1POSTCONF(5)                   File Formats Manual                  POSTCONF(5)
2
3
4

NAME

6       postconf - Postfix configuration parameters
7

SYNOPSIS

9       postconf parameter ...
10
11       postconf -e "parameter=value" ...
12

DESCRIPTION

14       The  Postfix  main.cf configuration file specifies parameters that con‐
15       trol the operation of the Postfix mail system. Typically the file  con‐
16       tains  only  a small subset of all parameters; parameters not specified
17       are left at their default values.
18
19       The general format of the main.cf file is as follows:
20
21       ·      Each logical line has the form "parameter = value".   Whitespace
22              around the "=" is ignored, as is whitespace at the end of a log‐
23              ical line.
24
25       ·      Empty lines and whitespace-only lines are ignored, as are  lines
26              whose first non-whitespace character is a `#'.
27
28       ·      A  logical  line  starts  with  non-whitespace text. A line that
29              starts with whitespace continues a logical line.
30
31       ·      A parameter value may refer to other parameters.
32
33              ·      The expressions "$name"  and  "${name}"  are  recursively
34                     replaced  with  the  value  of  the  named parameter. The
35                     parameter name must contain only characters from the  set
36                     [a-zA-Z0-9_].  An  undefined  parameter value is replaced
37                     with the empty value.
38
39              ·      The expressions "${name?value}" and "${name?{value}}" are
40                     replaced  with  "value"  when  "$name"  is non-empty. The
41                     parameter name must contain only characters from the  set
42                     [a-zA-Z0-9_]. These forms are supported with Postfix ver‐
43                     sions >= 2.2 and >= 3.0, respectively.
44
45              ·      The expressions "${name:value}" and "${name:{value}}" are
46                     replaced  with "value" when "$name" is empty. The parame‐
47                     ter name must contain only characters from the set [a-zA-
48                     Z0-9_].  These  forms are supported with Postfix versions
49                     >= 2.2 and >= 3.0, respectively.
50
51              ·      The expression  "${name?{value1}:{value2}}"  is  replaced
52                     with   "value1"  when  "$name"  is  non-empty,  and  with
53                     "value2" when "$name" is empty.  The "{}" is required for
54                     "value1",  optional for "value2". The parameter name must
55                     contain only characters from the set [a-zA-Z0-9_].   This
56                     form is supported with Postfix versions >= 3.0.
57
58              ·      The  first  item  inside  "${...}"  may  be  a relational
59                     expression of the form: "{value3} ==  {value4}".  Besides
60                     the   "=="  (equality)  operator  Postfix  supports  "!="
61                     (inequality), "<", "<=", ">=", and ">". The comparison is
62                     numerical  when  both  operands are all digits, otherwise
63                     the comparison is lexicographical. These forms  are  sup‐
64                     ported with Postfix versions >= 3.0.
65
66              ·      Each  "value" is subject to recursive named parameter and
67                     relational expression evaluation, except where noted.
68
69              ·      Whitespace before or after each "{value}" is ignored.
70
71              ·      Specify "$$" to produce a single "$" character.
72
73              ·      The legacy form "$(...)" is equivalent to  the  preferred
74                     form "${...}".
75
76       ·      When the same parameter is defined multiple times, only the last
77              instance is remembered.
78
79       ·      Otherwise, the order of main.cf parameter definitions  does  not
80              matter.
81
82       The remainder of this document is a description of all Postfix configu‐
83       ration parameters. Default values are shown after the parameter name in
84       parentheses, and can be looked up with the "postconf -d" command.
85
86       Note:  this  is not an invitation to make changes to Postfix configura‐
87       tion parameters. Unnecessary changes can impair the  operation  of  the
88       mail system.
89

2bounce_notice_recipient (default: postmaster)

91       The  recipient  of  undeliverable  mail  that cannot be returned to the
92       sender.  This feature is enabled with the notify_classes parameter.
93

access_map_defer_code (default: 450)

95       The numerical Postfix SMTP server response code for  an  access(5)  map
96       "defer" action, including "defer_if_permit" or "defer_if_reject". Prior
97       to Postfix 2.6, the response is hard-coded as "450".
98
99       Do not change this unless you have  a  complete  understanding  of  RFC
100       5321.
101
102       This feature is available in Postfix 2.6 and later.
103

access_map_reject_code (default: 554)

105       The  numerical  Postfix  SMTP server response code for an access(5) map
106       "reject" action.
107
108       Do not change this unless you have  a  complete  understanding  of  RFC
109       5321.
110

address_verify_cache_cleanup_interval (default: 12h)

112       The  amount  of  time  between  verify(8) address verification database
113       cleanup runs. This feature requires  that  the  database  supports  the
114       "delete"  and "sequence" operators.  Specify a zero interval to disable
115       database cleanup.
116
117       After each database cleanup run, the verify(8) daemon logs  the  number
118       of  entries  that were retained and dropped. A cleanup run is logged as
119       "partial" when the daemon  terminates  early  after  "postfix  reload",
120       "postfix stop", or no requests for $max_idle seconds.
121
122       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
123
124       This feature is available in Postfix 2.7.
125

address_verify_default_transport (default: $default_transport)

127       Overrides the default_transport parameter setting for address verifica‐
128       tion probes.
129
130       This feature is available in Postfix 2.1 and later.
131

address_verify_local_transport (default: $local_transport)

133       Overrides the local_transport parameter setting for  address  verifica‐
134       tion probes.
135
136       This feature is available in Postfix 2.1 and later.
137

address_verify_map (default: see postconf -d output)

139       Lookup  table  for persistent address verification status storage.  The
140       table is maintained by the verify(8) service, and is opened before  the
141       process releases privileges.
142
143       The  lookup  table  is  persistent  by default (Postfix 2.7 and later).
144       Specify an empty table name to keep the information in volatile  memory
145       which  is  lost  after  "postfix reload" or "postfix stop". This is the
146       default with Postfix version 2.6 and earlier.
147
148       Specify a location in a file system that will not fill up. If the data‐
149       base  becomes  corrupted,  the world comes to an end. To recover delete
150       (NOT: truncate) the file and do "postfix reload".
151
152       Postfix daemon processes do not use root privileges when  opening  this
153       file  (Postfix 2.5 and later).  The file must therefore be stored under
154       a Postfix-owned directory such as the data_directory.  As  a  migration
155       aid, an attempt to open the file under a non-Postfix directory is redi‐
156       rected to the Postfix-owned data_directory, and a warning is logged.
157
158       Examples:
159
160       address_verify_map = hash:/var/lib/postfix/verify
161       address_verify_map = btree:/var/lib/postfix/verify
162
163       This feature is available in Postfix 2.1 and later.
164

address_verify_negative_cache (default: yes)

166       Enable caching of failed address verification probe results.  When this
167       feature  is  enabled, the cache may pollute quickly with garbage.  When
168       this feature is disabled, Postfix will generate an  address  probe  for
169       every lookup.
170
171       This feature is available in Postfix 2.1 and later.
172

address_verify_negative_expire_time (default: 3d)

174       The  time after which a failed probe expires from the address verifica‐
175       tion cache.
176
177       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
178
179       This feature is available in Postfix 2.1 and later.
180

address_verify_negative_refresh_time (default: 3h)

182       The time after which a failed address verification probe  needs  to  be
183       refreshed.
184
185       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
186
187       This feature is available in Postfix 2.1 and later.
188

address_verify_pending_request_limit (default: see postconf -d output)

190       A  safety  limit that prevents address verification requests from over‐
191       whelming the Postfix queue. By default, the number of pending  requests
192       is  limited  to  1/4  of  the  active  queue  maximum  size  (qmgr_mes‐
193       sage_active_limit). The queue manager enforces the limit by tempfailing
194       requests that exceed the limit. This affects only unknown addresses and
195       inactive addresses that have  expired,  because  the  verify(8)  daemon
196       automatically refreshes an active address before it expires.
197
198       This feature is available in Postfix 3.1 and later.
199

address_verify_poll_count (default: normal: 3, overload: 1)

201       How  many times to query the verify(8) service for the completion of an
202       address verification request in progress.
203
204       By default, the Postfix SMTP server polls the verify(8) service  up  to
205       three  times  under  non-overload  conditions, and only once when under
206       overload.  With Postfix version 2.5 and earlier, the SMTP server always
207       polls the verify(8) service up to three times by default.
208
209       Specify  1  to  implement  a crude form of greylisting, that is, always
210       defer the first delivery request for a new address.
211
212       Examples:
213
214       # Postfix <= 2.6 default
215       address_verify_poll_count = 3
216       # Poor man's greylisting
217       address_verify_poll_count = 1
218
219       This feature is available in Postfix 2.1 and later.
220

address_verify_poll_delay (default: 3s)

222       The delay between queries for the completion of an address verification
223       request in progress.
224
225       The default polling delay is 3 seconds.
226
227       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
228
229       This feature is available in Postfix 2.1 and later.
230

address_verify_positive_expire_time (default: 31d)

232       The  time after which a successful probe expires from the address veri‐
233       fication cache.
234
235       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
236
237       This feature is available in Postfix 2.1 and later.
238

address_verify_positive_refresh_time (default: 7d)

240       The time after which a successful address verification probe  needs  to
241       be  refreshed.  The address verification status is not updated when the
242       probe fails (optimistic caching).
243
244       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
245
246       This feature is available in Postfix 2.1 and later.
247

address_verify_relay_transport (default: $relay_transport)

249       Overrides the relay_transport parameter setting for  address  verifica‐
250       tion probes.
251
252       This feature is available in Postfix 2.1 and later.
253

address_verify_relayhost (default: $relayhost)

255       Overrides  the  relayhost  parameter  setting  for address verification
256       probes. This information can be overruled with the transport(5) table.
257
258       This feature is available in Postfix 2.1 and later.
259

address_verify_sender (default: $double_bounce_sender)

261       The sender address to use in  address  verification  probes;  prior  to
262       Postfix  2.5  the  default  was  "postmaster".  To  avoid problems with
263       address probes that are sent in response to address probes, the Postfix
264       SMTP  server  excludes  the  probe sender address from all SMTPD access
265       blocks.
266
267       Specify an empty value (address_verify_sender =) or <> if you  want  to
268       use  the  null  sender address. Beware, some sites reject mail from <>,
269       even though RFCs require that such addresses be accepted.
270
271       Examples:
272
273       address_verify_sender = <>
274       address_verify_sender = postmaster@my.domain
275
276       This feature is available in Postfix 2.1 and later.
277

address_verify_sender_dependent_default_transport_maps (default:

279       $sender_dependent_default_transport_maps)
280       Overrides the sender_dependent_default_transport_maps parameter setting
281       for address verification probes.
282
283       This feature is available in Postfix 2.7 and later.
284

address_verify_sender_dependent_relayhost_maps (default: $sender_depen‐

286       dent_relayhost_maps)
287       Overrides  the  sender_dependent_relayhost_maps  parameter  setting for
288       address verification probes.
289
290       This feature is available in Postfix 2.3 and later.
291

address_verify_sender_ttl (default: 0s)

293       The time between changes in the time-dependent portion of address veri‐
294       fication probe sender addresses. The time-dependent portion is appended
295       to the  localpart  of  the  address  specified  with  the  address_ver‐
296       ify_sender  parameter.  This  feature  is ignored when the probe sender
297       addresses is the null sender, i.e. the address_verify_sender  value  is
298       empty or <>.
299
300       Historically,  the probe sender address was fixed. This has caused such
301       addresses to end up on spammer  mailing  lists,  and  has  resulted  in
302       wasted network and processing resources.
303
304       To  enable  time-dependent  probe  sender addresses, specify a non-zero
305       time value (an integral value plus an optional one-letter  suffix  that
306       specifies  the  time unit).  Specify a value of at least several hours,
307       to avoid problems with senders that use greylisting.   Avoid  nice  TTL
308       values,  to  make the result less predictable.  Time units are: s (sec‐
309       onds), m (minutes), h (hours), d (days), w (weeks).
310
311       This feature is available in Postfix 2.9 and later.
312

address_verify_service_name (default: verify)

314       The name of the verify(8) address verification  service.  This  service
315       maintains  the  status  of sender and/or recipient address verification
316       probes, and generates probes on request by other Postfix processes.
317

address_verify_transport_maps (default: $transport_maps)

319       Overrides the transport_maps parameter setting for address verification
320       probes.
321
322       This feature is available in Postfix 2.1 and later.
323

address_verify_virtual_transport (default: $virtual_transport)

325       Overrides the virtual_transport parameter setting for address verifica‐
326       tion probes.
327
328       This feature is available in Postfix 2.1 and later.
329

alias_database (default: see postconf -d output)

331       The alias  databases  for  local(8)  delivery  that  are  updated  with
332       "newaliases" or with "sendmail -bi".
333
334       This  is  a separate configuration parameter because not all the tables
335       specified with $alias_maps have to be local files.
336
337       Examples:
338
339       alias_database = hash:/etc/aliases
340       alias_database = hash:/etc/mail/aliases
341

alias_maps (default: see postconf -d output)

343       The alias databases that are used for local(8) delivery. See aliases(5)
344       for  syntax  details.   Specify zero or more "type:name" lookup tables,
345       separated by whitespace or comma. Tables will be searched in the speci‐
346       fied order until a match is found.  Note: these lookups are recursive.
347
348       The default list is system dependent.  On systems with NIS, the default
349       is to search the local alias database, then the NIS alias database.
350
351       If you change the alias  database,  run  "postalias  /etc/aliases"  (or
352       wherever  your  system  stores  the  mail  alias  file),  or simply run
353       "newaliases" to build the necessary DBM or DB file.
354
355       The local(8) delivery agent disallows regular  expression  substitution
356       of $1 etc. in alias_maps, because that would open a security hole.
357
358       The  local(8)  delivery  agent will silently ignore requests to use the
359       proxymap(8) server within alias_maps. Instead it will  open  the  table
360       directly.  Before Postfix version 2.2, the local(8) delivery agent will
361       terminate with a fatal error.
362
363       Examples:
364
365       alias_maps = hash:/etc/aliases, nis:mail.aliases
366       alias_maps = hash:/etc/aliases
367

allow_mail_to_commands (default: alias, forward)

369       Restrict local(8) mail delivery to external commands.  The  default  is
370       to  disallow delivery to "|command" in :include:  files (see aliases(5)
371       for the text that defines this terminology).
372
373       Specify zero or more of: alias, forward or include, in order  to  allow
374       commands  in aliases(5), .forward files or in :include:  files, respec‐
375       tively.
376
377       Example:
378
379       allow_mail_to_commands = alias,forward,include
380

allow_mail_to_files (default: alias, forward)

382       Restrict local(8) mail delivery to external files. The  default  is  to
383       disallow  "/file/name" destinations in :include:  files (see aliases(5)
384       for the text that defines this terminology).
385
386       Specify zero or more of: alias, forward or include, in order  to  allow
387       "/file/name"   destinations   in  aliases(5),  .forward  files  and  in
388       :include:  files, respectively.
389
390       Example:
391
392       allow_mail_to_files = alias,forward,include
393

allow_min_user (default: no)

395       Allow a sender or recipient address to have `-' as the first character.
396       By  default, this is not allowed, to avoid accidents with software that
397       passes email addresses via the command line. Such software would not be
398       able  to  distinguish a malicious address from a bona fide command-line
399       option. Although this can be prevented by inserting a "--" option  ter‐
400       minator  into  the  command  line, this is difficult to enforce consis‐
401       tently and globally.
402
403       As of Postfix version 2.5, this feature is implemented  by  trivial-re‐
404       write(8).   With  earlier  versions  this  feature  was  implemented by
405       qmgr(8) and was limited to recipient addresses only.
406

allow_percent_hack (default: yes)

408       Enable the rewriting of the form "user%domain" to "user@domain".   This
409       is enabled by default.
410
411       Note:  as of Postfix version 2.2, message header address rewriting hap‐
412       pens only when one of the following conditions is true:
413
414       ·      The message is received with the Postfix sendmail(1) command,
415
416       ·      The message is received  from  a  network  client  that  matches
417              $local_header_rewrite_clients,
418
419       ·      The   message   is   received   from   the   network,   and  the
420              remote_header_rewrite_domain  parameter  specifies  a  non-empty
421              value.
422
423       To   get   the   behavior   before   Postfix   version   2.2,   specify
424       "local_header_rewrite_clients = static:all".
425
426       Example:
427
428       allow_percent_hack = no
429

allow_untrusted_routing (default: no)

431       Forward mail with sender-specified  routing  (user[@%!]remote[@%!]site)
432       from untrusted clients to destinations matching $relay_domains.
433
434       By default, this feature is turned off.  This closes a nasty open relay
435       loophole where a backup MX host can be  tricked  into  forwarding  junk
436       mail to a primary MX host which then spams it out to the world.
437
438       This  parameter also controls if non-local addresses with sender-speci‐
439       fied  routing  can  match  Postfix  access  tables.  By  default,  such
440       addresses  cannot  match  Postfix access tables, because the address is
441       ambiguous.
442

alternate_config_directories (default: empty)

444       A list of non-default Postfix configuration  directories  that  may  be
445       specified  with  "-c config_directory" on the command line (in the case
446       of sendmail(1), with the "-C" option), or via the MAIL_CONFIG  environ‐
447       ment parameter.
448
449       This  list  must  be specified in the default Postfix main.cf file, and
450       will be used by set-gid Postfix commands such as postqueue(1) and post‐
451       drop(1).
452
453       Specify  absolute  pathnames,  separated by comma or space. Note: $name
454       expansion is not supported.
455

always_add_missing_headers (default: no)

457       Always add (Resent-) From:, To:, Date: or Message-ID: headers when  not
458       present.   Postfix  2.6  and  later add these headers only when clients
459       match  the  local_header_rewrite_clients  parameter  setting.   Earlier
460       Postfix  versions  always add these headers; this may break DKIM signa‐
461       tures  that  cover  non-existent  headers.    The   undisclosed_recipi‐
462       ents_header  parameter  setting determines whether a To: header will be
463       added.
464

always_bcc (default: empty)

466       Optional address that receives a "blind carbon copy"  of  each  message
467       that is received by the Postfix mail system.
468
469       Note:  with Postfix 2.3 and later the BCC address is added as if it was
470       specified with NOTIFY=NONE. The sender will not be  notified  when  the
471       BCC  address  is  undeliverable,  as  long  as all down-stream software
472       implements RFC 3461.
473
474       Note: with Postfix 2.2 and earlier the sender will be notified when the
475       BCC address is undeliverable.
476
477       Note:  automatic  BCC  recipients  are  produced only for new mail.  To
478       avoid mailer loops, automatic BCC recipients are  not  generated  after
479       Postfix  forwards  mail  internally,  or  after  Postfix generates mail
480       itself.
481

anvil_rate_time_unit (default: 60s)

483       The time unit over which client connection rates and  other  rates  are
484       calculated.
485
486       This  feature is implemented by the anvil(8) service which is available
487       in Postfix version 2.2 and later.
488
489       The default interval is relatively short. Because of the high frequency
490       of updates, the anvil(8) server uses volatile memory only. Thus, infor‐
491       mation is lost whenever the process terminates.
492
493       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
494       The default time unit is s (seconds).
495

anvil_status_update_time (default: 600s)

497       How  frequently  the  anvil(8) connection and rate limiting server logs
498       peak usage information.
499
500       This feature is available in Postfix 2.2 and later.
501
502       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
503       The default time unit is s (seconds).
504

append_at_myorigin (default: yes)

506       With  locally  submitted  mail,  append the string "@$myorigin" to mail
507       addresses without domain information.  With  remotely  submitted  mail,
508       append the string "@$remote_header_rewrite_domain" instead.
509
510       Note  1: this feature is enabled by default and must not be turned off.
511       Postfix does not support domain-less addresses.
512
513       Note 2: with Postfix version 2.2, message header address rewriting hap‐
514       pens only when one of the following conditions is true:
515
516       ·      The message is received with the Postfix sendmail(1) command,
517
518       ·      The  message  is  received  from  a  network client that matches
519              $local_header_rewrite_clients,
520
521       ·      The  message   is   received   from   the   network,   and   the
522              remote_header_rewrite_domain  parameter  specifies  a  non-empty
523              value.
524
525       To   get   the   behavior   before   Postfix   version   2.2,   specify
526       "local_header_rewrite_clients = static:all".
527

append_dot_mydomain (default: Postfix >= 3.0: no, Postfix < 3.0: yes)

529       With   locally  submitted  mail,  append  the  string  ".$mydomain"  to
530       addresses that have no ".domain" information. With  remotely  submitted
531       mail, append the string ".$remote_header_rewrite_domain" instead.
532
533       Note 1: this feature is enabled by default. If disabled, users will not
534       be able to send mail to "user@partialdomainname" but will have to spec‐
535       ify full domain names instead.
536
537       Note 2: with Postfix version 2.2, message header address rewriting hap‐
538       pens only when one of the following conditions is true:
539
540       ·      The message is received with the Postfix sendmail(1) command,
541
542       ·      The message is received  from  a  network  client  that  matches
543              $local_header_rewrite_clients,
544
545       ·      The   message   is   received   from   the   network,   and  the
546              remote_header_rewrite_domain  parameter  specifies  a  non-empty
547              value.
548
549       To   get   the   behavior   before   Postfix   version   2.2,   specify
550       "local_header_rewrite_clients = static:all".
551

application_event_drain_time (default: 100s)

553       How long the postkick(1) command waits for a request to enter the Post‐
554       fix daemon process input buffer before giving up.
555
556       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
557       The default time unit is s (seconds).
558
559       This feature is available in Postfix 2.1 and later.
560

authorized_flush_users (default: static:anyone)

562       List of users who are authorized to flush the queue.
563
564       By default, all users are allowed to flush the queue.  Access is always
565       granted if the invoking user is the super-user or the $mail_owner user.
566       Otherwise, the real UID of the process is looked up in the system pass‐
567       word  file,  and access is granted only if the corresponding login name
568       is on the access list.  The username "unknown" is  used  for  processes
569       whose real UID is not found in the password file.
570
571       Specify  a  list  of user names, "/file/name" or "type:table" patterns,
572       separated by commas and/or whitespace. The  list  is  matched  left  to
573       right,  and the search stops on the first match. A "/file/name" pattern
574       is replaced by its contents; a "type:table"  lookup  table  is  matched
575       when  a name matches a lookup key (the lookup result is ignored).  Con‐
576       tinue long lines by starting the next  line  with  whitespace.  Specify
577       "!pattern"  to  exclude a name from the list. The form "!/file/name" is
578       supported only in Postfix version 2.4 and later.
579
580       This feature is available in Postfix 2.2 and later.
581

authorized_mailq_users (default: static:anyone)

583       List of users who are authorized to view the queue.
584
585       By default, all users are allowed to view the queue.  Access is  always
586       granted if the invoking user is the super-user or the $mail_owner user.
587       Otherwise, the real UID of the process is looked up in the system pass‐
588       word  file,  and access is granted only if the corresponding login name
589       is on the access list.  The username "unknown" is  used  for  processes
590       whose real UID is not found in the password file.
591
592       Specify  a  list  of user names, "/file/name" or "type:table" patterns,
593       separated by commas and/or whitespace. The  list  is  matched  left  to
594       right,  and the search stops on the first match. A "/file/name" pattern
595       is replaced by its contents; a "type:table"  lookup  table  is  matched
596       when  a name matches a lookup key (the lookup result is ignored).  Con‐
597       tinue long lines by starting the next  line  with  whitespace.  Specify
598       "!pattern" to exclude a user name from the list. The form "!/file/name"
599       is supported only in Postfix version 2.4 and later.
600
601       This feature is available in Postfix 2.2 and later.
602

authorized_submit_users (default: static:anyone)

604       List of users who are authorized to submit mail  with  the  sendmail(1)
605       command (and with the privileged postdrop(1) helper command).
606
607       By  default, all users are allowed to submit mail.  Otherwise, the real
608       UID of the process is looked up in the system password file, and access
609       is  granted only if the corresponding login name is on the access list.
610       The username "unknown" is used for processes  whose  real  UID  is  not
611       found in the password file. To deny mail submission access to all users
612       specify an empty list.
613
614       Specify a list of user names, "/file/name"  or  "type:table"  patterns,
615       separated  by  commas  and/or  whitespace.  The list is matched left to
616       right, and the search stops on the first match. A "/file/name"  pattern
617       is  replaced  by  its  contents; a "type:table" lookup table is matched
618       when a name matches a lookup key (the lookup result is ignored).   Con‐
619       tinue  long  lines  by  starting the next line with whitespace. Specify
620       "!pattern" to exclude a user name from the list. The form "!/file/name"
621       is supported only in Postfix version 2.4 and later.
622
623       Example:
624
625       authorized_submit_users = !www, static:all
626
627       This feature is available in Postfix 2.2 and later.
628

authorized_verp_clients (default: $mynetworks)

630       What  remote  SMTP  clients  are  allowed to specify the XVERP command.
631       This command requests that mail be delivered one recipient  at  a  time
632       with a per recipient return address.
633
634       By default, only trusted clients are allowed to specify XVERP.
635
636       This  parameter  was introduced with Postfix version 1.1.  Postfix ver‐
637       sion 2.1 renamed this parameter  to  smtpd_authorized_verp_clients  and
638       changed the default to none.
639
640       Specify  a list of network/netmask patterns, separated by commas and/or
641       whitespace. The mask specifies the number of bits in the  network  part
642       of a host address. You can also specify hostnames or .domain names (the
643       initial  dot  causes  the  domain  to  match  any   name   below   it),
644       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
645       replaced by its contents; a "type:table" lookup table is matched when a
646       table  entry  matches  a  lookup string (the lookup result is ignored).
647       Continue long lines by starting the next line with whitespace.  Specify
648       "!pattern"  to  exclude  an address or network block from the list. The
649       form "!/file/name" is supported only in Postfix version 2.4 and later.
650
651       Note: IP version 6 address information must be specified inside  []  in
652       the   authorized_verp_clients   value,  and  in  files  specified  with
653       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
654       would otherwise be confused with a "type:table" pattern.
655

backwards_bounce_logfile_compatibility (default: yes)

657       Produce  additional bounce(8) logfile records that can be read by Post‐
658       fix versions before 2.0. The current and more extensible "name = value"
659       format  is  needed in order to implement more sophisticated functional‐
660       ity.
661
662       This feature is available in Postfix 2.1 and later.
663

berkeley_db_create_buffer_size (default: 16777216)

665       The per-table I/O buffer size for programs that create Berkeley DB hash
666       or btree tables.  Specify a byte count.
667
668       This feature is available in Postfix 2.0 and later.
669

berkeley_db_read_buffer_size (default: 131072)

671       The  per-table  I/O buffer size for programs that read Berkeley DB hash
672       or btree tables.  Specify a byte count.
673
674       This feature is available in Postfix 2.0 and later.
675

best_mx_transport (default: empty)

677       Where the Postfix SMTP client should deliver mail  when  it  detects  a
678       "mail  loops  back  to  myself"  error condition. This happens when the
679       local MTA is the best SMTP mail exchanger for a destination not  listed
680       in    $mydestination,    $inet_interfaces,   $proxy_interfaces,   $vir‐
681       tual_alias_domains, or $virtual_mailbox_domains.  By default, the Post‐
682       fix SMTP client returns such mail as undeliverable.
683
684       Specify, for example, "best_mx_transport = local" to pass the mail from
685       the Postfix SMTP client to the local(8) delivery agent. You can specify
686       any message delivery "transport" or "transport:nexthop" that is defined
687       in the master.cf file. See the transport(5) manual page for the  syntax
688       and meaning of "transport" or "transport:nexthop".
689
690       However,  this  feature  is expensive because it ties up a Postfix SMTP
691       client process while the local(8) delivery agent is doing its work.  It
692       is  more  efficient (for Postfix) to list all hosted domains in a table
693       or database.
694

biff (default: yes)

696       Whether or not to use the local biff service.  This service sends  "new
697       mail"  notifications  to users who have requested new mail notification
698       with the UNIX command "biff y".
699
700       For compatibility reasons this feature is on by  default.   On  systems
701       with  lots  of interactive users, the biff service can be a performance
702       drain.  Specify "biff = no" in main.cf to disable.
703

body_checks (default: empty)

705       Optional lookup tables for  content  inspection  as  specified  in  the
706       body_checks(5) manual page.
707
708       Note: with Postfix versions before 2.0, these rules inspect all content
709       after the primary message headers.
710

body_checks_size_limit (default: 51200)

712       How much text in a message body segment (or attachment, if  you  prefer
713       to  use  that term) is subjected to body_checks inspection.  The amount
714       of text is limited to avoid scanning huge attachments.
715
716       This feature is available in Postfix 2.0 and later.
717

bounce_notice_recipient (default: postmaster)

719       The recipient of postmaster notifications with the message  headers  of
720       mail  that Postfix did not deliver and of SMTP conversation transcripts
721       of mail that Postfix did not receive.  This feature is enabled with the
722       notify_classes parameter.
723

bounce_queue_lifetime (default: 5d)

725       Consider  a bounce message as undeliverable, when delivery fails with a
726       temporary  error,  and  the  time  in  the  queue   has   reached   the
727       bounce_queue_lifetime limit.  By default, this limit is the same as for
728       regular mail.
729
730       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
731       The default time unit is d (days).
732
733       Specify 0 when mail delivery should be tried only once.
734
735       This feature is available in Postfix 2.1 and later.
736

bounce_service_name (default: bounce)

738       The  name  of the bounce(8) service. This service maintains a record of
739       failed delivery attempts and generates non-delivery notifications.
740
741       This feature is available in Postfix 2.0 and later.
742

bounce_size_limit (default: 50000)

744       The maximal  amount  of  original  message  text  that  is  sent  in  a
745       non-delivery notification. Specify a byte count.  A message is returned
746       as   either   message/rfc822   (the   complete    original)    or    as
747       text/rfc822-headers  (the  headers only).  With Postfix version 2.4 and
748       earlier, a message is always returned as message/rfc822  and  is  trun‐
749       cated when it exceeds the size limit.
750
751       Notes:
752
753       ·      If  you  increase  this  limit,  then  you  should  increase the
754              mime_nesting_limit value proportionally.
755
756       ·      Be careful when making changes.  Excessively large  values  will
757              result  in the loss of non-delivery notifications, when a bounce
758              message size exceeds a local or remote MTA's message size limit.
759

bounce_template_file (default: empty)

761       Pathname of a configuration file with bounce message templates.   These
762       override  the  built-in templates of delivery status notification (DSN)
763       messages for undeliverable mail, for delayed mail, successful delivery,
764       or  delivery  verification.  The bounce(5) manual page describes how to
765       edit and test template files.
766
767       Template message body text may contain $name references to Postfix con‐
768       figuration  parameters.  The result of $name expansion can be previewed
769       with "postconf -b file_name" before the file is placed into the Postfix
770       configuration directory.
771
772       This feature is available in Postfix 2.3 and later.
773

broken_sasl_auth_clients (default: no)

775       Enable  interoperability  with  remote  SMTP  clients that implement an
776       obsolete version of the AUTH  command  (RFC  4954).  Examples  of  such
777       clients  are MicroSoft Outlook Express version 4 and MicroSoft Exchange
778       version 5.0.
779
780       Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
781       support in a non-standard way.
782

canonical_classes (default: envelope_sender, envelope_recipient,

784       header_sender, header_recipient)
785       What addresses are  subject  to  canonical_maps  address  mapping.   By
786       default,  canonical_maps  address mapping is applied to envelope sender
787       and recipient addresses, and to  header  sender  and  header  recipient
788       addresses.
789
790       Specify   one   or   more   of:   envelope_sender,  envelope_recipient,
791       header_sender, header_recipient
792
793       This feature is available in Postfix 2.2 and later.
794

canonical_maps (default: empty)

796       Optional  address  mapping  lookup  tables  for  message  headers   and
797       envelopes.  The  mapping  is  applied  to  both  sender  and  recipient
798       addresses, in both envelopes and in headers,  as  controlled  with  the
799       canonical_classes  parameter.  This is typically used to clean up dirty
800       addresses from legacy mail systems, or to replace login names by First‐
801       name.Lastname.   The table format and lookups are documented in canoni‐
802       cal(5). For an  overview  of  Postfix  address  manipulations  see  the
803       ADDRESS_REWRITING_README document.
804
805       Specify zero or more "type:name" lookup tables, separated by whitespace
806       or comma. Tables will be searched in the specified order until a  match
807       is found.  Note: these lookups are recursive.
808
809       If  you use this feature, run "postmap /etc/postfix/canonical" to build
810       the necessary DBM or DB file  after  every  change.  The  changes  will
811       become visible after a minute or so.  Use "postfix reload" to eliminate
812       the delay.
813
814       Note: with Postfix version 2.2, message header address mapping  happens
815       only when message header address rewriting is enabled:
816
817       ·      The message is received with the Postfix sendmail(1) command,
818
819       ·      The  message  is  received  from  a  network client that matches
820              $local_header_rewrite_clients,
821
822       ·      The  message   is   received   from   the   network,   and   the
823              remote_header_rewrite_domain  parameter  specifies  a  non-empty
824              value.
825
826       To   get   the   behavior   before   Postfix   version   2.2,   specify
827       "local_header_rewrite_clients = static:all".
828
829       Examples:
830
831       canonical_maps = dbm:/etc/postfix/canonical
832       canonical_maps = hash:/etc/postfix/canonical
833

cleanup_service_name (default: cleanup)

835       The  name  of  the  cleanup(8) service. This service rewrites addresses
836       into the standard form, and performs canonical(5) address  mapping  and
837       virtual(5) aliasing.
838
839       This feature is available in Postfix 2.0 and later.
840

command_directory (default: see postconf -d output)

842       The location of all postfix administrative commands.
843

command_execution_directory (default: empty)

845       The  local(8) delivery agent working directory for delivery to external
846       command.  Failure  to  change  directory  causes  the  delivery  to  be
847       deferred.
848
849       The command_execution_directory value is not subject to Postfix config‐
850       uration parameter $name expansion. Instead, the following $name  expan‐
851       sions  are  done on command_execution_directory before the directory is
852       used. Expansion happens in the context of the  delivery  request.   The
853       result  of  $name  expansion is filtered with the character set that is
854       specified with the execution_directory_expansion_filter parameter.
855
856       $user  The recipient's username.
857
858       $shell The recipient's login shell pathname.
859
860       $home  The recipient's home directory.
861
862       $recipient
863              The full recipient address.
864
865       $extension
866              The optional recipient address extension.
867
868       $domain
869              The recipient domain.
870
871       $local The entire recipient localpart.
872
873       $recipient_delimiter
874              The address extension delimiter that was found in the  recipient
875              address  (Postfix  2.11 and later), or the system-wide recipient
876              address extension delimiter (Postfix 2.10 and earlier).
877
878       ${name?value}
879              Expands to value when $name is non-empty.
880
881       ${name:value}
882              Expands to value when $name is empty.
883
884       Instead of $name you can also specify ${name} or $(name).
885
886       This feature is available in Postfix 2.2 and later.
887

command_expansion_filter (default: see postconf -d output)

889       Restrict the characters that the  local(8)  delivery  agent  allows  in
890       $name  expansions of $mailbox_command and $command_execution_directory.
891       Characters outside the allowed set are replaced by underscores.
892

command_time_limit (default: 1000s)

894       Time limit for delivery to external commands. This limit is used by the
895       local(8)  delivery agent, and is the default time limit for delivery by
896       the pipe(8) delivery agent.
897
898       Note: if you set this time limit to a large value you must  update  the
899       global ipc_timeout parameter as well.
900

compatibility_level (default: 0)

902       A  safety  net  that  causes  Postfix  to run with backwards-compatible
903       default settings after an upgrade to a newer Postfix version.
904
905       With backwards compatibility turned on (the main.cf compatibility_level
906       value  is less than the Postfix built-in value), Postfix looks for set‐
907       tings that are left at their implicit default value, and logs a message
908       when a backwards-compatible default setting is required.
909
910           using backwards-compatible default setting name=value
911               to [accept a specific client request]
912
913           using backwards-compatible default setting name=value
914               to [enable specific Postfix behavior]
915
916       See  COMPATIBILITY_README  for specific message details. If such a mes‐
917       sage is logged in the context  of  a  legitimate  request,  the  system
918       administrator should make the backwards-compatible setting permanent in
919       main.cf or master.cf, for example:
920
921           # postconf name=value
922           # postfix reload
923
924       When no more backwards-compatible settings need to be  made  permanent,
925       the  administrator  should turn off backwards compatibility by updating
926       the compatibility_level setting in main.cf:
927
928           # postconf compatibility_level=N
929           # postfix reload
930
931       For N specify the number that is logged in your postfix(1) warning mes‐
932       sage:
933
934           warning: To disable backwards compatibility use "postconf
935               compatibility_level=N" and "postfix reload"
936
937       This feature is available in Postfix 3.0 and later.
938

config_directory (default: see postconf -d output)

940       The default location of the Postfix main.cf and master.cf configuration
941       files. This can be overruled via the following mechanisms:
942
943       ·      The MAIL_CONFIG environment variable (daemon processes and  com‐
944              mands).
945
946       ·      The "-c" command-line option (commands only).
947
948       With  Postfix command that run with set-gid privileges, a config_direc‐
949       tory override requires either root privileges, or it requires that  the
950       directory  is listed with the alternate_config_directories parameter in
951       the default main.cf file.
952

confirm_delay_cleared (default: no)

954       After sending a "your message  is  delayed"  notification,  inform  the
955       sender  when  the delay clears up. This can result in a sudden burst of
956       notifications at the end of a prolonged network outage, and  is  there‐
957       fore disabled by default.
958
959       See also: delay_warning_time.
960
961       This feature is available in Postfix 3.0 and later.
962

connection_cache_protocol_timeout (default: 5s)

964       Time  limit  for  connection cache connect, send or receive operations.
965       The time limit is enforced in the client.
966
967       This feature is available in Postfix 2.3 and later.
968

connection_cache_service_name (default: scache)

970       The name of the scache(8) connection cache service.  This service main‐
971       tains a limited pool of cached sessions.
972
973       This feature is available in Postfix 2.2 and later.
974

connection_cache_status_update_time (default: 600s)

976       How  frequently the scache(8) server logs usage statistics with connec‐
977       tion cache hit and miss rates for logical destinations and for physical
978       endpoints.
979

connection_cache_ttl_limit (default: 2s)

981       The  maximal  time-to-live  value  that  the scache(8) connection cache
982       server allows. Requests that specify a larger TTL will be  stored  with
983       the  maximum  allowed TTL. The purpose of this additional control is to
984       protect the infrastructure against careless people. The  cache  TTL  is
985       already bounded by $max_idle.
986

content_filter (default: empty)

988       After  the  message is queued, send the entire message to the specified
989       transport:destination. The transport name specifies the first field  of
990       a  mail  delivery  agent  definition  in  master.cf;  the syntax of the
991       next-hop destination is described in the manual page of the correspond‐
992       ing delivery agent.  More information about external content filters is
993       in the Postfix FILTER_README file.
994
995       Notes:
996
997       ·      This setting has lower precedence than a FILTER action  that  is
998              specified  in  an  access(5), header_checks(5) or body_checks(5)
999              table.
1000
1001       ·      The meaning of an empty next-hop filter destination  is  version
1002              dependent.  Postfix 2.7 and later will use the recipient domain;
1003              earlier versions will use  $myhostname.   Specify  "default_fil‐
1004              ter_nexthop = $myhostname" for compatibility with Postfix 2.6 or
1005              earlier, or specify a  content_filter  value  with  an  explicit
1006              next-hop destination.
1007

cyrus_sasl_config_path (default: empty)

1009       Search  path  for Cyrus SASL application configuration files, currently
1010       used only to locate the $smtpd_sasl_path.conf file.   Specify  zero  or
1011       more  directories  separated by a colon character, or an empty value to
1012       use Cyrus SASL's built-in search path.
1013
1014       This feature is available in Postfix 2.5 and later when  compiled  with
1015       Cyrus SASL 2.1.22 or later.
1016

daemon_directory (default: see postconf -d output)

1018       The directory with Postfix support programs and daemon programs.  These
1019       should not be invoked directly by humans. The directory must  be  owned
1020       by root.
1021

daemon_table_open_error_is_fatal (default: no)

1023       How  a  Postfix  daemon  process  handles  errors  while opening lookup
1024       tables: gradual degradation or immediate termination.
1025
1026        no  (default)
1027              Gradual degradation: a daemon process logs  a  message  of  type
1028              "error" and continues execution with reduced functionality. Fea‐
1029              tures that do not depend on the unavailable table will work nor‐
1030              mally,  while features that depend on the table will result in a
1031              type "warning" message.
1032              When the notify_classes  parameter  value  contains  the  "data"
1033              class,  the  Postfix  SMTP  server  and client will report tran‐
1034              scripts of sessions with an error because a  table  is  unavail‐
1035              able.
1036
1037        yes  (historical behavior)
1038              Immediate termination: a daemon process logs a type "fatal" mes‐
1039              sage and terminates immediately.  This option reduces the number
1040              of  possible  code  paths  through Postfix, and may therefore be
1041              slightly more secure than the default.
1042
1043       For the sake of sanity, the number of type "error" messages is  limited
1044       to 13 over the lifetime of a daemon process.
1045
1046       This feature is available in Postfix 2.9 and later.
1047

daemon_timeout (default: 18000s)

1049       How  much  time  a  Postfix daemon process may take to handle a request
1050       before it is terminated by a built-in watchdog timer.
1051
1052       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
1053       The default time unit is s (seconds).
1054

data_directory (default: see postconf -d output)

1056       The  directory  with  Postfix-writable data files (for example: caches,
1057       pseudo-random numbers).  This directory must be owned by the mail_owner
1058       account, and must not be shared with non-Postfix software.
1059
1060       This feature is available in Postfix 2.5 and later.
1061

debug_peer_level (default: 2)

1063       The  increment  in verbose logging level when a remote client or server
1064       matches a pattern in the debug_peer_list parameter.
1065

debug_peer_list (default: empty)

1067       Optional list of remote client or server hostname  or  network  address
1068       patterns that cause the verbose logging level to increase by the amount
1069       specified in $debug_peer_level.
1070
1071       Specify domain names, network/netmask patterns,  "/file/name"  patterns
1072       or   "type:table"  lookup  tables.  The  right-hand  side  result  from
1073       "type:table" lookups is ignored.
1074
1075       Pattern matching of domain names  is  controlled  by  the  presence  or
1076       absence  of  "debug_peer_list"  in the parent_domain_matches_subdomains
1077       parameter value.
1078
1079       Examples:
1080
1081       debug_peer_list = 127.0.0.1
1082       debug_peer_list = example.com
1083

debugger_command (default: empty)

1085       The external command to  execute  when  a  Postfix  daemon  program  is
1086       invoked with the -D option.
1087
1088       Use  "command  .. & sleep 5" so that the debugger can attach before the
1089       process marches on. If you use an X-based debugger, be sure to  set  up
1090       your XAUTHORITY environment variable before starting Postfix.
1091
1092       Note: the command is subject to $name expansion, before it is passed to
1093       the default command interpreter. Specify "$$" to produce a  single  "$"
1094       character.
1095
1096       Example:
1097
1098       debugger_command =
1099           PATH=/usr/bin:/usr/X11R6/bin
1100           ddd $daemon_directory/$process_name $process_id & sleep 5
1101

default_database_type (default: see postconf -d output)

1103       The  default  database  type for use in newaliases(1), postalias(1) and
1104       postmap(1) commands. On many UNIX systems the default  type  is  either
1105       dbm  or  hash. The default setting is frozen when the Postfix system is
1106       built.
1107
1108       Examples:
1109
1110       default_database_type = hash
1111       default_database_type = dbm
1112

default_delivery_slot_cost (default: 5)

1114       How often the Postfix queue manager's scheduler is allowed  to  preempt
1115       delivery of one message with another.
1116
1117       Each  transport maintains a so-called "available delivery slot counter"
1118       for each message. One message can be preempted by another one when  the
1119       other  message  can  be  delivered  using no more delivery slots (i.e.,
1120       invocations of delivery agents) than the current  message  counter  has
1121       accumulated  (or  will  eventually  accumulate  -  see about slot loans
1122       below). This parameter controls how often is the counter incremented  -
1123       it  happens  after each default_delivery_slot_cost recipients have been
1124       delivered.
1125
1126       The cost of 0 is used to disable the preempting scheduling  completely.
1127       The minimum value the scheduling algorithm can use is 2 - use it if you
1128       want to maximize the message throughput rate. Although there is no max‐
1129       imum, it doesn't make much sense to use values above say 50.
1130
1131       The  only  reason why the value of 2 is not the default is the way this
1132       parameter affects the delivery of mailing-list mail. In the worst case,
1133       delivery  can  take  somewhere  between (cost+1/cost) and (cost/cost-1)
1134       times more than if the preemptive scheduler was disabled.  The  default
1135       value of 5 turns out to provide reasonable message response times while
1136       making sure the mailing-list deliveries are not extended by  more  than
1137       20-25 percent even in the worst case.
1138
1139       Use  transport_delivery_slot_cost to specify a transport-specific over‐
1140       ride, where transport is the master.cf name  of  the  message  delivery
1141       transport.
1142
1143       Examples:
1144
1145       default_delivery_slot_cost = 0
1146       default_delivery_slot_cost = 2
1147

default_delivery_slot_discount (default: 50)

1149       The  default  value for transport-specific _delivery_slot_discount set‐
1150       tings.
1151
1152       This parameter speeds up the moment when a message preemption can  hap‐
1153       pen.  Instead  of  waiting  until  the  full  amount  of delivery slots
1154       required is available, the preemption can happen when  transport_deliv‐
1155       ery_slot_discount  percent of the required amount plus transport_deliv‐
1156       ery_slot_loan still remains to be  accumulated.   Note  that  the  full
1157       amount  will still have to be accumulated before another preemption can
1158       take place later.
1159
1160       Use transport_delivery_slot_discount to  specify  a  transport-specific
1161       override, where transport is the master.cf name of the message delivery
1162       transport.
1163

default_delivery_slot_loan (default: 3)

1165       The default value for transport-specific _delivery_slot_loan settings.
1166
1167       This parameter speeds up the moment when a message preemption can  hap‐
1168       pen.  Instead  of  waiting  until  the  full  amount  of delivery slots
1169       required is available, the preemption can happen when  transport_deliv‐
1170       ery_slot_discount  percent of the required amount plus transport_deliv‐
1171       ery_slot_loan still remains to be  accumulated.   Note  that  the  full
1172       amount  will still have to be accumulated before another preemption can
1173       take place later.
1174
1175       Use transport_delivery_slot_loan to specify a transport-specific  over‐
1176       ride,  where  transport  is  the master.cf name of the message delivery
1177       transport.
1178

default_delivery_status_filter (default: empty)

1180       Optional filter to replace the delivery status code or explanatory text
1181       of  successful  or  unsuccessful  deliveries.   This does not allow the
1182       replacement of a successful status code (2.X.X)  with  an  unsuccessful
1183       status code (4.X.X or 5.X.X) or vice versa.
1184
1185       Note:  the  (smtp|lmtp)_delivery_status_filter is applied only once per
1186       recipient: when delivery is successful, when delivery is rejected  with
1187       5XX,  or  when  there  are  no more alternate MX or A destinations. Use
1188       smtp_reply_filter or lmtp_reply_filter to  inspect  responses  for  all
1189       delivery attempts.
1190
1191       The following parameters can be used to implement a filter for specific
1192       delivery   agents:   lmtp_delivery_status_filter,   local_delivery_sta‐
1193       tus_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or
1194       virtual_delivery_status_filter. These parameters support the same  fil‐
1195       ter syntax as described here.
1196
1197       Specify  zero  or  more  "type:table"  lookup table names, separated by
1198       comma or whitespace. For each successful or unsuccessful delivery to  a
1199       recipient,  the tables are queried in the specified order with one line
1200       of text that is structured as follows:
1201
1202           enhanced-status-code SPACE explanatory-text
1203
1204       The first table match wins. The lookup result must have the same struc‐
1205       ture  as  the  query, a successful status code (2.X.X) must be replaced
1206       with a successful status code, an unsuccessful status  code  (4.X.X  or
1207       5.X.X)  must  be  replaced  with  an  unsuccessful status code, and the
1208       explanatory text field must be non-empty. Other results will result  in
1209       a warning.
1210
1211       Example  1: convert specific soft TLS errors into hard errors, by over‐
1212       riding the first number in the enhanced status code.
1213
1214           /etc/postfix/main.cf:
1215               smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
1216
1217           /etc/postfix/smtp_dsn_filter:
1218               /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
1219                   5$1
1220               /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
1221                   5$1
1222               # Do not change the following into hard bounces. They may
1223               # result from a local configuration problem.
1224               # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
1225               # 4.\d+.\d+ TLS is required, but unavailable
1226               # 4.\d+.\d+ Cannot start TLS: handshake failure
1227
1228       Example 2: censor the per-recipient delivery status  text  so  that  it
1229       does  not  reveal  the  destination  command  or filename when a remote
1230       sender requests confirmation of successful delivery.
1231
1232           /etc/postfix/main.cf:
1233               local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
1234
1235           /etc/postfix/local_dsn_filter:
1236               /^(2\S+ delivered to file).+/    $1
1237               /^(2\S+ delivered to command).+/ $1
1238
1239       Notes:
1240
1241       ·      This feature will NOT override the soft_bounce safety net.
1242
1243       ·      This feature will change the enhanced status code and text  that
1244              is  logged  to  the  maillog  file,  and that is reported to the
1245              sender in delivery confirmation or non-delivery notifications.
1246
1247       This feature is available in Postfix 3.0 and later.
1248

default_destination_concurrency_failed_cohort_limit (default: 1)

1250       How many pseudo-cohorts must suffer  connection  or  handshake  failure
1251       before  a  specific  destination is considered unavailable (and further
1252       delivery is suspended). Specify zero to disable this feature. A  desti‐
1253       nation's pseudo-cohort failure count is reset each time a delivery com‐
1254       pletes without connection or handshake failure for that specific desti‐
1255       nation.
1256
1257       A  pseudo-cohort  is  the number of deliveries equal to a destination's
1258       delivery concurrency.
1259
1260       Use transport_destination_concurrency_failed_cohort_limit to specify  a
1261       transport-specific  override,  where transport is the master.cf name of
1262       the message delivery transport.
1263
1264       This feature is available in Postfix 2.5. The default setting  is  com‐
1265       patible with earlier Postfix versions.
1266

default_destination_concurrency_limit (default: 20)

1268       The  default maximal number of parallel deliveries to the same destina‐
1269       tion.  This is the default limit for delivery via the lmtp(8), pipe(8),
1270       smtp(8) and virtual(8) delivery agents.  With per-destination recipient
1271       limit > 1, a destination is a domain, otherwise it is a recipient.
1272
1273       Use transport_destination_concurrency_limit to specify a transport-spe‐
1274       cific  override,  where  transport is the master.cf name of the message
1275       delivery transport.
1276

default_destination_concurrency_negative_feedback (default: 1)

1278       The per-destination amount of delivery concurrency  negative  feedback,
1279       after  a  delivery  completes  with  a connection or handshake failure.
1280       Feedback values are in the range 0..1 inclusive.  With  negative  feed‐
1281       back,  concurrency  is  decremented  at  the beginning of a sequence of
1282       length 1/feedback. This is unlike positive feedback, where  concurrency
1283       is incremented at the end of a sequence of length 1/feedback.
1284
1285       As  of  Postfix  version  2.5, negative feedback cannot reduce delivery
1286       concurrency to zero.  Instead, a destination is  marked  dead  (further
1287       delivery  suspended)  after  the  failed  pseudo-cohort  count  reaches
1288       $default_destination_concurrency_failed_cohort_limit    (or     $trans‐
1289       port_destination_concurrency_failed_cohort_limit).   To make the sched‐
1290       uler completely immune to connection or handshake failures,  specify  a
1291       zero feedback value and a zero failed pseudo-cohort limit.
1292
1293       Specify one of the following forms:
1294
1295       number
1296
1297       number / number
1298              Constant  feedback.  The  value must be in the range 0..1 inclu‐
1299              sive.  The default setting of "1"  is  compatible  with  Postfix
1300              versions  before 2.5, where a destination's delivery concurrency
1301              is throttled down to zero (and further delivery suspended) after
1302              a single failed pseudo-cohort.
1303
1304       number / concurrency
1305              Variable  feedback  of  "number  / (delivery concurrency)".  The
1306              number must be in the range 0..1 inclusive. With number equal to
1307              "1",  a  destination's  delivery concurrency is decremented by 1
1308              after each failed pseudo-cohort.
1309
1310       A pseudo-cohort is the number of deliveries equal  to  a  destination's
1311       delivery concurrency.
1312
1313       Use  transport_destination_concurrency_negative_feedback  to  specify a
1314       transport-specific override, where transport is the master.cf  name  of
1315       the message delivery transport.
1316
1317       This  feature  is available in Postfix 2.5. The default setting is com‐
1318       patible with earlier Postfix versions.
1319

default_destination_concurrency_positive_feedback (default: 1)

1321       The per-destination amount of delivery concurrency  positive  feedback,
1322       after  a  delivery  completes  without connection or handshake failure.
1323       Feedback values are in  the  range  0..1  inclusive.   The  concurrency
1324       increases  until  it  reaches  the  per-destination maximal concurrency
1325       limit. With positive feedback, concurrency is incremented at the end of
1326       a  sequence  with  length 1/feedback. This is unlike negative feedback,
1327       where concurrency is decremented at the start of a sequence  of  length
1328       1/feedback.
1329
1330       Specify one of the following forms:
1331
1332       number
1333
1334       number / number
1335              Constant  feedback.   The value must be in the range 0..1 inclu‐
1336              sive. The default setting of "1" is compatible with Postfix ver‐
1337              sions  before  2.5,  where  a destination's delivery concurrency
1338              doubles after each successful pseudo-cohort.
1339
1340       number / concurrency
1341              Variable feedback of "number  /  (delivery  concurrency)".   The
1342              number must be in the range 0..1 inclusive. With number equal to
1343              "1", a destination's delivery concurrency is  incremented  by  1
1344              after each successful pseudo-cohort.
1345
1346       A  pseudo-cohort  is  the number of deliveries equal to a destination's
1347       delivery concurrency.
1348
1349       Use transport_destination_concurrency_positive_feedback  to  specify  a
1350       transport-specific  override,  where transport is the master.cf name of
1351       the message delivery transport.
1352
1353       This feature is available in Postfix 2.5 and later.
1354

default_destination_rate_delay (default: 0s)

1356       The default amount of delay that is inserted between individual message
1357       deliveries  to  the same destination and over the same message delivery
1358       transport. Specify a non-zero value to rate-limit those message  deliv‐
1359       eries to at most one per $default_destination_rate_delay.
1360
1361       The  resulting  behavior  depends  on  the  value  of the corresponding
1362       per-destination recipient limit.
1363
1364       ·      With a corresponding per-destination recipient limit  >  1,  the
1365              rate  delay  specifies  the  time between deliveries to the same
1366              domain.  Different domains are delivered in parallel, subject to
1367              the process limits specified in master.cf.
1368
1369       ·      With a corresponding per-destination recipient limit equal to 1,
1370              the rate delay specifies the time between deliveries to the same
1371              recipient.  Different recipients are delivered in parallel, sub‐
1372              ject to the process limits specified in master.cf.
1373
1374       To enable the delay, specify a non-zero time value (an  integral  value
1375       plus an optional one-letter suffix that specifies the time unit).
1376
1377       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
1378       The default time unit is s (seconds).
1379
1380       NOTE: the delay is enforced by the queue manager. The delay timer state
1381       does not survive "postfix reload" or "postfix stop".
1382
1383       Use  transport_destination_rate_delay  to  specify a transport-specific
1384       override, where transport is the master.cf name of the message delivery
1385       transport.
1386
1387       NOTE: with a non-zero _destination_rate_delay, specify a transport_des‐
1388       tination_concurrency_failed_cohort_limit of 10 or more to prevent Post‐
1389       fix  from  deferring  all  mail for the same destination after only one
1390       connection or handshake error.
1391
1392       This feature is available in Postfix 2.5 and later.
1393

default_destination_recipient_limit (default: 50)

1395       The default maximal number of recipients per message delivery.  This is
1396       the  default  limit  for delivery via the lmtp(8), pipe(8), smtp(8) and
1397       virtual(8) delivery agents.
1398
1399       Setting this parameter to a value of 1 affects email deliveries as fol‐
1400       lows:
1401
1402       ·      It changes the meaning of the corresponding per-destination con‐
1403              currency limit, from  concurrency  of  deliveries  to  the  same
1404              domain  into  concurrency  of  deliveries to the same recipient.
1405              Different recipients are delivered in parallel, subject  to  the
1406              process limits specified in master.cf.
1407
1408       ·      It changes the meaning of the corresponding per-destination rate
1409              delay, from the delay between deliveries to the same domain into
1410              the delay between deliveries to the same recipient.  Again, dif‐
1411              ferent recipients are delivered  in  parallel,  subject  to  the
1412              process limits specified in master.cf.
1413
1414       ·      It  changes  the  meaning of other corresponding per-destination
1415              settings in a similar manner, from settings for delivery to  the
1416              same domain into settings for delivery to the same recipient.
1417
1418       Use  transport_destination_recipient_limit  to specify a transport-spe‐
1419       cific override, where transport is the master.cf name  of  the  message
1420       delivery transport.
1421

default_extra_recipient_limit (default: 1000)

1423       The default value for the extra per-transport limit imposed on the num‐
1424       ber of in-memory recipients.  This extra recipient  space  is  reserved
1425       for  the  cases when the Postfix queue manager's scheduler preempts one
1426       message with another and suddenly needs some extra recipients slots for
1427       the chosen message in order to avoid performance degradation.
1428
1429       Use  transport_extra_recipient_limit  to  specify  a transport-specific
1430       override, where transport is the master.cf name of the message delivery
1431       transport.
1432

default_filter_nexthop (default: empty)

1434       When  a content_filter or FILTER request specifies no explicit next-hop
1435       destination, use $default_filter_nexthop instead; when  that  value  is
1436       empty,  use the domain in the recipient address.  Specify "default_fil‐
1437       ter_nexthop = $myhostname" for compatibility with Postfix  version  2.6
1438       and earlier, or specify an explicit next-hop destination with each con‐
1439       tent_filter value or FILTER action.
1440
1441       This feature is available in Postfix 2.7 and later.
1442

default_minimum_delivery_slots (default: 3)

1444       How many recipients a message must have in order to invoke the  Postfix
1445       queue  manager's  scheduling  algorithm  at  all.  Messages which would
1446       never accumulate at least this many delivery  slots  (subject  to  slot
1447       cost parameter as well) are never preempted.
1448
1449       Use  transport_minimum_delivery_slots  to  specify a transport-specific
1450       override, where transport is the master.cf name of the message delivery
1451       transport.
1452

default_privs (default: nobody)

1454       The  default rights used by the local(8) delivery agent for delivery to
1455       external file or command.  These  rights  are  used  when  delivery  is
1456       requested from an aliases(5) file that is owned by root, or when deliv‐
1457       ery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR  THE
1458       POSTFIX OWNER.
1459

default_process_limit (default: 100)

1461       The  default  maximal  number of Postfix child processes that provide a
1462       given service. This limit can be overruled for specific services in the
1463       master.cf file.
1464

default_rbl_reply (default: see postconf -d output)

1466       The default Postfix SMTP server response template for a request that is
1467       rejected by an RBL-based restriction. This template can be overruled by
1468       specific entries in the optional rbl_reply_maps lookup table.
1469
1470       This feature is available in Postfix 2.0 and later.
1471
1472       The  template  does  not  support Postfix configuration parameter $name
1473       substitution. Instead, it supports exactly one level of $name substitu‐
1474       tion for the following attributes:
1475
1476       $client
1477              The client hostname and IP address, formatted as name[address].
1478
1479       $client_address
1480              The client IP address.
1481
1482       $client_name
1483              The       client       hostname      or      "unknown".      See
1484              reject_unknown_client_hostname for more details.
1485
1486       $reverse_client_name
1487              The client hostname from  address->name  lookup,  or  "unknown".
1488              See reject_unknown_reverse_client_hostname for more details.
1489
1490       $helo_name
1491              The hostname given in HELO or EHLO command or empty string.
1492
1493       $rbl_class
1494              The  blacklisted  entity type: Client host, Helo command, Sender
1495              address, or Recipient address.
1496
1497       $rbl_code
1498              The  numerical  SMTP  response  code,  as  specified  with   the
1499              maps_rbl_reject_code  configuration parameter. Note: The numeri‐
1500              cal SMTP response code is required, and must appear at the start
1501              of  the  reply. With Postfix version 2.3 and later this informa‐
1502              tion may be followed by an RFC 3463 enhanced status code.
1503
1504       $rbl_domain
1505              The RBL domain where $rbl_what is blacklisted.
1506
1507       $rbl_reason
1508              The reason why $rbl_what is blacklisted, or an empty string.
1509
1510       $rbl_what
1511              The entity that is blacklisted (an IP  address,  a  hostname,  a
1512              domain name, or an email address whose domain was blacklisted).
1513
1514       $recipient
1515              The recipient address or <> in case of the null address.
1516
1517       $recipient_domain
1518              The recipient domain or empty string.
1519
1520       $recipient_name
1521              The recipient address localpart or <> in case of null address.
1522
1523       $sender
1524              The sender address or <> in case of the null address.
1525
1526       $sender_domain
1527              The sender domain or empty string.
1528
1529       $sender_name
1530              The sender address localpart or <> in case of the null address.
1531
1532       ${name?text}
1533              Expands to `text' if $name is not empty.
1534
1535       ${name:text}
1536              Expands to `text' if $name is empty.
1537
1538       Instead of $name you can also specify ${name} or $(name).
1539
1540       Note:  when  an  enhanced status code is specified in an RBL reply tem‐
1541       plate, it is subject to modification.   The  following  transformations
1542       are  needed  when the same RBL reply template is used for client, helo,
1543       sender, or recipient access restrictions.
1544
1545       ·      When rejecting a sender address, the Postfix  SMTP  server  will
1546              transform  a  recipient  DSN status (e.g., 4.1.1-4.1.6) into the
1547              corresponding sender DSN status, and vice versa.
1548
1549       ·      When rejecting non-address information (such as the HELO command
1550              argument  or  the  client  hostname/address),  the  Postfix SMTP
1551              server will transform a sender or recipient DSN  status  into  a
1552              generic non-address DSN status (e.g., 4.0.0).
1553

default_recipient_limit (default: 20000)

1555       The default per-transport upper limit on the number of in-memory recip‐
1556       ients.  These limits take priority over the global qmgr_message_recipi‐
1557       ent_limit  after the message has been assigned to the respective trans‐
1558       ports.  See also default_extra_recipient_limit and qmgr_message_recipi‐
1559       ent_minimum.
1560
1561       Use transport_recipient_limit to specify a transport-specific override,
1562       where transport is the master.cf name of the  message  delivery  trans‐
1563       port.
1564

default_recipient_refill_delay (default: 5s)

1566       The  default  per-transport  maximum  delay between recipients refills.
1567       When not all message recipients fit into the memory at once, keep load‐
1568       ing  more  of them at least once every this many seconds.  This is used
1569       to make sure the recipients are refilled in  timely  manner  even  when
1570       $default_recipient_refill_limit is too high for too slow deliveries.
1571
1572       Use  transport_recipient_refill_delay  to  specify a transport-specific
1573       override, where transport is the master.cf name of the message delivery
1574       transport.
1575
1576       This feature is available in Postfix 2.4 and later.
1577

default_recipient_refill_limit (default: 100)

1579       The default per-transport limit on the number of recipients refilled at
1580       once.  When not all message recipients fit into  the  memory  at  once,
1581       keep  loading  more of them in batches of at least this many at a time.
1582       See also $default_recipient_refill_delay, which may result in recipient
1583       batches lower than this when this limit is too high for too slow deliv‐
1584       eries.
1585
1586       Use transport_recipient_refill_limit to  specify  a  transport-specific
1587       override, where transport is the master.cf name of the message delivery
1588       transport.
1589
1590       This feature is available in Postfix 2.4 and later.
1591

default_transport (default: smtp)

1593       The default mail delivery transport and next-hop destination for desti‐
1594       nations   that   do   not   match   $mydestination,   $inet_interfaces,
1595       $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
1596       $relay_domains.    This   information   can   be   overruled  with  the
1597       sender_dependent_default_transport_maps parameter and with  the  trans‐
1598       port(5) table.
1599
1600       In  order  of  decreasing  precedence, the nexthop destination is taken
1601       from   $sender_dependent_default_transport_maps,    $default_transport,
1602       $sender_dependent_relayhost_maps,  $relayhost,  or  from  the recipient
1603       domain.
1604
1605       Specify a string of the form transport:nexthop, where transport is  the
1606       name  of  a mail delivery transport defined in master.cf.  The :nexthop
1607       destination is optional; its syntax is documented in the manual page of
1608       the corresponding delivery agent.
1609
1610       Example:
1611
1612       default_transport = uucp:relayhostname
1613

default_transport_rate_delay (default: 0s)

1615       The default amount of delay that is inserted between individual message
1616       deliveries over the same message delivery transport, regardless of des‐
1617       tination. Specify a non-zero value to rate-limit those message deliver‐
1618       ies to at most one per $default_transport_rate_delay.
1619
1620       Use  transport_transport_rate_delay  to  specify  a  transport-specific
1621       override, where the initial transport is the master.cf name of the mes‐
1622       sage delivery transport.
1623
1624       Example: throttle outbound SMTP  mail  to  at  most  3  deliveries  per
1625       minute.
1626
1627       /etc/postfix/main.cf:
1628           smtp_transport_rate_delay = 20s
1629
1630       To  enable  the delay, specify a non-zero time value (an integral value
1631       plus an optional one-letter suffix that specifies the time unit).
1632
1633       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
1634       The default time unit is s (seconds).
1635
1636       NOTE: the delay is enforced by the queue manager.
1637
1638       This feature is available in Postfix 3.1 and later.
1639

default_verp_delimiters (default: +=)

1641       The  two  default  VERP  delimiter  characters.  These are used when no
1642       explicit delimiters are specified with the SMTP XVERP command  or  with
1643       the  "sendmail  -V"  command-line  option.  Specify characters that are
1644       allowed by the verp_delimiter_filter setting.
1645
1646       This feature is available in Postfix 1.1 and later.
1647

defer_code (default: 450)

1649       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
1650       client request is rejected by the "defer" restriction.
1651
1652       Do  not  change  this  unless  you have a complete understanding of RFC
1653       5321.
1654

defer_service_name (default: defer)

1656       The name of the defer service.  This  service  is  implemented  by  the
1657       bounce(8) daemon and maintains a record of failed delivery attempts and
1658       generates non-delivery notifications.
1659
1660       This feature is available in Postfix 2.0 and later.
1661

defer_transports (default: empty)

1663       The names of message delivery transports that should not  deliver  mail
1664       unless someone issues "sendmail -q" or equivalent. Specify zero or more
1665       names of mail delivery transports names that appear in the first  field
1666       of master.cf.
1667
1668       Example:
1669
1670       defer_transports = smtp
1671

delay_logging_resolution_limit (default: 2)

1673       The  maximal  number  of  digits  after  the decimal point when logging
1674       sub-second delay values.  Specify a number in the range 0..6.
1675
1676       Large delay values are rounded off to an integral number seconds; delay
1677       values  below the delay_logging_resolution_limit are logged as "0", and
1678       delay values under 100s are logged with at most two-digit precision.
1679
1680       The format of the "delays=a/b/c/d" logging is as follows:
1681
1682       ·      a = time from message arrival to last active queue entry
1683
1684       ·      b = time from last active queue entry to connection setup
1685
1686       ·      c = time in connection setup, including DNS, EHLO and STARTTLS
1687
1688       ·      d = time in message transmission
1689
1690       This feature is available in Postfix 2.3 and later.
1691

delay_notice_recipient (default: postmaster)

1693       The recipient of postmaster notifications with the message  headers  of
1694       mail that cannot be delivered within $delay_warning_time time units.
1695
1696       See also: delay_warning_time, notify_classes.
1697

delay_warning_time (default: 0h)

1699       The  time after which the sender receives a copy of the message headers
1700       of mail that is still queued. The confirm_delay_cleared parameter  con‐
1701       trols sender notification when the delay clears up.
1702
1703       To  enable  this  feature,  specify  a non-zero time value (an integral
1704       value plus an optional one-letter suffix that specifies the time unit).
1705
1706       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
1707       The default time unit is h (hours).
1708
1709       See      also:     delay_notice_recipient,     notify_classes,     con‐
1710       firm_delay_cleared.
1711

deliver_lock_attempts (default: 20)

1713       The maximal number of attempts to acquire an exclusive lock on a  mail‐
1714       box file or bounce(8) logfile.
1715

deliver_lock_delay (default: 1s)

1717       The  time  between  attempts  to acquire an exclusive lock on a mailbox
1718       file or bounce(8) logfile.
1719
1720       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
1721       The default time unit is s (seconds).
1722

destination_concurrency_feedback_debug (default: no)

1724       Make  the  queue  manager's  feedback algorithm verbose for performance
1725       analysis purposes.
1726
1727       This feature is available in Postfix 2.5 and later.
1728

detect_8bit_encoding_header (default: yes)

1730       Automatically detect 8BITMIME body content by looking at Content-Trans‐
1731       fer-Encoding:   message   headers;   historically,  this  behavior  was
1732       hard-coded to be "always on".
1733
1734       This feature is available in Postfix 2.5 and later.
1735

disable_dns_lookups (default: no)

1737       Disable DNS lookups in the Postfix SMTP and  LMTP  clients.  When  dis‐
1738       abled,  hosts  are looked up with the getaddrinfo() system library rou‐
1739       tine which normally also looks in /etc/hosts.  As of Postfix 2.11, this
1740       parameter is deprecated; use smtp_dns_support_level instead.
1741
1742       DNS lookups are enabled by default.
1743

disable_mime_input_processing (default: no)

1745       Turn  off MIME processing while receiving mail. This means that no spe‐
1746       cial treatment is given to Content-Type: message headers, and that  all
1747       text  after the initial message headers is considered to be part of the
1748       message body.
1749
1750       This feature is available in Postfix 2.0 and later.
1751
1752       Mime input processing is enabled by default, and is needed in order  to
1753       recognize MIME headers in message content.
1754

disable_mime_output_conversion (default: no)

1756       Disable  the conversion of 8BITMIME format to 7BIT format.  Mime output
1757       conversion is needed when the destination does not  advertise  8BITMIME
1758       support.
1759
1760       This feature is available in Postfix 2.0 and later.
1761

disable_verp_bounces (default: no)

1763       Disable sending one bounce report per recipient.
1764
1765       The default, one per recipient, is what ezmlm needs.
1766
1767       This feature is available in Postfix 1.1 and later.
1768

disable_vrfy_command (default: no)

1770       Disable  the SMTP VRFY command. This stops some techniques used to har‐
1771       vest email addresses.
1772
1773       Example:
1774
1775       disable_vrfy_command = no
1776

dns_ncache_ttl_fix_enable (default: no)

1778       Enable a workaround for future libc incompatibility. The Postfix imple‐
1779       mentation of RFC 2308 negative reply caching relies on the promise that
1780       res_query() and  res_search()  invoke  res_send(),  which  returns  the
1781       server  response  in an application buffer even if the requested record
1782       does not exist. If this promise is broken, specify "yes"  to  enable  a
1783       workaround for DNS reputation lookups.
1784
1785       This feature is available in Postfix 3.1 and later.
1786

dnsblog_reply_delay (default: 0s)

1788       A debugging aid to artificially delay DNS responses.
1789
1790       This feature is available in Postfix 2.8.
1791

dnsblog_service_name (default: dnsblog)

1793       The  name  of  the  dnsblog(8) service entry in master.cf. This service
1794       performs DNS white/blacklist lookups.
1795
1796       This feature is available in Postfix 2.8 and later.
1797

dont_remove (default: 0)

