on TLS handshake completion - no
7460 logging of remote SMTP server certificate trust-chain verifica‐
7461 tion errors if server certificate verification is not required.
7462 With Postfix 2.8 and earlier, log the summary message and uncon‐
7463 ditionally log trust-chain verification errors.
7464
7465 2 Also log levels during TLS negotiation.
7466
7467 3 Also log hexadecimal and ASCII dump of TLS negotiation
7468 process.
7469
7470 4 Also log hexadecimal and ASCII dump of complete transmission
7471 after STARTTLS.
7472
7473 Do not use "smtp_tls_loglevel = 2" or higher except in case of prob‐
7474 lems. Use of loglevel 4 is strongly discouraged.
7475
7476 This feature is available in Postfix 2.2 and later.
7477
7478 smtp_tls_mandatory_ciphers (default: medium)
7479 The minimum TLS cipher grade that the Postfix SMTP client will use with
7480 mandatory TLS encryption. The default value "medium" is suitable for
7481 most destinations with which you may want to enforce TLS, and is beyond
7482 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
7483 for information on how to configure ciphers on a per-destination basis.
7484
7485 The following cipher grades are supported:
7486
7487 export Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
7488 cipherlist is specified via the tls_export_cipherlist configura‐
7489 tion parameter, which you are strongly encouraged to not change.
7490 This choice is insecure and SHOULD NOT be used.
7491
7492 low Enable "LOW" grade or better OpenSSL ciphers. The underlying
7493 cipherlist is specified via the tls_low_cipherlist configuration
7494 parameter, which you are strongly encouraged to not change.
7495 This choice is insecure and SHOULD NOT be used.
7496
7497 medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
7498 cipherlist is specified via the tls_medium_cipherlist configura‐
7499 tion parameter, which you are strongly encouraged to not change.
7500
7501 high Enable only "HIGH" grade OpenSSL ciphers. This setting may be
7502 appropriate when all mandatory TLS destinations (e.g. when all
7503 mail is routed to a suitably capable relayhost) support at least
7504 one "HIGH" grade cipher. The underlying cipherlist is specified
7505 via the tls_high_cipherlist configuration parameter, which you
7506 are strongly encouraged to not change.
7507
7508 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
7509 cation without encryption. This setting is only appropriate in
7510 the rare case that all servers are prepared to use NULL ciphers
7511 (not normally enabled in TLS servers). A plausible use-case is
7512 an LMTP server listening on a UNIX-domain socket that is config‐
7513 ured to support "NULL" ciphers. The underlying cipherlist is
7514 specified via the tls_null_cipherlist configuration parameter,
7515 which you are strongly encouraged to not change.
7516
7517 The underlying cipherlists for grades other than "null" include anony‐
7518 mous ciphers, but these are automatically filtered out if the Postfix
7519 SMTP client is configured to verify server certificates. You are very
7520 unlikely to need to take any steps to exclude anonymous ciphers, they
7521 are excluded automatically as necessary. If you must exclude anonymous
7522 ciphers at the "may" or "encrypt" security levels, when the Postfix
7523 SMTP client does not need or use peer certificates, set
7524 "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
7525 when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7526
7527 This feature is available in Postfix 2.3 and later.
7528
7529 smtp_tls_mandatory_exclude_ciphers (default: empty)
7530 Additional list of ciphers or cipher types to exclude from the Postfix
7531 SMTP client cipher list at mandatory TLS security levels. This list
7532 works in addition to the exclusions listed with
7533 smtp_tls_exclude_ciphers (see there for syntax details).
7534
7535 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7536 ified on a per-destination basis via the TLS policy "exclude"
7537 attribute. See smtp_tls_policy_maps for notes and examples.
7538
7539 This feature is available in Postfix 2.3 and later.
7540
7541 smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)
7542 List of SSL/TLS protocols that the Postfix SMTP client will use with
7543 mandatory TLS encryption. In main.cf the values are separated by
7544 whitespace, commas or colons. In the policy table "protocols" attribute
7545 (see smtp_tls_policy_maps) the only valid separator is colon. An empty
7546 value means allow all protocols. The valid protocol names (see
7547 SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1". The default
7548 value is "!SSLv2, !SSLv3" for Postfix releases after the middle of
7549 2015, "!SSLv2" for older releases.
7550
7551 With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7552 col exclusions. One can explicitly exclude "SSLv2" by setting
7553 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
7554 "SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
7555 the protocols to include, rather than protocols to exclude, is sup‐
7556 ported, but not recommended. The exclusion form more closely matches
7557 the underlying OpenSSL interface semantics.
7558
7559 The range of protocols advertised by an SSL/TLS client must be contigu‐
7560 ous. When a protocol version is enabled, disabling any higher version
7561 implicitly disables all versions above that higher version. Thus, for
7562 example:
7563
7564 smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7565 also disables any protocols version higher than TLSv1 leaving only
7566 "SSLv3" enabled.
7567
7568 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7569 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
7570 later, these, or any other new protocol versions, cannot be disabled
7571 except by also disabling "TLSv1" (typically leaving just "SSLv3"). The
7572 latest patch levels of Postfix >= 2.6, and all versions of Postfix >=
7573 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7574
7575 At the dane and dane-only security levels, when usable TLSA records are
7576 obtained for the remote SMTP server, the Postfix SMTP client is obli‐
7577 gated to include the SNI TLS extension in its SSL client hello message.
7578 This may help the remote SMTP server live up to its promise to provide
7579 a certificate that matches its TLSA records. Since TLS extensions
7580 require TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7581 and "SSLv3" when SNI is required. If you use "dane" or "dane-only" do
7582 not disable TLSv1, except perhaps via the policy table for destinations
7583 which you are sure will support "TLSv1.1" or "TLSv1.2".
7584
7585 See the documentation of the smtp_tls_policy_maps parameter and
7586 TLS_README for more information about security levels.
7587
7588 Example:
7589
7590 # Preferred syntax with Postfix >= 2.5:
7591 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7592 # Legacy syntax:
7593 smtp_tls_mandatory_protocols = TLSv1
7594
7595 This feature is available in Postfix 2.3 and later.
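The contiguity rule above is the part of this parameter that surprises people: "!SSLv2, !TLSv1" does not leave SSLv3 plus TLSv1.1 and TLSv1.2, it leaves SSLv3 alone. The following is an added example, not Postfix code, that models the syntax described here (exclusion form, inclusion form, empty meaning all, and the main.cf versus policy-table separators) and reduces a setting to the contiguous range the client ends up offering. It uses the protocol names the text lists; treating a list that mixes both forms as an error is this model's own assumption, not documented Postfix behaviour.

```python
"""How a protocol setting becomes the contiguous range a TLS client offers.

Added example, not Postfix code.  Models the smtp_tls_mandatory_protocols
syntax from postconf(5): "!SSLv2, !SSLv3" (exclusion form), "TLSv1"
(inclusion form), empty meaning all, plus the rule that disabling a version
above the lowest enabled one also disables everything above it.
"""
import re

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest to newest


def parse_protocol_list(value, policy_table=False):
    """Split a protocol setting into tokens such as "!SSLv2" or "TLSv1".

    main.cf accepts whitespace, commas or colons; a policy-table "protocols"
    attribute value accepts colons only.
    """
    seps = r":" if policy_table else r"[\s,:]+"
    names = [n for n in re.split(seps, value.strip()) if n]
    for n in names:
        if n.lstrip("!") not in PROTOCOL_ORDER:
            raise ValueError(f"unknown protocol name {n!r}")
    return names


def enabled_protocols(value, policy_table=False):
    """Return the versions actually offered for `value`, oldest first."""
    names = parse_protocol_list(value, policy_table)
    excluded = {n[1:] for n in names if n.startswith("!")}
    included = {n for n in names if not n.startswith("!")}
    if included and excluded:
        # Assumption of this model: a list mixing both forms is rejected.
        raise ValueError("mixing inclusion and exclusion forms")
    candidates = included if included else set(PROTOCOL_ORDER) - excluded
    enabled = []
    for proto in PROTOCOL_ORDER:
        if proto in candidates:
            enabled.append(proto)
        elif enabled:       # first disabled version above the floor closes the range
            break
    return enabled


def supports_sni(value, policy_table=False):
    """SNI is a TLS extension, so at least one TLS 1.x version must survive
    (the requirement the dane/dane-only discussion above points out)."""
    return any(p.startswith("TLSv1") for p in enabled_protocols(value, policy_table))


if __name__ == "__main__":
    for setting in ("!SSLv2, !SSLv3", "!SSLv2, !TLSv1", "TLSv1", ""):
        print(f"{setting!r:20} -> {enabled_protocols(setting)}  SNI ok: {supports_sni(setting)}")
```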
7596
7597 smtp_tls_note_starttls_offer (default: no)
7598 Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7599 is not already enabled for that server.
7600
7601 The logfile record looks like:
7602
7603 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
7604
7605 This feature is available in Postfix 2.2 and later.
7606
7607 smtp_tls_per_site (default: empty)
7608 Optional lookup tables with the Postfix SMTP client TLS usage policy by
7609 next-hop destination and by remote SMTP server hostname. When both
7610 lookups succeed, the more specific per-site policy (NONE, MUST, etc)
7611 overrides the less specific one (MAY), and the more secure per-site
7612 policy (MUST, etc) overrides the less secure one (NONE). With Postfix
7613 2.3 and later smtp_tls_per_site is strongly discouraged: use
7614 smtp_tls_policy_maps instead.
7615
7616 Use of the bare hostname as the per-site table lookup key is discour‐
7617 aged. Always use the full destination nexthop (enclosed in [] with a
7618 possible ":port" suffix). A recipient domain or MX-enabled transport
7619 next-hop with no port suffix may look like a bare hostname, but is
7620 still a suitable destination.
7621
7622 Specify a next-hop destination or server hostname on the left-hand
7623 side; no wildcards are allowed. The next-hop destination is either the
7624 recipient domain, or the destination specified with a transport(5) ta‐
7625 ble, the relayhost parameter, or the relay_transport parameter. On the
7626 right hand side specify one of the following keywords:
7627
7628 NONE Don't use TLS at all. This overrides a less specific MAY lookup
7629 result from the alternate host or next-hop lookup key, and over‐
7630 rides the global smtp_use_tls, smtp_enforce_tls, and
7631 smtp_tls_enforce_peername settings.
7632
7633 MAY Try to use TLS if the server announces support, otherwise use
7634 the unencrypted connection. This has less precedence than a more
7635 specific result (including NONE) from the alternate host or
7636 next-hop lookup key, and has less precedence than the more spe‐
7637 cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7638 name = yes".
7639
7640 MUST_NOPEERMATCH
7641 Require TLS encryption, but do not require that the remote SMTP
7642 server hostname matches the information in the remote SMTP
7643 server certificate, or that the server certificate was issued by
7644 a trusted CA. This overrides a less secure NONE or a less spe‐
7645 cific MAY lookup result from the alternate host or next-hop
7646 lookup key, and overrides the global smtp_use_tls,
7647 smtp_enforce_tls and smtp_tls_enforce_peername settings.
7648
7649 MUST Require TLS encryption, require that the remote SMTP server
7650 hostname matches the information in the remote SMTP server cer‐
7651 tificate, and require that the remote SMTP server certificate
7652 was issued by a trusted CA. This overrides a less secure NONE
7653 and MUST_NOPEERMATCH or a less specific MAY lookup result from
7654 the alternate host or next-hop lookup key, and overrides the
7655 global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7656 name settings.
7657
7658 The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7659 ify" security levels for the new smtp_tls_security_level parameter
7660 introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7661 of how the policy is specified, the smtp_tls_mandatory_ciphers and
7662 smtp_tls_mandatory_protocols parameters apply when TLS encryption is
7663 mandatory. Connections for which encryption is optional typically
7664 enable all "export" grade and better ciphers (see smtp_tls_ciphers and
7665 smtp_tls_protocols).
7666
7667 As long as no secure DNS lookup mechanism is available, false hostnames
7668 in MX or CNAME responses can change the server hostname that Postfix
7669 uses for TLS policy lookup and server certificate verification. Even
7670 with a perfect match between the server hostname and the server cer‐
7671 tificate, there is no guarantee that Postfix is connected to the right
7672 server. See TLS_README (Closing a DNS loophole with obsolete per-site
7673 TLS policies) for a possible work-around.
7674
7675 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7676 and later use smtp_tls_policy_maps instead.
7677
7678 smtp_tls_policy_maps (default: empty)
7679 Optional lookup tables with the Postfix SMTP client TLS security policy
7680 by next-hop destination; when a non-empty value is specified, this
7681 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
7682 a more detailed discussion of TLS security levels.
7683
7684 Specify zero or more "type:name" lookup tables, separated by whitespace
7685 or comma. Tables will be searched in the specified order until a match
7686 is found.
7687
7688 The TLS policy table is indexed by the full next-hop destination, which
7689 is either the recipient domain, or the verbatim next-hop specified in
7690 the transport table, $local_transport, $virtual_transport,
7691 $relay_transport or $default_transport. This includes any enclosing
7692 square brackets and any non-default destination server port suffix. The
7693 LMTP socket type prefix (inet: or unix:) is not included in the lookup
7694 key.
7695
7696 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
7697 sockets, is used as the nexthop name for certificate verification. The
7698 port and any enclosing square brackets are used in the table lookup
7699 key, but are not used for server name verification.
7700
7701 When the lookup key is a domain name without enclosing square brackets
7702 or any :port suffix (typically the recipient domain), and the full
7703 domain is not found in the table, just as with the transport(5) table,
7704 the parent domain starting with a leading "." is matched recursively.
7705 This allows one to specify a security policy for a recipient domain and
7706 all its sub-domains.
7707
7708 The lookup result is a security level, followed by an optional list of
7709 whitespace and/or comma separated name=value attributes that override
7710 related main.cf settings. The TLS security levels in order of increas‐
7711 ing security are:
7712
7713 none No TLS. No additional attributes are supported at this level.
7714
7715 may Opportunistic TLS. Since sending in the clear is acceptable,
7716 demanding stronger than default TLS security merely reduces
7717 interoperability. The optional "ciphers", "exclude" and "proto‐
7718 cols" attributes (available for opportunistic TLS with Postfix
7719 >= 2.6) override the "smtp_tls_ciphers",
7720 "smtp_tls_exclude_ciphers" and "smtp_tls_protocols" configura‐
7721 tion parameters. When opportunistic TLS handshakes fail, Postfix
7722 retries the connection with TLS disabled. This allows mail
7723 delivery to sites with non-interoperable TLS implementations.
7724
7725 encrypt
7726 Mandatory TLS encryption. At this level and higher, the optional
7727 "protocols" attribute overrides the main.cf smtp_tls_manda‐
7728 tory_protocols parameter, the optional "ciphers" attribute over‐
7729 rides the main.cf smtp_tls_mandatory_ciphers parameter, and the
7730 optional "exclude" attribute (Postfix >= 2.6) overrides the
7731 main.cf smtp_tls_mandatory_exclude_ciphers parameter. In the
7732 policy table, multiple protocols or excluded ciphers must be
7733 separated by colons, as attribute values may not contain white‐
7734 space or commas.
7735
7736 dane Opportunistic DANE TLS. The TLS policy for the destination is
7737 obtained via TLSA records in DNSSEC. If no TLSA records are
7738 found, the effective security level used is may. If TLSA
7739 records are found, but none are usable, the effective security
7740 level is encrypt. When usable TLSA records are obtained for the
7741 remote SMTP server, the server certificate must match the TLSA
7742 records. RFC 7672 (DANE) TLS authentication and DNSSEC support
7743 is available with Postfix 2.11 and later.
7744
7745 dane-only
7746 Mandatory DANE TLS. The TLS policy for the destination is
7747 obtained via TLSA records in DNSSEC. If no TLSA records are
7748 found, or none are usable, no connection is made to the server.
7749 When usable TLSA records are obtained for the remote SMTP
7750 server, the server certificate must match the TLSA records. RFC
7751 7672 (DANE) TLS authentication and DNSSEC support is available
7752 with Postfix 2.11 and later.
7753
7754 fingerprint
7755 Certificate fingerprint verification. Available with Postfix 2.5
7756 and later. At this security level, there are no trusted Certifi‐
7757 cation Authorities. The certificate trust chain, expiration
7758 date, ... are not checked. Instead, the optional match
7759 attribute, or else the main.cf smtp_tls_fingerprint_cert_match
7760 parameter, lists the certificate fingerprints or the public key
7761 fingerprint (Postfix 2.9 and later) of the valid server certifi‐
7762 cate. The digest algorithm used to calculate the fingerprint is
7763 selected by the smtp_tls_fingerprint_digest parameter. Multiple
7764 fingerprints can be combined with a "|" delimiter in a single
7765 match attribute, or multiple match attributes can be employed.
7766 The ":" character is not used as a delimiter as it occurs
7767 between each pair of fingerprint (hexadecimal) digits.
7768
7769 verify Mandatory TLS verification. At this security level, DNS MX
7770 lookups are trusted to be secure enough, and the name verified
7771 in the server certificate is usually obtained indirectly via
7772 unauthenticated DNS MX lookups. The optional "match" attribute
7773 overrides the main.cf smtp_tls_verify_cert_match parameter. In
7774 the policy table, multiple match patterns and strategies must be
7775 separated by colons. In practice explicit control over matching
7776 is more common with the "secure" policy, described below.
7777
7778 secure Secure-channel TLS. At this security level, DNS MX lookups,
7779 though potentially used to determine the candidate next-hop
7780 gateway IP addresses, are not trusted to be secure enough for
7781 TLS peername verification. Instead, the default name verified in
7782 the server certificate is obtained directly from the next-hop,
7783 or is explicitly specified via the optional match attribute
7784 which overrides the main.cf smtp_tls_secure_cert_match parame‐
7785 ter. In the policy table, multiple match patterns and strategies
7786 must be separated by colons. The match attribute is most useful
7787 when multiple domains are supported by a common server; the policy
7788 entries for additional domains then specify matching rules for the
7789 primary domain certificate. While transport table overrides
7790 routing the secondary domains to the primary nexthop also allow
7791 secure verification, they risk delivery to the wrong destination
7792 when domains change hands or are re-assigned to new gateways.
7793 With the "match" attribute approach, routing is not perturbed,
7794 and mail is deferred if verification of a new MX host fails.
7795
7796 Example:
7797
7798 /etc/postfix/main.cf:
7799 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7800 # Postfix 2.5 and later
7801 smtp_tls_fingerprint_digest = md5
7802
7803 /etc/postfix/tls_policy:
7804 example.edu none
7805 example.mil may
7806 example.gov encrypt protocols=TLSv1
7807 example.com verify ciphers=high
7808 example.net secure
7809 .example.net secure match=.example.net:example.net
7810 [mail.example.org]:587 secure match=nexthop
7811 # Postfix 2.5 and later
7812 [thumb.example.org] fingerprint
7813 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7814 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7815
7816 Note: The hostname strategy, if listed in a non-default setting of
7817 smtp_tls_secure_cert_match or in the match attribute in the policy ta‐
7818 ble, can render the secure level vulnerable to DNS forgery. Do not use
7819 the hostname strategy for secure-channel configurations in environments
7820 where DNS security is not assured.
7821
7822 This feature is available in Postfix 2.3 and later.
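The following is an added example (not Postfix code) showing how the policy table above is read and how the "fingerprint" level compares what it finds against a server certificate. The table text is the sample /etc/postfix/tls_policy from this section; the DER bytes handed to fingerprint_matches are constructed stand-ins for a real certificate and public key, and the digest name plays the role of smtp_tls_fingerprint_digest.

```python
"""Parsing smtp_tls_policy_maps entries and checking the "fingerprint" level.

Added example, not Postfix code. The table text is the sample
/etc/postfix/tls_policy shown above; the DER bytes passed to
fingerprint_matches() are constructed stand-ins for a real certificate."""
import hashlib

# Sample table copied from the example above (constructed input for this
# demo). A line starting with whitespace continues the previous entry.
SAMPLE_POLICY = """\
example.edu none
example.mil may
example.gov encrypt protocols=TLSv1
example.com verify ciphers=high
example.net secure
.example.net secure match=.example.net:example.net
[mail.example.org]:587 secure match=nexthop
# Postfix 2.5 and later
[thumb.example.org] fingerprint
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
"""


def parse_policy(text):
    """Return {destination: (level, {attribute: [values...]})}.
    Comments and blank lines are skipped, continuation lines joined, and a
    repeated attribute (two match= lines) keeps every value in order."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        dest, level, *attrs = line.split()
        parsed = {}
        for attr in attrs:
            key, _, value = attr.partition("=")
            parsed.setdefault(key, []).append(value)
        table[dest] = (level, parsed)
    return table


def fingerprint(der, digest="md5"):
    """Hex digest of DER bytes in the colon-separated layout the table uses;
    the digest name plays the role of smtp_tls_fingerprint_digest."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_matches(attrs, cert_der, pubkey_der=None, digest="md5"):
    """True when any configured fingerprint equals the certificate
    fingerprint or (Postfix 2.9 and later) the public key fingerprint.
    Several values may sit in one attribute separated by "|" or in several
    match= attributes; comparison ignores case. Nothing else about the
    certificate (chain, expiration) is consulted at this level."""
    wanted = set()
    for value in attrs.get("match", []):
        wanted.update(v.strip().upper() for v in value.split("|") if v.strip())
    candidates = {fingerprint(cert_der, digest)}
    if pubkey_der is not None:
        candidates.add(fingerprint(pubkey_der, digest))
    return bool(wanted & candidates)
```

Note that a fingerprint pin is only as good as the digest: with md5 as in the example above, a second certificate with the same digest is not ruled out by the level itself, which is one reason to pin the public key and to pick a stronger digest where both ends support it.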
7823
7825 List of TLS protocols that the Postfix SMTP client will exclude or
7826 include with opportunistic TLS encryption. The default value is
7827 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
7828 "!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
7829 client would use all protocols with opportunistic TLS.
7830
7831 In main.cf the values are separated by whitespace, commas or colons. In
7832 the policy table (see smtp_tls_policy_maps) the only valid separator is
7833 colon. An empty value means allow all protocols. The valid protocol
7834 names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1".
7835
7836 The range of protocols advertised by an SSL/TLS client must be contigu‐
7837 ous. When a protocol version is enabled, disabling any higher version
7838 implicitly disables all versions above that higher version. Thus, for
7839 example:
7840
7841 smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7842 also disables any protocol versions higher than TLSv1, leaving only
7843 "SSLv3" enabled.
7844
7845 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7846 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
7847 of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or
7848 "TLSv1.2".
7849
7850 To include a protocol list its name, to exclude it, prefix the name
7851 with a "!" character. To exclude SSLv2 for opportunistic TLS set
7852 "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
7853 "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
7854 to include, rather than protocols to exclude, is supported, but not
7855 recommended. The exclusion form more closely matches the underlying
7856 OpenSSL interface semantics.
7857
7858 Example:
7859 # TLSv1 or better:
7860 smtp_tls_protocols = !SSLv2, !SSLv3
7861
7862 This feature is available in Postfix 2.6 and later.
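The contiguity rule above is easy to get wrong when reading a protocol list, so here is an added example (not Postfix code) that computes the effective protocol set for a smtp_tls_protocols or smtp_tls_mandatory_protocols value under both separator conventions. The protocol names are the ones this page lists plus TLSv1.1 and TLSv1.2; one assumption beyond the text: when a mixed list names some protocols without "!", only the named ones are kept before the "!" exclusions and the contiguity rule are applied.

```python
"""Effective TLS protocol set for a Postfix protocol list value.

Added example, not Postfix code. Implements the include/exclude forms and
the contiguity rule described above; the mixed include+exclude handling
is an assumption, not something the page states."""
import re

# Lowest to highest, using the names Postfix and OpenSSL use.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def parse_protocol_list(value, policy_table=False):
    """Split a value into (includes, excludes). main.cf accepts whitespace,
    commas or colons as separators; a policy-table attribute only colons,
    so "!SSLv2, !SSLv3" is an error there (the token "!SSLv2," is unknown)."""
    seps = r":" if policy_table else r"[\s,:]+"
    includes, excludes = [], []
    for tok in (t for t in re.split(seps, value) if t):
        name = tok[1:] if tok.startswith("!") else tok
        if name not in PROTOCOLS:
            raise ValueError("unknown protocol name: %r" % tok)
        (excludes if tok.startswith("!") else includes).append(name)
    return includes, excludes


def effective_protocols(value, policy_table=False):
    """Protocols a client built from this value actually offers.
    An empty value allows all protocols."""
    includes, excludes = parse_protocol_list(value, policy_table)
    enabled = [p for p in PROTOCOLS
               if (not includes or p in includes) and p not in excludes]
    # Contiguity: starting from the lowest enabled version, the first
    # disabled version above it implicitly disables everything higher.
    contiguous, gap_seen = [], False
    lowest = PROTOCOLS.index(enabled[0]) if enabled else len(PROTOCOLS)
    for proto in PROTOCOLS[lowest:]:
        if proto in enabled and not gap_seen:
            contiguous.append(proto)
        else:
            gap_seen = True
    return contiguous
```

The worked case from the text, "!SSLv2, !TLSv1", comes out as just ["SSLv3"], which is the opposite of what an administrator who wanted to drop TLSv1 alone intended; the recommended exclusion form "!SSLv2, !SSLv3" keeps TLSv1 and everything above it.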
7863
7865 The verification depth for remote SMTP server certificates. A depth of
7866 1 is sufficient if the issuing CA is listed in a local CA file.
7867
7868 The default verification depth is 9 (the OpenSSL default) for compati‐
7869 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
7870 value was 5, but the limit was not actually enforced. If you have set
7871 this to a lower non-default value, certificates with longer trust
7872 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
7873 common, deeper chains are rarer, and any number between 5 and 9
7874 should suffice in practice. You can choose a lower number if, for exam‐
7875 ple, you trust certificates directly signed by an issuing CA but not
7876 any CAs it delegates to.
7877
7878 This feature is available in Postfix 2.2 and later.
7879
7881 How the Postfix SMTP client verifies the server certificate peername
7882 for the "secure" TLS security level. In a "secure" TLS policy table
7883 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
7884 this main.cf setting.
7885
7886 This parameter specifies one or more patterns or strategies separated
7887 by commas, whitespace or colons. In the policy table the only valid
7888 separator is the colon character.
7889
7890 For a description of the pattern and strategy syntax see the
7891 smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
7892 avoided in this context, as in the absence of a secure global DNS,
7893 using the results of MX lookups in certificate verification is not
7894 immune to active (man-in-the-middle) attacks on DNS.
7895
7896 Sample main.cf setting:
7897
7898 smtp_tls_secure_cert_match = nexthop
7899
7900 Sample policy table override:
7901
7902 example.net secure match=example.com:.example.com
7903 .example.net secure match=example.com:.example.com
7904
7905 This feature is available in Postfix 2.3 and later.
7906
7908 The default SMTP TLS security level for the Postfix SMTP client; when a
7909 non-empty value is specified, this overrides the obsolete parameters
7910 smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
7911
7912 Specify one of the following security levels:
7913
7914 none No TLS. TLS will not be used unless enabled for specific desti‐
7915 nations via smtp_tls_policy_maps.
7916
7917 may Opportunistic TLS. Use TLS if this is supported by the remote
7918 SMTP server, otherwise use plaintext. Since sending in the clear
7919 is acceptable, demanding stronger than default TLS security
7920 merely reduces interoperability. The "smtp_tls_ciphers" and
7921 "smtp_tls_protocols" (Postfix >= 2.6) configuration parameters
7922 provide control over the protocols and cipher grade used with
7923 opportunistic TLS. With earlier releases the opportunistic TLS
7924 cipher grade is always "export" and no protocols are disabled.
7925 When TLS handshakes fail, the connection is retried with TLS
7926 disabled. This allows mail delivery to sites with non-interop‐
7927 erable TLS implementations.
7928
7929 encrypt
7930 Mandatory TLS encryption. Since a minimum level of security is
7931 intended, it is reasonable to be specific about sufficiently
7932 secure protocol versions and ciphers. At this security level and
7933 higher, the main.cf parameters smtp_tls_mandatory_protocols and
7934 smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
7935 cipher grade which the administrator considers secure enough for
7936 mandatory encrypted sessions. This security level is not an
7937 appropriate default for systems delivering mail to the Internet.
7938
7939 dane Opportunistic DANE TLS. At this security level, the TLS policy
7940 for the destination is obtained via DNSSEC. For TLSA policy to
7941 be in effect, the destination domain's containing DNS zone must
7942 be signed and the Postfix SMTP client's operating system must be
7943 configured to send its DNS queries to a recursive DNS nameserver
7944 that is able to validate the signed records. Each MX host's DNS
7945 zone should also be signed, and should publish DANE TLSA (RFC
7946 7672) records that specify how that MX host's TLS certificate is
7947 to be verified. TLSA records do not preempt the normal SMTP MX
7948 host selection algorithm; if some MX hosts support TLSA and oth‐
7949 ers do not, TLS security will vary from delivery to delivery.
7950 It is up to the domain owner to configure their MX hosts and
7951 their DNS sensibly. To configure the Postfix SMTP client for
7952 DNSSEC lookups see the documentation for the smtp_dns_sup‐
7953 port_level main.cf parameter. When DNSSEC-validated TLSA
7954 records are not found, the effective TLS security level is "may".
7955 When TLSA records are found, but are all unusable the effective
7956 security level is "encrypt". For purposes of protocol and
7957 cipher selection, the "dane" security level is treated like a
7958 "mandatory" TLS security level, and weak ciphers and protocols
7959 are disabled. Since DANE authenticates server certificates the
7960 "aNULL" cipher-suites are transparently excluded at this level,
7961 no need to configure this manually. RFC 7672 (DANE) TLS authen‐
7962 tication is available with Postfix 2.11 and later.
7963
7964 dane-only
7965 Mandatory DANE TLS. This is just like "dane" above, but DANE
7966 TLSA authentication is required. There is no fallback to "may"
7967 or "encrypt" when TLSA records are missing or unusable. RFC
7968 7672 (DANE) TLS authentication is available with Postfix 2.11
7969 and later.
7970
7971 fingerprint
7972 Certificate fingerprint verification. At this security level,
7973 there are no trusted Certification Authorities. The certificate
7974 trust chain, expiration date, etc., are not checked. Instead,
7975 the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
7976 cate fingerprint or public key fingerprint (Postfix 2.9 and
7977 later) of the valid server certificate. The digest algorithm
7978 used to calculate the fingerprint is selected by the
7979 smtp_tls_fingerprint_digest parameter. Available with Postfix
7980 2.5 and later.
7981
7982 verify Mandatory TLS verification. At this security level, DNS MX
7983 lookups are trusted to be secure enough, and the name verified
7984 in the server certificate is usually obtained indirectly via
7985 unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
7986 parameter controls how the server name is verified. In practice
7987 explicit control over matching is more common at the "secure"
7988 level, described below. This security level is not an appropri‐
7989 ate default for systems delivering mail to the Internet.
7990
7991 secure Secure-channel TLS. At this security level, DNS MX lookups,
7992 though potentially used to determine the candidate next-hop
7993 gateway IP addresses, are not trusted to be secure enough for
7994 TLS peername verification. Instead, the default name verified in
7995 the server certificate is obtained from the next-hop domain as
7996 specified in the smtp_tls_secure_cert_match configuration param‐
7997 eter. The default matching rule is that a server certificate
7998 matches when its name is equal to or is a sub-domain of the nex‐
7999 thop domain. This security level is not an appropriate default
8000 for systems delivering mail to the Internet.
8001
8002 Examples:
8003
8004 # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8005 smtp_tls_security_level = none
8006
8007 # Opportunistic TLS.
8008 smtp_tls_security_level = may
8009 # Postfix >= 2.6:
8010 # Do not tweak opportunistic ciphers or protocol unless it is essential
8011 # to do so (if a security vulnerability is found in the SSL library that
8012 # can be mitigated by disabling a particular protocol or raising the
8013 # cipher grade from "export" to "low" or "medium").
8014 smtp_tls_ciphers = export
8015 smtp_tls_protocols = !SSLv2, !SSLv3
8016
8017 # Mandatory (high-grade) TLS encryption.
8018 smtp_tls_security_level = encrypt
8019 smtp_tls_mandatory_ciphers = high
8020
8021 # Mandatory TLS verification of hostname or nexthop domain.
8022 smtp_tls_security_level = verify
8023 smtp_tls_mandatory_ciphers = high
8024 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8025
8026 # Secure channel TLS with exact nexthop name match.
8027 smtp_tls_security_level = secure
8028 smtp_tls_mandatory_protocols = TLSv1
8029 smtp_tls_mandatory_ciphers = high
8030 smtp_tls_secure_cert_match = nexthop
8031
8032 # Certificate fingerprint verification (Postfix >= 2.5).
8033 # The CA-less "fingerprint" security level only scales to a limited
8034 # number of destinations. As a global default rather than a per-site
8035 # setting, this is practical when mail for all recipients is sent
8036 # to a central mail hub.
8037 relayhost = [mailhub.example.com]
8038 smtp_tls_security_level = fingerprint
8039 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8040 smtp_tls_mandatory_ciphers = high
8041 smtp_tls_fingerprint_cert_match =
8042 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8043 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8044
8045 This feature is available in Postfix 2.3 and later.
8046
8048 Name of the file containing the optional Postfix SMTP client TLS ses‐
8049 sion cache. Specify a database type that supports enumeration, such as
8050 btree or sdbm; there is no need to support concurrent access. The file
8051 is created if it does not exist. The smtp(8) daemon does not use this
8052 parameter directly, rather the cache is implemented indirectly in the
8053 tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8054 of this parameter are not effective. Note that each of the cache
8055 databases supported by the tlsmgr(8) daemon ($smtpd_tls_session_cache_data‐
8056 base, $smtp_tls_session_cache_database and, with Postfix 2.3 and later,
8057 $lmtp_tls_session_cache_database) needs to be stored separately. It is
8058 not at this time possible to store multiple caches in a single data‐
8059 base.
8060
8061 Note: dbm databases are not suitable. TLS session objects are too
8062 large.
8063
8064 As of version 2.5, Postfix no longer uses root privileges when opening
8065 this file. The file should now be stored under the Postfix-owned
8066 data_directory. As a migration aid, an attempt to open the file under a
8067 non-Postfix directory is redirected to the Postfix-owned data_direc‐
8068 tory, and a warning is logged.
8069
8070 Example:
8071
8072 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8073
8074 This feature is available in Postfix 2.2 and later.
8075
8077 The expiration time of Postfix SMTP client TLS session cache informa‐
8078 tion. A cache cleanup is performed periodically every $smtp_tls_ses‐
8079 sion_cache_timeout seconds. As with $smtp_tls_session_cache_database,
8080 this parameter is implemented in the tlsmgr(8) daemon and therefore
8081 per-smtp-instance master.cf overrides are not possible.
8082
8083 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
8084 session caching is disabled. If set to a positive value less than 2
8085 minutes, the minimum value of 2 minutes is used instead.
8086
8087 This feature is available in Postfix 2.2 and later.
8088
8090 Zero or more PEM-format files with trust-anchor certificates and/or
8091 public keys. If the parameter is not empty the root CAs in CAfile and
8092 CApath are no longer trusted. Rather, the Postfix SMTP client will
8093 only trust certificate-chains signed by one of the trust-anchors con‐
8094 tained in the chosen files. The specified trust-anchor certificates
8095 and public keys are not subject to expiration, and need not be
8096 (self-signed) root CAs. They may, if desired, be intermediate certifi‐
8097 cates. Therefore, these certificates also may be found "in the middle"
8098 of the trust chain presented by the remote SMTP server, and any
8099 untrusted issuing parent certificates will be ignored. Specify a list
8100 of pathnames separated by comma or whitespace.
8101
8102 Whether specified in main.cf, or on a per-destination basis, the
8103 trust-anchor PEM file must be accessible to the Postfix SMTP client in
8104 the chroot jail if applicable. The trust-anchor file should contain
8105 only certificates and public keys, no private key material, and must be
8106 readable by the non-privileged $mail_owner user. This allows destina‐
8107 tions to be bound to a set of specific CAs or public keys without
8108 trusting the same CAs for all destinations.
8109
8110 The main.cf parameter supports single-purpose Postfix installations
8111 that send mail to a fixed set of SMTP peers. At most sites, if
8112 trust-anchor files are used at all, they will be specified on a
8113 per-destination basis via the "tafile" attribute of the "verify" and
8114 "secure" levels in smtp_tls_policy_maps.
8115
8116 The underlying mechanism is in support of RFC 7672 (DANE TLSA), which
8117 defines mechanisms for an SMTP client MTA to securely determine server
8118 TLS certificates via DNS.
8119
8120 If you want your trust anchors to be public keys, with OpenSSL you can
8121 extract a single PEM public key from a PEM X.509 file containing a sin‐
8122 gle certificate, as follows:
8123
8124 $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8125
8126 This feature is available in Postfix 2.11 and later.
8127
8129 How the Postfix SMTP client verifies the server certificate peername
8130 for the "verify" TLS security level. In a "verify" TLS policy table
8131 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
8132 this main.cf setting.
8133
8134 This parameter specifies one or more patterns or strategies separated
8135 by commas, whitespace or colons. In the policy table the only valid
8136 separator is the colon character.
8137
8138 Patterns specify domain names, or domain name suffixes:
8139
8140 example.com
8141 Match the example.com domain, i.e. one of the names in the server
8142 certificate must be example.com; upper and lower case distinc‐
8143 tions are ignored.
8144
8145 .example.com
8146 Match subdomains of the example.com domain, i.e. match a name in
8147 the server certificate that consists of a non-zero number of
8148 labels followed by a .example.com suffix. Case distinctions are
8149 ignored.
8150
8151 Strategies specify a transformation from the next-hop domain to the
8152 expected name in the server certificate:
8153
8154 nexthop
8155 Match against the next-hop domain, which is either the recipient
8156 domain, or the transport next-hop configured for the domain
8157 stripped of any optional socket type prefix, enclosing square
8158 brackets and trailing port. When MX lookups are not suppressed,
8159 this is the original nexthop domain prior to the MX lookup, not
8160 the result of the MX lookup. For LMTP delivery via UNIX-domain
8161 sockets, the verified next-hop name is $myhostname. This strat‐
8162 egy is suitable for use with the "secure" policy. Case is
8163 ignored.
8164
8165 dot-nexthop
8166 As above, but match server certificate names that are subdomains
8167 of the next-hop domain. Case is ignored.
8168
8169 hostname
8170 Match against the hostname of the server, often obtained via an
8171 unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8172 sockets, the verified name is $myhostname. This matches the ver‐
8173 ification strategy of the "MUST" keyword in the obsolete
8174 smtp_tls_per_site table, and is suitable for use with the "ver‐
8175 ify" security level. When the next-hop name is enclosed in
8176 square brackets to suppress MX lookups, the "hostname" strategy
8177 is the same as the "nexthop" strategy. Case is ignored.
8178
8179 Sample main.cf setting:
8180
8181 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8182
8183 Sample policy table override:
8184
8185 example.com verify match=hostname:nexthop
8186 .example.com verify match=example.com:.example.com:hostname
8187
8188 This feature is available in Postfix 2.3 and later.
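The pattern and strategy rules above, and the "match" attributes in the smtp_tls_policy_maps and smtp_tls_secure_cert_match sections that use the same syntax, are implemented here as an added example (not Postfix code). The next-hops, MX host names and certificate names are constructed or taken from the examples on this page; $myhostname is assumed to be "mta.example", and the MX lookup result is simply passed in as a string, since the point is what each strategy trusts, not how DNS is queried.

```python
"""Evaluation of smtp_tls_verify_cert_match / smtp_tls_secure_cert_match
patterns and strategies, and of the policy table "match" attribute.

Added example, not Postfix code. Follows the rules described above; the
next-hops, MX host names and certificate names are constructed or taken
from this page, and $myhostname is assumed to be "mta.example"."""
import re


def nexthop_domain(nexthop, myhostname="mta.example"):
    """Name verified by the "nexthop" strategy: socket type prefix,
    enclosing [] and trailing :port removed; $myhostname for LMTP over a
    UNIX-domain socket. Case is ignored."""
    if nexthop.startswith("unix:"):
        return myhostname.lower()
    if nexthop.startswith("inet:"):
        nexthop = nexthop[len("inet:"):]
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?|([^:\[\]]+)(?::\d+)?", nexthop)
    if not m:
        raise ValueError("cannot parse next-hop %r" % nexthop)
    return (m.group(1) or m.group(2)).lower()


def mx_lookups_suppressed(nexthop):
    """True for a [bracketed] next-hop (or a UNIX-domain socket)."""
    return nexthop.startswith(("[", "inet:[", "unix:"))


def name_matches(certname, pattern, nexthop, mx_hostname, myhostname="mta.example"):
    """One pattern or strategy against one name from the server certificate."""
    certname = certname.lower()
    if pattern == "nexthop":
        return certname == nexthop_domain(nexthop, myhostname)
    if pattern == "dot-nexthop":
        return certname.endswith("." + nexthop_domain(nexthop, myhostname))
    if pattern == "hostname":
        # The MX host name comes from an unauthenticated DNS lookup unless
        # the [] form suppressed that lookup; then it is the same as "nexthop".
        if mx_lookups_suppressed(nexthop):
            return certname == nexthop_domain(nexthop, myhostname)
        return certname == mx_hostname.lower()
    if pattern.startswith("."):
        # a non-zero number of labels followed by the suffix
        return certname.endswith(pattern.lower()) and len(certname) > len(pattern)
    return certname == pattern.lower()


def certificate_matches(certnames, match_value, nexthop, mx_hostname,
                        in_policy_table=False, myhostname="mta.example"):
    """main.cf values split on commas, whitespace or colons; a policy-table
    "match" attribute only on colons. Any name matching any pattern wins."""
    seps = ":" if in_policy_table else r"[\s,:]+"
    patterns = [p for p in re.split(seps, match_value) if p]
    return any(name_matches(n, p, nexthop, mx_hostname, myhostname)
               for n in certnames for p in patterns)
```

The two "nexthop" checks in the test show the security difference the text is making: with the "secure" default, a certificate issued to the MX host name is rejected unless the next-hop itself (or an explicit pattern) names it, so a forged MX record cannot by itself redirect verified delivery; "hostname" accepts whatever name the MX lookup returned.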
8189
8191 Request that the Postfix SMTP client connect using the legacy SMTPS
8192 protocol instead of using the STARTTLS command.
8193
8194 This mode requires "smtp_tls_security_level = encrypt" or stronger.
8195
8196 Example: deliver all remote mail via a provider's server "mail.exam‐
8197 ple.com".
8198
8199 /etc/postfix/main.cf:
8200 # Client-side SMTPS requires "encrypt" or stronger.
8201 smtp_tls_security_level = encrypt
8202 smtp_tls_wrappermode = yes
8203 # The [] suppress MX lookups.
8204 relayhost = [mail.example.com]:465
8205
8206 More examples are in TLS_README, including examples for older Postfix
8207 versions.
8208
8209 This feature is available in Postfix 3.0 and later.
8210
8212 Opportunistic mode: use TLS when a remote SMTP server announces START‐
8213 TLS support, otherwise send the mail in the clear. Beware: some SMTP
8214 servers offer STARTTLS even if it is not configured. With Postfix <
8215 2.3, if the TLS handshake fails, and no other server is available,
8216 delivery is deferred and mail stays in the queue. If this is a concern
8217 for you, use the smtp_tls_per_site feature instead.
8218
8219 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8220 and later use smtp_tls_security_level instead.
8221
8223 The Postfix SMTP client time limit for sending the XFORWARD command,
8224 and for receiving the remote SMTP server response.
8225
8226 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8227 The default time unit is s (seconds).
8228
8229 This feature is available in Postfix 2.1 and later.
8230
8232 What remote SMTP clients are allowed to specify the XVERP command.
8233 This command requests that mail be delivered one recipient at a time
8234 with a per recipient return address.
8235
8236 By default, no clients are allowed to specify XVERP.
8237
8238 This parameter was renamed with Postfix version 2.1. The default value
8239 is backwards compatible with Postfix version 2.0.
8240
8241 Specify a list of network/netmask patterns, separated by commas and/or
8242 whitespace. The mask specifies the number of bits in the network part
8243 of a host address. You can also specify hostnames or .domain names (the
8244 initial dot causes the domain to match any name below it),
8245 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8246 replaced by its contents; a "type:table" lookup table is matched when a
8247 table entry matches a lookup string (the lookup result is ignored).
8248 Continue long lines by starting the next line with whitespace. Specify
8249 "!pattern" to exclude an address or network block from the list. The
8250 form "!/file/name" is supported only in Postfix version 2.4 and later.
8251
8252 Note: IP version 6 address information must be specified inside [] in
8253 the smtpd_authorized_verp_clients value, and in files specified with
8254 "/file/name". IP version 6 addresses contain the ":" character, and
8255 would otherwise be confused with a "type:table" pattern.
8256
8258 What remote SMTP clients are allowed to use the XCLIENT feature. This
8259 command overrides remote SMTP client information that is used for
8260 access control. Typical use is for SMTP-based content filters, fetch‐
8261 mail-like programs, or SMTP server access rule testing. See the
8262 XCLIENT_README document for details.
8263
8264 This feature is available in Postfix 2.1 and later.
8265
8266 By default, no clients are allowed to specify XCLIENT.
8267
8268 Specify a list of network/netmask patterns, separated by commas and/or
8269 whitespace. The mask specifies the number of bits in the network part
8270 of a host address. You can also specify hostnames or .domain names (the
8271 initial dot causes the domain to match any name below it),
8272 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8273 replaced by its contents; a "type:table" lookup table is matched when a
8274 table entry matches a lookup string (the lookup result is ignored).
8275 Continue long lines by starting the next line with whitespace. Specify
8276 "!pattern" to exclude an address or network block from the list. The
8277 form "!/file/name" is supported only in Postfix version 2.4 and later.
8278
8279 Note: IP version 6 address information must be specified inside [] in
8280 the smtpd_authorized_xclient_hosts value, and in files specified with
8281 "/file/name". IP version 6 addresses contain the ":" character, and
8282 would otherwise be confused with a "type:table" pattern.
8283
8285 What remote SMTP clients are allowed to use the XFORWARD feature. This
8286 command forwards information that is used to improve logging after
8287 SMTP-based content filters. See the XFORWARD_README document for
8288 details.
8289
8290 This feature is available in Postfix 2.1 and later.
8291
8292 By default, no clients are allowed to specify XFORWARD.
8293
8294 Specify a list of network/netmask patterns, separated by commas and/or
8295 whitespace. The mask specifies the number of bits in the network part
8296 of a host address. You can also specify hostnames or .domain names (the
8297 initial dot causes the domain to match any name below it),
8298 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8299 replaced by its contents; a "type:table" lookup table is matched when a
8300 table entry matches a lookup string (the lookup result is ignored).
8301 Continue long lines by starting the next line with whitespace. Specify
8302 "!pattern" to exclude an address or network block from the list. The
8303 form "!/file/name" is supported only in Postfix version 2.4 and later.
8304
8305 Note: IP version 6 address information must be specified inside [] in
8306 the smtpd_authorized_xforward_hosts value, and in files specified with
8307 "/file/name". IP version 6 addresses contain the ":" character, and
8308 would otherwise be confused with a "type:table" pattern.
8309
8311 The text that follows the 220 status code in the SMTP greeting banner.
8312 Some people like to see the mail version advertised. By default, Post‐
8313 fix shows no version.
8314
8315 You MUST specify $myhostname at the start of the text. This is required
8316 by the SMTP protocol.
8317
8318 Example:
8319
8320 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8321
8323 The maximal number of AUTH commands that any client is allowed to send
8324 to this service per time unit, regardless of whether or not Postfix
8325 actually accepts those commands. The time unit is specified with the
8326 anvil_rate_time_unit configuration parameter.
8327
8328 By default, there is no limit on the number of AUTH commands that a client
8329 may send.
8330
8331 To disable this feature, specify a limit of 0.
8332
8333 WARNING: The purpose of this feature is to limit abuse. It must not be
8334 used to regulate legitimate mail traffic.
8335
8336 This feature is available in Postfix 3.1 and later.
8337
8339 How many simultaneous connections any client is allowed to make to this
8340 service. By default, the limit is set to half the default process
8341 limit value.
8342
8343 To disable this feature, specify a limit of 0.
8344
8345 WARNING: The purpose of this feature is to limit abuse. It must not be
8346 used to regulate legitimate mail traffic.
8347
8348 This feature is available in Postfix 2.2 and later.
8349
8351 The maximal number of connection attempts any client is allowed to make
8352 to this service per time unit. The time unit is specified with the
8353 anvil_rate_time_unit configuration parameter.
8354
8355 By default, a client can make as many connections per time unit as
8356 Postfix can accept.
8357
8358 To disable this feature, specify a limit of 0.
8359
8360 WARNING: The purpose of this feature is to limit abuse. It must not be
8361 used to regulate legitimate mail traffic.
8362
8363 This feature is available in Postfix 2.2 and later.
8364
8365 Example:
8366
8367 smtpd_client_connection_rate_limit = 1000
8368
8370 Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8371 tions. See the mynetworks parameter description for the parameter value
8372 syntax.
8373
8374 By default, clients in trusted networks are excluded. Specify a list of
8375 network blocks, hostnames or .domain names (the initial dot causes the
8376 domain to match any name below it).
8377
8378 Note: IP version 6 address information must be specified inside [] in
8379 the smtpd_client_event_limit_exceptions value, and in files specified
8380 with "/file/name". IP version 6 addresses contain the ":" character,
8381 and would otherwise be confused with a "type:table" pattern.
8382
8383 Pattern matching of domain names is controlled by the presence or
8384 absence of "smtpd_client_event_limit_exceptions" in the par‐
8385 ent_domain_matches_subdomains parameter value (Postfix 3.0 and later).
8386
8387 This feature is available in Postfix 2.2 and later.
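The network/netmask list syntax used by smtpd_client_event_limit_exceptions above (and by smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts and smtpd_authorized_xforward_hosts earlier on this page) is implemented here as an added example (not Postfix code), together with a per-time-unit counter in the style of the smtpd_client_*_rate_limit parameters. It covers the IPv4, [IPv6], hostname, .domain and "!pattern" forms and the bracket rule for IPv6; "/file/name" and "type:table" patterns are left out. All lists, addresses and timestamps are constructed.

```python
"""Client-list matching and per-time-unit event counting.

Added example, not Postfix code. Implements the network/netmask pattern
list syntax described above for the IPv4, [IPv6], hostname, .domain and
"!pattern" forms, and an anvil-style counter that starts over at every
time-unit boundary. "/file/name" and "type:table" patterns are omitted.
All lists, addresses and timestamps are constructed."""
import ipaddress
import re


def parse_client_list(value):
    """Split on commas and/or whitespace; return [(negated, pattern), ...].
    A bare ':' is rejected: IPv6 must be written inside [] or it would be
    taken for a type:table pattern."""
    patterns = []
    for tok in (t for t in re.split(r"[\s,]+", value) if t):
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:]
        if ":" in tok and not tok.startswith("["):
            raise ValueError("ambiguous pattern (type:table or bare IPv6): %r" % tok)
        patterns.append((negated, tok))
    return patterns


def pattern_matches(pattern, addr, hostname):
    """One pattern against the client's IP address and (lower-cased) name."""
    addr = ipaddress.ip_address(addr)
    if pattern.startswith("["):                        # [ipv6] or [ipv6]/bits
        inner, _, bits = pattern[1:].partition("]")
        return addr in ipaddress.ip_network(inner + bits, strict=False)
    if re.fullmatch(r"[0-9.]+(/\d+)?", pattern):        # ipv4 or ipv4/bits
        return addr in ipaddress.ip_network(pattern, strict=False)
    hostname = hostname.lower()
    if pattern.startswith("."):                        # any name below the domain
        return hostname.endswith(pattern.lower())
    return hostname == pattern.lower()


def client_in_list(value, addr, hostname):
    """First matching pattern wins; a match on a "!pattern" excludes."""
    for negated, pattern in parse_client_list(value):
        if pattern_matches(pattern, addr, hostname):
            return not negated
    return False


class EventRateLimiter:
    """Allow at most `limit` events per client per `time_unit` seconds, the
    counters starting over at each time-unit boundary (anvil-style, not a
    sliding window). A limit of 0 disables the check; clients matching
    `exceptions` are never counted."""

    def __init__(self, limit, time_unit=60, exceptions=""):
        self.limit, self.time_unit, self.exceptions = limit, time_unit, exceptions
        self.counts = {}                               # (client, window) -> count

    def allow(self, addr, hostname, now):
        if self.limit == 0 or client_in_list(self.exceptions, addr, hostname):
            return True
        key = (addr, int(now // self.time_unit))
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit
```

Because the counter resets at the boundary rather than sliding, a client can fit up to twice the limit into one interval that straddles a boundary; that is acceptable for an abuse limit, which is what the WARNING paragraphs say these parameters are for, and is why they should not be tuned to shape legitimate traffic.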
8388
8390 The maximal number of message delivery requests that any client is
8391 allowed to make to this service per time unit, regardless of whether or
8392 not Postfix actually accepts those messages. The time unit is speci‐
8393 fied with the anvil_rate_time_unit configuration parameter.
8394
8395 By default, a client can send as many message delivery requests per
8396 time unit as Postfix can accept.
8397
8398 To disable this feature, specify a limit of 0.
8399
8400 WARNING: The purpose of this feature is to limit abuse. It must not be
8401 used to regulate legitimate mail traffic.
8402
8403 This feature is available in Postfix 2.2 and later.
8404
8405 Example:
8406
8407 smtpd_client_message_rate_limit = 1000
8408
8410 The maximal number of new (i.e., uncached) TLS sessions that a remote
8411 SMTP client is allowed to negotiate with this service per time unit.
8412 The time unit is specified with the anvil_rate_time_unit configuration
8413 parameter.
8414
8415 By default, a remote SMTP client can negotiate as many new TLS sessions
8416 per time unit as Postfix can accept.
8417
8418 To disable this feature, specify a limit of 0. Otherwise, specify a
8419 limit that is at least the per-client concurrent session limit, or else
8420 legitimate client sessions may be rejected.
8421
8422 WARNING: The purpose of this feature is to limit abuse. It must not be
8423 used to regulate legitimate mail traffic.
8424
8425 This feature is available in Postfix 2.3 and later.
8426
8427 Example:
8428
8429 smtpd_client_new_tls_session_rate_limit = 100
8430
8432 Enable logging of the remote SMTP client port in addition to the host‐
8433 name and IP address. The logging format is "host[address]:port".
8434
8435 This feature is available in Postfix 2.5 and later.
8436
8438 The maximal number of recipient addresses that any client is allowed to
8439 send to this service per time unit, regardless of whether or not Post‐
8440 fix actually accepts those recipients. The time unit is specified with
8441 the anvil_rate_time_unit configuration parameter.
8442
8443 By default, a client can send as many recipient addresses per time unit
8444 as Postfix can accept.
8445
8446 To disable this feature, specify a limit of 0.
8447
8448 WARNING: The purpose of this feature is to limit abuse. It must not be
8449 used to regulate legitimate mail traffic.
8450
8451 This feature is available in Postfix 2.2 and later.
8452
8453 Example:
8454
8455 smtpd_client_recipient_rate_limit = 1000
8456
smtpd_client_restrictions (default: empty)
    Optional restrictions that the Postfix SMTP server applies in the context of a client connection request. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    The default is to allow all connection requests.

    Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.

    The following restrictions are specific to client hostname or client network address information.

    check_ccert_access type:table
        Use the remote SMTP client certificate fingerprint or the public key fingerprint (Postfix 2.9 and later) as lookup key for the specified access(5) database; with Postfix version 2.2, also require that the remote SMTP client certificate is verified successfully. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5). This feature is available with Postfix version 2.2 and later.

    check_client_access type:table
        Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5) manual page for details.

    check_client_a_access type:table
        Search the specified access(5) database for the IP addresses for the client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 3.0 and later.

    check_client_mx_access type:table
        Search the specified access(5) database for the MX hosts for the client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.7 and later.

    check_client_ns_access type:table
        Search the specified access(5) database for the DNS servers for the client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.7 and later.

    check_reverse_client_hostname_access type:table
        Search the specified access database for the unverified reverse client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5) manual page for details. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.6 and later.

    check_reverse_client_hostname_a_access type:table
        Search the specified access(5) database for the IP addresses for the unverified reverse client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 3.0 and later.

    check_reverse_client_hostname_mx_access type:table
        Search the specified access(5) database for the MX hosts for the unverified reverse client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.7 and later.

    check_reverse_client_hostname_ns_access type:table
        Search the specified access(5) database for the DNS servers for the unverified reverse client hostname, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.7 and later.

    check_sasl_access type:table
        Use the remote SMTP client SASL user name as lookup key for the specified access(5) database. The lookup key has the form "username@domainname" when the smtpd_sasl_local_domain parameter value is non-empty. Unlike the check_client_access feature, check_sasl_access does not perform matches of parent domains or IP subnet ranges. This feature is available with Postfix version 2.11 and later.

    permit_inet_interfaces
        Permit the request when the client IP address matches $inet_interfaces.

    permit_mynetworks
        Permit the request when the client IP address matches any network or network address listed in $mynetworks.

    permit_sasl_authenticated
        Permit the request when the client is successfully authenticated via the RFC 4954 (AUTH) protocol.

    permit_tls_all_clientcerts
        Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted CA. Otherwise, clients with a third-party certificate would also be allowed to relay. Specify "tls_append_default_CA = no" when the trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, to prevent Postfix from appending the system-supplied default CAs. This feature is available with Postfix version 2.2.

    permit_tls_clientcerts
        Permit the request when the remote SMTP client certificate fingerprint or public key fingerprint (Postfix 2.9 and later) is listed in $relay_clientcerts. The fingerprint digest algorithm is configurable via the smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to Postfix version 2.5). This feature is available with Postfix version 2.2.

    reject_rbl_client rbl_domain=d.d.d.d
        Reject the request when the reversed client network address is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the reversed client network address is listed with any A record under rbl_domain.
        The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554), the default_rbl_reply parameter specifies the default server reply, and the rbl_reply_maps parameter specifies tables with server replies indexed by rbl_domain. This feature is available in Postfix 2.0 and later.

    permit_dnswl_client dnswl_domain=d.d.d.d
        Accept the request when the reversed client network address is listed with the A record "d.d.d.d" under dnswl_domain. Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, accept the request when the reversed client network address is listed with any A record under dnswl_domain.
        For safety, permit_dnswl_client is silently ignored when it would override reject_unauth_destination. The result is DEFER_IF_REJECT when whitelist lookup fails. This feature is available in Postfix 2.8 and later.

    reject_rhsbl_client rbl_domain=d.d.d.d
        Reject the request when the client hostname is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the client hostname is listed with any A record under rbl_domain. See the reject_rbl_client description above for additional RBL related configuration parameters. This feature is available in Postfix 2.0 and later; with Postfix version 2.8 and later, reject_rhsbl_reverse_client will usually produce better results.

    permit_rhswl_client rhswl_domain=d.d.d.d
        Accept the request when the client hostname is listed with the A record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, accept the request when the client hostname is listed with any A record under rhswl_domain.
        Caution: client name whitelisting is fragile, since the client name lookup can fail due to temporary outages. Client name whitelisting should be used only to reduce false positives in e.g. DNS-based blocklists, and not for making access rule exceptions.
        For safety, permit_rhswl_client is silently ignored when it would override reject_unauth_destination. The result is DEFER_IF_REJECT when whitelist lookup fails. This feature is available in Postfix 2.8 and later.

    reject_rhsbl_reverse_client rbl_domain=d.d.d.d
        Reject the request when the unverified reverse client hostname is listed with the A record "d.d.d.d" under rbl_domain. Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges. If no "=d.d.d.d" is specified, reject the request when the unverified reverse client hostname is listed with any A record under rbl_domain. See the reject_rbl_client description above for additional RBL related configuration parameters. This feature is available in Postfix 2.8 and later.

    reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
        Reject the request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address. This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above.
        The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name or name->address lookup failed due to a temporary problem.

    reject_unknown_reverse_client_hostname
        Reject the request when the client IP address has no address->name mapping.
        This is a weaker restriction than the reject_unknown_client_hostname feature, which requires not only that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address.
        The unknown_client_reject_code parameter specifies the response code for rejected requests (default: 450). The reply is always 450 in case the address->name lookup failed due to a temporary problem.
        This feature is available in Postfix 2.3 and later.

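The following is an added example, not code from postconf(5) or the Postfix source: it shows how the "rbl_domain=d.d.d.d" argument shared by reject_rbl_client, permit_dnswl_client, reject_rhsbl_client, permit_rhswl_client and reject_rhsbl_reverse_client selects which A records count as a listing, and which name the address-based and hostname-based lookups use. The list domain names and addresses are constructed placeholders; the IPv6 reversed-nibble form is taken from the ipaddress module rather than from this page.

```python
import ipaddress
import re

# Added example, not part of postconf(5) or the Postfix source: parses the
# "rbl_domain=d.d.d.d" reply pattern and builds the lookup names.  Each "d" is
# a number, or a "[...]" group of ";"-separated numbers and number..number
# ranges; no "=d.d.d.d" at all means any A record counts as a listing.

_BRACKET = re.compile(r"^\[(.*)\]$")


def _split_elements(spec):
    """Split "d.d.d.d" on "." but not inside a "[...]" group, which may
    itself contain ".." ranges."""
    elements, current, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            elements.append(current)
            current = ""
        else:
            current += ch
    elements.append(current)
    return elements


def _octet_set(element):
    """Integers accepted by one "d": a plain number, or "[n;n..m;...]"."""
    group = _BRACKET.match(element)
    if not group:
        return {int(element)}
    accepted = set()
    for item in group.group(1).split(";"):
        if ".." in item:                        # inclusive number..number range
            low, high = item.split("..", 1)
            accepted.update(range(int(low), int(high) + 1))
        else:
            accepted.add(int(item))
    return accepted


def parse_reply_pattern(spec):
    """Parse "d.d.d.d" into four octet sets; an empty spec (no "=d.d.d.d")
    is returned as None, meaning any A record is a listing."""
    if not spec:
        return None
    elements = _split_elements(spec)
    if len(elements) != 4:
        raise ValueError(f"expected d.d.d.d, got {spec!r}")
    return [_octet_set(e) for e in elements]


def parse_argument(argument):
    """Split "rbl_domain=d.d.d.d" (or a bare "rbl_domain") into (domain, pattern)."""
    domain, _, spec = argument.partition("=")
    return domain, parse_reply_pattern(spec)


def reply_matches(pattern, a_record):
    """True when one returned A record satisfies the pattern."""
    if pattern is None:
        return True
    octets = [int(o) for o in a_record.split(".")]
    return len(octets) == 4 and all(o in s for o, s in zip(octets, pattern))


def is_listed(pattern, a_records):
    """Listed when any returned A record matches; no records means not listed."""
    return any(reply_matches(pattern, rec) for rec in a_records)


def rbl_query_name(client_address, rbl_domain):
    """reject_rbl_client / permit_dnswl_client look up the *reversed* client
    network address under the list domain (reversed nibbles for IPv6)."""
    reverse = ipaddress.ip_address(client_address).reverse_pointer
    return reverse.rsplit(".", 2)[0] + "." + rbl_domain   # drop in-addr.arpa / ip6.arpa


def rhsbl_query_name(hostname, rbl_domain):
    """reject_rhsbl_client and the other rhsbl/rhswl restrictions look up the
    hostname itself under the list domain."""
    return hostname.rstrip(".") + "." + rbl_domain


if __name__ == "__main__":
    # Constructed placeholders, not a real list or client.
    domain, pattern = parse_argument("bl.example.test=127.0.0.[2;4..7]")
    print(rbl_query_name("192.0.2.10", domain))   # 10.2.0.192.bl.example.test
    print(is_listed(pattern, ["127.0.0.5"]))       # True
    print(is_listed(pattern, ["127.0.0.3"]))       # False
```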
    In addition, you can use any of the following generic restrictions. These restrictions are applicable in any SMTP command context.

    check_policy_service servername
        Query the specified policy server. See the SMTPD_POLICY_README document for details. This feature is available in Postfix 2.1 and later.

    defer
        Defer the request. The client is told to try again later. This restriction is useful at the end of a restriction list, to make the default policy explicit.
        The defer_code parameter specifies the SMTP server reply code (default: 450).

    defer_if_permit
        Defer the request if some later restriction would result in an explicit or implicit PERMIT action. This is useful when a blacklisting feature fails due to a temporary problem. This feature is available in Postfix version 2.1 and later.

    defer_if_reject
        Defer the request if some later restriction would result in a REJECT action. This is useful when a whitelisting feature fails due to a temporary problem. This feature is available in Postfix version 2.1 and later.

    permit
        Permit the request. This restriction is useful at the end of a restriction list, to make the default policy explicit.

    reject_multi_recipient_bounce
        Reject the request when the envelope sender is the null address, and the message has multiple envelope recipients. This usage has rare but legitimate applications: under certain conditions, multi-recipient mail that was posted with the DSN option NOTIFY=NEVER may be forwarded with the null sender address.
        Note: this restriction can only work reliably when used in smtpd_data_restrictions or smtpd_end_of_data_restrictions, because the total number of recipients is not known at an earlier stage of the SMTP conversation. Use at the RCPT stage will only reject the second etc. recipient.
        The multi_recipient_bounce_reject_code parameter specifies the response code for rejected requests (default: 550). This feature is available in Postfix 2.1 and later.

    reject_plaintext_session
        Reject the request when the connection is not encrypted. This restriction should not be used before the client has had a chance to negotiate encryption with the AUTH or STARTTLS commands.
        The plaintext_reject_code parameter specifies the response code for rejected requests (default: 450). This feature is available in Postfix 2.3 and later.

    reject_unauth_pipelining
        Reject the request when the client sends SMTP commands ahead of time where it is not allowed, or when the client sends SMTP commands ahead of time without knowing that Postfix actually supports ESMTP command pipelining. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up deliveries.
        With Postfix 2.6 and later, the SMTP server sets a per-session flag whenever it detects illegal pipelining, including pipelined HELO or EHLO commands. The reject_unauth_pipelining feature simply tests whether the flag was set at any point in time during the session.
        With older Postfix versions, reject_unauth_pipelining checks the current status of the input read queue, and its usage is not recommended in contexts other than smtpd_data_restrictions.

    reject
        Reject the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The reject_code configuration parameter specifies the response code for rejected requests (default: 554).

    sleep seconds
        Pause for the specified number of seconds and proceed with the next restriction in the list, if any. This may stop zombie mail when used as:

            /etc/postfix/main.cf:
                smtpd_client_restrictions =
                    sleep 1, reject_unauth_pipelining
                smtpd_delay_reject = no

        This feature is available in Postfix 2.3.

    warn_if_reject
        A safety net for testing. When "warn_if_reject" is placed before a reject-type restriction, access table query, or check_policy_service query, this logs a "reject_warning" message instead of rejecting a request (when a reject-type restriction fails due to a temporary error, this logs a "reject_warning" message for any implicit "defer_if_permit" actions that would normally prevent mail from being accepted by some later access restriction). This feature has no effect on defer_if_reject restrictions.

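The following is an added example, not code from postconf(5) or the Postfix source: a simplified model of how one restriction list is evaluated, covering first-match-wins, the implicit permit at the end of the list, defer_if_permit and defer_if_reject turning a later PERMIT or REJECT into DEFER, and warn_if_reject downgrading the next reject-type result to a log line. Each restriction is given as (name, the result it would return for this request), since the real lookups (DNS, access tables, policy servers) are outside the model, and the special case of permit_dnswl_client versus reject_unauth_destination is not modelled.

```python
# Added example, not part of postconf(5) or the Postfix source: a simplified
# model of smtpd_*_restrictions list evaluation.  Restrictions are supplied
# as (name, result) pairs; warn_if_reject has no result of its own.

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"
DEFER_IF_PERMIT, DEFER_IF_REJECT = "DEFER_IF_PERMIT", "DEFER_IF_REJECT"


def evaluate(restrictions):
    """Return (action, reason, warnings) for one restriction list.

    action is PERMIT, REJECT or DEFER; reason names the restriction that
    decided; warnings holds the reject_warning lines warn_if_reject produced.
    """
    pending_if_permit = None      # first defer_if_permit seen, if any
    pending_if_reject = None      # first defer_if_reject seen, if any
    warnings = []
    warn_next = False
    for name, result in restrictions:
        if name == "warn_if_reject":          # applies to the next restriction only
            warn_next = True
            continue
        if warn_next:
            warn_next = False
            # Reject-type results, including the implicit defer_if_permit that a
            # temporary lookup failure produces, become a log line; defer_if_reject
            # is unaffected.
            if result in (REJECT, DEFER, DEFER_IF_PERMIT):
                warnings.append(f"reject_warning: {name} would have returned {result}")
                result = DUNNO
        if result == PERMIT:
            if pending_if_permit:
                return DEFER, f"{pending_if_permit} before {name}", warnings
            return PERMIT, name, warnings
        if result == REJECT:
            if pending_if_reject:
                return DEFER, f"{pending_if_reject} before {name}", warnings
            return REJECT, name, warnings
        if result == DEFER:
            return DEFER, name, warnings
        if result == DEFER_IF_PERMIT and pending_if_permit is None:
            pending_if_permit = name
        elif result == DEFER_IF_REJECT and pending_if_reject is None:
            pending_if_reject = name
        # DUNNO (no match): fall through to the next restriction
    # End of list: implicit PERMIT, which a pending defer_if_permit turns into DEFER.
    if pending_if_permit:
        return DEFER, f"{pending_if_permit} before implicit permit", warnings
    return PERMIT, "end of list (implicit permit)", warnings


if __name__ == "__main__":
    # A DNS blocklist lookup that failed temporarily yields defer_if_permit, so
    # the trailing "permit" becomes a 4xx instead of accepting unchecked mail.
    print(evaluate([("permit_mynetworks", DUNNO),
                    ("reject_rbl_client", DEFER_IF_PERMIT),
                    ("permit", PERMIT)]))
```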
    Other restrictions that are valid in this context:

    · SMTP command specific restrictions that are described under the smtpd_helo_restrictions, smtpd_sender_restrictions or smtpd_recipient_restrictions parameters. When helo, sender or recipient restrictions are listed under smtpd_client_restrictions, they have effect only with "smtpd_delay_reject = yes", so that $smtpd_client_restrictions is evaluated at the time of the RCPT TO command.

    Example:

        smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname

smtpd_command_filter (default: empty)
    A mechanism to transform commands from remote SMTP clients. This is a last-resort tool to work around client commands that break interoperability with the Postfix SMTP server. Other uses involve fault injection to test Postfix's handling of invalid commands.

    Specify the name of a "type:table" lookup table. The search string is the SMTP command as received from the remote SMTP client, except that initial whitespace and the trailing <CR><LF> are removed. The result value is executed by the Postfix SMTP server.

    There is no need to use smtpd_command_filter for the following cases:

    · Use "resolve_numeric_domain = yes" to accept "user@ipaddress".

    · Postfix already accepts the correct form "user@[ipaddress]". Use virtual_alias_maps or canonical_maps to translate these into domain names if necessary.

    · Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name <user@example.com>>". Postfix will ignore the "User Name" part and deliver to the <user@example.com> address.

    Examples of problems that can be solved with the smtpd_command_filter feature:

        /etc/postfix/main.cf:
            smtpd_command_filter = pcre:/etc/postfix/command_filter

        /etc/postfix/command_filter:
            # Work around clients that send malformed HELO commands.
            /^HELO\s*$/ HELO domain.invalid

            # Work around clients that send empty lines.
            /^\s*$/ NOOP

            # Work around clients that send RCPT TO:<'user@domain'>.
            # WARNING: do not lose the parameters that follow the address.
            /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/ $1$2$3

            # Append XVERP to MAIL FROM commands to request VERP-style delivery.
            # See VERP_README for more information on how to use Postfix VERP.
            /^(MAIL FROM:\s*<listname@example\.com>.*)/ $1 XVERP

            # Bounce-never mail sink. Use notify_classes=bounce,resource,software
            # to send bounced mail to the postmaster (with message body removed).
            /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
            /^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER

    This feature is available in Postfix 2.7.

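The following is an added example, not code from postconf(5) or the Postfix source: it replays the command_filter table above in Python so the rewrites can be checked offline before the table is deployed. It assumes the pcre table semantics of first match wins, case-insensitive matching by default and $N group references; Python's re has no POSIX classes, so the table's [^[:space:]] is written \S here.

```python
import re

# Added example, not part of postconf(5) or the Postfix source: the
# smtpd_command_filter table from the text, expressed as (pattern, result)
# pairs.  The search key is the received command minus initial whitespace
# and the trailing <CR><LF>; the first matching pattern decides the result.

COMMAND_FILTER = [
    # Work around clients that send malformed HELO commands.
    (r"^HELO\s*$", "HELO domain.invalid"),
    # Work around clients that send empty lines.
    (r"^\s*$", "NOOP"),
    # Work around clients that send RCPT TO:<'user@domain'>.
    # WARNING: do not lose the parameters that follow the address.
    (r"^(RCPT\s+TO:\s*<)'(\S+)'(>.*)", "$1$2$3"),
    # Append XVERP to MAIL FROM commands to request VERP-style delivery.
    (r"^(MAIL FROM:\s*<listname@example\.com>.*)", "$1 XVERP"),
]

# The bounce-never mail sink from the text.  In the text it sits at the end
# of the same table, after the RCPT TO:<'...'> rule, because a table is
# first-match-wins and the catch-all RCPT rule would otherwise shadow it.
BOUNCE_NEVER_SINK = [
    (r"^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)", "$1 NOTIFY=NEVER$2"),
    (r"^(RCPT\s+TO:.*)", "$1 NOTIFY=NEVER"),
]

_GROUP_REF = re.compile(r"\$(\d+)")


def _expand(result, match):
    """Replace $N in a table result with the N-th captured group."""
    return _GROUP_REF.sub(lambda m: match.group(int(m.group(1))) or "", result)


def filter_command(line, table=COMMAND_FILTER):
    """Return the command the SMTP server executes for one received line.
    A key that matches no pattern is executed unchanged."""
    key = line.lstrip().rstrip("\r\n")
    for pattern, result in table:
        match = re.search(pattern, key, re.IGNORECASE)   # pcre tables default to /i
        if match:
            return _expand(result, match)
    return key


if __name__ == "__main__":
    # Constructed sample commands, as a client would send them.
    for received in ("HELO\r\n", "  \r\n",
                     "RCPT TO:<'user@example.com'> NOTIFY=SUCCESS\r\n",
                     "mail from:<listname@example.com> SIZE=1024\r\n",
                     "DATA\r\n"):
        print(repr(received), "->", filter_command(received))
```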
smtpd_data_restrictions (default: empty)
    Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP DATA command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    This feature is available in Postfix 2.0 and later.

    Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.

    The following restrictions are valid in this context:

    · Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.

    · SMTP command specific restrictions described under smtpd_client_restrictions, smtpd_helo_restrictions, smtpd_sender_restrictions or smtpd_recipient_restrictions.

    · However, no recipient information is available in the case of multi-recipient mail. Acting on only one recipient would be misleading, because any decision will affect all recipients equally. Acting on all recipients would require a possibly very large amount of memory, and would also be misleading for the reasons mentioned before.

    Examples:

        smtpd_data_restrictions = reject_unauth_pipelining
        smtpd_data_restrictions = reject_multi_recipient_bounce

smtpd_delay_open_until_valid_rcpt (default: yes)
    Postpone the start of an SMTP mail transaction until a valid RCPT TO command is received. Specify "no" to create a mail transaction as soon as the Postfix SMTP server receives a valid MAIL FROM command.

    With sites that reject lots of mail, the default setting reduces the use of disk, CPU and memory resources. The downside is that rejected recipients are logged with NOQUEUE instead of a mail transaction ID. This complicates the logfile analysis of multi-recipient mail.

    This feature is available in Postfix 2.3 and later.

smtpd_delay_reject (default: yes)
    Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait until the ETRN command before evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.

    This feature is turned on by default because some clients apparently mis-behave when the Postfix SMTP server rejects commands before RCPT TO.

    The default setting has one major benefit: it allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.

smtpd_discard_ehlo_keyword_address_maps (default: empty)
    Lookup tables, indexed by the remote SMTP client address, with case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP server will not send in the EHLO response to a remote SMTP client. See smtpd_discard_ehlo_keywords for details. The tables are not searched by hostname for robustness reasons.

    Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found.

    This feature is available in Postfix 2.2 and later.

smtpd_discard_ehlo_keywords (default: empty)
    A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP server will not send in the EHLO response to a remote SMTP client.

    This feature is available in Postfix 2.2 and later.

    Notes:

    · Specify the silent-discard pseudo keyword to prevent this action from being logged.

    · Use the smtpd_discard_ehlo_keyword_address_maps feature to discard EHLO keywords selectively.

smtpd_dns_reply_filter (default: empty)
    Optional filter for Postfix SMTP server DNS lookup results. See smtp_dns_reply_filter for details including an example.

    This feature is available in Postfix 3.0 and later.

smtpd_end_of_data_restrictions (default: empty)
    Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    This feature is available in Postfix 2.2 and later.

    See smtpd_data_restrictions for details and limitations.

smtpd_enforce_tls (default: no)
    Mandatory TLS: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. This option is therefore off by default.

    Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

    Note 2: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to insufficient privileges to access the server private key. This is intended behavior.

    This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtpd_tls_security_level instead.

smtpd_error_sleep_time (default: 1s)
    With Postfix version 2.1 and later: the SMTP server response delay after a client has made more than $smtpd_soft_error_limit errors, and fewer than $smtpd_hard_error_limit errors, without delivering mail.

    With Postfix version 2.0 and earlier: the SMTP server delay before sending a reject (4xx or 5xx) response, when the client has made fewer than $smtpd_soft_error_limit errors without delivering mail.

smtpd_etrn_restrictions (default: empty)
    Optional restrictions that the Postfix SMTP server applies in the context of a client ETRN command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

    The Postfix ETRN implementation accepts only destinations that are eligible for the Postfix "fast flush" service. See the ETRN_README file for details.

    Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.

    The following restrictions are specific to the domain name information received with the ETRN command.

    check_etrn_access type:table
        Search the specified access database for the ETRN domain name or its parent domains. See the access(5) manual page for details.

    Other restrictions that are valid in this context:

    · Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.

    · SMTP command specific restrictions described under smtpd_client_restrictions and smtpd_helo_restrictions.

    Example:

        smtpd_etrn_restrictions = permit_mynetworks, reject

smtpd_expansion_filter (default: see "postconf -d" output)
    What characters are allowed in $name expansions of RBL reply templates. Characters not in the allowed set are replaced by "_". Use C like escapes to specify special characters such as whitespace.

    This parameter is not subjected to $parameter expansion.

    This feature is available in Postfix 2.0 and later.

smtpd_forbidden_commands (default: CONNECT, GET, POST)
    List of commands that cause the Postfix SMTP server to immediately terminate the session with a 221 code. This can be used to disconnect clients that obviously attempt to abuse the system. In addition to the commands listed in this parameter, commands that follow the "Label:" format of message headers will also cause a disconnect.

    This feature is available in Postfix 2.2 and later.

smtpd_hard_error_limit (default: normal: 20, overload: 1)
    The maximal number of errors a remote SMTP client is allowed to make without delivering mail. The Postfix SMTP server disconnects when the limit is exceeded. Normally the default limit is 20, but it changes under overload to just 1. With Postfix 2.5 and earlier, the SMTP server always allows up to 20 errors by default.

smtpd_helo_required (default: no)
    Require that a remote SMTP client introduces itself with the HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation.

    Example:

        smtpd_helo_required = yes

9036 Optional restrictions that the Postfix SMTP server applies in the con‐
9037 text of a client HELO command. See SMTPD_ACCESS_README, section
9038 "Delayed evaluation of SMTP access restriction lists" for a discussion
9039 of evaluation context and time.
9040
9041 The default is to permit everything.
9042
9043 Note: specify "smtpd_helo_required = yes" to fully enforce this
9044 restriction (without "smtpd_helo_required = yes", a client can simply
9045 skip smtpd_helo_restrictions by not sending HELO or EHLO).
9046
9047 Specify a list of restrictions, separated by commas and/or whitespace.
9048 Continue long lines by starting the next line with whitespace.
9049 Restrictions are applied in the order as specified; the first restric‐
9050 tion that matches wins.
9051
9052 The following restrictions are specific to the hostname information
9053 received with the HELO or EHLO command.
9054
9055 check_helo_access type:table
9056 Search the specified access(5) database for the HELO or EHLO
9057 hostname or parent domains, and execute the corresponding
9058 action. Note: specify "smtpd_helo_required = yes" to fully
9059 enforce this restriction (without "smtpd_helo_required = yes", a
9060 client can simply skip check_helo_access by not sending HELO or
9061 EHLO).
9062
9063 check_helo_a_access type:table
9064 Search the specified access(5) database for the IP addresses for
9065 the HELO or EHLO hostname, and execute the corresponding action.
9066 Note 1: a result of "OK" is not allowed for safety reasons.
9067 Instead, use DUNNO in order to exclude specific hosts from
9068 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9069 fully enforce this restriction (without "smtpd_helo_required =
9070 yes", a client can simply skip check_helo_a_access by not send‐
9071 ing HELO or EHLO). This feature is available in Postfix 3.0 and
9072 later.
9073
9074 check_helo_mx_access type:table
9075 Search the specified access(5) database for the MX hosts for the
9076 HELO or EHLO hostname, and execute the corresponding action.
9077 Note 1: a result of "OK" is not allowed for safety reasons.
9078 Instead, use DUNNO in order to exclude specific hosts from
9079 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9080 fully enforce this restriction (without "smtpd_helo_required =
9081 yes", a client can simply skip check_helo_mx_access by not send‐
9082 ing HELO or EHLO). This feature is available in Postfix 2.1 and
9083 later.
9084
9085 check_helo_ns_access type:table
9086 Search the specified access(5) database for the DNS servers for
9087 the HELO or EHLO hostname, and execute the corresponding action.
9088 Note 1: a result of "OK" is not allowed for safety reasons.
9089 Instead, use DUNNO in order to exclude specific hosts from
9090 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9091 fully enforce this restriction (without "smtpd_helo_required =
9092 yes", a client can simply skip check_helo_ns_access by not send‐
9093 ing HELO or EHLO). This feature is available in Postfix 2.1 and
9094 later.
9095
9096 reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_host‐
9097 name)
9098 Reject the request when the HELO or EHLO hostname is malformed.
9099 Note: specify "smtpd_helo_required = yes" to fully enforce this
9100 restriction (without "smtpd_helo_required = yes", a client can
9101 simply skip reject_invalid_helo_hostname by not sending HELO or
9102 EHLO).
9103 The invalid_hostname_reject_code specifies the response code for
9104 rejected requests (default: 501).
9105
9106 reject_non_fqdn_helo_hostname (with Postfix < 2.3:
9107 reject_non_fqdn_hostname)
9108 Reject the request when the HELO or EHLO hostname is not in
9109 fully-qualified domain or address literal form, as required by
9110 the RFC. Note: specify "smtpd_helo_required = yes" to fully
9111 enforce this restriction (without "smtpd_helo_required = yes", a
9112 client can simply skip reject_non_fqdn_helo_hostname by not
9113 sending HELO or EHLO).
9114 The non_fqdn_reject_code parameter specifies the response code
9115 for rejected requests (default: 504).
9116
9117 reject_rhsbl_helo rbl_domain=d.d.d.d
9118 Reject the request when the HELO or EHLO hostname is listed with
9119 the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
9120 later only). Each "d" is a number, or a pattern inside "[]"
9121 that contains one or more ";"-separated numbers or number..num‐
9122 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
9123 specified, reject the request when the HELO or EHLO hostname is
9124 listed with any A record under rbl_domain. See the
9125 reject_rbl_client description for additional RBL related config‐
9126 uration parameters. Note: specify "smtpd_helo_required = yes"
9127 to fully enforce this restriction (without "smtpd_helo_required
9128 = yes", a client can simply skip reject_rhsbl_helo by not send‐
9129 ing HELO or EHLO). This feature is available in Postfix 2.0 and
9130 later.
9131
9132 reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_host‐
9133 name)
9134 Reject the request when the HELO or EHLO hostname has no DNS A
9135 or MX record.
9136 The reply is specified with the unknown_hostname_reject_code
9137 parameter (default: 450) or unknown_helo_hostname_temp‐
9138 fail_action (default: defer_if_permit). See the respective
9139 parameter descriptions for details.
9140 Note: specify "smtpd_helo_required = yes" to fully enforce this
9141 restriction (without "smtpd_helo_required = yes", a client can
9142 simply skip reject_unknown_helo_hostname by not sending HELO or
9143 EHLO).
9144
9145 Other restrictions that are valid in this context:
9146
9147 · Generic restrictions that can be used in any SMTP command con‐
9148 text, described under smtpd_client_restrictions.
9149
9150 · Client hostname or network address specific restrictions
9151 described under smtpd_client_restrictions.
9152
9153 · SMTP command specific restrictions described under
9154 smtpd_sender_restrictions or smtpd_recipient_restrictions. When
9155 sender or recipient restrictions are listed under
9156 smtpd_helo_restrictions, they have effect only with
9157 "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
9158 evaluated at the time of the RCPT TO command.
9159
9160 Examples:
9161
9162 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
9163 smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
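The HELO checks above, and the "skip it by not sending HELO" caveat, as an added example in Python (not Postfix code). It approximates Postfix's hostname syntax rules and only models the restrictions named on this page; the 503 reply for a missing HELO is the one Postfix sends when smtpd_helo_required is set.

```python
import ipaddress
import re

# Simplified model of the HELO/EHLO hostname checks behind
# reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname.
# Added example, not Postfix code: Postfix's valid_hostname() rules are
# approximated as labels of [A-Za-z0-9-] that do not start or end with '-',
# at most 63 chars per label, at most 255 chars overall, no empty labels.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_address_literal(helo):
    """True for a well-formed "[192.0.2.1]" or "[IPv6:2001:db8::1]" literal."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    inner = helo[1:-1]
    try:
        if inner[:5].upper() == "IPV6:":
            return isinstance(ipaddress.ip_address(inner[5:]), ipaddress.IPv6Address)
        return isinstance(ipaddress.ip_address(inner), ipaddress.IPv4Address)
    except ValueError:
        return False


def is_valid_hostname(helo):
    """Syntactic hostname check (approximation of Postfix valid_hostname())."""
    if not helo or len(helo) > 255:
        return False
    # a trailing dot or "a..b" yields an empty label, which fails LABEL_RE
    return all(LABEL_RE.match(label) for label in helo.split("."))


def is_fqdn_hostname(helo):
    """Fully-qualified form: syntactically valid and at least two labels."""
    return is_valid_hostname(helo) and "." in helo


def check_helo(helo, restrictions, helo_required=False):
    """Evaluate a smtpd_helo_restrictions list for one session.

    helo is None when the client sent no HELO/EHLO at all. Returns
    (action, smtp_code, reason); "DUNNO" means no restriction matched,
    which at the end of a Postfix restriction list amounts to a permit.
    """
    if helo is None:
        if helo_required:
            # smtpd_helo_required = yes: MAIL FROM is refused until HELO/EHLO
            return ("REJECT", 503, "Error: send HELO/EHLO first")
        # Without smtpd_helo_required the HELO restrictions are never
        # evaluated, so a client skips them simply by not saying HELO.
        return ("DUNNO", None, "no HELO/EHLO sent: restrictions not evaluated")

    for restriction in restrictions:
        if restriction == "reject_invalid_helo_hostname":
            if not (is_address_literal(helo) or is_valid_hostname(helo)):
                # invalid_hostname_reject_code default: 501
                return ("REJECT", 501,
                        "<%s>: Helo command rejected: Invalid name" % helo)
        elif restriction == "reject_non_fqdn_helo_hostname":
            if not (is_address_literal(helo) or is_fqdn_hostname(helo)):
                # non_fqdn_reject_code default: 504
                return ("REJECT", 504,
                        "<%s>: Helo command rejected: need fully-qualified hostname" % helo)
        elif restriction == "permit":
            return ("OK", 250, "permit")
        else:
            raise ValueError("restriction not modelled here: " + restriction)
    return ("DUNNO", None, "end of restriction list")
```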
9164
9166 The maximal number of lines in the Postfix SMTP server command history
9167 before it is flushed upon receipt of EHLO, RSET, or end of DATA.
9168
9170 The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
9171 SMTP client can send before the Postfix SMTP server starts to increment
9172 the error counter with each junk command. The junk command count is
9173 reset after mail is delivered. See also the smtpd_error_sleep_time and
9174 smtpd_soft_error_limit configuration parameters. Normally the default
9175 limit is 100, but it changes under overload to just 1. With Postfix 2.5
9176 and earlier, the SMTP server always allows up to 100 junk commands by
9177 default.
9178
9180 Enable logging of the named "permit" actions in SMTP server access
9181 lists (by default, the SMTP server logs "reject" actions but not "per‐
9182 mit" actions). This feature does not affect conditional actions such
9183 as "defer_if_permit".
9184
9185 Specify a list of "permit" action names, "/file/name" or "type:table"
9186 patterns, separated by commas and/or whitespace. The list is matched
9187 left to right, and the search stops on the first match. A "/file/name"
9188 pattern is replaced by its contents; a "type:table" lookup table is
9189 matched when a name matches a lookup key (the lookup result is
9190 ignored). Continue long lines by starting the next line with white‐
9191 space. Specify "!pattern" to exclude a name from the list.
9192
9193 Examples:
9194
9195 /etc/postfix/main.cf:
9196 # Log all "permit" actions.
9197 smtpd_log_access_permit_actions = static:all
9198
9199 /etc/postfix/main.cf:
9200 # Log "permit_dnswl_client" only.
9201 smtpd_log_access_permit_actions = permit_dnswl_client
9202
9203 This feature is available in Postfix 2.10 and later.
9204
9206 Lookup tables with Milter settings per remote SMTP client IP address.
9207 The lookup result overrides the smtpd_milters setting, and has the same
9208 syntax.
9209
9210 Note: lookup tables cannot return empty responses. Specify a lookup
9211 result of DISABLE (case does not matter) to indicate that Milter sup‐
9212 port should be disabled.
9213
9214 Example to disable Milters for local clients:
9215
9216 /etc/postfix/main.cf:
9217 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
9218 smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
9219
9220 /etc/postfix/smtpd_milter_map:
9221 # Disable Milters for local clients.
9222 127.0.0.0/8 DISABLE
9223 192.168.0.0/16 DISABLE
9224 ::/64 DISABLE
9225 2001:db8::/32 DISABLE
9226
9227 This feature is available in Postfix 3.2 and later.
9228
9230 A list of Milter (mail filter) applications for new mail that arrives
9231 via the Postfix smtpd(8) server. Specify space or comma as separator.
9232 See the MILTER_README document for details.
9233
9234 This feature is available in Postfix 2.3 and later.
9235
9237 List of commands that the Postfix SMTP server replies to with "250 Ok",
9238 without doing any syntax checks and without changing state. This list
9239 overrides any commands built into the Postfix SMTP server.
9240
9242 The lookup key to be used in SMTP access(5) tables instead of the null
9243 sender address.
9244
9246 Attempt to look up the remote SMTP client hostname, and verify that the
9247 name matches the client IP address. A client name is set to "unknown"
9248 when it cannot be looked up or verified, or when name lookup is dis‐
9249 abled. Turning off name lookup reduces delays due to DNS lookup and
9250 increases the maximal inbound delivery rate.
9251
9252 This feature is available in Postfix 2.3 and later.
9253
9255 Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
9256 time limits, from a time limit per read or write system call, to a time
9257 limit to send or receive a complete record (an SMTP command line, SMTP
9258 response line, SMTP message content line, or TLS protocol message).
9259 This limits the impact from hostile peers that trickle data one byte at
9260 a time.
9261
9262 Note: when per-record deadlines are enabled, a short timeout may cause
9263 problems with TLS over very slow network connections. The reasons are
9264 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
9265 and that an entire TLS protocol message must be sent or received within
9266 the per-record deadline.
9267
9268 This feature is available in Postfix 2.9 and later. With older Postfix
9269 releases, the behavior is as if this parameter is set to "no".
9270
9272 problem)
9273 The default action when an SMTPD policy service request fails. Specify
9274 "DUNNO" to behave as if the failed SMTPD policy service request was
9275 not sent, and to continue processing other access restrictions, if any.
9276
9277 Limitations:
9278
9279 · This parameter may specify any value that would be a valid SMTPD
9280 policy server response (or access(5) map lookup result). An
9281 access(5) map or policy server in this parameter value may need
9282 to be declared in advance with a restriction_class setting.
9283
9284 · If the specified action invokes another check_policy_service
9285 request, that request will have the built-in default action.
9286
9287 This feature is available in Postfix 3.0 and later.
9288
9290 The time after which an idle SMTPD policy service connection is closed.
9291
9292 This feature is available in Postfix 2.1 and later.
9293
9295 The time after which an active SMTPD policy service connection is
9296 closed.
9297
9298 This feature is available in Postfix 2.1 and later.
9299
9301 Optional information that the Postfix SMTP server specifies in the
9302 "policy_context" attribute of a policy service request (originally, to
9303 share the same service endpoint among multiple check_policy_service
9304 clients).
9305
9306 This feature is available in Postfix 3.1 and later.
9307
9309 The maximal number of requests per SMTPD policy service connection, or
9310 zero (no limit). Once a connection reaches this limit, the connection
9311 is closed and the next request will be sent over a new connection. This
9312 is a workaround to avoid error-recovery delays with policy servers that
9313 cannot maintain a persistent connection.
9314
9315 This feature is available in Postfix 3.0 and later.
9316
9318 The delay between attempts to resend a failed SMTPD policy service
9319 request. Specify a value greater than zero.
9320
9321 This feature is available in Postfix 3.0 and later.
9322
9324 The time limit for connecting to, writing to, or receiving from a dele‐
9325 gated SMTPD policy server.
9326
9327 This feature is available in Postfix 2.1 and later.
9328
9330 The maximal number of attempts to send an SMTPD policy service request
9331 before giving up. Specify a value greater than zero.
9332
9333 This feature is available in Postfix 3.0 and later.
9334
9336 How the Postfix SMTP server announces itself to the proxy filter. By
9337 default, the Postfix hostname is used.
9338
9339 This feature is available in Postfix 2.1 and later.
9340
9342 The hostname and TCP port of the mail filtering proxy server. The
9343 proxy receives all mail from the Postfix SMTP server, and is supposed
9344 to give the result to another Postfix SMTP server process.
9345
9346 Specify "host:port" or "inet:host:port" for a TCP endpoint, or
9347 "unix:pathname" for a UNIX-domain endpoint. The host can be specified
9348 as an IP address or as a symbolic name; no MX lookups are done. When
9349 no "host" or "host:" are specified, the local machine is assumed.
9350 Pathname interpretation is relative to the Postfix queue directory.
9351
9352 This feature is available in Postfix 2.1 and later.
9353
9354 The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
9355 later.
9356
9358 List of options that control how the Postfix SMTP server communicates
9359 with a before-queue content filter. Specify zero or more of the follow‐
9360 ing, separated by comma or whitespace.
9361
9362 speed_adjust
9363 Do not connect to a before-queue content filter until an entire
9364 message has been received. This reduces the number of simultane‐
9365 ous before-queue content filter processes.
9366
9367 NOTE 1: A filter must not selectively reject recipients of a
9368 multi-recipient message. Rejecting all recipients is OK, as is accept‐
9369 ing all recipients.
9370
9371 NOTE 2: This feature increases the minimum amount of free queue space
9372 by $message_size_limit. The extra space is needed to save the message
9373 to a temporary file.
9374
9375 This feature is available in Postfix 2.7 and later.
9376
9378 The time limit for connecting to a proxy filter and for sending or
9379 receiving information. When a connection fails the client gets a
9380 generic error message while more detailed information is logged to the
9381 maillog file.
9382
9383 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
9384 The default time unit is s (seconds).
9385
9386 This feature is available in Postfix 2.1 and later.
9387
9389 The maximal number of recipients that the Postfix SMTP server accepts
9390 per message delivery request.
9391
9393 The number of recipients that a remote SMTP client can send in excess
9394 of the limit specified with $smtpd_recipient_limit, before the Postfix
9395 SMTP server increments the per-session error count for each excess
9396 recipient.
9397
9399 Optional restrictions that the Postfix SMTP server applies in the con‐
9400 text of a client RCPT TO command, after smtpd_relay_restrictions. See
9401 SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
9402 restriction lists" for a discussion of evaluation context and time.
9403
9404 With Postfix versions before 2.10, the rules for relay permission and
9405 spam blocking were combined under smtpd_recipient_restrictions, result‐
9406 ing in error-prone configuration. As of Postfix 2.10, relay permission
9407 rules are preferably implemented with smtpd_relay_restrictions, so that
9408 a permissive spam blocking policy under smtpd_recipient_restrictions
9409 will no longer result in a permissive mail relay policy.
9410
9411 For backwards compatibility, sites that migrate from Postfix versions
9412 before 2.10 can set smtpd_relay_restrictions to the empty value, and
9413 use smtpd_recipient_restrictions exactly as before.
9414
9415 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
9416 ent_restrictions parameter must specify at least one of the following
9417 restrictions. Otherwise Postfix will refuse to receive mail:
9418
9419 reject, reject_unauth_destination
9420
9421 defer, defer_if_permit, defer_unauth_destination
9422
9423 Specify a list of restrictions, separated by commas and/or whitespace.
9424 Continue long lines by starting the next line with whitespace.
9425 Restrictions are applied in the order as specified; the first restric‐
9426 tion that matches wins.
9427
9428 The following restrictions are specific to the recipient address that
9429 is received with the RCPT TO command.
9430
9431 check_recipient_access type:table
9432 Search the specified access(5) database for the resolved RCPT TO
9433 address, domain, parent domains, or localpart@, and execute the
9434 corresponding action.
9435
9436 check_recipient_a_access type:table
9437 Search the specified access(5) database for the IP addresses for
9438 the RCPT TO domain, and execute the corresponding action. Note:
9439 a result of "OK" is not allowed for safety reasons. Instead, use
9440 DUNNO in order to exclude specific hosts from blacklists. This
9441 feature is available in Postfix 3.0 and later.
9442
9443 check_recipient_mx_access type:table
9444 Search the specified access(5) database for the MX hosts for the
9445 RCPT TO domain, and execute the corresponding action. Note: a
9446 result of "OK" is not allowed for safety reasons. Instead, use
9447 DUNNO in order to exclude specific hosts from blacklists. This
9448 feature is available in Postfix 2.1 and later.
9449
9450 check_recipient_ns_access type:table
9451 Search the specified access(5) database for the DNS servers for
9452 the RCPT TO domain, and execute the corresponding action. Note:
9453 a result of "OK" is not allowed for safety reasons. Instead, use
9454 DUNNO in order to exclude specific hosts from blacklists. This
9455 feature is available in Postfix 2.1 and later.
9456
9457 permit_auth_destination
9458 Permit the request when one of the following is true:
9459
9460 · Postfix is mail forwarder: the resolved RCPT TO domain matches
9461 $relay_domains or a subdomain thereof, and the address contains
9462 no sender-specified routing (user@elsewhere@domain),
9463
9464 · Postfix is the final destination: the resolved RCPT TO domain
9465 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9466 $virtual_alias_domains, or $virtual_mailbox_domains, and the
9467 address contains no sender-specified routing (user@else‐
9468 where@domain).
9469
9470 permit_mx_backup
9471 Permit the request when the local mail system is backup MX for
9472 the RCPT TO domain, or when the domain is an authorized destina‐
9473 tion (see permit_auth_destination for definition).
9474
9475 · Safety: permit_mx_backup does not accept addresses that have
9476 sender-specified routing information (example: user@else‐
9477 where@domain).
9478
9479 · Safety: permit_mx_backup can be vulnerable to mis-use when
9480 access is not restricted with permit_mx_backup_networks.
9481
9482 · Safety: as of Postfix version 2.3, permit_mx_backup no longer
9483 accepts the address when the local mail system is primary MX for
9484 the recipient domain. Exception: permit_mx_backup accepts the
9485 address when it specifies an authorized destination (see per‐
9486 mit_auth_destination for definition).
9487
9488 · Limitation: mail may be rejected in case of a temporary DNS
9489 lookup problem with Postfix prior to version 2.0.
9490
9491 reject_non_fqdn_recipient
9492 Reject the request when the RCPT TO address specifies a domain
9493 that is not in fully-qualified domain form, as required by the
9494 RFC.
9495 The non_fqdn_reject_code parameter specifies the response code
9496 for rejected requests (default: 504).
9497
9498 reject_rhsbl_recipient rbl_domain=d.d.d.d
9499 Reject the request when the RCPT TO domain is listed with the A
9500 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
9501 only). Each "d" is a number, or a pattern inside "[]" that con‐
9502 tains one or more ";"-separated numbers or number..number ranges
9503 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
9504 reject the request when the RCPT TO domain is listed with any A
9505 record under rbl_domain.
9506 The maps_rbl_reject_code parameter specifies the response code
9507 for rejected requests (default: 554); the default_rbl_reply
9508 parameter specifies the default server reply; and the
9509 rbl_reply_maps parameter specifies tables with server replies
9510 indexed by rbl_domain. This feature is available in Postfix
9511 version 2.0 and later.
9512
9513 reject_unauth_destination
9514 Reject the request unless one of the following is true:
9515
9516 · Postfix is mail forwarder: the resolved RCPT TO domain matches
9517 $relay_domains or a subdomain thereof, and contains no
9518 sender-specified routing (user@elsewhere@domain),
9519
9520 · Postfix is the final destination: the resolved RCPT TO domain
9521 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9522 $virtual_alias_domains, or $virtual_mailbox_domains, and con‐
9523 tains no sender-specified routing (user@elsewhere@domain).
9524 The relay_domains_reject_code parameter specifies the response
9525 code for rejected requests (default: 554).
9526
9527 defer_unauth_destination
9528 Reject the same requests as reject_unauth_destination, with a
9529 non-permanent error code. This feature is available in Postfix
9530 2.10 and later.
9531
9532 reject_unknown_recipient_domain
9533 Reject the request when Postfix is not final destination for the
9534 recipient domain, and the RCPT TO domain has 1) no DNS MX and no
9535 DNS A record or 2) a malformed MX record such as a record with a
9536 zero-length MX hostname (Postfix version 2.3 and later).
9537 The reply is specified with the unknown_address_reject_code
9538 parameter (default: 450), unknown_address_tempfail_action
9539 (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and
9540 later). See the respective parameter descriptions for details.
9541
9542 reject_unlisted_recipient (with Postfix version 2.0: check_recipi‐
9543 ent_maps)
9544 Reject the request when the RCPT TO address is not listed in the
9545 list of valid recipients for its domain class. See the
9546 smtpd_reject_unlisted_recipient parameter description for
9547 details. This feature is available in Postfix 2.1 and later.
9548
9549 reject_unverified_recipient
9550 Reject the request when mail to the RCPT TO address is known to
9551 bounce, or when the recipient address destination is not reach‐
9552 able. Address verification information is managed by the ver‐
9553 ify(8) server; see the ADDRESS_VERIFICATION_README file for
9554 details.
9555 The unverified_recipient_reject_code parameter specifies the
9556 numerical response code when an address is known to bounce
9557 (default: 450, change into 550 when you are confident that it is
9558 safe to do so).
9559 The unverified_recipient_defer_code parameter specifies the
9560 numerical response code when an address probe failed due to a
9561 temporary problem (default: 450).
9562 The unverified_recipient_tempfail_action parameter specifies the
9563 action after address probe failure due to a temporary problem
9564 (default: defer_if_permit).
9565 This feature breaks for aliased addresses with "enable_origi‐
9566 nal_recipient = no" (Postfix <= 3.2).
9567 This feature is available in Postfix 2.1 and later.
9568
9569 Other restrictions that are valid in this context:
9570
9571 · Generic restrictions that can be used in any SMTP command con‐
9572 text, described under smtpd_client_restrictions.
9573
9574 · SMTP command specific restrictions described under
9575 smtpd_client_restrictions, smtpd_helo_restrictions and
9576 smtpd_sender_restrictions.
9577
9578 Example:
9579
9580 # The Postfix before 2.10 default mail relay policy. Later Postfix
9581 # versions implement this preferably with smtpd_relay_restrictions.
9582 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
9583
9585 Optional information that is appended after each Postfix SMTP server
9586 4XX or 5XX response.
9587
9588 The following example uses "\c" at the start of the template (supported
9589 in Postfix 2.10 and later) to suppress the line break between the reply
9590 text and the footer text. With earlier Postfix versions, the footer
9591 text always begins on a new line, and the "\c" is output literally.
9592
9593 /etc/postfix/main.cf:
9594 smtpd_reject_footer = \c. For assistance, call 800-555-0101.
9595 Please provide the following information in your problem report:
9596 time ($localtime), client ($client_address) and server
9597 ($server_name).
9598
9599 Server response:
9600
9601 550-5.5.1 <user@example> Recipient address rejected: User
9602 unknown. For assistance, call 800-555-0101. Please provide the
9603 following information in your problem report: time (Jan 4 15:42:00),
9604 client (192.168.1.248) and server (mail1.example.com).
9605
9606 Note: the above text is meant to make it easier to find the Postfix
9607 logfile records for a failed SMTP session. The text itself is not
9608 logged to the Postfix SMTP server's maillog file.
9609
9610 Be sure to keep the text as short as possible. Long text may be trun‐
9611 cated before it is logged to the remote SMTP client's maillog file, or
9612 before it is returned to the sender in a delivery status notification.
9613
9614 This feature supports a limited number of $name attributes in the
9615 footer text. These are replaced by their current value for the SMTP
9616 session:
9617
9618 client_address
9619 The Client IP address that is logged in the maillog file.
9620
9621 client_port
9622 The client TCP port that is logged in the maillog file.
9623
9624 localtime
9625 The server local time (Mmm dd hh:mm:ss) that is logged in the
9626 maillog file.
9627
9628 server_name
9629 The server's myhostname value. This attribute is made available
9630 for sites with multiple MTAs (perhaps behind a load-balancer),
9631 where the server name can help the server support team to
9632 quickly find the right log files.
9633
9634 Notes:
9635
9636 · NOT SUPPORTED are other attributes such as sender, recipient, or
9637 main.cf parameters.
9638
9639 · For safety reasons, text that does not match $smtpd_expan‐
9640 sion_filter is censored.
9641
9642 This feature supports the two-character sequence \n as a request for a
9643 line break in the footer text. Postfix automatically inserts after each
9644 line break the three-digit SMTP reply code (and optional enhanced sta‐
9645 tus code) from the original Postfix reject message.
9646
9647 To work around mail software that mis-handles multi-line replies, spec‐
9648 ify the two-character sequence \c at the start of the template. This
9649 suppresses the line break between the reply text and the footer text
9650 (Postfix 2.10 and later).
9651
9652 This feature is available in Postfix 2.8 and later.
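A model of the footer rendering described above, written as an added example (not Postfix code): $name expansion of the four supported attributes, "\c" and "\n" handling, re-insertion of the reply code and enhanced status code after each line break, and censoring of attribute values against an assumed smtpd_expansion_filter of printable ASCII plus space. Unsupported $names expand to nothing in this model; the sample session values are constructed.

```python
import re

# Constructed model of how a reject reply is rendered with smtpd_reject_footer.
# Added example, not Postfix code.
SUPPORTED_ATTRIBUTES = ("client_address", "client_port", "localtime", "server_name")

# Assumed filter: printable ASCII plus space. Postfix takes the real set from
# smtpd_expansion_filter; anything outside it is replaced by "_".
DEFAULT_EXPANSION_FILTER = frozenset(chr(c) for c in range(0x21, 0x7f)) | {" "}

NAME_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def expand_footer(template, session, allowed=DEFAULT_EXPANSION_FILTER):
    """Replace $name / ${name} with the session value. Unsupported names
    (sender, recipient, main.cf parameters) expand to nothing in this model."""
    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in SUPPORTED_ATTRIBUTES:
            return ""
        value = str(session.get(name, ""))
        return "".join(ch if ch in allowed else "_" for ch in value)
    return NAME_RE.sub(substitute, template)


def split_reply(reply):
    """'550 5.5.1 text' -> ('550', '5.5.1', 'text'); enhanced code is optional."""
    parts = reply.split(" ", 2)
    code = parts[0]
    if len(parts) > 1 and re.fullmatch(r"\d\.\d{1,3}\.\d{1,3}", parts[1]):
        return code, parts[1], (parts[2] if len(parts) > 2 else "")
    return code, None, " ".join(parts[1:])


def render_reject_reply(reply, footer_template, session,
                        allowed=DEFAULT_EXPANSION_FILTER):
    """Return the list of SMTP reply lines the client would receive."""
    code, enhanced, text = split_reply(reply)
    footer = expand_footer(footer_template, session, allowed)
    segments = footer.split("\\n")           # "\n" in the template = line break
    if segments[0].startswith("\\c"):         # "\c" joins the footer to the reply text
        segments[0] = text + segments[0][2:]
    else:                                     # otherwise the footer starts a new line
        segments.insert(0, text)
    status = (enhanced + " ") if enhanced else ""
    lines = []
    for i, segment in enumerate(segments):
        # every line but the last uses "CODE-" to announce a continuation line
        sep = " " if i == len(segments) - 1 else "-"
        lines.append("%s%s%s%s" % (code, sep, status, segment))
    return lines
```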
9653
9655 Request that the Postfix SMTP server rejects mail for unknown recipient
9656 addresses, even when no explicit reject_unlisted_recipient access
9657 restriction is specified. This prevents the Postfix queue from filling
9658 up with undeliverable MAILER-DAEMON messages.
9659
9660 An address is always considered "known" when it matches a virtual(5)
9661 alias or a canonical(5) mapping.
9662
9663 · The recipient domain matches $mydestination, $inet_interfaces or
9664 $proxy_interfaces, but the recipient is not listed in
9665 $local_recipient_maps, and $local_recipient_maps is not null.
9666
9667 · The recipient domain matches $virtual_alias_domains but the
9668 recipient is not listed in $virtual_alias_maps.
9669
9670 · The recipient domain matches $virtual_mailbox_domains but the
9671 recipient is not listed in $virtual_mailbox_maps, and $vir‐
9672 tual_mailbox_maps is not null.
9673
9674 · The recipient domain matches $relay_domains but the recipient is
9675 not listed in $relay_recipient_maps, and $relay_recipient_maps
9676 is not null.
9677
9678 This feature is available in Postfix 2.1 and later.
9679
9681 Request that the Postfix SMTP server rejects mail from unknown sender
9682 addresses, even when no explicit reject_unlisted_sender access restric‐
9683 tion is specified. This can slow down an explosion of forged mail from
9684 worms or viruses.
9685
9686 An address is always considered "known" when it matches a virtual(5)
9687 alias or a canonical(5) mapping.
9688
9689 · The sender domain matches $mydestination, $inet_interfaces or
9690 $proxy_interfaces, but the sender is not listed in $local_recip‐
9691 ient_maps, and $local_recipient_maps is not null.
9692
9693 · The sender domain matches $virtual_alias_domains but the sender
9694 is not listed in $virtual_alias_maps.
9695
9696 · The sender domain matches $virtual_mailbox_domains but the
9697 sender is not listed in $virtual_mailbox_maps, and $vir‐
9698 tual_mailbox_maps is not null.
9699
9700 · The sender domain matches $relay_domains but the sender is not
9701 listed in $relay_recipient_maps, and $relay_recipient_maps is
9702 not null.
9703
9704 This feature is available in Postfix 2.1 and later.
9705
9707 cated, defer_unauth_destination)
9708 Access restrictions for mail relay control that the Postfix SMTP server
9709 applies in the context of the RCPT TO command, before smtpd_recipi‐
9710 ent_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation
9711 of SMTP access restriction lists" for a discussion of evaluation con‐
9712 text and time.
9713
9714 With Postfix versions before 2.10, the rules for relay permission and
9715 spam blocking were combined under smtpd_recipient_restrictions, result‐
9716 ing in error-prone configuration. As of Postfix 2.10, relay permission
9717 rules are preferably implemented with smtpd_relay_restrictions, so that
9718 a permissive spam blocking policy under smtpd_recipient_restrictions
9719 will no longer result in a permissive mail relay policy.
9720
9721 For backwards compatibility, sites that migrate from Postfix versions
9722 before 2.10 can set smtpd_relay_restrictions to the empty value, and
9723 use smtpd_recipient_restrictions exactly as before.
9724
9725 By default, the Postfix SMTP server accepts:
9726
9727 · Mail from clients whose IP address matches $mynetworks, or:
9728
9729 · Mail to remote destinations that match $relay_domains, except
9730 for addresses that contain sender-specified routing (user@else‐
9731 where@domain), or:
9732
9733 · Mail to local destinations that match $inet_interfaces or
9734 $proxy_interfaces, $mydestination, $virtual_alias_domains, or
9735 $virtual_mailbox_domains.
9736
9737 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
9738 ent_restrictions parameter must specify at least one of the following
9739 restrictions. Otherwise Postfix will refuse to receive mail:
9740
9741 reject, reject_unauth_destination
9742
9743 defer, defer_if_permit, defer_unauth_destination
9744
9745 Specify a list of restrictions, separated by commas and/or whitespace.
9746 Continue long lines by starting the next line with whitespace. The
9747 same restrictions are available as documented under smtpd_recipi‐
9748 ent_restrictions.
9749
9750 This feature is available in Postfix 2.10 and later.
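The relay decision that the smtpd_recipient_restrictions example and the smtpd_relay_restrictions default implement, as an added example in Python (not Postfix code). It follows the permit_auth_destination and reject_unauth_destination text above, models only "user@elsewhere@domain" as sender-specified routing, and includes the IMPORTANT check that one of the listed guard restrictions is present; the networks and domains are constructed sample values.

```python
import ipaddress

# Constructed model of "permit_mynetworks, reject_unauth_destination".
# Added example, not Postfix code.
FINAL_DESTINATION_CLASSES = ("mydestination", "inet_interfaces", "proxy_interfaces",
                             "virtual_alias_domains", "virtual_mailbox_domains")


def split_recipient(address):
    """Return (localpart, domain). The last '@' delimits the domain, so any
    '@' left in the localpart is sender-specified routing."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("recipient without user@domain form: %r" % address)
    return local, domain.lower()


def has_sender_routing(local):
    # only the user@elsewhere@domain form from the text is modelled here
    return "@" in local


def in_mynetworks(client_ip, mynetworks):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def domain_matches(domain, patterns, subdomains):
    """Exact match; with subdomains=True also any subdomain of a pattern."""
    for pattern in patterns:
        pattern = pattern.lower()
        if domain == pattern or (subdomains and domain.endswith("." + pattern)):
            return True
    return False


def is_auth_destination(local, domain, cfg):
    """permit_auth_destination: $relay_domains (or a subdomain) or a final
    destination class, in both cases only without sender-specified routing."""
    if has_sender_routing(local):
        return False
    if domain_matches(domain, cfg.get("relay_domains", []), subdomains=True):
        return True
    final = [d for cls in FINAL_DESTINATION_CLASSES for d in cfg.get(cls, [])]
    return domain_matches(domain, final, subdomains=False)


def rcpt_decision(client_ip, recipient, cfg, restrictions):
    """Evaluate a restriction list at RCPT TO; the first match wins.
    Returns (action, code). "DUNNO" means the list was exhausted without a
    match, which lets the request through."""
    local, domain = split_recipient(recipient)
    for restriction in restrictions:
        if restriction == "permit_mynetworks":
            if in_mynetworks(client_ip, cfg.get("mynetworks", [])):
                return ("OK", 250)
        elif restriction == "permit_auth_destination":
            if is_auth_destination(local, domain, cfg):
                return ("OK", 250)
        elif restriction == "reject_unauth_destination":
            if not is_auth_destination(local, domain, cfg):
                return ("REJECT", 554)  # relay_domains_reject_code default
        elif restriction == "reject":
            return ("REJECT", 554)
        elif restriction == "permit":
            return ("OK", 250)
        else:
            raise ValueError("restriction not modelled here: " + restriction)
    return ("DUNNO", None)


RELAY_GUARDS = {"reject", "reject_unauth_destination",
                "defer", "defer_if_permit", "defer_unauth_destination"}


def relay_policy_is_closed(relay_restrictions, recipient_restrictions):
    """The IMPORTANT rule: at least one guard restriction must appear in
    smtpd_relay_restrictions or smtpd_recipient_restrictions, otherwise
    Postfix refuses to receive mail at all."""
    return bool(RELAY_GUARDS & (set(relay_restrictions) | set(recipient_restrictions)))
```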
9751
9753 User-defined aliases for groups of access restrictions. The aliases can
9754 be specified in smtpd_recipient_restrictions etc., and on the
9755 right-hand side of a Postfix access(5) table.
9756
9757 One major application is for implementing per-recipient UCE control.
9758 See the RESTRICTION_CLASS_README document for other examples.
9759
9761 The application name that the Postfix SMTP server uses for SASL server
9762 initialization. This controls the name of the SASL configuration file.
9763 The default value is smtpd, corresponding to a SASL configuration file
9764 named smtpd.conf.
9765
9766 This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
9767 was renamed to smtpd_sasl_path.
9768
9770 Enable SASL authentication in the Postfix SMTP server. By default, the
9771 Postfix SMTP server does not use authentication.
9772
9773 If a remote SMTP client is authenticated, the permit_sasl_authenticated
9774 access restriction can be used to permit relay access, like this:
9775
9776 # With Postfix 2.10 and later, the mail relay policy is
9777 # preferably specified under smtpd_relay_restrictions.
9778 smtpd_relay_restrictions =
9779 permit_mynetworks, permit_sasl_authenticated, ...
9780
9781 # With Postfix before 2.10, the relay policy can be
9782 # specified only under smtpd_recipient_restrictions.
9783 smtpd_recipient_restrictions =
9784 permit_mynetworks, permit_sasl_authenticated, ...
9785
9786 To reject all SMTP connections from unauthenticated clients, specify
9787 "smtpd_delay_reject = yes" (which is the default) and use:
9788
9789 smtpd_client_restrictions = permit_sasl_authenticated, reject
9790
9791 See the SASL_README file for SASL configuration and operation details.
9792
9794 Report the SASL authenticated user name in the smtpd(8) Received mes‐
9795 sage header.
9796
9797 This feature is available in Postfix 2.3 and later.
9798
9800 What remote SMTP clients the Postfix SMTP server will not offer AUTH
9801 support to.
9802
9803 Some clients (Netscape 4 at least) have a bug that causes them to
9804 require a login and password whenever AUTH is offered, whether it's
9805 necessary or not. To work around this, specify, for example, $mynet‐
9806 works to prevent Postfix from offering AUTH to local clients.
9807
9808 Specify a list of network/netmask patterns, separated by commas and/or
9809 whitespace. The mask specifies the number of bits in the network part
9810 of a host address. You can also specify "/file/name" or "type:table" patterns.
9811 A "/file/name" pattern is replaced by its contents; a "type:table"
9812 lookup table is matched when a table entry matches a lookup string (the
9813 lookup result is ignored). Continue long lines by starting the next
9814 line with whitespace. Specify "!pattern" to exclude an address or net‐
9815 work block from the list. The form "!/file/name" is supported only in
9816 Postfix version 2.4 and later.
9817
9818 Note: IP version 6 address information must be specified inside [] in
9819 the smtpd_sasl_exceptions_networks value, and in files specified with
9820 "/file/name". IP version 6 addresses contain the ":" character, and
9821 would otherwise be confused with a "type:table" pattern.
9822
9823 Example:
9824
9825 smtpd_sasl_exceptions_networks = $mynetworks
9826
9827 This feature is available in Postfix 2.1 and later.
9828
9830 The name of the Postfix SMTP server's local SASL authentication realm.
9831
9832 By default, the local authentication realm name is the null string.
9833
9834 Examples:
9835
9836 smtpd_sasl_local_domain = $mydomain
9837 smtpd_sasl_local_domain = $myhostname
9838
9840 Implementation-specific information that the Postfix SMTP server passes
9841 through to the SASL plug-in implementation that is selected with
9842 smtpd_sasl_type. Typically this specifies the name of a configuration
9843 file or rendezvous point.
9844
9845 This feature is available in Postfix 2.3 and later. In earlier releases
9846 it was called smtpd_sasl_application_name.
9847
Postfix SMTP server SASL security options; as of Postfix 2.3 the list of available features depends on the SASL server implementation that is selected with smtpd_sasl_type.

The following security features are defined for the cyrus server SASL implementation:

Restrict what authentication mechanisms the Postfix SMTP server will offer to the client. The list of available authentication mechanisms is system dependent.

Specify zero or more of the following:

noplaintext
    Disallow methods that use plaintext passwords.

noactive
    Disallow methods subject to active (non-dictionary) attack.

nodictionary
    Disallow methods subject to passive (dictionary) attack.

noanonymous
    Disallow methods that allow anonymous authentication.

forward_secrecy
    Only allow methods that support forward secrecy (Dovecot only).

mutual_auth
    Only allow methods that provide mutual authentication (not available with Cyrus SASL version 1).

By default, the Postfix SMTP server accepts plaintext passwords but not anonymous logins.

Warning: it appears that clients try authentication methods in the order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) which means that if you disable plaintext passwords, clients will log in anonymously, even when they should be able to use CRAM-MD5. So, if you disable plaintext logins, disable anonymous logins too. Postfix treats anonymous login as no authentication.

Example:

    smtpd_sasl_security_options = noanonymous, noplaintext

The service name that is passed to the SASL plug-in that is selected with smtpd_sasl_type and smtpd_sasl_path.

This feature is available in Postfix 2.11 and later. Prior versions behave as if "smtp" is specified.

The SASL authentication security options that the Postfix SMTP server uses for TLS encrypted SMTP sessions.

This feature is available in Postfix 2.2 and later.

The SASL plug-in type that the Postfix SMTP server should use for authentication. The available types are listed with the "postconf -a" command.

This feature is available in Postfix 2.3 and later.

Optional lookup table with the SASL login names that own the sender (MAIL FROM) addresses.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following search operations are done with a sender address of user@domain:

1) user@domain
    This table lookup is always done and has the highest precedence.

2) user
    This table lookup is done only when the domain part of the sender address matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

3) @domain
    This table lookup is done last and has the lowest precedence.

In all cases the result of table lookup must be either "not found" or a list of SASL login names separated by comma and/or whitespace.

Optional restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access restriction lists" for a discussion of evaluation context and time.

The default is to permit everything.

Specify a list of restrictions, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. Restrictions are applied in the order as specified; the first restriction that matches wins.

The following restrictions are specific to the sender address received with the MAIL FROM command.

check_sender_access type:table
    Search the specified access(5) database for the MAIL FROM address, domain, parent domains, or localpart@, and execute the corresponding action.

check_sender_a_access type:table
    Search the specified access(5) database for the IP addresses for the MAIL FROM domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 3.0 and later.

check_sender_mx_access type:table
    Search the specified access(5) database for the MX hosts for the MAIL FROM domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.

check_sender_ns_access type:table
    Search the specified access(5) database for the DNS servers for the MAIL FROM domain, and execute the corresponding action. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from blacklists. This feature is available in Postfix 2.1 and later.

reject_authenticated_sender_login_mismatch
    Enforces the reject_sender_login_mismatch restriction for authenticated clients only. This feature is available in Postfix version 2.1 and later.

reject_known_sender_login_mismatch
    Apply the reject_sender_login_mismatch restriction only to MAIL FROM addresses that are known in $smtpd_sender_login_maps. This feature is available in Postfix version 2.11 and later.

reject_non_fqdn_sender
    Reject the request when the MAIL FROM address specifies a domain that is not in fully-qualified domain form as required by the RFC.
    The non_fqdn_reject_code parameter specifies the response code for rejected requests (default: 504).

reject_rhsbl_sender rbl_domain=d.d.d.d
    Reject the request when the MAIL FROM domain is listed with the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). Each "d" is a number, or a pattern inside "[]" that contains one or more ";"-separated numbers or number..number ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is specified, reject the request when the MAIL FROM domain is listed with any A record under rbl_domain.
    The maps_rbl_reject_code parameter specifies the response code for rejected requests (default: 554); the default_rbl_reply parameter specifies the default server reply; and the rbl_reply_maps parameter specifies tables with server replies indexed by rbl_domain. This feature is available in Postfix 2.0 and later.

reject_sender_login_mismatch
    Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.

reject_unauthenticated_sender_login_mismatch
    Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.

reject_unknown_sender_domain
    Reject the request when Postfix is not the final destination for the sender address, and the MAIL FROM domain has 1) no DNS MX and no DNS A record, or 2) a malformed MX record such as a record with a zero-length MX hostname (Postfix version 2.3 and later).
    The reply is specified with the unknown_address_reject_code parameter (default: 450), unknown_address_tempfail_action (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and later). See the respective parameter descriptions for details.

reject_unlisted_sender
    Reject the request when the MAIL FROM address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_sender parameter description for details. This feature is available in Postfix 2.1 and later.

reject_unverified_sender
    Reject the request when mail to the MAIL FROM address is known to bounce, or when the sender address destination is not reachable. Address verification information is managed by the verify(8) server; see the ADDRESS_VERIFICATION_README file for details.
    The unverified_sender_reject_code parameter specifies the numerical response code when an address is known to bounce (default: 450, change into 550 when you are confident that it is safe to do so).
    The unverified_sender_defer_code parameter specifies the numerical response code when an address probe failed due to a temporary problem (default: 450).
    The unverified_sender_tempfail_action parameter specifies the action after address probe failure due to a temporary problem (default: defer_if_permit).
    This feature breaks for aliased addresses with "enable_original_recipient = no" (Postfix <= 3.2).
    This feature is available in Postfix 2.1 and later.

Other restrictions that are valid in this context:

· Generic restrictions that can be used in any SMTP command context, described under smtpd_client_restrictions.

· SMTP command specific restrictions described under smtpd_client_restrictions and smtpd_helo_restrictions.

· SMTP command specific restrictions described under smtpd_recipient_restrictions. When recipient restrictions are listed under smtpd_sender_restrictions, they have effect only with "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions is evaluated at the time of the RCPT TO command.

Examples:

    smtpd_sender_restrictions = reject_unknown_sender_domain
    smtpd_sender_restrictions = reject_unknown_sender_domain,
        check_sender_access hash:/etc/postfix/access

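The smtpd_sender_login_maps lookup order (user@domain, then user for local domains, then @domain) and the reject_sender_login_mismatch family of restrictions, worked through as an added Python example that is not Postfix code; the lookup table, the set of local domains and the lower-casing of keys are constructed assumptions.

```python
"""Model of the smtpd_sender_login_maps lookup order and of the
reject_*sender_login_mismatch decisions.  Added illustration, not Postfix
code; the table and the local-domain set below are constructed samples."""
import re

# Stand-in for the domains matched by $myorigin, $mydestination,
# $inet_interfaces and $proxy_interfaces (constructed sample).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Constructed sample of what a hash: table for smtpd_sender_login_maps
# would contain: key -> comma and/or whitespace separated SASL login names.
SENDER_LOGIN_MAPS = {
    "alice@example.com": "alice",
    "bob": "bob, postmaster",
    "@partner.example": "gateway",
}


def split_logins(value):
    """Split a lookup result into login names (comma and/or whitespace)."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def lookup_owners(sender, table=SENDER_LOGIN_MAPS, local_domains=LOCAL_DOMAINS):
    """Owner login names for a MAIL FROM address, or None when all three
    lookups are 'not found'.  Keys are compared in lower case here, a
    simplification of the case folding real Postfix tables apply."""
    sender = sender.lower()
    user, sep, domain = sender.partition("@")
    if not sep or not user or not domain:
        return None  # not of the form user@domain: nothing to look up
    # 1) user@domain: always done, highest precedence.
    if sender in table:
        return split_logins(table[sender])
    # 2) user: only when the domain part is one of the local domains.
    if domain in local_domains and user in table:
        return split_logins(table[user])
    # 3) @domain: done last, lowest precedence.
    if "@" + domain in table:
        return split_logins(table["@" + domain])
    return None


def sender_login_mismatch(sender, login, **kw):
    """True when reject_sender_login_mismatch would reject: the table names
    an owner but the client is not logged in as that owner, or the client
    is logged in but its login name does not own the address."""
    owners = lookup_owners(sender, **kw)
    if login is None:
        return owners is not None
    return owners is None or login not in owners


def authenticated_mismatch(sender, login, **kw):
    """reject_authenticated_sender_login_mismatch: authenticated clients only."""
    return login is not None and sender_login_mismatch(sender, login, **kw)


def unauthenticated_mismatch(sender, login, **kw):
    """reject_unauthenticated_sender_login_mismatch: unauthenticated only."""
    return login is None and sender_login_mismatch(sender, login, **kw)


def known_mismatch(sender, login, **kw):
    """reject_known_sender_login_mismatch: only addresses that have an owner."""
    return (lookup_owners(sender, **kw) is not None
            and sender_login_mismatch(sender, login, **kw))


if __name__ == "__main__":
    for sender, login in [("alice@example.com", "alice"),
                          ("alice@example.com", None),
                          ("bob@example.com", "postmaster"),
                          ("bob@other.test", "bob"),
                          ("nobody@nowhere.test", "someone")]:
        print(f"{sender:22} login={login!s:10} "
              f"reject={sender_login_mismatch(sender, login)}")
```

The bob@other.test case shows the domain condition on the second lookup: the bare "bob" key is not consulted because other.test is not a local domain, so an authenticated "bob" is rejected.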
The internal service that postscreen(8) hands off allowed connections to. In a future version there may be different classes of SMTP service.

This feature is available in Postfix 2.8.

The number of errors a remote SMTP client is allowed to make without delivering mail before the Postfix SMTP server slows down all its responses.

· With Postfix version 2.1 and later, the Postfix SMTP server delays all responses by $smtpd_error_sleep_time seconds.

· With Postfix versions 2.0 and earlier, the Postfix SMTP server delays all responses by (number of errors) seconds.

The time limit for Postfix SMTP server write and read operations during TLS startup and shutdown handshake procedures. The current default value is stress-dependent. Before Postfix version 2.8, it was fixed at 300s.

This feature is available in Postfix 2.2 and later.

The time limit for sending a Postfix SMTP server response and for receiving a remote SMTP client request. Normally the default limit is 300s, but it changes under overload to just 10s. With Postfix 2.5 and earlier, the SMTP server always uses a time limit of 300s by default.

Note: if you set SMTP time limits to very large values you may have to update the global ipc_timeout parameter.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates. These are loaded into memory before the smtpd(8) server enters the chroot jail. If the number of trusted roots is large, consider using smtpd_tls_CApath instead, but note that the latter directory must be present in the chroot jail if the smtpd(8) server is chrooted. This file may also be used to augment the server certificate trust chain, but it is best to include all the required certificates directly in the server certificate file.

Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY the system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty. If you do make use of client certificates, the distinguished names (DNs) of the Certification Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client in the client certificate request message. MUAs with multiple client certificates may use the list of preferred Certification Authorities to select the correct client certificate. You may want to put your "preferred" CA or CAs in this file, and install other trusted CAs in $smtpd_tls_CApath.

Example:

    smtpd_tls_CAfile = /etc/postfix/CAcert.pem

This feature is available in Postfix 2.2 and later.

A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates. Do not forget to create the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail.

Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to use ONLY the system-supplied default Certification Authority certificates.

Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs and trusting third-party certificates.

By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CApath should remain empty. In contrast to smtpd_tls_CAfile, DNs of Certification Authorities installed in $smtpd_tls_CApath are not included in the client certificate request message. MUAs with multiple client certificates may use the list of preferred Certification Authorities to select the correct client certificate. You may want to put your "preferred" CA or CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in $smtpd_tls_CApath.

Example:

    smtpd_tls_CApath = /etc/postfix/certs

This feature is available in Postfix 2.2 and later.

Force the Postfix SMTP server to issue a TLS session id, even when TLS session caching is turned off (smtpd_tls_session_cache_database is empty). This behavior is compatible with Postfix < 2.3.

With Postfix 2.3 and later the Postfix SMTP server can disable session id generation when TLS session caching is turned off. This keeps remote SMTP clients from caching sessions that almost certainly cannot be re-used.

By default, the Postfix SMTP server always generates TLS session ids. This works around a known defect in mail client applications such as MS Outlook, and may also prevent interoperability issues with other MTAs.

Example:

    smtpd_tls_always_issue_session_ids = no

This feature is available in Postfix 2.3 and later.

Ask a remote SMTP client for a client certificate. This information is needed for certificate based mail relaying with, for example, the permit_tls_clientcerts feature.

Some clients such as Netscape will either complain if no certificate is available (for the list of CAs in $smtpd_tls_CAfile) or will offer multiple client certificates to choose from. This may be annoying, so this option is "off" by default.

This feature is available in Postfix 2.2 and later.

When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections.

This feature is available in Postfix 2.2 and later.

The verification depth for remote SMTP client certificates. A depth of 1 is sufficient if the issuing CA is listed in a local CA file.

The default verification depth is 9 (the OpenSSL default) for compatibility with earlier Postfix behavior. Prior to Postfix 2.5, the default value was 5, but the limit was not actually enforced. If you have set this to a lower non-default value, certificates with longer trust chains may now fail to verify. Certificate chains with 1 or 2 CAs are common, deeper chains are more rare and any number between 5 and 9 should suffice in practice. You can choose a lower number if, for example, you trust certificates directly signed by an issuing CA but not any CAs it delegates to.

This feature is available in Postfix 2.2 and later.

File with the Postfix SMTP server RSA certificate in PEM format. This file may also contain the Postfix SMTP server private RSA key.

Public Internet MX hosts without certificates signed by a "reputable" CA must generate, and be prepared to present to most clients, a self-signed or private-CA signed certificate. The client will not be able to authenticate the server, but unless it is running Postfix 2.3 or similar software, it will still insist on a server certificate.

For servers that are not public Internet MX hosts, Postfix 2.3 supports configurations with no certificates. This entails the use of just the anonymous TLS ciphers, which are not supported by typical SMTP clients. Since such clients will not, as a rule, fall back to plain text after a TLS handshake failure, the server will be unable to receive email from TLS enabled clients. To avoid accidental configurations with no certificates, Postfix 2.3 enables certificate-less operation only when the administrator explicitly sets "smtpd_tls_cert_file = none". This ensures that new Postfix configurations will not accidentally run with no certificates.

Both RSA and DSA certificates are supported. When both types are present, the cipher used determines which certificate will be presented to the client. For Netscape and OpenSSL clients without special cipher choices the RSA certificate is preferred.

To enable a remote SMTP client to verify the Postfix SMTP server certificate, the issuing CA certificates must be made available to the client. You should include the required certificates in the server certificate file, the server certificate first, then the issuing CA(s) (bottom-up order).

Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem".

If you also want to verify client certificates issued by these CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which case it is not necessary to have them in the smtpd_tls_cert_file or smtpd_tls_dcert_file.

A certificate supplied here must be usable as an SSL server certificate and hence pass the "openssl verify -purpose sslserver ..." test.

Example:

    smtpd_tls_cert_file = /etc/postfix/server.pem

This feature is available in Postfix 2.2 and later.

Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher list. It is easy to create interoperability problems by choosing a non-default cipher list. Do not use a non-default TLS cipherlist for MX hosts on the public Internet. Clients that begin the TLS handshake, but are unable to agree on a common cipher, may not be able to send any email to the SMTP server. Using a restricted cipher list may be more appropriate for a dedicated MSA or an internal mailhub, where one can exert some control over the TLS software and settings of the connecting clients.

Note: do not use "" quotes around the parameter value.

This feature is available with Postfix version 2.2. It is not used with Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the base definition of the selected cipher grade. The default value is "medium" for Postfix releases after the middle of 2015, "export" for older releases.

When TLS is mandatory the cipher grade is chosen via the smtpd_tls_mandatory_ciphers configuration parameter, see there for syntax details.

This feature is available in Postfix 2.6 and later. With earlier Postfix releases only the smtpd_tls_mandatory_ciphers parameter is implemented, and opportunistic TLS always uses "export" or better (i.e. all) ciphers.

File with the Postfix SMTP server DSA certificate in PEM format. This file may also contain the Postfix SMTP server private DSA key.

See the discussion under smtpd_tls_cert_file for more details.

Example:

    smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem

This feature is available in Postfix 2.2 and later.

File with DH parameters that the Postfix SMTP server should use with non-export EDH ciphers.

Instead of using the exact same parameter sets as distributed with other TLS packages, it is more secure to generate your own set of parameters with something like the following commands:

    openssl dhparam -out /etc/postfix/dh512.pem 512
    openssl dhparam -out /etc/postfix/dh1024.pem 1024
    openssl dhparam -out /etc/postfix/dh2048.pem 2048

It is safe to share the same DH parameters between multiple Postfix instances. If you prefer, you can generate separate parameters for each instance.

If you want to take maximal advantage of ciphers that offer forward secrecy see the Getting started section of FORWARD_SECRECY_README. The full document conveniently presents all information about Postfix "perfect" forward secrecy support in one place: what forward secrecy is, how to tweak settings, and what you can expect to see when Postfix uses ciphers with forward secrecy.

Example:

    smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

This feature is available with Postfix version 2.2.

File with DH parameters that the Postfix SMTP server should use with export-grade EDH ciphers. The default SMTP server cipher grade is "medium" with Postfix releases after the middle of 2015, and as a result export-grade cipher suites are by default not used.

See also the discussion under the smtpd_tls_dh1024_param_file configuration parameter.

Example:

    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

This feature is available with Postfix version 2.2.

File with the Postfix SMTP server DSA private key in PEM format. This file may be combined with the Postfix SMTP server DSA certificate file specified with $smtpd_tls_dcert_file.

The private key must be accessible without a pass-phrase, i.e. it must not be encrypted. File permissions should grant read-only access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.2 and later.

File with the Postfix SMTP server ECDSA certificate in PEM format. This file may also contain the Postfix SMTP server private ECDSA key.

See the discussion under smtpd_tls_cert_file for more details.

Example:

    smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem

This feature is available in Postfix 2.6 and later, when Postfix is compiled and linked with OpenSSL 1.0.0 or later.

File with the Postfix SMTP server ECDSA private key in PEM format. This file may be combined with the Postfix SMTP server ECDSA certificate file specified with $smtpd_tls_eccert_file.

The private key must be accessible without a pass-phrase, i.e. it must not be encrypted. File permissions should grant read-only access to the system superuser account ("root"), and no access to anyone else.

This feature is available in Postfix 2.6 and later, when Postfix is compiled and linked with OpenSSL 1.0.0 or later.

The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange.

The available choices are:

none
    Don't use EECDH. Ciphers based on EECDH key exchange will be disabled. This is the default in Postfix versions 2.6 and 2.7.

strong
    Use EECDH with approximately 128 bits of security at a reasonable computational cost. This is the current best-practice trade-off between security and computational efficiency. This is the default in Postfix version 2.8 and later.

ultra
    Use EECDH with approximately 192 bits of security at computational cost that is approximately twice as high as 128 bit strength ECC. Barring significant progress in attacks on elliptic curve crypto-systems, the "strong" curve is sufficient for most users.

auto
    Use the most preferred curve that is supported by both the client and the server. This setting requires Postfix >= 3.2 compiled and linked with OpenSSL >= 1.0.2. This is the default setting under the above conditions.

If you want to take maximal advantage of ciphers that offer forward secrecy see the Getting started section of FORWARD_SECRECY_README. The full document conveniently presents all information about Postfix "perfect" forward secrecy support in one place: what forward secrecy is, how to tweak settings, and what you can expect to see when Postfix uses ciphers with forward secrecy.

This feature is available in Postfix 2.6 and later, when it is compiled and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms have not been disabled by the vendor.

List of ciphers or cipher types to exclude from the SMTP server cipher list at all TLS security levels. Excluding valid ciphers can create interoperability problems. DO NOT exclude ciphers unless it is essential to do so. This is not an OpenSSL cipherlist; it is a simple list separated by whitespace and/or commas. The elements are a single cipher, or one or more "+" separated cipher properties, in which case only ciphers matching all the properties are excluded.

Examples (some of these will cause problems):

    smtpd_tls_exclude_ciphers = aNULL
    smtpd_tls_exclude_ciphers = MD5, DES
    smtpd_tls_exclude_ciphers = DES+MD5
    smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    smtpd_tls_exclude_ciphers = kEDH+aRSA

The first setting disables anonymous ciphers. The next setting disables ciphers that use the MD5 digest algorithm or the (single) DES encryption algorithm. The next setting disables ciphers that use MD5 and DES together. The next setting disables the two ciphers "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key exchange with RSA authentication.

This feature is available in Postfix 2.3 and later.

The message digest algorithm to construct remote SMTP client-certificate fingerprints or public key fingerprints (Postfix 2.9 and later) for check_ccert_access and permit_tls_clientcerts. The default algorithm is md5, for backwards compatibility with Postfix releases prior to 2.5.

Advances in hash function cryptanalysis have led to md5 being deprecated in favor of sha1. However, as long as there are no known "second pre-image" attacks against md5, its use in this context can still be considered safe.

While additional digest algorithms are often available with OpenSSL's libcrypto, only those used by libssl in SSL cipher suites are available to Postfix.

To find the fingerprint of a specific certificate file, with a specific digest algorithm, run:

    $ openssl x509 -noout -fingerprint -digest -in certfile.pem

The text to the right of the "=" sign is the desired fingerprint. For example:

    $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
    SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A

To extract the public key fingerprint from an X.509 certificate, you need to extract the public key from the certificate and compute the appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509" command extracts the public key always in "PEM" format. We pipe the result to another OpenSSL command that converts the key to DER and then to the "dgst" command to compute the fingerprint.

The actual command to transform the key to DER format depends on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is used.

    # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
    $ openssl x509 -in cert.pem -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha1 -c
    (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58

    # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
    $ openssl x509 -in cert.pem -noout -pubkey |
        openssl rsa -pubin -outform DER |
        openssl dgst -md5 -c
    (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50

The Postfix SMTP server and client log the peer (leaf) certificate fingerprint and public key fingerprint when the TLS loglevel is 2 or higher.

Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or later.

Example: client-certificate access table, with sha1 fingerprints:

    /etc/postfix/main.cf:
        smtpd_tls_fingerprint_digest = sha1
        smtpd_client_restrictions =
            check_ccert_access hash:/etc/postfix/access,
            reject
    /etc/postfix/access:
        # Action folded to next line...
        AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
            OK
        85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
            permit_auth_destination

This feature is available in Postfix 2.5 and later.

File with the Postfix SMTP server RSA private key in PEM format. This file may be combined with the Postfix SMTP server RSA certificate file specified with $smtpd_tls_cert_file.

The private key must be accessible without a pass-phrase, i.e. it must not be encrypted. File permissions should grant read-only access to the system superuser account ("root"), and no access to anyone else.

10559 Enable additional Postfix SMTP server logging of TLS activity. Each
10560 logging level also includes the information that is logged at a lower
10561 logging level.
10562
10563 0 Disable logging of TLS activity.
10564
10565 1 Log only a summary message on TLS handshake completion - no
10566 logging of client certificate trust-chain verification errors if
10567 client certificate verification is not required. With Postfix
10568 2.8 and earlier, log the summary message, peer certificate
10569 summary information and unconditionally log trust-chain
10570 verification errors.
10571
10572 2 Also log levels during TLS negotiation.
10573
10574 3 Also log hexadecimal and ASCII dump of TLS negotiation
10575 process.
10576
10577 4 Also log hexadecimal and ASCII dump of complete transmission
10578 after STARTTLS.
10579
10580 Do not use "smtpd_tls_loglevel = 2" or higher except in case of
10581 problems. Use of loglevel 4 is strongly discouraged.
10582
10583 This feature is available in Postfix 2.2 and later.
10584
10586 The minimum TLS cipher grade that the Postfix SMTP server will use with
10587 mandatory TLS encryption. The default grade ("medium") is sufficiently
10588 strong that any benefit from globally restricting TLS sessions to a
10589 more stringent grade is likely negligible, especially given the fact
10590 that many implementations still do not offer any stronger ("high"
10591 grade) ciphers, while those that do, will always use "high" grade
10592 ciphers. So insisting on "high" grade ciphers is generally
10593 counter-productive. Allowing "export" or "low" ciphers is typically not a good
10594 idea, as systems limited to just these are limited to obsolete
10595 browsers. No known SMTP clients fail to support at least one "medium"
10596 or "high" grade cipher.
10597
10598 The following cipher grades are supported:
10599
10600 export Enable "EXPORT" grade or stronger OpenSSL ciphers. The
10601 underlying cipherlist is specified via the tls_export_cipherlist
10602 configuration parameter, which you are strongly encouraged to not
10603 change. This choice is insecure and SHOULD NOT be used.
10604
10605 low Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
10606 cipherlist is specified via the tls_low_cipherlist configuration
10607 parameter, which you are strongly encouraged to not change.
10608 This choice is insecure and SHOULD NOT be used.
10609
10610 medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
10611 128-bit or longer symmetric bulk-encryption keys. This is the
10612 default minimum strength for mandatory TLS encryption. The
10613 underlying cipherlist is specified via the tls_medium_cipherlist
10614 configuration parameter, which you are strongly encouraged to
10615 not change.
10616
10617 high Enable only "HIGH" grade OpenSSL ciphers. The underlying
10618 cipherlist is specified via the tls_high_cipherlist
10619 configuration parameter, which you are strongly encouraged to not change.
10620
10621 null Enable only the "NULL" OpenSSL ciphers; these provide
10622 authentication without encryption. This setting is only appropriate in
10623 the rare case that all clients are prepared to use NULL ciphers
10624 (not normally enabled in TLS clients). The underlying cipherlist
10625 is specified via the tls_null_cipherlist configuration
10626 parameter, which you are strongly encouraged to not change.
10627
10628 Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
10629 smtpd_tls_exclude_ciphers are excluded from the base definition of the
10630 selected cipher grade. See smtpd_tls_ciphers for cipher controls that
10631 apply to opportunistic TLS.
10632
10633 The underlying cipherlists for grades other than "null" include
10634 anonymous ciphers, but these are automatically filtered out if the server is
10635 configured to ask for remote SMTP client certificates. You are very
10636 unlikely to need to take any steps to exclude anonymous ciphers; they
10637 are excluded automatically as required. If you must exclude anonymous
10638 ciphers even when Postfix does not need or use peer certificates, set
10639 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
10640 when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
10641 aNULL".
10642
10643 This feature is available in Postfix 2.3 and later.
10644
10646 Additional list of ciphers or cipher types to exclude from the Postfix
10647 SMTP server cipher list at mandatory TLS security levels. This list
10648 works in addition to the exclusions listed with
10649 smtpd_tls_exclude_ciphers (see there for syntax details).
10650
10651 This feature is available in Postfix 2.3 and later.
10652
10654 The SSL/TLS protocols accepted by the Postfix SMTP server with
10655 mandatory TLS encryption. If the list is empty, the server supports all
10656 available SSL/TLS protocol versions. A non-empty value is a list of
10657 protocol names separated by whitespace, commas or colons. The
10658 supported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not
10659 case sensitive. The default value is "!SSLv2, !SSLv3" for Postfix
10660 releases after the middle of 2015, "!SSLv2" for older releases.
10661
10662 With Postfix >= 2.5 the parameter syntax was expanded to support
10663 protocol exclusions. One can explicitly exclude "SSLv2" by setting
10664 "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
10665 "SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
10666 the protocols to include, rather than protocols to exclude, is
10667 supported, but not recommended. The exclusion form more closely matches
10668 the underlying OpenSSL interface semantics.
10669
10670 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
10671 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
10672 later, these, or any other new protocol versions, cannot be disabled.
10673 The latest patch levels of Postfix >= 2.6, and all versions of Postfix
10674 >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
10675
10676 Example:
10677
10678 # Preferred syntax with Postfix >= 2.5:
10679 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
10680 # Legacy syntax:
10681 smtpd_tls_mandatory_protocols = TLSv1
10682
10683 This feature is available in Postfix 2.3 and later.
10684
10686 List of TLS protocols that the Postfix SMTP server will exclude or
10687 include with opportunistic TLS encryption. The default value is
10688 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, empty
10689 for older releases allowing all protocols to be used with opportunistic
10690 TLS. A non-empty value is a list of protocol names separated by
10691 whitespace, commas or colons. The supported protocol names are "SSLv2",
10692 "SSLv3" and "TLSv1", and are not case sensitive.
10693
10694 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
10695 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
10696 of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
10697
10698 To include a protocol, list its name; to exclude it, prefix the name
10699 with a "!" character. To exclude SSLv2 for opportunistic TLS set
10700 "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
10701 "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the
10702 protocols to include, rather than protocols to exclude, is supported, but
10703 not recommended. The exclusion form more closely matches the
10704 underlying OpenSSL interface semantics.
10705
10706 Example:
10707 smtpd_tls_protocols = !SSLv2, !SSLv3
10708
10709 This feature is available in Postfix 2.6 and later.
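As an added example (not part of the postconf(5) manual or of the Postfix source) covering both smtpd_tls_mandatory_protocols and smtpd_tls_protocols, the following Python function models how a protocol list in the syntax described above selects protocol versions, and makes the recommendation concrete: with the exclusion form, a protocol version that appears in a later OpenSSL release stays enabled, whereas the legacy inclusion form silently locks it out. The selection semantics (separators, case folding, "!" prefix, "only the listed ones when any name is included, otherwise everything minus the exclusions") are this example's model of the parameter, and the "available" tuple is a constructed stand-in for what the linked OpenSSL library offers.

```python
import re
from typing import FrozenSet, Sequence

# Protocol names this example knows about: the three the manual names plus
# the two it says OpenSSL 1.0.1 added.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def enabled_protocols(value: str,
                      available: Sequence[str] = KNOWN_PROTOCOLS) -> FrozenSet[str]:
    """Model of how a Postfix protocol list picks the versions to enable.

    - names are separated by whitespace, commas or colons and are matched
      case-insensitively against the names in `available`;
    - "!name" excludes a version, a bare name includes it;
    - an empty list enables every available version;
    - if any version is explicitly included, only the included ones are
      enabled (minus exclusions); otherwise everything available is enabled
      minus the exclusions.
    Unknown names raise ValueError in this model (Postfix's own handling of
    an unknown name is not modelled here)."""
    canonical = {name.lower(): name for name in available}
    include, exclude = set(), set()
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue
        negate = token.startswith("!")
        name = token[1:] if negate else token
        canon = canonical.get(name.lower())
        if canon is None:
            raise ValueError(f"unknown protocol name: {name!r}")
        (exclude if negate else include).add(canon)
    base = set(include) if include else set(available)
    return frozenset(base - exclude)


if __name__ == "__main__":
    # "TLSv1.3" here is a constructed stand-in for a version that a newer
    # OpenSSL adds after the main.cf entry was written.
    newer_openssl = KNOWN_PROTOCOLS + ("TLSv1.3",)
    for setting in ("!SSLv2, !SSLv3", "TLSv1"):
        print(f"{setting!r:20} today: {sorted(enabled_protocols(setting))}")
        print(f"{'':20} later: {sorted(enabled_protocols(setting, newer_openssl))}")
```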
10710
10712 Request that the Postfix SMTP server produce Received: message
10713 headers that include information about the protocol and cipher used, as
10714 well as the remote SMTP client CommonName and client certificate issuer
10715 CommonName. This is disabled by default, as the information may be
10716 modified in transit through other mail servers. Only information that
10717 was recorded by the final destination can be trusted.
10718
10719 This feature is available in Postfix 2.2 and later.
10720
10722 With mandatory TLS encryption, require a trusted remote SMTP client
10723 certificate in order to allow TLS connections to proceed. This option
10724 implies "smtpd_tls_ask_ccert = yes".
10725
10726 When TLS encryption is optional, this setting is ignored with a warning
10727 written to the mail log.
10728
10729 This feature is available in Postfix 2.2 and later.
10730
10732 The SMTP TLS security level for the Postfix SMTP server; when a
10733 non-empty value is specified, this overrides the obsolete parameters
10734 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
10735 "smtpd_tls_wrappermode = yes".
10736
10737 Specify one of the following security levels:
10738
10739 none TLS will not be used.
10740
10741 may Opportunistic TLS: announce STARTTLS support to remote SMTP
10742 clients, but do not require that clients use TLS encryption.
10743
10744 encrypt
10745 Mandatory TLS encryption: announce STARTTLS support to remote
10746 SMTP clients, and require that clients use TLS encryption.
10747 According to RFC 2487 this MUST NOT be applied in case of a
10748 publicly-referenced SMTP server. Instead, this option should be
10749 used only on dedicated servers.
10750
10751 Note 1: the "fingerprint", "verify" and "secure" levels are not
10752 supported here. The Postfix SMTP server logs a warning and uses "encrypt"
10753 instead. To verify remote SMTP client certificates, see TLS_README for
10754 a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and
10755 permit_tls_clientcerts features.
10756
10757 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
10758 implies "smtpd_tls_auth_only = yes".
10759
10760 Note 3: when invoked via "sendmail -bs", Postfix will never offer
10761 STARTTLS due to insufficient privileges to access the server private
10762 key. This is intended behavior.
10763
10764 This feature is available in Postfix 2.3 and later.
10765
10767 Name of the file containing the optional Postfix SMTP server TLS
10768 session cache. Specify a database type that supports enumeration, such as
10769 btree or sdbm; there is no need to support concurrent access. The file
10770 is created if it does not exist. The smtpd(8) daemon does not use this
10771 parameter directly; rather, the cache is implemented indirectly in the
10772 tlsmgr(8) daemon. This means that per-smtpd-instance master.cf
10773 overrides of this parameter are not effective. Note that each of the cache
10774 databases supported by the tlsmgr(8) daemon ($smtpd_tls_session_cache_database,
10775 $smtp_tls_session_cache_database and, with Postfix 2.3 and later,
10776 $lmtp_tls_session_cache_database) needs to be stored separately. It is
10777 not at this time possible to store multiple caches in a single
10778 database.
10779
10780 Note: dbm databases are not suitable. TLS session objects are too
10781 large.
10782
10783 As of version 2.5, Postfix no longer uses root privileges when opening
10784 this file. The file should now be stored under the Postfix-owned
10785 data_directory. As a migration aid, an attempt to open the file under a
10786 non-Postfix directory is redirected to the Postfix-owned
10787 data_directory, and a warning is logged.
10788
10789 As of Postfix 2.11 the preferred mechanism for session resumption is
10790 RFC 5077 TLS session tickets, which don't require server-side storage.
10791 Consequently, for Postfix >= 2.11 this parameter should generally be
10792 left empty. TLS session tickets require an OpenSSL library (at least
10793 version 0.9.8h) that provides full support for this TLS extension. See
10794 also smtpd_tls_session_cache_timeout.
10795
10796 Example:
10797
10798 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
10799
10800 This feature is available in Postfix 2.2 and later.
10801
10803 The expiration time of Postfix SMTP server TLS session cache
10804 information. A cache cleanup is performed periodically every
10805 $smtpd_tls_session_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
10806 this parameter is implemented in the tlsmgr(8) daemon and therefore
10807 per-smtpd-instance master.cf overrides are not possible.
10808
10809 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
10810 session caching is disabled, not just via the database, but also via
10811 RFC 5077 TLS session tickets, which don't require server-side storage.
10812 If set to a positive value less than 2 minutes, the minimum value of 2
10813 minutes is used instead. TLS session tickets require an OpenSSL
10814 library (at least version 0.9.8h) that provides full support for this
10815 TLS extension.
10816
10817 This feature is available in Postfix 2.2 and later, and updated for TLS
10818 session ticket support in Postfix 2.11.
10819
10821 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
10822 of using the STARTTLS command.
10823
10824 If you want to support this service, enable a special port in
10825 master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
10826 command line. Port 465 (smtps) was once chosen for this purpose.
10827
10828 This feature is available in Postfix 2.2 and later.
10829
10831 The name of the proxy protocol used by an optional before-smtpd proxy
10832 agent. When a proxy agent is used, this protocol conveys local and
10833 remote address and port information. Specify
10834 "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy
10835 protocol.
10836
10837 NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
10838 with smtpd_authorized_xclient_hosts. This supports SASL authentication
10839 in the proxy agent (Postfix 2.9 and later).
10840
10841 This feature is available in Postfix 2.10 and later.
10842
10844 The time limit for the proxy protocol specified with the
10845 smtpd_upstream_proxy_protocol parameter.
10846
10847 This feature is available in Postfix 2.10 and later.
10848
10850 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
10851 but do not require that clients use TLS encryption.
10852
10853 Note: when invoked via "sendmail -bs", Postfix will never offer
10854 STARTTLS due to insufficient privileges to access the server private key.
10855 This is intended behavior.
10856
10857 This feature is available in Postfix 2.2 and later. With Postfix 2.3
10858 and later use smtpd_tls_security_level instead.
10859
10861 Detect that a message requires SMTPUTF8 support for the specified mail
10862 origin classes. This is a workaround to avoid chicken-and-egg problems
10863 during the initial SMTPUTF8 roll-out in environments with pre-existing
10864 mail flows that contain UTF8. Those mail flows should not break because
10865 Postfix suddenly refuses to deliver such mail to down-stream MTAs that
10866 don't announce SMTPUTF8 support.
10867
10868 The problem is that Postfix cannot rely solely on the sender's
10869 declaration that a message requires SMTPUTF8 support, because UTF8 may be
10870 introduced during local processing (for example, the client hostname in
10871 Postfix's Received: header, adding @$myorigin or .$mydomain to an
10872 incomplete address, address rewriting, alias expansion, automatic BCC
10873 recipients, local forwarding, and changes made by header checks or
10874 Milter applications).
10875
10876 For now, the default is to enable "SMTPUTF8 required" autodetection
10877 only for Postfix sendmail command-line submissions and address
10878 verification probes. This may change once SMTPUTF8 support achieves world
10879 domination. However, sites that add UTF8 content via local processing
10880 (see above) should autodetect the need for SMTPUTF8 support for all
10881 email.
10882
10883 Specify one or more of the following:
10884
10885 sendmail
10886 Submission with the Postfix sendmail(1) command.
10887
10888 smtpd Mail received with the smtpd(8) daemon.
10889
10890 qmqpd Mail received with the qmqpd(8) daemon.
10891
10892 forward
10893 Local forwarding or aliasing. When a message is received with
10894 "SMTPUTF8 required", then the forwarded (aliased) message always
10895 has "SMTPUTF8 required".
10896
10897 bounce
10898 Submission by the bounce(8) daemon. When a message is received
10899 with "SMTPUTF8 required", then the delivery status notification
10900 always has "SMTPUTF8 required".
10901
10902 notify
10903 Postmaster notification from the smtp(8) or smtpd(8) daemon.
10904
10905 verify
10906 Address verification probe from the verify(8) daemon.
10907
10908 all Enable SMTPUTF8 autodetection for all mail.
10909
10910 This feature is available in Postfix 3.0 and later.
10911
10913 Enable preliminary SMTPUTF8 support for the protocols described in RFC
10914 6531..6533. This requires that Postfix is built to support these
10915 protocols.
10916
10917 This feature is available in Postfix 3.0 and later.
10918
10920 Safety net to keep mail queued that would otherwise be returned to the
10921 sender. This parameter disables locally-generated bounces, changes the
10922 handling of negative responses from remote servers, content filters or
10923 plugins, and prevents the Postfix SMTP server from rejecting mail
10924 permanently by changing 5xx reply codes into 4xx. However, soft_bounce is
10925 no cure for address rewriting mistakes or mail routing mistakes.
10926
10927 Note: "soft_bounce = yes" is in some cases implemented by modifying
10928 server responses. Therefore, the response that Postfix logs may differ
10929 from the response that Postfix actually sends or receives.
10930
10931 Example:
10932
10933 soft_bounce = yes
10934
10936 The time after which a stale exclusive mailbox lockfile is removed.
10937 This is used for delivery to file or mailbox.
10938
10939 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
10940 The default time unit is s (seconds).
10941
10943 This feature is documented in the STRESS_README document.
10944
10945 This feature is available in Postfix 2.5 and later.
10946
10948 Reject mail with 8-bit text in message headers. This blocks mail from
10949 poorly written applications.
10950
10951 This feature should not be enabled on a general purpose mail server,
10952 because it is likely to reject legitimate email.
10953
10954 This feature is available in Postfix 2.0 and later.
10955
10957 Enable both strict_7bit_headers and strict_8bitmime_body.
10958
10959 This feature should not be enabled on a general purpose mail server,
10960 because it is likely to reject legitimate email.
10961
10962 This feature is available in Postfix 2.0 and later.
10963
10965 Reject 8-bit message body text without 8-bit MIME content encoding
10966 information. This blocks mail from poorly written applications.
10967
10968 Unfortunately, this also rejects majordomo approval requests when the
10969 included request contains valid 8-bit MIME mail, and it rejects bounces
10970 from mailers that do not MIME encapsulate 8-bit content (for example,
10971 bounces from qmail or from old versions of Postfix).
10972
10973 This feature should not be enabled on a general purpose mail server,
10974 because it is likely to reject legitimate email.
10975
10976 This feature is available in Postfix 2.0 and later.
10977
10979 Defer delivery when a mailbox file is not owned by its recipient. The
10980 default setting is not backwards compatible.
10981
10982 This feature is available in Postfix 2.5.3 and later.
10983
10985 Reject mail with invalid Content-Transfer-Encoding: information for the
10986 message/* or multipart/* MIME content types. This blocks mail from
10987 poorly written software.
10988
10989 This feature should not be enabled on a general purpose mail server,
10990 because it will reject mail after a single violation.
10991
10992 This feature is available in Postfix 2.0 and later.
10993
10995 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
10996 are enclosed with <>, and that those addresses do not contain RFC 822
10997 style comments or phrases. This stops mail from poorly written
10998 software.
10999
11000 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
11001 and RCPT TO addresses.
11002
11004 Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
11005 server accepts UTF8 sender or recipient addresses only when the client
11006 requests an SMTPUTF8 mail transaction.
11007
11008 This feature is available in Postfix 3.0 and later.
11009
11011 Obsolete SUN mailtool compatibility feature. Instead, use
11012 "mailbox_delivery_lock = dotlock".
11013
11015 Enable the rewriting of "site!user" into "user@site". This is neces‐
11016 sary if your machine is connected to UUCP networks. It is enabled by
11017 default.
11018
11019 Note: with Postfix version 2.2, message header address rewriting
11020 happens only when one of the following conditions is true:
11021
11022 · The message is received with the Postfix sendmail(1) command,
11023
11024 · The message is received from a network client that matches
11025 $local_header_rewrite_clients,
11026
11027 · The message is received from the network, and the
11028 remote_header_rewrite_domain parameter specifies a non-empty
11029 value.
11030
11031 To get the behavior before Postfix version 2.2, specify
11032 "local_header_rewrite_clients = static:all".
11033
11034 Example:
11035
11036 swap_bangpath = no
11037
11039 The syslog facility of Postfix logging. Specify a facility as defined
11040 in syslog.conf(5). The default facility is "mail".
11041
11042 Warning: a non-default syslog_facility setting takes effect only after
11043 a Postfix process has completed initialization. Errors during process
11044 initialization will be logged with the default facility. Examples are
11045 errors while parsing the command line arguments, and errors while
11046 accessing the Postfix main.cf configuration file.
11047
11049 A prefix that is prepended to the process name in syslog records, so
11050 that, for example, "smtpd" becomes "prefix/smtpd".
11051
11052 Warning: a non-default syslog_name setting takes effect only after a
11053 Postfix process has completed initialization. Errors during process
11054 initialization will be logged with the default name. Examples are
11055 errors while parsing the command line arguments, and errors while
11056 accessing the Postfix main.cf configuration file.
11057
11059 An optional workaround for routers that break TCP window scaling.
11060 Specify a value > 0 and < 65536 to enable this feature. With Postfix
11061 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
11062 Postfix master(8) daemon.
11063
11064 To change this parameter without stopping Postfix, you need to first
11065 terminate all Postfix TCP servers:
11066
11067 # postconf -e master_service_disable=inet
11068 # postfix reload
11069
11070 This immediately terminates all processes that accept network
11071 connections. Next, you enable Postfix TCP servers with the updated
11072 tcp_windowsize setting:
11073
11074 # postconf -e tcp_windowsize=65535 master_service_disable=
11075 # postfix reload
11076
11077 If you skip these steps with a running Postfix system, then the
11078 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
11079 lmtp(8)).
11080
11081 This feature is available in Postfix 2.6 and later.
11082
11084 Append the system-supplied default Certification Authority certificates
11085 to the ones specified with *_tls_CApath or *_tls_CAfile. The default
11086 is "no"; this prevents Postfix from trusting third-party certificates
11087 and giving them relay permission with permit_tls_all_clientcerts.
11088
11089 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
11090 later versions. Specify "tls_append_default_CA = yes" for backwards
11091 compatibility, to avoid breaking certificate verification with sites
11092 that don't use permit_tls_all_clientcerts.
11093
11095 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
11096 requests from the tlsmgr(8) server in order to seed its internal pseudo
11097 random number generator (PRNG). The default of 32 bytes (equivalent to
11098 256 bits) is sufficient to generate a 128bit (or 168bit) session key.
11099
11100 This feature is available in Postfix 2.2 and later.
11101
11103 Configure RFC7671 DANE TLSA digest algorithm agility. Do not change
11104 this setting from its default value.
11105
11106 See Section 8 of RFC7671 for correct key rotation procedures.
11107
11108 This feature is available in Postfix 2.11 through 3.1. Postfix 3.2 and
11109 later ignore this configuration parameter and behave as though it were
11110 set to "on".
11111
11113 DANE TLSA (RFC 6698, RFC 7671, RFC 7672) resource-record "matching
11114 type" digest algorithms in descending preference order. All the
11115 specified algorithms must be supported by the underlying OpenSSL library,
11116 otherwise the Postfix SMTP client will not support DANE TLSA security.
11117
11118 Specify a list of digest names separated by commas and/or whitespace.
11119 Each digest name may be followed by an optional "=<number>" suffix.
11120 For example, "sha512" may instead be specified as "sha512=2" and
11121 "sha256" may instead be specified as "sha256=1". The optional number
11122 must match the IANA-assigned TLSA matching type number of the algorithm
11123 in question (see
11124 https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types).
11125 Postfix will check this constraint for the algorithms it knows about.
11126 Additional matching type algorithms registered with IANA can be added
11127 with explicit numbers provided they are supported by OpenSSL.
11128
11129 Invalid list elements are logged with a warning and disable DANE
11130 support. TLSA RRs that specify digests not included in the list are
11131 ignored with a warning.
11132
11133 Note: It is unwise to omit sha256 from the digest list. This digest
11134 algorithm is the only mandatory-to-implement digest algorithm in RFC
11135 6698, and many servers are expected to publish TLSA records with just
11136 sha256 digests. Unless one of the standard digests is seriously
11137 compromised and servers have had ample time to update their TLSA records,
11138 you should not omit any standard digests; just arrange them in order
11139 from strongest to weakest.
11140
11141 This feature is available in Postfix 2.11 and later.
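As an added example (not part of the postconf(5) manual or of the Postfix source), the following Python code parses a tls_dane_digests value as described above, enforces the "=<number>" constraint against the IANA matching-type numbers for the digests it knows (1 = SHA2-256, 2 = SHA2-512, per RFC 6698), and then applies the resulting list to a constructed set of TLSA records so that the "ignored with a warning" rule for unlisted digests can be seen on data. A ValueError stands in for Postfix's "log a warning and disable DANE" behaviour; the assumption that a matching type 0 ("Full", no digest) record is unaffected by the digest list is this example's, not the manual's.

```python
import re
from typing import List, Tuple

# IANA TLSA matching-type numbers for the digests the example knows about.
IANA_MATCHING_TYPES = {"sha256": 1, "sha512": 2}
FULL_MATCH = 0  # matching type 0 carries the full object, not a digest

TlsaRecord = Tuple[int, int, int, str]  # (usage, selector, matching type, data)


def parse_dane_digests(spec: str) -> List[Tuple[str, int]]:
    """Parse a tls_dane_digests value into [(name, matching_type), ...] in
    the order given, which is the preference order.

    A known digest may carry "=<number>" only if the number is its IANA
    matching type; an unknown digest needs an explicit number (this example
    assumes OpenSSL supports it). Any other element is invalid."""
    digests = []
    for elem in re.split(r"[\s,]+", spec.strip()):
        if not elem:
            continue
        m = re.fullmatch(r"([A-Za-z0-9-]+)(?:=(\d+))?", elem)
        if not m:
            raise ValueError(f"invalid tls_dane_digests element: {elem!r}")
        name, number = m.group(1).lower(), m.group(2)
        known = IANA_MATCHING_TYPES.get(name)
        if number is None:
            if known is None:
                raise ValueError(f"digest {name!r} needs an explicit =<number>")
            mtype = known
        else:
            mtype = int(number)
            if known is not None and mtype != known:
                raise ValueError(
                    f"{name}={mtype} contradicts IANA matching type {known}")
        digests.append((name, mtype))
    return digests


def is_valid_digest_list(spec: str) -> bool:
    """True when the value would not disable DANE support in this model."""
    try:
        parse_dane_digests(spec)
        return True
    except ValueError:
        return False


def usable_tlsa_records(records: List[TlsaRecord],
                        digests: List[Tuple[str, int]]):
    """Split TLSA records into (kept, ignored): a record whose matching type
    is a digest not in the configured list is ignored."""
    allowed = {FULL_MATCH} | {mtype for _, mtype in digests}
    kept, ignored = [], []
    for rr in records:
        (kept if rr[2] in allowed else ignored).append(rr)
    return kept, ignored


if __name__ == "__main__":
    # Constructed TLSA records; the data fields are placeholders, not real digests.
    sample = [(3, 1, 1, "<sha256-of-spki>"), (3, 1, 2, "<sha512-of-spki>"),
              (2, 0, 1, "<sha256-of-ta-cert>"), (3, 0, 0, "<full-cert>")]
    for value in ("sha512 sha256", "sha256", "sha256=2"):
        if not is_valid_digest_list(value):
            print(f"{value!r}: invalid, DANE would be disabled")
            continue
        kept, ignored = usable_tlsa_records(sample, parse_dane_digests(value))
        print(f"{value!r}: kept {len(kept)}, ignored {len(ignored)}")
```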
11142
11144 Enable support for RFC 6698 (DANE TLSA) DNS records that contain
11145 digests of trust-anchors with certificate usage "2". Do not change
11146 this setting from its default value.
11147
11148 This feature is available in Postfix 2.11 through 3.1. It has been
11149 withdrawn in Postfix 3.2, as trust-anchor TLSA records are now widely
11150 used and have proved sufficiently reliable. Postfix 3.2 and later
11151 ignore this configuration parameter and behave as though it were set
11152 to "yes".
11153
11155 List or bit-mask of OpenSSL bug work-arounds to disable.
11156
11157 The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
11158 implementations. Applications, such as Postfix, that want to maximize
11159 interoperability ask the OpenSSL library to enable the full set of
11160 recommended work-arounds.
11161
11162 From time to time, it is discovered that a work-around creates a
11163 security issue, and should no longer be used. If upgrading OpenSSL to a
11164 fixed version is not an option or an upgrade is not available in a
11165 timely manner, or in closed environments where no buggy clients or
11166 servers exist, it may be appropriate to disable some or all of the
11167 OpenSSL interoperability work-arounds. This parameter specifies which
11168 bug work-arounds to disable.
11169
11170 If the value of the parameter is a hexadecimal long integer starting
11171 with "0x", the bug work-arounds corresponding to the bits specified in
11172 its value are removed from the SSL_OP_ALL work-around bit-mask (see
11173 openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more bits
11174 than are present in SSL_OP_ALL, excess bits are ignored. Specifying
11175 0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
11176 also be sufficient on 64-bit systems, until OpenSSL abandons support
11177 for 32-bit systems and starts using the high 32 bits of a 64-bit
11178 bug-workaround mask.
11179
11180 Otherwise, the parameter is a white-space or comma separated list of
11181 specific named bug work-arounds chosen from the list below. It is
11182 possible that your OpenSSL version includes new bug work-arounds added
11183 after your Postfix source code was last updated; in that case you can
11184 only disable one of these via the hexadecimal syntax above.
11185
11186 MICROSOFT_SESS_ID_BUG
11187 See SSL_CTX_set_options(3)
11188
11189 NETSCAPE_CHALLENGE_BUG
11190 See SSL_CTX_set_options(3)
11191
11192 LEGACY_SERVER_CONNECT
11193 See SSL_CTX_set_options(3)
11194
11195 NETSCAPE_REUSE_CIPHER_CHANGE_BUG
11196 also aliased as CVE-2010-4180. Postfix 2.8 disables this
11197 work-around by default with OpenSSL versions that may predate
11198 the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
11199
11200 SSLREF2_REUSE_CERT_TYPE_BUG
11201 See SSL_CTX_set_options(3)
11202
11203 MICROSOFT_BIG_SSLV3_BUFFER
11204 See SSL_CTX_set_options(3)
11205
11206 MSIE_SSLV2_RSA_PADDING
11207 also aliased as CVE-2005-2969. Postfix 2.8 disables this
11208 work-around by default with OpenSSL versions that may predate
11209 the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
11210
11211 SSLEAY_080_CLIENT_DH_BUG
11212 See SSL_CTX_set_options(3)
11213
11214 TLS_D5_BUG
11215 See SSL_CTX_set_options(3)
11216
11217 TLS_BLOCK_PADDING_BUG
11218 See SSL_CTX_set_options(3)
11219
11220 TLS_ROLLBACK_BUG
11221 See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7
11222 and later. Nobody should still be using 0.9.6!
11223
11224 DONT_INSERT_EMPTY_FRAGMENTS
11225 See SSL_CTX_set_options(3)
11226
11227 CRYPTOPRO_TLSEXT_BUG
11228 New with GOST support in OpenSSL 1.0.0.
11229
11230 This feature is available in Postfix 2.8 and later.
11231
11233 The prioritized list of elliptic curves supported by the Postfix SMTP
11234 client and server. These curves are used by the Postfix SMTP server
11235 when "smtpd_tls_eecdh_grade = auto". The selected curves must be
11236 implemented by OpenSSL and be standardized for use in TLS (RFC 4492 or
11237 its imminent successor). It is unwise to list only "bleeding-edge"
11238 curves supported by a small subset of clients. The default list is
11239 suitable for most users.
11240
11241 Postfix skips curve names that are unknown to OpenSSL, or that are
11242 known but not yet implemented. This makes it possible to "anticipate"
11243 support for curves that should be used once they become available. In
11244 particular, in some OpenSSL versions, the new RFC 8031 curves "X25519"
11245 and "X448" may be known by name, but ECDH support for either or both
11246 may be missing. These curves may appear in the default value of this
11247 parameter, even though they'll only be usable with later versions of
11248 OpenSSL.
11249
11250 This feature is available in Postfix 3.2 and later, when it is compiled
11251 and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
11252 have not been disabled by the vendor.
11253
11255 The elliptic curve used by the Postfix SMTP server for sensibly strong
11256 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11257 server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
11258 strong" means approximately 128-bit security based on best known
11259 attacks. The selected curve must be implemented by OpenSSL (as reported
11260 by ecparam(1) with the "-list_curves" option) and be one of the curves
11261 listed in Section 5.1.1 of RFC 4492. You should not generally change
11262 this setting. Remote SMTP client implementations must support this
11263 curve for EECDH key exchange to take place. It is unwise to choose a
11264 "bleeding-edge" curve supported by only a small subset of clients.
11265
11266 The default "strong" curve is rated in NSA Suite B for information
11267 classified up to SECRET.
11268
11269 Note: elliptic curve names are poorly standardized; different standards
11270 groups are assigning different names to the same underlying curves.
11271 The curve with the X9.62 name "prime256v1" is also known under the SECG
11272 name "secp256r1", but OpenSSL does not recognize the latter name.
11273
11274 If you want to take maximal advantage of ciphers that offer forward
11275 secrecy see the Getting started section of FORWARD_SECRECY_README. The
11276 full document conveniently presents all information about Postfix "per‐
11277 fect" forward secrecy support in one place: what forward secrecy is,
11278 how to tweak settings, and what you can expect to see when Postfix uses
11279 ciphers with forward secrecy.
11280
11281 This feature is available in Postfix 2.6 and later, when it is compiled
11282 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11283 have not been disabled by the vendor.
11284
The elliptic curve used by the Postfix SMTP server for maximally strong ephemeral ECDH key exchange. This curve is used by the Postfix SMTP server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally strong" means approximately 192-bit security based on best known attacks. This additional strength comes at a significant computational cost; most users should instead set "smtpd_tls_eecdh_grade = strong". The selected curve must be implemented by OpenSSL (as reported by ecparam(1) with the "-list_curves" option) and be one of the curves listed in Section 5.1.1 of RFC 4492. You should not generally change this setting.

This default "ultra" curve is rated in NSA Suite B for information classified up to TOP SECRET.

If you want to take maximal advantage of ciphers that offer forward secrecy, see the Getting started section of FORWARD_SECRECY_README. The full document conveniently presents all information about Postfix "perfect" forward secrecy support in one place: what forward secrecy is, how to tweak settings, and what you can expect to see when Postfix uses ciphers with forward secrecy.

This feature is available in Postfix 2.6 and later, when it is compiled and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms have not been disabled by the vendor.

The OpenSSL cipherlist for "export" or higher grade ciphers. This defines the meaning of the "export" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With Postfix releases before the middle of 2015 this is the default cipherlist for the opportunistic ("may") TLS client security level and also the default cipherlist for the SMTP server. You are strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

The OpenSSL cipherlist for "high" grade ciphers. This defines the meaning of the "high" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

A temporary migration aid for sites that use certificate public-key fingerprints with Postfix 2.9.0..2.9.5, which use an incorrect algorithm. This parameter has no effect on the certificate fingerprint support that is available since Postfix 2.2.

Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending a migration from configuration files with incorrect Postfix 2.9.0..2.9.5 certificate public-key fingerprints, to the correct fingerprints used by Postfix 2.9.6 and later. To compute the correct certificate public-key fingerprints, see TLS_README.

This feature is available in Postfix 2.9.6 and later.

The OpenSSL cipherlist for "low" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

The OpenSSL cipherlist for "medium" or higher grade ciphers. This defines the meaning of the "medium" setting in smtpd_tls_ciphers, smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This is the default cipherlist for mandatory TLS encryption in the TLS client (with anonymous ciphers disabled when verifying server certificates). This is the default cipherlist for opportunistic TLS with Postfix releases after the middle of 2015. You are strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. This defines the meaning of the "null" setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change this setting.

This feature is available in Postfix 2.3 and later.

With SSLv3 and later, use the Postfix SMTP server's cipher preference order instead of the remote client's cipher preference order.

By default, the OpenSSL server selects the client's most preferred cipher that the server supports. With SSLv3 and later, the server may choose its own most preferred cipher that is supported (offered) by the client. Setting "tls_preempt_cipherlist = yes" enables server cipher preferences.

While server cipher selection may in some cases lead to a more secure or performant cipher choice, there is some risk of interoperability issues. In the past, some SSL clients have listed lower priority ciphers that they did not implement correctly. If the server chooses a cipher that the client prefers less, it may select a cipher whose client implementation is flawed. Most notably Windows 2003 Microsoft Exchange servers have flawed implementations of DES-CBC3-SHA, which OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite selection may create interoperability issues with Windows 2003 Microsoft Exchange clients.

This feature is available in Postfix 2.8 and later, in combination with OpenSSL 0.9.7 and later.

The number of bytes that tlsmgr(8) reads from $tls_random_source when (re)seeding the in-memory pseudo random number generator (PRNG) pool. The default of 32 bytes (256 bits) is good enough for 128-bit symmetric keys. If using EGD or a device file, a maximum of 255 bytes is read.

This feature is available in Postfix 2.2 and later.

Name of the pseudo random number generator (PRNG) state file that is maintained by tlsmgr(8). The file is created when it does not exist, and its length is fixed at 1024 bytes.

As of version 2.5, Postfix no longer uses root privileges when opening this file, and the default file location was changed from ${config_directory}/prng_exch to ${data_directory}/prng_exch. As a migration aid, an attempt to open the file under a non-Postfix directory is redirected to the Postfix-owned data_directory, and a warning is logged.

This feature is available in Postfix 2.2 and later.

The time between attempts by tlsmgr(8) to save the state of the pseudo random number generator (PRNG) to the file specified with $tls_random_exchange_name.

This feature is available in Postfix 2.2 and later.

The maximal time between attempts by tlsmgr(8) to re-seed the in-memory pseudo random number generator (PRNG) pool from external sources. The actual time between re-seeding attempts is calculated using the PRNG, and is between 0 and the time specified.

This feature is available in Postfix 2.2 and later.

The external entropy source for the in-memory tlsmgr(8) pseudo random number generator (PRNG) pool. Be sure to specify a non-blocking source. If this source is not a regular file, the entropy source type must be prepended: egd:/path/to/egd_socket for a source with EGD compatible socket interface, or dev:/path/to/device for a device file.

Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives timeout errors.

This feature is available in Postfix 2.2 and later.

3.0: aes-128-cbc)
Algorithm used to encrypt RFC5077 TLS session tickets. This algorithm must use CBC mode, have a 128-bit block size, and must have a key length between 128 and 256 bits. The default is aes-256-cbc. Overriding the default to choose a different algorithm is discouraged.

Setting this parameter empty disables session ticket support in the Postfix SMTP server. Another way to disable session ticket support is via the tls_ssl_options parameter.

This feature is available in Postfix 3.0 and later.

List or bit-mask of OpenSSL options to enable.

The OpenSSL toolkit provides a set of options that applications can enable to tune the OpenSSL behavior. Some of these work around bugs in other implementations and are on by default. You can use the tls_disable_workarounds parameter to selectively disable some or all of the bug work-arounds, making OpenSSL more strict at the cost of non-interoperability with SSL clients or servers that exhibit the bugs.

Other options are off by default, and typically enable or disable features rather than bug work-arounds. These may be turned on (with care) via the tls_ssl_options parameter. The value is a white-space or comma separated list of named options chosen from the list below. The names are not case-sensitive; you can use lower-case if you prefer. The upper case values below match the corresponding macro name in the ssl.h header file with the SSL_OP_ prefix removed. It is possible that your OpenSSL version includes new options added after your Postfix source code was last updated; in that case you can only enable one of these via the hexadecimal syntax below.

You should only enable features via the hexadecimal mask when the need to control the feature is critical (to deal with a new vulnerability or a serious interoperability problem). Postfix DOES NOT promise backwards compatible behavior with respect to the mask bits. A feature enabled via the mask in one release may be enabled by other means in a later release, and the mask bit will then be ignored. Therefore, use of the hexadecimal mask is only a temporary measure until a new Postfix or OpenSSL release provides a better solution.

If the value of the parameter is a hexadecimal long integer starting with "0x", the options corresponding to the bits specified in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). You can only enable options not already controlled by other Postfix settings. For example, you cannot disable protocols or enable server cipher preference. Do not attempt to turn on all features by specifying 0xFFFFFFFF; this is unlikely to be a good idea.

LEGACY_SERVER_CONNECT
See SSL_CTX_set_options(3).

NO_TICKET
See SSL_CTX_set_options(3).

NO_COMPRESSION
Disable SSL compression even if supported by the OpenSSL library. Compression is CPU-intensive, and compression before encryption does not always improve security.

This feature is available in Postfix 2.11 and later.

Match multiple DNS labels with "*" in wildcard certificates.

Some mail service providers prepend the customer domain name to a base domain for which they have a wildcard TLS certificate. For example, the MX records for example.com hosted by example.net may be:

example.com. IN MX 0 example.com.mx1.example.net.
example.com. IN MX 0 example.com.mx2.example.net.

and the TLS certificate may be for "*.example.net". The "*" then corresponds with multiple labels in the mail server domain name. While multi-label wildcards are not widely supported, and are not blessed by any standard, there is little to be gained by disallowing their use in this context.

Notes:

· In a certificate name, the "*" is special only when it is used as the first label.

· While Postfix (2.11 or later) can match "*" with multiple domain name labels, other implementations likely will not.

· Earlier Postfix implementations behave as if "tls_wildcard_matches_multiple_labels = no".

This feature is available in Postfix 2.11 and later.

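The single-label versus multi-label wildcard matching described above, run against the MX host names from the example, as an added illustration that is not Postfix code. cert_name_matches() and matching_cert_names() are hypothetical helpers; the refusal of a certificate name that is only "*" is this example's choice, not something the man page states.

```python
def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def cert_name_matches(cert_name, host_name, multiple_labels=False):
    """Match one certificate DNS name against a mail server host name.

    Rules modelled on the postconf(5) text:
      * "*" is special only when it is the entire first label; a "*"
        anywhere else is compared literally.
      * multiple_labels=False ("tls_wildcard_matches_multiple_labels =
        no", and every Postfix release before 2.11): "*" stands for
        exactly one label.
      * multiple_labels=True: "*" may stand for one or more labels, so
        "*.example.net" also covers "example.com.mx1.example.net".
    A certificate name consisting of nothing but "*" is rejected here;
    that refusal is this example's choice.
    """
    cert = _labels(cert_name)
    host = _labels(host_name)
    if cert[0] != "*":
        return cert == host
    suffix = cert[1:]
    if not suffix or "" in suffix:
        return False
    if len(host) <= len(suffix) or host[-len(suffix):] != suffix:
        return False
    covered = len(host) - len(suffix)   # labels absorbed by the "*"
    return covered == 1 or multiple_labels


def matching_cert_names(cert_names, host_name, multiple_labels=False):
    """Subset of a certificate's DNS names that cover host_name.

    This is the check a client performs over all subjectAltName entries;
    an empty result means the certificate does not vouch for that host.
    """
    return [n for n in cert_names
            if cert_name_matches(n, host_name, multiple_labels)]


if __name__ == "__main__":
    # Constructed sample: the provider's wildcard certificate and the MX
    # host names from the man page's example.
    san = ["*.example.net", "mail.example.net"]
    for mx in ("example.com.mx1.example.net",
               "example.com.mx2.example.net",
               "mx1.example.net"):
        print("%-30s no=%-18s yes=%s" % (
            mx, matching_cert_names(san, mx, False),
            matching_cert_names(san, mx, True)))
```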
The name of the tlsmgr(8) service entry in master.cf. This service maintains TLS session caches and other information in support of TLS.

This feature is available in Postfix 2.11 and later.

Mandatory TLS: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. See smtpd_enforce_tls for further details.

This feature is available in Postfix 2.8 and later.

The name of the tlsproxy(8) service entry in master.cf. This service performs plaintext <=> TLS ciphertext conversion.

This feature is available in Postfix 2.8 and later.

A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates. See smtpd_tls_CAfile for further details.

This feature is available in Postfix 2.8 and later.

A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates. See smtpd_tls_CApath for further details.

This feature is available in Postfix 2.8 and later.

sion_ids)
Force the Postfix tlsproxy(8) server to issue a TLS session id, even when TLS session caching is turned off. See smtpd_tls_always_issue_session_ids for further details.

This feature is available in Postfix 2.8 and later.

Ask a remote SMTP client for a client certificate. See smtpd_tls_ask_ccert for further details.

This feature is available in Postfix 2.8 and later.

The verification depth for remote SMTP client certificates. A depth of 1 is sufficient if the issuing CA is listed in a local CA file. See smtpd_tls_ccert_verifydepth for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server RSA certificate in PEM format. This file may also contain the Postfix tlsproxy(8) server private RSA key. See smtpd_tls_cert_file for further details.

This feature is available in Postfix 2.8 and later.

The minimum TLS cipher grade that the Postfix tlsproxy(8) server will use with opportunistic TLS encryption. See smtpd_tls_ciphers for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server DSA certificate in PEM format. This file may also contain the Postfix tlsproxy(8) server private DSA key. See smtpd_tls_dcert_file for further details.

This feature is available in Postfix 2.8 and later.

File with DH parameters that the Postfix tlsproxy(8) server should use with non-export EDH ciphers. See smtpd_tls_dh1024_param_file for further details.

This feature is available in Postfix 2.8 and later.

File with DH parameters that the Postfix tlsproxy(8) server should use with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for further details. The default SMTP server cipher grade is "medium" with Postfix releases after the middle of 2015, and as a result export-grade cipher suites are by default not used.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server DSA private key in PEM format. This file may be combined with the Postfix tlsproxy(8) server DSA certificate file specified with $smtpd_tls_dcert_file. See smtpd_tls_dkey_file for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server ECDSA certificate in PEM format. This file may also contain the Postfix tlsproxy(8) server private ECDSA key. See smtpd_tls_eccert_file for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server ECDSA private key in PEM format. This file may be combined with the Postfix tlsproxy(8) server ECDSA certificate file specified with $smtpd_tls_eccert_file. See smtpd_tls_eckey_file for further details.

This feature is available in Postfix 2.8 and later.

The Postfix tlsproxy(8) server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. See smtpd_tls_eecdh_grade for further details.

This feature is available in Postfix 2.8 and later.

List of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers for further details.

This feature is available in Postfix 2.8 and later.

The message digest algorithm to construct remote SMTP client-certificate fingerprints. See smtpd_tls_fingerprint_digest for further details.

This feature is available in Postfix 2.8 and later.

File with the Postfix tlsproxy(8) server RSA private key in PEM format. This file may be combined with the Postfix tlsproxy(8) server RSA certificate file specified with $smtpd_tls_cert_file. See smtpd_tls_key_file for further details.

This feature is available in Postfix 2.8 and later.

Enable additional Postfix tlsproxy(8) server logging of TLS activity. Each logging level also includes the information that is logged at a lower logging level. See smtpd_tls_loglevel for further details.

This feature is available in Postfix 2.8 and later.

The minimum TLS cipher grade that the Postfix tlsproxy(8) server will use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for further details.

This feature is available in Postfix 2.8 and later.

tory_exclude_ciphers)
Additional list of ciphers or cipher types to exclude from the tlsproxy(8) server cipher list at mandatory TLS security levels. See smtpd_tls_mandatory_exclude_ciphers for further details.

This feature is available in Postfix 2.8 and later.

The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with mandatory TLS encryption. If the list is empty, the server supports all available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols for further details.

This feature is available in Postfix 2.8 and later.

List of TLS protocols that the Postfix tlsproxy(8) server will exclude or include with opportunistic TLS encryption. See smtpd_tls_protocols for further details.

This feature is available in Postfix 2.8 and later.

With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed. See smtpd_tls_req_ccert for further details.

This feature is available in Postfix 2.8 and later.

The SMTP TLS security level for the Postfix tlsproxy(8) server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for further details.

This feature is available in Postfix 2.8 and later.

Obsolete expiration time of Postfix tlsproxy(8) server TLS session cache information. Since the cache is shared with smtpd(8) and managed by tlsmgr(8), there is only one expiration time for the SMTP server cache shared by all three services, namely smtpd_tls_session_cache_timeout.

This feature is available in Postfix 2.8 and later.

Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. See smtpd_use_tls for further details.

This feature is available in Postfix 2.8 and later.

How much time a tlsproxy(8) process may take to process local or remote I/O before it is terminated by a built-in watchdog timer. This is a safety mechanism that prevents tlsproxy(8) from becoming non-responsive due to a bug in Postfix itself or in system software. To avoid false alarms and unnecessary cache corruption, this limit cannot be set under 10s.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.8.

The name of the trace service. This service is implemented by the bounce(8) daemon and maintains a record of mail deliveries and produces a mail delivery report when verbose delivery is requested with "sendmail -v".

This feature is available in Postfix 2.1 and later.

A transport-specific override for the default_delivery_slot_cost parameter value, where transport is the master.cf name of the message delivery transport.

Note: transport_delivery_slot_cost parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_delivery_slot_cost").

A transport-specific override for the default_delivery_slot_discount parameter value, where transport is the master.cf name of the message delivery transport.

Note: transport_delivery_slot_discount parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_delivery_slot_discount").

A transport-specific override for the default_delivery_slot_loan parameter value, where transport is the master.cf name of the message delivery transport.

Note: transport_delivery_slot_loan parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_delivery_slot_loan").

tination_concurrency_failed_cohort_limit)
A transport-specific override for the default_destination_concurrency_failed_cohort_limit parameter value, where transport is the master.cf name of the message delivery transport.

Note: some transport_destination_concurrency_failed_cohort_limit parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_destination_concurrency_failed_cohort_limit").

This feature is available in Postfix 2.5 and later.

rency_limit)
A transport-specific override for the default_destination_concurrency_limit parameter value, where transport is the master.cf name of the message delivery transport.

Note: some transport_destination_concurrency_limit parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_destination_concurrency_limit").

nation_concurrency_negative_feedback)
A transport-specific override for the default_destination_concurrency_negative_feedback parameter value, where transport is the master.cf name of the message delivery transport.

Note: some transport_destination_concurrency_negative_feedback parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_destination_concurrency_negative_feedback").

This feature is available in Postfix 2.5 and later.

nation_concurrency_positive_feedback)
A transport-specific override for the default_destination_concurrency_positive_feedback parameter value, where transport is the master.cf name of the message delivery transport.

Note: some transport_destination_concurrency_positive_feedback parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_destination_concurrency_positive_feedback").

This feature is available in Postfix 2.5 and later.

A transport-specific override for the default_destination_rate_delay parameter value, where transport is the master.cf name of the message delivery transport.

Note: some transport_destination_rate_delay parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_destination_rate_delay").

This feature is available in Postfix 2.5 and later.

ent_limit)
A transport-specific override for the default_destination_recipient_limit parameter value, where transport is the master.cf name of the message delivery transport.

Note: some transport_destination_recipient_limit parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_destination_recipient_limit").

A transport-specific override for the default_extra_recipient_limit parameter value, where transport is the master.cf name of the message delivery transport.

Note: transport_extra_recipient_limit parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_extra_recipient_limit").

currency)
A transport-specific override for the initial_destination_concurrency parameter value, where transport is the master.cf name of the message delivery transport.

Note: some transport_initial_destination_concurrency parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_initial_destination_concurrency").

This feature is available in Postfix 2.5 and later.

Optional lookup tables with mappings from recipient address to (message delivery transport, next-hop destination). See transport(5) for details.

Specify zero or more "type:table" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. If you use this feature with local files, run "postmap /etc/postfix/transport" after making a change.

Pattern matching of domain names is controlled by the presence or absence of "transport_maps" in the parent_domain_matches_subdomains parameter value.

For safety reasons, as of Postfix 2.3 this feature does not allow $number substitutions in regular expression maps.

Examples:

transport_maps = dbm:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport

A transport-specific override for the default_minimum_delivery_slots parameter value, where transport is the master.cf name of the message delivery transport.

Note: transport_minimum_delivery_slots parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_minimum_delivery_slots").

A transport-specific override for the default_recipient_limit parameter value, where transport is the master.cf name of the message delivery transport.

Note: some transport_recipient_limit parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_recipient_limit").

A transport-specific override for the default_recipient_refill_delay parameter value, where transport is the master.cf name of the message delivery transport.

Note: transport_recipient_refill_delay parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_recipient_refill_delay").

This feature is available in Postfix 2.4 and later.

A transport-specific override for the default_recipient_refill_limit parameter value, where transport is the master.cf name of the message delivery transport.

Note: transport_recipient_refill_limit parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_recipient_refill_limit").

This feature is available in Postfix 2.4 and later.

The time between attempts by the Postfix queue manager to contact a malfunctioning message delivery transport.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

A transport-specific override for the command_time_limit parameter value, where transport is the master.cf name of the message delivery transport.

Note: transport_time_limit parameters will not show up in "postconf" command output before Postfix version 2.9. This limitation applies to many parameters whose name is a combination of a master.cf service name and a built-in suffix (in this case: "_time_limit").

12001 A transport-specific override for the default_transport_rate_delay
12002 parameter value, where the initial transport in the parameter name is
12003 the master.cf name of the message delivery transport.
12004
12006 The time limit for sending a trigger to a Postfix daemon (for example,
12007 the pickup(8) or qmgr(8) daemon). This time limit prevents programs
12008 from getting stuck when the mail system is under heavy load.
12009
12010 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
12011 The default time unit is s (seconds).
12012
Message header that the Postfix cleanup(8) server inserts when a message
contains no To: or Cc: message header. With Postfix 2.8 and later, the
default value is empty. With Postfix 2.4-2.7, specify an empty value to
disable this feature.

Example:

# Default value before Postfix 2.8.
# Note: the ":" and ";" are both required.
undisclosed_recipients_header = To: undisclosed-recipients:;

The numerical response code when the Postfix SMTP server rejects a
sender or recipient address because its domain is unknown. This is one
of the possible replies from the restrictions
reject_unknown_sender_domain and reject_unknown_recipient_domain.

Do not change this unless you have a complete understanding of RFC
5321.

The Postfix SMTP server's action when reject_unknown_sender_domain or
reject_unknown_recipient_domain fail due to a temporary error condition.
Specify "defer" to defer the remote SMTP client request immediately.
With the default "defer_if_permit" action, the Postfix SMTP server
continues to look for opportunities to reject mail, and defers the
client request only if it would otherwise be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a client without
valid address <=> name mapping is rejected by the
reject_unknown_client_hostname restriction. The SMTP server always
replies with 450 when the mapping failed due to a temporary error
condition.

Do not change this unless you have a complete understanding of RFC
5321.

The Postfix SMTP server's action when reject_unknown_helo_hostname
fails due to a temporary error condition. Specify "defer" to defer the
remote SMTP client request immediately. With the default
"defer_if_permit" action, the Postfix SMTP server continues to look for
opportunities to reject mail, and defers the client request only if it
would otherwise be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when the hostname
specified with the HELO or EHLO command is rejected by the
reject_unknown_helo_hostname restriction.

Do not change this unless you have a complete understanding of RFC
5321.

The numerical Postfix SMTP server response code when a recipient
address is local, and $local_recipient_maps specifies a list of lookup
tables that does not match the recipient. A recipient address is local
when its domain matches $mydestination, $proxy_interfaces or
$inet_interfaces.

The default setting is 550 (reject mail), but it is safer to initially
use 450 (try again later) so you have time to find out if your
local_recipient_maps settings are OK.

Example:

unknown_local_recipient_reject_code = 450

This feature is available in Postfix 2.0 and later.

The numerical Postfix SMTP server reply code when a recipient address
matches $relay_domains, and relay_recipient_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The Postfix SMTP server reply code when a recipient address matches
$virtual_alias_domains, and $virtual_alias_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The Postfix SMTP server reply code when a recipient address matches
$virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
lookup tables that does not match the recipient address.

This feature is available in Postfix 2.0 and later.

The numerical Postfix SMTP server response when a recipient address
probe fails due to a temporary error condition.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response when a recipient address is
rejected by the reject_unverified_recipient restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.1 and later.

The Postfix SMTP server's reply when rejecting mail with
reject_unverified_recipient. Do not include the numeric SMTP reply code
or the enhanced status code. By default, the response includes actual
address verification details.

Example:

unverified_recipient_reject_reason = Recipient address lookup failed

This feature is available in Postfix 2.6 and later.

The Postfix SMTP server's action when reject_unverified_recipient fails
due to a temporary error condition. Specify "defer" to defer the remote
SMTP client request immediately. With the default "defer_if_permit"
action, the Postfix SMTP server continues to look for opportunities to
reject mail, and defers the client request only if it would otherwise
be accepted.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a sender address
probe fails due to a temporary error condition.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.6 and later.

The numerical Postfix SMTP server response code when a recipient
address is rejected by the reject_unverified_sender restriction.

Unlike elsewhere in Postfix, you can specify 250 in order to accept the
address anyway.

Do not change this unless you have a complete understanding of RFC
5321.

This feature is available in Postfix 2.1 and later.

The Postfix SMTP server's reply when rejecting mail with
reject_unverified_sender. Do not include the numeric SMTP reply code or
the enhanced status code. By default, the response includes actual
address verification details.

Example:

unverified_sender_reject_reason = Sender address lookup failed

This feature is available in Postfix 2.6 and later.

The Postfix SMTP server's action when reject_unverified_sender fails
due to a temporary error condition. Specify "defer" to defer the remote
SMTP client request immediately. With the default "defer_if_permit"
action, the Postfix SMTP server continues to look for opportunities to
reject mail, and defers the client request only if it would otherwise
be accepted.

This feature is available in Postfix 2.6 and later.

The characters Postfix accepts as VERP delimiter characters on the
Postfix sendmail(1) command line and in SMTP commands.

This feature is available in Postfix 1.1 and later.

The maximal length of an email address after virtual alias expansion.
This stops virtual aliasing loops that increase the address length
exponentially.

This feature is available in Postfix 3.0 and later.

Postfix is final destination for the specified list of virtual alias
domains, that is, domains for which all addresses are aliased to
addresses in other local or remote domains. The SMTP server validates
recipient addresses with $virtual_alias_maps and rejects non-existent
recipients. See also the virtual alias domain class in the
ADDRESS_CLASS_README file.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

The default value is $virtual_alias_maps so that you can keep all
information about virtual alias domains in one place. If you have many
users, it is better to separate information that changes more
frequently (virtual address -> local or remote address mapping) from
information that changes less frequently (the list of virtual domain
names).

Specify a list of host or domain names, "/file/name" or "type:table"
patterns, separated by commas and/or whitespace. A "/file/name" pattern
is replaced by its contents; a "type:table" lookup table is matched
when a table entry matches a lookup string (the lookup result is
ignored). Continue long lines by starting the next line with
whitespace. Specify "!pattern" to exclude a host or domain name from
the list. The form "!/file/name" is supported only in Postfix version
2.4 and later.

See also the VIRTUAL_README and ADDRESS_CLASS_README documents for
further information.

Example:

virtual_alias_domains = virtual1.tld virtual2.tld

The maximal number of addresses that virtual alias expansion produces
from each original recipient.

This feature is available in Postfix 2.1 and later.

Optional lookup tables that alias specific mail addresses or domains to
other local or remote addresses. The table format and lookups are
documented in virtual(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

Specify zero or more "type:name" lookup tables, separated by whitespace
or comma. Tables will be searched in the specified order until a match
is found. Note: these lookups are recursive.

If you use this feature with indexed files, run "postmap
/etc/postfix/virtual" after changing the file.

Examples:

virtual_alias_maps = dbm:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

The maximal nesting depth of virtual alias expansion. Currently the
recursion limit is applied only to the left branch of the expansion
graph, so the depth of the tree can in the worst case reach the sum of
the expansion and recursion limits. This may change in the future.

This feature is available in Postfix 2.1 and later.
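
A simplified alias expander that enforces the three limits described for virtual_alias_address_length_limit, virtual_alias_expansion_limit and virtual_alias_recursion_limit, added here as an example and not Postfix's own code. The sample table is constructed; the lookup order and the way depth and produced addresses are counted are assumptions stated in the docstring (Postfix applies the recursion limit only to the left branch, this model counts every branch).

```python
"""Bounded virtual alias expansion modelled on the virtual_alias_* limits.
Added example, not Postfix's own code.

Assumptions (not from the page): the alias table is a plain dict in
virtual(5) key/value form; a lookup tries the full address, then the
address without its "+extension", then the "@domain" catch-all; every
branch counts toward the recursion limit (Postfix counts only the left
branch); and every address produced during expansion, intermediate or
final, counts toward the expansion limit.
"""
from dataclasses import dataclass

# Constructed sample table: key -> comma-separated targets.
SAMPLE_TABLE = {
    "sales@example.com": "alice@example.com, bob@example.com",
    "alice@example.com": "alice@corp.example",
    "@example.com": "catchall@corp.example",
    # A loop that an unbounded expander would never finish.
    "loop@example.com": "loop@example.com, loop-again@example.com",
    "loop-again@example.com": "loop@example.com",
}


@dataclass
class Limits:
    expansion_limit: int = 1000       # virtual_alias_expansion_limit
    recursion_limit: int = 1000       # virtual_alias_recursion_limit
    address_length_limit: int = 1000  # virtual_alias_address_length_limit


def lookup(table, address):
    """Return the alias targets for address, or None if it is not aliased."""
    if address in table:
        return table[address]
    local, _, domain = address.partition("@")
    if "+" in local:
        unextended = local.split("+", 1)[0] + "@" + domain
        if unextended in table:
            return table[unextended]
    return table.get("@" + domain)


def expand(table, address, limits=None):
    """Expand one original recipient into (final_recipients, error).

    error is None on success, or a short reason when a limit was exceeded,
    in which case nothing is delivered for this recipient.
    """
    limits = limits or Limits()
    recipients, produced = [], 0
    work = [(address, 0)]  # depth-first worklist of (address, depth)
    while work:
        addr, depth = work.pop()
        if len(addr) > limits.address_length_limit:
            return [], f"address length limit exceeded: {addr}"
        if depth > limits.recursion_limit:
            return [], f"recursion limit exceeded at {addr}"
        targets = lookup(table, addr)
        if targets is None:  # not aliased: this is a final recipient
            if addr not in recipients:
                recipients.append(addr)
            continue
        parts = [t.strip() for t in targets.split(",") if t.strip()]
        for target in reversed(parts):  # reversed so the first target pops first
            produced += 1
            if produced > limits.expansion_limit:
                return [], "expansion limit exceeded"
            work.append((target, depth + 1))
    return recipients, None
```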

Optional filter for the virtual(8) delivery agent to change the
delivery status code or explanatory text of successful or unsuccessful
deliveries. See default_delivery_status_filter for details.

This feature is available in Postfix 3.0 and later.

virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination via
the virtual message delivery transport. This limit is enforced by the
queue manager. The message delivery transport name is the first field
in the entry in the master.cf file.

virtual_destination_recipient_limit (default: $default_destination_recipient_limit)
The maximal number of recipients per message for the virtual message
delivery transport. This limit is enforced by the queue manager. The
message delivery transport name is the first field in the entry in the
master.cf file.

Setting this parameter to a value of 1 changes the meaning of
virtual_destination_concurrency_limit from concurrency per domain into
concurrency per recipient.

Lookup tables with the per-recipient group ID for virtual(8) mailbox
delivery.

This parameter is specific to the virtual(8) delivery agent. It does
not apply when mail is delivered with a different mail delivery
program.

Specify zero or more "type:name" lookup tables, separated by whitespace
or comma. Tables will be searched in the specified order until a match
is found.

In a lookup table, specify a left-hand side of "@domain.tld" to match
any user in the specified domain that does not have a specific
"user@domain.tld" entry.

When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up the full
address first, and when the lookup fails, it looks up the unextended
address (user@domain.tld).

Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression lookup
tables, because that would open a security hole.

Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead it will
open the table directly. Before Postfix version 2.2, the virtual(8)
delivery agent will terminate with a fatal error.

A prefix that the virtual(8) delivery agent prepends to all pathname
results from $virtual_mailbox_maps table lookups. This is a safety
measure to ensure that an out of control map doesn't litter the file
system with mailboxes. While virtual_mailbox_base could be set to "/",
this setting isn't recommended.

This parameter is specific to the virtual(8) delivery agent. It does
not apply when mail is delivered with a different mail delivery
program.

Example:

virtual_mailbox_base = /var/mail

Postfix is final destination for the specified list of domains; mail is
delivered via the $virtual_transport mail delivery transport. By
default this is the Postfix virtual(8) delivery agent. The SMTP server
validates recipient addresses with $virtual_mailbox_maps and rejects
mail for non-existent recipients. See also the virtual mailbox domain
class in the ADDRESS_CLASS_README file.

This parameter expects the same syntax as the mydestination
configuration parameter.

This feature is available in Postfix 2.0 and later. The default value
is backwards compatible with Postfix version 1.1.

The maximal size in bytes of an individual virtual(8) mailbox or
maildir file, or zero (no limit).

This parameter is specific to the virtual(8) delivery agent. It does
not apply when mail is delivered with a different mail delivery
program.

How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
For a list of available file locking methods, use the "postconf -l"
command.

This parameter is specific to the virtual(8) delivery agent. It does
not apply when mail is delivered with a different mail delivery
program.

This setting is ignored with maildir style delivery, because such
deliveries are safe without application-level locks.

Note 1: the dotlock method requires that the recipient UID or GID has
write access to the parent directory of the recipient's mailbox file.

Note 2: the default setting of this parameter is system dependent.

Optional lookup tables with all valid addresses in the domains that
match $virtual_mailbox_domains.

Specify zero or more "type:name" lookup tables, separated by whitespace
or comma. Tables will be searched in the specified order until a match
is found.

In a lookup table, specify a left-hand side of "@domain.tld" to match
any user in the specified domain that does not have a specific
"user@domain.tld" entry.

The remainder of this text is specific to the virtual(8) delivery
agent. It does not apply when mail is delivered with a different mail
delivery program.

The virtual(8) delivery agent uses this table to look up the
per-recipient mailbox or maildir pathname. If the lookup result ends in
a slash ("/"), maildir-style delivery is carried out, otherwise the
path is assumed to specify a UNIX-style mailbox file. Note that
$virtual_mailbox_base is unconditionally prepended to this path.

When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up the full
address first, and when the lookup fails, it looks up the unextended
address (user@domain.tld).

Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression lookup
tables, because that would open a security hole.

Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead it will
open the table directly. Before Postfix version 2.2, the virtual(8)
delivery agent will terminate with a fatal error.

Optional lookup tables with a) names of domains for which all addresses
are aliased to addresses in other local or remote domains, and b)
addresses that are aliased to addresses in other local or remote
domains. Available before Postfix version 2.0. With Postfix version
2.0 and later, this is replaced by separate controls:
virtual_alias_domains and virtual_alias_maps.

The minimum user ID value that the virtual(8) delivery agent accepts as
a result from $virtual_uid_maps table lookup. Returned values less
than this will be rejected, and the message will be deferred.

This parameter is specific to the virtual(8) delivery agent. It does
not apply when mail is delivered with a different mail delivery
program.

The default mail delivery transport and next-hop destination for final
delivery to domains listed with $virtual_mailbox_domains. This
information can be overruled with the transport(5) table.

Specify a string of the form transport:nexthop, where transport is the
name of a mail delivery transport defined in master.cf. The :nexthop
destination is optional; its syntax is documented in the manual page of
the corresponding delivery agent.

This feature is available in Postfix 2.0 and later.

Lookup tables with the per-recipient user ID that the virtual(8)
delivery agent uses while writing to the recipient's mailbox.

This parameter is specific to the virtual(8) delivery agent. It does
not apply when mail is delivered with a different mail delivery
program.

Specify zero or more "type:name" lookup tables, separated by whitespace
or comma. Tables will be searched in the specified order until a match
is found.

In a lookup table, specify a left-hand side of "@domain.tld" to match
any user in the specified domain that does not have a specific
"user@domain.tld" entry.

When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up the full
address first, and when the lookup fails, it looks up the unextended
address (user@domain.tld).

Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression lookup
tables, because that would open a security hole.

Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead it will
open the table directly. Before Postfix version 2.2, the virtual(8)
delivery agent will terminate with a fatal error.
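
A resolver that applies the lookup rules given above for virtual_mailbox_maps, virtual_mailbox_base, virtual_uid_maps, virtual_gid_maps and virtual_minimum_uid to a recipient address, added here as an example and not Postfix's own code. The tables are constructed; treating UID/GID values as decimal strings and reporting a missing entry as a non-delivery are assumptions stated in the docstring.

```python
"""Where virtual(8) would deliver a recipient, following the lookup rules
given for virtual_mailbox_maps, virtual_mailbox_base, virtual_uid_maps,
virtual_gid_maps and virtual_minimum_uid. Added example, not Postfix code.

Assumptions (not from the page): tables are plain dicts constructed below,
UID/GID values are decimal strings as in a hash: table, and a missing
mailbox, UID or GID entry is reported as a non-delivery reason (the page
only states that a too-low UID defers the message).
"""
from dataclasses import dataclass

# Constructed sample tables; a trailing "/" in the mailbox result means maildir.
MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",
    "bob@example.com": "example.com/bob",
    "@example.com": "example.com/catchall/",
    "stray@example.com": "/etc/passwd",  # misbehaving map entry, absolute path
}
UID_MAPS = {"alice@example.com": "5000", "bob@example.com": "50", "@example.com": "5001"}
GID_MAPS = {"@example.com": "5000"}


@dataclass
class Config:
    virtual_mailbox_base: str = "/var/mail/vhosts"
    virtual_minimum_uid: int = 100


@dataclass
class Delivery:
    path: str
    maildir: bool
    uid: int
    gid: int


def lookup(table, address):
    """Lookup order from the page: full address, unextended address, @domain."""
    local, _, domain = address.partition("@")
    keys = [address]
    if "+" in local:
        keys.append(local.split("+", 1)[0] + "@" + domain)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return table[key]
    return None


def resolve(address, cfg=None):
    """Return (Delivery, None), or (None, reason) when delivery cannot proceed."""
    cfg = cfg or Config()
    mailbox = lookup(MAILBOX_MAPS, address)
    uid, gid = lookup(UID_MAPS, address), lookup(GID_MAPS, address)
    if mailbox is None or uid is None or gid is None:
        return None, f"{address}: mailbox, uid or gid lookup failed"
    uid = int(uid)
    if uid < cfg.virtual_minimum_uid:  # page: rejected, message deferred
        return None, f"{address}: uid {uid} below virtual_minimum_uid {cfg.virtual_minimum_uid}"
    # virtual_mailbox_base is prepended unconditionally, so even an absolute
    # path returned by a misbehaving map stays inside the base directory.
    path = f"{cfg.virtual_mailbox_base}/{mailbox}"
    return Delivery(path, mailbox.endswith("/"), uid, int(gid)), None
```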

postconf(1), Postfix configuration parameter maintenance
master(5), Postfix daemon configuration maintenance

The Secure Mailer license must be distributed with this software.

Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA

Wietse Venema
Google, Inc.
111 8th Avenue
New York, NY 10011, USA

Viktor Dukhovni



POSTCONF(5)