1POSTCONF(5) File Formats Manual POSTCONF(5)
2
3
4
6 postconf - Postfix configuration parameters
7
9 postconf parameter ...
10
11 postconf -e "parameter=value" ...
12
14 The Postfix main.cf configuration file specifies parameters that con‐
15 trol the operation of the Postfix mail system. Typically the file con‐
16 tains only a small subset of all parameters; parameters not specified
17 are left at their default values.
18
19 The general format of the main.cf file is as follows:
20
21 · Each logical line has the form "parameter = value". Whitespace
22 around the "=" is ignored, as is whitespace at the end of a log‐
23 ical line.
24
25 · Empty lines and whitespace-only lines are ignored, as are lines
26 whose first non-whitespace character is a `#'.
27
28 · A logical line starts with non-whitespace text. A line that
29 starts with whitespace continues a logical line.
30
31 · A parameter value may refer to other parameters.
32
33 · The expressions "$name" and "${name}" are recursively
34 replaced with the value of the named parameter. The
35 parameter name must contain only characters from the set
36 [a-zA-Z0-9_]. An undefined parameter value is replaced
37 with the empty value.
38
39 · The expressions "${name?value}" and "${name?{value}}" are
40 replaced with "value" when "$name" is non-empty. The
41 parameter name must contain only characters from the set
42 [a-zA-Z0-9_]. These forms are supported with Postfix ver‐
43 sions >= 2.2 and >= 3.0, respectively.
44
45 · The expressions "${name:value}" and "${name:{value}}" are
46 replaced with "value" when "$name" is empty. The parame‐
47 ter name must contain only characters from the set [a-zA-
48 Z0-9_]. These forms are supported with Postfix versions
49 >= 2.2 and >= 3.0, respectively.
50
51 · The expression "${name?{value1}:{value2}}" is replaced
52 with "value1" when "$name" is non-empty, and with
53 "value2" when "$name" is empty. The "{}" is required for
54 "value1", optional for "value2". The parameter name must
55 contain only characters from the set [a-zA-Z0-9_]. This
56 form is supported with Postfix versions >= 3.0.
57
58 · The first item inside "${...}" may be a relational
59 expression of the form: "{value3} == {value4}". Besides
60 the "==" (equality) operator Postfix supports "!="
61 (inequality), "<", "<=", ">=", and ">". The comparison is
62 numerical when both operands are all digits, otherwise
63 the comparison is lexicographical. These forms are sup‐
64 ported with Postfix versions >= 3.0.
65
66 · Each "value" is subject to recursive named parameter and
67 relational expression evaluation, except where noted.
68
69 · Whitespace before or after each "{value}" is ignored.
70
71 · Specify "$$" to produce a single "$" character.
72
73 · The legacy form "$(...)" is equivalent to the preferred
74 form "${...}".
75
76 · When the same parameter is defined multiple times, only the last
77 instance is remembered.
78
79 · Otherwise, the order of main.cf parameter definitions does not
80 matter.
81
82 The remainder of this document is a description of all Postfix configu‐
83 ration parameters. Default values are shown after the parameter name in
84 parentheses, and can be looked up with the "postconf -d" command.
85
86 Note: this is not an invitation to make changes to Postfix configura‐
87 tion parameters. Unnecessary changes can impair the operation of the
88 mail system.
89
91 The recipient of undeliverable mail that cannot be returned to the
92 sender. This feature is enabled with the notify_classes parameter.
93
95 The numerical Postfix SMTP server response code for an access(5) map
96 "defer" action, including "defer_if_permit" or "defer_if_reject". Prior
97 to Postfix 2.6, the response is hard-coded as "450".
98
99 Do not change this unless you have a complete understanding of RFC
100 5321.
101
102 This feature is available in Postfix 2.6 and later.
103
105 The numerical Postfix SMTP server response code for an access(5) map
106 "reject" action.
107
108 Do not change this unless you have a complete understanding of RFC
109 5321.
110
112 The amount of time between verify(8) address verification database
113 cleanup runs. This feature requires that the database supports the
114 "delete" and "sequence" operators. Specify a zero interval to disable
115 database cleanup.
116
117 After each database cleanup run, the verify(8) daemon logs the number
118 of entries that were retained and dropped. A cleanup run is logged as
119 "partial" when the daemon terminates early after "postfix reload",
120 "postfix stop", or no requests for $max_idle seconds.
121
122 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
123
124 This feature is available in Postfix 2.7.
125
127 Overrides the default_transport parameter setting for address verifica‐
128 tion probes.
129
130 This feature is available in Postfix 2.1 and later.
131
133 Overrides the local_transport parameter setting for address verifica‐
134 tion probes.
135
136 This feature is available in Postfix 2.1 and later.
137
139 Lookup table for persistent address verification status storage. The
140 table is maintained by the verify(8) service, and is opened before the
141 process releases privileges.
142
143 The lookup table is persistent by default (Postfix 2.7 and later).
144 Specify an empty table name to keep the information in volatile memory
145 which is lost after "postfix reload" or "postfix stop". This is the
146 default with Postfix version 2.6 and earlier.
147
148 Specify a location in a file system that will not fill up. If the data‐
149 base becomes corrupted, the world comes to an end. To recover delete
150 (NOT: truncate) the file and do "postfix reload".
151
152 Postfix daemon processes do not use root privileges when opening this
153 file (Postfix 2.5 and later). The file must therefore be stored under
154 a Postfix-owned directory such as the data_directory. As a migration
155 aid, an attempt to open the file under a non-Postfix directory is redi‐
156 rected to the Postfix-owned data_directory, and a warning is logged.
157
158 Examples:
159
160 address_verify_map = hash:/var/lib/postfix/verify
161 address_verify_map = btree:/var/lib/postfix/verify
162
163 This feature is available in Postfix 2.1 and later.
164
166 Enable caching of failed address verification probe results. When this
167 feature is enabled, the cache may pollute quickly with garbage. When
168 this feature is disabled, Postfix will generate an address probe for
169 every lookup.
170
171 This feature is available in Postfix 2.1 and later.
172
174 The time after which a failed probe expires from the address verifica‐
175 tion cache.
176
177 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
178
179 This feature is available in Postfix 2.1 and later.
180
182 The time after which a failed address verification probe needs to be
183 refreshed.
184
185 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
186
187 This feature is available in Postfix 2.1 and later.
188
190 A safety limit that prevents address verification requests from over‐
191 whelming the Postfix queue. By default, the number of pending requests
192 is limited to 1/4 of the active queue maximum size (qmgr_mes‐
193 sage_active_limit). The queue manager enforces the limit by tempfailing
194 requests that exceed the limit. This affects only unknown addresses and
195 inactive addresses that have expired, because the verify(8) daemon
196 automatically refreshes an active address before it expires.
197
198 This feature is available in Postfix 3.1 and later.
199
201 How many times to query the verify(8) service for the completion of an
202 address verification request in progress.
203
204 By default, the Postfix SMTP server polls the verify(8) service up to
205 three times under non-overload conditions, and only once when under
206 overload. With Postfix version 2.5 and earlier, the SMTP server always
207 polls the verify(8) service up to three times by default.
208
209 Specify 1 to implement a crude form of greylisting, that is, always
210 defer the first delivery request for a new address.
211
212 Examples:
213
214 # Postfix <= 2.6 default
215 address_verify_poll_count = 3
216 # Poor man's greylisting
217 address_verify_poll_count = 1
218
219 This feature is available in Postfix 2.1 and later.
220
222 The delay between queries for the completion of an address verification
223 request in progress.
224
225 The default polling delay is 3 seconds.
226
227 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
228
229 This feature is available in Postfix 2.1 and later.
230
232 The time after which a successful probe expires from the address veri‐
233 fication cache.
234
235 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
236
237 This feature is available in Postfix 2.1 and later.
238
240 The time after which a successful address verification probe needs to
241 be refreshed. The address verification status is not updated when the
242 probe fails (optimistic caching).
243
244 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
245
246 This feature is available in Postfix 2.1 and later.
247
249 Overrides the relay_transport parameter setting for address verifica‐
250 tion probes.
251
252 This feature is available in Postfix 2.1 and later.
253
255 Overrides the relayhost parameter setting for address verification
256 probes. This information can be overruled with the transport(5) table.
257
258 This feature is available in Postfix 2.1 and later.
259
261 The sender address to use in address verification probes; prior to
262 Postfix 2.5 the default was "postmaster". To avoid problems with
263 address probes that are sent in response to address probes, the Postfix
264 SMTP server excludes the probe sender address from all SMTPD access
265 blocks.
266
267 Specify an empty value (address_verify_sender =) or <> if you want to
268 use the null sender address. Beware, some sites reject mail from <>,
269 even though RFCs require that such addresses be accepted.
270
271 Examples:
272
273 address_verify_sender = <>
274 address_verify_sender = postmaster@my.domain
275
276 This feature is available in Postfix 2.1 and later.
277
279 $sender_dependent_default_transport_maps)
280 Overrides the sender_dependent_default_transport_maps parameter setting
281 for address verification probes.
282
283 This feature is available in Postfix 2.7 and later.
284
286 dent_relayhost_maps)
287 Overrides the sender_dependent_relayhost_maps parameter setting for
288 address verification probes.
289
290 This feature is available in Postfix 2.3 and later.
291
293 The time between changes in the time-dependent portion of address veri‐
294 fication probe sender addresses. The time-dependent portion is appended
295 to the localpart of the address specified with the address_ver‐
296 ify_sender parameter. This feature is ignored when the probe sender
297 addresses is the null sender, i.e. the address_verify_sender value is
298 empty or <>.
299
300 Historically, the probe sender address was fixed. This has caused such
301 addresses to end up on spammer mailing lists, and has resulted in
302 wasted network and processing resources.
303
304 To enable time-dependent probe sender addresses, specify a non-zero
305 time value (an integral value plus an optional one-letter suffix that
306 specifies the time unit). Specify a value of at least several hours,
307 to avoid problems with senders that use greylisting. Avoid nice TTL
308 values, to make the result less predictable. Time units are: s (sec‐
309 onds), m (minutes), h (hours), d (days), w (weeks).
310
311 This feature is available in Postfix 2.9 and later.
312
314 The name of the verify(8) address verification service. This service
315 maintains the status of sender and/or recipient address verification
316 probes, and generates probes on request by other Postfix processes.
317
319 Overrides the transport_maps parameter setting for address verification
320 probes.
321
322 This feature is available in Postfix 2.1 and later.
323
325 Overrides the virtual_transport parameter setting for address verifica‐
326 tion probes.
327
328 This feature is available in Postfix 2.1 and later.
329
331 The alias databases for local(8) delivery that are updated with
332 "newaliases" or with "sendmail -bi".
333
334 This is a separate configuration parameter because not all the tables
335 specified with $alias_maps have to be local files.
336
337 Examples:
338
339 alias_database = hash:/etc/aliases
340 alias_database = hash:/etc/mail/aliases
341
343 The alias databases that are used for local(8) delivery. See aliases(5)
344 for syntax details. Specify zero or more "type:name" lookup tables,
345 separated by whitespace or comma. Tables will be searched in the speci‐
346 fied order until a match is found. Note: these lookups are recursive.
347
348 The default list is system dependent. On systems with NIS, the default
349 is to search the local alias database, then the NIS alias database.
350
351 If you change the alias database, run "postalias /etc/aliases" (or
352 wherever your system stores the mail alias file), or simply run
353 "newaliases" to build the necessary DBM or DB file.
354
355 The local(8) delivery agent disallows regular expression substitution
356 of $1 etc. in alias_maps, because that would open a security hole.
357
358 The local(8) delivery agent will silently ignore requests to use the
359 proxymap(8) server within alias_maps. Instead it will open the table
360 directly. Before Postfix version 2.2, the local(8) delivery agent will
361 terminate with a fatal error.
362
363 Examples:
364
365 alias_maps = hash:/etc/aliases, nis:mail.aliases
366 alias_maps = hash:/etc/aliases
367
369 Restrict local(8) mail delivery to external commands. The default is
370 to disallow delivery to "|command" in :include: files (see aliases(5)
371 for the text that defines this terminology).
372
373 Specify zero or more of: alias, forward or include, in order to allow
374 commands in aliases(5), .forward files or in :include: files, respec‐
375 tively.
376
377 Example:
378
379 allow_mail_to_commands = alias,forward,include
380
382 Restrict local(8) mail delivery to external files. The default is to
383 disallow "/file/name" destinations in :include: files (see aliases(5)
384 for the text that defines this terminology).
385
386 Specify zero or more of: alias, forward or include, in order to allow
387 "/file/name" destinations in aliases(5), .forward files and in
388 :include: files, respectively.
389
390 Example:
391
392 allow_mail_to_files = alias,forward,include
393
395 Allow a sender or recipient address to have `-' as the first character.
396 By default, this is not allowed, to avoid accidents with software that
397 passes email addresses via the command line. Such software would not be
398 able to distinguish a malicious address from a bona fide command-line
399 option. Although this can be prevented by inserting a "--" option ter‐
400 minator into the command line, this is difficult to enforce consis‐
401 tently and globally.
402
403 As of Postfix version 2.5, this feature is implemented by trivial-re‐
404 write(8). With earlier versions this feature was implemented by
405 qmgr(8) and was limited to recipient addresses only.
406
408 Enable the rewriting of the form "user%domain" to "user@domain". This
409 is enabled by default.
410
411 Note: as of Postfix version 2.2, message header address rewriting hap‐
412 pens only when one of the following conditions is true:
413
414 · The message is received with the Postfix sendmail(1) command,
415
416 · The message is received from a network client that matches
417 $local_header_rewrite_clients,
418
419 · The message is received from the network, and the
420 remote_header_rewrite_domain parameter specifies a non-empty
421 value.
422
423 To get the behavior before Postfix version 2.2, specify
424 "local_header_rewrite_clients = static:all".
425
426 Example:
427
428 allow_percent_hack = no
429
431 Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
432 from untrusted clients to destinations matching $relay_domains.
433
434 By default, this feature is turned off. This closes a nasty open relay
435 loophole where a backup MX host can be tricked into forwarding junk
436 mail to a primary MX host which then spams it out to the world.
437
438 This parameter also controls if non-local addresses with sender-speci‐
439 fied routing can match Postfix access tables. By default, such
440 addresses cannot match Postfix access tables, because the address is
441 ambiguous.
442
444 A list of non-default Postfix configuration directories that may be
445 specified with "-c config_directory" on the command line (in the case
446 of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environ‐
447 ment parameter.
448
449 This list must be specified in the default Postfix main.cf file, and
450 will be used by set-gid Postfix commands such as postqueue(1) and post‐
451 drop(1).
452
453 Specify absolute pathnames, separated by comma or space. Note: $name
454 expansion is not supported.
455
457 Always add (Resent-) From:, To:, Date: or Message-ID: headers when not
458 present. Postfix 2.6 and later add these headers only when clients
459 match the local_header_rewrite_clients parameter setting. Earlier
460 Postfix versions always add these headers; this may break DKIM signa‐
461 tures that cover non-existent headers. The undisclosed_recipi‐
462 ents_header parameter setting determines whether a To: header will be
463 added.
464
466 Optional address that receives a "blind carbon copy" of each message
467 that is received by the Postfix mail system.
468
469 Note: with Postfix 2.3 and later the BCC address is added as if it was
470 specified with NOTIFY=NONE. The sender will not be notified when the
471 BCC address is undeliverable, as long as all down-stream software
472 implements RFC 3461.
473
474 Note: with Postfix 2.2 and earlier the sender will be notified when the
475 BCC address is undeliverable.
476
477 Note: automatic BCC recipients are produced only for new mail. To
478 avoid mailer loops, automatic BCC recipients are not generated after
479 Postfix forwards mail internally, or after Postfix generates mail
480 itself.
481
483 The time unit over which client connection rates and other rates are
484 calculated.
485
486 This feature is implemented by the anvil(8) service which is available
487 in Postfix version 2.2 and later.
488
489 The default interval is relatively short. Because of the high frequency
490 of updates, the anvil(8) server uses volatile memory only. Thus, infor‐
491 mation is lost whenever the process terminates.
492
493 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
494 The default time unit is s (seconds).
495
497 How frequently the anvil(8) connection and rate limiting server logs
498 peak usage information.
499
500 This feature is available in Postfix 2.2 and later.
501
502 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
503 The default time unit is s (seconds).
504
506 With locally submitted mail, append the string "@$myorigin" to mail
507 addresses without domain information. With remotely submitted mail,
508 append the string "@$remote_header_rewrite_domain" instead.
509
510 Note 1: this feature is enabled by default and must not be turned off.
511 Postfix does not support domain-less addresses.
512
513 Note 2: with Postfix version 2.2, message header address rewriting hap‐
514 pens only when one of the following conditions is true:
515
516 · The message is received with the Postfix sendmail(1) command,
517
518 · The message is received from a network client that matches
519 $local_header_rewrite_clients,
520
521 · The message is received from the network, and the
522 remote_header_rewrite_domain parameter specifies a non-empty
523 value.
524
525 To get the behavior before Postfix version 2.2, specify
526 "local_header_rewrite_clients = static:all".
527
529 With locally submitted mail, append the string ".$mydomain" to
530 addresses that have no ".domain" information. With remotely submitted
531 mail, append the string ".$remote_header_rewrite_domain" instead.
532
533 Note 1: this feature is enabled by default. If disabled, users will not
534 be able to send mail to "user@partialdomainname" but will have to spec‐
535 ify full domain names instead.
536
537 Note 2: with Postfix version 2.2, message header address rewriting hap‐
538 pens only when one of the following conditions is true:
539
540 · The message is received with the Postfix sendmail(1) command,
541
542 · The message is received from a network client that matches
543 $local_header_rewrite_clients,
544
545 · The message is received from the network, and the
546 remote_header_rewrite_domain parameter specifies a non-empty
547 value.
548
549 To get the behavior before Postfix version 2.2, specify
550 "local_header_rewrite_clients = static:all".
551
553 How long the postkick(1) command waits for a request to enter the Post‐
554 fix daemon process input buffer before giving up.
555
556 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
557 The default time unit is s (seconds).
558
559 This feature is available in Postfix 2.1 and later.
560
562 List of users who are authorized to flush the queue.
563
564 By default, all users are allowed to flush the queue. Access is always
565 granted if the invoking user is the super-user or the $mail_owner user.
566 Otherwise, the real UID of the process is looked up in the system pass‐
567 word file, and access is granted only if the corresponding login name
568 is on the access list. The username "unknown" is used for processes
569 whose real UID is not found in the password file.
570
571 Specify a list of user names, "/file/name" or "type:table" patterns,
572 separated by commas and/or whitespace. The list is matched left to
573 right, and the search stops on the first match. A "/file/name" pattern
574 is replaced by its contents; a "type:table" lookup table is matched
575 when a name matches a lookup key (the lookup result is ignored). Con‐
576 tinue long lines by starting the next line with whitespace. Specify
577 "!pattern" to exclude a name from the list. The form "!/file/name" is
578 supported only in Postfix version 2.4 and later.
579
580 This feature is available in Postfix 2.2 and later.
581
583 List of users who are authorized to view the queue.
584
585 By default, all users are allowed to view the queue. Access is always
586 granted if the invoking user is the super-user or the $mail_owner user.
587 Otherwise, the real UID of the process is looked up in the system pass‐
588 word file, and access is granted only if the corresponding login name
589 is on the access list. The username "unknown" is used for processes
590 whose real UID is not found in the password file.
591
592 Specify a list of user names, "/file/name" or "type:table" patterns,
593 separated by commas and/or whitespace. The list is matched left to
594 right, and the search stops on the first match. A "/file/name" pattern
595 is replaced by its contents; a "type:table" lookup table is matched
596 when a name matches a lookup key (the lookup result is ignored). Con‐
597 tinue long lines by starting the next line with whitespace. Specify
598 "!pattern" to exclude a user name from the list. The form "!/file/name"
599 is supported only in Postfix version 2.4 and later.
600
601 This feature is available in Postfix 2.2 and later.
602
604 List of users who are authorized to submit mail with the sendmail(1)
605 command (and with the privileged postdrop(1) helper command).
606
607 By default, all users are allowed to submit mail. Otherwise, the real
608 UID of the process is looked up in the system password file, and access
609 is granted only if the corresponding login name is on the access list.
610 The username "unknown" is used for processes whose real UID is not
611 found in the password file. To deny mail submission access to all users
612 specify an empty list.
613
614 Specify a list of user names, "/file/name" or "type:table" patterns,
615 separated by commas and/or whitespace. The list is matched left to
616 right, and the search stops on the first match. A "/file/name" pattern
617 is replaced by its contents; a "type:table" lookup table is matched
618 when a name matches a lookup key (the lookup result is ignored). Con‐
619 tinue long lines by starting the next line with whitespace. Specify
620 "!pattern" to exclude a user name from the list. The form "!/file/name"
621 is supported only in Postfix version 2.4 and later.
622
623 Example:
624
625 authorized_submit_users = !www, static:all
626
627 This feature is available in Postfix 2.2 and later.
628
630 What remote SMTP clients are allowed to specify the XVERP command.
631 This command requests that mail be delivered one recipient at a time
632 with a per recipient return address.
633
634 By default, only trusted clients are allowed to specify XVERP.
635
636 This parameter was introduced with Postfix version 1.1. Postfix ver‐
637 sion 2.1 renamed this parameter to smtpd_authorized_verp_clients and
638 changed the default to none.
639
640 Specify a list of network/netmask patterns, separated by commas and/or
641 whitespace. The mask specifies the number of bits in the network part
642 of a host address. You can also specify hostnames or .domain names (the
643 initial dot causes the domain to match any name below it),
644 "/file/name" or "type:table" patterns. A "/file/name" pattern is
645 replaced by its contents; a "type:table" lookup table is matched when a
646 table entry matches a lookup string (the lookup result is ignored).
647 Continue long lines by starting the next line with whitespace. Specify
648 "!pattern" to exclude an address or network block from the list. The
649 form "!/file/name" is supported only in Postfix version 2.4 and later.
650
651 Note: IP version 6 address information must be specified inside [] in
652 the authorized_verp_clients value, and in files specified with
653 "/file/name". IP version 6 addresses contain the ":" character, and
654 would otherwise be confused with a "type:table" pattern.
655
657 Produce additional bounce(8) logfile records that can be read by Post‐
658 fix versions before 2.0. The current and more extensible "name = value"
659 format is needed in order to implement more sophisticated functional‐
660 ity.
661
662 This feature is available in Postfix 2.1 and later.
663
665 The per-table I/O buffer size for programs that create Berkeley DB hash
666 or btree tables. Specify a byte count.
667
668 This feature is available in Postfix 2.0 and later.
669
671 The per-table I/O buffer size for programs that read Berkeley DB hash
672 or btree tables. Specify a byte count.
673
674 This feature is available in Postfix 2.0 and later.
675
677 Where the Postfix SMTP client should deliver mail when it detects a
678 "mail loops back to myself" error condition. This happens when the
679 local MTA is the best SMTP mail exchanger for a destination not listed
680 in $mydestination, $inet_interfaces, $proxy_interfaces, $vir‐
681 tual_alias_domains, or $virtual_mailbox_domains. By default, the Post‐
682 fix SMTP client returns such mail as undeliverable.
683
684 Specify, for example, "best_mx_transport = local" to pass the mail from
685 the Postfix SMTP client to the local(8) delivery agent. You can specify
686 any message delivery "transport" or "transport:nexthop" that is defined
687 in the master.cf file. See the transport(5) manual page for the syntax
688 and meaning of "transport" or "transport:nexthop".
689
690 However, this feature is expensive because it ties up a Postfix SMTP
691 client process while the local(8) delivery agent is doing its work. It
692 is more efficient (for Postfix) to list all hosted domains in a table
693 or database.
694
696 Whether or not to use the local biff service. This service sends "new
697 mail" notifications to users who have requested new mail notification
698 with the UNIX command "biff y".
699
700 For compatibility reasons this feature is on by default. On systems
701 with lots of interactive users, the biff service can be a performance
702 drain. Specify "biff = no" in main.cf to disable.
703
705 Optional lookup tables for content inspection as specified in the
706 body_checks(5) manual page.
707
708 Note: with Postfix versions before 2.0, these rules inspect all content
709 after the primary message headers.
710
712 How much text in a message body segment (or attachment, if you prefer
713 to use that term) is subjected to body_checks inspection. The amount
714 of text is limited to avoid scanning huge attachments.
715
716 This feature is available in Postfix 2.0 and later.
717
719 The recipient of postmaster notifications with the message headers of
720 mail that Postfix did not deliver and of SMTP conversation transcripts
721 of mail that Postfix did not receive. This feature is enabled with the
722 notify_classes parameter.
723
725 Consider a bounce message as undeliverable, when delivery fails with a
726 temporary error, and the time in the queue has reached the
727 bounce_queue_lifetime limit. By default, this limit is the same as for
728 regular mail.
729
730 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
731 The default time unit is d (days).
732
733 Specify 0 when mail delivery should be tried only once.
734
735 This feature is available in Postfix 2.1 and later.
736
738 The name of the bounce(8) service. This service maintains a record of
739 failed delivery attempts and generates non-delivery notifications.
740
741 This feature is available in Postfix 2.0 and later.
742
744 The maximal amount of original message text that is sent in a
745 non-delivery notification. Specify a byte count. A message is returned
746 as either message/rfc822 (the complete original) or as
747 text/rfc822-headers (the headers only). With Postfix version 2.4 and
748 earlier, a message is always returned as message/rfc822 and is trun‐
749 cated when it exceeds the size limit.
750
751 Notes:
752
753 · If you increase this limit, then you should increase the
754 mime_nesting_limit value proportionally.
755
756 · Be careful when making changes. Excessively large values will
757 result in the loss of non-delivery notifications, when a bounce
758 message size exceeds a local or remote MTA's message size limit.
759
761 Pathname of a configuration file with bounce message templates. These
762 override the built-in templates of delivery status notification (DSN)
763 messages for undeliverable mail, for delayed mail, successful delivery,
764 or delivery verification. The bounce(5) manual page describes how to
765 edit and test template files.
766
767 Template message body text may contain $name references to Postfix con‐
768 figuration parameters. The result of $name expansion can be previewed
769 with "postconf -b file_name" before the file is placed into the Postfix
770 configuration directory.
771
772 This feature is available in Postfix 2.3 and later.
773
775 Enable interoperability with remote SMTP clients that implement an
776 obsolete version of the AUTH command (RFC 4954). Examples of such
777 clients are MicroSoft Outlook Express version 4 and MicroSoft Exchange
778 version 5.0.
779
780 Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
781 support in a non-standard way.
782
784 header_sender, header_recipient)
785 What addresses are subject to canonical_maps address mapping. By
786 default, canonical_maps address mapping is applied to envelope sender
787 and recipient addresses, and to header sender and header recipient
788 addresses.
789
790 Specify one or more of: envelope_sender, envelope_recipient,
791 header_sender, header_recipient
792
793 This feature is available in Postfix 2.2 and later.
794
796 Optional address mapping lookup tables for message headers and
797 envelopes. The mapping is applied to both sender and recipient
798 addresses, in both envelopes and in headers, as controlled with the
799 canonical_classes parameter. This is typically used to clean up dirty
800 addresses from legacy mail systems, or to replace login names by First‐
801 name.Lastname. The table format and lookups are documented in canoni‐
802 cal(5). For an overview of Postfix address manipulations see the
803 ADDRESS_REWRITING_README document.
804
805 Specify zero or more "type:name" lookup tables, separated by whitespace
806 or comma. Tables will be searched in the specified order until a match
807 is found. Note: these lookups are recursive.
808
809 If you use this feature, run "postmap /etc/postfix/canonical" to build
810 the necessary DBM or DB file after every change. The changes will
811 become visible after a minute or so. Use "postfix reload" to eliminate
812 the delay.
813
814 Note: with Postfix version 2.2, message header address mapping happens
815 only when message header address rewriting is enabled:
816
817 · The message is received with the Postfix sendmail(1) command,
818
819 · The message is received from a network client that matches
820 $local_header_rewrite_clients,
821
822 · The message is received from the network, and the
823 remote_header_rewrite_domain parameter specifies a non-empty
824 value.
825
826 To get the behavior before Postfix version 2.2, specify
827 "local_header_rewrite_clients = static:all".
828
829 Examples:
830
831 canonical_maps = dbm:/etc/postfix/canonical
832 canonical_maps = hash:/etc/postfix/canonical
833
835 The name of the cleanup(8) service. This service rewrites addresses
836 into the standard form, and performs canonical(5) address mapping and
837 virtual(5) aliasing.
838
839 This feature is available in Postfix 2.0 and later.
840
842 The location of all postfix administrative commands.
843
845 The local(8) delivery agent working directory for delivery to external
846 command. Failure to change directory causes the delivery to be
847 deferred.
848
849 The command_execution_directory value is not subject to Postfix config‐
850 uration parameter $name expansion. Instead, the following $name expan‐
851 sions are done on command_execution_directory before the directory is
852 used. Expansion happens in the context of the delivery request. The
853 result of $name expansion is filtered with the character set that is
854 specified with the execution_directory_expansion_filter parameter.
855
856 $user The recipient's username.
857
858 $shell The recipient's login shell pathname.
859
860 $home The recipient's home directory.
861
862 $recipient
863 The full recipient address.
864
865 $extension
866 The optional recipient address extension.
867
868 $domain
869 The recipient domain.
870
871 $local The entire recipient localpart.
872
873 $recipient_delimiter
874 The address extension delimiter that was found in the recipient
875 address (Postfix 2.11 and later), or the system-wide recipient
876 address extension delimiter (Postfix 2.10 and earlier).
877
878 ${name?value}
879 Expands to value when $name is non-empty.
880
881 ${name:value}
882 Expands to value when $name is empty.
883
884 Instead of $name you can also specify ${name} or $(name).
885
886 This feature is available in Postfix 2.2 and later.
887
889 Restrict the characters that the local(8) delivery agent allows in
890 $name expansions of $mailbox_command and $command_execution_directory.
891 Characters outside the allowed set are replaced by underscores.
892
894 Time limit for delivery to external commands. This limit is used by the
895 local(8) delivery agent, and is the default time limit for delivery by
896 the pipe(8) delivery agent.
897
898 Note: if you set this time limit to a large value you must update the
899 global ipc_timeout parameter as well.
900
902 A safety net that causes Postfix to run with backwards-compatible
903 default settings after an upgrade to a newer Postfix version.
904
905 With backwards compatibility turned on (the main.cf compatibility_level
906 value is less than the Postfix built-in value), Postfix looks for set‐
907 tings that are left at their implicit default value, and logs a message
908 when a backwards-compatible default setting is required.
909
910 using backwards-compatible default setting name=value
911 to [accept a specific client request]
912
913 using backwards-compatible default setting name=value
914 to [enable specific Postfix behavior]
915
916 See COMPATIBILITY_README for specific message details. If such a mes‐
917 sage is logged in the context of a legitimate request, the system
918 administrator should make the backwards-compatible setting permanent in
919 main.cf or master.cf, for example:
920
921 # postconf name=value
922 # postfix reload
923
924 When no more backwards-compatible settings need to be made permanent,
925 the administrator should turn off backwards compatibility by updating
926 the compatibility_level setting in main.cf:
927
928 # postconf compatibility_level=N
929 # postfix reload
930
931 For N specify the number that is logged in your postfix(1) warning mes‐
932 sage:
933
934 warning: To disable backwards compatibility use "postconf
935 compatibility_level=N" and "postfix reload"
936
937 This feature is available in Postfix 3.0 and later.
938
940 The default location of the Postfix main.cf and master.cf configuration
941 files. This can be overruled via the following mechanisms:
942
943 · The MAIL_CONFIG environment variable (daemon processes and com‐
944 mands).
945
946 · The "-c" command-line option (commands only).
947
948 With Postfix command that run with set-gid privileges, a config_direc‐
949 tory override requires either root privileges, or it requires that the
950 directory is listed with the alternate_config_directories parameter in
951 the default main.cf file.
952
954 After sending a "your message is delayed" notification, inform the
955 sender when the delay clears up. This can result in a sudden burst of
956 notifications at the end of a prolonged network outage, and is there‐
957 fore disabled by default.
958
959 See also: delay_warning_time.
960
961 This feature is available in Postfix 3.0 and later.
962
964 Time limit for connection cache connect, send or receive operations.
965 The time limit is enforced in the client.
966
967 This feature is available in Postfix 2.3 and later.
968
970 The name of the scache(8) connection cache service. This service main‐
971 tains a limited pool of cached sessions.
972
973 This feature is available in Postfix 2.2 and later.
974
976 How frequently the scache(8) server logs usage statistics with connec‐
977 tion cache hit and miss rates for logical destinations and for physical
978 endpoints.
979
981 The maximal time-to-live value that the scache(8) connection cache
982 server allows. Requests that specify a larger TTL will be stored with
983 the maximum allowed TTL. The purpose of this additional control is to
984 protect the infrastructure against careless people. The cache TTL is
985 already bounded by $max_idle.
986
988 After the message is queued, send the entire message to the specified
989 transport:destination. The transport name specifies the first field of
990 a mail delivery agent definition in master.cf; the syntax of the
991 next-hop destination is described in the manual page of the correspond‐
992 ing delivery agent. More information about external content filters is
993 in the Postfix FILTER_README file.
994
995 Notes:
996
997 · This setting has lower precedence than a FILTER action that is
998 specified in an access(5), header_checks(5) or body_checks(5)
999 table.
1000
1001 · The meaning of an empty next-hop filter destination is version
1002 dependent. Postfix 2.7 and later will use the recipient domain;
1003 earlier versions will use $myhostname. Specify "default_fil‐
1004 ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1005 earlier, or specify a content_filter value with an explicit
1006 next-hop destination.
1007
1009 Search path for Cyrus SASL application configuration files, currently
1010 used only to locate the $smtpd_sasl_path.conf file. Specify zero or
1011 more directories separated by a colon character, or an empty value to
1012 use Cyrus SASL's built-in search path.
1013
1014 This feature is available in Postfix 2.5 and later when compiled with
1015 Cyrus SASL 2.1.22 or later.
1016
1018 The directory with Postfix support programs and daemon programs. These
1019 should not be invoked directly by humans. The directory must be owned
1020 by root.
1021
1023 How a Postfix daemon process handles errors while opening lookup
1024 tables: gradual degradation or immediate termination.
1025
1026 no (default)
1027 Gradual degradation: a daemon process logs a message of type
1028 "error" and continues execution with reduced functionality. Fea‐
1029 tures that do not depend on the unavailable table will work nor‐
1030 mally, while features that depend on the table will result in a
1031 type "warning" message.
1032 When the notify_classes parameter value contains the "data"
1033 class, the Postfix SMTP server and client will report tran‐
1034 scripts of sessions with an error because a table is unavail‐
1035 able.
1036
1037 yes (historical behavior)
1038 Immediate termination: a daemon process logs a type "fatal" mes‐
1039 sage and terminates immediately. This option reduces the number
1040 of possible code paths through Postfix, and may therefore be
1041 slightly more secure than the default.
1042
1043 For the sake of sanity, the number of type "error" messages is limited
1044 to 13 over the lifetime of a daemon process.
1045
1046 This feature is available in Postfix 2.9 and later.
1047
1049 How much time a Postfix daemon process may take to handle a request
1050 before it is terminated by a built-in watchdog timer.
1051
1052 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1053 The default time unit is s (seconds).
1054
1056 The directory with Postfix-writable data files (for example: caches,
1057 pseudo-random numbers). This directory must be owned by the mail_owner
1058 account, and must not be shared with non-Postfix software.
1059
1060 This feature is available in Postfix 2.5 and later.
1061
1063 The increment in verbose logging level when a remote client or server
1064 matches a pattern in the debug_peer_list parameter.
1065
1067 Optional list of remote client or server hostname or network address
1068 patterns that cause the verbose logging level to increase by the amount
1069 specified in $debug_peer_level.
1070
1071 Specify domain names, network/netmask patterns, "/file/name" patterns
1072 or "type:table" lookup tables. The right-hand side result from
1073 "type:table" lookups is ignored.
1074
1075 Pattern matching of domain names is controlled by the presence or
1076 absence of "debug_peer_list" in the parent_domain_matches_subdomains
1077 parameter value.
1078
1079 Examples:
1080
1081 debug_peer_list = 127.0.0.1
1082 debug_peer_list = example.com
1083
1085 The external command to execute when a Postfix daemon program is
1086 invoked with the -D option.
1087
1088 Use "command .. & sleep 5" so that the debugger can attach before the
1089 process marches on. If you use an X-based debugger, be sure to set up
1090 your XAUTHORITY environment variable before starting Postfix.
1091
1092 Note: the command is subject to $name expansion, before it is passed to
1093 the default command interpreter. Specify "$$" to produce a single "$"
1094 character.
1095
1096 Example:
1097
1098 debugger_command =
1099 PATH=/usr/bin:/usr/X11R6/bin
1100 ddd $daemon_directory/$process_name $process_id & sleep 5
1101
1103 The default database type for use in newaliases(1), postalias(1) and
1104 postmap(1) commands. On many UNIX systems the default type is either
1105 dbm or hash. The default setting is frozen when the Postfix system is
1106 built.
1107
1108 Examples:
1109
1110 default_database_type = hash
1111 default_database_type = dbm
1112
1114 How often the Postfix queue manager's scheduler is allowed to preempt
1115 delivery of one message with another.
1116
1117 Each transport maintains a so-called "available delivery slot counter"
1118 for each message. One message can be preempted by another one when the
1119 other message can be delivered using no more delivery slots (i.e.,
1120 invocations of delivery agents) than the current message counter has
1121 accumulated (or will eventually accumulate - see about slot loans
1122 below). This parameter controls how often is the counter incremented -
1123 it happens after each default_delivery_slot_cost recipients have been
1124 delivered.
1125
1126 The cost of 0 is used to disable the preempting scheduling completely.
1127 The minimum value the scheduling algorithm can use is 2 - use it if you
1128 want to maximize the message throughput rate. Although there is no max‐
1129 imum, it doesn't make much sense to use values above say 50.
1130
1131 The only reason why the value of 2 is not the default is the way this
1132 parameter affects the delivery of mailing-list mail. In the worst case,
1133 delivery can take somewhere between (cost+1/cost) and (cost/cost-1)
1134 times more than if the preemptive scheduler was disabled. The default
1135 value of 5 turns out to provide reasonable message response times while
1136 making sure the mailing-list deliveries are not extended by more than
1137 20-25 percent even in the worst case.
1138
1139 Use transport_delivery_slot_cost to specify a transport-specific over‐
1140 ride, where transport is the master.cf name of the message delivery
1141 transport.
1142
1143 Examples:
1144
1145 default_delivery_slot_cost = 0
1146 default_delivery_slot_cost = 2
1147
1149 The default value for transport-specific _delivery_slot_discount set‐
1150 tings.
1151
1152 This parameter speeds up the moment when a message preemption can hap‐
1153 pen. Instead of waiting until the full amount of delivery slots
1154 required is available, the preemption can happen when transport_deliv‐
1155 ery_slot_discount percent of the required amount plus transport_deliv‐
1156 ery_slot_loan still remains to be accumulated. Note that the full
1157 amount will still have to be accumulated before another preemption can
1158 take place later.
1159
1160 Use transport_delivery_slot_discount to specify a transport-specific
1161 override, where transport is the master.cf name of the message delivery
1162 transport.
1163
1165 The default value for transport-specific _delivery_slot_loan settings.
1166
1167 This parameter speeds up the moment when a message preemption can hap‐
1168 pen. Instead of waiting until the full amount of delivery slots
1169 required is available, the preemption can happen when transport_deliv‐
1170 ery_slot_discount percent of the required amount plus transport_deliv‐
1171 ery_slot_loan still remains to be accumulated. Note that the full
1172 amount will still have to be accumulated before another preemption can
1173 take place later.
1174
1175 Use transport_delivery_slot_loan to specify a transport-specific over‐
1176 ride, where transport is the master.cf name of the message delivery
1177 transport.
1178
1180 Optional filter to replace the delivery status code or explanatory text
1181 of successful or unsuccessful deliveries. This does not allow the
1182 replacement of a successful status code (2.X.X) with an unsuccessful
1183 status code (4.X.X or 5.X.X) or vice versa.
1184
1185 Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
1186 recipient: when delivery is successful, when delivery is rejected with
1187 5XX, or when there are no more alternate MX or A destinations. Use
1188 smtp_reply_filter or lmtp_reply_filter to inspect responses for all
1189 delivery attempts.
1190
1191 The following parameters can be used to implement a filter for specific
1192 delivery agents: lmtp_delivery_status_filter, local_delivery_sta‐
1193 tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1194 virtual_delivery_status_filter. These parameters support the same fil‐
1195 ter syntax as described here.
1196
1197 Specify zero or more "type:table" lookup table names, separated by
1198 comma or whitespace. For each successful or unsuccessful delivery to a
1199 recipient, the tables are queried in the specified order with one line
1200 of text that is structured as follows:
1201
1202 enhanced-status-code SPACE explanatory-text
1203
1204 The first table match wins. The lookup result must have the same struc‐
1205 ture as the query, a successful status code (2.X.X) must be replaced
1206 with a successful status code, an unsuccessful status code (4.X.X or
1207 5.X.X) must be replaced with an unsuccessful status code, and the
1208 explanatory text field must be non-empty. Other results will result in
1209 a warning.
1210
1211 Example 1: convert specific soft TLS errors into hard errors, by over‐
1212 riding the first number in the enhanced status code.
1213
1214 /etc/postfix/main.cf:
1215 smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
1216
1217 /etc/postfix/smtp_dsn_filter:
1218 /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
1219 5$1
1220 /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
1221 5$1
1222 # Do not change the following into hard bounces. They may
1223 # result from a local configuration problem.
1224 # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
1225 # 4.\d+.\d+ TLS is required, but unavailable
1226 # 4.\d+.\d+ Cannot start TLS: handshake failure
1227
1228 Example 2: censor the per-recipient delivery status text so that it
1229 does not reveal the destination command or filename when a remote
1230 sender requests confirmation of successful delivery.
1231
1232 /etc/postfix/main.cf:
1233 local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
1234
1235 /etc/postfix/local_dsn_filter:
1236 /^(2\S+ delivered to file).+/ $1
1237 /^(2\S+ delivered to command).+/ $1
1238
1239 Notes:
1240
1241 · This feature will NOT override the soft_bounce safety net.
1242
1243 · This feature will change the enhanced status code and text that
1244 is logged to the maillog file, and that is reported to the
1245 sender in delivery confirmation or non-delivery notifications.
1246
1247 This feature is available in Postfix 3.0 and later.
1248
1250 How many pseudo-cohorts must suffer connection or handshake failure
1251 before a specific destination is considered unavailable (and further
1252 delivery is suspended). Specify zero to disable this feature. A desti‐
1253 nation's pseudo-cohort failure count is reset each time a delivery com‐
1254 pletes without connection or handshake failure for that specific desti‐
1255 nation.
1256
1257 A pseudo-cohort is the number of deliveries equal to a destination's
1258 delivery concurrency.
1259
1260 Use transport_destination_concurrency_failed_cohort_limit to specify a
1261 transport-specific override, where transport is the master.cf name of
1262 the message delivery transport.
1263
1264 This feature is available in Postfix 2.5. The default setting is com‐
1265 patible with earlier Postfix versions.
1266
1268 The default maximal number of parallel deliveries to the same destina‐
1269 tion. This is the default limit for delivery via the lmtp(8), pipe(8),
1270 smtp(8) and virtual(8) delivery agents. With per-destination recipient
1271 limit > 1, a destination is a domain, otherwise it is a recipient.
1272
1273 Use transport_destination_concurrency_limit to specify a transport-spe‐
1274 cific override, where transport is the master.cf name of the message
1275 delivery transport.
1276
1278 The per-destination amount of delivery concurrency negative feedback,
1279 after a delivery completes with a connection or handshake failure.
1280 Feedback values are in the range 0..1 inclusive. With negative feed‐
1281 back, concurrency is decremented at the beginning of a sequence of
1282 length 1/feedback. This is unlike positive feedback, where concurrency
1283 is incremented at the end of a sequence of length 1/feedback.
1284
1285 As of Postfix version 2.5, negative feedback cannot reduce delivery
1286 concurrency to zero. Instead, a destination is marked dead (further
1287 delivery suspended) after the failed pseudo-cohort count reaches
1288 $default_destination_concurrency_failed_cohort_limit (or $trans‐
1289 port_destination_concurrency_failed_cohort_limit). To make the sched‐
1290 uler completely immune to connection or handshake failures, specify a
1291 zero feedback value and a zero failed pseudo-cohort limit.
1292
1293 Specify one of the following forms:
1294
1295 number
1296
1297 number / number
1298 Constant feedback. The value must be in the range 0..1 inclu‐
1299 sive. The default setting of "1" is compatible with Postfix
1300 versions before 2.5, where a destination's delivery concurrency
1301 is throttled down to zero (and further delivery suspended) after
1302 a single failed pseudo-cohort.
1303
1304 number / concurrency
1305 Variable feedback of "number / (delivery concurrency)". The
1306 number must be in the range 0..1 inclusive. With number equal to
1307 "1", a destination's delivery concurrency is decremented by 1
1308 after each failed pseudo-cohort.
1309
1310 A pseudo-cohort is the number of deliveries equal to a destination's
1311 delivery concurrency.
1312
1313 Use transport_destination_concurrency_negative_feedback to specify a
1314 transport-specific override, where transport is the master.cf name of
1315 the message delivery transport.
1316
1317 This feature is available in Postfix 2.5. The default setting is com‐
1318 patible with earlier Postfix versions.
1319
1321 The per-destination amount of delivery concurrency positive feedback,
1322 after a delivery completes without connection or handshake failure.
1323 Feedback values are in the range 0..1 inclusive. The concurrency
1324 increases until it reaches the per-destination maximal concurrency
1325 limit. With positive feedback, concurrency is incremented at the end of
1326 a sequence with length 1/feedback. This is unlike negative feedback,
1327 where concurrency is decremented at the start of a sequence of length
1328 1/feedback.
1329
1330 Specify one of the following forms:
1331
1332 number
1333
1334 number / number
1335 Constant feedback. The value must be in the range 0..1 inclu‐
1336 sive. The default setting of "1" is compatible with Postfix ver‐
1337 sions before 2.5, where a destination's delivery concurrency
1338 doubles after each successful pseudo-cohort.
1339
1340 number / concurrency
1341 Variable feedback of "number / (delivery concurrency)". The
1342 number must be in the range 0..1 inclusive. With number equal to
1343 "1", a destination's delivery concurrency is incremented by 1
1344 after each successful pseudo-cohort.
1345
1346 A pseudo-cohort is the number of deliveries equal to a destination's
1347 delivery concurrency.
1348
1349 Use transport_destination_concurrency_positive_feedback to specify a
1350 transport-specific override, where transport is the master.cf name of
1351 the message delivery transport.
1352
1353 This feature is available in Postfix 2.5 and later.
1354
1356 The default amount of delay that is inserted between individual message
1357 deliveries to the same destination and over the same message delivery
1358 transport. Specify a non-zero value to rate-limit those message deliv‐
1359 eries to at most one per $default_destination_rate_delay.
1360
1361 The resulting behavior depends on the value of the corresponding
1362 per-destination recipient limit.
1363
1364 · With a corresponding per-destination recipient limit > 1, the
1365 rate delay specifies the time between deliveries to the same
1366 domain. Different domains are delivered in parallel, subject to
1367 the process limits specified in master.cf.
1368
1369 · With a corresponding per-destination recipient limit equal to 1,
1370 the rate delay specifies the time between deliveries to the same
1371 recipient. Different recipients are delivered in parallel, sub‐
1372 ject to the process limits specified in master.cf.
1373
1374 To enable the delay, specify a non-zero time value (an integral value
1375 plus an optional one-letter suffix that specifies the time unit).
1376
1377 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1378 The default time unit is s (seconds).
1379
1380 NOTE: the delay is enforced by the queue manager. The delay timer state
1381 does not survive "postfix reload" or "postfix stop".
1382
1383 Use transport_destination_rate_delay to specify a transport-specific
1384 override, where transport is the master.cf name of the message delivery
1385 transport.
1386
1387 NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1388 tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1389 fix from deferring all mail for the same destination after only one
1390 connection or handshake error.
1391
1392 This feature is available in Postfix 2.5 and later.
1393
1395 The default maximal number of recipients per message delivery. This is
1396 the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
1397 virtual(8) delivery agents.
1398
1399 Setting this parameter to a value of 1 affects email deliveries as fol‐
1400 lows:
1401
1402 · It changes the meaning of the corresponding per-destination con‐
1403 currency limit, from concurrency of deliveries to the same
1404 domain into concurrency of deliveries to the same recipient.
1405 Different recipients are delivered in parallel, subject to the
1406 process limits specified in master.cf.
1407
1408 · It changes the meaning of the corresponding per-destination rate
1409 delay, from the delay between deliveries to the same domain into
1410 the delay between deliveries to the same recipient. Again, dif‐
1411 ferent recipients are delivered in parallel, subject to the
1412 process limits specified in master.cf.
1413
1414 · It changes the meaning of other corresponding per-destination
1415 settings in a similar manner, from settings for delivery to the
1416 same domain into settings for delivery to the same recipient.
1417
1418 Use transport_destination_recipient_limit to specify a transport-spe‐
1419 cific override, where transport is the master.cf name of the message
1420 delivery transport.
1421
1423 The default value for the extra per-transport limit imposed on the num‐
1424 ber of in-memory recipients. This extra recipient space is reserved
1425 for the cases when the Postfix queue manager's scheduler preempts one
1426 message with another and suddenly needs some extra recipients slots for
1427 the chosen message in order to avoid performance degradation.
1428
1429 Use transport_extra_recipient_limit to specify a transport-specific
1430 override, where transport is the master.cf name of the message delivery
1431 transport.
1432
1434 When a content_filter or FILTER request specifies no explicit next-hop
1435 destination, use $default_filter_nexthop instead; when that value is
1436 empty, use the domain in the recipient address. Specify "default_fil‐
1437 ter_nexthop = $myhostname" for compatibility with Postfix version 2.6
1438 and earlier, or specify an explicit next-hop destination with each con‐
1439 tent_filter value or FILTER action.
1440
1441 This feature is available in Postfix 2.7 and later.
1442
1444 How many recipients a message must have in order to invoke the Postfix
1445 queue manager's scheduling algorithm at all. Messages which would
1446 never accumulate at least this many delivery slots (subject to slot
1447 cost parameter as well) are never preempted.
1448
1449 Use transport_minimum_delivery_slots to specify a transport-specific
1450 override, where transport is the master.cf name of the message delivery
1451 transport.
1452
1454 The default rights used by the local(8) delivery agent for delivery to
1455 external file or command. These rights are used when delivery is
1456 requested from an aliases(5) file that is owned by root, or when deliv‐
1457 ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE
1458 POSTFIX OWNER.
1459
1461 The default maximal number of Postfix child processes that provide a
1462 given service. This limit can be overruled for specific services in the
1463 master.cf file.
1464
1466 The default Postfix SMTP server response template for a request that is
1467 rejected by an RBL-based restriction. This template can be overruled by
1468 specific entries in the optional rbl_reply_maps lookup table.
1469
1470 This feature is available in Postfix 2.0 and later.
1471
1472 The template does not support Postfix configuration parameter $name
1473 substitution. Instead, it supports exactly one level of $name substitu‐
1474 tion for the following attributes:
1475
1476 $client
1477 The client hostname and IP address, formatted as name[address].
1478
1479 $client_address
1480 The client IP address.
1481
1482 $client_name
1483 The client hostname or "unknown". See
1484 reject_unknown_client_hostname for more details.
1485
1486 $reverse_client_name
1487 The client hostname from address->name lookup, or "unknown".
1488 See reject_unknown_reverse_client_hostname for more details.
1489
1490 $helo_name
1491 The hostname given in HELO or EHLO command or empty string.
1492
1493 $rbl_class
1494 The blacklisted entity type: Client host, Helo command, Sender
1495 address, or Recipient address.
1496
1497 $rbl_code
1498 The numerical SMTP response code, as specified with the
1499 maps_rbl_reject_code configuration parameter. Note: The numeri‐
1500 cal SMTP response code is required, and must appear at the start
1501 of the reply. With Postfix version 2.3 and later this informa‐
1502 tion may be followed by an RFC 3463 enhanced status code.
1503
1504 $rbl_domain
1505 The RBL domain where $rbl_what is blacklisted.
1506
1507 $rbl_reason
1508 The reason why $rbl_what is blacklisted, or an empty string.
1509
1510 $rbl_what
1511 The entity that is blacklisted (an IP address, a hostname, a
1512 domain name, or an email address whose domain was blacklisted).
1513
1514 $recipient
1515 The recipient address or <> in case of the null address.
1516
1517 $recipient_domain
1518 The recipient domain or empty string.
1519
1520 $recipient_name
1521 The recipient address localpart or <> in case of null address.
1522
1523 $sender
1524 The sender address or <> in case of the null address.
1525
1526 $sender_domain
1527 The sender domain or empty string.
1528
1529 $sender_name
1530 The sender address localpart or <> in case of the null address.
1531
1532 ${name?text}
1533 Expands to `text' if $name is not empty.
1534
1535 ${name:text}
1536 Expands to `text' if $name is empty.
1537
1538 Instead of $name you can also specify ${name} or $(name).
1539
1540 Note: when an enhanced status code is specified in an RBL reply tem‐
1541 plate, it is subject to modification. The following transformations
1542 are needed when the same RBL reply template is used for client, helo,
1543 sender, or recipient access restrictions.
1544
1545 · When rejecting a sender address, the Postfix SMTP server will
1546 transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
1547 corresponding sender DSN status, and vice versa.
1548
1549 · When rejecting non-address information (such as the HELO command
1550 argument or the client hostname/address), the Postfix SMTP
1551 server will transform a sender or recipient DSN status into a
1552 generic non-address DSN status (e.g., 4.0.0).
1553
1555 The default per-transport upper limit on the number of in-memory recip‐
1556 ients. These limits take priority over the global qmgr_message_recipi‐
1557 ent_limit after the message has been assigned to the respective trans‐
1558 ports. See also default_extra_recipient_limit and qmgr_message_recipi‐
1559 ent_minimum.
1560
1561 Use transport_recipient_limit to specify a transport-specific override,
1562 where transport is the master.cf name of the message delivery trans‐
1563 port.
1564
1566 The default per-transport maximum delay between recipients refills.
1567 When not all message recipients fit into the memory at once, keep load‐
1568 ing more of them at least once every this many seconds. This is used
1569 to make sure the recipients are refilled in timely manner even when
1570 $default_recipient_refill_limit is too high for too slow deliveries.
1571
1572 Use transport_recipient_refill_delay to specify a transport-specific
1573 override, where transport is the master.cf name of the message delivery
1574 transport.
1575
1576 This feature is available in Postfix 2.4 and later.
1577
1579 The default per-transport limit on the number of recipients refilled at
1580 once. When not all message recipients fit into the memory at once,
1581 keep loading more of them in batches of at least this many at a time.
1582 See also $default_recipient_refill_delay, which may result in recipient
1583 batches lower than this when this limit is too high for too slow deliv‐
1584 eries.
1585
1586 Use transport_recipient_refill_limit to specify a transport-specific
1587 override, where transport is the master.cf name of the message delivery
1588 transport.
1589
1590 This feature is available in Postfix 2.4 and later.
1591
1593 The default mail delivery transport and next-hop destination for desti‐
1594 nations that do not match $mydestination, $inet_interfaces,
1595 $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
1596 $relay_domains. This information can be overruled with the
1597 sender_dependent_default_transport_maps parameter and with the trans‐
1598 port(5) table.
1599
1600 In order of decreasing precedence, the nexthop destination is taken
1601 from $sender_dependent_default_transport_maps, $default_transport,
1602 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
1603 domain.
1604
1605 Specify a string of the form transport:nexthop, where transport is the
1606 name of a mail delivery transport defined in master.cf. The :nexthop
1607 destination is optional; its syntax is documented in the manual page of
1608 the corresponding delivery agent.
1609
1610 Example:
1611
1612 default_transport = uucp:relayhostname
1613
1615 The default amount of delay that is inserted between individual message
1616 deliveries over the same message delivery transport, regardless of des‐
1617 tination. Specify a non-zero value to rate-limit those message deliver‐
1618 ies to at most one per $default_transport_rate_delay.
1619
1620 Use transport_transport_rate_delay to specify a transport-specific
1621 override, where the initial transport is the master.cf name of the mes‐
1622 sage delivery transport.
1623
1624 Example: throttle outbound SMTP mail to at most 3 deliveries per
1625 minute.
1626
1627 /etc/postfix/main.cf:
1628 smtp_transport_rate_delay = 20s
1629
1630 To enable the delay, specify a non-zero time value (an integral value
1631 plus an optional one-letter suffix that specifies the time unit).
1632
1633 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1634 The default time unit is s (seconds).
1635
1636 NOTE: the delay is enforced by the queue manager.
1637
1638 This feature is available in Postfix 3.1 and later.
1639
1641 The two default VERP delimiter characters. These are used when no
1642 explicit delimiters are specified with the SMTP XVERP command or with
1643 the "sendmail -V" command-line option. Specify characters that are
1644 allowed by the verp_delimiter_filter setting.
1645
1646 This feature is available in Postfix 1.1 and later.
1647
1649 The numerical Postfix SMTP server response code when a remote SMTP
1650 client request is rejected by the "defer" restriction.
1651
1652 Do not change this unless you have a complete understanding of RFC
1653 5321.
1654
1656 The name of the defer service. This service is implemented by the
1657 bounce(8) daemon and maintains a record of failed delivery attempts and
1658 generates non-delivery notifications.
1659
1660 This feature is available in Postfix 2.0 and later.
1661
1663 The names of message delivery transports that should not deliver mail
1664 unless someone issues "sendmail -q" or equivalent. Specify zero or more
1665 names of mail delivery transports names that appear in the first field
1666 of master.cf.
1667
1668 Example:
1669
1670 defer_transports = smtp
1671
1673 The maximal number of digits after the decimal point when logging
1674 sub-second delay values. Specify a number in the range 0..6.
1675
1676 Large delay values are rounded off to an integral number seconds; delay
1677 values below the delay_logging_resolution_limit are logged as "0", and
1678 delay values under 100s are logged with at most two-digit precision.
1679
1680 The format of the "delays=a/b/c/d" logging is as follows:
1681
1682 · a = time from message arrival to last active queue entry
1683
1684 · b = time from last active queue entry to connection setup
1685
1686 · c = time in connection setup, including DNS, EHLO and STARTTLS
1687
1688 · d = time in message transmission
1689
1690 This feature is available in Postfix 2.3 and later.
1691
1693 The recipient of postmaster notifications with the message headers of
1694 mail that cannot be delivered within $delay_warning_time time units.
1695
1696 See also: delay_warning_time, notify_classes.
1697
1699 The time after which the sender receives a copy of the message headers
1700 of mail that is still queued. The confirm_delay_cleared parameter con‐
1701 trols sender notification when the delay clears up.
1702
1703 To enable this feature, specify a non-zero time value (an integral
1704 value plus an optional one-letter suffix that specifies the time unit).
1705
1706 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1707 The default time unit is h (hours).
1708
1709 See also: delay_notice_recipient, notify_classes, con‐
1710 firm_delay_cleared.
1711
1713 The maximal number of attempts to acquire an exclusive lock on a mail‐
1714 box file or bounce(8) logfile.
1715
1717 The time between attempts to acquire an exclusive lock on a mailbox
1718 file or bounce(8) logfile.
1719
1720 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
1721 The default time unit is s (seconds).
1722
1724 Make the queue manager's feedback algorithm verbose for performance
1725 analysis purposes.
1726
1727 This feature is available in Postfix 2.5 and later.
1728
1730 Automatically detect 8BITMIME body content by looking at Content-Trans‐
1731 fer-Encoding: message headers; historically, this behavior was
1732 hard-coded to be "always on".
1733
1734 This feature is available in Postfix 2.5 and later.
1735
1737 Disable DNS lookups in the Postfix SMTP and LMTP clients. When dis‐
1738 abled, hosts are looked up with the getaddrinfo() system library rou‐
1739 tine which normally also looks in /etc/hosts. As of Postfix 2.11, this
1740 parameter is deprecated; use smtp_dns_support_level instead.
1741
1742 DNS lookups are enabled by default.
1743
1745 Turn off MIME processing while receiving mail. This means that no spe‐
1746 cial treatment is given to Content-Type: message headers, and that all
1747 text after the initial message headers is considered to be part of the
1748 message body.
1749
1750 This feature is available in Postfix 2.0 and later.
1751
1752 Mime input processing is enabled by default, and is needed in order to
1753 recognize MIME headers in message content.
1754
1756 Disable the conversion of 8BITMIME format to 7BIT format. Mime output
1757 conversion is needed when the destination does not advertise 8BITMIME
1758 support.
1759
1760 This feature is available in Postfix 2.0 and later.
1761
1763 Disable sending one bounce report per recipient.
1764
1765 The default, one per recipient, is what ezmlm needs.
1766
1767 This feature is available in Postfix 1.1 and later.
1768
1770 Disable the SMTP VRFY command. This stops some techniques used to har‐
1771 vest email addresses.
1772
1773 Example:
1774
1775 disable_vrfy_command = no
1776
1778 Enable a workaround for future libc incompatibility. The Postfix imple‐
1779 mentation of RFC 2308 negative reply caching relies on the promise that
1780 res_query() and res_search() invoke res_send(), which returns the
1781 server response in an application buffer even if the requested record
1782 does not exist. If this promise is broken, specify "yes" to enable a
1783 workaround for DNS reputation lookups.
