1POSTCONF(5)                   File Formats Manual                  POSTCONF(5)
2
3
4

NAME

6       postconf - Postfix configuration parameters
7

SYNOPSIS

9       postconf parameter ...
10
11       postconf -e "parameter=value" ...
12

DESCRIPTION

14       The  Postfix  main.cf configuration file specifies parameters that con‐
15       trol the operation of the Postfix mail system. Typically the file  con‐
16       tains  only  a small subset of all parameters; parameters not specified
17       are left at their default values.
18
19       The general format of the main.cf file is as follows:
20
21       ·      Each logical line has the form "parameter = value".   Whitespace
22              around the "=" is ignored, as is whitespace at the end of a log‐
23              ical line.
24
25       ·      Empty lines and whitespace-only lines are ignored, as are  lines
26              whose first non-whitespace character is a `#'.
27
28       ·      A  logical  line  starts  with  non-whitespace text. A line that
29              starts with whitespace continues a logical line.
30
31       ·      A parameter value may refer to other parameters.
32
33              ·      The expressions "$name"  and  "${name}"  are  recursively
34                     replaced  with  the  value  of  the  named parameter. The
35                     parameter name must contain only characters from the  set
36                     [a-zA-Z0-9_].  An  undefined  parameter value is replaced
37                     with the empty value.
38
39              ·      The expressions "${name?value}" and "${name?{value}}" are
40                     replaced  with  "value"  when  "$name"  is non-empty. The
41                     parameter name must contain only characters from the  set
42                     [a-zA-Z0-9_]. These forms are supported with Postfix ver‐
43                     sions >= 2.2 and >= 3.0, respectively.
44
45              ·      The expressions "${name:value}" and "${name:{value}}" are
46                     replaced  with "value" when "$name" is empty. The parame‐
47                     ter name must contain only characters from the set [a-zA-
48                     Z0-9_].  These  forms are supported with Postfix versions
49                     >= 2.2 and >= 3.0, respectively.
50
51              ·      The expression  "${name?{value1}:{value2}}"  is  replaced
52                     with   "value1"  when  "$name"  is  non-empty,  and  with
53                     "value2" when "$name" is empty.  The "{}" is required for
54                     "value1",  optional for "value2". The parameter name must
55                     contain only characters from the set [a-zA-Z0-9_].   This
56                     form is supported with Postfix versions >= 3.0.
57
58              ·      The  first  item  inside  "${...}"  may  be  a relational
59                     expression of the form: "{value3} ==  {value4}".  Besides
60                     the   "=="  (equality)  operator  Postfix  supports  "!="
61                     (inequality), "<", "<=", ">=", and ">". The comparison is
62                     numerical  when  both  operands are all digits, otherwise
63                     the comparison is lexicographical. These forms  are  sup‐
64                     ported with Postfix versions >= 3.0.
65
66              ·      Each  "value" is subject to recursive named parameter and
67                     relational expression evaluation, except where noted.
68
69              ·      Whitespace before or after each "{value}" is ignored.
70
71              ·      Specify "$$" to produce a single "$" character.
72
73              ·      The legacy form "$(...)" is equivalent to  the  preferred
74                     form "${...}".
75
76       ·      When the same parameter is defined multiple times, only the last
77              instance is remembered.
78
79       ·      Otherwise, the order of main.cf parameter definitions  does  not
80              matter.
81
82       The remainder of this document is a description of all Postfix configu‐
83       ration parameters. Default values are shown after the parameter name in
84       parentheses, and can be looked up with the "postconf -d" command.
85
86       Note:  this  is not an invitation to make changes to Postfix configura‐
87       tion parameters. Unnecessary changes can impair the  operation  of  the
88       mail system.
89

2bounce_notice_recipient (default: postmaster)

91       The  recipient  of  undeliverable  mail  that cannot be returned to the
92       sender.  This feature is enabled with the notify_classes parameter.
93

access_map_defer_code (default: 450)

95       The numerical Postfix SMTP server response code for  an  access(5)  map
96       "defer" action, including "defer_if_permit" or "defer_if_reject". Prior
97       to Postfix 2.6, the response is hard-coded as "450".
98
99       Do not change this unless you have  a  complete  understanding  of  RFC
100       5321.
101
102       This feature is available in Postfix 2.6 and later.
103

access_map_reject_code (default: 554)

105       The  numerical  Postfix  SMTP server response code for an access(5) map
106       "reject" action.
107
108       Do not change this unless you have  a  complete  understanding  of  RFC
109       5321.
110

address_verify_cache_cleanup_interval (default: 12h)

112       The  amount  of  time  between  verify(8) address verification database
113       cleanup runs. This feature requires  that  the  database  supports  the
114       "delete"  and "sequence" operators.  Specify a zero interval to disable
115       database cleanup.
116
117       After each database cleanup run, the verify(8) daemon logs  the  number
118       of  entries  that were retained and dropped. A cleanup run is logged as
119       "partial" when the daemon  terminates  early  after  "postfix  reload",
120       "postfix stop", or no requests for $max_idle seconds.
121
122       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
123
124       This feature is available in Postfix 2.7.
125

address_verify_default_transport (default: $default_transport)

127       Overrides the default_transport parameter setting for address verifica‐
128       tion probes.
129
130       This feature is available in Postfix 2.1 and later.
131

address_verify_local_transport (default: $local_transport)

133       Overrides the local_transport parameter setting for  address  verifica‐
134       tion probes.
135
136       This feature is available in Postfix 2.1 and later.
137

address_verify_map (default: see postconf -d output)

139       Lookup  table  for persistent address verification status storage.  The
140       table is maintained by the verify(8) service, and is opened before  the
141       process releases privileges.
142
143       The  lookup  table  is  persistent  by default (Postfix 2.7 and later).
144       Specify an empty table name to keep the information in volatile  memory
145       which  is  lost  after  "postfix reload" or "postfix stop". This is the
146       default with Postfix version 2.6 and earlier.
147
148       Specify a location in a file system that will not fill up. If the data‐
149       base  becomes  corrupted,  the world comes to an end. To recover delete
150       (NOT: truncate) the file and do "postfix reload".
151
152       Postfix daemon processes do not use root privileges when  opening  this
153       file  (Postfix 2.5 and later).  The file must therefore be stored under
154       a Postfix-owned directory such as the data_directory.  As  a  migration
155       aid, an attempt to open the file under a non-Postfix directory is redi‐
156       rected to the Postfix-owned data_directory, and a warning is logged.
157
158       Examples:
159
160       address_verify_map = hash:/var/lib/postfix/verify
161       address_verify_map = btree:/var/lib/postfix/verify
162
163       This feature is available in Postfix 2.1 and later.
164

address_verify_negative_cache (default: yes)

166       Enable caching of failed address verification probe results.  When this
167       feature  is  enabled, the cache may pollute quickly with garbage.  When
168       this feature is disabled, Postfix will generate an  address  probe  for
169       every lookup.
170
171       This feature is available in Postfix 2.1 and later.
172

address_verify_negative_expire_time (default: 3d)

174       The  time after which a failed probe expires from the address verifica‐
175       tion cache.
176
177       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
178
179       This feature is available in Postfix 2.1 and later.
180

address_verify_negative_refresh_time (default: 3h)

182       The time after which a failed address verification probe  needs  to  be
183       refreshed.
184
185       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
186
187       This feature is available in Postfix 2.1 and later.
188

address_verify_pending_request_limit (default: see postconf -d output)

190       A  safety  limit that prevents address verification requests from over‐
191       whelming the Postfix queue. By default, the number of pending  requests
192       is  limited  to  1/4  of  the  active  queue  maximum  size  (qmgr_mes‐
193       sage_active_limit). The queue manager enforces the limit by tempfailing
194       requests that exceed the limit. This affects only unknown addresses and
195       inactive addresses that have  expired,  because  the  verify(8)  daemon
196       automatically refreshes an active address before it expires.
197
198       This feature is available in Postfix 3.1 and later.
199

address_verify_poll_count (default: normal: 3, overload: 1)

201       How  many times to query the verify(8) service for the completion of an
202       address verification request in progress.
203
204       By default, the Postfix SMTP server polls the verify(8) service  up  to
205       three  times  under  non-overload  conditions, and only once when under
206       overload.  With Postfix version 2.5 and earlier, the SMTP server always
207       polls the verify(8) service up to three times by default.
208
209       Specify  1  to  implement  a crude form of greylisting, that is, always
210       defer the first delivery request for a new address.
211
212       Examples:
213
214       # Postfix <= 2.6 default
215       address_verify_poll_count = 3
216       # Poor man's greylisting
217       address_verify_poll_count = 1
218
219       This feature is available in Postfix 2.1 and later.
220

address_verify_poll_delay (default: 3s)

222       The delay between queries for the completion of an address verification
223       request in progress.
224
225       The default polling delay is 3 seconds.
226
227       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
228
229       This feature is available in Postfix 2.1 and later.
230

address_verify_positive_expire_time (default: 31d)

232       The  time after which a successful probe expires from the address veri‐
233       fication cache.
234
235       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
236
237       This feature is available in Postfix 2.1 and later.
238

address_verify_positive_refresh_time (default: 7d)

240       The time after which a successful address verification probe  needs  to
241       be  refreshed.  The address verification status is not updated when the
242       probe fails (optimistic caching).
243
244       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
245
246       This feature is available in Postfix 2.1 and later.
247

address_verify_relay_transport (default: $relay_transport)

249       Overrides the relay_transport parameter setting for  address  verifica‐
250       tion probes.
251
252       This feature is available in Postfix 2.1 and later.
253

address_verify_relayhost (default: $relayhost)

255       Overrides  the  relayhost  parameter  setting  for address verification
256       probes. This information can be overruled with the transport(5) table.
257
258       This feature is available in Postfix 2.1 and later.
259

address_verify_sender (default: $double_bounce_sender)

261       The sender address to use in  address  verification  probes;  prior  to
262       Postfix  2.5  the  default  was  "postmaster".  To  avoid problems with
263       address probes that are sent in response to address probes, the Postfix
264       SMTP  server  excludes  the  probe sender address from all SMTPD access
265       blocks.
266
267       Specify an empty value (address_verify_sender =) or <> if you  want  to
268       use  the  null  sender address. Beware, some sites reject mail from <>,
269       even though RFCs require that such addresses be accepted.
270
271       Examples:
272
273       address_verify_sender = <>
274       address_verify_sender = postmaster@my.domain
275
276       This feature is available in Postfix 2.1 and later.
277

address_verify_sender_dependent_default_transport_maps (default:

279       $sender_dependent_default_transport_maps)
280       Overrides the sender_dependent_default_transport_maps parameter setting
281       for address verification probes.
282
283       This feature is available in Postfix 2.7 and later.
284

address_verify_sender_dependent_relayhost_maps (default: $sender_depen‐

286       dent_relayhost_maps)
287       Overrides  the  sender_dependent_relayhost_maps  parameter  setting for
288       address verification probes.
289
290       This feature is available in Postfix 2.3 and later.
291

address_verify_sender_ttl (default: 0s)

293       The time between changes in the time-dependent portion of address veri‐
294       fication probe sender addresses. The time-dependent portion is appended
295       to the  localpart  of  the  address  specified  with  the  address_ver‐
296       ify_sender  parameter.  This  feature  is ignored when the probe sender
297       addresses is the null sender, i.e. the address_verify_sender  value  is
298       empty or <>.
299
300       Historically,  the probe sender address was fixed. This has caused such
301       addresses to end up on spammer  mailing  lists,  and  has  resulted  in
302       wasted network and processing resources.
303
304       To  enable  time-dependent  probe  sender addresses, specify a non-zero
305       time value (an integral value plus an optional one-letter  suffix  that
306       specifies  the  time unit).  Specify a value of at least several hours,
307       to avoid problems with senders that use greylisting.   Avoid  nice  TTL
308       values,  to  make the result less predictable.  Time units are: s (sec‐
309       onds), m (minutes), h (hours), d (days), w (weeks).
310
311       This feature is available in Postfix 2.9 and later.
312

address_verify_service_name (default: verify)

314       The name of the verify(8) address verification  service.  This  service
315       maintains  the  status  of sender and/or recipient address verification
316       probes, and generates probes on request by other Postfix processes.
317

address_verify_transport_maps (default: $transport_maps)

319       Overrides the transport_maps parameter setting for address verification
320       probes.
321
322       This feature is available in Postfix 2.1 and later.
323

address_verify_virtual_transport (default: $virtual_transport)

325       Overrides the virtual_transport parameter setting for address verifica‐
326       tion probes.
327
328       This feature is available in Postfix 2.1 and later.
329

alias_database (default: see postconf -d output)

331       The alias  databases  for  local(8)  delivery  that  are  updated  with
332       "newaliases" or with "sendmail -bi".
333
334       This  is  a separate configuration parameter because not all the tables
335       specified with $alias_maps have to be local files.
336
337       Examples:
338
339       alias_database = hash:/etc/aliases
340       alias_database = hash:/etc/mail/aliases
341

alias_maps (default: see postconf -d output)

343       The alias databases that are used for local(8) delivery. See aliases(5)
344       for  syntax  details.   Specify zero or more "type:name" lookup tables,
345       separated by whitespace or comma. Tables will be searched in the speci‐
346       fied order until a match is found.  Note: these lookups are recursive.
347
348       The default list is system dependent.  On systems with NIS, the default
349       is to search the local alias database, then the NIS alias database.
350
351       If you change the alias  database,  run  "postalias  /etc/aliases"  (or
352       wherever  your  system  stores  the  mail  alias  file),  or simply run
353       "newaliases" to build the necessary DBM or DB file.
354
355       The local(8) delivery agent disallows regular  expression  substitution
356       of $1 etc. in alias_maps, because that would open a security hole.
357
358       The  local(8)  delivery  agent will silently ignore requests to use the
359       proxymap(8) server within alias_maps. Instead it will  open  the  table
360       directly.  Before Postfix version 2.2, the local(8) delivery agent will
361       terminate with a fatal error.
362
363       Examples:
364
365       alias_maps = hash:/etc/aliases, nis:mail.aliases
366       alias_maps = hash:/etc/aliases
367

allow_mail_to_commands (default: alias, forward)

369       Restrict local(8) mail delivery to external commands.  The  default  is
370       to  disallow delivery to "|command" in :include:  files (see aliases(5)
371       for the text that defines this terminology).
372
373       Specify zero or more of: alias, forward or include, in order  to  allow
374       commands  in aliases(5), .forward files or in :include:  files, respec‐
375       tively.
376
377       Example:
378
379       allow_mail_to_commands = alias,forward,include
380

allow_mail_to_files (default: alias, forward)

382       Restrict local(8) mail delivery to external files. The  default  is  to
383       disallow  "/file/name" destinations in :include:  files (see aliases(5)
384       for the text that defines this terminology).
385
386       Specify zero or more of: alias, forward or include, in order  to  allow
387       "/file/name"   destinations   in  aliases(5),  .forward  files  and  in
388       :include:  files, respectively.
389
390       Example:
391
392       allow_mail_to_files = alias,forward,include
393

allow_min_user (default: no)

395       Allow a sender or recipient address to have `-' as the first character.
396       By  default, this is not allowed, to avoid accidents with software that
397       passes email addresses via the command line. Such software would not be
398       able  to  distinguish a malicious address from a bona fide command-line
399       option. Although this can be prevented by inserting a "--" option  ter‐
400       minator  into  the  command  line, this is difficult to enforce consis‐
401       tently and globally.
402
403       As of Postfix version 2.5, this feature is implemented  by  trivial-re‐
404       write(8).   With  earlier  versions  this  feature  was  implemented by
405       qmgr(8) and was limited to recipient addresses only.
406

allow_percent_hack (default: yes)

408       Enable the rewriting of the form "user%domain" to "user@domain".   This
409       is enabled by default.
410
411       Note:  as of Postfix version 2.2, message header address rewriting hap‐
412       pens only when one of the following conditions is true:
413
414       ·      The message is received with the Postfix sendmail(1) command,
415
416       ·      The message is received  from  a  network  client  that  matches
417              $local_header_rewrite_clients,
418
419       ·      The   message   is   received   from   the   network,   and  the
420              remote_header_rewrite_domain  parameter  specifies  a  non-empty
421              value.
422
423       To   get   the   behavior   before   Postfix   version   2.2,   specify
424       "local_header_rewrite_clients = static:all".
425
426       Example:
427
428       allow_percent_hack = no
429

allow_untrusted_routing (default: no)

431       Forward mail with sender-specified  routing  (user[@%!]remote[@%!]site)
432       from untrusted clients to destinations matching $relay_domains.
433
434       By default, this feature is turned off.  This closes a nasty open relay
435       loophole where a backup MX host can be  tricked  into  forwarding  junk
436       mail to a primary MX host which then spams it out to the world.
437
438       This  parameter also controls if non-local addresses with sender-speci‐
439       fied  routing  can  match  Postfix  access  tables.  By  default,  such
440       addresses  cannot  match  Postfix access tables, because the address is
441       ambiguous.
442

alternate_config_directories (default: empty)

444       A list of non-default Postfix configuration  directories  that  may  be
445       specified  with  "-c config_directory" on the command line (in the case
446       of sendmail(1), with the "-C" option), or via the MAIL_CONFIG  environ‐
447       ment parameter.
448
449       This  list  must  be specified in the default Postfix main.cf file, and
450       will be used by set-gid Postfix commands such as postqueue(1) and post‐
451       drop(1).
452
453       Specify  absolute  pathnames,  separated by comma or space. Note: $name
454       expansion is not supported.
455

always_add_missing_headers (default: no)

457       Always add (Resent-) From:, To:, Date: or Message-ID: headers when  not
458       present.   Postfix  2.6  and  later add these headers only when clients
459       match  the  local_header_rewrite_clients  parameter  setting.   Earlier
460       Postfix  versions  always add these headers; this may break DKIM signa‐
461       tures  that  cover  non-existent  headers.    The   undisclosed_recipi‐
462       ents_header  parameter  setting determines whether a To: header will be
463       added.
464

always_bcc (default: empty)

466       Optional address that receives a "blind carbon copy"  of  each  message
467       that is received by the Postfix mail system.
468
469       Note:  with Postfix 2.3 and later the BCC address is added as if it was
470       specified with NOTIFY=NONE. The sender will not be  notified  when  the
471       BCC  address  is  undeliverable,  as  long  as all down-stream software
472       implements RFC 3461.
473
474       Note: with Postfix 2.2 and earlier the sender will be notified when the
475       BCC address is undeliverable.
476
477       Note:  automatic  BCC  recipients  are  produced only for new mail.  To
478       avoid mailer loops, automatic BCC recipients are  not  generated  after
479       Postfix  forwards  mail  internally,  or  after  Postfix generates mail
480       itself.
481

anvil_rate_time_unit (default: 60s)

483       The time unit over which client connection rates and  other  rates  are
484       calculated.
485
486       This  feature is implemented by the anvil(8) service which is available
487       in Postfix version 2.2 and later.
488
489       The default interval is relatively short. Because of the high frequency
490       of updates, the anvil(8) server uses volatile memory only. Thus, infor‐
491       mation is lost whenever the process terminates.
492
493       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
494       The default time unit is s (seconds).
495

anvil_status_update_time (default: 600s)

497       How  frequently  the  anvil(8) connection and rate limiting server logs
498       peak usage information.
499
500       This feature is available in Postfix 2.2 and later.
501
502       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
503       The default time unit is s (seconds).
504

append_at_myorigin (default: yes)

506       With  locally  submitted  mail,  append the string "@$myorigin" to mail
507       addresses without domain information.  With  remotely  submitted  mail,
508       append the string "@$remote_header_rewrite_domain" instead.
509
510       Note  1: this feature is enabled by default and must not be turned off.
511       Postfix does not support domain-less addresses.
512
513       Note 2: with Postfix version 2.2, message header address rewriting hap‐
514       pens only when one of the following conditions is true:
515
516       ·      The message is received with the Postfix sendmail(1) command,
517
518       ·      The  message  is  received  from  a  network client that matches
519              $local_header_rewrite_clients,
520
521       ·      The  message   is   received   from   the   network,   and   the
522              remote_header_rewrite_domain  parameter  specifies  a  non-empty
523              value.
524
525       To   get   the   behavior   before   Postfix   version   2.2,   specify
526       "local_header_rewrite_clients = static:all".
527

append_dot_mydomain (default: Postfix >= 3.0: no, Postfix < 3.0: yes)

529       With   locally  submitted  mail,  append  the  string  ".$mydomain"  to
530       addresses that have no ".domain" information. With  remotely  submitted
531       mail, append the string ".$remote_header_rewrite_domain" instead.
532
533       Note 1: this feature is enabled by default. If disabled, users will not
534       be able to send mail to "user@partialdomainname" but will have to spec‐
535       ify full domain names instead.
536
537       Note 2: with Postfix version 2.2, message header address rewriting hap‐
538       pens only when one of the following conditions is true:
539
540       ·      The message is received with the Postfix sendmail(1) command,
541
542       ·      The message is received  from  a  network  client  that  matches
543              $local_header_rewrite_clients,
544
545       ·      The   message   is   received   from   the   network,   and  the
546              remote_header_rewrite_domain  parameter  specifies  a  non-empty
547              value.
548
549       To   get   the   behavior   before   Postfix   version   2.2,   specify
550       "local_header_rewrite_clients = static:all".
551

application_event_drain_time (default: 100s)

553       How long the postkick(1) command waits for a request to enter the Post‐
554       fix daemon process input buffer before giving up.
555
556       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
557       The default time unit is s (seconds).
558
559       This feature is available in Postfix 2.1 and later.
560

authorized_flush_users (default: static:anyone)

562       List of users who are authorized to flush the queue.
563
564       By default, all users are allowed to flush the queue.  Access is always
565       granted if the invoking user is the super-user or the $mail_owner user.
566       Otherwise, the real UID of the process is looked up in the system pass‐
567       word  file,  and access is granted only if the corresponding login name
568       is on the access list.  The username "unknown" is  used  for  processes
569       whose real UID is not found in the password file.
570
571       Specify  a  list  of user names, "/file/name" or "type:table" patterns,
572       separated by commas and/or whitespace. The  list  is  matched  left  to
573       right,  and the search stops on the first match. A "/file/name" pattern
574       is replaced by its contents; a "type:table"  lookup  table  is  matched
575       when  a name matches a lookup key (the lookup result is ignored).  Con‐
576       tinue long lines by starting the next  line  with  whitespace.  Specify
577       "!pattern"  to  exclude a name from the list. The form "!/file/name" is
578       supported only in Postfix version 2.4 and later.
579
580       This feature is available in Postfix 2.2 and later.
581

authorized_mailq_users (default: static:anyone)

583       List of users who are authorized to view the queue.
584
585       By default, all users are allowed to view the queue.  Access is  always
586       granted if the invoking user is the super-user or the $mail_owner user.
587       Otherwise, the real UID of the process is looked up in the system pass‐
588       word  file,  and access is granted only if the corresponding login name
589       is on the access list.  The username "unknown" is  used  for  processes
590       whose real UID is not found in the password file.
591
592       Specify  a  list  of user names, "/file/name" or "type:table" patterns,
593       separated by commas and/or whitespace. The  list  is  matched  left  to
594       right,  and the search stops on the first match. A "/file/name" pattern
595       is replaced by its contents; a "type:table"  lookup  table  is  matched
596       when  a name matches a lookup key (the lookup result is ignored).  Con‐
597       tinue long lines by starting the next  line  with  whitespace.  Specify
598       "!pattern" to exclude a user name from the list. The form "!/file/name"
599       is supported only in Postfix version 2.4 and later.
600
601       This feature is available in Postfix 2.2 and later.
602

authorized_submit_users (default: static:anyone)

604       List of users who are authorized to submit mail  with  the  sendmail(1)
605       command (and with the privileged postdrop(1) helper command).
606
607       By  default, all users are allowed to submit mail.  Otherwise, the real
608       UID of the process is looked up in the system password file, and access
609       is  granted only if the corresponding login name is on the access list.
610       The username "unknown" is used for processes  whose  real  UID  is  not
611       found in the password file. To deny mail submission access to all users
612       specify an empty list.
613
614       Specify a list of user names, "/file/name"  or  "type:table"  patterns,
615       separated  by  commas  and/or  whitespace.  The list is matched left to
616       right, and the search stops on the first match. A "/file/name"  pattern
617       is  replaced  by  its  contents; a "type:table" lookup table is matched
618       when a name matches a lookup key (the lookup result is ignored).   Con‐
619       tinue  long  lines  by  starting the next line with whitespace. Specify
620       "!pattern" to exclude a user name from the list. The form "!/file/name"
621       is supported only in Postfix version 2.4 and later.
622
623       Example:
624
625       authorized_submit_users = !www, static:all
626
627       This feature is available in Postfix 2.2 and later.
628

authorized_verp_clients (default: $mynetworks)

630       What  remote  SMTP  clients  are  allowed to specify the XVERP command.
631       This command requests that mail be delivered one recipient  at  a  time
632       with a per recipient return address.
633
634       By default, only trusted clients are allowed to specify XVERP.
635
636       This  parameter  was introduced with Postfix version 1.1.  Postfix ver‐
637       sion 2.1 renamed this parameter  to  smtpd_authorized_verp_clients  and
638       changed the default to none.
639
640       Specify  a list of network/netmask patterns, separated by commas and/or
641       whitespace. The mask specifies the number of bits in the  network  part
642       of a host address. You can also specify hostnames or .domain names (the
643       initial  dot  causes  the  domain  to  match  any   name   below   it),
644       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
645       replaced by its contents; a "type:table" lookup table is matched when a
646       table  entry  matches  a  lookup string (the lookup result is ignored).
647       Continue long lines by starting the next line with whitespace.  Specify
648       "!pattern"  to  exclude  an address or network block from the list. The
649       form "!/file/name" is supported only in Postfix version 2.4 and later.
650
651       Note: IP version 6 address information must be specified inside  []  in
652       the   authorized_verp_clients   value,  and  in  files  specified  with
653       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
654       would otherwise be confused with a "type:table" pattern.
655

backwards_bounce_logfile_compatibility (default: yes)

657       Produce  additional bounce(8) logfile records that can be read by Post‐
658       fix versions before 2.0. The current and more extensible "name = value"
659       format  is  needed in order to implement more sophisticated functional‐
660       ity.
661
662       This feature is available in Postfix 2.1 and later.
663

berkeley_db_create_buffer_size (default: 16777216)

665       The per-table I/O buffer size for programs that create Berkeley DB hash
666       or btree tables.  Specify a byte count.
667
668       This feature is available in Postfix 2.0 and later.
669

berkeley_db_read_buffer_size (default: 131072)

671       The  per-table  I/O buffer size for programs that read Berkeley DB hash
672       or btree tables.  Specify a byte count.
673
674       This feature is available in Postfix 2.0 and later.
675

best_mx_transport (default: empty)

677       Where the Postfix SMTP client should deliver mail  when  it  detects  a
678       "mail  loops  back  to  myself"  error condition. This happens when the
679       local MTA is the best SMTP mail exchanger for a destination not  listed
680       in    $mydestination,    $inet_interfaces,   $proxy_interfaces,   $vir‐
681       tual_alias_domains, or $virtual_mailbox_domains.  By default, the Post‐
682       fix SMTP client returns such mail as undeliverable.
683
684       Specify, for example, "best_mx_transport = local" to pass the mail from
685       the Postfix SMTP client to the local(8) delivery agent. You can specify
686       any message delivery "transport" or "transport:nexthop" that is defined
687       in the master.cf file. See the transport(5) manual page for the  syntax
688       and meaning of "transport" or "transport:nexthop".
689
690       However,  this  feature  is expensive because it ties up a Postfix SMTP
691       client process while the local(8) delivery agent is doing its work.  It
692       is  more  efficient (for Postfix) to list all hosted domains in a table
693       or database.
694

biff (default: yes)

696       Whether or not to use the local biff service.  This service sends  "new
697       mail"  notifications  to users who have requested new mail notification
698       with the UNIX command "biff y".
699
700       For compatibility reasons this feature is on by  default.   On  systems
701       with  lots  of interactive users, the biff service can be a performance
702       drain.  Specify "biff = no" in main.cf to disable.
703

body_checks (default: empty)

705       Optional lookup tables for  content  inspection  as  specified  in  the
706       body_checks(5) manual page.
707
708       Note: with Postfix versions before 2.0, these rules inspect all content
709       after the primary message headers.
710

body_checks_size_limit (default: 51200)

712       How much text in a message body segment (or attachment, if  you  prefer
713       to  use  that term) is subjected to body_checks inspection.  The amount
714       of text is limited to avoid scanning huge attachments.
715
716       This feature is available in Postfix 2.0 and later.
717

bounce_notice_recipient (default: postmaster)

719       The recipient of postmaster notifications with the message  headers  of
720       mail  that Postfix did not deliver and of SMTP conversation transcripts
721       of mail that Postfix did not receive.  This feature is enabled with the
722       notify_classes parameter.
723

bounce_queue_lifetime (default: 5d)

725       Consider  a bounce message as undeliverable, when delivery fails with a
726       temporary  error,  and  the  time  in  the  queue   has   reached   the
727       bounce_queue_lifetime limit.  By default, this limit is the same as for
728       regular mail.
729
730       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
731       The default time unit is d (days).
732
733       Specify 0 when mail delivery should be tried only once.
734
735       This feature is available in Postfix 2.1 and later.
736

bounce_service_name (default: bounce)

738       The  name  of the bounce(8) service. This service maintains a record of
739       failed delivery attempts and generates non-delivery notifications.
740
741       This feature is available in Postfix 2.0 and later.
742

bounce_size_limit (default: 50000)

744       The maximal  amount  of  original  message  text  that  is  sent  in  a
745       non-delivery notification. Specify a byte count.  A message is returned
746       as   either   message/rfc822   (the   complete    original)    or    as
747       text/rfc822-headers  (the  headers only).  With Postfix version 2.4 and
748       earlier, a message is always returned as message/rfc822  and  is  trun‐
749       cated when it exceeds the size limit.
750
751       Notes:
752
753       ·      If  you  increase  this  limit,  then  you  should  increase the
754              mime_nesting_limit value proportionally.
755
756       ·      Be careful when making changes.  Excessively large  values  will
757              result  in the loss of non-delivery notifications, when a bounce
758              message size exceeds a local or remote MTA's message size limit.
759

bounce_template_file (default: empty)

761       Pathname of a configuration file with bounce message templates.   These
762       override  the  built-in templates of delivery status notification (DSN)
763       messages for undeliverable mail, for delayed mail, successful delivery,
764       or  delivery  verification.  The bounce(5) manual page describes how to
765       edit and test template files.
766
767       Template message body text may contain $name references to Postfix con‐
768       figuration  parameters.  The result of $name expansion can be previewed
769       with "postconf -b file_name" before the file is placed into the Postfix
770       configuration directory.
771
772       This feature is available in Postfix 2.3 and later.
773

broken_sasl_auth_clients (default: no)

775       Enable  interoperability  with  remote  SMTP  clients that implement an
776       obsolete version of the AUTH  command  (RFC  4954).  Examples  of  such
777       clients  are MicroSoft Outlook Express version 4 and MicroSoft Exchange
778       version 5.0.
779
780       Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
781       support in a non-standard way.
782

canonical_classes (default: envelope_sender, envelope_recipient,

784       header_sender, header_recipient)
785       What addresses are  subject  to  canonical_maps  address  mapping.   By
786       default,  canonical_maps  address mapping is applied to envelope sender
787       and recipient addresses, and to  header  sender  and  header  recipient
788       addresses.
789
790       Specify   one   or   more   of:   envelope_sender,  envelope_recipient,
791       header_sender, header_recipient
792
793       This feature is available in Postfix 2.2 and later.
794

canonical_maps (default: empty)

796       Optional  address  mapping  lookup  tables  for  message  headers   and
797       envelopes.  The  mapping  is  applied  to  both  sender  and  recipient
798       addresses, in both envelopes and in headers,  as  controlled  with  the
799       canonical_classes  parameter.  This is typically used to clean up dirty
800       addresses from legacy mail systems, or to replace login names by First‐
801       name.Lastname.   The table format and lookups are documented in canoni‐
802       cal(5). For an  overview  of  Postfix  address  manipulations  see  the
803       ADDRESS_REWRITING_README document.
804
805       Specify zero or more "type:name" lookup tables, separated by whitespace
806       or comma. Tables will be searched in the specified order until a  match
807       is found.  Note: these lookups are recursive.
808
809       If  you use this feature, run "postmap /etc/postfix/canonical" to build
810       the necessary DBM or DB file  after  every  change.  The  changes  will
811       become visible after a minute or so.  Use "postfix reload" to eliminate
812       the delay.
813
814       Note: with Postfix version 2.2, message header address mapping  happens
815       only when message header address rewriting is enabled:
816
817       ·      The message is received with the Postfix sendmail(1) command,
818
819       ·      The  message  is  received  from  a  network client that matches
820              $local_header_rewrite_clients,
821
822       ·      The  message   is   received   from   the   network,   and   the
823              remote_header_rewrite_domain  parameter  specifies  a  non-empty
824              value.
825
826       To   get   the   behavior   before   Postfix   version   2.2,   specify
827       "local_header_rewrite_clients = static:all".
828
829       Examples:
830
831       canonical_maps = dbm:/etc/postfix/canonical
832       canonical_maps = hash:/etc/postfix/canonical
833

cleanup_service_name (default: cleanup)

835       The  name  of  the  cleanup(8) service. This service rewrites addresses
836       into the standard form, and performs canonical(5) address  mapping  and
837       virtual(5) aliasing.
838
839       This feature is available in Postfix 2.0 and later.
840

command_directory (default: see postconf -d output)

842       The location of all postfix administrative commands.
843

command_execution_directory (default: empty)

845       The  local(8) delivery agent working directory for delivery to external
846       command.  Failure  to  change  directory  causes  the  delivery  to  be
847       deferred.
848
849       The  following $name expansions are done on command_execution_directory
850       before the directory is changed. Expansion happens in  the  context  of
851       the  delivery  request.  The result of $name expansion is filtered with
852       the character set that is specified with the execution_directory_expan‐
853       sion_filter parameter.
854
855       $user  The recipient's username.
856
857       $shell The recipient's login shell pathname.
858
859       $home  The recipient's home directory.
860
861       $recipient
862              The full recipient address.
863
864       $extension
865              The optional recipient address extension.
866
867       $domain
868              The recipient domain.
869
870       $local The entire recipient localpart.
871
872       $recipient_delimiter
873              The  address extension delimiter that was found in the recipient
874              address (Postfix 2.11 and later), or the  system-wide  recipient
875              address extension delimiter (Postfix 2.10 and earlier).
876
877       ${name?value}
878              Expands to value when $name is non-empty.
879
880       ${name:value}
881              Expands to value when $name is empty.
882
883       Instead of $name you can also specify ${name} or $(name).
884
885       This feature is available in Postfix 2.2 and later.
886

command_expansion_filter (default: see postconf -d output)

888       Restrict  the  characters  that  the  local(8) delivery agent allows in
889       $name expansions of $mailbox_command and  $command_execution_directory.
890       Characters outside the allowed set are replaced by underscores.
891

command_time_limit (default: 1000s)

893       Time limit for delivery to external commands. This limit is used by the
894       local(8) delivery agent, and is the default time limit for delivery  by
895       the pipe(8) delivery agent.
896
897       Note:  if  you set this time limit to a large value you must update the
898       global ipc_timeout parameter as well.
899

compatibility_level (default: 0)

901       A safety net that  causes  Postfix  to  run  with  backwards-compatible
902       default settings after an upgrade to a newer Postfix version.
903
904       With backwards compatibility turned on (the main.cf compatibility_level
905       value is less than the Postfix built-in value), Postfix looks for  set‐
906       tings that are left at their implicit default value, and logs a message
907       when a backwards-compatible default setting is required.
908
909           using backwards-compatible default setting name=value
910               to [accept a specific client request]
911
912           using backwards-compatible default setting name=value
913               to [enable specific Postfix behavior]
914
915       See COMPATIBILITY_README for specific message details. If such  a  mes‐
916       sage  is  logged  in  the  context  of a legitimate request, the system
917       administrator should make the backwards-compatible setting permanent in
918       main.cf or master.cf, for example:
919
920           # postconf name=value
921           # postfix reload
922
923       When  no  more backwards-compatible settings need to be made permanent,
924       the administrator should turn off backwards compatibility  by  updating
925       the compatibility_level setting in main.cf:
926
927           # postconf compatibility_level=N
928           # postfix reload
929
930       For N specify the number that is logged in your postfix(1) warning mes‐
931       sage:
932
933           warning: To disable backwards compatibility use "postconf
934               compatibility_level=N" and "postfix reload"
935
936       This feature is available in Postfix 3.0 and later.
937

config_directory (default: see postconf -d output)

939       The default location of the Postfix main.cf and master.cf configuration
940       files. This can be overruled via the following mechanisms:
941
942       ·      The  MAIL_CONFIG environment variable (daemon processes and com‐
943              mands).
944
945       ·      The "-c" command-line option (commands only).
946
947       With Postfix command that run with set-gid privileges, a  config_direc‐
948       tory  override requires either root privileges, or it requires that the
949       directory is listed with the alternate_config_directories parameter  in
950       the default main.cf file.
951

confirm_delay_cleared (default: no)

953       After  sending  a  "your  message  is delayed" notification, inform the
954       sender when the delay clears up. This can result in a sudden  burst  of
955       notifications  at  the end of a prolonged network outage, and is there‐
956       fore disabled by default.
957
958       See also: delay_warning_time.
959
960       This feature is available in Postfix 3.0 and later.
961

connection_cache_protocol_timeout (default: 5s)

963       Time limit for connection cache connect, send  or  receive  operations.
964       The time limit is enforced in the client.
965
966       This feature is available in Postfix 2.3 and later.
967

connection_cache_service_name (default: scache)

969       The name of the scache(8) connection cache service.  This service main‐
970       tains a limited pool of cached sessions.
971
972       This feature is available in Postfix 2.2 and later.
973

connection_cache_status_update_time (default: 600s)

975       How frequently the scache(8) server logs usage statistics with  connec‐
976       tion cache hit and miss rates for logical destinations and for physical
977       endpoints.
978

connection_cache_ttl_limit (default: 2s)

980       The maximal time-to-live value  that  the  scache(8)  connection  cache
981       server  allows.  Requests that specify a larger TTL will be stored with
982       the maximum allowed TTL. The purpose of this additional control  is  to
983       protect  the  infrastructure  against careless people. The cache TTL is
984       already bounded by $max_idle.
985

content_filter (default: empty)

987       After the message is queued, send the entire message to  the  specified
988       transport:destination.  The transport name specifies the first field of
989       a mail delivery agent  definition  in  master.cf;  the  syntax  of  the
990       next-hop destination is described in the manual page of the correspond‐
991       ing delivery agent.  More information about external content filters is
992       in the Postfix FILTER_README file.
993
994       Notes:
995
996       ·      This  setting  has lower precedence than a FILTER action that is
997              specified in an access(5),  header_checks(5)  or  body_checks(5)
998              table.
999
1000       ·      The  meaning  of an empty next-hop filter destination is version
1001              dependent.  Postfix 2.7 and later will use the recipient domain;
1002              earlier  versions  will  use $myhostname.  Specify "default_fil‐
1003              ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1004              earlier,  or  specify  a  content_filter  value with an explicit
1005              next-hop destination.
1006

cyrus_sasl_config_path (default: empty)

1008       Search path for Cyrus SASL application configuration  files,  currently
1009       used  only  to  locate the $smtpd_sasl_path.conf file.  Specify zero or
1010       more directories separated by a colon character, or an empty  value  to
1011       use Cyrus SASL's built-in search path.
1012
1013       This  feature  is available in Postfix 2.5 and later when compiled with
1014       Cyrus SASL 2.1.22 or later.
1015

daemon_directory (default: see postconf -d output)

1017       The directory with Postfix support programs and daemon programs.  These
1018       should  not  be invoked directly by humans. The directory must be owned
1019       by root.
1020

daemon_table_open_error_is_fatal (default: no)

1022       How a Postfix  daemon  process  handles  errors  while  opening  lookup
1023       tables: gradual degradation or immediate termination.
1024
1025        no  (default)
1026              Gradual  degradation:  a  daemon  process logs a message of type
1027              "error" and continues execution with reduced functionality. Fea‐
1028              tures that do not depend on the unavailable table will work nor‐
1029              mally, while features that depend on the table will result in  a
1030              type "warning" message.
1031              When  the  notify_classes  parameter  value  contains the "data"
1032              class, the Postfix SMTP server  and  client  will  report  tran‐
1033              scripts  of  sessions  with an error because a table is unavail‐
1034              able.
1035
1036        yes  (historical behavior)
1037              Immediate termination: a daemon process logs a type "fatal" mes‐
1038              sage and terminates immediately.  This option reduces the number
1039              of possible code paths through Postfix,  and  may  therefore  be
1040              slightly more secure than the default.
1041
1042       For  the sake of sanity, the number of type "error" messages is limited
1043       to 13 over the lifetime of a daemon process.
1044
1045       This feature is available in Postfix 2.9 and later.
1046

daemon_timeout (default: 18000s)

1048       How much time a Postfix daemon process may take  to  handle  a  request
1049       before it is terminated by a built-in watchdog timer.
1050
1051       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1052       The default time unit is s (seconds).
1053

data_directory (default: see postconf -d output)

1055       The directory with Postfix-writable data files  (for  example:  caches,
1056       pseudo-random numbers).  This directory must be owned by the mail_owner
1057       account, and must not be shared with non-Postfix software.
1058
1059       This feature is available in Postfix 2.5 and later.
1060

debug_peer_level (default: 2)

1062       The increment in verbose logging level when a remote client  or  server
1063       matches a pattern in the debug_peer_list parameter.
1064

debug_peer_list (default: empty)

1066       Optional  list  of  remote client or server hostname or network address
1067       patterns that cause the verbose logging level to increase by the amount
1068       specified in $debug_peer_level.
1069
1070       Specify  domain  names, network/netmask patterns, "/file/name" patterns
1071       or  "type:table"  lookup  tables.  The  right-hand  side  result   from
1072       "type:table" lookups is ignored.
1073
1074       Pattern  matching  of  domain  names  is  controlled by the presence or
1075       absence of "debug_peer_list"  in  the  parent_domain_matches_subdomains
1076       parameter value.
1077
1078       Examples:
1079
1080       debug_peer_list = 127.0.0.1
1081       debug_peer_list = example.com
1082

debugger_command (default: empty)

1084       The  external  command  to  execute  when  a  Postfix daemon program is
1085       invoked with the -D option.
1086
1087       Use "command .. & sleep 5" so that the debugger can attach  before  the
1088       process  marches  on. If you use an X-based debugger, be sure to set up
1089       your XAUTHORITY environment variable before starting Postfix.
1090
1091       Note: the command is subject to $name expansion, before it is passed to
1092       the  default  command interpreter. Specify "$$" to produce a single "$"
1093       character.
1094
1095       Example:
1096
1097       debugger_command =
1098           PATH=/usr/bin:/usr/X11R6/bin
1099           ddd $daemon_directory/$process_name $process_id & sleep 5
1100

default_database_type (default: see postconf -d output)

