<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - smtp(8) </title>
</head> <body> <pre>
SMTP(8)                                                        SMTP(8)

<b>NAME</b>
       smtp - Postfix SMTP+LMTP client

<b>SYNOPSIS</b>
       <b>smtp</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The Postfix SMTP+LMTP client implements the SMTP and LMTP
       mail delivery protocols. It processes message delivery
       requests from the queue manager. Each request specifies a
       queue file, a sender address, a domain or host to deliver
       to, and recipient information. This program expects to be
       run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.

       The SMTP+LMTP client updates the queue file and marks
       recipients as finished, or it informs the queue manager
       that delivery should be tried again at a later time.
       Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>,
       <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.

       The SMTP+LMTP client looks up a list of mail exchanger
       addresses for the destination host, sorts the list by
       preference, and connects to each listed address until it
       finds a server that responds.

       When a server is not reachable, or when mail delivery
       fails due to a recoverable error condition, the SMTP+LMTP
       client will try to deliver the mail to an alternate host.

       After a successful mail transaction, a connection may be
       saved to the <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it
       may be used by any SMTP+LMTP client for a subsequent
       transaction.

       By default, connection caching is enabled temporarily for
       destinations that have a high volume of mail in the active
       queue.
       Connection caching can be enabled permanently for
       specific destinations.

<b>SMTP DESTINATION SYNTAX</b>
       SMTP destinations have the following form:

       <i>domainname</i>

       <i>domainname</i>:<i>port</i>
              Look up the mail exchangers for the specified
              domain, and connect to the specified port (default:
              <b>smtp</b>).

       [<i>hostname</i>]

       [<i>hostname</i>]:<i>port</i>
              Look up the address(es) of the specified host, and
              connect to the specified port (default: <b>smtp</b>).

       [<i>address</i>]

       [<i>address</i>]:<i>port</i>
              Connect to the host at the specified address, and
              connect to the specified port (default: <b>smtp</b>). An
              IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>].

<b>LMTP DESTINATION SYNTAX</b>
       LMTP destinations have the following form:

       <b>unix</b>:<i>pathname</i>
              Connect to the local UNIX-domain server that is
              bound to the specified <i>pathname</i>. If the process
              runs chrooted, an absolute pathname is interpreted
              relative to the Postfix queue directory.

       <b>inet</b>:<i>hostname</i>

       <b>inet:</b><i>hostname</i>:<i>port</i>

       <b>inet</b>:[<i>address</i>]

       <b>inet</b>:[<i>address</i>]:<i>port</i>
              Connect to the specified TCP port on the specified
              local or remote host. If no port is specified, connect
              to the port defined as <b>lmtp</b> in <b>services</b>(4).
              If no such service is found, the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b> configuration
              parameter (default value of 24) will be
              used. An IPv6 address must be formatted as
              [<b>ipv6</b>:<i>address</i>].

<b>SECURITY</b>
       The SMTP+LMTP client is moderately security-sensitive. It
       talks to SMTP or LMTP servers and to DNS servers on the
       network. The SMTP+LMTP client can be run chrooted at fixed
       low privilege.
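
Added example (not part of the Postfix manual or the Postfix source): a Python parser for the SMTP and LMTP destination forms listed above. It reports, for each form, whether delivery depends on an MX lookup, an address lookup, or no DNS lookup at all, and where a chrooted client would look for a UNIX-domain socket. The names Destination, parse_destination and effective_socket_path, the sample hosts and the queue directory value are assumptions made for this illustration.

```python
# Added example: parser for the smtp(8) destination forms (not Postfix code).
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# "[host]" or "[host]:port"; the bracketed part may contain colons (ipv6:...).
_BRACKETED = re.compile(r"^\[([^\[\]]+)\](?::([^:\s]+))?$")
# "name" or "name:port" for the unbracketed forms.
_BARE = re.compile(r"^([^\[\]:\s]+)(?::([^:\s]+))?$")


@dataclass(frozen=True)
class Destination:
    protocol: str         # "smtp" or "lmtp"
    transport: str        # "inet" or "unix"
    target: str           # domain, hostname, IP address or socket pathname
    port: Optional[str]   # service name or number; None for UNIX sockets
    lookup: str           # "mx", "address", "literal" or "none"


def _host_port(text, default_port, allow_mx):
    """Split the host[:port] part shared by the SMTP and LMTP inet forms."""
    m = _BRACKETED.match(text)
    if m:
        host, port = m.group(1), m.group(2) or default_port
        tagged = host.lower().startswith("ipv6:")
        literal = host[5:] if tagged else host
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            if tagged:
                raise ValueError("bad IPv6 literal: %r" % text) from None
            return host, port, "address"    # [hostname]: address lookup, no MX
        # The page requires the ipv6: prefix for IPv6 address literals.
        if tagged != (addr.version == 6):
            raise ValueError("IPv6 (and only IPv6) takes ipv6: prefix: %r" % text)
        return str(addr), port, "literal"   # [address]: no DNS lookup needed
    m = _BARE.match(text)
    if not m:
        raise ValueError("unparseable destination: %r" % text)
    return m.group(1), m.group(2) or default_port, "mx" if allow_mx else "address"


def parse_destination(text, protocol="smtp"):
    """Parse one destination string in the SMTP or LMTP syntax of this page."""
    text = text.strip()
    if protocol == "lmtp":
        scheme, sep, rest = text.partition(":")
        if not sep or not rest:
            raise ValueError("LMTP destination needs unix: or inet: %r" % text)
        if scheme == "unix":
            return Destination("lmtp", "unix", rest, None, "none")
        if scheme == "inet":
            # Default port is the "lmtp" service; lmtp_tcp_port is the fallback.
            host, port, lookup = _host_port(rest, "lmtp", allow_mx=False)
            return Destination("lmtp", "inet", host, port, lookup)
        raise ValueError("unknown LMTP destination type: %r" % text)
    host, port, lookup = _host_port(text, "smtp", allow_mx=True)
    return Destination("smtp", "inet", host, port, lookup)


def effective_socket_path(dest, queue_directory, chrooted):
    """Apply the chroot rule for unix: destinations described on this page."""
    if dest.transport != "unix":
        raise ValueError("not a UNIX-domain destination")
    if chrooted and dest.target.startswith("/"):
        # Absolute pathnames are taken relative to the queue directory.
        return queue_directory.rstrip("/") + dest.target
    return dest.target    # other cases are not covered by this page


if __name__ == "__main__":
    # Constructed sample destinations, not taken from any real configuration.
    samples = [
        ("example.com", "smtp"),
        ("[mail.example.com]:submission", "smtp"),
        ("[ipv6:2001:db8::1]:25", "smtp"),
        ("inet:[127.0.0.1]:2003", "lmtp"),
        ("unix:/var/run/lmtp.sock", "lmtp"),
    ]
    for text, proto in samples:
        print(proto, text, "=", parse_destination(text, proto))
```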

<b>STANDARDS</b>
       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
       <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
       <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8). Corrupted
       message files are marked so that the queue manager
       can move them to the <b>corrupt</b> queue for further inspection.

       Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
       the postmaster is notified of bounces, protocol problems,
       and of other trouble.

<b>BUGS</b>
       SMTP and LMTP connection caching does not work with TLS.
       The necessary support for TLS object passivation and re-activation
       does not exist without closing the session,
       which defeats the purpose.

       SMTP and LMTP connection caching assumes that SASL credentials
       are valid for all destinations that map onto the
       same IP address and TCP port.

<b>CONFIGURATION PARAMETERS</b>
       Before Postfix version 2.3, the LMTP client is a separate
       program that implements only a subset of the functionality
       available with SMTP: there is no support for TLS, and connections
       are cached in-process, making it ineffective when
       the client is used for multiple domains.

       Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i>
       "mirror" parameter for the equivalent LMTP feature. This
       document describes only those LMTP-related parameters that
       aren't simply "mirror" parameters.

       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a>
       processes run for only a limited amount of time. Use the
       command "<b>postfix reload</b>" to speed up a change.

       The text below provides only a parameter summary. See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.

<b>COMPATIBILITY CONTROLS</b>
       <b><a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> (no)</b>
              Ignore DNS MX lookups that produce no response.

       <b><a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> (yes)</b>
              Always send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
              Never send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
              Defer mail delivery when no MX record resolves to
              an IP address.

       <b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (998)</b>
              The maximal length of message header and body lines
              that Postfix will send via SMTP.

       <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
              How long the Postfix SMTP client pauses before
              sending ".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX
              firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.

       <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
              How long a message must be queued before the Postfix
              SMTP client turns on the PIX firewall
              "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround for delivery
              through firewalls with "smtp fixup" mode turned on.

       <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b>
              A list that specifies zero or more workarounds for
              CISCO PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP server
              address, with per-destination workarounds for CISCO
              PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
              Quote addresses in Postfix SMTP client MAIL FROM
              and RCPT TO commands as required by <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.

       <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
              A mechanism to transform replies from remote SMTP
              servers one line at a time.

       <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
              Skip remote SMTP servers that greet with a 5XX status
              code (go away, do not try again later).

       <b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
              Do not wait for the response to the SMTP QUIT command.

       Available in Postfix version 2.0 and earlier:

       <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 4XX status code
              (go away, try again later).

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP server
              address, with case insensitive lists of EHLO keywords
              (pipelining, starttls, auth, etc.) that the
              Postfix SMTP client will ignore in the EHLO
              response from a remote SMTP server.

       <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
              A case insensitive list of EHLO keywords (pipelining,
              starttls, auth, etc.) that the Postfix SMTP
              client will ignore in the EHLO response from a
              remote SMTP server.

       <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
              Optional lookup tables that perform address rewriting
              in the Postfix SMTP client, typically to transform
              a locally valid address into a globally valid
              address when sending mail across the Internet.

       Available in Postfix version 2.2.9 and later:

       <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
              Allow DNS CNAME records to override the servername
              that the Postfix SMTP client uses for logging, SASL
              password lookup, TLS policy decisions, or TLS certificate
              verification.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote LMTP server
              address, with case insensitive lists of LHLO keywords
              (pipelining, starttls, auth, etc.) that the
              Postfix LMTP client will ignore in the LHLO
              response from a remote LMTP server.

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
              A case insensitive list of LHLO keywords (pipelining,
              starttls, auth, etc.) that the Postfix LMTP
              client will ignore in the LHLO response from a
              remote LMTP server.

       Available in Postfix version 2.4.4 and later:

       <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
              When authenticating to a remote SMTP or LMTP server
              with the default setting "no", send no SASL authoriZation
              ID (authzid); send only the SASL authentiCation
              ID (authcid) plus the authcid's password.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix
              SMTP client.

       <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>body_checks</b>(5)</a> tables for the Postfix
              SMTP client.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
              An optional workaround for routers that break TCP
              window scaling.

       Available in Postfix version 2.8 and later:

       <b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b>
              DNS Resolver options for the Postfix SMTP client.

       Available in Postfix version 2.9 and later:

       <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
              Change the behavior of the smtp_*_timeout time limits,
              from a time limit per read or write system
              call, to a time limit to send or receive a complete
              record (an SMTP command line, SMTP response line,
              SMTP message content line, or TLS protocol message).

       <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
              Whether or not to append the "AUTH=&lt;&gt;" option to
              the MAIL FROM command in SASL-authenticated SMTP
              sessions.

<b>MIME PROCESSING CONTROLS</b>
       Available in Postfix version 2.0 and later:

       <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
              Disable the conversion of 8BITMIME format to 7BIT
              format.

       <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
              The maximal length of MIME multipart boundary
              strings.

       <b><a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> (100)</b>
              The maximal recursion level that the MIME processor
              will handle.

<b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
              Send the non-standard XFORWARD command when the
              Postfix SMTP server EHLO response announces XFORWARD
              support.

<b>SASL AUTHENTICATION CONTROLS</b>
       <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
              Enable SASL authentication in the Postfix SMTP
              client.

       <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
              Optional Postfix SMTP client lookup tables with one
              username:password entry per remote hostname or
              domain, or sender address when sender-dependent
              authentication is enabled.

       <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
              Postfix SMTP client SASL security options; as of
              Postfix 2.3 the list of available features depends
              on the SASL client implementation that is selected
              with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
              If non-empty, a Postfix SMTP client filter for the
              remote SMTP server's list of offered SASL mechanisms.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
              Enable sender-dependent authentication in the Postfix
              SMTP client; this is available only with SASL
              authentication, and disables SMTP connection
              caching to ensure that mail from different senders
              will use the appropriate credentials.

       <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
              Implementation-specific information that the Postfix
              SMTP client passes through to the SASL plug-in
              implementation that is selected with
              <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
              The SASL plug-in type that the Postfix SMTP client
              should use for authentication.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
              An optional table to prevent repeated SASL authentication
              failures with the same remote SMTP server
              hostname, username and password.

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
              The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
              entry before it is removed.

       <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
              When a remote SMTP server rejects a SASL authentication
              request with a 535 reply code, defer mail
              delivery instead of returning mail as undeliverable.

       Available in Postfix version 2.9 and later:

       <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
              Whether or not to append the "AUTH=&lt;&gt;" option to
              the MAIL FROM command in SASL-authenticated SMTP
              sessions.

<b>STARTTLS SUPPORT CONTROLS</b>
       Detailed information about STARTTLS configuration may be
       found in the <a href="TLS_README.html">TLS_README</a> document.

       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
              The default SMTP TLS security level for the Postfix
              SMTP client; when a non-empty value is specified,
              this overrides the obsolete parameters
              <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
              <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.

       <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP client uses for TLS encrypted SMTP
              sessions.

       <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
              Time limit for Postfix SMTP client write and read
              operations during TLS startup and shutdown handshake
              procedures.

       <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
              A file containing CA certificates of root CAs
              trusted to sign either remote SMTP server certificates
              or intermediate CA certificates.

       <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
              Directory with PEM format certificate authority
              certificates that the Postfix SMTP client uses to
              verify a remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
              File with the Postfix SMTP client RSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
              List of ciphers or cipher types to exclude from the
              Postfix SMTP client cipher list at all TLS security
              levels.

       <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
              Additional list of ciphers or cipher types to
              exclude from the Postfix SMTP client cipher list at
              mandatory TLS security levels.

       <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
              File with the Postfix SMTP client DSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
              File with the Postfix SMTP client DSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
              File with the Postfix SMTP client RSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP client logging of
              TLS activity.

       <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
              Log the hostname of a remote SMTP server that
              offers STARTTLS, when TLS is not already enabled
              for that server.

       <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS security policy by next-hop destination; when a
              non-empty value is specified, this overrides the
              obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.

       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
              List of SSL/TLS protocols that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
              The verification depth for remote SMTP server certificates.

       <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
              How the Postfix SMTP client verifies the server
              certificate peername for the "secure" TLS security
              level.

       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix
              SMTP client TLS session cache.

       <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP client TLS session
              cache information.

       <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
              How the Postfix SMTP client verifies the server
              certificate peername for the "verify" TLS security
              level.

       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
              The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
              server in order to seed its internal pseudo random
              number generator (PRNG).

       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
       <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "HIGH" grade ciphers.

       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "MEDIUM" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "LOW" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "EXPORT" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
              The OpenSSL cipherlist for "NULL" grade ciphers
              that provide authentication without encryption.

       Available in Postfix version 2.4 and later:

       <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
       <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP client uses for TLS encrypted SMTP
              sessions with a verified server certificate.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
              List of acceptable remote SMTP server certificate
              fingerprints for the "fingerprint" TLS security
              level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).

       <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
              The message digest algorithm used to construct
              remote SMTP server certificate fingerprints.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
              List of TLS protocols that the Postfix SMTP client
              will exclude or include with opportunistic TLS
              encryption.

       <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              client will use with opportunistic TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
              File with the Postfix SMTP client ECDSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
              File with the Postfix SMTP client ECDSA private key
              in PEM format.

       Available in Postfix version 2.7 and later:

       <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
              Try to detect a mail hijacking attack based on a
              TLS protocol vulnerability (CVE-2009-3555), where
              an attacker prepends malicious HELO, MAIL, RCPT,
              DATA commands to a Postfix SMTP client TLS session.

       Available in Postfix version 2.8 and later:

       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
              List or bit-mask of OpenSSL bug work-arounds to
              disable.

<b>OBSOLETE STARTTLS CONTROLS</b>
       The following configuration parameters exist for compatibility
       with Postfix versions before 2.3. Support for these
       will be removed in a future release.

       <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
              Opportunistic mode: use TLS when a remote SMTP
              server announces STARTTLS support, otherwise send
              the mail in the clear.

       <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
              Enforcement mode: require that remote SMTP servers
              use TLS encryption, and never send mail in the
              clear.

       <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
              With mandatory TLS encryption, require that the
              remote SMTP server hostname matches the information
              in the remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS usage policy by next-hop destination and by
              remote SMTP server hostname.

       <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
              client TLS cipher list.

<b>RESOURCE AND RATE CONTROLS</b>
       <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b>
              The maximal number of parallel deliveries to the
              same destination via the smtp message delivery
              transport.

       <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b>
              The maximal number of recipients per message for
              the smtp message delivery transport.

       <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
              The Postfix SMTP client time limit for completing a
              TCP connection, or zero (use the operating system
              built-in time limit).

       <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
              The Postfix SMTP client time limit for sending the
              HELO or EHLO command, and for receiving the initial
              remote SMTP server response.

       <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
              The Postfix LMTP client time limit for sending the
              LHLO command, and for receiving the initial remote
              LMTP server response.

       <b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
              The Postfix SMTP client time limit for sending the
              XFORWARD command, and for receiving the remote SMTP
              server response.

       <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
              The Postfix SMTP client time limit for sending the
              MAIL FROM command, and for receiving the remote
              SMTP server response.

       <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
              The Postfix SMTP client time limit for sending the
              SMTP RCPT TO command, and for receiving the remote
              SMTP server response.

       <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
              The Postfix SMTP client time limit for sending the
              SMTP DATA command, and for receiving the remote
              SMTP server response.

       <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
              The Postfix SMTP client time limit for sending the
              SMTP message content.

       <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
              The Postfix SMTP client time limit for sending the
              SMTP ".", and for receiving the remote SMTP server
              response.

       <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
              The Postfix SMTP client time limit for sending the
              QUIT command, and for receiving the remote SMTP
              server response.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
              The maximal number of MX (mail exchanger) IP
              addresses that can result from Postfix SMTP client
              mail exchanger lookups, or zero (no limit).

       <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
              The maximal number of SMTP sessions per delivery
              request before the Postfix SMTP client gives up or
              delivers to a fall-back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no
              limit).

       <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
              The Postfix SMTP client time limit for sending the
              RSET command, and for receiving the remote SMTP
              server response.

       Available in Postfix version 2.2 and earlier:

       <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
              Keep Postfix LMTP client connections open for up to
              $<a href="postconf.5.html#max_idle">max_idle</a> seconds.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
              Permanently enable SMTP connection caching for the
              specified destinations.

       <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
              Temporarily enable SMTP connection caching while a
              destination has a high volume of mail in the active
              queue.

       <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
              The amount of time during which Postfix will use an
              SMTP connection repeatedly.

       <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
              When SMTP connection caching is enabled, the amount
              of time that an unused SMTP client socket is kept
              open before it is closed.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
              Time limit for connection cache connect, send or
              receive operations.

       Available in Postfix version 2.9 and later:

       <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
              Change the behavior of the smtp_*_timeout time limits,
              from a time limit per read or write system call, to a
              time limit to send or receive a complete record (an
              SMTP command line, SMTP response line, SMTP message
              content line, or TLS protocol message).

<b>TROUBLE SHOOTING CONTROLS</b>
       <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
              The increment in verbose logging level when a
              remote client or server matches a pattern in the
              <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.

       <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
              Optional list of remote client or server hostname
              or network address patterns that cause the verbose
              logging level to increase by the amount specified
              in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.

       <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
              The recipient of postmaster notifications about
              mail delivery problems that are caused by policy,
              resource, software or protocol errors.

       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
              What categories of Postfix-generated mail are subject
              to before-queue content inspection by
              <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.

       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
              The list of error classes that are reported to the
              postmaster.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
              Where the Postfix SMTP client should deliver mail
              when it detects a "mail loops back to myself" error
              condition.

       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
              <a href="master.5.html">master.cf</a> configuration files.

       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
              How much time a Postfix daemon process may take to
              handle a request before it is terminated by a
              built-in watchdog timer.

       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The maximal number of digits after the decimal
              point when logging sub-second delay values.

       <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
              Disable DNS lookups in the Postfix SMTP and LMTP
              clients.

       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
              The network interface addresses that this mail system
              receives mail on.

       <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
              The Internet protocols Postfix will attempt to use
              when making or accepting connections.

       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
              The time limit for sending or receiving information
              over an internal communication channel.

       <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
              When a remote LMTP server announces no DSN support,
              assume that the server performs final delivery, and
              send "delivered" delivery status notifications
              instead of "relayed".

       <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
              The default TCP port that the Postfix LMTP client
              connects to.

       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
              The maximum amount of time that an idle Postfix
              daemon process waits for an incoming connection
              before terminating voluntarily.

       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
              The maximal number of incoming connections that a
              Postfix daemon process will service before
              terminating voluntarily.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
              The network interface addresses that this mail system
              receives mail on by way of a proxy or network
              address translation unit.

       <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
              The address type ("ipv6", "ipv4" or "any") that the
              Postfix SMTP client will try first, when a destination
              has IPv6 and IPv4 addresses with equal MX
              preference.

       <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
              An optional numerical network address that the
              Postfix SMTP client should bind to when making an
              IPv4 connection.

       <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
              An optional numerical network address that the
              Postfix SMTP client should bind to when making an
              IPv6 connection.

       <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The hostname to send in the SMTP EHLO or HELO
              command.

       <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The hostname to send in the LMTP LHLO command.

       <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
              What mechanisms the Postfix SMTP client uses to
              look up a host's IP address.

       <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
              Randomize the order of equal-preference MX host
              addresses.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              The mail system name that is prepended to the
              process name in syslog records, so that "smtpd"
              becomes, for example, "postfix/smtpd".

       Available with Postfix 2.2 and earlier:

       <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
              Optional list of relay hosts for SMTP destinations
              that can't be found or that are unreachable.

       Available with Postfix 2.3 and later:

       <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
              Optional list of relay hosts for SMTP destinations
              that can't be found or that are unreachable.

<b>SEE ALSO</b>
       <a href="generic.5.html">generic(5)</a>, output address rewriting
       <a href="header_checks.5.html">header_checks(5)</a>, message header content inspection
       <a href="header_checks.5.html">body_checks(5)</a>, body parts content inspection
       <a href="qmgr.8.html">qmgr(8)</a>, queue manager
       <a href="bounce.8.html">bounce(8)</a>, delivery status reports
       <a href="scache.8.html">scache(8)</a>, connection cache server
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="master.5.html">master(5)</a>, generic daemon options
       <a href="master.8.html">master(8)</a>, process manager
       <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
       syslogd(8), system logging

<b>README FILES</b>
       <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
       <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this
       software.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Command pipelining in cooperation with:
       Jon Ribbens
       Oaktree Internet Solutions Ltd.,
       Internet House,
       Canal Basin,
       Coventry,
       CV1 4LY, United Kingdom.

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Revised TLS and SMTP connection cache support by:
       Victor Duchovni
       Morgan Stanley

                                                         SMTP(8)
</pre> </body> </html>