1784
1785 This feature is available in Postfix 3.1 and later.
1786
1788 A debugging aid to artificially delay DNS responses.
1789
1790 This feature is available in Postfix 2.8.
1791
1793 The name of the dnsblog(8) service entry in master.cf. This service
1794 performs DNS white/blacklist lookups.
1795
1796 This feature is available in Postfix 2.8 and later.
1797
1799 Don't remove queue files and save them to the "saved" mail queue. This
1800 is a debugging aid. To inspect the envelope information and content of
1801 a Postfix queue file, use the postcat(1) command.
1802
1804 The sender address of postmaster notifications that are generated by
1805 the mail system. All mail to this address is silently discarded, in
1806 order to terminate mail bounce loops.
1807
1809 The maximal number of addresses remembered by the address duplicate
1810 filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
1811 queue displays.
1812
1814 The sender_dependent_default_transport_maps search string that will be
1815 used instead of the null sender address.
1816
1817 This feature is available in Postfix 2.7 and later.
1818
1820 The recipient of mail addressed to the null address. Postfix does not
1821 accept such addresses in SMTP commands, but they may still be created
1822 locally as the result of configuration or software error.
1823
1825 The sender_dependent_relayhost_maps search string that will be used
1826 instead of the null sender address.
1827
1828 This feature is available in Postfix 2.5 and later. With earlier ver‐
1829 sions, sender_dependent_relayhost_maps lookups were skipped for the
1830 null sender address.
1831
1833 Report mail delivery errors to the address specified with the non-stan‐
1834 dard Errors-To: message header, instead of the envelope sender address
1835 (this feature is removed with Postfix version 2.2, is turned off by
1836 default with Postfix version 2.1, and is always turned on with older
1837 Postfix versions).
1838
1840 Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
1841 converting UTF-8 domain names to/from the ASCII form that is used for
1842 DNS lookups. Specify "yes" for compatibility with Postfix <= 3.1 (not
1843 recommended). This affects the conversion of domain names that contain
1844 for example the German sz and the Greek zeta. See http://uni‐
1845 code.org/cldr/utility/idna.jsp for more examples.
1846
1847 This feature is available in Postfix 3.2 and later.
1848
1850 Enable long, non-repeating, queue IDs (queue file names). The benefit
1851 of non-repeating names is simpler logfile analysis and easier queue
1852 migration (there is no need to run "postsuper" to change queue file
1853 names that don't match their message file inode number).
1854
1855 Note: see below for how to convert long queue file names to Postfix <=
1856 2.8.
1857
1858 Changing the parameter value to "yes" has the following effects:
1859
1860 · Existing queue file names are not affected.
1861
1862 · New queue files are created with names such as 3Pt2mN2VXxznjll.
1863 These are encoded in a 52-character alphabet that contains dig‐
1864 its (0-9), upper-case letters (B-Z) and lower-case letters
1865 (b-z). For safety reasons the vowels (AEIOUaeiou) are excluded
1866 from the alphabet. The name format is: 6 or more characters for
1867 the time in seconds, 4 characters for the time in microseconds,
1868 the 'z'; the remainder is the file inode number encoded in the
1869 first 51 characters of the 52-character alphabet.
1870
1871 · New messages have a Message-ID header with queueID@myhostname.
1872
1873 · The mailq (postqueue -p) output has a wider Queue ID column.
1874 The number of whitespace-separated fields is not changed.
1875
1876 · The hash_queue_depth algorithm uses the first characters of the
1877 queue file creation time in microseconds, after conversion into
1878 hexadecimal representation. This produces the same queue hashing
1879 behavior as if the queue file name was created with
1880 "enable_long_queue_ids = no".
1881
1882 Changing the parameter value to "no" has the following effects:
1883
1884 · Existing long queue file names are renamed to the short form
1885 (while running "postfix reload" or "postsuper").
1886
1887 · New queue files are created with names such as C3CD21F3E90 from
1888 a hexadecimal alphabet that contains digits (0-9) and upper-case
1889 letters (A-F). The name format is: 5 characters for the time in
1890 microseconds; the remainder is the file inode number.
1891
1892 · New messages have a Message-ID header with YYYYMMDDHH‐
1893 MMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the year,
1894 month, day, hour, minute and second.
1895
1896 · The mailq (postqueue -p) output has the same format as with
1897 Postfix <= 2.8.
1898
1899 · The hash_queue_depth algorithm uses the first characters of the
1900 queue file name, with the hexadecimal representation of the file
1901 creation time in microseconds.
1902
1903 Before migration to Postfix <= 2.8, the following commands are required
1904 to convert long queue file names into short names:
1905
1906 # postfix stop
1907 # postconf enable_long_queue_ids=no
1908 # postsuper
1909
1910 Repeat the postsuper command until it reports no more queue file name
1911 changes.
1912
1913 This feature is available in Postfix 2.9 and later.
1914
1916 Enable support for the original recipient address after an address is
1917 rewritten to a different address (for example with aliasing or with
1918 canonical mapping).
1919
1920 The original recipient address is used as follows:
1921
1922 Final delivery
1923 With "enable_original_recipient = yes", the original recipient
1924 address is stored in the X-Original-To message header. This
1925 header may be used to distinguish between different recipients
1926 that share the same mailbox.
1927
1928 Recipient deduplication
1929 With "enable_original_recipient = yes", the cleanup(8) daemon
1930 performs duplicate recipient elimination based on the content of
1931 (original recipient, maybe-rewritten recipient) pairs. Other‐
1932 wise, the cleanup(8) daemon performs duplicate recipient elimi‐
1933 nation based only on the maybe-rewritten recipient address.
1934
1935 Note: with Postfix <= 3.2 the "setting enable_original_recipient = no"
1936 breaks address verification for addresses that are aliased or otherwise
1937 rewritten (Postfix is unable to store the address verification result
1938 under the original probe destination address; instead, it can store the
1939 result only under the rewritten address).
1940
1941 This feature is available in Postfix 2.1 and later. Postfix version 2.0
1942 behaves as if this parameter is always set to yes. Postfix versions
1943 before 2.0 have no support for the original recipient address.
1944
1946 The recipient of postmaster notifications about mail delivery problems
1947 that are caused by policy, resource, software or protocol errors.
1948 These notifications are enabled with the notify_classes parameter.
1949
1951 The name of the error(8) pseudo delivery agent. This service always
1952 returns mail as undeliverable.
1953
1954 This feature is available in Postfix 2.0 and later.
1955
1957 Restrict the characters that the local(8) delivery agent allows in
1958 $name expansions of $command_execution_directory. Characters outside
1959 the allowed set are replaced by underscores.
1960
1961 This feature is available in Postfix 2.2 and later.
1962
1964 When delivering to an alias "aliasname" that has an "owner-aliasname"
1965 companion alias, set the envelope sender address to the expansion of
1966 the "owner-aliasname" alias. Normally, Postfix sets the envelope
1967 sender address to the name of the "owner-aliasname" alias.
1968
1970 The list of environment variables that a Postfix process will export to
1971 non-Postfix processes. The TZ variable is needed for sane time keeping
1972 on System-V-ish systems.
1973
1974 Specify a list of names and/or name=value pairs, separated by white‐
1975 space or comma. Specify "{ name=value }" to protect whitespace or comma
1976 in parameter values (whitespace after the opening "{" and before the
1977 closing "}" is ignored). The form name=value is supported with Postfix
1978 version 2.1 and later; the use of {} is supported with Postfix 3.0 and
1979 later.
1980
1981 Example:
1982
1983 export_environment = TZ PATH=/bin:/usr/bin
1984
1986 The maximal number of recipient addresses that Postfix will extract
1987 from message headers when mail is submitted with "sendmail -t".
1988
1989 This feature was removed in Postfix version 2.1.
1990
1992 Optional list of relay hosts for SMTP destinations that can't be found
1993 or that are unreachable. With Postfix 2.3 this parameter is renamed to
1994 smtp_fallback_relay.
1995
1996 By default, mail is returned to the sender when a destination is not
1997 found, and delivery is deferred when a destination is unreachable.
1998
1999 The fallback relays must be SMTP destinations. Specify a domain, host,
2000 host:port, [host]:port, [address] or [address]:port; the form [host]
2001 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
2002 fix will try them in the specified order.
2003
2004 Note: before Postfix 2.2, do not use the fallback_relay feature when
2005 relaying mail for a backup or primary MX domain. Mail would loop
2006 between the Postfix MX host and the fallback_relay host when the final
2007 destination is unavailable.
2008
2009 · In main.cf specify "relay_transport = relay",
2010
2011 · In master.cf specify "-o fallback_relay =" (i.e., empty) at the
2012 end of the relay entry.
2013
2014 · In transport maps, specify "relay:nexthop..." as the right-hand
2015 side for backup or primary MX domain entries.
2016
2017 Postfix version 2.2 and later will not use the fallback_relay feature
2018 for destinations that it is MX host for.
2019
2021 Optional message delivery transport that the local(8) delivery agent
2022 should use for names that are not found in the aliases(5) or UNIX pass‐
2023 word database.
2024
2025 The precedence of local(8) delivery features from high to low is:
2026 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2027 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2028 tory, fallback_transport_maps, fallback_transport and luser_relay.
2029
2031 Optional lookup tables with per-recipient message delivery transports
2032 for recipients that the local(8) delivery agent could not find in the
2033 aliases(5) or UNIX password database.
2034
2035 The precedence of local(8) delivery features from high to low is:
2036 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2037 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2038 tory, fallback_transport_maps, fallback_transport and luser_relay.
2039
2040 For safety reasons, this feature does not allow $number substitutions
2041 in regular expression maps.
2042
2043 This feature is available in Postfix 2.3 and later.
2044
2046 Optional list of destinations that are eligible for per-destination
2047 logfiles with mail that is queued to those destinations.
2048
2049 By default, Postfix maintains "fast flush" logfiles only for destina‐
2050 tions that the Postfix SMTP server is willing to relay to (i.e. the
2051 default is: "fast_flush_domains = $relay_domains"; see the
2052 relay_domains parameter in the postconf(5) manual).
2053
2054 Specify a list of hosts or domains, "/file/name" patterns or "type:ta‐
2055 ble" lookup tables, separated by commas and/or whitespace. Continue
2056 long lines by starting the next line with whitespace. A "/file/name"
2057 pattern is replaced by its contents; a "type:table" lookup table is
2058 matched when the domain or its parent domain appears as lookup key.
2059
2060 Pattern matching of domain names is controlled by the presence or
2061 absence of "fast_flush_domains" in the parent_domain_matches_subdomains
2062 parameter value.
2063
2064 Specify "fast_flush_domains =" (i.e., empty) to disable the feature
2065 altogether.
2066
2068 The time after which an empty per-destination "fast flush" logfile is
2069 deleted.
2070
2071 You can specify the time as a number, or as a number followed by a let‐
2072 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
2073 d=days, w=weeks. The default time unit is days.
2074
2076 The time after which a non-empty but unread per-destination "fast
2077 flush" logfile needs to be refreshed. The contents of a logfile are
2078 refreshed by requesting delivery of all messages listed in the logfile.
2079
2080 You can specify the time as a number, or as a number followed by a let‐
2081 ter that indicates the time unit: s=seconds, m=minutes, h=hours,
2082 d=days, w=weeks. The default time unit is hours.
2083
2085 Force specific internal tests to fail, to test the handling of errors
2086 that are difficult to reproduce otherwise.
2087
2089 The name of the flush(8) service. This service maintains per-destina‐
2090 tion logfiles with the queue file names of mail that is queued for
2091 those destinations.
2092
2093 This feature is available in Postfix 2.0 and later.
2094
2096 The maximal number of attempts to fork() a child process.
2097
2099 The delay between attempts to fork() a child process.
2100
2101 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2102 The default time unit is s (seconds).
2103
2105 Restrict the characters that the local(8) delivery agent allows in
2106 $name expansions of $forward_path. Characters outside the allowed set
2107 are replaced by underscores.
2108
2110 The local(8) delivery agent search list for finding a .forward file
2111 with user-specified delivery methods. The first file that is found is
2112 used.
2113
2114 The forward_path value is not subject to Postfix configuration parame‐
2115 ter $name expansion. Instead, the following $name expansions are done
2116 on forward_path before the search actually happens. The result of
2117 $name expansion is filtered with the character set that is specified
2118 with the forward_expansion_filter parameter.
2119
2120 $user The recipient's username.
2121
2122 $shell The recipient's login shell pathname.
2123
2124 $home The recipient's home directory.
2125
2126 $recipient
2127 The full recipient address.
2128
2129 $extension
2130 The optional recipient address extension.
2131
2132 $domain
2133 The recipient domain.
2134
2135 $local The entire recipient localpart.
2136
2137 $recipient_delimiter
2138 The address extension delimiter that was found in the recipient
2139 address (Postfix 2.11 and later), or the system-wide recipient
2140 address extension delimiter (Postfix 2.10 and earlier).
2141
2142 ${name?value}
2143 Expands to value when $name is non-empty.
2144
2145 ${name:value}
2146 Expands to value when $name is empty.
2147
2148 Instead of $name you can also specify ${name} or $(name).
2149
2150 Examples:
2151
2152 forward_path = /var/forward/$user
2153 forward_path =
2154 /var/forward/$user/.forward$recipient_delimiter$extension,
2155 /var/forward/$user/.forward
2156
2158 Update the local(8) delivery agent's idea of the Delivered-To: address
2159 (see prepend_delivered_header) only once, at the start of a delivery
2160 attempt; do not update the Delivered-To: address while expanding
2161 aliases or .forward files.
2162
2163 This feature is available in Postfix 2.3 and later. With older Postfix
2164 releases, the behavior is as if this parameter is set to "no". The old
2165 setting can be expensive with deeply nested aliases or .forward files.
2166 When an alias or .forward file changes the Delivered-To: address, it
2167 ties up one queue file and one cleanup process instance while mail is
2168 being forwarded.
2169
2171 The number of subdirectory levels for queue directories listed with the
2172 hash_queue_names parameter. Queue hashing is implemented by creating
2173 one or more levels of directories with one-character names. Origi‐
2174 nally, these directory names were equal to the first characters of the
2175 queue file name, with the hexadecimal representation of the file cre‐
2176 ation time in microseconds.
2177
2178 With long queue file names, queue hashing produces the same results as
2179 with short names. The file creation time in microseconds is converted
2180 into hexadecimal form before the result is used for queue hashing. The
2181 base 16 encoding gives finer control over the number of subdirectories
2182 than is possible with the base 52 encoding of long queue file names.
2183
2184 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2185 cute the command "postfix reload".
2186
2188 The names of queue directories that are split across multiple subdirec‐
2189 tory levels.
2190
2191 Before Postfix version 2.2, the default list of hashed queues was sig‐
2192 nificantly larger. Claims about improvements in file system technology
2193 suggest that hashing of the incoming and active queues is no longer
2194 needed. Fewer hashed directories speed up the time needed to restart
2195 Postfix.
2196
2197 After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2198 cute the command "postfix reload".
2199
2201 The maximal number of address tokens are allowed in an address message
2202 header. Information that exceeds the limit is discarded. The limit is
2203 enforced by the cleanup(8) server.
2204
2206 Optional lookup tables for content inspection of primary non-MIME mes‐
2207 sage headers, as specified in the header_checks(5) manual page.
2208
2210 The format of the Postfix-generated From: header. This setting affects
2211 the appearance of 'full name' information when a local program such as
2212 /bin/mail submits a message without From: header through the Postfix
2213 sendmail(1) command.
2214
2215 Specify one of the following:
2216
2217 standard (default)
2218 Produce a header formatted as "From: name <address>". This is
2219 the default as of Postfix 3.3.
2220
2221 obsolete
2222 Produce a header formatted as "From: address (name)". This is
2223 the behavior prior to Postfix 3.3.
2224
2225 Notes:
2226
2227 · Postfix generates the format "From: address" when name informa‐
2228 tion is unavailable or the envelope sender address is empty.
2229 This is the same behavior as prior to Postfix 3.3.
2230
2231 · In the standard form, the name will be quoted if it contains
2232 specials as defined in RFC 5322, or the "!%" address operators.
2233
2234 · The Postfix sendmail(1) command gets name information from the
2235 -F command-line option, from the NAME environment variable, or
2236 from the UNIX password file.
2237
2238 This feature is available in Postfix 3.3 and later.
2239
2241 The maximal amount of memory in bytes for storing a message header. If
2242 a header is larger, the excess is discarded. The limit is enforced by
2243 the cleanup(8) server.
2244
2246 Log warnings about problematic configuration settings, and provide
2247 helpful suggestions.
2248
2249 This feature is available in Postfix 2.0 and later.
2250
2252 Optional pathname of a mailbox file relative to a local(8) user's home
2253 directory.
2254
2255 Specify a pathname ending in "/" for qmail-style delivery.
2256
2257 The precedence of local(8) delivery features from high to low is:
2258 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
2259 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
2260 tory, fallback_transport_maps, fallback_transport and luser_relay.
2261
2262 Examples:
2263
2264 home_mailbox = Mailbox
2265 home_mailbox = Maildir/
2266
2268 The maximal number of Received: message headers that is allowed in the
2269 primary message headers. A message that exceeds the limit is bounced,
2270 in order to stop a mailer loop.
2271
2273 The location of Postfix HTML files that describe how to build, config‐
2274 ure or operate a specific Postfix subsystem or feature.
2275
2277 Ignore DNS MX lookups that produce no response. By default, the Post‐
2278 fix SMTP client defers delivery and tries again after some delay. This
2279 behavior is required by the SMTP standard.
2280
2281 Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
2282 instead. This violates the SMTP standard and can result in mis-delivery
2283 of mail.
2284
2286 The list of environment parameters that a privileged Postfix process
2287 will import from a non-Postfix parent process, or name=value environ‐
2288 ment overrides. Unprivileged utilities will enforce the name=value
2289 overrides, but otherwise will not change their process environment.
2290 Examples of relevant parameters:
2291
2292 TZ May be needed for sane time keeping on most System-V-ish sys‐
2293 tems.
2294
2295 DISPLAY
2296 Needed for debugging Postfix daemons with an X-windows debugger.
2297
2298 XAUTHORITY
2299 Needed for debugging Postfix daemons with an X-windows debugger.
2300
2301 MAIL_CONFIG
2302 Needed to make "postfix -c" work.
2303
2304 Specify a list of names and/or name=value pairs, separated by white‐
2305 space or comma. Specify "{ name=value }" to protect whitespace or comma
2306 in parameter values (whitespace after the opening "{" and before the
2307 closing "}" is ignored). The form name=value is supported with Postfix
2308 version 2.1 and later; the use of {} is supported with Postfix 3.0 and
2309 later.
2310
2312 Time to pause before accepting a new message, when the message arrival
2313 rate exceeds the message delivery rate. This feature is turned on by
2314 default (it's disabled on SCO UNIX due to an SCO bug).
2315
2316 With the default 100 Postfix SMTP server process limit, "in_flow_delay
2317 = 1s" limits the mail inflow to 100 messages per second above the num‐
2318 ber of messages delivered per second.
2319
2320 Specify 0 to disable the feature. Valid delays are 0..10.
2321
2323 The network interface addresses that this mail system receives mail on.
2324 Specify "all" to receive mail on all network interfaces (default), and
2325 "loopback-only" to receive mail on loopback network interfaces only
2326 (Postfix version 2.2 and later). The parameter also controls delivery
2327 of mail to user@[ip.address].
2328
2329 Note 1: you need to stop and start Postfix when this parameter changes.
2330
2331 Note 2: address information may be enclosed inside [], but this form is
2332 not required here.
2333
2334 When inet_interfaces specifies just one IPv4 and/or IPv6 address that
2335 is not a loopback address, the Postfix SMTP client will use this
2336 address as the IP source address for outbound mail. Support for IPv6 is
2337 available in Postfix version 2.2 and later.
2338
2339 On a multi-homed firewall with separate Postfix instances listening on
2340 the "inside" and "outside" interfaces, this can prevent each instance
2341 from being able to reach remote SMTP servers on the "other side" of the
2342 firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential
2343 problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2344 lem for IPv6.
2345
2346 A better solution for multi-homed firewalls is to leave inet_interfaces
2347 at the default value and instead use explicit IP addresses in the mas‐
2348 ter.cf SMTP server definitions. This preserves the Postfix SMTP
2349 client's loop detection, by ensuring that each side of the firewall
2350 knows that the other IP address is still the same host. Setting
2351 $inet_interfaces to a single IPv4 and/or IPV6 address is primarily use‐
2352 ful with virtual hosting of domains on secondary IP addresses, when
2353 each IP address serves a different domain (and has a different $myhost‐
2354 name setting).
2355
2356 See also the proxy_interfaces parameter, for network addresses that are
2357 forwarded to Postfix by way of a proxy or address translator.
2358
2359 Examples:
2360
2361 inet_interfaces = all (DEFAULT)
2362 inet_interfaces = loopback-only (Postfix version 2.2 and later)
2363 inet_interfaces = 127.0.0.1
2364 inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2365 inet_interfaces = 192.168.1.2, 127.0.0.1
2366
2368 The Internet protocols Postfix will attempt to use when making or
2369 accepting connections. Specify one or more of "ipv4" or "ipv6", sepa‐
2370 rated by whitespace or commas. The form "all" is equivalent to "ipv4,
2371 ipv6" or "ipv4", depending on whether the operating system implements
2372 IPv6.
2373
2374 With Postfix 2.8 and earlier the default is "ipv4". For backwards com‐
2375 patibility with these releases, the Postfix 2.9 and later upgrade pro‐
2376 cedure appends an explicit "inet_protocols = ipv4" setting to main.cf
2377 when no explicit setting is present. This compatibility workaround will
2378 be phased out as IPv6 deployment becomes more common.
2379
2380 This feature is available in Postfix 2.2 and later.
2381
2382 Note: you MUST stop and start Postfix after changing this parameter.
2383
2384 On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2385 will also accept IPv4 connections, even when IPv4 is turned off with
2386 the inet_protocols parameter. On systems with IPV6_V6ONLY support,
2387 Postfix will use separate server sockets for IPv6 and IPv4, and each
2388 will accept only connections for the corresponding protocol.
2389
2390 When IPv4 support is enabled via the inet_protocols parameter, Postfix
2391 will look up DNS type A records, and will convert IPv4-in-IPv6 client
2392 IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
2393 The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
2394 3493).
2395
2396 When IPv6 support is enabled via the inet_protocols parameter, Postfix
2397 will do DNS type AAAA record lookups.
2398
2399 When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
2400 will choose the protocol as specified with the smtp_address_preference
2401 parameter. Postfix versions before 2.8 attempt to connect via IPv6
2402 before attempting to use IPv4.
2403
2404 Examples:
2405
2406 inet_protocols = ipv4
2407 inet_protocols = all (DEFAULT)
2408 inet_protocols = ipv6
2409 inet_protocols = ipv4, ipv6
2410
2412 The initial per-destination concurrency level for parallel delivery to
2413 the same destination. With per-destination recipient limit > 1, a des‐
2414 tination is a domain, otherwise it is a recipient.
2415
2416 Use transport_initial_destination_concurrency to specify a trans‐
2417 port-specific override, where transport is the master.cf name of the
2418 message delivery transport (Postfix 2.5 and later).
2419
2420 Warning: with concurrency of 1, one bad message can be enough to block
2421 all mail to a site.
2422
2424 What categories of Postfix-generated mail are subject to before-queue
2425 content inspection by non_smtpd_milters, header_checks and body_checks.
2426 Specify zero or more of the following, separated by whitespace or
2427 comma.
2428
2429 bounce Inspect the content of delivery status notifications.
2430
2431 notify Inspect the content of postmaster notifications by the smtp(8)
2432 and smtpd(8) processes.
2433
2434 NOTE: It's generally not safe to enable content inspection of Post‐
2435 fix-generated email messages. The user is warned.
2436
2437 This feature is available in Postfix 2.3 and later.
2438
2440 The numerical Postfix SMTP server response code when the client HELO or
2441 EHLO command parameter is rejected by the reject_invalid_helo_hostname
2442 restriction.
2443
2444 Do not change this unless you have a complete understanding of RFC
2445 5321.
2446
2448 The time after which a client closes an idle internal communication
2449 channel. The purpose is to allow Postfix daemon processes to terminate
2450 voluntarily after they become idle. This is used, for example, by the
2451 Postfix address resolving and rewriting clients.
2452
2453 With Postfix 2.4 the default value was reduced from 100s to 5s.
2454
2455 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2456 The default time unit is s (seconds).
2457
2459 The time limit for sending or receiving information over an internal
2460 communication channel. The purpose is to break out of deadlock situa‐
2461 tions. If the time limit is exceeded the software aborts with a fatal
2462 error.
2463
2464 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2465 The default time unit is s (seconds).
2466
2468 The time after which a client closes an active internal communication
2469 channel. The purpose is to allow Postfix daemon processes to terminate
2470 voluntarily after reaching their client limit. This is used, for exam‐
2471 ple, by the Postfix address resolving and rewriting clients.
2472
2473 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2474 The default time unit is s (seconds).
2475
2476 This feature is available in Postfix 2.1 and later.
2477
2479 Upon input, long lines are chopped up into pieces of at most this
2480 length; upon delivery, long lines are reconstructed.
2481
2483 The initial OpenLDAP LMDB database size limit in bytes. Each time a
2484 database becomes full, its size limit is doubled.
2485
2486 This feature is available in Postfix 2.11 and later.
2487
2489 The LMTP-specific version of the smtp_address_preference configuration
2490 parameter. See there for details.
2491
2492 This feature is available in Postfix 2.8 and later.
2493
2495 The LMTP-specific version of the smtp_address_verify_target configura‐
2496 tion parameter. See there for details.
2497
2498 This feature is available in Postfix 3.0 and later.
2499
2501 When a remote LMTP server announces no DSN support, assume that the
2502 server performs final delivery, and send "delivered" delivery status
2503 notifications instead of "relayed". The default setting is backwards
2504 compatible to avoid the infinitesimal possibility of breaking existing
2505 LMTP-based content filters.
2506
2508 The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2509 tion parameter. See there for details.
2510
2511 This feature is available in Postfix 3.3 and later.
2512
2514 The LMTP-specific version of the smtp_bind_address configuration param‐
2515 eter. See there for details.
2516
2517 This feature is available in Postfix 2.3 and later.
2518
2520 The LMTP-specific version of the smtp_bind_address6 configuration
2521 parameter. See there for details.
2522
2523 This feature is available in Postfix 2.3 and later.
2524
2526 The LMTP-specific version of the smtp_body_checks configuration parame‐
2527 ter. See there for details.
2528
2529 This feature is available in Postfix 2.5 and later.
2530
2532 Keep Postfix LMTP client connections open for up to $max_idle seconds.
2533 When the LMTP client receives a request for the same connection the
2534 connection is reused.
2535
2536 This parameter is available in Postfix version 2.2 and earlier. With
2537 Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
2538 lmtp_connection_cache_destinations, or lmtp_connection_re‐
2539 use_time_limit.
2540
2541 The effectiveness of cached connections will be determined by the num‐
2542 ber of remote LMTP servers in use, and the concurrency limit specified
2543 for the Postfix LMTP client. Cached connections are closed under any of
2544 the following conditions:
2545
2546 · The Postfix LMTP client idle time limit is reached. This limit
2547 is specified with the Postfix max_idle configuration parameter.
2548
2549 · A delivery request specifies a different destination than the
2550 one currently cached.
2551
2552 · The per-process limit on the number of delivery requests is
2553 reached. This limit is specified with the Postfix max_use con‐
2554 figuration parameter.
2555
2556 · Upon the onset of another delivery request, the remote LMTP
2557 server associated with the current session does not respond to
2558 the RSET command.
2559
2560 Most of these limitations have been with the Postfix a connection cache
2561 that is shared among multiple LMTP client programs.
2562
2564 The LMTP-specific version of the smtp_cname_overrides_servername con‐
2565 figuration parameter. See there for details.
2566
2567 This feature is available in Postfix 2.3 and later.
2568
2570 The Postfix LMTP client time limit for completing a TCP connection, or
2571 zero (use the operating system built-in time limit). When no connec‐
2572 tion can be made within the deadline, the LMTP client tries the next
2573 address on the mail exchanger list.
2574
2575 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2576 The default time unit is s (seconds).
2577
2578 Example:
2579
2580 lmtp_connect_timeout = 30s
2581
2583 The LMTP-specific version of the smtp_connection_cache_destinations
2584 configuration parameter. See there for details.
2585
2586 This feature is available in Postfix 2.3 and later.
2587
2589 The LMTP-specific version of the smtp_connection_cache_on_demand con‐
2590 figuration parameter. See there for details.
2591
2592 This feature is available in Postfix 2.3 and later.
2593
2595 The LMTP-specific version of the smtp_connection_cache_time_limit con‐
2596 figuration parameter. See there for details.
2597
2598 This feature is available in Postfix 2.3 and later.
2599
2601 The LMTP-specific version of the smtp_connection_reuse_count_limit con‐
2602 figuration parameter. See there for details.
2603
2604 This feature is available in Postfix 2.11 and later.
2605
2607 The LMTP-specific version of the smtp_connection_reuse_time_limit con‐
2608 figuration parameter. See there for details.
2609
2610 This feature is available in Postfix 2.3 and later.
2611
2613 The Postfix LMTP client time limit for sending the LMTP ".", and for
2614 receiving the remote LMTP server response. When no response is
2615 received within the deadline, a warning is logged that the mail may be
2616 delivered multiple times.
2617
2618 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2619 The default time unit is s (seconds).
2620
2622 The Postfix LMTP client time limit for sending the LMTP DATA command,
2623 and for receiving the remote LMTP server response.
2624
2625 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2626 The default time unit is s (seconds).
2627
2629 The Postfix LMTP client time limit for sending the LMTP message con‐
2630 tent. When the connection stalls for more than $lmtp_data_xfer_timeout
2631 the LMTP client terminates the transfer.
2632
2633 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2634 The default time unit is s (seconds).
2635
2637 The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2638 figuration parameter. See there for details.
2639
2640 This feature is available in Postfix 2.3 and later.
2641
2643 The LMTP-specific version of the smtp_delivery_status_filter configura‐
2644 tion parameter. See there for details.
2645
2646 This feature is available in Postfix 3.0 and later.
2647
2649 rency_limit)
2650 The maximal number of parallel deliveries to the same destination via
2651 the lmtp message delivery transport. This limit is enforced by the
2652 queue manager. The message delivery transport name is the first field
2653 in the entry in the master.cf file.
2654
2656 ent_limit)
2657 The maximal number of recipients per message for the lmtp message
2658 delivery transport. This limit is enforced by the queue manager. The
2659 message delivery transport name is the first field in the entry in the
2660 master.cf file.
2661
2662 Setting this parameter to a value of 1 changes the meaning of lmtp_des‐
2663 tination_concurrency_limit from concurrency per domain into concurrency
2664 per recipient.
2665
2667 Lookup tables, indexed by the remote LMTP server address, with case
2668 insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
2669 that the Postfix LMTP client will ignore in the LHLO response from a
2670 remote LMTP server. See lmtp_discard_lhlo_keywords for details. The ta‐
2671 ble is not indexed by hostname for consistency with smtpd_dis‐
2672 card_ehlo_keyword_address_maps.
2673
2674 This feature is available in Postfix 2.3 and later.
2675
2677 A case insensitive list of LHLO keywords (pipelining, starttls, auth,
2678 etc.) that the Postfix LMTP client will ignore in the LHLO response
2679 from a remote LMTP server.
2680
2681 This feature is available in Postfix 2.3 and later.
2682
2683 Notes:
2684
2685 · Specify the silent-discard pseudo keyword to prevent this action
2686 from being logged.
2687
2688 · Use the lmtp_discard_lhlo_keyword_address_maps feature to dis‐
2689 card LHLO keywords selectively.
2690
2692 Optional filter for Postfix LMTP client DNS lookup results. See
2693 smtp_dns_reply_filter for details including an example.
2694
2695 This feature is available in Postfix 3.0 and later.
2696
2698 The LMTP-specific version of the smtp_dns_resolver_options configura‐
2699 tion parameter. See there for details.
2700
2701 This feature is available in Postfix 2.8 and later.
2702
2704 The LMTP-specific version of the smtp_dns_support_level configuration
2705 parameter. See there for details.
2706
2707 This feature is available in Postfix 2.11 and later.
2708
2710 The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2711 ter. See there for details.
2712
2713 This feature is available in Postfix 2.3 and later.
2714
2716 Optional list of relay hosts for LMTP destinations that can't be found
2717 or that are unreachable. In main.cf elements are separated by white‐
2718 space or commas.
2719
2720 By default, mail is returned to the sender when a destination is not
2721 found, and delivery is deferred when a destination is unreachable.
2722
2723 The fallback relays must be TCP destinations, specified without a lead‐
2724 ing "inet:" prefix. Specify a host or host:port. Since MX lookups do
2725 not apply with LMTP, there is no need to use the "[host]" or
2726 "[host]:port" forms. If you specify multiple LMTP destinations, Post‐
2727 fix will try them in the specified order.
2728
2729 This feature is available in Postfix 3.1 and later.
2730
2732 The LMTP-specific version of the smtp_generic_maps configuration param‐
2733 eter. See there for details.
2734
2735 This feature is available in Postfix 2.3 and later.
2736
2738 The LMTP-specific version of the smtp_header_checks configuration
2739 parameter. See there for details.
2740
2741 This feature is available in Postfix 2.5 and later.
2742
2744 The LMTP-specific version of the smtp_host_lookup configuration parame‐
2745 ter. See there for details.
2746
2747 This feature is available in Postfix 2.3 and later.
2748
2750 The hostname to send in the LMTP LHLO command.
2751
2752 The default value is the machine hostname. Specify a hostname or
2753 [ip.add.re.ss].
2754
2755 This information can be specified in the main.cf file for all LMTP
2756 clients, or it can be specified in the master.cf file for a specific
2757 client, for example:
2758
2759 /etc/postfix/master.cf:
2760 mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2761
2762 This feature is available in Postfix 2.3 and later.
2763
2765 The Postfix LMTP client time limit for sending the LHLO command, and
2766 for receiving the initial remote LMTP server response.
2767
2768 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2769 The default time unit is s (seconds).
2770
2772 The LMTP-specific version of the smtp_line_length_limit configuration
2773 parameter. See there for details.
2774
2775 This feature is available in Postfix 2.3 and later.
2776
2778 The Postfix LMTP client time limit for sending the MAIL FROM command,
2779 and for receiving the remote LMTP server response.
2780
2781 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2782 The default time unit is s (seconds).
2783
2785 The LMTP-specific version of the smtp_mime_header_checks configuration
2786 parameter. See there for details.
2787
2788 This feature is available in Postfix 2.5 and later.
2789
2791 The LMTP-specific version of the smtp_mx_address_limit configuration
2792 parameter. See there for details.
2793
2794 This feature is available in Postfix 2.3 and later.
2795
2797 The LMTP-specific version of the smtp_mx_session_limit configuration
2798 parameter. See there for details.
2799
2800 This feature is available in Postfix 2.3 and later.
2801
2803 The LMTP-specific version of the smtp_nested_header_checks configura‐
2804 tion parameter. See there for details.
2805
2806 This feature is available in Postfix 2.5 and later.
2807
2809 The LMTP-specific version of the smtp_per_record_deadline configuration
2810 parameter. See there for details.
2811
2812 This feature is available in Postfix 2.9 and later.
2813
2815 The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2816 uration parameter. See there for details.
2817
2818 This feature is available in Postfix 2.3 and later.
2819
2821 The LMTP-specific version of the smtp_pix_workaround_maps configuration
2822 parameter. See there for details.
2823
2824 This feature is available in Postfix 2.4 and later.
2825
2827 The LMTP-specific version of the smtp_pix_workaround_threshold_time
2828 configuration parameter. See there for details.
2829
2830 This feature is available in Postfix 2.3 and later.
2831
2833 The LMTP-specific version of the smtp_pix_workaround configuration
2834 parameter. See there for details.
2835
2836 This feature is available in Postfix 2.4 and later.
2837
2839 The Postfix LMTP client time limit for sending the QUIT command, and
2840 for receiving the remote LMTP server response.
2841
2842 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2843 The default time unit is s (seconds).
2844
2846 The LMTP-specific version of the smtp_quote_rfc821_envelope configura‐
2847 tion parameter. See there for details.
2848
2849 This feature is available in Postfix 2.3 and later.
2850
2852 The LMTP-specific version of the smtp_randomize_addresses configuration
2853 parameter. See there for details.
2854
2855 This feature is available in Postfix 2.3 and later.
2856
2858 The Postfix LMTP client time limit for sending the RCPT TO command, and
2859 for receiving the remote LMTP server response.
2860
2861 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2862 The default time unit is s (seconds).
2863
2865 The LMTP-specific version of the smtp_reply_filter configuration param‐
2866 eter. See there for details.
2867
2868 This feature is available in Postfix 2.7 and later.
2869
2871 The Postfix LMTP client time limit for sending the RSET command, and
2872 for receiving the remote LMTP server response. The LMTP client sends
2873 RSET in order to finish a recipient address probe, or to verify that a
2874 cached connection is still alive.
2875
2876 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
2877 The default time unit is s (seconds).
2878
2880 The LMTP-specific version of the smtp_sasl_auth_cache_name configura‐
2881 tion parameter. See there for details.
2882
2883 This feature is available in Postfix 2.5 and later.
2884
2886 The LMTP-specific version of the smtp_sasl_auth_cache_time configura‐
2887 tion parameter. See there for details.
2888
2889 This feature is available in Postfix 2.5 and later.
2890
2892 Enable SASL authentication in the Postfix LMTP client.
2893
2895 The LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2896 tion parameter. See there for details.
2897
2898 This feature is available in Postfix 2.5 and later.
2899
2901 The LMTP-specific version of the smtp_sasl_mechanism_filter configura‐
2902 tion parameter. See there for details.
2903
2904 This feature is available in Postfix 2.3 and later.
2905
2907 Optional Postfix LMTP client lookup tables with one username:password
2908 entry per host or domain. If a remote host or domain has no user‐
2909 name:password entry, then the Postfix LMTP client will not attempt to
2910 authenticate to the remote host.
2911
2913 Implementation-specific information that is passed through to the SASL
2914 plug-in implementation that is selected with lmtp_sasl_type. Typically
2915 this specifies the name of a configuration file or rendezvous point.
2916
2917 This feature is available in Postfix 2.3 and later.
2918
2920 SASL security options; as of Postfix 2.3 the list of available features
2921 depends on the SASL client implementation that is selected with
2922 lmtp_sasl_type.
2923
2924 The following security features are defined for the cyrus client SASL
2925 implementation:
2926
2927 noplaintext
2928 Disallow authentication methods that use plaintext passwords.
2929
2930 noactive
2931 Disallow authentication methods that are vulnerable to non-dic‐
2932 tionary active attacks.
2933
2934 nodictionary
2935 Disallow authentication methods that are vulnerable to passive
2936 dictionary attack.
2937
2938 noanonymous
2939 Disallow anonymous logins.
2940
2941 Example:
2942
2943 lmtp_sasl_security_options = noplaintext
2944
2946 The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2947 uration parameter. See there for details.
2948
2949 This feature is available in Postfix 2.3 and later.
2950
2952 rity_options)
2953 The LMTP-specific version of the smtp_sasl_tls_verified_secu‐
2954 rity_options configuration parameter. See there for details.
2955
2956 This feature is available in Postfix 2.3 and later.
2957
2959 The SASL plug-in type that the Postfix LMTP client should use for
2960 authentication. The available types are listed with the "postconf -A"
2961 command.
2962
2963 This feature is available in Postfix 2.3 and later.
2964
2966 The LMTP-specific version of the smtp_send_dummy_mail_auth configura‐
2967 tion parameter. See there for details.
2968
2969 This feature is available in Postfix 2.9 and later.
2970
2972 Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
2973 server response announces XFORWARD support. This allows an lmtp(8)
2974 delivery agent, used for content filter message injection, to forward
2975 the name, address, protocol and HELO name of the original client to the
2976 content filter and downstream queuing LMTP server. Before you change
2977 the value to yes, it is best to make sure that your content filter sup‐
2978 ports this command.
2979
2980 This feature is available in Postfix 2.1 and later.
2981
2983 The LMTP-specific version of the smtp_sender_dependent_authentication
2984 configuration parameter. See there for details.
2985
2986 This feature is available in Postfix 2.3 and later.
2987
2989 The LMTP-specific version of the smtp_skip_5xx_greeting configuration
2990 parameter. See there for details.
2991
2992 This feature is available in Postfix 2.3 and later.
2993
2995 Wait for the response to the LMTP QUIT command.
2996
2998 The LMTP-specific version of the smtp_starttls_timeout configuration
2999 parameter. See there for details.
3000
3001 This feature is available in Postfix 2.3 and later.
3002
3004 The default TCP port that the Postfix LMTP client connects to. Specify
3005 a symbolic name (see services(5)) or a numeric port.
3006
3008 The LMTP-specific version of the smtp_tls_CAfile configuration parame‐
3009 ter. See there for details.
3010
3011 This feature is available in Postfix 2.3 and later.
3012
3014 The LMTP-specific version of the smtp_tls_CApath configuration parame‐
3015 ter. See there for details.
3016
3017 This feature is available in Postfix 2.3 and later.
3018
3020 The LMTP-specific version of the smtp_tls_block_early_mail_reply con‐
3021 figuration parameter. See there for details.
3022
3023 This feature is available in Postfix 2.7 and later.
3024
3026 The LMTP-specific version of the smtp_tls_cert_file configuration
3027 parameter. See there for details.
3028
3029 This feature is available in Postfix 2.3 and later.
3030
3032 The LMTP-specific version of the smtp_tls_chain_files configuration
3033 parameter. See there for details.
3034
3035 This feature is available in Postfix 3.4 and later.
3036
3038 The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3039 ter. See there for details.
3040
3041 This feature is available in Postfix 2.6 and later.
3042
3044 The LMTP-specific version of the smtp_tls_connection_reuse configura‐
3045 tion parameter. See there for details.
3046
3047 This feature is available in Postfix 3.4 and later.
3048
3050 The LMTP-specific version of the smtp_tls_dcert_file configuration
3051 parameter. See there for details.
3052
3053 This feature is available in Postfix 2.3 and later.
3054
3056 The LMTP-specific version of the smtp_tls_dkey_file configuration
3057 parameter. See there for details.
3058
3059 This feature is available in Postfix 2.3 and later.
3060
3062 The LMTP-specific version of the smtp_tls_eccert_file configuration
3063 parameter. See there for details.
3064
3065 This feature is available in Postfix 2.6 and later, when Postfix is
3066 compiled and linked with OpenSSL 1.0.0 or later.
3067
3069 The LMTP-specific version of the smtp_tls_eckey_file configuration
3070 parameter. See there for details.
3071
3072 This feature is available in Postfix 2.6 and later, when Postfix is
3073 compiled and linked with OpenSSL 1.0.0 or later.
3074
3076 The LMTP-specific version of the smtp_tls_enforce_peername configura‐
3077 tion parameter. See there for details.
3078
3079 This feature is available in Postfix 2.3 and later.
3080
3082 The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3083 parameter. See there for details.
3084
3085 This feature is available in Postfix 2.3 and later.
3086
3088 The LMTP-specific version of the smtp_tls_fingerprint_cert_match con‐
3089 figuration parameter. See there for details.
3090
3091 This feature is available in Postfix 2.5 and later.
3092
3094 The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3095 tion parameter. See there for details.
3096
3097 This feature is available in Postfix 2.5 and later.
3098
3100 The LMTP-specific version of the smtp_tls_force_inse‐
3101 cure_host_tlsa_lookup configuration parameter. See there for details.
3102
3103 This feature is available in Postfix 2.11 and later.
3104
3106 The LMTP-specific version of the smtp_tls_key_file configuration param‐
3107 eter. See there for details.
3108
3109 This feature is available in Postfix 2.3 and later.
3110
3112 The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3113 eter. See there for details.
3114
3115 This feature is available in Postfix 2.3 and later.
3116
3118 The LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3119 tion parameter. See there for details.
3120
3121 This feature is available in Postfix 2.3 and later.
3122
3124 The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
3125 configuration parameter. See there for details.
3126
3127 This feature is available in Postfix 2.3 and later.
3128
3130 The LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3131 ration parameter. See there for details.
3132
3133 This feature is available in Postfix 2.3 and later.
3134
3136 The LMTP-specific version of the smtp_tls_note_starttls_offer configu‐
3137 ration parameter. See there for details.
3138
3139 This feature is available in Postfix 2.3 and later.
3140
3142 The LMTP-specific version of the smtp_tls_per_site configuration param‐
3143 eter. See there for details.
3144
3145 This feature is available in Postfix 2.3 and later.
3146
3148 The LMTP-specific version of the smtp_tls_policy_maps configuration
3149 parameter. See there for details.
3150
3151 This feature is available in Postfix 2.3 and later.
3152
3154 The LMTP-specific version of the smtp_tls_protocols configuration
3155 parameter. See there for details.
3156
3157 This feature is available in Postfix 2.6 and later.
3158
3160 The LMTP-specific version of the smtp_tls_scert_verifydepth configura‐
3161 tion parameter. See there for details.
3162
3163 This feature is available in Postfix 2.3 and later.
3164
3166 The LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3167 tion parameter. See there for details.
3168
3169 This feature is available in Postfix 2.3 and later.
3170
3172 The LMTP-specific version of the smtp_tls_security_level configuration
3173 parameter. See there for details.
3174
3175 This feature is available in Postfix 2.3 and later.
3176
3178 The LMTP-specific version of the smtp_tls_servername configuration
3179 parameter. See there for details.
3180
3181 This feature is available in Postfix 3.4 and later.
3182
3184 The LMTP-specific version of the smtp_tls_session_cache_database con‐
3185 figuration parameter. See there for details.
3186
3187 This feature is available in Postfix 2.3 and later.
3188
3190 The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3191 uration parameter. See there for details.
3192
3193 This feature is available in Postfix 2.3 and later.
3194
3196 The LMTP-specific version of the smtp_tls_trust_anchor_file configura‐
3197 tion parameter. See there for details.
3198
3199 This feature is available in Postfix 2.11 and later.
3200
3202 The LMTP-specific version of the smtp_tls_verify_cert_match configura‐
3203 tion parameter. See there for details.
3204
3205 This feature is available in Postfix 2.3 and later.
3206
3208 The LMTP-specific version of the smtp_use_tls configuration parameter.
3209 See there for details.
3210
3211 This feature is available in Postfix 2.3 and later.
3212
3214 The Postfix LMTP client time limit for sending the XFORWARD command,
3215 and for receiving the remote LMTP server response.
3216
3217 In case of problems the client does NOT try the next address on the
3218 mail exchanger list.
3219
3220 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3221 The default time unit is s (seconds).
3222
3223 This feature is available in Postfix 2.1 and later.
3224
3226 Optional shell program for local(8) delivery to non-Postfix command.
3227 By default, non-Postfix commands are executed directly; commands are
3228 given to given to the default shell (typically, /bin/sh) only when they
3229 contain shell meta characters or shell built-in commands.
3230
3231 "sendmail's restricted shell" (smrsh) is what most people will use in
3232 order to restrict what programs can be run from e.g. .forward files
3233 (smrsh is part of the Sendmail distribution).
3234
3235 Note: when a shell program is specified, it is invoked even when the
3236 command contains no shell built-in commands or meta characters.
3237
3238 Example:
3239
3240 local_command_shell = /some/where/smrsh -c
3241 local_command_shell = /bin/bash -c
3242
3244 Optional filter for the local(8) delivery agent to change the status
3245 code or explanatory text of successful or unsuccessful deliveries. See
3246 default_delivery_status_filter for details.
3247
3248 This feature is available in Postfix 3.0 and later.
3249
3251 The maximal number of parallel deliveries via the local mail delivery
3252 transport to the same recipient (when "local_destination_recipi‐
3253 ent_limit = 1") or the maximal number of parallel deliveries to the
3254 same local domain (when "local_destination_recipient_limit > 1"). This
3255 limit is enforced by the queue manager. The message delivery transport
3256 name is the first field in the entry in the master.cf file.
3257
3258 A low limit of 2 is recommended, just in case someone has an expensive
3259 shell command in a .forward file or in an alias (e.g., a mailing list
3260 manager). You don't want to run lots of those at the same time.
3261
3263 The maximal number of recipients per message delivery via the local
3264 mail delivery transport. This limit is enforced by the queue manager.
3265 The message delivery transport name is the first field in the entry in
3266 the master.cf file.
3267
3268 Setting this parameter to a value > 1 changes the meaning of local_des‐
3269 tination_concurrency_limit from concurrency per recipient into concur‐
3270 rency per domain.
3271
3273 Rewrite message header addresses in mail from these clients and update
3274 incomplete addresses with the domain name in $myorigin or $mydomain;
3275 either don't rewrite message headers from other clients at all, or re‐
3276 write message headers and update incomplete addresses with the domain
3277 specified in the remote_header_rewrite_domain parameter.
3278
3279 See the append_at_myorigin and append_dot_mydomain parameters for
3280 details of how domain names are appended to incomplete addresses.
3281
3282 Specify a list of zero or more of the following:
3283
3284 permit_inet_interfaces
3285 Append the domain name in $myorigin or $mydomain when the client
3286 IP address matches $inet_interfaces. This is enabled by default.
3287
3288 permit_mynetworks
3289 Append the domain name in $myorigin or $mydomain when the client
3290 IP address matches any network or network address listed in
3291 $mynetworks. This setting will not prevent remote mail header
3292 address rewriting when mail from a remote client is forwarded by
3293 a neighboring system.
3294
3295 permit_sasl_authenticated
3296 Append the domain name in $myorigin or $mydomain when the client
3297 is successfully authenticated via the RFC 4954 (AUTH) protocol.
3298
3299 permit_tls_clientcerts
3300 Append the domain name in $myorigin or $mydomain when the remote
3301 SMTP client TLS certificate fingerprint or public key finger‐
3302 print (Postfix 2.9 and later) is listed in $relay_clientcerts.
3303 The fingerprint digest algorithm is configurable via the
3304 smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior
3305 to Postfix version 2.5).
3306
3307 permit_tls_all_clientcerts
3308 Append the domain name in $myorigin or $mydomain when the remote
3309 SMTP client TLS certificate is successfully verified, regardless
3310 of whether it is listed on the server, and regardless of the
3311 certifying authority.
3312
3313 check_address_map type:table
3314
3315 type:table
3316 Append the domain name in $myorigin or $mydomain when the client
3317 IP address matches the specified lookup table. The lookup
3318 result is ignored, and no subnet lookup is done. This is suit‐
3319 able for, e.g., pop-before-smtp lookup tables.
3320
3321 Examples:
3322
3323 The Postfix < 2.2 backwards compatible setting: always rewrite message
3324 headers, and always append my own domain to incomplete header
3325 addresses.
3326
3327 local_header_rewrite_clients = static:all
3328
3329 The purist (and default) setting: rewrite headers only in mail from
3330 Postfix sendmail and in SMTP mail from this machine.
3331
3332 local_header_rewrite_clients = permit_inet_interfaces
3333
3334 The intermediate setting: rewrite header addresses and append $myorigin
3335 or $mydomain information only with mail from Postfix sendmail, from
3336 local clients, or from authorized SMTP clients.
3337
3338 Note: this setting will not prevent remote mail header address rewrit‐
3339 ing when mail from a remote client is forwarded by a neighboring sys‐
3340 tem.
3341
3342 local_header_rewrite_clients = permit_mynetworks,
3343 permit_sasl_authenticated permit_tls_clientcerts
3344 check_address_map hash:/etc/postfix/pop-before-smtp
3345
3347 Lookup tables with all names or addresses of local recipients: a recip‐
3348 ient address is local when its domain matches $mydestination,
3349 $inet_interfaces or $proxy_interfaces. Specify @domain as a wild-card
3350 for domains that do not have a valid recipient list. Technically,
3351 tables listed with $local_recipient_maps are used as lists: Postfix
3352 needs to know only if a lookup string is found or not, but it does not
3353 use the result from table lookup.
3354
3355 Specify zero or more "type:name" lookup tables, separated by whitespace
3356 or comma. Tables will be searched in the specified order until a match
3357 is found.
3358
3359 If this parameter is non-empty (the default), then the Postfix SMTP
3360 server will reject mail for unknown local users.
3361
3362 To turn off local recipient checking in the Postfix SMTP server, spec‐
3363 ify "local_recipient_maps =" (i.e. empty).
3364
3365 The default setting assumes that you use the default Postfix local
3366 delivery agent for local delivery. You need to update the local_recipi‐
3367 ent_maps setting if:
3368
3369 · You redefine the local delivery agent in master.cf.
3370
3371 · You redefine the "local_transport" setting in main.cf.
3372
3373 · You use the "luser_relay", "mailbox_transport", or "fall‐
3374 back_transport" feature of the Postfix local(8) delivery agent.
3375
3376 Details are described in the LOCAL_RECIPIENT_README file.
3377
3378 Beware: if the Postfix SMTP server runs chrooted, you need to access
3379 the passwd file via the proxymap(8) service, in order to overcome
3380 chroot access restrictions. The alternative, maintaining a copy of the
3381 system password file in the chroot jail is not practical.
3382
3383 Examples:
3384
3385 local_recipient_maps =
3386
3388 The default mail delivery transport and next-hop destination for final
3389 delivery to domains listed with mydestination, and for [ipaddress] des‐
3390 tinations that match $inet_interfaces or $proxy_interfaces. This
3391 information can be overruled with the transport(5) table.
3392
3393 By default, local mail is delivered to the transport called "local",
3394 which is just the name of a service that is defined the master.cf file.
3395
3396 Specify a string of the form transport:nexthop, where transport is the
3397 name of a mail delivery transport defined in master.cf. The :nexthop
3398 destination is optional; its syntax is documented in the manual page of
3399 the corresponding delivery agent.
3400
3401 Beware: if you override the default local delivery agent then you need
3402 to review the LOCAL_RECIPIENT_README document, otherwise the SMTP
3403 server may reject mail for local recipients.
3404
3406 Optional catch-all destination for unknown local(8) recipients. By
3407 default, mail for unknown recipients in domains that match $mydestina‐
3408 tion, $inet_interfaces or $proxy_interfaces is returned as undeliver‐
3409 able.
3410
3411 The luser_relay value is not subject to Postfix configuration parameter
3412 $name expansion. Instead, the following $name expansions are done:
3413
3414 $domain
3415 The recipient domain.
3416
3417 $extension
3418 The recipient address extension.
3419
3420 $home The recipient's home directory.
3421
3422 $local The entire recipient address localpart.
3423
3424 $recipient
3425 The full recipient address.
3426
3427 $recipient_delimiter
3428 The address extension delimiter that was found in the recipient
3429 address (Postfix 2.11 and later), or the system-wide recipient
3430 address extension delimiter (Postfix 2.10 and earlier).
3431
3432 $shell The recipient's login shell.
3433
3434 $user The recipient username.
3435
3436 ${name?value}
3437 Expands to value when $name has a non-empty value.
3438
3439 ${name:value}
3440 Expands to value when $name has an empty value.
3441
3442 Instead of $name you can also specify ${name} or $(name).
3443
3444 Note: luser_relay works only for the Postfix local(8) delivery agent.
3445
3446 Note: if you use this feature for accounts not in the UNIX password
3447 file, then you must specify "local_recipient_maps =" (i.e. empty) in
3448 the main.cf file, otherwise the Postfix SMTP server will reject mail
3449 for non-UNIX accounts with "User unknown in local recipient table".
3450
3451 Examples:
3452
3453 luser_relay = $user@other.host
3454 luser_relay = $local@other.host
3455 luser_relay = admin+$local
3456
3458 The mail system name that is displayed in Received: headers, in the
3459 SMTP greeting banner, and in bounced mail.
3460
3462 The UNIX system account that owns the Postfix queue and most Postfix
3463 daemon processes. Specify the name of an unprivileged user account
3464 that does not share a user or group ID with other accounts, and that
3465 owns no other files or processes on the system. In particular, don't
3466 specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.
3467
3468 When this parameter value is changed you need to re-run "postfix
3469 set-permissions" (with Postfix version 2.0 and earlier: "/etc/post‐
3470 fix/post-install set-permissions".
3471
3473 The Postfix release date, in "YYYYMMDD" format.
3474
3476 The directory where local(8) UNIX-style mailboxes are kept. The default
3477 setting depends on the system type. Specify a name ending in / for
3478 maildir-style delivery.
3479
3480 Note: maildir delivery is done with the privileges of the recipient.
3481 If you use the mail_spool_directory setting for maildir style delivery,
3482 then you must create the top-level maildir directory in advance. Post‐
3483 fix will not create it.
3484
3485 Examples:
3486
3487 mail_spool_directory = /var/mail
3488 mail_spool_directory = /var/spool/mail
3489
3491 The version of the mail system. Stable releases are named
3492 major.minor.patchlevel. Experimental releases also include the release
3493 date. The version string can be used in, for example, the SMTP greeting
3494 banner.
3495
3497 Optional external command that the local(8) delivery agent should use
3498 for mailbox delivery. The command is run with the user ID and the pri‐
3499 mary group ID privileges of the recipient. Exception: command delivery
3500 for root executes with $default_privs privileges. This is not a prob‐
3501 lem, because 1) mail for root should always be aliased to a real user
3502 and 2) don't log in as root, use "su" instead.
3503
3504 The following environment variables are exported to the command:
3505
3506 CLIENT_ADDRESS
3507 Remote client network address. Available in Postfix version 2.2
3508 and later.
3509
3510 CLIENT_HELO
3511 Remote client EHLO command parameter. Available in Postfix ver‐
3512 sion 2.2 and later.
3513
3514 CLIENT_HOSTNAME
3515 Remote client hostname. Available in Postfix version 2.2 and
3516 later.
3517
3518 CLIENT_PROTOCOL
3519 Remote client protocol. Available in Postfix version 2.2 and
3520 later.
3521
3522 DOMAIN The domain part of the recipient address.
3523
3524 EXTENSION
3525 The optional address extension.
3526
3527 HOME The recipient home directory.
3528
3529 LOCAL The recipient address localpart.
3530
3531 LOGNAME
3532 The recipient's username.
3533
3534 ORIGINAL_RECIPIENT
3535 The entire recipient address, before any address rewriting or
3536 aliasing.
3537
3538 RECIPIENT
3539 The full recipient address.
3540
3541 SASL_METHOD
3542 SASL authentication method specified in the remote client AUTH
3543 command. Available in Postfix version 2.2 and later.
3544
3545 SASL_SENDER
3546 SASL sender address specified in the remote client MAIL FROM
3547 command. Available in Postfix version 2.2 and later.
3548
3549 SASL_USER
3550 SASL username specified in the remote client AUTH command.
3551 Available in Postfix version 2.2 and later.
3552
3553 SENDER The full sender address.
3554
3555 SHELL The recipient's login shell.
3556
3557 USER The recipient username.
3558
3559 Unlike other Postfix configuration parameters, the mailbox_command
3560 parameter is not subjected to $name substitutions. This is to make it
3561 easier to specify shell syntax (see example below).
3562
3563 If you can, avoid shell meta characters because they will force Postfix
3564 to run an expensive shell process. If you're delivering via "procmail"
3565 then running a shell won't make a noticeable difference in the total
3566 cost.
3567
3568 Note: if you use the mailbox_command feature to deliver mail sys‐
3569 tem-wide, you must set up an alias that forwards mail for root to a
3570 real user.
3571
3572 The precedence of local(8) delivery features from high to low is:
3573 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3574 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3575 tory, fallback_transport_maps, fallback_transport and luser_relay.
3576
3577 Examples:
3578
3579 mailbox_command = /some/where/procmail
3580 mailbox_command = /some/where/procmail -a "$EXTENSION"
3581 mailbox_command = /some/where/maildrop -d "$USER"
3582 -f "$SENDER" "$EXTENSION"
3583
3585 Optional lookup tables with per-recipient external commands to use for
3586 local(8) mailbox delivery. Behavior is as with mailbox_command.
3587
3588 The precedence of local(8) delivery features from high to low is:
3589 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3590 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3591 tory, fallback_transport_maps, fallback_transport and luser_relay.
3592
3593 Specify zero or more "type:name" lookup tables, separated by whitespace
3594 or comma. Tables will be searched in the specified order until a match
3595 is found.
3596
3598 How to lock a UNIX-style local(8) mailbox before attempting delivery.
3599 For a list of available file locking methods, use the "postconf -l"
3600 command.
3601
3602 This setting is ignored with maildir style delivery, because such
3603 deliveries are safe without explicit locks.
3604
3605 Note: The dotlock method requires that the recipient UID or GID has
3606 write access to the parent directory of the mailbox file.
3607
3608 Note: the default setting of this parameter is system dependent.
3609
3611 The maximal size of any local(8) individual mailbox or maildir file, or
3612 zero (no limit). In fact, this limits the size of any file that is
3613 written to upon local delivery, including files written by external
3614 commands that are executed by the local(8) delivery agent.
3615
3616 This limit must not be smaller than the message size limit.
3617
3619 Optional message delivery transport that the local(8) delivery agent
3620 should use for mailbox delivery to all local recipients, whether or not
3621 they are found in the UNIX passwd database.
3622
3623 The precedence of local(8) delivery features from high to low is:
3624 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3625 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3626 tory, fallback_transport_maps, fallback_transport and luser_relay.
3627
3629 Optional lookup tables with per-recipient message delivery transports
3630 to use for local(8) mailbox delivery, whether or not the recipients are
3631 found in the UNIX passwd database.
3632
3633 The precedence of local(8) delivery features from high to low is:
3634 aliases, .forward files, mailbox_transport_maps, mailbox_transport,
3635 mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_direc‐
3636 tory, fallback_transport_maps, fallback_transport and luser_relay.