1102       The default database type for use in  newaliases(1),  postalias(1)  and
1103       postmap(1)  commands.  On  many UNIX systems the default type is either
1104       dbm or hash. The default setting is frozen when the Postfix  system  is
1105       built.
1106
1107       Examples:
1108
1109       default_database_type = hash
1110       default_database_type = dbm
1111

default_delivery_slot_cost (default: 5)

1113       How  often  the Postfix queue manager's scheduler is allowed to preempt
1114       delivery of one message with another.
1115
1116       Each transport maintains a so-called "available delivery slot  counter"
1117       for  each message. One message can be preempted by another one when the
1118       other message can be delivered using  no  more  delivery  slots  (i.e.,
1119       invocations  of  delivery  agents) than the current message counter has
1120       accumulated (or will eventually  accumulate  -  see  about  slot  loans
1121       below).  This parameter controls how often is the counter incremented -
1122       it happens after each default_delivery_slot_cost recipients  have  been
1123       delivered.
1124
1125       The  cost of 0 is used to disable the preempting scheduling completely.
1126       The minimum value the scheduling algorithm can use is 2 - use it if you
1127       want to maximize the message throughput rate. Although there is no max‐
1128       imum, it doesn't make much sense to use values above say 50.
1129
1130       The only reason why the value of 2 is not the default is the  way  this
1131       parameter affects the delivery of mailing-list mail. In the worst case,
1132       their  delivery  can   take   somewhere   between   (cost+1/cost)   and
1133       (cost/cost-1) times more than if the preemptive scheduler was disabled.
1134       The default value of 5 turns out to provide reasonable message response
1135       times while making sure the mailing-list deliveries are not extended by
1136       more than 20-25 percent even in the worst case.
1137
1138       Use transport_delivery_slot_cost to specify a transport-specific  over‐
1139       ride,  where  transport  is  the master.cf name of the message delivery
1140       transport.
1141
1142       Examples:
1143
1144       default_delivery_slot_cost = 0
1145       default_delivery_slot_cost = 2
1146

default_delivery_slot_discount (default: 50)

1148       The default value for transport-specific  _delivery_slot_discount  set‐
1149       tings.
1150
1151       This  parameter speeds up the moment when a message preemption can hap‐
1152       pen. Instead of  waiting  until  the  full  amount  of  delivery  slots
1153       required  is available, the preemption can happen when transport_deliv‐
1154       ery_slot_discount percent of the required amount plus  transport_deliv‐
1155       ery_slot_loan  still  remains  to  be  accumulated.  Note that the full
1156       amount will still have to be accumulated before another preemption  can
1157       take place later.
1158
1159       Use  transport_delivery_slot_discount  to  specify a transport-specific
1160       override, where transport is the master.cf name of the message delivery
1161       transport.
1162

default_delivery_slot_loan (default: 3)

1164       The default value for transport-specific _delivery_slot_loan settings.
1165
1166       This  parameter speeds up the moment when a message preemption can hap‐
1167       pen. Instead of  waiting  until  the  full  amount  of  delivery  slots
1168       required  is available, the preemption can happen when transport_deliv‐
1169       ery_slot_discount percent of the required amount plus  transport_deliv‐
1170       ery_slot_loan  still  remains  to  be  accumulated.  Note that the full
1171       amount will still have to be accumulated before another preemption  can
1172       take place later.
1173
1174       Use  transport_delivery_slot_loan to specify a transport-specific over‐
1175       ride, where transport is the master.cf name  of  the  message  delivery
1176       transport.
1177

default_delivery_status_filter (default: empty)

1179       Optional filter to replace the delivery status code or explanatory text
1180       of successful or unsuccessful deliveries.   This  does  not  allow  the
1181       replacement  of  a  successful status code (2.X.X) with an unsuccessful
1182       status code (4.X.X or 5.X.X) or vice versa.
1183
1184       Note: the (smtp|lmtp)_delivery_status_filter is applied only  once  per
1185       recipient:  when delivery is successful, when delivery is rejected with
1186       5XX, or when there are no more alternate  MX  or  A  destinations.  Use
1187       smtp_reply_filter  or  lmtp_reply_filter  to  inspect responses for all
1188       delivery attempts.
1189
1190       The following parameters can be used to implement a filter for specific
1191       delivery   agents:   lmtp_delivery_status_filter,   local_delivery_sta‐
1192       tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1193       virtual_delivery_status_filter.  These parameters support the same fil‐
1194       ter syntax as described here.
1195
1196       Specify zero or more "type:table"  lookup  table  names,  separated  by
1197       comma  or whitespace. For each successful or unsuccessful delivery to a
1198       recipient, the tables are queried in the specified order with one  line
1199       of text that is structured as follows:
1200
1201           enhanced-status-code SPACE explanatory-text
1202
1203       The first table match wins. The lookup result must have the same struc‐
1204       ture as the query, a successful status code (2.X.X)  must  be  replaced
1205       with  a  successful  status code, an unsuccessful status code (4.X.X or
1206       5.X.X) must be replaced with  an  unsuccessful  status  code,  and  the
1207       explanatory  text field must be non-empty. Other results will result in
1208       a warning.
1209
1210       Example 1: convert specific soft TLS errors into hard errors, by  over‐
1211       riding the first number in the enhanced status code.
1212
1213           /etc/postfix/main.cf:
1214               smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
1215
1216           /etc/postfix/smtp_dsn_filter:
1217               /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
1218                   5$1
1219               /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
1220                   5$1
1221               # Do not change the following into hard bounces. They may
1222               # result from a local configuration problem.
1223               # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
1224               # 4.\d+.\d+ TLS is required, but unavailable
1225               # 4.\d+.\d+ Cannot start TLS: handshake failure
1226
1227       Example  2:  censor  the  per-recipient delivery status text so that it
1228       does not reveal the destination  command  or  filename  when  a  remote
1229       sender requests confirmation of successful delivery.
1230
1231           /etc/postfix/main.cf:
1232               local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
1233
1234           /etc/postfix/local_dsn_filter:
1235               /^(2\S+ delivered to file).+/    $1
1236               /^(2\S+ delivered to command).+/ $1
1237
1238       Notes:
1239
1240       ·      This feature will NOT override the soft_bounce safety net.
1241
1242       ·      This  feature will change the enhanced status code and text that
1243              is logged to the maillog file,  and  that  is  reported  to  the
1244              sender in delivery confirmation or non-delivery notifications.
1245
1246       This feature is available in Postfix 3.0 and later.
1247

default_destination_concurrency_failed_cohort_limit (default: 1)

1249       How  many  pseudo-cohorts  must  suffer connection or handshake failure
1250       before a specific destination is considered  unavailable  (and  further
1251       delivery  is suspended). Specify zero to disable this feature. A desti‐
1252       nation's pseudo-cohort failure count is reset each time a delivery com‐
1253       pletes without connection or handshake failure for that specific desti‐
1254       nation.
1255
1256       A pseudo-cohort is the number of deliveries equal  to  a  destination's
1257       delivery concurrency.
1258
1259       Use  transport_destination_concurrency_failed_cohort_limit to specify a
1260       transport-specific override, where transport is the master.cf  name  of
1261       the message delivery transport.
1262
1263       This  feature  is available in Postfix 2.5. The default setting is com‐
1264       patible with earlier Postfix versions.
1265

default_destination_concurrency_limit (default: 20)

1267       The default maximal number of parallel deliveries to the same  destina‐
1268       tion.  This is the default limit for delivery via the lmtp(8), pipe(8),
1269       smtp(8) and virtual(8) delivery agents.  With per-destination recipient
1270       limit > 1, a destination is a domain, otherwise it is a recipient.
1271
1272       Use transport_destination_concurrency_limit to specify a transport-spe‐
1273       cific override, where transport is the master.cf name  of  the  message
1274       delivery transport.
1275

default_destination_concurrency_negative_feedback (default: 1)

1277       The  per-destination  amount of delivery concurrency negative feedback,
1278       after a delivery completes with  a  connection  or  handshake  failure.
1279       Feedback  values  are  in the range 0..1 inclusive. With negative feed‐
1280       back, concurrency is decremented at the  beginning  of  a  sequence  of
1281       length  1/feedback. This is unlike positive feedback, where concurrency
1282       is incremented at the end of a sequence of length 1/feedback.
1283
1284       As of Postfix version 2.5, negative  feedback  cannot  reduce  delivery
1285       concurrency  to  zero.   Instead, a destination is marked dead (further
1286       delivery  suspended)  after  the  failed  pseudo-cohort  count  reaches
1287       $default_destination_concurrency_failed_cohort_limit     (or    $trans‐
1288       port_destination_concurrency_failed_cohort_limit).  To make the  sched‐
1289       uler  completely  immune to connection or handshake failures, specify a
1290       zero feedback value and a zero failed pseudo-cohort limit.
1291
1292       Specify one of the following forms:
1293
1294       number
1295
1296       number / number
1297              Constant feedback. The value must be in the  range  0..1  inclu‐
1298              sive.   The  default  setting  of "1" is compatible with Postfix
1299              versions before 2.5, where a destination's delivery  concurrency
1300              is throttled down to zero (and further delivery suspended) after
1301              a single failed pseudo-cohort.
1302
1303       number / concurrency
1304              Variable feedback of "number  /  (delivery  concurrency)".   The
1305              number must be in the range 0..1 inclusive. With number equal to
1306              "1", a destination's delivery concurrency is  decremented  by  1
1307              after each failed pseudo-cohort.
1308
1309       A  pseudo-cohort  is  the number of deliveries equal to a destination's
1310       delivery concurrency.
1311
1312       Use transport_destination_concurrency_negative_feedback  to  specify  a
1313       transport-specific  override,  where transport is the master.cf name of
1314       the message delivery transport.
1315
1316       This feature is available in Postfix 2.5. The default setting  is  com‐
1317       patible with earlier Postfix versions.
1318

default_destination_concurrency_positive_feedback (default: 1)

1320       The  per-destination  amount of delivery concurrency positive feedback,
1321       after a delivery completes without  connection  or  handshake  failure.
1322       Feedback  values  are  in  the  range  0..1 inclusive.  The concurrency
1323       increases until it  reaches  the  per-destination  maximal  concurrency
1324       limit. With positive feedback, concurrency is incremented at the end of
1325       a sequence with length 1/feedback. This is  unlike  negative  feedback,
1326       where  concurrency  is decremented at the start of a sequence of length
1327       1/feedback.
1328
1329       Specify one of the following forms:
1330
1331       number
1332
1333       number / number
1334              Constant feedback.  The value must be in the range  0..1  inclu‐
1335              sive. The default setting of "1" is compatible with Postfix ver‐
1336              sions before 2.5, where  a  destination's  delivery  concurrency
1337              doubles after each successful pseudo-cohort.
1338
1339       number / concurrency
1340              Variable  feedback  of  "number  / (delivery concurrency)".  The
1341              number must be in the range 0..1 inclusive. With number equal to
1342              "1",  a  destination's  delivery concurrency is incremented by 1
1343              after each successful pseudo-cohort.
1344
1345       A pseudo-cohort is the number of deliveries equal  to  a  destination's
1346       delivery concurrency.
1347
1348       Use  transport_destination_concurrency_positive_feedback  to  specify a
1349       transport-specific override, where transport is the master.cf  name  of
1350       the message delivery transport.
1351
1352       This feature is available in Postfix 2.5 and later.
1353

default_destination_rate_delay (default: 0s)

1355       The  default amount of delay that is inserted between individual deliv‐
1356       eries to the same destination; the resulting behavior  depends  on  the
1357       value of the corresponding per-destination recipient limit.
1358
1359       ·      With  a  corresponding  per-destination recipient limit > 1, the
1360              rate delay specifies the time between  deliveries  to  the  same
1361              domain.  Different domains are delivered in parallel, subject to
1362              the process limits specified in master.cf.
1363
1364       ·      With a corresponding per-destination recipient limit equal to 1,
1365              the rate delay specifies the time between deliveries to the same
1366              recipient. Different recipients are delivered in parallel,  sub‐
1367              ject to the process limits specified in master.cf.
1368
1369       To  enable  the delay, specify a non-zero time value (an integral value
1370       plus an optional one-letter suffix that specifies the time unit).
1371
1372       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
1373       The default time unit is s (seconds).
1374
1375       NOTE: the delay is enforced by the queue manager. The delay timer state
1376       does not survive "postfix reload" or "postfix stop".
1377
1378       Use transport_destination_rate_delay to  specify  a  transport-specific
1379       override, where transport is the master.cf name of the message delivery
1380       transport.
1381
1382       NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1383       tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1384       fix from deferring all mail for the same  destination  after  only  one
1385       connection or handshake error.
1386
1387       This feature is available in Postfix 2.5 and later.
1388

default_destination_recipient_limit (default: 50)

1390       The default maximal number of recipients per message delivery.  This is
1391       the default limit for delivery via the lmtp(8),  pipe(8),  smtp(8)  and
1392       virtual(8) delivery agents.
1393
1394       Setting this parameter to a value of 1 affects email deliveries as fol‐
1395       lows:
1396
1397       ·      It changes the meaning of the corresponding per-destination con‐
1398              currency  limit,  from  concurrency  of  deliveries  to the same
1399              domain into concurrency of deliveries  to  the  same  recipient.
1400              Different  recipients  are delivered in parallel, subject to the
1401              process limits specified in master.cf.
1402
1403       ·      It changes the meaning of the corresponding per-destination rate
1404              delay, from the delay between deliveries to the same domain into
1405              the delay between deliveries to the same recipient.  Again, dif‐
1406              ferent  recipients  are  delivered  in  parallel, subject to the
1407              process limits specified in master.cf.
1408
1409       ·      It changes the meaning of  other  corresponding  per-destination
1410              settings  in a similar manner, from settings for delivery to the
1411              same domain into settings for delivery to the same recipient.
1412
1413       Use transport_destination_recipient_limit to specify  a  transport-spe‐
1414       cific  override,  where  transport is the master.cf name of the message
1415       delivery transport.
1416

default_extra_recipient_limit (default: 1000)

1418       The default value for the extra per-transport limit imposed on the num‐
1419       ber  of  in-memory  recipients.  This extra recipient space is reserved
1420       for the cases when the Postfix queue manager's scheduler  preempts  one
1421       message with another and suddenly needs some extra recipients slots for
1422       the chosen message in order to avoid performance degradation.
1423
1424       Use transport_extra_recipient_limit  to  specify  a  transport-specific
1425       override, where transport is the master.cf name of the message delivery
1426       transport.
1427

default_filter_nexthop (default: empty)

1429       When a content_filter or FILTER request specifies no explicit  next-hop
1430       destination,  use  $default_filter_nexthop  instead; when that value is
1431       empty, use the domain in the recipient address.  Specify  "default_fil‐
1432       ter_nexthop  =  $myhostname" for compatibility with Postfix version 2.6
1433       and earlier, or specify an explicit next-hop destination with each con‐
1434       tent_filter value or FILTER action.
1435
1436       This feature is available in Postfix 2.7 and later.
1437

default_minimum_delivery_slots (default: 3)

1439       How  many recipients a message must have in order to invoke the Postfix
1440       queue manager's scheduling algorithm  at  all.   Messages  which  would
1441       never  accumulate  at  least  this many delivery slots (subject to slot
1442       cost parameter as well) are never preempted.
1443
1444       Use transport_minimum_delivery_slots to  specify  a  transport-specific
1445       override, where transport is the master.cf name of the message delivery
1446       transport.
1447

default_privs (default: nobody)

1449       The default rights used by the local(8) delivery agent for delivery  to
1450       external  file  or  command.   These  rights  are used when delivery is
1451       requested from an aliases(5) file that is owned by root, or when deliv‐
1452       ery  is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE
1453       POSTFIX OWNER.
1454

default_process_limit (default: 100)

1456       The default maximal number of Postfix child processes  that  provide  a
1457       given service. This limit can be overruled for specific services in the
1458       master.cf file.
1459

default_rbl_reply (default: see postconf -d output)

1461       The default Postfix SMTP server response template for a request that is
1462       rejected by an RBL-based restriction. This template can be overruled by
1463       specific entries in the optional rbl_reply_maps lookup table.
1464
1465       This feature is available in Postfix 2.0 and later.
1466
1467       The template is subject to exactly one level of $name substitution:
1468
1469       $client
1470              The client hostname and IP address, formatted as name[address].
1471
1472       $client_address
1473              The client IP address.
1474
1475       $client_name
1476              The      client      hostname      or       "unknown".       See
1477              reject_unknown_client_hostname for more details.
1478
1479       $reverse_client_name
1480              The  client  hostname  from  address->name lookup, or "unknown".
1481              See reject_unknown_reverse_client_hostname for more details.
1482
1483       $helo_name
1484              The hostname given in HELO or EHLO command or empty string.
1485
1486       $rbl_class
1487              The blacklisted entity type: Client host, Helo  command,  Sender
1488              address, or Recipient address.
1489
1490       $rbl_code
1491              The   numerical  SMTP  response  code,  as  specified  with  the
1492              maps_rbl_reject_code configuration parameter. Note: The  numeri‐
1493              cal SMTP response code is required, and must appear at the start
1494              of the reply. With Postfix version 2.3 and later  this  informa‐
1495              tion may be followed by an RFC 3463 enhanced status code.
1496
1497       $rbl_domain
1498              The RBL domain where $rbl_what is blacklisted.
1499
1500       $rbl_reason
1501              The reason why $rbl_what is blacklisted, or an empty string.
1502
1503       $rbl_what
1504              The  entity  that  is  blacklisted (an IP address, a hostname, a
1505              domain name, or an email address whose domain was blacklisted).
1506
1507       $recipient
1508              The recipient address or <> in case of the null address.
1509
1510       $recipient_domain
1511              The recipient domain or empty string.
1512
1513       $recipient_name
1514              The recipient address localpart or <> in case of null address.
1515
1516       $sender
1517              The sender address or <> in case of the null address.
1518
1519       $sender_domain
1520              The sender domain or empty string.
1521
1522       $sender_name
1523              The sender address localpart or <> in case of the null address.
1524
1525       ${name?text}
1526              Expands to `text' if $name is not empty.
1527
1528       ${name:text}
1529              Expands to `text' if $name is empty.
1530
1531       Instead of $name you can also specify ${name} or $(name).
1532
1533       Note: when an enhanced status code is specified in an  RBL  reply  tem‐
1534       plate,  it  is  subject to modification.  The following transformations
1535       are needed when the same RBL reply template is used for  client,  helo,
1536       sender, or recipient access restrictions.
1537
1538       ·      When  rejecting  a  sender address, the Postfix SMTP server will
1539              transform a recipient DSN status (e.g.,  4.1.1-4.1.6)  into  the
1540              corresponding sender DSN status, and vice versa.
1541
1542       ·      When rejecting non-address information (such as the HELO command
1543              argument or  the  client  hostname/address),  the  Postfix  SMTP
1544              server  will  transform  a sender or recipient DSN status into a
1545              generic non-address DSN status (e.g., 4.0.0).
1546

default_recipient_limit (default: 20000)

1548       The default per-transport upper limit on the number of in-memory recip‐
1549       ients.  These limits take priority over the global qmgr_message_recipi‐
1550       ent_limit after the message has been assigned to the respective  trans‐
1551       ports.  See also default_extra_recipient_limit and qmgr_message_recipi‐
1552       ent_minimum.
1553
1554       Use transport_recipient_limit to specify a transport-specific override,
1555       where  transport  is  the master.cf name of the message delivery trans‐
1556       port.
1557

default_recipient_refill_delay (default: 5s)

1559       The default per-transport maximum  delay  between  recipients  refills.
1560       When not all message recipients fit into the memory at once, keep load‐
1561       ing more of them at least once every this many seconds.  This  is  used
1562       to  make  sure  the  recipients are refilled in timely manner even when
1563       $default_recipient_refill_limit is too high for too slow deliveries.
1564
1565       Use transport_recipient_refill_delay to  specify  a  transport-specific
1566       override, where transport is the master.cf name of the message delivery
1567       transport.
1568
1569       This feature is available in Postfix 2.4 and later.
1570

default_recipient_refill_limit (default: 100)

1572       The default per-transport limit on the number of recipients refilled at
1573       once.   When  not  all  message recipients fit into the memory at once,
1574       keep loading more of them in batches of at least this many at  a  time.
1575       See also $default_recipient_refill_delay, which may result in recipient
1576       batches lower than this when this limit is too high for too slow deliv‐
1577       eries.
1578
1579       Use  transport_recipient_refill_limit  to  specify a transport-specific
1580       override, where transport is the master.cf name of the message delivery
1581       transport.
1582
1583       This feature is available in Postfix 2.4 and later.
1584

default_transport (default: smtp)

1586       The default mail delivery transport and next-hop destination for desti‐
1587       nations   that   do   not   match   $mydestination,   $inet_interfaces,
1588       $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
1589       $relay_domains.   This  information   can   be   overruled   with   the
1590       sender_dependent_default_transport_maps  parameter  and with the trans‐
1591       port(5) table.
1592
1593       In order of decreasing precedence, the  nexthop  destination  is  taken
1594       from    $sender_dependent_default_transport_maps,   $default_transport,
1595       $sender_dependent_relayhost_maps, $relayhost,  or  from  the  recipient
1596       domain.
1597
1598       Specify  a string of the form transport:nexthop, where transport is the
1599       name of a mail delivery transport defined in master.cf.   The  :nexthop
1600       destination is optional; its syntax is documented in the manual page of
1601       the corresponding delivery agent.
1602
1603       Example:
1604
1605       default_transport = uucp:relayhostname
1606

default_transport_rate_delay (default: 0s)

1608       The default amount of delay that is inserted between individual  deliv‐
1609       eries  over the same message delivery transport, regardless of destina‐
1610       tion. If non-zero, all deliveries over the same message delivery trans‐
1611       port will happen one at a time.
1612
1613       Use  transport_transport_rate_delay  to  specify  a  transport-specific
1614       override, where the initial transport is the master.cf name of the mes‐
1615       sage delivery transport.
1616
1617       Example:  throttle  outbound  SMTP  mail  to  at  most 3 deliveries per
1618       minute.
1619
1620       /etc/postfix/main.cf:
1621           smtp_transport_rate_delay = 20s
1622
1623       To enable the delay, specify a non-zero time value (an  integral  value
1624       plus an optional one-letter suffix that specifies the time unit).
1625
1626       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1627       The default time unit is s (seconds).
1628
1629       NOTE: the delay is enforced by the queue manager.
1630
1631       This feature is available in Postfix 3.1 and later.
1632

default_verp_delimiters (default: +=)

1634       The two default VERP delimiter  characters.  These  are  used  when  no
1635       explicit  delimiters  are specified with the SMTP XVERP command or with
1636       the "sendmail -V" command-line  option.  Specify  characters  that  are
1637       allowed by the verp_delimiter_filter setting.
1638
1639       This feature is available in Postfix 1.1 and later.
1640

defer_code (default: 450)

1642       The  numerical  Postfix  SMTP  server  response code when a remote SMTP
1643       client request is rejected by the "defer" restriction.
1644
1645       Do not change this unless you have  a  complete  understanding  of  RFC
1646       5321.
1647

defer_service_name (default: defer)

1649       The  name  of  the  defer  service.  This service is implemented by the
1650       bounce(8) daemon and maintains a record of failed delivery attempts and
1651       generates non-delivery notifications.
1652
1653       This feature is available in Postfix 2.0 and later.
1654

defer_transports (default: empty)

1656       The  names  of message delivery transports that should not deliver mail
1657       unless someone issues "sendmail -q" or equivalent. Specify zero or more
1658       names  of mail delivery transports names that appear in the first field
1659       of master.cf.
1660
1661       Example:
1662
1663       defer_transports = smtp
1664

delay_logging_resolution_limit (default: 2)

1666       The maximal number of digits  after  the  decimal  point  when  logging
1667       sub-second delay values.  Specify a number in the range 0..6.
1668
1669       Large delay values are rounded off to an integral number seconds; delay
1670       values below the delay_logging_resolution_limit are logged as "0",  and
1671       delay values under 100s are logged with at most two-digit precision.
1672
1673       The format of the "delays=a/b/c/d" logging is as follows:
1674
1675       ·      a = time from message arrival to last active queue entry
1676
1677       ·      b = time from last active queue entry to connection setup
1678
1679       ·      c = time in connection setup, including DNS, EHLO and STARTTLS
1680
1681       ·      d = time in message transmission
1682
1683       This feature is available in Postfix 2.3 and later.
1684

delay_notice_recipient (default: postmaster)

1686       The  recipient  of postmaster notifications with the message headers of
1687       mail that cannot be delivered within $delay_warning_time time units.
1688
1689       See also: delay_warning_time, notify_classes.
1690

delay_warning_time (default: 0h)

1692       The time after which the sender receives a copy of the message  headers
1693       of  mail that is still queued. The confirm_delay_cleared parameter con‐
1694       trols sender notification when the delay clears up.
1695
1696       To enable this feature, specify a  non-zero  time  value  (an  integral
1697       value plus an optional one-letter suffix that specifies the time unit).
1698
1699       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1700       The default time unit is h (hours).
1701
1702       See     also:     delay_notice_recipient,     notify_classes,      con‐
1703       firm_delay_cleared.
1704

deliver_lock_attempts (default: 20)

1706       The  maximal number of attempts to acquire an exclusive lock on a mail‐
1707       box file or bounce(8) logfile.
1708

deliver_lock_delay (default: 1s)

1710       The time between attempts to acquire an exclusive  lock  on  a  mailbox
1711       file or bounce(8) logfile.
1712
1713       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1714       The default time unit is s (seconds).
1715

destination_concurrency_feedback_debug (default: no)

1717       Make the queue manager's feedback  algorithm  verbose  for  performance
1718       analysis purposes.
1719
1720       This feature is available in Postfix 2.5 and later.
1721

detect_8bit_encoding_header (default: yes)

1723       Automatically detect 8BITMIME body content by looking at Content-Trans‐
1724       fer-Encoding:  message  headers;  historically,   this   behavior   was
1725       hard-coded to be "always on".
1726
1727       This feature is available in Postfix 2.5 and later.
1728

disable_dns_lookups (default: no)

1730       Disable  DNS  lookups  in  the Postfix SMTP and LMTP clients. When dis‐
1731       abled, hosts are looked up with the getaddrinfo() system  library  rou‐
1732       tine which normally also looks in /etc/hosts.  As of Postfix 2.11, this
1733       parameter is deprecated; use smtp_dns_support_level instead.
1734
1735       DNS lookups are enabled by default.
1736

disable_mime_input_processing (default: no)

1738       Turn off MIME processing while receiving mail. This means that no  spe‐
1739       cial  treatment is given to Content-Type: message headers, and that all
1740       text after the initial message headers is considered to be part of  the
1741       message body.
1742
1743       This feature is available in Postfix 2.0 and later.
1744
1745       Mime  input processing is enabled by default, and is needed in order to
1746       recognize MIME headers in message content.
1747

disable_mime_output_conversion (default: no)

1749       Disable the conversion of 8BITMIME format to 7BIT format.  Mime  output
1750       conversion  is  needed when the destination does not advertise 8BITMIME
1751       support.
1752
1753       This feature is available in Postfix 2.0 and later.
1754

disable_verp_bounces (default: no)

1756       Disable sending one bounce report per recipient.
1757
1758       The default, one per recipient, is what ezmlm needs.
1759
1760       This feature is available in Postfix 1.1 and later.
1761

disable_vrfy_command (default: no)

1763       Disable the SMTP VRFY command. This stops some techniques used to  har‐
1764       vest email addresses.
1765
1766       Example:
1767
1768       disable_vrfy_command = no
1769

dns_ncache_ttl_fix_enable (default: no)

1771       Enable a workaround for future libc incompatibility. The Postfix imple‐
1772       mentation of RFC 2308 negative reply caching relies on the promise that
1773       res_query()  and  res_search()  invoke  res_send(),  which  returns the
1774       server response in an application buffer even if the  requested  record
1775       does  not  exist.  If this promise is broken, specify "yes" to enable a
1776       workaround for DNS reputation lookups.
1777
1778       This feature is available in Postfix 3.1 and later.
1779

dnsblog_reply_delay (default: 0s)

1781       A debugging aid to artificially delay DNS responses.
1782
1783       This feature is available in Postfix 2.8.
1784

dnsblog_service_name (default: dnsblog)

1786       The name of the dnsblog(8) service entry  in  master.cf.  This  service
1787       performs DNS white/blacklist lookups.
1788
1789       This feature is available in Postfix 2.8 and later.
1790

dont_remove (default: 0)

1792       Don't remove queue files and save them to the "saved" mail queue.  This
1793       is a debugging aid.  To inspect the envelope information and content of
1794       a Postfix queue file, use the postcat(1) command.
1795

double_bounce_sender (default: double-bounce)

1797       The  sender  address  of postmaster notifications that are generated by
1798       the mail system. All mail to this address  is  silently  discarded,  in
1799       order to terminate mail bounce loops.
1800

duplicate_filter_limit (default: 1000)

1802       The  maximal  number  of  addresses remembered by the address duplicate
1803       filter for aliases(5) or virtual(5) alias expansion,  or  for  showq(8)
1804       queue displays.
1805

empty_address_default_transport_maps_lookup_key (default: <>)

1807       The  sender_dependent_default_transport_maps search string that will be
1808       used instead of the null sender address.
1809
1810       This feature is available in Postfix 2.7 and later.
1811

empty_address_recipient (default: MAILER-DAEMON)

1813       The recipient of mail addressed to the null address.  Postfix does  not
1814       accept  such  addresses in SMTP commands, but they may still be created
1815       locally as the result of configuration or software error.
1816

empty_address_relayhost_maps_lookup_key (default: <>)

1818       The sender_dependent_relayhost_maps search string  that  will  be  used
1819       instead of the null sender address.
1820
1821       This  feature  is available in Postfix 2.5 and later. With earlier ver‐
1822       sions, sender_dependent_relayhost_maps lookups  were  skipped  for  the
1823       null sender address.
1824

enable_errors_to (default: no)

1826       Report mail delivery errors to the address specified with the non-stan‐
1827       dard Errors-To: message header, instead of the envelope sender  address
1828       (this  feature  is  removed  with Postfix version 2.2, is turned off by
1829       default with Postfix version 2.1, and is always turned  on  with  older
1830       Postfix versions).
1831

enable_idna2003_compatibility (default: no)

1833       Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
1834       converting UTF-8 domain names to/from the ASCII form that is  used  for
1835       DNS  lookups.  Specify "yes" for compatibility with Postfix <= 3.1 (not
1836       recommended). This affects the conversion of domain names that  contain
1837       for  example  the  German  sz  and  the  Greek  zeta.   See http://uni
1838       code.org/cldr/utility/idna.jsp for more examples.
1839
1840       This feature is available in Postfix 3.2 and later.
1841

enable_long_queue_ids (default: no)

1843       Enable long, non-repeating, queue IDs (queue file names).  The  benefit
1844       of  non-repeating  names  is  simpler logfile analysis and easier queue
1845       migration (there is no need to run "postsuper"  to  change  queue  file
1846       names that don't match their message file inode number).
1847
1848       Note:  see below for how to convert long queue file names to Postfix <=
1849       2.8.
1850
1851       Changing the parameter value to "yes" has the following effects:
1852
1853       ·      Existing queue file names are not affected.
1854
1855       ·      New queue files are created with names such as  3Pt2mN2VXxznjll.
1856              These  are encoded in a 52-character alphabet that contains dig‐
1857              its (0-9),  upper-case  letters  (B-Z)  and  lower-case  letters
1858              (b-z).  For  safety reasons the vowels (AEIOUaeiou) are excluded
1859              from the alphabet.  The name format is: 6 or more characters for
1860              the  time in seconds, 4 characters for the time in microseconds,
1861              the 'z'; the remainder is the file inode number encoded  in  the
1862              first 51 characters of the 52-character alphabet.
1863
1864       ·      New messages have a Message-ID header with queueID@myhostname.
1865
1866       ·      The  mailq  (postqueue  -p)  output has a wider Queue ID column.
1867              The number of whitespace-separated fields is not changed.
1868
1869       ·      The hash_queue_depth algorithm uses the first characters of  the
1870              queue  file creation time in microseconds, after conversion into
1871              hexadecimal representation. This produces the same queue hashing
1872              behavior   as   if   the   queue  file  name  was  created  with
1873              "enable_long_queue_ids = no".
1874
1875       Changing the parameter value to "no" has the following effects:
1876
1877       ·      Existing long queue file names are renamed  to  the  short  form
1878              (while running "postfix reload" or "postsuper").
1879
1880       ·      New  queue files are created with names such as C3CD21F3E90 from
1881              a hexadecimal alphabet that contains digits (0-9) and upper-case
1882              letters  (A-F). The name format is: 5 characters for the time in
1883              microseconds; the remainder is the file inode number.
1884
1885       ·      New  messages  have  a  Message-ID   header   with   YYYYMMDDHH‐
1886              MMSS.queueid@myhostname,  where  YYYYMMDDHHMMSS  are  the  year,
1887              month, day, hour, minute and second.
1888
1889       ·      The mailq (postqueue -p) output has  the  same  format  as  with
1890              Postfix <= 2.8.
1891
1892       ·      The  hash_queue_depth algorithm uses the first characters of the
1893              queue file name, with the hexadecimal representation of the file
1894              creation time in microseconds.
1895
1896       Before migration to Postfix <= 2.8, the following commands are required
1897       to convert long queue file names into short names:
1898
1899       # postfix stop
1900       # postconf enable_long_queue_ids=no
1901       # postsuper
1902
1903       Repeat the postsuper command until it reports no more queue  file  name
1904       changes.
1905
1906       This feature is available in Postfix 2.9 and later.
1907

enable_original_recipient (default: yes)

1909       Enable  support  for the original recipient address after an address is
1910       rewritten to a different address (for example  with  aliasing  or  with
1911       canonical mapping).
1912
1913       The original recipient address is used as follows:
1914
1915       Final delivery
1916              With  "enable_original_recipient  = yes", the original recipient
1917              address is stored in  the  X-Original-To  message  header.  This
1918              header  may  be used to distinguish between different recipients
1919              that share the same mailbox.
1920
1921       Recipient deduplication
1922              With "enable_original_recipient = yes",  the  cleanup(8)  daemon
1923              performs duplicate recipient elimination based on the content of
1924              (original recipient, maybe-rewritten recipient)  pairs.   Other‐
1925              wise,  the cleanup(8) daemon performs duplicate recipient elimi‐
1926              nation based only on the maybe-rewritten recipient address.
1927
1928       Note: with Postfix <= 3.2 the "setting enable_original_recipient =  no"
1929       breaks address verification for addresses that are aliased or otherwise
1930       rewritten (Postfix is unable to store the address  verification  result
1931       under the original probe destination address; instead, it can store the
1932       result only under the rewritten address).
1933
1934       This feature is available in Postfix 2.1 and later. Postfix version 2.0
1935       behaves  as  if  this parameter is always set to yes.  Postfix versions
1936       before 2.0 have no support for the original recipient address.
1937

error_notice_recipient (default: postmaster)

1939       The recipient of postmaster notifications about mail delivery  problems
1940       that  are  caused  by  policy,  resource,  software or protocol errors.
1941       These notifications are enabled with the notify_classes parameter.
1942

error_service_name (default: error)

1944       The name of the error(8) pseudo delivery  agent.  This  service  always
1945       returns mail as undeliverable.
1946
1947       This feature is available in Postfix 2.0 and later.
1948

execution_directory_expansion_filter (default: see postconf -d output)

1950       Restrict  the  characters  that  the  local(8) delivery agent allows in
1951       $name expansions of $command_execution_directory.   Characters  outside
1952       the allowed set are replaced by underscores.
1953
1954       This feature is available in Postfix 2.2 and later.
1955

expand_owner_alias (default: no)

1957       When  delivering  to an alias "aliasname" that has an "owner-aliasname"
1958       companion alias, set the envelope sender address to  the  expansion  of
1959       the  "owner-aliasname"  alias.   Normally,  Postfix  sets  the envelope
1960       sender address to the name of the "owner-aliasname" alias.
1961

export_environment (default: see postconf -d output)

1963       The list of environment variables that a Postfix process will export to
1964       non-Postfix  processes. The TZ variable is needed for sane time keeping
1965       on System-V-ish systems.
1966
1967       Specify a list of names and/or name=value pairs,  separated  by  white‐
1968       space or comma. Specify "{ name=value }" to protect whitespace or comma
1969       in parameter values (whitespace after "{" and before "}"  is  ignored).
1970       The  form  name=value  is supported with Postfix version 2.1 and later;
1971       the use of {} is supported with Postfix 3.0 and later.
1972
1973       Example:
1974
1975       export_environment = TZ PATH=/bin:/usr/bin
1976

extract_recipient_limit (default: 10240)

1978       The maximal number of recipient addresses  that  Postfix  will  extract
1979       from message headers when mail is submitted with "sendmail -t".
1980
1981       This feature was removed in Postfix version 2.1.
1982

fallback_relay (default: empty)

1984       Optional  list of relay hosts for SMTP destinations that can't be found
1985       or that are unreachable. With Postfix 2.3 this parameter is renamed  to
1986       smtp_fallback_relay.
1987
1988       By  default,  mail  is returned to the sender when a destination is not
1989       found, and delivery is deferred when a destination is unreachable.
1990
1991       The fallback relays must be SMTP destinations. Specify a domain,  host,
1992       host:port,  [host]:port,  [address]  or [address]:port; the form [host]
1993       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
1994       fix will try them in the specified order.
1995
1996       Note:  before  Postfix  2.2, do not use the fallback_relay feature when
1997       relaying mail for a backup  or  primary  MX  domain.  Mail  would  loop
1998       between  the Postfix MX host and the fallback_relay host when the final
1999       destination is unavailable.
2000
2001       ·      In main.cf specify "relay_transport = relay",
2002
2003       ·      In master.cf specify "-o fallback_relay =" (i.e., empty) at  the
2004              end of the relay entry.
2005
2006       ·      In transport maps, specify "relay:nexthop..."  as the right-hand
2007              side for backup or primary MX domain entries.
2008
2009       Postfix version 2.2 and later will not use the  fallback_relay  feature
2010       for destinations that it is MX host for.
2011

fallback_transport (default: empty)

2013       Optional  message  delivery  transport that the local(8) delivery agent
2014       should use for names that are not found in the aliases(5) or UNIX pass‐
2015       word database.
2016
2017       The  precedence  of  local(8)  delivery  features  from high to low is:
2018       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2019       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
2020       tory, fallback_transport_maps, fallback_transport and luser_relay.
2021

fallback_transport_maps (default: empty)

2023       Optional lookup tables with per-recipient message  delivery  transports
2024       for  recipients  that the local(8) delivery agent could not find in the
2025       aliases(5) or UNIX password database.
2026
2027       The precedence of local(8) delivery  features  from  high  to  low  is:
2028       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2029       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
2030       tory, fallback_transport_maps, fallback_transport and luser_relay.
2031
2032       For  safety  reasons, this feature does not allow $number substitutions
2033       in regular expression maps.
2034
2035       This feature is available in Postfix 2.3 and later.
2036

fast_flush_domains (default: $relay_domains)

2038       Optional list of destinations that  are  eligible  for  per-destination
2039       logfiles with mail that is queued to those destinations.
2040
2041       By  default,  Postfix maintains "fast flush" logfiles only for destina‐
2042       tions that the Postfix SMTP server is willing to  relay  to  (i.e.  the
2043       default    is:   "fast_flush_domains   =   $relay_domains";   see   the
2044       relay_domains parameter in the postconf(5) manual).
2045
2046       Specify a list of hosts or domains, "/file/name" patterns or  "type:ta‐
2047       ble"  lookup  tables,  separated by commas and/or whitespace.  Continue
2048       long lines by starting the next line with  whitespace.  A  "/file/name"
2049       pattern  is  replaced  by  its contents; a "type:table" lookup table is
2050       matched when the domain or its parent domain appears as lookup key.
2051
2052       Pattern matching of domain names  is  controlled  by  the  presence  or
2053       absence of "fast_flush_domains" in the parent_domain_matches_subdomains
2054       parameter value.
2055
2056       Specify "fast_flush_domains =" (i.e., empty)  to  disable  the  feature
2057       altogether.
2058

fast_flush_purge_time (default: 7d)

2060       The  time  after which an empty per-destination "fast flush" logfile is
2061       deleted.
2062
2063       You can specify the time as a number, or as a number followed by a let‐
2064       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2065       d=days, w=weeks.  The default time unit is days.
2066

fast_flush_refresh_time (default: 12h)

2068       The time after which  a  non-empty  but  unread  per-destination  "fast
2069       flush"  logfile  needs  to be refreshed.  The contents of a logfile are
2070       refreshed by requesting delivery of all messages listed in the logfile.
2071
2072       You can specify the time as a number, or as a number followed by a let‐
2073       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2074       d=days, w=weeks.  The default time unit is hours.
2075

fault_injection_code (default: 0)

2077       Force specific internal tests to fail, to test the handling  of  errors
2078       that are difficult to reproduce otherwise.
2079

flush_service_name (default: flush)

2081       The  name  of the flush(8) service. This service maintains per-destina‐
2082       tion logfiles with the queue file names of  mail  that  is  queued  for
2083       those destinations.
2084
2085       This feature is available in Postfix 2.0 and later.
2086

fork_attempts (default: 5)

2088       The maximal number of attempts to fork() a child process.
2089

fork_delay (default: 1s)

2091       The delay between attempts to fork() a child process.
2092
2093       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2094       The default time unit is s (seconds).
2095

forward_expansion_filter (default: see postconf -d output)

2097       Restrict the characters that the  local(8)  delivery  agent  allows  in
2098       $name  expansions of $forward_path.  Characters outside the allowed set
2099       are replaced by underscores.
2100

forward_path (default: see postconf -d output)

2102       The local(8) delivery agent search list for  finding  a  .forward  file
2103       with  user-specified  delivery methods. The first file that is found is
2104       used.
2105
2106       The following $name expansions are  done  on  forward_path  before  the
2107       search actually happens. The result of $name expansion is filtered with
2108       the character set that is specified with  the  forward_expansion_filter
2109       parameter.
2110
2111       $user  The recipient's username.
2112
2113       $shell The recipient's login shell pathname.
2114
2115       $home  The recipient's home directory.
2116
2117       $recipient
2118              The full recipient address.
2119
2120       $extension
2121              The optional recipient address extension.
2122
2123       $domain
2124              The recipient domain.
2125
2126       $local The entire recipient localpart.
2127
2128       $recipient_delimiter
2129              The  address extension delimiter that was found in the recipient
2130              address (Postfix 2.11 and later), or the  system-wide  recipient
2131              address extension delimiter (Postfix 2.10 and earlier).
2132
2133       ${name?value}
2134              Expands to value when $name is non-empty.
2135
2136       ${name:value}
2137              Expands to value when $name is empty.
2138
2139       Instead of $name you can also specify ${name} or $(name).
2140
2141       Examples:
2142
2143       forward_path = /var/forward/$user
2144       forward_path =
2145           /var/forward/$user/.forward$recipient_delimiter$extension,
2146           /var/forward/$user/.forward
2147

frozen_delivered_to (default: yes)