1799       Don't remove queue files and save them to the "saved" mail queue.  This
1800       is a debugging aid.  To inspect the envelope information and content of
1801       a Postfix queue file, use the postcat(1) command.
1802

double_bounce_sender (default: double-bounce)

1804       The sender address of postmaster notifications that  are  generated  by
1805       the  mail  system.  All  mail to this address is silently discarded, in
1806       order to terminate mail bounce loops.
1807

duplicate_filter_limit (default: 1000)

1809       The maximal number of addresses remembered  by  the  address  duplicate
1810       filter  for  aliases(5)  or virtual(5) alias expansion, or for showq(8)
1811       queue displays.
1812

empty_address_default_transport_maps_lookup_key (default: <>)

1814       The sender_dependent_default_transport_maps search string that will  be
1815       used instead of the null sender address.
1816
1817       This feature is available in Postfix 2.7 and later.
1818

empty_address_recipient (default: MAILER-DAEMON)

1820       The  recipient of mail addressed to the null address.  Postfix does not
1821       accept such addresses in SMTP commands, but they may still  be  created
1822       locally as the result of configuration or software error.
1823

empty_address_relayhost_maps_lookup_key (default: <>)

1825       The  sender_dependent_relayhost_maps  search  string  that will be used
1826       instead of the null sender address.
1827
1828       This feature is available in Postfix 2.5 and later. With  earlier  ver‐
1829       sions,  sender_dependent_relayhost_maps  lookups  were  skipped for the
1830       null sender address.
1831

enable_errors_to (default: no)

1833       Report mail delivery errors to the address specified with the non-stan‐
1834       dard  Errors-To: message header, instead of the envelope sender address
1835       (this feature is removed with Postfix version 2.2,  is  turned  off  by
1836       default  with  Postfix  version 2.1, and is always turned on with older
1837       Postfix versions).
1838

enable_idna2003_compatibility (default: no)

1840       Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
1841       converting  UTF-8  domain names to/from the ASCII form that is used for
1842       DNS lookups. Specify "yes" for compatibility with Postfix <=  3.1  (not
1843       recommended).  This affects the conversion of domain names that contain
1844       for example  the  German  sz  and  the  Greek  zeta.   See  http://uni
1845       code.org/cldr/utility/idna.jsp for more examples.
1846
1847       This feature is available in Postfix 3.2 and later.
1848

enable_long_queue_ids (default: no)

1850       Enable  long, non-repeating, queue IDs (queue file names).  The benefit
1851       of non-repeating names is simpler logfile  analysis  and  easier  queue
1852       migration  (there  is  no  need to run "postsuper" to change queue file
1853       names that don't match their message file inode number).
1854
1855       Note: see below for how to convert long queue file names to Postfix  <=
1856       2.8.
1857
1858       Changing the parameter value to "yes" has the following effects:
1859
1860       ·      Existing queue file names are not affected.
1861
1862       ·      New  queue files are created with names such as 3Pt2mN2VXxznjll.
1863              These are encoded in a 52-character alphabet that contains  dig‐
1864              its  (0-9),  upper-case  letters  (B-Z)  and  lower-case letters
1865              (b-z). For safety reasons the vowels (AEIOUaeiou)  are  excluded
1866              from the alphabet.  The name format is: 6 or more characters for
1867              the time in seconds, 4 characters for the time in  microseconds,
1868              the  'z';  the remainder is the file inode number encoded in the
1869              first 51 characters of the 52-character alphabet.
1870
1871       ·      New messages have a Message-ID header with queueID@myhostname.
1872
1873       ·      The mailq (postqueue -p) output has a  wider  Queue  ID  column.
1874              The number of whitespace-separated fields is not changed.
1875
1876       ·      The  hash_queue_depth algorithm uses the first characters of the
1877              queue file creation time in microseconds, after conversion  into
1878              hexadecimal representation. This produces the same queue hashing
1879              behavior  as  if  the  queue  file   name   was   created   with
1880              "enable_long_queue_ids = no".
1881
1882       Changing the parameter value to "no" has the following effects:
1883
1884       ·      Existing  long  queue  file  names are renamed to the short form
1885              (while running "postfix reload" or "postsuper").
1886
1887       ·      New queue files are created with names such as C3CD21F3E90  from
1888              a hexadecimal alphabet that contains digits (0-9) and upper-case
1889              letters (A-F). The name format is: 5 characters for the time  in
1890              microseconds; the remainder is the file inode number.
1891
1892       ·      New   messages   have   a  Message-ID  header  with  YYYYMMDDHH‐
1893              MMSS.queueid@myhostname,  where  YYYYMMDDHHMMSS  are  the  year,
1894              month, day, hour, minute and second.
1895
1896       ·      The  mailq  (postqueue  -p)  output  has the same format as with
1897              Postfix <= 2.8.
1898
1899       ·      The hash_queue_depth algorithm uses the first characters of  the
1900              queue file name, with the hexadecimal representation of the file
1901              creation time in microseconds.
1902
1903       Before migration to Postfix <= 2.8, the following commands are required
1904       to convert long queue file names into short names:
1905
1906       # postfix stop
1907       # postconf enable_long_queue_ids=no
1908       # postsuper
1909
1910       Repeat  the  postsuper command until it reports no more queue file name
1911       changes.
1912
1913       This feature is available in Postfix 2.9 and later.
1914

enable_original_recipient (default: yes)

1916       Enable support for the original recipient address after an  address  is
1917       rewritten  to  a  different  address (for example with aliasing or with
1918       canonical mapping).
1919
1920       The original recipient address is used as follows:
1921
1922       Final delivery
1923              With "enable_original_recipient = yes", the  original  recipient
1924              address  is  stored  in  the  X-Original-To message header. This
1925              header may be used to distinguish between  different  recipients
1926              that share the same mailbox.
1927
1928       Recipient deduplication
1929              With  "enable_original_recipient  =  yes", the cleanup(8) daemon
1930              performs duplicate recipient elimination based on the content of
1931              (original  recipient,  maybe-rewritten recipient) pairs.  Other‐
1932              wise, the cleanup(8) daemon performs duplicate recipient  elimi‐
1933              nation based only on the maybe-rewritten recipient address.
1934
1935       Note:  with Postfix <= 3.2 the "setting enable_original_recipient = no"
1936       breaks address verification for addresses that are aliased or otherwise
1937       rewritten  (Postfix  is unable to store the address verification result
1938       under the original probe destination address; instead, it can store the
1939       result only under the rewritten address).
1940
1941       This feature is available in Postfix 2.1 and later. Postfix version 2.0
1942       behaves as if this parameter is always set to  yes.   Postfix  versions
1943       before 2.0 have no support for the original recipient address.
1944

error_notice_recipient (default: postmaster)

1946       The  recipient of postmaster notifications about mail delivery problems
1947       that are caused by  policy,  resource,  software  or  protocol  errors.
1948       These notifications are enabled with the notify_classes parameter.
1949

error_service_name (default: error)

1951       The  name  of  the  error(8) pseudo delivery agent. This service always
1952       returns mail as undeliverable.
1953
1954       This feature is available in Postfix 2.0 and later.
1955

execution_directory_expansion_filter (default: see postconf -d output)

1957       Restrict the characters that the  local(8)  delivery  agent  allows  in
1958       $name  expansions  of $command_execution_directory.  Characters outside
1959       the allowed set are replaced by underscores.
1960
1961       This feature is available in Postfix 2.2 and later.
1962

expand_owner_alias (default: no)

1964       When delivering to an alias "aliasname" that has  an  "owner-aliasname"
1965       companion  alias,  set  the envelope sender address to the expansion of
1966       the "owner-aliasname"  alias.   Normally,  Postfix  sets  the  envelope
1967       sender address to the name of the "owner-aliasname" alias.
1968

export_environment (default: see postconf -d output)

1970       The list of environment variables that a Postfix process will export to
1971       non-Postfix processes. The TZ variable is needed for sane time  keeping
1972       on System-V-ish systems.
1973
1974       Specify  a  list  of names and/or name=value pairs, separated by white‐
1975       space or comma. Specify "{ name=value }" to protect whitespace or comma
1976       in  parameter  values  (whitespace after the opening "{" and before the
1977       closing "}" is ignored). The form name=value is supported with  Postfix
1978       version  2.1 and later; the use of {} is supported with Postfix 3.0 and
1979       later.
1980
1981       Example:
1982
1983       export_environment = TZ PATH=/bin:/usr/bin
1984

extract_recipient_limit (default: 10240)

1986       The maximal number of recipient addresses  that  Postfix  will  extract
1987       from message headers when mail is submitted with "sendmail -t".
1988
1989       This feature was removed in Postfix version 2.1.
1990

fallback_relay (default: empty)

1992       Optional  list of relay hosts for SMTP destinations that can't be found
1993       or that are unreachable. With Postfix 2.3 this parameter is renamed  to
1994       smtp_fallback_relay.
1995
1996       By  default,  mail  is returned to the sender when a destination is not
1997       found, and delivery is deferred when a destination is unreachable.
1998
1999       The fallback relays must be SMTP destinations. Specify a domain,  host,
2000       host:port,  [host]:port,  [address]  or [address]:port; the form [host]
2001       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
2002       fix will try them in the specified order.
2003
2004       Note:  before  Postfix  2.2, do not use the fallback_relay feature when
2005       relaying mail for a backup  or  primary  MX  domain.  Mail  would  loop
2006       between  the Postfix MX host and the fallback_relay host when the final
2007       destination is unavailable.
2008
2009       ·      In main.cf specify "relay_transport = relay",
2010
2011       ·      In master.cf specify "-o fallback_relay =" (i.e., empty) at  the
2012              end of the relay entry.
2013
2014       ·      In transport maps, specify "relay:nexthop..."  as the right-hand
2015              side for backup or primary MX domain entries.
2016
2017       Postfix version 2.2 and later will not use the  fallback_relay  feature
2018       for destinations that it is MX host for.
2019

fallback_transport (default: empty)

2021       Optional  message  delivery  transport that the local(8) delivery agent
2022       should use for names that are not found in the aliases(5) or UNIX pass‐
2023       word database.
2024
2025       The  precedence  of  local(8)  delivery  features  from high to low is:
2026       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2027       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
2028       tory, fallback_transport_maps, fallback_transport and luser_relay.
2029

fallback_transport_maps (default: empty)

2031       Optional lookup tables with per-recipient message  delivery  transports
2032       for  recipients  that the local(8) delivery agent could not find in the
2033       aliases(5) or UNIX password database.
2034
2035       The precedence of local(8) delivery  features  from  high  to  low  is:
2036       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2037       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
2038       tory, fallback_transport_maps, fallback_transport and luser_relay.
2039
2040       For  safety  reasons, this feature does not allow $number substitutions
2041       in regular expression maps.
2042
2043       This feature is available in Postfix 2.3 and later.
2044

fast_flush_domains (default: $relay_domains)

2046       Optional list of destinations that  are  eligible  for  per-destination
2047       logfiles with mail that is queued to those destinations.
2048
2049       By  default,  Postfix maintains "fast flush" logfiles only for destina‐
2050       tions that the Postfix SMTP server is willing to  relay  to  (i.e.  the
2051       default    is:   "fast_flush_domains   =   $relay_domains";   see   the
2052       relay_domains parameter in the postconf(5) manual).
2053
2054       Specify a list of hosts or domains, "/file/name" patterns or  "type:ta‐
2055       ble"  lookup  tables,  separated by commas and/or whitespace.  Continue
2056       long lines by starting the next line with  whitespace.  A  "/file/name"
2057       pattern  is  replaced  by  its contents; a "type:table" lookup table is
2058       matched when the domain or its parent domain appears as lookup key.
2059
2060       Pattern matching of domain names  is  controlled  by  the  presence  or
2061       absence of "fast_flush_domains" in the parent_domain_matches_subdomains
2062       parameter value.
2063
2064       Specify "fast_flush_domains =" (i.e., empty)  to  disable  the  feature
2065       altogether.
2066

fast_flush_purge_time (default: 7d)

2068       The  time  after which an empty per-destination "fast flush" logfile is
2069       deleted.
2070
2071       You can specify the time as a number, or as a number followed by a let‐
2072       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2073       d=days, w=weeks.  The default time unit is days.
2074

fast_flush_refresh_time (default: 12h)

2076       The time after which  a  non-empty  but  unread  per-destination  "fast
2077       flush"  logfile  needs  to be refreshed.  The contents of a logfile are
2078       refreshed by requesting delivery of all messages listed in the logfile.
2079
2080       You can specify the time as a number, or as a number followed by a let‐
2081       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2082       d=days, w=weeks.  The default time unit is hours.
2083

fault_injection_code (default: 0)

2085       Force specific internal tests to fail, to test the handling  of  errors
2086       that are difficult to reproduce otherwise.
2087

flush_service_name (default: flush)

2089       The  name  of the flush(8) service. This service maintains per-destina‐
2090       tion logfiles with the queue file names of  mail  that  is  queued  for
2091       those destinations.
2092
2093       This feature is available in Postfix 2.0 and later.
2094

fork_attempts (default: 5)

2096       The maximal number of attempts to fork() a child process.
2097

fork_delay (default: 1s)

2099       The delay between attempts to fork() a child process.
2100
2101       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2102       The default time unit is s (seconds).
2103

forward_expansion_filter (default: see postconf -d output)

2105       Restrict the characters that the  local(8)  delivery  agent  allows  in
2106       $name  expansions of $forward_path.  Characters outside the allowed set
2107       are replaced by underscores.
2108

forward_path (default: see postconf -d output)

2110       The local(8) delivery agent search list for  finding  a  .forward  file
2111       with  user-specified  delivery methods. The first file that is found is
2112       used.
2113
2114       The forward_path value is not subject to Postfix configuration  parame‐
2115       ter  $name  expansion. Instead, the following $name expansions are done
2116       on forward_path before the search  actually  happens.   The  result  of
2117       $name  expansion  is  filtered with the character set that is specified
2118       with the forward_expansion_filter parameter.
2119
2120       $user  The recipient's username.
2121
2122       $shell The recipient's login shell pathname.
2123
2124       $home  The recipient's home directory.
2125
2126       $recipient
2127              The full recipient address.
2128
2129       $extension
2130              The optional recipient address extension.
2131
2132       $domain
2133              The recipient domain.
2134
2135       $local The entire recipient localpart.
2136
2137       $recipient_delimiter
2138              The address extension delimiter that was found in the  recipient
2139              address  (Postfix  2.11 and later), or the system-wide recipient
2140              address extension delimiter (Postfix 2.10 and earlier).
2141
2142       ${name?value}
2143              Expands to value when $name is non-empty.
2144
2145       ${name:value}
2146              Expands to value when $name is empty.
2147
2148       Instead of $name you can also specify ${name} or $(name).
2149
2150       Examples:
2151
2152       forward_path = /var/forward/$user
2153       forward_path =
2154           /var/forward/$user/.forward$recipient_delimiter$extension,
2155           /var/forward/$user/.forward
2156

frozen_delivered_to (default: yes)

2158       Update the local(8) delivery agent's idea of the Delivered-To:  address
2159       (see  prepend_delivered_header)  only  once, at the start of a delivery
2160       attempt; do  not  update  the  Delivered-To:  address  while  expanding
2161       aliases or .forward files.
2162
2163       This  feature is available in Postfix 2.3 and later. With older Postfix
2164       releases, the behavior is as if this parameter is set to "no". The  old
2165       setting  can be expensive with deeply nested aliases or .forward files.
2166       When an alias or .forward file changes the  Delivered-To:  address,  it
2167       ties  up  one queue file and one cleanup process instance while mail is
2168       being forwarded.
2169

hash_queue_depth (default: 1)

2171       The number of subdirectory levels for queue directories listed with the
2172       hash_queue_names  parameter.  Queue  hashing is implemented by creating
2173       one or more levels of directories  with  one-character  names.   Origi‐
2174       nally,  these directory names were equal to the first characters of the
2175       queue file name, with the hexadecimal representation of the  file  cre‐
2176       ation time in microseconds.
2177
2178       With  long queue file names, queue hashing produces the same results as
2179       with short names. The file creation time in microseconds  is  converted
2180       into hexadecimal form before the result is used for queue hashing.  The
2181       base 16 encoding gives finer control over the number of  subdirectories
2182       than is possible with the base 52 encoding of long queue file names.
2183
2184       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2185       cute the command "postfix reload".
2186

hash_queue_names (default: deferred, defer)

2188       The names of queue directories that are split across multiple subdirec‐
2189       tory levels.
2190
2191       Before  Postfix version 2.2, the default list of hashed queues was sig‐
2192       nificantly larger. Claims about improvements in file system  technology
2193       suggest  that  hashing  of  the incoming and active queues is no longer
2194       needed. Fewer hashed directories speed up the time  needed  to  restart
2195       Postfix.
2196
2197       After changing the hash_queue_names or hash_queue_depth parameter, exe‐
2198       cute the command "postfix reload".
2199

header_address_token_limit (default: 10240)

2201       The maximal number of address tokens are allowed in an address  message
2202       header.  Information that exceeds the limit is discarded.  The limit is
2203       enforced by the cleanup(8) server.
2204

header_checks (default: empty)

2206       Optional lookup tables for content inspection of primary non-MIME  mes‐
2207       sage headers, as specified in the header_checks(5) manual page.
2208

header_from_format (default: standard)

2210       The  format of the Postfix-generated From: header. This setting affects
2211       the appearance of 'full name' information when a local program such  as
2212       /bin/mail  submits  a  message without From: header through the Postfix
2213       sendmail(1) command.
2214
2215       Specify one of the following:
2216
2217       standard (default)
2218              Produce a header formatted as "From: name <address>".   This  is
2219              the default as of Postfix 3.3.
2220
2221       obsolete
2222              Produce  a  header  formatted as "From: address (name)". This is
2223              the behavior prior to Postfix 3.3.
2224
2225       Notes:
2226
2227       ·      Postfix generates the format "From: address" when name  informa‐
2228              tion  is  unavailable  or  the envelope sender address is empty.
2229              This is the same behavior as prior to Postfix 3.3.
2230
2231       ·      In the standard form, the name will be  quoted  if  it  contains
2232              specials as defined in RFC 5322, or the "!%" address operators.
2233
2234       ·      The  Postfix  sendmail(1) command gets name information from the
2235              -F command-line option, from the NAME environment  variable,  or
2236              from the UNIX password file.
2237
2238       This feature is available in Postfix 3.3 and later.
2239

header_size_limit (default: 102400)

2241       The maximal amount of memory in bytes for storing a message header.  If
2242       a header is larger, the excess is discarded.  The limit is enforced  by
2243       the cleanup(8) server.
2244

helpful_warnings (default: yes)

2246       Log  warnings  about  problematic  configuration  settings, and provide
2247       helpful suggestions.
2248
2249       This feature is available in Postfix 2.0 and later.
2250

home_mailbox (default: empty)

2252       Optional pathname of a mailbox file relative to a local(8) user's  home
2253       directory.
2254
2255       Specify a pathname ending in "/" for qmail-style delivery.
2256
2257       The  precedence  of  local(8)  delivery  features  from high to low is:
2258       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2259       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
2260       tory, fallback_transport_maps, fallback_transport and luser_relay.
2261
2262       Examples:
2263
2264       home_mailbox = Mailbox
2265       home_mailbox = Maildir/
2266

hopcount_limit (default: 50)

2268       The maximal number of Received:  message headers that is allowed in the
2269       primary  message  headers. A message that exceeds the limit is bounced,
2270       in order to stop a mailer loop.
2271

html_directory (default: see postconf -d output)

2273       The location of Postfix HTML files that describe how to build,  config‐
2274       ure or operate a specific Postfix subsystem or feature.
2275

ignore_mx_lookup_error (default: no)

2277       Ignore  DNS MX lookups that produce no response.  By default, the Post‐
2278       fix SMTP client defers delivery and tries again after some delay.  This
2279       behavior is required by the SMTP standard.
2280
2281       Specify  "ignore_mx_lookup_error  = yes" to force a DNS A record lookup
2282       instead. This violates the SMTP standard and can result in mis-delivery
2283       of mail.
2284

import_environment (default: see postconf -d output)

2286       The  list  of  environment parameters that a privileged Postfix process
2287       will import from a non-Postfix parent process, or  name=value  environ‐
2288       ment  overrides.   Unprivileged  utilities  will enforce the name=value
2289       overrides, but otherwise will not  change  their  process  environment.
2290       Examples of relevant parameters:
2291
2292       TZ     May  be  needed  for sane time keeping on most System-V-ish sys‐
2293              tems.
2294
2295       DISPLAY
2296              Needed for debugging Postfix daemons with an X-windows debugger.
2297
2298       XAUTHORITY
2299              Needed for debugging Postfix daemons with an X-windows debugger.
2300
2301       MAIL_CONFIG
2302              Needed to make "postfix -c" work.
2303
2304       Specify a list of names and/or name=value pairs,  separated  by  white‐
2305       space or comma. Specify "{ name=value }" to protect whitespace or comma
2306       in parameter values (whitespace after the opening "{"  and  before  the
2307       closing  "}" is ignored). The form name=value is supported with Postfix
2308       version 2.1 and later; the use of {} is supported with Postfix 3.0  and
2309       later.
2310

in_flow_delay (default: 1s)

2312       Time  to pause before accepting a new message, when the message arrival
2313       rate exceeds the message delivery rate. This feature is  turned  on  by
2314       default (it's disabled on SCO UNIX due to an SCO bug).
2315
2316       With  the default 100 Postfix SMTP server process limit, "in_flow_delay
2317       = 1s" limits the mail inflow to 100 messages per second above the  num‐
2318       ber of messages delivered per second.
2319
2320       Specify 0 to disable the feature. Valid delays are 0..10.
2321

inet_interfaces (default: all)

2323       The network interface addresses that this mail system receives mail on.
2324       Specify "all" to receive mail on all network interfaces (default),  and
2325       "loopback-only"  to  receive  mail  on loopback network interfaces only
2326       (Postfix version 2.2 and later).  The parameter also controls  delivery
2327       of mail to user@[ip.address].
2328
2329       Note 1: you need to stop and start Postfix when this parameter changes.
2330
2331       Note 2: address information may be enclosed inside [], but this form is
2332       not required here.
2333
2334       When inet_interfaces specifies just one IPv4 and/or IPv6  address  that
2335       is  not  a  loopback  address,  the  Postfix  SMTP client will use this
2336       address as the IP source address for outbound mail. Support for IPv6 is
2337       available in Postfix version 2.2 and later.
2338
2339       On  a multi-homed firewall with separate Postfix instances listening on
2340       the "inside" and "outside" interfaces, this can prevent  each  instance
2341       from being able to reach remote SMTP servers on the "other side" of the
2342       firewall. Setting smtp_bind_address to  0.0.0.0  avoids  the  potential
2343       problem for IPv4, and setting smtp_bind_address6 to :: solves the prob‐
2344       lem for IPv6.
2345
2346       A better solution for multi-homed firewalls is to leave inet_interfaces
2347       at  the default value and instead use explicit IP addresses in the mas‐
2348       ter.cf SMTP  server  definitions.   This  preserves  the  Postfix  SMTP
2349       client's  loop  detection,  by  ensuring that each side of the firewall
2350       knows that the other  IP  address  is  still  the  same  host.  Setting
2351       $inet_interfaces to a single IPv4 and/or IPV6 address is primarily use‐
2352       ful with virtual hosting of domains on  secondary  IP  addresses,  when
2353       each IP address serves a different domain (and has a different $myhost‐
2354       name setting).
2355
2356       See also the proxy_interfaces parameter, for network addresses that are
2357       forwarded to Postfix by way of a proxy or address translator.
2358
2359       Examples:
2360
2361       inet_interfaces = all (DEFAULT)
2362       inet_interfaces = loopback-only (Postfix version 2.2 and later)
2363       inet_interfaces = 127.0.0.1
2364       inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
2365       inet_interfaces = 192.168.1.2, 127.0.0.1
2366

inet_protocols (default: all)

2368       The  Internet  protocols  Postfix  will  attempt  to use when making or
2369       accepting connections. Specify one or more of "ipv4" or  "ipv6",  sepa‐
2370       rated  by  whitespace or commas. The form "all" is equivalent to "ipv4,
2371       ipv6" or "ipv4", depending on whether the operating  system  implements
2372       IPv6.
2373
2374       With  Postfix 2.8 and earlier the default is "ipv4". For backwards com‐
2375       patibility with these releases, the Postfix 2.9 and later upgrade  pro‐
2376       cedure  appends  an explicit "inet_protocols = ipv4" setting to main.cf
2377       when no explicit setting is present. This compatibility workaround will
2378       be phased out as IPv6 deployment becomes more common.
2379
2380       This feature is available in Postfix 2.2 and later.
2381
2382       Note: you MUST stop and start Postfix after changing this parameter.
2383
2384       On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
2385       will also accept IPv4 connections, even when IPv4 is  turned  off  with
2386       the  inet_protocols  parameter.   On  systems with IPV6_V6ONLY support,
2387       Postfix will use separate server sockets for IPv6 and  IPv4,  and  each
2388       will accept only connections for the corresponding protocol.
2389
2390       When  IPv4 support is enabled via the inet_protocols parameter, Postfix
2391       will look up DNS type A records, and will convert  IPv4-in-IPv6  client
2392       IP  addresses  (::ffff:1.2.3.4)  to their original IPv4 form (1.2.3.4).
2393       The latter is needed on hosts that pre-date  IPV6_V6ONLY  support  (RFC
2394       3493).
2395
2396       When  IPv6 support is enabled via the inet_protocols parameter, Postfix
2397       will do DNS type AAAA record lookups.
2398
2399       When both IPv4 and IPv6 support are enabled, the  Postfix  SMTP  client
2400       will  choose the protocol as specified with the smtp_address_preference
2401       parameter. Postfix versions before 2.8  attempt  to  connect  via  IPv6
2402       before attempting to use IPv4.
2403
2404       Examples:
2405
2406       inet_protocols = ipv4
2407       inet_protocols = all (DEFAULT)
2408       inet_protocols = ipv6
2409       inet_protocols = ipv4, ipv6
2410

initial_destination_concurrency (default: 5)

2412       The  initial per-destination concurrency level for parallel delivery to
2413       the same destination.  With per-destination recipient limit > 1, a des‐
2414       tination is a domain, otherwise it is a recipient.
2415
2416       Use   transport_initial_destination_concurrency  to  specify  a  trans‐
2417       port-specific override, where transport is the master.cf  name  of  the
2418       message delivery transport (Postfix 2.5 and later).
2419
2420       Warning:  with concurrency of 1, one bad message can be enough to block
2421       all mail to a site.
2422

internal_mail_filter_classes (default: empty)

2424       What categories of Postfix-generated mail are subject  to  before-queue
2425       content inspection by non_smtpd_milters, header_checks and body_checks.
2426       Specify zero or more of  the  following,  separated  by  whitespace  or
2427       comma.
2428
2429       bounce Inspect the content of delivery status notifications.
2430
2431       notify Inspect  the  content of postmaster notifications by the smtp(8)
2432              and smtpd(8) processes.
2433
2434       NOTE: It's generally not safe to enable  content  inspection  of  Post‐
2435       fix-generated email messages. The user is warned.
2436
2437       This feature is available in Postfix 2.3 and later.
2438

invalid_hostname_reject_code (default: 501)

2440       The numerical Postfix SMTP server response code when the client HELO or
2441       EHLO command parameter is rejected by the  reject_invalid_helo_hostname
2442       restriction.
2443
2444       Do  not  change  this  unless  you have a complete understanding of RFC
2445       5321.
2446

ipc_idle (default: version dependent)

2448       The time after which a client closes  an  idle  internal  communication
2449       channel.  The purpose is to allow Postfix daemon processes to terminate
2450       voluntarily after they become idle. This is used, for example,  by  the
2451       Postfix address resolving and rewriting clients.
2452
2453       With Postfix 2.4 the default value was reduced from 100s to 5s.
2454
2455       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2456       The default time unit is s (seconds).
2457

ipc_timeout (default: 3600s)

2459       The time limit for sending or receiving information  over  an  internal
2460       communication  channel.  The purpose is to break out of deadlock situa‐
2461       tions. If the time limit is exceeded the software aborts with  a  fatal
2462       error.
2463
2464       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2465       The default time unit is s (seconds).
2466

ipc_ttl (default: 1000s)

2468       The time after which a client closes an active  internal  communication
2469       channel.  The purpose is to allow Postfix daemon processes to terminate
2470       voluntarily after reaching their client limit.  This is used, for exam‐
2471       ple, by the Postfix address resolving and rewriting clients.
2472
2473       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2474       The default time unit is s (seconds).
2475
2476       This feature is available in Postfix 2.1 and later.
2477

line_length_limit (default: 2048)

2479       Upon input, long lines are chopped up  into  pieces  of  at  most  this
2480       length; upon delivery, long lines are reconstructed.
2481

lmdb_map_size (default: 16777216)

2483       The  initial  OpenLDAP  LMDB database size limit in bytes.  Each time a
2484       database becomes full, its size limit is doubled.
2485
2486       This feature is available in Postfix 2.11 and later.
2487

lmtp_address_preference (default: ipv6)

2489       The LMTP-specific version of the smtp_address_preference  configuration
2490       parameter.  See there for details.
2491
2492       This feature is available in Postfix 2.8 and later.
2493

lmtp_address_verify_target (default: rcpt)

2495       The  LMTP-specific version of the smtp_address_verify_target configura‐
2496       tion parameter.  See there for details.
2497
2498       This feature is available in Postfix 3.0 and later.
2499

lmtp_assume_final (default: no)

2501       When a remote LMTP server announces no DSN  support,  assume  that  the
2502       server  performs  final  delivery, and send "delivered" delivery status
2503       notifications instead of "relayed". The default  setting  is  backwards
2504       compatible  to avoid the infinitesimal possibility of breaking existing
2505       LMTP-based content filters.
2506

lmtp_balance_inet_protocols (default: yes)

2508       The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2509       tion parameter. See there for details.
2510
2511       This feature is available in Postfix 3.3 and later.
2512

lmtp_bind_address (default: empty)

2514       The LMTP-specific version of the smtp_bind_address configuration param‐
2515       eter.  See there for details.
2516
2517       This feature is available in Postfix 2.3 and later.
2518

lmtp_bind_address6 (default: empty)

2520       The  LMTP-specific  version  of  the  smtp_bind_address6  configuration
2521       parameter.  See there for details.
2522
2523       This feature is available in Postfix 2.3 and later.
2524

lmtp_body_checks (default: empty)

2526       The LMTP-specific version of the smtp_body_checks configuration parame‐
2527       ter. See there for details.
2528
2529       This feature is available in Postfix 2.5 and later.
2530

lmtp_cache_connection (default: yes)

2532       Keep Postfix LMTP client connections open for up to $max_idle  seconds.
2533       When  the  LMTP  client  receives a request for the same connection the
2534       connection is reused.
2535
2536       This parameter is available in Postfix version 2.2 and  earlier.   With
2537       Postfix  version  2.3  and  later, see lmtp_connection_cache_on_demand,
2538       lmtp_connection_cache_destinations,       or        lmtp_connection_re‐
2539       use_time_limit.
2540
2541       The  effectiveness of cached connections will be determined by the num‐
2542       ber of remote LMTP servers in use, and the concurrency limit  specified
2543       for the Postfix LMTP client. Cached connections are closed under any of
2544       the following conditions:
2545
2546       ·      The Postfix LMTP client idle time limit is reached.  This  limit
2547              is specified with the Postfix max_idle configuration parameter.
2548
2549       ·      A  delivery  request  specifies a different destination than the
2550              one currently cached.
2551
2552       ·      The per-process limit on the  number  of  delivery  requests  is
2553              reached.   This limit is specified with the Postfix max_use con‐
2554              figuration parameter.
2555
2556       ·      Upon the onset of another  delivery  request,  the  remote  LMTP
2557              server  associated  with the current session does not respond to
2558              the RSET command.
2559
2560       Most of these limitations have been with the Postfix a connection cache
2561       that is shared among multiple LMTP client programs.
2562

lmtp_cname_overrides_servername (default: yes)

2564       The  LMTP-specific  version of the smtp_cname_overrides_servername con‐
2565       figuration parameter.  See there for details.
2566
2567       This feature is available in Postfix 2.3 and later.
2568

lmtp_connect_timeout (default: 0s)

2570       The Postfix LMTP client time limit for completing a TCP connection,  or
2571       zero  (use  the operating system built-in time limit).  When no connec‐
2572       tion can be made within the deadline, the LMTP client  tries  the  next
2573       address on the mail exchanger list.
2574
2575       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2576       The default time unit is s (seconds).
2577
2578       Example:
2579
2580       lmtp_connect_timeout = 30s
2581

lmtp_connection_cache_destinations (default: empty)

2583       The LMTP-specific  version  of  the  smtp_connection_cache_destinations
2584       configuration parameter.  See there for details.
2585
2586       This feature is available in Postfix 2.3 and later.
2587

lmtp_connection_cache_on_demand (default: yes)

2589       The  LMTP-specific  version of the smtp_connection_cache_on_demand con‐
2590       figuration parameter.  See there for details.
2591
2592       This feature is available in Postfix 2.3 and later.
2593

lmtp_connection_cache_time_limit (default: 2s)

2595       The LMTP-specific version of the smtp_connection_cache_time_limit  con‐
2596       figuration parameter.  See there for details.
2597
2598       This feature is available in Postfix 2.3 and later.
2599

lmtp_connection_reuse_count_limit (default: 0)

2601       The LMTP-specific version of the smtp_connection_reuse_count_limit con‐
2602       figuration parameter.  See there for details.
2603
2604       This feature is available in Postfix 2.11 and later.
2605

lmtp_connection_reuse_time_limit (default: 300s)

2607       The LMTP-specific version of the smtp_connection_reuse_time_limit  con‐
2608       figuration parameter.  See there for details.
2609
2610       This feature is available in Postfix 2.3 and later.
2611

lmtp_data_done_timeout (default: 600s)

2613       The  Postfix  LMTP  client time limit for sending the LMTP ".", and for
2614       receiving the  remote  LMTP  server  response.   When  no  response  is
2615       received  within the deadline, a warning is logged that the mail may be
2616       delivered multiple times.
2617
2618       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2619       The default time unit is s (seconds).
2620

lmtp_data_init_timeout (default: 120s)

2622       The  Postfix  LMTP client time limit for sending the LMTP DATA command,
2623       and for receiving the remote LMTP server response.
2624
2625       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2626       The default time unit is s (seconds).
2627

lmtp_data_xfer_timeout (default: 180s)

2629       The  Postfix  LMTP  client time limit for sending the LMTP message con‐
2630       tent.  When the connection stalls for more than $lmtp_data_xfer_timeout
2631       the LMTP client terminates the transfer.
2632
2633       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2634       The default time unit is s (seconds).
2635

lmtp_defer_if_no_mx_address_found (default: no)

2637       The LMTP-specific version of the smtp_defer_if_no_mx_address_found con‐
2638       figuration parameter.  See there for details.
2639
2640       This feature is available in Postfix 2.3 and later.
2641

lmtp_delivery_status_filter (default: empty)

2643       The LMTP-specific version of the smtp_delivery_status_filter configura‐
2644       tion parameter.  See there for details.
2645
2646       This feature is available in Postfix 3.0 and later.
2647

lmtp_destination_concurrency_limit (default: $default_destination_concur‐

2649       rency_limit)
2650       The  maximal  number of parallel deliveries to the same destination via
2651       the lmtp message delivery transport. This  limit  is  enforced  by  the
2652       queue  manager.  The message delivery transport name is the first field
2653       in the entry in the master.cf file.
2654

lmtp_destination_recipient_limit (default: $default_destination_recipi‐

2656       ent_limit)
2657       The  maximal  number  of  recipients  per  message for the lmtp message
2658       delivery transport. This limit is enforced by the  queue  manager.  The
2659       message  delivery transport name is the first field in the entry in the
2660       master.cf file.
2661
2662       Setting this parameter to a value of 1 changes the meaning of lmtp_des‐
2663       tination_concurrency_limit from concurrency per domain into concurrency
2664       per recipient.
2665

lmtp_discard_lhlo_keyword_address_maps (default: empty)

2667       Lookup tables, indexed by the remote LMTP  server  address,  with  case
2668       insensitive  lists  of LHLO keywords (pipelining, starttls, auth, etc.)
2669       that the Postfix LMTP client will ignore in the LHLO  response  from  a
2670       remote LMTP server. See lmtp_discard_lhlo_keywords for details. The ta‐
2671       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
2672       card_ehlo_keyword_address_maps.
2673
2674       This feature is available in Postfix 2.3 and later.
2675

lmtp_discard_lhlo_keywords (default: empty)

2677       A  case  insensitive list of LHLO keywords (pipelining, starttls, auth,
2678       etc.) that the Postfix LMTP client will ignore  in  the  LHLO  response
2679       from a remote LMTP server.
2680
2681       This feature is available in Postfix 2.3 and later.
2682
2683       Notes:
2684
2685       ·      Specify the silent-discard pseudo keyword to prevent this action
2686              from being logged.
2687
2688       ·      Use the lmtp_discard_lhlo_keyword_address_maps feature  to  dis‐
2689              card LHLO keywords selectively.
2690

lmtp_dns_reply_filter (default: empty)

2692       Optional  filter  for  Postfix  LMTP  client  DNS  lookup results.  See
2693       smtp_dns_reply_filter for details including an example.
2694
2695       This feature is available in Postfix 3.0 and later.
2696

lmtp_dns_resolver_options (default: empty)

2698       The LMTP-specific version of the  smtp_dns_resolver_options  configura‐
2699       tion parameter.  See there for details.
2700
2701       This feature is available in Postfix 2.8 and later.
2702

lmtp_dns_support_level (default: empty)

2704       The  LMTP-specific  version of the smtp_dns_support_level configuration
2705       parameter.  See there for details.
2706
2707       This feature is available in Postfix 2.11 and later.
2708

lmtp_enforce_tls (default: no)

2710       The LMTP-specific version of the smtp_enforce_tls configuration parame‐
2711       ter.  See there for details.
2712
2713       This feature is available in Postfix 2.3 and later.
2714

lmtp_fallback_relay (default: empty)

2716       Optional  list of relay hosts for LMTP destinations that can't be found
2717       or that are unreachable.  In main.cf elements are separated  by  white‐
2718       space or commas.
2719
2720       By  default,  mail  is returned to the sender when a destination is not
2721       found, and delivery is deferred when a destination is unreachable.
2722
2723       The fallback relays must be TCP destinations, specified without a lead‐
2724       ing  "inet:" prefix.  Specify a host or host:port.  Since MX lookups do
2725       not apply  with  LMTP,  there  is  no  need  to  use  the  "[host]"  or
2726       "[host]:port"  forms.  If you specify multiple LMTP destinations, Post‐
2727       fix will try them in the specified order.
2728
2729       This feature is available in Postfix 3.1 and later.
2730

lmtp_generic_maps (default: empty)

2732       The LMTP-specific version of the smtp_generic_maps configuration param‐
2733       eter.  See there for details.
2734
2735       This feature is available in Postfix 2.3 and later.
2736

lmtp_header_checks (default: empty)

2738       The  LMTP-specific  version  of  the  smtp_header_checks  configuration
2739       parameter. See there for details.
2740
2741       This feature is available in Postfix 2.5 and later.
2742

lmtp_host_lookup (default: dns)

2744       The LMTP-specific version of the smtp_host_lookup configuration parame‐
2745       ter.  See there for details.
2746
2747       This feature is available in Postfix 2.3 and later.
2748

lmtp_lhlo_name (default: $myhostname)

2750       The hostname to send in the LMTP LHLO command.
2751
2752       The  default  value  is  the  machine  hostname.  Specify a hostname or
2753       [ip.add.re.ss].
2754
2755       This information can be specified in the  main.cf  file  for  all  LMTP
2756       clients,  or  it  can be specified in the master.cf file for a specific
2757       client, for example:
2758
2759           /etc/postfix/master.cf:
2760               mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
2761
2762       This feature is available in Postfix 2.3 and later.
2763

lmtp_lhlo_timeout (default: 300s)

2765       The Postfix LMTP client time limit for sending the  LHLO  command,  and
2766       for receiving the initial remote LMTP server response.
2767
2768       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2769       The default time unit is s (seconds).
2770

lmtp_line_length_limit (default: 990)

2772       The LMTP-specific version of the  smtp_line_length_limit  configuration
2773       parameter.  See there for details.
2774
2775       This feature is available in Postfix 2.3 and later.
2776

lmtp_mail_timeout (default: 300s)

2778       The  Postfix  LMTP client time limit for sending the MAIL FROM command,
2779       and for receiving the remote LMTP server response.
2780
2781       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2782       The default time unit is s (seconds).
2783

lmtp_mime_header_checks (default: empty)

2785       The  LMTP-specific version of the smtp_mime_header_checks configuration
2786       parameter. See there for details.
2787
2788       This feature is available in Postfix 2.5 and later.
2789

lmtp_mx_address_limit (default: 5)

2791       The LMTP-specific version of  the  smtp_mx_address_limit  configuration
2792       parameter.  See there for details.
2793
2794       This feature is available in Postfix 2.3 and later.
2795

lmtp_mx_session_limit (default: 2)

2797       The  LMTP-specific  version  of the smtp_mx_session_limit configuration
2798       parameter.  See there for details.
2799
2800       This feature is available in Postfix 2.3 and later.
2801

lmtp_nested_header_checks (default: empty)

2803       The LMTP-specific version of the  smtp_nested_header_checks  configura‐
2804       tion parameter. See there for details.
2805
2806       This feature is available in Postfix 2.5 and later.
2807

lmtp_per_record_deadline (default: no)

2809       The LMTP-specific version of the smtp_per_record_deadline configuration
2810       parameter.  See there for details.
2811
2812       This feature is available in Postfix 2.9 and later.
2813

lmtp_pix_workaround_delay_time (default: 10s)

2815       The LMTP-specific version of the smtp_pix_workaround_delay_time config‐
2816       uration parameter.  See there for details.
2817
2818       This feature is available in Postfix 2.3 and later.
2819

lmtp_pix_workaround_maps (default: empty)

2821       The LMTP-specific version of the smtp_pix_workaround_maps configuration
2822       parameter.  See there for details.
2823
2824       This feature is available in Postfix 2.4 and later.
2825

lmtp_pix_workaround_threshold_time (default: 500s)

2827       The LMTP-specific  version  of  the  smtp_pix_workaround_threshold_time
2828       configuration parameter.  See there for details.
2829
2830       This feature is available in Postfix 2.3 and later.
2831

lmtp_pix_workarounds (default: empty)

2833       The  LMTP-specific  version  of  the  smtp_pix_workaround configuration
2834       parameter.  See there for details.
2835
2836       This feature is available in Postfix 2.4 and later.
2837

lmtp_quit_timeout (default: 300s)

2839       The Postfix LMTP client time limit for sending the  QUIT  command,  and
2840       for receiving the remote LMTP server response.
2841
2842       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2843       The default time unit is s (seconds).
2844

lmtp_quote_rfc821_envelope (default: yes)

2846       The LMTP-specific version of the smtp_quote_rfc821_envelope  configura‐
2847       tion parameter.  See there for details.
2848
2849       This feature is available in Postfix 2.3 and later.
2850

lmtp_randomize_addresses (default: yes)

2852       The LMTP-specific version of the smtp_randomize_addresses configuration
2853       parameter.  See there for details.
2854
2855       This feature is available in Postfix 2.3 and later.
2856

lmtp_rcpt_timeout (default: 300s)

2858       The Postfix LMTP client time limit for sending the RCPT TO command, and
2859       for receiving the remote LMTP server response.
2860
2861       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2862       The default time unit is s (seconds).
2863

lmtp_reply_filter (default: empty)

2865       The LMTP-specific version of the smtp_reply_filter configuration param‐
2866       eter.  See there for details.
2867
2868       This feature is available in Postfix 2.7 and later.
2869

lmtp_rset_timeout (default: 20s)

2871       The  Postfix  LMTP  client time limit for sending the RSET command, and
2872       for receiving the remote LMTP server response. The  LMTP  client  sends
2873       RSET  in order to finish a recipient address probe, or to verify that a
2874       cached connection is still alive.
2875
2876       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2877       The default time unit is s (seconds).
2878

lmtp_sasl_auth_cache_name (default: empty)

2880       The  LMTP-specific  version of the smtp_sasl_auth_cache_name configura‐
2881       tion parameter.  See there for details.
2882
2883       This feature is available in Postfix 2.5 and later.
2884

lmtp_sasl_auth_cache_time (default: 90d)

2886       The LMTP-specific version of the  smtp_sasl_auth_cache_time  configura‐
2887       tion parameter.  See there for details.
2888
2889       This feature is available in Postfix 2.5 and later.
2890

lmtp_sasl_auth_enable (default: no)

2892       Enable SASL authentication in the Postfix LMTP client.
2893

lmtp_sasl_auth_soft_bounce (default: yes)

2895       The  LMTP-specific version of the smtp_sasl_auth_soft_bounce configura‐
2896       tion parameter.  See there for details.
2897
2898       This feature is available in Postfix 2.5 and later.
2899

lmtp_sasl_mechanism_filter (default: empty)

2901       The LMTP-specific version of the smtp_sasl_mechanism_filter  configura‐
2902       tion parameter.  See there for details.
2903
2904       This feature is available in Postfix 2.3 and later.
2905

lmtp_sasl_password_maps (default: empty)

2907       Optional  Postfix  LMTP client lookup tables with one username:password
2908       entry per host or domain.  If a remote host  or  domain  has  no  user‐
2909       name:password  entry,  then the Postfix LMTP client will not attempt to
2910       authenticate to the remote host.
2911

lmtp_sasl_path (default: empty)

2913       Implementation-specific information that is passed through to the  SASL
2914       plug-in implementation that is selected with lmtp_sasl_type.  Typically
2915       this specifies the name of a configuration file or rendezvous point.
2916
2917       This feature is available in Postfix 2.3 and later.
2918

lmtp_sasl_security_options (default: noplaintext, noanonymous)

2920       SASL security options; as of Postfix 2.3 the list of available features
2921       depends  on  the  SASL  client  implementation  that  is  selected with
2922       lmtp_sasl_type.
2923
2924       The following security features are defined for the cyrus  client  SASL
2925       implementation:
2926
2927       noplaintext
2928              Disallow authentication methods that use plaintext passwords.
2929
2930       noactive
2931              Disallow  authentication methods that are vulnerable to non-dic‐
2932              tionary active attacks.
2933
2934       nodictionary
2935              Disallow authentication methods that are vulnerable  to  passive
2936              dictionary attack.
2937
2938       noanonymous
2939              Disallow anonymous logins.
2940
2941       Example:
2942
2943       lmtp_sasl_security_options = noplaintext
2944

lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)

2946       The LMTP-specific version of the smtp_sasl_tls_security_options config‐
2947       uration parameter.  See there for details.
2948
2949       This feature is available in Postfix 2.3 and later.
2950

lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_secu‐

2952       rity_options)
2953       The   LMTP-specific   version   of   the   smtp_sasl_tls_verified_secu‐
2954       rity_options configuration parameter.  See there for details.
2955
2956       This feature is available in Postfix 2.3 and later.
2957

lmtp_sasl_type (default: cyrus)

2959       The SASL plug-in type that the  Postfix  LMTP  client  should  use  for
2960       authentication.   The available types are listed with the "postconf -A"
2961       command.
2962
2963       This feature is available in Postfix 2.3 and later.
2964

lmtp_send_dummy_mail_auth (default: no)

2966       The LMTP-specific version of the  smtp_send_dummy_mail_auth  configura‐
2967       tion parameter.  See there for details.
2968
2969       This feature is available in Postfix 2.9 and later.
2970

lmtp_send_xforward_command (default: no)

2972       Send  an  XFORWARD command to the remote LMTP server when the LMTP LHLO
2973       server response announces XFORWARD support.   This  allows  an  lmtp(8)
2974       delivery  agent,  used for content filter message injection, to forward
2975       the name, address, protocol and HELO name of the original client to the
2976       content  filter  and downstream queuing LMTP server.  Before you change
2977       the value to yes, it is best to make sure that your content filter sup‐
2978       ports this command.
2979
2980       This feature is available in Postfix 2.1 and later.
2981

lmtp_sender_dependent_authentication (default: no)

2983       The  LMTP-specific  version of the smtp_sender_dependent_authentication
2984       configuration parameter.  See there for details.
2985
2986       This feature is available in Postfix 2.3 and later.
2987

lmtp_skip_5xx_greeting (default: yes)

2989       The LMTP-specific version of the  smtp_skip_5xx_greeting  configuration
2990       parameter.  See there for details.
2991
2992       This feature is available in Postfix 2.3 and later.
2993

lmtp_skip_quit_response (default: no)

2995       Wait for the response to the LMTP QUIT command.
2996

lmtp_starttls_timeout (default: 300s)

2998       The  LMTP-specific  version  of the smtp_starttls_timeout configuration
2999       parameter.  See there for details.
3000
3001       This feature is available in Postfix 2.3 and later.
3002

lmtp_tcp_port (default: 24)

3004       The default TCP port that the Postfix LMTP client connects to.  Specify
3005       a symbolic name (see services(5)) or a numeric port.
3006

lmtp_tls_CAfile (default: empty)

3008       The  LMTP-specific version of the smtp_tls_CAfile configuration parame‐
3009       ter.  See there for details.
3010
3011       This feature is available in Postfix 2.3 and later.
3012

lmtp_tls_CApath (default: empty)

3014       The LMTP-specific version of the smtp_tls_CApath configuration  parame‐
3015       ter.  See there for details.
3016
3017       This feature is available in Postfix 2.3 and later.
3018

lmtp_tls_block_early_mail_reply (default: empty)

3020       The  LMTP-specific  version of the smtp_tls_block_early_mail_reply con‐
3021       figuration parameter.  See there for details.
3022
3023       This feature is available in Postfix 2.7 and later.
3024

lmtp_tls_cert_file (default: empty)

3026       The  LMTP-specific  version  of  the  smtp_tls_cert_file  configuration
3027       parameter.  See there for details.
3028
3029       This feature is available in Postfix 2.3 and later.
3030

lmtp_tls_chain_files (default: empty)

3032       The  LMTP-specific  version  of  the smtp_tls_chain_files configuration
3033       parameter. See there for details.
3034
3035       This feature is available in Postfix 3.4 and later.
3036

lmtp_tls_ciphers (default: medium)

3038       The LMTP-specific version of the smtp_tls_ciphers configuration parame‐
3039       ter. See there for details.
3040
3041       This feature is available in Postfix 2.6 and later.
3042

lmtp_tls_connection_reuse (default: no)

3044       The  LMTP-specific  version of the smtp_tls_connection_reuse configura‐
3045       tion parameter. See there for details.
3046
3047       This feature is available in Postfix 3.4 and later.
3048

lmtp_tls_dcert_file (default: empty)

3050       The LMTP-specific  version  of  the  smtp_tls_dcert_file  configuration
3051       parameter.  See there for details.
3052
3053       This feature is available in Postfix 2.3 and later.
3054

lmtp_tls_dkey_file (default: $lmtp_tls_dcert_file)

3056       The  LMTP-specific  version  of  the  smtp_tls_dkey_file  configuration
3057       parameter.  See there for details.
3058
3059       This feature is available in Postfix 2.3 and later.
3060

lmtp_tls_eccert_file (default: empty)

3062       The LMTP-specific version  of  the  smtp_tls_eccert_file  configuration
3063       parameter.  See there for details.
3064
3065       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3066       compiled and linked with OpenSSL 1.0.0 or later.
3067

lmtp_tls_eckey_file (default: empty)

3069       The LMTP-specific  version  of  the  smtp_tls_eckey_file  configuration
3070       parameter.  See there for details.
3071
3072       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
3073       compiled and linked with OpenSSL 1.0.0 or later.
3074

lmtp_tls_enforce_peername (default: yes)

3076       The LMTP-specific version of the  smtp_tls_enforce_peername  configura‐
3077       tion parameter.  See there for details.
3078
3079       This feature is available in Postfix 2.3 and later.
3080

lmtp_tls_exclude_ciphers (default: empty)

3082       The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
3083       parameter.  See there for details.
3084
3085       This feature is available in Postfix 2.3 and later.
3086

lmtp_tls_fingerprint_cert_match (default: empty)

3088       The LMTP-specific version of the  smtp_tls_fingerprint_cert_match  con‐
3089       figuration parameter.  See there for details.
3090
3091       This feature is available in Postfix 2.5 and later.
3092

lmtp_tls_fingerprint_digest (default: md5)

3094       The LMTP-specific version of the smtp_tls_fingerprint_digest configura‐
3095       tion parameter.  See there for details.
3096
3097       This feature is available in Postfix 2.5 and later.
3098

lmtp_tls_force_insecure_host_tlsa_lookup (default: no)

3100       The    LMTP-specific    version     of     the     smtp_tls_force_inse‐
3101       cure_host_tlsa_lookup configuration parameter.  See there for details.
3102
3103       This feature is available in Postfix 2.11 and later.
3104

lmtp_tls_key_file (default: $lmtp_tls_cert_file)

3106       The LMTP-specific version of the smtp_tls_key_file configuration param‐
3107       eter.  See there for details.
3108
3109       This feature is available in Postfix 2.3 and later.
3110

lmtp_tls_loglevel (default: 0)

3112       The LMTP-specific version of the smtp_tls_loglevel configuration param‐
3113       eter.  See there for details.
3114
3115       This feature is available in Postfix 2.3 and later.
3116

lmtp_tls_mandatory_ciphers (default: medium)

3118       The  LMTP-specific version of the smtp_tls_mandatory_ciphers configura‐
3119       tion parameter.  See there for details.
3120
3121       This feature is available in Postfix 2.3 and later.
3122

lmtp_tls_mandatory_exclude_ciphers (default: empty)

3124       The LMTP-specific  version  of  the  smtp_tls_mandatory_exclude_ciphers
3125       configuration parameter.  See there for details.
3126
3127       This feature is available in Postfix 2.3 and later.
3128

lmtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

3130       The  LMTP-specific version of the smtp_tls_mandatory_protocols configu‐
3131       ration parameter. See there for details.
3132
3133       This feature is available in Postfix 2.3 and later.
3134

lmtp_tls_note_starttls_offer (default: no)

3136       The LMTP-specific version of the smtp_tls_note_starttls_offer  configu‐
3137       ration parameter.  See there for details.
3138
3139       This feature is available in Postfix 2.3 and later.
3140

lmtp_tls_per_site (default: empty)

3142       The LMTP-specific version of the smtp_tls_per_site configuration param‐
3143       eter.  See there for details.
3144
3145       This feature is available in Postfix 2.3 and later.
3146

lmtp_tls_policy_maps (default: empty)

3148       The LMTP-specific version  of  the  smtp_tls_policy_maps  configuration
3149       parameter. See there for details.
3150
3151       This feature is available in Postfix 2.3 and later.
3152

lmtp_tls_protocols (default: !SSLv2, !SSLv3)

3154       The  LMTP-specific  version  of  the  smtp_tls_protocols  configuration
3155       parameter. See there for details.
3156
3157       This feature is available in Postfix 2.6 and later.
3158

lmtp_tls_scert_verifydepth (default: 9)

3160       The LMTP-specific version of the smtp_tls_scert_verifydepth  configura‐
3161       tion parameter.  See there for details.
3162
3163       This feature is available in Postfix 2.3 and later.
3164

lmtp_tls_secure_cert_match (default: nexthop)

3166       The  LMTP-specific version of the smtp_tls_secure_cert_match configura‐
3167       tion parameter. See there for details.
3168
3169       This feature is available in Postfix 2.3 and later.
3170

lmtp_tls_security_level (default: empty)

3172       The LMTP-specific version of the smtp_tls_security_level  configuration
3173       parameter.  See there for details.
3174
3175       This feature is available in Postfix 2.3 and later.
3176

lmtp_tls_servername (default: empty)

3178       The  LMTP-specific  version  of  the  smtp_tls_servername configuration
3179       parameter. See there for details.
3180
3181       This feature is available in Postfix 3.4 and later.
3182

lmtp_tls_session_cache_database (default: empty)

3184       The LMTP-specific version of the  smtp_tls_session_cache_database  con‐
3185       figuration parameter. See there for details.
3186
3187       This feature is available in Postfix 2.3 and later.
3188

lmtp_tls_session_cache_timeout (default: 3600s)

3190       The LMTP-specific version of the smtp_tls_session_cache_timeout config‐
3191       uration parameter.  See there for details.
3192
3193       This feature is available in Postfix 2.3 and later.
3194

lmtp_tls_trust_anchor_file (default: empty)

3196       The LMTP-specific version of the smtp_tls_trust_anchor_file  configura‐
3197       tion parameter.  See there for details.
3198
3199       This feature is available in Postfix 2.11 and later.
3200

lmtp_tls_verify_cert_match (default: hostname)

3202       The  LMTP-specific version of the smtp_tls_verify_cert_match configura‐
3203       tion parameter. See there for details.
3204
3205       This feature is available in Postfix 2.3 and later.
3206

lmtp_use_tls (default: no)

3208       The LMTP-specific version of the smtp_use_tls configuration  parameter.
3209       See there for details.
3210
3211       This feature is available in Postfix 2.3 and later.
3212

lmtp_xforward_timeout (default: 300s)

3214       The  Postfix  LMTP  client time limit for sending the XFORWARD command,
3215       and for receiving the remote LMTP server response.
3216
3217       In case of problems the client does NOT try the  next  address  on  the
3218       mail exchanger list.
3219
3220       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3221       The default time unit is s (seconds).
3222
3223       This feature is available in Postfix 2.1 and later.
3224

local_command_shell (default: empty)

3226       Optional shell program for local(8) delivery  to  non-Postfix  command.
3227       By  default,  non-Postfix  commands are executed directly; commands are
3228       given to given to the default shell (typically, /bin/sh) only when they
3229       contain shell meta characters or shell built-in commands.
3230
3231       "sendmail's  restricted  shell" (smrsh) is what most people will use in
3232       order to restrict what programs can be run  from  e.g.  .forward  files
3233       (smrsh is part of the Sendmail distribution).
3234
3235       Note:  when  a  shell program is specified, it is invoked even when the
3236       command contains no shell built-in commands or meta characters.
3237
3238       Example:
3239
3240       local_command_shell = /some/where/smrsh -c
3241       local_command_shell = /bin/bash -c
3242

local_delivery_status_filter (default: $default_delivery_status_filter)

3244       Optional filter for the local(8) delivery agent to  change  the  status
3245       code or explanatory text of successful or unsuccessful deliveries.  See
3246       default_delivery_status_filter for details.
3247
3248       This feature is available in Postfix 3.0 and later.
3249

local_destination_concurrency_limit (default: 2)

3251       The maximal number of parallel deliveries via the local  mail  delivery
3252       transport   to  the  same  recipient  (when  "local_destination_recipi‐
3253       ent_limit = 1") or the maximal number of  parallel  deliveries  to  the
3254       same  local domain (when "local_destination_recipient_limit > 1"). This
3255       limit is enforced by the queue manager. The message delivery  transport
3256       name is the first field in the entry in the master.cf file.
3257
3258       A  low limit of 2 is recommended, just in case someone has an expensive
3259       shell command in a .forward file or in an alias (e.g., a  mailing  list
3260       manager).  You don't want to run lots of those at the same time.
3261

local_destination_recipient_limit (default: 1)

3263       The  maximal  number  of  recipients per message delivery via the local
3264       mail delivery transport. This limit is enforced by the  queue  manager.
3265       The  message delivery transport name is the first field in the entry in
3266       the master.cf file.
3267
3268       Setting this parameter to a value > 1 changes the meaning of local_des‐
3269       tination_concurrency_limit  from concurrency per recipient into concur‐
3270       rency per domain.
3271

local_header_rewrite_clients (default: permit_inet_interfaces)

3273       Rewrite message header addresses in mail from these clients and  update
3274       incomplete  addresses  with  the domain name in $myorigin or $mydomain;
3275       either don't rewrite message headers from other clients at all, or  re‐
3276       write  message  headers and update incomplete addresses with the domain
3277       specified in the remote_header_rewrite_domain parameter.
3278
3279       See  the  append_at_myorigin  and  append_dot_mydomain  parameters  for
3280       details of how domain names are appended to incomplete addresses.
3281
3282       Specify a list of zero or more of the following:
3283
3284       permit_inet_interfaces
3285              Append the domain name in $myorigin or $mydomain when the client
3286              IP address matches $inet_interfaces. This is enabled by default.
3287
3288       permit_mynetworks
3289              Append the domain name in $myorigin or $mydomain when the client
3290              IP  address  matches  any  network  or network address listed in
3291              $mynetworks. This setting will not prevent  remote  mail  header
3292              address rewriting when mail from a remote client is forwarded by
3293              a neighboring system.
3294
3295       permit_sasl_authenticated
3296              Append the domain name in $myorigin or $mydomain when the client
3297              is successfully authenticated via the RFC 4954 (AUTH) protocol.
3298
3299       permit_tls_clientcerts
3300              Append the domain name in $myorigin or $mydomain when the remote
3301              SMTP client TLS certificate fingerprint or  public  key  finger‐
3302              print  (Postfix  2.9 and later) is listed in $relay_clientcerts.
3303              The  fingerprint  digest  algorithm  is  configurable  via   the
3304              smtpd_tls_fingerprint_digest  parameter (hard-coded as md5 prior
3305              to Postfix version 2.5).
3306
3307       permit_tls_all_clientcerts
3308              Append the domain name in $myorigin or $mydomain when the remote
3309              SMTP client TLS certificate is successfully verified, regardless
3310              of whether it is listed on the server,  and  regardless  of  the
3311              certifying authority.
3312
3313       check_address_map type:table
3314
3315       type:table
3316              Append the domain name in $myorigin or $mydomain when the client
3317              IP address matches  the  specified  lookup  table.   The  lookup
3318              result  is  ignored, and no subnet lookup is done. This is suit‐
3319              able for, e.g., pop-before-smtp lookup tables.
3320
3321       Examples:
3322
3323       The Postfix < 2.2 backwards compatible setting: always rewrite  message
3324       headers,   and  always  append  my  own  domain  to  incomplete  header
3325       addresses.
3326
3327           local_header_rewrite_clients = static:all
3328
3329       The purist (and default) setting: rewrite headers  only  in  mail  from
3330       Postfix sendmail and in SMTP mail from this machine.
3331
3332           local_header_rewrite_clients = permit_inet_interfaces
3333
3334       The intermediate setting: rewrite header addresses and append $myorigin
3335       or $mydomain information only with mail  from  Postfix  sendmail,  from
3336       local clients, or from authorized SMTP clients.
3337
3338       Note:  this setting will not prevent remote mail header address rewrit‐
3339       ing when mail from a remote client is forwarded by a  neighboring  sys‐
3340       tem.
3341
3342           local_header_rewrite_clients = permit_mynetworks,
3343               permit_sasl_authenticated permit_tls_clientcerts
3344               check_address_map hash:/etc/postfix/pop-before-smtp
3345

local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)

3347       Lookup tables with all names or addresses of local recipients: a recip‐
3348       ient  address  is  local  when  its  domain   matches   $mydestination,
3349       $inet_interfaces  or $proxy_interfaces.  Specify @domain as a wild-card
3350       for domains that do not have  a  valid  recipient  list.   Technically,
3351       tables  listed  with  $local_recipient_maps  are used as lists: Postfix
3352       needs to know only if a lookup string is found or not, but it does  not
3353       use the result from table lookup.
3354
3355       Specify zero or more "type:name" lookup tables, separated by whitespace
3356       or comma. Tables will be searched in the specified order until a  match
3357       is found.
3358
3359       If  this  parameter  is  non-empty (the default), then the Postfix SMTP
3360       server will reject mail for unknown local users.
3361
3362       To turn off local recipient checking in the Postfix SMTP server,  spec‐
3363       ify "local_recipient_maps =" (i.e. empty).
3364
3365       The  default  setting  assumes  that  you use the default Postfix local
3366       delivery agent for local delivery. You need to update the local_recipi‐
3367       ent_maps setting if:
3368
3369       ·      You redefine the local delivery agent in master.cf.
3370
3371       ·      You redefine the "local_transport" setting in main.cf.
3372
3373       ·      You   use  the  "luser_relay",  "mailbox_transport",  or  "fall‐
3374              back_transport" feature of the Postfix local(8) delivery agent.
3375
3376       Details are described in the LOCAL_RECIPIENT_README file.
3377
3378       Beware: if the Postfix SMTP server runs chrooted, you  need  to  access
3379       the  passwd  file  via  the  proxymap(8)  service, in order to overcome
3380       chroot access restrictions. The alternative, maintaining a copy of  the
3381       system password file in the chroot jail is not practical.
3382
3383       Examples:
3384
3385       local_recipient_maps =
3386

local_transport (default: local:$myhostname)

3388       The  default mail delivery transport and next-hop destination for final
3389       delivery to domains listed with mydestination, and for [ipaddress] des‐
3390       tinations  that  match  $inet_interfaces  or  $proxy_interfaces.   This
3391       information can be overruled with the transport(5) table.
3392
3393       By default, local mail is delivered to the  transport  called  "local",
3394       which is just the name of a service that is defined the master.cf file.
3395
3396       Specify  a string of the form transport:nexthop, where transport is the
3397       name of a mail delivery transport defined in master.cf.   The  :nexthop
3398       destination is optional; its syntax is documented in the manual page of
3399       the corresponding delivery agent.
3400
3401       Beware: if you override the default local delivery agent then you  need
3402       to  review  the  LOCAL_RECIPIENT_README  document,  otherwise  the SMTP
3403       server may reject mail for local recipients.
3404

luser_relay (default: empty)

3406       Optional catch-all destination for  unknown  local(8)  recipients.   By
3407       default,  mail for unknown recipients in domains that match $mydestina‐
3408       tion, $inet_interfaces or $proxy_interfaces is returned  as  undeliver‐
3409       able.
3410
3411       The luser_relay value is not subject to Postfix configuration parameter
3412       $name expansion. Instead, the following $name expansions are done:
3413
3414       $domain
3415              The recipient domain.
3416
3417       $extension
3418              The recipient address extension.
3419
3420       $home  The recipient's home directory.
3421
3422       $local The entire recipient address localpart.
3423
3424       $recipient
3425              The full recipient address.
3426
3427       $recipient_delimiter
3428              The address extension delimiter that was found in the  recipient
3429              address  (Postfix  2.11 and later), or the system-wide recipient
3430              address extension delimiter (Postfix 2.10 and earlier).
3431
3432       $shell The recipient's login shell.
3433
3434       $user  The recipient username.
3435
3436       ${name?value}
3437              Expands to value when $name has a non-empty value.
3438
3439       ${name:value}
3440              Expands to value when $name has an empty value.
3441
3442       Instead of $name you can also specify ${name} or $(name).
3443
3444       Note: luser_relay works only for the Postfix local(8) delivery agent.
3445
3446       Note: if you use this feature for accounts not  in  the  UNIX  password
3447       file,  then  you  must specify "local_recipient_maps =" (i.e. empty) in
3448       the main.cf file, otherwise the Postfix SMTP server  will  reject  mail
3449       for non-UNIX accounts with "User unknown in local recipient table".
3450
3451       Examples:
3452
3453       luser_relay = $user@other.host
3454       luser_relay = $local@other.host
3455       luser_relay = admin+$local
3456

mail_name (default: Postfix)

3458       The  mail  system  name  that is displayed in Received: headers, in the
3459       SMTP greeting banner, and in bounced mail.
3460

mail_owner (default: postfix)

3462       The UNIX system account that owns the Postfix queue  and  most  Postfix
3463       daemon  processes.   Specify  the  name of an unprivileged user account
3464       that does not share a user or group ID with other  accounts,  and  that
3465       owns  no  other files or processes on the system.  In particular, don't
3466       specify nobody or daemon.  PLEASE USE A DEDICATED USER ID AND GROUP ID.
3467
3468       When this parameter value  is  changed  you  need  to  re-run  "postfix
3469       set-permissions"  (with  Postfix  version  2.0 and earlier: "/etc/post‐
3470       fix/post-install set-permissions".
3471

mail_release_date (default: see postconf -d output)

3473       The Postfix release date, in "YYYYMMDD" format.
3474

mail_spool_directory (default: see postconf -d output)

3476       The directory where local(8) UNIX-style mailboxes are kept. The default
3477       setting  depends  on  the  system  type. Specify a name ending in / for
3478       maildir-style delivery.
3479
3480       Note: maildir delivery is done with the privileges  of  the  recipient.
3481       If you use the mail_spool_directory setting for maildir style delivery,
3482       then you must create the top-level maildir directory in advance.  Post‐
3483       fix will not create it.
3484
3485       Examples:
3486
3487       mail_spool_directory = /var/mail
3488       mail_spool_directory = /var/spool/mail
3489

mail_version (default: see postconf -d output)

3491       The   version   of   the   mail   system.  Stable  releases  are  named
3492       major.minor.patchlevel. Experimental releases also include the  release
3493       date. The version string can be used in, for example, the SMTP greeting
3494       banner.
3495

mailbox_command (default: empty)

3497       Optional external command that the local(8) delivery agent  should  use
3498       for mailbox delivery.  The command is run with the user ID and the pri‐
3499       mary group ID privileges of the recipient.  Exception: command delivery
3500       for  root executes with $default_privs privileges.  This is not a prob‐
3501       lem, because 1) mail for root should always be aliased to a  real  user
3502       and 2) don't log in as root, use "su" instead.
3503
3504       The following environment variables are exported to the command:
3505
3506       CLIENT_ADDRESS
3507              Remote  client network address. Available in Postfix version 2.2
3508              and later.
3509
3510       CLIENT_HELO
3511              Remote client EHLO command parameter. Available in Postfix  ver‐
3512              sion 2.2 and later.
3513
3514       CLIENT_HOSTNAME
3515              Remote  client  hostname.  Available  in Postfix version 2.2 and
3516              later.
3517
3518       CLIENT_PROTOCOL
3519              Remote client protocol. Available in  Postfix  version  2.2  and
3520              later.
3521
3522       DOMAIN The domain part of the recipient address.
3523
3524       EXTENSION
3525              The optional address extension.
3526
3527       HOME   The recipient home directory.
3528
3529       LOCAL  The recipient address localpart.
3530
3531       LOGNAME
3532              The recipient's username.
3533
3534       ORIGINAL_RECIPIENT
3535              The  entire  recipient  address, before any address rewriting or
3536              aliasing.
3537
3538       RECIPIENT
3539              The full recipient address.
3540
3541       SASL_METHOD
3542              SASL authentication method specified in the remote  client  AUTH
3543              command. Available in Postfix version 2.2 and later.
3544
3545       SASL_SENDER
3546              SASL  sender  address  specified  in the remote client MAIL FROM
3547              command. Available in Postfix version 2.2 and later.
3548
3549       SASL_USER
3550              SASL username specified  in  the  remote  client  AUTH  command.
3551              Available in Postfix version 2.2 and later.
3552
3553       SENDER The full sender address.
3554
3555       SHELL  The recipient's login shell.
3556
3557       USER   The recipient username.
3558
3559       Unlike  other  Postfix  configuration  parameters,  the mailbox_command
3560       parameter is not subjected to $name substitutions. This is to  make  it
3561       easier to specify shell syntax (see example below).
3562
3563       If you can, avoid shell meta characters because they will force Postfix
3564       to run an expensive shell process. If you're delivering via  "procmail"
3565       then  running  a  shell won't make a noticeable difference in the total
3566       cost.
3567
3568       Note: if you use the  mailbox_command  feature  to  deliver  mail  sys‐
3569       tem-wide,  you  must  set  up an alias that forwards mail for root to a
3570       real user.
3571
3572       The precedence of local(8) delivery  features  from  high  to  low  is:
3573       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3574       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3575       tory, fallback_transport_maps, fallback_transport and luser_relay.
3576
3577       Examples:
3578
3579       mailbox_command = /some/where/procmail
3580       mailbox_command = /some/where/procmail -a "$EXTENSION"
3581       mailbox_command = /some/where/maildrop -d "$USER"
3582               -f "$SENDER" "$EXTENSION"
3583

mailbox_command_maps (default: empty)