3637
3638 Specify zero or more "type:name" lookup tables, separated by whitespace
3639 or comma. Tables will be searched in the specified order until a match
3640 is found.
3641
3642 For safety reasons, this feature does not allow $number substitutions
3643 in regular expression maps.
3644
3645 This feature is available in Postfix 2.3 and later.
3646
3648 The name of an optional logfile that is written by the Postfix post‐
3649 logd(8) service. A non-empty value selects logging to syslogd(8).
3650 Specify "/dev/stdout" to select logging to standard output. Stdout log‐
3651 ging requires that Postfix is started with "postfix start-fg".
3652
3653 Note 1: The maillog_file parameter value must contain a prefix that is
3654 specified with the maillog_file_prefixes parameter.
3655
3656 Note 2: Some Postfix non-daemon programs may still log information to
3657 syslogd(8), before they have processed their configuration parameters
3658 and command-line options.
3659
3660 This feature is available in Postfix 3.4 and later.
3661
3663 The program to run after rotating $maillog_file with "postfix logro‐
3664 tate". The command is run with the rotated logfile name as its first
3665 argument.
3666
3667 This feature is available in Postfix 3.4 and later.
3668
3670 A list of allowed prefixes for a maillog_file value. This is a safety
3671 feature to contain the damage from a single configuration mistake.
3672 Specify one or more prefix strings, separated by comma or whitespace.
3673
3674 This feature is available in Postfix 3.4 and later.
3675
3677 The format of the suffix to append to $maillog_file while rotating the
3678 file with "postfix logrotate". See strftime(3) for syntax. The default
3679 suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.
3680
3681 This feature is available in Postfix 3.4 and later.
3682
3684 Sendmail compatibility feature that specifies where the Postfix
3685 mailq(1) command is installed. This command can be used to list the
3686 Postfix mail queue.
3687
3689 Where the Postfix manual pages are installed.
3690
3692 Obsolete feature: use the reject_rbl_client feature instead.
3693
3695 The numerical Postfix SMTP server response code when a remote SMTP
3696 client request is blocked by the reject_rbl_client,
3697 reject_rhsbl_client, reject_rhsbl_reverse_client, reject_rhsbl_sender
3698 or reject_rhsbl_recipient restriction.
3699
3700 Do not change this unless you have a complete understanding of RFC
3701 5321.
3702
3704
3705 What addresses are subject to address masquerading.
3706
3707 By default, address masquerading is limited to envelope sender
3708 addresses, and to header sender and header recipient addresses. This
3709 allows you to use address masquerading on a mail gateway while still
3710 being able to forward mail to users on individual machines.
3711
3712 Specify zero or more of: envelope_sender, envelope_recipient,
3713 header_sender, header_recipient
3714
3716 Optional list of domains whose subdomain structure will be stripped off
3717 in email addresses.
3718
3719 The list is processed left to right, and processing stops at the first
3720 match. Thus,
3721
3722 masquerade_domains = foo.example.com example.com
3723
3724 strips "user@any.thing.foo.example.com" to "user@foo.example.com", but
3725 strips "user@any.thing.else.example.com" to "user@example.com".
3726
3727 A domain name prefixed with ! means do not masquerade this domain or
3728 its subdomains. Thus,
3729
3730 masquerade_domains = !foo.example.com example.com
3731
3732 does not change "user@any.thing.foo.example.com" or "user@foo.exam‐
3733 ple.com", but strips "user@any.thing.else.example.com" to "user@exam‐
3734 ple.com".
3735
3736 Note: with Postfix version 2.2, message header address masquerading
3737 happens only when message header address rewriting is enabled:
3738
3739 · The message is received with the Postfix sendmail(1) command,
3740
3741 · The message is received from a network client that matches
3742 $local_header_rewrite_clients,
3743
3744 · The message is received from the network, and the
3745 remote_header_rewrite_domain parameter specifies a non-empty
3746 value.
3747
3748 To get the behavior before Postfix version 2.2, specify
3749 "local_header_rewrite_clients = static:all".
3750
3751 Example:
3752
3753 masquerade_domains = $mydomain
3754
3756 Optional list of user names that are not subjected to address mas‐
3757 querading, even when their addresses match $masquerade_domains.
3758
3759 By default, address masquerading makes no exceptions.
3760
3761 Specify a list of user names, "/file/name" or "type:table" patterns,
3762 separated by commas and/or whitespace. The list is matched left to
3763 right, and the search stops on the first match. A "/file/name" pattern
3764 is replaced by its contents; a "type:table" lookup table is matched
3765 when a name matches a lookup key (the lookup result is ignored). Con‐
3766 tinue long lines by starting the next line with whitespace. Specify
3767 "!pattern" to exclude a name from the list. The form "!/file/name" is
3768 supported only in Postfix version 2.4 and later.
3769
3770 Examples:
3771
3772 masquerade_exceptions = root, mailer-daemon
3773 masquerade_exceptions = root
3774
3776 Selectively disable master(8) listener ports by service type or by ser‐
3777 vice name and type. Specify a list of service types ("inet", "unix",
3778 "fifo", or "pass") or "name/type" tuples, where "name" is the first
3779 field of a master.cf entry and "type" is a service type. As with other
3780 Postfix matchlists, a search stops at the first match. Specify "!pat‐
3781 tern" to exclude a service from the list. By default, all master(8)
3782 listener ports are enabled.
3783
3784 Note: this feature does not support "/file/name" or "type:table" pat‐
3785 terns, nor does it support wildcards such as "*" or "all". This is
3786 intentional.
3787
3788 Examples:
3789
3790 # With Postfix 2.6..2.10 use '.' instead of '/'.
3791 # Turn on all master(8) listener ports (the default).
3792 master_service_disable =
3793 # Turn off only the main SMTP listener port.
3794 master_service_disable = smtp/inet
3795 # Turn off all TCP/IP listener ports.
3796 master_service_disable = inet
3797 # Turn off all TCP/IP listener ports except "foo".
3798 master_service_disable = !foo/inet, inet
3799
3800 This feature is available in Postfix 2.6 and later.
3801
3803 The maximum amount of time that an idle Postfix daemon process waits
3804 for an incoming connection before terminating voluntarily. This param‐
3805 eter is ignored by the Postfix queue manager and by other long-lived
3806 Postfix daemon processes.
3807
3808 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3809 The default time unit is s (seconds).
3810
3812 The maximal number of incoming connections that a Postfix daemon
3813 process will service before terminating voluntarily. This parameter is
3814 ignored by the Postfix queue manager and by other long-lived Postfix
3815 daemon processes.
3816
3818 The maximal time between attempts to deliver a deferred message.
3819
3820 This parameter should be set to a value greater than or equal to $mini‐
3821 mal_backoff_time. See also $queue_run_delay.
3822
3823 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3824 The default time unit is s (seconds).
3825
3827 Consider a message as undeliverable, when delivery fails with a tempo‐
3828 rary error, and the time in the queue has reached the maxi‐
3829 mal_queue_lifetime limit.
3830
3831 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3832 The default time unit is d (days).
3833
3834 Specify 0 when mail delivery should be tried only once.
3835
3837 Names of message headers that the cleanup(8) daemon will remove after
3838 applying header_checks(5) and before invoking Milter applications. The
3839 default setting is compatible with Postfix < 3.0.
3840
3841 Specify a list of header names, separated by comma or space. Names are
3842 matched in a case-insensitive manner. The list of supported header
3843 names is limited only by available memory.
3844
3845 This feature is available in Postfix 3.0 and later.
3846
3848 The set of characters that Postfix will reject in message content. The
3849 usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3850 (up to three octal digits) and \\.
3851
3852 Note 1: this feature does not recognize text that requires MIME decod‐
3853 ing. It inspects raw message content, just like header_checks and
3854 body_checks.
3855
3856 Note 2: this feature is disabled with "receive_override_options =
3857 no_header_body_checks".
3858
3859 Example:
3860
3861 message_reject_characters = \0
3862
3863 This feature is available in Postfix 2.3 and later.
3864
3866 The maximal size in bytes of a message, including envelope information.
3867
3868 Note: be careful when making changes. Excessively small values will
3869 result in the loss of non-delivery notifications, when a bounce message
3870 size exceeds the local or remote MTA's message size limit.
3871
3873 The set of characters that Postfix will remove from message content.
3874 The usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3875 \ddd (up to three octal digits) and \\.
3876
3877 Note 1: this feature does not recognize text that requires MIME decod‐
3878 ing. It inspects raw message content, just like header_checks and
3879 body_checks.
3880
3881 Note 2: this feature is disabled with "receive_override_options =
3882 no_header_body_checks".
3883
3884 Example:
3885
3886 message_strip_characters = \0
3887
3888 This feature is available in Postfix 2.3 and later.
3889
3891 The location of non-executable files that are shared among multiple
3892 Postfix instances, such as postfix-files, dynamicmaps.cf, and the
3893 multi-instance template files main.cf.proto and master.cf.proto. This
3894 directory should contain only Postfix-related files. Typically, the
3895 meta_directory parameter has the same default as the config_directory
3896 parameter (/etc/postfix or /usr/local/etc/postfix).
3897
3898 For backwards compatibility with Postfix versions 2.6..2.11, specify
3899 "meta_directory = $daemon_directory" in main.cf before installing or
3900 upgrading Postfix, or specify "meta_directory = /path/name" on the
3901 "make makefiles", "make install" or "make upgrade" command line.
3902
3903 This feature is available in Postfix 3.0 and later.
3904
3906 The time limit for sending an SMTP command to a Milter (mail filter)
3907 application, and for receiving the response.
3908
3909 Specify a non-zero time value (an integral value plus an optional
3910 one-letter suffix that specifies the time unit).
3911
3912 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3913 The default time unit is s (seconds).
3914
3915 This feature is available in Postfix 2.3 and later.
3916
3918 The macros that are sent to Milter (mail filter) applications after
3919 completion of an SMTP connection. See MILTER_README for a list of
3920 available macro names and their meanings.
3921
3922 This feature is available in Postfix 2.3 and later.
3923
3925 The time limit for connecting to a Milter (mail filter) application,
3926 and for negotiating protocol options.
3927
3928 Specify a non-zero time value (an integral value plus an optional
3929 one-letter suffix that specifies the time unit).
3930
3931 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3932 The default time unit is s (seconds).
3933
3934 This feature is available in Postfix 2.3 and later.
3935
3937 The time limit for sending message content to a Milter (mail filter)
3938 application, and for receiving the response.
3939
3940 Specify a non-zero time value (an integral value plus an optional
3941 one-letter suffix that specifies the time unit).
3942
3943 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3944 The default time unit is s (seconds).
3945
3946 This feature is available in Postfix 2.3 and later.
3947
3949 The macros that are sent to version 4 or higher Milter (mail filter)
3950 applications after the SMTP DATA command. See MILTER_README for a list
3951 of available macro names and their meanings.
3952
3953 This feature is available in Postfix 2.3 and later.
3954
3956 The default action when a Milter (mail filter) application is unavail‐
3957 able or mis-configured. Specify one of the following:
3958
3959 accept Proceed as if the mail filter was not present.
3960
3961 reject Reject all further commands in this session with a permanent
3962 status code.
3963
3964 tempfail
3965 Reject all further commands in this session with a temporary
3966 status code.
3967
3968 quarantine
3969 Like "accept", but freeze the message in the "hold" queue.
3970 Available with Postfix 2.6 and later.
3971
3972 This feature is available in Postfix 2.3 and later.
3973
3975 The macros that are sent to Milter (mail filter) applications after the
3976 message end-of-data. See MILTER_README for a list of available macro
3977 names and their meanings.
3978
3979 This feature is available in Postfix 2.3 and later.
3980
3982 The macros that are sent to Milter (mail filter) applications after the
3983 end of the message header. See MILTER_README for a list of available
3984 macro names and their meanings.
3985
3986 This feature is available in Postfix 2.5 and later.
3987
3989 Optional lookup tables for content inspection of message headers that
3990 are produced by Milter applications. See the header_checks(5) manual
3991 page available actions. Currently, PREPEND is not implemented.
3992
3993 The following example sends all mail that is marked as SPAM to a spam
3994 handling machine. Note that matches are case-insensitive by default.
3995
3996 /etc/postfix/main.cf:
3997 milter_header_checks = pcre:/etc/postfix/milter_header_checks
3998
3999 /etc/postfix/milter_header_checks:
4000 /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
4001
4002 The milter_header_checks mechanism could also be used for whitelisting.
4003 For example it could be used to skip heavy content inspection for
4004 DKIM-signed mail from known friendly domains.
4005
4006 This feature is available in Postfix 2.7, and as an optional patch for
4007 Postfix 2.6.
4008
4010 The macros that are sent to Milter (mail filter) applications after the
4011 SMTP HELO or EHLO command. See MILTER_README for a list of available
4012 macro names and their meanings.
4013
4014 This feature is available in Postfix 2.3 and later.
4015
4017 The {daemon_name} macro value for Milter (mail filter) applications.
4018 See MILTER_README for a list of available macro names and their mean‐
4019 ings.
4020
4021 This feature is available in Postfix 2.3 and later.
4022
4024 Optional list of name=value pairs that specify default values for arbi‐
4025 trary macros that Postfix may send to Milter applications. These
4026 defaults are used when there is no corresponding information from the
4027 message delivery context.
4028
4029 Specify name=value or {name}=value pairs separated by comma or white‐
4030 space. Enclose a pair in "{}" when a value contains comma or white‐
4031 space (this form ignores whitespace after the enclosing "{", around the
4032 "=", and before the enclosing "}").
4033
4034 This feature is available in Postfix 3.1 and later.
4035
4037 The {v} macro value for Milter (mail filter) applications. See MIL‐
4038 TER_README for a list of available macro names and their meanings.
4039
4040 This feature is available in Postfix 2.3 and later.
4041
4043 The macros that are sent to Milter (mail filter) applications after the
4044 SMTP MAIL FROM command. See MILTER_README for a list of available macro
4045 names and their meanings.
4046
4047 This feature is available in Postfix 2.3 and later.
4048
4050 The mail filter protocol version and optional protocol extensions for
4051 communication with a Milter application; prior to Postfix 2.6 the
4052 default protocol is 2. Postfix sends this version number during the
4053 initial protocol handshake. It should match the version number that is
4054 expected by the mail filter application (or by its Milter library).
4055
4056 Protocol versions:
4057
4058 2 Use Sendmail 8 mail filter protocol version 2 (default with
4059 Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).
4060
4061 3 Use Sendmail 8 mail filter protocol version 3.
4062
4063 4 Use Sendmail 8 mail filter protocol version 4.
4064
4065 6 Use Sendmail 8 mail filter protocol version 6 (default with
4066 Sendmail version 8.14 and Postfix version 2.6).
4067
4068 Protocol extensions:
4069
4070 no_header_reply
4071 Specify this when the Milter application will not reply for each
4072 individual message header.
4073
4074 This feature is available in Postfix 2.3 and later.
4075
4077 The macros that are sent to Milter (mail filter) applications after the
4078 SMTP RCPT TO command. See MILTER_README for a list of available macro
4079 names and their meanings.
4080
4081 This feature is available in Postfix 2.3 and later.
4082
4084 The macros that are sent to version 3 or higher Milter (mail filter)
4085 applications after an unknown SMTP command. See MILTER_README for a
4086 list of available macro names and their meanings.
4087
4088 This feature is available in Postfix 2.3 and later.
4089
4091 The maximal length of MIME multipart boundary strings. The MIME proces‐
4092 sor is unable to distinguish between boundary strings that do not dif‐
4093 fer in the first $mime_boundary_length_limit characters.
4094
4095 This feature is available in Postfix 2.0 and later.
4096
4098 Optional lookup tables for content inspection of MIME related message
4099 headers, as described in the header_checks(5) manual page.
4100
4101 This feature is available in Postfix 2.0 and later.
4102
4104 The maximal recursion level that the MIME processor will handle. Post‐
4105 fix refuses mail that is nested deeper than the specified limit.
4106
4107 This feature is available in Postfix 2.0 and later.
4108
4110 The minimal time between attempts to deliver a deferred message; prior
4111 to Postfix 2.4 the default value was 1000s.
4112
4113 This parameter also limits the time an unreachable destination is kept
4114 in the short-term, in-memory, destination status cache.
4115
4116 This parameter should be set greater than or equal to $queue_run_delay.
4117 See also $maximal_backoff_time.
4118
4119 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4120 The default time unit is s (seconds).
4121
4123 An optional list of non-default Postfix configuration directories;
4124 these directories belong to additional Postfix instances that share the
4125 Postfix executable files and documentation with the default Postfix
4126 instance, and that are started, stopped, etc., together with the
4127 default Postfix instance. Specify a list of pathnames separated by
4128 comma or whitespace.
4129
4130 When $multi_instance_directories is empty, the postfix(1) command runs
4131 in single-instance mode and operates on a single Postfix instance only.
4132 Otherwise, the postfix(1) command runs in multi-instance mode and
4133 invokes the multi-instance manager specified with the
4134 multi_instance_wrapper parameter. The multi-instance manager in turn
4135 executes postfix(1) commands for the default instance and for all Post‐
4136 fix instances in $multi_instance_directories.
4137
4138 Currently, this parameter setting is ignored except for the default
4139 main.cf file.
4140
4141 This feature is available in Postfix 2.6 and later.
4142
4144 Allow this Postfix instance to be started, stopped, etc., by a
4145 multi-instance manager. By default, new instances are created in a
4146 safe state that prevents them from being started inadvertently. This
4147 parameter is reserved for the multi-instance manager.
4148
4149 This feature is available in Postfix 2.6 and later.
4150
4152 The optional instance group name of this Postfix instance. A group
4153 identifies closely-related Postfix instances that the multi-instance
4154 manager can start, stop, etc., as a unit. This parameter is reserved
4155 for the multi-instance manager.
4156
4157 This feature is available in Postfix 2.6 and later.
4158
4160 The optional instance name of this Postfix instance. This name becomes
4161 also the default value for the syslog_name parameter.
4162
4163 This feature is available in Postfix 2.6 and later.
4164
4166 The pathname of a multi-instance manager command that the postfix(1)
4167 command invokes when the multi_instance_directories parameter value is
4168 non-empty. The pathname may be followed by initial command arguments
4169 separated by whitespace; shell metacharacters such as quotes are not
4170 supported in this context.
4171
4172 The postfix(1) command invokes the manager command with the postfix(1)
4173 non-option command arguments on the manager command line, and with all
4174 installation configuration parameters exported into the manager command
4175 process environment. The manager command in turn invokes the postfix(1)
4176 command for individual Postfix instances as "postfix -c config_direc‐
4177 tory command".
4178
4179 This feature is available in Postfix 2.6 and later.
4180
4182 The numerical Postfix SMTP server response code when a remote SMTP
4183 client request is blocked by the reject_multi_recipient_bounce restric‐
4184 tion.
4185
4186 Do not change this unless you have a complete understanding of RFC
4187 5321.
4188
4189 This feature is available in Postfix 2.1 and later.
4190
4192 The list of domains that are delivered via the $local_transport mail
4193 delivery transport. By default this is the Postfix local(8) delivery
4194 agent which looks up all recipients in /etc/passwd and /etc/aliases.
4195 The SMTP server validates recipient addresses with $local_recipi‐
4196 ent_maps and rejects non-existent recipients. See also the local domain
4197 class in the ADDRESS_CLASS_README file.
4198
4199 The default mydestination value specifies names for the local machine
4200 only. On a mail domain gateway, you should also include $mydomain.
4201
4202 The $local_transport delivery method is also selected for mail
4203 addressed to user@[the.net.work.address] of the mail system (the IP
4204 addresses specified with the inet_interfaces and proxy_interfaces
4205 parameters).
4206
4207 Warnings:
4208
4209 · Do not specify the names of virtual domains - those domains are
4210 specified elsewhere. See VIRTUAL_README for more information.
4211
4212 · Do not specify the names of domains that this machine is backup
4213 MX host for. See STANDARD_CONFIGURATION_README for how to set up
4214 backup MX hosts.
4215
4216 · By default, the Postfix SMTP server rejects mail for recipients
4217 not listed with the local_recipient_maps parameter. See the
4218 postconf(5) manual for a description of the local_recipient_maps
4219 and unknown_local_recipient_reject_code parameters.
4220
4221 Specify a list of host or domain names, "/file/name" or "type:table"
4222 patterns, separated by commas and/or whitespace. A "/file/name" pattern
4223 is replaced by its contents; a "type:table" lookup table is matched
4224 when a name matches a lookup key (the lookup result is ignored). Con‐
4225 tinue long lines by starting the next line with whitespace.
4226
4227 Examples:
4228
4229 mydestination = $myhostname, localhost.$mydomain $mydomain
4230 mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
4231
4233 The internet domain name of this mail system. The default is to use
4234 $myhostname minus the first component, or "localdomain" (Postfix 2.3
4235 and later). $mydomain is used as a default value for many other con‐
4236 figuration parameters.
4237
4238 Example:
4239
4240 mydomain = domain.tld
4241
4243 The internet hostname of this mail system. The default is to use the
4244 fully-qualified domain name (FQDN) from gethostname(), or to use the
4245 non-FQDN result from gethostname() and append ".$mydomain". $myhost‐
4246 name is used as a default value for many other configuration parame‐
4247 ters.
4248
4249 Example:
4250
4251 myhostname = host.example.com
4252
4254 The list of "trusted" remote SMTP clients that have more privileges
4255 than "strangers".
4256
4257 In particular, "trusted" SMTP clients are allowed to relay mail through
4258 Postfix. See the smtpd_relay_restrictions parameter description in the
4259 postconf(5) manual.
4260
4261 You can specify the list of "trusted" network addresses by hand or you
4262 can let Postfix do it for you (which is the default). See the descrip‐
4263 tion of the mynetworks_style parameter for more information.
4264
4265 If you specify the mynetworks list by hand, Postfix ignores the mynet‐
4266 works_style setting.
4267
4268 Specify a list of network addresses or network/netmask patterns, sepa‐
4269 rated by commas and/or whitespace. Continue long lines by starting the
4270 next line with whitespace.
4271
4272 The netmask specifies the number of bits in the network part of a host
4273 address. You can also specify "/file/name" or "type:table" patterns.
4274 A "/file/name" pattern is replaced by its contents; a "type:table"
4275 lookup table is matched when a table entry matches a lookup string (the
4276 lookup result is ignored).
4277
4278 The list is matched left to right, and the search stops on the first
4279 match. Specify "!pattern" to exclude an address or network block from
4280 the list. The form "!/file/name" is supported only in Postfix version
4281 2.4 and later.
4282
4283 Note 1: Pattern matching of domain names is controlled by the or
4284 absence of "mynetworks" in the parent_domain_matches_subdomains parame‐
4285 ter value.
4286
4287 Note 2: IP version 6 address information must be specified inside [] in
4288 the mynetworks value, and in files specified with "/file/name". IP
4289 version 6 addresses contain the ":" character, and would otherwise be
4290 confused with a "type:table" pattern.
4291
4292 Examples:
4293
4294 mynetworks = 127.0.0.0/8 168.100.189.0/28
4295 mynetworks = !192.168.0.1, 192.168.0.0/28
4296 mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
4297 mynetworks = $config_directory/mynetworks
4298 mynetworks = hash:/etc/postfix/network_table
4299
4301 The method to generate the default value for the mynetworks parameter.
4302 This is the list of trusted networks for relay access control etc.
4303
4304 · Specify "mynetworks_style = host" when Postfix should "trust"
4305 only the local machine.
4306
4307 · Specify "mynetworks_style = subnet" when Postfix should "trust"
4308 remote SMTP clients in the same IP subnetworks as the local
4309 machine. On Linux, this works correctly only with interfaces
4310 specified with the "ifconfig" command.
4311
4312 · Specify "mynetworks_style = class" when Postfix should "trust"
4313 remote SMTP clients in the same IP class A/B/C networks as the
4314 local machine. Caution: this may cause Postfix to "trust" your
4315 entire provider's network. Instead, specify an explicit mynet‐
4316 works list by hand, as described with the mynetworks configura‐
4317 tion parameter.
4318
4320 The domain name that locally-posted mail appears to come from, and that
4321 locally posted mail is delivered to. The default, $myhostname, is ade‐
4322 quate for small sites. If you run a domain with multiple machines, you
4323 should (1) change this to $mydomain and (2) set up a domain-wide alias
4324 database that aliases each user to user@that.users.mailhost.
4325
4326 Example:
4327
4328 myorigin = $mydomain
4329
4331 Optional lookup tables for content inspection of non-MIME message head‐
4332 ers in attached messages, as described in the header_checks(5) manual
4333 page.
4334
4335 This feature is available in Postfix 2.0 and later.
4336
4338 Sendmail compatibility feature that specifies the location of the
4339 newaliases(1) command. This command can be used to rebuild the local(8)
4340 aliases(5) database.
4341
4343 The numerical Postfix SMTP server reply code when a client request is
4344 rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
4345 or reject_non_fqdn_recipient restriction.
4346
4348 A list of Milter (mail filter) applications for new mail that does not
4349 arrive via the Postfix smtpd(8) server. This includes local submission
4350 via the sendmail(1) command line, new mail that arrives via the Postfix
4351 qmqpd(8) server, and old mail that is re-injected into the queue with
4352 "postsuper -r". Specify space or comma as separator. See the MIL‐
4353 TER_README document for details.
4354
4355 This feature is available in Postfix 2.3 and later.
4356
4358 The list of error classes that are reported to the postmaster. The
4359 default is to report only the most serious problems. The paranoid may
4360 wish to turn on the policy (UCE and mail relaying) and protocol error
4361 (broken mail software) reports.
4362
4363 NOTE: postmaster notifications may contain confidential information
4364 such as SASL passwords or message content. It is the system adminis‐
4365 trator's responsibility to treat such information with care.
4366
4367 The error classes are:
4368
4369 bounce (also implies 2bounce)
4370 Send the postmaster copies of the headers of bounced mail, and
4371 send transcripts of SMTP sessions when Postfix rejects mail. The
4372 notification is sent to the address specified with the
4373 bounce_notice_recipient configuration parameter (default: post‐
4374 master).
4375
4376 2bounce
4377 Send undeliverable bounced mail to the postmaster. The notifica‐
4378 tion is sent to the address specified with the
4379 2bounce_notice_recipient configuration parameter (default: post‐
4380 master).
4381
4382 data Send the postmaster a transcript of the SMTP session with an
4383 error because a critical data file was unavailable. The notifi‐
4384 cation is sent to the address specified with the
4385 error_notice_recipient configuration parameter (default: post‐
4386 master).
4387 This feature is available in Postfix 2.9 and later.
4388
4389 delay Send the postmaster copies of the headers of delayed mail (see
4390 delay_warning_time). The notification is sent to the address
4391 specified with the delay_notice_recipient configuration parame‐
4392 ter (default: postmaster).
4393
4394 policy Send the postmaster a transcript of the SMTP session when a
4395 client request was rejected because of (UCE) policy. The notifi‐
4396 cation is sent to the address specified with the
4397 error_notice_recipient configuration parameter (default: post‐
4398 master).
4399
4400 protocol
4401 Send the postmaster a transcript of the SMTP session in case of
4402 client or server protocol errors. The notification is sent to
4403 the address specified with the error_notice_recipient configura‐
4404 tion parameter (default: postmaster).
4405
4406 resource
4407 Inform the postmaster of mail not delivered due to resource
4408 problems. The notification is sent to the address specified
4409 with the error_notice_recipient configuration parameter
4410 (default: postmaster).
4411
4412 software
4413 Inform the postmaster of mail not delivered due to software
4414 problems. The notification is sent to the address specified
4415 with the error_notice_recipient configuration parameter
4416 (default: postmaster).
4417
4418 Examples:
4419
4420 notify_classes = bounce, delay, policy, protocol, resource, software
4421 notify_classes = 2bounce, resource, software
4422
4424 The numerical reply code when the Postfix SMTP server rejects a sender
4425 or recipient address because its domain has a nullmx DNS record (an MX
4426 record with an empty hostname). This is one of the possible replies
4427 from the restrictions reject_unknown_sender_domain and
4428 reject_unknown_recipient_domain.
4429
4430 This feature is available in Postfix 3.0 and later.
4431
4433 The location of the OpenSSL command line program openssl(1). This is
4434 used by the "postfix tls" command to create private keys, certificate
4435 signing requests, self-signed certificates, and to compute public key
4436 digests for DANE TLSA records. In multi-instance environments, this
4437 parameter is always determined from the configuration of the default
4438 Postfix instance.
4439
4440 Example:
4441
4442 /etc/postfix/main.cf:
4443 # NetBSD pkgsrc:
4444 openssl_path = /usr/pkg/bin/openssl
4445 # Local build:
4446 openssl_path = /usr/local/bin/openssl
4447
4448 This feature is available in Postfix 3.1 and later.
4449
4451 Enable special treatment for owner-listname entries in the aliases(5)
4452 file, and don't split owner-listname and listname-request address
4453 localparts when the recipient_delimiter is set to "-". This feature is
4454 useful for mailing lists.
4455
4457 A list of Postfix features where the pattern "example.com" also matches
4458 subdomains of example.com, instead of requiring an explicit ".exam‐
4459 ple.com" pattern. This is planned backwards compatibility: eventu‐
4460 ally, all Postfix features are expected to require explicit ".exam‐
4461 ple.com" style patterns when you really want to match subdomains.
4462
4463 The following Postfix feature names are supported.
4464
4465 Postfix version 1.0 and later
4466 debug_peer_list, fast_flush_domains, mynetworks, per‐
4467 mit_mx_backup_networks, relay_domains, transport_maps
4468
4469 Postfix version 1.1 and later
4470 qmqpd_authorized_clients, smtpd_access_maps,
4471
4472 Postfix version 2.8 and later
4473 postscreen_access_list
4474
4475 Postfix version 3.0 and later
4476 smtpd_client_event_limit_exceptions
4477
4479 Restrict the use of the permit_mx_backup SMTP access feature to only
4480 domains whose primary MX hosts match the listed networks. The parame‐
4481 ter value syntax is the same as with the mynetworks parameter; note,
4482 however, that the default value is empty.
4483
4484 Pattern matching of domain names is controlled by the presence or
4485 absence of "permit_mx_backup_networks" in the par‐
4486 ent_domain_matches_subdomains parameter value.
4487
4489 The name of the pickup(8) service. This service picks up local mail
4490 submissions from the Postfix maildrop queue.
4491
4492 This feature is available in Postfix 2.0 and later.
4493
4495 Optional filter for the pipe(8) delivery agent to change the delivery
4496 status code or explanatory text of successful or unsuccessful deliver‐
4497 ies. See default_delivery_status_filter for details.
4498
4499 This feature is available in Postfix 3.0 and later.
4500
4502 The numerical Postfix SMTP server response code when a request is
4503 rejected by the reject_plaintext_session restriction.
4504
4505 This feature is available in Postfix 2.3 and later.
4506
4508 The name of the postlogd(8) service entry in master.cf. This service
4509 appends logfile records to the file specified with the maillog_file
4510 parameter.
4511
4512 This feature is available in Postfix 3.4 and later.
4513
4515 How much time a postlogd(8) process may take to process a request
4516 before it is terminated by a built-in watchdog timer. This is a safety
4517 mechanism that prevents postlogd(8) from becoming non-responsive due to
4518 a bug in Postfix itself or in system software. This limit cannot be set
4519 under 10s.
4520
4521 Specify a non-zero time value (an integral value plus an optional
4522 one-letter suffix that specifies the time unit). Time units: s (sec‐
4523 onds), m (minutes), h (hours), d (days), w (weeks).
4524
4525 This feature is available in Postfix 3.4 and later.
4526
4528 The postfix(1) commands that the postmulti(1) instance manager treats
4529 as "control" commands, that operate on running instances. For these
4530 commands, disabled instances are skipped.
4531
4532 This feature is available in Postfix 2.6 and later.
4533
4535 The postfix(1) commands that the postmulti(1) instance manager treats
4536 as "start" commands. For these commands, disabled instances are
4537 "checked" rather than "started", and failure to "start" a member
4538 instance of an instance group will abort the start-up of later
4539 instances.
4540
4541 This feature is available in Postfix 2.6 and later.
4542
4544 The postfix(1) commands that the postmulti(1) instance manager treats
4545 as "stop" commands. For these commands, disabled instances are skipped,
4546 and enabled instances are processed in reverse order.
4547
4548 This feature is available in Postfix 2.6 and later.
4549
4551 Permanent white/blacklist for remote SMTP client IP addresses.
4552 postscreen(8) searches this list immediately after a remote SMTP client
4553 connects. Specify a comma- or whitespace-separated list of commands
4554 (in upper or lower case) or lookup tables. The search stops upon the
4555 first command that fires for the client IP address.
4556
4557 permit_mynetworks
4558 Whitelist the client and terminate the search if the client IP
4559 address matches $mynetworks. Do not subject the client to any
4560 before/after 220 greeting tests. Pass the connection immedi‐
4561 ately to a Postfix SMTP server process.
4562 Pattern matching of domain names is controlled by the presence
4563 or absence of "postscreen_access_list" in the par‐
4564 ent_domain_matches_subdomains parameter value.
4565
4566 type:table
4567 Query the specified lookup table. Each table lookup result is an
4568 access list, except that access lists inside a table cannot
4569 specify type:table entries.
4570 To discourage the use of hash, btree, etc. tables, there is no
4571 support for substring matching like smtpd(8). Use CIDR tables
4572 instead.
4573
4574 permit
4575 Whitelist the client and terminate the search. Do not subject
4576 the client to any before/after 220 greeting tests. Pass the con‐
4577 nection immediately to a Postfix SMTP server process.
4578
4579 reject
4580 Blacklist the client and terminate the search. Subject the
4581 client to the action configured with the postscreen_black‐
4582 list_action configuration parameter.
4583
4584 dunno All postscreen(8) access lists implicitly have this command at
4585 the end.
4586 When dunno is executed inside a lookup table, return from the
4587 lookup table and evaluate the next command.
4588 When dunno is executed outside a lookup table, terminate the
4589 search, and subject the client to the configured before/after
4590 220 greeting tests.
4591
4592 Example:
4593
4594 /etc/postfix/main.cf:
4595 postscreen_access_list = permit_mynetworks,
4596 cidr:/etc/postfix/postscreen_access.cidr
4597 postscreen_blacklist_action = enforce
4598
4599 /etc/postfix/postscreen_access.cidr:
4600 # Rules are evaluated in the order as specified.
4601 # Blacklist 192.168.* except 192.168.0.1.
4602 192.168.0.1 dunno
4603 192.168.0.0/16 reject
4604
4605 This feature is available in Postfix 2.8.
4606
4608 The action that postscreen(8) takes when a remote SMTP client sends a
4609 bare newline character, that is, a newline not preceded by carriage
4610 return. Specify one of the following:
4611
4612 ignore Ignore the failure of this test. Allow other tests to complete.
4613 Do not repeat this test before some the result from some other
4614 test expires. This option is useful for testing and collecting
4615 statistics without blocking mail permanently.
4616
4617 enforce
4618 Allow other tests to complete. Reject attempts to deliver mail
4619 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4620 mation. Repeat this test the next time the client connects.
4621
4622 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4623 this test the next time the client connects.
4624
4625 This feature is available in Postfix 2.8.
4626
4628 Enable "bare newline" SMTP protocol tests in the postscreen(8) server.
4629 These tests are expensive: a remote SMTP client must disconnect after
4630 it passes the test, before it can talk to a real Postfix SMTP server.
4631
4632 This feature is available in Postfix 2.8.
4633
4635 The amount of time that postscreen(8) will use the result from a suc‐
4636 cessful "bare newline" SMTP protocol test. During this time, the client
4637 IP address is excluded from this test. The default is long because a
4638 remote SMTP client must disconnect after it passes the test, before it
4639 can talk to a real Postfix SMTP server.
4640
4641 Specify a non-zero time value (an integral value plus an optional
4642 one-letter suffix that specifies the time unit). Time units: s (sec‐
4643 onds), m (minutes), h (hours), d (days), w (weeks).
4644
4645 This feature is available in Postfix 2.8.
4646
4648 The action that postscreen(8) takes when a remote SMTP client is perma‐
4649 nently blacklisted with the postscreen_access_list parameter. Specify
4650 one of the following:
4651
4652 ignore (default)
4653 Ignore this result. Allow other tests to complete. Repeat this
4654 test the next time the client connects. This option is useful
4655 for testing and collecting statistics without blocking mail.
4656
4657 enforce
4658 Allow other tests to complete. Reject attempts to deliver mail
4659 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4660 mation. Repeat this test the next time the client connects.
4661
4662 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4663 this test the next time the client connects.
4664
4665 This feature is available in Postfix 2.8.
4666
4668 The amount of time between postscreen(8) cache cleanup runs. Cache
4669 cleanup increases the load on the cache database and should therefore
4670 not be run frequently. This feature requires that the cache database
4671 supports the "delete" and "sequence" operators. Specify a zero inter‐
4672 val to disable cache cleanup.
4673
4674 After each cache cleanup run, the postscreen(8) daemon logs the number
4675 of entries that were retained and dropped. A cleanup run is logged as
4676 "partial" when the daemon terminates early after "postfix reload",
4677 "postfix stop", or no requests for $max_idle seconds.
4678
4679 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4680
4681 This feature is available in Postfix 2.8.
4682
4684 Persistent storage for the postscreen(8) server decisions.
4685
4686 To share a postscreen(8) cache between multiple postscreen(8)
4687 instances, use "postscreen_cache_map = proxy:btree:/path/to/file".
4688 This requires Postfix version 2.9 or later; earlier proxymap(8) imple‐
4689 mentations don't support cache cleanup. For an alternative approach see
4690 the memcache_table(5) manpage.
4691
4692 This feature is available in Postfix 2.8.
4693
4695 The amount of time that postscreen(8) will cache an expired temporary
4696 whitelist entry before it is removed. This prevents clients from being
4697 logged as "NEW" just because their cache entry expired an hour ago. It
4698 also prevents the cache from filling up with clients that passed some
4699 deep protocol test once and never came back.
4700
4701 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4702
4703 This feature is available in Postfix 2.8.
4704
4706 tion_count_limit)
4707 How many simultaneous connections any remote SMTP client is allowed to
4708 have with the postscreen(8) daemon. By default, this limit is the same
4709 as with the Postfix SMTP server. Note that the triage process can take
4710 several seconds, with the time spent in postscreen_greet_wait delay,
4711 and with the time spent talking to the postscreen(8) built-in dummy
4712 SMTP protocol engine.
4713
4714 This feature is available in Postfix 2.8.
4715
4717 The limit on the total number of commands per SMTP session for
4718 postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers
4719 or rejects all attempts to deliver mail, therefore there is no need to
4720 enforce separate limits on the number of junk commands and error com‐
4721 mands.
4722
4723 This feature is available in Postfix 2.8.
4724
4726 A mechanism to transform commands from remote SMTP clients. See
4727 smtpd_command_filter for further details.
4728
4729 This feature is available in Postfix 2.8 and later.
4730
4732 The time limit to read an entire command line with postscreen(8)'s
4733 built-in SMTP protocol engine.
4734
4735 This feature is available in Postfix 2.8.
4736
4738 Disable the SMTP VRFY command in the postscreen(8) daemon. See dis‐
4739 able_vrfy_command for details.
4740
4741 This feature is available in Postfix 2.8.
4742
4744 card_ehlo_keyword_address_maps)
4745 Lookup tables, indexed by the remote SMTP client address, with case
4746 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
4747 that the postscreen(8) server will not send in the EHLO response to a
4748 remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
4749 table is not searched by hostname for robustness reasons.
4750
4751 This feature is available in Postfix 2.8 and later.
4752
4754 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
4755 etc.) that the postscreen(8) server will not send in the EHLO response
4756 to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4757
4758 This feature is available in Postfix 2.8 and later.
4759
4761 The action that postscreen(8) takes when a remote SMTP client's com‐
4762 bined DNSBL score is equal to or greater than a threshold (as defined
4763 with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4764 ters). Specify one of the following:
4765
4766 ignore (default)
4767 Ignore the failure of this test. Allow other tests to complete.
4768 Repeat this test the next time the client connects. This option
4769 is useful for testing and collecting statistics without blocking
4770 mail.
4771
4772 enforce
4773 Allow other tests to complete. Reject attempts to deliver mail
4774 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4775 mation. Repeat this test the next time the client connects.
4776
4777 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4778 this test the next time the client connects.
4779
4780 This feature is available in Postfix 2.8.
4781
4783 ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
4784 The maximum amount of time that postscreen(8) will use the result from
4785 a successful DNS-based reputation test before a client IP address is
4786 required to pass that test again. If the DNS reply specifies a shorter
4787 TTL value, that value will be used unless it would be smaller than
4788 postscreen_dnsbl_min_ttl.
4789
4790 Specify a non-zero time value (an integral value plus an optional
4791 one-letter suffix that specifies the time unit). Time units: s (sec‐
4792 onds), m (minutes), h (hours), d (days), w (weeks).
4793
4794 This feature is available in Postfix 3.1. The default setting is back‐
4795 wards-compatible with older Postfix versions.
4796
4798 The minimum amount of time that postscreen(8) will use the result from
4799 a successful DNS-based reputation test before a client IP address is
4800 required to pass that test again. If the DNS reply specifies a larger
4801 TTL value, that value will be used unless it would be larger than
4802 postscreen_dnsbl_max_ttl.
4803
4804 Specify a non-zero time value (an integral value plus an optional
4805 one-letter suffix that specifies the time unit). Time units: s (sec‐
4806 onds), m (minutes), h (hours), d (days), w (weeks).
4807
4808 This feature is available in Postfix 3.1.
4809
4811 A mapping from actual DNSBL domain name which includes a secret pass‐
4812 word, to the DNSBL domain name that postscreen will reply with when it
4813 rejects mail. When no mapping is found, the actual DNSBL domain will
4814 be used.
4815
4816 For maximal stability it is best to use a file that is read into memory
4817 such as pcre:, regexp: or texthash: (texthash: is similar to hash:,
4818 except a) there is no need to run postmap(1) before the file can be
4819 used, and b) texthash: does not detect changes after the file is read).
4820
4821 Example:
4822
4823 /etc/postfix/main.cf:
4824 postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4825
4826 /etc/postfix/dnsbl_reply:
4827 secret.zen.spamhaus.org zen.spamhaus.org
4828
4829 This feature is available in Postfix 2.8.
4830
4832 Optional list of DNS white/blacklist domains, filters and weight fac‐
4833 tors. When the list is non-empty, the dnsblog(8) daemon will query
4834 these domains with the IP addresses of remote SMTP clients, and
4835 postscreen(8) will update an SMTP client's DNSBL score with each
4836 non-error reply.
4837
4838 Caution: when postscreen rejects mail, it replies with the DNSBL domain
4839 name. Use the postscreen_dnsbl_reply_map feature to hide "password"
4840 information in DNSBL domain names.
4841
4842 When a client's score is equal to or greater than the threshold speci‐
4843 fied with postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4844 nection with the remote SMTP client.
4845
4846 Specify a list of domain=filter*weight entries, separated by comma or
4847 whitespace.
4848
4849 · When no "=filter" is specified, postscreen(8) will use any
4850 non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
4851 replies that match the filter. The filter has the form d.d.d.d,
4852 where each d is a number, or a pattern inside [] that contains
4853 one or more ";"-separated numbers or number..number ranges.
4854
4855 · When no "*weight" is specified, postscreen(8) increments the
4856 remote SMTP client's DNSBL score by 1. Otherwise, the weight
4857 must be an integral number, and postscreen(8) adds the specified
4858 weight to the remote SMTP client's DNSBL score. Specify a nega‐
4859 tive number for whitelisting.
4860
4861 · When one postscreen_dnsbl_sites entry produces multiple DNSBL
4862 responses, postscreen(8) applies the weight at most once.
4863
4864 Examples:
4865
4866 To use example.com as a high-confidence blocklist, and to block mail
4867 with example.net and example.org only when both agree:
4868
4869 postscreen_dnsbl_threshold = 2
4870 postscreen_dnsbl_sites = example.com*2, example.net, example.org
4871
4872 To filter only DNSBL replies containing 127.0.0.4:
4873
4874 postscreen_dnsbl_sites = example.com=127.0.0.4
4875
4876 This feature is available in Postfix 2.8.
4877
4879 The inclusive lower bound for blocking a remote SMTP client, based on
4880 its combined DNSBL score as defined with the postscreen_dnsbl_sites
4881 parameter.
4882
4883 This feature is available in Postfix 2.8.
4884
4886 The time limit for DNSBL or DNSWL lookups. This is separate from the
4887 timeouts in the dnsblog(8) daemon which are defined by system
4888 resolver(3) routines.
4889
4890 This feature is available in Postfix 3.0.
4891
4893 The amount of time that postscreen(8) will use the result from a suc‐
4894 cessful DNS-based reputation test before a client IP address is
4895 required to pass that test again.
4896
4897 Specify a non-zero time value (an integral value plus an optional
4898 one-letter suffix that specifies the time unit). Time units: s (sec‐
4899 onds), m (minutes), h (hours), d (days), w (weeks).
4900
4901 This feature is available in Postfix 2.8-3.0. It was replaced by
4902 postscreen_dnsbl_max_ttl in Postfix 3.1.
4903
4905 Allow a remote SMTP client to skip "before" and "after 220 greeting"
4906 protocol tests, based on its combined DNSBL score as defined with the
4907 postscreen_dnsbl_sites parameter.
4908
4909 Specify a negative value to enable this feature. When a client passes
4910 the postscreen_dnsbl_whitelist_threshold without having failed other
4911 tests, all pending or disabled tests are flagged as completed with a
4912 time-to-live value equal to postscreen_dnsbl_ttl. When a test was
4913 already completed, its time-to-live value is updated if it was less
4914 than postscreen_dnsbl_ttl.
4915
4916 This feature is available in Postfix 2.11.
4917
4919 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
4920 require that clients use TLS encryption. See
4921 smtpd_postscreen_enforce_tls for details.
4922
4923 This feature is available in Postfix 2.8 and later. Preferably, use
4924 postscreen_tls_security_level instead.
4925
4927 List of characters that are permitted in postscreen_reject_footer
4928 attribute expansions. See smtpd_expansion_filter for further details.
4929
4930 This feature is available in Postfix 2.8 and later.
4931
4933 List of commands that the postscreen(8) server considers in violation
4934 of the SMTP protocol. See smtpd_forbidden_commands for syntax, and
4935 postscreen_non_smtp_command_action for possible actions.
4936
4937 This feature is available in Postfix 2.8.
4938
4940 The action that postscreen(8) takes when a remote SMTP client speaks
4941 before its turn within the time specified with the
4942 postscreen_greet_wait parameter. Specify one of the following:
4943
4944 ignore (default)
4945 Ignore the failure of this test. Allow other tests to complete.
4946 Repeat this test the next time the client connects. This option
4947 is useful for testing and collecting statistics without blocking
4948 mail.
4949
4950 enforce
4951 Allow other tests to complete. Reject attempts to deliver mail
4952 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
4953 mation. Repeat this test the next time the client connects.
4954
4955 drop Drop the connection immediately with a 521 SMTP reply. Repeat
4956 this test the next time the client connects.
4957
4958 In either case, postscreen(8) will not whitelist the remote SMTP client
4959 IP address.
4960
4961 This feature is available in Postfix 2.8.
4962
4964 The text in the optional "220-text..." server response that
4965 postscreen(8) sends ahead of the real Postfix SMTP server's "220
4966 text..." response, in an attempt to confuse bad SMTP clients so that
4967 they speak before their turn (pre-greet). Specify an empty value to
4968 disable this feature.
4969
4970 This feature is available in Postfix 2.8.
4971
4973 The amount of time that postscreen(8) will use the result from a suc‐
4974 cessful PREGREET test. During this time, the client IP address is
4975 excluded from this test. The default is relatively short, because a
4976 good client can immediately talk to a real Postfix SMTP server.
4977
4978 Specify a non-zero time value (an integral value plus an optional
4979 one-letter suffix that specifies the time unit). Time units: s (sec‐
4980 onds), m (minutes), h (hours), d (days), w (weeks).
4981
4982 This feature is available in Postfix 2.8.
4983
4985 The amount of time that postscreen(8) will wait for an SMTP client to
4986 send a command before its turn, and for DNS blocklist lookup results to
4987 arrive (default: up to 2 seconds under stress, up to 6 seconds other‐
4988 wise).
4989
4990 Specify a non-zero time value (an integral value plus an optional
4991 one-letter suffix that specifies the time unit).
4992
4993 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4994
4995 This feature is available in Postfix 2.8.
4996
4998 Require that a remote SMTP client sends HELO or EHLO before commencing
4999 a MAIL transaction.
5000
5001 This feature is available in Postfix 2.8.
5002
5004 The action that postscreen(8) takes when a remote SMTP client sends
5005 non-SMTP commands as specified with the postscreen_forbidden_commands
5006 parameter. Specify one of the following:
5007
5008 ignore Ignore the failure of this test. Allow other tests to complete.
5009 Do not repeat this test before some the result from some other
5010 test expires. This option is useful for testing and collecting
5011 statistics without blocking mail permanently.
5012
5013 enforce
5014 Allow other tests to complete. Reject attempts to deliver mail
5015 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
5016 mation. Repeat this test the next time the client connects.
5017
5018 drop Drop the connection immediately with a 521 SMTP reply. Repeat
5019 this test the next time the client connects. This action is the
5020 same as with the Postfix SMTP server's smtpd_forbidden_commands
5021 feature.
5022
5023 This feature is available in Postfix 2.8.
5024
5026 Enable "non-SMTP command" tests in the postscreen(8) server. These
5027 tests are expensive: a client must disconnect after it passes the test,
5028 before it can talk to a real Postfix SMTP server.
5029
5030 This feature is available in Postfix 2.8.
5031
5033 The amount of time that postscreen(8) will use the result from a suc‐
5034 cessful "non_smtp_command" SMTP protocol test. During this time, the
5035 client IP address is excluded from this test. The default is long
5036 because a client must disconnect after it passes the test, before it
5037 can talk to a real Postfix SMTP server.
5038
5039 Specify a non-zero time value (an integral value plus an optional
5040 one-letter suffix that specifies the time unit). Time units: s (sec‐
5041 onds), m (minutes), h (hours), d (days), w (weeks).
5042
5043 This feature is available in Postfix 2.8.
5044
5046 The action that postscreen(8) takes when a remote SMTP client sends
5047 multiple commands instead of sending one command and waiting for the
5048 server to respond. Specify one of the following:
5049
5050 ignore Ignore the failure of this test. Allow other tests to complete.
5051 Do not repeat this test before some the result from some other
5052 test expires. This option is useful for testing and collecting
5053 statistics without blocking mail permanently.
5054
5055 enforce
5056 Allow other tests to complete. Reject attempts to deliver mail
5057 with a 550 SMTP reply, and log the helo/sender/recipient infor‐
5058 mation. Repeat this test the next time the client connects.
5059
5060 drop Drop the connection immediately with a 521 SMTP reply. Repeat
5061 this test the next time the client connects.
5062
5063 This feature is available in Postfix 2.8.
5064
5066 Enable "pipelining" SMTP protocol tests in the postscreen(8) server.
5067 These tests are expensive: a good client must disconnect after it
5068 passes the test, before it can talk to a real Postfix SMTP server.
5069
5070 This feature is available in Postfix 2.8.
5071
5073 The amount of time that postscreen(8) will use the result from a suc‐
5074 cessful "pipelining" SMTP protocol test. During this time, the client
5075 IP address is excluded from this test. The default is long because a
5076 good client must disconnect after it passes the test, before it can
5077 talk to a real Postfix SMTP server.
5078
5079 Specify a non-zero time value (an integral value plus an optional
5080 one-letter suffix that specifies the time unit). Time units: s (sec‐
5081 onds), m (minutes), h (hours), d (days), w (weeks).
5082
5083 This feature is available in Postfix 2.8.
5084
5086 The number of clients that can be waiting for service from a real Post‐
5087 fix SMTP server process. When this queue is full, all clients will
5088 receive a 421 response.
5089
5090 This feature is available in Postfix 2.8.
5091
5093 The number of non-whitelisted clients that can be waiting for a deci‐
5094 sion whether they will receive service from a real Postfix SMTP server
5095 process. When this queue is full, all non-whitelisted clients will
5096 receive a 421 response.
5097
5098 This feature is available in Postfix 2.8.
5099
5101 Optional information that is appended after a 4XX or 5XX postscreen(8)
5102 server response. See smtpd_reject_footer for further details.
5103
5104 This feature is available in Postfix 2.8 and later.
5105
5107 Optional lookup table for information that is appended after a 4XX or
5108 5XX postscreen(8) server response. See smtpd_reject_footer_maps for
5109 further details.
5110
5111 This feature is available in Postfix 3.4 and later.
5112
5114 The SMTP TLS security level for the postscreen(8) server; when a
5115 non-empty value is specified, this overrides the obsolete parameters
5116 postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_secu‐
5117 rity_level for details.
5118
5119 This feature is available in Postfix 2.8 and later.
5120
5122 The name of the proxy protocol used by an optional before-postscreen
5123 proxy agent. When a proxy agent is used, this protocol conveys local
5124 and remote address and port information. Specify
5125 "postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
5126 protocol.
5127
5128 This feature is available in Postfix 2.10 and later.
5129
5131 The time limit for the proxy protocol specified with the
5132 postscreen_upstream_proxy_protocol parameter.
5133
5134 This feature is available in Postfix 2.10 and later.
5135
5137 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
5138 but do not require that clients use TLS encryption.
5139
5140 This feature is available in Postfix 2.8 and later. Preferably, use
5141 postscreen_tls_security_level instead.
5142
5144 How much time a postscreen(8) process may take to respond to a remote
5145 SMTP client command or to perform a cache operation before it is termi‐
5146 nated by a built-in watchdog timer. This is a safety mechanism that
5147 prevents postscreen(8) from becoming non-responsive due to a bug in
5148 Postfix itself or in system software. To avoid false alarms and unnec‐
5149 essary cache corruption this limit cannot be set under 10s.
5150
5151 Specify a non-zero time value (an integral value plus an optional
5152 one-letter suffix that specifies the time unit). Time units: s (sec‐
5153 onds), m (minutes), h (hours), d (days), w (weeks).
5154
5155 This feature is available in Postfix 2.8.
5156
5158 A list of local postscreen(8) server IP addresses where a
5159 non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5160 whitelist status. This status is required before the client can talk to
5161 a Postfix SMTP server process. By default, a client can obtain
5162 postscreen(8)'s whitelist status on any local postscreen(8) server IP
5163 address.
5164
5165 When postscreen(8) listens on both primary and backup MX addresses, the
5166 postscreen_whitelist_interfaces parameter can be configured to give the
5167 temporary whitelist status only when a client connects to a primary MX
5168 address. Once a client is whitelisted it can talk to a Postfix SMTP
5169 server on any address. Thus, clients that connect only to backup MX
5170 addresses will never become whitelisted, and will never be allowed to
5171 talk to a Postfix SMTP server process.
5172
5173 Specify a list of network addresses or network/netmask patterns, sepa‐
5174 rated by commas and/or whitespace. The netmask specifies the number of
5175 bits in the network part of a host address. Continue long lines by
5176 starting the next line with whitespace.
5177
5178 You can also specify "/file/name" or "type:table" patterns. A
5179 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5180 table is matched when a table entry matches a lookup string (the lookup
5181 result is ignored).
5182
5183 The list is matched left to right, and the search stops on the first
5184 match. Specify "!pattern" to exclude an address or network block from
5185 the list.
5186
5187 Note: IP version 6 address information must be specified inside [] in
5188 the postscreen_whitelist_interfaces value, and in files specified with
5189 "/file/name". IP version 6 addresses contain the ":" character, and
5190 would otherwise be confused with a "type:table" pattern.
5191
5192 Example:
5193
5194 /etc/postfix/main.cf:
5195 # Don't whitelist connections to the backup IP address.
5196 postscreen_whitelist_interfaces = !168.100.189.8, static:all
5197
5198 This feature is available in Postfix 2.9 and later.
5199
5201 The message delivery contexts where the Postfix local(8) delivery agent
5202 prepends a Delivered-To: message header with the address that the mail
5203 was delivered to. This information is used for mail delivery loop
5204 detection.
5205
5206 By default, the Postfix local delivery agent prepends a Delivered-To:
5207 header when forwarding mail and when delivering to file (mailbox) and
5208 command. Turning off the Delivered-To: header when forwarding mail is
5209 not recommended.
5210
5211 Specify zero or more of forward, file, or command.
5212
5213 Example:
5214
5215 prepend_delivered_header = forward
5216
5218 The process ID of a Postfix command or daemon process.
5219
5221 The location of Postfix PID files relative to $queue_directory. This
5222 is a read-only parameter.
5223
5225 The process name of a Postfix command or daemon process.
5226
5228 What address lookup tables copy an address extension from the lookup
5229 key to the lookup result.
5230
5231 For example, with a virtual(5) mapping of "joe@example.com =>
5232 joe.user@example.net", the address "joe+foo@example.com" would rewrite
5233 to "joe.user+foo@example.net".
5234
5235 Specify zero or more of canonical, virtual, alias, forward, include or
5236 generic. These cause address extension propagation with canonical(5),
5237 virtual(5), and aliases(5) maps, with local(8) .forward and :include:
5238 file lookups, and with smtp(8) generic maps, respectively.
5239
5240 Note: enabling this feature for types other than canonical and virtual
5241 is likely to cause problems when mail is forwarded to other sites,
5242 especially with mail that is sent to a mailing list exploder address.
5243
5244 Examples:
5245
5246 propagate_unmatched_extensions = canonical, virtual, alias,
5247 forward, include
5248 propagate_unmatched_extensions = canonical, virtual
5249
5251 The network interface addresses that this mail system receives mail on
5252 by way of a proxy or network address translation unit.
5253
5254 This feature is available in Postfix 2.0 and later.
5255
5256 You must specify your "outside" proxy/NAT addresses when your system is
5257 a backup MX host for other domains, otherwise mail delivery loops will
5258 happen when the primary MX host is down.
5259
5260 Example:
5261
5262 proxy_interfaces = 1.2.3.4
5263
5265 The lookup tables that the proxymap(8) server is allowed to access for
5266 the read-only service.
5267
5268 Specify zero or more "type:name" lookup tables, separated by whitespace
5269 or comma. Table references that don't begin with proxy: are ignored.
5270
5271 This feature is available in Postfix 2.0 and later.
5272
5274 The lookup tables that the proxymap(8) server is allowed to access for
5275 the read-write service. Postfix-owned local database files should be
5276 stored under the Postfix-owned data_directory. Table references that
5277 don't begin with proxy: are ignored.
5278
5279 This feature is available in Postfix 2.5 and later.
5280
5282 The name of the proxymap read-only table lookup service. This service
5283 is normally implemented by the proxymap(8) daemon.
5284
5285 This feature is available in Postfix 2.6 and later.
5286
5288 The name of the proxywrite read-write table lookup service. This ser‐
5289 vice is normally implemented by the proxymap(8) daemon.
5290
5291 This feature is available in Postfix 2.6 and later.
5292
5294 The minimal delay between warnings that a specific destination is clog‐
5295 ging up the Postfix active queue. Specify 0 to disable.
5296
5297 This feature is enabled with the helpful_warnings parameter.
5298
5299 This feature is available in Postfix 2.0 and later.
5300
5302 How much time a Postfix queue manager process may take to handle a
5303 request before it is terminated by a built-in watchdog timer.
5304
5305 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5306 The default time unit is s (seconds).
5307
5308 This feature is available in Postfix 2.8 and later.
5309
5311 Obsolete feature: the percentage of delivery resources that a busy mail
5312 system will use up for delivery of a large mailing list message.
5313
5314 This feature exists only in the oqmgr(8) old queue manager. The current
5315 queue manager solves the problem in a better way.
5316
5318 The time limit for the queue manager to send or receive information
5319 over an internal communication channel. The purpose is to break out of
5320 deadlock situations. If the time limit is exceeded the software either
5321 retries or aborts the operation.
5322
5323 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5324 The default time unit is s (seconds).
5325
5326 This feature is available in Postfix 2.8 and later.
5327
5329 The maximal number of messages in the active queue.
5330
5332 The maximal number of recipients held in memory by the Postfix queue
5333 manager, and the maximal size of the short-term, in-memory "dead" des‐
5334 tination status cache.
5335
5337 The minimal number of in-memory recipients for any message. This takes
5338 priority over any other in-memory recipient limits (i.e., the global
5339 qmgr_message_recipient_limit and the per transport _recipient_limit) if
5340 necessary. The minimum value allowed for this parameter is 1.
5341
5343 What remote QMQP clients are allowed to connect to the Postfix QMQP
5344 server port.
5345
5346 By default, no client is allowed to use the service. This is because
5347 the QMQP server will relay mail to any destination.
5348
5349 Specify a list of client patterns. A list pattern specifies a host
5350 name, a domain name, an internet address, or a network/mask pattern,
5351 where the mask specifies the number of bits in the network part. When
5352 a pattern specifies a file name, its contents are substituted for the
5353 file name; when a pattern is a "type:table" table specification, table
5354 lookup is used instead.
5355
5356 Patterns are separated by whitespace and/or commas. In order to reverse
5357 the result, precede a pattern with an exclamation point (!). The form
5358 "!/file/name" is supported only in Postfix version 2.4 and later.
5359
5360 Pattern matching of domain names is controlled by the presence or
5361 absence of "qmqpd_authorized_clients" in the parent_domain_matches_sub‐
5362 domains parameter value.
5363
5364 Example:
5365
5366 qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
5367
5369 Enable logging of the remote QMQP client port in addition to the host‐
5370 name and IP address. The logging format is "host[address]:port".