2149       Update  the local(8) delivery agent's idea of the Delivered-To: address
2150       (see prepend_delivered_header) only once, at the start  of  a  delivery
2151       attempt;  do  not  update  the  Delivered-To:  address  while expanding
2152       aliases or .forward files.
2153
2154       This feature is available in Postfix 2.3 and later. With older  Postfix
2155       releases,  the behavior is as if this parameter is set to "no". The old
2156       setting can be expensive with deeply nested aliases or .forward  files.
2157       When  an  alias  or .forward file changes the Delivered-To: address, it
2158       ties up one queue file and one cleanup process instance while  mail  is
2159       being forwarded.
2160

hash_queue_depth (default: 1)

2162       The number of subdirectory levels for queue directories listed with the
2163       hash_queue_names parameter. Queue hashing is  implemented  by  creating
2164       one  or  more  levels  of directories with one-character names.  Origi‐
2165       nally, these directory names were equal to the first characters of  the
2166       queue  file  name, with the hexadecimal representation of the file cre‐
2167       ation time in microseconds.
2168
2169       With long queue file names, queue hashing produces the same results  as
2170       with  short  names. The file creation time in microseconds is converted
2171       into hexadecimal form before the result is used for queue hashing.  The
2172       base  16 encoding gives finer control over the number of subdirectories
2173       than is possible with the base 52 encoding of long queue file names.
2174
2175       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2176       cute the command "postfix reload".
2177

hash_queue_names (default: deferred, defer)

2179       The names of queue directories that are split across multiple subdirec‐
2180       tory levels.
2181
2182       Before Postfix version 2.2, the default list of hashed queues was  sig‐
2183       nificantly  larger. Claims about improvements in file system technology
2184       suggest that hashing of the incoming and active  queues  is  no  longer
2185       needed.  Fewer  hashed  directories speed up the time needed to restart
2186       Postfix.
2187
2188       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2189       cute the command "postfix reload".
2190

header_address_token_limit (default: 10240)

2192       The  maximal number of address tokens are allowed in an address message
2193       header. Information that exceeds the limit is discarded.  The limit  is
2194       enforced by the cleanup(8) server.
2195

header_checks (default: empty)

2197       Optional  lookup tables for content inspection of primary non-MIME mes‐
2198       sage headers, as specified in the header_checks(5) manual page.
2199

header_from_format (default: standard)

2201       The format of the Postfix-generated From: header. This setting  affects
2202       the  appearance of 'full name' information when a local program such as
2203       /bin/mail submits a message without From: header  through  the  Postfix
2204       sendmail(1) command.
2205
2206       Specify one of the following:
2207
2208       standard (default)
2209              Produce  a  header formatted as "From: name <address>".  This is
2210              the default as of Postfix 3.3.
2211
2212       obsolete
2213              Produce a header formatted as "From: address  (name)".  This  is
2214              the behavior prior to Postfix 3.3.
2215
2216       Notes:
2217
2218       ·      Postfix  generates the format "From: address" when name informa‐
2219              tion is unavailable or the envelope  sender  address  is  empty.
2220              This is the same behavior as prior to Postfix 3.3.
2221
2222       ·      In  the  standard  form,  the name will be quoted if it contains
2223              specials as defined in RFC 5322, or the "!%" address operators.
2224
2225       ·      The Postfix sendmail(1) command gets name information  from  the
2226              -F  command-line  option, from the NAME environment variable, or
2227              from the UNIX password file.
2228
2229       This feature is available in Postfix 3.3 and later.
2230

header_size_limit (default: 102400)

2232       The maximal amount of memory in bytes for storing a message header.  If
2233       a  header is larger, the excess is discarded.  The limit is enforced by
2234       the cleanup(8) server.
2235

helpful_warnings (default: yes)

2237       Log warnings about  problematic  configuration  settings,  and  provide
2238       helpful suggestions.
2239
2240       This feature is available in Postfix 2.0 and later.
2241

home_mailbox (default: empty)

2243       Optional  pathname of a mailbox file relative to a local(8) user's home
2244       directory.
2245
2246       Specify a pathname ending in "/" for qmail-style delivery.
2247
2248       The precedence of local(8) delivery  features  from  high  to  low  is:
2249       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2250       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
2251       tory, fallback_transport_maps, fallback_transport and luser_relay.
2252
2253       Examples:
2254
2255       home_mailbox = Mailbox
2256       home_mailbox = Maildir/
2257

hopcount_limit (default: 50)

2259       The maximal number of Received:  message headers that is allowed in the
2260       primary message headers. A message that exceeds the limit  is  bounced,
2261       in order to stop a mailer loop.
2262

html_directory (default: see postconf -d output)

2264       The  location of Postfix HTML files that describe how to build, config‐
2265       ure or operate a specific Postfix subsystem or feature.
2266

ignore_mx_lookup_error (default: no)

2268       Ignore DNS MX lookups that produce no response.  By default, the  Post‐
2269       fix SMTP client defers delivery and tries again after some delay.  This
2270       behavior is required by the SMTP standard.
2271
2272       Specify "ignore_mx_lookup_error = yes" to force a DNS A  record  lookup
2273       instead. This violates the SMTP standard and can result in mis-delivery
2274       of mail.
2275

import_environment (default: see postconf -d output)

2277       The list of environment parameters that a  privileged  Postfix  process
2278       will  import  from a non-Postfix parent process, or name=value environ‐
2279       ment overrides.  Unprivileged utilities  will  enforce  the  name=value
2280       overrides,  but  otherwise  will  not change their process environment.
2281       Examples of relevant parameters:
2282
2283       TZ     May be needed for sane time keeping on  most  System-V-ish  sys‐
2284              tems.
2285
2286       DISPLAY
2287              Needed for debugging Postfix daemons with an X-windows debugger.
2288
2289       XAUTHORITY
2290              Needed for debugging Postfix daemons with an X-windows debugger.
2291
2292       MAIL_CONFIG
2293              Needed to make "postfix -c" work.
2294
2295       Specify  a  list  of names and/or name=value pairs, separated by white‐
2296       space or comma. Specify "{ name=value }" to protect whitespace or comma
2297       in  parameter  values (whitespace after "{" and before "}" is ignored).
2298       The form name=value is supported with Postfix version  2.1  and  later;
2299       the use of {} is supported with Postfix 3.0 and later.
2300

in_flow_delay (default: 1s)

2302       Time  to pause before accepting a new message, when the message arrival
2303       rate exceeds the message delivery rate. This feature is  turned  on  by
2304       default (it's disabled on SCO UNIX due to an SCO bug).
2305
2306       With  the default 100 Postfix SMTP server process limit, "in_flow_delay
2307       = 1s" limits the mail inflow to 100 messages per second above the  num‐
2308       ber of messages delivered per second.
2309
2310       Specify 0 to disable the feature. Valid delays are 0..10.
2311

inet_interfaces (default: all)

2313       The network interface addresses that this mail system receives mail on.
2314       Specify "all" to receive mail on all network interfaces (default),  and
2315       "loopback-only"  to  receive  mail  on loopback network interfaces only
2316       (Postfix version 2.2 and later).  The parameter also controls  delivery
2317       of mail to user@[ip.address].
2318
2319       Note 1: you need to stop and start Postfix when this parameter changes.
2320
2321       Note 2: address information may be enclosed inside [], but this form is
2322       not required here.
2323
2324       When inet_interfaces specifies just one IPv4 and/or IPv6  address  that
2325       is  not  a  loopback  address,  the  Postfix  SMTP client will use this
2326       address as the IP source address for outbound mail. Support for IPv6 is
2327       available in Postfix version 2.2 and later.
2328
2329       On  a multi-homed firewall with separate Postfix instances listening on
2330       the "inside" and "outside" interfaces, this can prevent  each  instance
2331       from being able to reach remote SMTP servers on the "other side" of the
2332       firewall. Setting smtp_bind_address to  0.0.0.0  avoids  the  potential
2333       problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2334       lem for IPv6.
2335
2336       A better solution for multi-homed firewalls is to leave inet_interfaces
2337       at  the default value and instead use explicit IP addresses in the mas‐
2338       ter.cf SMTP  server  definitions.   This  preserves  the  Postfix  SMTP
2339       client's  loop  detection,  by  ensuring that each side of the firewall
2340       knows that the other  IP  address  is  still  the  same  host.  Setting
2341       $inet_interfaces to a single IPv4 and/or IPV6 address is primarily use‐
2342       ful with virtual hosting of domains on  secondary  IP  addresses,  when
2343       each IP address serves a different domain (and has a different $myhost‐
2344       name setting).
2345
2346       See also the proxy_interfaces parameter, for network addresses that are
2347       forwarded to Postfix by way of a proxy or address translator.
2348
2349       Examples:
2350
2351       inet_interfaces = all (DEFAULT)
2352       inet_interfaces = loopback-only (Postfix version 2.2 and later)
2353       inet_interfaces = 127.0.0.1
2354       inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2355       inet_interfaces = 192.168.1.2, 127.0.0.1
2356

inet_protocols (default: all)

2358       The  Internet  protocols  Postfix  will  attempt  to use when making or
2359       accepting connections. Specify one or more of "ipv4" or  "ipv6",  sepa‐
2360       rated  by  whitespace or commas. The form "all" is equivalent to "ipv4,
2361       ipv6" or "ipv4", depending on whether the operating  system  implements
2362       IPv6.
2363
2364       With  Postfix 2.8 and earlier the default is "ipv4". For backwards com‐
2365       patibility with these releases, the Postfix 2.9 and later upgrade  pro‐
2366       cedure  appends  an explicit "inet_protocols = ipv4" setting to main.cf
2367       when no explicit setting is present. This compatibility workaround will
2368       be phased out as IPv6 deployment becomes more common.
2369
2370       This feature is available in Postfix 2.2 and later.
2371
2372       Note: you MUST stop and start Postfix after changing this parameter.
2373
2374       On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2375       will also accept IPv4 connections, even when IPv4 is  turned  off  with
2376       the  inet_protocols  parameter.   On  systems with IPV6_V6ONLY support,
2377       Postfix will use separate server sockets for IPv6 and  IPv4,  and  each
2378       will accept only connections for the corresponding protocol.
2379
2380       When  IPv4 support is enabled via the inet_protocols parameter, Postfix
2381       will look up DNS type A records, and will convert  IPv4-in-IPv6  client
2382       IP  addresses  (::ffff:1.2.3.4)  to their original IPv4 form (1.2.3.4).
2383       The latter is needed on hosts that pre-date  IPV6_V6ONLY  support  (RFC
2384       3493).
2385
2386       When  IPv6 support is enabled via the inet_protocols parameter, Postfix
2387       will do DNS type AAAA record lookups.
2388
2389       When both IPv4 and IPv6 support are enabled, the  Postfix  SMTP  client
2390       will  choose the protocol as specified with the smtp_address_preference
2391       parameter. Postfix versions before 2.8  attempt  to  connect  via  IPv6
2392       before attempting to use IPv4.
2393
2394       Examples:
2395
2396       inet_protocols = ipv4
2397       inet_protocols = all (DEFAULT)
2398       inet_protocols = ipv6
2399       inet_protocols = ipv4, ipv6
2400

initial_destination_concurrency (default: 5)

2402       The  initial per-destination concurrency level for parallel delivery to
2403       the same destination.  With per-destination recipient limit > 1, a des‐
2404       tination is a domain, otherwise it is a recipient.
2405
2406       Use   transport_initial_destination_concurrency  to  specify  a  trans‐
2407       port-specific override, where transport is the master.cf  name  of  the
2408       message delivery transport (Postfix 2.5 and later).
2409
2410       Warning:  with concurrency of 1, one bad message can be enough to block
2411       all mail to a site.
2412

internal_mail_filter_classes (default: empty)

2414       What categories of Postfix-generated mail are subject  to  before-queue
2415       content inspection by non_smtpd_milters, header_checks and body_checks.
2416       Specify zero or more of  the  following,  separated  by  whitespace  or
2417       comma.
2418
2419       bounce Inspect the content of delivery status notifications.
2420
2421       notify Inspect  the  content of postmaster notifications by the smtp(8)
2422              and smtpd(8) processes.
2423
2424       NOTE: It's generally not safe to enable  content  inspection  of  Post‐
2425       fix-generated email messages. The user is warned.
2426
2427       This feature is available in Postfix 2.3 and later.
2428

invalid_hostname_reject_code (default: 501)

2430       The numerical Postfix SMTP server response code when the client HELO or
2431       EHLO command parameter is rejected by the  reject_invalid_helo_hostname
2432       restriction.
2433
2434       Do  not  change  this  unless  you have a complete understanding of RFC
2435       5321.
2436

ipc_idle (default: version dependent)

2438       The time after which a client closes  an  idle  internal  communication
2439       channel.  The purpose is to allow Postfix daemon processes to terminate
2440       voluntarily after they become idle. This is used, for example,  by  the
2441       Postfix address resolving and rewriting clients.
2442
2443       With Postfix 2.4 the default value was reduced from 100s to 5s.
2444
2445       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2446       The default time unit is s (seconds).
2447

ipc_timeout (default: 3600s)

2449       The time limit for sending or receiving information  over  an  internal
2450       communication  channel.  The purpose is to break out of deadlock situa‐
2451       tions. If the time limit is exceeded the software aborts with  a  fatal
2452       error.
2453
2454       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2455       The default time unit is s (seconds).
2456

ipc_ttl (default: 1000s)

2458       The time after which a client closes an active  internal  communication
2459       channel.  The purpose is to allow Postfix daemon processes to terminate
2460       voluntarily after reaching their client limit.  This is used, for exam‐
2461       ple, by the Postfix address resolving and rewriting clients.
2462
2463       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2464       The default time unit is s (seconds).
2465
2466       This feature is available in Postfix 2.1 and later.
2467

line_length_limit (default: 2048)

2469       Upon input, long lines are chopped up  into  pieces  of  at  most  this
2470       length; upon delivery, long lines are reconstructed.
2471

lmdb_map_size (default: 16777216)

2473       The  initial  OpenLDAP  LMDB database size limit in bytes.  Each time a
2474       database becomes full, its size limit is doubled.
2475
2476       This feature is available in Postfix 2.11 and later.
2477

lmtp_address_preference (default: ipv6)

2479       The LMTP-specific version of the smtp_address_preference  configuration
2480       parameter.  See there for details.
2481
2482       This feature is available in Postfix 2.8 and later.
2483

lmtp_address_verify_target (default: rcpt)

2485       The  LMTP-specific version of the smtp_address_verify_target configura‐
2486       tion parameter.  See there for details.
2487
2488       This feature is available in Postfix 3.0 and later.
2489

lmtp_assume_final (default: no)

2491       When a remote LMTP server announces no DSN  support,  assume  that  the
2492       server  performs  final  delivery, and send "delivered" delivery status
2493       notifications instead of "relayed". The default  setting  is  backwards
2494       compatible  to avoid the infinitesimal possibility of breaking existing
2495       LMTP-based content filters.
2496

lmtp_balance_inet_protocols (default: yes)

2498       The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2499       tion parameter. See there for details.
2500
2501       This feature is available in Postfix 3.3 and later.
2502

lmtp_bind_address (default: empty)

2504       The LMTP-specific version of the smtp_bind_address configuration param‐
2505       eter.  See there for details.
2506
2507       This feature is available in Postfix 2.3 and later.
2508

lmtp_bind_address6 (default: empty)

2510       The  LMTP-specific  version  of  the  smtp_bind_address6  configuration
2511       parameter.  See there for details.
2512
2513       This feature is available in Postfix 2.3 and later.
2514

lmtp_body_checks (default: empty)

2516       The LMTP-specific version of the smtp_body_checks configuration parame‐
2517       ter. See there for details.
2518
2519       This feature is available in Postfix 2.5 and later.
2520

lmtp_cache_connection (default: yes)

2522       Keep Postfix LMTP client connections open for up to $max_idle  seconds.
2523       When  the  LMTP  client  receives a request for the same connection the
2524       connection is reused.
2525
2526       This parameter is available in Postfix version 2.2 and  earlier.   With
2527       Postfix  version  2.3  and  later, see lmtp_connection_cache_on_demand,
2528       lmtp_connection_cache_destinations,       or        lmtp_connection_re‐
2529       use_time_limit.
2530
2531       The  effectiveness of cached connections will be determined by the num‐
2532       ber of remote LMTP servers in use, and the concurrency limit  specified
2533       for the Postfix LMTP client. Cached connections are closed under any of
2534       the following conditions:
2535
2536       ·      The Postfix LMTP client idle time limit is reached.  This  limit
2537              is specified with the Postfix max_idle configuration parameter.
2538
2539       ·      A  delivery  request  specifies a different destination than the
2540              one currently cached.
2541
2542       ·      The per-process limit on the  number  of  delivery  requests  is
2543              reached.   This limit is specified with the Postfix max_use con‐
2544              figuration parameter.
2545
2546       ·      Upon the onset of another  delivery  request,  the  remote  LMTP
2547              server  associated  with the current session does not respond to
2548              the RSET command.
2549
2550       Most of these limitations have been with the Postfix a connection cache
2551       that is shared among multiple LMTP client programs.
2552

lmtp_cname_overrides_servername (default: yes)

2554       The  LMTP-specific  version of the smtp_cname_overrides_servername con‐
2555       figuration parameter.  See there for details.
2556
2557       This feature is available in Postfix 2.3 and later.
2558

lmtp_connect_timeout (default: 0s)

2560       The Postfix LMTP client time limit for completing a TCP connection,  or
2561       zero  (use  the operating system built-in time limit).  When no connec‐
2562       tion can be made within the deadline, the LMTP client  tries  the  next
2563       address on the mail exchanger list.
2564
2565       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2566       The default time unit is s (seconds).
2567
2568       Example:
2569
2570       lmtp_connect_timeout = 30s
2571

lmtp_connection_cache_destinations (default: empty)

2573       The LMTP-specific  version  of  the  smtp_connection_cache_destinations
2574       configuration parameter.  See there for details.
2575
2576       This feature is available in Postfix 2.3 and later.
2577

lmtp_connection_cache_on_demand (default: yes)

2579       The  LMTP-specific  version of the smtp_connection_cache_on_demand con‐
2580       figuration parameter.  See there for details.
2581
2582       This feature is available in Postfix 2.3 and later.
2583

lmtp_connection_cache_time_limit (default: 2s)

2585       The LMTP-specific version of the smtp_connection_cache_time_limit  con‐
2586       figuration parameter.  See there for details.
2587
2588       This feature is available in Postfix 2.3 and later.
2589

lmtp_connection_reuse_count_limit (default: 0)

2591       The LMTP-specific version of the smtp_connection_reuse_count_limit con‐
2592       figuration parameter.  See there for details.
2593
2594       This feature is available in Postfix 2.11 and later.
2595

lmtp_connection_reuse_time_limit (default: 300s)

2597       The LMTP-specific version of the smtp_connection_reuse_time_limit  con‐
2598       figuration parameter.  See there for details.
2599
2600       This feature is available in Postfix 2.3 and later.
2601

lmtp_data_done_timeout (default: 600s)

2603       The  Postfix  LMTP  client time limit for sending the LMTP ".", and for
2604       receiving the  remote  LMTP  server  response.   When  no  response  is
2605       received  within the deadline, a warning is logged that the mail may be
2606       delivered multiple times.
2607
2608       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2609       The default time unit is s (seconds).
2610

lmtp_data_init_timeout (default: 120s)

2612       The  Postfix  LMTP client time limit for sending the LMTP DATA command,
2613       and for receiving the remote LMTP server response.
2614
2615       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2616       The default time unit is s (seconds).
2617

lmtp_data_xfer_timeout (default: 180s)

2619       The  Postfix  LMTP  client time limit for sending the LMTP message con‐
2620       tent.  When the connection stalls for more than $lmtp_data_xfer_timeout
2621       the LMTP client terminates the transfer.
2622
2623       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2624       The default time unit is s (seconds).
2625

lmtp_defer_if_no_mx_address_found (default: no)

2627       The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2628       figuration parameter.  See there for details.
2629
2630       This feature is available in Postfix 2.3 and later.
2631

lmtp_delivery_status_filter (default: empty)

2633       The LMTP-specific version of the smtp_delivery_status_filter configura‐
2634       tion parameter.  See there for details.
2635
2636       This feature is available in Postfix 3.0 and later.
2637

lmtp_destination_concurrency_limit (default: $default_destination_concur‐

2639       rency_limit)
2640       The  maximal  number of parallel deliveries to the same destination via
2641       the lmtp message delivery transport. This  limit  is  enforced  by  the
2642       queue  manager.  The message delivery transport name is the first field
2643       in the entry in the master.cf file.
2644

lmtp_destination_recipient_limit (default: $default_destination_recipi‐

2646       ent_limit)
2647       The  maximal  number  of  recipients  per  message for the lmtp message
2648       delivery transport. This limit is enforced by the  queue  manager.  The
2649       message  delivery transport name is the first field in the entry in the
2650       master.cf file.
2651
2652       Setting this parameter to a value of 1 changes the meaning of lmtp_des‐
2653       tination_concurrency_limit from concurrency per domain into concurrency
2654       per recipient.
2655

lmtp_discard_lhlo_keyword_address_maps (default: empty)

2657       Lookup tables, indexed by the remote LMTP  server  address,  with  case
2658       insensitive  lists  of LHLO keywords (pipelining, starttls, auth, etc.)
2659       that the Postfix LMTP client will ignore in the LHLO  response  from  a
2660       remote LMTP server. See lmtp_discard_lhlo_keywords for details. The ta‐
2661       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
2662       card_ehlo_keyword_address_maps.
2663
2664       This feature is available in Postfix 2.3 and later.
2665

lmtp_discard_lhlo_keywords (default: empty)

2667       A  case  insensitive list of LHLO keywords (pipelining, starttls, auth,
2668       etc.) that the Postfix LMTP client will ignore  in  the  LHLO  response
2669       from a remote LMTP server.
2670
2671       This feature is available in Postfix 2.3 and later.
2672
2673       Notes:
2674
2675       ·      Specify the silent-discard pseudo keyword to prevent this action
2676              from being logged.
2677
2678       ·      Use the lmtp_discard_lhlo_keyword_address_maps feature  to  dis‐
2679              card LHLO keywords selectively.
2680

lmtp_dns_reply_filter (default: empty)

2682       Optional  filter  for  Postfix  LMTP  client  DNS  lookup results.  See
2683       smtp_dns_reply_filter for details including an example.
2684
2685       This feature is available in Postfix 3.0 and later.
2686

lmtp_dns_resolver_options (default: empty)

2688       The LMTP-specific version of the  smtp_dns_resolver_options  configura‐
2689       tion parameter.  See there for details.
2690
2691       This feature is available in Postfix 2.8 and later.
2692

lmtp_dns_support_level (default: empty)

2694       The  LMTP-specific  version of the smtp_dns_support_level configuration
2695       parameter.  See there for details.
2696
2697       This feature is available in Postfix 2.11 and later.
2698

lmtp_enforce_tls (default: no)

2700       The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2701       ter.  See there for details.
2702
2703       This feature is available in Postfix 2.3 and later.
2704

lmtp_fallback_relay (default: empty)

2706       Optional  list of relay hosts for LMTP destinations that can't be found
2707       or that are unreachable.  In main.cf elements are separated  by  white‐
2708       space or commas.
2709
2710       By  default,  mail  is returned to the sender when a destination is not
2711       found, and delivery is deferred when a destination is unreachable.
2712
2713       The fallback relays must be TCP destinations, specified without a lead‐
2714       ing  "inet:" prefix.  Specify a host or host:port.  Since MX lookups do
2715       not apply  with  LMTP,  there  is  no  need  to  use  the  "[host]"  or
2716       "[host]:port"  forms.  If you specify multiple LMTP destinations, Post‐
2717       fix will try them in the specified order.
2718
2719       This feature is available in Postfix 3.1 and later.
2720

lmtp_generic_maps (default: empty)

2722       The LMTP-specific version of the smtp_generic_maps configuration param‐
2723       eter.  See there for details.
2724
2725       This feature is available in Postfix 2.3 and later.
2726

lmtp_header_checks (default: empty)

2728       The  LMTP-specific  version  of  the  smtp_header_checks  configuration
2729       parameter. See there for details.
2730
2731       This feature is available in Postfix 2.5 and later.
2732

lmtp_host_lookup (default: dns)

2734       The LMTP-specific version of the smtp_host_lookup configuration parame‐
2735       ter.  See there for details.
2736
2737       This feature is available in Postfix 2.3 and later.
2738

lmtp_lhlo_name (default: $myhostname)

2740       The hostname to send in the LMTP LHLO command.
2741
2742       The  default  value  is  the  machine  hostname.  Specify a hostname or
2743       [ip.add.re.ss].
2744
2745       This information can be specified in the  main.cf  file  for  all  LMTP
2746       clients,  or  it  can be specified in the master.cf file for a specific
2747       client, for example:
2748
2749           /etc/postfix/master.cf:
2750               mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2751
2752       This feature is available in Postfix 2.3 and later.
2753

lmtp_lhlo_timeout (default: 300s)

2755       The Postfix LMTP client time limit for sending the  LHLO  command,  and
2756       for receiving the initial remote LMTP server response.
2757
2758       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2759       The default time unit is s (seconds).
2760

lmtp_line_length_limit (default: 990)

2762       The LMTP-specific version of the  smtp_line_length_limit  configuration
2763       parameter.  See there for details.
2764
2765       This feature is available in Postfix 2.3 and later.
2766

lmtp_mail_timeout (default: 300s)

2768       The  Postfix  LMTP client time limit for sending the MAIL FROM command,
2769       and for receiving the remote LMTP server response.
2770
2771       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2772       The default time unit is s (seconds).
2773

lmtp_mime_header_checks (default: empty)

2775       The  LMTP-specific version of the smtp_mime_header_checks configuration
2776       parameter. See there for details.
2777
2778       This feature is available in Postfix 2.5 and later.
2779

lmtp_mx_address_limit (default: 5)

2781       The LMTP-specific version of  the  smtp_mx_address_limit  configuration
2782       parameter.  See there for details.
2783
2784       This feature is available in Postfix 2.3 and later.
2785

lmtp_mx_session_limit (default: 2)

2787       The  LMTP-specific  version  of the smtp_mx_session_limit configuration
2788       parameter.  See there for details.
2789
2790       This feature is available in Postfix 2.3 and later.
2791

lmtp_nested_header_checks (default: empty)

2793       The LMTP-specific version of the  smtp_nested_header_checks  configura‐
2794       tion parameter. See there for details.
2795
2796       This feature is available in Postfix 2.5 and later.
2797

lmtp_per_record_deadline (default: no)

2799       The LMTP-specific version of the smtp_per_record_deadline configuration
2800       parameter.  See there for details.
2801
2802       This feature is available in Postfix 2.9 and later.
2803

lmtp_pix_workaround_delay_time (default: 10s)

2805       The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2806       uration parameter.  See there for details.
2807
2808       This feature is available in Postfix 2.3 and later.
2809

lmtp_pix_workaround_maps (default: empty)

2811       The LMTP-specific version of the smtp_pix_workaround_maps configuration
2812       parameter.  See there for details.
2813
2814       This feature is available in Postfix 2.4 and later.
2815

lmtp_pix_workaround_threshold_time (default: 500s)

2817       The LMTP-specific  version  of  the  smtp_pix_workaround_threshold_time
2818       configuration parameter.  See there for details.
2819
2820       This feature is available in Postfix 2.3 and later.
2821

lmtp_pix_workarounds (default: empty)

2823       The  LMTP-specific  version  of  the  smtp_pix_workaround configuration
2824       parameter.  See there for details.
2825
2826       This feature is available in Postfix 2.4 and later.
2827

lmtp_quit_timeout (default: 300s)

2829       The Postfix LMTP client time limit for sending the  QUIT  command,  and
2830       for receiving the remote LMTP server response.
2831
2832       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2833       The default time unit is s (seconds).
2834

lmtp_quote_rfc821_envelope (default: yes)

2836       The LMTP-specific version of the smtp_quote_rfc821_envelope  configura‐
2837       tion parameter.  See there for details.
2838
2839       This feature is available in Postfix 2.3 and later.
2840

lmtp_randomize_addresses (default: yes)

2842       The LMTP-specific version of the smtp_randomize_addresses configuration
2843       parameter.  See there for details.
2844
2845       This feature is available in Postfix 2.3 and later.
2846

lmtp_rcpt_timeout (default: 300s)

2848       The Postfix LMTP client time limit for sending the RCPT TO command, and
2849       for receiving the remote LMTP server response.
2850
2851       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2852       The default time unit is s (seconds).
2853

lmtp_reply_filter (default: empty)

2855       The LMTP-specific version of the smtp_reply_filter configuration param‐
2856       eter.  See there for details.
2857
2858       This feature is available in Postfix 2.7 and later.
2859

lmtp_rset_timeout (default: 20s)

2861       The  Postfix  LMTP  client time limit for sending the RSET command, and
2862       for receiving the remote LMTP server response. The  LMTP  client  sends
2863       RSET  in order to finish a recipient address probe, or to verify that a
2864       cached connection is still alive.
2865
2866       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2867       The default time unit is s (seconds).
2868

lmtp_sasl_auth_cache_name (default: empty)

2870       The  LMTP-specific  version of the smtp_sasl_auth_cache_name configura‐
2871       tion parameter.  See there for details.
2872
2873       This feature is available in Postfix 2.5 and later.
2874

lmtp_sasl_auth_cache_time (default: 90d)

2876       The LMTP-specific version of the  smtp_sasl_auth_cache_time  configura‐
2877       tion parameter.  See there for details.
2878
2879       This feature is available in Postfix 2.5 and later.
2880

lmtp_sasl_auth_enable (default: no)

2882       Enable SASL authentication in the Postfix LMTP client.
2883

lmtp_sasl_auth_soft_bounce (default: yes)

2885       The  LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2886       tion parameter.  See there for details.
2887
2888       This feature is available in Postfix 2.5 and later.
2889

lmtp_sasl_mechanism_filter (default: empty)

2891       The LMTP-specific version of the smtp_sasl_mechanism_filter  configura‐
2892       tion parameter.  See there for details.
2893
2894       This feature is available in Postfix 2.3 and later.
2895

lmtp_sasl_password_maps (default: empty)

2897       Optional  Postfix  LMTP client lookup tables with one username:password
2898       entry per host or domain.  If a remote host  or  domain  has  no  user‐
2899       name:password  entry,  then the Postfix LMTP client will not attempt to
2900       authenticate to the remote host.
2901

lmtp_sasl_path (default: empty)

2903       Implementation-specific information that is passed through to the  SASL
2904       plug-in implementation that is selected with lmtp_sasl_type.  Typically
2905       this specifies the name of a configuration file or rendezvous point.
2906
2907       This feature is available in Postfix 2.3 and later.
2908

lmtp_sasl_security_options (default: noplaintext, noanonymous)

2910       SASL security options; as of Postfix 2.3 the list of available features
2911       depends  on  the  SASL  client  implementation  that  is  selected with
2912       lmtp_sasl_type.
2913
2914       The following security features are defined for the cyrus  client  SASL
2915       implementation:
2916
2917       noplaintext
2918              Disallow authentication methods that use plaintext passwords.
2919
2920       noactive
2921              Disallow  authentication methods that are vulnerable to non-dic‐
2922              tionary active attacks.
2923
2924       nodictionary
2925              Disallow authentication methods that are vulnerable  to  passive
2926              dictionary attack.
2927
2928       noanonymous
2929              Disallow anonymous logins.
2930
2931       Example:
2932
2933       lmtp_sasl_security_options = noplaintext
2934

lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)

2936       The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2937       uration parameter.  See there for details.
2938
2939       This feature is available in Postfix 2.3 and later.
2940

lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_secu‐

2942       rity_options)
2943       The   LMTP-specific   version   of   the   smtp_sasl_tls_verified_secu‐
2944       rity_options configuration parameter.  See there for details.
2945
2946       This feature is available in Postfix 2.3 and later.
2947

lmtp_sasl_type (default: cyrus)

2949       The SASL plug-in type that the  Postfix  LMTP  client  should  use  for
2950       authentication.   The available types are listed with the "postconf -A"
2951       command.
2952
2953       This feature is available in Postfix 2.3 and later.
2954

lmtp_send_dummy_mail_auth (default: no)

2956       The LMTP-specific version of the  smtp_send_dummy_mail_auth  configura‐
2957       tion parameter.  See there for details.
2958
2959       This feature is available in Postfix 2.9 and later.
2960

lmtp_send_xforward_command (default: no)

2962       Send  an  XFORWARD command to the remote LMTP server when the LMTP LHLO
2963       server response announces XFORWARD support.   This  allows  an  lmtp(8)
2964       delivery  agent,  used for content filter message injection, to forward
2965       the name, address, protocol and HELO name of the original client to the
2966       content  filter  and downstream queuing LMTP server.  Before you change
2967       the value to yes, it is best to make sure that your content filter sup‐
2968       ports this command.
2969
2970       This feature is available in Postfix 2.1 and later.
2971

lmtp_sender_dependent_authentication (default: no)

2973       The  LMTP-specific  version of the smtp_sender_dependent_authentication
2974       configuration parameter.  See there for details.
2975
2976       This feature is available in Postfix 2.3 and later.
2977

lmtp_skip_5xx_greeting (default: yes)

2979       The LMTP-specific version of the  smtp_skip_5xx_greeting  configuration
2980       parameter.  See there for details.
2981
2982       This feature is available in Postfix 2.3 and later.
2983

lmtp_skip_quit_response (default: no)

2985       Wait for the response to the LMTP QUIT command.
2986

lmtp_starttls_timeout (default: 300s)

2988       The  LMTP-specific  version  of the smtp_starttls_timeout configuration
2989       parameter.  See there for details.
2990
2991       This feature is available in Postfix 2.3 and later.
2992

lmtp_tcp_port (default: 24)

2994       The default TCP port that the Postfix LMTP client connects to.  Specify
2995       a symbolic name (see services(5)) or a numeric port.
2996

lmtp_tls_CAfile (default: empty)

2998       The  LMTP-specific version of the smtp_tls_CAfile configuration parame‐
2999       ter.  See there for details.
3000
3001       This feature is available in Postfix 2.3 and later.
3002

lmtp_tls_CApath (default: empty)

3004       The LMTP-specific version of the smtp_tls_CApath configuration  parame‐
3005       ter.  See there for details.
3006
3007       This feature is available in Postfix 2.3 and later.
3008

lmtp_tls_block_early_mail_reply (default: empty)

3010       The  LMTP-specific  version of the smtp_tls_block_early_mail_reply con‐
3011       figuration parameter.  See there for details.
3012
3013       This feature is available in Postfix 2.7 and later.
3014

lmtp_tls_cert_file (default: empty)

3016       The  LMTP-specific  version  of  the  smtp_tls_cert_file  configuration
3017       parameter.  See there for details.
3018
3019       This feature is available in Postfix 2.3 and later.
3020

lmtp_tls_ciphers (default: medium)

3022       The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3023       ter. See there for details.
3024
3025       This feature is available in Postfix 2.6 and later.
3026

lmtp_tls_dcert_file (default: empty)

3028       The LMTP-specific  version  of  the  smtp_tls_dcert_file  configuration
3029       parameter.  See there for details.
3030
3031       This feature is available in Postfix 2.3 and later.
3032

lmtp_tls_dkey_file (default: $lmtp_tls_dcert_file)

3034       The  LMTP-specific  version  of  the  smtp_tls_dkey_file  configuration
3035       parameter.  See there for details.
3036
3037       This feature is available in Postfix 2.3 and later.
3038

lmtp_tls_eccert_file (default: empty)

3040       The LMTP-specific version  of  the  smtp_tls_eccert_file  configuration
3041       parameter.  See there for details.
3042
3043       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3044       compiled and linked with OpenSSL 1.0.0 or later.
3045

lmtp_tls_eckey_file (default: empty)

3047       The LMTP-specific  version  of  the  smtp_tls_eckey_file  configuration
3048       parameter.  See there for details.
3049
3050       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3051       compiled and linked with OpenSSL 1.0.0 or later.
3052

lmtp_tls_enforce_peername (default: yes)

3054       The LMTP-specific version of the  smtp_tls_enforce_peername  configura‐
3055       tion parameter.  See there for details.
3056
3057       This feature is available in Postfix 2.3 and later.
3058

lmtp_tls_exclude_ciphers (default: empty)

3060       The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3061       parameter.  See there for details.
3062
3063       This feature is available in Postfix 2.3 and later.
3064

lmtp_tls_fingerprint_cert_match (default: empty)

3066       The LMTP-specific version of the  smtp_tls_fingerprint_cert_match  con‐
3067       figuration parameter.  See there for details.
3068
3069       This feature is available in Postfix 2.5 and later.
3070

lmtp_tls_fingerprint_digest (default: md5)

3072       The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3073       tion parameter.  See there for details.
3074
3075       This feature is available in Postfix 2.5 and later.
3076

lmtp_tls_force_insecure_host_tlsa_lookup (default: no)

3078       The    LMTP-specific    version     of     the     smtp_tls_force_inse‐
3079       cure_host_tlsa_lookup configuration parameter.  See there for details.
3080
3081       This feature is available in Postfix 2.11 and later.
3082

lmtp_tls_key_file (default: $lmtp_tls_cert_file)

3084       The LMTP-specific version of the smtp_tls_key_file configuration param‐
3085       eter.  See there for details.
3086
3087       This feature is available in Postfix 2.3 and later.
3088

lmtp_tls_loglevel (default: 0)

3090       The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3091       eter.  See there for details.
3092
3093       This feature is available in Postfix 2.3 and later.
3094

lmtp_tls_mandatory_ciphers (default: medium)

3096       The  LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3097       tion parameter.  See there for details.
3098
3099       This feature is available in Postfix 2.3 and later.
3100

lmtp_tls_mandatory_exclude_ciphers (default: empty)

3102       The LMTP-specific  version  of  the  smtp_tls_mandatory_exclude_ciphers
3103       configuration parameter.  See there for details.
3104
3105       This feature is available in Postfix 2.3 and later.
3106

lmtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

3108       The  LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3109       ration parameter. See there for details.
3110
3111       This feature is available in Postfix 2.3 and later.
3112

lmtp_tls_note_starttls_offer (default: no)

3114       The LMTP-specific version of the smtp_tls_note_starttls_offer  configu‐
3115       ration parameter.  See there for details.
3116
3117       This feature is available in Postfix 2.3 and later.
3118

lmtp_tls_per_site (default: empty)

3120       The LMTP-specific version of the smtp_tls_per_site configuration param‐
3121       eter.  See there for details.
3122
3123       This feature is available in Postfix 2.3 and later.
3124

lmtp_tls_policy_maps (default: empty)

3126       The LMTP-specific version  of  the  smtp_tls_policy_maps  configuration
3127       parameter. See there for details.
3128
3129       This feature is available in Postfix 2.3 and later.
3130

lmtp_tls_protocols (default: !SSLv2, !SSLv3)

3132       The  LMTP-specific  version  of  the  smtp_tls_protocols  configuration
3133       parameter. See there for details.
3134
3135       This feature is available in Postfix 2.6 and later.
3136

lmtp_tls_scert_verifydepth (default: 9)

3138       The LMTP-specific version of the smtp_tls_scert_verifydepth  configura‐
3139       tion parameter.  See there for details.
3140
3141       This feature is available in Postfix 2.3 and later.
3142

lmtp_tls_secure_cert_match (default: nexthop)

3144       The  LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3145       tion parameter. See there for details.
3146
3147       This feature is available in Postfix 2.3 and later.
3148

lmtp_tls_security_level (default: empty)

3150       The LMTP-specific version of the smtp_tls_security_level  configuration
3151       parameter.  See there for details.
3152
3153       This feature is available in Postfix 2.3 and later.
3154

lmtp_tls_session_cache_database (default: empty)

3156       The  LMTP-specific  version of the smtp_tls_session_cache_database con‐
3157       figuration parameter. See there for details.
3158
3159       This feature is available in Postfix 2.3 and later.
3160

lmtp_tls_session_cache_timeout (default: 3600s)

3162       The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3163       uration parameter.  See there for details.
3164
3165       This feature is available in Postfix 2.3 and later.
3166

lmtp_tls_trust_anchor_file (default: empty)

3168       The  LMTP-specific version of the smtp_tls_trust_anchor_file configura‐
3169       tion parameter.  See there for details.
3170
3171       This feature is available in Postfix 2.11 and later.
3172

lmtp_tls_verify_cert_match (default: hostname)

3174       The LMTP-specific version of the smtp_tls_verify_cert_match  configura‐
3175       tion parameter. See there for details.
3176
3177       This feature is available in Postfix 2.3 and later.
3178

lmtp_use_tls (default: no)

3180       The  LMTP-specific version of the smtp_use_tls configuration parameter.
3181       See there for details.
3182
3183       This feature is available in Postfix 2.3 and later.
3184

lmtp_xforward_timeout (default: 300s)

3186       The Postfix LMTP client time limit for sending  the  XFORWARD  command,
3187       and for receiving the remote LMTP server response.
3188
3189       In  case  of  problems  the client does NOT try the next address on the
3190       mail exchanger list.
3191
3192       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3193       The default time unit is s (seconds).
3194
3195       This feature is available in Postfix 2.1 and later.
3196

local_command_shell (default: empty)

3198       Optional  shell  program  for local(8) delivery to non-Postfix command.
3199       By default, non-Postfix commands are executed  directly;  commands  are
3200       given to given to the default shell (typically, /bin/sh) only when they
3201       contain shell meta characters or shell built-in commands.
3202
3203       "sendmail's restricted shell" (smrsh) is what most people will  use  in
3204       order  to  restrict  what  programs can be run from e.g. .forward files
3205       (smrsh is part of the Sendmail distribution).
3206
3207       Note: when a shell program is specified, it is invoked  even  when  the
3208       command contains no shell built-in commands or meta characters.
3209
3210       Example:
3211
3212       local_command_shell = /some/where/smrsh -c
3213       local_command_shell = /bin/bash -c
3214

local_delivery_status_filter (default: $default_delivery_status_filter)

3216       Optional  filter  for  the local(8) delivery agent to change the status
3217       code or explanatory text of successful or unsuccessful deliveries.  See
3218       default_delivery_status_filter for details.
3219
3220       This feature is available in Postfix 3.0 and later.
3221

local_destination_concurrency_limit (default: 2)

3223       The  maximal  number of parallel deliveries via the local mail delivery
3224       transport  to  the  same  recipient  (when   "local_destination_recipi‐
3225       ent_limit  =  1")  or  the maximal number of parallel deliveries to the
3226       same local domain (when "local_destination_recipient_limit > 1").  This
3227       limit  is enforced by the queue manager. The message delivery transport
3228       name is the first field in the entry in the master.cf file.
3229
3230       A low limit of 2 is recommended, just in case someone has an  expensive
3231       shell  command  in a .forward file or in an alias (e.g., a mailing list
3232       manager).  You don't want to run lots of those at the same time.
3233

local_destination_recipient_limit (default: 1)

3235       The maximal number of recipients per message  delivery  via  the  local
3236       mail  delivery  transport. This limit is enforced by the queue manager.
3237       The message delivery transport name is the first field in the entry  in
3238       the master.cf file.
3239
3240       Setting this parameter to a value > 1 changes the meaning of local_des‐
3241       tination_concurrency_limit from concurrency per recipient into  concur‐
3242       rency per domain.
3243

local_header_rewrite_clients (default: permit_inet_interfaces)