3585       Optional  lookup tables with per-recipient external commands to use for
3586       local(8) mailbox delivery.  Behavior is as with mailbox_command.
3587
3588       The precedence of local(8) delivery  features  from  high  to  low  is:
3589       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3590       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3591       tory, fallback_transport_maps, fallback_transport and luser_relay.
3592
3593       Specify zero or more "type:name" lookup tables, separated by whitespace
3594       or comma. Tables will be searched in the specified order until a  match
3595       is found.
3596

mailbox_delivery_lock (default: see postconf -d output)

3598       How  to  lock a UNIX-style local(8) mailbox before attempting delivery.
3599       For a list of available file locking methods,  use  the  "postconf  -l"
3600       command.
3601
3602       This  setting  is  ignored  with  maildir  style delivery, because such
3603       deliveries are safe without explicit locks.
3604
3605       Note: The dotlock method requires that the recipient  UID  or  GID  has
3606       write access to the parent directory of the mailbox file.
3607
3608       Note: the default setting of this parameter is system dependent.
3609

mailbox_size_limit (default: 51200000)

3611       The maximal size of any local(8) individual mailbox or maildir file, or
3612       zero (no limit).  In fact, this limits the size of  any  file  that  is
3613       written  to  upon  local  delivery, including files written by external
3614       commands that are executed by the local(8) delivery agent.
3615
3616       This limit must not be smaller than the message size limit.
3617

mailbox_transport (default: empty)

3619       Optional message delivery transport that the  local(8)  delivery  agent
3620       should use for mailbox delivery to all local recipients, whether or not
3621       they are found in the UNIX passwd database.
3622
3623       The precedence of local(8) delivery  features  from  high  to  low  is:
3624       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3625       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3626       tory, fallback_transport_maps, fallback_transport and luser_relay.
3627

mailbox_transport_maps (default: empty)

3629       Optional  lookup  tables with per-recipient message delivery transports
3630       to use for local(8) mailbox delivery, whether or not the recipients are
3631       found in the UNIX passwd database.
3632
3633       The  precedence  of  local(8)  delivery  features  from high to low is:
3634       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3635       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
3636       tory, fallback_transport_maps, fallback_transport and luser_relay.
3637
3638       Specify zero or more "type:name" lookup tables, separated by whitespace
3639       or  comma. Tables will be searched in the specified order until a match
3640       is found.
3641
3642       For safety reasons, this feature does not allow  $number  substitutions
3643       in regular expression maps.
3644
3645       This feature is available in Postfix 2.3 and later.
3646

maillog_file (default: empty)

3648       The  name  of  an optional logfile that is written by the Postfix post‐
3649       logd(8) service. A  non-empty  value  selects  logging  to  syslogd(8).
3650       Specify "/dev/stdout" to select logging to standard output. Stdout log‐
3651       ging requires that Postfix is started with "postfix start-fg".
3652
3653       Note 1: The maillog_file parameter value must contain a prefix that  is
3654       specified with the maillog_file_prefixes parameter.
3655
3656       Note  2:  Some Postfix non-daemon programs may still log information to
3657       syslogd(8), before they have processed their  configuration  parameters
3658       and command-line options.
3659
3660       This feature is available in Postfix 3.4 and later.
3661

maillog_file_compressor (default: gzip)

3663       The  program  to  run after rotating $maillog_file with "postfix logro‐
3664       tate". The command is run with the rotated logfile name  as  its  first
3665       argument.
3666
3667       This feature is available in Postfix 3.4 and later.
3668

maillog_file_prefixes (default: /var, /dev/stdout)

3670       A  list  of allowed prefixes for a maillog_file value. This is a safety
3671       feature to contain the damage  from  a  single  configuration  mistake.
3672       Specify one or more prefix strings, separated by comma or whitespace.
3673
3674       This feature is available in Postfix 3.4 and later.
3675

maillog_file_rotate_suffix (default: %Y%M%d-%H%M%S)

3677       The  format of the suffix to append to $maillog_file while rotating the
3678       file with "postfix logrotate". See strftime(3) for syntax. The  default
3679       suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.
3680
3681       This feature is available in Postfix 3.4 and later.
3682

mailq_path (default: see postconf -d output)

3684       Sendmail   compatibility  feature  that  specifies  where  the  Postfix
3685       mailq(1) command is installed. This command can be  used  to  list  the
3686       Postfix mail queue.
3687

manpage_directory (default: see postconf -d output)

3689       Where the Postfix manual pages are installed.
3690

maps_rbl_domains (default: empty)

3692       Obsolete feature: use the reject_rbl_client feature instead.
3693

maps_rbl_reject_code (default: 554)

3695       The  numerical  Postfix  SMTP  server  response code when a remote SMTP
3696       client    request    is    blocked    by     the     reject_rbl_client,
3697       reject_rhsbl_client,  reject_rhsbl_reverse_client,  reject_rhsbl_sender
3698       or reject_rhsbl_recipient restriction.
3699
3700       Do not change this unless you have  a  complete  understanding  of  RFC
3701       5321.
3702

masquerade_classes (default: envelope_sender, header_sender, header_recipient)

3704
3705       What addresses are subject to address masquerading.
3706
3707       By  default,  address  masquerading  is  limited  to  envelope   sender
3708       addresses,  and  to header sender and header recipient addresses.  This
3709       allows you to use address masquerading on a mail  gateway  while  still
3710       being able to forward mail to users on individual machines.
3711
3712       Specify   zero   or   more   of:  envelope_sender,  envelope_recipient,
3713       header_sender, header_recipient
3714

masquerade_domains (default: empty)

3716       Optional list of domains whose subdomain structure will be stripped off
3717       in email addresses.
3718
3719       The  list is processed left to right, and processing stops at the first
3720       match.  Thus,
3721
3722           masquerade_domains = foo.example.com example.com
3723
3724       strips "user@any.thing.foo.example.com" to "user@foo.example.com",  but
3725       strips "user@any.thing.else.example.com" to "user@example.com".
3726
3727       A  domain  name  prefixed with ! means do not masquerade this domain or
3728       its subdomains. Thus,
3729
3730           masquerade_domains = !foo.example.com example.com
3731
3732       does not  change  "user@any.thing.foo.example.com"  or  "user@foo.exam‐
3733       ple.com",  but  strips "user@any.thing.else.example.com" to "user@exam‐
3734       ple.com".
3735
3736       Note: with Postfix version 2.2,  message  header  address  masquerading
3737       happens only when message header address rewriting is enabled:
3738
3739       ·      The message is received with the Postfix sendmail(1) command,
3740
3741       ·      The  message  is  received  from  a  network client that matches
3742              $local_header_rewrite_clients,
3743
3744       ·      The  message   is   received   from   the   network,   and   the
3745              remote_header_rewrite_domain  parameter  specifies  a  non-empty
3746              value.
3747
3748       To   get   the   behavior   before   Postfix   version   2.2,   specify
3749       "local_header_rewrite_clients = static:all".
3750
3751       Example:
3752
3753       masquerade_domains = $mydomain
3754

masquerade_exceptions (default: empty)

3756       Optional  list  of  user  names  that are not subjected to address mas‐
3757       querading, even when their addresses match $masquerade_domains.
3758
3759       By default, address masquerading makes no exceptions.
3760
3761       Specify a list of user names, "/file/name"  or  "type:table"  patterns,
3762       separated  by  commas  and/or  whitespace.  The list is matched left to
3763       right, and the search stops on the first match. A "/file/name"  pattern
3764       is  replaced  by  its  contents; a "type:table" lookup table is matched
3765       when a name matches a lookup key (the lookup result is ignored).   Con‐
3766       tinue  long  lines  by  starting the next line with whitespace. Specify
3767       "!pattern" to exclude a name from the list. The form  "!/file/name"  is
3768       supported only in Postfix version 2.4 and later.
3769
3770       Examples:
3771
3772       masquerade_exceptions = root, mailer-daemon
3773       masquerade_exceptions = root
3774

master_service_disable (default: empty)

3776       Selectively disable master(8) listener ports by service type or by ser‐
3777       vice name and type.  Specify a list of service types  ("inet",  "unix",
3778       "fifo",  or  "pass")  or  "name/type" tuples, where "name" is the first
3779       field of a master.cf entry and "type" is a service type. As with  other
3780       Postfix  matchlists, a search stops at the first match.  Specify "!pat‐
3781       tern" to exclude a service from the list.  By  default,  all  master(8)
3782       listener ports are enabled.
3783
3784       Note:  this  feature does not support "/file/name" or "type:table" pat‐
3785       terns, nor does it support wildcards such as  "*"  or  "all".  This  is
3786       intentional.
3787
3788       Examples:
3789
3790       # With Postfix 2.6..2.10 use '.' instead of '/'.
3791       # Turn on all master(8) listener ports (the default).
3792       master_service_disable =
3793       # Turn off only the main SMTP listener port.
3794       master_service_disable = smtp/inet
3795       # Turn off all TCP/IP listener ports.
3796       master_service_disable = inet
3797       # Turn off all TCP/IP listener ports except "foo".
3798       master_service_disable = !foo/inet, inet
3799
3800       This feature is available in Postfix 2.6 and later.
3801

max_idle (default: 100s)

3803       The  maximum  amount  of time that an idle Postfix daemon process waits
3804       for an incoming connection before terminating voluntarily.  This param‐
3805       eter  is  ignored  by the Postfix queue manager and by other long-lived
3806       Postfix daemon processes.
3807
3808       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3809       The default time unit is s (seconds).
3810

max_use (default: 100)

3812       The  maximal  number  of  incoming  connections  that  a Postfix daemon
3813       process will service before terminating voluntarily.  This parameter is
3814       ignored  by  the  Postfix queue manager and by other long-lived Postfix
3815       daemon processes.
3816

maximal_backoff_time (default: 4000s)

3818       The maximal time between attempts to deliver a deferred message.
3819
3820       This parameter should be set to a value greater than or equal to $mini‐
3821       mal_backoff_time. See also $queue_run_delay.
3822
3823       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3824       The default time unit is s (seconds).
3825

maximal_queue_lifetime (default: 5d)

3827       Consider a message as undeliverable, when delivery fails with a  tempo‐
3828       rary   error,  and  the  time  in  the  queue  has  reached  the  maxi‐
3829       mal_queue_lifetime limit.
3830
3831       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3832       The default time unit is d (days).
3833
3834       Specify 0 when mail delivery should be tried only once.
3835

message_drop_headers (default: bcc, content-length, resent-bcc, return-path)

3837       Names  of  message headers that the cleanup(8) daemon will remove after
3838       applying header_checks(5) and before invoking Milter applications.  The
3839       default setting is compatible with Postfix < 3.0.
3840
3841       Specify a list of header names, separated by comma or space.  Names are
3842       matched in a case-insensitive manner.  The  list  of  supported  header
3843       names is limited only by available memory.
3844
3845       This feature is available in Postfix 3.0 and later.
3846

message_reject_characters (default: empty)

3848       The set of characters that Postfix will reject in message content.  The
3849       usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3850       (up to three octal digits) and \\.
3851
3852       Note  1: this feature does not recognize text that requires MIME decod‐
3853       ing. It inspects raw  message  content,  just  like  header_checks  and
3854       body_checks.
3855
3856       Note  2:  this  feature  is  disabled  with "receive_override_options =
3857       no_header_body_checks".
3858
3859       Example:
3860
3861       message_reject_characters = \0
3862
3863       This feature is available in Postfix 2.3 and later.
3864

message_size_limit (default: 10240000)

3866       The maximal size in bytes of a message, including envelope information.
3867
3868       Note: be careful when making changes.  Excessively  small  values  will
3869       result in the loss of non-delivery notifications, when a bounce message
3870       size exceeds the local or remote MTA's message size limit.
3871

message_strip_characters (default: empty)

3873       The set of characters that Postfix will remove  from  message  content.
3874       The  usual C-like escape sequences are recognized: \a \b \f \n \r \t \v
3875       \ddd (up to three octal digits) and \\.
3876
3877       Note 1: this feature does not recognize text that requires MIME  decod‐
3878       ing.  It  inspects  raw  message  content,  just like header_checks and
3879       body_checks.
3880
3881       Note 2: this  feature  is  disabled  with  "receive_override_options  =
3882       no_header_body_checks".
3883
3884       Example:
3885
3886       message_strip_characters = \0
3887
3888       This feature is available in Postfix 2.3 and later.
3889

meta_directory (default: see 'postconf -d' output)

3891       The  location  of  non-executable  files that are shared among multiple
3892       Postfix instances,  such  as  postfix-files,  dynamicmaps.cf,  and  the
3893       multi-instance  template files main.cf.proto and master.cf.proto.  This
3894       directory should contain only Postfix-related  files.   Typically,  the
3895       meta_directory  parameter  has the same default as the config_directory
3896       parameter (/etc/postfix or /usr/local/etc/postfix).
3897
3898       For backwards compatibility with Postfix  versions  2.6..2.11,  specify
3899       "meta_directory  =  $daemon_directory"  in main.cf before installing or
3900       upgrading Postfix, or specify  "meta_directory  =  /path/name"  on  the
3901       "make makefiles", "make install" or "make upgrade" command line.
3902
3903       This feature is available in Postfix 3.0 and later.
3904

milter_command_timeout (default: 30s)

3906       The  time  limit  for sending an SMTP command to a Milter (mail filter)
3907       application, and for receiving the response.
3908
3909       Specify a non-zero time value  (an  integral  value  plus  an  optional
3910       one-letter suffix that specifies the time unit).
3911
3912       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3913       The default time unit is s (seconds).
3914
3915       This feature is available in Postfix 2.3 and later.
3916

milter_connect_macros (default: see postconf -d output)

3918       The macros that are sent to Milter  (mail  filter)  applications  after
3919       completion  of  an  SMTP  connection.  See  MILTER_README for a list of
3920       available macro names and their meanings.
3921
3922       This feature is available in Postfix 2.3 and later.
3923

milter_connect_timeout (default: 30s)

3925       The time limit for connecting to a Milter  (mail  filter)  application,
3926       and for negotiating protocol options.
3927
3928       Specify  a  non-zero  time  value  (an  integral value plus an optional
3929       one-letter suffix that specifies the time unit).
3930
3931       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3932       The default time unit is s (seconds).
3933
3934       This feature is available in Postfix 2.3 and later.
3935

milter_content_timeout (default: 300s)

3937       The  time  limit  for sending message content to a Milter (mail filter)
3938       application, and for receiving the response.
3939
3940       Specify a non-zero time value  (an  integral  value  plus  an  optional
3941       one-letter suffix that specifies the time unit).
3942
3943       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3944       The default time unit is s (seconds).
3945
3946       This feature is available in Postfix 2.3 and later.
3947

milter_data_macros (default: see postconf -d output)

3949       The macros that are sent to version 4 or higher  Milter  (mail  filter)
3950       applications  after the SMTP DATA command. See MILTER_README for a list
3951       of available macro names and their meanings.
3952
3953       This feature is available in Postfix 2.3 and later.
3954

milter_default_action (default: tempfail)

3956       The default action when a Milter (mail filter) application is  unavail‐
3957       able or mis-configured. Specify one of the following:
3958
3959       accept Proceed as if the mail filter was not present.
3960
3961       reject Reject  all  further  commands  in this session with a permanent
3962              status code.
3963
3964       tempfail
3965              Reject all further commands in this  session  with  a  temporary
3966              status code.
3967
3968       quarantine
3969              Like  "accept",  but  freeze  the  message  in the "hold" queue.
3970              Available with Postfix 2.6 and later.
3971
3972       This feature is available in Postfix 2.3 and later.
3973

milter_end_of_data_macros (default: see postconf -d output)

3975       The macros that are sent to Milter (mail filter) applications after the
3976       message  end-of-data.  See  MILTER_README for a list of available macro
3977       names and their meanings.
3978
3979       This feature is available in Postfix 2.3 and later.
3980

milter_end_of_header_macros (default: see postconf -d output)

3982       The macros that are sent to Milter (mail filter) applications after the
3983       end  of  the  message header. See MILTER_README for a list of available
3984       macro names and their meanings.
3985
3986       This feature is available in Postfix 2.5 and later.
3987

milter_header_checks (default: empty)

3989       Optional lookup tables for content inspection of message  headers  that
3990       are  produced  by Milter applications.  See the header_checks(5) manual
3991       page available actions. Currently, PREPEND is not implemented.
3992
3993       The following example sends all mail that is marked as SPAM to  a  spam
3994       handling machine. Note that matches are case-insensitive by default.
3995
3996       /etc/postfix/main.cf:
3997           milter_header_checks = pcre:/etc/postfix/milter_header_checks
3998
3999       /etc/postfix/milter_header_checks:
4000           /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
4001
4002       The milter_header_checks mechanism could also be used for whitelisting.
4003       For example it could be used  to  skip  heavy  content  inspection  for
4004       DKIM-signed mail from known friendly domains.
4005
4006       This  feature is available in Postfix 2.7, and as an optional patch for
4007       Postfix 2.6.
4008

milter_helo_macros (default: see postconf -d output)

4010       The macros that are sent to Milter (mail filter) applications after the
4011       SMTP  HELO  or  EHLO command. See MILTER_README for a list of available
4012       macro names and their meanings.
4013
4014       This feature is available in Postfix 2.3 and later.
4015

milter_macro_daemon_name (default: $myhostname)

4017       The {daemon_name} macro value for Milter  (mail  filter)  applications.
4018       See  MILTER_README  for a list of available macro names and their mean‐
4019       ings.
4020
4021       This feature is available in Postfix 2.3 and later.
4022

milter_macro_defaults (default: empty)

4024       Optional list of name=value pairs that specify default values for arbi‐
4025       trary  macros  that  Postfix  may  send  to Milter applications.  These
4026       defaults are used when there is no corresponding information  from  the
4027       message delivery context.
4028
4029       Specify  name=value  or {name}=value pairs separated by comma or white‐
4030       space.  Enclose a pair in "{}" when a value contains  comma  or  white‐
4031       space (this form ignores whitespace after the enclosing "{", around the
4032       "=", and before the enclosing "}").
4033
4034       This feature is available in Postfix 3.1 and later.
4035

milter_macro_v (default: $mail_name $mail_version)

4037       The {v} macro value for Milter (mail filter)  applications.   See  MIL‐
4038       TER_README for a list of available macro names and their meanings.
4039
4040       This feature is available in Postfix 2.3 and later.
4041

milter_mail_macros (default: see postconf -d output)

4043       The macros that are sent to Milter (mail filter) applications after the
4044       SMTP MAIL FROM command. See MILTER_README for a list of available macro
4045       names and their meanings.
4046
4047       This feature is available in Postfix 2.3 and later.
4048

milter_protocol (default: 6)

4050       The  mail  filter protocol version and optional protocol extensions for
4051       communication with a Milter  application;  prior  to  Postfix  2.6  the
4052       default  protocol  is  2.  Postfix sends this version number during the
4053       initial protocol handshake.  It should match the version number that is
4054       expected by the mail filter application (or by its Milter library).
4055
4056       Protocol versions:
4057
4058       2      Use  Sendmail  8  mail  filter  protocol version 2 (default with
4059              Sendmail version 8.11 .. 8.13 and Postfix version 2.3 ..  2.5).
4060
4061       3      Use Sendmail 8 mail filter protocol version 3.
4062
4063       4      Use Sendmail 8 mail filter protocol version 4.
4064
4065       6      Use Sendmail 8 mail filter  protocol  version  6  (default  with
4066              Sendmail version 8.14 and Postfix version 2.6).
4067
4068       Protocol extensions:
4069
4070       no_header_reply
4071              Specify this when the Milter application will not reply for each
4072              individual message header.
4073
4074       This feature is available in Postfix 2.3 and later.
4075

milter_rcpt_macros (default: see postconf -d output)

4077       The macros that are sent to Milter (mail filter) applications after the
4078       SMTP  RCPT  TO command. See MILTER_README for a list of available macro
4079       names and their meanings.
4080
4081       This feature is available in Postfix 2.3 and later.
4082

milter_unknown_command_macros (default: see postconf -d output)

4084       The macros that are sent to version 3 or higher  Milter  (mail  filter)
4085       applications  after  an  unknown SMTP command.  See MILTER_README for a
4086       list of available macro names and their meanings.
4087
4088       This feature is available in Postfix 2.3 and later.
4089

mime_boundary_length_limit (default: 2048)

4091       The maximal length of MIME multipart boundary strings. The MIME proces‐
4092       sor  is unable to distinguish between boundary strings that do not dif‐
4093       fer in the first $mime_boundary_length_limit characters.
4094
4095       This feature is available in Postfix 2.0 and later.
4096

mime_header_checks (default: $header_checks)

4098       Optional lookup tables for content inspection of MIME  related  message
4099       headers, as described in the header_checks(5) manual page.
4100
4101       This feature is available in Postfix 2.0 and later.
4102

mime_nesting_limit (default: 100)

4104       The maximal recursion level that the MIME processor will handle.  Post‐
4105       fix refuses mail that is nested deeper than the specified limit.
4106
4107       This feature is available in Postfix 2.0 and later.
4108

minimal_backoff_time (default: 300s)

4110       The minimal time between attempts to deliver a deferred message;  prior
4111       to Postfix 2.4 the default value was 1000s.
4112
4113       This  parameter also limits the time an unreachable destination is kept
4114       in the short-term, in-memory, destination status cache.
4115
4116       This parameter should be set greater than or equal to $queue_run_delay.
4117       See also $maximal_backoff_time.
4118
4119       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
4120       The default time unit is s (seconds).
4121

multi_instance_directories (default: empty)

4123       An optional list  of  non-default  Postfix  configuration  directories;
4124       these directories belong to additional Postfix instances that share the
4125       Postfix executable files and documentation  with  the  default  Postfix
4126       instance,  and  that  are  started,  stopped,  etc.,  together with the
4127       default Postfix instance.  Specify a list  of  pathnames  separated  by
4128       comma or whitespace.
4129
4130       When  $multi_instance_directories is empty, the postfix(1) command runs
4131       in single-instance mode and operates on a single Postfix instance only.
4132       Otherwise,  the  postfix(1)  command  runs  in  multi-instance mode and
4133       invokes    the    multi-instance    manager    specified    with    the
4134       multi_instance_wrapper  parameter.  The  multi-instance manager in turn
4135       executes postfix(1) commands for the default instance and for all Post‐
4136       fix instances in $multi_instance_directories.
4137
4138       Currently,  this  parameter  setting  is ignored except for the default
4139       main.cf file.
4140
4141       This feature is available in Postfix 2.6 and later.
4142

multi_instance_enable (default: no)

4144       Allow this  Postfix  instance  to  be  started,  stopped,  etc.,  by  a
4145       multi-instance  manager.   By  default,  new instances are created in a
4146       safe state that prevents them from being started  inadvertently.   This
4147       parameter is reserved for the multi-instance manager.
4148
4149       This feature is available in Postfix 2.6 and later.
4150

multi_instance_group (default: empty)

4152       The  optional  instance  group  name  of this Postfix instance. A group
4153       identifies closely-related Postfix instances  that  the  multi-instance
4154       manager  can  start, stop, etc., as a unit.  This parameter is reserved
4155       for the multi-instance manager.
4156
4157       This feature is available in Postfix 2.6 and later.
4158

multi_instance_name (default: empty)

4160       The optional instance name of this Postfix instance. This name  becomes
4161       also the default value for the syslog_name parameter.
4162
4163       This feature is available in Postfix 2.6 and later.
4164

multi_instance_wrapper (default: empty)

4166       The  pathname  of  a multi-instance manager command that the postfix(1)
4167       command invokes when the multi_instance_directories parameter value  is
4168       non-empty.  The  pathname  may be followed by initial command arguments
4169       separated by whitespace; shell metacharacters such as  quotes  are  not
4170       supported in this context.
4171
4172       The  postfix(1) command invokes the manager command with the postfix(1)
4173       non-option command arguments on the manager command line, and with  all
4174       installation configuration parameters exported into the manager command
4175       process environment. The manager command in turn invokes the postfix(1)
4176       command  for  individual Postfix instances as "postfix -c config_direc‐
4177       tory command".
4178
4179       This feature is available in Postfix 2.6 and later.
4180

multi_recipient_bounce_reject_code (default: 550)

4182       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
4183       client request is blocked by the reject_multi_recipient_bounce restric‐
4184       tion.
4185
4186       Do not change this unless you have  a  complete  understanding  of  RFC
4187       5321.
4188
4189       This feature is available in Postfix 2.1 and later.
4190

mydestination (default: $myhostname, localhost.$mydomain, localhost)

4192       The  list  of  domains that are delivered via the $local_transport mail
4193       delivery transport. By default this is the  Postfix  local(8)  delivery
4194       agent  which  looks  up all recipients in /etc/passwd and /etc/aliases.
4195       The SMTP  server  validates  recipient  addresses  with  $local_recipi‐
4196       ent_maps and rejects non-existent recipients. See also the local domain
4197       class in the ADDRESS_CLASS_README file.
4198
4199       The default mydestination value specifies names for the  local  machine
4200       only.  On a mail domain gateway, you should also include $mydomain.
4201
4202       The   $local_transport  delivery  method  is  also  selected  for  mail
4203       addressed to user@[the.net.work.address] of the  mail  system  (the  IP
4204       addresses  specified  with  the  inet_interfaces  and  proxy_interfaces
4205       parameters).
4206
4207       Warnings:
4208
4209       ·      Do not specify the names of virtual domains - those domains  are
4210              specified elsewhere. See VIRTUAL_README for more information.
4211
4212       ·      Do  not specify the names of domains that this machine is backup
4213              MX host for. See STANDARD_CONFIGURATION_README for how to set up
4214              backup MX hosts.
4215
4216       ·      By  default, the Postfix SMTP server rejects mail for recipients
4217              not listed with the  local_recipient_maps  parameter.   See  the
4218              postconf(5) manual for a description of the local_recipient_maps
4219              and unknown_local_recipient_reject_code parameters.
4220
4221       Specify a list of host or domain names,  "/file/name"  or  "type:table"
4222       patterns, separated by commas and/or whitespace. A "/file/name" pattern
4223       is replaced by its contents; a "type:table"  lookup  table  is  matched
4224       when  a name matches a lookup key (the lookup result is ignored).  Con‐
4225       tinue long lines by starting the next line with whitespace.
4226
4227       Examples:
4228
4229       mydestination = $myhostname, localhost.$mydomain $mydomain
4230       mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
4231

mydomain (default: see postconf -d output)

4233       The internet domain name of this mail system.  The default  is  to  use
4234       $myhostname  minus  the  first component, or "localdomain" (Postfix 2.3
4235       and later).  $mydomain is used as a default value for many  other  con‐
4236       figuration parameters.
4237
4238       Example:
4239
4240       mydomain = domain.tld
4241

myhostname (default: see postconf -d output)

4243       The  internet  hostname  of this mail system. The default is to use the
4244       fully-qualified domain name (FQDN) from gethostname(), or  to  use  the
4245       non-FQDN  result  from gethostname() and append ".$mydomain".  $myhost‐
4246       name is used as a default value for many  other  configuration  parame‐
4247       ters.
4248
4249       Example:
4250
4251       myhostname = host.example.com
4252

mynetworks (default: see postconf -d output)

4254       The  list  of  "trusted"  remote SMTP clients that have more privileges
4255       than "strangers".
4256
4257       In particular, "trusted" SMTP clients are allowed to relay mail through
4258       Postfix.  See the smtpd_relay_restrictions parameter description in the
4259       postconf(5) manual.
4260
4261       You can specify the list of "trusted" network addresses by hand or  you
4262       can let Postfix do it for you (which is the default).  See the descrip‐
4263       tion of the mynetworks_style parameter for more information.
4264
4265       If you specify the mynetworks list by hand, Postfix ignores the  mynet‐
4266       works_style setting.
4267
4268       Specify  a list of network addresses or network/netmask patterns, sepa‐
4269       rated by commas and/or whitespace. Continue long lines by starting  the
4270       next line with whitespace.
4271
4272       The  netmask specifies the number of bits in the network part of a host
4273       address.  You can also specify "/file/name" or  "type:table"  patterns.
4274       A  "/file/name"  pattern  is  replaced  by its contents; a "type:table"
4275       lookup table is matched when a table entry matches a lookup string (the
4276       lookup result is ignored).
4277
4278       The  list  is  matched left to right, and the search stops on the first
4279       match.  Specify "!pattern" to exclude an address or network block  from
4280       the  list.  The form "!/file/name" is supported only in Postfix version
4281       2.4 and later.
4282
4283       Note 1: Pattern matching of  domain  names  is  controlled  by  the  or
4284       absence of "mynetworks" in the parent_domain_matches_subdomains parame‐
4285       ter value.
4286
4287       Note 2: IP version 6 address information must be specified inside [] in
4288       the  mynetworks  value,  and  in files specified with "/file/name".  IP
4289       version 6 addresses contain the ":" character, and would  otherwise  be
4290       confused with a "type:table" pattern.
4291
4292       Examples:
4293
4294       mynetworks = 127.0.0.0/8 168.100.189.0/28
4295       mynetworks = !192.168.0.1, 192.168.0.0/28
4296       mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
4297       mynetworks = $config_directory/mynetworks
4298       mynetworks = hash:/etc/postfix/network_table
4299

mynetworks_style (default: Postfix >= 3.0: host, Postfix < 3.0: subnet)

4301       The  method to generate the default value for the mynetworks parameter.
4302       This is the list of trusted networks for relay access control etc.
4303
4304       ·      Specify "mynetworks_style = host" when  Postfix  should  "trust"
4305              only the local machine.
4306
4307       ·      Specify  "mynetworks_style = subnet" when Postfix should "trust"
4308              remote SMTP clients in the same  IP  subnetworks  as  the  local
4309              machine.   On  Linux,  this works correctly only with interfaces
4310              specified with the "ifconfig" command.
4311
4312       ·      Specify "mynetworks_style = class" when Postfix  should  "trust"
4313              remote  SMTP  clients in the same IP class A/B/C networks as the
4314              local machine.  Caution: this may cause Postfix to "trust"  your
4315              entire  provider's network.  Instead, specify an explicit mynet‐
4316              works list by hand, as described with the mynetworks  configura‐
4317              tion parameter.
4318

myorigin (default: $myhostname)

4320       The domain name that locally-posted mail appears to come from, and that
4321       locally posted mail is delivered to. The default, $myhostname, is  ade‐
4322       quate for small sites.  If you run a domain with multiple machines, you
4323       should (1) change this to $mydomain and (2) set up a domain-wide  alias
4324       database that aliases each user to user@that.users.mailhost.
4325
4326       Example:
4327
4328       myorigin = $mydomain
4329

nested_header_checks (default: $header_checks)

4331       Optional lookup tables for content inspection of non-MIME message head‐
4332       ers in attached messages, as described in the  header_checks(5)  manual
4333       page.
4334
4335       This feature is available in Postfix 2.0 and later.
4336

newaliases_path (default: see postconf -d output)

4338       Sendmail  compatibility  feature  that  specifies  the  location of the
4339       newaliases(1) command. This command can be used to rebuild the local(8)
4340       aliases(5) database.
4341

non_fqdn_reject_code (default: 504)

4343       The  numerical  Postfix SMTP server reply code when a client request is
4344       rejected by the  reject_non_fqdn_helo_hostname,  reject_non_fqdn_sender
4345       or reject_non_fqdn_recipient restriction.
4346

non_smtpd_milters (default: empty)

4348       A  list of Milter (mail filter) applications for new mail that does not
4349       arrive via the Postfix smtpd(8) server. This includes local  submission
4350       via the sendmail(1) command line, new mail that arrives via the Postfix
4351       qmqpd(8) server, and old mail that is re-injected into the  queue  with
4352       "postsuper  -r".   Specify  space  or  comma as separator. See the MIL‐
4353       TER_README document for details.
4354
4355       This feature is available in Postfix 2.3 and later.
4356

notify_classes (default: resource, software)

4358       The list of error classes that are  reported  to  the  postmaster.  The
4359       default  is  to report only the most serious problems. The paranoid may
4360       wish to turn on the policy (UCE and mail relaying) and  protocol  error
4361       (broken mail software) reports.
4362
4363       NOTE:  postmaster  notifications  may  contain confidential information
4364       such as SASL passwords or message content.  It is the  system  adminis‐
4365       trator's responsibility to treat such information with care.
4366
4367       The error classes are:
4368
4369       bounce (also implies 2bounce)
4370              Send  the  postmaster copies of the headers of bounced mail, and
4371              send transcripts of SMTP sessions when Postfix rejects mail. The
4372              notification   is   sent  to  the  address  specified  with  the
4373              bounce_notice_recipient configuration parameter (default:  post‐
4374              master).
4375
4376       2bounce
4377              Send undeliverable bounced mail to the postmaster. The notifica‐
4378              tion   is   sent   to   the   address   specified    with    the
4379              2bounce_notice_recipient configuration parameter (default: post‐
4380              master).
4381
4382       data   Send the postmaster a transcript of the  SMTP  session  with  an
4383              error  because a critical data file was unavailable. The notifi‐
4384              cation   is   sent   to   the   address   specified   with   the
4385              error_notice_recipient  configuration  parameter (default: post‐
4386              master).
4387              This feature is available in Postfix 2.9 and later.
4388
4389       delay  Send the postmaster copies of the headers of delayed  mail  (see
4390              delay_warning_time).  The  notification  is  sent to the address
4391              specified with the delay_notice_recipient configuration  parame‐
4392              ter (default: postmaster).
4393
4394       policy Send  the  postmaster  a  transcript  of the SMTP session when a
4395              client request was rejected because of (UCE) policy. The notifi‐
4396              cation   is   sent   to   the   address   specified   with   the
4397              error_notice_recipient configuration parameter  (default:  post‐
4398              master).
4399
4400       protocol
4401              Send  the postmaster a transcript of the SMTP session in case of
4402              client or server protocol errors. The notification  is  sent  to
4403              the address specified with the error_notice_recipient configura‐
4404              tion parameter (default: postmaster).
4405
4406       resource
4407              Inform the postmaster of mail  not  delivered  due  to  resource
4408              problems.   The  notification  is  sent to the address specified
4409              with   the   error_notice_recipient   configuration    parameter
4410              (default: postmaster).
4411
4412       software
4413              Inform  the  postmaster  of  mail  not delivered due to software
4414              problems.  The notification is sent  to  the  address  specified
4415              with    the   error_notice_recipient   configuration   parameter
4416              (default: postmaster).
4417
4418       Examples:
4419
4420       notify_classes = bounce, delay, policy, protocol, resource, software
4421       notify_classes = 2bounce, resource, software
4422

nullmx_reject_code (default: 556)

4424       The numerical reply code when the Postfix SMTP server rejects a  sender
4425       or  recipient address because its domain has a nullmx DNS record (an MX
4426       record with an empty hostname). This is one  of  the  possible  replies
4427       from      the     restrictions     reject_unknown_sender_domain     and
4428       reject_unknown_recipient_domain.
4429
4430       This feature is available in Postfix 3.0 and later.
4431

openssl_path (default: openssl)

4433       The location of the OpenSSL command line program openssl(1).   This  is
4434       used  by  the "postfix tls" command to create private keys, certificate
4435       signing requests, self-signed certificates, and to compute  public  key
4436       digests  for  DANE  TLSA records.  In multi-instance environments, this
4437       parameter is always determined from the configuration  of  the  default
4438       Postfix instance.
4439
4440       Example:
4441
4442           /etc/postfix/main.cf:
4443               # NetBSD pkgsrc:
4444               openssl_path = /usr/pkg/bin/openssl
4445               # Local build:
4446               openssl_path = /usr/local/bin/openssl
4447
4448       This feature is available in Postfix 3.1 and later.
4449

owner_request_special (default: yes)

4451       Enable  special  treatment for owner-listname entries in the aliases(5)
4452       file, and  don't  split  owner-listname  and  listname-request  address
4453       localparts when the recipient_delimiter is set to "-".  This feature is
4454       useful for mailing lists.
4455

parent_domain_matches_subdomains (default: see postconf -d output)

4457       A list of Postfix features where the pattern "example.com" also matches
4458       subdomains  of  example.com,  instead  of requiring an explicit ".exam‐
4459       ple.com" pattern.  This is planned  backwards  compatibility:   eventu‐
4460       ally,  all  Postfix  features  are expected to require explicit ".exam‐
4461       ple.com" style patterns when you really want to match subdomains.
4462
4463       The following Postfix feature names are supported.
4464
4465       Postfix version 1.0 and later
4466              debug_peer_list,    fast_flush_domains,     mynetworks,     per‐
4467              mit_mx_backup_networks, relay_domains, transport_maps
4468
4469       Postfix version 1.1 and later
4470              qmqpd_authorized_clients, smtpd_access_maps,
4471
4472       Postfix version 2.8 and later
4473              postscreen_access_list
4474
4475       Postfix version 3.0 and later
4476              smtpd_client_event_limit_exceptions
4477

permit_mx_backup_networks (default: empty)

4479       Restrict  the  use  of the permit_mx_backup SMTP access feature to only
4480       domains whose primary MX hosts match the listed networks.  The  parame‐
4481       ter  value  syntax  is the same as with the mynetworks parameter; note,
4482       however, that the default value is empty.
4483
4484       Pattern matching of domain names  is  controlled  by  the  presence  or
4485       absence      of     "permit_mx_backup_networks"     in     the     par‐
4486       ent_domain_matches_subdomains parameter value.
4487

pickup_service_name (default: pickup)

4489       The name of the pickup(8) service. This service  picks  up  local  mail
4490       submissions from the Postfix maildrop queue.
4491
4492       This feature is available in Postfix 2.0 and later.
4493

pipe_delivery_status_filter (default: $default_delivery_status_filter)

4495       Optional  filter  for the pipe(8) delivery agent to change the delivery
4496       status code or explanatory text of successful or unsuccessful  deliver‐
4497       ies.  See default_delivery_status_filter for details.
4498
4499       This feature is available in Postfix 3.0 and later.
4500

plaintext_reject_code (default: 450)

4502       The  numerical  Postfix  SMTP  server  response  code when a request is
4503       rejected by the reject_plaintext_session restriction.
4504
4505       This feature is available in Postfix 2.3 and later.
4506

postlog_service_name (default: postlog)

4508       The name of the postlogd(8) service entry in master.cf.   This  service
4509       appends  logfile  records  to  the file specified with the maillog_file
4510       parameter.
4511
4512       This feature is available in Postfix 3.4 and later.
4513

postlogd_watchdog_timeout (default: 10s)

4515       How much time a postlogd(8) process  may  take  to  process  a  request
4516       before  it is terminated by a built-in watchdog timer. This is a safety
4517       mechanism that prevents postlogd(8) from becoming non-responsive due to
4518       a bug in Postfix itself or in system software. This limit cannot be set
4519       under 10s.
4520
4521       Specify a non-zero time value  (an  integral  value  plus  an  optional
4522       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4523       onds), m (minutes), h (hours), d (days), w (weeks).
4524
4525       This feature is available in Postfix 3.4 and later.
4526

postmulti_control_commands (default: reload flush)

4528       The postfix(1) commands that the postmulti(1) instance  manager  treats
4529       as  "control"  commands,  that  operate on running instances. For these
4530       commands, disabled instances are skipped.
4531
4532       This feature is available in Postfix 2.6 and later.
4533

postmulti_start_commands (default: start)

4535       The postfix(1) commands that the postmulti(1) instance  manager  treats
4536       as  "start"  commands.  For  these  commands,  disabled  instances  are
4537       "checked" rather than  "started",  and  failure  to  "start"  a  member
4538       instance  of  an  instance  group  will  abort  the  start-up  of later
4539       instances.
4540
4541       This feature is available in Postfix 2.6 and later.
4542

postmulti_stop_commands (default: see postconf -d output)

4544       The postfix(1) commands that the postmulti(1) instance  manager  treats
4545       as "stop" commands. For these commands, disabled instances are skipped,
4546       and enabled instances are processed in reverse order.
4547
4548       This feature is available in Postfix 2.6 and later.
4549

postscreen_access_list (default: permit_mynetworks)

4551       Permanent  white/blacklist  for  remote  SMTP  client   IP   addresses.
4552       postscreen(8) searches this list immediately after a remote SMTP client
4553       connects.  Specify a comma- or whitespace-separated  list  of  commands
4554       (in  upper  or  lower case) or lookup tables. The search stops upon the
4555       first command that fires for the client IP address.
4556
4557        permit_mynetworks
4558              Whitelist the client and terminate the search if the  client  IP
4559              address  matches  $mynetworks.  Do not subject the client to any
4560              before/after 220 greeting tests.  Pass  the  connection  immedi‐
4561              ately to a Postfix SMTP server process.
4562              Pattern  matching  of domain names is controlled by the presence
4563              or   absence   of   "postscreen_access_list"   in    the    par‐
4564              ent_domain_matches_subdomains parameter value.
4565
4566        type:table
4567              Query the specified lookup table. Each table lookup result is an
4568              access list, except that access  lists  inside  a  table  cannot
4569              specify type:table entries.
4570              To  discourage  the use of hash, btree, etc. tables, there is no
4571              support for substring matching like smtpd(8).  Use  CIDR  tables
4572              instead.
4573
4574        permit
4575              Whitelist  the  client  and terminate the search. Do not subject
4576              the client to any before/after 220 greeting tests. Pass the con‐
4577              nection immediately to a Postfix SMTP server process.
4578
4579        reject
4580              Blacklist  the  client  and  terminate  the  search. Subject the
4581              client to  the  action  configured  with  the  postscreen_black‐
4582              list_action configuration parameter.
4583
4584        dunno All  postscreen(8)  access lists implicitly have this command at
4585              the end.
4586              When  dunno is executed inside a lookup table, return  from  the
4587              lookup table and evaluate the next command.
4588              When   dunno   is executed outside a lookup table, terminate the
4589              search, and subject the client to  the  configured  before/after
4590              220 greeting tests.
4591
4592       Example:
4593
4594       /etc/postfix/main.cf:
4595           postscreen_access_list = permit_mynetworks,
4596               cidr:/etc/postfix/postscreen_access.cidr
4597           postscreen_blacklist_action = enforce
4598
4599       /etc/postfix/postscreen_access.cidr:
4600           # Rules are evaluated in the order as specified.
4601           # Blacklist 192.168.* except 192.168.0.1.
4602           192.168.0.1         dunno
4603           192.168.0.0/16      reject
4604
4605       This feature is available in Postfix 2.8.
4606

postscreen_bare_newline_action (default: ignore)

4608       The  action  that postscreen(8) takes when a remote SMTP client sends a
4609       bare newline character, that is, a newline  not  preceded  by  carriage
4610       return.  Specify one of the following:
4611
4612       ignore Ignore  the failure of this test. Allow other tests to complete.
4613              Do not repeat this test before some the result from  some  other
4614              test  expires.  This option is useful for testing and collecting
4615              statistics without blocking mail permanently.
4616
4617       enforce
4618              Allow other tests to complete. Reject attempts to  deliver  mail
4619              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4620              mation.  Repeat this test the next time the client connects.
4621
4622       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4623              this test the next time the client connects.
4624
4625       This feature is available in Postfix 2.8.
4626

postscreen_bare_newline_enable (default: no)

4628       Enable  "bare newline" SMTP protocol tests in the postscreen(8) server.
4629       These tests are expensive: a remote SMTP client must  disconnect  after
4630       it passes the test, before it can talk to a real Postfix SMTP server.
4631
4632       This feature is available in Postfix 2.8.
4633

postscreen_bare_newline_ttl (default: 30d)

4635       The  amount  of time that postscreen(8) will use the result from a suc‐
4636       cessful "bare newline" SMTP protocol test. During this time, the client
4637       IP  address  is  excluded from this test. The default is long because a
4638       remote SMTP client must disconnect after it passes the test, before  it
4639       can talk to a real Postfix SMTP server.
4640
4641       Specify  a  non-zero  time  value  (an  integral value plus an optional
4642       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4643       onds), m (minutes), h (hours), d (days), w (weeks).
4644
4645       This feature is available in Postfix 2.8.
4646

postscreen_blacklist_action (default: ignore)

4648       The action that postscreen(8) takes when a remote SMTP client is perma‐
4649       nently blacklisted with the postscreen_access_list parameter.   Specify
4650       one of the following:
4651
4652       ignore (default)
4653              Ignore  this result. Allow other tests to complete.  Repeat this
4654              test the next time the client connects.  This option  is  useful
4655              for testing and collecting statistics without blocking mail.
4656
4657       enforce
4658              Allow  other  tests to complete. Reject attempts to deliver mail
4659              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4660              mation.  Repeat this test the next time the client connects.
4661
4662       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4663              this test the next time the client connects.
4664
4665       This feature is available in Postfix 2.8.
4666

postscreen_cache_cleanup_interval (default: 12h)

4668       The amount of time between postscreen(8)  cache  cleanup  runs.   Cache
4669       cleanup  increases  the load on the cache database and should therefore
4670       not be run frequently. This feature requires that  the  cache  database
4671       supports  the "delete" and "sequence" operators.  Specify a zero inter‐
4672       val to disable cache cleanup.
4673
4674       After each cache cleanup run, the postscreen(8) daemon logs the  number
4675       of  entries  that were retained and dropped. A cleanup run is logged as
4676       "partial" when the daemon  terminates  early  after  "postfix  reload",
4677       "postfix stop", or no requests for $max_idle seconds.
4678
4679       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4680
4681       This feature is available in Postfix 2.8.
4682

postscreen_cache_map (default: btree:$data_directory/postscreen_cache)

4684       Persistent storage for the postscreen(8) server decisions.
4685
4686       To   share   a   postscreen(8)  cache  between  multiple  postscreen(8)
4687       instances,  use  "postscreen_cache_map  =   proxy:btree:/path/to/file".
4688       This  requires Postfix version 2.9 or later; earlier proxymap(8) imple‐
4689       mentations don't support cache cleanup. For an alternative approach see
4690       the memcache_table(5) manpage.
4691
4692       This feature is available in Postfix 2.8.
4693

postscreen_cache_retention_time (default: 7d)

4695       The  amount  of time that postscreen(8) will cache an expired temporary
4696       whitelist entry before it is removed. This prevents clients from  being
4697       logged  as "NEW" just because their cache entry expired an hour ago. It
4698       also prevents the cache from filling up with clients that  passed  some
4699       deep protocol test once and never came back.
4700
4701       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4702
4703       This feature is available in Postfix 2.8.
4704

postscreen_client_connection_count_limit (default: $smtpd_client_connec‐

4706       tion_count_limit)
4707       How many simultaneous connections any remote SMTP client is allowed  to
4708       have  with the postscreen(8) daemon. By default, this limit is the same
4709       as with the Postfix SMTP server. Note that the triage process can  take
4710       several  seconds,  with  the time spent in postscreen_greet_wait delay,
4711       and with the time spent talking to  the  postscreen(8)  built-in  dummy
4712       SMTP protocol engine.
4713
4714       This feature is available in Postfix 2.8.
4715

postscreen_command_count_limit (default: 20)

4717       The  limit  on  the  total  number  of  commands  per  SMTP session for
4718       postscreen(8)'s built-in SMTP protocol engine.  This SMTP engine defers
4719       or  rejects all attempts to deliver mail, therefore there is no need to
4720       enforce separate limits on the number of junk commands and  error  com‐
4721       mands.
4722
4723       This feature is available in Postfix 2.8.
4724

postscreen_command_filter (default: $smtpd_command_filter)

4726       A  mechanism  to  transform  commands  from  remote  SMTP clients.  See
4727       smtpd_command_filter for further details.
4728
4729       This feature is available in Postfix 2.8 and later.
4730

postscreen_command_time_limit (default: normal: 300s, overload: 10s)

4732       The time limit to read an  entire  command  line  with  postscreen(8)'s
4733       built-in SMTP protocol engine.
4734
4735       This feature is available in Postfix 2.8.
4736

postscreen_disable_vrfy_command (default: $disable_vrfy_command)

4738       Disable  the  SMTP  VRFY command in the postscreen(8) daemon.  See dis‐
4739       able_vrfy_command for details.
4740
4741       This feature is available in Postfix 2.8.
4742

postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_dis‐

4744       card_ehlo_keyword_address_maps)
4745       Lookup  tables,  indexed  by  the remote SMTP client address, with case
4746       insensitive lists of EHLO keywords (pipelining, starttls,  auth,  etc.)
4747       that  the  postscreen(8) server will not send in the EHLO response to a
4748       remote SMTP client. See smtpd_discard_ehlo_keywords for  details.   The
4749       table is not searched by hostname for robustness reasons.
4750
4751       This feature is available in Postfix 2.8 and later.
4752

postscreen_discard_ehlo_keywords (default: $smtpd_discard_ehlo_keywords)

4754       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
4755       etc.) that the postscreen(8) server will not send in the EHLO  response
4756       to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4757
4758       This feature is available in Postfix 2.8 and later.
4759

postscreen_dnsbl_action (default: ignore)

4761       The  action  that  postscreen(8) takes when a remote SMTP client's com‐
4762       bined DNSBL score is equal to or greater than a threshold  (as  defined
4763       with  the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4764       ters).  Specify one of the following:
4765
4766       ignore (default)
4767              Ignore the failure of this test. Allow other tests to  complete.
4768              Repeat this test the next time the client connects.  This option
4769              is useful for testing and collecting statistics without blocking
4770              mail.
4771
4772       enforce
4773              Allow  other  tests to complete. Reject attempts to deliver mail
4774              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4775              mation.  Repeat this test the next time the client connects.
4776
4777       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4778              this test the next time the client connects.
4779
4780       This feature is available in Postfix 2.8.
4781

postscreen_dnsbl_max_ttl (default:

4783       ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)
4784       The  maximum amount of time that postscreen(8) will use the result from
4785       a successful DNS-based reputation test before a client  IP  address  is
4786       required  to pass that test again. If the DNS reply specifies a shorter
4787       TTL value, that value will be used unless  it  would  be  smaller  than
4788       postscreen_dnsbl_min_ttl.
4789
4790       Specify  a  non-zero  time  value  (an  integral value plus an optional
4791       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4792       onds), m (minutes), h (hours), d (days), w (weeks).
4793
4794       This  feature is available in Postfix 3.1. The default setting is back‐
4795       wards-compatible with older Postfix versions.
4796

postscreen_dnsbl_min_ttl (default: 60s)

4798       The minimum amount of time that postscreen(8) will use the result  from
4799       a  successful  DNS-based  reputation test before a client IP address is
4800       required to pass that test again. If the DNS reply specifies  a  larger
4801       TTL  value,  that  value  will  be  used unless it would be larger than
4802       postscreen_dnsbl_max_ttl.
4803
4804       Specify a non-zero time value  (an  integral  value  plus  an  optional
4805       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4806       onds), m (minutes), h (hours), d (days), w (weeks).
4807
4808       This feature is available in Postfix 3.1.
4809

postscreen_dnsbl_reply_map (default: empty)

4811       A mapping from actual DNSBL domain name which includes a  secret  pass‐
4812       word,  to the DNSBL domain name that postscreen will reply with when it
4813       rejects mail.  When no mapping is found, the actual DNSBL  domain  will
4814       be used.
4815
4816       For maximal stability it is best to use a file that is read into memory
4817       such as pcre:, regexp: or texthash: (texthash:  is  similar  to  hash:,
4818       except  a)  there  is  no need to run postmap(1) before the file can be
4819       used, and b) texthash: does not detect changes after the file is read).
4820
4821       Example:
4822
4823       /etc/postfix/main.cf:
4824           postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4825
4826       /etc/postfix/dnsbl_reply:
4827          secret.zen.spamhaus.org      zen.spamhaus.org
4828
4829       This feature is available in Postfix 2.8.
4830

postscreen_dnsbl_sites (default: empty)

4832       Optional list of DNS white/blacklist domains, filters and  weight  fac‐
4833       tors.  When  the  list  is  non-empty, the dnsblog(8) daemon will query
4834       these domains with  the  IP  addresses  of  remote  SMTP  clients,  and
4835       postscreen(8)  will  update  an  SMTP  client's  DNSBL  score with each
4836       non-error reply.
4837
4838       Caution: when postscreen rejects mail, it replies with the DNSBL domain
4839       name.  Use  the  postscreen_dnsbl_reply_map  feature to hide "password"
4840       information in DNSBL domain names.
4841
4842       When a client's score is equal to or greater than the threshold  speci‐
4843       fied  with  postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4844       nection with the remote SMTP client.
4845
4846       Specify a list of domain=filter*weight entries, separated by  comma  or
4847       whitespace.
4848
4849       ·      When  no  "=filter"  is  specified,  postscreen(8)  will use any
4850              non-error DNSBL reply.  Otherwise, postscreen(8) uses only DNSBL
4851              replies  that match the filter. The filter has the form d.d.d.d,
4852              where each d is a number, or a pattern inside []  that  contains
4853              one or more ";"-separated numbers or number..number ranges.
4854
4855       ·      When  no  "*weight"  is  specified, postscreen(8) increments the
4856              remote SMTP client's DNSBL score by 1.   Otherwise,  the  weight
4857              must be an integral number, and postscreen(8) adds the specified
4858              weight to the remote SMTP client's DNSBL score.  Specify a nega‐
4859              tive number for whitelisting.
4860
4861       ·      When  one  postscreen_dnsbl_sites  entry produces multiple DNSBL
4862              responses, postscreen(8) applies the weight at most once.
4863
4864       Examples:
4865
4866       To use example.com as a high-confidence blocklist, and  to  block  mail
4867       with example.net and example.org only when both agree:
4868
4869       postscreen_dnsbl_threshold = 2
4870       postscreen_dnsbl_sites = example.com*2, example.net, example.org
4871
4872       To filter only DNSBL replies containing 127.0.0.4:
4873
4874       postscreen_dnsbl_sites = example.com=127.0.0.4
4875
4876       This feature is available in Postfix 2.8.
4877

postscreen_dnsbl_threshold (default: 1)

4879       The  inclusive  lower bound for blocking a remote SMTP client, based on
4880       its combined DNSBL score as  defined  with  the  postscreen_dnsbl_sites
4881       parameter.
4882
4883       This feature is available in Postfix 2.8.
4884

postscreen_dnsbl_timeout (default: 10s)

4886       The  time  limit  for DNSBL or DNSWL lookups. This is separate from the
4887       timeouts  in  the  dnsblog(8)  daemon  which  are  defined  by   system
4888       resolver(3) routines.
4889
4890       This feature is available in Postfix 3.0.
4891

postscreen_dnsbl_ttl (default: 1h)

4893       The  amount  of time that postscreen(8) will use the result from a suc‐
4894       cessful DNS-based  reputation  test  before  a  client  IP  address  is
4895       required to pass that test again.
4896
4897       Specify  a  non-zero  time  value  (an  integral value plus an optional
4898       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4899       onds), m (minutes), h (hours), d (days), w (weeks).
4900
4901       This  feature  is  available  in  Postfix  2.8-3.0.  It was replaced by
4902       postscreen_dnsbl_max_ttl in Postfix 3.1.
4903

postscreen_dnsbl_whitelist_threshold (default: 0)

4905       Allow a remote SMTP client to skip "before" and  "after  220  greeting"
4906       protocol  tests,  based on its combined DNSBL score as defined with the
4907       postscreen_dnsbl_sites parameter.
4908
4909       Specify a negative value to enable this feature. When a  client  passes
4910       the  postscreen_dnsbl_whitelist_threshold  without  having failed other
4911       tests, all pending or disabled tests are flagged as  completed  with  a
4912       time-to-live  value  equal  to  postscreen_dnsbl_ttl.   When a test was
4913       already completed, its time-to-live value is updated  if  it  was  less
4914       than postscreen_dnsbl_ttl.
4915
4916       This feature is available in Postfix 2.11.
4917

postscreen_enforce_tls (default: $smtpd_enforce_tls)

4919       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
4920       require     that     clients     use     TLS      encryption.       See
4921       smtpd_postscreen_enforce_tls for details.
4922
4923       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
4924       postscreen_tls_security_level instead.
4925

postscreen_expansion_filter (default: see postconf -d output)

4927       List of  characters  that  are  permitted  in  postscreen_reject_footer
4928       attribute expansions.  See smtpd_expansion_filter for further details.
4929
4930       This feature is available in Postfix 2.8 and later.
4931

postscreen_forbidden_commands (default: $smtpd_forbidden_commands)

4933       List  of  commands that the postscreen(8) server considers in violation
4934       of the SMTP protocol.  See  smtpd_forbidden_commands  for  syntax,  and
4935       postscreen_non_smtp_command_action for possible actions.
4936
4937       This feature is available in Postfix 2.8.
4938

postscreen_greet_action (default: ignore)

4940       The  action  that  postscreen(8) takes when a remote SMTP client speaks
4941       before   its   turn   within    the    time    specified    with    the
4942       postscreen_greet_wait parameter.  Specify one of the following:
4943
4944       ignore (default)
4945              Ignore  the failure of this test. Allow other tests to complete.
4946              Repeat this test the next time the client connects.  This option
4947              is useful for testing and collecting statistics without blocking
4948              mail.
4949
4950       enforce
4951              Allow other tests to complete. Reject attempts to  deliver  mail
4952              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4953              mation.  Repeat this test the next time the client connects.
4954
4955       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4956              this test the next time the client connects.
4957
4958       In either case, postscreen(8) will not whitelist the remote SMTP client
4959       IP address.
4960
4961       This feature is available in Postfix 2.8.
4962

postscreen_greet_banner (default: $smtpd_banner)

4964       The  text  in  the  optional   "220-text..."   server   response   that
4965       postscreen(8)  sends  ahead  of  the  real  Postfix  SMTP server's "220
4966       text..." response, in an attempt to confuse bad SMTP  clients  so  that
4967       they  speak  before  their turn (pre-greet).  Specify an empty value to
4968       disable this feature.
4969
4970       This feature is available in Postfix 2.8.
4971

postscreen_greet_ttl (default: 1d)

4973       The amount of time that postscreen(8) will use the result from  a  suc‐
4974       cessful  PREGREET  test.  During  this  time,  the client IP address is
4975       excluded from this test. The default is  relatively  short,  because  a
4976       good client can immediately talk to a real Postfix SMTP server.
4977
4978       Specify  a  non-zero  time  value  (an  integral value plus an optional
4979       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4980       onds), m (minutes), h (hours), d (days), w (weeks).
4981
4982       This feature is available in Postfix 2.8.
4983

postscreen_greet_wait (default: normal: 6s, overload: 2s)

4985       The  amount  of time that postscreen(8) will wait for an SMTP client to
4986       send a command before its turn, and for DNS blocklist lookup results to
4987       arrive  (default:  up to 2 seconds under stress, up to 6 seconds other‐
4988       wise).
4989
4990       Specify a non-zero time value  (an  integral  value  plus  an  optional
4991       one-letter suffix that specifies the time unit).
4992
4993       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4994
4995       This feature is available in Postfix 2.8.
4996

postscreen_helo_required (default: $smtpd_helo_required)

4998       Require  that a remote SMTP client sends HELO or EHLO before commencing
4999       a MAIL transaction.
5000
5001       This feature is available in Postfix 2.8.
5002

postscreen_non_smtp_command_action (default: drop)

5004       The action that postscreen(8) takes when a  remote  SMTP  client  sends
5005       non-SMTP  commands  as specified with the postscreen_forbidden_commands
5006       parameter.  Specify one of the following:
5007
5008       ignore Ignore the failure of this test. Allow other tests to  complete.
5009              Do  not  repeat this test before some the result from some other
5010              test expires.  This option is useful for testing and  collecting
5011              statistics without blocking mail permanently.
5012
5013       enforce
5014              Allow  other  tests to complete. Reject attempts to deliver mail
5015              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
5016              mation.  Repeat this test the next time the client connects.
5017
5018       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
5019              this test the next time the client connects. This action is  the
5020              same  as with the Postfix SMTP server's smtpd_forbidden_commands
5021              feature.
5022
5023       This feature is available in Postfix 2.8.
5024

postscreen_non_smtp_command_enable (default: no)

5026       Enable "non-SMTP command" tests  in  the  postscreen(8)  server.  These
5027       tests are expensive: a client must disconnect after it passes the test,
5028       before it can talk to a real Postfix SMTP server.
5029
5030       This feature is available in Postfix 2.8.
5031

postscreen_non_smtp_command_ttl (default: 30d)

5033       The amount of time that postscreen(8) will use the result from  a  suc‐
5034       cessful  "non_smtp_command"  SMTP  protocol test. During this time, the
5035       client IP address is excluded from  this  test.  The  default  is  long
5036       because  a  client  must disconnect after it passes the test, before it
5037       can talk to a real Postfix SMTP server.
5038
5039       Specify a non-zero time value  (an  integral  value  plus  an  optional
5040       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5041       onds), m (minutes), h (hours), d (days), w (weeks).
5042
5043       This feature is available in Postfix 2.8.
5044

postscreen_pipelining_action (default: enforce)

5046       The action that postscreen(8) takes when a  remote  SMTP  client  sends
5047       multiple  commands  instead  of sending one command and waiting for the
5048       server to respond.  Specify one of the following:
5049
5050       ignore Ignore the failure of this test. Allow other tests to  complete.
5051              Do  not  repeat this test before some the result from some other
5052              test expires.  This option is useful for testing and  collecting
5053              statistics without blocking mail permanently.
5054
5055       enforce
5056              Allow  other  tests to complete. Reject attempts to deliver mail
5057              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
5058              mation.  Repeat this test the next time the client connects.
5059
5060       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
5061              this test the next time the client connects.
5062
5063       This feature is available in Postfix 2.8.
5064

postscreen_pipelining_enable (default: no)

5066       Enable "pipelining" SMTP protocol tests in  the  postscreen(8)  server.
5067       These  tests  are  expensive:  a  good  client must disconnect after it
5068       passes the test, before it can talk to a real Postfix SMTP server.
5069
5070       This feature is available in Postfix 2.8.
5071

postscreen_pipelining_ttl (default: 30d)

5073       The amount of time that postscreen(8) will use the result from  a  suc‐
5074       cessful  "pipelining"  SMTP protocol test. During this time, the client
5075       IP address is excluded from this test. The default is  long  because  a
5076       good  client  must  disconnect  after it passes the test, before it can
5077       talk to a real Postfix SMTP server.
5078
5079       Specify a non-zero time value  (an  integral  value  plus  an  optional
5080       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5081       onds), m (minutes), h (hours), d (days), w (weeks).
5082
5083       This feature is available in Postfix 2.8.
5084

postscreen_post_queue_limit (default: $default_process_limit)

5086       The number of clients that can be waiting for service from a real Post‐
5087       fix  SMTP  server  process.  When  this queue is full, all clients will
5088       receive a 421 response.
5089
5090       This feature is available in Postfix 2.8.
5091

postscreen_pre_queue_limit (default: $default_process_limit)

5093       The number of non-whitelisted clients that can be waiting for  a  deci‐
5094       sion  whether they will receive service from a real Postfix SMTP server
5095       process. When this queue is  full,  all  non-whitelisted  clients  will
5096       receive a 421 response.
5097
5098       This feature is available in Postfix 2.8.
5099
5101       Optional  information that is appended after a 4XX or 5XX postscreen(8)
5102       server response. See smtpd_reject_footer for further details.
5103
5104       This feature is available in Postfix 2.8 and later.
5105
5107       Optional lookup table for information that is appended after a  4XX  or
5108       5XX  postscreen(8)  server  response.  See smtpd_reject_footer_maps for
5109       further details.
5110
5111       This feature is available in Postfix 3.4 and later.
5112

postscreen_tls_security_level (default: $smtpd_tls_security_level)

5114       The SMTP TLS security  level  for  the  postscreen(8)  server;  when  a
5115       non-empty  value  is  specified, this overrides the obsolete parameters
5116       postscreen_use_tls  and  postscreen_enforce_tls.  See   smtpd_tls_secu‐
5117       rity_level for details.
5118
5119       This feature is available in Postfix 2.8 and later.
5120

postscreen_upstream_proxy_protocol (default: empty)

5122       The  name  of  the proxy protocol used by an optional before-postscreen
5123       proxy agent. When a proxy agent is used, this  protocol  conveys  local
5124       and     remote     address     and     port     information.    Specify
5125       "postscreen_upstream_proxy_protocol = haproxy" to  enable  the  haproxy
5126       protocol.
5127
5128       This feature is available in Postfix 2.10 and later.
5129

postscreen_upstream_proxy_timeout (default: 5s)

5131       The   time   limit   for   the   proxy   protocol  specified  with  the
5132       postscreen_upstream_proxy_protocol parameter.
5133
5134       This feature is available in Postfix 2.10 and later.
5135

postscreen_use_tls (default: $smtpd_use_tls)

5137       Opportunistic TLS: announce STARTTLS support to  remote  SMTP  clients,
5138       but do not require that clients use TLS encryption.
5139
5140       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
5141       postscreen_tls_security_level instead.
5142

postscreen_watchdog_timeout (default: 10s)

5144       How much time a postscreen(8) process may take to respond to  a  remote
5145       SMTP client command or to perform a cache operation before it is termi‐
5146       nated by a built-in watchdog timer.  This is a  safety  mechanism  that
5147       prevents  postscreen(8)  from  becoming  non-responsive due to a bug in
5148       Postfix itself or in system software.  To avoid false alarms and unnec‐
5149       essary cache corruption this limit cannot be set under 10s.
5150
5151       Specify  a  non-zero  time  value  (an  integral value plus an optional
5152       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5153       onds), m (minutes), h (hours), d (days), w (weeks).
5154
5155       This feature is available in Postfix 2.8.
5156

postscreen_whitelist_interfaces (default: static:all)

5158       A   list   of   local   postscreen(8)   server  IP  addresses  where  a
5159       non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5160       whitelist status. This status is required before the client can talk to
5161       a Postfix SMTP  server  process.   By  default,  a  client  can  obtain
5162       postscreen(8)'s  whitelist  status on any local postscreen(8) server IP
5163       address.
5164
5165       When postscreen(8) listens on both primary and backup MX addresses, the
5166       postscreen_whitelist_interfaces parameter can be configured to give the
5167       temporary whitelist status only when a client connects to a primary  MX
5168       address.  Once  a  client  is whitelisted it can talk to a Postfix SMTP
5169       server on any address. Thus, clients that connect  only  to  backup  MX
5170       addresses  will  never become whitelisted, and will never be allowed to
5171       talk to a Postfix SMTP server process.
5172
5173       Specify a list of network addresses or network/netmask patterns,  sepa‐
5174       rated  by commas and/or whitespace. The netmask specifies the number of
5175       bits in the network part of a host  address.  Continue  long  lines  by
5176       starting the next line with whitespace.
5177
5178       You   can  also  specify  "/file/name"  or  "type:table"  patterns.   A
5179       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5180       table is matched when a table entry matches a lookup string (the lookup
5181       result is ignored).
5182
5183       The list is matched left to right, and the search stops  on  the  first
5184       match.  Specify  "!pattern" to exclude an address or network block from
5185       the list.
5186
5187       Note: IP version 6 address information must be specified inside  []  in
5188       the  postscreen_whitelist_interfaces value, and in files specified with
5189       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
5190       would otherwise be confused with a "type:table" pattern.
5191
5192       Example:
5193
5194       /etc/postfix/main.cf:
5195           # Don't whitelist connections to the backup IP address.
5196           postscreen_whitelist_interfaces = !168.100.189.8, static:all
5197
5198       This feature is available in Postfix 2.9 and later.
5199

prepend_delivered_header (default: command, file, forward)

5201       The message delivery contexts where the Postfix local(8) delivery agent
5202       prepends a Delivered-To:  message header with the address that the mail
5203       was  delivered  to.  This  information  is  used for mail delivery loop
5204       detection.
5205
5206       By default, the Postfix local delivery agent prepends  a  Delivered-To:
5207       header  when  forwarding mail and when delivering to file (mailbox) and
5208       command. Turning off the Delivered-To: header when forwarding  mail  is
5209       not recommended.
5210
5211       Specify zero or more of forward, file, or command.
5212
5213       Example:
5214
5215       prepend_delivered_header = forward
5216

process_id (read-only)

5218       The process ID of a Postfix command or daemon process.
5219

process_id_directory (default: pid)

5221       The  location  of Postfix PID files relative to $queue_directory.  This
5222       is a read-only parameter.
5223

process_name (read-only)

5225       The process name of a Postfix command or daemon process.
5226

propagate_unmatched_extensions (default: canonical, virtual)

5228       What address lookup tables copy an address extension  from  the  lookup
5229       key to the lookup result.
5230
5231       For   example,   with  a  virtual(5)  mapping  of  "joe@example.com  =>
5232       joe.user@example.net", the address "joe+foo@example.com" would  rewrite
5233       to "joe.user+foo@example.net".
5234
5235       Specify  zero or more of canonical, virtual, alias, forward, include or
5236       generic. These cause address extension propagation  with  canonical(5),
5237       virtual(5),  and  aliases(5) maps, with local(8) .forward and :include:
5238       file lookups, and with smtp(8) generic maps, respectively.
5239
5240       Note: enabling this feature for types other than canonical and  virtual
5241       is  likely  to  cause  problems  when mail is forwarded to other sites,
5242       especially with mail that is sent to a mailing list exploder address.
5243
5244       Examples:
5245
5246       propagate_unmatched_extensions = canonical, virtual, alias,
5247               forward, include
5248       propagate_unmatched_extensions = canonical, virtual
5249

proxy_interfaces (default: empty)

5251       The network interface addresses that this mail system receives mail  on
5252       by way of a proxy or network address translation unit.
5253
5254       This feature is available in Postfix 2.0 and later.
5255
5256       You must specify your "outside" proxy/NAT addresses when your system is
5257       a backup MX host for other domains, otherwise mail delivery loops  will
5258       happen when the primary MX host is down.
5259
5260       Example:
5261
5262       proxy_interfaces = 1.2.3.4
5263

proxy_read_maps (default: see postconf -d output)

5265       The  lookup tables that the proxymap(8) server is allowed to access for
5266       the read-only service.
5267
5268       Specify zero or more "type:name" lookup tables, separated by whitespace
5269       or comma.  Table references that don't begin with proxy: are ignored.
5270
5271       This feature is available in Postfix 2.0 and later.
5272

proxy_write_maps (default: see postconf -d output)

5274       The  lookup tables that the proxymap(8) server is allowed to access for
5275       the read-write service. Postfix-owned local database  files  should  be
5276       stored  under  the Postfix-owned data_directory.  Table references that
5277       don't begin with proxy: are ignored.
5278
5279       This feature is available in Postfix 2.5 and later.
5280

proxymap_service_name (default: proxymap)

5282       The name of the proxymap read-only table lookup service.  This  service
5283       is normally implemented by the proxymap(8) daemon.
5284
5285       This feature is available in Postfix 2.6 and later.
5286

proxywrite_service_name (default: proxywrite)

5288       The  name of the proxywrite read-write table lookup service.  This ser‐
5289       vice is normally implemented by the proxymap(8) daemon.
5290
5291       This feature is available in Postfix 2.6 and later.
5292

qmgr_clog_warn_time (default: 300s)

5294       The minimal delay between warnings that a specific destination is clog‐
5295       ging up the Postfix active queue. Specify 0 to disable.
5296
5297       This feature is enabled with the helpful_warnings parameter.
5298
5299       This feature is available in Postfix 2.0 and later.
5300

qmgr_daemon_timeout (default: 1000s)

5302       How  much  time  a  Postfix  queue manager process may take to handle a
5303       request before it is terminated by a built-in watchdog timer.
5304
5305       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5306       The default time unit is s (seconds).
5307
5308       This feature is available in Postfix 2.8 and later.
5309

qmgr_fudge_factor (default: 100)