5371
5372 This feature is available in Postfix 2.5 and later.
5373
5375 How long the Postfix QMQP server will pause before sending a negative
5376 reply to the remote QMQP client. The purpose is to slow down confused
5377 or malicious clients.
5378
5379 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5380 The default time unit is s (seconds).
5381
5383 The time limit for sending or receiving information over the network.
5384 If a read or write operation blocks for more than $qmqpd_timeout sec‐
5385 onds the Postfix QMQP server gives up and disconnects.
5386
5387 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5388 The default time unit is s (seconds).
5389
5391 The location of the Postfix top-level queue directory. This is the root
5392 directory of Postfix daemon processes that run chrooted.
5393
5395 The maximal number of (name=value) attributes that may be stored in a
5396 Postfix queue file. The limit is enforced by the cleanup(8) server.
5397
5398 This feature is available in Postfix 2.0 and later.
5399
5401 The minimal amount of free space in bytes in the queue file system that
5402 is needed to receive mail. This is currently used by the Postfix SMTP
5403 server to decide if it will accept any mail at all.
5404
5405 By default, the Postfix SMTP server rejects MAIL FROM commands when the
5406 amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5407 sion 2.1 and later). To specify a higher minimum free space limit,
5408 specify a queue_minfree value that is at least 1.5*$message_size_limit.
5409
5410 With Postfix versions 2.0 and earlier, a queue_minfree value of zero
5411 means there is no minimum required amount of free space.
5412
5414 The time between deferred queue scans by the queue manager; prior to
5415 Postfix 2.4 the default value was 1000s.
5416
5417 This parameter should be set less than or equal to $minimal_back‐
5418 off_time. See also $maximal_backoff_time.
5419
5420 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5421 The default time unit is s (seconds).
5422
5424 The name of the qmgr(8) service. This service manages the Postfix queue
5425 and schedules delivery requests.
5426
5427 This feature is available in Postfix 2.0 and later.
5428
5430 Optional lookup tables with RBL response templates. The tables are
5431 indexed by the RBL domain name. By default, Postfix uses the default
5432 template as specified with the default_rbl_reply configuration parame‐
5433 ter. See there for a discussion of the syntax of RBL reply templates.
5434
5435 This feature is available in Postfix 2.0 and later.
5436
5438 The location of Postfix README files that describe how to build, con‐
5439 figure or operate a specific Postfix subsystem or feature.
5440
5442 Enable or disable recipient validation, built-in content filtering, or
5443 address mapping. Typically, these are specified in master.cf as com‐
5444 mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
5445
5446 Specify zero or more of the following options. The options override
5447 main.cf settings and are either implemented by smtpd(8), qmqpd(8), or
5448 pickup(8) themselves, or they are forwarded to the cleanup server.
5449
5450 no_unknown_recipient_checks
5451 Do not try to reject unknown recipients (SMTP server only).
5452 This is typically specified AFTER an external content filter.
5453
5454 no_address_mappings
5455 Disable canonical address mapping, virtual alias map expansion,
5456 address masquerading, and automatic BCC (blind carbon-copy)
5457 recipients. This is typically specified BEFORE an external con‐
5458 tent filter.
5459
5460 no_header_body_checks
5461 Disable header/body_checks. This is typically specified AFTER an
5462 external content filter.
5463
5464 no_milters
5465 Disable Milter (mail filter) applications. This is typically
5466 specified AFTER an external content filter.
5467
5468 Note: when the "BEFORE content filter" receive_override_options setting
5469 is specified in the main.cf file, specify the "AFTER content filter"
5470 receive_override_options setting in master.cf (and vice versa).
5471
5472 Examples:
5473
5474 receive_override_options =
5475 no_unknown_recipient_checks, no_header_body_checks
5476 receive_override_options = no_address_mappings
5477
5478 This feature is available in Postfix 2.1 and later.
5479
5481 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5482 recipient address. The BCC address (multiple results are not sup‐
5483 ported) is added when mail enters from outside of Postfix.
5484
5485 Specify zero or more "type:name" lookup tables, separated by whitespace
5486 or comma. Tables will be searched in the specified order until a match
5487 is found.
5488
5489 The table search order is as follows:
5490
5491 · Look up the "user+extension@domain.tld" address including the
5492 optional address extension.
5493
5494 · Look up the "user@domain.tld" address without the optional
5495 address extension.
5496
5497 · Look up the "user+extension" address local part when the recipi‐
5498 ent domain equals $myorigin, $mydestination, $inet_interfaces or
5499 $proxy_interfaces.
5500
5501 · Look up the "user" address local part when the recipient domain
5502 equals $myorigin, $mydestination, $inet_interfaces or
5503 $proxy_interfaces.
5504
5505 · Look up the "@domain.tld" part.
5506
5507 Note: with Postfix 2.3 and later the BCC address is added as if it was
5508 specified with NOTIFY=NONE. The sender will not be notified when the
5509 BCC address is undeliverable, as long as all down-stream software
5510 implements RFC 3461.
5511
5512 Note: with Postfix 2.2 and earlier the sender will unconditionally be
5513 notified when the BCC address is undeliverable.
5514
5515 Note: automatic BCC recipients are produced only for new mail. To
5516 avoid mailer loops, automatic BCC recipients are not generated after
5517 Postfix forwards mail internally, or after Postfix generates mail
5518 itself.
5519
5520 Example:
5521
5522 recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
5523
5524 After a change, run "postmap /etc/postfix/recipient_bcc".
5525
5526 This feature is available in Postfix 2.1 and later.
5527
5529 What addresses are subject to recipient_canonical_maps address mapping.
5530 By default, recipient_canonical_maps address mapping is applied to
5531 envelope recipient addresses, and to header recipient addresses.
5532
5533 Specify one or more of: envelope_recipient, header_recipient
5534
5535 This feature is available in Postfix 2.2 and later.
5536
5538 Optional address mapping lookup tables for envelope and header recipi‐
5539 ent addresses. The table format and lookups are documented in canoni‐
5540 cal(5).
5541
5542 Note: $recipient_canonical_maps is processed before $canonical_maps.
5543
5544 Example:
5545
5546 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
5547
5549 The set of characters that can separate a user name from its extension
5550 (example: user+foo), or a .forward file name from its extension (exam‐
5551 ple: .forward+foo). Basically, the software tries user+foo and .for‐
5552 ward+foo before trying user and .forward. This implementation recog‐
5553 nizes one delimiter character and one extension per email address or
5554 .forward file name.
5555
5556 When the recipient_delimiter set contains multiple characters (Postfix
5557 2.11 and later), a user name or .forward file name is separated from
5558 its extension by the first character that matches the recipient_delim‐
5559 iter set.
5560
5561 See canonical(5), local(8), relocated(5) and virtual(5) for the effects
5562 of recipient_delimiter on lookups in aliases, canonical, virtual, and
5563 relocated maps, and see the propagate_unmatched_extensions parameter
5564 for propagating an extension from one email address to another.
5565
5566 When used in command_execution_directory, forward_path, or luser_relay,
5567 ${recipient_delimiter} is replaced with the actual recipient delimiter
5568 that was found in the recipient email address (Postfix 2.11 and later),
5569 or it is replaced with the main.cf recipient_delimiter parameter value
5570 (Postfix 2.10 and earlier).
5571
5572 The recipient_delimiter is not applied to the mailer-daemon address,
5573 the postmaster address, or the double-bounce address. With the default
5574 "owner_request_special = yes" setting, the recipient_delimiter is also
5575 not applied to addresses with the special "owner-" prefix or the spe‐
5576 cial "-request" suffix.
5577
5578 Examples:
5579
5580 # Handle Postfix-style extensions.
5581 recipient_delimiter = +
5582
5583 # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
5584 recipient_delimiter = +-
5585
5586 # Use .forward for mail without address extension, and for mail with
5587 # an unrecognized address extension.
5588 forward_path = $home/.forward${recipient_delimiter}${extension},
5589 $home/.forward
5590
5592 The numerical Postfix SMTP server response code when a remote SMTP
5593 client request is rejected by the "reject" restriction.
5594
5595 Do not change this unless you have a complete understanding of RFC
5596 5321.
5597
5599 The Postfix SMTP server's action when a reject-type restriction fails
5600 due to a temporary error condition. Specify "defer" to defer the remote
5601 SMTP client request immediately. With the default "defer_if_permit"
5602 action, the Postfix SMTP server continues to look for opportunities to
5603 reject mail, and defers the client request only if it would otherwise
5604 be accepted.
5605
5606 For finer control, see: unverified_recipient_tempfail_action, unveri‐
5607 fied_sender_tempfail_action, unknown_address_tempfail_action, and
5608 unknown_helo_hostname_tempfail_action.
5609
5610 This feature is available in Postfix 2.6 and later.
5611
5613 List of tables with remote SMTP client-certificate fingerprints or pub‐
5614 lic key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP
5615 server will allow access with the permit_tls_clientcerts feature. The
5616 fingerprint digest algorithm is configurable via the smtpd_tls_finger‐
5617 print_digest parameter (hard-coded as md5 prior to Postfix version
5618 2.5).
5619
5620 Postfix lookup tables are in the form of (key, value) pairs. Since we
5621 only need the key, the value can be chosen freely, e.g. the name of
5622 the user or host: D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80
5623 lutzpc.at.home
5624
5625 Example:
5626
5627 relay_clientcerts = hash:/etc/postfix/relay_clientcerts
5628
5629 For more fine-grained control, use check_ccert_access to select an
5630 appropriate access(5) policy for each client. See RESTRIC‐
5631 TION_CLASS_README.
5632
5633 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
5634 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
5635 later.
5636
5637 This feature is available with Postfix version 2.2.
5638
5640 rency_limit)
5641 The maximal number of parallel deliveries to the same destination via
5642 the relay message delivery transport. This limit is enforced by the
5643 queue manager. The message delivery transport name is the first field
5644 in the entry in the master.cf file.
5645
5646 This feature is available in Postfix 2.0 and later.
5647
5649 ent_limit)
5650 The maximal number of recipients per message for the relay message
5651 delivery transport. This limit is enforced by the queue manager. The
5652 message delivery transport name is the first field in the entry in the
5653 master.cf file.
5654
5655 Setting this parameter to a value of 1 changes the meaning of
5656 relay_destination_concurrency_limit from concurrency per domain into
5657 concurrency per recipient.
5658
5659 This feature is available in Postfix 2.0 and later.
5660
5662 What destination domains (and subdomains thereof) this system will
5663 relay mail to. For details about how the relay_domains value is used,
5664 see the description of the permit_auth_destination and
5665 reject_unauth_destination SMTP recipient restrictions.
5666
5667 Domains that match $relay_domains are delivered with the $relay_trans‐
5668 port mail delivery transport. The SMTP server validates recipient
5669 addresses with $relay_recipient_maps and rejects non-existent recipi‐
5670 ents. See also the relay domains address class in the
5671 ADDRESS_CLASS_README file.
5672
5673 Note: Postfix will not automatically forward mail for domains that list
5674 this system as their primary or backup MX host. See the per‐
5675 mit_mx_backup restriction in the postconf(5) manual page.
5676
5677 Specify a list of host or domain names, "/file/name" patterns or
5678 "type:table" lookup tables, separated by commas and/or whitespace.
5679 Continue long lines by starting the next line with whitespace. A
5680 "/file/name" pattern is replaced by its contents; a "type:table" lookup
5681 table is matched when a (parent) domain appears as lookup key. Specify
5682 "!pattern" to exclude a domain from the list. The form "!/file/name" is
5683 supported only in Postfix version 2.4 and later.
5684
5685 Pattern matching of domain names is controlled by the presence or
5686 absence of "relay_domains" in the parent_domain_matches_subdomains
5687 parameter value.
5688
5690 The numerical Postfix SMTP server response code when a client request
5691 is rejected by the reject_unauth_destination recipient restriction.
5692
5693 Do not change this unless you have a complete understanding of RFC
5694 5321.
5695
5697 Optional lookup tables with all valid addresses in the domains that
5698 match $relay_domains. Specify @domain as a wild-card for domains that
5699 have no valid recipient list, and become a source of backscatter mail:
5700 Postfix accepts spam for non-existent recipients and then floods inno‐
5701 cent people with undeliverable mail. Technically, tables listed with
5702 $relay_recipient_maps are used as lists: Postfix needs to know only if
5703 a lookup string is found or not, but it does not use the result from
5704 table lookup.
5705
5706 Specify zero or more "type:name" lookup tables, separated by whitespace
5707 or comma. Tables will be searched in the specified order until a match
5708 is found.
5709
5710 If this parameter is non-empty, then the Postfix SMTP server will
5711 reject mail to unknown relay users. This feature is off by default.
5712
5713 See also the relay domains address class in the ADDRESS_CLASS_README
5714 file.
5715
5716 Example:
5717
5718 relay_recipient_maps = hash:/etc/postfix/relay_recipients
5719
5720 This feature is available in Postfix 2.0 and later.
5721
5723 The default mail delivery transport and next-hop destination for remote
5724 delivery to domains listed with $relay_domains. In order of decreasing
5725 precedence, the nexthop destination is taken from $relay_transport,
5726 $sender_dependent_relayhost_maps, $relayhost, or from the recipient
5727 domain. This information can be overruled with the transport(5) table.
5728
5729 Specify a string of the form transport:nexthop, where transport is the
5730 name of a mail delivery transport defined in master.cf. The :nexthop
5731 destination is optional; its syntax is documented in the manual page of
5732 the corresponding delivery agent.
5733
5734 See also the relay domains address class in the ADDRESS_CLASS_README
5735 file.
5736
5737 This feature is available in Postfix 2.0 and later.
5738
5740 The next-hop destination of non-local mail; overrides non-local domains
5741 in recipient addresses. This information is overruled with relay_trans‐
5742 port, sender_dependent_default_transport_maps, default_transport,
5743 sender_dependent_relayhost_maps and with the transport(5) table.
5744
5745 On an intranet, specify the organizational domain name. If your inter‐
5746 nal DNS uses no MX records, specify the name of the intranet gateway
5747 host instead.
5748
5749 In the case of SMTP, specify a domain name, hostname, hostname:port,
5750 [hostname]:port, [hostaddress] or [hostaddress]:port. The form [host‐
5751 name] turns off MX lookups.
5752
5753 If you're connected via UUCP, see the UUCP_README file for useful
5754 information.
5755
5756 Examples:
5757
5758 relayhost = $mydomain
5759 relayhost = [gateway.example.com]
5760 relayhost = uucphost
5761 relayhost = [an.ip.add.ress]
5762
5764 Optional lookup tables with new contact information for users or
5765 domains that no longer exist. The table format and lookups are docu‐
5766 mented in relocated(5).
5767
5768 Specify zero or more "type:name" lookup tables, separated by whitespace
5769 or comma. Tables will be searched in the specified order until a match
5770 is found.
5771
5772 If you use this feature, run "postmap /etc/postfix/relocated" to build
5773 the necessary DBM or DB file after change, then "postfix reload" to
5774 make the changes visible.
5775
5776 Examples:
5777
5778 relocated_maps = dbm:/etc/postfix/relocated
5779 relocated_maps = hash:/etc/postfix/relocated
5780
5782 Don't rewrite message headers from remote clients at all when this
5783 parameter is empty; otherwise, rewrite message headers and append the
5784 specified domain name to incomplete addresses. The local_header_re‐
5785 write_clients parameter controls what clients Postfix considers local.
5786
5787 Examples:
5788
5789 The safe setting: append "domain.invalid" to incomplete header
5790 addresses from remote SMTP clients, so that those addresses cannot be
5791 confused with local addresses.
5792
5793 remote_header_rewrite_domain = domain.invalid
5794
5795 The default, purist, setting: don't rewrite headers from remote clients
5796 at all.
5797
5798 remote_header_rewrite_domain =
5799
5801 Require that a local(8) recipient's home directory exists before mail
5802 delivery is attempted. By default this test is disabled. It can be
5803 useful for environments that import home directories to the mail server
5804 (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5805
5807 Reset the local(8) delivery agent's idea of the owner-alias attribute,
5808 when delivering mail to a child alias that does not have its own owner
5809 alias.
5810
5811 This feature is available in Postfix 2.8 and later. With older Postfix
5812 releases, the behavior is as if this parameter is set to "yes".
5813
5814 As documented in aliases(5), when an alias name has a companion alias
5815 named owner-name, this will replace the envelope sender address, so
5816 that delivery errors will be reported to the owner alias instead of the
5817 sender. This configuration is recommended for mailing lists.
5818
5819 A less known property of the owner alias is that it also forces the
5820 local(8) delivery agent to write local and remote addresses from alias
5821 expansion to a new queue file, instead of attempting to deliver mail to
5822 local addresses as soon as they come out of alias expansion.
5823
5824 Writing local addresses from alias expansion to a new queue file allows
5825 for robust handling of temporary delivery errors: errors with one local
5826 member have no effect on deliveries to other members of the list. On
5827 the other hand, delivery to local addresses as soon as they come out of
5828 alias expansion is fragile: a temporary error with one local address
5829 from alias expansion will cause the entire alias to be expanded repeat‐
5830 edly until the error goes away, or until the message expires in the
5831 queue. In that case, a problem with one list member results in multi‐
5832 ple message deliveries to other list members.
5833
5834 The default behavior of Postfix 2.8 and later is to keep the
5835 owner-alias attribute of the parent alias, when delivering mail to a
5836 child alias that does not have its own owner alias. Then, local
5837 addresses from that child alias will be written to a new queue file,
5838 and a temporary error with one local address will not affect delivery
5839 to other mailing list members.
5840
5841 Unfortunately, older Postfix releases reset the owner-alias attribute
5842 when delivering mail to a child alias that does not have its own owner
5843 alias. To be precise, this resets only the decision to create a new
5844 queue file, not the decision to override the envelope sender address.
5845 The local(8) delivery agent then attempts to deliver local addresses as
5846 soon as they come out of child alias expansion. If delivery to any
5847 address from child alias expansion fails with a temporary error condi‐
5848 tion, the entire mailing list may be expanded repeatedly until the mail
5849 expires in the queue, resulting in multiple deliveries of the same mes‐
5850 sage to mailing list members.
5851
5853 Resolve a recipient address safely instead of correctly, by looking
5854 inside quotes.
5855
5856 By default, the Postfix address resolver does not quote the address
5857 localpart as per RFC 822, so that additional @ or % or ! operators
5858 remain visible. This behavior is safe but it is also technically incor‐
5859 rect.
5860
5861 If you specify "resolve_dequoted_address = no", then the Postfix
5862 resolver will not know about additional @ etc. operators in the address
5863 localpart. This opens opportunities for obscure mail relay attacks with
5864 user@domain@domain addresses when Postfix provides backup MX service
5865 for Sendmail systems.
5866
5868 Resolve an address that ends in the "@" null domain as if the local
5869 hostname were specified, instead of rejecting the address as invalid.
5870
5871 This feature is available in Postfix 2.1 and later. Earlier versions
5872 always resolve the null domain as the local hostname.
5873
5874 The Postfix SMTP server uses this feature to reject mail from or to
5875 addresses that end in the "@" null domain, and from addresses that re‐
5876 write into a form that ends in the "@" null domain.
5877
5879 Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
5880 the address as invalid.
5881
5882 This feature is available in Postfix 2.3 and later.
5883
5885 The name of the address rewriting service. This service rewrites
5886 addresses to standard form and resolves them to a (delivery method,
5887 next-hop host, recipient) triple.
5888
5889 This feature is available in Postfix 2.0 and later.
5890
5892 The name of the directory with example Postfix configuration files.
5893 Starting with Postfix 2.1, these files have been replaced with the
5894 postconf(5) manual page.
5895
5897 When authenticating to a remote SMTP or LMTP server with the default
5898 setting "no", send no SASL authoriZation ID (authzid); send only the
5899 SASL authentiCation ID (authcid) plus the authcid's password.
5900
5901 The non-default setting "yes" enables the behavior of older Postfix
5902 versions. These always send a SASL authzid that is equal to the SASL
5903 authcid, but this causes interoperability problems with some SMTP
5904 servers.
5905
5906 This feature is available in Postfix 2.4.4 and later.
5907
5909 This parameter should not be used. It was replaced by sender_depen‐
5910 dent_relayhost_maps in Postfix version 2.3.
5911
5913 Optional BCC (blind carbon-copy) address lookup tables, indexed by
5914 sender address. The BCC address (multiple results are not supported)
5915 is added when mail enters from outside of Postfix.
5916
5917 Specify zero or more "type:name" lookup tables, separated by whitespace
5918 or comma. Tables will be searched in the specified order until a match
5919 is found.
5920
5921 The table search order is as follows:
5922
5923 · Look up the "user+extension@domain.tld" address including the
5924 optional address extension.
5925
5926 · Look up the "user@domain.tld" address without the optional
5927 address extension.
5928
5929 · Look up the "user+extension" address local part when the sender
5930 domain equals $myorigin, $mydestination, $inet_interfaces or
5931 $proxy_interfaces.
5932
5933 · Look up the "user" address local part when the sender domain
5934 equals $myorigin, $mydestination, $inet_interfaces or
5935 $proxy_interfaces.
5936
5937 · Look up the "@domain.tld" part.
5938
5939 Note: with Postfix 2.3 and later the BCC address is added as if it was
5940 specified with NOTIFY=NONE. The sender will not be notified when the
5941 BCC address is undeliverable, as long as all down-stream software
5942 implements RFC 3461.
5943
5944 Note: with Postfix 2.2 and earlier the sender will be notified when the
5945 BCC address is undeliverable.
5946
5947 Note: automatic BCC recipients are produced only for new mail. To
5948 avoid mailer loops, automatic BCC recipients are not generated after
5949 Postfix forwards mail internally, or after Postfix generates mail
5950 itself.
5951
5952 Example:
5953
5954 sender_bcc_maps = hash:/etc/postfix/sender_bcc
5955
5956 After a change, run "postmap /etc/postfix/sender_bcc".
5957
5958 This feature is available in Postfix 2.1 and later.
5959
5961 What addresses are subject to sender_canonical_maps address mapping.
5962 By default, sender_canonical_maps address mapping is applied to enve‐
5963 lope sender addresses, and to header sender addresses.
5964
5965 Specify one or more of: envelope_sender, header_sender
5966
5967 This feature is available in Postfix 2.2 and later.
5968
5970 Optional address mapping lookup tables for envelope and header sender
5971 addresses. The table format and lookups are documented in canoni‐
5972 cal(5).
5973
5974 Example: you want to rewrite the SENDER address "user@ugly.domain" to
5975 "user@pretty.domain", while still being able to send mail to the RECIP‐
5976 IENT address "user@ugly.domain".
5977
5978 Note: $sender_canonical_maps is processed before $canonical_maps.
5979
5980 Example:
5981
5982 sender_canonical_maps = hash:/etc/postfix/sender_canonical
5983
5985 A sender-dependent override for the global default_transport parameter
5986 setting. The tables are searched by the envelope sender address and
5987 @domain. A lookup result of DUNNO terminates the search without over‐
5988 riding the global default_transport parameter setting. This informa‐
5989 tion is overruled with the transport(5) table.
5990
5991 Specify zero or more "type:name" lookup tables, separated by whitespace
5992 or comma. Tables will be searched in the specified order until a match
5993 is found.
5994
5995 Note: this overrides default_transport, not transport_maps, and there‐
5996 fore the expected syntax is that of default_transport, not the syntax
5997 of transport_maps. Specifically, this does not support the trans‐
5998 port_maps syntax for null transport, null nexthop, or null email
5999 addresses.
6000
6001 For safety reasons, this feature does not allow $number substitutions
6002 in regular expression maps.
6003
6004 This feature is available in Postfix 2.7 and later.
6005
6007 A sender-dependent override for the global relayhost parameter setting.
6008 The tables are searched by the envelope sender address and @domain. A
6009 lookup result of DUNNO terminates the search without overriding the
6010 global relayhost parameter setting (Postfix 2.6 and later). This infor‐
6011 mation is overruled with relay_transport, sender_depen‐
6012 dent_default_transport_maps, default_transport and with the trans‐
6013 port(5) table.
6014
6015 Specify zero or more "type:name" lookup tables, separated by whitespace
6016 or comma. Tables will be searched in the specified order until a match
6017 is found.
6018
6019 For safety reasons, this feature does not allow $number substitutions
6020 in regular expression maps.
6021
6022 This feature is available in Postfix 2.3 and later.
6023
6025 Controls how the Postfix sendmail command converts email message line
6026 endings from <CR><LF> into UNIX format (<LF>).
6027
6028 always Always convert message lines ending in <CR><LF>. This setting is
6029 the default with Postfix 2.9 and later.
6030
6031 strict Convert message lines ending in <CR><LF> only if the first input
6032 line ends in <CR><LF>. This setting is backwards-compatible with
6033 Postfix 2.8 and earlier.
6034
6035 never Never convert message lines ending in <CR><LF>. This setting
6036 exists for completeness only.
6037
6038 This feature is available in Postfix 2.9 and later.
6039
6041 A Sendmail compatibility feature that specifies the location of the
6042 Postfix sendmail(1) command. This command can be used to submit mail
6043 into the Postfix queue.
6044
6046 The master.cf service name of a Postfix daemon process. This can be
6047 used to distinguish the logging from different services that use the
6048 same program name.
6049
6050 Example master.cf entries:
6051
6052 # Distinguish inbound MTA logging from submission and smtps logging.
6053 smtp inet n - n - - smtpd
6054 submission inet n - n - - smtpd
6055 -o syslog_name=postfix/$service_name
6056 smtps inet n - n - - smtpd
6057 -o syslog_name=postfix/$service_name
6058
6059 # Distinguish outbound MTA logging from inbound relay logging.
6060 smtp unix - - n - - smtp
6061 relay unix - - n - - smtp
6062 -o syslog_name=postfix/$service_name
6063
6065 How long the Postfix master(8) waits before forking a server that
6066 appears to be malfunctioning.
6067
6068 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6069 The default time unit is s (seconds).
6070
6072 The group ownership of set-gid Postfix commands and of group-writable
6073 Postfix directories. When this parameter value is changed you need to
6074 re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
6075 "/etc/postfix/post-install set-permissions".
6076
6078 The location of Postfix dynamically-linked libraries (libpostfix-*.so),
6079 and the default location of Postfix database plugins (postfix-*.so)
6080 that have a relative pathname in the dynamicmaps.cf file. The
6081 shlib_directory parameter defaults to "no" when Postfix dynami‐
6082 cally-linked libraries and database plugins are disabled at compile
6083 time, otherwise it typically defaults to /usr/lib/postfix or
6084 /usr/local/lib/postfix.
6085
6086 Notes:
6087
6088 · The directory specified with shlib_directory should contain only
6089 Postfix-related files. Postfix dynamically-linked libraries and
6090 database plugins should not be installed in a "public" system
6091 directory such as /usr/lib or /usr/local/lib. Linking Postfix
6092 dynamically-linked library files or database plugins into
6093 non-Postfix programs is not supported. Postfix dynami‐
6094 cally-linked libraries and database plugins implement a Post‐
6095 fix-internal API that changes without maintaining compatibility.
6096
6097 · You can change the shlib_directory value after Postfix is built.
6098 However, you may have to run ldconfig or equivalent to prevent
6099 Postfix programs from failing because the libpostfix-*.so files
6100 are not found. No ldconfig command is needed if you keep the
6101 libpostfix-*.so files in the compiled-in default $shlib_direc‐
6102 tory location.
6103
6104 This feature is available in Postfix 3.0 and later.
6105
6107 Display the name of the recipient table in the "User unknown"
6108 responses. The extra detail makes troubleshooting easier but also
6109 reveals information that is nobody else's business.
6110
6111 This feature is available in Postfix 2.0 and later.
6112
6114 The name of the showq(8) service. This service produces mail queue sta‐
6115 tus reports.
6116
6117 This feature is available in Postfix 2.0 and later.
6118
6120 The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6121 will try first, when a destination has IPv6 and IPv4 addresses with
6122 equal MX preference. This feature has no effect unless the inet_proto‐
6123 cols setting enables both IPv4 and IPv6.
6124
6125 Postfix SMTP client address preference has evolved. With Postfix 2.8
6126 the default is "ipv6"; earlier implementations are hard-coded to prefer
6127 IPv6 over IPv4.
6128
6129 Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6130 nectivity:
6131
6132 · The setting "smtp_address_preference = ipv6" is unsafe. It can
6133 fail to deliver mail when there is an outage that affects IPv6,
6134 while the destination is still reachable over IPv4.
6135
6136 · The setting "smtp_address_preference = any" is safe. With this,
6137 mail will eventually be delivered even if there is an outage
6138 that affects IPv6 or IPv4, as long as it does not affect both.
6139
6140 This feature is available in Postfix 2.8 and later.
6141
6143 In the context of email address verification, the SMTP protocol stage
6144 that determines whether an email address is deliverable. Specify one
6145 of "rcpt" or "data". The latter is needed with remote SMTP servers
6146 that reject recipients after the DATA command. Use transport_maps to
6147 apply this feature selectively:
6148
6149 /etc/postfix/main.cf:
6150 transport_maps = hash:/etc/postfix/transport
6151
6152 /etc/postfix/transport:
6153 smtp-domain-that-verifies-after-data smtp-data-target:
6154 lmtp-domain-that-verifies-after-data lmtp-data-target:
6155
6156 /etc/postfix/master.cf:
6157 smtp-data-target unix - - n - - smtp
6158 -o smtp_address_verify_target=data
6159 lmtp-data-target unix - - n - - lmtp
6160 -o lmtp_address_verify_target=data
6161
6162 Unselective use of the "data" target does no harm, but will result in
6163 unnecessary "lost connection after DATA" events at remote SMTP/LMTP
6164 servers.
6165
6166 This feature is available in Postfix 3.0 and later.
6167
6169 Always send EHLO at the start of an SMTP session.
6170
6171 With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO
6172 only when the word "ESMTP" appears in the server greeting banner (exam‐
6173 ple: 220 spike.porcupine.org ESMTP Postfix).
6174
6176 When a remote destination resolves to a combination of IPv4 and IPv6
6177 addresses, ensure that the Postfix SMTP client can try both address
6178 types before it runs into the smtp_mx_address_limit.
6179
6180 This avoids an interoperability problem when a destination resolves to
6181 primarily IPv6 addresses, the smtp_address_limit feature eliminates
6182 most or all IPv4 addresses, and the destination is not reachable over
6183 IPv6.
6184
6185 This feature is available in Postfix 3.3 and later.
6186
6188 An optional numerical network address that the Postfix SMTP client
6189 should bind to when making an IPv4 connection.
6190
6191 This can be specified in the main.cf file for all SMTP clients, or it
6192 can be specified in the master.cf file for a specific client, for exam‐
6193 ple:
6194
6195 /etc/postfix/master.cf:
6196 smtp ... smtp -o smtp_bind_address=11.22.33.44
6197
6198 Note 1: when inet_interfaces specifies no more than one IPv4 address,
6199 and that address is a non-loopback address, it is automatically used as
6200 the smtp_bind_address. This supports virtual IP hosting, but can be a
6201 problem on multi-homed firewalls. See the inet_interfaces documentation
6202 for more detail.
6203
6204 Note 2: address information may be enclosed inside [], but this form is
6205 not required here.
6206
6208 An optional numerical network address that the Postfix SMTP client
6209 should bind to when making an IPv6 connection.
6210
6211 This feature is available in Postfix 2.2 and later.
6212
6213 This can be specified in the main.cf file for all SMTP clients, or it
6214 can be specified in the master.cf file for a specific client, for exam‐
6215 ple:
6216
6217 /etc/postfix/master.cf:
6218 smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6219
6220 Note 1: when inet_interfaces specifies no more than one IPv6 address,
6221 and that address is a non-loopback address, it is automatically used as
6222 the smtp_bind_address6. This supports virtual IP hosting, but can be a
6223 problem on multi-homed firewalls. See the inet_interfaces documentation
6224 for more detail.
6225
6226 Note 2: address information may be enclosed inside [], but this form is
6227 not recommended here.
6228
6230 Restricted body_checks(5) tables for the Postfix SMTP client. These
6231 tables are searched while mail is being delivered. Actions that change
6232 the delivery time or destination are not available.
6233
6234 This feature is available in Postfix 2.5 and later.
6235
6237 When the remote SMTP servername is a DNS CNAME, replace the servername
6238 with the result from CNAME expansion for the purpose of logging, SASL
6239 password lookup, TLS policy decisions, or TLS certificate verification.
6240 The value "no" hardens Postfix smtp_tls_per_site hostname-based poli‐
6241 cies against false hostname information in DNS CNAME records, and makes
6242 SASL password file lookups more predictable. This is the default set‐
6243 ting as of Postfix 2.3.
6244
6245 When DNS CNAME records are validated with secure DNS lookups
6246 (smtp_dns_support_level = dnssec), they are always allowed to override
6247 the above servername (Postfix 2.11 and later).
6248
6249 This feature is available in Postfix 2.2.9 and later.
6250
6252 The Postfix SMTP client time limit for completing a TCP connection, or
6253 zero (use the operating system built-in time limit).
6254
6255 When no connection can be made within the deadline, the Postfix SMTP
6256 client tries the next address on the mail exchanger list. Specify 0 to
6257 disable the time limit (i.e. use whatever timeout is implemented by the
6258 operating system).
6259
6260 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6261 The default time unit is s (seconds).
6262
6264 Permanently enable SMTP connection caching for the specified destina‐
6265 tions. With SMTP connection caching, a connection is not closed imme‐
6266 diately after completion of a mail transaction. Instead, the connec‐
6267 tion is kept open for up to $smtp_connection_cache_time_limit seconds.
6268 This allows connections to be reused for other deliveries, and can
6269 improve mail delivery performance.
6270
6271 Specify a comma or white space separated list of destinations or
6272 pseudo-destinations:
6273
6274 · if mail is sent without a relay host: a domain name (the
6275 right-hand side of an email address, without the [] around a
6276 numeric IP address),
6277
6278 · if mail is sent via a relay host: a relay host name (without []
6279 or non-default TCP port), as specified in main.cf or in the
6280 transport map,
6281
6282 · if mail is sent via a UNIX-domain socket: a pathname (without
6283 the unix: prefix),
6284
6285 · a /file/name with domain names and/or relay host names as
6286 defined above,
6287
6288 · a "type:table" with domain names and/or relay host names on the
6289 left-hand side. The right-hand side result from "type:table"
6290 lookups is ignored.
6291
6292 This feature is available in Postfix 2.2 and later.
6293
6295 Temporarily enable SMTP connection caching while a destination has a
6296 high volume of mail in the active queue. With SMTP connection caching,
6297 a connection is not closed immediately after completion of a mail
6298 transaction. Instead, the connection is kept open for up to $smtp_con‐
6299 nection_cache_time_limit seconds. This allows connections to be reused
6300 for other deliveries, and can improve mail delivery performance.
6301
6302 This feature is available in Postfix 2.2 and later.
6303
6305 When SMTP connection caching is enabled, the amount of time that an
6306 unused SMTP client socket is kept open before it is closed. Do not
6307 specify larger values without permission from the remote sites.
6308
6309 This feature is available in Postfix 2.2 and later.
6310
6312 When SMTP connection caching is enabled, the number of times that an
6313 SMTP session may be reused before it is closed, or zero (no limit).
6314 With a reuse count limit of N, a connection is used up to N+1 times.
6315
6316 NOTE: This feature is unsafe. When a high-volume destination has multi‐
6317 ple inbound MTAs, then the slowest inbound MTA will attract the most
6318 connections to that destination. This limitation does not exist with
6319 the smtp_connection_reuse_time_limit feature.
6320
6321 This feature is available in Postfix 2.11.
6322
6324 The amount of time during which Postfix will use an SMTP connection
6325 repeatedly. The timer starts when the connection is initiated (i.e. it
6326 includes the connect, greeting and helo latency, in addition to the
6327 latencies of subsequent mail delivery transactions).
6328
6329 This feature addresses a performance stability problem with remote SMTP
6330 servers. This problem is not specific to Postfix: it can happen when
6331 any MTA sends large amounts of SMTP email to a site that has multiple
6332 MX hosts.
6333
6334 The problem starts when one of a set of MX hosts becomes slower than
6335 the rest. Even though SMTP clients connect to fast and slow MX hosts
6336 with equal probability, the slow MX host ends up with more simultaneous
6337 inbound connections than the faster MX hosts, because the slow MX host
6338 needs more time to serve each client request.
6339
6340 The slow MX host becomes a connection attractor. If one MX host
6341 becomes N times slower than the rest, it dominates mail delivery
6342 latency unless there are more than N fast MX hosts to counter the
6343 effect. And if the number of MX hosts is smaller than N, the mail
6344 delivery latency becomes effectively that of the slowest MX host
6345 divided by the total number of MX hosts.
6346
6347 The solution uses connection caching in a way that differs from Postfix
6348 version 2.2. By limiting the amount of time during which a connection
6349 can be used repeatedly (instead of limiting the number of deliveries
6350 over that connection), Postfix not only restores fairness in the dis‐
6351 tribution of simultaneous connections across a set of MX hosts, it also
6352 favors deliveries over connections that perform well, which is exactly
6353 what we want.
6354
6355 The default reuse time limit, 300s, is comparable to the various smtp
6356 transaction timeouts which are fair estimates of maximum excess latency
6357 for a slow delivery. Note that hosts may accept thousands of messages
6358 over a single connection within the default connection reuse time
6359 limit. This number is much larger than the default Postfix version 2.2
6360 limit of 10 messages per cached connection. It may prove necessary to
6361 lower the limit to avoid interoperability issues with MTAs that exhibit
6362 bugs when many messages are delivered via a single connection. A lower
6363 reuse time limit risks losing the benefit of connection reuse when the
6364 average connection and mail delivery latency exceeds the reuse time
6365 limit.
6366
6367 This feature is available in Postfix 2.3 and later.
6368
6370 The Postfix SMTP client time limit for sending the SMTP ".", and for
6371 receiving the remote SMTP server response.
6372
6373 When no response is received within the deadline, a warning is logged
6374 that the mail may be delivered multiple times.
6375
6376 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6377 The default time unit is s (seconds).
6378
6380 The Postfix SMTP client time limit for sending the SMTP DATA command,
6381 and for receiving the remote SMTP server response.
6382
6383 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6384 The default time unit is s (seconds).
6385
6387 The Postfix SMTP client time limit for sending the SMTP message con‐
6388 tent. When the connection makes no progress for more than
6389 $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the
6390 transfer.
6391
6392 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6393 The default time unit is s (seconds).
6394
6396 Defer mail delivery when no MX record resolves to an IP address.
6397
6398 The default (no) is to return the mail as undeliverable. With older
6399 Postfix versions the default was to keep trying to deliver the mail
6400 until someone fixed the MX record or until the mail was too old.
6401
6402 Note: the Postfix SMTP client always ignores MX records with equal or
6403 worse preference than the local MTA itself.
6404
6405 This feature is available in Postfix 2.1 and later.
6406
6408 Optional filter for the smtp(8) delivery agent to change the delivery
6409 status code or explanatory text of successful or unsuccessful deliver‐
6410 ies. See default_delivery_status_filter for details.
6411
6412 NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6413 sages that may or may not be derived from remote SMTP server responses.
6414 In contrast, the smtp_reply_filter feature modifies remote SMTP server
6415 responses only.
6416
6418 rency_limit)
6419 The maximal number of parallel deliveries to the same destination via
6420 the smtp message delivery transport. This limit is enforced by the
6421 queue manager. The message delivery transport name is the first field
6422 in the entry in the master.cf file.
6423
6425 ent_limit)
6426 The maximal number of recipients per message for the smtp message
6427 delivery transport. This limit is enforced by the queue manager. The
6428 message delivery transport name is the first field in the entry in the
6429 master.cf file.
6430
6431 Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6432 tination_concurrency_limit from concurrency per domain into concurrency
6433 per recipient.
6434
6436 Lookup tables, indexed by the remote SMTP server address, with case
6437 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
6438 that the Postfix SMTP client will ignore in the EHLO response from a
6439 remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6440 ble is not indexed by hostname for consistency with smtpd_dis‐
6441 card_ehlo_keyword_address_maps.
6442
6443 Specify zero or more "type:name" lookup tables, separated by whitespace
6444 or comma. Tables will be searched in the specified order until a match
6445 is found.
6446
6447 This feature is available in Postfix 2.2 and later.
6448
6450 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
6451 etc.) that the Postfix SMTP client will ignore in the EHLO response
6452 from a remote SMTP server.
6453
6454 This feature is available in Postfix 2.2 and later.
6455
6456 Notes:
6457
6458 · Specify the silent-discard pseudo keyword to prevent this action
6459 from being logged.
6460
6461 · Use the smtp_discard_ehlo_keyword_address_maps feature to dis‐
6462 card EHLO keywords selectively.
6463
6465 Optional filter for Postfix SMTP client DNS lookup results. Specify
6466 zero or more lookup tables. The lookup tables are searched in the
6467 given order for a match with the DNS lookup result, converted to the
6468 following form:
6469
6470 name ttl class type preference value
6471
6472 The class field is always "IN", the preference field exists only for MX
6473 records, the names of hosts, domains, etc. end in ".", and those names
6474 are in ASCII form (xn--mumble form in the case of UTF8 names).
6475
6476 When a match is found, the table lookup result specifies an action. By
6477 default, the table query and the action name are case-insensitive.
6478 Currently, only the IGNORE action is implemented.
6479
6480 Notes:
6481
6482 · Postfix DNS reply filters have no effect on implicit DNS lookups
6483 through nsswitch.conf or equivalent mechanisms.
6484
6485 · The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and
6486 lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
6487 service (record types MX, A, AAAAA, and TLSA). These lookups
6488 are also made to implement the features reject_unverified_sender
6489 and reject_unverified_recipient.
6490
6491 · The Postfix SMTP/LMTP client defers mail delivery when a filter
6492 removes all lookup results from a successful query.
6493
6494 · Postfix SMTP server uses smtpd_dns_reply_filter only to look up
6495 MX, A, AAAAA, and TXT records to implement the features
6496 reject_unknown_helo_hostname, reject_unknown_sender_domain,
6497 reject_unknown_recipient_domain, reject_rbl_*, and
6498 reject_rhsbl_*.
6499
6500 · The Postfix SMTP server logs a warning or defers mail delivery
6501 when a filter removes all lookup results from a successful
6502 query.
6503
6504 Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6505 because Google sometimes hard-rejects mail from IPv6 clients with valid
6506 PTR etc. records.
6507
6508 /etc/postfix/main.cf:
6509 smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6510
6511 /etc/postfix/smtp_dns_reply_filter:
6512 # /domain ttl IN AAAA address/ action, all case-insensitive.
6513 # Note: the domain name ends in ".".
6514 /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6515
6516 This feature is available in Postfix 3.0 and later.
6517
6519 DNS Resolver options for the Postfix SMTP client. Specify zero or more
6520 of the following options, separated by comma or whitespace. Option
6521 names are case-sensitive. Some options refer to domain names that are
6522 specified in the file /etc/resolv.conf or equivalent.
6523
6524 res_defnames
6525 Append the current domain name to single-component names (those
6526 that do not contain a "." character). This can produce incorrect
6527 results, and is the hard-coded behavior prior to Postfix 2.8.
6528
6529 res_dnsrch
6530 Search for host names in the current domain and in parent
6531 domains. This can produce incorrect results and is therefore not
6532 recommended.
6533
6534 This feature is available in Postfix 2.8 and later.
6535
6537 Level of DNS support in the Postfix SMTP client. With "smtp_dns_sup‐
6538 port_level" left at its empty default value, the legacy "dis‐
6539 able_dns_lookups" parameter controls whether DNS is enabled in the
6540 Postfix SMTP client, otherwise the legacy parameter is ignored.
6541
6542 Specify one of the following:
6543
6544 disabled
6545 Disable DNS lookups. No MX lookups are performed and hostname
6546 to address lookups are unconditionally "native". This setting
6547 is not appropriate for hosts that deliver mail to the public
6548 Internet. Some obsolete how-to documents recommend disabling
6549 DNS lookups in some configurations with content_filters. This
6550 is no longer required and strongly discouraged.
6551
6552 enabled
6553 Enable DNS lookups. Nexthop destination domains not enclosed in
6554 "[]" will be subject to MX lookups. If "dns" and "native" are
6555 included in the "smtp_host_lookup" parameter value, DNS will be
6556 queried first to resolve MX-host A records, followed by "native"
6557 lookups if no answer is found in DNS.
6558
6559 dnssec Enable DNSSEC lookups. The "dnssec" setting differs from the
6560 "enabled" setting above in the following ways:
6561
6562 · Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to
6563 request DNSSEC-validated responses. If the MX response is
6564 DNSSEC-validated the corresponding hostnames are considered val‐
6565 idated.
6566
6567 · The address lookups of validated hostnames are also validated,
6568 (provided of course "smtp_host_lookup" includes "dns", see
6569 below).
6570
6571 · Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6572 tion block any "native" lookups. Additional "native" lookups
6573 only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6574
6575 The Postfix SMTP client considers non-MX "[nexthop]" and "[nex‐
6576 thop]:port" destinations equivalent to statically-validated MX records
6577 of the form "nexthop. IN MX 0 nexthop." Therefore, with "dnssec" sup‐
6578 port turned on, validated hostname-to-address lookups apply to the nex‐
6579 thop domain of any "[nexthop]" or "[nexthop]:port" destination. This
6580 is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6581 LMTP hostnames are never subject to MX lookups.
6582
6583 The "dnssec" setting is recommended only if you plan to use the dane or
6584 dane-only TLS security level, otherwise enabling DNSSEC support in
6585 Postfix offers no additional security. Postfix DNSSEC support relies
6586 on an upstream recursive nameserver that validates DNSSEC signatures.
6587 Such a DNS server will always filter out forged DNS responses, even
6588 when Postfix itself is not configured to use DNSSEC.
6589
6590 When using Postfix DANE support the "smtp_host_lookup" parameter should
6591 include "dns", as DANE is not applicable to hosts resolved via "native"
6592 lookups.
6593
6594 As mentioned above, Postfix is not a validating stub resolver; it
6595 relies on the system's configured DNSSEC-validating recursive name‐
6596 server to perform all DNSSEC validation. Since this nameserver's
6597 DNSSEC-validated responses will be fully trusted, it is strongly recom‐
6598 mended that the MTA host have a local DNSSEC-validating recursive
6599 caching nameserver listening on a loopback address, and be configured
6600 to use only this nameserver for all lookups. Otherwise, Postfix may
6601 remain subject to man-in-the-middle attacks that forge responses from
6602 the recursive nameserver
6603
6604 DNSSEC support requires a version of Postfix compiled against a reason‐
6605 ably-modern DNS resolver(3) library that implements the RES_USE_DNSSEC
6606 and RES_USE_EDNS0 resolver options.
6607
6608 This feature is available in Postfix 2.11 and later.
6609
6611 Enforcement mode: require that remote SMTP servers use TLS encryption,
6612 and never send mail in the clear. This also requires that the remote
6613 SMTP server hostname matches the information in the remote server cer‐
6614 tificate, and that the remote SMTP server certificate was issued by a
6615 CA that is trusted by the Postfix SMTP client. If the certificate
6616 doesn't verify or the hostname doesn't match, delivery is deferred and
6617 mail stays in the queue.
6618
6619 The server hostname is matched against all names provided as dNSNames
6620 in the SubjectAlternativeName. If no dNSNames are specified, the Com‐
6621 monName is checked. The behavior may be changed with the
6622 smtp_tls_enforce_peername option.
6623
6624 This option is useful only if you are definitely sure that you will
6625 only connect to servers that support RFC 2487 _and_ that provide valid
6626 server certificates. Typical use is for clients that send all their
6627 email to a dedicated mailhub.
6628
6629 This feature is available in Postfix 2.2 and later. With Postfix 2.3
6630 and later use smtp_tls_security_level instead.
6631
6633 Optional list of relay hosts for SMTP destinations that can't be found
6634 or that are unreachable. With Postfix 2.2 and earlier this parameter is
6635 called fallback_relay.
6636
6637 By default, mail is returned to the sender when a destination is not
6638 found, and delivery is deferred when a destination is unreachable.
6639
6640 With bulk email deliveries, it can be beneficial to run the fallback
6641 relay MTA on the same host, so that it can reuse the sender IP address.
6642 This speeds up deliveries that are delayed by IP-based reputation sys‐
6643 tems (greylist, etc.).
6644
6645 The fallback relays must be SMTP destinations. Specify a domain, host,
6646 host:port, [host]:port, [address] or [address]:port; the form [host]
6647 turns off MX lookups. If you specify multiple SMTP destinations, Post‐
6648 fix will try them in the specified order.
6649
6650 To prevent mailer loops between MX hosts and fall-back hosts, Postfix
6651 version 2.2 and later will not use the fallback relays for destinations
6652 that it is MX host for (assuming DNS lookup is turned on).
6653
6655 Optional lookup tables that perform address rewriting in the Postfix
6656 SMTP client, typically to transform a locally valid address into a
6657 globally valid address when sending mail across the Internet. This is
6658 needed when the local machine does not have its own Internet domain
6659 name, but uses something like localdomain.local instead.
6660
6661 Specify zero or more "type:name" lookup tables, separated by whitespace
6662 or comma. Tables will be searched in the specified order until a match
6663 is found.
6664
6665 The table format and lookups are documented in generic(5); examples are
6666 shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
6667 documents.
6668
6669 This feature is available in Postfix 2.2 and later.
6670
6672 Restricted header_checks(5) tables for the Postfix SMTP client. These
6673 tables are searched while mail is being delivered. Actions that change
6674 the delivery time or destination are not available.
6675
6676 This feature is available in Postfix 2.5 and later.
6677
6679 The hostname to send in the SMTP HELO or EHLO command.
6680
6681 The default value is the machine hostname. Specify a hostname or
6682 [ip.add.re.ss].
6683
6684 This information can be specified in the main.cf file for all SMTP
6685 clients, or it can be specified in the master.cf file for a specific
6686 client, for example:
6687
6688 /etc/postfix/master.cf:
6689 mysmtp ... smtp -o smtp_helo_name=foo.bar.com
6690
6691 This feature is available in Postfix 2.0 and later.
6692
6694 The Postfix SMTP client time limit for sending the HELO or EHLO com‐
6695 mand, and for receiving the initial remote SMTP server response.
6696
6697 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6698 The default time unit is s (seconds).
6699
6701 What mechanisms the Postfix SMTP client uses to look up a host's IP
6702 address. This parameter is ignored when DNS lookups are disabled (see:
6703 disable_dns_lookups and smtp_dns_support_level). The "dns" mechanism
6704 is always tried before "native" if both are listed.
6705
6706 Specify one of the following:
6707
6708 dns Hosts can be found in the DNS (preferred).
6709
6710 native Use the native naming service only (nsswitch.conf, or equivalent
6711 mechanism).
6712
6713 dns, native
6714 Use the native service for hosts not found in the DNS.
6715
6716 This feature is available in Postfix 2.1 and later.
6717
6719 The maximal length of message header and body lines that Postfix will
6720 send via SMTP. This limit does not include the <CR><LF> at the end of
6721 each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to
6722 minimize the damage to MIME formatted mail.
6723
6724 The Postfix limit of 998 characters not including <CR><LF> is consis‐
6725 tent with the SMTP limit of 1000 characters including <CR><LF>. The
6726 Postfix limit was 990 with Postfix 2.8 and earlier.
6727
6729 The Postfix SMTP client time limit for sending the MAIL FROM command,
6730 and for receiving the remote SMTP server response.
6731
6732 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6733 The default time unit is s (seconds).
6734
6736 Restricted mime_header_checks(5) tables for the Postfix SMTP client.
6737 These tables are searched while mail is being delivered. Actions that
6738 change the delivery time or destination are not available.
6739
6740 This feature is available in Postfix 2.5 and later.
6741
6743 The maximal number of MX (mail exchanger) IP addresses that can result
6744 from Postfix SMTP client mail exchanger lookups, or zero (no limit).
6745 Prior to Postfix version 2.3, this limit was disabled by default.
6746
6747 This feature is available in Postfix 2.1 and later.
6748
6750 The maximal number of SMTP sessions per delivery request before the
6751 Postfix SMTP client gives up or delivers to a fall-back relay host, or
6752 zero (no limit). This restriction ignores sessions that fail to com‐
6753 plete the SMTP initial handshake (Postfix version 2.2 and earlier) or
6754 that fail to complete the EHLO and TLS handshake (Postfix version 2.3
6755 and later).
6756
6757 This feature is available in Postfix 2.1 and later.
6758
6760 Restricted nested_header_checks(5) tables for the Postfix SMTP client.
6761 These tables are searched while mail is being delivered. Actions that
6762 change the delivery time or destination are not available.
6763
6764 This feature is available in Postfix 2.5 and later.
6765
6767 Never send EHLO at the start of an SMTP session. See also the
6768 smtp_always_send_ehlo parameter.
6769
6771 Change the behavior of the smtp_*_timeout time limits, from a time
6772 limit per read or write system call, to a time limit to send or receive
6773 a complete record (an SMTP command line, SMTP response line, SMTP mes‐
6774 sage content line, or TLS protocol message). This limits the impact
6775 from hostile peers that trickle data one byte at a time.
6776
6777 Note: when per-record deadlines are enabled, a short timeout may cause
6778 problems with TLS over very slow network connections. The reasons are
6779 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
6780 and that an entire TLS protocol message must be sent or received within
6781 the per-record deadline.
6782
6783 This feature is available in Postfix 2.9 and later. With older Postfix
6784 releases, the behavior is as if this parameter is set to "no".
6785
6787 How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
6788 order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
6789
6790 Choosing a too short time makes this workaround ineffective when send‐
6791 ing large messages over slow network connections.
6792
6794 Lookup tables, indexed by the remote SMTP server address, with per-des‐
6795 tination workarounds for CISCO PIX firewall bugs. The table is not
6796 indexed by hostname for consistency with smtp_discard_ehlo_key‐
6797 word_address_maps.
6798
6799 Specify zero or more "type:name" lookup tables, separated by whitespace
6800 or comma. Tables will be searched in the specified order until a match
6801 is found.
6802
6803 This feature is available in Postfix 2.4 and later.
6804
6806 How long a message must be queued before the Postfix SMTP client turns
6807 on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
6808 through firewalls with "smtp fixup" mode turned on.
6809
6810 By default, the workaround is turned off for mail that is queued for
6811 less than 500 seconds. In other words, the workaround is normally
6812 turned off for the first delivery attempt.
6813
6814 Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
6815 upon the first delivery attempt.
6816
6818 A list that specifies zero or more workarounds for CISCO PIX firewall
6819 bugs. These workarounds are implemented by the Postfix SMTP client.
6820 Workaround names are separated by comma or space, and are case insensi‐
6821 tive. This parameter setting can be overruled with per-destination
6822 smtp_pix_workaround_maps settings.
6823
6824 delay_dotcrlf
6825 Insert a delay before sending ".<CR><LF>" after the end of the
6826 message content. The delay is subject to the smtp_pix_work‐
6827 around_delay_time and smtp_pix_workaround_threshold_time parame‐
6828 ter settings.
6829
6830 disable_esmtp
6831 Disable all extended SMTP commands: send HELO instead of EHLO.
6832
6833 This feature is available in Postfix 2.4 and later. The default set‐
6834 tings are backwards compatible with earlier Postfix versions.
6835
6837 The Postfix SMTP client time limit for sending the QUIT command, and
6838 for receiving the remote SMTP server response.
6839
6840 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6841 The default time unit is s (seconds).
6842
6844 Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
6845 as required by RFC 5321. This includes putting quotes around an address
6846 localpart that ends in ".".
6847
6848 The default is to comply with RFC 5321. If you have to send mail to a
6849 broken SMTP server, configure a special SMTP client in master.cf:
6850
6851 /etc/postfix/master.cf:
6852 broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
6853
6854 and route mail for the destination in question to the "broken-smtp"
6855 message delivery with a transport(5) table.
6856
6857 This feature is available in Postfix 2.1 and later.
6858
6860 Randomize the order of equal-preference MX host addresses. This is a
6861 performance feature of the Postfix SMTP client.
6862
6864 The Postfix SMTP client time limit for sending the SMTP RCPT TO com‐
6865 mand, and for receiving the remote SMTP server response.
6866
6867 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
6868 The default time unit is s (seconds).
6869
6871 A mechanism to transform replies from remote SMTP servers one line at a
6872 time. This is a last-resort tool to work around server replies that
6873 break interoperability with the Postfix SMTP client. Other uses
6874 involve fault injection to test Postfix's handling of invalid
6875 responses.
6876
6877 Notes:
6878
6879 · In the case of a multi-line reply, the Postfix SMTP client uses
6880 the final reply line's numerical SMTP reply code and enhanced
6881 status code.
6882
6883 · The numerical SMTP reply code (XYZ) takes precedence over the
6884 enhanced status code (X.Y.Z). When the enhanced status code
6885 initial digit differs from the SMTP reply code initial digit, or
6886 when no enhanced status code is present, the Postfix SMTP client
6887 uses a generic enhanced status code (X.0.0) instead.
6888
6889 Specify the name of a "type:table" lookup table. The search string is a
6890 single SMTP reply line as received from the remote SMTP server, except
6891 that the trailing <CR><LF> are removed. When the lookup succeeds, the
6892 result replaces the single SMTP reply line.
6893
6894 Examples:
6895
6896 /etc/postfix/main.cf:
6897 smtp_reply_filter = pcre:/etc/postfix/reply_filter
6898
6899 /etc/postfix/reply_filter:
6900 # Transform garbage into "250-filler..." so that it looks like
6901 # one line from a multi-line reply. It does not matter what we
6902 # substitute here as long it has the right syntax. The Postfix
6903 # SMTP client will use the final line's numerical SMTP reply
6904 # code and enhanced status code.
6905 !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
6906
6907 This feature is available in Postfix 2.7.
6908
6910 The Postfix SMTP client time limit for sending the RSET command, and
6911 for receiving the remote SMTP server response. The SMTP client sends
6912 RSET in order to finish a recipient address probe, or to verify that a
6913 cached session is still usable.
6914
6915 This feature is available in Postfix 2.1 and later.
6916
6918 An optional table to prevent repeated SASL authentication failures with
6919 the same remote SMTP server hostname, username and password. Each table
6920 (key, value) pair contains a server name, a username and password, and
6921 the full server response. This information is stored when a remote SMTP
6922 server rejects an authentication attempt with a 535 reply code. As
6923 long as the smtp_sasl_password_maps information does no change, and as
6924 long as the smtp_sasl_auth_cache_name information does not expire (see
6925 smtp_sasl_auth_cache_time) the Postfix SMTP client avoids SASL authen‐
6926 tication attempts with the same server, username and password, and
6927 instead bounces or defers mail as controlled with the
6928 smtp_sasl_auth_soft_bounce configuration parameter.
6929
6930 Use a per-destination delivery concurrency of 1 (for example,
6931 "smtp_destination_concurrency_limit = 1", "relay_destination_concur‐
6932 rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
6933 ence a login failure at the same time.
6934
6935 The table must be accessed via the proxywrite service, i.e. the map
6936 name must start with "proxy:". The table should be stored under the
6937 directory specified with the data_directory parameter.
6938
6939 This feature uses cryptographic hashing to protect plain-text pass‐
6940 words, and requires that Postfix is compiled with TLS support.
6941
6942 Example:
6943
6944 smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
6945
6946 This feature is available in Postfix 2.5 and later.
6947
6949 The maximal age of an smtp_sasl_auth_cache_name entry before it is
6950 removed.
6951
6952 This feature is available in Postfix 2.5 and later.
6953
6955 Enable SASL authentication in the Postfix SMTP client. By default, the
6956 Postfix SMTP client uses no authentication.
6957
6958 Example:
6959
6960 smtp_sasl_auth_enable = yes
6961
6963 When a remote SMTP server rejects a SASL authentication request with a
6964 535 reply code, defer mail delivery instead of returning mail as unde‐
6965 liverable. The latter behavior was hard-coded prior to Postfix version
6966 2.5.
6967
6968 Note: the setting "yes" overrides the global soft_bounce parameter, but
6969 the setting "no" does not.
6970
6971 Example:
6972
6973 # Default as of Postfix 2.5
6974 smtp_sasl_auth_soft_bounce = yes
6975 # The old hard-coded default
6976 smtp_sasl_auth_soft_bounce = no
6977
6978 This feature is available in Postfix 2.5 and later.
6979
6981 If non-empty, a Postfix SMTP client filter for the remote SMTP server's
6982 list of offered SASL mechanisms. Different client and server implemen‐
6983 tations may support different mechanism lists; by default, the Postfix
6984 SMTP client will use the intersection of the two. smtp_sasl_mecha‐
6985 nism_filter specifies an optional third mechanism list to intersect
6986 with.
6987
6988 Specify mechanism names, "/file/name" patterns or "type:table" lookup
6989 tables. The right-hand side result from "type:table" lookups is
6990 ignored. Specify "!pattern" to exclude a mechanism name from the list.
6991 The form "!/file/name" is supported only in Postfix version 2.4 and
6992 later.
6993
6994 This feature is available in Postfix 2.2 and later.
6995
6996 Examples:
6997
6998 smtp_sasl_mechanism_filter = plain, login
6999 smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
7000 smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
7001
7003 Optional Postfix SMTP client lookup tables with one username:password
7004 entry per sender, remote hostname or next-hop domain. Per-sender lookup
7005 is done only when sender-dependent authentication is enabled. If no
7006 username:password entry is found, then the Postfix SMTP client will not
7007 attempt to authenticate to the remote host.
7008
7009 The Postfix SMTP client opens the lookup table before going to chroot
7010 jail, so you can leave the password file in /etc/postfix.
7011
7012 Specify zero or more "type:name" lookup tables, separated by whitespace
7013 or comma. Tables will be searched in the specified order until a match
7014 is found.