3245       Rewrite  message header addresses in mail from these clients and update
3246       incomplete addresses with the domain name in  $myorigin  or  $mydomain;
3247       either  don't rewrite message headers from other clients at all, or re‐
3248       write message headers and update incomplete addresses with  the  domain
3249       specified in the remote_header_rewrite_domain parameter.
3250
3251       See  the  append_at_myorigin  and  append_dot_mydomain  parameters  for
3252       details of how domain names are appended to incomplete addresses.
3253
3254       Specify a list of zero or more of the following:
3255
3256       permit_inet_interfaces
3257              Append the domain name in $myorigin or $mydomain when the client
3258              IP address matches $inet_interfaces. This is enabled by default.
3259
3260       permit_mynetworks
3261              Append the domain name in $myorigin or $mydomain when the client
3262              IP address matches any network  or  network  address  listed  in
3263              $mynetworks.  This  setting  will not prevent remote mail header
3264              address rewriting when mail from a remote client is forwarded by
3265              a neighboring system.
3266
3267       permit_sasl_authenticated
3268              Append the domain name in $myorigin or $mydomain when the client
3269              is successfully authenticated via the RFC 4954 (AUTH) protocol.
3270
3271       permit_tls_clientcerts
3272              Append the domain name in $myorigin or $mydomain when the remote
3273              SMTP  client  TLS  certificate fingerprint or public key finger‐
3274              print (Postfix 2.9 and later) is listed  in  $relay_clientcerts.
3275              The   fingerprint  digest  algorithm  is  configurable  via  the
3276              smtpd_tls_fingerprint_digest parameter (hard-coded as md5  prior
3277              to Postfix version 2.5).
3278
3279       permit_tls_all_clientcerts
3280              Append the domain name in $myorigin or $mydomain when the remote
3281              SMTP client TLS certificate is successfully verified, regardless
3282              of  whether  it  is  listed on the server, and regardless of the
3283              certifying authority.
3284
3285       check_address_map type:table
3286
3287       type:table
3288              Append the domain name in $myorigin or $mydomain when the client
3289              IP  address  matches  the  specified  lookup  table.  The lookup
3290              result is ignored, and no subnet lookup is done. This  is  suit‐
3291              able for, e.g., pop-before-smtp lookup tables.
3292
3293       Examples:
3294
3295       The  Postfix < 2.2 backwards compatible setting: always rewrite message
3296       headers,  and  always  append  my  own  domain  to  incomplete   header
3297       addresses.
3298
3299           local_header_rewrite_clients = static:all
3300
3301       The  purist  (and  default)  setting: rewrite headers only in mail from
3302       Postfix sendmail and in SMTP mail from this machine.
3303
3304           local_header_rewrite_clients = permit_inet_interfaces
3305
3306       The intermediate setting: rewrite header addresses and append $myorigin
3307       or  $mydomain  information  only  with mail from Postfix sendmail, from
3308       local clients, or from authorized SMTP clients.
3309
3310       Note: this setting will not prevent remote mail header address  rewrit‐
3311       ing  when  mail from a remote client is forwarded by a neighboring sys‐
3312       tem.
3313
3314           local_header_rewrite_clients = permit_mynetworks,
3315               permit_sasl_authenticated permit_tls_clientcerts
3316               check_address_map hash:/etc/postfix/pop-before-smtp
3317

local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)

3319       Lookup tables with all names or addresses of local recipients: a recip‐
3320       ient   address   is  local  when  its  domain  matches  $mydestination,
3321       $inet_interfaces or $proxy_interfaces.  Specify @domain as a  wild-card
3322       for  domains  that  do  not  have a valid recipient list.  Technically,
3323       tables listed with $local_recipient_maps are  used  as  lists:  Postfix
3324       needs  to know only if a lookup string is found or not, but it does not
3325       use the result from table lookup.
3326
3327       Specify zero or more "type:name" lookup tables, separated by whitespace
3328       or  comma. Tables will be searched in the specified order until a match
3329       is found.
3330
3331       If this parameter is non-empty (the default),  then  the  Postfix  SMTP
3332       server will reject mail for unknown local users.
3333
3334       To  turn off local recipient checking in the Postfix SMTP server, spec‐
3335       ify "local_recipient_maps =" (i.e. empty).
3336
3337       The default setting assumes that you  use  the  default  Postfix  local
3338       delivery agent for local delivery. You need to update the local_recipi‐
3339       ent_maps setting if:
3340
3341       ·      You redefine the local delivery agent in master.cf.
3342
3343       ·      You redefine the "local_transport" setting in main.cf.
3344
3345       ·      You  use  the  "luser_relay",  "mailbox_transport",  or   "fall‐
3346              back_transport" feature of the Postfix local(8) delivery agent.
3347
3348       Details are described in the LOCAL_RECIPIENT_README file.
3349
3350       Beware:  if  the  Postfix SMTP server runs chrooted, you need to access
3351       the passwd file via the  proxymap(8)  service,  in  order  to  overcome
3352       chroot  access restrictions. The alternative, maintaining a copy of the
3353       system password file in the chroot jail is not practical.
3354
3355       Examples:
3356
3357       local_recipient_maps =
3358

local_transport (default: local:$myhostname)

3360       The default mail delivery transport and next-hop destination for  final
3361       delivery to domains listed with mydestination, and for [ipaddress] des‐
3362       tinations  that  match  $inet_interfaces  or  $proxy_interfaces.   This
3363       information can be overruled with the transport(5) table.
3364
3365       By  default,  local  mail is delivered to the transport called "local",
3366       which is just the name of a service that is defined the master.cf file.
3367
3368       Specify a string of the form transport:nexthop, where transport is  the
3369       name  of  a mail delivery transport defined in master.cf.  The :nexthop
3370       destination is optional; its syntax is documented in the manual page of
3371       the corresponding delivery agent.
3372
3373       Beware:  if you override the default local delivery agent then you need
3374       to review  the  LOCAL_RECIPIENT_README  document,  otherwise  the  SMTP
3375       server may reject mail for local recipients.
3376

luser_relay (default: empty)

3378       Optional  catch-all  destination  for  unknown local(8) recipients.  By
3379       default, mail for unknown recipients in domains that match  $mydestina‐
3380       tion,  $inet_interfaces  or $proxy_interfaces is returned as undeliver‐
3381       able.
3382
3383       The following $name expansions are done on luser_relay:
3384
3385       $domain
3386              The recipient domain.
3387
3388       $extension
3389              The recipient address extension.
3390
3391       $home  The recipient's home directory.
3392
3393       $local The entire recipient address localpart.
3394
3395       $recipient
3396              The full recipient address.
3397
3398       $recipient_delimiter
3399              The address extension delimiter that was found in the  recipient
3400              address  (Postfix  2.11 and later), or the system-wide recipient
3401              address extension delimiter (Postfix 2.10 and earlier).
3402
3403       $shell The recipient's login shell.
3404
3405       $user  The recipient username.
3406
3407       ${name?value}
3408              Expands to value when $name has a non-empty value.
3409
3410       ${name:value}
3411              Expands to value when $name has an empty value.
3412
3413       Instead of $name you can also specify ${name} or $(name).
3414
3415       Note: luser_relay works only for the Postfix local(8) delivery agent.
3416
3417       Note: if you use this feature for accounts not  in  the  UNIX  password
3418       file,  then  you  must specify "local_recipient_maps =" (i.e. empty) in
3419       the main.cf file, otherwise the Postfix SMTP server  will  reject  mail
3420       for non-UNIX accounts with "User unknown in local recipient table".
3421
3422       Examples:
3423
3424       luser_relay = $user@other.host
3425       luser_relay = $local@other.host
3426       luser_relay = admin+$local
3427

mail_name (default: Postfix)

3429       The  mail  system  name  that is displayed in Received: headers, in the
3430       SMTP greeting banner, and in bounced mail.
3431

mail_owner (default: postfix)

3433       The UNIX system account that owns the Postfix queue  and  most  Postfix
3434       daemon  processes.   Specify  the  name of an unprivileged user account
3435       that does not share a user or group ID with other  accounts,  and  that
3436       owns  no  other files or processes on the system.  In particular, don't
3437       specify nobody or daemon.  PLEASE USE A DEDICATED USER ID AND GROUP ID.
3438
3439       When this parameter value  is  changed  you  need  to  re-run  "postfix
3440       set-permissions"  (with  Postfix  version  2.0 and earlier: "/etc/post‐
3441       fix/post-install set-permissions".
3442

mail_release_date (default: see postconf -d output)

3444       The Postfix release date, in "YYYYMMDD" format.
3445

mail_spool_directory (default: see postconf -d output)

3447       The directory where local(8) UNIX-style mailboxes are kept. The default
3448       setting  depends  on  the  system  type. Specify a name ending in / for
3449       maildir-style delivery.
3450
3451       Note: maildir delivery is done with the privileges  of  the  recipient.
3452       If you use the mail_spool_directory setting for maildir style delivery,
3453       then you must create the top-level maildir directory in advance.  Post‐
3454       fix will not create it.
3455
3456       Examples:
3457
3458       mail_spool_directory = /var/mail
3459       mail_spool_directory = /var/spool/mail
3460

mail_version (default: see postconf -d output)

3462       The   version   of   the   mail   system.  Stable  releases  are  named
3463       major.minor.patchlevel. Experimental releases also include the  release
3464       date. The version string can be used in, for example, the SMTP greeting
3465       banner.
3466

mailbox_command (default: empty)

3468       Optional external command that the local(8) delivery agent  should  use
3469       for mailbox delivery.  The command is run with the user ID and the pri‐
3470       mary group ID privileges of the recipient.  Exception: command delivery
3471       for  root executes with $default_privs privileges.  This is not a prob‐
3472       lem, because 1) mail for root should always be aliased to a  real  user
3473       and 2) don't log in as root, use "su" instead.
3474
3475       The following environment variables are exported to the command:
3476
3477       CLIENT_ADDRESS
3478              Remote  client network address. Available in Postfix version 2.2
3479              and later.
3480
3481       CLIENT_HELO
3482              Remote client EHLO command parameter. Available in Postfix  ver‐
3483              sion 2.2 and later.
3484
3485       CLIENT_HOSTNAME
3486              Remote  client  hostname.  Available  in Postfix version 2.2 and
3487              later.
3488
3489       CLIENT_PROTOCOL
3490              Remote client protocol. Available in  Postfix  version  2.2  and
3491              later.
3492
3493       DOMAIN The domain part of the recipient address.
3494
3495       EXTENSION
3496              The optional address extension.
3497
3498       HOME   The recipient home directory.
3499
3500       LOCAL  The recipient address localpart.
3501
3502       LOGNAME
3503              The recipient's username.
3504
3505       ORIGINAL_RECIPIENT
3506              The  entire  recipient  address, before any address rewriting or
3507              aliasing.
3508
3509       RECIPIENT
3510              The full recipient address.
3511
3512       SASL_METHOD
3513              SASL authentication method specified in the remote  client  AUTH
3514              command. Available in Postfix version 2.2 and later.
3515
3516       SASL_SENDER
3517              SASL  sender  address  specified  in the remote client MAIL FROM
3518              command. Available in Postfix version 2.2 and later.
3519
3520       SASL_USER
3521              SASL username specified  in  the  remote  client  AUTH  command.
3522              Available in Postfix version 2.2 and later.
3523
3524       SENDER The full sender address.
3525
3526       SHELL  The recipient's login shell.
3527
3528       USER   The recipient username.
3529
3530       Unlike  other  Postfix  configuration  parameters,  the mailbox_command
3531       parameter is not subjected to $name substitutions. This is to  make  it
3532       easier to specify shell syntax (see example below).
3533
3534       If you can, avoid shell meta characters because they will force Postfix
3535       to run an expensive shell process. If you're  delivering  via  Procmail
3536       then  running  a  shell won't make a noticeable difference in the total
3537       cost.
3538
3539       Note: if you use the  mailbox_command  feature  to  deliver  mail  sys‐
3540       tem-wide,  you  must  set  up an alias that forwards mail for root to a
3541       real user.
3542
3543       The precedence of local(8) delivery  features  from  high  to  low  is:
3544       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3545       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3546       tory, fallback_transport_maps, fallback_transport and luser_relay.
3547
3548       Examples:
3549
3550       mailbox_command = /some/where/procmail
3551       mailbox_command = /some/where/procmail -a "$EXTENSION"
3552       mailbox_command = /some/where/maildrop -d "$USER"
3553               -f "$SENDER" "$EXTENSION"
3554

mailbox_command_maps (default: empty)

3556       Optional  lookup tables with per-recipient external commands to use for
3557       local(8) mailbox delivery.  Behavior is as with mailbox_command.
3558
3559       The precedence of local(8) delivery  features  from  high  to  low  is:
3560       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3561       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3562       tory, fallback_transport_maps, fallback_transport and luser_relay.
3563
3564       Specify zero or more "type:name" lookup tables, separated by whitespace
3565       or comma. Tables will be searched in the specified order until a  match
3566       is found.
3567

mailbox_delivery_lock (default: see postconf -d output)

3569       How  to  lock a UNIX-style local(8) mailbox before attempting delivery.
3570       For a list of available file locking methods,  use  the  "postconf  -l"
3571       command.
3572
3573       This  setting  is  ignored  with  maildir  style delivery, because such
3574       deliveries are safe without explicit locks.
3575
3576       Note: The dotlock method requires that the recipient  UID  or  GID  has
3577       write access to the parent directory of the mailbox file.
3578
3579       Note: the default setting of this parameter is system dependent.
3580

mailbox_size_limit (default: 51200000)

3582       The maximal size of any local(8) individual mailbox or maildir file, or
3583       zero (no limit).  In fact, this limits the size of  any  file  that  is
3584       written  to  upon  local  delivery, including files written by external
3585       commands that are executed by the local(8) delivery agent.
3586
3587       This limit must not be smaller than the message size limit.
3588

mailbox_transport (default: empty)

3590       Optional message delivery transport that the  local(8)  delivery  agent
3591       should use for mailbox delivery to all local recipients, whether or not
3592       they are found in the UNIX passwd database.
3593
3594       The precedence of local(8) delivery  features  from  high  to  low  is:
3595       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3596       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3597       tory, fallback_transport_maps, fallback_transport and luser_relay.
3598

mailbox_transport_maps (default: empty)

3600       Optional  lookup  tables with per-recipient message delivery transports
3601       to use for local(8) mailbox delivery, whether or not the recipients are
3602       found in the UNIX passwd database.
3603
3604       The  precedence  of  local(8)  delivery  features  from high to low is:
3605       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3606       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
3607       tory, fallback_transport_maps, fallback_transport and luser_relay.
3608
3609       Specify zero or more "type:name" lookup tables, separated by whitespace
3610       or  comma. Tables will be searched in the specified order until a match
3611       is found.
3612
3613       For safety reasons, this feature does not allow  $number  substitutions
3614       in regular expression maps.
3615
3616       This feature is available in Postfix 2.3 and later.
3617

mailq_path (default: see postconf -d output)

3619       Sendmail   compatibility  feature  that  specifies  where  the  Postfix
3620       mailq(1) command is installed. This command can be  used  to  list  the
3621       Postfix mail queue.
3622

manpage_directory (default: see postconf -d output)

3624       Where the Postfix manual pages are installed.
3625

maps_rbl_domains (default: empty)

3627       Obsolete feature: use the reject_rbl_client feature instead.
3628

maps_rbl_reject_code (default: 554)

3630       The  numerical  Postfix  SMTP  server  response code when a remote SMTP
3631       client    request    is    blocked    by     the     reject_rbl_client,
3632       reject_rhsbl_client,  reject_rhsbl_reverse_client,  reject_rhsbl_sender
3633       or reject_rhsbl_recipient restriction.
3634
3635       Do not change this unless you have  a  complete  understanding  of  RFC
3636       5321.
3637

masquerade_classes (default: envelope_sender, header_sender, header_recipient)

3639
3640       What addresses are subject to address masquerading.
3641
3642       By  default,  address  masquerading  is  limited  to  envelope   sender
3643       addresses,  and  to header sender and header recipient addresses.  This
3644       allows you to use address masquerading on a mail  gateway  while  still
3645       being able to forward mail to users on individual machines.
3646
3647       Specify   zero   or   more   of:  envelope_sender,  envelope_recipient,
3648       header_sender, header_recipient
3649

masquerade_domains (default: empty)

3651       Optional list of domains whose subdomain structure will be stripped off
3652       in email addresses.
3653
3654       The  list is processed left to right, and processing stops at the first
3655       match.  Thus,
3656
3657           masquerade_domains = foo.example.com example.com
3658
3659       strips "user@any.thing.foo.example.com" to "user@foo.example.com",  but
3660       strips "user@any.thing.else.example.com" to "user@example.com".
3661
3662       A  domain  name  prefixed with ! means do not masquerade this domain or
3663       its subdomains. Thus,
3664
3665           masquerade_domains = !foo.example.com example.com
3666
3667       does not  change  "user@any.thing.foo.example.com"  or  "user@foo.exam‐
3668       ple.com",  but  strips "user@any.thing.else.example.com" to "user@exam‐
3669       ple.com".
3670
3671       Note: with Postfix version 2.2,  message  header  address  masquerading
3672       happens only when message header address rewriting is enabled:
3673
3674       ·      The message is received with the Postfix sendmail(1) command,
3675
3676       ·      The  message  is  received  from  a  network client that matches
3677              $local_header_rewrite_clients,
3678
3679       ·      The  message   is   received   from   the   network,   and   the
3680              remote_header_rewrite_domain  parameter  specifies  a  non-empty
3681              value.
3682
3683       To   get   the   behavior   before   Postfix   version   2.2,   specify
3684       "local_header_rewrite_clients = static:all".
3685
3686       Example:
3687
3688       masquerade_domains = $mydomain
3689

masquerade_exceptions (default: empty)

3691       Optional  list  of  user  names  that are not subjected to address mas‐
3692       querading, even when their address matches $masquerade_domains.
3693
3694       By default, address masquerading makes no exceptions.
3695
3696       Specify a list of user names, "/file/name"  or  "type:table"  patterns,
3697       separated  by  commas  and/or  whitespace.  The list is matched left to
3698       right, and the search stops on the first match. A "/file/name"  pattern
3699       is  replaced  by  its  contents; a "type:table" lookup table is matched
3700       when a name matches a lookup key (the lookup result is ignored).   Con‐
3701       tinue  long  lines  by  starting the next line with whitespace. Specify
3702       "!pattern" to exclude a name from the list. The form  "!/file/name"  is
3703       supported only in Postfix version 2.4 and later.
3704
3705       Examples:
3706
3707       masquerade_exceptions = root, mailer-daemon
3708       masquerade_exceptions = root
3709

master_service_disable (default: empty)

3711       Selectively disable master(8) listener ports by service type or by ser‐
3712       vice name and type.  Specify a list of service types  ("inet",  "unix",
3713       "fifo",  or  "pass")  or  "name/type" tuples, where "name" is the first
3714       field of a master.cf entry and "type" is a service type. As with  other
3715       Postfix  matchlists, a search stops at the first match.  Specify "!pat‐
3716       tern" to exclude a service from the list.  By  default,  all  master(8)
3717       listener ports are enabled.
3718
3719       Note:  this  feature does not support "/file/name" or "type:table" pat‐
3720       terns, nor does it support wildcards such as  "*"  or  "all".  This  is
3721       intentional.
3722
3723       Examples:
3724
3725       # With Postfix 2.6..2.10 use '.' instead of '/'.
3726       # Turn on all master(8) listener ports (the default).
3727       master_service_disable =
3728       # Turn off only the main SMTP listener port.
3729       master_service_disable = smtp/inet
3730       # Turn off all TCP/IP listener ports.
3731       master_service_disable = inet
3732       # Turn off all TCP/IP listener ports except "foo".
3733       master_service_disable = !foo/inet, inet
3734
3735       This feature is available in Postfix 2.6 and later.
3736

max_idle (default: 100s)

3738       The  maximum  amount  of time that an idle Postfix daemon process waits
3739       for an incoming connection before terminating voluntarily.  This param‐
3740       eter  is  ignored  by the Postfix queue manager and by other long-lived
3741       Postfix daemon processes.
3742
3743       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3744       The default time unit is s (seconds).
3745

max_use (default: 100)

3747       The  maximal  number  of  incoming  connections  that  a Postfix daemon
3748       process will service before terminating voluntarily.  This parameter is
3749       ignored  by  the  Postfix queue manager and by other long-lived Postfix
3750       daemon processes.
3751

maximal_backoff_time (default: 4000s)

3753       The maximal time between attempts to deliver a deferred message.
3754
3755       This parameter should be set to a value greater than or equal to $mini‐
3756       mal_backoff_time. See also $queue_run_delay.
3757
3758       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3759       The default time unit is s (seconds).
3760

maximal_queue_lifetime (default: 5d)

3762       Consider a message as undeliverable, when delivery fails with a  tempo‐
3763       rary   error,  and  the  time  in  the  queue  has  reached  the  maxi‐
3764       mal_queue_lifetime limit.
3765
3766       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3767       The default time unit is d (days).
3768
3769       Specify 0 when mail delivery should be tried only once.
3770

message_drop_headers (default: bcc, content-length, resent-bcc, return-path)

3772       Names  of  message headers that the cleanup(8) daemon will remove after
3773       applying header_checks(5) and before invoking Milter applications.  The
3774       default setting is compatible with Postfix < 3.0.
3775
3776       Specify a list of header names, separated by comma or space.  Names are
3777       matched in a case-insensitive manner.  The  list  of  supported  header
3778       names is limited only by available memory.
3779
3780       This feature is available in Postfix 3.0 and later.
3781

message_reject_characters (default: empty)

3783       The set of characters that Postfix will reject in message content.  The
3784       usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3785       (up to three octal digits) and \\.
3786
3787       Note  1: this feature does not recognize text that requires MIME decod‐
3788       ing. It inspects raw  message  content,  just  like  header_checks  and
3789       body_checks.
3790
3791       Note  2:  this  feature  is  disabled  with "receive_override_options =
3792       no_header_body_checks".
3793
3794       Example:
3795
3796       message_reject_characters = \0
3797
3798       This feature is available in Postfix 2.3 and later.
3799

message_size_limit (default: 10240000)

3801       The maximal size in bytes of a message, including envelope information.
3802
3803       Note: be careful when making changes.  Excessively  small  values  will
3804       result in the loss of non-delivery notifications, when a bounce message
3805       size exceeds the local or remote MTA's message size limit.
3806

message_strip_characters (default: empty)

3808       The set of characters that Postfix will remove  from  message  content.
3809       The  usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3810       \ddd (up to three octal digits) and \\.
3811
3812       Note 1: this feature does not recognize text that requires MIME  decod‐
3813       ing.  It  inspects  raw  message  content,  just like header_checks and
3814       body_checks.
3815
3816       Note 2: this  feature  is  disabled  with  "receive_override_options  =
3817       no_header_body_checks".
3818
3819       Example:
3820
3821       message_strip_characters = \0
3822
3823       This feature is available in Postfix 2.3 and later.
3824

meta_directory (default: see 'postconf -d' output)

3826       The  location  of  non-executable  files that are shared among multiple
3827       Postfix instances,  such  as  postfix-files,  dynamicmaps.cf,  and  the
3828       multi-instance  template files main.cf.proto and master.cf.proto.  This
3829       directory should contain only Postfix-related  files.   Typically,  the
3830       meta_directory  parameter  has the same default as the config_directory
3831       parameter (/etc/postfix or /usr/local/etc/postfix).
3832
3833       For backwards compatibility with Postfix  versions  2.6..2.11,  specify
3834       "meta_directory  =  $daemon_directory"  in main.cf before installing or
3835       upgrading Postfix, or specify  "meta_directory  =  /path/name"  on  the
3836       "make makefiles", "make install" or "make upgrade" command line.
3837
3838       This feature is available in Postfix 3.0 and later.
3839

milter_command_timeout (default: 30s)

3841       The  time  limit  for sending an SMTP command to a Milter (mail filter)
3842       application, and for receiving the response.
3843
3844       Specify a non-zero time value  (an  integral  value  plus  an  optional
3845       one-letter suffix that specifies the time unit).
3846
3847       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3848       The default time unit is s (seconds).
3849
3850       This feature is available in Postfix 2.3 and later.
3851

milter_connect_macros (default: see postconf -d output)

3853       The macros that are sent to Milter  (mail  filter)  applications  after
3854       completion  of  an  SMTP  connection.  See  MILTER_README for a list of
3855       available macro names and their meanings.
3856
3857       This feature is available in Postfix 2.3 and later.
3858

milter_connect_timeout (default: 30s)

3860       The time limit for connecting to a Milter  (mail  filter)  application,
3861       and for negotiating protocol options.
3862
3863       Specify  a  non-zero  time  value  (an  integral value plus an optional
3864       one-letter suffix that specifies the time unit).
3865
3866       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3867       The default time unit is s (seconds).
3868
3869       This feature is available in Postfix 2.3 and later.
3870

milter_content_timeout (default: 300s)

3872       The  time  limit  for sending message content to a Milter (mail filter)
3873       application, and for receiving the response.
3874
3875       Specify a non-zero time value  (an  integral  value  plus  an  optional
3876       one-letter suffix that specifies the time unit).
3877
3878       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3879       The default time unit is s (seconds).
3880
3881       This feature is available in Postfix 2.3 and later.
3882

milter_data_macros (default: see postconf -d output)

3884       The macros that are sent to version 4 or higher  Milter  (mail  filter)
3885       applications  after the SMTP DATA command. See MILTER_README for a list
3886       of available macro names and their meanings.
3887
3888       This feature is available in Postfix 2.3 and later.
3889

milter_default_action (default: tempfail)

3891       The default action when a Milter (mail filter) application is  unavail‐
3892       able or mis-configured. Specify one of the following:
3893
3894       accept Proceed as if the mail filter was not present.
3895
3896       reject Reject  all  further  commands  in this session with a permanent
3897              status code.
3898
3899       tempfail
3900              Reject all further commands in this  session  with  a  temporary
3901              status code.
3902
3903       quarantine
3904              Like  "accept",  but  freeze  the  message  in the "hold" queue.
3905              Available with Postfix 2.6 and later.
3906
3907       This feature is available in Postfix 2.3 and later.
3908

milter_end_of_data_macros (default: see postconf -d output)

3910       The macros that are sent to Milter (mail filter) applications after the
3911       message  end-of-data.  See  MILTER_README for a list of available macro
3912       names and their meanings.
3913
3914       This feature is available in Postfix 2.3 and later.
3915

milter_end_of_header_macros (default: see postconf -d output)

3917       The macros that are sent to Milter (mail filter) applications after the
3918       end  of  the  message header. See MILTER_README for a list of available
3919       macro names and their meanings.
3920
3921       This feature is available in Postfix 2.5 and later.
3922

milter_header_checks (default: empty)

3924       Optional lookup tables for content inspection of message  headers  that
3925       are  produced  by Milter applications.  See the header_checks(5) manual
3926       page available actions. Currently, PREPEND is not implemented.
3927
3928       The following example sends all mail that is marked as SPAM to  a  spam
3929       handling machine. Note that matches are case-insensitive by default.
3930
3931       /etc/postfix/main.cf:
3932           milter_header_checks = pcre:/etc/postfix/milter_header_checks
3933
3934       /etc/postfix/milter_header_checks:
3935           /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
3936
3937       The milter_header_checks mechanism could also be used for whitelisting.
3938       For example it could be used  to  skip  heavy  content  inspection  for
3939       DKIM-signed mail from known friendly domains.
3940
3941       This  feature is available in Postfix 2.7, and as an optional patch for
3942       Postfix 2.6.
3943

milter_helo_macros (default: see postconf -d output)

3945       The macros that are sent to Milter (mail filter) applications after the
3946       SMTP  HELO  or  EHLO command. See MILTER_README for a list of available
3947       macro names and their meanings.
3948
3949       This feature is available in Postfix 2.3 and later.
3950

milter_macro_daemon_name (default: $myhostname)

3952       The {daemon_name} macro value for Milter  (mail  filter)  applications.
3953       See  MILTER_README  for a list of available macro names and their mean‐
3954       ings.
3955
3956       This feature is available in Postfix 2.3 and later.
3957

milter_macro_defaults (default: empty)

3959       Optional list of name=value pairs that specify default values for arbi‐
3960       trary  macros  that  Postfix  may  send  to Milter applications.  These
3961       defaults are used when there is no corresponding information  from  the
3962       message delivery context.
3963
3964       Specify  name=value  or {name}=value pairs separated by comma or white‐
3965       space.  Enclose a pair in "{}" when a value contains  comma  or  white‐
3966       space (this form ignores whitespace after the enclosing "{", around the
3967       "=", and before the enclosing "}").
3968
3969       This feature is available in Postfix 3.1 and later.
3970

milter_macro_v (default: $mail_name $mail_version)

3972       The {v} macro value for Milter (mail filter)  applications.   See  MIL‐
3973       TER_README for a list of available macro names and their meanings.
3974
3975       This feature is available in Postfix 2.3 and later.
3976

milter_mail_macros (default: see postconf -d output)

3978       The macros that are sent to Milter (mail filter) applications after the
3979       SMTP MAIL FROM command. See MILTER_README for a list of available macro
3980       names and their meanings.
3981
3982       This feature is available in Postfix 2.3 and later.
3983

milter_protocol (default: 6)

3985       The  mail  filter protocol version and optional protocol extensions for
3986       communication with a Milter  application;  prior  to  Postfix  2.6  the
3987       default  protocol  is  2.  Postfix sends this version number during the
3988       initial protocol handshake.  It should match the version number that is
3989       expected by the mail filter application (or by its Milter library).
3990
3991       Protocol versions:
3992
3993       2      Use  Sendmail  8  mail  filter  protocol version 2 (default with
3994              Sendmail version 8.11 .. 8.13 and Postfix version 2.3 ..  2.5).
3995
3996       3      Use Sendmail 8 mail filter protocol version 3.
3997
3998       4      Use Sendmail 8 mail filter protocol version 4.
3999
4000       6      Use Sendmail 8 mail filter  protocol  version  6  (default  with
4001              Sendmail version 8.14 and Postfix version 2.6).
4002
4003       Protocol extensions:
4004
4005       no_header_reply
4006              Specify this when the Milter application will not reply for each
4007              individual message header.
4008
4009       This feature is available in Postfix 2.3 and later.
4010

milter_rcpt_macros (default: see postconf -d output)

4012       The macros that are sent to Milter (mail filter) applications after the
4013       SMTP  RCPT  TO command. See MILTER_README for a list of available macro
4014       names and their meanings.
4015
4016       This feature is available in Postfix 2.3 and later.
4017

milter_unknown_command_macros (default: see postconf -d output)

4019       The macros that are sent to version 3 or higher  Milter  (mail  filter)
4020       applications  after  an  unknown SMTP command.  See MILTER_README for a
4021       list of available macro names and their meanings.
4022
4023       This feature is available in Postfix 2.3 and later.
4024

mime_boundary_length_limit (default: 2048)

4026       The maximal length of MIME multipart boundary strings. The MIME proces‐
4027       sor  is unable to distinguish between boundary strings that do not dif‐
4028       fer in the first $mime_boundary_length_limit characters.
4029
4030       This feature is available in Postfix 2.0 and later.
4031

mime_header_checks (default: $header_checks)

4033       Optional lookup tables for content inspection of MIME  related  message
4034       headers, as described in the header_checks(5) manual page.
4035
4036       This feature is available in Postfix 2.0 and later.
4037

mime_nesting_limit (default: 100)

4039       The maximal recursion level that the MIME processor will handle.  Post‐
4040       fix refuses mail that is nested deeper than the specified limit.
4041
4042       This feature is available in Postfix 2.0 and later.
4043

minimal_backoff_time (default: 300s)

4045       The minimal time between attempts to deliver a deferred message;  prior
4046       to Postfix 2.4 the default value was 1000s.
4047
4048       This  parameter also limits the time an unreachable destination is kept
4049       in the short-term, in-memory, destination status cache.
4050
4051       This parameter should be set greater than or equal to $queue_run_delay.
4052       See also $maximal_backoff_time.
4053
4054       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
4055       The default time unit is s (seconds).
4056

multi_instance_directories (default: empty)

4058       An optional list  of  non-default  Postfix  configuration  directories;
4059       these directories belong to additional Postfix instances that share the
4060       Postfix executable files and documentation  with  the  default  Postfix
4061       instance,  and  that  are  started,  stopped,  etc.,  together with the
4062       default Postfix instance.  Specify a list  of  pathnames  separated  by
4063       comma or whitespace.
4064
4065       When  $multi_instance_directories is empty, the postfix(1) command runs
4066       in single-instance mode and operates on a single Postfix instance only.
4067       Otherwise,  the  postfix(1)  command  runs  in  multi-instance mode and
4068       invokes    the    multi-instance    manager    specified    with    the
4069       multi_instance_wrapper  parameter.  The  multi-instance manager in turn
4070       executes postfix(1) commands for the default instance and for all Post‐
4071       fix instances in $multi_instance_directories.
4072
4073       Currently,  this  parameter  setting  is ignored except for the default
4074       main.cf file.
4075
4076       This feature is available in Postfix 2.6 and later.
4077

multi_instance_enable (default: no)

4079       Allow this  Postfix  instance  to  be  started,  stopped,  etc.,  by  a
4080       multi-instance  manager.   By  default,  new instances are created in a
4081       safe state that prevents them from being started  inadvertently.   This
4082       parameter is reserved for the multi-instance manager.
4083
4084       This feature is available in Postfix 2.6 and later.
4085

multi_instance_group (default: empty)

4087       The  optional  instance  group  name  of this Postfix instance. A group
4088       identifies closely-related Postfix instances  that  the  multi-instance
4089       manager  can  start, stop, etc., as a unit.  This parameter is reserved
4090       for the multi-instance manager.
4091
4092       This feature is available in Postfix 2.6 and later.
4093

multi_instance_name (default: empty)

4095       The optional instance name of this Postfix instance. This name  becomes
4096       also the default value for the syslog_name parameter.
4097
4098       This feature is available in Postfix 2.6 and later.
4099

multi_instance_wrapper (default: empty)

4101       The  pathname  of  a multi-instance manager command that the postfix(1)
4102       command invokes when the multi_instance_directories parameter value  is
4103       non-empty.  The  pathname  may be followed by initial command arguments
4104       separated by whitespace; shell metacharacters such as  quotes  are  not
4105       supported in this context.
4106
4107       The  postfix(1) command invokes the manager command with the postfix(1)
4108       non-option command arguments on the manager command line, and with  all
4109       installation configuration parameters exported into the manager command
4110       process environment. The manager command in turn invokes the postfix(1)
4111       command  for  individual Postfix instances as "postfix -c config_direc‐
4112       tory command".
4113
4114       This feature is available in Postfix 2.6 and later.
4115

multi_recipient_bounce_reject_code (default: 550)

4117       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
4118       client request is blocked by the reject_multi_recipient_bounce restric‐
4119       tion.
4120
4121       Do not change this unless you have  a  complete  understanding  of  RFC
4122       5321.
4123
4124       This feature is available in Postfix 2.1 and later.
4125

mydestination (default: $myhostname, localhost.$mydomain, localhost)

4127       The  list  of  domains that are delivered via the $local_transport mail
4128       delivery transport. By default this is the  Postfix  local(8)  delivery
4129       agent  which  looks  up all recipients in /etc/passwd and /etc/aliases.
4130       The SMTP  server  validates  recipient  addresses  with  $local_recipi‐
4131       ent_maps and rejects non-existent recipients. See also the local domain
4132       class in the ADDRESS_CLASS_README file.
4133
4134       The default mydestination value specifies names for the  local  machine
4135       only.  On a mail domain gateway, you should also include $mydomain.
4136
4137       The   $local_transport  delivery  method  is  also  selected  for  mail
4138       addressed to user@[the.net.work.address] of the  mail  system  (the  IP
4139       addresses  specified  with  the  inet_interfaces  and  proxy_interfaces
4140       parameters).
4141
4142       Warnings:
4143
4144       ·      Do not specify the names of virtual domains - those domains  are
4145              specified elsewhere. See VIRTUAL_README for more information.
4146
4147       ·      Do  not specify the names of domains that this machine is backup
4148              MX host for. See STANDARD_CONFIGURATION_README for how to set up
4149              backup MX hosts.
4150
4151       ·      By  default, the Postfix SMTP server rejects mail for recipients
4152              not listed with the  local_recipient_maps  parameter.   See  the
4153              postconf(5) manual for a description of the local_recipient_maps
4154              and unknown_local_recipient_reject_code parameters.
4155
4156       Specify a list of host or domain names,  "/file/name"  or  "type:table"
4157       patterns, separated by commas and/or whitespace. A "/file/name" pattern
4158       is replaced by its contents; a "type:table"  lookup  table  is  matched
4159       when  a name matches a lookup key (the lookup result is ignored).  Con‐
4160       tinue long lines by starting the next line with whitespace.
4161
4162       Examples:
4163
4164       mydestination = $myhostname, localhost.$mydomain $mydomain
4165       mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
4166

mydomain (default: see postconf -d output)

4168       The internet domain name of this mail system.  The default  is  to  use
4169       $myhostname  minus  the  first component, or "localdomain" (Postfix 2.3
4170       and later).  $mydomain is used as a default value for many  other  con‐
4171       figuration parameters.
4172
4173       Example:
4174
4175       mydomain = domain.tld
4176

myhostname (default: see postconf -d output)

4178       The  internet  hostname  of this mail system. The default is to use the
4179       fully-qualified domain name (FQDN) from gethostname(), or  to  use  the
4180       non-FQDN  result  from gethostname() and append ".$mydomain".  $myhost‐
4181       name is used as a default value for many  other  configuration  parame‐
4182       ters.
4183
4184       Example:
4185
4186       myhostname = host.example.com
4187

mynetworks (default: see postconf -d output)

4189       The  list  of  "trusted"  remote SMTP clients that have more privileges
4190       than "strangers".
4191
4192       In particular, "trusted" SMTP clients are allowed to relay mail through
4193       Postfix.  See the smtpd_relay_restrictions parameter description in the
4194       postconf(5) manual.
4195
4196       You can specify the list of "trusted" network addresses by hand or  you
4197       can let Postfix do it for you (which is the default).  See the descrip‐
4198       tion of the mynetworks_style parameter for more information.
4199
4200       If you specify the mynetworks list by hand, Postfix ignores the  mynet‐
4201       works_style setting.
4202
4203       Specify  a list of network addresses or network/netmask patterns, sepa‐
4204       rated by commas and/or whitespace. Continue long lines by starting  the
4205       next line with whitespace.
4206
4207       The  netmask specifies the number of bits in the network part of a host
4208       address.  You can also specify "/file/name" or  "type:table"  patterns.
4209       A  "/file/name"  pattern  is  replaced  by its contents; a "type:table"
4210       lookup table is matched when a table entry matches a lookup string (the
4211       lookup result is ignored).
4212
4213       The  list  is  matched left to right, and the search stops on the first
4214       match.  Specify "!pattern" to exclude an address or network block  from
4215       the  list.  The form "!/file/name" is supported only in Postfix version
4216       2.4 and later.
4217
4218       Note 1: Pattern matching of  domain  names  is  controlled  by  the  or
4219       absence of "mynetworks" in the parent_domain_matches_subdomains parame‐
4220       ter value.
4221
4222       Note 2: IP version 6 address information must be specified inside [] in
4223       the  mynetworks  value,  and  in files specified with "/file/name".  IP
4224       version 6 addresses contain the ":" character, and would  otherwise  be
4225       confused with a "type:table" pattern.
4226
4227       Examples:
4228
4229       mynetworks = 127.0.0.0/8 168.100.189.0/28
4230       mynetworks = !192.168.0.1, 192.168.0.0/28
4231       mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
4232       mynetworks = $config_directory/mynetworks
4233       mynetworks = hash:/etc/postfix/network_table
4234

mynetworks_style (default: Postfix >= 3.0: host, Postfix < 3.0: subnet)

4236       The  method to generate the default value for the mynetworks parameter.
4237       This is the list of trusted networks for relay access control etc.
4238
4239       ·      Specify "mynetworks_style = host" when  Postfix  should  "trust"
4240              only the local machine.
4241
4242       ·      Specify  "mynetworks_style = subnet" when Postfix should "trust"
4243              remote SMTP clients in the same  IP  subnetworks  as  the  local
4244              machine.   On  Linux,  this works correctly only with interfaces
4245              specified with the "ifconfig" command.
4246
4247       ·      Specify "mynetworks_style = class" when Postfix  should  "trust"
4248              remote  SMTP  clients in the same IP class A/B/C networks as the
4249              local machine.  Caution: this may cause Postfix to "trust"  your
4250              entire  provider's network.  Instead, specify an explicit mynet‐
4251              works list by hand, as described with the mynetworks  configura‐
4252              tion parameter.
4253

myorigin (default: $myhostname)

4255       The domain name that locally-posted mail appears to come from, and that
4256       locally posted mail is delivered to. The default, $myhostname, is  ade‐
4257       quate for small sites.  If you run a domain with multiple machines, you
4258       should (1) change this to $mydomain and (2) set up a domain-wide  alias
4259       database that aliases each user to user@that.users.mailhost.
4260
4261       Example:
4262
4263       myorigin = $mydomain
4264

nested_header_checks (default: $header_checks)

4266       Optional lookup tables for content inspection of non-MIME message head‐
4267       ers in attached messages, as described in the  header_checks(5)  manual
4268       page.
4269
4270       This feature is available in Postfix 2.0 and later.
4271

newaliases_path (default: see postconf -d output)

4273       Sendmail  compatibility  feature  that  specifies  the  location of the
4274       newaliases(1) command. This command can be used to rebuild the local(8)
4275       aliases(5) database.
4276

non_fqdn_reject_code (default: 504)

4278       The  numerical  Postfix SMTP server reply code when a client request is
4279       rejected by the  reject_non_fqdn_helo_hostname,  reject_non_fqdn_sender
4280       or reject_non_fqdn_recipient restriction.
4281

non_smtpd_milters (default: empty)

4283       A  list of Milter (mail filter) applications for new mail that does not
4284       arrive via the Postfix smtpd(8) server. This includes local  submission
4285       via the sendmail(1) command line, new mail that arrives via the Postfix
4286       qmqpd(8) server, and old mail that is re-injected into the  queue  with
4287       "postsuper  -r".   Specify  space  or  comma as separator. See the MIL‐
4288       TER_README document for details.
4289
4290       This feature is available in Postfix 2.3 and later.
4291

notify_classes (default: resource, software)

