SMTPD(8)                    System Manager's Manual                   SMTPD(8)

NAME

       smtpd - Postfix SMTP server

SYNOPSIS

       smtpd [generic Postfix daemon options]

DESCRIPTION

       The SMTP server accepts network connection requests and performs zero
       or more SMTP transactions per connection. Each received message is
       piped through the cleanup(8) daemon, and is placed into the incoming
       queue as one single queue file. For this mode of operation, the
       program expects to be run from the master(8) process manager.

       Alternatively, the SMTP server can be run in stand-alone mode; this is
       traditionally obtained with "sendmail -bs". When the SMTP server runs
       stand-alone with non $mail_owner privileges, it receives mail even
       while the mail system is not running, deposits messages directly into
       the maildrop queue, and disables the SMTP server's access policies. As
       of Postfix version 2.3, the SMTP server refuses to receive mail from
       the network when it runs with non $mail_owner privileges.

       The SMTP server implements a variety of policies for connection
       requests, and for parameters given to HELO, ETRN, MAIL FROM, VRFY and
       RCPT TO commands. They are detailed below and in the main.cf
       configuration file.

SECURITY

       The SMTP server is moderately security-sensitive. It talks to SMTP
       clients and to DNS servers on the network. The SMTP server can be run
       chrooted at fixed low privilege.

STANDARDS

       RFC 821 (SMTP protocol)
       RFC 1123 (Host requirements)
       RFC 1652 (8bit-MIME transport)
       RFC 1869 (SMTP service extensions)
       RFC 1870 (Message Size Declaration)
       RFC 1985 (ETRN command)
       RFC 2034 (SMTP Enhanced Error Codes)
       RFC 2554 (AUTH command)
       RFC 2821 (SMTP protocol)
       RFC 2920 (SMTP Pipelining)
       RFC 3207 (STARTTLS command)
       RFC 3461 (SMTP DSN Extension)
       RFC 3463 (Enhanced Status Codes)

DIAGNOSTICS

       Problems and transactions are logged to syslogd(8).

       Depending on the setting of the notify_classes parameter, the
       postmaster is notified of bounces, protocol problems, policy
       violations, and of other trouble.

CONFIGURATION PARAMETERS

       Changes to main.cf are picked up automatically, as smtpd(8) processes
       run for only a limited amount of time. Use the command "postfix reload"
       to speed up a change.

       The text below provides only a parameter summary. See postconf(5) for
       more details including examples.

COMPATIBILITY CONTROLS

       The following parameters work around implementation errors in other
       software, and/or allow you to override standards in order to prevent
       undesirable use.

       broken_sasl_auth_clients (no)
              Enable inter-operability with SMTP clients that implement an
              obsolete version of the AUTH command (RFC 2554).

       disable_vrfy_command (no)
              Disable the SMTP VRFY command.

       smtpd_noop_commands (empty)
              List of commands that the Postfix SMTP server replies to with
              "250 Ok", without doing any syntax checks and without changing
              state.

       strict_rfc821_envelopes (no)
              Require that addresses received in SMTP MAIL FROM and RCPT TO
              commands are enclosed with <>, and that those addresses do not
              contain RFC 822 style comments or phrases.

       Available in Postfix version 2.1 and later:

       resolve_null_domain (no)
              Resolve an address that ends in the "@" null domain as if the
              local hostname were specified, instead of rejecting the address
              as invalid.

       smtpd_reject_unlisted_sender (no)
              Request that the Postfix SMTP server rejects mail from unknown
              sender addresses, even when no explicit reject_unlisted_sender
              access restriction is specified.

       smtpd_sasl_exceptions_networks (empty)
              What SMTP clients Postfix will not offer AUTH support to.

       Available in Postfix version 2.2 and later:

       smtpd_discard_ehlo_keyword_address_maps (empty)
              Lookup tables, indexed by the remote SMTP client address, with
              case insensitive lists of EHLO keywords (pipelining, starttls,
              auth, etc.) that the SMTP server will not send in the EHLO
              response to a remote SMTP client.

       smtpd_discard_ehlo_keywords (empty)
              A case insensitive list of EHLO keywords (pipelining, starttls,
              auth, etc.) that the SMTP server will not send in the EHLO
              response to a remote SMTP client.

       smtpd_delay_open_until_valid_rcpt (yes)
              Postpone the start of an SMTP mail transaction until a valid
              RCPT TO command is received.

       Available in Postfix version 2.3 and later:

       smtpd_tls_always_issue_session_ids (yes)
              Force the Postfix SMTP server to issue a TLS session id, even
              when TLS session caching is turned off
              (smtpd_tls_session_cache_database is empty).

ADDRESS REWRITING CONTROLS

       See the ADDRESS_REWRITING_README document for a detailed discussion of
       Postfix address rewriting.

       receive_override_options (empty)
              Enable or disable recipient validation, built-in content
              filtering, or address mapping.

       Available in Postfix version 2.2 and later:

       local_header_rewrite_clients (permit_inet_interfaces)
              Rewrite message header addresses in mail from these clients and
              update incomplete addresses with the domain name in $myorigin or
              $mydomain; either don't rewrite message headers from other
              clients at all, or rewrite message headers and update incomplete
              addresses with the domain specified in the
              remote_header_rewrite_domain parameter.

AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS

       As of version 1.0, Postfix can be configured to send new mail to an
       external content filter AFTER the mail is queued. This content filter
       is expected to inject mail back into a (Postfix or other) MTA for
       further delivery. See the FILTER_README document for details.

       content_filter (empty)
              The name of a mail delivery transport that filters mail after it
              is queued.

BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS

       As of version 2.1, the Postfix SMTP server can be configured to send
       incoming mail to a real-time SMTP-based content filter BEFORE mail is
       queued. This content filter is expected to inject mail back into
       Postfix. See the SMTPD_PROXY_README document for details on how to
       configure and operate this feature.

       smtpd_proxy_filter (empty)
              The hostname and TCP port of the mail filtering proxy server.

       smtpd_proxy_ehlo ($myhostname)
              How the Postfix SMTP server announces itself to the proxy
              filter.

       smtpd_proxy_timeout (100s)
              The time limit for connecting to a proxy filter and for sending
              or receiving information.

BEFORE QUEUE MILTER CONTROLS

       As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail
       filter) protocol. These content filters run outside Postfix. They can
       inspect the SMTP command stream and the message content, and can
       request modifications before mail is queued. For details see the
       MILTER_README document.

       smtpd_milters (empty)
              A list of Milter (mail filter) applications for new mail that
              arrives via the Postfix smtpd(8) server.

       milter_protocol (2)
              The mail filter protocol version and optional protocol
              extensions for communication with a Milter (mail filter)
              application.

       milter_default_action (tempfail)
              The default action when a Milter (mail filter) application is
              unavailable or mis-configured.

       milter_macro_daemon_name ($myhostname)
              The {daemon_name} macro value for Milter (mail filter)
              applications.

       milter_macro_v ($mail_name $mail_version)
              The {v} macro value for Milter (mail filter) applications.

       milter_connect_timeout (30s)
              The time limit for connecting to a Milter (mail filter)
              application, and for negotiating protocol options.

       milter_command_timeout (30s)
              The time limit for sending an SMTP command to a Milter (mail
              filter) application, and for receiving the response.

       milter_content_timeout (300s)
              The time limit for sending message content to a Milter (mail
              filter) application, and for receiving the response.

       milter_connect_macros (see postconf -n output)
              The macros that are sent to Milter (mail filter) applications
              after completion of an SMTP connection.

       milter_helo_macros (see postconf -n output)
              The macros that are sent to Milter (mail filter) applications
              after the SMTP HELO or EHLO command.

       milter_mail_macros (see postconf -n output)
              The macros that are sent to Milter (mail filter) applications
              after the SMTP MAIL FROM command.

       milter_rcpt_macros (see postconf -n output)
              The macros that are sent to Milter (mail filter) applications
              after the SMTP RCPT TO command.

       milter_data_macros (see postconf -n output)
              The macros that are sent to version 4 or higher Milter (mail
              filter) applications after the SMTP DATA command.

       milter_unknown_command_macros (see postconf -n output)
              The macros that are sent to version 3 or higher Milter (mail
              filter) applications after an unknown SMTP command.

       milter_end_of_data_macros (see postconf -n output)
              The macros that are sent to Milter (mail filter) applications
              after the message end-of-data.

GENERAL CONTENT INSPECTION CONTROLS

       The following parameters are applicable for both built-in and external
       content filters.

       Available in Postfix version 2.1 and later:

       receive_override_options (empty)
              Enable or disable recipient validation, built-in content
              filtering, or address mapping.

EXTERNAL CONTENT INSPECTION CONTROLS

       The following parameters are applicable for both before-queue and
       after-queue content filtering.

       Available in Postfix version 2.1 and later:

       smtpd_authorized_xforward_hosts (empty)
              What SMTP clients are allowed to use the XFORWARD feature.

SASL AUTHENTICATION CONTROLS

       Postfix SASL support (RFC 2554) can be used to authenticate remote SMTP
       clients to the Postfix SMTP server, and to authenticate the Postfix
       SMTP client to a remote SMTP server. See the SASL_README document for
       details.

       broken_sasl_auth_clients (no)
              Enable inter-operability with SMTP clients that implement an
              obsolete version of the AUTH command (RFC 2554).

       smtpd_sasl_auth_enable (no)
              Enable SASL authentication in the Postfix SMTP server.

       smtpd_sasl_local_domain (empty)
              The name of the local SASL authentication realm.

       smtpd_sasl_security_options (noanonymous)
              SASL security options; as of Postfix 2.3 the list of available
              features depends on the SASL server implementation that is
              selected with smtpd_sasl_type.

       smtpd_sender_login_maps (empty)
              Optional lookup table with the SASL login names that own sender
              (MAIL FROM) addresses.

       Available in Postfix version 2.1 and later:

       smtpd_sasl_exceptions_networks (empty)
              What SMTP clients Postfix will not offer AUTH support to.

       Available in Postfix version 2.3 and later:

       smtpd_sasl_authenticated_header (no)
              Report the SASL authenticated user name in the smtpd(8) Received
              message header.

       smtpd_sasl_path (smtpd)
              Implementation-specific information that is passed through to
              the SASL plug-in implementation that is selected with
              smtpd_sasl_type.

       smtpd_sasl_type (cyrus)
              The SASL plug-in type that the Postfix SMTP server should use
              for authentication.

STARTTLS SUPPORT CONTROLS

       Detailed information about STARTTLS configuration may be found in the
       TLS_README document.

       smtpd_tls_security_level (empty)
              The SMTP TLS security level for the Postfix SMTP server; when a
              non-empty value is specified, this overrides the obsolete
              parameters smtpd_use_tls and smtpd_enforce_tls.

       smtpd_sasl_tls_security_options ($smtpd_sasl_security_options)
              The SASL authentication security options that the Postfix SMTP
              server uses for TLS encrypted SMTP sessions.

       smtpd_starttls_timeout (300s)
              The time limit for Postfix SMTP server write and read operations
              during TLS startup and shutdown handshake procedures.

       smtpd_tls_CAfile (empty)
              The file with the certificate of the certification authority
              (CA) that issued the Postfix SMTP server certificate.

       smtpd_tls_always_issue_session_ids (yes)
              Force the Postfix SMTP server to issue a TLS session id, even
              when TLS session caching is turned off
              (smtpd_tls_session_cache_database is empty).

       smtpd_tls_ask_ccert (no)
              Ask a remote SMTP client for a client certificate.

       smtpd_tls_auth_only (no)
              When TLS encryption is optional in the Postfix SMTP server, do
              not announce or accept SASL authentication over unencrypted
              connections.

       smtpd_tls_ccert_verifydepth (5)
              The verification depth for remote SMTP client certificates.

       smtpd_tls_cert_file (empty)
              File with the Postfix SMTP server RSA certificate in PEM format.

       smtpd_tls_exclude_ciphers (empty)
              List of ciphers or cipher types to exclude from the SMTP server
              cipher list at all TLS security levels.

       smtpd_tls_dcert_file (empty)
              File with the Postfix SMTP server DSA certificate in PEM format.

       smtpd_tls_dh1024_param_file (empty)
              File with DH parameters that the Postfix SMTP server should use
              with EDH ciphers.

       smtpd_tls_dh512_param_file (empty)
              File with DH parameters that the Postfix SMTP server should use
              with EDH ciphers.

       smtpd_tls_dkey_file ($smtpd_tls_dcert_file)
              File with the Postfix SMTP server DSA private key in PEM format.

       smtpd_tls_key_file ($smtpd_tls_cert_file)
              File with the Postfix SMTP server RSA private key in PEM format.

       smtpd_tls_loglevel (0)
              Enable additional Postfix SMTP server logging of TLS activity.

       smtpd_tls_mandatory_ciphers (medium)
              The minimum TLS cipher grade that the Postfix SMTP server will
              use with mandatory TLS encryption.

       smtpd_tls_mandatory_exclude_ciphers (empty)
              Additional list of ciphers or cipher types to exclude from the
              SMTP server cipher list at mandatory TLS security levels.

       smtpd_tls_mandatory_protocols (SSLv3, TLSv1)
              The TLS protocols accepted by the Postfix SMTP server with
              mandatory TLS encryption.

       smtpd_tls_received_header (no)
              Request that the Postfix SMTP server produces Received: message
              headers that include information about the protocol and cipher
              used, as well as the client CommonName and client certificate
              issuer CommonName.

       smtpd_tls_req_ccert (no)
              With mandatory TLS encryption, require a remote SMTP client
              certificate in order to allow TLS connections to proceed.

       smtpd_tls_session_cache_database (empty)
              Name of the file containing the optional Postfix SMTP server TLS
              session cache.

       smtpd_tls_session_cache_timeout (3600s)
              The expiration time of Postfix SMTP server TLS session cache
              information.

       smtpd_tls_wrappermode (no)
              Run the Postfix SMTP server in the non-standard "wrapper" mode,
              instead of using the STARTTLS command.

       tls_daemon_random_bytes (32)
              The number of pseudo-random bytes that an smtp(8) or smtpd(8)
              process requests from the tlsmgr(8) server in order to seed its
              internal pseudo random number generator (PRNG).

       tls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
              The OpenSSL cipherlist for "HIGH" grade ciphers.

       tls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
              The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.

       tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)
              The OpenSSL cipherlist for "LOW" or higher grade ciphers.

       tls_export_cipherlist (ALL:+RC4:@STRENGTH)
              The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.

       tls_null_cipherlist (eNULL:!aNULL)
              The OpenSSL cipherlist for "NULL" grade ciphers that provide
              authentication without encryption.
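
       The SASL, STARTTLS and VRFY parameters summarized above interact:
       whether AUTH can travel over cleartext depends on several of them
       together. The following is an added example, not part of the Postfix
       distribution; it audits main.cf text using the defaults listed on this
       page. The finding names and sample configurations are constructed, and
       the security level values "may" and "encrypt" come from postconf(5).

```python
# Added example: audit main.cf text against parameters summarized on this page.
# Defaults are the ones this page lists; other Postfix versions differ.
PAGE_DEFAULTS = {
    "disable_vrfy_command": "no",
    "smtpd_sasl_auth_enable": "no",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_tls_security_level": "",
    "smtpd_tls_auth_only": "no",
    "smtpd_tls_mandatory_protocols": "SSLv3, TLSv1",
    "smtpd_use_tls": "no",
    "smtpd_enforce_tls": "no",
}
OBSOLETE_TLS = ("smtpd_use_tls", "smtpd_enforce_tls")

# Hypothetical finding identifiers with a short explanation each.
FINDINGS = {
    "sasl-without-tls": "AUTH is enabled but STARTTLS is never announced",
    "sasl-over-cleartext-allowed": "TLS is optional and smtpd_tls_auth_only is off",
    "sasl-anonymous-allowed": "smtpd_sasl_security_options lacks noanonymous",
    "sslv3-accepted": "mandatory TLS still accepts SSLv3 (deprecated, RFC 7568)",
    "vrfy-enabled": "VRFY is answered; disable_vrfy_command is not set",
    "obsolete-tls-params-overridden":
        "smtpd_tls_security_level overrides smtpd_use_tls/smtpd_enforce_tls",
}


def parse_main_cf(text):
    """Return {name: value}. Blank and '#' lines are skipped, a line starting
    with whitespace continues the previous one, later assignments win."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return params


def _yes(value):
    return value.strip().lower() == "yes"


def _words(value):
    return {w.lower() for w in value.replace(",", " ").split()}


def audit(text):
    """Return the list of finding identifiers for one main.cf text."""
    explicit = parse_main_cf(text)
    cfg = {**PAGE_DEFAULTS, **explicit}
    level = cfg["smtpd_tls_security_level"].lower()
    if level:  # a non-empty level overrides the obsolete parameters
        tls_required = level == "encrypt"
        tls_offered = level in ("may", "encrypt")
    else:
        tls_required = _yes(cfg["smtpd_enforce_tls"])
        tls_offered = tls_required or _yes(cfg["smtpd_use_tls"])

    found = []
    if _yes(cfg["smtpd_sasl_auth_enable"]):
        if not tls_offered:
            found.append("sasl-without-tls")
        elif not tls_required and not _yes(cfg["smtpd_tls_auth_only"]):
            found.append("sasl-over-cleartext-allowed")
        if "noanonymous" not in _words(cfg["smtpd_sasl_security_options"]):
            found.append("sasl-anonymous-allowed")
    if tls_required and "sslv3" in _words(cfg["smtpd_tls_mandatory_protocols"]):
        found.append("sslv3-accepted")
    if not _yes(cfg["disable_vrfy_command"]):
        found.append("vrfy-enabled")
    if level and any(name in explicit for name in OBSOLETE_TLS):
        found.append("obsolete-tls-params-overridden")
    return found


# Constructed sample configurations (not taken from any real host).
WEAK = """\
# AUTH on, TLS optional, nothing forcing AUTH onto TLS
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_sasl_security_options =
"""
HARDENED = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous,
    noactive
disable_vrfy_command = yes
"""

if __name__ == "__main__":
    for label, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label)
        for finding in audit(sample):
            print("  %s: %s" % (finding, FINDINGS[finding]))
```
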

OBSOLETE STARTTLS CONTROLS

       The following configuration parameters exist for compatibility with
       Postfix versions before 2.3. Support for these will be removed in a
       future release.

       smtpd_use_tls (no)
              Opportunistic TLS: announce STARTTLS support to SMTP clients,
              but do not require that clients use TLS encryption.

       smtpd_enforce_tls (no)
              Mandatory TLS: announce STARTTLS support to SMTP clients, and
              require that clients use TLS encryption.

       smtpd_tls_cipherlist (empty)
              Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
              cipher list.

VERP SUPPORT CONTROLS

       With VERP style delivery, each recipient of a message receives a
       customized copy of the message with his/her own recipient address
       encoded in the envelope sender address. The VERP_README file describes
       configuration and operation details of Postfix support for variable
       envelope return path addresses. VERP style delivery is requested with
       the SMTP XVERP command or with the "sendmail -V" command-line option
       and is available in Postfix version 1.1 and later.

       default_verp_delimiters (+=)
              The two default VERP delimiter characters.

       verp_delimiter_filter (-=+)
              The characters Postfix accepts as VERP delimiter characters on
              the Postfix sendmail(1) command line and in SMTP commands.

       Available in Postfix version 1.1 and 2.0:

       authorized_verp_clients ($mynetworks)
              What SMTP clients are allowed to specify the XVERP command.

       Available in Postfix version 2.1 and later:

       smtpd_authorized_verp_clients ($authorized_verp_clients)
              What SMTP clients are allowed to specify the XVERP command.

TROUBLE SHOOTING CONTROLS

       The DEBUG_README document describes how to debug parts of the Postfix
       mail system. The methods vary from making the software log a lot of
       detail, to running some daemon processes under control of a call tracer
       or debugger.

       debug_peer_level (2)
              The increment in verbose logging level when a remote client or
              server matches a pattern in the debug_peer_list parameter.

       debug_peer_list (empty)
              Optional list of remote client or server hostname or network
              address patterns that cause the verbose logging level to
              increase by the amount specified in $debug_peer_level.

       error_notice_recipient (postmaster)
              The recipient of postmaster notifications about mail delivery
              problems that are caused by policy, resource, software or
              protocol errors.

       internal_mail_filter_classes (empty)
              What categories of Postfix-generated mail are subject to
              before-queue content inspection by non_smtpd_milters,
              header_checks and body_checks.

       notify_classes (resource, software)
              The list of error classes that are reported to the postmaster.

       soft_bounce (no)
              Safety net to keep mail queued that would otherwise be returned
              to the sender.

       Available in Postfix version 2.1 and later:

       smtpd_authorized_xclient_hosts (empty)
              What SMTP clients are allowed to use the XCLIENT feature.

KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS

       As of Postfix version 2.0, the SMTP server rejects mail for unknown
       recipients. This prevents the mail queue from clogging up with
       undeliverable MAILER-DAEMON messages. Additional information on this
       topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README
       documents.

       show_user_unknown_table_name (yes)
              Display the name of the recipient table in the "User unknown"
              responses.

       canonical_maps (empty)
              Optional address mapping lookup tables for message headers and
              envelopes.

       recipient_canonical_maps (empty)
              Optional address mapping lookup tables for envelope and header
              recipient addresses.

       Parameters concerning known/unknown local recipients:

       mydestination ($myhostname, localhost.$mydomain, localhost)
              The list of domains that are delivered via the $local_transport
              mail delivery transport.

       inet_interfaces (all)
              The network interface addresses that this mail system receives
              mail on.

       proxy_interfaces (empty)
              The network interface addresses that this mail system receives
              mail on by way of a proxy or network address translation unit.

       inet_protocols (ipv4)
              The Internet protocols Postfix will attempt to use when making
              or accepting connections.

       local_recipient_maps (proxy:unix:passwd.byname $alias_maps)
              Lookup tables with all names or addresses of local recipients: a
              recipient address is local when its domain matches
              $mydestination, $inet_interfaces or $proxy_interfaces.

       unknown_local_recipient_reject_code (550)
              The numerical Postfix SMTP server response code when a recipient
              address is local, and $local_recipient_maps specifies a list of
              lookup tables that does not match the recipient.

       Parameters concerning known/unknown recipients of relay destinations:

       relay_domains ($mydestination)
              What destination domains (and subdomains thereof) this system
              will relay mail to.

       relay_recipient_maps (empty)
              Optional lookup tables with all valid addresses in the domains
              that match $relay_domains.

       unknown_relay_recipient_reject_code (550)
              The numerical Postfix SMTP server reply code when a recipient
              address matches $relay_domains, and relay_recipient_maps
              specifies a list of lookup tables that does not match the
              recipient address.

       Parameters concerning known/unknown recipients in virtual alias
       domains:

       virtual_alias_domains ($virtual_alias_maps)
              Postfix is final destination for the specified list of virtual
              alias domains, that is, domains for which all addresses are
              aliased to addresses in other local or remote domains.

       virtual_alias_maps ($virtual_maps)
              Optional lookup tables that alias specific mail addresses or
              domains to other local or remote address.

       unknown_virtual_alias_reject_code (550)
              The SMTP server reply code when a recipient address matches
              $virtual_alias_domains, and $virtual_alias_maps specifies a list
              of lookup tables that does not match the recipient address.

       Parameters concerning known/unknown recipients in virtual mailbox
       domains:

       virtual_mailbox_domains ($virtual_mailbox_maps)
              Postfix is final destination for the specified list of domains;
              mail is delivered via the $virtual_transport mail delivery
              transport.

       virtual_mailbox_maps (empty)
              Optional lookup tables with all valid addresses in the domains
              that match $virtual_mailbox_domains.

       unknown_virtual_mailbox_reject_code (550)
              The SMTP server reply code when a recipient address matches
              $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a
              list of lookup tables that does not match the recipient address.

RESOURCE AND RATE CONTROLS

       The following parameters limit resource usage by the SMTP server and/or
       control client request rates.

       line_length_limit (2048)
              Upon input, long lines are chopped up into pieces of at most
              this length; upon delivery, long lines are reconstructed.

       queue_minfree (0)
              The minimal amount of free space in bytes in the queue file
              system that is needed to receive mail.

       message_size_limit (10240000)
              The maximal size in bytes of a message, including envelope
              information.

       smtpd_recipient_limit (1000)
              The maximal number of recipients that the Postfix SMTP server
              accepts per message delivery request.

       smtpd_timeout (300s)
              The time limit for sending a Postfix SMTP server response and
              for receiving a remote SMTP client request.

       smtpd_history_flush_threshold (100)
              The maximal number of lines in the Postfix SMTP server command
              history before it is flushed upon receipt of EHLO, RSET, or end
              of DATA.

       Available in Postfix version 2.3 and later:

       smtpd_peername_lookup (yes)
              Attempt to look up the remote SMTP client hostname, and verify
              that the name matches the client IP address.

       The per SMTP client connection count and request rate limits are
       implemented in co-operation with the anvil(8) service, and are
       available in Postfix version 2.2 and later.

       smtpd_client_connection_count_limit (50)
              How many simultaneous connections any client is allowed to make
              to this service.

       smtpd_client_connection_rate_limit (0)
              The maximal number of connection attempts any client is allowed
              to make to this service per time unit.

       smtpd_client_message_rate_limit (0)
              The maximal number of message delivery requests that any client
              is allowed to make to this service per time unit, regardless of
              whether or not Postfix actually accepts those messages.

       smtpd_client_recipient_rate_limit (0)
              The maximal number of recipient addresses that any client is
              allowed to send to this service per time unit, regardless of
              whether or not Postfix actually accepts those recipients.

       smtpd_client_event_limit_exceptions ($mynetworks)
              Clients that are excluded from connection count, connection
              rate, or SMTP request rate restrictions.

       Available in Postfix version 2.3 and later:

       smtpd_client_new_tls_session_rate_limit (0)
              The maximal number of new (i.e., uncached) TLS sessions that a
              remote SMTP client is allowed to negotiate with this service per
              time unit.

TARPIT CONTROLS

       When a remote SMTP client makes errors, the Postfix SMTP server can
       insert delays before responding. This can help to slow down run-away
       software. The behavior is controlled by an error counter that counts
       the number of errors within an SMTP session that a client makes without
       delivering mail.

       smtpd_error_sleep_time (1s)
              With Postfix version 2.1 and later: the SMTP server response
              delay after a client has made more than $smtpd_soft_error_limit
              errors, and fewer than $smtpd_hard_error_limit errors, without
              delivering mail.

       smtpd_soft_error_limit (10)
              The number of errors a remote SMTP client is allowed to make
              without delivering mail before the Postfix SMTP server slows
              down all its responses.

       smtpd_hard_error_limit (20)
              The maximal number of errors a remote SMTP client is allowed to
              make without delivering mail.

       smtpd_junk_command_limit (100)
              The number of junk commands (NOOP, VRFY, ETRN or RSET) that a
              remote SMTP client can send before the Postfix SMTP server
              starts to increment the error counter with each junk command.

       Available in Postfix version 2.1 and later:

       smtpd_recipient_overshoot_limit (1000)
              The number of recipients that a remote SMTP client can send in
              excess of the limit specified with $smtpd_recipient_limit,
              before the Postfix SMTP server increments the per-session error
              count for each excess recipient.

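       A small model of the error counter described in this section, added
       here as an illustration; it is not Postfix code. The event names
       (ERROR, OK, MAIL), the simulate() function and the boundary choices
       (delay once the count exceeds the soft limit, disconnect once it
       reaches the hard limit, junk count kept for the whole session) are
       assumptions drawn from the wording above.

```python
from dataclasses import dataclass

JUNK_COMMANDS = {"NOOP", "VRFY", "ETRN", "RSET"}  # junk commands named above


@dataclass(frozen=True)
class TarpitSettings:
    """Parameters from this section, with the defaults shown in parentheses."""
    error_sleep_time: int = 1      # smtpd_error_sleep_time, in seconds
    soft_error_limit: int = 10     # smtpd_soft_error_limit
    hard_error_limit: int = 20     # smtpd_hard_error_limit
    junk_command_limit: int = 100  # smtpd_junk_command_limit


def simulate(events, cfg=TarpitSettings()):
    """Replay one SMTP session through the error counter.

    Each event is a junk command name, "ERROR" (a command answered with an
    error), "OK" (a normal command) or "MAIL" (a message was delivered).
    Returns (responses_sent, total_delay_seconds, disconnected).
    """
    errors = junk = delay = 0
    for n, event in enumerate(events, start=1):
        if event == "MAIL":
            errors = 0  # the counter covers errors made "without delivering mail"
        elif event == "ERROR":
            errors += 1
        elif event in JUNK_COMMANDS:
            junk += 1  # assumption: the junk count runs for the whole session
            if junk > cfg.junk_command_limit:
                errors += 1  # junk beyond the limit counts as an error
        elif event != "OK":
            raise ValueError(f"unknown event: {event!r}")
        # Assumption: the session ends once the count reaches the hard limit.
        if errors >= cfg.hard_error_limit:
            return n, delay, True
        # Between the limits every response is delayed, not only error replies.
        if errors > cfg.soft_error_limit:
            delay += cfg.error_sleep_time
    return len(events), delay, False


if __name__ == "__main__":
    # Constructed sessions: a client that only sends RSET, then one that only errs.
    print("RSET only, defaults :", simulate(["RSET"] * 150))
    print("errors only, defaults:", simulate(["ERROR"] * 25))
    tight = TarpitSettings(error_sleep_time=5, soft_error_limit=3, hard_error_limit=6)
    print("errors only, tighter :", simulate(["ERROR"] * 25, tight))
```

       In this model the default settings let a client that sends nothing
       but junk commands issue 120 of them before the session ends, which
       is the number to weigh when tuning smtpd_junk_command_limit.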

ACCESS POLICY DELEGATION CONTROLS

       As of version 2.1, Postfix can be configured to delegate access policy
       decisions to an external server that runs outside Postfix. See the
       file SMTPD_POLICY_README for more information.

       smtpd_policy_service_max_idle (300s)
              The time after which an idle SMTPD policy service connection is
              closed.

       smtpd_policy_service_max_ttl (1000s)
              The time after which an active SMTPD policy service connection
              is closed.

       smtpd_policy_service_timeout (100s)
              The time limit for connecting to, writing to or receiving from a
              delegated SMTPD policy server.

ACCESS CONTROLS

       The SMTPD_ACCESS_README document gives an introduction to all the SMTP
       server access control features.

       smtpd_delay_reject (yes)
              Wait until the RCPT TO command before evaluating
              $smtpd_client_restrictions, $smtpd_helo_restrictions and
              $smtpd_sender_restrictions, or wait until the ETRN command
              before evaluating $smtpd_client_restrictions and
              $smtpd_helo_restrictions.

       parent_domain_matches_subdomains (see 'postconf -d' output)
              What Postfix features match subdomains of "domain.tld"
              automatically, instead of requiring an explicit ".domain.tld"
              pattern.

       smtpd_client_restrictions (empty)
              Optional SMTP server access restrictions in the context of a
              client SMTP connection request.

       smtpd_helo_required (no)
              Require that a remote SMTP client introduces itself at the
              beginning of an SMTP session with the HELO or EHLO command.

       smtpd_helo_restrictions (empty)
              Optional restrictions that the Postfix SMTP server applies in
              the context of the SMTP HELO command.

       smtpd_sender_restrictions (empty)
              Optional restrictions that the Postfix SMTP server applies in
              the context of the MAIL FROM command.

       smtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination)
              The access restrictions that the Postfix SMTP server applies in
              the context of the RCPT TO command.

       smtpd_etrn_restrictions (empty)
              Optional SMTP server access restrictions in the context of a
              client ETRN request.

       allow_untrusted_routing (no)
              Forward mail with sender-specified routing
              (user[@%!]remote[@%!]site) from untrusted clients to
              destinations matching $relay_domains.

       smtpd_restriction_classes (empty)
              User-defined aliases for groups of access restrictions.

       smtpd_null_access_lookup_key (<>)
              The lookup key to be used in SMTP access(5) tables instead of
              the null sender address.

       permit_mx_backup_networks (empty)
              Restrict the use of the permit_mx_backup SMTP access feature to
              only domains whose primary MX hosts match the listed networks.

       Available in Postfix version 2.0 and later:

       smtpd_data_restrictions (empty)
              Optional access restrictions that the Postfix SMTP server
              applies in the context of the SMTP DATA command.

       smtpd_expansion_filter (see 'postconf -d' output)
              What characters are allowed in $name expansions of RBL reply
              templates.

       Available in Postfix version 2.1 and later:

       smtpd_reject_unlisted_sender (no)
              Request that the Postfix SMTP server rejects mail from unknown
              sender addresses, even when no explicit reject_unlisted_sender
              access restriction is specified.

       smtpd_reject_unlisted_recipient (yes)
              Request that the Postfix SMTP server rejects mail for unknown
              recipient addresses, even when no explicit
              reject_unlisted_recipient access restriction is specified.

       Available in Postfix version 2.2 and later:

       smtpd_end_of_data_restrictions (empty)
              Optional access restrictions that the Postfix SMTP server
              applies in the context of the SMTP END-OF-DATA command.

SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS

       Postfix version 2.1 introduces sender and recipient address
       verification. This feature is implemented by sending probe email
       messages that are not actually delivered. This feature is requested via
       the reject_unverified_sender and reject_unverified_recipient access
       restrictions. The status of verification probes is maintained by the
       verify(8) server. See the file ADDRESS_VERIFICATION_README for
       information about how to configure and operate the Postfix
       sender/recipient address verification service.

       address_verify_poll_count (3)
              How many times to query the verify(8) service for the completion
              of an address verification request in progress.

       address_verify_poll_delay (3s)
              The delay between queries for the completion of an address
              verification request in progress.

       address_verify_sender (postmaster)
              The sender address to use in address verification probes.

       unverified_sender_reject_code (450)
              The numerical Postfix SMTP server response code when a recipient
              address is rejected by the reject_unverified_sender restriction.

       unverified_recipient_reject_code (450)
              The numerical Postfix SMTP server response code when a recipient
              address is rejected by the reject_unverified_recipient
              restriction.

ACCESS CONTROL RESPONSES

       The following parameters control numerical SMTP reply codes and/or text
       responses.

       access_map_reject_code (554)
              The numerical Postfix SMTP server response code when a client is
              rejected by an access(5) map restriction.

       defer_code (450)
              The numerical Postfix SMTP server response code when a remote
              SMTP client request is rejected by the "defer" restriction.

       invalid_hostname_reject_code (501)
              The numerical Postfix SMTP server response code when the client
              HELO or EHLO command parameter is rejected by the
              reject_invalid_helo_hostname restriction.

       maps_rbl_reject_code (554)
              The numerical Postfix SMTP server response code when a remote
              SMTP client request is blocked by the reject_rbl_client,
              reject_rhsbl_client, reject_rhsbl_sender or
              reject_rhsbl_recipient restriction.

       non_fqdn_reject_code (504)
              The numerical Postfix SMTP server reply code when a client
              request is rejected by the reject_non_fqdn_helo_hostname,
              reject_non_fqdn_sender or reject_non_fqdn_recipient restriction.

       plaintext_reject_code (450)
              The numerical Postfix SMTP server response code when a request
              is rejected by the reject_plaintext_session restriction.

       reject_code (554)
              The numerical Postfix SMTP server response code when a remote
              SMTP client request is rejected by the "reject" restriction.

       relay_domains_reject_code (554)
              The numerical Postfix SMTP server response code when a client
              request is rejected by the reject_unauth_destination recipient
              restriction.

       unknown_address_reject_code (450)
              The numerical Postfix SMTP server response code when a sender or
              recipient address is rejected by the
              reject_unknown_sender_domain or reject_unknown_recipient_domain
              restriction.

       unknown_client_reject_code (450)
              The numerical Postfix SMTP server response code when a client
              without valid address <=> name mapping is rejected by the
              reject_unknown_client_hostname restriction.

       unknown_hostname_reject_code (450)
              The numerical Postfix SMTP server response code when the
              hostname specified with the HELO or EHLO command is rejected by
              the reject_unknown_helo_hostname restriction.

       Available in Postfix version 2.0 and later:

       default_rbl_reply (see 'postconf -d' output)
              The default SMTP server response template for a request that is
              rejected by an RBL-based restriction.

       multi_recipient_bounce_reject_code (550)
              The numerical Postfix SMTP server response code when a remote
              SMTP client request is blocked by the
              reject_multi_recipient_bounce restriction.

       rbl_reply_maps (empty)
              Optional lookup tables with RBL response templates.

MISCELLANEOUS CONTROLS

       config_directory (see 'postconf -d' output)
              The default location of the Postfix main.cf and master.cf
              configuration files.

       daemon_timeout (18000s)
              How much time a Postfix daemon process may take to handle a
              request before it is terminated by a built-in watchdog timer.

       command_directory (see 'postconf -d' output)
              The location of all postfix administrative commands.

       double_bounce_sender (double-bounce)
              The sender address of postmaster notifications that are
              generated by the mail system.

       ipc_timeout (3600s)
              The time limit for sending or receiving information over an
              internal communication channel.

       mail_name (Postfix)
              The mail system name that is displayed in Received: headers, in
              the SMTP greeting banner, and in bounced mail.

       mail_owner (postfix)
              The UNIX system account that owns the Postfix queue and most
              Postfix daemon processes.

       max_idle (100s)
              The maximum amount of time that an idle Postfix daemon process
              waits for an incoming connection before terminating voluntarily.

       max_use (100)
              The maximal number of incoming connections that a Postfix daemon
              process will service before terminating voluntarily.

       myhostname (see 'postconf -d' output)
              The internet hostname of this mail system.

       mynetworks (see 'postconf -d' output)
              The list of "trusted" SMTP clients that have more privileges
              than "strangers".

       myorigin ($myhostname)
              The domain name that locally-posted mail appears to come from,
              and that locally posted mail is delivered to.

       process_id (read-only)
              The process ID of a Postfix command or daemon process.

       process_name (read-only)
              The process name of a Postfix command or daemon process.

       queue_directory (see 'postconf -d' output)
              The location of the Postfix top-level queue directory.

       recipient_delimiter (empty)
              The separator between user names and address extensions
              (user+foo).

       smtpd_banner ($myhostname ESMTP $mail_name)
              The text that follows the 220 status code in the SMTP greeting
              banner.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (postfix)
              The mail system name that is prepended to the process name in
              syslog records, so that "smtpd" becomes, for example,
              "postfix/smtpd".

       Available in Postfix version 2.2 and later:

       smtpd_forbidden_commands (CONNECT, GET, POST)
              List of commands that cause the Postfix SMTP server to
              immediately terminate the session with a 221 code.

SEE ALSO

       anvil(8), connection/rate limiting
       cleanup(8), message canonicalization
       tlsmgr(8), TLS session and PRNG management
       trivial-rewrite(8), address resolver
       verify(8), address verification service
       postconf(5), configuration parameters
       master(5), generic daemon options
       master(8), process manager
       syslogd(8), system logging

README FILES

       Use "postconf readme_directory" or "postconf html_directory" to locate
       this information.
       ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
       ADDRESS_REWRITING_README, Postfix address manipulation
       FILTER_README, external after-queue content filter
       LOCAL_RECIPIENT_README, blocking unknown local recipients
       MILTER_README, before-queue mail filter applications
       SMTPD_ACCESS_README, built-in access policies
       SMTPD_POLICY_README, external policy server
       SMTPD_PROXY_README, external before-queue content filter
       SASL_README, Postfix SASL howto
       TLS_README, Postfix STARTTLS howto
       VERP_README, Postfix XVERP extension
       XCLIENT_README, Postfix XCLIENT extension
       XFORWARD_README, Postfix XFORWARD extension

LICENSE

       The Secure Mailer license must be distributed with this software.

AUTHOR(S)

       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany