SMTP(8)                 System Manager's Manual                 SMTP(8)

smtp - Postfix SMTP+LMTP client

smtp [generic Postfix daemon options] [flags=DORX]

The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery
protocols. It processes message delivery requests from the queue
manager. Each request specifies a queue file, a sender address, a domain
or host to deliver to, and recipient information. This program expects
to be run from the master(8) process manager.

The SMTP+LMTP client updates the queue file and marks recipients as
finished, or it informs the queue manager that delivery should be tried
again at a later time. Delivery status reports are sent to the
bounce(8), defer(8) or trace(8) daemon as appropriate.

The SMTP+LMTP client looks up a list of mail exchanger addresses for
the destination host, sorts the list by preference, and connects to
each listed address until it finds a server that responds.

When a server is not reachable, or when mail delivery fails due to a
recoverable error condition, the SMTP+LMTP client will try to deliver
the mail to an alternate host.

After a successful mail transaction, a connection may be saved to the
scache(8) connection cache server, so that it may be used by any
SMTP+LMTP client for a subsequent transaction.

By default, connection caching is enabled temporarily for destinations
that have a high volume of mail in the active queue. Connection caching
can be enabled permanently for specific destinations.

The Postfix SMTP+LMTP client supports multiple destinations separated
by comma or whitespace (Postfix 3.5 and later). SMTP destinations have
the following form:

domainname
domainname:port
    Look up the mail exchangers for the specified domain, and connect
    to the specified port (default: smtp).

[hostname]
[hostname]:port
    Look up the address(es) of the specified host, and connect to the
    specified port (default: smtp).

[address]
[address]:port
    Connect to the host at the specified address, and connect to the
    specified port (default: smtp). An IPv6 address must be formatted
    as [ipv6:address].

The Postfix SMTP+LMTP client supports multiple destinations separated
by comma or whitespace (Postfix 3.5 and later). LMTP destinations have
the following form:

unix:pathname
    Connect to the local UNIX-domain server that is bound to the
    specified pathname. If the process runs chrooted, an absolute
    pathname is interpreted relative to the Postfix queue directory.

inet:hostname
inet:hostname:port
inet:[address]
inet:[address]:port
    Connect to the specified TCP port on the specified local or remote
    host. If no port is specified, connect to the port defined as lmtp
    in services(4). If no such service is found, the lmtp_tcp_port
    configuration parameter (default value of 24) will be used. An IPv6
    address must be formatted as [ipv6:address].
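
The SMTP and LMTP destination forms listed above, as an added parser example (not Postfix code and not part of the original manual). It shows which forms cause an MX lookup and which pin a host or address, which is what a reviewer checks in relayhost or transport entries. The Destination tuple, the function names and the sample hosts are assumptions made for illustration; forms the manual does not list are rejected.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

PORT_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # numeric port or service name


class Destination(NamedTuple):
    kind: str             # "mx", "host", "address" or "unix"
    target: str           # domain, hostname, IP address or socket path
    port: Optional[str]   # None means "use the protocol default"


def _split_port(spec):
    """Return (name, bracketed, port) for name, name:port, [x] or [x]:port."""
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"missing ']' in {spec!r}")
        name, rest = spec[1:end], spec[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']' in {spec!r}")
        port = rest[1:] if rest else None
        bracketed = True
    else:
        name, sep, port = spec.partition(":")
        port = port if sep else None
        bracketed = False
    if not name:
        raise ValueError(f"empty host in {spec!r}")
    if port is not None and not PORT_RE.match(port):
        raise ValueError(f"bad port in {spec!r}")
    return name, bracketed, port


def _classify(name, bracketed, protocol):
    """Map a host part to (kind, normalized target)."""
    if bracketed:
        if name.lower().startswith("ipv6:"):
            return "address", str(ipaddress.IPv6Address(name[5:]))
        try:
            return "address", str(ipaddress.IPv4Address(name))
        except ValueError:
            if ":" in name:
                raise ValueError("IPv6 must be written as [ipv6:address]")
            return "host", name          # address lookup only, no MX lookup
    # Unbracketed: SMTP looks up mail exchangers, LMTP connects to the host.
    return ("mx" if protocol == "smtp" else "host"), name


def parse_destinations(nexthop, protocol="smtp"):
    """Parse a comma- or whitespace-separated destination list."""
    result = []
    for item in filter(None, re.split(r"[,\s]+", nexthop.strip())):
        if protocol == "lmtp":
            scheme, _, rest = item.partition(":")
            if scheme == "unix" and rest:
                result.append(Destination("unix", rest, None))
                continue
            if scheme != "inet" or not rest:
                raise ValueError(f"expected unix: or inet: prefix in {item!r}")
            item = rest
        name, bracketed, port = _split_port(item)
        kind, target = _classify(name, bracketed, protocol)
        result.append(Destination(kind, target, port))
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for d in parse_destinations(
            "example.com, [mail.example.com]:587 [ipv6:2001:db8::1]:submission"):
        print(d)
    for d in parse_destinations(
            "unix:private/dovecot-lmtp inet:[192.0.2.10]:2424", "lmtp"):
        print(d)
```

Entries reported as "mx" depend on DNS MX answers for routing; "host" and "address" entries do not.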

SINGLE-RECIPIENT DELIVERY
By default, the Postfix SMTP+LMTP client delivers mail to multiple
recipients per delivery request. This is undesirable when prepending a
Delivered-to: or X-Original-To: message header. To prevent Postfix from
sending multiple recipients per delivery request, specify

    transport_destination_recipient_limit = 1

in the Postfix main.cf file, where transport is the name in the first
column of the Postfix master.cf entry for this mail delivery service.

flags=DORX (optional)
    Optional message processing flags.

    D   Prepend a "Delivered-To: recipient" message header with the
        envelope recipient address. Note: for this to work, the
        transport_destination_recipient_limit must be 1 (see
        SINGLE-RECIPIENT DELIVERY above for details).

        The D flag also enforces loop detection: if a message already
        contains a Delivered-To: header with the same recipient
        address, then the message is returned as undeliverable. The
        address comparison is case insensitive.

        This feature is available as of Postfix 3.5.

    O   Prepend an "X-Original-To: recipient" message header with the
        recipient address as given to Postfix. Note: for this to work,
        the transport_destination_recipient_limit must be 1 (see
        SINGLE-RECIPIENT DELIVERY above for details).

        This feature is available as of Postfix 3.5.

    R   Prepend a "Return-Path: <sender>" message header with the
        envelope sender address.

        This feature is available as of Postfix 3.5.

    X   Indicates that the delivery is final. This flag affects the
        status reported in "success" DSN (delivery status notification)
        messages, and changes it from "relayed" into "delivered".

        This feature is available as of Postfix 3.5.

The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP
or LMTP servers and to DNS servers on the network. The SMTP+LMTP client
can be run chrooted at fixed low privilege.

RFC 821 (SMTP protocol)
RFC 822 (ARPA Internet Text Messages)
RFC 1651 (SMTP service extensions)
RFC 1652 (8bit-MIME transport)
RFC 1870 (Message Size Declaration)
RFC 2033 (LMTP protocol)
RFC 2034 (SMTP Enhanced Error Codes)
RFC 2045 (MIME: Format of Internet Message Bodies)
RFC 2046 (MIME: Media Types)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
RFC 2782 (SRV resource records)
RFC 2920 (SMTP Pipelining)
RFC 3207 (STARTTLS command)
RFC 3461 (SMTP DSN Extension)
RFC 3463 (Enhanced Status Codes)
RFC 4954 (AUTH command)
RFC 5321 (SMTP protocol)
RFC 6531 (Internationalized SMTP)
RFC 6533 (Internationalized Delivery Status Notifications)
RFC 7672 (SMTP security via opportunistic DANE TLS)

Problems and transactions are logged to syslogd(8) or postlogd(8).
Corrupted message files are marked so that the queue manager can move
them to the corrupt queue for further inspection.

Depending on the setting of the notify_classes parameter, the
postmaster is notified of bounces, protocol problems, and of other
trouble.

SMTP and LMTP connection reuse for TLS (without closing the SMTP or
LMTP connection) is not supported before Postfix 3.4.

SMTP and LMTP connection reuse assumes that SASL credentials are valid
for all destinations that map onto the same IP address and TCP port.

Before Postfix version 2.3, the LMTP client is a separate program that
implements only a subset of the functionality available with SMTP:
there is no support for TLS, and connections are cached in-process,
making it ineffective when the client is used for multiple domains.

Most smtp_xxx configuration parameters have an lmtp_xxx "mirror"
parameter for the equivalent LMTP feature. This document describes only
those LMTP-related parameters that aren't simply "mirror" parameters.

Changes to main.cf are picked up automatically, as smtp(8) processes
run for only a limited amount of time. Use the command "postfix reload"
to speed up a change.

The text below provides only a parameter summary. See postconf(5) for
more details including examples.

ignore_mx_lookup_error (no)
    Ignore DNS MX lookups that produce no response.

smtp_always_send_ehlo (yes)
    Always send EHLO at the start of an SMTP session.

smtp_never_send_ehlo (no)
    Never send EHLO at the start of an SMTP session.

smtp_defer_if_no_mx_address_found (no)
    Defer mail delivery when no MX record resolves to an IP address.

smtp_line_length_limit (998)
    The maximal length of message header and body lines that Postfix
    will send via SMTP.

smtp_pix_workaround_delay_time (10s)
    How long the Postfix SMTP client pauses before sending
    ".<CR><LF>" in order to work around the PIX firewall
    "<CR><LF>.<CR><LF>" bug.

smtp_pix_workaround_threshold_time (500s)
    How long a message must be queued before the Postfix SMTP client
    turns on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for
    delivery through firewalls with "smtp fixup" mode turned on.

smtp_pix_workarounds (disable_esmtp, delay_dotcrlf)
    A list that specifies zero or more workarounds for CISCO PIX
    firewall bugs.

smtp_pix_workaround_maps (empty)
    Lookup tables, indexed by the remote SMTP server address, with
    per-destination workarounds for CISCO PIX firewall bugs.

smtp_quote_rfc821_envelope (yes)
    Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO
    commands as required by RFC 5321.

smtp_reply_filter (empty)
    A mechanism to transform replies from remote SMTP servers one line
    at a time.

smtp_skip_5xx_greeting (yes)
    Skip remote SMTP servers that greet with a 5XX status code.

smtp_skip_quit_response (yes)
    Do not wait for the response to the SMTP QUIT command.

Available in Postfix version 2.0 and earlier:

smtp_skip_4xx_greeting (yes)
    Skip SMTP servers that greet with a 4XX status code (go away, try
    again later).

Available in Postfix version 2.2 and later:

smtp_discard_ehlo_keyword_address_maps (empty)
    Lookup tables, indexed by the remote SMTP server address, with
    case insensitive lists of EHLO keywords (pipelining, starttls,
    auth, etc.) that the Postfix SMTP client will ignore in the EHLO
    response from a remote SMTP server.

smtp_discard_ehlo_keywords (empty)
    A case insensitive list of EHLO keywords (pipelining, starttls,
    auth, etc.) that the Postfix SMTP client will ignore in the EHLO
    response from a remote SMTP server.

smtp_generic_maps (empty)
    Optional lookup tables that perform address rewriting in the
    Postfix SMTP client, typically to transform a locally valid address
    into a globally valid address when sending mail across the
    Internet.

Available in Postfix version 2.2.9 and later:

smtp_cname_overrides_servername (version dependent)
    When the remote SMTP servername is a DNS CNAME, replace the
    servername with the result from CNAME expansion for the purpose of
    logging, SASL password lookup, TLS policy decisions, or TLS
    certificate verification.

Available in Postfix version 2.3 and later:

lmtp_discard_lhlo_keyword_address_maps (empty)
    Lookup tables, indexed by the remote LMTP server address, with
    case insensitive lists of LHLO keywords (pipelining, starttls,
    auth, etc.) that the Postfix LMTP client will ignore in the LHLO
    response from a remote LMTP server.

lmtp_discard_lhlo_keywords (empty)
    A case insensitive list of LHLO keywords (pipelining, starttls,
    auth, etc.) that the Postfix LMTP client will ignore in the LHLO
    response from a remote LMTP server.

Available in Postfix version 2.4.4 and later:

send_cyrus_sasl_authzid (no)
    When authenticating to a remote SMTP or LMTP server with the
    default setting "no", send no SASL authoriZation ID (authzid);
    send only the SASL authentiCation ID (authcid) plus the authcid's
    password.

Available in Postfix version 2.5 and later:

smtp_header_checks (empty)
    Restricted header_checks(5) tables for the Postfix SMTP client.

smtp_mime_header_checks (empty)
    Restricted mime_header_checks(5) tables for the Postfix SMTP
    client.

smtp_nested_header_checks (empty)
    Restricted nested_header_checks(5) tables for the Postfix SMTP
    client.

smtp_body_checks (empty)
    Restricted body_checks(5) tables for the Postfix SMTP client.

Available in Postfix version 2.6 and later:

tcp_windowsize (0)
    An optional workaround for routers that break TCP window scaling.

Available in Postfix version 2.8 and later:

smtp_dns_resolver_options (empty)
    DNS Resolver options for the Postfix SMTP client.

Available in Postfix version 2.9 - 3.6:

smtp_per_record_deadline (no)
    Change the behavior of the smtp_*_timeout time limits, from a time
    limit per read or write system call, to a time limit to send or
    receive a complete record (an SMTP command line, SMTP response
    line, SMTP message content line, or TLS protocol message).

Available in Postfix version 2.9 and later:

smtp_send_dummy_mail_auth (no)
    Whether or not to append the "AUTH=<>" option to the MAIL FROM
    command in SASL-authenticated SMTP sessions.

Available in Postfix version 2.11 and later:

smtp_dns_support_level (empty)
    Level of DNS support in the Postfix SMTP client.

Available in Postfix version 3.0 and later:

smtp_delivery_status_filter ($default_delivery_status_filter)
    Optional filter for the smtp(8) delivery agent to change the
    delivery status code or explanatory text of successful or
    unsuccessful deliveries.

smtp_dns_reply_filter (empty)
    Optional filter for Postfix SMTP client DNS lookup results.

Available in Postfix version 3.3 and later:

smtp_balance_inet_protocols (yes)
    When a remote destination resolves to a combination of IPv4 and
    IPv6 addresses, ensure that the Postfix SMTP client can try both
    address types before it runs into the smtp_mx_address_limit.

Available in Postfix 3.5 and later:

info_log_address_format (external)
    The email address form that will be used in non-debug logging
    (info, warning, etc.).

Available in Postfix 3.6 and later:

dnssec_probe (ns:.)
    The DNS query type (default: "ns") and DNS query name (default:
    ".") that Postfix may use to determine whether DNSSEC validation
    is available.

known_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submission=587)
    Optional setting that avoids lookups in the services(5) database.

Available in Postfix version 3.7 and later:

smtp_per_request_deadline (no)
    Change the behavior of the smtp_*_timeout time limits, from a time
    limit per plaintext or TLS read or write call, to a combined time
    limit for sending a complete SMTP request and for receiving a
    complete SMTP response.

smtp_min_data_rate (500)
    The minimum plaintext data transfer rate in bytes/second for DATA
    requests, when deadlines are enabled with
    smtp_per_request_deadline.

header_from_format (standard)
    The format of the Postfix-generated From: header.

Available in Postfix version 3.8 and later:

use_srv_lookup (empty)
    Enables discovery for the specified service(s) using DNS SRV
    records.

ignore_srv_lookup_error (no)
    When SRV record lookup fails, fall back to MX or IP address lookup
    as if SRV record lookup was not enabled.

allow_srv_lookup_fallback (no)
    When SRV record lookup fails or no SRV record exists, fall back to
    MX or IP address lookup as if SRV record lookup was not enabled.

Available in Postfix version 2.0 and later:

disable_mime_output_conversion (no)
    Disable the conversion of 8BITMIME format to 7BIT format.

mime_boundary_length_limit (2048)
    The maximal length of MIME multipart boundary strings.

mime_nesting_limit (100)
    The maximal recursion level that the MIME processor will handle.

Available in Postfix version 2.1 and later:

smtp_send_xforward_command (no)
    Send the non-standard XFORWARD command when the Postfix SMTP server
    EHLO response announces XFORWARD support.

smtp_sasl_auth_enable (no)
    Enable SASL authentication in the Postfix SMTP client.

smtp_sasl_password_maps (empty)
    Optional Postfix SMTP client lookup tables with one
    username:password entry per sender, remote hostname or next-hop
    domain.

smtp_sasl_security_options (noplaintext, noanonymous)
    Postfix SMTP client SASL security options; as of Postfix 2.3 the
    list of available features depends on the SASL client
    implementation that is selected with smtp_sasl_type.

Available in Postfix version 2.2 and later:

smtp_sasl_mechanism_filter (empty)
    If non-empty, a Postfix SMTP client filter for the remote SMTP
    server's list of offered SASL mechanisms.

Available in Postfix version 2.3 and later:

smtp_sender_dependent_authentication (no)
    Enable sender-dependent authentication in the Postfix SMTP client;
    this is available only with SASL authentication, and disables SMTP
    connection caching to ensure that mail from different senders will
    use the appropriate credentials.

smtp_sasl_path (empty)
    Implementation-specific information that the Postfix SMTP client
    passes through to the SASL plug-in implementation that is selected
    with smtp_sasl_type.

smtp_sasl_type (cyrus)
    The SASL plug-in type that the Postfix SMTP client should use for
    authentication.

Available in Postfix version 2.5 and later:

smtp_sasl_auth_cache_name (empty)
    An optional table to prevent repeated SASL authentication failures
    with the same remote SMTP server hostname, username and password.

smtp_sasl_auth_cache_time (90d)
    The maximal age of an smtp_sasl_auth_cache_name entry before it is
    removed.

smtp_sasl_auth_soft_bounce (yes)
    When a remote SMTP server rejects a SASL authentication request
    with a 535 reply code, defer mail delivery instead of returning
    mail as undeliverable.

Available in Postfix version 2.9 and later:

smtp_send_dummy_mail_auth (no)
    Whether or not to append the "AUTH=<>" option to the MAIL FROM
    command in SASL-authenticated SMTP sessions.

Detailed information about STARTTLS configuration may be found in the
TLS_README document.

smtp_tls_security_level (empty)
    The default SMTP TLS security level for the Postfix SMTP client.

smtp_sasl_tls_security_options ($smtp_sasl_security_options)
    The SASL authentication security options that the Postfix SMTP
    client uses for TLS encrypted SMTP sessions.

smtp_starttls_timeout (300s)
    Time limit for Postfix SMTP client write and read operations during
    TLS startup and shutdown handshake procedures.

smtp_tls_CAfile (empty)
    A file containing CA certificates of root CAs trusted to sign
    either remote SMTP server certificates or intermediate CA
    certificates.

smtp_tls_CApath (empty)
    Directory with PEM format Certification Authority certificates
    that the Postfix SMTP client uses to verify a remote SMTP server
    certificate.

smtp_tls_cert_file (empty)
    File with the Postfix SMTP client RSA certificate in PEM format.

smtp_tls_mandatory_ciphers (medium)
    The minimum TLS cipher grade that the Postfix SMTP client will use
    with mandatory TLS encryption.

smtp_tls_exclude_ciphers (empty)
    List of ciphers or cipher types to exclude from the Postfix SMTP
    client cipher list at all TLS security levels.

smtp_tls_mandatory_exclude_ciphers (empty)
    Additional list of ciphers or cipher types to exclude from the
    Postfix SMTP client cipher list at mandatory TLS security levels.

smtp_tls_dcert_file (empty)
    File with the Postfix SMTP client DSA certificate in PEM format.

smtp_tls_dkey_file ($smtp_tls_dcert_file)
    File with the Postfix SMTP client DSA private key in PEM format.

smtp_tls_key_file ($smtp_tls_cert_file)
    File with the Postfix SMTP client RSA private key in PEM format.

smtp_tls_loglevel (0)
    Enable additional Postfix SMTP client logging of TLS activity.

smtp_tls_note_starttls_offer (no)
    Log the hostname of a remote SMTP server that offers STARTTLS, when
    TLS is not already enabled for that server.

smtp_tls_policy_maps (empty)
    Optional lookup tables with the Postfix SMTP client TLS security
    policy by next-hop destination; when a non-empty value is
    specified, this overrides the obsolete smtp_tls_per_site parameter.

smtp_tls_mandatory_protocols (see 'postconf -d' output)
    TLS protocols that the Postfix SMTP client will use with mandatory
    TLS encryption.

smtp_tls_scert_verifydepth (9)
    The verification depth for remote SMTP server certificates.

smtp_tls_secure_cert_match (nexthop, dot-nexthop)
    How the Postfix SMTP client verifies the server certificate
    peername for the "secure" TLS security level.

smtp_tls_session_cache_database (empty)
    Name of the file containing the optional Postfix SMTP client TLS
    session cache.

smtp_tls_session_cache_timeout (3600s)
    The expiration time of Postfix SMTP client TLS session cache
    information.

smtp_tls_verify_cert_match (hostname)
    How the Postfix SMTP client verifies the server certificate
    peername for the "verify" TLS security level.

tls_daemon_random_bytes (32)
    The number of pseudo-random bytes that an smtp(8) or smtpd(8)
    process requests from the tlsmgr(8) server in order to seed its
    internal pseudo random number generator (PRNG).

tls_high_cipherlist (see 'postconf -d' output)
    The OpenSSL cipherlist for "high" grade ciphers.

tls_medium_cipherlist (see 'postconf -d' output)
    The OpenSSL cipherlist for "medium" or higher grade ciphers.

tls_null_cipherlist (eNULL:!aNULL)
    The OpenSSL cipherlist for "NULL" grade ciphers that provide
    authentication without encryption.

Available in Postfix version 2.3..3.7:

tls_low_cipherlist (see 'postconf -d' output)
    The OpenSSL cipherlist for "low" or higher grade ciphers.

tls_export_cipherlist (see 'postconf -d' output)
    The OpenSSL cipherlist for "export" or higher grade ciphers.

Available in Postfix version 2.4 and later:

smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options)
    The SASL authentication security options that the Postfix SMTP
    client uses for TLS encrypted SMTP sessions with a verified server
    certificate.

Available in Postfix version 2.5 and later:

smtp_tls_fingerprint_cert_match (empty)
    List of acceptable remote SMTP server certificate fingerprints for
    the "fingerprint" TLS security level (smtp_tls_security_level =
    fingerprint).

smtp_tls_fingerprint_digest (see 'postconf -d' output)
    The message digest algorithm used to construct remote SMTP server
    certificate fingerprints.

Available in Postfix version 2.6 and later:

smtp_tls_protocols (see 'postconf -d' output)
    TLS protocols that the Postfix SMTP client will use with
    opportunistic TLS encryption.

smtp_tls_ciphers (medium)
    The minimum TLS cipher grade that the Postfix SMTP client will use
    with opportunistic TLS encryption.

smtp_tls_eccert_file (empty)
    File with the Postfix SMTP client ECDSA certificate in PEM format.

smtp_tls_eckey_file ($smtp_tls_eccert_file)
    File with the Postfix SMTP client ECDSA private key in PEM format.

Available in Postfix version 2.7 and later:

smtp_tls_block_early_mail_reply (no)
    Try to detect a mail hijacking attack based on a TLS protocol
    vulnerability (CVE-2009-3555), where an attacker prepends malicious
    HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS
    session.

Available in Postfix version 2.8 and later:

tls_disable_workarounds (see 'postconf -d' output)
    List or bit-mask of OpenSSL bug work-arounds to disable.

Available in Postfix version 2.11-3.1:

tls_dane_digest_agility (on)
    Configure RFC7671 DANE TLSA digest algorithm agility.

tls_dane_trust_anchor_digest_enable (yes)
    Enable support for RFC 6698 (DANE TLSA) DNS records that contain
    digests of trust-anchors with certificate usage "2".

Available in Postfix version 2.11 and later:

smtp_tls_trust_anchor_file (empty)
    Zero or more PEM-format files with trust-anchor certificates and/or
    public keys.

smtp_tls_force_insecure_host_tlsa_lookup (no)
    Lookup the associated DANE TLSA RRset even when a hostname is not
    an alias and its address records lie in an unsigned zone.

tlsmgr_service_name (tlsmgr)
    The name of the tlsmgr(8) service entry in master.cf.

Available in Postfix version 3.0 and later:

smtp_tls_wrappermode (no)
    Request that the Postfix SMTP client connects using the
    SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.

Available in Postfix version 3.1 and later:

smtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)
    The TLS policy for MX hosts with "secure" TLSA records when the
    nexthop destination security level is dane, but the MX record was
    found via an "insecure" MX lookup.

Available in Postfix version 3.2 and later:

tls_eecdh_auto_curves (see 'postconf -d' output)
    The prioritized list of elliptic curves supported by the Postfix
    SMTP client and server.

Available in Postfix version 3.4 and later:

smtp_tls_connection_reuse (no)
    Try to make multiple deliveries per TLS-encrypted connection.

smtp_tls_chain_files (empty)
    List of one or more PEM files, each holding one or more private
    keys directly followed by a corresponding certificate chain.

smtp_tls_servername (empty)
    Optional name to send to the remote SMTP server in the TLS Server
    Name Indication (SNI) extension.

Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:

tls_fast_shutdown_enable (yes)
    A workaround for implementations that hang Postfix while shutting
    down a TLS session, until Postfix times out.

Available in Postfix version 3.8 and later:

tls_ffdhe_auto_groups (see 'postconf -d' output)
    The prioritized list of finite-field Diffie-Hellman ephemeral
    (FFDHE) key exchange groups supported by the Postfix SMTP client
    and server.

Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:

tls_config_file (default)
    Optional configuration file with baseline OpenSSL settings.

tls_config_name (empty)
    The application name passed by Postfix to OpenSSL library
    initialization functions.

The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a
future release.

smtp_use_tls (no)
    Opportunistic mode: use TLS when a remote SMTP server announces
    STARTTLS support, otherwise send the mail in the clear.

smtp_enforce_tls (no)
    Enforcement mode: require that remote SMTP servers use TLS
    encryption, and never send mail in the clear.

smtp_tls_enforce_peername (yes)
    With mandatory TLS encryption, require that the remote SMTP server
    hostname matches the information in the remote SMTP server
    certificate.

smtp_tls_per_site (empty)
    Optional lookup tables with the Postfix SMTP client TLS usage
    policy by next-hop destination and by remote SMTP server hostname.

smtp_tls_cipherlist (empty)
    Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
    cipher list.
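
An added example, not part of the original manual and not Postfix code: a small main.cf audit that flags the obsolete parameters listed above, a smtp_tls_per_site table that smtp_tls_policy_maps overrides, and SASL options that permit plaintext mechanisms while TLS is not mandatory. The set of security levels treated as mandatory, the finding names and both sample configurations are assumptions constructed for this example.

```python
import re

# Parameters the manual lists as kept only for pre-2.3 compatibility.
OBSOLETE = {
    "smtp_use_tls", "smtp_enforce_tls", "smtp_tls_enforce_peername",
    "smtp_tls_per_site", "smtp_tls_cipherlist",
}
# Assumption of this example: levels at which mail is never sent in the clear.
MANDATORY_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Parse main.cf text into {name: value}; the last assignment wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0] in " \t" and name is not None:
            # Leading whitespace continues the previous logical line.
            params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            name = None
            continue
        name = key.strip()
        params[name] = value.strip()
    return params


def split_list(value):
    """Split a comma- or whitespace-separated parameter value."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def audit(params):
    """Return a list of (finding, parameter) tuples for the SMTP client."""
    findings = [("obsolete", n) for n in sorted(OBSOLETE.intersection(params))]

    level = params.get("smtp_tls_security_level", "")
    if not level:
        findings.append(("tls-level-unset", "smtp_tls_security_level"))

    # A non-empty smtp_tls_policy_maps overrides smtp_tls_per_site.
    if params.get("smtp_tls_per_site") and params.get("smtp_tls_policy_maps"):
        findings.append(("overridden", "smtp_tls_per_site"))

    # Default taken from the manual: (noplaintext, noanonymous).
    sasl_opts = split_list(
        params.get("smtp_sasl_security_options", "noplaintext, noanonymous"))
    sasl_on = params.get("smtp_sasl_auth_enable", "no") == "yes"
    if sasl_on and level not in MANDATORY_LEVELS and "noplaintext" not in sasl_opts:
        findings.append(("sasl-plaintext-risk", "smtp_sasl_security_options"))
    return findings


# Constructed sample: legacy opportunistic TLS plus relaxed SASL options.
WEAK_CF = """\
# constructed sample, not a real configuration
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
    noanonymous
"""

# Constructed sample: mandatory TLS, plaintext mechanisms only inside TLS.
HARDENED_CF = """\
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(label, audit(parse_main_cf(text)))
```

The hardened sample relaxes only smtp_sasl_tls_security_options, so plaintext mechanisms are offered solely on TLS encrypted sessions.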

smtp_connect_timeout (30s)
    The Postfix SMTP client time limit for completing a TCP connection,
    or zero (use the operating system built-in time limit).

smtp_helo_timeout (300s)
    The Postfix SMTP client time limit for sending the HELO or EHLO
    command, and for receiving the initial remote SMTP server response.

lmtp_lhlo_timeout (300s)
    The Postfix LMTP client time limit for sending the LHLO command,
    and for receiving the initial remote LMTP server response.

smtp_xforward_timeout (300s)
    The Postfix SMTP client time limit for sending the XFORWARD
    command, and for receiving the remote SMTP server response.

smtp_mail_timeout (300s)
    The Postfix SMTP client time limit for sending the MAIL FROM
    command, and for receiving the remote SMTP server response.

smtp_rcpt_timeout (300s)
    The Postfix SMTP client time limit for sending the SMTP RCPT TO
    command, and for receiving the remote SMTP server response.

smtp_data_init_timeout (120s)
    The Postfix SMTP client time limit for sending the SMTP DATA
    command, and for receiving the remote SMTP server response.

smtp_data_xfer_timeout (180s)
    The Postfix SMTP client time limit for sending the SMTP message
    content.

smtp_data_done_timeout (600s)
    The Postfix SMTP client time limit for sending the SMTP ".", and
    for receiving the remote SMTP server response.

smtp_quit_timeout (300s)
    The Postfix SMTP client time limit for sending the QUIT command,
    and for receiving the remote SMTP server response.

Available in Postfix version 2.1 and later:

smtp_mx_address_limit (5)
    The maximal number of MX (mail exchanger) IP addresses that can
    result from Postfix SMTP client mail exchanger lookups, or zero (no
    limit).

smtp_mx_session_limit (2)
    The maximal number of SMTP sessions per delivery request before the
    Postfix SMTP client gives up or delivers to a fall-back relay host,
    or zero (no limit).

smtp_rset_timeout (20s)
    The Postfix SMTP client time limit for sending the RSET command,
    and for receiving the remote SMTP server response.

Available in Postfix version 2.2 and earlier:

lmtp_cache_connection (yes)
    Keep Postfix LMTP client connections open for up to $max_idle
    seconds.

Available in Postfix version 2.2 and later:

smtp_connection_cache_destinations (empty)
    Permanently enable SMTP connection caching for the specified
    destinations.

smtp_connection_cache_on_demand (yes)
    Temporarily enable SMTP connection caching while a destination has
    a high volume of mail in the active queue.

smtp_connection_reuse_time_limit (300s)
    The amount of time during which Postfix will use an SMTP connection
    repeatedly.

smtp_connection_cache_time_limit (2s)
    When SMTP connection caching is enabled, the amount of time that an
    unused SMTP client socket is kept open before it is closed.

Available in Postfix version 2.3 and later:

connection_cache_protocol_timeout (5s)
    Time limit for connection cache connect, send or receive
    operations.

Available in Postfix version 2.9 - 3.6:

smtp_per_record_deadline (no)
    Change the behavior of the smtp_*_timeout time limits, from a time
    limit per read or write system call, to a time limit to send or
    receive a complete record (an SMTP command line, SMTP response
    line, SMTP message content line, or TLS protocol message).

Available in Postfix version 2.11 and later:

smtp_connection_reuse_count_limit (0)
    When SMTP connection caching is enabled, the number of times that
    an SMTP session may be reused before it is closed, or zero (no
    limit).

Available in Postfix version 3.4 and later:

smtp_tls_connection_reuse (no)
    Try to make multiple deliveries per TLS-encrypted connection.

Available in Postfix version 3.7 and later:

smtp_per_request_deadline (no)
    Change the behavior of the smtp_*_timeout time limits, from a time
    limit per plaintext or TLS read or write call, to a combined time
    limit for sending a complete SMTP request and for receiving a
    complete SMTP response.

smtp_min_data_rate (500)
    The minimum plaintext data transfer rate in bytes/second for DATA
    requests, when deadlines are enabled with
    smtp_per_request_deadline.

Implemented in the qmgr(8) daemon:

transport_destination_concurrency_limit ($default_destination_concurrency_limit)
    A transport-specific override for the
    default_destination_concurrency_limit parameter value, where
    transport is the master.cf name of the message delivery transport.

transport_destination_recipient_limit ($default_destination_recipient_limit)
    A transport-specific override for the
    default_destination_recipient_limit parameter value, where
    transport is the master.cf name of the message delivery transport.

885 Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
886
887 smtputf8_enable (yes)
888 Enable preliminary SMTPUTF8 support for the protocols described
889 in RFC 6531, RFC 6532, and RFC 6533.
890
891 smtputf8_autodetect_classes (sendmail, verify)
892 Detect that a message requires SMTPUTF8 support for the speci‐
893 fied mail origin classes.
894
895 Available in Postfix version 3.2 and later:
896
897 enable_idna2003_compatibility (no)
898 Enable 'transitional' compatibility between IDNA2003 and
899 IDNA2008, when converting UTF-8 domain names to/from the ASCII
900 form that is used for DNS lookups.
901
903 debug_peer_level (2)
904 The increment in verbose logging level when a nexthop destina‐
905 tion, remote client or server name or network address matches a
906 pattern given with the debug_peer_list parameter.
907
908 debug_peer_list (empty)
909 Optional list of nexthop destination, remote client or server
910 name or network address patterns that, if matched, cause the
911 verbose logging level to increase by the amount specified in
912 $debug_peer_level.
913
914 error_notice_recipient (postmaster)
915 The recipient of postmaster notifications about mail delivery
916 problems that are caused by policy, resource, software or proto‐
917 col errors.
918
919 internal_mail_filter_classes (empty)
920 What categories of Postfix-generated mail are subject to be‐
921 fore-queue content inspection by non_smtpd_milters,
922 header_checks and body_checks.
923
924 notify_classes (resource, software)
925 The list of error classes that are reported to the postmaster.
926
928 best_mx_transport (empty)
929 Where the Postfix SMTP client should deliver mail when it de‐
930 tects a "mail loops back to myself" error condition.
931
932 config_directory (see 'postconf -d' output)
933 The default location of the Postfix main.cf and master.cf con‐
934 figuration files.
935
936 daemon_timeout (18000s)
937 How much time a Postfix daemon process may take to handle a re‐
938 quest before it is terminated by a built-in watchdog timer.
939
940 delay_logging_resolution_limit (2)
941 The maximal number of digits after the decimal point when log‐
942 ging sub-second delay values.
943
944 disable_dns_lookups (no)
945 Disable DNS lookups in the Postfix SMTP and LMTP clients.
946
947 inet_interfaces (all)
948 The local network interface addresses that this mail system re‐
949 ceives mail on.
950
951 inet_protocols (see 'postconf -d' output)
952 The Internet protocols Postfix will attempt to use when making
953 or accepting connections.
954
955 ipc_timeout (3600s)
956 The time limit for sending or receiving information over an in‐
957 ternal communication channel.
958
959 lmtp_assume_final (no)
960 When a remote LMTP server announces no DSN support, assume that
961 the server performs final delivery, and send "delivered" deliv‐
962 ery status notifications instead of "relayed".
963
964 lmtp_tcp_port (24)
965 The default TCP port that the Postfix LMTP client connects to.
966
967 max_idle (100s)
968 The maximum amount of time that an idle Postfix daemon process
969 waits for an incoming connection before terminating voluntarily.
970
971 max_use (100)
972 The maximal number of incoming connections that a Postfix daemon
973 process will service before terminating voluntarily.
974
975 process_id (read-only)
976 The process ID of a Postfix command or daemon process.
977
978 process_name (read-only)
979 The process name of a Postfix command or daemon process.
980
981 proxy_interfaces (empty)
982 The remote network interface addresses that this mail system re‐
983 ceives mail on by way of a proxy or network address translation
984 unit.
985
986 smtp_address_preference (any)
987 The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
988 client will try first, when a destination has IPv6 and IPv4 ad‐
989 dresses with equal MX preference.
990
991 smtp_bind_address (empty)
992 An optional numerical network address that the Postfix SMTP
993 client should bind to when making an IPv4 connection.
994
995 smtp_bind_address6 (empty)
996 An optional numerical network address that the Postfix SMTP
997 client should bind to when making an IPv6 connection.
998
999 smtp_helo_name ($myhostname)
1000 The hostname to send in the SMTP HELO or EHLO command.
1001
1002 lmtp_lhlo_name ($myhostname)
1003 The hostname to send in the LMTP LHLO command.
1004
1005 smtp_host_lookup (dns)
1006 What mechanisms the Postfix SMTP client uses to look up a host's
1007 IP address.
1008
1009 smtp_randomize_addresses (yes)
1010 Randomize the order of equal-preference MX host addresses.
1011
1012 syslog_facility (mail)
1013 The syslog facility of Postfix logging.
1014
1015 syslog_name (see 'postconf -d' output)
1016 A prefix that is prepended to the process name in syslog
1017 records, so that, for example, "smtpd" becomes "prefix/smtpd".
1018
1019 Available with Postfix 2.2 and earlier:
1020
1021 fallback_relay (empty)
1022 Optional list of relay hosts for SMTP destinations that can't be
1023 found or that are unreachable.
1024
1025 Available with Postfix 2.3 and later:
1026
1027 smtp_fallback_relay ($fallback_relay)
1028 Optional list of relay destinations that will be used when an
1029 SMTP destination is not found, or when delivery fails due to a
1030 non-permanent error.
1031
1032 Available with Postfix 3.0 and later:
1033
1034 smtp_address_verify_target (rcpt)
1035 In the context of email address verification, the SMTP protocol
1036 stage that determines whether an email address is deliverable.
1037
1038 Available with Postfix 3.1 and later:
1039
1040 lmtp_fallback_relay (empty)
1041 Optional list of relay hosts for LMTP destinations that can't be
1042 found or that are unreachable.
1043
1044 Available with Postfix 3.2 and later:
1045
1046 smtp_tcp_port (smtp)
1047 The default TCP port that the Postfix SMTP client connects to.
1048
1049 Available in Postfix 3.3 and later:
1050
1051 service_name (read-only)
1052 The master.cf service name of a Postfix daemon process.
1053
1054 Available in Postfix 3.7 and later:
1055
1056 smtp_bind_address_enforce (no)
1057 Defer delivery when the Postfix SMTP client cannot apply the
1058 smtp_bind_address or smtp_bind_address6 setting.
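
Several of the parameters above are version-gated or only take effect together with another setting. The following is an added example, not part of the Postfix distribution or this manual page: a small check over "postconf -n" style text that flags such combinations. The names parse_postconf, lint and VERSION_GATES are hypothetical, and the sample input is constructed.

```python
import re

# Version ranges copied from the "Available in Postfix version ..." notes
# above: parameter -> (first version, last version or None for "and later").
VERSION_GATES = {
    "smtp_connection_reuse_count_limit": ((2, 11), None),
    "smtp_per_record_deadline": ((2, 9), (3, 6)),
    "smtp_tls_connection_reuse": ((3, 4), None),
    "smtp_per_request_deadline": ((3, 7), None),
    "smtp_min_data_rate": ((3, 7), None),
    "smtp_bind_address_enforce": ((3, 7), None),
}

# Constructed sample in "postconf -n" format (name = value), not real output.
SAMPLE = """\
smtp_per_record_deadline = yes
smtp_min_data_rate = 500
smtp_bind_address = 192.0.2.25
smtp_tls_connection_reuse = yes
"""

def parse_postconf(text):
    """Return {name: value} for every 'name = value' line."""
    pairs = (re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def lint(params, version):
    """List settings the target Postfix (major, minor) will not honor as intended."""
    findings = []
    for name in sorted(params):
        if name not in VERSION_GATES:
            continue
        lo, hi = VERSION_GATES[name]
        if version < lo or (hi is not None and version > hi):
            span = "%d.%d - %d.%d" % (lo + hi) if hi else "%d.%d and later" % lo
            findings.append(f"{name}: listed for Postfix {span}")
    if version >= (3, 7):
        # smtp_min_data_rate applies only when request deadlines are enabled.
        if "smtp_min_data_rate" in params and params.get("smtp_per_request_deadline") != "yes":
            findings.append("smtp_min_data_rate: needs smtp_per_request_deadline = yes")
        # Without enforcement (default "no"), a failed bind does not defer delivery.
        bound = params.get("smtp_bind_address") or params.get("smtp_bind_address6")
        if bound and params.get("smtp_bind_address_enforce") != "yes":
            findings.append("smtp_bind_address_enforce: off, bind failure will not defer delivery")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_postconf(SAMPLE), (3, 7)):
        print(finding)
```

On a live system the input would come from the output of "postconf -n", with the version tuple set to the installed Postfix release.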
1059
1061 generic(5), output address rewriting
1062 header_checks(5), message header content inspection
1063 body_checks(5), body parts content inspection
1064 qmgr(8), queue manager
1065 bounce(8), delivery status reports
1066 scache(8), connection cache server
1067 postconf(5), configuration parameters
1068 master(5), generic daemon options
1069 master(8), process manager
1070 tlsmgr(8), TLS session and PRNG management
1071 postlogd(8), Postfix logging
1072 syslogd(8), system logging
1073
1075 Use "postconf readme_directory" or "postconf html_directory" to locate
1076 this information.
1077 SASL_README, Postfix SASL howto
1078 TLS_README, Postfix STARTTLS howto
1079
1081 The Secure Mailer license must be distributed with this software.
1082
1084 Wietse Venema
1085 IBM T.J. Watson Research
1086 P.O. Box 704
1087 Yorktown Heights, NY 10598, USA
1088
1089 Wietse Venema
1090 Google, Inc.
1091 111 8th Avenue
1092 New York, NY 10011, USA
1093
1094 Command pipelining in cooperation with:
1095 Jon Ribbens
1096 Oaktree Internet Solutions Ltd.,
1097 Internet House,
1098 Canal Basin,
1099 Coventry,
1100 CV1 4LY, United Kingdom.
1101
1102 SASL support originally by:
1103 Till Franke
1104 SuSE Rhein/Main AG
1105 65760 Eschborn, Germany
1106
1107 TLS support originally by:
1108 Lutz Jaenicke
1109 BTU Cottbus
1110 Allgemeine Elektrotechnik
1111 Universitaetsplatz 3-4
1112 D-03044 Cottbus, Germany
1113
1114 Revised TLS and SMTP connection cache support by:
1115 Victor Duchovni
1116 Morgan Stanley