4293       The list of error classes that are  reported  to  the  postmaster.  The
4294       default  is  to report only the most serious problems. The paranoid may
4295       wish to turn on the policy (UCE and mail relaying) and  protocol  error
4296       (broken mail software) reports.
4297
4298       NOTE:  postmaster  notifications  may  contain confidential information
4299       such as SASL passwords or message content.  It is the  system  adminis‐
4300       trator's responsibility to treat such information with care.
4301
4302       The error classes are:
4303
4304       bounce (also implies 2bounce)
4305              Send  the  postmaster copies of the headers of bounced mail, and
4306              send transcripts of SMTP sessions when Postfix rejects mail. The
4307              notification   is   sent  to  the  address  specified  with  the
4308              bounce_notice_recipient configuration parameter (default:  post‐
4309              master).
4310
4311       2bounce
4312              Send undeliverable bounced mail to the postmaster. The notifica‐
4313              tion   is   sent   to   the   address   specified    with    the
4314              2bounce_notice_recipient configuration parameter (default: post‐
4315              master).
4316
4317       data   Send the postmaster a transcript of the  SMTP  session  with  an
4318              error  because a critical data file was unavailable. The notifi‐
4319              cation   is   sent   to   the   address   specified   with   the
4320              error_notice_recipient  configuration  parameter (default: post‐
4321              master).
4322              This feature is available in Postfix 2.9 and later.
4323
4324       delay  Send the postmaster copies of the headers of delayed  mail  (see
4325              delay_warning_time).  The  notification  is  sent to the address
4326              specified with the delay_notice_recipient configuration  parame‐
4327              ter (default: postmaster).
4328
4329       policy Send  the  postmaster  a  transcript  of the SMTP session when a
4330              client request was rejected because of (UCE) policy. The notifi‐
4331              cation   is   sent   to   the   address   specified   with   the
4332              error_notice_recipient configuration parameter  (default:  post‐
4333              master).
4334
4335       protocol
4336              Send  the postmaster a transcript of the SMTP session in case of
4337              client or server protocol errors. The notification  is  sent  to
4338              the address specified with the error_notice_recipient configura‐
4339              tion parameter (default: postmaster).
4340
4341       resource
4342              Inform the postmaster of mail  not  delivered  due  to  resource
4343              problems.   The  notification  is  sent to the address specified
4344              with   the   error_notice_recipient   configuration    parameter
4345              (default: postmaster).
4346
4347       software
4348              Inform  the  postmaster  of  mail  not delivered due to software
4349              problems.  The notification is sent  to  the  address  specified
4350              with    the   error_notice_recipient   configuration   parameter
4351              (default: postmaster).
4352
4353       Examples:
4354
4355       notify_classes = bounce, delay, policy, protocol, resource, software
4356       notify_classes = 2bounce, resource, software
4357

nullmx_reject_code (default: 556)

4359       The numerical reply code when the Postfix SMTP server rejects a  sender
4360       or  recipient address because its domain has a nullmx DNS record (an MX
4361       record with an empty hostname). This is one  of  the  possible  replies
4362       from      the     restrictions     reject_unknown_sender_domain     and
4363       reject_unknown_recipient_domain.
4364
4365       This feature is available in Postfix 3.0 and later.
4366

openssl_path (default: openssl)

4368       The location of the OpenSSL command line program openssl(1).   This  is
4369       used  by  the "postfix tls" command to create private keys, certificate
4370       signing requests, self-signed certificates, and to compute  public  key
4371       digests  for  DANE  TLSA records.  In multi-instance environments, this
4372       parameter is always determined from the configuration  of  the  default
4373       Postfix instance.
4374
4375       Example:
4376
4377           /etc/postfix/main.cf:
4378               # NetBSD pkgsrc:
4379               openssl_path = /usr/pkg/bin/openssl
4380               # Local build:
4381               openssl_path = /usr/local/bin/openssl
4382
4383       This feature is available in Postfix 3.1 and later.
4384

owner_request_special (default: yes)

4386       Enable  special  treatment for owner-listname entries in the aliases(5)
4387       file, and  don't  split  owner-listname  and  listname-request  address
4388       localparts when the recipient_delimiter is set to "-".  This feature is
4389       useful for mailing lists.
4390

parent_domain_matches_subdomains (default: see postconf -d output)

4392       A list of Postfix features where the pattern "example.com" also matches
4393       subdomains  of  example.com,  instead  of requiring an explicit ".exam‐
4394       ple.com" pattern.  This is planned  backwards  compatibility:   eventu‐
4395       ally,  all  Postfix  features  are expected to require explicit ".exam‐
4396       ple.com" style patterns when you really want to match subdomains.
4397
4398       The following Postfix feature names are supported.
4399
4400       Postfix version 1.0 and later
4401              debug_peer_list,    fast_flush_domains,     mynetworks,     per‐
4402              mit_mx_backup_networks, relay_domains, transport_maps
4403
4404       Postfix version 1.1 and later
4405              qmqpd_authorized_clients, smtpd_access_maps,
4406
4407       Postfix version 2.8 and later
4408              postscreen_access_list
4409
4410       Postfix version 3.0 and later
4411              smtpd_client_event_limit_exceptions
4412

permit_mx_backup_networks (default: empty)

4414       Restrict  the  use  of the permit_mx_backup SMTP access feature to only
4415       domains whose primary MX hosts match the listed networks.  The  parame‐
4416       ter  value  syntax  is the same as with the mynetworks parameter; note,
4417       however, that the default value is empty.
4418
4419       Pattern matching of domain names  is  controlled  by  the  presence  or
4420       absence      of     "permit_mx_backup_networks"     in     the     par‐
4421       ent_domain_matches_subdomains parameter value.
4422

pickup_service_name (default: pickup)

4424       The name of the pickup(8) service. This service  picks  up  local  mail
4425       submissions from the Postfix maildrop queue.
4426
4427       This feature is available in Postfix 2.0 and later.
4428

pipe_delivery_status_filter (default: $default_delivery_status_filter)

4430       Optional  filter  for the pipe(8) delivery agent to change the delivery
4431       status code or explanatory text of successful or unsuccessful  deliver‐
4432       ies.  See default_delivery_status_filter for details.
4433
4434       This feature is available in Postfix 3.0 and later.
4435

plaintext_reject_code (default: 450)

4437       The  numerical  Postfix  SMTP  server  response  code when a request is
4438       rejected by the reject_plaintext_session restriction.
4439
4440       This feature is available in Postfix 2.3 and later.
4441

postmulti_control_commands (default: reload flush)

4443       The postfix(1) commands that the postmulti(1) instance  manager  treats
4444       as  "control"  commands,  that  operate on running instances. For these
4445       commands, disabled instances are skipped.
4446
4447       This feature is available in Postfix 2.6 and later.
4448

postmulti_start_commands (default: start)

4450       The postfix(1) commands that the postmulti(1) instance  manager  treats
4451       as  "start"  commands.  For  these  commands,  disabled  instances  are
4452       "checked" rather than  "started",  and  failure  to  "start"  a  member
4453       instance  of  an  instance  group  will  abort  the  start-up  of later
4454       instances.
4455
4456       This feature is available in Postfix 2.6 and later.
4457

postmulti_stop_commands (default: see postconf -d output)

4459       The postfix(1) commands that the postmulti(1) instance  manager  treats
4460       as "stop" commands. For these commands, disabled instances are skipped,
4461       and enabled instances are processed in reverse order.
4462
4463       This feature is available in Postfix 2.6 and later.
4464

postscreen_access_list (default: permit_mynetworks)

4466       Permanent  white/blacklist  for  remote  SMTP  client   IP   addresses.
4467       postscreen(8) searches this list immediately after a remote SMTP client
4468       connects.  Specify a comma- or whitespace-separated  list  of  commands
4469       (in  upper  or  lower case) or lookup tables. The search stops upon the
4470       first command that fires for the client IP address.
4471
4472        permit_mynetworks
4473              Whitelist the client and terminate the search if the  client  IP
4474              address  matches  $mynetworks.  Do not subject the client to any
4475              before/after 220 greeting tests.  Pass  the  connection  immedi‐
4476              ately to a Postfix SMTP server process.
4477              Pattern  matching  of domain names is controlled by the presence
4478              or   absence   of   "postscreen_access_list"   in    the    par‐
4479              ent_domain_matches_subdomains parameter value.
4480
4481        type:table
4482              Query the specified lookup table. Each table lookup result is an
4483              access list, except that access  lists  inside  a  table  cannot
4484              specify type:table entries.
4485              To  discourage  the use of hash, btree, etc. tables, there is no
4486              support for substring matching like smtpd(8).  Use  CIDR  tables
4487              instead.
4488
4489        permit
4490              Whitelist  the  client  and terminate the search. Do not subject
4491              the client to any before/after 220 greeting tests. Pass the con‐
4492              nection immediately to a Postfix SMTP server process.
4493
4494        reject
4495              Blacklist  the  client  and  terminate  the  search. Subject the
4496              client to  the  action  configured  with  the  postscreen_black‐
4497              list_action configuration parameter.
4498
4499        dunno All  postscreen(8)  access lists implicitly have this command at
4500              the end.
4501              When  dunno is executed inside a lookup table, return  from  the
4502              lookup table and evaluate the next command.
4503              When   dunno   is executed outside a lookup table, terminate the
4504              search, and subject the client to  the  configured  before/after
4505              220 greeting tests.
4506
4507       Example:
4508
4509       /etc/postfix/main.cf:
4510           postscreen_access_list = permit_mynetworks,
4511                       cidr:/etc/postfix/postscreen_access.cidr
4512           postscreen_blacklist_action = enforce
4513
4514       /etc/postfix/postscreen_access.cidr:
4515           # Rules are evaluated in the order as specified.
4516           # Blacklist 192.168.* except 192.168.0.1.
4517           192.168.0.1         dunno
4518           192.168.0.0/16      reject
4519
4520       This feature is available in Postfix 2.8.
4521

postscreen_bare_newline_action (default: ignore)

4523       The  action  that postscreen(8) takes when a remote SMTP client sends a
4524       bare newline character, that is, a newline  not  preceded  by  carriage
4525       return.  Specify one of the following:
4526
4527       ignore Ignore  the failure of this test. Allow other tests to complete.
4528              Do not repeat this test before some the result from  some  other
4529              test  expires.  This option is useful for testing and collecting
4530              statistics without blocking mail permanently.
4531
4532       enforce
4533              Allow other tests to complete. Reject attempts to  deliver  mail
4534              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4535              mation.  Repeat this test the next time the client connects.
4536
4537       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4538              this test the next time the client connects.
4539
4540       This feature is available in Postfix 2.8.
4541

postscreen_bare_newline_enable (default: no)

4543       Enable  "bare newline" SMTP protocol tests in the postscreen(8) server.
4544       These tests are expensive: a remote SMTP client must  disconnect  after
4545       it passes the test, before it can talk to a real Postfix SMTP server.
4546
4547       This feature is available in Postfix 2.8.
4548

postscreen_bare_newline_ttl (default: 30d)

4550       The  amount  of time that postscreen(8) will use the result from a suc‐
4551       cessful "bare newline" SMTP protocol test. During this time, the client
4552       IP  address  is  excluded from this test. The default is long because a
4553       remote SMTP client must disconnect after it passes the test, before  it
4554       can talk to a real Postfix SMTP server.
4555
4556       Specify  a  non-zero  time  value  (an  integral value plus an optional
4557       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4558       onds), m (minutes), h (hours), d (days), w (weeks).
4559
4560       This feature is available in Postfix 2.8.
4561

postscreen_blacklist_action (default: ignore)

4563       The action that postscreen(8) takes when a remote SMTP client is perma‐
4564       nently blacklisted with the postscreen_access_list parameter.   Specify
4565       one of the following:
4566
4567       ignore (default)
4568              Ignore  this result. Allow other tests to complete.  Repeat this
4569              test the next time the client connects.  This option  is  useful
4570              for testing and collecting statistics without blocking mail.
4571
4572       enforce
4573              Allow  other  tests to complete. Reject attempts to deliver mail
4574              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4575              mation.  Repeat this test the next time the client connects.
4576
4577       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4578              this test the next time the client connects.
4579
4580       This feature is available in Postfix 2.8.
4581

postscreen_cache_cleanup_interval (default: 12h)

4583       The amount of time between postscreen(8)  cache  cleanup  runs.   Cache
4584       cleanup  increases  the load on the cache database and should therefore
4585       not be run frequently. This feature requires that  the  cache  database
4586       supports  the "delete" and "sequence" operators.  Specify a zero inter‐
4587       val to disable cache cleanup.
4588
4589       After each cache cleanup run, the postscreen(8) daemon logs the  number
4590       of  entries  that were retained and dropped. A cleanup run is logged as
4591       "partial" when the daemon  terminates  early  after  "postfix  reload",
4592       "postfix stop", or no requests for $max_idle seconds.
4593
4594       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4595
4596       This feature is available in Postfix 2.8.
4597

postscreen_cache_map (default: btree:$data_directory/postscreen_cache)

4599       Persistent storage for the postscreen(8) server decisions.
4600
4601       To   share   a   postscreen(8)  cache  between  multiple  postscreen(8)
4602       instances,  use  "postscreen_cache_map  =   proxy:btree:/path/to/file".
4603       This  requires Postfix version 2.9 or later; earlier proxymap(8) imple‐
4604       mentations don't support cache cleanup. For an alternative approach see
4605       the memcache_table(5) manpage.
4606
4607       This feature is available in Postfix 2.8.
4608

postscreen_cache_retention_time (default: 7d)

4610       The  amount  of time that postscreen(8) will cache an expired temporary
4611       whitelist entry before it is removed. This prevents clients from  being
4612       logged  as "NEW" just because their cache entry expired an hour ago. It
4613       also prevents the cache from filling up with clients that  passed  some
4614       deep protocol test once and never came back.
4615
4616       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4617
4618       This feature is available in Postfix 2.8.
4619

postscreen_client_connection_count_limit (default: $smtpd_client_connec‐

4621       tion_count_limit)
4622       How many simultaneous connections any remote SMTP client is allowed  to
4623       have  with the postscreen(8) daemon. By default, this limit is the same
4624       as with the Postfix SMTP server. Note that the triage process can  take
4625       several  seconds,  with  the time spent in postscreen_greet_wait delay,
4626       and with the time spent talking to  the  postscreen(8)  built-in  dummy
4627       SMTP protocol engine.
4628
4629       This feature is available in Postfix 2.8.
4630

postscreen_command_count_limit (default: 20)

4632       The  limit  on  the  total  number  of  commands  per  SMTP session for
4633       postscreen(8)'s built-in SMTP protocol engine.  This SMTP engine defers
4634       or  rejects all attempts to deliver mail, therefore there is no need to
4635       enforce separate limits on the number of junk commands and  error  com‐
4636       mands.
4637
4638       This feature is available in Postfix 2.8.
4639

postscreen_command_filter (default: $smtpd_command_filter)

4641       A  mechanism  to  transform  commands  from  remote  SMTP clients.  See
4642       smtpd_command_filter for further details.
4643
4644       This feature is available in Postfix 2.8 and later.
4645

postscreen_command_time_limit (default: normal: 300s, overload: 10s)

4647       The time limit to read an  entire  command  line  with  postscreen(8)'s
4648       built-in SMTP protocol engine.
4649
4650       This feature is available in Postfix 2.8.
4651

postscreen_disable_vrfy_command (default: $disable_vrfy_command)

4653       Disable  the  SMTP  VRFY command in the postscreen(8) daemon.  See dis‐
4654       able_vrfy_command for details.
4655
4656       This feature is available in Postfix 2.8.
4657

postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_dis‐

4659       card_ehlo_keyword_address_maps)
4660       Lookup  tables,  indexed  by  the remote SMTP client address, with case
4661       insensitive lists of EHLO keywords (pipelining, starttls,  auth,  etc.)
4662       that  the  postscreen(8) server will not send in the EHLO response to a
4663       remote SMTP client. See smtpd_discard_ehlo_keywords for  details.   The
4664       table is not searched by hostname for robustness reasons.
4665
4666       This feature is available in Postfix 2.8 and later.
4667

postscreen_discard_ehlo_keywords (default: $smtpd_discard_ehlo_keywords)

4669       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
4670       etc.) that the postscreen(8) server will not send in the EHLO  response
4671       to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4672
4673       This feature is available in Postfix 2.8 and later.
4674

postscreen_dnsbl_action (default: ignore)

4676       The  action  that  postscreen(8) takes when a remote SMTP client's com‐
4677       bined DNSBL score is equal to or greater than a threshold  (as  defined
4678       with  the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4679       ters).  Specify one of the following:
4680
4681       ignore (default)
4682              Ignore the failure of this test. Allow other tests to  complete.
4683              Repeat this test the next time the client connects.  This option
4684              is useful for testing and collecting statistics without blocking
4685              mail.
4686
4687       enforce
4688              Allow  other  tests to complete. Reject attempts to deliver mail
4689              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4690              mation.  Repeat this test the next time the client connects.
4691
4692       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4693              this test the next time the client connects.
4694
4695       This feature is available in Postfix 2.8.
4696

postscreen_dnsbl_max_ttl (default:

4698       ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
4699       The  maximum amount of time that postscreen(8) will use the result from
4700       a successful DNS-based reputation test before a client  IP  address  is
4701       required  to pass that test again. If the DNS reply specifies a shorter
4702       TTL value, that value will be used unless  it  would  be  smaller  than
4703       postscreen_dnsbl_min_ttl.
4704
4705       Specify  a  non-zero  time  value  (an  integral value plus an optional
4706       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4707       onds), m (minutes), h (hours), d (days), w (weeks).
4708
4709       This  feature is available in Postfix 3.1. The default setting is back‐
4710       wards-compatible with older Postfix versions.
4711

postscreen_dnsbl_min_ttl (default: 60s)

4713       The minimum amount of time that postscreen(8) will use the result  from
4714       a  successful  DNS-based  reputation test before a client IP address is
4715       required to pass that test again. If the DNS reply specifies  a  larger
4716       TTL  value,  that  value  will  be  used unless it would be larger than
4717       postscreen_dnsbl_max_ttl.
4718
4719       Specify a non-zero time value  (an  integral  value  plus  an  optional
4720       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4721       onds), m (minutes), h (hours), d (days), w (weeks).
4722
4723       This feature is available in Postfix 3.1.
4724

postscreen_dnsbl_reply_map (default: empty)

4726       A mapping from actual DNSBL domain name which includes a  secret  pass‐
4727       word,  to the DNSBL domain name that postscreen will reply with when it
4728       rejects mail.  When no mapping is found, the actual DNSBL  domain  will
4729       be used.
4730
4731       For maximal stability it is best to use a file that is read into memory
4732       such as pcre:, regexp: or texthash: (texthash:  is  similar  to  hash:,
4733       except  a)  there  is  no need to run postmap(1) before the file can be
4734       used, and b) texthash: does not detect changes after the file is read).
4735
4736       Example:
4737
4738       /etc/postfix/main.cf:
4739           postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4740
4741       /etc/postfix/dnsbl_reply:
4742          secret.zen.spamhaus.org      zen.spamhaus.org
4743
4744       This feature is available in Postfix 2.8.
4745

postscreen_dnsbl_sites (default: empty)

4747       Optional list of DNS white/blacklist domains, filters and  weight  fac‐
4748       tors.  When  the  list  is  non-empty, the dnsblog(8) daemon will query
4749       these domains with  the  IP  addresses  of  remote  SMTP  clients,  and
4750       postscreen(8)  will  update  an  SMTP  client's  DNSBL  score with each
4751       non-error reply.
4752
4753       Caution: when postscreen rejects mail, it replies with the DNSBL domain
4754       name.  Use  the  postscreen_dnsbl_reply_map  feature to hide "password"
4755       information in DNSBL domain names.
4756
4757       When a client's score is equal to or greater than the threshold  speci‐
4758       fied  with  postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4759       nection with the remote SMTP client.
4760
4761       Specify a list of domain=filter*weight entries, separated by  comma  or
4762       whitespace.
4763
4764       ·      When  no  "=filter"  is  specified,  postscreen(8)  will use any
4765              non-error DNSBL reply.  Otherwise, postscreen(8) uses only DNSBL
4766              replies  that match the filter. The filter has the form d.d.d.d,
4767              where each d is a number, or a pattern inside []  that  contains
4768              one or more ";"-separated numbers or number..number ranges.
4769
4770       ·      When  no  "*weight"  is  specified, postscreen(8) increments the
4771              remote SMTP client's DNSBL score by 1.   Otherwise,  the  weight
4772              must be an integral number, and postscreen(8) adds the specified
4773              weight to the remote SMTP client's DNSBL score.  Specify a nega‐
4774              tive number for whitelisting.
4775
4776       ·      When  one  postscreen_dnsbl_sites  entry produces multiple DNSBL
4777              responses, postscreen(8) applies the weight at most once.
4778
4779       Examples:
4780
4781       To use example.com as a high-confidence blocklist, and  to  block  mail
4782       with example.net and example.org only when both agree:
4783
4784       postscreen_dnsbl_threshold = 2
4785       postscreen_dnsbl_sites = example.com*2, example.net, example.org
4786
4787       To filter only DNSBL replies containing 127.0.0.4:
4788
4789       postscreen_dnsbl_sites = example.com=127.0.0.4
4790
4791       This feature is available in Postfix 2.8.
4792

postscreen_dnsbl_threshold (default: 1)

4794       The  inclusive  lower bound for blocking a remote SMTP client, based on
4795       its combined DNSBL score as  defined  with  the  postscreen_dnsbl_sites
4796       parameter.
4797
4798       This feature is available in Postfix 2.8.
4799

postscreen_dnsbl_timeout (default: 10s)

4801       The  time  limit  for DNSBL or DNSWL lookups. This is separate from the
4802       timeouts  in  the  dnsblog(8)  daemon  which  are  defined  by   system
4803       resolver(3) routines.
4804
4805       This feature is available in Postfix 3.0.
4806

postscreen_dnsbl_ttl (default: 1h)

4808       The  amount  of time that postscreen(8) will use the result from a suc‐
4809       cessful DNS-based  reputation  test  before  a  client  IP  address  is
4810       required to pass that test again.
4811
4812       Specify  a  non-zero  time  value  (an  integral value plus an optional
4813       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4814       onds), m (minutes), h (hours), d (days), w (weeks).
4815
4816       This  feature  is  available  in  Postfix  2.8-3.0.  It was replaced by
4817       postscreen_dnsbl_max_ttl in Postfix 3.1.
4818

postscreen_dnsbl_whitelist_threshold (default: 0)

4820       Allow a remote SMTP client to skip "before" and  "after  220  greeting"
4821       protocol  tests,  based on its combined DNSBL score as defined with the
4822       postscreen_dnsbl_sites parameter.
4823
4824       Specify a negative value to enable this feature. When a  client  passes
4825       the  postscreen_dnsbl_whitelist_threshold  without  having failed other
4826       tests, all pending or disabled tests are flagged as  completed  with  a
4827       time-to-live  value  equal  to  postscreen_dnsbl_ttl.   When a test was
4828       already completed, its time-to-live value is updated  if  it  was  less
4829       than postscreen_dnsbl_ttl.
4830
4831       This feature is available in Postfix 2.11.
4832

postscreen_enforce_tls (default: $smtpd_enforce_tls)

4834       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
4835       require     that     clients     use     TLS      encryption.       See
4836       smtpd_postscreen_enforce_tls for details.
4837
4838       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
4839       postscreen_tls_security_level instead.
4840

postscreen_expansion_filter (default: see postconf -d output)

4842       List of  characters  that  are  permitted  in  postscreen_reject_footer
4843       attribute expansions.  See smtpd_expansion_filter for further details.
4844
4845       This feature is available in Postfix 2.8 and later.
4846

postscreen_forbidden_commands (default: $smtpd_forbidden_commands)

4848       List  of  commands that the postscreen(8) server considers in violation
4849       of the SMTP protocol.  See  smtpd_forbidden_commands  for  syntax,  and
4850       postscreen_non_smtp_command_action for possible actions.
4851
4852       This feature is available in Postfix 2.8.
4853

postscreen_greet_action (default: ignore)

4855       The  action  that  postscreen(8) takes when a remote SMTP client speaks
4856       before   its   turn   within    the    time    specified    with    the
4857       postscreen_greet_wait parameter.  Specify one of the following:
4858
4859       ignore (default)
4860              Ignore  the failure of this test. Allow other tests to complete.
4861              Repeat this test the next time the client connects.  This option
4862              is useful for testing and collecting statistics without blocking
4863              mail.
4864
4865       enforce
4866              Allow other tests to complete. Reject attempts to  deliver  mail
4867              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4868              mation.  Repeat this test the next time the client connects.
4869
4870       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4871              this test the next time the client connects.
4872
4873       In either case, postscreen(8) will not whitelist the remote SMTP client
4874       IP address.
4875
4876       This feature is available in Postfix 2.8.
4877

postscreen_greet_banner (default: $smtpd_banner)

4879       The  text  in  the  optional   "220-text..."   server   response   that
4880       postscreen(8)  sends  ahead  of  the  real  Postfix  SMTP server's "220
4881       text..." response, in an attempt to confuse bad SMTP  clients  so  that
4882       they  speak  before  their turn (pre-greet).  Specify an empty value to
4883       disable this feature.
4884
4885       This feature is available in Postfix 2.8.
4886

postscreen_greet_ttl (default: 1d)

4888       The amount of time that postscreen(8) will use the result from  a  suc‐
4889       cessful  PREGREET  test.  During  this  time,  the client IP address is
4890       excluded from this test. The default is  relatively  short,  because  a
4891       good client can immediately talk to a real Postfix SMTP server.
4892
4893       Specify  a  non-zero  time  value  (an  integral value plus an optional
4894       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4895       onds), m (minutes), h (hours), d (days), w (weeks).
4896
4897       This feature is available in Postfix 2.8.
4898

postscreen_greet_wait (default: normal: 6s, overload: 2s)

4900       The  amount  of time that postscreen(8) will wait for an SMTP client to
4901       send a command before its turn, and for DNS blocklist lookup results to
4902       arrive  (default:  up to 2 seconds under stress, up to 6 seconds other‐
4903       wise).
4904
4905       Specify a non-zero time value  (an  integral  value  plus  an  optional
4906       one-letter suffix that specifies the time unit).
4907
4908       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4909
4910       This feature is available in Postfix 2.8.
4911

postscreen_helo_required (default: $smtpd_helo_required)

4913       Require  that a remote SMTP client sends HELO or EHLO before commencing
4914       a MAIL transaction.
4915
4916       This feature is available in Postfix 2.8.
4917

postscreen_non_smtp_command_action (default: drop)

4919       The action that postscreen(8) takes when a  remote  SMTP  client  sends
4920       non-SMTP  commands  as specified with the postscreen_forbidden_commands
4921       parameter.  Specify one of the following:
4922
4923       ignore Ignore the failure of this test. Allow other tests to  complete.
4924              Do  not  repeat this test before some the result from some other
4925              test expires.  This option is useful for testing and  collecting
4926              statistics without blocking mail permanently.
4927
4928       enforce
4929              Allow  other  tests to complete. Reject attempts to deliver mail
4930              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4931              mation.  Repeat this test the next time the client connects.
4932
4933       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4934              this test the next time the client connects. This action is  the
4935              same  as with the Postfix SMTP server's smtpd_forbidden_commands
4936              feature.
4937
4938       This feature is available in Postfix 2.8.
4939

postscreen_non_smtp_command_enable (default: no)

4941       Enable "non-SMTP command" tests  in  the  postscreen(8)  server.  These
4942       tests are expensive: a client must disconnect after it passes the test,
4943       before it can talk to a real Postfix SMTP server.
4944
4945       This feature is available in Postfix 2.8.
4946

postscreen_non_smtp_command_ttl (default: 30d)

4948       The amount of time that postscreen(8) will use the result from  a  suc‐
4949       cessful  "non_smtp_command"  SMTP  protocol test. During this time, the
4950       client IP address is excluded from  this  test.  The  default  is  long
4951       because  a  client  must disconnect after it passes the test, before it
4952       can talk to a real Postfix SMTP server.
4953
4954       Specify a non-zero time value  (an  integral  value  plus  an  optional
4955       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4956       onds), m (minutes), h (hours), d (days), w (weeks).
4957
4958       This feature is available in Postfix 2.8.
4959

postscreen_pipelining_action (default: enforce)

4961       The action that postscreen(8) takes when a  remote  SMTP  client  sends
4962       multiple  commands  instead  of sending one command and waiting for the
4963       server to respond.  Specify one of the following:
4964
4965       ignore Ignore the failure of this test. Allow other tests to  complete.
4966              Do  not  repeat this test before some the result from some other
4967              test expires.  This option is useful for testing and  collecting
4968              statistics without blocking mail permanently.
4969
4970       enforce
4971              Allow  other  tests to complete. Reject attempts to deliver mail
4972              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4973              mation.  Repeat this test the next time the client connects.
4974
4975       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4976              this test the next time the client connects.
4977
4978       This feature is available in Postfix 2.8.
4979

postscreen_pipelining_enable (default: no)

4981       Enable "pipelining" SMTP protocol tests in  the  postscreen(8)  server.
4982       These  tests  are  expensive:  a  good  client must disconnect after it
4983       passes the test, before it can talk to a real Postfix SMTP server.
4984
4985       This feature is available in Postfix 2.8.
4986

postscreen_pipelining_ttl (default: 30d)

4988       The amount of time that postscreen(8) will use the result from  a  suc‐
4989       cessful  "pipelining"  SMTP protocol test. During this time, the client
4990       IP address is excluded from this test. The default is  long  because  a
4991       good  client  must  disconnect  after it passes the test, before it can
4992       talk to a real Postfix SMTP server.
4993
4994       Specify a non-zero time value  (an  integral  value  plus  an  optional
4995       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4996       onds), m (minutes), h (hours), d (days), w (weeks).
4997
4998       This feature is available in Postfix 2.8.
4999

postscreen_post_queue_limit (default: $default_process_limit)

5001       The number of clients that can be waiting for service from a real Post‐
5002       fix  SMTP  server  process.  When  this queue is full, all clients will
5003       receive a 421 response.
5004
5005       This feature is available in Postfix 2.8.
5006

postscreen_pre_queue_limit (default: $default_process_limit)

5008       The number of non-whitelisted clients that can be waiting for  a  deci‐
5009       sion  whether they will receive service from a real Postfix SMTP server
5010       process. When this queue is  full,  all  non-whitelisted  clients  will
5011       receive a 421 response.
5012
5013       This feature is available in Postfix 2.8.
5014
5016       Optional  information that is appended after a 4XX or 5XX postscreen(8)
5017       server response. See smtpd_reject_footer for further details.
5018
5019       This feature is available in Postfix 2.8 and later.
5020

postscreen_tls_security_level (default: $smtpd_tls_security_level)

5022       The SMTP TLS security  level  for  the  postscreen(8)  server;  when  a
5023       non-empty  value  is  specified, this overrides the obsolete parameters
5024       postscreen_use_tls  and  postscreen_enforce_tls.  See   smtpd_tls_secu‐
5025       rity_level for details.
5026
5027       This feature is available in Postfix 2.8 and later.
5028

postscreen_upstream_proxy_protocol (default: empty)

5030       The  name  of  the proxy protocol used by an optional before-postscreen
5031       proxy agent. When a proxy agent is used, this  protocol  conveys  local
5032       and     remote     address     and     port     information.    Specify
5033       "postscreen_upstream_proxy_protocol = haproxy" to  enable  the  haproxy
5034       protocol.
5035
5036       This feature is available in Postfix 2.10 and later.
5037

postscreen_upstream_proxy_timeout (default: 5s)

5039       The   time   limit   for   the   proxy   protocol  specified  with  the
5040       postscreen_upstream_proxy_protocol parameter.
5041
5042       This feature is available in Postfix 2.10 and later.
5043

postscreen_use_tls (default: $smtpd_use_tls)

5045       Opportunistic TLS: announce STARTTLS support to  remote  SMTP  clients,
5046       but do not require that clients use TLS encryption.
5047
5048       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
5049       postscreen_tls_security_level instead.
5050

postscreen_watchdog_timeout (default: 10s)

5052       How much time a postscreen(8) process may take to respond to  a  remote
5053       SMTP client command or to perform a cache operation before it is termi‐
5054       nated by a built-in watchdog timer.  This is a  safety  mechanism  that
5055       prevents  postscreen(8)  from  becoming  non-responsive due to a bug in
5056       Postfix itself or in system software.  To avoid false alarms and unnec‐
5057       essary cache corruption this limit cannot be set under 10s.
5058
5059       Specify  a  non-zero  time  value  (an  integral value plus an optional
5060       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5061       onds), m (minutes), h (hours), d (days), w (weeks).
5062
5063       This feature is available in Postfix 2.8.
5064

postscreen_whitelist_interfaces (default: static:all)

5066       A   list   of   local   postscreen(8)   server  IP  addresses  where  a
5067       non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5068       whitelist status. This status is required before the client can talk to
5069       a Postfix SMTP  server  process.   By  default,  a  client  can  obtain
5070       postscreen(8)'s  whitelist  status on any local postscreen(8) server IP
5071       address.
5072
5073       When postscreen(8) listens on both primary and backup MX addresses, the
5074       postscreen_whitelist_interfaces parameter can be configured to give the
5075       temporary whitelist status only when a client connects to a primary  MX
5076       address.  Once  a  client  is whitelisted it can talk to a Postfix SMTP
5077       server on any address. Thus, clients that connect  only  to  backup  MX
5078       addresses  will  never become whitelisted, and will never be allowed to
5079       talk to a Postfix SMTP server process.
5080
5081       Specify a list of network addresses or network/netmask patterns,  sepa‐
5082       rated  by commas and/or whitespace. The netmask specifies the number of
5083       bits in the network part of a host  address.  Continue  long  lines  by
5084       starting the next line with whitespace.
5085
5086       You   can  also  specify  "/file/name"  or  "type:table"  patterns.   A
5087       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5088       table is matched when a table entry matches a lookup string (the lookup
5089       result is ignored).
5090
5091       The list is matched left to right, and the search stops  on  the  first
5092       match.  Specify  "!pattern" to exclude an address or network block from
5093       the list.
5094
5095       Note: IP version 6 address information must be specified inside  []  in
5096       the  postscreen_whitelist_interfaces value, and in files specified with
5097       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
5098       would otherwise be confused with a "type:table" pattern.
5099
5100       Example:
5101
5102       /etc/postfix/main.cf:
5103           # Don't whitelist connections to the backup IP address.
5104           postscreen_whitelist_interfaces = !168.100.189.8, static:all
5105
5106       This feature is available in Postfix 2.9 and later.
5107

prepend_delivered_header (default: command, file, forward)

5109       The message delivery contexts where the Postfix local(8) delivery agent
5110       prepends a Delivered-To:  message header with the address that the mail
5111       was  delivered  to.  This  information  is  used for mail delivery loop
5112       detection.
5113
5114       By default, the Postfix local delivery agent prepends  a  Delivered-To:
5115       header  when  forwarding mail and when delivering to file (mailbox) and
5116       command. Turning off the Delivered-To: header when forwarding  mail  is
5117       not recommended.
5118
5119       Specify zero or more of forward, file, or command.
5120
5121       Example:
5122
5123       prepend_delivered_header = forward
5124

process_id (read-only)

5126       The process ID of a Postfix command or daemon process.
5127

process_id_directory (default: pid)

5129       The  location  of Postfix PID files relative to $queue_directory.  This
5130       is a read-only parameter.
5131

process_name (read-only)

5133       The process name of a Postfix command or daemon process.
5134

propagate_unmatched_extensions (default: canonical, virtual)

5136       What address lookup tables copy an address extension  from  the  lookup
5137       key to the lookup result.
5138
5139       For   example,   with  a  virtual(5)  mapping  of  "joe@example.com  =>
5140       joe.user@example.net", the address "joe+foo@example.com" would  rewrite
5141       to "joe.user+foo@example.net".
5142
5143       Specify  zero or more of canonical, virtual, alias, forward, include or
5144       generic. These cause address extension propagation  with  canonical(5),
5145       virtual(5),  and  aliases(5) maps, with local(8) .forward and :include:
5146       file lookups, and with smtp(8) generic maps, respectively.
5147
5148       Note: enabling this feature for types other than canonical and  virtual
5149       is  likely  to  cause  problems  when mail is forwarded to other sites,
5150       especially with mail that is sent to a mailing list exploder address.
5151
5152       Examples:
5153
5154       propagate_unmatched_extensions = canonical, virtual, alias,
5155               forward, include
5156       propagate_unmatched_extensions = canonical, virtual
5157

proxy_interfaces (default: empty)

5159       The network interface addresses that this mail system receives mail  on
5160       by way of a proxy or network address translation unit.
5161
5162       This feature is available in Postfix 2.0 and later.
5163
5164       You must specify your "outside" proxy/NAT addresses when your system is
5165       a backup MX host for other domains, otherwise mail delivery loops  will
5166       happen when the primary MX host is down.
5167
5168       Example:
5169
5170       proxy_interfaces = 1.2.3.4
5171

proxy_read_maps (default: see postconf -d output)

5173       The  lookup tables that the proxymap(8) server is allowed to access for
5174       the read-only service.
5175
5176       Specify zero or more "type:name" lookup tables, separated by whitespace
5177       or comma.  Table references that don't begin with proxy: are ignored.
5178
5179       This feature is available in Postfix 2.0 and later.
5180

proxy_write_maps (default: see postconf -d output)

5182       The  lookup tables that the proxymap(8) server is allowed to access for
5183       the read-write service. Postfix-owned local database  files  should  be
5184       stored  under  the Postfix-owned data_directory.  Table references that
5185       don't begin with proxy: are ignored.
5186
5187       This feature is available in Postfix 2.5 and later.
5188

proxymap_service_name (default: proxymap)

5190       The name of the proxymap read-only table lookup service.  This  service
5191       is normally implemented by the proxymap(8) daemon.
5192
5193       This feature is available in Postfix 2.6 and later.
5194

proxywrite_service_name (default: proxywrite)

5196       The  name of the proxywrite read-write table lookup service.  This ser‐
5197       vice is normally implemented by the proxymap(8) daemon.
5198
5199       This feature is available in Postfix 2.6 and later.
5200

qmgr_clog_warn_time (default: 300s)

5202       The minimal delay between warnings that a specific destination is clog‐
5203       ging up the Postfix active queue. Specify 0 to disable.
5204
5205       This feature is enabled with the helpful_warnings parameter.
5206
5207       This feature is available in Postfix 2.0 and later.
5208

qmgr_daemon_timeout (default: 1000s)

5210       How  much  time  a  Postfix  queue manager process may take to handle a
5211       request before it is terminated by a built-in watchdog timer.
5212
5213       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5214       The default time unit is s (seconds).
5215
5216       This feature is available in Postfix 2.8 and later.
5217

qmgr_fudge_factor (default: 100)

5219       Obsolete feature: the percentage of delivery resources that a busy mail
5220       system will use up for delivery of a large mailing  list message.
5221
5222       This feature exists only in the oqmgr(8) old queue manager. The current
5223       queue manager solves the problem in a better way.
5224

qmgr_ipc_timeout (default: 60s)

5226       The  time  limit  for  the queue manager to send or receive information
5227       over an internal communication channel.  The purpose is to break out of
5228       deadlock  situations. If the time limit is exceeded the software either
5229       retries or aborts the operation.
5230
5231       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5232       The default time unit is s (seconds).
5233
5234       This feature is available in Postfix 2.8 and later.
5235

qmgr_message_active_limit (default: 20000)

5237       The maximal number of messages in the active queue.
5238

qmgr_message_recipient_limit (default: 20000)

5240       The  maximal  number  of recipients held in memory by the Postfix queue
5241       manager, and the maximal size of the short-term, in-memory "dead"  des‐
5242       tination status cache.
5243

qmgr_message_recipient_minimum (default: 10)

5245       The  minimal number of in-memory recipients for any message. This takes
5246       priority over any other in-memory recipient limits  (i.e.,  the  global
5247       qmgr_message_recipient_limit and the per transport _recipient_limit) if
5248       necessary. The minimum value allowed for this parameter is 1.
5249

qmqpd_authorized_clients (default: empty)

5251       What remote QMQP clients are allowed to connect  to  the  Postfix  QMQP
5252       server port.
5253
5254       By  default,  no  client is allowed to use the service. This is because
5255       the QMQP server will relay mail to any destination.
5256
5257       Specify a list of client patterns. A  list  pattern  specifies  a  host
5258       name,  a  domain  name, an internet address, or a network/mask pattern,
5259       where the mask specifies the number of bits in the network part.   When
5260       a  pattern  specifies a file name, its contents are substituted for the
5261       file name; when a pattern is a "type:table" table specification,  table
5262       lookup is used instead.
5263
5264       Patterns are separated by whitespace and/or commas. In order to reverse
5265       the result, precede a pattern with an exclamation point (!).  The  form
5266       "!/file/name" is supported only in Postfix version 2.4 and later.
5267
5268       Pattern  matching  of  domain  names  is  controlled by the presence or
5269       absence of "qmqpd_authorized_clients" in the parent_domain_matches_sub‐
5270       domains parameter value.
5271
5272       Example:
5273
5274       qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
5275

qmqpd_client_port_logging (default: no)

5277       Enable  logging of the remote QMQP client port in addition to the host‐
5278       name and IP address. The logging format is "host[address]:port".
5279
5280       This feature is available in Postfix 2.5 and later.
5281

qmqpd_error_delay (default: 1s)

5283       How long the Postfix QMQP server will pause before sending  a  negative
5284       reply  to  the remote QMQP client. The purpose is to slow down confused
5285       or malicious clients.
5286
5287       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5288       The default time unit is s (seconds).
5289

qmqpd_timeout (default: 300s)

5291       The  time  limit for sending or receiving information over the network.
5292       If a read or write operation blocks for more than  $qmqpd_timeout  sec‐
5293       onds the Postfix QMQP server gives up and disconnects.
5294
5295       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
5296       The default time unit is s (seconds).
5297

queue_directory (default: see postconf -d output)

5299       The location of the Postfix top-level queue directory. This is the root
5300       directory of Postfix daemon processes that run chrooted.
5301

queue_file_attribute_count_limit (default: 100)

5303       The  maximal  number of (name=value) attributes that may be stored in a
5304       Postfix queue file. The limit is enforced by the cleanup(8) server.
5305
5306       This feature is available in Postfix 2.0 and later.
5307

queue_minfree (default: 0)

5309       The minimal amount of free space in bytes in the queue file system that
5310       is  needed to receive mail.  This is currently used by the Postfix SMTP
5311       server to decide if it will accept any mail at all.
5312
5313       By default, the Postfix SMTP server rejects MAIL FROM commands when the
5314       amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5315       sion 2.1 and later).  To specify a higher  minimum  free  space  limit,
5316       specify a queue_minfree value that is at least 1.5*$message_size_limit.
5317
5318       With  Postfix  versions  2.0 and earlier, a queue_minfree value of zero
5319       means there is no minimum required amount of free space.
5320

queue_run_delay (default: 300s)

5322       The time between deferred queue scans by the queue  manager;  prior  to
5323       Postfix 2.4 the default value was 1000s.
5324
5325       This  parameter  should  be  set  less  than or equal to $minimal_back‐
5326       off_time. See also $maximal_backoff_time.
5327
5328       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5329       The default time unit is s (seconds).
5330

queue_service_name (default: qmgr)

5332       The name of the qmgr(8) service. This service manages the Postfix queue
5333       and schedules delivery requests.
5334
5335       This feature is available in Postfix 2.0 and later.
5336

rbl_reply_maps (default: empty)

5338       Optional lookup tables with RBL  response  templates.  The  tables  are
5339       indexed  by  the  RBL domain name. By default, Postfix uses the default
5340       template as specified with the default_rbl_reply configuration  parame‐
5341       ter. See there for a discussion of the syntax of RBL reply templates.
5342
5343       This feature is available in Postfix 2.0 and later.
5344

readme_directory (default: see postconf -d output)

5346       The  location  of Postfix README files that describe how to build, con‐
5347       figure or operate a specific Postfix subsystem or feature.
5348

receive_override_options (default: empty)