7015
7017 Implementation-specific information that the Postfix SMTP client passes
7018 through to the SASL plug-in implementation that is selected with
7019 smtp_sasl_type. Typically this specifies the name of a configuration
7020 file or rendezvous point.
7021
7022 This feature is available in Postfix 2.3 and later.
7023
7025 Postfix SMTP client SASL security options; as of Postfix 2.3 the list
7026 of available features depends on the SASL client implementation that is
7027 selected with smtp_sasl_type.
7028
7029 The following security features are defined for the cyrus client SASL
7030 implementation:
7031
7032 Specify zero or more of the following:
7033
7034 noplaintext
7035 Disallow methods that use plaintext passwords.
7036
7037 noactive
7038 Disallow methods subject to active (non-dictionary) attack.
7039
7040 nodictionary
7041 Disallow methods subject to passive (dictionary) attack.
7042
7043 noanonymous
7044 Disallow methods that allow anonymous authentication.
7045
7046 mutual_auth
7047 Only allow methods that provide mutual authentication (not
7048 available with SASL version 1).
7049
7050 Example:
7051
7052 smtp_sasl_security_options = noplaintext
7053
7055 The SASL authentication security options that the Postfix SMTP client
7056 uses for TLS encrypted SMTP sessions.
7057
7058 This feature is available in Postfix 2.2 and later.
7059
7061 rity_options)
7062 The SASL authentication security options that the Postfix SMTP client
7063 uses for TLS encrypted SMTP sessions with a verified server certifi‐
7064 cate.
7065
7066 When mail is sent to the public MX host for the recipient's domain,
7067 server certificates are by default optional, and delivery proceeds even
7068 if certificate verification fails. For delivery via a submission ser‐
7069 vice that requires SASL authentication, it may be appropriate to send
7070 plaintext passwords only when the connection to the server is strongly
7071 encrypted and the server identity is verified.
7072
7073 The smtp_sasl_tls_verified_security_options parameter makes it possible
7074 to only enable plaintext mechanisms when a secure connection to the
7075 server is available. Submission servers subject to this policy must
7076 either have verifiable certificates or offer suitable non-plaintext
7077 SASL mechanisms.
7078
7079 This feature is available in Postfix 2.6 and later.
7080
7082 The SASL plug-in type that the Postfix SMTP client should use for
7083 authentication. The available types are listed with the "postconf -A"
7084 command.
7085
7086 This feature is available in Postfix 2.3 and later.
7087
7089 Whether or not to append the "AUTH=<>" option to the MAIL FROM command
7090 in SASL-authenticated SMTP sessions. The default is not to send this,
7091 to avoid problems with broken remote SMTP servers. Before Postfix 2.9
7092 the behavior is as if "smtp_send_dummy_mail_auth = yes".
7093
7094 This feature is available in Postfix 2.9 and later.
7095
7097 Send the non-standard XFORWARD command when the Postfix SMTP server
7098 EHLO response announces XFORWARD support.
7099
7100 This allows a Postfix SMTP delivery agent, used for injecting mail into
7101 a content filter, to forward the name, address, protocol and HELO name
7102 of the original client to the content filter and downstream queuing
7103 SMTP server. This can produce more useful logging than local‐
7104 host[127.0.0.1] etc.
7105
7106 This feature is available in Postfix 2.1 and later.
7107
7109 Enable sender-dependent authentication in the Postfix SMTP client; this
7110 is available only with SASL authentication, and disables SMTP connec‐
7111 tion caching to ensure that mail from different senders will use the
7112 appropriate credentials.
7113
7114 This feature is available in Postfix 2.3 and later.
7115
7117 Skip SMTP servers that greet with a 4XX status code (go away, try again
7118 later).
7119
7120 By default, the Postfix SMTP client moves on the next mail exchanger.
7121 Specify "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
7122 immediately.
7123
7124 This feature is available in Postfix 2.0 and earlier. Later Postfix
7125 versions always skip remote SMTP servers that greet with a 4XX status
7126 code.
7127
7129 Skip remote SMTP servers that greet with a 5XX status code.
7130
7131 By default, the Postfix SMTP client moves on the next mail exchanger.
7132 Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
7133 immediately. Caution: the latter behavior appears to contradict RFC
7134 2821.
7135
7137 Do not wait for the response to the SMTP QUIT command.
7138
7140 Time limit for Postfix SMTP client write and read operations during TLS
7141 startup and shutdown handshake procedures.
7142
7143 This feature is available in Postfix 2.2 and later.
7144
7146 The default TCP port that the Postfix SMTP client connects to. Specify
7147 a symbolic name (see services(5)) or a numeric port.
7148
7150 A file containing CA certificates of root CAs trusted to sign either
7151 remote SMTP server certificates or intermediate CA certificates. These
7152 are loaded into memory before the smtp(8) client enters the chroot
7153 jail. If the number of trusted roots is large, consider using
7154 smtp_tls_CApath instead, but note that the latter directory must be
7155 present in the chroot jail if the smtp(8) client is chrooted. This file
7156 may also be used to augment the client certificate trust chain, but it
7157 is best to include all the required certificates directly in
7158 $smtp_tls_cert_file (or, Postfix >= 3.4 $smtp_tls_chain_files).
7159
7160 Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
7161 system-supplied default Certification Authority certificates.
7162
7163 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7164 the system-supplied default CAs and trusting third-party certificates.
7165
7166 Example:
7167
7168 smtp_tls_CAfile = /etc/postfix/CAcert.pem
7169
7170 This feature is available in Postfix 2.2 and later.
7171
7173 Directory with PEM format Certification Authority certificates that the
7174 Postfix SMTP client uses to verify a remote SMTP server certificate.
7175 Don't forget to create the necessary "hash" links with, for example,
7176 "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
7177
7178 To use this option in chroot mode, this directory (or a copy) must be
7179 inside the chroot jail.
7180
7181 Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
7182 the system-supplied default Certification Authority certificates.
7183
7184 Specify "tls_append_default_CA = no" to prevent Postfix from appending
7185 the system-supplied default CAs and trusting third-party certificates.
7186
7187 Example:
7188
7189 smtp_tls_CApath = /etc/postfix/certs
7190
7191 This feature is available in Postfix 2.2 and later.
7192
7194 Try to detect a mail hijacking attack based on a TLS protocol vulnera‐
7195 bility (CVE-2009-3555), where an attacker prepends malicious HELO,
7196 MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. The
7197 attack would succeed with non-Postfix SMTP servers that reply to the
7198 malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
7199 SMTP client TLS session.
7200
7201 This feature is available in Postfix 2.7.
7202
7204 File with the Postfix SMTP client RSA certificate in PEM format. This
7205 file may also contain the Postfix SMTP client private RSA key, and
7206 these may be the same as the Postfix SMTP server RSA certificate and
7207 key file. With Postfix >= 3.4 the preferred way to configure client
7208 keys and certificates is via the "smtp_tls_chain_files" parameter.
7209
7210 Do not configure client certificates unless you must present client TLS
7211 certificates to one or more servers. Client certificates are not usu‐
7212 ally needed, and can cause problems in configurations that work well
7213 without them. The recommended setting is to let the defaults stand:
7214
7215 smtp_tls_cert_file =
7216 smtp_tls_key_file =
7217 smtp_tls_eccert_file =
7218 smtp_tls_eckey_file =
7219 # Obsolete DSA parameters
7220 smtp_tls_dcert_file =
7221 smtp_tls_dkey_file =
7222 # Postfix >= 3.4 interface
7223 smtp_tls_chain_files =
7224
7225 The best way to use the default settings is to comment out the above
7226 parameters in main.cf if present.
7227
7228 To enable remote SMTP servers to verify the Postfix SMTP client cer‐
7229 tificate, the issuing CA certificates must be made available to the
7230 server. You should include the required certificates in the client cer‐
7231 tificate file, the client certificate first, then the issuing CA(s)
7232 (bottom-up order).
7233
7234 Example: the certificate for "client.example.com" was issued by "inter‐
7235 mediate CA" which itself has a certificate issued by "root CA". As the
7236 "root" super-user create the client.pem file with:
7237
7238 # umask 077
7239 # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem
7240
7241 If you also want to verify remote SMTP server certificates issued by
7242 these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
7243 which case it is not necessary to have them in the smtp_tls_cert_file,
7244 smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.
7245
7246 A certificate supplied here must be usable as an SSL client certificate
7247 and hence pass the "openssl verify -purpose sslclient ..." test.
7248
7249 Example:
7250
7251 smtp_tls_cert_file = /etc/postfix/chain.pem
7252
7253 This feature is available in Postfix 2.2 and later.
7254
7256 List of one or more PEM files, each holding one or more private keys
7257 directly followed by a corresponding certificate chain. The file names
7258 are separated by commas and/or whitespace. This parameter obsoletes
7259 the legacy algorithm-specific key and certificate file settings. When
7260 this parameter is non-empty, the legacy parameters are ignored, and a
7261 warning is logged if any are also non-empty.
7262
7263 With the proliferation of multiple private key algorithms-which, as of
7264 OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448-it
7265 is increasingly impractical to use separate parameters to configure the
7266 key and certificate chain for each algorithm. Therefore, Postfix now
7267 supports storing multiple keys and corresponding certificate chains in
7268 a single file or in a set of files.
7269
7270 Each key must appear immediately before the corresponding certificate,
7271 optionally followed by additional issuer certificates that complete the
7272 certificate chain for that key. When multiple files are specified,
7273 they are equivalent to a single file that is concatenated from those
7274 files in the given order. Thus, while a key must always precede its
7275 certificate and issuer chain, it can be in a separate file, so long as
7276 that file is listed immediately before the file that holds the corre‐
7277 sponding certificate chain. Once all the files are concatenated, the
7278 sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
7279 [chain2], ..., keyN, certN, [chainN].
7280
7281 Storing the private key in the same file as the corresponding certifi‐
7282 cate is more reliable. With the key and certificate in separate files,
7283 there is a chance that during key rollover a Postfix process might load
7284 a private key and certificate from separate files that don't match.
7285 Various operational errors may even result in a persistent broken con‐
7286 figuration in which the certificate does not match the private key.
7287
7288 The file or files must contain at most one key of each type. If, for
7289 example, two or more RSA keys and corresponding chains are listed,
7290 depending on the version of OpenSSL either only the last one will be
7291 used or an configuration error may be detected. Note that while
7292 "Ed25519" and "Ed448" are considered separate algorithms, the various
7293 ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
7294 considered as different parameters of a single "ECDSA" algorithm, so it
7295 is not presently possible to configure keys for more than one ECDSA
7296 curve.
7297
7298 Example (separate files for each key and corresponding certificate
7299 chain):
7300
7301 /etc/postfix/main.cf:
7302 smtp_tls_chain_files =
7303 ${config_directory}/ed25519.pem,
7304 ${config_directory}/ed448.pem,
7305 ${config_directory}/rsa.pem
7306
7307 /etc/postfix/ed25519.pem:
7308 -----BEGIN PRIVATE KEY-----
7309 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7310 -----END PRIVATE KEY-----
7311 -----BEGIN CERTIFICATE-----
7312 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7313 ...
7314 nC0egv51YPDWxEHom4QA
7315 -----END CERTIFICATE-----
7316
7317 /etc/postfix/ed448.pem:
7318 -----BEGIN PRIVATE KEY-----
7319 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7320 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7321 -----END PRIVATE KEY-----
7322 -----BEGIN CERTIFICATE-----
7323 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7324 ...
7325 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7326 -----END CERTIFICATE-----
7327
7328 /etc/postfix/rsa.pem:
7329 -----BEGIN PRIVATE KEY-----
7330 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7331 ...
7332 ahQkZ3+krcaJvDSMgvu0tDc=
7333 -----END PRIVATE KEY-----
7334 -----BEGIN CERTIFICATE-----
7335 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7336 ...
7337 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7338 -----END CERTIFICATE-----
7339
7340 Example (all keys and certificates in a single file):
7341
7342 /etc/postfix/main.cf:
7343 smtp_tls_chain_files = ${config_directory}/chains.pem
7344
7345 /etc/postfix/chains.pem:
7346 -----BEGIN PRIVATE KEY-----
7347 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7348 -----END PRIVATE KEY-----
7349 -----BEGIN CERTIFICATE-----
7350 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7351 ...
7352 nC0egv51YPDWxEHom4QA
7353 -----END CERTIFICATE-----
7354 -----BEGIN PRIVATE KEY-----
7355 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7356 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7357 -----END PRIVATE KEY-----
7358 -----BEGIN CERTIFICATE-----
7359 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7360 ...
7361 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7362 -----END CERTIFICATE-----
7363 -----BEGIN PRIVATE KEY-----
7364 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7365 ...
7366 ahQkZ3+krcaJvDSMgvu0tDc=
7367 -----END PRIVATE KEY-----
7368 -----BEGIN CERTIFICATE-----
7369 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7370 ...
7371 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7372 -----END CERTIFICATE-----
7373
7374 This feature is available in Postfix 3.4 and later.
7375
7377 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
7378 list. As this feature applies to all TLS security levels, it is easy to
7379 create interoperability problems by choosing a non-default cipher list.
7380 Do not use a non-default TLS cipher list on hosts that deliver email to
7381 the public Internet: you will be unable to send email to servers that
7382 only support the ciphers you exclude. Using a restricted cipher list
7383 may be more appropriate for an internal MTA, where one can exert some
7384 control over the TLS software and settings of the peer servers.
7385
7386 Note: do not use "" quotes around the parameter value.
7387
7388 This feature is available in Postfix version 2.2. It is not used with
7389 Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
7390
7392 The minimum TLS cipher grade that the Postfix SMTP client will use with
7393 opportunistic TLS encryption. Cipher types listed in
7394 smtp_tls_exclude_ciphers are excluded from the base definition of the
7395 selected cipher grade. The default value is "medium" for Postfix
7396 releases after the middle of 2015, "export" for older releases.
7397
7398 When TLS is mandatory the cipher grade is chosen via the
7399 smtp_tls_mandatory_ciphers configuration parameter, see there for syn‐
7400 tax details. See smtp_tls_policy_maps for information on how to config‐
7401 ure ciphers on a per-destination basis.
7402
7403 This feature is available in Postfix 2.6 and later. With earlier Post‐
7404 fix releases only the smtp_tls_mandatory_ciphers parameter is imple‐
7405 mented, and opportunistic TLS always uses "export" or better (i.e. all)
7406 ciphers.
7407
7409 Try to make multiple deliveries per TLS-encrypted connection. This
7410 uses the tlsproxy(8) service to encrypt an SMTP connection, uses the
7411 scache(8) service to save that connection, and relies on hints from the
7412 qmgr(8) daemon.
7413
7414 See "Client-side TLS connection reuse" for background details.
7415
7416 This feature is available in Postfix 3.4 and later.
7417
7419 The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7420 destination security level is dane, but the MX record was found via an
7421 "insecure" MX lookup. The choices are:
7422
7423 may The TLSA records will be ignored and TLS will be optional. If
7424 the MX host does not appear to support STARTTLS, or the STARTTLS
7425 handshake fails, mail may be sent in the clear.
7426
7427 encrypt
7428 The TLSA records will signal a requirement to use TLS. While
7429 TLS encryption will be required, authentication will not be per‐
7430 formed.
7431
7432 dane (default)
7433 The TLSA records will be used just as with "secure" MX records.
7434 TLS encryption will be required, and, if at least one of the
7435 TLSA records is "usable", authentication will be required. When
7436 authentication succeeds, it will be logged only as "Trusted",
7437 not "Verified", because the MX host name could have been forged.
7438 Though with "insecure" MX records an active attacker can compro‐
7439 mise SMTP transport security by returning forged MX records,
7440 such attacks are "tamper-evident" since any forged MX hostnames
7441 will be recorded in the mail logs. Attackers who place a high
7442 value staying hidden may be deterred from forging MX records.
7443
7444 This feature is available in Postfix 3.1 and later. The may policy is
7445 backwards-compatible with earlier Postfix versions.
7446
7448 File with the Postfix SMTP client DSA certificate in PEM format. This
7449 file may also contain the Postfix SMTP client private DSA key. The DSA
7450 algorithm is obsolete and should not be used.
7451
7452 See the discussion under smtp_tls_cert_file for more details.
7453
7454 Example:
7455
7456 smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7457
7458 This feature is available in Postfix 2.2 and later.
7459
7461 File with the Postfix SMTP client DSA private key in PEM format. This
7462 file may be combined with the Postfix SMTP client DSA certificate file
7463 specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete and
7464 should not be used.
7465
7466 The private key must be accessible without a pass-phrase, i.e. it must
7467 not be encrypted. File permissions should grant read-only access to the
7468 system superuser account ("root"), and no access to anyone else.
7469
7470 This feature is available in Postfix 2.2 and later.
7471
7473 File with the Postfix SMTP client ECDSA certificate in PEM format.
7474 This file may also contain the Postfix SMTP client ECDSA private key.
7475 With Postfix >= 3.4 the preferred way to configure client keys and cer‐
7476 tificates is via the "smtp_tls_chain_files" parameter.
7477
7478 See the discussion under smtp_tls_cert_file for more details.
7479
7480 Example:
7481
7482 smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7483
7484 This feature is available in Postfix 2.6 and later, when Postfix is
7485 compiled and linked with OpenSSL 1.0.0 or later.
7486
7488 File with the Postfix SMTP client ECDSA private key in PEM format.
7489 This file may be combined with the Postfix SMTP client ECDSA certifi‐
7490 cate file specified with $smtp_tls_eccert_file. With Postfix >= 3.4
7491 the preferred way to configure client keys and certificates is via the
7492 "smtp_tls_chain_files" parameter.
7493
7494 The private key must be accessible without a pass-phrase, i.e. it must
7495 not be encrypted. File permissions should grant read-only access to the
7496 system superuser account ("root"), and no access to anyone else.
7497
7498 This feature is available in Postfix 2.6 and later, when Postfix is
7499 compiled and linked with OpenSSL 1.0.0 or later.
7500
7502 With mandatory TLS encryption, require that the remote SMTP server
7503 hostname matches the information in the remote SMTP server certificate.
7504 As of RFC 2487 the requirements for hostname checking for MTA clients
7505 are not specified.
7506
7507 This option can be set to "no" to disable strict peer name checking.
7508 This setting has no effect on sessions that are controlled via the
7509 smtp_tls_per_site table.
7510
7511 Disabling the hostname verification can make sense in closed environ‐
7512 ment where special CAs are created. If not used carefully, this option
7513 opens the danger of a "man-in-the-middle" attack (the CommonName of
7514 this attacker will be logged).
7515
7516 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7517 and later use smtp_tls_security_level instead.
7518
7520 List of ciphers or cipher types to exclude from the Postfix SMTP client
7521 cipher list at all TLS security levels. This is not an OpenSSL
7522 cipherlist, it is a simple list separated by whitespace and/or commas.
7523 The elements are a single cipher, or one or more "+" separated cipher
7524 properties, in which case only ciphers matching all the properties are
7525 excluded.
7526
7527 Examples (some of these will cause problems):
7528
7529 smtp_tls_exclude_ciphers = aNULL
7530 smtp_tls_exclude_ciphers = MD5, DES
7531 smtp_tls_exclude_ciphers = DES+MD5
7532 smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7533 smtp_tls_exclude_ciphers = kEDH+aRSA
7534
7535 The first setting, disables anonymous ciphers. The next setting dis‐
7536 ables ciphers that use the MD5 digest algorithm or the (single) DES
7537 encryption algorithm. The next setting disables ciphers that use MD5
7538 and DES together. The next setting disables the two ciphers
7539 "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
7540 use "EDH" key exchange with RSA authentication.
7541
7542 This feature is available in Postfix 2.3 and later.
7543
7545 List of acceptable remote SMTP server certificate fingerprints for the
7546 "fingerprint" TLS security level (smtp_tls_security_level = finger‐
7547 print). At this security level, Certification Authorities are not used,
7548 and certificate expiration times are ignored. Instead, server certifi‐
7549 cates are verified directly via their certificate fingerprint or public
7550 key fingerprint (Postfix 2.9 and later). The fingerprint is a message
7551 digest of the server certificate (or public key). The digest algorithm
7552 is selected via the smtp_tls_fingerprint_digest parameter.
7553
7554 When an smtp_tls_policy_maps table entry specifies the "fingerprint"
7555 security level, any "match" attributes in that entry specify the list
7556 of valid fingerprints for the corresponding destination. Multiple fin‐
7557 gerprints can be combined with a "|" delimiter in a single match
7558 attribute, or multiple match attributes can be employed.
7559
7560 Example: Certificate fingerprint verification with internal mailhub.
7561 Two matching fingerprints are listed. The relayhost may be multiple
7562 physical hosts behind a load-balancer, each with its own private/public
7563 key and self-signed certificate. Alternatively, a single relayhost may
7564 be in the process of switching from one set of private/public keys to
7565 another, and both keys are trusted just prior to the transition.
7566
7567 relayhost = [mailhub.example.com]
7568 smtp_tls_security_level = fingerprint
7569 smtp_tls_fingerprint_digest = md5
7570 smtp_tls_fingerprint_cert_match =
7571 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7572 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7573
7574 Example: Certificate fingerprint verification with selected destina‐
7575 tions. As in the example above, we show two matching fingerprints:
7576
7577 /etc/postfix/main.cf:
7578 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7579 smtp_tls_fingerprint_digest = md5
7580
7581 /etc/postfix/tls_policy:
7582 example.com fingerprint
7583 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7584 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7585
7586 This feature is available in Postfix 2.5 and later.
7587
7589 The message digest algorithm used to construct remote SMTP server cer‐
7590 tificate fingerprints. At the "fingerprint" TLS security level
7591 (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7592 ified by directly matching its certificate fingerprint or its public
7593 key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7594 digest of the server certificate (or its public key) using the selected
7595 algorithm. With a digest algorithm resistant to "second pre-image"
7596 attacks, it is not feasible to create a new public key and a matching
7597 certificate (or public/private key-pair) that has the same fingerprint.
7598
7599 The default algorithm is md5; this is consistent with the backwards
7600 compatible setting of the digest used to verify client certificates in
7601 the SMTP server.
7602
7603 The best practice algorithm is now sha1. Recent advances in hash func‐
7604 tion cryptanalysis have led to md5 being deprecated in favor of sha1.
7605 However, as long as there are no known "second pre-image" attacks
7606 against md5, its use in this context can still be considered safe.
7607
7608 While additional digest algorithms are often available with OpenSSL's
7609 libcrypto, only those used by libssl in SSL cipher suites are available
7610 to Postfix. For now this means just md5 or sha1.
7611
7612 To find the fingerprint of a specific certificate file, with a specific
7613 digest algorithm, run:
7614
7615 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7616
7617 The text to the right of "=" sign is the desired fingerprint. For
7618 example:
7619
7620 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7621 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7622
7623 To extract the public key fingerprint from an X.509 certificate, you
7624 need to extract the public key from the certificate and compute the
7625 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7626 key" option of the "x509" command extracts the public key always in
7627 "PEM" format. We pipe the result to another OpenSSL command that con‐
7628 verts the key to DER and then to the "dgst" command to compute the fin‐
7629 gerprint.
7630
7631 The actual command to transform the key to DER format depends on the
7632 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7633 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
7634 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
7635 ported by 0.9.8), so the "rsa" command is used.
7636
7637 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7638 $ openssl x509 -in cert.pem -noout -pubkey |
7639 openssl pkey -pubin -outform DER |
7640 openssl dgst -sha1 -c
7641 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7642
7643 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7644 $ openssl x509 -in cert.pem -noout -pubkey |
7645 openssl rsa -pubin -outform DER |
7646 openssl dgst -md5 -c
7647 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7648
7649 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7650 gerprint and public key fingerprint when the TLS loglevel is 2 or
7651 higher.
7652
7653 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
7654 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
7655 later.
7656
7657 This feature is available in Postfix 2.5 and later.
7658
7660 Lookup the associated DANE TLSA RRset even when a hostname is not an
7661 alias and its address records lie in an unsigned zone. This is
7662 unlikely to ever yield DNSSEC validated results, since child zones of
7663 unsigned zones are also unsigned in the absence of DLV or locally con‐
7664 figured non-root trust-anchors. We anticipate that such mechanisms
7665 will not be used for just the "_tcp" subdomain of a host. Suppressing
7666 the TLSA RRset lookup reduces latency and avoids potential interoper‐
7667 ability problems with nameservers for unsigned zones that are not pre‐
7668 pared to handle the new TLSA RRset.
7669
7670 This feature is available in Postfix 2.11.
7671
7673 File with the Postfix SMTP client RSA private key in PEM format. This
7674 file may be combined with the Postfix SMTP client RSA certificate file
7675 specified with $smtp_tls_cert_file. With Postfix >= 3.4 the preferred
7676 way to configure client keys and certificates is via the
7677 "smtp_tls_chain_files" parameter.
7678
7679 The private key must be accessible without a pass-phrase, i.e. it must
7680 not be encrypted. File permissions should grant read-only access to the
7681 system superuser account ("root"), and no access to anyone else.
7682
7683 Example:
7684
7685 smtp_tls_key_file = $smtp_tls_cert_file
7686
7687 This feature is available in Postfix 2.2 and later.
7688
7690 Enable additional Postfix SMTP client logging of TLS activity. Each
7691 logging level also includes the information that is logged at a lower
7692 logging level.
7693
7694 0 Disable logging of TLS activity.
7695
7696 1 Log only a summary message on TLS handshake completion - no
7697 logging of remote SMTP server certificate trust-chain verifica‐
7698 tion errors if server certificate verification is not required.
7699 With Postfix 2.8 and earlier, log the summary message and uncon‐
7700 ditionally log trust-chain verification errors.
7701
7702 2 Also log levels during TLS negotiation.
7703
7704 3 Also log hexadecimal and ASCII dump of TLS negotiation
7705 process.
7706
7707 4 Also log hexadecimal and ASCII dump of complete transmission
7708 after STARTTLS.
7709
7710 Do not use "smtp_tls_loglevel = 2" or higher except in case of prob‐
7711 lems. Use of loglevel 4 is strongly discouraged.
7712
7713 This feature is available in Postfix 2.2 and later.
7714
7716 The minimum TLS cipher grade that the Postfix SMTP client will use with
7717 mandatory TLS encryption. The default value "medium" is suitable for
7718 most destinations with which you may want to enforce TLS, and is beyond
7719 the reach of today's cryptanalytic methods. See smtp_tls_policy_maps
7720 for information on how to configure ciphers on a per-destination basis.
7721
7722 The following cipher grades are supported:
7723
7724 export Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
7725 cipherlist is specified via the tls_export_cipherlist configura‐
7726 tion parameter, which you are strongly encouraged to not change.
7727 This choice is insecure and SHOULD NOT be used.
7728
7729 low Enable "LOW" grade or better OpenSSL ciphers. The underlying
7730 cipherlist is specified via the tls_low_cipherlist configuration
7731 parameter, which you are strongly encouraged to not change.
7732 This choice is insecure and SHOULD NOT be used.
7733
7734 medium Enable "MEDIUM" grade or better OpenSSL ciphers. The underlying
7735 cipherlist is specified via the tls_medium_cipherlist configura‐
7736 tion parameter, which you are strongly encouraged to not change.
7737
7738 high Enable only "HIGH" grade OpenSSL ciphers. This setting may be
7739 appropriate when all mandatory TLS destinations (e.g. when all
7740 mail is routed to a suitably capable relayhost) support at least
7741 one "HIGH" grade cipher. The underlying cipherlist is specified
7742 via the tls_high_cipherlist configuration parameter, which you
7743 are strongly encouraged to not change.
7744
7745 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
7746 cation without encryption. This setting is only appropriate in
7747 the rare case that all servers are prepared to use NULL ciphers
7748 (not normally enabled in TLS servers). A plausible use-case is
7749 an LMTP server listening on a UNIX-domain socket that is config‐
7750 ured to support "NULL" ciphers. The underlying cipherlist is
7751 specified via the tls_null_cipherlist configuration parameter,
7752 which you are strongly encouraged to not change.
7753
7754 The underlying cipherlists for grades other than "null" include anony‐
7755 mous ciphers, but these are automatically filtered out if the Postfix
7756 SMTP client is configured to verify server certificates. You are very
7757 unlikely to need to take any steps to exclude anonymous ciphers, they
7758 are excluded automatically as necessary. If you must exclude anonymous
7759 ciphers at the "may" or "encrypt" security levels, when the Postfix
7760 SMTP client does not need or use peer certificates, set
7761 "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
7762 when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7763
7764 This feature is available in Postfix 2.3 and later.
7765
7767 Additional list of ciphers or cipher types to exclude from the Postfix
7768 SMTP client cipher list at mandatory TLS security levels. This list
7769 works in addition to the exclusions listed with
7770 smtp_tls_exclude_ciphers (see there for syntax details).
7771
7772 Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7773 ified on a per-destination basis via the TLS policy "exclude"
7774 attribute. See smtp_tls_policy_maps for notes and examples.
7775
7776 This feature is available in Postfix 2.3 and later.
7777
7779 List of SSL/TLS protocols that the Postfix SMTP client will use with
7780 mandatory TLS encryption. In main.cf the values are separated by
7781 whitespace, commas or colons. In the policy table "protocols" attribute
7782 (see smtp_tls_policy_maps) the only valid separator is colon. An empty
7783 value means allow all protocols. The valid protocol names, (see \fBfB‐
7784 SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1". The default
7785 value is "!SSLv2, !SSLv3" for Postfix releases after the middle of
7786 2015, "!SSLv2" for older releases.
7787
7788 With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7789 col exclusions. One can explicitly exclude "SSLv2" by setting
7790 "smtp_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
7791 "SSLv3" set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
7792 the protocols to include, rather than protocols to exclude, is sup‐
7793 ported, but not recommended. The exclusion form more closely matches
7794 the underlying OpenSSL interface semantics.
7795
7796 The range of protocols advertised by an SSL/TLS client must be contigu‐
7797 ous. When a protocol version is enabled, disabling any higher version
7798 implicitly disables all versions above that higher version. Thus, for
7799 example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
7800
7801 smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7802 also disables any protocols version higher than TLSv1 leaving only
7803 "SSLv3" enabled.
7804
7805 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7806 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
7807 later, these, or any other new protocol versions, cannot be disabled
7808 except by also disabling "TLSv1" (typically leaving just "SSLv3"). The
7809 latest patch levels of Postfix >= 2.6, and all versions of Postfix >=
7810 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7811
7812 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
7813 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
7814 abled, if need be, via "!TLSv1.3".
7815
7816 At the dane and dane-only security levels, when usable TLSA records are
7817 obtained for the remote SMTP server, the Postfix SMTP client is obli‐
7818 gated to include the SNI TLS extension in its SSL client hello message.
7819 This may help the remote SMTP server live up to its promise to provide
7820 a certificate that matches its TLSA records. Since TLS extensions
7821 require TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7822 and "SSLv3" when SNI is required. If you use "dane" or "dane-only" do
7823 not disable TLSv1, except perhaps via the policy table for destinations
7824 which you are sure will support "TLSv1.1" or "TLSv1.2".
7825
7826 See the documentation of the smtp_tls_policy_maps parameter and
7827 TLS_README for more information about security levels.
7828
7829 Example:
7830
7831 # Preferred syntax with Postfix >= 2.5:
7832 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7833 # Legacy syntax:
7834 smtp_tls_mandatory_protocols = TLSv1
7835
7836 This feature is available in Postfix 2.3 and later.
7837
7839 Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7840 is not already enabled for that server.
7841
7842 The logfile record looks like:
7843
7844 postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
7845
7846 This feature is available in Postfix 2.2 and later.
7847
7849 Optional lookup tables with the Postfix SMTP client TLS usage policy by
7850 next-hop destination and by remote SMTP server hostname. When both
7851 lookups succeed, the more specific per-site policy (NONE, MUST, etc)
7852 overrides the less specific one (MAY), and the more secure per-site
7853 policy (MUST, etc) overrides the less secure one (NONE). With Postfix
7854 2.3 and later smtp_tls_per_site is strongly discouraged: use
7855 smtp_tls_policy_maps instead.
7856
7857 Use of the bare hostname as the per-site table lookup key is discour‐
7858 aged. Always use the full destination nexthop (enclosed in [] with a
7859 possible ":port" suffix). A recipient domain or MX-enabled transport
7860 next-hop with no port suffix may look like a bare hostname, but is
7861 still a suitable destination.
7862
7863 Specify a next-hop destination or server hostname on the left-hand
7864 side; no wildcards are allowed. The next-hop destination is either the
7865 recipient domain, or the destination specified with a transport(5) ta‐
7866 ble, the relayhost parameter, or the relay_transport parameter. On the
7867 right hand side specify one of the following keywords:
7868
7869 NONE Don't use TLS at all. This overrides a less specific MAY lookup
7870 result from the alternate host or next-hop lookup key, and over‐
7871 rides the global smtp_use_tls, smtp_enforce_tls, and
7872 smtp_tls_enforce_peername settings.
7873
7874 MAY Try to use TLS if the server announces support, otherwise use
7875 the unencrypted connection. This has less precedence than a more
7876 specific result (including NONE) from the alternate host or
7877 next-hop lookup key, and has less precedence than the more spe‐
7878 cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7879 name = yes".
7880
7881 MUST_NOPEERMATCH
7882 Require TLS encryption, but do not require that the remote SMTP
7883 server hostname matches the information in the remote SMTP
7884 server certificate, or that the server certificate was issued by
7885 a trusted CA. This overrides a less secure NONE or a less spe‐
7886 cific MAY lookup result from the alternate host or next-hop
7887 lookup key, and overrides the global smtp_use_tls,
7888 smtp_enforce_tls and smtp_tls_enforce_peername settings.
7889
7890 MUST Require TLS encryption, require that the remote SMTP server
7891 hostname matches the information in the remote SMTP server cer‐
7892 tificate, and require that the remote SMTP server certificate
7893 was issued by a trusted CA. This overrides a less secure NONE
7894 and MUST_NOPEERMATCH or a less specific MAY lookup result from
7895 the alternate host or next-hop lookup key, and overrides the
7896 global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7897 name settings.
7898
7899 The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7900 ify" security levels for the new smtp_tls_security_level parameter
7901 introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7902 of how the policy is specified, the smtp_tls_mandatory_ciphers and
7903 smtp_tls_mandatory_protocols parameters apply when TLS encryption is
7904 mandatory. Connections for which encryption is optional typically
7905 enable all "export" grade and better ciphers (see smtp_tls_ciphers and
7906 smtp_tls_protocols).
7907
7908 As long as no secure DNS lookup mechanism is available, false hostnames
7909 in MX or CNAME responses can change the server hostname that Postfix
7910 uses for TLS policy lookup and server certificate verification. Even
7911 with a perfect match between the server hostname and the server cer‐
7912 tificate, there is no guarantee that Postfix is connected to the right
7913 server. See TLS_README (Closing a DNS loophole with obsolete per-site
7914 TLS policies) for a possible work-around.
7915
7916 This feature is available in Postfix 2.2 and later. With Postfix 2.3
7917 and later use smtp_tls_policy_maps instead.
7918
7920 Optional lookup tables with the Postfix SMTP client TLS security policy
7921 by next-hop destination; when a non-empty value is specified, this
7922 overrides the obsolete smtp_tls_per_site parameter. See TLS_README for
7923 a more detailed discussion of TLS security levels.
7924
7925 Specify zero or more "type:name" lookup tables, separated by whitespace
7926 or comma. Tables will be searched in the specified order until a match
7927 is found.
7928
7929 The TLS policy table is indexed by the full next-hop destination, which
7930 is either the recipient domain, or the verbatim next-hop specified in
7931 the transport table, $local_transport, $virtual_transport,
7932 $relay_transport or $default_transport. This includes any enclosing
7933 square brackets and any non-default destination server port suffix. The
7934 LMTP socket type prefix (inet: or unix:) is not included in the lookup
7935 key.
7936
7937 Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
7938 sockets, is used as the nexthop name for certificate verification. The
7939 port and any enclosing square brackets are used in the table lookup
7940 key, but are not used for server name verification.
7941
7942 When the lookup key is a domain name without enclosing square brackets
7943 or any :port suffix (typically the recipient domain), and the full
7944 domain is not found in the table, just as with the transport(5) table,
7945 the parent domain starting with a leading "." is matched recursively.
7946 This allows one to specify a security policy for a recipient domain and
7947 all its sub-domains.
7948
7949 The lookup result is a security level, followed by an optional list of
7950 whitespace and/or comma separated name=value attributes that override
7951 related main.cf settings. The TLS security levels in order of increas‐
7952 ing security are:
7953
7954 none No TLS. No additional attributes are supported at this level.
7955
7956 may Opportunistic TLS. Since sending in the clear is acceptable,
7957 demanding stronger than default TLS security merely reduces
7958 interoperability. The optional "ciphers", "exclude", and "proto‐
7959 cols" attributes (available for opportunistic TLS with Postfix
7960 >= 2.6) and "connection_reuse" attribute (Postfix >= 3.4) over‐
7961 ride the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers",
7962 "smtp_tls_protocols", and "smtp_tls_connection_reuse" configura‐
7963 tion parameters. When opportunistic TLS handshakes fail, Postfix
7964 retries the connection with TLS disabled. This allows mail
7965 delivery to sites with non-interoperable TLS implementations.
7966
7967 encrypt
7968 Mandatory TLS encryption. At this level and higher, the optional
7969 "protocols" attribute overrides the main.cf smtp_tls_manda‐
7970 tory_protocols parameter, the optional "ciphers" attribute over‐
7971 rides the main.cf smtp_tls_mandatory_ciphers parameter, the
7972 optional "exclude" attribute (Postfix >= 2.6) overrides the
7973 main.cf smtp_tls_mandatory_exclude_ciphers parameter, and the
7974 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
7975 the main.cf smtp_tls_connection_reuse parameter. In the policy
7976 table, multiple protocols or excluded ciphers must be separated
7977 by colons, as attribute values may not contain whitespace or
7978 commas.
7979
7980 dane Opportunistic DANE TLS. The TLS policy for the destination is
7981 obtained via TLSA records in DNSSEC. If no TLSA records are
7982 found, the effective security level used is may. If TLSA
7983 records are found, but none are usable, the effective security
7984 level is encrypt. When usable TLSA records are obtained for the
7985 remote SMTP server, the server certificate must match the TLSA
7986 records. RFC 7672 (DANE) TLS authentication and DNSSEC support
7987 is available with Postfix 2.11 and later. The optional "connec‐
7988 tion_reuse" attribute (Postfix >= 3.4) overrides the main.cf
7989 smtp_tls_connection_reuse parameter.
7990
7991 dane-only
7992 Mandatory DANE TLS. The TLS policy for the destination is
7993 obtained via TLSA records in DNSSEC. If no TLSA records are
7994 found, or none are usable, no connection is made to the server.
7995 When usable TLSA records are obtained for the remote SMTP
7996 server, the server certificate must match the TLSA records. RFC
7997 7672 (DANE) TLS authentication and DNSSEC support is available
7998 with Postfix 2.11 and later. The optional "connection_reuse"
7999 attribute (Postfix >= 3.4) overrides the main.cf smtp_tls_con‐
8000 nection_reuse parameter.
8001
8002 fingerprint
8003 Certificate fingerprint verification. Available with Postfix 2.5
8004 and later. At this security level, there are no trusted Certifi‐
8005 cation Authorities. The certificate trust chain, expiration
8006 date, ... are not checked. Instead, the optional match
8007 attribute, or else the main.cf smtp_tls_fingerprint_cert_match
8008 parameter, lists the certificate fingerprints or the public key
8009 fingerprint (Postfix 2.9 and later) of the valid server certifi‐
8010 cate. The digest algorithm used to calculate the fingerprint is
8011 selected by the smtp_tls_fingerprint_digest parameter. Multiple
8012 fingerprints can be combined with a "|" delimiter in a single
8013 match attribute, or multiple match attributes can be employed.
8014 The ":" character is not used as a delimiter as it occurs
8015 between each pair of fingerprint (hexadecimal) digits. The
8016 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8017 the main.cf smtp_tls_connection_reuse parameter.
8018
8019 verify Mandatory TLS verification. At this security level, DNS MX
8020 lookups are trusted to be secure enough, and the name verified
8021 in the server certificate is usually obtained indirectly via
8022 unauthenticated DNS MX lookups. The optional "match" attribute
8023 overrides the main.cf smtp_tls_verify_cert_match parameter. In
8024 the policy table, multiple match patterns and strategies must be
8025 separated by colons. In practice explicit control over matching
8026 is more common with the "secure" policy, described below. The
8027 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8028 the main.cf smtp_tls_connection_reuse parameter.
8029
8030 secure Secure-channel TLS. At this security level, DNS MX lookups,
8031 though potentially used to determine the candidate next-hop
8032 gateway IP addresses, are not trusted to be secure enough for
8033 TLS peername verification. Instead, the default name verified in
8034 the server certificate is obtained directly from the next-hop,
8035 or is explicitly specified via the optional match attribute
8036 which overrides the main.cf smtp_tls_secure_cert_match parame‐
8037 ter. In the policy table, multiple match patterns and strategies
8038 must be separated by colons. The match attribute is most useful
8039 when multiple domains are supported by common server, the policy
8040 entries for additional domains specify matching rules for the
8041 primary domain certificate. While transport table overrides
8042 routing the secondary domains to the primary nexthop also allow
8043 secure verification, they risk delivery to the wrong destination
8044 when domains change hands or are re-assigned to new gateways.
8045 With the "match" attribute approach, routing is not perturbed,
8046 and mail is deferred if verification of a new MX host fails. The
8047 optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8048 the main.cf smtp_tls_connection_reuse parameter.
8049
8050 Example:
8051
8052 /etc/postfix/main.cf:
8053 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8054 # Postfix 2.5 and later
8055 smtp_tls_fingerprint_digest = md5
8056
8057 /etc/postfix/tls_policy:
8058 example.edu none
8059 example.mil may
8060 example.gov encrypt protocols=TLSv1
8061 example.com verify ciphers=high
8062 example.net secure
8063 .example.net secure match=.example.net:example.net
8064 [mail.example.org]:587 secure match=nexthop
8065 # Postfix 2.5 and later
8066 [thumb.example.org] fingerprint
8067 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8068 match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8069
8070 Note: The hostname strategy if listed in a non-default setting of
8071 smtp_tls_secure_cert_match or in the match attribute in the policy ta‐
8072 ble can render the secure level vulnerable to DNS forgery. Do not use
8073 the hostname strategy for secure-channel configurations in environments
8074 where DNS security is not assured.
8075
8076 This feature is available in Postfix 2.3 and later.
8077
8079 List of TLS protocols that the Postfix SMTP client will exclude or
8080 include with opportunistic TLS encryption. The default value is
8081 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015,
8082 "!SSLv2" for older releases. Before Postfix 2.6, the Postfix SMTP
8083 client would use all protocols with opportunistic TLS.
8084
8085 In main.cf the values are separated by whitespace, commas or colons. In
8086 the policy table (see smtp_tls_policy_maps) the only valid separator is
8087 colon. An empty value means allow all protocols. The valid protocol
8088 names, (see \fBfBSSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
8089
8090 The range of protocols advertised by an SSL/TLS client must be contigu‐
8091 ous. When a protocol version is enabled, disabling any higher version
8092 implicitly disables all versions above that higher version. Thus, for
8093 example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
8094
8095 smtp_tls_protocols = !SSLv2, !TLSv1
8096 also disables any protocols version higher than TLSv1 leaving only
8097 "SSLv3" enabled.
8098
8099 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
8100 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
8101 of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or
8102 "TLSv1.2"
8103
8104 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
8105 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
8106 abled, if need be, via "!TLSv1.3".
8107
8108 To include a protocol list its name, to exclude it, prefix the name
8109 with a "!" character. To exclude SSLv2 for opportunistic TLS set
8110 "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
8111 "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
8112 to include, rather than protocols to exclude, is supported, but not
8113 recommended. The exclusion form more closely matches the underlying
8114 OpenSSL interface semantics.
8115
8116 Example:
8117 # TLSv1 or better:
8118 smtp_tls_protocols = !SSLv2, !SSLv3
8119
8120 This feature is available in Postfix 2.6 and later.
8121
8123 The verification depth for remote SMTP server certificates. A depth of
8124 1 is sufficient if the issuing CA is listed in a local CA file.
8125
8126 The default verification depth is 9 (the OpenSSL default) for compati‐
8127 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
8128 value was 5, but the limit was not actually enforced. If you have set
8129 this to a lower non-default value, certificates with longer trust
8130 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
8131 common, deeper chains are more rare and any number between 5 and 9
8132 should suffice in practice. You can choose a lower number if, for exam‐
8133 ple, you trust certificates directly signed by an issuing CA but not
8134 any CAs it delegates to.
8135
8136 This feature is available in Postfix 2.2 and later.
8137
8139 How the Postfix SMTP client verifies the server certificate peername
8140 for the "secure" TLS security level. In a "secure" TLS policy table
8141 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
8142 this main.cf setting.
8143
8144 This parameter specifies one or more patterns or strategies separated
8145 by commas, whitespace or colons. In the policy table the only valid
8146 separator is the colon character.
8147
8148 For a description of the pattern and strategy syntax see the
8149 smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
8150 avoided in this context, as in the absence of a secure global DNS,
8151 using the results of MX lookups in certificate verification is not
8152 immune to active (man-in-the-middle) attacks on DNS.
8153
8154 Sample main.cf setting:
8155
8156 smtp_tls_secure_cert_match = nexthop
8157
8158 Sample policy table override:
8159
8160 example.net secure match=example.com:.example.com
8161 .example.net secure match=example.com:.example.com
8162
8163 This feature is available in Postfix 2.3 and later.
8164
8166 The default SMTP TLS security level for the Postfix SMTP client; when a
8167 non-empty value is specified, this overrides the obsolete parameters
8168 smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
8169
8170 Specify one of the following security levels:
8171
8172 none No TLS. TLS will not be used unless enabled for specific desti‐
8173 nations via smtp_tls_policy_maps.
8174
8175 may Opportunistic TLS. Use TLS if this is supported by the remote
8176 SMTP server, otherwise use plaintext. Since sending in the clear
8177 is acceptable, demanding stronger than default TLS security
8178 merely reduces interoperability. The "smtp_tls_ciphers" and
8179 "smtp_tls_protocols" (Postfix >= 2.6) configuration parameters
8180 provide control over the protocols and cipher grade used with
8181 opportunistic TLS. With earlier releases the opportunistic TLS
8182 cipher grade is always "export" and no protocols are disabled.
8183 When TLS handshakes fail, the connection is retried with TLS
8184 disabled. This allows mail delivery to sites with non-interop‐
8185 erable TLS implementations.
8186
8187 encrypt
8188 Mandatory TLS encryption. Since a minimum level of security is
8189 intended, it is reasonable to be specific about sufficiently
8190 secure protocol versions and ciphers. At this security level and
8191 higher, the main.cf parameters smtp_tls_mandatory_protocols and
8192 smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
8193 cipher grade which the administrator considers secure enough for
8194 mandatory encrypted sessions. This security level is not an
8195 appropriate default for systems delivering mail to the Internet.
8196
8197 dane Opportunistic DANE TLS. At this security level, the TLS policy
8198 for the destination is obtained via DNSSEC. For TLSA policy to
8199 be in effect, the destination domain's containing DNS zone must
8200 be signed and the Postfix SMTP client's operating system must be
8201 configured to send its DNS queries to a recursive DNS nameserver
8202 that is able to validate the signed records. Each MX host's DNS
8203 zone should also be signed, and should publish DANE TLSA (RFC
8204 7672) records that specify how that MX host's TLS certificate is
8205 to be verified. TLSA records do not preempt the normal SMTP MX
8206 host selection algorithm, if some MX hosts support TLSA and oth‐
8207 ers do not, TLS security will vary from delivery to delivery.
8208 It is up to the domain owner to configure their MX hosts and
8209 their DNS sensibly. To configure the Postfix SMTP client for
8210 DNSSEC lookups see the documentation for the smtp_dns_sup‐
8211 port_level main.cf parameter. When DNSSEC-validated TLSA
8212 records are not found the effective tls security level is "may".
8213 When TLSA records are found, but are all unusable the effective
8214 security level is "encrypt". For purposes of protocol and
8215 cipher selection, the "dane" security level is treated like a
8216 "mandatory" TLS security level, and weak ciphers and protocols
8217 are disabled. Since DANE authenticates server certificates the
8218 "aNULL" cipher-suites are transparently excluded at this level,
8219 no need to configure this manually. RFC 7672 (DANE) TLS authen‐
8220 tication is available with Postfix 2.11 and later.
8221
8222 dane-only
8223 Mandatory DANE TLS. This is just like "dane" above, but DANE
8224 TLSA authentication is required. There is no fallback to "may"
8225 or "encrypt" when TLSA records are missing or unusable. RFC
8226 7672 (DANE) TLS authentication is available with Postfix 2.11
8227 and later.
8228
8229 fingerprint
8230 Certificate fingerprint verification. At this security level,
8231 there are no trusted Certification Authorities. The certificate
8232 trust chain, expiration date, etc., are not checked. Instead,
8233 the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
8234 cate fingerprint or public key fingerprint (Postfix 2.9 and
8235 later) of the valid server certificate. The digest algorithm
8236 used to calculate the fingerprint is selected by the
8237 smtp_tls_fingerprint_digest parameter. Available with Postfix
8238 2.5 and later.
8239
8240 verify Mandatory TLS verification. At this security level, DNS MX
8241 lookups are trusted to be secure enough, and the name verified
8242 in the server certificate is usually obtained indirectly via
8243 unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
8244 parameter controls how the server name is verified. In practice
8245 explicit control over matching is more common at the "secure"
8246 level, described below. This security level is not an appropri‐
8247 ate default for systems delivering mail to the Internet.
8248
8249 secure Secure-channel TLS. At this security level, DNS MX lookups,
8250 though potentially used to determine the candidate next-hop
8251 gateway IP addresses, are not trusted to be secure enough for
8252 TLS peername verification. Instead, the default name verified in
8253 the server certificate is obtained from the next-hop domain as
8254 specified in the smtp_tls_secure_cert_match configuration param‐
8255 eter. The default matching rule is that a server certificate
8256 matches when its name is equal to or is a sub-domain of the nex‐
8257 thop domain. This security level is not an appropriate default
8258 for systems delivering mail to the Internet.
8259
8260 Examples:
8261
8262 # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8263 smtp_tls_security_level = none
8264
8265 # Opportunistic TLS.
8266 smtp_tls_security_level = may
8267 # Postfix >= 2.6:
8268 # Do not tweak opportunistic ciphers or protocol unless it is essential
8269 # to do so (if a security vulnerability is found in the SSL library that
8270 # can be mitigated by disabling a particular protocol or raising the
8271 # cipher grade from "export" to "low" or "medium").
8272 smtp_tls_ciphers = export
8273 smtp_tls_protocols = !SSLv2, !SSLv3
8274
8275 # Mandatory (high-grade) TLS encryption.
8276 smtp_tls_security_level = encrypt
8277 smtp_tls_mandatory_ciphers = high
8278
8279 # Mandatory TLS verification of hostname or nexthop domain.
8280 smtp_tls_security_level = verify
8281 smtp_tls_mandatory_ciphers = high
8282 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8283
8284 # Secure channel TLS with exact nexthop name match.
8285 smtp_tls_security_level = secure
8286 smtp_tls_mandatory_protocols = TLSv1
8287 smtp_tls_mandatory_ciphers = high
8288 smtp_tls_secure_cert_match = nexthop
8289
8290 # Certificate fingerprint verification (Postfix >= 2.5).
8291 # The CA-less "fingerprint" security level only scales to a limited
8292 # number of destinations. As a global default rather than a per-site
8293 # setting, this is practical when mail for all recipients is sent
8294 # to a central mail hub.
8295 relayhost = [mailhub.example.com]
8296 smtp_tls_security_level = fingerprint
8297 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8298 smtp_tls_mandatory_ciphers = high
8299 smtp_tls_fingerprint_cert_match =
8300 3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8301 EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8302
8303 This feature is available in Postfix 2.3 and later.
8304
8306 Optional name to send to the remote SMTP server in the TLS Server Name
8307 Indication (SNI) extension. The SNI extension is always on when DANE
8308 is used to authenticate the server, and in that case the SNI name sent
8309 is the one required by RFC7672 and this parameter is ignored.
8310
8311 Some SMTP servers use the received SNI name to select an appropriate
8312 certificate chain to present to the client. While this may improve
8313 interoperability with such servers, it may reduce interoperability with
8314 other servers that choose to abort the connection when they don't have
8315 a certificate chain configured for the requested name. Such servers
8316 should select a default certificate chain and continue the handshake,
8317 but some may not. Therefore, absent DANE, no SNI name is sent by
8318 default.
8319
8320 The SNI name must be either a valid DNS hostname, or else one of the
8321 special values hostname or nexthop, which select either the remote
8322 hostname or the nexthop domain respectively. DNS names for SNI must be
8323 in A-label (punycode) form. Invalid DNS names log a configuration
8324 error warning and mail delivery is deferred.
8325
8326 Except when using a relayhost to forward all email, the only sensible
8327 non-empty main.cf setting for this parameter is hostname. Other
8328 non-empty values are only practical on a per-destination basis via the
8329 servername attribute of the Postfix TLS policy table. When in doubt,
8330 leave this parameter empty, and configure per-destination SNI as
8331 needed.
8332
8333 This feature is available in Postfix 3.4 and later.
8334
8336 Name of the file containing the optional Postfix SMTP client TLS ses‐
8337 sion cache. Specify a database type that supports enumeration, such as
8338 btree or sdbm; there is no need to support concurrent access. The file
8339 is created if it does not exist. The smtp(8) daemon does not use this
8340 parameter directly, rather the cache is implemented indirectly in the
8341 tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8342 of this parameter are not effective. Note, that each of the cache
8343 databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
8344 base, $smtp_tls_session_cache_database (and with Postfix 2.3 and later
8345 $lmtp_tls_session_cache_database), needs to be stored separately. It is
8346 not at this time possible to store multiple caches in a single data‐
8347 base.
8348
8349 Note: dbm databases are not suitable. TLS session objects are too
8350 large.
8351
8352 As of version 2.5, Postfix no longer uses root privileges when opening
8353 this file. The file should now be stored under the Postfix-owned
8354 data_directory. As a migration aid, an attempt to open the file under a
8355 non-Postfix directory is redirected to the Postfix-owned data_direc‐
8356 tory, and a warning is logged.
8357
8358 Example:
8359
8360 smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8361
8362 This feature is available in Postfix 2.2 and later.
8363
8365 The expiration time of Postfix SMTP client TLS session cache informa‐
8366 tion. A cache cleanup is performed periodically every $smtp_tls_ses‐
8367 sion_cache_timeout seconds. As with $smtp_tls_session_cache_database,
8368 this parameter is implemented in the tlsmgr(8) daemon and therefore
8369 per-smtp-instance master.cf overrides are not possible.
8370
8371 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
8372 session caching is disabled. If set to a positive value less than 2
8373 minutes, the minimum value of 2 minutes is used instead.
8374
8375 This feature is available in Postfix 2.2 and later.
8376
8378 Zero or more PEM-format files with trust-anchor certificates and/or
8379 public keys. If the parameter is not empty the root CAs in CAfile and
8380 CApath are no longer trusted. Rather, the Postfix SMTP client will
8381 only trust certificate-chains signed by one of the trust-anchors con‐
8382 tained in the chosen files. The specified trust-anchor certificates
8383 and public keys are not subject to expiration, and need not be
8384 (self-signed) root CAs. They may, if desired, be intermediate certifi‐
8385 cates. Therefore, these certificates also may be found "in the middle"
8386 of the trust chain presented by the remote SMTP server, and any
8387 untrusted issuing parent certificates will be ignored. Specify a list
8388 of pathnames separated by comma or whitespace.
8389
8390 Whether specified in main.cf, or on a per-destination basis, the
8391 trust-anchor PEM file must be accessible to the Postfix SMTP client in
8392 the chroot jail if applicable. The trust-anchor file should contain
8393 only certificates and public keys, no private key material, and must be
8394 readable by the non-privileged $mail_owner user. This allows destina‐
8395 tions to be bound to a set of specific CAs or public keys without
8396 trusting the same CAs for all destinations.
8397
8398 The main.cf parameter supports single-purpose Postfix installations
8399 that send mail to a fixed set of SMTP peers. At most sites, if
8400 trust-anchor files are used at all, they will be specified on a
8401 per-destination basis via the "tafile" attribute of the "verify" and
8402 "secure" levels in smtp_tls_policy_maps.
8403
8404 The underlying mechanism is in support of RFC 7672 (DANE TLSA), which
8405 defines mechanisms for an SMTP client MTA to securely determine server
8406 TLS certificates via DNS.
8407
8408 If you want your trust anchors to be public keys, with OpenSSL you can
8409 extract a single PEM public key from a PEM X.509 file containing a sin‐
8410 gle certificate, as follows:
8411
8412 $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8413
8414 This feature is available in Postfix 2.11 and later.
8415
8417 How the Postfix SMTP client verifies the server certificate peername
8418 for the "verify" TLS security level. In a "verify" TLS policy table
8419 ($smtp_tls_policy_maps) entry the optional "match" attribute overrides
8420 this main.cf setting.
8421
8422 This parameter specifies one or more patterns or strategies separated
8423 by commas, whitespace or colons. In the policy table the only valid
8424 separator is the colon character.
8425
8426 Patterns specify domain names, or domain name suffixes:
8427
8428 example.com
8429 Match the example.com domain, i.e. one of the names the server
8430 certificate must be example.com, upper and lower case distinc‐
8431 tions are ignored.
8432
8433 .example.com
8434 Match subdomains of the example.com domain, i.e. match a name in
8435 the server certificate that consists of a non-zero number of
8436 labels followed by a .example.com suffix. Case distinctions are
8437 ignored.
8438
8439 Strategies specify a transformation from the next-hop domain to the
8440 expected name in the server certificate:
8441
8442 nexthop
8443 Match against the next-hop domain, which is either the recipient
8444 domain, or the transport next-hop configured for the domain
8445 stripped of any optional socket type prefix, enclosing square
8446 brackets and trailing port. When MX lookups are not suppressed,
8447 this is the original nexthop domain prior to the MX lookup, not
8448 the result of the MX lookup. For LMTP delivery via UNIX-domain
8449 sockets, the verified next-hop name is $myhostname. This strat‐
8450 egy is suitable for use with the "secure" policy. Case is
8451 ignored.
8452
8453 dot-nexthop
8454 As above, but match server certificate names that are subdomains
8455 of the next-hop domain. Case is ignored.
8456
8457 hostname
8458 Match against the hostname of the server, often obtained via an
8459 unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8460 sockets, the verified name is $myhostname. This matches the ver‐
8461 ification strategy of the "MUST" keyword in the obsolete
8462 smtp_tls_per_site table, and is suitable for use with the "ver‐
8463 ify" security level. When the next-hop name is enclosed in
8464 square brackets to suppress MX lookups, the "hostname" strategy
8465 is the same as the "nexthop" strategy. Case is ignored.
8466
8467 Sample main.cf setting:
8468
8469 smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8470
8471 Sample policy table override:
8472
8473 example.com verify match=hostname:nexthop
8474 .example.com verify match=example.com:.example.com:hostname
8475
8476 This feature is available in Postfix 2.3 and later.
8477
8479 Request that the Postfix SMTP client connects using the legacy SMTPS
8480 protocol instead of using the STARTTLS command.
8481
8482 This mode requires "smtp_tls_security_level = encrypt" or stronger.
8483
8484 Example: deliver all remote mail via a provider's server "mail.exam‐
8485 ple.com".
8486
8487 /etc/postfix/main.cf:
8488 # Client-side SMTPS requires "encrypt" or stronger.
8489 smtp_tls_security_level = encrypt
8490 smtp_tls_wrappermode = yes
8491 # The [] suppress MX lookups.
8492 relayhost = [mail.example.com]:465
8493
8494 More examples are in TLS_README, including examples for older Postfix
8495 versions.
8496
8497 This feature is available in Postfix 3.0 and later.
8498
8500 Opportunistic mode: use TLS when a remote SMTP server announces START‐
8501 TLS support, otherwise send the mail in the clear. Beware: some SMTP
8502 servers offer STARTTLS even if it is not configured. With Postfix <
8503 2.3, if the TLS handshake fails, and no other server is available,
8504 delivery is deferred and mail stays in the queue. If this is a concern
8505 for you, use the smtp_tls_per_site feature instead.
8506
8507 This feature is available in Postfix 2.2 and later. With Postfix 2.3
8508 and later use smtp_tls_security_level instead.
8509
8511 The Postfix SMTP client time limit for sending the XFORWARD command,
8512 and for receiving the remote SMTP server response.
8513
8514 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
8515 The default time unit is s (seconds).
8516
8517 This feature is available in Postfix 2.1 and later.
8518
8520 What remote SMTP clients are allowed to specify the XVERP command.
8521 This command requests that mail be delivered one recipient at a time
8522 with a per recipient return address.
8523
8524 By default, no clients are allowed to specify XVERP.
8525
8526 This parameter was renamed with Postfix version 2.1. The default value
8527 is backwards compatible with Postfix version 2.0.
8528
8529 Specify a list of network/netmask patterns, separated by commas and/or
8530 whitespace. The mask specifies the number of bits in the network part
8531 of a host address. You can also specify hostnames or .domain names (the
8532 initial dot causes the domain to match any name below it),
8533 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8534 replaced by its contents; a "type:table" lookup table is matched when a
8535 table entry matches a lookup string (the lookup result is ignored).
8536 Continue long lines by starting the next line with whitespace. Specify
8537 "!pattern" to exclude an address or network block from the list. The
8538 form "!/file/name" is supported only in Postfix version 2.4 and later.
