POSTCONF(5)                   File Formats Manual                  POSTCONF(5)

NAME
       postconf - Postfix configuration parameters

SYNOPSIS
       postconf parameter ...

       postconf -e "parameter=value" ...

DESCRIPTION
       The Postfix main.cf configuration file specifies parameters that
       control the operation of the Postfix mail system. Typically the file
       contains only a small subset of all parameters; parameters not
       specified are left at their default values.

       The general format of the main.cf file is as follows:

       ·      Each logical line has the form "parameter = value". Whitespace
              around the "=" is ignored, as is whitespace at the end of a
              logical line.

       ·      Empty lines and whitespace-only lines are ignored, as are lines
              whose first non-whitespace character is a `#'.

       ·      A logical line starts with non-whitespace text. A line that
              starts with whitespace continues a logical line.

       ·      A parameter value may refer to other parameters.

              ·      The expressions "$name" and "${name}" are recursively
                     replaced with the value of the named parameter. The
                     parameter name must contain only characters from the
                     set [a-zA-Z0-9_]. An undefined parameter value is
                     replaced with the empty value.

              ·      The expressions "${name?value}" and "${name?{value}}"
                     are replaced with "value" when "$name" is non-empty.
                     The parameter name must contain only characters from
                     the set [a-zA-Z0-9_]. These forms are supported with
                     Postfix versions >= 2.2 and >= 3.0, respectively.

              ·      The expressions "${name:value}" and "${name:{value}}"
                     are replaced with "value" when "$name" is empty. The
                     parameter name must contain only characters from the
                     set [a-zA-Z0-9_]. These forms are supported with
                     Postfix versions >= 2.2 and >= 3.0, respectively.

              ·      The expression "${name?{value1}:{value2}}" is replaced
                     with "value1" when "$name" is non-empty, and with
                     "value2" when "$name" is empty. The "{}" is required
                     for "value1", optional for "value2". The parameter name
                     must contain only characters from the set
                     [a-zA-Z0-9_]. This form is supported with Postfix
                     versions >= 3.0.

              ·      The first item inside "${...}" may be a relational
                     expression of the form: "{value3} == {value4}". Besides
                     the "==" (equality) operator Postfix supports "!="
                     (inequality), "<", "<=", ">=", and ">". The comparison
                     is numerical when both operands are all digits,
                     otherwise the comparison is lexicographical. These
                     forms are supported with Postfix versions >= 3.0.

              ·      Each "value" is subject to recursive named parameter
                     and relational expression evaluation, except where
                     noted.

              ·      Whitespace before or after each "{value}" is ignored.

              ·      Specify "$$" to produce a single "$" character.

              ·      The legacy form "$(...)" is equivalent to the preferred
                     form "${...}".

       ·      When the same parameter is defined multiple times, only the
              last instance is remembered.

       ·      Otherwise, the order of main.cf parameter definitions does not
              matter.

       The remainder of this document is a description of all Postfix
       configuration parameters. Default values are shown after the
       parameter name in parentheses, and can be looked up with the
       "postconf -d" command.

       Note: this is not an invitation to make changes to Postfix
       configuration parameters. Unnecessary changes can impair the
       operation of the mail system.
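
       The following Python evaluator is an added worked example, not part
       of the postconf(5) text and not Postfix's own code: it applies the
       $name, ${name?...}, ${name:...}, ${name?{...}:{...}}, relational
       expression, "$$" and "$(...)" rules above to a constructed parameter
       table (PARAMS, as a parse of main.cf would yield). The recursion
       cut-off MAX_DEPTH and all names in it are assumptions.

```python
import operator
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")
# Two-character operators come first so that "<=" is not misread as "<".
OPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le,
       ">=": operator.ge, "<": operator.lt, ">": operator.gt}
MAX_DEPTH = 20  # assumption: cut-off for self-referential definitions

# Constructed parameter table (what parsing a main.cf would yield); the
# values are examples, not a real site's configuration.
PARAMS = {
    "myhostname": "mail.example.com",
    "mydomain": "example.com",
    "myorigin": "$mydomain",
    "smtpd_banner": "$myhostname ESMTP $$mail_name",
    "relayhost": "",
    "relay_tls": "${relayhost?{encrypt}:{may}}",
    "client_count": "12",
    "load_state": "${{$client_count} >= {10}?{busy}:{idle}}",
}

def _matching(text, start, open_ch, close_ch):
    """Index of the close_ch that balances the open_ch at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == open_ch) - (text[i] == close_ch)
        if depth == 0:
            return i
    raise ValueError("unbalanced %r in %r" % (open_ch, text))

def _take_value(rest):
    """Value after '?' or ':': a braced "{...}" or all remaining text."""
    rest = rest.lstrip()
    if rest.startswith("{"):
        end = _matching(rest, 0, "{", "}")
        return rest[1:end], rest[end + 1:].lstrip()
    return rest, ""

def _lookup(name, params, depth):
    if depth > MAX_DEPTH:
        raise ValueError("recursive definition involving $%s" % name)
    return expand(params.get(name, ""), params, depth + 1)

def _braced(inner, params, depth):
    """Contents of ${...}: a name (tested for non-emptiness) or a relational
    "{v3} op {v4}" test, then the optional ?value and :value branches."""
    inner = inner.lstrip()
    if inner.startswith("{"):                       # relational expression
        left, rest = _take_value(inner)
        op = next((o for o in OPS if rest.startswith(o)), None)
        rest = rest[len(op or ""):].lstrip()
        if op is None or not rest.startswith("{"):
            raise ValueError("bad relational expression in ${%s}" % inner)
        right, rest = _take_value(rest)
        lhs, rhs = (expand(v, params, depth).strip() for v in (left, right))
        if lhs.isdigit() and rhs.isdigit():         # numerical comparison,
            lhs, rhs = int(lhs), int(rhs)           # otherwise lexicographical
        cond = OPS[op](lhs, rhs)
    else:
        m = NAME_RE.match(inner)
        if m is None:
            raise ValueError("bad parameter reference ${%s}" % inner)
        value, rest = _lookup(m.group(), params, depth), inner[m.end():].lstrip()
        if not rest:
            return value                            # plain ${name}
        cond = value != ""
    then_v = else_v = ""
    if rest.startswith("?"):
        then_v, rest = _take_value(rest[1:])
    if rest.startswith(":"):
        else_v, rest = _take_value(rest[1:])
    if rest:
        raise ValueError("unexpected text %r inside ${...}" % rest)
    return expand(then_v if cond else else_v, params, depth)

def expand(value, params, depth=0):
    """Expand $name, ${...} and the legacy $(...) form inside value."""
    out, i = [], 0
    while i < len(value):
        if value.startswith("$$", i):               # "$$" yields a literal "$"
            out.append("$"); i += 2
        elif value.startswith(("${", "$("), i):
            close_ch = "}" if value[i + 1] == "{" else ")"
            end = _matching(value, i + 1, value[i + 1], close_ch)
            out.append(_braced(value[i + 2:end], params, depth)); i = end + 1
        elif value[i] == "$" and (m := NAME_RE.match(value, i + 1)):
            out.append(_lookup(m.group(), params, depth)); i = m.end()
        else:                                       # plain text or a lone "$"
            out.append(value[i]); i += 1
    return "".join(out)

def is_well_formed(value, params):
    """False when expansion hits unbalanced braces or a reference loop."""
    try:
        expand(value, params)
        return True
    except ValueError:
        return False
```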

2bounce_notice_recipient (default: postmaster)
       The recipient of undeliverable mail that cannot be returned to the
       sender. This feature is enabled with the notify_classes parameter.

access_map_defer_code (default: 450)
       The numerical Postfix SMTP server response code for an access(5) map
       "defer" action, including "defer_if_permit" or "defer_if_reject".
       Prior to Postfix 2.6, the response is hard-coded as "450".

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.6 and later.

access_map_reject_code (default: 554)
       The numerical Postfix SMTP server response code for an access(5) map
       "reject" action.

       Do not change this unless you have a complete understanding of RFC
       5321.

address_verify_cache_cleanup_interval (default: 12h)
       The amount of time between verify(8) address verification database
       cleanup runs. This feature requires that the database supports the
       "delete" and "sequence" operators. Specify a zero interval to disable
       database cleanup.

       After each database cleanup run, the verify(8) daemon logs the number
       of entries that were retained and dropped. A cleanup run is logged as
       "partial" when the daemon terminates early after "postfix reload",
       "postfix stop", or no requests for $max_idle seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.7.

address_verify_default_transport (default: $default_transport)
       Overrides the default_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_local_transport (default: $local_transport)
       Overrides the local_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_map (default: see postconf -d output)
       Lookup table for persistent address verification status storage. The
       table is maintained by the verify(8) service, and is opened before
       the process releases privileges.

       The lookup table is persistent by default (Postfix 2.7 and later).
       Specify an empty table name to keep the information in volatile
       memory which is lost after "postfix reload" or "postfix stop". This
       is the default with Postfix version 2.6 and earlier.

       Specify a location in a file system that will not fill up. If the
       database becomes corrupted, the world comes to an end. To recover,
       delete (NOT: truncate) the file and do "postfix reload".

       Postfix daemon processes do not use root privileges when opening
       this file (Postfix 2.5 and later). The file must therefore be stored
       under a Postfix-owned directory such as the data_directory. As a
       migration aid, an attempt to open the file under a non-Postfix
       directory is redirected to the Postfix-owned data_directory, and a
       warning is logged.

       Examples:

       address_verify_map = hash:/var/lib/postfix/verify
       address_verify_map = btree:/var/lib/postfix/verify

       This feature is available in Postfix 2.1 and later.

address_verify_negative_cache (default: yes)
       Enable caching of failed address verification probe results. When
       this feature is enabled, the cache may pollute quickly with garbage.
       When this feature is disabled, Postfix will generate an address probe
       for every lookup.

       This feature is available in Postfix 2.1 and later.

address_verify_negative_expire_time (default: 3d)
       The time after which a failed probe expires from the address
       verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_negative_refresh_time (default: 3h)
       The time after which a failed address verification probe needs to be
       refreshed.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_pending_request_limit (default: see postconf -d output)
       A safety limit that prevents address verification requests from
       overwhelming the Postfix queue. By default, the number of pending
       requests is limited to 1/4 of the active queue maximum size
       (qmgr_message_active_limit). The queue manager enforces the limit by
       tempfailing requests that exceed the limit. This affects only unknown
       addresses and inactive addresses that have expired, because the
       verify(8) daemon automatically refreshes an active address before it
       expires.

       This feature is available in Postfix 3.1 and later.

address_verify_poll_count (default: normal: 3, overload: 1)
       How many times to query the verify(8) service for the completion of
       an address verification request in progress.

       By default, the Postfix SMTP server polls the verify(8) service up to
       three times under non-overload conditions, and only once when under
       overload. With Postfix version 2.5 and earlier, the SMTP server
       always polls the verify(8) service up to three times by default.

       Specify 1 to implement a crude form of greylisting, that is, always
       defer the first delivery request for a new address.

       Examples:

       # Postfix <= 2.6 default
       address_verify_poll_count = 3
       # Poor man's greylisting
       address_verify_poll_count = 1

       This feature is available in Postfix 2.1 and later.

address_verify_poll_delay (default: 3s)
       The delay between queries for the completion of an address
       verification request in progress.

       The default polling delay is 3 seconds.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_expire_time (default: 31d)
       The time after which a successful probe expires from the address
       verification cache.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.

address_verify_positive_refresh_time (default: 7d)
       The time after which a successful address verification probe needs
       to be refreshed. The address verification status is not updated when
       the probe fails (optimistic caching).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.1 and later.
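
       The following Python model is an added example, not Postfix code: it
       shows how the address_verify_negative_cache, *_expire_time and
       *_refresh_time parameters above, together with the cleanup run of
       address_verify_cache_cleanup_interval, govern what the verify(8)
       cache answers, including optimistic caching of a failed refresh
       probe. The Policy, Entry and VerifyCache names are hypothetical, and
       the clock is plain integer seconds.

```python
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value, default_unit="s"):
    """A Postfix time value: an integer plus an optional s/m/h/d/w suffix."""
    value = value.strip()
    has_unit = bool(value) and value[-1] in UNITS
    digits, unit = (value[:-1], value[-1]) if has_unit else (value, default_unit)
    if not digits.isdigit():
        raise ValueError("bad time value %r" % value)
    return int(digits) * UNITS[unit]


@dataclass
class Policy:
    """The documented defaults of the address_verify_* cache parameters."""
    negative_cache: bool = True
    positive_expire: int = parse_time("31d")
    positive_refresh: int = parse_time("7d")
    negative_expire: int = parse_time("3d")
    negative_refresh: int = parse_time("3h")


@dataclass
class Entry:
    ok: bool       # outcome of the last stored probe
    stored: int    # time (seconds) at which it was stored


class VerifyCache:
    """Model of the verify(8) status cache (hypothetical, for illustration)."""

    def __init__(self, policy=None):
        self.policy, self.entries = policy or Policy(), {}

    def lookup(self, address, now):
        """Return (status, needs_probe). status None means unknown or expired:
        the request is deferred until a probe completes. A known status with
        needs_probe=True is answered from the cache while a refresh probe is
        sent in the background."""
        e, p = self.entries.get(address), self.policy
        if e is None:
            return None, True
        expire = p.positive_expire if e.ok else p.negative_expire
        refresh = p.positive_refresh if e.ok else p.negative_refresh
        age = now - e.stored
        if age >= expire:
            return None, True
        return e.ok, age >= refresh

    def record(self, address, ok, now):
        """Store a probe outcome. A failed refresh does not overwrite an
        unexpired positive status (optimistic caching), and failures are
        stored only when negative caching is on; with it off, every lookup
        of a failing address sends a new probe."""
        e = self.entries.get(address)
        if not ok:
            if e is not None and e.ok and now - e.stored < self.policy.positive_expire:
                return
            if not self.policy.negative_cache:
                return
        self.entries[address] = Entry(ok, now)

    def cleanup(self, now):
        """Drop expired entries; returns (retained, dropped) as verify(8) logs."""
        before = len(self.entries)
        self.entries = {a: e for a, e in self.entries.items()
                        if self.lookup(a, now)[0] is not None}
        return len(self.entries), before - len(self.entries)
```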

address_verify_relay_transport (default: $relay_transport)
       Overrides the relay_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_relayhost (default: $relayhost)
       Overrides the relayhost parameter setting for address verification
       probes. This information can be overruled with the transport(5)
       table.

       This feature is available in Postfix 2.1 and later.

address_verify_sender (default: $double_bounce_sender)
       The sender address to use in address verification probes; prior to
       Postfix 2.5 the default was "postmaster". To avoid problems with
       address probes that are sent in response to address probes, the
       Postfix SMTP server excludes the probe sender address from all SMTPD
       access blocks.

       Specify an empty value (address_verify_sender =) or <> if you want to
       use the null sender address. Beware, some sites reject mail from <>,
       even though RFCs require that such addresses be accepted.

       Examples:

       address_verify_sender = <>
       address_verify_sender = postmaster@my.domain

       This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps)
       Overrides the sender_dependent_default_transport_maps parameter
       setting for address verification probes.

       This feature is available in Postfix 2.7 and later.

address_verify_sender_dependent_relayhost_maps (default: $sender_dependent_relayhost_maps)
       Overrides the sender_dependent_relayhost_maps parameter setting for
       address verification probes.

       This feature is available in Postfix 2.3 and later.

address_verify_sender_ttl (default: 0s)
       The time between changes in the time-dependent portion of address
       verification probe sender addresses. The time-dependent portion is
       appended to the localpart of the address specified with the
       address_verify_sender parameter. This feature is ignored when the
       probe sender address is the null sender, i.e. the
       address_verify_sender value is empty or <>.

       Historically, the probe sender address was fixed. This has caused
       such addresses to end up on spammer mailing lists, and has resulted
       in wasted network and processing resources.

       To enable time-dependent probe sender addresses, specify a non-zero
       time value (an integral value plus an optional one-letter suffix that
       specifies the time unit). Specify a value of at least several hours,
       to avoid problems with senders that use greylisting. Avoid nice TTL
       values, to make the result less predictable. Time units are: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.9 and later.

address_verify_service_name (default: verify)
       The name of the verify(8) address verification service. This service
       maintains the status of sender and/or recipient address verification
       probes, and generates probes on request by other Postfix processes.

address_verify_transport_maps (default: $transport_maps)
       Overrides the transport_maps parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

address_verify_virtual_transport (default: $virtual_transport)
       Overrides the virtual_transport parameter setting for address
       verification probes.

       This feature is available in Postfix 2.1 and later.

alias_database (default: see postconf -d output)
       The alias databases for local(8) delivery that are updated with
       "newaliases" or with "sendmail -bi".

       This is a separate configuration parameter because not all the
       tables specified with $alias_maps have to be local files.

       Examples:

       alias_database = hash:/etc/aliases
       alias_database = hash:/etc/mail/aliases

alias_maps (default: see postconf -d output)
       The alias databases that are used for local(8) delivery. See
       aliases(5) for syntax details. Specify zero or more "type:name"
       lookup tables, separated by whitespace or comma. Tables will be
       searched in the specified order until a match is found. Note: these
       lookups are recursive.

       The default list is system dependent. On systems with NIS, the
       default is to search the local alias database, then the NIS alias
       database.

       If you change the alias database, run "postalias /etc/aliases" (or
       wherever your system stores the mail alias file), or simply run
       "newaliases" to build the necessary DBM or DB file.

       The local(8) delivery agent disallows regular expression
       substitution of $1 etc. in alias_maps, because that would open a
       security hole.

       The local(8) delivery agent will silently ignore requests to use the
       proxymap(8) server within alias_maps. Instead it will open the table
       directly. Before Postfix version 2.2, the local(8) delivery agent
       will terminate with a fatal error.

       Examples:

       alias_maps = hash:/etc/aliases, nis:mail.aliases
       alias_maps = hash:/etc/aliases

allow_mail_to_commands (default: alias, forward)
       Restrict local(8) mail delivery to external commands. The default is
       to disallow delivery to "|command" in :include: files (see aliases(5)
       for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow
       commands in aliases(5), .forward files or in :include: files,
       respectively.

       Example:

       allow_mail_to_commands = alias,forward,include

allow_mail_to_files (default: alias, forward)
       Restrict local(8) mail delivery to external files. The default is to
       disallow "/file/name" destinations in :include: files (see aliases(5)
       for the text that defines this terminology).

       Specify zero or more of: alias, forward or include, in order to allow
       "/file/name" destinations in aliases(5), .forward files and in
       :include: files, respectively.

       Example:

       allow_mail_to_files = alias,forward,include

allow_min_user (default: no)
       Allow a sender or recipient address to have `-' as the first
       character. By default, this is not allowed, to avoid accidents with
       software that passes email addresses via the command line. Such
       software would not be able to distinguish a malicious address from a
       bona fide command-line option. Although this can be prevented by
       inserting a "--" option terminator into the command line, this is
       difficult to enforce consistently and globally.

       As of Postfix version 2.5, this feature is implemented by
       trivial-rewrite(8). With earlier versions this feature was
       implemented by qmgr(8) and was limited to recipient addresses only.

allow_percent_hack (default: yes)
       Enable the rewriting of the form "user%domain" to "user@domain". This
       is enabled by default.

       Note: as of Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Example:

       allow_percent_hack = no

allow_untrusted_routing (default: no)
       Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
       from untrusted clients to destinations matching $relay_domains.

       By default, this feature is turned off. This closes a nasty open
       relay loophole where a backup MX host can be tricked into forwarding
       junk mail to a primary MX host which then spams it out to the world.

       This parameter also controls if non-local addresses with
       sender-specified routing can match Postfix access tables. By default,
       such addresses cannot match Postfix access tables, because the
       address is ambiguous.

alternate_config_directories (default: empty)
       A list of non-default Postfix configuration directories that may be
       specified with "-c config_directory" on the command line (in the case
       of sendmail(1), with the "-C" option), or via the MAIL_CONFIG
       environment parameter.

       This list must be specified in the default Postfix main.cf file, and
       will be used by set-gid Postfix commands such as postqueue(1) and
       postdrop(1).

       Specify absolute pathnames, separated by comma or space. Note: $name
       expansion is not supported.

always_add_missing_headers (default: no)
       Always add (Resent-) From:, To:, Date: or Message-ID: headers when
       not present. Postfix 2.6 and later add these headers only when
       clients match the local_header_rewrite_clients parameter setting.
       Earlier Postfix versions always add these headers; this may break
       DKIM signatures that cover non-existent headers. The
       undisclosed_recipients_header parameter setting determines whether a
       To: header will be added.

always_bcc (default: empty)
       Optional address that receives a "blind carbon copy" of each message
       that is received by the Postfix mail system.

       Note: with Postfix 2.3 and later the BCC address is added as if it
       was specified with NOTIFY=NONE. The sender will not be notified when
       the BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will be notified when
       the BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

anvil_rate_time_unit (default: 60s)
       The time unit over which client connection rates and other rates are
       calculated.

       This feature is implemented by the anvil(8) service which is
       available in Postfix version 2.2 and later.

       The default interval is relatively short. Because of the high
       frequency of updates, the anvil(8) server uses volatile memory only.
       Thus, information is lost whenever the process terminates.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

anvil_status_update_time (default: 600s)
       How frequently the anvil(8) connection and rate limiting server logs
       peak usage information.

       This feature is available in Postfix 2.2 and later.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

append_at_myorigin (default: yes)
       With locally submitted mail, append the string "@$myorigin" to mail
       addresses without domain information. With remotely submitted mail,
       append the string "@$remote_header_rewrite_domain" instead.

       Note 1: this feature is enabled by default and must not be turned
       off. Postfix does not support domain-less addresses.

       Note 2: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

append_dot_mydomain (default: Postfix >= 3.0: no, Postfix < 3.0: yes)
       With locally submitted mail, append the string ".$mydomain" to
       addresses that have no ".domain" information. With remotely
       submitted mail, append the string ".$remote_header_rewrite_domain"
       instead.

       Note 1: this feature is enabled by default. If disabled, users will
       not be able to send mail to "user@partialdomainname" but will have to
       specify full domain names instead.

       Note 2: with Postfix version 2.2, message header address rewriting
       happens only when one of the following conditions is true:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

application_event_drain_time (default: 100s)
       How long the postkick(1) command waits for a request to enter the
       Postfix daemon process input buffer before giving up.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

authorized_flush_users (default: static:anyone)
       List of users who are authorized to flush the queue.

       By default, all users are allowed to flush the queue. Access is
       always granted if the invoking user is the super-user or the
       $mail_owner user. Otherwise, the real UID of the process is looked up
       in the system password file, and access is granted only if the
       corresponding login name is on the access list. The username
       "unknown" is used for processes whose real UID is not found in the
       password file.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name"
       pattern is replaced by its contents; a "type:table" lookup table is
       matched when a name matches a lookup key (the lookup result is
       ignored). Continue long lines by starting the next line with
       whitespace. Specify "!pattern" to exclude a name from the list. The
       form "!/file/name" is supported only in Postfix version 2.4 and
       later.

       This feature is available in Postfix 2.2 and later.

authorized_mailq_users (default: static:anyone)
       List of users who are authorized to view the queue.

       By default, all users are allowed to view the queue. Access is always
       granted if the invoking user is the super-user or the $mail_owner
       user. Otherwise, the real UID of the process is looked up in the
       system password file, and access is granted only if the
       corresponding login name is on the access list. The username
       "unknown" is used for processes whose real UID is not found in the
       password file.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name"
       pattern is replaced by its contents; a "type:table" lookup table is
       matched when a name matches a lookup key (the lookup result is
       ignored). Continue long lines by starting the next line with
       whitespace. Specify "!pattern" to exclude a user name from the list.
       The form "!/file/name" is supported only in Postfix version 2.4 and
       later.

       This feature is available in Postfix 2.2 and later.

authorized_submit_users (default: static:anyone)
       List of users who are authorized to submit mail with the sendmail(1)
       command (and with the privileged postdrop(1) helper command).

       By default, all users are allowed to submit mail. Otherwise, the real
       UID of the process is looked up in the system password file, and
       access is granted only if the corresponding login name is on the
       access list. The username "unknown" is used for processes whose real
       UID is not found in the password file. To deny mail submission access
       to all users specify an empty list.

       Specify a list of user names, "/file/name" or "type:table" patterns,
       separated by commas and/or whitespace. The list is matched left to
       right, and the search stops on the first match. A "/file/name"
       pattern is replaced by its contents; a "type:table" lookup table is
       matched when a name matches a lookup key (the lookup result is
       ignored). Continue long lines by starting the next line with
       whitespace. Specify "!pattern" to exclude a user name from the list.
       The form "!/file/name" is supported only in Postfix version 2.4 and
       later.

       Example:

       authorized_submit_users = !www, static:all

       This feature is available in Postfix 2.2 and later.

authorized_verp_clients (default: $mynetworks)

630       What  remote  SMTP  clients  are  allowed to specify the XVERP command.
631       This command requests that mail be delivered one recipient  at  a  time
632       with a per recipient return address.
633
634       By default, only trusted clients are allowed to specify XVERP.
635
636       This  parameter  was introduced with Postfix version 1.1.  Postfix ver‐
637       sion 2.1 renamed this parameter  to  smtpd_authorized_verp_clients  and
638       changed the default to none.
639
640       Specify  a list of network/netmask patterns, separated by commas and/or
641       whitespace. The mask specifies the number of bits in the  network  part
642       of a host address. You can also specify hostnames or .domain names (the
643       initial  dot  causes  the  domain  to  match  any   name   below   it),
644       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
645       replaced by its contents; a "type:table" lookup table is matched when a
646       table  entry  matches  a  lookup string (the lookup result is ignored).
647       Continue long lines by starting the next line with whitespace.  Specify
648       "!pattern"  to  exclude  an address or network block from the list. The
649       form "!/file/name" is supported only in Postfix version 2.4 and later.
650
651       Note: IP version 6 address information must be specified inside  []  in
652       the   authorized_verp_clients   value,  and  in  files  specified  with
653       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
654       would otherwise be confused with a "type:table" pattern.

backwards_bounce_logfile_compatibility (default: yes)
       Produce additional bounce(8) logfile records that can be read by
       Postfix versions before 2.0. The current and more extensible "name =
       value" format is needed in order to implement more sophisticated
       functionality.

       This feature is available in Postfix 2.1 and later.

berkeley_db_create_buffer_size (default: 16777216)
       The per-table I/O buffer size for programs that create Berkeley DB hash
       or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

berkeley_db_read_buffer_size (default: 131072)
       The per-table I/O buffer size for programs that read Berkeley DB hash
       or btree tables. Specify a byte count.

       This feature is available in Postfix 2.0 and later.

best_mx_transport (default: empty)
       Where the Postfix SMTP client should deliver mail when it detects a
       "mail loops back to myself" error condition. This happens when the
       local MTA is the best SMTP mail exchanger for a destination not listed
       in $mydestination, $inet_interfaces, $proxy_interfaces,
       $virtual_alias_domains, or $virtual_mailbox_domains. By default, the
       Postfix SMTP client returns such mail as undeliverable.

       Specify, for example, "best_mx_transport = local" to pass the mail from
       the Postfix SMTP client to the local(8) delivery agent. You can specify
       any message delivery "transport" or "transport:nexthop" that is defined
       in the master.cf file. See the transport(5) manual page for the syntax
       and meaning of "transport" or "transport:nexthop".

       However, this feature is expensive because it ties up a Postfix SMTP
       client process while the local(8) delivery agent is doing its work. It
       is more efficient (for Postfix) to list all hosted domains in a table
       or database.

biff (default: yes)
       Whether or not to use the local biff service. This service sends "new
       mail" notifications to users who have requested new mail notification
       with the UNIX command "biff y".

       For compatibility reasons this feature is on by default. On systems
       with lots of interactive users, the biff service can be a performance
       drain. Specify "biff = no" in main.cf to disable.

body_checks (default: empty)
       Optional lookup tables for content inspection as specified in the
       body_checks(5) manual page.

       Note: with Postfix versions before 2.0, these rules inspect all content
       after the primary message headers.

body_checks_size_limit (default: 51200)
       How much text in a message body segment (or attachment, if you prefer
       to use that term) is subjected to body_checks inspection. The amount
       of text is limited to avoid scanning huge attachments.

       This feature is available in Postfix 2.0 and later.

bounce_notice_recipient (default: postmaster)
       The recipient of postmaster notifications with the message headers of
       mail that Postfix did not deliver and of SMTP conversation transcripts
       of mail that Postfix did not receive. This feature is enabled with the
       notify_classes parameter.

bounce_queue_lifetime (default: 5d)
       Consider a bounce message as undeliverable, when delivery fails with a
       temporary error, and the time in the queue has reached the
       bounce_queue_lifetime limit. By default, this limit is the same as for
       regular mail.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is d (days).

       Specify 0 when mail delivery should be tried only once.

       This feature is available in Postfix 2.1 and later.

bounce_service_name (default: bounce)
       The name of the bounce(8) service. This service maintains a record of
       failed delivery attempts and generates non-delivery notifications.

       This feature is available in Postfix 2.0 and later.

bounce_size_limit (default: 50000)
       The maximal amount of original message text that is sent in a
       non-delivery notification. Specify a byte count. A message is returned
       as either message/rfc822 (the complete original) or as
       text/rfc822-headers (the headers only). With Postfix version 2.4 and
       earlier, a message is always returned as message/rfc822 and is
       truncated when it exceeds the size limit.

       Notes:

       ·      If you increase this limit, then you should increase the
              mime_nesting_limit value proportionally.

       ·      Be careful when making changes. Excessively large values will
              result in the loss of non-delivery notifications, when a bounce
              message size exceeds a local or remote MTA's message size limit.

bounce_template_file (default: empty)
       Pathname of a configuration file with bounce message templates. These
       override the built-in templates of delivery status notification (DSN)
       messages for undeliverable mail, for delayed mail, successful delivery,
       or delivery verification. The bounce(5) manual page describes how to
       edit and test template files.

       Template message body text may contain $name references to Postfix
       configuration parameters. The result of $name expansion can be
       previewed with "postconf -b file_name" before the file is placed into
       the Postfix configuration directory.

       This feature is available in Postfix 2.3 and later.

broken_sasl_auth_clients (default: no)
       Enable interoperability with remote SMTP clients that implement an
       obsolete version of the AUTH command (RFC 4954). Examples of such
       clients are Microsoft Outlook Express version 4 and Microsoft Exchange
       version 5.0.

       Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH
       support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)
       What addresses are subject to canonical_maps address mapping. By
       default, canonical_maps address mapping is applied to envelope sender
       and recipient addresses, and to header sender and header recipient
       addresses.

       Specify one or more of: envelope_sender, envelope_recipient,
       header_sender, header_recipient

       This feature is available in Postfix 2.2 and later.

canonical_maps (default: empty)
       Optional address mapping lookup tables for message headers and
       envelopes. The mapping is applied to both sender and recipient
       addresses, in both envelopes and in headers, as controlled with the
       canonical_classes parameter. This is typically used to clean up dirty
       addresses from legacy mail systems, or to replace login names by
       Firstname.Lastname. The table format and lookups are documented in
       canonical(5). For an overview of Postfix address manipulations see the
       ADDRESS_REWRITING_README document.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found. Note: these lookups are recursive.

       If you use this feature, run "postmap /etc/postfix/canonical" to build
       the necessary DBM or DB file after every change. The changes will
       become visible after a minute or so. Use "postfix reload" to eliminate
       the delay.

       Note: with Postfix version 2.2, message header address mapping happens
       only when message header address rewriting is enabled:

       ·      The message is received with the Postfix sendmail(1) command,

       ·      The message is received from a network client that matches
              $local_header_rewrite_clients,

       ·      The message is received from the network, and the
              remote_header_rewrite_domain parameter specifies a non-empty
              value.

       To get the behavior before Postfix version 2.2, specify
       "local_header_rewrite_clients = static:all".

       Examples:

       canonical_maps = dbm:/etc/postfix/canonical
       canonical_maps = hash:/etc/postfix/canonical

cleanup_service_name (default: cleanup)
       The name of the cleanup(8) service. This service rewrites addresses
       into the standard form, and performs canonical(5) address mapping and
       virtual(5) aliasing.

       This feature is available in Postfix 2.0 and later.

command_directory (default: see postconf -d output)
       The location of all postfix administrative commands.

command_execution_directory (default: empty)
       The local(8) delivery agent working directory for delivery to an
       external command. Failure to change directory causes the delivery to
       be deferred.

       The command_execution_directory value is not subject to Postfix
       configuration parameter $name expansion. Instead, the following $name
       expansions are done on command_execution_directory before the
       directory is used. Expansion happens in the context of the delivery
       request. The result of $name expansion is filtered with the character
       set that is specified with the execution_directory_expansion_filter
       parameter.

       $user  The recipient's username.

       $shell The recipient's login shell pathname.

       $home  The recipient's home directory.

       $recipient
              The full recipient address.

       $extension
              The optional recipient address extension.

       $domain
              The recipient domain.

       $local The entire recipient localpart.

       $recipient_delimiter
              The address extension delimiter that was found in the recipient
              address (Postfix 2.11 and later), or the system-wide recipient
              address extension delimiter (Postfix 2.10 and earlier).

       ${name?value}
              Expands to value when $name is non-empty.

       ${name:value}
              Expands to value when $name is empty.

       Instead of $name you can also specify ${name} or $(name).

       This feature is available in Postfix 2.2 and later.

command_expansion_filter (default: see postconf -d output)
       Restrict the characters that the local(8) delivery agent allows in
       $name expansions of $mailbox_command and $command_execution_directory.
       Characters outside the allowed set are replaced by underscores.

command_time_limit (default: 1000s)
       Time limit for delivery to external commands. This limit is used by the
       local(8) delivery agent, and is the default time limit for delivery by
       the pipe(8) delivery agent.

       Note: if you set this time limit to a large value you must update the
       global ipc_timeout parameter as well.

compatibility_level (default: 0)
       A safety net that causes Postfix to run with backwards-compatible
       default settings after an upgrade to a newer Postfix version.

       With backwards compatibility turned on (the main.cf compatibility_level
       value is less than the Postfix built-in value), Postfix looks for
       settings that are left at their implicit default value, and logs a
       message when a backwards-compatible default setting is required.

           using backwards-compatible default setting name=value
               to [accept a specific client request]

           using backwards-compatible default setting name=value
               to [enable specific Postfix behavior]

       See COMPATIBILITY_README for specific message details. If such a
       message is logged in the context of a legitimate request, the system
       administrator should make the backwards-compatible setting permanent in
       main.cf or master.cf, for example:

           # postconf name=value
           # postfix reload

       When no more backwards-compatible settings need to be made permanent,
       the administrator should turn off backwards compatibility by updating
       the compatibility_level setting in main.cf:

           # postconf compatibility_level=N
           # postfix reload

       For N specify the number that is logged in your postfix(1) warning
       message:

           warning: To disable backwards compatibility use "postconf
               compatibility_level=N" and "postfix reload"

       This feature is available in Postfix 3.0 and later.

config_directory (default: see postconf -d output)
       The default location of the Postfix main.cf and master.cf configuration
       files. This can be overruled via the following mechanisms:

       ·      The MAIL_CONFIG environment variable (daemon processes and
              commands).

       ·      The "-c" command-line option (commands only).

       With Postfix commands that run with set-gid privileges, a
       config_directory override requires either root privileges, or it
       requires that the directory is listed with the
       alternate_config_directories parameter in the default main.cf file.

confirm_delay_cleared (default: no)
       After sending a "your message is delayed" notification, inform the
       sender when the delay clears up. This can result in a sudden burst of
       notifications at the end of a prolonged network outage, and is
       therefore disabled by default.

       See also: delay_warning_time.

       This feature is available in Postfix 3.0 and later.

connection_cache_protocol_timeout (default: 5s)
       Time limit for connection cache connect, send or receive operations.
       The time limit is enforced in the client.

       This feature is available in Postfix 2.3 and later.

connection_cache_service_name (default: scache)
       The name of the scache(8) connection cache service. This service
       maintains a limited pool of cached sessions.

       This feature is available in Postfix 2.2 and later.

connection_cache_status_update_time (default: 600s)
       How frequently the scache(8) server logs usage statistics with
       connection cache hit and miss rates for logical destinations and for
       physical endpoints.

connection_cache_ttl_limit (default: 2s)
       The maximal time-to-live value that the scache(8) connection cache
       server allows. Requests that specify a larger TTL will be stored with
       the maximum allowed TTL. The purpose of this additional control is to
       protect the infrastructure against careless people. The cache TTL is
       already bounded by $max_idle.

content_filter (default: empty)
       After the message is queued, send the entire message to the specified
       transport:destination. The transport name specifies the first field of
       a mail delivery agent definition in master.cf; the syntax of the
       next-hop destination is described in the manual page of the
       corresponding delivery agent. More information about external content
       filters is in the Postfix FILTER_README file.

       Notes:

       ·      This setting has lower precedence than a FILTER action that is
              specified in an access(5), header_checks(5) or body_checks(5)
              table.

       ·      The meaning of an empty next-hop filter destination is version
              dependent. Postfix 2.7 and later will use the recipient domain;
              earlier versions will use $myhostname. Specify
              "default_filter_nexthop = $myhostname" for compatibility with
              Postfix 2.6 or earlier, or specify a content_filter value with
              an explicit next-hop destination.

cyrus_sasl_config_path (default: empty)
       Search path for Cyrus SASL application configuration files, currently
       used only to locate the $smtpd_sasl_path.conf file. Specify zero or
       more directories separated by a colon character, or an empty value to
       use Cyrus SASL's built-in search path.

       This feature is available in Postfix 2.5 and later when compiled with
       Cyrus SASL 2.1.22 or later.

daemon_directory (default: see postconf -d output)
       The directory with Postfix support programs and daemon programs. These
       should not be invoked directly by humans. The directory must be owned
       by root.

daemon_table_open_error_is_fatal (default: no)
       How a Postfix daemon process handles errors while opening lookup
       tables: gradual degradation or immediate termination.

        no  (default)
              Gradual degradation: a daemon process logs a message of type
              "error" and continues execution with reduced functionality.
              Features that do not depend on the unavailable table will work
              normally, while features that depend on the table will result
              in a type "warning" message.
              When the notify_classes parameter value contains the "data"
              class, the Postfix SMTP server and client will report
              transcripts of sessions with an error because a table is
              unavailable.

        yes  (historical behavior)
              Immediate termination: a daemon process logs a type "fatal"
              message and terminates immediately. This option reduces the
              number of possible code paths through Postfix, and may
              therefore be slightly more secure than the default.

       For the sake of sanity, the number of type "error" messages is limited
       to 13 over the lifetime of a daemon process.

       This feature is available in Postfix 2.9 and later.

daemon_timeout (default: 18000s)
       How much time a Postfix daemon process may take to handle a request
       before it is terminated by a built-in watchdog timer.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

data_directory (default: see postconf -d output)
       The directory with Postfix-writable data files (for example: caches,
       pseudo-random numbers). This directory must be owned by the mail_owner
       account, and must not be shared with non-Postfix software.

       This feature is available in Postfix 2.5 and later.

debug_peer_level (default: 2)
       The increment in verbose logging level when a remote client or server
       matches a pattern in the debug_peer_list parameter.

debug_peer_list (default: empty)
       Optional list of remote client or server hostname or network address
       patterns that cause the verbose logging level to increase by the amount
       specified in $debug_peer_level.

       Specify domain names, network/netmask patterns, "/file/name" patterns
       or "type:table" lookup tables. The right-hand side result from
       "type:table" lookups is ignored.

       Pattern matching of domain names is controlled by the presence or
       absence of "debug_peer_list" in the parent_domain_matches_subdomains
       parameter value.

       Examples:

       debug_peer_list = 127.0.0.1
       debug_peer_list = example.com

debugger_command (default: empty)
       The external command to execute when a Postfix daemon program is
       invoked with the -D option.

       Use "command .. & sleep 5" so that the debugger can attach before the
       process marches on. If you use an X-based debugger, be sure to set up
       your XAUTHORITY environment variable before starting Postfix.

       Note: the command is subject to $name expansion, before it is passed to
       the default command interpreter. Specify "$$" to produce a single "$"
       character.

       Example:

       debugger_command =
           PATH=/usr/bin:/usr/X11R6/bin
           ddd $daemon_directory/$process_name $process_id & sleep 5

default_database_type (default: see postconf -d output)
       The default database type for use in newaliases(1), postalias(1) and
       postmap(1) commands. On many UNIX systems the default type is either
       dbm or hash. The default setting is frozen when the Postfix system is
       built.

       Examples:

       default_database_type = hash
       default_database_type = dbm

default_delivery_slot_cost (default: 5)
       How often the Postfix queue manager's scheduler is allowed to preempt
       delivery of one message with another.

       Each transport maintains a so-called "available delivery slot counter"
       for each message. One message can be preempted by another one when the
       other message can be delivered using no more delivery slots (i.e.,
       invocations of delivery agents) than the current message counter has
       accumulated (or will eventually accumulate - see about slot loans
       below). This parameter controls how often the counter is incremented:
       it happens after each default_delivery_slot_cost recipients have been
       delivered.

       The cost of 0 is used to disable the preempting scheduling completely.
       The minimum value the scheduling algorithm can use is 2 - use it if you
       want to maximize the message throughput rate. Although there is no
       maximum, it doesn't make much sense to use values above, say, 50.

       The only reason why the value of 2 is not the default is the way this
       parameter affects the delivery of mailing-list mail. In the worst case,
       delivery can take somewhere between ((cost+1)/cost) and (cost/(cost-1))
       times more than if the preemptive scheduler was disabled. The default
       value of 5 turns out to provide reasonable message response times while
       making sure the mailing-list deliveries are not extended by more than
       20-25 percent even in the worst case.

       Use transport_delivery_slot_cost to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

       Examples:

       default_delivery_slot_cost = 0
       default_delivery_slot_cost = 2

default_delivery_slot_discount (default: 50)
       The default value for transport-specific _delivery_slot_discount
       settings.

       This parameter speeds up the moment when a message preemption can
       happen. Instead of waiting until the full amount of delivery slots
       required is available, the preemption can happen when
       transport_delivery_slot_discount percent of the required amount plus
       transport_delivery_slot_loan still remains to be accumulated. Note
       that the full amount will still have to be accumulated before another
       preemption can take place later.

       Use transport_delivery_slot_discount to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

default_delivery_slot_loan (default: 3)
       The default value for transport-specific _delivery_slot_loan settings.

       This parameter speeds up the moment when a message preemption can
       happen. Instead of waiting until the full amount of delivery slots
       required is available, the preemption can happen when
       transport_delivery_slot_discount percent of the required amount plus
       transport_delivery_slot_loan still remains to be accumulated. Note
       that the full amount will still have to be accumulated before another
       preemption can take place later.

       Use transport_delivery_slot_loan to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

default_delivery_status_filter (default: empty)
       Optional filter to replace the delivery status code or explanatory text
       of successful or unsuccessful deliveries. This does not allow the
       replacement of a successful status code (2.X.X) with an unsuccessful
       status code (4.X.X or 5.X.X) or vice versa.

       Note: the (smtp|lmtp)_delivery_status_filter is applied only once per
       recipient: when delivery is successful, when delivery is rejected with
       5XX, or when there are no more alternate MX or A destinations. Use
       smtp_reply_filter or lmtp_reply_filter to inspect responses for all
       delivery attempts.

       The following parameters can be used to implement a filter for specific
       delivery agents: lmtp_delivery_status_filter,
       local_delivery_status_filter, pipe_delivery_status_filter,
       smtp_delivery_status_filter or virtual_delivery_status_filter. These
       parameters support the same filter syntax as described here.

       Specify zero or more "type:table" lookup table names, separated by
       comma or whitespace. For each successful or unsuccessful delivery to a
       recipient, the tables are queried in the specified order with one line
       of text that is structured as follows:

           enhanced-status-code SPACE explanatory-text

       The first table match wins. The lookup result must have the same
       structure as the query, a successful status code (2.X.X) must be
       replaced with a successful status code, an unsuccessful status code
       (4.X.X or 5.X.X) must be replaced with an unsuccessful status code, and
       the explanatory text field must be non-empty. Other results will
       result in a warning.

       Example 1: convert specific soft TLS errors into hard errors, by
       overriding the first number in the enhanced status code.

           /etc/postfix/main.cf:
               smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

           /etc/postfix/smtp_dsn_filter:
               /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
                   5$1
               /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
                   5$1
               # Do not change the following into hard bounces. They may
               # result from a local configuration problem.
               # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
               # 4.\d+.\d+ TLS is required, but unavailable
               # 4.\d+.\d+ Cannot start TLS: handshake failure

       Example 2: censor the per-recipient delivery status text so that it
       does not reveal the destination command or filename when a remote
       sender requests confirmation of successful delivery.

           /etc/postfix/main.cf:
               local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter

           /etc/postfix/local_dsn_filter:
               /^(2\S+ delivered to file).+/    $1
               /^(2\S+ delivered to command).+/ $1

       Notes:

       ·      This feature will NOT override the soft_bounce safety net.

       ·      This feature will change the enhanced status code and text that
              is logged to the maillog file, and that is reported to the
              sender in delivery confirmation or non-delivery notifications.

       This feature is available in Postfix 3.0 and later.
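
       The following is an added example, not part of the Postfix manual or
       source: a small Python model of how the pcre tables in Example 1 and
       Example 2 are consulted. It parses the table syntax shown above
       (comment lines, continuation lines, "$1" in the result), applies the
       first matching rule to an "enhanced-status-code SPACE explanatory-text"
       query, and enforces the constraints stated above (a 2.X.X code may only
       become another 2.X.X code, a 4.X.X or 5.X.X code may only become 4.X.X
       or 5.X.X, and the text must be non-empty). The table contents are
       copied from the examples; the status lines and the BAD_DSN_FILTER table
       are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed copies of the two pcre tables from the man page examples, plus a
# third (constructed) table whose rule breaks the status-class constraint.
SMTP_DSN_FILTER = r"""
/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
    5$1
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
    5$1
# Do not change the following into hard bounces. They may
# result from a local configuration problem.
# 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
# 4.\d+.\d+ TLS is required, but unavailable
# 4.\d+.\d+ Cannot start TLS: handshake failure
"""
LOCAL_DSN_FILTER = r"""
/^(2\S+ delivered to file).+/    $1
/^(2\S+ delivered to command).+/ $1
"""
BAD_DSN_FILTER = r"""
/^2(\.\d+\.\d+ .+)/ 5$1
"""

Rule = Tuple[re.Pattern, str]
# Query and result structure: enhanced-status-code SPACE non-empty text.
STATUS_LINE = re.compile(r"^([245])\.\d+\.\d+ (\S.*)$")


def parse_pcre_table(text: str) -> List[Rule]:
    """Parse a pcre: table into (regexp, result) pairs, in file order.
    Comment and blank lines are skipped; a line that starts with whitespace
    continues the previous logical line (the examples put "5$1" there)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    rules: List[Rule] = []
    for line in logical:
        delim, i = line[0], 1
        while i < len(line) and line[i] != delim:
            i += 2 if line[i] == "\\" else 1      # skip escaped characters
        if i >= len(line):
            raise ValueError(f"unterminated pattern: {line}")
        m = re.match(r"[A-Za-z]*\s+(\S.*)$", line[i + 1:])
        if m is None:
            raise ValueError(f"missing lookup result: {line}")
        # pcre tables match case-insensitively by default; other per-pattern
        # flags are accepted syntactically but not modelled here.
        rules.append((re.compile(line[1:i], re.IGNORECASE), m.group(1)))
    return rules


def apply_dsn_filter(rules: List[Rule], query: str, warnings: List[str]) -> str:
    """Return the filtered status line for one recipient's delivery.
    The first matching rule wins; a result that changes the status class
    (2.X.X versus 4.X.X/5.X.X) or lacks text is rejected with a warning and
    the original query is kept, as the man page says Postfix does."""
    qm = STATUS_LINE.match(query)
    if qm is None:
        raise ValueError(f"not 'enhanced-status-code SPACE text': {query!r}")
    for regexp, result in rules:
        m = regexp.search(query)
        if m is None:
            continue
        # "$1" in the result stands for the first captured group.
        new = m.expand(re.sub(r"\$(\d+)", r"\\\1", result))
        nm = STATUS_LINE.match(new)
        if nm is None or (qm.group(1) == "2") != (nm.group(1) == "2"):
            warnings.append(f"{query!r}: ignoring invalid result {new!r}")
            return query
        return new
    return query


if __name__ == "__main__":
    warn: List[str] = []
    # Constructed status lines, not real log output.
    for table, line in [
        (SMTP_DSN_FILTER, "4.7.4 TLS is required, but host mx.example.com "
                          "refused to start TLS: 454 4.7.0 TLS unavailable"),
        (SMTP_DSN_FILTER, "4.7.5 Cannot start TLS: handshake failure"),
        (LOCAL_DSN_FILTER, "2.0.0 delivered to file /var/mail/alice"),
        (BAD_DSN_FILTER, "2.0.0 delivered to mailbox"),
    ]:
        print(line, "->", apply_dsn_filter(parse_pcre_table(table), line, warn))
    print("\n".join(warn))
```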

default_destination_concurrency_failed_cohort_limit (default: 1)
       How many pseudo-cohorts must suffer connection or handshake failure
       before a specific destination is considered unavailable (and further
       delivery is suspended). Specify zero to disable this feature. A
       destination's pseudo-cohort failure count is reset each time a delivery
       completes without connection or handshake failure for that specific
       destination.

       A pseudo-cohort is the number of deliveries equal to a destination's
       delivery concurrency.

       Use transport_destination_concurrency_failed_cohort_limit to specify a
       transport-specific override, where transport is the master.cf name of
       the message delivery transport.

       This feature is available in Postfix 2.5. The default setting is
       compatible with earlier Postfix versions.

default_destination_concurrency_limit (default: 20)
       The default maximal number of parallel deliveries to the same
       destination. This is the default limit for delivery via the lmtp(8),
       pipe(8), smtp(8) and virtual(8) delivery agents. With per-destination
       recipient limit > 1, a destination is a domain, otherwise it is a
       recipient.

       Use transport_destination_concurrency_limit to specify a
       transport-specific override, where transport is the master.cf name of
       the message delivery transport.

default_destination_concurrency_negative_feedback (default: 1)
       The per-destination amount of delivery concurrency negative feedback,
       after a delivery completes with a connection or handshake failure.
       Feedback values are in the range 0..1 inclusive. With negative
       feedback, concurrency is decremented at the beginning of a sequence of
       length 1/feedback. This is unlike positive feedback, where concurrency
       is incremented at the end of a sequence of length 1/feedback.

       As of Postfix version 2.5, negative feedback cannot reduce delivery
       concurrency to zero. Instead, a destination is marked dead (further
       delivery suspended) after the failed pseudo-cohort count reaches
       $default_destination_concurrency_failed_cohort_limit (or
       $transport_destination_concurrency_failed_cohort_limit). To make the
       scheduler completely immune to connection or handshake failures,
       specify a zero feedback value and a zero failed pseudo-cohort limit.

       Specify one of the following forms:

       number

       number / number
              Constant feedback. The value must be in the range 0..1
              inclusive. The default setting of "1" is compatible with Postfix
              versions before 2.5, where a destination's delivery concurrency
              is throttled down to zero (and further delivery suspended) after
              a single failed pseudo-cohort.

       number / concurrency
              Variable feedback of "number / (delivery concurrency)". The
              number must be in the range 0..1 inclusive. With number equal to
              "1", a destination's delivery concurrency is decremented by 1
              after each failed pseudo-cohort.

       A pseudo-cohort is the number of deliveries equal to a destination's
       delivery concurrency.

       Use transport_destination_concurrency_negative_feedback to specify a
       transport-specific override, where transport is the master.cf name of
       the message delivery transport.

       This feature is available in Postfix 2.5. The default setting is
       compatible with earlier Postfix versions.
1319

default_destination_concurrency_positive_feedback (default: 1)

       The per-destination amount of delivery concurrency positive feedback,
       after a delivery completes without connection or handshake failure.
       Feedback values are in the range 0..1 inclusive. The concurrency
       increases until it reaches the per-destination maximal concurrency
       limit. With positive feedback, concurrency is incremented at the end of
       a sequence with length 1/feedback. This is unlike negative feedback,
       where concurrency is decremented at the start of a sequence of length
       1/feedback.

       Specify one of the following forms:

       number

       number / number
              Constant feedback. The value must be in the range 0..1
              inclusive. The default setting of "1" is compatible with Postfix
              versions before 2.5, where a destination's delivery concurrency
              doubles after each successful pseudo-cohort.

       number / concurrency
              Variable feedback of "number / (delivery concurrency)". The
              number must be in the range 0..1 inclusive. With number equal to
              "1", a destination's delivery concurrency is incremented by 1
              after each successful pseudo-cohort.

       A pseudo-cohort is the number of deliveries equal to a destination's
       delivery concurrency.

       Use transport_destination_concurrency_positive_feedback to specify a
       transport-specific override, where transport is the master.cf name of
       the message delivery transport.

       This feature is available in Postfix 2.5 and later.

default_destination_rate_delay (default: 0s)

       The default amount of delay that is inserted between individual message
       deliveries to the same destination and over the same message delivery
       transport. Specify a non-zero value to rate-limit those message
       deliveries to at most one per $default_destination_rate_delay.

       The resulting behavior depends on the value of the corresponding
       per-destination recipient limit.

       ·      With a corresponding per-destination recipient limit > 1, the
              rate delay specifies the time between deliveries to the same
              domain. Different domains are delivered in parallel, subject to
              the process limits specified in master.cf.

       ·      With a corresponding per-destination recipient limit equal to 1,
              the rate delay specifies the time between deliveries to the same
              recipient. Different recipients are delivered in parallel,
              subject to the process limits specified in master.cf.

       To enable the delay, specify a non-zero time value (an integral value
       plus an optional one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       NOTE: the delay is enforced by the queue manager. The delay timer state
       does not survive "postfix reload" or "postfix stop".

       Use transport_destination_rate_delay to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

       NOTE: with a non-zero _destination_rate_delay, specify a
       transport_destination_concurrency_failed_cohort_limit of 10 or more to
       prevent Postfix from deferring all mail for the same destination after
       only one connection or handshake error.

       This feature is available in Postfix 2.5 and later.

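       The feedback rules above (positive feedback applied at the end of a
       success sequence, negative feedback at the start of a failure sequence,
       the pseudo-cohort as the unit in which failures are counted, and the
       NOTE on combining a rate delay with a failed cohort limit) are easiest
       to check by running them. The following Python model is an added
       example written for this page; it is not the Postfix queue manager's
       code. The starting concurrency ("initial") and the S/F outcome strings
       are assumptions of the model; the other parameter names and defaults
       mirror the main.cf parameters described above.

```python
"""Model of the per-destination concurrency feedback rules from the
default_destination_concurrency_* entries.  Added illustration for this
page, not Postfix queue manager code."""
from fractions import Fraction
from typing import List


class FeedbackSpec:
    """Parse the documented forms: "number", "number / number" (constant)
    and "number / concurrency" (variable)."""

    def __init__(self, text: str) -> None:
        parts = [p.strip() for p in text.split("/")]
        number = Fraction(parts[0])
        self.variable = False
        if len(parts) == 1:
            self.number = number
        elif len(parts) == 2 and parts[1] == "concurrency":
            self.number, self.variable = number, True
        elif len(parts) == 2:
            self.number = number / Fraction(parts[1])
        else:
            raise ValueError("bad feedback setting: %r" % text)
        if not 0 <= self.number <= 1:
            raise ValueError("feedback must be in the range 0..1: %r" % text)

    def value(self, concurrency: int) -> Fraction:
        """Feedback contributed by one delivery at this concurrency."""
        return self.number / concurrency if self.variable else self.number


class Destination:
    """Delivery concurrency window of one destination."""

    def __init__(self, initial: int = 1, limit: int = 20, pos: str = "1",
                 neg: str = "1", cohort_limit: int = 1) -> None:
        # 'initial' is an assumption of this model; the entries above do not
        # say where a destination's concurrency starts.  The other defaults
        # are the documented main.cf defaults.
        self.concurrency = initial
        self.limit = limit                 # ..._concurrency_limit
        self.pos = FeedbackSpec(pos)       # ..._positive_feedback
        self.neg = FeedbackSpec(neg)       # ..._negative_feedback
        self.cohort_limit = cohort_limit   # ..._failed_cohort_limit (0 = off)
        self.pos_acc = Fraction(0)         # feedback collected in the current
                                           # success sequence (increment at end)
        self.neg_credit = Fraction(0)      # failures already covered by the
                                           # last decrement (decrement at start)
        self.failed_cohorts = Fraction(0)  # reset by any successful delivery
        self.dead = False

    def deliver(self, ok: bool) -> int:
        """Account for one completed delivery; return the new concurrency."""
        if self.dead:
            raise RuntimeError("destination is dead: delivery is suspended")
        if ok:
            self.failed_cohorts = Fraction(0)
            self.pos_acc += self.pos.value(self.concurrency)
            if self.pos_acc >= 1:          # end of a 1/feedback sequence
                self.pos_acc -= 1
                self.concurrency = min(self.limit, self.concurrency + 1)
        else:
            # One failed delivery is 1/concurrency of a pseudo-cohort.
            self.failed_cohorts += Fraction(1, self.concurrency)
            feedback = self.neg.value(self.concurrency)
            if feedback > 0:
                if self.neg_credit <= 0:   # start of a 1/feedback sequence
                    # Since Postfix 2.5 concurrency never drops below 1.
                    self.concurrency = max(1, self.concurrency - 1)
                    self.neg_credit += 1
                self.neg_credit -= feedback
            if 0 < self.cohort_limit <= self.failed_cohorts:
                self.dead = True
        return self.concurrency


def run(dest: Destination, outcomes: str) -> List[int]:
    """Apply a string of 'S' (success) / 'F' (failure) outcomes and return
    the concurrency after each delivery."""
    if set(outcomes) - {"S", "F"}:
        raise ValueError("outcomes must consist of 'S' and 'F' only")
    return [dest.deliver(ch == "S") for ch in outcomes]


if __name__ == "__main__":
    # Defaults: constant feedback 1, one failed pseudo-cohort marks it dead.
    d = Destination(initial=4)
    print("defaults, 3 failures:", run(d, "FFF"), "dead" if d.dead else "alive")
    # A rate-limited destination effectively runs at concurrency 1, so every
    # failure is a whole pseudo-cohort; hence the advice to raise the limit.
    d = Destination(initial=1, cohort_limit=10)
    print("cohort limit 10 at concurrency 1:", run(d, "F" * 9), d.dead)
```

       Two things the model makes visible: with the default constant
       feedback of 1 a destination loses one unit of concurrency per failure
       and is dead as soon as the accumulated failures add up to one cohort,
       and at concurrency 1 (the situation a rate delay creates) a single
       failure already is a complete pseudo-cohort, which is why the NOTE
       above asks for a failed cohort limit of 10 or more.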
default_destination_recipient_limit (default: 50)

       The default maximal number of recipients per message delivery. This is
       the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and
       virtual(8) delivery agents.

       Setting this parameter to a value of 1 affects email deliveries as
       follows:

       ·      It changes the meaning of the corresponding per-destination
              concurrency limit, from concurrency of deliveries to the same
              domain into concurrency of deliveries to the same recipient.
              Different recipients are delivered in parallel, subject to the
              process limits specified in master.cf.

       ·      It changes the meaning of the corresponding per-destination rate
              delay, from the delay between deliveries to the same domain into
              the delay between deliveries to the same recipient. Again,
              different recipients are delivered in parallel, subject to the
              process limits specified in master.cf.

       ·      It changes the meaning of other corresponding per-destination
              settings in a similar manner, from settings for delivery to the
              same domain into settings for delivery to the same recipient.

       Use transport_destination_recipient_limit to specify a
       transport-specific override, where transport is the master.cf name of
       the message delivery transport.

default_extra_recipient_limit (default: 1000)

       The default value for the extra per-transport limit imposed on the
       number of in-memory recipients. This extra recipient space is reserved
       for the cases when the Postfix queue manager's scheduler preempts one
       message with another and suddenly needs some extra recipient slots for
       the chosen message in order to avoid performance degradation.

       Use transport_extra_recipient_limit to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

default_filter_nexthop (default: empty)

       When a content_filter or FILTER request specifies no explicit next-hop
       destination, use $default_filter_nexthop instead; when that value is
       empty, use the domain in the recipient address. Specify
       "default_filter_nexthop = $myhostname" for compatibility with Postfix
       version 2.6 and earlier, or specify an explicit next-hop destination
       with each content_filter value or FILTER action.

       This feature is available in Postfix 2.7 and later.

default_minimum_delivery_slots (default: 3)

       How many recipients a message must have in order to invoke the Postfix
       queue manager's scheduling algorithm at all. Messages which would
       never accumulate at least this many delivery slots (subject to slot
       cost parameter as well) are never preempted.

       Use transport_minimum_delivery_slots to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

default_privs (default: nobody)

       The default rights used by the local(8) delivery agent for delivery to
       external file or command. These rights are used when delivery is
       requested from an aliases(5) file that is owned by root, or when
       delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR
       THE POSTFIX OWNER.

default_process_limit (default: 100)

       The default maximal number of Postfix child processes that provide a
       given service. This limit can be overruled for specific services in the
       master.cf file.

default_rbl_reply (default: see postconf -d output)

       The default Postfix SMTP server response template for a request that is
       rejected by an RBL-based restriction. This template can be overruled by
       specific entries in the optional rbl_reply_maps lookup table.

       This feature is available in Postfix 2.0 and later.

       The template does not support Postfix configuration parameter $name
       substitution. Instead, it supports exactly one level of $name
       substitution for the following attributes:

       $client
              The client hostname and IP address, formatted as name[address].

       $client_address
              The client IP address.

       $client_name
              The client hostname or "unknown". See
              reject_unknown_client_hostname for more details.

       $reverse_client_name
              The client hostname from address->name lookup, or "unknown".
              See reject_unknown_reverse_client_hostname for more details.

       $helo_name
              The hostname given in HELO or EHLO command or empty string.

       $rbl_class
              The blacklisted entity type: Client host, Helo command, Sender
              address, or Recipient address.

       $rbl_code
              The numerical SMTP response code, as specified with the
              maps_rbl_reject_code configuration parameter. Note: The
              numerical SMTP response code is required, and must appear at the
              start of the reply. With Postfix version 2.3 and later this
              information may be followed by an RFC 3463 enhanced status code.

       $rbl_domain
              The RBL domain where $rbl_what is blacklisted.

       $rbl_reason
              The reason why $rbl_what is blacklisted, or an empty string.

       $rbl_what
              The entity that is blacklisted (an IP address, a hostname, a
              domain name, or an email address whose domain was blacklisted).

       $recipient
              The recipient address or <> in case of the null address.

       $recipient_domain
              The recipient domain or empty string.

       $recipient_name
              The recipient address localpart or <> in case of null address.

       $sender
              The sender address or <> in case of the null address.

       $sender_domain
              The sender domain or empty string.

       $sender_name
              The sender address localpart or <> in case of the null address.

       ${name?text}
              Expands to `text' if $name is not empty.

       ${name:text}
              Expands to `text' if $name is empty.

       Instead of $name you can also specify ${name} or $(name).

       Note: when an enhanced status code is specified in an RBL reply
       template, it is subject to modification. The following transformations
       are needed when the same RBL reply template is used for client, helo,
       sender, or recipient access restrictions.

       ·      When rejecting a sender address, the Postfix SMTP server will
              transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
              corresponding sender DSN status, and vice versa.

       ·      When rejecting non-address information (such as the HELO command
              argument or the client hostname/address), the Postfix SMTP
              server will transform a sender or recipient DSN status into a
              generic non-address DSN status (e.g., 4.0.0).

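       The one-level substitution rules above (plain $name, ${name}, $(name),
       the ${name?text} and ${name:text} conditionals, and the requirement
       that the numerical SMTP code starts the reply) can be exercised with
       the following Python expander. It is an added example written for this
       page, not Postfix's own template code. The sample template is only
       constructed to resemble the default (the actual default is what
       "postconf -d default_rbl_reply" prints on your system) and the
       attribute values are constructed; both are assumptions.

```python
"""One-level $name expansion for an RBL reply template, as described for
default_rbl_reply above.  Added illustration for this page, not Postfix's
own template code; the sample template and attribute values are
constructed."""
import re
from typing import Dict

NAME_RE = re.compile(r"[A-Za-z0-9_]+")
SMTP_CODE_RE = re.compile(r"^[2-5][0-9]{2}(?: [245]\.[0-9]{1,3}\.[0-9]{1,3})? ")

# Constructed to resemble the default; check "postconf -d default_rbl_reply"
# on your own system for the real value.
SAMPLE_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                   "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")

# Constructed attributes for a client-host listing (RFC 5737 address,
# reserved .invalid zone).
SAMPLE_ATTRS = {
    "client": "unknown[192.0.2.25]",
    "client_address": "192.0.2.25",
    "client_name": "unknown",
    "helo_name": "mail.example.invalid",
    "rbl_class": "Client host",
    "rbl_code": "554",
    "rbl_domain": "dnsbl.example.invalid",
    "rbl_reason": "",
    "rbl_what": "192.0.2.25",
}


def _matching_brace(text: str, start: int) -> int:
    """Index of the '}' closing the '{' just before 'start', or -1."""
    depth = 1
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    return -1


def expand_template(template: str, attrs: Dict[str, str]) -> str:
    """Expand $name, ${name}, $(name), ${name?text} and ${name:text}.

    Attribute values are inserted verbatim and never re-scanned (the
    "exactly one level" rule); conditional text is part of the template
    and is expanded.  Unknown attributes expand to the empty string."""
    out = []
    i = 0
    while i < len(template):
        if template[i] != "$":
            out.append(template[i])
            i += 1
            continue
        m = NAME_RE.match(template, i + 1)
        if m:                                        # $name
            out.append(attrs.get(m.group(), ""))
            i = m.end()
        elif template.startswith("(", i + 1):        # $(name)
            close = template.find(")", i + 2)
            if close < 0:
                raise ValueError("unterminated $( in template")
            out.append(attrs.get(template[i + 2:close], ""))
            i = close + 1
        elif template.startswith("{", i + 1):        # ${name...}
            close = _matching_brace(template, i + 2)
            if close < 0:
                raise ValueError("unterminated ${ in template")
            body = template[i + 2:close]
            nm = NAME_RE.match(body)
            if not nm:
                raise ValueError("missing name in ${...}: %r" % body)
            value = attrs.get(nm.group(), "")
            rest = body[nm.end():]
            if rest == "":
                out.append(value)
            elif rest[0] in "?:":
                text = rest[1:]
                if text.startswith("{") and text.endswith("}"):
                    text = text[1:-1]            # the ${name?{text}} form
                if (rest[0] == "?") == bool(value):
                    out.append(expand_template(text, attrs))
            else:
                raise ValueError("bad ${...} form: %r" % body)
            i = close + 1
        else:                                        # lone '$'
            out.append("$")
            i += 1
    return "".join(out)


def reply_is_well_formed(reply: str) -> bool:
    """The numerical SMTP code must start the reply, optionally followed
    by an RFC 3463 enhanced status code (Postfix 2.3 and later)."""
    return SMTP_CODE_RE.match(reply) is not None


def render_reply(template: str = SAMPLE_TEMPLATE,
                 attrs: Dict[str, str] = SAMPLE_ATTRS) -> str:
    """Expand the template and refuse a reply that lacks the leading code."""
    reply = expand_template(template, attrs)
    if not reply_is_well_formed(reply):
        raise ValueError("RBL reply must begin with the SMTP response code")
    return reply
```

       The one-level rule matters for the $rbl_reason attribute, whose text
       comes from the DNS reply of the RBL: render_reply() with a reason of
       "$rbl_code" leaves that string literal rather than expanding it.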
default_recipient_limit (default: 20000)

       The default per-transport upper limit on the number of in-memory
       recipients. These limits take priority over the global
       qmgr_message_recipient_limit after the message has been assigned to the
       respective transports. See also default_extra_recipient_limit and
       qmgr_message_recipient_minimum.

       Use transport_recipient_limit to specify a transport-specific override,
       where transport is the master.cf name of the message delivery
       transport.

default_recipient_refill_delay (default: 5s)

       The default per-transport maximum delay between recipient refills.
       When not all message recipients fit into the memory at once, keep
       loading more of them at least once every this many seconds. This is
       used to make sure the recipients are refilled in a timely manner even
       when $default_recipient_refill_limit is too high for too slow
       deliveries.

       Use transport_recipient_refill_delay to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

       This feature is available in Postfix 2.4 and later.

default_recipient_refill_limit (default: 100)

       The default per-transport limit on the number of recipients refilled at
       once. When not all message recipients fit into the memory at once,
       keep loading more of them in batches of at least this many at a time.
       See also $default_recipient_refill_delay, which may result in recipient
       batches lower than this when this limit is too high for too slow
       deliveries.

       Use transport_recipient_refill_limit to specify a transport-specific
       override, where transport is the master.cf name of the message delivery
       transport.

       This feature is available in Postfix 2.4 and later.

default_transport (default: smtp)

       The default mail delivery transport and next-hop destination for
       destinations that do not match $mydestination, $inet_interfaces,
       $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or
       $relay_domains. This information can be overruled with the
       sender_dependent_default_transport_maps parameter and with the
       transport(5) table.

       In order of decreasing precedence, the nexthop destination is taken
       from $sender_dependent_default_transport_maps, $default_transport,
       $sender_dependent_relayhost_maps, $relayhost, or from the recipient
       domain.

       Specify a string of the form transport:nexthop, where transport is the
       name of a mail delivery transport defined in master.cf. The :nexthop
       destination is optional; its syntax is documented in the manual page of
       the corresponding delivery agent. In the case of SMTP or LMTP, specify
       one or more destinations separated by comma or whitespace (with Postfix
       3.5 and later).

       Example:

       default_transport = uucp:relayhostname

default_transport_rate_delay (default: 0s)

       The default amount of delay that is inserted between individual message
       deliveries over the same message delivery transport, regardless of
       destination. Specify a non-zero value to rate-limit those message
       deliveries to at most one per $default_transport_rate_delay.

       Use transport_transport_rate_delay to specify a transport-specific
       override, where the initial transport is the master.cf name of the
       message delivery transport.

       Example: throttle outbound SMTP mail to at most 3 deliveries per
       minute.

       /etc/postfix/main.cf:
           smtp_transport_rate_delay = 20s

       To enable the delay, specify a non-zero time value (an integral value
       plus an optional one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       NOTE: the delay is enforced by the queue manager.

       This feature is available in Postfix 3.1 and later.

default_verp_delimiters (default: +=)

       The two default VERP delimiter characters. These are used when no
       explicit delimiters are specified with the SMTP XVERP command or with
       the "sendmail -V" command-line option. Specify characters that are
       allowed by the verp_delimiter_filter setting.

       This feature is available in Postfix 1.1 and later.

defer_code (default: 450)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is rejected by the "defer" restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

defer_service_name (default: defer)

       The name of the defer service. This service is implemented by the
       bounce(8) daemon and maintains a record of failed delivery attempts and
       generates non-delivery notifications.

       This feature is available in Postfix 2.0 and later.

defer_transports (default: empty)

       The names of message delivery transports that should not deliver mail
       unless someone issues "sendmail -q" or equivalent. Specify zero or more
       names of mail delivery transports that appear in the first field of
       master.cf.

       Example:

       defer_transports = smtp

delay_logging_resolution_limit (default: 2)

       The maximal number of digits after the decimal point when logging
       sub-second delay values. Specify a number in the range 0..6.

       Large delay values are rounded off to an integral number of seconds;
       delay values below the delay_logging_resolution_limit are logged as
       "0", and delay values under 100s are logged with at most two-digit
       precision.

       The format of the "delays=a/b/c/d" logging is as follows:

       ·      a = time from message arrival to last active queue entry

       ·      b = time from last active queue entry to connection setup

       ·      c = time in connection setup, including DNS, EHLO and STARTTLS

       ·      d = time in message transmission

       This feature is available in Postfix 2.3 and later.

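       The "delays=a/b/c/d" breakdown above is what an operator reads when
       mail is slow, and the c field in particular separates DNS, connection
       and STARTTLS trouble from a slow transfer. The following Python parser
       is an added example written for this page, not Postfix code; the log
       lines it processes are constructed (RFC 5737 addresses, example.*
       domains, made-up queue IDs) and the 10-second threshold is an
       assumption.

```python
"""Parser for the "delays=a/b/c/d" field of Postfix delivery log lines
(see delay_logging_resolution_limit above).  Added example, not Postfix
code; the log lines below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the shape of smtp(8)/qmgr(8) logging.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx1 postfix/smtp[1234]: 3Pt2mN2VXxznjll: to=<alice@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=5.2, delays=0.1/0.02/3.1/2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Mar  3 10:00:07 mx1 postfix/smtp[1235]: 3Pt2mQ7BxYznjlm: to=<bob@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=187, delays=180/0.05/0.4/6.8, dsn=2.0.0, status=sent (250 Ok)
Mar  3 10:00:09 mx1 postfix/smtp[1236]: 3Pt2mR1CxWznjln: to=<carol@example.org>, relay=none, delay=31, delays=0.2/0/31/0, dsn=4.4.1, status=deferred (connect to mail.example.org[203.0.113.5]:25: Connection timed out)
Mar  3 10:00:10 mx1 postfix/qmgr[900]: 3Pt2mS4DxTznjlp: from=<dave@example.com>, size=2048, nrcpt=1 (queue active)
"""

STAGES = ("queue_wait", "active_wait", "conn_setup", "transmission")  # a, b, c, d

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
DELAYS_RE = re.compile(
    r"\bdelays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)")
STATUS_RE = re.compile(r"\bstatus=(?P<status>\w+)")
RELAY_RE = re.compile(r"\brelay=(?P<relay>[^,]+)")


@dataclass
class Delivery:
    queue_id: str
    status: str
    relay: str
    queue_wait: float     # a: message arrival -> last active queue entry
    active_wait: float    # b: last active queue entry -> connection setup
    conn_setup: float     # c: connection setup, including DNS, EHLO, STARTTLS
    transmission: float   # d: message transmission

    def slowest_stage(self) -> str:
        """Name of the stage that took the longest."""
        return max(STAGES, key=lambda s: getattr(self, s))


def parse_delivery(line: str) -> Optional[Delivery]:
    """Return the delay breakdown of one delivery line, or None for lines
    without a delays= field (for example qmgr(8) "queue active" lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    dm = DELAYS_RE.search(rest)
    if not dm:
        return None
    sm = STATUS_RE.search(rest)
    rm = RELAY_RE.search(rest)
    return Delivery(queue_id=m.group("qid"),
                    status=sm.group("status") if sm else "",
                    relay=rm.group("relay") if rm else "",
                    queue_wait=float(dm.group("a")),
                    active_wait=float(dm.group("b")),
                    conn_setup=float(dm.group("c")),
                    transmission=float(dm.group("d")))


def analyse(log: str, conn_setup_threshold: float = 10.0) -> Dict[str, list]:
    """Parse a log excerpt and list the queue IDs whose connection setup
    (stage c) exceeded the threshold: a slow resolver, an unreachable relay
    or a stalled TLS handshake shows up there rather than in transmission."""
    records: List[Delivery] = []
    for line in log.splitlines():
        rec = parse_delivery(line)
        if rec is not None:
            records.append(rec)
    slow = [r.queue_id for r in records if r.conn_setup > conn_setup_threshold]
    return {"records": records, "slow_conn_setup": slow}
```

       On the sample lines the first delivery spent most of its time in
       connection setup, the second sat in the queue (stage a) for three
       minutes, and the deferred third one is the only one flagged by the
       connection-setup threshold.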
delay_notice_recipient (default: postmaster)

       The recipient of postmaster notifications with the message headers of
       mail that cannot be delivered within $delay_warning_time time units.

       See also: delay_warning_time, notify_classes.

delay_warning_time (default: 0h)

       The time after which the sender receives a copy of the message headers
       of mail that is still queued. The confirm_delay_cleared parameter
       controls sender notification when the delay clears up.

       To enable this feature, specify a non-zero time value (an integral
       value plus an optional one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is h (hours).

       See also: delay_notice_recipient, notify_classes,
       confirm_delay_cleared.

deliver_lock_attempts (default: 20)

       The maximal number of attempts to acquire an exclusive lock on a
       mailbox file or bounce(8) logfile.

deliver_lock_delay (default: 1s)

       The time between attempts to acquire an exclusive lock on a mailbox
       file or bounce(8) logfile.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

destination_concurrency_feedback_debug (default: no)

       Make the queue manager's feedback algorithm verbose for performance
       analysis purposes.

       This feature is available in Postfix 2.5 and later.

detect_8bit_encoding_header (default: yes)

       Automatically detect 8BITMIME body content by looking at
       Content-Transfer-Encoding: message headers; historically, this
       behavior was hard-coded to be "always on".

       This feature is available in Postfix 2.5 and later.

disable_dns_lookups (default: no)

       Disable DNS lookups in the Postfix SMTP and LMTP clients. When
       disabled, hosts are looked up with the getaddrinfo() system library
       routine which normally also looks in /etc/hosts. As of Postfix 2.11,
       this parameter is deprecated; use smtp_dns_support_level instead.

       DNS lookups are enabled by default.

disable_mime_input_processing (default: no)

       Turn off MIME processing while receiving mail. This means that no
       special treatment is given to Content-Type: message headers, and that
       all text after the initial message headers is considered to be part of
       the message body.

       This feature is available in Postfix 2.0 and later.

       MIME input processing is enabled by default, and is needed in order to
       recognize MIME headers in message content.

disable_mime_output_conversion (default: no)

       Disable the conversion of 8BITMIME format to 7BIT format. MIME output
       conversion is needed when the destination does not advertise 8BITMIME
       support.

       This feature is available in Postfix 2.0 and later.

disable_verp_bounces (default: no)

       Disable sending one bounce report per recipient.

       The default, one per recipient, is what ezmlm needs.

       This feature is available in Postfix 1.1 and later.

disable_vrfy_command (default: no)

       Disable the SMTP VRFY command. This stops some techniques used to
       harvest email addresses.

       Example:

       disable_vrfy_command = no

dns_ncache_ttl_fix_enable (default: no)

       Enable a workaround for future libc incompatibility. The Postfix
       implementation of RFC 2308 negative reply caching relies on the promise
       that res_query() and res_search() invoke res_send(), which returns the
       server response in an application buffer even if the requested record
       does not exist. If this promise is broken, specify "yes" to enable a
       workaround for DNS reputation lookups.

       This feature is available in Postfix 3.1 and later.

dnsblog_reply_delay (default: 0s)

       A debugging aid to artificially delay DNS responses.

       This feature is available in Postfix 2.8.

dnsblog_service_name (default: dnsblog)

       The name of the dnsblog(8) service entry in master.cf. This service
       performs DNS white/blacklist lookups.

       This feature is available in Postfix 2.8 and later.

dont_remove (default: 0)

       Don't remove queue files and save them to the "saved" mail queue. This
       is a debugging aid. To inspect the envelope information and content of
       a Postfix queue file, use the postcat(1) command.

double_bounce_sender (default: double-bounce)

       The sender address of postmaster notifications that are generated by
       the mail system. All mail to this address is silently discarded, in
       order to terminate mail bounce loops.

duplicate_filter_limit (default: 1000)

       The maximal number of addresses remembered by the address duplicate
       filter for aliases(5) or virtual(5) alias expansion, or for showq(8)
       queue displays.

empty_address_default_transport_maps_lookup_key (default: <>)

       The sender_dependent_default_transport_maps search string that will be
       used instead of the null sender address.

       This feature is available in Postfix 2.7 and later.

empty_address_recipient (default: MAILER-DAEMON)

       The recipient of mail addressed to the null address. Postfix does not
       accept such addresses in SMTP commands, but they may still be created
       locally as the result of configuration or software error.

empty_address_relayhost_maps_lookup_key (default: <>)

       The sender_dependent_relayhost_maps search string that will be used
       instead of the null sender address.

       This feature is available in Postfix 2.5 and later. With earlier
       versions, sender_dependent_relayhost_maps lookups were skipped for the
       null sender address.

enable_errors_to (default: no)

       Report mail delivery errors to the address specified with the
       non-standard Errors-To: message header, instead of the envelope sender
       address (this feature is removed with Postfix version 2.2, is turned
       off by default with Postfix version 2.1, and is always turned on with
       older Postfix versions).

enable_idna2003_compatibility (default: no)

       Enable 'transitional' compatibility between IDNA2003 and IDNA2008, when
       converting UTF-8 domain names to/from the ASCII form that is used for
       DNS lookups. Specify "yes" for compatibility with Postfix <= 3.1 (not
       recommended). This affects the conversion of domain names that contain
       for example the German sz and the Greek zeta. See
       http://unicode.org/cldr/utility/idna.jsp for more examples.

       This feature is available in Postfix 3.2 and later.

enable_long_queue_ids (default: no)

       Enable long, non-repeating, queue IDs (queue file names). The benefit
       of non-repeating names is simpler logfile analysis and easier queue
       migration (there is no need to run "postsuper" to change queue file
       names that don't match their message file inode number).

       Note: see below for how to convert long queue file names to Postfix <=
       2.8.

       Changing the parameter value to "yes" has the following effects:

       ·      Existing queue file names are not affected.

       ·      New queue files are created with names such as 3Pt2mN2VXxznjll.
              These are encoded in a 52-character alphabet that contains
              digits (0-9), upper-case letters (B-Z) and lower-case letters
              (b-z). For safety reasons the vowels (AEIOUaeiou) are excluded
              from the alphabet. The name format is: 6 or more characters for
              the time in seconds, 4 characters for the time in microseconds,
              the 'z'; the remainder is the file inode number encoded in the
              first 51 characters of the 52-character alphabet.

       ·      New messages have a Message-ID header with queueID@myhostname.

       ·      The mailq (postqueue -p) output has a wider Queue ID column.
              The number of whitespace-separated fields is not changed.

       ·      The hash_queue_depth algorithm uses the first characters of the
              queue file creation time in microseconds, after conversion into
              hexadecimal representation. This produces the same queue hashing
              behavior as if the queue file name was created with
              "enable_long_queue_ids = no".

       Changing the parameter value to "no" has the following effects:

       ·      Existing long queue file names are renamed to the short form
              (while running "postfix reload" or "postsuper").

       ·      New queue files are created with names such as C3CD21F3E90 from
              a hexadecimal alphabet that contains digits (0-9) and upper-case
              letters (A-F). The name format is: 5 characters for the time in
              microseconds; the remainder is the file inode number.

       ·      New messages have a Message-ID header with
              YYYYMMDDHHMMSS.queueid@myhostname, where YYYYMMDDHHMMSS are the
              year, month, day, hour, minute and second.

       ·      The mailq (postqueue -p) output has the same format as with
              Postfix <= 2.8.

       ·      The hash_queue_depth algorithm uses the first characters of the
              queue file name, with the hexadecimal representation of the file
              creation time in microseconds.

       Before migration to Postfix <= 2.8, the following commands are required
       to convert long queue file names into short names:

       # postfix stop
       # postconf enable_long_queue_ids=no
       # postsuper

       Repeat the postsuper command until it reports no more queue file name
       changes.

       This feature is available in Postfix 2.9 and later.

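       The two name formats above carry recoverable information (creation
       time and inode number) that is useful when correlating queue IDs in
       logs with queue files during an incident. The following Python decoder
       is an added example written for this page, not Postfix code, and it is
       exercised on the two sample names the text gives (3Pt2mN2VXxznjll and
       C3CD21F3E90). It assumes that the 52-character alphabet is ordered as
       the text lists it (digits, then the consonants B-Z, then b-z), that
       the most significant character comes first, and that the short form is
       plain upper-case hexadecimal; verify against your own queue before
       relying on the decoded values.

```python
"""Decoder for Postfix queue file names (queue IDs) in the long and short
forms described above.  Added example, not Postfix code.  Assumptions:
the 52-character alphabet is taken in the order the manual lists it with
the most significant character first; the short form is upper-case hex."""
import datetime as dt
from typing import Dict

LONG_ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
assert len(LONG_ALPHABET) == 52 and not set("AEIOUaeiou") & set(LONG_ALPHABET)
INODE_SEP = "z"      # index 51: never produced by the base-51 inode encoding
USEC_LEN = 4         # microseconds: exactly 4 base-52 characters
MIN_SEC_LEN = 6      # seconds: 6 or more base-52 characters
HEX_DIGITS = "0123456789ABCDEF"


def _decode(chars: str, base: int) -> int:
    """Most-significant-first conversion within the safe alphabet."""
    value = 0
    for ch in chars:
        digit = LONG_ALPHABET.index(ch)      # ValueError for a foreign char
        if digit >= base:
            raise ValueError("character %r is not valid in base %d" % (ch, base))
        value = value * base + digit
    return value


def decode_queue_id(qid: str) -> Dict[str, object]:
    """Split a queue ID into its documented components.

    Long form:  <seconds, base 52, >= 6 chars><usec, base 52, 4 chars>z<inode, base 51>
    Short form: <usec, hex, 5 chars><inode, hex>
    """
    if not qid:
        raise ValueError("empty queue id")
    if all(c in HEX_DIGITS for c in qid):
        if len(qid) <= 5:
            raise ValueError("short queue id too short: %r" % qid)
        usec, inode = int(qid[:5], 16), int(qid[5:], 16)
        if usec >= 1_000_000:
            raise ValueError("bad microsecond field in %r" % qid)
        return {"format": "short", "usec": usec, "inode": inode}
    # The inode part never contains 'z', so the last 'z' is the separator
    # even when the time fields happen to contain one.
    sep = qid.rfind(INODE_SEP)
    if sep < MIN_SEC_LEN + USEC_LEN or sep == len(qid) - 1:
        raise ValueError("not a long queue id: %r" % qid)
    time_part, inode_part = qid[:sep], qid[sep + 1:]
    seconds = _decode(time_part[:-USEC_LEN], 52)
    usec = _decode(time_part[-USEC_LEN:], 52)
    if usec >= 1_000_000:
        raise ValueError("bad microsecond field in %r" % qid)
    return {"format": "long", "seconds": seconds, "usec": usec,
            "inode": _decode(inode_part, 51)}


def is_valid_queue_id(qid: str) -> bool:
    """True when the name parses as either documented format."""
    try:
        decode_queue_id(qid)
        return True
    except ValueError:
        return False


def created_at(qid: str) -> dt.datetime:
    """UTC creation time of a long-form queue ID.  Short IDs only carry
    the microsecond part, so they raise."""
    parts = decode_queue_id(qid)
    if parts["format"] != "long":
        raise ValueError("short queue ids carry no creation date")
    when = dt.datetime.fromtimestamp(int(parts["seconds"]), dt.timezone.utc)
    return when.replace(microsecond=int(parts["usec"]))


if __name__ == "__main__":
    for sample in ("3Pt2mN2VXxznjll", "C3CD21F3E90"):
        print(sample, decode_queue_id(sample))
    print(created_at("3Pt2mN2VXxznjll").isoformat())
```

       Decoding the manual's own long example yields a creation time in March
       2011, which is consistent with when this feature was being written,
       and the short example splits into a five-digit microsecond field below
       one million and an inode number.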
enable_original_recipient (default: yes)

       Enable support for the original recipient address after an address is
       rewritten to a different address (for example with aliasing or with
       canonical mapping).

       The original recipient address is used as follows:

       Final delivery
              With "enable_original_recipient = yes", the original recipient
              address is stored in the X-Original-To message header. This
              header may be used to distinguish between different recipients
              that share the same mailbox.

       Recipient deduplication
              With "enable_original_recipient = yes", the cleanup(8) daemon
              performs duplicate recipient elimination based on the content of
              (original recipient, maybe-rewritten recipient) pairs.
              Otherwise, the cleanup(8) daemon performs duplicate recipient
              elimination based only on the maybe-rewritten recipient address.

       Note: with Postfix <= 3.2 the setting "enable_original_recipient = no"
       breaks address verification for addresses that are aliased or otherwise
       rewritten (Postfix is unable to store the address verification result
       under the original probe destination address; instead, it can store the
       result only under the rewritten address).

       This feature is available in Postfix 2.1 and later. Postfix version 2.0
       behaves as if this parameter is always set to yes. Postfix versions
       before 2.0 have no support for the original recipient address.

error_notice_recipient (default: postmaster)

1948       The  recipient of postmaster notifications about mail delivery problems
1949       that are caused by  policy,  resource,  software  or  protocol  errors.
1950       These notifications are enabled with the notify_classes parameter.
1951

error_service_name (default: error)

1953       The  name  of  the  error(8) pseudo delivery agent. This service always
1954       returns mail as undeliverable.
1955
1956       This feature is available in Postfix 2.0 and later.
1957

execution_directory_expansion_filter (default: see postconf -d output)

1959       Restrict the characters that the  local(8)  delivery  agent  allows  in
1960       $name  expansions  of $command_execution_directory.  Characters outside
1961       the allowed set are replaced by underscores.
1962
1963       This feature is available in Postfix 2.2 and later.
1964

expand_owner_alias (default: no)

1966       When delivering to an alias "aliasname" that has  an  "owner-aliasname"
1967       companion  alias,  set  the envelope sender address to the expansion of
1968       the "owner-aliasname"  alias.   Normally,  Postfix  sets  the  envelope
1969       sender address to the name of the "owner-aliasname" alias.
1970

export_environment (default: see postconf -d output)

1972       The list of environment variables that a Postfix process will export to
1973       non-Postfix processes. The TZ variable is needed for sane time  keeping
1974       on System-V-ish systems.
1975
1976       Specify  a  list  of names and/or name=value pairs, separated by white‐
1977       space or comma. Specify "{ name=value }" to protect whitespace or comma
1978       in  parameter  values  (whitespace after the opening "{" and before the
1979       closing "}" is ignored). The form name=value is supported with  Postfix
1980       version  2.1 and later; the use of {} is supported with Postfix 3.0 and
1981       later.
1982
1983       Example:
1984
1985       export_environment = TZ PATH=/bin:/usr/bin
1986

extract_recipient_limit (default: 10240)

1988       The maximal number of recipient addresses  that  Postfix  will  extract
1989       from message headers when mail is submitted with "sendmail -t".
1990
1991       This feature was removed in Postfix version 2.1.
1992

fallback_relay (default: empty)

1994       Optional  list of relay hosts for SMTP destinations that can't be found
1995       or that are unreachable. With Postfix 2.3 this parameter is renamed  to
1996       smtp_fallback_relay.
1997
1998       By  default,  mail  is returned to the sender when a destination is not
1999       found, and delivery is deferred when a destination is unreachable.
2000
2001       The fallback relays must be SMTP destinations. Specify a domain,  host,
2002       host:port,  [host]:port,  [address]  or [address]:port; the form [host]
2003       turns off MX lookups.  If you specify multiple SMTP destinations, Post‐
2004       fix will try them in the specified order.
2005
2006       Note:  before  Postfix  2.2, do not use the fallback_relay feature when
2007       relaying mail for a backup  or  primary  MX  domain.  Mail  would  loop
2008       between  the Postfix MX host and the fallback_relay host when the final
2009       destination is unavailable.
2010
2011       ·      In main.cf specify "relay_transport = relay",
2012
2013       ·      In master.cf specify "-o fallback_relay =" (i.e., empty) at  the
2014              end of the relay entry.
2015
2016       ·      In transport maps, specify "relay:nexthop..."  as the right-hand
2017              side for backup or primary MX domain entries.
2018
2019       Postfix version 2.2 and later will not use the  fallback_relay  feature
2020       for destinations that it is MX host for.
2021

fallback_transport (default: empty)

2023       Optional  message  delivery  transport that the local(8) delivery agent
2024       should use for names that are not found in the aliases(5) or UNIX pass‐
2025       word database.
2026
2027       The  precedence  of  local(8)  delivery  features  from high to low is:
2028       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2029       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
2030       tory, fallback_transport_maps, fallback_transport and luser_relay.
2031

fallback_transport_maps (default: empty)

2033       Optional lookup tables with per-recipient message  delivery  transports
2034       for  recipients  that the local(8) delivery agent could not find in the
2035       aliases(5) or UNIX password database.
2036
2037       The precedence of local(8) delivery  features  from  high  to  low  is:
2038       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
2039       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
2040       tory, fallback_transport_maps, fallback_transport and luser_relay.
2041
2042       For  safety  reasons, this feature does not allow $number substitutions
2043       in regular expression maps.
2044
2045       This feature is available in Postfix 2.3 and later.
2046

fast_flush_domains (default: $relay_domains)

2048       Optional list of destinations that  are  eligible  for  per-destination
2049       logfiles with mail that is queued to those destinations.
2050
2051       By  default,  Postfix maintains "fast flush" logfiles only for destina‐
2052       tions that the Postfix SMTP server is willing to  relay  to  (i.e.  the
2053       default    is:   "fast_flush_domains   =   $relay_domains";   see   the
2054       relay_domains parameter in the postconf(5) manual).
2055
2056       Specify a list of hosts or domains, "/file/name" patterns or  "type:ta‐
2057       ble"  lookup  tables,  separated by commas and/or whitespace.  Continue
2058       long lines by starting the next line with  whitespace.  A  "/file/name"
2059       pattern  is  replaced  by  its contents; a "type:table" lookup table is
2060       matched when the domain or its parent domain appears as lookup key.
2061
2062       Pattern matching of domain names  is  controlled  by  the  presence  or
2063       absence of "fast_flush_domains" in the parent_domain_matches_subdomains
2064       parameter value.
2065
2066       Specify "fast_flush_domains =" (i.e., empty)  to  disable  the  feature
2067       altogether.
2068

fast_flush_purge_time (default: 7d)

2070       The  time  after which an empty per-destination "fast flush" logfile is
2071       deleted.
2072
2073       You can specify the time as a number, or as a number followed by a let‐
2074       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2075       d=days, w=weeks.  The default time unit is days.
2076

fast_flush_refresh_time (default: 12h)

2078       The time after which  a  non-empty  but  unread  per-destination  "fast
2079       flush"  logfile  needs  to be refreshed.  The contents of a logfile are
2080       refreshed by requesting delivery of all messages listed in the logfile.
2081
2082       You can specify the time as a number, or as a number followed by a let‐
2083       ter  that  indicates  the  time  unit:  s=seconds,  m=minutes, h=hours,
2084       d=days, w=weeks.  The default time unit is hours.
2085

fault_injection_code (default: 0)

2087       Force specific internal tests to fail, to test the handling  of  errors
2088       that are difficult to reproduce otherwise.
2089

flush_service_name (default: flush)

2091       The  name  of the flush(8) service. This service maintains per-destina‐
2092       tion logfiles with the queue file names of  mail  that  is  queued  for
2093       those destinations.
2094
2095       This feature is available in Postfix 2.0 and later.
2096

fork_attempts (default: 5)

2098       The maximal number of attempts to fork() a child process.
2099

fork_delay (default: 1s)

2101       The delay between attempts to fork() a child process.
2102
2103       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
2104       The default time unit is s (seconds).
2105

forward_expansion_filter (default: see postconf -d output)

2107       Restrict the characters that the  local(8)  delivery  agent  allows  in
2108       $name  expansions of $forward_path.  Characters outside the allowed set
2109       are replaced by underscores.
2110

forward_path (default: see postconf -d output)

2112       The local(8) delivery agent search list for  finding  a  .forward  file
2113       with  user-specified  delivery methods. The first file that is found is
2114       used.
2115
2116       The forward_path value is not subject to Postfix configuration  parame‐
2117       ter  $name  expansion. Instead, the following $name expansions are done
2118       on forward_path before the search  actually  happens.   The  result  of
2119       $name  expansion  is  filtered with the character set that is specified
2120       with the forward_expansion_filter parameter.
2121
2122       $user  The recipient's username.
2123
2124       $shell The recipient's login shell pathname.
2125
2126       $home  The recipient's home directory.
2127
2128       $recipient
2129              The full recipient address.
2130
2131       $extension
2132              The optional recipient address extension.
2133
2134       $domain
2135              The recipient domain.
2136
2137       $local The entire recipient localpart.
2138
2139       $recipient_delimiter
2140              The address extension delimiter that was found in the  recipient
2141              address  (Postfix  2.11 and later), or the system-wide recipient
2142              address extension delimiter (Postfix 2.10 and earlier).
2143
2144       ${name?value}
2145              Expands to value when $name is non-empty.
2146
2147       ${name:value}
2148              Expands to value when $name is empty.
2149
2150       Instead of $name you can also specify ${name} or $(name).
2151
2152       Examples:
2153
2154       forward_path = /var/forward/$user
2155       forward_path =
2156           /var/forward/$user/.forward$recipient_delimiter$extension,
2157           /var/forward/$user/.forward
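
       The expansion and filtering described above (the same mechanism that
       execution_directory_expansion_filter applies to
       $command_execution_directory) can be modelled as follows. This is an
       added example, not code from Postfix or from this manual page. The
       allowed character set below is an assumption made for the example; the
       real default comes from "postconf -d forward_expansion_filter". Values
       substituted for $name are filtered, literal text in the template is
       not, and the value part of ${name?value} / ${name:value} is expanded
       recursively but may not itself contain braces.

```python
import re

# Assumed allowed set for this example: letters, digits and a few
# punctuation characters that occur in paths and addresses. The real
# default is in "postconf -d" output and is not reproduced here.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
              "0123456789_-.+=@/:")

# $name, ${name}, $(name), ${name?value} and ${name:value}
_EXPR = re.compile(
    r"\$(?:\{(?P<b>[A-Za-z0-9_]+)(?:(?P<op>[?:])(?P<val>[^}]*))?\}"
    r"|\((?P<p>[A-Za-z0-9_]+)\)"
    r"|(?P<n>[A-Za-z0-9_]+))")

# The second forward_path example from the manual page above.
FORWARD_PATH = ("/var/forward/$user/.forward$recipient_delimiter$extension,\n"
                "    /var/forward/$user/.forward")


def _filter(text, allowed):
    """Replace every character outside the allowed set with an underscore."""
    return "".join(c if c in allowed else "_" for c in text)


def expand(template, attrs, allowed=ALLOWED):
    """Expand the $name forms listed above. Names missing from attrs expand
    to the empty string; substituted values pass through the filter."""
    def repl(m):
        name = m.group("b") or m.group("p") or m.group("n")
        value = attrs.get(name, "")
        op = m.group("op")
        if op == "?":                       # ${name?value}: only if non-empty
            return expand(m.group("val"), attrs, allowed) if value else ""
        if op == ":":                       # ${name:value}: only if empty
            return expand(m.group("val"), attrs, allowed) if not value else ""
        return _filter(value, allowed)
    return _EXPR.sub(repl, template)


def search_list(forward_path, attrs, allowed=ALLOWED):
    """Split a forward_path value on commas/whitespace and expand each entry,
    in the order local(8) would try them."""
    return [expand(p, attrs, allowed)
            for p in re.split(r"[,\s]+", forward_path.strip()) if p]
```

       The filter is what keeps recipient-controlled input (the address
       extension, for instance) from smuggling shell metacharacters into a
       path: with the assumed set, an extension of "a b;c" becomes "a_b_c".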


frozen_delivered_to (default: yes)

       Update the local(8) delivery agent's idea of the Delivered-To: address
       (see prepend_delivered_header) only once, at the start of a delivery
       attempt; do not update the Delivered-To: address while expanding
       aliases or .forward files.

       This feature is available in Postfix 2.3 and later. With older Postfix
       releases, the behavior is as if this parameter is set to "no". The old
       setting can be expensive with deeply nested aliases or .forward files.
       When an alias or .forward file changes the Delivered-To: address, it
       ties up one queue file and one cleanup process instance while mail is
       being forwarded.


hash_queue_depth (default: 1)

       The number of subdirectory levels for queue directories listed with the
       hash_queue_names parameter. Queue hashing is implemented by creating
       one or more levels of directories with one-character names.
       Originally, these directory names were equal to the first characters of
       the queue file name, with the hexadecimal representation of the file
       creation time in microseconds.

       With long queue file names, queue hashing produces the same results as
       with short names. The file creation time in microseconds is converted
       into hexadecimal form before the result is used for queue hashing. The
       base 16 encoding gives finer control over the number of subdirectories
       than is possible with the base 52 encoding of long queue file names.

       After changing the hash_queue_names or hash_queue_depth parameter,
       execute the command "postfix reload".
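
       The short queue file name layout given under enable_long_queue_ids
       above (5 hexadecimal characters of creation time in microseconds, the
       rest the inode number) and the hashing rule described here can be
       checked with the following added example; it is not code from Postfix
       or from this manual page. It assumes that a name made only of the
       characters 0-9A-F is a short-form name, and it does not decode long
       names, since their encoding is documented elsewhere. The queue
       directory /var/spool/postfix is a sample value, not taken from this
       page.

```python
HEX_DIGITS = set("0123456789ABCDEF")


def is_short_queue_id(queue_id):
    """Short-form names use only the hexadecimal alphabet 0-9A-F. Assumption
    for this example: any other character marks a long-form name."""
    return bool(queue_id) and all(c in HEX_DIGITS for c in queue_id)


def parse_short_queue_id(queue_id):
    """Split a short queue file name into (microseconds, inode): the first
    5 characters hold the creation time in microseconds, the remainder the
    file inode number, both hexadecimal."""
    if not is_short_queue_id(queue_id) or len(queue_id) < 6:
        raise ValueError(f"not a short-form queue id: {queue_id!r}")
    return int(queue_id[:5], 16), int(queue_id[5:], 16)


def hashed_queue_path(queue_dir, queue_name, queue_id,
                      hash_queue_names=("deferred", "defer"),
                      hash_queue_depth=1):
    """Path of a short-form queue file: for queues listed in
    hash_queue_names, one single-character subdirectory per hash level
    taken from the leading characters of the name; other queues are flat."""
    if not is_short_queue_id(queue_id):
        raise ValueError("long-form ids hash on the hex microsecond value, "
                         "which this example does not decode")
    parts = [queue_dir, queue_name]
    if queue_name in hash_queue_names:
        parts.extend(queue_id[:hash_queue_depth])
    parts.append(queue_id)
    return "/".join(parts)


def locate(queue_dir, queue_name, queue_id, **kw):
    """Convenience wrapper returning (path, microseconds, inode)."""
    usec, inode = parse_short_queue_id(queue_id)
    return hashed_queue_path(queue_dir, queue_name, queue_id, **kw), usec, inode
```

       Because the hash directory is derived from the name, a file found in
       deferred/C/ whose name does not start with "C" is a sign that
       hash_queue_depth or hash_queue_names was changed without the "postfix
       reload" the text above calls for.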


hash_queue_names (default: deferred, defer)

       The names of queue directories that are split across multiple
       subdirectory levels.

       Before Postfix version 2.2, the default list of hashed queues was
       significantly larger. Claims about improvements in file system
       technology suggest that hashing of the incoming and active queues is
       no longer needed. Fewer hashed directories speed up the time needed to
       restart Postfix.

       After changing the hash_queue_names or hash_queue_depth parameter,
       execute the command "postfix reload".


header_address_token_limit (default: 10240)

       The maximal number of address tokens that are allowed in an address
       message header. Information that exceeds the limit is discarded. The
       limit is enforced by the cleanup(8) server.


header_checks (default: empty)

       Optional lookup tables for content inspection of primary non-MIME
       message headers, as specified in the header_checks(5) manual page.


header_from_format (default: standard)

       The format of the Postfix-generated From: header. This setting affects
       the appearance of 'full name' information when a local program such as
       /bin/mail submits a message without From: header through the Postfix
       sendmail(1) command.

       Specify one of the following:

       standard (default)
              Produce a header formatted as "From: name <address>". This is
              the default as of Postfix 3.3.

       obsolete
              Produce a header formatted as "From: address (name)". This is
              the behavior prior to Postfix 3.3.

       Notes:

       ·      Postfix generates the format "From: address" when name
              information is unavailable or the envelope sender address is
              empty. This is the same behavior as prior to Postfix 3.3.

       ·      In the standard form, the name will be quoted if it contains
              specials as defined in RFC 5322, or the "!%" address operators.

       ·      The Postfix sendmail(1) command gets name information from the
              -F command-line option, from the NAME environment variable, or
              from the UNIX password file.

       This feature is available in Postfix 3.3 and later.


header_size_limit (default: 102400)

       The maximal amount of memory in bytes for storing a message header. If
       a header is larger, the excess is discarded. The limit is enforced by
       the cleanup(8) server.


helpful_warnings (default: yes)

       Log warnings about problematic configuration settings, and provide
       helpful suggestions.

       This feature is available in Postfix 2.0 and later.


home_mailbox (default: empty)

       Optional pathname of a mailbox file relative to a local(8) user's home
       directory.

       Specify a pathname ending in "/" for qmail-style delivery.

       The precedence of local(8) delivery features from high to low is:
       aliases, .forward files, mailbox_transport_maps, mailbox_transport,
       mailbox_command_maps, mailbox_command, home_mailbox,
       mail_spool_directory, fallback_transport_maps, fallback_transport and
       luser_relay.

       Examples:

       home_mailbox = Mailbox
       home_mailbox = Maildir/


hopcount_limit (default: 50)

       The maximal number of Received: message headers that is allowed in the
       primary message headers. A message that exceeds the limit is bounced,
       in order to stop a mailer loop.


html_directory (default: see postconf -d output)

       The location of Postfix HTML files that describe how to build,
       configure or operate a specific Postfix subsystem or feature.


ignore_mx_lookup_error (default: no)

       Ignore DNS MX lookups that produce no response. By default, the
       Postfix SMTP client defers delivery and tries again after some delay.
       This behavior is required by the SMTP standard.

       Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup
       instead. This violates the SMTP standard and can result in mis-delivery
       of mail.


import_environment (default: see postconf -d output)

       The list of environment parameters that a privileged Postfix process
       will import from a non-Postfix parent process, or name=value
       environment overrides. Unprivileged utilities will enforce the
       name=value overrides, but otherwise will not change their process
       environment. Examples of relevant parameters:

       TZ     May be needed for sane time keeping on most System-V-ish
              systems.

       DISPLAY
              Needed for debugging Postfix daemons with an X-windows debugger.

       XAUTHORITY
              Needed for debugging Postfix daemons with an X-windows debugger.

       MAIL_CONFIG
              Needed to make "postfix -c" work.

       Specify a list of names and/or name=value pairs, separated by
       whitespace or comma. Specify "{ name=value }" to protect whitespace or
       comma in parameter values (whitespace after the opening "{" and before
       the closing "}" is ignored). The form name=value is supported with
       Postfix version 2.1 and later; the use of {} is supported with Postfix
       3.0 and later.
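
       The list syntax that import_environment shares with export_environment
       above (names, name=value pairs, and "{ name=value }" to protect
       whitespace or commas) can be parsed as follows. This is an added
       example, not code from Postfix or from this manual page; it does not
       handle nested braces, and apply_import is this example's reading of
       the import rule for a privileged process, not Postfix's own code.

```python
def parse_environment_list(value):
    """Parse an export_environment / import_environment value into a list
    of (name, value) tuples; value is None for a bare name. Entries are
    separated by whitespace or commas; "{ ... }" protects both, and the
    whitespace just inside the braces is dropped."""
    items = []
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c in " \t\r\n,":
            i += 1
            continue
        if c == "{":
            end = value.find("}", i + 1)
            if end < 0:
                raise ValueError("unbalanced '{' in environment list")
            token = value[i + 1:end].strip()
            i = end + 1
        else:
            j = i
            while j < n and value[j] not in " \t\r\n,":
                j += 1
            token = value[i:j]
            i = j
        if not token:
            continue
        name, sep, val = token.partition("=")
        if not name:
            raise ValueError(f"environment entry without a name: {token!r}")
        items.append((name, val if sep else None))
    return items


def apply_import(parent_env, import_list):
    """Build the environment a privileged process would start with: only
    the listed names are copied from the parent, and name=value entries
    override whatever the parent had. Everything else is dropped, which is
    the point of an allow-list for inherited environment."""
    child = {}
    for name, val in parse_environment_list(import_list):
        if val is not None:
            child[name] = val
        elif name in parent_env:
            child[name] = parent_env[name]
    return child
```

       Because only listed names survive, a variable such as LD_PRELOAD set
       by whoever started "postfix start" never reaches the daemons unless an
       administrator adds it to import_environment explicitly.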


in_flow_delay (default: 1s)

       Time to pause before accepting a new message, when the message arrival
       rate exceeds the message delivery rate. This feature is turned on by
       default (it's disabled on SCO UNIX due to an SCO bug).

       With the default 100 Postfix SMTP server process limit, "in_flow_delay
       = 1s" limits the mail inflow to 100 messages per second above the
       number of messages delivered per second.

       Specify 0 to disable the feature. Valid delays are 0..10.


inet_interfaces (default: all)

       The network interface addresses that this mail system receives mail on.
       Specify "all" to receive mail on all network interfaces (default), and
       "loopback-only" to receive mail on loopback network interfaces only
       (Postfix version 2.2 and later). The parameter also controls delivery
       of mail to user@[ip.address].

       Note 1: you need to stop and start Postfix when this parameter changes.

       Note 2: address information may be enclosed inside [], but this form is
       not required here.

       When inet_interfaces specifies just one IPv4 and/or IPv6 address that
       is not a loopback address, the Postfix SMTP client will use this
       address as the IP source address for outbound mail. Support for IPv6 is
       available in Postfix version 2.2 and later.

       On a multi-homed firewall with separate Postfix instances listening on
       the "inside" and "outside" interfaces, this can prevent each instance
       from being able to reach remote SMTP servers on the "other side" of the
       firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential
       problem for IPv4, and setting smtp_bind_address6 to :: solves the
       problem for IPv6.

       A better solution for multi-homed firewalls is to leave inet_interfaces
       at the default value and instead use explicit IP addresses in the
       master.cf SMTP server definitions. This preserves the Postfix SMTP
       client's loop detection, by ensuring that each side of the firewall
       knows that the other IP address is still the same host. Setting
       $inet_interfaces to a single IPv4 and/or IPv6 address is primarily
       useful with virtual hosting of domains on secondary IP addresses, when
       each IP address serves a different domain (and has a different
       $myhostname setting).

       See also the proxy_interfaces parameter, for network addresses that are
       forwarded to Postfix by way of a proxy or address translator.

       Examples:

       inet_interfaces = all (DEFAULT)
       inet_interfaces = loopback-only (Postfix version 2.2 and later)
       inet_interfaces = 127.0.0.1
       inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
       inet_interfaces = 192.168.1.2, 127.0.0.1


inet_protocols (default: all)

       The Internet protocols Postfix will attempt to use when making or
       accepting connections. Specify one or more of "ipv4" or "ipv6",
       separated by whitespace or commas. The form "all" is equivalent to
       "ipv4, ipv6" or "ipv4", depending on whether the operating system
       implements IPv6.

       With Postfix 2.8 and earlier the default is "ipv4". For backwards
       compatibility with these releases, the Postfix 2.9 and later upgrade
       procedure appends an explicit "inet_protocols = ipv4" setting to
       main.cf when no explicit setting is present. This compatibility
       workaround will be phased out as IPv6 deployment becomes more common.

       This feature is available in Postfix 2.2 and later.

       Note: you MUST stop and start Postfix after changing this parameter.

       On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server
       will also accept IPv4 connections, even when IPv4 is turned off with
       the inet_protocols parameter. On systems with IPV6_V6ONLY support,
       Postfix will use separate server sockets for IPv6 and IPv4, and each
       will accept only connections for the corresponding protocol.

       When IPv4 support is enabled via the inet_protocols parameter, Postfix
       will look up DNS type A records, and will convert IPv4-in-IPv6 client
       IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4).
       The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC
       3493).

       When IPv6 support is enabled via the inet_protocols parameter, Postfix
       will do DNS type AAAA record lookups.

       When both IPv4 and IPv6 support are enabled, the Postfix SMTP client
       will choose the protocol as specified with the smtp_address_preference
       parameter. Postfix versions before 2.8 attempt to connect via IPv6
       before attempting to use IPv4.

       Examples:

       inet_protocols = ipv4
       inet_protocols = all (DEFAULT)
       inet_protocols = ipv6
       inet_protocols = ipv4, ipv6
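
       Two of the behaviours described above matter for access control: the
       IPV6_V6ONLY split into separate per-protocol sockets, and the
       conversion of IPv4-in-IPv6 client addresses (::ffff:1.2.3.4) back to
       IPv4 so that a client matches the same IPv4 access-list entry however
       it connected. The following is an added example of both, not code from
       Postfix or from this manual page; it uses only the Python standard
       library and binds to loopback on an ephemeral port when asked to
       listen.

```python
import ipaddress
import socket


def normalize_client_address(text):
    """Return the address form to use for logging and access decisions:
    an IPv4-in-IPv6 address such as ::ffff:1.2.3.4 becomes 1.2.3.4; other
    addresses are returned in canonical form. Surrounding [] is accepted."""
    addr = ipaddress.ip_address(text.strip("[]"))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def protocols_for(setting, os_has_ipv6=True):
    """Expand an inet_protocols value into the set of protocols to use,
    following the rule above: "all" means ipv4 plus ipv6 where the
    operating system implements IPv6, otherwise ipv4 alone."""
    words = {w for w in setting.replace(",", " ").split() if w}
    if "all" in words:
        words.discard("all")
        words |= {"ipv4", "ipv6"} if os_has_ipv6 else {"ipv4"}
    unknown = words - {"ipv4", "ipv6"}
    if unknown:
        raise ValueError(f"unknown inet_protocols value(s): {sorted(unknown)}")
    return words


def listening_sockets(protocols, port=0, host4="127.0.0.1", host6="::1"):
    """Create one listening socket per enabled protocol. IPV6_V6ONLY is set
    on the IPv6 socket so that it does not also accept IPv4 connections
    (the separate-sockets behaviour described above); without it, an IPv6
    listener on a dual-stack host would see IPv4 clients as ::ffff:a.b.c.d
    and an "ipv6"-only configuration would still accept IPv4."""
    socks = []
    if "ipv4" in protocols:
        s4 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s4.bind((host4, port))
        s4.listen()
        socks.append(s4)
    if "ipv6" in protocols:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        s6.bind((host6, port))
        s6.listen()
        socks.append(s6)
    return socks
```

       normalize_client_address is the step to apply before any per-client
       lookup (access maps, rate limits, log correlation); otherwise the same
       host may appear under two spellings depending on which socket it
       arrived on.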


info_log_address_format (default: external)

       The email address form that will be used in non-debug logging (info,
       warning, etc.). As of Postfix 3.5 when an address localpart contains
       spaces or other special characters, the localpart will be quoted, for
       example:

               from=<"name with spaces"@example.com>

       Older Postfix versions would log the internal (unquoted) form:

               from=<name with spaces@example.com>

       The external and internal forms are identical for the vast majority of
       email addresses that contain no spaces or other special characters in
       the localpart.

       The logging in external form is consistent with the address form that
       Postfix 3.2 and later prefer for most table lookups. This is therefore
       the more useful form for non-debug logging.

       Specify "info_log_address_format = internal" for backwards
       compatibility.

       Postfix uses the unquoted form internally, because an attacker can
       specify an email address in different forms by playing games with
       quotes and backslashes. An attacker should not be able to use such
       games to circumvent Postfix access policies.

       This feature is available in Postfix 3.5 and later.
2442

initial_destination_concurrency (default: 5)

2444       The initial per-destination concurrency level for parallel delivery  to
2445       the same destination.  With per-destination recipient limit > 1, a des‐
2446       tination is a domain, otherwise it is a recipient.
2447
2448       Use  transport_initial_destination_concurrency  to  specify  a   trans‐
2449       port-specific  override,  where  transport is the master.cf name of the
2450       message delivery transport (Postfix 2.5 and later).
2451
2452       Warning: with concurrency of 1, one bad message can be enough to  block
2453       all mail to a site.
2454

internal_mail_filter_classes (default: empty)

2456       What  categories  of Postfix-generated mail are subject to before-queue
2457       content inspection by non_smtpd_milters, header_checks and body_checks.
2458       Specify  zero  or  more  of  the  following, separated by whitespace or
2459       comma.
2460
2461       bounce Inspect the content of delivery status notifications.
2462
2463       notify Inspect the content of postmaster notifications by  the  smtp(8)
2464              and smtpd(8) processes.
2465
2466       NOTE:  It's  generally  not  safe to enable content inspection of Post‐
2467       fix-generated email messages. The user is warned.
2468
2469       This feature is available in Postfix 2.3 and later.
2470

invalid_hostname_reject_code (default: 501)

2472       The numerical Postfix SMTP server response code when the client HELO or
2473       EHLO  command parameter is rejected by the reject_invalid_helo_hostname
2474       restriction.
2475
2476       Do not change this unless you have  a  complete  understanding  of  RFC
2477       5321.
2478

ipc_idle (default: version dependent)

2480       The  time  after  which  a client closes an idle internal communication
2481       channel.  The purpose is to allow Postfix daemon processes to terminate
2482       voluntarily  after  they become idle. This is used, for example, by the
2483       Postfix address resolving and rewriting clients.
2484
2485       With Postfix 2.4 the default value was reduced from 100s to 5s.
2486
2487       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2488       The default time unit is s (seconds).
2489

ipc_timeout (default: 3600s)

2491       The  time  limit  for sending or receiving information over an internal
2492       communication channel.  The purpose is to break out of deadlock  situa‐
2493       tions.  If  the time limit is exceeded the software aborts with a fatal
2494       error.
2495
2496       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2497       The default time unit is s (seconds).
2498

ipc_ttl (default: 1000s)

2500       The  time  after which a client closes an active internal communication
2501       channel.  The purpose is to allow Postfix daemon processes to terminate
2502       voluntarily after reaching their client limit.  This is used, for exam‐
2503       ple, by the Postfix address resolving and rewriting clients.
2504
2505       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
2506       The default time unit is s (seconds).
2507
2508       This feature is available in Postfix 2.1 and later.
2509

line_length_limit (default: 2048)

2511       Upon  input,  long  lines  are  chopped  up into pieces of at most this
2512       length; upon delivery, long lines are reconstructed.
2513

lmdb_map_size (default: 16777216)

2515       The initial OpenLDAP LMDB database size limit in bytes.   Each  time  a
2516       database becomes full, its size limit is doubled.
2517
2518       This feature is available in Postfix 2.11 and later.
2519

lmtp_address_preference (default: ipv6)

2521       The  LMTP-specific version of the smtp_address_preference configuration
2522       parameter.  See there for details.
2523
2524       This feature is available in Postfix 2.8 and later.
2525

lmtp_address_verify_target (default: rcpt)

2527       The LMTP-specific version of the smtp_address_verify_target  configura‐
2528       tion parameter.  See there for details.
2529
2530       This feature is available in Postfix 3.0 and later.
2531

lmtp_assume_final (default: no)

2533       When  a  remote  LMTP  server announces no DSN support, assume that the
2534       server performs final delivery, and send  "delivered"  delivery  status
2535       notifications  instead  of  "relayed". The default setting is backwards
2536       compatible to avoid the infinitesimal possibility of breaking  existing
2537       LMTP-based content filters.
2538

lmtp_balance_inet_protocols (default: yes)

2540       The LMTP-specific version of the smtp_balance_inet_protocols configura‐
2541       tion parameter. See there for details.
2542
2543       This feature is available in Postfix 3.3 and later.
2544

lmtp_bind_address (default: empty)

2546       The LMTP-specific version of the smtp_bind_address configuration param‐
2547       eter.  See there for details.
2548
2549       This feature is available in Postfix 2.3 and later.
2550

lmtp_bind_address6 (default: empty)

2552       The  LMTP-specific  version  of  the  smtp_bind_address6  configuration
2553       parameter.  See there for details.
2554
2555       This feature is available in Postfix 2.3 and later.
2556

lmtp_body_checks (default: empty)

2558       The LMTP-specific version of the smtp_body_checks configuration parame‐
2559       ter. See there for details.
2560
2561       This feature is available in Postfix 2.5 and later.
2562

lmtp_cache_connection (default: yes)

       Keep Postfix LMTP client connections open for up to $max_idle seconds.
       When the LMTP client receives a request for the same connection the
       connection is reused.

       This parameter is available in Postfix version 2.2 and earlier. With
       Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
       lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit.

       The effectiveness of cached connections will be determined by the number
       of remote LMTP servers in use, and the concurrency limit specified for
       the Postfix LMTP client. Cached connections are closed under any of the
       following conditions:

       ·      The Postfix LMTP client idle time limit is reached. This limit is
              specified with the Postfix max_idle configuration parameter.

       ·      A delivery request specifies a different destination than the one
              currently cached.

       ·      The per-process limit on the number of delivery requests is
              reached. This limit is specified with the Postfix max_use
              configuration parameter.

       ·      Upon the onset of another delivery request, the remote LMTP server
              associated with the current session does not respond to the RSET
              command.

       Most of these limitations have been removed with the Postfix connection
       cache that is shared among multiple LMTP client programs.

lmtp_cname_overrides_servername (default: yes)

       The LMTP-specific version of the smtp_cname_overrides_servername
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_connect_timeout (default: 0s)

       The Postfix LMTP client time limit for completing a TCP connection, or
       zero (use the operating system built-in time limit). When no connection
       can be made within the deadline, the LMTP client tries the next address
       on the mail exchanger list.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       Example:

       lmtp_connect_timeout = 30s

lmtp_connection_cache_destinations (default: empty)

       The LMTP-specific version of the smtp_connection_cache_destinations
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_connection_cache_on_demand (default: yes)

       The LMTP-specific version of the smtp_connection_cache_on_demand
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_connection_cache_time_limit (default: 2s)

       The LMTP-specific version of the smtp_connection_cache_time_limit
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_connection_reuse_count_limit (default: 0)

       The LMTP-specific version of the smtp_connection_reuse_count_limit
       configuration parameter. See there for details.

       This feature is available in Postfix 2.11 and later.

lmtp_connection_reuse_time_limit (default: 300s)

       The LMTP-specific version of the smtp_connection_reuse_time_limit
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_data_done_timeout (default: 600s)

       The Postfix LMTP client time limit for sending the LMTP ".", and for
       receiving the remote LMTP server response. When no response is received
       within the deadline, a warning is logged that the mail may be delivered
       multiple times.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_data_init_timeout (default: 120s)

       The Postfix LMTP client time limit for sending the LMTP DATA command,
       and for receiving the remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_data_xfer_timeout (default: 180s)

       The Postfix LMTP client time limit for sending the LMTP message content.
       When the connection stalls for more than $lmtp_data_xfer_timeout the
       LMTP client terminates the transfer.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_defer_if_no_mx_address_found (default: no)

       The LMTP-specific version of the smtp_defer_if_no_mx_address_found
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_delivery_status_filter (default: empty)

       The LMTP-specific version of the smtp_delivery_status_filter
       configuration parameter. See there for details.

       This feature is available in Postfix 3.0 and later.

lmtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination via
       the lmtp message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.

lmtp_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the lmtp message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       lmtp_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.

lmtp_discard_lhlo_keyword_address_maps (default: empty)

       Lookup tables, indexed by the remote LMTP server address, with case
       insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
       that the Postfix LMTP client will ignore in the LHLO response from a
       remote LMTP server. See lmtp_discard_lhlo_keywords for details. The
       table is not indexed by hostname for consistency with
       smtpd_discard_ehlo_keyword_address_maps.

       This feature is available in Postfix 2.3 and later.

lmtp_discard_lhlo_keywords (default: empty)

       A case insensitive list of LHLO keywords (pipelining, starttls, auth,
       etc.) that the Postfix LMTP client will ignore in the LHLO response
       from a remote LMTP server.

       This feature is available in Postfix 2.3 and later.

       Notes:

       ·      Specify the silent-discard pseudo keyword to prevent this action
              from being logged.

       ·      Use the lmtp_discard_lhlo_keyword_address_maps feature to
              discard LHLO keywords selectively.

lmtp_dns_reply_filter (default: empty)

       Optional filter for Postfix LMTP client DNS lookup results. See
       smtp_dns_reply_filter for details including an example.

       This feature is available in Postfix 3.0 and later.

lmtp_dns_resolver_options (default: empty)

       The LMTP-specific version of the smtp_dns_resolver_options
       configuration parameter. See there for details.

       This feature is available in Postfix 2.8 and later.

lmtp_dns_support_level (default: empty)

       The LMTP-specific version of the smtp_dns_support_level configuration
       parameter. See there for details.

       This feature is available in Postfix 2.11 and later.

lmtp_enforce_tls (default: no)

       The LMTP-specific version of the smtp_enforce_tls configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_fallback_relay (default: empty)

       Optional list of relay hosts for LMTP destinations that can't be found
       or that are unreachable. In main.cf elements are separated by
       whitespace or commas.

       By default, mail is returned to the sender when a destination is not
       found, and delivery is deferred when a destination is unreachable.

       The fallback relays must be TCP destinations, specified without a
       leading "inet:" prefix. Specify a host or host:port. Since MX lookups
       do not apply with LMTP, there is no need to use the "[host]" or
       "[host]:port" forms. If you specify multiple LMTP destinations, Postfix
       will try them in the specified order.

       This feature is available in Postfix 3.1 and later.

lmtp_generic_maps (default: empty)

       The LMTP-specific version of the smtp_generic_maps configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_header_checks (default: empty)

       The LMTP-specific version of the smtp_header_checks configuration
       parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_host_lookup (default: dns)

       The LMTP-specific version of the smtp_host_lookup configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_lhlo_name (default: $myhostname)

       The hostname to send in the LMTP LHLO command.

       The default value is the machine hostname. Specify a hostname or
       [ip.add.re.ss].

       This information can be specified in the main.cf file for all LMTP
       clients, or it can be specified in the master.cf file for a specific
       client, for example:

           /etc/postfix/master.cf:
               mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com

       This feature is available in Postfix 2.3 and later.

lmtp_lhlo_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the LHLO command, and
       for receiving the initial remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_line_length_limit (default: 990)

       The LMTP-specific version of the smtp_line_length_limit configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_mail_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the MAIL FROM command,
       and for receiving the remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_mime_header_checks (default: empty)

       The LMTP-specific version of the smtp_mime_header_checks configuration
       parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_mx_address_limit (default: 5)

       The LMTP-specific version of the smtp_mx_address_limit configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_mx_session_limit (default: 2)

       The LMTP-specific version of the smtp_mx_session_limit configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_nested_header_checks (default: empty)

       The LMTP-specific version of the smtp_nested_header_checks
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_per_record_deadline (default: no)

       The LMTP-specific version of the smtp_per_record_deadline configuration
       parameter. See there for details.

       This feature is available in Postfix 2.9 and later.

lmtp_pix_workaround_delay_time (default: 10s)

       The LMTP-specific version of the smtp_pix_workaround_delay_time
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_pix_workaround_maps (default: empty)

       The LMTP-specific version of the smtp_pix_workaround_maps configuration
       parameter. See there for details.

       This feature is available in Postfix 2.4 and later.

lmtp_pix_workaround_threshold_time (default: 500s)

       The LMTP-specific version of the smtp_pix_workaround_threshold_time
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_pix_workarounds (default: empty)

       The LMTP-specific version of the smtp_pix_workarounds configuration
       parameter. See there for details.

       This feature is available in Postfix 2.4 and later.

lmtp_quit_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the QUIT command, and
       for receiving the remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_quote_rfc821_envelope (default: yes)

       The LMTP-specific version of the smtp_quote_rfc821_envelope
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_randomize_addresses (default: yes)

       The LMTP-specific version of the smtp_randomize_addresses configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_rcpt_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the RCPT TO command, and
       for receiving the remote LMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_reply_filter (default: empty)

       The LMTP-specific version of the smtp_reply_filter configuration
       parameter. See there for details.

       This feature is available in Postfix 2.7 and later.

lmtp_rset_timeout (default: 20s)

       The Postfix LMTP client time limit for sending the RSET command, and
       for receiving the remote LMTP server response. The LMTP client sends
       RSET in order to finish a recipient address probe, or to verify that a
       cached connection is still alive.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

lmtp_sasl_auth_cache_name (default: empty)

       The LMTP-specific version of the smtp_sasl_auth_cache_name
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_sasl_auth_cache_time (default: 90d)

       The LMTP-specific version of the smtp_sasl_auth_cache_time
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_sasl_auth_enable (default: no)

       Enable SASL authentication in the Postfix LMTP client.

lmtp_sasl_auth_soft_bounce (default: yes)

       The LMTP-specific version of the smtp_sasl_auth_soft_bounce
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_sasl_mechanism_filter (default: empty)

       The LMTP-specific version of the smtp_sasl_mechanism_filter
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_sasl_password_maps (default: empty)

       Optional Postfix LMTP client lookup tables with one username:password
       entry per host or domain. If a remote host or domain has no
       username:password entry, then the Postfix LMTP client will not attempt
       to authenticate to the remote host.

lmtp_sasl_path (default: empty)

       Implementation-specific information that is passed through to the SASL
       plug-in implementation that is selected with lmtp_sasl_type. Typically
       this specifies the name of a configuration file or rendezvous point.

       This feature is available in Postfix 2.3 and later.

lmtp_sasl_security_options (default: noplaintext, noanonymous)

       SASL security options; as of Postfix 2.3 the list of available features
       depends on the SASL client implementation that is selected with
       lmtp_sasl_type.

       The following security features are defined for the cyrus client SASL
       implementation:

       noplaintext
              Disallow authentication methods that use plaintext passwords.

       noactive
              Disallow authentication methods that are vulnerable to
              non-dictionary active attacks.

       nodictionary
              Disallow authentication methods that are vulnerable to passive
              dictionary attack.

       noanonymous
              Disallow anonymous logins.

       Example:

       lmtp_sasl_security_options = noplaintext
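       The following is an added audit script, not part of Postfix, that reads
       a main.cf fragment the way the parameters above are documented: it
       resolves $name references (including the documented default of
       lmtp_sasl_tls_security_options = $lmtp_sasl_security_options),
       converts the s/m/h/d/w time units of the *_timeout parameters to
       seconds, and flags a SASL option set that leaves plaintext-password or
       anonymous mechanisms allowed. The embedded main.cf and the
       lmtp_sasl_passwd path are constructed sample values.

```python
import re

# Time units documented for every lmtp_*_timeout parameter on this page.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Documented defaults for the parameters this audit touches.
DEFAULTS = {
    "lmtp_sasl_auth_enable": "no",
    "lmtp_sasl_security_options": "noplaintext, noanonymous",
    "lmtp_sasl_tls_security_options": "$lmtp_sasl_security_options",
    "lmtp_connect_timeout": "0s",
    "lmtp_lhlo_timeout": "300s",
    "lmtp_data_done_timeout": "600s",
}

# Constructed sample main.cf fragment (not from any real deployment).
SAMPLE_MAIN_CF = """\
# constructed sample
lmtp_sasl_auth_enable = yes
lmtp_sasl_password_maps = hash:/etc/postfix/lmtp_sasl_passwd
lmtp_sasl_security_options = noanonymous
lmtp_sasl_tls_security_options =
    noplaintext,
    noanonymous
lmtp_data_done_timeout = 10m
lmtp_connect_timeout = 30s
my_timeout = 2m
lmtp_lhlo_timeout = ${my_timeout}
"""

# $name and ${name}; names are limited to [a-zA-Z0-9_].
_REF = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def parse_main_cf(text):
    """Return {parameter: raw value}. A logical line is 'name = value';
    a line starting with whitespace continues the previous logical line;
    empty lines and '#' comment lines are skipped."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # not a 'name = value' line; Postfix would warn
        current = name.strip()
        params[current] = value.strip()
    return {k: v.strip() for k, v in params.items()}


def expand(params, name, depth=0):
    """Recursively resolve $name / ${name}. Undefined parameters become
    empty; documented defaults fill in parameters main.cf does not set."""
    if depth > 16:
        raise ValueError("parameter reference loop at $%s" % name)
    value = params.get(name, DEFAULTS.get(name, ""))
    return _REF.sub(
        lambda m: expand(params, m.group(1) or m.group(2), depth + 1), value)


def parse_time(value):
    """'30s', '10m', '90d' or a bare number (default unit s) -> seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def timeouts_in_seconds(params, names=("lmtp_connect_timeout",
                                       "lmtp_lhlo_timeout",
                                       "lmtp_data_done_timeout")):
    """Effective timeouts in seconds, after expansion and defaults."""
    return {n: parse_time(expand(params, n)) for n in names}


def audit_sasl(params):
    """Flag SASL option sets that permit plaintext-password mechanisms on
    unencrypted sessions or anonymous logins; returns finding strings."""
    findings = []
    if expand(params, "lmtp_sasl_auth_enable").lower() != "yes":
        return findings  # no SASL authentication, nothing to check
    for param, required in (
        ("lmtp_sasl_security_options", ("noplaintext", "noanonymous")),
        ("lmtp_sasl_tls_security_options", ("noanonymous",)),
    ):
        have = {o.lower()
                for o in re.split(r"[\s,]+", expand(params, param)) if o}
        for opt in required:
            if opt not in have:
                findings.append("%s lacks %s" % (param, opt))
    return findings


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print(timeouts_in_seconds(cfg))
    for finding in audit_sasl(cfg):
        print("FINDING:", finding)
```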

lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)

       The LMTP-specific version of the smtp_sasl_tls_security_options
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_sasl_tls_verified_security_options (default: $lmtp_sasl_tls_security_options)

       The LMTP-specific version of the smtp_sasl_tls_verified_security_options
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_sasl_type (default: cyrus)

       The SASL plug-in type that the Postfix LMTP client should use for
       authentication. The available types are listed with the "postconf -A"
       command.

       This feature is available in Postfix 2.3 and later.

lmtp_send_dummy_mail_auth (default: no)

       The LMTP-specific version of the smtp_send_dummy_mail_auth
       configuration parameter. See there for details.

       This feature is available in Postfix 2.9 and later.

lmtp_send_xforward_command (default: no)

       Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
       server response announces XFORWARD support. This allows an lmtp(8)
       delivery agent, used for content filter message injection, to forward
       the name, address, protocol and HELO name of the original client to the
       content filter and downstream queuing LMTP server. Before you change
       the value to yes, it is best to make sure that your content filter
       supports this command.

       This feature is available in Postfix 2.1 and later.

lmtp_sender_dependent_authentication (default: no)

       The LMTP-specific version of the smtp_sender_dependent_authentication
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_skip_5xx_greeting (default: yes)

       The LMTP-specific version of the smtp_skip_5xx_greeting configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_skip_quit_response (default: no)

       Wait for the response to the LMTP QUIT command.

lmtp_starttls_timeout (default: 300s)

       The LMTP-specific version of the smtp_starttls_timeout configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tcp_port (default: 24)

       The default TCP port that the Postfix LMTP client connects to. Specify
       a symbolic name (see services(5)) or a numeric port.

lmtp_tls_CAfile (default: empty)

       The LMTP-specific version of the smtp_tls_CAfile configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_CApath (default: empty)

       The LMTP-specific version of the smtp_tls_CApath configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_block_early_mail_reply (default: empty)

       The LMTP-specific version of the smtp_tls_block_early_mail_reply
       configuration parameter. See there for details.

       This feature is available in Postfix 2.7 and later.

lmtp_tls_cert_file (default: empty)

       The LMTP-specific version of the smtp_tls_cert_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_chain_files (default: empty)

       The LMTP-specific version of the smtp_tls_chain_files configuration
       parameter. See there for details.

       This feature is available in Postfix 3.4 and later.

lmtp_tls_ciphers (default: medium)

       The LMTP-specific version of the smtp_tls_ciphers configuration
       parameter. See there for details.

       This feature is available in Postfix 2.6 and later.

lmtp_tls_connection_reuse (default: no)

       The LMTP-specific version of the smtp_tls_connection_reuse
       configuration parameter. See there for details.

       This feature is available in Postfix 3.4 and later.

lmtp_tls_dcert_file (default: empty)

       The LMTP-specific version of the smtp_tls_dcert_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_dkey_file (default: $lmtp_tls_dcert_file)

       The LMTP-specific version of the smtp_tls_dkey_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_eccert_file (default: empty)

       The LMTP-specific version of the smtp_tls_eccert_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.

lmtp_tls_eckey_file (default: empty)

       The LMTP-specific version of the smtp_tls_eckey_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.

lmtp_tls_enforce_peername (default: yes)

       The LMTP-specific version of the smtp_tls_enforce_peername
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_exclude_ciphers (default: empty)

       The LMTP-specific version of the smtp_tls_exclude_ciphers configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_fingerprint_cert_match (default: empty)

       The LMTP-specific version of the smtp_tls_fingerprint_cert_match
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_tls_fingerprint_digest (default: md5)

       The LMTP-specific version of the smtp_tls_fingerprint_digest
       configuration parameter. See there for details.

       This feature is available in Postfix 2.5 and later.

lmtp_tls_force_insecure_host_tlsa_lookup (default: no)

       The LMTP-specific version of the smtp_tls_force_insecure_host_tlsa_lookup
       configuration parameter. See there for details.

       This feature is available in Postfix 2.11 and later.

lmtp_tls_key_file (default: $lmtp_tls_cert_file)

       The LMTP-specific version of the smtp_tls_key_file configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_loglevel (default: 0)

       The LMTP-specific version of the smtp_tls_loglevel configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_mandatory_ciphers (default: medium)

       The LMTP-specific version of the smtp_tls_mandatory_ciphers
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_mandatory_exclude_ciphers (default: empty)

       The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

       The LMTP-specific version of the smtp_tls_mandatory_protocols
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_note_starttls_offer (default: no)

       The LMTP-specific version of the smtp_tls_note_starttls_offer
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_per_site (default: empty)

       The LMTP-specific version of the smtp_tls_per_site configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_policy_maps (default: empty)

       The LMTP-specific version of the smtp_tls_policy_maps configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_protocols (default: !SSLv2, !SSLv3)

       The LMTP-specific version of the smtp_tls_protocols configuration
       parameter. See there for details.

       This feature is available in Postfix 2.6 and later.

lmtp_tls_scert_verifydepth (default: 9)

       The LMTP-specific version of the smtp_tls_scert_verifydepth
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_secure_cert_match (default: nexthop)

       The LMTP-specific version of the smtp_tls_secure_cert_match
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_security_level (default: empty)

       The LMTP-specific version of the smtp_tls_security_level configuration
       parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_servername (default: empty)

       The LMTP-specific version of the smtp_tls_servername configuration
       parameter. See there for details.

       This feature is available in Postfix 3.4 and later.

lmtp_tls_session_cache_database (default: empty)

       The LMTP-specific version of the smtp_tls_session_cache_database
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_session_cache_timeout (default: 3600s)

       The LMTP-specific version of the smtp_tls_session_cache_timeout
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_tls_trust_anchor_file (default: empty)

       The LMTP-specific version of the smtp_tls_trust_anchor_file
       configuration parameter. See there for details.

       This feature is available in Postfix 2.11 and later.

lmtp_tls_verify_cert_match (default: hostname)

       The LMTP-specific version of the smtp_tls_verify_cert_match
       configuration parameter. See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_use_tls (default: no)

       The LMTP-specific version of the smtp_use_tls configuration parameter.
       See there for details.

       This feature is available in Postfix 2.3 and later.

lmtp_xforward_timeout (default: 300s)

       The Postfix LMTP client time limit for sending the XFORWARD command,
       and for receiving the remote LMTP server response.

       In case of problems the client does NOT try the next address on the
       mail exchanger list.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.

local_command_shell (default: empty)

       Optional shell program for local(8) delivery to non-Postfix command.
       By default, non-Postfix commands are executed directly; commands are
       given to the default shell (typically, /bin/sh) only when they contain
       shell meta characters or shell built-in commands.

       "sendmail's restricted shell" (smrsh) is what most people will use in
       order to restrict what programs can be run from e.g. .forward files
       (smrsh is part of the Sendmail distribution).

       Note: when a shell program is specified, it is invoked even when the
       command contains no shell built-in commands or meta characters.

       Example:

       local_command_shell = /some/where/smrsh -c
       local_command_shell = /bin/bash -c

local_delivery_status_filter (default: $default_delivery_status_filter)

       Optional filter for the local(8) delivery agent to change the status
       code or explanatory text of successful or unsuccessful deliveries. See
       default_delivery_status_filter for details.

       This feature is available in Postfix 3.0 and later.

local_destination_concurrency_limit (default: 2)

       The maximal number of parallel deliveries via the local mail delivery
       transport to the same recipient (when
       "local_destination_recipient_limit = 1") or the maximal number of
       parallel deliveries to the same local domain (when
       "local_destination_recipient_limit > 1"). This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.

       A low limit of 2 is recommended, just in case someone has an expensive
       shell command in a .forward file or in an alias (e.g., a mailing list
       manager). You don't want to run lots of those at the same time.

local_destination_recipient_limit (default: 1)

3295       The maximal number of recipients per message  delivery  via  the  local
3296       mail  delivery  transport. This limit is enforced by the queue manager.
3297       The message delivery transport name is the first field in the entry  in
3298       the master.cf file.
3299
3300       Setting this parameter to a value > 1 changes the meaning of local_des‐
3301       tination_concurrency_limit from concurrency per recipient into  concur‐
3302       rency per domain.
3303

local_header_rewrite_clients (default: permit_inet_interfaces)

3305       Rewrite  message header addresses in mail from these clients and update
3306       incomplete addresses with the domain name in  $myorigin  or  $mydomain;
3307       either  don't rewrite message headers from other clients at all, or re‐
3308       write message headers and update incomplete addresses with  the  domain
3309       specified in the remote_header_rewrite_domain parameter.
3310
3311       See  the  append_at_myorigin  and  append_dot_mydomain  parameters  for
3312       details of how domain names are appended to incomplete addresses.
3313
3314       Specify a list of zero or more of the following:
3315
3316       permit_inet_interfaces
3317              Append the domain name in $myorigin or $mydomain when the client
3318              IP address matches $inet_interfaces. This is enabled by default.
3319
3320       permit_mynetworks
3321              Append the domain name in $myorigin or $mydomain when the client
3322              IP address matches any network  or  network  address  listed  in
3323              $mynetworks.  This  setting  will not prevent remote mail header
3324              address rewriting when mail from a remote client is forwarded by
3325              a neighboring system.
3326
3327       permit_sasl_authenticated
3328              Append the domain name in $myorigin or $mydomain when the client
3329              is successfully authenticated via the RFC 4954 (AUTH) protocol.
3330
3331       permit_tls_clientcerts
3332              Append the domain name in $myorigin or $mydomain when the remote
3333              SMTP  client  TLS  certificate fingerprint or public key finger‐
3334              print (Postfix 2.9 and later) is listed  in  $relay_clientcerts.
3335              The   fingerprint  digest  algorithm  is  configurable  via  the
3336              smtpd_tls_fingerprint_digest parameter (hard-coded as md5  prior
3337              to Postfix version 2.5).
3338
3339       permit_tls_all_clientcerts
3340              Append the domain name in $myorigin or $mydomain when the remote
3341              SMTP client TLS certificate is successfully verified, regardless
3342              of  whether  it  is  listed on the server, and regardless of the
3343              certifying authority.
3344
       check_address_map type:table
       type:table
              Append the domain name in $myorigin or $mydomain when the client
              IP address matches the specified lookup table. The lookup result
              is ignored, and no subnet lookup is done. This is suitable for,
              e.g., pop-before-smtp lookup tables.
3352
3353       Examples:
3354
3355       The  Postfix < 2.2 backwards compatible setting: always rewrite message
3356       headers,  and  always  append  my  own  domain  to  incomplete   header
3357       addresses.
3358
3359           local_header_rewrite_clients = static:all
3360
3361       The  purist  (and  default)  setting: rewrite headers only in mail from
3362       Postfix sendmail and in SMTP mail from this machine.
3363
3364           local_header_rewrite_clients = permit_inet_interfaces
3365
3366       The intermediate setting: rewrite header addresses and append $myorigin
3367       or  $mydomain  information  only  with mail from Postfix sendmail, from
3368       local clients, or from authorized SMTP clients.
3369
3370       Note: this setting will not prevent remote mail header address  rewrit‐
3371       ing  when  mail from a remote client is forwarded by a neighboring sys‐
3372       tem.
3373
3374           local_header_rewrite_clients = permit_mynetworks,
3375               permit_sasl_authenticated permit_tls_clientcerts
3376               check_address_map hash:/etc/postfix/pop-before-smtp
3377
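       The list above, worked through as an added example (not Postfix code):
       a Python model of how local_header_rewrite_clients is evaluated for one
       SMTP client. The network ranges, the relay_clientcerts fingerprint and
       the pop-before-smtp table contents are constructed for the example, and
       the client dictionary is a hypothetical summary of what smtpd(8) knows
       about the peer. The model also shows the caveat stated under
       permit_mynetworks: only the immediate client is examined, so a
       $mynetworks neighbor relaying mail from the Internet still triggers
       rewriting.

```python
import ipaddress
import re

# Constructed sample configuration for the model below; not from a real host.
SAMPLE_CFG = {
    "inet_interfaces": ["127.0.0.1", "203.0.113.10"],
    "mynetworks": ["127.0.0.0/8", "192.168.1.0/24"],
    "relay_clientcerts": {"3C:9B:1F:00"},          # hypothetical fingerprint
    # Hypothetical pop-before-smtp table: key is the client IP, value ignored.
    "tables": {"hash:/etc/postfix/pop-before-smtp": {"198.51.100.7": "ok"}},
}


def parse_policy(value):
    """Split a local_header_rewrite_clients value on commas/whitespace and
    glue 'check_address_map' to the type:table token that follows it."""
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    items, i = [], 0
    while i < len(tokens):
        if tokens[i] == "check_address_map" and i + 1 < len(tokens):
            items.append("check_address_map " + tokens[i + 1])
            i += 2
        else:
            items.append(tokens[i])
            i += 1
    return items


def _in_networks(ip, networks):
    # Plain CIDR / single-address notation only; Postfix's [ipv6]/len
    # spelling is not handled in this model.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _table_matches(cfg, table, key):
    if table.startswith("static:"):
        return True                      # static:all: every lookup succeeds
    # Exact-key lookup: no subnet lookup, and the lookup result is ignored.
    return key in cfg["tables"].get(table, {})


def rewrite_headers(client, policy, cfg=SAMPLE_CFG):
    """True when Postfix would rewrite header addresses for this client.
    `client` carries what smtpd(8) knows: peer IP, whether SASL succeeded,
    the TLS certificate fingerprint, and whether the certificate verified.
    Only the immediate client is examined, so a $mynetworks neighbour that
    forwards mail from the Internet still counts as local here."""
    for item in policy:
        if item == "permit_inet_interfaces":
            if _in_networks(client["ip"], cfg["inet_interfaces"]):
                return True
        elif item == "permit_mynetworks":
            if _in_networks(client["ip"], cfg["mynetworks"]):
                return True
        elif item == "permit_sasl_authenticated":
            if client.get("sasl"):
                return True
        elif item == "permit_tls_clientcerts":
            if client.get("fingerprint") in cfg["relay_clientcerts"]:
                return True
        elif item == "permit_tls_all_clientcerts":
            if client.get("cert_verified"):
                return True
        else:
            # "check_address_map type:table" or a bare "type:table".
            table = item.split(None, 1)[1] if item.startswith("check_address_map ") else item
            if _table_matches(cfg, table, client["ip"]):
                return True
    return False


# The "intermediate" setting from the manual, parsed from its main.cf form.
INTERMEDIATE = parse_policy(
    "permit_mynetworks, permit_sasl_authenticated permit_tls_clientcerts "
    "check_address_map hash:/etc/postfix/pop-before-smtp")

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.5", "198.51.100.7", "198.51.100.8"):
        print(ip, rewrite_headers({"ip": ip}, ["permit_inet_interfaces"]),
              rewrite_headers({"ip": ip}, INTERMEDIATE))
```

       rewrite_headers() returns as soon as one list entry matches, which is
       the first-match behavior of a Postfix list; with the default policy
       only the machine's own addresses qualify, while the intermediate policy
       also accepts the 192.168.1.0/24 neighbor regardless of where the mail
       it relays came from.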

local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)

3379       Lookup tables with all names or addresses of local recipients: a recip‐
3380       ient   address   is  local  when  its  domain  matches  $mydestination,
3381       $inet_interfaces or $proxy_interfaces.  Specify @domain as a  wild-card
3382       for  domains  that  do  not  have a valid recipient list.  Technically,
3383       tables listed with $local_recipient_maps are  used  as  lists:  Postfix
3384       needs  to know only if a lookup string is found or not, but it does not
3385       use the result from table lookup.
3386
3387       Specify zero or more "type:name" lookup tables, separated by whitespace
3388       or  comma. Tables will be searched in the specified order until a match
3389       is found.
3390
3391       If this parameter is non-empty (the default),  then  the  Postfix  SMTP
3392       server will reject mail for unknown local users.
3393
3394       To  turn off local recipient checking in the Postfix SMTP server, spec‐
3395       ify "local_recipient_maps =" (i.e. empty).
3396
3397       The default setting assumes that you  use  the  default  Postfix  local
3398       delivery agent for local delivery. You need to update the local_recipi‐
3399       ent_maps setting if:
3400
3401       ·      You redefine the local delivery agent in master.cf.
3402
3403       ·      You redefine the "local_transport" setting in main.cf.
3404
3405       ·      You  use  the  "luser_relay",  "mailbox_transport",  or   "fall‐
3406              back_transport" feature of the Postfix local(8) delivery agent.
3407
3408       Details are described in the LOCAL_RECIPIENT_README file.
3409
       Beware: if the Postfix SMTP server runs chrooted, you need to access
       the passwd file via the proxymap(8) service, in order to overcome
       chroot access restrictions. The alternative, maintaining a copy of the
       system password file in the chroot jail, is not practical.
3414
3415       Examples:
3416
3417       local_recipient_maps =
3418

local_transport (default: local:$myhostname)

3420       The default mail delivery transport and next-hop destination for  final
3421       delivery to domains listed with mydestination, and for [ipaddress] des‐
3422       tinations  that  match  $inet_interfaces  or  $proxy_interfaces.   This
3423       information can be overruled with the transport(5) table.
3424
       By default, local mail is delivered to the transport called "local",
       which is just the name of a service that is defined in the master.cf
       file.
3427
3428       Specify a string of the form transport:nexthop, where transport is  the
3429       name  of  a mail delivery transport defined in master.cf.  The :nexthop
3430       destination is optional; its syntax is documented in the manual page of
3431       the corresponding delivery agent.
3432
3433       Beware:  if you override the default local delivery agent then you need
3434       to review  the  LOCAL_RECIPIENT_README  document,  otherwise  the  SMTP
3435       server may reject mail for local recipients.
3436

luser_relay (default: empty)

3438       Optional  catch-all  destination  for  unknown local(8) recipients.  By
3439       default, mail for unknown recipients in domains that match  $mydestina‐
3440       tion,  $inet_interfaces  or $proxy_interfaces is returned as undeliver‐
3441       able.
3442
3443       The luser_relay value is not subject to Postfix configuration parameter
3444       $name expansion. Instead, the following $name expansions are done:
3445
3446       $domain
3447              The recipient domain.
3448
3449       $extension
3450              The recipient address extension.
3451
3452       $home  The recipient's home directory.
3453
3454       $local The entire recipient address localpart.
3455
3456       $recipient
3457              The full recipient address.
3458
3459       $recipient_delimiter
3460              The  address extension delimiter that was found in the recipient
3461              address (Postfix 2.11 and later), or the  system-wide  recipient
3462              address extension delimiter (Postfix 2.10 and earlier).
3463
3464       $shell The recipient's login shell.
3465
3466       $user  The recipient username.
3467
3468       ${name?value}
3469              Expands to value when $name has a non-empty value.
3470
3471       ${name:value}
3472              Expands to value when $name has an empty value.
3473
3474       Instead of $name you can also specify ${name} or $(name).
3475
3476       Note: luser_relay works only for the Postfix local(8) delivery agent.
3477
3478       Note:  if  you  use  this feature for accounts not in the UNIX password
3479       file, then you must specify "local_recipient_maps ="  (i.e.  empty)  in
3480       the  main.cf  file,  otherwise the Postfix SMTP server will reject mail
3481       for non-UNIX accounts with "User unknown in local recipient table".
3482
3483       Examples:
3484
3485       luser_relay = $user@other.host
3486       luser_relay = $local@other.host
3487       luser_relay = admin+$local
3488
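       The expansion rules above, as an added example that is not Postfix
       code: a small Python model of how local(8) expands a luser_relay value
       against per-recipient attributes. The attribute values are constructed
       sample data, and a nested ${...} inside the value part of ${name?value}
       or ${name:value} is not modelled. The last sample shows the point of
       the note above: "$myorigin" is not a recipient attribute, so it does
       not expand to the main.cf value.

```python
import re

# Constructed per-recipient attributes, standing in for what local(8)
# knows about one delivery; not output from a real Postfix system.
SAMPLE_ATTRS = {
    "domain": "example.com",
    "extension": "lists",
    "home": "/home/alice",
    "local": "alice+lists",
    "recipient": "alice+lists@example.com",
    "recipient_delimiter": "+",
    "shell": "/bin/sh",
    "user": "alice",
}

# $name, ${name}, $(name), ${name?value} and ${name:value}.  A value inside
# the conditional forms may use $name but not a nested ${...} (simplification).
_TOKEN = re.compile(
    r"\$(?:"
    r"(?P<bare>[A-Za-z0-9_]+)"
    r"|\{(?P<brace>[A-Za-z0-9_]+)\}"
    r"|\((?P<paren>[A-Za-z0-9_]+)\)"
    r"|\{(?P<cname>[A-Za-z0-9_]+)(?P<op>[?:])(?P<val>[^{}]*)\}"
    r")"
)


def expand_luser_relay(template, attrs):
    """Expand a luser_relay value against per-recipient attributes.
    Names that are not recipient attributes (including main.cf parameter
    names such as myorigin) expand to the empty string."""
    def repl(m):
        name = m.group("bare") or m.group("brace") or m.group("paren")
        if name is not None:
            return attrs.get(name, "")
        current = attrs.get(m.group("cname"), "")
        # '?' selects the value when $name is non-empty, ':' when it is empty.
        wanted_nonempty = m.group("op") == "?"
        if wanted_nonempty == bool(current):
            return expand_luser_relay(m.group("val"), attrs)
        return ""
    return _TOKEN.sub(repl, template)


if __name__ == "__main__":
    for tmpl in ("$user@other.host", "$local@other.host", "admin+$local",
                 "${user}${extension?+$extension}@$domain", "$myorigin"):
        print(f"{tmpl!r:45} -> {expand_luser_relay(tmpl, SAMPLE_ATTRS)!r}")
```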

mail_name (default: Postfix)

3490       The mail system name that is displayed in  Received:  headers,  in  the
3491       SMTP greeting banner, and in bounced mail.
3492

mail_owner (default: postfix)

3494       The  UNIX  system  account that owns the Postfix queue and most Postfix
3495       daemon processes.  Specify the name of  an  unprivileged  user  account
3496       that  does  not  share a user or group ID with other accounts, and that
3497       owns no other files or processes on the system.  In  particular,  don't
3498       specify nobody or daemon.  PLEASE USE A DEDICATED USER ID AND GROUP ID.
3499
       When this parameter value is changed you need to re-run "postfix
       set-permissions" (with Postfix version 2.0 and earlier: "/etc/postfix/
       post-install set-permissions").
3503

mail_release_date (default: see postconf -d output)

3505       The Postfix release date, in "YYYYMMDD" format.
3506

mail_spool_directory (default: see postconf -d output)

3508       The directory where local(8) UNIX-style mailboxes are kept. The default
3509       setting depends on the system type. Specify a  name  ending  in  /  for
3510       maildir-style delivery.
3511
3512       Note:  maildir  delivery  is done with the privileges of the recipient.
3513       If you use the mail_spool_directory setting for maildir style delivery,
3514       then  you must create the top-level maildir directory in advance. Post‐
3515       fix will not create it.
3516
3517       Examples:
3518
3519       mail_spool_directory = /var/mail
3520       mail_spool_directory = /var/spool/mail
3521

mail_version (default: see postconf -d output)

3523       The  version  of  the  mail   system.   Stable   releases   are   named
3524       major.minor.patchlevel.  Experimental releases also include the release
3525       date. The version string can be used in, for example, the SMTP greeting
3526       banner.
3527

mailbox_command (default: empty)

3529       Optional  external  command that the local(8) delivery agent should use
3530       for mailbox delivery.  The command is run with the user ID and the pri‐
3531       mary group ID privileges of the recipient.  Exception: command delivery
       for root executes with $default_privs privileges.  This is not a
       problem, because 1) mail for root should always be aliased to a real
       user, and 2) you should not log in as root anyway; use "su" instead.
3535
3536       The following environment variables are exported to the command:
3537
3538       CLIENT_ADDRESS
3539              Remote client network address. Available in Postfix version  2.2
3540              and later.
3541
3542       CLIENT_HELO
3543              Remote  client EHLO command parameter. Available in Postfix ver‐
3544              sion 2.2 and later.
3545
3546       CLIENT_HOSTNAME
3547              Remote client hostname. Available in  Postfix  version  2.2  and
3548              later.
3549
3550       CLIENT_PROTOCOL
3551              Remote  client  protocol.  Available  in Postfix version 2.2 and
3552              later.
3553
3554       DOMAIN The domain part of the recipient address.
3555
3556       EXTENSION
3557              The optional address extension.
3558
3559       HOME   The recipient home directory.
3560
3561       LOCAL  The recipient address localpart.
3562
3563       LOGNAME
3564              The recipient's username.
3565
3566       ORIGINAL_RECIPIENT
3567              The entire recipient address, before any  address  rewriting  or
3568              aliasing.
3569
3570       RECIPIENT
3571              The full recipient address.
3572
3573       SASL_METHOD
3574              SASL  authentication  method specified in the remote client AUTH
3575              command. Available in Postfix version 2.2 and later.
3576
3577       SASL_SENDER
3578              SASL sender address specified in the  remote  client  MAIL  FROM
3579              command. Available in Postfix version 2.2 and later.
3580
3581       SASL_USER
3582              SASL  username  specified  in  the  remote  client AUTH command.
3583              Available in Postfix version 2.2 and later.
3584
3585       SENDER The full sender address.
3586
3587       SHELL  The recipient's login shell.
3588
3589       USER   The recipient username.
3590
3591       Unlike other  Postfix  configuration  parameters,  the  mailbox_command
3592       parameter  is  not subjected to $name substitutions. This is to make it
3593       easier to specify shell syntax (see example below).
3594
3595       If you can, avoid shell meta characters because they will force Postfix
3596       to  run an expensive shell process. If you're delivering via "procmail"
3597       then running a shell won't make a noticeable difference  in  the  total
3598       cost.
3599
3600       Note:  if  you  use  the  mailbox_command  feature to deliver mail sys‐
3601       tem-wide, you must set up an alias that forwards mail  for  root  to  a
3602       real user.
3603
3604       The  precedence  of  local(8)  delivery  features  from high to low is:
3605       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3606       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
3607       tory, fallback_transport_maps, fallback_transport and luser_relay.
3608
3609       Examples:
3610
3611       mailbox_command = /some/where/procmail
3612       mailbox_command = /some/where/procmail -a "$EXTENSION"
3613       mailbox_command = /some/where/maildrop -d "$USER"
3614               -f "$SENDER" "$EXTENSION"
3615

mailbox_command_maps (default: empty)

3617       Optional lookup tables with per-recipient external commands to use  for
3618       local(8) mailbox delivery.  Behavior is as with mailbox_command.
3619
3620       The  precedence  of  local(8)  delivery  features  from high to low is:
3621       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3622       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
3623       tory, fallback_transport_maps, fallback_transport and luser_relay.
3624
3625       Specify zero or more "type:name" lookup tables, separated by whitespace
3626       or  comma. Tables will be searched in the specified order until a match
3627       is found.
3628

mailbox_delivery_lock (default: see postconf -d output)

3630       How to lock a UNIX-style local(8) mailbox before  attempting  delivery.
3631       For  a  list  of  available file locking methods, use the "postconf -l"
3632       command.
3633
3634       This setting is ignored  with  maildir  style  delivery,  because  such
3635       deliveries are safe without explicit locks.
3636
3637       Note:  The  dotlock  method  requires that the recipient UID or GID has
3638       write access to the parent directory of the mailbox file.
3639
3640       Note: the default setting of this parameter is system dependent.
3641

mailbox_size_limit (default: 51200000)

3643       The maximal size of any local(8) individual mailbox or maildir file, or
3644       zero  (no  limit).   In  fact, this limits the size of any file that is
3645       written to upon local delivery, including  files  written  by  external
3646       commands that are executed by the local(8) delivery agent.
3647
3648       This limit must not be smaller than the message size limit.
3649

mailbox_transport (default: empty)

3651       Optional  message  delivery  transport that the local(8) delivery agent
3652       should use for mailbox delivery to all local recipients, whether or not
3653       they are found in the UNIX passwd database.
3654
3655       The  precedence  of  local(8)  delivery  features  from high to low is:
3656       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3657       mailbox_command_maps,  mailbox_command, home_mailbox, mail_spool_direc‐
3658       tory, fallback_transport_maps, fallback_transport and luser_relay.
3659

mailbox_transport_maps (default: empty)

3661       Optional lookup tables with per-recipient message  delivery  transports
3662       to use for local(8) mailbox delivery, whether or not the recipients are
3663       found in the UNIX passwd database.
3664
3665       The precedence of local(8) delivery  features  from  high  to  low  is:
3666       aliases,  .forward  files,  mailbox_transport_maps,  mailbox_transport,
3667       mailbox_command_maps, mailbox_command, home_mailbox,  mail_spool_direc‐
3668       tory, fallback_transport_maps, fallback_transport and luser_relay.
3669
3670       Specify zero or more "type:name" lookup tables, separated by whitespace
3671       or comma. Tables will be searched in the specified order until a  match
3672       is found.
3673
3674       For  safety  reasons, this feature does not allow $number substitutions
3675       in regular expression maps.
3676
3677       This feature is available in Postfix 2.3 and later.
3678

maillog_file (default: empty)

3680       The name of an optional logfile that is written by  the  Postfix  post‐
3681       logd(8) service. An empty value selects logging to syslogd(8).  Specify
3682       "/dev/stdout" to select logging  to  standard  output.  Stdout  logging
3683       requires that Postfix is started with "postfix start-fg".
3684
3685       Note  1: The maillog_file parameter value must contain a prefix that is
3686       specified with the maillog_file_prefixes parameter.
3687
3688       Note 2: Some Postfix non-daemon programs may still log  information  to
3689       syslogd(8),  before  they have processed their configuration parameters
3690       and command-line options.
3691
3692       This feature is available in Postfix 3.4 and later.
3693

maillog_file_compressor (default: gzip)

3695       The program to run after rotating $maillog_file  with  "postfix  logro‐
3696       tate".  The  command  is run with the rotated logfile name as its first
3697       argument.
3698
3699       This feature is available in Postfix 3.4 and later.
3700

maillog_file_prefixes (default: /var, /dev/stdout)

3702       A list of allowed prefixes for a maillog_file value. This is  a  safety
3703       feature  to  contain  the  damage  from a single configuration mistake.
3704       Specify one or more prefix strings, separated by comma or whitespace.
3705
3706       This feature is available in Postfix 3.4 and later.
3707

maillog_file_rotate_suffix (default: %Y%m%d-%H%M%S)

3709       The format of the suffix to append to $maillog_file while rotating  the
3710       file  with "postfix logrotate". See strftime(3) for syntax. The default
3711       suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.
3712
3713       This feature is available in Postfix 3.4 and later.
3714

mailq_path (default: see postconf -d output)

3716       Sendmail  compatibility  feature  that  specifies  where  the   Postfix
3717       mailq(1)  command  is  installed.  This command can be used to list the
3718       Postfix mail queue.
3719

manpage_directory (default: see postconf -d output)

3721       Where the Postfix manual pages are installed.
3722

maps_rbl_domains (default: empty)

3724       Obsolete feature: use the reject_rbl_client feature instead.
3725

maps_rbl_reject_code (default: 554)

3727       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
3728       client     request     is    blocked    by    the    reject_rbl_client,
3729       reject_rhsbl_client,  reject_rhsbl_reverse_client,  reject_rhsbl_sender
3730       or reject_rhsbl_recipient restriction.
3731
3732       Do  not  change  this  unless  you have a complete understanding of RFC
3733       5321.
3734

masquerade_classes (default: envelope_sender, header_sender, header_recipient)

3736
3737       What addresses are subject to address masquerading.
3738
3739       By   default,  address  masquerading  is  limited  to  envelope  sender
3740       addresses, and to header sender and header recipient  addresses.   This
3741       allows  you  to  use address masquerading on a mail gateway while still
3742       being able to forward mail to users on individual machines.
3743
3744       Specify  zero  or   more   of:   envelope_sender,   envelope_recipient,
3745       header_sender, header_recipient
3746

masquerade_domains (default: empty)

3748       Optional list of domains whose subdomain structure will be stripped off
3749       in email addresses.
3750
3751       The list is processed left to right, and processing stops at the  first
3752       match.  Thus,
3753
3754           masquerade_domains = foo.example.com example.com
3755
3756       strips  "user@any.thing.foo.example.com" to "user@foo.example.com", but
3757       strips "user@any.thing.else.example.com" to "user@example.com".
3758
3759       A domain name prefixed with ! means do not masquerade  this  domain  or
3760       its subdomains. Thus,
3761
3762           masquerade_domains = !foo.example.com example.com
3763
3764       does  not  change  "user@any.thing.foo.example.com"  or "user@foo.exam‐
3765       ple.com", but strips "user@any.thing.else.example.com"  to  "user@exam‐
3766       ple.com".
3767
       Note: with Postfix version 2.2 and later, message header address
       masquerading happens only when message header address rewriting is
       enabled:
3770
3771       ·      The message is received with the Postfix sendmail(1) command,
3772
3773       ·      The message is received  from  a  network  client  that  matches
3774              $local_header_rewrite_clients,
3775
3776       ·      The   message   is   received   from   the   network,   and  the
3777              remote_header_rewrite_domain  parameter  specifies  a  non-empty
3778              value.
3779
3780       To   get   the   behavior   before   Postfix   version   2.2,   specify
3781       "local_header_rewrite_clients = static:all".
3782
3783       Example:
3784
3785       masquerade_domains = $mydomain
3786

masquerade_exceptions (default: empty)

3788       Optional list of user names that are  not  subjected  to  address  mas‐
3789       querading, even when their addresses match $masquerade_domains.
3790
3791       By default, address masquerading makes no exceptions.
3792
3793       Specify  a  list  of user names, "/file/name" or "type:table" patterns,
3794       separated by commas and/or whitespace. The  list  is  matched  left  to
3795       right,  and the search stops on the first match. A "/file/name" pattern
3796       is replaced by its contents; a "type:table"  lookup  table  is  matched
3797       when  a name matches a lookup key (the lookup result is ignored).  Con‐
3798       tinue long lines by starting the next  line  with  whitespace.  Specify
3799       "!pattern"  to  exclude a name from the list. The form "!/file/name" is
3800       supported only in Postfix version 2.4 and later.
3801
3802       Examples:
3803
3804       masquerade_exceptions = root, mailer-daemon
3805       masquerade_exceptions = root
3806
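       The masquerade_domains and masquerade_exceptions rules above, as an
       added example that is not Postfix code: a Python model of one address
       being masqueraded. It reproduces the two worked cases from the
       masquerade_domains text (left-to-right scan, first match wins, "!"
       protects a domain and its subdomains) and the user-name exceptions,
       including a "!pattern" entry. Only literal user names are modelled
       for the exceptions, not "/file/name" or "type:table" patterns, and the
       masquerade_classes selection is left to the caller.

```python
def matches_user_list(user, patterns):
    """masquerade_exceptions matchlist: scan left to right and stop at the
    first match; a '!pattern' entry means the user is *not* excepted."""
    for pat in patterns:
        negate = pat.startswith("!")
        name = pat[1:] if negate else pat
        if user.lower() == name.lower():
            return not negate
    return False


def masquerade_address(address, masquerade_domains, masquerade_exceptions=()):
    """Rewrite one address the way masquerade_domains does: the domain list
    is scanned left to right, the first entry equal to the address's domain
    or a parent of it wins, and a '!domain' entry leaves that domain and its
    subdomains untouched. Users matched by masquerade_exceptions are skipped.
    Which address classes get this treatment (masquerade_classes) is not
    modelled: the caller decides which addresses to pass in."""
    if "@" not in address:
        return address
    user, domain = address.rsplit("@", 1)
    if matches_user_list(user, masquerade_exceptions):
        return address
    dl = domain.lower()
    for entry in masquerade_domains:
        negate = entry.startswith("!")
        target = entry[1:] if negate else entry
        tl = target.lower()
        # Match the domain itself or any subdomain of it, never "notexample.com".
        if dl == tl or dl.endswith("." + tl):
            return address if negate else f"{user}@{target}"
    return address


if __name__ == "__main__":
    for domains in (["foo.example.com", "example.com"],
                    ["!foo.example.com", "example.com"]):
        for addr in ("user@any.thing.foo.example.com",
                     "user@any.thing.else.example.com",
                     "root@host.example.com"):
            print(domains, addr, "->",
                  masquerade_address(addr, domains, ["root", "mailer-daemon"]))
```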

master_service_disable (default: empty)

3808       Selectively disable master(8) listener ports by service type or by ser‐
3809       vice  name  and type.  Specify a list of service types ("inet", "unix",
3810       "fifo", or "pass") or "name/type" tuples, where  "name"  is  the  first
3811       field  of a master.cf entry and "type" is a service type. As with other
3812       Postfix matchlists, a search stops at the first match.  Specify  "!pat‐
3813       tern"  to  exclude  a  service from the list. By default, all master(8)
3814       listener ports are enabled.
3815
3816       Note: this feature does not support "/file/name" or  "type:table"  pat‐
3817       terns,  nor  does  it  support  wildcards such as "*" or "all". This is
3818       intentional.
3819
3820       Examples:
3821
3822       # With Postfix 2.6..2.10 use '.' instead of '/'.
3823       # Turn on all master(8) listener ports (the default).
3824       master_service_disable =
3825       # Turn off only the main SMTP listener port.
3826       master_service_disable = smtp/inet
3827       # Turn off all TCP/IP listener ports.
3828       master_service_disable = inet
3829       # Turn off all TCP/IP listener ports except "foo".
3830       master_service_disable = !foo/inet, inet
3831
3832       This feature is available in Postfix 2.6 and later.
3833

max_idle (default: 100s)

3835       The maximum amount of time that an idle Postfix  daemon  process  waits
3836       for an incoming connection before terminating voluntarily.  This param‐
3837       eter is ignored by the Postfix queue manager and  by  other  long-lived
3838       Postfix daemon processes.
3839
3840       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3841       The default time unit is s (seconds).
3842

max_use (default: 100)

3844       The maximal number  of  incoming  connections  that  a  Postfix  daemon
3845       process will service before terminating voluntarily.  This parameter is
3846       ignored by the Postfix queue manager and by  other  long-lived  Postfix
3847       daemon processes.
3848

maximal_backoff_time (default: 4000s)

3850       The maximal time between attempts to deliver a deferred message.
3851
3852       This parameter should be set to a value greater than or equal to $mini‐
3853       mal_backoff_time. See also $queue_run_delay.
3854
3855       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
3856       The default time unit is s (seconds).
3857

maximal_queue_lifetime (default: 5d)

3859       Consider  a message as undeliverable, when delivery fails with a tempo‐
3860       rary  error,  and  the  time  in  the  queue  has  reached  the   maxi‐
3861       mal_queue_lifetime limit.
3862
3863       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
3864       The default time unit is d (days).
3865
3866       Specify 0 when mail delivery should be tried only once.
3867

message_drop_headers (default: bcc, content-length, resent-bcc, return-path)

3869       Names of message headers that the cleanup(8) daemon will  remove  after
3870       applying header_checks(5) and before invoking Milter applications.  The
3871       default setting is compatible with Postfix < 3.0.
3872
3873       Specify a list of header names, separated by comma or space.  Names are
3874       matched  in  a  case-insensitive  manner.  The list of supported header
3875       names is limited only by available memory.
3876
3877       This feature is available in Postfix 3.0 and later.
3878

message_reject_characters (default: empty)

3880       The set of characters that Postfix will reject in message content.  The
3881       usual C-like escape sequences are recognized: \a \b \f \n \r \t \v \ddd
3882       (up to three octal digits) and \\.
3883
3884       Note 1: this feature does not recognize text that requires MIME  decod‐
3885       ing.  It  inspects  raw  message  content,  just like header_checks and
3886       body_checks.
3887
3888       Note 2: this  feature  is  disabled  with  "receive_override_options  =
3889       no_header_body_checks".
3890
3891       Example:
3892
3893       message_reject_characters = \0
3894
3895       This feature is available in Postfix 2.3 and later.
3896

message_size_limit (default: 10240000)

3898       The maximal size in bytes of a message, including envelope information.
3899
3900       Note:  be  careful  when making changes.  Excessively small values will
3901       result in the loss of non-delivery notifications, when a bounce message
3902       size exceeds the local or remote MTA's message size limit.
3903

message_strip_characters (default: empty)

3905       The  set  of  characters that Postfix will remove from message content.
3906       The usual C-like escape sequences are recognized: \a \b \f \n \r \t  \v
3907       \ddd (up to three octal digits) and \\.
3908
3909       Note  1: this feature does not recognize text that requires MIME decod‐
3910       ing. It inspects raw  message  content,  just  like  header_checks  and
3911       body_checks.
3912
3913       Note  2:  this  feature  is  disabled  with "receive_override_options =
3914       no_header_body_checks".
3915
3916       Example:
3917
3918       message_strip_characters = \0
3919
3920       This feature is available in Postfix 2.3 and later.
3921
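       The escape syntax shared by message_reject_characters and
       message_strip_characters, as an added example that is not Postfix
       code: a Python parser for the \a \b \f \n \r \t \v \ddd and \\ forms,
       followed by a model of applying both parameters to raw message bytes.
       The sample messages are constructed; the model checks the reject set
       before stripping, an ordering chosen for the example. The base64
       sample illustrates Note 1: a NUL hidden inside an encoded body part
       is not seen, because only the raw, undecoded content is inspected.

```python
import base64

_SIMPLE = {"a": "\a", "b": "\b", "f": "\f", "n": "\n", "r": "\r",
           "t": "\t", "v": "\v", "\\": "\\"}
_OCTAL = "01234567"


def unescape_charset(spec):
    """Parse a message_reject_characters / message_strip_characters value
    into the set of single characters it denotes. Handles \\a \\b \\f \\n
    \\r \\t \\v, \\ddd (one to three octal digits) and \\\\; any other
    escaped character stands for itself, and a trailing lone backslash is
    dropped."""
    chars, i = set(), 0
    while i < len(spec):
        ch = spec[i]
        if ch != "\\":
            chars.add(ch)
            i += 1
        elif i + 1 == len(spec):
            break
        elif spec[i + 1] in _SIMPLE:
            chars.add(_SIMPLE[spec[i + 1]])
            i += 2
        elif spec[i + 1] in _OCTAL:
            j = i + 1
            while j < len(spec) and j < i + 4 and spec[j] in _OCTAL:
                j += 1
            chars.add(chr(int(spec[i + 1:j], 8) & 0xFF))
            i = j
        else:
            chars.add(spec[i + 1])
            i += 2
    return chars


def apply_to_raw(raw, reject_spec, strip_spec):
    """Apply both parameters to raw (undecoded) message bytes. The reject
    set is checked first in this model; returns (accepted, content)."""
    reject = {ord(c) for c in unescape_charset(reject_spec)}
    strip = {ord(c) for c in unescape_charset(strip_spec)}
    if any(b in reject for b in raw):
        return False, raw
    return True, bytes(b for b in raw if b not in strip)


# Constructed samples: the same NUL byte, once literal and once base64-coded.
RAW_NUL = b"Subject: test\r\n\r\nhello\x00world\r\n"
B64_NUL = (b"Subject: test\r\nContent-Transfer-Encoding: base64\r\n\r\n"
           + base64.b64encode(b"hello\x00world") + b"\r\n")

if __name__ == "__main__":
    print(sorted(unescape_charset(r"\0\r\\")))
    print(apply_to_raw(RAW_NUL, r"\0", ""))
    print(apply_to_raw(RAW_NUL, "", r"\0"))
    print(apply_to_raw(B64_NUL, r"\0", ""))   # accepted: no raw NUL byte
```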

meta_directory (default: see 'postconf -d' output)

       The location of non-executable files that are shared among multiple
       Postfix instances, such as postfix-files, dynamicmaps.cf, and the
       multi-instance template files main.cf.proto and master.cf.proto. This
       directory should contain only Postfix-related files. Typically, the
       meta_directory parameter has the same default as the config_directory
       parameter (/etc/postfix or /usr/local/etc/postfix).

       For backwards compatibility with Postfix versions 2.6..2.11, specify
       "meta_directory = $daemon_directory" in main.cf before installing or
       upgrading Postfix, or specify "meta_directory = /path/name" on the
       "make makefiles", "make install" or "make upgrade" command line.

       This feature is available in Postfix 3.0 and later.


milter_command_timeout (default: 30s)

       The time limit for sending an SMTP command to a Milter (mail filter)
       application, and for receiving the response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.


milter_connect_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after
       completion of an SMTP connection. See MILTER_README for a list of
       available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_connect_timeout (default: 30s)

       The time limit for connecting to a Milter (mail filter) application,
       and for negotiating protocol options.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.


milter_content_timeout (default: 300s)

       The time limit for sending message content to a Milter (mail filter)
       application, and for receiving the response.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.3 and later.


milter_data_macros (default: see postconf -d output)

       The macros that are sent to version 4 or higher Milter (mail filter)
       applications after the SMTP DATA command. See MILTER_README for a list
       of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_default_action (default: tempfail)

       The default action when a Milter (mail filter) response is unavailable
       (for example, bad Postfix configuration or Milter failure). Specify one
       of the following:

       accept Proceed as if the mail filter was not present.

       reject Reject all further commands in this session with a permanent
              status code.

       tempfail
              Reject all further commands in this session with a temporary
              status code.

       quarantine
              Like "accept", but freeze the message in the "hold" queue.
              Available with Postfix 2.6 and later.

       This feature is available in Postfix 2.3 and later.


milter_end_of_data_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       message end-of-data. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_end_of_header_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       end of the message header. See MILTER_README for a list of available
       macro names and their meanings.

       This feature is available in Postfix 2.5 and later.


milter_header_checks (default: empty)

       Optional lookup tables for content inspection of message headers that
       are produced by Milter applications. See the header_checks(5) manual
       page for the available actions. Currently, PREPEND is not implemented.

       The following example sends all mail that is marked as SPAM to a spam
       handling machine. Note that matches are case-insensitive by default.

       /etc/postfix/main.cf:
           milter_header_checks = pcre:/etc/postfix/milter_header_checks

       /etc/postfix/milter_header_checks:
           /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25

       The milter_header_checks mechanism could also be used for whitelisting.
       For example, it could be used to skip heavy content inspection for
       DKIM-signed mail from known friendly domains.

       This feature is available in Postfix 2.7, and as an optional patch for
       Postfix 2.6.


milter_helo_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP HELO or EHLO command. See MILTER_README for a list of available
       macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_macro_daemon_name (default: $myhostname)

       The {daemon_name} macro value for Milter (mail filter) applications.
       See MILTER_README for a list of available macro names and their
       meanings.

       This feature is available in Postfix 2.3 and later.


milter_macro_defaults (default: empty)

       Optional list of name=value pairs that specify default values for
       arbitrary macros that Postfix may send to Milter applications. These
       defaults are used when there is no corresponding information from the
       message delivery context.

       Specify name=value or {name}=value pairs separated by comma or
       whitespace. Enclose a pair in "{}" when a value contains comma or
       whitespace (this form ignores whitespace after the enclosing "{",
       around the "=", and before the enclosing "}").

       This feature is available in Postfix 3.1 and later.

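       A parser for this value syntax, as an added example that is not Postfix
       code. The sample value and the resolve_macro() helper are constructed
       here, and stripping the optional "{}" around a macro name when building
       the dictionary is this example's own normalization.

```python
"""Parser for the milter_macro_defaults value syntax described above.

Added example, not Postfix code. It splits on comma or whitespace while
keeping "{...}" groups whole, accepts name=value, {name}=value and the
enclosed {name = value with spaces} form, and strips the optional braces
around a macro name when building the dictionary (that normalization is
this example's choice, not documented Postfix behaviour).
"""

SEPARATORS = ", \t\n"


def _matching_brace(text, start):
    """Index of the "}" closing the "{" at `start`, or -1 if unbalanced."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    return -1


def _tokenize(value):
    """Split on separators that are outside braces; braces must balance."""
    tokens, i = [], 0
    while i < len(value):
        while i < len(value) and value[i] in SEPARATORS:
            i += 1
        if i == len(value):
            break
        start, depth = i, 0
        while i < len(value) and (depth > 0 or value[i] not in SEPARATORS):
            if value[i] == "{":
                depth += 1
            elif value[i] == "}":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced '}' in: " + value)
            i += 1
        if depth != 0:
            raise ValueError("unbalanced '{' in: " + value)
        tokens.append(value[start:i])
    return tokens


def _parse_pair(token):
    if token.startswith("{") and _matching_brace(token, 0) == len(token) - 1:
        # Enclosed form {name=value}: whitespace after "{", around "=" and
        # before "}" is ignored, so the value may contain commas or spaces.
        name, sep, value = token[1:-1].strip().partition("=")
    else:
        # Bare form name=value or {name}=value; no separators inside it.
        name, sep, value = token.partition("=")
    if not sep:
        raise ValueError("missing '=' in macro default: " + token)
    name, value = name.strip(), value.strip()
    if name.startswith("{") and name.endswith("}"):
        name = name[1:-1].strip()
    if not name:
        raise ValueError("empty macro name in: " + token)
    return name, value


def parse_milter_macro_defaults(value):
    """Return {macro_name: default_value} for one main.cf parameter value."""
    return dict(_parse_pair(token) for token in _tokenize(value))


def resolve_macro(name, context, defaults):
    """Value to send: the delivery context wins, otherwise the default.

    Treating an empty context value as "no information" is this example's
    assumption.
    """
    return context.get(name) or defaults.get(name)


if __name__ == "__main__":
    # Constructed sample value, not from the manual page.
    defaults = parse_milter_macro_defaults(
        "{auth_type}=none, daemon_name=mta1 {client_name = unknown host}, "
        "{ {cert_subject} = CN=relay, O=Example }")
    print(defaults)
    print(resolve_macro("client_name", {"client_name": ""}, defaults))
```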

milter_macro_v (default: $mail_name $mail_version)

       The {v} macro value for Milter (mail filter) applications. See
       MILTER_README for a list of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_mail_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP MAIL FROM command. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_protocol (default: 6)

       The mail filter protocol version and optional protocol extensions for
       communication with a Milter application; prior to Postfix 2.6 the
       default protocol is 2. Postfix sends this version number during the
       initial protocol handshake. It should match the version number that is
       expected by the mail filter application (or by its Milter library).

       Protocol versions:

       2      Use Sendmail 8 mail filter protocol version 2 (default with
              Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. 2.5).

       3      Use Sendmail 8 mail filter protocol version 3.

       4      Use Sendmail 8 mail filter protocol version 4.

       6      Use Sendmail 8 mail filter protocol version 6 (default with
              Sendmail version 8.14 and Postfix version 2.6).

       Protocol extensions:

       no_header_reply
              Specify this when the Milter application will not reply for each
              individual message header.

       This feature is available in Postfix 2.3 and later.


milter_rcpt_macros (default: see postconf -d output)

       The macros that are sent to Milter (mail filter) applications after the
       SMTP RCPT TO command. See MILTER_README for a list of available macro
       names and their meanings.

       This feature is available in Postfix 2.3 and later.


milter_unknown_command_macros (default: see postconf -d output)

       The macros that are sent to version 3 or higher Milter (mail filter)
       applications after an unknown SMTP command. See MILTER_README for a
       list of available macro names and their meanings.

       This feature is available in Postfix 2.3 and later.


mime_boundary_length_limit (default: 2048)

       The maximal length of MIME multipart boundary strings. The MIME
       processor is unable to distinguish between boundary strings that do not
       differ in the first $mime_boundary_length_limit characters.

       This feature is available in Postfix 2.0 and later.


mime_header_checks (default: $header_checks)

       Optional lookup tables for content inspection of MIME related message
       headers, as described in the header_checks(5) manual page.

       This feature is available in Postfix 2.0 and later.


mime_nesting_limit (default: 100)

       The maximal recursion level that the MIME processor will handle.
       Postfix refuses mail that is nested deeper than the specified limit.

       This feature is available in Postfix 2.0 and later.


minimal_backoff_time (default: 300s)

       The minimal time between attempts to deliver a deferred message; prior
       to Postfix 2.4 the default value was 1000s.

       This parameter also limits the time an unreachable destination is kept
       in the short-term, in-memory, destination status cache.

       This parameter should be set greater than or equal to $queue_run_delay.
       See also $maximal_backoff_time.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


multi_instance_directories (default: empty)

       An optional list of non-default Postfix configuration directories;
       these directories belong to additional Postfix instances that share the
       Postfix executable files and documentation with the default Postfix
       instance, and that are started, stopped, etc., together with the
       default Postfix instance. Specify a list of pathnames separated by
       comma or whitespace.

       When $multi_instance_directories is empty, the postfix(1) command runs
       in single-instance mode and operates on a single Postfix instance only.
       Otherwise, the postfix(1) command runs in multi-instance mode and
       invokes the multi-instance manager specified with the
       multi_instance_wrapper parameter. The multi-instance manager in turn
       executes postfix(1) commands for the default instance and for all
       Postfix instances in $multi_instance_directories.

       Currently, this parameter setting is ignored except for the default
       main.cf file.

       This feature is available in Postfix 2.6 and later.


multi_instance_enable (default: no)

       Allow this Postfix instance to be started, stopped, etc., by a
       multi-instance manager. By default, new instances are created in a
       safe state that prevents them from being started inadvertently. This
       parameter is reserved for the multi-instance manager.

       This feature is available in Postfix 2.6 and later.


multi_instance_group (default: empty)

       The optional instance group name of this Postfix instance. A group
       identifies closely-related Postfix instances that the multi-instance
       manager can start, stop, etc., as a unit. This parameter is reserved
       for the multi-instance manager.

       This feature is available in Postfix 2.6 and later.


multi_instance_name (default: empty)

       The optional instance name of this Postfix instance. This name also
       becomes the default value for the syslog_name parameter.

       This feature is available in Postfix 2.6 and later.


multi_instance_wrapper (default: empty)

       The pathname of a multi-instance manager command that the postfix(1)
       command invokes when the multi_instance_directories parameter value is
       non-empty. The pathname may be followed by initial command arguments
       separated by whitespace; shell metacharacters such as quotes are not
       supported in this context.

       The postfix(1) command invokes the manager command with the postfix(1)
       non-option command arguments on the manager command line, and with all
       installation configuration parameters exported into the manager command
       process environment. The manager command in turn invokes the postfix(1)
       command for individual Postfix instances as "postfix -c
       config_directory command".

       This feature is available in Postfix 2.6 and later.


multi_recipient_bounce_reject_code (default: 550)

       The numerical Postfix SMTP server response code when a remote SMTP
       client request is blocked by the reject_multi_recipient_bounce
       restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

       This feature is available in Postfix 2.1 and later.


mydestination (default: $myhostname, localhost.$mydomain, localhost)

       The list of domains that are delivered via the $local_transport mail
       delivery transport. By default this is the Postfix local(8) delivery
       agent which looks up all recipients in /etc/passwd and /etc/aliases.
       The SMTP server validates recipient addresses with $local_recipient_maps
       and rejects non-existent recipients. See also the local domain class in
       the ADDRESS_CLASS_README file.

       The default mydestination value specifies names for the local machine
       only. On a mail domain gateway, you should also include $mydomain.

       The $local_transport delivery method is also selected for mail
       addressed to user@[the.net.work.address] of the mail system (the IP
       addresses specified with the inet_interfaces and proxy_interfaces
       parameters).

       Warnings:

       ·      Do not specify the names of virtual domains - those domains are
              specified elsewhere. See VIRTUAL_README for more information.

       ·      Do not specify the names of domains that this machine is backup
              MX host for. See STANDARD_CONFIGURATION_README for how to set up
              backup MX hosts.

       ·      By default, the Postfix SMTP server rejects mail for recipients
              not listed with the local_recipient_maps parameter. See the
              postconf(5) manual for a description of the local_recipient_maps
              and unknown_local_recipient_reject_code parameters.

       Specify a list of host or domain names, "/file/name" or "type:table"
       patterns, separated by commas and/or whitespace. A "/file/name" pattern
       is replaced by its contents; a "type:table" lookup table is matched
       when a name matches a lookup key (the lookup result is ignored).
       Continue long lines by starting the next line with whitespace.

       Examples:

       mydestination = $myhostname, localhost.$mydomain $mydomain
       mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain


mydomain (default: see postconf -d output)

       The internet domain name of this mail system. The default is to use
       $myhostname minus the first component, or "localdomain" (Postfix 2.3
       and later). $mydomain is used as a default value for many other
       configuration parameters.

       Example:

       mydomain = domain.tld


myhostname (default: see postconf -d output)

       The internet hostname of this mail system. The default is to use the
       fully-qualified domain name (FQDN) from gethostname(), or to use the
       non-FQDN result from gethostname() and append ".$mydomain". $myhostname
       is used as a default value for many other configuration parameters.

       Example:

       myhostname = host.example.com


mynetworks (default: see postconf -d output)

       The list of "trusted" remote SMTP clients that have more privileges
       than "strangers".

       In particular, "trusted" SMTP clients are allowed to relay mail through
       Postfix. See the smtpd_relay_restrictions parameter description in the
       postconf(5) manual.

       You can specify the list of "trusted" network addresses by hand or you
       can let Postfix do it for you (which is the default). See the
       description of the mynetworks_style parameter for more information.

       If you specify the mynetworks list by hand, Postfix ignores the
       mynetworks_style setting.

       Specify a list of network addresses or network/netmask patterns,
       separated by commas and/or whitespace. Continue long lines by starting
       the next line with whitespace.

       The netmask specifies the number of bits in the network part of a host
       address. You can also specify "/file/name" or "type:table" patterns.
       A "/file/name" pattern is replaced by its contents; a "type:table"
       lookup table is matched when a table entry matches a lookup string (the
       lookup result is ignored).

       The list is matched left to right, and the search stops on the first
       match. Specify "!pattern" to exclude an address or network block from
       the list. The form "!/file/name" is supported only in Postfix version
       2.4 and later.

       Note 1: Pattern matching of domain names is controlled by the presence
       or absence of "mynetworks" in the parent_domain_matches_subdomains
       parameter value.

       Note 2: IP version 6 address information must be specified inside [] in
       the mynetworks value, and in files specified with "/file/name". IP
       version 6 addresses contain the ":" character, and would otherwise be
       confused with a "type:table" pattern.

       Examples:

       mynetworks = 127.0.0.0/8 168.100.189.0/28
       mynetworks = !192.168.0.1, 192.168.0.0/28
       mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
       mynetworks = $config_directory/mynetworks
       mynetworks = hash:/etc/postfix/network_table


mynetworks_style (default: Postfix >= 3.0: host, Postfix < 3.0: subnet)

       The method to generate the default value for the mynetworks parameter.
       This is the list of trusted networks for relay access control etc.

       ·      Specify "mynetworks_style = host" when Postfix should "trust"
              only the local machine.

       ·      Specify "mynetworks_style = subnet" when Postfix should "trust"
              remote SMTP clients in the same IP subnetworks as the local
              machine. On Linux, this works correctly only with interfaces
              specified with the "ifconfig" command.

       ·      Specify "mynetworks_style = class" when Postfix should "trust"
              remote SMTP clients in the same IP class A/B/C networks as the
              local machine. Caution: this may cause Postfix to "trust" your
              entire provider's network. Instead, specify an explicit
              mynetworks list by hand, as described with the mynetworks
              configuration parameter.


myorigin (default: $myhostname)

       The domain name that locally-posted mail appears to come from, and that
       locally posted mail is delivered to. The default, $myhostname, is
       adequate for small sites. If you run a domain with multiple machines,
       you should (1) change this to $mydomain and (2) set up a domain-wide
       alias database that aliases each user to user@that.users.mailhost.

       Example:

       myorigin = $mydomain


nested_header_checks (default: $header_checks)

       Optional lookup tables for content inspection of non-MIME message
       headers in attached messages, as described in the header_checks(5)
       manual page.

       This feature is available in Postfix 2.0 and later.


newaliases_path (default: see postconf -d output)

       Sendmail compatibility feature that specifies the location of the
       newaliases(1) command. This command can be used to rebuild the local(8)
       aliases(5) database.


non_fqdn_reject_code (default: 504)

       The numerical Postfix SMTP server reply code when a client request is
       rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
       or reject_non_fqdn_recipient restriction.


non_smtpd_milters (default: empty)

       A list of Milter (mail filter) applications for new mail that does not
       arrive via the Postfix smtpd(8) server. This includes local submission
       via the sendmail(1) command line, new mail that arrives via the Postfix
       qmqpd(8) server, and old mail that is re-injected into the queue with
       "postsuper -r". Specify space or comma as separator. See the
       MILTER_README document for details.

       This feature is available in Postfix 2.3 and later.


notify_classes (default: resource, software)

       The list of error classes that are reported to the postmaster. The
       default is to report only the most serious problems. The paranoid may
       wish to turn on the policy (UCE and mail relaying) and protocol error
       (broken mail software) reports.

       NOTE: postmaster notifications may contain confidential information
       such as SASL passwords or message content. It is the system
       administrator's responsibility to treat such information with care.

       The error classes are:

       bounce (also implies 2bounce)
              Send the postmaster copies of the headers of bounced mail, and
              send transcripts of SMTP sessions when Postfix rejects mail. The
              notification is sent to the address specified with the
              bounce_notice_recipient configuration parameter (default:
              postmaster).

       2bounce
              Send undeliverable bounced mail to the postmaster. The
              notification is sent to the address specified with the
              2bounce_notice_recipient configuration parameter (default:
              postmaster).

       data   Send the postmaster a transcript of the SMTP session with an
              error because a critical data file was unavailable. The
              notification is sent to the address specified with the
              error_notice_recipient configuration parameter (default:
              postmaster).
              This feature is available in Postfix 2.9 and later.

       delay  Send the postmaster copies of the headers of delayed mail (see
              delay_warning_time). The notification is sent to the address
              specified with the delay_notice_recipient configuration
              parameter (default: postmaster).

       policy Send the postmaster a transcript of the SMTP session when a
              client request was rejected because of (UCE) policy. The
              notification is sent to the address specified with the
              error_notice_recipient configuration parameter (default:
              postmaster).

       protocol
              Send the postmaster a transcript of the SMTP session in case of
              client or server protocol errors. The notification is sent to
              the address specified with the error_notice_recipient
              configuration parameter (default: postmaster).

       resource
              Inform the postmaster of mail not delivered due to resource
              problems. The notification is sent to the address specified
              with the error_notice_recipient configuration parameter
              (default: postmaster).

       software
              Inform the postmaster of mail not delivered due to software
              problems. The notification is sent to the address specified
              with the error_notice_recipient configuration parameter
              (default: postmaster).

       Examples:

       notify_classes = bounce, delay, policy, protocol, resource, software
       notify_classes = 2bounce, resource, software


nullmx_reject_code (default: 556)

       The numerical reply code when the Postfix SMTP server rejects a sender
       or recipient address because its domain has a nullmx DNS record (an MX
       record with an empty hostname). This is one of the possible replies
       from the restrictions reject_unknown_sender_domain and
       reject_unknown_recipient_domain.

       This feature is available in Postfix 3.0 and later.


openssl_path (default: openssl)

       The location of the OpenSSL command line program openssl(1). This is
       used by the "postfix tls" command to create private keys, certificate
       signing requests, self-signed certificates, and to compute public key
       digests for DANE TLSA records. In multi-instance environments, this
       parameter is always determined from the configuration of the default
       Postfix instance.

       Example:

           /etc/postfix/main.cf:
               # NetBSD pkgsrc:
               openssl_path = /usr/pkg/bin/openssl
               # Local build:
               openssl_path = /usr/local/bin/openssl

       This feature is available in Postfix 3.1 and later.


owner_request_special (default: yes)

       Enable special treatment for owner-listname entries in the aliases(5)
       file, and don't split owner-listname and listname-request address
       localparts when the recipient_delimiter is set to "-". This feature is
       useful for mailing lists.


parent_domain_matches_subdomains (default: see postconf -d output)

       A list of Postfix features where the pattern "example.com" also matches
       subdomains of example.com, instead of requiring an explicit
       ".example.com" pattern. This is planned backwards compatibility:
       eventually, all Postfix features are expected to require explicit
       ".example.com" style patterns when you really want to match subdomains.

       The following Postfix feature names are supported.

       Postfix version 1.0 and later
              debug_peer_list, fast_flush_domains, mynetworks,
              permit_mx_backup_networks, relay_domains, transport_maps

       Postfix version 1.1 and later
              qmqpd_authorized_clients, smtpd_access_maps

       Postfix version 2.8 and later
              postscreen_access_list

       Postfix version 3.0 and later
              smtpd_client_event_limit_exceptions


permit_mx_backup_networks (default: empty)

       Restrict the use of the permit_mx_backup SMTP access feature to only
       domains whose primary MX hosts match the listed networks. The parameter
       value syntax is the same as with the mynetworks parameter; note,
       however, that the default value is empty.

       Pattern matching of domain names is controlled by the presence or
       absence of "permit_mx_backup_networks" in the
       parent_domain_matches_subdomains parameter value.


pickup_service_name (default: pickup)

       The name of the pickup(8) service. This service picks up local mail
       submissions from the Postfix maildrop queue.

       This feature is available in Postfix 2.0 and later.


pipe_delivery_status_filter (default: $default_delivery_status_filter)

       Optional filter for the pipe(8) delivery agent to change the delivery
       status code or explanatory text of successful or unsuccessful
       deliveries. See default_delivery_status_filter for details.

       This feature is available in Postfix 3.0 and later.


plaintext_reject_code (default: 450)

       The numerical Postfix SMTP server response code when a request is
       rejected by the reject_plaintext_session restriction.

       This feature is available in Postfix 2.3 and later.


postlog_service_name (default: postlog)

       The name of the postlogd(8) service entry in master.cf. This service
       appends logfile records to the file specified with the maillog_file
       parameter.

       This feature is available in Postfix 3.4 and later.


postlogd_watchdog_timeout (default: 10s)

       How much time a postlogd(8) process may take to process a request
       before it is terminated by a built-in watchdog timer. This is a safety
       mechanism that prevents postlogd(8) from becoming non-responsive due to
       a bug in Postfix itself or in system software. This limit cannot be set
       under 10s.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 3.4 and later.


postmulti_control_commands (default: reload flush)

       The postfix(1) commands that the postmulti(1) instance manager treats
       as "control" commands, that operate on running instances. For these
       commands, disabled instances are skipped.

       This feature is available in Postfix 2.6 and later.


postmulti_start_commands (default: start)

       The postfix(1) commands that the postmulti(1) instance manager treats
       as "start" commands. For these commands, disabled instances are
       "checked" rather than "started", and failure to "start" a member
       instance of an instance group will abort the start-up of later
       instances.

       This feature is available in Postfix 2.6 and later.


postmulti_stop_commands (default: see postconf -d output)

       The postfix(1) commands that the postmulti(1) instance manager treats
       as "stop" commands. For these commands, disabled instances are skipped,
       and enabled instances are processed in reverse order.

       This feature is available in Postfix 2.6 and later.


postscreen_access_list (default: permit_mynetworks)

       Permanent white/blacklist for remote SMTP client IP addresses.
       postscreen(8) searches this list immediately after a remote SMTP client
       connects. Specify a comma- or whitespace-separated list of commands
       (in upper or lower case) or lookup tables. The search stops upon the
       first command that fires for the client IP address.

        permit_mynetworks
              Whitelist the client and terminate the search if the client IP
              address matches $mynetworks. Do not subject the client to any
              before/after 220 greeting tests. Pass the connection
              immediately to a Postfix SMTP server process.
              Pattern matching of domain names is controlled by the presence
              or absence of "postscreen_access_list" in the
              parent_domain_matches_subdomains parameter value.

        type:table
              Query the specified lookup table. Each table lookup result is an
              access list, except that access lists inside a table cannot
              specify type:table entries.
              To discourage the use of hash, btree, etc. tables, there is no
              support for substring matching like smtpd(8). Use CIDR tables
              instead.

        permit
              Whitelist the client and terminate the search. Do not subject
              the client to any before/after 220 greeting tests. Pass the
              connection immediately to a Postfix SMTP server process.

        reject
              Blacklist the client and terminate the search. Subject the
              client to the action configured with the
              postscreen_blacklist_action configuration parameter.

        dunno All postscreen(8) access lists implicitly have this command at
              the end.
              When dunno is executed inside a lookup table, return from the
              lookup table and evaluate the next command.
              When dunno is executed outside a lookup table, terminate the
              search, and subject the client to the configured before/after
              220 greeting tests.

4625       Example:
4626
4627       /etc/postfix/main.cf:
4628           postscreen_access_list = permit_mynetworks,
4629               cidr:/etc/postfix/postscreen_access.cidr
4630           postscreen_blacklist_action = enforce
4631
4632       /etc/postfix/postscreen_access.cidr:
4633           # Rules are evaluated in the order as specified.
4634           # Blacklist 192.168.* except 192.168.0.1.
4635           192.168.0.1         dunno
4636           192.168.0.0/16      reject
4637
4638       This feature is available in Postfix 2.8.
4639
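       The search rules above, worked through in code. This is an added
       example, not part of the postconf(5) text and not Postfix code: a
       small Python model that evaluates a postscreen_access_list value for
       a client IP address. It uses the main.cf value and the two cidr: rules
       from the example above, plus a constructed extra table row and a
       made-up $mynetworks. Only cidr: tables are modelled; a dunno inside a
       table returns to the enclosing list, a dunno at top level ends the
       search, and every list implicitly ends with dunno.

```python
import ipaddress

# Constructed inputs (not from the manual page): the main.cf value from the
# text, a cidr: table with the page's two rules plus one extra row, and a
# made-up $mynetworks.  Only cidr: tables are modelled in this example.
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
TABLES = {
    "cidr:/etc/postfix/postscreen_access.cidr": [
        # Rows are searched in order; each value is itself an access list.
        ("192.168.0.1", "dunno"),
        ("192.168.0.0/16", "reject"),
        ("10.0.0.0/8", "permit"),      # extra row, not in the page example
    ],
}
MYNETWORKS = ["127.0.0.0/8", "[::1]/128", "10.1.2.0/24"]


def _network(pattern):
    """Parse 'a.b.c.d[/bits]' or '[v6addr][/bits]' into an ip_network."""
    host, _, bits = pattern.partition("/")
    host = host.strip("[]")
    return ipaddress.ip_network(f"{host}/{bits}" if bits else host, strict=False)


def cidr_lookup(rows, addr):
    """cidr_table(5) semantics: the first row whose network contains addr wins."""
    for pattern, result in rows:
        if addr in _network(pattern):
            return result
    return None


def evaluate(access_list, addr, mynetworks, tables, nested=False):
    """Walk an access list; return 'permit', 'reject' or 'dunno'.

    The search stops at the first command that fires.  Inside a table,
    dunno (or running off the end) returns None so the caller continues
    with its next command; at top level it ends the search.
    """
    for cmd in access_list.replace(",", " ").split():
        word = cmd.lower()                    # commands are case-insensitive
        if word == "permit_mynetworks":
            if any(addr in _network(p) for p in mynetworks):
                return "permit"
        elif word == "permit":
            return "permit"
        elif word == "reject":
            return "reject"
        elif word == "dunno":
            return None if nested else "dunno"
        elif ":" in cmd:                      # type:table entry
            if nested:
                raise ValueError("type:table is not allowed inside a table")
            result = cidr_lookup(tables[cmd], addr)
            if result is not None:
                verdict = evaluate(result, addr, mynetworks, tables, nested=True)
                if verdict is not None:
                    return verdict
        else:
            raise ValueError(f"unknown access list command {cmd!r}")
    return None if nested else "dunno"


CONSEQUENCE = {
    "permit": "pass the connection straight to a Postfix SMTP server process",
    "reject": "apply postscreen_blacklist_action",
    "dunno": "run the before/after 220 greeting tests",
}


def decide(client_ip):
    """Verdict for a new connection from client_ip under ACCESS_LIST."""
    return evaluate(ACCESS_LIST, ipaddress.ip_address(client_ip),
                    MYNETWORKS, TABLES)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.0.1", "192.168.5.5", "10.9.9.9", "203.0.113.7"):
        v = decide(ip)
        print(f"{ip:15} {v:7} -> {CONSEQUENCE[v]}")
```

       Note that 192.168.0.1 ends up at "dunno" rather than "permit": the
       table's dunno only returns to the outer list, and the outer list then
       runs out of commands, so that client still goes through the greeting
       tests. Use "permit" in the table row if the intent is to skip them.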

postscreen_bare_newline_action (default: ignore)

4641       The  action  that postscreen(8) takes when a remote SMTP client sends a
4642       bare newline character, that is, a newline  not  preceded  by  carriage
4643       return.  Specify one of the following:
4644
4645       ignore Ignore  the failure of this test. Allow other tests to complete.
4646              Do not repeat this test before the result from some other
4647              test expires.  This option is useful for testing and collecting
4648              statistics without blocking mail permanently.
4649
4650       enforce
4651              Allow other tests to complete. Reject attempts to  deliver  mail
4652              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4653              mation.  Repeat this test the next time the client connects.
4654
4655       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4656              this test the next time the client connects.
4657
4658       This feature is available in Postfix 2.8.
4659

postscreen_bare_newline_enable (default: no)

4661       Enable  "bare newline" SMTP protocol tests in the postscreen(8) server.
4662       These tests are expensive: a remote SMTP client must  disconnect  after
4663       it passes the test, before it can talk to a real Postfix SMTP server.
4664
4665       This feature is available in Postfix 2.8.
4666

postscreen_bare_newline_ttl (default: 30d)

4668       The  amount  of time that postscreen(8) will use the result from a suc‐
4669       cessful "bare newline" SMTP protocol test. During this time, the client
4670       IP  address  is  excluded from this test. The default is long because a
4671       remote SMTP client must disconnect after it passes the test, before  it
4672       can talk to a real Postfix SMTP server.
4673
4674       Specify  a  non-zero  time  value  (an  integral value plus an optional
4675       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4676       onds), m (minutes), h (hours), d (days), w (weeks).
4677
4678       This feature is available in Postfix 2.8.
4679

postscreen_blacklist_action (default: ignore)

4681       The action that postscreen(8) takes when a remote SMTP client is perma‐
4682       nently blacklisted with the postscreen_access_list parameter.   Specify
4683       one of the following:
4684
4685       ignore (default)
4686              Ignore  this result. Allow other tests to complete.  Repeat this
4687              test the next time the client connects.  This option  is  useful
4688              for testing and collecting statistics without blocking mail.
4689
4690       enforce
4691              Allow  other  tests to complete. Reject attempts to deliver mail
4692              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4693              mation.  Repeat this test the next time the client connects.
4694
4695       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4696              this test the next time the client connects.
4697
4698       This feature is available in Postfix 2.8.
4699

postscreen_cache_cleanup_interval (default: 12h)

4701       The amount of time between postscreen(8)  cache  cleanup  runs.   Cache
4702       cleanup  increases  the load on the cache database and should therefore
4703       not be run frequently. This feature requires that  the  cache  database
4704       supports  the "delete" and "sequence" operators.  Specify a zero inter‐
4705       val to disable cache cleanup.
4706
4707       After each cache cleanup run, the postscreen(8) daemon logs the  number
4708       of  entries  that were retained and dropped. A cleanup run is logged as
4709       "partial" when the daemon  terminates  early  after  "postfix  reload",
4710       "postfix stop", or no requests for $max_idle seconds.
4711
4712       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4713
4714       This feature is available in Postfix 2.8.
4715

postscreen_cache_map (default: btree:$data_directory/postscreen_cache)

4717       Persistent storage for the postscreen(8) server decisions.
4718
4719       To   share   a   postscreen(8)  cache  between  multiple  postscreen(8)
4720       instances,  use  "postscreen_cache_map  =   proxy:btree:/path/to/file".
4721       This  requires Postfix version 2.9 or later; earlier proxymap(8) imple‐
4722       mentations don't support cache cleanup. For an alternative approach see
4723       the memcache_table(5) manpage.
4724
4725       This feature is available in Postfix 2.8.
4726

postscreen_cache_retention_time (default: 7d)

4728       The  amount  of time that postscreen(8) will cache an expired temporary
4729       whitelist entry before it is removed. This prevents clients from  being
4730       logged  as "NEW" just because their cache entry expired an hour ago. It
4731       also prevents the cache from filling up with clients that  passed  some
4732       deep protocol test once and never came back.
4733
4734       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
4735
4736       This feature is available in Postfix 2.8.
4737

postscreen_client_connection_count_limit (default: $smtpd_client_connection_count_limit)

4740       How many simultaneous connections any remote SMTP client is allowed  to
4741       have  with the postscreen(8) daemon. By default, this limit is the same
4742       as with the Postfix SMTP server. Note that the triage process can  take
4743       several  seconds,  with  the time spent in postscreen_greet_wait delay,
4744       and with the time spent talking to  the  postscreen(8)  built-in  dummy
4745       SMTP protocol engine.
4746
4747       This feature is available in Postfix 2.8.
4748

postscreen_command_count_limit (default: 20)

4750       The  limit  on  the  total  number  of  commands  per  SMTP session for
4751       postscreen(8)'s built-in SMTP protocol engine.  This SMTP engine defers
4752       or  rejects all attempts to deliver mail, therefore there is no need to
4753       enforce separate limits on the number of junk commands and  error  com‐
4754       mands.
4755
4756       This feature is available in Postfix 2.8.
4757

postscreen_command_filter (default: $smtpd_command_filter)

4759       A  mechanism  to  transform  commands  from  remote  SMTP clients.  See
4760       smtpd_command_filter for further details.
4761
4762       This feature is available in Postfix 2.8 and later.
4763

postscreen_command_time_limit (default: normal: 300s, overload: 10s)

4765       The time limit to read an  entire  command  line  with  postscreen(8)'s
4766       built-in SMTP protocol engine.
4767
4768       This feature is available in Postfix 2.8.
4769

postscreen_disable_vrfy_command (default: $disable_vrfy_command)

4771       Disable  the  SMTP  VRFY command in the postscreen(8) daemon.  See dis‐
4772       able_vrfy_command for details.
4773
4774       This feature is available in Postfix 2.8.
4775

postscreen_discard_ehlo_keyword_address_maps (default: $smtpd_discard_ehlo_keyword_address_maps)

4778       Lookup  tables,  indexed  by  the remote SMTP client address, with case
4779       insensitive lists of EHLO keywords (pipelining, starttls,  auth,  etc.)
4780       that  the  postscreen(8) server will not send in the EHLO response to a
4781       remote SMTP client. See smtpd_discard_ehlo_keywords for  details.   The
4782       table is not searched by hostname for robustness reasons.
4783
4784       This feature is available in Postfix 2.8 and later.
4785

postscreen_discard_ehlo_keywords (default: $smtpd_discard_ehlo_keywords)

4787       A  case  insensitive list of EHLO keywords (pipelining, starttls, auth,
4788       etc.) that the postscreen(8) server will not send in the EHLO  response
4789       to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
4790
4791       This feature is available in Postfix 2.8 and later.
4792

postscreen_dnsbl_action (default: ignore)

4794       The  action  that  postscreen(8) takes when a remote SMTP client's com‐
4795       bined DNSBL score is equal to or greater than a threshold  (as  defined
4796       with  the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parame‐
4797       ters).  Specify one of the following:
4798
4799       ignore (default)
4800              Ignore the failure of this test. Allow other tests to  complete.
4801              Repeat this test the next time the client connects.  This option
4802              is useful for testing and collecting statistics without blocking
4803              mail.
4804
4805       enforce
4806              Allow  other  tests to complete. Reject attempts to deliver mail
4807              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
4808              mation.  Repeat this test the next time the client connects.
4809
4810       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
4811              this test the next time the client connects.
4812
4813       This feature is available in Postfix 2.8.
4814

postscreen_dnsbl_max_ttl (default: ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h)

4817       The  maximum amount of time that postscreen(8) will use the result from
4818       a successful DNS-based reputation test before a client  IP  address  is
4819       required  to pass that test again. If the DNS reply specifies a shorter
4820       TTL value, that value will be used unless  it  would  be  smaller  than
4821       postscreen_dnsbl_min_ttl.
4822
4823       Specify  a  non-zero  time  value  (an  integral value plus an optional
4824       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4825       onds), m (minutes), h (hours), d (days), w (weeks).
4826
4827       This  feature is available in Postfix 3.1. The default setting is back‐
4828       wards-compatible with older Postfix versions.
4829

postscreen_dnsbl_min_ttl (default: 60s)

4831       The minimum amount of time that postscreen(8) will use the result  from
4832       a  successful  DNS-based  reputation test before a client IP address is
4833       required to pass that test again. If the DNS reply specifies  a  larger
4834       TTL  value,  that  value  will  be  used unless it would be larger than
4835       postscreen_dnsbl_max_ttl.
4836
4837       Specify a non-zero time value  (an  integral  value  plus  an  optional
4838       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
4839       onds), m (minutes), h (hours), d (days), w (weeks).
4840
4841       This feature is available in Postfix 3.1.
4842

postscreen_dnsbl_reply_map (default: empty)

4844       A mapping from the actual DNSBL domain name, which may include a secret
4845       password, to the DNSBL domain name that postscreen(8) will reply with
4846       when it rejects mail.  When no mapping is found, the actual DNSBL domain
4847       will be used.
4848
4849       For maximal stability it is best to use a file that is read into memory
4850       such as pcre:, regexp: or texthash: (texthash:  is  similar  to  hash:,
4851       except  a)  there  is  no need to run postmap(1) before the file can be
4852       used, and b) texthash: does not detect changes after the file is read).
4853
4854       Example:
4855
4856       /etc/postfix/main.cf:
4857           postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
4858
4859       /etc/postfix/dnsbl_reply:
4860          secret.zen.spamhaus.org      zen.spamhaus.org
4861
4862       This feature is available in Postfix 2.8.
4863

postscreen_dnsbl_sites (default: empty)

4865       Optional list of DNS white/blacklist domains, filters and  weight  fac‐
4866       tors.  When  the  list  is  non-empty, the dnsblog(8) daemon will query
4867       these domains with  the  IP  addresses  of  remote  SMTP  clients,  and
4868       postscreen(8)  will  update  an  SMTP  client's  DNSBL  score with each
4869       non-error reply.
4870
4871       Caution: when postscreen rejects mail, it replies with the DNSBL domain
4872       name.  Use  the  postscreen_dnsbl_reply_map  feature to hide "password"
4873       information in DNSBL domain names.
4874
4875       When a client's score is equal to or greater than the threshold  speci‐
4876       fied  with  postscreen_dnsbl_threshold, postscreen(8) can drop the con‐
4877       nection with the remote SMTP client.
4878
4879       Specify a list of domain=filter*weight entries, separated by  comma  or
4880       whitespace.
4881
4882       ·      When  no  "=filter"  is  specified,  postscreen(8)  will use any
4883              non-error DNSBL reply.  Otherwise, postscreen(8) uses only DNSBL
4884              replies  that match the filter. The filter has the form d.d.d.d,
4885              where each d is a number, or a pattern inside []  that  contains
4886              one or more ";"-separated numbers or number..number ranges.
4887
4888       ·      When  no  "*weight"  is  specified, postscreen(8) increments the
4889              remote SMTP client's DNSBL score by 1.   Otherwise,  the  weight
4890              must be an integral number, and postscreen(8) adds the specified
4891              weight to the remote SMTP client's DNSBL score.  Specify a nega‐
4892              tive number for whitelisting.
4893
4894       ·      When  one  postscreen_dnsbl_sites  entry produces multiple DNSBL
4895              responses, postscreen(8) applies the weight at most once.
4896
4897       Examples:
4898
4899       To use example.com as a high-confidence blocklist, and  to  block  mail
4900       with example.net and example.org only when both agree:
4901
4902       postscreen_dnsbl_threshold = 2
4903       postscreen_dnsbl_sites = example.com*2, example.net, example.org
4904
4905       To filter only DNSBL replies containing 127.0.0.4:
4906
4907       postscreen_dnsbl_sites = example.com=127.0.0.4
4908
4909       This feature is available in Postfix 2.8.
4910

postscreen_dnsbl_threshold (default: 1)

4912       The  inclusive  lower bound for blocking a remote SMTP client, based on
4913       its combined DNSBL score as  defined  with  the  postscreen_dnsbl_sites
4914       parameter.
4915
4916       This feature is available in Postfix 2.8.
4917

postscreen_dnsbl_timeout (default: 10s)

4919       The  time  limit  for DNSBL or DNSWL lookups. This is separate from the
4920       timeouts  in  the  dnsblog(8)  daemon  which  are  defined  by   system
4921       resolver(3) routines.
4922
4923       This feature is available in Postfix 3.0.
4924

postscreen_dnsbl_ttl (default: 1h)

4926       The  amount  of time that postscreen(8) will use the result from a suc‐
4927       cessful DNS-based  reputation  test  before  a  client  IP  address  is
4928       required to pass that test again.
4929
4930       Specify  a  non-zero  time  value  (an  integral value plus an optional
4931       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
4932       onds), m (minutes), h (hours), d (days), w (weeks).
4933
4934       This  feature  is  available  in  Postfix  2.8-3.0.  It was replaced by
4935       postscreen_dnsbl_max_ttl in Postfix 3.1.
4936

postscreen_dnsbl_whitelist_threshold (default: 0)

4938       Allow a remote SMTP client to skip "before" and  "after  220  greeting"
4939       protocol  tests,  based on its combined DNSBL score as defined with the
4940       postscreen_dnsbl_sites parameter.
4941
4942       Specify a negative value to enable this feature. When a  client  passes
4943       the  postscreen_dnsbl_whitelist_threshold  without  having failed other
4944       tests, all pending or disabled tests are flagged as  completed  with  a
4945       time-to-live  value  equal  to  postscreen_dnsbl_ttl.   When a test was
4946       already completed, its time-to-live value is updated  if  it  was  less
4947       than postscreen_dnsbl_ttl.
4948
4949       This feature is available in Postfix 2.11.
4950
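       How postscreen(8) turns postscreen_dnsbl_sites,
       postscreen_dnsbl_threshold and postscreen_dnsbl_whitelist_threshold
       into a decision, as an added Python example (not Postfix code and not
       part of this manual page). It parses the domain=filter*weight syntax,
       including [] filters with ";" lists and ".." ranges, adds each site's
       weight at most once, compares the combined score with the two
       thresholds, and clamps a DNS reply TTL between
       postscreen_dnsbl_min_ttl and postscreen_dnsbl_max_ttl. The site list,
       thresholds and DNSBL replies are constructed (documentation domains,
       not real lists); that a client "passes" the whitelist threshold when
       its score is at or below that negative value is this example's reading
       of the text.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed main.cf values (not from the manual page): a weighted blocklist
# with a reply filter, an unweighted one with a ";" / ".." pattern, and a
# DNSWL with a negative weight.
SITES_SPEC = ("example.com=127.0.0.[2..11]*3, "
              "example.net=127.0.0.[2;4..7], "
              "wl.example.org=127.0.[0..255].[1..3]*-2")
THRESHOLD = 2              # postscreen_dnsbl_threshold
WHITELIST_THRESHOLD = -2   # postscreen_dnsbl_whitelist_threshold (negative = on)


@dataclass
class Site:
    domain: str
    octets: Optional[List[Callable[[int], bool]]]   # None: any non-error reply
    weight: int


def _octet_predicate(spec):
    """One filter component: a plain number, or [n;a..b;...] in brackets."""
    if spec.startswith("[") and spec.endswith("]"):
        allowed = set()
        for item in spec[1:-1].split(";"):
            lo, sep, hi = item.partition("..")
            allowed.update(range(int(lo), int(hi) + 1) if sep else [int(lo)])
        return lambda o, allowed=allowed: o in allowed
    value = int(spec)
    return lambda o, value=value: o == value


def parse_sites(spec):
    """Parse 'domain=filter*weight' entries separated by comma or whitespace."""
    sites = []
    for entry in spec.replace(",", " ").split():
        head, _, weight = entry.partition("*")
        domain, _, filt = head.partition("=")
        octets = None
        if filt:
            # Tokenise on [..] groups or digit runs: '..' lives inside [].
            parts = re.findall(r"\[[^\]]*\]|\d+", filt)
            if len(parts) != 4:
                raise ValueError(f"bad filter {filt!r} in {entry!r}")
            octets = [_octet_predicate(p) for p in parts]
        sites.append(Site(domain, octets, int(weight) if weight else 1))
    return sites


def reply_matches(site, reply):
    """Does one A record (e.g. '127.0.0.4') pass the site's filter?"""
    if site.octets is None:
        return True
    return all(pred(int(o)) for pred, o in zip(site.octets, reply.split(".")))


def score(sites, replies):
    """replies: domain -> list of A records returned for this client (missing
    domain or empty list = not listed).  A site's weight is added at most
    once, however many responses that site returned."""
    total = 0
    for site in sites:
        if any(reply_matches(site, r) for r in replies.get(site.domain, [])):
            total += site.weight
    return total


def classify(replies, sites=None):
    """Map a client's combined DNSBL score to what postscreen(8) does with it."""
    total = score(sites or parse_sites(SITES_SPEC), replies)
    if total >= THRESHOLD:
        return "blocklisted"   # postscreen_dnsbl_action applies
    if WHITELIST_THRESHOLD < 0 and total <= WHITELIST_THRESHOLD:
        return "whitelisted"   # skip the before/after 220 greeting tests
    return "neutral"           # run the normal greeting tests


def effective_ttl(dns_ttl, min_ttl=60, max_ttl=3600):
    """Seconds a passing DNSBL result is cached (Postfix >= 3.1): the reply's
    TTL, clamped to [postscreen_dnsbl_min_ttl, postscreen_dnsbl_max_ttl]."""
    return max(min_ttl, min(dns_ttl, max_ttl))
```

       With these values a client listed at 127.0.0.4 and 127.0.0.10 by
       example.com scores 3 (the weight counts once), a client listed only
       at 127.0.0.5 by example.net scores 1 and stays neutral, and a client
       at 127.0.9.2 in wl.example.org scores -2 and is whitelisted.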

postscreen_enforce_tls (default: $smtpd_enforce_tls)

4952       Mandatory  TLS:  announce  STARTTLS support to remote SMTP clients, and
4953       require that clients use TLS encryption.  See smtpd_enforce_tls for
4954       details.
4955
4956       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
4957       postscreen_tls_security_level instead.
4958

postscreen_expansion_filter (default: see postconf -d output)

4960       List of  characters  that  are  permitted  in  postscreen_reject_footer
4961       attribute expansions.  See smtpd_expansion_filter for further details.
4962
4963       This feature is available in Postfix 2.8 and later.
4964

postscreen_forbidden_commands (default: $smtpd_forbidden_commands)

4966       List  of  commands that the postscreen(8) server considers in violation
4967       of the SMTP protocol.  See  smtpd_forbidden_commands  for  syntax,  and
4968       postscreen_non_smtp_command_action for possible actions.
4969
4970       This feature is available in Postfix 2.8.
4971

postscreen_greet_action (default: ignore)

4973       The  action  that  postscreen(8) takes when a remote SMTP client speaks
4974       before   its   turn   within    the    time    specified    with    the
4975       postscreen_greet_wait parameter.  Specify one of the following:
4976
4977       ignore (default)
4978              Ignore  the failure of this test. Allow other tests to complete.
4979              Repeat this test the next time the client connects.  This option
4980              is useful for testing and collecting statistics without blocking
4981              mail.
4982
4983       enforce
4984              Allow other tests to complete. Reject attempts to  deliver  mail
4985              with  a 550 SMTP reply, and log the helo/sender/recipient infor‐
4986              mation.  Repeat this test the next time the client connects.
4987
4988       drop   Drop the connection immediately with a 521  SMTP  reply.  Repeat
4989              this test the next time the client connects.
4990
4991       In either case, postscreen(8) will not whitelist the remote SMTP client
4992       IP address.
4993
4994       This feature is available in Postfix 2.8.
4995

postscreen_greet_banner (default: $smtpd_banner)

4997       The  text  in  the  optional   "220-text..."   server   response   that
4998       postscreen(8)  sends  ahead  of  the  real  Postfix  SMTP server's "220
4999       text..." response, in an attempt to confuse bad SMTP  clients  so  that
5000       they  speak  before  their turn (pre-greet).  Specify an empty value to
5001       disable this feature.
5002
5003       This feature is available in Postfix 2.8.
5004

postscreen_greet_ttl (default: 1d)

5006       The amount of time that postscreen(8) will use the result from  a  suc‐
5007       cessful  PREGREET  test.  During  this  time,  the client IP address is
5008       excluded from this test. The default is  relatively  short,  because  a
5009       good client can immediately talk to a real Postfix SMTP server.
5010
5011       Specify  a  non-zero  time  value  (an  integral value plus an optional
5012       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5013       onds), m (minutes), h (hours), d (days), w (weeks).
5014
5015       This feature is available in Postfix 2.8.
5016

postscreen_greet_wait (default: normal: 6s, overload: 2s)

5018       The  amount  of time that postscreen(8) will wait for an SMTP client to
5019       send a command before its turn, and for DNS blocklist lookup results to
5020       arrive  (default:  up to 2 seconds under stress, up to 6 seconds other‐
5021       wise).
5022
5023       Specify a non-zero time value  (an  integral  value  plus  an  optional
5024       one-letter suffix that specifies the time unit).
5025
5026       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
5027
5028       This feature is available in Postfix 2.8.
5029

postscreen_helo_required (default: $smtpd_helo_required)

5031       Require  that a remote SMTP client sends HELO or EHLO before commencing
5032       a MAIL transaction.
5033
5034       This feature is available in Postfix 2.8.
5035

postscreen_non_smtp_command_action (default: drop)

5037       The action that postscreen(8) takes when a  remote  SMTP  client  sends
5038       non-SMTP  commands  as specified with the postscreen_forbidden_commands
5039       parameter.  Specify one of the following:
5040
5041       ignore Ignore the failure of this test. Allow other tests to  complete.
5042              Do not repeat this test before the result from some other
5043              test expires.  This option is useful for testing and  collecting
5044              statistics without blocking mail permanently.
5045
5046       enforce
5047              Allow  other  tests to complete. Reject attempts to deliver mail
5048              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
5049              mation.  Repeat this test the next time the client connects.
5050
5051       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
5052              this test the next time the client connects. This action is  the
5053              same  as with the Postfix SMTP server's smtpd_forbidden_commands
5054              feature.
5055
5056       This feature is available in Postfix 2.8.
5057

postscreen_non_smtp_command_enable (default: no)

5059       Enable "non-SMTP command" tests  in  the  postscreen(8)  server.  These
5060       tests are expensive: a client must disconnect after it passes the test,
5061       before it can talk to a real Postfix SMTP server.
5062
5063       This feature is available in Postfix 2.8.
5064

postscreen_non_smtp_command_ttl (default: 30d)

5066       The amount of time that postscreen(8) will use the result from  a  suc‐
5067       cessful  "non_smtp_command"  SMTP  protocol test. During this time, the
5068       client IP address is excluded from  this  test.  The  default  is  long
5069       because  a  client  must disconnect after it passes the test, before it
5070       can talk to a real Postfix SMTP server.
5071
5072       Specify a non-zero time value  (an  integral  value  plus  an  optional
5073       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5074       onds), m (minutes), h (hours), d (days), w (weeks).
5075
5076       This feature is available in Postfix 2.8.
5077

postscreen_pipelining_action (default: enforce)

5079       The action that postscreen(8) takes when a  remote  SMTP  client  sends
5080       multiple  commands  instead  of sending one command and waiting for the
5081       server to respond.  Specify one of the following:
5082
5083       ignore Ignore the failure of this test. Allow other tests to  complete.
5084              Do not repeat this test before the result from some other
5085              test expires.  This option is useful for testing and  collecting
5086              statistics without blocking mail permanently.
5087
5088       enforce
5089              Allow  other  tests to complete. Reject attempts to deliver mail
5090              with a 550 SMTP reply, and log the helo/sender/recipient  infor‐
5091              mation.  Repeat this test the next time the client connects.
5092
5093       drop   Drop  the  connection  immediately with a 521 SMTP reply. Repeat
5094              this test the next time the client connects.
5095
5096       This feature is available in Postfix 2.8.
5097

postscreen_pipelining_enable (default: no)

5099       Enable "pipelining" SMTP protocol tests in  the  postscreen(8)  server.
5100       These  tests  are  expensive:  a  good  client must disconnect after it
5101       passes the test, before it can talk to a real Postfix SMTP server.
5102
5103       This feature is available in Postfix 2.8.
5104

postscreen_pipelining_ttl (default: 30d)

5106       The amount of time that postscreen(8) will use the result from  a  suc‐
5107       cessful  "pipelining"  SMTP protocol test. During this time, the client
5108       IP address is excluded from this test. The default is  long  because  a
5109       good  client  must  disconnect  after it passes the test, before it can
5110       talk to a real Postfix SMTP server.
5111
5112       Specify a non-zero time value  (an  integral  value  plus  an  optional
5113       one-letter  suffix  that specifies the time unit).  Time units: s (sec‐
5114       onds), m (minutes), h (hours), d (days), w (weeks).
5115
5116       This feature is available in Postfix 2.8.
5117

postscreen_post_queue_limit (default: $default_process_limit)

5119       The number of clients that can be waiting for service from a real Post‐
5120       fix  SMTP  server  process.  When  this queue is full, all clients will
5121       receive a 421 response.
5122
5123       This feature is available in Postfix 2.8.
5124

postscreen_pre_queue_limit (default: $default_process_limit)

5126       The number of non-whitelisted clients that can be waiting for  a  deci‐
5127       sion  whether they will receive service from a real Postfix SMTP server
5128       process. When this queue is  full,  all  non-whitelisted  clients  will
5129       receive a 421 response.
5130
5131       This feature is available in Postfix 2.8.
5132

postscreen_reject_footer (default: $smtpd_reject_footer)

5134       Optional  information that is appended after a 4XX or 5XX postscreen(8)
5135       server response. See smtpd_reject_footer for further details.
5136
5137       This feature is available in Postfix 2.8 and later.
5138

postscreen_reject_footer_maps (default: $smtpd_reject_footer_maps)

5140       Optional lookup table for information that is appended after a  4XX  or
5141       5XX  postscreen(8)  server  response.  See smtpd_reject_footer_maps for
5142       further details.
5143
5144       This feature is available in Postfix 3.4 and later.
5145

postscreen_tls_security_level (default: $smtpd_tls_security_level)

5147       The SMTP TLS security  level  for  the  postscreen(8)  server;  when  a
5148       non-empty  value  is  specified, this overrides the obsolete parameters
5149       postscreen_use_tls  and  postscreen_enforce_tls.  See   smtpd_tls_secu‐
5150       rity_level for details.
5151
5152       This feature is available in Postfix 2.8 and later.
5153

postscreen_upstream_proxy_protocol (default: empty)

5155       The  name  of  the proxy protocol used by an optional before-postscreen
5156       proxy agent. When a proxy agent is used, this  protocol  conveys  local
5157       and     remote     address     and     port     information.    Specify
5158       "postscreen_upstream_proxy_protocol = haproxy" to  enable  the  haproxy
5159       protocol; version 2 is supported with Postfix 3.5 and later.
5160
5161       This feature is available in Postfix 2.10 and later.
5162

postscreen_upstream_proxy_timeout (default: 5s)

5164       The   time   limit   for   the   proxy   protocol  specified  with  the
5165       postscreen_upstream_proxy_protocol parameter.
5166
5167       This feature is available in Postfix 2.10 and later.
5168

postscreen_use_tls (default: $smtpd_use_tls)

5170       Opportunistic TLS: announce STARTTLS support to  remote  SMTP  clients,
5171       but do not require that clients use TLS encryption.
5172
5173       This  feature  is  available in Postfix 2.8 and later.  Preferably, use
5174       postscreen_tls_security_level instead.
5175

postscreen_watchdog_timeout (default: 10s)

5177       How much time a postscreen(8) process may take to respond to  a  remote
5178       SMTP client command or to perform a cache operation before it is termi‐
5179       nated by a built-in watchdog timer.  This is a  safety  mechanism  that
5180       prevents  postscreen(8)  from  becoming  non-responsive due to a bug in
5181       Postfix itself or in system software.  To avoid false alarms and unnec‐
5182       essary cache corruption this limit cannot be set under 10s.
5183
5184       Specify  a  non-zero  time  value  (an  integral value plus an optional
5185       one-letter suffix that specifies the time unit).  Time units:  s  (sec‐
5186       onds), m (minutes), h (hours), d (days), w (weeks).
5187
5188       This feature is available in Postfix 2.8.
5189

postscreen_whitelist_interfaces (default: static:all)

5191       A   list   of   local   postscreen(8)   server  IP  addresses  where  a
5192       non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary
5193       whitelist status. This status is required before the client can talk to
5194       a Postfix SMTP  server  process.   By  default,  a  client  can  obtain
5195       postscreen(8)'s  whitelist  status on any local postscreen(8) server IP
5196       address.
5197
5198       When postscreen(8) listens on both primary and backup MX addresses, the
5199       postscreen_whitelist_interfaces parameter can be configured to give the
5200       temporary whitelist status only when a client connects to a primary  MX
5201       address.  Once  a  client  is whitelisted it can talk to a Postfix SMTP
5202       server on any address. Thus, clients that connect  only  to  backup  MX
5203       addresses  will  never become whitelisted, and will never be allowed to
5204       talk to a Postfix SMTP server process.
5205
5206       Specify a list of network addresses or network/netmask patterns,  sepa‐
5207       rated  by commas and/or whitespace. The netmask specifies the number of
5208       bits in the network part of a host  address.  Continue  long  lines  by
5209       starting the next line with whitespace.
5210
5211       You   can  also  specify  "/file/name"  or  "type:table"  patterns.   A
5212       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5213       table is matched when a table entry matches a lookup string (the lookup
5214       result is ignored).
5215
5216       The list is matched left to right, and the search stops  on  the  first
5217       match.  Specify  "!pattern" to exclude an address or network block from
5218       the list.
5219
5220       Note: IP version 6 address information must be specified inside  []  in
5221       the  postscreen_whitelist_interfaces value, and in files specified with
5222       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
5223       would otherwise be confused with a "type:table" pattern.
5224
5225       Example:
5226
5227       /etc/postfix/main.cf:
5228           # Don't whitelist connections to the backup IP address.
5229           postscreen_whitelist_interfaces = !168.100.189.8, static:all
5230
5231       This feature is available in Postfix 2.9 and later.
5232

prepend_delivered_header (default: command, file, forward)

5234       The message delivery contexts where the Postfix local(8) delivery agent
5235       prepends a Delivered-To:  message header with the address that the mail
5236       was  delivered  to.  This  information  is  used for mail delivery loop
5237       detection.
5238
5239       By default, the Postfix local delivery agent prepends  a  Delivered-To:
5240       header  when  forwarding mail and when delivering to file (mailbox) and
5241       command. Turning off the Delivered-To: header when forwarding  mail  is
5242       not recommended.
5243
5244       Specify zero or more of forward, file, or command.
5245
5246       Example:
5247
5248       prepend_delivered_header = forward
5249

process_id (read-only)

5251       The process ID of a Postfix command or daemon process.
5252

process_id_directory (default: pid)

5254       The  location  of Postfix PID files relative to $queue_directory.  This
5255       is a read-only parameter.
5256

process_name (read-only)

5258       The process name of a Postfix command or daemon process.
5259

propagate_unmatched_extensions (default: canonical, virtual)

5261       What address lookup tables copy an address extension  from  the  lookup
5262       key to the lookup result.
5263
5264       For   example,   with  a  virtual(5)  mapping  of  "joe@example.com  =>
5265       joe.user@example.net", the address "joe+foo@example.com" would  rewrite
5266       to "joe.user+foo@example.net".
5267
5268       Specify  zero or more of canonical, virtual, alias, forward, include or
5269       generic. These cause address extension propagation  with  canonical(5),
5270       virtual(5),  and  aliases(5) maps, with local(8) .forward and :include:
5271       file lookups, and with smtp(8) generic maps, respectively.
5272
5273       Note: enabling this feature for types other than canonical and  virtual
5274       is  likely  to  cause  problems  when mail is forwarded to other sites,
5275       especially with mail that is sent to a mailing list exploder address.
5276
5277       Examples:
5278
5279       propagate_unmatched_extensions = canonical, virtual, alias,
5280               forward, include
5281       propagate_unmatched_extensions = canonical, virtual
5282

proxy_interfaces (default: empty)

5284       The network interface addresses that this mail system receives mail  on
5285       by way of a proxy or network address translation unit.
5286
5287       This feature is available in Postfix 2.0 and later.
5288
5289       You must specify your "outside" proxy/NAT addresses when your system is
5290       a backup MX host for other domains, otherwise mail delivery loops  will
5291       happen when the primary MX host is down.
5292
5293       Example:
5294
5295       proxy_interfaces = 1.2.3.4
5296

proxy_read_maps (default: see postconf -d output)

5298       The  lookup tables that the proxymap(8) server is allowed to access for
5299       the read-only service.
5300
5301       Specify zero or more "type:name" lookup tables, separated by whitespace
5302       or comma.  Table references that don't begin with proxy: are ignored.
5303
5304       This feature is available in Postfix 2.0 and later.
5305

proxy_write_maps (default: see postconf -d output)

5307       The  lookup tables that the proxymap(8) server is allowed to access for
5308       the read-write service. Postfix-owned local database  files  should  be
5309       stored  under  the Postfix-owned data_directory.  Table references that
5310       don't begin with proxy: are ignored.
5311
5312       This feature is available in Postfix 2.5 and later.
5313

proxymap_service_name (default: proxymap)

5315       The name of the proxymap read-only table lookup service.  This  service
5316       is normally implemented by the proxymap(8) daemon.
5317
5318       This feature is available in Postfix 2.6 and later.
5319

proxywrite_service_name (default: proxywrite)

5321       The  name of the proxywrite read-write table lookup service.  This ser‐
5322       vice is normally implemented by the proxymap(8) daemon.
5323
5324       This feature is available in Postfix 2.6 and later.
5325

qmgr_clog_warn_time (default: 300s)

5327       The minimal delay between warnings that a specific destination is clog‐
5328       ging up the Postfix active queue. Specify 0 to disable.
5329
5330       This feature is enabled with the helpful_warnings parameter.
5331
5332       This feature is available in Postfix 2.0 and later.
5333

qmgr_daemon_timeout (default: 1000s)

5335       How  much  time  a  Postfix  queue manager process may take to handle a
5336       request before it is terminated by a built-in watchdog timer.
5337
5338       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5339       The default time unit is s (seconds).
5340
5341       This feature is available in Postfix 2.8 and later.
5342

qmgr_fudge_factor (default: 100)

5344       Obsolete feature: the percentage of delivery resources that a busy mail
5345       system will use up for delivery of a large mailing  list message.
5346
5347       This feature exists only in the oqmgr(8) old queue manager. The current
5348       queue manager solves the problem in a better way.
5349

qmgr_ipc_timeout (default: 60s)

5351       The  time  limit  for  the queue manager to send or receive information
5352       over an internal communication channel.  The purpose is to break out of
5353       deadlock  situations. If the time limit is exceeded the software either
5354       retries or aborts the operation.
5355
5356       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5357       The default time unit is s (seconds).
5358
5359       This feature is available in Postfix 2.8 and later.
5360

qmgr_message_active_limit (default: 20000)

5362       The maximal number of messages in the active queue.
5363

qmgr_message_recipient_limit (default: 20000)

5365       The  maximal  number  of recipients held in memory by the Postfix queue
5366       manager, and the maximal size of the short-term, in-memory "dead"  des‐
5367       tination status cache.
5368

qmgr_message_recipient_minimum (default: 10)

5370       The  minimal number of in-memory recipients for any message. This takes
5371       priority over any other in-memory recipient limits  (i.e.,  the  global
5372       qmgr_message_recipient_limit and the per transport _recipient_limit) if
5373       necessary. The minimum value allowed for this parameter is 1.
5374

qmqpd_authorized_clients (default: empty)

5376       What remote QMQP clients are allowed to connect  to  the  Postfix  QMQP
5377       server port.
5378
5379       By  default,  no  client is allowed to use the service. This is because
5380       the QMQP server will relay mail to any destination.
5381
5382       Specify a list of client patterns. A  list  pattern  specifies  a  host
5383       name,  a  domain  name, an internet address, or a network/mask pattern,
5384       where the mask specifies the number of bits in the network part.   When
5385       a  pattern  specifies a file name, its contents are substituted for the
5386       file name; when a pattern is a "type:table" table specification,  table
5387       lookup is used instead.
5388
5389       Patterns are separated by whitespace and/or commas. In order to reverse
5390       the result, precede a pattern with an exclamation point (!).  The  form
5391       "!/file/name" is supported only in Postfix version 2.4 and later.
5392
5393       Pattern  matching  of  domain  names  is  controlled by the presence or
5394       absence of "qmqpd_authorized_clients" in the parent_domain_matches_sub‐
5395       domains parameter value.
5396
5397       Example:
5398
5399       qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
5400
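The list semantics above, and the same rules as they apply to postscreen_whitelist_interfaces earlier on this page, in working form. This is an added example written for this page, not Postfix's own matching code: it models network addresses, network/prefix blocks, "!pattern" exclusion, left-to-right first-match evaluation and IPv6 written inside []. Only "static:" tables (which match everything) are modelled; host and domain name patterns, "/file/name" and other "type:table" lookups are left out and raise an error.

```python
import ipaddress
import re


def _parse_pattern(pat: str):
    """Turn one list element into (negated, network); network is None for a
    "static:" table, which Postfix treats as matching every lookup."""
    negated = pat.startswith("!")
    if negated:
        pat = pat[1:]
    if pat.startswith("static:"):
        return negated, None
    if pat.startswith("/") or (":" in pat and not pat.startswith("[")):
        # "/file/name" and other "type:table" patterns are not modelled here.
        raise ValueError(f"unsupported pattern in this example: {pat!r}")
    m = re.fullmatch(r"\[([^\]]+)\](?:/(\d+))?", pat)
    if m:  # IPv6 written inside [] so the ':' is not read as "type:table"
        pat = m.group(1) + (f"/{m.group(2)}" if m.group(2) else "")
    return negated, ipaddress.ip_network(pat, strict=False)


def address_list_match(value: str, client_ip: str) -> bool:
    """True when client_ip is matched by the list and not excluded by it.
    Patterns are tried left to right; the first one that matches decides."""
    addr = ipaddress.ip_address(client_ip)
    for pat in re.split(r"[\s,]+", value.strip()):
        if not pat:
            continue
        negated, net = _parse_pattern(pat)
        # An address of the other IP version is never "in" a network.
        if net is None or addr in net:
            return not negated
    return False  # nothing matched: not authorized / not whitelisted


if __name__ == "__main__":
    # The two examples from this manual page, evaluated for a few clients.
    for value, ip in [("!192.168.0.1, 192.168.0.0/24", "192.168.0.1"),
                      ("!192.168.0.1, 192.168.0.0/24", "192.168.0.7"),
                      ("!168.100.189.8, static:all", "168.100.189.8"),
                      ("!168.100.189.8, static:all", "[2001:db8::1]"[1:-1])]:
        print(f"{value!r:40} {ip:16} -> {address_list_match(value, ip)}")
```

Note that the order matters: an exclusion only takes effect if it is listed before a broader pattern that would otherwise match first, which is why both manual examples put the "!" entry first. An empty list never matches, which is the safe default for qmqpd_authorized_clients.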

qmqpd_client_port_logging (default: no)

5402       Enable  logging of the remote QMQP client port in addition to the host‐
5403       name and IP address. The logging format is "host[address]:port".
5404
5405       This feature is available in Postfix 2.5 and later.
5406

qmqpd_error_delay (default: 1s)

5408       How long the Postfix QMQP server will pause before sending  a  negative
5409       reply  to  the remote QMQP client. The purpose is to slow down confused
5410       or malicious clients.
5411
5412       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5413       The default time unit is s (seconds).
5414

qmqpd_timeout (default: 300s)

5416       The  time  limit for sending or receiving information over the network.
5417       If a read or write operation blocks for more than  $qmqpd_timeout  sec‐
5418       onds the Postfix QMQP server gives up and disconnects.
5419
5420       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
5421       The default time unit is s (seconds).
5422

queue_directory (default: see postconf -d output)

5424       The location of the Postfix top-level queue directory. This is the root
5425       directory of Postfix daemon processes that run chrooted.
5426

queue_file_attribute_count_limit (default: 100)

5428       The  maximal  number of (name=value) attributes that may be stored in a
5429       Postfix queue file. The limit is enforced by the cleanup(8) server.
5430
5431       This feature is available in Postfix 2.0 and later.
5432

queue_minfree (default: 0)

5434       The minimal amount of free space in bytes in the queue file system that
5435       is  needed to receive mail.  This is currently used by the Postfix SMTP
5436       server to decide if it will accept any mail at all.
5437
5438       By default, the Postfix SMTP server rejects MAIL FROM commands when the
5439       amount of free space is less than 1.5*$message_size_limit (Postfix ver‐
5440       sion 2.1 and later).  To specify a higher  minimum  free  space  limit,
5441       specify a queue_minfree value that is at least 1.5*$message_size_limit.
5442
5443       With  Postfix  versions  2.0 and earlier, a queue_minfree value of zero
5444       means there is no minimum required amount of free space.
5445

queue_run_delay (default: 300s)

5447       The time between deferred queue scans by the queue  manager;  prior  to
5448       Postfix 2.4 the default value was 1000s.
5449
5450       This  parameter  should  be  set  less  than or equal to $minimal_back‐
5451       off_time. See also $maximal_backoff_time.
5452
5453       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
5454       The default time unit is s (seconds).
5455

queue_service_name (default: qmgr)

5457       The name of the qmgr(8) service. This service manages the Postfix queue
5458       and schedules delivery requests.
5459
5460       This feature is available in Postfix 2.0 and later.
5461

rbl_reply_maps (default: empty)

5463       Optional lookup tables with RBL  response  templates.  The  tables  are
5464       indexed  by  the  RBL domain name. By default, Postfix uses the default
5465       template as specified with the default_rbl_reply configuration  parame‐
5466       ter. See there for a discussion of the syntax of RBL reply templates.
5467
5468       This feature is available in Postfix 2.0 and later.
5469

readme_directory (default: see postconf -d output)

5471       The  location  of Postfix README files that describe how to build, con‐
5472       figure or operate a specific Postfix subsystem or feature.
5473

receive_override_options (default: empty)

5475       Enable or disable recipient validation, built-in content filtering,  or
5476       address  mapping.  Typically,  these are specified in master.cf as com‐
5477       mand-line arguments for the smtpd(8), qmqpd(8) or pickup(8) daemons.
5478
5479       Specify zero or more of the following options.   The  options  override
5480       main.cf  settings  and are either implemented by smtpd(8), qmqpd(8), or
5481       pickup(8) themselves, or they are forwarded to the cleanup server.
5482
5483       no_unknown_recipient_checks
5484              Do not try to reject  unknown  recipients  (SMTP  server  only).
5485              This is typically specified AFTER an external content filter.
5486
5487       no_address_mappings
5488              Disable  canonical address mapping, virtual alias map expansion,
5489              address masquerading,  and  automatic  BCC  (blind  carbon-copy)
5490              recipients.  This is typically specified BEFORE an external con‐
5491              tent filter.
5492
5493       no_header_body_checks
5494              Disable header/body_checks. This is typically specified AFTER an
5495              external content filter.
5496
5497       no_milters
5498              Disable  Milter  (mail  filter)  applications. This is typically
5499              specified AFTER an external content filter.
5500
5501       Note: when the "BEFORE content filter" receive_override_options setting
5502       is  specified  in  the main.cf file, specify the "AFTER content filter"
5503       receive_override_options setting in master.cf (and vice versa).
5504
5505       Examples:
5506
5507       receive_override_options =
5508           no_unknown_recipient_checks, no_header_body_checks
5509       receive_override_options = no_address_mappings
5510
5511       This feature is available in Postfix 2.1 and later.
5512

recipient_bcc_maps (default: empty)

5514       Optional BCC (blind carbon-copy)  address  lookup  tables,  indexed  by
5515       recipient  address.   The  BCC  address  (multiple results are not sup‐
5516       ported) is added when mail enters from outside of Postfix.
5517
5518       Specify zero or more "type:name" lookup tables, separated by whitespace
5519       or  comma. Tables will be searched in the specified order until a match
5520       is found.
5521
5522       The table search order is as follows:
5523
5524       ·      Look up the "user+extension@domain.tld"  address  including  the
5525              optional address extension.
5526
5527       ·      Look  up  the  "user@domain.tld"  address  without  the optional
5528              address extension.
5529
5530       ·      Look up the "user+extension" address local part when the recipi‐
5531              ent domain equals $myorigin, $mydestination, $inet_interfaces or
5532              $proxy_interfaces.
5533
5534       ·      Look up the "user" address local part when the recipient  domain
5535              equals    $myorigin,    $mydestination,    $inet_interfaces   or
5536              $proxy_interfaces.
5537
5538       ·      Look up the "@domain.tld" part.
5539
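The search order above, carried out on a sample table. This is an added example written for this page, not Postfix code: a plain dict stands in for the hash: table, a set of names stands in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces, and recipient_delimiter is assumed to be "+". The table contents are constructed for the example.

```python
LOCAL_DOMAINS = {"example.com", "localhost"}   # stands in for $myorigin, $mydestination, ...
RECIPIENT_DELIMITER = "+"                      # assumed main.cf recipient_delimiter

# Constructed sample table, as it might appear in /etc/postfix/recipient_bcc.
RECIPIENT_BCC = {
    "alice+billing@example.com": "archive-billing@example.com",
    "alice@example.com": "archive-alice@example.com",
    "bob+lists": "archive-bob-lists@example.com",
    "carol": "archive-carol@example.com",
    "@partner.example": "archive-partner@example.com",
}


def split_address(addr: str):
    """Return (user, extension, domain); extension is '' when absent."""
    local, _, domain = addr.rpartition("@") if "@" in addr else (addr, "", "")
    user, _, ext = local.partition(RECIPIENT_DELIMITER)
    return user, ext, domain.lower()


def bcc_lookup_keys(recipient: str):
    """The lookup keys in the order the manual lists them; keys that cannot
    apply (no extension, or a non-local domain) are left out."""
    user, ext, domain = split_address(recipient)
    keys = []
    if ext:
        keys.append(f"{user}{RECIPIENT_DELIMITER}{ext}@{domain}")
    keys.append(f"{user}@{domain}")
    if domain in LOCAL_DOMAINS:          # bare local parts only for local domains
        if ext:
            keys.append(f"{user}{RECIPIENT_DELIMITER}{ext}")
        keys.append(user)
    keys.append(f"@{domain}")
    return keys


def recipient_bcc(recipient: str, table=RECIPIENT_BCC):
    """First matching key wins; None means no automatic BCC is added.
    Multiple results per entry are not supported, so one address comes back."""
    for key in bcc_lookup_keys(recipient):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for rcpt in ["alice+billing@example.com", "alice+other@example.com",
                 "bob+lists@example.com", "bob+lists@partner.example",
                 "carol@example.com", "carol@other.example"]:
        print(f"{rcpt:28} keys={bcc_lookup_keys(rcpt)} -> {recipient_bcc(rcpt)}")
```

The bare "user" and "user+extension" keys are only consulted for local domains, so a "carol" entry cannot be triggered by mail to carol@other.example; the "@domain" entry is the catch-all and is tried last.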
5540       Note: with Postfix 2.3 and later the BCC address is added as if it  was
5541       specified  with  NOTIFY=NONE.  The sender will not be notified when the
5542       BCC address is undeliverable,  as  long  as  all  down-stream  software
5543       implements RFC 3461.
5544
5545       Note:  with  Postfix 2.2 and earlier the sender will unconditionally be
5546       notified when the BCC address is undeliverable.
5547
5548       Note: automatic BCC recipients are produced  only  for  new  mail.   To
5549       avoid  mailer  loops,  automatic BCC recipients are not generated after
5550       Postfix forwards mail  internally,  or  after  Postfix  generates  mail
5551       itself.
5552
5553       Example:
5554
5555       recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
5556
5557       After a change, run "postmap /etc/postfix/recipient_bcc".
5558
5559       This feature is available in Postfix 2.1 and later.
5560

recipient_canonical_classes (default: envelope_recipient, header_recipient)

5562       What addresses are subject to recipient_canonical_maps address mapping.
5563       By default, recipient_canonical_maps  address  mapping  is  applied  to
5564       envelope recipient addresses, and to header recipient addresses.
5565
5566       Specify one or more of: envelope_recipient, header_recipient
5567
5568       This feature is available in Postfix 2.2 and later.
5569

recipient_canonical_maps (default: empty)

5571       Optional  address mapping lookup tables for envelope and header recipi‐
5572       ent addresses.  The table format and lookups are documented in  canoni‐
5573       cal(5).
5574
5575       Note: $recipient_canonical_maps is processed before $canonical_maps.
5576
5577       Example:
5578
5579       recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
5580

recipient_delimiter (default: empty)

5582       The  set of characters that can separate a user name from its extension
5583       (example: user+foo), or a .forward file name from its extension  (exam‐
5584       ple:  .forward+foo).   Basically, the software tries user+foo and .for‐
5585       ward+foo before trying user and .forward.  This  implementation  recog‐
5586       nizes  one  delimiter  character and one extension per email address or
5587       .forward file name.
5588
5589       When the recipient_delimiter set contains multiple characters  (Postfix
5590       2.11  and  later),  a user name or .forward file name is separated from
5591       its extension by the first character that matches the  recipient_delim‐
5592       iter set.
5593
5594       See canonical(5), local(8), relocated(5) and virtual(5) for the effects
5595       of recipient_delimiter on lookups in aliases, canonical,  virtual,  and
5596       relocated  maps,  and  see the propagate_unmatched_extensions parameter
5597       for propagating an extension from one email address to another.
5598
5599       When used in command_execution_directory, forward_path, or luser_relay,
5600       ${recipient_delimiter}  is replaced with the actual recipient delimiter
5601       that was found in the recipient email address (Postfix 2.11 and later),
5602       or  it is replaced with the main.cf recipient_delimiter parameter value
5603       (Postfix 2.10 and earlier).
5604
5605       The recipient_delimiter is not applied to  the  mailer-daemon  address,
5606       the  postmaster address, or the double-bounce address. With the default
5607       "owner_request_special = yes" setting, the recipient_delimiter is  also
5608       not  applied  to addresses with the special "owner-" prefix or the spe‐
5609       cial "-request" suffix.
5610
5611       Examples:
5612
5613       # Handle Postfix-style extensions.
5614       recipient_delimiter = +
5615
5616       # Handle both Postfix and qmail extensions (Postfix 2.11 and later).
5617       recipient_delimiter = +-
5618
5619       # Use .forward for mail without address extension, and for mail with
5620       # an unrecognized address extension.
5621       forward_path = $home/.forward${recipient_delimiter}${extension},
5622           $home/.forward
5623
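The splitting rules above, together with the extension propagation described under propagate_unmatched_extensions earlier on this page, as an added example written for this page (not Postfix code). It uses the "+-" delimiter set from the example, the documented exceptions for the mailer-daemon, postmaster and double-bounce addresses and, with owner_request_special=yes, for "owner-" and "-request" addresses, and a constructed virtual(5) table. Only the "user+ext@domain" and "user@domain" lookups are shown; the "@domain" lookup that virtual(5) also performs is omitted.

```python
RECIPIENT_DELIMITER = "+-"          # "Handle both Postfix and qmail extensions"
OWNER_REQUEST_SPECIAL = True        # the documented default
SPECIAL_LOCALPARTS = {"mailer-daemon", "postmaster", "double-bounce"}

# Constructed virtual(5) alias table: lookup key -> result.
VIRTUAL_ALIAS = {"joe@example.com": "joe.user@example.net"}


def split_localpart(local: str):
    """Return (user, delimiter, extension); delimiter and extension are ''
    when the address is not split.  The split happens at the first character
    (left to right) that is in the recipient_delimiter set."""
    low = local.lower()
    if low in SPECIAL_LOCALPARTS:
        return local, "", ""
    if OWNER_REQUEST_SPECIAL and (low.startswith("owner-") or low.endswith("-request")):
        return local, "", ""
    for i, ch in enumerate(local):
        if ch in RECIPIENT_DELIMITER:
            return local[:i], ch, local[i + 1:]
    return local, "", ""


def virtual_rewrite(addr: str, table=VIRTUAL_ALIAS, propagate=True):
    """Look up user+ext@domain, then user@domain.  With propagation on (the
    default propagate_unmatched_extensions includes 'virtual'), an extension
    that was not part of the matched key is re-attached to the result, using
    the delimiter character that was actually found in the address."""
    local, _, domain = addr.rpartition("@")
    user, delim, ext = split_localpart(local)
    if addr in table:                    # full address matched: nothing unmatched
        return table[addr]
    bare = f"{user}@{domain}"
    if bare not in table:
        return addr                      # no mapping: address is unchanged
    result = table[bare]
    if propagate and ext:
        rlocal, _, rdomain = result.rpartition("@")
        return f"{rlocal}{delim}{ext}@{rdomain}"
    return result


if __name__ == "__main__":
    for lp in ["joe+foo", "joe-foo+bar", "owner-list", "list-request", "postmaster"]:
        print(f"{lp:14} -> {split_localpart(lp)}")
    print(virtual_rewrite("joe+foo@example.com"))
    print(virtual_rewrite("joe-foo@example.com", propagate=False))
```

Because the first delimiter wins, "joe-foo+bar" yields the extension "foo+bar" rather than "bar"; and because "owner-list" and "list-request" are never split, a "-" in the delimiter set does not break mailing-list owner aliases.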

reject_code (default: 554)

5625       The numerical Postfix SMTP server response  code  when  a  remote  SMTP
5626       client request is rejected by the "reject" restriction.
5627
5628       Do  not  change  this  unless  you have a complete understanding of RFC
5629       5321.
5630

reject_tempfail_action (default: defer_if_permit)

5632       The Postfix SMTP server's action when a reject-type  restriction  fails
5633       due to a temporary error condition. Specify "defer" to defer the remote
5634       SMTP client request immediately.  With  the  default  "defer_if_permit"
5635       action,  the Postfix SMTP server continues to look for opportunities to
5636       reject mail, and defers the client request only if it  would  otherwise
5637       be accepted.
5638
5639       For  finer  control, see: unverified_recipient_tempfail_action, unveri‐
5640       fied_sender_tempfail_action,    unknown_address_tempfail_action,    and
5641       unknown_helo_hostname_tempfail_action.
5642
5643       This feature is available in Postfix 2.6 and later.
5644

relay_clientcerts (default: empty)

5646       List of tables with remote SMTP client-certificate fingerprints or pub‐
5647       lic key fingerprints (Postfix 2.9 and later) for which the Postfix SMTP
5648       server  will allow access with the permit_tls_clientcerts feature.  The
5649       fingerprint digest algorithm is configurable via the  smtpd_tls_finger‐
5650       print_digest  parameter  (hard-coded  as  md5  prior to Postfix version
5651       2.5).
5652
5653       Postfix lookup tables are in the form of (key, value) pairs.  Since  we
5654       only  need  the  key, the value can be chosen freely, e.g.  the name of
5655       the  user  or  host:
5656           D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

5657
5658       Example:
5659
5660       relay_clientcerts = hash:/etc/postfix/relay_clientcerts
5661
5662       For  more  fine-grained  control,  use  check_ccert_access to select an
5663       appropriate  access(5)  policy   for   each   client.    See   RESTRIC‐
5664       TION_CLASS_README.
5665
5666       Note:  Postfix  2.9.0-2.9.5  computed the public key fingerprint incor‐
5667       rectly. To use public-key fingerprints, upgrade  to  Postfix  2.9.6  or
5668       later.
5669
5670       This feature is available with Postfix version 2.2.
5671

relay_destination_concurrency_limit (default: $default_destination_concurrency_limit)

5674       The maximal number of parallel deliveries to the same  destination  via
5675       the  relay  message  delivery  transport. This limit is enforced by the
5676       queue manager. The message delivery transport name is the  first  field
5677       in the entry in the master.cf file.
5678
5679       This feature is available in Postfix 2.0 and later.
5680

relay_destination_recipient_limit (default: $default_destination_recipient_limit)

5683       The maximal number of recipients per  message  for  the  relay  message
5684       delivery  transport.  This  limit is enforced by the queue manager. The
5685       message delivery transport name is the first field in the entry in  the
5686       master.cf file.
5687
5688       Setting  this  parameter  to  a  value  of  1  changes  the  meaning of
5689       relay_destination_concurrency_limit from concurrency  per  domain  into
5690       concurrency per recipient.
5691
5692       This feature is available in Postfix 2.0 and later.
5693

relay_domains (default: Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)

5695       What  destination  domains  (and  subdomains  thereof) this system will
5696       relay mail to. For details about how the relay_domains value  is  used,
5697       see    the    description    of    the    permit_auth_destination   and
5698       reject_unauth_destination SMTP recipient restrictions.
5699
5700       Domains that match $relay_domains are delivered with the  $relay_trans‐
5701       port  mail  delivery  transport.  The  SMTP  server validates recipient
5702       addresses with $relay_recipient_maps and rejects  non-existent  recipi‐
5703       ents.   See   also   the   relay   domains   address   class   in   the
5704       ADDRESS_CLASS_README file.
5705
5706       Note: Postfix will not automatically forward mail for domains that list
5707       this  system  as  their  primary  or  backup  MX  host.  See  the  per‐
5708       mit_mx_backup restriction in the postconf(5) manual page.
5709
5710       Specify a list of  host  or  domain  names,  "/file/name"  patterns  or
5711       "type:table"  lookup  tables,  separated  by  commas and/or whitespace.
5712       Continue long lines by  starting  the  next  line  with  whitespace.  A
5713       "/file/name" pattern is replaced by its contents; a "type:table" lookup
5714       table is matched when a (parent) domain appears as lookup key.  Specify
5715       "!pattern" to exclude a domain from the list. The form "!/file/name" is
5716       supported only in Postfix version 2.4 and later.
5717
5718       Pattern matching of domain names  is  controlled  by  the  presence  or
5719       absence  of  "relay_domains"  in  the  parent_domain_matches_subdomains
5720       parameter value.
5721
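The domain matching described above in working form, as an added example written for this page (not Postfix code). It implements "!pattern" exclusion, left-to-right first-match evaluation, and the two subdomain behaviours: when "relay_domains" is listed in parent_domain_matches_subdomains a pattern "example.com" also matches "mail.example.com"; when it is not, only a pattern written with a leading dot, ".example.com", matches subdomains (this leading-dot convention is the one documented under parent_domain_matches_subdomains). A "type:table" pattern is modelled as a set of keys supplied by the caller, since only key presence counts; "/file/name" patterns are not modelled.

```python
import re


def _lookup_keys(domain: str, match_subdomains: bool):
    """Keys tried against a "type:table", in order: the domain itself, then
    each parent domain, written without a leading dot when
    parent_domain_matches_subdomains applies and with one otherwise."""
    labels = domain.split(".")
    keys = [domain]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if match_subdomains else "." + parent)
    return keys


def _literal_match(pattern: str, domain: str, match_subdomains: bool) -> bool:
    if pattern.startswith("."):              # ".example.com": subdomains only
        return domain.endswith(pattern)
    if domain == pattern:
        return True
    return match_subdomains and domain.endswith("." + pattern)


def relay_domain_match(domain: str, relay_domains: str,
                       match_subdomains: bool, tables=None) -> bool:
    """True when domain is covered by $relay_domains.  match_subdomains is
    True when "relay_domains" is listed in parent_domain_matches_subdomains.
    tables maps a "type:table" pattern to the set of keys that table holds."""
    tables = tables or {}
    domain = domain.lower().rstrip(".")
    for pat in re.split(r"[\s,]+", relay_domains.strip()):
        if not pat:
            continue
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if pat.startswith("/"):
            raise ValueError(f"/file/name patterns are not modelled: {pat!r}")
        if ":" in pat:
            keys = tables.get(pat)
            if keys is None:
                raise ValueError(f"no contents supplied for {pat!r}")
            hit = any(k in keys for k in _lookup_keys(domain, match_subdomains))
        else:
            hit = _literal_match(pat.lower(), domain, match_subdomains)
        if hit:
            return not negated           # first match decides; "!" inverts it
    return False


if __name__ == "__main__":
    rd = "!insecure.example.com, example.com, .example.org"
    for d in ["example.com", "mail.example.com", "insecure.example.com",
              "mail.example.org", "example.org", "notexample.com"]:
        print(f"{d:24} subdomains={relay_domain_match(d, rd, True)!s:5} "
              f"exact={relay_domain_match(d, rd, False)}")
```

Two points worth checking on a real configuration: an exclusion must come before the broader pattern it carves out of (listed after "example.com", "!insecure.example.com" would never be reached), and with subdomain matching enabled a short key such as "com" in a table would turn the server into a relay for every .com domain.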

relay_domains_reject_code (default: 554)

5723       The numerical Postfix SMTP server response code when a  client  request
5724       is rejected by the reject_unauth_destination recipient restriction.
5725
5726       Do  not  change  this  unless  you have a complete understanding of RFC
5727       5321.
5728

relay_recipient_maps (default: empty)

5730       Optional lookup tables with all valid addresses in the domains that
5731       match $relay_domains.  Specify @domain as a wild-card for domains that
5732       have no valid recipient list; such domains become a source of
5733       backscatter mail, because Postfix accepts spam for non-existent
5734       recipients and then floods innocent people with undeliverable mail.
5735       Technically, tables listed with $relay_recipient_maps are used as
5736       lists: Postfix needs to know only whether a lookup string is found;
5737       it does not use the result from table lookup.
5738
5739       Specify zero or more "type:name" lookup tables, separated by whitespace
5740       or comma. Tables will be searched in the specified order until a  match
5741       is found.
5742
5743       If  this  parameter  is  non-empty,  then  the Postfix SMTP server will
5744       reject mail to unknown relay users. This feature is off by default.
5745
5746       See also the relay domains address class  in  the  ADDRESS_CLASS_README
5747       file.
5748
5749       Example:
5750
5751       relay_recipient_maps = hash:/etc/postfix/relay_recipients
5752
5753       This feature is available in Postfix 2.0 and later.
5754

relay_transport (default: relay)

5756       The default mail delivery transport and next-hop destination for remote
5757       delivery to domains listed with $relay_domains. In order of  decreasing
5758       precedence,  the  nexthop  destination  is taken from $relay_transport,
5759       $sender_dependent_relayhost_maps, $relayhost,  or  from  the  recipient
5760       domain. This information can be overruled with the transport(5) table.
5761
5762       Specify  a string of the form transport:nexthop, where transport is the
5763       name of a mail delivery transport defined in master.cf.   The  :nexthop
5764       destination is optional; its syntax is documented in the manual page of
5765       the corresponding delivery agent.
5766
5767       See also the relay domains address class  in  the  ADDRESS_CLASS_README
5768       file.
5769
5770       This feature is available in Postfix 2.0 and later.
5771

relayhost (default: empty)

5773       The  next-hop  destination(s)  for  non-local mail; overrides non-local
5774       domains in recipient addresses.  This  information  is  overruled  with
5775       relay_transport,               sender_dependent_default_transport_maps,
5776       default_transport, sender_dependent_relayhost_maps and with the  trans‐
5777       port(5) table.
5778
5779       On  an intranet, specify the organizational domain name. If your inter‐
5780       nal DNS uses no MX records, specify the name of  the  intranet  gateway
5781       host instead.
5782
5783       In  the case of SMTP or LMTP delivery, specify one or more destinations
5784       in the form of a domain name, hostname, hostname:port, [hostname]:port,
5785       [hostaddress]  or [hostaddress]:port, separated by comma or whitespace.
5786       The form [hostname] turns off MX  lookups.  Multiple  destinations  are
5787       supported in Postfix 3.5 and later.
5788
5789       If  you're  connected  via  UUCP,  see  the UUCP_README file for useful
5790       information.
5791
5792       Examples:
5793
5794       relayhost = $mydomain
5795       relayhost = [gateway.example.com]
5796       relayhost = mail1.example:587, mail2.example:587
5797       relayhost = [an.ip.add.ress]
5798
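A parser for the destination forms listed above, and for the "transport:nexthop" form used by relay_transport earlier on this page, as an added example written for this page (not Postfix code). It handles domain or host names, host:port, [host]:port, [address] and [address]:port, several destinations separated by comma or whitespace (Postfix 3.5 and later), and records that a destination written inside [] turns off MX lookups. Port values are kept as strings, so symbolic service names are not resolved.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NextHop:
    host: str             # domain, hostname, or literal address (brackets removed)
    port: Optional[str]   # None: use the delivery agent's default port
    use_mx: bool          # False when written inside [], which turns off MX lookups


def parse_transport(value: str) -> Tuple[str, Optional[str]]:
    """'transport:nexthop' -> (transport, nexthop); nexthop is None if absent."""
    transport, sep, nexthop = value.strip().partition(":")
    return transport, (nexthop if sep else None)


def parse_nexthops(value: str) -> List[NextHop]:
    """Split a relayhost-style value into NextHop entries, in the order written."""
    hops = []
    for item in re.split(r"[\s,]+", value.strip()):
        if not item:
            continue
        m = re.fullmatch(r"\[([^\]]+)\](?::([A-Za-z0-9-]+))?", item)
        if m:                                    # [host] or [host]:port
            hops.append(NextHop(m.group(1), m.group(2), use_mx=False))
            continue
        if item.count(":") > 1:                  # a bare IPv6 literal is ambiguous
            raise ValueError(f"write IPv6 literals inside []: {item!r}")
        host, _, port = item.partition(":")
        if not host:
            raise ValueError(f"empty host in {item!r}")
        hops.append(NextHop(host, port or None, use_mx=True))
    return hops


if __name__ == "__main__":
    for value in ["[gateway.example.com]",
                  "mail1.example:587, mail2.example:587",
                  "[192.0.2.10]:2525",
                  "[2001:db8::25]:25"]:
        print(f"{value:40} -> {parse_nexthops(value)}")
    print(parse_transport("smtp:[relay.example.com]:25"))
```

The bracket test is the one that matters operationally: "relay.example.com" is an MX lookup on that name, while "[relay.example.com]" is a direct connection to that host, which is usually what is intended for an explicit gateway.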

relocated_maps (default: empty)

5800       Optional lookup tables  with  new  contact  information  for  users  or
5801       domains  that  no longer exist.  The table format and lookups are docu‐
5802       mented in relocated(5).
5803
5804       Specify zero or more "type:name" lookup tables, separated by whitespace
5805       or  comma. Tables will be searched in the specified order until a match
5806       is found.
5807
5808       If you use this feature, run "postmap /etc/postfix/relocated" to  build
5809       the  necessary  DBM  or  DB file after change, then "postfix reload" to
5810       make the changes visible.
5811
5812       Examples:
5813
5814       relocated_maps = dbm:/etc/postfix/relocated
5815       relocated_maps = hash:/etc/postfix/relocated
5816

remote_header_rewrite_domain (default: empty)

5818       Don't rewrite message headers from remote  clients  at  all  when  this
5819       parameter  is  empty; otherwise, rewrite message headers and append the
5820       specified domain name to incomplete  addresses.   The  local_header_re‐
5821       write_clients parameter controls what clients Postfix considers local.
5822
5823       Examples:
5824
5825       The   safe   setting:  append  "domain.invalid"  to  incomplete  header
5826       addresses from remote SMTP clients, so that those addresses  cannot  be
5827       confused with local addresses.
5828
5829           remote_header_rewrite_domain = domain.invalid
5830
5831       The default, purist, setting: don't rewrite headers from remote clients
5832       at all.
5833
5834           remote_header_rewrite_domain =
5835

require_home_directory (default: no)

5837       Require that a local(8) recipient's home directory exists  before  mail
5838       delivery  is  attempted.  By  default this test is disabled.  It can be
5839       useful for environments that import home directories to the mail server
5840       (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
5841

reset_owner_alias (default: no)

       Reset the local(8) delivery agent's idea of the owner-alias attribute,
       when delivering mail to a child alias that does not have its own owner
       alias.

       This feature is available in Postfix 2.8 and later. With older Postfix
       releases, the behavior is as if this parameter is set to "yes".

       As documented in aliases(5), when an alias name has a companion alias
       named owner-name, this will replace the envelope sender address, so
       that delivery errors will be reported to the owner alias instead of the
       sender. This configuration is recommended for mailing lists.

       A less known property of the owner alias is that it also forces the
       local(8) delivery agent to write local and remote addresses from alias
       expansion to a new queue file, instead of attempting to deliver mail to
       local addresses as soon as they come out of alias expansion.

       Writing local addresses from alias expansion to a new queue file allows
       for robust handling of temporary delivery errors: errors with one local
       member have no effect on deliveries to other members of the list. On
       the other hand, delivery to local addresses as soon as they come out of
       alias expansion is fragile: a temporary error with one local address
       from alias expansion will cause the entire alias to be expanded
       repeatedly until the error goes away, or until the message expires in
       the queue. In that case, a problem with one list member results in
       multiple message deliveries to other list members.

       The default behavior of Postfix 2.8 and later is to keep the
       owner-alias attribute of the parent alias, when delivering mail to a
       child alias that does not have its own owner alias. Then, local
       addresses from that child alias will be written to a new queue file,
       and a temporary error with one local address will not affect delivery
       to other mailing list members.

       Unfortunately, older Postfix releases reset the owner-alias attribute
       when delivering mail to a child alias that does not have its own owner
       alias. To be precise, this resets only the decision to create a new
       queue file, not the decision to override the envelope sender address.
       The local(8) delivery agent then attempts to deliver local addresses as
       soon as they come out of child alias expansion. If delivery to any
       address from child alias expansion fails with a temporary error
       condition, the entire mailing list may be expanded repeatedly until the
       mail expires in the queue, resulting in multiple deliveries of the same
       message to mailing list members.


resolve_dequoted_address (default: yes)

       Resolve a recipient address safely instead of correctly, by looking
       inside quotes.

       By default, the Postfix address resolver does not quote the address
       localpart as per RFC 822, so that additional @ or % or ! operators
       remain visible. This behavior is safe but it is also technically
       incorrect.

       If you specify "resolve_dequoted_address = no", then the Postfix
       resolver will not know about additional @ etc. operators in the address
       localpart. This opens opportunities for obscure mail relay attacks with
       user@domain@domain addresses when Postfix provides backup MX service
       for Sendmail systems.


resolve_null_domain (default: no)

       Resolve an address that ends in the "@" null domain as if the local
       hostname were specified, instead of rejecting the address as invalid.

       This feature is available in Postfix 2.1 and later. Earlier versions
       always resolve the null domain as the local hostname.

       The Postfix SMTP server uses this feature to reject mail from or to
       addresses that end in the "@" null domain, and from addresses that
       rewrite into a form that ends in the "@" null domain.


resolve_numeric_domain (default: no)

       Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting
       the address as invalid.

       This feature is available in Postfix 2.3 and later.


rewrite_service_name (default: rewrite)

       The name of the address rewriting service. This service rewrites
       addresses to standard form and resolves them to a (delivery method,
       next-hop host, recipient) triple.

       This feature is available in Postfix 2.0 and later.


sample_directory (default: /etc/postfix)

       The name of the directory with example Postfix configuration files.
       Starting with Postfix 2.1, these files have been replaced with the
       postconf(5) manual page.


send_cyrus_sasl_authzid (default: no)

       When authenticating to a remote SMTP or LMTP server with the default
       setting "no", send no SASL authoriZation ID (authzid); send only the
       SASL authentiCation ID (authcid) plus the authcid's password.

       The non-default setting "yes" enables the behavior of older Postfix
       versions. These always send a SASL authzid that is equal to the SASL
       authcid, but this causes interoperability problems with some SMTP
       servers.

       This feature is available in Postfix 2.4.4 and later.


sender_based_routing (default: no)

       This parameter should not be used. It was replaced by
       sender_dependent_relayhost_maps in Postfix version 2.3.


sender_bcc_maps (default: empty)

       Optional BCC (blind carbon-copy) address lookup tables, indexed by
       sender address. The BCC address (multiple results are not supported)
       is added when mail enters from outside of Postfix.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       The table search order is as follows:

       ·      Look up the "user+extension@domain.tld" address including the
              optional address extension.

       ·      Look up the "user@domain.tld" address without the optional
              address extension.

       ·      Look up the "user+extension" address local part when the sender
              domain equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       ·      Look up the "user" address local part when the sender domain
              equals $myorigin, $mydestination, $inet_interfaces or
              $proxy_interfaces.

       ·      Look up the "@domain.tld" part.

       Note: with Postfix 2.3 and later the BCC address is added as if it was
       specified with NOTIFY=NONE. The sender will not be notified when the
       BCC address is undeliverable, as long as all down-stream software
       implements RFC 3461.

       Note: with Postfix 2.2 and earlier the sender will be notified when the
       BCC address is undeliverable.

       Note: automatic BCC recipients are produced only for new mail. To
       avoid mailer loops, automatic BCC recipients are not generated after
       Postfix forwards mail internally, or after Postfix generates mail
       itself.

       Example:

       sender_bcc_maps = hash:/etc/postfix/sender_bcc

       After a change, run "postmap /etc/postfix/sender_bcc".

       This feature is available in Postfix 2.1 and later.

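       The search order listed above, worked through in an added example
       (not Postfix code) over a constructed in-memory table. It assumes a
       dict stands in for a "hash:" table, that keys and lookups are
       lower-cased, and that "+" is the recipient_delimiter.

```python
"""Added example (not Postfix code): the sender_bcc_maps search order
documented in postconf(5), applied to a constructed in-memory table.

Assumptions: a dict stands in for a "hash:" table, keys and lookups are
lower-cased, and "+" is the recipient_delimiter.
"""

# Constructed stand-in for the set $myorigin, $mydestination,
# $inet_interfaces and $proxy_interfaces (the "local" sender domains).
LOCAL_DOMAINS = {"example.com"}

# Constructed table, as /etc/postfix/sender_bcc would look after postmap.
SENDER_BCC = {
    "alice+lists@example.com": "archive-lists@audit.example",
    "alice@example.com": "archive-alice@audit.example",
    "bob": "archive-bob@audit.example",
    "@example.com": "archive-all@audit.example",
}


def bcc_lookup_keys(sender, local_domains, delimiter="+"):
    """Return the lookup keys for `sender` in postconf(5) search order."""
    sender = sender.lower()
    if "@" not in sender:            # empty (<>) or malformed envelope sender
        return []
    localpart, domain = sender.rsplit("@", 1)
    user, _, extension = localpart.partition(delimiter)
    keys = []
    if extension:
        keys.append(f"{localpart}@{domain}")   # user+extension@domain.tld
    keys.append(f"{user}@{domain}")            # user@domain.tld
    if domain in local_domains:                # local-part forms: local only
        if extension:
            keys.append(localpart)             # user+extension
        keys.append(user)                      # user
    keys.append(f"@{domain}")                  # @domain.tld
    return keys


def sender_bcc_lookup(table, sender, local_domains=LOCAL_DOMAINS):
    """First hit wins: Postfix stops searching at the first match."""
    for key in bcc_lookup_keys(sender, local_domains):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for s in ("Alice+lists@example.com", "bob+x@example.com",
              "carol@example.com", "bob@other.example"):
        print(s, "->", sender_bcc_lookup(SENDER_BCC, s))
```

       Note that "bob+x@example.com" falls through to the bare "bob" key only
       because example.com is a local domain; the same sender at
       other.example matches nothing.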

sender_canonical_classes (default: envelope_sender, header_sender)

       What addresses are subject to sender_canonical_maps address mapping.
       By default, sender_canonical_maps address mapping is applied to
       envelope sender addresses, and to header sender addresses.

       Specify one or more of: envelope_sender, header_sender

       This feature is available in Postfix 2.2 and later.


sender_canonical_maps (default: empty)

       Optional address mapping lookup tables for envelope and header sender
       addresses. The table format and lookups are documented in
       canonical(5).

       Example: you want to rewrite the SENDER address "user@ugly.domain" to
       "user@pretty.domain", while still being able to send mail to the
       RECIPIENT address "user@ugly.domain".

       Note: $sender_canonical_maps is processed before $canonical_maps.

       Example:

       sender_canonical_maps = hash:/etc/postfix/sender_canonical


sender_dependent_default_transport_maps (default: empty)

       A sender-dependent override for the global default_transport parameter
       setting. The tables are searched by the envelope sender address and
       @domain. A lookup result of DUNNO terminates the search without
       overriding the global default_transport parameter setting. This
       information is overruled with the transport(5) table.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       Note: this overrides default_transport, not transport_maps, and
       therefore the expected syntax is that of default_transport, not the
       syntax of transport_maps. Specifically, this does not support the
       transport_maps syntax for null transport, null nexthop, or null email
       addresses.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.7 and later.


sender_dependent_relayhost_maps (default: empty)

       A sender-dependent override for the global relayhost parameter setting.
       The tables are searched by the envelope sender address and @domain. A
       lookup result of DUNNO terminates the search without overriding the
       global relayhost parameter setting (Postfix 2.6 and later). This
       information is overruled with relay_transport,
       sender_dependent_default_transport_maps, default_transport and with
       the transport(5) table.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       For safety reasons, this feature does not allow $number substitutions
       in regular expression maps.

       This feature is available in Postfix 2.3 and later.


sendmail_fix_line_endings (default: always)

       Controls how the Postfix sendmail command converts email message line
       endings from <CR><LF> into UNIX format (<LF>).

       always Always convert message lines ending in <CR><LF>. This setting is
              the default with Postfix 2.9 and later.

       strict Convert message lines ending in <CR><LF> only if the first input
              line ends in <CR><LF>. This setting is backwards-compatible with
              Postfix 2.8 and earlier.

       never  Never convert message lines ending in <CR><LF>. This setting
              exists for completeness only.

       This feature is available in Postfix 2.9 and later.

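       The three settings, as an added example (not the Postfix sendmail(1)
       source) applied to constructed message bytes with mixed line endings.
       It assumes that only lines ending in <CR><LF> are touched, that a bare
       <CR> inside a line is left alone, and that "strict" decides from the
       first input line only.

```python
"""Added example (not the Postfix sendmail(1) source): the three
sendmail_fix_line_endings modes from postconf(5), applied to constructed
message bytes. Only lines that end in <CR><LF> are converted; a bare <CR>
inside a line is left alone, and "strict" decides from the first line only.
"""

MODES = ("always", "strict", "never")


def _split_keep_lf(data: bytes):
    """Split on <LF> only (not on bare <CR>), keeping the terminator."""
    parts = data.split(b"\n")
    lines = [p + b"\n" for p in parts[:-1]]
    if parts[-1]:                        # unterminated last line
        lines.append(parts[-1])
    return lines


def fix_line_endings(data: bytes, mode: str = "always") -> bytes:
    """Return `data` with <CR><LF> line endings rewritten per `mode`."""
    if mode not in MODES:
        raise ValueError(f"bad sendmail_fix_line_endings value: {mode!r}")
    lines = _split_keep_lf(data)
    if mode == "never":
        convert = False
    elif mode == "strict":
        # Backwards-compatible rule: the first input line decides.
        convert = bool(lines) and lines[0].endswith(b"\r\n")
    else:
        convert = True
    if not convert:
        return data
    return b"".join(ln[:-2] + b"\n" if ln.endswith(b"\r\n") else ln
                    for ln in lines)


# Constructed sample: a message with mixed endings, as a Windows MUA
# piping into sendmail(1) might produce.
SAMPLE = b"From: a@example.com\r\nSubject: t\nbody with\rbare CR\r\n"

if __name__ == "__main__":
    for m in MODES:
        print(m, fix_line_endings(SAMPLE, m))
```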

sendmail_path (default: see postconf -d output)

       A Sendmail compatibility feature that specifies the location of the
       Postfix sendmail(1) command. This command can be used to submit mail
       into the Postfix queue.


service_name (read-only)

       The master.cf service name of a Postfix daemon process. This can be
       used to distinguish the logging from different services that use the
       same program name.

       Example master.cf entries:

       # Distinguish inbound MTA logging from submission and smtps logging.
       smtp      inet  n       -       n       -       -       smtpd
       submission inet n       -       n       -       -       smtpd
           -o syslog_name=postfix/$service_name
       smtps     inet  n       -       n       -       -       smtpd
           -o syslog_name=postfix/$service_name

       # Distinguish outbound MTA logging from inbound relay logging.
       smtp      unix  -       -       n       -       -       smtp
       relay     unix  -       -       n       -       -       smtp
           -o syslog_name=postfix/$service_name


service_throttle_time (default: 60s)

       How long the Postfix master(8) waits before forking a server that
       appears to be malfunctioning.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


setgid_group (default: postdrop)

       The group ownership of set-gid Postfix commands and of group-writable
       Postfix directories. When this parameter value is changed you need to
       re-run "postfix set-permissions" (with Postfix version 2.0 and earlier:
       "/etc/postfix/post-install set-permissions").


shlib_directory (default: see 'postconf -d' output)

       The location of Postfix dynamically-linked libraries (libpostfix-*.so),
       and the default location of Postfix database plugins (postfix-*.so)
       that have a relative pathname in the dynamicmaps.cf file. The
       shlib_directory parameter defaults to "no" when Postfix
       dynamically-linked libraries and database plugins are disabled at
       compile time, otherwise it typically defaults to /usr/lib/postfix or
       /usr/local/lib/postfix.

       Notes:

       ·      The directory specified with shlib_directory should contain only
              Postfix-related files. Postfix dynamically-linked libraries and
              database plugins should not be installed in a "public" system
              directory such as /usr/lib or /usr/local/lib. Linking Postfix
              dynamically-linked library files or database plugins into
              non-Postfix programs is not supported. Postfix
              dynamically-linked libraries and database plugins implement a
              Postfix-internal API that changes without maintaining
              compatibility.

       ·      You can change the shlib_directory value after Postfix is built.
              However, you may have to run ldconfig or equivalent to prevent
              Postfix programs from failing because the libpostfix-*.so files
              are not found. No ldconfig command is needed if you keep the
              libpostfix-*.so files in the compiled-in default
              $shlib_directory location.

       This feature is available in Postfix 3.0 and later.


show_user_unknown_table_name (default: yes)

       Display the name of the recipient table in the "User unknown"
       responses. The extra detail makes troubleshooting easier but also
       reveals information that is nobody else's business.

       This feature is available in Postfix 2.0 and later.


showq_service_name (default: showq)

       The name of the showq(8) service. This service produces mail queue
       status reports.

       This feature is available in Postfix 2.0 and later.


smtp_address_preference (default: any)

       The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
       will try first, when a destination has IPv6 and IPv4 addresses with
       equal MX preference. This feature has no effect unless the
       inet_protocols setting enables both IPv4 and IPv6.

       Postfix SMTP client address preference has evolved. With Postfix 2.8
       the default is "ipv6"; earlier implementations are hard-coded to prefer
       IPv6 over IPv4.

       Notes for mail delivery between sites that have both IPv4 and IPv6
       connectivity:

       ·      The setting "smtp_address_preference = ipv6" is unsafe. It can
              fail to deliver mail when there is an outage that affects IPv6,
              while the destination is still reachable over IPv4.

       ·      The setting "smtp_address_preference = any" is safe. With this,
              mail will eventually be delivered even if there is an outage
              that affects IPv6 or IPv4, as long as it does not affect both.

       This feature is available in Postfix 2.8 and later.


smtp_address_verify_target (default: rcpt)

       In the context of email address verification, the SMTP protocol stage
       that determines whether an email address is deliverable. Specify one
       of "rcpt" or "data". The latter is needed with remote SMTP servers
       that reject recipients after the DATA command. Use transport_maps to
       apply this feature selectively:

           /etc/postfix/main.cf:
               transport_maps = hash:/etc/postfix/transport

           /etc/postfix/transport:
               smtp-domain-that-verifies-after-data    smtp-data-target:
               lmtp-domain-that-verifies-after-data    lmtp-data-target:

           /etc/postfix/master.cf:
               smtp-data-target    unix    -    -    n    -    -    smtp
                   -o smtp_address_verify_target=data
               lmtp-data-target    unix    -    -    n    -    -    lmtp
                   -o lmtp_address_verify_target=data

       Unselective use of the "data" target does no harm, but will result in
       unnecessary "lost connection after DATA" events at remote SMTP/LMTP
       servers.

       This feature is available in Postfix 3.0 and later.


smtp_always_send_ehlo (default: yes)

       Always send EHLO at the start of an SMTP session.

       With "smtp_always_send_ehlo = no", the Postfix SMTP client sends EHLO
       only when the word "ESMTP" appears in the server greeting banner
       (example: 220 spike.porcupine.org ESMTP Postfix).


smtp_balance_inet_protocols (default: yes)

       When a remote destination resolves to a combination of IPv4 and IPv6
       addresses, ensure that the Postfix SMTP client can try both address
       types before it runs into the smtp_mx_address_limit.

       This avoids an interoperability problem when a destination resolves to
       primarily IPv6 addresses, the smtp_mx_address_limit feature eliminates
       most or all IPv4 addresses, and the destination is not reachable over
       IPv6.

       This feature is available in Postfix 3.3 and later.


smtp_bind_address (default: empty)

       An optional numerical network address that the Postfix SMTP client
       should bind to when making an IPv4 connection.

       This can be specified in the main.cf file for all SMTP clients, or it
       can be specified in the master.cf file for a specific client, for
       example:

           /etc/postfix/master.cf:
               smtp ... smtp -o smtp_bind_address=11.22.33.44

       Note 1: when inet_interfaces specifies no more than one IPv4 address,
       and that address is a non-loopback address, it is automatically used as
       the smtp_bind_address. This supports virtual IP hosting, but can be a
       problem on multi-homed firewalls. See the inet_interfaces documentation
       for more detail.

       Note 2: address information may be enclosed inside [], but this form is
       not required here.


smtp_bind_address6 (default: empty)

       An optional numerical network address that the Postfix SMTP client
       should bind to when making an IPv6 connection.

       This feature is available in Postfix 2.2 and later.

       This can be specified in the main.cf file for all SMTP clients, or it
       can be specified in the master.cf file for a specific client, for
       example:

           /etc/postfix/master.cf:
               smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8

       Note 1: when inet_interfaces specifies no more than one IPv6 address,
       and that address is a non-loopback address, it is automatically used as
       the smtp_bind_address6. This supports virtual IP hosting, but can be a
       problem on multi-homed firewalls. See the inet_interfaces documentation
       for more detail.

       Note 2: address information may be enclosed inside [], but this form is
       not recommended here.


smtp_body_checks (default: empty)

       Restricted body_checks(5) tables for the Postfix SMTP client. These
       tables are searched while mail is being delivered. Actions that change
       the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.


smtp_cname_overrides_servername (default: version dependent)

       When the remote SMTP servername is a DNS CNAME, replace the servername
       with the result from CNAME expansion for the purpose of logging, SASL
       password lookup, TLS policy decisions, or TLS certificate verification.
       The value "no" hardens Postfix smtp_tls_per_site hostname-based
       policies against false hostname information in DNS CNAME records, and
       makes SASL password file lookups more predictable. This is the default
       setting as of Postfix 2.3.

       When DNS CNAME records are validated with secure DNS lookups
       (smtp_dns_support_level = dnssec), they are always allowed to override
       the above servername (Postfix 2.11 and later).

       This feature is available in Postfix 2.2.9 and later.


smtp_connect_timeout (default: 30s)

       The Postfix SMTP client time limit for completing a TCP connection, or
       zero (use the operating system built-in time limit).

       When no connection can be made within the deadline, the Postfix SMTP
       client tries the next address on the mail exchanger list. Specify 0 to
       disable the time limit (i.e. use whatever timeout is implemented by the
       operating system).

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


smtp_connection_cache_destinations (default: empty)

       Permanently enable SMTP connection caching for the specified
       destinations. With SMTP connection caching, a connection is not closed
       immediately after completion of a mail transaction. Instead, the
       connection is kept open for up to $smtp_connection_cache_time_limit
       seconds. This allows connections to be reused for other deliveries,
       and can improve mail delivery performance.

       Specify a comma or white space separated list of destinations or
       pseudo-destinations:

       ·      if mail is sent without a relay host: a domain name (the
              right-hand side of an email address, without the [] around a
              numeric IP address),

       ·      if mail is sent via a relay host: a relay host name (without []
              or non-default TCP port), as specified in main.cf or in the
              transport map,

       ·      if mail is sent via a UNIX-domain socket: a pathname (without
              the unix: prefix),

       ·      a /file/name with domain names and/or relay host names as
              defined above,

       ·      a "type:table" with domain names and/or relay host names on the
              left-hand side. The right-hand side result from "type:table"
              lookups is ignored.

       This feature is available in Postfix 2.2 and later.


smtp_connection_cache_on_demand (default: yes)

       Temporarily enable SMTP connection caching while a destination has a
       high volume of mail in the active queue. With SMTP connection caching,
       a connection is not closed immediately after completion of a mail
       transaction. Instead, the connection is kept open for up to
       $smtp_connection_cache_time_limit seconds. This allows connections to
       be reused for other deliveries, and can improve mail delivery
       performance.

       This feature is available in Postfix 2.2 and later.


smtp_connection_cache_time_limit (default: 2s)

       When SMTP connection caching is enabled, the amount of time that an
       unused SMTP client socket is kept open before it is closed. Do not
       specify larger values without permission from the remote sites.

       This feature is available in Postfix 2.2 and later.


smtp_connection_reuse_count_limit (default: 0)

       When SMTP connection caching is enabled, the number of times that an
       SMTP session may be reused before it is closed, or zero (no limit).
       With a reuse count limit of N, a connection is used up to N+1 times.

       NOTE: This feature is unsafe. When a high-volume destination has
       multiple inbound MTAs, then the slowest inbound MTA will attract the
       most connections to that destination. This limitation does not exist
       with the smtp_connection_reuse_time_limit feature.

       This feature is available in Postfix 2.11.


smtp_connection_reuse_time_limit (default: 300s)

       The amount of time during which Postfix will use an SMTP connection
       repeatedly. The timer starts when the connection is initiated (i.e. it
       includes the connect, greeting and helo latency, in addition to the
       latencies of subsequent mail delivery transactions).

       This feature addresses a performance stability problem with remote SMTP
       servers. This problem is not specific to Postfix: it can happen when
       any MTA sends large amounts of SMTP email to a site that has multiple
       MX hosts.

       The problem starts when one of a set of MX hosts becomes slower than
       the rest. Even though SMTP clients connect to fast and slow MX hosts
       with equal probability, the slow MX host ends up with more simultaneous
       inbound connections than the faster MX hosts, because the slow MX host
       needs more time to serve each client request.

       The slow MX host becomes a connection attractor. If one MX host
       becomes N times slower than the rest, it dominates mail delivery
       latency unless there are more than N fast MX hosts to counter the
       effect. And if the number of MX hosts is smaller than N, the mail
       delivery latency becomes effectively that of the slowest MX host
       divided by the total number of MX hosts.

       The solution uses connection caching in a way that differs from Postfix
       version 2.2. By limiting the amount of time during which a connection
       can be used repeatedly (instead of limiting the number of deliveries
       over that connection), Postfix not only restores fairness in the
       distribution of simultaneous connections across a set of MX hosts, it
       also favors deliveries over connections that perform well, which is
       exactly what we want.

       The default reuse time limit, 300s, is comparable to the various smtp
       transaction timeouts which are fair estimates of maximum excess latency
       for a slow delivery. Note that hosts may accept thousands of messages
       over a single connection within the default connection reuse time
       limit. This number is much larger than the default Postfix version 2.2
       limit of 10 messages per cached connection. It may prove necessary to
       lower the limit to avoid interoperability issues with MTAs that exhibit
       bugs when many messages are delivered via a single connection. A lower
       reuse time limit risks losing the benefit of connection reuse when the
       average connection and mail delivery latency exceeds the reuse time
       limit.

       This feature is available in Postfix 2.3 and later.


smtp_data_done_timeout (default: 600s)

       The Postfix SMTP client time limit for sending the SMTP ".", and for
       receiving the remote SMTP server response.

       When no response is received within the deadline, a warning is logged
       that the mail may be delivered multiple times.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


smtp_data_init_timeout (default: 120s)

       The Postfix SMTP client time limit for sending the SMTP DATA command,
       and for receiving the remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


smtp_data_xfer_timeout (default: 180s)

       The Postfix SMTP client time limit for sending the SMTP message
       content. When the connection makes no progress for more than
       $smtp_data_xfer_timeout seconds the Postfix SMTP client terminates the
       transfer.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


smtp_defer_if_no_mx_address_found (default: no)

       Defer mail delivery when no MX record resolves to an IP address.

       The default (no) is to return the mail as undeliverable. With older
       Postfix versions the default was to keep trying to deliver the mail
       until someone fixed the MX record or until the mail was too old.

       Note: the Postfix SMTP client always ignores MX records with equal or
       worse preference than the local MTA itself.

       This feature is available in Postfix 2.1 and later.


smtp_delivery_status_filter (default: $default_delivery_status_filter)

       Optional filter for the smtp(8) delivery agent to change the delivery
       status code or explanatory text of successful or unsuccessful
       deliveries. See default_delivery_status_filter for details.

       NOTE: This feature modifies Postfix SMTP client error or non-error
       messages that may or may not be derived from remote SMTP server
       responses. In contrast, the smtp_reply_filter feature modifies remote
       SMTP server responses only.


smtp_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same destination via
       the smtp message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the first field
       in the entry in the master.cf file.


smtp_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for the smtp message
       delivery transport. This limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in the
       master.cf file.

       Setting this parameter to a value of 1 changes the meaning of
       smtp_destination_concurrency_limit from concurrency per domain into
       concurrency per recipient.


smtp_discard_ehlo_keyword_address_maps (default: empty)

       Lookup tables, indexed by the remote SMTP server address, with case
       insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
       that the Postfix SMTP client will ignore in the EHLO response from a
       remote SMTP server. See smtp_discard_ehlo_keywords for details. The
       table is not indexed by hostname for consistency with
       smtpd_discard_ehlo_keyword_address_maps.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       This feature is available in Postfix 2.2 and later.


smtp_discard_ehlo_keywords (default: empty)

       A case insensitive list of EHLO keywords (pipelining, starttls, auth,
       etc.) that the Postfix SMTP client will ignore in the EHLO response
       from a remote SMTP server.

       This feature is available in Postfix 2.2 and later.

       Notes:

       ·      Specify the silent-discard pseudo keyword to prevent this action
              from being logged.

       ·      Use the smtp_discard_ehlo_keyword_address_maps feature to
              discard EHLO keywords selectively.


smtp_dns_reply_filter (default: empty)

       Optional filter for Postfix SMTP client DNS lookup results. Specify
       zero or more lookup tables. The lookup tables are searched in the
       given order for a match with the DNS lookup result, converted to the
       following form:

           name ttl class type preference value

       The class field is always "IN", the preference field exists only for MX
       records, the names of hosts, domains, etc. end in ".", and those names
       are in ASCII form (xn--mumble form in the case of UTF8 names).

       When a match is found, the table lookup result specifies an action. By
       default, the table query and the action name are case-insensitive.
       Currently, only the IGNORE action is implemented.

       Notes:

       ·      Postfix DNS reply filters have no effect on implicit DNS lookups
              through nsswitch.conf or equivalent mechanisms.

       ·      The Postfix SMTP/LMTP client uses smtp_dns_reply_filter and
              lmtp_dns_reply_filter only to discover a remote SMTP or LMTP
              service (record types MX, A, AAAA, and TLSA). These lookups
              are also made to implement the features reject_unverified_sender
              and reject_unverified_recipient.

       ·      The Postfix SMTP/LMTP client defers mail delivery when a filter
              removes all lookup results from a successful query.

       ·      The Postfix SMTP server uses smtpd_dns_reply_filter only to look
              up MX, A, AAAA, and TXT records to implement the features
              reject_unknown_helo_hostname, reject_unknown_sender_domain,
              reject_unknown_recipient_domain, reject_rbl_*, and
              reject_rhsbl_*.

       ·      The Postfix SMTP server logs a warning or defers mail delivery
              when a filter removes all lookup results from a successful
              query.

       Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
       because Google sometimes hard-rejects mail from IPv6 clients with valid
       PTR etc. records.

       /etc/postfix/main.cf:
           smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter

       /etc/postfix/smtp_dns_reply_filter:
           # /domain ttl IN AAAA address/ action, all case-insensitive.
           # Note: the domain name ends in ".".
           /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE

       This feature is available in Postfix 3.0 and later.

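       The following Python model is an added illustration, not Postfix
       documentation or source: it renders lookup results in the "name ttl
       class type preference value" form, applies a pcre-style IGNORE table
       like the one above (with example.com standing in for google.com), and
       reports a deferred delivery when a filter removes every result of a
       query. The records and the table are constructed, and treating one
       lookup's results as a single list is a simplification of what smtp(8)
       does.

```python
import re


class DeferDelivery(Exception):
    """The filter removed every result of a successful query; the page
    says the Postfix SMTP/LMTP client defers delivery in that case."""


def compile_filter_table(table):
    """Compile (pattern, action) pairs of a pcre-style table. Query and
    action name are matched case-insensitively, the documented default."""
    return [(re.compile(pat, re.IGNORECASE), act.upper()) for pat, act in table]


def format_rr(name, ttl, rtype, value, preference=None):
    """Render one record as 'name ttl class type preference value': the
    class is always IN, names end in '.', and the preference field
    exists only for MX records."""
    if not name.endswith("."):
        name += "."
    fields = [name, str(ttl), "IN", rtype]
    if rtype == "MX":
        fields.append(str(preference))
    fields.append(value)
    return " ".join(fields)


def filter_dns_results(results, compiled_table):
    """Apply the table to the results of one successful DNS query. The
    first matching pattern decides; IGNORE drops the record. Returns
    (kept, ignored) or raises DeferDelivery when nothing is left."""
    kept, ignored = [], []
    for rr in results:
        action = next((act for pat, act in compiled_table if pat.search(rr)), None)
        if action is None:
            kept.append(rr)
        elif action == "IGNORE":
            ignored.append(rr)
        else:
            # The page states that only IGNORE is implemented.
            raise ValueError("unsupported action %r" % action)
    if results and not kept:
        raise DeferDelivery("DNS reply filter removed all %d results" % len(results))
    return kept, ignored


# Constructed table: the page's rule with example.com standing in for
# google.com. As the page notes, the queried name ends in ".".
SAMPLE_TABLE = compile_filter_table([
    (r"^\S+\.example\.com\.\s+\S+\s+\S+\s+AAAA\s+", "IGNORE"),
])

# Constructed address lookups for two MX hosts: mx1 is dual-stack,
# mx2 is IPv6-only, so the rule removes mx2's only record.
MX1_ADDRESSES = [
    format_rr("mx1.example.com", 300, "A", "192.0.2.10"),
    format_rr("mx1.example.com", 300, "AAAA", "2001:db8::10"),
]
MX2_ADDRESSES = [
    format_rr("mx2.example.com", 300, "AAAA", "2001:db8::20"),
]


def demo():
    """Filter both lookups. Returns the records kept and ignored for mx1
    and the deferral reason for mx2 (None if it would have succeeded)."""
    kept, ignored = filter_dns_results(MX1_ADDRESSES, SAMPLE_TABLE)
    try:
        filter_dns_results(MX2_ADDRESSES, SAMPLE_TABLE)
        deferred = None
    except DeferDelivery as exc:
        deferred = str(exc)
    return kept, ignored, deferred


if __name__ == "__main__":
    kept, ignored, deferred = demo()
    print("kept:", kept)
    print("ignored:", ignored)
    print("mx2 deferred:", deferred)
```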

smtp_dns_resolver_options (default: empty)

       DNS Resolver options for the Postfix SMTP client. Specify zero or more
       of the following options, separated by comma or whitespace. Option
       names are case-sensitive. Some options refer to domain names that are
       specified in the file /etc/resolv.conf or equivalent.

       res_defnames
              Append the current domain name to single-component names (those
              that do not contain a "." character). This can produce incorrect
              results, and is the hard-coded behavior prior to Postfix 2.8.

       res_dnsrch
              Search for host names in the current domain and in parent
              domains. This can produce incorrect results and is therefore not
              recommended.

       This feature is available in Postfix 2.8 and later.


smtp_dns_support_level (default: empty)

       Level of DNS support in the Postfix SMTP client. With
       "smtp_dns_support_level" left at its empty default value, the legacy
       "disable_dns_lookups" parameter controls whether DNS is enabled in the
       Postfix SMTP client; otherwise the legacy parameter is ignored.

       Specify one of the following:

       disabled
              Disable DNS lookups. No MX lookups are performed and hostname
              to address lookups are unconditionally "native". This setting
              is not appropriate for hosts that deliver mail to the public
              Internet. Some obsolete how-to documents recommend disabling
              DNS lookups in some configurations with content_filters. This
              is no longer required and is strongly discouraged.

       enabled
              Enable DNS lookups. Nexthop destination domains not enclosed in
              "[]" will be subject to MX lookups. If "dns" and "native" are
              included in the "smtp_host_lookup" parameter value, DNS will be
              queried first to resolve MX-host A records, followed by "native"
              lookups if no answer is found in DNS.

       dnssec Enable DNSSEC lookups. The "dnssec" setting differs from the
              "enabled" setting above in the following ways:

       ·      Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to
              request DNSSEC-validated responses. If the MX response is
              DNSSEC-validated, the corresponding hostnames are considered
              validated.

       ·      The address lookups of validated hostnames are also validated
              (provided of course "smtp_host_lookup" includes "dns", see
              below).

       ·      Temporary failures in DNSSEC-enabled hostname-to-address
              resolution block any "native" lookups. Additional "native"
              lookups only happen when DNSSEC lookups hard-fail (NODATA or
              NXDOMAIN).

       The Postfix SMTP client considers non-MX "[nexthop]" and
       "[nexthop]:port" destinations equivalent to statically-validated MX
       records of the form "nexthop. IN MX 0 nexthop." Therefore, with
       "dnssec" support turned on, validated hostname-to-address lookups apply
       to the nexthop domain of any "[nexthop]" or "[nexthop]:port"
       destination. This is also true for LMTP "inet:host" and
       "inet:host:port" destinations, as LMTP hostnames are never subject to
       MX lookups.

       The "dnssec" setting is recommended only if you plan to use the dane or
       dane-only TLS security level; otherwise enabling DNSSEC support in
       Postfix offers no additional security. Postfix DNSSEC support relies
       on an upstream recursive nameserver that validates DNSSEC signatures.
       Such a DNS server will always filter out forged DNS responses, even
       when Postfix itself is not configured to use DNSSEC.

       When using Postfix DANE support the "smtp_host_lookup" parameter should
       include "dns", as DANE is not applicable to hosts resolved via "native"
       lookups.

       As mentioned above, Postfix is not a validating stub resolver; it
       relies on the system's configured DNSSEC-validating recursive
       nameserver to perform all DNSSEC validation. Since this nameserver's
       DNSSEC-validated responses will be fully trusted, it is strongly
       recommended that the MTA host have a local DNSSEC-validating recursive
       caching nameserver listening on a loopback address, and be configured
       to use only this nameserver for all lookups. Otherwise, Postfix may
       remain subject to man-in-the-middle attacks that forge responses from
       the recursive nameserver.

       DNSSEC support requires a version of Postfix compiled against a
       reasonably modern DNS resolver(3) library that implements the
       RES_USE_DNSSEC and RES_USE_EDNS0 resolver options.

       This feature is available in Postfix 2.11 and later.


smtp_enforce_tls (default: no)

       Enforcement mode: require that remote SMTP servers use TLS encryption,
       and never send mail in the clear. This also requires that the remote
       SMTP server hostname matches the information in the remote server
       certificate, and that the remote SMTP server certificate was issued by
       a CA that is trusted by the Postfix SMTP client. If the certificate
       doesn't verify or the hostname doesn't match, delivery is deferred and
       mail stays in the queue.

       The server hostname is matched against all names provided as dNSNames
       in the SubjectAlternativeName. If no dNSNames are specified, the
       CommonName is checked. The behavior may be changed with the
       smtp_tls_enforce_peername option.

       This option is useful only if you are definitely sure that you will
       only connect to servers that support RFC 2487 _and_ that provide valid
       server certificates. Typical use is for clients that send all their
       email to a dedicated mailhub.

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtp_tls_security_level instead.


smtp_fallback_relay (default: $fallback_relay)

       Optional list of relay hosts for SMTP destinations that can't be found
       or that are unreachable. With Postfix 2.2 and earlier this parameter is
       called fallback_relay.

       By default, mail is returned to the sender when a destination is not
       found, and delivery is deferred when a destination is unreachable.

       With bulk email deliveries, it can be beneficial to run the fallback
       relay MTA on the same host, so that it can reuse the sender IP address.
       This speeds up deliveries that are delayed by IP-based reputation
       systems (greylist, etc.).

       The fallback relays must be SMTP destinations. Specify a domain, host,
       host:port, [host]:port, [address] or [address]:port; the form [host]
       turns off MX lookups. If you specify multiple SMTP destinations,
       Postfix will try them in the specified order.

       To prevent mailer loops between MX hosts and fall-back hosts, Postfix
       version 2.2 and later will not use the fallback relays for destinations
       that it is MX host for (assuming DNS lookup is turned on).


smtp_generic_maps (default: empty)

       Optional lookup tables that perform address rewriting in the Postfix
       SMTP client, typically to transform a locally valid address into a
       globally valid address when sending mail across the Internet. This is
       needed when the local machine does not have its own Internet domain
       name, but uses something like localdomain.local instead.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       The table format and lookups are documented in generic(5); examples are
       shown in the ADDRESS_REWRITING_README and STANDARD_CONFIGURATION_README
       documents.

       This feature is available in Postfix 2.2 and later.


smtp_header_checks (default: empty)

       Restricted header_checks(5) tables for the Postfix SMTP client. These
       tables are searched while mail is being delivered. Actions that change
       the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.


smtp_helo_name (default: $myhostname)

       The hostname to send in the SMTP HELO or EHLO command.

       The default value is the machine hostname. Specify a hostname or
       [ip.add.re.ss].

       This information can be specified in the main.cf file for all SMTP
       clients, or it can be specified in the master.cf file for a specific
       client, for example:

           /etc/postfix/master.cf:
               mysmtp ... smtp -o smtp_helo_name=foo.bar.com

       This feature is available in Postfix 2.0 and later.


smtp_helo_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the HELO or EHLO
       command, and for receiving the initial remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


smtp_host_lookup (default: dns)

       What mechanisms the Postfix SMTP client uses to look up a host's IP
       address. This parameter is ignored when DNS lookups are disabled (see:
       disable_dns_lookups and smtp_dns_support_level). The "dns" mechanism
       is always tried before "native" if both are listed.

       Specify one of the following:

       dns    Hosts can be found in the DNS (preferred).

       native Use the native naming service only (nsswitch.conf, or equivalent
              mechanism).

       dns, native
              Use the native service for hosts not found in the DNS.

       This feature is available in Postfix 2.1 and later.


smtp_line_length_limit (default: 998)

       The maximal length of message header and body lines that Postfix will
       send via SMTP. This limit does not include the <CR><LF> at the end of
       each line. Longer lines are broken by inserting "<CR><LF><SPACE>", to
       minimize the damage to MIME formatted mail.

       The Postfix limit of 998 characters not including <CR><LF> is
       consistent with the SMTP limit of 1000 characters including <CR><LF>.
       The Postfix limit was 990 with Postfix 2.8 and earlier.

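       The folding rule stated above, carried out in Python as an added
       illustration (not the smtp(8) implementation): lines longer than the
       limit are split by inserting <CR><LF><SPACE>, the continuation line is
       itself subject to the limit, and the result is checked against the
       1000-character SMTP limit with <CR><LF> included. The message body is
       constructed.

```python
def fold_long_lines(lines, limit=998):
    """Break every line longer than `limit` characters (CRLF not counted)
    by inserting CRLF followed by a single SPACE, so the continuation
    reads as folded whitespace to MIME-aware receivers. The continuation
    line, leading space included, is itself subject to the limit."""
    folded = []
    for line in lines:
        while len(line) > limit:
            folded.append(line[:limit])
            line = " " + line[limit:]
        folded.append(line)
    return folded


def to_wire(lines):
    """Join lines with CRLF as they would be sent in the SMTP DATA phase."""
    return "".join(line + "\r\n" for line in lines)


def max_wire_line_length(wire):
    """Longest line on the wire, CRLF included, for checking against the
    SMTP limit of 1000 characters."""
    return max((len(line) + 2 for line in wire.split("\r\n")[:-1]), default=0)


# Constructed message: a header line, a blank line, one body line exactly
# at the limit, and one 2000-character line (as an unwrapped base64 part
# or a very long URL might produce).
SAMPLE_MESSAGE = [
    "Subject: folding test",
    "",
    "y" * 998,
    "x" * 2000,
]


def demo():
    """Fold the sample and report the longest resulting wire line."""
    folded = fold_long_lines(SAMPLE_MESSAGE)
    return folded, max_wire_line_length(to_wire(folded))


if __name__ == "__main__":
    folded, longest = demo()
    for line in folded:
        print("%4d chars: %s%s" % (len(line), line[:20], "..." if len(line) > 20 else ""))
    print("longest wire line incl. CRLF:", longest)
```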

smtp_mail_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the MAIL FROM command,
       and for receiving the remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


smtp_mime_header_checks (default: empty)

       Restricted mime_header_checks(5) tables for the Postfix SMTP client.
       These tables are searched while mail is being delivered. Actions that
       change the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.


smtp_mx_address_limit (default: 5)

       The maximal number of MX (mail exchanger) IP addresses that can result
       from Postfix SMTP client mail exchanger lookups, or zero (no limit).
       Prior to Postfix version 2.3, this limit was disabled by default.

       This feature is available in Postfix 2.1 and later.


smtp_mx_session_limit (default: 2)

       The maximal number of SMTP sessions per delivery request before the
       Postfix SMTP client gives up or delivers to a fall-back relay host, or
       zero (no limit). This restriction ignores sessions that fail to
       complete the SMTP initial handshake (Postfix version 2.2 and earlier)
       or that fail to complete the EHLO and TLS handshake (Postfix version
       2.3 and later).

       This feature is available in Postfix 2.1 and later.


smtp_nested_header_checks (default: empty)

       Restricted nested_header_checks(5) tables for the Postfix SMTP client.
       These tables are searched while mail is being delivered. Actions that
       change the delivery time or destination are not available.

       This feature is available in Postfix 2.5 and later.


smtp_never_send_ehlo (default: no)

       Never send EHLO at the start of an SMTP session. See also the
       smtp_always_send_ehlo parameter.


smtp_per_record_deadline (default: no)

       Change the behavior of the smtp_*_timeout time limits, from a time
       limit per read or write system call, to a time limit to send or receive
       a complete record (an SMTP command line, SMTP response line, SMTP
       message content line, or TLS protocol message). This limits the impact
       from hostile peers that trickle data one byte at a time.

       Note: when per-record deadlines are enabled, a short timeout may cause
       problems with TLS over very slow network connections. The reasons are
       that a TLS protocol message can be up to 16 kbytes long (with TLSv1),
       and that an entire TLS protocol message must be sent or received within
       the per-record deadline.

       This feature is available in Postfix 2.9 and later. With older Postfix
       releases, the behavior is as if this parameter is set to "no".


smtp_pix_workaround_delay_time (default: 10s)

       How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
       order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.

       Choosing a too short time makes this workaround ineffective when
       sending large messages over slow network connections.


smtp_pix_workaround_maps (default: empty)

       Lookup tables, indexed by the remote SMTP server address, with
       per-destination workarounds for CISCO PIX firewall bugs. The table is
       not indexed by hostname for consistency with
       smtp_discard_ehlo_keyword_address_maps.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.

       This feature is available in Postfix 2.4 and later.


smtp_pix_workaround_threshold_time (default: 500s)

       How long a message must be queued before the Postfix SMTP client turns
       on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery
       through firewalls with "smtp fixup" mode turned on.

       By default, the workaround is turned off for mail that is queued for
       less than 500 seconds. In other words, the workaround is normally
       turned off for the first delivery attempt.

       Specify 0 to enable the PIX firewall "<CR><LF>.<CR><LF>" bug workaround
       upon the first delivery attempt.


smtp_pix_workarounds (default: disable_esmtp, delay_dotcrlf)

       A list that specifies zero or more workarounds for CISCO PIX firewall
       bugs. These workarounds are implemented by the Postfix SMTP client.
       Workaround names are separated by comma or space, and are case
       insensitive. This parameter setting can be overruled with
       per-destination smtp_pix_workaround_maps settings.

       delay_dotcrlf
              Insert a delay before sending ".<CR><LF>" after the end of the
              message content. The delay is subject to the
              smtp_pix_workaround_delay_time and
              smtp_pix_workaround_threshold_time parameter settings.

       disable_esmtp
              Disable all extended SMTP commands: send HELO instead of EHLO.

       This feature is available in Postfix 2.4 and later. The default
       settings are backwards compatible with earlier Postfix versions.


smtp_quit_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the QUIT command, and
       for receiving the remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


smtp_quote_rfc821_envelope (default: yes)

       Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
       as required by RFC 5321. This includes putting quotes around an address
       localpart that ends in ".".

       The default is to comply with RFC 5321. If you have to send mail to a
       broken SMTP server, configure a special SMTP client in master.cf:

           /etc/postfix/master.cf:
               broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no

       and route mail for the destination in question to the "broken-smtp"
       message delivery with a transport(5) table.

       This feature is available in Postfix 2.1 and later.


smtp_randomize_addresses (default: yes)

       Randomize the order of equal-preference MX host addresses. This is a
       performance feature of the Postfix SMTP client.


smtp_rcpt_timeout (default: 300s)

       The Postfix SMTP client time limit for sending the SMTP RCPT TO
       command, and for receiving the remote SMTP server response.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).


smtp_reply_filter (default: empty)

       A mechanism to transform replies from remote SMTP servers one line at a
       time. This is a last-resort tool to work around server replies that
       break interoperability with the Postfix SMTP client. Other uses
       involve fault injection to test Postfix's handling of invalid
       responses.

       Notes:

       ·      In the case of a multi-line reply, the Postfix SMTP client uses
              the final reply line's numerical SMTP reply code and enhanced
              status code.

       ·      The numerical SMTP reply code (XYZ) takes precedence over the
              enhanced status code (X.Y.Z). When the enhanced status code
              initial digit differs from the SMTP reply code initial digit, or
              when no enhanced status code is present, the Postfix SMTP client
              uses a generic enhanced status code (X.0.0) instead.

       Specify the name of a "type:table" lookup table. The search string is a
       single SMTP reply line as received from the remote SMTP server, except
       that the trailing <CR><LF> are removed. When the lookup succeeds, the
       result replaces the single SMTP reply line.

       Examples:

       /etc/postfix/main.cf:
           smtp_reply_filter = pcre:/etc/postfix/reply_filter

       /etc/postfix/reply_filter:
           # Transform garbage into "250-filler..." so that it looks like
           # one line from a multi-line reply. It does not matter what we
           # substitute here as long as it has the right syntax. The Postfix
           # SMTP client will use the final line's numerical SMTP reply
           # code and enhanced status code.
           !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage

       This feature is available in Postfix 2.7.

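       An added Python model of the behaviour described above, not Postfix
       source: it applies the page's negated pcre rule line by line to a
       constructed multi-line reply, then derives the reply code and enhanced
       status code from the final line, including the fallback to the
       generic X.0.0 when the enhanced code is absent or its first digit
       disagrees with the reply code. The table representation as (negate,
       pattern, replacement) triples is this example's own; pcre(5)
       substitution features are not modelled.

```python
import re

# Constructed pcre-style table as (negate, pattern, replacement); the
# one entry is the page's own rule: a line that does not start with a
# 3-digit reply code is replaced by "250-filler for garbage".
REPLY_FILTER = [
    (True, r"^([2-5][0-9][0-9]($|[- ]))", "250-filler for garbage"),
]

REPLY_LINE_RE = re.compile(r"^([2-5][0-9][0-9])(?:[- ](.*))?$")
ENHANCED_RE = re.compile(r"^([2-5])\.(\d{1,3})\.(\d{1,3})(?:\s|$)")


def compile_reply_filter(table):
    """Compile the table; a leading '!' in pcre tables means the entry
    applies when the pattern does NOT match, modelled by the negate flag."""
    return [(neg, re.compile(pat), repl) for neg, pat, repl in table]


def filter_reply_line(line, compiled):
    """Filter one reply line (trailing CRLF already removed). The first
    entry whose match status agrees with its negate flag replaces the
    whole line; otherwise the line is passed through unchanged."""
    for negate, pattern, replacement in compiled:
        if (pattern.search(line) is not None) != negate:
            return replacement
    return line


def interpret_reply(lines, compiled):
    """Filter every line of a (possibly multi-line) reply, then derive the
    reply code and enhanced status code from the FINAL line using the
    page's rules: the numerical code wins, and an absent or mismatched
    enhanced code is replaced by the generic X.0.0."""
    filtered = [filter_reply_line(line, compiled) for line in lines]
    final = filtered[-1]
    m = REPLY_LINE_RE.match(final)
    if m is None:
        raise ValueError("final reply line has no SMTP reply code: %r" % final)
    code, rest = m.group(1), m.group(2) or ""
    e = ENHANCED_RE.match(rest)
    if e is not None and e.group(1) == code[0]:
        enhanced = "%s.%s.%s" % e.groups()
    else:
        enhanced = code[0] + ".0.0"
    return {"lines": filtered, "code": code, "enhanced": enhanced}


# Constructed multi-line reply with one garbage line in the middle, as a
# misbehaving server might send it.
SAMPLE_REPLY = [
    "250-mail.example.net at your service",
    "This line is not a valid reply",
    "250 2.1.0 Ok",
]


def demo():
    """Run the sample reply plus two single-line edge cases through the
    filter: a mismatched enhanced code and a missing one."""
    compiled = compile_reply_filter(REPLY_FILTER)
    return (
        interpret_reply(SAMPLE_REPLY, compiled),
        interpret_reply(["550 4.1.1 User unknown"], compiled),  # mismatch -> 5.0.0
        interpret_reply(["451 Try again later"], compiled),     # absent -> 4.0.0
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```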

smtp_rset_timeout (default: 20s)

       The Postfix SMTP client time limit for sending the RSET command, and
       for receiving the remote SMTP server response. The SMTP client sends
       RSET in order to finish a recipient address probe, or to verify that a
       cached session is still usable.

       This feature is available in Postfix 2.1 and later.


smtp_sasl_auth_cache_name (default: empty)

       An optional table to prevent repeated SASL authentication failures with
       the same remote SMTP server hostname, username and password. Each table
       (key, value) pair contains a server name, a username and password, and
       the full server response. This information is stored when a remote SMTP
       server rejects an authentication attempt with a 535 reply code. As
       long as the smtp_sasl_password_maps information does not change, and as
       long as the smtp_sasl_auth_cache_name information does not expire (see
       smtp_sasl_auth_cache_time), the Postfix SMTP client avoids SASL
       authentication attempts with the same server, username and password,
       and instead bounces or defers mail as controlled with the
       smtp_sasl_auth_soft_bounce configuration parameter.

       Use a per-destination delivery concurrency of 1 (for example,
       "smtp_destination_concurrency_limit = 1",
       "relay_destination_concurrency_limit = 1", etc.), otherwise multiple
       delivery agents may experience a login failure at the same time.

       The table must be accessed via the proxywrite service, i.e. the map
       name must start with "proxy:". The table should be stored under the
       directory specified with the data_directory parameter.

       This feature uses cryptographic hashing to protect plain-text
       passwords, and requires that Postfix is compiled with TLS support.

       Example:

       smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache

       This feature is available in Postfix 2.5 and later.


smtp_sasl_auth_cache_time (default: 90d)

       The maximal age of an smtp_sasl_auth_cache_name entry before it is
       removed.

       This feature is available in Postfix 2.5 and later.


smtp_sasl_auth_enable (default: no)

       Enable SASL authentication in the Postfix SMTP client. By default, the
       Postfix SMTP client uses no authentication.

       Example:

       smtp_sasl_auth_enable = yes


smtp_sasl_auth_soft_bounce (default: yes)

       When a remote SMTP server rejects a SASL authentication request with a
       535 reply code, defer mail delivery instead of returning mail as
       undeliverable. The latter behavior was hard-coded prior to Postfix
       version 2.5.

       Note: the setting "yes" overrides the global soft_bounce parameter, but
       the setting "no" does not.

       Example:

       # Default as of Postfix 2.5
       smtp_sasl_auth_soft_bounce = yes
       # The old hard-coded default
       smtp_sasl_auth_soft_bounce = no

       This feature is available in Postfix 2.5 and later.


smtp_sasl_mechanism_filter (default: empty)

       If non-empty, a Postfix SMTP client filter for the remote SMTP server's
       list of offered SASL mechanisms. Different client and server
       implementations may support different mechanism lists; by default, the
       Postfix SMTP client will use the intersection of the two.
       smtp_sasl_mechanism_filter specifies an optional third mechanism list
       to intersect with.

       Specify mechanism names, "/file/name" patterns or "type:table" lookup
       tables. The right-hand side result from "type:table" lookups is
       ignored. Specify "!pattern" to exclude a mechanism name from the list.
       The form "!/file/name" is supported only in Postfix version 2.4 and
       later.

       This feature is available in Postfix 2.2 and later.

       Examples:

       smtp_sasl_mechanism_filter = plain, login
       smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
       smtp_sasl_mechanism_filter = !gssapi, !login, static:rest

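       The three-way intersection described above, worked through in Python
       as an added illustration (not Postfix source): the server's list is
       read from a constructed EHLO response, intersected with a constructed
       client list, and then filtered with the first and third settings from
       the examples. Plain names and "static:" tables (which match any query)
       are modelled; "/file/name" patterns and other table types are not, and
       the case-insensitive comparison and first-match-wins order are this
       example's assumptions about Postfix list matching.

```python
import re

EHLO_LINE_RE = re.compile(r"^250[- ](\S+)(?:\s+(.*))?$")


def parse_list(value):
    """Split a main.cf list value on commas or whitespace."""
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def offered_from_ehlo(ehlo_lines):
    """Return the mechanisms announced in the server's EHLO AUTH keyword
    (an empty list if the server offers no AUTH at all)."""
    for line in ehlo_lines:
        m = EHLO_LINE_RE.match(line)
        if m is not None and m.group(1).upper() == "AUTH":
            return (m.group(2) or "").split()
    return []


def mechanism_allowed(mech, filter_entries):
    """Decide one mechanism against the filter: the first matching entry
    wins, '!pattern' excludes, and no match at all excludes. Plain names
    and 'static:' tables (which match any query) are modelled; file
    patterns and other table types are out of scope here."""
    name = mech.lower()
    for entry in filter_entries:
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        if pattern.lower().startswith("static:"):
            matched = True
        elif pattern.startswith("/") or ":" in pattern:
            raise NotImplementedError("only names and static: tables are modelled: %r" % entry)
        else:
            matched = pattern.lower() == name
        if matched:
            return not negate
    return False


def negotiate_mechanisms(client_supported, server_offered, filter_entries=()):
    """Intersect the client's and server's lists (server order kept), then,
    when a filter is configured, intersect with the filter as well."""
    client = {m.lower() for m in client_supported}
    common = [m for m in server_offered if m.lower() in client]
    if not filter_entries:
        return common
    return [m for m in common if mechanism_allowed(m, filter_entries)]


# Constructed EHLO response from a submission server and a constructed
# list of what the local SASL client library supports.
SAMPLE_EHLO = [
    "250-mail.example.net",
    "250-AUTH PLAIN LOGIN GSSAPI CRAM-MD5",
    "250 STARTTLS",
]
CLIENT_MECHS = ["PLAIN", "LOGIN", "GSSAPI", "CRAM-MD5", "DIGEST-MD5"]


def demo():
    """Apply no filter and the page's two list-style examples to the
    sample session; returns the negotiable mechanisms for each."""
    offered = offered_from_ehlo(SAMPLE_EHLO)
    return {
        "no filter": negotiate_mechanisms(CLIENT_MECHS, offered),
        "plain, login": negotiate_mechanisms(
            CLIENT_MECHS, offered, parse_list("plain, login")),
        "!gssapi, !login, static:rest": negotiate_mechanisms(
            CLIENT_MECHS, offered, parse_list("!gssapi, !login, static:rest")),
    }


if __name__ == "__main__":
    for setting, mechs in demo().items():
        print("%-30s -> %s" % (setting, " ".join(mechs) or "(none)"))
```

       A filter made only of exclusions leaves no mechanism matched, so it
       rules everything out; "static:rest" is what admits the remainder.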

smtp_sasl_password_maps (default: empty)

       Optional Postfix SMTP client lookup tables with one username:password
       entry per sender, remote hostname or next-hop domain. Per-sender lookup
       is done only when sender-dependent authentication is enabled. If no
       username:password entry is found, then the Postfix SMTP client will not
       attempt to authenticate to the remote host.

       The Postfix SMTP client opens the lookup table before going to chroot
       jail, so you can leave the password file in /etc/postfix.

       Specify zero or more "type:name" lookup tables, separated by whitespace
       or comma. Tables will be searched in the specified order until a match
       is found.


smtp_sasl_path (default: empty)

       Implementation-specific information that the Postfix SMTP client passes
       through to the SASL plug-in implementation that is selected with
       smtp_sasl_type. Typically this specifies the name of a configuration
       file or rendezvous point.

       This feature is available in Postfix 2.3 and later.


smtp_sasl_security_options (default: noplaintext, noanonymous)

       Postfix SMTP client SASL security options; as of Postfix 2.3 the list
       of available features depends on the SASL client implementation that is
       selected with smtp_sasl_type.

       The following security features are defined for the cyrus client SASL
       implementation:

       Specify zero or more of the following:

       noplaintext
              Disallow methods that use plaintext passwords.

       noactive
              Disallow methods subject to active (non-dictionary) attack.

       nodictionary
              Disallow methods subject to passive (dictionary) attack.

       noanonymous
              Disallow methods that allow anonymous authentication.

       mutual_auth
              Only allow methods that provide mutual authentication (not
              available with SASL version 1).

       Example:

       smtp_sasl_security_options = noplaintext


smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)

       The SASL authentication security options that the Postfix SMTP client
       uses for TLS encrypted SMTP sessions.

       This feature is available in Postfix 2.2 and later.


smtp_sasl_tls_verified_security_options (default: $smtp_sasl_tls_security_options)

       The SASL authentication security options that the Postfix SMTP client
       uses for TLS encrypted SMTP sessions with a verified server certificate.

       When mail is sent to the public MX host for the recipient's domain,
       server certificates are by default optional, and delivery proceeds even
       if certificate verification fails. For delivery via a submission service
       that requires SASL authentication, it may be appropriate to send
       plaintext passwords only when the connection to the server is strongly
       encrypted and the server identity is verified.

       The smtp_sasl_tls_verified_security_options parameter makes it possible
       to enable plaintext mechanisms only when a secure connection to the
       server is available. Submission servers subject to this policy must
       either have verifiable certificates or offer suitable non-plaintext
       SASL mechanisms.

       This feature is available in Postfix 2.6 and later.


smtp_sasl_type (default: cyrus)

       The SASL plug-in type that the Postfix SMTP client should use for
       authentication. The available types are listed with the "postconf -A"
       command.

       This feature is available in Postfix 2.3 and later.


smtp_send_dummy_mail_auth (default: no)

       Whether or not to append the "AUTH=<>" option to the MAIL FROM command
       in SASL-authenticated SMTP sessions. The default is not to send this,
       to avoid problems with broken remote SMTP servers. Before Postfix 2.9
       the behavior is as if "smtp_send_dummy_mail_auth = yes".

       This feature is available in Postfix 2.9 and later.


smtp_send_xforward_command (default: no)

       Send the non-standard XFORWARD command when the Postfix SMTP server
       EHLO response announces XFORWARD support.

       This allows a Postfix SMTP delivery agent, used for injecting mail into
       a content filter, to forward the name, address, protocol and HELO name
       of the original client to the content filter and downstream queuing
       SMTP server. This can produce more useful logging than
       localhost[127.0.0.1] etc.

       This feature is available in Postfix 2.1 and later.


smtp_sender_dependent_authentication (default: no)

       Enable sender-dependent authentication in the Postfix SMTP client; this
       is available only with SASL authentication, and disables SMTP
       connection caching to ensure that mail from different senders will use
       the appropriate credentials.

       This feature is available in Postfix 2.3 and later.


smtp_skip_4xx_greeting (default: yes)

       Skip SMTP servers that greet with a 4XX status code (go away, try again
       later).

       By default, the Postfix SMTP client moves on to the next mail
       exchanger. Specify "smtp_skip_4xx_greeting = no" if Postfix should
       defer delivery immediately.

       This feature is available in Postfix 2.0 and earlier. Later Postfix
       versions always skip remote SMTP servers that greet with a 4XX status
       code.


smtp_skip_5xx_greeting (default: yes)

       Skip remote SMTP servers that greet with a 5XX status code.

       By default, the Postfix SMTP client moves on to the next mail
       exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should
       bounce the mail immediately. Caution: the latter behavior appears to
       contradict RFC 2821.


smtp_skip_quit_response (default: yes)

       Do not wait for the response to the SMTP QUIT command.


smtp_starttls_timeout (default: 300s)

       Time limit for Postfix SMTP client write and read operations during TLS
       startup and shutdown handshake procedures.

       This feature is available in Postfix 2.2 and later.


smtp_tcp_port (default: smtp)

       The default TCP port that the Postfix SMTP client connects to. Specify
       a symbolic name (see services(5)) or a numeric port.


smtp_tls_CAfile (default: empty)

       A file containing CA certificates of root CAs trusted to sign either
       remote SMTP server certificates or intermediate CA certificates. These
       are loaded into memory before the smtp(8) client enters the chroot
       jail. If the number of trusted roots is large, consider using
       smtp_tls_CApath instead, but note that the latter directory must be
       present in the chroot jail if the smtp(8) client is chrooted. This file
       may also be used to augment the client certificate trust chain, but it
       is best to include all the required certificates directly in
       $smtp_tls_cert_file (or, with Postfix >= 3.4, $smtp_tls_chain_files).

       Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use ONLY the
       system-supplied default Certification Authority certificates.

       Specify "tls_append_default_CA = no" to prevent Postfix from appending
       the system-supplied default CAs and trusting third-party certificates.

       Example:

       smtp_tls_CAfile = /etc/postfix/CAcert.pem

       This feature is available in Postfix 2.2 and later.


smtp_tls_CApath (default: empty)

       Directory with PEM format Certification Authority certificates that the
       Postfix SMTP client uses to verify a remote SMTP server certificate.
       Don't forget to create the necessary "hash" links with, for example,
       "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".

       To use this option in chroot mode, this directory (or a copy) must be
       inside the chroot jail.

       Specify "smtp_tls_CApath = /path/to/system_CA_directory" to use ONLY
       the system-supplied default Certification Authority certificates.

       Specify "tls_append_default_CA = no" to prevent Postfix from appending
       the system-supplied default CAs and trusting third-party certificates.

       Example:

       smtp_tls_CApath = /etc/postfix/certs

       This feature is available in Postfix 2.2 and later.


smtp_tls_block_early_mail_reply (default: no)

       Try to detect a mail hijacking attack based on a TLS protocol
       vulnerability (CVE-2009-3555), where an attacker prepends malicious
       HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
       The attack would succeed with non-Postfix SMTP servers that reply to
       the malicious HELO, MAIL, RCPT, DATA commands after negotiating the
       Postfix SMTP client TLS session.

       This feature is available in Postfix 2.7.


smtp_tls_cert_file (default: empty)

       File with the Postfix SMTP client RSA certificate in PEM format. This
       file may also contain the Postfix SMTP client private RSA key, and
       these may be the same as the Postfix SMTP server RSA certificate and
       key file. With Postfix >= 3.4 the preferred way to configure client
       keys and certificates is via the "smtp_tls_chain_files" parameter.

       Do not configure client certificates unless you must present client TLS
       certificates to one or more servers. Client certificates are not
       usually needed, and can cause problems in configurations that work well
       without them. The recommended setting is to let the defaults stand:

           smtp_tls_cert_file =
           smtp_tls_key_file =
           smtp_tls_eccert_file =
           smtp_tls_eckey_file =
           # Obsolete DSA parameters
           smtp_tls_dcert_file =
           smtp_tls_dkey_file =
           # Postfix >= 3.4 interface
           smtp_tls_chain_files =

       The best way to use the default settings is to comment out the above
       parameters in main.cf if present.

       To enable remote SMTP servers to verify the Postfix SMTP client
       certificate, the issuing CA certificates must be made available to the
       server. You should include the required certificates in the client
       certificate file, the client certificate first, then the issuing CA(s)
       (bottom-up order).

       Example: the certificate for "client.example.com" was issued by
       "intermediate CA" which itself has a certificate issued by "root CA".
       As the "root" super-user create the client.pem file with:

           # umask 077
           # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem

       If you also want to verify remote SMTP server certificates issued by
       these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
       which case it is not necessary to have them in the smtp_tls_cert_file,
       smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.

       A certificate supplied here must be usable as an SSL client certificate
       and hence pass the "openssl verify -purpose sslclient ..." test.

       Example:

       smtp_tls_cert_file = /etc/postfix/chain.pem

       This feature is available in Postfix 2.2 and later.


smtp_tls_chain_files (default: empty)

       List of one or more PEM files, each holding one or more private keys
       directly followed by a corresponding certificate chain. The file names
       are separated by commas and/or whitespace. This parameter obsoletes
       the legacy algorithm-specific key and certificate file settings. When
       this parameter is non-empty, the legacy parameters are ignored, and a
       warning is logged if any are also non-empty.

       With the proliferation of multiple private key algorithms, which as of
       OpenSSL 1.1.1 include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448, it
       is increasingly impractical to use separate parameters to configure the
       key and certificate chain for each algorithm. Therefore, Postfix now
       supports storing multiple keys and corresponding certificate chains in
       a single file or in a set of files.

       Each key must appear immediately before the corresponding certificate,
       optionally followed by additional issuer certificates that complete the
       certificate chain for that key. When multiple files are specified,
       they are equivalent to a single file that is concatenated from those
       files in the given order. Thus, while a key must always precede its
       certificate and issuer chain, it can be in a separate file, so long as
       that file is listed immediately before the file that holds the
       corresponding certificate chain. Once all the files are concatenated,
       the sequence of PEM objects must be: key1, cert1, [chain1], key2,
       cert2, [chain2], ..., keyN, certN, [chainN].

       Storing the private key in the same file as the corresponding
       certificate is more reliable. With the key and certificate in separate
       files, there is a chance that during key rollover a Postfix process
       might load a private key and certificate from separate files that
       don't match. Various operational errors may even result in a
       persistent broken configuration in which the certificate does not
       match the private key.

       The file or files must contain at most one key of each type. If, for
       example, two or more RSA keys and corresponding chains are listed,
       depending on the version of OpenSSL either only the last one will be
       used or a configuration error may be detected. Note that while
       "Ed25519" and "Ed448" are considered separate algorithms, the various
       ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
       considered as different parameters of a single "ECDSA" algorithm, so it
       is not presently possible to configure keys for more than one ECDSA
       curve.

       Example (separate files for each key and corresponding certificate
       chain):

           /etc/postfix/main.cf:
               smtp_tls_chain_files =
                   ${config_directory}/ed25519.pem,
                   ${config_directory}/ed448.pem,
                   ${config_directory}/rsa.pem

           /etc/postfix/ed25519.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----

           /etc/postfix/ed448.pem:
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----

           /etc/postfix/rsa.pem:
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----

       Example (all keys and certificates in a single file):

           /etc/postfix/main.cf:
               smtp_tls_chain_files = ${config_directory}/chains.pem

           /etc/postfix/chains.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----

       This feature is available in Postfix 3.4 and later.

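       The ordering rule above (key1, cert1, [chain1], key2, cert2, ... over the
       concatenation of all listed files, at most one key per algorithm) is easy
       to get wrong during a key rollover. The following pre-flight check is an
       added example, not Postfix code: it reads the files in smtp_tls_chain_files
       order, identifies the key algorithm from the PKCS#8 AlgorithmIdentifier OID,
       and reports ordering and duplicate-algorithm problems before the files are
       put into production. The OID table, the treatment of legacy "RSA PRIVATE KEY"
       and "EC PRIVATE KEY" labels, and the rejection of "ENCRYPTED PRIVATE KEY"
       objects are this example's own choices; the sample key and certificate
       values are constructed stand-ins, not usable keys.

```python
"""Order check for PEM files listed in smtp_tls_chain_files (added example,
not Postfix code). The files are treated as one concatenation in the listed
order; the PEM objects must read key, cert, [chain], key, cert, [chain], ...
with at most one key per algorithm. Only PEM labels and the PKCS#8 algorithm
OID are inspected; whether a key matches its certificate is not verified."""
import base64
import re

# Algorithm OIDs found in the PKCS#8 AlgorithmIdentifier of "PRIVATE KEY" objects.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "ECDSA",      # every ECDSA curve counts as the one ECDSA algorithm
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
    "1.2.840.10040.4.1": "DSA",
}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pkcs8_algorithm(der):
    """Name of the key algorithm in a PKCS#8 PrivateKeyInfo blob."""
    tag, pos, _ = _der_tlv(der, 0)                  # PrivateKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    _, _, pos = _der_tlv(der, pos)                  # skip INTEGER version
    _, pos, _ = _der_tlv(der, pos)                  # AlgorithmIdentifier SEQUENCE
    tag, start, end = _der_tlv(der, pos)            # OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[start:end])
    return OID_NAMES.get(oid, oid)


def check_chain_files(pem_texts):
    """pem_texts: file contents in smtp_tls_chain_files order. Returns (ok, problems)."""
    objects = PEM_RE.findall("\n".join(pem_texts))
    problems, seen, key_pending = [], set(), False
    for n, (label, body) in enumerate(objects, 1):
        if label == "ENCRYPTED PRIVATE KEY":
            problems.append(f"object {n}: encrypted key; Postfix needs unencrypted keys")
            key_pending = True
        elif label.endswith("PRIVATE KEY"):
            if key_pending:
                problems.append(f"object {n}: key follows a key that has no certificate")
            if label == "PRIVATE KEY":
                alg = pkcs8_algorithm(base64.b64decode("".join(body.split())))
            else:                                   # legacy "RSA PRIVATE KEY" / "EC PRIVATE KEY"
                alg = {"EC": "ECDSA"}.get(label.split()[0], label.split()[0])
            if alg in seen:
                problems.append(f"object {n}: second {alg} key; at most one key per algorithm")
            seen.add(alg)
            key_pending = True
        elif label == "CERTIFICATE":
            if not seen:
                problems.append(f"object {n}: certificate before any private key")
            key_pending = False                     # leaf cert or extra issuer cert for the last key
        else:
            problems.append(f"object {n}: unexpected PEM object {label!r}")
    if key_pending:
        problems.append("last private key has no certificate")
    return not problems, problems


# Constructed sample data: structurally valid PKCS#8 wrappers around dummy
# key material and a placeholder in place of certificate DER. Not usable keys.
def _pkcs8(oid, key_octets):
    alg = b"\x30" + bytes([len(oid) + 2]) + b"\x06" + bytes([len(oid)]) + oid
    body = b"\x02\x01\x00" + alg + b"\x04" + bytes([len(key_octets)]) + key_octets
    return b"\x30" + bytes([len(body)]) + body


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


ED25519_KEY = _pem("PRIVATE KEY", _pkcs8(b"\x2b\x65\x70", b"\x04\x20" + b"\x11" * 32))
RSA_KEY = _pem("PRIVATE KEY", _pkcs8(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x30\x00"))
CERT = _pem("CERTIFICATE", b"placeholder certificate DER")
```

       Run it over the real files in the order they appear in main.cf, for
       example with check_chain_files([open(p).read() for p in paths]); a key in
       its own file is accepted as long as the next listed file starts with its
       certificate, which is exactly the separate-file layout described above.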

smtp_tls_cipherlist (default: empty)

       Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
       list. As this feature applies to all TLS security levels, it is easy to
       create interoperability problems by choosing a non-default cipher list.
       Do not use a non-default TLS cipher list on hosts that deliver email to
       the public Internet: you will be unable to send email to servers that
       only support the ciphers you exclude. Using a restricted cipher list
       may be more appropriate for an internal MTA, where one can exert some
       control over the TLS software and settings of the peer servers.

       Note: do not use "" quotes around the parameter value.

       This feature is available in Postfix version 2.2. It is not used with
       Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.


smtp_tls_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP client will use with
       opportunistic TLS encryption. Cipher types listed in
       smtp_tls_exclude_ciphers are excluded from the base definition of the
       selected cipher grade. The default value is "medium" for Postfix
       releases after the middle of 2015, "export" for older releases.

       When TLS is mandatory the cipher grade is chosen via the
       smtp_tls_mandatory_ciphers configuration parameter; see there for
       syntax details. See smtp_tls_policy_maps for information on how to
       configure ciphers on a per-destination basis.

       This feature is available in Postfix 2.6 and later. With earlier
       Postfix releases only the smtp_tls_mandatory_ciphers parameter is
       implemented, and opportunistic TLS always uses "export" or better (i.e.
       all) ciphers.


smtp_tls_connection_reuse (default: no)

       Try to make multiple deliveries per TLS-encrypted connection. This
       uses the tlsproxy(8) service to encrypt an SMTP connection, uses the
       scache(8) service to save that connection, and relies on hints from the
       qmgr(8) daemon.

       See "Client-side TLS connection reuse" for background details.

       This feature is available in Postfix 3.4 and later.


smtp_tls_dane_insecure_mx_policy (default: dane)

       The TLS policy for MX hosts with "secure" TLSA records when the nexthop
       destination security level is dane, but the MX record was found via an
       "insecure" MX lookup. The choices are:

       may    The TLSA records will be ignored and TLS will be optional. If
              the MX host does not appear to support STARTTLS, or the STARTTLS
              handshake fails, mail may be sent in the clear.

       encrypt
              The TLSA records will signal a requirement to use TLS. While
              TLS encryption will be required, authentication will not be
              performed.

       dane (default)
              The TLSA records will be used just as with "secure" MX records.
              TLS encryption will be required, and, if at least one of the
              TLSA records is "usable", authentication will be required. When
              authentication succeeds, it will be logged only as "Trusted",
              not "Verified", because the MX host name could have been forged.
              Though with "insecure" MX records an active attacker can
              compromise SMTP transport security by returning forged MX
              records, such attacks are "tamper-evident" since any forged MX
              hostnames will be recorded in the mail logs. Attackers who place
              a high value on staying hidden may be deterred from forging MX
              records.

       This feature is available in Postfix 3.1 and later. The may policy is
       backwards-compatible with earlier Postfix versions.


smtp_tls_dcert_file (default: empty)

       File with the Postfix SMTP client DSA certificate in PEM format. This
       file may also contain the Postfix SMTP client private DSA key. The DSA
       algorithm is obsolete and should not be used.

       See the discussion under smtp_tls_cert_file for more details.

       Example:

       smtp_tls_dcert_file = /etc/postfix/client-dsa.pem

       This feature is available in Postfix 2.2 and later.


smtp_tls_dkey_file (default: $smtp_tls_dcert_file)

       File with the Postfix SMTP client DSA private key in PEM format. This
       file may be combined with the Postfix SMTP client DSA certificate file
       specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete and
       should not be used.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.2 and later.


smtp_tls_eccert_file (default: empty)

       File with the Postfix SMTP client ECDSA certificate in PEM format.
       This file may also contain the Postfix SMTP client ECDSA private key.
       With Postfix >= 3.4 the preferred way to configure client keys and
       certificates is via the "smtp_tls_chain_files" parameter.

       See the discussion under smtp_tls_cert_file for more details.

       Example:

       smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.


smtp_tls_eckey_file (default: $smtp_tls_eccert_file)

       File with the Postfix SMTP client ECDSA private key in PEM format.
       This file may be combined with the Postfix SMTP client ECDSA
       certificate file specified with $smtp_tls_eccert_file. With Postfix >=
       3.4 the preferred way to configure client keys and certificates is via
       the "smtp_tls_chain_files" parameter.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to the
       system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.


smtp_tls_enforce_peername (default: yes)

       With mandatory TLS encryption, require that the remote SMTP server
       hostname matches the information in the remote SMTP server certificate.
       As of RFC 2487 the requirements for hostname checking for MTA clients
       are not specified.

       This option can be set to "no" to disable strict peer name checking.
       This setting has no effect on sessions that are controlled via the
       smtp_tls_per_site table.

       Disabling the hostname verification can make sense in a closed
       environment where special CAs are created. If not used carefully, this
       option opens the danger of a "man-in-the-middle" attack (the CommonName
       of this attacker will be logged).

       This feature is available in Postfix 2.2 and later. With Postfix 2.3
       and later use smtp_tls_security_level instead.


smtp_tls_exclude_ciphers (default: empty)

       List of ciphers or cipher types to exclude from the Postfix SMTP client
       cipher list at all TLS security levels. This is not an OpenSSL
       cipherlist, it is a simple list separated by whitespace and/or commas.
       The elements are a single cipher, or one or more "+" separated cipher
       properties, in which case only ciphers matching all the properties are
       excluded.

       Examples (some of these will cause problems):

           smtp_tls_exclude_ciphers = aNULL
           smtp_tls_exclude_ciphers = MD5, DES
           smtp_tls_exclude_ciphers = DES+MD5
           smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
           smtp_tls_exclude_ciphers = kEDH+aRSA

       The first setting disables anonymous ciphers. The next setting
       disables ciphers that use the MD5 digest algorithm or the (single) DES
       encryption algorithm. The next setting disables ciphers that use MD5
       and DES together. The next setting disables the two ciphers
       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers that
       use "EDH" key exchange with RSA authentication.

       This feature is available in Postfix 2.3 and later.

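       The difference between "MD5, DES" (either property excludes) and
       "DES+MD5" (both properties are required) is the part of this syntax that
       is most often misread. The following is an added example, not Postfix
       code: Postfix hands the exclusions to OpenSSL, whereas this reproduces
       the documented list rules over a small constructed cipher table so the
       effect of each of the five example settings can be seen. The property
       names attached to each cipher are illustrative and are an assumption of
       this example; consult "openssl ciphers -v" for the real ones.

```python
"""Apply smtp_tls_exclude_ciphers list syntax to a constructed cipher table
(added example, not Postfix code). Elements are separated by whitespace and/or
commas; an element is either a cipher name or "+"-joined properties, and a
property element excludes only ciphers that carry all of those properties."""
import re

# Constructed table: cipher name -> OpenSSL-style property names (illustrative).
CIPHERS = {
    "AES256-SHA":                  {"kRSA", "aRSA", "AES256", "SHA1", "HIGH"},
    "DES-CBC3-MD5":                {"kRSA", "aRSA", "3DES", "MD5"},
    "DES-CBC-MD5":                 {"kRSA", "aRSA", "DES", "MD5", "LOW"},
    "DES-CBC-SHA":                 {"kRSA", "aRSA", "DES", "SHA1", "LOW"},
    "DHE-RSA-AES128-SHA":          {"kEDH", "aRSA", "AES128", "SHA1", "HIGH"},
    "ADH-AES128-SHA":              {"kEDH", "aNULL", "AES128", "SHA1"},
    "ECDHE-RSA-AES256-GCM-SHA384": {"kEECDH", "aRSA", "AESGCM", "SHA384", "HIGH"},
}


def parse_exclude_list(value):
    """Split a parameter value into elements; each element is a list of properties."""
    return [elem.split("+") for elem in re.split(r"[\s,]+", value.strip()) if elem]


def excluded_ciphers(value, table=CIPHERS):
    """Sorted names of the ciphers that the exclusion list removes from the table."""
    out = set()
    for props in parse_exclude_list(value):
        for name, cipher_props in table.items():
            # A bare cipher name matches by name; a property list matches only
            # when the cipher carries every listed property (logical AND).
            if props == [name] or all(p in cipher_props for p in props):
                out.add(name)
    return sorted(out)


def remaining_ciphers(value, table=CIPHERS):
    """Sorted names of the ciphers that survive the exclusion list."""
    return sorted(set(table) - set(excluded_ciphers(value, table)))
```

       Note that "MD5, DES" removes every cipher carrying either property
       (three entries in this table), while "DES+MD5" removes only the one
       cipher that carries both.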

smtp_tls_fingerprint_cert_match (default: empty)

       List of acceptable remote SMTP server certificate fingerprints for the
       "fingerprint" TLS security level (smtp_tls_security_level =
       fingerprint). At this security level, Certification Authorities are not
       used, and certificate expiration times are ignored. Instead, server
       certificates are verified directly via their certificate fingerprint or
       public key fingerprint (Postfix 2.9 and later). The fingerprint is a
       message digest of the server certificate (or public key). The digest
       algorithm is selected via the smtp_tls_fingerprint_digest parameter.

       When an smtp_tls_policy_maps table entry specifies the "fingerprint"
       security level, any "match" attributes in that entry specify the list
       of valid fingerprints for the corresponding destination. Multiple
       fingerprints can be combined with a "|" delimiter in a single match
       attribute, or multiple match attributes can be employed.

       Example: Certificate fingerprint verification with internal mailhub.
       Two matching fingerprints are listed. The relayhost may be multiple
       physical hosts behind a load-balancer, each with its own private/public
       key and self-signed certificate. Alternatively, a single relayhost may
       be in the process of switching from one set of private/public keys to
       another, and both keys are trusted just prior to the transition.

           relayhost = [mailhub.example.com]
           smtp_tls_security_level = fingerprint
           smtp_tls_fingerprint_digest = md5
           smtp_tls_fingerprint_cert_match =
               3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
               EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35

       Example: Certificate fingerprint verification with selected
       destinations. As in the example above, we show two matching
       fingerprints:

           /etc/postfix/main.cf:
               smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
               smtp_tls_fingerprint_digest = md5

           /etc/postfix/tls_policy:
               example.com fingerprint
                   match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
                   match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35

       This feature is available in Postfix 2.5 and later.


smtp_tls_fingerprint_digest (default: md5)

7625       The message digest algorithm used to construct remote SMTP server  cer‐
7626       tificate   fingerprints.   At  the  "fingerprint"  TLS  security  level
7627       (smtp_tls_security_level = fingerprint), the server certificate is ver‐
7628       ified  by  directly  matching its certificate fingerprint or its public
7629       key fingerprint (Postfix 2.9 and later). The fingerprint is the message
7630       digest of the server certificate (or its public key) using the selected
7631       algorithm. With a digest  algorithm  resistant  to  "second  pre-image"
7632       attacks,  it  is not feasible to create a new public key and a matching
7633       certificate (or public/private key-pair) that has the same fingerprint.
7634
7635       The default algorithm is md5; this is  consistent  with  the  backwards
7636       compatible  setting of the digest used to verify client certificates in
7637       the SMTP server.
7638
7639       The best practice algorithm is now sha1. Recent advances in hash  func‐
7640       tion  cryptanalysis  have led to md5 being deprecated in favor of sha1.
7641       However, as long as there  are  no  known  "second  pre-image"  attacks
7642       against md5, its use in this context can still be considered safe.
7643
7644       While  additional  digest algorithms are often available with OpenSSL's
7645       libcrypto, only those used by libssl in SSL cipher suites are available
7646       to Postfix. For now this means just md5 or sha1.
7647
7648       To find the fingerprint of a specific certificate file, with a specific
7649       digest algorithm, run:
7650
7651           $ openssl x509 -noout -fingerprint -digest -in certfile.pem
7652
7653       The text to the right of "=" sign  is  the  desired  fingerprint.   For
7654       example:
7655
7656           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
7657           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
7658
7659       To  extract  the  public key fingerprint from an X.509 certificate, you
7660       need to extract the public key from the  certificate  and  compute  the
7661       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the "-pub‐
7662       key" option of the "x509" command extracts the  public  key  always  in
7663       "PEM"  format.  We pipe the result to another OpenSSL command that con‐
7664       verts the key to DER and then to the "dgst" command to compute the fin‐
7665       gerprint.
7666
7667       The  actual  command  to transform the key to DER format depends on the
7668       version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey"  com‐
7669       mand  supports  all  key types. With OpenSSL 0.9.8 and earlier, the key
7670       type is always RSA (nobody uses DSA, and EC keys  are  not  fully  sup‐
7671       ported by 0.9.8), so the "rsa" command is used.
7672
7673           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
7674           $ openssl x509 -in cert.pem -noout -pubkey |
7675               openssl pkey -pubin -outform DER |
7676               openssl dgst -sha1 -c
7677           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
7678
7679           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
7680           $ openssl x509 -in cert.pem -noout -pubkey |
7681               openssl rsa -pubin -outform DER |
7682               openssl dgst -md5 -c
7683           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
7684
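       The two openssl pipelines above can also be reproduced without shelling
       out, which is handy when a script pins fingerprints for smtp_tls_policy_maps
       or checks what a peer logged. The Python program below is an added example,
       not code from Postfix or OpenSSL: it decodes a PEM certificate, digests the
       whole DER for the certificate fingerprint, and walks the X.509 structure to
       the SubjectPublicKeyInfo, the DER that "openssl pkey -pubin -outform DER"
       emits, for the public key fingerprint. Output is colon-separated upper-case
       hex, the form of the x509 -fingerprint output and of the match examples on
       this page. The certificate it builds when run directly is a constructed,
       unsigned placeholder, and all function names are the example's own.

```python
import base64
import hashlib
import re

DIGESTS = ("md5", "sha1")   # the digests this page lists for smtp_tls_fingerprint_digest


def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first PEM block in `pem`."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM wrapper around `der` with a 64-column base64 body."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def der_header(buf: bytes, off: int):
    """Decode one DER TLV header at `off`: (tag, content_start, content_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def subject_public_key_info(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo TLV of an X.509 certificate (no validation)."""
    tag, start, _ = der_header(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = der_header(cert_der, start)  # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, nxt = der_header(cert_der, pos)
    if tag == 0xA0:                                  # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):                               # serial, signature, issuer, validity, subject
        _, _, pos = der_header(cert_der, pos)
    tag, _, spki_end = der_header(cert_der, pos)     # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30 or spki_end > tbs_end:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:spki_end]


def fingerprint(data: bytes, digest: str = "sha1") -> str:
    """Colon-separated upper-case hex digest, the form Postfix logs and matches."""
    if digest not in DIGESTS:
        raise ValueError("unsupported smtp_tls_fingerprint_digest: " + digest)
    h = hashlib.new(digest, data).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def cert_fingerprint(cert_der: bytes, digest: str = "sha1") -> str:
    """Same digits as: openssl x509 -noout -fingerprint -<digest> -in cert.pem"""
    return fingerprint(cert_der, digest)


def pubkey_fingerprint(cert_der: bytes, digest: str = "sha1") -> str:
    """Same digits as the x509 -pubkey | pkey -outform DER | dgst pipeline."""
    return fingerprint(subject_public_key_info(cert_der), digest)


def der_encode(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_test_certificate() -> bytes:
    """CONSTRUCTED, unsigned, structurally valid DER certificate so the example
    runs offline.  Not a real certificate; it will not verify anywhere."""
    null = der_encode(0x05, b"")
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + null)  # sha256WithRSA
    rsa = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101")) + null)  # rsaEncryption
    key = der_encode(0x30, der_encode(0x02, b"\x00" + b"\xc1" * 32)                    # placeholder n
                     + der_encode(0x02, b"\x01\x00\x01"))                                # e = 65537
    spki = der_encode(0x30, rsa + der_encode(0x03, b"\x00" + key))
    utc = der_encode(0x17, b"240101000000Z")
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg + der_encode(0x30, b"") + der_encode(0x30, utc + utc)
                     + der_encode(0x30, b"") + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" * 33))


if __name__ == "__main__":
    cert = constructed_test_certificate()
    for d in DIGESTS:
        print(d, "cert  :", cert_fingerprint(cert, d))
        print(d, "pubkey:", pubkey_fingerprint(cert, d))
```

       For a real cert.pem, cert_fingerprint(pem_to_der(open("cert.pem").read()))
       yields the digits printed by "openssl x509 -fingerprint", and
       pubkey_fingerprint those of the pkey|dgst pipeline, since both digest the
       same DER bytes; only the hex case differs from the lower-case output of
       "dgst -c". The walker locates the public key but validates nothing else
       about the certificate, which is exactly the trust model of the
       "fingerprint" security level.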
7685       The Postfix SMTP server and client log the peer (leaf) certificate fin‐
7686       gerprint and public key fingerprint when  the  TLS  loglevel  is  2  or
7687       higher.
7688
7689       Note:  Postfix  2.9.0-2.9.5  computed the public key fingerprint incor‐
7690       rectly. To use public-key fingerprints, upgrade  to  Postfix  2.9.6  or
7691       later.
7692
7693       This feature is available in Postfix 2.5 and later.
7694

smtp_tls_force_insecure_host_tlsa_lookup (default: no)

7696       Look  up  the  associated DANE TLSA RRset even when a hostname is not an
7697       alias and its address  records  lie  in  an  unsigned  zone.   This  is
7698       unlikely  to  ever yield DNSSEC validated results, since child zones of
7699       unsigned zones are also unsigned in the absence of DLV or locally  con‐
7700       figured  non-root  trust-anchors.   We  anticipate that such mechanisms
7701       will not be used for just the "_tcp" subdomain of a host.   Suppressing
7702       the  TLSA  RRset lookup reduces latency and avoids potential interoper‐
7703       ability problems with nameservers for unsigned zones that are not  pre‐
7704       pared to handle the new TLSA RRset.
7705
7706       This feature is available in Postfix 2.11.
7707

smtp_tls_key_file (default: $smtp_tls_cert_file)

7709       File  with the Postfix SMTP client RSA private key in PEM format.  This
7710       file may be combined with the Postfix SMTP client RSA certificate  file
7711       specified  with $smtp_tls_cert_file.  With Postfix >= 3.4 the preferred
7712       way  to  configure  client   keys   and   certificates   is   via   the
7713       "smtp_tls_chain_files" parameter.
7714
7715       The  private key must be accessible without a pass-phrase, i.e. it must
7716       not be encrypted. File permissions should grant read-only access to the
7717       system superuser account ("root"), and no access to anyone else.
7718
7719       Example:
7720
7721       smtp_tls_key_file = $smtp_tls_cert_file
7722
7723       This feature is available in Postfix 2.2 and later.
7724

smtp_tls_loglevel (default: 0)

7726       Enable  additional  Postfix  SMTP client logging of TLS activity.  Each
7727       logging level also includes the information that is logged at  a  lower
7728       logging level.
7729
7730              0 Disable logging of TLS activity.
7731
7732              1  Log  only  a summary message on TLS handshake completion - no
7733              logging of remote SMTP server certificate trust-chain  verifica‐
7734              tion  errors if server certificate verification is not required.
7735              With Postfix 2.8 and earlier, log the summary message and uncon‐
7736              ditionally log trust-chain verification errors.
7737
7738              2 Also log levels during TLS negotiation.
7739
7740              3  Also  log  hexadecimal  and  ASCII  dump  of  TLS negotiation
7741              process.
7742
7743              4 Also log hexadecimal and ASCII dump of  complete  transmission
7744              after STARTTLS.
7745
7746       Do not use "smtp_tls_loglevel = 2" or higher  except  in  case  of
7747       problems.  Use  of loglevel 4 is strongly discouraged: it writes the
           decrypted post-STARTTLS session, message content included, to the
           mail log.
7748
7749       This feature is available in Postfix 2.2 and later.
7750

smtp_tls_mandatory_ciphers (default: medium)

7752       The minimum TLS cipher grade that the Postfix SMTP client will use with
7753       mandatory  TLS  encryption.  The default value "medium" is suitable for
7754       most destinations with which you may want to enforce TLS, and is beyond
7755       the  reach  of  today's cryptanalytic methods. See smtp_tls_policy_maps
7756       for information on how to configure ciphers on a per-destination basis.
7757
7758       The following cipher grades are supported:
7759
7760       export Enable "EXPORT" grade or better OpenSSL ciphers.  The underlying
7761              cipherlist is specified via the tls_export_cipherlist configura‐
7762              tion parameter, which you are strongly encouraged to not change.
7763              This choice is insecure and SHOULD NOT be used.
7764
7765       low    Enable  "LOW"  grade  or better OpenSSL ciphers.  The underlying
7766              cipherlist is specified via the tls_low_cipherlist configuration
7767              parameter,  which  you  are  strongly  encouraged to not change.
7768              This choice is insecure and SHOULD NOT be used.
7769
7770       medium Enable "MEDIUM" grade or better OpenSSL ciphers.  The underlying
7771              cipherlist is specified via the tls_medium_cipherlist configura‐
7772              tion parameter, which you are strongly encouraged to not change.
7773
7774       high   Enable only "HIGH" grade OpenSSL ciphers.  This setting  may  be
7775              appropriate  when  all mandatory TLS destinations (e.g. when all
7776              mail is routed to a suitably capable relayhost) support at least
7777              one  "HIGH" grade cipher. The underlying cipherlist is specified
7778              via the tls_high_cipherlist configuration parameter,  which  you
7779              are strongly encouraged to not change.
7780
7781       null   Enable  only the "NULL" OpenSSL ciphers; these provide authenti‐
7782              cation without encryption.  This setting is only appropriate  in
7783              the  rare case that all servers are prepared to use NULL ciphers
7784              (not normally enabled in TLS servers). A plausible  use-case  is
7785              an LMTP server listening on a UNIX-domain socket that is config‐
7786              ured to support "NULL" ciphers.  The  underlying  cipherlist  is
7787              specified  via  the tls_null_cipherlist configuration parameter,
7788              which you are strongly encouraged to not change.
7789
7790       The underlying cipherlists for grades other than "null" include  anony‐
7791       mous  ciphers,  but these are automatically filtered out if the Postfix
7792       SMTP client is configured to verify server certificates.  You are  very
7793       unlikely  to  need to take any steps to exclude anonymous ciphers, they
7794       are excluded automatically as necessary.  If you must exclude anonymous
7795       ciphers  at  the  "may"  or "encrypt" security levels, when the Postfix
7796       SMTP  client  does   not   need   or   use   peer   certificates,   set
7797       "smtp_tls_exclude_ciphers  =  aNULL". To exclude anonymous ciphers only
7798       when TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
7799
7800       This feature is available in Postfix 2.3 and later.
7801

smtp_tls_mandatory_exclude_ciphers (default: empty)

7803       Additional list of ciphers or cipher types to exclude from the  Postfix
7804       SMTP  client  cipher  list  at mandatory TLS security levels. This list
7805       works    in    addition    to    the     exclusions     listed     with
7806       smtp_tls_exclude_ciphers (see there for syntax details).
7807
7808       Starting with Postfix 2.6, the mandatory cipher exclusions can be spec‐
7809       ified  on  a  per-destination  basis  via  the  TLS  policy   "exclude"
7810       attribute. See smtp_tls_policy_maps for notes and examples.
7811
7812       This feature is available in Postfix 2.3 and later.
7813

smtp_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

7815       List  of  SSL/TLS  protocols that the Postfix SMTP client will use with
7816       mandatory TLS encryption.  In  main.cf  the  values  are  separated  by
7817       whitespace, commas or colons. In the policy table "protocols" attribute
7818       (see smtp_tls_policy_maps) the only valid separator is colon. An  empty
7819       value  means  allow  all  protocols.  The  valid  protocol  names  (see
7820       SSL_get_version(3)) are "SSLv2", "SSLv3" and "TLSv1"; the Postfix  and
7821       OpenSSL releases noted below also recognize "TLSv1.1",  "TLSv1.2"  and
7822       "TLSv1.3".  The default value is "!SSLv2, !SSLv3" for Postfix releases
           after the middle of 2015, "!SSLv2" for older releases.
7823
7824       With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
7825       col   exclusions.   One  can  explicitly  exclude  "SSLv2"  by  setting
7826       "smtp_tls_mandatory_protocols = !SSLv2". To exclude  both  "SSLv2"  and
7827       "SSLv3"  set  "smtp_tls_mandatory_protocols  = !SSLv2, !SSLv3". Listing
7828       the protocols to include, rather than protocols  to  exclude,  is  sup‐
7829       ported,  but  not  recommended. The exclusion form more closely matches
7830       the underlying OpenSSL interface semantics.
7831
7832       The range of protocols advertised by an SSL/TLS client must be contigu‐
7833       ous.   When a protocol version is enabled, disabling any higher version
7834       implicitly disables all versions above that higher version.  Thus,  for
7835       example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
7836
7837           smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
7838       also  disables  any  protocol version higher than TLSv1, leaving only
7839       "SSLv3" enabled.
7840
7841       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"  and
7842       "TLSv1.2".  When  Postfix  <=  2.5  is  linked against OpenSSL 1.0.1 or
7843       later, these, or any other new protocol versions,  cannot  be  disabled
7844       except by also disabling "TLSv1" (typically leaving just "SSLv3").  The
7845       latest patch levels of Postfix >= 2.6, and all versions of  Postfix  >=
7846       2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2".
7847
7848       OpenSSL  1.1.1  introduces  support for "TLSv1.3".  With Postfix >= 3.4
7849       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
7850       abled, if need be, via "!TLSv1.3".
7851
7852       At the dane and dane-only security levels, when usable TLSA records are
7853       obtained for the remote SMTP server, the Postfix SMTP client  is  obli‐
7854       gated to include the SNI TLS extension in its SSL client hello message.
7855       This may help the remote SMTP server live up to its promise to  provide
7856       a  certificate  that  matches  its  TLSA records.  Since TLS extensions
7857       require TLS 1.0 or later, the Postfix SMTP client must disable  "SSLv2"
7858       and  "SSLv3" when SNI is required.  If you use "dane" or "dane-only" do
7859       not disable TLSv1, except perhaps via the policy table for destinations
7860       which you are sure will support "TLSv1.1" or "TLSv1.2".
7861
7862       See   the  documentation  of  the  smtp_tls_policy_maps  parameter  and
7863       TLS_README for more information about security levels.
7864
7865       Example:
7866
7867       # Preferred syntax with Postfix >= 2.5:
7868       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
7869       # Legacy syntax:
7870       smtp_tls_mandatory_protocols = TLSv1
7871
7872       This feature is available in Postfix 2.3 and later.
7873

smtp_tls_note_starttls_offer (default: no)

7875       Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
7876       is not already enabled for that server.
7877
7878       The logfile record looks like:
7879
7880       postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
7881
7882       This feature is available in Postfix 2.2 and later.
7883

smtp_tls_per_site (default: empty)

7885       Optional lookup tables with the Postfix SMTP client TLS usage policy by
7886       next-hop destination and by remote SMTP  server  hostname.   When  both
7887       lookups  succeed,  the  more specific per-site policy (NONE, MUST, etc)
7888       overrides the less specific one (MAY), and  the  more  secure  per-site
7889       policy  (MUST, etc) overrides the less secure one (NONE).  With Postfix
7890       2.3  and  later  smtp_tls_per_site   is   strongly   discouraged:   use
7891       smtp_tls_policy_maps instead.
7892
7893       Use  of  the bare hostname as the per-site table lookup key is discour‐
7894       aged. Always use the full destination nexthop (enclosed in  []  with  a
7895       possible  ":port"  suffix).  A recipient domain or MX-enabled transport
7896       next-hop with no port suffix may look like  a  bare  hostname,  but  is
7897       still a suitable destination.
7898
7899       Specify  a  next-hop  destination  or  server hostname on the left-hand
7900       side; no wildcards are allowed. The next-hop destination is either  the
7901       recipient  domain, or the destination specified with a transport(5) ta‐
7902       ble, the relayhost parameter, or the relay_transport parameter.  On the
7903       right hand side specify one of the following keywords:
7904
7905       NONE   Don't  use TLS at all. This overrides a less specific MAY lookup
7906              result from the alternate host or next-hop lookup key, and over‐
7907              rides    the    global   smtp_use_tls,   smtp_enforce_tls,   and
7908              smtp_tls_enforce_peername settings.
7909
7910       MAY    Try to use TLS if the server announces  support,  otherwise  use
7911              the unencrypted connection. This has less precedence than a more
7912              specific result (including NONE)  from  the  alternate  host  or
7913              next-hop  lookup key, and has less precedence than the more spe‐
7914              cific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peer‐
7915              name = yes".
7916
7917       MUST_NOPEERMATCH
7918              Require  TLS encryption, but do not require that the remote SMTP
7919              server hostname matches  the  information  in  the  remote  SMTP
7920              server certificate, or that the server certificate was issued by
7921              a trusted CA. This overrides a less secure NONE or a  less  spe‐
7922              cific  MAY  lookup  result  from  the alternate host or next-hop
7923              lookup   key,   and   overrides   the    global    smtp_use_tls,
7924              smtp_enforce_tls and smtp_tls_enforce_peername settings.
7925
7926       MUST   Require  TLS  encryption,  require  that  the remote SMTP server
7927              hostname matches the information in the remote SMTP server  cer‐
7928              tificate,  and  require  that the remote SMTP server certificate
7929              was issued by a trusted CA. This overrides a  less  secure  NONE
7930              and  MUST_NOPEERMATCH  or a less specific MAY lookup result from
7931              the alternate host or next-hop lookup  key,  and  overrides  the
7932              global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peer‐
7933              name settings.
7934
7935       The above keywords correspond to the "none", "may", "encrypt" and "ver‐
7936       ify"  security  levels  for  the  new smtp_tls_security_level parameter
7937       introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
7938       of  how  the  policy  is  specified, the smtp_tls_mandatory_ciphers and
7939       smtp_tls_mandatory_protocols parameters apply when  TLS  encryption  is
7940       mandatory.  Connections  for  which  encryption  is  optional typically
7941       enable all "export" grade and better ciphers (see smtp_tls_ciphers  and
7942       smtp_tls_protocols).
7943
7944       As long as no secure DNS lookup mechanism is available, false hostnames
7945       in MX or CNAME responses can change the server  hostname  that  Postfix
7946       uses  for  TLS  policy lookup and server certificate verification. Even
7947       with a perfect match between the server hostname and  the  server  cer‐
7948       tificate,  there is no guarantee that Postfix is connected to the right
7949       server.  See TLS_README (Closing a DNS loophole with obsolete  per-site
7950       TLS policies) for a possible work-around.
7951
7952       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
7953       and later use smtp_tls_policy_maps instead.
7954

smtp_tls_policy_maps (default: empty)

7956       Optional lookup tables with the Postfix SMTP client TLS security policy
7957       by  next-hop  destination;  when  a  non-empty value is specified, this
7958       overrides the obsolete smtp_tls_per_site parameter.  See TLS_README for
7959       a more detailed discussion of TLS security levels.
7960
7961       Specify zero or more "type:name" lookup tables, separated by whitespace
7962       or comma. Tables will be searched in the specified order until a  match
7963       is found.
7964
7965       The TLS policy table is indexed by the full next-hop destination, which
7966       is either the recipient domain, or the verbatim next-hop  specified  in
7967       the     transport    table,    $local_transport,    $virtual_transport,
7968       $relay_transport or $default_transport.  This  includes  any  enclosing
7969       square brackets and any non-default destination server port suffix. The
7970       LMTP socket type prefix (inet: or unix:) is not included in the  lookup
7971       key.
7972
7973       Only  the  next-hop  domain,  or $myhostname with LMTP over UNIX-domain
7974       sockets, is used as the nexthop name for certificate verification.  The
7975       port  and  any  enclosing  square brackets are used in the table lookup
7976       key, but are not used for server name verification.
7977
7978       When the lookup key is a domain name without enclosing square  brackets
7979       or  any  :port  suffix  (typically  the recipient domain), and the full
7980       domain is not found in the table, just as with the transport(5)  table,
7981       the  parent  domain starting with a leading "." is matched recursively.
7982       This allows one to specify a security policy for a recipient domain and
7983       all its sub-domains.
7984
7985       The  lookup result is a security level, followed by an optional list of
7986       whitespace and/or comma separated name=value attributes  that  override
7987       related  main.cf settings. The TLS security levels in order of increas‐
7988       ing security are:
7989
7990       none   No TLS. No additional attributes are supported at this level.
7991
7992       may    Opportunistic TLS. Since sending in  the  clear  is  acceptable,
7993              demanding  stronger  than  default  TLS  security merely reduces
7994              interoperability. The optional "ciphers", "exclude", and "proto‐
7995              cols"  attributes  (available for opportunistic TLS with Postfix
7996              >= 2.6) and "connection_reuse" attribute (Postfix >= 3.4)  over‐
7997              ride    the    "smtp_tls_ciphers",   "smtp_tls_exclude_ciphers",
7998              "smtp_tls_protocols", and "smtp_tls_connection_reuse" configura‐
7999              tion parameters. When opportunistic TLS handshakes fail, Postfix
8000              retries the connection with  TLS  disabled.   This  allows  mail
8001              delivery to sites with non-interoperable TLS implementations.
8002
8003       encrypt
8004              Mandatory TLS encryption. At this level and higher, the optional
8005              "protocols"  attribute  overrides  the  main.cf  smtp_tls_manda‐
8006              tory_protocols parameter, the optional "ciphers" attribute over‐
8007              rides  the  main.cf  smtp_tls_mandatory_ciphers  parameter,  the
8008              optional  "exclude"  attribute  (Postfix  >=  2.6) overrides the
8009              main.cf smtp_tls_mandatory_exclude_ciphers  parameter,  and  the
8010              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8011              the main.cf smtp_tls_connection_reuse parameter. In  the  policy
8012              table,  multiple protocols or excluded ciphers must be separated
8013              by colons, as attribute values may  not  contain  whitespace  or
8014              commas.
8015
8016       dane   Opportunistic  DANE  TLS.  The TLS policy for the destination is
8017              obtained via TLSA records in DNSSEC.  If  no  TLSA  records  are
8018              found,  the  effective  security  level  used  is  may.  If TLSA
8019              records are found, but none are usable, the  effective  security
8020              level is encrypt.  When usable TLSA records are obtained for the
8021              remote SMTP server, the server certificate must match  the  TLSA
8022              records.   RFC 7672 (DANE) TLS authentication and DNSSEC support
8023              is available with Postfix 2.11 and later. The optional  "connec‐
8024              tion_reuse"  attribute  (Postfix  >=  3.4) overrides the main.cf
8025              smtp_tls_connection_reuse parameter.
8026
8027       dane-only
8028              Mandatory DANE TLS.  The  TLS  policy  for  the  destination  is
8029              obtained  via  TLSA  records  in DNSSEC.  If no TLSA records are
8030              found, or none are usable, no connection is made to the  server.
8031              When  usable  TLSA  records  are  obtained  for  the remote SMTP
8032              server, the server certificate must match the TLSA records.  RFC
8033              7672  (DANE)  TLS authentication and DNSSEC support is available
8034              with Postfix 2.11 and  later.  The  optional  "connection_reuse"
8035              attribute  (Postfix  >= 3.4) overrides the main.cf smtp_tls_con‐
8036              nection_reuse parameter.
8037
8038       fingerprint
8039              Certificate fingerprint verification. Available with Postfix 2.5
8040              and later. At this security level, there are no trusted Certifi‐
8041              cation Authorities.  The  certificate  trust  chain,  expiration
8042              date,   ...   are  not  checked.  Instead,  the  optional  match
8043              attribute, or else the  main.cf  smtp_tls_fingerprint_cert_match
8044              parameter,  lists the certificate fingerprints or the public key
8045              fingerprint (Postfix 2.9 and later) of the valid server certifi‐
8046              cate.  The digest algorithm used to calculate the fingerprint is
8047              selected by the smtp_tls_fingerprint_digest  parameter;  of  the
8048              digests listed there, prefer sha1 over md5, for which  chosen-
8049              prefix collisions are practical.  Multiple fingerprints can  be
                  combined with a "|" delimiter in a single match  attribute,  or
                  multiple match attributes can be employed.
8050              The  ":"  character  is  not  used  as  a delimiter as it occurs
8051              between each  pair  of  fingerprint  (hexadecimal)  digits.  The
8052              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8053              the main.cf smtp_tls_connection_reuse parameter.
8054
8055       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
8056              lookups  are  trusted to be secure enough, and the name verified
8057              in the server certificate is  usually  obtained  indirectly  via
8058              unauthenticated  DNS MX lookups.  The optional "match" attribute
8059              overrides the main.cf smtp_tls_verify_cert_match  parameter.  In
8060              the policy table, multiple match patterns and strategies must be
8061              separated by colons.  In practice explicit control over matching
8062              is  more  common  with the "secure" policy, described below. The
8063              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8064              the main.cf smtp_tls_connection_reuse parameter.
8065
8066       secure Secure-channel  TLS.  At  this  security  level, DNS MX lookups,
8067              though potentially used  to  determine  the  candidate  next-hop
8068              gateway  IP  addresses,  are not trusted to be secure enough for
8069              TLS peername verification. Instead, the default name verified in
8070              the  server  certificate is obtained directly from the next-hop,
8071              or is explicitly specified  via  the  optional  match  attribute
8072              which  overrides  the main.cf smtp_tls_secure_cert_match parame‐
8073              ter. In the policy table, multiple match patterns and strategies
8074              must be separated by colons.  The match attribute is most useful
8075              when multiple domains are served by a common server: the  policy
8076              entries  for  the additional domains then specify matching rules
8077              for the primary domain certificate.  Transport  table  overrides
8078              that route the secondary domains to the primary  nexthop  would
8079              also allow secure verification, but they risk delivery  to  the
8080              wrong destination when domains change hands or are  re-assigned
                  to new gateways.
8081              With the "match" attribute approach, routing is  not  perturbed,
8082              and mail is deferred if verification of a new MX host fails. The
8083              optional "connection_reuse" attribute (Postfix >= 3.4) overrides
8084              the main.cf smtp_tls_connection_reuse parameter.
8085
8086       Example:
8087
8088       /etc/postfix/main.cf:
8089           smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
8090           # Postfix 2.5 and later
8091           smtp_tls_fingerprint_digest = md5
8092
8093       /etc/postfix/tls_policy:
8094           example.edu                 none
8095           example.mil                 may
8096           example.gov                 encrypt protocols=TLSv1
8097           example.com                 verify ciphers=high
8098           example.net                 secure
8099           .example.net                secure match=.example.net:example.net
8100           [mail.example.org]:587      secure match=nexthop
8101           # Postfix 2.5 and later
8102           [thumb.example.org]          fingerprint
8103               match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8104               match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8105
8106       Note:  The  hostname  strategy,  if listed in a non-default setting of
8107       smtp_tls_secure_cert_match or in the match attribute  in  the  policy
8108       table, can render the secure level vulnerable to DNS forgery.  Do  not
8109       use  the  hostname  strategy  for secure-channel configurations in any
8110       environment where DNS security is not assured.
8111
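       The lookup rules above (the key derived from the next-hop, the parent-
       domain fallback for bare domains, and the "level name=value ..." result
       syntax) can be exercised offline against the sample table. The Python
       below is an added illustration, not Postfix's smtp_tls_policy_maps code:
       it parses the sample tls_policy text (indented lines continue the previous
       entry, as in a hash: source file), tries the lookup keys in the order this
       page describes, and splits the matched result into level and attributes.
       Whether non-domain keys such as LMTP socket paths get parent-domain
       fallback is not stated on this page; the code assumes they do not, and
       all function names are the example's own.

```python
import re

# The page's sample /etc/postfix/tls_policy as text.  In a hash: source file
# a line that starts with whitespace continues the previous entry.
SAMPLE_TLS_POLICY = """\
example.edu                 none
example.mil                 may
example.gov                 encrypt protocols=TLSv1
example.com                 verify ciphers=high
example.net                 secure
.example.net                secure match=.example.net:example.net
[mail.example.org]:587      secure match=nexthop
# Postfix 2.5 and later
[thumb.example.org]          fingerprint
    match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
"""

LEVELS = ("none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure")


def parse_policy_table(text):
    """Map lookup key -> right-hand side, joining continuation lines."""
    table, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation line without an entry")
            table[current] += " " + line.strip()
            continue
        key, rhs = (line.split(None, 1) + [""])[:2]
        table[key], current = rhs.strip(), key
    return table


def parse_policy(rhs):
    """'level name=value ...' -> (level, [(name, value), ...]).
    Attributes are whitespace/comma separated; a value contains no whitespace
    or commas, so lists inside it use ':' (or '|' between fingerprints)."""
    tokens = [t for t in re.split(r"[\s,]+", rhs) if t]
    if not tokens or tokens[0] not in LEVELS:
        raise ValueError("invalid security level in: %r" % rhs)
    level, attrs = tokens[0], []
    for tok in tokens[1:]:
        name, eq, value = tok.partition("=")
        if not eq:
            raise ValueError("malformed attribute: " + tok)
        attrs.append((name, value))
    if level == "none" and attrs:
        raise ValueError("level none takes no attributes")
    return level, attrs


def lookup_keys(nexthop):
    """Keys tried in order for a next-hop: the LMTP socket-type prefix is
    dropped; a bare domain (no [] and no :port) also tries its parent domains
    with a leading '.'.  ASSUMPTION: non-domain keys (e.g. socket paths) get
    no parent-domain fallback."""
    key = re.sub(r"^(inet|unix):", "", nexthop)
    keys = [key]
    if re.fullmatch(r"[A-Za-z0-9.-]+", key):
        labels = key.split(".")
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys


def lookup_policy(table, nexthop):
    """(matched_key, level, attrs) for the first key found, else None."""
    for key in lookup_keys(nexthop):
        if key in table:
            level, attrs = parse_policy(table[key])
            return key, level, attrs
    return None


def attr_values(attrs, name, sep):
    """All values of a (possibly repeated) attribute, each split on `sep`."""
    return [v for n, value in attrs if n == name for v in value.split(sep)]


if __name__ == "__main__":
    table = parse_policy_table(SAMPLE_TLS_POLICY)
    for dest in ("example.edu", "mx1.example.net", "inet:[mail.example.org]:587",
                 "[mail.example.org]", "[thumb.example.org]"):
        print("%-30s -> %s" % (dest, lookup_policy(table, dest)))
```

       Running it shows the asymmetry a practitioner should expect: a bracketed
       next-hop such as [mail.example.org] never falls back to .example.org,
       while mx1.example.net inherits the .example.net entry, and the two match
       attributes of the fingerprint entry survive as separate values.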
8112       This feature is available in Postfix 2.3 and later.
8113

smtp_tls_protocols (default: !SSLv2, !SSLv3)

8115       List  of  TLS  protocols  that  the Postfix SMTP client will exclude or
8116       include  with  opportunistic  TLS  encryption.  The  default  value  is
8117       "!SSLv2,  !SSLv3"  for  Postfix  releases  after  the  middle  of 2015,
8118       "!SSLv2" for older releases.  Before  Postfix  2.6,  the  Postfix  SMTP
8119       client would use all protocols with opportunistic TLS.
8120
8121       In main.cf the values are separated by whitespace, commas or colons. In
8122       the policy table (see smtp_tls_policy_maps) the only valid separator is
8123       colon.  An  empty  value  means allow all protocols. The valid protocol
8124       names (see SSL_get_version(3)) are "SSLv2", "SSLv3" and  "TLSv1";  the
           Postfix and OpenSSL releases noted below also  recognize  "TLSv1.1",
           "TLSv1.2" and "TLSv1.3".
8125
8126       The range of protocols advertised by an SSL/TLS client must be contigu‐
8127       ous.   When a protocol version is enabled, disabling any higher version
8128       implicitly disables all versions above that higher version.  Thus,  for
8129       example (assuming the OpenSSL library supports both SSLv2 and SSLv3):
8130
8131           smtp_tls_protocols = !SSLv2, !TLSv1
8132       also  disables  any  protocol version higher than TLSv1, leaving only
8133       "SSLv3" enabled.
8134
8135       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"  and
8136       "TLSv1.2".  The latest patch levels of Postfix >= 2.6, and all versions
8137       of Postfix >= 2.10 can explicitly  disable  support  for  "TLSv1.1"  or
8138       "TLSv1.2".
8139
8140       OpenSSL  1.1.1  introduces  support for "TLSv1.3".  With Postfix >= 3.4
8141       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
8142       abled, if need be, via "!TLSv1.3".
8143
8144       To  include  a  protocol  list its name, to exclude it, prefix the name
8145       with a "!" character.  To  exclude  SSLv2  for  opportunistic  TLS  set
8146       "smtp_tls_protocols  = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
8147       "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols
8148       to  include,  rather  than  protocols to exclude, is supported, but not
8149       recommended.  The exclusion form more closely  matches  the  underlying
8150       OpenSSL interface semantics.
8151
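       The contiguity rule above, which smtp_tls_mandatory_protocols shares, is
       easy to misjudge when a value mixes names with and without "!". The
       following Python is an added model of the semantics as this page states
       them, not Postfix's own protocol-mask code: it splits a main.cf value (or
       a policy-table "protocols" attribute, where only ":" may separate names),
       rejects unknown names, and returns the contiguous set of versions the
       client will actually offer. Treating a mixed list as "only the bare
       names, minus the "!" names" is this example's assumption, as are the
       function names.

```python
import re

# Protocol versions in ascending order, as named on this page.  TLSv1.1 and
# later are only known to the Postfix and OpenSSL releases noted above.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_protocols(value, policy_table=False):
    """Split a protocol list into (include, exclude) name sets.

    main.cf values may use whitespace, commas or colons as separators; the
    policy table "protocols" attribute accepts only colons, since attribute
    values there may contain no whitespace or commas."""
    if policy_table:
        if re.search(r"[\s,]", value):
            raise ValueError("policy table protocols attribute: use ':' only")
        tokens = [t for t in value.split(":") if t]
    else:
        tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    include, exclude = set(), set()
    for tok in tokens:
        name = tok[1:] if tok.startswith("!") else tok
        if name not in PROTOCOLS:
            raise ValueError("unknown protocol name: " + name)
        (exclude if tok.startswith("!") else include).add(name)
    return include, exclude


def effective_protocols(value, policy_table=False):
    """Versions the client actually offers.

    An empty value allows everything; bare names enable only those
    (ASSUMPTION: bare and "!" names may be mixed, exclusions winning).  Then
    the contiguity rule applies: the range starts at the lowest enabled
    version and stops just below the first disabled version above it, so
    everything higher is implicitly disabled as well."""
    include, exclude = parse_protocols(value, policy_table)
    enabled = [p for p in PROTOCOLS
               if (not include or p in include) and p not in exclude]
    offered = []
    for proto in PROTOCOLS:
        if proto in enabled:
            offered.append(proto)
        elif offered:                  # first gap above the lowest enabled version
            break
    return offered


if __name__ == "__main__":
    for setting in ("", "!SSLv2, !SSLv3", "!SSLv2, !TLSv1", "TLSv1",
                    "!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"):
        print("%-32r -> %s" % (setting, ", ".join(effective_protocols(setting))))
```

       Running it shows why the inclusion form is discouraged: "TLSv1" on its
       own yields only TLSv1 once the library knows TLSv1.1 and later, whereas
       "!SSLv2, !SSLv3" keeps every newer version enabled.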
8152       Example:
8153       # TLSv1 or better:
8154       smtp_tls_protocols = !SSLv2, !SSLv3
8155
8156       This feature is available in Postfix 2.6 and later.
8157

smtp_tls_scert_verifydepth (default: 9)

8159       The  verification depth for remote SMTP server certificates. A depth of
8160       1 is sufficient if the issuing CA is listed in a local CA file.
8161
8162       The default verification depth is 9 (the OpenSSL default) for  compati‐
8163       bility with earlier Postfix behavior. Prior to Postfix 2.5, the default
8164       value was 5, but the limit was not actually enforced. If you  have  set
8165       this  to  a  lower  non-default  value,  certificates with longer trust
8166       chains may now fail to verify. Certificate chains with 1 or 2  CAs  are
8167       common,  deeper  chains  are  more  rare and any number between 5 and 9
8168       should suffice in practice. You can choose a lower number if, for exam‐
8169       ple,  you  trust  certificates directly signed by an issuing CA but not
8170       any CAs it delegates to.
8171
8172       This feature is available in Postfix 2.2 and later.
8173

smtp_tls_secure_cert_match (default: nexthop, dot-nexthop)

8175       How the Postfix SMTP client verifies the  server  certificate  peername
8176       for  the  "secure"  TLS  security level. In a "secure" TLS policy table
8177       ($smtp_tls_policy_maps) entry the optional "match" attribute  overrides
8178       this main.cf setting.
8179
8180       This  parameter  specifies one or more patterns or strategies separated
8181       by commas, whitespace or colons.  In the policy table  the  only  valid
8182       separator is the colon character.
8183
8184       For   a  description  of  the  pattern  and  strategy  syntax  see  the
8185       smtp_tls_verify_cert_match parameter. The "hostname" strategy should be
8186       avoided  in  this  context,  as  in the absence of a secure global DNS,
8187       using the results of MX lookups  in  certificate  verification  is  not
8188       immune to active (man-in-the-middle) attacks on DNS.
8189
8190       Sample main.cf setting:
8191
8192           smtp_tls_secure_cert_match = nexthop
8193
8194       Sample policy table override:
8195
8196           example.net     secure match=example.com:.example.com
8197           .example.net    secure match=example.com:.example.com
8198
8199       This feature is available in Postfix 2.3 and later.
8200

smtp_tls_security_level (default: empty)

8202       The default SMTP TLS security level for the Postfix SMTP client; when a
8203       non-empty value is specified, this overrides  the  obsolete  parameters
8204       smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
8205
8206       Specify one of the following security levels:
8207
8208       none   No  TLS. TLS will not be used unless enabled for specific desti‐
8209              nations via smtp_tls_policy_maps.
8210
8211       may    Opportunistic TLS. Use TLS if this is supported  by  the  remote
8212              SMTP server, otherwise use plaintext. Since sending in the clear
8213              is acceptable, demanding  stronger  than  default  TLS  security
8214              merely  reduces  interoperability.   The  "smtp_tls_ciphers" and
8215              "smtp_tls_protocols" (Postfix >= 2.6)  configuration  parameters
8216              provide  control  over  the protocols and cipher grade used with
8217              opportunistic TLS.  With earlier releases the opportunistic  TLS
8218              cipher  grade  is always "export" and no protocols are disabled.
8219              When TLS handshakes fail, the connection  is  retried  with  TLS
8220              disabled.   This allows mail delivery to sites with non-interop‐
8221              erable TLS implementations.
8222
8223       encrypt
8224              Mandatory TLS encryption. Since a minimum level of  security  is
8225              intended,  it  is  reasonable  to be specific about sufficiently
8226              secure protocol versions and ciphers. At this security level and
8227              higher,  the main.cf parameters smtp_tls_mandatory_protocols and
8228              smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
8229              cipher grade which the administrator considers secure enough for
8230              mandatory encrypted sessions. This  security  level  is  not  an
8231              appropriate default for systems delivering mail to the Internet.
8232
8233       dane   Opportunistic  DANE TLS.  At this security level, the TLS policy
8234              for the destination is obtained via DNSSEC.  For TLSA policy  to
8235              be  in effect, the destination domain's containing DNS zone must
8236              be signed and the Postfix SMTP client's operating system must be
8237              configured to send its DNS queries to a recursive DNS nameserver
8238              that is able to validate the signed records.  Each MX host's DNS
8239              zone  should  also  be signed, and should publish DANE TLSA (RFC
8240              7672) records that specify how that MX host's TLS certificate is
8241              to be verified.  TLSA records do not preempt the normal SMTP MX
8242              host selection algorithm; if some MX hosts publish TLSA records
8243              and others do not, TLS security will vary from delivery to
8244              delivery.  It is up to the domain owner to configure their MX
8245              hosts and their DNS sensibly.  To configure the Postfix SMTP
8246              client for DNSSEC lookups see the documentation for the
8247              smtp_dns_support_level main.cf parameter.  When DNSSEC-validated
8248              TLSA records are not found, the effective TLS security level is
8249              "may".  When TLSA records are found but are all unusable, the
8250              effective security level is "encrypt".  For purposes of protocol
8251              and cipher selection, the "dane" security level is treated like
8252              a "mandatory" TLS security level, and weak ciphers and protocols
8253              are disabled.  Since DANE authenticates server certificates, the
8254              "aNULL" cipher suites are transparently excluded at this level;
8255              there is no need to configure this manually.  RFC 7672 (DANE) TLS
8256              authentication is available with Postfix 2.11 and later.
8257
8258       dane-only
8259              Mandatory DANE TLS.  This is just like "dane"  above,  but  DANE
8260              TLSA  authentication is required.  There is no fallback to "may"
8261              or "encrypt" when TLSA records are  missing  or  unusable.   RFC
8262              7672  (DANE)  TLS  authentication is available with Postfix 2.11
8263              and later.
8264
8265       fingerprint
8266              Certificate fingerprint verification.  At this  security  level,
8267              there are no trusted Certification Authorities.  The certificate
8268              trust chain, expiration date, etc., are  not  checked.  Instead,
8269              the smtp_tls_fingerprint_cert_match parameter lists the certifi‐
8270              cate fingerprint or public  key  fingerprint  (Postfix  2.9  and
8271              later)  of  the  valid  server certificate. The digest algorithm
8272              used  to  calculate  the  fingerprint   is   selected   by   the
8273              smtp_tls_fingerprint_digest  parameter.  Available  with Postfix
8274              2.5 and later.
8275
8276       verify Mandatory TLS verification.  At  this  security  level,  DNS  MX
8277              lookups  are  trusted to be secure enough, and the name verified
8278              in the server certificate is  usually  obtained  indirectly  via
8279              unauthenticated  DNS  MX lookups. The smtp_tls_verify_cert_match
8280              parameter controls how the server name is verified. In  practice
8281              explicit  control  over  matching is more common at the "secure"
8282              level, described below. This security level is not an  appropri‐
8283              ate default for systems delivering mail to the Internet.
8284
8285       secure Secure-channel  TLS.   At  this  security level, DNS MX lookups,
8286              though potentially used  to  determine  the  candidate  next-hop
8287              gateway  IP  addresses,  are not trusted to be secure enough for
8288              TLS peername verification. Instead, the default name verified in
8289              the  server  certificate is obtained from the next-hop domain as
8290              specified in the smtp_tls_secure_cert_match configuration param‐
8291              eter.  The  default  matching  rule is that a server certificate
8292              matches when its name is equal to or is a sub-domain of the nex‐
8293              thop  domain.  This security level is not an appropriate default
8294              for systems delivering mail to the Internet.
8295
8296       Examples:
8297
8298       # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
8299       smtp_tls_security_level = none
8300
8301       # Opportunistic TLS.
8302       smtp_tls_security_level = may
8303       # Postfix >= 2.6:
8304       # Do not tweak opportunistic ciphers or protocol unless it is essential
8305       # to do so (if a security vulnerability is found in the SSL library that
8306       # can be mitigated by disabling a particular protocol or raising the
8307       # cipher grade from "export" to "low" or "medium").
8308       smtp_tls_ciphers = export
8309       smtp_tls_protocols = !SSLv2, !SSLv3
8310
8311       # Mandatory (high-grade) TLS encryption.
8312       smtp_tls_security_level = encrypt
8313       smtp_tls_mandatory_ciphers = high
8314
8315       # Mandatory TLS verification of hostname or nexthop domain.
8316       smtp_tls_security_level = verify
8317       smtp_tls_mandatory_ciphers = high
8318       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8319
8320       # Secure channel TLS with exact nexthop name match; exclude legacy SSL.
8321       smtp_tls_security_level = secure
8322       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8323       smtp_tls_mandatory_ciphers = high
8324       smtp_tls_secure_cert_match = nexthop
8325
8326       # Certificate fingerprint verification (Postfix >= 2.5).
8327       # The CA-less "fingerprint" security level only scales to a limited
8328       # number of destinations. As a global default rather than a per-site
8329       # setting, this is practical when mail for all recipients is sent
8330       # to a central mail hub.
8331       relayhost = [mailhub.example.com]
8332       smtp_tls_security_level = fingerprint
8333       smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
8334       smtp_tls_mandatory_ciphers = high
8335       smtp_tls_fingerprint_cert_match =
8336           3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
8337           EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
8338
8339       This feature is available in Postfix 2.3 and later.
8340
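How the values that smtp_tls_fingerprint_cert_match expects are derived, as an added worked example in Python. This is not Postfix code and is not taken from this manual. It builds two minimal, structurally valid DER certificates for the same public key (the key bits and the signature are constructed filler, never real key material), hashes the whole certificate for the certificate fingerprint and the SubjectPublicKeyInfo for the public key fingerprint, and prints both in the colon-separated form used in the example above. The digest name stands in for smtp_tls_fingerprint_digest. The renewal scenario is the point: a reissued certificate with a new serial number and validity period keeps the public key fingerprint, so pinning the public key survives routine certificate renewal while pinning the certificate does not.

```python
import hashlib

# --- minimal DER encoder/decoder, enough for the certificate skeleton ---

def der(tag, content):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        nb = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(content):
    """Split a constructed value into (tag, full_tlv) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_read(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


# --- constructed certificate skeleton (RFC 5280 field order, no real crypto) ---

OID_RSA_ENCRYPTION = bytes.fromhex("2A864886F70D010101")   # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("550403")                  # 2.5.4.3


def alg_id(oid):
    return der(0x30, der(0x06, oid) + der(0x05, b""))


def x500_name(cn):
    rdn = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, rdn))


def make_cert(serial, not_before, not_after, pubkey_bits, cn="mailhub.example.com"):
    """Version-3 certificate with a filler signature (demo only, never verifies)."""
    spki = der(0x30, alg_id(OID_RSA_ENCRYPTION) + der(0x03, b"\x00" + pubkey_bits))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                   # [0] version v3
              + der(0x02, serial)                             # serialNumber
              + alg_id(OID_SHA256_WITH_RSA)                   # signature algorithm
              + x500_name("Example Mail CA")                  # issuer (constructed)
              + der(0x30, der(0x17, not_before.encode())      # validity
                    + der(0x17, not_after.encode()))
              + x500_name(cn)                                 # subject
              + spki)                                         # subjectPublicKeyInfo
    return der(0x30, tbs + alg_id(OID_SHA256_WITH_RSA) + der(0x03, b"\x00" + b"\xAA" * 64))


# --- what gets hashed ---

def spki_der(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from a DER certificate."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_tlv = der_children(cert_body)[0]
    _, tbs_body, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:              # explicit version is optional (v1 omits it)
        fields = fields[1:]
    return fields[5][1]                   # serial, sigalg, issuer, validity, subject, SPKI


def fingerprint(data, digest="sha256"):
    """Colon-separated upper-case hex, the form smtp_tls_fingerprint_cert_match takes."""
    hexdigest = hashlib.new(digest, data).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def cert_fingerprint(cert_der, digest="sha256"):
    return fingerprint(cert_der, digest)


def pubkey_fingerprint(cert_der, digest="sha256"):
    return fingerprint(spki_der(cert_der), digest)


def fingerprint_matches(cert_der, configured, digest="sha256"):
    """A match on either the certificate or the public key digest is accepted."""
    wanted = {fp.upper() for fp in configured}
    return (cert_fingerprint(cert_der, digest) in wanted
            or pubkey_fingerprint(cert_der, digest) in wanted)


if __name__ == "__main__":
    key = bytes(range(1, 65))                      # constructed filler "public key"
    old = make_cert(b"\x01", "240101000000Z", "250101000000Z", key)
    new = make_cert(b"\x02", "250101000000Z", "260101000000Z", key)   # renewed, same key
    print("cert old  :", cert_fingerprint(old))
    print("cert new  :", cert_fingerprint(new))
    print("pubkey same:", pubkey_fingerprint(old) == pubkey_fingerprint(new))
    print("pubkey pin survives renewal:", fingerprint_matches(new, [pubkey_fingerprint(old)]))
    print("cert pin survives renewal  :", fingerprint_matches(new, [cert_fingerprint(old)]))
```

With a real certificate file, the same two values are what "openssl x509 -noout -fingerprint -sha256" and a SHA-256 over the output of the "-pubkey" extraction shown under smtp_tls_trust_anchor_file would produce; keep the digest here equal to smtp_tls_fingerprint_digest or the match will never succeed.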

smtp_tls_servername (default: empty)

8342       Optional name to send to the remote SMTP server in the TLS Server  Name
8343       Indication  (SNI)  extension.  The SNI extension is always on when DANE
8344       is used to authenticate the server, and in that case the SNI name  sent
8345       is the one required by RFC 7672 and this parameter is ignored.
8346
8347       Some  SMTP  servers  use the received SNI name to select an appropriate
8348       certificate chain to present to the client.   While  this  may  improve
8349       interoperability with such servers, it may reduce interoperability with
8350       other servers that choose to abort the connection when they don't  have
8351       a  certificate  chain  configured for the requested name.  Such servers
8352       should select a default certificate chain and continue  the  handshake,
8353       but  some  may  not.   Therefore,  absent  DANE, no SNI name is sent by
8354       default.
8355
8356       The SNI name must be either a valid DNS hostname, or else  one  of  the
8357       special  values  hostname  or  nexthop,  which select either the remote
8358       hostname or the nexthop domain respectively.  DNS names for SNI must be
8359       in  A-label  (punycode)  form.   Invalid  DNS names log a configuration
8360       error warning and mail delivery is deferred.
8361
8362       Except when using a relayhost to forward all email, the  only  sensible
8363       non-empty  main.cf  setting  for  this  parameter  is  hostname.  Other
8364       non-empty values are only practical on a per-destination basis via  the
8365       servername  attribute  of the Postfix TLS policy table.  When in doubt,
8366       leave this  parameter  empty,  and  configure  per-destination  SNI  as
8367       needed.
8368
8369       This feature is available in Postfix 3.4 and later.
8370

smtp_tls_session_cache_database (default: empty)

8372       Name  of  the file containing the optional Postfix SMTP client TLS ses‐
8373       sion cache. Specify a database type that supports enumeration, such  as
8374       btree or sdbm; there is no need to support concurrent access.  The file
8375       is created if it does not exist. The smtp(8) daemon does not  use  this
8376       parameter  directly,  rather the cache is implemented indirectly in the
8377       tlsmgr(8) daemon. This means that per-smtp-instance master.cf overrides
8378       of this parameter are not effective. Note that each of the cache
8379       databases supported by the tlsmgr(8) daemon ($smtpd_tls_session_cache_database,
8380       $smtp_tls_session_cache_database and, with Postfix 2.3 and later,
8381       $lmtp_tls_session_cache_database) needs to be stored separately. It is
8382       not at this time possible to store multiple caches in a single
8383       database.
8384
8385       Note: dbm databases are not  suitable.  TLS  session  objects  are  too
8386       large.
8387
8388       As  of version 2.5, Postfix no longer uses root privileges when opening
8389       this file. The file  should  now  be  stored  under  the  Postfix-owned
8390       data_directory. As a migration aid, an attempt to open the file under a
8391       non-Postfix directory is redirected to  the  Postfix-owned  data_direc‐
8392       tory, and a warning is logged.
8393
8394       Example:
8395
8396       smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
8397
8398       This feature is available in Postfix 2.2 and later.
8399

smtp_tls_session_cache_timeout (default: 3600s)

8401       The expiration time of Postfix SMTP client TLS session cache data.  A
8402       cache cleanup is performed periodically every
8403       $smtp_tls_session_cache_timeout seconds.  As with
8404       $smtp_tls_session_cache_database, this parameter is implemented in the
8405       tlsmgr(8) daemon; per-smtp-instance master.cf overrides are not possible.
8406
8407       As  of  Postfix 2.11 this setting cannot exceed 100 days.  If set <= 0,
8408       session caching is disabled.  If set to a positive value  less  than  2
8409       minutes, the minimum value of 2 minutes is used instead.
8410
8411       This feature is available in Postfix 2.2 and later.
8412

smtp_tls_trust_anchor_file (default: empty)

8414       Zero  or  more  PEM-format  files with trust-anchor certificates and/or
8415       public keys.  If the parameter is not empty, the root CAs in CAfile and
8416       CApath ($smtp_tls_CAfile, $smtp_tls_CApath) are no longer trusted;
8417       the Postfix SMTP client will only trust certificate chains signed by
8418       one of the trust anchors contained in the chosen files.  The
8419       trust-anchor certificates and public keys are not subject to
8420       expiration, and need not be (self-signed) root CAs.  They may, if
8421       desired, be intermediate certificates: such a certificate may then be
8422       found "in the middle" of the trust chain presented by the remote SMTP
8423       server, and any untrusted issuing parent certificates are ignored.
8424       Specify a list of pathnames separated by comma or whitespace.
8425
8426       Whether  specified  in  main.cf,  or  on  a  per-destination basis, the
8427       trust-anchor PEM file must be accessible to the Postfix SMTP client  in
8428       the  chroot  jail  if applicable.  The trust-anchor file should contain
8429       only certificates and public keys, no private key material, and must be
8430       readable  by the non-privileged $mail_owner user.  This allows destina‐
8431       tions to be bound to a set of  specific  CAs  or  public  keys  without
8432       trusting the same CAs for all destinations.
8433
8434       The  main.cf  parameter  supports  single-purpose Postfix installations
8435       that send mail to a fixed  set  of  SMTP  peers.   At  most  sites,  if
8436       trust-anchor  files  are  used  at  all,  they  will  be specified on a
8437       per-destination basis via the "tafile" attribute of  the  "verify"  and
8438       "secure" levels in smtp_tls_policy_maps.
8439
8440       The  underlying  mechanism is in support of RFC 7672 (DANE TLSA), which
8441       defines mechanisms for an SMTP client MTA to securely determine  server
8442       TLS certificates via DNS.
8443
8444       If  you want your trust anchors to be public keys, with OpenSSL you can
8445       extract a single PEM public key from a PEM X.509 file containing a sin‐
8446       gle certificate, as follows:
8447
8448           $ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
8449
8450       This feature is available in Postfix 2.11 and later.
8451

smtp_tls_verify_cert_match (default: hostname)

8453       How  the  Postfix  SMTP client verifies the server certificate peername
8454       for the "verify" TLS security level. In a  "verify"  TLS  policy  table
8455       ($smtp_tls_policy_maps)  entry the optional "match" attribute overrides
8456       this main.cf setting.
8457
8458       This parameter specifies one or more patterns or  strategies  separated
8459       by  commas,  whitespace  or colons.  In the policy table the only valid
8460       separator is the colon character.
8461
8462       Patterns specify domain names, or domain name suffixes:
8463
8464       example.com
8465              Match the example.com domain, i.e. one of the names in the server
8466              certificate must be example.com. Upper and lower case distinctions
8467              are ignored.
8468
8469       .example.com
8470              Match subdomains of the example.com domain, i.e. match a name in
8471              the  server  certificate  that  consists of a non-zero number of
8472              labels followed by a .example.com suffix. Case distinctions  are
8473              ignored.
8474
8475       Strategies  specify  a  transformation  from the next-hop domain to the
8476       expected name in the server certificate:
8477
8478       nexthop
8479              Match against the next-hop domain, which is either the recipient
8480              domain,  or  the  transport  next-hop  configured for the domain
8481              stripped of any optional socket type  prefix,  enclosing  square
8482              brackets  and trailing port. When MX lookups are not suppressed,
8483              this is the original nexthop domain prior to the MX lookup,  not
8484              the  result  of the MX lookup. For LMTP delivery via UNIX-domain
8485              sockets, the verified next-hop name is $myhostname.  This strat‐
8486              egy  is  suitable  for  use  with  the  "secure" policy. Case is
8487              ignored.
8488
8489       dot-nexthop
8490              As above, but match server certificate names that are subdomains
8491              of the next-hop domain. Case is ignored.
8492
8493       hostname
8494              Match  against the hostname of the server, often obtained via an
8495              unauthenticated DNS MX lookup. For LMTP delivery via UNIX-domain
8496              sockets, the verified name is $myhostname. This matches the ver‐
8497              ification  strategy  of  the  "MUST"  keyword  in  the  obsolete
8498              smtp_tls_per_site  table, and is suitable for use with the "ver‐
8499              ify" security level. When  the  next-hop  name  is  enclosed  in
8500              square  brackets to suppress MX lookups, the "hostname" strategy
8501              is the same as the "nexthop" strategy. Case is ignored.
8502
8503       Sample main.cf setting:
8504
8505       smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
8506
8507       Sample policy table override:
8508
8509       example.com     verify  match=hostname:nexthop
8510       .example.com    verify  match=example.com:.example.com:hostname
8511
8512       This feature is available in Postfix 2.3 and later.
8513
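The patterns and strategies described under smtp_tls_verify_cert_match above, the next-hop normalization, the separator rules (commas, whitespace or colons in main.cf; colons only in the policy table) and the policy-table "match" override that smtp_tls_secure_cert_match also relies on, as an added worked example in Python. This is not Postfix code and is not from this manual: the policy table, the main.cf values and the certificate names are constructed, the order in which parent domains are tried in the policy lookup is an assumption, and wildcard certificate names and the LMTP-over-UNIX-socket case are left out. The last call shows why this manual warns against "hostname" at the "secure" level: whatever name an unauthenticated MX lookup returned is exactly what "hostname" accepts.

```python
import re

# Constructed sample TLS policy table, in the smtp_tls_policy_maps text format
# quoted in this manual (hypothetical destinations, not a real deployment).
POLICY_TABLE_TEXT = """
# destination      level   attributes
example.net        secure  match=example.com:.example.com
.example.net       secure  match=example.com:.example.com
partner.example    verify  match=hostname:nexthop
"""

# Assumed main.cf values for the two levels that verify the peer name.
MAIN_CF = {
    "smtp_tls_verify_cert_match": "hostname",
    "smtp_tls_secure_cert_match": "nexthop, dot-nexthop",
}


def parse_match_list(value, policy_table=False):
    """main.cf accepts commas, whitespace or colons; a policy attribute only colons."""
    parts = value.split(":") if policy_table else re.split(r"[\s,:]+", value)
    return [p for p in parts if p]


def parse_policy_table(text):
    """Return {destination: (level, {attribute: value})}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dest, level, *attrs = line.split()
        table[dest.lower()] = (level, dict(a.split("=", 1) for a in attrs))
    return table


def nexthop_domain(nexthop):
    """Strip the socket-type prefix, enclosing [ ] and a trailing :port."""
    s = nexthop.strip()
    for prefix in ("inet:", "unix:"):
        if s.lower().startswith(prefix):
            s = s[len(prefix):]
    if s.startswith("["):
        s = s[1:s.index("]")] if "]" in s else s[1:]
    else:
        host, sep, port = s.rpartition(":")
        if sep and port.isdigit():
            s = host
    return s.lower()


def lookup_policy(table, nexthop):
    """Exact destination first, then parent domains with a leading dot (assumed order)."""
    dest = nexthop_domain(nexthop)
    if dest in table:
        return table[dest]
    labels = dest.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def name_matches(cert_name, item, nexthop, hostname):
    """One certificate name against one pattern or strategy, case-insensitively."""
    name, want = cert_name.lower(), nexthop_domain(nexthop)
    if item == "nexthop":
        return name == want
    if item == "dot-nexthop":                # any subdomain of the next-hop domain
        return name.endswith("." + want)
    if item == "hostname":                   # whatever DNS (MX, A) said the server is
        return name == hostname.lower()
    if item.startswith("."):                 # suffix pattern: at least one extra label
        return name.endswith(item.lower()) and name != item.lower()
    return name == item.lower()              # exact domain pattern


def effective_match_list(level, nexthop, table=None, main_cf=MAIN_CF):
    """A policy-table "match" attribute overrides the main.cf list for its level."""
    policy = lookup_policy(table or {}, nexthop)
    if policy:
        level = policy[0]
        if "match" in policy[1]:
            return level, parse_match_list(policy[1]["match"], policy_table=True)
    if level not in ("verify", "secure"):    # other levels do not verify the peer name
        return level, []
    return level, parse_match_list(main_cf[f"smtp_tls_{level}_cert_match"])


def peername_verified(level, nexthop, hostname, cert_names, table=None):
    """True when any certificate name satisfies any entry of the effective list."""
    level, items = effective_match_list(level, nexthop, table)
    return any(name_matches(n, item, nexthop, hostname)
               for n in cert_names for item in items)


if __name__ == "__main__":
    table = parse_policy_table(POLICY_TABLE_TEXT)
    # "secure" with the table override: a forged MX answer pointing the client at
    # mx.attacker.example is useless, only the configured names count.
    print(peername_verified("secure", "mail.example.net", "mx.attacker.example",
                            ["mx.attacker.example"], table))     # False
    print(peername_verified("secure", "mail.example.net", "mx.attacker.example",
                            ["mx1.example.com"], table))         # True
    # "verify" with the main.cf default "hostname": the forged MX answer wins.
    print(peername_verified("verify", "victim.example", "mx.attacker.example",
                            ["mx.attacker.example"], table))     # True
```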

smtp_tls_wrappermode (default: no)

8515       Request that the Postfix SMTP client connects using  the  legacy  SMTPS
8516       protocol instead of using the STARTTLS command.
8517
8518       This mode requires "smtp_tls_security_level = encrypt" or stronger.
8519
8520       Example: deliver all remote mail via a provider's server
8521       "mail.example.com".
8522
8523       /etc/postfix/main.cf:
8524           # Client-side SMTPS requires "encrypt" or stronger.
8525           smtp_tls_security_level = encrypt
8526           smtp_tls_wrappermode = yes
8527           # The [] suppress MX lookups.
8528           relayhost = [mail.example.com]:465
8529
8530       More examples are in TLS_README, including examples for  older  Postfix
8531       versions.
8532
8533       This feature is available in Postfix 3.0 and later.
8534

smtp_use_tls (default: no)

8536       Opportunistic  mode: use TLS when a remote SMTP server announces START‐
8537       TLS support, otherwise send the mail in the clear.  Beware:  some  SMTP
8538       servers  offer  STARTTLS  even if it is not configured.  With Postfix <
8539       2.3, if the TLS handshake fails, and  no  other  server  is  available,
8540       delivery  is deferred and mail stays in the queue. If this is a concern
8541       for you, use the smtp_tls_per_site feature instead.
8542
8543       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
8544       and later use smtp_tls_security_level instead.
8545

smtp_xforward_timeout (default: 300s)

8547       The  Postfix  SMTP  client time limit for sending the XFORWARD command,
8548       and for receiving the remote SMTP server response.
8549
8550       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
8551       The default time unit is s (seconds).
8552
8553       This feature is available in Postfix 2.1 and later.
8554

smtpd_authorized_verp_clients (default: $authorized_verp_clients)

8556       What  remote  SMTP  clients  are  allowed to specify the XVERP command.
8557       This command requests that mail be delivered one recipient  at  a  time
8558       with a per recipient return address.
8559
8560       By default, no clients are allowed to specify XVERP.
8561
8562       This  parameter was renamed with Postfix version 2.1. The default value
8563       is backwards compatible with Postfix version 2.0.
8564
8565       Specify a list of network/netmask patterns, separated by commas  and/or
8566       whitespace.  The  mask specifies the number of bits in the network part
8567       of a host address. You can also specify hostnames or .domain names (the
8568       initial   dot   causes   the  domain  to  match  any  name  below  it),
8569       "/file/name" or  "type:table"  patterns.   A  "/file/name"  pattern  is
8570       replaced by its contents; a "type:table" lookup table is matched when a
8571       table entry matches a lookup string (the  lookup  result  is  ignored).
8572       Continue  long lines by starting the next line with whitespace. Specify
8573       "!pattern" to exclude an address or network block from  the  list.  The
8574       form "!/file/name" is supported only in Postfix version 2.4 and later.
8575
8576       Note:  IP  version 6 address information must be specified inside [] in
8577       the smtpd_authorized_verp_clients value, and in  files  specified  with
8578       "/file/name".   IP  version  6 addresses contain the ":" character, and
8579       would otherwise be confused with a "type:table" pattern.
8580

smtpd_authorized_xclient_hosts (default: empty)

8582       What remote SMTP clients are allowed to use the XCLIENT feature.   This
8583       command  overrides  remote  SMTP  client  information  that is used for
8584       access control. Typical use is for SMTP-based content  filters,  fetch‐
8585       mail-like  programs,  or  SMTP  server  access  rule  testing.  See the
8586       XCLIENT_README document for details.
8587
8588       This feature is available in Postfix 2.1 and later.
8589
8590       By default, no clients are allowed to specify XCLIENT.
8591
8592       Specify a list of network/netmask patterns, separated by commas  and/or
8593       whitespace.  The  mask specifies the number of bits in the network part
8594       of a host address. You can also specify hostnames or .domain names (the
8595       initial   dot   causes   the  domain  to  match  any  name  below  it),
8596       "/file/name" or  "type:table"  patterns.   A  "/file/name"  pattern  is
8597       replaced by its contents; a "type:table" lookup table is matched when a
8598       table entry matches a lookup string (the  lookup  result  is  ignored).
8599       Continue  long lines by starting the next line with whitespace. Specify
8600       "!pattern" to exclude an address or network block from  the  list.  The
8601       form "!/file/name" is supported only in Postfix version 2.4 and later.
8602
8603       Note:  IP  version 6 address information must be specified inside [] in
8604       the smtpd_authorized_xclient_hosts value, and in files  specified  with
8605       "/file/name".   IP  version  6 addresses contain the ":" character, and
8606       would otherwise be confused with a "type:table" pattern.
8607

smtpd_authorized_xforward_hosts (default: empty)

8609       What remote SMTP clients are allowed to use the XFORWARD feature.  This
8610       command  forwards  information  that  is  used to improve logging after
8611       SMTP-based  content  filters.  See  the  XFORWARD_README  document  for
8612       details.
8613
8614       This feature is available in Postfix 2.1 and later.
8615
8616       By default, no clients are allowed to specify XFORWARD.
8617
8618       Specify  a list of network/netmask patterns, separated by commas and/or
8619       whitespace. The mask specifies the number of bits in the  network  part
8620       of a host address. You can also specify hostnames or .domain names (the
8621       initial  dot  causes  the  domain  to  match  any   name   below   it),
8622       "/file/name"  or  "type:table"  patterns.   A  "/file/name"  pattern is
8623       replaced by its contents; a "type:table" lookup table is matched when a
8624       table  entry  matches  a  lookup string (the lookup result is ignored).
8625       Continue long lines by starting the next line with whitespace.  Specify
8626       "!pattern"  to  exclude  an address or network block from the list. The
8627       form "!/file/name" is supported only in Postfix version 2.4 and later.
8628
8629       Note: IP version 6 address information must be specified inside  []  in
8630       the  smtpd_authorized_xforward_hosts value, and in files specified with
8631       "/file/name".  IP version 6 addresses contain the  ":"  character,  and
8632       would otherwise be confused with a "type:table" pattern.
8633

smtpd_banner (default: $myhostname ESMTP $mail_name)

8635       The  text that follows the 220 status code in the SMTP greeting banner.
8636       Some people like to see the mail version advertised. By default,  Post‐
8637       fix shows no version.
8638
8639       You MUST specify $myhostname at the start of the text. This is required
8640       by the SMTP protocol.
8641
8642       Example:
8643
8644       smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
8645

smtpd_client_auth_rate_limit (default: 0)

8647       The maximal number of AUTH commands that any client is allowed to  send
8648       to  this  service  per  time unit, regardless of whether or not Postfix
8649       actually accepts those commands.  The time unit is specified  with  the
8650       anvil_rate_time_unit configuration parameter.
8651
8652       By default, there is no limit on the number of AUTH commands that a
8653       client may send.
8654
8655       To disable this feature, specify a limit of 0.
8656
8657       WARNING: The purpose of this feature is to limit abuse. It must not  be
8658       used to regulate legitimate mail traffic.
8659
8660       This feature is available in Postfix 3.1 and later.
8661

smtpd_client_connection_count_limit (default: 50)

8663       How many simultaneous connections any client is allowed to make to this
8664       service.  By default, the limit is set  to  half  the  default  process
8665       limit value.
8666
8667       To disable this feature, specify a limit of 0.
8668
8669       WARNING:  The purpose of this feature is to limit abuse. It must not be
8670       used to regulate legitimate mail traffic.
8671
8672       This feature is available in Postfix 2.2 and later.
8673

smtpd_client_connection_rate_limit (default: 0)

8675       The maximal number of connection attempts any client is allowed to make
8676       to  this  service  per  time unit.  The time unit is specified with the
8677       anvil_rate_time_unit configuration parameter.
8678
8679       By default, a client can make as many  connections  per  time  unit  as
8680       Postfix can accept.
8681
8682       To disable this feature, specify a limit of 0.
8683
8684       WARNING:  The purpose of this feature is to limit abuse. It must not be
8685       used to regulate legitimate mail traffic.
8686
8687       This feature is available in Postfix 2.2 and later.
8688
8689       Example:
8690
8691       smtpd_client_connection_rate_limit = 1000
8692

smtpd_client_event_limit_exceptions (default: $mynetworks)

8694       Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
8695       tions. See the mynetworks parameter description for the parameter value
8696       syntax.
8697
8698       By default, clients in trusted networks are excluded. Specify a list of
8699       network  blocks, hostnames or .domain names (the initial dot causes the
8700       domain to match any name below it).
8701
8702       Note: IP version 6 address information must be specified inside  []  in
8703       the  smtpd_client_event_limit_exceptions  value, and in files specified
8704       with "/file/name".  IP version 6 addresses contain the  ":"  character,
8705       and would otherwise be confused with a "type:table" pattern.
8706
8707       Pattern matching of domain names is controlled by the presence or
8708       absence of "smtpd_client_event_limit_exceptions" in the
8709       parent_domain_matches_subdomains parameter value (Postfix 3.0 and later).
8710
8711       This feature is available in Postfix 2.2 and later.
8712

smtpd_client_message_rate_limit (default: 0)

8714       The  maximal  number  of  message  delivery requests that any client is
8715       allowed to make to this service per time unit, regardless of whether or
8716       not  Postfix  actually accepts those messages.  The time unit is speci‐
8717       fied with the anvil_rate_time_unit configuration parameter.
8718
8719       By default, a client can send as many  message  delivery  requests  per
8720       time unit as Postfix can accept.
8721
8722       To disable this feature, specify a limit of 0.
8723
8724       WARNING:  The purpose of this feature is to limit abuse. It must not be
8725       used to regulate legitimate mail traffic.
8726
8727       This feature is available in Postfix 2.2 and later.
8728
8729       Example:
8730
8731       smtpd_client_message_rate_limit = 1000
8732

smtpd_client_new_tls_session_rate_limit (default: 0)

8734       The maximal number of new (i.e., uncached) TLS sessions that  a  remote
8735       SMTP  client  is  allowed to negotiate with this service per time unit.
8736       The time unit is specified with the anvil_rate_time_unit  configuration
8737       parameter.
8738
8739       By default, a remote SMTP client can negotiate as many new TLS sessions
8740       per time unit as Postfix can accept.
8741
8742       To disable this feature, specify a limit of  0.  Otherwise,  specify  a
8743       limit that is at least the per-client concurrent session limit, or else
8744       legitimate client sessions may be rejected.
8745
8746       WARNING: The purpose of this feature is to limit abuse. It must not  be
8747       used to regulate legitimate mail traffic.
8748
8749       This feature is available in Postfix 2.3 and later.
8750
8751       Example:
8752
8753       smtpd_client_new_tls_session_rate_limit = 100
8754

smtpd_client_port_logging (default: no)

8756       Enable  logging of the remote SMTP client port in addition to the host‐
8757       name and IP address. The logging format is "host[address]:port".
8758
8759       This feature is available in Postfix 2.5 and later.
8760

smtpd_client_recipient_rate_limit (default: 0)

8762       The maximal number of recipient addresses that any client is allowed to
8763       send  to this service per time unit, regardless of whether or not Post‐
8764       fix actually accepts those recipients.  The time unit is specified with
8765       the anvil_rate_time_unit configuration parameter.
8766
8767       By default, a client can send as many recipient addresses per time unit
8768       as Postfix can accept.
8769
8770       To disable this feature, specify a limit of 0.
8771
8772       WARNING: The purpose of this feature is to limit abuse. It must not  be
8773       used to regulate legitimate mail traffic.
8774
8775       This feature is available in Postfix 2.2 and later.
8776
8777       Example:
8778
8779       smtpd_client_recipient_rate_limit = 1000
8780
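A model of the per-client counting behind the smtpd_client_*_limit parameters above, as an added example in Python; it is not Postfix or anvil(8) code and is not from this manual. It keeps one fixed window of anvil_rate_time_unit seconds per client and event type, a running count of open connections, and honours smtpd_client_event_limit_exceptions in the CIDR form that mynetworks accepts. The window reset rule, the limit values and the client addresses are assumptions chosen for illustration; a limit of 0 disables that check, as each parameter specifies, and AUTH commands are counted whether or not they succeed. The sample run shows what smtpd_client_auth_rate_limit does to a password-guessing client and why exempting a network is a decision, not a default.

```python
import ipaddress

# Assumed main.cf values (constructed for the example).
CONFIG = {
    "anvil_rate_time_unit": 60,                      # seconds
    "smtpd_client_connection_count_limit": 50,
    "smtpd_client_connection_rate_limit": 30,
    "smtpd_client_auth_rate_limit": 5,
    "smtpd_client_message_rate_limit": 0,            # 0 = no limit
    "smtpd_client_event_limit_exceptions": "127.0.0.0/8 [::1]/128 192.0.2.0/24",
}


def parse_exceptions(value):
    """mynetworks-style list: CIDR blocks, IPv6 inside [] (hostnames omitted here)."""
    nets = []
    for item in value.split():
        if item.startswith("["):
            addr, _, prefix = item.partition("]")
            item = addr[1:] + prefix          # "[::1]/128" -> "::1/128"
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


class ClientLimits:
    """Fixed-window per-client counters in the spirit of anvil(8)."""

    def __init__(self, config=CONFIG):
        self.cfg = config
        self.exempt = parse_exceptions(config["smtpd_client_event_limit_exceptions"])
        self.windows = {}       # (client, event) -> (window_start, count)
        self.connections = {}   # client -> open connection count

    def is_exempt(self, client):
        ip = ipaddress.ip_address(client)
        return any(ip in net for net in self.exempt)

    def _rate_ok(self, client, event, limit, now):
        """Count the event; say whether the client stays within limit per time unit."""
        if limit <= 0 or self.is_exempt(client):
            return True
        unit = self.cfg["anvil_rate_time_unit"]
        start, count = self.windows.get((client, event), (now, 0))
        if now - start >= unit:               # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self.windows[(client, event)] = (start, count)
        return count <= limit

    def connect(self, client, now):
        """False when the connection must be refused (rate first, then count)."""
        if not self._rate_ok(client, "connect",
                             self.cfg["smtpd_client_connection_rate_limit"], now):
            return False
        limit = self.cfg["smtpd_client_connection_count_limit"]
        if (limit > 0 and not self.is_exempt(client)
                and self.connections.get(client, 0) >= limit):
            return False
        self.connections[client] = self.connections.get(client, 0) + 1
        return True

    def disconnect(self, client):
        self.connections[client] = max(0, self.connections.get(client, 0) - 1)

    def auth(self, client, now):
        """Counted regardless of whether the AUTH command is accepted."""
        return self._rate_ok(client, "auth", self.cfg["smtpd_client_auth_rate_limit"], now)

    def message(self, client, now):
        return self._rate_ok(client, "message",
                             self.cfg["smtpd_client_message_rate_limit"], now)


def auth_attempts_admitted(limits, client, attempts, now=0):
    """How many of `attempts` AUTH commands, one per second, get through."""
    return sum(1 for i in range(attempts) if limits.auth(client, now + i))


if __name__ == "__main__":
    limits = ClientLimits()
    print(auth_attempts_admitted(limits, "203.0.113.9", 20))   # 5, the rest are over limit
    print(auth_attempts_admitted(limits, "192.0.2.7", 20))     # 20, exempt network
    print(limits.auth("203.0.113.9", now=61))                   # True, new window
```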

smtpd_client_restrictions (default: empty)

8782       Optional  restrictions that the Postfix SMTP server applies in the con‐
8783       text of a client connection request.  See SMTPD_ACCESS_README,  section
8784       "Delayed  evaluation of SMTP access restriction lists" for a discussion
8785       of evaluation context and time.
8786
8787       The default is to allow all connection requests.
8788
8789       Specify a list of restrictions, separated by commas and/or  whitespace.
8790       Continue  long  lines  by  starting  the  next  line  with  whitespace.
8791       Restrictions are applied in the order as specified; the first  restric‐
8792       tion that matches wins.
8793
8794       The  following  restrictions  are specific to client hostname or client
8795       network address information.
8796
8797       check_ccert_access type:table
8798              By default use the remote SMTP client certificate fingerprint or
8799              the public key fingerprint (Postfix 2.9 and later) as lookup key
8800              for the specified access(5) database; with Postfix version  2.2,
8801              also require that the remote SMTP client certificate is verified
8802              successfully.  The fingerprint digest algorithm is  configurable
8803              via  the  smtpd_tls_fingerprint_digest  parameter (hard-coded as
8804              md5 prior  to  Postfix  version  2.5).   This  feature  requires
8805              "smtpd_tls_ask_ccert  =  yes" and is available with Postfix ver‐
8806              sion 2.2 and later.
8807              Alternatively, check_ccert_access  accepts  an  explicit  search
8808              order  (Postfix  3.5  and  later).  The  default search order as
8809              described above corresponds with:
8810              check_ccert_access { type:table, { search_order = cert_fingerprint,
8811              pubkey_fingerprint } }
8812              The commas are optional.
8813
8814       check_client_access type:table
8815              Search  the  specified  access database for the client hostname,
8816              parent domains, client  IP  address,  or  networks  obtained  by
8817              stripping  least  significant  octets.  See the access(5) manual
8818              page for details.
8819
8820       check_client_a_access type:table
8821              Search the specified access(5) database for the IP addresses for
8822              the  client  hostname,  and  execute  the  corresponding action.
8823              Note: a result of  "OK"  is  not  allowed  for  safety  reasons.
8824              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
8825              blacklists.  This feature is available in Postfix 3.0 and later.
8826
8827       check_client_mx_access type:table
8828              Search the specified access(5) database for the MX hosts for the
8829              client  hostname, and execute the corresponding action.  Note: a
8830              result of "OK" is not allowed for safety reasons.  Instead,  use
8831              DUNNO  in order to exclude specific hosts from blacklists.  This
8832              feature is available in Postfix 2.7 and later.
8833
8834       check_client_ns_access type:table
8835              Search the specified access(5) database for the DNS servers  for
8836              the  client  hostname,  and  execute  the  corresponding action.
8837              Note: a result of  "OK"  is  not  allowed  for  safety  reasons.
8838              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
8839              blacklists.  This feature is available in Postfix 2.7 and later.
8840
8841       check_reverse_client_hostname_access type:table
8842              Search the specified access database for the unverified  reverse
8843              client  hostname, parent domains, client IP address, or networks
8844              obtained  by  stripping  least  significant  octets.   See   the
8845              access(5)  manual  page  for details.  Note: a result of "OK" is
8846              not allowed for safety reasons.  Instead, use DUNNO in order  to
8847              exclude  specific hosts from blacklists.  This feature is avail‐
8848              able in Postfix 2.6 and later.
8849
8850       check_reverse_client_hostname_a_access type:table
8851              Search the specified access(5) database for the IP addresses for
8852              the  unverified  reverse client hostname, and execute the corre‐
8853              sponding action.  Note: a result of  "OK"  is  not  allowed  for
8854              safety reasons.  Instead, use DUNNO in order to exclude specific
8855              hosts from blacklists.  This feature is available in Postfix 3.0
8856              and later.
8857
8858       check_reverse_client_hostname_mx_access type:table
8859              Search the specified access(5) database for the MX hosts for the
8860              unverified reverse client hostname, and execute the  correspond‐
8861              ing  action.   Note:  a result of "OK" is not allowed for safety
8862              reasons.  Instead, use DUNNO in order to exclude specific  hosts
8863              from  blacklists.   This feature is available in Postfix 2.7 and
8864              later.
8865
8866       check_reverse_client_hostname_ns_access type:table
8867              Search the specified access(5) database for the DNS servers  for
8868              the  unverified  reverse client hostname, and execute the corre‐
8869              sponding action.  Note: a result of  "OK"  is  not  allowed  for
8870              safety reasons.  Instead, use DUNNO in order to exclude specific
8871              hosts from blacklists.  This feature is available in Postfix 2.7
8872              and later.
8873
8874       check_sasl_access type:table
8875              Use  the remote SMTP client SASL user name as lookup key for the
8876              specified access(5) database. The lookup key has the form "user‐
8877              name@domainname"   when  the  smtpd_sasl_local_domain  parameter
8878              value is non-empty.   Unlike  the  check_client_access  feature,
8879              check_sasl_access  does not perform matches of parent domains or
8880              IP subnet ranges.  This feature is available with  Postfix  ver‐
8881              sion 2.11 and later.
8882
8883       permit_inet_interfaces
8884              Permit   the   request   when  the  client  IP  address  matches
8885              $inet_interfaces.
8886
8887       permit_mynetworks
8888              Permit the request when the client IP address matches  any  net‐
8889              work or network address listed in  $mynetworks.
8890
8891       permit_sasl_authenticated
8892              Permit the request when the client is successfully authenticated
8893              via the RFC 4954 (AUTH) protocol.
8894
8895       permit_tls_all_clientcerts
8896              Permit the request when the remote SMTP  client  certificate  is
8897              verified  successfully.  This option must be used only if a spe‐
8898              cial CA issues the certificates and only this CA  is  listed  as
8899              trusted  CA.  Otherwise,  clients with a third-party certificate
8900              would also be allowed to relay.  Specify  "tls_append_default_CA
8901              =  no" when the trusted CA is specified with smtpd_tls_CAfile or
8902              smtpd_tls_CApath, to prevent Postfix  from  appending  the  sys‐
8903              tem-supplied     default    CAs.     This    feature    requires
8904              "smtpd_tls_ask_ccert = yes" and is available with  Postfix  ver‐
8905              sion 2.2 and later.
8906
8907       permit_tls_clientcerts
8908              Permit  the request when the remote SMTP client certificate fin‐
8909              gerprint or public key fingerprint (Postfix 2.9  and  later)  is
8910              listed  in $relay_clientcerts.  The fingerprint digest algorithm
8911              is configurable via the  smtpd_tls_fingerprint_digest  parameter
8912              (hard-coded  as md5 prior to Postfix version 2.5).  This feature
8913              requires "smtpd_tls_ask_ccert = yes" and is available with Post‐
8914              fix version 2.2 and later.
8915
8916       reject_rbl_client rbl_domain=d.d.d.d
8917              Reject  the  request when the reversed client network address is
8918              listed with the A record  "d.d.d.d"  under  rbl_domain  (Postfix
8919              version 2.1 and later only).  Each "d" is a number, or a pattern
8920              inside "[]" that contains one or more ";"-separated  numbers  or
8921              number..number  ranges  (Postfix  version 2.8 and later).  If no
8922              "=d.d.d.d" is specified, reject the request  when  the  reversed
8923              client  network  address  is  listed  with  any  A  record under
8924              rbl_domain.
8925              The maps_rbl_reject_code parameter specifies the  response  code
8926              for  rejected  requests  (default:   554), the default_rbl_reply
8927              parameter  specifies  the  default   server   reply,   and   the
8928              rbl_reply_maps   parameter  specifies tables with server replies
8929              indexed by rbl_domain.  This feature is available in Postfix 2.0
8930              and later.
8931
8932       permit_dnswl_client dnswl_domain=d.d.d.d
8933              Accept  the  request when the reversed client network address is
8934              listed with the A record "d.d.d.d" under dnswl_domain.  Each "d"
8935              is  a number, or a pattern inside "[]" that contains one or more
8936              ";"-separated  numbers  or   number..number   ranges.    If   no
8937              "=d.d.d.d"  is  specified,  accept the request when the reversed
8938              client network  address  is  listed  with  any  A  record  under
8939              dnswl_domain.
8940              For  safety,  permit_dnswl_client  is  silently  ignored when it
8941              would  override  reject_unauth_destination.    The   result   is
8942              DEFER_IF_REJECT  when  whitelist  lookup fails.  This feature is
8943              available in Postfix 2.8 and later.
8944
8945       reject_rhsbl_client rbl_domain=d.d.d.d
8946              Reject the request when the client hostname is listed with the A
8947              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
8948              only).  Each "d" is a number, or a pattern inside "[]" that con‐
8949              tains one or more ";"-separated numbers or number..number ranges
8950              (Postfix version 2.8 and later).  If no "=d.d.d.d" is specified,
8951              reject the request when the client hostname is listed with any A
8952              record under rbl_domain. See the  reject_rbl_client  description
8953              above for additional RBL related configuration parameters.  This
8954              feature is available in Postfix 2.0 and later; with Postfix ver‐
8955              sion  2.8  and  later,  reject_rhsbl_reverse_client will usually
8956              produce better results.
8957
8958       permit_rhswl_client rhswl_domain=d.d.d.d
8959              Accept the request when the client hostname is listed with the A
8960              record "d.d.d.d" under rhswl_domain.  Each "d" is a number, or a
8961              pattern inside "[]" that contains one or more ";"-separated num‐
8962              bers  or  number..number  ranges. If no "=d.d.d.d" is specified,
8963              accept the request when the client hostname is listed with any A
8964              record under rhswl_domain.
8965              Caution:  client  name whitelisting is fragile, since the client
8966              name lookup can fail due  to  temporary  outages.   Client  name
8967              whitelisting  should  be  used only to reduce false positives in
8968              e.g.  DNS-based blocklists,  and  not  for  making  access  rule
8969              exceptions.
8970              For  safety,  permit_rhswl_client  is  silently  ignored when it
8971              would  override  reject_unauth_destination.    The   result   is
8972              DEFER_IF_REJECT  when  whitelist  lookup fails.  This feature is
8973              available in Postfix 2.8 and later.
8974
8975       reject_rhsbl_reverse_client rbl_domain=d.d.d.d
8976              Reject the request when the unverified reverse  client  hostname
8977              is  listed  with  the A record "d.d.d.d" under rbl_domain.  Each
8978              "d" is a number, or a pattern inside "[]" that contains  one  or
8979              more  ";"-separated  numbers  or  number..number  ranges.  If no
8980              "=d.d.d.d" is specified, reject the request when the  unverified
8981              reverse  client  hostname  is  listed  with  any  A record under
8982              rbl_domain. See  the  reject_rbl_client  description  above  for
8983              additional  RBL  related configuration parameters.  This feature
8984              is available in Postfix 2.8 and later.
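       The query names and the "d.d.d.d" answer patterns shared by reject_rbl_client,
       permit_dnswl_client, reject_rhsbl_client, permit_rhswl_client and
       reject_rhsbl_reverse_client, worked through in Python. This is an added example,
       not Postfix code: the FAKE_DNS table stands in for the DNS lookups the SMTP server
       performs, and the function names are ours.

```python
"""DNSBL/DNSWL query names and 'd.d.d.d' answer patterns as described in postconf(5)."""
import ipaddress
import re
from typing import List, Optional

# Constructed stand-in for DNS: query name -> list of A records.
# Assumption: this dict replaces the real DNS lookups the Postfix SMTP server performs.
FAKE_DNS = {
    "4.3.2.1.bl.example": ["127.0.0.2", "127.0.0.10"],
    "mail.bad.example.rhsbl.example": ["127.0.0.5"],
    "4.3.2.1.wl.example": ["127.0.10.1"],
}


def rbl_query_name(client_ip: str, rbl_domain: str) -> str:
    """reject_rbl_client / permit_dnswl_client: reversed client IPv4 address under the zone."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain


def rhsbl_query_name(hostname: str, rbl_domain: str) -> str:
    """reject_rhsbl_client / reject_rhsbl_reverse_client / permit_rhswl_client: hostname under the zone."""
    return hostname.rstrip(".") + "." + rbl_domain


def _octet_matches(d: str, value: int) -> bool:
    """One 'd': a plain number, or '[...]' holding ';'-separated numbers or number..number ranges."""
    if not d.startswith("["):
        return value == int(d)
    if not d.endswith("]"):
        raise ValueError("unterminated [] pattern: " + d)
    for item in d[1:-1].split(";"):
        if ".." in item:
            lo, hi = item.split("..", 1)
            if int(lo) <= value <= int(hi):
                return True
        elif value == int(item):
            return True
    return False


# Split 'd.d.d.d' on dots that are not inside [], so 'number..number' ranges survive.
_DOT_OUTSIDE_BRACKETS = re.compile(r"\.(?![^\[]*\])")


def a_record_matches(pattern: str, answer: str) -> bool:
    """True when the A record 'answer' satisfies the 'd.d.d.d' pattern."""
    parts = _DOT_OUTSIDE_BRACKETS.split(pattern)
    if len(parts) != 4:
        raise ValueError("pattern needs four d.d.d.d components: " + pattern)
    values = [int(v) for v in answer.split(".")]
    return all(_octet_matches(d, v) for d, v in zip(parts, values))


def listed(query_name: str, pattern: Optional[str]) -> bool:
    """True if query_name has a matching A record (any A record when no '=d.d.d.d' was given)."""
    answers: List[str] = FAKE_DNS.get(query_name, [])
    if pattern is None:
        return bool(answers)
    return any(a_record_matches(pattern, a) for a in answers)


def reject_rbl_client(client_ip: str, spec: str) -> bool:
    """spec is 'rbl_domain' or 'rbl_domain=d.d.d.d', exactly as written in main.cf."""
    domain, _, pattern = spec.partition("=")
    return listed(rbl_query_name(client_ip, domain), pattern or None)


def reject_rhsbl_client(hostname: str, spec: str) -> bool:
    """Same spec syntax, keyed on the (reverse) client hostname instead of the address."""
    domain, _, pattern = spec.partition("=")
    return listed(rhsbl_query_name(hostname, domain), pattern or None)


if __name__ == "__main__":
    for spec in ("bl.example", "bl.example=127.0.0.2", "bl.example=127.0.0.[3..9]", "bl.example=127.0.0.[3..9;10]"):
        print(spec, "->", reject_rbl_client("1.2.3.4", spec))
```

       The same listed() helper serves the whitelist forms: a permit_dnswl_client
       entry only differs in what the caller does with a True result.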
8985
8986       reject_unknown_client_hostname (with Postfix < 2.3:
8987       reject_unknown_client)
8988              Reject  the  request when 1) the client IP address->name mapping
8989              fails,  or  2)  the  name->address  mapping  fails,  or  3)  the
8990              name->address mapping does not match the client IP address.
8991              This      is     a     stronger     restriction     than     the
8992              reject_unknown_reverse_client_hostname feature,  which  triggers
8993              only under condition 1) above.
8994              The  unknown_client_reject_code parameter specifies the response
8995              code for rejected requests (default: 450). The reply  is  always
8996              450 in case the address->name or name->address lookup failed due
8997              to a temporary problem.
8998
8999       reject_unknown_reverse_client_hostname
9000              Reject  the  request  when  the  client  IP   address   has   no
9001              address->name mapping.
9002              This      is      a      weaker     restriction     than     the
9003              reject_unknown_client_hostname feature, which requires not  only
9004              that  the  address->name  and  name->address mappings exist, but
9005              also that the two mappings reproduce the client IP address.
9006              The unknown_client_reject_code parameter specifies the  response
9007              code  for rejected requests (default: 450).  The reply is always
9008              450 in case the address->name lookup failed due to  a  temporary
9009              problem.
9010              This feature is available in Postfix 2.3 and later.
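       The three conditions behind reject_unknown_client_hostname, and the single
       condition behind reject_unknown_reverse_client_hostname, side by side. This is an
       added example and not Postfix code: the PTR and A dicts are constructed stand-ins
       for the address->name and name->address lookups, a None value simulates a
       temporary lookup failure, and the status names are ours.

```python
"""FCrDNS checks behind reject_unknown_client_hostname and reject_unknown_reverse_client_hostname."""
from typing import Dict, List, Optional


class TempFail(Exception):
    """A DNS lookup failed for a temporary reason (timeout, SERVFAIL)."""


# Constructed DNS data (assumption: stands in for the lookups the Postfix SMTP server does).
# None marks a temporary lookup failure; a missing key means "no such record".
PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "mx.example.net",    # forward-confirmed
    "192.0.2.20": "mx.other.example",  # forward lookup points elsewhere (condition 3)
    "192.0.2.30": "ghost.example",     # name has no A record (condition 2)
    "192.0.2.40": None,                # temporary PTR failure
    "192.0.2.60": "flaky.example",     # PTR fine, forward lookup fails temporarily
    # 192.0.2.50: no PTR record at all (condition 1)
}
A: Dict[str, Optional[List[str]]] = {
    "mx.example.net": ["192.0.2.10"],
    "mx.other.example": ["198.51.100.7"],
    "flaky.example": None,
}


def ptr_lookup(ip: str) -> Optional[str]:
    if ip in PTR and PTR[ip] is None:
        raise TempFail(ip)
    return PTR.get(ip)


def a_lookup(name: str) -> List[str]:
    if name in A and A[name] is None:
        raise TempFail(name)
    return A.get(name, [])


def fcrdns_status(ip: str) -> str:
    """Which condition from the text fails: 'no-ptr' (1), 'no-forward' (2),
    'mismatch' (3), 'tempfail', or 'ok' when the mappings reproduce the client IP."""
    try:
        name = ptr_lookup(ip)
        if name is None:
            return "no-ptr"
        addrs = a_lookup(name)
    except TempFail:
        return "tempfail"
    if not addrs:
        return "no-forward"
    if ip not in addrs:
        return "mismatch"
    return "ok"


def reject_unknown_reverse_client_hostname(ip: str, unknown_client_reject_code: int = 450) -> Optional[int]:
    """Reply code to send, or None (DUNNO) when the restriction does not trigger.
    Only condition 1) counts here; a temporary PTR failure is always 450."""
    try:
        name = ptr_lookup(ip)
    except TempFail:
        return 450
    return None if name else unknown_client_reject_code


def reject_unknown_client_hostname(ip: str, unknown_client_reject_code: int = 450) -> Optional[int]:
    """Triggers on any of conditions 1), 2), 3); temporary failures are always 450
    regardless of the configured unknown_client_reject_code."""
    status = fcrdns_status(ip)
    if status == "ok":
        return None
    if status == "tempfail":
        return 450
    return unknown_client_reject_code


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "192.0.2.50", "192.0.2.60"):
        print(ip, fcrdns_status(ip), reject_unknown_reverse_client_hostname(ip, 550),
              reject_unknown_client_hostname(ip, 550))
```

       The last two clients show why the page calls one restriction "stronger": a host
       whose forward lookup merely points elsewhere passes the reverse-only check and
       fails the full one, and a temporary forward-lookup failure defers only the full
       check.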
9011
9012       In  addition,  you  can  use any of the following generic restrictions.
9013       These restrictions are applicable in any SMTP command context.
9014
9015       check_policy_service servername
9016              Query the specified policy server. See  the  SMTPD_POLICY_README
9017              document  for  details. This feature is available in Postfix 2.1
9018              and later.
9019
9020       defer  Defer the request. The client is told to try again  later.  This
9021              restriction  is useful at the end of a restriction list, to make
9022              the default policy explicit.
9023              The defer_code parameter specifies the SMTP  server  reply  code
9024              (default: 450).
9025
9026       defer_if_permit
9027              Defer  the  request if some later restriction would result in an
9028              explicit or implicit PERMIT  action.   This  is  useful  when  a
9029              blacklisting  feature  fails  due  to a temporary problem.  This
9030              feature is available in Postfix version 2.1 and later.
9031
9032       defer_if_reject
9033              Defer the request if some later restriction would  result  in  a
9034              REJECT action.  This is useful when a whitelisting feature fails
9035              due to a temporary problem.  This feature is available in  Post‐
9036              fix version 2.1 and later.
9037
9038       permit Permit  the  request. This restriction is useful at the end of a
9039              restriction list, to make the default policy explicit.
9040
9041       reject_multi_recipient_bounce
9042              Reject the request when the envelope sender is the null address,
9043              and the message has multiple envelope recipients. This usage has
9044              rare but  legitimate  applications:  under  certain  conditions,
9045              multi-recipient  mail  that  was  posted  with  the  DSN  option
9046              NOTIFY=NEVER may be forwarded with the null sender address.
9047              Note: this restriction can  only  work  reliably  when  used  in
9048              smtpd_data_restrictions    or    smtpd_end_of_data_restrictions,
9049              because the total number of recipients is not known at  an  ear‐
9050              lier stage of the SMTP conversation.  Use at the RCPT stage will
9051              only reject the second etc.  recipient.
9052              The multi_recipient_bounce_reject_code parameter  specifies  the
9053              response  code for rejected requests (default:  550).  This fea‐
9054              ture is available in Postfix 2.1 and later.
9055
9056       reject_plaintext_session
9057              Reject the request when the connection is  not  encrypted.  This
9058              restriction  should  not  be  used  before  the client has had a
9059              chance to negotiate encryption with the AUTH  or  STARTTLS  com‐
9060              mands.
9061              The  plaintext_reject_code parameter specifies the response code
9062              for rejected requests (default:  450).  This feature  is  avail‐
9063              able in Postfix 2.3 and later.
9064
9065       reject_unauth_pipelining
9066              Reject  the request when the client sends SMTP commands ahead of
9067              time where it is not allowed, or when the client sends SMTP com‐
9068              mands  ahead  of time without knowing that Postfix actually sup‐
9069              ports ESMTP command pipelining. This stops mail from  bulk  mail
9070              software  that improperly uses ESMTP command pipelining in order
9071              to speed up deliveries.
9072              With Postfix 2.6 and later, the SMTP server sets  a  per-session
9073              flag whenever it detects illegal pipelining, including pipelined
9074              HELO or EHLO commands. The reject_unauth_pipelining feature sim‐
9075              ply  tests  whether the flag was set at any point in time during
9076              the session.
9077              With older Postfix versions, reject_unauth_pipelining checks the
9078              current  status  of  the  input read queue, and its usage is not
9079              recommended in contexts other than smtpd_data_restrictions.
9080
9081       reject Reject the request. This restriction is useful at the end  of  a
9082              restriction  list,  to  make  the  default policy explicit.  The
9083              reject_code configuration parameter specifies the response  code
9084              for rejected requests (default: 554).
9085
9086       sleep seconds
9087              Pause  for  the specified number of seconds and proceed with the
9088              next restriction in the list, if any. This may stop zombie  mail
9089              when used as:
9090              /etc/postfix/main.cf:
9091                  smtpd_client_restrictions =
9092                      sleep 1, reject_unauth_pipelining
9093                  smtpd_delay_reject = no
9094              This feature is available in Postfix 2.3.
9095
9096       warn_if_reject
9097              A safety net for testing. When "warn_if_reject" is placed before
9098              a reject-type restriction, access  table  query,  or  check_pol‐
9099              icy_service  query, this logs a "reject_warning" message instead
9100              of rejecting a request (when a reject-type restriction fails due
9101              to  a  temporary error, this logs a "reject_warning" message for
9102              any implicit "defer_if_permit" actions that would normally  pre‐
9103              vent mail from being accepted by some later access restriction).
9104              This feature has no effect on defer_if_reject restrictions.
9105
9106       Other restrictions that are valid in this context:
9107
9108       ·      SMTP command specific restrictions that are described under  the
9109              smtpd_helo_restrictions,       smtpd_sender_restrictions      or
9110              smtpd_recipient_restrictions parameters. When  helo,  sender  or
9111              recipient  restrictions  are  listed under smtpd_client_restric‐
9112              tions, they have effect only with "smtpd_delay_reject = yes", so
9113              that  $smtpd_client_restrictions is evaluated at the time of the
9114              RCPT TO command.
9115
9116       Example:
9117
9118       smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
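       The "first restriction that matches wins" rule, together with the generic
       defer_if_permit, defer_if_reject, warn_if_reject, permit and reject restrictions
       described above, as an added Python model. It is not Postfix code: the client
       session dict, MYNETWORKS and the access table are constructed, and the
       check_client_access lookup order (hostname, parent domains, IP, networks with
       trailing octets stripped) follows the description on this page for IPv4 only.

```python
"""First-match-wins evaluation of an smtpd_*_restrictions list."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"
DEFER_IF_PERMIT, DEFER_IF_REJECT = "DEFER_IF_PERMIT", "DEFER_IF_REJECT"

# A client session, constructed for the example (assumption: the key names are ours).
Client = Dict[str, Optional[str]]
Restriction = Callable[[Client], str]

MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def permit_mynetworks(c: Client) -> str:
    ip = ipaddress.ip_address(c["ip"])
    return PERMIT if any(ip in n for n in MYNETWORKS) else DUNNO


def permit_sasl_authenticated(c: Client) -> str:
    return PERMIT if c.get("sasl_user") else DUNNO


def check_client_access(table: Dict[str, str]) -> Restriction:
    """access(5)-style lookup: hostname, parent domains, client IP, then networks
    obtained by stripping least significant octets. 'OK' maps to PERMIT; other
    values (REJECT, DUNNO, DEFER_IF_PERMIT, ...) are used as written."""
    def restriction(c: Client) -> str:
        keys: List[str] = []
        if c.get("hostname"):
            labels = c["hostname"].split(".")
            keys += [".".join(labels[i:]) for i in range(len(labels))]
        octets = c["ip"].split(".")
        keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
        for k in keys:
            if k in table:
                action = table[k].upper()
                return PERMIT if action == "OK" else action
        return DUNNO
    restriction.__name__ = "check_client_access"
    return restriction


def permit(c: Client) -> str: return PERMIT
def reject(c: Client) -> str: return REJECT
def defer(c: Client) -> str: return DEFER
def defer_if_permit(c: Client) -> str: return DEFER_IF_PERMIT
def defer_if_reject(c: Client) -> str: return DEFER_IF_REJECT
def warn_if_reject(c: Client) -> str: return DUNNO  # a modifier; evaluate() handles it


def evaluate(restrictions: List[Restriction], c: Client) -> Tuple[str, List[str]]:
    """Walk the list in order: the first PERMIT/REJECT/DEFER wins, DUNNO falls through,
    and running off the end is an implicit PERMIT. Returns (final action, log lines)."""
    log: List[str] = []
    saw_defer_if_permit = saw_defer_if_reject = False
    warn_next = False
    final = PERMIT
    for r in restrictions:
        if r is warn_if_reject:
            warn_next = True
            continue
        outcome = r(c)
        if warn_next:  # log instead of rejecting; no effect on defer_if_reject
            warn_next = False
            if outcome in (REJECT, DEFER_IF_PERMIT):
                log.append("reject_warning: %s would have returned %s" % (r.__name__, outcome))
                outcome = DUNNO
        if outcome == DUNNO:
            continue
        if outcome == DEFER_IF_PERMIT:
            saw_defer_if_permit = True
            continue
        if outcome == DEFER_IF_REJECT:
            saw_defer_if_reject = True
            continue
        log.append("%s: %s" % (r.__name__, outcome))
        final = outcome
        break
    else:
        log.append("end of list: implicit PERMIT")
    if final == PERMIT and saw_defer_if_permit:
        log.append("earlier defer_if_permit turns PERMIT into DEFER")
        final = DEFER
    elif final == REJECT and saw_defer_if_reject:
        log.append("earlier defer_if_reject turns REJECT into DEFER")
        final = DEFER
    return final, log


if __name__ == "__main__":
    table = {"bad.example": "REJECT", "203.0.113": "DEFER_IF_PERMIT"}
    client = {"ip": "203.0.113.9", "hostname": "spam.bad.example", "sasl_user": None}
    print(evaluate([permit_mynetworks, check_client_access(table), permit], client))
```

       Note how the page's own example, "permit_mynetworks, reject_unknown_client_hostname",
       relies on the implicit PERMIT at the end of the list; appending an explicit
       permit or reject only makes that default visible in the log.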
9119

smtpd_command_filter (default: empty)

9121       A mechanism to transform commands from remote SMTP clients.  This is  a
9122       last-resort  tool  to work around client commands that break interoper‐
9123       ability with the Postfix SMTP server.  Other uses involve fault  injec‐
9124       tion to test Postfix's handling of invalid commands.
9125
9126       Specify  the  name of a "type:table" lookup table. The search string is
9127       the SMTP command as received from the remote SMTP client,  except  that
9128       initial  whitespace  and the trailing <CR><LF> are removed.  The result
9129       value is executed by the Postfix SMTP server.
9130
9131       There is no need to use smtpd_command_filter for the following cases:
9132
9133       ·      Use "resolve_numeric_domain = yes" to accept "user@ipaddress".
9134
9135       ·      Postfix already accepts the correct form "user@[ipaddress]". Use
9136              virtual_alias_maps  or  canonical_maps  to  translate these into
9137              domain names if necessary.
9138
9139       ·      Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User Name
9140              <user@example.com>>".  Postfix  will ignore the "User Name" part
9141              and deliver to the <user@example.com> address.
9142
9143       Examples of problems that can be solved with  the  smtpd_command_filter
9144       feature:
9145
9146       /etc/postfix/main.cf:
9147           smtpd_command_filter = pcre:/etc/postfix/command_filter
9148
9149       /etc/postfix/command_filter:
9150           # Work around clients that send malformed HELO commands.
9151           /^HELO\s*$/ HELO domain.invalid
9152
9153           # Work around clients that send empty lines.
9154           /^\s*$/     NOOP
9155
9156           # Work around clients that send RCPT TO:<'user@domain'>.
9157           # WARNING: do not lose the parameters that follow the address.
9158           /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/     $1$2$3
9159
9160           # Append XVERP to MAIL FROM commands to request VERP-style delivery.
9161           # See VERP_README for more information on how to use Postfix VERP.
9162           /^(MAIL FROM:\s*<listname@example\.com>.*)/   $1 XVERP
9163
9164           # Bounce-never mail sink. Use notify_classes=bounce,resource,software
9165           # to send bounced mail to the postmaster (with message body removed).
9166           /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/     $1 NOTIFY=NEVER$2
9167           /^(RCPT\s+TO:.*)/                             $1 NOTIFY=NEVER
9168
9169       This feature is available in Postfix 2.7.
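       The command_filter table above, applied to constructed command lines the way the
       text describes: initial whitespace and the trailing <CR><LF> are stripped from the
       search key, the first matching rule wins, and its result replaces the whole
       command. This is an added example in Python, not Postfix's pcre table code; the
       rules are the page's own, translated to Python re syntax (assumptions: the POSIX
       class [[:space:]] becomes \s, "$N" in results is rewritten to Python's \g<N>, and
       the case-insensitive default of Postfix pcre tables is emulated with re.IGNORECASE).

```python
"""Apply an smtpd_command_filter pcre table to received SMTP command lines."""
import re
from typing import List, Tuple

# The page's /etc/postfix/command_filter rules in Python re syntax (see the translation
# assumptions in the lead-in).
COMMAND_FILTER: List[Tuple[str, str]] = [
    # Work around clients that send malformed HELO commands.
    (r"^HELO\s*$", "HELO domain.invalid"),
    # Work around clients that send empty lines.
    (r"^\s*$", "NOOP"),
    # Work around clients that send RCPT TO:<'user@domain'>; keep trailing parameters.
    (r"^(RCPT\s+TO:\s*<)'([^\s]+)'(>.*)", "$1$2$3"),
    # Append XVERP to MAIL FROM commands to request VERP-style delivery.
    (r"^(MAIL FROM:\s*<listname@example\.com>.*)", "$1 XVERP"),
    # Bounce-never mail sink.
    (r"^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)", "$1 NOTIFY=NEVER$2"),
    (r"^(RCPT\s+TO:.*)", "$1 NOTIFY=NEVER"),
]


def _python_template(result: str) -> str:
    """Rewrite Postfix '$1' back-references to Python's '\\g<1>' form."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", result)


COMPILED = [(re.compile(p, re.IGNORECASE), _python_template(r)) for p, r in COMMAND_FILTER]


def filter_command(raw_line: str) -> str:
    """Search key: the command with initial whitespace and trailing <CR><LF> removed.
    First matching rule wins and its expanded result replaces the whole command;
    a command that matches nothing is passed through unchanged."""
    key = raw_line.lstrip(" \t").rstrip("\r\n")
    for pattern, result in COMPILED:
        m = pattern.search(key)
        if m:
            return m.expand(result)
    return key


def filter_session(lines: List[str]) -> List[str]:
    """Filter every command of a constructed session, in order."""
    return [filter_command(line) for line in lines]


if __name__ == "__main__":
    # Constructed client session (not a real capture).
    session = [
        "  HELO\r\n",
        "\r\n",
        "MAIL FROM:<listname@example.com> SIZE=1000\r\n",
        "RCPT TO:<'user@domain'> NOTIFY=SUCCESS\r\n",
        "RCPT TO:<a@b.example> NOTIFY=SUCCESS ORCPT=rfc822;a@b.example\r\n",
        "RCPT TO:<c@d.example>\r\n",
        "DATA\r\n",
    ]
    for before, after in zip(session, filter_session(session)):
        print(repr(before.rstrip("\r\n")), "->", repr(after))
```

       Because the first matching rule wins, the quoted-address rule shadows the two
       NOTIFY=NEVER rules for a quoted RCPT TO: the quotes are removed but NOTIFY is left
       as sent. When combining rules from separate problems into one table, order them
       deliberately and test each command shape.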
9170

smtpd_data_restrictions (default: empty)

9172       Optional  access  restrictions  that the Postfix SMTP server applies in
9173       the context of the SMTP DATA command.  See SMTPD_ACCESS_README, section
9174       "Delayed  evaluation of SMTP access restriction lists" for a discussion
9175       of evaluation context and time.
9176
9177       This feature is available in Postfix 2.0 and later.
9178
9179       Specify a list of restrictions, separated by commas and/or  whitespace.
9180       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9181       Restrictions are applied in the order as specified; the first  restric‐
9182       tion that matches wins.
9183
9184       The following restrictions are valid in this context:
9185
9186       ·      Generic  restrictions  that can be used in any SMTP command con‐
9187              text, described under smtpd_client_restrictions.
9188
9189       ·      SMTP   command    specific    restrictions    described    under
9190              smtpd_client_restrictions,              smtpd_helo_restrictions,
9191              smtpd_sender_restrictions or smtpd_recipient_restrictions.
9192
9193       ·      However, no recipient information is available in  the  case  of
9194              multi-recipient mail. Acting on only one recipient would be mis‐
9195              leading,  because  any  decision  will  affect  all   recipients
9196              equally.  Acting on all recipients would require a possibly very
9197              large amount of memory, and would also  be  misleading  for  the
9198              reasons mentioned before.
9199
9200       Examples:
9201
9202       smtpd_data_restrictions = reject_unauth_pipelining
9203       smtpd_data_restrictions = reject_multi_recipient_bounce
9204

smtpd_delay_open_until_valid_rcpt (default: yes)

9206       Postpone  the  start  of an SMTP mail transaction until a valid RCPT TO
9207       command is received. Specify "no" to create a mail transaction as  soon
9208       as the Postfix SMTP server receives a valid MAIL FROM command.
9209
9210       With  sites  that  reject lots of mail, the default setting reduces the
9211       use of disk, CPU and memory resources. The downside  is  that  rejected
9212       recipients  are  logged  with NOQUEUE instead of a mail transaction ID.
9213       This complicates the logfile analysis of multi-recipient mail.
9214
9215       This feature is available in Postfix 2.3 and later.
9216

smtpd_delay_reject (default: yes)

9218       Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
9219       tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
9220       until the ETRN command before evaluating $smtpd_client_restrictions and
9221       $smtpd_helo_restrictions.
9222
9223       This  feature  is  turned on by default because some clients apparently
9224       mis-behave when the Postfix SMTP server rejects  commands  before  RCPT
9225       TO.
9226
9227       The  default  setting  has  one major benefit: it allows Postfix to log
9228       recipient address information when rejecting a client  name/address  or
9229       sender  address, so that it is possible to find out whose mail is being
9230       rejected.
9231

smtpd_discard_ehlo_keyword_address_maps (default: empty)

9233       Lookup tables, indexed by the remote SMTP  client  address,  with  case
9234       insensitive  lists  of EHLO keywords (pipelining, starttls, auth, etc.)
9235       that the Postfix SMTP server will not send in the EHLO  response  to  a
9236       remote  SMTP  client. See smtpd_discard_ehlo_keywords for details.  The
9237       tables are not searched by hostname for robustness reasons.
9238
9239       Specify zero or more "type:name" lookup tables, separated by whitespace
9240       or  comma. Tables will be searched in the specified order until a match
9241       is found.
9242
9243       This feature is available in Postfix 2.2 and later.
9244

smtpd_discard_ehlo_keywords (default: empty)

9246       A case insensitive list of EHLO keywords (pipelining,  starttls,  auth,
9247       etc.)  that  the Postfix SMTP server will not send in the EHLO response
9248       to a remote SMTP client.
9249
9250       This feature is available in Postfix 2.2 and later.
9251
9252       Notes:
9253
9254       ·      Specify the silent-discard pseudo keyword to prevent this action
9255              from being logged.
9256
9257       ·      Use  the smtpd_discard_ehlo_keyword_address_maps feature to dis‐
9258              card EHLO keywords selectively.
9259

smtpd_dns_reply_filter (default: empty)

9261       Optional filter for  Postfix  SMTP  server  DNS  lookup  results.   See
9262       smtp_dns_reply_filter for details including an example.
9263
9264       This feature is available in Postfix 3.0 and later.
9265

smtpd_end_of_data_restrictions (default: empty)

9267       Optional  access  restrictions  that the Postfix SMTP server applies in
9268       the context of the SMTP END-OF-DATA command.  See  SMTPD_ACCESS_README,
9269       section  "Delayed  evaluation  of  SMTP access restriction lists" for a
9270       discussion of evaluation context and time.
9271
9272       This feature is available in Postfix 2.2 and later.
9273
9274       See smtpd_data_restrictions for details and limitations.
9275

smtpd_enforce_tls (default: no)

9277       Mandatory TLS: announce STARTTLS support to remote  SMTP  clients,  and
9278       require  that  clients  use TLS encryption.  According to RFC 2487 this
9279       MUST NOT be applied in case of a publicly-referenced SMTP server.  This
9280       option is therefore off by default.
9281
9282       Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".
9283
9284       Note  2:  when  invoked  via  "sendmail  -bs", Postfix will never offer
9285       STARTTLS due to insufficient privileges to access  the  server  private
9286       key. This is intended behavior.
9287
9288       This  feature  is  available in Postfix 2.2 and later. With Postfix 2.3
9289       and later use smtpd_tls_security_level instead.
9290

smtpd_error_sleep_time (default: 1s)

9292       With Postfix version 2.1 and later:  the  SMTP  server  response  delay
9293       after  a  client has made more than $smtpd_soft_error_limit errors, and
9294       fewer than $smtpd_hard_error_limit errors, without delivering mail.
9295
9296       With Postfix version 2.0 and earlier:  the  SMTP  server  delay  before
9297       sending  a reject (4xx or 5xx) response, when the client has made fewer
9298       than $smtpd_soft_error_limit errors without delivering mail.
9299

smtpd_etrn_restrictions (default: empty)

9301       Optional restrictions that the Postfix SMTP server applies in the  con‐
9302       text  of  a  client  ETRN  command.   See  SMTPD_ACCESS_README, section
9303       "Delayed evaluation of SMTP access restriction lists" for a  discussion
9304       of evaluation context and time.
9305
9306       The Postfix ETRN implementation accepts only destinations that are eli‐
9307       gible for the Postfix "fast flush" service. See  the  ETRN_README  file
9308       for details.
9309
9310       Specify  a list of restrictions, separated by commas and/or whitespace.
9311       Continue  long  lines  by  starting  the  next  line  with  whitespace.
9312       Restrictions  are applied in the order as specified; the first restric‐
9313       tion that matches wins.
9314
9315       The following restrictions are specific to the domain name  information
9316       received with the ETRN command.
9317
9318       check_etrn_access type:table
9319              Search the specified access database for the ETRN domain name or
9320              its parent domains. See the access(5) manual page for details.
9321
9322       Other restrictions that are valid in this context:
9323
9324       ·      Generic restrictions that can be used in any SMTP  command  con‐
9325              text, described under smtpd_client_restrictions.
9326
9327       ·      SMTP    command    specific    restrictions    described   under
9328              smtpd_client_restrictions and smtpd_helo_restrictions.
9329
9330       Example:
9331
9332       smtpd_etrn_restrictions = permit_mynetworks, reject
9333

smtpd_expansion_filter (default: see postconf -d output)

       What characters are allowed in $name expansions of RBL reply templates.
       Characters  not  in  the  allowed  set are replaced by "_".  Use C-like
       escapes to specify special characters such as whitespace.

       The smtpd_expansion_filter value is not subject to  Postfix  configura‐
       tion parameter $name expansion.

       This feature is available in Postfix 2.0 and later.


smtpd_forbidden_commands (default: CONNECT, GET, POST)

       List of commands that cause the Postfix SMTP server to immediately ter‐
       minate the session with a 221 code. This  can  be  used  to  disconnect
       clients  that obviously attempt to abuse the system. In addition to the
       commands listed in this parameter, commands that  follow  the  "Label:"
       format of message headers will also cause a disconnect.

       This feature is available in Postfix 2.2 and later.


smtpd_hard_error_limit (default: normal: 20, overload: 1)

       The  maximal  number  of errors a remote SMTP client is allowed to make
       without delivering mail. The Postfix SMTP server disconnects  when  the
       limit  is  exceeded.  Normally  the default limit is 20, but it changes
       under overload to just 1. With Postfix 2.5 and earlier, the SMTP server
       always allows up to 20 errors by default.


smtpd_helo_required (default: no)

       Require  that  a  remote SMTP client introduces itself with the HELO or
       EHLO command before sending the MAIL command  or  other  commands  that
       require EHLO negotiation.

       Example:

       smtpd_helo_required = yes


smtpd_helo_restrictions (default: empty)

       Optional  restrictions that the Postfix SMTP server applies in the con‐
       text of  a  client  HELO  command.   See  SMTPD_ACCESS_README,  section
       "Delayed  evaluation of SMTP access restriction lists" for a discussion
       of evaluation context and time.

       The default is to permit everything.

       Note:  specify  "smtpd_helo_required  =  yes"  to  fully  enforce  this
       restriction  (without  "smtpd_helo_required = yes", a client can simply
       skip smtpd_helo_restrictions by not sending HELO or EHLO).

       Specify a list of restrictions, separated by commas and/or  whitespace.
       Continue  long  lines  by  starting  the  next  line  with  whitespace.
       Restrictions are applied in the order as specified; the first  restric‐
       tion that matches wins.

       The  following  restrictions  are  specific to the hostname information
       received with the HELO or EHLO command.

       check_helo_access type:table
              Search the specified access(5) database for  the  HELO  or  EHLO
              hostname  or  parent  domains,  and  execute  the  corresponding
              action.  Note: specify  "smtpd_helo_required  =  yes"  to  fully
              enforce this restriction (without "smtpd_helo_required = yes", a
              client can simply skip check_helo_access by not sending HELO  or
              EHLO).

       check_helo_a_access type:table
              Search the specified access(5) database for the IP addresses for
              the HELO or EHLO hostname, and execute the corresponding action.
              Note  1:  a  result  of  "OK" is not allowed for safety reasons.
              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
              blacklists.   Note  2:  specify  "smtpd_helo_required  = yes" to
              fully enforce this restriction (without  "smtpd_helo_required  =
              yes",  a client can simply skip check_helo_a_access by not send‐
              ing HELO or EHLO).  This feature is available in Postfix 3.0 and
              later.

       check_helo_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              HELO or EHLO hostname, and  execute  the  corresponding  action.
              Note  1:  a  result  of  "OK" is not allowed for safety reasons.
              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
              blacklists.   Note  2:  specify  "smtpd_helo_required  = yes" to
              fully enforce this restriction (without  "smtpd_helo_required  =
              yes", a client can simply skip check_helo_mx_access by not send‐
              ing HELO or EHLO).  This feature is available in Postfix 2.1 and
              later.

       check_helo_ns_access type:table
              Search  the specified access(5) database for the DNS servers for
              the HELO or EHLO hostname, and execute the corresponding action.
              Note  1:  a  result  of  "OK" is not allowed for safety reasons.
              Instead, use DUNNO in  order  to  exclude  specific  hosts  from
              blacklists.   Note  2:  specify  "smtpd_helo_required  = yes" to
              fully enforce this restriction (without  "smtpd_helo_required  =
              yes", a client can simply skip check_helo_ns_access by not send‐
              ing HELO or EHLO). This feature is available in Postfix 2.1  and
              later.

       reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
              Reject the request when the HELO or EHLO hostname is  malformed.
              Note:  specify "smtpd_helo_required = yes" to fully enforce this
              restriction (without "smtpd_helo_required = yes", a  client  can
              simply  skip reject_invalid_helo_hostname by not sending HELO or
              EHLO).
              The invalid_hostname_reject_code specifies the response code for
              rejected requests (default: 501).

       reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
              Reject the request when the HELO or  EHLO  hostname  is  not  in
              fully-qualified  domain  or address literal form, as required by
              the RFC. Note: specify  "smtpd_helo_required  =  yes"  to  fully
              enforce this restriction (without "smtpd_helo_required = yes", a
              client can  simply  skip  reject_non_fqdn_helo_hostname  by  not
              sending HELO or EHLO).
              The  non_fqdn_reject_code  parameter specifies the response code
              for rejected requests (default: 504).

       reject_rhsbl_helo rbl_domain=d.d.d.d
              Reject the request when the HELO or EHLO hostname is listed with
              the A record "d.d.d.d" under rbl_domain (Postfix version 2.1 and
              later only).  Each "d" is a number, or  a  pattern  inside  "[]"
              that  contains one or more ";"-separated numbers or number..num‐
              ber ranges (Postfix version 2.8 and later).  If no "=d.d.d.d" is
              specified,  reject the request when the HELO or EHLO hostname is
              listed  with  any   A   record   under   rbl_domain.   See   the
              reject_rbl_client description for additional RBL related config‐
              uration parameters.  Note: specify "smtpd_helo_required  =  yes"
              to  fully enforce this restriction (without "smtpd_helo_required
              = yes", a client can simply skip reject_rhsbl_helo by not  send‐
              ing  HELO or EHLO). This feature is available in Postfix 2.0 and
              later.

       reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
              Reject  the  request when the HELO or EHLO hostname has no DNS A
              or MX record.
              The reply is  specified  with  the  unknown_hostname_reject_code
              parameter    (default:   450)   or   unknown_helo_hostname_temp‐
              fail_action  (default:  defer_if_permit).   See  the  respective
              parameter descriptions for details.
              Note:  specify "smtpd_helo_required = yes" to fully enforce this
              restriction (without "smtpd_helo_required = yes", a  client  can
              simply  skip reject_unknown_helo_hostname by not sending HELO or
              EHLO).

       Other restrictions that are valid in this context:

       ·      Generic restrictions that can be used in any SMTP  command  con‐
              text, described under smtpd_client_restrictions.

       ·      Client   hostname   or  network  address  specific  restrictions
              described under smtpd_client_restrictions.

       ·      SMTP   command    specific    restrictions    described    under
              smtpd_sender_restrictions or smtpd_recipient_restrictions.  When
              sender   or   recipient   restrictions    are    listed    under
              smtpd_helo_restrictions,    they    have    effect   only   with
              "smtpd_delay_reject = yes", so that $smtpd_helo_restrictions  is
              evaluated at the time of the RCPT TO command.

       Examples:

       smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
       smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname


smtpd_history_flush_threshold (default: 100)

       The  maximal number of lines in the Postfix SMTP server command history
       before it is flushed upon receipt of EHLO, RSET, or end of DATA.


smtpd_junk_command_limit (default: normal: 100, overload: 1)

       The number of junk commands (NOOP, VRFY, ETRN or RSET)  that  a  remote
       SMTP client can send before the Postfix SMTP server starts to increment
       the error counter with each junk command.  The junk  command  count  is
       reset after mail is delivered.  See also the smtpd_error_sleep_time and
       smtpd_soft_error_limit configuration parameters.  Normally the  default
       limit is 100, but it changes under overload to just 1. With Postfix 2.5
       and earlier, the SMTP server always allows up to 100 junk  commands  by
       default.


smtpd_log_access_permit_actions (default: empty)

       Enable  logging  of  the  named  "permit" actions in SMTP server access
       lists (by default, the SMTP server logs "reject" actions but not  "per‐
       mit"  actions).   This feature does not affect conditional actions such
       as "defer_if_permit".

       Specify a list of "permit" action names, "/file/name"  or  "type:table"
       patterns,  separated  by  commas and/or whitespace. The list is matched
       left to right, and the search stops on the first match. A  "/file/name"
       pattern  is  replaced  by  its contents; a "type:table" lookup table is
       matched when a  name  matches  a  lookup  key  (the  lookup  result  is
       ignored).   Continue  long  lines by starting the next line with white‐
       space. Specify "!pattern" to exclude a name from the list.

       Examples:

       /etc/postfix/main.cf:
           # Log all "permit" actions.
           smtpd_log_access_permit_actions = static:all

       /etc/postfix/main.cf:
           # Log "permit_dnswl_client" only.
           smtpd_log_access_permit_actions = permit_dnswl_client

       This feature is available in Postfix 2.10 and later.


smtpd_milter_maps (default: empty)

       Lookup tables with Milter settings per remote SMTP client  IP  address.
       The lookup result overrides the smtpd_milters setting, and has the same
       syntax.

       Note: lookup tables cannot return empty  responses.  Specify  a  lookup
       result  of  DISABLE (case does not matter) to indicate that Milter sup‐
       port should be disabled.

       Example to disable Milters for local clients:

       /etc/postfix/main.cf:
           smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
           smtpd_milters = inet:host:port, { inet:host:port, ... }, ...

       /etc/postfix/smtpd_milter_map:
           # Disable Milters for local clients.
           127.0.0.0/8    DISABLE
           192.168.0.0/16 DISABLE
           ::/64          DISABLE
           2001:db8::/32  DISABLE

       This feature is available in Postfix 3.2 and later.


smtpd_milters (default: empty)

       A list of Milter (mail filter) applications for new mail  that  arrives
       via  the  Postfix smtpd(8) server. Specify space or comma as separator.
       See the MILTER_README document for details.

       This feature is available in Postfix 2.3 and later.


smtpd_noop_commands (default: empty)

       List of commands that the Postfix SMTP server replies to with "250 Ok",
       without  doing any syntax checks and without changing state.  This list
       overrides any commands built into the Postfix SMTP server.


smtpd_null_access_lookup_key (default: <>)

       The lookup key to be used in SMTP access(5) tables instead of the  null
       sender address.


smtpd_peername_lookup (default: yes)

       Attempt to look up the remote SMTP client hostname, and verify that the
       name matches the client IP address. A client name is set  to  "unknown"
       when  it  cannot  be looked up or verified, or when name lookup is dis‐
       abled.  Turning off name lookup reduces delays due to  DNS  lookup  and
       increases the maximal inbound delivery rate.

       This feature is available in Postfix 2.3 and later.


smtpd_per_record_deadline (default: normal: no, overload: yes)

       Change  the  behavior  of  the smtpd_timeout and smtpd_starttls_timeout
       time limits, from a time limit per read or write system call, to a time
       limit  to send or receive a complete record (an SMTP command line, SMTP
       response line, SMTP message content line,  or  TLS  protocol  message).
       This limits the impact from hostile peers that trickle data one byte at
       a time.

       Note: when per-record deadlines are enabled, a short timeout may  cause
       problems  with TLS over very slow network connections.  The reasons are
       that a TLS protocol message can be up to 16 kbytes long  (with  TLSv1),
       and that an entire TLS protocol message must be sent or received within
       the per-record deadline.

       This feature is available in Postfix 2.9 and later. With older  Postfix
       releases, the behavior is as if this parameter is set to "no".


smtpd_policy_service_default_action (default: 451 4.3.5 Server configuration problem)

       The default action when an SMTPD policy service request fails.  Specify
       "DUNNO"  to  behave  as if the failed SMTPD policy service request was
       not sent, and to continue processing other access restrictions, if any.

       Limitations:

       ·      This parameter may specify any value that would be a valid SMTPD
              policy  server  response  (or  access(5) map lookup result).  An
              access(5) map or policy server in this parameter value may  need
              to be declared in advance with a restriction_class setting.

       ·      If  the  specified  action  invokes another check_policy_service
              request, that request will have the built-in default action.

       This feature is available in Postfix 3.0 and later.


smtpd_policy_service_max_idle (default: 300s)

       The time after which an idle SMTPD policy service connection is closed.

       This feature is available in Postfix 2.1 and later.


smtpd_policy_service_max_ttl (default: 1000s)

       The time after which an  active  SMTPD  policy  service  connection  is
       closed.

       This feature is available in Postfix 2.1 and later.


smtpd_policy_service_policy_context (default: empty)

       Optional  information  that  the  Postfix  SMTP server specifies in the
       "policy_context" attribute of a policy service request (originally,  to
       share  the  same  service  endpoint among multiple check_policy_service
       clients).

       This feature is available in Postfix 3.1 and later.


smtpd_policy_service_request_limit (default: 0)

       The maximal number of requests per SMTPD policy service connection,  or
       zero  (no  limit). Once a connection reaches this limit, the connection
       is closed and the next request will be sent over a new connection. This
       is a workaround to avoid error-recovery delays with policy servers that
       cannot maintain a persistent connection.

       This feature is available in Postfix 3.0 and later.


smtpd_policy_service_retry_delay (default: 1s)

       The delay between attempts to resend  a  failed  SMTPD  policy  service
       request. Specify a value greater than zero.

       This feature is available in Postfix 3.0 and later.


smtpd_policy_service_timeout (default: 100s)

       The time limit for connecting to, writing to, or receiving from a dele‐
       gated SMTPD policy server.

       This feature is available in Postfix 2.1 and later.


smtpd_policy_service_try_limit (default: 2)

       The maximal number of attempts to send an SMTPD policy service  request
       before giving up. Specify a value greater than zero.

       This feature is available in Postfix 3.0 and later.


smtpd_proxy_ehlo (default: $myhostname)

       How  the  Postfix SMTP server announces itself to the proxy filter.  By
       default, the Postfix hostname is used.

       This feature is available in Postfix 2.1 and later.


smtpd_proxy_filter (default: empty)

       The hostname and TCP port of the  mail  filtering  proxy  server.   The
       proxy  receives  all mail from the Postfix SMTP server, and is supposed
       to give the result to another Postfix SMTP server process.

       Specify  "host:port"  or  "inet:host:port"  for  a  TCP  endpoint,   or
       "unix:pathname"  for  a UNIX-domain endpoint. The host can be specified
       as an IP address or as a symbolic name; no MX lookups are  done.   When
       no  "host"  or  "host:"  is  specified,  the  local machine is assumed.
       Pathname interpretation is relative to the Postfix queue directory.

       This feature is available in Postfix 2.1 and later.

       The "inet:" and "unix:" prefixes  are  available  in  Postfix  2.3  and
       later.


smtpd_proxy_options (default: empty)

       List  of  options that control how the Postfix SMTP server communicates
       with a before-queue content filter. Specify zero or more of the follow‐
       ing, separated by comma or whitespace.

       speed_adjust
              Do  not connect to a before-queue content filter until an entire
              message has been received. This reduces the number of simultane‐
              ous before-queue content filter processes.

       NOTE   1:  A  filter  must  not  selectively  reject  recipients  of  a
       multi-recipient message.  Rejecting all recipients is OK, as is accept‐
       ing all recipients.

       NOTE  2:  This feature increases the minimum amount of free queue space
       by $message_size_limit. The extra space is needed to save  the  message
       to a temporary file.

       This feature is available in Postfix 2.7 and later.


smtpd_proxy_timeout (default: 100s)

       The  time  limit  for  connecting  to a proxy filter and for sending or
       receiving information.  When a  connection  fails  the  client  gets  a
       generic  error message while more detailed information is logged to the
       maillog file.

       Time units: s (seconds), m (minutes), h (hours), d (days),  w  (weeks).
       The default time unit is s (seconds).

       This feature is available in Postfix 2.1 and later.


smtpd_recipient_limit (default: 1000)

       The  maximal  number of recipients that the Postfix SMTP server accepts
       per message delivery request.


smtpd_recipient_overshoot_limit (default: 1000)

       The number of recipients that a remote SMTP client can send  in  excess
       of  the limit specified with $smtpd_recipient_limit, before the Postfix
       SMTP server increments the per-session  error  count  for  each  excess
       recipient.


smtpd_recipient_restrictions (default: see postconf -d output)

       Optional  restrictions that the Postfix SMTP server applies in the con‐
       text of a client RCPT TO command, after smtpd_relay_restrictions.   See
       SMTPD_ACCESS_README,   section   "Delayed  evaluation  of  SMTP  access
       restriction lists" for a discussion of evaluation context and time.

       With Postfix versions before 2.10, the rules for relay  permission  and
       spam blocking were combined under smtpd_recipient_restrictions, result‐
       ing in error-prone configuration.  As of Postfix 2.10, relay permission
       rules are preferably implemented with smtpd_relay_restrictions, so that
       a permissive spam blocking  policy  under  smtpd_recipient_restrictions
       will no longer result in a permissive mail relay policy.

       For  backwards  compatibility, sites that migrate from Postfix versions
       before 2.10 can set smtpd_relay_restrictions to the  empty  value,  and
       use smtpd_recipient_restrictions exactly as before.

       IMPORTANT:  Either  the  smtpd_relay_restrictions  or the smtpd_recipi‐
       ent_restrictions parameter must specify at least one of  the  following
       restrictions. Otherwise Postfix will refuse to receive mail:

           reject, reject_unauth_destination

           defer, defer_if_permit, defer_unauth_destination

       Specify  a list of restrictions, separated by commas and/or whitespace.
       Continue  long  lines  by  starting  the  next  line  with  whitespace.
       Restrictions  are applied in the order as specified; the first restric‐
       tion that matches wins.

       The following restrictions are specific to the recipient  address  that
       is received with the RCPT TO command.

       check_recipient_access type:table
              Search the specified access(5) database for the resolved RCPT TO
              address, domain, parent domains, or localpart@, and execute  the
              corresponding action.

       check_recipient_a_access type:table
              Search the specified access(5) database for the IP addresses for
              the RCPT TO domain, and execute the corresponding action.  Note:
              a result of "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from blacklists.   This
              feature is available in Postfix 3.0 and later.

       check_recipient_mx_access type:table
              Search the specified access(5) database for the MX hosts for the
              RCPT TO domain, and execute the corresponding action.   Note:  a
              result  of  "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from blacklists.   This
              feature is available in Postfix 2.1 and later.

       check_recipient_ns_access type:table
              Search  the specified access(5) database for the DNS servers for
              the RCPT TO domain, and execute the corresponding action.  Note:
              a result of "OK" is not allowed for safety reasons. Instead, use
              DUNNO in order to exclude specific hosts from blacklists.   This
              feature is available in Postfix 2.1 and later.

       permit_auth_destination
              Permit the request when one of the following is true:

       ·      Postfix is a mail forwarder: the resolved RCPT TO domain matches
              $relay_domains or a subdomain thereof, and the address  contains
              no sender-specified routing (user@elsewhere@domain),

       ·      Postfix  is  the  final destination: the resolved RCPT TO domain
              matches  $mydestination,  $inet_interfaces,   $proxy_interfaces,
              $virtual_alias_domains,  or  $virtual_mailbox_domains,  and  the
              address  contains  no   sender-specified   routing   (user@else‐
              where@domain).

       permit_mx_backup
              Permit  the  request when the local mail system is backup MX for
              the RCPT TO domain, or when the domain is an authorized destina‐
              tion (see permit_auth_destination for definition).

       ·      Safety:  permit_mx_backup  does  not  accept addresses that have
              sender-specified  routing   information   (example:   user@else‐
              where@domain).

       ·      Safety:  permit_mx_backup  can  be  vulnerable  to  mis-use when
              access is not restricted with permit_mx_backup_networks.

       ·      Safety: as of Postfix version 2.3,  permit_mx_backup  no  longer
              accepts the address when the local mail system is primary MX for
              the recipient domain.  Exception: permit_mx_backup  accepts  the
              address  when  it  specifies an authorized destination (see per‐
              mit_auth_destination for definition).

       ·      Limitation: mail may be rejected in  case  of  a  temporary  DNS
              lookup problem with Postfix prior to version 2.0.

       reject_non_fqdn_recipient
              Reject  the  request when the RCPT TO address specifies a domain
              that is not in fully-qualified domain form, as required  by  the
              RFC.
              The  non_fqdn_reject_code  parameter specifies the response code
              for rejected requests (default: 504).

       reject_rhsbl_recipient rbl_domain=d.d.d.d
              Reject the request when the RCPT TO domain is listed with the  A
              record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later
              only).  Each "d" is a number, or a pattern inside "[]" that con‐
              tains one or more ";"-separated numbers or number..number ranges
              (Postfix version 2.8 and later). If no "=d.d.d.d" is  specified,
              reject  the request when the RCPT TO domain is listed with any A
              record under rbl_domain.
              The maps_rbl_reject_code parameter specifies the  response  code
              for  rejected  requests  (default:  554);  the default_rbl_reply
              parameter  specifies  the  default   server   reply;   and   the
              rbl_reply_maps  parameter  specifies  tables with server replies
              indexed by rbl_domain.  This feature  is  available  in  Postfix
              version 2.0 and later.

       reject_unauth_destination
              Reject the request unless one of the following is true:

       ·      Postfix is a mail forwarder: the resolved RCPT TO domain matches
              $relay_domains  or  a  subdomain  thereof,   and   contains   no
              sender-specified routing (user@elsewhere@domain),

       ·      Postfix  is  the  final destination: the resolved RCPT TO domain
              matches  $mydestination,  $inet_interfaces,   $proxy_interfaces,
              $virtual_alias_domains,  or  $virtual_mailbox_domains,  and con‐
              tains no sender-specified routing (user@elsewhere@domain).
              The relay_domains_reject_code parameter specifies  the  response
              code for rejected requests (default: 554).

       defer_unauth_destination
              Reject  the  same  requests as reject_unauth_destination, with a
              non-permanent error code.  This feature is available in  Postfix
              2.10 and later.

       reject_unknown_recipient_domain
              Reject the request when Postfix is not final destination for the
              recipient domain, and the RCPT TO domain has 1) no DNS MX and no
              DNS A record or 2) a malformed MX record such as a record with a
              zero-length MX hostname (Postfix version 2.3 and later).
              The reply  is  specified  with  the  unknown_address_reject_code
              parameter    (default:   450),   unknown_address_tempfail_action
              (default: defer_if_permit), or  556  (nullmx,  Postfix  3.0  and
              later). See the respective parameter descriptions for details.

       reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
              Reject the request when the RCPT TO address is not listed in the
              list   of  valid  recipients  for  its  domain  class.  See  the
              smtpd_reject_unlisted_recipient   parameter   description    for
              details.  This feature is available in Postfix 2.1 and later.

       reject_unverified_recipient
              Reject  the request when mail to the RCPT TO address is known to
              bounce, or when the recipient address destination is not  reach‐
              able.   Address  verification information is managed by the ver‐
              ify(8) server;  see  the  ADDRESS_VERIFICATION_README  file  for
              details.
              The  unverified_recipient_reject_code  parameter  specifies  the
              numerical response code when  an  address  is  known  to  bounce
              (default: 450, change into 550 when you are confident that it is
              safe to do so).
              The  unverified_recipient_defer_code  parameter  specifies   the
              numerical  response  code  when an address probe failed due to a
              temporary problem (default: 450).
              The unverified_recipient_tempfail_action parameter specifies the
              action  after  address  probe failure due to a temporary problem
              (default: defer_if_permit).
              This feature breaks for aliased  addresses  with  "enable_origi‐
              nal_recipient = no" (Postfix <= 3.2).
              This feature is available in Postfix 2.1 and later.

       Other restrictions that are valid in this context:

       ·      Generic  restrictions  that can be used in any SMTP command con‐
              text, described under smtpd_client_restrictions.

       ·      SMTP   command    specific    restrictions    described    under
              smtpd_client_restrictions,      smtpd_helo_restrictions      and
              smtpd_sender_restrictions.

       Example:

       # The Postfix before 2.10 default mail relay policy. Later Postfix
       # versions implement this preferably with smtpd_relay_restrictions.
       smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
9917

smtpd_reject_footer (default: empty)

9919       Optional information that is appended after each  Postfix  SMTP  server
9920       4XX or 5XX response.
9921
9922       The following example uses "\c" at the start of the template (supported
9923       in Postfix 2.10 and later) to suppress the line break between the reply
9924       text  and  the  footer  text. With earlier Postfix versions, the footer
9925       text always begins on a new line, and the "\c" is output literally.
9926
9927       /etc/postfix/main.cf:
9928           smtpd_reject_footer = \c. For assistance, call 800-555-0101.
9929            Please provide the following information in your problem report:
9930            time ($localtime), client ($client_address) and server
9931            ($server_name).
9932
9933       Server response:
9934
9935           550-5.5.1 <user@example> Recipient address rejected: User
9936           unknown. For assistance, call 800-555-0101. Please provide the
9937           following information in your problem report: time (Jan 4 15:42:00),
9938           client (192.168.1.248) and server (mail1.example.com).
9939
9940       Note: the above text is meant to make it easier  to  find  the  Postfix
9941       logfile  records  for  a  failed  SMTP  session. The text itself is not
9942       logged to the Postfix SMTP server's maillog file.
9943
9944       Be sure to keep the text as short as possible. Long text may  be  trun‐
9945       cated  before it is logged to the remote SMTP client's maillog file, or
9946       before it is returned to the sender in a delivery status notification.
9947
9948       The template text is not subject  to  Postfix  configuration  parameter
9949       $name  expansion.  Instead,  this  feature supports a limited number of
9950       $name attributes in the footer text. These attributes are replaced with
9951       their current value for the SMTP session.
9952
9953       Note:  specify  $$name in footer text that is looked up from regexp: or
9954       pcre:-based smtpd_reject_footer_maps, otherwise the Postfix server will
9955       not use the footer text and will log a warning instead.
9956
9957       client_address
9958              The Client IP address that is logged in the maillog file.
9959
9960       client_port
9961              The client TCP port that is logged in the maillog file.
9962
9963       localtime
9964              The  server  local  time (Mmm dd hh:mm:ss) that is logged in the
9965              maillog file.
9966
9967       server_name
9968              The server's myhostname value.  This attribute is made available
9969              for  sites  with multiple MTAs (perhaps behind a load-balancer),
9970              where the server name  can  help  the  server  support  team  to
9971              quickly find the right log files.
9972
9973       Notes:
9974
9975       ·      NOT SUPPORTED are other attributes such as sender, recipient, or
9976              main.cf parameters.
9977
9978       ·      For safety reasons,  text  that  does  not  match  $smtpd_expan‐
9979              sion_filter is censored.
9980
9981       This  feature supports the two-character sequence \n as a request for a
9982       line break in the footer text. Postfix automatically inserts after each
9983       line  break the three-digit SMTP reply code (and optional enhanced sta‐
9984       tus code) from the original Postfix reject message.
9985
9986       To work around mail software that mis-handles multi-line replies, spec‐
9987       ify  the  two-character sequence \c at the start of the template.  This
9988       suppresses the line break between the reply text and  the  footer  text
9989       (Postfix 2.10 and later).
9990
9991       This feature is available in Postfix 2.8 and later.
9992

smtpd_reject_footer_maps (default: empty)

9994       Lookup  tables,  indexed by the complete Postfix SMTP server 4xx or 5xx
9995       response, with reject footer  templates.  See  smtpd_reject_footer  for
9996       details.
9997
9998       Specify zero or more "type:name" lookup tables, separated by whitespace
9999       or comma. Tables will be searched in the specified order until a  match
10000       is found.
10001
10002       This feature is available in Postfix 3.4 and later.
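
A small model of the footer rules described above (the "\c" and "\n" sequences, the four supported attributes, the expansion-filter censoring, and the "$$name" escaping that a regexp: or pcre: smtpd_reject_footer_maps entry needs), added here as an example and not taken from Postfix; the expansion filter set, the treatment of unsupported attributes and the sample values are assumptions constructed for the example.

```python
"""Model of smtpd_reject_footer expansion as described in postconf(5).
Added example, not Postfix's own code."""
import re
import string

# The only footer attributes the page lists; any other $name is unsupported.
SUPPORTED_ATTRS = {"client_address", "client_port", "localtime", "server_name"}

# Stand-in for smtpd_expansion_filter: printable ASCII plus TAB and space.
# Constructed here; the real default is whatever "postconf -d" prints.
EXPANSION_FILTER = set(string.printable) - set("\n\r\x0b\x0c")

_NAME_RE = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def censor(value, allowed=EXPANSION_FILTER):
    """Replace every character outside the expansion filter with '_'
    (the substitution smtpd_expansion_filter uses for $name values)."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def expand_attributes(template, attrs):
    """Expand only the supported $name / ${name} attributes.
    ASSUMPTION: an unsupported or unset attribute expands to the empty
    string; the page only says such attributes are not supported."""
    def repl(m):
        name = m.group(1) or m.group(2)
        if name not in SUPPORTED_ATTRS:
            return ""
        return censor(str(attrs.get(name, "")))
    return _NAME_RE.sub(repl, template)


def build_reply(reply, template, attrs):
    """Append the expanded footer to a one-line reject reply such as
    '550 5.1.1 <user@example> Recipient address rejected: User unknown'
    and return the reply lines as they would go on the wire."""
    code, rest = reply.split(" ", 1)
    m = re.match(r"(\d\.\d+\.\d+) ", rest)       # optional enhanced status
    prefix = code + " " + (m.group(1) + " " if m else "")
    suppress_break = template.startswith("\\c")  # "\c" only at the start
    if suppress_break:
        template = template[2:]
    parts = expand_attributes(template, attrs).split("\\n")  # "\n" = break
    if suppress_break:
        lines = [reply + parts[0]] + [prefix + p for p in parts[1:]]
    else:
        lines = [reply] + [prefix + p for p in parts]
    # Every line after a break repeats the reply code (and enhanced status
    # code); a multi-line reply uses "code-" on all lines but the last.
    return [line[:3] + ("-" if i < len(lines) - 1 else " ") + line[4:]
            for i, line in enumerate(lines)]


def regexp_footer_lookup(table, reply):
    """Model of a regexp: smtpd_reject_footer_maps lookup; `table` is a list
    of (pattern, value) pairs.  In the value, $1..$9 are match groups and
    $$ is a literal '$'; any other $name is a replacement-syntax error, so
    footer attributes must be written $$name there.  Returns
    (template, warning)."""
    for pattern, value in table:
        m = re.search(pattern, reply)
        if not m:
            continue
        out, i = [], 0
        while i < len(value):
            nxt = value[i + 1] if i + 1 < len(value) else ""
            if value[i] != "$":
                out.append(value[i]); i += 1
            elif nxt == "$":
                out.append("$"); i += 2
            elif nxt.isdigit():
                out.append(m.group(int(nxt)) or ""); i += 2
            else:
                return None, "bad replacement syntax in: " + value
        return "".join(out), None
    return None, None


# Constructed sample: the page's own footer example.
TEMPLATE = ("\\c. For assistance, call 800-555-0101. Please provide the "
            "following information in your problem report: time ($localtime), "
            "client ($client_address) and server ($server_name).")
ATTRS = {"localtime": "Jan 4 15:42:00", "client_address": "192.168.1.248",
         "client_port": "51234", "server_name": "mail1.example.com"}
REPLY = "550 5.5.1 <user@example> Recipient address rejected: User unknown"

if __name__ == "__main__":
    for line in build_reply(REPLY, TEMPLATE, ATTRS):
        print(line)
```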
10003

smtpd_reject_unlisted_recipient (default: yes)

10005       Request that the Postfix SMTP server rejects mail for unknown recipient
10006       addresses,  even  when  no  explicit  reject_unlisted_recipient  access
10007       restriction  is specified. This prevents the Postfix queue from filling
10008       up with undeliverable MAILER-DAEMON messages.
10009
10010       An address is always considered "known" when it matches a  virtual(5)
10011       alias or a canonical(5) mapping; otherwise it is considered unknown when:
10012
10013       ·      The recipient domain matches $mydestination, $inet_interfaces or
10014              $proxy_interfaces,  but  the  recipient   is   not   listed   in
10015              $local_recipient_maps, and $local_recipient_maps is not null.
10016
10017       ·      The  recipient  domain  matches  $virtual_alias_domains  but the
10018              recipient is not listed in $virtual_alias_maps.
10019
10020       ·      The recipient domain matches  $virtual_mailbox_domains  but  the
10021              recipient  is  not  listed  in  $virtual_mailbox_maps, and $vir‐
10022              tual_mailbox_maps is not null.
10023
10024       ·      The recipient domain matches $relay_domains but the recipient is
10025              not  listed  in $relay_recipient_maps, and $relay_recipient_maps
10026              is not null.
10027
10028       This feature is available in Postfix 2.1 and later.
10029

smtpd_reject_unlisted_sender (default: no)

10031       Request that the Postfix SMTP server rejects mail from  unknown  sender
10032       addresses, even when no explicit reject_unlisted_sender access restric‐
10033       tion is specified. This can slow down an explosion of forged mail  from
10034       worms or viruses.
10035
10036       An address is always considered "known" when it matches a  virtual(5)
10037       alias or a canonical(5) mapping; otherwise it is considered unknown when:
10038
10039       ·      The sender domain matches  $mydestination,  $inet_interfaces  or
10040              $proxy_interfaces, but the sender is not listed in $local_recip‐
10041              ient_maps, and $local_recipient_maps is not null.
10042
10043       ·      The sender domain matches $virtual_alias_domains but the  sender
10044              is not listed in $virtual_alias_maps.
10045
10046       ·      The  sender  domain  matches  $virtual_mailbox_domains  but  the
10047              sender  is  not  listed  in  $virtual_mailbox_maps,  and   $vir‐
10048              tual_mailbox_maps is not null.
10049
10050       ·      The  sender  domain matches $relay_domains but the sender is not
10051              listed in $relay_recipient_maps,  and  $relay_recipient_maps  is
10052              not null.
10053
10054       This feature is available in Postfix 2.1 and later.
10055

smtpd_relay_restrictions (default: permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)

10058       Access restrictions for mail relay control that the Postfix SMTP server
10059       applies  in  the  context  of the RCPT TO command, before smtpd_recipi‐
10060       ent_restrictions.  See SMTPD_ACCESS_README, section "Delayed evaluation
10061       of  SMTP  access restriction lists" for a discussion of evaluation con‐
10062       text and time.
10063
10064       With Postfix versions before 2.10, the rules for relay  permission  and
10065       spam blocking were combined under smtpd_recipient_restrictions, result‐
10066       ing in error-prone configuration.  As of Postfix 2.10, relay permission
10067       rules are preferably implemented with smtpd_relay_restrictions, so that
10068       a permissive spam blocking  policy  under  smtpd_recipient_restrictions
10069       will no longer result in a permissive mail relay policy.
10070
10071       For  backwards  compatibility, sites that migrate from Postfix versions
10072       before 2.10 can set smtpd_relay_restrictions to the  empty  value,  and
10073       use smtpd_recipient_restrictions exactly as before.
10074
10075       By default, the Postfix SMTP server accepts:
10076
10077       ·      Mail from clients whose IP address matches $mynetworks, or:
10078
10079       ·      Mail  to  remote  destinations that match $relay_domains, except
10080              for addresses that contain sender-specified routing  (user@else‐
10081              where@domain), or:
10082
10083       ·      Mail  to  local  destinations  that  match  $inet_interfaces  or
10084              $proxy_interfaces,  $mydestination,  $virtual_alias_domains,  or
10085              $virtual_mailbox_domains.
10086
10087       IMPORTANT:  Either  the  smtpd_relay_restrictions  or the smtpd_recipi‐
10088       ent_restrictions parameter must specify at least one of  the  following
10089       restrictions. Otherwise Postfix will refuse to receive mail:
10090
10091           reject, reject_unauth_destination
10092
10093           defer, defer_if_permit, defer_unauth_destination
10094
10095       Specify  a list of restrictions, separated by commas and/or whitespace.
10096       Continue long lines by starting the next  line  with  whitespace.   The
10097       same  restrictions  are  available  as  documented  under smtpd_recipi‐
10098       ent_restrictions.
10099
10100       This feature is available in Postfix 2.10 and later.
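
An added example (not Postfix code) that applies the IMPORTANT check above to a main.cf text: it parses logical lines and $name references as postconf(5) describes them and reports whether either restriction list contains one of the required restrictions; the sample main.cf contents, the spam_checks parameter and the rbl.example domain are constructed for the example.

```python
"""Check the relay-policy requirement stated in postconf(5): either
smtpd_relay_restrictions or smtpd_recipient_restrictions must contain one of
reject, reject_unauth_destination, defer, defer_if_permit or
defer_unauth_destination, or Postfix refuses to receive mail.
Added example, not Postfix code; it parses a main.cf text (constructed
below) instead of running "postconf -n"."""
import re

REQUIRED_ANY = {"reject", "reject_unauth_destination",
                "defer", "defer_if_permit", "defer_unauth_destination"}

# Defaults that apply when main.cf does not set the parameter: the
# smtpd_relay_restrictions default from this page; smtpd_recipient_restrictions
# defaults to empty.
DEFAULTS = {
    "smtpd_relay_restrictions":
        "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination",
    "smtpd_recipient_restrictions": "",
}

_REF = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def parse_main_cf(text):
    """Return {parameter: value}.  A logical line starts with non-whitespace,
    a line starting with whitespace continues it; empty lines and lines whose
    first non-blank character is '#' are ignored (postconf(5), DESCRIPTION)."""
    params, logical = {}, []

    def flush():
        if logical:
            name, _, value = " ".join(logical).partition("=")
            params[name.strip()] = value.strip()
            logical.clear()

    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():
            flush()
        logical.append(stripped)
    flush()
    return params


def expand(value, params, depth=0):
    """Recursively replace $name and ${name}; an undefined name becomes the
    empty value.  (The ${name?value} and ${name:value} forms are not modelled.)"""
    if depth > 20:
        raise ValueError("parameter reference loop")
    return _REF.sub(lambda m: expand(params.get(m.group(1) or m.group(2), ""),
                                     params, depth + 1), value)


def restrictions(params, name):
    """The restriction list for `name`, split on commas and/or whitespace.
    Arguments such as 'type:table' stay as separate tokens, which is harmless
    because they never collide with the names in REQUIRED_ANY."""
    value = expand(params.get(name, DEFAULTS[name]), params)
    return [t for t in re.split(r"[\s,]+", value) if t]


def relay_policy_ok(params):
    """Return (ok, found) where `found` lists the required restrictions
    present in either parameter."""
    found = set()
    for name in DEFAULTS:
        found |= set(restrictions(params, name)) & REQUIRED_ANY
    return bool(found), sorted(found)


# Constructed sample main.cf (Postfix >= 2.10 layout).
SAMPLE_MAIN_CF = """\
# Relay policy lives under smtpd_relay_restrictions ...
smtpd_relay_restrictions =
    permit_mynetworks, permit_sasl_authenticated
    reject_unauth_destination
# ... so a permissive spam policy here cannot open the relay.
spam_checks = reject_rbl_client rbl.example
smtpd_recipient_restrictions = permit_mynetworks, $spam_checks
"""

# Constructed migration mistake: relay restrictions emptied for backwards
# compatibility, but no relay control moved into smtpd_recipient_restrictions.
BROKEN_MAIN_CF = """\
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_rbl_client rbl.example
"""

if __name__ == "__main__":
    for text in (SAMPLE_MAIN_CF, BROKEN_MAIN_CF):
        print(relay_policy_ok(parse_main_cf(text)))
```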
10101

smtpd_restriction_classes (default: empty)

10103       User-defined aliases for groups of access restrictions. The aliases can
10104       be   specified   in   smtpd_recipient_restrictions  etc.,  and  on  the
10105       right-hand side of a Postfix access(5) table.
10106
10107       One major application is for implementing  per-recipient  UCE  control.
10108       See the RESTRICTION_CLASS_README document for other examples.
10109

smtpd_sasl_application_name (default: smtpd)

10111       The  application name that the Postfix SMTP server uses for SASL server
10112       initialization. This controls the name of the SASL configuration  file.
10113       The  default value is smtpd, corresponding to a SASL configuration file
10114       named smtpd.conf.
10115
10116       This feature is available in Postfix 2.1 and 2.2. With Postfix  2.3  it
10117       was renamed to smtpd_sasl_path.
10118

smtpd_sasl_auth_enable (default: no)

10120       Enable  SASL authentication in the Postfix SMTP server. By default, the
10121       Postfix SMTP server does not use authentication.
10122
10123       If a remote SMTP client is authenticated, the permit_sasl_authenticated
10124       access restriction can be used to permit relay access, like this:
10125
10126           # With Postfix 2.10 and later, the mail relay policy is
10127           # preferably specified under smtpd_relay_restrictions.
10128           smtpd_relay_restrictions =
10129               permit_mynetworks, permit_sasl_authenticated, ...
10130
10131           # With Postfix before 2.10, the relay policy can be
10132           # specified only under smtpd_recipient_restrictions.
10133           smtpd_recipient_restrictions =
10134               permit_mynetworks, permit_sasl_authenticated, ...
10135
10136       To  reject  all  SMTP connections from unauthenticated clients, specify
10137       "smtpd_delay_reject = yes" (which is the default) and use:
10138
10139           smtpd_client_restrictions = permit_sasl_authenticated, reject
10140
10141       See the SASL_README file for SASL configuration and operation details.
10142

smtpd_sasl_authenticated_header (default: no)

10144       Report the SASL authenticated user name in the smtpd(8)  Received  mes‐
10145       sage header.
10146
10147       This feature is available in Postfix 2.3 and later.
10148

smtpd_sasl_exceptions_networks (default: empty)

10150       What  remote  SMTP  clients the Postfix SMTP server will not offer AUTH
10151       support to.
10152
10153       Some clients (Netscape 4 at least) have  a  bug  that  causes  them  to
10154       require  a  login  and  password whenever AUTH is offered, whether it's
10155       necessary or not. To work around this, specify,  for  example,  $mynet‐
10156       works to prevent Postfix from offering AUTH to local clients.
10157
10158       Specify  a list of network/netmask patterns, separated by commas and/or
10159       whitespace. The mask specifies the number of bits in the  network  part
10160       of a host address. You can also specify "/file/name"  or  "type:table"
10161       patterns. A "/file/name" pattern is replaced by its  contents;  a
10162       "type:table" lookup table is matched when a table entry matches  a
10163       lookup string (the lookup result is ignored).  Continue long lines  by
10164       starting the next line with whitespace. Specify "!pattern" to  exclude
10165       an address or network block from the list.  The form "!/file/name"  is
10166       supported only in Postfix version 2.4 and later.
10167
10168       Note:  IP  version 6 address information must be specified inside [] in
10169       the smtpd_sasl_exceptions_networks value, and in files  specified  with
10170       "/file/name".   IP  version  6 addresses contain the ":" character, and
10171       would otherwise be confused with a "type:table" pattern.
10172
10173       Example:
10174
10175       smtpd_sasl_exceptions_networks = $mynetworks
10176
10177       This feature is available in Postfix 2.1 and later.
10178

smtpd_sasl_local_domain (default: empty)

10180       The name of the Postfix SMTP server's local SASL authentication realm.
10181
10182       By default, the local authentication realm name is the null string.
10183
10184       Examples:
10185
10186       smtpd_sasl_local_domain = $mydomain
10187       smtpd_sasl_local_domain = $myhostname
10188

smtpd_sasl_path (default: smtpd)

10190       Implementation-specific information that the Postfix SMTP server passes
10191       through  to  the  SASL  plug-in  implementation  that  is selected with
10192       smtpd_sasl_type.  Typically this specifies the name of a  configuration
10193       file or rendezvous point.
10194
10195       This feature is available in Postfix 2.3 and later. In earlier releases
10196       it was called smtpd_sasl_application_name.
10197

smtpd_sasl_response_limit (default: 12288)

10199       The maximum length of a SASL client's response to a  server  challenge.
10200       When  the  client's  "initial response" is longer than the normal limit
10201       for SMTP commands, the client must omit its initial response, and  wait
10202       for  an  empty  server challenge; it can then send what would have been
10203       its "initial response" as a response to  the  empty  server  challenge.
10204       RFC4954  requires  the server to accept client responses up to at least
10205       12288 octets of base64-encoded text.  The default  value  is  therefore
10206       also the minimum value accepted for this parameter.
10207
10208       This  feature is available in Postfix 3.4 and later. Prior versions use
10209       "line_length_limit", which may need to be raised to accommodate  larger
10210       client  responses,  as may be needed with GSSAPI authentication of Win‐
10211       dows AD users who are members of many groups.
10212

smtpd_sasl_security_options (default: noanonymous)

10214       Postfix SMTP server SASL security options; as of Postfix 2.3  the  list
10215       of available features depends on the SASL server implementation that is
10216       selected with smtpd_sasl_type.
10217
10218       The following security features are defined for the cyrus  server  SASL
10219       implementation:
10220
10221       Restrict  what  authentication  mechanisms the Postfix SMTP server will
10222       offer to the client.  The list of available  authentication  mechanisms
10223       is system dependent.
10224
10225       Specify zero or more of the following:
10226
10227       noplaintext
10228              Disallow methods that use plaintext passwords.
10229
10230       noactive
10231              Disallow methods subject to active (non-dictionary) attack.
10232
10233       nodictionary
10234              Disallow methods subject to passive (dictionary) attack.
10235
10236       noanonymous
10237              Disallow methods that allow anonymous authentication.
10238
10239       forward_secrecy
10240              Only allow methods that support forward secrecy (Dovecot only).
10241
10242       mutual_auth
10243              Only  allow  methods  that  provide  mutual  authentication (not
10244              available with Cyrus SASL version 1).
10245
10246       By default, the Postfix SMTP server accepts plaintext passwords but not
10247       anonymous logins.
10248
10249       Warning:  it  appears  that  clients  try authentication methods in the
10250       order as advertised by the  server  (e.g.,  PLAIN  ANONYMOUS  CRAM-MD5)
10251       which  means  that if you disable plaintext passwords, clients will log
10252       in anonymously, even when they should be able to use CRAM-MD5.  So,  if
10253       you  disable  plaintext  logins, disable anonymous logins too.  Postfix
10254       treats anonymous login as no authentication.
10255
10256       Example:
10257
10258       smtpd_sasl_security_options = noanonymous, noplaintext
10259

smtpd_sasl_service (default: smtp)

10261       The service name that is passed to the SASL plug-in  that  is  selected
10262       with smtpd_sasl_type and smtpd_sasl_path.
10263
10264       This  feature  is  available  in Postfix 2.11 and later. Prior versions
10265       behave as if "smtp" is specified.
10266

smtpd_sasl_tls_security_options (default: $smtpd_sasl_security_options)

10268       The SASL authentication security options that the Postfix  SMTP  server
10269       uses for TLS encrypted SMTP sessions.
10270
10271       This feature is available in Postfix 2.2 and later.
10272

smtpd_sasl_type (default: cyrus)

10274       The  SASL  plug-in  type  that  the  Postfix SMTP server should use for
10275       authentication. The available types are listed with the  "postconf  -a"
10276       command.
10277
10278       This feature is available in Postfix 2.3 and later.
10279

smtpd_sender_login_maps (default: empty)

10281       Optional  lookup  table  with  the SASL login names that own the sender
10282       (MAIL FROM) addresses.
10283
10284       Specify zero or more "type:name" lookup tables, separated by whitespace
10285       or  comma. Tables will be searched in the specified order until a match
10286       is found.  With lookups from indexed files such as DB or DBM,  or  from
10287       networked  tables such as NIS, LDAP or SQL, the following search opera‐
10288       tions are done with a sender address of user@domain:
10289
10290       1) user@domain
10291              This table lookup is always done and has the highest precedence.
10292
10293       2) user
10294              This table lookup is done only  when  the  domain  part  of  the
10295              sender  address  matches $myorigin, $mydestination, $inet_inter‐
10296              faces or $proxy_interfaces.
10297
10298       3) @domain
10299              This table lookup is done last and has the lowest precedence.
10300
10301       In all cases the result of table lookup must be either "not found" or a
10302       list of SASL login names separated by comma and/or whitespace.
10303

smtpd_sender_restrictions (default: empty)

10305       Optional  restrictions that the Postfix SMTP server applies in the con‐
10306       text of a client MAIL FROM command.  See  SMTPD_ACCESS_README,  section
10307       "Delayed  evaluation of SMTP access restriction lists" for a discussion
10308       of evaluation context and time.
10309
10310       The default is to permit everything.
10311
10312       Specify a list of restrictions, separated by commas and/or  whitespace.
10313       Continue  long  lines  by  starting  the  next  line  with  whitespace.
10314       Restrictions are applied in the order as specified; the first  restric‐
10315       tion that matches wins.
10316
10317       The  following restrictions are specific to the sender address received
10318       with the MAIL FROM command.
10319
10320       check_sender_access type:table
10321              Search the  specified  access(5)  database  for  the  MAIL  FROM
10322              address,  domain, parent domains, or localpart@, and execute the
10323              corresponding action.
10324
10325       check_sender_a_access type:table
10326              Search the specified access(5) database for the IP addresses for
10327              the  MAIL  FROM  domain,  and  execute the corresponding action.
10328              Note: a result of  "OK"  is  not  allowed  for  safety  reasons.
10329              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
10330              blacklists.  This feature is available in Postfix 3.0 and later.
10331
10332       check_sender_mx_access type:table
10333              Search the specified access(5) database for the MX hosts for the
10334              MAIL FROM domain, and execute the corresponding action.  Note: a
10335              result of "OK" is not allowed for safety reasons.  Instead,  use
10336              DUNNO  in order to exclude specific hosts from blacklists.  This
10337              feature is available in Postfix 2.1 and later.
10338
10339       check_sender_ns_access type:table
10340              Search the specified access(5) database for the DNS servers  for
10341              the  MAIL  FROM  domain,  and  execute the corresponding action.
10342              Note: a result of  "OK"  is  not  allowed  for  safety  reasons.
10343              Instead,  use  DUNNO  in  order  to  exclude specific hosts from
10344              blacklists.  This feature is available in Postfix 2.1 and later.
10345
10346       reject_authenticated_sender_login_mismatch
10347              Enforces  the   reject_sender_login_mismatch   restriction   for
10348              authenticated clients only. This feature is available in Postfix
10349              version 2.1 and later.
10350
10351       reject_known_sender_login_mismatch
10352              Apply the reject_sender_login_mismatch restriction only to  MAIL
10353              FROM addresses that are known in $smtpd_sender_login_maps.  This
10354              feature is available in Postfix version 2.11 and later.
10355
10356       reject_non_fqdn_sender
10357              Reject the request when the MAIL FROM address specifies a domain
10358              that  is  not  in fully-qualified domain form as required by the
10359              RFC.
10360              The non_fqdn_reject_code parameter specifies the  response  code
10361              for rejected requests (default: 504).
10362
10363       reject_rhsbl_sender rbl_domain=d.d.d.d
10364              Reject  the request when the MAIL FROM domain is listed with the
10365              A record "d.d.d.d" under rbl_domain  (Postfix  version  2.1  and
10366              later  only).   Each  "d"  is a number, or a pattern inside "[]"
10367              that contains one or more ";"-separated numbers or  number..num‐
10368              ber  ranges (Postfix version 2.8 and later). If no "=d.d.d.d" is
10369              specified, reject the request  when  the  MAIL  FROM  domain  is
10370              listed with any A record under rbl_domain.
10371              The  maps_rbl_reject_code  parameter specifies the response code
10372              for rejected requests  (default:   554);  the  default_rbl_reply
10373              parameter   specifies   the   default   server  reply;  and  the
10374              rbl_reply_maps parameter specifies tables  with  server  replies
10375              indexed by rbl_domain.  This feature is available in Postfix 2.0
10376              and later.
10377
10378       reject_sender_login_mismatch
10379              Reject the request when  $smtpd_sender_login_maps  specifies  an
10380              owner  for  the  MAIL FROM address, but the client is not (SASL)
10381              logged in as that MAIL FROM address owner; or when the client is
10382              (SASL) logged in, but the client login name doesn't own the MAIL
10383              FROM address according to $smtpd_sender_login_maps.
10384
10385       reject_unauthenticated_sender_login_mismatch
10386              Enforces the reject_sender_login_mismatch restriction for  unau‐
10387              thenticated  clients  only. This feature is available in Postfix
10388              version 2.1 and later.
10389
10390       reject_unknown_sender_domain
10391              Reject the request when Postfix is not final destination for the
10392              sender address, and the MAIL FROM domain has 1) no DNS MX and no
10393              DNS A record, or 2) a malformed MX record such as a record  with
10394              a zero-length MX hostname (Postfix version 2.3 and later).
10395              The  reply  is  specified  with  the unknown_address_reject_code
10396              parameter   (default:   450),    unknown_address_tempfail_action
10397              (default:  defer_if_permit),  or  550  (nullmx,  Postfix 3.0 and
10398              later). See the respective parameter descriptions for details.
10399
10400       reject_unlisted_sender
10401              Reject the request when the MAIL FROM address is not  listed  in
10402              the  list  of  valid  recipients  for  its domain class. See the
10403              smtpd_reject_unlisted_sender parameter description for  details.
10404              This feature is available in Postfix 2.1 and later.
10405
10406       reject_unverified_sender
10407              Reject  the  request when mail to the MAIL FROM address is known
10408              to bounce, or when the sender address destination is not  reach‐
10409              able.   Address  verification information is managed by the ver‐
10410              ify(8) server;  see  the  ADDRESS_VERIFICATION_README  file  for
10411              details.
10412              The unverified_sender_reject_code parameter specifies the numer‐
10413              ical response code when an address is known to bounce  (default:
10414              450,  change  into 550 when you are confident that it is safe to
10415              do so).
10416              The   unverified_sender_defer_code   specifies   the   numerical
10417              response  code  when  an address probe failed due to a temporary
10418              problem (default: 450).
10419              The unverified_sender_tempfail_action  parameter  specifies  the
10420              action  after  address  probe failure due to a temporary problem
10421              (default: defer_if_permit).
10422              This feature breaks for aliased  addresses  with  "enable_origi‐
10423              nal_recipient = no" (Postfix <= 3.2).
10424              This feature is available in Postfix 2.1 and later.
10425
10426       Other restrictions that are valid in this context:
10427
10428       ·      Generic  restrictions  that can be used in any SMTP command con‐
10429              text, described under smtpd_client_restrictions.
10430
10431       ·      SMTP   command    specific    restrictions    described    under
10432              smtpd_client_restrictions and smtpd_helo_restrictions.
10433
10434       ·      SMTP command specific restrictions described under smtpd_recipi‐
10435              ent_restrictions. When recipient restrictions are  listed  under
10436              smtpd_sender_restrictions,    they   have   effect   only   with
10437              "smtpd_delay_reject = yes", so  that  $smtpd_sender_restrictions
10438              is evaluated at the time of the RCPT TO command.
10439
10440       Examples:
10441
10442       smtpd_sender_restrictions = reject_unknown_sender_domain
10443       smtpd_sender_restrictions = reject_unknown_sender_domain,
10444           check_sender_access hash:/etc/postfix/access
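
An added example, not Postfix code, that models the smtpd_sender_login_maps lookup order and the four reject_*sender_login_mismatch restrictions listed above; the table contents, the domain set and the login names are constructed, a dict stands in for the lookup table, and login names are compared exactly (Postfix's own matching rules are not modelled).

```python
"""Model of the smtpd_sender_login_maps lookup order and of the
reject_*sender_login_mismatch restrictions described in postconf(5).
Added example, not Postfix code."""
import re


def login_map_owners(sender, table, local_domains):
    """Return the SASL logins that own `sender`, or None when not found.
    Lookup order: 1) user@domain, always; 2) user, only when the domain
    matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces
    (passed in as `local_domains`); 3) @domain, last."""
    user, _, domain = sender.rpartition("@")
    keys = [sender]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            # result: SASL login names separated by comma and/or whitespace
            return [s for s in re.split(r"[\s,]+", table[key]) if s]
    return None


def sender_login_check(restriction, sender, sasl_login, table, local_domains):
    """Evaluate one of the four mismatch restrictions for a MAIL FROM
    `sender`; `sasl_login` is None for an unauthenticated client.  Returns
    'REJECT', or 'DUNNO' when this restriction makes no decision."""
    owners = login_map_owners(sender, table, local_domains)
    if restriction == "reject_authenticated_sender_login_mismatch":
        if sasl_login is None:
            return "DUNNO"
    elif restriction == "reject_unauthenticated_sender_login_mismatch":
        if sasl_login is not None:
            return "DUNNO"
    elif restriction == "reject_known_sender_login_mismatch":
        if owners is None:
            return "DUNNO"
    elif restriction != "reject_sender_login_mismatch":
        raise ValueError("unknown restriction: " + restriction)
    if sasl_login is not None:
        # Logged in: the login name must own the MAIL FROM address.
        return "DUNNO" if owners is not None and sasl_login in owners else "REJECT"
    # Not logged in: reject only when the table names an owner.
    return "REJECT" if owners is not None else "DUNNO"


# Constructed sample table and domain classes.
LOGIN_MAPS = {
    "alice@example.com": "alice",
    "bob": "bob",                           # matched via the bare-user lookup
    "@example.com": "postmaster, alice",    # catch-all for the domain
}
LOCAL_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for login in (None, "alice", "mallory"):
        print(login, sender_login_check("reject_sender_login_mismatch",
                                        "alice@example.com", login,
                                        LOGIN_MAPS, LOCAL_DOMAINS))
```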
10445

smtpd_service_name (default: smtpd)

10447       The  internal  service that postscreen(8) hands off allowed connections
10448       to. In a future version there may be different classes of SMTP service.
10449
10450       This feature is available in Postfix 2.8.
10451

smtpd_soft_error_limit (default: 10)

10453       The number of errors a remote SMTP client is allowed  to  make  without
10454       delivering  mail  before  the  Postfix  SMTP  server slows down all its
10455       responses.
10456
10457       ·      With Postfix version 2.1 and  later,  the  Postfix  SMTP  server
10458              delays all responses by $smtpd_error_sleep_time seconds.
10459
10460       ·      With  Postfix  versions 2.0 and earlier, the Postfix SMTP server
10461              delays all responses by (number of errors) seconds.
10462

smtpd_starttls_timeout (default: see postconf -d output)

10464       The time limit for Postfix SMTP server write and read operations during
10465       TLS  startup  and  shutdown  handshake  procedures. The current default
10466       value is stress-dependent. Before Postfix version 2.8, it was fixed  at
10467       300s.
10468
10469       This feature is available in Postfix 2.2 and later.
10470

smtpd_timeout (default: normal: 300s, overload: 10s)

10472       The  time  limit  for  sending  a  Postfix SMTP server response and for
10473       receiving a remote SMTP client request. Normally the default  limit  is
10474       300s,  but  it changes under overload to just 10s. With Postfix 2.5 and
10475       earlier, the SMTP server always uses a time limit of 300s by default.
10476
10477       Note: if you set SMTP time limits to very large values you may have  to
10478       update the global ipc_timeout parameter.
10479
10480       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
10481       The default time unit is s (seconds).
10482

smtpd_tls_CAfile (default: empty)

       A file containing (PEM format) CA certificates of root CAs trusted to
       sign either remote SMTP client certificates or intermediate CA
       certificates. These are loaded into memory before the smtpd(8) server
       enters the chroot jail. If the number of trusted roots is large,
       consider using smtpd_tls_CApath instead, but note that the latter
       directory must be present in the chroot jail if the smtpd(8) server is
       chrooted. This file may also be used to augment the server certificate
       trust chain, but it is best to include all the required certificates
       directly in the server certificate file.

       Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY the
       system-supplied default Certification Authority certificates.

       Specify "tls_append_default_CA = no" to prevent Postfix from appending
       the system-supplied default CAs and trusting third-party certificates.

       By default (see smtpd_tls_ask_ccert), client certificates are not
       requested, and smtpd_tls_CAfile should remain empty. If you do make use
       of client certificates, the distinguished names (DNs) of the
       Certification Authorities listed in smtpd_tls_CAfile are sent to the
       remote SMTP client in the client certificate request message. MUAs
       with multiple client certificates may use the list of preferred
       Certification Authorities to select the correct client certificate.
       You may want to put your "preferred" CA or CAs in this file, and
       install other trusted CAs in $smtpd_tls_CApath.

       Example:

       smtpd_tls_CAfile = /etc/postfix/CAcert.pem

       This feature is available in Postfix 2.2 and later.


smtpd_tls_CApath (default: empty)

       A directory containing (PEM format) CA certificates of root CAs
       trusted to sign either remote SMTP client certificates or intermediate
       CA certificates. Do not forget to create the necessary "hash" links
       with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To
       use smtpd_tls_CApath in chroot mode, this directory (or a copy) must
       be inside the chroot jail.

       Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to use ONLY
       the system-supplied default Certification Authority certificates.

       Specify "tls_append_default_CA = no" to prevent Postfix from appending
       the system-supplied default CAs and trusting third-party certificates.

       By default (see smtpd_tls_ask_ccert), client certificates are not
       requested, and smtpd_tls_CApath should remain empty. In contrast to
       smtpd_tls_CAfile, DNs of Certification Authorities installed in
       $smtpd_tls_CApath are not included in the client certificate request
       message. MUAs with multiple client certificates may use the list of
       preferred Certification Authorities to select the correct client
       certificate. You may want to put your "preferred" CA or CAs in
       $smtpd_tls_CAfile, and install the remaining trusted CAs in
       $smtpd_tls_CApath.

       Example:

       smtpd_tls_CApath = /etc/postfix/certs

       This feature is available in Postfix 2.2 and later.


smtpd_tls_always_issue_session_ids (default: yes)

       Force the Postfix SMTP server to issue a TLS session id, even when TLS
       session caching is turned off (smtpd_tls_session_cache_database is
       empty). This behavior is compatible with Postfix < 2.3.

       With Postfix 2.3 and later the Postfix SMTP server can disable session
       id generation when TLS session caching is turned off. This keeps
       remote SMTP clients from caching sessions that almost certainly cannot
       be re-used.

       By default, the Postfix SMTP server always generates TLS session ids.
       This works around a known defect in mail client applications such as
       MS Outlook, and may also prevent interoperability issues with other
       MTAs.

       Example:

       smtpd_tls_always_issue_session_ids = no

       This feature is available in Postfix 2.3 and later.


smtpd_tls_ask_ccert (default: no)

       Ask a remote SMTP client for a client certificate. This information is
       needed for certificate based mail relaying with, for example, the
       permit_tls_clientcerts feature.

       Some clients such as Netscape will either complain if no certificate
       is available (for the list of CAs in $smtpd_tls_CAfile) or will offer
       multiple client certificates to choose from. This may be annoying, so
       this option is "off" by default.

       This feature is available in Postfix 2.2 and later.


smtpd_tls_auth_only (default: no)

       When TLS encryption is optional in the Postfix SMTP server, do not
       announce or accept SASL authentication over unencrypted connections.

       This feature is available in Postfix 2.2 and later.


smtpd_tls_ccert_verifydepth (default: 9)

       The verification depth for remote SMTP client certificates. A depth of
       1 is sufficient if the issuing CA is listed in a local CA file.

       The default verification depth is 9 (the OpenSSL default) for
       compatibility with earlier Postfix behavior. Prior to Postfix 2.5, the
       default value was 5, but the limit was not actually enforced. If you
       have set this to a lower non-default value, certificates with longer
       trust chains may now fail to verify. Certificate chains with 1 or 2
       CAs are common, deeper chains are more rare and any number between 5
       and 9 should suffice in practice. You can choose a lower number if,
       for example, you trust certificates directly signed by an issuing CA
       but not any CAs it delegates to.

       This feature is available in Postfix 2.2 and later.


smtpd_tls_cert_file (default: empty)

       File with the Postfix SMTP server RSA certificate in PEM format. This
       file may also contain the Postfix SMTP server private RSA key. With
       Postfix >= 3.4 the preferred way to configure server keys and
       certificates is via the "smtpd_tls_chain_files" parameter.

       Public Internet MX hosts without certificates signed by a "reputable"
       CA must generate, and be prepared to present to most clients, a
       self-signed or private-CA signed certificate. The client will not be
       able to authenticate the server, but unless it is running Postfix 2.3
       or similar software, it will still insist on a server certificate.

       For servers that are not public Internet MX hosts, Postfix supports
       configurations with no certificates. This entails the use of just the
       anonymous TLS ciphers, which are not supported by typical SMTP
       clients. Since some clients may not fall back to plain text after a
       TLS handshake failure, a certificate-less Postfix SMTP server will be
       unable to receive email from some TLS-enabled clients. To avoid
       accidental configurations with no certificates, Postfix enables
       certificate-less operation only when the administrator explicitly
       sets "smtpd_tls_cert_file = none". This ensures that new Postfix SMTP
       server configurations will not accidentally enable TLS without
       certificates.

       Note that server certificates are not optional in TLS 1.3. To run
       without certificates you'd have to disable the TLS 1.3 protocol by
       including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also
       "smtpd_tls_mandatory_protocols". It is simpler instead to just
       configure a certificate chain. Certificate-less operation is not
       recommended.

       Both RSA and DSA certificates are supported. When both types are
       present, the cipher used determines which certificate will be
       presented to the client. For Netscape and OpenSSL clients without
       special cipher choices the RSA certificate is preferred.

       To enable a remote SMTP client to verify the Postfix SMTP server
       certificate, the issuing CA certificates must be made available to
       the client. You should include the required certificates in the
       server certificate file, the server certificate first, then the
       issuing CA(s) (bottom-up order).

       Example: the certificate for "server.example.com" was issued by
       "intermediate CA" which itself has a certificate of "root CA". Create
       the server.pem file with "cat server_cert.pem intermediate_CA.pem
       root_CA.pem > server.pem".

       If you also want to verify client certificates issued by these CAs,
       you can add the CA certificates to the smtpd_tls_CAfile, in which case
       it is not necessary to have them in the smtpd_tls_cert_file,
       smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.

       A certificate supplied here must be usable as an SSL server
       certificate and hence pass the "openssl verify -purpose sslserver ..."
       test.

       Example:

       smtpd_tls_cert_file = /etc/postfix/server.pem

       This feature is available in Postfix 2.2 and later.


smtpd_tls_chain_files (default: empty)

       List of one or more PEM files, each holding one or more private keys
       directly followed by a corresponding certificate chain. The file names
       are separated by commas and/or whitespace. This parameter obsoletes
       the legacy algorithm-specific key and certificate file settings. When
       this parameter is non-empty, the legacy parameters are ignored, and a
       warning is logged if any are also non-empty.

       With the proliferation of multiple private key algorithms, which as of
       OpenSSL 1.1.1 include DSA (obsolete), RSA, ECDSA, Ed25519 and Ed448,
       it is increasingly impractical to use separate parameters to configure
       the key and certificate chain for each algorithm. Therefore, Postfix
       now supports storing multiple keys and corresponding certificate
       chains in a single file or in a set of files.

       Each key must appear immediately before the corresponding certificate,
       optionally followed by additional issuer certificates that complete
       the certificate chain for that key. When multiple files are specified,
       they are equivalent to a single file that is concatenated from those
       files in the given order. Thus, while a key must always precede its
       certificate and issuer chain, it can be in a separate file, so long as
       that file is listed immediately before the file that holds the
       corresponding certificate chain. Once all the files are concatenated,
       the sequence of PEM objects must be: key1, cert1, [chain1], key2,
       cert2, [chain2], ..., keyN, certN, [chainN].

       Storing the private key in the same file as the corresponding
       certificate is more reliable. With the key and certificate in separate
       files, there is a chance that during key rollover a Postfix process
       might load a private key and certificate from separate files that
       don't match. Various operational errors may even result in a
       persistent broken configuration in which the certificate does not
       match the private key.

       The file or files must contain at most one key of each type. If, for
       example, two or more RSA keys and corresponding chains are listed,
       depending on the version of OpenSSL either only the last one will be
       used or a configuration error may be detected. Note that while
       "Ed25519" and "Ed448" are considered separate algorithms, the various
       ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
       considered as different parameters of a single "ECDSA" algorithm, so
       it is not presently possible to configure keys for more than one ECDSA
       curve.

       RSA is still the most widely supported algorithm. Presently (late
       2018), ECDSA support is common, but not yet universal, and Ed25519 and
       Ed448 support is mostly absent. Therefore, an RSA key should generally
       be configured, along with any additional keys for the other algorithms
       when desired.

       Example (separate files for each key and corresponding certificate
       chain):

           /etc/postfix/main.cf:
               smtpd_tls_chain_files =
                   ${config_directory}/ed25519.pem,
                   ${config_directory}/ed448.pem,
                   ${config_directory}/rsa.pem

           /etc/postfix/ed25519.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----

           /etc/postfix/ed448.pem:
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----

           /etc/postfix/rsa.pem:
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----

       Example (all keys and certificates in a single file):

           /etc/postfix/main.cf:
               smtpd_tls_chain_files = ${config_directory}/chains.pem

           /etc/postfix/chains.pem:
               -----BEGIN PRIVATE KEY-----
               MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
               ...
               nC0egv51YPDWxEHom4QA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
               LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
               ...
               pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
               -----END CERTIFICATE-----
               -----BEGIN PRIVATE KEY-----
               MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
               ...
               ahQkZ3+krcaJvDSMgvu0tDc=
               -----END PRIVATE KEY-----
               -----BEGIN CERTIFICATE-----
               MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
               ...
               Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
               -----END CERTIFICATE-----

       This feature is available in Postfix 3.4 and later.

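       The ordering rule described above (key, its certificate, optional
       issuer chain, at most one key per algorithm) can be checked before a
       bundle is deployed. The following is an added example, not part of
       postconf(5) or of Postfix itself: it decodes the PKCS#8 algorithm
       identifier of each key to tell the algorithms apart (legacy labels
       such as "RSA PRIVATE KEY" are mapped directly), uses the two complete
       keys from the ed25519.pem and ed448.pem examples above as sample
       input, and stands in a constructed placeholder certificate because
       the check only inspects certificate PEM labels, not their contents.

```python
# Added example (not Postfix code): check PEM files, in the order they would
# be listed in smtpd_tls_chain_files, against the rule key1, cert1, [chain1],
# key2, cert2, [chain2], ... with at most one private key per algorithm.
import base64
import re

PEM_OBJECT = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# DER-encoded OIDs found in the PKCS#8 privateKeyAlgorithm field.
KEY_OIDS = {
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01": "RSA",    # 1.2.840.113549.1.1.1
    b"\x2a\x86\x48\xce\x3d\x02\x01": "ECDSA",          # 1.2.840.10045.2.1
    b"\x2b\x65\x70": "Ed25519",                        # 1.3.101.112
    b"\x2b\x65\x71": "Ed448",                          # 1.3.101.113
}
# Legacy (pre-PKCS#8) PEM labels name the algorithm directly.
LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA",
                 "DSA PRIVATE KEY": "DSA"}


def _tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def pkcs8_algorithm(der):
    """Name the algorithm of a DER PKCS#8 PrivateKeyInfo (RFC 5208) blob."""
    tag, pos, _ = _tlv(der, 0)         # PrivateKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    _, _, pos = _tlv(der, pos)         # version INTEGER, skipped
    _, pos, _ = _tlv(der, pos)         # privateKeyAlgorithm ::= SEQUENCE
    tag, start, end = _tlv(der, pos)   # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    return KEY_OIDS.get(der[start:end], "unknown")


def key_algorithm(label, body):
    """Map one PEM private-key object (label, base64 body) to its algorithm."""
    if label == "PRIVATE KEY":
        return pkcs8_algorithm(base64.b64decode("".join(body.split())))
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("encrypted key; Postfix needs keys that load without a pass-phrase")
    if label in LEGACY_LABELS:
        return LEGACY_LABELS[label]
    raise ValueError("unsupported PEM object " + label)


def check_chain_files(*pem_files):
    """Concatenate the files in order, as Postfix does, and return a list of
    problems; empty means key / certificate / [issuers], one key per algorithm."""
    objects = PEM_OBJECT.findall("\n".join(pem_files))
    problems, seen, i = [], {}, 0
    while i < len(objects):
        label, body = objects[i]
        if not label.endswith("PRIVATE KEY"):
            problems.append(f"object {i}: {label} is not preceded by a private key")
            i += 1
            continue
        try:
            algo = key_algorithm(label, body)
        except ValueError as err:
            problems.append(f"object {i}: {err}")
            i += 1
            continue
        if algo in seen:
            problems.append(f"object {i}: second {algo} key (first was object {seen[algo]})")
        seen[algo] = i
        if i + 1 == len(objects) or objects[i + 1][0] != "CERTIFICATE":
            problems.append(f"object {i}: {algo} key is not immediately followed by its certificate")
        i += 1
        while i < len(objects) and objects[i][0] == "CERTIFICATE":
            i += 1                     # end-entity certificate, then optional issuers
    return problems


# Constructed sample input: the two complete keys from the ed25519.pem and
# ed448.pem examples above, plus a placeholder certificate (the check only
# reads certificate PEM labels, so no real certificate body is needed).
ED25519_KEY = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
-----END PRIVATE KEY-----
"""
ED448_KEY = """-----BEGIN PRIVATE KEY-----
MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
-----END PRIVATE KEY-----
"""
CERT = """-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(check_chain_files(ED25519_KEY + CERT, ED448_KEY + CERT + CERT))  # []
```

       A key listed in one file and its certificate in the next file is
       accepted, matching the concatenation rule; a certificate with no key
       before it, a second key of the same algorithm, or an encrypted key is
       reported.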

smtpd_tls_cipherlist (default: empty)

       Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
       list. It is easy to create interoperability problems by choosing a
       non-default cipher list. Do not use a non-default TLS cipherlist for
       MX hosts on the public Internet. Clients that begin the TLS handshake,
       but are unable to agree on a common cipher, may not be able to send
       any email to the SMTP server. Using a restricted cipher list may be
       more appropriate for a dedicated MSA or an internal mailhub, where one
       can exert some control over the TLS software and settings of the
       connecting clients.

       Note: do not use "" quotes around the parameter value.

       This feature is available with Postfix version 2.2. It is not used
       with Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.


smtpd_tls_ciphers (default: medium)

       The minimum TLS cipher grade that the Postfix SMTP server will use
       with opportunistic TLS encryption. Cipher types listed in
       smtpd_tls_exclude_ciphers are excluded from the base definition of the
       selected cipher grade. The default value is "medium" for Postfix
       releases after the middle of 2015, "export" for older releases.

       When TLS is mandatory the cipher grade is chosen via the
       smtpd_tls_mandatory_ciphers configuration parameter, see there for
       syntax details.

       This feature is available in Postfix 2.6 and later. With earlier
       Postfix releases only the smtpd_tls_mandatory_ciphers parameter is
       implemented, and opportunistic TLS always uses "export" or better
       (i.e. all) ciphers.


smtpd_tls_dcert_file (default: empty)

       File with the Postfix SMTP server DSA certificate in PEM format. This
       file may also contain the Postfix SMTP server private DSA key. The DSA
       algorithm is obsolete and should not be used.

       See the discussion under smtpd_tls_cert_file for more details.

       Example:

       smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem

       This feature is available in Postfix 2.2 and later.


smtpd_tls_dh1024_param_file (default: empty)

       File with DH parameters that the Postfix SMTP server should use with
       non-export EDH ciphers.

       Instead of using the exact same parameter sets as distributed with
       other TLS packages, it is more secure to generate your own set of
       parameters with something like the following commands:

           openssl dhparam -out /etc/postfix/dh512.pem 512
           openssl dhparam -out /etc/postfix/dh1024.pem 1024
           openssl dhparam -out /etc/postfix/dh2048.pem 2048

       It is safe to share the same DH parameters between multiple Postfix
       instances. If you prefer, you can generate separate parameters for
       each instance.

       If you want to take maximal advantage of ciphers that offer forward
       secrecy see the Getting started section of FORWARD_SECRECY_README. The
       full document conveniently presents all information about Postfix
       "perfect" forward secrecy support in one place: what forward secrecy
       is, how to tweak settings, and what you can expect to see when Postfix
       uses ciphers with forward secrecy.

       Example:

       smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

       This feature is available with Postfix version 2.2.


smtpd_tls_dh512_param_file (default: empty)

       File with DH parameters that the Postfix SMTP server should use with
       export-grade EDH ciphers. The default SMTP server cipher grade is
       "medium" with Postfix releases after the middle of 2015, and as a
       result export-grade cipher suites are by default not used.

       See also the discussion under the smtpd_tls_dh1024_param_file
       configuration parameter.

       Example:

       smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

       This feature is available with Postfix version 2.2.


smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)

       File with the Postfix SMTP server DSA private key in PEM format. This
       file may be combined with the Postfix SMTP server DSA certificate file
       specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete
       and should not be used.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to
       the system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.2 and later.


smtpd_tls_eccert_file (default: empty)

       File with the Postfix SMTP server ECDSA certificate in PEM format.
       This file may also contain the Postfix SMTP server private ECDSA key.
       With Postfix >= 3.4 the preferred way to configure server keys and
       certificates is via the "smtpd_tls_chain_files" parameter.

       See the discussion under smtpd_tls_cert_file for more details.

       Example:

       smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.


smtpd_tls_eckey_file (default: $smtpd_tls_eccert_file)

       File with the Postfix SMTP server ECDSA private key in PEM format.
       This file may be combined with the Postfix SMTP server ECDSA
       certificate file specified with $smtpd_tls_eccert_file. With Postfix
       >= 3.4 the preferred way to configure server keys and certificates is
       via the "smtpd_tls_chain_files" parameter.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to
       the system superuser account ("root"), and no access to anyone else.

       This feature is available in Postfix 2.6 and later, when Postfix is
       compiled and linked with OpenSSL 1.0.0 or later.


smtpd_tls_eecdh_grade (default: see postconf -d output)

       The Postfix SMTP server security grade for ephemeral elliptic-curve
       Diffie-Hellman (EECDH) key exchange.

       The available choices are:

       none   Don't use EECDH. Ciphers based on EECDH key exchange will be
              disabled. This is the default in Postfix versions 2.6 and 2.7.

       strong Use EECDH with approximately 128 bits of security at a
              reasonable computational cost. This is the current
              best-practice trade-off between security and computational
              efficiency. This is the default in Postfix version 2.8 and
              later.

       ultra  Use EECDH with approximately 192 bits of security at
              computational cost that is approximately twice as high as 128
              bit strength ECC. Barring significant progress in attacks on
              elliptic curve crypto-systems, the "strong" curve is sufficient
              for most users.

       auto   Use the most preferred curve that is supported by both the
              client and the server. This setting requires Postfix >= 3.2
              compiled and linked with OpenSSL >= 1.0.2. This is the default
              setting under the above conditions.

       If you want to take maximal advantage of ciphers that offer forward
       secrecy see the Getting started section of FORWARD_SECRECY_README. The
       full document conveniently presents all information about Postfix
       "perfect" forward secrecy support in one place: what forward secrecy
       is, how to tweak settings, and what you can expect to see when Postfix
       uses ciphers with forward secrecy.

       This feature is available in Postfix 2.6 and later, when it is
       compiled and linked with OpenSSL 1.0.0 or later on platforms where EC
       algorithms have not been disabled by the vendor.


smtpd_tls_exclude_ciphers (default: empty)

       List of ciphers or cipher types to exclude from the SMTP server cipher
       list at all TLS security levels. Excluding valid ciphers can create
       interoperability problems. DO NOT exclude ciphers unless it is
       essential to do so. This is not an OpenSSL cipherlist; it is a simple
       list separated by whitespace and/or commas. The elements are a single
       cipher, or one or more "+" separated cipher properties, in which case
       only ciphers matching all the properties are excluded.

       Examples (some of these will cause problems):

           smtpd_tls_exclude_ciphers = aNULL
           smtpd_tls_exclude_ciphers = MD5, DES
           smtpd_tls_exclude_ciphers = DES+MD5
           smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
           smtpd_tls_exclude_ciphers = kEDH+aRSA

       The first setting disables anonymous ciphers. The next setting
       disables ciphers that use the MD5 digest algorithm or the (single) DES
       encryption algorithm. The next setting disables ciphers that use MD5
       and DES together. The next setting disables the two ciphers
       "AES256-SHA" and "DES-CBC3-MD5". The last setting disables ciphers
       that use "EDH" key exchange with RSA authentication.

       This feature is available in Postfix 2.3 and later.


smtpd_tls_fingerprint_digest (default: md5)

       The message digest algorithm to construct remote SMTP
       client-certificate fingerprints or public key fingerprints (Postfix
       2.9 and later) for check_ccert_access and permit_tls_clientcerts. The
       default algorithm is md5, for backwards compatibility with Postfix
       releases prior to 2.5.

       Advances in hash function cryptanalysis have led to md5 being
       deprecated in favor of sha1. However, as long as there are no known
       "second pre-image" attacks against md5, its use in this context can
       still be considered safe.

       While additional digest algorithms are often available with OpenSSL's
       libcrypto, only those used by libssl in SSL cipher suites are
       available to Postfix.

       To find the fingerprint of a specific certificate file, with a
       specific digest algorithm, run:

           $ openssl x509 -noout -fingerprint -digest -in certfile.pem

       The text to the right of the "=" sign is the desired fingerprint. For
       example:

           $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
           SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A

       To extract the public key fingerprint from an X.509 certificate, you
       need to extract the public key from the certificate and compute the
       appropriate digest of its DER (ASN.1) encoding. With OpenSSL the
       "-pubkey" option of the "x509" command extracts the public key always
       in "PEM" format. We pipe the result to another OpenSSL command that
       converts the key to DER and then to the "dgst" command to compute the
       fingerprint.

       The actual command to transform the key to DER format depends on the
       version of OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey"
       command supports all key types. With OpenSSL 0.9.8 and earlier, the
       key type is always RSA (nobody uses DSA, and EC keys are not fully
       supported by 0.9.8), so the "rsa" command is used.

           # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
           $ openssl x509 -in cert.pem -noout -pubkey |
               openssl pkey -pubin -outform DER |
               openssl dgst -sha1 -c
           (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58

           # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
           $ openssl x509 -in cert.pem -noout -pubkey |
               openssl rsa -pubin -outform DER |
               openssl dgst -md5 -c
           (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50

       The Postfix SMTP server and client log the peer (leaf) certificate
       fingerprint and public key fingerprint when the TLS loglevel is 2 or
       higher.

       Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint
       incorrectly. To use public-key fingerprints, upgrade to Postfix 2.9.6
       or later.

       Example: client-certificate access table, with sha1 fingerprints:

           /etc/postfix/main.cf:
               smtpd_tls_fingerprint_digest = sha1
               smtpd_client_restrictions =
                   check_ccert_access hash:/etc/postfix/access,
                   reject
           /etc/postfix/access:
               # Action folded to next line...
               AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
                   OK
               85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
                   permit_auth_destination

       This feature is available in Postfix 2.5 and later.


smtpd_tls_key_file (default: $smtpd_tls_cert_file)

       File with the Postfix SMTP server RSA private key in PEM format. This
       file may be combined with the Postfix SMTP server RSA certificate file
       specified with $smtpd_tls_cert_file. With Postfix >= 3.4 the preferred
       way to configure server keys and certificates is via the
       "smtpd_tls_chain_files" parameter.

       The private key must be accessible without a pass-phrase, i.e. it must
       not be encrypted. File permissions should grant read-only access to
       the system superuser account ("root"), and no access to anyone else.


smtpd_tls_loglevel (default: 0)

       Enable additional Postfix SMTP server logging of TLS activity. Each
       logging level also includes the information that is logged at a lower
       logging level.

              0 Disable logging of TLS activity.

              1 Log only a summary message on TLS handshake completion - no
              logging of client certificate trust-chain verification errors
              if client certificate verification is not required. With
              Postfix 2.8 and earlier, log the summary message, peer
              certificate summary information and unconditionally log
              trust-chain verification errors.

              2 Also log levels during TLS negotiation.

              3 Also log hexadecimal and ASCII dump of TLS negotiation
              process.

              4 Also log hexadecimal and ASCII dump of complete transmission
              after STARTTLS.

       Do not use "smtpd_tls_loglevel = 2" or higher except in case of
       problems. Use of loglevel 4 is strongly discouraged.

       This feature is available in Postfix 2.2 and later.


smtpd_tls_mandatory_ciphers (default: medium)

11095       The minimum TLS cipher grade that the Postfix SMTP server will use with
11096       mandatory  TLS encryption. The default grade ("medium") is sufficiently
11097       strong that any benefit from globally restricting  TLS  sessions  to  a
11098       more  stringent  grade  is likely negligible, especially given the fact
11099       that many implementations still  do  not  offer  any  stronger  ("high"
11100       grade)  ciphers,  while  those  that  do,  will always use "high" grade
11101       ciphers. So insisting on "high" grade ciphers is generally counter-pro‐
11102       ductive.  Allowing  "export"  or  "low" ciphers is typically not a good
11103       idea, as  systems  limited  to  just  these  are  limited  to  obsolete
11104       browsers.  No  known SMTP clients fail to support at least one "medium"
11105       or "high" grade cipher.
11106
11107       The following cipher grades are supported:
11108
11109       export Enable "EXPORT" grade or stronger OpenSSL ciphers.  The underly‐
11110              ing  cipherlist  is specified via the tls_export_cipherlist con‐
11111              figuration parameter, which you are strongly encouraged  to  not
11112              change.  This choice is insecure and SHOULD NOT be used.
11113
11114       low    Enable  "LOW"  grade or stronger OpenSSL ciphers. The underlying
11115              cipherlist is specified via the tls_low_cipherlist configuration
11116              parameter,  which  you  are  strongly  encouraged to not change.
11117              This choice is insecure and SHOULD NOT be used.
11118
11119       medium Enable "MEDIUM" grade or stronger  OpenSSL  ciphers.  These  use
11120              128-bit  or  longer  symmetric bulk-encryption keys. This is the
11121              default minimum  strength  for  mandatory  TLS  encryption.  The
11122              underlying cipherlist is specified via the tls_medium_cipherlist
11123              configuration parameter, which you are  strongly  encouraged  to
11124              not change.
11125
11126       high   Enable   only  "HIGH"  grade  OpenSSL  ciphers.  The  underlying
11127              cipherlist is specified via the  tls_high_cipherlist  configura‐
11128              tion parameter, which you are strongly encouraged to not change.
11129
11130       null   Enable only the "NULL" OpenSSL ciphers; these provide
11131              authentication without encryption. This setting is only appropriate in
11132              the  rare case that all clients are prepared to use NULL ciphers
11133              (not normally enabled in TLS clients). The underlying cipherlist
11134              is  specified  via the tls_null_cipherlist configuration parame‐
11135              ter, which you are strongly encouraged to not change.
11136
11137       Cipher   types   listed   in   smtpd_tls_mandatory_exclude_ciphers   or
11138       smtpd_tls_exclude_ciphers  are excluded from the base definition of the
11139       selected cipher grade. See smtpd_tls_ciphers for cipher  controls  that
11140       apply to opportunistic TLS.
11141
11142       The  underlying cipherlists for grades other than "null" include anony‐
11143       mous ciphers, but these are automatically filtered out if the server is
11144       configured  to  ask  for remote SMTP client certificates.  You are very
11145       unlikely to need to take any steps to exclude anonymous  ciphers,  they
11146       are  excluded automatically as required.  If you must exclude anonymous
11147       ciphers even when Postfix does not need or use peer  certificates,  set
11148       "smtpd_tls_exclude_ciphers  = aNULL". To exclude anonymous ciphers only
11149       when  TLS  is  enforced,  set  "smtpd_tls_mandatory_exclude_ciphers   =
11150       aNULL".
11151
11152       This feature is available in Postfix 2.3 and later.
11153

smtpd_tls_mandatory_exclude_ciphers (default: empty)

11155       Additional  list of ciphers or cipher types to exclude from the Postfix
11156       SMTP server cipher list at mandatory TLS security  levels.   This  list
11157       works     in     addition     to    the    exclusions    listed    with
11158       smtpd_tls_exclude_ciphers (see there for syntax details).
11159
11160       This feature is available in Postfix 2.3 and later.
11161

smtpd_tls_mandatory_protocols (default: !SSLv2, !SSLv3)

11163       The SSL/TLS protocols accepted by the Postfix SMTP server  with  manda‐
11164       tory  TLS  encryption.  If  the  list is empty, the server supports all
11165       available SSL/TLS protocol versions.  A non-empty value is  a  list  of
11166       protocol names separated by whitespace, commas or colons. The sup‐
11167       ported names are "SSLv2", "SSLv3", "TLSv1" and, per the notes below,
11168       "TLSv1.1", "TLSv1.2" and "TLSv1.3"; case is ignored. The default value
11169       is "!SSLv2, !SSLv3" for releases after mid-2015, "!SSLv2" for older ones.
11170
11171       With Postfix >= 2.5 the parameter syntax was expanded to support proto‐
11172       col   exclusions.   One  can  explicitly  exclude  "SSLv2"  by  setting
11173       "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both  "SSLv2"  and
11174       "SSLv3"  set  "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
11175       the protocols to include, rather than protocols  to  exclude,  is  sup‐
11176       ported,  but  not  recommended. The exclusion form more closely matches
11177       the underlying OpenSSL interface semantics.
11178
11179       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"  and
11180       "TLSv1.2".  When  Postfix  <=  2.5  is  linked against OpenSSL 1.0.1 or
11181       later, these, or any other new protocol versions, cannot  be  disabled.
11182       The  latest patch levels of Postfix >= 2.6, and all versions of Postfix
11183       >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11184
11185       OpenSSL 1.1.1 introduces support for "TLSv1.3".  With  Postfix  >=  3.4
11186       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11187       abled, if need be, via "!TLSv1.3".
11188
11189       Example:
11190
11191       # Preferred syntax with Postfix >= 2.5:
11192       smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
11193       # Legacy syntax:
11194       smtpd_tls_mandatory_protocols = TLSv1
11195
11196       This feature is available in Postfix 2.3 and later.
11197

smtpd_tls_protocols (default: !SSLv2, !SSLv3)

11199       List of TLS protocols that the Postfix  SMTP  server  will  exclude  or
11200       include  with  opportunistic  TLS  encryption.  The  default  value  is
11201       "!SSLv2, !SSLv3" for Postfix releases after the middle of  2015,  empty
11202       for older releases allowing all protocols to be used with opportunistic
11203       TLS.  A non-empty value is a list of protocol names separated by white‐
11204       space, commas or colons. The supported names are "SSLv2", "SSLv3",
11205       "TLSv1" and, per the notes below, "TLSv1.1" to "TLSv1.3"; case is ignored.
11206
11207       Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1"  and
11208       "TLSv1.2".  The latest patch levels of Postfix >= 2.6, and all versions
11209       of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2".
11210
11211       OpenSSL 1.1.1 introduces support for "TLSv1.3".  With  Postfix  >=  3.4
11212       (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) this can be dis‐
11213       abled, if need be, via "!TLSv1.3".
11214
11215       To include a protocol list its name, to exclude  it,  prefix  the  name
11216       with  a  "!"  character.  To  exclude  SSLv2  for opportunistic TLS set
11217       "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
11218       "smtpd_tls_protocols  =  !SSLv2, !SSLv3". Explicitly listing the proto‐
11219       cols to include, rather than protocols to exclude,  is  supported,  but
11220       not  recommended.  The exclusion form more closely matches the underly‐
11221       ing OpenSSL interface semantics.
11222
11223       Example:
11224       smtpd_tls_protocols = !SSLv2, !SSLv3
11225
11226       This feature is available in Postfix 2.6 and later.
11227
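       smtpd_tls_mandatory_protocols and smtpd_tls_protocols share one syntax:
       separators, case-insensitive names, "!" exclusions, inclusion lists, and
       $name references resolved as described at the top of this manual. The
       following added example, which is not part of Postfix, models that
       syntax in Python: a small main.cf reader, a function that turns a
       protocol list into the set of versions it leaves enabled, and an audit
       that reports which legacy versions a configuration still accepts. The
       sample main.cf is constructed; the WEAK set and the assumption that
       TLSv1.1 through TLSv1.3 are all controllable (true for the Postfix and
       OpenSSL versions noted above) are this example's own choices.

```python
import re

# Protocol names Postfix recognizes in *_tls_protocols values, oldest first.
# Assumption: a Postfix/OpenSSL combination where every one of them can be
# disabled (see the version notes in the parameter descriptions).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

# Documented defaults for releases after mid-2015, used when main.cf is silent.
DEFAULTS = {
    "smtpd_tls_mandatory_protocols": "!SSLv2, !SSLv3",
    "smtpd_tls_protocols": "!SSLv2, !SSLv3",
}

# Versions this audit flags if still enabled (an auditor's choice, not Postfix's).
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

_REF = re.compile(r"\$(?:\{([A-Za-z0-9_]+)\}|([A-Za-z0-9_]+))")


def parse_main_cf(text):
    """Read main.cf logical lines into a dict, following the format rules in
    this manual: blank lines and lines whose first non-blank character is '#'
    are ignored, a line starting with whitespace continues the previous
    logical line, and whitespace around '=' and at line ends is dropped."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, value, depth=0):
    """Recursively replace $name and ${name}; an undefined name is empty."""
    if depth > 16:
        raise ValueError("parameter references nested too deeply")

    def repl(m):
        return expand(params, params.get(m.group(1) or m.group(2), ""), depth + 1)
    return _REF.sub(repl, value)


def effective_protocols(value):
    """Set of versions a *_tls_protocols value leaves enabled.

    Names may be separated by whitespace, commas or colons and are matched
    case-insensitively; a leading '!' excludes. If any name is listed without
    '!', only those names form the starting set, otherwise every version
    does; exclusions are then removed. Unknown names raise ValueError."""
    include, exclude = set(), set()
    for tok in re.split(r"[\s,:]+", value.strip()):
        if not tok:
            continue
        name = _CANON.get(tok.lstrip("!").lower())
        if name is None:
            raise ValueError("unknown protocol name %r" % tok)
        (exclude if tok.startswith("!") else include).add(name)
    base = include if include else set(ALL_PROTOCOLS)
    return base - exclude


def audit_protocols(main_cf_text):
    """For each smtpd protocol parameter, list the WEAK versions it still
    enables after parsing, $name expansion and defaulting."""
    params = parse_main_cf(main_cf_text)
    report = {}
    for name, default in DEFAULTS.items():
        enabled = effective_protocols(expand(params, params.get(name, default)))
        report[name] = sorted(enabled & WEAK, key=ALL_PROTOCOLS.index)
    return report


# Constructed sample main.cf (not from any real site).
SAMPLE_MAIN_CF = """\
# opportunistic TLS on port 25; exclusions reuse the mandatory list
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols,
    !TLSv1
"""

if __name__ == "__main__":
    for param, weak in audit_protocols(SAMPLE_MAIN_CF).items():
        print("%s still allows: %s" % (param, ", ".join(weak) or "nothing weak"))
```

       On the sample, the mandatory list still admits TLSv1 and TLSv1.1 while
       the opportunistic list, after expanding the reference and appending
       "!TLSv1", admits only TLSv1.1 of the flagged versions. Feed it the
       output of "postconf -n" to audit a live configuration.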

smtpd_tls_received_header (default: no)

11229       Request that the Postfix SMTP server produce Received: message head‐
11230       ers that include information about the protocol and cipher used, as
11231       well as the remote SMTP client CommonName and client certificate issuer
11232       CommonName.   This  is  disabled  by default, as the information may be
11233       modified in transit through other mail servers.  Only information  that
11234       was recorded by the final destination can be trusted.
11235
11236       This feature is available in Postfix 2.2 and later.
11237

smtpd_tls_req_ccert (default: no)

11239       With  mandatory  TLS  encryption,  require a trusted remote SMTP client
11240       certificate in order to allow TLS connections to proceed.  This  option
11241       implies "smtpd_tls_ask_ccert = yes".
11242
11243       When TLS encryption is optional, this setting is ignored with a warning
11244       written to the mail log.
11245
11246       This feature is available in Postfix 2.2 and later.
11247

smtpd_tls_security_level (default: empty)

11249       The SMTP TLS security  level  for  the  Postfix  SMTP  server;  when  a
11250       non-empty  value  is  specified, this overrides the obsolete parameters
11251       smtpd_use_tls and smtpd_enforce_tls. This  parameter  is  ignored  with
11252       "smtpd_tls_wrappermode = yes".
11253
11254       Specify one of the following security levels:
11255
11256       none   TLS will not be used.
11257
11258       may    Opportunistic  TLS:  announce  STARTTLS  support  to remote SMTP
11259              clients, but do not require that clients use TLS encryption.
11260
11261       encrypt
11262              Mandatory TLS encryption: announce STARTTLS  support  to  remote
11263              SMTP  clients,  and  require  that  clients  use TLS encryption.
11264              According to RFC 2487 this MUST NOT be applied in case of a pub‐
11265              licly-referenced  SMTP  server.  Instead,  this option should be
11266              used only on dedicated servers.
11267
11268       Note 1: the "fingerprint", "verify" and "secure" levels  are  not  sup‐
11269       ported here.  The Postfix SMTP server logs a warning and uses "encrypt"
11270       instead.  To verify remote SMTP client certificates, see TLS_README for
11271       a  discussion of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and per‐
11272       mit_tls_clientcerts features.
11273
11274       Note 2: The  parameter  setting  "smtpd_tls_security_level  =  encrypt"
11275       implies "smtpd_tls_auth_only = yes".
11276
11277       Note  3:  when  invoked  via  "sendmail  -bs", Postfix will never offer
11278       STARTTLS due to insufficient privileges to access  the  server  private
11279       key. This is intended behavior.
11280
11281       This feature is available in Postfix 2.3 and later.
11282

smtpd_tls_session_cache_database (default: empty)

11284       Name  of  the file containing the optional Postfix SMTP server TLS ses‐
11285       sion cache. Specify a database type that supports enumeration, such  as
11286       btree or sdbm; there is no need to support concurrent access.  The file
11287       is created if it does not exist. The smtpd(8) daemon does not use  this
11288       parameter  directly,  rather the cache is implemented indirectly in the
11289       tlsmgr(8) daemon. This means that  per-smtpd-instance  master.cf  over‐
11290       rides of this parameter are not effective. Note, that each of the cache
11291       databases supported by tlsmgr(8) daemon: $smtpd_tls_session_cache_data‐
11292       base,  $smtp_tls_session_cache_database (and with Postfix 2.3 and later
11293       $lmtp_tls_session_cache_database), needs to be stored separately. It is
11294       not  at  this  time possible to store multiple caches in a single data‐
11295       base.
11296
11297       Note: dbm databases are not  suitable.  TLS  session  objects  are  too
11298       large.
11299
11300       As  of version 2.5, Postfix no longer uses root privileges when opening
11301       this file. The file  should  now  be  stored  under  the  Postfix-owned
11302       data_directory. As a migration aid, an attempt to open the file under a
11303       non-Postfix directory is redirected to  the  Postfix-owned  data_direc‐
11304       tory, and a warning is logged.
11305
11306       As  of  Postfix  2.11 the preferred mechanism for session resumption is
11307       RFC 5077 TLS session tickets, which don't require server-side  storage.
11308       Consequently,  for  Postfix  >= 2.11 this parameter should generally be
11309       left empty.  TLS session tickets require an OpenSSL library  (at  least
11310       version 0.9.8h) that provides full support for this TLS extension.  See
11311       also smtpd_tls_session_cache_timeout.
11312
11313       Example:
11314
11315       smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
11316
11317       This feature is available in Postfix 2.2 and later.
11318

smtpd_tls_session_cache_timeout (default: 3600s)

11320       The expiration time of Postfix SMTP server TLS session  cache  informa‐
11321       tion.  A  cache cleanup is performed periodically every $smtpd_tls_ses‐
11322       sion_cache_timeout seconds. As with  $smtpd_tls_session_cache_database,
11323       this  parameter  is  implemented  in the tlsmgr(8) daemon and therefore
11324       per-smtpd-instance master.cf overrides are not possible.
11325
11326       As of Postfix 2.11 this setting cannot exceed 100 days.  If set  <=  0,
11327       session  caching  is  disabled, not just via the database, but also via
11328       RFC 5077 TLS session tickets, which don't require server-side  storage.
11329       If  set to a positive value less than 2 minutes, the minimum value of 2
11330       minutes is used  instead.   TLS  session  tickets  require  an  OpenSSL
11331       library  (at  least version 0.9.8h) that provides full support for this
11332       TLS extension.
11333
11334       This feature is available in Postfix 2.2 and later, and updated for TLS
11335       session ticket support in Postfix 2.11.
11336

smtpd_tls_wrappermode (default: no)

11338       Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
11339       of using the STARTTLS command.
11340
11341       If you want to support this service, enable  a  special  port  in  mas‐
11342       ter.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP server's
11343       command line. Port 465 (smtps) was once chosen for this purpose.
11344
11345       This feature is available in Postfix 2.2 and later.
11346

smtpd_upstream_proxy_protocol (default: empty)

11348       The name of the proxy protocol used by an optional  before-smtpd  proxy
11349       agent.  When  a  proxy  agent  is used, this protocol conveys local and
11350       remote      address      and      port      information.        Specify
11351       "smtpd_upstream_proxy_protocol  = haproxy" to enable the haproxy proto‐
11352       col; version 2 is supported with Postfix 3.5 and later.
11353
11354       NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT protocol
11355       with  smtpd_authorized_xclient_hosts. This supports SASL authentication
11356       in the proxy agent (Postfix 2.9 and later).
11357
11358       This feature is available in Postfix 2.10 and later.
11359
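       The haproxy protocol named above is a single header line sent by the
       proxy before any SMTP traffic. Postfix honors that header on every
       connection to a listener configured with this parameter, so the listener
       must be reachable only from the proxy (a dedicated port behind a
       firewall); otherwise any client could claim an arbitrary source address
       and sidestep address-based access rules. The following added example,
       not Postfix code, builds and parses the version 1 header and models that
       trust decision in Python; the addresses, ports and proxy list are
       constructed.

```python
import ipaddress

MAX_V1_LINE = 107  # longest valid v1 header, CRLF included, per the spec


def build_proxy_v1(src, dst, sport, dport):
    """The v1 line a proxy sends before any SMTP banner, e.g.
    b'PROXY TCP4 192.0.2.10 198.51.100.25 51234 25\\r\\n'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination address families differ")
    fam = "TCP4" if s.version == 4 else "TCP6"
    return ("PROXY %s %s %s %d %d\r\n" % (fam, s, d, sport, dport)).encode("ascii")


def parse_proxy_v1(data):
    """Split a connection's first bytes into (info, rest).

    info is a dict (family, src, dst, sport, dport) or None for
    "PROXY UNKNOWN"; rest is whatever follows the header and belongs to
    the SMTP session. Anything malformed raises ValueError, which a
    receiver should answer by closing the connection."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0:
        raise ValueError("no CRLF within %d bytes" % MAX_V1_LINE)
    fields, rest = data[:end].split(b" "), data[end + 2:]
    if fields[0] != b"PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == b"UNKNOWN":
        return None, rest
    if len(fields) != 6:
        raise ValueError("expected 6 fields, got %d" % len(fields))
    fam = fields[1].decode("ascii")
    if fam not in ("TCP4", "TCP6"):
        raise ValueError("unsupported family %r" % fam)
    src = ipaddress.ip_address(fields[2].decode("ascii"))
    dst = ipaddress.ip_address(fields[3].decode("ascii"))
    want = 4 if fam == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address does not match family %s" % fam)
    ports = []
    for f in fields[4:6]:
        if not f.isdigit() or len(f) > 5 or int(f) > 65535:
            raise ValueError("bad port %r" % f)
        ports.append(int(f))
    return {"family": fam, "src": src, "dst": dst,
            "sport": ports[0], "dport": ports[1]}, rest


def client_address(peer_ip, first_bytes, proxies):
    """Model of the trust decision a deployment must make by network
    placement: the forwarded source is believed only when the TCP peer is
    one of the known proxies. Any other peer could send a forged header,
    so its own address is used and its bytes are left for smtpd to reject."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in {ipaddress.ip_address(p) for p in proxies}:
        return peer, first_bytes
    info, rest = parse_proxy_v1(first_bytes)
    return (peer if info is None else info["src"]), rest


if __name__ == "__main__":
    hdr = build_proxy_v1("192.0.2.10", "198.51.100.25", 51234, 25)
    addr, rest = client_address("10.0.0.5", hdr + b"EHLO mail.example\r\n", ["10.0.0.5"])
    print("via trusted proxy, client is", addr, "session starts with", rest)
    addr, _ = client_address("203.0.113.7", hdr, ["10.0.0.5"])
    print("from untrusted peer, client is", addr)
```

       Postfix itself has no proxy allow-list for this parameter; the
       client_address check stands in for what the listener's port and
       firewall rules must guarantee.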

smtpd_upstream_proxy_timeout (default: 5s)

11361       The  time  limit  for   the   proxy   protocol   specified   with   the
11362       smtpd_upstream_proxy_protocol parameter.
11363
11364       This feature is available in Postfix 2.10 and later.
11365

smtpd_use_tls (default: no)

11367       Opportunistic  TLS:  announce  STARTTLS support to remote SMTP clients,
11368       but do not require that clients use TLS encryption.
11369
11370       Note: when invoked via "sendmail -bs", Postfix will never offer  START‐
11371       TLS  due  to  insufficient privileges to access the server private key.
11372       This is intended behavior.
11373
11374       This feature is available in Postfix 2.2 and later.  With  Postfix  2.3
11375       and later use smtpd_tls_security_level instead.
11376

smtputf8_autodetect_classes (default: sendmail, verify)

11378       Detect  that a message requires SMTPUTF8 support for the specified mail
11379       origin classes.  This is a workaround to avoid chicken-and-egg problems
11380       during  the initial SMTPUTF8 roll-out in environments with pre-existing
11381       mail flows that contain UTF8. Those mail flows should not break because
11382       Postfix  suddenly refuses to deliver such mail to down-stream MTAs that
11383       don't announce SMTPUTF8 support.
11384
11385       The problem is that Postfix cannot rely solely on the sender's declara‐
11386       tion  that  a  message  requires  SMTPUTF8 support, because UTF8 may be
11387       introduced during local processing (for example, the client hostname in
11388       Postfix's  Received:  header,  adding  @$myorigin  or  .$mydomain to an
11389       incomplete address, address rewriting, alias expansion,  automatic  BCC
11390       recipients, local forwarding, and changes made by header checks or Mil‐
11391       ter applications).
11392
11393       For now, the default is to  enable  "SMTPUTF8  required"  autodetection
11394       only  for Postfix sendmail command-line submissions and address verifi‐
11395       cation probes.  This may change once SMTPUTF8  support  achieves  world
11396       domination.   However, sites that add UTF8 content via local processing
11397       (see above) should autodetect the need for  SMTPUTF8  support  for  all
11398       email.
11399
11400       Specify one or more of the following:
11401
11402        sendmail
11403              Submission with the Postfix sendmail(1) command.
11404
11405        smtpd Mail received with the smtpd(8) daemon.
11406
11407        qmqpd Mail received with the qmqpd(8) daemon.
11408
11409        forward
11410              Local  forwarding  or aliasing.  When a message is received with
11411              "SMTPUTF8 required", then the forwarded (aliased) message always
11412              has "SMTPUTF8 required".
11413
11414        bounce
11415              Submission  by the bounce(8) daemon.  When a message is received
11416              with "SMTPUTF8 required", then the delivery status  notification
11417              always has "SMTPUTF8 required".
11418
11419        notify
11420              Postmaster notification from the smtp(8) or smtpd(8) daemon.
11421
11422        verify
11423              Address verification probe from the verify(8) daemon.
11424
11425        all   Enable SMTPUTF8 autodetection for all mail.
11426
11427       This feature is available in Postfix 3.0 and later.
11428

smtputf8_enable (default: yes)

11430       Enable  preliminary SMTPUTF8 support for the protocols described in RFC
11431       6531..6533. This requires that Postfix is built to support these proto‐
11432       cols.
11433
11434       This feature is available in Postfix 3.0 and later.
11435

soft_bounce (default: no)

11437       Safety  net to keep mail queued that would otherwise be returned to the
11438       sender.  This parameter disables locally-generated bounces, changes the
11439       handling  of negative responses from remote servers, content filters or
11440       plugins, and prevents the Postfix SMTP server from rejecting mail  per‐
11441       manently by changing 5xx reply codes into 4xx.  However, soft_bounce is
11442       no cure for address rewriting mistakes or mail routing mistakes.
11443
11444       Note: "soft_bounce = yes" is in some  cases  implemented  by  modifying
11445       server  responses. Therefore, the response that Postfix logs may differ
11446       from the response that Postfix actually sends or receives.
11447
11448       Example:
11449
11450       soft_bounce = yes
11451

stale_lock_time (default: 500s)

11453       The time after which a stale exclusive  mailbox  lockfile  is  removed.
11454       This is used for delivery to file or mailbox.
11455
11456       Time  units:  s (seconds), m (minutes), h (hours), d (days), w (weeks).
11457       The default time unit is s (seconds).
11458

stress (default: empty)

11460       This feature is documented in the STRESS_README document.
11461
11462       This feature is available in Postfix 2.5 and later.
11463

strict_7bit_headers (default: no)

11465       Reject mail with 8-bit text in message headers. This blocks  mail  from
11466       poorly written applications.
11467
11468       This  feature  should  not be enabled on a general purpose mail server,
11469       because it is likely to reject legitimate email.
11470
11471       This feature is available in Postfix 2.0 and later.
11472

strict_8bitmime (default: no)

11474       Enable both strict_7bit_headers and strict_8bitmime_body.
11475
11476       This feature should not be enabled on a general  purpose  mail  server,
11477       because it is likely to reject legitimate email.
11478
11479       This feature is available in Postfix 2.0 and later.
11480

strict_8bitmime_body (default: no)

11482       Reject  8-bit  message  body  text  without 8-bit MIME content encoding
11483       information.  This blocks mail from poorly written applications.
11484
11485       Unfortunately, this also rejects majordomo approval requests  when  the
11486       included request contains valid 8-bit MIME mail, and it rejects bounces
11487       from mailers that do not MIME encapsulate 8-bit content  (for  example,
11488       bounces from qmail or from old versions of Postfix).
11489
11490       This  feature  should  not be enabled on a general purpose mail server,
11491       because it is likely to reject legitimate email.
11492
11493       This feature is available in Postfix 2.0 and later.
11494

strict_mailbox_ownership (default: yes)

11496       Defer delivery when a mailbox file is not owned by its recipient.   The
11497       default setting is not backwards compatible.
11498
11499       This feature is available in Postfix 2.5.3 and later.
11500

strict_mime_encoding_domain (default: no)

11502       Reject mail with invalid Content-Transfer-Encoding: information for the
11503       message/* or multipart/* MIME content types.   This  blocks  mail  from
11504       poorly written software.
11505
11506       This  feature  should  not be enabled on a general purpose mail server,
11507       because it will reject mail after a single violation.
11508
11509       This feature is available in Postfix 2.0 and later.
11510

strict_rfc821_envelopes (default: no)

11512       Require that addresses received in SMTP MAIL FROM and RCPT TO  commands
11513       are  enclosed  with <>, and that those addresses do not contain RFC 822
11514       style comments or phrases.  This stops mail from poorly  written  soft‐
11515       ware.
11516
11517       By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM
11518       and RCPT TO addresses.
11519

strict_smtputf8 (default: no)

11521       Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix  SMTP
11522       server  accepts UTF8 sender or recipient addresses only when the client
11523       requests an SMTPUTF8 mail transaction.
11524
11525       This feature is available in Postfix 3.0 and later.
11526

sun_mailtool_compatibility (default: no)

11528       Obsolete  SUN  mailtool  compatibility  feature.  Instead,  use  "mail‐
11529       box_delivery_lock = dotlock".
11530

swap_bangpath (default: yes)

11532       Enable  the  rewriting of "site!user" into "user@site".  This is neces‐
11533       sary if your machine is connected to UUCP networks.  It is  enabled  by
11534       default.
11535
11536       Note:  with  Postfix version 2.2, message header address rewriting hap‐
11537       pens only when one of the following conditions is true:
11538
11539       ·      The message is received with the Postfix sendmail(1) command,
11540
11541       ·      The message is received  from  a  network  client  that  matches
11542              $local_header_rewrite_clients,
11543
11544       ·      The   message   is   received   from   the   network,   and  the
11545              remote_header_rewrite_domain  parameter  specifies  a  non-empty
11546              value.
11547
11548       To   get   the   behavior   before   Postfix   version   2.2,   specify
11549       "local_header_rewrite_clients = static:all".
11550
11551       Example:
11552
11553       swap_bangpath = no
11554

syslog_facility (default: mail)

11556       The syslog facility of Postfix logging. Specify a facility  as  defined
11557       in syslog.conf(5). The default facility is "mail".
11558
11559       Warning:  a non-default syslog_facility setting takes effect only after
11560       a Postfix process has completed initialization.  Errors during  process
11561       initialization  will be logged with the default facility.  Examples are
11562       errors while parsing the  command  line  arguments,  and  errors  while
11563       accessing the Postfix main.cf configuration file.
11564

syslog_name (default: see postconf -d output)

11566       A  prefix  that  is prepended to the process name in syslog records, so
11567       that, for example, "smtpd" becomes "prefix/smtpd".
11568
11569       Warning: a non-default syslog_name setting takes effect  only  after  a
11570       Postfix  process  has  completed  initialization. Errors during process
11571       initialization will be logged  with  the  default  name.  Examples  are
11572       errors  while  parsing  the  command  line  arguments, and errors while
11573       accessing the Postfix main.cf configuration file.
11574

tcp_windowsize (default: 0)

11576       An optional workaround for  routers  that  break  TCP  window  scaling.
11577       Specify  a  value > 0 and < 65536 to enable this feature.  With Postfix
11578       TCP servers (smtpd(8), qmqpd(8)), this feature is  implemented  by  the
11579       Postfix master(8) daemon.
11580
11581       To  change  this  parameter without stopping Postfix, you need to first
11582       terminate all Postfix TCP servers:
11583
11584           # postconf -e master_service_disable=inet
11585           # postfix reload
11586
11587       This immediately terminates all processes that accept  network  connec‐
11588       tions.   Next, you enable Postfix TCP servers with the updated tcp_win‐
11589       dowsize setting:
11590
11591           # postconf -e tcp_windowsize=65535 master_service_disable=
11592           # postfix reload
11593
11594       If you skip these  steps  with  a  running  Postfix  system,  then  the
11595       tcp_windowsize  change will work only for Postfix TCP clients (smtp(8),
11596       lmtp(8)).
11597
11598       This feature is available in Postfix 2.6 and later.
11599

tls_append_default_CA (default: no)

11601       Append the system-supplied default Certification Authority certificates
11602       to  the  ones specified with *_tls_CApath or *_tls_CAfile.  The default
11603       is "no"; this prevents Postfix from trusting  third-party  certificates
11604       and giving them relay permission with permit_tls_all_clientcerts.
11605
11606       This  feature  is available in Postfix 2.4.15, 2.5.11, 2.6.8, 2.7.2 and
11607       later versions. Specify "tls_append_default_CA  =  yes"  for  backwards
11608       compatibility,  to  avoid  breaking certificate verification with sites
11609       that don't use permit_tls_all_clientcerts.
11610

tls_daemon_random_bytes (default: 32)

11612       The number of pseudo-random bytes that an smtp(8) or  smtpd(8)  process
11613       requests from the tlsmgr(8) server in order to seed its internal pseudo
11614       random number generator (PRNG).  The default of 32 bytes (equivalent to
11615       256 bits) is sufficient to generate a 128bit (or 168bit) session key.
11616
11617       This feature is available in Postfix 2.2 and later.
11618

tls_dane_digest_agility (default: on)

11620       Configure  RFC7671  DANE  TLSA digest algorithm agility.  Do not change
11621       this setting from its default value.
11622
11623       See Section 8 of RFC7671 for correct key rotation procedures.
11624
11625       This feature is available in Postfix 2.11 through 3.1.  Postfix 3.2 and
11626       later  ignore this configuration parameter and behave as though it were
11627       set to "on".
11628

tls_dane_digests (default: sha512 sha256)

11630       DANE TLSA (RFC 6698, RFC  7671,  RFC  7672)  resource-record  "matching
11631       type" digest algorithms in descending preference order.  All the speci‐
11632       fied algorithms must be supported by the  underlying  OpenSSL  library,
11633       otherwise the Postfix SMTP client will not support DANE TLSA security.
11634
11635       Specify  a  list of digest names separated by commas and/or whitespace.
11636       Each digest name may be followed by  an  optional  "=<number>"  suffix.
11637       For  example,  "sha512"  may  instead  be  specified  as "sha512=2" and
11638       "sha256" may instead be specified as "sha256=1".  The  optional  number
11639       must match the IANA assigned TLSA matching type number for the
11640       algorithm in question (see
11641       https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types).
11642       Postfix checks this for the algorithms it knows about. Additional matching type
11643       algorithms registered with IANA can be added with explicit numbers pro‐
11644       vided they are supported by OpenSSL.
11645
11646       Invalid list elements are logged with a warning and disable  DANE  sup‐
11647       port.   TLSA  RRs  that  specify  digests  not included in the list are
11648       ignored with a warning.
11649
11650       Note: It is unwise to omit sha256 from the digest  list.   This  digest
11651       algorithm  is  the  only mandatory to implement digest algorithm in RFC
11652       6698, and many servers are expected to publish TLSA records with just
11653       sha256  digests.   Unless one of the standard digests is seriously com‐
11654       promised and servers have had ample time to update their  TLSA  records
11655       you  should  not  omit any standard digests, just arrange them in order
11656       from strongest to weakest.
11657
11658       This feature is available in Postfix 2.11 and later.
11659
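       The list syntax and the IANA number constraint above, together with the
       RFC 7671 section 8 digest agility that tls_dane_digest_agility refers
       to, are modeled in the following added example (not Postfix code). The
       TLSA records are constructed tuples of (usage, selector, matching type,
       data); matching types 0, 1 and 2 are the IANA Full, SHA2-256 and
       SHA2-512 assignments. The agility rule as implemented here is this
       example's reading of the RFC: within one usage/selector group only the
       most preferred digest present is used, and Full(0) records are always
       kept.

```python
# IANA TLSA "matching type" assignments (RFC 6698 section 2.1.3).
FULL = 0                                    # whole certificate or SPKI, no digest
IANA_MATCHING_TYPES = {"sha256": 1, "sha512": 2}


def parse_dane_digests(value):
    """Return [(name, matching type), ...] in preference order.

    Elements are separated by commas and/or whitespace; "name=<number>" is
    accepted only when the number is the IANA value for a name known here.
    A name not known here needs an explicit number. Invalid elements raise
    ValueError, which Postfix would log and answer by disabling DANE."""
    digests = []
    for tok in value.replace(",", " ").split():
        name, _, num = tok.partition("=")
        name, known = name.lower(), IANA_MATCHING_TYPES.get(name.lower())
        if num:
            if not num.isdigit():
                raise ValueError("bad matching type number in %r" % tok)
            if known is not None and int(num) != known:
                raise ValueError("%s is matching type %d, not %s" % (name, known, num))
            digests.append((name, int(num)))
        elif known is not None:
            digests.append((name, known))
        else:
            raise ValueError("unknown digest %r needs an explicit =<number>" % name)
    return digests


def digest_list_warnings(digests):
    """Non-fatal advice: sha256 is the one digest RFC 6698 requires."""
    if "sha256" not in [n for n, _ in digests]:
        return ["sha256 omitted; TLSA RRsets that carry only sha256 digests "
                "will be unusable"]
    return []


def usable_tlsa(rrs, digests):
    """Filter TLSA records (usage, selector, mtype, data) by the digest list.

    Records whose matching type is not listed are dropped. Within each
    (usage, selector) group only records with the most preferred listed
    digest are kept, the RFC 7671 section 8 agility rule; Full(0) records
    carry no digest and are always kept."""
    rank = {mtype: i for i, (_, mtype) in enumerate(digests)}
    groups = {}
    for rr in rrs:
        usage, selector, mtype, _ = rr
        if mtype == FULL or mtype in rank:
            groups.setdefault((usage, selector, mtype == FULL), []).append(rr)
    kept = []
    for (usage, selector, is_full), members in groups.items():
        best = 0 if is_full else min(rank[rr[2]] for rr in members)
        kept.extend(rr for rr in members if is_full or rank[rr[2]] == best)
    return kept


# Constructed TLSA RRset for one name: a DANE-EE(3)/SPKI(1) pair published
# with both digests during a rotation, a DANE-TA(2) cert digest, a Full(0)
# record, and one with a matching type no client here supports.
SAMPLE_RRS = [
    (3, 1, 1, "sha256-of-current-spki"),
    (3, 1, 2, "sha512-of-current-spki"),
    (2, 0, 1, "sha256-of-issuer-cert"),
    (3, 1, 0, "full-spki-bytes"),
    (3, 1, 3, "digest-of-unknown-type"),
]

if __name__ == "__main__":
    prefs = parse_dane_digests("sha512=2, sha256=1")
    for rr in usable_tlsa(SAMPLE_RRS, prefs):
        print("use", rr)
    print(digest_list_warnings(parse_dane_digests("sha512")))
```

       With the default order the sha512 record wins within the DANE-EE group
       and its sha256 twin is ignored, which is why a rotation must publish
       the new key under every digest before retiring the old one.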

tls_dane_trust_anchor_digest_enable (default: yes)

11661       Enable support for RFC  6698  (DANE  TLSA)  DNS  records  that  contain
11662       digests  of  trust-anchors  with  certificate usage "2".  Do not change
11663       this setting from its default value.
11664
11665       This feature is available in Postfix 2.11 through  3.1.   It  has  been
11666       withdrawn  in  Postfix 3.2, as trust-anchor TLSA records are now widely
11667       used and have proved sufficiently  reliable.   Postfix  3.2  and  later
11668       ignore this configuration parameter and behave as though it were set
11669       to "yes".
11670

tls_disable_workarounds (default: see postconf -d output)

       List or bit-mask of OpenSSL bug work-arounds to disable.

       The OpenSSL toolkit includes a set of work-arounds  for  buggy  SSL/TLS
       implementations.  Applications,  such as Postfix, that want to maximize
       interoperability ask the OpenSSL library to enable the full set of rec‐
       ommended work-arounds.

       From  time to time, it is discovered that a work-around creates a secu‐
       rity issue, and should no longer be used. If  upgrading  OpenSSL  to  a
       fixed  version  is  not  an  option or an upgrade is not available in a
       timely manner, or in closed environments  where  no  buggy  clients  or
       servers  exist,  it  may  be  appropriate to disable some or all of the
       OpenSSL interoperability work-arounds. This parameter  specifies  which
       bug work-arounds to disable.

       If  the  value  of the parameter is a hexadecimal long integer starting
       with "0x", the bug work-arounds corresponding to the bits specified  in
       its  value  are  removed  from the SSL_OP_ALL work-around bit-mask (see
       openssl/ssl.h and SSL_CTX_set_options(3)). You can  specify  more  bits
       than are present in SSL_OP_ALL; excess  bits  are  ignored.  Specifying
       0xFFFFFFFF disables all bug work-arounds on a 32-bit system. This should
       also  be  sufficient  on 64-bit systems, until OpenSSL abandons support
       for 32-bit systems and starts using  the  high  32  bits  of  a  64-bit
       bug work-around mask.

       Otherwise,  the  parameter  is a white-space or comma separated list of
       specific named bug work-arounds chosen from the list below. It is  pos‐
       sible  that  your  OpenSSL  version includes new bug work-arounds added
       after your Postfix source code was last updated; in that case  you  can
       only disable one of these via the hexadecimal syntax above.

       CRYPTOPRO_TLSEXT_BUG
              New with GOST support in OpenSSL 1.0.0.

       DONT_INSERT_EMPTY_FRAGMENTS
              See SSL_CTX_set_options(3).

       LEGACY_SERVER_CONNECT
              See SSL_CTX_set_options(3).

       MICROSOFT_BIG_SSLV3_BUFFER
              See SSL_CTX_set_options(3).

       MICROSOFT_SESS_ID_BUG
              See SSL_CTX_set_options(3).

       MSIE_SSLV2_RSA_PADDING
              Also  aliased  as  CVE-2005-2969.  Postfix  2.8  disables  this
              work-around by default with OpenSSL versions  that  may  predate
              the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.

       NETSCAPE_CHALLENGE_BUG
              See SSL_CTX_set_options(3).

       NETSCAPE_REUSE_CIPHER_CHANGE_BUG
              Also  aliased  as  CVE-2010-4180.  Postfix  2.8  disables  this
              work-around by default with OpenSSL versions  that  may  predate
              the fix. Fixed in OpenSSL 0.9.8q and OpenSSL 1.0.0c.

       SSLEAY_080_CLIENT_DH_BUG
              See SSL_CTX_set_options(3).

       SSLREF2_REUSE_CERT_TYPE_BUG
              See SSL_CTX_set_options(3).

       TLS_BLOCK_PADDING_BUG
              See SSL_CTX_set_options(3).

       TLS_D5_BUG
              See SSL_CTX_set_options(3).

       TLS_ROLLBACK_BUG
              See  SSL_CTX_set_options(3).   This is disabled in OpenSSL 0.9.7
              and later. Nobody should still be using 0.9.6!

       TLSEXT_PADDING
              Postfix >= 3.4. See SSL_CTX_set_options(3).

       This feature is available in Postfix 2.8 and later.


tls_eecdh_auto_curves (default: see postconf -d output)

       The prioritized list of elliptic curves supported by the  Postfix  SMTP
       client  and  server.   These curves are used by the Postfix SMTP server
       when "smtpd_tls_eecdh_grade =  auto".   The  selected  curves  must  be
       implemented  by OpenSSL and be standardized for use in TLS (RFC 4492 or
       its imminent successor).  It is unwise  to  list  only  "bleeding-edge"
       curves  supported  by  a  small subset of clients.  The default list is
       suitable for most users.

       Postfix skips curve names that are unknown  to  OpenSSL,  or  that  are
       known  but not yet implemented.  This makes it possible to "anticipate"
       support for curves that should be used once they become available.   In
       particular,  in some OpenSSL versions, the new RFC 8031 curves "X25519"
       and "X448" may be known by name, but ECDH support for  either  or  both
       may  be  missing.  These curves may appear in the default value of this
       parameter, even though they'll only be usable with  later  versions  of
       OpenSSL.

       This feature is available in Postfix 3.2 and later, when it is compiled
       and linked with OpenSSL 1.0.2 or later on platforms where EC algorithms
       have not been disabled by the vendor.


tls_eecdh_strong_curve (default: prime256v1)

       The  elliptic curve used by the Postfix SMTP server for sensibly strong
       ephemeral ECDH key exchange. This curve is used  by  the  Postfix  SMTP
       server  when  "smtpd_tls_eecdh_grade  =  strong".  The phrase "sensibly
       strong" means  approximately  128-bit  security  based  on  best  known
       attacks. The selected curve must be implemented by OpenSSL (as reported
       by ecparam(1) with the "-list_curves" option) and be one of the  curves
       listed  in  Section  5.1.1 of RFC 4492. You should not generally change
       this setting.  Remote SMTP client  implementations  must  support  this
       curve  for EECDH key exchange to take place.  It is unwise to choose  a
       "bleeding-edge" curve supported by only a small subset of clients.

       The default "strong" curve is rated in  NSA  Suite  B  for  information
       classified up to SECRET.

       Note: elliptic curve names are poorly standardized; different standards
       groups are assigning different names to  the  same  underlying  curves.
       The curve with the X9.62 name "prime256v1" is also known under the SECG
       name "secp256r1", but OpenSSL does not recognize the latter name.

       If you want to take maximal advantage of  ciphers  that  offer  forward
       secrecy, see the Getting started section of FORWARD_SECRECY_README. The
       full document conveniently presents all information about Postfix "per‐
       fect"  forward  secrecy  support in one place: what forward secrecy is,
       how to tweak settings, and what you can expect to see when Postfix uses
       ciphers with forward secrecy.

       This feature is available in Postfix 2.6 and later, when it is compiled
       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
       have not been disabled by the vendor.


tls_eecdh_ultra_curve (default: secp384r1)

       The elliptic curve used by the Postfix SMTP server for maximally strong
       ephemeral ECDH key exchange. This curve is used  by  the  Postfix  SMTP
       server  when  "smtpd_tls_eecdh_grade  =  ultra".  The phrase "maximally
       strong" means  approximately  192-bit  security  based  on  best  known
       attacks.  This additional strength comes at a significant computational
       cost; most users should instead set "smtpd_tls_eecdh_grade  =  strong".
       The  selected  curve  must  be  implemented  by OpenSSL (as reported by
       ecparam(1) with the "-list_curves" option) and be  one  of  the  curves
       listed  in  Section  5.1.1 of RFC 4492. You should not generally change
       this setting.

       This default "ultra" curve is rated in  NSA  Suite  B  for  information
       classified up to TOP SECRET.

       If  you  want  to  take maximal advantage of ciphers that offer forward
       secrecy, see the Getting started section of FORWARD_SECRECY_README. The
       full document conveniently presents all information about Postfix "per‐
       fect" forward secrecy support in one place: what  forward  secrecy  is,
       how to tweak settings, and what you can expect to see when Postfix uses
       ciphers with forward secrecy.

       This feature is available in Postfix 2.6 and later, when it is compiled
       and linked with OpenSSL 1.0.0 or later on platforms where EC algorithms
       have not been disabled by the vendor.


tls_export_cipherlist (default: see postconf -d output)

       The OpenSSL cipherlist for  "export"  or  higher  grade  ciphers.  This
       defines  the  meaning  of  the  "export"  setting in smtpd_tls_ciphers,
       smtpd_tls_mandatory_ciphers,     smtp_tls_ciphers,      smtp_tls_manda‐
       tory_ciphers,  lmtp_tls_ciphers,  and lmtp_tls_mandatory_ciphers.  With
       Postfix releases  before  the  middle  of  2015  this  is  the  default
       cipherlist  for the opportunistic ("may") TLS client security level and
       also the default cipherlist for  the  SMTP  server.  You  are  strongly
       encouraged to not change this setting.

       This feature is available in Postfix 2.3 and later.


tls_fast_shutdown_enable (default: yes)

       A  workaround for implementations that hang Postfix while shutting down
       a TLS session, until Postfix times out. With this enabled, Postfix will
       not wait for the remote TLS peer to respond to a TLS  'close_notify'
       alert.


tls_high_cipherlist (default: see postconf -d output)

       The OpenSSL cipherlist for "high" grade ciphers. This defines the mean‐
       ing  of  the  "high"  setting  in  smtpd_tls_ciphers,  smtpd_tls_manda‐
       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
       lmtp_tls_ciphers,  and  lmtp_tls_mandatory_ciphers.  You  are  strongly
       encouraged to not change this setting.

       This feature is available in Postfix 2.3 and later.


tls_legacy_public_key_fingerprints (default: no)

       A  temporary  migration  aid  for sites that use certificate public-key
       fingerprints with Postfix 2.9.0..2.9.5, which use  an  incorrect  algo‐
       rithm. This parameter has no effect on the certificate fingerprint sup‐
       port that is available since Postfix 2.2.

       Specify "tls_legacy_public_key_fingerprints = yes" temporarily, pending
       a   migration   from   configuration   files   with  incorrect  Postfix
       2.9.0..2.9.5 certificate public-key fingerprints, to the  correct  fin‐
       gerprints used by Postfix 2.9.6 and later.  To compute the correct cer‐
       tificate public-key fingerprints, see TLS_README.

       This feature is available in Postfix 2.9.6 and later.


tls_low_cipherlist (default: see postconf -d output)

       The OpenSSL cipherlist for "low" or higher grade ciphers. This  defines
       the meaning of the "low" setting in smtpd_tls_ciphers, smtpd_tls_manda‐
       tory_ciphers,       smtp_tls_ciphers,       smtp_tls_mandatory_ciphers,
       lmtp_tls_ciphers,  and  lmtp_tls_mandatory_ciphers.  You  are  strongly
       encouraged to not change this setting.

       This feature is available in Postfix 2.3 and later.


tls_medium_cipherlist (default: see postconf -d output)

       The OpenSSL cipherlist for  "medium"  or  higher  grade  ciphers.  This
       defines  the  meaning  of  the  "medium"  setting in smtpd_tls_ciphers,
       smtpd_tls_mandatory_ciphers,     smtp_tls_ciphers,      smtp_tls_manda‐
       tory_ciphers,  lmtp_tls_ciphers,  and lmtp_tls_mandatory_ciphers.  This
       is the default cipherlist for  mandatory  TLS  encryption  in  the  TLS
       client  (with anonymous ciphers disabled when verifying server certifi‐
       cates).  This is the default  cipherlist  for  opportunistic  TLS  with
       Postfix releases after the middle of 2015.  You are strongly encouraged
       to not change this setting.

       This feature is available in Postfix 2.3 and later.


tls_null_cipherlist (default: eNULL:!aNULL)

       The OpenSSL cipherlist for "NULL" grade ciphers that provide  authenti‐
       cation  without encryption. This defines the meaning of the "null" set‐
       ting  in  smtpd_tls_mandatory_ciphers,  smtp_tls_mandatory_ciphers  and
       lmtp_tls_mandatory_ciphers.   You are strongly encouraged to not change
       this setting.

       This feature is available in Postfix 2.3 and later.


tls_preempt_cipherlist (default: no)

       With SSLv3 and later, use the Postfix SMTP server's  cipher  preference
       order instead of the remote client's cipher preference order.

       By  default,  the  OpenSSL  server  selects the client's most preferred
       cipher that the server supports. With SSLv3 and later, the  server  may
       choose its own most preferred cipher that is supported (offered) by the
       client. Setting "tls_preempt_cipherlist = yes"  enables  server  cipher
       preferences.

       While  server  cipher selection may in some cases lead to a more secure
       or performant cipher choice, there is  some  risk  of  interoperability
       issues.  In  the  past,  some  SSL  clients  have listed lower priority
       ciphers that they did not implement correctly. If the server chooses  a
       cipher  that  the  client  prefers  less,  it may select a cipher whose
       client implementation is flawed. Most notably  Windows  2003  Microsoft
       Exchange  servers  have  flawed  implementations of DES-CBC3-SHA, which
       OpenSSL considers stronger than RC4-SHA.  Enabling server  cipher-suite
       selection  may  create interoperability issues with Windows 2003 Micro‐
       soft Exchange clients.

       This feature is available in Postfix 2.8 and later, in combination with
       OpenSSL 0.9.7 and later.


tls_random_bytes (default: 32)

       The  number  of bytes that tlsmgr(8) reads from $tls_random_source when
       (re)seeding the in-memory pseudo random number generator  (PRNG)  pool.
       The default of 32 bytes (256 bits) is good enough for 128-bit symmetric
       keys.  If using EGD or a device file, a maximum of 255 bytes is read.

       This feature is available in Postfix 2.2 and later.


tls_random_exchange_name (default: see postconf -d output)

       Name of the pseudo random number generator (PRNG) state  file  that  is
       maintained  by  tlsmgr(8).  The file is created when it does not exist,
       and its length is fixed at 1024 bytes.

       As of version 2.5, Postfix no longer uses root privileges when  opening
       this  file,  and  the  default  file  location  was changed from ${con‐
       fig_directory}/prng_exch to ${data_directory}/prng_exch.  As  a  migra‐
       tion  aid, an attempt to open the file under a non-Postfix directory is
       redirected to  the  Postfix-owned  data_directory,  and  a  warning  is
       logged.

       This feature is available in Postfix 2.2 and later.


tls_random_prng_update_period (default: 3600s)

       The  time between attempts by tlsmgr(8) to save the state of the pseudo
       random number generator (PRNG) to the  file  specified  with  $tls_ran‐
       dom_exchange_name.

       This feature is available in Postfix 2.2 and later.


tls_random_reseed_period (default: 3600s)

       The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
       pseudo random number generator (PRNG) pool from external sources.   The
       actual  time  between re-seeding attempts is calculated using the PRNG,
       and is between 0 and the time specified.

       This feature is available in Postfix 2.2 and later.


tls_random_source (default: see postconf -d output)

       The external entropy source for the in-memory tlsmgr(8)  pseudo  random
       number generator (PRNG) pool. Be sure to specify a non-blocking source.
       If this source is not a regular file, the entropy source type  must  be
       prepended:   egd:/path/to/egd_socket  for  a source with EGD compatible
       socket interface, or dev:/path/to/device for a device file.

       Note: on OpenBSD systems specify /dev/arandom when  /dev/urandom  gives
       timeout errors.

       This feature is available in Postfix 2.2 and later.


tls_server_sni_maps (default: empty)

       Optional lookup tables that map names received from remote SMTP clients
       via the TLS Server Name Indication (SNI) extension to  the  appropriate
       keys  and  certificate  chains.   This  parameter is implemented in the
       Postfix TLS library, and applies to both smtpd(8) and the  SMTP  server
       mode of tlsproxy(8).

       When  this  parameter is non-empty, the Postfix SMTP server enables SNI
       extension processing, and logs SNI values that  are  invalid  or  don't
       match an entry in the specified tables.  When an  entry  does  match,
       the SNI name is logged as part of the connection summary at log  levels
       1 and higher.

       The  lookup  key  is either the verbatim SNI domain name or an ancestor
       domain prefixed with a leading dot.  For internationalized domains, the
       lookup  key  must  be in IDNA 2008 A-label form (as required in the TLS
       SNI extension).

       The  syntax  of  the  lookup  value   is   the   same   as   with   the
       smtp_tls_chain_files  parameter (see there for additional details), but
       here scoped to just TLS connections in which the client sends a  match‐
       ing SNI domain name.

       Example:

           /etc/postfix/main.cf:
               #
               # The indexed SNI table must be created with "postmap -F"
               #
               indexed = ${default_database_type}:${config_directory}/
               tls_server_sni_maps = ${indexed}sni

           /etc/postfix/sni:
               #
               # The example.com domain has both an RSA and ECDSA certificate
               # chain.  The chain files MUST start with the private key,
               # with the certificate chain next, starting with the leaf
               # (server) certificate, and then the issuer certificates.
               #
               example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
                           /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
               #
               # The example.net domain has a wildcard certificate, and two
               # additional DNS names.  So its certificate chain is also used
               # with any subdomain, plus the additional names.
               #
               example.net /etc/postfix/sni-chains/example.net.pem
               .example.net /etc/postfix/sni-chains/example.net.pem
               example.info /etc/postfix/sni-chains/example.net.pem
               example.org /etc/postfix/sni-chains/example.net.pem

       Note  that  the  SNI  lookup  tables  should  also have entries for the
       domains that correspond to the Postfix SMTP server's  default  certifi‐
       cate(s).  This  ensures that the remote SMTP client's TLS SNI extension
       gets a positive response when it specifies  one  of  the  Postfix  SMTP
       server's default domains, and ensures that the Postfix SMTP server will
       not log an SNI name mismatch for  such  a  domain.   The  Postfix  SMTP
       server's  default certificates are then only used when the client sends
       no SNI or when it sends SNI with a domain that the server knows no cer‐
       tificate(s) for.

       The mapping from an SNI domain name to a certificate chain is indirect.
       In the input source files for "cdb", "hash", "btree"  or  other  tables
       that  are  converted to on-disk indexed files via postmap(1), the value
       specified for each key is a list of filenames.  When postmap(1) is used
       with  the -F option, the generated table stores for each lookup key the
       base64-encoded contents of the associated files.  When querying  tables
       via  postmap  -Fq, the table value is decoded from base64, yielding the
       original file content, plus a newline.

       With "regexp",  "pcre",  "inline",  "texthash",  "static"  and  similar
       tables  that  are  interpreted  at  run-time, and don't have a separate
       source format, the table value is again a list of files that are loaded
       into memory when the table is opened.

       With  tables whose content is managed outside of Postfix, such as LDAP,
       MySQL, PostgreSQL, socketmap and tcp, the value must be a concatenation
       of  the  desired  PEM keys and certificate chains, that is then further
       encoded to yield a single-line base64 string.  Creation of such  tables
       and  secure  storage (the value includes private key material) are out‐
       side the responsibility of Postfix.

       With "socketmap" and "tcp" the data will be transmitted in  the  clear,
       and there is no query access control, so these are generally unsuitable
       for storing SNI chains.  With LDAP and SQL, you  should  restrict  read
       access and use TLS to protect the sensitive data in transit.

       Typically  there  is only one private key and its chain of certificates
       starting with the "leaf" certificate corresponding  to  that  key,  and
       continuing  with  the  appropriate intermediate issuer CA certificates,
       with each certificate ideally followed by  its  issuer.   Servers  that
       have  keys  and certificates for more than one algorithm (e.g.  both an
       RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519) can use  mul‐
       tiple  chains  concatenated together, with the key always listed before
       the corresponding certificates.

       This feature is available in Postfix 3.4 and later.

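       As an added example (not part of the Postfix manual or code base), the
       following Python reproduces two rules from the text above: the SNI
       lookup-key search (the verbatim name, then each ancestor domain with a
       leading dot) against the example table, and the check that every chain
       in a table value starts with a private key followed by its certificates
       before the PEM text is encoded as the single-line base64 value that
       externally managed tables must hold.  The candidate-key order (exact
       name first, then nearest ancestor) and the sample PEM blocks are
       constructed assumptions of this example.

```python
import base64
import re

# Constructed copy of the manual's /etc/postfix/sni example: key -> chain files.
SNI_TABLE = {
    "example.com": ["sni-chains/rsa2048.example.com.pem",
                    "sni-chains/ecdsa-p256.example.com.pem"],
    "example.net": ["sni-chains/example.net.pem"],
    ".example.net": ["sni-chains/example.net.pem"],
    "example.info": ["sni-chains/example.net.pem"],
    "example.org": ["sni-chains/example.net.pem"],
}


def sni_lookup_keys(sni_name):
    """Candidate lookup keys for an SNI name: the verbatim (A-label, lower-cased)
    name first, then every ancestor domain prefixed with a leading dot.
    The nearest-ancestor-first order is an assumption of this example."""
    name = sni_name.rstrip(".").lower()
    labels = name.split(".")
    return [name] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def sni_lookup(table, sni_name):
    """Return (matched_key, value), or (None, None) when no entry matches.
    A miss is what makes the server fall back to its default certificate(s)."""
    for key in sni_lookup_keys(sni_name):
        if key in table:
            return key, table[key]
    return None, None


# PEM labels a chain file may contain: PKCS#8 and legacy RSA/EC key labels.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----\n", re.S)


def check_chain_order(pem_text):
    """Validate the ordering rule: each chain is a private key followed by the
    leaf certificate and then its issuers; several chains may be concatenated,
    but a key always precedes its certificates.  Returns a list of
    (key_label, certificate_count) tuples, or raises ValueError."""
    chains = []
    for label in PEM_BLOCK.findall(pem_text):
        if label in KEY_LABELS:
            chains.append([label, 0])
        elif label == "CERTIFICATE":
            if not chains:
                raise ValueError("certificate appears before any private key")
            chains[-1][1] += 1
        else:
            raise ValueError("unexpected PEM block: " + label)
    for label, count in chains:
        if count == 0:
            raise ValueError(label + " is not followed by a certificate")
    return [tuple(c) for c in chains]


def chain_order_error(pem_text):
    """Return the validation error message, or None when the ordering is valid."""
    try:
        check_chain_order(pem_text)
    except ValueError as err:
        return str(err)
    return None


def encode_table_value(pem_text):
    """Produce the single-line base64 value an LDAP/SQL SNI table must hold
    (the same encoding postmap -F applies to indexed tables), after checking
    the chain order."""
    check_chain_order(pem_text)
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def decode_table_value(value):
    """Inverse of encode_table_value; postmap -Fq additionally appends a newline."""
    return base64.b64decode(value).decode("ascii")


def pem_block(label, body="Y29uc3RydWN0ZWQ="):
    """Constructed PEM block with a dummy body; not a real key or certificate."""
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed two-algorithm file: ECDSA key + leaf + issuer, then RSA key + leaf.
GOOD_CHAINS = (pem_block("EC PRIVATE KEY") + pem_block("CERTIFICATE")
               + pem_block("CERTIFICATE") + pem_block("RSA PRIVATE KEY")
               + pem_block("CERTIFICATE"))
# Constructed misordered file: the certificate precedes its key.
BAD_CHAINS = pem_block("CERTIFICATE") + pem_block("RSA PRIVATE KEY")


if __name__ == "__main__":
    for name in ("example.com", "mx1.example.net", "mail.example.com"):
        print(name, "->", sni_lookup(SNI_TABLE, name))
    print(check_chain_order(GOOD_CHAINS))
    print("rejected:", chain_order_error(BAD_CHAINS))
    print(len(encode_table_value(GOOD_CHAINS)), "base64 characters, one line")
```
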

tls_session_ticket_cipher (default: Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)

       Algorithm used to encrypt RFC 5077 TLS session tickets. This algorithm
       must use CBC mode, have a 128-bit block  size,  and  must  have  a  key
       length between 128 and 256 bits.  The default is aes-256-cbc.  Overrid‐
       ing the default to choose a different algorithm is discouraged.

       Setting this parameter empty disables session  ticket  support  in  the
       Postfix  SMTP server.  Another way to disable session ticket support is
       via the tls_ssl_options parameter.

       This feature is available in Postfix 3.0 and later.


tls_ssl_options (default: empty)

       List or bit-mask of OpenSSL options to enable.

       The OpenSSL toolkit provides a set of  options  that  applications  can
       enable to tune the OpenSSL behavior.  Some of these work around bugs in
       other implementations and are on by default.  You can use the  tls_dis‐
       able_workarounds  parameter  to  selectively disable some or all of the
       bug work-arounds, making OpenSSL more strict at the cost of  non-inter‐
       operability with SSL clients or servers that exhibit the bugs.

       Other  options are off by default, and typically enable or disable fea‐
       tures rather than bug work-arounds.  These may be turned on (with care)
       via the tls_ssl_options parameter.  The value is a white-space or comma
       separated list of named options chosen from the list below.  The  names
       are not case-sensitive; you can use  lower-case  if  you  prefer.  The
       upper case values below match the corresponding macro name in the ssl.h
       header  file with the SSL_OP_ prefix removed.  It is possible that your
       OpenSSL version includes new options added after  your  Postfix  source
       code was last updated; in that case you can  only  enable  one  of  these
       via the hexadecimal syntax below.

       You should only enable features via the hexadecimal mask when the  need
       to control the feature is critical (to deal with a new vulnerability or
       a serious interoperability problem).  Postfix DOES  NOT  promise  back‐
       wards  compatible  behavior  with  respect to the mask bits.  A feature
       enabled via the mask in one release may be enabled by other means in  a
       later  release,  and the mask bit will then be ignored.  Therefore, use
       of the hexadecimal mask is only a temporary measure until a new Postfix
       or OpenSSL release provides a better solution.

       If  the  value  of the parameter is a hexadecimal long integer starting
       with "0x", the options corresponding to the bits specified in its value
       are  enabled  (see  openssl/ssl.h and SSL_CTX_set_options(3)).  You can
       only enable options not already controlled by other  Postfix  settings.
       For example, you cannot disable protocols or enable server cipher pref‐
       erence.  Do not attempt to turn on all features by specifying 0xFFFFFFFF;
       this  is  unlikely  to  be a good idea.  Some bug work-arounds are also
       valid here, allowing them to be re-enabled if/when  they're  no  longer
       enabled by default.  The supported values include:

       ENABLE_MIDDLEBOX_COMPAT
              Postfix >= 3.4. See SSL_CTX_set_options(3).

       LEGACY_SERVER_CONNECT
              See SSL_CTX_set_options(3).

       NO_TICKET
              Enabled  by default when needed in fully-patched Postfix >= 2.7.
              Not needed at all for Postfix >= 2.11, unless  for  some  reason
              you do not want to support TLS session resumption.  Best not set
              explicitly.  See SSL_CTX_set_options(3).

       NO_COMPRESSION
              Disable  SSL  compression  even  if  supported  by  the  OpenSSL
              library.   Compression  is CPU-intensive, and compression before
              encryption does not always improve security.

       NO_RENEGOTIATION
              Postfix >= 3.4.  This can reduce opportunities for  a  potential
              CPU exhaustion attack.  See SSL_CTX_set_options(3).

       NO_SESSION_RESUMPTION_ON_RENEGOTIATION
              Postfix >= 3.4. See SSL_CTX_set_options(3).

       PRIORITIZE_CHACHA
              Postfix >= 3.4. See SSL_CTX_set_options(3).

       This feature is available in Postfix 2.11 and later.


tls_wildcard_matches_multiple_labels (default: yes)

       Match multiple DNS labels with "*" in wildcard certificates.

       Some  mail service providers prepend the customer domain name to a base
       domain for which they have a wildcard TLS  certificate.   For  example,
       the MX records for example.com hosted by example.net may be:

           example.com. IN MX 0 example.com.mx1.example.net.
           example.com. IN MX 0 example.com.mx2.example.net.

       and the TLS certificate may be for "*.example.net". The "*" then corre‐
       sponds with multiple labels in the  mail  server  domain  name.   While
       multi-label  wildcards are not widely supported, and are not blessed by
       any standard, there is little to be gained by disallowing their use  in
       this context.

       Notes:

       ·      In  a  certificate name, the "*" is special only when it is used
              as the first label.

       ·      While Postfix (2.11 or later) can match "*" with multiple domain
              name labels, other implementations likely will not.

       ·      Earlier   Postfix   implementations   behave  as  if  "tls_wild‐
              card_matches_multiple_labels = no".

       This feature is available in Postfix 2.11 and later.

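       The following Python is an added illustration (not Postfix code) of the
       matching rules stated above: "*" is special only as the entire first
       label, and it covers one label or several depending on the setting.
       The MX host names are the ones from the example; that "*" must cover
       at least one label is an assumption of this example.

```python
def wildcard_matches(cert_name, host_name, multiple_labels=True):
    """Match a DNS name from a certificate against a server host name.

    Rules from the manual text:
      * "*" is special only when it is the entire first label of cert_name;
        anywhere else it is a literal character.
      * With multiple_labels=True (tls_wildcard_matches_multiple_labels = yes)
        the "*" may cover one or more labels; with False, exactly one label.
    Comparison is case-insensitive, as DNS names are.  Requiring "*" to cover
    at least one label is an assumption of this example."""
    cert = cert_name.rstrip(".").lower()
    host = host_name.rstrip(".").lower()
    if not cert.startswith("*."):
        return cert == host              # no wildcard: exact match only
    suffix = cert[1:]                    # e.g. ".example.net"
    if not host.endswith(suffix):
        return False
    covered = host[: -len(suffix)]       # the label(s) that "*" stands for
    if not covered:
        return False                     # "*.example.net" != "example.net"
    return multiple_labels or "." not in covered


def hosts_accepted(cert_name, mx_hosts, multiple_labels=True):
    """Return the MX host names the certificate name would be accepted for
    under the given tls_wildcard_matches_multiple_labels setting."""
    return [h for h in mx_hosts
            if wildcard_matches(cert_name, h, multiple_labels)]


# Constructed MX host names: the two from the manual's example plus a
# single-label host under the same wildcard.
MX_HOSTS = ["example.com.mx1.example.net",
            "example.com.mx2.example.net",
            "mx3.example.net"]

if __name__ == "__main__":
    for setting in (True, False):
        print("multiple labels =", setting, "->",
              hosts_accepted("*.example.net", MX_HOSTS, setting))
```
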

tlsmgr_service_name (default: tlsmgr)

12185       The name of the tlsmgr(8) service  entry  in  master.cf.  This  service
12186       maintains TLS session caches and other information in support of TLS.
12187
12188       This feature is available in Postfix 2.11 and later.
12189

tlsproxy_client_CAfile (default: $smtp_tls_CAfile)

12191       A  file  containing  CA certificates of root CAs trusted to sign either
12192       remote TLS server certificates or intermediate  CA  certificates.   See
12193       smtp_tls_CAfile for further details.
12194
12195       This feature is available in Postfix 3.4 and later.
12196

tlsproxy_client_CApath (default: $smtp_tls_CApath)

       Directory with PEM format Certification Authority certificates that the
       Postfix tlsproxy(8) client uses to verify a remote TLS server
       certificate. See smtp_tls_CApath for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_cert_file (default: $smtp_tls_cert_file)
       File with the Postfix tlsproxy(8) client RSA certificate in PEM format.
       See smtp_tls_cert_file for further details. The preferred way to
       configure tlsproxy client keys and certificates is via the
       "tlsproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_chain_files (default: $smtp_tls_chain_files)
       Files with the Postfix tlsproxy(8) client keys and certificate chains
       in PEM format. See smtp_tls_chain_files for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_dcert_file (default: $smtp_tls_dcert_file)
       File with the Postfix tlsproxy(8) client DSA certificate in PEM format.
       See smtp_tls_dcert_file for further details. DSA is obsolete and should
       not be used.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_dkey_file (default: $smtp_tls_dkey_file)
       File with the Postfix tlsproxy(8) client DSA private key in PEM format.
       See smtp_tls_dkey_file for further details. DSA is obsolete and should
       not be used.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_eccert_file (default: $smtp_tls_eccert_file)
       File with the Postfix tlsproxy(8) client ECDSA certificate in PEM
       format. See smtp_tls_eccert_file for further details. The preferred way
       to configure tlsproxy client keys and certificates is via the
       "tlsproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_eckey_file (default: $smtp_tls_eckey_file)
       File with the Postfix tlsproxy(8) client ECDSA private key in PEM
       format. See smtp_tls_eckey_file for further details. The preferred way
       to configure tlsproxy client keys and certificates is via the
       "tlsproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_enforce_tls (default: $smtp_enforce_tls)
       Enforcement mode: require that SMTP servers use TLS encryption. See
       smtp_enforce_tls for further details. Like smtp_enforce_tls, this is an
       obsolete control; set the client TLS policy with
       tlsproxy_client_security_level instead.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_fingerprint_digest (default: $smtp_tls_fingerprint_digest)
       The message digest algorithm used to construct remote TLS server
       certificate fingerprints. See smtp_tls_fingerprint_digest for further
       details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_key_file (default: $smtp_tls_key_file)
       File with the Postfix tlsproxy(8) client RSA private key in PEM format.
       See smtp_tls_key_file for further details. The preferred way to
       configure tlsproxy client keys and certificates is via the
       "tlsproxy_client_chain_files" parameter.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_loglevel (default: $smtp_tls_loglevel)
       Enable additional Postfix tlsproxy(8) client logging of TLS activity.
       See smtp_tls_loglevel for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_loglevel_parameter (default: smtp_tls_loglevel)
       The name of the parameter that provides the tlsproxy_client_loglevel
       value.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_per_site (default: $smtp_tls_per_site)
       Optional lookup tables with the Postfix tlsproxy(8) client TLS usage
       policy by next-hop destination and by remote TLS server hostname. See
       smtp_tls_per_site for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_policy_maps (default: $smtp_tls_policy_maps)
       Optional lookup tables with the Postfix tlsproxy(8) client TLS security
       policy by next-hop destination. See smtp_tls_policy_maps for further
       details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_scert_verifydepth (default: $smtp_tls_scert_verifydepth)
       The verification depth for remote TLS server certificates. See
       smtp_tls_scert_verifydepth for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_security_level (default: $smtp_tls_security_level)
       The default TLS security level for the Postfix tlsproxy(8) client. See
       smtp_tls_security_level for further details.

       This feature is available in Postfix 3.4 and later.

tlsproxy_client_use_tls (default: $smtp_use_tls)
       Opportunistic mode: use TLS when a remote server announces TLS support.
       See smtp_use_tls for further details. Like smtp_use_tls, this is an
       obsolete control; set the client TLS policy with
       tlsproxy_client_security_level instead.

       This feature is available in Postfix 3.4 and later.

tlsproxy_enforce_tls (default: $smtpd_enforce_tls)
       Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
       require that clients use TLS encryption. See smtpd_enforce_tls for
       further details. Like smtpd_enforce_tls, this parameter is obsolete; a
       non-empty tlsproxy_tls_security_level overrides it.

       This feature is available in Postfix 2.8 and later.

tlsproxy_service_name (default: tlsproxy)
       The name of the tlsproxy(8) service entry in master.cf. This service
       performs plaintext <=> TLS ciphertext conversion.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_CAfile (default: $smtpd_tls_CAfile)
       A file containing (PEM format) CA certificates of root CAs trusted to
       sign either remote SMTP client certificates or intermediate CA
       certificates. See smtpd_tls_CAfile for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_CApath (default: $smtpd_tls_CApath)
       A directory containing (PEM format) CA certificates of root CAs trusted
       to sign either remote SMTP client certificates or intermediate CA
       certificates. See smtpd_tls_CApath for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_always_issue_session_ids (default: $smtpd_tls_always_issue_session_ids)
       Force the Postfix tlsproxy(8) server to issue a TLS session id, even
       when TLS session caching is turned off. See
       smtpd_tls_always_issue_session_ids for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_ask_ccert (default: $smtpd_tls_ask_ccert)
       Ask a remote SMTP client for a client certificate. See
       smtpd_tls_ask_ccert for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_ccert_verifydepth (default: $smtpd_tls_ccert_verifydepth)
       The verification depth for remote SMTP client certificates. A depth of
       1 is sufficient if the issuing CA is listed in a local CA file. See
       smtpd_tls_ccert_verifydepth for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_cert_file (default: $smtpd_tls_cert_file)
       File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
       This file may also contain the Postfix tlsproxy(8) server private RSA
       key. See smtpd_tls_cert_file for further details. With Postfix >= 3.4
       the preferred way to configure tlsproxy server keys and certificates is
       via the "tlsproxy_tls_chain_files" parameter.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_chain_files (default: $smtpd_tls_chain_files)
       Files with the Postfix tlsproxy(8) server keys and certificate chains
       in PEM format. See smtpd_tls_chain_files for further details.

       This feature is available in Postfix 3.4 and later.


tlsproxy_tls_ciphers (default: $smtpd_tls_ciphers)

12377       The minimum TLS cipher grade that the Postfix tlsproxy(8)  server  will
12378       use  with  opportunistic TLS encryption. See smtpd_tls_ciphers for fur‐
12379       ther details.
12380
12381       This feature is available in Postfix 2.8 and later.
12382

tlsproxy_tls_dcert_file (default: $smtpd_tls_dcert_file)

12384       File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
12385       This  file  may also contain the Postfix tlsproxy(8) server private DSA
12386       key.  DSA is obsolete and should not be used.  See smtpd_tls_dcert_file
12387       for further details.
12388
12389       This feature is available in Postfix 2.8 and later.
12390

tlsproxy_tls_dh1024_param_file (default: $smtpd_tls_dh1024_param_file)

12392       File  with DH parameters that the Postfix tlsproxy(8) server should use
12393       with non-export EDH ciphers. See smtpd_tls_dh1024_param_file  for  fur‐
12394       ther details.
12395
12396       This feature is available in Postfix 2.8 and later.
12397

tlsproxy_tls_dh512_param_file (default: $smtpd_tls_dh512_param_file)

12399       File  with DH parameters that the Postfix tlsproxy(8) server should use
12400       with export-grade EDH ciphers. See smtpd_tls_dh512_param_file for  fur‐
12401       ther  details.   The  default SMTP server cipher grade is "medium" with
12402       Postfix releases after the middle of 2015, and as a result export-grade
12403       cipher suites are by default not used.
12404
12405       This feature is available in Postfix 2.8 and later.
12406

tlsproxy_tls_dkey_file (default: $smtpd_tls_dkey_file)

12408       File with the Postfix tlsproxy(8) server DSA private key in PEM format.
12409       This file may be combined with the Postfix tlsproxy(8) server DSA  cer‐
12410       tificate  file  specified  with $smtpd_tls_dcert_file.  DSA is obsolete
12411       and should not be used.  See smtpd_tls_dkey_file for further details.
12412
12413       This feature is available in Postfix 2.8 and later.
12414

tlsproxy_tls_eccert_file (default: $smtpd_tls_eccert_file)

12416       File with the Postfix tlsproxy(8) server ECDSA certificate in PEM  for‐
12417       mat.  This file may also contain the Postfix tlsproxy(8) server private
12418       ECDSA key.  See smtpd_tls_eccert_file for further details.  With  Post‐
12419       fix >= 3.4 the preferred way to configure tlsproxy server keys and cer‐
12420       tificates is via the "tlsproxy_tls_chain_files" parameter.
12421
12422       This feature is available in Postfix 2.8 and later.
12423

tlsproxy_tls_eckey_file (default: $smtpd_tls_eckey_file)

12425       File with the Postfix tlsproxy(8) server ECDSA private key in PEM  for‐
12426       mat.   This  file  may  be combined with the Postfix tlsproxy(8) server
12427       ECDSA certificate  file  specified  with  $smtpd_tls_eccert_file.   See
12428       smtpd_tls_eckey_file for further details.  With Postfix >= 3.4 the pre‐
12429       ferred way to configure tlsproxy server keys and  certificates  is  via
12430       the "tlsproxy_tls_chain_files" parameter.
12431
12432       This feature is available in Postfix 2.8 and later.
12433

tlsproxy_tls_eecdh_grade (default: $smtpd_tls_eecdh_grade)

12435       The  Postfix  tlsproxy(8)  server  security  grade for ephemeral ellip‐
12436       tic-curve     Diffie-Hellman     (EECDH)     key     exchange.      See
12437       smtpd_tls_eecdh_grade for further details.
12438
12439       This feature is available in Postfix 2.8 and later.
12440

tlsproxy_tls_exclude_ciphers (default: $smtpd_tls_exclude_ciphers)

12442       List  of ciphers or cipher types to exclude from the tlsproxy(8) server
12443       cipher list at all TLS security levels.  See  smtpd_tls_exclude_ciphers
12444       for further details.
12445
12446       This feature is available in Postfix 2.8 and later.
12447

tlsproxy_tls_fingerprint_digest (default: $smtpd_tls_fingerprint_digest)

12449       The  message  digest algorithm to construct remote SMTP client-certifi‐
12450       cate  fingerprints.  See   smtpd_tls_fingerprint_digest   for   further
12451       details.
12452
12453       This feature is available in Postfix 2.8 and later.
12454

tlsproxy_tls_key_file (default: $smtpd_tls_key_file)

12456       File with the Postfix tlsproxy(8) server RSA private key in PEM format.
12457       This file may be combined with the Postfix tlsproxy(8) server RSA  cer‐
12458       tificate     file    specified    with    $smtpd_tls_cert_file.     See
12459       smtpd_tls_key_file for further details.  With Postfix >= 3.4  the  pre‐
12460       ferred  way  to  configure tlsproxy server keys and certificates is via
12461       the "tlsproxy_tls_chain_files" parameter.
12462
12463       This feature is available in Postfix 2.8 and later.
12464

tlsproxy_tls_loglevel (default: $smtpd_tls_loglevel)

12466       Enable additional Postfix tlsproxy(8) server logging of  TLS  activity.
12467       Each  logging  level  also includes the information that is logged at a
12468       lower logging level. See smtpd_tls_loglevel for further details.
12469
12470       This feature is available in Postfix 2.8 and later.
12471

tlsproxy_tls_mandatory_ciphers (default: $smtpd_tls_mandatory_ciphers)

12473       The minimum TLS cipher grade that the Postfix tlsproxy(8)  server  will
12474       use  with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers for
12475       further details.
12476
12477       This feature is available in Postfix 2.8 and later.
12478

tlsproxy_tls_mandatory_exclude_ciphers (default: $smtpd_tls_manda‐

12480       tory_exclude_ciphers)
12481       Additional  list  of  ciphers  or  cipher  types  to  exclude  from the
12482       tlsproxy(8) server cipher list at mandatory TLS security  levels.   See
12483       smtpd_tls_mandatory_exclude_ciphers for further details.
12484
12485       This feature is available in Postfix 2.8 and later.
12486

tlsproxy_tls_mandatory_protocols (default: $smtpd_tls_mandatory_protocols)

12488       The  SSL/TLS  protocols accepted by the Postfix tlsproxy(8) server with
12489       mandatory TLS encryption. If the list is empty, the server supports all
12490       available SSL/TLS protocol versions.  See smtpd_tls_mandatory_protocols
12491       for further details.
12492
12493       This feature is available in Postfix 2.8 and later.
12494

tlsproxy_tls_protocols (default: $smtpd_tls_protocols)
       List of TLS protocols that the Postfix tlsproxy(8) server will exclude
       or include with opportunistic TLS encryption. See smtpd_tls_protocols
       for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_req_ccert (default: $smtpd_tls_req_ccert)
       With mandatory TLS encryption, require a trusted remote SMTP client
       certificate in order to allow TLS connections to proceed. See
       smtpd_tls_req_ccert for further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_security_level (default: $smtpd_tls_security_level)
       The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
       non-empty value is specified, this overrides the obsolete parameters
       smtpd_use_tls and smtpd_enforce_tls. See smtpd_tls_security_level for
       further details.

       This feature is available in Postfix 2.8 and later.

tlsproxy_tls_session_cache_timeout (default: $smtpd_tls_session_cache_timeout)
       Obsolete expiration time of Postfix tlsproxy(8) server TLS session
       cache information. Since the cache is shared with smtpd(8) and managed
       by tlsmgr(8), there is only one expiration time for the SMTP server
       cache shared by all three services, namely
       smtpd_tls_session_cache_timeout.

       This feature is available in Postfix 2.8 and later.

tlsproxy_use_tls (default: $smtpd_use_tls)
       Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
       but do not require that clients use TLS encryption. See smtpd_use_tls
       for further details. Like smtpd_use_tls, this parameter is obsolete; a
       non-empty tlsproxy_tls_security_level overrides it.

       This feature is available in Postfix 2.8 and later.

tlsproxy_watchdog_timeout (default: 10s)
       How much time a tlsproxy(8) process may take to process local or remote
       I/O before it is terminated by a built-in watchdog timer. This is a
       safety mechanism that prevents tlsproxy(8) from becoming non-responsive
       due to a bug in Postfix itself or in system software. To avoid false
       alarms and unnecessary cache corruption this limit cannot be set under
       10s.

       Specify a non-zero time value (an integral value plus an optional
       one-letter suffix that specifies the time unit). Time units: s
       (seconds), m (minutes), h (hours), d (days), w (weeks).

       This feature is available in Postfix 2.8 and later.


trace_service_name (default: trace)
       The name of the trace service. This service is implemented by the
       bounce(8) daemon and maintains a record of mail deliveries and produces
       a mail delivery report when verbose delivery is requested with
       "sendmail -v".

       This feature is available in Postfix 2.1 and later.

transport_delivery_slot_cost (default: $default_delivery_slot_cost)
       A transport-specific override for the default_delivery_slot_cost
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_cost parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_cost").

transport_delivery_slot_discount (default: $default_delivery_slot_discount)
       A transport-specific override for the default_delivery_slot_discount
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_discount parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_discount").

transport_delivery_slot_loan (default: $default_delivery_slot_loan)
       A transport-specific override for the default_delivery_slot_loan
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_delivery_slot_loan parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_delivery_slot_loan").

transport_destination_concurrency_failed_cohort_limit (default: $default_destination_concurrency_failed_cohort_limit)
       A transport-specific override for the
       default_destination_concurrency_failed_cohort_limit parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_failed_cohort_limit
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_failed_cohort_limit").

       This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_limit (default: $default_destination_concurrency_limit)
       A transport-specific override for the
       default_destination_concurrency_limit parameter value, where transport
       is the master.cf name of the message delivery transport.

       Note: some transport_destination_concurrency_limit parameters will not
       show up in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_concurrency_limit").

transport_destination_concurrency_negative_feedback (default: $default_destination_concurrency_negative_feedback)
       A transport-specific override for the
       default_destination_concurrency_negative_feedback parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_negative_feedback
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_negative_feedback").

       This feature is available in Postfix 2.5 and later.

transport_destination_concurrency_positive_feedback (default: $default_destination_concurrency_positive_feedback)
       A transport-specific override for the
       default_destination_concurrency_positive_feedback parameter value,
       where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_destination_concurrency_positive_feedback
       parameters will not show up in "postconf" command output before Postfix
       version 2.9. This limitation applies to many parameters whose name is a
       combination of a master.cf service name and a built-in suffix (in this
       case: "_destination_concurrency_positive_feedback").

       This feature is available in Postfix 2.5 and later.

transport_destination_rate_delay (default: $default_destination_rate_delay)
       A transport-specific override for the default_destination_rate_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: some transport_destination_rate_delay parameters will not show up
       in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_rate_delay").

       This feature is available in Postfix 2.5 and later.

transport_destination_recipient_limit (default: $default_destination_recipient_limit)
       A transport-specific override for the
       default_destination_recipient_limit parameter value, where transport is
       the master.cf name of the message delivery transport.

       Note: some transport_destination_recipient_limit parameters will not
       show up in "postconf" command output before Postfix version 2.9. This
       limitation applies to many parameters whose name is a combination of a
       master.cf service name and a built-in suffix (in this case:
       "_destination_recipient_limit").

transport_extra_recipient_limit (default: $default_extra_recipient_limit)
       A transport-specific override for the default_extra_recipient_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_extra_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_extra_recipient_limit").

transport_initial_destination_concurrency (default: $initial_destination_concurrency)
       A transport-specific override for the initial_destination_concurrency
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: some transport_initial_destination_concurrency parameters will
       not show up in "postconf" command output before Postfix version 2.9.
       This limitation applies to many parameters whose name is a combination
       of a master.cf service name and a built-in suffix (in this case:
       "_initial_destination_concurrency").

       This feature is available in Postfix 2.5 and later.

transport_maps (default: empty)
       Optional lookup tables with mappings from recipient address to (message
       delivery transport, next-hop destination). See transport(5) for
       details.

       Specify zero or more "type:table" lookup tables, separated by
       whitespace or comma. Tables will be searched in the specified order
       until a match is found. If you use this feature with local files, run
       "postmap /etc/postfix/transport" after making a change.

       Pattern matching of domain names is controlled by the presence or
       absence of "transport_maps" in the parent_domain_matches_subdomains
       parameter value.

       For safety reasons, as of Postfix 2.3 this feature does not allow
       $number substitutions in regular expression maps.

       Examples:

       transport_maps = dbm:/etc/postfix/transport
       transport_maps = hash:/etc/postfix/transport

transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)
       A transport-specific override for the default_minimum_delivery_slots
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_minimum_delivery_slots parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_minimum_delivery_slots").

transport_recipient_limit (default: $default_recipient_limit)
       A transport-specific override for the default_recipient_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: some transport_recipient_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case: "_recipient_limit").

transport_recipient_refill_delay (default: $default_recipient_refill_delay)
       A transport-specific override for the default_recipient_refill_delay
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_delay parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_delay").

       This feature is available in Postfix 2.4 and later.

transport_recipient_refill_limit (default: $default_recipient_refill_limit)
       A transport-specific override for the default_recipient_refill_limit
       parameter value, where transport is the master.cf name of the message
       delivery transport.

       Note: transport_recipient_refill_limit parameters will not show up in
       "postconf" command output before Postfix version 2.9. This limitation
       applies to many parameters whose name is a combination of a master.cf
       service name and a built-in suffix (in this case:
       "_recipient_refill_limit").

       This feature is available in Postfix 2.4 and later.

transport_retry_time (default: 60s)
       The time between attempts by the Postfix queue manager to contact a
       malfunctioning message delivery transport.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

transport_time_limit (default: $command_time_limit)
       A transport-specific override for the command_time_limit parameter
       value, where transport is the master.cf name of the message delivery
       transport.

       Note: transport_time_limit parameters will not show up in "postconf"
       command output before Postfix version 2.9. This limitation applies to
       many parameters whose name is a combination of a master.cf service name
       and a built-in suffix (in this case: "_time_limit").

transport_transport_rate_delay (default: $default_transport_rate_delay)
       A transport-specific override for the default_transport_rate_delay
       parameter value, where the initial transport in the parameter name is
       the master.cf name of the message delivery transport.

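       The transport_* entries above share one mechanism: a parameter named
       after a master.cf service plus a built-in suffix overrides the global
       parameter named in its default. The Python below is an added example
       written for this page, not Postfix code: it extracts service names from
       a constructed master.cf fragment, splits candidate parameter names into
       (transport, suffix) using the suffix list from this section (longest
       suffix first, so a name such as smtp_destination_recipient_limit is not
       mistaken for a "_recipient_limit" override), reports where each
       effective value comes from, and flags override-shaped names whose
       prefix is not a master.cf service, since such a typo silently leaves
       the global default in force. The main.cf values are supplied already
       parsed, as a constructed dict; the function names are the example's
       own.

```python
"""Resolve transport-specific overrides of the form transport_suffix.

Added example for this page, not Postfix source. The suffix table is the
list of transport_* parameters in postconf(5); the master.cf fragment and
the main.cf values (given already parsed) are constructed.
"""

# suffix -> the global parameter that <transport>_<suffix> overrides
SUFFIX_DEFAULT = {
    "delivery_slot_cost": "default_delivery_slot_cost",
    "delivery_slot_discount": "default_delivery_slot_discount",
    "delivery_slot_loan": "default_delivery_slot_loan",
    "destination_concurrency_failed_cohort_limit":
        "default_destination_concurrency_failed_cohort_limit",
    "destination_concurrency_limit": "default_destination_concurrency_limit",
    "destination_concurrency_negative_feedback":
        "default_destination_concurrency_negative_feedback",
    "destination_concurrency_positive_feedback":
        "default_destination_concurrency_positive_feedback",
    "destination_rate_delay": "default_destination_rate_delay",
    "destination_recipient_limit": "default_destination_recipient_limit",
    "extra_recipient_limit": "default_extra_recipient_limit",
    "initial_destination_concurrency": "initial_destination_concurrency",
    "minimum_delivery_slots": "default_minimum_delivery_slots",
    "recipient_limit": "default_recipient_limit",
    "recipient_refill_delay": "default_recipient_refill_delay",
    "recipient_refill_limit": "default_recipient_refill_limit",
    "time_limit": "command_time_limit",
    "transport_rate_delay": "default_transport_rate_delay",
}
# Longest suffix first: smtp_destination_recipient_limit must split as
# (smtp, destination_recipient_limit), not (smtp_destination, recipient_limit).
_SUFFIXES = sorted(SUFFIX_DEFAULT, key=len, reverse=True)


def master_services(text):
    """Service names (first field) from master.cf. Indented lines are
    continuations such as '-o name=value'; comments and blanks are skipped."""
    names = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0] in " \t":
            continue
        name = line.split()[0]
        if name not in names:
            names.append(name)
    return names


def split_override(name):
    """('relay', 'destination_concurrency_limit') for
    'relay_destination_concurrency_limit'; None for anything else,
    including the global parameters that the overrides replace."""
    if name in SUFFIX_DEFAULT.values():
        return None
    for suffix in _SUFFIXES:
        if name.endswith("_" + suffix) and len(name) > len(suffix) + 1:
            return name[: -len(suffix) - 1], suffix
    return None


def effective_value(params, transport, suffix):
    """(value, parameter it came from): the transport-specific parameter
    if set, otherwise the global parameter it overrides (None if unset)."""
    override = "%s_%s" % (transport, suffix)
    if override in params:
        return params[override], override
    base = SUFFIX_DEFAULT[suffix]
    return params.get(base), base


def unused_overrides(params, services):
    """Override-shaped names whose prefix is not a master.cf service.
    Postfix never consults these, so a misspelled transport leaves the
    global default in force; check this first when a per-transport limit
    does not appear to take effect."""
    bad = []
    for name in params:
        parts = split_override(name)
        if parts and parts[0] not in services:
            bad.append(name)
    return bad


SAMPLE_MASTER_CF = """\
# constructed master.cf fragment: service type private unpriv chroot wakeup maxproc command
smtp      inet  n       -       y       -       -       smtpd
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
    -o syslog_name=postfix/$service_name
tlsproxy  unix  -       -       y       -       0       tlsproxy
"""
SAMPLE_MAIN_CF = {                           # constructed, already parsed
    "default_destination_concurrency_limit": "20",
    "default_destination_recipient_limit": "50",
    "relay_destination_concurrency_limit": "5",
    "relay_destination_recipient_limit": "10",
    "realy_destination_rate_delay": "1s",    # typo: "realy" is no service
}

if __name__ == "__main__":
    services = master_services(SAMPLE_MASTER_CF)
    for transport in services:
        for suffix in ("destination_concurrency_limit", "destination_recipient_limit"):
            value, source = effective_value(SAMPLE_MAIN_CF, transport, suffix)
            print("%-9s %-30s = %-4s (from %s)" % (transport, suffix, value, source))
    for name in unused_overrides(SAMPLE_MAIN_CF, services):
        print("WARNING: %s matches no master.cf service" % name)
```

       With the constructed data the report shows relay using its own limits
       and smtp falling back to the default_* parameters, and the misspelled
       realy_destination_rate_delay is reported as matching no service.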

trigger_timeout (default: 10s)
       The time limit for sending a trigger to a Postfix daemon (for example,
       the pickup(8) or qmgr(8) daemon). This time limit prevents programs
       from getting stuck when the mail system is under heavy load.

       Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
       The default time unit is s (seconds).

undisclosed_recipients_header (default: see postconf -d output)
       Message header that the Postfix cleanup(8) server inserts when a
       message contains no To: or Cc: message header. With Postfix 2.8 and
       later, the default value is empty. With Postfix 2.4-2.7, specify an
       empty value to disable this feature.

       Example:

       # Default value before Postfix 2.8.
       # Note: the ":" and ";" are both required.
       undisclosed_recipients_header = To: undisclosed-recipients:;

unknown_address_reject_code (default: 450)
       The numerical response code when the Postfix SMTP server rejects a
       sender or recipient address because its domain is unknown. This is one
       of the possible replies from the restrictions
       reject_unknown_sender_domain and reject_unknown_recipient_domain.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_address_tempfail_action (default: $reject_tempfail_action)
       The Postfix SMTP server's action when reject_unknown_sender_domain or
       reject_unknown_recipient_domain fail due to a temporary error
       condition. Specify "defer" to defer the remote SMTP client request
       immediately. With the default "defer_if_permit" action, the Postfix
       SMTP server continues to look for opportunities to reject mail, and
       defers the client request only if it would otherwise be accepted.

       This feature is available in Postfix 2.6 and later.

unknown_client_reject_code (default: 450)
       The numerical Postfix SMTP server response code when a client without
       valid address <=> name mapping is rejected by the
       reject_unknown_client_hostname restriction. The SMTP server always
       replies with 450 when the mapping failed due to a temporary error
       condition.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_helo_hostname_tempfail_action (default: $reject_tempfail_action)
       The Postfix SMTP server's action when reject_unknown_helo_hostname
       fails due to a temporary error condition. Specify "defer" to defer the
       remote SMTP client request immediately. With the default
       "defer_if_permit" action, the Postfix SMTP server continues to look for
       opportunities to reject mail, and defers the client request only if it
       would otherwise be accepted.

       This feature is available in Postfix 2.6 and later.

unknown_hostname_reject_code (default: 450)
       The numerical Postfix SMTP server response code when the hostname
       specified with the HELO or EHLO command is rejected by the
       reject_unknown_helo_hostname restriction.

       Do not change this unless you have a complete understanding of RFC
       5321.

unknown_local_recipient_reject_code (default: 550)
       The numerical Postfix SMTP server response code when a recipient
       address is local, and $local_recipient_maps specifies a list of lookup
       tables that does not match the recipient. A recipient address is local
       when its domain matches $mydestination, $proxy_interfaces or
       $inet_interfaces.

       The default setting is 550 (reject mail) but it is safer to initially
       use 450 (try again later) so you have time to find out if your
       local_recipient_maps settings are OK.

       Example:

       unknown_local_recipient_reject_code = 450

       This feature is available in Postfix 2.0 and later.


unknown_relay_recipient_reject_code (default: 550)

12869       The numerical Postfix SMTP server reply code when a  recipient  address
12870       matches  $relay_domains,  and  relay_recipient_maps specifies a list of
12871       lookup tables that does not match the recipient address.
12872
12873       This feature is available in Postfix 2.0 and later.
12874

unknown_virtual_alias_reject_code (default: 550)

12876       The Postfix SMTP server reply code when  a  recipient  address  matches
12877       $virtual_alias_domains,  and  $virtual_alias_maps  specifies  a list of
12878       lookup tables that does not match the recipient address.
12879
12880       This feature is available in Postfix 2.0 and later.
12881

unknown_virtual_mailbox_reject_code (default: 550)

12883       The Postfix SMTP server reply code when  a  recipient  address  matches
12884       $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
12885       lookup tables that does not match the recipient address.
12886
12887       This feature is available in Postfix 2.0 and later.
12888

unverified_recipient_defer_code (default: 450)

12890       The numerical Postfix SMTP server response  when  a  recipient  address
12891       probe fails due to a temporary error condition.
12892
12893       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12894       address anyway.
12895
12896       Do not change this unless you have  a  complete  understanding  of  RFC
12897       5321.
12898
12899       This feature is available in Postfix 2.6 and later.
12900

unverified_recipient_reject_code (default: 450)

12902       The  numerical Postfix SMTP server response when a recipient address is
12903       rejected by the reject_unverified_recipient restriction.
12904
12905       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12906       address anyway.
12907
12908       Do  not  change  this  unless  you have a complete understanding of RFC
12909       5321.
12910
12911       This feature is available in Postfix 2.1 and later.
12912

unverified_recipient_reject_reason (default: empty)

12914       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12915       fied_recipient.  Do  not  include  the  numeric  SMTP reply code or the
12916       enhanced status code. By default, the response includes actual  address
12917       verification details.
12918
12919       Example:
12920
12921       unverified_recipient_reject_reason = Recipient address lookup failed
12922
12923       This feature is available in Postfix 2.6 and later.
12924

unverified_recipient_tempfail_action (default: $reject_tempfail_action)

12926       The Postfix SMTP server's action when reject_unverified_recipient fails
12927       due to a temporary error condition. Specify "defer" to defer the remote
12928       SMTP  client  request  immediately.  With the default "defer_if_permit"
12929       action, the Postfix SMTP server continues to look for opportunities  to
12930       reject  mail,  and defers the client request only if it would otherwise
12931       be accepted.
12932
12933       This feature is available in Postfix 2.6 and later.
12934

unverified_sender_defer_code (default: 450)

12936       The numerical Postfix SMTP server response code when a  sender  address
12937       probe fails due to a temporary error condition.
12938
12939       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12940       address anyway.
12941
12942       Do not change this unless you have  a  complete  understanding  of  RFC
12943       5321.
12944
12945       This feature is available in Postfix 2.6 and later.
12946

unverified_sender_reject_code (default: 450)

12948       The  numerical  Postfix  SMTP  server  response  code  when a recipient
12949       address is rejected by the reject_unverified_sender restriction.
12950
12951       Unlike elsewhere in Postfix, you can specify 250 in order to accept the
12952       address anyway.
12953
12954       Do  not  change  this  unless  you have a complete understanding of RFC
12955       5321.
12956
12957       This feature is available in Postfix 2.1 and later.
12958

unverified_sender_reject_reason (default: empty)

12960       The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
12961       fied_sender. Do not include the numeric SMTP reply code or the enhanced
12962       status code. By default, the response includes actual address verifica‐
12963       tion details.
12964
12965       Example:
12966
12967       unverified_sender_reject_reason = Sender address lookup failed
12968
12969       This feature is available in Postfix 2.6 and later.
12970

unverified_sender_tempfail_action (default: $reject_tempfail_action)

12972       The  Postfix  SMTP  server's action when reject_unverified_sender fails
12973       due to a temporary error condition. Specify "defer" to defer the remote
12974       SMTP  client  request  immediately.  With the default "defer_if_permit"
12975       action, the Postfix SMTP server continues to look for opportunities  to
12976       reject  mail,  and defers the client request only if it would otherwise
12977       be accepted.
12978
12979       This feature is available in Postfix 2.6 and later.
12980
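       The four *_tempfail_action parameters above (unknown_address_tempfail_action, unknown_helo_hostname_tempfail_action, unverified_recipient_tempfail_action and unverified_sender_tempfail_action) apply one rule. The model below is an added illustration, not Postfix source: it walks a restriction list the way the text describes, so the difference between "defer" and "defer_if_permit" can be seen on a constructed list. The restriction names are real Postfix restrictions; the per-restriction outcomes and the dnsbl.example zone are assumptions.

```python
"""Model of how a *_tempfail_action setting decides the SMTP server's reply
when one restriction hits a temporary error.  Added illustration, not
Postfix source: the evaluation loop is a simplified reconstruction of the
behaviour that postconf(5) documents for "defer" and "defer_if_permit"."""
from typing import List, Tuple

# Raw outcome of a single restriction for one client/command.
PERMIT, REJECT, TEMPFAIL, DUNNO = "permit", "reject", "tempfail", "dunno"


def smtpd_decision(restrictions: List[Tuple[str, str]], tempfail_action: str) -> str:
    """Walk `restrictions` (ordered (name, outcome) pairs) and return the
    final decision as a short string.  Reply codes are illustrative; in
    Postfix they come from the *_reject_code parameters."""
    if tempfail_action not in ("defer", "defer_if_permit"):
        raise ValueError("unsupported tempfail action: " + tempfail_action)
    first_tempfail = None
    for name, outcome in restrictions:
        if outcome == TEMPFAIL:
            if tempfail_action == "defer":
                return "450 defer: " + name          # fail closed right away
            first_tempfail = first_tempfail or name  # remember, keep looking
        elif outcome == REJECT:
            return "550 reject: " + name             # a later reject still wins
        elif outcome == PERMIT:
            break                                    # explicit permit
        # DUNNO: this restriction has no opinion, continue with the next one
    # End of the list (implicit permit) or an explicit permit: with
    # defer_if_permit the request is deferred only now, because it would
    # otherwise have been accepted despite the unresolved temporary error.
    if first_tempfail is not None:
        return "450 defer: " + first_tempfail
    return "250 permit"


# Constructed scenario 1: a DNS timeout in reject_unknown_recipient_domain,
# followed by a restriction that rejects the client anyway.
LATER_REJECT = [
    ("permit_mynetworks", DUNNO),
    ("reject_unauth_destination", DUNNO),
    ("reject_unknown_recipient_domain", TEMPFAIL),
    ("reject_rbl_client dnsbl.example", REJECT),   # dnsbl.example: placeholder zone
]

# Constructed scenario 2: the same timeout, but nothing after it objects.
NO_LATER_REJECT = [
    ("permit_mynetworks", DUNNO),
    ("reject_unknown_recipient_domain", TEMPFAIL),
    ("reject_rbl_client dnsbl.example", DUNNO),
]

if __name__ == "__main__":
    for action in ("defer", "defer_if_permit"):
        print(action, "->", smtpd_decision(LATER_REJECT, action),
              "|", smtpd_decision(NO_LATER_REJECT, action))
```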

verp_delimiter_filter (default: -=+)

12982       The characters Postfix accepts as  VERP  delimiter  characters  on  the
12983       Postfix sendmail(1) command line and in SMTP commands.
12984
12985       This feature is available in Postfix 1.1 and later.
12986

virtual_alias_address_length_limit (default: 1000)

12988       The  maximal  length of an email address after virtual alias expansion.
12989       This stops virtual aliasing loops  that  increase  the  address  length
12990       exponentially.
12991
12992       This feature is available in Postfix 3.0 and later.
12993

virtual_alias_domains (default: $virtual_alias_maps)

       Postfix  is  final  destination for the specified list of virtual alias
       domains, that is, domains  for  which  all  addresses  are  aliased  to
       addresses  in  other local or remote domains. The SMTP server validates
       recipient addresses with $virtual_alias_maps and  rejects  non-existent
       recipients.   See   also   the   virtual  alias  domain  class  in  the
       ADDRESS_CLASS_README file.
13001
13002       This feature is available in Postfix 2.0 and later. The  default  value
13003       is backwards compatible with Postfix version 1.1.
13004
13005       The  default  value  is  $virtual_alias_maps  so  that you can keep all
13006       information about virtual alias domains in one place.  If you have many
13007       users,  it  is  better  to  separate information that changes more fre‐
13008       quently (virtual address ->  local  or  remote  address  mapping)  from
13009       information  that  changes  less frequently (the list of virtual domain
13010       names).
13011
13012       Specify a list of host or domain names,  "/file/name"  or  "type:table"
13013       patterns, separated by commas and/or whitespace. A "/file/name" pattern
13014       is replaced by its contents; a "type:table"  lookup  table  is  matched
13015       when  a  table  entry  matches  a  lookup  string (the lookup result is
13016       ignored).  Continue long lines by starting the next  line  with  white‐
13017       space.  Specify  "!pattern"  to  exclude a host or domain name from the
13018       list. The form "!/file/name" is supported only in Postfix  version  2.4
13019       and later.
13020
13021       See also the VIRTUAL_README and ADDRESS_CLASS_README documents for fur‐
13022       ther information.
13023
13024       Example:
13025
13026       virtual_alias_domains = virtual1.tld virtual2.tld
13027

virtual_alias_expansion_limit (default: 1000)

13029       The maximal number of addresses that virtual alias  expansion  produces
13030       from each original recipient.
13031
13032       This feature is available in Postfix 2.1 and later.
13033

virtual_alias_maps (default: $virtual_maps)

       Optional lookup tables that alias specific mail addresses or domains to
       other local or remote addresses. The table format and lookups are docu‐
       mented  in virtual(5). For an overview of Postfix address manipulations
       see the ADDRESS_REWRITING_README document.
13039
13040       This feature is available in Postfix 2.0 and later. The  default  value
13041       is backwards compatible with Postfix version 1.1.
13042
13043       Specify zero or more "type:name" lookup tables, separated by whitespace
13044       or comma. Tables will be searched in the specified order until a  match
13045       is found.  Note: these lookups are recursive.
13046
13047       If  you  use  this  feature with indexed files, run "postmap /etc/post‐
13048       fix/virtual" after changing the file.
13049
13050       Examples:
13051
13052       virtual_alias_maps = dbm:/etc/postfix/virtual
13053       virtual_alias_maps = hash:/etc/postfix/virtual
13054

virtual_alias_recursion_limit (default: 1000)

13056       The maximal nesting depth of virtual alias  expansion.   Currently  the
13057       recursion  limit  is  applied  only to the left branch of the expansion
13058       graph, so the depth of the tree can in the worst case reach the sum  of
13059       the expansion and recursion limits.  This may change in the future.
13060
13061       This feature is available in Postfix 2.1 and later.
13062
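       How the three limits above (virtual_alias_expansion_limit, virtual_alias_recursion_limit and virtual_alias_address_length_limit) stop a runaway virtual_alias_maps expansion, as an added model that is not Postfix code. The lookup order is simplified to exact address, then "@domain", then regexp entries, and the recursion limit is applied on every branch rather than only the left branch as the text says Postfix currently does; the alias tables are constructed sample data.

```python
"""Simplified model of recursive virtual alias expansion with the three
limits postconf(5) documents.  Added illustration, not Postfix source:
the real virtual(5) lookup order has more steps, and Postfix applies
virtual_alias_recursion_limit only to the left branch of the expansion
graph, whereas this model counts depth on every branch."""
import re
from typing import Dict, List, Optional, Pattern, Tuple


class AliasLimitExceeded(Exception):
    """Raised where Postfix would stop because a limit was hit."""


def lookup(table: Dict[str, List[str]],
           regexp_table: List[Tuple[Pattern, str]],
           address: str) -> Optional[List[str]]:
    """Exact address, then "@domain" catch-all, then regexp entries."""
    if address in table:
        return table[address]
    domain = address.rpartition("@")[2]
    if "@" + domain in table:
        return table["@" + domain]
    for pattern, replacement in regexp_table:
        if pattern.fullmatch(address):
            return [pattern.sub(replacement, address)]
    return None


def expand_virtual_aliases(table, regexp_table, recipient, *,
                           expansion_limit=1000, recursion_limit=1000,
                           address_length_limit=1000) -> List[str]:
    """Return the final addresses for `recipient`, or raise when a limit
    (the roles of virtual_alias_expansion_limit, virtual_alias_recursion_limit
    and virtual_alias_address_length_limit) is exceeded."""
    produced = 0            # addresses produced from this one recipient
    final: List[str] = []

    def walk(address: str, depth: int) -> None:
        nonlocal produced
        if len(address) > address_length_limit:
            raise AliasLimitExceeded(f"address length {len(address)} exceeds {address_length_limit}")
        if depth > recursion_limit:
            raise AliasLimitExceeded(f"nesting depth exceeds {recursion_limit} at {address}")
        targets = lookup(table, regexp_table, address)
        if targets is None:               # not aliased: a final recipient
            final.append(address)
            return
        produced += len(targets)
        if produced > expansion_limit:
            raise AliasLimitExceeded(f"more than {expansion_limit} addresses produced")
        for target in targets:
            walk(target, depth + 1)

    walk(recipient, 0)
    return final


# Constructed sample tables (what a hash: table and a regexp: table for
# virtual_alias_maps might contain).
ALIASES = {
    "sales@example.com": ["alice@example.com", "bob@example.com"],
    "alice@example.com": ["alice@mail.example.net"],
    "@example.org": ["postmaster@example.com"],   # catch-all for a domain
    "loop@example.com": ["loop@example.com"],     # a simple aliasing loop
}
# A regexp entry that doubles the local part on every pass: the address
# length grows exponentially until virtual_alias_address_length_limit stops it.
DOUBLING = [(re.compile(r"(.*)@grow\.example"), r"\1\1@grow.example")]

if __name__ == "__main__":
    print(expand_virtual_aliases(ALIASES, [], "sales@example.com"))
    for bad, limits in (("loop@example.com", {"recursion_limit": 5}),
                        ("x@grow.example", {"address_length_limit": 100})):
        try:
            expand_virtual_aliases(ALIASES, DOUBLING, bad, **limits)
        except AliasLimitExceeded as err:
            print(bad, "->", err)
```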

virtual_delivery_status_filter (default: $default_delivery_status_filter)

13064       Optional  filter for the virtual(8) delivery agent to change the deliv‐
13065       ery status code or  explanatory  text  of  successful  or  unsuccessful
13066       deliveries.  See default_delivery_status_filter for details.
13067
13068       This feature is available in Postfix 3.0 and later.
13069

virtual_destination_concurrency_limit (default: $default_destination_concurrency_limit)

       The maximal number of parallel deliveries to the same  destination  via
       the  virtual  message delivery transport. This limit is enforced by the
       queue manager. The message delivery transport name is the  first  field
       in the entry in the master.cf file.
13076

virtual_destination_recipient_limit (default: $default_destination_recipient_limit)

       The maximal number of recipients per message for  the  virtual  message
       delivery  transport.  This  limit is enforced by the queue manager. The
       message delivery transport name is the first field in the entry in  the
       master.cf file.

       Setting  this  parameter  to  a  value of 1 changes the meaning of vir‐
       tual_destination_concurrency_limit from  concurrency  per  domain  into
       concurrency per recipient.
13087

virtual_gid_maps (default: empty)

13089       Lookup  tables  with  the per-recipient group ID for virtual(8) mailbox
13090       delivery.
13091
13092       This parameter is specific to the virtual(8) delivery agent.   It  does
13093       not  apply  when  mail is delivered with a different mail delivery pro‐
13094       gram.
13095
13096       Specify zero or more "type:name" lookup tables, separated by whitespace
13097       or  comma. Tables will be searched in the specified order until a match
13098       is found.
13099
13100       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
13101       any  user  in  the  specified  domain  that  does  not  have a specific
13102       "user@domain.tld" entry.
13103
13104       When  a  recipient  address   has   an   optional   address   extension
13105       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
13106       address first, and when the lookup fails, it looks  up  the  unextended
13107       address (user@domain.tld).
13108
13109       Note  1:  for security reasons, the virtual(8) delivery agent disallows
13110       regular expression substitution of $1 etc. in regular expression lookup
13111       tables, because that would open a security hole.
13112
13113       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
13114       silently ignore requests to use the proxymap(8) server. Instead it will
13115       open  the  table  directly.  Before Postfix version 2.2, the virtual(8)
13116       delivery agent will terminate with a fatal error.
13117

virtual_mailbox_base (default: empty)

13119       A prefix that the virtual(8) delivery agent prepends  to  all  pathname
13120       results  from  $virtual_mailbox_maps  table  lookups.  This is a safety
13121       measure to ensure that an out of control map doesn't  litter  the  file
13122       system with mailboxes.  While virtual_mailbox_base could be set to "/",
13123       this setting isn't recommended.
13124
13125       This parameter is specific to the virtual(8) delivery agent.   It  does
13126       not  apply  when  mail is delivered with a different mail delivery pro‐
13127       gram.
13128
13129       Example:
13130
13131       virtual_mailbox_base = /var/mail
13132

virtual_mailbox_domains (default: $virtual_mailbox_maps)

13134       Postfix is final destination for the specified list of domains; mail is
13135       delivered  via  the  $virtual_transport  mail  delivery  transport.  By
13136       default this is the Postfix virtual(8) delivery agent.  The SMTP server
13137       validates  recipient  addresses  with $virtual_mailbox_maps and rejects
13138       mail for non-existent recipients.  See also the virtual mailbox  domain
13139       class in the ADDRESS_CLASS_README file.
13140
13141       This  parameter expects the same syntax as the mydestination configura‐
13142       tion parameter.
13143
13144       This feature is available in Postfix 2.0 and later. The  default  value
13145       is backwards compatible with Postfix version 1.1.
13146

virtual_mailbox_limit (default: 51200000)

13148       The  maximal  size  in  bytes  of  an  individual virtual(8) mailbox or
13149       maildir file, or zero (no limit).
13150
13151       This parameter is specific to the virtual(8) delivery agent.   It  does
13152       not  apply  when  mail is delivered with a different mail delivery pro‐
13153       gram.
13154

virtual_mailbox_lock (default: see postconf -d output)

13156       How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
13157       For  a  list  of  available file locking methods, use the "postconf -l"
13158       command.
13159
13160       This parameter is specific to the virtual(8) delivery agent.   It  does
13161       not  apply  when  mail is delivered with a different mail delivery pro‐
13162       gram.
13163
13164       This setting is ignored  with  maildir  style  delivery,  because  such
13165       deliveries are safe without application-level locks.
13166
13167       Note  1:  the dotlock method requires that the recipient UID or GID has
13168       write access to the parent directory of the recipient's mailbox file.
13169
13170       Note 2: the default setting of this parameter is system dependent.
13171

virtual_mailbox_maps (default: empty)

13173       Optional lookup tables with all valid addresses  in  the  domains  that
13174       match $virtual_mailbox_domains.
13175
13176       Specify zero or more "type:name" lookup tables, separated by whitespace
13177       or comma. Tables will be searched in the specified order until a  match
13178       is found.
13179
13180       In  a  lookup table, specify a left-hand side of "@domain.tld" to match
13181       any user in  the  specified  domain  that  does  not  have  a  specific
13182       "user@domain.tld" entry.
13183
13184       The  remainder  of  this  text  is  specific to the virtual(8) delivery
13185       agent.  It does not apply when mail is delivered with a different  mail
13186       delivery program.
13187
13188       The virtual(8) delivery agent uses this table to look up the per-recip‐
13189       ient mailbox or maildir pathname.  If the lookup result ends in a slash
13190       ("/"),  maildir-style  delivery  is  carried out, otherwise the path is
13191       assumed to specify a UNIX-style mailbox file.  Note that $virtual_mail‐
13192       box_base is unconditionally prepended to this path.
13193
13194       When   a   recipient   address   has   an  optional  address  extension
13195       (user+foo@domain.tld), the virtual(8) delivery agent looks up the  full
13196       address  first,  and  when the lookup fails, it looks up the unextended
13197       address (user@domain.tld).
13198
13199       Note 1: for security reasons, the virtual(8) delivery  agent  disallows
13200       regular expression substitution of $1 etc. in regular expression lookup
13201       tables, because that would open a security hole.
13202
13203       Note 2: for  security  reasons,  the  virtual(8)  delivery  agent  will
13204       silently ignore requests to use the proxymap(8) server. Instead it will
13205       open the table directly. Before Postfix  version  2.2,  the  virtual(8)
13206       delivery agent will terminate with a fatal error.
13207

virtual_maps (default: empty)

13209       Optional lookup tables with a) names of domains for which all addresses
13210       are aliased to addresses in other  local  or  remote  domains,  and  b)
13211       addresses  that  are  aliased  to  addresses  in  other local or remote
13212       domains.  Available before Postfix version 2.0.  With  Postfix  version
13213       2.0   and   later,   this   is  replaced  by  separate  controls:  vir‐
13214       tual_alias_domains and virtual_alias_maps.
13215

virtual_minimum_uid (default: 100)

13217       The minimum user ID value that the virtual(8) delivery agent accepts as
13218       a  result  from  $virtual_uid_maps  table lookup.  Returned values less
13219       than this will be rejected, and the message will be deferred.
13220
13221       This parameter is specific to the virtual(8) delivery agent.   It  does
13222       not  apply  when  mail is delivered with a different mail delivery pro‐
13223       gram.
13224

virtual_transport (default: virtual)

13226       The default mail delivery transport and next-hop destination for  final
13227       delivery  to domains listed with $virtual_mailbox_domains.  This infor‐
13228       mation can be overruled with the transport(5) table.
13229
13230       Specify a string of the form transport:nexthop, where transport is  the
13231       name  of  a mail delivery transport defined in master.cf.  The :nexthop
13232       destination is optional; its syntax is documented in the manual page of
13233       the corresponding delivery agent.
13234
13235       This feature is available in Postfix 2.0 and later.
13236

virtual_uid_maps (default: empty)

13238       Lookup tables with the per-recipient user ID that the virtual(8) deliv‐
13239       ery agent uses while writing to the recipient's mailbox.
13240
13241       This parameter is specific to the virtual(8) delivery agent.   It  does
13242       not  apply  when  mail is delivered with a different mail delivery pro‐
13243       gram.
13244
13245       Specify zero or more "type:name" lookup tables, separated by whitespace
13246       or  comma. Tables will be searched in the specified order until a match
13247       is found.
13248
13249       In a lookup table, specify a left-hand side of "@domain.tld"  to  match
13250       any  user  in  the  specified  domain  that  does  not  have a specific
13251       "user@domain.tld" entry.
13252
13253       When  a  recipient  address   has   an   optional   address   extension
13254       (user+foo@domain.tld),  the virtual(8) delivery agent looks up the full
13255       address first, and when the lookup fails, it looks  up  the  unextended
13256       address (user@domain.tld).
13257
13258       Note  1:  for security reasons, the virtual(8) delivery agent disallows
13259       regular expression substitution of $1 etc. in regular expression lookup
13260       tables, because that would open a security hole.
13261
13262       Note  2:  for  security  reasons,  the  virtual(8)  delivery agent will
13263       silently ignore requests to use the proxymap(8) server. Instead it will
13264       open  the  table  directly.  Before Postfix version 2.2, the virtual(8)
13265       delivery agent will terminate with a fatal error.
13266
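       The lookup rules that virtual_gid_maps, virtual_mailbox_maps and virtual_uid_maps share (full address first, then the unextended address, then "@domain"), together with virtual_mailbox_base, the trailing-slash maildir rule and virtual_minimum_uid, as an added Python model that is not part of Postfix. The tables are constructed sample data, the "+" extension delimiter is an assumption, and the function reports what virtual(8) would do with each recipient.

```python
"""Model of how virtual(8) resolves one recipient to a mailbox path and a
uid/gid, following the lookup order given in postconf(5) for
virtual_mailbox_maps, virtual_uid_maps and virtual_gid_maps.  Added
illustration, not Postfix source; the address extension delimiter is
assumed to be "+"."""
from typing import Dict, Optional

DELIMITER = "+"   # assumed recipient_delimiter


def virtual_lookup(table: Dict[str, str], recipient: str) -> Optional[str]:
    """Full address first, then the address without its extension, then the
    "@domain" entry that covers users without a specific entry."""
    local, _, domain = recipient.rpartition("@")
    keys = [recipient]
    if DELIMITER in local:
        keys.append(local.split(DELIMITER, 1)[0] + "@" + domain)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return table[key]
    return None


def resolve_delivery(recipient: str, mailbox_maps: Dict[str, str],
                     uid_maps: Dict[str, str], gid_maps: Dict[str, str],
                     mailbox_base: str = "/var/mail",
                     minimum_uid: int = 100) -> Dict[str, str]:
    """Return the delivery decision for `recipient` as a small dict."""
    path = virtual_lookup(mailbox_maps, recipient)
    if path is None:
        # No entry in virtual_mailbox_maps: not a valid recipient here.
        return {"status": "unknown user"}
    uid = virtual_lookup(uid_maps, recipient)
    gid = virtual_lookup(gid_maps, recipient)
    if uid is None or gid is None:
        return {"status": "defer", "reason": "no uid or gid mapping"}
    if int(uid) < minimum_uid:
        # Values below virtual_minimum_uid are rejected and the message is
        # deferred, so a map error cannot make virtual(8) write as a
        # low-numbered system uid.
        return {"status": "defer",
                "reason": f"uid {uid} below virtual_minimum_uid {minimum_uid}"}
    style = "maildir" if path.endswith("/") else "mbox"   # trailing "/" rule
    # virtual_mailbox_base is unconditionally prepended to the lookup result.
    full_path = mailbox_base.rstrip("/") + "/" + path.lstrip("/")
    return {"status": "deliver", "style": style, "path": full_path,
            "uid": uid, "gid": gid}


# Constructed sample tables.
MAILBOXES = {
    "alice@example.com": "example.com/alice/",   # maildir
    "bob@example.com": "example.com/bob",        # UNIX-style mailbox file
    "@example.com": "example.com/catchall",      # any other user in the domain
}
UIDS = {"@example.com": "5000", "bob@example.com": "50"}
GIDS = {"@example.com": "5000"}

if __name__ == "__main__":
    for rcpt in ("alice+lists@example.com", "carol@example.com",
                 "bob@example.com", "dave@other.example"):
        print(rcpt, "->", resolve_delivery(rcpt, MAILBOXES, UIDS, GIDS))
```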

SEE ALSO

13268       postconf(1), Postfix configuration parameter maintenance
13269       master(5), Postfix daemon configuration maintenance
13270

LICENSE

13272       The Secure Mailer license must be distributed with this software.
13273

AUTHOR(S)

13275       Wietse Venema
13276       IBM T.J. Watson Research
13277       P.O. Box 704
13278       Yorktown Heights, NY 10598, USA
13279
13280       Wietse Venema
13281       Google, Inc.
13282       111 8th Avenue
13283       New York, NY 10011, USA
13284
13285       Viktor Dukhovni
13286
13287
13288
13289                                                                   POSTCONF(5)