5350       Enable or disable recipient validation, built-in content filtering,  or
5351       address  mapping.  Typically,  these are specified in master.cf as com‐
5352       mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
5353
5354       Specify zero or more of the following options.   The  options  override
5355       main.cf  settings  and are either implemented by smtpd(8), qmqpd(8), or
5356       pickup(8) themselves, or they are forwarded to the cleanup server.
5357
5358       no_unknown_recipient_checks
5359              Do not try to reject  unknown  recipients  (SMTP  server  only).
5360              This is typically specified AFTER an external content filter.
5361
5362       no_address_mappings
5363              Disable  canonical address mapping, virtual alias map expansion,
5364              address masquerading,  and  automatic  BCC  (blind  carbon-copy)
5365              recipients.  This is typically specified BEFORE an external con‐
5366              tent filter.
5367
5368       no_header_body_checks
5369              Disable header/body_checks. This is typically specified AFTER an
5370              external content filter.
5371
5372       no_milters
5373              Disable  Milter  (mail  filter)  applications. This is typically
5374              specified AFTER an external content filter.
5375
5376       Note: when the "BEFORE content filter" receive_override_options setting
5377       is  specified  in  the main.cf file, specify the "AFTER content filter"
5378       receive_override_options setting in master.cf (and vice versa).
5379
5380       Examples:
5381
5382       receive_override_options =
5383           no_unknown_recipient_checks, no_header_body_checks
5384       receive_override_options = no_address_mappings
5385
5386       This feature is available in Postfix 2.1 and later.
5387

recipient_bcc_maps (default: empty)

5389       Optional BCC (blind carbon-copy)  address  lookup  tables,  indexed  by
5390       recipient  address.   The  BCC  address  (multiple results are not sup‐
5391       ported) is added when mail enters from outside of Postfix.
5392
5393       Specify zero or more "type:name" lookup tables, separated by whitespace
5394       or  comma. Tables will be searched in the specified order until a match
5395       is found.
5396
5397       The table search order is as follows:
5398
5399       ·      Look up the "user+extension@domain.tld"  address  including  the
5400              optional address extension.
5401
5402       ·      Look  up  the  "user@domain.tld"  address  without  the optional
5403              address extension.
5404
5405       ·      Look up the "user+extension" address local part when the recipi‐
5406              ent domain equals $myorigin, $mydestination, $inet_interfaces or
5407              $proxy_interfaces.
5408
5409       ·      Look up the "user" address local part when the recipient  domain
5410              equals    $myorigin,    $mydestination,    $inet_interfaces   or
5411              $proxy_interfaces.
5412
5413       ·      Look up the "@domain.tld" part.
5414
5415       Note: with Postfix 2.3 and later the BCC address is added as if it  was
5416       specified  with  NOTIFY=NONE.  The sender will not be notified when the
5417       BCC address is undeliverable,  as  long  as  all  down-stream  software
5418       implements RFC 3461.
5419
5420       Note:  with  Postfix 2.2 and earlier the sender will unconditionally be
5421       notified when the BCC address is undeliverable.
5422
5423       Note: automatic BCC recipients are produced  only  for  new  mail.   To
5424       avoid  mailer  loops,  automatic BCC recipients are not generated after
5425       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
5426       itself.
5427
5428       Example:
5429
5430       recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
5431
5432       After a change, run "postmap /etc/postfix/recipient_bcc".
5433
5434       This feature is available in Postfix 2.1 and later.
5435

recipient_canonical_classes (default: envelope_recipient, header_recipient)

5437       What addresses are subject to recipient_canonical_maps address mapping.
5438       By default, recipient_canonical_maps  address  mapping  is  applied  to
5439       envelope recipient addresses, and to header recipient addresses.
5440
5441       Specify one or more of: envelope_recipient, header_recipient
5442
5443       This feature is available in Postfix 2.2 and later.
5444

recipient_canonical_maps (default: empty)

5446       Optional  address mapping lookup tables for envelope and header recipi‐
5447       ent addresses.  The table format and lookups are documented in  canoni‐
5448       cal(5).
5449
5450       Note: $recipient_canonical_maps is processed before $canonical_maps.
5451
5452       Example:
5453
5454       recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
5455

recipient_delimiter (default: empty)

5457       The  set of characters that can separate a user name from its extension
5458       (example: user+foo), or a .forward file name from its extension  (exam‐
5459       ple:  .forward+foo).   Basically, the software tries user+foo and .for‐
5460       ward+foo before trying user and .forward.  This  implementation  recog‐
5461       nizes  one  delimiter  character and one extension per email address or
5462       .forward file name.
5463
5464       When the recipient_delimiter set contains multiple characters  (Postfix
5465       2.11  and  later),  a user name or .forward file name is separated from
5466       its extension by the first character that matches the  recipient_delim‐
5467       iter set.
5468
5469       See canonical(5), local(8), relocated(5) and virtual(5) for the effects
5470       of recipient_delimiter on lookups in aliases, canonical,  virtual,  and
5471       relocated  maps,  and  see the propagate_unmatched_extensions parameter
5472       for propagating an extension from one email address to another.
5473
5474       When used in command_execution_directory, forward_path, or luser_relay,
5475       ${recipient_delimiter}  is replaced with the actual recipient delimiter
5476       that was found in the recipient email address (Postfix 2.11 and later),
5477       or  it is replaced with the main.cf recipient_delimiter parameter value
5478       (Postfix 2.10 and earlier).
5479
5480       The recipient_delimiter is not applied to  the  mailer-daemon  address,
5481       the  postmaster address, or the double-bounce address. With the default
5482       "owner_request_special = yes" setting, the recipient_delimiter is  also
5483       not  applied  to addresses with the special "owner-" prefix or the spe‐
5484       cial "-request" suffix.
5485
5486       Examples:
5487
5488       # Handle Postfix-style extensions.
5489       recipient_delimiter = +
5490
5491       # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
5492       recipient_delimiter = +-
5493
5494       # Use .forward for mail without address extension, and for mail with
5495       # an unrecognized address extension.
5496       forward_path = $home/.forward${recipient_delimiter}${extension},
5497           $home/.forward
5498

reject_code (default: 554)

5500       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
5501       client request is rejected by the "reject" restriction.
5502
5503       Do  not  change  this  unless  you have a complete understanding of RFC
5504       5321.
5505

reject_tempfail_action (default: defer_if_permit)

5507       The Postfix SMTP server's action when a reject-type  restriction  fails
5508       due to a temporary error condition. Specify "defer" to defer the remote
5509       SMTP client request immediately.  With  the  default  "defer_if_permit"
5510       action,  the Postfix SMTP server continues to look for opportunities to
5511       reject mail, and defers the client request only if it  would  otherwise
5512       be accepted.
5513
5514       For  finer  control, see: unverified_recipient_tempfail_action, unveri‐
5515       fied_sender_tempfail_action,    unknown_address_tempfail_action,    and
5516       unknown_helo_hostname_tempfail_action.
5517
5518       This feature is available in Postfix 2.6 and later.
5519

relay_clientcerts (default: empty)

5521       List of tables with remote SMTP client-certificate fingerprints or pub‐
5522       lic key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP
5523       server  will allow access with the permit_tls_clientcerts feature.  The
5524       fingerprint digest algorithm is configurable via the  smtpd_tls_finger‐
5525       print_digest  parameter  (hard-coded  as  md5  prior to Postfix version
5526       2.5).
5527
5528       Postfix lookup tables are in the form of (key, value) pairs.  Since  we
5529       only  need  the  key, the value can be chosen freely, e.g.  the name of
5530       the  user  or   host:   D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80
5531       lutzpc.at.home
5532
5533       Example:
5534
5535       relay_clientcerts = hash:/etc/postfix/relay_clientcerts
5536
5537       For  more  fine-grained  control,  use  check_ccert_access to select an
5538       appropriate  access(5)  policy   for   each   client.    See   RESTRIC‐
5539       TION_CLASS_README.
5540
5541       Note:  Postfix  2.9.0-2.9.5  computed the public key fingerprint incor‐
5542       rectly. To use public-key fingerprints, upgrade  to  Postfix  2.9.6  or
5543       later.
5544
5545       This feature is available with Postfix version 2.2.
5546

relay_destination_concurrency_limit (default: $default_destination_concur‐

5548       rency_limit)
5549       The maximal number of parallel deliveries to the same  destination  via
5550       the  relay  message  delivery  transport. This limit is enforced by the
5551       queue manager. The message delivery transport name is the  first  field
5552       in the entry in the master.cf file.
5553
5554       This feature is available in Postfix 2.0 and later.
5555

relay_destination_recipient_limit (default: $default_destination_recipi‐

5557       ent_limit)
5558       The maximal number of recipients per  message  for  the  relay  message
5559       delivery  transport.  This  limit is enforced by the queue manager. The
5560       message delivery transport name is the first field in the entry in  the
5561       master.cf file.
5562
5563       Setting  this  parameter  to  a  value  of  1  changes  the  meaning of
5564       relay_destination_concurrency_limit from concurrency  per  domain  into
5565       concurrency per recipient.
5566
5567       This feature is available in Postfix 2.0 and later.
5568

relay_domains (default: Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)

5570       What  destination  domains  (and  subdomains  thereof) this system will
5571       relay mail to. For details about how the relay_domains value  is  used,
5572       see    the    description    of    the    permit_auth_destination   and
5573       reject_unauth_destination SMTP recipient restrictions.
5574
5575       Domains that match $relay_domains are delivered with the  $relay_trans‐
5576       port  mail  delivery  transport.  The  SMTP  server validates recipient
5577       addresses with $relay_recipient_maps and rejects  non-existent  recipi‐
5578       ents.   See   also   the   relay   domains   address   class   in   the
5579       ADDRESS_CLASS_README file.
5580
5581       Note: Postfix will not automatically forward mail for domains that list
5582       this  system  as  their  primary  or  backup  MX  host.  See  the  per‐
5583       mit_mx_backup restriction in the postconf(5) manual page.
5584
5585       Specify a list of  host  or  domain  names,  "/file/name"  patterns  or
5586       "type:table"  lookup  tables,  separated  by  commas and/or whitespace.
5587       Continue long lines by  starting  the  next  line  with  whitespace.  A
5588       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5589       table is matched when a (parent) domain appears as lookup key.  Specify
5590       "!pattern" to exclude a domain from the list. The form "!/file/name" is
5591       supported only in Postfix version 2.4 and later.
5592
5593       Pattern matching of domain names  is  controlled  by  the  presence  or
5594       absence  of  "relay_domains"  in  the  parent_domain_matches_subdomains
5595       parameter value.
5596

relay_domains_reject_code (default: 554)

5598       The numerical Postfix SMTP server response code when a  client  request
5599       is rejected by the reject_unauth_destination recipient restriction.
5600
5601       Do  not  change  this  unless  you have a complete understanding of RFC
5602       5321.
5603

relay_recipient_maps (default: empty)

5605       Optional lookup tables with all valid addresses  in  the  domains  that
5606       match  $relay_domains.  Specify @domain as a wild-card for domains that
5607       have no valid recipient list, and become a source of backscatter  mail:
5608       Postfix  accepts spam for non-existent recipients and then floods inno‐
5609       cent people with undeliverable mail.  Technically, tables  listed  with
5610       $relay_recipient_maps  are used as lists: Postfix needs to know only if
5611       a lookup string is found or not, but it does not use  the  result  from
5612       table lookup.
5613
5614       Specify zero or more "type:name" lookup tables, separated by whitespace
5615       or comma. Tables will be searched in the specified order until a  match
5616       is found.
5617
5618       If  this  parameter  is  non-empty,  then  the Postfix SMTP server will
5619       reject mail to unknown relay users. This feature is off by default.
5620
5621       See also the relay domains address class  in  the  ADDRESS_CLASS_README
5622       file.
5623
5624       Example:
5625
5626       relay_recipient_maps = hash:/etc/postfix/relay_recipients
5627
5628       This feature is available in Postfix 2.0 and later.
5629

relay_transport (default: relay)

5631       The default mail delivery transport and next-hop destination for remote
5632       delivery to domains listed with $relay_domains. In order of  decreasing
5633       precedence,  the  nexthop  destination  is taken from $relay_transport,
5634       $sender_dependent_relayhost_maps, $relayhost,  or  from  the  recipient
5635       domain. This information can be overruled with the transport(5) table.
5636
5637       Specify  a string of the form transport:nexthop, where transport is the
5638       name of a mail delivery transport defined in master.cf.   The  :nexthop
5639       destination is optional; its syntax is documented in the manual page of
5640       the corresponding delivery agent.
5641
5642       See also the relay domains address class  in  the  ADDRESS_CLASS_README
5643       file.
5644
5645       This feature is available in Postfix 2.0 and later.
5646

relayhost (default: empty)

5648       The next-hop destination of non-local mail; overrides non-local domains
5649       in recipient addresses. This information is overruled with relay_trans‐
5650       port,    sender_dependent_default_transport_maps,    default_transport,
5651       sender_dependent_relayhost_maps and with the transport(5) table.
5652
5653       On an intranet, specify the organizational domain name. If your  inter‐
5654       nal  DNS  uses  no MX records, specify the name of the intranet gateway
5655       host instead.
5656
5657       In the case of SMTP, specify a domain  name,  hostname,  hostname:port,
5658       [hostname]:port,  [hostaddress]  or [hostaddress]:port. The form [host‐
5659       name] turns off MX lookups.
5660
5661       If you're connected via UUCP,  see  the  UUCP_README  file  for  useful
5662       information.
5663
5664       Examples:
5665
5666       relayhost = $mydomain
5667       relayhost = [gateway.example.com]
5668       relayhost = uucphost
5669       relayhost = [an.ip.add.ress]
5670

relocated_maps (default: empty)

5672       Optional  lookup  tables  with  new  contact  information  for users or
5673       domains that no longer exist.  The table format and lookups  are  docu‐
5674       mented in relocated(5).
5675
5676       Specify zero or more "type:name" lookup tables, separated by whitespace
5677       or comma. Tables will be searched in the specified order until a  match
5678       is found.
5679
5680       If  you use this feature, run "postmap /etc/postfix/relocated" to build
5681       the necessary DBM or DB file after change,  then  "postfix  reload"  to
5682       make the changes visible.
5683
5684       Examples:
5685
5686       relocated_maps = dbm:/etc/postfix/relocated
5687       relocated_maps = hash:/etc/postfix/relocated
5688

remote_header_rewrite_domain (default: empty)

5690       Don't  rewrite  message  headers  from  remote clients at all when this
5691       parameter is empty; otherwise, rewrite message headers and  append  the
5692       specified  domain  name  to incomplete addresses.  The local_header_re‐
5693       write_clients parameter controls what clients Postfix considers local.
5694
5695       Examples:
5696
5697       The  safe  setting:  append  "domain.invalid"  to   incomplete   header
5698       addresses  from  remote SMTP clients, so that those addresses cannot be
5699       confused with local addresses.
5700
5701           remote_header_rewrite_domain = domain.invalid
5702
5703       The default, purist, setting: don't rewrite headers from remote clients
5704       at all.
5705
5706           remote_header_rewrite_domain =
5707

require_home_directory (default: no)

5709       Require  that  a local(8) recipient's home directory exists before mail
5710       delivery is attempted. By default this test is  disabled.   It  can  be
5711       useful for environments that import home directories to the mail server
5712       (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5713

reset_owner_alias (default: no)

5715       Reset the local(8) delivery agent's idea of the owner-alias  attribute,
5716       when  delivering mail to a child alias that does not have its own owner
5717       alias.
5718
5719       This feature is available in Postfix 2.8 and later. With older  Postfix
5720       releases, the behavior is as if this parameter is set to "yes".
5721
5722       As  documented  in aliases(5), when an alias name has a companion alias
5723       named owner-name, this will replace the  envelope  sender  address,  so
5724       that delivery errors will be reported to the owner alias instead of the
5725       sender. This configuration is recommended for mailing lists.
5726
5727       A less known property of the owner alias is that  it  also  forces  the
5728       local(8)  delivery agent to write local and remote addresses from alias
5729       expansion to a new queue file, instead of attempting to deliver mail to
5730       local addresses as soon as they come out of alias expansion.
5731
5732       Writing local addresses from alias expansion to a new queue file allows
5733       for robust handling of temporary delivery errors: errors with one local
5734       member  have  no effect on deliveries to other members of the list.  On
5735       the other hand, delivery to local addresses as soon as they come out of
5736       alias  expansion  is  fragile: a temporary error with one local address
5737       from alias expansion will cause the entire alias to be expanded repeat‐
5738       edly  until  the  error  goes away, or until the message expires in the
5739       queue.  In that case, a problem with one list member results in  multi‐
5740       ple message deliveries to other list members.
5741
5742       The  default  behavior  of  Postfix  2.8  and  later  is  to  keep  the
5743       owner-alias attribute of the parent alias, when delivering  mail  to  a
5744       child  alias  that  does  not  have  its  own  owner alias. Then, local
5745       addresses from that child alias will be written to a  new  queue  file,
5746       and  a  temporary error with one local address will not affect delivery
5747       to other mailing list members.
5748
5749       Unfortunately, older Postfix releases reset the  owner-alias  attribute
5750       when  delivering mail to a child alias that does not have its own owner
5751       alias. To be precise, this resets only the decision  to  create  a  new
5752       queue  file,  not the decision to override the envelope sender address.
5753       The local(8) delivery agent then attempts to deliver local addresses as
5754       soon  as  they  come  out of child alias expansion.  If delivery to any
5755       address from child alias expansion fails with a temporary error  condi‐
5756       tion, the entire mailing list may be expanded repeatedly until the mail
5757       expires in the queue, resulting in multiple deliveries of the same mes‐
5758       sage to mailing list members.
5759

resolve_dequoted_address (default: yes)

5761       Resolve  a  recipient  address  safely instead of correctly, by looking
5762       inside quotes.
5763
5764       By default, the Postfix address resolver does  not  quote  the  address
5765       localpart  as  per  RFC  822, so that additional @ or % or !  operators
5766       remain visible. This behavior is safe but it is also technically incor‐
5767       rect.
5768
5769       If  you  specify  "resolve_dequoted_address  =  no",  then  the Postfix
5770       resolver will not know about additional @ etc. operators in the address
5771       localpart. This opens opportunities for obscure mail relay attacks with
5772       user@domain@domain addresses when Postfix provides  backup  MX  service
5773       for Sendmail systems.
5774

resolve_null_domain (default: no)

5776       Resolve  an  address  that  ends in the "@" null domain as if the local
5777       hostname were specified, instead of rejecting the address as invalid.
5778
5779       This feature is available in Postfix 2.1 and later.   Earlier  versions
5780       always resolve the null domain as the local hostname.
5781
5782       The  Postfix  SMTP  server  uses this feature to reject mail from or to
5783       addresses that end in the "@" null domain, and from addresses that  re‐
5784       write into a form that ends in the "@" null domain.
5785

resolve_numeric_domain (default: no)

5787       Resolve  "user@ipaddress"  as  "user@[ipaddress]", instead of rejecting
5788       the address as invalid.
5789
5790       This feature is available in Postfix 2.3 and later.
5791

rewrite_service_name (default: rewrite)

5793       The name of  the  address  rewriting  service.  This  service  rewrites
5794       addresses  to  standard  form  and resolves them to a (delivery method,
5795       next-hop host, recipient) triple.
5796
5797       This feature is available in Postfix 2.0 and later.
5798

sample_directory (default: /etc/postfix)

5800       The name of the directory with  example  Postfix  configuration  files.
5801       Starting  with  Postfix  2.1,  these  files have been replaced with the
5802       postconf(5) manual page.
5803

send_cyrus_sasl_authzid (default: no)

5805       When authenticating to a remote SMTP or LMTP server  with  the  default
5806       setting  "no",  send  no SASL authoriZation ID (authzid); send only the
5807       SASL authentiCation ID (authcid) plus the authcid's password.
5808
5809       The non-default setting "yes" enables the  behavior  of  older  Postfix
5810       versions.   These  always send a SASL authzid that is equal to the SASL
5811       authcid, but this  causes  interoperability  problems  with  some  SMTP
5812       servers.
5813
5814       This feature is available in Postfix 2.4.4 and later.
5815

sender_based_routing (default: no)

5817       This  parameter  should  not  be used. It was replaced by sender_depen‐
5818       dent_relayhost_maps in Postfix version 2.3.
5819

sender_bcc_maps (default: empty)

5821       Optional BCC (blind carbon-copy)  address  lookup  tables,  indexed  by
5822       sender  address.   The BCC address (multiple results are not supported)
5823       is added when mail enters from outside of Postfix.
5824
5825       Specify zero or more "type:name" lookup tables, separated by whitespace
5826       or  comma. Tables will be searched in the specified order until a match
5827       is found.
5828
5829       The table search order is as follows:
5830
5831       ·      Look up the "user+extension@domain.tld"  address  including  the
5832              optional address extension.
5833
5834       ·      Look  up  the  "user@domain.tld"  address  without  the optional
5835              address extension.
5836
5837       ·      Look up the "user+extension" address local part when the  sender
5838              domain  equals  $myorigin,  $mydestination,  $inet_interfaces or
5839              $proxy_interfaces.
5840
5841       ·      Look up the "user" address local part  when  the  sender  domain
5842              equals    $myorigin,    $mydestination,    $inet_interfaces   or
5843              $proxy_interfaces.
5844
5845       ·      Look up the "@domain.tld" part.
5846
5847       Note: with Postfix 2.3 and later the BCC address is added as if it  was
5848       specified  with  NOTIFY=NONE.  The sender will not be notified when the
5849       BCC address is undeliverable,  as  long  as  all  down-stream  software
5850       implements RFC 3461.
5851
5852       Note: with Postfix 2.2 and earlier the sender will be notified when the
5853       BCC address is undeliverable.
5854
5855       Note: automatic BCC recipients are produced  only  for  new  mail.   To
5856       avoid  mailer  loops,  automatic BCC recipients are not generated after
5857       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
5858       itself.
5859
5860       Example:
5861
5862       sender_bcc_maps = hash:/etc/postfix/sender_bcc
5863
5864       After a change, run "postmap /etc/postfix/sender_bcc".
5865
5866       This feature is available in Postfix 2.1 and later.
5867

sender_canonical_classes (default: envelope_sender, header_sender)

5869       What  addresses  are  subject to sender_canonical_maps address mapping.
5870       By default, sender_canonical_maps address mapping is applied  to  enve‐
5871       lope sender addresses, and to header sender addresses.
5872
5873       Specify one or more of: envelope_sender, header_sender
5874
5875       This feature is available in Postfix 2.2 and later.
5876

sender_canonical_maps (default: empty)

5878       Optional  address  mapping lookup tables for envelope and header sender
5879       addresses.  The table format and  lookups  are  documented  in  canoni‐
5880       cal(5).
5881
5882       Example:  you  want to rewrite the SENDER address "user@ugly.domain" to
5883       "user@pretty.domain", while still being able to send mail to the RECIP‐
5884       IENT address "user@ugly.domain".
5885
5886       Note: $sender_canonical_maps is processed before $canonical_maps.
5887
5888       Example:
5889
5890       sender_canonical_maps = hash:/etc/postfix/sender_canonical
5891

sender_dependent_default_transport_maps (default: empty)

5893       A  sender-dependent override for the global default_transport parameter
5894       setting. The tables are searched by the  envelope  sender  address  and
5895       @domain.  A  lookup result of DUNNO terminates the search without over‐
5896       riding the global default_transport parameter setting.   This  informa‐
5897       tion is overruled with the transport(5) table.
5898
5899       Specify zero or more "type:name" lookup tables, separated by whitespace
5900       or comma. Tables will be searched in the specified order until a  match
5901       is found.
5902
5903       Note:  this overrides default_transport, not transport_maps, and there‐
5904       fore the expected syntax is that of default_transport, not  the  syntax
5905       of  transport_maps.   Specifically,  this  does  not support the trans‐
5906       port_maps syntax for  null  transport,  null  nexthop,  or  null  email
5907       addresses.
5908
5909       For  safety  reasons, this feature does not allow $number substitutions
5910       in regular expression maps.
5911
5912       This feature is available in Postfix 2.7 and later.
5913

sender_dependent_relayhost_maps (default: empty)

5915       A sender-dependent override for the global relayhost parameter setting.
5916       The  tables  are searched by the envelope sender address and @domain. A
5917       lookup result of DUNNO terminates the  search  without  overriding  the
5918       global relayhost parameter setting (Postfix 2.6 and later). This infor‐
5919       mation    is    overruled    with    relay_transport,     sender_depen‐
5920       dent_default_transport_maps,  default_transport  and  with  the  trans‐
5921       port(5) table.
5922
5923       Specify zero or more "type:name" lookup tables, separated by whitespace
5924       or  comma. Tables will be searched in the specified order until a match
5925       is found.
5926
5927       For safety reasons, this feature does not allow  $number  substitutions
5928       in regular expression maps.
5929
5930       This feature is available in Postfix 2.3 and later.
5931

sendmail_fix_line_endings (default: always)

5933       Controls  how  the Postfix sendmail command converts email message line
5934       endings from <CR><LF> into UNIX format (<LF>).
5935
5936       always Always convert message lines ending in <CR><LF>. This setting is
5937              the default with Postfix 2.9 and later.
5938
5939       strict Convert message lines ending in <CR><LF> only if the first input
5940              line ends in <CR><LF>. This setting is backwards-compatible with
5941              Postfix 2.8 and earlier.
5942
5943       never  Never  convert  message  lines  ending in <CR><LF>. This setting
5944              exists for completeness only.
5945
5946       This feature is available in Postfix 2.9 and later.
5947

sendmail_path (default: see postconf -d output)

5949       A Sendmail compatibility feature that specifies  the  location  of  the
5950       Postfix  sendmail(1)  command.  This command can be used to submit mail
5951       into the Postfix queue.
5952

service_name (read-only)

5954       The master.cf service name of a Postfix daemon  process.  This  can  be
5955       used  to  distinguish  the logging from different services that use the
5956       same program name.
5957
5958       Example master.cf entries:
5959
5960       # Distinguish inbound MTA logging from submission and smtps logging.
5961       smtp      inet  n       -       n       -       -       smtpd
5962       submission inet n       -       n       -       -       smtpd
5963           -o syslog_name=postfix/$service_name
5964       smtps     inet  n       -       n       -       -       smtpd
5965           -o syslog_name=postfix/$service_name
5966
5967       # Distinguish outbound MTA logging from inbound relay logging.
5968       smtp      unix  -       -       n       -       -       smtp
5969       relay     unix  -       -       n       -       -       smtp
5970           -o syslog_name=postfix/$service_name
5971

service_throttle_time (default: 60s)

5973       How long the Postfix master(8)  waits  before  forking  a  server  that
5974       appears to be malfunctioning.
5975
5976       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
5977       The default time unit is s (seconds).
5978

setgid_group (default: postdrop)

5980       The group ownership of set-gid Postfix commands and  of  group-writable
5981       Postfix  directories.  When this parameter value is changed you need to
5982       re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
5983       "/etc/postfix/post-install set-permissions".
5984

shlib_directory (default: see 'postconf -d' output)

5986       The location of Postfix dynamically-linked libraries (libpostfix-*.so),
5987       and the default location of  Postfix  database  plugins  (postfix-*.so)
5988       that  have  a  relative  pathname  in  the  dynamicmaps.cf  file.   The
5989       shlib_directory  parameter  defaults  to  "no"  when  Postfix   dynami‐
5990       cally-linked  libraries  and  database  plugins are disabled at compile
5991       time,  otherwise  it  typically   defaults   to   /usr/lib/postfix   or
5992       /usr/local/lib/postfix.
5993
5994       Notes:
5995
5996       ·      The directory specified with shlib_directory should contain only
5997              Postfix-related files. Postfix dynamically-linked libraries  and
5998              database  plugins  should  not be installed in a "public" system
5999              directory such as /usr/lib or  /usr/local/lib.  Linking  Postfix
6000              dynamically-linked   library  files  or  database  plugins  into
6001              non-Postfix  programs  is  not   supported.    Postfix   dynami‐
6002              cally-linked  libraries  and  database plugins implement a Post‐
6003              fix-internal API that changes without maintaining compatibility.
6004
6005       ·      You can change the shlib_directory value after Postfix is built.
6006              However,  you  may have to run ldconfig or equivalent to prevent
6007              Postfix programs from failing because the libpostfix-*.so  files
6008              are  not  found.   No ldconfig command is needed if you keep the
6009              libpostfix-*.so files in the compiled-in  default  $shlib_direc‐
6010              tory location.
6011
6012       This feature is available in Postfix 3.0 and later.
6013

show_user_unknown_table_name (default: yes)

6015       Display  the  name  of  the  recipient  table  in  the  "User  unknown"
6016       responses.  The extra detail makes trouble  shooting  easier  but  also
6017       reveals information that is nobody elses business.
6018
6019       This feature is available in Postfix 2.0 and later.
6020

showq_service_name (default: showq)

6022       The name of the showq(8) service. This service produces mail queue sta‐
6023       tus reports.
6024
6025       This feature is available in Postfix 2.0 and later.
6026

smtp_address_preference (default: any)

6028       The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6029       will  try  first,  when  a destination has IPv6 and IPv4 addresses with
6030       equal MX preference. This feature has no effect unless the  inet_proto‐
6031       cols setting enables both IPv4 and IPv6.
6032
6033       Postfix  SMTP  client  address preference has evolved. With Postfix 2.8
6034       the default is "ipv6"; earlier implementations are hard-coded to prefer
6035       IPv6 over IPv4.
6036
6037       Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6038       nectivity:
6039
6040       ·      The setting "smtp_address_preference = ipv6" is unsafe.  It  can
6041              fail  to deliver mail when there is an outage that affects IPv6,
6042              while the destination is still reachable over IPv4.
6043
6044       ·      The setting "smtp_address_preference = any" is safe. With  this,
6045              mail  will  eventually  be  delivered even if there is an outage
6046              that affects IPv6 or IPv4, as long as it does not affect both.
6047
6048       This feature is available in Postfix 2.8 and later.
6049

smtp_address_verify_target (default: rcpt)

6051       In the context of email address verification, the SMTP  protocol  stage
6052       that  determines  whether an email address is deliverable.  Specify one
6053       of "rcpt" or "data".  The latter is needed  with  remote  SMTP  servers
6054       that  reject  recipients  after the DATA command. Use transport_maps to
6055       apply this feature selectively:
6056
6057           /etc/postfix/main.cf:
6058               transport_maps = hash:/etc/postfix/transport
6059
6060           /etc/postfix/transport:
6061               smtp-domain-that-verifies-after-data    smtp-data-target:
6062               lmtp-domain-that-verifies-after-data    lmtp-data-target:
6063
6064           /etc/postfix/master.cf:
6065               smtp-data-target    unix    -    -    n    -    -    smtp
6066                   -o smtp_address_verify_target=data
6067               lmtp-data-target    unix    -    -    n    -    -    lmtp
6068                   -o lmtp_address_verify_target=data
6069
6070       Unselective use of the "data" target does no harm, but will  result  in
6071       unnecessary  "lost  connection  after  DATA" events at remote SMTP/LMTP
6072       servers.
6073
6074       This feature is available in Postfix 3.0 and later.
6075

smtp_always_send_ehlo (default: yes)

6077       Always send EHLO at the start of an SMTP session.
6078
6079       With "smtp_always_send_ehlo = no", the Postfix SMTP client  sends  EHLO
6080       only when the word "ESMTP" appears in the server greeting banner (exam‐
6081       ple: 220 spike.porcupine.org ESMTP Postfix).
6082

smtp_balance_inet_protocols (default: yes)

6084       When a remote destination resolves to a combination of  IPv4  and  IPv6
6085       addresses,  ensure  that  the  Postfix SMTP client can try both address
6086       types before it runs into the smtp_mx_address_limit.
6087
6088       This avoids an interoperability problem when a destination resolves  to
6089       primarily  IPv6  addresses,  the  smtp_address_limit feature eliminates
6090       most or all IPv4 addresses, and the destination is not  reachable  over
6091       IPv6.
6092
6093       This feature is available in Postfix 3.3 and later.
6094

smtp_bind_address (default: empty)

6096       An  optional  numerical  network  address  that the Postfix SMTP client
6097       should bind to when making an IPv4 connection.
6098
6099       This can be specified in the main.cf file for all SMTP clients,  or  it
6100       can be specified in the master.cf file for a specific client, for exam‐
6101       ple:
6102
6103           /etc/postfix/master.cf:
6104               smtp ... smtp -o smtp_bind_address=11.22.33.44
6105
6106       Note 1: when inet_interfaces specifies no more than one  IPv4  address,
6107       and that address is a non-loopback address, it is automatically used as
6108       the smtp_bind_address.  This supports virtual IP hosting, but can be  a
6109       problem on multi-homed firewalls. See the inet_interfaces documentation
6110       for more detail.
6111
6112       Note 2: address information may be enclosed inside [], but this form is
6113       not required here.
6114

smtp_bind_address6 (default: empty)

6116       An  optional  numerical  network  address  that the Postfix SMTP client
6117       should bind to when making an IPv6 connection.
6118
6119       This feature is available in Postfix 2.2 and later.
6120
6121       This can be specified in the main.cf file for all SMTP clients,  or  it
6122       can be specified in the master.cf file for a specific client, for exam‐
6123       ple:
6124
6125           /etc/postfix/master.cf:
6126               smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6127
6128       Note 1: when inet_interfaces specifies no more than one  IPv6  address,
6129       and that address is a non-loopback address, it is automatically used as
6130       the smtp_bind_address6.  This supports virtual IP hosting, but can be a
6131       problem on multi-homed firewalls. See the inet_interfaces documentation
6132       for more detail.
6133
6134       Note 2: address information may be enclosed inside [], but this form is
6135       not recommended here.
6136

smtp_body_checks (default: empty)

6138       Restricted  body_checks(5)  tables  for the Postfix SMTP client.  These
6139       tables are searched while mail is being delivered.  Actions that change
6140       the delivery time or destination are not available.
6141
6142       This feature is available in Postfix 2.5 and later.
6143

smtp_cname_overrides_servername (default: version dependent)

6145       When  the remote SMTP servername is a DNS CNAME, replace the servername
6146       with the result from CNAME expansion for the purpose of  logging,  SASL
6147       password lookup, TLS policy decisions, or TLS certificate verification.
6148       The value "no" hardens Postfix smtp_tls_per_site  hostname-based  poli‐
6149       cies against false hostname information in DNS CNAME records, and makes
6150       SASL password file lookups more predictable. This is the  default  set‐
6151       ting as of Postfix 2.3.
6152
6153       When   DNS   CNAME  records  are  validated  with  secure  DNS  lookups
6154       (smtp_dns_support_level = dnssec), they are always allowed to  override
6155       the above servername (Postfix 2.11 and later).
6156
6157       This feature is available in Postfix 2.2.9 and later.
6158

smtp_connect_timeout (default: 30s)

6160       The  Postfix SMTP client time limit for completing a TCP connection, or
6161       zero (use the operating system built-in time limit).
6162
6163       When no connection can be made within the deadline,  the  Postfix  SMTP
6164       client  tries the next address on the mail exchanger list. Specify 0 to
6165       disable the time limit (i.e. use whatever timeout is implemented by the
6166       operating system).
6167
6168       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6169       The default time unit is s (seconds).
6170

smtp_connection_cache_destinations (default: empty)

6172       Permanently enable SMTP connection caching for the  specified  destina‐
6173       tions.   With SMTP connection caching, a connection is not closed imme‐
6174       diately after completion of a mail transaction.  Instead,  the  connec‐
6175       tion  is kept open for up to $smtp_connection_cache_time_limit seconds.
6176       This allows connections to be reused  for  other  deliveries,  and  can
6177       improve mail delivery performance.
6178
6179       Specify  a  comma  or  white  space  separated  list of destinations or
6180       pseudo-destinations:
6181
6182       ·      if mail is sent  without  a  relay  host:  a  domain  name  (the
6183              right-hand  side  of  an  email address, without the [] around a
6184              numeric IP address),
6185
6186       ·      if mail is sent via a relay host: a relay host name (without  []
6187              or  non-default  TCP  port),  as  specified in main.cf or in the
6188              transport map,
6189
6190       ·      if mail is sent via a UNIX-domain socket:  a  pathname  (without
6191              the unix: prefix),
6192
6193       ·      a  /file/name  with  domain  names  and/or  relay  host names as
6194              defined above,
6195
6196       ·      a "type:table" with domain names and/or relay host names on  the
6197              left-hand  side.   The  right-hand side result from "type:table"
6198              lookups is ignored.
6199
6200       This feature is available in Postfix 2.2 and later.
6201

smtp_connection_cache_on_demand (default: yes)

6203       Temporarily enable SMTP connection caching while a  destination  has  a
6204       high volume of mail in the active queue.  With SMTP connection caching,
6205       a connection is not closed  immediately  after  completion  of  a  mail
6206       transaction.  Instead, the connection is kept open for up to $smtp_con‐
6207       nection_cache_time_limit seconds.  This allows connections to be reused
6208       for other deliveries, and can improve mail delivery performance.
6209
6210       This feature is available in Postfix 2.2 and later.
6211

smtp_connection_cache_time_limit (default: 2s)

6213       When  SMTP  connection  caching  is enabled, the amount of time that an
6214       unused SMTP client socket is kept open before it  is  closed.   Do  not
6215       specify larger values without permission from the remote sites.
6216
6217       This feature is available in Postfix 2.2 and later.
6218

smtp_connection_reuse_count_limit (default: 0)

6220       When  SMTP  connection  caching is enabled, the number of times that an
6221       SMTP session may be reused before it is closed,  or  zero  (no  limit).
6222       With a reuse count limit of N, a connection is used up to N+1 times.
6223
6224       NOTE: This feature is unsafe. When a high-volume destination has multi‐
6225       ple inbound MTAs, then the slowest inbound MTA will  attract  the  most
6226       connections  to  that destination.  This limitation does not exist with
6227       the smtp_connection_reuse_time_limit feature.
6228
6229       This feature is available in Postfix 2.11.
6230

smtp_connection_reuse_time_limit (default: 300s)

6232       The amount of time during which Postfix will  use  an  SMTP  connection
6233       repeatedly.  The timer starts when the connection is initiated (i.e. it
6234       includes the connect, greeting and helo latency,  in  addition  to  the
6235       latencies of subsequent mail delivery transactions).
6236
6237       This feature addresses a performance stability problem with remote SMTP
6238       servers. This problem is not specific to Postfix: it  can  happen  when
6239       any  MTA  sends large amounts of SMTP email to a site that has multiple
6240       MX hosts.
6241
6242       The problem starts when one of a set of MX hosts  becomes  slower  than
6243       the  rest.   Even though SMTP clients connect to fast and slow MX hosts
6244       with equal probability, the slow MX host ends up with more simultaneous
6245       inbound  connections than the faster MX hosts, because the slow MX host
6246       needs more time to serve each client request.
6247
6248       The slow MX host becomes  a  connection  attractor.   If  one  MX  host
6249       becomes  N  times  slower  than  the  rest,  it dominates mail delivery
6250       latency unless there are more than N  fast  MX  hosts  to  counter  the
6251       effect.  And  if  the  number  of  MX hosts is smaller than N, the mail
6252       delivery latency becomes  effectively  that  of  the  slowest  MX  host
6253       divided by the total number of MX hosts.
6254
6255       The solution uses connection caching in a way that differs from Postfix
6256       version 2.2.  By limiting the amount of time during which a  connection
6257       can  be  used  repeatedly (instead of limiting the number of deliveries
6258       over that connection), Postfix not only restores fairness in  the  dis‐
6259       tribution of simultaneous connections across a set of MX hosts, it also
6260       favors deliveries over connections that perform well, which is  exactly
6261       what we want.
6262
6263       The  default  reuse time limit, 300s, is comparable to the various smtp
6264       transaction timeouts which are fair estimates of maximum excess latency
6265       for  a slow delivery.  Note that hosts may accept thousands of messages
6266       over a single connection  within  the  default  connection  reuse  time
6267       limit.  This number is much larger than the default Postfix version 2.2
6268       limit of 10 messages per cached connection. It may prove  necessary  to
6269       lower the limit to avoid interoperability issues with MTAs that exhibit
6270       bugs when many messages are delivered via a single connection.  A lower
6271       reuse  time limit risks losing the benefit of connection reuse when the
6272       average connection and mail delivery latency  exceeds  the  reuse  time
6273       limit.
6274
6275       This feature is available in Postfix 2.3 and later.
6276

smtp_data_done_timeout (default: 600s)

6278       The  Postfix  SMTP  client time limit for sending the SMTP ".", and for
6279       receiving the remote SMTP server response.
6280
6281       When no response is received within the deadline, a warning  is  logged
6282       that the mail may be delivered multiple times.
6283
6284       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6285       The default time unit is s (seconds).
6286

smtp_data_init_timeout (default: 120s)

6288       The Postfix SMTP client time limit for sending the SMTP  DATA  command,
6289       and for receiving the remote SMTP server response.
6290
6291       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6292       The default time unit is s (seconds).
6293

smtp_data_xfer_timeout (default: 180s)

6295       The Postfix SMTP client time limit for sending the  SMTP  message  con‐
6296       tent.    When   the   connection   makes  no  progress  for  more  than
6297       $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates  the
6298       transfer.
6299
6300       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6301       The default time unit is s (seconds).
6302

smtp_defer_if_no_mx_address_found (default: no)

6304       Defer mail delivery when no MX record resolves to an IP address.
6305
6306       The default (no) is to return the mail  as  undeliverable.  With  older
6307       Postfix  versions  the  default  was to keep trying to deliver the mail
6308       until someone fixed the MX record or until the mail was too old.
6309
6310       Note: the Postfix SMTP client always ignores MX records with  equal  or
6311       worse preference than the local MTA itself.
6312
6313       This feature is available in Postfix 2.1 and later.
6314

smtp_delivery_status_filter (default: $default_delivery_status_filter)

6316       Optional  filter  for the smtp(8) delivery agent to change the delivery
6317       status code or explanatory text of successful or unsuccessful  deliver‐
6318       ies.  See default_delivery_status_filter for details.
6319
6320       NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6321       sages that may or may not be derived from remote SMTP server responses.
6322       In  contrast, the smtp_reply_filter feature modifies remote SMTP server
6323       responses only.
6324

smtp_destination_concurrency_limit (default: $default_destination_concur‐

6326       rency_limit)
6327       The  maximal  number of parallel deliveries to the same destination via
6328       the smtp message delivery transport. This  limit  is  enforced  by  the
6329       queue  manager.  The message delivery transport name is the first field
6330       in the entry in the master.cf file.
6331

smtp_destination_recipient_limit (default: $default_destination_recipi‐

6333       ent_limit)
6334       The  maximal  number  of  recipients  per  message for the smtp message
6335       delivery transport. This limit is enforced by the  queue  manager.  The
6336       message  delivery transport name is the first field in the entry in the
6337       master.cf file.
6338
6339       Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6340       tination_concurrency_limit from concurrency per domain into concurrency
6341       per recipient.
6342

smtp_discard_ehlo_keyword_address_maps (default: empty)

6344       Lookup tables, indexed by the remote SMTP  server  address,  with  case
6345       insensitive  lists  of EHLO keywords (pipelining, starttls, auth, etc.)
6346       that the Postfix SMTP client will ignore in the EHLO  response  from  a
6347       remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6348       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
6349       card_ehlo_keyword_address_maps.
6350
6351       Specify zero or more "type:name" lookup tables, separated by whitespace
6352       or comma. Tables will be searched in the specified order until a  match
6353       is found.
6354
6355       This feature is available in Postfix 2.2 and later.
6356

smtp_discard_ehlo_keywords (default: empty)