5311       Obsolete feature: the percentage of delivery resources that a busy mail
5312       system will use up for delivery of a large mailing  list message.
5313
5314       This feature exists only in the oqmgr(8) old queue manager. The current
5315       queue manager solves the problem in a better way.
5316

qmgr_ipc_timeout (default: 60s)

5318       The  time  limit  for  the queue manager to send or receive information
5319       over an internal communication channel.  The purpose is to break out of
5320       deadlock  situations. If the time limit is exceeded the software either
5321       retries or aborts the operation.
5322
5323       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5324       The default time unit is s (seconds).
5325
5326       This feature is available in Postfix 2.8 and later.
5327

qmgr_message_active_limit (default: 20000)

5329       The maximal number of messages in the active queue.
5330

qmgr_message_recipient_limit (default: 20000)

5332       The  maximal  number  of recipients held in memory by the Postfix queue
5333       manager, and the maximal size of the short-term, in-memory "dead"  des‐
5334       tination status cache.
5335

qmgr_message_recipient_minimum (default: 10)

5337       The  minimal number of in-memory recipients for any message. This takes
5338       priority over any other in-memory recipient limits  (i.e.,  the  global
5339       qmgr_message_recipient_limit and the per transport _recipient_limit) if
5340       necessary. The minimum value allowed for this parameter is 1.
5341

qmqpd_authorized_clients (default: empty)

5343       What remote QMQP clients are allowed to connect  to  the  Postfix  QMQP
5344       server port.
5345
5346       By  default,  no  client is allowed to use the service. This is because
5347       the QMQP server will relay mail to any destination.
5348
5349       Specify a list of client patterns. A  list  pattern  specifies  a  host
5350       name,  a  domain  name, an internet address, or a network/mask pattern,
5351       where the mask specifies the number of bits in the network part.   When
5352       a  pattern  specifies a file name, its contents are substituted for the
5353       file name; when a pattern is a "type:table" table specification,  table
5354       lookup is used instead.
5355
5356       Patterns are separated by whitespace and/or commas. In order to reverse
5357       the result, precede a pattern with an exclamation point (!).  The  form
5358       "!/file/name" is supported only in Postfix version 2.4 and later.
5359
5360       Pattern  matching  of  domain  names  is  controlled by the presence or
5361       absence of "qmqpd_authorized_clients" in the parent_domain_matches_sub‐
5362       domains parameter value.
5363
5364       Example:
5365
5366       qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
5367

qmqpd_client_port_logging (default: no)

5369       Enable  logging of the remote QMQP client port in addition to the host‐
5370       name and IP address. The logging format is "host[address]:port".
5371
5372       This feature is available in Postfix 2.5 and later.
5373

qmqpd_error_delay (default: 1s)

5375       How long the Postfix QMQP server will pause before sending  a  negative
5376       reply  to  the remote QMQP client. The purpose is to slow down confused
5377       or malicious clients.
5378
5379       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5380       The default time unit is s (seconds).
5381

qmqpd_timeout (default: 300s)

5383       The  time  limit for sending or receiving information over the network.
5384       If a read or write operation blocks for more than  $qmqpd_timeout  sec‐
5385       onds the Postfix QMQP server gives up and disconnects.
5386
5387       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
5388       The default time unit is s (seconds).
5389

queue_directory (default: see postconf -d output)

5391       The location of the Postfix top-level queue directory. This is the root
5392       directory of Postfix daemon processes that run chrooted.
5393

queue_file_attribute_count_limit (default: 100)

5395       The  maximal  number of (name=value) attributes that may be stored in a
5396       Postfix queue file. The limit is enforced by the cleanup(8) server.
5397
5398       This feature is available in Postfix 2.0 and later.
5399

queue_minfree (default: 0)

5401       The minimal amount of free space in bytes in the queue file system that
5402       is  needed to receive mail.  This is currently used by the Postfix SMTP
5403       server to decide if it will accept any mail at all.
5404
5405       By default, the Postfix SMTP server rejects MAIL FROM commands when the
5406       amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5407       sion 2.1 and later).  To specify a higher  minimum  free  space  limit,
5408       specify a queue_minfree value that is at least 1.5*$message_size_limit.
5409
5410       With  Postfix  versions  2.0 and earlier, a queue_minfree value of zero
5411       means there is no minimum required amount of free space.
5412

queue_run_delay (default: 300s)

5414       The time between deferred queue scans by the queue  manager;  prior  to
5415       Postfix 2.4 the default value was 1000s.
5416
5417       This  parameter  should  be  set  less  than or equal to $minimal_back‐
5418       off_time. See also $maximal_backoff_time.
5419
5420       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5421       The default time unit is s (seconds).
5422

queue_service_name (default: qmgr)

5424       The name of the qmgr(8) service. This service manages the Postfix queue
5425       and schedules delivery requests.
5426
5427       This feature is available in Postfix 2.0 and later.
5428

rbl_reply_maps (default: empty)

5430       Optional lookup tables with RBL  response  templates.  The  tables  are
5431       indexed  by  the  RBL domain name. By default, Postfix uses the default
5432       template as specified with the default_rbl_reply configuration  parame‐
5433       ter. See there for a discussion of the syntax of RBL reply templates.
5434
5435       This feature is available in Postfix 2.0 and later.
5436

readme_directory (default: see postconf -d output)

5438       The  location  of Postfix README files that describe how to build, con‐
5439       figure or operate a specific Postfix subsystem or feature.
5440

receive_override_options (default: empty)

5442       Enable or disable recipient validation, built-in content filtering,  or
5443       address  mapping.  Typically,  these are specified in master.cf as com‐
5444       mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
5445
5446       Specify zero or more of the following options.   The  options  override
5447       main.cf  settings  and are either implemented by smtpd(8), qmqpd(8), or
5448       pickup(8) themselves, or they are forwarded to the cleanup server.
5449
5450       no_unknown_recipient_checks
5451              Do not try to reject  unknown  recipients  (SMTP  server  only).
5452              This is typically specified AFTER an external content filter.
5453
5454       no_address_mappings
5455              Disable  canonical address mapping, virtual alias map expansion,
5456              address masquerading,  and  automatic  BCC  (blind  carbon-copy)
5457              recipients.  This is typically specified BEFORE an external con‐
5458              tent filter.
5459
5460       no_header_body_checks
5461              Disable header/body_checks. This is typically specified AFTER an
5462              external content filter.
5463
5464       no_milters
5465              Disable  Milter  (mail  filter)  applications. This is typically
5466              specified AFTER an external content filter.
5467
5468       Note: when the "BEFORE content filter" receive_override_options setting
5469       is  specified  in  the main.cf file, specify the "AFTER content filter"
5470       receive_override_options setting in master.cf (and vice versa).
5471
5472       Examples:
5473
5474       receive_override_options =
5475           no_unknown_recipient_checks, no_header_body_checks
5476       receive_override_options = no_address_mappings
5477
5478       This feature is available in Postfix 2.1 and later.
5479

recipient_bcc_maps (default: empty)

5481       Optional BCC (blind carbon-copy)  address  lookup  tables,  indexed  by
5482       recipient  address.   The  BCC  address  (multiple results are not sup‐
5483       ported) is added when mail enters from outside of Postfix.
5484
5485       Specify zero or more "type:name" lookup tables, separated by whitespace
5486       or  comma. Tables will be searched in the specified order until a match
5487       is found.
5488
5489       The table search order is as follows:
5490
5491       ·      Look up the "user+extension@domain.tld"  address  including  the
5492              optional address extension.
5493
5494       ·      Look  up  the  "user@domain.tld"  address  without  the optional
5495              address extension.
5496
5497       ·      Look up the "user+extension" address local part when the recipi‐
5498              ent domain equals $myorigin, $mydestination, $inet_interfaces or
5499              $proxy_interfaces.
5500
5501       ·      Look up the "user" address local part when the recipient  domain
5502              equals    $myorigin,    $mydestination,    $inet_interfaces   or
5503              $proxy_interfaces.
5504
5505       ·      Look up the "@domain.tld" part.
5506
5507       Note: with Postfix 2.3 and later the BCC address is added as if it  was
5508       specified  with  NOTIFY=NONE.  The sender will not be notified when the
5509       BCC address is undeliverable,  as  long  as  all  down-stream  software
5510       implements RFC 3461.
5511
5512       Note:  with  Postfix 2.2 and earlier the sender will unconditionally be
5513       notified when the BCC address is undeliverable.
5514
5515       Note: automatic BCC recipients are produced  only  for  new  mail.   To
5516       avoid  mailer  loops,  automatic BCC recipients are not generated after
5517       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
5518       itself.
5519
5520       Example:
5521
5522       recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
5523
5524       After a change, run "postmap /etc/postfix/recipient_bcc".
5525
5526       This feature is available in Postfix 2.1 and later.
5527

recipient_canonical_classes (default: envelope_recipient, header_recipient)

5529       What addresses are subject to recipient_canonical_maps address mapping.
5530       By default, recipient_canonical_maps  address  mapping  is  applied  to
5531       envelope recipient addresses, and to header recipient addresses.
5532
5533       Specify one or more of: envelope_recipient, header_recipient
5534
5535       This feature is available in Postfix 2.2 and later.
5536

recipient_canonical_maps (default: empty)

5538       Optional  address mapping lookup tables for envelope and header recipi‐
5539       ent addresses.  The table format and lookups are documented in  canoni‐
5540       cal(5).
5541
5542       Note: $recipient_canonical_maps is processed before $canonical_maps.
5543
5544       Example:
5545
5546       recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
5547

recipient_delimiter (default: empty)

5549       The  set of characters that can separate a user name from its extension
5550       (example: user+foo), or a .forward file name from its extension  (exam‐
5551       ple:  .forward+foo).   Basically, the software tries user+foo and .for‐
5552       ward+foo before trying user and .forward.  This  implementation  recog‐
5553       nizes  one  delimiter  character and one extension per email address or
5554       .forward file name.
5555
5556       When the recipient_delimiter set contains multiple characters  (Postfix
5557       2.11  and  later),  a user name or .forward file name is separated from
5558       its extension by the first character that matches the  recipient_delim‐
5559       iter set.
5560
5561       See canonical(5), local(8), relocated(5) and virtual(5) for the effects
5562       of recipient_delimiter on lookups in aliases, canonical,  virtual,  and
5563       relocated  maps,  and  see the propagate_unmatched_extensions parameter
5564       for propagating an extension from one email address to another.
5565
5566       When used in command_execution_directory, forward_path, or luser_relay,
5567       ${recipient_delimiter}  is replaced with the actual recipient delimiter
5568       that was found in the recipient email address (Postfix 2.11 and later),
5569       or  it is replaced with the main.cf recipient_delimiter parameter value
5570       (Postfix 2.10 and earlier).
5571
5572       The recipient_delimiter is not applied to  the  mailer-daemon  address,
5573       the  postmaster address, or the double-bounce address. With the default
5574       "owner_request_special = yes" setting, the recipient_delimiter is  also
5575       not  applied  to addresses with the special "owner-" prefix or the spe‐
5576       cial "-request" suffix.
5577
5578       Examples:
5579
5580       # Handle Postfix-style extensions.
5581       recipient_delimiter = +
5582
5583       # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
5584       recipient_delimiter = +-
5585
5586       # Use .forward for mail without address extension, and for mail with
5587       # an unrecognized address extension.
5588       forward_path = $home/.forward${recipient_delimiter}${extension},
5589           $home/.forward
5590

reject_code (default: 554)

5592       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
5593       client request is rejected by the "reject" restriction.
5594
5595       Do  not  change  this  unless  you have a complete understanding of RFC
5596       5321.
5597

reject_tempfail_action (default: defer_if_permit)

5599       The Postfix SMTP server's action when a reject-type  restriction  fails
5600       due to a temporary error condition. Specify "defer" to defer the remote
5601       SMTP client request immediately.  With  the  default  "defer_if_permit"
5602       action,  the Postfix SMTP server continues to look for opportunities to
5603       reject mail, and defers the client request only if it  would  otherwise
5604       be accepted.
5605
5606       For  finer  control, see: unverified_recipient_tempfail_action, unveri‐
5607       fied_sender_tempfail_action,    unknown_address_tempfail_action,    and
5608       unknown_helo_hostname_tempfail_action.
5609
5610       This feature is available in Postfix 2.6 and later.
5611

relay_clientcerts (default: empty)

5613       List of tables with remote SMTP client-certificate fingerprints or pub‐
5614       lic key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP
5615       server  will allow access with the permit_tls_clientcerts feature.  The
5616       fingerprint digest algorithm is configurable via the  smtpd_tls_finger‐
5617       print_digest  parameter  (hard-coded  as  md5  prior to Postfix version
5618       2.5).
5619
5620       Postfix lookup tables are in the form of (key, value) pairs.  Since  we
5621       only  need  the  key, the value can be chosen freely, e.g.  the name of
5622       the  user  or   host:   D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80
5623       lutzpc.at.home
5624
5625       Example:
5626
5627       relay_clientcerts = hash:/etc/postfix/relay_clientcerts
5628
5629       For  more  fine-grained  control,  use  check_ccert_access to select an
5630       appropriate  access(5)  policy   for   each   client.    See   RESTRIC‐
5631       TION_CLASS_README.
5632
5633       Note:  Postfix  2.9.0-2.9.5  computed the public key fingerprint incor‐
5634       rectly. To use public-key fingerprints, upgrade  to  Postfix  2.9.6  or
5635       later.
5636
5637       This feature is available with Postfix version 2.2.
5638

relay_destination_concurrency_limit (default: $default_destination_concur‐

5640       rency_limit)
5641       The maximal number of parallel deliveries to the same  destination  via
5642       the  relay  message  delivery  transport. This limit is enforced by the
5643       queue manager. The message delivery transport name is the  first  field
5644       in the entry in the master.cf file.
5645
5646       This feature is available in Postfix 2.0 and later.
5647

relay_destination_recipient_limit (default: $default_destination_recipi‐

5649       ent_limit)
5650       The maximal number of recipients per  message  for  the  relay  message
5651       delivery  transport.  This  limit is enforced by the queue manager. The
5652       message delivery transport name is the first field in the entry in  the
5653       master.cf file.
5654
5655       Setting  this  parameter  to  a  value  of  1  changes  the  meaning of
5656       relay_destination_concurrency_limit from concurrency  per  domain  into
5657       concurrency per recipient.
5658
5659       This feature is available in Postfix 2.0 and later.
5660

relay_domains (default: Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)

5662       What  destination  domains  (and  subdomains  thereof) this system will
5663       relay mail to. For details about how the relay_domains value  is  used,
5664       see    the    description    of    the    permit_auth_destination   and
5665       reject_unauth_destination SMTP recipient restrictions.
5666
5667       Domains that match $relay_domains are delivered with the  $relay_trans‐
5668       port  mail  delivery  transport.  The  SMTP  server validates recipient
5669       addresses with $relay_recipient_maps and rejects  non-existent  recipi‐
5670       ents.   See   also   the   relay   domains   address   class   in   the
5671       ADDRESS_CLASS_README file.
5672
5673       Note: Postfix will not automatically forward mail for domains that list
5674       this  system  as  their  primary  or  backup  MX  host.  See  the  per‐
5675       mit_mx_backup restriction in the postconf(5) manual page.
5676
5677       Specify a list of  host  or  domain  names,  "/file/name"  patterns  or
5678       "type:table"  lookup  tables,  separated  by  commas and/or whitespace.
5679       Continue long lines by  starting  the  next  line  with  whitespace.  A
5680       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5681       table is matched when a (parent) domain appears as lookup key.  Specify
5682       "!pattern" to exclude a domain from the list. The form "!/file/name" is
5683       supported only in Postfix version 2.4 and later.
5684
5685       Pattern matching of domain names  is  controlled  by  the  presence  or
5686       absence  of  "relay_domains"  in  the  parent_domain_matches_subdomains
5687       parameter value.
5688

relay_domains_reject_code (default: 554)

5690       The numerical Postfix SMTP server response code when a  client  request
5691       is rejected by the reject_unauth_destination recipient restriction.
5692
5693       Do  not  change  this  unless  you have a complete understanding of RFC
5694       5321.
5695

relay_recipient_maps (default: empty)

5697       Optional lookup tables with all valid addresses  in  the  domains  that
5698       match  $relay_domains.  Specify @domain as a wild-card for domains that
5699       have no valid recipient list, and become a source of backscatter  mail:
5700       Postfix  accepts spam for non-existent recipients and then floods inno‐
5701       cent people with undeliverable mail.  Technically, tables  listed  with
5702       $relay_recipient_maps  are used as lists: Postfix needs to know only if
5703       a lookup string is found or not, but it does not use  the  result  from
5704       table lookup.
5705
5706       Specify zero or more "type:name" lookup tables, separated by whitespace
5707       or comma. Tables will be searched in the specified order until a  match
5708       is found.
5709
5710       If  this  parameter  is  non-empty,  then  the Postfix SMTP server will
5711       reject mail to unknown relay users. This feature is off by default.
5712
5713       See also the relay domains address class  in  the  ADDRESS_CLASS_README
5714       file.
5715
5716       Example:
5717
5718       relay_recipient_maps = hash:/etc/postfix/relay_recipients
5719
5720       This feature is available in Postfix 2.0 and later.
5721

relay_transport (default: relay)

5723       The default mail delivery transport and next-hop destination for remote
5724       delivery to domains listed with $relay_domains. In order of  decreasing
5725       precedence,  the  nexthop  destination  is taken from $relay_transport,
5726       $sender_dependent_relayhost_maps, $relayhost,  or  from  the  recipient
5727       domain. This information can be overruled with the transport(5) table.
5728
5729       Specify  a string of the form transport:nexthop, where transport is the
5730       name of a mail delivery transport defined in master.cf.   The  :nexthop
5731       destination is optional; its syntax is documented in the manual page of
5732       the corresponding delivery agent.
5733
5734       See also the relay domains address class  in  the  ADDRESS_CLASS_README
5735       file.
5736
5737       This feature is available in Postfix 2.0 and later.
5738

relayhost (default: empty)

5740       The next-hop destination of non-local mail; overrides non-local domains
5741       in recipient addresses. This information is overruled with relay_trans‐
5742       port,    sender_dependent_default_transport_maps,    default_transport,
5743       sender_dependent_relayhost_maps and with the transport(5) table.
5744
5745       On an intranet, specify the organizational domain name. If your  inter‐
5746       nal  DNS  uses  no MX records, specify the name of the intranet gateway
5747       host instead.
5748
5749       In the case of SMTP, specify a domain  name,  hostname,  hostname:port,
5750       [hostname]:port,  [hostaddress]  or [hostaddress]:port. The form [host‐
5751       name] turns off MX lookups.
5752
5753       If you're connected via UUCP,  see  the  UUCP_README  file  for  useful
5754       information.
5755
5756       Examples:
5757
5758       relayhost = $mydomain
5759       relayhost = [gateway.example.com]
5760       relayhost = uucphost
5761       relayhost = [an.ip.add.ress]
5762

relocated_maps (default: empty)

5764       Optional  lookup  tables  with  new  contact  information  for users or
5765       domains that no longer exist.  The table format and lookups  are  docu‐
5766       mented in relocated(5).
5767
5768       Specify zero or more "type:name" lookup tables, separated by whitespace
5769       or comma. Tables will be searched in the specified order until a  match
5770       is found.
5771
5772       If  you use this feature, run "postmap /etc/postfix/relocated" to build
5773       the necessary DBM or DB file after change,  then  "postfix  reload"  to
5774       make the changes visible.
5775
5776       Examples:
5777
5778       relocated_maps = dbm:/etc/postfix/relocated
5779       relocated_maps = hash:/etc/postfix/relocated
5780

remote_header_rewrite_domain (default: empty)

5782       Don't  rewrite  message  headers  from  remote clients at all when this
5783       parameter is empty; otherwise, rewrite message headers and  append  the
5784       specified  domain  name  to incomplete addresses.  The local_header_re‐
5785       write_clients parameter controls what clients Postfix considers local.
5786
5787       Examples:
5788
5789       The  safe  setting:  append  "domain.invalid"  to   incomplete   header
5790       addresses  from  remote SMTP clients, so that those addresses cannot be
5791       confused with local addresses.
5792
5793           remote_header_rewrite_domain = domain.invalid
5794
5795       The default, purist, setting: don't rewrite headers from remote clients
5796       at all.
5797
5798           remote_header_rewrite_domain =
5799

require_home_directory (default: no)

5801       Require  that  a local(8) recipient's home directory exists before mail
5802       delivery is attempted. By default this test is  disabled.   It  can  be
5803       useful for environments that import home directories to the mail server
5804       (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5805

reset_owner_alias (default: no)

5807       Reset the local(8) delivery agent's idea of the owner-alias  attribute,
5808       when  delivering mail to a child alias that does not have its own owner
5809       alias.
5810
5811       This feature is available in Postfix 2.8 and later. With older  Postfix
5812       releases, the behavior is as if this parameter is set to "yes".
5813
5814       As  documented  in aliases(5), when an alias name has a companion alias
5815       named owner-name, this will replace the  envelope  sender  address,  so
5816       that delivery errors will be reported to the owner alias instead of the
5817       sender. This configuration is recommended for mailing lists.
5818
5819       A less known property of the owner alias is that  it  also  forces  the
5820       local(8)  delivery agent to write local and remote addresses from alias
5821       expansion to a new queue file, instead of attempting to deliver mail to
5822       local addresses as soon as they come out of alias expansion.
5823
5824       Writing local addresses from alias expansion to a new queue file allows
5825       for robust handling of temporary delivery errors: errors with one local
5826       member  have  no effect on deliveries to other members of the list.  On
5827       the other hand, delivery to local addresses as soon as they come out of
5828       alias  expansion  is  fragile: a temporary error with one local address
5829       from alias expansion will cause the entire alias to be expanded repeat‐
5830       edly  until  the  error  goes away, or until the message expires in the
5831       queue.  In that case, a problem with one list member results in  multi‐
5832       ple message deliveries to other list members.
5833
5834       The  default  behavior  of  Postfix  2.8  and  later  is  to  keep  the
5835       owner-alias attribute of the parent alias, when delivering  mail  to  a
5836       child  alias  that  does  not  have  its  own  owner alias. Then, local
5837       addresses from that child alias will be written to a  new  queue  file,
5838       and  a  temporary error with one local address will not affect delivery
5839       to other mailing list members.
5840
5841       Unfortunately, older Postfix releases reset the  owner-alias  attribute
5842       when  delivering mail to a child alias that does not have its own owner
5843       alias. To be precise, this resets only the decision  to  create  a  new
5844       queue  file,  not the decision to override the envelope sender address.
5845       The local(8) delivery agent then attempts to deliver local addresses as
5846       soon  as  they  come  out of child alias expansion.  If delivery to any
5847       address from child alias expansion fails with a temporary error  condi‐
5848       tion, the entire mailing list may be expanded repeatedly until the mail
5849       expires in the queue, resulting in multiple deliveries of the same mes‐
5850       sage to mailing list members.
5851

resolve_dequoted_address (default: yes)

5853       Resolve  a  recipient  address  safely instead of correctly, by looking
5854       inside quotes.
5855
5856       By default, the Postfix address resolver does  not  quote  the  address
5857       localpart  as  per  RFC  822, so that additional @ or % or !  operators
5858       remain visible. This behavior is safe but it is also technically incor‐
5859       rect.
5860
5861       If  you  specify  "resolve_dequoted_address  =  no",  then  the Postfix
5862       resolver will not know about additional @ etc. operators in the address
5863       localpart. This opens opportunities for obscure mail relay attacks with
5864       user@domain@domain addresses when Postfix provides  backup  MX  service
5865       for Sendmail systems.
5866

resolve_null_domain (default: no)

5868       Resolve  an  address  that  ends in the "@" null domain as if the local
5869       hostname were specified, instead of rejecting the address as invalid.
5870
5871       This feature is available in Postfix 2.1 and later.   Earlier  versions
5872       always resolve the null domain as the local hostname.
5873
5874       The  Postfix  SMTP  server  uses this feature to reject mail from or to
5875       addresses that end in the "@" null domain, and from addresses that  re‐
5876       write into a form that ends in the "@" null domain.
5877

resolve_numeric_domain (default: no)

5879       Resolve  "user@ipaddress"  as  "user@[ipaddress]", instead of rejecting
5880       the address as invalid.
5881
5882       This feature is available in Postfix 2.3 and later.
5883

rewrite_service_name (default: rewrite)

5885       The name of  the  address  rewriting  service.  This  service  rewrites
5886       addresses  to  standard  form  and resolves them to a (delivery method,
5887       next-hop host, recipient) triple.
5888
5889       This feature is available in Postfix 2.0 and later.
5890

sample_directory (default: /etc/postfix)

5892       The name of the directory with  example  Postfix  configuration  files.
5893       Starting  with  Postfix  2.1,  these  files have been replaced with the
5894       postconf(5) manual page.
5895

send_cyrus_sasl_authzid (default: no)

5897       When authenticating to a remote SMTP or LMTP server  with  the  default
5898       setting  "no",  send  no SASL authoriZation ID (authzid); send only the
5899       SASL authentiCation ID (authcid) plus the authcid's password.
5900
5901       The non-default setting "yes" enables the  behavior  of  older  Postfix
5902       versions.   These  always send a SASL authzid that is equal to the SASL
5903       authcid, but this  causes  interoperability  problems  with  some  SMTP
5904       servers.
5905
5906       This feature is available in Postfix 2.4.4 and later.
5907

sender_based_routing (default: no)

5909       This  parameter  should  not  be used. It was replaced by sender_depen‐
5910       dent_relayhost_maps in Postfix version 2.3.
5911

sender_bcc_maps (default: empty)

5913       Optional BCC (blind carbon-copy)  address  lookup  tables,  indexed  by
5914       sender  address.   The BCC address (multiple results are not supported)
5915       is added when mail enters from outside of Postfix.
5916
5917       Specify zero or more "type:name" lookup tables, separated by whitespace
5918       or  comma. Tables will be searched in the specified order until a match
5919       is found.
5920
5921       The table search order is as follows:
5922
5923       ·      Look up the "user+extension@domain.tld"  address  including  the
5924              optional address extension.
5925
5926       ·      Look  up  the  "user@domain.tld"  address  without  the optional
5927              address extension.
5928
5929       ·      Look up the "user+extension" address local part when the  sender
5930              domain  equals  $myorigin,  $mydestination,  $inet_interfaces or
5931              $proxy_interfaces.
5932
5933       ·      Look up the "user" address local part  when  the  sender  domain
5934              equals    $myorigin,    $mydestination,    $inet_interfaces   or
5935              $proxy_interfaces.
5936
5937       ·      Look up the "@domain.tld" part.
5938
5939       Note: with Postfix 2.3 and later the BCC address is added as if it  was
5940       specified  with  NOTIFY=NONE.  The sender will not be notified when the
5941       BCC address is undeliverable,  as  long  as  all  down-stream  software
5942       implements RFC 3461.
5943
5944       Note: with Postfix 2.2 and earlier the sender will be notified when the
5945       BCC address is undeliverable.
5946
5947       Note: automatic BCC recipients are produced  only  for  new  mail.   To
5948       avoid  mailer  loops,  automatic BCC recipients are not generated after
5949       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
5950       itself.
5951
5952       Example:
5953
5954       sender_bcc_maps = hash:/etc/postfix/sender_bcc
5955
5956       After a change, run "postmap /etc/postfix/sender_bcc".
5957
5958       This feature is available in Postfix 2.1 and later.
5959

sender_canonical_classes (default: envelope_sender, header_sender)

5961       What  addresses  are  subject to sender_canonical_maps address mapping.
5962       By default, sender_canonical_maps address mapping is applied  to  enve‐
5963       lope sender addresses, and to header sender addresses.
5964
5965       Specify one or more of: envelope_sender, header_sender
5966
5967       This feature is available in Postfix 2.2 and later.
5968

sender_canonical_maps (default: empty)

5970       Optional  address  mapping lookup tables for envelope and header sender
5971       addresses.  The table format and  lookups  are  documented  in  canoni‐
5972       cal(5).
5973
5974       Example:  you  want to rewrite the SENDER address "user@ugly.domain" to
5975       "user@pretty.domain", while still being able to send mail to the RECIP‐
5976       IENT address "user@ugly.domain".
5977
5978       Note: $sender_canonical_maps is processed before $canonical_maps.
5979
5980       Example:
5981
5982       sender_canonical_maps = hash:/etc/postfix/sender_canonical
5983

sender_dependent_default_transport_maps (default: empty)

5985       A  sender-dependent override for the global default_transport parameter
5986       setting. The tables are searched by the  envelope  sender  address  and
5987       @domain.  A  lookup result of DUNNO terminates the search without over‐
5988       riding the global default_transport parameter setting.   This  informa‐
5989       tion is overruled with the transport(5) table.
5990
5991       Specify zero or more "type:name" lookup tables, separated by whitespace
5992       or comma. Tables will be searched in the specified order until a  match
5993       is found.
5994
5995       Note:  this overrides default_transport, not transport_maps, and there‐
5996       fore the expected syntax is that of default_transport, not  the  syntax
5997       of  transport_maps.   Specifically,  this  does  not support the trans‐
5998       port_maps syntax for  null  transport,  null  nexthop,  or  null  email
5999       addresses.
6000
6001       For  safety  reasons, this feature does not allow $number substitutions
6002       in regular expression maps.
6003
6004       This feature is available in Postfix 2.7 and later.
6005

sender_dependent_relayhost_maps (default: empty)

6007       A sender-dependent override for the global relayhost parameter setting.
6008       The  tables  are searched by the envelope sender address and @domain. A
6009       lookup result of DUNNO terminates the  search  without  overriding  the
6010       global relayhost parameter setting (Postfix 2.6 and later). This infor‐
6011       mation    is    overruled    with    relay_transport,     sender_depen‐
6012       dent_default_transport_maps,  default_transport  and  with  the  trans‐
6013       port(5) table.
6014
6015       Specify zero or more "type:name" lookup tables, separated by whitespace
6016       or  comma. Tables will be searched in the specified order until a match
6017       is found.
6018
6019       For safety reasons, this feature does not allow  $number  substitutions
6020       in regular expression maps.
6021
6022       This feature is available in Postfix 2.3 and later.
6023

sendmail_fix_line_endings (default: always)

6025       Controls  how  the Postfix sendmail command converts email message line
6026       endings from <CR><LF> into UNIX format (<LF>).
6027
6028       always Always convert message lines ending in <CR><LF>. This setting is
6029              the default with Postfix 2.9 and later.
6030
6031       strict Convert message lines ending in <CR><LF> only if the first input
6032              line ends in <CR><LF>. This setting is backwards-compatible with
6033              Postfix 2.8 and earlier.
6034
6035       never  Never  convert  message  lines  ending in <CR><LF>. This setting
6036              exists for completeness only.
6037
6038       This feature is available in Postfix 2.9 and later.
6039

sendmail_path (default: see postconf -d output)

6041       A Sendmail compatibility feature that specifies  the  location  of  the
6042       Postfix  sendmail(1)  command.  This command can be used to submit mail
6043       into the Postfix queue.
6044

service_name (read-only)

6046       The master.cf service name of a Postfix daemon  process.  This  can  be
6047       used  to  distinguish  the logging from different services that use the
6048       same program name.
6049
6050       Example master.cf entries:
6051
6052       # Distinguish inbound MTA logging from submission and smtps logging.
6053       smtp      inet  n       -       n       -       -       smtpd
6054       submission inet n       -       n       -       -       smtpd
6055           -o syslog_name=postfix/$service_name
6056       smtps     inet  n       -       n       -       -       smtpd
6057           -o syslog_name=postfix/$service_name
6058
6059       # Distinguish outbound MTA logging from inbound relay logging.
6060       smtp      unix  -       -       n       -       -       smtp
6061       relay     unix  -       -       n       -       -       smtp
6062           -o syslog_name=postfix/$service_name
6063

service_throttle_time (default: 60s)

6065       How long the Postfix master(8)  waits  before  forking  a  server  that
6066       appears to be malfunctioning.
6067
6068       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6069       The default time unit is s (seconds).
6070

setgid_group (default: postdrop)

6072       The group ownership of set-gid Postfix commands and  of  group-writable
6073       Postfix  directories.  When this parameter value is changed you need to
6074       re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
6075       "/etc/postfix/post-install set-permissions".
6076

shlib_directory (default: see 'postconf -d' output)

6078       The location of Postfix dynamically-linked libraries (libpostfix-*.so),
6079       and the default location of  Postfix  database  plugins  (postfix-*.so)
6080       that  have  a  relative  pathname  in  the  dynamicmaps.cf  file.   The
6081       shlib_directory  parameter  defaults  to  "no"  when  Postfix   dynami‐
6082       cally-linked  libraries  and  database  plugins are disabled at compile
6083       time,  otherwise  it  typically   defaults   to   /usr/lib/postfix   or
6084       /usr/local/lib/postfix.
6085
6086       Notes:
6087
6088       ·      The directory specified with shlib_directory should contain only
6089              Postfix-related files. Postfix dynamically-linked libraries  and
6090              database  plugins  should  not be installed in a "public" system
6091              directory such as /usr/lib or  /usr/local/lib.  Linking  Postfix
6092              dynamically-linked   library  files  or  database  plugins  into
6093              non-Postfix  programs  is  not   supported.    Postfix   dynami‐
6094              cally-linked  libraries  and  database plugins implement a Post‐
6095              fix-internal API that changes without maintaining compatibility.
6096
6097       ·      You can change the shlib_directory value after Postfix is built.
6098              However,  you  may have to run ldconfig or equivalent to prevent
6099              Postfix programs from failing because the libpostfix-*.so  files
6100              are  not  found.   No ldconfig command is needed if you keep the
6101              libpostfix-*.so files in the compiled-in  default  $shlib_direc‐
6102              tory location.
6103
6104       This feature is available in Postfix 3.0 and later.
6105

show_user_unknown_table_name (default: yes)

6107       Display  the  name  of  the  recipient  table  in  the  "User  unknown"
6108       responses.  The extra detail  makes  troubleshooting  easier  but  also
6109       reveals information that is nobody else's business.
6110
6111       This feature is available in Postfix 2.0 and later.
6112

showq_service_name (default: showq)

6114       The name of the showq(8) service. This service produces mail queue sta‐
6115       tus reports.
6116
6117       This feature is available in Postfix 2.0 and later.
6118

smtp_address_preference (default: any)

6120       The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
6121       will  try  first,  when  a destination has IPv6 and IPv4 addresses with
6122       equal MX preference. This feature has no effect unless the  inet_proto‐
6123       cols setting enables both IPv4 and IPv6.
6124
6125       Postfix  SMTP  client  address preference has evolved. With Postfix 2.8
6126       the default is "ipv6"; earlier implementations are hard-coded to prefer
6127       IPv6 over IPv4.
6128
6129       Notes for mail delivery between sites that have both IPv4 and IPv6 con‐
6130       nectivity:
6131
6132       ·      The setting "smtp_address_preference = ipv6" is unsafe.  It  can
6133              fail  to deliver mail when there is an outage that affects IPv6,
6134              while the destination is still reachable over IPv4.
6135
6136       ·      The setting "smtp_address_preference = any" is safe. With  this,
6137              mail  will  eventually  be  delivered even if there is an outage
6138              that affects IPv6 or IPv4, as long as it does not affect both.
6139
6140       This feature is available in Postfix 2.8 and later.
6141

smtp_address_verify_target (default: rcpt)

6143       In the context of email address verification, the SMTP  protocol  stage
6144       that  determines  whether an email address is deliverable.  Specify one
6145       of "rcpt" or "data".  The latter is needed  with  remote  SMTP  servers
6146       that  reject  recipients  after the DATA command. Use transport_maps to
6147       apply this feature selectively:
6148
6149           /etc/postfix/main.cf:
6150               transport_maps = hash:/etc/postfix/transport
6151
6152           /etc/postfix/transport:
6153               smtp-domain-that-verifies-after-data    smtp-data-target:
6154               lmtp-domain-that-verifies-after-data    lmtp-data-target:
6155
6156           /etc/postfix/master.cf:
6157               smtp-data-target    unix    -    -    n    -    -    smtp
6158                   -o smtp_address_verify_target=data
6159               lmtp-data-target    unix    -    -    n    -    -    lmtp
6160                   -o lmtp_address_verify_target=data
6161
6162       Unselective use of the "data" target does no harm, but will  result  in
6163       unnecessary  "lost  connection  after  DATA" events at remote SMTP/LMTP
6164       servers.
6165
6166       This feature is available in Postfix 3.0 and later.
6167

smtp_always_send_ehlo (default: yes)

6169       Always send EHLO at the start of an SMTP session.
6170
6171       With "smtp_always_send_ehlo = no", the Postfix SMTP client  sends  EHLO
6172       only when the word "ESMTP" appears in the server greeting banner (exam‐
6173       ple: 220 spike.porcupine.org ESMTP Postfix).
6174

smtp_balance_inet_protocols (default: yes)

6176       When a remote destination resolves to a combination of  IPv4  and  IPv6
6177       addresses,  ensure  that  the  Postfix SMTP client can try both address
6178       types before it runs into the smtp_mx_address_limit.
6179
6180       This avoids an interoperability problem when a destination resolves  to
6181       primarily  IPv6  addresses,  the  smtp_address_limit feature eliminates
6182       most or all IPv4 addresses, and the destination is not  reachable  over
6183       IPv6.
6184
6185       This feature is available in Postfix 3.3 and later.
6186

smtp_bind_address (default: empty)

6188       An  optional  numerical  network  address  that the Postfix SMTP client
6189       should bind to when making an IPv4 connection.
6190
6191       This can be specified in the main.cf file for all SMTP clients,  or  it
6192       can be specified in the master.cf file for a specific client, for exam‐
6193       ple:
6194
6195           /etc/postfix/master.cf:
6196               smtp ... smtp -o smtp_bind_address=11.22.33.44
6197
6198       Note 1: when inet_interfaces specifies no more than one  IPv4  address,
6199       and that address is a non-loopback address, it is automatically used as
6200       the smtp_bind_address.  This supports virtual IP hosting, but can be  a
6201       problem on multi-homed firewalls. See the inet_interfaces documentation
6202       for more detail.
6203
6204       Note 2: address information may be enclosed inside [], but this form is
6205       not required here.
6206

smtp_bind_address6 (default: empty)

6208       An  optional  numerical  network  address  that the Postfix SMTP client
6209       should bind to when making an IPv6 connection.
6210
6211       This feature is available in Postfix 2.2 and later.
6212
6213       This can be specified in the main.cf file for all SMTP clients,  or  it
6214       can be specified in the master.cf file for a specific client, for exam‐
6215       ple:
6216
6217           /etc/postfix/master.cf:
6218               smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
6219
6220       Note 1: when inet_interfaces specifies no more than one  IPv6  address,
6221       and that address is a non-loopback address, it is automatically used as
6222       the smtp_bind_address6.  This supports virtual IP hosting, but can be a
6223       problem on multi-homed firewalls. See the inet_interfaces documentation
6224       for more detail.
6225
6226       Note 2: address information may be enclosed inside [], but this form is
6227       not recommended here.
6228

smtp_body_checks (default: empty)

6230       Restricted  body_checks(5)  tables  for the Postfix SMTP client.  These
6231       tables are searched while mail is being delivered.  Actions that change
6232       the delivery time or destination are not available.
6233
6234       This feature is available in Postfix 2.5 and later.
6235

smtp_cname_overrides_servername (default: version dependent)

6237       When  the remote SMTP servername is a DNS CNAME, replace the servername
6238       with the result from CNAME expansion for the purpose of  logging,  SASL
6239       password lookup, TLS policy decisions, or TLS certificate verification.
6240       The value "no" hardens Postfix smtp_tls_per_site  hostname-based  poli‐
6241       cies against false hostname information in DNS CNAME records, and makes
6242       SASL password file lookups more predictable. This is the  default  set‐
6243       ting as of Postfix 2.3.
6244
6245       When   DNS   CNAME  records  are  validated  with  secure  DNS  lookups
6246       (smtp_dns_support_level = dnssec), they are always allowed to  override
6247       the above servername (Postfix 2.11 and later).
6248
6249       This feature is available in Postfix 2.2.9 and later.
6250

smtp_connect_timeout (default: 30s)

6252       The  Postfix SMTP client time limit for completing a TCP connection, or
6253       zero (use the operating system built-in time limit).
6254
6255       When no connection can be made within the deadline,  the  Postfix  SMTP
6256       client  tries the next address on the mail exchanger list. Specify 0 to
6257       disable the time limit (i.e. use whatever timeout is implemented by the
6258       operating system).
6259
6260       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6261       The default time unit is s (seconds).
6262

smtp_connection_cache_destinations (default: empty)

6264       Permanently enable SMTP connection caching for the  specified  destina‐
6265       tions.   With SMTP connection caching, a connection is not closed imme‐
6266       diately after completion of a mail transaction.  Instead,  the  connec‐
6267       tion  is kept open for up to $smtp_connection_cache_time_limit seconds.
6268       This allows connections to be reused  for  other  deliveries,  and  can
6269       improve mail delivery performance.
6270
6271       Specify  a  comma  or  white  space  separated  list of destinations or
6272       pseudo-destinations:
6273
6274       ·      if mail is sent  without  a  relay  host:  a  domain  name  (the
6275              right-hand  side  of  an  email address, without the [] around a
6276              numeric IP address),
6277
6278       ·      if mail is sent via a relay host: a relay host name (without  []
6279              or  non-default  TCP  port),  as  specified in main.cf or in the
6280              transport map,
6281
6282       ·      if mail is sent via a UNIX-domain socket:  a  pathname  (without
6283              the unix: prefix),
6284
6285       ·      a  /file/name  with  domain  names  and/or  relay  host names as
6286              defined above,
6287
6288       ·      a "type:table" with domain names and/or relay host names on  the
6289              left-hand  side.   The  right-hand side result from "type:table"
6290              lookups is ignored.
6291
6292       This feature is available in Postfix 2.2 and later.
6293

smtp_connection_cache_on_demand (default: yes)

6295       Temporarily enable SMTP connection caching while a  destination  has  a
6296       high volume of mail in the active queue.  With SMTP connection caching,
6297       a connection is not closed  immediately  after  completion  of  a  mail
6298       transaction.  Instead, the connection is kept open for up to $smtp_con‐
6299       nection_cache_time_limit seconds.  This allows connections to be reused
6300       for other deliveries, and can improve mail delivery performance.
6301
6302       This feature is available in Postfix 2.2 and later.
6303

smtp_connection_cache_time_limit (default: 2s)

6305       When  SMTP  connection  caching  is enabled, the amount of time that an
6306       unused SMTP client socket is kept open before it  is  closed.   Do  not
6307       specify larger values without permission from the remote sites.
6308
6309       This feature is available in Postfix 2.2 and later.
6310

smtp_connection_reuse_count_limit (default: 0)

6312       When  SMTP  connection  caching is enabled, the number of times that an
6313       SMTP session may be reused before it is closed,  or  zero  (no  limit).
6314       With a reuse count limit of N, a connection is used up to N+1 times.
6315
6316       NOTE: This feature is unsafe. When a high-volume destination has multi‐
6317       ple inbound MTAs, then the slowest inbound MTA will  attract  the  most
6318       connections  to  that destination.  This limitation does not exist with
6319       the smtp_connection_reuse_time_limit feature.
6320
6321       This feature is available in Postfix 2.11.
6322

smtp_connection_reuse_time_limit (default: 300s)

6324       The amount of time during which Postfix will  use  an  SMTP  connection
6325       repeatedly.  The timer starts when the connection is initiated (i.e. it
6326       includes the connect, greeting and helo latency,  in  addition  to  the
6327       latencies of subsequent mail delivery transactions).
6328
6329       This feature addresses a performance stability problem with remote SMTP
6330       servers. This problem is not specific to Postfix: it  can  happen  when
6331       any  MTA  sends large amounts of SMTP email to a site that has multiple
6332       MX hosts.
6333
6334       The problem starts when one of a set of MX hosts  becomes  slower  than
6335       the  rest.   Even though SMTP clients connect to fast and slow MX hosts
6336       with equal probability, the slow MX host ends up with more simultaneous
6337       inbound  connections than the faster MX hosts, because the slow MX host
6338       needs more time to serve each client request.
6339
6340       The slow MX host becomes  a  connection  attractor.   If  one  MX  host
6341       becomes  N  times  slower  than  the  rest,  it dominates mail delivery
6342       latency unless there are more than N  fast  MX  hosts  to  counter  the
6343       effect.  And  if  the  number  of  MX hosts is smaller than N, the mail
6344       delivery latency becomes  effectively  that  of  the  slowest  MX  host
6345       divided by the total number of MX hosts.
6346
6347       The solution uses connection caching in a way that differs from Postfix
6348       version 2.2.  By limiting the amount of time during which a  connection
6349       can  be  used  repeatedly (instead of limiting the number of deliveries
6350       over that connection), Postfix not only restores fairness in  the  dis‐
6351       tribution of simultaneous connections across a set of MX hosts, it also
6352       favors deliveries over connections that perform well, which is  exactly
6353       what we want.
6354
6355       The  default  reuse time limit, 300s, is comparable to the various smtp
6356       transaction timeouts which are fair estimates of maximum excess latency
6357       for  a slow delivery.  Note that hosts may accept thousands of messages
6358       over a single connection  within  the  default  connection  reuse  time
6359       limit.  This number is much larger than the default Postfix version 2.2
6360       limit of 10 messages per cached connection. It may prove  necessary  to
6361       lower the limit to avoid interoperability issues with MTAs that exhibit
6362       bugs when many messages are delivered via a single connection.  A lower
6363       reuse  time limit risks losing the benefit of connection reuse when the
6364       average connection and mail delivery latency  exceeds  the  reuse  time
6365       limit.
6366
6367       This feature is available in Postfix 2.3 and later.
6368

smtp_data_done_timeout (default: 600s)

6370       The  Postfix  SMTP  client time limit for sending the SMTP ".", and for
6371       receiving the remote SMTP server response.
6372
6373       When no response is received within the deadline, a warning  is  logged
6374       that the mail may be delivered multiple times.
6375
6376       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6377       The default time unit is s (seconds).
6378

smtp_data_init_timeout (default: 120s)

6380       The Postfix SMTP client time limit for sending the SMTP  DATA  command,
6381       and for receiving the remote SMTP server response.
6382
6383       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6384       The default time unit is s (seconds).
6385

smtp_data_xfer_timeout (default: 180s)

6387       The Postfix SMTP client time limit for sending the  SMTP  message  con‐
6388       tent.    When   the   connection   makes  no  progress  for  more  than
6389       $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates  the
6390       transfer.
6391
6392       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6393       The default time unit is s (seconds).
6394

smtp_defer_if_no_mx_address_found (default: no)

6396       Defer mail delivery when no MX record resolves to an IP address.
6397
6398       The default (no) is to return the mail  as  undeliverable.  With  older
6399       Postfix  versions  the  default  was to keep trying to deliver the mail
6400       until someone fixed the MX record or until the mail was too old.
6401
6402       Note: the Postfix SMTP client always ignores MX records with  equal  or
6403       worse preference than the local MTA itself.
6404
6405       This feature is available in Postfix 2.1 and later.
6406

smtp_delivery_status_filter (default: $default_delivery_status_filter)

6408       Optional  filter  for the smtp(8) delivery agent to change the delivery
6409       status code or explanatory text of successful or unsuccessful  deliver‐
6410       ies.  See default_delivery_status_filter for details.
6411
6412       NOTE: This feature modifies Postfix SMTP client error or non-error mes‐
6413       sages that may or may not be derived from remote SMTP server responses.
6414       In  contrast, the smtp_reply_filter feature modifies remote SMTP server
6415       responses only.
6416

smtp_destination_concurrency_limit (default: $default_destination_concur‐

6418       rency_limit)
6419       The  maximal  number of parallel deliveries to the same destination via
6420       the smtp message delivery transport. This  limit  is  enforced  by  the
6421       queue  manager.  The message delivery transport name is the first field
6422       in the entry in the master.cf file.
6423

smtp_destination_recipient_limit (default: $default_destination_recipi‐

6425       ent_limit)
6426       The  maximal  number  of  recipients  per  message for the smtp message
6427       delivery transport. This limit is enforced by the  queue  manager.  The
6428       message  delivery transport name is the first field in the entry in the
6429       master.cf file.
6430
6431       Setting this parameter to a value of 1 changes the meaning of smtp_des‐
6432       tination_concurrency_limit from concurrency per domain into concurrency
6433       per recipient.
6434

smtp_discard_ehlo_keyword_address_maps (default: empty)

6436       Lookup tables, indexed by the remote SMTP  server  address,  with  case
6437       insensitive  lists  of EHLO keywords (pipelining, starttls, auth, etc.)
6438       that the Postfix SMTP client will ignore in the EHLO  response  from  a
6439       remote SMTP server. See smtp_discard_ehlo_keywords for details. The ta‐
6440       ble  is  not  indexed  by  hostname  for  consistency  with  smtpd_dis‐
6441       card_ehlo_keyword_address_maps.
6442
6443       Specify zero or more "type:name" lookup tables, separated by whitespace
6444       or comma. Tables will be searched in the specified order until a  match
6445       is found.
6446
6447       This feature is available in Postfix 2.2 and later.
6448

smtp_discard_ehlo_keywords (default: empty)

6450       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
6451       etc.) that the Postfix SMTP client will ignore  in  the  EHLO  response
6452       from a remote SMTP server.
6453
6454       This feature is available in Postfix 2.2 and later.
6455
6456       Notes:
6457
6458       ·      Specify the silent-discard pseudo keyword to prevent this action
6459              from being logged.
6460
6461       ·      Use the smtp_discard_ehlo_keyword_address_maps feature  to  dis‐
6462              card EHLO keywords selectively.
6463

smtp_dns_reply_filter (default: empty)

6465       Optional  filter  for  Postfix SMTP client DNS lookup results.  Specify
6466       zero or more lookup tables.  The lookup  tables  are  searched  in  the
6467       given  order  for  a match with the DNS lookup result, converted to the
6468       following form:
6469
6470           name ttl class type preference value
6471
6472       The class field is always "IN", the preference field exists only for MX
6473       records, the names of hosts, domains, etc.  end in ".", and those names
6474       are in ASCII form (xn--mumble form in the case of UTF8 names).
6475
6476       When a match is found, the table lookup result specifies an action.  By
6477       default,  the  table  query  and  the action name are case-insensitive.
6478       Currently, only the IGNORE action is implemented.
6479
6480       Notes:
6481
6482       ·      Postfix DNS reply filters have no effect on implicit DNS lookups
6483              through nsswitch.conf or equivalent mechanisms.
6484
6485       ·      The  Postfix  SMTP/LMTP  client  uses  smtp_dns_reply_filter and
6486              lmtp_dns_reply_filter only to discover a  remote  SMTP  or  LMTP
6487              service  (record  types  MX, A, AAAAA, and TLSA).  These lookups
6488              are also made to implement the features reject_unverified_sender
6489              and reject_unverified_recipient.
6490
6491       ·      The  Postfix SMTP/LMTP client defers mail delivery when a filter
6492              removes all lookup results from a successful query.
6493
6494       ·      Postfix SMTP server uses smtpd_dns_reply_filter only to look  up
6495              MX,  A,  AAAAA,  and  TXT  records  to  implement  the  features
6496              reject_unknown_helo_hostname,      reject_unknown_sender_domain,
6497              reject_unknown_recipient_domain,        reject_rbl_*,        and
6498              reject_rhsbl_*.
6499
6500       ·      The Postfix SMTP server logs a warning or defers  mail  delivery
6501              when  a  filter  removes  all  lookup  results from a successful
6502              query.
6503
6504       Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
6505       because Google sometimes hard-rejects mail from IPv6 clients with valid
6506       PTR etc. records.
6507
6508       /etc/postfix/main.cf:
6509           smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
6510
6511       /etc/postfix/smtp_dns_reply_filter:
6512           # /domain ttl IN AAAA address/ action, all case-insensitive.
6513           # Note: the domain name ends in ".".
6514           /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
6515
6516       This feature is available in Postfix 3.0 and later.
6517

smtp_dns_resolver_options (default: empty)

6519       DNS Resolver options for the Postfix SMTP client.  Specify zero or more
6520       of  the  following  options,  separated by comma or whitespace.  Option
6521       names are case-sensitive. Some options refer to domain names  that  are
6522       specified in the file /etc/resolv.conf or equivalent.
6523
6524       res_defnames
6525              Append  the current domain name to single-component names (those
6526              that do not contain a "." character). This can produce incorrect
6527              results, and is the hard-coded behavior prior to Postfix 2.8.
6528
6529       res_dnsrch
6530              Search  for  host  names  in  the  current  domain and in parent
6531              domains. This can produce incorrect results and is therefore not
6532              recommended.
6533
6534       This feature is available in Postfix 2.8 and later.
6535

smtp_dns_support_level (default: empty)

6537       Level  of  DNS support in the Postfix SMTP client.  With "smtp_dns_sup‐
6538       port_level"  left  at  its  empty  default  value,  the  legacy   "dis‐
6539       able_dns_lookups"  parameter  controls  whether  DNS  is enabled in the
6540       Postfix SMTP client, otherwise the legacy parameter is ignored.
6541
6542       Specify one of the following:
6543
6544       disabled
6545              Disable DNS lookups.  No MX lookups are performed  and  hostname
6546              to  address  lookups are unconditionally "native".  This setting
6547              is not appropriate for hosts that deliver  mail  to  the  public
6548              Internet.   Some  obsolete  how-to documents recommend disabling
6549              DNS lookups in some configurations with  content_filters.   This
6550              is no longer required and strongly discouraged.
6551
6552       enabled
6553              Enable DNS lookups.  Nexthop destination domains not enclosed in
6554              "[]" will be subject to MX lookups.  If "dns" and  "native"  are
6555              included  in the "smtp_host_lookup" parameter value, DNS will be
6556              queried first to resolve MX-host A records, followed by "native"
6557              lookups if no answer is found in DNS.
6558
6559       dnssec Enable  DNSSEC  lookups.   The "dnssec" setting differs from the
6560              "enabled" setting above in the following ways:
6561
6562       ·      Any MX lookups will  set  RES_USE_DNSSEC  and  RES_USE_EDNS0  to
6563              request  DNSSEC-validated  responses.  If  the  MX  response  is
6564              DNSSEC-validated the corresponding hostnames are considered val‐
6565              idated.
6566
6567       ·      The  address  lookups of validated hostnames are also validated,
6568              (provided  of  course  "smtp_host_lookup"  includes  "dns",  see
6569              below).
6570
6571       ·      Temporary failures in DNSSEC-enabled hostname-to-address resolu‐
6572              tion block any "native" lookups.   Additional  "native"  lookups
6573              only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
6574
6575       The  Postfix  SMTP  client  considers  non-MX  "[nexthop]"  and  "[nex‐
6576       thop]:port" destinations equivalent to statically-validated MX  records
6577       of the form "nexthop.  IN MX 0 nexthop."  Therefore, with "dnssec" sup‐
6578       port turned on, validated hostname-to-address lookups apply to the nex‐
6579       thop  domain  of any "[nexthop]" or "[nexthop]:port" destination.  This
6580       is also true for LMTP "inet:host" and "inet:host:port" destinations, as
6581       LMTP hostnames are never subject to MX lookups.
6582
6583       The "dnssec" setting is recommended only if you plan to use the dane or
6584       dane-only TLS security level,  otherwise  enabling  DNSSEC  support  in
6585       Postfix  offers  no additional security.  Postfix DNSSEC support relies
6586       on an upstream recursive nameserver that validates  DNSSEC  signatures.
6587       Such  a  DNS  server  will always filter out forged DNS responses, even
6588       when Postfix itself is not configured to use DNSSEC.
6589
6590       When using Postfix DANE support the "smtp_host_lookup" parameter should
6591       include "dns", as DANE is not applicable to hosts resolved via "native"
6592       lookups.
6593
6594       As mentioned above, Postfix is  not  a  validating  stub  resolver;  it
6595       relies  on  the  system's  configured DNSSEC-validating recursive name‐
6596       server to perform  all  DNSSEC  validation.   Since  this  nameserver's
6597       DNSSEC-validated responses will be fully trusted, it is strongly recom‐
6598       mended that the MTA  host  have  a  local  DNSSEC-validating  recursive
6599       caching  nameserver  listening on a loopback address, and be configured
6600       to use only this nameserver for all lookups.   Otherwise,  Postfix  may
6601       remain  subject  to man-in-the-middle attacks that forge responses from
6602       the recursive nameserver
6603
6604       DNSSEC support requires a version of Postfix compiled against a reason‐
6605       ably-modern  DNS resolver(3) library that implements the RES_USE_DNSSEC
6606       and RES_USE_EDNS0 resolver options.
6607
6608       This feature is available in Postfix 2.11 and later.
6609

smtp_enforce_tls (default: no)

6611       Enforcement mode: require that remote SMTP servers use TLS  encryption,
6612       and  never  send mail in the clear.  This also requires that the remote
6613       SMTP server hostname matches the information in the remote server  cer‐
6614       tificate,  and  that the remote SMTP server certificate was issued by a
6615       CA that is trusted by the  Postfix  SMTP  client.  If  the  certificate
6616       doesn't  verify or the hostname doesn't match, delivery is deferred and
6617       mail stays in the queue.
6618
6619       The server hostname is matched against all names provided  as  dNSNames
6620       in  the SubjectAlternativeName.  If no dNSNames are specified, the Com‐
6621       monName  is  checked.   The  behavior   may   be   changed   with   the
6622       smtp_tls_enforce_peername option.
6623
6624       This  option  is  useful  only if you are definitely sure that you will
6625       only connect to servers that support RFC 2487 _and_ that provide  valid
6626       server  certificates.   Typical  use is for clients that send all their
6627       email to a dedicated mailhub.
6628
6629       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
6630       and later use smtp_tls_security_level instead.
6631

smtp_fallback_relay (default: $fallback_relay)

6633       Optional  list of relay hosts for SMTP destinations that can't be found
6634       or that are unreachable. With Postfix 2.2 and earlier this parameter is
6635       called fallback_relay.
6636
6637       By  default,  mail  is returned to the sender when a destination is not
6638       found, and delivery is deferred when a destination is unreachable.
6639
6640       With bulk email deliveries, it can be beneficial to  run  the  fallback
6641       relay MTA on the same host, so that it can reuse the sender IP address.
6642       This speeds up deliveries that are delayed by IP-based reputation  sys‐
6643       tems (greylist, etc.).
6644
6645       The  fallback relays must be SMTP destinations. Specify a domain, host,
6646       host:port, [host]:port, [address] or [address]:port;  the  form  [host]
6647       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
6648       fix will try them in the specified order.
6649
6650       To prevent mailer loops between MX hosts and fall-back  hosts,  Postfix
6651       version 2.2 and later will not use the fallback relays for destinations
6652       that it is MX host for (assuming DNS lookup is turned on).
6653

smtp_generic_maps (default: empty)

6655       Optional lookup tables that perform address rewriting  in  the  Postfix
6656       SMTP  client,  typically  to  transform  a locally valid address into a
6657       globally valid address when sending mail across the Internet.  This  is
6658       needed  when  the  local  machine does not have its own Internet domain
6659       name, but uses something like localdomain.local instead.
6660
6661       Specify zero or more "type:name" lookup tables, separated by whitespace
6662       or  comma. Tables will be searched in the specified order until a match
6663       is found.
6664
6665       The table format and lookups are documented in generic(5); examples are
6666       shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
6667       documents.
6668
6669       This feature is available in Postfix 2.2 and later.
6670

smtp_header_checks (default: empty)

6672       Restricted header_checks(5) tables for the Postfix SMTP client.   These
6673       tables are searched while mail is being delivered.  Actions that change
6674       the delivery time or destination are not available.
6675
6676       This feature is available in Postfix 2.5 and later.
6677

smtp_helo_name (default: $myhostname)

6679       The hostname to send in the SMTP HELO or EHLO command.
6680
6681       The default value is the  machine  hostname.   Specify  a  hostname  or
6682       [ip.add.re.ss].
6683
6684       This  information  can  be  specified  in the main.cf file for all SMTP
6685       clients, or it can be specified in the master.cf file  for  a  specific
6686       client, for example:
6687
6688           /etc/postfix/master.cf:
6689               mysmtp ... smtp -o smtp_helo_name=foo.bar.com
6690
6691       This feature is available in Postfix 2.0 and later.
6692

smtp_helo_timeout (default: 300s)

6694       The  Postfix  SMTP  client time limit for sending the HELO or EHLO com‐
6695       mand, and for receiving the initial remote SMTP server response.
6696
6697       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
6698       The default time unit is s (seconds).
6699

smtp_host_lookup (default: dns)

6701       What  mechanisms  the  Postfix  SMTP client uses to look up a host's IP
6702       address.  This parameter is ignored when DNS lookups are disabled (see:
6703       disable_dns_lookups  and  smtp_dns_support_level).  The "dns" mechanism
6704       is always tried before "native" if both are listed.
6705
6706       Specify one of the following:
6707
6708       dns    Hosts can be found in the DNS (preferred).
6709
6710       native Use the native naming service only (nsswitch.conf, or equivalent
6711              mechanism).
6712
6713       dns, native
6714              Use the native service for hosts not found in the DNS.
6715
6716       This feature is available in Postfix 2.1 and later.
6717

smtp_line_length_limit (default: 998)

6719       The  maximal  length of message header and body lines that Postfix will
6720       send via SMTP. This limit does not include the <CR><LF> at the  end  of
6721       each  line.  Longer lines are broken by inserting "<CR><LF><SPACE>", to
6722       minimize the damage to MIME formatted mail.
6723
6724       The Postfix limit of 998 characters not including <CR><LF>  is  consis‐
6725       tent  with  the  SMTP limit of 1000 characters including <CR><LF>.  The
6726       Postfix limit was 990 with Postfix 2.8 and earlier.
6727

smtp_mail_timeout (default: 300s)

6729       The Postfix SMTP client time limit for sending the MAIL  FROM  command,
6730       and for receiving the remote SMTP server response.
6731
6732       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6733       The default time unit is s (seconds).
6734

smtp_mime_header_checks (default: empty)

6736       Restricted mime_header_checks(5) tables for the  Postfix  SMTP  client.
6737       These  tables are searched while mail is being delivered.  Actions that
6738       change the delivery time or destination are not available.
6739
6740       This feature is available in Postfix 2.5 and later.
6741

smtp_mx_address_limit (default: 5)

6743       The maximal number of MX (mail exchanger) IP addresses that can  result
6744       from  Postfix  SMTP  client mail exchanger lookups, or zero (no limit).
6745       Prior to Postfix version 2.3, this limit was disabled by default.
6746
6747       This feature is available in Postfix 2.1 and later.
6748

smtp_mx_session_limit (default: 2)

6750       The maximal number of SMTP sessions per  delivery  request  before  the
6751       Postfix  SMTP client gives up or delivers to a fall-back relay host, or
6752       zero (no limit). This restriction ignores sessions that  fail  to  com‐
6753       plete  the  SMTP initial handshake (Postfix version 2.2 and earlier) or
6754       that fail to complete the EHLO and TLS handshake (Postfix  version  2.3
6755       and later).
6756
6757       This feature is available in Postfix 2.1 and later.
6758

smtp_nested_header_checks (default: empty)

6760       Restricted  nested_header_checks(5) tables for the Postfix SMTP client.
6761       These tables are searched while mail is being delivered.  Actions  that
6762       change the delivery time or destination are not available.
6763
6764       This feature is available in Postfix 2.5 and later.
6765

smtp_never_send_ehlo (default: no)

6767       Never  send  EHLO  at  the  start  of  an  SMTP  session.  See also the
6768       smtp_always_send_ehlo parameter.
6769

smtp_per_record_deadline (default: no)

6771       Change the behavior of the smtp_*_timeout  time  limits,  from  a  time
6772       limit per read or write system call, to a time limit to send or receive
6773       a complete record (an SMTP command line, SMTP response line, SMTP  mes‐
6774       sage  content  line,  or TLS protocol message).  This limits the impact
6775       from hostile peers that trickle data one byte at a time.
6776
6777       Note: when per-record deadlines are enabled, a short timeout may  cause
6778       problems  with TLS over very slow network connections.  The reasons are
6779       that a TLS protocol message can be up to 16 kbytes long  (with  TLSv1),
6780       and that an entire TLS protocol message must be sent or received within
6781       the per-record deadline.
6782
6783       This feature is available in Postfix 2.9 and later. With older  Postfix
6784       releases, the behavior is as if this parameter is set to "no".
6785

smtp_pix_workaround_delay_time (default: 10s)

6787       How  long  the Postfix SMTP client pauses before sending ".<CR><LF>" in
6788       order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
6789
6790       Choosing a too short time makes this workaround ineffective when  send‐
6791       ing large messages over slow network connections.
6792

smtp_pix_workaround_maps (default: empty)

6794       Lookup tables, indexed by the remote SMTP server address, with per-des‐
6795       tination workarounds for CISCO PIX firewall bugs.   The  table  is  not
6796       indexed   by   hostname  for  consistency  with  smtp_discard_ehlo_key‐
6797       word_address_maps.
6798
6799       Specify zero or more "type:name" lookup tables, separated by whitespace
6800       or  comma. Tables will be searched in the specified order until a match
6801       is found.
6802
6803       This feature is available in Postfix 2.4 and later.
6804

smtp_pix_workaround_threshold_time (default: 500s)

6806       How long a message must be queued before the Postfix SMTP client  turns
6807       on  the  PIX  firewall  "<CR><LF>.<CR><LF>" bug workaround for delivery
6808       through firewalls with "smtp fixup" mode turned on.
6809
6810       By default, the workaround is turned off for mail that  is  queued  for
6811       less  than  500  seconds.  In  other  words, the workaround is normally
6812       turned off for the first delivery attempt.
6813
6814       Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
6815       upon the first delivery attempt.
6816

smtp_pix_workarounds (default: disable_esmtp, delay_dotcrlf)

6818       A  list  that specifies zero or more workarounds for CISCO PIX firewall
6819       bugs. These workarounds are implemented by  the  Postfix  SMTP  client.
6820       Workaround names are separated by comma or space, and are case insensi‐
6821       tive.  This parameter setting can  be  overruled  with  per-destination
6822       smtp_pix_workaround_maps settings.
6823
6824       delay_dotcrlf
6825              Insert  a  delay before sending ".<CR><LF>" after the end of the
6826              message content.  The delay is  subject  to  the  smtp_pix_work‐
6827              around_delay_time and smtp_pix_workaround_threshold_time parame‐
6828              ter settings.
6829
6830       disable_esmtp
6831              Disable all extended SMTP commands: send HELO instead of EHLO.
6832
6833       This feature is available in Postfix 2.4 and later.  The  default  set‐
6834       tings are backwards compatible with earlier Postfix versions.
6835

smtp_quit_timeout (default: 300s)

6837       The  Postfix  SMTP  client time limit for sending the QUIT command, and
6838       for receiving the remote SMTP server response.
6839
6840       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
6841       The default time unit is s (seconds).
6842

smtp_quote_rfc821_envelope (default: yes)

6844       Quote  addresses  in Postfix SMTP client MAIL FROM and RCPT TO commands
6845       as required by RFC 5321. This includes putting quotes around an address
6846       localpart that ends in ".".
6847
6848       The  default  is to comply with RFC 5321. If you have to send mail to a
6849       broken SMTP server, configure a special SMTP client in master.cf:
6850
6851           /etc/postfix/master.cf:
6852               broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
6853
6854       and route mail for the destination in  question  to  the  "broken-smtp"
6855       message delivery with a transport(5) table.
6856
6857       This feature is available in Postfix 2.1 and later.
6858

smtp_randomize_addresses (default: yes)

6860       Randomize  the  order of equal-preference MX host addresses.  This is a
6861       performance feature of the Postfix SMTP client.
6862

smtp_rcpt_timeout (default: 300s)

6864       The Postfix SMTP client time limit for sending the SMTP  RCPT  TO  com‐
6865       mand, and for receiving the remote SMTP server response.
6866
6867       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
6868       The default time unit is s (seconds).
6869

smtp_reply_filter (default: empty)

6871       A mechanism to transform replies from remote SMTP servers one line at a
6872       time.   This  is  a last-resort tool to work around server replies that
6873       break interoperability  with  the  Postfix  SMTP  client.   Other  uses
6874       involve   fault   injection  to  test  Postfix's  handling  of  invalid
6875       responses.
6876
6877       Notes:
6878
6879       ·      In the case of a multi-line reply, the Postfix SMTP client  uses
6880              the  final  reply  line's numerical SMTP reply code and enhanced
6881              status code.
6882
6883       ·      The numerical SMTP reply code (XYZ) takes  precedence  over  the
6884              enhanced  status  code  (X.Y.Z).   When the enhanced status code
6885              initial digit differs from the SMTP reply code initial digit, or
6886              when no enhanced status code is present, the Postfix SMTP client
6887              uses a generic enhanced status code (X.0.0) instead.
6888
6889       Specify the name of a "type:table" lookup table. The search string is a
6890       single  SMTP reply line as received from the remote SMTP server, except
6891       that the trailing <CR><LF> are removed.  When the lookup succeeds,  the
6892       result replaces the single SMTP reply line.
6893
6894       Examples:
6895
6896       /etc/postfix/main.cf:
6897           smtp_reply_filter = pcre:/etc/postfix/reply_filter
6898
6899       /etc/postfix/reply_filter:
6900           # Transform garbage into "250-filler..." so that it looks like
6901           # one line from a multi-line reply. It does not matter what we
6902           # substitute here as long it has the right syntax.  The Postfix
6903           # SMTP client will use the final line's numerical SMTP reply
6904           # code and enhanced status code.
6905           !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
6906
6907       This feature is available in Postfix 2.7.
6908

smtp_rset_timeout (default: 20s)

6910       The  Postfix  SMTP  client time limit for sending the RSET command, and
6911       for receiving the remote SMTP server response. The  SMTP  client  sends
6912       RSET  in order to finish a recipient address probe, or to verify that a
6913       cached session is still usable.
6914
6915       This feature is available in Postfix 2.1 and later.
6916

smtp_sasl_auth_cache_name (default: empty)

6918       An optional table to prevent repeated SASL authentication failures with
6919       the same remote SMTP server hostname, username and password. Each table
6920       (key, value) pair contains a server name, a username and password,  and
6921       the full server response. This information is stored when a remote SMTP
6922       server rejects an authentication attempt with a  535  reply  code.   As
6923       long  as the smtp_sasl_password_maps information does no change, and as
6924       long as the smtp_sasl_auth_cache_name information does not expire  (see
6925       smtp_sasl_auth_cache_time)  the Postfix SMTP client avoids SASL authen‐
6926       tication attempts with the same  server,  username  and  password,  and
6927       instead    bounces    or   defers   mail   as   controlled   with   the
6928       smtp_sasl_auth_soft_bounce configuration parameter.
6929
6930       Use  a  per-destination  delivery  concurrency  of  1   (for   example,
6931       "smtp_destination_concurrency_limit  =  1",  "relay_destination_concur‐
6932       rency_limit = 1", etc.), otherwise multiple delivery agents may experi‐
6933       ence a login failure at the same time.
6934
6935       The  table  must  be  accessed via the proxywrite service, i.e. the map
6936       name must start with "proxy:". The table should  be  stored  under  the
6937       directory specified with the data_directory parameter.
6938
6939       This  feature  uses  cryptographic  hashing to protect plain-text pass‐
6940       words, and requires that Postfix is compiled with TLS support.
6941
6942       Example:
6943
6944       smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
6945
6946       This feature is available in Postfix 2.5 and later.
6947

smtp_sasl_auth_cache_time (default: 90d)

6949       The maximal age of an  smtp_sasl_auth_cache_name  entry  before  it  is
6950       removed.
6951
6952       This feature is available in Postfix 2.5 and later.
6953

smtp_sasl_auth_enable (default: no)