8539
8540 Note: IP version 6 address information must be specified inside [] in
8541 the smtpd_authorized_verp_clients value, and in files specified with
8542 "/file/name". IP version 6 addresses contain the ":" character, and
8543 would otherwise be confused with a "type:table" pattern.
8544
8546 What remote SMTP clients are allowed to use the XCLIENT feature. This
8547 command overrides remote SMTP client information that is used for
8548 access control. Typical use is for SMTP-based content filters, fetch‐
8549 mail-like programs, or SMTP server access rule testing. See the
8550 XCLIENT_README document for details.
8551
8552 This feature is available in Postfix 2.1 and later.
8553
8554 By default, no clients are allowed to specify XCLIENT.
8555
8556 Specify a list of network/netmask patterns, separated by commas and/or
8557 whitespace. The mask specifies the number of bits in the network part
8558 of a host address. You can also specify hostnames or .domain names (the
8559 initial dot causes the domain to match any name below it),
8560 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8561 replaced by its contents; a "type:table" lookup table is matched when a
8562 table entry matches a lookup string (the lookup result is ignored).
8563 Continue long lines by starting the next line with whitespace. Specify
8564 "!pattern" to exclude an address or network block from the list. The
8565 form "!/file/name" is supported only in Postfix version 2.4 and later.
8566
8567 Note: IP version 6 address information must be specified inside [] in
8568 the smtpd_authorized_xclient_hosts value, and in files specified with
8569 "/file/name". IP version 6 addresses contain the ":" character, and
8570 would otherwise be confused with a "type:table" pattern.
8571
8573 What remote SMTP clients are allowed to use the XFORWARD feature. This
8574 command forwards information that is used to improve logging after
8575 SMTP-based content filters. See the XFORWARD_README document for
8576 details.
8577
8578 This feature is available in Postfix 2.1 and later.
8579
8580 By default, no clients are allowed to specify XFORWARD.
8581
8582 Specify a list of network/netmask patterns, separated by commas and/or
8583 whitespace. The mask specifies the number of bits in the network part
8584 of a host address. You can also specify hostnames or .domain names (the
8585 initial dot causes the domain to match any name below it),
8586 "/file/name" or "type:table" patterns. A "/file/name" pattern is
8587 replaced by its contents; a "type:table" lookup table is matched when a
8588 table entry matches a lookup string (the lookup result is ignored).
8589 Continue long lines by starting the next line with whitespace. Specify
8590 "!pattern" to exclude an address or network block from the list. The
8591 form "!/file/name" is supported only in Postfix version 2.4 and later.
8592
8593 Note: IP version 6 address information must be specified inside [] in
8594 the smtpd_authorized_xforward_hosts value, and in files specified with
8595 "/file/name". IP version 6 addresses contain the ":" character, and
8596 would otherwise be confused with a "type:table" pattern.
8597
8599 The text that follows the 220 status code in the SMTP greeting banner.
8600 Some people like to see the mail version advertised. By default, Post‐
8601 fix shows no version.
8602
8603 You MUST specify $myhostname at the start of the text. This is required
8604 by the SMTP protocol.
8605
8606 Example:
8607
8608 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8609
8611 The maximal number of AUTH commands that any client is allowed to send
8612 to this service per time unit, regardless of whether or not Postfix
8613 actually accepts those commands. The time unit is specified with the
8614 anvil_rate_time_unit configuration parameter.
8615
8616 By default, there is no limit on the number AUTH commands that a client
8617 may send.
8618
8619 To disable this feature, specify a limit of 0.
8620
8621 WARNING: The purpose of this feature is to limit abuse. It must not be
8622 used to regulate legitimate mail traffic.
8623
8624 This feature is available in Postfix 3.1 and later.
8625
8627 How many simultaneous connections any client is allowed to make to this
8628 service. By default, the limit is set to half the default process
8629 limit value.
8630
8631 To disable this feature, specify a limit of 0.
8632
8633 WARNING: The purpose of this feature is to limit abuse. It must not be
8634 used to regulate legitimate mail traffic.
8635
8636 This feature is available in Postfix 2.2 and later.
8637
8639 The maximal number of connection attempts any client is allowed to make
8640 to this service per time unit. The time unit is specified with the
8641 anvil_rate_time_unit configuration parameter.
8642
8643 By default, a client can make as many connections per time unit as
8644 Postfix can accept.
8645
8646 To disable this feature, specify a limit of 0.
8647
8648 WARNING: The purpose of this feature is to limit abuse. It must not be
8649 used to regulate legitimate mail traffic.
8650
8651 This feature is available in Postfix 2.2 and later.
8652
8653 Example:
8654
8655 smtpd_client_connection_rate_limit = 1000
8656
8658 Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8659 tions. See the mynetworks parameter description for the parameter value
8660 syntax.
8661
8662 By default, clients in trusted networks are excluded. Specify a list of
8663 network blocks, hostnames or .domain names (the initial dot causes the
8664 domain to match any name below it).
8665
8666 Note: IP version 6 address information must be specified inside [] in
8667 the smtpd_client_event_limit_exceptions value, and in files specified
8668 with "/file/name". IP version 6 addresses contain the ":" character,
8669 and would otherwise be confused with a "type:table" pattern.
8670
8671 Pattern matching of domain names is controlled by the presence or
8672 absence of "smtpd_client_event_limit_exceptions" in the par‐
8673 ent_domain_matches_subdomains parameter value (postfix 3.0 and later).
8674
8675 This feature is available in Postfix 2.2 and later.
8676
8678 The maximal number of message delivery requests that any client is
8679 allowed to make to this service per time unit, regardless of whether or
8680 not Postfix actually accepts those messages. The time unit is speci‐
8681 fied with the anvil_rate_time_unit configuration parameter.
8682
8683 By default, a client can send as many message delivery requests per
8684 time unit as Postfix can accept.
8685
8686 To disable this feature, specify a limit of 0.
8687
8688 WARNING: The purpose of this feature is to limit abuse. It must not be
8689 used to regulate legitimate mail traffic.
8690
8691 This feature is available in Postfix 2.2 and later.
8692
8693 Example:
8694
8695 smtpd_client_message_rate_limit = 1000
8696
8698 The maximal number of new (i.e., uncached) TLS sessions that a remote
8699 SMTP client is allowed to negotiate with this service per time unit.
8700 The time unit is specified with the anvil_rate_time_unit configuration
8701 parameter.
8702
8703 By default, a remote SMTP client can negotiate as many new TLS sessions
8704 per time unit as Postfix can accept.
8705
8706 To disable this feature, specify a limit of 0. Otherwise, specify a
8707 limit that is at least the per-client concurrent session limit, or else
8708 legitimate client sessions may be rejected.
8709
8710 WARNING: The purpose of this feature is to limit abuse. It must not be
8711 used to regulate legitimate mail traffic.
8712
8713 This feature is available in Postfix 2.3 and later.
8714
8715 Example:
8716
8717 smtpd_client_new_tls_session_rate_limit = 100
8718
8720 Enable logging of the remote SMTP client port in addition to the host‐
8721 name and IP address. The logging format is "host[address]:port".
8722
8723 This feature is available in Postfix 2.5 and later.
8724
8726 The maximal number of recipient addresses that any client is allowed to
8727 send to this service per time unit, regardless of whether or not Post‐
8728 fix actually accepts those recipients. The time unit is specified with
8729 the anvil_rate_time_unit configuration parameter.
8730
8731 By default, a client can send as many recipient addresses per time unit
8732 as Postfix can accept.
8733
8734 To disable this feature, specify a limit of 0.
8735
8736 WARNING: The purpose of this feature is to limit abuse. It must not be
8737 used to regulate legitimate mail traffic.
8738
8739 This feature is available in Postfix 2.2 and later.
8740
8741 Example:
8742
8743 smtpd_client_recipient_rate_limit = 1000
8744
8746 Optional restrictions that the Postfix SMTP server applies in the con‐
8747 text of a client connection request. See SMTPD_ACCESS_README, section
8748 "Delayed evaluation of SMTP access restriction lists" for a discussion
8749 of evaluation context and time.
8750
8751 The default is to allow all connection requests.
8752
8753 Specify a list of restrictions, separated by commas and/or whitespace.
8754 Continue long lines by starting the next line with whitespace.
8755 Restrictions are applied in the order as specified; the first restric‐
8756 tion that matches wins.
8757
8758 The following restrictions are specific to client hostname or client
8759 network address information.
8760
8761 check_ccert_access type:table
8762 Use the remote SMTP client certificate fingerprint or the public
8763 key fingerprint (Postfix 2.9 and later) as lookup key for the
8764 specified access(5) database; with Postfix version 2.2, also
8765 require that the remote SMTP client certificate is verified suc‐
8766 cessfully. The fingerprint digest algorithm is configurable via
8767 the smtpd_tls_fingerprint_digest parameter (hard-coded as md5
8768 prior to Postfix version 2.5). This feature is available with
8769 Postfix version 2.2 and later.
8770
8771 check_client_access type:table
8772 Search the specified access database for the client hostname,
8773 parent domains, client IP address, or networks obtained by
8774 stripping least significant octets. See the access(5) manual
8775 page for details.
8776
8777 check_client_a_access type:table
8778 Search the specified access(5) database for the IP addresses for
8779 the client hostname, and execute the corresponding action.
8780 Note: a result of "OK" is not allowed for safety reasons.
8781 Instead, use DUNNO in order to exclude specific hosts from
8782 blacklists. This feature is available in Postfix 3.0 and later.
8783
8784 check_client_mx_access type:table
8785 Search the specified access(5) database for the MX hosts for the
8786 client hostname, and execute the corresponding action. Note: a
8787 result of "OK" is not allowed for safety reasons. Instead, use
8788 DUNNO in order to exclude specific hosts from blacklists. This
8789 feature is available in Postfix 2.7 and later.
8790
8791 check_client_ns_access type:table
8792 Search the specified access(5) database for the DNS servers for
8793 the client hostname, and execute the corresponding action.
8794 Note: a result of "OK" is not allowed for safety reasons.
8795 Instead, use DUNNO in order to exclude specific hosts from
8796 blacklists. This feature is available in Postfix 2.7 and later.
8797
8798 check_reverse_client_hostname_access type:table
8799 Search the specified access database for the unverified reverse
8800 client hostname, parent domains, client IP address, or networks
8801 obtained by stripping least significant octets. See the
8802 access(5) manual page for details. Note: a result of "OK" is
8803 not allowed for safety reasons. Instead, use DUNNO in order to
8804 exclude specific hosts from blacklists. This feature is avail‐
8805 able in Postfix 2.6 and later.
8806
8807 check_reverse_client_hostname_a_access type:table
8808 Search the specified access(5) database for the IP addresses for
8809 the unverified reverse client hostname, and execute the corre‐
8810 sponding action. Note: a result of "OK" is not allowed for
8811 safety reasons. Instead, use DUNNO in order to exclude specific
8812 hosts from blacklists. This feature is available in Postfix 3.0
8813 and later.
8814
8815 check_reverse_client_hostname_mx_access type:table
8816 Search the specified access(5) database for the MX hosts for the
8817 unverified reverse client hostname, and execute the correspond‐
8818 ing action. Note: a result of "OK" is not allowed for safety
8819 reasons. Instead, use DUNNO in order to exclude specific hosts
8820 from blacklists. This feature is available in Postfix 2.7 and
8821 later.
8822
8823 check_reverse_client_hostname_ns_access type:table
8824 Search the specified access(5) database for the DNS servers for
8825 the unverified reverse client hostname, and execute the corre‐
8826 sponding action. Note: a result of "OK" is not allowed for
8827 safety reasons. Instead, use DUNNO in order to exclude specific
8828 hosts from blacklists. This feature is available in Postfix 2.7
8829 and later.
8830
8831 check_sasl_access type:table
8832 Use the remote SMTP client SASL user name as lookup key for the
8833 specified access(5) database. The lookup key has the form "user‐
8834 name@domainname" when the smtpd_sasl_local_domain parameter
8835 value is non-empty. Unlike the check_client_access feature,
8836 check_sasl_access does not perform matches of parent domains or
8837 IP subnet ranges. This feature is available with Postfix ver‐
8838 sion 2.11 and later.
8839
8840 permit_inet_interfaces
8841 Permit the request when the client IP address matches
8842 $inet_interfaces.
8843
8844 permit_mynetworks
8845 Permit the request when the client IP address matches any net‐
8846 work or network address listed in $mynetworks.
8847
8848 permit_sasl_authenticated
8849 Permit the request when the client is successfully authenticated
8850 via the RFC 4954 (AUTH) protocol.
8851
8852 permit_tls_all_clientcerts
8853 Permit the request when the remote SMTP client certificate is
8854 verified successfully. This option must be used only if a spe‐
8855 cial CA issues the certificates and only this CA is listed as
8856 trusted CA. Otherwise, clients with a third-party certificate
8857 would also be allowed to relay. Specify "tls_append_default_CA
8858 = no" when the trusted CA is specified with smtpd_tls_CAfile or
8859 smtpd_tls_CApath, to prevent Postfix from appending the sys‐
8860 tem-supplied default CAs. This feature is available with Post‐
8861 fix version 2.2.
8862
8863 permit_tls_clientcerts
8864 Permit the request when the remote SMTP client certificate fin‐
8865 gerprint or public key fingerprint (Postfix 2.9 and later) is
8866 listed in $relay_clientcerts. The fingerprint digest algorithm
8867 is configurable via the smtpd_tls_fingerprint_digest parameter
8868 (hard-coded as md5 prior to Postfix version 2.5). This feature
8869 is available with Postfix version 2.2.
8870
8871 reject_rbl_client rbl_domain=d.d.d.d
8872 Reject the request when the reversed client network address is
8873 listed with the A record "d.d.d.d" under rbl_domain (Postfix
8874 version 2.1 and later only). Each "d" is a number, or a pattern
8875 inside "[]" that contains one or more ";"-separated numbers or
8876 number..number ranges (Postfix version 2.8 and later). If no
8877 "=d.d.d.d" is specified, reject the request when the reversed
8878 client network address is listed with any A record under
8879 rbl_domain.
8880 The maps_rbl_reject_code parameter specifies the response code
8881 for rejected requests (default: 554), the default_rbl_reply
8882 parameter specifies the default server reply, and the
8883 rbl_reply_maps parameter specifies tables with server replies
8884 indexed by rbl_domain. This feature is available in Postfix 2.0
8885 and later.
8886
8887 permit_dnswl_client dnswl_domain=d.d.d.d
8888 Accept the request when the reversed client network address is
8889 listed with the A record "d.d.d.d" under dnswl_domain. Each "d"
8890 is a number, or a pattern inside "[]" that contains one or more
8891 ";"-separated numbers or number..number ranges. If no
8892 "=d.d.d.d" is specified, accept the request when the reversed
8893 client network address is listed with any A record under
8894 dnswl_domain.
8895 For safety, permit_dnswl_client is silently ignored when it
8896 would override reject_unauth_destination. The result is
8897 DEFER_IF_REJECT when whitelist lookup fails. This feature is
8898 available in Postfix 2.8 and later.
8899
8900 reject_rhsbl_client rbl_domain=d.d.d.d
8901 Reject the request when the client hostname is listed with the A
8902 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
8903 only). Each "d" is a number, or a pattern inside "[]" that con‐
8904 tains one or more ";"-separated numbers or number..number ranges
8905 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
8906 reject the request when the client hostname is listed with any A
8907 record under rbl_domain. See the reject_rbl_client description
8908 above for additional RBL related configuration parameters. This
8909 feature is available in Postfix 2.0 and later; with Postfix ver‐
8910 sion 2.8 and later, reject_rhsbl_reverse_client will usually
8911 produce better results.
8912
8913 permit_rhswl_client rhswl_domain=d.d.d.d
8914 Accept the request when the client hostname is listed with the A
8915 record "d.d.d.d" under rhswl_domain. Each "d" is a number, or a
8916 pattern inside "[]" that contains one or more ";"-separated num‐
8917 bers or number..number ranges. If no "=d.d.d.d" is specified,
8918 accept the request when the client hostname is listed with any A
8919 record under rhswl_domain.
8920 Caution: client name whitelisting is fragile, since the client
8921 name lookup can fail due to temporary outages. Client name
8922 whitelisting should be used only to reduce false positives in
8923 e.g. DNS-based blocklists, and not for making access rule
8924 exceptions.
8925 For safety, permit_rhswl_client is silently ignored when it
8926 would override reject_unauth_destination. The result is
8927 DEFER_IF_REJECT when whitelist lookup fails. This feature is
8928 available in Postfix 2.8 and later.
8929
8930 reject_rhsbl_reverse_client rbl_domain=d.d.d.d
8931 Reject the request when the unverified reverse client hostname
8932 is listed with the A record "d.d.d.d" under rbl_domain. Each
8933 "d" is a number, or a pattern inside "[]" that contains one or
8934 more ";"-separated numbers or number..number ranges. If no
8935 "=d.d.d.d" is specified, reject the request when the unverified
8936 reverse client hostname is listed with any A record under
8937 rbl_domain. See the reject_rbl_client description above for
8938 additional RBL related configuration parameters. This feature
8939 is available in Postfix 2.8 and later.
8940
8941 reject_unknown_client_hostname (with Postfix < 2.3:
8942 reject_unknown_client)
8943 Reject the request when 1) the client IP address->name mapping
8944 fails, or 2) the name->address mapping fails, or 3) the
8945 name->address mapping does not match the client IP address.
8946 This is a stronger restriction than the
8947 reject_unknown_reverse_client_hostname feature, which triggers
8948 only under condition 1) above.
8949 The unknown_client_reject_code parameter specifies the response
8950 code for rejected requests (default: 450). The reply is always
8951 450 in case the address->name or name->address lookup failed due
8952 to a temporary problem.
8953
8954 reject_unknown_reverse_client_hostname
8955 Reject the request when the client IP address has no
8956 address->name mapping.
8957 This is a weaker restriction than the
8958 reject_unknown_client_hostname feature, which requires not only
8959 that the address->name and name->address mappings exist, but
8960 also that the two mappings reproduce the client IP address.
8961 The unknown_client_reject_code parameter specifies the response
8962 code for rejected requests (default: 450). The reply is always
8963 450 in case the address->name lookup failed due to a temporary
8964 problem.
8965 This feature is available in Postfix 2.3 and later.
8966
8967 In addition, you can use any of the following generic restrictions.
8968 These restrictions are applicable in any SMTP command context.
8969
8970 check_policy_service servername
8971 Query the specified policy server. See the SMTPD_POLICY_README
8972 document for details. This feature is available in Postfix 2.1
8973 and later.
8974
8975 defer Defer the request. The client is told to try again later. This
8976 restriction is useful at the end of a restriction list, to make
8977 the default policy explicit.
8978 The defer_code parameter specifies the SMTP server reply code
8979 (default: 450).
8980
8981 defer_if_permit
8982 Defer the request if some later restriction would result in an
8983 explicit or implicit PERMIT action. This is useful when a
8984 blacklisting feature fails due to a temporary problem. This
8985 feature is available in Postfix version 2.1 and later.
8986
8987 defer_if_reject
8988 Defer the request if some later restriction would result in a
8989 REJECT action. This is useful when a whitelisting feature fails
8990 due to a temporary problem. This feature is available in Post‐
8991 fix version 2.1 and later.
8992
8993 permit Permit the request. This restriction is useful at the end of a
8994 restriction list, to make the default policy explicit.
8995
8996 reject_multi_recipient_bounce
8997 Reject the request when the envelope sender is the null address,
8998 and the message has multiple envelope recipients. This usage has
8999 rare but legitimate applications: under certain conditions,
9000 multi-recipient mail that was posted with the DSN option
9001 NOTIFY=NEVER may be forwarded with the null sender address.
9002 Note: this restriction can only work reliably when used in
9003 smtpd_data_restrictions or smtpd_end_of_data_restrictions,
9004 because the total number of recipients is not known at an ear‐
9005 lier stage of the SMTP conversation. Use at the RCPT stage will
9006 only reject the second etc. recipient.
9007 The multi_recipient_bounce_reject_code parameter specifies the
9008 response code for rejected requests (default: 550). This fea‐
9009 ture is available in Postfix 2.1 and later.
9010
9011 reject_plaintext_session
9012 Reject the request when the connection is not encrypted. This
9013 restriction should not be used before the client has had a
9014 chance to negotiate encryption with the AUTH or STARTTLS com‐
9015 mands.
9016 The plaintext_reject_code parameter specifies the response code
9017 for rejected requests (default: 450). This feature is avail‐
9018 able in Postfix 2.3 and later.
9019
9020 reject_unauth_pipelining
9021 Reject the request when the client sends SMTP commands ahead of
9022 time where it is not allowed, or when the client sends SMTP com‐
9023 mands ahead of time without knowing that Postfix actually sup‐
9024 ports ESMTP command pipelining. This stops mail from bulk mail
9025 software that improperly uses ESMTP command pipelining in order
9026 to speed up deliveries.
9027 With Postfix 2.6 and later, the SMTP server sets a per-session
9028 flag whenever it detects illegal pipelining, including pipelined
9029 HELO or EHLO commands. The reject_unauth_pipelining feature sim‐
9030 ply tests whether the flag was set at any point in time during
9031 the session.
9032 With older Postfix versions, reject_unauth_pipelining checks the
9033 current status of the input read queue, and its usage is not
9034 recommended in contexts other than smtpd_data_restrictions.
9035
9036 reject Reject the request. This restriction is useful at the end of a
9037 restriction list, to make the default policy explicit. The
9038 reject_code configuration parameter specifies the response code
9039 for rejected requests (default: 554).
9040
9041 sleep seconds
9042 Pause for the specified number of seconds and proceed with the
9043 next restriction in the list, if any. This may stop zombie mail
9044 when used as:
9045 /etc/postfix/main.cf:
9046 smtpd_client_restrictions =
9047 sleep 1, reject_unauth_pipelining
9048 smtpd_delay_reject = no
9049 This feature is available in Postfix 2.3.
9050
9051 warn_if_reject
9052 A safety net for testing. When "warn_if_reject" is placed before
9053 a reject-type restriction, access table query, or check_pol‐
9054 icy_service query, this logs a "reject_warning" message instead
9055 of rejecting a request (when a reject-type restriction fails due
9056 to a temporary error, this logs a "reject_warning" message for
9057 any implicit "defer_if_permit" actions that would normally pre‐
9058 vent mail from being accepted by some later access restriction).
9059 This feature has no effect on defer_if_reject restrictions.
9060
9061 Other restrictions that are valid in this context:
9062
9063 · SMTP command specific restrictions that are described under the
9064 smtpd_helo_restrictions, smtpd_sender_restrictions or
9065 smtpd_recipient_restrictions parameters. When helo, sender or
9066 recipient restrictions are listed under smtpd_client_restric‐
9067 tions, they have effect only with "smtpd_delay_reject = yes", so
9068 that $smtpd_client_restrictions is evaluated at the time of the
9069 RCPT TO command.
9070
9071 Example:
9072
9073 smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
9074
9076 A mechanism to transform commands from remote SMTP clients. This is a
9077 last-resort tool to work around client commands that break interoper‐
9078 ability with the Postfix SMTP server. Other uses involve fault injec‐
9079 tion to test Postfix's handling of invalid commands.
9080
9081 Specify the name of a "type:table" lookup table. The search string is
9082 the SMTP command as received from the remote SMTP client, except that
9083 initial whitespace and the trailing <CR><LF> are removed. The result
9084 value is executed by the Postfix SMTP server.
9085
9086 There is no need to use smtpd_command_filter for the following cases:
9087
9088 · Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
9089
9090 · Postfix already accepts the correct form "user@[ipaddress]". Use
9091 virtual_alias_maps or canonical_maps to translate these into
9092 domain names if necessary.
9093
9094 · Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
9095 <user@example.com>>". Postfix will ignore the "User Name" part
9096 and deliver to the <user@example.com> address.
9097
9098 Examples of problems that can be solved with the smtpd_command_filter
9099 feature:
9100
9101 /etc/postfix/main.cf:
9102 smtpd_command_filter = pcre:/etc/postfix/command_filter
9103
9104 /etc/postfix/command_filter:
9105 # Work around clients that send malformed HELO commands.
9106 /^HELO\s*$/ HELO domain.invalid
9107
9108 # Work around clients that send empty lines.
9109 /^\s*$/ NOOP
9110
9111 # Work around clients that send RCPT TO:<'user@domain'>.
9112 # WARNING: do not lose the parameters that follow the address.
9113 /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/ $1$2$3
9114
9115 # Append XVERP to MAIL FROM commands to request VERP-style delivery.
9116 # See VERP_README for more information on how to use Postfix VERP.
9117 /^(MAIL FROM:\s*<listname@example\.com>.*)/ $1 XVERP
9118
9119 # Bounce-never mail sink. Use notify_classes=bounce,resource,software
9120 # to send bounced mail to the postmaster (with message body removed).
9121 /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
9122 /^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER
9123
9124 This feature is available in Postfix 2.7.
9125
9127 Optional access restrictions that the Postfix SMTP server applies in
9128 the context of the SMTP DATA command. See SMTPD_ACCESS_README, section
9129 "Delayed evaluation of SMTP access restriction lists" for a discussion
9130 of evaluation context and time.
9131
9132 This feature is available in Postfix 2.0 and later.
9133
9134 Specify a list of restrictions, separated by commas and/or whitespace.
9135 Continue long lines by starting the next line with whitespace.
9136 Restrictions are applied in the order as specified; the first restric‐
9137 tion that matches wins.
9138
9139 The following restrictions are valid in this context:
9140
9141 · Generic restrictions that can be used in any SMTP command con‐
9142 text, described under smtpd_client_restrictions.
9143
9144 · SMTP command specific restrictions described under
9145 smtpd_client_restrictions, smtpd_helo_restrictions,
9146 smtpd_sender_restrictions or smtpd_recipient_restrictions.
9147
9148 · However, no recipient information is available in the case of
9149 multi-recipient mail. Acting on only one recipient would be mis‐
9150 leading, because any decision will affect all recipients
9151 equally. Acting on all recipients would require a possibly very
9152 large amount of memory, and would also be misleading for the
9153 reasons mentioned before.
9154
9155 Examples:
9156
9157 smtpd_data_restrictions = reject_unauth_pipelining
9158 smtpd_data_restrictions = reject_multi_recipient_bounce
9159
9161 Postpone the start of an SMTP mail transaction until a valid RCPT TO
9162 command is received. Specify "no" to create a mail transaction as soon
9163 as the Postfix SMTP server receives a valid MAIL FROM command.
9164
9165 With sites that reject lots of mail, the default setting reduces the
9166 use of disk, CPU and memory resources. The downside is that rejected
9167 recipients are logged with NOQUEUE instead of a mail transaction ID.
9168 This complicates the logfile analysis of multi-recipient mail.
9169
9170 This feature is available in Postfix 2.3 and later.
9171
9173 Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
9174 tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
9175 until the ETRN command before evaluating $smtpd_client_restrictions and
9176 $smtpd_helo_restrictions.
9177
9178 This feature is turned on by default because some clients apparently
9179 mis-behave when the Postfix SMTP server rejects commands before RCPT
9180 TO.
9181
9182 The default setting has one major benefit: it allows Postfix to log
9183 recipient address information when rejecting a client name/address or
9184 sender address, so that it is possible to find out whose mail is being
9185 rejected.
9186
9188 Lookup tables, indexed by the remote SMTP client address, with case
9189 insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
9190 that the Postfix SMTP server will not send in the EHLO response to a
9191 remote SMTP client. See smtpd_discard_ehlo_keywords for details. The
9192 tables are not searched by hostname for robustness reasons.
9193
9194 Specify zero or more "type:name" lookup tables, separated by whitespace
9195 or comma. Tables will be searched in the specified order until a match
9196 is found.
9197
9198 This feature is available in Postfix 2.2 and later.
9199
9201 A case insensitive list of EHLO keywords (pipelining, starttls, auth,
9202 etc.) that the Postfix SMTP server will not send in the EHLO response
9203 to a remote SMTP client.
9204
9205 This feature is available in Postfix 2.2 and later.
9206
9207 Notes:
9208
9209 · Specify the silent-discard pseudo keyword to prevent this action
9210 from being logged.
9211
9212 · Use the smtpd_discard_ehlo_keyword_address_maps feature to dis‐
9213 card EHLO keywords selectively.
9214
9216 Optional filter for Postfix SMTP server DNS lookup results. See
9217 smtp_dns_reply_filter for details including an example.
9218
9219 This feature is available in Postfix 3.0 and later.
9220
9222 Optional access restrictions that the Postfix SMTP server applies in
9223 the context of the SMTP END-OF-DATA command. See SMTPD_ACCESS_README,
9224 section "Delayed evaluation of SMTP access restriction lists" for a
9225 discussion of evaluation context and time.
9226
9227 This feature is available in Postfix 2.2 and later.
9228
9229 See smtpd_data_restrictions for details and limitations.
9230
9232 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
9233 require that clients use TLS encryption. According to RFC 2487 this
9234 MUST NOT be applied in case of a publicly-referenced SMTP server. This
9235 option is therefore off by default.
9236
9237 Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
9238
9239 Note 2: when invoked via "sendmail -bs", Postfix will never offer
9240 STARTTLS due to insufficient privileges to access the server private
9241 key. This is intended behavior.
9242
9243 This feature is available in Postfix 2.2 and later. With Postfix 2.3
9244 and later use smtpd_tls_security_level instead.
9245
9247 With Postfix version 2.1 and later: the SMTP server response delay
9248 after a client has made more than $smtpd_soft_error_limit errors, and
9249 fewer than $smtpd_hard_error_limit errors, without delivering mail.
9250
9251 With Postfix version 2.0 and earlier: the SMTP server delay before
9252 sending a reject (4xx or 5xx) response, when the client has made fewer
9253 than $smtpd_soft_error_limit errors without delivering mail.
9254
9256 Optional restrictions that the Postfix SMTP server applies in the con‐
9257 text of a client ETRN command. See SMTPD_ACCESS_README, section
9258 "Delayed evaluation of SMTP access restriction lists" for a discussion
9259 of evaluation context and time.
9260
9261 The Postfix ETRN implementation accepts only destinations that are eli‐
9262 gible for the Postfix "fast flush" service. See the ETRN_README file
9263 for details.
9264
9265 Specify a list of restrictions, separated by commas and/or whitespace.
9266 Continue long lines by starting the next line with whitespace.
9267 Restrictions are applied in the order as specified; the first restric‐
9268 tion that matches wins.
9269
9270 The following restrictions are specific to the domain name information
9271 received with the ETRN command.
9272
9273 check_etrn_access type:table
9274 Search the specified access database for the ETRN domain name or
9275 its parent domains. See the access(5) manual page for details.
9276
9277 Other restrictions that are valid in this context:
9278
9279 · Generic restrictions that can be used in any SMTP command con‐
9280 text, described under smtpd_client_restrictions.
9281
9282 · SMTP command specific restrictions described under
9283 smtpd_client_restrictions and smtpd_helo_restrictions.
9284
9285 Example:
9286
9287 smtpd_etrn_restrictions = permit_mynetworks, reject
9288
9290 What characters are allowed in $name expansions of RBL reply templates.
9291 Characters not in the allowed set are replaced by "_". Use C like
9292 escapes to specify special characters such as whitespace.
9293
9294 The smtpd_expansion_filter value is not subject to Postfix configura‐
9295 tion parameter $name expansion.
9296
9297 This feature is available in Postfix 2.0 and later.
9298
9300 List of commands that cause the Postfix SMTP server to immediately ter‐
9301 minate the session with a 221 code. This can be used to disconnect
9302 clients that obviously attempt to abuse the system. In addition to the
9303 commands listed in this parameter, commands that follow the "Label:"
9304 format of message headers will also cause a disconnect.
9305
9306 This feature is available in Postfix 2.2 and later.
9307
9309 The maximal number of errors a remote SMTP client is allowed to make
9310 without delivering mail. The Postfix SMTP server disconnects when the
9311 limit is exceeded. Normally the default limit is 20, but it changes
9312 under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
9313 always allows up to 20 errors by default.
9314
9316 Require that a remote SMTP client introduces itself with the HELO or
9317 EHLO command before sending the MAIL command or other commands that
9318 require EHLO negotiation.
9319
9320 Example:
9321
9322 smtpd_helo_required = yes
9323
9325 Optional restrictions that the Postfix SMTP server applies in the con‐
9326 text of a client HELO command. See SMTPD_ACCESS_README, section
9327 "Delayed evaluation of SMTP access restriction lists" for a discussion
9328 of evaluation context and time.
9329
9330 The default is to permit everything.
9331
9332 Note: specify "smtpd_helo_required = yes" to fully enforce this
9333 restriction (without "smtpd_helo_required = yes", a client can simply
9334 skip smtpd_helo_restrictions by not sending HELO or EHLO).
9335
9336 Specify a list of restrictions, separated by commas and/or whitespace.
9337 Continue long lines by starting the next line with whitespace.
9338 Restrictions are applied in the order as specified; the first restric‐
9339 tion that matches wins.
9340
9341 The following restrictions are specific to the hostname information
9342 received with the HELO or EHLO command.
9343
9344 check_helo_access type:table
9345 Search the specified access(5) database for the HELO or EHLO
9346 hostname or parent domains, and execute the corresponding
9347 action. Note: specify "smtpd_helo_required = yes" to fully
9348 enforce this restriction (without "smtpd_helo_required = yes", a
9349 client can simply skip check_helo_access by not sending HELO or
9350 EHLO).
9351
9352 check_helo_a_access type:table
9353 Search the specified access(5) database for the IP addresses for
9354 the HELO or EHLO hostname, and execute the corresponding action.
9355 Note 1: a result of "OK" is not allowed for safety reasons.
9356 Instead, use DUNNO in order to exclude specific hosts from
9357 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9358 fully enforce this restriction (without "smtpd_helo_required =
9359 yes", a client can simply skip check_helo_a_access by not send‐
9360 ing HELO or EHLO). This feature is available in Postfix 3.0 and
9361 later.
9362
9363 check_helo_mx_access type:table
9364 Search the specified access(5) database for the MX hosts for the
9365 HELO or EHLO hostname, and execute the corresponding action.
9366 Note 1: a result of "OK" is not allowed for safety reasons.
9367 Instead, use DUNNO in order to exclude specific hosts from
9368 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9369 fully enforce this restriction (without "smtpd_helo_required =
9370 yes", a client can simply skip check_helo_mx_access by not send‐
9371 ing HELO or EHLO). This feature is available in Postfix 2.1 and
9372 later.
9373
9374 check_helo_ns_access type:table
9375 Search the specified access(5) database for the DNS servers for
9376 the HELO or EHLO hostname, and execute the corresponding action.
9377 Note 1: a result of "OK" is not allowed for safety reasons.
9378 Instead, use DUNNO in order to exclude specific hosts from
9379 blacklists. Note 2: specify "smtpd_helo_required = yes" to
9380 fully enforce this restriction (without "smtpd_helo_required =
9381 yes", a client can simply skip check_helo_ns_access by not send‐
9382 ing HELO or EHLO). This feature is available in Postfix 2.1 and
9383 later.
9384
9385 reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_host‐
9386 name)
9387 Reject the request when the HELO or EHLO hostname is malformed.
9388 Note: specify "smtpd_helo_required = yes" to fully enforce this
9389 restriction (without "smtpd_helo_required = yes", a client can
9390 simply skip reject_invalid_helo_hostname by not sending HELO or
9391 EHLO).
9392 The invalid_hostname_reject_code specifies the response code for
9393 rejected requests (default: 501).
9394
9395 reject_non_fqdn_helo_hostname (with Postfix < 2.3:
9396 reject_non_fqdn_hostname)
9397 Reject the request when the HELO or EHLO hostname is not in
9398 fully-qualified domain or address literal form, as required by
9399 the RFC. Note: specify "smtpd_helo_required = yes" to fully
9400 enforce this restriction (without "smtpd_helo_required = yes", a
9401 client can simply skip reject_non_fqdn_helo_hostname by not
9402 sending HELO or EHLO).
9403 The non_fqdn_reject_code parameter specifies the response code
9404 for rejected requests (default: 504).
9405
9406 reject_rhsbl_helo rbl_domain=d.d.d.d
9407 Reject the request when the HELO or EHLO hostname is listed with
9408 the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
9409 later only). Each "d" is a number, or a pattern inside "[]"
9410 that contains one or more ";"-separated numbers or number..num‐
9411 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
9412 specified, reject the request when the HELO or EHLO hostname is
9413 listed with any A record under rbl_domain. See the
9414 reject_rbl_client description for additional RBL related config‐
9415 uration parameters. Note: specify "smtpd_helo_required = yes"
9416 to fully enforce this restriction (without "smtpd_helo_required
9417 = yes", a client can simply skip reject_rhsbl_helo by not send‐
9418 ing HELO or EHLO). This feature is available in Postfix 2.0 and
9419 later.
9420
9421 reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_host‐
9422 name)
9423 Reject the request when the HELO or EHLO hostname has no DNS A
9424 or MX record.
9425 The reply is specified with the unknown_hostname_reject_code
9426 parameter (default: 450) or unknown_helo_hostname_temp‐
9427 fail_action (default: defer_if_permit). See the respective
9428 parameter descriptions for details.
9429 Note: specify "smtpd_helo_required = yes" to fully enforce this
9430 restriction (without "smtpd_helo_required = yes", a client can
9431 simply skip reject_unknown_helo_hostname by not sending HELO or
9432 EHLO).
9433
9434 Other restrictions that are valid in this context:
9435
9436 · Generic restrictions that can be used in any SMTP command con‐
9437 text, described under smtpd_client_restrictions.
9438
9439 · Client hostname or network address specific restrictions
9440 described under smtpd_client_restrictions.
9441
9442 · SMTP command specific restrictions described under
9443 smtpd_sender_restrictions or smtpd_recipient_restrictions. When
9444 sender or recipient restrictions are listed under
9445 smtpd_helo_restrictions, they have effect only with
9446 "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions is
9447 evaluated at the time of the RCPT TO command.
9448
9449 Examples:
9450
9451 smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
9452 smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
9453
9455 The maximal number of lines in the Postfix SMTP server command history
9456 before it is flushed upon receipt of EHLO, RSET, or end of DATA.
9457
9459 The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
9460 SMTP client can send before the Postfix SMTP server starts to increment
9461 the error counter with each junk command. The junk command count is
9462 reset after mail is delivered. See also the smtpd_error_sleep_time and
9463 smtpd_soft_error_limit configuration parameters. Normally the default
9464 limit is 100, but it changes under overload to just 1. With Postfix 2.5
9465 and earlier, the SMTP server always allows up to 100 junk commands by
9466 default.
9467
9469 Enable logging of the named "permit" actions in SMTP server access
9470 lists (by default, the SMTP server logs "reject" actions but not "per‐
9471 mit" actions). This feature does not affect conditional actions such
9472 as "defer_if_permit".
9473
9474 Specify a list of "permit" action names, "/file/name" or "type:table"
9475 patterns, separated by commas and/or whitespace. The list is matched
9476 left to right, and the search stops on the first match. A "/file/name"
9477 pattern is replaced by its contents; a "type:table" lookup table is
9478 matched when a name matches a lookup key (the lookup result is
9479 ignored). Continue long lines by starting the next line with white‐
9480 space. Specify "!pattern" to exclude a name from the list.
9481
9482 Examples:
9483
9484 /etc/postfix/main.cf:
9485 # Log all "permit" actions.
9486 smtpd_log_access_permit_actions = static:all
9487
9488 /etc/postfix/main.cf:
9489 # Log "permit_dnswl_client" only.
9490 smtpd_log_access_permit_actions = permit_dnswl_client
9491
9492 This feature is available in Postfix 2.10 and later.
9493
9495 Lookup tables with Milter settings per remote SMTP client IP address.
9496 The lookup result overrides the smtpd_milters setting, and has the same
9497 syntax.
9498
9499 Note: lookup tables cannot return empty responses. Specify a lookup
9500 result of DISABLE (case does not matter) to indicate that Milter sup‐
9501 port should be disabled.
9502
9503 Example to disable Milters for local clients:
9504
9505 /etc/postfix/main.cf:
9506 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
9507 smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
9508
9509 /etc/postfix/smtpd_milter_map:
9510 # Disable Milters for local clients.
9511 127.0.0.0/8 DISABLE
9512 192.168.0.0/16 DISABLE
9513 ::/64 DISABLE
9514 2001:db8::/32 DISABLE
9515
9516 This feature is available in Postfix 3.2 and later.
9517
9519 A list of Milter (mail filter) applications for new mail that arrives
9520 via the Postfix smtpd(8) server. Specify space or comma as separator.
9521 See the MILTER_README document for details.
9522
9523 This feature is available in Postfix 2.3 and later.
9524
9526 List of commands that the Postfix SMTP server replies to with "250 Ok",
9527 without doing any syntax checks and without changing state. This list
9528 overrides any commands built into the Postfix SMTP server.
9529
9531 The lookup key to be used in SMTP access(5) tables instead of the null
9532 sender address.
9533
9535 Attempt to look up the remote SMTP client hostname, and verify that the
9536 name matches the client IP address. A client name is set to "unknown"
9537 when it cannot be looked up or verified, or when name lookup is dis‐
9538 abled. Turning off name lookup reduces delays due to DNS lookup and
9539 increases the maximal inbound delivery rate.
9540
9541 This feature is available in Postfix 2.3 and later.
9542
9544 Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
9545 time limits, from a time limit per read or write system call, to a time
9546 limit to send or receive a complete record (an SMTP command line, SMTP
9547 response line, SMTP message content line, or TLS protocol message).
9548 This limits the impact from hostile peers that trickle data one byte at
9549 a time.
9550
9551 Note: when per-record deadlines are enabled, a short timeout may cause
9552 problems with TLS over very slow network connections. The reasons are
9553 that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
9554 and that an entire TLS protocol message must be sent or received within
9555 the per-record deadline.
9556
9557 This feature is available in Postfix 2.9 and later. With older Postfix
9558 releases, the behavior is as if this parameter is set to "no".
9559
9561 problem)
9562 The default action when an SMTPD policy service request fails. Specify
9563 "DUNNO" to behave as if the failed SMTPD policy service request was
9564 not sent, and to continue processing other access restrictions, if any.
9565
9566 Limitations:
9567
9568 · This parameter may specify any value that would be a valid SMTPD
9569 policy server response (or access(5) map lookup result). An
9570 access(5) map or policy server in this parameter value may need
9571 to be declared in advance with a restriction_class setting.
9572
9573 · If the specified action invokes another check_policy_service
9574 request, that request will have the built-in default action.
9575
9576 This feature is available in Postfix 3.0 and later.
9577
9579 The time after which an idle SMTPD policy service connection is closed.
9580
9581 This feature is available in Postfix 2.1 and later.
9582
9584 The time after which an active SMTPD policy service connection is
9585 closed.
9586
9587 This feature is available in Postfix 2.1 and later.
9588
9590 Optional information that the Postfix SMTP server specifies in the
9591 "policy_context" attribute of a policy service request (originally, to
9592 share the same service endpoint among multiple check_policy_service
9593 clients).
9594
9595 This feature is available in Postfix 3.1 and later.
9596
9598 The maximal number of requests per SMTPD policy service connection, or
9599 zero (no limit). Once a connection reaches this limit, the connection
9600 is closed and the next request will be sent over a new connection. This
9601 is a workaround to avoid error-recovery delays with policy servers that
9602 cannot maintain a persistent connection.
9603
9604 This feature is available in Postfix 3.0 and later.
9605
9607 The delay between attempts to resend a failed SMTPD policy service
9608 request. Specify a value greater than zero.
9609
9610 This feature is available in Postfix 3.0 and later.
9611
9613 The time limit for connecting to, writing to, or receiving from a dele‐
9614 gated SMTPD policy server.
9615
9616 This feature is available in Postfix 2.1 and later.
9617
9619 The maximal number of attempts to send an SMTPD policy service request
9620 before giving up. Specify a value greater than zero.
9621
9622 This feature is available in Postfix 3.0 and later.
9623
9625 How the Postfix SMTP server announces itself to the proxy filter. By
9626 default, the Postfix hostname is used.
9627
9628 This feature is available in Postfix 2.1 and later.
9629
9631 The hostname and TCP port of the mail filtering proxy server. The
9632 proxy receives all mail from the Postfix SMTP server, and is supposed
9633 to give the result to another Postfix SMTP server process.
9634
9635 Specify "host:port" or "inet:host:port" for a TCP endpoint, or
9636 "unix:pathname" for a UNIX-domain endpoint. The host can be specified
9637 as an IP address or as a symbolic name; no MX lookups are done. When
9638 no "host" or "host:" are specified, the local machine is assumed.
9639 Pathname interpretation is relative to the Postfix queue directory.
9640
9641 This feature is available in Postfix 2.1 and later.
9642
9643 The "inet:" and "unix:" prefixes are available in Postfix 2.3 and
9644 later.
9645
9647 List of options that control how the Postfix SMTP server communicates
9648 with a before-queue content filter. Specify zero or more of the follow‐
9649 ing, separated by comma or whitespace.
9650
9651 speed_adjust
9652 Do not connect to a before-queue content filter until an entire
9653 message has been received. This reduces the number of simultane‐
9654 ous before-queue content filter processes.
9655
9656 NOTE 1: A filter must not selectively reject recipients of a
9657 multi-recipient message. Rejecting all recipients is OK, as is accept‐
9658 ing all recipients.
9659
9660 NOTE 2: This feature increases the minimum amount of free queue space
9661 by $message_size_limit. The extra space is needed to save the message
9662 to a temporary file.
9663
9664 This feature is available in Postfix 2.7 and later.
9665
9667 The time limit for connecting to a proxy filter and for sending or
9668 receiving information. When a connection fails the client gets a
9669 generic error message while more detailed information is logged to the
9670 maillog file.
9671
9672 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
9673 The default time unit is s (seconds).
9674
9675 This feature is available in Postfix 2.1 and later.
9676
9678 The maximal number of recipients that the Postfix SMTP server accepts
9679 per message delivery request.
9680
9682 The number of recipients that a remote SMTP client can send in excess
9683 of the limit specified with $smtpd_recipient_limit, before the Postfix
9684 SMTP server increments the per-session error count for each excess
9685 recipient.
9686
9688 Optional restrictions that the Postfix SMTP server applies in the con‐
9689 text of a client RCPT TO command, after smtpd_relay_restrictions. See
9690 SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
9691 restriction lists" for a discussion of evaluation context and time.
9692
9693 With Postfix versions before 2.10, the rules for relay permission and
9694 spam blocking were combined under smtpd_recipient_restrictions, result‐
9695 ing in error-prone configuration. As of Postfix 2.10, relay permission
9696 rules are preferably implemented with smtpd_relay_restrictions, so that
9697 a permissive spam blocking policy under smtpd_recipient_restrictions
9698 will no longer result in a permissive mail relay policy.
9699
9700 For backwards compatibility, sites that migrate from Postfix versions
9701 before 2.10 can set smtpd_relay_restrictions to the empty value, and
9702 use smtpd_recipient_restrictions exactly as before.
9703
9704 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
9705 ent_restrictions parameter must specify at least one of the following
9706 restrictions. Otherwise Postfix will refuse to receive mail:
9707
9708 reject, reject_unauth_destination
9709
9710 defer, defer_if_permit, defer_unauth_destination
9711
9712 Specify a list of restrictions, separated by commas and/or whitespace.
9713 Continue long lines by starting the next line with whitespace.
9714 Restrictions are applied in the order as specified; the first restric‐
9715 tion that matches wins.
9716
9717 The following restrictions are specific to the recipient address that
9718 is received with the RCPT TO command.
9719
9720 check_recipient_access type:table
9721 Search the specified access(5) database for the resolved RCPT TO
9722 address, domain, parent domains, or localpart@, and execute the
9723 corresponding action.
9724
9725 check_recipient_a_access type:table
9726 Search the specified access(5) database for the IP addresses for
9727 the RCPT TO domain, and execute the corresponding action. Note:
9728 a result of "OK" is not allowed for safety reasons. Instead, use
9729 DUNNO in order to exclude specific hosts from blacklists. This
9730 feature is available in Postfix 3.0 and later.
9731
9732 check_recipient_mx_access type:table
9733 Search the specified access(5) database for the MX hosts for the
9734 RCPT TO domain, and execute the corresponding action. Note: a
9735 result of "OK" is not allowed for safety reasons. Instead, use
9736 DUNNO in order to exclude specific hosts from blacklists. This
9737 feature is available in Postfix 2.1 and later.
9738
9739 check_recipient_ns_access type:table
9740 Search the specified access(5) database for the DNS servers for
9741 the RCPT TO domain, and execute the corresponding action. Note:
9742 a result of "OK" is not allowed for safety reasons. Instead, use
9743 DUNNO in order to exclude specific hosts from blacklists. This
9744 feature is available in Postfix 2.1 and later.
9745
9746 permit_auth_destination
9747 Permit the request when one of the following is true:
9748
9749 · Postfix is mail forwarder: the resolved RCPT TO domain matches
9750 $relay_domains or a subdomain thereof, and the address contains
9751 no sender-specified routing (user@elsewhere@domain),
9752
9753 · Postfix is the final destination: the resolved RCPT TO domain
9754 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9755 $virtual_alias_domains, or $virtual_mailbox_domains, and the
9756 address contains no sender-specified routing (user@else‐
9757 where@domain).
9758
9759 permit_mx_backup
9760 Permit the request when the local mail system is backup MX for
9761 the RCPT TO domain, or when the domain is an authorized destina‐
9762 tion (see permit_auth_destination for definition).
9763
9764 · Safety: permit_mx_backup does not accept addresses that have
9765 sender-specified routing information (example: user@else‐
9766 where@domain).
9767
9768 · Safety: permit_mx_backup can be vulnerable to mis-use when
9769 access is not restricted with permit_mx_backup_networks.
9770
9771 · Safety: as of Postfix version 2.3, permit_mx_backup no longer
9772 accepts the address when the local mail system is primary MX for
9773 the recipient domain. Exception: permit_mx_backup accepts the
9774 address when it specifies an authorized destination (see per‐
9775 mit_auth_destination for definition).
9776
9777 · Limitation: mail may be rejected in case of a temporary DNS
9778 lookup problem with Postfix prior to version 2.0.
9779
9780 reject_non_fqdn_recipient
9781 Reject the request when the RCPT TO address specifies a domain
9782 that is not in fully-qualified domain form, as required by the
9783 RFC.
9784 The non_fqdn_reject_code parameter specifies the response code
9785 for rejected requests (default: 504).
9786
9787 reject_rhsbl_recipient rbl_domain=d.d.d.d
9788 Reject the request when the RCPT TO domain is listed with the A
9789 record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
9790 only). Each "d" is a number, or a pattern inside "[]" that con‐
9791 tains one or more ";"-separated numbers or number..number ranges
9792 (Postfix version 2.8 and later). If no "=d.d.d.d" is specified,
9793 reject the request when the RCPT TO domain is listed with any A
9794 record under rbl_domain.
9795 The maps_rbl_reject_code parameter specifies the response code
9796 for rejected requests (default: 554); the default_rbl_reply
9797 parameter specifies the default server reply; and the
9798 rbl_reply_maps parameter specifies tables with server replies
9799 indexed by rbl_domain. This feature is available in Postfix
9800 version 2.0 and later.
9801
9802 reject_unauth_destination
9803 Reject the request unless one of the following is true:
9804
9805 · Postfix is mail forwarder: the resolved RCPT TO domain matches
9806 $relay_domains or a subdomain thereof, and contains no
9807 sender-specified routing (user@elsewhere@domain),
9808
9809 · Postfix is the final destination: the resolved RCPT TO domain
9810 matches $mydestination, $inet_interfaces, $proxy_interfaces,
9811 $virtual_alias_domains, or $virtual_mailbox_domains, and con‐
9812 tains no sender-specified routing (user@elsewhere@domain).
9813 The relay_domains_reject_code parameter specifies the response
9814 code for rejected requests (default: 554).
9815
9816 defer_unauth_destination
9817 Reject the same requests as reject_unauth_destination, with a
9818 non-permanent error code. This feature is available in Postfix
9819 2.10 and later.
9820
9821 reject_unknown_recipient_domain
9822 Reject the request when Postfix is not final destination for the
9823 recipient domain, and the RCPT TO domain has 1) no DNS MX and no
9824 DNS A record or 2) a malformed MX record such as a record with a
9825 zero-length MX hostname (Postfix version 2.3 and later).
9826 The reply is specified with the unknown_address_reject_code
9827 parameter (default: 450), unknown_address_tempfail_action
9828 (default: defer_if_permit), or 556 (nullmx, Postfix 3.0 and
9829 later). See the respective parameter descriptions for details.
9830
9831 reject_unlisted_recipient (with Postfix version 2.0: check_recipi‐
9832 ent_maps)
9833 Reject the request when the RCPT TO address is not listed in the
9834 list of valid recipients for its domain class. See the
9835 smtpd_reject_unlisted_recipient parameter description for
9836 details. This feature is available in Postfix 2.1 and later.
9837
9838 reject_unverified_recipient
9839 Reject the request when mail to the RCPT TO address is known to
9840 bounce, or when the recipient address destination is not reach‐
9841 able. Address verification information is managed by the ver‐
9842 ify(8) server; see the ADDRESS_VERIFICATION_README file for
9843 details.
9844 The unverified_recipient_reject_code parameter specifies the
9845 numerical response code when an address is known to bounce
9846 (default: 450, change into 550 when you are confident that it is
9847 safe to do so).
9848 The unverified_recipient_defer_code parameter specifies the
9849 numerical response code when an address probe failed due to a
9850 temporary problem (default: 450).
9851 The unverified_recipient_tempfail_action parameter specifies the
9852 action after address probe failure due to a temporary problem
9853 (default: defer_if_permit).
9854 This feature breaks for aliased addresses with "enable_origi‐
9855 nal_recipient = no" (Postfix <= 3.2).
9856 This feature is available in Postfix 2.1 and later.
9857
9858 Other restrictions that are valid in this context:
9859
9860 · Generic restrictions that can be used in any SMTP command con‐
9861 text, described under smtpd_client_restrictions.
9862
9863 · SMTP command specific restrictions described under
9864 smtpd_client_restrictions, smtpd_helo_restrictions and
9865 smtpd_sender_restrictions.
9866
9867 Example:
9868
9869 # The Postfix before 2.10 default mail relay policy. Later Postfix
9870 # versions implement this preferably with smtpd_relay_restrictions.
9871 smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
9872
9874 Optional information that is appended after each Postfix SMTP server
9875 4XX or 5XX response.
9876
9877 The following example uses "\c" at the start of the template (supported
9878 in Postfix 2.10 and later) to suppress the line break between the reply
9879 text and the footer text. With earlier Postfix versions, the footer
9880 text always begins on a new line, and the "\c" is output literally.
9881
9882 /etc/postfix/main.cf:
9883 smtpd_reject_footer = \c. For assistance, call 800-555-0101.
9884 Please provide the following information in your problem report:
9885 time ($localtime), client ($client_address) and server
9886 ($server_name).
9887
9888 Server response:
9889
9890 550-5.5.1 <user@example> Recipient address rejected: User
9891 unknown. For assistance, call 800-555-0101. Please provide the
9892 following information in your problem report: time (Jan 4 15:42:00),
9893 client (192.168.1.248) and server (mail1.example.com).
9894
9895 Note: the above text is meant to make it easier to find the Postfix
9896 logfile records for a failed SMTP session. The text itself is not
9897 logged to the Postfix SMTP server's maillog file.
9898
9899 Be sure to keep the text as short as possible. Long text may be trun‐
9900 cated before it is logged to the remote SMTP client's maillog file, or
9901 before it is returned to the sender in a delivery status notification.
9902
9903 The template text is not subject to Postfix configuration parameter
9904 $name expansion. Instead, this feature supports a limited number of
9905 $name attributes in the footer text. These attributes are replaced with
9906 their current value for the SMTP session.
9907
9908 Note: specify $$name in footer text that is looked up from regexp: or
9909 pcre:-based smtpd_reject_footer_maps, otherwise the Postfix server will
9910 not use the footer text and will log a warning instead.
9911
9912 client_address
9913 The Client IP address that is logged in the maillog file.
9914
9915 client_port
9916 The client TCP port that is logged in the maillog file.
9917
9918 localtime
9919 The server local time (Mmm dd hh:mm:ss) that is logged in the
9920 maillog file.
9921
9922 server_name
9923 The server's myhostname value. This attribute is made available
9924 for sites with multiple MTAs (perhaps behind a load-balancer),
9925 where the server name can help the server support team to
9926 quickly find the right log files.
9927
9928 Notes:
9929
9930 · NOT SUPPORTED are other attributes such as sender, recipient, or
9931 main.cf parameters.
9932
9933 · For safety reasons, text that does not match $smtpd_expan‐
9934 sion_filter is censored.
9935
9936 This feature supports the two-character sequence \n as a request for a
9937 line break in the footer text. Postfix automatically inserts after each
9938 line break the three-digit SMTP reply code (and optional enhanced sta‐
9939 tus code) from the original Postfix reject message.
9940
9941 To work around mail software that mis-handles multi-line replies, spec‐
9942 ify the two-character sequence \c at the start of the template. This
9943 suppresses the line break between the reply text and the footer text
9944 (Postfix 2.10 and later).
9945
9946 This feature is available in Postfix 2.8 and later.
9947
9949 Lookup tables, indexed by the complete Postfix SMTP server 4xx or 5xx
9950 response, with reject footer templates. See smtpd_reject_footer for
9951 details.
9952
9953 Specify zero or more "type:name" lookup tables, separated by whitespace
9954 or comma. Tables will be searched in the specified order until a match
9955 is found.
9956
9957 This feature is available in Postfix 3.4 and later.
9958
9960 Request that the Postfix SMTP server rejects mail for unknown recipient
9961 addresses, even when no explicit reject_unlisted_recipient access
9962 restriction is specified. This prevents the Postfix queue from filling
9963 up with undeliverable MAILER-DAEMON messages.
9964
9965 An address is always considered "known" when it matches a virtual(5)
9966 alias or a canonical(5) mapping.
9967
9968 · The recipient domain matches $mydestination, $inet_interfaces or
9969 $proxy_interfaces, but the recipient is not listed in
9970 $local_recipient_maps, and $local_recipient_maps is not null.
9971
9972 · The recipient domain matches $virtual_alias_domains but the
9973 recipient is not listed in $virtual_alias_maps.
9974
9975 · The recipient domain matches $virtual_mailbox_domains but the
9976 recipient is not listed in $virtual_mailbox_maps, and $vir‐
9977 tual_mailbox_maps is not null.
9978
9979 · The recipient domain matches $relay_domains but the recipient is
9980 not listed in $relay_recipient_maps, and $relay_recipient_maps
9981 is not null.
9982
9983 This feature is available in Postfix 2.1 and later.
9984
9986 Request that the Postfix SMTP server rejects mail from unknown sender
9987 addresses, even when no explicit reject_unlisted_sender access restric‐
9988 tion is specified. This can slow down an explosion of forged mail from
9989 worms or viruses.
9990
9991 An address is always considered "known" when it matches a virtual(5)
9992 alias or a canonical(5) mapping.
9993
9994 · The sender domain matches $mydestination, $inet_interfaces or
9995 $proxy_interfaces, but the sender is not listed in $local_recip‐
9996 ient_maps, and $local_recipient_maps is not null.
9997
9998 · The sender domain matches $virtual_alias_domains but the sender
9999 is not listed in $virtual_alias_maps.
10000
10001 · The sender domain matches $virtual_mailbox_domains but the
10002 sender is not listed in $virtual_mailbox_maps, and $vir‐
10003 tual_mailbox_maps is not null.
10004
10005 · The sender domain matches $relay_domains but the sender is not
10006 listed in $relay_recipient_maps, and $relay_recipient_maps is
10007 not null.
10008
10009 This feature is available in Postfix 2.1 and later.
10010
10012 cated, defer_unauth_destination)
10013 Access restrictions for mail relay control that the Postfix SMTP server
10014 applies in the context of the RCPT TO command, before smtpd_recipi‐
10015 ent_restrictions. See SMTPD_ACCESS_README, section "Delayed evaluation
10016 of SMTP access restriction lists" for a discussion of evaluation con‐
10017 text and time.
10018
10019 With Postfix versions before 2.10, the rules for relay permission and
10020 spam blocking were combined under smtpd_recipient_restrictions, result‐
10021 ing in error-prone configuration. As of Postfix 2.10, relay permission
10022 rules are preferably implemented with smtpd_relay_restrictions, so that
10023 a permissive spam blocking policy under smtpd_recipient_restrictions
10024 will no longer result in a permissive mail relay policy.
10025
10026 For backwards compatibility, sites that migrate from Postfix versions
10027 before 2.10 can set smtpd_relay_restrictions to the empty value, and
10028 use smtpd_recipient_restrictions exactly as before.
10029
10030 By default, the Postfix SMTP server accepts:
10031
10032 · Mail from clients whose IP address matches $mynetworks, or:
10033
10034 · Mail to remote destinations that match $relay_domains, except
10035 for addresses that contain sender-specified routing (user@else‐
10036 where@domain), or:
10037
10038 · Mail to local destinations that match $inet_interfaces or
10039 $proxy_interfaces, $mydestination, $virtual_alias_domains, or
10040 $virtual_mailbox_domains.
10041
10042 IMPORTANT: Either the smtpd_relay_restrictions or the smtpd_recipi‐
10043 ent_restrictions parameter must specify at least one of the following
10044 restrictions. Otherwise Postfix will refuse to receive mail:
10045
10046 reject, reject_unauth_destination
10047
10048 defer, defer_if_permit, defer_unauth_destination
10049
10050 Specify a list of restrictions, separated by commas and/or whitespace.
10051 Continue long lines by starting the next line with whitespace. The
10052 same restrictions are available as documented under smtpd_recipi‐
10053 ent_restrictions.