6358       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
6359       etc.) that the Postfix SMTP client will ignore  in  the  EHLO  response
6360       from a remote SMTP server.
6361
6362       This feature is available in Postfix 2.2 and later.
6363
6364       Notes:
6365
6366       ·      Specify the silent-discard pseudo keyword to prevent this action
6367              from being logged.
6368
6369       ·      Use the smtp_discard_ehlo_keyword_address_maps feature  to  dis‐
6370              card EHLO keywords selectively.
6371

smtp_dns_reply_filter (default: empty)

6373       Optional  filter  for  Postfix SMTP client DNS lookup results.  Specify
6374       zero or more lookup tables.  The lookup  tables  are  searched  in  the
6375       given  order  for  a match with the DNS lookup result, converted to the
6376       following form:
6377
6378           name ttl class type preference value
6379
6380       The class field is always "IN", the preference field exists only for MX
6381       records, the names of hosts, domains, etc.  end in ".", and those names
6382       are in ASCII form (xn--mumble form in the case of UTF8 names).
6383
6384       When a match is found, the table lookup result specifies an action.  By
6385       default,  the  table  query  and  the action name are case-insensitive.
6386       Currently, only the IGNORE action is implemented.
6387
6388       Notes:
6389
6390       ·      Postfix DNS reply filters have no effect on implicit DNS lookups
6391              through nsswitch.conf or equivalent mechanisms.
6392
6393       ·      The  Postfix  SMTP/LMTP  client  uses  smtp_dns_reply_filter and
6394              lmtp_dns_reply_filter only to discover a  remote  SMTP  or  LMTP
6395              service  (record  types  MX, A, AAAAA, and TLSA).  These lookups
6396              are also made to implement the features reject_unverified_sender
6397              and reject_unverified_recipient.
6398
6399       ·      The  Postfix SMTP/LMTP client defers mail delivery when a filter
6400              removes all lookup results from a successful query.
6401
6402       ·      Postfix SMTP server uses smtpd_dns_reply_filter only to look  up
6403              MX,  A,  AAAAA,  and  TXT  records  to  implement  the  features
6404              reject_unknown_helo_hostname,      reject_unknown_sender_domain,
6405              reject_unknown_recipient_domain,        reject_rbl_*,        and
6406              reject_rhsbl_*.
6407
6408       ·      The Postfix SMTP server logs a warning or defers  mail  delivery
6409              when  a  filter  removes  all  lookup  results from a successful
6410              query.
6411
6412       Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6413       because Google sometimes hard-rejects mail from IPv6 clients with valid
6414       PTR etc. records.
6415
6416       /etc/postfix/main.cf:
6417           smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6418
6419       /etc/postfix/smtp_dns_reply_filter:
6420           # /domain ttl IN AAAA address/ action, all case-insensitive.
6421           # Note: the domain name ends in ".".
6422           /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6423
6424       This feature is available in Postfix 3.0 and later.
6425

smtp_dns_resolver_options (default: empty)

6427       DNS Resolver options for the Postfix SMTP client.  Specify zero or more
6428       of  the  following  options,  separated by comma or whitespace.  Option
6429       names are case-sensitive. Some options refer to domain names  that  are
6430       specified in the file /etc/resolv.conf or equivalent.
6431
6432       res_defnames
6433              Append  the current domain name to single-component names (those
6434              that do not contain a "." character). This can produce incorrect
6435              results, and is the hard-coded behavior prior to Postfix 2.8.
6436
6437       res_dnsrch
6438              Search  for  host  names  in  the  current  domain and in parent
6439              domains. This can produce incorrect results and is therefore not
6440              recommended.
6441
6442       This feature is available in Postfix 2.8 and later.
6443

smtp_dns_support_level (default: empty)

6445       Level  of  DNS support in the Postfix SMTP client.  With "smtp_dns_sup‐
6446       port_level"  left  at  its  empty  default  value,  the  legacy   "dis‐
6447       able_dns_lookups"  parameter  controls  whether  DNS  is enabled in the
6448       Postfix SMTP client, otherwise the legacy parameter is ignored.
6449
6450       Specify one of the following:
6451
6452       disabled
6453              Disable DNS lookups.  No MX lookups are performed  and  hostname
6454              to  address  lookups are unconditionally "native".  This setting
6455              is not appropriate for hosts that deliver  mail  to  the  public
6456              Internet.   Some  obsolete  how-to documents recommend disabling
6457              DNS lookups in some configurations with  content_filters.   This
6458              is no longer required and strongly discouraged.
6459
6460       enabled
6461              Enable DNS lookups.  Nexthop destination domains not enclosed in
6462              "[]" will be subject to MX lookups.  If "dns" and  "native"  are
6463              included  in the "smtp_host_lookup" parameter value, DNS will be
6464              queried first to resolve MX-host A records, followed by "native"
6465              lookups if no answer is found in DNS.
6466
6467       dnssec Enable  DNSSEC  lookups.   The "dnssec" setting differs from the
6468              "enabled" setting above in the following ways:
6469
6470       ·      Any MX lookups will  set  RES_USE_DNSSEC  and  RES_USE_EDNS0  to
6471              request  DNSSEC-validated  responses.  If  the  MX  response  is
6472              DNSSEC-validated the corresponding hostnames are considered val‐
6473              idated.
6474
6475       ·      The  address  lookups of validated hostnames are also validated,
6476              (provided  of  course  "smtp_host_lookup"  includes  "dns",  see
6477              below).
6478
6479       ·      Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6480              tion block any "native" lookups.   Additional  "native"  lookups
6481              only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6482
6483       The  Postfix  SMTP  client  considers  non-MX  "[nexthop]"  and  "[nex‐
6484       thop]:port" destinations equivalent to statically-validated MX  records
6485       of the form "nexthop.  IN MX 0 nexthop."  Therefore, with "dnssec" sup‐
6486       port turned on, validated hostname-to-address lookups apply to the nex‐
6487       thop  domain  of any "[nexthop]" or "[nexthop]:port" destination.  This
6488       is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6489       LMTP hostnames are never subject to MX lookups.
6490
6491       The "dnssec" setting is recommended only if you plan to use the dane or
6492       dane-only TLS security level,  otherwise  enabling  DNSSEC  support  in
6493       Postfix  offers  no additional security.  Postfix DNSSEC support relies
6494       on an upstream recursive nameserver that validates  DNSSEC  signatures.
6495       Such  a  DNS  server  will always filter out forged DNS responses, even
6496       when Postfix itself is not configured to use DNSSEC.
6497
6498       When using Postfix DANE support the "smtp_host_lookup" parameter should
6499       include "dns", as DANE is not applicable to hosts resolved via "native"
6500       lookups.
6501
6502       As mentioned above, Postfix is  not  a  validating  stub  resolver;  it
6503       relies  on  the  system's  configured DNSSEC-validating recursive name‐
6504       server to perform  all  DNSSEC  validation.   Since  this  nameserver's
6505       DNSSEC-validated responses will be fully trusted, it is strongly recom‐
6506       mended that the MTA  host  have  a  local  DNSSEC-validating  recursive
6507       caching  nameserver  listening on a loopback address, and be configured
6508       to use only this nameserver for all lookups.   Otherwise,  Postfix  may
6509       remain  subject  to man-in-the-middle attacks that forge responses from
6510       the recursive nameserver
6511
6512       DNSSEC support requires a version of Postfix compiled against a reason‐
6513       ably-modern  DNS resolver(3) library that implements the RES_USE_DNSSEC
6514       and RES_USE_EDNS0 resolver options.
6515
6516       This feature is available in Postfix 2.11 and later.
6517

smtp_enforce_tls (default: no)

6519       Enforcement mode: require that remote SMTP servers use TLS  encryption,
6520       and  never  send mail in the clear.  This also requires that the remote
6521       SMTP server hostname matches the information in the remote server  cer‐
6522       tificate,  and  that the remote SMTP server certificate was issued by a
6523       CA that is trusted by the  Postfix  SMTP  client.  If  the  certificate
6524       doesn't  verify or the hostname doesn't match, delivery is deferred and
6525       mail stays in the queue.
6526
6527       The server hostname is matched against all names provided  as  dNSNames
6528       in  the SubjectAlternativeName.  If no dNSNames are specified, the Com‐
6529       monName  is  checked.   The  behavior   may   be   changed   with   the
6530       smtp_tls_enforce_peername option.
6531
6532       This  option  is  useful  only if you are definitely sure that you will
6533       only connect to servers that support RFC 2487 _and_ that provide  valid
6534       server  certificates.   Typical  use is for clients that send all their
6535       email to a dedicated mailhub.
6536
6537       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
6538       and later use smtp_tls_security_level instead.
6539

smtp_fallback_relay (default: $fallback_relay)

6541       Optional  list of relay hosts for SMTP destinations that can't be found
6542       or that are unreachable. With Postfix 2.2 and earlier this parameter is
6543       called fallback_relay.
6544
6545       By  default,  mail  is returned to the sender when a destination is not
6546       found, and delivery is deferred when a destination is unreachable.
6547
6548       With bulk email deliveries, it can be beneficial to  run  the  fallback
6549       relay MTA on the same host, so that it can reuse the sender IP address.
6550       This speeds up deliveries that are delayed by IP-based reputation  sys‐
6551       tems (greylist, etc.).
6552
6553       The  fallback relays must be SMTP destinations. Specify a domain, host,
6554       host:port, [host]:port, [address] or [address]:port;  the  form  [host]
6555       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
6556       fix will try them in the specified order.
6557
6558       To prevent mailer loops between MX hosts and fall-back  hosts,  Postfix
6559       version 2.2 and later will not use the fallback relays for destinations
6560       that it is MX host for (assuming DNS lookup is turned on).
6561

smtp_generic_maps (default: empty)

6563       Optional lookup tables that perform address rewriting  in  the  Postfix
6564       SMTP  client,  typically  to  transform  a locally valid address into a
6565       globally valid address when sending mail across the Internet.  This  is
6566       needed  when  the  local  machine does not have its own Internet domain
6567       name, but uses something like localdomain.local instead.
6568
6569       Specify zero or more "type:name" lookup tables, separated by whitespace
6570       or  comma. Tables will be searched in the specified order until a match
6571       is found.
6572
6573       The table format and lookups are documented in generic(5); examples are
6574       shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
6575       documents.
6576
6577       This feature is available in Postfix 2.2 and later.
6578

smtp_header_checks (default: empty)

6580       Restricted header_checks(5) tables for the Postfix SMTP client.   These
6581       tables are searched while mail is being delivered.  Actions that change
6582       the delivery time or destination are not available.
6583
6584       This feature is available in Postfix 2.5 and later.
6585

smtp_helo_name (default: $myhostname)

6587       The hostname to send in the SMTP HELO or EHLO command.
6588
6589       The default value is the  machine  hostname.   Specify  a  hostname  or
6590       [ip.add.re.ss].
6591
6592       This  information  can  be  specified  in the main.cf file for all SMTP
6593       clients, or it can be specified in the master.cf file  for  a  specific
6594       client, for example:
6595
6596           /etc/postfix/master.cf:
6597               mysmtp ... smtp -o smtp_helo_name=foo.bar.com
6598
6599       This feature is available in Postfix 2.0 and later.
6600

smtp_helo_timeout (default: 300s)

6602       The  Postfix  SMTP  client time limit for sending the HELO or EHLO com‐
6603       mand, and for receiving the initial remote SMTP server response.
6604
6605       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
6606       The default time unit is s (seconds).
6607

smtp_host_lookup (default: dns)

6609       What  mechanisms  the  Postfix  SMTP client uses to look up a host's IP
6610       address.  This parameter is ignored when DNS lookups are disabled (see:
6611       disable_dns_lookups  and  smtp_dns_support_level).  The "dns" mechanism
6612       is always tried before "native" if both are listed.
6613
6614       Specify one of the following:
6615
6616       dns    Hosts can be found in the DNS (preferred).
6617
6618       native Use the native naming service only (nsswitch.conf, or equivalent
6619              mechanism).
6620
6621       dns, native
6622              Use the native service for hosts not found in the DNS.
6623
6624       This feature is available in Postfix 2.1 and later.
6625

smtp_line_length_limit (default: 998)

6627       The  maximal  length of message header and body lines that Postfix will
6628       send via SMTP. This limit does not include the <CR><LF> at the  end  of
6629       each  line.  Longer lines are broken by inserting "<CR><LF><SPACE>", to
6630       minimize the damage to MIME formatted mail.
6631
6632       The Postfix limit of 998 characters not including <CR><LF>  is  consis‐
6633       tent  with  the  SMTP limit of 1000 characters including <CR><LF>.  The
6634       Postfix limit was 990 with Postfix 2.8 and earlier.
6635

smtp_mail_timeout (default: 300s)

6637       The Postfix SMTP client time limit for sending the MAIL  FROM  command,
6638       and for receiving the remote SMTP server response.
6639
6640       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6641       The default time unit is s (seconds).
6642

smtp_mime_header_checks (default: empty)

6644       Restricted mime_header_checks(5) tables for the  Postfix  SMTP  client.
6645       These  tables are searched while mail is being delivered.  Actions that
6646       change the delivery time or destination are not available.
6647
6648       This feature is available in Postfix 2.5 and later.
6649

smtp_mx_address_limit (default: 5)

6651       The maximal number of MX (mail exchanger) IP addresses that can  result
6652       from  Postfix  SMTP  client mail exchanger lookups, or zero (no limit).
6653       Prior to Postfix version 2.3, this limit was disabled by default.
6654
6655       This feature is available in Postfix 2.1 and later.
6656

smtp_mx_session_limit (default: 2)

6658       The maximal number of SMTP sessions per  delivery  request  before  the
6659       Postfix  SMTP client gives up or delivers to a fall-back relay host, or
6660       zero (no limit). This restriction ignores sessions that  fail  to  com‐
6661       plete  the  SMTP initial handshake (Postfix version 2.2 and earlier) or
6662       that fail to complete the EHLO and TLS handshake (Postfix  version  2.3
6663       and later).
6664
6665       This feature is available in Postfix 2.1 and later.
6666

smtp_nested_header_checks (default: empty)

6668       Restricted  nested_header_checks(5) tables for the Postfix SMTP client.
6669       These tables are searched while mail is being delivered.  Actions  that
6670       change the delivery time or destination are not available.
6671
6672       This feature is available in Postfix 2.5 and later.
6673

smtp_never_send_ehlo (default: no)

6675       Never  send  EHLO  at  the  start  of  an  SMTP  session.  See also the
6676       smtp_always_send_ehlo parameter.
6677

smtp_per_record_deadline (default: no)

6679       Change the behavior of the smtp_*_timeout  time  limits,  from  a  time
6680       limit per read or write system call, to a time limit to send or receive
6681       a complete record (an SMTP command line, SMTP response line, SMTP  mes‐
6682       sage  content  line,  or TLS protocol message).  This limits the impact
6683       from hostile peers that trickle data one byte at a time.
6684
6685       Note: when per-record deadlines are enabled, a short timeout may  cause
6686       problems  with TLS over very slow network connections.  The reasons are
6687       that a TLS protocol message can be up to 16 kbytes long  (with  TLSv1),
6688       and that an entire TLS protocol message must be sent or received within
6689       the per-record deadline.
6690
6691       This feature is available in Postfix 2.9 and later. With older  Postfix
6692       releases, the behavior is as if this parameter is set to "no".
6693

smtp_pix_workaround_delay_time (default: 10s)

6695       How  long  the Postfix SMTP client pauses before sending ".<CR><LF>" in
6696       order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
6697
6698       Choosing a too short time makes this workaround ineffective when  send‐
6699       ing large messages over slow network connections.
6700

smtp_pix_workaround_maps (default: empty)

6702       Lookup tables, indexed by the remote SMTP server address, with per-des‐
6703       tination workarounds for CISCO PIX firewall bugs.   The  table  is  not
6704       indexed   by   hostname  for  consistency  with  smtp_discard_ehlo_key‐
6705       word_address_maps.
6706
6707       Specify zero or more "type:name" lookup tables, separated by whitespace
6708       or  comma. Tables will be searched in the specified order until a match
6709       is found.
6710
6711       This feature is available in Postfix 2.4 and later.
6712

smtp_pix_workaround_threshold_time (default: 500s)

6714       How long a message must be queued before the Postfix SMTP client  turns
6715       on  the  PIX  firewall  "<CR><LF>.<CR><LF>" bug workaround for delivery
6716       through firewalls with "smtp fixup" mode turned on.
6717
6718       By default, the workaround is turned off for mail that  is  queued  for
6719       less  than  500  seconds.  In  other  words, the workaround is normally
6720       turned off for the first delivery attempt.
6721
6722       Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
6723       upon the first delivery attempt.
6724

smtp_pix_workarounds (default: disable_esmtp, delay_dotcrlf)

6726       A  list  that specifies zero or more workarounds for CISCO PIX firewall
6727       bugs. These workarounds are implemented by  the  Postfix  SMTP  client.
6728       Workaround names are separated by comma or space, and are case insensi‐
6729       tive.  This parameter setting can  be  overruled  with  per-destination
6730       smtp_pix_workaround_maps settings.
6731
6732       delay_dotcrlf
6733              Insert  a  delay before sending ".<CR><LF>" after the end of the
6734              message content.  The delay is  subject  to  the  smtp_pix_work‐
6735              around_delay_time and smtp_pix_workaround_threshold_time parame‐
6736              ter settings.
6737
6738       disable_esmtp
6739              Disable all extended SMTP commands: send HELO instead of EHLO.
6740
6741       This feature is available in Postfix 2.4 and later.  The  default  set‐
6742       tings are backwards compatible with earlier Postfix versions.
6743

smtp_quit_timeout (default: 300s)

6745       The  Postfix  SMTP  client time limit for sending the QUIT command, and
6746       for receiving the remote SMTP server response.
6747
6748       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
6749       The default time unit is s (seconds).
6750

smtp_quote_rfc821_envelope (default: yes)

6752       Quote  addresses  in Postfix SMTP client MAIL FROM and RCPT TO commands
6753       as required by RFC 5321. This includes putting quotes around an address
6754       localpart that ends in ".".
6755
6756       The  default  is to comply with RFC 5321. If you have to send mail to a
6757       broken SMTP server, configure a special SMTP client in master.cf:
6758
6759           /etc/postfix/master.cf:
6760               broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
6761
6762       and route mail for the destination in  question  to  the  "broken-smtp"
6763       message delivery with a transport(5) table.
6764
6765       This feature is available in Postfix 2.1 and later.
6766

smtp_randomize_addresses (default: yes)

6768       Randomize  the  order of equal-preference MX host addresses.  This is a
6769       performance feature of the Postfix SMTP client.
6770

smtp_rcpt_timeout (default: 300s)

6772       The Postfix SMTP client time limit for sending the SMTP  RCPT  TO  com‐
6773       mand, and for receiving the remote SMTP server response.
6774
6775       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6776       The default time unit is s (seconds).
6777

smtp_reply_filter (default: empty)

6779       A mechanism to transform replies from remote SMTP servers one line at a
6780       time.   This  is  a last-resort tool to work around server replies that
6781       break interoperability  with  the  Postfix  SMTP  client.   Other  uses
6782       involve   fault   injection  to  test  Postfix's  handling  of  invalid
6783       responses.
6784
6785       Notes:
6786
6787       ·      In the case of a multi-line reply, the Postfix SMTP client  uses
6788              the  final  reply  line's numerical SMTP reply code and enhanced
6789              status code.
6790
6791       ·      The numerical SMTP reply code (XYZ) takes  precedence  over  the
6792              enhanced  status  code  (X.Y.Z).   When the enhanced status code
6793              initial digit differs from the SMTP reply code initial digit, or
6794              when no enhanced status code is present, the Postfix SMTP client
6795              uses a generic enhanced status code (X.0.0) instead.
6796
6797       Specify the name of a "type:table" lookup table. The search string is a
6798       single  SMTP reply line as received from the remote SMTP server, except
6799       that the trailing <CR><LF> are removed.  When the lookup succeeds,  the
6800       result replaces the single SMTP reply line.
6801
6802       Examples:
6803
6804       /etc/postfix/main.cf:
6805           smtp_reply_filter = pcre:/etc/postfix/reply_filter
6806
6807       /etc/postfix/reply_filter:
6808           # Transform garbage into "250-filler..." so that it looks like
6809           # one line from a multi-line reply. It does not matter what we
6810           # substitute here as long it has the right syntax.  The Postfix
6811           # SMTP client will use the final line's numerical SMTP reply
6812           # code and enhanced status code.
6813           !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
6814
6815       This feature is available in Postfix 2.7.
6816

smtp_rset_timeout (default: 20s)

6818       The  Postfix  SMTP  client time limit for sending the RSET command, and
6819       for receiving the remote SMTP server response. The  SMTP  client  sends
6820       RSET  in order to finish a recipient address probe, or to verify that a
6821       cached session is still usable.
6822
6823       This feature is available in Postfix 2.1 and later.
6824

smtp_sasl_auth_cache_name (default: empty)

6826       An optional table to prevent repeated SASL authentication failures with
6827       the same remote SMTP server hostname, username and password. Each table
6828       (key, value) pair contains a server name, a username and password,  and
6829       the full server response. This information is stored when a remote SMTP
6830       server rejects an authentication attempt with a  535  reply  code.   As
6831       long  as the smtp_sasl_password_maps information does no change, and as
6832       long as the smtp_sasl_auth_cache_name information does not expire  (see
6833       smtp_sasl_auth_cache_time)  the Postfix SMTP client avoids SASL authen‐
6834       tication attempts with the same  server,  username  and  password,  and
6835       instead    bounces    or   defers   mail   as   controlled   with   the
6836       smtp_sasl_auth_soft_bounce configuration parameter.
6837
6838       Use  a  per-destination  delivery  concurrency  of  1   (for   example,
6839       "smtp_destination_concurrency_limit  =  1",  "relay_destination_concur‐
6840       rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
6841       ence a login failure at the same time.
6842
6843       The  table  must  be  accessed via the proxywrite service, i.e. the map
6844       name must start with "proxy:". The table should  be  stored  under  the
6845       directory specified with the data_directory parameter.
6846
6847       This  feature  uses  cryptographic  hashing to protect plain-text pass‐
6848       words, and requires that Postfix is compiled with TLS support.
6849
6850       Example:
6851
6852       smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
6853
6854       This feature is available in Postfix 2.5 and later.
6855

smtp_sasl_auth_cache_time (default: 90d)

6857       The maximal age of an  smtp_sasl_auth_cache_name  entry  before  it  is
6858       removed.
6859
6860       This feature is available in Postfix 2.5 and later.
6861

smtp_sasl_auth_enable (default: no)

6863       Enable SASL authentication in the Postfix SMTP client.  By default, the
6864       Postfix SMTP client uses no authentication.
6865
6866       Example:
6867
6868       smtp_sasl_auth_enable = yes
6869

smtp_sasl_auth_soft_bounce (default: yes)

6871       When a remote SMTP server rejects a SASL authentication request with  a
6872       535  reply code, defer mail delivery instead of returning mail as unde‐
6873       liverable. The latter behavior was hard-coded prior to Postfix  version
6874       2.5.
6875
6876       Note: the setting "yes" overrides the global soft_bounce parameter, but
6877       the setting "no" does not.
6878
6879       Example:
6880
6881       # Default as of Postfix 2.5
6882       smtp_sasl_auth_soft_bounce = yes
6883       # The old hard-coded default
6884       smtp_sasl_auth_soft_bounce = no
6885
6886       This feature is available in Postfix 2.5 and later.
6887

smtp_sasl_mechanism_filter (default: empty)

6889       If non-empty, a Postfix SMTP client filter for the remote SMTP server's
6890       list of offered SASL mechanisms.  Different client and server implemen‐
6891       tations may support different mechanism lists; by default, the  Postfix
6892       SMTP  client  will  use  the  intersection of the two. smtp_sasl_mecha‐
6893       nism_filter specifies an optional third  mechanism  list  to  intersect
6894       with.
6895
6896       Specify  mechanism  names, "/file/name" patterns or "type:table" lookup
6897       tables.  The  right-hand  side  result  from  "type:table"  lookups  is
6898       ignored.  Specify "!pattern" to exclude a mechanism name from the list.
6899       The form "!/file/name" is supported only in  Postfix  version  2.4  and
6900       later.
6901
6902       This feature is available in Postfix 2.2 and later.
6903
6904       Examples:
6905
6906       smtp_sasl_mechanism_filter = plain, login
6907       smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
6908       smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
6909

smtp_sasl_password_maps (default: empty)

6911       Optional  Postfix  SMTP client lookup tables with one username:password
6912       entry per sender, remote hostname or next-hop domain. Per-sender lookup
6913       is  done  only  when sender-dependent authentication is enabled.  If no
6914       username:password entry is found, then the Postfix SMTP client will not
6915       attempt to authenticate to the remote host.
6916
6917       The  Postfix  SMTP client opens the lookup table before going to chroot
6918       jail, so you can leave the password file in /etc/postfix.
6919
6920       Specify zero or more "type:name" lookup tables, separated by whitespace
6921       or  comma. Tables will be searched in the specified order until a match
6922       is found.
6923

smtp_sasl_path (default: empty)

6925       Implementation-specific information that the Postfix SMTP client passes
6926       through  to  the  SASL  plug-in  implementation  that  is selected with
6927       smtp_sasl_type.  Typically this specifies the name of  a  configuration
6928       file or rendezvous point.
6929
6930       This feature is available in Postfix 2.3 and later.
6931

smtp_sasl_security_options (default: noplaintext, noanonymous)

6933       Postfix  SMTP  client SASL security options; as of Postfix 2.3 the list
6934       of available features depends on the SASL client implementation that is
6935       selected with smtp_sasl_type.
6936
6937       The  following  security features are defined for the cyrus client SASL
6938       implementation:
6939
6940       Specify zero or more of the following:
6941
6942       noplaintext
6943              Disallow methods that use plaintext passwords.
6944
6945       noactive
6946              Disallow methods subject to active (non-dictionary) attack.
6947
6948       nodictionary
6949              Disallow methods subject to passive (dictionary) attack.
6950
6951       noanonymous
6952              Disallow methods that allow anonymous authentication.
6953
6954       mutual_auth
6955              Only allow  methods  that  provide  mutual  authentication  (not
6956              available with SASL version 1).
6957
6958       Example:
6959
6960       smtp_sasl_security_options = noplaintext
6961

smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)

6963       The  SASL  authentication security options that the Postfix SMTP client
6964       uses for TLS encrypted SMTP sessions.
6965
6966       This feature is available in Postfix 2.2 and later.
6967

smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_secu‐

6969       rity_options)
6970       The  SASL  authentication security options that the Postfix SMTP client
6971       uses for TLS encrypted SMTP sessions with a  verified  server  certifi‐
6972       cate.
6973
6974       When  mail  is  sent  to the public MX host for the recipient's domain,
6975       server certificates are by default optional, and delivery proceeds even
6976       if  certificate  verification fails. For delivery via a submission ser‐
6977       vice that requires SASL authentication, it may be appropriate  to  send
6978       plaintext  passwords only when the connection to the server is strongly
6979       encrypted and the server identity is verified.
6980
6981       The smtp_sasl_tls_verified_security_options parameter makes it possible
6982       to  only  enable  plaintext  mechanisms when a secure connection to the
6983       server is available. Submission servers subject  to  this  policy  must
6984       either  have  verifiable  certificates  or offer suitable non-plaintext
6985       SASL mechanisms.
6986
6987       This feature is available in Postfix 2.6 and later.
6988

smtp_sasl_type (default: cyrus)

6990       The SASL plug-in type that the  Postfix  SMTP  client  should  use  for
6991       authentication.   The available types are listed with the "postconf -A"
6992       command.
6993
6994       This feature is available in Postfix 2.3 and later.
6995

smtp_send_dummy_mail_auth (default: no)

6997       Whether or not to append the "AUTH=<>" option to the MAIL FROM  command
6998       in  SASL-authenticated  SMTP sessions. The default is not to send this,
6999       to avoid problems with broken remote SMTP servers.  Before Postfix  2.9
7000       the behavior is as if "smtp_send_dummy_mail_auth = yes".
7001
7002       This feature is available in Postfix 2.9 and later.
7003

smtp_send_xforward_command (default: no)

7005       Send  the  non-standard  XFORWARD  command when the Postfix SMTP server
7006       EHLO response announces XFORWARD support.
7007
7008       This allows a Postfix SMTP delivery agent, used for injecting mail into
7009       a  content filter, to forward the name, address, protocol and HELO name
7010       of the original client to the content  filter  and  downstream  queuing
7011       SMTP   server.  This  can  produce  more  useful  logging  than  local‐
7012       host[127.0.0.1] etc.
7013
7014       This feature is available in Postfix 2.1 and later.
7015

smtp_sender_dependent_authentication (default: no)

7017       Enable sender-dependent authentication in the Postfix SMTP client; this
7018       is  available  only with SASL authentication, and disables SMTP connec‐
7019       tion caching to ensure that mail from different senders  will  use  the
7020       appropriate credentials.
7021
7022       This feature is available in Postfix 2.3 and later.
7023

smtp_skip_4xx_greeting (default: yes)

7025       Skip SMTP servers that greet with a 4XX status code (go away, try again
7026       later).
7027
7028       By default, the Postfix SMTP client moves on the next  mail  exchanger.
7029       Specify  "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
7030       immediately.
7031
7032       This feature is available in Postfix 2.0 and  earlier.   Later  Postfix
7033       versions  always  skip remote SMTP servers that greet with a 4XX status
7034       code.
7035

smtp_skip_5xx_greeting (default: yes)

7037       Skip remote SMTP servers that greet with a 5XX status code.
7038
7039       By default, the Postfix SMTP client moves on the next  mail  exchanger.
7040       Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
7041       immediately. Caution: the latter behavior  appears  to  contradict  RFC
7042       2821.
7043

smtp_skip_quit_response (default: yes)

7045       Do not wait for the response to the SMTP QUIT command.
7046

smtp_starttls_timeout (default: 300s)

7048       Time limit for Postfix SMTP client write and read operations during TLS
7049       startup and shutdown handshake procedures.
7050
7051       This feature is available in Postfix 2.2 and later.
7052

smtp_tcp_port (default: smtp)

7054       The default TCP port that the Postfix SMTP client connects to.  Specify
7055       a symbolic name (see services(5)) or a numeric port.
7056

smtp_tls_CAfile (default: empty)

7058       A  file  containing  CA certificates of root CAs trusted to sign either
7059       remote SMTP server certificates or intermediate CA certificates.  These
7060       are  loaded  into  memory  before  the smtp(8) client enters the chroot
7061       jail.  If  the  number  of  trusted  roots  is  large,  consider  using
7062       smtp_tls_CApath  instead,  but  note  that the latter directory must be
7063       present in the chroot jail if the smtp(8) client is chrooted. This file
7064       may  also be used to augment the client certificate trust chain, but it
7065       is  best  to  include  all  the  required  certificates   directly   in
7066       $smtp_tls_cert_file.
7067
7068       Specify  "smtp_tls_CAfile  =  /path/to/system_CA_file"  to use ONLY the
7069       system-supplied default Certification Authority certificates.
7070
7071       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
7072       the system-supplied default CAs and trusting third-party certificates.
7073
7074       Example:
7075
7076       smtp_tls_CAfile = /etc/postfix/CAcert.pem
7077
7078       This feature is available in Postfix 2.2 and later.
7079

smtp_tls_CApath (default: empty)

7081       Directory with PEM format Certification Authority certificates that the
7082       Postfix SMTP client uses to verify a remote  SMTP  server  certificate.
7083       Don't  forget  to  create the necessary "hash" links with, for example,
7084       "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
7085
7086       To use this option in chroot mode, this directory (or a copy)  must  be
7087       inside the chroot jail.
7088
7089       Specify  "smtp_tls_CApath  =  /path/to/system_CA_directory" to use ONLY
7090       the system-supplied default Certification Authority certificates.
7091
7092       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
7093       the system-supplied default CAs and trusting third-party certificates.
7094
7095       Example:
7096
7097       smtp_tls_CApath = /etc/postfix/certs
7098
7099       This feature is available in Postfix 2.2 and later.
7100

smtp_tls_block_early_mail_reply (default: no)

7102       Try  to detect a mail hijacking attack based on a TLS protocol vulnera‐
7103       bility (CVE-2009-3555), where  an  attacker  prepends  malicious  HELO,
7104       MAIL,  RCPT,  DATA  commands to a Postfix SMTP client TLS session.  The
7105       attack would succeed with non-Postfix SMTP servers that  reply  to  the
7106       malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
7107       SMTP client TLS session.
7108
7109       This feature is available in Postfix 2.7.
7110

smtp_tls_cert_file (default: empty)

7112       File with the Postfix SMTP client RSA certificate in PEM format.   This
7113       file  may  also  contain  the  Postfix SMTP client private RSA key, and
7114       these may be the same as the Postfix SMTP server  RSA  certificate  and
7115       key file.
7116
7117       Do not configure client certificates unless you must present client TLS
7118       certificates to one or more servers. Client certificates are  not  usu‐
7119       ally  needed,  and  can cause problems in configurations that work well
7120       without them. The recommended setting is to let the defaults stand:
7121
7122           smtp_tls_cert_file =
7123           smtp_tls_key_file =
7124           smtp_tls_dcert_file =
7125           smtp_tls_dkey_file =
7126           smtp_tls_eccert_file =
7127           smtp_tls_eckey_file =
7128
7129       The best way to use the default settings is to comment  out  the  above
7130       parameters in main.cf if present.
7131
7132       To  enable  remote  SMTP servers to verify the Postfix SMTP client cer‐
7133       tificate, the issuing CA certificates must be  made  available  to  the
7134       server. You should include the required certificates in the client cer‐
7135       tificate file, the client certificate first,  then  the  issuing  CA(s)
7136       (bottom-up order).
7137
7138       Example: the certificate for "client.example.com" was issued by "inter‐
7139       mediate CA" which itself has a certificate issued by "root CA".  Create
7140       the  client.pem  file  with  "cat  client_cert.pem  intermediate_CA.pem
7141       root_CA.pem > client.pem".
7142
7143       If you also want to verify remote SMTP server  certificates  issued  by
7144       these  CAs,  you can add the CA certificates to the smtp_tls_CAfile, in
7145       which case it is not necessary to have them in the  smtp_tls_cert_file,
7146       smtp_tls_dcert_file or smtp_tls_eccert_file.
7147
7148       A certificate supplied here must be usable as an SSL client certificate
7149       and hence pass the "openssl verify -purpose sslclient ..." test.
7150
7151       Example:
7152
7153       smtp_tls_cert_file = /etc/postfix/client.pem
7154
7155       This feature is available in Postfix 2.2 and later.
7156

smtp_tls_cipherlist (default: empty)

7158       Obsolete Postfix < 2.3 control for the Postfix SMTP client  TLS  cipher
7159       list. As this feature applies to all TLS security levels, it is easy to
7160       create interoperability problems by choosing a non-default cipher list.
7161       Do not use a non-default TLS cipher list on hosts that deliver email to
7162       the public Internet: you will be unable to send email to  servers  that
7163       only  support  the  ciphers you exclude. Using a restricted cipher list
7164       may be more appropriate for an internal MTA, where one can  exert  some
7165       control over the TLS software and settings of the peer servers.
7166
7167       Note: do not use "" quotes around the parameter value.
7168
7169       This  feature  is available in Postfix version 2.2. It is not used with
7170       Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
7171

smtp_tls_ciphers (default: medium)

7173       The minimum TLS cipher grade that the Postfix SMTP client will use with
7174       opportunistic     TLS    encryption.    Cipher    types    listed    in
7175       smtp_tls_exclude_ciphers are excluded from the base definition  of  the
7176       selected  cipher  grade.    The  default  value is "medium" for Postfix
7177       releases after the middle of 2015, "export" for older releases.
7178
7179       When  TLS  is  mandatory  the  cipher   grade   is   chosen   via   the
7180       smtp_tls_mandatory_ciphers  configuration parameter, see there for syn‐
7181       tax details. See smtp_tls_policy_maps for information on how to config‐
7182       ure ciphers on a per-destination basis.
7183
7184       This  feature is available in Postfix 2.6 and later. With earlier Post‐
7185       fix releases only the smtp_tls_mandatory_ciphers  parameter  is  imple‐
7186       mented, and opportunistic TLS always uses "export" or better (i.e. all)
7187       ciphers.
7188

smtp_tls_dane_insecure_mx_policy (default: dane)

7190       The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7191       destination  security level is dane, but the MX record was found via an
7192       "insecure" MX lookup.  The choices are:
7193
7194       may    The TLSA records will be ignored and TLS will be  optional.   If
7195              the MX host does not appear to support STARTTLS, or the STARTTLS
7196              handshake fails, mail may be sent in the clear.
7197
7198       encrypt
7199              The TLSA records will signal a requirement to  use  TLS.   While
7200              TLS encryption will be required, authentication will not be per‐
7201              formed.
7202
7203       dane (default)
7204              The TLSA records will be used just as with "secure" MX  records.
7205              TLS  encryption  will  be  required, and, if at least one of the
7206              TLSA records is "usable", authentication will be required.  When
7207              authentication  succeeds,  it  will be logged only as "Trusted",
7208              not "Verified", because the MX host name could have been forged.
7209              Though with "insecure" MX records an active attacker can compro‐
7210              mise  SMTP  transport  security  by returning forged MX records,
7211              such attacks are "tamper-evident" since any forged MX  hostnames
7212              will  be  recorded in the mail logs.  Attackers who place a high
7213              value staying hidden may be deterred from forging MX records.
7214
7215       This feature is available in Postfix 3.1 and later. The may  policy  is
7216       backwards-compatible with earlier Postfix versions.
7217

smtp_tls_dcert_file (default: empty)

7219       File  with the Postfix SMTP client DSA certificate in PEM format.  This
7220       file may also contain the Postfix SMTP client private DSA key.
7221
7222       See the discussion under smtp_tls_cert_file for more details.
7223
7224       Example:
7225
7226       smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7227
7228       This feature is available in Postfix 2.2 and later.
7229

smtp_tls_dkey_file (default: $smtp_tls_dcert_file)

7231       File with the Postfix SMTP client DSA private key in PEM format.   This
7232       file  may be combined with the Postfix SMTP client DSA certificate file
7233       specified with $smtp_tls_dcert_file.
7234
7235       The private key must be accessible without a pass-phrase, i.e. it  must
7236       not be encrypted. File permissions should grant read-only access to the
7237       system superuser account ("root"), and no access to anyone else.
7238
7239       This feature is available in Postfix 2.2 and later.
7240

smtp_tls_eccert_file (default: empty)

7242       File with the Postfix SMTP client  ECDSA  certificate  in  PEM  format.
7243       This file may also contain the Postfix SMTP client ECDSA private key.
7244
7245       See the discussion under smtp_tls_cert_file for more details.
7246
7247       Example:
7248
7249       smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7250
7251       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
7252       compiled and linked with OpenSSL 1.0.0 or later.
7253

smtp_tls_eckey_file (default: $smtp_tls_eccert_file)

7255       File with the Postfix SMTP client ECDSA  private  key  in  PEM  format.
7256       This  file  may be combined with the Postfix SMTP client ECDSA certifi‐
7257       cate file specified with $smtp_tls_eccert_file.
7258
7259       The private key must be accessible without a pass-phrase, i.e. it  must
7260       not be encrypted. File permissions should grant read-only access to the
7261       system superuser account ("root"), and no access to anyone else.
7262
7263       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
7264       compiled and linked with OpenSSL 1.0.0 or later.
7265

smtp_tls_enforce_peername (default: yes)

7267       With  mandatory  TLS  encryption,  require  that the remote SMTP server
7268       hostname matches the information in the remote SMTP server certificate.
7269       As  of  RFC 2487 the requirements for hostname checking for MTA clients
7270       are not specified.
7271
7272       This option can be set to "no" to disable strict  peer  name  checking.
7273       This  setting  has  no  effect  on sessions that are controlled via the
7274       smtp_tls_per_site table.
7275
7276       Disabling the hostname verification can make sense in  closed  environ‐
7277       ment where special CAs are created.  If not used carefully, this option
7278       opens the danger of a "man-in-the-middle"  attack  (the  CommonName  of
7279       this attacker will be logged).
7280
7281       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
7282       and later use smtp_tls_security_level instead.
7283

smtp_tls_exclude_ciphers (default: empty)

7285       List of ciphers or cipher types to exclude from the Postfix SMTP client
7286       cipher  list  at  all  TLS  security  levels.  This  is  not an OpenSSL
7287       cipherlist, it is a simple list separated by whitespace and/or  commas.
7288       The  elements  are a single cipher, or one or more "+" separated cipher
7289       properties, in which case only ciphers matching all the properties  are
7290       excluded.
7291
7292       Examples (some of these will cause problems):
7293
7294           smtp_tls_exclude_ciphers = aNULL
7295           smtp_tls_exclude_ciphers = MD5, DES
7296           smtp_tls_exclude_ciphers = DES+MD5
7297           smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7298           smtp_tls_exclude_ciphers = kEDH+aRSA
7299
7300       The  first  setting,  disables anonymous ciphers. The next setting dis‐
7301       ables ciphers that use the MD5 digest algorithm  or  the  (single)  DES
7302       encryption  algorithm.  The  next setting disables ciphers that use MD5
7303       and  DES  together.   The  next  setting  disables  the   two   ciphers
7304       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
7305       use "EDH" key exchange with RSA authentication.
7306
7307       This feature is available in Postfix 2.3 and later.
7308

smtp_tls_fingerprint_cert_match (default: empty)

7310       List of acceptable remote SMTP server certificate fingerprints for  the
7311       "fingerprint"  TLS  security  level  (smtp_tls_security_level = finger‐
7312       print). At this security level, Certification Authorities are not used,
7313       and  certificate expiration times are ignored. Instead, server certifi‐
7314       cates are verified directly via their certificate fingerprint or public
7315       key  fingerprint  (Postfix 2.9 and later). The fingerprint is a message
7316       digest of the server certificate (or public key). The digest  algorithm
7317       is selected via the smtp_tls_fingerprint_digest parameter.
7318
7319       When  an  smtp_tls_policy_maps  table entry specifies the "fingerprint"
7320       security level, any "match" attributes in that entry specify  the  list
7321       of  valid fingerprints for the corresponding destination. Multiple fin‐
7322       gerprints can be combined with  a  "|"  delimiter  in  a  single  match
7323       attribute, or multiple match attributes can be employed.
7324
7325       Example:  Certificate  fingerprint  verification with internal mailhub.
7326       Two matching fingerprints are listed. The  relayhost  may  be  multiple
7327       physical hosts behind a load-balancer, each with its own private/public
7328       key and self-signed certificate. Alternatively, a single relayhost  may
7329       be  in  the process of switching from one set of private/public keys to
7330       another, and both keys are trusted just prior to the transition.
7331
7332           relayhost = [mailhub.example.com]
7333           smtp_tls_security_level = fingerprint
7334           smtp_tls_fingerprint_digest = md5
7335           smtp_tls_fingerprint_cert_match =
7336               3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7337               EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7338
7339       Example: Certificate fingerprint verification  with  selected  destina‐
7340       tions.  As in the example above, we show two matching fingerprints:
7341
7342           /etc/postfix/main.cf:
7343               smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7344               smtp_tls_fingerprint_digest = md5
7345
7346           /etc/postfix/tls_policy:
7347               example.com fingerprint
7348                   match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7349                   match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7350
7351       This feature is available in Postfix 2.5 and later.
7352

smtp_tls_fingerprint_digest (default: md5)