6955       Enable SASL authentication in the Postfix SMTP client.  By default, the
6956       Postfix SMTP client uses no authentication.
6957
6958       Example:
6959
6960       smtp_sasl_auth_enable = yes
6961

smtp_sasl_auth_soft_bounce (default: yes)

6963       When a remote SMTP server rejects a SASL authentication request with  a
6964       535  reply code, defer mail delivery instead of returning mail as unde‐
6965       liverable. The latter behavior was hard-coded prior to Postfix  version
6966       2.5.
6967
6968       Note: the setting "yes" overrides the global soft_bounce parameter, but
6969       the setting "no" does not.
6970
6971       Example:
6972
6973       # Default as of Postfix 2.5
6974       smtp_sasl_auth_soft_bounce = yes
6975       # The old hard-coded default
6976       smtp_sasl_auth_soft_bounce = no
6977
6978       This feature is available in Postfix 2.5 and later.
6979

smtp_sasl_mechanism_filter (default: empty)

6981       If non-empty, a Postfix SMTP client filter for the remote SMTP server's
6982       list of offered SASL mechanisms.  Different client and server implemen‐
6983       tations may support different mechanism lists; by default, the  Postfix
6984       SMTP  client  will  use  the  intersection of the two. smtp_sasl_mecha‐
6985       nism_filter specifies an optional third  mechanism  list  to  intersect
6986       with.
6987
6988       Specify  mechanism  names, "/file/name" patterns or "type:table" lookup
6989       tables.  The  right-hand  side  result  from  "type:table"  lookups  is
6990       ignored.  Specify "!pattern" to exclude a mechanism name from the list.
6991       The form "!/file/name" is supported only in  Postfix  version  2.4  and
6992       later.
6993
6994       This feature is available in Postfix 2.2 and later.
6995
6996       Examples:
6997
6998       smtp_sasl_mechanism_filter = plain, login
6999       smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
7000       smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
7001

smtp_sasl_password_maps (default: empty)

7003       Optional  Postfix  SMTP client lookup tables with one username:password
7004       entry per sender, remote hostname or next-hop domain. Per-sender lookup
7005       is  done  only  when sender-dependent authentication is enabled.  If no
7006       username:password entry is found, then the Postfix SMTP client will not
7007       attempt to authenticate to the remote host.
7008
7009       The  Postfix  SMTP client opens the lookup table before going to chroot
7010       jail, so you can leave the password file in /etc/postfix.
7011
7012       Specify zero or more "type:name" lookup tables, separated by whitespace
7013       or  comma. Tables will be searched in the specified order until a match
7014       is found.
7015

smtp_sasl_path (default: empty)

7017       Implementation-specific information that the Postfix SMTP client passes
7018       through  to  the  SASL  plug-in  implementation  that  is selected with
7019       smtp_sasl_type.  Typically this specifies the name of  a  configuration
7020       file or rendezvous point.
7021
7022       This feature is available in Postfix 2.3 and later.
7023

smtp_sasl_security_options (default: noplaintext, noanonymous)

7025       Postfix  SMTP  client SASL security options; as of Postfix 2.3 the list
7026       of available features depends on the SASL client implementation that is
7027       selected with smtp_sasl_type.
7028
7029       The  following  security features are defined for the cyrus client SASL
7030       implementation:
7031
7032       Specify zero or more of the following:
7033
7034       noplaintext
7035              Disallow methods that use plaintext passwords.
7036
7037       noactive
7038              Disallow methods subject to active (non-dictionary) attack.
7039
7040       nodictionary
7041              Disallow methods subject to passive (dictionary) attack.
7042
7043       noanonymous
7044              Disallow methods that allow anonymous authentication.
7045
7046       mutual_auth
7047              Only allow  methods  that  provide  mutual  authentication  (not
7048              available with SASL version 1).
7049
7050       Example:
7051
7052       smtp_sasl_security_options = noplaintext
7053

smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)

7055       The  SASL  authentication security options that the Postfix SMTP client
7056       uses for TLS encrypted SMTP sessions.
7057
7058       This feature is available in Postfix 2.2 and later.
7059

smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_secu‐

7061       rity_options)
7062       The  SASL  authentication security options that the Postfix SMTP client
7063       uses for TLS encrypted SMTP sessions with a  verified  server  certifi‐
7064       cate.
7065
7066       When  mail  is  sent  to the public MX host for the recipient's domain,
7067       server certificates are by default optional, and delivery proceeds even
7068       if  certificate  verification fails. For delivery via a submission ser‐
7069       vice that requires SASL authentication, it may be appropriate  to  send
7070       plaintext  passwords only when the connection to the server is strongly
7071       encrypted and the server identity is verified.
7072
7073       The smtp_sasl_tls_verified_security_options parameter makes it possible
7074       to  only  enable  plaintext  mechanisms when a secure connection to the
7075       server is available. Submission servers subject  to  this  policy  must
7076       either  have  verifiable  certificates  or offer suitable non-plaintext
7077       SASL mechanisms.
7078
7079       This feature is available in Postfix 2.6 and later.
7080

smtp_sasl_type (default: cyrus)

7082       The SASL plug-in type that the  Postfix  SMTP  client  should  use  for
7083       authentication.   The available types are listed with the "postconf -A"
7084       command.
7085
7086       This feature is available in Postfix 2.3 and later.
7087

smtp_send_dummy_mail_auth (default: no)

7089       Whether or not to append the "AUTH=<>" option to the MAIL FROM  command
7090       in  SASL-authenticated  SMTP sessions. The default is not to send this,
7091       to avoid problems with broken remote SMTP servers.  Before Postfix  2.9
7092       the behavior is as if "smtp_send_dummy_mail_auth = yes".
7093
7094       This feature is available in Postfix 2.9 and later.
7095

smtp_send_xforward_command (default: no)

7097       Send  the  non-standard  XFORWARD  command when the Postfix SMTP server
7098       EHLO response announces XFORWARD support.
7099
7100       This allows a Postfix SMTP delivery agent, used for injecting mail into
7101       a  content filter, to forward the name, address, protocol and HELO name
7102       of the original client to the content  filter  and  downstream  queuing
7103       SMTP   server.  This  can  produce  more  useful  logging  than  local‐
7104       host[127.0.0.1] etc.
7105
7106       This feature is available in Postfix 2.1 and later.
7107

smtp_sender_dependent_authentication (default: no)

7109       Enable sender-dependent authentication in the Postfix SMTP client; this
7110       is  available  only with SASL authentication, and disables SMTP connec‐
7111       tion caching to ensure that mail from different senders  will  use  the
7112       appropriate credentials.
7113
7114       This feature is available in Postfix 2.3 and later.
7115

smtp_skip_4xx_greeting (default: yes)

7117       Skip SMTP servers that greet with a 4XX status code (go away, try again
7118       later).
7119
7120       By default, the Postfix SMTP client moves on the next  mail  exchanger.
7121       Specify  "smtp_skip_4xx_greeting = no" if Postfix should defer delivery
7122       immediately.
7123
7124       This feature is available in Postfix 2.0 and  earlier.   Later  Postfix
7125       versions  always  skip remote SMTP servers that greet with a 4XX status
7126       code.
7127

smtp_skip_5xx_greeting (default: yes)

7129       Skip remote SMTP servers that greet with a 5XX status code.
7130
7131       By default, the Postfix SMTP client moves on the next  mail  exchanger.
7132       Specify "smtp_skip_5xx_greeting = no" if Postfix should bounce the mail
7133       immediately. Caution: the latter behavior  appears  to  contradict  RFC
7134       2821.
7135

smtp_skip_quit_response (default: yes)

7137       Do not wait for the response to the SMTP QUIT command.
7138

smtp_starttls_timeout (default: 300s)

7140       Time limit for Postfix SMTP client write and read operations during TLS
7141       startup and shutdown handshake procedures.
7142
7143       This feature is available in Postfix 2.2 and later.
7144

smtp_tcp_port (default: smtp)

7146       The default TCP port that the Postfix SMTP client connects to.  Specify
7147       a symbolic name (see services(5)) or a numeric port.
7148

smtp_tls_CAfile (default: empty)

7150       A  file  containing  CA certificates of root CAs trusted to sign either
7151       remote SMTP server certificates or intermediate CA certificates.  These
7152       are  loaded  into  memory  before  the smtp(8) client enters the chroot
7153       jail.  If  the  number  of  trusted  roots  is  large,  consider  using
7154       smtp_tls_CApath  instead,  but  note  that the latter directory must be
7155       present in the chroot jail if the smtp(8) client is chrooted. This file
7156       may  also be used to augment the client certificate trust chain, but it
7157       is  best  to  include  all  the  required  certificates   directly   in
7158       $smtp_tls_cert_file (or, Postfix >= 3.4 $smtp_tls_chain_files).
7159
7160       Specify  "smtp_tls_CAfile  =  /path/to/system_CA_file"  to use ONLY the
7161       system-supplied default Certification Authority certificates.
7162
7163       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
7164       the system-supplied default CAs and trusting third-party certificates.
7165
7166       Example:
7167
7168       smtp_tls_CAfile = /etc/postfix/CAcert.pem
7169
7170       This feature is available in Postfix 2.2 and later.
7171

smtp_tls_CApath (default: empty)

7173       Directory with PEM format Certification Authority certificates that the
7174       Postfix SMTP client uses to verify a remote  SMTP  server  certificate.
7175       Don't  forget  to  create the necessary "hash" links with, for example,
7176       "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
7177
7178       To use this option in chroot mode, this directory (or a copy)  must  be
7179       inside the chroot jail.
7180
7181       Specify  "smtp_tls_CApath  =  /path/to/system_CA_directory" to use ONLY
7182       the system-supplied default Certification Authority certificates.
7183
7184       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
7185       the system-supplied default CAs and trusting third-party certificates.
7186
7187       Example:
7188
7189       smtp_tls_CApath = /etc/postfix/certs
7190
7191       This feature is available in Postfix 2.2 and later.
7192

smtp_tls_block_early_mail_reply (default: no)

7194       Try  to detect a mail hijacking attack based on a TLS protocol vulnera‐
7195       bility (CVE-2009-3555), where  an  attacker  prepends  malicious  HELO,
7196       MAIL,  RCPT,  DATA  commands to a Postfix SMTP client TLS session.  The
7197       attack would succeed with non-Postfix SMTP servers that  reply  to  the
7198       malicious HELO, MAIL, RCPT, DATA commands after negotiating the Postfix
7199       SMTP client TLS session.
7200
7201       This feature is available in Postfix 2.7.
7202

smtp_tls_cert_file (default: empty)

7204       File with the Postfix SMTP client RSA certificate in PEM format.   This
7205       file  may  also  contain  the  Postfix SMTP client private RSA key, and
7206       these may be the same as the Postfix SMTP server  RSA  certificate  and
7207       key  file.   With  Postfix >= 3.4 the preferred way to configure client
7208       keys and certificates is via the "smtp_tls_chain_files" parameter.
7209
7210       Do not configure client certificates unless you must present client TLS
7211       certificates  to  one or more servers. Client certificates are not usu‐
7212       ally needed, and can cause problems in configurations  that  work  well
7213       without them. The recommended setting is to let the defaults stand:
7214
7215           smtp_tls_cert_file =
7216           smtp_tls_key_file =
7217           smtp_tls_eccert_file =
7218           smtp_tls_eckey_file =
7219           # Obsolete DSA parameters
7220           smtp_tls_dcert_file =
7221           smtp_tls_dkey_file =
7222           # Postfix >= 3.4 interface
7223           smtp_tls_chain_files =
7224
7225       The  best  way  to use the default settings is to comment out the above
7226       parameters in main.cf if present.
7227
7228       To enable remote SMTP servers to verify the Postfix  SMTP  client  cer‐
7229       tificate,  the  issuing  CA  certificates must be made available to the
7230       server. You should include the required certificates in the client cer‐
7231       tificate  file,  the  client  certificate first, then the issuing CA(s)
7232       (bottom-up order).
7233
7234       Example: the certificate for "client.example.com" was issued by "inter‐
7235       mediate CA" which itself has a certificate issued by "root CA".  As the
7236       "root" super-user create the client.pem file with:
7237
7238           # umask 077
7239           # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem
7240
7241       If you also want to verify remote SMTP server  certificates  issued  by
7242       these  CAs,  you can add the CA certificates to the smtp_tls_CAfile, in
7243       which case it is not necessary to have them in the  smtp_tls_cert_file,
7244       smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.
7245
7246       A certificate supplied here must be usable as an SSL client certificate
7247       and hence pass the "openssl verify -purpose sslclient ..." test.
7248
7249       Example:
7250
7251       smtp_tls_cert_file = /etc/postfix/chain.pem
7252
7253       This feature is available in Postfix 2.2 and later.
7254

smtp_tls_chain_files (default: empty)

7256       List of one or more PEM files, each holding one or  more  private  keys
7257       directly followed by a corresponding certificate chain.  The file names
7258       are separated by commas and/or whitespace.   This  parameter  obsoletes
7259       the  legacy algorithm-specific key and certificate file settings.  When
7260       this parameter is non-empty, the legacy parameters are ignored,  and  a
7261       warning is logged if any are also non-empty.
7262
7263       With  the proliferation of multiple private key algorithms-which, as of
7264       OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448-it
7265       is increasingly impractical to use separate parameters to configure the
7266       key and certificate chain for each algorithm.  Therefore,  Postfix  now
7267       supports  storing multiple keys and corresponding certificate chains in
7268       a single file or in a set of files.
7269
7270       Each key must appear immediately before the corresponding  certificate,
7271       optionally followed by additional issuer certificates that complete the
7272       certificate chain for that key.  When  multiple  files  are  specified,
7273       they  are  equivalent  to a single file that is concatenated from those
7274       files in the given order.  Thus, while a key must  always  precede  its
7275       certificate  and issuer chain, it can be in a separate file, so long as
7276       that file is listed immediately before the file that holds  the  corre‐
7277       sponding  certificate  chain.  Once all the files are concatenated, the
7278       sequence of PEM objects must be: key1, cert1,  [chain1],  key2,  cert2,
7279       [chain2], ..., keyN, certN, [chainN].
7280
7281       Storing  the private key in the same file as the corresponding certifi‐
7282       cate is more reliable.  With the key and certificate in separate files,
7283       there is a chance that during key rollover a Postfix process might load
7284       a private key and certificate from separate  files  that  don't  match.
7285       Various  operational errors may even result in a persistent broken con‐
7286       figuration in which the certificate does not match the private key.
7287
7288       The file or files must contain at most one key of each type.   If,  for
7289       example,  two  or  more  RSA  keys and corresponding chains are listed,
7290       depending on the version of OpenSSL either only the last  one  will  be
7291       used  or  an  configuration  error  may  be  detected.  Note that while
7292       "Ed25519" and "Ed448" are considered separate algorithms,  the  various
7293       ECDSA  curves (typically one of prime256v1, secp384r1 or secp521r1) are
7294       considered as different parameters of a single "ECDSA" algorithm, so it
7295       is  not  presently  possible  to configure keys for more than one ECDSA
7296       curve.
7297
7298       Example (separate files for  each  key  and  corresponding  certificate
7299       chain):
7300
7301           /etc/postfix/main.cf:
7302               smtp_tls_chain_files =
7303                   ${config_directory}/ed25519.pem,
7304                   ${config_directory}/ed448.pem,
7305                   ${config_directory}/rsa.pem
7306
7307           /etc/postfix/ed25519.pem:
7308               -----BEGIN PRIVATE KEY-----
7309               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7310               -----END PRIVATE KEY-----
7311               -----BEGIN CERTIFICATE-----
7312               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7313               ...
7314               nC0egv51YPDWxEHom4QA
7315               -----END CERTIFICATE-----
7316
7317           /etc/postfix/ed448.pem:
7318               -----BEGIN PRIVATE KEY-----
7319               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7320               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7321               -----END PRIVATE KEY-----
7322               -----BEGIN CERTIFICATE-----
7323               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7324               ...
7325               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7326               -----END CERTIFICATE-----
7327
7328           /etc/postfix/rsa.pem:
7329               -----BEGIN PRIVATE KEY-----
7330               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7331               ...
7332               ahQkZ3+krcaJvDSMgvu0tDc=
7333               -----END PRIVATE KEY-----
7334               -----BEGIN CERTIFICATE-----
7335               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7336               ...
7337               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7338               -----END CERTIFICATE-----
7339
7340       Example (all keys and certificates in a single file):
7341
7342           /etc/postfix/main.cf:
7343               smtp_tls_chain_files = ${config_directory}/chains.pem
7344
7345           /etc/postfix/chains.pem:
7346               -----BEGIN PRIVATE KEY-----
7347               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
7348               -----END PRIVATE KEY-----
7349               -----BEGIN CERTIFICATE-----
7350               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
7351               ...
7352               nC0egv51YPDWxEHom4QA
7353               -----END CERTIFICATE-----
7354               -----BEGIN PRIVATE KEY-----
7355               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
7356               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
7357               -----END PRIVATE KEY-----
7358               -----BEGIN CERTIFICATE-----
7359               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
7360               ...
7361               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
7362               -----END CERTIFICATE-----
7363               -----BEGIN PRIVATE KEY-----
7364               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
7365               ...
7366               ahQkZ3+krcaJvDSMgvu0tDc=
7367               -----END PRIVATE KEY-----
7368               -----BEGIN CERTIFICATE-----
7369               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
7370               ...
7371               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
7372               -----END CERTIFICATE-----
7373
7374       This feature is available in Postfix 3.4 and later.
7375

smtp_tls_cipherlist (default: empty)

7377       Obsolete  Postfix  < 2.3 control for the Postfix SMTP client TLS cipher
7378       list. As this feature applies to all TLS security levels, it is easy to
7379       create interoperability problems by choosing a non-default cipher list.
7380       Do not use a non-default TLS cipher list on hosts that deliver email to
7381       the  public  Internet: you will be unable to send email to servers that
7382       only support the ciphers you exclude. Using a  restricted  cipher  list
7383       may  be  more appropriate for an internal MTA, where one can exert some
7384       control over the TLS software and settings of the peer servers.
7385
7386       Note: do not use "" quotes around the parameter value.
7387
7388       This feature is available in Postfix version 2.2. It is not  used  with
7389       Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.
7390

smtp_tls_ciphers (default: medium)

7392       The minimum TLS cipher grade that the Postfix SMTP client will use with
7393       opportunistic    TLS    encryption.    Cipher    types    listed     in
7394       smtp_tls_exclude_ciphers  are  excluded from the base definition of the
7395       selected cipher grade.   The default  value  is  "medium"  for  Postfix
7396       releases after the middle of 2015, "export" for older releases.
7397
7398       When   TLS   is   mandatory   the   cipher  grade  is  chosen  via  the
7399       smtp_tls_mandatory_ciphers configuration parameter, see there for  syn‐
7400       tax details. See smtp_tls_policy_maps for information on how to config‐
7401       ure ciphers on a per-destination basis.
7402
7403       This feature is available in Postfix 2.6 and later. With earlier  Post‐
7404       fix  releases  only  the smtp_tls_mandatory_ciphers parameter is imple‐
7405       mented, and opportunistic TLS always uses "export" or better (i.e. all)
7406       ciphers.
7407

smtp_tls_connection_reuse (default: no)

7409       Try  to  make  multiple  deliveries per TLS-encrypted connection.  This
7410       uses the tlsproxy(8) service to encrypt an SMTP  connection,  uses  the
7411       scache(8) service to save that connection, and relies on hints from the
7412       qmgr(8) daemon.
7413
7414       See "Client-side TLS connection reuse" for background details.
7415
7416       This feature is available in Postfix 3.4 and later.
7417

smtp_tls_dane_insecure_mx_policy (default: dane)

7419       The TLS policy for MX hosts with "secure" TLSA records when the nexthop
7420       destination  security level is dane, but the MX record was found via an
7421       "insecure" MX lookup.  The choices are:
7422
7423       may    The TLSA records will be ignored and TLS will be  optional.   If
7424              the MX host does not appear to support STARTTLS, or the STARTTLS
7425              handshake fails, mail may be sent in the clear.
7426
7427       encrypt
7428              The TLSA records will signal a requirement to  use  TLS.   While
7429              TLS encryption will be required, authentication will not be per‐
7430              formed.
7431
7432       dane (default)
7433              The TLSA records will be used just as with "secure" MX  records.
7434              TLS  encryption  will  be  required, and, if at least one of the
7435              TLSA records is "usable", authentication will be required.  When
7436              authentication  succeeds,  it  will be logged only as "Trusted",
7437              not "Verified", because the MX host name could have been forged.
7438              Though with "insecure" MX records an active attacker can compro‐
7439              mise  SMTP  transport  security  by returning forged MX records,
7440              such attacks are "tamper-evident" since any forged MX  hostnames
7441              will  be  recorded in the mail logs.  Attackers who place a high
7442              value staying hidden may be deterred from forging MX records.
7443
7444       This feature is available in Postfix 3.1 and later. The may  policy  is
7445       backwards-compatible with earlier Postfix versions.
7446

smtp_tls_dcert_file (default: empty)

7448       File  with the Postfix SMTP client DSA certificate in PEM format.  This
7449       file may also contain the Postfix SMTP client private DSA key.  The DSA
7450       algorithm is obsolete and should not be used.
7451
7452       See the discussion under smtp_tls_cert_file for more details.
7453
7454       Example:
7455
7456       smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
7457
7458       This feature is available in Postfix 2.2 and later.
7459

smtp_tls_dkey_file (default: $smtp_tls_dcert_file)

7461       File  with the Postfix SMTP client DSA private key in PEM format.  This
7462       file may be combined with the Postfix SMTP client DSA certificate  file
7463       specified  with $smtp_tls_dcert_file. The DSA algorithm is obsolete and
7464       should not be used.
7465
7466       The private key must be accessible without a pass-phrase, i.e. it  must
7467       not be encrypted. File permissions should grant read-only access to the
7468       system superuser account ("root"), and no access to anyone else.
7469
7470       This feature is available in Postfix 2.2 and later.
7471

smtp_tls_eccert_file (default: empty)

7473       File with the Postfix SMTP client  ECDSA  certificate  in  PEM  format.
7474       This  file  may also contain the Postfix SMTP client ECDSA private key.
7475       With Postfix >= 3.4 the preferred way to configure client keys and cer‐
7476       tificates is via the "smtp_tls_chain_files" parameter.
7477
7478       See the discussion under smtp_tls_cert_file for more details.
7479
7480       Example:
7481
7482       smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
7483
7484       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
7485       compiled and linked with OpenSSL 1.0.0 or later.
7486

smtp_tls_eckey_file (default: $smtp_tls_eccert_file)

7488       File with the Postfix SMTP client ECDSA  private  key  in  PEM  format.
7489       This  file  may be combined with the Postfix SMTP client ECDSA certifi‐
7490       cate file specified with $smtp_tls_eccert_file.  With  Postfix  >=  3.4
7491       the  preferred way to configure client keys and certificates is via the
7492       "smtp_tls_chain_files" parameter.
7493
7494       The private key must be accessible without a pass-phrase, i.e. it  must
7495       not be encrypted. File permissions should grant read-only access to the
7496       system superuser account ("root"), and no access to anyone else.
7497
7498       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
7499       compiled and linked with OpenSSL 1.0.0 or later.
7500

smtp_tls_enforce_peername (default: yes)

7502       With  mandatory  TLS  encryption,  require  that the remote SMTP server
7503       hostname matches the information in the remote SMTP server certificate.
7504       As  of  RFC 2487 the requirements for hostname checking for MTA clients
7505       are not specified.
7506
7507       This option can be set to "no" to disable strict  peer  name  checking.
7508       This  setting  has  no  effect  on sessions that are controlled via the
7509       smtp_tls_per_site table.
7510
7511       Disabling the hostname verification can make sense in  closed  environ‐
7512       ment where special CAs are created.  If not used carefully, this option
7513       opens the danger of a "man-in-the-middle"  attack  (the  CommonName  of
7514       this attacker will be logged).
7515
7516       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
7517       and later use smtp_tls_security_level instead.
7518

smtp_tls_exclude_ciphers (default: empty)

7520       List of ciphers or cipher types to exclude from the Postfix SMTP client
7521       cipher  list  at  all  TLS  security  levels.  This  is  not an OpenSSL
7522       cipherlist, it is a simple list separated by whitespace and/or  commas.
7523       The  elements  are a single cipher, or one or more "+" separated cipher
7524       properties, in which case only ciphers matching all the properties  are
7525       excluded.
7526
7527       Examples (some of these will cause problems):
7528
7529           smtp_tls_exclude_ciphers = aNULL
7530           smtp_tls_exclude_ciphers = MD5, DES
7531           smtp_tls_exclude_ciphers = DES+MD5
7532           smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
7533           smtp_tls_exclude_ciphers = kEDH+aRSA
7534
7535       The  first  setting,  disables anonymous ciphers. The next setting dis‐
7536       ables ciphers that use the MD5 digest algorithm  or  the  (single)  DES
7537       encryption  algorithm.  The  next setting disables ciphers that use MD5
7538       and  DES  together.   The  next  setting  disables  the   two   ciphers
7539       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
7540       use "EDH" key exchange with RSA authentication.
7541
7542       This feature is available in Postfix 2.3 and later.
7543

smtp_tls_fingerprint_cert_match (default: empty)

7545       List of acceptable remote SMTP server certificate fingerprints for  the
7546       "fingerprint"  TLS  security  level  (smtp_tls_security_level = finger‐
7547       print). At this security level, Certification Authorities are not used,
7548       and  certificate expiration times are ignored. Instead, server certifi‐
7549       cates are verified directly via their certificate fingerprint or public
7550       key  fingerprint  (Postfix 2.9 and later). The fingerprint is a message
7551       digest of the server certificate (or public key). The digest  algorithm
7552       is selected via the smtp_tls_fingerprint_digest parameter.
7553
7554       When  an  smtp_tls_policy_maps  table entry specifies the "fingerprint"
7555       security level, any "match" attributes in that entry specify  the  list
7556       of  valid fingerprints for the corresponding destination. Multiple fin‐
7557       gerprints can be combined with  a  "|"  delimiter  in  a  single  match
7558       attribute, or multiple match attributes can be employed.
7559
7560       Example:  Certificate  fingerprint  verification with internal mailhub.
7561       Two matching fingerprints are listed. The  relayhost  may  be  multiple
7562       physical hosts behind a load-balancer, each with its own private/public
7563       key and self-signed certificate. Alternatively, a single relayhost  may
7564       be  in  the process of switching from one set of private/public keys to
7565       another, and both keys are trusted just prior to the transition.
7566
7567           relayhost = [mailhub.example.com]
7568           smtp_tls_security_level = fingerprint
7569           smtp_tls_fingerprint_digest = md5
7570           smtp_tls_fingerprint_cert_match =
7571               3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7572               EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7573
7574       Example: Certificate fingerprint verification  with  selected  destina‐
7575       tions.  As in the example above, we show two matching fingerprints:
7576
7577           /etc/postfix/main.cf:
7578               smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
7579               smtp_tls_fingerprint_digest = md5
7580
7581           /etc/postfix/tls_policy:
7582               example.com fingerprint
7583                   match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
7584                   match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
7585
7586       This feature is available in Postfix 2.5 and later.
7587

smtp_tls_fingerprint_digest (default: md5)

7589       The  message digest algorithm used to construct remote SMTP server cer‐
7590       tificate  fingerprints.  At  the  "fingerprint"  TLS   security   level
7591       (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7592       ified by directly matching its certificate fingerprint  or  its  public
7593       key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7594       digest of the server certificate (or its public key) using the selected
7595       algorithm.  With  a  digest  algorithm  resistant to "second pre-image"
7596       attacks, it is not feasible to create a new public key and  a  matching
7597       certificate (or public/private key-pair) that has the same fingerprint.
7598
7599       The  default  algorithm  is  md5; this is consistent with the backwards
7600       compatible setting of the digest used to verify client certificates  in
7601       the SMTP server.
7602
7603       The  best practice algorithm is now sha1. Recent advances in hash func‐
7604       tion cryptanalysis have led to md5 being deprecated in favor  of  sha1.
7605       However,  as  long  as  there  are  no known "second pre-image" attacks
7606       against md5, its use in this context can still be considered safe.
7607
7608       While additional digest algorithms are often available  with  OpenSSL's
7609       libcrypto, only those used by libssl in SSL cipher suites are available
7610       to Postfix. For now this means just md5 or sha1.
7611
7612       To find the fingerprint of a specific certificate file, with a specific
7613       digest algorithm, run:
7614
7615           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7616
7617       The  text  to  the  right  of "=" sign is the desired fingerprint.  For
7618       example:
7619
7620           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7621           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7622
7623       To extract the public key fingerprint from an  X.509  certificate,  you
7624       need  to  extract  the  public key from the certificate and compute the
7625       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7626       key"  option  of  the  "x509" command extracts the public key always in
7627       "PEM" format. We pipe the result to another OpenSSL command  that  con‐
7628       verts the key to DER and then to the "dgst" command to compute the fin‐
7629       gerprint.
7630
7631       The actual command to transform the key to DER format  depends  on  the
7632       version  of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" com‐
7633       mand supports all key types. With OpenSSL 0.9.8 and  earlier,  the  key
7634       type  is  always  RSA  (nobody uses DSA, and EC keys are not fully sup‐
7635       ported by 0.9.8), so the "rsa" command is used.
7636
7637           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7638           $ openssl x509 -in cert.pem -noout -pubkey |
7639               openssl pkey -pubin -outform DER |
7640               openssl dgst -sha1 -c
7641           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7642
7643           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7644           $ openssl x509 -in cert.pem -noout -pubkey |
7645               openssl rsa -pubin -outform DER |
7646               openssl dgst -md5 -c
7647           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7648
7649       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7650       gerprint  and  public  key  fingerprint  when  the TLS loglevel is 2 or
7651       higher.
7652
7653       Note: Postfix 2.9.0-2.9.5 computed the public  key  fingerprint  incor‐
7654       rectly.  To  use  public-key  fingerprints, upgrade to Postfix 2.9.6 or
7655       later.
7656
7657       This feature is available in Postfix 2.5 and later.
7658

smtp_tls_force_insecure_host_tlsa_lookup (default: no)

7660       Lookup the associated DANE TLSA RRset even when a hostname  is  not  an
7661       alias  and  its  address  records  lie  in  an  unsigned zone.  This is
7662       unlikely to ever yield DNSSEC validated results, since child  zones  of
7663       unsigned  zones are also unsigned in the absence of DLV or locally con‐
7664       figured non-root trust-anchors.  We  anticipate  that  such  mechanisms
7665       will  not be used for just the "_tcp" subdomain of a host.  Suppressing
7666       the TLSA RRset lookup reduces latency and avoids  potential  interoper‐
7667       ability  problems with nameservers for unsigned zones that are not pre‐
7668       pared to handle the new TLSA RRset.
7669
7670       This feature is available in Postfix 2.11.
7671

smtp_tls_key_file (default: $smtp_tls_cert_file)

7673       File with the Postfix SMTP client RSA private key in PEM format.   This
7674       file  may be combined with the Postfix SMTP client RSA certificate file
7675       specified with $smtp_tls_cert_file.  With Postfix >= 3.4 the  preferred
7676       way   to   configure   client   keys   and   certificates  is  via  the
7677       "smtp_tls_chain_files" parameter.
7678
7679       The private key must be accessible without a pass-phrase, i.e. it  must
7680       not be encrypted. File permissions should grant read-only access to the
7681       system superuser account ("root"), and no access to anyone else.
7682
7683       Example:
7684
7685       smtp_tls_key_file = $smtp_tls_cert_file
7686
7687       This feature is available in Postfix 2.2 and later.
7688

smtp_tls_loglevel (default: 0)

7690       Enable additional Postfix SMTP client logging of  TLS  activity.   Each
7691       logging  level  also includes the information that is logged at a lower
7692       logging level.
7693
7694              0 Disable logging of TLS activity.
7695
7696              1 Log only a summary message on TLS handshake  completion  -  no
7697              logging  of remote SMTP server certificate trust-chain verifica‐
7698              tion errors if server certificate verification is not  required.
7699              With Postfix 2.8 and earlier, log the summary message and uncon‐
7700              ditionally log trust-chain verification errors.
7701
7702              2 Also log levels during TLS negotiation.
7703
7704              3 Also  log  hexadecimal  and  ASCII  dump  of  TLS  negotiation
7705              process.
7706
7707              4  Also  log hexadecimal and ASCII dump of complete transmission
7708              after STARTTLS.
7709
7710       Do not use "smtp_tls_loglevel = 2" or higher except in  case  of  prob‐
7711       lems. Use of loglevel 4 is strongly discouraged.
7712
7713       This feature is available in Postfix 2.2 and later.
7714

smtp_tls_mandatory_ciphers (default: medium)

7716       The minimum TLS cipher grade that the Postfix SMTP client will use with
7717       mandatory TLS encryption.  The default value "medium" is  suitable  for
7718       most destinations with which you may want to enforce TLS, and is beyond
7719       the reach of today's cryptanalytic  methods.  See  smtp_tls_policy_maps
7720       for information on how to configure ciphers on a per-destination basis.
7721
7722       The following cipher grades are supported:
7723
7724       export Enable "EXPORT" grade or better OpenSSL ciphers.  The underlying
7725              cipherlist is specified via the tls_export_cipherlist configura‐
7726              tion parameter, which you are strongly encouraged to not change.
7727              This choice is insecure and SHOULD NOT be used.
7728
7729       low    Enable "LOW" grade or better OpenSSL  ciphers.   The  underlying
7730              cipherlist is specified via the tls_low_cipherlist configuration
7731              parameter, which you are  strongly  encouraged  to  not  change.
7732              This choice is insecure and SHOULD NOT be used.
7733
7734       medium Enable "MEDIUM" grade or better OpenSSL ciphers.  The underlying
7735              cipherlist is specified via the tls_medium_cipherlist configura‐
7736              tion parameter, which you are strongly encouraged to not change.
7737
7738       high   Enable  only  "HIGH" grade OpenSSL ciphers.  This setting may be
7739              appropriate when all mandatory TLS destinations (e.g.  when  all
7740              mail is routed to a suitably capable relayhost) support at least
7741              one "HIGH" grade cipher. The underlying cipherlist is  specified
7742              via  the  tls_high_cipherlist configuration parameter, which you
7743              are strongly encouraged to not change.
7744
7745       null   Enable only the "NULL" OpenSSL ciphers, these provide  authenti‐
7746              cation  without encryption.  This setting is only appropriate in
7747              the rare case that all servers are prepared to use NULL  ciphers
7748              (not  normally  enabled in TLS servers). A plausible use-case is
7749              an LMTP server listening on a UNIX-domain socket that is config‐
7750              ured  to  support  "NULL"  ciphers. The underlying cipherlist is
7751              specified via the tls_null_cipherlist  configuration  parameter,
7752              which you are strongly encouraged to not change.
7753
7754       The  underlying cipherlists for grades other than "null" include anony‐
7755       mous ciphers, but these are automatically filtered out if  the  Postfix
7756       SMTP  client is configured to verify server certificates.  You are very
7757       unlikely to need to take any steps to exclude anonymous  ciphers,  they
7758       are excluded automatically as necessary.  If you must exclude anonymous
7759       ciphers at the "may" or "encrypt" security  levels,  when  the  Postfix
7760       SMTP   client   does   not   need   or   use   peer  certificates,  set
7761       "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous  ciphers  only
7762       when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7763
7764       This feature is available in Postfix 2.3 and later.
7765

smtp_tls_mandatory_exclude_ciphers (default: empty)

7767       Additional  list of ciphers or cipher types to exclude from the Postfix
7768       SMTP client cipher list at mandatory TLS  security  levels.  This  list
7769       works     in     addition     to    the    exclusions    listed    with
7770       smtp_tls_exclude_ciphers (see there for syntax details).
7771
7772       Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7773       ified   on  a  per-destination  basis  via  the  TLS  policy  "exclude"
7774       attribute. See smtp_tls_policy_maps for notes and examples.
7775
7776       This feature is available in Postfix 2.3 and later.
7777

smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

7779       List of SSL/TLS protocols that the Postfix SMTP client  will  use  with
7780       mandatory  TLS  encryption.   In  main.cf  the  values are separated by
7781       whitespace, commas or colons. In the policy table "protocols" attribute
7782       (see  smtp_tls_policy_maps) the only valid separator is colon. An empty
7783       value means allow all protocols. The valid protocol names, (see  \fBfB‐
7784       SSL_get_version(3)),  are  "SSLv2",  "SSLv3"  and  "TLSv1". The default
7785       value is "!SSLv2, !SSLv3" for Postfix  releases  after  the  middle  of
7786       2015, "!SSLv2" for older releases.
7787
7788       With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7789       col  exclusions.  One  can  explicitly  exclude  "SSLv2"   by   setting
7790       "smtp_tls_mandatory_protocols  =  !SSLv2".  To exclude both "SSLv2" and
7791       "SSLv3" set "smtp_tls_mandatory_protocols =  !SSLv2,  !SSLv3".  Listing
7792       the  protocols  to  include,  rather than protocols to exclude, is sup‐
7793       ported, but not recommended. The exclusion form  more  closely  matches
7794       the underlying OpenSSL interface semantics.
7795
7796       The range of protocols advertised by an SSL/TLS client must be contigu‐
7797       ous.  When a protocol version is enabled, disabling any higher  version
7798       implicitly  disables all versions above that higher version.  Thus, for
7799       example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
7800
7801           smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7802       also disables any protocols version  higher  than  TLSv1  leaving  only
7803       "SSLv3" enabled.
7804
7805       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
7806       "TLSv1.2". When Postfix <= 2.5  is  linked  against  OpenSSL  1.0.1  or
7807       later,  these,  or  any other new protocol versions, cannot be disabled
7808       except by also disabling "TLSv1" (typically leaving just "SSLv3").  The
7809       latest  patch  levels of Postfix >= 2.6, and all versions of Postfix >=
7810       2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7811
7812       OpenSSL 1.1.1 introduces support for "TLSv1.3".  With  Postfix  >=  3.4
7813       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
7814       abled, if need be, via "!TLSv1.3".
7815
7816       At the dane and dane-only security levels, when usable TLSA records are
7817       obtained  for  the remote SMTP server, the Postfix SMTP client is obli‐
7818       gated to include the SNI TLS extension in its SSL client hello message.
7819       This  may help the remote SMTP server live up to its promise to provide
7820       a certificate that matches its  TLSA  records.   Since  TLS  extensions
7821       require  TLS 1.0 or later, the Postfix SMTP client must disable "SSLv2"
7822       and "SSLv3" when SNI is required.  If you use "dane" or "dane-only"  do
7823       not disable TLSv1, except perhaps via the policy table for destinations
7824       which you are sure will support "TLSv1.1" or "TLSv1.2".
7825
7826       See  the  documentation  of  the  smtp_tls_policy_maps  parameter   and
7827       TLS_README for more information about security levels.
7828
7829       Example:
7830
7831       # Preferred syntax with Postfix >= 2.5:
7832       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7833       # Legacy syntax:
7834       smtp_tls_mandatory_protocols = TLSv1
7835
7836       This feature is available in Postfix 2.3 and later.
7837

smtp_tls_note_starttls_offer (default: no)

7839       Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7840       is not already enabled for that server.
7841
7842       The logfile record looks like:
7843
7844       postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
7845
7846       This feature is available in Postfix 2.2 and later.
7847

smtp_tls_per_site (default: empty)

7849       Optional lookup tables with the Postfix SMTP client TLS usage policy by
7850       next-hop  destination  and  by  remote SMTP server hostname.  When both
7851       lookups succeed, the more specific per-site policy  (NONE,  MUST,  etc)
7852       overrides  the  less  specific  one (MAY), and the more secure per-site
7853       policy (MUST, etc) overrides the less secure one (NONE).  With  Postfix
7854       2.3   and   later   smtp_tls_per_site   is  strongly  discouraged:  use
7855       smtp_tls_policy_maps instead.
7856
7857       Use of the bare hostname as the per-site table lookup key  is  discour‐
7858       aged.  Always  use  the full destination nexthop (enclosed in [] with a
7859       possible ":port" suffix). A recipient domain  or  MX-enabled  transport
7860       next-hop  with  no  port  suffix  may look like a bare hostname, but is
7861       still a suitable destination.
7862
7863       Specify a next-hop destination or  server  hostname  on  the  left-hand
7864       side;  no wildcards are allowed. The next-hop destination is either the
7865       recipient domain, or the destination specified with a transport(5)  ta‐
7866       ble, the relayhost parameter, or the relay_transport parameter.  On the
7867       right hand side specify one of the following keywords:
7868
7869       NONE   Don't use TLS at all. This overrides a less specific MAY  lookup
7870              result from the alternate host or next-hop lookup key, and over‐
7871              rides   the   global   smtp_use_tls,    smtp_enforce_tls,    and
7872              smtp_tls_enforce_peername settings.
7873
7874       MAY    Try  to  use  TLS if the server announces support, otherwise use
7875              the unencrypted connection. This has less precedence than a more
7876              specific  result  (including  NONE)  from  the alternate host or
7877              next-hop lookup key, and has less precedence than the more  spe‐
7878              cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7879              name = yes".
7880
7881       MUST_NOPEERMATCH
7882              Require TLS encryption, but do not require that the remote  SMTP
7883              server  hostname  matches  the  information  in  the remote SMTP
7884              server certificate, or that the server certificate was issued by
7885              a  trusted  CA. This overrides a less secure NONE or a less spe‐
7886              cific MAY lookup result from  the  alternate  host  or  next-hop
7887              lookup    key,    and   overrides   the   global   smtp_use_tls,
7888              smtp_enforce_tls and smtp_tls_enforce_peername settings.
7889
7890       MUST   Require TLS encryption, require  that  the  remote  SMTP  server
7891              hostname  matches the information in the remote SMTP server cer‐
7892              tificate, and require that the remote  SMTP  server  certificate
7893              was  issued  by  a trusted CA. This overrides a less secure NONE
7894              and MUST_NOPEERMATCH or a less specific MAY lookup  result  from
7895              the  alternate  host  or  next-hop lookup key, and overrides the
7896              global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7897              name settings.
7898
7899       The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7900       ify" security levels  for  the  new  smtp_tls_security_level  parameter
7901       introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7902       of how the policy  is  specified,  the  smtp_tls_mandatory_ciphers  and
7903       smtp_tls_mandatory_protocols  parameters  apply  when TLS encryption is
7904       mandatory. Connections  for  which  encryption  is  optional  typically
7905       enable  all "export" grade and better ciphers (see smtp_tls_ciphers and
7906       smtp_tls_protocols).
7907
7908       As long as no secure DNS lookup mechanism is available, false hostnames
7909       in  MX  or  CNAME responses can change the server hostname that Postfix
7910       uses for TLS policy lookup and server  certificate  verification.  Even
7911       with  a  perfect  match between the server hostname and the server cer‐
7912       tificate, there is no guarantee that Postfix is connected to the  right
7913       server.   See TLS_README (Closing a DNS loophole with obsolete per-site
7914       TLS policies) for a possible work-around.
7915
7916       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
7917       and later use smtp_tls_policy_maps instead.
7918

smtp_tls_policy_maps (default: empty)

7920       Optional lookup tables with the Postfix SMTP client TLS security policy
7921       by next-hop destination; when a  non-empty  value  is  specified,  this
7922       overrides the obsolete smtp_tls_per_site parameter.  See TLS_README for
7923       a more detailed discussion of TLS security levels.
7924
7925       Specify zero or more "type:name" lookup tables, separated by whitespace
7926       or  comma. Tables will be searched in the specified order until a match
7927       is found.
7928
7929       The TLS policy table is indexed by the full next-hop destination, which
7930       is  either  the recipient domain, or the verbatim next-hop specified in
7931       the    transport    table,    $local_transport,     $virtual_transport,
7932       $relay_transport  or  $default_transport.  This  includes any enclosing
7933       square brackets and any non-default destination server port suffix. The
7934       LMTP  socket type prefix (inet: or unix:) is not included in the lookup
7935       key.
7936
7937       Only the next-hop domain, or $myhostname  with  LMTP  over  UNIX-domain
7938       sockets,  is used as the nexthop name for certificate verification. The
7939       port and any enclosing square brackets are used  in  the  table  lookup
7940       key, but are not used for server name verification.
7941
7942       When  the lookup key is a domain name without enclosing square brackets
7943       or any :port suffix (typically the  recipient  domain),  and  the  full
7944       domain  is not found in the table, just as with the transport(5) table,
7945       the parent domain starting with a leading "." is  matched  recursively.
7946       This allows one to specify a security policy for a recipient domain and
7947       all its sub-domains.
7948
7949       The lookup result is a security level, followed by an optional list  of
7950       whitespace  and/or  comma separated name=value attributes that override
7951       related main.cf settings. The TLS security levels in order of  increas‐
7952       ing security are:
7953
7954       none   No TLS. No additional attributes are supported at this level.
7955
7956       may    Opportunistic  TLS.  Since  sending  in the clear is acceptable,
7957              demanding stronger than  default  TLS  security  merely  reduces
7958              interoperability. The optional "ciphers", "exclude", and "proto‐
7959              cols" attributes (available for opportunistic TLS  with  Postfix
7960              >=  2.6) and "connection_reuse" attribute (Postfix >= 3.4) over‐
7961              ride   the    "smtp_tls_ciphers",    "smtp_tls_exclude_ciphers",
7962              "smtp_tls_protocols", and "smtp_tls_connection_reuse" configura‐
7963              tion parameters. When opportunistic TLS handshakes fail, Postfix
7964              retries  the  connection  with  TLS  disabled.  This allows mail
7965              delivery to sites with non-interoperable TLS implementations.
7966
7967       encrypt
7968              Mandatory TLS encryption. At this level and higher, the optional
7969              "protocols"  attribute  overrides  the  main.cf  smtp_tls_manda‐
7970              tory_protocols parameter, the optional "ciphers" attribute over‐
7971              rides  the  main.cf  smtp_tls_mandatory_ciphers  parameter,  the
7972              optional "exclude" attribute  (Postfix  >=  2.6)  overrides  the
7973              main.cf  smtp_tls_mandatory_exclude_ciphers  parameter,  and the
7974              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
7975              the  main.cf  smtp_tls_connection_reuse parameter. In the policy
7976              table, multiple protocols or excluded ciphers must be  separated
7977              by  colons,  as  attribute  values may not contain whitespace or
7978              commas.
7979
7980       dane   Opportunistic DANE TLS.  The TLS policy for the  destination  is
7981              obtained  via  TLSA  records  in DNSSEC.  If no TLSA records are
7982              found, the effective  security  level  used  is  may.   If  TLSA
7983              records  are  found, but none are usable, the effective security
7984              level is encrypt.  When usable TLSA records are obtained for the
7985              remote  SMTP  server, the server certificate must match the TLSA
7986              records.  RFC 7672 (DANE) TLS authentication and DNSSEC  support
7987              is  available with Postfix 2.11 and later. The optional "connec‐
7988              tion_reuse" attribute (Postfix >=  3.4)  overrides  the  main.cf
7989              smtp_tls_connection_reuse parameter.
7990
7991       dane-only
7992              Mandatory  DANE  TLS.   The  TLS  policy  for the destination is
7993              obtained via TLSA records in DNSSEC.  If  no  TLSA  records  are
7994              found,  or none are usable, no connection is made to the server.
7995              When usable TLSA  records  are  obtained  for  the  remote  SMTP
7996              server, the server certificate must match the TLSA records.  RFC
7997              7672 (DANE) TLS authentication and DNSSEC support  is  available
7998              with  Postfix  2.11  and  later. The optional "connection_reuse"
7999              attribute (Postfix >= 3.4) overrides the  main.cf  smtp_tls_con‐
8000              nection_reuse parameter.
8001
8002       fingerprint
8003              Certificate fingerprint verification. Available with Postfix 2.5
8004              and later. At this security level, there are no trusted Certifi‐
8005              cation  Authorities.  The  certificate  trust  chain, expiration
8006              date,  ...  are  not  checked.  Instead,  the   optional   match
8007              attribute,  or  else the main.cf smtp_tls_fingerprint_cert_match
8008              parameter, lists the certificate fingerprints or the public  key
8009              fingerprint (Postfix 2.9 and later) of the valid server certifi‐
8010              cate. The digest algorithm used to calculate the fingerprint  is
8011              selected  by the smtp_tls_fingerprint_digest parameter. Multiple
8012              fingerprints can be combined with a "|" delimiter  in  a  single
8013              match  attribute,  or multiple match attributes can be employed.
8014              The ":" character is not  used  as  a  delimiter  as  it  occurs
8015              between  each  pair  of  fingerprint  (hexadecimal)  digits. The
8016              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8017              the main.cf smtp_tls_connection_reuse parameter.
8018
8019       verify Mandatory  TLS  verification.   At  this  security level, DNS MX
8020              lookups are trusted to be secure enough, and the  name  verified
8021              in  the  server  certificate  is usually obtained indirectly via
8022              unauthenticated DNS MX lookups.  The optional "match"  attribute
8023              overrides  the  main.cf smtp_tls_verify_cert_match parameter. In
8024              the policy table, multiple match patterns and strategies must be
8025              separated by colons.  In practice explicit control over matching
8026              is more common with the "secure" policy,  described  below.  The
8027              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8028              the main.cf smtp_tls_connection_reuse parameter.
8029
8030       secure Secure-channel TLS. At this  security  level,  DNS  MX  lookups,
8031              though  potentially  used  to  determine  the candidate next-hop
8032              gateway IP addresses, are not trusted to be  secure  enough  for
8033              TLS peername verification. Instead, the default name verified in
8034              the server certificate is obtained directly from  the  next-hop,
8035              or  is  explicitly  specified  via  the optional match attribute
8036              which overrides the main.cf  smtp_tls_secure_cert_match  parame‐
8037              ter. In the policy table, multiple match patterns and strategies
8038              must be separated by colons.  The match attribute is most useful
8039              when multiple domains are supported by common server, the policy
8040              entries for additional domains specify matching  rules  for  the
8041              primary  domain  certificate.  While  transport  table overrides
8042              routing the secondary domains to the primary nexthop also  allow
8043              secure verification, they risk delivery to the wrong destination
8044              when domains change hands or are re-assigned  to  new  gateways.
8045              With  the  "match" attribute approach, routing is not perturbed,
8046              and mail is deferred if verification of a new MX host fails. The
8047              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8048              the main.cf smtp_tls_connection_reuse parameter.
8049
8050       Example:
8051
8052       /etc/postfix/main.cf:
8053           smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8054           # Postfix 2.5 and later
8055           smtp_tls_fingerprint_digest = md5
8056
8057       /etc/postfix/tls_policy:
8058           example.edu                 none
8059           example.mil                 may
8060           example.gov                 encrypt protocols=TLSv1
8061           example.com                 verify ciphers=high
8062           example.net                 secure
8063           .example.net                secure match=.example.net:example.net
8064           [mail.example.org]:587      secure match=nexthop
8065           # Postfix 2.5 and later
8066           [thumb.example.org]          fingerprint
8067               match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8068               match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8069
8070       Note: The hostname strategy if  listed  in  a  non-default  setting  of
8071       smtp_tls_secure_cert_match  or in the match attribute in the policy ta‐
8072       ble can render the secure level vulnerable to DNS forgery. Do  not  use
8073       the hostname strategy for secure-channel configurations in environments
8074       where DNS security is not assured.
8075
8076       This feature is available in Postfix 2.3 and later.
8077

smtp_tls_protocols (default: !SSLv2, !SSLv3)

8079       List of TLS protocols that the Postfix  SMTP  client  will  exclude  or
8080       include  with  opportunistic  TLS  encryption.  The  default  value  is
8081       "!SSLv2, !SSLv3"  for  Postfix  releases  after  the  middle  of  2015,
8082       "!SSLv2"  for  older  releases.  Before  Postfix  2.6, the Postfix SMTP
8083       client would use all protocols with opportunistic TLS.
8084
8085       In main.cf the values are separated by whitespace, commas or colons. In
8086       the policy table (see smtp_tls_policy_maps) the only valid separator is
8087       colon. An empty value means allow all  protocols.  The  valid  protocol
8088       names, (see \fBfBSSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".
8089
8090       The range of protocols advertised by an SSL/TLS client must be contigu‐
8091       ous.  When a protocol version is enabled, disabling any higher  version
8092       implicitly  disables all versions above that higher version.  Thus, for
8093       example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
8094
8095           smtp_tls_protocols = !SSLv2, !TLSv1
8096       also disables any protocols version  higher  than  TLSv1  leaving  only
8097       "SSLv3" enabled.
8098
8099       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
8100       "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all  versions
8101       of  Postfix  >=  2.10  can  explicitly disable support for "TLSv1.1" or
8102       "TLSv1.2"
8103
8104       OpenSSL 1.1.1 introduces support for "TLSv1.3".  With  Postfix  >=  3.4
8105       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
8106       abled, if need be, via "!TLSv1.3".
8107
8108       To include a protocol list its name, to exclude  it,  prefix  the  name
8109       with  a  "!"  character.  To  exclude  SSLv2  for opportunistic TLS set
8110       "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3"  set
8111       "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
8112       to include, rather than protocols to exclude,  is  supported,  but  not
8113       recommended.   The  exclusion  form more closely matches the underlying
8114       OpenSSL interface semantics.
8115
8116       Example:
8117       # TLSv1 or better:
8118       smtp_tls_protocols = !SSLv2, !SSLv3
8119
8120       This feature is available in Postfix 2.6 and later.
8121

smtp_tls_scert_verifydepth (default: 9)

8123       The verification depth for remote SMTP server certificates. A depth  of
8124       1 is sufficient if the issuing CA is listed in a local CA file.
8125
8126       The  default verification depth is 9 (the OpenSSL default) for compati‐
8127       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
8128       value  was  5, but the limit was not actually enforced. If you have set
8129       this to a lower  non-default  value,  certificates  with  longer  trust
8130       chains  may  now fail to verify. Certificate chains with 1 or 2 CAs are
8131       common, deeper chains are more rare and any  number  between  5  and  9
8132       should suffice in practice. You can choose a lower number if, for exam‐
8133       ple, you trust certificates directly signed by an issuing  CA  but  not
8134       any CAs it delegates to.
8135
8136       This feature is available in Postfix 2.2 and later.
8137

smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)

8139       How  the  Postfix  SMTP client verifies the server certificate peername
8140       for the "secure" TLS security level. In a  "secure"  TLS  policy  table
8141       ($smtp_tls_policy_maps)  entry the optional "match" attribute overrides
8142       this main.cf setting.
8143
8144       This parameter specifies one or more patterns or  strategies  separated
8145       by  commas,  whitespace  or colons.  In the policy table the only valid
8146       separator is the colon character.
8147
8148       For  a  description  of  the  pattern  and  strategy  syntax  see   the
8149       smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
8150       avoided in this context, as in the absence  of  a  secure  global  DNS,
8151       using  the  results  of  MX  lookups in certificate verification is not
8152       immune to active (man-in-the-middle) attacks on DNS.
8153
8154       Sample main.cf setting:
8155
8156           smtp_tls_secure_cert_match = nexthop
8157
8158       Sample policy table override:
8159
8160           example.net     secure match=example.com:.example.com
8161           .example.net    secure match=example.com:.example.com
8162
8163       This feature is available in Postfix 2.3 and later.
8164

smtp_tls_security_level (default: empty)

8166       The default SMTP TLS security level for the Postfix SMTP client; when a
8167       non-empty  value  is  specified, this overrides the obsolete parameters
8168       smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
8169
8170       Specify one of the following security levels:
8171
8172       none   No TLS. TLS will not be used unless enabled for specific  desti‐
8173              nations via smtp_tls_policy_maps.
8174
8175       may    Opportunistic  TLS.  Use  TLS if this is supported by the remote
8176              SMTP server, otherwise use plaintext. Since sending in the clear
8177              is  acceptable,  demanding  stronger  than  default TLS security
8178              merely reduces  interoperability.   The  "smtp_tls_ciphers"  and
8179              "smtp_tls_protocols"  (Postfix  >= 2.6) configuration parameters
8180              provide control over the protocols and cipher  grade  used  with
8181              opportunistic  TLS.  With earlier releases the opportunistic TLS
8182              cipher grade is always "export" and no protocols  are  disabled.
8183              When  TLS  handshakes  fail,  the connection is retried with TLS
8184              disabled.  This allows mail delivery to sites with  non-interop‐
8185              erable TLS implementations.
8186
8187       encrypt
8188              Mandatory  TLS  encryption. Since a minimum level of security is
8189              intended, it is reasonable to  be  specific  about  sufficiently
8190              secure protocol versions and ciphers. At this security level and
8191              higher, the main.cf parameters smtp_tls_mandatory_protocols  and
8192              smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
8193              cipher grade which the administrator considers secure enough for
8194              mandatory  encrypted  sessions.  This  security  level is not an
8195              appropriate default for systems delivering mail to the Internet.
8196
8197       dane   Opportunistic DANE TLS.  At this security level, the TLS  policy
8198              for  the destination is obtained via DNSSEC.  For TLSA policy to
8199              be in effect, the destination domain's containing DNS zone  must
8200              be signed and the Postfix SMTP client's operating system must be
8201              configured to send its DNS queries to a recursive DNS nameserver
8202              that is able to validate the signed records.  Each MX host's DNS
8203              zone should also be signed, and should publish  DANE  TLSA  (RFC
8204              7672) records that specify how that MX host's TLS certificate is
8205              to be verified.  TLSA records do not preempt the normal SMTP  MX
8206              host selection algorithm, if some MX hosts support TLSA and oth‐
8207              ers do not, TLS security will vary from  delivery  to  delivery.
8208              It  is  up  to  the domain owner to configure their MX hosts and
8209              their DNS sensibly.  To configure the Postfix  SMTP  client  for
8210              DNSSEC  lookups  see  the  documentation  for  the smtp_dns_sup‐
8211              port_level  main.cf  parameter.   When   DNSSEC-validated   TLSA
8212              records are not found the effective tls security level is "may".
8213              When TLSA records are found, but are all unusable the  effective
8214              security  level  is  "encrypt".   For  purposes  of protocol and
8215              cipher selection, the "dane" security level is  treated  like  a
8216              "mandatory"  TLS  security level, and weak ciphers and protocols
8217              are disabled.  Since DANE authenticates server certificates  the
8218              "aNULL"  cipher-suites are transparently excluded at this level,
8219              no need to configure this manually.  RFC 7672 (DANE) TLS authen‐
8220              tication is available with Postfix 2.11 and later.
8221
8222       dane-only
8223              Mandatory  DANE  TLS.   This is just like "dane" above, but DANE
8224              TLSA authentication is required.  There is no fallback to  "may"
8225              or  "encrypt"  when  TLSA  records are missing or unusable.  RFC
8226              7672 (DANE) TLS authentication is available  with  Postfix  2.11
8227              and later.
8228
8229       fingerprint
8230              Certificate  fingerprint  verification.  At this security level,
8231              there are no trusted Certification Authorities.  The certificate
8232              trust  chain,  expiration  date, etc., are not checked. Instead,
8233              the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
8234              cate  fingerprint  or  public  key  fingerprint (Postfix 2.9 and
8235              later) of the valid server  certificate.  The  digest  algorithm
8236              used   to   calculate   the   fingerprint  is  selected  by  the
8237              smtp_tls_fingerprint_digest parameter.  Available  with  Postfix
8238              2.5 and later.
8239
8240       verify Mandatory  TLS  verification.  At  this  security  level, DNS MX
8241              lookups are trusted to be secure enough, and the  name  verified
8242              in  the  server  certificate  is usually obtained indirectly via
8243              unauthenticated DNS MX lookups.  The  smtp_tls_verify_cert_match
8244              parameter  controls how the server name is verified. In practice
8245              explicit control over matching is more common  at  the  "secure"
8246              level,  described below. This security level is not an appropri‐
8247              ate default for systems delivering mail to the Internet.
8248
8249       secure Secure-channel TLS.  At this security  level,  DNS  MX  lookups,
8250              though  potentially  used  to  determine  the candidate next-hop
8251              gateway IP addresses, are not trusted to be  secure  enough  for
8252              TLS peername verification. Instead, the default name verified in
8253              the server certificate is obtained from the next-hop  domain  as
8254              specified in the smtp_tls_secure_cert_match configuration param‐
8255              eter. The default matching rule is  that  a  server  certificate
8256              matches when its name is equal to or is a sub-domain of the nex‐
8257              thop domain. This security level is not an  appropriate  default
8258              for systems delivering mail to the Internet.
8259
8260       Examples:
8261
8262       # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8263       smtp_tls_security_level = none
8264
8265       # Opportunistic TLS.
8266       smtp_tls_security_level = may
8267       # Postfix >= 2.6:
8268       # Do not tweak opportunistic ciphers or protocol unless it is essential
8269       # to do so (if a security vulnerability is found in the SSL library that
8270       # can be mitigated by disabling a particular protocol or raising the
8271       # cipher grade from "export" to "low" or "medium").
8272       smtp_tls_ciphers = export
8273       smtp_tls_protocols = !SSLv2, !SSLv3
8274
8275       # Mandatory (high-grade) TLS encryption.
8276       smtp_tls_security_level = encrypt
8277       smtp_tls_mandatory_ciphers = high
8278
8279       # Mandatory TLS verification of hostname or nexthop domain.
8280       smtp_tls_security_level = verify
8281       smtp_tls_mandatory_ciphers = high
8282       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8283
8284       # Secure channel TLS with exact nexthop name match.
8285       smtp_tls_security_level = secure
8286       smtp_tls_mandatory_protocols = TLSv1
8287       smtp_tls_mandatory_ciphers = high
8288       smtp_tls_secure_cert_match = nexthop
8289
8290       # Certificate fingerprint verification (Postfix >= 2.5).
8291       # The CA-less "fingerprint" security level only scales to a limited
8292       # number of destinations. As a global default rather than a per-site
8293       # setting, this is practical when mail for all recipients is sent
8294       # to a central mail hub.
8295       relayhost = [mailhub.example.com]
8296       smtp_tls_security_level = fingerprint
8297       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8298       smtp_tls_mandatory_ciphers = high
8299       smtp_tls_fingerprint_cert_match =
8300           3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8301           EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8302
8303       This feature is available in Postfix 2.3 and later.
8304

smtp_tls_servername (default: empty)

8306       Optional  name to send to the remote SMTP server in the TLS Server Name
8307       Indication (SNI) extension.  The SNI extension is always on  when  DANE
8308       is  used to authenticate the server, and in that case the SNI name sent
8309       is the one required by RFC7672 and this parameter is ignored.
8310
8311       Some SMTP servers use the received SNI name to  select  an  appropriate
8312       certificate  chain  to  present  to the client.  While this may improve
8313       interoperability with such servers, it may reduce interoperability with
8314       other  servers that choose to abort the connection when they don't have
8315       a certificate chain configured for the requested  name.   Such  servers
8316       should  select  a default certificate chain and continue the handshake,
8317       but some may not.  Therefore, absent DANE,  no  SNI  name  is  sent  by
8318       default.
8319
8320       The  SNI  name  must be either a valid DNS hostname, or else one of the
8321       special values hostname or nexthop,  which  select  either  the  remote
8322       hostname or the nexthop domain respectively.  DNS names for SNI must be
8323       in A-label (punycode) form.  Invalid  DNS  names  log  a  configuration
8324       error warning and mail delivery is deferred.
8325
8326       Except  when  using a relayhost to forward all email, the only sensible
8327       non-empty main.cf  setting  for  this  parameter  is  hostname.   Other
8328       non-empty  values are only practical on a per-destination basis via the
8329       servername attribute of the Postfix TLS policy table.  When  in  doubt,
8330       leave  this  parameter  empty,  and  configure  per-destination  SNI as
8331       needed.
8332
8333       This feature is available in Postfix 3.4 and later.
8334

smtp_tls_session_cache_database (default: empty)

8336       Name of the file containing the optional Postfix SMTP client  TLS  ses‐
8337       sion  cache. Specify a database type that supports enumeration, such as
8338       btree or sdbm; there is no need to support concurrent access.  The file
8339       is  created  if it does not exist. The smtp(8) daemon does not use this
8340       parameter directly, rather the cache is implemented indirectly  in  the
8341       tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8342       of this parameter are not effective.  Note,  that  each  of  the  cache
8343       databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
8344       base, $smtp_tls_session_cache_database (and with Postfix 2.3 and  later
8345       $lmtp_tls_session_cache_database), needs to be stored separately. It is
8346       not at this time possible to store multiple caches in  a  single  data‐
8347       base.
8348
8349       Note:  dbm  databases  are  not  suitable.  TLS session objects are too
8350       large.
8351
8352       As of version 2.5, Postfix no longer uses root privileges when  opening
8353       this  file.  The  file  should  now  be  stored under the Postfix-owned
8354       data_directory. As a migration aid, an attempt to open the file under a
8355       non-Postfix  directory  is  redirected to the Postfix-owned data_direc‐
8356       tory, and a warning is logged.
8357
8358       Example:
8359
8360       smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8361
8362       This feature is available in Postfix 2.2 and later.
8363

smtp_tls_session_cache_timeout (default: 3600s)

8365       The expiration time of Postfix SMTP client TLS session  cache  informa‐
8366       tion.   A  cache cleanup is performed periodically every $smtp_tls_ses‐
8367       sion_cache_timeout seconds. As  with  $smtp_tls_session_cache_database,
8368       this  parameter  is  implemented  in the tlsmgr(8) daemon and therefore
8369       per-smtp-instance master.cf overrides are not possible.
8370
8371       As of Postfix 2.11 this setting cannot exceed 100 days.  If set  <=  0,
8372       session  caching  is  disabled.  If set to a positive value less than 2
8373       minutes, the minimum value of 2 minutes is used instead.
8374
8375       This feature is available in Postfix 2.2 and later.
8376

smtp_tls_trust_anchor_file (default: empty)

8378       Zero or more PEM-format files  with  trust-anchor  certificates  and/or
8379       public  keys.  If the parameter is not empty the root CAs in CAfile and
8380       CApath are no longer trusted.  Rather, the  Postfix  SMTP  client  will
8381       only  trust  certificate-chains signed by one of the trust-anchors con‐
8382       tained in the chosen files.  The  specified  trust-anchor  certificates
8383       and  public  keys  are  not  subject  to  expiration,  and  need not be
8384       (self-signed) root CAs.  They may, if desired, be intermediate certifi‐
8385       cates.  Therefore, these certificates also may be found "in the middle"
8386       of the trust chain  presented  by  the  remote  SMTP  server,  and  any
8387       untrusted  issuing parent certificates will be ignored.  Specify a list
8388       of pathnames separated by comma or whitespace.
8389
8390       Whether specified in  main.cf,  or  on  a  per-destination  basis,  the
8391       trust-anchor  PEM file must be accessible to the Postfix SMTP client in
8392       the chroot jail if applicable.  The trust-anchor  file  should  contain
8393       only certificates and public keys, no private key material, and must be
8394       readable by the non-privileged $mail_owner user.  This allows  destina‐
8395       tions  to  be  bound  to  a  set of specific CAs or public keys without
8396       trusting the same CAs for all destinations.
8397
8398       The main.cf parameter  supports  single-purpose  Postfix  installations
8399       that  send  mail  to  a  fixed  set  of  SMTP peers.  At most sites, if
8400       trust-anchor files are used  at  all,  they  will  be  specified  on  a
8401       per-destination  basis  via  the "tafile" attribute of the "verify" and
8402       "secure" levels in smtp_tls_policy_maps.
8403
8404       The underlying mechanism is in support of RFC 7672 (DANE  TLSA),  which
8405       defines  mechanisms for an SMTP client MTA to securely determine server
8406       TLS certificates via DNS.
8407
8408       If you want your trust anchors to be public keys, with OpenSSL you  can
8409       extract a single PEM public key from a PEM X.509 file containing a sin‐
8410       gle certificate, as follows:
8411
8412           $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8413
8414       This feature is available in Postfix 2.11 and later.
8415

smtp_tls_verify_cert_match (default: hostname)

8417       How the Postfix SMTP client verifies the  server  certificate  peername
8418       for  the  "verify"  TLS  security level. In a "verify" TLS policy table
8419       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
8420       this main.cf setting.
8421
8422       This  parameter  specifies one or more patterns or strategies separated
8423       by commas, whitespace or colons.  In the policy table  the  only  valid
8424       separator is the colon character.
8425
8426       Patterns specify domain names, or domain name suffixes:
8427
8428       example.com
8429              Match  the  example.com domain, i.e. one of the names the server
8430              certificate must be example.com, upper and lower  case  distinc‐
8431              tions are ignored.
8432
8433       .example.com
8434              Match subdomains of the example.com domain, i.e. match a name in
8435              the server certificate that consists of  a  non-zero  number  of
8436              labels  followed by a .example.com suffix. Case distinctions are
8437              ignored.
8438
8439       Strategies specify a transformation from the  next-hop  domain  to  the
8440       expected name in the server certificate:
8441
8442       nexthop
8443              Match against the next-hop domain, which is either the recipient
8444              domain, or the transport  next-hop  configured  for  the  domain
8445              stripped  of  any  optional socket type prefix, enclosing square
8446              brackets and trailing port. When MX lookups are not  suppressed,
8447              this  is the original nexthop domain prior to the MX lookup, not
8448              the result of the MX lookup. For LMTP delivery  via  UNIX-domain
8449              sockets, the verified next-hop name is $myhostname.  This strat‐
8450              egy is suitable for  use  with  the  "secure"  policy.  Case  is
8451              ignored.
8452
8453       dot-nexthop
8454              As above, but match server certificate names that are subdomains
8455              of the next-hop domain. Case is ignored.
8456
8457       hostname
8458              Match against the hostname of the server, often obtained via  an
8459              unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8460              sockets, the verified name is $myhostname. This matches the ver‐
8461              ification  strategy  of  the  "MUST"  keyword  in  the  obsolete
8462              smtp_tls_per_site table, and is suitable for use with the  "ver‐
8463              ify"  security  level.  When  the  next-hop  name is enclosed in
8464              square brackets to suppress MX lookups, the "hostname"  strategy
8465              is the same as the "nexthop" strategy. Case is ignored.
8466
8467       Sample main.cf setting:
8468
8469       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8470
8471       Sample policy table override:
8472
8473       example.com     verify  match=hostname:nexthop
8474       .example.com    verify  match=example.com:.example.com:hostname
8475
8476       This feature is available in Postfix 2.3 and later.
8477

smtp_tls_wrappermode (default: no)

8479       Request  that  the  Postfix SMTP client connects using the legacy SMTPS
8480       protocol instead of using the STARTTLS command.
8481
8482       This mode requires "smtp_tls_security_level = encrypt" or stronger.
8483
8484       Example: deliver all remote mail via a  provider's  server  "mail.exam‐
8485       ple.com".
8486
8487       /etc/postfix/main.cf:
8488           # Client-side SMTPS requires "encrypt" or stronger.
8489           smtp_tls_security_level = encrypt
8490           smtp_tls_wrappermode = yes
8491           # The [] suppress MX lookups.
8492           relayhost = [mail.example.com]:465
8493
8494       More  examples  are in TLS_README, including examples for older Postfix
8495       versions.
8496
8497       This feature is available in Postfix 3.0 and later.
8498

smtp_use_tls (default: no)

8500       Opportunistic mode: use TLS when a remote SMTP server announces  START‐
8501       TLS  support,  otherwise  send the mail in the clear. Beware: some SMTP
8502       servers offer STARTTLS even if it is not configured.   With  Postfix  <
8503       2.3,  if  the  TLS  handshake  fails, and no other server is available,
8504       delivery is deferred and mail stays in the queue. If this is a  concern
8505       for you, use the smtp_tls_per_site feature instead.
8506
8507       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
8508       and later use smtp_tls_security_level instead.
8509

smtp_xforward_timeout (default: 300s)