10054
10055 This feature is available in Postix 2.10 and later.
10056
10058 User-defined aliases for groups of access restrictions. The aliases can
10059 be specified in smtpd_recipient_restrictions etc., and on the
10060 right-hand side of a Postfix access(5) table.
10061
10062 One major application is for implementing per-recipient UCE control.
10063 See the RESTRICTION_CLASS_README document for other examples.
10064
10066 The application name that the Postfix SMTP server uses for SASL server
10067 initialization. This controls the name of the SASL configuration file.
10068 The default value is smtpd, corresponding to a SASL configuration file
10069 named smtpd.conf.
10070
10071 This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
10072 was renamed to smtpd_sasl_path.
10073
10075 Enable SASL authentication in the Postfix SMTP server. By default, the
10076 Postfix SMTP server does not use authentication.
10077
10078 If a remote SMTP client is authenticated, the permit_sasl_authenticated
10079 access restriction can be used to permit relay access, like this:
10080
10081 # With Postfix 2.10 and later, the mail relay policy is
10082 # preferably specified under smtpd_relay_restrictions.
10083 smtpd_relay_restrictions =
10084 permit_mynetworks, permit_sasl_authenticated, ...
10085
10086 # With Postfix before 2.10, the relay policy can be
10087 # specified only under smtpd_recipient_restrictions.
10088 smtpd_recipient_restrictions =
10089 permit_mynetworks, permit_sasl_authenticated, ...
10090
10091 To reject all SMTP connections from unauthenticated clients, specify
10092 "smtpd_delay_reject = yes" (which is the default) and use:
10093
10094 smtpd_client_restrictions = permit_sasl_authenticated, reject
10095
10096 See the SASL_README file for SASL configuration and operation details.
10097
10099 Report the SASL authenticated user name in the smtpd(8) Received mes‐
10100 sage header.
10101
10102 This feature is available in Postfix 2.3 and later.
10103
10105 What remote SMTP clients the Postfix SMTP server will not offer AUTH
10106 support to.
10107
10108 Some clients (Netscape 4 at least) have a bug that causes them to
10109 require a login and password whenever AUTH is offered, whether it's
10110 necessary or not. To work around this, specify, for example, $mynet‐
10111 works to prevent Postfix from offering AUTH to local clients.
10112
10113 Specify a list of network/netmask patterns, separated by commas and/or
10114 whitespace. The mask specifies the number of bits in the network part
10115 of a host address. You can also "/file/name" or "type:table" patterns.
10116 A "/file/name" pattern is replaced by its contents; a "type:table"
10117 lookup table is matched when a table entry matches a lookup string (the
10118 lookup result is ignored). Continue long lines by starting the next
10119 line with whitespace. Specify "!pattern" to exclude an address or net‐
10120 work block from the list. The form "!/file/name" is supported only in
10121 Postfix version 2.4 and later.
10122
10123 Note: IP version 6 address information must be specified inside [] in
10124 the smtpd_sasl_exceptions_networks value, and in files specified with
10125 "/file/name". IP version 6 addresses contain the ":" character, and
10126 would otherwise be confused with a "type:table" pattern.
10127
10128 Example:
10129
10130 smtpd_sasl_exceptions_networks = $mynetworks
10131
10132 This feature is available in Postfix 2.1 and later.
10133
10135 The name of the Postfix SMTP server's local SASL authentication realm.
10136
10137 By default, the local authentication realm name is the null string.
10138
10139 Examples:
10140
10141 smtpd_sasl_local_domain = $mydomain
10142 smtpd_sasl_local_domain = $myhostname
10143
10145 Implementation-specific information that the Postfix SMTP server passes
10146 through to the SASL plug-in implementation that is selected with
10147 smtpd_sasl_type. Typically this specifies the name of a configuration
10148 file or rendezvous point.
10149
10150 This feature is available in Postfix 2.3 and later. In earlier releases
10151 it was called smtpd_sasl_application_name.
10152
10154 The maximum length of a SASL client's response to a server challenge.
10155 When the client's "initial response" is longer than the normal limit
10156 for SMTP commands, the client must omit its initial response, and wait
10157 for an empty server challenge; it can then send what would have been
10158 its "initial response" as a response to the empty server challenge.
10159 RFC4954 requires the server to accept client responses up to at least
10160 12288 octets of base64-encoded text. The default value is therefore
10161 also the minimum value accepted for this parameter.
10162
10163 This feature is available in Postfix 3.4 and later. Prior versions use
10164 "line_length_limit", which may need to be raised to accommodate larger
10165 client responses, as may be needed with GSSAPI authentication of Win‐
10166 dows AD users who are members of many groups.
10167
10169 Postfix SMTP server SASL security options; as of Postfix 2.3 the list
10170 of available features depends on the SASL server implementation that is
10171 selected with smtpd_sasl_type.
10172
10173 The following security features are defined for the cyrus server SASL
10174 implementation:
10175
10176 Restrict what authentication mechanisms the Postfix SMTP server will
10177 offer to the client. The list of available authentication mechanisms
10178 is system dependent.
10179
10180 Specify zero or more of the following:
10181
10182 noplaintext
10183 Disallow methods that use plaintext passwords.
10184
10185 noactive
10186 Disallow methods subject to active (non-dictionary) attack.
10187
10188 nodictionary
10189 Disallow methods subject to passive (dictionary) attack.
10190
10191 noanonymous
10192 Disallow methods that allow anonymous authentication.
10193
10194 forward_secrecy
10195 Only allow methods that support forward secrecy (Dovecot only).
10196
10197 mutual_auth
10198 Only allow methods that provide mutual authentication (not
10199 available with Cyrus SASL version 1).
10200
10201 By default, the Postfix SMTP server accepts plaintext passwords but not
10202 anonymous logins.
10203
10204 Warning: it appears that clients try authentication methods in the
10205 order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
10206 which means that if you disable plaintext passwords, clients will log
10207 in anonymously, even when they should be able to use CRAM-MD5. So, if
10208 you disable plaintext logins, disable anonymous logins too. Postfix
10209 treats anonymous login as no authentication.
10210
10211 Example:
10212
10213 smtpd_sasl_security_options = noanonymous, noplaintext
10214
10216 The service name that is passed to the SASL plug-in that is selected
10217 with smtpd_sasl_type and smtpd_sasl_path.
10218
10219 This feature is available in Postfix 2.11 and later. Prior versions
10220 behave as if "smtp" is specified.
10221
10223 The SASL authentication security options that the Postfix SMTP server
10224 uses for TLS encrypted SMTP sessions.
10225
10226 This feature is available in Postfix 2.2 and later.
10227
10229 The SASL plug-in type that the Postfix SMTP server should use for
10230 authentication. The available types are listed with the "postconf -a"
10231 command.
10232
10233 This feature is available in Postfix 2.3 and later.
10234
10236 Optional lookup table with the SASL login names that own the sender
10237 (MAIL FROM) addresses.
10238
10239 Specify zero or more "type:name" lookup tables, separated by whitespace
10240 or comma. Tables will be searched in the specified order until a match
10241 is found. With lookups from indexed files such as DB or DBM, or from
10242 networked tables such as NIS, LDAP or SQL, the following search opera‐
10243 tions are done with a sender address of user@domain:
10244
10245 1) user@domain
10246 This table lookup is always done and has the highest precedence.
10247
10248 2) user
10249 This table lookup is done only when the domain part of the
10250 sender address matches $myorigin, $mydestination, $inet_inter‐
10251 faces or $proxy_interfaces.
10252
10253 3) @domain
10254 This table lookup is done last and has the lowest precedence.
10255
10256 In all cases the result of table lookup must be either "not found" or a
10257 list of SASL login names separated by comma and/or whitespace.
10258
10260 Optional restrictions that the Postfix SMTP server applies in the con‐
10261 text of a client MAIL FROM command. See SMTPD_ACCESS_README, section
10262 "Delayed evaluation of SMTP access restriction lists" for a discussion
10263 of evaluation context and time.
10264
10265 The default is to permit everything.
10266
10267 Specify a list of restrictions, separated by commas and/or whitespace.
10268 Continue long lines by starting the next line with whitespace.
10269 Restrictions are applied in the order as specified; the first restric‐
10270 tion that matches wins.
10271
10272 The following restrictions are specific to the sender address received
10273 with the MAIL FROM command.
10274
10275 check_sender_access type:table
10276 Search the specified access(5) database for the MAIL FROM
10277 address, domain, parent domains, or localpart@, and execute the
10278 corresponding action.
10279
10280 check_sender_a_access type:table
10281 Search the specified access(5) database for the IP addresses for
10282 the MAIL FROM domain, and execute the corresponding action.
10283 Note: a result of "OK" is not allowed for safety reasons.
10284 Instead, use DUNNO in order to exclude specific hosts from
10285 blacklists. This feature is available in Postfix 3.0 and later.
10286
10287 check_sender_mx_access type:table
10288 Search the specified access(5) database for the MX hosts for the
10289 MAIL FROM domain, and execute the corresponding action. Note: a
10290 result of "OK" is not allowed for safety reasons. Instead, use
10291 DUNNO in order to exclude specific hosts from blacklists. This
10292 feature is available in Postfix 2.1 and later.
10293
10294 check_sender_ns_access type:table
10295 Search the specified access(5) database for the DNS servers for
10296 the MAIL FROM domain, and execute the corresponding action.
10297 Note: a result of "OK" is not allowed for safety reasons.
10298 Instead, use DUNNO in order to exclude specific hosts from
10299 blacklists. This feature is available in Postfix 2.1 and later.
10300
10301 reject_authenticated_sender_login_mismatch
10302 Enforces the reject_sender_login_mismatch restriction for
10303 authenticated clients only. This feature is available in Postfix
10304 version 2.1 and later.
10305
10306 reject_known_sender_login_mismatch
10307 Apply the reject_sender_login_mismatch restriction only to MAIL
10308 FROM addresses that are known in $smtpd_sender_login_maps. This
10309 feature is available in Postfix version 2.11 and later.
10310
10311 reject_non_fqdn_sender
10312 Reject the request when the MAIL FROM address specifies a domain
10313 that is not in fully-qualified domain form as required by the
10314 RFC.
10315 The non_fqdn_reject_code parameter specifies the response code
10316 for rejected requests (default: 504).
10317
10318 reject_rhsbl_sender rbl_domain=d.d.d.d
10319 Reject the request when the MAIL FROM domain is listed with the
10320 A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
10321 later only). Each "d" is a number, or a pattern inside "[]"
10322 that contains one or more ";"-separated numbers or number..num‐
10323 ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
10324 specified, reject the request when the MAIL FROM domain is
10325 listed with any A record under rbl_domain.
10326 The maps_rbl_reject_code parameter specifies the response code
10327 for rejected requests (default: 554); the default_rbl_reply
10328 parameter specifies the default server reply; and the
10329 rbl_reply_maps parameter specifies tables with server replies
10330 indexed by rbl_domain. This feature is available in Postfix 2.0
10331 and later.
10332
10333 reject_sender_login_mismatch
10334 Reject the request when $smtpd_sender_login_maps specifies an
10335 owner for the MAIL FROM address, but the client is not (SASL)
10336 logged in as that MAIL FROM address owner; or when the client is
10337 (SASL) logged in, but the client login name doesn't own the MAIL
10338 FROM address according to $smtpd_sender_login_maps.
10339
10340 reject_unauthenticated_sender_login_mismatch
10341 Enforces the reject_sender_login_mismatch restriction for unau‐
10342 thenticated clients only. This feature is available in Postfix
10343 version 2.1 and later.
10344
10345 reject_unknown_sender_domain
10346 Reject the request when Postfix is not final destination for the
10347 sender address, and the MAIL FROM domain has 1) no DNS MX and no
10348 DNS A record, or 2) a malformed MX record such as a record with
10349 a zero-length MX hostname (Postfix version 2.3 and later).
10350 The reply is specified with the unknown_address_reject_code
10351 parameter (default: 450), unknown_address_tempfail_action
10352 (default: defer_if_permit), or 550 (nullmx, Postfix 3.0 and
10353 later). See the respective parameter descriptions for details.
10354
10355 reject_unlisted_sender
10356 Reject the request when the MAIL FROM address is not listed in
10357 the list of valid recipients for its domain class. See the
10358 smtpd_reject_unlisted_sender parameter description for details.
10359 This feature is available in Postfix 2.1 and later.
10360
10361 reject_unverified_sender
10362 Reject the request when mail to the MAIL FROM address is known
10363 to bounce, or when the sender address destination is not reach‐
10364 able. Address verification information is managed by the ver‐
10365 ify(8) server; see the ADDRESS_VERIFICATION_README file for
10366 details.
10367 The unverified_sender_reject_code parameter specifies the numer‐
10368 ical response code when an address is known to bounce (default:
10369 450, change into 550 when you are confident that it is safe to
10370 do so).
10371 The unverified_sender_defer_code specifies the numerical
10372 response code when an address probe failed due to a temporary
10373 problem (default: 450).
10374 The unverified_sender_tempfail_action parameter specifies the
10375 action after address probe failure due to a temporary problem
10376 (default: defer_if_permit).
10377 This feature breaks for aliased addresses with "enable_origi‐
10378 nal_recipient = no" (Postfix <= 3.2).
10379 This feature is available in Postfix 2.1 and later.
10380
10381 Other restrictions that are valid in this context:
10382
10383 · Generic restrictions that can be used in any SMTP command con‐
10384 text, described under smtpd_client_restrictions.
10385
10386 · SMTP command specific restrictions described under
10387 smtpd_client_restrictions and smtpd_helo_restrictions.
10388
10389 · SMTP command specific restrictions described under smtpd_recipi‐
10390 ent_restrictions. When recipient restrictions are listed under
10391 smtpd_sender_restrictions, they have effect only with
10392 "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions
10393 is evaluated at the time of the RCPT TO command.
10394
10395 Examples:
10396
10397 smtpd_sender_restrictions = reject_unknown_sender_domain
10398 smtpd_sender_restrictions = reject_unknown_sender_domain,
10399 check_sender_access hash:/etc/postfix/access
10400
10402 The internal service that postscreen(8) hands off allowed connections
10403 to. In a future version there may be different classes of SMTP service.
10404
10405 This feature is available in Postfix 2.8.
10406
10408 The number of errors a remote SMTP client is allowed to make without
10409 delivering mail before the Postfix SMTP server slows down all its
10410 responses.
10411
10412 · With Postfix version 2.1 and later, the Postfix SMTP server
10413 delays all responses by $smtpd_error_sleep_time seconds.
10414
10415 · With Postfix versions 2.0 and earlier, the Postfix SMTP server
10416 delays all responses by (number of errors) seconds.
10417
10419 The time limit for Postfix SMTP server write and read operations during
10420 TLS startup and shutdown handshake procedures. The current default
10421 value is stress-dependent. Before Postfix version 2.8, it was fixed at
10422 300s.
10423
10424 This feature is available in Postfix 2.2 and later.
10425
10427 The time limit for sending a Postfix SMTP server response and for
10428 receiving a remote SMTP client request. Normally the default limit is
10429 300s, but it changes under overload to just 10s. With Postfix 2.5 and
10430 earlier, the SMTP server always uses a time limit of 300s by default.
10431
10432 Note: if you set SMTP time limits to very large values you may have to
10433 update the global ipc_timeout parameter.
10434
10435 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
10436 The default time unit is s (seconds).
10437
10439 A file containing (PEM format) CA certificates of root CAs trusted to
10440 sign either remote SMTP client certificates or intermediate CA certifi‐
10441 cates. These are loaded into memory before the smtpd(8) server enters
10442 the chroot jail. If the number of trusted roots is large, consider
10443 using smtpd_tls_CApath instead, but note that the latter directory must
10444 be present in the chroot jail if the smtpd(8) server is chrooted. This
10445 file may also be used to augment the server certificate trust chain,
10446 but it is best to include all the required certificates directly in the
10447 server certificate file.
10448
10449 Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY the
10450 system-supplied default Certification Authority certificates.
10451
10452 Specify "tls_append_default_CA = no" to prevent Postfix from appending
10453 the system-supplied default CAs and trusting third-party certificates.
10454
10455 By default (see smtpd_tls_ask_ccert), client certificates are not
10456 requested, and smtpd_tls_CAfile should remain empty. If you do make use
10457 of client certificates, the distinguished names (DNs) of the Certifica‐
10458 tion Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
10459 client in the client certificate request message. MUAs with multiple
10460 client certificates may use the list of preferred Certification Author‐
10461 ities to select the correct client certificate. You may want to put
10462 your "preferred" CA or CAs in this file, and install other trusted CAs
10463 in $smtpd_tls_CApath.
10464
10465 Example:
10466
10467 smtpd_tls_CAfile = /etc/postfix/CAcert.pem
10468
10469 This feature is available in Postfix 2.2 and later.
10470
10472 A directory containing (PEM format) CA certificates of root CAs trusted
10473 to sign either remote SMTP client certificates or intermediate CA cer‐
10474 tificates. Do not forget to create the necessary "hash" links with, for
10475 example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
10476 smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
10477 inside the chroot jail.
10478
10479 Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to use ONLY
10480 the system-supplied default Certification Authority certificates.
10481
10482 Specify "tls_append_default_CA = no" to prevent Postfix from appending
10483 the system-supplied default CAs and trusting third-party certificates.
10484
10485 By default (see smtpd_tls_ask_ccert), client certificates are not
10486 requested, and smtpd_tls_CApath should remain empty. In contrast to
10487 smtpd_tls_CAfile, DNs of Certification Authorities installed in
10488 $smtpd_tls_CApath are not included in the client certificate request
10489 message. MUAs with multiple client certificates may use the list of
10490 preferred Certification Authorities to select the correct client cer‐
10491 tificate. You may want to put your "preferred" CA or CAs in
10492 $smtpd_tls_CAfile, and install the remaining trusted CAs in
10493 $smtpd_tls_CApath.
10494
10495 Example:
10496
10497 smtpd_tls_CApath = /etc/postfix/certs
10498
10499 This feature is available in Postfix 2.2 and later.
10500
10502 Force the Postfix SMTP server to issue a TLS session id, even when TLS
10503 session caching is turned off (smtpd_tls_session_cache_database is
10504 empty). This behavior is compatible with Postfix < 2.3.
10505
10506 With Postfix 2.3 and later the Postfix SMTP server can disable session
10507 id generation when TLS session caching is turned off. This keeps remote
10508 SMTP clients from caching sessions that almost certainly cannot be
10509 re-used.
10510
10511 By default, the Postfix SMTP server always generates TLS session ids.
10512 This works around a known defect in mail client applications such as MS
10513 Outlook, and may also prevent interoperability issues with other MTAs.
10514
10515 Example:
10516
10517 smtpd_tls_always_issue_session_ids = no
10518
10519 This feature is available in Postfix 2.3 and later.
10520
10522 Ask a remote SMTP client for a client certificate. This information is
10523 needed for certificate based mail relaying with, for example, the per‐
10524 mit_tls_clientcerts feature.
10525
10526 Some clients such as Netscape will either complain if no certificate is
10527 available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
10528 tiple client certificates to choose from. This may be annoying, so this
10529 option is "off" by default.
10530
10531 This feature is available in Postfix 2.2 and later.
10532
10534 When TLS encryption is optional in the Postfix SMTP server, do not
10535 announce or accept SASL authentication over unencrypted connections.
10536
10537 This feature is available in Postfix 2.2 and later.
10538
10540 The verification depth for remote SMTP client certificates. A depth of
10541 1 is sufficient if the issuing CA is listed in a local CA file.
10542
10543 The default verification depth is 9 (the OpenSSL default) for compati‐
10544 bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
10545 value was 5, but the limit was not actually enforced. If you have set
10546 this to a lower non-default value, certificates with longer trust
10547 chains may now fail to verify. Certificate chains with 1 or 2 CAs are
10548 common, deeper chains are more rare and any number between 5 and 9
10549 should suffice in practice. You can choose a lower number if, for exam‐
10550 ple, you trust certificates directly signed by an issuing CA but not
10551 any CAs it delegates to.
10552
10553 This feature is available in Postfix 2.2 and later.
10554
10556 File with the Postfix SMTP server RSA certificate in PEM format. This
10557 file may also contain the Postfix SMTP server private RSA key. With
10558 Postfix >= 3.4 the preferred way to configure server keys and certifi‐
10559 cates is via the "smtpd_tls_chain_files" parameter.
10560
10561 Public Internet MX hosts without certificates signed by a "reputable"
10562 CA must generate, and be prepared to present to most clients, a
10563 self-signed or private-CA signed certificate. The client will not be
10564 able to authenticate the server, but unless it is running Postfix 2.3
10565 or similar software, it will still insist on a server certificate.
10566
10567 For servers that are not public Internet MX hosts, Postfix supports
10568 configurations with no certificates. This entails the use of just the
10569 anonymous TLS ciphers, which are not supported by typical SMTP clients.
10570 Since some clients may not fall back to plain text after a TLS hand‐
10571 shake failure, a certificate-less Postfix SMTP server will be unable to
10572 receive email from some TLS-enabled clients. To avoid accidental con‐
10573 figurations with no certificates, Postfix enables certificate-less
10574 operation only when the administrator explicitly sets
10575 "smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server
10576 configurations will not accidentally enable TLS without certificates.
10577
10578 Note that server certificates are not optional in TLS 1.3. To run with‐
10579 out certificates you'd have to disable the TLS 1.3 protocol by includ‐
10580 ing '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also
10581 "smtpd_tls_mandatory_protocols". It is simpler instead to just config‐
10582 ure a certificate chain. Certificate-less operation is not recom‐
10583 mended.
10584
10585 Both RSA and DSA certificates are supported. When both types are
10586 present, the cipher used determines which certificate will be presented
10587 to the client. For Netscape and OpenSSL clients without special cipher
10588 choices the RSA certificate is preferred.
10589
10590 To enable a remote SMTP client to verify the Postfix SMTP server cer‐
10591 tificate, the issuing CA certificates must be made available to the
10592 client. You should include the required certificates in the server cer‐
10593 tificate file, the server certificate first, then the issuing CA(s)
10594 (bottom-up order).
10595
10596 Example: the certificate for "server.example.com" was issued by "inter‐
10597 mediate CA" which itself has a certificate of "root CA". Create the
10598 server.pem file with "cat server_cert.pem intermediate_CA.pem
10599 root_CA.pem > server.pem".
10600
10601 If you also want to verify client certificates issued by these CAs, you
10602 can add the CA certificates to the smtpd_tls_CAfile, in which case it
10603 is not necessary to have them in the smtpd_tls_cert_file,
10604 smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.
10605
10606 A certificate supplied here must be usable as an SSL server certificate
10607 and hence pass the "openssl verify -purpose sslserver ..." test.
10608
10609 Example:
10610
10611 smtpd_tls_cert_file = /etc/postfix/server.pem
10612
10613 This feature is available in Postfix 2.2 and later.
10614
10616 List of one or more PEM files, each holding one or more private keys
10617 directly followed by a corresponding certificate chain. The file names
10618 are separated by commas and/or whitespace. This parameter obsoletes
10619 the legacy algorithm-specific key and certificate file settings. When
10620 this parameter is non-empty, the legacy parameters are ignored, and a
10621 warning is logged if any are also non-empty.
10622
10623 With the proliferation of multiple private key algorithms-which, as of
10624 OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448-it
10625 is increasingly impractical to use separate parameters to configure the
10626 key and certificate chain for each algorithm. Therefore, Postfix now
10627 supports storing multiple keys and corresponding certificate chains in
10628 a single file or in a set of files.
10629
10630 Each key must appear immediately before the corresponding certificate,
10631 optionally followed by additional issuer certificates that complete the
10632 certificate chain for that key. When multiple files are specified,
10633 they are equivalent to a single file that is concatenated from those
10634 files in the given order. Thus, while a key must always precede its
10635 certificate and issuer chain, it can be in a separate file, so long as
10636 that file is listed immediately before the file that holds the corre‐
10637 sponding certificate chain. Once all the files are concatenated, the
10638 sequence of PEM objects must be: key1, cert1, [chain1], key2, cert2,
10639 [chain2], ..., keyN, certN, [chainN].
10640
10641 Storing the private key in the same file as the corresponding certifi‐
10642 cate is more reliable. With the key and certificate in separate files,
10643 there is a chance that during key rollover a Postfix process might load
10644 a private key and certificate from separate files that don't match.
10645 Various operational errors may even result in a persistent broken con‐
10646 figuration in which the certificate does not match the private key.
10647
10648 The file or files must contain at most one key of each type. If, for
10649 example, two or more RSA keys and corresponding chains are listed,
10650 depending on the version of OpenSSL either only the last one will be
10651 used or an configuration error may be detected. Note that while
10652 "Ed25519" and "Ed448" are considered separate algorithms, the various
10653 ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
10654 considered as different parameters of a single "ECDSA" algorithm, so it
10655 is not presently possible to configure keys for more than one ECDSA
10656 curve.
10657
10658 RSA is still the most widely supported algorithm. Presently (late
10659 2018), ECDSA support is common, but not yet universal, and Ed25519 and
10660 Ed448 support is mostly absent. Therefore, an RSA key should generally
10661 be configured, along with any additional keys for the other algorithms
10662 when desired.
10663
10664 Example (separate files for each key and corresponding certificate
10665 chain):
10666
10667 /etc/postfix/main.cf:
10668 smtpd_tls_chain_files =
10669 ${config_directory}/ed25519.pem,
10670 ${config_directory}/ed448.pem,
10671 ${config_directory}/rsa.pem
10672
10673 /etc/postfix/ed25519.pem:
10674 -----BEGIN PRIVATE KEY-----
10675 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
10676 -----END PRIVATE KEY-----
10677 -----BEGIN CERTIFICATE-----
10678 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
10679 ...
10680 nC0egv51YPDWxEHom4QA
10681 -----END CERTIFICATE-----
10682
10683 /etc/postfix/ed448.pem:
10684 -----BEGIN PRIVATE KEY-----
10685 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
10686 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
10687 -----END PRIVATE KEY-----
10688 -----BEGIN CERTIFICATE-----
10689 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
10690 ...
10691 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
10692 -----END CERTIFICATE-----
10693
10694 /etc/postfix/rsa.pem:
10695 -----BEGIN PRIVATE KEY-----
10696 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
10697 ...
10698 ahQkZ3+krcaJvDSMgvu0tDc=
10699 -----END PRIVATE KEY-----
10700 -----BEGIN CERTIFICATE-----
10701 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
10702 ...
10703 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
10704 -----END CERTIFICATE-----
10705
10706 Example (all keys and certificates in a single file):
10707
10708 /etc/postfix/main.cf:
10709 smtpd_tls_chain_files = ${config_directory}/chains.pem
10710
10711 /etc/postfix/chains.pem:
10712 -----BEGIN PRIVATE KEY-----
10713 MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
10714 -----END PRIVATE KEY-----
10715 -----BEGIN CERTIFICATE-----
10716 MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
10717 ...
10718 nC0egv51YPDWxEHom4QA
10719 -----END CERTIFICATE-----
10720 -----BEGIN PRIVATE KEY-----
10721 MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
10722 LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
10723 -----END PRIVATE KEY-----
10724 -----BEGIN CERTIFICATE-----
10725 MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
10726 ...
10727 pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
10728 -----END CERTIFICATE-----
10729 -----BEGIN PRIVATE KEY-----
10730 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
10731 ...
10732 ahQkZ3+krcaJvDSMgvu0tDc=
10733 -----END PRIVATE KEY-----
10734 -----BEGIN CERTIFICATE-----
10735 MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
10736 ...
10737 Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
10738 -----END CERTIFICATE-----
10739
10740 This feature is available in Postfix 3.4 and later.
10741
10743 Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
10744 list. It is easy to create interoperability problems by choosing a
10745 non-default cipher list. Do not use a non-default TLS cipherlist for MX
10746 hosts on the public Internet. Clients that begin the TLS handshake, but
10747 are unable to agree on a common cipher, may not be able to send any
10748 email to the SMTP server. Using a restricted cipher list may be more
10749 appropriate for a dedicated MSA or an internal mailhub, where one can
10750 exert some control over the TLS software and settings of the connecting
10751 clients.
10752
10753 Note: do not use "" quotes around the parameter value.
10754
10755 This feature is available with Postfix version 2.2. It is not used with
10756 Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
10757
10759 The minimum TLS cipher grade that the Postfix SMTP server will use with
10760 opportunistic TLS encryption. Cipher types listed in
10761 smtpd_tls_exclude_ciphers are excluded from the base definition of the
10762 selected cipher grade. The default value is "medium" for Postfix
10763 releases after the middle of 2015, "export" for older releases.
10764
10765 When TLS is mandatory the cipher grade is chosen via the
10766 smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
10767 tax details.
10768
10769 This feature is available in Postfix 2.6 and later. With earlier Post‐
10770 fix releases only the smtpd_tls_mandatory_ciphers parameter is imple‐
10771 mented, and opportunistic TLS always uses "export" or better (i.e. all)
10772 ciphers.
10773
10775 File with the Postfix SMTP server DSA certificate in PEM format. This
10776 file may also contain the Postfix SMTP server private DSA key. The DSA
10777 algorithm is obsolete and should not be used.
10778
10779 See the discussion under smtpd_tls_cert_file for more details.
10780
10781 Example:
10782
10783 smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
10784
10785 This feature is available in Postfix 2.2 and later.
10786
10788 File with DH parameters that the Postfix SMTP server should use with
10789 non-export EDH ciphers.
10790
10791 Instead of using the exact same parameter sets as distributed with
10792 other TLS packages, it is more secure to generate your own set of
10793 parameters with something like the following commands:
10794
10795 openssl dhparam -out /etc/postfix/dh512.pem 512
10796 openssl dhparam -out /etc/postfix/dh1024.pem 1024
10797 openssl dhparam -out /etc/postfix/dh2048.pem 2048
10798
10799 It is safe to share the same DH parameters between multiple Postfix
10800 instances. If you prefer, you can generate separate parameters for
10801 each instance.
10802
10803 If you want to take maximal advantage of ciphers that offer forward
10804 secrecy see the Getting started section of FORWARD_SECRECY_README. The
10805 full document conveniently presents all information about Postfix "per‐
10806 fect" forward secrecy support in one place: what forward secrecy is,
10807 how to tweak settings, and what you can expect to see when Postfix uses
10808 ciphers with forward secrecy.
10809
10810 Example:
10811
10812 smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
10813
10814 This feature is available with Postfix version 2.2.
10815
10817 File with DH parameters that the Postfix SMTP server should use with
10818 export-grade EDH ciphers. The default SMTP server cipher grade is
10819 "medium" with Postfix releases after the middle of 2015, and as a
10820 result export-grade cipher suites are by default not used.
10821
10822 See also the discussion under the smtpd_tls_dh1024_param_file configu‐
10823 ration parameter.
10824
10825 Example:
10826
10827 smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
10828
10829 This feature is available with Postfix version 2.2.
10830
10832 File with the Postfix SMTP server DSA private key in PEM format. This
10833 file may be combined with the Postfix SMTP server DSA certificate file
10834 specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete and
10835 should not be used.
10836
10837 The private key must be accessible without a pass-phrase, i.e. it must
10838 not be encrypted. File permissions should grant read-only access to the
10839 system superuser account ("root"), and no access to anyone else.
10840
10841 This feature is available in Postfix 2.2 and later.
10842
10844 File with the Postfix SMTP server ECDSA certificate in PEM format.
10845 This file may also contain the Postfix SMTP server private ECDSA key.
10846 With Postfix >= 3.4 the preferred way to configure server keys and cer‐
10847 tificates is via the "smtpd_tls_chain_files" parameter.
10848
10849 See the discussion under smtpd_tls_cert_file for more details.
10850
10851 Example:
10852
10853 smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
10854
10855 This feature is available in Postfix 2.6 and later, when Postfix is
10856 compiled and linked with OpenSSL 1.0.0 or later.
10857
10859 File with the Postfix SMTP server ECDSA private key in PEM format.
10860 This file may be combined with the Postfix SMTP server ECDSA certifi‐
10861 cate file specified with $smtpd_tls_eccert_file. With Postfix >= 3.4
10862 the preferred way to configure server keys and certificates is via the
10863 "smtpd_tls_chain_files" parameter.
10864
10865 The private key must be accessible without a pass-phrase, i.e. it must
10866 not be encrypted. File permissions should grant read-only access to the
10867 system superuser account ("root"), and no access to anyone else.
10868
10869 This feature is available in Postfix 2.6 and later, when Postfix is
10870 compiled and linked with OpenSSL 1.0.0 or later.
10871
10873 The Postfix SMTP server security grade for ephemeral elliptic-curve
10874 Diffie-Hellman (EECDH) key exchange.
10875
10876 The available choices are:
10877
10878 none Don't use EECDH. Ciphers based on EECDH key exchange will be
10879 disabled. This is the default in Postfix versions 2.6 and 2.7.
10880
10881 strong Use EECDH with approximately 128 bits of security at a reason‐
10882 able computational cost. This is the current best-practice
10883 trade-off between security and computational efficiency. This is
10884 the default in Postfix version 2.8 and later.
10885
10886 ultra Use EECDH with approximately 192 bits of security at computa‐
10887 tional cost that is approximately twice as high as 128 bit
10888 strength ECC. Barring significant progress in attacks on ellip‐
10889 tic curve crypto-systems, the "strong" curve is sufficient for
10890 most users.
10891
10892 auto Use the most preferred curve that is supported by both the
10893 client and the server. This setting requires Postfix >= 3.2
10894 compiled and linked with OpenSSL >= 1.0.2. This is the default
10895 setting under the above conditions.
10896
10897 If you want to take maximal advantage of ciphers that offer forward
10898 secrecy see the Getting started section of FORWARD_SECRECY_README. The
10899 full document conveniently presents all information about Postfix "per‐
10900 fect" forward secrecy support in one place: what forward secrecy is,
10901 how to tweak settings, and what you can expect to see when Postfix uses
10902 ciphers with forward secrecy.
10903
10904 This feature is available in Postfix 2.6 and later, when it is compiled
10905 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
10906 have not been disabled by the vendor.
10907
10909 List of ciphers or cipher types to exclude from the SMTP server cipher
10910 list at all TLS security levels. Excluding valid ciphers can create
10911 interoperability problems. DO NOT exclude ciphers unless it is essen‐
10912 tial to do so. This is not an OpenSSL cipherlist; it is a simple list
10913 separated by whitespace and/or commas. The elements are a single
10914 cipher, or one or more "+" separated cipher properties, in which case
10915 only ciphers matching all the properties are excluded.
10916
10917 Examples (some of these will cause problems):
10918
10919 smtpd_tls_exclude_ciphers = aNULL
10920 smtpd_tls_exclude_ciphers = MD5, DES
10921 smtpd_tls_exclude_ciphers = DES+MD5
10922 smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
10923 smtpd_tls_exclude_ciphers = kEDH+aRSA
10924
10925 The first setting disables anonymous ciphers. The next setting disables
10926 ciphers that use the MD5 digest algorithm or the (single) DES encryp‐
10927 tion algorithm. The next setting disables ciphers that use MD5 and DES
10928 together. The next setting disables the two ciphers "AES256-SHA" and
10929 "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" key
10930 exchange with RSA authentication.
10931
10932 This feature is available in Postfix 2.3 and later.
10933
10935 The message digest algorithm to construct remote SMTP client-certifi‐
10936 cate fingerprints or public key fingerprints (Postfix 2.9 and later)
10937 for check_ccert_access and permit_tls_clientcerts. The default algo‐
10938 rithm is md5, for backwards compatibility with Postfix releases prior
10939 to 2.5.
10940
10941 Advances in hash function cryptanalysis have led to md5 being depre‐
10942 cated in favor of sha1. However, as long as there are no known "second
10943 pre-image" attacks against md5, its use in this context can still be
10944 considered safe.
10945
10946 While additional digest algorithms are often available with OpenSSL's
10947 libcrypto, only those used by libssl in SSL cipher suites are available
10948 to Postfix.
10949
10950 To find the fingerprint of a specific certificate file, with a specific
10951 digest algorithm, run:
10952
10953 $ openssl x509 -noout -fingerprint -digest -in certfile.pem
10954
10955 The text to the right of "=" sign is the desired fingerprint. For
10956 example:
10957
10958 $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
10959 SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
10960
10961 To extract the public key fingerprint from an X.509 certificate, you
10962 need to extract the public key from the certificate and compute the
10963 appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
10964 key" option of the "x509" command extracts the public key always in
10965 "PEM" format. We pipe the result to another OpenSSL command that con‐
10966 verts the key to DER and then to the "dgst" command to compute the fin‐
10967 gerprint.
10968
10969 The actual command to transform the key to DER format depends on the
10970 version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
10971 mand supports all key types. With OpenSSL 0.9.8 and earlier, the key
10972 type is always RSA (nobody uses DSA, and EC keys are not fully sup‐
10973 ported by 0.9.8), so the "rsa" command is used.
10974
10975 # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
10976 $ openssl x509 -in cert.pem -noout -pubkey |
10977 openssl pkey -pubin -outform DER |
10978 openssl dgst -sha1 -c
10979 (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
10980
10981 # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
10982 $ openssl x509 -in cert.pem -noout -pubkey |
10983 openssl rsa -pubin -outform DER |
10984 openssl dgst -md5 -c
10985 (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
10986
10987 The Postfix SMTP server and client log the peer (leaf) certificate fin‐
10988 gerprint and public key fingerprint when the TLS loglevel is 2 or
10989 higher.
10990
10991 Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incor‐
10992 rectly. To use public-key fingerprints, upgrade to Postfix 2.9.6 or
10993 later.
10994
10995 Example: client-certificate access table, with sha1 fingerprints:
10996
10997 /etc/postfix/main.cf:
10998 smtpd_tls_fingerprint_digest = sha1
10999 smtpd_client_restrictions =
11000 check_ccert_access hash:/etc/postfix/access,
11001 reject
11002 /etc/postfix/access:
11003 # Action folded to next line...
11004 AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
11005 OK
11006 85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
11007 permit_auth_destination
11008
11009 This feature is available in Postfix 2.5 and later.
11010
11012 File with the Postfix SMTP server RSA private key in PEM format. This
11013 file may be combined with the Postfix SMTP server RSA certificate file
11014 specified with $smtpd_tls_cert_file. With Postfix >= 3.4 the preferred
11015 way to configure server keys and certificates is via the
11016 "smtpd_tls_chain_files" parameter.
11017
11018 The private key must be accessible without a pass-phrase, i.e. it must
11019 not be encrypted. File permissions should grant read-only access to the
11020 system superuser account ("root"), and no access to anyone else.
11021
11023 Enable additional Postfix SMTP server logging of TLS activity. Each
11024 logging level also includes the information that is logged at a lower
11025 logging level.
11026
11027 0 Disable logging of TLS activity.
11028
11029 1 Log only a summary message on TLS handshake completion - no
11030 logging of client certificate trust-chain verification errors if
11031 client certificate verification is not required. With Postfix
11032 2.8 and earlier, log the summary message, peer certificate sum‐
11033 mary information and unconditionally log trust-chain verifica‐
11034 tion errors.
11035
11036 2 Also log levels during TLS negotiation.
11037
11038 3 Also log hexadecimal and ASCII dump of TLS negotiation
11039 process.
11040
11041 4 Also log hexadecimal and ASCII dump of complete transmission
11042 after STARTTLS.
11043
11044 Do not use "smtpd_tls_loglevel = 2" or higher except in case of prob‐
11045 lems. Use of loglevel 4 is strongly discouraged.
11046
11047 This feature is available in Postfix 2.2 and later.
11048
11050 The minimum TLS cipher grade that the Postfix SMTP server will use with
11051 mandatory TLS encryption. The default grade ("medium") is sufficiently
11052 strong that any benefit from globally restricting TLS sessions to a
11053 more stringent grade is likely negligible, especially given the fact
11054 that many implementations still do not offer any stronger ("high"
11055 grade) ciphers, while those that do, will always use "high" grade
11056 ciphers. So insisting on "high" grade ciphers is generally counter-pro‐
11057 ductive. Allowing "export" or "low" ciphers is typically not a good
11058 idea, as systems limited to just these are limited to obsolete
11059 browsers. No known SMTP clients fail to support at least one "medium"
11060 or "high" grade cipher.
11061
11062 The following cipher grades are supported:
11063
11064 export Enable "EXPORT" grade or stronger OpenSSL ciphers. The underly‐
11065 ing cipherlist is specified via the tls_export_cipherlist con‐
11066 figuration parameter, which you are strongly encouraged to not
11067 change. This choice is insecure and SHOULD NOT be used.
11068
11069 low Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
11070 cipherlist is specified via the tls_low_cipherlist configuration
11071 parameter, which you are strongly encouraged to not change.
11072 This choice is insecure and SHOULD NOT be used.
11073
11074 medium Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use
11075 128-bit or longer symmetric bulk-encryption keys. This is the
11076 default minimum strength for mandatory TLS encryption. The
11077 underlying cipherlist is specified via the tls_medium_cipherlist
11078 configuration parameter, which you are strongly encouraged to
11079 not change.
11080
11081 high Enable only "HIGH" grade OpenSSL ciphers. The underlying
11082 cipherlist is specified via the tls_high_cipherlist configura‐
11083 tion parameter, which you are strongly encouraged to not change.
11084
11085 null Enable only the "NULL" OpenSSL ciphers, these provide authenti‐
11086 cation without encryption. This setting is only appropriate in
11087 the rare case that all clients are prepared to use NULL ciphers
11088 (not normally enabled in TLS clients). The underlying cipherlist
11089 is specified via the tls_null_cipherlist configuration parame‐
11090 ter, which you are strongly encouraged to not change.
11091
11092 Cipher types listed in smtpd_tls_mandatory_exclude_ciphers or
11093 smtpd_tls_exclude_ciphers are excluded from the base definition of the
11094 selected cipher grade. See smtpd_tls_ciphers for cipher controls that
11095 apply to opportunistic TLS.
11096
11097 The underlying cipherlists for grades other than "null" include anony‐
11098 mous ciphers, but these are automatically filtered out if the server is
11099 configured to ask for remote SMTP client certificates. You are very
11100 unlikely to need to take any steps to exclude anonymous ciphers, they
11101 are excluded automatically as required. If you must exclude anonymous
11102 ciphers even when Postfix does not need or use peer certificates, set
11103 "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
11104 when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers =
11105 aNULL".
11106
11107 This feature is available in Postfix 2.3 and later.
11108
11110 Additional list of ciphers or cipher types to exclude from the Postfix
11111 SMTP server cipher list at mandatory TLS security levels. This list
11112 works in addition to the exclusions listed with
11113 smtpd_tls_exclude_ciphers (see there for syntax details).
11114
11115 This feature is available in Postfix 2.3 and later.
11116
11118 The SSL/TLS protocols accepted by the Postfix SMTP server with manda‐
11119 tory TLS encryption. If the list is empty, the server supports all
11120 available SSL/TLS protocol versions. A non-empty value is a list of
11121 protocol names separated by whitespace, commas or colons. The sup‐
11122 ported protocol names are "SSLv2", "SSLv3" and "TLSv1", and are not
11123 case sensitive. The default value is "!SSLv2, !SSLv3" for Postfix
11124 releases after the middle of 2015, "!SSLv2" for older releases.
11125
11126 With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
11127 col exclusions. One can explicitly exclude "SSLv2" by setting
11128 "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both "SSLv2" and
11129 "SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
11130 the protocols to include, rather than protocols to exclude, is sup‐
11131 ported, but not recommended. The exclusion form more closely matches
11132 the underlying OpenSSL interface semantics.
11133
11134 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
11135 "TLSv1.2". When Postfix <= 2.5 is linked against OpenSSL 1.0.1 or
11136 later, these, or any other new protocol versions, cannot be disabled.
11137 The latest patch levels of Postfix >= 2.6, and all versions of Postfix
11138 >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11139
11140 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
11141 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11142 abled, if need be, via "!TLSv1.3".
11143
11144 Example:
11145
11146 # Preferred syntax with Postfix >= 2.5:
11147 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
11148 # Legacy syntax:
11149 smtpd_tls_mandatory_protocols = TLSv1
11150
11151 This feature is available in Postfix 2.3 and later.
11152
11154 List of TLS protocols that the Postfix SMTP server will exclude or
11155 include with opportunistic TLS encryption. The default value is
11156 "!SSLv2, !SSLv3" for Postfix releases after the middle of 2015, empty
11157 for older releases allowing all protocols to be used with opportunistic
11158 TLS. A non-empty value is a list of protocol names separated by white‐
11159 space, commas or colons. The supported protocol names are "SSLv2",
11160 "SSLv3" and "TLSv1", and are not case sensitive.
11161
11162 Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
11163 "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all versions
11164 of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11165
11166 OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix >= 3.4
11167 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11168 abled, if need be, via "!TLSv1.3".
11169
11170 To include a protocol list its name, to exclude it, prefix the name
11171 with a "!" character. To exclude SSLv2 for opportunistic TLS set
11172 "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
11173 "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the proto‐
11174 cols to include, rather than protocols to exclude, is supported, but
11175 not recommended. The exclusion form more closely matches the underly‐
11176 ing OpenSSL interface semantics.
11177
11178 Example:
11179 smtpd_tls_protocols = !SSLv2, !SSLv3
11180
11181 This feature is available in Postfix 2.6 and later.
11182
11184 Request that the Postfix SMTP server produces Received: message head‐
11185 ers that include information about the protocol and cipher used, as
11186 well as the remote SMTP client CommonName and client certificate issuer
11187 CommonName. This is disabled by default, as the information may be
11188 modified in transit through other mail servers. Only information that
11189 was recorded by the final destination can be trusted.
11190
11191 This feature is available in Postfix 2.2 and later.
11192
11194 With mandatory TLS encryption, require a trusted remote SMTP client
11195 certificate in order to allow TLS connections to proceed. This option
11196 implies "smtpd_tls_ask_ccert = yes".
11197
11198 When TLS encryption is optional, this setting is ignored with a warning
11199 written to the mail log.
11200
11201 This feature is available in Postfix 2.2 and later.
11202
11204 The SMTP TLS security level for the Postfix SMTP server; when a
11205 non-empty value is specified, this overrides the obsolete parameters
11206 smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
11207 "smtpd_tls_wrappermode = yes".
11208
11209 Specify one of the following security levels:
11210
11211 none TLS will not be used.
11212
11213 may Opportunistic TLS: announce STARTTLS support to remote SMTP
11214 clients, but do not require that clients use TLS encryption.
11215
11216 encrypt
11217 Mandatory TLS encryption: announce STARTTLS support to remote
11218 SMTP clients, and require that clients use TLS encryption.
11219 According to RFC 2487 this MUST NOT be applied in case of a pub‐
11220 licly-referenced SMTP server. Instead, this option should be
11221 used only on dedicated servers.
11222
11223 Note 1: the "fingerprint", "verify" and "secure" levels are not sup‐
11224 ported here. The Postfix SMTP server logs a warning and uses "encrypt"
11225 instead. To verify remote SMTP client certificates, see TLS_README for
11226 a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
11227 mit_tls_clientcerts features.
11228
11229 Note 2: The parameter setting "smtpd_tls_security_level = encrypt"
11230 implies "smtpd_tls_auth_only = yes".
11231
11232 Note 3: when invoked via "sendmail -bs", Postfix will never offer
11233 STARTTLS due to insufficient privileges to access the server private
11234 key. This is intended behavior.
11235
11236 This feature is available in Postfix 2.3 and later.
11237
11239 Name of the file containing the optional Postfix SMTP server TLS ses‐
11240 sion cache. Specify a database type that supports enumeration, such as
11241 btree or sdbm; there is no need to support concurrent access. The file
11242 is created if it does not exist. The smtpd(8) daemon does not use this
11243 parameter directly, rather the cache is implemented indirectly in the
11244 tlsmgr(8) daemon. This means that per-smtpd-instance master.cf over‐
11245 rides of this parameter are not effective. Note, that each of the cache
11246 databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
11247 base, $smtp_tls_session_cache_database (and with Postfix 2.3 and later
11248 $lmtp_tls_session_cache_database), needs to be stored separately. It is
11249 not at this time possible to store multiple caches in a single data‐
11250 base.
11251
11252 Note: dbm databases are not suitable. TLS session objects are too
11253 large.
11254
11255 As of version 2.5, Postfix no longer uses root privileges when opening
11256 this file. The file should now be stored under the Postfix-owned
11257 data_directory. As a migration aid, an attempt to open the file under a
11258 non-Postfix directory is redirected to the Postfix-owned data_direc‐
11259 tory, and a warning is logged.
11260
11261 As of Postfix 2.11 the preferred mechanism for session resumption is
11262 RFC 5077 TLS session tickets, which don't require server-side storage.
11263 Consequently, for Postfix >= 2.11 this parameter should generally be
11264 left empty. TLS session tickets require an OpenSSL library (at least
11265 version 0.9.8h) that provides full support for this TLS extension. See
11266 also smtpd_tls_session_cache_timeout.
11267
11268 Example:
11269
11270 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
11271
11272 This feature is available in Postfix 2.2 and later.
11273
11275 The expiration time of Postfix SMTP server TLS session cache informa‐
11276 tion. A cache cleanup is performed periodically every $smtpd_tls_ses‐
11277 sion_cache_timeout seconds. As with $smtpd_tls_session_cache_database,
11278 this parameter is implemented in the tlsmgr(8) daemon and therefore
11279 per-smtpd-instance master.cf overrides are not possible.
11280
11281 As of Postfix 2.11 this setting cannot exceed 100 days. If set <= 0,
11282 session caching is disabled, not just via the database, but also via
11283 RFC 5077 TLS session tickets, which don't require server-side storage.
11284 If set to a positive value less than 2 minutes, the minimum value of 2
11285 minutes is used instead. TLS session tickets require an OpenSSL
11286 library (at least version 0.9.8h) that provides full support for this
11287 TLS extension.
11288
11289 This feature is available in Postfix 2.2 and later, and updated for TLS
11290 session ticket support in Postfix 2.11.
11291
11293 Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
11294 of using the STARTTLS command.
11295
11296 If you want to support this service, enable a special port in mas‐
11297 ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
11298 command line. Port 465 (smtps) was once chosen for this purpose.
11299
11300 This feature is available in Postfix 2.2 and later.
11301
11303 The name of the proxy protocol used by an optional before-smtpd proxy
11304 agent. When a proxy agent is used, this protocol conveys local and
11305 remote address and port information. Specify
11306 "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy proto‐
11307 col.
11308
11309 NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
11310 with smtpd_authorized_xclient_hosts. This supports SASL authentication
11311 in the proxy agent (Postfix 2.9 and later).
11312
11313 This feature is available in Postfix 2.10 and later.
11314
11316 The time limit for the proxy protocol specified with the
11317 smtpd_upstream_proxy_protocol parameter.
11318
11319 This feature is available in Postfix 2.10 and later.
11320
11322 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
11323 but do not require that clients use TLS encryption.
11324
11325 Note: when invoked via "sendmail -bs", Postfix will never offer START‐
11326 TLS due to insufficient privileges to access the server private key.
11327 This is intended behavior.
11328
11329 This feature is available in Postfix 2.2 and later. With Postfix 2.3
11330 and later use smtpd_tls_security_level instead.
11331
11333 Detect that a message requires SMTPUTF8 support for the specified mail
11334 origin classes. This is a workaround to avoid chicken-and-egg problems
11335 during the initial SMTPUTF8 roll-out in environments with pre-existing
11336 mail flows that contain UTF8. Those mail flows should not break because
11337 Postfix suddenly refuses to deliver such mail to down-stream MTAs that
11338 don't announce SMTPUTF8 support.
11339
11340 The problem is that Postfix cannot rely solely on the sender's declara‐
11341 tion that a message requires SMTPUTF8 support, because UTF8 may be
11342 introduced during local processing (for example, the client hostname in
11343 Postfix's Received: header, adding @$myorigin or .$mydomain to an
11344 incomplete address, address rewriting, alias expansion, automatic BCC
11345 recipients, local forwarding, and changes made by header checks or Mil‐
11346 ter applications).
11347
11348 For now, the default is to enable "SMTPUTF8 required" autodetection
11349 only for Postfix sendmail command-line submissions and address verifi‐
11350 cation probes. This may change once SMTPUTF8 support achieves world
11351 domination. However, sites that add UTF8 content via local processing
11352 (see above) should autodetect the need for SMTPUTF8 support for all
11353 email.
11354
11355 Specify one or more of the following:
11356
11357 sendmail
11358 Submission with the Postfix sendmail(1) command.
11359
11360 smtpd Mail received with the smtpd(8) daemon.
11361
11362 qmqpd Mail received with the qmqpd(8) daemon.
11363
11364 forward
11365 Local forwarding or aliasing. When a message is received with
11366 "SMTPUTF8 required", then the forwarded (aliased) message always
11367 has "SMTPUTF8 required".
11368
11369 bounce
11370 Submission by the bounce(8) daemon. When a message is received
11371 with "SMTPUTF8 required", then the delivery status notification
11372 always has "SMTPUTF8 required".
11373
11374 notify
11375 Postmaster notification from the smtp(8) or smtpd(8) daemon.
11376
11377 verify
11378 Address verification probe from the verify(8) daemon.
11379
11380 all Enable SMTPUTF8 autodetection for all mail.
11381
11382 This feature is available in Postfix 3.0 and later.
11383
11385 Enable preliminary SMTPUTF8 support for the protocols described in RFC
11386 6531..6533. This requires that Postfix is built to support these proto‐
11387 cols.
11388
11389 This feature is available in Postfix 3.0 and later.
11390
11392 Safety net to keep mail queued that would otherwise be returned to the
11393 sender. This parameter disables locally-generated bounces, changes the
11394 handling of negative responses from remote servers, content filters or
11395 plugins, and prevents the Postfix SMTP server from rejecting mail per‐
11396 manently by changing 5xx reply codes into 4xx. However, soft_bounce is
11397 no cure for address rewriting mistakes or mail routing mistakes.
11398
11399 Note: "soft_bounce = yes" is in some cases implemented by modifying
11400 server responses. Therefore, the response that Postfix logs may differ
11401 from the response that Postfix actually sends or receives.
11402
11403 Example:
11404
11405 soft_bounce = yes
11406
11408 The time after which a stale exclusive mailbox lockfile is removed.
11409 This is used for delivery to file or mailbox.
11410
11411 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
11412 The default time unit is s (seconds).
11413
11415 This feature is documented in the STRESS_README document.
11416
11417 This feature is available in Postfix 2.5 and later.
11418
11420 Reject mail with 8-bit text in message headers. This blocks mail from
11421 poorly written applications.
11422
11423 This feature should not be enabled on a general purpose mail server,
11424 because it is likely to reject legitimate email.
11425
11426 This feature is available in Postfix 2.0 and later.
11427
11429 Enable both strict_7bit_headers and strict_8bitmime_body.
11430
11431 This feature should not be enabled on a general purpose mail server,
11432 because it is likely to reject legitimate email.
11433
11434 This feature is available in Postfix 2.0 and later.
11435
11437 Reject 8-bit message body text without 8-bit MIME content encoding
11438 information. This blocks mail from poorly written applications.
11439
11440 Unfortunately, this also rejects majordomo approval requests when the
11441 included request contains valid 8-bit MIME mail, and it rejects bounces
11442 from mailers that do not MIME encapsulate 8-bit content (for example,
11443 bounces from qmail or from old versions of Postfix).
11444
11445 This feature should not be enabled on a general purpose mail server,
11446 because it is likely to reject legitimate email.
11447
11448 This feature is available in Postfix 2.0 and later.
11449
11451 Defer delivery when a mailbox file is not owned by its recipient. The
11452 default setting is not backwards compatible.
11453
11454 This feature is available in Postfix 2.5.3 and later.
11455
11457 Reject mail with invalid Content-Transfer-Encoding: information for the
11458 message/* or multipart/* MIME content types. This blocks mail from
11459 poorly written software.
11460
11461 This feature should not be enabled on a general purpose mail server,
11462 because it will reject mail after a single violation.
11463
11464 This feature is available in Postfix 2.0 and later.
11465
11467 Require that addresses received in SMTP MAIL FROM and RCPT TO commands
11468 are enclosed with <>, and that those addresses do not contain RFC 822
11469 style comments or phrases. This stops mail from poorly written soft‐
11470 ware.
11471
11472 By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
11473 and RCPT TO addresses.
11474
11476 Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
11477 server accepts UTF8 sender or recipient addresses only when the client
11478 requests an SMTPUTF8 mail transaction.
11479
11480 This feature is available in Postfix 3.0 and later.
11481
11483 Obsolete SUN mailtool compatibility feature. Instead, use "mail‐
11484 box_delivery_lock = dotlock".
11485
11487 Enable the rewriting of "site!user" into "user@site". This is neces‐
11488 sary if your machine is connected to UUCP networks. It is enabled by
11489 default.
11490
11491 Note: with Postfix version 2.2, message header address rewriting hap‐
11492 pens only when one of the following conditions is true:
11493
11494 · The message is received with the Postfix sendmail(1) command,
11495
11496 · The message is received from a network client that matches
11497 $local_header_rewrite_clients,
11498
11499 · The message is received from the network, and the
11500 remote_header_rewrite_domain parameter specifies a non-empty
11501 value.
11502
11503 To get the behavior before Postfix version 2.2, specify
11504 "local_header_rewrite_clients = static:all".
11505
11506 Example:
11507
11508 swap_bangpath = no
11509
11511 The syslog facility of Postfix logging. Specify a facility as defined
11512 in syslog.conf(5). The default facility is "mail".
11513
11514 Warning: a non-default syslog_facility setting takes effect only after
11515 a Postfix process has completed initialization. Errors during process
11516 initialization will be logged with the default facility. Examples are
11517 errors while parsing the command line arguments, and errors while
11518 accessing the Postfix main.cf configuration file.
11519
11521 A prefix that is prepended to the process name in syslog records, so
11522 that, for example, "smtpd" becomes "prefix/smtpd".
11523
11524 Warning: a non-default syslog_name setting takes effect only after a
11525 Postfix process has completed initialization. Errors during process
11526 initialization will be logged with the default name. Examples are
11527 errors while parsing the command line arguments, and errors while
11528 accessing the Postfix main.cf configuration file.
11529
11531 An optional workaround for routers that break TCP window scaling.
11532 Specify a value > 0 and < 65536 to enable this feature. With Postfix
11533 TCP servers (smtpd(8), qmqpd(8)), this feature is implemented by the
11534 Postfix master(8) daemon.
11535
11536 To change this parameter without stopping Postfix, you need to first
11537 terminate all Postfix TCP servers:
11538
11539 # postconf -e master_service_disable=inet
11540 # postfix reload
11541
11542 This immediately terminates all processes that accept network connec‐
11543 tions. Next, you enable Postfix TCP servers with the updated tcp_win‐
11544 dowsize setting:
11545
11546 # postconf -e tcp_windowsize=65535 master_service_disable=
11547 # postfix reload
11548
11549 If you skip these steps with a running Postfix system, then the
11550 tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
11551 lmtp(8)).
11552
11553 This feature is available in Postfix 2.6 and later.
11554
11556 Append the system-supplied default Certification Authority certificates
11557 to the ones specified with *_tls_CApath or *_tls_CAfile. The default
11558 is "no"; this prevents Postfix from trusting third-party certificates
11559 and giving them relay permission with permit_tls_all_clientcerts.
11560
11561 This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
11562 later versions. Specify "tls_append_default_CA = yes" for backwards
11563 compatibility, to avoid breaking certificate verification with sites
11564 that don't use permit_tls_all_clientcerts.
11565
11567 The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
11568 requests from the tlsmgr(8) server in order to seed its internal pseudo
11569 random number generator (PRNG). The default of 32 bytes (equivalent to
11570 256 bits) is sufficient to generate a 128bit (or 168bit) session key.
11571
11572 This feature is available in Postfix 2.2 and later.
11573
11575 Configure RFC7671 DANE TLSA digest algorithm agility. Do not change
11576 this setting from its default value.
11577
11578 See Section 8 of RFC7671 for correct key rotation procedures.
11579
11580 This feature is available in Postfix 2.11 through 3.1. Postfix 3.2 and
11581 later ignore this configuration parameter and behave as though it were
11582 set to "on".
11583
11585 DANE TLSA (RFC 6698, RFC 7671, RFC 7672) resource-record "matching
11586 type" digest algorithms in descending preference order. All the speci‐
11587 fied algorithms must be supported by the underlying OpenSSL library,
11588 otherwise the Postfix SMTP client will not support DANE TLSA security.
11589
11590 Specify a list of digest names separated by commas and/or whitespace.
11591 Each digest name may be followed by an optional "=<number>" suffix.
11592 For example, "sha512" may instead be specified as "sha512=2" and
11593 "sha256" may instead be specified as "sha256=1". The optional number
11594 must match the <a href="https://www.iana.org/assignments/dane-parame‐
11595 ters/dane-parameters.xhtml#matching-types" >IANA assigned TLSA matching
11596 type number the algorithm in question. Postfix will check this con‐
11597 straint for the algorithms it knows about. Additional matching type
11598 algorithms registered with IANA can be added with explicit numbers pro‐
11599 vided they are supported by OpenSSL.
11600
11601 Invalid list elements are logged with a warning and disable DANE sup‐
11602 port. TLSA RRs that specify digests not included in the list are
11603 ignored with a warning.
11604
11605 Note: It is unwise to omit sha256 from the digest list. This digest
11606 algorithm is the only mandatory to implement digest algorithm in RFC
11607 6698, and many servers are expected publish TLSA records with just
11608 sha256 digests. Unless one of the standard digests is seriously com‐
11609 promised and servers have had ample time to update their TLSA records
11610 you should not omit any standard digests, just arrange them in order
11611 from strongest to weakest.