7354       The  message digest algorithm used to construct remote SMTP server cer‐
7355       tificate  fingerprints.  At  the  "fingerprint"  TLS   security   level
7356       (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7357       ified by directly matching its certificate fingerprint  or  its  public
7358       key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7359       digest of the server certificate (or its public key) using the selected
7360       algorithm.  With  a  digest  algorithm  resistant to "second pre-image"
7361       attacks, it is not feasible to create a new public key and  a  matching
7362       certificate (or public/private key-pair) that has the same fingerprint.
7363
7364       The  default  algorithm  is  md5; this is consistent with the backwards
7365       compatible setting of the digest used to verify client certificates  in
7366       the SMTP server.
7367
7368       The  best practice algorithm is now sha1. Recent advances in hash func‐
7369       tion cryptanalysis have led to md5 being deprecated in favor  of  sha1.
7370       However,  as  long  as  there  are  no known "second pre-image" attacks
7371       against md5, its use in this context can still be considered safe.
7372
7373       While additional digest algorithms are often available  with  OpenSSL's
7374       libcrypto, only those used by libssl in SSL cipher suites are available
7375       to Postfix. For now this means just md5 or sha1.
7376
7377       To find the fingerprint of a specific certificate file, with a specific
7378       digest algorithm, run:
7379
7380           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7381
7382       The  text  to  the  right  of "=" sign is the desired fingerprint.  For
7383       example:
7384
7385           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7386           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7387
7388       To extract the public key fingerprint from an  X.509  certificate,  you
7389       need  to  extract  the  public key from the certificate and compute the
7390       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7391       key"  option  of  the  "x509" command extracts the public key always in
7392       "PEM" format. We pipe the result to another OpenSSL command  that  con‐
7393       verts the key to DER and then to the "dgst" command to compute the fin‐
7394       gerprint.
7395
7396       The actual command to transform the key to DER format  depends  on  the
7397       version  of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7398       mand supports all key types. With OpenSSL 0.9.8 and  earlier,  the  key
7399       type  is  always  RSA  (nobody uses DSA, and EC keys are not fully sup‐
7400       ported by 0.9.8), so the "rsa" command is used.
7401
7402           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7403           $ openssl x509 -in cert.pem -noout -pubkey |
7404               openssl pkey -pubin -outform DER |
7405               openssl dgst -sha1 -c
7406           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7407
7408           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7409           $ openssl x509 -in cert.pem -noout -pubkey |
7410               openssl rsa -pubin -outform DER |
7411               openssl dgst -md5 -c
7412           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7413
7414       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7415       gerprint  and  public  key  fingerprint  when  the TLS loglevel is 2 or
7416       higher.
7417
7418       Note: Postfix 2.9.0-2.9.5 computed the public  key  fingerprint  incor‐
7419       rectly.  To  use  public-key  fingerprints, upgrade to Postfix 2.9.6 or
7420       later.
7421
7422       This feature is available in Postfix 2.5 and later.
7423

smtp_tls_force_insecure_host_tlsa_lookup (default: no)

7425       Lookup the associated DANE TLSA RRset even when a hostname  is  not  an
7426       alias  and  its  address  records  lie  in  an  unsigned zone.  This is
7427       unlikely to ever yield DNSSEC validated results, since child  zones  of
7428       unsigned  zones are also unsigned in the absence of DLV or locally con‐
7429       figured non-root trust-anchors.  We  anticipate  that  such  mechanisms
7430       will  not be used for just the "_tcp" subdomain of a host.  Suppressing
7431       the TLSA RRset lookup reduces latency and avoids  potential  interoper‐
7432       ability  problems with nameservers for unsigned zones that are not pre‐
7433       pared to handle the new TLSA RRset.
7434
7435       This feature is available in Postfix 2.11.
7436

smtp_tls_key_file (default: $smtp_tls_cert_file)

7438       File with the Postfix SMTP client RSA private key in PEM format.   This
7439       file  may be combined with the Postfix SMTP client RSA certificate file
7440       specified with $smtp_tls_cert_file.
7441
7442       The private key must be accessible without a pass-phrase, i.e. it  must
7443       not be encrypted. File permissions should grant read-only access to the
7444       system superuser account ("root"), and no access to anyone else.
7445
7446       Example:
7447
7448       smtp_tls_key_file = $smtp_tls_cert_file
7449
7450       This feature is available in Postfix 2.2 and later.
7451

smtp_tls_loglevel (default: 0)

7453       Enable additional Postfix SMTP client logging of  TLS  activity.   Each
7454       logging  level  also includes the information that is logged at a lower
7455       logging level.
7456
7457              0 Disable logging of TLS activity.
7458
7459              1 Log only a summary message on TLS handshake  completion  -  no
7460              logging  of remote SMTP server certificate trust-chain verifica‐
7461              tion errors if server certificate verification is not  required.
7462              With Postfix 2.8 and earlier, log the summary message and uncon‐
7463              ditionally log trust-chain verification errors.
7464
7465              2 Also log levels during TLS negotiation.
7466
7467              3 Also  log  hexadecimal  and  ASCII  dump  of  TLS  negotiation
7468              process.
7469
7470              4  Also  log hexadecimal and ASCII dump of complete transmission
7471              after STARTTLS.
7472
7473       Do not use "smtp_tls_loglevel = 2" or higher except in  case  of  prob‐
7474       lems. Use of loglevel 4 is strongly discouraged.
7475
7476       This feature is available in Postfix 2.2 and later.
7477

smtp_tls_mandatory_ciphers (default: medium)

7479       The minimum TLS cipher grade that the Postfix SMTP client will use with
7480       mandatory TLS encryption.  The default value "medium" is  suitable  for
7481       most destinations with which you may want to enforce TLS, and is beyond
7482       the reach of today's cryptanalytic  methods.  See  smtp_tls_policy_maps
7483       for information on how to configure ciphers on a per-destination basis.
7484
7485       The following cipher grades are supported:
7486
7487       export Enable "EXPORT" grade or better OpenSSL ciphers.  The underlying
7488              cipherlist is specified via the tls_export_cipherlist configura‐
7489              tion parameter, which you are strongly encouraged to not change.
7490              This choice is insecure and SHOULD NOT be used.
7491
7492       low    Enable "LOW" grade or better OpenSSL  ciphers.   The  underlying
7493              cipherlist is specified via the tls_low_cipherlist configuration
7494              parameter, which you are  strongly  encouraged  to  not  change.
7495              This choice is insecure and SHOULD NOT be used.
7496
7497       medium Enable "MEDIUM" grade or better OpenSSL ciphers.  The underlying
7498              cipherlist is specified via the tls_medium_cipherlist configura‐
7499              tion parameter, which you are strongly encouraged to not change.
7500
7501       high   Enable  only  "HIGH" grade OpenSSL ciphers.  This setting may be
7502              appropriate when all mandatory TLS destinations (e.g.  when  all
7503              mail is routed to a suitably capable relayhost) support at least
7504              one "HIGH" grade cipher. The underlying cipherlist is  specified
7505              via  the  tls_high_cipherlist configuration parameter, which you
7506              are strongly encouraged to not change.
7507
7508       null   Enable only the "NULL" OpenSSL ciphers, these provide  authenti‐
7509              cation  without encryption.  This setting is only appropriate in
7510              the rare case that all servers are prepared to use NULL  ciphers
7511              (not  normally  enabled in TLS servers). A plausible use-case is
7512              an LMTP server listening on a UNIX-domain socket that is config‐
7513              ured  to  support  "NULL"  ciphers. The underlying cipherlist is
7514              specified via the tls_null_cipherlist  configuration  parameter,
7515              which you are strongly encouraged to not change.
7516
7517       The  underlying cipherlists for grades other than "null" include anony‐
7518       mous ciphers, but these are automatically filtered out if  the  Postfix
7519       SMTP  client is configured to verify server certificates.  You are very
7520       unlikely to need to take any steps to exclude anonymous  ciphers,  they
7521       are excluded automatically as necessary.  If you must exclude anonymous
7522       ciphers at the "may" or "encrypt" security  levels,  when  the  Postfix
7523       SMTP   client   does   not   need   or   use   peer  certificates,  set
7524       "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous  ciphers  only
7525       when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7526
7527       This feature is available in Postfix 2.3 and later.
7528

smtp_tls_mandatory_exclude_ciphers (default: empty)

7530       Additional  list of ciphers or cipher types to exclude from the Postfix
7531       SMTP client cipher list at mandatory TLS  security  levels.  This  list
7532       works     in     addition     to    the    exclusions    listed    with
7533       smtp_tls_exclude_ciphers (see there for syntax details).
7534
7535       Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7536       ified   on  a  per-destination  basis  via  the  TLS  policy  "exclude"
7537       attribute. See smtp_tls_policy_maps for notes and examples.
7538
7539       This feature is available in Postfix 2.3 and later.
7540

smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

7542       List of SSL/TLS protocols that the Postfix SMTP client  will  use  with
7543       mandatory  TLS  encryption.   In  main.cf  the  values are separated by
7544       whitespace, commas or colons. In the policy table "protocols" attribute
7545       (see  smtp_tls_policy_maps) the only valid separator is colon. An empty
7546       value means allow all protocols. The valid protocol names, (see  \fBfB‐
7547       SSL_get_version(3)),  are  "SSLv2",  "SSLv3"  and  "TLSv1". The default
7548       value is "!SSLv2, !SSLv3" for Postfix  releases  after  the  middle  of
7549       2015, "!SSLv2" for older releases.
7550
7551       With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7552       col  exclusions.  One  can  explicitly  exclude  "SSLv2"   by   setting
7553       "smtp_tls_mandatory_protocols  =  !SSLv2".  To exclude both "SSLv2" and
7554       "SSLv3" set "smtp_tls_mandatory_protocols =  !SSLv2,  !SSLv3".  Listing
7555       the  protocols  to  include,  rather than protocols to exclude, is sup‐
7556       ported, but not recommended. The exclusion form  more  closely  matches
7557       the underlying OpenSSL interface semantics.
7558
7559       The range of protocols advertised by an SSL/TLS client must be contigu‐
7560       ous.  When a protocol version is enabled, disabling any higher  version
7561       implicitly  disables all versions above that higher version.  Thus, for
7562       example:
7563
7564           smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7565       also disables any protocols version  higher  than  TLSv1  leaving  only
7566       "SSLv3" enabled.
7567
7568       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7569       "TLSv1.2". When Postfix <= 2.5  is  linked  against  OpenSSL  1.0.1  or
7570       later,  these,  or  any other new protocol versions, cannot be disabled
7571       except by also disabling "TLSv1" (typically leaving just "SSLv3").  The
7572       latest  patch  levels of Postfix >= 2.6, and all versions of Postfix >=
7573       2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7574
7575       At the dane and dane-only security levels, when usable TLSA records are
7576       obtained  for  the remote SMTP server, the Postfix SMTP client is obli‐
7577       gated to include the SNI TLS extension in its SSL client hello message.
7578       This  may help the remote SMTP server live up to its promise to provide
7579       a certificate that matches its  TLSA  records.   Since  TLS  extensions
7580       require  TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7581       and "SSLv3" when SNI is required.  If you use "dane" or "dane-only"  do
7582       not disable TLSv1, except perhaps via the policy table for destinations
7583       which you are sure will support "TLSv1.1" or "TLSv1.2".
7584
7585       See  the  documentation  of  the  smtp_tls_policy_maps  parameter   and
7586       TLS_README for more information about security levels.
7587
7588       Example:
7589
7590       # Preferred syntax with Postfix >= 2.5:
7591       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7592       # Legacy syntax:
7593       smtp_tls_mandatory_protocols = TLSv1
7594
7595       This feature is available in Postfix 2.3 and later.
7596

smtp_tls_note_starttls_offer (default: no)

7598       Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7599       is not already enabled for that server.
7600
7601       The logfile record looks like:
7602
7603       postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
7604
7605       This feature is available in Postfix 2.2 and later.
7606

smtp_tls_per_site (default: empty)

7608       Optional lookup tables with the Postfix SMTP client TLS usage policy by
7609       next-hop  destination  and  by  remote SMTP server hostname.  When both
7610       lookups succeed, the more specific per-site policy  (NONE,  MUST,  etc)
7611       overrides  the  less  specific  one (MAY), and the more secure per-site
7612       policy (MUST, etc) overrides the less secure one (NONE).  With  Postfix
7613       2.3   and   later   smtp_tls_per_site   is  strongly  discouraged:  use
7614       smtp_tls_policy_maps instead.
7615
7616       Use of the bare hostname as the per-site table lookup key  is  discour‐
7617       aged.  Always  use  the full destination nexthop (enclosed in [] with a
7618       possible ":port" suffix). A recipient domain  or  MX-enabled  transport
7619       next-hop  with  no  port  suffix  may look like a bare hostname, but is
7620       still a suitable destination.
7621
7622       Specify a next-hop destination or  server  hostname  on  the  left-hand
7623       side;  no wildcards are allowed. The next-hop destination is either the
7624       recipient domain, or the destination specified with a transport(5)  ta‐
7625       ble, the relayhost parameter, or the relay_transport parameter.  On the
7626       right hand side specify one of the following keywords:
7627
7628       NONE   Don't use TLS at all. This overrides a less specific MAY  lookup
7629              result from the alternate host or next-hop lookup key, and over‐
7630              rides   the   global   smtp_use_tls,    smtp_enforce_tls,    and
7631              smtp_tls_enforce_peername settings.
7632
7633       MAY    Try  to  use  TLS if the server announces support, otherwise use
7634              the unencrypted connection. This has less precedence than a more
7635              specific  result  (including  NONE)  from  the alternate host or
7636              next-hop lookup key, and has less precedence than the more  spe‐
7637              cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7638              name = yes".
7639
7640       MUST_NOPEERMATCH
7641              Require TLS encryption, but do not require that the remote  SMTP
7642              server  hostname  matches  the  information  in  the remote SMTP
7643              server certificate, or that the server certificate was issued by
7644              a  trusted  CA. This overrides a less secure NONE or a less spe‐
7645              cific MAY lookup result from  the  alternate  host  or  next-hop
7646              lookup    key,    and   overrides   the   global   smtp_use_tls,
7647              smtp_enforce_tls and smtp_tls_enforce_peername settings.
7648
7649       MUST   Require TLS encryption, require  that  the  remote  SMTP  server
7650              hostname  matches the information in the remote SMTP server cer‐
7651              tificate, and require that the remote  SMTP  server  certificate
7652              was  issued  by  a trusted CA. This overrides a less secure NONE
7653              and MUST_NOPEERMATCH or a less specific MAY lookup  result  from
7654              the  alternate  host  or  next-hop lookup key, and overrides the
7655              global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7656              name settings.
7657
7658       The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7659       ify" security levels  for  the  new  smtp_tls_security_level  parameter
7660       introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7661       of how the policy  is  specified,  the  smtp_tls_mandatory_ciphers  and
7662       smtp_tls_mandatory_protocols  parameters  apply  when TLS encryption is
7663       mandatory. Connections  for  which  encryption  is  optional  typically
7664       enable  all "export" grade and better ciphers (see smtp_tls_ciphers and
7665       smtp_tls_protocols).
7666
7667       As long as no secure DNS lookup mechanism is available, false hostnames
7668       in  MX  or  CNAME responses can change the server hostname that Postfix
7669       uses for TLS policy lookup and server  certificate  verification.  Even
7670       with  a  perfect  match between the server hostname and the server cer‐
7671       tificate, there is no guarantee that Postfix is connected to the  right
7672       server.   See TLS_README (Closing a DNS loophole with obsolete per-site
7673       TLS policies) for a possible work-around.
7674
7675       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
7676       and later use smtp_tls_policy_maps instead.
7677

smtp_tls_policy_maps (default: empty)

7679       Optional lookup tables with the Postfix SMTP client TLS security policy
7680       by next-hop destination; when a  non-empty  value  is  specified,  this
7681       overrides the obsolete smtp_tls_per_site parameter.  See TLS_README for
7682       a more detailed discussion of TLS security levels.
7683
7684       Specify zero or more "type:name" lookup tables, separated by whitespace
7685       or  comma. Tables will be searched in the specified order until a match
7686       is found.
7687
7688       The TLS policy table is indexed by the full next-hop destination, which
7689       is  either  the recipient domain, or the verbatim next-hop specified in
7690       the    transport    table,    $local_transport,     $virtual_transport,
7691       $relay_transport  or  $default_transport.  This  includes any enclosing
7692       square brackets and any non-default destination server port suffix. The
7693       LMTP  socket type prefix (inet: or unix:) is not included in the lookup
7694       key.
7695
7696       Only the next-hop domain, or $myhostname  with  LMTP  over  UNIX-domain
7697       sockets,  is used as the nexthop name for certificate verification. The
7698       port and any enclosing square brackets are used  in  the  table  lookup
7699       key, but are not used for server name verification.
7700
7701       When  the lookup key is a domain name without enclosing square brackets
7702       or any :port suffix (typically the  recipient  domain),  and  the  full
7703       domain  is not found in the table, just as with the transport(5) table,
7704       the parent domain starting with a leading "." is  matched  recursively.
7705       This allows one to specify a security policy for a recipient domain and
7706       all its sub-domains.
7707
7708       The lookup result is a security level, followed by an optional list  of
7709       whitespace  and/or  comma separated name=value attributes that override
7710       related main.cf settings. The TLS security levels in order of  increas‐
7711       ing security are:
7712
7713       none   No TLS. No additional attributes are supported at this level.
7714
7715       may    Opportunistic  TLS.  Since  sending  in the clear is acceptable,
7716              demanding stronger than  default  TLS  security  merely  reduces
7717              interoperability.  The optional "ciphers", "exclude" and "proto‐
7718              cols" attributes (available for opportunistic TLS  with  Postfix
7719              >=       2.6)       override       the       "smtp_tls_ciphers",
7720              "smtp_tls_exclude_ciphers" and  "smtp_tls_protocols"  configura‐
7721              tion parameters. When opportunistic TLS handshakes fail, Postfix
7722              retries the connection with  TLS  disabled.   This  allows  mail
7723              delivery to sites with non-interoperable TLS implementations.
7724
7725       encrypt
7726              Mandatory TLS encryption. At this level and higher, the optional
7727              "protocols"  attribute  overrides  the  main.cf  smtp_tls_manda‐
7728              tory_protocols parameter, the optional "ciphers" attribute over‐
7729              rides the main.cf smtp_tls_mandatory_ciphers parameter, and  the
7730              optional  "exclude"  attribute  (Postfix  >=  2.6) overrides the
7731              main.cf  smtp_tls_mandatory_exclude_ciphers  parameter.  In  the
7732              policy  table,  multiple  protocols  or excluded ciphers must be
7733              separated by colons, as attribute values may not contain  white‐
7734              space or commas.
7735
7736       dane   Opportunistic  DANE  TLS.  The TLS policy for the destination is
7737              obtained via TLSA records in DNSSEC.  If  no  TLSA  records  are
7738              found,  the  effective  security  level  used  is  may.  If TLSA
7739              records are found, but none are usable, the  effective  security
7740              level is encrypt.  When usable TLSA records are obtained for the
7741              remote SMTP server, the server certificate must match  the  TLSA
7742              records.   RFC 7672 (DANE) TLS authentication and DNSSEC support
7743              is available with Postfix 2.11 and later.
7744
7745       dane-only
7746              Mandatory DANE TLS.  The  TLS  policy  for  the  destination  is
7747              obtained  via  TLSA  records  in DNSSEC.  If no TLSA records are
7748              found, or none are usable, no connection is made to the  server.
7749              When  usable  TLSA  records  are  obtained  for  the remote SMTP
7750              server, the server certificate must match the TLSA records.  RFC
7751              7672  (DANE)  TLS authentication and DNSSEC support is available
7752              with Postfix 2.11 and later.
7753
7754       fingerprint
7755              Certificate fingerprint verification. Available with Postfix 2.5
7756              and later. At this security level, there are no trusted Certifi‐
7757              cation Authorities.  The  certificate  trust  chain,  expiration
7758              date,   ...   are  not  checked.  Instead,  the  optional  match
7759              attribute, or else the  main.cf  smtp_tls_fingerprint_cert_match
7760              parameter,  lists the certificate fingerprints or the public key
7761              fingerprint (Postfix 2.9 and later) of the valid server certifi‐
7762              cate.  The digest algorithm used to calculate the fingerprint is
7763              selected by the smtp_tls_fingerprint_digest parameter.  Multiple
7764              fingerprints  can  be  combined with a "|" delimiter in a single
7765              match attribute, or multiple match attributes can  be  employed.
7766              The  ":"  character  is  not  used  as  a delimiter as it occurs
7767              between each pair of fingerprint (hexadecimal) digits.
7768
7769       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
7770              lookups  are  trusted to be secure enough, and the name verified
7771              in the server certificate is  usually  obtained  indirectly  via
7772              unauthenticated  DNS MX lookups.  The optional "match" attribute
7773              overrides the main.cf smtp_tls_verify_cert_match  parameter.  In
7774              the policy table, multiple match patterns and strategies must be
7775              separated by colons.  In practice explicit control over matching
7776              is more common with the "secure" policy, described below.
7777
7778       secure Secure-channel  TLS.  At  this  security  level, DNS MX lookups,
7779              though potentially used  to  determine  the  candidate  next-hop
7780              gateway  IP  addresses,  are not trusted to be secure enough for
7781              TLS peername verification. Instead, the default name verified in
7782              the  server  certificate is obtained directly from the next-hop,
7783              or is explicitly specified  via  the  optional  match  attribute
7784              which  overrides  the main.cf smtp_tls_secure_cert_match parame‐
7785              ter. In the policy table, multiple match patterns and strategies
7786              must be separated by colons.  The match attribute is most useful
7787              when multiple domains are supported by common server, the policy
7788              entries  for  additional  domains specify matching rules for the
7789              primary domain  certificate.  While  transport  table  overrides
7790              routing  the secondary domains to the primary nexthop also allow
7791              secure verification, they risk delivery to the wrong destination
7792              when  domains  change  hands or are re-assigned to new gateways.
7793              With the "match" attribute approach, routing is  not  perturbed,
7794              and mail is deferred if verification of a new MX host fails.
7795
7796       Example:
7797
7798       /etc/postfix/main.cf:
7799           smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7800           # Postfix 2.5 and later
7801           smtp_tls_fingerprint_digest = md5
7802
7803       /etc/postfix/tls_policy:
7804           example.edu                 none
7805           example.mil                 may
7806           example.gov                 encrypt protocols=TLSv1
7807           example.com                 verify ciphers=high
7808           example.net                 secure
7809           .example.net                secure match=.example.net:example.net
7810           [mail.example.org]:587      secure match=nexthop
7811           # Postfix 2.5 and later
7812           [thumb.example.org]          fingerprint
7813               match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7814               match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7815
7816       Note:  The  hostname  strategy  if  listed  in a non-default setting of
7817       smtp_tls_secure_cert_match or in the match attribute in the policy  ta‐
7818       ble  can  render the secure level vulnerable to DNS forgery. Do not use
7819       the hostname strategy for secure-channel configurations in environments
7820       where DNS security is not assured.
7821
7822       This feature is available in Postfix 2.3 and later.
7823

smtp_tls_protocols (default: !SSLv2, !SSLv3)

7825       List  of  TLS  protocols  that  the Postfix SMTP client will exclude or
7826       include  with  opportunistic  TLS  encryption.  The  default  value  is
7827       "!SSLv2,  !SSLv3"  for  Postfix  releases  after  the  middle  of 2015,
7828       "!SSLv2" for older releases.  Before  Postfix  2.6,  the  Postfix  SMTP
7829       client would use all protocols with opportunistic TLS.
7830
7831       In main.cf the values are separated by whitespace, commas or colons. In
7832       the policy table (see smtp_tls_policy_maps) the only valid separator is
7833       colon.  An  empty  value  means allow all protocols. The valid protocol
7834       names, (see \fBfBSSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
7835
7836       The range of protocols advertised by an SSL/TLS client must be contigu‐
7837       ous.   When a protocol version is enabled, disabling any higher version
7838       implicitly disables all versions above that higher version.  Thus,  for
7839       example:
7840
7841           smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7842       also  disables  any  protocols  version  higher than TLSv1 leaving only
7843       "SSLv3" enabled.
7844
7845       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"  and
7846       "TLSv1.2".  The latest patch levels of Postfix >= 2.6, and all versions
7847       of Postfix >= 2.10 can explicitly  disable  support  for  "TLSv1.1"  or
7848       "TLSv1.2"
7849
7850       To  include  a  protocol  list its name, to exclude it, prefix the name
7851       with a "!" character.  To  exclude  SSLv2  for  opportunistic  TLS  set
7852       "smtp_tls_protocols  = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
7853       "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
7854       to  include,  rather  than  protocols to exclude, is supported, but not
7855       recommended.  The exclusion form more closely  matches  the  underlying
7856       OpenSSL interface semantics.
7857
7858       Example:
7859       # TLSv1 or better:
7860       smtp_tls_protocols = !SSLv2, !SSLv3
7861
7862       This feature is available in Postfix 2.6 and later.
7863

smtp_tls_scert_verifydepth (default: 9)

7865       The  verification depth for remote SMTP server certificates. A depth of
7866       1 is sufficient if the issuing CA is listed in a local CA file.
7867
7868       The default verification depth is 9 (the OpenSSL default) for  compati‐
7869       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
7870       value was 5, but the limit was not actually enforced. If you  have  set
7871       this  to  a  lower  non-default  value,  certificates with longer trust
7872       chains may now fail to verify. Certificate chains with 1 or 2  CAs  are
7873       common,  deeper  chains  are  more  rare and any number between 5 and 9
7874       should suffice in practice. You can choose a lower number if, for exam‐
7875       ple,  you  trust  certificates directly signed by an issuing CA but not
7876       any CAs it delegates to.
7877
7878       This feature is available in Postfix 2.2 and later.
7879

smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)

7881       How the Postfix SMTP client verifies the  server  certificate  peername
7882       for  the  "secure"  TLS  security level. In a "secure" TLS policy table
7883       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
7884       this main.cf setting.
7885
7886       This  parameter  specifies one or more patterns or strategies separated
7887       by commas, whitespace or colons.  In the policy table  the  only  valid
7888       separator is the colon character.
7889
7890       For   a  description  of  the  pattern  and  strategy  syntax  see  the
7891       smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
7892       avoided  in  this  context,  as  in the absence of a secure global DNS,
7893       using the results of MX lookups  in  certificate  verification  is  not
7894       immune to active (man-in-the-middle) attacks on DNS.
7895
7896       Sample main.cf setting:
7897
7898           smtp_tls_secure_cert_match = nexthop
7899
7900       Sample policy table override:
7901
7902           example.net     secure match=example.com:.example.com
7903           .example.net    secure match=example.com:.example.com
7904
7905       This feature is available in Postfix 2.3 and later.
7906

smtp_tls_security_level (default: empty)

7908       The default SMTP TLS security level for the Postfix SMTP client; when a
7909       non-empty value is specified, this overrides  the  obsolete  parameters
7910       smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
7911
7912       Specify one of the following security levels:
7913
7914       none   No  TLS. TLS will not be used unless enabled for specific desti‐
7915              nations via smtp_tls_policy_maps.
7916
7917       may    Opportunistic TLS. Use TLS if this is supported  by  the  remote
7918              SMTP server, otherwise use plaintext. Since sending in the clear
7919              is acceptable, demanding  stronger  than  default  TLS  security
7920              merely  reduces  interoperability.   The  "smtp_tls_ciphers" and
7921              "smtp_tls_protocols" (Postfix >= 2.6)  configuration  parameters
7922              provide  control  over  the protocols and cipher grade used with
7923              opportunistic TLS.  With earlier releases the opportunistic  TLS
7924              cipher  grade  is always "export" and no protocols are disabled.
7925              When TLS handshakes fail, the connection  is  retried  with  TLS
7926              disabled.   This allows mail delivery to sites with non-interop‐
7927              erable TLS implementations.
7928
7929       encrypt
7930              Mandatory TLS encryption. Since a minimum level of  security  is
7931              intended,  it  is  reasonable  to be specific about sufficiently
7932              secure protocol versions and ciphers. At this security level and
7933              higher,  the main.cf parameters smtp_tls_mandatory_protocols and
7934              smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
7935              cipher grade which the administrator considers secure enough for
7936              mandatory encrypted sessions. This  security  level  is  not  an
7937              appropriate default for systems delivering mail to the Internet.
7938
7939       dane   Opportunistic  DANE TLS.  At this security level, the TLS policy
7940              for the destination is obtained via DNSSEC.  For TLSA policy  to
7941              be  in effect, the destination domain's containing DNS zone must
7942              be signed and the Postfix SMTP client's operating system must be
7943              configured to send its DNS queries to a recursive DNS nameserver
7944              that is able to validate the signed records.  Each MX host's DNS
7945              zone  should  also  be signed, and should publish DANE TLSA (RFC
7946              7672) records that specify how that MX host's TLS certificate is
7947              to  be verified.  TLSA records do not preempt the normal SMTP MX
7948              host selection algorithm, if some MX hosts support TLSA and oth‐
7949              ers  do  not,  TLS security will vary from delivery to delivery.
7950              It is up to the domain owner to configure  their  MX  hosts  and
7951              their  DNS  sensibly.   To configure the Postfix SMTP client for
7952              DNSSEC lookups  see  the  documentation  for  the  smtp_dns_sup‐
7953              port_level   main.cf   parameter.   When  DNSSEC-validated  TLSA
7954              records are not found the effective tls security level is "may".
7955              When  TLSA records are found, but are all unusable the effective
7956              security level is  "encrypt".   For  purposes  of  protocol  and
7957              cipher  selection,  the  "dane" security level is treated like a
7958              "mandatory" TLS security level, and weak ciphers  and  protocols
7959              are  disabled.  Since DANE authenticates server certificates the
7960              "aNULL" cipher-suites are transparently excluded at this  level,
7961              no need to configure this manually.  RFC 7672 (DANE) TLS authen‐
7962              tication is available with Postfix 2.11 and later.
7963
7964       dane-only
7965              Mandatory DANE TLS.  This is just like "dane"  above,  but  DANE
7966              TLSA  authentication is required.  There is no fallback to "may"
7967              or "encrypt" when TLSA records are  missing  or  unusable.   RFC
7968              7672  (DANE)  TLS  authentication is available with Postfix 2.11
7969              and later.
7970
7971       fingerprint
7972              Certificate fingerprint verification.  At this  security  level,
7973              there are no trusted Certification Authorities.  The certificate
7974              trust chain, expiration date, etc., are  not  checked.  Instead,
7975              the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
7976              cate fingerprint or public  key  fingerprint  (Postfix  2.9  and
7977              later)  of  the  valid  server certificate. The digest algorithm
7978              used  to  calculate  the  fingerprint   is   selected   by   the
7979              smtp_tls_fingerprint_digest  parameter.  Available  with Postfix
7980              2.5 and later.
7981
7982       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
7983              lookups  are  trusted to be secure enough, and the name verified
7984              in the server certificate is  usually  obtained  indirectly  via
7985              unauthenticated  DNS  MX lookups. The smtp_tls_verify_cert_match
7986              parameter controls how the server name is verified. In  practice
7987              explicit  control  over  matching is more common at the "secure"
7988              level, described below. This security level is not an  appropri‐
7989              ate default for systems delivering mail to the Internet.
7990
7991       secure Secure-channel  TLS.   At  this  security level, DNS MX lookups,
7992              though potentially used  to  determine  the  candidate  next-hop
7993              gateway  IP  addresses,  are not trusted to be secure enough for
7994              TLS peername verification. Instead, the default name verified in
7995              the  server  certificate is obtained from the next-hop domain as
7996              specified in the smtp_tls_secure_cert_match configuration param‐
7997              eter.  The  default  matching  rule is that a server certificate
7998              matches when its name is equal to or is a sub-domain of the nex‐
7999              thop  domain.  This security level is not an appropriate default
8000              for systems delivering mail to the Internet.
8001
8002       Examples:
8003
8004       # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8005       smtp_tls_security_level = none
8006
8007       # Opportunistic TLS.
8008       smtp_tls_security_level = may
8009       # Postfix >= 2.6:
8010       # Do not tweak opportunistic ciphers or protocol unless it is essential
8011       # to do so (if a security vulnerability is found in the SSL library that
8012       # can be mitigated by disabling a particular protocol or raising the
8013       # cipher grade from "export" to "low" or "medium").
8014       smtp_tls_ciphers = export
8015       smtp_tls_protocols = !SSLv2, !SSLv3
8016
8017       # Mandatory (high-grade) TLS encryption.
8018       smtp_tls_security_level = encrypt
8019       smtp_tls_mandatory_ciphers = high
8020
8021       # Mandatory TLS verification of hostname or nexthop domain.
8022       smtp_tls_security_level = verify
8023       smtp_tls_mandatory_ciphers = high
8024       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8025
8026       # Secure channel TLS with exact nexthop name match.
8027       smtp_tls_security_level = secure
8028       smtp_tls_mandatory_protocols = TLSv1
8029       smtp_tls_mandatory_ciphers = high
8030       smtp_tls_secure_cert_match = nexthop
8031
8032       # Certificate fingerprint verification (Postfix >= 2.5).
8033       # The CA-less "fingerprint" security level only scales to a limited
8034       # number of destinations. As a global default rather than a per-site
8035       # setting, this is practical when mail for all recipients is sent
8036       # to a central mail hub.
8037       relayhost = [mailhub.example.com]
8038       smtp_tls_security_level = fingerprint
8039       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8040       smtp_tls_mandatory_ciphers = high
8041       smtp_tls_fingerprint_cert_match =
8042           3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8043           EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8044
8045       This feature is available in Postfix 2.3 and later.
8046

smtp_tls_session_cache_database (default: empty)

8048       Name of the file containing the optional Postfix SMTP client  TLS  ses‐
8049       sion  cache. Specify a database type that supports enumeration, such as
8050       btree or sdbm; there is no need to support concurrent access.  The file
8051       is  created  if it does not exist. The smtp(8) daemon does not use this
8052       parameter directly, rather the cache is implemented indirectly  in  the
8053       tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8054       of this parameter are not effective.  Note,  that  each  of  the  cache
8055       databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
8056       base, $smtp_tls_session_cache_database (and with Postfix 2.3 and  later
8057       $lmtp_tls_session_cache_database), needs to be stored separately. It is
8058       not at this time possible to store multiple caches in  a  single  data‐
8059       base.
8060
8061       Note:  dbm  databases  are  not  suitable.  TLS session objects are too
8062       large.
8063
8064       As of version 2.5, Postfix no longer uses root privileges when  opening
8065       this  file.  The  file  should  now  be  stored under the Postfix-owned
8066       data_directory. As a migration aid, an attempt to open the file under a
8067       non-Postfix  directory  is  redirected to the Postfix-owned data_direc‐
8068       tory, and a warning is logged.
8069
8070       Example:
8071
8072       smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8073
8074       This feature is available in Postfix 2.2 and later.
8075

smtp_tls_session_cache_timeout (default: 3600s)

8077       The expiration time of Postfix SMTP client TLS session  cache  informa‐
8078       tion.   A  cache cleanup is performed periodically every $smtp_tls_ses‐
8079       sion_cache_timeout seconds. As  with  $smtp_tls_session_cache_database,
8080       this  parameter  is  implemented  in the tlsmgr(8) daemon and therefore
8081       per-smtp-instance master.cf overrides are not possible.
8082
8083       As of Postfix 2.11 this setting cannot exceed 100 days.  If set  <=  0,
8084       session  caching  is  disabled.  If set to a positive value less than 2
8085       minutes, the minimum value of 2 minutes is used instead.
8086
8087       This feature is available in Postfix 2.2 and later.
8088

smtp_tls_trust_anchor_file (default: empty)

8090       Zero or more PEM-format files  with  trust-anchor  certificates  and/or
8091       public  keys.  If the parameter is not empty the root CAs in CAfile and
8092       CApath are no longer trusted.  Rather, the  Postfix  SMTP  client  will
8093       only  trust  certificate-chains signed by one of the trust-anchors con‐
8094       tained in the chosen files.  The  specified  trust-anchor  certificates
8095       and  public  keys  are  not  subject  to  expiration,  and  need not be
8096       (self-signed) root CAs.  They may, if desired, be intermediate certifi‐
8097       cates.  Therefore, these certificates also may be found "in the middle"
8098       of the trust chain  presented  by  the  remote  SMTP  server,  and  any
8099       untrusted  issuing parent certificates will be ignored.  Specify a list
8100       of pathnames separated by comma or whitespace.
8101
8102       Whether specified in  main.cf,  or  on  a  per-destination  basis,  the
8103       trust-anchor  PEM file must be accessible to the Postfix SMTP client in
8104       the chroot jail if applicable.  The trust-anchor  file  should  contain
8105       only certificates and public keys, no private key material, and must be
8106       readable by the non-privileged $mail_owner user.  This allows  destina‐
8107       tions  to  be  bound  to  a  set of specific CAs or public keys without
8108       trusting the same CAs for all destinations.
8109
8110       The main.cf parameter  supports  single-purpose  Postfix  installations
8111       that  send  mail  to  a  fixed  set  of  SMTP peers.  At most sites, if
8112       trust-anchor files are used  at  all,  they  will  be  specified  on  a
8113       per-destination  basis  via  the "tafile" attribute of the "verify" and
8114       "secure" levels in smtp_tls_policy_maps.
8115
8116       The underlying mechanism is in support of RFC 7672 (DANE  TLSA),  which
8117       defines  mechanisms for an SMTP client MTA to securely determine server
8118       TLS certificates via DNS.
8119
8120       If you want your trust anchors to be public keys, with OpenSSL you  can
8121       extract a single PEM public key from a PEM X.509 file containing a sin‐
8122       gle certificate, as follows:
8123
8124           $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8125
8126       This feature is available in Postfix 2.11 and later.
8127

smtp_tls_verify_cert_match (default: hostname)

8129       How the Postfix SMTP client verifies the  server  certificate  peername
8130       for  the  "verify"  TLS  security level. In a "verify" TLS policy table
8131       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
8132       this main.cf setting.
8133
8134       This  parameter  specifies one or more patterns or strategies separated
8135       by commas, whitespace or colons.  In the policy table  the  only  valid
8136       separator is the colon character.
8137
8138       Patterns specify domain names, or domain name suffixes:
8139
8140       example.com
8141              Match  the  example.com domain, i.e. one of the names the server
8142              certificate must be example.com, upper and lower  case  distinc‐
8143              tions are ignored.
8144
8145       .example.com
8146              Match subdomains of the example.com domain, i.e. match a name in
8147              the server certificate that consists of  a  non-zero  number  of
8148              labels  followed by a .example.com suffix. Case distinctions are
8149              ignored.
8150
8151       Strategies specify a transformation from the  next-hop  domain  to  the
8152       expected name in the server certificate:
8153
8154       nexthop
8155              Match against the next-hop domain, which is either the recipient
8156              domain, or the transport  next-hop  configured  for  the  domain
8157              stripped  of  any  optional socket type prefix, enclosing square
8158              brackets and trailing port. When MX lookups are not  suppressed,
8159              this  is the original nexthop domain prior to the MX lookup, not
8160              the result of the MX lookup. For LMTP delivery  via  UNIX-domain
8161              sockets, the verified next-hop name is $myhostname.  This strat‐
8162              egy is suitable for  use  with  the  "secure"  policy.  Case  is
8163              ignored.
8164
8165       dot-nexthop
8166              As above, but match server certificate names that are subdomains
8167              of the next-hop domain. Case is ignored.
8168
8169       hostname
8170              Match against the hostname of the server, often obtained via  an
8171              unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8172              sockets, the verified name is $myhostname. This matches the ver‐
8173              ification  strategy  of  the  "MUST"  keyword  in  the  obsolete
8174              smtp_tls_per_site table, and is suitable for use with the  "ver‐
8175              ify"  security  level.  When  the  next-hop  name is enclosed in
8176              square brackets to suppress MX lookups, the "hostname"  strategy
8177              is the same as the "nexthop" strategy. Case is ignored.
8178
8179       Sample main.cf setting:
8180
8181       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8182
8183       Sample policy table override:
8184
8185       example.com     verify  match=hostname:nexthop
8186       .example.com    verify  match=example.com:.example.com:hostname
8187
8188       This feature is available in Postfix 2.3 and later.
8189

smtp_tls_wrappermode (default: no)

8191       Request  that  the  Postfix SMTP client connects using the legacy SMTPS
8192       protocol instead of using the STARTTLS command.
8193
8194       This mode requires "smtp_tls_security_level = encrypt" or stronger.
8195
8196       Example: deliver all remote mail via a  provider's  server  "mail.exam‐
8197       ple.com".
8198
8199       /etc/postfix/main.cf:
8200           # Client-side SMTPS requires "encrypt" or stronger.
8201           smtp_tls_security_level = encrypt
8202           smtp_tls_wrappermode = yes
8203           # The [] suppress MX lookups.
8204           relayhost = [mail.example.com]:465
8205
8206       More  examples  are in TLS_README, including examples for older Postfix
8207       versions.
8208
8209       This feature is available in Postfix 3.0 and later.
8210

smtp_use_tls (default: no)

8212       Opportunistic mode: use TLS when a remote SMTP server announces  START‐
8213       TLS  support,  otherwise  send the mail in the clear. Beware: some SMTP
8214       servers offer STARTTLS even if it is not configured.   With  Postfix  <
8215       2.3,  if  the  TLS  handshake  fails, and no other server is available,
8216       delivery is deferred and mail stays in the queue. If this is a  concern
8217       for you, use the smtp_tls_per_site feature instead.
8218
8219       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
8220       and later use smtp_tls_security_level instead.
8221

smtp_xforward_timeout (default: 300s)

8223       The Postfix SMTP client time limit for sending  the  XFORWARD  command,
8224       and for receiving the remote SMTP server response.
8225
8226       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
8227       The default time unit is s (seconds).
8228
8229       This feature is available in Postfix 2.1 and later.
8230

smtpd_authorized_verp_clients (default: $authorized_verp_clients)

8232       What remote SMTP clients are allowed  to  specify  the  XVERP  command.
8233       This  command  requests  that mail be delivered one recipient at a time
8234       with a per recipient return address.
8235
8236       By default, no clients are allowed to specify XVERP.
8237
8238       This parameter was renamed with Postfix version 2.1. The default  value
8239       is backwards compatible with Postfix version 2.0.
8240
8241       Specify  a list of network/netmask patterns, separated by commas and/or
8242       whitespace. The mask specifies the number of bits in the  network  part
8243       of a host address. You can also specify hostnames or .domain names (the
8244       initial  dot  causes  the  domain  to  match  any   name   below   it),
8245       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
8246       replaced by its contents; a "type:table" lookup table is matched when a
8247       table  entry  matches  a  lookup string (the lookup result is ignored).
8248       Continue long lines by starting the next line with whitespace.  Specify
8249       "!pattern"  to  exclude  an address or network block from the list. The
8250       form "!/file/name" is supported only in Postfix version 2.4 and later.