8511       The Postfix SMTP client time limit for sending  the  XFORWARD  command,
8512       and for receiving the remote SMTP server response.
8513
8514       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
8515       The default time unit is s (seconds).
8516
8517       This feature is available in Postfix 2.1 and later.
8518

smtpd_authorized_verp_clients (default: $authorized_verp_clients)

8520       What remote SMTP clients are allowed  to  specify  the  XVERP  command.
8521       This  command  requests  that mail be delivered one recipient at a time
8522       with a per recipient return address.
8523
8524       By default, no clients are allowed to specify XVERP.
8525
8526       This parameter was renamed with Postfix version 2.1. The default  value
8527       is backwards compatible with Postfix version 2.0.
8528
8529       Specify  a list of network/netmask patterns, separated by commas and/or
8530       whitespace. The mask specifies the number of bits in the  network  part
8531       of a host address. You can also specify hostnames or .domain names (the
8532       initial  dot  causes  the  domain  to  match  any   name   below   it),
8533       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
8534       replaced by its contents; a "type:table" lookup table is matched when a
8535       table  entry  matches  a  lookup string (the lookup result is ignored).
8536       Continue long lines by starting the next line with whitespace.  Specify
8537       "!pattern"  to  exclude  an address or network block from the list. The
8538       form "!/file/name" is supported only in Postfix version 2.4 and later.
8539
8540       Note: IP version 6 address information must be specified inside  []  in
8541       the  smtpd_authorized_verp_clients  value,  and in files specified with
8542       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
8543       would otherwise be confused with a "type:table" pattern.
8544

smtpd_authorized_xclient_hosts (default: empty)

8546       What  remote SMTP clients are allowed to use the XCLIENT feature.  This
8547       command overrides remote SMTP  client  information  that  is  used  for
8548       access  control.  Typical use is for SMTP-based content filters, fetch‐
8549       mail-like programs,  or  SMTP  server  access  rule  testing.  See  the
8550       XCLIENT_README document for details.
8551
8552       This feature is available in Postfix 2.1 and later.
8553
8554       By default, no clients are allowed to specify XCLIENT.
8555
8556       Specify  a list of network/netmask patterns, separated by commas and/or
8557       whitespace. The mask specifies the number of bits in the  network  part
8558       of a host address. You can also specify hostnames or .domain names (the
8559       initial  dot  causes  the  domain  to  match  any   name   below   it),
8560       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
8561       replaced by its contents; a "type:table" lookup table is matched when a
8562       table  entry  matches  a  lookup string (the lookup result is ignored).
8563       Continue long lines by starting the next line with whitespace.  Specify
8564       "!pattern"  to  exclude  an address or network block from the list. The
8565       form "!/file/name" is supported only in Postfix version 2.4 and later.
8566
8567       Note: IP version 6 address information must be specified inside  []  in
8568       the  smtpd_authorized_xclient_hosts  value, and in files specified with
8569       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
8570       would otherwise be confused with a "type:table" pattern.
8571

smtpd_authorized_xforward_hosts (default: empty)

8573       What remote SMTP clients are allowed to use the XFORWARD feature.  This
8574       command forwards information that is  used  to  improve  logging  after
8575       SMTP-based  content  filters.  See  the  XFORWARD_README  document  for
8576       details.
8577
8578       This feature is available in Postfix 2.1 and later.
8579
8580       By default, no clients are allowed to specify XFORWARD.
8581
8582       Specify a list of network/netmask patterns, separated by commas  and/or
8583       whitespace.  The  mask specifies the number of bits in the network part
8584       of a host address. You can also specify hostnames or .domain names (the
8585       initial   dot   causes   the  domain  to  match  any  name  below  it),
8586       "/file/name" or  "type:table"  patterns.   A  "/file/name"  pattern  is
8587       replaced by its contents; a "type:table" lookup table is matched when a
8588       table entry matches a lookup string (the  lookup  result  is  ignored).
8589       Continue  long lines by starting the next line with whitespace. Specify
8590       "!pattern" to exclude an address or network block from  the  list.  The
8591       form "!/file/name" is supported only in Postfix version 2.4 and later.
8592
8593       Note:  IP  version 6 address information must be specified inside [] in
8594       the smtpd_authorized_xforward_hosts value, and in files specified  with
8595       "/file/name".   IP  version  6 addresses contain the ":" character, and
8596       would otherwise be confused with a "type:table" pattern.
8597

smtpd_banner (default: $myhostname ESMTP $mail_name)

8599       The text that follows the 220 status code in the SMTP greeting  banner.
8600       Some  people like to see the mail version advertised. By default, Post‐
8601       fix shows no version.
8602
8603       You MUST specify $myhostname at the start of the text. This is required
8604       by the SMTP protocol.
8605
8606       Example:
8607
8608       smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8609

smtpd_client_auth_rate_limit (default: 0)

8611       The  maximal number of AUTH commands that any client is allowed to send
8612       to this service per time unit, regardless of  whether  or  not  Postfix
8613       actually  accepts  those commands.  The time unit is specified with the
8614       anvil_rate_time_unit configuration parameter.
8615
8616       By default, there is no limit on the number AUTH commands that a client
8617       may send.
8618
8619       To disable this feature, specify a limit of 0.
8620
8621       WARNING:  The purpose of this feature is to limit abuse. It must not be
8622       used to regulate legitimate mail traffic.
8623
8624       This feature is available in Postfix 3.1 and later.
8625

smtpd_client_connection_count_limit (default: 50)

8627       How many simultaneous connections any client is allowed to make to this
8628       service.   By  default,  the  limit  is set to half the default process
8629       limit value.
8630
8631       To disable this feature, specify a limit of 0.
8632
8633       WARNING: The purpose of this feature is to limit abuse. It must not  be
8634       used to regulate legitimate mail traffic.
8635
8636       This feature is available in Postfix 2.2 and later.
8637

smtpd_client_connection_rate_limit (default: 0)

8639       The maximal number of connection attempts any client is allowed to make
8640       to this service per time unit.  The time unit  is  specified  with  the
8641       anvil_rate_time_unit configuration parameter.
8642
8643       By  default,  a  client  can  make as many connections per time unit as
8644       Postfix can accept.
8645
8646       To disable this feature, specify a limit of 0.
8647
8648       WARNING: The purpose of this feature is to limit abuse. It must not  be
8649       used to regulate legitimate mail traffic.
8650
8651       This feature is available in Postfix 2.2 and later.
8652
8653       Example:
8654
8655       smtpd_client_connection_rate_limit = 1000
8656

smtpd_client_event_limit_exceptions (default: $mynetworks)

8658       Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8659       tions. See the mynetworks parameter description for the parameter value
8660       syntax.
8661
8662       By default, clients in trusted networks are excluded. Specify a list of
8663       network blocks, hostnames or .domain names (the initial dot causes  the
8664       domain to match any name below it).
8665
8666       Note:  IP  version 6 address information must be specified inside [] in
8667       the smtpd_client_event_limit_exceptions value, and in  files  specified
8668       with  "/file/name".   IP version 6 addresses contain the ":" character,
8669       and would otherwise be confused with a "type:table" pattern.
8670
8671       Pattern matching of domain names  is  controlled  by  the  presence  or
8672       absence    of   "smtpd_client_event_limit_exceptions"   in   the   par‐
8673       ent_domain_matches_subdomains parameter value (postfix 3.0 and later).
8674
8675       This feature is available in Postfix 2.2 and later.
8676

smtpd_client_message_rate_limit (default: 0)

8678       The maximal number of message delivery  requests  that  any  client  is
8679       allowed to make to this service per time unit, regardless of whether or
8680       not Postfix actually accepts those messages.  The time unit  is  speci‐
8681       fied with the anvil_rate_time_unit configuration parameter.
8682
8683       By  default,  a  client  can send as many message delivery requests per
8684       time unit as Postfix can accept.
8685
8686       To disable this feature, specify a limit of 0.
8687
8688       WARNING: The purpose of this feature is to limit abuse. It must not  be
8689       used to regulate legitimate mail traffic.
8690
8691       This feature is available in Postfix 2.2 and later.
8692
8693       Example:
8694
8695       smtpd_client_message_rate_limit = 1000
8696

smtpd_client_new_tls_session_rate_limit (default: 0)

8698       The  maximal  number of new (i.e., uncached) TLS sessions that a remote
8699       SMTP client is allowed to negotiate with this service  per  time  unit.
8700       The  time unit is specified with the anvil_rate_time_unit configuration
8701       parameter.
8702
8703       By default, a remote SMTP client can negotiate as many new TLS sessions
8704       per time unit as Postfix can accept.
8705
8706       To  disable  this  feature,  specify a limit of 0. Otherwise, specify a
8707       limit that is at least the per-client concurrent session limit, or else
8708       legitimate client sessions may be rejected.
8709
8710       WARNING:  The purpose of this feature is to limit abuse. It must not be
8711       used to regulate legitimate mail traffic.
8712
8713       This feature is available in Postfix 2.3 and later.
8714
8715       Example:
8716
8717       smtpd_client_new_tls_session_rate_limit = 100
8718

smtpd_client_port_logging (default: no)

8720       Enable logging of the remote SMTP client port in addition to the  host‐
8721       name and IP address. The logging format is "host[address]:port".
8722
8723       This feature is available in Postfix 2.5 and later.
8724

smtpd_client_recipient_rate_limit (default: 0)

8726       The maximal number of recipient addresses that any client is allowed to
8727       send to this service per time unit, regardless of whether or not  Post‐
8728       fix actually accepts those recipients.  The time unit is specified with
8729       the anvil_rate_time_unit configuration parameter.
8730
8731       By default, a client can send as many recipient addresses per time unit
8732       as Postfix can accept.
8733
8734       To disable this feature, specify a limit of 0.
8735
8736       WARNING:  The purpose of this feature is to limit abuse. It must not be
8737       used to regulate legitimate mail traffic.
8738
8739       This feature is available in Postfix 2.2 and later.
8740
8741       Example:
8742
8743       smtpd_client_recipient_rate_limit = 1000
8744

smtpd_client_restrictions (default: empty)

8746       Optional restrictions that the Postfix SMTP server applies in the  con‐
8747       text  of a client connection request.  See SMTPD_ACCESS_README, section
8748       "Delayed evaluation of SMTP access restriction lists" for a  discussion
8749       of evaluation context and time.
8750
8751       The default is to allow all connection requests.
8752
8753       Specify  a list of restrictions, separated by commas and/or whitespace.
8754       Continue  long  lines  by  starting  the  next  line  with  whitespace.
8755       Restrictions  are applied in the order as specified; the first restric‐
8756       tion that matches wins.
8757
8758       The following restrictions are specific to client  hostname  or  client
8759       network address information.
8760
8761       check_ccert_access type:table
8762              Use the remote SMTP client certificate fingerprint or the public
8763              key fingerprint (Postfix 2.9 and later) as lookup  key  for  the
8764              specified  access(5)  database;  with  Postfix version 2.2, also
8765              require that the remote SMTP client certificate is verified suc‐
8766              cessfully.  The fingerprint digest algorithm is configurable via
8767              the smtpd_tls_fingerprint_digest parameter  (hard-coded  as  md5
8768              prior  to  Postfix version 2.5).  This feature is available with
8769              Postfix version 2.2 and later.
8770
8771       check_client_access type:table
8772              Search the specified access database for  the  client  hostname,
8773              parent  domains,  client  IP  address,  or  networks obtained by
8774              stripping least significant octets.  See  the  access(5)  manual
8775              page for details.
8776
8777       check_client_a_access type:table
8778              Search the specified access(5) database for the IP addresses for
8779              the client  hostname,  and  execute  the  corresponding  action.
8780              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
8781              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
8782              blacklists.  This feature is available in Postfix 3.0 and later.
8783
8784       check_client_mx_access type:table
8785              Search the specified access(5) database for the MX hosts for the
8786              client hostname, and execute the corresponding action.  Note:  a
8787              result  of  "OK" is not allowed for safety reasons. Instead, use
8788              DUNNO in order to exclude specific hosts from blacklists.   This
8789              feature is available in Postfix 2.7 and later.
8790
8791       check_client_ns_access type:table
8792              Search  the specified access(5) database for the DNS servers for
8793              the client  hostname,  and  execute  the  corresponding  action.
8794              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
8795              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
8796              blacklists.  This feature is available in Postfix 2.7 and later.
8797
8798       check_reverse_client_hostname_access type:table
8799              Search  the specified access database for the unverified reverse
8800              client hostname, parent domains, client IP address, or  networks
8801              obtained   by   stripping  least  significant  octets.  See  the
8802              access(5) manual page for details.  Note: a result  of  "OK"  is
8803              not  allowed for safety reasons.  Instead, use DUNNO in order to
8804              exclude specific hosts from blacklists.  This feature is  avail‐
8805              able in Postfix 2.6 and later.
8806
8807       check_reverse_client_hostname_a_access type:table
8808              Search the specified access(5) database for the IP addresses for
8809              the unverified reverse client hostname, and execute  the  corre‐
8810              sponding  action.   Note:  a  result  of "OK" is not allowed for
8811              safety reasons.  Instead, use DUNNO in order to exclude specific
8812              hosts from blacklists.  This feature is available in Postfix 3.0
8813              and later.
8814
8815       check_reverse_client_hostname_mx_access type:table
8816              Search the specified access(5) database for the MX hosts for the
8817              unverified  reverse client hostname, and execute the correspond‐
8818              ing action.  Note: a result of "OK" is not  allowed  for  safety
8819              reasons.   Instead, use DUNNO in order to exclude specific hosts
8820              from blacklists.  This feature is available in Postfix  2.7  and
8821              later.
8822
8823       check_reverse_client_hostname_ns_access type:table
8824              Search  the specified access(5) database for the DNS servers for
8825              the unverified reverse client hostname, and execute  the  corre‐
8826              sponding  action.   Note:  a  result  of "OK" is not allowed for
8827              safety reasons.  Instead, use DUNNO in order to exclude specific
8828              hosts from blacklists.  This feature is available in Postfix 2.7
8829              and later.
8830
8831       check_sasl_access type:table
8832              Use the remote SMTP client SASL user name as lookup key for  the
8833              specified access(5) database. The lookup key has the form "user‐
8834              name@domainname"  when  the  smtpd_sasl_local_domain   parameter
8835              value  is  non-empty.   Unlike  the check_client_access feature,
8836              check_sasl_access does not perform matches of parent domains  or
8837              IP  subnet  ranges.  This feature is available with Postfix ver‐
8838              sion 2.11 and later.
8839
8840       permit_inet_interfaces
8841              Permit  the  request  when  the  client   IP   address   matches
8842              $inet_interfaces.
8843
8844       permit_mynetworks
8845              Permit  the  request when the client IP address matches any net‐
8846              work or network address listed in  $mynetworks.
8847
8848       permit_sasl_authenticated
8849              Permit the request when the client is successfully authenticated
8850              via the RFC 4954 (AUTH) protocol.
8851
8852       permit_tls_all_clientcerts
8853              Permit  the  request  when the remote SMTP client certificate is
8854              verified successfully.  This option must be used only if a  spe‐
8855              cial  CA  issues  the certificates and only this CA is listed as
8856              trusted CA. Otherwise, clients with  a  third-party  certificate
8857              would  also be allowed to relay.  Specify "tls_append_default_CA
8858              = no" when the trusted CA is specified with smtpd_tls_CAfile  or
8859              smtpd_tls_CApath,  to  prevent  Postfix  from appending the sys‐
8860              tem-supplied default CAs.  This feature is available with  Post‐
8861              fix version 2.2.
8862
8863       permit_tls_clientcerts
8864              Permit  the request when the remote SMTP client certificate fin‐
8865              gerprint or public key fingerprint (Postfix 2.9  and  later)  is
8866              listed  in $relay_clientcerts.  The fingerprint digest algorithm
8867              is configurable via the  smtpd_tls_fingerprint_digest  parameter
8868              (hard-coded  as md5 prior to Postfix version 2.5).  This feature
8869              is available with Postfix version 2.2.
8870
8871       reject_rbl_client rbl_domain=d.d.d.d
8872              Reject the request when the reversed client network  address  is
8873              listed  with  the  A  record "d.d.d.d" under rbl_domain (Postfix
8874              version 2.1 and later only).  Each "d" is a number, or a pattern
8875              inside  "[]"  that contains one or more ";"-separated numbers or
8876              number..number ranges (Postfix version 2.8 and  later).   If  no
8877              "=d.d.d.d"  is  specified,  reject the request when the reversed
8878              client network  address  is  listed  with  any  A  record  under
8879              rbl_domain.
8880              The  maps_rbl_reject_code  parameter specifies the response code
8881              for rejected requests  (default:   554),  the  default_rbl_reply
8882              parameter   specifies   the   default   server  reply,  and  the
8883              rbl_reply_maps  parameter specifies tables with  server  replies
8884              indexed by rbl_domain.  This feature is available in Postfix 2.0
8885              and later.
8886
8887       permit_dnswl_client dnswl_domain=d.d.d.d
8888              Accept the request when the reversed client network  address  is
8889              listed with the A record "d.d.d.d" under dnswl_domain.  Each "d"
8890              is a number, or a pattern inside "[]" that contains one or  more
8891              ";"-separated   numbers   or   number..number   ranges.   If  no
8892              "=d.d.d.d" is specified, accept the request  when  the  reversed
8893              client  network  address  is  listed  with  any  A  record under
8894              dnswl_domain.
8895              For safety, permit_dnswl_client  is  silently  ignored  when  it
8896              would   override   reject_unauth_destination.    The  result  is
8897              DEFER_IF_REJECT when whitelist lookup fails.   This  feature  is
8898              available in Postfix 2.8 and later.
8899
8900       reject_rhsbl_client rbl_domain=d.d.d.d
8901              Reject the request when the client hostname is listed with the A
8902              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
8903              only).  Each "d" is a number, or a pattern inside "[]" that con‐
8904              tains one or more ";"-separated numbers or number..number ranges
8905              (Postfix version 2.8 and later).  If no "=d.d.d.d" is specified,
8906              reject the request when the client hostname is listed with any A
8907              record  under  rbl_domain. See the reject_rbl_client description
8908              above for additional RBL related configuration parameters.  This
8909              feature is available in Postfix 2.0 and later; with Postfix ver‐
8910              sion 2.8 and  later,  reject_rhsbl_reverse_client  will  usually
8911              produce better results.
8912
8913       permit_rhswl_client rhswl_domain=d.d.d.d
8914              Accept the request when the client hostname is listed with the A
8915              record "d.d.d.d" under rhswl_domain.  Each "d" is a number, or a
8916              pattern inside "[]" that contains one or more ";"-separated num‐
8917              bers or number..number ranges. If no  "=d.d.d.d"  is  specified,
8918              accept the request when the client hostname is listed with any A
8919              record under rhswl_domain.
8920              Caution: client name whitelisting is fragile, since  the  client
8921              name  lookup  can  fail  due  to temporary outages.  Client name
8922              whitelisting should be used only to reduce  false  positives  in
8923              e.g.   DNS-based  blocklists,  and  not  for  making access rule
8924              exceptions.
8925              For safety, permit_rhswl_client  is  silently  ignored  when  it
8926              would   override   reject_unauth_destination.    The  result  is
8927              DEFER_IF_REJECT when whitelist lookup fails.   This  feature  is
8928              available in Postfix 2.8 and later.
8929
8930       reject_rhsbl_reverse_client rbl_domain=d.d.d.d
8931              Reject  the  request when the unverified reverse client hostname
8932              is listed with the A record "d.d.d.d"  under  rbl_domain.   Each
8933              "d"  is  a number, or a pattern inside "[]" that contains one or
8934              more ";"-separated numbers  or  number..number  ranges.   If  no
8935              "=d.d.d.d"  is specified, reject the request when the unverified
8936              reverse client hostname  is  listed  with  any  A  record  under
8937              rbl_domain.  See  the  reject_rbl_client  description  above for
8938              additional RBL related configuration parameters.   This  feature
8939              is available in Postfix 2.8 and later.
8940
8941       reject_unknown_client_hostname      (with      Postfix      <      2.3:
8942       reject_unknown_client)
8943              Reject the request when 1) the client IP  address->name  mapping
8944              fails,  or  2)  the  name->address  mapping  fails,  or  3)  the
8945              name->address mapping does not match the client IP address.
8946              This     is     a     stronger     restriction     than      the
8947              reject_unknown_reverse_client_hostname  feature,  which triggers
8948              only under condition 1) above.
8949              The unknown_client_reject_code parameter specifies the  response
8950              code  for  rejected requests (default: 450). The reply is always
8951              450 in case the address->name or name->address lookup failed due
8952              to a temporary problem.
8953
8954       reject_unknown_reverse_client_hostname
8955              Reject   the   request   when  the  client  IP  address  has  no
8956              address->name mapping.
8957              This     is     a     weaker      restriction      than      the
8958              reject_unknown_client_hostname  feature, which requires not only
8959              that the address->name and  name->address  mappings  exist,  but
8960              also that the two mappings reproduce the client IP address.
8961              The  unknown_client_reject_code parameter specifies the response
8962              code for rejected requests (default: 450).  The reply is  always
8963              450  in  case the address->name lookup failed due to a temporary
8964              problem.
8965              This feature is available in Postfix 2.3 and later.
8966
8967       In addition, you can use any of  the  following  generic  restrictions.
8968       These restrictions are applicable in any SMTP command context.
8969
8970       check_policy_service servername
8971              Query  the  specified policy server. See the SMTPD_POLICY_README
8972              document for details. This feature is available in  Postfix  2.1
8973              and later.
8974
8975       defer  Defer  the  request. The client is told to try again later. This
8976              restriction is useful at the end of a restriction list, to  make
8977              the default policy explicit.
8978              The  defer_code  parameter  specifies the SMTP server reply code
8979              (default: 450).
8980
8981       defer_if_permit
8982              Defer the request if some later restriction would result  in  an
8983              explicit  or  implicit  PERMIT  action.   This  is useful when a
8984              blacklisting feature fails due to  a  temporary  problem.   This
8985              feature is available in Postfix version 2.1 and later.
8986
8987       defer_if_reject
8988              Defer  the  request  if some later restriction would result in a
8989              REJECT action.  This is useful when a whitelisting feature fails
8990              due  to a temporary problem.  This feature is available in Post‐
8991              fix version 2.1 and later.
8992
8993       permit Permit the request. This restriction is useful at the end  of  a
8994              restriction list, to make the default policy explicit.
8995
8996       reject_multi_recipient_bounce
8997              Reject the request when the envelope sender is the null address,
8998              and the message has multiple envelope recipients. This usage has
8999              rare  but  legitimate  applications:  under  certain conditions,
9000              multi-recipient  mail  that  was  posted  with  the  DSN  option
9001              NOTIFY=NEVER may be forwarded with the null sender address.
9002              Note:  this  restriction  can  only  work  reliably when used in
9003              smtpd_data_restrictions    or    smtpd_end_of_data_restrictions,
9004              because  the  total number of recipients is not known at an ear‐
9005              lier stage of the SMTP conversation.  Use at the RCPT stage will
9006              only reject the second etc.  recipient.
9007              The  multi_recipient_bounce_reject_code  parameter specifies the
9008              response code for rejected requests (default:  550).  This  fea‐
9009              ture is available in Postfix 2.1 and later.
9010
9011       reject_plaintext_session
9012              Reject  the  request  when the connection is not encrypted. This
9013              restriction should not be used  before  the  client  has  had  a
9014              chance  to  negotiate  encryption with the AUTH or STARTTLS com‐
9015              mands.
9016              The plaintext_reject_code parameter specifies the response  code
9017              for  rejected  requests (default:  450).  This feature is avail‐
9018              able in Postfix 2.3 and later.
9019
9020       reject_unauth_pipelining
9021              Reject the request when the client sends SMTP commands ahead  of
9022              time where it is not allowed, or when the client sends SMTP com‐
9023              mands ahead of time without knowing that Postfix  actually  sup‐
9024              ports  ESMTP  command pipelining. This stops mail from bulk mail
9025              software that improperly uses ESMTP command pipelining in  order
9026              to speed up deliveries.
9027              With  Postfix  2.6 and later, the SMTP server sets a per-session
9028              flag whenever it detects illegal pipelining, including pipelined
9029              HELO or EHLO commands. The reject_unauth_pipelining feature sim‐
9030              ply tests whether the flag was set at any point in  time  during
9031              the session.
9032              With older Postfix versions, reject_unauth_pipelining checks the
9033              current status of the input read queue, and  its  usage  is  not
9034              recommended in contexts other than smtpd_data_restrictions.
9035
9036       reject Reject  the  request. This restriction is useful at the end of a
9037              restriction list, to make  the  default  policy  explicit.   The
9038              reject_code  configuration parameter specifies the response code
9039              for rejected requests (default: 554).
9040
9041       sleep seconds
9042              Pause for the specified number of seconds and proceed  with  the
9043              next  restriction in the list, if any. This may stop zombie mail
9044              when used as:
9045              /etc/postfix/main.cf:
9046                  smtpd_client_restrictions =
9047                      sleep 1, reject_unauth_pipelining
9048                  smtpd_delay_reject = no
9049              This feature is available in Postfix 2.3.
9050
9051       warn_if_reject
9052              A safety net for testing. When "warn_if_reject" is placed before
9053              a  reject-type  restriction,  access  table query, or check_pol‐
9054              icy_service query, this logs a "reject_warning" message  instead
9055              of rejecting a request (when a reject-type restriction fails due
9056              to a temporary error, this logs a "reject_warning"  message  for
9057              any  implicit "defer_if_permit" actions that would normally pre‐
9058              vent mail from being accepted by some later access restriction).
9059              This feature has no effect on defer_if_reject restrictions.
9060
9061       Other restrictions that are valid in this context:
9062
9063       ·      SMTP  command specific restrictions that are described under the
9064              smtpd_helo_restrictions,      smtpd_sender_restrictions       or
9065              smtpd_recipient_restrictions  parameters.  When  helo, sender or
9066              recipient restrictions are  listed  under  smtpd_client_restric‐
9067              tions, they have effect only with "smtpd_delay_reject = yes", so
9068              that $smtpd_client_restrictions is evaluated at the time of  the
9069              RCPT TO command.
9070
9071       Example:
9072
9073       smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
9074

smtpd_command_filter (default: empty)

9076       A  mechanism to transform commands from remote SMTP clients.  This is a
9077       last-resort tool to work around client commands that  break  interoper‐
9078       ability  with the Postfix SMTP server.  Other uses involve fault injec‐
9079       tion to test Postfix's handling of invalid commands.
9080
9081       Specify the name of a "type:table" lookup table. The search  string  is
9082       the  SMTP  command as received from the remote SMTP client, except that
9083       initial whitespace and the trailing <CR><LF> are removed.   The  result
9084       value is executed by the Postfix SMTP server.
9085
9086       There is no need to use smtpd_command_filter for the following cases:
9087
9088       ·      Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
9089
9090       ·      Postfix already accepts the correct form "user@[ipaddress]". Use
9091              virtual_alias_maps or canonical_maps  to  translate  these  into
9092              domain names if necessary.
9093
9094       ·      Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
9095              <user@example.com>>". Postfix will ignore the "User  Name"  part
9096              and deliver to the <user@example.com> address.
9097
9098       Examples  of  problems that can be solved with the smtpd_command_filter
9099       feature:
9100
9101       /etc/postfix/main.cf:
9102           smtpd_command_filter = pcre:/etc/postfix/command_filter
9103
9104       /etc/postfix/command_filter:
9105           # Work around clients that send malformed HELO commands.
9106           /^HELO\s*$/ HELO domain.invalid
9107
9108           # Work around clients that send empty lines.
9109           /^\s*$/     NOOP
9110
9111           # Work around clients that send RCPT TO:<'user@domain'>.
9112           # WARNING: do not lose the parameters that follow the address.
9113           /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/     $1$2$3
9114
9115           # Append XVERP to MAIL FROM commands to request VERP-style delivery.
9116           # See VERP_README for more information on how to use Postfix VERP.
9117           /^(MAIL FROM:\s*<listname@example\.com>.*)/   $1 XVERP
9118
9119           # Bounce-never mail sink. Use notify_classes=bounce,resource,software
9120           # to send bounced mail to the postmaster (with message body removed).
9121           /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/     $1 NOTIFY=NEVER$2
9122           /^(RCPT\s+TO:.*)/                             $1 NOTIFY=NEVER
9123
9124       This feature is available in Postfix 2.7.
9125

smtpd_data_restrictions (default: empty)

9127       Optional access restrictions that the Postfix SMTP  server  applies  in
9128       the context of the SMTP DATA command.  See SMTPD_ACCESS_README, section
9129       "Delayed evaluation of SMTP access restriction lists" for a  discussion
9130       of evaluation context and time.
9131
9132       This feature is available in Postfix 2.0 and later.
9133
9134       Specify  a list of restrictions, separated by commas and/or whitespace.
9135       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9136       Restrictions  are applied in the order as specified; the first restric‐
9137       tion that matches wins.
9138
9139       The following restrictions are valid in this context:
9140
9141       ·      Generic restrictions that can be used in any SMTP  command  con‐
9142              text, described under smtpd_client_restrictions.
9143
9144       ·      SMTP    command    specific    restrictions    described   under
9145              smtpd_client_restrictions,              smtpd_helo_restrictions,
9146              smtpd_sender_restrictions or smtpd_recipient_restrictions.
9147
9148       ·      However,  no  recipient  information is available in the case of
9149              multi-recipient mail. Acting on only one recipient would be mis‐
9150              leading,   because  any  decision  will  affect  all  recipients
9151              equally. Acting on all recipients would require a possibly  very
9152              large  amount  of  memory,  and would also be misleading for the
9153              reasons mentioned before.
9154
9155       Examples:
9156
9157       smtpd_data_restrictions = reject_unauth_pipelining
9158       smtpd_data_restrictions = reject_multi_recipient_bounce
9159

smtpd_delay_open_until_valid_rcpt (default: yes)

9161       Postpone the start of an SMTP mail transaction until a  valid  RCPT  TO
9162       command  is received. Specify "no" to create a mail transaction as soon
9163       as the Postfix SMTP server receives a valid MAIL FROM command.
9164
9165       With sites that reject lots of mail, the default  setting  reduces  the
9166       use  of  disk,  CPU and memory resources. The downside is that rejected
9167       recipients are logged with NOQUEUE instead of a  mail  transaction  ID.
9168       This complicates the logfile analysis of multi-recipient mail.
9169
9170       This feature is available in Postfix 2.3 and later.
9171

smtpd_delay_reject (default: yes)

9173       Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
9174       tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
9175       until the ETRN command before evaluating $smtpd_client_restrictions and
9176       $smtpd_helo_restrictions.
9177
9178       This feature is turned on by default because  some  clients  apparently
9179       mis-behave  when  the  Postfix SMTP server rejects commands before RCPT
9180       TO.
9181
9182       The default setting has one major benefit: it  allows  Postfix  to  log
9183       recipient  address  information when rejecting a client name/address or
9184       sender address, so that it is possible to find out whose mail is  being
9185       rejected.
9186

smtpd_discard_ehlo_keyword_address_maps (default: empty)

9188       Lookup  tables,  indexed  by  the remote SMTP client address, with case
9189       insensitive lists of EHLO keywords (pipelining, starttls,  auth,  etc.)
9190       that  the  Postfix  SMTP server will not send in the EHLO response to a
9191       remote SMTP client. See smtpd_discard_ehlo_keywords for  details.   The
9192       tables are not searched by hostname for robustness reasons.
9193
9194       Specify zero or more "type:name" lookup tables, separated by whitespace
9195       or comma. Tables will be searched in the specified order until a  match
9196       is found.
9197
9198       This feature is available in Postfix 2.2 and later.
9199

smtpd_discard_ehlo_keywords (default: empty)

9201       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
9202       etc.) that the Postfix SMTP server will not send in the  EHLO  response
9203       to a remote SMTP client.
9204
9205       This feature is available in Postfix 2.2 and later.
9206
9207       Notes:
9208
9209       ·      Specify the silent-discard pseudo keyword to prevent this action
9210              from being logged.
9211
9212       ·      Use the smtpd_discard_ehlo_keyword_address_maps feature to  dis‐
9213              card EHLO keywords selectively.
9214

smtpd_dns_reply_filter (default: empty)

9216       Optional  filter  for  Postfix  SMTP  server  DNS  lookup results.  See
9217       smtp_dns_reply_filter for details including an example.
9218
9219       This feature is available in Postfix 3.0 and later.
9220

smtpd_end_of_data_restrictions (default: empty)

9222       Optional access restrictions that the Postfix SMTP  server  applies  in
9223       the  context of the SMTP END-OF-DATA command.  See SMTPD_ACCESS_README,
9224       section "Delayed evaluation of SMTP access  restriction  lists"  for  a
9225       discussion of evaluation context and time.
9226
9227       This feature is available in Postfix 2.2 and later.
9228
9229       See smtpd_data_restrictions for details and limitations.
9230

smtpd_enforce_tls (default: no)

9232       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
9233       require that clients use TLS encryption.  According to  RFC  2487  this
9234       MUST NOT be applied in case of a publicly-referenced SMTP server.  This
9235       option is therefore off by default.
9236
9237       Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
9238
9239       Note 2: when invoked via  "sendmail  -bs",  Postfix  will  never  offer
9240       STARTTLS  due  to  insufficient privileges to access the server private
9241       key. This is intended behavior.
9242
9243       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
9244       and later use smtpd_tls_security_level instead.
9245

smtpd_error_sleep_time (default: 1s)

9247       With  Postfix  version  2.1  and  later: the SMTP server response delay
9248       after a client has made more than $smtpd_soft_error_limit  errors,  and
9249       fewer than $smtpd_hard_error_limit errors, without delivering mail.
9250
9251       With  Postfix  version  2.0  and  earlier: the SMTP server delay before
9252       sending a reject (4xx or 5xx) response, when the client has made  fewer
9253       than $smtpd_soft_error_limit errors without delivering mail.
9254

smtpd_etrn_restrictions (default: empty)

9256       Optional  restrictions that the Postfix SMTP server applies in the con‐
9257       text of  a  client  ETRN  command.   See  SMTPD_ACCESS_README,  section
9258       "Delayed  evaluation of SMTP access restriction lists" for a discussion
9259       of evaluation context and time.
9260
9261       The Postfix ETRN implementation accepts only destinations that are eli‐
9262       gible  for  the  Postfix "fast flush" service. See the ETRN_README file
9263       for details.
9264
9265       Specify a list of restrictions, separated by commas and/or  whitespace.
9266       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9267       Restrictions are applied in the order as specified; the first  restric‐
9268       tion that matches wins.
9269
9270       The  following restrictions are specific to the domain name information
9271       received with the ETRN command.
9272
9273       check_etrn_access type:table
9274              Search the specified access database for the ETRN domain name or
9275              its parent domains. See the access(5) manual page for details.
9276
9277       Other restrictions that are valid in this context:
9278
9279       ·      Generic  restrictions  that can be used in any SMTP command con‐
9280              text, described under smtpd_client_restrictions.
9281
9282       ·      SMTP   command    specific    restrictions    described    under
9283              smtpd_client_restrictions and smtpd_helo_restrictions.
9284
9285       Example:
9286
9287       smtpd_etrn_restrictions = permit_mynetworks, reject
9288

smtpd_expansion_filter (default: see postconf -d output)

9290       What characters are allowed in $name expansions of RBL reply templates.
9291       Characters not in the allowed set are replaced  by  "_".   Use  C  like
9292       escapes to specify special characters such as whitespace.
9293
9294       The  smtpd_expansion_filter  value is not subject to Postfix configura‐
9295       tion parameter $name expansion.
9296
9297       This feature is available in Postfix 2.0 and later.
9298

smtpd_forbidden_commands (default: CONNECT, GET, POST)

9300       List of commands that cause the Postfix SMTP server to immediately ter‐
9301       minate  the  session  with  a  221 code. This can be used to disconnect
9302       clients that obviously attempt to abuse the system. In addition to  the
9303       commands  listed  in  this parameter, commands that follow the "Label:"
9304       format of message headers will also cause a disconnect.
9305
9306       This feature is available in Postfix 2.2 and later.
9307

smtpd_hard_error_limit (default: normal: 20, overload: 1)

9309       The maximal number of errors a remote SMTP client is  allowed  to  make
9310       without  delivering  mail. The Postfix SMTP server disconnects when the
9311       limit is exceeded. Normally the default limit is  20,  but  it  changes
9312       under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
9313       always allows up to 20 errors by default.
9314

smtpd_helo_required (default: no)

9316       Require that a remote SMTP client introduces itself with  the  HELO  or
9317       EHLO  command  before  sending  the MAIL command or other commands that
9318       require EHLO negotiation.
9319
9320       Example:
9321
9322       smtpd_helo_required = yes
9323

smtpd_helo_restrictions (default: empty)

9325       Optional restrictions that the Postfix SMTP server applies in the  con‐
9326       text  of  a  client  HELO  command.   See  SMTPD_ACCESS_README, section
9327       "Delayed evaluation of SMTP access restriction lists" for a  discussion
9328       of evaluation context and time.
9329
9330       The default is to permit everything.
9331
9332       Note:  specify  "smtpd_helo_required  =  yes"  to  fully  enforce  this
9333       restriction (without "smtpd_helo_required = yes", a client  can  simply
9334       skip smtpd_helo_restrictions by not sending HELO or EHLO).
9335
9336       Specify  a list of restrictions, separated by commas and/or whitespace.
9337       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9338       Restrictions  are applied in the order as specified; the first restric‐
9339       tion that matches wins.
9340
9341       The following restrictions are specific  to  the  hostname  information
9342       received with the HELO or EHLO command.
9343
9344       check_helo_access type:table
9345              Search  the  specified  access(5)  database for the HELO or EHLO
9346              hostname  or  parent  domains,  and  execute  the  corresponding
9347              action.   Note:  specify  "smtpd_helo_required  =  yes" to fully
9348              enforce this restriction (without "smtpd_helo_required = yes", a
9349              client  can simply skip check_helo_access by not sending HELO or
9350              EHLO).
9351
9352       check_helo_a_access type:table
9353              Search the specified access(5) database for the IP addresses for
9354              the HELO or EHLO hostname, and execute the corresponding action.
9355              Note 1: a result of "OK" is  not  allowed  for  safety  reasons.
9356              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
9357              blacklists.  Note 2:  specify  "smtpd_helo_required  =  yes"  to
9358              fully  enforce  this restriction (without "smtpd_helo_required =
9359              yes", a client can simply skip check_helo_a_access by not  send‐
9360              ing HELO or EHLO).  This feature is available in Postfix 3.0 and
9361              later.
9362
9363       check_helo_mx_access type:table
9364              Search the specified access(5) database for the MX hosts for the
9365              HELO  or  EHLO  hostname,  and execute the corresponding action.
9366              Note 1: a result of "OK" is  not  allowed  for  safety  reasons.
9367              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
9368              blacklists.  Note 2:  specify  "smtpd_helo_required  =  yes"  to
9369              fully  enforce  this restriction (without "smtpd_helo_required =
9370              yes", a client can simply skip check_helo_mx_access by not send‐
9371              ing HELO or EHLO).  This feature is available in Postfix 2.1 and
9372              later.
9373
9374       check_helo_ns_access type:table
9375              Search the specified access(5) database for the DNS servers  for
9376              the HELO or EHLO hostname, and execute the corresponding action.
9377              Note 1: a result of "OK" is  not  allowed  for  safety  reasons.
9378              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
9379              blacklists.  Note 2:  specify  "smtpd_helo_required  =  yes"  to
9380              fully  enforce  this restriction (without "smtpd_helo_required =
9381              yes", a client can simply skip check_helo_ns_access by not send‐
9382              ing  HELO or EHLO). This feature is available in Postfix 2.1 and
9383              later.
9384
9385       reject_invalid_helo_hostname (with Postfix < 2.3:  reject_invalid_host‐
9386       name)
9387              Reject  the request when the HELO or EHLO hostname is malformed.
9388              Note: specify "smtpd_helo_required = yes" to fully enforce  this
9389              restriction  (without  "smtpd_helo_required = yes", a client can
9390              simply skip reject_invalid_helo_hostname by not sending HELO  or
9391              EHLO).
9392              The invalid_hostname_reject_code specifies the response code for
9393              rejected requests (default: 501).
9394
9395       reject_non_fqdn_helo_hostname      (with      Postfix      <       2.3:
9396       reject_non_fqdn_hostname)
9397              Reject  the  request  when  the  HELO or EHLO hostname is not in
9398              fully-qualified domain or address literal form, as  required  by
9399              the  RFC.  Note:  specify  "smtpd_helo_required  = yes" to fully
9400              enforce this restriction (without "smtpd_helo_required = yes", a
9401              client  can  simply  skip  reject_non_fqdn_helo_hostname  by not
9402              sending HELO or EHLO).
9403              The non_fqdn_reject_code parameter specifies the  response  code
9404              for rejected requests (default: 504).
9405
9406       reject_rhsbl_helo rbl_domain=d.d.d.d
9407              Reject the request when the HELO or EHLO hostname is listed with
9408              the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
9409              later  only).   Each  "d"  is a number, or a pattern inside "[]"
9410              that contains one or more ";"-separated numbers or  number..num‐
9411              ber ranges (Postfix version 2.8 and later).  If no "=d.d.d.d" is
9412              specified, reject the request when the HELO or EHLO hostname  is
9413              listed   with   any   A   record   under   rbl_domain.  See  the
9414              reject_rbl_client description for additional RBL related config‐
9415              uration  parameters.   Note: specify "smtpd_helo_required = yes"
9416              to fully enforce this restriction (without  "smtpd_helo_required
9417              =  yes", a client can simply skip reject_rhsbl_helo by not send‐
9418              ing HELO or EHLO). This feature is available in Postfix 2.0  and
9419              later.
9420
9421       reject_unknown_helo_hostname  (with Postfix < 2.3: reject_unknown_host‐
9422       name)
9423              Reject the request when the HELO or EHLO hostname has no  DNS  A
9424              or MX record.
9425              The  reply  is  specified  with the unknown_hostname_reject_code
9426              parameter   (default:   450)   or    unknown_helo_hostname_temp‐
9427              fail_action  (default:  defer_if_permit).   See  the  respective
9428              parameter descriptions for details.
9429              Note: specify "smtpd_helo_required = yes" to fully enforce  this
9430              restriction  (without  "smtpd_helo_required = yes", a client can
9431              simply skip reject_unknown_helo_hostname by not sending HELO  or
9432              EHLO).
9433
9434       Other restrictions that are valid in this context:
9435
9436       ·      Generic  restrictions  that can be used in any SMTP command con‐
9437              text, described under smtpd_client_restrictions.
9438
9439       ·      Client  hostname  or  network  address   specific   restrictions
9440              described under smtpd_client_restrictions.
9441
9442       ·      SMTP    command    specific    restrictions    described   under
9443              smtpd_sender_restrictions or smtpd_recipient_restrictions.  When
9444              sender    or    recipient    restrictions   are   listed   under
9445              smtpd_helo_restrictions,   they   have    effect    only    with
9446              "smtpd_delay_reject  = yes", so that $smtpd_helo_restrictions is
9447              evaluated at the time of the RCPT TO command.
9448
9449       Examples:
9450
9451       smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
9452       smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
9453

smtpd_history_flush_threshold (default: 100)

9455       The maximal number of lines in the Postfix SMTP server command  history
9456       before it is flushed upon receipt of EHLO, RSET, or end of DATA.
9457

smtpd_junk_command_limit (default: normal: 100, overload: 1)

9459       The  number  of  junk commands (NOOP, VRFY, ETRN or RSET) that a remote
9460       SMTP client can send before the Postfix SMTP server starts to increment
9461       the  error  counter  with each junk command.  The junk command count is
9462       reset after mail is delivered.  See also the smtpd_error_sleep_time and
9463       smtpd_soft_error_limit  configuration parameters.  Normally the default
9464       limit is 100, but it changes under overload to just 1. With Postfix 2.5
9465       and  earlier,  the SMTP server always allows up to 100 junk commands by
9466       default.
9467

smtpd_log_access_permit_actions (default: empty)

9469       Enable logging of the named "permit"  actions  in  SMTP  server  access
9470       lists  (by default, the SMTP server logs "reject" actions but not "per‐
9471       mit" actions).  This feature does not affect conditional  actions  such
9472       as "defer_if_permit".
9473
9474       Specify  a  list of "permit" action names, "/file/name" or "type:table"
9475       patterns, separated by commas and/or whitespace. The  list  is  matched
9476       left  to right, and the search stops on the first match. A "/file/name"
9477       pattern is replaced by its contents; a  "type:table"  lookup  table  is
9478       matched  when  a  name  matches  a  lookup  key  (the  lookup result is
9479       ignored).  Continue long lines by starting the next  line  with  white‐
9480       space. Specify "!pattern" to exclude a name from the list.
9481
9482       Examples:
9483
9484       /etc/postfix/main.cf:
9485           # Log all "permit" actions.
9486           smtpd_log_access_permit_actions = static:all
9487
9488       /etc/postfix/main.cf:
9489           # Log "permit_dnswl_client" only.
9490           smtpd_log_access_permit_actions = permit_dnswl_client
9491
9492       This feature is available in Postfix 2.10 and later.
9493

smtpd_milter_maps (default: empty)

9495       Lookup  tables  with Milter settings per remote SMTP client IP address.
9496       The lookup result overrides the smtpd_milters setting, and has the same
9497       syntax.
9498
9499       Note:  lookup  tables  cannot  return empty responses. Specify a lookup
9500       result of DISABLE (case does not matter) to indicate that  Milter  sup‐
9501       port should be disabled.
9502
9503       Example to disable Milters for local clients:
9504
9505       /etc/postfix/main.cf:
9506           smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
9507           smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
9508
9509       /etc/postfix/smtpd_milter_map:
9510           # Disable Milters for local clients.
9511           127.0.0.0/8    DISABLE
9512           192.168.0.0/16 DISABLE
9513           ::/64          DISABLE
9514           2001:db8::/32  DISABLE
9515
9516       This feature is available in Postfix 3.2 and later.
9517

smtpd_milters (default: empty)

9519       A  list  of Milter (mail filter) applications for new mail that arrives
9520       via the Postfix smtpd(8) server. Specify space or comma  as  separator.
9521       See the MILTER_README document for details.
9522
9523       This feature is available in Postfix 2.3 and later.
9524

smtpd_noop_commands (default: empty)

9526       List of commands that the Postfix SMTP server replies to with "250 Ok",
9527       without doing any syntax checks and without changing state.  This  list
9528       overrides any commands built into the Postfix SMTP server.
9529

smtpd_null_access_lookup_key (default: <>)

9531       The  lookup key to be used in SMTP access(5) tables instead of the null
9532       sender address.
9533

smtpd_peername_lookup (default: yes)

9535       Attempt to look up the remote SMTP client hostname, and verify that the
9536       name  matches  the client IP address. A client name is set to "unknown"
9537       when it cannot be looked up or verified, or when name  lookup  is  dis‐
9538       abled.   Turning  off  name lookup reduces delays due to DNS lookup and
9539       increases the maximal inbound delivery rate.
9540
9541       This feature is available in Postfix 2.3 and later.
9542

smtpd_per_record_deadline (default: normal: no, overload: yes)

9544       Change the behavior of  the  smtpd_timeout  and  smtpd_starttls_timeout
9545       time limits, from a time limit per read or write system call, to a time
9546       limit to send or receive a complete record (an SMTP command line,  SMTP
9547       response  line,  SMTP  message  content line, or TLS protocol message).
9548       This limits the impact from hostile peers that trickle data one byte at
9549       a time.
9550
9551       Note:  when per-record deadlines are enabled, a short timeout may cause
9552       problems with TLS over very slow network connections.  The reasons  are
9553       that  a  TLS protocol message can be up to 16 kbytes long (with TLSv1),
9554       and that an entire TLS protocol message must be sent or received within
9555       the per-record deadline.
9556
9557       This  feature is available in Postfix 2.9 and later. With older Postfix
9558       releases, the behavior is as if this parameter is set to "no".
9559

smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration

9561       problem)
9562       The default action when an SMTPD policy service request fails.  Specify
9563       "DUNNO" to behave as if the failed  SMTPD policy  service  request  was
9564       not sent, and to continue processing other access restrictions, if any.
9565
9566       Limitations:
9567
9568       ·      This parameter may specify any value that would be a valid SMTPD
9569              policy server response (or access(5)  map  lookup  result).   An
9570              access(5)  map or policy server in this parameter value may need
9571              to be declared in advance with a restriction_class setting.
9572
9573       ·      If the specified  action  invokes  another  check_policy_service
9574              request, that request will have the built-in default action.
9575
9576       This feature is available in Postfix 3.0 and later.
9577

smtpd_policy_service_max_idle (default: 300s)

9579       The time after which an idle SMTPD policy service connection is closed.
9580
9581       This feature is available in Postfix 2.1 and later.
9582

smtpd_policy_service_max_ttl (default: 1000s)

9584       The  time  after  which  an  active  SMTPD policy service connection is
9585       closed.
9586
9587       This feature is available in Postfix 2.1 and later.
9588

smtpd_policy_service_policy_context (default: empty)

9590       Optional information that the Postfix  SMTP  server  specifies  in  the
9591       "policy_context"  attribute of a policy service request (originally, to
9592       share the same service  endpoint  among  multiple  check_policy_service
9593       clients).
9594
9595       This feature is available in Postfix 3.1 and later.
9596

smtpd_policy_service_request_limit (default: 0)

9598       The  maximal number of requests per SMTPD policy service connection, or
9599       zero (no limit). Once a connection reaches this limit,  the  connection
9600       is closed and the next request will be sent over a new connection. This
9601       is a workaround to avoid error-recovery delays with policy servers that
9602       cannot maintain a persistent connection.
9603
9604       This feature is available in Postfix 3.0 and later.
9605

smtpd_policy_service_retry_delay (default: 1s)

9607       The  delay  between  attempts  to  resend a failed SMTPD policy service
9608       request. Specify a value greater than zero.
9609
9610       This feature is available in Postfix 3.0 and later.
9611

smtpd_policy_service_timeout (default: 100s)

9613       The time limit for connecting to, writing to, or receiving from a dele‐
9614       gated SMTPD policy server.
9615
9616       This feature is available in Postfix 2.1 and later.
9617

smtpd_policy_service_try_limit (default: 2)

9619       The  maximal number of attempts to send an SMTPD policy service request
9620       before giving up. Specify a value greater than zero.
9621
9622       This feature is available in Postfix 3.0 and later.
9623

smtpd_proxy_ehlo (default: $myhostname)

9625       How the Postfix SMTP server announces itself to the proxy  filter.   By
9626       default, the Postfix hostname is used.
9627
9628       This feature is available in Postfix 2.1 and later.
9629

smtpd_proxy_filter (default: empty)

9631       The  hostname  and  TCP  port  of the mail filtering proxy server.  The
9632       proxy receives all mail from the Postfix SMTP server, and  is  supposed
9633       to give the result to another Postfix SMTP server process.
9634
9635       Specify   "host:port"  or  "inet:host:port"  for  a  TCP  endpoint,  or
9636       "unix:pathname" for a UNIX-domain endpoint. The host can  be  specified
9637       as  an  IP address or as a symbolic name; no MX lookups are done.  When
9638       no "host" or "host:"  are specified,  the  local  machine  is  assumed.
9639       Pathname interpretation is relative to the Postfix queue directory.
9640
9641       This feature is available in Postfix 2.1 and later.
9642
9643       The  "inet:"  and  "unix:"  prefixes  are  available in Postfix 2.3 and
9644       later.
9645

smtpd_proxy_options (default: empty)

9647       List of options that control how the Postfix SMTP  server  communicates
9648       with a before-queue content filter. Specify zero or more of the follow‐
9649       ing, separated by comma or whitespace.
9650
9651       speed_adjust
9652              Do not connect to a before-queue content filter until an  entire
9653              message has been received. This reduces the number of simultane‐
9654              ous before-queue content filter processes.
9655
9656       NOTE  1:  A  filter  must  not  selectively  reject  recipients  of   a
9657       multi-recipient message.  Rejecting all recipients is OK, as is accept‐
9658       ing all recipients.
9659
9660       NOTE 2: This feature increases the minimum amount of free  queue  space
9661       by  $message_size_limit.  The extra space is needed to save the message
9662       to a temporary file.
9663
9664       This feature is available in Postfix 2.7 and later.
9665

smtpd_proxy_timeout (default: 100s)

9667       The time limit for connecting to a proxy  filter  and  for  sending  or
9668       receiving  information.   When  a  connection  fails  the client gets a
9669       generic error message while more detailed information is logged to  the
9670       maillog file.
9671
9672       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
9673       The default time unit is s (seconds).
9674
9675       This feature is available in Postfix 2.1 and later.
9676

smtpd_recipient_limit (default: 1000)

9678       The maximal number of recipients that the Postfix SMTP  server  accepts
9679       per message delivery request.
9680

smtpd_recipient_overshoot_limit (default: 1000)

9682       The  number  of recipients that a remote SMTP client can send in excess
9683       of the limit specified with $smtpd_recipient_limit, before the  Postfix
9684       SMTP  server  increments  the  per-session  error count for each excess
9685       recipient.
9686

smtpd_recipient_restrictions (default: see postconf -d output)

9688       Optional restrictions that the Postfix SMTP server applies in the  con‐
9689       text  of a client RCPT TO command, after smtpd_relay_restrictions.  See
9690       SMTPD_ACCESS_README,  section  "Delayed  evaluation  of   SMTP   access
9691       restriction lists" for a discussion of evaluation context and time.
9692
9693       With  Postfix  versions before 2.10, the rules for relay permission and
9694       spam blocking were combined under smtpd_recipient_restrictions, result‐
9695       ing in error-prone configuration.  As of Postfix 2.10, relay permission
9696       rules are preferably implemented with smtpd_relay_restrictions, so that
9697       a  permissive  spam  blocking policy under smtpd_recipient_restrictions
9698       will no longer result in a permissive mail relay policy.
9699
9700       For backwards compatibility, sites that migrate from  Postfix  versions
9701       before  2.10  can  set smtpd_relay_restrictions to the empty value, and
9702       use smtpd_recipient_restrictions exactly as before.
9703
9704       IMPORTANT: Either the  smtpd_relay_restrictions  or  the  smtpd_recipi‐
9705       ent_restrictions  parameter  must specify at least one of the following
9706       restrictions. Otherwise Postfix will refuse to receive mail:
9707
9708           reject, reject_unauth_destination
9709
9710           defer, defer_if_permit, defer_unauth_destination
9711
9712       Specify a list of restrictions, separated by commas and/or  whitespace.
9713       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9714       Restrictions are applied in the order as specified; the first  restric‐
9715       tion that matches wins.
9716
9717       The  following  restrictions are specific to the recipient address that
9718       is received with the RCPT TO command.
9719
9720       check_recipient_access type:table
9721              Search the specified access(5) database for the resolved RCPT TO
9722              address,  domain, parent domains, or localpart@, and execute the
9723              corresponding action.
9724
9725       check_recipient_a_access type:table
9726              Search the specified access(5) database for the IP addresses for
9727              the RCPT TO domain, and execute the corresponding action.  Note:
9728              a result of "OK" is not allowed for safety reasons. Instead, use
9729              DUNNO  in order to exclude specific hosts from blacklists.  This
9730              feature is available in Postfix 3.0 and later.
9731
9732       check_recipient_mx_access type:table
9733              Search the specified access(5) database for the MX hosts for the
9734              RCPT  TO  domain, and execute the corresponding action.  Note: a
9735              result of "OK" is not allowed for safety reasons.  Instead,  use
9736              DUNNO  in order to exclude specific hosts from blacklists.  This
9737              feature is available in Postfix 2.1 and later.
9738
9739       check_recipient_ns_access type:table
9740              Search the specified access(5) database for the DNS servers  for
9741              the RCPT TO domain, and execute the corresponding action.  Note:
9742              a result of "OK" is not allowed for safety reasons. Instead, use
9743              DUNNO  in order to exclude specific hosts from blacklists.  This
9744              feature is available in Postfix 2.1 and later.
9745
9746       permit_auth_destination
9747              Permit the request when one of the following is true:
9748
9749       ·      Postfix is mail forwarder: the resolved RCPT TO  domain  matches
9750              $relay_domains  or a subdomain thereof, and the address contains
9751              no sender-specified routing (user@elsewhere@domain),
9752
9753       ·      Postfix is the final destination: the resolved  RCPT  TO  domain
9754              matches   $mydestination,  $inet_interfaces,  $proxy_interfaces,
9755              $virtual_alias_domains,  or  $virtual_mailbox_domains,  and  the
9756              address   contains   no   sender-specified  routing  (user@else‐
9757              where@domain).
9758
9759       permit_mx_backup
9760              Permit the request when the local mail system is backup  MX  for
9761              the RCPT TO domain, or when the domain is an authorized destina‐
9762              tion (see permit_auth_destination for definition).
9763
9764       ·      Safety: permit_mx_backup does not  accept  addresses  that  have
9765              sender-specified   routing   information   (example:  user@else‐
9766              where@domain).
9767
9768       ·      Safety: permit_mx_backup  can  be  vulnerable  to  mis-use  when
9769              access is not restricted with permit_mx_backup_networks.
9770
9771       ·      Safety:  as  of  Postfix version 2.3, permit_mx_backup no longer
9772              accepts the address when the local mail system is primary MX for
9773              the  recipient  domain.  Exception: permit_mx_backup accepts the
9774              address when it specifies an authorized  destination  (see  per‐
9775              mit_auth_destination for definition).
9776
9777       ·      Limitation:  mail  may  be  rejected  in case of a temporary DNS
9778              lookup problem with Postfix prior to version 2.0.
9779
9780       reject_non_fqdn_recipient
9781              Reject the request when the RCPT TO address specifies  a  domain
9782              that  is  not in fully-qualified domain form, as required by the
9783              RFC.
9784              The non_fqdn_reject_code parameter specifies the  response  code
9785              for rejected requests (default: 504).
9786
9787       reject_rhsbl_recipient rbl_domain=d.d.d.d
9788              Reject  the request when the RCPT TO domain is listed with the A
9789              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
9790              only).  Each "d" is a number, or a pattern inside "[]" that con‐
9791              tains one or more ";"-separated numbers or number..number ranges
9792              (Postfix  version 2.8 and later). If no "=d.d.d.d" is specified,
9793              reject the request when the RCPT TO domain is listed with any  A
9794              record under rbl_domain.
9795              The  maps_rbl_reject_code  parameter specifies the response code
9796              for rejected  requests  (default:  554);  the  default_rbl_reply
9797              parameter   specifies   the   default   server  reply;  and  the
9798              rbl_reply_maps parameter specifies tables  with  server  replies
9799              indexed  by  rbl_domain.   This  feature is available in Postfix
9800              version 2.0 and later.
9801
9802       reject_unauth_destination
9803              Reject the request unless one of the following is true:
9804
9805       ·      Postfix is mail forwarder: the resolved RCPT TO  domain  matches
9806              $relay_domains   or   a   subdomain  thereof,  and  contains  no
9807              sender-specified routing (user@elsewhere@domain),
9808
9809       ·      Postfix is the final destination: the resolved  RCPT  TO  domain
9810              matches   $mydestination,  $inet_interfaces,  $proxy_interfaces,
9811              $virtual_alias_domains, or  $virtual_mailbox_domains,  and  con‐
9812              tains no sender-specified routing (user@elsewhere@domain).
9813              The  relay_domains_reject_code  parameter specifies the response
9814              code for rejected requests (default: 554).
9815
9816       defer_unauth_destination
9817              Reject the same requests as  reject_unauth_destination,  with  a
9818              non-permanent  error code.  This feature is available in Postfix
9819              2.10 and later.
9820
9821       reject_unknown_recipient_domain
9822              Reject the request when Postfix is not final destination for the
9823              recipient domain, and the RCPT TO domain has 1) no DNS MX and no
9824              DNS A record or 2) a malformed MX record such as a record with a
9825              zero-length MX hostname (Postfix version 2.3 and later).
9826              The  reply  is  specified  with  the unknown_address_reject_code
9827              parameter   (default:   450),    unknown_address_tempfail_action
9828              (default:  defer_if_permit),  or  556  (nullmx,  Postfix 3.0 and
9829              later). See the respective parameter descriptions for details.
9830
9831       reject_unlisted_recipient  (with  Postfix  version  2.0:  check_recipi‐
9832       ent_maps)
9833              Reject the request when the RCPT TO address is not listed in the
9834              list  of  valid  recipients  for  its  domain  class.  See   the
9835              smtpd_reject_unlisted_recipient    parameter   description   for
9836              details.  This feature is available in Postfix 2.1 and later.
9837
9838       reject_unverified_recipient
9839              Reject the request when mail to the RCPT TO address is known  to
9840              bounce,  or when the recipient address destination is not reach‐
9841              able.  Address verification information is managed by  the  ver‐
9842              ify(8)  server;  see  the  ADDRESS_VERIFICATION_README  file for
9843              details.
9844              The  unverified_recipient_reject_code  parameter  specifies  the
9845              numerical  response  code  when  an  address  is known to bounce
9846              (default: 450, change into 550 when you are confident that it is
9847              safe to do so).
9848              The   unverified_recipient_defer_code  parameter  specifies  the
9849              numerical response code when an address probe failed  due  to  a
9850              temporary problem (default: 450).
9851              The unverified_recipient_tempfail_action parameter specifies the
9852              action after address probe failure due to  a  temporary  problem
9853              (default: defer_if_permit).
9854              This  feature  breaks  for aliased addresses with "enable_origi‐
9855              nal_recipient = no" (Postfix <= 3.2).
9856              This feature is available in Postfix 2.1 and later.
9857
9858       Other restrictions that are valid in this context:
9859
9860       ·      Generic restrictions that can be used in any SMTP  command  con‐
9861              text, described under smtpd_client_restrictions.
9862
9863       ·      SMTP    command    specific    restrictions    described   under
9864              smtpd_client_restrictions,      smtpd_helo_restrictions      and
9865              smtpd_sender_restrictions.
9866
9867       Example:
9868
9869       # The Postfix before 2.10 default mail relay policy. Later Postfix
9870       # versions implement this preferably with smtpd_relay_restrictions.
9871       smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
9872
9874       Optional  information  that  is appended after each Postfix SMTP server
9875       4XX or 5XX response.
9876
9877       The following example uses "\c" at the start of the template (supported
9878       in Postfix 2.10 and later) to suppress the line break between the reply
9879       text and the footer text. With earlier  Postfix  versions,  the  footer
9880       text always begins on a new line, and the "\c" is output literally.
9881
9882       /etc/postfix/main.cf:
9883           smtpd_reject_footer = \c. For assistance, call 800-555-0101.
9884            Please provide the following information in your problem report:
9885            time ($localtime), client ($client_address) and server
9886            ($server_name).
9887
9888       Server response:
9889
9890           550-5.5.1 <user@example> Recipient address rejected: User
9891           unknown. For assistance, call 800-555-0101. Please provide the
9892           following information in your problem report: time (Jan 4 15:42:00),
9893           client (192.168.1.248) and server (mail1.example.com).
9894
9895       Note:  the  above  text  is meant to make it easier to find the Postfix
9896       logfile records for a failed SMTP  session.  The  text  itself  is  not
9897       logged to the Postfix SMTP server's maillog file.
9898
9899       Be  sure  to keep the text as short as possible. Long text may be trun‐
9900       cated before it is logged to the remote SMTP client's maillog file,  or
9901       before it is returned to the sender in a delivery status notification.
9902
9903       The  template  text  is  not subject to Postfix configuration parameter
9904       $name expansion. Instead, this feature supports  a  limited  number  of
9905       $name attributes in the footer text. These attributes are replaced with
9906       their current value for the SMTP session.
9907
9908       Note: specify $$name in footer text that is looked up from  regexp:  or
9909       pcre:-based smtpd_reject_footer_maps, otherwise the Postfix server will
9910       not use the footer text and will log a warning instead.
9911
9912       client_address
9913              The Client IP address that is logged in the maillog file.
9914
9915       client_port
9916              The client TCP port that is logged in the maillog file.
9917
9918       localtime
9919              The server local time (Mmm dd hh:mm:ss) that is  logged  in  the
9920              maillog file.
9921
9922       server_name
9923              The server's myhostname value.  This attribute is made available
9924              for sites with multiple MTAs (perhaps behind  a  load-balancer),
9925              where  the  server  name  can  help  the  server support team to
9926              quickly find the right log files.
9927
9928       Notes:
9929
9930       ·      NOT SUPPORTED are other attributes such as sender, recipient, or
9931              main.cf parameters.
9932
9933       ·      For  safety  reasons,  text  that  does  not match $smtpd_expan‐
9934              sion_filter is censored.
9935
9936       This feature supports the two-character sequence \n as a request for  a
9937       line break in the footer text. Postfix automatically inserts after each
9938       line break the three-digit SMTP reply code (and optional enhanced  sta‐
9939       tus code) from the original Postfix reject message.
9940
9941       To work around mail software that mis-handles multi-line replies, spec‐
9942       ify the two-character sequence \c at the start of the  template.   This
9943       suppresses  the  line  break between the reply text and the footer text
9944       (Postfix 2.10 and later).
9945
9946       This feature is available in Postfix 2.8 and later.
9947
9949       Lookup tables, indexed by the complete Postfix SMTP server 4xx  or  5xx
9950       response,  with  reject  footer  templates. See smtpd_reject_footer for
9951       details.
9952
9953       Specify zero or more "type:name" lookup tables, separated by whitespace
9954       or  comma. Tables will be searched in the specified order until a match
9955       is found.
9956
9957       This feature is available in Postfix 3.4 and later.
9958

smtpd_reject_unlisted_recipient (default: yes)

9960       Request that the Postfix SMTP server rejects mail for unknown recipient
9961       addresses,  even  when  no  explicit  reject_unlisted_recipient  access
9962       restriction is specified. This prevents the Postfix queue from  filling
9963       up with undeliverable MAILER-DAEMON messages.
9964
9965       An  address  is  always considered "known" when it matches a virtual(5)
9966       alias or a canonical(5) mapping.
9967
9968       ·      The recipient domain matches $mydestination, $inet_interfaces or
9969              $proxy_interfaces,   but   the   recipient   is  not  listed  in
9970              $local_recipient_maps, and $local_recipient_maps is not null.
9971
9972       ·      The recipient  domain  matches  $virtual_alias_domains  but  the
9973              recipient is not listed in $virtual_alias_maps.
9974
9975       ·      The  recipient  domain  matches $virtual_mailbox_domains but the
9976              recipient is not  listed  in  $virtual_mailbox_maps,  and  $vir‐
9977              tual_mailbox_maps is not null.
9978
9979       ·      The recipient domain matches $relay_domains but the recipient is
9980              not listed in $relay_recipient_maps,  and  $relay_recipient_maps
9981              is not null.
9982
9983       This feature is available in Postfix 2.1 and later.
9984

smtpd_reject_unlisted_sender (default: no)

9986       Request  that  the Postfix SMTP server rejects mail from unknown sender
9987       addresses, even when no explicit reject_unlisted_sender access restric‐
9988       tion  is specified. This can slow down an explosion of forged mail from
9989       worms or viruses.
9990
9991       An address is always considered "known" when it  matches  a  virtual(5)
9992       alias or a canonical(5) mapping.
9993
9994       ·      The  sender  domain  matches $mydestination, $inet_interfaces or
9995              $proxy_interfaces, but the sender is not listed in $local_recip‐
9996              ient_maps, and $local_recipient_maps is not null.
9997
9998       ·      The  sender domain matches $virtual_alias_domains but the sender
9999              is not listed in $virtual_alias_maps.
10000
10001       ·      The  sender  domain  matches  $virtual_mailbox_domains  but  the
10002              sender   is  not  listed  in  $virtual_mailbox_maps,  and  $vir‐
10003              tual_mailbox_maps is not null.
10004
10005       ·      The sender domain matches $relay_domains but the sender  is  not
10006              listed  in  $relay_recipient_maps,  and $relay_recipient_maps is
10007              not null.
10008
10009       This feature is available in Postfix 2.1 and later.
10010

smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenti‐

10012       cated, defer_unauth_destination)
10013       Access restrictions for mail relay control that the Postfix SMTP server
10014       applies in the context of the RCPT  TO  command,  before  smtpd_recipi‐
10015       ent_restrictions.  See SMTPD_ACCESS_README, section "Delayed evaluation
10016       of SMTP access restriction lists" for a discussion of  evaluation  con‐
10017       text and time.
10018
10019       With  Postfix  versions before 2.10, the rules for relay permission and
10020       spam blocking were combined under smtpd_recipient_restrictions, result‐
10021       ing in error-prone configuration.  As of Postfix 2.10, relay permission
10022       rules are preferably implemented with smtpd_relay_restrictions, so that
10023       a  permissive  spam  blocking policy under smtpd_recipient_restrictions
10024       will no longer result in a permissive mail relay policy.
10025
10026       For backwards compatibility, sites that migrate from  Postfix  versions
10027       before  2.10  can  set smtpd_relay_restrictions to the empty value, and
10028       use smtpd_recipient_restrictions exactly as before.
10029
10030       By default, the Postfix SMTP server accepts:
10031
10032       ·      Mail from clients whose IP address matches $mynetworks, or:
10033
10034       ·      Mail to remote destinations that  match  $relay_domains,  except
10035              for  addresses that contain sender-specified routing (user@else‐
10036              where@domain), or:
10037
10038       ·      Mail  to  local  destinations  that  match  $inet_interfaces  or
10039              $proxy_interfaces,  $mydestination,  $virtual_alias_domains,  or
10040              $virtual_mailbox_domains.
10041
10042       IMPORTANT: Either the  smtpd_relay_restrictions  or  the  smtpd_recipi‐
10043       ent_restrictions  parameter  must specify at least one of the following
10044       restrictions. Otherwise Postfix will refuse to receive mail:
10045
10046           reject, reject_unauth_destination
10047
10048           defer, defer_if_permit, defer_unauth_destination
10049
10050       Specify a list of restrictions, separated by commas and/or  whitespace.
10051       Continue  long  lines  by  starting the next line with whitespace.  The
10052       same restrictions  are  available  as  documented  under  smtpd_recipi‐
10053       ent_restrictions.
10054
10055       This feature is available in Postix 2.10 and later.
10056

smtpd_restriction_classes (default: empty)

10058       User-defined aliases for groups of access restrictions. The aliases can
10059       be  specified  in  smtpd_recipient_restrictions  etc.,   and   on   the
10060       right-hand side of a Postfix access(5) table.
10061
10062       One  major  application  is for implementing per-recipient UCE control.
10063       See the RESTRICTION_CLASS_README document for other examples.
10064

smtpd_sasl_application_name (default: smtpd)

10066       The application name that the Postfix SMTP server uses for SASL  server
10067       initialization.  This controls the name of the SASL configuration file.
10068       The default value is smtpd, corresponding to a SASL configuration  file
10069       named smtpd.conf.
10070
10071       This  feature  is available in Postfix 2.1 and 2.2. With Postfix 2.3 it
10072       was renamed to smtpd_sasl_path.
10073

smtpd_sasl_auth_enable (default: no)

10075       Enable SASL authentication in the Postfix SMTP server. By default,  the
10076       Postfix SMTP server does not use authentication.
10077
10078       If a remote SMTP client is authenticated, the permit_sasl_authenticated
10079       access restriction can be used to permit relay access, like this:
10080
10081           # With Postfix 2.10 and later, the mail relay policy is
10082           # preferably specified under smtpd_relay_restrictions.
10083           smtpd_relay_restrictions =
10084               permit_mynetworks, permit_sasl_authenticated, ...
10085
10086       # With Postfix before 2.10, the relay policy can be
10087       # specified only under smtpd_recipient_restrictions.
10088       smtpd_recipient_restrictions =
10089           permit_mynetworks, permit_sasl_authenticated, ...
10090
10091       To reject all SMTP connections from  unauthenticated  clients,  specify
10092       "smtpd_delay_reject = yes" (which is the default) and use:
10093
10094           smtpd_client_restrictions = permit_sasl_authenticated, reject
10095
10096       See the SASL_README file for SASL configuration and operation details.
10097

smtpd_sasl_authenticated_header (default: no)