11612
11613 This feature is available in Postfix 2.11 and later.
11614
11616 Enable support for RFC 6698 (DANE TLSA) DNS records that contain
11617 digests of trust-anchors with certificate usage "2". Do not change
11618 this setting from its default value.
11619
11620 This feature is available in Postfix 2.11 through 3.1. It has been
11621 withdrawn in Postfix 3.2, as trust-anchor TLSA records are now widely
11622 used and have proved sufficiently reliable. Postfix 3.2 and later
11623 ignore this configuration parameter and behaves as though it were set
11624 to "yes".
11625
11627 List or bit-mask of OpenSSL bug work-arounds to disable.
11628
11629 The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
11630 implementations. Applications, such as Postfix, that want to maximize
11631 interoperability ask the OpenSSL library to enable the full set of rec‐
11632 ommended work-arounds.
11633
11634 From time to time, it is discovered that a work-around creates a secu‐
11635 rity issue, and should no longer be used. If upgrading OpenSSL to a
11636 fixed version is not an option or an upgrade is not available in a
11637 timely manner, or in closed environments where no buggy clients or
11638 servers exist, it may be appropriate to disable some or all of the
11639 OpenSSL interoperability work-arounds. This parameter specifies which
11640 bug work-arounds to disable.
11641
11642 If the value of the parameter is a hexadecimal long integer starting
11643 with "0x", the bug work-arounds corresponding to the bits specified in
11644 its value are removed from the SSL_OP_ALL work-around bit-mask (see
11645 openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more bits
11646 than are present in SSL_OP_ALL, excess bits are ignored. Specifying
11647 0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
11648 also be sufficient on 64-bit systems, until OpenSSL abandons support
11649 for 32-bit systems and starts using the high 32 bits of a 64-bit
11650 bug-workaround mask.
11651
11652 Otherwise, the parameter is a white-space or comma separated list of
11653 specific named bug work-arounds chosen from the list below. It is pos‐
11654 sible that your OpenSSL version includes new bug work-arounds added
11655 after your Postfix source code was last updated, in that case you can
11656 only disable one of these via the hexadecimal syntax above.
11657
11658 CRYPTOPRO_TLSEXT_BUG
11659 New with GOST support in OpenSSL 1.0.0.
11660
11661 DONT_INSERT_EMPTY_FRAGMENTS
11662 See SSL_CTX_set_options(3)
11663
11664 LEGACY_SERVER_CONNECT
11665 See SSL_CTX_set_options(3)
11666
11667 MICROSOFT_BIG_SSLV3_BUFFER
11668 See SSL_CTX_set_options(3)
11669
11670 MICROSOFT_SESS_ID_BUG
11671 See SSL_CTX_set_options(3)
11672
11673 MSIE_SSLV2_RSA_PADDING
11674 also aliased as CVE-2005-2969. Postfix 2.8 disables this
11675 work-around by default with OpenSSL versions that may predate
11676 the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
11677
11678 NETSCAPE_CHALLENGE_BUG
11679 See SSL_CTX_set_options(3)
11680
11681 NETSCAPE_REUSE_CIPHER_CHANGE_BUG
11682 also aliased as CVE-2010-4180. Postfix 2.8 disables this
11683 work-around by default with OpenSSL versions that may predate
11684 the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
11685
11686 SSLEAY_080_CLIENT_DH_BUG
11687 See SSL_CTX_set_options(3)
11688
11689 SSLREF2_REUSE_CERT_TYPE_BUG
11690 See SSL_CTX_set_options(3)
11691
11692 TLS_BLOCK_PADDING_BUG
11693 See SSL_CTX_set_options(3)
11694
11695 TLS_D5_BUG
11696 See SSL_CTX_set_options(3)
11697
11698 TLS_ROLLBACK_BUG
11699 See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7
11700 and later. Nobody should still be using 0.9.6!
11701
11702 TLSEXT_PADDING
11703 Postfix >= 3.4. See SSL_CTX_set_options(3).
11704
11705 This feature is available in Postfix 2.8 and later.
11706
11708 The prioritized list of elliptic curves supported by the Postfix SMTP
11709 client and server. These curves are used by the Postfix SMTP server
11710 when "smtpd_tls_eecdh_grade = auto". The selected curves must be
11711 implemented by OpenSSL and be standardized for use in TLS (RFC 4492 or
11712 its imminent successor). It is unwise to list only "bleeding-edge"
11713 curves supported by a small subset of clients. The default list is
11714 suitable for most users.
11715
11716 Postfix skips curve names that are unknown to OpenSSL, or that are
11717 known but not yet implemented. This makes it possible to "anticipate"
11718 support for curves that should be used once they become available. In
11719 particular, in some OpenSSL versions, the new RFC 8031 curves "X25519"
11720 and "X448" may be known by name, but ECDH support for either or both
11721 may be missing. These curves may appear in the default value of this
11722 parameter, even though they'll only be usable with later versions of
11723 OpenSSL.
11724
11725 This feature is available in Postfix 3.2 and later, when it is compiled
11726 and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
11727 have not been disabled by the vendor.
11728
11730 The elliptic curve used by the Postfix SMTP server for sensibly strong
11731 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11732 server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
11733 strong" means approximately 128-bit security based on best known
11734 attacks. The selected curve must be implemented by OpenSSL (as reported
11735 by ecparam(1) with the "-list_curves" option) and be one of the curves
11736 listed in Section 5.1.1 of RFC 4492. You should not generally change
11737 this setting. Remote SMTP client implementations must support this
11738 curve for EECDH key exchange to take place. It is unwise to choose an
11739 "bleeding-edge" curve supported by only a small subset of clients.
11740
11741 The default "strong" curve is rated in NSA Suite B for information
11742 classified up to SECRET.
11743
11744 Note: elliptic curve names are poorly standardized; different standards
11745 groups are assigning different names to the same underlying curves.
11746 The curve with the X9.62 name "prime256v1" is also known under the SECG
11747 name "secp256r1", but OpenSSL does not recognize the latter name.
11748
11749 If you want to take maximal advantage of ciphers that offer forward
11750 secrecy see the Getting started section of FORWARD_SECRECY_README. The
11751 full document conveniently presents all information about Postfix "per‐
11752 fect" forward secrecy support in one place: what forward secrecy is,
11753 how to tweak settings, and what you can expect to see when Postfix uses
11754 ciphers with forward secrecy.
11755
11756 This feature is available in Postfix 2.6 and later, when it is compiled
11757 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11758 have not been disabled by the vendor.
11759
11761 The elliptic curve used by the Postfix SMTP server for maximally strong
11762 ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
11763 server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
11764 strong" means approximately 192-bit security based on best known
11765 attacks. This additional strength comes at a significant computational
11766 cost, most users should instead set "smtpd_tls_eecdh_grade = strong".
11767 The selected curve must be implemented by OpenSSL (as reported by
11768 ecparam(1) with the "-list_curves" option) and be one of the curves
11769 listed in Section 5.1.1 of RFC 4492. You should not generally change
11770 this setting.
11771
11772 This default "ultra" curve is rated in NSA Suite B for information
11773 classified up to TOP SECRET.
11774
11775 If you want to take maximal advantage of ciphers that offer forward
11776 secrecy see the Getting started section of FORWARD_SECRECY_README. The
11777 full document conveniently presents all information about Postfix "per‐
11778 fect" forward secrecy support in one place: what forward secrecy is,
11779 how to tweak settings, and what you can expect to see when Postfix uses
11780 ciphers with forward secrecy.
11781
11782 This feature is available in Postfix 2.6 and later, when it is compiled
11783 and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11784 have not been disabled by the vendor.
11785
11787 The OpenSSL cipherlist for "export" or higher grade ciphers. This
11788 defines the meaning of the "export" setting in smtpd_tls_ciphers,
11789 smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_manda‐
11790 tory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With
11791 Postfix releases before the middle of 2015 this is the default
11792 cipherlist for the opportunistic ("may") TLS client security level and
11793 also the default cipherlist for the SMTP server. You are strongly
11794 encouraged to not change this setting.
11795
11796 This feature is available in Postfix 2.3 and later.
11797
11799 The OpenSSL cipherlist for "high" grade ciphers. This defines the mean‐
11800 ing of the "high" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11801 tory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
11802 lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
11803 encouraged to not change this setting.
11804
11805 This feature is available in Postfix 2.3 and later.
11806
11808 A temporary migration aid for sites that use certificate public-key
11809 fingerprints with Postfix 2.9.0..2.9.5, which use an incorrect algo‐
11810 rithm. This parameter has no effect on the certificate fingerprint sup‐
11811 port that is available since Postfix 2.2.
11812
11813 Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
11814 a migration from configuration files with incorrect Postfix
11815 2.9.0..2.9.5 certificate public-key finger prints, to the correct fin‐
11816 gerprints used by Postfix 2.9.6 and later. To compute the correct cer‐
11817 tificate public-key fingerprints, see TLS_README.
11818
11819 This feature is available in Postfix 2.9.6 and later.
11820
11822 The OpenSSL cipherlist for "low" or higher grade ciphers. This defines
11823 the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11824 tory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
11825 lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
11826 encouraged to not change this setting.
11827
11828 This feature is available in Postfix 2.3 and later.
11829
11831 The OpenSSL cipherlist for "medium" or higher grade ciphers. This
11832 defines the meaning of the "medium" setting in smtpd_tls_ciphers,
11833 smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_manda‐
11834 tory_ciphers, lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This
11835 is the default cipherlist for mandatory TLS encryption in the TLS
11836 client (with anonymous ciphers disabled when verifying server certifi‐
11837 cates). This is the default cipherlist for opportunistic TLS with
11838 Postfix releases after the middle of 2015. You are strongly encouraged
11839 to not change this setting.
11840
11841 This feature is available in Postfix 2.3 and later.
11842
11844 The OpenSSL cipherlist for "NULL" grade ciphers that provide authenti‐
11845 cation without encryption. This defines the meaning of the "null" set‐
11846 ting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and
11847 lmtp_tls_mandatory_ciphers. You are strongly encouraged to not change
11848 this setting.
11849
11850 This feature is available in Postfix 2.3 and later.
11851
11853 With SSLv3 and later, use the Postfix SMTP server's cipher preference
11854 order instead of the remote client's cipher preference order.
11855
11856 By default, the OpenSSL server selects the client's most preferred
11857 cipher that the server supports. With SSLv3 and later, the server may
11858 choose its own most preferred cipher that is supported (offered) by the
11859 client. Setting "tls_preempt_cipherlist = yes" enables server cipher
11860 preferences.
11861
11862 While server cipher selection may in some cases lead to a more secure
11863 or performant cipher choice, there is some risk of interoperability
11864 issues. In the past, some SSL clients have listed lower priority
11865 ciphers that they did not implement correctly. If the server chooses a
11866 cipher that the client prefers less, it may select a cipher whose
11867 client implementation is flawed. Most notably Windows 2003 Microsoft
11868 Exchange servers have flawed implementations of DES-CBC3-SHA, which
11869 OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite
11870 selection may create interoperability issues with Windows 2003 Micro‐
11871 soft Exchange clients.
11872
11873 This feature is available in Postfix 2.8 and later, in combination with
11874 OpenSSL 0.9.7 and later.
11875
11877 The number of bytes that tlsmgr(8) reads from $tls_random_source when
11878 (re)seeding the in-memory pseudo random number generator (PRNG) pool.
11879 The default of 32 bytes (256 bits) is good enough for 128bit symmetric
11880 keys. If using EGD or a device file, a maximum of 255 bytes is read.
11881
11882 This feature is available in Postfix 2.2 and later.
11883
11885 Name of the pseudo random number generator (PRNG) state file that is
11886 maintained by tlsmgr(8). The file is created when it does not exist,
11887 and its length is fixed at 1024 bytes.
11888
11889 As of version 2.5, Postfix no longer uses root privileges when opening
11890 this file, and the default file location was changed from ${con‐
11891 fig_directory}/prng_exch to ${data_directory}/prng_exch. As a migra‐
11892 tion aid, an attempt to open the file under a non-Postfix directory is
11893 redirected to the Postfix-owned data_directory, and a warning is
11894 logged.
11895
11896 This feature is available in Postfix 2.2 and later.
11897
11899 The time between attempts by tlsmgr(8) to save the state of the pseudo
11900 random number generator (PRNG) to the file specified with $tls_ran‐
11901 dom_exchange_name.
11902
11903 This feature is available in Postfix 2.2 and later.
11904
11906 The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
11907 pseudo random number generator (PRNG) pool from external sources. The
11908 actual time between re-seeding attempts is calculated using the PRNG,
11909 and is between 0 and the time specified.
11910
11911 This feature is available in Postfix 2.2 and later.
11912
11914 The external entropy source for the in-memory tlsmgr(8) pseudo random
11915 number generator (PRNG) pool. Be sure to specify a non-blocking source.
11916 If this source is not a regular file, the entropy source type must be
11917 prepended: egd:/path/to/egd_socket for a source with EGD compatible
11918 socket interface, or dev:/path/to/device for a device file.
11919
11920 Note: on OpenBSD systems specify /dev/arandom when /dev/urandom gives
11921 timeout errors.
11922
11923 This feature is available in Postfix 2.2 and later.
11924
11926 Optional lookup tables that map names received from remote SMTP clients
11927 via the TLS Server Name Indication (SNI) extension to the appropriate
11928 keys and certificate chains. This parameter is implemented in the
11929 Postfix TLS library, and applies to both smtpd(8) and the SMTP server
11930 mode of tlsproxy(8).
11931
11932 The lookup key is either the verbatim SNI domain name or an ancestor
11933 domain prefixed with a leading dot. For internationalized domains, the
11934 lookup key must be in IDNA 2008 A-label form (as required in the TLS
11935 SNI extension).
11936
11937 When this parameter is non-empty, the Postfix SMTP server enables SNI
11938 extension processing, and logs SNI values that are invalid or don't
11939 match an entry in the the specified tables. When an entry does match,
11940 the SNI name is logged as part of the connection summary at log levels
11941 1 and higher.
11942
11943 Note that the SNI lookup tables should also have entries for the
11944 domains that correspond to the Postfix SMTP server's default certifi‐
11945 cate(s). This ensures that the remote SMTP client's TLS SNI extension
11946 gets a positive response when it specifies one of the Postfix SMTP
11947 server's default domains, and ensures that the Postfix SMTP server will
11948 not log an SNI name mismatch for such a domain. The Postfix SMTP
11949 server's default certificates are then only used when the client sends
11950 no SNI or when it sends SNI with a domain that the server knows no cer‐
11951 tificate(s) for.
11952
11953 The mapping from an SNI domain name to a certificate chain is typically
11954 indirect. In the input source files for "cdb", "hash", "btree" or
11955 other tables that are converted to on-disk indexed files via
11956 postmap(1), the value specified for each key is a list of filenames.
11957 When postmap(1) is used with the -F option, the generated table stores
11958 for each lookup key the base64-encoded contents of the associated
11959 files. When querying tables via postmap -Fq, the table value is
11960 decoded from base64, yielding the original file content, plus a new
11961 line.
11962
11963 With "regexp", "pcre", "inline", "texthash", "static" and similar
11964 tables that are interpreted at run-time, and don't have a separate
11965 source format, the table value is again a list files, that are read-in
11966 when the table is opened.
11967
11968 Thus, for example:
11969
11970 $ postmap -Fq "" static:/etc/postfix/chain.pem | openssl dgst -sha1
11971 (stdin)= da39a3ee5e6b4b0d3255bfef95601890afd80709
11972
11973 produces the same output as:
11974
11975 $ (cat /etc/postfix/chain.pem; echo) | openssl dgst -sha1
11976 (stdin)= da39a3ee5e6b4b0d3255bfef95601890afd80709
11977
11978 With tables whose content is managed outside of Postfix, such as LDAP,
11979 MySQL, PostgreSQL, socketmap and tcp, the value must be a concatenation
11980 of the desired PEM keys and certificate chains, that is then further
11981 encoded to yield a single-line base64 string. Creation of such tables
11982 and secure storage are outside the responsibility of Postfix. With
11983 "socketmap" and "tcp" the data would be transmitted in the clear. With
11984 LDAP and SQL, you should generally use TLS to protect the sensitive
11985 data in transit.
11986
11987 Typically there is only private key and its chain of certificates
11988 starting with the "leaf" certificate corresponding to that key, and
11989 continuing with the appropriate intermediate issuer CA certificates,
11990 with each certificate ideally followed by its issuer. Servers that
11991 have keys and certificates for more than one algorithm (e.g. both an
11992 RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519) can use mul‐
11993 tiple chains concatenated together, with the key always listed before
11994 the corresponding certificates.
11995
11996 This feature is available in Postfix 3.4 and later.
11997
11999 3.0: aes-128-cbc)
12000 Algorithm used to encrypt RFC5077 TLS session tickets. This algorithm
12001 must use CBC mode, have a 128-bit block size, and must have a key
12002 length between 128 and 256 bits. The default is aes-256-cbc. Overrid‐
12003 ing the default to choose a different algorithm is discouraged.
12004
12005 Setting this parameter empty disables session ticket support in the
12006 Postfix SMTP server. Another way to disable session ticket support is
12007 via the tls_ssl_options parameter.
12008
12009 This feature is available in Postfix 3.0 and later.
12010
12012 List or bit-mask of OpenSSL options to enable.
12013
12014 The OpenSSL toolkit provides a set of options that applications can
12015 enable to tune the OpenSSL behavior. Some of these work around bugs in
12016 other implementations and are on by default. You can use the tls_dis‐
12017 able_workarounds parameter to selectively disable some or all of the
12018 bug work-arounds, making OpenSSL more strict at the cost of non-inter‐
12019 operability with SSL clients or servers that exhibit the bugs.
12020
12021 Other options are off by default, and typically enable or disable fea‐
12022 tures rather than bug work-arounds. These may be turned on (with care)
12023 via the tls_ssl_options parameter. The value is a white-space or comma
12024 separated list of named options chosen from the list below. The names
12025 are not case-sensitive, you can use lower-case if you prefer. The
12026 upper case values below match the corresponding macro name in the ssl.h
12027 header file with the SSL_OP_ prefix removed. It is possible that your
12028 OpenSSL version includes new options added after your Postfix source
12029 code was last updated, in that case you can only enable one of these
12030 via the hexadecimal syntax below.
12031
12032 You should only enable features via the hexadecimal mask when the need
12033 to control the feature is critical (to deal with a new vulnerability or
12034 a serious interoperability problem). Postfix DOES NOT promise back‐
12035 wards compatible behavior with respect to the mask bits. A feature
12036 enabled via the mask in one release may be enabled by other means in a
12037 later release, and the mask bit will then be ignored. Therefore, use
12038 of the hexadecimal mask is only a temporary measure until a new Postfix
12039 or OpenSSL release provides a better solution.
12040
12041 If the value of the parameter is a hexadecimal long integer starting
12042 with "0x", the options corresponding to the bits specified in its value
12043 are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). You can
12044 only enable options not already controlled by other Postfix settings.
12045 For example, you cannot disable protocols or enable server cipher pref‐
12046 erence. Do not attempt to turn all features by specifying 0xFFFFFFFF,
12047 this is unlikely to be a good idea. Some bug work-arounds are also
12048 valid here, allowing them to be re-enabled if/when they're no longer
12049 enabled by default. The supported values include:
12050
12051 ENABLE_MIDDLEBOX_COMPAT
12052 Postfix >= 3.4. See SSL_CTX_set_options(3).
12053
12054 LEGACY_SERVER_CONNECT
12055 See SSL_CTX_set_options(3).
12056
12057 NO_TICKET
12058 Enabled by default when needed in fully-patched Postfix >= 2.7.
12059 Not needed at all for Postfix >= 2.11, unless for some reason
12060 you do not want to support TLS session resumption. Best not set
12061 explicitly. See SSL_CTX_set_options(3).
12062
12063 NO_COMPRESSION
12064 Disable SSL compression even if supported by the OpenSSL
12065 library. Compression is CPU-intensive, and compression before
12066 encryption does not always improve security.
12067
12068 NO_RENEGOTIATION
12069 Postfix >= 3.4. This can reduce opportunities for a potential
12070 CPU exhaustion attack. See SSL_CTX_set_options(3).
12071
12072 NO_SESSION_RESUMPTION_ON_RENEGOTIATION
12073 Postfix >= 3.4. See SSL_CTX_set_options(3).
12074
12075 PRIORITIZE_CHACHA
12076 Postfix >= 3.4. See SSL_CTX_set_options(3).
12077
12078 TLSEXT_PADDING
12079 Postfix >= 3.4. See SSL_CTX_set_options(3).
12080
12081 This feature is available in Postfix 2.11 and later.
12082
12084 Match multiple DNS labels with "*" in wildcard certificates.
12085
12086 Some mail service providers prepend the customer domain name to a base
12087 domain for which they have a wildcard TLS certificate. For example,
12088 the MX records for example.com hosted by example.net may be:
12089
12090 example.com. IN MX 0 example.com.mx1.example.net.
12091 example.com. IN MX 0 example.com.mx2.example.net.
12092
12093 and the TLS certificate may be for "*.example.net". The "*" then corre‐
12094 sponds with multiple labels in the mail server domain name. While
12095 multi-label wildcards are not widely supported, and are not blessed by
12096 any standard, there is little to be gained by disallowing their use in
12097 this context.
12098
12099 Notes:
12100
12101 · In a certificate name, the "*" is special only when it is used
12102 as the first label.
12103
12104 · While Postfix (2.11 or later) can match "*" with multiple domain
12105 name labels, other implementations likely will not.
12106
12107 · Earlier Postfix implementations behave as if "tls_wild‐
12108 card_matches_multiple_labels = no".
12109
12110 This feature is available in Postfix 2.11 and later.
12111
12113 The name of the tlsmgr(8) service entry in master.cf. This service
12114 maintains TLS session caches and other information in support of TLS.
12115
12116 This feature is available in Postfix 2.11 and later.
12117
12119 A file containing CA certificates of root CAs trusted to sign either
12120 remote TLS server certificates or intermediate CA certificates. See
12121 smtp_tls_CAfile for further details.
12122
12123 This feature is available in Postfix 3.4 and later.
12124
12126 Directory with PEM format Certification Authority certificates that the
12127 Postfix tlsproxy(8) client uses to verify a remote TLS server certifi‐
12128 cate. See smtp_tls_CApath for further details.
12129
12130 This feature is available in Postfix 3.4 and later.
12131
12133 File with the Postfix tlsproxy(8) client RSA certificate in PEM format.
12134 See smtp_tls_cert_file for further details. The preferred way to con‐
12135 figure tlsproxy client keys and certificates is via the
12136 "tlsproxy_client_chain_files" parameter.
12137
12138 This feature is available in Postfix 3.4 and later.
12139
12141 Files with the Postfix tlsproxy(8) client keys and certificate chains
12142 in PEM format. See smtp_tls_chain_files for further details.
12143
12144 This feature is available in Postfix 3.4 and later.
12145
12147 File with the Postfix tlsproxy(8) client DSA certificate in PEM format.
12148 See smtp_tls_dcert_file for further details. DSA is obsolete and should
12149 not be used.
12150
12151 This feature is available in Postfix 3.4 and later.
12152
12154 File with the Postfix tlsproxy(8) client DSA private key in PEM format.
12155 See smtp_tls_dkey_file for further details. DSA is obsolete and should
12156 not be used.
12157
12158 This feature is available in Postfix 3.4 and later.
12159
12161 File with the Postfix tlsproxy(8) client ECDSA certificate in PEM for‐
12162 mat. See smtp_tls_eccert_file for further details. The preferred way to
12163 configure tlsproxy client keys and certificates is via the
12164 "tlsproxy_client_chain_files" parameter.
12165
12166 This feature is available in Postfix 3.4 and later.
12167
12169 File with the Postfix tlsproxy(8) client ECDSA private key in PEM for‐
12170 mat. See smtp_tls_eckey_file for further details. The preferred way to
12171 configure tlsproxy client keys and certificates is via the
12172 "tlsproxy_client_chain_files" parameter.
12173
12174 This feature is available in Postfix 3.4 and later.
12175
12177 Enforcement mode: require that SMTP servers use TLS encryption. See
12178 smtp_enforce_tls for further details.
12179
12180 This feature is available in Postfix 3.4 and later.
12181
12183 The message digest algorithm used to construct remote TLS server cer‐
12184 tificate fingerprints. See smtp_tls_fingerprint_digest for further
12185 details.
12186
12187 This feature is available in Postfix 3.4 and later.
12188
12190 File with the Postfix tlsproxy(8) client RSA private key in PEM format.
12191 See smtp_tls_key_file for further details. The preferred way to config‐
12192 ure tlsproxy client keys and certificates is via the
12193 "tlsproxy_client_chain_files" parameter.
12194
12195 This feature is available in Postfix 3.4 and later.
12196
12198 Enable additional Postfix tlsproxy(8) client logging of TLS activity.
12199 See smtp_tls_loglevel for further details.
12200
12201 This feature is available in Postfix 3.4 and later.
12202
12204 The name of the parameter that provides the tlsproxy_client_loglevel
12205 value.
12206
12207 This feature is available in Postfix 3.4 and later.
12208
12210 Optional lookup tables with the Postfix tlsproxy(8) client TLS usage
12211 policy by next-hop destination and by remote TLS server hostname. See
12212 smtp_tls_per_site for further details.
12213
12214 This feature is available in Postfix 3.4 and later.
12215
12217 Optional lookup tables with the Postfix tlsproxy(8) client TLS security
12218 policy by next-hop destination. See smtp_tls_policy_maps for further
12219 details.
12220
12221 This feature is available in Postfix 3.4 and later.
12222
12224 The verification depth for remote TLS server certificates. See
12225 smtp_tls_scert_verifydepth for further details.
12226
12227 This feature is available in Postfix 3.4 and later.
12228
12230 The default TLS security level for the Postfix tlsproxy(8) client. See
12231 smtp_tls_security_level for further details.
12232
12233 This feature is available in Postfix 3.4 and later.
12234
12236 Opportunistic mode: use TLS when a remote server announces TLS support.
12237 See smtp_use_tls for further details.
12238
12239 This feature is available in Postfix 3.4 and later.
12240
12242 Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
12243 require that clients use TLS encryption. See smtpd_enforce_tls for fur‐
12244 ther details.
12245
12246 This feature is available in Postfix 2.8 and later.
12247
12249 The name of the tlsproxy(8) service entry in master.cf. This service
12250 performs plaintext <=> TLS ciphertext conversion.
12251
12252 This feature is available in Postfix 2.8 and later.
12253
12255 A file containing (PEM format) CA certificates of root CAs trusted to
12256 sign either remote SMTP client certificates or intermediate CA certifi‐
12257 cates. See smtpd_tls_CAfile for further details.
12258
12259 This feature is available in Postfix 2.8 and later.
12260
12262 A directory containing (PEM format) CA certificates of root CAs trusted
12263 to sign either remote SMTP client certificates or intermediate CA cer‐
12264 tificates. See smtpd_tls_CApath for further details.
12265
12266 This feature is available in Postfix 2.8 and later.
12267
12269 sion_ids)
12270 Force the Postfix tlsproxy(8) server to issue a TLS session id, even
12271 when TLS session caching is turned off. See smtpd_tls_always_issue_ses‐
12272 sion_ids for further details.
12273
12274 This feature is available in Postfix 2.8 and later.
12275
12277 Ask a remote SMTP client for a client certificate. See
12278 smtpd_tls_ask_ccert for further details.
12279
12280 This feature is available in Postfix 2.8 and later.
12281
12283 The verification depth for remote SMTP client certificates. A depth of
12284 1 is sufficient if the issuing CA is listed in a local CA file. See
12285 smtpd_tls_ccert_verifydepth for further details.
12286
12287 This feature is available in Postfix 2.8 and later.
12288
12290 File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
12291 This file may also contain the Postfix tlsproxy(8) server private RSA
12292 key. See smtpd_tls_cert_file for further details. With Postfix >= 3.4
12293 the preferred way to configure tlsproxy server keys and certificates is
12294 via the "tlsproxy_tls_chain_files" parameter.
12295
12296 This feature is available in Postfix 2.8 and later.
12297
12299 Files with the Postfix tlsproxy(8) server keys and certificate chains
12300 in PEM format. See smtpd_tls_chain_files for further details.
12301
12302 This feature is available in Postfix 3.4 and later.
12303
12305 The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
12306 use with opportunistic TLS encryption. See smtpd_tls_ciphers for fur‐
12307 ther details.
12308
12309 This feature is available in Postfix 2.8 and later.
12310
12312 File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
12313 This file may also contain the Postfix tlsproxy(8) server private DSA
12314 key. DSA is obsolete and should not be used. See smtpd_tls_dcert_file
12315 for further details.
12316
12317 This feature is available in Postfix 2.8 and later.
12318
12320 File with DH parameters that the Postfix tlsproxy(8) server should use
12321 with non-export EDH ciphers. See smtpd_tls_dh1024_param_file for fur‐
12322 ther details.
12323
12324 This feature is available in Postfix 2.8 and later.
12325
12327 File with DH parameters that the Postfix tlsproxy(8) server should use
12328 with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for fur‐
12329 ther details. The default SMTP server cipher grade is "medium" with
12330 Postfix releases after the middle of 2015, and as a result export-grade
12331 cipher suites are by default not used.
12332
12333 This feature is available in Postfix 2.8 and later.
12334
12336 File with the Postfix tlsproxy(8) server DSA private key in PEM format.
12337 This file may be combined with the Postfix tlsproxy(8) server DSA cer‐
12338 tificate file specified with $smtpd_tls_dcert_file. DSA is obsolete
12339 and should not be used. See smtpd_tls_dkey_file for further details.
12340
12341 This feature is available in Postfix 2.8 and later.
12342
12344 File with the Postfix tlsproxy(8) server ECDSA certificate in PEM for‐
12345 mat. This file may also contain the Postfix tlsproxy(8) server private
12346 ECDSA key. See smtpd_tls_eccert_file for further details. With Post‐
12347 fix >= 3.4 the preferred way to configure tlsproxy server keys and cer‐
12348 tificates is via the "tlsproxy_tls_chain_files" parameter.
12349
12350 This feature is available in Postfix 2.8 and later.
12351
12353 File with the Postfix tlsproxy(8) server ECDSA private key in PEM for‐
12354 mat. This file may be combined with the Postfix tlsproxy(8) server
12355 ECDSA certificate file specified with $smtpd_tls_eccert_file. See
12356 smtpd_tls_eckey_file for further details. With Postfix >= 3.4 the pre‐
12357 ferred way to configure tlsproxy server keys and certificates is via
12358 the "tlsproxy_tls_chain_files" parameter.
12359
12360 This feature is available in Postfix 2.8 and later.
12361
12363 The Postfix tlsproxy(8) server security grade for ephemeral ellip‐
12364 tic-curve Diffie-Hellman (EECDH) key exchange. See
12365 smtpd_tls_eecdh_grade for further details.
12366
12367 This feature is available in Postfix 2.8 and later.
12368
12370 List of ciphers or cipher types to exclude from the tlsproxy(8) server
12371 cipher list at all TLS security levels. See smtpd_tls_exclude_ciphers
12372 for further details.
12373
12374 This feature is available in Postfix 2.8 and later.
12375
12377 The message digest algorithm to construct remote SMTP client-certifi‐
12378 cate fingerprints. See smtpd_tls_fingerprint_digest for further
12379 details.
12380
12381 This feature is available in Postfix 2.8 and later.
12382
12384 File with the Postfix tlsproxy(8) server RSA private key in PEM format.
12385 This file may be combined with the Postfix tlsproxy(8) server RSA cer‐
12386 tificate file specified with $smtpd_tls_cert_file. See
12387 smtpd_tls_key_file for further details. With Postfix >= 3.4 the pre‐
12388 ferred way to configure tlsproxy server keys and certificates is via
12389 the "tlsproxy_tls_chain_files" parameter.
12390
12391 This feature is available in Postfix 2.8 and later.
12392
12394 Enable additional Postfix tlsproxy(8) server logging of TLS activity.
12395 Each logging level also includes the information that is logged at a
12396 lower logging level. See smtpd_tls_loglevel for further details.
12397
12398 This feature is available in Postfix 2.8 and later.
12399
12401 The minimum TLS cipher grade that the Postfix tlsproxy(8) server will
12402 use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
12403 further details.
12404
12405 This feature is available in Postfix 2.8 and later.
12406
12408 tory_exclude_ciphers)
12409 Additional list of ciphers or cipher types to exclude from the
12410 tlsproxy(8) server cipher list at mandatory TLS security levels. See
12411 smtpd_tls_mandatory_exclude_ciphers for further details.
12412
12413 This feature is available in Postfix 2.8 and later.
12414
12416 The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
12417 mandatory TLS encryption. If the list is empty, the server supports all
12418 available SSL/TLS protocol versions. See smtpd_tls_mandatory_protocols
12419 for further details.
12420
12421 This feature is available in Postfix 2.8 and later.
12422
12424 List of TLS protocols that the Postfix tlsproxy(8) server will exclude
12425 or include with opportunistic TLS encryption. See smtpd_tls_protocols
12426 for further details.
12427
12428 This feature is available in Postfix 2.8 and later.
12429
12431 With mandatory TLS encryption, require a trusted remote SMTP client
12432 certificate in order to allow TLS connections to proceed. See
12433 smtpd_tls_req_ccert for further details.
12434
12435 This feature is available in Postfix 2.8 and later.
12436
12438 The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
12439 non-empty value is specified, this overrides the obsolete parameters
12440 smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
12441 further details.
12442
12443 This feature is available in Postfix 2.8 and later.
12444
12446
12447 Obsolete expiration time of Postfix tlsproxy(8) server TLS session
12448 cache information. Since the cache is shared with smtpd(8) and managed
12449 by tlsmgr(8), there is only one expiration time for the SMTP server
12450 cache shared by all three services, namely smtpd_tls_ses‐
12451 sion_cache_timeout.
12452
12453 This feature is available in Postfix 2.8 and later.
12454
12456 Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
12457 but do not require that clients use TLS encryption. See smtpd_use_tls
12458 for further details.
12459
12460 This feature is available in Postfix 2.8 and later.
12461
12463 How much time a tlsproxy(8) process may take to process local or remote
12464 I/O before it is terminated by a built-in watchdog timer. This is a
12465 safety mechanism that prevents tlsproxy(8) from becoming non-responsive
12466 due to a bug in Postfix itself or in system software. To avoid false
12467 alarms and unnecessary cache corruption this limit cannot be set under
12468 10s.
12469
12470 Specify a non-zero time value (an integral value plus an optional
12471 one-letter suffix that specifies the time unit). Time units: s (sec‐
12472 onds), m (minutes), h (hours), d (days), w (weeks).
12473
12474 This feature is available in Postfix 2.8 and later
12475
12477 The name of the trace service. This service is implemented by the
12478 bounce(8) daemon and maintains a record of mail deliveries and produces
12479 a mail delivery report when verbose delivery is requested with "send‐
12480 mail -v".
12481
12482 This feature is available in Postfix 2.1 and later.
12483
12485 A transport-specific override for the default_delivery_slot_cost param‐
12486 eter value, where transport is the master.cf name of the message deliv‐
12487 ery transport.
12488
12489 Note: transport_delivery_slot_cost parameters will not show up in
12490 "postconf" command output before Postfix version 2.9. This limitation
12491 applies to many parameters whose name is a combination of a master.cf
12492 service name and a built-in suffix (in this case: "_deliv‐
12493 ery_slot_cost").
12494
12496 A transport-specific override for the default_delivery_slot_discount
12497 parameter value, where transport is the master.cf name of the message
12498 delivery transport.
12499
12500 Note: transport_delivery_slot_discount parameters will not show up in
12501 "postconf" command output before Postfix version 2.9. This limitation
12502 applies to many parameters whose name is a combination of a master.cf
12503 service name and a built-in suffix (in this case: "_delivery_slot_dis‐
12504 count").
12505
12507 A transport-specific override for the default_delivery_slot_loan param‐
12508 eter value, where transport is the master.cf name of the message deliv‐
12509 ery transport.
12510
12511 Note: transport_delivery_slot_loan parameters will not show up in
12512 "postconf" command output before Postfix version 2.9. This limitation
12513 applies to many parameters whose name is a combination of a master.cf
12514 service name and a built-in suffix (in this case: "_deliv‐
12515 ery_slot_loan").
12516
12518 tination_concurrency_failed_cohort_limit)
12519 A transport-specific override for the default_destination_concur‐
12520 rency_failed_cohort_limit parameter value, where transport is the mas‐
12521 ter.cf name of the message delivery transport.
12522
12523 Note: some transport_destination_concurrency_failed_cohort_limit param‐
12524 eters will not show up in "postconf" command output before Postfix ver‐
12525 sion 2.9. This limitation applies to many parameters whose name is a
12526 combination of a master.cf service name and a built-in suffix (in this
12527 case: "_destination_concurrency_failed_cohort_limit").
12528
12529 This feature is available in Postfix 2.5 and later.
12530
12532 rency_limit)
12533 A transport-specific override for the default_destination_concur‐
12534 rency_limit parameter value, where transport is the master.cf name of
12535 the message delivery transport.
12536
12537 Note: some transport_destination_concurrency_limit parameters will not
12538 show up in "postconf" command output before Postfix version 2.9. This
12539 limitation applies to many parameters whose name is a combination of a
12540 master.cf service name and a built-in suffix (in this case: "_destina‐
12541 tion_concurrency_limit").
12542
12544 nation_concurrency_negative_feedback)
12545 A transport-specific override for the default_destination_concur‐
12546 rency_negative_feedback parameter value, where transport is the mas‐
12547 ter.cf name of the message delivery transport.
12548
12549 Note: some transport_destination_concurrency_negative_feedback parame‐
12550 ters will not show up in "postconf" command output before Postfix ver‐
12551 sion 2.9. This limitation applies to many parameters whose name is a
12552 combination of a master.cf service name and a built-in suffix (in this
12553 case: "_destination_concurrency_negative_feedback").
12554
12555 This feature is available in Postfix 2.5 and later.
12556
12558 nation_concurrency_positive_feedback)
12559 A transport-specific override for the default_destination_concur‐
12560 rency_positive_feedback parameter value, where transport is the mas‐
12561 ter.cf name of the message delivery transport.
12562
12563 Note: some transport_destination_concurrency_positive_feedback parame‐
12564 ters will not show up in "postconf" command output before Postfix ver‐
12565 sion 2.9. This limitation applies to many parameters whose name is a
12566 combination of a master.cf service name and a built-in suffix (in this
12567 case: "_destination_concurrency_positive_feedback").
12568
12569 This feature is available in Postfix 2.5 and later.
12570
12572 A transport-specific override for the default_destination_rate_delay
12573 parameter value, where transport is the master.cf name of the message
12574 delivery transport.
12575
12576 Note: some transport_destination_rate_delay parameters will not show up
12577 in "postconf" command output before Postfix version 2.9. This limita‐
12578 tion applies to many parameters whose name is a combination of a mas‐
12579 ter.cf service name and a built-in suffix (in this case: "_destina‐
12580 tion_rate_delay").
12581
12582 This feature is available in Postfix 2.5 and later.
12583
12585 ent_limit)
12586 A transport-specific override for the default_destination_recipi‐
12587 ent_limit parameter value, where transport is the master.cf name of the
12588 message delivery transport.
12589
12590 Note: some transport_destination_recipient_limit parameters will not
12591 show up in "postconf" command output before Postfix version 2.9. This
12592 limitation applies to many parameters whose name is a combination of a
12593 master.cf service name and a built-in suffix (in this case: "_destina‐
12594 tion_recipient_limit").
12595
12597 A transport-specific override for the default_extra_recipient_limit
12598 parameter value, where transport is the master.cf name of the message
12599 delivery transport.
12600
12601 Note: transport_extra_recipient_limit parameters will not show up in
12602 "postconf" command output before Postfix version 2.9. This limitation
12603 applies to many parameters whose name is a combination of a master.cf
12604 service name and a built-in suffix (in this case: "_extra_recipi‐
12605 ent_limit").
12606
12608 currency)
12609 A transport-specific override for the initial_destination_concurrency
12610 parameter value, where transport is the master.cf name of the message
12611 delivery transport.
12612
12613 Note: some transport_initial_destination_concurrency parameters will
12614 not show up in "postconf" command output before Postfix version 2.9.
12615 This limitation applies to many parameters whose name is a combination
12616 of a master.cf service name and a built-in suffix (in this case: "_ini‐
12617 tial_destination_concurrency").
12618
12619 This feature is available in Postfix 2.5 and later.
12620
12622 Optional lookup tables with mappings from recipient address to (message
12623 delivery transport, next-hop destination). See transport(5) for
12624 details.
12625
12626 Specify zero or more "type:table" lookup tables, separated by white‐
12627 space or comma. Tables will be searched in the specified order until a
12628 match is found. If you use this feature with local files, run "postmap
12629 /etc/postfix/transport" after making a change.
12630
12631 Pattern matching of domain names is controlled by the presence or
12632 absence of "transport_maps" in the parent_domain_matches_subdomains
12633 parameter value.
12634
12635 For safety reasons, as of Postfix 2.3 this feature does not allow $num‐
12636 ber substitutions in regular expression maps.
12637
12638 Examples:
12639
12640 transport_maps = dbm:/etc/postfix/transport
12641 transport_maps = hash:/etc/postfix/transport
12642
12644 A transport-specific override for the default_minimum_delivery_slots
12645 parameter value, where transport is the master.cf name of the message
12646 delivery transport.
12647
12648 Note: transport_minimum_delivery_slots parameters will not show up in
12649 "postconf" command output before Postfix version 2.9. This limitation
12650 applies to many parameters whose name is a combination of a master.cf
12651 service name and a built-in suffix (in this case: "_minimum_deliv‐
12652 ery_slots").
12653
12655 A transport-specific override for the default_recipient_limit parameter
12656 value, where transport is the master.cf name of the message delivery
12657 transport.
12658
12659 Note: some transport_recipient_limit parameters will not show up in
12660 "postconf" command output before Postfix version 2.9. This limitation
12661 applies to many parameters whose name is a combination of a master.cf
12662 service name and a built-in suffix (in this case: "_recipient_limit").
12663
12665 A transport-specific override for the default_recipient_refill_delay
12666 parameter value, where transport is the master.cf name of the message
12667 delivery transport.
12668
12669 Note: transport_recipient_refill_delay parameters will not show up in
12670 "postconf" command output before Postfix version 2.9. This limitation
12671 applies to many parameters whose name is a combination of a master.cf
12672 service name and a built-in suffix (in this case: "_recipi‐
12673 ent_refill_delay").
12674
12675 This feature is available in Postfix 2.4 and later.
12676
12678 A transport-specific override for the default_recipient_refill_limit
12679 parameter value, where transport is the master.cf name of the message
12680 delivery transport.
12681
12682 Note: transport_recipient_refill_limit parameters will not show up in
12683 "postconf" command output before Postfix version 2.9. This limitation
12684 applies to many parameters whose name is a combination of a master.cf
12685 service name and a built-in suffix (in this case: "_recipi‐
12686 ent_refill_limit").
12687
12688 This feature is available in Postfix 2.4 and later.
12689
12691 The time between attempts by the Postfix queue manager to contact a
12692 malfunctioning message delivery transport.
12693
12694 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
12695 The default time unit is s (seconds).
12696
12698 A transport-specific override for the command_time_limit parameter
12699 value, where transport is the master.cf name of the message delivery
12700 transport.
12701
12702 Note: transport_time_limit parameters will not show up in "postconf"
12703 command output before Postfix version 2.9. This limitation applies to
12704 many parameters whose name is a combination of a master.cf service name
12705 and a built-in suffix (in this case: "_time_limit").
12706
12708 A transport-specific override for the default_transport_rate_delay
12709 parameter value, where the initial transport in the parameter name is
12710 the master.cf name of the message delivery transport.
12711
12713 The time limit for sending a trigger to a Postfix daemon (for example,
12714 the pickup(8) or qmgr(8) daemon). This time limit prevents programs
12715 from getting stuck when the mail system is under heavy load.
12716
12717 Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
12718 The default time unit is s (seconds).
12719
12721 Message header that the Postfix cleanup(8) server inserts when a mes‐
12722 sage contains no To: or Cc: message header. With Postfix 2.8 and later,
12723 the default value is empty. With Postfix 2.4-2.7, specify an empty
12724 value to disable this feature.
12725
12726 Example:
12727
12728 # Default value before Postfix 2.8.
12729 # Note: the ":" and ";" are both required.
12730 undisclosed_recipients_header = To: undisclosed-recipients:;
12731
12733 The numerical response code when the Postfix SMTP server rejects a
12734 sender or recipient address because its domain is unknown. This is one
12735 of the possible replies from the restrictions
12736 reject_unknown_sender_domain and reject_unknown_recipient_domain.
12737
12738 Do not change this unless you have a complete understanding of RFC
12739 5321.
12740
12742 The Postfix SMTP server's action when reject_unknown_sender_domain or
12743 reject_unknown_recipient_domain fail due to a temporary error condi‐
12744 tion. Specify "defer" to defer the remote SMTP client request immedi‐
12745 ately. With the default "defer_if_permit" action, the Postfix SMTP
12746 server continues to look for opportunities to reject mail, and defers
12747 the client request only if it would otherwise be accepted.
12748
12749 This feature is available in Postfix 2.6 and later.
12750
12752 The numerical Postfix SMTP server response code when a client without
12753 valid address <=> name mapping is rejected by the
12754 reject_unknown_client_hostname restriction. The SMTP server always
12755 replies with 450 when the mapping failed due to a temporary error con‐
12756 dition.
12757
12758 Do not change this unless you have a complete understanding of RFC
12759 5321.
12760
12762 The Postfix SMTP server's action when reject_unknown_helo_hostname
12763 fails due to a temporary error condition. Specify "defer" to defer the
12764 remote SMTP client request immediately. With the default "defer_if_per‐
12765 mit" action, the Postfix SMTP server continues to look for opportuni‐
12766 ties to reject mail, and defers the client request only if it would
12767 otherwise be accepted.
12768
12769 This feature is available in Postfix 2.6 and later.
12770
12772 The numerical Postfix SMTP server response code when the hostname spec‐
12773 ified with the HELO or EHLO command is rejected by the
12774 reject_unknown_helo_hostname restriction.
12775
12776 Do not change this unless you have a complete understanding of RFC
12777 5321.
12778
12780 The numerical Postfix SMTP server response code when a recipient
12781 address is local, and $local_recipient_maps specifies a list of lookup
12782 tables that does not match the recipient. A recipient address is local
12783 when its domain matches $mydestination, $proxy_interfaces or
12784 $inet_interfaces.
12785
12786 The default setting is 550 (reject mail) but it is safer to initially
12787 use 450 (try again later) so you have time to find out if your
12788 local_recipient_maps settings are OK.
12789
12790 Example:
12791
12792 unknown_local_recipient_reject_code = 450
12793
12794 This feature is available in Postfix 2.0 and later.
12795
12797 The numerical Postfix SMTP server reply code when a recipient address
12798 matches $relay_domains, and relay_recipient_maps specifies a list of
12799 lookup tables that does not match the recipient address.
12800
12801 This feature is available in Postfix 2.0 and later.
12802
12804 The Postfix SMTP server reply code when a recipient address matches
12805 $virtual_alias_domains, and $virtual_alias_maps specifies a list of
12806 lookup tables that does not match the recipient address.
12807
12808 This feature is available in Postfix 2.0 and later.
12809
12811 The Postfix SMTP server reply code when a recipient address matches
12812 $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
12813 lookup tables that does not match the recipient address.
12814
12815 This feature is available in Postfix 2.0 and later.
12816
12818 The numerical Postfix SMTP server response when a recipient address
12819 probe fails due to a temporary error condition.
12820
12821 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12822 address anyway.
12823
12824 Do not change this unless you have a complete understanding of RFC
12825 5321.
12826
12827 This feature is available in Postfix 2.6 and later.
12828
12830 The numerical Postfix SMTP server response when a recipient address is
12831 rejected by the reject_unverified_recipient restriction.
12832
12833 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12834 address anyway.
12835
12836 Do not change this unless you have a complete understanding of RFC
12837 5321.
12838
12839 This feature is available in Postfix 2.1 and later.
12840
12842 The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12843 fied_recipient. Do not include the numeric SMTP reply code or the
12844 enhanced status code. By default, the response includes actual address
12845 verification details.
12846
12847 Example:
12848
12849 unverified_recipient_reject_reason = Recipient address lookup failed
12850
12851 This feature is available in Postfix 2.6 and later.
12852
12854 The Postfix SMTP server's action when reject_unverified_recipient fails
12855 due to a temporary error condition. Specify "defer" to defer the remote
12856 SMTP client request immediately. With the default "defer_if_permit"
12857 action, the Postfix SMTP server continues to look for opportunities to
12858 reject mail, and defers the client request only if it would otherwise
12859 be accepted.
12860
12861 This feature is available in Postfix 2.6 and later.
12862
12864 The numerical Postfix SMTP server response code when a sender address
12865 probe fails due to a temporary error condition.
12866
12867 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12868 address anyway.
12869
12870 Do not change this unless you have a complete understanding of RFC
12871 5321.
12872
12873 This feature is available in Postfix 2.6 and later.
12874
12876 The numerical Postfix SMTP server response code when a recipient
12877 address is rejected by the reject_unverified_sender restriction.
12878
12879 Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12880 address anyway.
12881
12882 Do not change this unless you have a complete understanding of RFC
12883 5321.
12884
12885 This feature is available in Postfix 2.1 and later.
12886
12888 The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12889 fied_sender. Do not include the numeric SMTP reply code or the enhanced
12890 status code. By default, the response includes actual address verifica‐
12891 tion details.
12892
12893 Example:
12894
12895 unverified_sender_reject_reason = Sender address lookup failed
12896
12897 This feature is available in Postfix 2.6 and later.
12898
12900 The Postfix SMTP server's action when reject_unverified_sender fails
12901 due to a temporary error condition. Specify "defer" to defer the remote
12902 SMTP client request immediately. With the default "defer_if_permit"
12903 action, the Postfix SMTP server continues to look for opportunities to
12904 reject mail, and defers the client request only if it would otherwise
12905 be accepted.
12906
12907 This feature is available in Postfix 2.6 and later.
12908
12910 The characters Postfix accepts as VERP delimiter characters on the
12911 Postfix sendmail(1) command line and in SMTP commands.
12912
12913 This feature is available in Postfix 1.1 and later.
12914
12916 The maximal length of an email address after virtual alias expansion.
12917 This stops virtual aliasing loops that increase the address length
12918 exponentially.
12919
12920 This feature is available in Postfix 3.0 and later.
12921
12923 Postfix is final destination for the specified list of virtual alias
12924 domains, that is, domains for which all addresses are aliased to
12925 addresses in other local or remote domains. The SMTP server validates
12926 recipient addresses with $virtual_alias_maps and rejects non-existent
12927 recipients. See also the virtual alias domain class in the
12928 ADDRESS_CLASS_README file
12929
12930 This feature is available in Postfix 2.0 and later. The default value
12931 is backwards compatible with Postfix version 1.1.
12932
12933 The default value is $virtual_alias_maps so that you can keep all
12934 information about virtual alias domains in one place. If you have many
12935 users, it is better to separate information that changes more fre‐
12936 quently (virtual address -> local or remote address mapping) from
12937 information that changes less frequently (the list of virtual domain
12938 names).
12939
12940 Specify a list of host or domain names, "/file/name" or "type:table"
12941 patterns, separated by commas and/or whitespace. A "/file/name" pattern
12942 is replaced by its contents; a "type:table" lookup table is matched
12943 when a table entry matches a lookup string (the lookup result is
12944 ignored). Continue long lines by starting the next line with white‐
12945 space. Specify "!pattern" to exclude a host or domain name from the
12946 list. The form "!/file/name" is supported only in Postfix version 2.4
12947 and later.
12948
12949 See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
12950 ther information.
12951
12952 Example:
12953
12954 virtual_alias_domains = virtual1.tld virtual2.tld
12955
12957 The maximal number of addresses that virtual alias expansion produces
12958 from each original recipient.
12959
12960 This feature is available in Postfix 2.1 and later.
12961
12963 Optional lookup tables that alias specific mail addresses or domains to
12964 other local or remote address. The table format and lookups are docu‐
12965 mented in virtual(5). For an overview of Postfix address manipulations
12966 see the ADDRESS_REWRITING_README document.
12967
12968 This feature is available in Postfix 2.0 and later. The default value
12969 is backwards compatible with Postfix version 1.1.
12970
12971 Specify zero or more "type:name" lookup tables, separated by whitespace
12972 or comma. Tables will be searched in the specified order until a match
12973 is found. Note: these lookups are recursive.
12974
12975 If you use this feature with indexed files, run "postmap /etc/post‐
12976 fix/virtual" after changing the file.
12977
12978 Examples:
12979
12980 virtual_alias_maps = dbm:/etc/postfix/virtual
12981 virtual_alias_maps = hash:/etc/postfix/virtual
12982
12984 The maximal nesting depth of virtual alias expansion. Currently the
12985 recursion limit is applied only to the left branch of the expansion
12986 graph, so the depth of the tree can in the worst case reach the sum of
12987 the expansion and recursion limits. This may change in the future.
12988
12989 This feature is available in Postfix 2.1 and later.
12990
12992 Optional filter for the virtual(8) delivery agent to change the deliv‐
12993 ery status code or explanatory text of successful or unsuccessful
12994 deliveries. See default_delivery_status_filter for details.
12995
12996 This feature is available in Postfix 3.0 and later.
12997
12999 rency_limit)
13000 The maximal number of parallel deliveries to the same destination via
13001 the virtual message delivery transport. This limit is enforced by the
13002 queue manager. The message delivery transport name is the first field
13003 in the entry in the master.cf file.
13004
13006 ent_limit)
13007 The maximal number of recipients per message for the virtual message
13008 delivery transport. This limit is enforced by the queue manager. The
13009 message delivery transport name is the first field in the entry in the
13010 master.cf file.
13011
13012 Setting this parameter to a value of 1 changes the meaning of vir‐
13013 tual_destination_concurrency_limit from concurrency per domain into
13014 concurrency per recipient.
13015
13017 Lookup tables with the per-recipient group ID for virtual(8) mailbox
13018 delivery.
13019
13020 This parameter is specific to the virtual(8) delivery agent. It does
13021 not apply when mail is delivered with a different mail delivery pro‐
13022 gram.
13023
13024 Specify zero or more "type:name" lookup tables, separated by whitespace
13025 or comma. Tables will be searched in the specified order until a match
13026 is found.
13027
13028 In a lookup table, specify a left-hand side of "@domain.tld" to match
13029 any user in the specified domain that does not have a specific
13030 "user@domain.tld" entry.
13031
13032 When a recipient address has an optional address extension
13033 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13034 address first, and when the lookup fails, it looks up the unextended
13035 address (user@domain.tld).
13036
13037 Note 1: for security reasons, the virtual(8) delivery agent disallows
13038 regular expression substitution of $1 etc. in regular expression lookup
13039 tables, because that would open a security hole.
13040
13041 Note 2: for security reasons, the virtual(8) delivery agent will
13042 silently ignore requests to use the proxymap(8) server. Instead it will
13043 open the table directly. Before Postfix version 2.2, the virtual(8)
13044 delivery agent will terminate with a fatal error.
13045
13047 A prefix that the virtual(8) delivery agent prepends to all pathname
13048 results from $virtual_mailbox_maps table lookups. This is a safety
13049 measure to ensure that an out of control map doesn't litter the file
13050 system with mailboxes. While virtual_mailbox_base could be set to "/",
13051 this setting isn't recommended.
13052
13053 This parameter is specific to the virtual(8) delivery agent. It does
13054 not apply when mail is delivered with a different mail delivery pro‐
13055 gram.
13056
13057 Example:
13058
13059 virtual_mailbox_base = /var/mail
13060
13062 Postfix is final destination for the specified list of domains; mail is
13063 delivered via the $virtual_transport mail delivery transport. By
13064 default this is the Postfix virtual(8) delivery agent. The SMTP server
13065 validates recipient addresses with $virtual_mailbox_maps and rejects
13066 mail for non-existent recipients. See also the virtual mailbox domain
13067 class in the ADDRESS_CLASS_README file.
13068
13069 This parameter expects the same syntax as the mydestination configura‐
13070 tion parameter.
13071
13072 This feature is available in Postfix 2.0 and later. The default value
13073 is backwards compatible with Postfix version 1.1.
13074
13076 The maximal size in bytes of an individual virtual(8) mailbox or
13077 maildir file, or zero (no limit).
13078
13079 This parameter is specific to the virtual(8) delivery agent. It does
13080 not apply when mail is delivered with a different mail delivery pro‐
13081 gram.
13082
13084 How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
13085 For a list of available file locking methods, use the "postconf -l"
13086 command.
13087
13088 This parameter is specific to the virtual(8) delivery agent. It does
13089 not apply when mail is delivered with a different mail delivery pro‐
13090 gram.
13091
13092 This setting is ignored with maildir style delivery, because such
13093 deliveries are safe without application-level locks.
13094
13095 Note 1: the dotlock method requires that the recipient UID or GID has
13096 write access to the parent directory of the recipient's mailbox file.
13097
13098 Note 2: the default setting of this parameter is system dependent.
13099
13101 Optional lookup tables with all valid addresses in the domains that
13102 match $virtual_mailbox_domains.
13103
13104 Specify zero or more "type:name" lookup tables, separated by whitespace
13105 or comma. Tables will be searched in the specified order until a match
13106 is found.
13107
13108 In a lookup table, specify a left-hand side of "@domain.tld" to match
13109 any user in the specified domain that does not have a specific
13110 "user@domain.tld" entry.
13111
13112 The remainder of this text is specific to the virtual(8) delivery
13113 agent. It does not apply when mail is delivered with a different mail
13114 delivery program.
13115
13116 The virtual(8) delivery agent uses this table to look up the per-recip‐
13117 ient mailbox or maildir pathname. If the lookup result ends in a slash
13118 ("/"), maildir-style delivery is carried out, otherwise the path is
13119 assumed to specify a UNIX-style mailbox file. Note that $virtual_mail‐
13120 box_base is unconditionally prepended to this path.
13121
13122 When a recipient address has an optional address extension
13123 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13124 address first, and when the lookup fails, it looks up the unextended
13125 address (user@domain.tld).
13126
13127 Note 1: for security reasons, the virtual(8) delivery agent disallows
13128 regular expression substitution of $1 etc. in regular expression lookup
13129 tables, because that would open a security hole.
13130
13131 Note 2: for security reasons, the virtual(8) delivery agent will
13132 silently ignore requests to use the proxymap(8) server. Instead it will
13133 open the table directly. Before Postfix version 2.2, the virtual(8)
13134 delivery agent will terminate with a fatal error.
13135
13137 Optional lookup tables with a) names of domains for which all addresses
13138 are aliased to addresses in other local or remote domains, and b)
13139 addresses that are aliased to addresses in other local or remote
13140 domains. Available before Postfix version 2.0. With Postfix version
13141 2.0 and later, this is replaced by separate controls: vir‐
13142 tual_alias_domains and virtual_alias_maps.
13143
13145 The minimum user ID value that the virtual(8) delivery agent accepts as
13146 a result from $virtual_uid_maps table lookup. Returned values less
13147 than this will be rejected, and the message will be deferred.
13148
13149 This parameter is specific to the virtual(8) delivery agent. It does
13150 not apply when mail is delivered with a different mail delivery pro‐
13151 gram.
13152
13154 The default mail delivery transport and next-hop destination for final
13155 delivery to domains listed with $virtual_mailbox_domains. This infor‐
13156 mation can be overruled with the transport(5) table.
13157
13158 Specify a string of the form transport:nexthop, where transport is the
13159 name of a mail delivery transport defined in master.cf. The :nexthop
13160 destination is optional; its syntax is documented in the manual page of
13161 the corresponding delivery agent.
13162
13163 This feature is available in Postfix 2.0 and later.
13164
13166 Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
13167 ery agent uses while writing to the recipient's mailbox.
13168
13169 This parameter is specific to the virtual(8) delivery agent. It does
13170 not apply when mail is delivered with a different mail delivery pro‐
13171 gram.
13172
13173 Specify zero or more "type:name" lookup tables, separated by whitespace
13174 or comma. Tables will be searched in the specified order until a match
13175 is found.
13176
13177 In a lookup table, specify a left-hand side of "@domain.tld" to match
13178 any user in the specified domain that does not have a specific
13179 "user@domain.tld" entry.
13180
13181 When a recipient address has an optional address extension
13182 (user+foo@domain.tld), the virtual(8) delivery agent looks up the full
13183 address first, and when the lookup fails, it looks up the unextended
13184 address (user@domain.tld).
13185
13186 Note 1: for security reasons, the virtual(8) delivery agent disallows
13187 regular expression substitution of $1 etc. in regular expression lookup
13188 tables, because that would open a security hole.
13189
13190 Note 2: for security reasons, the virtual(8) delivery agent will
13191 silently ignore requests to use the proxymap(8) server. Instead it will
13192 open the table directly. Before Postfix version 2.2, the virtual(8)
13193 delivery agent will terminate with a fatal error.
13194
13196 postconf(1), Postfix configuration parameter maintenance
13197 master(5), Postfix daemon configuration maintenance
13198
13200 The Secure Mailer license must be distributed with this software.
13201
13203 Wietse Venema
13204 IBM T.J. Watson Research
13205 P.O. Box 704
13206 Yorktown Heights, NY 10598, USA
13207
13208 Wietse Venema
13209 Google, Inc.
13210 111 8th Avenue
13211 New York, NY 10011, USA
13212
13213 Viktor Dukhovni
13214
13215
13216
13217 POSTCONF(5)