10099       Report  the  SASL authenticated user name in the smtpd(8) Received mes‐
10100       sage header.
10101
10102       This feature is available in Postfix 2.3 and later.
10103

smtpd_sasl_exceptions_networks (default: empty)

10105       What remote SMTP clients the Postfix SMTP server will  not  offer  AUTH
10106       support to.
10107
10108       Some  clients  (Netscape  4  at  least)  have a bug that causes them to
10109       require a login and password whenever AUTH  is  offered,  whether  it's
10110       necessary  or  not.  To work around this, specify, for example, $mynet‐
10111       works to prevent Postfix from offering AUTH to local clients.
10112
10113       Specify a list of network/netmask patterns, separated by commas  and/or
10114       whitespace.  The  mask specifies the number of bits in the network part
10115       of a host address. You can also "/file/name" or "type:table"  patterns.
10116       A  "/file/name"  pattern  is  replaced  by its contents; a "type:table"
10117       lookup table is matched when a table entry matches a lookup string (the
10118       lookup  result  is  ignored).  Continue long lines by starting the next
10119       line with whitespace. Specify "!pattern" to exclude an address or  net‐
10120       work  block from the list.  The form "!/file/name" is supported only in
10121       Postfix version 2.4 and later.
10122
10123       Note: IP version 6 address information must be specified inside  []  in
10124       the  smtpd_sasl_exceptions_networks  value, and in files specified with
10125       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
10126       would otherwise be confused with a "type:table" pattern.
10127
10128       Example:
10129
10130       smtpd_sasl_exceptions_networks = $mynetworks
10131
10132       This feature is available in Postfix 2.1 and later.
10133

smtpd_sasl_local_domain (default: empty)

10135       The name of the Postfix SMTP server's local SASL authentication realm.
10136
10137       By default, the local authentication realm name is the null string.
10138
10139       Examples:
10140
10141       smtpd_sasl_local_domain = $mydomain
10142       smtpd_sasl_local_domain = $myhostname
10143

smtpd_sasl_path (default: smtpd)

10145       Implementation-specific information that the Postfix SMTP server passes
10146       through to the  SASL  plug-in  implementation  that  is  selected  with
10147       smtpd_sasl_type.   Typically this specifies the name of a configuration
10148       file or rendezvous point.
10149
10150       This feature is available in Postfix 2.3 and later. In earlier releases
10151       it was called smtpd_sasl_application_name.
10152

smtpd_sasl_response_limit (default: 12288)

10154       The  maximum  length of a SASL client's response to a server challenge.
10155       When the client's "initial response" is longer than  the  normal  limit
10156       for  SMTP commands, the client must omit its initial response, and wait
10157       for an empty server challenge; it can then send what  would  have  been
10158       its  "initial  response"  as  a response to the empty server challenge.
10159       RFC4954 requires the server to accept client responses up to  at  least
10160       12288  octets  of  base64-encoded text.  The default value is therefore
10161       also the minimum value accepted for this parameter.
10162
10163       This feature is available in Postfix 3.4 and later. Prior versions  use
10164       "line_length_limit",  which may need to be raised to accommodate larger
10165       client responses, as may be needed with GSSAPI authentication  of  Win‐
10166       dows AD users who are members of many groups.
10167

smtpd_sasl_security_options (default: noanonymous)

10169       Postfix  SMTP  server SASL security options; as of Postfix 2.3 the list
10170       of available features depends on the SASL server implementation that is
10171       selected with smtpd_sasl_type.
10172
10173       The  following  security features are defined for the cyrus server SASL
10174       implementation:
10175
10176       Restrict what authentication mechanisms the Postfix  SMTP  server  will
10177       offer  to  the client.  The list of available authentication mechanisms
10178       is system dependent.
10179
10180       Specify zero or more of the following:
10181
10182       noplaintext
10183              Disallow methods that use plaintext passwords.
10184
10185       noactive
10186              Disallow methods subject to active (non-dictionary) attack.
10187
10188       nodictionary
10189              Disallow methods subject to passive (dictionary) attack.
10190
10191       noanonymous
10192              Disallow methods that allow anonymous authentication.
10193
10194       forward_secrecy
10195              Only allow methods that support forward secrecy (Dovecot only).
10196
10197       mutual_auth
10198              Only allow  methods  that  provide  mutual  authentication  (not
10199              available with Cyrus SASL version 1).
10200
10201       By default, the Postfix SMTP server accepts plaintext passwords but not
10202       anonymous logins.
10203
10204       Warning: it appears that clients  try  authentication  methods  in  the
10205       order  as  advertised  by  the  server (e.g., PLAIN ANONYMOUS CRAM-MD5)
10206       which means that if you disable plaintext passwords, clients  will  log
10207       in  anonymously, even when they should be able to use CRAM-MD5.  So, if
10208       you disable plaintext logins, disable anonymous  logins  too.   Postfix
10209       treats anonymous login as no authentication.
10210
10211       Example:
10212
10213       smtpd_sasl_security_options = noanonymous, noplaintext
10214

smtpd_sasl_service (default: smtp)

10216       The  service  name  that is passed to the SASL plug-in that is selected
10217       with smtpd_sasl_type and smtpd_sasl_path.
10218
10219       This feature is available in Postfix 2.11  and  later.  Prior  versions
10220       behave as if "smtp" is specified.
10221

smtpd_sasl_tls_security_options (default: $smtpd_sasl_security_options)

10223       The  SASL  authentication security options that the Postfix SMTP server
10224       uses for TLS encrypted SMTP sessions.
10225
10226       This feature is available in Postfix 2.2 and later.
10227

smtpd_sasl_type (default: cyrus)

10229       The SASL plug-in type that the  Postfix  SMTP  server  should  use  for
10230       authentication.  The  available types are listed with the "postconf -a"
10231       command.
10232
10233       This feature is available in Postfix 2.3 and later.
10234

smtpd_sender_login_maps (default: empty)

10236       Optional lookup table with the SASL login names  that  own  the  sender
10237       (MAIL FROM) addresses.
10238
10239       Specify zero or more "type:name" lookup tables, separated by whitespace
10240       or comma. Tables will be searched in the specified order until a  match
10241       is  found.   With lookups from indexed files such as DB or DBM, or from
10242       networked tables such as NIS, LDAP or SQL, the following search  opera‐
10243       tions are done with a sender address of user@domain:
10244
10245       1) user@domain
10246              This table lookup is always done and has the highest precedence.
10247
10248       2) user
10249              This  table  lookup  is  done  only  when the domain part of the
10250              sender address matches $myorigin,  $mydestination,  $inet_inter‐
10251              faces or $proxy_interfaces.
10252
10253       3) @domain
10254              This table lookup is done last and has the lowest precedence.
10255
10256       In all cases the result of table lookup must be either "not found" or a
10257       list of SASL login names separated by comma and/or whitespace.
10258

smtpd_sender_restrictions (default: empty)

10260       Optional restrictions that the Postfix SMTP server applies in the  con‐
10261       text  of  a client MAIL FROM command.  See SMTPD_ACCESS_README, section
10262       "Delayed evaluation of SMTP access restriction lists" for a  discussion
10263       of evaluation context and time.
10264
10265       The default is to permit everything.
10266
10267       Specify  a list of restrictions, separated by commas and/or whitespace.
10268       Continue  long  lines  by  starting  the  next  line  with  whitespace.
10269       Restrictions  are applied in the order as specified; the first restric‐
10270       tion that matches wins.
10271
10272       The following restrictions are specific to the sender address  received
10273       with the MAIL FROM command.
10274
10275       check_sender_access type:table
10276              Search  the  specified  access(5)  database  for  the  MAIL FROM
10277              address, domain, parent domains, or localpart@, and execute  the
10278              corresponding action.
10279
10280       check_sender_a_access type:table
10281              Search the specified access(5) database for the IP addresses for
10282              the MAIL FROM domain,  and  execute  the  corresponding  action.
10283              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
10284              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
10285              blacklists.  This feature is available in Postfix 3.0 and later.
10286
10287       check_sender_mx_access type:table
10288              Search the specified access(5) database for the MX hosts for the
10289              MAIL FROM domain, and execute the corresponding action.  Note: a
10290              result  of  "OK" is not allowed for safety reasons. Instead, use
10291              DUNNO in order to exclude specific hosts from blacklists.   This
10292              feature is available in Postfix 2.1 and later.
10293
10294       check_sender_ns_access type:table
10295              Search  the specified access(5) database for the DNS servers for
10296              the MAIL FROM domain,  and  execute  the  corresponding  action.
10297              Note:  a  result  of  "OK"  is  not  allowed for safety reasons.
10298              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
10299              blacklists.  This feature is available in Postfix 2.1 and later.
10300
10301       reject_authenticated_sender_login_mismatch
10302              Enforces   the   reject_sender_login_mismatch   restriction  for
10303              authenticated clients only. This feature is available in Postfix
10304              version 2.1 and later.
10305
10306       reject_known_sender_login_mismatch
10307              Apply  the reject_sender_login_mismatch restriction only to MAIL
10308              FROM addresses that are known in $smtpd_sender_login_maps.  This
10309              feature is available in Postfix version 2.11 and later.
10310
10311       reject_non_fqdn_sender
10312              Reject the request when the MAIL FROM address specifies a domain
10313              that is not in fully-qualified domain form as  required  by  the
10314              RFC.
10315              The  non_fqdn_reject_code  parameter specifies the response code
10316              for rejected requests (default: 504).
10317
10318       reject_rhsbl_sender rbl_domain=d.d.d.d
10319              Reject the request when the MAIL FROM domain is listed with  the
10320              A  record  "d.d.d.d"  under  rbl_domain (Postfix version 2.1 and
10321              later only).  Each "d" is a number, or  a  pattern  inside  "[]"
10322              that  contains one or more ";"-separated numbers or number..num‐
10323              ber ranges (Postfix version 2.8 and later). If no "=d.d.d.d"  is
10324              specified,  reject  the  request  when  the  MAIL FROM domain is
10325              listed with any A record under rbl_domain.
10326              The maps_rbl_reject_code parameter specifies the  response  code
10327              for  rejected  requests  (default:   554); the default_rbl_reply
10328              parameter  specifies  the  default   server   reply;   and   the
10329              rbl_reply_maps  parameter  specifies  tables with server replies
10330              indexed by rbl_domain.  This feature is available in Postfix 2.0
10331              and later.
10332
10333       reject_sender_login_mismatch
10334              Reject  the  request  when $smtpd_sender_login_maps specifies an
10335              owner for the MAIL FROM address, but the client  is  not  (SASL)
10336              logged in as that MAIL FROM address owner; or when the client is
10337              (SASL) logged in, but the client login name doesn't own the MAIL
10338              FROM address according to $smtpd_sender_login_maps.
10339
10340       reject_unauthenticated_sender_login_mismatch
10341              Enforces  the reject_sender_login_mismatch restriction for unau‐
10342              thenticated clients only. This feature is available  in  Postfix
10343              version 2.1 and later.
10344
10345       reject_unknown_sender_domain
10346              Reject the request when Postfix is not final destination for the
10347              sender address, and the MAIL FROM domain has 1) no DNS MX and no
10348              DNS  A record, or 2) a malformed MX record such as a record with
10349              a zero-length MX hostname (Postfix version 2.3 and later).
10350              The reply  is  specified  with  the  unknown_address_reject_code
10351              parameter    (default:   450),   unknown_address_tempfail_action
10352              (default: defer_if_permit), or  550  (nullmx,  Postfix  3.0  and
10353              later). See the respective parameter descriptions for details.
10354
10355       reject_unlisted_sender
10356              Reject  the  request when the MAIL FROM address is not listed in
10357              the list of valid recipients  for  its  domain  class.  See  the
10358              smtpd_reject_unlisted_sender  parameter description for details.
10359              This feature is available in Postfix 2.1 and later.
10360
10361       reject_unverified_sender
10362              Reject the request when mail to the MAIL FROM address  is  known
10363              to  bounce, or when the sender address destination is not reach‐
10364              able.  Address verification information is managed by  the  ver‐
10365              ify(8)  server;  see  the  ADDRESS_VERIFICATION_README  file for
10366              details.
10367              The unverified_sender_reject_code parameter specifies the numer‐
10368              ical  response code when an address is known to bounce (default:
10369              450, change into 550 when you are confident that it is  safe  to
10370              do so).
10371              The   unverified_sender_defer_code   specifies   the   numerical
10372              response code when an address probe failed due  to  a  temporary
10373              problem (default: 450).
10374              The  unverified_sender_tempfail_action  parameter  specifies the
10375              action after address probe failure due to  a  temporary  problem
10376              (default: defer_if_permit).
10377              This  feature  breaks  for aliased addresses with "enable_origi‐
10378              nal_recipient = no" (Postfix <= 3.2).
10379              This feature is available in Postfix 2.1 and later.
10380
10381       Other restrictions that are valid in this context:
10382
10383       ·      Generic restrictions that can be used in any SMTP  command  con‐
10384              text, described under smtpd_client_restrictions.
10385
10386       ·      SMTP    command    specific    restrictions    described   under
10387              smtpd_client_restrictions and smtpd_helo_restrictions.
10388
10389       ·      SMTP command specific restrictions described under smtpd_recipi‐
10390              ent_restrictions.  When  recipient restrictions are listed under
10391              smtpd_sender_restrictions,   they   have   effect   only    with
10392              "smtpd_delay_reject  =  yes", so that $smtpd_sender_restrictions
10393              is evaluated at the time of the RCPT TO command.
10394
10395       Examples:
10396
10397       smtpd_sender_restrictions = reject_unknown_sender_domain
10398       smtpd_sender_restrictions = reject_unknown_sender_domain,
10399           check_sender_access hash:/etc/postfix/access
10400

smtpd_service_name (default: smtpd)

10402       The internal service that postscreen(8) hands off  allowed  connections
10403       to. In a future version there may be different classes of SMTP service.
10404
10405       This feature is available in Postfix 2.8.
10406

smtpd_soft_error_limit (default: 10)

10408       The  number  of  errors a remote SMTP client is allowed to make without
10409       delivering mail before the Postfix  SMTP  server  slows  down  all  its
10410       responses.
10411
10412       ·      With  Postfix  version  2.1  and  later, the Postfix SMTP server
10413              delays all responses by $smtpd_error_sleep_time seconds.
10414
10415       ·      With Postfix versions 2.0 and earlier, the Postfix  SMTP  server
10416              delays all responses by (number of errors) seconds.
10417

smtpd_starttls_timeout (default: see postconf -d output)

10419       The time limit for Postfix SMTP server write and read operations during
10420       TLS startup and shutdown  handshake  procedures.  The  current  default
10421       value  is stress-dependent. Before Postfix version 2.8, it was fixed at
10422       300s.
10423
10424       This feature is available in Postfix 2.2 and later.
10425

smtpd_timeout (default: normal: 300s, overload: 10s)

10427       The time limit for sending a  Postfix  SMTP  server  response  and  for
10428       receiving  a  remote SMTP client request. Normally the default limit is
10429       300s, but it changes under overload to just 10s. With Postfix  2.5  and
10430       earlier, the SMTP server always uses a time limit of 300s by default.
10431
10432       Note:  if you set SMTP time limits to very large values you may have to
10433       update the global ipc_timeout parameter.
10434
10435       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
10436       The default time unit is s (seconds).
10437

smtpd_tls_CAfile (default: empty)

10439       A  file  containing (PEM format) CA certificates of root CAs trusted to
10440       sign either remote SMTP client certificates or intermediate CA certifi‐
10441       cates.   These are loaded into memory before the smtpd(8) server enters
10442       the chroot jail. If the number of  trusted  roots  is  large,  consider
10443       using smtpd_tls_CApath instead, but note that the latter directory must
10444       be present in the chroot jail if the smtpd(8) server is chrooted.  This
10445       file  may  also  be used to augment the server certificate trust chain,
10446       but it is best to include all the required certificates directly in the
10447       server certificate file.
10448
10449       Specify  "smtpd_tls_CAfile  =  /path/to/system_CA_file" to use ONLY the
10450       system-supplied default Certification Authority certificates.
10451
10452       Specify "tls_append_default_CA = no" to prevent Postfix from  appending
10453       the system-supplied default CAs and trusting third-party certificates.
10454
10455       By  default  (see  smtpd_tls_ask_ccert),  client  certificates  are not
10456       requested, and smtpd_tls_CAfile should remain empty. If you do make use
10457       of client certificates, the distinguished names (DNs) of the Certifica‐
10458       tion Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP
10459       client  in  the  client certificate request message. MUAs with multiple
10460       client certificates may use the list of preferred Certification Author‐
10461       ities  to  select  the correct client certificate.  You may want to put
10462       your "preferred" CA or CAs in this file, and install other trusted  CAs
10463       in $smtpd_tls_CApath.
10464
10465       Example:
10466
10467       smtpd_tls_CAfile = /etc/postfix/CAcert.pem
10468
10469       This feature is available in Postfix 2.2 and later.
10470

smtpd_tls_CApath (default: empty)

10472       A directory containing (PEM format) CA certificates of root CAs trusted
10473       to sign either remote SMTP client certificates or intermediate CA  cer‐
10474       tificates. Do not forget to create the necessary "hash" links with, for
10475       example,  "$OPENSSL_HOME/bin/c_rehash   /etc/postfix/certs".   To   use
10476       smtpd_tls_CApath  in  chroot  mode,  this directory (or a copy) must be
10477       inside the chroot jail.
10478
10479       Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to  use  ONLY
10480       the system-supplied default Certification Authority certificates.
10481
10482       Specify  "tls_append_default_CA = no" to prevent Postfix from appending
10483       the system-supplied default CAs and trusting third-party certificates.
10484
10485       By default  (see  smtpd_tls_ask_ccert),  client  certificates  are  not
10486       requested,  and  smtpd_tls_CApath  should  remain empty. In contrast to
10487       smtpd_tls_CAfile,  DNs  of  Certification  Authorities   installed   in
10488       $smtpd_tls_CApath  are  not  included in the client certificate request
10489       message. MUAs with multiple client certificates may  use  the  list  of
10490       preferred  Certification  Authorities to select the correct client cer‐
10491       tificate.   You  may  want  to  put  your  "preferred"  CA  or  CAs  in
10492       $smtpd_tls_CAfile,   and   install   the   remaining   trusted  CAs  in
10493       $smtpd_tls_CApath.
10494
10495       Example:
10496
10497       smtpd_tls_CApath = /etc/postfix/certs
10498
10499       This feature is available in Postfix 2.2 and later.
10500

smtpd_tls_always_issue_session_ids (default: yes)

10502       Force the Postfix SMTP server to issue a TLS session id, even when  TLS
10503       session  caching  is  turned  off  (smtpd_tls_session_cache_database is
10504       empty). This behavior is compatible with Postfix < 2.3.
10505
10506       With Postfix 2.3 and later the Postfix SMTP server can disable  session
10507       id generation when TLS session caching is turned off. This keeps remote
10508       SMTP clients from caching sessions  that  almost  certainly  cannot  be
10509       re-used.
10510
10511       By  default,  the Postfix SMTP server always generates TLS session ids.
10512       This works around a known defect in mail client applications such as MS
10513       Outlook, and may also prevent interoperability issues with other MTAs.
10514
10515       Example:
10516
10517       smtpd_tls_always_issue_session_ids = no
10518
10519       This feature is available in Postfix 2.3 and later.
10520

smtpd_tls_ask_ccert (default: no)

10522       Ask  a remote SMTP client for a client certificate. This information is
10523       needed for certificate based mail relaying with, for example, the  per‐
10524       mit_tls_clientcerts feature.
10525
10526       Some clients such as Netscape will either complain if no certificate is
10527       available (for the list of CAs in $smtpd_tls_CAfile) or will offer mul‐
10528       tiple client certificates to choose from. This may be annoying, so this
10529       option is "off" by default.
10530
10531       This feature is available in Postfix 2.2 and later.
10532

smtpd_tls_auth_only (default: no)

10534       When TLS encryption is optional in the  Postfix  SMTP  server,  do  not
10535       announce or accept SASL authentication over unencrypted connections.
10536
10537       This feature is available in Postfix 2.2 and later.
10538

smtpd_tls_ccert_verifydepth (default: 9)

10540       The  verification depth for remote SMTP client certificates. A depth of
10541       1 is sufficient if the issuing CA is listed in a local CA file.
10542
10543       The default verification depth is 9 (the OpenSSL default) for  compati‐
10544       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
10545       value was 5, but the limit was not actually enforced. If you  have  set
10546       this  to  a  lower  non-default  value,  certificates with longer trust
10547       chains may now fail to verify. Certificate chains with 1 or 2  CAs  are
10548       common,  deeper  chains  are  more  rare and any number between 5 and 9
10549       should suffice in practice. You can choose a lower number if, for exam‐
10550       ple,  you  trust  certificates directly signed by an issuing CA but not
10551       any CAs it delegates to.
10552
10553       This feature is available in Postfix 2.2 and later.
10554

smtpd_tls_cert_file (default: empty)

10556       File with the Postfix SMTP server RSA certificate in PEM format.   This
10557       file  may  also  contain the Postfix SMTP server private RSA key.  With
10558       Postfix >= 3.4 the preferred way to configure server keys and  certifi‐
10559       cates is via the "smtpd_tls_chain_files" parameter.
10560
10561       Public  Internet  MX hosts without certificates signed by a "reputable"
10562       CA must generate, and  be  prepared  to  present  to  most  clients,  a
10563       self-signed  or  private-CA  signed certificate. The client will not be
10564       able to authenticate the server, but unless it is running  Postfix  2.3
10565       or similar software, it will still insist on a server certificate.
10566
10567       For  servers  that  are  not public Internet MX hosts, Postfix supports
10568       configurations with no certificates. This entails the use of  just  the
10569       anonymous TLS ciphers, which are not supported by typical SMTP clients.
10570       Since some clients may not fall back to plain text after  a  TLS  hand‐
10571       shake failure, a certificate-less Postfix SMTP server will be unable to
10572       receive email from some TLS-enabled clients. To avoid  accidental  con‐
10573       figurations  with  no  certificates,  Postfix  enables certificate-less
10574       operation    only    when    the    administrator    explicitly    sets
10575       "smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server
10576       configurations will not accidentally enable TLS without certificates.
10577
10578       Note that server certificates are not optional in TLS 1.3. To run with‐
10579       out  certificates you'd have to disable the TLS 1.3 protocol by includ‐
10580       ing   '!TLSv1.3'   in   "smtpd_tls_protocols"    and    perhaps    also
10581       "smtpd_tls_mandatory_protocols".  It is simpler instead to just config‐
10582       ure a certificate chain.   Certificate-less  operation  is  not  recom‐
10583       mended.
10584
10585       Both  RSA  and  DSA  certificates  are  supported.  When both types are
10586       present, the cipher used determines which certificate will be presented
10587       to the client.  For Netscape and OpenSSL clients without special cipher
10588       choices the RSA certificate is preferred.
10589
10590       To enable a remote SMTP client to verify the Postfix SMTP  server  cer‐
10591       tificate,  the  issuing  CA  certificates must be made available to the
10592       client. You should include the required certificates in the server cer‐
10593       tificate  file,  the  server  certificate first, then the issuing CA(s)
10594       (bottom-up order).
10595
10596       Example: the certificate for "server.example.com" was issued by "inter‐
10597       mediate  CA"  which  itself has a certificate of "root CA".  Create the
10598       server.pem   file   with   "cat   server_cert.pem   intermediate_CA.pem
10599       root_CA.pem > server.pem".
10600
10601       If you also want to verify client certificates issued by these CAs, you
10602       can add the CA certificates to the smtpd_tls_CAfile, in which  case  it
10603       is   not   necessary   to   have   them   in  the  smtpd_tls_cert_file,
10604       smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.
10605
10606       A certificate supplied here must be usable as an SSL server certificate
10607       and hence pass the "openssl verify -purpose sslserver ..." test.
10608
10609       Example:
10610
10611       smtpd_tls_cert_file = /etc/postfix/server.pem
10612
10613       This feature is available in Postfix 2.2 and later.
10614

smtpd_tls_chain_files (default: empty)

10616       List  of  one  or more PEM files, each holding one or more private keys
10617       directly followed by a corresponding certificate chain.  The file names
10618       are  separated  by  commas and/or whitespace.  This parameter obsoletes
10619       the legacy algorithm-specific key and certificate file settings.   When
10620       this  parameter  is non-empty, the legacy parameters are ignored, and a
10621       warning is logged if any are also non-empty.
10622
10623       With the proliferation of multiple private key algorithms-which, as  of
10624       OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448-it
10625       is increasingly impractical to use separate parameters to configure the
10626       key  and  certificate chain for each algorithm.  Therefore, Postfix now
10627       supports storing multiple keys and corresponding certificate chains  in
10628       a single file or in a set of files.
10629
10630       Each  key must appear immediately before the corresponding certificate,
10631       optionally followed by additional issuer certificates that complete the
10632       certificate  chain  for  that  key.  When multiple files are specified,
10633       they are equivalent to a single file that is  concatenated  from  those
10634       files  in  the  given order.  Thus, while a key must always precede its
10635       certificate and issuer chain, it can be in a separate file, so long  as
10636       that  file  is listed immediately before the file that holds the corre‐
10637       sponding certificate chain.  Once all the files are  concatenated,  the
10638       sequence  of  PEM  objects must be: key1, cert1, [chain1], key2, cert2,
10639       [chain2], ..., keyN, certN, [chainN].
10640
10641       Storing the private key in the same file as the corresponding  certifi‐
10642       cate is more reliable.  With the key and certificate in separate files,
10643       there is a chance that during key rollover a Postfix process might load
10644       a  private  key  and  certificate from separate files that don't match.
10645       Various operational errors may even result in a persistent broken  con‐
10646       figuration in which the certificate does not match the private key.
10647
10648       The  file  or files must contain at most one key of each type.  If, for
10649       example, two or more RSA keys  and  corresponding  chains  are  listed,
10650       depending  on  the  version of OpenSSL either only the last one will be
10651       used or an configuration  error  may  be  detected.   Note  that  while
10652       "Ed25519"  and  "Ed448" are considered separate algorithms, the various
10653       ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1)  are
10654       considered as different parameters of a single "ECDSA" algorithm, so it
10655       is not presently possible to configure keys for  more  than  one  ECDSA
10656       curve.
10657
10658       RSA  is  still  the  most  widely supported algorithm.  Presently (late
10659       2018), ECDSA support is common, but not yet universal, and Ed25519  and
10660       Ed448 support is mostly absent.  Therefore, an RSA key should generally
10661       be configured, along with any additional keys for the other  algorithms
10662       when desired.
10663
10664       Example  (separate  files  for  each  key and corresponding certificate
10665       chain):
10666
10667           /etc/postfix/main.cf:
10668               smtpd_tls_chain_files =
10669                   ${config_directory}/ed25519.pem,
10670                   ${config_directory}/ed448.pem,
10671                   ${config_directory}/rsa.pem
10672
10673           /etc/postfix/ed25519.pem:
10674               -----BEGIN PRIVATE KEY-----
10675               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
10676               -----END PRIVATE KEY-----
10677               -----BEGIN CERTIFICATE-----
10678               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
10679               ...
10680               nC0egv51YPDWxEHom4QA
10681               -----END CERTIFICATE-----
10682
10683           /etc/postfix/ed448.pem:
10684               -----BEGIN PRIVATE KEY-----
10685               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
10686               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
10687               -----END PRIVATE KEY-----
10688               -----BEGIN CERTIFICATE-----
10689               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
10690               ...
10691               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
10692               -----END CERTIFICATE-----
10693
10694           /etc/postfix/rsa.pem:
10695               -----BEGIN PRIVATE KEY-----
10696               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
10697               ...
10698               ahQkZ3+krcaJvDSMgvu0tDc=
10699               -----END PRIVATE KEY-----
10700               -----BEGIN CERTIFICATE-----
10701               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
10702               ...
10703               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
10704               -----END CERTIFICATE-----
10705
10706       Example (all keys and certificates in a single file):
10707
10708           /etc/postfix/main.cf:
10709               smtpd_tls_chain_files = ${config_directory}/chains.pem
10710
10711           /etc/postfix/chains.pem:
10712               -----BEGIN PRIVATE KEY-----
10713               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
10714               -----END PRIVATE KEY-----
10715               -----BEGIN CERTIFICATE-----
10716               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
10717               ...
10718               nC0egv51YPDWxEHom4QA
10719               -----END CERTIFICATE-----
10720               -----BEGIN PRIVATE KEY-----
10721               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
10722               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
10723               -----END PRIVATE KEY-----
10724               -----BEGIN CERTIFICATE-----
10725               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
10726               ...
10727               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
10728               -----END CERTIFICATE-----
10729               -----BEGIN PRIVATE KEY-----
10730               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
10731               ...
10732               ahQkZ3+krcaJvDSMgvu0tDc=
10733               -----END PRIVATE KEY-----
10734               -----BEGIN CERTIFICATE-----
10735               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
10736               ...
10737               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
10738               -----END CERTIFICATE-----
10739
10740       This feature is available in Postfix 3.4 and later.
10741

smtpd_tls_cipherlist (default: empty)

10743       Obsolete Postfix < 2.3 control for the Postfix SMTP server  TLS  cipher
10744       list.  It  is  easy  to  create interoperability problems by choosing a
10745       non-default cipher list. Do not use a non-default TLS cipherlist for MX
10746       hosts on the public Internet. Clients that begin the TLS handshake, but
10747       are unable to agree on a common cipher, may not be  able  to  send  any
10748       email  to  the  SMTP server. Using a restricted cipher list may be more
10749       appropriate for a dedicated MSA or an internal mailhub, where  one  can
10750       exert some control over the TLS software and settings of the connecting
10751       clients.
10752
10753       Note: do not use "" quotes around the parameter value.
10754
10755       This feature is available with Postfix version 2.2. It is not used with
10756       Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.
10757

smtpd_tls_ciphers (default: medium)

10759       The minimum TLS cipher grade that the Postfix SMTP server will use with
10760       opportunistic    TLS    encryption.    Cipher    types    listed     in
10761       smtpd_tls_exclude_ciphers  are excluded from the base definition of the
10762       selected cipher grade.  The  default  value  is  "medium"  for  Postfix
10763       releases after the middle of 2015, "export" for older releases.
10764
10765       When   TLS   is   mandatory   the   cipher  grade  is  chosen  via  the
10766       smtpd_tls_mandatory_ciphers configuration parameter, see there for syn‐
10767       tax details.
10768
10769       This  feature is available in Postfix 2.6 and later. With earlier Post‐
10770       fix releases only the smtpd_tls_mandatory_ciphers parameter  is  imple‐
10771       mented, and opportunistic TLS always uses "export" or better (i.e. all)
10772       ciphers.
10773

smtpd_tls_dcert_file (default: empty)

10775       File with the Postfix SMTP server DSA certificate in PEM format.   This
10776       file may also contain the Postfix SMTP server private DSA key.  The DSA
10777       algorithm is obsolete and should not be used.
10778
10779       See the discussion under smtpd_tls_cert_file for more details.
10780
10781       Example:
10782
10783       smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
10784
10785       This feature is available in Postfix 2.2 and later.
10786

smtpd_tls_dh1024_param_file (default: empty)

10788       File with DH parameters that the Postfix SMTP server  should  use  with
10789       non-export EDH ciphers.
10790
10791       Instead  of  using  the  exact  same parameter sets as distributed with
10792       other TLS packages, it is more secure  to  generate  your  own  set  of
10793       parameters with something like the following commands:
10794
10795           openssl dhparam -out /etc/postfix/dh512.pem 512
10796           openssl dhparam -out /etc/postfix/dh1024.pem 1024
10797           openssl dhparam -out /etc/postfix/dh2048.pem 2048
10798
10799       It  is  safe  to  share the same DH parameters between multiple Postfix
10800       instances.  If you prefer, you can  generate  separate  parameters  for
10801       each instance.
10802
10803       If  you  want  to  take maximal advantage of ciphers that offer forward
10804       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
10805       full document conveniently presents all information about Postfix "per‐
10806       fect" forward secrecy support in one place: what  forward  secrecy  is,
10807       how to tweak settings, and what you can expect to see when Postfix uses
10808       ciphers with forward secrecy.
10809
10810       Example:
10811
10812       smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
10813
10814       This feature is available with Postfix version 2.2.
10815

smtpd_tls_dh512_param_file (default: empty)

10817       File with DH parameters that the Postfix SMTP server  should  use  with
10818       export-grade  EDH  ciphers.   The  default  SMTP server cipher grade is
10819       "medium" with Postfix releases after the  middle  of  2015,  and  as  a
10820       result export-grade cipher suites are by default not used.
10821
10822       See  also the discussion under the smtpd_tls_dh1024_param_file configu‐
10823       ration parameter.
10824
10825       Example:
10826
10827       smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
10828
10829       This feature is available with Postfix version 2.2.
10830

smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)

10832       File with the Postfix SMTP server DSA private key in PEM format.   This
10833       file  may be combined with the Postfix SMTP server DSA certificate file
10834       specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete and
10835       should not be used.
10836
10837       The  private key must be accessible without a pass-phrase, i.e. it must
10838       not be encrypted. File permissions should grant read-only access to the
10839       system superuser account ("root"), and no access to anyone else.
10840
10841       This feature is available in Postfix 2.2 and later.
10842

smtpd_tls_eccert_file (default: empty)

10844       File  with  the  Postfix  SMTP  server ECDSA certificate in PEM format.
10845       This file may also contain the Postfix SMTP server private  ECDSA  key.
10846       With Postfix >= 3.4 the preferred way to configure server keys and cer‐
10847       tificates is via the "smtpd_tls_chain_files" parameter.
10848
10849       See the discussion under smtpd_tls_cert_file for more details.
10850
10851       Example:
10852
10853       smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
10854
10855       This feature is available in Postfix 2.6 and  later,  when  Postfix  is
10856       compiled and linked with OpenSSL 1.0.0 or later.
10857

smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)

10859       File  with  the  Postfix  SMTP  server ECDSA private key in PEM format.
10860       This file may be combined with the Postfix SMTP server  ECDSA  certifi‐
10861       cate  file  specified with $smtpd_tls_eccert_file.  With Postfix >= 3.4
10862       the preferred way to configure server keys and certificates is via  the
10863       "smtpd_tls_chain_files" parameter.
10864
10865       The  private key must be accessible without a pass-phrase, i.e. it must
10866       not be encrypted. File permissions should grant read-only access to the
10867       system superuser account ("root"), and no access to anyone else.
10868
10869       This  feature  is  available  in Postfix 2.6 and later, when Postfix is
10870       compiled and linked with OpenSSL 1.0.0 or later.
10871

smtpd_tls_eecdh_grade (default: see postconf -d output)

10873       The Postfix SMTP server security  grade  for  ephemeral  elliptic-curve
10874       Diffie-Hellman (EECDH) key exchange.
10875
10876       The available choices are:
10877
10878       none   Don't  use  EECDH.  Ciphers  based on EECDH key exchange will be
10879              disabled. This is the default in Postfix versions 2.6 and 2.7.
10880
10881       strong Use EECDH with approximately 128 bits of security at  a  reason‐
10882              able  computational  cost.  This  is  the  current best-practice
10883              trade-off between security and computational efficiency. This is
10884              the default in Postfix version 2.8 and later.
10885
10886       ultra  Use  EECDH  with  approximately 192 bits of security at computa‐
10887              tional cost that is approximately  twice  as  high  as  128  bit
10888              strength  ECC. Barring significant progress in attacks on ellip‐
10889              tic curve crypto-systems, the "strong" curve is  sufficient  for
10890              most users.
10891
10892       auto   Use  the  most  preferred  curve  that  is supported by both the
10893              client and the server.  This setting  requires  Postfix  >=  3.2
10894              compiled  and linked with OpenSSL >= 1.0.2.  This is the default
10895              setting under the above conditions.
10896
10897       If you want to take maximal advantage of  ciphers  that  offer  forward
10898       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
10899       full document conveniently presents all information about Postfix "per‐
10900       fect"  forward  secrecy  support in one place: what forward secrecy is,
10901       how to tweak settings, and what you can expect to see when Postfix uses
10902       ciphers with forward secrecy.
10903
10904       This feature is available in Postfix 2.6 and later, when it is compiled
10905       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
10906       have not been disabled by the vendor.
10907

smtpd_tls_exclude_ciphers (default: empty)

10909       List  of ciphers or cipher types to exclude from the SMTP server cipher
10910       list at all TLS security levels. Excluding  valid  ciphers  can  create
10911       interoperability  problems.  DO NOT exclude ciphers unless it is essen‐
10912       tial to do so. This is not an OpenSSL cipherlist; it is a  simple  list
10913       separated  by  whitespace  and/or  commas.  The  elements  are a single
10914       cipher, or one or more "+" separated cipher properties, in  which  case
10915       only ciphers matching all the properties are excluded.
10916
10917       Examples (some of these will cause problems):
10918
10919           smtpd_tls_exclude_ciphers = aNULL
10920           smtpd_tls_exclude_ciphers = MD5, DES
10921           smtpd_tls_exclude_ciphers = DES+MD5
10922           smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
10923           smtpd_tls_exclude_ciphers = kEDH+aRSA
10924
10925       The first setting disables anonymous ciphers. The next setting disables
10926       ciphers that use the MD5 digest algorithm or the (single)  DES  encryp‐
10927       tion  algorithm. The next setting disables ciphers that use MD5 and DES
10928       together.  The next setting disables the two ciphers  "AES256-SHA"  and
10929       "DES-CBC3-MD5".  The  last  setting disables ciphers that use "EDH" key
10930       exchange with RSA authentication.
10931
10932       This feature is available in Postfix 2.3 and later.
10933

smtpd_tls_fingerprint_digest (default: md5)

10935       The message digest algorithm to construct remote  SMTP  client-certifi‐
10936       cate  fingerprints  or  public key fingerprints (Postfix 2.9 and later)
10937       for check_ccert_access and permit_tls_clientcerts.  The  default  algo‐
10938       rithm  is  md5, for backwards compatibility with Postfix releases prior
10939       to 2.5.
10940
10941       Advances in hash function cryptanalysis have led to  md5  being  depre‐
10942       cated in favor of sha1.  However, as long as there are no known "second
10943       pre-image" attacks against md5, its use in this context  can  still  be
10944       considered safe.
10945
10946       While  additional  digest algorithms are often available with OpenSSL's
10947       libcrypto, only those used by libssl in SSL cipher suites are available
10948       to Postfix.
10949
10950       To find the fingerprint of a specific certificate file, with a specific
10951       digest algorithm, run:
10952
10953           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
10954
10955       The text to the right of "=" sign  is  the  desired  fingerprint.   For
10956       example:
10957
10958           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
10959           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
10960
10961       To  extract  the  public key fingerprint from an X.509 certificate, you
10962       need to extract the public key from the  certificate  and  compute  the
10963       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
10964       key" option of the "x509" command extracts the  public  key  always  in
10965       "PEM"  format.  We pipe the result to another OpenSSL command that con‐
10966       verts the key to DER and then to the "dgst" command to compute the fin‐
10967       gerprint.
10968
10969       The  actual  command  to transform the key to DER format depends on the
10970       version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey"  com‐
10971       mand  supports  all  key types. With OpenSSL 0.9.8 and earlier, the key
10972       type is always RSA (nobody uses DSA, and EC keys  are  not  fully  sup‐
10973       ported by 0.9.8), so the "rsa" command is used.
10974
10975           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
10976           $ openssl x509 -in cert.pem -noout -pubkey |
10977               openssl pkey -pubin -outform DER |
10978               openssl dgst -sha1 -c
10979           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
10980
10981           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
10982           $ openssl x509 -in cert.pem -noout -pubkey |
10983               openssl rsa -pubin -outform DER |
10984               openssl dgst -md5 -c
10985           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
10986
10987       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
10988       gerprint and public key fingerprint when  the  TLS  loglevel  is  2  or
10989       higher.
10990
10991       Note:  Postfix  2.9.0-2.9.5  computed the public key fingerprint incor‐
10992       rectly. To use public-key fingerprints, upgrade  to  Postfix  2.9.6  or
10993       later.
10994
10995       Example: client-certificate access table, with sha1 fingerprints:
10996
10997           /etc/postfix/main.cf:
10998               smtpd_tls_fingerprint_digest = sha1
10999               smtpd_client_restrictions =
11000                   check_ccert_access hash:/etc/postfix/access,
11001                   reject
11002           /etc/postfix/access:
11003               # Action folded to next line...
11004               AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
11005                   OK
11006               85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
11007                   permit_auth_destination
11008
11009       This feature is available in Postfix 2.5 and later.
11010

smtpd_tls_key_file (default: $smtpd_tls_cert_file)

11012       File  with the Postfix SMTP server RSA private key in PEM format.  This
11013       file may be combined with the Postfix SMTP server RSA certificate  file
11014       specified with $smtpd_tls_cert_file.  With Postfix >= 3.4 the preferred
11015       way  to  configure  server   keys   and   certificates   is   via   the
11016       "smtpd_tls_chain_files" parameter.
11017
11018       The  private key must be accessible without a pass-phrase, i.e. it must
11019       not be encrypted. File permissions should grant read-only access to the
11020       system superuser account ("root"), and no access to anyone else.
11021

smtpd_tls_loglevel (default: 0)

11023       Enable  additional  Postfix  SMTP server logging of TLS activity.  Each
11024       logging level also includes the information that is logged at  a  lower
11025       logging level.
11026
11027              0 Disable logging of TLS activity.
11028
11029              1  Log  only  a summary message on TLS handshake completion - no
11030              logging of client certificate trust-chain verification errors if
11031              client  certificate  verification is not required.  With Postfix
11032              2.8 and earlier, log the summary message, peer certificate  sum‐
11033              mary  information  and unconditionally log trust-chain verifica‐
11034              tion errors.
11035
11036              2 Also log levels during TLS negotiation.
11037
11038              3 Also  log  hexadecimal  and  ASCII  dump  of  TLS  negotiation
11039              process.
11040
11041              4  Also  log hexadecimal and ASCII dump of complete transmission
11042              after STARTTLS.
11043
11044       Do not use "smtpd_tls_loglevel = 2" or higher except in case  of  prob‐
11045       lems. Use of loglevel 4 is strongly discouraged.
11046
11047       This feature is available in Postfix 2.2 and later.
11048

smtpd_tls_mandatory_ciphers (default: medium)

11050       The minimum TLS cipher grade that the Postfix SMTP server will use with
11051       mandatory TLS encryption. The default grade ("medium") is  sufficiently
11052       strong  that  any  benefit  from globally restricting TLS sessions to a
11053       more stringent grade is likely negligible, especially  given  the  fact
11054       that  many  implementations  still  do  not  offer any stronger ("high"
11055       grade) ciphers, while those that  do,  will  always  use  "high"  grade
11056       ciphers. So insisting on "high" grade ciphers is generally counter-pro‐
11057       ductive. Allowing "export" or "low" ciphers is  typically  not  a  good
11058       idea,  as  systems  limited  to  just  these  are  limited  to obsolete
11059       browsers. No known SMTP clients fail to support at least  one  "medium"
11060       or "high" grade cipher.
11061
11062       The following cipher grades are supported:
11063
11064       export Enable "EXPORT" grade or stronger OpenSSL ciphers.  The underly‐
11065              ing cipherlist is specified via the  tls_export_cipherlist  con‐
11066              figuration  parameter,  which you are strongly encouraged to not
11067              change.  This choice is insecure and SHOULD NOT be used.
11068
11069       low    Enable "LOW" grade or stronger OpenSSL ciphers.  The  underlying
11070              cipherlist is specified via the tls_low_cipherlist configuration
11071              parameter, which you are  strongly  encouraged  to  not  change.
11072              This choice is insecure and SHOULD NOT be used.
11073
11074       medium Enable  "MEDIUM"  grade  or  stronger OpenSSL ciphers. These use
11075              128-bit or longer symmetric bulk-encryption keys.  This  is  the
11076              default  minimum  strength  for  mandatory  TLS  encryption. The
11077              underlying cipherlist is specified via the tls_medium_cipherlist
11078              configuration  parameter,  which  you are strongly encouraged to
11079              not change.
11080
11081       high   Enable  only  "HIGH"  grade  OpenSSL  ciphers.  The   underlying
11082              cipherlist  is  specified via the tls_high_cipherlist configura‐
11083              tion parameter, which you are strongly encouraged to not change.
11084
11085       null   Enable only the "NULL" OpenSSL ciphers, these provide  authenti‐
11086              cation  without encryption.  This setting is only appropriate in
11087              the rare case that all clients are prepared to use NULL  ciphers
11088              (not normally enabled in TLS clients). The underlying cipherlist
11089              is specified via the tls_null_cipherlist  configuration  parame‐
11090              ter, which you are strongly encouraged to not change.
11091
11092       Cipher   types   listed   in   smtpd_tls_mandatory_exclude_ciphers   or
11093       smtpd_tls_exclude_ciphers are excluded from the base definition of  the
11094       selected  cipher  grade. See smtpd_tls_ciphers for cipher controls that
11095       apply to opportunistic TLS.
11096
11097       The underlying cipherlists for grades other than "null" include  anony‐
11098       mous ciphers, but these are automatically filtered out if the server is
11099       configured to ask for remote SMTP client certificates.   You  are  very
11100       unlikely  to  need to take any steps to exclude anonymous ciphers, they
11101       are excluded automatically as required.  If you must exclude  anonymous
11102       ciphers  even  when Postfix does not need or use peer certificates, set
11103       "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers  only
11104       when   TLS  is  enforced,  set  "smtpd_tls_mandatory_exclude_ciphers  =
11105       aNULL".
11106
11107       This feature is available in Postfix 2.3 and later.
11108

smtpd_tls_mandatory_exclude_ciphers (default: empty)

11110       Additional list of ciphers or cipher types to exclude from the  Postfix
11111       SMTP  server  cipher  list at mandatory TLS security levels.  This list
11112       works    in    addition    to    the     exclusions     listed     with
11113       smtpd_tls_exclude_ciphers (see there for syntax details).
11114
11115       This feature is available in Postfix 2.3 and later.
11116

smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

11118       The  SSL/TLS  protocols accepted by the Postfix SMTP server with manda‐
11119       tory TLS encryption. If the list is  empty,  the  server  supports  all
11120       available  SSL/TLS  protocol  versions.  A non-empty value is a list of
11121       protocol names separated by whitespace, commas  or  colons.   The  sup‐
11122       ported  protocol  names  are  "SSLv2", "SSLv3" and "TLSv1", and are not
11123       case sensitive. The default  value  is  "!SSLv2,  !SSLv3"  for  Postfix
11124       releases after the middle of 2015, "!SSLv2" for older releases.
11125
11126       With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
11127       col  exclusions.  One  can  explicitly  exclude  "SSLv2"   by   setting
11128       "smtpd_tls_mandatory_protocols  =  !SSLv2". To exclude both "SSLv2" and
11129       "SSLv3" set "smtpd_tls_mandatory_protocols = !SSLv2,  !SSLv3".  Listing
11130       the  protocols  to  include,  rather than protocols to exclude, is sup‐
11131       ported, but not recommended. The exclusion form  more  closely  matches
11132       the underlying OpenSSL interface semantics.
11133
11134       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
11135       "TLSv1.2". When Postfix <= 2.5  is  linked  against  OpenSSL  1.0.1  or
11136       later,  these,  or any other new protocol versions, cannot be disabled.
11137       The latest patch levels of Postfix >= 2.6, and all versions of  Postfix
11138       >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11139
11140       OpenSSL  1.1.1  introduces  support for "TLSv1.3".  With Postfix >= 3.4
11141       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11142       abled, if need be, via "!TLSv1.3".
11143
11144       Example:
11145
11146       # Preferred syntax with Postfix >= 2.5:
11147       smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
11148       # Legacy syntax:
11149       smtpd_tls_mandatory_protocols = TLSv1
11150
11151       This feature is available in Postfix 2.3 and later.
11152

smtpd_tls_protocols (default: !SSLv2, !SSLv3)

11154       List  of  TLS  protocols  that  the Postfix SMTP server will exclude or
11155       include  with  opportunistic  TLS  encryption.  The  default  value  is
11156       "!SSLv2,  !SSLv3"  for Postfix releases after the middle of 2015, empty
11157       for older releases allowing all protocols to be used with opportunistic
11158       TLS.  A non-empty value is a list of protocol names separated by white‐
11159       space, commas or colons.  The supported  protocol  names  are  "SSLv2",
11160       "SSLv3" and "TLSv1", and are not case sensitive.
11161
11162       Note:  As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
11163       "TLSv1.2". The latest patch levels of Postfix >= 2.6, and all  versions
11164       of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11165
11166       OpenSSL  1.1.1  introduces  support for "TLSv1.3".  With Postfix >= 3.4
11167       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11168       abled, if need be, via "!TLSv1.3".
11169
11170       To  include  a  protocol  list its name, to exclude it, prefix the name
11171       with a "!" character.  To  exclude  SSLv2  for  opportunistic  TLS  set
11172       "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
11173       "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing  the  proto‐
11174       cols  to  include,  rather than protocols to exclude, is supported, but
11175       not recommended.  The exclusion form more closely matches the  underly‐
11176       ing OpenSSL interface semantics.
11177
11178       Example:
11179       smtpd_tls_protocols = !SSLv2, !SSLv3
11180
11181       This feature is available in Postfix 2.6 and later.
11182

smtpd_tls_received_header (default: no)

11184       Request  that the Postfix SMTP server produces Received:  message head‐
11185       ers that include information about the protocol  and  cipher  used,  as
11186       well as the remote SMTP client CommonName and client certificate issuer
11187       CommonName.  This is disabled by default, as  the  information  may  be
11188       modified  in transit through other mail servers.  Only information that
11189       was recorded by the final destination can be trusted.
11190
11191       This feature is available in Postfix 2.2 and later.
11192

smtpd_tls_req_ccert (default: no)

11194       With mandatory TLS encryption, require a  trusted  remote  SMTP  client
11195       certificate  in order to allow TLS connections to proceed.  This option
11196       implies "smtpd_tls_ask_ccert = yes".
11197
11198       When TLS encryption is optional, this setting is ignored with a warning
11199       written to the mail log.
11200
11201       This feature is available in Postfix 2.2 and later.
11202

smtpd_tls_security_level (default: empty)

11204       The  SMTP  TLS  security  level  for  the  Postfix  SMTP server; when a
11205       non-empty value is specified, this overrides  the  obsolete  parameters
11206       smtpd_use_tls  and  smtpd_enforce_tls.  This  parameter is ignored with
11207       "smtpd_tls_wrappermode = yes".
11208
11209       Specify one of the following security levels:
11210
11211       none   TLS will not be used.
11212
11213       may    Opportunistic TLS: announce  STARTTLS  support  to  remote  SMTP
11214              clients, but do not require that clients use TLS encryption.
11215
11216       encrypt
11217              Mandatory  TLS  encryption:  announce STARTTLS support to remote
11218              SMTP clients, and  require  that  clients  use  TLS  encryption.
11219              According to RFC 2487 this MUST NOT be applied in case of a pub‐
11220              licly-referenced SMTP server. Instead,  this  option  should  be
11221              used only on dedicated servers.
11222
11223       Note  1:  the  "fingerprint", "verify" and "secure" levels are not sup‐
11224       ported here.  The Postfix SMTP server logs a warning and uses "encrypt"
11225       instead.  To verify remote SMTP client certificates, see TLS_README for
11226       a discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and  per‐
11227       mit_tls_clientcerts features.
11228
11229       Note  2:  The  parameter  setting  "smtpd_tls_security_level = encrypt"
11230       implies "smtpd_tls_auth_only = yes".
11231
11232       Note 3: when invoked via  "sendmail  -bs",  Postfix  will  never  offer
11233       STARTTLS  due  to  insufficient privileges to access the server private
11234       key. This is intended behavior.
11235
11236       This feature is available in Postfix 2.3 and later.
11237

smtpd_tls_session_cache_database (default: empty)

11239       Name of the file containing the optional Postfix SMTP server  TLS  ses‐
11240       sion  cache. Specify a database type that supports enumeration, such as
11241       btree or sdbm; there is no need to support concurrent access.  The file
11242       is  created if it does not exist. The smtpd(8) daemon does not use this
11243       parameter directly, rather the cache is implemented indirectly  in  the
11244       tlsmgr(8)  daemon.  This  means that per-smtpd-instance master.cf over‐
11245       rides of this parameter are not effective. Note, that each of the cache
11246       databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
11247       base, $smtp_tls_session_cache_database (and with Postfix 2.3 and  later
11248       $lmtp_tls_session_cache_database), needs to be stored separately. It is
11249       not at this time possible to store multiple caches in  a  single  data‐
11250       base.
11251
11252       Note:  dbm  databases  are  not  suitable.  TLS session objects are too
11253       large.
11254
11255       As of version 2.5, Postfix no longer uses root privileges when  opening
11256       this  file.  The  file  should  now  be  stored under the Postfix-owned
11257       data_directory. As a migration aid, an attempt to open the file under a
11258       non-Postfix  directory  is  redirected to the Postfix-owned data_direc‐
11259       tory, and a warning is logged.
11260
11261       As of Postfix 2.11 the preferred mechanism for  session  resumption  is
11262       RFC  5077 TLS session tickets, which don't require server-side storage.
11263       Consequently, for Postfix >= 2.11 this parameter  should  generally  be
11264       left  empty.   TLS session tickets require an OpenSSL library (at least
11265       version 0.9.8h) that provides full support for this TLS extension.  See
11266       also smtpd_tls_session_cache_timeout.
11267
11268       Example:
11269
11270       smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
11271
11272       This feature is available in Postfix 2.2 and later.
11273

smtpd_tls_session_cache_timeout (default: 3600s)

11275       The  expiration  time of Postfix SMTP server TLS session cache informa‐
11276       tion. A cache cleanup is performed periodically  every  $smtpd_tls_ses‐
11277       sion_cache_timeout  seconds. As with $smtpd_tls_session_cache_database,
11278       this parameter is implemented in the  tlsmgr(8)  daemon  and  therefore
11279       per-smtpd-instance master.cf overrides are not possible.
11280
11281       As  of  Postfix 2.11 this setting cannot exceed 100 days.  If set <= 0,
11282       session caching is disabled, not just via the database,  but  also  via
11283       RFC  5077 TLS session tickets, which don't require server-side storage.
11284       If set to a positive value less than 2 minutes, the minimum value of  2
11285       minutes  is  used  instead.   TLS  session  tickets  require an OpenSSL
11286       library (at least version 0.9.8h) that provides full support  for  this
11287       TLS extension.
11288
11289       This feature is available in Postfix 2.2 and later, and updated for TLS
11290       session ticket support in Postfix 2.11.
11291

smtpd_tls_wrappermode (default: no)

11293       Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
11294       of using the STARTTLS command.
11295
11296       If  you  want  to  support  this service, enable a special port in mas‐
11297       ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
11298       command line. Port 465 (smtps) was once chosen for this purpose.
11299
11300       This feature is available in Postfix 2.2 and later.
11301

smtpd_upstream_proxy_protocol (default: empty)

11303       The  name  of the proxy protocol used by an optional before-smtpd proxy
11304       agent. When a proxy agent is used,  this  protocol  conveys  local  and
11305       remote       address      and      port      information.       Specify
11306       "smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy  proto‐
11307       col.
11308
11309       NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
11310       with smtpd_authorized_xclient_hosts. This supports SASL  authentication
11311       in the proxy agent (Postfix 2.9 and later).
11312
11313       This feature is available in Postfix 2.10 and later.
11314

smtpd_upstream_proxy_timeout (default: 5s)

11316       The   time   limit   for   the   proxy   protocol  specified  with  the
11317       smtpd_upstream_proxy_protocol parameter.
11318
11319       This feature is available in Postfix 2.10 and later.
11320

smtpd_use_tls (default: no)

11322       Opportunistic TLS: announce STARTTLS support to  remote  SMTP  clients,
11323       but do not require that clients use TLS encryption.
11324
11325       Note:  when invoked via "sendmail -bs", Postfix will never offer START‐
11326       TLS due to insufficient privileges to access the  server  private  key.
11327       This is intended behavior.
11328
11329       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
11330       and later use smtpd_tls_security_level instead.
11331

smtputf8_autodetect_classes (default: sendmail, verify)

11333       Detect that a message requires SMTPUTF8 support for the specified  mail
11334       origin classes.  This is a workaround to avoid chicken-and-egg problems
11335       during the initial SMTPUTF8 roll-out in environments with  pre-existing
11336       mail flows that contain UTF8. Those mail flows should not break because
11337       Postfix suddenly refuses to deliver such mail to down-stream MTAs  that
11338       don't announce SMTPUTF8 support.
11339
11340       The problem is that Postfix cannot rely solely on the sender's declara‐
11341       tion that a message requires SMTPUTF8  support,  because  UTF8  may  be
11342       introduced during local processing (for example, the client hostname in
11343       Postfix's Received: header,  adding  @$myorigin  or  .$mydomain  to  an
11344       incomplete  address,  address rewriting, alias expansion, automatic BCC
11345       recipients, local forwarding, and changes made by header checks or Mil‐
11346       ter applications).
11347
11348       For  now,  the  default  is to enable "SMTPUTF8 required" autodetection
11349       only for Postfix sendmail command-line submissions and address  verifi‐
11350       cation  probes.   This  may change once SMTPUTF8 support achieves world
11351       domination.  However, sites that add UTF8 content via local  processing
11352       (see  above)  should  autodetect  the need for SMTPUTF8 support for all
11353       email.
11354
11355       Specify one or more of the following:
11356
11357        sendmail
11358              Submission with the Postfix sendmail(1) command.
11359
11360        smtpd Mail received with the smtpd(8) daemon.
11361
11362        qmqpd Mail received with the qmqpd(8) daemon.
11363
11364        forward
11365              Local forwarding or aliasing.  When a message is  received  with
11366              "SMTPUTF8 required", then the forwarded (aliased) message always
11367              has "SMTPUTF8 required".
11368
11369        bounce
11370              Submission by the bounce(8) daemon.  When a message is  received
11371              with  "SMTPUTF8 required", then the delivery status notification
11372              always has "SMTPUTF8 required".
11373
11374        notify
11375              Postmaster notification from the smtp(8) or smtpd(8) daemon.
11376
11377        verify
11378              Address verification probe from the verify(8) daemon.
11379
11380        all   Enable SMTPUTF8 autodetection for all mail.
11381
11382       This feature is available in Postfix 3.0 and later.
11383

smtputf8_enable (default: yes)

11385       Enable preliminary SMTPUTF8 support for the protocols described in  RFC
11386       6531..6533. This requires that Postfix is built to support these proto‐
11387       cols.
11388
11389       This feature is available in Postfix 3.0 and later.
11390

soft_bounce (default: no)

11392       Safety net to keep mail queued that would otherwise be returned to  the
11393       sender.  This parameter disables locally-generated bounces, changes the
11394       handling of negative responses from remote servers, content filters  or
11395       plugins,  and prevents the Postfix SMTP server from rejecting mail per‐
11396       manently by changing 5xx reply codes into 4xx.  However, soft_bounce is
11397       no cure for address rewriting mistakes or mail routing mistakes.
11398
11399       Note:  "soft_bounce  =  yes"  is in some cases implemented by modifying
11400       server responses. Therefore, the response that Postfix logs may  differ
11401       from the response that Postfix actually sends or receives.
11402
11403       Example:
11404
11405       soft_bounce = yes
11406

stale_lock_time (default: 500s)

11408       The  time  after  which  a stale exclusive mailbox lockfile is removed.
11409       This is used for delivery to file or mailbox.
11410
11411       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
11412       The default time unit is s (seconds).
11413

stress (default: empty)

11415       This feature is documented in the STRESS_README document.
11416
11417       This feature is available in Postfix 2.5 and later.
11418

strict_7bit_headers (default: no)

11420       Reject  mail  with 8-bit text in message headers. This blocks mail from
11421       poorly written applications.
11422
11423       This feature should not be enabled on a general  purpose  mail  server,
11424       because it is likely to reject legitimate email.
11425
11426       This feature is available in Postfix 2.0 and later.
11427

strict_8bitmime (default: no)

11429       Enable both strict_7bit_headers and strict_8bitmime_body.
11430
11431       This  feature  should  not be enabled on a general purpose mail server,
11432       because it is likely to reject legitimate email.
11433
11434       This feature is available in Postfix 2.0 and later.
11435

strict_8bitmime_body (default: no)

11437       Reject 8-bit message body text  without  8-bit  MIME  content  encoding
11438       information.  This blocks mail from poorly written applications.
11439
11440       Unfortunately,  this  also rejects majordomo approval requests when the
11441       included request contains valid 8-bit MIME mail, and it rejects bounces
11442       from  mailers  that do not MIME encapsulate 8-bit content (for example,
11443       bounces from qmail or from old versions of Postfix).
11444
11445       This feature should not be enabled on a general  purpose  mail  server,
11446       because it is likely to reject legitimate email.
11447
11448       This feature is available in Postfix 2.0 and later.
11449

strict_mailbox_ownership (default: yes)

11451       Defer  delivery when a mailbox file is not owned by its recipient.  The
11452       default setting is not backwards compatible.
11453
11454       This feature is available in Postfix 2.5.3 and later.
11455

strict_mime_encoding_domain (default: no)

11457       Reject mail with invalid Content-Transfer-Encoding: information for the
11458       message/*  or  multipart/*  MIME  content types.  This blocks mail from
11459       poorly written software.
11460
11461       This feature should not be enabled on a general  purpose  mail  server,
11462       because it will reject mail after a single violation.
11463
11464       This feature is available in Postfix 2.0 and later.
11465

strict_rfc821_envelopes (default: no)

11467       Require  that addresses received in SMTP MAIL FROM and RCPT TO commands
11468       are enclosed with <>, and that those addresses do not contain  RFC  822
11469       style  comments  or phrases.  This stops mail from poorly written soft‐
11470       ware.
11471
11472       By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
11473       and RCPT TO addresses.
11474

strict_smtputf8 (default: no)

11476       Enable  stricter enforcement of the SMTPUTF8 protocol. The Postfix SMTP
11477       server accepts UTF8 sender or recipient addresses only when the  client
11478       requests an SMTPUTF8 mail transaction.
11479
11480       This feature is available in Postfix 3.0 and later.
11481

sun_mailtool_compatibility (default: no)

11483       Obsolete  SUN  mailtool  compatibility  feature.  Instead,  use  "mail‐
11484       box_delivery_lock = dotlock".
11485

swap_bangpath (default: yes)

11487       Enable the rewriting of "site!user" into "user@site".  This  is  neces‐
11488       sary  if  your machine is connected to UUCP networks.  It is enabled by
11489       default.
11490
11491       Note: with Postfix version 2.2, message header address  rewriting  hap‐
11492       pens only when one of the following conditions is true:
11493
11494       ·      The message is received with the Postfix sendmail(1) command,
11495
11496       ·      The  message  is  received  from  a  network client that matches
11497              $local_header_rewrite_clients,
11498
11499       ·      The  message   is   received   from   the   network,   and   the
11500              remote_header_rewrite_domain  parameter  specifies  a  non-empty
11501              value.
11502
11503       To   get   the   behavior   before   Postfix   version   2.2,   specify
11504       "local_header_rewrite_clients = static:all".
11505
11506       Example:
11507
11508       swap_bangpath = no
11509

syslog_facility (default: mail)

11511       The  syslog  facility of Postfix logging. Specify a facility as defined
11512       in syslog.conf(5). The default facility is "mail".
11513
11514       Warning: a non-default syslog_facility setting takes effect only  after
11515       a  Postfix process has completed initialization.  Errors during process
11516       initialization will be logged with the default facility.  Examples  are
11517       errors  while  parsing  the  command  line  arguments, and errors while
11518       accessing the Postfix main.cf configuration file.
11519

syslog_name (default: see postconf -d output)

11521       A prefix that is prepended to the process name in  syslog  records,  so
11522       that, for example, "smtpd" becomes "prefix/smtpd".
11523
11524       Warning:  a  non-default  syslog_name setting takes effect only after a
11525       Postfix process has completed  initialization.  Errors  during  process
11526       initialization  will  be  logged  with  the  default name. Examples are
11527       errors while parsing the  command  line  arguments,  and  errors  while
11528       accessing the Postfix main.cf configuration file.
11529

tcp_windowsize (default: 0)

11531       An  optional  workaround  for  routers  that  break TCP window scaling.
11532       Specify a value > 0 and < 65536 to enable this feature.   With  Postfix
11533       TCP  servers  (smtpd(8),  qmqpd(8)), this feature is implemented by the
11534       Postfix master(8) daemon.
11535
11536       To change this parameter without stopping Postfix, you  need  to  first
11537       terminate all Postfix TCP servers:
11538
11539           # postconf -e master_service_disable=inet
11540           # postfix reload
11541
11542       This  immediately  terminates all processes that accept network connec‐
11543       tions.  Next, you enable Postfix TCP servers with the updated  tcp_win‐
11544       dowsize setting:
11545
11546           # postconf -e tcp_windowsize=65535 master_service_disable=
11547           # postfix reload
11548
11549       If  you  skip  these  steps  with  a  running  Postfix system, then the
11550       tcp_windowsize change will work only for Postfix TCP clients  (smtp(8),
11551       lmtp(8)).
11552
11553       This feature is available in Postfix 2.6 and later.
11554

tls_append_default_CA (default: no)

11556       Append the system-supplied default Certification Authority certificates
11557       to the ones specified with *_tls_CApath or *_tls_CAfile.   The  default
11558       is  "no";  this prevents Postfix from trusting third-party certificates
11559       and giving them relay permission with permit_tls_all_clientcerts.
11560
11561       This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,  2.7.2  and
11562       later  versions.  Specify  "tls_append_default_CA  = yes" for backwards
11563       compatibility, to avoid breaking certificate  verification  with  sites
11564       that don't use permit_tls_all_clientcerts.
11565

tls_daemon_random_bytes (default: 32)

11567       The  number  of pseudo-random bytes that an smtp(8) or smtpd(8) process
11568       requests from the tlsmgr(8) server in order to seed its internal pseudo
11569       random number generator (PRNG).  The default of 32 bytes (equivalent to
11570       256 bits) is sufficient to generate a 128bit (or 168bit) session key.
11571
11572       This feature is available in Postfix 2.2 and later.
11573

tls_dane_digest_agility (default: on)

11575       Configure RFC7671 DANE TLSA digest algorithm agility.   Do  not  change
11576       this setting from its default value.
11577
11578       See Section 8 of RFC7671 for correct key rotation procedures.
11579
11580       This feature is available in Postfix 2.11 through 3.1.  Postfix 3.2 and
11581       later ignore this configuration parameter and behave as though it  were
11582       set to "on".
11583

tls_dane_digests (default: sha512 sha256)

11585       DANE  TLSA  (RFC  6698,  RFC  7671, RFC 7672) resource-record "matching
11586       type" digest algorithms in descending preference order.  All the speci‐
11587       fied  algorithms  must  be supported by the underlying OpenSSL library,
11588       otherwise the Postfix SMTP client will not support DANE TLSA security.
11589
11590       Specify a list of digest names separated by commas  and/or  whitespace.
11591       Each  digest  name  may  be followed by an optional "=<number>" suffix.
11592       For example, "sha512"  may  instead  be  specified  as  "sha512=2"  and
11593       "sha256"  may  instead be specified as "sha256=1".  The optional number
11594       must match the  <a  href="https://www.iana.org/assignments/dane-parame
11595       ters/dane-parameters.xhtml#matching-types" >IANA assigned TLSA matching
11596       type number the algorithm in question.  Postfix will  check  this  con‐
11597       straint  for  the  algorithms it knows about.  Additional matching type
11598       algorithms registered with IANA can be added with explicit numbers pro‐
11599       vided they are supported by OpenSSL.
11600
11601       Invalid  list  elements are logged with a warning and disable DANE sup‐
11602       port.  TLSA RRs that specify digests  not  included  in  the  list  are
11603       ignored with a warning.
11604
11605       Note:  It  is  unwise to omit sha256 from the digest list.  This digest
11606       algorithm is the only mandatory to implement digest  algorithm  in  RFC
11607       6698,  and  many  servers  are  expected publish TLSA records with just
11608       sha256 digests.  Unless one of the standard digests is  seriously  com‐
11609       promised  and  servers have had ample time to update their TLSA records
11610       you should not omit any standard digests, just arrange  them  in  order
11611       from strongest to weakest.
11612
11613       This feature is available in Postfix 2.11 and later.
11614

tls_dane_trust_anchor_digest_enable (default: yes)

11616       Enable  support  for  RFC  6698  (DANE  TLSA)  DNS records that contain
11617       digests of trust-anchors with certificate usage  "2".   Do  not  change
11618       this setting from its default value.
11619
11620       This  feature  is  available  in Postfix 2.11 through 3.1.  It has been
11621       withdrawn in Postfix 3.2, as trust-anchor TLSA records are  now  widely
11622       used  and  have  proved  sufficiently  reliable.  Postfix 3.2 and later
11623       ignore this configuration parameter and behaves as though it  were  set
11624       to "yes".
11625

tls_disable_workarounds (default: see postconf -d output)

11627       List or bit-mask of OpenSSL bug work-arounds to disable.
11628
11629       The  OpenSSL  toolkit  includes a set of work-arounds for buggy SSL/TLS
11630       implementations. Applications, such as Postfix, that want  to  maximize
11631       interoperability ask the OpenSSL library to enable the full set of rec‐
11632       ommended work-arounds.
11633
11634       From time to time, it is discovered that a work-around creates a  secu‐
11635       rity  issue,  and  should  no longer be used. If upgrading OpenSSL to a
11636       fixed version is not an option or an upgrade  is  not  available  in  a
11637       timely  manner,  or  in  closed  environments where no buggy clients or
11638       servers exist, it may be appropriate to disable  some  or  all  of  the
11639       OpenSSL  interoperability  work-arounds. This parameter specifies which
11640       bug work-arounds to disable.
11641
11642       If the value of the parameter is a hexadecimal  long  integer  starting
11643       with  "0x", the bug work-arounds corresponding to the bits specified in
11644       its value are removed from the  SSL_OP_ALL  work-around  bit-mask  (see
11645       openssl/ssl.h  and  SSL_CTX_set_options(3)).  You can specify more bits
11646       than are present in SSL_OP_ALL, excess  bits  are  ignored.  Specifying
11647       0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
11648       also be sufficient on 64-bit systems, until  OpenSSL  abandons  support
11649       for  32-bit  systems  and  starts  using  the  high 32 bits of a 64-bit
11650       bug-workaround mask.
11651
11652       Otherwise, the parameter is a white-space or comma  separated  list  of
11653       specific  named bug work-arounds chosen from the list below. It is pos‐
11654       sible that your OpenSSL version includes  new  bug  work-arounds  added
11655       after  your  Postfix source code was last updated, in that case you can
11656       only disable one of these via the hexadecimal syntax above.
11657
11658       CRYPTOPRO_TLSEXT_BUG
11659              New with GOST support in OpenSSL 1.0.0.
11660
11661       DONT_INSERT_EMPTY_FRAGMENTS
11662              See SSL_CTX_set_options(3)
11663
11664       LEGACY_SERVER_CONNECT
11665              See SSL_CTX_set_options(3)
11666
11667       MICROSOFT_BIG_SSLV3_BUFFER
11668              See SSL_CTX_set_options(3)
11669
11670       MICROSOFT_SESS_ID_BUG
11671              See SSL_CTX_set_options(3)
11672
11673       MSIE_SSLV2_RSA_PADDING
11674              also  aliased  as  CVE-2005-2969.  Postfix  2.8  disables   this
11675              work-around  by  default  with OpenSSL versions that may predate
11676              the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
11677
11678       NETSCAPE_CHALLENGE_BUG
11679              See SSL_CTX_set_options(3)
11680
11681       NETSCAPE_REUSE_CIPHER_CHANGE_BUG
11682              also  aliased  as  CVE-2010-4180.  Postfix  2.8  disables   this
11683              work-around  by  default  with OpenSSL versions that may predate
11684              the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.
11685
11686       SSLEAY_080_CLIENT_DH_BUG
11687              See SSL_CTX_set_options(3)
11688
11689       SSLREF2_REUSE_CERT_TYPE_BUG
11690              See SSL_CTX_set_options(3)
11691
11692       TLS_BLOCK_PADDING_BUG
11693              See SSL_CTX_set_options(3)
11694
11695       TLS_D5_BUG
11696              See SSL_CTX_set_options(3)
11697
11698       TLS_ROLLBACK_BUG
11699              See SSL_CTX_set_options(3).  This is disabled in  OpenSSL  0.9.7
11700              and later. Nobody should still be using 0.9.6!
11701
11702       TLSEXT_PADDING
11703              Postfix >= 3.4. See SSL_CTX_set_options(3).
11704
11705       This feature is available in Postfix 2.8 and later.
11706

tls_eecdh_auto_curves (default: see postconf -d output)

11708       The  prioritized  list of elliptic curves supported by the Postfix SMTP
11709       client and server.  These curves are used by the  Postfix  SMTP  server
11710       when  "smtpd_tls_eecdh_grade  =  auto".   The  selected  curves must be
11711       implemented by OpenSSL and be standardized for use in TLS (RFC 4492  or
11712       its  imminent  successor).   It  is unwise to list only "bleeding-edge"
11713       curves supported by a small subset of clients.   The  default  list  is
11714       suitable for most users.
11715
11716       Postfix  skips  curve  names  that  are unknown to OpenSSL, or that are
11717       known but not yet implemented.  This makes it possible to  "anticipate"
11718       support  for curves that should be used once they become available.  In
11719       particular, in some OpenSSL versions, the new RFC 8031 curves  "X25519"
11720       and  "X448"  may  be known by name, but ECDH support for either or both
11721       may be missing.  These curves may appear in the default value  of  this
11722       parameter,  even  though  they'll only be usable with later versions of
11723       OpenSSL.
11724
11725       This feature is available in Postfix 3.2 and later, when it is compiled
11726       and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
11727       have not been disabled by the vendor.
11728

tls_eecdh_strong_curve (default: prime256v1)

11730       The elliptic curve used by the Postfix SMTP server for sensibly  strong
11731       ephemeral  ECDH  key  exchange.  This curve is used by the Postfix SMTP
11732       server when "smtpd_tls_eecdh_grade  =  strong".  The  phrase  "sensibly
11733       strong"  means  approximately  128-bit  security  based  on  best known
11734       attacks. The selected curve must be implemented by OpenSSL (as reported
11735       by  ecparam(1) with the "-list_curves" option) and be one of the curves
11736       listed in Section 5.1.1 of RFC 4492. You should  not  generally  change
11737       this  setting.   Remote  SMTP  client implementations must support this
11738       curve for EECDH key exchange to take place.  It is unwise to choose  an
11739       "bleeding-edge" curve supported by only a small subset of clients.
11740
11741       The  default  "strong"  curve  is  rated in NSA Suite B for information
11742       classified up to SECRET.
11743
11744       Note: elliptic curve names are poorly standardized; different standards
11745       groups  are  assigning  different  names to the same underlying curves.
11746       The curve with the X9.62 name "prime256v1" is also known under the SECG
11747       name "secp256r1", but OpenSSL does not recognize the latter name.
11748
11749       If  you  want  to  take maximal advantage of ciphers that offer forward
11750       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
11751       full document conveniently presents all information about Postfix "per‐
11752       fect" forward secrecy support in one place: what  forward  secrecy  is,
11753       how to tweak settings, and what you can expect to see when Postfix uses
11754       ciphers with forward secrecy.
11755
11756       This feature is available in Postfix 2.6 and later, when it is compiled
11757       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11758       have not been disabled by the vendor.
11759

tls_eecdh_ultra_curve (default: secp384r1)

11761       The elliptic curve used by the Postfix SMTP server for maximally strong
11762       ephemeral  ECDH  key  exchange.  This curve is used by the Postfix SMTP
11763       server when "smtpd_tls_eecdh_grade  =  ultra".  The  phrase  "maximally
11764       strong"  means  approximately  192-bit  security  based  on  best known
11765       attacks.  This additional strength comes at a significant computational
11766       cost,  most  users should instead set "smtpd_tls_eecdh_grade = strong".
11767       The selected curve must be  implemented  by  OpenSSL  (as  reported  by
11768       ecparam(1)  with  the  "-list_curves"  option) and be one of the curves
11769       listed in Section 5.1.1 of RFC 4492. You should  not  generally  change
11770       this setting.
11771
11772       This  default  "ultra"  curve  is  rated in NSA Suite B for information
11773       classified up to TOP SECRET.
11774
11775       If you want to take maximal advantage of  ciphers  that  offer  forward
11776       secrecy see the Getting started section of FORWARD_SECRECY_README.  The
11777       full document conveniently presents all information about Postfix "per‐
11778       fect"  forward  secrecy  support in one place: what forward secrecy is,
11779       how to tweak settings, and what you can expect to see when Postfix uses
11780       ciphers with forward secrecy.
11781
11782       This feature is available in Postfix 2.6 and later, when it is compiled
11783       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
11784       have not been disabled by the vendor.
11785

tls_export_cipherlist (default: see postconf -d output)

11787       The  OpenSSL  cipherlist  for  "export"  or  higher grade ciphers. This
11788       defines the meaning  of  the  "export"  setting  in  smtpd_tls_ciphers,
11789       smtpd_tls_mandatory_ciphers,      smtp_tls_ciphers,     smtp_tls_manda‐
11790       tory_ciphers, lmtp_tls_ciphers, and  lmtp_tls_mandatory_ciphers.   With
11791       Postfix  releases  before  the  middle  of  2015  this  is  the default
11792       cipherlist for the opportunistic ("may") TLS client security level  and
11793       also  the  default  cipherlist  for  the  SMTP server. You are strongly
11794       encouraged to not change this setting.
11795
11796       This feature is available in Postfix 2.3 and later.
11797

tls_high_cipherlist (default: see postconf -d output)

11799       The OpenSSL cipherlist for "high" grade ciphers. This defines the mean‐
11800       ing  of  the  "high"  setting  in  smtpd_tls_ciphers,  smtpd_tls_manda‐
11801       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
11802       lmtp_tls_ciphers,  and  lmtp_tls_mandatory_ciphers.  You  are  strongly
11803       encouraged to not change this setting.
11804
11805       This feature is available in Postfix 2.3 and later.
11806

tls_legacy_public_key_fingerprints (default: no)

11808       A temporary migration aid for sites  that  use  certificate  public-key
11809       fingerprints  with  Postfix  2.9.0..2.9.5, which use an incorrect algo‐
11810       rithm. This parameter has no effect on the certificate fingerprint sup‐
11811       port that is available since Postfix 2.2.
11812
11813       Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
11814       a  migration  from   configuration   files   with   incorrect   Postfix
11815       2.9.0..2.9.5  certificate public-key finger prints, to the correct fin‐
11816       gerprints used by Postfix 2.9.6 and later.  To compute the correct cer‐
11817       tificate public-key fingerprints, see TLS_README.
11818
11819       This feature is available in Postfix 2.9.6 and later.
11820

tls_low_cipherlist (default: see postconf -d output)

11822       The  OpenSSL cipherlist for "low" or higher grade ciphers. This defines
11823       the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
11824       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
11825       lmtp_tls_ciphers,  and  lmtp_tls_mandatory_ciphers.  You  are  strongly
11826       encouraged to not change this setting.
11827
11828       This feature is available in Postfix 2.3 and later.
11829

tls_medium_cipherlist (default: see postconf -d output)

11831       The  OpenSSL  cipherlist  for  "medium"  or  higher grade ciphers. This
11832       defines the meaning  of  the  "medium"  setting  in  smtpd_tls_ciphers,
11833       smtpd_tls_mandatory_ciphers,      smtp_tls_ciphers,     smtp_tls_manda‐
11834       tory_ciphers, lmtp_tls_ciphers, and  lmtp_tls_mandatory_ciphers.   This
11835       is  the  default  cipherlist  for  mandatory  TLS encryption in the TLS
11836       client (with anonymous ciphers disabled when verifying server  certifi‐
11837       cates).   This  is  the  default  cipherlist for opportunistic TLS with
11838       Postfix releases after the middle of 2015.  You are strongly encouraged
11839       to not change this setting.
11840
11841       This feature is available in Postfix 2.3 and later.
11842

tls_null_cipherlist (default: eNULL:!aNULL)

11844       The  OpenSSL cipherlist for "NULL" grade ciphers that provide authenti‐
11845       cation without encryption. This defines the meaning of the "null"  set‐
11846       ting  in  smtpd_mandatory_tls_ciphers,  smtp_tls_mandatory_ciphers  and
11847       lmtp_tls_mandatory_ciphers.  You are strongly encouraged to not  change
11848       this setting.
11849
11850       This feature is available in Postfix 2.3 and later.
11851

tls_preempt_cipherlist (default: no)

11853       With  SSLv3  and later, use the Postfix SMTP server's cipher preference
11854       order instead of the remote client's cipher preference order.
11855
11856       By default, the OpenSSL server  selects  the  client's  most  preferred
11857       cipher  that  the server supports. With SSLv3 and later, the server may
11858       choose its own most preferred cipher that is supported (offered) by the
11859       client.  Setting  "tls_preempt_cipherlist  = yes" enables server cipher
11860       preferences.
11861
11862       While server cipher selection may in some cases lead to a  more  secure
11863       or  performant  cipher  choice,  there is some risk of interoperability
11864       issues. In the past,  some  SSL  clients  have  listed  lower  priority
11865       ciphers  that they did not implement correctly. If the server chooses a
11866       cipher that the client prefers less,  it  may  select  a  cipher  whose
11867       client  implementation  is  flawed. Most notably Windows 2003 Microsoft
11868       Exchange servers have flawed  implementations  of  DES-CBC3-SHA,  which
11869       OpenSSL  considers stronger than RC4-SHA.  Enabling server cipher-suite
11870       selection may create interoperability issues with Windows  2003  Micro‐
11871       soft Exchange clients.
11872
11873       This feature is available in Postfix 2.8 and later, in combination with
11874       OpenSSL 0.9.7 and later.
11875

tls_random_bytes (default: 32)

11877       The number of bytes that tlsmgr(8) reads from  $tls_random_source  when
11878       (re)seeding  the  in-memory pseudo random number generator (PRNG) pool.
11879       The default of 32 bytes (256 bits) is good enough for 128bit  symmetric
11880       keys.  If using EGD or a device file, a maximum of 255 bytes is read.
11881
11882       This feature is available in Postfix 2.2 and later.
11883

tls_random_exchange_name (default: see postconf -d output)

11885       Name  of  the  pseudo random number generator (PRNG) state file that is
11886       maintained by tlsmgr(8). The file is created when it  does  not  exist,
11887       and its length is fixed at 1024 bytes.
11888
11889       As  of version 2.5, Postfix no longer uses root privileges when opening
11890       this file, and the  default  file  location  was  changed  from  ${con‐
11891       fig_directory}/prng_exch  to  ${data_directory}/prng_exch.  As a migra‐
11892       tion aid, an attempt to open the file under a non-Postfix directory  is
11893       redirected  to  the  Postfix-owned  data_directory,  and  a  warning is
11894       logged.
11895
11896       This feature is available in Postfix 2.2 and later.
11897

tls_random_prng_update_period (default: 3600s)

11899       The time between attempts by tlsmgr(8) to save the state of the  pseudo
11900       random  number  generator  (PRNG)  to the file specified with $tls_ran‐
11901       dom_exchange_name.
11902
11903       This feature is available in Postfix 2.2 and later.
11904

tls_random_reseed_period (default: 3600s)

11906       The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
11907       pseudo  random number generator (PRNG) pool from external sources.  The
11908       actual time between re-seeding attempts is calculated using  the  PRNG,
11909       and is between 0 and the time specified.
11910
11911       This feature is available in Postfix 2.2 and later.
11912

tls_random_source (default: see postconf -d output)

11914       The  external  entropy source for the in-memory tlsmgr(8) pseudo random
11915       number generator (PRNG) pool. Be sure to specify a non-blocking source.
11916       If  this  source is not a regular file, the entropy source type must be
11917       prepended:  egd:/path/to/egd_socket for a source  with  EGD  compatible
11918       socket interface, or dev:/path/to/device for a device file.
11919
11920       Note:  on  OpenBSD systems specify /dev/arandom when /dev/urandom gives
11921       timeout errors.
11922
11923       This feature is available in Postfix 2.2 and later.
11924

tls_server_sni_maps (default: empty)

11926       Optional lookup tables that map names received from remote SMTP clients
11927       via  the  TLS Server Name Indication (SNI) extension to the appropriate
11928       keys and certificate chains.  This  parameter  is  implemented  in  the
11929       Postfix  TLS  library, and applies to both smtpd(8) and the SMTP server
11930       mode of tlsproxy(8).
11931
11932       The lookup key is either the verbatim SNI domain name  or  an  ancestor
11933       domain prefixed with a leading dot.  For internationalized domains, the
11934       lookup key must be in IDNA 2008 A-label form (as required  in  the  TLS
11935       SNI extension).
11936
11937       When  this  parameter is non-empty, the Postfix SMTP server enables SNI
11938       extension processing, and logs SNI values that  are  invalid  or  don't
11939       match  an entry in the the specified tables.  When an entry does match,
11940       the SNI name is logged as part of the connection summary at log  levels
11941       1 and higher.
11942
11943       Note  that  the  SNI  lookup  tables  should  also have entries for the
11944       domains that correspond to the Postfix SMTP server's  default  certifi‐
11945       cate(s).  This  ensures that the remote SMTP client's TLS SNI extension
11946       gets a positive response when it specifies  one  of  the  Postfix  SMTP
11947       server's default domains, and ensures that the Postfix SMTP server will
11948       not log an SNI name mismatch for  such  a  domain.   The  Postfix  SMTP
11949       server's  default certificates are then only used when the client sends
11950       no SNI or when it sends SNI with a domain that the server knows no cer‐
11951       tificate(s) for.
11952
11953       The mapping from an SNI domain name to a certificate chain is typically
11954       indirect.  In the input source files  for  "cdb",  "hash",  "btree"  or
11955       other   tables   that  are  converted  to  on-disk  indexed  files  via
11956       postmap(1), the value specified for each key is a  list  of  filenames.
11957       When  postmap(1) is used with the -F option, the generated table stores
11958       for each lookup key  the  base64-encoded  contents  of  the  associated
11959       files.   When  querying  tables  via  postmap  -Fq,  the table value is
11960       decoded from base64, yielding the original file  content,  plus  a  new
11961       line.
11962
11963       With  "regexp",  "pcre",  "inline",  "texthash",  "static"  and similar
11964       tables that are interpreted at run-time,  and  don't  have  a  separate
11965       source  format, the table value is again a list files, that are read-in
11966       when the table is opened.
11967
11968       Thus, for example:
11969
11970           $ postmap -Fq "" static:/etc/postfix/chain.pem | openssl dgst -sha1
11971           (stdin)= da39a3ee5e6b4b0d3255bfef95601890afd80709
11972
11973       produces the same output as:
11974
11975           $ (cat /etc/postfix/chain.pem; echo) | openssl dgst -sha1
11976           (stdin)= da39a3ee5e6b4b0d3255bfef95601890afd80709
11977
11978       With tables whose content is managed outside of Postfix, such as  LDAP,
11979       MySQL, PostgreSQL, socketmap and tcp, the value must be a concatenation
11980       of the desired PEM keys and certificate chains, that  is  then  further
11981       encoded  to yield a single-line base64 string.  Creation of such tables
11982       and secure storage are outside the  responsibility  of  Postfix.   With
11983       "socketmap" and "tcp" the data would be transmitted in the clear.  With
11984       LDAP and SQL, you should generally use TLS  to  protect  the  sensitive
11985       data in transit.
11986
11987       Typically  there  is  only  private  key  and its chain of certificates
11988       starting with the "leaf" certificate corresponding  to  that  key,  and
11989       continuing  with  the  appropriate intermediate issuer CA certificates,
11990       with each certificate ideally followed by  its  issuer.   Servers  that
11991       have  keys  and certificates for more than one algorithm (e.g.  both an
11992       RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519) can use  mul‐
11993       tiple  chains  concatenated together, with the key always listed before
11994       the corresponding certificates.
11995
11996       This feature is available in Postfix 3.4 and later.
11997

tls_session_ticket_cipher (default: Postfix >= 3.0: aes-256-cbc, Postfix <

11999       3.0: aes-128-cbc)
12000       Algorithm  used to encrypt RFC5077 TLS session tickets.  This algorithm
12001       must use CBC mode, have a 128-bit block  size,  and  must  have  a  key
12002       length between 128 and 256 bits.  The default is aes-256-cbc.  Overrid‐
12003       ing the default to choose a different algorithm is discouraged.
12004
12005       Setting this parameter empty disables session  ticket  support  in  the
12006       Postfix  SMTP server.  Another way to disable session ticket support is
12007       via the tls_ssl_options parameter.
12008
12009       This feature is available in Postfix 3.0 and later.
12010

tls_ssl_options (default: empty)

12012       List or bit-mask of OpenSSL options to enable.
12013
12014       The OpenSSL toolkit provides a set of  options  that  applications  can
12015       enable to tune the OpenSSL behavior.  Some of these work around bugs in
12016       other implementations and are on by default.  You can use the  tls_dis‐
12017       able_workarounds  parameter  to  selectively disable some or all of the
12018       bug work-arounds, making OpenSSL more strict at the cost of  non-inter‐
12019       operability with SSL clients or servers that exhibit the bugs.
12020
12021       Other  options are off by default, and typically enable or disable fea‐
12022       tures rather than bug work-arounds.  These may be turned on (with care)
12023       via the tls_ssl_options parameter.  The value is a white-space or comma
12024       separated list of named options chosen from the list below.  The  names
12025       are  not  case-sensitive,  you  can  use lower-case if you prefer.  The
12026       upper case values below match the corresponding macro name in the ssl.h
12027       header  file with the SSL_OP_ prefix removed.  It is possible that your
12028       OpenSSL version includes new options added after  your  Postfix  source
12029       code  was  last  updated, in that case you can only enable one of these
12030       via the hexadecimal syntax below.
12031
12032       You should only enable features via the hexadecimal mask when the  need
12033       to control the feature is critical (to deal with a new vulnerability or
12034       a serious interoperability problem).  Postfix DOES  NOT  promise  back‐
12035       wards  compatible  behavior  with  respect to the mask bits.  A feature
12036       enabled via the mask in one release may be enabled by other means in  a
12037       later  release,  and the mask bit will then be ignored.  Therefore, use
12038       of the hexadecimal mask is only a temporary measure until a new Postfix
12039       or OpenSSL release provides a better solution.
12040
12041       If  the  value  of the parameter is a hexadecimal long integer starting
12042       with "0x", the options corresponding to the bits specified in its value
12043       are  enabled  (see  openssl/ssl.h and SSL_CTX_set_options(3)).  You can
12044       only enable options not already controlled by other  Postfix  settings.
12045       For example, you cannot disable protocols or enable server cipher pref‐
12046       erence.  Do not attempt to turn all features by specifying  0xFFFFFFFF,
12047       this  is  unlikely  to  be a good idea.  Some bug work-arounds are also
12048       valid here, allowing them to be re-enabled if/when  they're  no  longer
12049       enabled by default.  The supported values include:
12050
12051       ENABLE_MIDDLEBOX_COMPAT
12052              Postfix >= 3.4. See SSL_CTX_set_options(3).
12053
12054       LEGACY_SERVER_CONNECT
12055              See SSL_CTX_set_options(3).
12056
12057       NO_TICKET
12058              Enabled  by default when needed in fully-patched Postfix >= 2.7.
12059              Not needed at all for Postfix >= 2.11, unless  for  some  reason
12060              you do not want to support TLS session resumption.  Best not set
12061              explicitly.  See SSL_CTX_set_options(3).
12062
12063       NO_COMPRESSION
12064              Disable  SSL  compression  even  if  supported  by  the  OpenSSL
12065              library.   Compression  is CPU-intensive, and compression before
12066              encryption does not always improve security.
12067
12068       NO_RENEGOTIATION
12069              Postfix >= 3.4.  This can reduce opportunities for  a  potential
12070              CPU exhaustion attack.  See SSL_CTX_set_options(3).
12071
12072       NO_SESSION_RESUMPTION_ON_RENEGOTIATION
12073              Postfix >= 3.4. See SSL_CTX_set_options(3).
12074
12075       PRIORITIZE_CHACHA
12076              Postfix >= 3.4. See SSL_CTX_set_options(3).
12077
12078       TLSEXT_PADDING
12079              Postfix >= 3.4. See SSL_CTX_set_options(3).
12080
12081       This feature is available in Postfix 2.11 and later.
12082

tls_wildcard_matches_multiple_labels (default: yes)

12084       Match multiple DNS labels with "*" in wildcard certificates.
12085
12086       Some  mail service providers prepend the customer domain name to a base
12087       domain for which they have a wildcard TLS  certificate.   For  example,
12088       the MX records for example.com hosted by example.net may be:
12089
12090           example.com. IN MX 0 example.com.mx1.example.net.
12091           example.com. IN MX 0 example.com.mx2.example.net.
12092
12093       and the TLS certificate may be for "*.example.net". The "*" then corre‐
12094       sponds with multiple labels in the  mail  server  domain  name.   While
12095       multi-label  wildcards are not widely supported, and are not blessed by
12096       any standard, there is little to be gained by disallowing their use  in
12097       this context.
12098
12099       Notes:
12100
12101       ·      In  a  certificate name, the "*" is special only when it is used
12102              as the first label.
12103
12104       ·      While Postfix (2.11 or later) can match "*" with multiple domain
12105              name labels, other implementations likely will not.
12106
12107       ·      Earlier   Postfix   implementations   behave  as  if  "tls_wild‐
12108              card_matches_multiple_labels = no".
12109
12110       This feature is available in Postfix 2.11 and later.
12111

tlsmgr_service_name (default: tlsmgr)

12113       The name of the tlsmgr(8) service  entry  in  master.cf.  This  service
12114       maintains TLS session caches and other information in support of TLS.
12115
12116       This feature is available in Postfix 2.11 and later.
12117

tlsproxy_client_CAfile (default: $smtp_tls_CAfile)

12119       A  file  containing  CA certificates of root CAs trusted to sign either
12120       remote TLS server certificates or intermediate  CA  certificates.   See
12121       smtp_tls_CAfile for further details.
12122
12123       This feature is available in Postfix 3.4 and later.
12124

tlsproxy_client_CApath (default: $smtp_tls_CApath)

12126       Directory with PEM format Certification Authority certificates that the
12127       Postfix tlsproxy(8) client uses to verify a remote TLS server  certifi‐
12128       cate. See smtp_tls_CApath for further details.
12129
12130       This feature is available in Postfix 3.4 and later.
12131

tlsproxy_client_cert_file (default: $smtp_tls_cert_file)

12133       File with the Postfix tlsproxy(8) client RSA certificate in PEM format.
12134       See smtp_tls_cert_file for further details.  The preferred way to  con‐
12135       figure   tlsproxy   client   keys   and   certificates   is   via   the
12136       "tlsproxy_client_chain_files" parameter.
12137
12138       This feature is available in Postfix 3.4 and later.
12139

tlsproxy_client_chain_files (default: $smtp_tls_chain_files)

12141       Files with the Postfix tlsproxy(8) client keys and  certificate  chains
12142       in PEM format. See smtp_tls_chain_files for further details.
12143
12144       This feature is available in Postfix 3.4 and later.
12145

tlsproxy_client_dcert_file (default: $smtp_tls_dcert_file)

12147       File with the Postfix tlsproxy(8) client DSA certificate in PEM format.
12148       See smtp_tls_dcert_file for further details. DSA is obsolete and should
12149       not be used.
12150
12151       This feature is available in Postfix 3.4 and later.
12152

tlsproxy_client_dkey_file (default: $smtp_tls_dkey_file)

12154       File with the Postfix tlsproxy(8) client DSA private key in PEM format.
12155       See smtp_tls_dkey_file for further details. DSA is obsolete and  should
12156       not be used.
12157
12158       This feature is available in Postfix 3.4 and later.
12159

tlsproxy_client_eccert_file (default: $smtp_tls_eccert_file)

12161       File  with the Postfix tlsproxy(8) client ECDSA certificate in PEM for‐
12162       mat. See smtp_tls_eccert_file for further details. The preferred way to
12163       configure   tlsproxy   client   keys   and   certificates  is  via  the
12164       "tlsproxy_client_chain_files" parameter.
12165
12166       This feature is available in Postfix 3.4 and later.
12167

tlsproxy_client_eckey_file (default: $smtp_tls_eckey_file)

12169       File with the Postfix tlsproxy(8) client ECDSA private key in PEM  for‐
12170       mat. See smtp_tls_eckey_file for further details.  The preferred way to
12171       configure  tlsproxy  client  keys   and   certificates   is   via   the
12172       "tlsproxy_client_chain_files" parameter.
12173
12174       This feature is available in Postfix 3.4 and later.
12175

tlsproxy_client_enforce_tls (default: $smtp_enforce_tls)

12177       Enforcement  mode:  require  that SMTP servers use TLS encryption.  See
12178       smtp_enforce_tls for further details.
12179
12180       This feature is available in Postfix 3.4 and later.
12181

tlsproxy_client_fingerprint_digest (default: $smtp_tls_fingerprint_digest)

12183       The message digest algorithm used to construct remote TLS  server  cer‐
12184       tificate  fingerprints.  See  smtp_tls_fingerprint_digest  for  further
12185       details.
12186
12187       This feature is available in Postfix 3.4 and later.
12188

tlsproxy_client_key_file (default: $smtp_tls_key_file)

12190       File with the Postfix tlsproxy(8) client RSA private key in PEM format.
12191       See smtp_tls_key_file for further details. The preferred way to config‐
12192       ure   tlsproxy   client   keys   and   certificates    is    via    the
12193       "tlsproxy_client_chain_files" parameter.
12194
12195       This feature is available in Postfix 3.4 and later.
12196

tlsproxy_client_loglevel (default: $smtp_tls_loglevel)

12198       Enable  additional  Postfix tlsproxy(8) client logging of TLS activity.
12199       See smtp_tls_loglevel for further details.
12200
12201       This feature is available in Postfix 3.4 and later.
12202

tlsproxy_client_loglevel_parameter (default: smtp_tls_loglevel)

12204       The name of the parameter that  provides  the  tlsproxy_client_loglevel
12205       value.
12206
12207       This feature is available in Postfix 3.4 and later.
12208

tlsproxy_client_per_site (default: $smtp_tls_per_site)

12210       Optional  lookup  tables  with the Postfix tlsproxy(8) client TLS usage
12211       policy by next-hop destination and by remote TLS server hostname.   See
12212       smtp_tls_per_site for further details.
12213
12214       This feature is available in Postfix 3.4 and later.
12215

tlsproxy_client_policy_maps (default: $smtp_tls_policy_maps)

12217       Optional lookup tables with the Postfix tlsproxy(8) client TLS security
12218       policy by next-hop destination. See  smtp_tls_policy_maps  for  further
12219       details.
12220
12221       This feature is available in Postfix 3.4 and later.
12222

tlsproxy_client_scert_verifydepth (default: $smtp_tls_scert_verifydepth)

12224       The  verification  depth  for  remote  TLS  server  certificates.   See
12225       smtp_tls_scert_verifydepth for further details.
12226
12227       This feature is available in Postfix 3.4 and later.
12228

tlsproxy_client_security_level (default: $smtp_tls_security_level)

12230       The default TLS security level for the Postfix tlsproxy(8) client.  See
12231       smtp_tls_security_level for further details.
12232
12233       This feature is available in Postfix 3.4 and later.
12234

tlsproxy_client_use_tls (default: $smtp_use_tls)

12236       Opportunistic mode: use TLS when a remote server announces TLS support.
12237       See smtp_use_tls for further details.
12238
12239       This feature is available in Postfix 3.4 and later.
12240

tlsproxy_enforce_tls (default: $smtpd_enforce_tls)

12242       Mandatory TLS: announce STARTTLS support to remote  SMTP  clients,  and
12243       require that clients use TLS encryption. See smtpd_enforce_tls for fur‐
12244       ther details.
12245
12246       This feature is available in Postfix 2.8 and later.
12247

tlsproxy_service_name (default: tlsproxy)

12249       The name of the tlsproxy(8) service entry in  master.cf.  This  service
12250       performs plaintext <=> TLS ciphertext conversion.
12251
12252       This feature is available in Postfix 2.8 and later.
12253

tlsproxy_tls_CAfile (default: $smtpd_tls_CAfile)

12255       A  file  containing (PEM format) CA certificates of root CAs trusted to
12256       sign either remote SMTP client certificates or intermediate CA certifi‐
12257       cates.  See smtpd_tls_CAfile for further details.
12258
12259       This feature is available in Postfix 2.8 and later.
12260

tlsproxy_tls_CApath (default: $smtpd_tls_CApath)

12262       A directory containing (PEM format) CA certificates of root CAs trusted
12263       to sign either remote SMTP client certificates or intermediate CA  cer‐
12264       tificates. See smtpd_tls_CApath for further details.
12265
12266       This feature is available in Postfix 2.8 and later.
12267

tlsproxy_tls_always_issue_session_ids (default: $smtpd_tls_always_issue_ses‐

12269       sion_ids)
12270       Force the Postfix tlsproxy(8) server to issue a TLS  session  id,  even
12271       when TLS session caching is turned off. See smtpd_tls_always_issue_ses‐
12272       sion_ids for further details.
12273
12274       This feature is available in Postfix 2.8 and later.
12275

tlsproxy_tls_ask_ccert (default: $smtpd_tls_ask_ccert)

12277       Ask  a   remote   SMTP   client   for   a   client   certificate.   See
12278       smtpd_tls_ask_ccert for further details.
12279
12280       This feature is available in Postfix 2.8 and later.
12281

tlsproxy_tls_ccert_verifydepth (default: $smtpd_tls_ccert_verifydepth)

12283       The  verification depth for remote SMTP client certificates. A depth of
12284       1 is sufficient if the issuing CA is listed in a  local  CA  file.  See
12285       smtpd_tls_ccert_verifydepth for further details.
12286
12287       This feature is available in Postfix 2.8 and later.
12288

tlsproxy_tls_cert_file (default: $smtpd_tls_cert_file)

12290       File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
12291       This file may also contain the Postfix tlsproxy(8) server  private  RSA
12292       key.  See smtpd_tls_cert_file for further details.  With Postfix >= 3.4
12293       the preferred way to configure tlsproxy server keys and certificates is
12294       via the "tlsproxy_tls_chain_files" parameter.
12295
12296       This feature is available in Postfix 2.8 and later.
12297

tlsproxy_tls_chain_files (default: $smtpd_tls_chain_files)

12299       Files  with  the Postfix tlsproxy(8) server keys and certificate chains
12300       in PEM format. See smtpd_tls_chain_files for further details.
12301
12302       This feature is available in Postfix 3.4 and later.
12303

tlsproxy_tls_ciphers (default: $smtpd_tls_ciphers)

12305       The minimum TLS cipher grade that the Postfix tlsproxy(8)  server  will
12306       use  with  opportunistic TLS encryption. See smtpd_tls_ciphers for fur‐
12307       ther details.
12308
12309       This feature is available in Postfix 2.8 and later.
12310

tlsproxy_tls_dcert_file (default: $smtpd_tls_dcert_file)

12312       File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
12313       This  file  may also contain the Postfix tlsproxy(8) server private DSA
12314       key.  DSA is obsolete and should not be used.  See smtpd_tls_dcert_file
12315       for further details.
12316
12317       This feature is available in Postfix 2.8 and later.
12318

tlsproxy_tls_dh1024_param_file (default: $smtpd_tls_dh1024_param_file)

12320       File  with DH parameters that the Postfix tlsproxy(8) server should use
12321       with non-export EDH ciphers. See smtpd_tls_dh1024_param_file  for  fur‐
12322       ther details.
12323
12324       This feature is available in Postfix 2.8 and later.
12325

tlsproxy_tls_dh512_param_file (default: $smtpd_tls_dh512_param_file)

12327       File  with DH parameters that the Postfix tlsproxy(8) server should use
12328       with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for  fur‐
12329       ther  details.   The  default SMTP server cipher grade is "medium" with
12330       Postfix releases after the middle of 2015, and as a result export-grade
12331       cipher suites are by default not used.
12332
12333       This feature is available in Postfix 2.8 and later.
12334

tlsproxy_tls_dkey_file (default: $smtpd_tls_dkey_file)

12336       File with the Postfix tlsproxy(8) server DSA private key in PEM format.
12337       This file may be combined with the Postfix tlsproxy(8) server DSA  cer‐
12338       tificate  file  specified  with $smtpd_tls_dcert_file.  DSA is obsolete
12339       and should not be used.  See smtpd_tls_dkey_file for further details.
12340
12341       This feature is available in Postfix 2.8 and later.
12342

tlsproxy_tls_eccert_file (default: $smtpd_tls_eccert_file)

12344       File with the Postfix tlsproxy(8) server ECDSA certificate in PEM  for‐
12345       mat.  This file may also contain the Postfix tlsproxy(8) server private
12346       ECDSA key.  See smtpd_tls_eccert_file for further details.  With  Post‐
12347       fix >= 3.4 the preferred way to configure tlsproxy server keys and cer‐
12348       tificates is via the "tlsproxy_tls_chain_files" parameter.
12349
12350       This feature is available in Postfix 2.8 and later.
12351

tlsproxy_tls_eckey_file (default: $smtpd_tls_eckey_file)

12353       File with the Postfix tlsproxy(8) server ECDSA private key in PEM  for‐
12354       mat.   This  file  may  be combined with the Postfix tlsproxy(8) server
12355       ECDSA certificate  file  specified  with  $smtpd_tls_eccert_file.   See
12356       smtpd_tls_eckey_file for further details.  With Postfix >= 3.4 the pre‐
12357       ferred way to configure tlsproxy server keys and  certificates  is  via
12358       the "tlsproxy_tls_chain_files" parameter.
12359
12360       This feature is available in Postfix 2.8 and later.
12361

tlsproxy_tls_eecdh_grade (default: $smtpd_tls_eecdh_grade)

12363       The  Postfix  tlsproxy(8)  server  security  grade for ephemeral ellip‐
12364       tic-curve     Diffie-Hellman     (EECDH)     key     exchange.      See
12365       smtpd_tls_eecdh_grade for further details.
12366
12367       This feature is available in Postfix 2.8 and later.
12368

tlsproxy_tls_exclude_ciphers (default: $smtpd_tls_exclude_ciphers)

12370       List  of ciphers or cipher types to exclude from the tlsproxy(8) server
12371       cipher list at all TLS security levels.  See  smtpd_tls_exclude_ciphers
12372       for further details.
12373
12374       This feature is available in Postfix 2.8 and later.
12375

tlsproxy_tls_fingerprint_digest (default: $smtpd_tls_fingerprint_digest)

12377       The  message  digest algorithm to construct remote SMTP client-certifi‐
12378       cate  fingerprints.  See   smtpd_tls_fingerprint_digest   for   further
12379       details.
12380
12381       This feature is available in Postfix 2.8 and later.
12382

tlsproxy_tls_key_file (default: $smtpd_tls_key_file)

12384       File with the Postfix tlsproxy(8) server RSA private key in PEM format.
12385       This file may be combined with the Postfix tlsproxy(8) server RSA  cer‐
12386       tificate     file    specified    with    $smtpd_tls_cert_file.     See
12387       smtpd_tls_key_file for further details.  With Postfix >= 3.4  the  pre‐
12388       ferred  way  to  configure tlsproxy server keys and certificates is via
12389       the "tlsproxy_tls_chain_files" parameter.
12390
12391       This feature is available in Postfix 2.8 and later.
12392

tlsproxy_tls_loglevel (default: $smtpd_tls_loglevel)

12394       Enable additional Postfix tlsproxy(8) server logging of  TLS  activity.
12395       Each  logging  level  also includes the information that is logged at a
12396       lower logging level. See smtpd_tls_loglevel for further details.
12397
12398       This feature is available in Postfix 2.8 and later.
12399

tlsproxy_tls_mandatory_ciphers (default: $smtpd_tls_mandatory_ciphers)

12401       The minimum TLS cipher grade that the Postfix tlsproxy(8)  server  will
12402       use  with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
12403       further details.
12404
12405       This feature is available in Postfix 2.8 and later.
12406

tlsproxy_tls_mandatory_exclude_ciphers (default: $smtpd_tls_manda‐

12408       tory_exclude_ciphers)
12409       Additional  list  of  ciphers  or  cipher  types  to  exclude  from the
12410       tlsproxy(8) server cipher list at mandatory TLS security  levels.   See
12411       smtpd_tls_mandatory_exclude_ciphers for further details.
12412
12413       This feature is available in Postfix 2.8 and later.
12414

tlsproxy_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols)

12416       The  SSL/TLS  protocols accepted by the Postfix tlsproxy(8) server with
12417       mandatory TLS encryption. If the list is empty, the server supports all
12418       available SSL/TLS protocol versions.  See smtpd_tls_mandatory_protocols
12419       for further details.
12420
12421       This feature is available in Postfix 2.8 and later.
12422

tlsproxy_tls_protocols (default: $smtpd_tls_protocols)

12424       List of TLS protocols that the Postfix tlsproxy(8) server will  exclude
12425       or  include  with opportunistic TLS encryption. See smtpd_tls_protocols
12426       for further details.
12427
12428       This feature is available in Postfix 2.8 and later.
12429

tlsproxy_tls_req_ccert (default: $smtpd_tls_req_ccert)

12431       With mandatory TLS encryption, require a  trusted  remote  SMTP  client
12432       certificate  in  order  to  allow  TLS  connections  to  proceed.   See
12433       smtpd_tls_req_ccert for further details.
12434
12435       This feature is available in Postfix 2.8 and later.
12436

tlsproxy_tls_security_level (default: $smtpd_tls_security_level)

12438       The SMTP TLS security level for the Postfix tlsproxy(8) server; when  a
12439       non-empty  value  is  specified, this overrides the obsolete parameters
12440       smtpd_use_tls and smtpd_enforce_tls. See  smtpd_tls_security_level  for
12441       further details.
12442
12443       This feature is available in Postfix 2.8 and later.
12444

tlsproxy_tls_session_cache_timeout (default: $smtpd_tls_session_cache_timeout)

12446
12447       Obsolete expiration time of  Postfix  tlsproxy(8)  server  TLS  session
12448       cache  information. Since the cache is shared with smtpd(8) and managed
12449       by tlsmgr(8), there is only one expiration time  for  the  SMTP  server
12450       cache   shared   by   all   three   services,   namely   smtpd_tls_ses‐
12451       sion_cache_timeout.
12452
12453       This feature is available in Postfix 2.8 and later.
12454

tlsproxy_use_tls (default: $smtpd_use_tls)

12456       Opportunistic TLS: announce STARTTLS support to  remote  SMTP  clients,
12457       but  do  not require that clients use TLS encryption. See smtpd_use_tls
12458       for further details.
12459
12460       This feature is available in Postfix 2.8 and later.
12461

tlsproxy_watchdog_timeout (default: 10s)

12463       How much time a tlsproxy(8) process may take to process local or remote
12464       I/O  before  it  is terminated by a built-in watchdog timer.  This is a
12465       safety mechanism that prevents tlsproxy(8) from becoming non-responsive
12466       due  to  a bug in Postfix itself or in system software.  To avoid false
12467       alarms and unnecessary cache corruption this limit cannot be set  under
12468       10s.
12469
12470       Specify  a  non-zero  time  value  (an  integral value plus an optional
12471       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
12472       onds), m (minutes), h (hours), d (days), w (weeks).
12473
12474       This feature is available in Postfix 2.8 and later
12475

trace_service_name (default: trace)

12477       The  name  of  the  trace  service.  This service is implemented by the
12478       bounce(8) daemon and maintains a record of mail deliveries and produces
12479       a  mail  delivery report when verbose delivery is requested with "send‐
12480       mail -v".
12481
12482       This feature is available in Postfix 2.1 and later.
12483

transport_delivery_slot_cost (default: $default_delivery_slot_cost)

12485       A transport-specific override for the default_delivery_slot_cost param‐
12486       eter value, where transport is the master.cf name of the message deliv‐
12487       ery transport.
12488
12489       Note: transport_delivery_slot_cost  parameters  will  not  show  up  in
12490       "postconf"  command output before Postfix version 2.9.  This limitation
12491       applies to many parameters whose name is a combination of  a  master.cf
12492       service   name   and   a   built-in  suffix  (in  this  case:  "_deliv‐
12493       ery_slot_cost").
12494

transport_delivery_slot_discount (default: $default_delivery_slot_discount)

12496       A transport-specific override  for  the  default_delivery_slot_discount
12497       parameter  value,  where transport is the master.cf name of the message
12498       delivery transport.
12499
12500       Note: transport_delivery_slot_discount parameters will not show  up  in
12501       "postconf"  command output before Postfix version 2.9.  This limitation
12502       applies to many parameters whose name is a combination of  a  master.cf
12503       service  name and a built-in suffix (in this case: "_delivery_slot_dis‐
12504       count").
12505

transport_delivery_slot_loan (default: $default_delivery_slot_loan)

12507       A transport-specific override for the default_delivery_slot_loan param‐
12508       eter value, where transport is the master.cf name of the message deliv‐
12509       ery transport.
12510
12511       Note: transport_delivery_slot_loan  parameters  will  not  show  up  in
12512       "postconf"  command output before Postfix version 2.9.  This limitation
12513       applies to many parameters whose name is a combination of  a  master.cf
12514       service   name   and   a   built-in  suffix  (in  this  case:  "_deliv‐
12515       ery_slot_loan").
12516

transport_destination_concurrency_failed_cohort_limit (default: $default_des‐

12518       tination_concurrency_failed_cohort_limit)
12519       A   transport-specific  override  for  the  default_destination_concur‐
12520       rency_failed_cohort_limit parameter value, where transport is the  mas‐
12521       ter.cf name of the message delivery transport.
12522
12523       Note: some transport_destination_concurrency_failed_cohort_limit param‐
12524       eters will not show up in "postconf" command output before Postfix ver‐
12525       sion  2.9.   This limitation applies to many parameters whose name is a
12526       combination of a master.cf service name and a built-in suffix (in  this
12527       case: "_destination_concurrency_failed_cohort_limit").
12528
12529       This feature is available in Postfix 2.5 and later.
12530

transport_destination_concurrency_limit (default: $default_destination_concur‐

12532       rency_limit)
12533       A  transport-specific  override  for  the   default_destination_concur‐
12534       rency_limit  parameter  value, where transport is the master.cf name of
12535       the message delivery transport.
12536
12537       Note: some transport_destination_concurrency_limit parameters will  not
12538       show  up in "postconf" command output before Postfix version 2.9.  This
12539       limitation applies to many parameters whose name is a combination of  a
12540       master.cf  service name and a built-in suffix (in this case: "_destina‐
12541       tion_concurrency_limit").
12542

transport_destination_concurrency_negative_feedback (default: $default_desti‐

12544       nation_concurrency_negative_feedback)
12545       A   transport-specific  override  for  the  default_destination_concur‐
12546       rency_negative_feedback parameter value, where transport  is  the  mas‐
12547       ter.cf name of the message delivery transport.
12548
12549       Note:  some transport_destination_concurrency_negative_feedback parame‐
12550       ters will not show up in "postconf" command output before Postfix  ver‐
12551       sion  2.9.   This limitation applies to many parameters whose name is a
12552       combination of a master.cf service name and a built-in suffix (in  this
12553       case: "_destination_concurrency_negative_feedback").
12554
12555       This feature is available in Postfix 2.5 and later.
12556

transport_destination_concurrency_positive_feedback (default: $default_desti‐

12558       nation_concurrency_positive_feedback)
12559       A  transport-specific  override  for  the   default_destination_concur‐
12560       rency_positive_feedback  parameter  value,  where transport is the mas‐
12561       ter.cf name of the message delivery transport.
12562
12563       Note: some transport_destination_concurrency_positive_feedback  parame‐
12564       ters  will not show up in "postconf" command output before Postfix ver‐
12565       sion 2.9.  This limitation applies to many parameters whose name  is  a
12566       combination  of a master.cf service name and a built-in suffix (in this
12567       case: "_destination_concurrency_positive_feedback").
12568
12569       This feature is available in Postfix 2.5 and later.
12570

transport_destination_rate_delay (default: $default_destination_rate_delay)

12572       A transport-specific override  for  the  default_destination_rate_delay
12573       parameter  value,  where transport is the master.cf name of the message
12574       delivery transport.
12575
12576       Note: some transport_destination_rate_delay parameters will not show up
12577       in  "postconf" command output before Postfix version 2.9.  This limita‐
12578       tion applies to many parameters whose name is a combination of  a  mas‐
12579       ter.cf  service  name  and  a built-in suffix (in this case: "_destina‐
12580       tion_rate_delay").
12581
12582       This feature is available in Postfix 2.5 and later.
12583

transport_destination_recipient_limit (default: $default_destination_recipi‐

12585       ent_limit)
12586       A   transport-specific  override  for  the  default_destination_recipi‐
12587       ent_limit parameter value, where transport is the master.cf name of the
12588       message delivery transport.
12589
12590       Note:  some  transport_destination_recipient_limit  parameters will not
12591       show up in "postconf" command output before Postfix version 2.9.   This
12592       limitation  applies to many parameters whose name is a combination of a
12593       master.cf service name and a built-in suffix (in this case:  "_destina‐
12594       tion_recipient_limit").
12595

transport_extra_recipient_limit (default: $default_extra_recipient_limit)

12597       A  transport-specific  override  for  the default_extra_recipient_limit
12598       parameter value, where transport is the master.cf name of  the  message
12599       delivery transport.
12600
12601       Note:  transport_extra_recipient_limit  parameters  will not show up in
12602       "postconf" command output before Postfix version 2.9.  This  limitation
12603       applies  to  many parameters whose name is a combination of a master.cf
12604       service name and a  built-in  suffix  (in  this  case:  "_extra_recipi‐
12605       ent_limit").
12606

transport_initial_destination_concurrency (default: $initial_destination_con‐

12608       currency)
12609       A transport-specific override for  the  initial_destination_concurrency
12610       parameter  value,  where transport is the master.cf name of the message
12611       delivery transport.
12612
12613       Note: some  transport_initial_destination_concurrency  parameters  will
12614       not  show  up  in "postconf" command output before Postfix version 2.9.
12615       This limitation applies to many parameters whose name is a  combination
12616       of a master.cf service name and a built-in suffix (in this case: "_ini‐
12617       tial_destination_concurrency").
12618
12619       This feature is available in Postfix 2.5 and later.
12620

transport_maps (default: empty)

12622       Optional lookup tables with mappings from recipient address to (message
12623       delivery   transport,  next-hop  destination).   See  transport(5)  for
12624       details.
12625
12626       Specify zero or more "type:table" lookup tables,  separated  by  white‐
12627       space  or comma. Tables will be searched in the specified order until a
12628       match is found.  If you use this feature with local files, run "postmap
12629       /etc/postfix/transport" after making a change.
12630
12631       Pattern  matching  of  domain  names  is  controlled by the presence or
12632       absence of  "transport_maps"  in  the  parent_domain_matches_subdomains
12633       parameter value.
12634
12635       For safety reasons, as of Postfix 2.3 this feature does not allow $num‐
12636       ber substitutions in regular expression maps.
12637
12638       Examples:
12639
12640       transport_maps = dbm:/etc/postfix/transport
12641       transport_maps = hash:/etc/postfix/transport
12642

transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)

12644       A transport-specific override  for  the  default_minimum_delivery_slots
12645       parameter  value,  where transport is the master.cf name of the message
12646       delivery transport.
12647
12648       Note: transport_minimum_delivery_slots parameters will not show  up  in
12649       "postconf"  command output before Postfix version 2.9.  This limitation
12650       applies to many parameters whose name is a combination of  a  master.cf
12651       service  name  and  a  built-in  suffix (in this case: "_minimum_deliv‐
12652       ery_slots").
12653

transport_recipient_limit (default: $default_recipient_limit)

12655       A transport-specific override for the default_recipient_limit parameter
12656       value,  where  transport  is the master.cf name of the message delivery
12657       transport.
12658
12659       Note: some transport_recipient_limit parameters will  not  show  up  in
12660       "postconf"  command output before Postfix version 2.9.  This limitation
12661       applies to many parameters whose name is a combination of  a  master.cf
12662       service name and a built-in suffix (in this case: "_recipient_limit").
12663

transport_recipient_refill_delay (default: $default_recipient_refill_delay)

12665       A  transport-specific  override  for the default_recipient_refill_delay
12666       parameter value, where transport is the master.cf name of  the  message
12667       delivery transport.
12668
12669       Note:  transport_recipient_refill_delay  parameters will not show up in
12670       "postconf" command output before Postfix version 2.9.  This  limitation
12671       applies  to  many parameters whose name is a combination of a master.cf
12672       service  name  and  a  built-in  suffix  (in   this   case:   "_recipi‐
12673       ent_refill_delay").
12674
12675       This feature is available in Postfix 2.4 and later.
12676

transport_recipient_refill_limit (default: $default_recipient_refill_limit)

12678       A  transport-specific  override  for the default_recipient_refill_limit
12679       parameter value, where transport is the master.cf name of  the  message
12680       delivery transport.
12681
12682       Note:  transport_recipient_refill_limit  parameters will not show up in
12683       "postconf" command output before Postfix version 2.9.  This  limitation
12684       applies  to  many parameters whose name is a combination of a master.cf
12685       service  name  and  a  built-in  suffix  (in   this   case:   "_recipi‐
12686       ent_refill_limit").
12687
12688       This feature is available in Postfix 2.4 and later.
12689

transport_retry_time (default: 60s)

12691       The  time  between  attempts  by the Postfix queue manager to contact a
12692       malfunctioning message delivery transport.
12693
12694       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
12695       The default time unit is s (seconds).
12696

transport_time_limit (default: $command_time_limit)

12698       A  transport-specific  override  for  the  command_time_limit parameter
12699       value, where transport is the master.cf name of  the  message  delivery
12700       transport.
12701
12702       Note:  transport_time_limit  parameters  will not show up in "postconf"
12703       command output before Postfix version 2.9.  This limitation applies  to
12704       many parameters whose name is a combination of a master.cf service name
12705       and a built-in suffix (in this case: "_time_limit").
12706

transport_transport_rate_delay (default: $default_transport_rate_delay)

12708       A  transport-specific  override  for  the  default_transport_rate_delay
12709       parameter  value,  where the initial transport in the parameter name is
12710       the master.cf name of the message delivery transport.
12711

trigger_timeout (default: 10s)

12713       The time limit for sending a trigger to a Postfix daemon (for  example,
12714       the  pickup(8)  or  qmgr(8)  daemon). This time limit prevents programs
12715       from getting stuck when the mail system is under heavy load.
12716
12717       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
12718       The default time unit is s (seconds).
12719

undisclosed_recipients_header (default: see postconf -d output)

12721       Message  header  that the Postfix cleanup(8) server inserts when a mes‐
12722       sage contains no To: or Cc: message header. With Postfix 2.8 and later,
12723       the  default  value  is  empty.  With Postfix 2.4-2.7, specify an empty
12724       value to disable this feature.
12725
12726       Example:
12727
12728       # Default value before Postfix 2.8.
12729       # Note: the ":" and ";" are both required.
12730       undisclosed_recipients_header = To: undisclosed-recipients:;
12731

unknown_address_reject_code (default: 450)

12733       The numerical response code when the  Postfix  SMTP  server  rejects  a
12734       sender or recipient address because its domain is unknown.  This is one
12735       of     the     possible     replies     from      the      restrictions
12736       reject_unknown_sender_domain and reject_unknown_recipient_domain.
12737
12738       Do  not  change  this  unless  you have a complete understanding of RFC
12739       5321.
12740

unknown_address_tempfail_action (default: $reject_tempfail_action)

12742       The Postfix SMTP server's action when  reject_unknown_sender_domain  or
12743       reject_unknown_recipient_domain  fail  due  to a temporary error condi‐
12744       tion. Specify "defer" to defer the remote SMTP client  request  immedi‐
12745       ately.  With  the  default  "defer_if_permit"  action, the Postfix SMTP
12746       server continues to look for opportunities to reject mail,  and  defers
12747       the client request only if it would otherwise be accepted.
12748
12749       This feature is available in Postfix 2.6 and later.
12750

unknown_client_reject_code (default: 450)

12752       The  numerical  Postfix SMTP server response code when a client without
12753       valid   address   <=>    name    mapping    is    rejected    by    the
12754       reject_unknown_client_hostname  restriction.  The  SMTP  server  always
12755       replies with 450 when the mapping failed due to a temporary error  con‐
12756       dition.
12757
12758       Do  not  change  this  unless  you have a complete understanding of RFC
12759       5321.
12760

unknown_helo_hostname_tempfail_action (default: $reject_tempfail_action)

12762       The Postfix  SMTP  server's  action  when  reject_unknown_helo_hostname
12763       fails  due to a temporary error condition. Specify "defer" to defer the
12764       remote SMTP client request immediately. With the default "defer_if_per‐
12765       mit"  action,  the Postfix SMTP server continues to look for opportuni‐
12766       ties to reject mail, and defers the client request  only  if  it  would
12767       otherwise be accepted.
12768
12769       This feature is available in Postfix 2.6 and later.
12770

unknown_hostname_reject_code (default: 450)

12772       The numerical Postfix SMTP server response code when the hostname spec‐
12773       ified  with  the  HELO   or   EHLO   command   is   rejected   by   the
12774       reject_unknown_helo_hostname restriction.
12775
12776       Do  not  change  this  unless  you have a complete understanding of RFC
12777       5321.
12778

unknown_local_recipient_reject_code (default: 550)

12780       The numerical Postfix  SMTP  server  response  code  when  a  recipient
12781       address  is local, and $local_recipient_maps specifies a list of lookup
12782       tables that does not match the recipient.  A recipient address is local
12783       when   its   domain   matches   $mydestination,   $proxy_interfaces  or
12784       $inet_interfaces.
12785
12786       The default setting is 550 (reject mail) but it is safer  to  initially
12787       use  450  (try  again  later)  so  you  have  time  to find out if your
12788       local_recipient_maps settings are OK.
12789
12790       Example:
12791
12792       unknown_local_recipient_reject_code = 450
12793
12794       This feature is available in Postfix 2.0 and later.
12795

unknown_relay_recipient_reject_code (default: 550)

12797       The numerical Postfix SMTP server reply code when a  recipient  address
12798       matches  $relay_domains,  and  relay_recipient_maps specifies a list of
12799       lookup tables that does not match the recipient address.
12800
12801       This feature is available in Postfix 2.0 and later.
12802

unknown_virtual_alias_reject_code (default: 550)

12804       The Postfix SMTP server reply code when  a  recipient  address  matches
12805       $virtual_alias_domains,  and  $virtual_alias_maps  specifies  a list of
12806       lookup tables that does not match the recipient address.
12807
12808       This feature is available in Postfix 2.0 and later.
12809

unknown_virtual_mailbox_reject_code (default: 550)

12811       The Postfix SMTP server reply code when  a  recipient  address  matches
12812       $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
12813       lookup tables that does not match the recipient address.
12814
12815       This feature is available in Postfix 2.0 and later.
12816

unverified_recipient_defer_code (default: 450)

12818       The numerical Postfix SMTP server response  when  a  recipient  address
12819       probe fails due to a temporary error condition.
12820
12821       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12822       address anyway.
12823
12824       Do not change this unless you have  a  complete  understanding  of  RFC
12825       5321.
12826
12827       This feature is available in Postfix 2.6 and later.
12828

unverified_recipient_reject_code (default: 450)

12830       The  numerical Postfix SMTP server response when a recipient address is
12831       rejected by the reject_unverified_recipient restriction.
12832
12833       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12834       address anyway.
12835
12836       Do  not  change  this  unless  you have a complete understanding of RFC
12837       5321.
12838
12839       This feature is available in Postfix 2.1 and later.
12840

unverified_recipient_reject_reason (default: empty)

12842       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12843       fied_recipient.  Do  not  include  the  numeric  SMTP reply code or the
12844       enhanced status code. By default, the response includes actual  address
12845       verification details.
12846
12847       Example:
12848
12849       unverified_recipient_reject_reason = Recipient address lookup failed
12850
12851       This feature is available in Postfix 2.6 and later.
12852

unverified_recipient_tempfail_action (default: $reject_tempfail_action)

12854       The Postfix SMTP server's action when reject_unverified_recipient fails
12855       due to a temporary error condition. Specify "defer" to defer the remote
12856       SMTP  client  request  immediately.  With the default "defer_if_permit"
12857       action, the Postfix SMTP server continues to look for opportunities  to
12858       reject  mail,  and defers the client request only if it would otherwise
12859       be accepted.
12860
12861       This feature is available in Postfix 2.6 and later.
12862

unverified_sender_defer_code (default: 450)

12864       The numerical Postfix SMTP server response code when a  sender  address
12865       probe fails due to a temporary error condition.
12866
12867       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12868       address anyway.
12869
12870       Do not change this unless you have  a  complete  understanding  of  RFC
12871       5321.
12872
12873       This feature is available in Postfix 2.6 and later.
12874

unverified_sender_reject_code (default: 450)

12876       The  numerical  Postfix  SMTP  server  response  code  when a recipient
12877       address is rejected by the reject_unverified_sender restriction.
12878
12879       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12880       address anyway.
12881
12882       Do  not  change  this  unless  you have a complete understanding of RFC
12883       5321.
12884
12885       This feature is available in Postfix 2.1 and later.
12886

unverified_sender_reject_reason (default: empty)

12888       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12889       fied_sender. Do not include the numeric SMTP reply code or the enhanced
12890       status code. By default, the response includes actual address verifica‐
12891       tion details.
12892
12893       Example:
12894
12895       unverified_sender_reject_reason = Sender address lookup failed
12896
12897       This feature is available in Postfix 2.6 and later.
12898

unverified_sender_tempfail_action (default: $reject_tempfail_action)

12900       The  Postfix  SMTP  server's action when reject_unverified_sender fails
12901       due to a temporary error condition. Specify "defer" to defer the remote
12902       SMTP  client  request  immediately.  With the default "defer_if_permit"
12903       action, the Postfix SMTP server continues to look for opportunities  to
12904       reject  mail,  and defers the client request only if it would otherwise
12905       be accepted.
12906
12907       This feature is available in Postfix 2.6 and later.
12908

verp_delimiter_filter (default: -=+)

12910       The characters Postfix accepts as  VERP  delimiter  characters  on  the
12911       Postfix sendmail(1) command line and in SMTP commands.
12912
12913       This feature is available in Postfix 1.1 and later.
12914

virtual_alias_address_length_limit (default: 1000)

12916       The  maximal  length of an email address after virtual alias expansion.
12917       This stops virtual aliasing loops  that  increase  the  address  length
12918       exponentially.
12919
12920       This feature is available in Postfix 3.0 and later.
12921

virtual_alias_domains (default: $virtual_alias_maps)

12923       Postfix  is  final  destination for the specified list of virtual alias
12924       domains, that is, domains  for  which  all  addresses  are  aliased  to
12925       addresses  in  other local or remote domains. The SMTP server validates
12926       recipient addresses with $virtual_alias_maps and  rejects  non-existent
12927       recipients.   See   also   the   virtual  alias  domain  class  in  the
12928       ADDRESS_CLASS_README file
12929
12930       This feature is available in Postfix 2.0 and later. The  default  value
12931       is backwards compatible with Postfix version 1.1.
12932
12933       The  default  value  is  $virtual_alias_maps  so  that you can keep all
12934       information about virtual alias domains in one place.  If you have many
12935       users,  it  is  better  to  separate information that changes more fre‐
12936       quently (virtual address ->  local  or  remote  address  mapping)  from
12937       information  that  changes  less frequently (the list of virtual domain
12938       names).
12939
12940       Specify a list of host or domain names,  "/file/name"  or  "type:table"
12941       patterns, separated by commas and/or whitespace. A "/file/name" pattern
12942       is replaced by its contents; a "type:table"  lookup  table  is  matched
12943       when  a  table  entry  matches  a  lookup  string (the lookup result is
12944       ignored).  Continue long lines by starting the next  line  with  white‐
12945       space.  Specify  "!pattern"  to  exclude a host or domain name from the
12946       list. The form "!/file/name" is supported only in Postfix  version  2.4
12947       and later.
12948
12949       See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
12950       ther information.
12951
12952       Example:
12953
12954       virtual_alias_domains = virtual1.tld virtual2.tld
12955

virtual_alias_expansion_limit (default: 1000)

12957       The maximal number of addresses that virtual alias  expansion  produces
12958       from each original recipient.
12959
12960       This feature is available in Postfix 2.1 and later.
12961

virtual_alias_maps (default: $virtual_maps)

12963       Optional lookup tables that alias specific mail addresses or domains to
12964       other local or remote address.  The table format and lookups are  docu‐
12965       mented  in virtual(5). For an overview of Postfix address manipulations
12966       see the ADDRESS_REWRITING_README document.
12967
12968       This feature is available in Postfix 2.0 and later. The  default  value
12969       is backwards compatible with Postfix version 1.1.
12970
12971       Specify zero or more "type:name" lookup tables, separated by whitespace
12972       or comma. Tables will be searched in the specified order until a  match
12973       is found.  Note: these lookups are recursive.
12974
12975       If  you  use  this  feature with indexed files, run "postmap /etc/post‐
12976       fix/virtual" after changing the file.
12977
12978       Examples:
12979
12980       virtual_alias_maps = dbm:/etc/postfix/virtual
12981       virtual_alias_maps = hash:/etc/postfix/virtual
12982

virtual_alias_recursion_limit (default: 1000)

12984       The maximal nesting depth of virtual alias  expansion.   Currently  the
12985       recursion  limit  is  applied  only to the left branch of the expansion
12986       graph, so the depth of the tree can in the worst case reach the sum  of
12987       the expansion and recursion limits.  This may change in the future.
12988
12989       This feature is available in Postfix 2.1 and later.
12990

virtual_delivery_status_filter (default: $default_delivery_status_filter)

12992       Optional  filter for the virtual(8) delivery agent to change the deliv‐
12993       ery status code or  explanatory  text  of  successful  or  unsuccessful
12994       deliveries.  See default_delivery_status_filter for details.
12995
12996       This feature is available in Postfix 3.0 and later.
12997

virtual_destination_concurrency_limit (default: $default_destination_concur‐

12999       rency_limit)
13000       The maximal number of parallel deliveries to the same  destination  via
13001       the  virtual  message delivery transport. This limit is enforced by the
13002       queue manager. The message delivery transport name is the  first  field
13003       in the entry in the master.cf file.
13004

virtual_destination_recipient_limit (default: $default_destination_recipi‐

13006       ent_limit)
13007       The maximal number of recipients per message for  the  virtual  message
13008       delivery  transport.  This  limit is enforced by the queue manager. The
13009       message delivery transport name is the first field in the entry in  the
13010       master.cf file.
13011
13012       Setting  this  parameter  to  a  value of 1 changes the meaning of vir‐
13013       tual_destination_concurrency_limit from  concurrency  per  domain  into
13014       concurrency per recipient.
13015

virtual_gid_maps (default: empty)

13017       Lookup  tables  with  the per-recipient group ID for virtual(8) mailbox
13018       delivery.
13019
13020       This parameter is specific to the virtual(8) delivery agent.   It  does
13021       not  apply  when  mail is delivered with a different mail delivery pro‐
13022       gram.
13023
13024       Specify zero or more "type:name" lookup tables, separated by whitespace
13025       or  comma. Tables will be searched in the specified order until a match
13026       is found.
13027
13028       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
13029       any  user  in  the  specified  domain  that  does  not  have a specific
13030       "user@domain.tld" entry.
13031
13032       When  a  recipient  address   has   an   optional   address   extension
13033       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
13034       address first, and when the lookup fails, it looks  up  the  unextended
13035       address (user@domain.tld).
13036
13037       Note  1:  for security reasons, the virtual(8) delivery agent disallows
13038       regular expression substitution of $1 etc. in regular expression lookup
13039       tables, because that would open a security hole.
13040
13041       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
13042       silently ignore requests to use the proxymap(8) server. Instead it will
13043       open  the  table  directly.  Before Postfix version 2.2, the virtual(8)
13044       delivery agent will terminate with a fatal error.
13045

virtual_mailbox_base (default: empty)

13047       A prefix that the virtual(8) delivery agent prepends  to  all  pathname
13048       results  from  $virtual_mailbox_maps  table  lookups.  This is a safety
13049       measure to ensure that an out of control map doesn't  litter  the  file
13050       system with mailboxes.  While virtual_mailbox_base could be set to "/",
13051       this setting isn't recommended.
13052
13053       This parameter is specific to the virtual(8) delivery agent.   It  does
13054       not  apply  when  mail is delivered with a different mail delivery pro‐
13055       gram.
13056
13057       Example:
13058
13059       virtual_mailbox_base = /var/mail
13060

virtual_mailbox_domains (default: $virtual_mailbox_maps)

13062       Postfix is final destination for the specified list of domains; mail is
13063       delivered  via  the  $virtual_transport  mail  delivery  transport.  By
13064       default this is the Postfix virtual(8) delivery agent.  The SMTP server
13065       validates  recipient  addresses  with $virtual_mailbox_maps and rejects
13066       mail for non-existent recipients.  See also the virtual mailbox  domain
13067       class in the ADDRESS_CLASS_README file.
13068
13069       This  parameter expects the same syntax as the mydestination configura‐
13070       tion parameter.
13071
13072       This feature is available in Postfix 2.0 and later. The  default  value
13073       is backwards compatible with Postfix version 1.1.
13074

virtual_mailbox_limit (default: 51200000)

13076       The  maximal  size  in  bytes  of  an  individual virtual(8) mailbox or
13077       maildir file, or zero (no limit).
13078
13079       This parameter is specific to the virtual(8) delivery agent.   It  does
13080       not  apply  when  mail is delivered with a different mail delivery pro‐
13081       gram.
13082

virtual_mailbox_lock (default: see postconf -d output)

13084       How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
13085       For  a  list  of  available file locking methods, use the "postconf -l"
13086       command.
13087
13088       This parameter is specific to the virtual(8) delivery agent.   It  does
13089       not  apply  when  mail is delivered with a different mail delivery pro‐
13090       gram.
13091
13092       This setting is ignored  with  maildir  style  delivery,  because  such
13093       deliveries are safe without application-level locks.
13094
13095       Note  1:  the dotlock method requires that the recipient UID or GID has
13096       write access to the parent directory of the recipient's mailbox file.
13097
13098       Note 2: the default setting of this parameter is system dependent.
13099

virtual_mailbox_maps (default: empty)

13101       Optional lookup tables with all valid addresses  in  the  domains  that
13102       match $virtual_mailbox_domains.
13103
13104       Specify zero or more "type:name" lookup tables, separated by whitespace
13105       or comma. Tables will be searched in the specified order until a  match
13106       is found.
13107
13108       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
13109       any user in  the  specified  domain  that  does  not  have  a  specific
13110       "user@domain.tld" entry.
13111
13112       The  remainder  of  this  text  is  specific to the virtual(8) delivery
13113       agent.  It does not apply when mail is delivered with a different  mail
13114       delivery program.
13115
13116       The virtual(8) delivery agent uses this table to look up the per-recip‐
13117       ient mailbox or maildir pathname.  If the lookup result ends in a slash
13118       ("/"),  maildir-style  delivery  is  carried out, otherwise the path is
13119       assumed to specify a UNIX-style mailbox file.  Note that $virtual_mail‐
13120       box_base is unconditionally prepended to this path.
13121
13122       When   a   recipient   address   has   an  optional  address  extension
13123       (user+foo@domain.tld), the virtual(8) delivery agent looks up the  full
13124       address  first,  and  when the lookup fails, it looks up the unextended
13125       address (user@domain.tld).
13126
13127       Note 1: for security reasons, the virtual(8) delivery  agent  disallows
13128       regular expression substitution of $1 etc. in regular expression lookup
13129       tables, because that would open a security hole.
13130
13131       Note 2: for  security  reasons,  the  virtual(8)  delivery  agent  will
13132       silently ignore requests to use the proxymap(8) server. Instead it will
13133       open the table directly. Before Postfix  version  2.2,  the  virtual(8)
13134       delivery agent will terminate with a fatal error.
13135

virtual_maps (default: empty)

13137       Optional lookup tables with a) names of domains for which all addresses
13138       are aliased to addresses in other  local  or  remote  domains,  and  b)
13139       addresses  that  are  aliased  to  addresses  in  other local or remote
13140       domains.  Available before Postfix version 2.0.  With  Postfix  version
13141       2.0   and   later,   this   is  replaced  by  separate  controls:  vir‐
13142       tual_alias_domains and virtual_alias_maps.
13143

virtual_minimum_uid (default: 100)

13145       The minimum user ID value that the virtual(8) delivery agent accepts as
13146       a  result  from  $virtual_uid_maps  table lookup.  Returned values less
13147       than this will be rejected, and the message will be deferred.
13148
13149       This parameter is specific to the virtual(8) delivery agent.   It  does
13150       not  apply  when  mail is delivered with a different mail delivery pro‐
13151       gram.
13152

virtual_transport (default: virtual)

13154       The default mail delivery transport and next-hop destination for  final
13155       delivery  to domains listed with $virtual_mailbox_domains.  This infor‐
13156       mation can be overruled with the transport(5) table.
13157
13158       Specify a string of the form transport:nexthop, where transport is  the
13159       name  of  a mail delivery transport defined in master.cf.  The :nexthop
13160       destination is optional; its syntax is documented in the manual page of
13161       the corresponding delivery agent.
13162
13163       This feature is available in Postfix 2.0 and later.
13164

virtual_uid_maps (default: empty)

13166       Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
13167       ery agent uses while writing to the recipient's mailbox.
13168
13169       This parameter is specific to the virtual(8) delivery agent.   It  does
13170       not  apply  when  mail is delivered with a different mail delivery pro‐
13171       gram.
13172
13173       Specify zero or more "type:name" lookup tables, separated by whitespace
13174       or  comma. Tables will be searched in the specified order until a match
13175       is found.
13176
13177       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
13178       any  user  in  the  specified  domain  that  does  not  have a specific
13179       "user@domain.tld" entry.
13180
13181       When  a  recipient  address   has   an   optional   address   extension
13182       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
13183       address first, and when the lookup fails, it looks  up  the  unextended
13184       address (user@domain.tld).
13185
13186       Note  1:  for security reasons, the virtual(8) delivery agent disallows
13187       regular expression substitution of $1 etc. in regular expression lookup
13188       tables, because that would open a security hole.
13189
13190       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
13191       silently ignore requests to use the proxymap(8) server. Instead it will
13192       open  the  table  directly.  Before Postfix version 2.2, the virtual(8)
13193       delivery agent will terminate with a fatal error.
13194

SEE ALSO

13196       postconf(1), Postfix configuration parameter maintenance
13197       master(5), Postfix daemon configuration maintenance
13198

LICENSE

13200       The Secure Mailer license must be distributed with this software.
13201

AUTHOR(S)

13203       Wietse Venema
13204       IBM T.J. Watson Research
13205       P.O. Box 704
13206       Yorktown Heights, NY 10598, USA
13207
13208       Wietse Venema
13209       Google, Inc.
13210       111 8th Avenue
13211       New York, NY 10011, USA
13212
13213       Viktor Dukhovni
13214
13215
13216
13217                                                                   POSTCONF(5)
Impressum