# This is the input file for automatically generating the postconf(5)
# manual page, the summaries of parameters in on-line manual pages,
# and for the postconf.5.html hyperlinked document.
#
# The following tools operate on information from this file:
#
# xpostconf
#       Extracts specific parameter definitions from this file, or
#       produces a sorted version of all the information in this
#       document.
#
# postconf2html
#       Adds parameter name + default headers. The result can be embedded
#       into the postconf.5.html hyperlinked document.
#
# postconf2man
#       Converts this file into something that can be embedded into
#       the postconf(5) UNIX-style manual page. This tool knows only
#       a limited subset of HTML as described below.
#
# postconf2src
#       Converts this file into something that can be embedded
#       into Postfix source code files.
#
# The subset of HTML that you can use is limited by the postconf2man
# tool:
#
# * Supported HTML elements are: blockquote, ul, li, dl, dt, dd,
#   p, pre, b, i, h, and the escapes for < <= >= >. Sorry, no
#   tables.
#
# * HTML elements must be specified in lower case.
#
# * Lists cannot be nested.
#
# * The postconf2man tool leaves unrecognized HTML in place as a
#   reminder that it is not supported.
#
# * Text between <!-- and --> is stripped out. The <!-- and -->
#   must appear on separate lines.
#
# * Use <nroffescape .sp> to request an empty line in the middle
#   of a block of text. This is needed with indented lists.
#
# * Blank lines are special for postconf2man: it replaces them by
#   a "new paragraph" command. Don't put any blank lines inside
#   <blockquote> text. Instead, put those blank lines between
#   </blockquote> and <blockquote>.
#
# * Text after a blank line must start with an HTML element.
#
# Also:
#
# * All <dt> and <dd> text must be closed with </dt> and </dd>.
#
# * Use <blockquote><pre>..</pre></blockquote> for examples
#   between narrative text, instead of indenting examples by hand.
#
# * Use <pre>..</pre> for the "Examples:" section at the end
#   of a parameter description.
#
# The postlink tool automatically inserts hyperlinks for the following,
# so you must not hyperlink that information yourself:
#
# * Postfix manual pages
# * URLs
# * RFCs
# * Postfix configuration parameters
# * Postfix README files
# * Address classes and other terminology.
#
# The xpostconf and postconf2html tools expect the file format described
# in the comments below. The description includes the transformation
# that is done by the postconf2html tool.
#
# * The format of this file is blocks of text separated by one or
#   more empty (or all whitespace) lines.
#
# * A text block that begins with %PARAM specifies a parameter name
#   and its default value, separated by whitespace. The text in
#   the blocks that follow is the parameter description.
#
# * The first line (text up to the first ". ") is used in Postfix
#   on-line manual pages, in the one-line configuration parameter
#   summaries.
#
# * A text block that begins with the "<" character is treated as
#   literal HTML. For example, to specify a "dl" list element one
#   would write:
#
#   |<dt><b>name</b></dt> <dd>
#   |
#   |text that describes "name".
#   |
#   |</dd> ...
#
#   As described below, the text that describes "name" will be
#   enclosed with <p> and </p>.
#
#   An "ul" list element would be written like this:
#
#   |<li> text for this list element.
#
# * Any text block that does not begin with < is an error.

%CLASS address-verification Address verification (Postfix 2.1 and later)

<p>
Sender/recipient address verification is implemented by sending
probe email messages that are not actually delivered.
This feature
is requested via the reject_unverified_sender and
reject_unverified_recipient access restrictions. The status of
verification probes is maintained by the address verification
service. See the file ADDRESS_VERIFICATION_README for information
about how to configure and operate the Postfix sender/recipient
address verification service.
</p>

%CLASS smtpd-compatibility Compatibility controls

%CLASS resource-control Resource controls

%CLASS after-queue-filter After-queue content filter

<p>
As of version 1.0, Postfix can be configured to send new mail to
an external content filter AFTER the mail is queued. This content
filter is expected to inject mail back into a (Postfix or other)
MTA for further delivery. See the FILTER_README document for
details.
</p>

%CLASS before-queue-filter Before-queue content filter

<p>
The Postfix SMTP server can be configured to send incoming mail to
a real-time SMTP-based content filter BEFORE mail is queued. This
content filter is expected to inject mail back into Postfix. See
the SMTPD_PROXY_README document for details on how to configure
and operate this feature.
</p>

%CLASS basic-config Basic configuration parameters

%CLASS smtpd-access-relay SMTP server access and relay control

%CLASS smtpd-sasl SMTP server SASL authentication

%CLASS unknown-recipients Rejecting mail for unknown recipients

%CLASS smtpd-reply-code SMTP server response codes

%CLASS other Other configuration parameters

%PARAM access_map_reject_code 554

<p>
The numerical Postfix SMTP server response code for
an access(5) map "reject" action.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
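</p>

<p> The block format described in the header comment of this file (blocks
separated by blank lines, a %CLASS or %PARAM line carrying a name plus a
title or default, HTML text blocks that must begin with "<", and a one-line
summary taken from the text up to the first ". ") as a small added parser.
This is an illustration written for this page, not one of the Postfix tools
(xpostconf, postconf2html, postconf2man); the function names and the
skipping of the leading "#" comment block are assumptions. </p>

```python
"""Parser for the block format described in the header of postconf.proto.
Added illustration only, not one of the Postfix tools (xpostconf,
postconf2html, postconf2man); function names and the skipping of the
leading "#" comment block are assumptions."""
import re

TAG_RE = re.compile(r"<[^>]+>")


def split_blocks(text):
    """Blocks are separated by one or more empty (or all-whitespace) lines."""
    return [b.strip() for b in re.split(r"\n\s*\n", text) if b.strip()]


def summary(html_block):
    """One-line summary for on-line manual pages: the text up to the first
    ". ", with the HTML tags removed and whitespace collapsed."""
    flat = " ".join(TAG_RE.sub("", html_block).split())
    head, sep, _rest = flat.partition(". ")
    return head + ("." if sep else "")


def parse_proto(text):
    """Return (classes, params). Each entry is a dict with the %CLASS title
    or %PARAM default, the list of HTML description blocks, and the summary
    taken from the first description block."""
    classes, params = {}, {}
    current = None
    for block in split_blocks(text):
        if block.startswith("#"):
            continue                      # assumption: comment header is ignored
        if block.startswith("%CLASS") or block.startswith("%PARAM"):
            fields = block.split(None, 2)  # keyword, name, rest (rest may be absent)
            if len(fields) < 2:
                raise ValueError("missing name in: %r" % block)
            rest = fields[2] if len(fields) > 2 else ""
            current = {"description": [], "summary": ""}
            if fields[0] == "%CLASS":
                current["title"] = rest
                classes[fields[1]] = current
            else:
                current["default"] = rest   # may be empty, e.g. always_bcc
                params[fields[1]] = current
        elif block.startswith("<"):
            if current is None:
                raise ValueError("description block before any %CLASS/%PARAM")
            current["description"].append(block)
            if not current["summary"]:
                current["summary"] = summary(block)
        else:
            raise ValueError("text block does not begin with '<': %r" % block[:40])
    return classes, params


# Constructed sample made from entries on this page.
SAMPLE = """\
%CLASS smtpd-reply-code SMTP server response codes

%PARAM access_map_reject_code 554

<p>
The numerical Postfix SMTP server response code for
an access(5) map "reject" action.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

%PARAM address_verify_map see "postconf -d" output

<p>
Lookup table for persistent address verification status
storage. The table is maintained by the verify(8) service, and
is opened before the process releases privileges.
</p>

%PARAM always_bcc

<p>
Optional address that receives a "blind carbon copy" of each message
that is received by the Postfix mail system.
</p>
"""

if __name__ == "__main__":
    classes, params = parse_proto(SAMPLE)
    for name, entry in params.items():
        print("%-26s default=%-26r %s" % (name, entry["default"], entry["summary"]))
```

<p>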
</p>

%PARAM access_map_defer_code 450

<p>
The numerical Postfix SMTP server response code for
an access(5) map "defer" action, including "defer_if_permit"
or "defer_if_reject". Prior to Postfix 2.6, the response
is hard-coded as "450".
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

<p>
This feature is available in Postfix 2.6 and later.
</p>

%PARAM address_verify_default_transport $default_transport

<p>
Overrides the default_transport parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_local_transport $local_transport

<p>
Overrides the local_transport parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_map see "postconf -d" output

<p>
Lookup table for persistent address verification status
storage. The table is maintained by the verify(8) service, and
is opened before the process releases privileges.
</p>

<p>
The lookup table is persistent by default (Postfix 2.7 and later).
Specify an empty table name to keep the information in volatile
memory which is lost after "<b>postfix reload</b>" or "<b>postfix
stop</b>". This is the default with Postfix version 2.6 and earlier.
</p>

<p>
Specify a location in a file system that will not fill up. If the
database becomes corrupted, the world comes to an end. To recover,
delete (NOT: truncate) the file and do "<b>postfix reload</b>".
</p>

<p> Postfix daemon processes do not use root privileges when opening
this file (Postfix 2.5 and later). The file must therefore be
stored under a Postfix-owned directory such as the data_directory.
As a migration aid, an attempt to open the file under a non-Postfix
directory is redirected to the Postfix-owned data_directory, and a
warning is logged. </p>

<p>
Examples:
</p>

<pre>
address_verify_map = hash:/var/db/postfix/verify
address_verify_map = btree:/var/db/postfix/verify
</pre>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_negative_cache yes

<p>
Enable caching of failed address verification probe results. When
this feature is enabled, the cache may quickly fill with garbage.
When this feature is disabled, Postfix will generate an address
probe for every lookup.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_negative_expire_time 3d

<p>
The time after which a failed probe expires from the address
verification cache.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_negative_refresh_time 3h

<p>
The time after which a failed address verification probe needs to
be refreshed.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_cache_cleanup_interval 12h

<p> The amount of time between verify(8) address verification
database cleanup runs. This feature requires that the database
supports the "delete" and "sequence" operators.
Specify a zero
interval to disable database cleanup. </p>

<p> After each database cleanup run, the verify(8) daemon logs the
number of entries that were retained and dropped. A cleanup run is
logged as "partial" when the daemon terminates early after "<b>postfix
reload</b>", "<b>postfix stop</b>", or no requests for $max_idle
seconds. </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours). </p>

<p> This feature is available in Postfix 2.7. </p>

%PARAM address_verify_poll_count normal: 3, overload: 1

<p>
How many times to query the verify(8) service for the completion
of an address verification request in progress.
</p>

<p> By default, the Postfix SMTP server polls the verify(8) service
up to three times under non-overload conditions, and only once when
under overload. With Postfix version 2.5 and earlier, the SMTP
server always polls the verify(8) service up to three times by
default. </p>

<p>
Specify 1 to implement a crude form of greylisting, that is, always
defer the first delivery request for a new address.
</p>

<p>
Examples:
</p>

<pre>
# Postfix ≤ 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1
</pre>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_poll_delay 3s

<p>
The delay between queries for the completion of an address
verification request in progress.
</p>

<p>
The default polling delay is 3 seconds.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_positive_expire_time 31d

<p>
The time after which a successful probe expires from the address
verification cache.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_positive_refresh_time 7d

<p>
The time after which a successful address verification probe needs
to be refreshed. The address verification status is not updated
when the probe fails (optimistic caching).
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_relay_transport $relay_transport

<p>
Overrides the relay_transport parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_relayhost $relayhost

<p>
Overrides the relayhost parameter setting for address verification
probes. This information can be overruled with the transport(5) table.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_sender $double_bounce_sender

<p> The sender address to use in address verification probes; prior
to Postfix 2.5 the default was "postmaster".
To
avoid problems with address probes that are sent in response to
address probes, the Postfix SMTP server excludes the probe sender
address from all SMTPD access blocks. </p>

<p>
Specify an empty value (address_verify_sender =) or <> if you want
to use the null sender address. Beware, some sites reject mail from
<>, even though RFCs require that such addresses be accepted.
</p>

<p>
Examples:
</p>

<pre>
address_verify_sender = <>
address_verify_sender = postmaster@mydomain
</pre>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_transport_maps $transport_maps

<p>
Overrides the transport_maps parameter setting for address verification
probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM address_verify_virtual_transport $virtual_transport

<p>
Overrides the virtual_transport parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM alias_database see "postconf -d" output

<p>
The alias databases for local(8) delivery that are updated with
"<b>newaliases</b>" or with "<b>sendmail -bi</b>".
</p>

<p>
This is a separate configuration parameter because not all the
tables specified with $alias_maps have to be local files.
</p>

<p>
Examples:
</p>

<pre>
alias_database = hash:/etc/aliases
alias_database = hash:/etc/mail/aliases
</pre>

%PARAM alias_maps see "postconf -d" output

<p>
The alias databases that are used for local(8) delivery. See
aliases(5) for syntax details.
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>

<p>
The default list is system dependent.
On systems with NIS, the
default is to search the local alias database, then the NIS alias
database.
</p>

<p>
If you change the alias database, run "<b>postalias /etc/aliases</b>"
(or wherever your system stores the mail alias file), or simply
run "<b>newaliases</b>" to build the necessary DBM or DB file.
</p>

<p>
The local(8) delivery agent disallows regular expression substitution
of $1 etc. in alias_maps, because that would open a security hole.
</p>

<p>
The local(8) delivery agent will silently ignore requests to use
the proxymap(8) server within alias_maps. Instead it will open the
table directly. Before Postfix version 2.2, the local(8) delivery
agent would terminate with a fatal error.
</p>

<p>
Examples:
</p>

<pre>
alias_maps = hash:/etc/aliases, nis:mail.aliases
alias_maps = hash:/etc/aliases
</pre>

%PARAM allow_mail_to_commands alias, forward

<p>
Restrict local(8) mail delivery to external commands. The default
is to disallow delivery to "|command" in :include: files (see
aliases(5) for the text that defines this terminology).
</p>

<p>
Specify zero or more of: <b>alias</b>, <b>forward</b> or <b>include</b>,
in order to allow commands in aliases(5), .forward files or in
:include: files, respectively.
</p>

<p>
Example:
</p>

<pre>
allow_mail_to_commands = alias,forward,include
</pre>

%PARAM allow_mail_to_files alias, forward

<p>
Restrict local(8) mail delivery to external files. The default is
to disallow "/file/name" destinations in :include: files (see
aliases(5) for the text that defines this terminology).
</p>

<p>
Specify zero or more of: <b>alias</b>, <b>forward</b> or <b>include</b>,
in order to allow "/file/name" destinations in aliases(5), .forward
files and in :include: files, respectively.
</p>

<p>
Example:
</p>

<pre>
allow_mail_to_files = alias,forward,include
</pre>

%PARAM allow_min_user no

<p>
Allow a sender or recipient address to have `-' as the first
character. By
default, this is not allowed, to avoid accidents with software that
passes email addresses via the command line. Such software
would not be able to distinguish a malicious address from a
bona fide command-line option. Although this can be prevented by
inserting a "--" option terminator into the command line, this is
difficult to enforce consistently and globally. </p>

<p> As of Postfix version 2.5, this feature is implemented by
trivial-rewrite(8). With earlier versions this feature was implemented
by qmgr(8) and was limited to recipient addresses only. </p>

%PARAM allow_percent_hack yes

<p>
Enable the rewriting of the form "user%domain" to "user@domain".
This is enabled by default.
</p>

<p> Note: as of Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true: </p>

<ul>

<li> The message is received with the Postfix sendmail(1) command,

<li> The message is received from a network client that matches
$local_header_rewrite_clients,

<li> The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.

</ul>

<p> To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all". </p>

<p>
Example:
</p>

<pre>
allow_percent_hack = no
</pre>

%PARAM allow_untrusted_routing no

<p>
Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
from untrusted clients to destinations matching $relay_domains.
</p>

<p>
By default, this feature is turned off.
This closes a nasty open
relay loophole where a backup MX host can be tricked into forwarding
junk mail to a primary MX host which then spams it out to the world.
</p>

<p>
This parameter also controls whether non-local addresses with sender-specified
routing can match Postfix access tables. By default, such addresses
cannot match Postfix access tables, because the address is ambiguous.
</p>

%PARAM always_bcc

<p>
Optional address that receives a "blind carbon copy" of each message
that is received by the Postfix mail system.
</p>

<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
software implements RFC 3461.
</p>

<p>
Note: with Postfix 2.2 and earlier the sender will be notified
when the BCC address is undeliverable.
</p>

<p> Note: automatic BCC recipients are produced only for new mail.
To avoid mailer loops, automatic BCC recipients are not generated
after Postfix forwards mail internally, or after Postfix generates
mail itself. </p>

%PARAM berkeley_db_create_buffer_size 16777216

<p>
The per-table I/O buffer size for programs that create Berkeley DB
hash or btree tables. Specify a byte count.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM berkeley_db_read_buffer_size 131072

<p>
The per-table I/O buffer size for programs that read Berkeley DB
hash or btree tables. Specify a byte count.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM best_mx_transport

<p>
Where the Postfix SMTP client should deliver mail when it detects
a "mail loops back to myself" error condition.
This happens when
the local MTA is the best SMTP mail exchanger for a destination
not listed in $mydestination, $inet_interfaces, $proxy_interfaces,
$virtual_alias_domains, or $virtual_mailbox_domains. By default,
the Postfix SMTP client returns such mail as undeliverable.
</p>

<p>
Specify, for example, "best_mx_transport = local" to pass the mail
from the Postfix SMTP client to the local(8) delivery agent. You
can specify
any message delivery "transport" or "transport:nexthop" that is
defined in the master.cf file. See the transport(5) manual page
for the syntax and meaning of "transport" or "transport:nexthop".
</p>

<p>
However, this feature is expensive because it ties up a Postfix
SMTP client process while the local(8) delivery agent is doing its
work. It is more efficient (for Postfix) to list all hosted domains
in a table or database.
</p>

%PARAM biff yes

<p>
Whether or not to use the local biff service. This service sends
"new mail" notifications to users who have requested new mail
notification with the UNIX command "biff y".
</p>

<p>
For compatibility reasons this feature is on by default. On systems
with lots of interactive users, the biff service can be a performance
drain. Specify "biff = no" in main.cf to disable.
</p>

%PARAM body_checks

<p> Optional lookup tables for content inspection as specified in
the body_checks(5) manual page. </p>

<p> Note: with Postfix versions before 2.0, these rules inspect
all content after the primary message headers. </p>

%PARAM body_checks_size_limit 51200

<p>
How much text in a message body segment (or attachment, if you
prefer to use that term) is subjected to body_checks inspection.
The amount of text is limited to avoid scanning huge attachments.
</p>

<p>
This feature is available in Postfix 2.0 and later.
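</p>

<p> The two address checks that the allow_min_user and
allow_untrusted_routing descriptions above document as Postfix defaults,
re-implemented in plain Python as an added illustration. This is not the
code of trivial-rewrite(8) or smtpd(8); the function names, the
"localpart still contains @, % or !" test for sender-specified routing,
and the simulated delivery command with a -n option are assumptions made
for the example. </p>

```python
"""Added illustration of two address checks this page describes:
  * allow_min_user = no rejects addresses whose first character is '-',
    because software that passes addresses on a command line cannot tell
    such an address from an option unless a "--" terminator is used;
  * allow_untrusted_routing = no refuses sender-specified routing of the
    form user[@%!]remote[@%!]site when the client is untrusted.
Not Postfix code; helper names and the simulated command are assumptions."""
import argparse
import re

ROUTING_OPS = re.compile(r"[@%!]")


def has_sender_specified_routing(address):
    """True when a routing operator survives after the final '@' is
    removed, e.g. user%remote@site, user@remote@site or site!user.
    Assumption: a plain localpart@domain address contains exactly one '@'."""
    localpart, sep, _domain = address.rpartition("@")
    target = localpart if sep else address   # no '@' at all: bang/percent paths
    return ROUTING_OPS.search(target) is not None


def check_address(address, allow_min_user=False,
                  allow_untrusted_routing=False, client_trusted=False):
    """Apply both checks with the page's defaults; returns (accepted, reason)."""
    if address.startswith("-") and not allow_min_user:
        return False, "address starts with '-' (allow_min_user = no)"
    if (has_sender_specified_routing(address)
            and not client_trusted and not allow_untrusted_routing):
        return False, ("sender-specified routing from untrusted client "
                       "(allow_untrusted_routing = no)")
    return True, "ok"


def parse_delivery_argv(address, use_terminator):
    """Simulate a hypothetical delivery command that takes an option
    -n/--dry-run and a recipient argument, the situation the allow_min_user
    text describes. Returns (recipient, dry_run) as the command sees them:
    without "--" an address starting with '-' is consumed as the option."""
    parser = argparse.ArgumentParser(prog="deliver", add_help=False)
    parser.add_argument("-n", "--dry-run", action="store_true")
    parser.add_argument("recipient", nargs="?")
    argv = (["--"] if use_terminator else []) + [address]
    opts, _unknown = parser.parse_known_args(argv)
    return opts.recipient, opts.dry_run


if __name__ == "__main__":
    for addr in ["user@example.com", "-n", "user%remote@site", "site!user"]:
        print("%-20s %s" % (addr, check_address(addr)))
    print(parse_delivery_argv("-n", use_terminator=False))  # (None, True)
    print(parse_delivery_argv("-n", use_terminator=True))   # ('-n', False)
```

<p>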
</p>

%PARAM bounce_queue_lifetime 5d

<p>
Consider a bounce message as undeliverable, when delivery fails
with a temporary error, and the time in the queue has reached the
bounce_queue_lifetime limit. By default, this limit is the same
as for regular mail.
</p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p>
Specify 0 when mail delivery should be tried only once.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM bounce_size_limit 50000

<p> The maximal amount of original message text that is sent in a
non-delivery notification. Specify a byte count. A message is
returned as either message/rfc822 (the complete original) or as
text/rfc822-headers (the headers only). With Postfix version 2.4
and earlier, a message is always returned as message/rfc822 and is
truncated when it exceeds the size limit.
</p>

<p> Notes: </p>

<ul>

<li> <p> If you increase this limit, then you should increase the
mime_nesting_limit value proportionally. </p>

<li> <p> Be careful when making changes. Excessively large values
will result in the loss of non-delivery notifications, when a bounce
message size exceeds a local or remote MTA's message size limit.
</p>

</ul>

%PARAM canonical_maps

<p>
Optional address mapping lookup tables for message headers and
envelopes. The mapping is applied to both sender and recipient
addresses, in both envelopes and in headers, as controlled
with the canonical_classes parameter. This is typically used
to clean up dirty addresses from legacy mail systems, or to replace
login names by Firstname.Lastname. The table format and lookups
are documented in canonical(5).
For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>

<p>
If you use this feature, run "<b>postmap /etc/postfix/canonical</b>" to
build the necessary DBM or DB file after every change. The changes
will become visible after a minute or so. Use "<b>postfix reload</b>"
to eliminate the delay.
</p>

<p> Note: as of Postfix version 2.2, message header address mapping
happens only when message header address rewriting is enabled: </p>

<ul>

<li> The message is received with the Postfix sendmail(1) command,

<li> The message is received from a network client that matches
$local_header_rewrite_clients,

<li> The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.

</ul>

<p> To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all". </p>

<p>
Examples:
</p>

<pre>
canonical_maps = dbm:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical
</pre>

%PARAM canonical_classes envelope_sender, envelope_recipient, header_sender, header_recipient

<p> What addresses are subject to canonical_maps address mapping.
By default, canonical_maps address mapping is applied to envelope
sender and recipient addresses, and to header sender and header
recipient addresses. </p>

<p> Specify one or more of: envelope_sender, envelope_recipient,
header_sender, header_recipient </p>

<p> This feature is available in Postfix 2.2 and later.
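</p>

<p> The time-value syntax that the address_verify_*_time,
address_verify_cache_cleanup_interval, address_verify_poll_delay and
bounce_queue_lifetime descriptions above repeat (an integral value plus an
optional one-letter unit suffix s, m, h, d or w, a per-parameter default
unit, and either a "non-zero" or a "non-negative" requirement), as an
added parser in Python. This is an illustration for this page, not
Postfix's own conversion code; the function names are assumptions, and
the table of defaults is copied from the parameter lines on this page
(daemon_timeout is documented further down). </p>

```python
"""Added illustration: parse Postfix time values as this page specifies
them. Not Postfix code; function names are assumptions."""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
TIME_RE = re.compile(r"^\s*(\d+)\s*([smhdw])?\s*$")


def parse_time(value, default_unit, allow_zero=False):
    """Return the value in seconds, or raise ValueError.
    default_unit applies when the suffix is absent ("3" with default "d"
    means three days). allow_zero=False models "Specify a non-zero time
    value"; allow_zero=True models "Specify a non-negative time value"."""
    if default_unit not in UNIT_SECONDS:
        raise ValueError("bad default unit: %r" % default_unit)
    m = TIME_RE.match(value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    count = int(m.group(1))
    unit = m.group(2) or default_unit
    seconds = count * UNIT_SECONDS[unit]
    if seconds == 0 and not allow_zero:
        raise ValueError("a non-zero time value is required: %r" % value)
    return seconds


# Defaults as given on this page: (default value, default unit, zero allowed).
PAGE_DEFAULTS = {
    "address_verify_negative_expire_time":  ("3d", "d", False),
    "address_verify_negative_refresh_time": ("3h", "h", False),
    "address_verify_cache_cleanup_interval": ("12h", "h", True),
    "address_verify_poll_delay":            ("3s", "s", False),
    "address_verify_positive_expire_time":  ("31d", "d", False),
    "address_verify_positive_refresh_time": ("7d", "d", False),
    "bounce_queue_lifetime":                ("5d", "d", True),
    "daemon_timeout":                       ("18000s", "s", False),
}


def defaults_in_seconds():
    """Resolve every default on the page to seconds."""
    return {name: parse_time(value, unit, zero_ok)
            for name, (value, unit, zero_ok) in PAGE_DEFAULTS.items()}


if __name__ == "__main__":
    for name, seconds in defaults_in_seconds().items():
        print("%-40s %d s" % (name, seconds))
    # A refresh time without suffix takes the parameter's default unit.
    print(parse_time("3", "h"))      # 10800
```

<p>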
</p>

%PARAM sender_canonical_classes envelope_sender, header_sender

<p> What addresses are subject to sender_canonical_maps address
mapping. By default, sender_canonical_maps address mapping is
applied to envelope sender addresses, and to header sender addresses.
</p>

<p> Specify one or more of: envelope_sender, header_sender </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM recipient_canonical_classes envelope_recipient, header_recipient

<p> What addresses are subject to recipient_canonical_maps address
mapping. By default, recipient_canonical_maps address mapping is
applied to envelope recipient addresses, and to header recipient
addresses. </p>

<p> Specify one or more of: envelope_recipient, header_recipient
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM command_directory see "postconf -d" output

<p>
The location of all postfix administrative commands.
</p>

%PARAM command_time_limit 1000s

<p>
Time limit for delivery to external commands. This limit is used
by the local(8) delivery agent, and is the default time limit for
delivery by the pipe(8) delivery agent.
</p>

<p>
Note: if you set this time limit to a large value you must update the
global ipc_timeout parameter as well.
</p>

%PARAM daemon_directory see "postconf -d" output

<p>
The directory with Postfix support programs and daemon programs.
These should not be invoked directly by humans. The directory must
be owned by root.
</p>

%PARAM daemon_timeout 18000s

<p> How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).
Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM debug_peer_level 2

<p> The increment in verbose logging level when a nexthop destination,
remote client or server name or network address matches a pattern
given with the debug_peer_list parameter. </p>

<p> Per-nexthop debug logging is available in Postfix 3.6 and later. </p>

%PARAM debug_peer_list

<p> Optional list of nexthop destination, remote client or server
name or network address patterns that, if matched, cause the verbose
logging level to increase by the amount specified in $debug_peer_level.
</p>

<p> Per-nexthop debug logging is available in Postfix 3.6 and later. </p>

<p> Specify domain names, network/netmask patterns, "/file/name"
patterns or "type:table" lookup tables. The right-hand side result
from "type:table" lookups is ignored. </p>

<p> Pattern matching of domain names is controlled by the presence
or absence of "debug_peer_list" in the parent_domain_matches_subdomains
parameter value. </p>

<p>
Examples:
</p>

<pre>
debug_peer_list = 127.0.0.1
debug_peer_list = example.com
</pre>

%PARAM default_database_type see "postconf -d" output

<p>
The default database type for use in newaliases(1), postalias(1)
and postmap(1) commands. On many UNIX systems the default type is
either <b>dbm</b> or <b>hash</b>. The default setting is frozen
when the Postfix system is built.
</p>

<p>
Examples:
</p>

<pre>
default_database_type = hash
default_database_type = dbm
</pre>

%PARAM default_delivery_slot_cost 5

<p>
How often the Postfix queue manager's scheduler is allowed to
preempt delivery of one message with another.
</p>

<p>
Each transport maintains a so-called "available delivery slot counter"
for each message.
One message can be preempted by another one when
the other message can be delivered using no more delivery slots
(i.e., invocations of delivery agents) than the current message
counter has accumulated (or will eventually accumulate - see about
slot loans below). This parameter controls how often the counter is
incremented - it happens after each default_delivery_slot_cost
recipients have been delivered.
</p>

<p>
The cost of 0 is used to disable the preempting scheduling completely.
The minimum value the scheduling algorithm can use is 2 - use it
if you want to maximize the message throughput rate. Although there
is no maximum, it doesn't make much sense to use values above say
50.
</p>

<p>
The only reason why the value of 2 is not the default is the way
this parameter affects the delivery of mailing-list mail. In the
worst case, delivery can take somewhere between (cost+1)/cost
and cost/(cost-1) times more than if the preemptive scheduler was
disabled. The default value of 5 turns out to provide reasonable
message response times while making sure the mailing-list deliveries
are not extended by more than 20-25 percent even in the worst case.
</p>

<p> Use <i>transport</i>_delivery_slot_cost to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

<p>
Examples:
</p>

<pre>
default_delivery_slot_cost = 0
default_delivery_slot_cost = 2
</pre>

%PARAM default_destination_concurrency_limit 20

<p>
The default maximal number of parallel deliveries to the same
destination. This is the default limit for delivery via the lmtp(8),
pipe(8), smtp(8) and virtual(8) delivery agents.
With a per-destination recipient limit > 1, a destination is a domain,
otherwise it is a recipient.
</p>

<p> Use <i>transport</i>_destination_concurrency_limit to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

%PARAM default_destination_recipient_limit 50

<p>
The default maximal number of recipients per message delivery.
This is the default limit for delivery via the lmtp(8), pipe(8),
smtp(8) and virtual(8) delivery agents.
</p>

<p> Setting this parameter to a value of 1 affects email deliveries
as follows:</p>

<ul>

<li> <p> It changes the meaning of the corresponding per-destination
concurrency limit, from concurrency of deliveries to the <i>same
domain</i> into concurrency of deliveries to the <i>same recipient</i>.
Different recipients are delivered in parallel, subject to the
process limits specified in master.cf. </p>

<li> <p> It changes the meaning of the corresponding per-destination
rate delay, from the delay between deliveries to the <i>same
domain</i> into the delay between deliveries to the <i>same
recipient</i>. Again, different recipients are delivered in parallel,
subject to the process limits specified in master.cf. </p>

<li> <p> It changes the meaning of other corresponding per-destination
settings in a similar manner, from settings for delivery to the
<i>same domain</i> into settings for delivery to the <i>same
recipient</i>. </p>

</ul>

<p> Use <i>transport</i>_destination_recipient_limit to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

%PARAM default_extra_recipient_limit 1000

<p>
The default value for the extra per-transport limit imposed on the
number of in-memory recipients.
This extra recipient space is
reserved for the cases when the Postfix queue manager's scheduler
preempts one message with another and suddenly needs some extra
recipient slots for the chosen message in order to avoid performance
degradation.
</p>

<p> Use <i>transport</i>_extra_recipient_limit to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

%PARAM default_minimum_delivery_slots 3

<p>
How many recipients a message must have in order to invoke the
Postfix queue manager's scheduling algorithm at all. Messages
which would never accumulate at least this many delivery slots
(subject to slot cost parameter as well) are never preempted.
</p>

<p> Use <i>transport</i>_minimum_delivery_slots to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

%PARAM default_privs nobody

<p>
The default rights used by the local(8) delivery agent for delivery
to an external file or command. These rights are used when delivery
is requested from an aliases(5) file that is owned by <b>root</b>, or
when delivery is done on behalf of <b>root</b>. <b>DO NOT SPECIFY A
PRIVILEGED USER OR THE POSTFIX OWNER</b>.
</p>

%PARAM default_process_limit 100

<p>
The default maximal number of Postfix child processes that provide
a given service. This limit can be overruled for specific services
in the master.cf file.
</p>

%PARAM default_rbl_reply see "postconf -d" output

<p>
The default Postfix SMTP server response template for a request that is
rejected by an RBL-based restriction. This template can be overruled
by specific entries in the optional rbl_reply_maps lookup table.
</p>

<p>
This feature is available in Postfix 2.0 and later.
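</p>

<p> The substitution rules listed below are easy to get wrong when
writing a custom reply template, so here is an added illustration that
is not part of Postfix or of this documentation: a small Python expander
implementing the one-level $name, ${name}, $(name), ${name?value},
${name:value}, ${name?{value}}, ${name:{value}} and
${name?{value1}:{value2}} forms as the list below describes them. The
template and the attribute values are constructed for the example
(documentation addresses and domains); the function names expand() and
demo() are the example's own. The same expansion forms are documented
further down for command_execution_directory and forward_path. </p>

```python
import re

# Attribute names are alphanumeric plus underscore, like the $rbl_code,
# $client_name, ... attributes the template supports.
_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def _matching(text, start, open_ch, close_ch):
    """Return the index of the bracket that closes text[start], or -1."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    return -1


def expand(template, attrs):
    """Expand $name, ${name}, $(name) and the conditional forms in template.

    Attribute values are inserted verbatim (exactly one level of
    substitution): a "$" inside an attribute value is never expanded
    again.  Unknown or unset attributes expand to the empty string.
    """
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "$" or i + 1 == len(template):   # literal text, or trailing "$"
            out.append(ch)
            i += 1
            continue
        nxt = template[i + 1]
        if nxt in "{(":                            # ${...} or $(...)
            close = "}" if nxt == "{" else ")"
            end = _matching(template, i + 1, nxt, close)
            if end < 0:
                raise ValueError("unbalanced %s in template" % nxt)
            out.append(_expand_braced(template[i + 2:end], attrs))
            i = end + 1
            continue
        m = _NAME_RE.match(template, i + 1)
        if m is None:                              # "$" not followed by a name
            out.append("$")
            i += 1
            continue
        out.append(attrs.get(m.group(0), ""))      # plain $name
        i = m.end()
    return "".join(out)


def _expand_braced(inner, attrs):
    """Handle the text between ${ and }: name, name?..., or name:..."""
    m = _NAME_RE.match(inner)
    if m is None:
        raise ValueError("missing attribute name in ${%s}" % inner)
    name, rest = m.group(0), inner[m.end():]
    value = attrs.get(name, "")
    if rest == "":                                 # ${name} / $(name)
        return value
    op, body = rest[0], rest[1:]
    if op not in "?:":
        raise ValueError("unexpected %r after $%s" % (op, name))
    else_text = None
    if body.startswith("{"):                       # Postfix >= 3.0 brace forms
        end = _matching(body, 0, "{", "}")
        if end < 0:
            raise ValueError("unbalanced { in ${%s}" % inner)
        if_text, tail = body[1:end], body[end + 1:]
        if op == "?" and tail.startswith(":{"):    # ${name?{v1}:{v2}}
            end2 = _matching(tail, 1, "{", "}")
            if end2 != len(tail) - 1:
                raise ValueError("malformed else branch in ${%s}" % inner)
            else_text = tail[2:end2]
        elif tail != "":
            raise ValueError("trailing text in ${%s}" % inner)
    else:                                          # ${name?value} / ${name:value}
        if_text = body
    if op == "?":
        chosen = if_text if value else else_text
    else:
        chosen = None if value else if_text
    # The chosen branch is template text, so it may contain further $name.
    return expand(chosen, attrs) if chosen is not None else ""


# Constructed attribute values (documentation address ranges, not a real client).
SAMPLE_ATTRS = {
    "client": "unknown[192.0.2.10]",
    "client_address": "192.0.2.10",
    "client_name": "unknown",
    "helo_name": "",
    "rbl_class": "Client host",
    "rbl_code": "554 5.7.1",
    "rbl_domain": "dnsbl.example.net",
    "rbl_reason": "",
    "rbl_what": "192.0.2.10",
}

# A constructed template in the style of an RBL reply (not the Postfix default).
SAMPLE_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] blocked "
                   "using $rbl_domain${rbl_reason?{; $rbl_reason}:{; no reason given}}"
                   "; HELO=${helo_name:{(none)}}; from $(client_address)")


def demo():
    """Expand the constructed template against the constructed attributes."""
    return expand(SAMPLE_TEMPLATE, SAMPLE_ATTRS)


if __name__ == "__main__":
    print(demo())
```

<p> Because attribute values are inserted verbatim, a value that itself
contains "$" comes through unchanged, which is what "exactly one level
of $name substitution" means in practice; the expander raises
ValueError on unbalanced braces instead of guessing at the intended
reply.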
</p>

<p>
The template does not support Postfix configuration parameter $name
substitution. Instead, it supports exactly one level of $name
substitution for the following attributes:
</p>

<dl>

<dt><b>$client</b></dt>

<dd>The client hostname and IP address, formatted as name[address]. </dd>

<dt><b>$client_address</b></dt>

<dd>The client IP address. </dd>

<dt><b>$client_name</b></dt>

<dd>The client hostname or "unknown". See reject_unknown_client_hostname
for more details. </dd>

<dt><b>$reverse_client_name</b></dt>

<dd>The client hostname from address-&gt;name lookup, or "unknown".
See reject_unknown_reverse_client_hostname for more details. </dd>

#<dt><b>$forward_client_name</b></dt>
#
#<dd>The client hostname from address-&gt;name lookup followed by
#name-&gt;address lookup, or "unknown". See
#reject_unknown_forward_client_hostname for more details. </dd>

<dt><b>$helo_name</b></dt>

<dd>The hostname given in HELO or EHLO command or empty string. </dd>

<dt><b>$rbl_class</b></dt>

<dd>The denylisted entity type: Client host, Helo command, Sender
address, or Recipient address. </dd>

<dt><b>$rbl_code</b></dt>

<dd>The numerical SMTP response code, as specified with the
maps_rbl_reject_code configuration parameter. Note: The numerical
SMTP response code is required, and must appear at the start of the
reply. With Postfix version 2.3 and later this information may be followed
by an RFC 3463 enhanced status code. </dd>

<dt><b>$rbl_domain</b></dt>

<dd>The RBL domain where $rbl_what is denylisted. </dd>

<dt><b>$rbl_reason</b></dt>

<dd>The reason why $rbl_what is denylisted, or an empty string.
</dd>

<dt><b>$rbl_what</b></dt>

<dd>The entity that is denylisted (an IP address, a hostname, a domain
name, or an email address whose domain was denylisted). </dd>

<dt><b>$recipient</b></dt>

<dd>The recipient address or &lt;&gt; in case of the null address. </dd>

<dt><b>$recipient_domain</b></dt>

<dd>The recipient domain or empty string. </dd>

<dt><b>$recipient_name</b></dt>

<dd>The recipient address localpart or &lt;&gt; in case of null address. </dd>

<dt><b>$sender</b></dt>

<dd>The sender address or &lt;&gt; in case of the null address. </dd>

<dt><b>$sender_domain</b></dt>

<dd>The sender domain or empty string. </dd>

<dt><b>$sender_name</b></dt>

<dd>The sender address localpart or &lt;&gt; in case of the null address. </dd>

<dt><b>${name?value}</b></dt>

<dt><b>${name?{value}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>

<dt><b>${name:value}</b></dt>

<dt><b>${name:{value}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>

<dt><b>${name?{value1}:{value2}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
<i>value2</i> otherwise. </dd>

</dl>

<p>
Instead of $name you can also specify ${name} or $(name).
</p>

<p> Note: when an enhanced status code is specified in an RBL reply
template, it is subject to modification. The following transformations
are needed when the same RBL reply template is used for client,
helo, sender, or recipient access restrictions. </p>

<ul>

<li> <p> When rejecting a sender address, the Postfix SMTP server
will transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
corresponding sender DSN status, and vice versa.
</p>

<li> <p> When rejecting non-address information (such as the HELO
command argument or the client hostname/address), the Postfix SMTP
server will transform a sender or recipient DSN status into a generic
non-address DSN status (e.g., 4.0.0). </p>

</ul>

%PARAM default_recipient_limit 20000

<p>
The default per-transport upper limit on the number of in-memory
recipients. These limits take priority over the global
qmgr_message_recipient_limit after the message has been assigned
to the respective transports. See also default_extra_recipient_limit
and qmgr_message_recipient_minimum.
</p>

<p> Use <i>transport</i>_recipient_limit to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

%PARAM default_recipient_refill_limit 100

<p>
The default per-transport limit on the number of recipients refilled at
once. When not all message recipients fit into memory at once, keep
loading more of them in batches of at least this many at a time. See also
$default_recipient_refill_delay, which may result in recipient batches
lower than this when this limit is too high for too slow deliveries.
</p>

<p> Use <i>transport</i>_recipient_refill_limit to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

<p> This feature is available in Postfix 2.4 and later. </p>

%PARAM default_recipient_refill_delay 5s

<p>
The default per-transport maximum delay between refilling recipients.
When not all message recipients fit into memory at once, keep loading
more of them at least once every this many seconds. This is used to
make sure the recipients are refilled in a timely manner even when
$default_recipient_refill_limit is too high for too slow deliveries.
</p>

<p> Use <i>transport</i>_recipient_refill_delay to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

<p> This feature is available in Postfix 2.4 and later. </p>

%PARAM default_transport smtp

<p>
The default mail delivery transport and next-hop destination for
destinations that do not match $mydestination, $inet_interfaces,
$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains,
or $relay_domains. This information can be overruled with the
sender_dependent_default_transport_maps parameter and with the
transport(5) table. </p>

<p>
In order of decreasing precedence, the nexthop destination is taken
from $sender_dependent_default_transport_maps, $default_transport,
$sender_dependent_relayhost_maps, $relayhost, or from the recipient
domain.
</p>

<p>
Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
is the name of a mail delivery transport defined in master.cf.
The <i>:nexthop</i> destination is optional; its syntax is documented
in the manual page of the corresponding delivery agent. In the case of
SMTP or LMTP, specify one or more destinations separated by comma or
whitespace (with Postfix 3.5 and later).
</p>

<p>
Example:
</p>

<pre>
default_transport = uucp:relayhostname
</pre>

%PARAM defer_code 450

<p>
The numerical Postfix SMTP server response code when a remote SMTP
client request is rejected by the "defer" restriction.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

%PARAM defer_transports

<p>
The names of message delivery transports that should not deliver mail
unless someone issues "<b>sendmail -q</b>" or equivalent.
Specify zero
or more mail delivery transport names that appear in the
first field of master.cf.
</p>

<p>
Example:
</p>

<pre>
defer_transports = smtp
</pre>

%PARAM deliver_lock_attempts 20

<p>
The maximal number of attempts to acquire an exclusive lock on a
mailbox file or bounce(8) logfile.
</p>

%PARAM deliver_lock_delay 1s

<p>
The time between attempts to acquire an exclusive lock on a mailbox
file or bounce(8) logfile.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM disable_vrfy_command no

<p>
Disable the SMTP VRFY command. This stops some techniques used to
harvest email addresses.
</p>

<p>
Example:
</p>

<pre>
disable_vrfy_command = no
</pre>

%PARAM double_bounce_sender double-bounce

<p> The sender address of postmaster notifications that are generated
by the mail system. All mail to this address is silently discarded,
in order to terminate mail bounce loops. </p>

%PARAM duplicate_filter_limit 1000

<p> The maximal number of addresses remembered by the address
duplicate filter for aliases(5) or virtual(5) alias expansion, or
for showq(8) queue displays. </p>

%PARAM enable_original_recipient yes

<p> Enable support for the original recipient address after an
address is rewritten to a different address (for example with
aliasing or with canonical mapping).
</p>

<p> The original recipient address is used as follows: </p>

<dl>

<dt> Final delivery </dt> <dd> With "enable_original_recipient =
yes", the original recipient address is stored in the <b>X-Original-To</b>
message header. This header may be used to distinguish between
different recipients that share the same mailbox. </dd>

<dt> Recipient deduplication </dt> <dd> With "enable_original_recipient
= yes", the cleanup(8) daemon performs duplicate recipient elimination
based on the content of (original recipient, maybe-rewritten
recipient) pairs. Otherwise, the cleanup(8) daemon performs duplicate
recipient elimination based only on the maybe-rewritten recipient
address. </dd>

</dl>

<p> Note: with Postfix &le; 3.2 the setting "enable_original_recipient
= <b>no</b>" breaks address verification for addresses that are
aliased or otherwise rewritten (Postfix is unable to store the
address verification result under the original probe destination
address; instead, it can store the result only under the rewritten
address). </p>

<p> This feature is available in Postfix 2.1 and later. Postfix
version 2.0 behaves as if this parameter is always set to <b>yes</b>.
Postfix versions before 2.0 have no support for the original recipient
address. </p>

%PARAM export_environment see "postconf -d" output

<p>
The list of environment variables that a Postfix process will export
to non-Postfix processes. The TZ variable is needed for sane
time keeping on System-V-ish systems.
</p>

<p>
Specify a list of names and/or name=value pairs, separated by
whitespace or comma. Specify "{ name=value }" to protect whitespace
or comma in parameter values (whitespace after the opening "{" and
before the closing "}"
is ignored).
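</p>

<p> An added illustration, not part of Postfix or of this documentation,
of how this list syntax is taken apart: a Python parser that splits an
export_environment value (or an import_environment value, which uses
the same "{ name=value }" form) into names and name=value pairs,
removing the whitespace just inside the braces. The sample value is
constructed; the rule that braces may nest, and the function names
split_env_list() and parse_env_list(), are the example's own. </p>

```python
_SEPARATORS = " \t\r\n,"          # items are separated by whitespace or commas


def split_env_list(value):
    """Split a Postfix export_environment/import_environment value into items.

    An item wrapped in "{ ... }" is taken as one item, with the whitespace
    after "{" and before "}" removed, so that it may contain spaces or
    commas.  Braces are assumed to nest (example's assumption).
    """
    items, i, n = [], 0, len(value)
    while i < n:
        ch = value[i]
        if ch in _SEPARATORS:
            i += 1
            continue
        if ch == "{":
            depth, j = 0, i
            while j < n:
                if value[j] == "{":
                    depth += 1
                elif value[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if j == n:
                raise ValueError("missing } in: %s" % value)
            items.append(value[i + 1:j].strip())   # drop the braces, trim inside
            i = j + 1
            continue
        j = i
        while j < n and value[j] not in _SEPARATORS:   # plain item
            j += 1
        items.append(value[i:j])
        i = j
    return items


def parse_env_list(value):
    """Map each name to its explicit value, or None when only a name is given.

    A bare name means "pass the variable through" (export the current
    value, or import it from the parent); name=value sets it explicitly.
    """
    result = {}
    for item in split_env_list(value):
        name, sep, val = item.partition("=")
        if not name:
            raise ValueError("empty variable name in item %r" % item)
        result[name] = val if sep else None
    return result


# Constructed sample value: one bare name, one plain name=value, one braced
# value containing a comma and spaces, and a trailing plain pair.
SAMPLE_VALUE = "TZ PATH=/bin:/usr/bin, { MY_VAR=a value, with comma } LANG=C"


if __name__ == "__main__":
    for name, val in parse_env_list(SAMPLE_VALUE).items():
        print(name, "=", val)
```

<p>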
The form name=value is supported with Postfix version
2.1 and later; the use of {} is supported with Postfix 3.0 and
later. </p>

<p>
Example:
</p>

<pre>
export_environment = TZ PATH=/bin:/usr/bin
</pre>

%PARAM smtp_fallback_relay $fallback_relay

<p> Optional list of relay destinations that will be used when an
SMTP destination is not found, or when delivery fails due to a
non-permanent error. With Postfix 2.2 and earlier this parameter
is called fallback_relay. </p>

<p> By default, smtp_fallback_relay is empty, mail is returned to
the sender when a destination is not found, and delivery is deferred
after it fails due to a non-permanent error. </p>

<p> With bulk email deliveries, it can be beneficial to run the
fallback relay MTA on the same host, so that it can reuse the sender
IP address. This speeds up deliveries that are delayed by IP-based
reputation systems (greylist, etc.). </p>

<p> The fallback relays must be SMTP destinations. Specify a domain,
host, host:port, [host]:port, [address] or [address]:port; the form
[host] turns off MX lookups. If you specify multiple SMTP
destinations, Postfix will try them in the specified order. </p>

<p> To prevent mailer loops between MX hosts and fall-back hosts,
Postfix version 2.2 and later will not use the fallback relays for
destinations that it is MX host for (assuming DNS lookup is turned on).
</p>

%PARAM fallback_relay

<p>
Optional list of relay hosts for SMTP destinations that can't be
found or that are unreachable. With Postfix 2.3 this parameter
is renamed to smtp_fallback_relay. </p>

<p>
By default, mail is returned to the sender when a destination is
not found, and delivery is deferred when a destination is unreachable.
</p>

<p> The fallback relays must be SMTP destinations.
Specify a domain,
host, host:port, [host]:port, [address] or [address]:port; the form
[host] turns off MX lookups. If you specify multiple SMTP
destinations, Postfix will try them in the specified order. </p>

<p> Note: before Postfix 2.2, do not use the fallback_relay feature
when relaying mail
for a backup or primary MX domain. Mail would loop between the
Postfix MX host and the fallback_relay host when the final destination
is unavailable. With those releases, avoid the loop as follows: </p>

<ul>

<li> In main.cf specify "relay_transport = relay",

<li> In master.cf specify "-o fallback_relay =" (i.e., empty) at
the end of the <tt>relay</tt> entry.

<li> In transport maps, specify "relay:<i>nexthop...</i>"
as the right-hand side for backup or primary MX domain entries.

</ul>

<p> Postfix version 2.2 and later will not use the fallback_relay feature
for destinations that it is MX host for.
</p>

%PARAM lmtp_fallback_relay

<p> Optional list of relay hosts for LMTP destinations that can't be
found or that are unreachable. In main.cf elements are separated by
whitespace or commas. </p>

<p> By default, mail is returned to the sender when a destination is not
found, and delivery is deferred when a destination is unreachable. </p>

<p> The fallback relays must be TCP destinations, specified without
a leading "inet:" prefix. Specify a host or host:port. Since MX
lookups do not apply with LMTP, there is no need to use the "[host]" or
"[host]:port" forms. If you specify multiple LMTP destinations, Postfix
will try them in the specified order. </p>

<p>
This feature is available in Postfix 3.1 and later.
</p>

%PARAM fast_flush_domains $relay_domains

<p>
Optional list of destinations that are eligible for per-destination
logfiles with mail that is queued to those destinations.
</p>

<p>
By default, Postfix maintains "fast flush" logfiles only for
destinations that the Postfix SMTP server is willing to relay to
(i.e. the default is: "fast_flush_domains = $relay_domains"; see
the relay_domains parameter in the postconf(5) manual).
</p>

<p> Specify a list of hosts or domains, "/file/name" patterns or
"type:table" lookup tables, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace. A
"/file/name" pattern is replaced by its contents; a "type:table"
lookup table is matched when the domain or its parent domain appears
as lookup key. </p>

<p> Pattern matching of domain names is controlled by the presence
or absence of "fast_flush_domains" in the parent_domain_matches_subdomains
parameter value. </p>

<p>
Specify "fast_flush_domains =" (i.e., empty) to disable the feature
altogether.
</p>

%PARAM fast_flush_purge_time 7d

<p>
The time after which an empty per-destination "fast flush" logfile
is deleted.
</p>

<p>
You can specify the time as a number, or as a number followed by
a letter that indicates the time unit: s=seconds, m=minutes, h=hours,
d=days, w=weeks. The default time unit is days.
</p>

%PARAM fast_flush_refresh_time 12h

<p>
The time after which a non-empty but unread per-destination "fast
flush" logfile needs to be refreshed. The contents of a logfile
are refreshed by requesting delivery of all messages listed in the
logfile.
</p>

<p>
You can specify the time as a number, or as a number followed by
a letter that indicates the time unit: s=seconds, m=minutes, h=hours,
d=days, w=weeks. The default time unit is hours.
</p>

%PARAM fork_attempts 5

<p> The maximal number of attempts to fork() a child process.
</p>

%PARAM fork_delay 1s

<p> The delay between attempts to fork() a child process. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM execution_directory_expansion_filter see "postconf -d" output

<p> Restrict the characters that the local(8) delivery agent allows
in $name expansions of $command_execution_directory. Characters
outside the allowed set are replaced by underscores. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM command_execution_directory

<p> The local(8) delivery agent working directory for delivery to
external commands. Failure to change directory causes the delivery
to be deferred. </p>

<p> The command_execution_directory value is not subject to Postfix
configuration parameter $name expansion. Instead, the following
$name expansions are done on command_execution_directory before the
directory is used. Expansion happens in the context
of the delivery request. The result of $name expansion is filtered
with the character set that is specified with the
execution_directory_expansion_filter parameter. </p>

<dl>

<dt><b>$user</b></dt>

<dd>The recipient's username. </dd>

<dt><b>$shell</b></dt>

<dd>The recipient's login shell pathname. </dd>

<dt><b>$home</b></dt>

<dd>The recipient's home directory. </dd>

<dt><b>$recipient</b></dt>

<dd>The full recipient address. </dd>

<dt><b>$extension</b></dt>

<dd>The optional recipient address extension. </dd>

<dt><b>$domain</b></dt>

<dd>The recipient domain. </dd>

<dt><b>$local</b></dt>

<dd>The entire recipient localpart.
</dd>

<dt><b>$recipient_delimiter</b></dt>

<dd>The address extension delimiter that was found in the recipient
address (Postfix 2.11 and later), or the system-wide recipient
address extension delimiter (Postfix 2.10 and earlier). </dd>

<dt><b>${name?value}</b></dt>

<dt><b>${name?{value}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>

<dt><b>${name:value}</b></dt>

<dt><b>${name:{value}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>

<dt><b>${name?{value1}:{value2}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
<i>value2</i> otherwise. </dd>

</dl>

<p>
Instead of $name you can also specify ${name} or $(name).
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM forward_path see "postconf -d" output

<p> The local(8) delivery agent search list for finding a .forward
file with user-specified delivery methods. The first file that is
found is used. </p>

<p> The forward_path value is not subject to Postfix configuration
parameter $name expansion. Instead, the following $name expansions
are done on forward_path before the search actually happens.
The result of $name expansion is
filtered with the character set that is specified with the
forward_expansion_filter parameter. </p>

<dl>

<dt><b>$user</b></dt>

<dd>The recipient's username. </dd>

<dt><b>$shell</b></dt>

<dd>The recipient's login shell pathname. </dd>

<dt><b>$home</b></dt>

<dd>The recipient's home directory. </dd>

<dt><b>$recipient</b></dt>

<dd>The full recipient address. </dd>

<dt><b>$extension</b></dt>

<dd>The optional recipient address extension.
</dd>

<dt><b>$domain</b></dt>

<dd>The recipient domain. </dd>

<dt><b>$local</b></dt>

<dd>The entire recipient localpart. </dd>

<dt><b>$recipient_delimiter</b></dt>

<dd>The address extension delimiter that was found in the recipient
address (Postfix 2.11 and later), or the 'first' delimiter specified
with the system-wide recipient address extension delimiter (Postfix
3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was
always the system-wide recipient
address extension delimiter (Postfix 2.10 and earlier). </dd>

<dt><b>${name?value}</b></dt>

<dt><b>${name?{value}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>

<dt><b>${name:value}</b></dt>

<dt><b>${name:{value}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>

<dt><b>${name?{value1}:{value2}}</b> (Postfix &ge; 3.0)</dt>

<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
<i>value2</i> otherwise. </dd>

</dl>

<p>
Instead of $name you can also specify ${name} or $(name).
</p>

<p>
Examples:
</p>

<pre>
forward_path = /var/forward/$user
forward_path =
    /var/forward/$user/.forward$recipient_delimiter$extension,
    /var/forward/$user/.forward
</pre>

%CLASS queue-hashing Queue directory hashing

<p>
Queue directory hashing is a performance feature. Splitting one
queue directory across multiple subdirectory levels can speed up
file access by reducing the number of files per directory.
</p>

<p>
Unfortunately, deeply hashing the incoming or deferred queue can
actually slow down the mail system (with a depth of 2, mailq with
an empty queue can take several seconds).
</p>

<p>
Hashing must NOT be used with a world-writable maildrop directory.
Hashing MUST be used for the defer logfile directory, to avoid poor
performance when handling lots of deferred mail.
</p>

%PARAM hash_queue_depth 1

<p>
The number of subdirectory levels for queue directories listed with
the hash_queue_names parameter. Queue hashing is implemented by
creating one or more levels of directories with one-character names.
Originally, these directory names were equal to the first characters
of the queue file name, with the hexadecimal representation of the
file creation time in microseconds. </p>

<p> With long queue file names, queue hashing produces the same
results as with short names. The file creation time in microseconds
is converted into hexadecimal form before the result is used for
queue hashing. The base 16 encoding gives finer control over the
number of subdirectories than is possible with the base 52 encoding
of long queue file names. </p>

<p>
After changing the hash_queue_names or hash_queue_depth parameter,
execute the command "<b>postfix reload</b>".
</p>

%PARAM hash_queue_names deferred, defer

<p>
The names of queue directories that are split across multiple
subdirectory levels.
</p>

<p> Before Postfix version 2.2, the default list of hashed queues
was significantly larger. Claims about improvements in file system
technology suggest that hashing of the incoming and active queues
is no longer needed. Fewer hashed directories speed up the time
needed to restart Postfix. </p>

<p>
After changing the hash_queue_names or hash_queue_depth parameter,
execute the command "<b>postfix reload</b>".
</p>

%CLASS headerbody-checks Content inspection built-in features

<p>
The Postfix cleanup(8) server has a limited ability to inspect
message headers and body content for signs of trouble.
This is not
meant to be a substitute for content filters that do complex
processing such as attachment decoding and unzipping.
</p>

%PARAM header_checks

<p>
Optional lookup tables for content inspection of primary non-MIME
message headers, as specified in the header_checks(5) manual page.
</p>

%PARAM header_size_limit 102400

<p>
The maximal amount of memory in bytes for storing a message header.
If a header is larger, the excess is discarded. The limit is
enforced by the cleanup(8) server.
</p>

%PARAM home_mailbox

<p>
Optional pathname of a mailbox file relative to a local(8) user's
home directory.
</p>

<p>
Specify a pathname ending in "/" for qmail-style delivery.
</p>

<p> The precedence of local(8) delivery features from high to low
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>

<p>
Examples:
</p>

<pre>
home_mailbox = Mailbox
home_mailbox = Maildir/
</pre>

%PARAM hopcount_limit 50

<p>
The maximal number of Received: message headers that is allowed
in the primary message headers. A message that exceeds the limit
is bounced, in order to stop a mailer loop.
</p>

%PARAM ignore_mx_lookup_error no

<p> Ignore DNS MX lookups that produce no response. By default,
the Postfix SMTP client defers delivery and tries again after some
delay. This behavior is required by the SMTP standard. </p>

<p>
Specify "ignore_mx_lookup_error = yes" to force a DNS A record
lookup instead. This violates the SMTP standard and can result in
mis-delivery of mail.
</p>

%PARAM import_environment see "postconf -d" output

<p> The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or name=value
environment overrides. Unprivileged utilities will enforce the
name=value overrides, but otherwise will not change their process
environment. Examples of relevant environment variables: </p>

<dl>

<dt><b>TZ</b></dt>

<dd>May be needed for sane time keeping on most System-V-ish systems.
</dd>

<dt><b>DISPLAY</b></dt>

<dd>Needed for debugging Postfix daemons with an X-windows debugger. </dd>

<dt><b>XAUTHORITY</b></dt>

<dd>Needed for debugging Postfix daemons with an X-windows debugger. </dd>

<dt><b>MAIL_CONFIG</b></dt>

<dd>Needed to make "<b>postfix -c</b>" work. </dd>

<dt><b>POSTLOG_SERVICE</b></dt>

<dd>Needed to make "<b>maillog_file</b>" work during daemon
process initialization. </dd>

<dt><b>POSTLOG_HOSTNAME</b></dt>

<dd>Needed to make "<b>maillog_file</b>" work during daemon
process initialization. </dd>

</dl>

<p> Specify a list of names and/or name=value pairs, separated by
whitespace or comma. Specify "{ name=value }" to protect whitespace
or comma in environment variable values (whitespace after the opening "{" and
before the closing "}"
is ignored). The form name=value is supported with Postfix version
2.1 and later; the use of {} is supported with Postfix 3.0 and
later. </p>

%PARAM in_flow_delay 1s

<p> Time to pause before accepting a new message, when the message
arrival rate exceeds the message delivery rate. This feature is
turned on by default (it's disabled on SCO UNIX due to an SCO bug).
</p>

<p>
With the default 100 Postfix SMTP server process limit, "in_flow_delay
= 1s" limits the mail inflow to 100 messages per second above the
number of messages delivered per second.
</p>

<p>
Specify 0 to disable the feature. Valid delays are 0..10.
</p>

%PARAM inet_interfaces all

<p> The local network interface addresses that this mail system receives
mail on. Specify "all" to receive mail on all network
interfaces (default), and "loopback-only" to receive mail
on loopback network interfaces only (Postfix version 2.2 and later). The
parameter also controls delivery of mail to <tt>user@[ip.address]</tt>.
</p>

<p>
Note 1: you need to stop and start Postfix when this parameter changes.
</p>

<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
but this form is not required here. </p>

<p> When inet_interfaces specifies just one IPv4 and/or IPv6 address
that is not a loopback address, the Postfix SMTP client will use
this address as the IP source address for outbound mail. Support
for IPv6 is available in Postfix version 2.2 and later. </p>

<p>
On a multi-homed firewall with separate Postfix instances listening on the
"inside" and "outside" interfaces, this can prevent each instance from
being able to reach remote SMTP servers on the "other side" of the
firewall. Setting
smtp_bind_address to 0.0.0.0 avoids the potential problem for
IPv4, and setting smtp_bind_address6 to :: solves the problem
for IPv6. </p>

<p>
A better solution for multi-homed firewalls is to leave inet_interfaces
at the default value and instead use explicit IP addresses in
the master.cf SMTP server definitions. This preserves the Postfix
SMTP client's
loop detection, by ensuring that each side of the firewall knows that the
other IP address is still the same host.
Setting $inet_interfaces to a
single IPv4 and/or IPv6 address is primarily useful with virtual
hosting of domains on
secondary IP addresses, when each IP address serves a different domain
(and has a different $myhostname setting). </p>

<p>
See also the proxy_interfaces parameter, for network addresses that
are forwarded to Postfix by way of a proxy or address translator.
</p>

<p>
Examples:
</p>

<pre>
inet_interfaces = all (DEFAULT)
inet_interfaces = loopback-only (Postfix version 2.2 and later)
inet_interfaces = 127.0.0.1
inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
inet_interfaces = 192.168.1.2, 127.0.0.1
</pre>

%PARAM inet_protocols see 'postconf -d output'

<p> The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
or "ipv6", separated by whitespace or commas. The form
"all" is equivalent to "ipv4, ipv6" or "ipv4", depending
on whether the operating system implements IPv6. </p>

<p> With Postfix 2.8 and earlier the default is "ipv4". For backwards
compatibility with these releases, the Postfix 2.9 and later upgrade
procedure appends an explicit "inet_protocols = ipv4" setting to
main.cf when no explicit setting is present. This compatibility
workaround will be phased out as IPv6 deployment becomes more common.
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

<p> Note: you MUST stop and start Postfix after changing this
parameter. </p>

<p> On systems that pre-date IPV6_V6ONLY support (RFC 3493), an
IPv6 server will also accept IPv4 connections, even when IPv4 is
turned off with the inet_protocols parameter.
On systems with
IPV6_V6ONLY support, Postfix will use separate server sockets for
IPv6 and IPv4, and each will accept only connections for the
corresponding protocol. </p>

<p> When IPv4 support is enabled via the inet_protocols parameter,
Postfix will look up DNS type A records, and will convert
IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original
IPv4 form (1.2.3.4). The latter is needed on hosts that pre-date
IPV6_V6ONLY support (RFC 3493). </p>

<p> When IPv6 support is enabled via the inet_protocols parameter,
Postfix will do DNS type AAAA record lookups. </p>

<p> When both IPv4 and IPv6 support are enabled, the Postfix SMTP
client will choose the protocol as specified with the
smtp_address_preference parameter. Postfix versions before 2.8
attempt to connect via IPv6 before attempting to use IPv4. </p>

<p>
Examples:
</p>

<pre>
inet_protocols = ipv4
inet_protocols = all (DEFAULT)
inet_protocols = ipv6
inet_protocols = ipv4, ipv6
</pre>

%PARAM initial_destination_concurrency 5

<p>
The initial per-destination concurrency level for parallel delivery
to the same destination.
With per-destination recipient limit > 1, a destination is a domain,
otherwise it is a recipient.
</p>

<p> Use <i>transport</i>_initial_destination_concurrency to specify
a transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport (Postfix 2.5 and later). </p>

<p>
Warning: with concurrency of 1, one bad message can be enough to
block all mail to a site.
</p>

%PARAM invalid_hostname_reject_code 501

<p>
The numerical Postfix SMTP server response code when the client
HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname
restriction.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

%PARAM ipc_idle version dependent

<p>
The time after which a client closes an idle internal communication
channel. The purpose is to allow Postfix daemon processes to
terminate voluntarily after they become idle. This is used, for
example, by the Postfix address resolving and rewriting clients.
</p>

<p> With Postfix 2.4 the default value was reduced from 100s to 5s. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM ipc_timeout 3600s

<p>
The time limit for sending or receiving information over an internal
communication channel. The purpose is to break out of deadlock
situations. If the time limit is exceeded the software aborts with a
fatal error.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM ipc_ttl 1000s

<p>
The time after which a client closes an active internal communication
channel. The purpose is to allow Postfix daemon processes to
terminate voluntarily
after reaching their client limit. This is used, for example, by
the Postfix address resolving and rewriting clients.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM line_length_limit 2048

<p> Upon input, long lines are chopped up into pieces of at most
this length; upon delivery, long lines are reconstructed. </p>

%PARAM lmtp_connect_timeout 0s

<p> The Postfix LMTP client time limit for completing a TCP connection, or
zero (use the operating system built-in time limit). When no
connection can be made within the deadline, the LMTP client tries
the next address on the mail exchanger list. </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
Example:
</p>

<pre>
lmtp_connect_timeout = 30s
</pre>

%PARAM lmtp_data_done_timeout 600s

<p> The Postfix LMTP client time limit for sending the LMTP ".",
and for receiving the remote LMTP server response. When no response
is received within the deadline, a warning is logged that the mail
may be delivered multiple times. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM lmtp_data_init_timeout 120s

<p>
The Postfix LMTP client time limit for sending the LMTP DATA command,
and
for receiving the remote LMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM lmtp_data_xfer_timeout 180s

<p>
The Postfix LMTP client time limit for sending the LMTP message
content.
When the connection stalls for more than $lmtp_data_xfer_timeout
the LMTP client terminates the transfer.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM lmtp_lhlo_timeout 300s

<p> The Postfix LMTP client time limit for receiving the LMTP
greeting banner. When the remote LMTP server drops the connection
without sending a
greeting banner, or when it sends no greeting banner within the
deadline, the LMTP client tries the next address on the mail
exchanger list. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM lmtp_mail_timeout 300s

<p>
The Postfix LMTP client time limit for sending the MAIL FROM command,
and for receiving the remote LMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM lmtp_quit_timeout 300s

<p>
The Postfix LMTP client time limit for sending the QUIT command,
and for receiving the remote LMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
</p>

%PARAM lmtp_rcpt_timeout 300s

<p>
The Postfix LMTP client time limit for sending the RCPT TO command,
and for receiving the remote LMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM lmtp_rset_timeout 20s

<p> The Postfix LMTP client time limit for sending the RSET command,
and for receiving the remote LMTP server response. The LMTP client
sends RSET in
order to finish a recipient address probe, or to verify that a
cached connection is still alive. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM lmtp_send_xforward_command no

<p>
Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
server response announces XFORWARD support. This allows an lmtp(8)
delivery agent, used for content filter message injection, to
forward the name, address, protocol and HELO name of the original
client to the content filter and downstream LMTP server.
Before you change the value to yes, it is best to make sure that
your content filter supports this command.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM lmtp_skip_quit_response no

<p>
Wait for the response to the LMTP QUIT command.
</p>

%PARAM lmtp_xforward_timeout 300s

<p>
The Postfix LMTP client time limit for sending the XFORWARD command,
and for receiving the remote LMTP server response.
</p>

<p>
In case of problems the client does NOT try the next address on
the mail exchanger list.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM local_command_shell

<p>
Optional shell program for local(8) delivery to non-Postfix commands.
By default, non-Postfix commands are executed directly; commands
are given to the default shell (typically, /bin/sh) only when they
contain shell meta characters or shell built-in commands.
</p>

<p> "sendmail's restricted shell" (smrsh) is what most people will
use in order to restrict what programs can be run from e.g. .forward
files (smrsh is part of the Sendmail distribution). </p>

<p> Note: when a shell program is specified, it is invoked even
when the command contains no shell built-in commands or meta
characters. </p>

<p>
Examples:
</p>

<pre>
local_command_shell = /some/where/smrsh -c
local_command_shell = /bin/bash -c
</pre>

%PARAM local_destination_concurrency_limit 2

<p> The maximal number of parallel deliveries via the local mail
delivery transport to the same recipient (when
"local_destination_recipient_limit = 1") or the maximal number of
parallel deliveries to the same local domain (when
"local_destination_recipient_limit > 1"). This limit is enforced by
the queue manager. The message delivery transport name is the first
field in the entry in the master.cf file. </p>

<p> A low limit of 2 is recommended, just in case someone has an
expensive shell command in a .forward file or in an alias (e.g.,
a mailing list manager).
You don't want to run lots of those at
the same time. </p>

%PARAM local_destination_recipient_limit 1

<p> The maximal number of recipients per message delivery via the
local mail delivery transport. This limit is enforced by the queue
manager. The message delivery transport name is the first field in
the entry in the master.cf file. </p>

<p> Setting this parameter to a value > 1 changes the meaning of
local_destination_concurrency_limit from concurrency per recipient
into concurrency per domain. </p>

%PARAM local_recipient_maps proxy:unix:passwd.byname $alias_maps

<p> Lookup tables with all names or addresses of local recipients:
a recipient address is local when its domain matches $mydestination,
$inet_interfaces or $proxy_interfaces. Specify @domain as a
wild-card for domains that do not have a valid recipient list.
Technically, tables listed with $local_recipient_maps are used as
lists: Postfix needs to know only if a lookup string is found or
not, but it does not use the result from table lookup. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p>
If this parameter is non-empty (the default), then the Postfix SMTP
server will reject mail for unknown local users.
</p>

<p>
To turn off local recipient checking in the Postfix SMTP server,
specify "local_recipient_maps =" (i.e. empty).
</p>

<p>
The default setting assumes that you use the default Postfix local
delivery agent for local delivery. You need to update the
local_recipient_maps setting if:
</p>

<ul>

<li>You redefine the local delivery agent in master.cf.

<li>You redefine the "local_transport" setting in main.cf.

<li>You use the "luser_relay", "mailbox_transport", or "fallback_transport"
feature of the Postfix local(8) delivery agent.

</ul>

<p>
Details are described in the LOCAL_RECIPIENT_README file.
</p>

<p>
Beware: if the Postfix SMTP server runs chrooted, you need to access
the passwd file via the proxymap(8) service, in order to overcome
chroot access restrictions. The alternative, maintaining a copy of
the system password file in the chroot jail, is not practical.
</p>

<p>
Examples:
</p>

<pre>
local_recipient_maps =
</pre>

%PARAM local_transport local:$myhostname

<p> The default mail delivery transport and next-hop destination
for final delivery to domains listed with mydestination, and for
[ipaddress] destinations that match $inet_interfaces or $proxy_interfaces.
This information can be overruled with the transport(5) table. </p>

<p>
By default, local mail is delivered to the transport called "local",
which is just the name of a service that is defined in the master.cf file.
</p>

<p>
Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
is the name of a mail delivery transport defined in master.cf.
The <i>:nexthop</i> destination is optional; its syntax is documented
in the manual page of the corresponding delivery agent.
</p>

<p>
Beware: if you override the default local delivery agent then you
need to review the LOCAL_RECIPIENT_README document, otherwise the
SMTP server may reject mail for local recipients.
</p>

%PARAM luser_relay

<p>
Optional catch-all destination for unknown local(8) recipients.
By default, mail for unknown recipients in domains that match
$mydestination, $inet_interfaces or $proxy_interfaces is returned
as undeliverable.
</p>

<p>
The luser_relay value is not subject to Postfix configuration
parameter $name expansion. Instead, the following $name expansions
are done:
</p>

<dl>

<dt><b>$domain</b></dt>

<dd>The recipient domain. </dd>

<dt><b>$extension</b></dt>

<dd>The recipient address extension. </dd>

<dt><b>$home</b></dt>

<dd>The recipient's home directory. </dd>

<dt><b>$local</b></dt>

<dd>The entire recipient address localpart. </dd>

<dt><b>$recipient</b></dt>

<dd>The full recipient address. </dd>

<dt><b>$recipient_delimiter</b></dt>

<dd>The address extension delimiter that was found in the recipient
address (Postfix 2.11 and later), or the system-wide recipient
address extension delimiter (Postfix 2.10 and earlier). </dd>

<dt><b>$shell</b></dt>

<dd>The recipient's login shell. </dd>

<dt><b>$user</b></dt>

<dd>The recipient username. </dd>

<dt><b>${name?value}</b></dt>

<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>

<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>

<dt><b>${name:value}</b></dt>

<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>

<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>

<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>

<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
<i>value2</i> otherwise. </dd>

</dl>

<p>
Instead of $name you can also specify ${name} or $(name).
</p>

<p>
Note: luser_relay works only for the Postfix local(8) delivery agent.
</p>

<p>
Note: if you use this feature for accounts not in the UNIX password
file, then you must specify "local_recipient_maps =" (i.e.
empty)
in the main.cf file, otherwise the Postfix SMTP server will reject mail
for non-UNIX accounts with "User unknown in local recipient table".
</p>

<p>
Examples:
</p>

<pre>
luser_relay = $user@other.host
luser_relay = $local@other.host
luser_relay = admin+$local
</pre>

%PARAM mail_name Postfix

<p>
The mail system name that is displayed in Received: headers, in
the SMTP greeting banner, and in bounced mail.
</p>

%PARAM mail_owner postfix

<p>
The UNIX system account that owns the Postfix queue and most Postfix
daemon processes. Specify the name of an unprivileged user account
that does not share a user or group ID with other accounts, and that
owns no other files
or processes on the system. In particular, don't specify nobody
or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID.
</p>

<p>
When this parameter value is changed you need to re-run "<b>postfix
set-permissions</b>" (with Postfix version 2.0 and earlier:
"<b>/etc/postfix/post-install set-permissions</b>").
</p>

%PARAM mail_spool_directory see "postconf -d" output

<p>
The directory where local(8) UNIX-style mailboxes are kept. The
default setting depends on the system type. Specify a name ending
in / for maildir-style delivery.
</p>

<p>
Note: maildir delivery is done with the privileges of the recipient.
If you use the mail_spool_directory setting for maildir style
delivery, then you must create the top-level maildir directory in
advance. Postfix will not create it.
</p>

<p>
Examples:
</p>

<pre>
mail_spool_directory = /var/mail
mail_spool_directory = /var/spool/mail
</pre>

%PARAM mail_version see "postconf -d" output

<p>
The version of the mail system. Stable releases are named
<i>major</i>.<i>minor</i>.<i>patchlevel</i>.
Experimental releases
also include the release date. The version string can be used in,
for example, the SMTP greeting banner.
</p>

%PARAM mailbox_command

<p>
Optional external command that the local(8) delivery agent should
use for mailbox delivery. The command is run with the user ID and
the primary group ID privileges of the recipient. Exception:
command delivery for root executes with $default_privs privileges.
This is not a problem, because 1) mail for root should always be
aliased to a real user and 2) don't log in as root, use "su" instead.
</p>

<p>
The following environment variables are exported to the command:
</p>

<dl>

<dt><b>CLIENT_ADDRESS</b></dt>

<dd>Remote client network address. Available in Postfix version 2.2 and
later. </dd>

<dt><b>CLIENT_HELO</b></dt>

<dd>Remote client EHLO command parameter. Available in Postfix version 2.2
and later.</dd>

<dt><b>CLIENT_HOSTNAME</b></dt>

<dd>Remote client hostname. Available in Postfix version 2.2 and later.
</dd>

<dt><b>CLIENT_PROTOCOL</b></dt>

<dd>Remote client protocol. Available in Postfix version 2.2 and later.
</dd>

<dt><b>DOMAIN</b></dt>

<dd>The domain part of the recipient address. </dd>

<dt><b>EXTENSION</b></dt>

<dd>The optional address extension. </dd>

<dt><b>HOME</b></dt>

<dd>The recipient home directory. </dd>

<dt><b>LOCAL</b></dt>

<dd>The recipient address localpart. </dd>

<dt><b>LOGNAME</b></dt>

<dd>The recipient's username. </dd>

<dt><b>ORIGINAL_RECIPIENT</b></dt>

<dd>The entire recipient address, before any address rewriting or
aliasing. </dd>

<dt><b>RECIPIENT</b></dt>

<dd>The full recipient address.
</dd>

<dt><b>SASL_METHOD</b></dt>

<dd>SASL authentication method specified in the remote client AUTH
command. Available in Postfix version 2.2 and later. </dd>

<dt><b>SASL_SENDER</b></dt>

<dd>SASL sender address specified in the remote client MAIL FROM
command. Available in Postfix version 2.2 and later. </dd>

<dt><b>SASL_USER</b></dt>

<dd>SASL username specified in the remote client AUTH command.
Available in Postfix version 2.2 and later. </dd>

<dt><b>SENDER</b></dt>

<dd>The full sender address. </dd>

<dt><b>SHELL</b></dt>

<dd>The recipient's login shell. </dd>

<dt><b>USER</b></dt>

<dd>The recipient username. </dd>

</dl>

<p>
Unlike other Postfix configuration parameters, the mailbox_command
parameter is not subjected to $name substitutions. This is to make
it easier to specify shell syntax (see example below).
</p>

<p>
If you can, avoid shell meta characters because they will force
Postfix to run an expensive shell process. If you're delivering
via "procmail" then running a shell won't make a noticeable difference
in the total cost.
</p>

<p>
Note: if you use the mailbox_command feature to deliver mail
system-wide, you must set up an alias that forwards mail for root
to a real user.
</p>

<p> The precedence of local(8) delivery features from high to low
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay.
</p>

<p>
Examples:
</p>

<pre>
mailbox_command = /some/where/procmail
mailbox_command = /some/where/procmail -a "$EXTENSION"
mailbox_command = /some/where/maildrop -d "$USER"
        -f "$SENDER" "$EXTENSION"
</pre>

%PARAM mailbox_size_limit 51200000

<p> The maximal size of any local(8) individual mailbox or maildir
file, or zero (no limit). In fact, this limits the size of any
file that is written to upon local delivery, including files written
by external commands that are executed by the local(8) delivery
agent. The value cannot exceed LONG_MAX (typically, a 32-bit or
64-bit signed integer).
</p>

<p>
This limit must not be smaller than the message size limit.
</p>

%PARAM maps_rbl_reject_code 554

<p>
The numerical Postfix SMTP server response code when a remote SMTP
client request is blocked by the reject_rbl_client, reject_rhsbl_client,
reject_rhsbl_reverse_client, reject_rhsbl_sender or
reject_rhsbl_recipient restriction.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

%PARAM masquerade_classes envelope_sender, header_sender, header_recipient

<p>
What addresses are subject to address masquerading.
</p>

<p>
By default, address masquerading is limited to envelope sender
addresses, and to header sender and header recipient addresses.
This allows you to use address masquerading on a mail gateway while
still being able to forward mail to users on individual machines.
</p>

<p>
Specify zero or more of: envelope_sender, envelope_recipient,
header_sender, header_recipient
</p>

%PARAM masquerade_domains

<p>
Optional list of domains whose subdomain structure will be stripped
off in email addresses.
</p>

<p>
The list is processed left to right, and processing stops at the
first match. Thus,
</p>

<blockquote>
<pre>
masquerade_domains = foo.example.com example.com
</pre>
</blockquote>

<p>
strips "user@any.thing.foo.example.com" to "user@foo.example.com",
but strips "user@any.thing.else.example.com" to "user@example.com".
</p>

<p>
A domain name prefixed with ! means do not masquerade this domain
or its subdomains. Thus,
</p>

<blockquote>
<pre>
masquerade_domains = !foo.example.com example.com
</pre>
</blockquote>

<p>
does not change "user@any.thing.foo.example.com" or "user@foo.example.com",
but strips "user@any.thing.else.example.com" to "user@example.com".
</p>

<p> Note: with Postfix version 2.2, message header address masquerading
happens only when message header address rewriting is enabled: </p>

<ul>

<li> The message is received with the Postfix sendmail(1) command,

<li> The message is received from a network client that matches
$local_header_rewrite_clients,

<li> The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.

</ul>

<p> To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all". </p>

<p>
Example:
</p>

<pre>
masquerade_domains = $mydomain
</pre>

%PARAM masquerade_exceptions

<p>
Optional list of user names that are not subjected to address
masquerading, even when their addresses match $masquerade_domains.
</p>

<p>
By default, address masquerading makes no exceptions.
</p>

<p>
Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace.
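</p>

<p> The masquerade_domains rules spelled out above (left-to-right,
first match wins, "!" entries exempt a domain and its subdomains)
together with the user-name exemptions of masquerade_exceptions, as an
added example that is not part of the Postfix source. It reproduces
the four outcomes the text gives for "foo.example.com example.com" and
"!foo.example.com example.com", and only models plain user names for
the exceptions, not the "/file/name" or "type:table" forms. Function
names are this example's own. </p>

```python
# Added example; helper names are constructed, not Postfix code.

def parse_masquerade_domains(setting):
    """Parse a masquerade_domains value into an ordered list of
    (domain, negated) pairs; a leading "!" marks an exempt domain."""
    entries = []
    for token in setting.replace(",", " ").split():
        negated = token.startswith("!")
        domain = token[1:] if negated else token
        if domain:
            entries.append((domain, negated))
    return entries


def masquerade_address(address, masquerade_domains, masquerade_exceptions=()):
    """Return the address after masquerading, or unchanged when no rule applies.

    masquerade_exceptions is a collection of exempt user names (localparts),
    the plain-name form of that parameter.
    """
    localpart, at, domain = address.rpartition("@")
    if not at or not domain:
        return address                      # not a user@domain address
    if localpart in masquerade_exceptions:
        return address                      # masquerade_exceptions: leave alone
    lowered = domain.lower()
    for pattern, negated in parse_masquerade_domains(masquerade_domains):
        p = pattern.lower()
        if lowered == p or lowered.endswith("." + p):
            # First match decides: exempt if negated, else strip to the pattern.
            return address if negated else f"{localpart}@{pattern}"
    return address


# Constructed samples taken from the two cases described in the text.
PLAIN_RULE = "foo.example.com example.com"
NEGATED_RULE = "!foo.example.com example.com"

if __name__ == "__main__":
    for addr in ("user@any.thing.foo.example.com", "user@any.thing.else.example.com"):
        print(addr, "->", masquerade_address(addr, PLAIN_RULE),
              "|", masquerade_address(addr, NEGATED_RULE))
```

<p> Order matters: with "example.com foo.example.com" the first entry
already matches every foo.example.com subdomain, so the second is never
reached; the function makes that visible before the setting is deployed
on a gateway. </p>

<p>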
The list is matched left to
right, and the search stops on the first match. A "/file/name"
pattern is replaced
by its contents; a "type:table" lookup table is matched when a name
matches a lookup key (the lookup result is ignored). Continue long
lines by starting the next line with whitespace. Specify "!pattern"
to exclude a name from the list. The form "!/file/name" is supported
only in Postfix version 2.4 and later. </p>

<p>
Examples:
</p>

<pre>
masquerade_exceptions = root, mailer-daemon
masquerade_exceptions = root
</pre>

%PARAM max_idle 100s

<p>
The maximum amount of time that an idle Postfix daemon process waits
for an incoming connection before terminating voluntarily. This
parameter
is ignored by the Postfix queue manager and by other long-lived
Postfix daemon processes.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM max_use 100

<p>
The maximal number of incoming connections that a Postfix daemon
process will service before terminating voluntarily. This parameter
is ignored by the Postfix queue
manager and by other long-lived Postfix daemon processes.
</p>

%PARAM maximal_backoff_time 4000s

<p>
The maximal time between attempts to deliver a deferred message.
</p>

<p> This parameter should be set to a value greater than or equal
to $minimal_backoff_time. See also $queue_run_delay. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
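</p>

<p> The time-value syntax repeated for the ipc_*, lmtp_*_timeout,
max_idle and backoff parameters above (an integer plus an optional
s/m/h/d/w suffix, a per-parameter default unit, and the "non-zero"
versus "non-negative" rule), as an added example that is not part of
the Postfix source. It converts values to seconds and checks the two
ordering constraints stated for minimal_backoff_time and
maximal_backoff_time. Function names are this example's own, and
queue_run_delay is passed in explicitly because its default is not
given on this page. </p>

```python
# Added example; helper names are constructed, not Postfix code.
import re

# Multipliers for the one-letter suffixes documented for these parameters.
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"^(\d+)([smhdw]?)$")


def parse_time_value(text, default_unit="s", allow_zero=False):
    """Convert a Postfix time value such as "30s", "5d" or "4000" to seconds.

    default_unit applies when the suffix is absent (s for most parameters,
    d for maximal_queue_lifetime). allow_zero=False enforces the "non-zero"
    rule; pass allow_zero=True for "non-negative" parameters such as
    lmtp_connect_timeout and maximal_queue_lifetime.
    """
    m = _TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad time value: {text!r}")
    count, unit = int(m.group(1)), (m.group(2) or default_unit)
    seconds = count * TIME_UNITS[unit]
    if seconds == 0 and not allow_zero:
        raise ValueError(f"time value must be non-zero: {text!r}")
    return seconds


def is_valid_time_value(text, default_unit="s", allow_zero=False):
    """True when parse_time_value() accepts text under the given rules."""
    try:
        parse_time_value(text, default_unit, allow_zero)
    except ValueError:
        return False
    return True


def check_backoff_settings(minimal_backoff_time, maximal_backoff_time, queue_run_delay):
    """Return the ordering problems the text warns about; an empty list
    means the three settings are consistent."""
    minimal = parse_time_value(minimal_backoff_time)
    maximal = parse_time_value(maximal_backoff_time)
    run_delay = parse_time_value(queue_run_delay)
    problems = []
    if minimal < run_delay:
        problems.append("minimal_backoff_time is smaller than queue_run_delay")
    if maximal < minimal:
        problems.append("maximal_backoff_time is smaller than minimal_backoff_time")
    return problems


if __name__ == "__main__":
    # Constructed sample: the documented defaults, plus one deliberately bad pair.
    print(parse_time_value("4000s"), parse_time_value("5", default_unit="d", allow_zero=True))
    print(check_backoff_settings("300s", "4000s", "300s"))
    print(check_backoff_settings("5000s", "4000s", "300s"))
```

<p> Running the checker over "postconf minimal_backoff_time
maximal_backoff_time queue_run_delay" output is a cheap way to catch a
backoff setting that silently makes deferred mail retry faster than the
queue manager scans the deferred queue. </p>

<p>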
</p> 2960 2961%PARAM maximal_queue_lifetime 5d 2962 2963<p> 2964Consider a message as undeliverable, when delivery fails with a 2965temporary error, and the time in the queue has reached the 2966maximal_queue_lifetime limit. 2967</p> 2968 2969<p> Specify a non-negative time value (an integral value plus an optional 2970one-letter suffix that specifies the time unit). Time units: s 2971(seconds), m (minutes), h (hours), d (days), w (weeks). 2972The default time unit is d (days). </p> 2973 2974<p> 2975Specify 0 when mail delivery should be tried only once. 2976</p> 2977 2978%PARAM lmdb_map_size 16777216 2979 2980<p> 2981The initial OpenLDAP LMDB database size limit in bytes. Each time 2982a database becomes full, its size limit is doubled. 2983</p> 2984 2985<p> 2986This feature is available in Postfix 2.11 and later. 2987</p> 2988 2989%PARAM message_size_limit 10240000 2990 2991<p> 2992The maximal size in bytes of a message, including envelope information. 2993The value cannot exceed LONG_MAX (typically, a 32-bit or 64-bit 2994signed integer). 2995</p> 2996 2997<p> Note: be careful when making changes. Excessively small values 2998will result in the loss of non-delivery notifications, when a bounce 2999message size exceeds the local or remote MTA's message size limit. 3000</p> 3001 3002%PARAM minimal_backoff_time 300s 3003 3004<p> 3005The minimal time between attempts to deliver a deferred message; 3006prior to Postfix 2.4 the default value was 1000s. 3007</p> 3008 3009<p> 3010This parameter also limits the time an unreachable destination is 3011kept in the short-term, in-memory, destination status cache. 3012</p> 3013 3014<p> This parameter should be set greater than or equal to 3015$queue_run_delay. See also $maximal_backoff_time. </p> 3016 3017<p> Specify a non-zero time value (an integral value plus an optional 3018one-letter suffix that specifies the time unit). Time units: s 3019(seconds), m (minutes), h (hours), d (days), w (weeks). 
3020The default time unit is s (seconds). </p> 3021 3022%PARAM multi_recipient_bounce_reject_code 550 3023 3024<p> 3025The numerical Postfix SMTP server response code when a remote SMTP 3026client request is blocked by the reject_multi_recipient_bounce 3027restriction. 3028</p> 3029 3030<p> 3031Do not change this unless you have a complete understanding of RFC 5321. 3032</p> 3033 3034<p> 3035This feature is available in Postfix 2.1 and later. 3036</p> 3037 3038%PARAM mydestination $myhostname, localhost.$mydomain, localhost 3039 3040<p> The list of domains that are delivered via the $local_transport 3041mail delivery transport. By default this is the Postfix local(8) 3042delivery agent which looks up all recipients in /etc/passwd and 3043/etc/aliases. The SMTP server validates recipient addresses with 3044$local_recipient_maps and rejects non-existent recipients. See also 3045the local domain class in the ADDRESS_CLASS_README file. 3046</p> 3047 3048<p> 3049The default mydestination value specifies names for the local 3050machine only. On a mail domain gateway, you should also include 3051$mydomain. 3052</p> 3053 3054<p> 3055The $local_transport delivery method is also selected for mail 3056addressed to user@[the.net.work.address] of the mail system (the 3057IP addresses specified with the inet_interfaces and proxy_interfaces 3058parameters). 3059</p> 3060 3061<p> 3062Warnings: 3063</p> 3064 3065<ul> 3066 3067<li><p>Do not specify the names of virtual domains - those domains 3068are specified elsewhere. See VIRTUAL_README for more information. </p> 3069 3070<li><p>Do not specify the names of domains that this machine is 3071backup MX host for. See STANDARD_CONFIGURATION_README for how to 3072set up backup MX hosts. </p> 3073 3074<li><p>By default, the Postfix SMTP server rejects mail for recipients 3075not listed with the local_recipient_maps parameter. 
See the 3076postconf(5) manual for a description of the local_recipient_maps 3077and unknown_local_recipient_reject_code parameters. </p> 3078 3079</ul> 3080 3081<p> 3082Specify a list of host or domain names, "/file/name" or "type:table" 3083patterns, separated by commas and/or whitespace. A "/file/name" 3084pattern is replaced by its contents; a "type:table" lookup table 3085is matched when a name matches a lookup key (the lookup result is 3086ignored). Continue long lines by starting the next line with 3087whitespace. </p> 3088 3089<p> 3090Examples: 3091</p> 3092 3093<pre> 3094mydestination = $myhostname, localhost.$mydomain $mydomain 3095mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain 3096</pre> 3097 3098%PARAM mydomain see "postconf -d" output 3099 3100<p> 3101The internet domain name of this mail system. The default is to 3102use $myhostname minus the first component, or "localdomain" (Postfix 31032.3 and later). $mydomain is used as 3104a default value for many other configuration parameters. 3105</p> 3106 3107<p> 3108Example: 3109</p> 3110 3111<pre> 3112mydomain = domain.tld 3113</pre> 3114 3115%PARAM myhostname see "postconf -d" output 3116 3117<p> 3118The internet hostname of this mail system. The default is to use 3119the fully-qualified domain name (FQDN) from gethostname(), or to 3120use the non-FQDN result from gethostname() and append ".$mydomain". 3121$myhostname is used as a default value for many other configuration 3122parameters. </p> 3123 3124<p> 3125Example: 3126</p> 3127 3128<pre> 3129myhostname = host.example.com 3130</pre> 3131 3132%PARAM mynetworks see "postconf -d" output 3133 3134<p> 3135The list of "trusted" remote SMTP clients that have more privileges than 3136"strangers". 3137</p> 3138 3139<p> 3140In particular, "trusted" SMTP clients are allowed to relay mail 3141through Postfix. See the smtpd_relay_restrictions parameter 3142description in the postconf(5) manual. 
3143</p> 3144 3145<p> 3146You can specify the list of "trusted" network addresses by hand 3147or you can let Postfix do it for you (which is the default). 3148See the description of the mynetworks_style parameter for more 3149information. 3150</p> 3151 3152<p> 3153If you specify the mynetworks list by hand, 3154Postfix ignores the mynetworks_style setting. 3155</p> 3156 3157<p> Specify a list of network addresses or network/netmask patterns, 3158separated by commas and/or whitespace. Continue long lines by 3159starting the next line with whitespace. </p> 3160 3161<p> The netmask specifies the number of bits in the network part 3162of a host address. You can also specify "/file/name" or "type:table" 3163patterns. A "/file/name" pattern is replaced by its contents; a 3164"type:table" lookup table is matched when a table entry matches a 3165lookup string (the lookup result is ignored). </p> 3166 3167<p> The list is matched left to right, and the search stops on the 3168first match. Specify "!pattern" to exclude an address or network 3169block from the list. The form "!/file/name" is supported only 3170in Postfix version 2.4 and later. </p> 3171 3172<p> Note 1: Pattern matching of domain names is controlled by the 3173presence or absence of "mynetworks" in the parent_domain_matches_subdomains 3174parameter value. </p> 3175 3176<p> Note 2: IP version 6 address information must be specified inside 3177<tt>[]</tt> in the mynetworks value, and in files specified with 3178"/file/name". IP version 6 addresses contain the ":" character, 3179and would otherwise be confused with a "type:table" pattern. </p> 3180 3181<p> Note 3: CIDR ranges cannot be specified in hash tables. Use cidr 3182tables if CIDR ranges are used. 
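</p>

<p> The following is an added example, not part of postconf(5) or the Postfix source code: a Python matcher that evaluates a mynetworks value the way this description specifies it (tokens separated by commas and/or whitespace, matched left to right with the first match winning, "!" negation, IPv6 inside "[]", "/file/name" replaced by its contents, "type:table" matched as a list). To run offline, file contents and table contents are supplied as dicts (an assumption of this example), $variables such as $config_directory are not expanded, and the sample file and cidr: table at the bottom are constructed for this example. </p>

```python
"""Added example (not Postfix code): evaluate a mynetworks value as
postconf(5) describes it.  Assumptions: "/file/name" contents and
"type:table" contents are supplied as dicts so the example runs offline,
and $variables such as $config_directory are not expanded."""

import ipaddress
import re


def tokenize(value):
    """Split on commas and/or whitespace (continuation lines join the same way)."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def parse_network(token):
    """Accept '168.100.189.0/28', '[2001:240:587::]/64', '[::1]/128' or a bare
    address.  Unbracketed IPv6 is refused: to Postfix it looks like a
    'type:table' pattern (Note 2 above)."""
    m = re.fullmatch(r"\[([0-9A-Fa-f:.]+)\](?:/(\d+))?", token)
    if m:
        addr, bits = m.groups()
        return ipaddress.ip_network(f"{addr}/{bits}" if bits else addr, strict=False)
    if ":" in token:
        raise ValueError(f"{token!r} would be read as type:table; write IPv6 as [addr]/len")
    return ipaddress.ip_network(token, strict=False)


def expand(value, files=None, tables=None):
    """Turn the value into an ordered list of (negated, network) entries."""
    files, tables = files or {}, tables or {}
    entries = []
    for tok in tokenize(value):
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:]
        if tok.startswith("/"):
            # "/file/name" is replaced by its contents; "!/file/name" negates them.
            for sub_neg, net in expand(files[tok], files, tables):
                entries.append((negated ^ sub_neg, net))
        elif not tok.startswith("[") and ":" in tok:
            ttype = tok.split(":", 1)[0]
            for key in tables[tok]:
                if ttype != "cidr" and "/" in key:
                    # Note 3 above: CIDR ranges are only valid in cidr: tables.
                    raise ValueError(f"CIDR key {key!r} not allowed in {ttype}: table")
                entries.append((negated, ipaddress.ip_network(key, strict=False)))
        else:
            entries.append((negated, parse_network(tok)))
    return entries


def is_mynetwork(client, value, files=None, tables=None):
    """Left to right, first match wins; a match on a '!' entry means the
    client is NOT trusted, and no match at all means not trusted."""
    addr = ipaddress.ip_address(client)
    for negated, net in expand(value, files, tables):
        if addr in net:
            return not negated
    return False


# Constructed sample data standing in for /etc/postfix/mynetworks and a cidr: table.
SAMPLE_FILES = {"/etc/postfix/mynetworks": "127.0.0.0/8\n[::1]/128\n"}
SAMPLE_TABLES = {"cidr:/etc/postfix/network_table.cidr": ["10.20.0.0/16"]}
```

<p> The two ValueError paths correspond to the misconfigurations that Notes 2 and 3 warn about: an unbracketed IPv6 prefix that Postfix would read as a "type:table" pattern, and a CIDR range placed in a hash table. Because every client that matches mynetworks is allowed to relay, it is worth feeding the matcher the addresses that are supposed to relay and a few that are not (for example the rest of a provider's address block) before the value goes into main.cf.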
</p> 3183 3184<p> Examples: </p> 3185 3186<pre> 3187mynetworks = 127.0.0.0/8 168.100.189.0/28 3188mynetworks = !192.168.0.1, 192.168.0.0/28 3189mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64 3190mynetworks = $config_directory/mynetworks 3191mynetworks = hash:/etc/postfix/network_table 3192mynetworks = cidr:/etc/postfix/network_table.cidr 3193</pre> 3194 3195%PARAM myorigin $myhostname 3196 3197<p> 3198The domain name that locally-posted mail appears to come 3199from, and that locally posted mail is delivered to. The default, 3200$myhostname, is adequate for small sites. If you run a domain with 3201multiple machines, you should (1) change this to $mydomain and (2) 3202set up a domain-wide alias database that aliases each user to 3203user@that.users.mailhost. 3204</p> 3205 3206<p> 3207Example: 3208</p> 3209 3210<pre> 3211myorigin = $mydomain 3212</pre> 3213 3214%PARAM notify_classes resource, software 3215 3216<p> 3217The list of error classes that are reported to the postmaster. These 3218postmaster notifications do not replace user notifications. The 3219default is to report only the most serious problems. The paranoid 3220may wish to turn on the policy (UCE and mail relaying) and protocol 3221error (broken mail software) reports. 3222</p> 3223 3224<p> NOTE: postmaster notifications may contain confidential information 3225such as SASL passwords or message content. It is the system 3226administrator's responsibility to treat such information with care. 3227</p> 3228 3229<p> 3230The error classes are: 3231</p> 3232 3233<dl> 3234 3235<dt><b>bounce</b> (also implies <b>2bounce</b>)</dt> 3236 3237<dd>Send the postmaster copies of the headers of bounced mail, and 3238send transcripts of SMTP sessions when Postfix rejects mail. The 3239notification is sent to the address specified with the 3240bounce_notice_recipient configuration parameter (default: postmaster). 
3241</dd> 3242 3243<dt><b>2bounce</b></dt> 3244 3245<dd>Send undeliverable bounced mail to the postmaster. The notification 3246is sent to the address specified with the 2bounce_notice_recipient 3247configuration parameter (default: postmaster). </dd> 3248 3249<dt><b>data</b></dt> 3250 3251<dd>Send the postmaster a transcript of the SMTP session with an 3252error because a critical data file was unavailable. The notification 3253is sent to the address specified with the error_notice_recipient 3254configuration parameter (default: postmaster). <br> This feature 3255is available in Postfix 2.9 and later. </dd> 3256 3257<dt><b>delay</b></dt> 3258 3259<dd>Send the postmaster copies of the headers of delayed mail (see 3260delay_warning_time). The 3261notification is sent to the address specified with the 3262delay_notice_recipient configuration parameter (default: postmaster). 3263</dd> 3264 3265<dt><b>policy</b></dt> 3266 3267<dd>Send the postmaster a transcript of the SMTP session when a 3268client request was rejected because of (UCE) policy. The notification 3269is sent to the address specified with the error_notice_recipient 3270configuration parameter (default: postmaster). </dd> 3271 3272<dt><b>protocol</b></dt> 3273 3274<dd>Send the postmaster a transcript of the SMTP session in case 3275of client or server protocol errors. The notification is sent to 3276the address specified with the error_notice_recipient configuration 3277parameter (default: postmaster). </dd> 3278 3279<dt><b>resource</b></dt> 3280 3281<dd>Inform the postmaster of mail not delivered due to resource 3282problems. The notification is sent to the address specified with 3283the error_notice_recipient configuration parameter (default: 3284postmaster). </dd> 3285 3286<dt><b>software</b></dt> 3287 3288<dd>Inform the postmaster of mail not delivered due to software 3289problems. 
The notification is sent to the address specified with 3290the error_notice_recipient configuration parameter (default: 3291postmaster). </dd> 3292 3293</dl> 3294 3295<p> 3296Examples: 3297</p> 3298 3299<pre> 3300notify_classes = bounce, delay, policy, protocol, resource, software 3301notify_classes = 2bounce, resource, software 3302</pre> 3303 3304%PARAM parent_domain_matches_subdomains see "postconf -d" output 3305 3306<p> 3307A list of Postfix features where the pattern "example.com" also 3308matches subdomains of example.com, 3309instead of requiring an explicit ".example.com" pattern. This is 3310planned backwards compatibility: eventually, all Postfix features 3311are expected to require explicit ".example.com" style patterns when 3312you really want to match subdomains. 3313</p> 3314 3315<p> The following Postfix feature names are supported. </p> 3316 3317<dl> 3318 3319<dt> Postfix version 1.0 and later</dt> 3320 3321<dd> 3322debug_peer_list, 3323fast_flush_domains, 3324mynetworks, 3325permit_mx_backup_networks, 3326relay_domains, 3327transport_maps 3328</dd> 3329 3330<dt> Postfix version 1.1 and later</dt> 3331 3332<dd> 3333qmqpd_authorized_clients, 3334<a href="SMTPD_ACCESS_README.html">smtpd_access_maps</a>, 3335</dd> 3336 3337<dt> Postfix version 2.8 and later </dt> 3338 3339<dd> 3340postscreen_access_list 3341</dd> 3342 3343<dt> Postfix version 3.0 and later </dt> 3344 3345<dd> 3346smtpd_client_event_limit_exceptions 3347</dd> 3348 3349</dl> 3350 3351%PARAM propagate_unmatched_extensions canonical, virtual 3352 3353<p> 3354What address lookup tables copy an address extension from the lookup 3355key to the lookup result. 3356</p> 3357 3358<p> 3359For example, with a virtual(5) mapping of "<i>joe@example.com => 3360joe.user@example.net</i>", the address "<i>joe+foo@example.com</i>" 3361would rewrite to "<i>joe.user+foo@example.net</i>". 
3362</p> 3363 3364<p> 3365Specify zero or more of <b>canonical</b>, <b>virtual</b>, <b>alias</b>, 3366<b>forward</b>, <b>include</b> or <b>generic</b>. These cause 3367address extension 3368propagation with canonical(5), virtual(5), and aliases(5) maps, 3369with local(8) .forward and :include: file lookups, and with smtp(8) 3370generic maps, respectively. </p> 3371 3372<p> 3373Note: enabling this feature for types other than <b>canonical</b> 3374and <b>virtual</b> is likely to cause problems when mail is forwarded 3375to other sites, especially with mail that is sent to a mailing list 3376exploder address. 3377</p> 3378 3379<p> 3380Examples: 3381</p> 3382 3383<pre> 3384propagate_unmatched_extensions = canonical, virtual, alias, 3385 forward, include 3386propagate_unmatched_extensions = canonical, virtual 3387</pre> 3388 3389%PARAM proxy_interfaces 3390 3391<p> 3392The remote network interface addresses that this mail system receives mail 3393on by way of a proxy or network address translation unit. 3394</p> 3395 3396<p> 3397This feature is available in Postfix 2.0 and later. 3398</p> 3399 3400<p> You must specify your "outside" proxy/NAT addresses when your 3401system is a backup MX host for other domains, otherwise mail delivery 3402loops will happen when the primary MX host is down. </p> 3403 3404<p> 3405Example: 3406</p> 3407 3408<pre> 3409proxy_interfaces = 1.2.3.4 3410</pre> 3411 3412%PARAM qmgr_message_active_limit 20000 3413 3414<p> 3415The maximal number of messages in the active queue. 3416</p> 3417 3418%PARAM qmgr_message_recipient_limit 20000 3419 3420<p> The maximal number of recipients held in memory by the Postfix 3421queue manager, and the maximal size of the short-term, 3422in-memory "dead" destination status cache. </p> 3423 3424%PARAM qmgr_message_recipient_minimum 10 3425 3426<p> 3427The minimal number of in-memory recipients for any message. 
This 3428takes priority over any other in-memory recipient limits (i.e., 3429the global qmgr_message_recipient_limit and the per transport 3430_recipient_limit) if necessary. The minimum value allowed for this 3431parameter is 1. 3432</p> 3433 3434%PARAM qmqpd_authorized_clients 3435 3436<p> 3437What remote QMQP clients are allowed to connect to the Postfix QMQP 3438server port. 3439</p> 3440 3441<p> 3442By default, no client is allowed to use the service. This is 3443because the QMQP server will relay mail to any destination. 3444</p> 3445 3446<p> 3447Specify a list of client patterns. A list pattern specifies a host 3448name, a domain name, an internet address, or a network/mask pattern, 3449where the mask specifies the number of bits in the network part. 3450When a pattern specifies a file name, its contents are substituted 3451for the file name; when a pattern is a "type:table" table specification, 3452table lookup is used instead. </p> 3453 3454<p> 3455Patterns are separated by whitespace and/or commas. In order to 3456reverse the result, precede a pattern with an 3457exclamation point (!). The form "!/file/name" is supported only 3458in Postfix version 2.4 and later. 3459</p> 3460 3461<p> Pattern matching of domain names is controlled by the presence 3462or absence of "qmqpd_authorized_clients" in the 3463parent_domain_matches_subdomains parameter value. </p> 3464 3465<p> 3466Example: 3467</p> 3468 3469<pre> 3470qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24 3471</pre> 3472 3473%PARAM qmqpd_error_delay 1s 3474 3475<p> 3476How long the Postfix QMQP server will pause before sending a negative 3477reply to the remote QMQP client. The purpose is to slow down confused 3478or malicious clients. 3479</p> 3480 3481<p> Specify a non-negative time value (an integral value plus an optional 3482one-letter suffix that specifies the time unit). Time units: s 3483(seconds), m (minutes), h (hours), d (days), w (weeks). 3484The default time unit is s (seconds). 
</p> 3485 3486%PARAM qmqpd_timeout 300s 3487 3488<p> 3489The time limit for sending or receiving information over the network. 3490If a read or write operation blocks for more than $qmqpd_timeout 3491seconds the Postfix QMQP server gives up and disconnects. 3492</p> 3493 3494<p> Specify a non-zero time value (an integral value plus an optional 3495one-letter suffix that specifies the time unit). Time units: s 3496(seconds), m (minutes), h (hours), d (days), w (weeks). 3497The default time unit is s (seconds). </p> 3498 3499%PARAM queue_minfree 0 3500 3501<p> 3502The minimal amount of free space in bytes in the queue file system 3503that is needed to receive mail. This is currently used by the 3504Postfix SMTP server to decide if it will accept any mail at all. 3505</p> 3506 3507<p> 3508By default, the Postfix SMTP server rejects MAIL FROM commands when 3509the amount of free space is less than 1.5*$message_size_limit 3510(Postfix version 2.1 and later). 3511To specify a higher minimum free space limit, specify a queue_minfree 3512value that is at least 1.5*$message_size_limit. 3513</p> 3514 3515<p> 3516With Postfix versions 2.0 and earlier, a queue_minfree value of 3517zero means there is no minimum required amount of free space. 3518</p> 3519 3520%PARAM queue_run_delay 300s 3521 3522<p> 3523The time between deferred queue scans by the queue manager; 3524prior to Postfix 2.4 the default value was 1000s. 3525</p> 3526 3527<p> This parameter should be set less than or equal to 3528$minimal_backoff_time. See also $maximal_backoff_time. </p> 3529 3530<p> Specify a non-zero time value (an integral value plus an optional 3531one-letter suffix that specifies the time unit). Time units: s 3532(seconds), m (minutes), h (hours), d (days), w (weeks). 3533The default time unit is s (seconds). </p> 3534 3535%PARAM rbl_reply_maps 3536 3537<p> 3538Optional lookup tables with RBL response templates. The tables are 3539indexed by the RBL domain name. 
By default, Postfix uses the default 3540template as specified with the default_rbl_reply configuration 3541parameter. See there for a discussion of the syntax of RBL reply 3542templates. 3543</p> 3544 3545<p> 3546This feature is available in Postfix 2.0 and later. 3547</p> 3548 3549%PARAM receive_override_options 3550 3551<p> Enable or disable recipient validation, built-in content 3552filtering, or address mapping. Typically, these are specified in 3553master.cf as command-line arguments for the smtpd(8), qmqpd(8) or 3554pickup(8) daemons. </p> 3555 3556<p> Specify zero or more of the following options. The options 3557override main.cf settings and are either implemented by smtpd(8), 3558qmqpd(8), or pickup(8) themselves, or they are forwarded to the 3559cleanup server. </p> 3560 3561<dl> 3562 3563<dt><b><a name="no_unknown_recipient_checks">no_unknown_recipient_checks</a></b></dt> 3564 3565<dd>Do not try to reject unknown recipients (SMTP server only). 3566This is typically specified AFTER an external content filter. 3567</dd> 3568 3569<dt><b><a name="no_address_mappings">no_address_mappings</a></b></dt> 3570 3571<dd>Disable canonical address mapping, virtual alias map expansion, 3572address masquerading, and automatic BCC (blind carbon-copy) 3573recipients. This is typically specified BEFORE an external content 3574filter. </dd> 3575 3576<dt><b><a name="no_header_body_checks">no_header_body_checks</a></b></dt> 3577 3578<dd>Disable header/body_checks. This is typically specified AFTER 3579an external content filter. </dd> 3580 3581<dt><b><a name="no_milters">no_milters</a></b></dt> 3582 3583<dd>Disable Milter (mail filter) applications. This is typically 3584specified AFTER an external content filter. </dd> 3585 3586</dl> 3587 3588<p> 3589Note: when the "BEFORE content filter" receive_override_options 3590setting is specified in the main.cf file, specify the "AFTER content 3591filter" receive_override_options setting in master.cf (and vice 3592versa). 
3593</p> 3594 3595<p> 3596Examples: 3597</p> 3598 3599<pre> 3600receive_override_options = 3601 no_unknown_recipient_checks, no_header_body_checks 3602receive_override_options = no_address_mappings 3603</pre> 3604 3605<p> 3606This feature is available in Postfix 2.1 and later. 3607</p> 3608 3609%PARAM recipient_bcc_maps 3610 3611<p> 3612Optional BCC (blind carbon-copy) address lookup tables, indexed by 3613envelope recipient address. The BCC address (multiple results are not 3614supported) is added when mail enters from outside of Postfix. 3615</p> 3616 3617<p> 3618Specify zero or more "type:name" lookup tables, separated by 3619whitespace or comma. Tables will be searched in the specified order 3620until a match is found. 3621</p> 3622 3623<p> 3624The table search order is as follows: 3625</p> 3626 3627<ul> 3628 3629<li> Look up the "user+extension@domain.tld" address including the 3630optional address extension. 3631 3632<li> Look up the "user@domain.tld" address without the optional 3633address extension. 3634 3635<li> Look up the "user+extension" address local part when the 3636recipient domain equals $myorigin, $mydestination, $inet_interfaces 3637or $proxy_interfaces. 3638 3639<li> Look up the "user" address local part when the recipient domain 3640equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. 3641 3642<li> Look up the "@domain.tld" part. 3643 3644</ul> 3645 3646<p> 3647Note: with Postfix 2.3 and later the BCC address is added as if it 3648was specified with NOTIFY=NONE. The sender will not be notified 3649when the BCC address is undeliverable, as long as all down-stream 3650software implements RFC 3461. 3651</p> 3652 3653<p> 3654Note: with Postfix 2.2 and earlier the sender will unconditionally 3655be notified when the BCC address is undeliverable. 3656</p> 3657 3658<p> Note: automatic BCC recipients are produced only for new mail. 
3659To avoid mailer loops, automatic BCC recipients are not generated 3660after Postfix forwards mail internally, or after Postfix generates 3661mail itself. </p> 3662 3663<p> 3664Example: 3665</p> 3666 3667<pre> 3668recipient_bcc_maps = hash:/etc/postfix/recipient_bcc 3669</pre> 3670 3671<p> 3672After a change, run "<b>postmap /etc/postfix/recipient_bcc</b>". 3673</p> 3674 3675<p> 3676This feature is available in Postfix 2.1 and later. 3677</p> 3678 3679%PARAM recipient_canonical_maps 3680 3681<p> 3682Optional address mapping lookup tables for envelope and header 3683recipient addresses. 3684The table format and lookups are documented in canonical(5). 3685</p> 3686 3687<p> 3688Note: $recipient_canonical_maps is processed before $canonical_maps. 3689</p> 3690 3691<p> 3692Example: 3693</p> 3694 3695<pre> 3696recipient_canonical_maps = hash:/etc/postfix/recipient_canonical 3697</pre> 3698 3699%PARAM recipient_delimiter 3700 3701<p> The set of characters that can separate an email address 3702localpart, user name, or a .forward file name from its extension. 3703For example, with "recipient_delimiter = +", the software tries 3704user+foo@example.com before trying user@example.com, user+foo before 3705trying user, and .forward+foo before trying .forward. </p> 3706 3707<p> More formally, an email address localpart or user name is 3708separated from its extension by the first character that matches 3709the recipient_delimiter set. The delimiter character and extension 3710may then be used to generate an extended .forward file name. This 3711implementation recognizes one delimiter character and one extension 3712per email address localpart or email address. With Postfix 2.10 and 3713earlier, the recipient_delimiter specifies a single character. 
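</p>

<p> The following is an added example, not part of postconf(5) or the Postfix source code: the address-extension rules from the recipient_delimiter description above, the lookup order documented for recipient_bcc_maps and sender_bcc_maps earlier on this page, and the extension propagation described under propagate_unmatched_extensions, implemented as plain Python functions so that a table can be checked against real addresses before it is installed. Lookup tables are dicts standing in for hash: tables, the set of local domains ($myorigin, $mydestination, $inet_interfaces, $proxy_interfaces) is passed in as a set, and the virtual(5) lookup is reduced to the two-step case the propagate_unmatched_extensions text illustrates; all of these are assumptions of the example, and the sample addresses are constructed. </p>

```python
"""Added example (not Postfix code): recipient_delimiter splitting, the
*_bcc_maps search order and propagate_unmatched_extensions, as plain
functions.  Assumptions: dicts stand in for hash: tables, the local domain
set is supplied by the caller, and the virtual(5) lookup is simplified to
"full address, then address without extension"."""


def split_extension(localpart, delimiters):
    """Split at the FIRST character that is in the recipient_delimiter set
    (Postfix 2.11 and later accept several characters, e.g. '+-').  Returns
    (user, delimiter, extension); delimiter and extension are '' when absent.
    Only one delimiter and one extension are recognized per localpart."""
    for i, ch in enumerate(localpart):
        if ch in delimiters:
            return localpart[:i], ch, localpart[i + 1:]
    return localpart, "", ""


def delimiter_exempt(localpart, owner_request_special=True):
    """Addresses to which recipient_delimiter is never applied."""
    lp = localpart.lower()
    if lp in ("mailer-daemon", "postmaster", "double-bounce"):
        return True
    if owner_request_special and (lp.startswith("owner-") or lp.endswith("-request")):
        return True
    return False


def bcc_lookup_keys(address, local_domains, delimiters="+"):
    """The search order documented for recipient_bcc_maps and sender_bcc_maps,
    returned as the list of keys in the order they are tried."""
    localpart, _, domain = address.rpartition("@")
    if delimiter_exempt(localpart):
        user, ext = localpart, ""
    else:
        user, _, ext = split_extension(localpart, delimiters)
    keys = []
    if ext:
        keys.append(f"{localpart}@{domain}")   # user+extension@domain.tld
    keys.append(f"{user}@{domain}")            # user@domain.tld
    if domain.lower() in {d.lower() for d in local_domains}:
        if ext:
            keys.append(localpart)             # user+extension (local domain only)
        keys.append(user)                      # user (local domain only)
    keys.append(f"@{domain}")                  # @domain.tld
    return keys


def first_match(keys, table):
    """Tables are searched until a match is found; None means no BCC."""
    for k in keys:
        if k in table:
            return table[k]
    return None


def virtual_rewrite(address, table, delimiters="+", propagate=True):
    """Simplified virtual(5) lookup: try the full address, then the address
    without its extension.  When only the stripped form matches and 'virtual'
    is in propagate_unmatched_extensions, the extension is re-attached to the
    result: joe+foo@example.com -> joe.user+foo@example.net."""
    localpart, _, domain = address.rpartition("@")
    if address in table:
        return table[address]
    user, delim, ext = split_extension(localpart, delimiters)
    stripped = f"{user}@{domain}"
    if ext and stripped in table:
        result = table[stripped]
        if not propagate:
            return result
        r_local, _, r_domain = result.rpartition("@")
        return f"{r_local}{delim}{ext}@{r_domain}"
    return address
```

<p> bcc_lookup_keys() shows which keys a given envelope address produces, so a recipient_bcc_maps or sender_bcc_maps table can be checked for unintended "@domain.tld" catch-all matches before running "postmap" on it; the owner-/-request exemptions are carried through, which is why "owner-list+x@example.com" is never split. virtual_rewrite() makes the propagation rule visible: with propagate=False the extension is silently dropped on rewrite, which is the behaviour for map types not listed in propagate_unmatched_extensions.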
</p> 3714 3715<p> See canonical(5), local(8), relocated(5) and virtual(5) for the 3716effects of recipient_delimiter on lookups in aliases, canonical, 3717virtual, and relocated maps, and see the propagate_unmatched_extensions 3718parameter for propagating an extension from one email address to 3719another. </p> 3720 3721<p> When used in command_execution_directory, forward_path, or 3722luser_relay, ${recipient_delimiter} is replaced with the actual 3723recipient delimiter that was found in the recipient email address 3724(Postfix 2.11 and later), or it is replaced with the main.cf 3725recipient_delimiter parameter value (Postfix 2.10 and earlier). 3726</p> 3727 3728<p> The recipient_delimiter is not applied to the mailer-daemon 3729address, the postmaster address, or the double-bounce address. With 3730the default "owner_request_special = yes" setting, the recipient_delimiter 3731is also not applied to addresses with the special "owner-" prefix 3732or the special "-request" suffix. </p> 3733 3734<p> 3735Examples: 3736</p> 3737 3738<pre> 3739# Handle Postfix-style extensions. 3740recipient_delimiter = + 3741</pre> 3742 3743<pre> 3744# Handle both Postfix and qmail extensions (Postfix 2.11 and later). 3745recipient_delimiter = +- 3746</pre> 3747 3748<pre> 3749# Use .forward for mail without address extension, and for mail with 3750# an unrecognized address extension. 3751forward_path = $home/.forward${recipient_delimiter}${extension}, 3752 $home/.forward 3753</pre> 3754 3755%PARAM reject_code 554 3756 3757<p> 3758The numerical Postfix SMTP server response code when a remote SMTP 3759client request is rejected by the "reject" restriction. 3760</p> 3761 3762<p> 3763Do not change this unless you have a complete understanding of RFC 5321. 3764</p> 3765 3766%PARAM relay_domains Postfix ≥ 3.0: empty, Postfix < 3.0: $mydestination 3767 3768<p> What destination domains (and subdomains thereof) this system 3769will relay mail to. 
For details about how 3770the relay_domains value is used, see the description of the 3771permit_auth_destination and reject_unauth_destination SMTP recipient 3772restrictions. </p> 3773 3774<p> Domains that match $relay_domains are delivered with the 3775$relay_transport mail delivery transport. The SMTP server validates 3776recipient addresses with $relay_recipient_maps and rejects non-existent 3777recipients. See also the relay domains address class in the 3778ADDRESS_CLASS_README file. </p> 3779 3780<p> Note: Postfix will not automatically forward mail for domains 3781that list this system as their primary or backup MX host. See the 3782permit_mx_backup restriction in the postconf(5) manual page. </p> 3783 3784<p> Specify a list of host or domain names, "/file/name" patterns 3785or "type:table" lookup tables, separated by commas and/or whitespace. 3786Continue long lines by starting the next line with whitespace. A 3787"/file/name" pattern is replaced by its contents; a "type:table" 3788lookup table is matched when a (parent) domain appears as lookup 3789key. Specify "!pattern" to exclude a domain from the list. The form 3790"!/file/name" is supported only in Postfix version 2.4 and later. 3791</p> 3792 3793<p> Pattern matching of domain names is controlled by the presence 3794or absence of "relay_domains" in the parent_domain_matches_subdomains 3795parameter value. </p> 3796 3797%PARAM relay_domains_reject_code 554 3798 3799<p> 3800The numerical Postfix SMTP server response code when a client 3801request is rejected by the reject_unauth_destination recipient 3802restriction. 3803</p> 3804 3805<p> 3806Do not change this unless you have a complete understanding of RFC 5321. 3807</p> 3808 3809%PARAM relay_recipient_maps 3810 3811<p> Optional lookup tables with all valid addresses in the domains 3812that match $relay_domains. 
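</p>

<p> The following is an added example, not part of postconf(5) or the Postfix source code: the recipient-side relay decision that this page describes for relay_domains, parent_domain_matches_subdomains, mydestination and relay_recipient_maps, written as a Python function that returns the SMTP reply a practitioner would expect for a given RCPT TO address. It models only reject_unauth_destination and the relay recipient check: virtual alias and mailbox domains, local_recipient_maps, and the client-side permits (mynetworks, SASL) are left out, so a real smtpd(8) can accept more than this function does. The 550 reply for an unknown relay recipient is an assumed value (this page documents only relay_domains_reject_code = 554), tables are dicts standing in for hash: tables with lowercase keys, and all names in the sample configuration are constructed. </p>

```python
"""Added example (not Postfix code): destination check for RCPT TO, following
the relay_domains / parent_domain_matches_subdomains / mydestination /
relay_recipient_maps descriptions in postconf(5).  Assumptions: dicts stand
in for hash: tables, virtual domains and client-side permits are omitted,
and 550 for unknown relay recipients is an assumed reply code."""


def domain_matches(domain, patterns, match_subdomains):
    """Match a recipient domain against a domain list.  A '.example.com'
    pattern matches subdomains only; a bare 'example.com' pattern matches the
    domain itself and, when match_subdomains is set (the feature is listed in
    parent_domain_matches_subdomains), its subdomains too."""
    d = domain.lower().rstrip(".")
    for pat in patterns:
        p = pat.lower()
        if p.startswith("."):
            if d.endswith(p) and d != p[1:]:
                return True
        elif d == p:
            return True
        elif match_subdomains and d.endswith("." + p):
            return True
    return False


def relay_decision(recipient, cfg):
    """Return (code, text) for RCPT TO:<recipient>.  cfg keys used:
    mydestination and relay_domains (lists of patterns),
    parent_domain_matches_subdomains (list of feature names),
    relay_recipient_maps (dict with lowercase keys, or None/empty),
    relay_domains_reject_code (default 554 as in postconf(5))."""
    localpart, _, domain = recipient.rpartition("@")
    if not domain:
        return 554, "Relay access denied"
    # Local domains are delivered via $local_transport; mydestination never
    # does implicit subdomain matching (it is not a parent_domain_matches_subdomains feature).
    if domain_matches(domain, cfg.get("mydestination", []), False):
        return 250, "Ok (local destination)"
    subdomains = "relay_domains" in cfg.get("parent_domain_matches_subdomains", [])
    if not domain_matches(domain, cfg.get("relay_domains", []), subdomains):
        # Being listed as someone's MX does not make a domain a relay destination.
        return cfg.get("relay_domains_reject_code", 554), "Relay access denied"
    maps = cfg.get("relay_recipient_maps")
    if maps:
        # Non-empty relay_recipient_maps: reject unknown relay users.  Only the
        # presence of the key matters; the lookup result is ignored.
        if recipient.lower() in maps or f"@{domain.lower()}" in maps:
            return 250, "Ok (relay destination, recipient listed)"
        return 550, "User unknown in relay recipient table"  # assumed code
    return 250, "Ok (relay destination, no recipient validation)"


# Constructed sample configuration for a gateway that relays for example.com.
SAMPLE_CFG = {
    "mydestination": ["mail.example.com", "localhost"],
    "relay_domains": ["example.com"],
    "parent_domain_matches_subdomains": ["relay_domains"],
    "relay_recipient_maps": {"joe@example.com": "x", "@sub.example.com": "x"},
}
```

<p> Two things are worth checking with this function before a relay configuration goes live. First, removing "relay_domains" from parent_domain_matches_subdomains turns "example.com" into an exact match, so mail for sub.example.com is refused unless the subdomain or a ".example.com" pattern is listed. Second, a "@domain" wildcard in relay_recipient_maps accepts every localpart for that domain, which is exactly the backscatter exposure described in the next paragraph; list real recipients wherever a recipient list can be obtained.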
Specify @domain as a wild-card for 3813domains that have no valid recipient list. Such domains become a source of 3814backscatter mail: Postfix accepts spam for non-existent recipients 3815and then floods innocent people with undeliverable mail. Technically, 3816tables 3817listed with $relay_recipient_maps are used as lists: Postfix needs 3818to know only if a lookup string is found or not, but it does not 3819use the result from the table lookup. </p> 3820 3821<p> 3822Specify zero or more "type:name" lookup tables, separated by 3823whitespace or comma. Tables will be searched in the specified order 3824until a match is found. 3825</p> 3826 3827<p> 3828If this parameter is non-empty, then the Postfix SMTP server will reject 3829mail to unknown relay users. This feature is off by default. 3830</p> 3831 3832<p> 3833See also the relay domains address class in the ADDRESS_CLASS_README 3834file. 3835</p> 3836 3837<p> 3838Example: 3839</p> 3840 3841<pre> 3842relay_recipient_maps = hash:/etc/postfix/relay_recipients 3843</pre> 3844 3845<p> 3846This feature is available in Postfix 2.0 and later. 3847</p> 3848 3849%PARAM relayhost 3850 3851<p> 3852The next-hop destination(s) for non-local mail; overrides non-local 3853domains in recipient addresses. This information is overruled with 3854relay_transport, sender_dependent_default_transport_maps, 3855default_transport, sender_dependent_relayhost_maps 3856and with the transport(5) table. 3857</p> 3858 3859<p> 3860On an intranet, specify the organizational domain name. If your 3861internal DNS uses no MX records, specify the name of the intranet 3862gateway host instead. 3863</p> 3864 3865<p> 3866In the case of SMTP or LMTP delivery, specify one or more destinations 3867in the form of a domain name, hostname, hostname:port, [hostname]:port, 3868[hostaddress] or [hostaddress]:port, separated by comma or whitespace. 3869The form [hostname] turns off MX lookups. Multiple destinations are 3870supported in Postfix 3.5 and later. 
3871</p> 3872 3873<p> 3874If you're connected via UUCP, see the UUCP_README file for useful 3875information. 3876</p> 3877 3878<p> 3879Examples: 3880</p> 3881 3882<pre> 3883relayhost = $mydomain 3884relayhost = [gateway.example.com] 3885relayhost = mail1.example:587, mail2.example:587 3886relayhost = [an.ip.add.ress] 3887</pre> 3888 3889%PARAM relocated_maps 3890 3891<p> 3892Optional lookup tables with new contact information for users or 3893domains that no longer exist. The table format and lookups are 3894documented in relocated(5). 3895</p> 3896 3897<p> 3898Specify zero or more "type:name" lookup tables, separated by 3899whitespace or comma. Tables will be searched in the specified order 3900until a match is found. 3901</p> 3902 3903<p> 3904If you use this feature, run "<b>postmap /etc/postfix/relocated</b>" to 3905build the necessary DBM or DB file after change, then "<b>postfix 3906reload</b>" to make the changes visible. 3907</p> 3908 3909<p> 3910Examples: 3911</p> 3912 3913<pre> 3914relocated_maps = dbm:/etc/postfix/relocated 3915relocated_maps = hash:/etc/postfix/relocated 3916</pre> 3917 3918%PARAM require_home_directory no 3919 3920<p> 3921Require that a local(8) recipient's home directory exists 3922before mail delivery is attempted. By default this test is disabled. 3923It can be useful for environments that import home directories to 3924the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED). 3925</p> 3926 3927%PARAM resolve_dequoted_address yes 3928 3929<p> Resolve a recipient address safely instead of correctly, by 3930looking inside quotes. </p> 3931 3932<p> By default, the Postfix address resolver does not quote the 3933address localpart as per RFC 822, so that additional @ or % or ! 3934operators remain visible. This behavior is safe but it is also 3935technically incorrect. </p> 3936 3937<p> If you specify "resolve_dequoted_address = no", then 3938the Postfix 3939resolver will not know about additional @ etc. 
operators in the
address localpart. This opens opportunities for obscure mail relay
attacks with user@domain@domain addresses when Postfix provides
backup MX service for Sendmail systems. </p>

%PARAM resolve_null_domain no

<p> Resolve an address that ends in the "@" null domain as if the
local hostname were specified, instead of rejecting the address as
invalid. </p>

<p> This feature is available in Postfix 2.1 and later.
Earlier versions always resolve the null domain as the local
hostname. </p>

<p> The Postfix SMTP server uses this feature to reject mail from
or to addresses that end in the "@" null domain, and from addresses
that rewrite into a form that ends in the "@" null domain. </p>

%PARAM sender_bcc_maps

<p> Optional BCC (blind carbon-copy) address lookup tables, indexed
by envelope sender address. The BCC address (multiple results are not
supported) is added when mail enters from outside of Postfix. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p>
The table search order is as follows:
</p>

<ul>

<li> Look up the "user+extension@domain.tld" address including the
optional address extension.

<li> Look up the "user@domain.tld" address without the optional
address extension.

<li> Look up the "user+extension" address local part when the
sender domain equals $myorigin, $mydestination, $inet_interfaces
or $proxy_interfaces.

<li> Look up the "user" address local part when the sender domain
equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.

<li> Look up the "@domain.tld" part.

</ul>

<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
were specified with NOTIFY=NONE.
The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
software implements RFC 3461.
</p>

<p>
Note: with Postfix 2.2 and earlier the sender will be notified
when the BCC address is undeliverable.
</p>

<p> Note: automatic BCC recipients are produced only for new mail.
To avoid mailer loops, automatic BCC recipients are not generated
after Postfix forwards mail internally, or after Postfix generates
mail itself. </p>

<p>
Example:
</p>

<pre>
sender_bcc_maps = hash:/etc/postfix/sender_bcc
</pre>

<p>
After a change, run "<b>postmap /etc/postfix/sender_bcc</b>".
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM sender_canonical_maps

<p>
Optional address mapping lookup tables for envelope and header
sender addresses.
The table format and lookups are documented in canonical(5).
</p>

<p>
Example: you want to rewrite the SENDER address "user@ugly.example"
to "user@pretty.example", while still being able to send mail to
the RECIPIENT address "user@ugly.example".
</p>

<p>
Note: $sender_canonical_maps is processed before $canonical_maps.
</p>

<p>
Example:
</p>

<pre>
sender_canonical_maps = hash:/etc/postfix/sender_canonical
</pre>

%PARAM smtp_always_send_ehlo yes

<p>
Always send EHLO at the start of an SMTP session.
</p>

<p>
With "smtp_always_send_ehlo = no", the Postfix SMTP client sends
EHLO only when
the word "ESMTP" appears in the server greeting banner (example:
220 spike.porcupine.org ESMTP Postfix).
</p>

%PARAM smtp_bind_address

<p>
An optional numerical network address that the Postfix SMTP client
should bind to when making an IPv4 connection.
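</p>

<p> Added example, not part of the Postfix documentation or source:
the five-step sender_bcc_maps search order described earlier, modelled
against one table. A dict with lower-cased keys stands in for a
"type:name" table (postmap lower-cases keys by default), the "local"
domains ($myorigin, $mydestination, $inet_interfaces, $proxy_interfaces)
are passed in as one set, and the address extension is split at "+",
the usual recipient_delimiter. The table and the sample senders are
assumptions made for the example. </p>

```python
"""sender_bcc_maps search order: added example, not Postfix code.

Models the five lookups listed above against one table (a dict standing
in for a "type:name" table with lower-cased keys, as postmap stores
them). The local-part-only lookups are tried only when the sender domain
is one of the "local" domains ($myorigin, $mydestination,
$inet_interfaces or $proxy_interfaces), passed in as a single set. The
address extension is split at "+", the usual recipient_delimiter. Table,
local domains and sample senders are assumptions for this example.
"""

# Constructed sample table: /etc/postfix/sender_bcc after postmap has
# lower-cased the keys. Only one result per lookup is supported.
SAMPLE_TABLE = {
    "ceo@example.com": "archive-exec@example.com",
    "helpdesk": "archive-helpdesk@example.com",
    "@example.com": "archive-all@example.com",
}
LOCAL_DOMAINS = {"example.com", "localhost"}


def split_address(address, delimiter="+"):
    """Return (user, extension, domain), lower-cased; extension may be ''."""
    address = address.lower()
    if "@" in address:
        localpart, _, domain = address.rpartition("@")
    else:
        localpart, domain = address, ""      # e.g. the null sender
    user, _, extension = localpart.partition(delimiter)
    return user, extension, domain


def lookup_keys(sender, local_domains):
    """The keys tried, in order, for one envelope sender."""
    user, ext, domain = split_address(sender)
    keys = []
    if ext:
        keys.append(f"{user}+{ext}@{domain}")   # 1. user+extension@domain
    keys.append(f"{user}@{domain}")              # 2. user@domain
    if domain in local_domains:
        if ext:
            keys.append(f"{user}+{ext}")         # 3. user+extension
        keys.append(user)                        # 4. user
    keys.append(f"@{domain}")                    # 5. @domain
    return keys


def find_bcc(sender, table=SAMPLE_TABLE, local_domains=LOCAL_DOMAINS):
    """Return (matched_key, bcc_address) or (None, None); first hit wins."""
    for key in lookup_keys(sender, local_domains):
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    for sender in ("ceo+travel@example.com", "HelpDesk+ticket42@Example.COM",
                   "helpdesk@other.example", "anyone@example.com"):
        print(f"{sender:32s} -> {find_bcc(sender)}")
```

<p> The order matters for access decisions: a bare "helpdesk" key
only fires for senders in a local domain, while "@example.com"
catches every sender in that domain that no more specific key claimed,
so a catch-all archive entry silently covers addresses you may not
have intended to copy.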
</p>

<p>
This can be specified in the main.cf file for all SMTP clients, or
it can be specified in the master.cf file for a specific client,
for example:
</p>

<blockquote>
<pre>
/etc/postfix/master.cf:
    smtp ... smtp -o smtp_bind_address=11.22.33.44
</pre>
</blockquote>

<p> See smtp_bind_address_enforce for how Postfix should handle
errors (Postfix 3.7 and later). </p>

<p> Note 1: when inet_interfaces specifies no more than one IPv4
address, and that address is a non-loopback address, it is
automatically used as the smtp_bind_address. This supports virtual
IP hosting, but can be a problem on multi-homed firewalls. See the
inet_interfaces documentation for more detail. </p>

<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
but this form is not required here. </p>

%PARAM smtp_bind_address6

<p>
An optional numerical network address that the Postfix SMTP client
should bind to when making an IPv6 connection.
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

<p>
This can be specified in the main.cf file for all SMTP clients, or
it can be specified in the master.cf file for a specific client,
for example:
</p>

<blockquote>
<pre>
/etc/postfix/master.cf:
    smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
</pre>
</blockquote>

<p> See smtp_bind_address_enforce for how Postfix should handle
errors (Postfix 3.7 and later). </p>

<p> Note 1: when inet_interfaces specifies no more than one IPv6
address, and that address is a non-loopback address, it is
automatically used as the smtp_bind_address6. This supports virtual
IP hosting, but can be a problem on multi-homed firewalls. See the
inet_interfaces documentation for more detail.
</p>

<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
but this form is not recommended here. </p>

%PARAM smtp_connection_cache_time_limit 2s

<p> When SMTP connection caching is enabled, the amount of time that
an unused SMTP client socket is kept open before it is closed. Do
not specify larger values without permission from the remote sites.
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_connection_reuse_time_limit 300s

<p> The amount of time during which Postfix will use an SMTP
connection repeatedly. The timer starts when the connection is
initiated (i.e. it includes the connect, greeting and helo latency,
in addition to the latencies of subsequent mail delivery transactions).
</p>

<p> This feature addresses a performance stability problem with
remote SMTP servers. This problem is not specific to Postfix: it
can happen when any MTA sends large amounts of SMTP email to a site
that has multiple MX hosts. </p>

<p> The problem starts when one of a set of MX hosts becomes slower
than the rest. Even though SMTP clients connect to fast and slow
MX hosts with equal probability, the slow MX host ends up with more
simultaneous inbound connections than the faster MX hosts, because
the slow MX host needs more time to serve each client request. </p>

<p> The slow MX host becomes a connection attractor. If one MX
host becomes N times slower than the rest, it dominates mail delivery
latency unless there are more than N fast MX hosts to counter the
effect. And if the number of MX hosts is smaller than N, the mail
delivery latency becomes effectively that of the slowest MX host
divided by the total number of MX hosts. </p>

<p> The solution uses connection caching in a way that differs from
Postfix version 2.2.
By limiting the amount of time during which a connection
can be used repeatedly (instead of limiting the number of deliveries
over that connection), Postfix not only restores fairness in the
distribution of simultaneous connections across a set of MX hosts,
it also favors deliveries over connections that perform well, which
is exactly what we want. </p>

<p> The default reuse time limit, 300s, is comparable to the various
smtp transaction timeouts which are fair estimates of maximum excess
latency for a slow delivery. Note that hosts may accept thousands
of messages over a single connection within the default connection
reuse time limit. This number is much larger than the default Postfix
version 2.2 limit of 10 messages per cached connection. It may prove necessary
to lower the limit to avoid interoperability issues with MTAs that
exhibit bugs when many messages are delivered via a single connection.
A lower reuse time limit risks losing the benefit of connection
reuse when the average connection and mail delivery latency exceeds
the reuse time limit. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_connection_cache_destinations

<p> Permanently enable SMTP connection caching for the specified
destinations. With SMTP connection caching, a connection is not
closed immediately after completion of a mail transaction. Instead,
the connection is kept open for up to $smtp_connection_cache_time_limit
seconds. This allows connections to be reused for other deliveries,
and can improve mail delivery performance.
</p>

<p> Specify a comma or white space separated list of destinations
or pseudo-destinations: </p>

<ul>

<li> if mail is sent without a relay host: a domain name (the
right-hand side of an email address, without the [] around a numeric
IP address),

<li> if mail is sent via a relay host: a relay host name (without
[] or non-default TCP port), as specified in main.cf or in the
transport map,

<li> if mail is sent via a UNIX-domain socket: a pathname (without
the unix: prefix),

<li> a /file/name with domain names and/or relay host names as
defined above,

<li> a "type:table" with domain names and/or relay host names on
the left-hand side. The right-hand side result from "type:table"
lookups is ignored.

</ul>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_connection_cache_on_demand yes

<p> Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the active queue. With SMTP connection
caching, a connection is not closed immediately after completion
of a mail transaction. Instead, the connection is kept open for
up to $smtp_connection_cache_time_limit seconds. This allows
connections to be reused for other deliveries, and can improve mail
delivery performance. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_connect_timeout 30s

<p>
The Postfix SMTP client time limit for completing a TCP connection, or
zero (use the operating system built-in time limit).
</p>

<p>
When no connection can be made within the deadline, the Postfix
SMTP client
tries the next address on the mail exchanger list. Specify 0 to
disable the time limit (i.e. use whatever timeout is implemented by
the operating system).
</p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM smtp_data_done_timeout 600s

<p>
The Postfix SMTP client time limit for sending the SMTP ".", and
for receiving the remote SMTP server response.
</p>

<p>
When no response is received within the deadline, a warning is
logged that the mail may be delivered multiple times.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM smtp_data_init_timeout 120s

<p>
The Postfix SMTP client time limit for sending the SMTP DATA command,
and for receiving the remote SMTP server response.
</p>

<p>
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
</p>

%PARAM smtp_data_xfer_timeout 180s

<p>
The Postfix SMTP client time limit for sending the SMTP message content.
When the connection makes no progress for more than $smtp_data_xfer_timeout
seconds the Postfix SMTP client terminates the transfer.
</p>

<p>
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
</p>

%PARAM smtp_defer_if_no_mx_address_found no

<p>
Defer mail delivery when no MX record resolves to an IP address.
</p>

<p>
The default (no) is to return the mail as undeliverable. With older
Postfix versions the default was to keep trying to deliver the mail
until someone fixed the MX record or until the mail was too old.
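</p>

<p> Added example, not part of the Postfix documentation or source: a
parser for the time-value syntax the smtp_*_timeout parameters above
share (an integer with an optional one-letter unit s, m, h, d or w,
default seconds), together with the "non-zero" versus "non-negative"
rule each description states. The ZERO_ALLOWED table is transcribed
from the descriptions on this page, the main.cf fragment is
constructed, and only single-line "name = value" entries are handled
(continuation lines are not). </p>

```python
"""Postfix time-value parser: added example, not Postfix code.

Implements the syntax the timeout parameters above share: an integer with
an optional one-letter unit (s, m, h, d, w; default seconds), plus the
"non-zero" versus "non-negative" rule each description states. The
ZERO_ALLOWED table is transcribed from the descriptions on this page;
the main.cf fragment is constructed, and only single-line "name = value"
entries are handled (continuation lines are not).
"""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"^(\d+)([smhdw])?$")

# True where the description says "non-negative" (zero allowed),
# False where it says "non-zero".
ZERO_ALLOWED = {
    "smtp_connect_timeout": True,            # 0 = operating system limit
    "smtp_pix_workaround_threshold_time": True,
    "smtp_data_done_timeout": False,
    "smtp_helo_timeout": False,
    "smtp_mail_timeout": False,
    "smtp_quit_timeout": False,
    "smtp_rcpt_timeout": False,
    "smtp_xforward_timeout": False,
}

SAMPLE_MAIN_CF = """\
# constructed main.cf fragment
smtp_connect_timeout = 0
smtp_helo_timeout = 0
smtp_data_done_timeout = 10m
smtp_quit_timeout = 3x
"""


def parse_time(value, default_unit="s"):
    """Seconds for a value such as '30s', '5m' or '45'; ValueError on junk."""
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad time value {value!r}")
    number, unit = m.groups()
    return int(number) * UNIT_SECONDS[unit or default_unit]


def validate_timeout(name, value, allow_zero):
    """Parse and enforce the zero rule; returns seconds or raises ValueError."""
    seconds = parse_time(value)
    if seconds == 0 and not allow_zero:
        raise ValueError(f"{name}: a non-zero time value is required")
    return seconds


def is_valid_timeout(name, value, allow_zero):
    """Boolean form of validate_timeout for callers that only want a verdict."""
    try:
        validate_timeout(name, value, allow_zero)
        return True
    except ValueError:
        return False


def check_timeouts(main_cf_text):
    """Return {parameter: problem} for every known timeout set in the fragment."""
    problems = {}
    for line in main_cf_text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        if name in ZERO_ALLOWED:
            try:
                validate_timeout(name, value.strip(), ZERO_ALLOWED[name])
            except ValueError as err:
                problems[name] = str(err)
    return problems


if __name__ == "__main__":
    for name, problem in check_timeouts(SAMPLE_MAIN_CF).items():
        print(problem)
```

<p> The same check can be pointed at a live configuration by feeding
it the output of "postconf" instead of the constructed fragment.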
</p>

<p>
Note: the Postfix SMTP client always ignores MX records with equal
or worse preference
than the local MTA itself.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM lmtp_destination_concurrency_limit $default_destination_concurrency_limit

<p> The maximal number of parallel deliveries to the same destination
via the lmtp message delivery transport. This limit is enforced by
the queue manager. The message delivery transport name is the first
field in the entry in the master.cf file. </p>

%PARAM lmtp_destination_recipient_limit $default_destination_recipient_limit

<p> The maximal number of recipients per message for the lmtp
message delivery transport. This limit is enforced by the queue
manager. The message delivery transport name is the first field in
the entry in the master.cf file. </p>

<p> Setting this parameter to a value of 1 changes the meaning of
lmtp_destination_concurrency_limit from concurrency per domain into
concurrency per recipient. </p>

%PARAM relay_destination_concurrency_limit $default_destination_concurrency_limit

<p> The maximal number of parallel deliveries to the same destination
via the relay message delivery transport. This limit is enforced
by the queue manager. The message delivery transport name is the
first field in the entry in the master.cf file. </p>

<p> This feature is available in Postfix 2.0 and later. </p>

%PARAM relay_destination_recipient_limit $default_destination_recipient_limit

<p> The maximal number of recipients per message for the relay
message delivery transport. This limit is enforced by the queue
manager. The message delivery transport name is the first field in
the entry in the master.cf file.
</p>

<p> Setting this parameter to a value of 1 changes the meaning of
relay_destination_concurrency_limit from concurrency per domain
into concurrency per recipient. </p>

<p> This feature is available in Postfix 2.0 and later. </p>

%PARAM smtp_destination_concurrency_limit $default_destination_concurrency_limit

<p> The maximal number of parallel deliveries to the same destination
via the smtp message delivery transport. This limit is enforced by
the queue manager. The message delivery transport name is the first
field in the entry in the master.cf file. </p>

%PARAM smtp_destination_recipient_limit $default_destination_recipient_limit

<p> The maximal number of recipients per message for the smtp
message delivery transport. This limit is enforced by the queue
manager. The message delivery transport name is the first field in
the entry in the master.cf file. </p>

<p> Setting this parameter to a value of 1 changes the meaning of
smtp_destination_concurrency_limit from concurrency per domain
into concurrency per recipient. </p>

%PARAM virtual_destination_concurrency_limit $default_destination_concurrency_limit

<p> The maximal number of parallel deliveries to the same destination
via the virtual message delivery transport. This limit is enforced
by the queue manager. The message delivery transport name is the
first field in the entry in the master.cf file. </p>

%PARAM virtual_destination_recipient_limit $default_destination_recipient_limit

<p> The maximal number of recipients per message for the virtual
message delivery transport. This limit is enforced by the queue
manager. The message delivery transport name is the first field in
the entry in the master.cf file.
</p>

<p> Setting this parameter to a value of 1 changes the meaning of
virtual_destination_concurrency_limit from concurrency per domain
into concurrency per recipient. </p>

%PARAM smtp_helo_name $myhostname

<p>
The hostname to send in the SMTP HELO or EHLO command.
</p>

<p>
The default value is the machine hostname. Specify a hostname or
[ip.add.re.ss].
</p>

<p>
This information can be specified in the main.cf file for all SMTP
clients, or it can be specified in the master.cf file for a specific
client, for example:
</p>

<blockquote>
<pre>
/etc/postfix/master.cf:
    mysmtp ... smtp -o smtp_helo_name=foo.bar.com
</pre>
</blockquote>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM smtp_helo_timeout 300s

<p>
The Postfix SMTP client time limit for sending the HELO or EHLO command,
and for receiving the initial remote SMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM smtp_host_lookup dns

<p>
What mechanisms the Postfix SMTP client uses to look up a host's
IP address. This parameter is ignored when DNS lookups are disabled
(see: disable_dns_lookups and smtp_dns_support_level). The "dns"
mechanism is always tried before "native" if both are listed.
</p>

<p>
Specify one of the following:
</p>

<dl>

<dt><b>dns</b></dt>

<dd>Hosts can be found in the DNS (preferred). </dd>

<dt><b>native</b></dt>

<dd>Use the native naming service only (nsswitch.conf, or equivalent
mechanism).
</dd>

<dt><b>dns, native</b></dt>

<dd>Use the native service for hosts not found in the DNS. </dd>

</dl>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtp_line_length_limit 998

<p>
The maximal length of message header and body lines that Postfix
will send via SMTP. This limit does not include the &lt;CR&gt;&lt;LF&gt;
at the end of each line. Longer lines are broken by inserting
"&lt;CR&gt;&lt;LF&gt;&lt;SPACE&gt;", to minimize the damage to MIME
formatted mail. Specify zero to disable this limit.
</p>

<p>
The Postfix limit of 998 characters not including &lt;CR&gt;&lt;LF&gt;
is consistent with the SMTP limit of 1000 characters including
&lt;CR&gt;&lt;LF&gt;. The Postfix limit was 990 with Postfix 2.8
and earlier.
</p>

%PARAM smtp_mail_timeout 300s

<p>
The Postfix SMTP client time limit for sending the MAIL FROM command,
and for receiving the remote SMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM smtp_mx_address_limit 5

<p>
The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero (no
limit). Prior to
Postfix version 2.3, this limit was disabled by default.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtp_mx_session_limit 2

<p> The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client
gives up or delivers to a fall-back relay host, or zero (no
limit).
This restriction ignores sessions that fail to complete the
SMTP initial handshake (Postfix version 2.2 and earlier) or that fail to
complete the EHLO and TLS handshake (Postfix version 2.3 and later). </p>

<p> This feature is available in Postfix 2.1 and later. </p>

%PARAM smtp_never_send_ehlo no

<p> Never send EHLO at the start of an SMTP session. See also the
smtp_always_send_ehlo parameter. </p>

%PARAM smtp_pix_workaround_threshold_time 500s

<p> How long a message must be queued before the Postfix SMTP client
turns on the PIX firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;"
bug workaround for delivery through firewalls with "smtp fixup"
mode turned on. </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
By default, the workaround is turned off for mail that is queued
for less than 500 seconds. In other words, the workaround is normally
turned off for the first delivery attempt.
</p>

<p>
Specify 0 to enable the PIX firewall
"&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround upon the
first delivery attempt.
</p>

%PARAM smtp_quit_timeout 300s

<p>
The Postfix SMTP client time limit for sending the QUIT command,
and for receiving the remote SMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM smtp_quote_rfc821_envelope yes

<p>
Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
as required
by RFC 5321.
This includes putting quotes around an address localpart
that ends in ".".
</p>

<p>
The default is to comply with RFC 5321. If you have to send mail to
a broken SMTP server, configure a special SMTP client in master.cf:
</p>

<blockquote>
<pre>
/etc/postfix/master.cf:
    broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
</pre>
</blockquote>

<p>
and route mail for the destination in question to the "broken-smtp"
message delivery with a transport(5) table.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtp_rcpt_timeout 300s

<p>
The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM smtp_sasl_auth_enable no

<p>
Enable SASL authentication in the Postfix SMTP client. By default,
the Postfix SMTP client uses no authentication.
</p>

<p>
Example:
</p>

<pre>
smtp_sasl_auth_enable = yes
</pre>

%PARAM smtp_sasl_password_maps

<p>
Optional Postfix SMTP client lookup tables with one username:password
entry per sender, remote hostname or next-hop domain. Per-sender
lookup is done only when sender-dependent authentication is enabled.
If no username:password entry is found, then the Postfix SMTP client
will not attempt to authenticate to the remote host.
</p>

<p>
The Postfix SMTP client opens the lookup table before going to
chroot jail, so you can leave the password file in /etc/postfix.
Keep both the source file and the postmap output readable by root
only (mode 0600), as SASL_README advises: they hold cleartext
credentials for every relay you authenticate to.
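</p>

<p> Added example, not part of the Postfix documentation or source: an
audit of the smtp_sasl_password_maps source file before it is fed to
postmap. It checks that the file is owned by root and not readable by
group or other (the chmod 600 advice from SASL_README) and that each
entry is "key username:password" with a key in one of the forms the
description names: a sender address, a remote hostname (optionally
inside [] and with :port), or a next-hop domain. The sample file
content is constructed. </p>

```python
"""Audit of the smtp_sasl_password_maps source file: added example, not
Postfix code.

Before running postmap on the file, this checks the two things that
matter: the file is owned by root and readable by root only (SASL_README's
chmod 600 advice: it holds cleartext relay credentials), and each entry
is "key username:password" where the key is one of the forms the
parameter description names (sender address, remote hostname with an
optional [..] and :port, or a next-hop domain). The sample file content
is constructed.
"""
import os
import re
import stat
import tempfile

SAMPLE = """\
# constructed /etc/postfix/sasl_passwd
[smtp.isp.example]:587        relayuser:s3cret
isp.example                   relayuser:s3cret
alice@example.com             alice:letmein
broken.example                nopassword
"""

# Accepted key forms: [host] or [host]:port, host or host:port, user@domain.
KEY_RE = re.compile(r"""^(?:
      \[[^\]\s]+\](?::\w+)?        # [hostname] / [hostname]:port
    | [^\s\[\]:@]+(?::\w+)?        # hostname, domain / hostname:port
    | [^\s@]+@[^\s@]+              # envelope sender address
    )$""", re.VERBOSE)


def check_permissions(path):
    """Findings about ownership and mode; an empty list means OK."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, should be root")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.filemode(st.st_mode)} exposes "
                        "credentials to group/other; use chmod 600")
    return findings


def parse_entries(text):
    """Return (entries, findings); entries are (lineno, key, user, password).

    The password is everything after the first ':' so it may itself
    contain colons; the username may not.
    """
    entries, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            findings.append(f"line {n}: no credentials after the key")
            continue
        key, cred = parts[0], parts[1].strip()
        if not KEY_RE.match(key):
            findings.append(f"line {n}: key {key!r} is not a sender, host or domain")
        user, sep, password = cred.partition(":")
        if not sep or not user or not password:
            findings.append(f"line {n}: credentials must be username:password")
            continue
        entries.append((n, key, user, password))
    return entries, findings


def audit(path):
    """Permission findings plus format findings for one file."""
    with open(path) as fh:
        entries, findings = parse_entries(fh.read())
    return entries, check_permissions(path) + findings


def demo_permissions(mode):
    """Permission findings for a throwaway file created with the given mode."""
    fd, path = tempfile.mkstemp(prefix="sasl_passwd.")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_permissions(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in parse_entries(SAMPLE)[1] + demo_permissions(0o644):
        print(finding)
```

<p> Run audit("/etc/postfix/sasl_passwd") as root; remember that
postmap writes a second file (for example sasl_passwd.db) that needs
the same ownership and mode.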
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

%PARAM smtp_sasl_security_options noplaintext, noanonymous

<p> Postfix SMTP client SASL security options; as of Postfix 2.3
the list of available
features depends on the SASL client implementation that is selected
with <b>smtp_sasl_type</b>. </p>

<p> The following security features are defined for the <b>cyrus</b>
client SASL implementation: </p>

<p>
Specify zero or more of the following:
</p>

<dl>

<dt><b>noplaintext</b></dt>

<dd>Disallow methods that use plaintext passwords. </dd>

<dt><b>noactive</b></dt>

<dd>Disallow methods subject to active (non-dictionary) attack.
</dd>

<dt><b>nodictionary</b></dt>

<dd>Disallow methods subject to passive (dictionary) attack. </dd>

<dt><b>noanonymous</b></dt>

<dd>Disallow methods that allow anonymous authentication. </dd>

<dt><b>mutual_auth</b></dt>

<dd>Only allow methods that provide mutual authentication (not
available with SASL version 1). </dd>

</dl>

<p>
Example:
</p>

<pre>
smtp_sasl_security_options = noplaintext
</pre>

%PARAM smtp_sasl_mechanism_filter

<p>
If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms. Different client and
server implementations may support different mechanism lists; by
default, the Postfix SMTP client will use the intersection of the
two. smtp_sasl_mechanism_filter specifies an optional third mechanism
list to intersect with. </p>

<p> Specify mechanism names, "/file/name" patterns or "type:table"
lookup tables. The right-hand side result from "type:table" lookups
is ignored.
Specify "!pattern" to exclude a mechanism name from the
list. The form "!/file/name" is supported only in Postfix version
2.4 and later. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

<p>
Examples:
</p>

<pre>
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
</pre>

%PARAM smtp_send_xforward_command no

<p>
Send the non-standard XFORWARD command when the Postfix SMTP server
EHLO response announces XFORWARD support.
</p>

<p>
This allows a Postfix SMTP delivery agent, used for injecting mail
into
a content filter, to forward the name, address, protocol and HELO
name of the original client to the content filter and downstream
queuing SMTP server. This can produce more useful logging than
localhost[127.0.0.1] etc.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtp_skip_4xx_greeting yes

<p>
Skip SMTP servers that greet with a 4XX status code (go away, try
again later).
</p>

<p>
By default, the Postfix SMTP client moves on to the next mail exchanger.
Specify
"smtp_skip_4xx_greeting = no" if Postfix should defer delivery
immediately.
</p>

<p> This feature is available in Postfix 2.0 and earlier.
Later Postfix versions always skip remote SMTP servers that greet
with a
4XX status code. </p>

%PARAM smtp_skip_5xx_greeting yes

<p>
Skip remote SMTP servers that greet with a 5XX status code.
</p>

<p> By default, the Postfix SMTP client moves on to the next mail
exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should
bounce the mail immediately. Caution: the latter behavior appears
to contradict RFC 2821.
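</p>

<p> Added example, not part of the Postfix documentation or source:
how the smtp_sasl_security_options and smtp_sasl_mechanism_filter
descriptions above combine to narrow the mechanism list. The server's
EHLO AUTH line is intersected with what the client library supports,
then the filter is applied (patterns tried in order, first match
wins, "!name" excludes, a "static:" pattern matches anything;
"/file/name" and "type:table" patterns are not modelled), and
finally the security options remove mechanisms with forbidden
properties. MECH_PROPS, the mapping from mechanism to properties, is
an assumption for the example (the real properties come from the SASL
library, and "noactive" is not modelled); all inputs are
constructed. </p>

```python
"""SASL mechanism selection in the Postfix SMTP client: added example, not
Postfix code.

Follows the description above: the mechanisms in the server's EHLO AUTH
line are intersected with those the client library supports, then with
smtp_sasl_mechanism_filter (patterns tried in order, first match wins,
"!name" excludes, a "static:" pattern matches anything; /file/name and
type:table patterns are not modelled), and finally the
smtp_sasl_security_options are applied. MECH_PROPS is an assumption for
the example: real properties are reported by the SASL library, and the
"noactive" option is not modelled. All inputs are constructed.
"""
import re

# Assumed mechanism properties (illustrative, not from Postfix or Cyrus SASL).
MECH_PROPS = {
    "PLAIN": {"plaintext"},
    "LOGIN": {"plaintext"},
    "ANONYMOUS": {"anonymous"},
    "CRAM-MD5": {"dictionary"},        # shared secret, offline-guessable
    "DIGEST-MD5": {"dictionary"},
    "SCRAM-SHA-256": set(),
    "GSSAPI": {"mutual"},
}

# Constructed sample: what a submission server's EHLO AUTH line offered,
# and what the local SASL client library supports.
SAMPLE_SERVER_AUTH = "PLAIN LOGIN CRAM-MD5 GSSAPI ANONYMOUS"
SAMPLE_CLIENT = ["PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "GSSAPI", "ANONYMOUS"]


def split_list(value):
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def apply_filter(mechanisms, filter_value):
    """smtp_sasl_mechanism_filter semantics; an empty filter keeps everything."""
    patterns = split_list(filter_value)
    if not patterns:
        return list(mechanisms)
    kept = []
    for mech in mechanisms:
        for pattern in patterns:
            exclude = pattern.startswith("!")
            name = pattern[1:] if exclude else pattern
            if name.lower().startswith("static:") or name.upper() == mech.upper():
                if not exclude:
                    kept.append(mech)
                break                    # first matching pattern decides
    return kept


def apply_security_options(mechanisms, options):
    """Drop mechanisms that violate noplaintext/noanonymous/nodictionary/mutual_auth."""
    opts = set(split_list(options))
    kept = []
    for mech in mechanisms:
        props = MECH_PROPS.get(mech.upper(), set())
        if "noplaintext" in opts and "plaintext" in props:
            continue
        if "noanonymous" in opts and "anonymous" in props:
            continue
        if "nodictionary" in opts and "dictionary" in props:
            continue
        if "mutual_auth" in opts and "mutual" not in props:
            continue
        kept.append(mech)
    return kept


def select_mechanisms(server_auth_line, client_supported, mech_filter="",
                      security_options="noplaintext, noanonymous"):
    """Mechanisms the client may pick from; [] means it cannot authenticate."""
    supported = {m.upper() for m in client_supported}
    offered = [m for m in server_auth_line.split() if m.upper() in supported]
    return apply_security_options(apply_filter(offered, mech_filter), security_options)


if __name__ == "__main__":
    print(select_mechanisms(SAMPLE_SERVER_AUTH, SAMPLE_CLIENT))
    print(select_mechanisms(SAMPLE_SERVER_AUTH, SAMPLE_CLIENT, "plain, login"))
```

<p> The empty result for a server that offers only PLAIN and LOGIN
under the default "noplaintext, noanonymous" is the usual reason a
relay through a submission service refuses to authenticate. Rather
than dropping noplaintext globally, keep it for unencrypted sessions
and relax it only where TLS protects the password, with
smtp_sasl_tls_security_options = noanonymous together with
smtp_tls_security_level = encrypt for that destination.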
</p>

%PARAM smtp_skip_quit_response yes

<p>
Do not wait for the response to the SMTP QUIT command.
</p>

%PARAM smtp_xforward_timeout 300s

<p>
The Postfix SMTP client time limit for sending the XFORWARD command,
and for receiving the remote SMTP server response.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM authorized_verp_clients $mynetworks

<p> What remote SMTP clients are allowed to specify the XVERP command.
This command requests that mail be delivered one recipient at a
time with a per recipient return address. </p>

<p> By default, only trusted clients are allowed to specify XVERP.
</p>

<p> This parameter was introduced with Postfix version 1.1. Postfix
version 2.1 renamed this parameter to smtpd_authorized_verp_clients
and changed the default to none. </p>

<p> Specify a list of network/netmask patterns, separated by commas
and/or whitespace. The mask specifies the number of bits in the
network part of a host address. You can also specify hostnames or
.domain names (the initial dot causes the domain to match any name
below it), "/file/name" or "type:table" patterns. A "/file/name"
pattern is replaced by its contents; a "type:table" lookup table
is matched when a table entry matches a lookup string (the lookup
result is ignored). Continue long lines by starting the next line
with whitespace. Specify "!pattern" to exclude an address or network
block from the list. The form "!/file/name" is supported only in
Postfix version 2.4 and later.
</p>

<p> Note: IP version 6 address information must be specified inside
<tt>[]</tt> in the authorized_verp_clients value, and in files
specified with "/file/name". IP version 6 addresses contain the
":" character, and would otherwise be confused with a "type:table"
pattern. </p>

%PARAM smtpd_authorized_verp_clients $authorized_verp_clients

<p> What remote SMTP clients are allowed to specify the XVERP command.
This command requests that mail be delivered one recipient at a
time with a per recipient return address. </p>

<p> By default, no clients are allowed to specify XVERP. </p>

<p> This parameter was renamed with Postfix version 2.1. The default value
is backwards compatible with Postfix version 2.0. </p>

<p> Specify a list of network/netmask patterns, separated by commas
and/or whitespace. The mask specifies the number of bits in the
network part of a host address. You can also specify hostnames or
.domain names (the initial dot causes the domain to match any name
below it), "/file/name" or "type:table" patterns. A "/file/name"
pattern is replaced by its contents; a "type:table" lookup table
is matched when a table entry matches a lookup string (the lookup
result is ignored). Continue long lines by starting the next line
with whitespace. Specify "!pattern" to exclude an address or network
block from the list. The form "!/file/name" is supported only in
Postfix version 2.4 and later. </p>

<p> Note: IP version 6 address information must be specified inside
<tt>[]</tt> in the smtpd_authorized_verp_clients value, and in
files specified with "/file/name". IP version 6 addresses contain
the ":" character, and would otherwise be confused with a "type:table"
pattern. </p>

%PARAM smtpd_authorized_xclient_hosts

<p>
What remote SMTP clients are allowed to use the XCLIENT feature.
This
command overrides remote SMTP client information that is used for access
control. Typical use is for SMTP-based content filters, fetchmail-like
programs, or SMTP server access rule testing. See the XCLIENT_README
document for details.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

<p>
By default, no clients are allowed to specify XCLIENT.
</p>

<p>
Specify a list of network/netmask patterns, separated by commas
and/or whitespace. The mask specifies the number of bits in the
network part of a host address. You can also specify hostnames or
.domain names (the initial dot causes the domain to match any name
below it), "/file/name" or "type:table" patterns. A "/file/name"
pattern is replaced by its contents; a "type:table" lookup table
is matched when a table entry matches a lookup string (the lookup
result is ignored). Continue long lines by starting the next line
with whitespace. Specify "!pattern" to exclude an address or network
block from the list. The form "!/file/name" is supported only in
Postfix version 2.4 and later. </p>

<p> Note: IP version 6 address information must be specified inside
<tt>[]</tt> in the smtpd_authorized_xclient_hosts value, and in
files specified with "/file/name". IP version 6 addresses contain
the ":" character, and would otherwise be confused with a "type:table"
pattern. </p>

%PARAM smtpd_authorized_xforward_hosts

<p>
What remote SMTP clients are allowed to use the XFORWARD feature. This
command forwards information that is used to improve logging after
SMTP-based content filters. See the XFORWARD_README document for
details.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

<p>
By default, no clients are allowed to specify XFORWARD.
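The following Python matcher is an added example, not Postfix code: it models the network/netmask pattern syntax shared by authorized_verp_clients, smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts and smtpd_authorized_xforward_hosts, including the "[]" rule for IPv6 addresses. The file names, table names and client addresses are constructed, and the assumption that a "!/file/name" prefix toggles the sense of each pattern read from the file is the example's own.

```python
"""Matcher for the network/netmask pattern lists described above.

Added example, not Postfix code. It models the value syntax documented
for authorized_verp_clients, smtpd_authorized_verp_clients,
smtpd_authorized_xclient_hosts and smtpd_authorized_xforward_hosts:
comma/whitespace-separated patterns, "!pattern" exclusions, IPv6
addresses inside "[]", "/file/name" inclusion and "type:table" lookups.
File and table contents are constructed in-memory dicts; nothing is
read from disk or queried from a real lookup table.
"""
import ipaddress
import re

# A pattern containing ":" that is not wrapped in "[]" is a type:table lookup.
_TABLE_RE = re.compile(r"^[a-z0-9_]+:.+$", re.IGNORECASE)


def expand(value, files):
    """Split a parameter value into (negated, pattern) pairs, replacing
    "/file/name" patterns by the file's contents. A "!/file/name" prefix is
    assumed to toggle the sense of every pattern read from that file."""
    out = []
    for raw in re.split(r"[,\s]+", value.strip()):
        if not raw:
            continue
        negate = raw.startswith("!")
        pat = raw[1:] if negate else raw
        if pat.startswith("/"):
            for sub_negate, sub_pat in expand(files[pat], files):
                out.append((negate != sub_negate, sub_pat))
        else:
            out.append((negate, pat))
    return out


def pattern_matches(pat, client_ip, client_name, tables):
    """Does one (non-negated) pattern match the client address or name?"""
    ip = ipaddress.ip_address(client_ip)
    if pat.startswith("["):                      # "[ipv6]" or "[ipv6]/bits"
        addr, _, bits = pat[1:].partition("]")
        return ip in ipaddress.ip_network(addr + (bits or "/128"), strict=False)
    if _TABLE_RE.match(pat):                     # "type:table": key presence only,
        keys = tables.get(pat, set())            # the lookup result is ignored
        return client_ip in keys or client_name.lower() in keys
    if pat.startswith("."):                      # ".domain" matches names below it
        return client_name.lower().endswith(pat.lower())
    try:                                         # IPv4 address or network/bits
        return ip in ipaddress.ip_network(pat, strict=False)
    except ValueError:                           # otherwise a plain hostname
        return client_name.lower() == pat.lower()


def client_allowed(value, client_ip, client_name="", files=None, tables=None):
    """Evaluate patterns in order; the first match decides, and a matching
    "!pattern" excludes the client. No match means not allowed."""
    for negate, pat in expand(value, files or {}):
        if pattern_matches(pat, client_ip, client_name, tables or {}):
            return not negate
    return False


# Constructed sample data standing in for a "/file/name" and a "type:table".
SAMPLE_FILES = {"/etc/postfix/filter_hosts": "127.0.0.1 [::1] !10.0.0.99"}
SAMPLE_TABLES = {"hash:/etc/postfix/xclient_hosts": {"192.0.2.10"}}
SAMPLE_VALUE = ("/etc/postfix/filter_hosts, 10.0.0.0/8, .filter.example.com, "
                "[2001:db8::]/32, hash:/etc/postfix/xclient_hosts")


def demo():
    """Which constructed clients the sample value admits."""
    def allowed(ip, name=""):
        return client_allowed(SAMPLE_VALUE, ip, name, SAMPLE_FILES, SAMPLE_TABLES)
    return {
        "loopback": allowed("127.0.0.1"),                     # True, from the file
        "v6 loopback": allowed("::1"),                        # True, "[::1]" in the file
        "excluded host": allowed("10.0.0.99"),                # False, "!" entry wins over 10.0.0.0/8
        "other 10/8": allowed("10.1.2.3"),                    # True
        "subdomain": allowed("198.51.100.7", "av1.filter.example.com"),  # True
        "v6 net": allowed("2001:db8:1::5"),                   # True, "[2001:db8::]/32"
        "table": allowed("192.0.2.10"),                       # True, key present in the table
        "stranger": allowed("203.0.113.9", "mx.other.test"),  # False
        # Without "[]" an IPv6 pattern is read as a "type:table" of type "2001",
        # so it never matches: the ambiguity the notes above warn about.
        "v6 without brackets": client_allowed("2001:db8::/32", "2001:db8::1"),
    }
```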
</p>

<p>
Specify a list of network/netmask patterns, separated by commas
and/or whitespace. The mask specifies the number of bits in the
network part of a host address. You can also specify hostnames or
.domain names (the initial dot causes the domain to match any name
below it), "/file/name" or "type:table" patterns. A "/file/name"
pattern is replaced by its contents; a "type:table" lookup table
is matched when a table entry matches a lookup string (the lookup
result is ignored). Continue long lines by starting the next line
with whitespace. Specify "!pattern" to exclude an address or network
block from the list. The form "!/file/name" is supported only in
Postfix version 2.4 and later. </p>

<p> Note: IP version 6 address information must be specified inside
<tt>[]</tt> in the smtpd_authorized_xforward_hosts value, and in
files specified with "/file/name". IP version 6 addresses contain
the ":" character, and would otherwise be confused with a "type:table"
pattern. </p>

%PARAM smtpd_banner $myhostname ESMTP $mail_name

<p>
The text that follows the 220 status code in the SMTP greeting
banner. Some people like to see the mail version advertised. By
default, Postfix shows no version.
</p>

<p>
You MUST specify $myhostname at the start of the text. This is
required by the SMTP protocol.
</p>

<p>
Example:
</p>

<pre>
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
</pre>

%PARAM smtpd_client_connection_count_limit 50

<p>
How many simultaneous connections any client is allowed to
make to this service. By default, the limit is set to half
the default process limit value.
</p>

<p>
To disable this feature, specify a limit of 0.
</p>

<p>
WARNING: The purpose of this feature is to limit abuse.
It must
not be used to regulate legitimate mail traffic.
</p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

%PARAM smtpd_client_event_limit_exceptions $mynetworks

<p>
Clients that are excluded from smtpd_client_*_count/rate_limit
restrictions. See the mynetworks parameter
description for the parameter value syntax.
</p>

<p>
By default, clients in trusted networks are excluded. Specify a
list of network blocks, hostnames or .domain names (the initial
dot causes the domain to match any name below it).
</p>

<p> Note: IP version 6 address information must be specified inside
<tt>[]</tt> in the smtpd_client_event_limit_exceptions value, and
in files specified with "/file/name". IP version 6 addresses
contain the ":" character, and would otherwise be confused with a
"type:table" pattern. </p>

<p> Pattern matching of domain names is controlled by the presence
or absence of "smtpd_client_event_limit_exceptions" in the
parent_domain_matches_subdomains parameter value (Postfix 3.0 and
later). </p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

%PARAM smtpd_client_connection_rate_limit 0

<p>
The maximal number of connection attempts any client is allowed to
make to this service per time unit. The time unit is specified
with the anvil_rate_time_unit configuration parameter.
</p>

<p>
By default, a client can make as many connections per time unit as
Postfix can accept.
</p>

<p>
To disable this feature, specify a limit of 0.
</p>

<p>
WARNING: The purpose of this feature is to limit abuse. It must
not be used to regulate legitimate mail traffic.
</p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

<p>
Example:
</p>

<pre>
smtpd_client_connection_rate_limit = 1000
</pre>

%PARAM smtpd_client_message_rate_limit 0

<p>
The maximal number of message delivery requests that any client is
allowed to make to this service per time unit, regardless of whether
or not Postfix actually accepts those messages. The time unit is
specified with the anvil_rate_time_unit configuration parameter.
</p>

<p>
By default, a client can send as many message delivery requests
per time unit as Postfix can accept.
</p>

<p>
To disable this feature, specify a limit of 0.
</p>

<p>
WARNING: The purpose of this feature is to limit abuse. It must
not be used to regulate legitimate mail traffic.
</p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

<p>
Example:
</p>

<pre>
smtpd_client_message_rate_limit = 1000
</pre>

%PARAM smtpd_client_recipient_rate_limit 0

<p>
The maximal number of recipient addresses that any client is allowed
to send to this service per time unit, regardless of whether or not
Postfix actually accepts those recipients. The time unit is specified
with the anvil_rate_time_unit configuration parameter.
</p>

<p>
By default, a client can send as many recipient addresses per time
unit as Postfix can accept.
</p>

<p>
To disable this feature, specify a limit of 0.
</p>

<p>
WARNING: The purpose of this feature is to limit abuse. It must
not be used to regulate legitimate mail traffic.
</p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

<p>
Example:
</p>

<pre>
smtpd_client_recipient_rate_limit = 1000
</pre>

%PARAM smtpd_client_new_tls_session_rate_limit 0

<p>
The maximal number of new (i.e., uncached) TLS sessions that a
remote SMTP client is allowed to negotiate with this service per
time unit. The time unit is specified with the anvil_rate_time_unit
configuration parameter.
</p>

<p>
By default, a remote SMTP client can negotiate as many new TLS
sessions per time unit as Postfix can accept.
</p>

<p>
To disable this feature, specify a limit of 0. Otherwise, specify
a limit that is at least the per-client concurrent session limit,
or else legitimate client sessions may be rejected.
</p>

<p>
WARNING: The purpose of this feature is to limit abuse. It must
not be used to regulate legitimate mail traffic.
</p>

<p>
This feature is available in Postfix 2.3 and later.
</p>

<p>
Example:
</p>

<pre>
smtpd_client_new_tls_session_rate_limit = 100
</pre>

%PARAM smtpd_client_auth_rate_limit 0

<p>
The maximal number of AUTH commands that any client is allowed to
send to this service per time unit, regardless of whether or not
Postfix actually accepts those commands. The time unit is specified
with the anvil_rate_time_unit configuration parameter.
</p>

<p>
By default, there is no limit on the number of AUTH commands that a
client may send.
</p>

<p>
To disable this feature, specify a limit of 0.
</p>

<p>
WARNING: The purpose of this feature is to limit abuse. It must
not be used to regulate legitimate mail traffic.
</p>

<p>
This feature is available in Postfix 3.1 and later.
</p>

%PARAM smtpd_client_restrictions

<p>
Optional restrictions that the Postfix SMTP server applies in the
context of a client connection request.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>

<p>
The default is to allow all connection requests.
</p>

<p>
Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first
restriction that matches wins.
</p>

<p>
The following restrictions are specific to client hostname or
client network address information.
</p>

<dl>

<dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd> By default use the remote SMTP client certificate fingerprint
or the public key
fingerprint (Postfix 2.9 and later) as the lookup key for the specified
access(5) database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version
2.2 and later. </dd>

<dd> The default algorithm is <b>sha256</b> with Postfix ≥ 3.6
and the <b>compatibility_level</b> set to 3.6 or higher. With Postfix
≤ 3.5, the default algorithm is <b>md5</b>. The best-practice
algorithm is now <b>sha256</b>. Recent advances in hash function
cryptanalysis have led to md5 and sha1 being deprecated in favor of
sha256.
However, as long as there are no known "second pre-image"
attacks against the older algorithms, their use in this context, though
not recommended, is still likely safe. </dd>

<dd> Alternatively, check_ccert_access accepts an explicit search
order (Postfix 3.5 and later). The default search order as described
above corresponds with: </dd>

<dd> check_ccert_access { type:table, { search_order = cert_fingerprint,
pubkey_fingerprint } } </dd>

<dd> The commas are optional. </dd>

<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access database for the client hostname,
parent domains, client IP address, or networks obtained by stripping
least significant octets. See the access(5) manual page for details. </dd>

<dt><b><a name="check_client_a_access">check_client_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the IP addresses for the
client hostname, and execute the corresponding action. Note: a result
of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
to exclude specific hosts from denylists. This feature is available
in Postfix 3.0 and later. </dd>

<dt><b><a name="check_client_mx_access">check_client_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the MX hosts for the
client hostname, and execute the corresponding action. If no MX
record is found, look up A or AAAA records, just like the Postfix
SMTP client would. Note: a result
of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
to exclude specific hosts from denylists. This feature is available
in Postfix 2.7 and later.
</dd>

<dt><b><a name="check_client_ns_access">check_client_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the DNS servers for
the client hostname, and execute the corresponding action. Note: a
result of "OK" is not allowed for safety reasons. Instead, use DUNNO
in order to exclude specific hosts from denylists. This feature is
available in Postfix 2.7 and later. </dd>

<dt><b><a name="check_reverse_client_hostname_access">check_reverse_client_hostname_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access database for the unverified reverse
client hostname, parent domains, client IP address, or networks
obtained by stripping least significant octets. See the access(5)
manual page for details. Note: a result of "OK" is not allowed for
safety reasons. Instead, use DUNNO in order to exclude specific
hosts from denylists. This feature is available in Postfix 2.6
and later.</dd>

<dt><b><a name="check_reverse_client_hostname_a_access">check_reverse_client_hostname_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the IP addresses for the
unverified reverse client hostname, and execute the corresponding
action. Note: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from denylists.
This feature is available in Postfix 3.0 and later. </dd>

<dt><b><a name="check_reverse_client_hostname_mx_access">check_reverse_client_hostname_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the MX hosts for the
unverified reverse client hostname, and execute the corresponding
action.
If no MX record is found, look up A or AAAA records, just
like the Postfix SMTP client would.
Note: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from denylists.
This feature is available in Postfix 2.7 and later. </dd>

<dt><b><a name="check_reverse_client_hostname_ns_access">check_reverse_client_hostname_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the DNS servers for
the unverified reverse client hostname, and execute the corresponding
action. Note: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from denylists.
This feature is available in Postfix 2.7 and later. </dd>

<dt><b><a name="check_sasl_access">check_sasl_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd> Use the remote SMTP client SASL user name as the lookup key for
the specified access(5) database. The lookup key has the form
"username@domainname" when the smtpd_sasl_local_domain parameter
value is non-empty. Unlike the check_client_access feature,
check_sasl_access does not perform matches of parent domains or IP
subnet ranges. This feature is available with Postfix version 2.11
and later. </dd>

<dt><b><a name="permit_inet_interfaces">permit_inet_interfaces</a></b></dt>

<dd>Permit the request when the client IP address matches
$inet_interfaces. </dd>

<dt><b><a name="permit_mynetworks">permit_mynetworks</a></b></dt>

<dd>Permit the request when the client IP address matches any
network or network address listed in $mynetworks. </dd>

<dt><b><a name="permit_sasl_authenticated">permit_sasl_authenticated</a></b></dt>

<dd> Permit the request when the client is successfully
authenticated via the RFC 4954 (AUTH) protocol.
</dd>

<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>

<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
CA issues the certificates and only this CA is listed as a trusted
CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs.
This feature requires "smtpd_tls_ask_ccert = yes" and is available
with Postfix version 2.2 and later.</dd>

<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>

<dd>Permit the request when the remote SMTP client certificate
fingerprint or public key fingerprint (Postfix 2.9 and later) is
listed in $relay_clientcerts.
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert
= yes" and is available with Postfix version 2.2 and later.</dd>

<dd> The default algorithm is <b>sha256</b> with Postfix ≥ 3.6
and the <b>compatibility_level</b> set to 3.6 or higher. With Postfix
≤ 3.5, the default algorithm is <b>md5</b>. The best-practice
algorithm is now <b>sha256</b>. Recent advances in hash function
cryptanalysis have led to md5 and sha1 being deprecated in favor of
sha256. However, as long as there are no known "second pre-image"
attacks against the older algorithms, their use in this context, though
not recommended, is still likely safe.
</dd>

<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

<dd>Reject the request when the reversed client network address is
listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>
(Postfix version 2.1 and later only). Each "<i>d</i>" is a number,
or a pattern inside "[]" that contains one or more ";"-separated
numbers or number..number ranges (Postfix version 2.8 and later).
If no "<i>=d.d.d.d</i>" is specified, reject the request when the
reversed client network address is listed with any A record under
<i>rbl_domain</i>. <br>
The maps_rbl_reject_code parameter specifies the response code for
rejected requests (default: 554), the default_rbl_reply parameter
specifies the default server reply, and the rbl_reply_maps parameter
specifies tables with server replies indexed by <i>rbl_domain</i>.
This feature is available in Postfix 2.0 and later. </dd>

<dt><b><a name="permit_dnswl_client">permit_dnswl_client <i>dnswl_domain=d.d.d.d</i></a></b></dt>

<dd>Accept the request when the reversed client network address is
listed with the A record "<i>d.d.d.d</i>" under <i>dnswl_domain</i>.
Each "<i>d</i>" is a number, or a pattern inside "[]" that contains
one or more ";"-separated numbers or number..number ranges.
If no "<i>=d.d.d.d</i>" is specified, accept the request when the
reversed client network address is listed with any A record under
<i>dnswl_domain</i>. <br> For safety, permit_dnswl_client is silently
ignored when it would override reject_unauth_destination. The
result is DEFER_IF_REJECT when allowlist lookup fails. This feature
is available in Postfix 2.8 and later.
</dd>

<dt><b><a name="reject_rhsbl_client">reject_rhsbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

<dd>Reject the request when the client hostname is listed with the
A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix version
2.1 and later only). Each "<i>d</i>" is a number, or a pattern
inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified, reject the request when the client
hostname is listed with
any A record under <i>rbl_domain</i>. See the reject_rbl_client
description above for additional RBL related configuration parameters.
This feature is available in Postfix 2.0 and later; with Postfix
version 2.8 and later, reject_rhsbl_reverse_client will usually
produce better results. </dd>

<dt><b><a name="permit_rhswl_client">permit_rhswl_client <i>rhswl_domain=d.d.d.d</i></a></b></dt>

<dd>Accept the request when the client hostname is listed with the
A record "<i>d.d.d.d</i>" under <i>rhswl_domain</i>. Each "<i>d</i>"
is a number, or a pattern inside "[]" that contains one or more
";"-separated numbers or number..number ranges. If no
"<i>=d.d.d.d</i>" is specified, accept the request when the client
hostname is listed with any A record under <i>rhswl_domain</i>.
<br> Caution: client name allowlisting is fragile, since the client
name lookup can fail due to temporary outages. Client name
allowlisting should be used only to reduce false positives in e.g.
DNS-based blocklists, and not for making access rule exceptions.
<br> For safety, permit_rhswl_client is silently ignored when it
would override reject_unauth_destination. The result is DEFER_IF_REJECT
when allowlist lookup fails. This feature is available in Postfix
2.8 and later.
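As an added example (not Postfix code), the following Python shows how the "<i>d.d.d.d</i>" patterns of reject_rbl_client, permit_dnswl_client, reject_rhsbl_client and permit_rhswl_client are matched against the A records a list returns, including the "[n;n..m]" form; the list domains (bl.example, wl.example, rhsbl.example) and the DNS answers are constructed placeholders rather than real lookups.

```python
"""Matching DNS-based block/allow-list answers against the "d.d.d.d" patterns
accepted by reject_rbl_client, permit_dnswl_client, reject_rhsbl_client and
permit_rhswl_client. Added example, not Postfix code: DNS answers come from
a constructed in-memory table instead of real queries, and the list names
(bl.example, wl.example, rhsbl.example) are placeholders."""
import re

_ELEMENT = re.compile(r"^(\d+)(?:\.\.(\d+))?$")   # "n" or "n..m"


def octet_matches(pattern, value):
    """One "d": a plain number, or "[...]" holding ";"-separated numbers
    and number..number ranges (Postfix 2.8 and later)."""
    alts = pattern[1:-1].split(";") if pattern.startswith("[") else [pattern]
    for alt in alts:
        m = _ELEMENT.match(alt)
        if not m:
            raise ValueError("bad pattern element %r" % alt)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo <= value <= hi:
            return True
    return False


def split_pattern(pattern):
    """Split "d.d.d.d" on dots outside "[]" (a range inside "[]" contains
    ".." and must not be split)."""
    parts, cur, depth = [], "", 0
    for ch in pattern:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    if len(parts) != 4:
        raise ValueError("pattern must have four elements: %r" % pattern)
    return parts


def answer_matches(spec, answer):
    """spec is "list_domain" or "list_domain=d.d.d.d"; answer is the A record
    text. Without "=d.d.d.d", any A record counts as listed."""
    pattern = spec.partition("=")[2]
    if not pattern:
        return True
    octets = [int(x) for x in answer.split(".")]
    return all(octet_matches(p, o) for p, o in zip(split_pattern(pattern), octets))


def rbl_query_name(client_ip, list_domain):
    """Reversed IPv4 client address under the list domain."""
    return ".".join(reversed(client_ip.split("."))) + "." + list_domain


def listed(spec, query_name, dns):
    """True when any A record returned for query_name satisfies spec."""
    return any(answer_matches(spec, a) for a in dns.get(query_name, []))


def rbl_hit(spec, client_ip, dns):
    """reject_rbl_client / permit_dnswl_client: key is the reversed address."""
    return listed(spec, rbl_query_name(client_ip, spec.partition("=")[0]), dns)


def rhsbl_hit(spec, client_name, dns):
    """reject_rhsbl_client / permit_rhswl_client: key is the client hostname."""
    return listed(spec, client_name + "." + spec.partition("=")[0], dns)


# Constructed answers: 203.0.113.9 is listed twice in bl.example, one host is
# listed in rhsbl.example, and 198.51.100.7 is listed in wl.example.
SAMPLE_DNS = {
    "9.113.0.203.bl.example": ["127.0.0.2", "127.0.0.11"],
    "spam.example.com.rhsbl.example": ["127.0.0.2"],
    "7.100.51.198.wl.example": ["127.0.1.2"],
}
```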
</dd>

<dt><b><a name="reject_rhsbl_reverse_client">reject_rhsbl_reverse_client <i>rbl_domain=d.d.d.d</i></a></b></dt>

<dd>Reject the request when the unverified reverse client hostname
is listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>.
Each "<i>d</i>" is a number, or a pattern inside "[]" that contains
one or more ";"-separated numbers or number..number ranges.
If no "<i>=d.d.d.d</i>" is specified, reject the request when the
unverified reverse client hostname is listed with any A record under
<i>rbl_domain</i>. See the reject_rbl_client description above for
additional RBL related configuration parameters. This feature is
available in Postfix 2.8 and later. </dd>

<dt><b><a name="reject_unknown_client_hostname">reject_unknown_client_hostname</a></b> (with Postfix < 2.3: reject_unknown_client)</dt>

<dd>Reject the request when 1) the client IP address->name mapping
fails, or 2) the name->address mapping fails, or 3) the name->address
mapping does not match the client IP address. <br> This is a
stronger restriction than the reject_unknown_reverse_client_hostname
feature, which triggers only under condition 1) above. <br> The
unknown_client_reject_code parameter specifies the response code
for rejected requests (default: 450). The reply is always 450 in
case the address->name or name->address lookup failed due to
a temporary problem. </dd>

<dt><b><a name="reject_unknown_reverse_client_hostname">reject_unknown_reverse_client_hostname</a></b></dt>

<dd>Reject the request when the client IP address has no address->name
mapping. <br> This is a weaker restriction than the
reject_unknown_client_hostname feature, which requires not only
that the address->name and name->address mappings exist, but
also that the two mappings reproduce the client IP address.
<br>
The unknown_client_reject_code parameter specifies the response
code for rejected requests (default: 450). The reply is always 450
in case the address->name lookup failed due to a temporary
problem. <br> This feature is available in Postfix 2.3 and
later. </dd>

#<dt><b><a name="reject_unknown_forward_client_hostname">reject_unknown_forward_client_hostname</a></b></dt>
#
#<dd>Reject the request when the client IP address has no address->name
#or name ->address mapping. <br> This is a weaker restriction
#than the reject_unknown_client_hostname feature, which requires not
#only that the address->name and name->address mappings exist,
#but also that the two mappings reproduce the client IP address.
#<br> The unknown_client_reject_code parameter specifies the response
#code for rejected requests (default: 450). The reply is always 450
#in case the address->name or name ->address lookup failed due
#to a temporary problem. <br> This feature is available in Postfix
#version 2.3 and later. </dd>

</dl>

<p>
In addition, you can use any of the following <a name="generic">
generic</a> restrictions. These restrictions are applicable in
any SMTP command context.
</p>

<dl>

<dt><b><a name="check_policy_service">check_policy_service <i>servername</i></a></b></dt>

<dd>Query the specified policy server. See the SMTPD_POLICY_README
document for details. This feature is available in Postfix 2.1
and later. </dd>

<dt><b><a name="defer">defer</a></b></dt>

<dd>Defer the request. The client is told to try again later. This
restriction is useful at the end of a restriction list, to make
the default policy explicit.
<br> The defer_code parameter specifies
the SMTP server reply code (default: 450).</dd>

<dt><b><a name="defer_if_permit">defer_if_permit</a></b></dt>

<dd>Defer the request if some later restriction would result in an
explicit or implicit PERMIT action. This is useful when a denylisting
feature fails due to a temporary problem. This feature is available
in Postfix version 2.1 and later. </dd>

<dt><b><a name="defer_if_reject">defer_if_reject</a></b></dt>

<dd>Defer the request if some later restriction would result in a
REJECT action. This is useful when an allowlisting feature fails
due to a temporary problem. This feature is available in Postfix
version 2.1 and later. </dd>

<dt><b><a name="permit">permit</a></b></dt>

<dd>Permit the request. This restriction is useful at the end of
a restriction list, to make the default policy explicit.</dd>

<dt><b><a name="reject_multi_recipient_bounce">reject_multi_recipient_bounce</a></b></dt>

<dd>Reject the request when the envelope sender is the null address,
and the message has multiple envelope recipients. This usage has
rare but legitimate applications: under certain conditions,
multi-recipient mail that was posted with the DSN option NOTIFY=NEVER
may be forwarded with the null sender address.
<br> Note: this restriction can only work reliably
when used in smtpd_data_restrictions or
smtpd_end_of_data_restrictions, because the total number of
recipients is not known at an earlier stage of the SMTP conversation.
Use at the RCPT stage will only reject the second etc. recipient.
<br>
The multi_recipient_bounce_reject_code parameter specifies the
response code for rejected requests (default: 550). This feature
is available in Postfix 2.1 and later.
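The following Python evaluator is an added example, not Postfix code: it walks an smtpd_client_restrictions list in order with "the first restriction that matches wins", and shows how defer_if_permit and defer_if_reject turn a later explicit or implicit PERMIT or REJECT into a DEFER when a denylist or allowlist lookup has failed temporarily. The client attributes (in_mynetworks, sasl_authenticated, hostname_status), the list domain bl.example and the in-memory DNSBL listing are constructed for the example.

```python
"""Order-dependent evaluation of an smtpd_client_restrictions list: the first
restriction that matches wins, and defer_if_permit / defer_if_reject turn a
later PERMIT or REJECT into a DEFER. Added example, not Postfix code.
The client dict (in_mynetworks, sasl_authenticated, hostname_status) and the
in-memory DNSBL listing are constructed; a list domain missing from the DNSBL
dict models a lookup that failed with a temporary error."""
import re

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"
DEFER_IF_PERMIT, DEFER_IF_REJECT = "DEFER_IF_PERMIT", "DEFER_IF_REJECT"
WITH_ARGUMENT = {"reject_rbl_client"}       # restrictions that take a parameter


def parse(restrictions):
    """Comma/whitespace separated list -> [(name, argument-or-None), ...]."""
    tokens = [t for t in re.split(r"[,\s]+", restrictions.strip()) if t]
    items, i = [], 0
    while i < len(tokens):
        name, arg = tokens[i], None
        if name in WITH_ARGUMENT:
            i += 1
            arg = tokens[i]
        items.append((name, arg))
        i += 1
    return items


def check_one(name, arg, client, dnsbl):
    """Result of a single restriction. A reject-type check that cannot
    complete because of a temporary DNS problem yields DEFER_IF_PERMIT, the
    implicit action behind the "reply is always 450" cases above."""
    if name == "permit_mynetworks":
        return PERMIT if client["in_mynetworks"] else DUNNO
    if name == "permit_sasl_authenticated":
        return PERMIT if client["sasl_authenticated"] else DUNNO
    if name == "reject_unknown_client_hostname":
        # hostname_status: "verified" (address->name->address agree),
        # "unknown" (a mapping fails or disagrees), "tempfail" (lookup error)
        return {"verified": DUNNO, "unknown": REJECT,
                "tempfail": DEFER_IF_PERMIT}[client["hostname_status"]]
    if name == "reject_rbl_client":
        listing = dnsbl.get(arg)
        if listing is None:                  # constructed: domain absent = DNS timeout
            return DEFER_IF_PERMIT
        return REJECT if client["ip"] in listing else DUNNO
    if name in ("permit", "reject", "defer", "defer_if_permit", "defer_if_reject"):
        return name.upper()
    raise ValueError("unsupported restriction in this example: %s" % name)


def evaluate(restrictions, client, dnsbl):
    """Walk the list in order; stop at the first PERMIT/REJECT/DEFER."""
    pending = set()
    result = PERMIT                      # the default is to allow the request
    for name, arg in parse(restrictions):
        outcome = check_one(name, arg, client, dnsbl)
        if outcome == DUNNO:
            continue
        if outcome in (DEFER_IF_PERMIT, DEFER_IF_REJECT):
            pending.add(outcome)         # decided by what happens later
            continue
        result = outcome
        break
    if result == PERMIT and DEFER_IF_PERMIT in pending:
        return DEFER                     # explicit or implicit PERMIT deferred
    if result == REJECT and DEFER_IF_REJECT in pending:
        return DEFER
    return result


# Constructed scenario data.
LIST = ("permit_mynetworks, permit_sasl_authenticated, "
        "reject_rbl_client bl.example, reject_unknown_client_hostname")
DNSBL = {"bl.example": {"203.0.113.9"}}


def client(ip, **flags):
    c = {"ip": ip, "in_mynetworks": False, "sasl_authenticated": False,
         "hostname_status": "verified"}
    c.update(flags)
    return c


def demo():
    return {
        # first match wins: a trusted client is permitted even though listed
        "trusted but listed": evaluate(LIST, client("203.0.113.9", in_mynetworks=True), DNSBL),
        "stranger listed": evaluate(LIST, client("203.0.113.9"), DNSBL),
        "stranger clean": evaluate(LIST, client("198.51.100.7"), DNSBL),
        # DNSBL lookup failed: the implicit end-of-list PERMIT becomes DEFER
        "dnsbl timeout": evaluate(LIST, client("198.51.100.7"), {}),
        # ... but an explicit REJECT later in the list still wins
        "timeout, unknown name": evaluate(LIST, client("198.51.100.7", hostname_status="unknown"), {}),
        # defer_if_reject: a later REJECT is softened to DEFER
        "defer_if_reject": evaluate("permit_mynetworks, defer_if_reject, reject_unknown_client_hostname",
                                    client("198.51.100.7", hostname_status="unknown"), DNSBL),
    }
```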
</dd>

<dt><b><a name="reject_plaintext_session">reject_plaintext_session</a></b></dt>

<dd>Reject the request when the connection is not encrypted. This
restriction should not be used before the client has had a chance
to negotiate encryption with the AUTH or STARTTLS commands.
<br>
The plaintext_reject_code parameter specifies the response
code for rejected requests (default: 450). This feature is available
in Postfix 2.3 and later. </dd>

<dt><b><a name="reject_unauth_pipelining">reject_unauth_pipelining</a></b></dt>

<dd>Reject the request when the client sends SMTP commands ahead
of time where it is not allowed, or when the client sends SMTP
commands ahead of time without knowing that Postfix actually supports
ESMTP command pipelining. This stops mail from bulk mail software
that improperly uses ESMTP command pipelining in order to speed up
deliveries.
<br> With Postfix 2.6 and later, the SMTP server sets a per-session
flag whenever it detects illegal pipelining, including pipelined
HELO or EHLO commands. The reject_unauth_pipelining feature simply
tests whether the flag was set at any point in time during the
session.
<br> With older Postfix versions, reject_unauth_pipelining checks
the current status of the input read queue, and its usage is not
recommended in contexts other than smtpd_data_restrictions. </dd>

<dt><b><a name="reject">reject</a></b></dt>

<dd>Reject the request. This restriction is useful at the end of
a restriction list, to make the default policy explicit. The
reject_code configuration parameter specifies the response code for
rejected requests (default: 554).</dd>

<dt><b><a name="sleep">sleep <i>seconds</i></a></b></dt>

<dd>Pause for the specified number of seconds and proceed with
the next restriction in the list, if any.
This may stop zombie
mail when used as:
<pre>
/etc/postfix/main.cf:
    smtpd_client_restrictions =
        sleep 1, reject_unauth_pipelining
    smtpd_delay_reject = no
</pre>
This feature is available in Postfix 2.3. </dd>

<dt><b><a name="warn_if_reject">warn_if_reject</a></b></dt>

<dd> A safety net for testing. When "warn_if_reject" is placed
before a reject-type restriction, access table query, or
check_policy_service query, this logs a "reject_warning" message
instead of rejecting a request (when a reject-type restriction fails
due to a temporary error, this logs a "reject_warning" message for
any implicit "defer_if_permit" actions that would normally prevent
mail from being accepted by some later access restriction). This
feature has no effect on defer_if_reject restrictions. </dd>

</dl>

<p>
Other restrictions that are valid in this context:
</p>

<ul>

<li> SMTP command specific restrictions that are described under
the smtpd_helo_restrictions, smtpd_sender_restrictions or
smtpd_recipient_restrictions parameters. When helo, sender or
recipient restrictions are listed under smtpd_client_restrictions,
they have effect only with "smtpd_delay_reject = yes", so that
$smtpd_client_restrictions is evaluated at the time of the RCPT TO
command.

</ul>

<p>
Example:
</p>

<pre>
smtpd_client_restrictions = permit_mynetworks, reject_unkn�own_client_hostname
</pre>

%CLASS smtpd-tarpit Tarpit features

<p>
When a remote SMTP client makes errors, the Postfix SMTP server
can insert delays before responding. This can help to slow down
run-away software. The behavior is controlled by an error counter
that counts the number of errors within an SMTP session that a
client makes without delivering mail.
</p>

<ul>

<li><p>When the error counter is less than $smtpd_soft_error_limit the
Postfix SMTP server replies immediately (Postfix version 2.0 and earlier
delay their 4xx or 5xx error response). </p>

<li><p>When the error counter reaches $smtpd_soft_error_limit, the Postfix
SMTP server delays all its responses. </p>

<li><p>When the error counter reaches $smtpd_hard_error_limit the Postfix
SMTP server breaks the connection. </p>

</ul>

%PARAM smtpd_error_sleep_time 1s

<p>With Postfix version 2.1 and later: the SMTP server response delay after
a client has made more than $smtpd_soft_error_limit errors, and
fewer than $smtpd_hard_error_limit errors, without delivering mail.
</p>

<p>With Postfix version 2.0 and earlier: the SMTP server delay
before sending a reject (4xx or 5xx) response, when the client has
made fewer than $smtpd_soft_error_limit errors without delivering
mail. When the client has made $smtpd_soft_error_limit or more errors,
delay all responses with the larger of (number of errors) seconds
or $smtpd_error_sleep_time. </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM smtpd_soft_error_limit 10

<p>
The number of errors a remote SMTP client is allowed to make without
delivering mail before the Postfix SMTP server slows down all its
responses.
</p>

<ul>

<li><p>With Postfix version 2.1 and later, when the error count
is > $smtpd_soft_error_limit, the Postfix SMTP server
delays all responses by $smtpd_error_sleep_time.
</p>

<li><p>With Postfix versions 2.0 and earlier, when the error count
is > $smtpd_soft_error_limit, the Postfix SMTP server delays all
responses by the larger of (number of errors) seconds or
$smtpd_error_sleep_time. </p>

<li><p>With Postfix versions 2.0 and earlier, when the error count
is ≤ $smtpd_soft_error_limit, the Postfix SMTP server delays 4XX
and 5XX responses by $smtpd_error_sleep_time. </p>

</ul>

%PARAM smtpd_hard_error_limit normal: 20, overload: 1

<p>
The maximal number of errors a remote SMTP client is allowed to
make without delivering mail. The Postfix SMTP server disconnects
when the limit is reached. Normally the default limit is 20, but
it changes under overload to just 1. With Postfix 2.5 and earlier,
the SMTP server always allows up to 20 errors by default.
Valid values are greater than zero.
</p>

%PARAM smtpd_junk_command_limit normal: 100, overload: 1

<p>
The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
SMTP client can send before the Postfix SMTP server starts to
increment the error counter with each junk command. The junk
command count is reset after mail is delivered. See also the
smtpd_error_sleep_time and smtpd_soft_error_limit configuration
parameters. Normally the default limit is 100, but it changes under
overload to just 1. With Postfix 2.5 and earlier, the SMTP server
always allows up to 100 junk commands by default. </p>

%PARAM smtpd_recipient_overshoot_limit 1000

<p> The number of recipients that a remote SMTP client can send in
excess of the limit specified with $smtpd_recipient_limit, before
the Postfix SMTP server increments the per-session error count
for each excess recipient.
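As an added illustration that is not Postfix source code, the following Python model walks through the per-session bookkeeping that the tarpit parameters above describe, using the Postfix 2.1 and later semantics (more than $smtpd_soft_error_limit errors delays every reply, reaching $smtpd_hard_error_limit drops the session, junk commands and excess recipients feed the same counter). The TarpitConfig values, the reply texts and the class names are constructed for this example.

```python
from dataclasses import dataclass, field

# The four verbs the parameter description calls "junk commands".
JUNK_COMMANDS = ("NOOP", "VRFY", "ETRN", "RSET")


@dataclass
class TarpitConfig:
    """Constructed defaults mirroring the documented 'normal' values."""
    smtpd_soft_error_limit: int = 10
    smtpd_hard_error_limit: int = 20
    smtpd_junk_command_limit: int = 100
    smtpd_recipient_limit: int = 1000
    smtpd_recipient_overshoot_limit: int = 1000
    smtpd_error_sleep_time: int = 1  # seconds


@dataclass
class Reply:
    text: str          # illustrative reply text, not Postfix's exact wording
    delay: int         # seconds the server sleeps before answering
    disconnect: bool   # True once smtpd_hard_error_limit is reached


@dataclass
class TarpitSession:
    """Per-session error bookkeeping (Postfix 2.1 and later semantics)."""
    cfg: TarpitConfig = field(default_factory=TarpitConfig)
    error_count: int = 0
    junk_count: int = 0
    rcpt_count: int = 0

    def _reply(self, text: str) -> Reply:
        # More than smtpd_soft_error_limit errors: every response is delayed
        # by smtpd_error_sleep_time. Reaching smtpd_hard_error_limit: the
        # server breaks the connection.
        soft = self.cfg.smtpd_soft_error_limit
        delay = self.cfg.smtpd_error_sleep_time if self.error_count > soft else 0
        disconnect = self.error_count >= self.cfg.smtpd_hard_error_limit
        return Reply(text, delay, disconnect)

    def error(self, text: str = "5xx rejected") -> Reply:
        """Any rejected or malformed command counts against the client."""
        self.error_count += 1
        return self._reply(text)

    def junk(self, verb: str) -> Reply:
        """NOOP/VRFY/ETRN/RSET are free up to smtpd_junk_command_limit;
        after that each one also increments the error counter."""
        if verb.upper() not in JUNK_COMMANDS:
            raise ValueError(f"{verb!r} is not a junk command")
        self.junk_count += 1
        if self.junk_count > self.cfg.smtpd_junk_command_limit:
            self.error_count += 1
        return self._reply("250 Ok")

    def rcpt_to(self) -> Reply:
        """Recipients beyond smtpd_recipient_limit are refused; once the
        excess also passes smtpd_recipient_overshoot_limit, every further
        recipient increments the error counter as well."""
        self.rcpt_count += 1
        excess = self.rcpt_count - self.cfg.smtpd_recipient_limit
        if excess <= 0:
            return self._reply("250 Ok")
        if excess > self.cfg.smtpd_recipient_overshoot_limit:
            self.error_count += 1
        return self._reply("452 too many recipients")

    def delivered(self) -> None:
        """Mail was queued: the counters only track errors made without
        delivering mail, so they start over."""
        self.error_count = self.junk_count = self.rcpt_count = 0


def errors_until_disconnect(cfg: TarpitConfig) -> int:
    """How many consecutive errors a client can make before the server
    drops the session; handy for comparing 'normal' and 'overload' limits."""
    session = TarpitSession(cfg)
    n = 0
    while True:
        n += 1
        if session.error().disconnect:
            return n


if __name__ == "__main__":
    print("normal limit:", errors_until_disconnect(TarpitConfig()))
    print("overload limit:",
          errors_until_disconnect(TarpitConfig(smtpd_hard_error_limit=1)))
```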
</p>

%PARAM smtpd_etrn_restrictions

<p>
Optional restrictions that the Postfix SMTP server applies in the
context of a client ETRN command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>

<p>
The Postfix ETRN implementation accepts only destinations that are
eligible for the Postfix "fast flush" service. See the ETRN_README
file for details.
</p>

<p>
Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first
restriction that matches wins.
</p>

<p>
The following restrictions are specific to the domain name information
received with the ETRN command.
</p>

<dl>

<dt><b><a name="check_etrn_access">check_etrn_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access database for the ETRN domain name
or its parent domains. See the access(5) manual page for details.
</dd>

</dl>

<p>
Other restrictions that are valid in this context:
</p>

<ul>

<li><a href="#generic">Generic</a> restrictions that can be used
in any SMTP command context, described under smtpd_client_restrictions.

<li>SMTP command specific restrictions described under
smtpd_client_restrictions and smtpd_helo_restrictions.

</ul>

<p>
Example:
</p>

<pre>
smtpd_etrn_restrictions = permit_mynetworks, reject
</pre>

%PARAM smtpd_expansion_filter see "postconf -d" output

<p>
What characters are allowed in $name expansions of RBL reply
templates. Characters not in the allowed set are replaced by "_".
Use C like escapes to specify special characters such as whitespace.
</p>

<p>
The smtpd_expansion_filter value is not subject to Postfix configuration
parameter $name expansion.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM smtpd_forbidden_commands CONNECT GET POST regexp:{{/^[^A-Z]/ Bogus}}

<p>
List of commands that cause the Postfix SMTP server to immediately
terminate the session with a 221 code. This can be used to disconnect
clients that obviously attempt to abuse the system. In addition to the
commands listed in this parameter, commands that follow the "Label:"
format of message headers will also cause a disconnect. With Postfix
versions 3.6 and earlier, the default value is "CONNECT GET POST".
</p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

<p>
Support for inline regular expressions was added in Postfix version
3.7. See regexp_table(5) for a description of the syntax and features.
</p>

%PARAM smtpd_helo_required no

<p>
Require that a remote SMTP client introduces itself with the HELO
or EHLO command before sending the MAIL command or other commands
that require EHLO negotiation.
</p>

<p>
Example:
</p>

<pre>
smtpd_helo_required = yes
</pre>

%PARAM smtpd_helo_restrictions

<p>
Optional restrictions that the Postfix SMTP server applies in the
context of a client HELO command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>

<p>
The default is to permit everything.
</p>

<p> Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip smtpd_helo_restrictions by not sending HELO or EHLO).
</p>

<p>
Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first
restriction that matches wins.
</p>

<p>
The following restrictions are specific to the hostname information
received with the HELO or EHLO command.
</p>

<dl>

<dt><b><a name="check_helo_access">check_helo_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the HELO or EHLO
hostname or parent domains, and execute the corresponding action.
Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip check_helo_access by not sending HELO or EHLO). </dd>

<dt><b><a name="check_helo_a_access">check_helo_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the IP addresses for
the HELO or EHLO hostname, and execute the corresponding action.
Note 1: a result of "OK" is not allowed for safety reasons. Instead,
use DUNNO in order to exclude specific hosts from denylists. Note
2: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip check_helo_a_access by not sending HELO or EHLO). This
feature is available in Postfix 3.0 and later.
</dd>

<dt><b><a name="check_helo_mx_access">check_helo_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the MX hosts for
the HELO or EHLO hostname, and execute the corresponding action.
If no MX record is found, look up A or AAAA records, just like the
Postfix SMTP client would.
Note 1: a result of "OK" is not allowed for safety reasons. Instead,
use DUNNO in order to exclude specific hosts from denylists. Note
2: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip check_helo_mx_access by not sending HELO or EHLO). This
feature is available in Postfix 2.1 and later.
</dd>

<dt><b><a name="check_helo_ns_access">check_helo_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the DNS servers
for the HELO or EHLO hostname, and execute the corresponding action.
Note 1: a result of "OK" is not allowed for safety reasons. Instead,
use DUNNO in order to exclude specific hosts from denylists. Note
2: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip check_helo_ns_access by not sending HELO or EHLO). This
feature is available in Postfix 2.1 and later.
</dd>

<dt><b><a name="reject_invalid_helo_hostname">reject_invalid_helo_hostname</a></b> (with Postfix < 2.3: reject_invalid_hostname)</dt>

<dd>Reject the request when the HELO or EHLO hostname is malformed.
Note: specify "smtpd_helo_required = yes" to fully enforce
this restriction (without "smtpd_helo_required = yes", a client can simply
skip reject_invalid_helo_hostname by not sending HELO or EHLO).
<br> The invalid_hostname_reject_code parameter specifies the response code
for rejected requests (default: 501).</dd>

<dt><b><a name="reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a></b> (with Postfix < 2.3: reject_non_fqdn_hostname)</dt>

<dd>Reject the request when the HELO or EHLO hostname is not in
fully-qualified domain or address literal form, as required by the
RFC.
Note: specify
"smtpd_helo_required = yes" to fully enforce this restriction
(without "smtpd_helo_required = yes", a client can simply skip
reject_non_fqdn_helo_hostname by not sending HELO or EHLO). <br>
The non_fqdn_reject_code parameter specifies the response code for
rejected requests (default: 504).</dd>

<dt><b><a name="reject_rhsbl_helo">reject_rhsbl_helo <i>rbl_domain=d.d.d.d</i></a></b></dt>

<dd>Reject the request when the HELO or EHLO hostname is
listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>
(Postfix version 2.1 and later only). Each "<i>d</i>" is a number,
or a pattern inside "[]" that contains one or more ";"-separated
numbers or number..number ranges (Postfix version 2.8 and later).
If no "<i>=d.d.d.d</i>" is
specified, reject the request when the HELO or EHLO hostname is
listed with any A record under <i>rbl_domain</i>. See the
reject_rbl_client description for additional RBL related configuration
parameters. Note: specify "smtpd_helo_required = yes" to fully
enforce this restriction (without "smtpd_helo_required = yes", a
client can simply skip reject_rhsbl_helo by not sending HELO or
EHLO). This feature is available in Postfix 2.0
and later. </dd>

<dt><b><a name="reject_unknown_helo_hostname">reject_unknown_helo_hostname</a></b> (with Postfix < 2.3: reject_unknown_hostname)</dt>

<dd>Reject the request when the HELO or EHLO hostname has no DNS A
or MX record. <br> The reply is specified with the
unknown_hostname_reject_code parameter (default: 450) or
unknown_helo_hostname_tempfail_action (default: defer_if_permit).
See the respective parameter descriptions for details. <br>
Note: specify "smtpd_helo_required = yes" to fully
enforce this restriction (without "smtpd_helo_required = yes", a
client can simply skip reject_unknown_helo_hostname by not sending
HELO or EHLO).
</dd>

</dl>

<p>
Other restrictions that are valid in this context:
</p>

<ul>

<li> <a href="#generic">Generic</a> restrictions that can be used
in any SMTP command context, described under smtpd_client_restrictions.

<li> Client hostname or network address specific restrictions
described under smtpd_client_restrictions.

<li> SMTP command specific restrictions described under
smtpd_sender_restrictions or smtpd_recipient_restrictions. When
sender or recipient restrictions are listed under smtpd_helo_restrictions,
they have effect only with "smtpd_delay_reject = yes", so that
$smtpd_helo_restrictions is evaluated at the time of the RCPT TO
command.

</ul>

<p>
Examples:
</p>

<pre>
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
</pre>

%PARAM smtpd_history_flush_threshold 100

<p>
The maximal number of lines in the Postfix SMTP server command history
before it is flushed upon receipt of EHLO, RSET, or end of DATA.
</p>

%PARAM smtpd_noop_commands

<p>
List of commands that the Postfix SMTP server replies to with "250
Ok", without doing any syntax checks and without changing state.
This list overrides any commands built into the Postfix SMTP server.
</p>

%PARAM smtpd_proxy_ehlo $myhostname

<p>
How the Postfix SMTP server announces itself to the proxy filter.
By default, the Postfix hostname is used.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtpd_proxy_options

<p>
List of options that control how the Postfix SMTP server
communicates with a before-queue content filter. Specify zero or
more of the following, separated by comma or whitespace.
</p>

<dl>

<dt><b>speed_adjust</b></dt>

<dd> <p> Do not connect to a before-queue content filter until an entire
message has been received. This reduces the number of simultaneous
before-queue content filter processes. </p>

<p> NOTE 1: A filter must not <i>selectively</i> reject recipients
of a multi-recipient message. Rejecting all recipients is OK, as
is accepting all recipients. </p>

<p> NOTE 2: This feature increases the minimum amount of free queue
space by $message_size_limit. The extra space is needed to save the
message to a temporary file. </p> </dd>

</dl>

<p>
This feature is available in Postfix 2.7 and later.
</p>

%CLASS smtpd-proxy SMTP Proxy filter

<p>
As of Postfix version 2.1, the SMTP server can forward all incoming
mail to a content filtering proxy server that inspects all mail
BEFORE it is stored in the Postfix mail queue.
</p>

<p>
WARNING: the proxy filter must reply within a fixed deadline or
else the remote SMTP client times out and mail duplication happens.
This becomes a problem as mail load increases so that fewer and
fewer CPU cycles remain available to meet the fixed deadline.
</p>

%PARAM smtpd_proxy_filter

<p> The hostname and TCP port of the mail filtering proxy server.
The proxy receives all mail from the Postfix SMTP server, and is
supposed to give the result to another Postfix SMTP server process.
</p>

<p> Specify "host:port" or "inet:host:port" for a TCP endpoint, or
"unix:pathname" for a UNIX-domain endpoint. The host can be specified
as an IP address or as a symbolic name; no MX lookups are done.
When no "host" or "host:" is specified, the local machine is
assumed. Pathname interpretation is relative to the Postfix queue
directory. </p>

<p> This feature is available in Postfix 2.1 and later.
</p>

<p> The "inet:" and "unix:" prefixes are available in Postfix 2.3
and later. </p>

%PARAM smtpd_proxy_timeout 100s

<p>
The time limit for connecting to a proxy filter and for sending or
receiving information. When a connection fails the client gets a
generic error message while more detailed information is logged to
the maillog file.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtpd_recipient_limit 1000

<p>
The maximal number of recipients that the Postfix SMTP server
accepts per message delivery request.
</p>

%PARAM smtpd_recipient_restrictions see "postconf -d" output

<p>
Optional restrictions that the Postfix SMTP server applies in the
context of a client RCPT TO command, after smtpd_relay_restrictions.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>

<p> With Postfix versions before 2.10, the rules for relay permission
and spam blocking were combined under smtpd_recipient_restrictions,
resulting in error-prone configuration. As of Postfix 2.10, relay
permission rules are preferably implemented with smtpd_relay_restrictions,
so that a permissive spam blocking policy under
smtpd_recipient_restrictions will no longer result in a permissive
mail relay policy. </p>

<p> For backwards compatibility, sites that migrate from Postfix
versions before 2.10 can set smtpd_relay_restrictions to the empty
value, and use smtpd_recipient_restrictions exactly as before.
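As an added Python model that is not Postfix code, the following shows the relay decision that permit_auth_destination and reject_unauth_destination make for a resolved RCPT TO address (forwarder domain or subdomain, final destination domain or address literal, and no sender-specified routing of the user@elsewhere@domain form), how the default smtpd_relay_restrictions list is walked with "first match wins", and a check that at least one reject or defer restriction is present as the IMPORTANT note requires. The RelayConfig class, the evaluate() function, the sample domains and the sample address 192.0.2.1 are constructed for this example, and the recipient addresses are assumed to be already resolved.

```python
import re
from dataclasses import dataclass, field

# One of these must appear in smtpd_relay_restrictions or
# smtpd_recipient_restrictions, otherwise Postfix refuses to receive mail.
TERMINAL_RESTRICTIONS = frozenset({
    "reject", "reject_unauth_destination",
    "defer", "defer_if_permit", "defer_unauth_destination",
})


@dataclass
class RelayConfig:
    """Constructed stand-in for the main.cf parameters the decision reads."""
    relay_domains: set = field(default_factory=set)    # matched with subdomains
    final_domains: set = field(default_factory=set)    # $mydestination, $virtual_*
    local_addresses: set = field(default_factory=set)  # $inet_interfaces, $proxy_interfaces


def parse_restriction_list(value: str) -> list:
    """Split a main.cf restriction list on commas and/or whitespace."""
    return [tok for tok in re.split(r"[\s,]+", value.strip()) if tok]


def has_terminal_restriction(smtpd_relay_restrictions: str,
                             smtpd_recipient_restrictions: str) -> bool:
    """The IMPORTANT check: at least one of the two lists names a
    reject/defer restriction (table arguments are harmless extra tokens)."""
    names = set(parse_restriction_list(smtpd_relay_restrictions))
    names |= set(parse_restriction_list(smtpd_recipient_restrictions))
    return bool(names & TERMINAL_RESTRICTIONS)


def is_auth_destination(cfg: RelayConfig, recipient: str) -> bool:
    """True when Postfix is a forwarder for, or the final destination of,
    the resolved recipient domain and the address carries no
    sender-specified routing."""
    localpart, sep, domain = recipient.rpartition("@")
    if not sep or "@" in localpart:     # user@elsewhere@domain is never authorized
        return False
    domain = domain.lower().rstrip(".")
    if domain.startswith("[") and domain.endswith("]"):
        return domain[1:-1] in cfg.local_addresses           # address literal
    if any(domain == d or domain.endswith("." + d) for d in cfg.relay_domains):
        return True                                           # mail forwarder
    return domain in cfg.final_domains                        # final destination


def evaluate(cfg: RelayConfig, restrictions: str, recipient: str,
             in_mynetworks: bool = False, sasl_authenticated: bool = False) -> str:
    """Walk a restriction list, first match wins. Returns OK, REJECT or
    DEFER, or DUNNO when the list is exhausted (evaluation then continues
    with the next list). Only the restrictions a relay policy needs are
    modelled; other names are skipped."""
    authorized = is_auth_destination(cfg, recipient)
    for name in parse_restriction_list(restrictions):
        if name == "permit_mynetworks" and in_mynetworks:
            return "OK"
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return "OK"
        if name == "permit_auth_destination" and authorized:
            return "OK"
        if name == "reject_unauth_destination" and not authorized:
            return "REJECT"
        if name == "defer_unauth_destination" and not authorized:
            return "DEFER"
        if name == "reject":
            return "REJECT"
        if name == "permit":
            return "OK"
    return "DUNNO"


if __name__ == "__main__":
    # Constructed site: forwarder for example.net, final destination for
    # example.com, one local interface address.
    site = RelayConfig(relay_domains={"example.net"},
                       final_domains={"example.com"},
                       local_addresses={"192.0.2.1"})
    default_policy = ("permit_mynetworks, permit_sasl_authenticated, "
                      "defer_unauth_destination")
    for rcpt in ("user@example.com", "user@sub.example.net",
                 "user@example.org", "user@elsewhere@example.com"):
        print(rcpt, "->", evaluate(site, default_policy, rcpt))
    print("terminal restriction present:",
          has_terminal_restriction(default_policy, ""))
```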
</p>

<p>
IMPORTANT: Either the smtpd_relay_restrictions or the
smtpd_recipient_restrictions parameter must specify
at least one of the following restrictions. Otherwise Postfix will
refuse to receive mail:
</p>

<blockquote>
<pre>
reject, reject_unauth_destination
</pre>
</blockquote>

<blockquote>
<pre>
defer, defer_if_permit, defer_unauth_destination
</pre>
</blockquote>

<p>
Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first
restriction that matches wins.
</p>

<p>
The following restrictions are specific to the recipient address
that is received with the RCPT TO command.
</p>

<dl>

<dt><b><a name="check_recipient_access">check_recipient_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the resolved RCPT
TO address, domain, parent domains, or localpart@, and execute the
corresponding action. </dd>

<dt><b><a name="check_recipient_a_access">check_recipient_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the IP addresses for
the RCPT TO domain, and execute the corresponding action. Note:
a result of "OK" is not allowed for safety reasons. Instead, use
DUNNO in order to exclude specific hosts from denylists. This
feature is available in Postfix 3.0 and later. </dd>

<dt><b><a name="check_recipient_mx_access">check_recipient_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the MX hosts for
the RCPT TO domain, and execute the corresponding action.
If no
MX record is found, look up A or AAAA records, just like the Postfix
SMTP client would. Note:
a result of "OK" is not allowed for safety reasons. Instead, use
DUNNO in order to exclude specific hosts from denylists. This
feature is available in Postfix 2.1 and later. </dd>

<dt><b><a name="check_recipient_ns_access">check_recipient_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the DNS servers
for the RCPT TO domain, and execute the corresponding action.
Note: a result of "OK" is not allowed for safety reasons. Instead,
use DUNNO in order to exclude specific hosts from denylists. This
feature is available in Postfix 2.1 and later. </dd>

<dt><b><a name="permit_auth_destination">permit_auth_destination</a></b></dt>

<dd>Permit the request when one of the following is true:

<ul>

<li> Postfix is a mail forwarder: the resolved RCPT TO domain matches
$relay_domains or a subdomain thereof, and the address contains no
sender-specified routing (user@elsewhere@domain),

<li> Postfix is the final destination: the resolved RCPT TO domain
matches $mydestination, $inet_interfaces, $proxy_interfaces,
$virtual_alias_domains, or $virtual_mailbox_domains, and the address
contains no sender-specified routing (user@elsewhere@domain).

</ul></dd>

<dt><b><a name="permit_mx_backup">permit_mx_backup</a></b></dt>

<dd>Permit the request when the local mail system is a backup MX for
the RCPT TO domain, or when the domain is an authorized destination
(see permit_auth_destination for definition).

<ul>

<li> Safety: permit_mx_backup does not accept addresses that have
sender-specified routing information (example: user@elsewhere@domain).

<li> Safety: permit_mx_backup can be vulnerable to mis-use when
access is not restricted with permit_mx_backup_networks.

<li> Safety: as of Postfix version 2.3, permit_mx_backup no longer
accepts the address when the local mail system is a primary MX for
the recipient domain. Exception: permit_mx_backup accepts the address
when it specifies an authorized destination (see permit_auth_destination
for definition).

<li> Limitation: mail may be rejected in case of a temporary DNS
lookup problem with Postfix prior to version 2.0.

</ul></dd>

<dt><b><a name="reject_non_fqdn_recipient">reject_non_fqdn_recipient</a></b></dt>

<dd>Reject the request when the RCPT TO address specifies a
domain that is not in
fully-qualified domain form, as required by the RFC. <br> The
non_fqdn_reject_code parameter specifies the response code for
rejected requests (default: 504). </dd>

<dt><b><a name="reject_rhsbl_recipient">reject_rhsbl_recipient <i>rbl_domain=d.d.d.d</i></a></b></dt>

<dd>Reject the request when the RCPT TO domain is listed with the
A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix version
2.1 and later only). Each "<i>d</i>" is a number, or a pattern
inside "[]" that contains one or more ";"-separated numbers or
number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified, reject
the request when the RCPT TO domain is listed with
any A record under <i>rbl_domain</i>. <br> The maps_rbl_reject_code
parameter specifies the response code for rejected requests (default:
554); the default_rbl_reply parameter specifies the default server
reply; and the rbl_reply_maps parameter specifies tables with server
replies indexed by <i>rbl_domain</i>.
This feature is available
in Postfix version 2.0 and later.</dd>

<dt><b><a name="reject_unauth_destination">reject_unauth_destination</a></b></dt>

<dd>Reject the request unless one of the following is true:

<ul>

<li> Postfix is a mail forwarder: the resolved RCPT TO domain matches
$relay_domains or a subdomain thereof, and contains no sender-specified
routing (user@elsewhere@domain),

<li> Postfix is the final destination: the resolved RCPT TO domain
matches $mydestination, $inet_interfaces, $proxy_interfaces,
$virtual_alias_domains, or $virtual_mailbox_domains, and contains
no sender-specified routing (user@elsewhere@domain).

</ul>The relay_domains_reject_code parameter specifies the response
code for rejected requests (default: 554). </dd>

<dt><b><a name="defer_unauth_destination">defer_unauth_destination</a></b></dt>

<dd> Reject the same requests as reject_unauth_destination, with a
non-permanent error code. This feature is available in Postfix
2.10 and later.</dd>

<dt><b><a name="reject_unknown_recipient_domain">reject_unknown_recipient_domain</a></b></dt>

<dd>Reject the request when Postfix is not the final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS MX and
no DNS A
record or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
reply is specified with the unknown_address_reject_code parameter
(default: 450), unknown_address_tempfail_action (default:
defer_if_permit), or 556 (nullmx, Postfix 3.0 and
later). See the respective parameter descriptions for details.
</dd>

<dt><b><a name="reject_unlisted_recipient">reject_unlisted_recipient</a></b> (with Postfix version 2.0: check_recipient_maps)</dt>

<dd> Reject the request when the RCPT TO address is not listed in
the list of valid recipients for its domain class. See the
smtpd_reject_unlisted_recipient parameter description for details.
This feature is available in Postfix 2.1 and later.</dd>

<dt><b><a name="reject_unverified_recipient">reject_unverified_recipient</a></b></dt>

<dd>Reject the request when mail to the RCPT TO address is known
to bounce, or when the recipient address destination is not reachable.
Address verification information is managed by the verify(8) server;
see the ADDRESS_VERIFICATION_README file for details. <br> The
unverified_recipient_reject_code parameter specifies the numerical
response code when an address is known to bounce (default: 450,
change it to 550 when you are confident that it is safe to do so).
<br>The unverified_recipient_defer_code parameter specifies the
numerical response code when an address probe failed due to a
temporary problem (default: 450). <br> The
unverified_recipient_tempfail_action parameter specifies the action
after address probe failure due to a temporary problem (default:
defer_if_permit). <br> This feature breaks for aliased addresses
with "enable_original_recipient = no" (Postfix ≤ 3.2). <br>
This feature is available in Postfix 2.1 and later. </dd>

</dl>

<p>
Other restrictions that are valid in this context:
</p>

<ul>

<li><a href="#generic">Generic</a> restrictions that can be used
in any SMTP command context, described under smtpd_client_restrictions.

<li>SMTP command specific restrictions described under
smtpd_client_restrictions, smtpd_helo_restrictions and
smtpd_sender_restrictions.

</ul>

<p>
Example:
</p>

<pre>
# The Postfix before 2.10 default mail relay policy. Later Postfix
# versions implement this preferably with smtpd_relay_restrictions.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
</pre>

%PARAM smtpd_relay_restrictions permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

<p> Access restrictions for mail relay control that the Postfix
SMTP server applies in the context of the RCPT TO command, before
smtpd_recipient_restrictions.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>

<p> With Postfix versions before 2.10, the rules for relay permission
and spam blocking were combined under smtpd_recipient_restrictions,
resulting in error-prone configuration. As of Postfix 2.10, relay
permission rules are preferably implemented with smtpd_relay_restrictions,
so that a permissive spam blocking policy under
smtpd_recipient_restrictions will no longer result in a permissive
mail relay policy. </p>

<p> For backwards compatibility, sites that migrate from Postfix
versions before 2.10 can set smtpd_relay_restrictions to the empty
value, and use smtpd_recipient_restrictions exactly as before. </p>

<p>
By default, the Postfix SMTP server accepts:
</p>

<ul>

<li> Mail from clients whose IP address matches $mynetworks, or:

<li> Mail from clients who are SASL authenticated, or:

<li> Mail to remote destinations that match $relay_domains, except
for addresses that contain sender-specified routing
(user@elsewhere@domain), or:

<li> Mail to local destinations that match $inet_interfaces
or $proxy_interfaces, $mydestination, $virtual_alias_domains, or
$virtual_mailbox_domains.

</ul>

<p>
IMPORTANT: Either the smtpd_relay_restrictions or the
smtpd_recipient_restrictions parameter must specify
at least one of the following restrictions. Otherwise Postfix will
refuse to receive mail:
</p>

<blockquote>
<pre>
reject, reject_unauth_destination
</pre>
</blockquote>

<blockquote>
<pre>
defer, defer_if_permit, defer_unauth_destination
</pre>
</blockquote>

<p>
Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
The same restrictions are available as documented under
smtpd_recipient_restrictions.
</p>

<p> This feature is available in Postfix 2.10 and later. </p>

%CLASS sasl-auth SASL Authentication

<p>
Postfix SASL support (RFC 4954) can be used to authenticate remote
SMTP clients to the Postfix SMTP server, and to authenticate the
Postfix SMTP client to a remote SMTP server.
See the SASL_README document for details.
</p>

%PARAM smtpd_sasl_auth_enable no

<p>
Enable SASL authentication in the Postfix SMTP server. By default,
the Postfix SMTP server does not use authentication.
</p>

<p>
If a remote SMTP client is authenticated, the permit_sasl_authenticated
access restriction can be used to permit relay access, like this:
</p>

<blockquote>
<pre>
# With Postfix 2.10 and later, the mail relay policy is
# preferably specified under smtpd_relay_restrictions.
smtpd_relay_restrictions =
    permit_mynetworks, permit_sasl_authenticated, ...
</pre>

<pre>
# With Postfix before 2.10, the relay policy can be
# specified only under smtpd_recipient_restrictions.
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated, ...
</pre>
</blockquote>

<p> To reject all SMTP connections from unauthenticated clients,
specify "smtpd_delay_reject = yes" (which is the default) and use:
</p>

<blockquote>
<pre>
smtpd_client_restrictions = permit_sasl_authenticated, reject
</pre>
</blockquote>

<p>
See the SASL_README file for SASL configuration and operation details.
</p>

%PARAM smtpd_sasl_authenticated_header no

<p> Report the SASL authenticated user name in the smtpd(8) Received
message header. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtpd_sasl_exceptions_networks

<p>
What remote SMTP clients the Postfix SMTP server will not offer
AUTH support to.
</p>

<p>
Some clients (Netscape 4 at least) have a bug that causes them to
require a login and password whenever AUTH is offered, whether it's
necessary or not. To work around this, specify, for example,
$mynetworks to prevent Postfix from offering AUTH to local clients.
</p>

<p>
Specify a list of network/netmask patterns, separated by commas
and/or whitespace. The mask specifies the number of bits in the
network part of a host address. You can also specify "/file/name" or
"type:table" patterns. A "/file/name" pattern is replaced by its
contents; a "type:table" lookup table is matched when a table entry
matches a lookup string (the lookup result is ignored). Continue
long lines by starting the next line with whitespace. Specify
"!pattern" to exclude an address or network block from the list.
The form "!/file/name" is supported only in Postfix version 2.4 and
later. </p>

<p> Note: IP version 6 address information must be specified inside
<tt>[]</tt> in the smtpd_sasl_exceptions_networks value, and in
files specified with "/file/name".
IP version 6 addresses contain
the ":" character, and would otherwise be confused with a "type:table"
pattern. </p>

<p>
Example:
</p>

<pre>
smtpd_sasl_exceptions_networks = $mynetworks
</pre>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtpd_sasl_local_domain

<p>
The name of the Postfix SMTP server's local SASL authentication
realm.
</p>

<p>
By default, the local authentication realm name is the null string.
</p>

<p>
Examples:
</p>

<pre>
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_local_domain = $myhostname
</pre>

%PARAM smtpd_sasl_security_options noanonymous

<p> Postfix SMTP server SASL security options; as of Postfix 2.3
the list of available
features depends on the SASL server implementation that is selected
with <b>smtpd_sasl_type</b>. </p>

<p> The following security features are defined for the <b>cyrus</b>
server SASL implementation: </p>

<p>
Restrict what authentication mechanisms the Postfix SMTP server
will offer to the client. The list of available authentication
mechanisms is system dependent.
</p>

<p>
Specify zero or more of the following:
</p>

<dl>

<dt><b>noplaintext</b></dt>

<dd>Disallow methods that use plaintext passwords. </dd>

<dt><b>noactive</b></dt>

<dd>Disallow methods subject to active (non-dictionary) attack. </dd>

<dt><b>nodictionary</b></dt>

<dd>Disallow methods subject to passive (dictionary) attack. </dd>

<dt><b>noanonymous</b></dt>

<dd>Disallow methods that allow anonymous authentication. </dd>

<dt><b>forward_secrecy</b></dt>

<dd>Only allow methods that support forward secrecy (Dovecot only).
</dd>

<dt><b>mutual_auth</b></dt>

<dd>Only allow methods that provide mutual authentication (not available
with Cyrus SASL version 1). </dd>

</dl>

<p>
By default, the Postfix SMTP server accepts plaintext passwords but
not anonymous logins.
</p>

<p>
Warning: it appears that clients try authentication methods in the
order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
which means that if you disable plaintext passwords, clients will
log in anonymously, even when they should be able to use CRAM-MD5.
So, if you disable plaintext logins, disable anonymous logins too.
Postfix treats anonymous login as no authentication.
</p>

<p>
Example:
</p>

<pre>
smtpd_sasl_security_options = noanonymous, noplaintext
</pre>

%PARAM smtpd_sender_login_maps

<p>
Optional lookup table with the SASL login names that own the sender
(MAIL FROM) addresses.
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found. With lookups from
indexed files such as DB or DBM, or from networked tables such as
NIS, LDAP or SQL, the following search operations are done with a
sender address of <i>user@domain</i>: </p>

<dl>

<dt> 1) <i>user@domain</i> </dt>

<dd>This table lookup is always done and has the highest precedence. </dd>

<dt> 2) <i>user</i> </dt>

<dd>This table lookup is done only when the <i>domain</i> part of the
sender address matches $myorigin, $mydestination, $inet_interfaces
or $proxy_interfaces. </dd>

<dt> 3) <i>@domain</i> </dt>

<dd>This table lookup is done last and has the lowest precedence.
</dd>

</dl>

<p>
In all cases the result of table lookup must be either "not found"
or a list of SASL login names separated by comma and/or whitespace.
</p>

%PARAM smtpd_sender_restrictions

<p>
Optional restrictions that the Postfix SMTP server applies in the
context of a client MAIL FROM command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>

<p>
The default is to permit everything.
</p>

<p>
Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order as specified; the first
restriction that matches wins.
</p>

<p>
The following restrictions are specific to the sender address
received with the MAIL FROM command.
</p>

<dl>

<dt><b><a name="check_sender_access">check_sender_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the MAIL FROM
address, domain, parent domains, or localpart@, and execute the
corresponding action. </dd>

<dt><b><a name="check_sender_a_access">check_sender_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the IP addresses for
the MAIL FROM domain, and execute the corresponding action. Note:
a result of "OK" is not allowed for safety reasons. Instead, use
DUNNO in order to exclude specific hosts from denylists. This
feature is available in Postfix 3.0 and later.
</dd>

<dt><b><a name="check_sender_mx_access">check_sender_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the MX hosts for
the MAIL FROM domain, and execute the corresponding action. If no
MX record is found, look up A or AAAA records, just like the Postfix
SMTP client would. Note:
a result of "OK" is not allowed for safety reasons. Instead, use
DUNNO in order to exclude specific hosts from denylists. This
feature is available in Postfix 2.1 and later. </dd>

<dt><b><a name="check_sender_ns_access">check_sender_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>

<dd>Search the specified access(5) database for the DNS servers
for the MAIL FROM domain, and execute the corresponding action.
Note: a result of "OK" is not allowed for safety reasons. Instead,
use DUNNO in order to exclude specific hosts from denylists. This
feature is available in Postfix 2.1 and later. </dd>

<dt><b><a name="reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a></b></dt>

<dd> Reject the request when the client is authenticated with SASL,
but either the MAIL FROM address is not listed in $smtpd_sender_login_maps,
or the SASL login name is not an owner for that address.
<br>
This prevents an authenticated client from using a MAIL FROM address
that they do not explicitly own.
<br>
This feature is available in Postfix version 2.1 and later. </dd>

<dt><b><a name="reject_known_sender_login_mismatch">reject_known_sender_login_mismatch</a></b></dt>

<dd> When the client is authenticated with SASL, reject the request
when the MAIL FROM address is listed in $smtpd_sender_login_maps,
but the SASL login name is not an owner for that address.
<br>
When the client is not authenticated with SASL, reject the request
when SASL is enabled, and the MAIL FROM address is listed in
$smtpd_sender_login_maps.
<br>
This protects any MAIL FROM address that is listed in
$smtpd_sender_login_maps, while still allowing a client to use any
unlisted MAIL FROM address.
<br>
This feature is available in Postfix version 2.11 and later.</dd>

<dt><b><a name="reject_non_fqdn_sender">reject_non_fqdn_sender</a></b></dt>

<dd>Reject the request when the MAIL FROM address specifies a
domain that is not in
fully-qualified domain form as required by the RFC. <br> The
non_fqdn_reject_code parameter specifies the response code for
rejected requests (default: 504). </dd>

<dt><b><a name="reject_rhsbl_sender">reject_rhsbl_sender <i>rbl_domain=d.d.d.d</i></a></b></dt>

<dd>Reject the request when the MAIL FROM domain is listed with
the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix
version 2.1 and later only). Each "<i>d</i>" is a number, or a
pattern inside "[]" that contains one or more ";"-separated numbers
or number..number ranges (Postfix version 2.8 and later). If no
"<i>=d.d.d.d</i>" is specified,
reject the request when the MAIL FROM domain is
listed with any A record under <i>rbl_domain</i>. <br> The
maps_rbl_reject_code parameter specifies the response code for
rejected requests (default: 554); the default_rbl_reply parameter
specifies the default server reply; and the rbl_reply_maps parameter
specifies tables with server replies indexed by <i>rbl_domain</i>.
This feature is available in Postfix 2.0 and later.</dd>

<dt><b><a name="reject_sender_login_mismatch">reject_sender_login_mismatch</a></b></dt>

<dd> As of Postfix 2.1, this is an alias for
"reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch".</dd>

<dt><b><a name="reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a></b></dt>

<dd> Reject the request when SASL is enabled, the MAIL FROM address
is listed in $smtpd_sender_login_maps, but the client is not
authenticated with SASL.
<br>
With SASL enabled, this prevents an unauthenticated client from
using any MAIL FROM address that is listed in $smtpd_sender_login_maps.
<br>
This feature is available in Postfix version 2.1 and later.</dd>

<dt><b><a name="reject_unknown_sender_domain">reject_unknown_sender_domain</a></b></dt>

<dd>Reject the request when Postfix is not the final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
no DNS A
record, or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
reply is specified with the unknown_address_reject_code parameter
(default: 450), unknown_address_tempfail_action (default:
defer_if_permit), or 550 (nullmx, Postfix 3.0 and
later). See the respective parameter descriptions for details.
</dd>

<dt><b><a name="reject_unlisted_sender">reject_unlisted_sender</a></b></dt>

<dd>Reject the request when the MAIL FROM address is not listed in
the list of valid recipients for its domain class. See the
smtpd_reject_unlisted_sender parameter description for details.
This feature is available in Postfix 2.1 and later.</dd>

<dt><b><a name="reject_unverified_sender">reject_unverified_sender</a></b></dt>

<dd>Reject the request when mail to the MAIL FROM address is known to
bounce, or when the sender address destination is not reachable.
Address verification information is managed by the verify(8) server;
see the ADDRESS_VERIFICATION_README file for details. <br> The
unverified_sender_reject_code parameter specifies the numerical
response code when an address is known to bounce (default: 450,
change into 550 when you are confident that it is safe to do so).
<br> The unverified_sender_defer_code parameter specifies the numerical
response code when an address probe failed due to a temporary problem
(default: 450). <br> The unverified_sender_tempfail_action parameter
specifies the action after address probe failure due to a temporary
problem (default: defer_if_permit). <br> This feature breaks for
aliased addresses with "enable_original_recipient = no" (Postfix
≤ 3.2). <br> This feature is available in Postfix 2.1 and later.
</dd>

</dl>

<p>
Other restrictions that are valid in this context:
</p>

<ul>

<li> <a href="#generic">Generic</a> restrictions that can be used
in any SMTP command context, described under smtpd_client_restrictions.

<li> SMTP command specific restrictions described under
smtpd_client_restrictions and smtpd_helo_restrictions.

<li> SMTP command specific restrictions described under
smtpd_recipient_restrictions. When recipient restrictions are listed
under smtpd_sender_restrictions, they have effect only with
"smtpd_delay_reject = yes", so that $smtpd_sender_restrictions is
evaluated at the time of the RCPT TO command.
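<p> The smtpd_sender_login_maps lookup order (user@domain, then user for local domains, then @domain) and the decisions of reject_authenticated_sender_login_mismatch, reject_unauthenticated_sender_login_mismatch, reject_known_sender_login_mismatch and the reject_sender_login_mismatch alias, modelled in Python as an added example that is not Postfix code. The table contents, the set of local domains and the client sessions are constructed for the example; in Postfix the lookups are done by smtpd(8) against the configured tables. </p>

```python
"""Model of the smtpd_sender_login_maps lookups and the
reject_*_sender_login_mismatch restrictions (added example, not Postfix code)."""

# Constructed stand-in for a smtpd_sender_login_maps table: lookup key ->
# owner login names "separated by comma and/or whitespace". Keys use the
# three documented forms: user@domain, user, and @domain.
SENDER_LOGIN_MAP = {
    "alice@example.com": "alice",
    "@sales.example.com": "bob, carol",
    "postmaster": "alice carol",
}

# Constructed stand-in for $myorigin, $mydestination, $inet_interfaces and
# $proxy_interfaces: the domains for which the bare "user" lookup is done.
LOCAL_DOMAINS = frozenset({"example.com", "localhost"})


def lookup_owners(sender, table=SENDER_LOGIN_MAP, local_domains=LOCAL_DOMAINS):
    """Return the set of SASL logins that own a MAIL FROM address, or None
    when every lookup is "not found". Lookups follow the documented
    precedence: 1) user@domain, 2) user (local domains only), 3) @domain.
    Addresses are case-folded here for simplicity."""
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    keys = [sender]
    if domain in local_domains:
        keys.append(user)
    keys.append("@" + domain)
    for key in keys:
        if key in table:
            return set(table[key].replace(",", " ").split())
    return None


def sender_login_decision(restriction, sender, sasl_enabled, sasl_user):
    """Return "REJECT" or "DUNNO" for one restriction applied to a MAIL FROM.

    sasl_user is the SASL login name, or None when the client is not
    authenticated. "DUNNO" means this restriction makes no decision and
    the next restriction in the list is evaluated."""
    owners = lookup_owners(sender)
    authenticated = sasl_user is not None
    listed = owners is not None
    is_owner = listed and sasl_user in owners

    if restriction == "reject_authenticated_sender_login_mismatch":
        # Authenticated clients may only use addresses they explicitly own;
        # an unlisted address counts as "not owned".
        return "REJECT" if authenticated and not is_owner else "DUNNO"

    if restriction == "reject_unauthenticated_sender_login_mismatch":
        # With SASL enabled, listed addresses are off limits to
        # unauthenticated clients; unlisted addresses are not affected.
        return "REJECT" if sasl_enabled and listed and not authenticated else "DUNNO"

    if restriction == "reject_known_sender_login_mismatch":
        # Protects listed addresses only, so any client may still use an
        # unlisted MAIL FROM address.
        if not listed:
            return "DUNNO"
        if authenticated:
            return "DUNNO" if is_owner else "REJECT"
        return "REJECT" if sasl_enabled else "DUNNO"

    if restriction == "reject_sender_login_mismatch":
        # Alias for the authenticated + unauthenticated pair (Postfix 2.1+).
        parts = ("reject_authenticated_sender_login_mismatch",
                 "reject_unauthenticated_sender_login_mismatch")
        verdicts = {sender_login_decision(p, sender, sasl_enabled, sasl_user)
                    for p in parts}
        return "REJECT" if "REJECT" in verdicts else "DUNNO"

    raise ValueError("unknown restriction: " + restriction)


if __name__ == "__main__":
    # Constructed sessions: (sasl_enabled, sasl_user, MAIL FROM address).
    sessions = [
        (True, "alice", "alice@example.com"),       # owner of the address
        (True, "alice", "bob@sales.example.com"),   # listed, wrong owner
        (True, "alice", "nobody@other.example"),    # authenticated, unlisted
        (True, None, "alice@example.com"),          # unauthenticated, listed
        (True, None, "nobody@other.example"),       # unauthenticated, unlisted
    ]
    for restriction in ("reject_authenticated_sender_login_mismatch",
                        "reject_unauthenticated_sender_login_mismatch",
                        "reject_known_sender_login_mismatch"):
        print(restriction)
        for enabled, user, sender in sessions:
            print("  %-7s %-24s -> %s" % (user or "(none)", sender,
                  sender_login_decision(restriction, sender, enabled, user)))
```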

</ul>

<p>
Examples:
</p>

<pre>
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/access
</pre>

%PARAM smtpd_timeout normal: 300s, overload: 10s

<p> When the Postfix SMTP server wants to send an SMTP server
response, how long the Postfix SMTP server will wait for an underlying
network write operation to complete; and when the Postfix SMTP
server wants to receive an SMTP client request, how long
the Postfix SMTP server will wait for an underlying network read
operation to complete. See the smtpd_per_request_deadline parameter
for how this time limit may be enforced (with Postfix 2.9-3.6 see
smtpd_per_record_deadline). </p>

<p> Normally the default limit
is 300s, but it changes under overload to just 10s. With Postfix
2.5 and earlier, the SMTP server always uses a time limit of 300s
by default.
</p>

<p>
Note: if you set SMTP time limits to very large values you may have
to update the global ipc_timeout parameter.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM soft_bounce no

<p>
Safety net to keep mail queued that would otherwise be returned to
the sender. This parameter disables locally-generated bounces,
changes the handling of negative responses from remote servers,
content filters or plugins,
and prevents the Postfix SMTP server from rejecting mail permanently
by changing 5xx reply codes into 4xx. However, soft_bounce is no
cure for address rewriting mistakes or mail routing mistakes.
</p>

<p>
Note: "soft_bounce = yes" is in some cases implemented by modifying
server responses. Therefore, the response that Postfix logs may
differ from the response that Postfix actually sends or receives.
</p>

<p>
Example:
</p>

<pre>
soft_bounce = yes
</pre>

%PARAM stale_lock_time 500s

<p>
The time after which a stale exclusive mailbox lockfile is removed.
This is used for delivery to file or mailbox.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM strict_rfc821_envelopes no

<p>
Require that addresses received in SMTP MAIL FROM and RCPT TO
commands are enclosed with &lt;&gt;, and that those addresses do
not contain RFC 822 style comments or phrases. This stops mail
from poorly written software.
</p>

<p>
By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL
FROM and RCPT TO addresses.
</p>

%PARAM swap_bangpath yes

<p>
Enable the rewriting of "site!user" into "user@site". This is
necessary if your machine is connected to UUCP networks. It is
enabled by default.
</p>

<p> Note: with Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true: </p>

<ul>

<li> The message is received with the Postfix sendmail(1) command,

<li> The message is received from a network client that matches
$local_header_rewrite_clients,

<li> The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.

</ul>

<p> To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all". </p>

<p>
Example:
</p>

<pre>
swap_bangpath = no
</pre>

%PARAM syslog_facility mail

<p>
The syslog facility of Postfix logging. Specify a facility as
defined in syslog.conf(5). The default facility is "mail".
</p>

<p>
Warning: a non-default syslog_facility setting takes effect only
after a Postfix process has completed initialization. Errors during
process initialization will be logged with the default facility.
Examples are errors while parsing the command line arguments, and
errors while accessing the Postfix main.cf configuration file.
</p>

%PARAM syslog_name see "postconf -d" output

<p>
A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
</p>

<p>
Warning: a non-default syslog_name setting takes effect only after
a Postfix process has completed initialization. Errors during
process initialization will be logged with the default name. Examples
are errors while parsing the command line arguments, and errors
while accessing the Postfix main.cf configuration file.
</p>

%PARAM transport_maps

<p>
Optional lookup tables with mappings from recipient address to
(message delivery transport, next-hop destination). See transport(5)
for details.
</p>

<p>
Specify zero or more "type:table" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found. If you use this
feature with local files, run "<b>postmap /etc/postfix/transport</b>"
after making a change.
</p>

<p> Pattern matching of domain names is controlled by the presence
or absence of "transport_maps" in the parent_domain_matches_subdomains
parameter value. </p>

<p> For safety reasons, as of Postfix 2.3 this feature does not
allow $number substitutions in regular expression maps. </p>

<p>
Examples:
</p>

<pre>
transport_maps = dbm:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport
</pre>

%PARAM transport_retry_time 60s

<p>
The time between attempts by the Postfix queue manager to contact
a malfunctioning message delivery transport.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM trigger_timeout 10s

<p>
The time limit for sending a trigger to a Postfix daemon (for
example, the pickup(8) or qmgr(8) daemon). This time limit prevents
programs from getting stuck when the mail system is under heavy
load.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM unknown_address_reject_code 450

<p>
The numerical response code when the Postfix SMTP server rejects a
sender or recipient address because its domain is unknown. This
is one of the possible replies from the restrictions
reject_unknown_sender_domain and reject_unknown_recipient_domain.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

%PARAM unknown_client_reject_code 450

<p>
The numerical Postfix SMTP server response code when a client
without valid address &lt;=&gt; name mapping is rejected by the
reject_unknown_client_hostname restriction. The SMTP server always replies
with 450 when the mapping failed due to a temporary error condition.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

%PARAM unknown_hostname_reject_code 450

<p>
The numerical Postfix SMTP server response code when the hostname
specified with the HELO or EHLO command is rejected by the
reject_unknown_helo_hostname restriction.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

%PARAM unknown_local_recipient_reject_code 550

<p>
The numerical Postfix SMTP server response code when a recipient
address is local, and $local_recipient_maps specifies a list of
lookup tables that does not match the recipient. A recipient
address is local when its domain matches $mydestination,
$proxy_interfaces or $inet_interfaces.
</p>

<p>
The default setting is 550 (reject mail) but it is safer to initially
use 450 (try again later) so you have time to find out if your
local_recipient_maps settings are OK.
</p>

<p>
Example:
</p>

<pre>
unknown_local_recipient_reject_code = 450
</pre>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM unverified_recipient_reject_code 450

<p>
The numerical Postfix SMTP server response when a recipient address
is rejected by the reject_unverified_recipient restriction.
</p>

<p>
Unlike elsewhere in Postfix, you can specify 250 in order to
accept the address anyway.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM unverified_recipient_defer_code 450

<p>
The numerical Postfix SMTP server response when a recipient address
probe fails due to a temporary error condition.
</p>

<p>
Unlike elsewhere in Postfix, you can specify 250 in order to
accept the address anyway.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

<p>
This feature is available in Postfix 2.6 and later.
</p>

%PARAM unverified_sender_reject_code 450

<p>
The numerical Postfix SMTP server response code when a sender
address is rejected by the reject_unverified_sender restriction.
</p>

<p>
Unlike elsewhere in Postfix, you can specify 250 in order to
accept the address anyway.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM unverified_sender_defer_code 450

<p>
The numerical Postfix SMTP server response code when a sender address
probe fails due to a temporary error condition.
</p>

<p>
Unlike elsewhere in Postfix, you can specify 250 in order to
accept the address anyway.
</p>

<p>
Do not change this unless you have a complete understanding of RFC 5321.
</p>

<p>
This feature is available in Postfix 2.6 and later.
</p>

%PARAM virtual_alias_domains $virtual_alias_maps

<p> Postfix is the final destination for the specified list of virtual
alias domains, that is, domains for which all addresses are aliased
to addresses in other local or remote domains. The SMTP server
validates recipient addresses with $virtual_alias_maps and rejects
non-existent recipients.
See also the virtual alias domain class
in the ADDRESS_CLASS_README file. </p>

<p>
This feature is available in Postfix 2.0 and later. The default
value is backwards compatible with Postfix version 1.1.
</p>

<p>
The default value is $virtual_alias_maps so that you can keep all
information about virtual alias domains in one place. If you have
many users, it is better to separate information that changes more
frequently (virtual address -> local or remote address mapping)
from information that changes less frequently (the list of virtual
domain names).
</p>

<p> Specify a list of host or domain names, "/file/name" or
"type:table" patterns, separated by commas and/or whitespace. A
"/file/name" pattern is replaced by its contents; a "type:table"
lookup table is matched when a table entry matches a host or domain name
(the lookup result is ignored). Continue long lines by starting
the next line with whitespace. Specify "!pattern" to exclude a host
or domain name from the list. The form "!/file/name" is supported
only in Postfix version 2.4 and later. </p>

<p>
See also the VIRTUAL_README and ADDRESS_CLASS_README documents
for further information.
</p>

<p>
Example:
</p>

<pre>
virtual_alias_domains = virtual1.tld virtual2.tld
</pre>

%PARAM virtual_alias_expansion_limit 1000

<p>
The maximal number of addresses that virtual alias expansion produces
from each original recipient.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM virtual_alias_maps $virtual_maps

<p>
Optional lookup tables that alias specific mail addresses or domains
to other local or remote addresses. The table format and lookups
are documented in virtual(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.
</p>

<p>
This feature is available in Postfix 2.0 and later. The default
value is backwards compatible with Postfix version 1.1.
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>

<p>
If you use this feature with indexed files, run "<b>postmap
/etc/postfix/virtual</b>" after changing the file.
</p>

<p>
Examples:
</p>

<pre>
virtual_alias_maps = dbm:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
</pre>

%PARAM virtual_alias_recursion_limit 1000

<p>
The maximal nesting depth of virtual alias expansion. Currently
the recursion limit is applied only to the left branch of the
expansion graph, so the depth of the tree can in the worst case
reach the sum of the expansion and recursion limits. This may
change in the future.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%CLASS trouble-shooting Troubleshooting

<p>
The DEBUG_README document describes how to debug parts of the
Postfix mail system. The methods vary from making the software log
a lot of detail, to running some daemon processes under control of
a call tracer or debugger.
</p>

%PARAM debugger_command

<p>
The external command to execute when a Postfix daemon program is
invoked with the -D option.
</p>

<p>
Use "command .. & sleep 5" so that the debugger can attach before
the process marches on. If you use an X-based debugger, be sure to
set up your XAUTHORITY environment variable before starting Postfix.
</p>

<p>
Note: the command is subject to $name expansion, before it is
passed to the default command interpreter.
Specify "$$" to
produce a single "$" character.
</p>

<p>
Example:
</p>

<pre>
debugger_command =
    PATH=/usr/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
</pre>

%PARAM 2bounce_notice_recipient postmaster

<p> The recipient of undeliverable mail that cannot be returned to
the sender. This feature is enabled with the notify_classes
parameter. </p>

%PARAM address_verify_service_name verify

<p>
The name of the verify(8) address verification service. This service
maintains the status of sender and/or recipient address verification
probes, and generates probes on request by other Postfix processes.
</p>

%PARAM alternate_config_directories

<p>
A list of non-default Postfix configuration directories that may
be specified with "-c config_directory" on the command line (in the
case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG
environment parameter.
</p>

<p>
This list must be specified in the default Postfix main.cf file,
and will be used by set-gid Postfix commands such as postqueue(1)
and postdrop(1).
</p>

<p>
Specify absolute pathnames, separated by comma or space. Note: $name
expansion is not supported.
</p>

%PARAM append_at_myorigin yes

<p>
With locally submitted mail, append the string "@$myorigin" to mail
addresses without domain information. With remotely submitted mail,
append the string "@$remote_header_rewrite_domain" instead.
</p>

<p>
Note 1: this feature is enabled by default and must not be turned off.
Postfix does not support domain-less addresses.
</p>

<p> Note 2: with Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true: </p>

<ul>

<li> The message is received with the Postfix sendmail(1) command,

<li> The message is received from a network client that matches
$local_header_rewrite_clients,

<li> The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.

</ul>

<p> To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all". </p>

%PARAM append_dot_mydomain Postfix ≥ 3.0: no, Postfix < 3.0: yes

<p>
With locally submitted mail, append the string ".$mydomain" to
addresses that have no ".domain" information. With remotely submitted
mail, append the string ".$remote_header_rewrite_domain"
instead.
</p>

<p>
Note 1: When disabled (Postfix 3.0 and later), users will not be
able to send mail to "user@partialdomainname" but will have to
specify full domain names instead.
</p>

<p> Note 2: with Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true: </p>

<ul>

<li> The message is received with the Postfix sendmail(1) command,

<li> The message is received from a network client that matches
$local_header_rewrite_clients,

<li> The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.

</ul>

<p> To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all". </p>

%PARAM application_event_drain_time 100s

<p>
How long the postkick(1) command waits for a request to enter the
Postfix daemon process input buffer before giving up.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM authorized_flush_users static:anyone

<p>
List of users who are authorized to flush the queue.
</p>

<p>
By default, all users are allowed to flush the queue. Access is
always granted if the invoking user is the super-user or the
$mail_owner user. Otherwise, the real UID of the process is looked
up in the system password file, and access is granted only if the
corresponding login name is on the access list. The username
"unknown" is used for processes whose real UID is not found in the
password file. </p>

<p>
Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name"
pattern is replaced
by its contents; a "type:table" lookup table is matched when a name
matches a lookup key (the lookup result is ignored). Continue long
lines by starting the next line with whitespace. Specify "!pattern"
to exclude a name from the list. The form "!/file/name" is supported
only in Postfix version 2.4 and later. </p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

%PARAM authorized_mailq_users static:anyone

<p>
List of users who are authorized to view the queue.
</p>

<p>
By default, all users are allowed to view the queue. Access is
always granted if the invoking user is the super-user or the
$mail_owner user.
Otherwise, the real UID of the process is looked
up in the system password file, and access is granted only if the
corresponding login name is on the access list. The username
"unknown" is used for processes whose real UID is not found in the
password file. </p>

<p>
Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to
right, and the search stops on the first match. A "/file/name"
pattern is replaced
by its contents; a "type:table" lookup table is matched when a name
matches a lookup key (the lookup result is ignored). Continue long
lines by starting the next line with whitespace. Specify "!pattern"
to exclude a user name from the list. The form "!/file/name" is
supported only in Postfix version 2.4 and later. </p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

%PARAM authorized_submit_users static:anyone

<p>
List of users who are authorized to submit mail with the sendmail(1)
command (and with the privileged postdrop(1) helper command).
</p>

<p>
By default, all users are allowed to submit mail. Otherwise, the
real UID of the process is looked up in the system password file,
and access is granted only if the corresponding login name is on
the access list. The username "unknown" is used for processes
whose real UID is not found in the password file. To deny mail
submission access to all users specify an empty list. </p>

<p>
Specify a list of user names, "/file/name" or "type:table" patterns,
separated by commas and/or whitespace. The list is matched left to right,
and the search stops on the first match. A "/file/name" pattern is
replaced by its contents;
a "type:table" lookup table is matched when a name matches a lookup key
(the lookup result is ignored).
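</p>

<p> The matching rules for authorized_flush_users, authorized_mailq_users
and authorized_submit_users are the same: left to right, first match
wins, "!pattern" excludes, "/file/name" is replaced by its contents,
"type:table" matches when the login name is a lookup key, and a process
whose real UID has no password-file entry is matched as "unknown". The
following Python is an added example that models those rules; it is not
Postfix code. The password file, the "/file/name" contents and the
"type:table" keys are constructed in-memory stand-ins, and the
MAIL_OWNER name is an assumed value. </p>

```python
"""Evaluate a Postfix-style user access list (authorized_flush_users,
authorized_mailq_users, authorized_submit_users) against a process UID.

Added example, not Postfix code.  The password file, the included
"/file/name" contents and the "type:table" lookup keys below are
constructed in-memory stand-ins (assumption) so the example runs offline.
"""
import re

# Constructed stand-in for the system password file: uid -> login name.
PASSWD = {0: "root", 33: "www", 89: "postfix", 1000: "alice", 1001: "bob"}
MAIL_OWNER = "postfix"  # assumed $mail_owner value

# Constructed stand-ins for "/file/name" inclusions and "type:table" lookups.
FILES = {"/etc/postfix/queue-admins": "alice\n# comment\nbob\n"}
TABLES = {"hash:/etc/postfix/mailq-users": {"bob"}}


def _expand(pattern_list):
    """Split on commas/whitespace and replace "/file/name" by its contents.
    A negated file ("!/file/name") negates every name it contains."""
    out = []
    for pat in re.split(r"[\s,]+", pattern_list.strip()):
        if not pat:
            continue
        negate = pat.startswith("!")
        name = pat[1:] if negate else pat
        if name.startswith("/"):
            for line in FILES.get(name, "").splitlines():
                line = line.strip()
                if line and not line.startswith("#"):
                    out.append(("!" if negate else "") + line)
        else:
            out.append(pat)
    return out


def _matches(pattern, login):
    """One pattern against one login name: static:* matches everyone,
    type:table matches when login is a key (result ignored), anything
    else is a literal user name."""
    if pattern.startswith("static:"):
        return True
    if ":" in pattern:
        return login in TABLES.get(pattern, set())
    return pattern == login


def is_authorized(uid, pattern_list, owner_always=True):
    """Return True if the real UID may use the command.  owner_always models
    authorized_flush_users/authorized_mailq_users, which always admit the
    super-user and $mail_owner; pass False for authorized_submit_users."""
    login = PASSWD.get(uid, "unknown")  # "unknown" for UIDs not in passwd
    if owner_always and (uid == 0 or login == MAIL_OWNER):
        return True
    for pat in _expand(pattern_list):  # left to right, first match decides
        negate = pat.startswith("!")
        if _matches(pat[1:] if negate else pat, login):
            return not negate
    return False  # no match; an empty list therefore denies everyone
```

<p> The owner_always flag separates the two variants documented above:
with it set, the super-user and $mail_owner are admitted before the list
is consulted (queue flush and listing); without it, only the list decides
(mail submission), so an empty list denies everyone, and a user excluded
with "!name" stays excluded even when a later static:all follows. </p>

<p>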
Continue long lines by starting the
next line with whitespace. Specify "!pattern" to exclude a user
name from the list. The form "!/file/name" is supported only in
Postfix version 2.4 and later. </p>

<p>
Example:
</p>

<pre>
authorized_submit_users = !www, static:all
</pre>

<p>
This feature is available in Postfix 2.2 and later.
</p>

%PARAM backwards_bounce_logfile_compatibility yes

<p>
Produce additional bounce(8) logfile records that can be read by
Postfix versions before 2.0. The current and more extensible "name =
value" format is needed in order to implement more sophisticated
functionality.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM bounce_notice_recipient postmaster

<p>
The recipient of postmaster notifications with the message headers
of mail that Postfix did not deliver and of SMTP conversation
transcripts of mail that Postfix did not receive. This feature is
enabled with the notify_classes parameter. </p>

%PARAM bounce_service_name bounce

<p>
The name of the bounce(8) service. This service maintains a record
of failed delivery attempts and generates non-delivery notifications.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM broken_sasl_auth_clients no

<p>
Enable interoperability with remote SMTP clients that implement an obsolete
version of the AUTH command (RFC 4954). Examples of such clients
are Microsoft Outlook Express version 4 and Microsoft Exchange
version 5.0.
</p>

<p>
Specify "broken_sasl_auth_clients = yes" to have Postfix advertise
AUTH support in a non-standard way.
</p>

%PARAM cleanup_service_name cleanup

<p>
The name of the cleanup(8) service.
This service rewrites addresses
into the standard form, and performs canonical(5) address mapping
and virtual(5) aliasing.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM anvil_status_update_time 600s

<p>
How frequently the anvil(8) connection and rate limiting server
logs peak usage information.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.2 and later.
</p>

%PARAM enable_errors_to no

<p> Report mail delivery errors to the address specified with the
non-standard Errors-To: message header, instead of the envelope
sender address (this feature is removed with Postfix version 2.2, is
turned off by default with Postfix version 2.1, and is always turned on
with older Postfix versions). </p>

%PARAM extract_recipient_limit 10240

<p>
The maximal number of recipient addresses that Postfix will extract
from message headers when mail is submitted with "<b>sendmail -t</b>".
</p>

<p>
This feature was removed in Postfix version 2.1.
</p>

%PARAM anvil_rate_time_unit 60s

<p>
The time unit over which client connection rates and other rates
are calculated.
</p>

<p>
This feature is implemented by the anvil(8) service which is available
in Postfix version 2.2 and later.
</p>

<p>
The default interval is relatively short. Because of the high
frequency of updates, the anvil(8) server uses volatile memory
only. Thus, information is lost whenever the process terminates.
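</p>

<p> Several parameters above (application_event_drain_time,
anvil_status_update_time, anvil_rate_time_unit) take a "non-zero time
value" in the integer-plus-optional-suffix form, while others accept
zero to disable a feature. The following Python is an added example,
not Postfix code, that parses that form with a per-parameter default
unit and applies the non-zero rule; the PARAMS table is built only from
the defaults and rules stated on this page. </p>

```python
"""Parse Postfix time values ("100s", "5m", "2h", "1d", "1w", or a bare
integer that takes the parameter's default unit) into seconds and apply
the per-parameter constraint the postconf text states: "non-zero" for
settings such as application_event_drain_time and anvil_status_update_time,
"non-negative" (0 disables) for qmgr_clog_warn_time and delay_warning_time.

Added example, not Postfix code.  PARAMS lists only parameters whose
default unit and zero rule are documented on this page.
"""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# parameter -> (default unit, must be non-zero)
PARAMS = {
    "application_event_drain_time": ("s", True),
    "anvil_status_update_time": ("s", True),
    "anvil_rate_time_unit": ("s", True),
    "service_throttle_time": ("s", True),
    "qmgr_clog_warn_time": ("s", False),   # "Specify 0 to disable"
    "delay_warning_time": ("h", False),    # default unit is hours; 0 = off
}

# An unsigned integer, an optional one-letter unit, surrounding blanks only.
_TIME_RE = re.compile(r"^\s*(\d+)\s*([smhdw])?\s*$")


def parse_time(value, default_unit="s"):
    """Return the number of seconds, or raise ValueError for bad syntax.
    A missing suffix selects default_unit; only s/m/h/d/w are accepted,
    so "10ms" or "-1s" are rejected rather than silently misread."""
    m = _TIME_RE.match(value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    count, unit = int(m.group(1)), m.group(2) or default_unit
    return count * UNIT_SECONDS[unit]


def check_setting(param, value):
    """Validate a main.cf assignment for one of the parameters in PARAMS
    and return the effective number of seconds."""
    default_unit, nonzero = PARAMS[param]
    seconds = parse_time(value, default_unit)
    if nonzero and seconds == 0:
        raise ValueError(f"{param} requires a non-zero time value")
    return seconds


def is_valid(param, value):
    """True when check_setting() accepts the assignment."""
    try:
        check_setting(param, value)
        return True
    except ValueError:
        return False
```

<p> The default unit matters: this page gives delay_warning_time a default
unit of hours, so a bare "4" there means four hours, whereas the same bare
value for a parameter whose default unit is seconds means four seconds.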
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM command_expansion_filter see "postconf -d" output

<p>
Restrict the characters that the local(8) delivery agent allows in
$name expansions of $mailbox_command and $command_execution_directory.
Characters outside the
allowed set are replaced by underscores.
</p>

%PARAM content_filter

<p> After the message is queued, send the entire message to the
specified <i>transport:destination</i>. The <i>transport</i> name
specifies the first field of a mail delivery agent definition in
master.cf; the syntax of the next-hop <i>destination</i> is described
in the manual page of the corresponding delivery agent. More
information about external content filters is in the Postfix
FILTER_README file. </p>

<p> Notes: </p>

<ul>

<li> <p> This setting has lower precedence than a FILTER action
that is specified in an access(5), header_checks(5) or body_checks(5)
table. </p>

<li> <p> The meaning of an empty next-hop filter <i>destination</i>
is version dependent. Postfix 2.7 and later will use the recipient
domain; earlier versions will use $myhostname. Specify
"default_filter_nexthop = $myhostname" for compatibility with Postfix
2.6 or earlier, or specify a content_filter value with an explicit
next-hop <i>destination</i>. </p>

</ul>

%PARAM default_delivery_slot_discount 50

<p>
The default value for transport-specific _delivery_slot_discount
settings.
</p>

<p>
This parameter speeds up the moment when a message preemption can
happen.
Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
<i>transport</i>_delivery_slot_discount percent of the required amount
plus <i>transport</i>_delivery_slot_loan still remains to be accumulated.
Note that the full amount will still have to be accumulated before
another preemption can take place later.
</p>

<p> Use <i>transport</i>_delivery_slot_discount to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

%PARAM default_delivery_slot_loan 3

<p>
The default value for transport-specific _delivery_slot_loan
settings.
</p>

<p>
This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
<i>transport</i>_delivery_slot_discount percent of the required amount
plus <i>transport</i>_delivery_slot_loan still remains to be accumulated.
Note that the full amount will still have to be accumulated before
another preemption can take place later.
</p>

<p> Use <i>transport</i>_delivery_slot_loan to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport.
</p>

%CLASS verp VERP Support

<p>
With VERP style delivery, each recipient of a message receives a
customized copy of the message with his/her own recipient address
encoded in the envelope sender address. The VERP_README file
describes configuration and operation details of Postfix support
for variable envelope return path addresses. VERP style delivery
is requested with the SMTP XVERP command or with the "<b>sendmail
-V</b>" command-line option and is available in Postfix
1.1 and later.
</p>

%PARAM default_verp_delimiters +=

<p> The two default VERP delimiter characters. These are used when
no explicit delimiters are specified with the SMTP XVERP command
or with the "<b>sendmail -XV</b>" command-line option (Postfix 2.2
and earlier: <b>-V</b>). Specify characters that are allowed by the
verp_delimiter_filter setting.
</p>

<p>
This feature is available in Postfix 1.1 and later.
</p>

%PARAM defer_service_name defer

<p>
The name of the defer service. This service is implemented by the
bounce(8) daemon and maintains a record
of failed delivery attempts and generates non-delivery notifications.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM delay_notice_recipient postmaster

<p>
The recipient of postmaster notifications with the message headers
of mail that cannot be delivered within $delay_warning_time time
units. </p>

<p>
See also: delay_warning_time, notify_classes.
</p>

%PARAM delay_warning_time 0h

<p>
The time after which the sender receives a copy of the message
headers of mail that is still queued. The confirm_delay_cleared
parameter controls sender notification when the delay clears up.
</p>

<p>
To enable this feature, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time
unit).
</p>

<p>
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours).
</p>

<p>
See also: delay_notice_recipient, notify_classes, confirm_delay_cleared.
</p>

%PARAM confirm_delay_cleared no

<p> After sending a "your message is delayed" notification, inform
the sender when the delay clears up.
This can result in a sudden
burst of notifications at the end of a prolonged network outage,
and is therefore disabled by default. </p>

<p> See also: delay_warning_time. </p>

<p> This feature is available in Postfix 3.0 and later. </p>

%PARAM disable_dns_lookups no

<p>
Disable DNS lookups in the Postfix SMTP and LMTP clients. When
disabled, hosts are looked up with the getaddrinfo() system
library routine which normally also looks in /etc/hosts. As of
Postfix 2.11, this parameter is deprecated; use smtp_dns_support_level
instead.
</p>

<p>
DNS lookups are enabled by default.
</p>

%CLASS mime MIME Processing

<p>
MIME processing is available in Postfix as of version 2.0. Older
Postfix versions do not recognize MIME headers inside the message
body.
</p>

%PARAM disable_mime_input_processing no

<p>
Turn off MIME processing while receiving mail. This means that no
special treatment is given to Content-Type: message headers, and
that all text after the initial message headers is considered to
be part of the message body.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

<p>
MIME input processing is enabled by default, and is needed in order
to recognize MIME headers in message content.
</p>

%PARAM disable_mime_output_conversion no

<p>
Disable the conversion of 8BITMIME format to 7BIT format. MIME
output conversion is needed when the destination does not advertise
8BITMIME support.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM disable_verp_bounces no

<p>
Disable sending one bounce report per recipient.
</p>

<p>
The default, one per recipient, is what ezmlm needs.
</p>

<p>
This feature is available in Postfix 1.1 and later.
</p>

%PARAM dont_remove 0

<p>
Don't remove queue files and save them to the "saved" mail queue.
This is a debugging aid. To inspect the envelope information and
content of a Postfix queue file, use the postcat(1) command.
</p>

%PARAM empty_address_recipient MAILER-DAEMON

<p>
The recipient of mail addressed to the null address. Postfix does
not accept such addresses in SMTP commands, but they may still be
created locally as the result of configuration or software error.
</p>

%PARAM error_notice_recipient postmaster

<p> The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or protocol
errors. These notifications are enabled with the notify_classes
parameter. </p>

%PARAM error_service_name error

<p>
The name of the error(8) pseudo delivery agent. This service always
returns mail as undeliverable.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM expand_owner_alias no

<p>
When delivering to an alias "<i>aliasname</i>" that has an
"owner-<i>aliasname</i>" companion alias, set the envelope sender
address to the expansion of the "owner-<i>aliasname</i>" alias.
Normally, Postfix sets the envelope sender address to the name of
the "owner-<i>aliasname</i>" alias.
</p>

%PARAM fallback_transport

<p>
Optional message delivery transport that the local(8) delivery
agent should use for names that are not found in the aliases(5)
or UNIX password database.
</p>

<p> The precedence of local(8) delivery features from high to low
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay.
</p>

%PARAM fault_injection_code 0

<p>
Force specific internal tests to fail, to test the handling of
errors that are difficult to reproduce otherwise.
</p>

%PARAM flush_service_name flush

<p>
The name of the flush(8) service. This service maintains per-destination
logfiles with the queue file names of mail that is queued for those
destinations.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM forward_expansion_filter see "postconf -d" output

<p>
Restrict the characters that the local(8) delivery agent allows in
$name expansions of $forward_path. Characters outside the
allowed set are replaced by underscores.
</p>

%PARAM header_address_token_limit 10240

<p>
The maximal number of address tokens that are allowed in an address
message header. Information that exceeds the limit is discarded.
The limit is enforced by the cleanup(8) server.
</p>

%PARAM helpful_warnings yes

<p>
Log warnings about problematic configuration settings, and provide
helpful suggestions.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM lmtp_cache_connection yes

<p>
Keep Postfix LMTP client connections open for up to $max_idle
seconds. When the LMTP client receives a request for the same
connection the connection is reused.
</p>

<p> This parameter is available in Postfix version 2.2 and earlier.
With Postfix version 2.3 and later, see lmtp_connection_cache_on_demand,
lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit.
</p>

<p>
The effectiveness of cached connections will be determined by the
number of remote LMTP servers in use, and the concurrency limit specified
for the Postfix LMTP client.
Cached connections are closed under any of
the following conditions:
</p>

<ul>

<li> The Postfix LMTP client idle time limit is reached. This limit is
specified with the Postfix max_idle configuration parameter.

<li> A delivery request specifies a different destination than the
one currently cached.

<li> The per-process limit on the number of delivery requests is
reached. This limit is specified with the Postfix max_use
configuration parameter.

<li> Upon the onset of another delivery request, the remote LMTP server
associated with the current session does not respond to the RSET
command.

</ul>

<p>
Most of these limitations have been lifted with the Postfix
connection cache that is shared among multiple LMTP client
programs.
</p>

%PARAM lmtp_sasl_auth_enable no

<p>
Enable SASL authentication in the Postfix LMTP client.
</p>

%PARAM lmtp_sasl_password_maps

<p>
Optional Postfix LMTP client lookup tables with one username:password entry
per host or domain. If a remote host or domain has no username:password
entry, then the Postfix LMTP client will not attempt to authenticate
to the remote host.
</p>

%PARAM lmtp_sasl_security_options noplaintext, noanonymous

<p> SASL security options; as of Postfix 2.3 the list of available
features depends on the SASL client implementation that is selected
with <b>lmtp_sasl_type</b>. </p>

<p> The following security features are defined for the <b>cyrus</b>
client SASL implementation: </p>

<dl>

<dt><b>noplaintext</b></dt>

<dd>Disallow authentication methods that use plaintext passwords. </dd>

<dt><b>noactive</b></dt>

<dd>Disallow authentication methods that are vulnerable to non-dictionary
active attacks.
</dd>

<dt><b>nodictionary</b></dt>

<dd>Disallow authentication methods that are vulnerable to passive
dictionary attacks. </dd>

<dt><b>noanonymous</b></dt>

<dd>Disallow anonymous logins. </dd>

</dl>

<p>
Example:
</p>

<pre>
lmtp_sasl_security_options = noplaintext
</pre>

%PARAM lmtp_tcp_port 24

<p>
The default TCP port that the Postfix LMTP client connects to.
Specify a symbolic name (see services(5)) or a numeric port.
</p>

%PARAM smtp_tcp_port smtp

<p>
The default TCP port that the Postfix SMTP client connects to.
Specify a symbolic name (see services(5)) or a numeric port.
</p>

%PARAM mail_release_date see "postconf -d" output

<p>
The Postfix release date, in "YYYYMMDD" format.
</p>

%PARAM mailbox_command_maps

<p>
Optional lookup tables with per-recipient external commands to use
for local(8) mailbox delivery. Behavior is as with mailbox_command.
</p>

<p> The precedence of local(8) delivery features from high to low
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

%PARAM mailbox_delivery_lock see "postconf -d" output

<p>
How to lock a UNIX-style local(8) mailbox before attempting delivery.
For a list of available file locking methods, use the "<b>postconf
-l</b>" command.
</p>

<p>
This setting is ignored with <b>maildir</b> style delivery,
because such deliveries are safe without explicit locks.
</p>

<p>
Note: The <b>dotlock</b> method requires that the recipient UID or
GID has write access to the parent directory of the mailbox file.
</p>

<p>
Note: the default setting of this parameter is system dependent.
</p>

%PARAM mailbox_transport

<p>
Optional message delivery transport that the local(8) delivery
agent should use for mailbox delivery to all local recipients,
whether or not they are found in the UNIX passwd database.
</p>

<p> The precedence of local(8) delivery features from high to low
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>

%PARAM mailq_path see "postconf -d" output

<p>
Sendmail compatibility feature that specifies where the Postfix
mailq(1) command is installed. This command can be used to
list the Postfix mail queue.
</p>

%PARAM manpage_directory see "postconf -d" output

<p>
Where the Postfix manual pages are installed.
</p>

%PARAM maps_rbl_domains

<p>
Obsolete feature: use the reject_rbl_client feature instead.
</p>

%PARAM mime_boundary_length_limit 2048

<p>
The maximal length of MIME multipart boundary strings. The MIME
processor is unable to distinguish between boundary strings that
do not differ in the first $mime_boundary_length_limit characters.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM mime_header_checks $header_checks

<p>
Optional lookup tables for content inspection of MIME related
message headers, as described in the header_checks(5) manual page.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM mime_nesting_limit 100

<p>
The maximal recursion level that the MIME processor will handle.
Postfix refuses mail that is nested deeper than the specified limit.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM mynetworks_style Postfix &ge; 3.0: host, Postfix &lt; 3.0: subnet

<p>
The method to generate the default value for the mynetworks parameter.
This is the list of trusted networks for relay access control etc.
</p>

<ul>

<li><p>Specify "mynetworks_style = host" when Postfix should
"trust" only the local machine. </p>

<li><p>Specify "mynetworks_style = subnet" when Postfix
should "trust" remote SMTP clients in the same IP subnetworks as the local
machine. On Linux, this works correctly only with interfaces
specified with the "ifconfig" or "ip" command. </p>

<li><p>Specify "mynetworks_style = class" when Postfix should
"trust" remote SMTP clients in the same IP class A/B/C networks as the
local machine. Caution: this may cause
Postfix to "trust" your entire provider's network. Instead, specify
an explicit mynetworks list by hand, as described with the mynetworks
configuration parameter. </p>

</ul>

%PARAM nested_header_checks $header_checks

<p>
Optional lookup tables for content inspection of non-MIME message
headers in attached messages, as described in the header_checks(5)
manual page.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM newaliases_path see "postconf -d" output

<p>
Sendmail compatibility feature that specifies the location of the
newaliases(1) command. This command can be used to rebuild the
local(8) aliases(5) database.
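</p>

<p> To make the mynetworks_style caution above concrete, the following
Python is an added example (not Postfix code) that computes which client
networks each style would trust for a given set of local interface
addresses. The interface list is a constructed sample, the classful
boundaries are the historical IPv4 A/B/C rules (/8, /16, /24 by first
octet), and only IPv4 is modeled; all of that is an assumption of the
example rather than something this page states. </p>

```python
"""Show which client networks each mynetworks_style value would cause Postfix
to trust, given the local machine's interface addresses.

Added example, not Postfix code.  It models the three styles described on
this page: "host" trusts only the local machine, "subnet" trusts the
interface's own IP subnet, and "class" trusts the whole classful A/B/C
network the address falls in.  Assumptions: IPv4 only, historical class
boundaries by first octet, and a constructed interface list.
"""
import ipaddress


def classful_prefix(addr):
    """Historical IPv4 class of an address: A=/8, B=/16, C=/24."""
    first = int(ipaddress.ip_address(addr)) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{addr} is not in a classful unicast range")


def trusted_networks(style, interfaces):
    """interfaces: iterable of 'addr/prefixlen' strings as configured on the
    local machine.  Returns a sorted list of CIDR strings the style trusts."""
    nets = set()
    for iface in interfaces:
        ip = ipaddress.ip_interface(iface)
        if style == "host":
            # only the local machine: one /32 per interface address
            nets.add(str(ipaddress.ip_network(f"{ip.ip}/{ip.ip.max_prefixlen}")))
        elif style == "subnet":
            # the interface's own subnet, from its configured netmask
            nets.add(str(ip.network))
        elif style == "class":
            # the whole classful block, ignoring the configured netmask
            plen = classful_prefix(ip.ip)
            nets.add(str(ipaddress.ip_network((int(ip.ip), plen), strict=False)))
        else:
            raise ValueError(f"unknown mynetworks_style: {style}")
    return sorted(nets)


def hosts_trusted(style, interfaces):
    """Total number of client addresses admitted by the style; this makes
    the difference between the three settings visible as a number."""
    return sum(ipaddress.ip_network(n).num_addresses
               for n in trusted_networks(style, interfaces))


# Constructed sample: an RFC 1918 LAN leg and a /29 assigned by a provider.
SAMPLE_INTERFACES = ["10.20.30.40/24", "203.0.113.10/29"]
```

<p> With the sample interfaces, "host" admits 2 addresses, "subnet" admits
264, and "class" admits 16777472: the provider's /29 widens to the whole
class C block 203.0.113.0/24 (256 addresses, most of them other
customers), and the 10.20.30.40/24 LAN leg widens to all of 10.0.0.0/8.
That is the "entire provider's network" effect the caution describes.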
</p>

%PARAM non_fqdn_reject_code 504

<p>
The numerical Postfix SMTP server reply code when a client request
is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
or reject_non_fqdn_recipient restriction.
</p>

%PARAM owner_request_special yes

<p>
Enable special treatment for owner-<i>listname</i> entries in the
aliases(5) file, and don't split owner-<i>listname</i> and
<i>listname</i>-request address localparts when the recipient_delimiter
is set to "-". This feature is useful for mailing lists.
</p>

%PARAM permit_mx_backup_networks

<p>
Restrict the use of the permit_mx_backup SMTP access feature to
only domains whose primary MX hosts match the listed networks.
The parameter value syntax is the same as with the mynetworks
parameter; note, however, that the default value is empty. </p>

<p> Pattern matching of domain names is controlled by the presence
or absence of "permit_mx_backup_networks" in the
parent_domain_matches_subdomains parameter value. </p>

%PARAM pickup_service_name pickup

<p>
The name of the pickup(8) service. This service picks up local mail
submissions from the Postfix maildrop queue.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM prepend_delivered_header command, file, forward

<p> The message delivery contexts where the Postfix local(8) delivery
agent prepends a Delivered-To: message header with the address
that the mail was delivered to. This information is used for mail
delivery loop detection. </p>

<p>
By default, the Postfix local delivery agent prepends a Delivered-To:
header when forwarding mail and when delivering to file (mailbox)
and command. Turning off the Delivered-To: header when forwarding
mail is not recommended.
</p>

<p>
Specify zero or more of <b>forward</b>, <b>file</b>, or <b>command</b>.
</p>

<p>
Example:
</p>

<pre>
prepend_delivered_header = forward
</pre>

%PARAM process_name read-only

<p>
The process name of a Postfix command or daemon process.
</p>

%PARAM service_name read-only

<p> The master.cf service name of a Postfix daemon process. This
can be used to distinguish the logging from different services that
use the same program name. </p>

<p> Example master.cf entries: </p>

<pre>
# Distinguish inbound MTA logging from submission and smtps logging.
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/$service_name
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/$service_name
</pre>

<pre>
# Distinguish outbound MTA logging from inbound relay logging.
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o syslog_name=postfix/$service_name
</pre>

%PARAM process_id read-only

<p>
The process ID of a Postfix command or daemon process.
</p>

%PARAM process_id_directory pid

<p>
The location of Postfix PID files relative to $queue_directory.
This is a read-only parameter.
</p>

%PARAM proxy_read_maps see "postconf -d" output

<p>
The lookup tables that the proxymap(8) server is allowed to
access for the read-only service.
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma.
Table references that don't begin with proxy: are ignored.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM proxy_write_maps see "postconf -d" output

<p> The lookup tables that the proxymap(8) server is allowed to
access for the read-write service.
Postfix-owned local database
files should be stored under the Postfix-owned data_directory.
Table references that don't begin with proxy: are ignored. </p>

<p>
This feature is available in Postfix 2.5 and later.
</p>

%PARAM qmgr_clog_warn_time 300s

<p>
The minimal delay between warnings that a specific destination is
clogging up the Postfix active queue. Specify 0 to disable.
</p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is enabled with the helpful_warnings parameter.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM qmgr_fudge_factor 100

<p>
Obsolete feature: the percentage of delivery resources that a busy
mail system will use up for delivery of a large mailing list
message.
</p>

<p>
This feature exists only in the oqmgr(8) old queue manager. The
current queue manager solves the problem in a better way.
</p>

%PARAM queue_directory see "postconf -d" output

<p>
The location of the Postfix top-level queue directory. This is the
root directory of Postfix daemon processes that run chrooted.
</p>

%PARAM queue_file_attribute_count_limit 100

<p>
The maximal number of (name=value) attributes that may be stored
in a Postfix queue file. The limit is enforced by the cleanup(8)
server.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM queue_service_name qmgr

<p>
The name of the qmgr(8) service. This service manages the Postfix
queue and schedules delivery requests.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM html_directory see "postconf -d" output

<p>
The location of Postfix HTML files that describe how to build,
configure or operate a specific Postfix subsystem or feature.
</p>

%PARAM readme_directory see "postconf -d" output

<p>
The location of Postfix README files that describe how to build,
configure or operate a specific Postfix subsystem or feature.
</p>

%PARAM relay_transport relay

<p>
The default mail delivery transport and next-hop destination for
remote delivery to domains listed with $relay_domains. In order of
decreasing precedence, the nexthop destination is taken from
$relay_transport, $sender_dependent_relayhost_maps, $relayhost, or
from the recipient domain. This information can be overruled with
the transport(5) table.
</p>

<p>
Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
is the name of a mail delivery transport defined in master.cf.
The <i>:nexthop</i> destination is optional; its syntax is documented
in the manual page of the corresponding delivery agent.
</p>

<p>
See also the relay domains address class in the ADDRESS_CLASS_README
file.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM rewrite_service_name rewrite

<p>
The name of the address rewriting service. This service rewrites
addresses to standard form and resolves them to a (delivery method,
next-hop host, recipient) triple.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM sample_directory /etc/postfix

<p>
The name of the directory with example Postfix configuration files.
Starting with Postfix 2.1, these files have been replaced with the
postconf(5) manual page.
</p>

%PARAM sender_based_routing no

<p>
This parameter should not be used. It was replaced by sender_dependent_relayhost_maps
in Postfix version 2.3.
</p>

%PARAM sendmail_path see "postconf -d" output

<p>
A Sendmail compatibility feature that specifies the location of
the Postfix sendmail(1) command. This command can be used to
submit mail into the Postfix queue.
</p>

%PARAM service_throttle_time 60s

<p>
How long the Postfix master(8) waits before forking a server that
appears to be malfunctioning.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM setgid_group postdrop

<p>
The group ownership of set-gid Postfix commands and of group-writable
Postfix directories. When this parameter value is changed you need
to re-run "<b>postfix set-permissions</b>" (with Postfix version 2.0 and
earlier: "<b>/etc/postfix/post-install set-permissions</b>").
</p>

%PARAM show_user_unknown_table_name yes

<p>
Display the name of the recipient table in the "User unknown"
responses. The extra detail makes troubleshooting easier but also
reveals information that is nobody else's business.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM showq_service_name showq

<p>
The name of the showq(8) service. This service produces mail queue
status reports.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM smtp_pix_workaround_delay_time 10s

<p>
How long the Postfix SMTP client pauses before sending
".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX firewall
"&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.
</p>

<p>
Choosing too short a time makes this workaround ineffective when
sending large messages over slow network connections.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM smtp_randomize_addresses yes

<p>
Randomize the order of equal-preference MX host addresses. This
is a performance feature of the Postfix SMTP client.
</p>

%PARAM smtp_rset_timeout 20s

<p> The Postfix SMTP client time limit for sending the RSET command,
and for receiving the remote SMTP server response. The SMTP client
sends RSET in
order to finish a recipient address probe, or to verify that a
cached session is still usable. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.1 and later. </p>

%PARAM smtpd_data_restrictions

<p>
Optional access restrictions that the Postfix SMTP server applies
in the context of the SMTP DATA command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

<p>
Specify a list of restrictions, separated by commas and/or whitespace.
Continue long lines by starting the next line with whitespace.
Restrictions are applied in the order specified; the first
restriction that matches wins.
</p>

<p>
The following restrictions are valid in this context:
</p>

<ul>

<li><a href="#generic">Generic</a> restrictions that can be used
in any SMTP command context, described under smtpd_client_restrictions.

<li>SMTP command specific restrictions described under
smtpd_client_restrictions, smtpd_helo_restrictions,
smtpd_sender_restrictions or smtpd_recipient_restrictions.

<li>However, no recipient information is available in the case of
multi-recipient mail. Acting on only one recipient would be misleading,
because any decision will affect all recipients equally. Acting on
all recipients would require a possibly very large amount of memory,
and would also be misleading for the reasons mentioned before.

</ul>

<p>
Examples:
</p>

<pre>
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_multi_recipient_bounce
</pre>

%PARAM smtpd_end_of_data_restrictions

<p> Optional access restrictions that the Postfix SMTP server
applies in the context of the SMTP END-OF-DATA command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

<p> See smtpd_data_restrictions for details and limitations. </p>

%PARAM smtpd_delay_reject yes

<p>
Wait until the RCPT TO command before evaluating
$smtpd_client_restrictions, $smtpd_helo_restrictions and
$smtpd_sender_restrictions, or wait until the ETRN command before
evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
</p>

<p>
This feature is turned on by default because some clients apparently
mis-behave when the Postfix SMTP server rejects commands before
RCPT TO.
</p>

<p>
The default setting has one major benefit: it allows Postfix to log
recipient address information when rejecting a client name/address
or sender address, so that it is possible to find out whose mail
is being rejected.
</p>

%PARAM smtpd_null_access_lookup_key &lt;&gt;

<p>
The lookup key to be used in SMTP access(5) tables instead of the
null sender address.
</p>

%CLASS smtpd-policy SMTP server policy delegation

<p>
The Postfix SMTP server has a number of built-in mechanisms to
block or accept mail at specific SMTP protocol stages. As of version
2.1 Postfix can be configured to delegate policy decisions to an
external server that runs outside Postfix. See the file
SMTPD_POLICY_README for more information.
</p>

%PARAM smtpd_policy_service_max_idle 300s

<p>
The time after which an idle SMTPD policy service connection is
closed.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtpd_policy_service_max_ttl 1000s

<p>
The time after which an active SMTPD policy service connection is
closed.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtpd_policy_service_timeout 100s

<p>
The time limit for connecting to, writing to, or receiving from a
delegated SMTPD policy server.
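</p>

<p> Every time parameter in this section (qmgr_clog_warn_time,
service_throttle_time, smtp_pix_workaround_delay_time, smtp_rset_timeout
and the smtpd_policy_service_* parameters) uses the same value syntax:
an integer with an optional s/m/h/d/w suffix, the default unit being
seconds, and a "non-zero" or "non-negative" rule depending on the
parameter. The following Python parser is an added example, not Postfix
code, that implements that rule as a pre-reload check; the parameter
names are taken from this section, the sample values are constructed,
and the ZERO_ALLOWED set (only qmgr_clog_warn_time documents "Specify 0
to disable") is an assumption of the example. </p>

```python
"""Parse and validate Postfix-style time values ("300s", "5m", "1h", ...).

Added illustration, not Postfix code. Implements the rule stated in the
parameter descriptions: an integral value plus an optional one-letter
unit suffix (s, m, h, d, w), default unit seconds, and the
per-parameter "non-zero" or "non-negative" requirement.
"""
import re

# Seconds per unit, as listed in the parameter descriptions.
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Unsigned integer, optional single unit letter, nothing else.
_TIME_RE = re.compile(r"^(\d+)([smhdw]?)$")


def parse_time_value(text, allow_zero=False):
    """Return the number of seconds denoted by a Postfix time value.

    Raises ValueError for anything that is not an unsigned integer with
    an optional unit suffix (so "-5s", "1.5s" and "10x" are rejected),
    and for a zero value unless the parameter permits it.
    """
    m = _TIME_RE.match(text.strip())
    if m is None:
        raise ValueError("bad time value: %r" % text)
    count, unit = int(m.group(1)), m.group(2) or "s"
    seconds = count * TIME_UNITS[unit]
    if seconds == 0 and not allow_zero:
        raise ValueError("time value must be non-zero: %r" % text)
    return seconds


# Assumption of this example: only qmgr_clog_warn_time documents
# "Specify 0 to disable"; the other parameters require non-zero values.
ZERO_ALLOWED = {"qmgr_clog_warn_time"}


def check_time_settings(settings):
    """Validate a dict of parameter -> value string (a constructed
    stand-in for a main.cf fragment). Returns (accepted, rejected):
    accepted maps parameter -> seconds, rejected is a list of
    (parameter, error message) for values Postfix would not accept."""
    accepted, rejected = {}, []
    for name, value in settings.items():
        try:
            accepted[name] = parse_time_value(value, allow_zero=name in ZERO_ALLOWED)
        except ValueError as err:
            rejected.append((name, str(err)))
    return accepted, rejected


# Constructed sample settings; two of them are deliberately invalid.
SAMPLE_SETTINGS = {
    "qmgr_clog_warn_time": "0",               # allowed: disables the warning
    "service_throttle_time": "60s",
    "smtp_rset_timeout": "20",                # no suffix: default unit is s
    "smtpd_policy_service_max_idle": "5m",
    "smtpd_policy_service_timeout": "0",      # rejected: must be non-zero
    "smtp_pix_workaround_delay_time": "10x",  # rejected: unknown unit
}

if __name__ == "__main__":
    ok, bad = check_time_settings(SAMPLE_SETTINGS)
    for name, secs in ok.items():
        print("%-32s %8d seconds" % (name, secs))
    for name, msg in bad:
        print("%-32s ERROR %s" % (name, msg))
```

<p> Running the block prints one line per parameter; the two rejected
entries are exactly the mistakes worth catching before a reload, a
zero where a non-zero time is required and an unknown unit suffix.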
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtpd_policy_service_request_limit 0

<p>
The maximal number of requests per SMTPD policy service connection,
or zero (no limit). Once a connection reaches this limit, the
connection is closed and the next request will be sent over a new
connection. This is a workaround to avoid error-recovery delays
with policy servers that cannot maintain a persistent connection.
</p>

<p>
This feature is available in Postfix 3.0 and later.
</p>

%PARAM smtpd_reject_unlisted_recipient yes

<p>
Request that the Postfix SMTP server rejects mail for unknown
recipient addresses, even when no explicit reject_unlisted_recipient
access restriction is specified. This prevents the Postfix queue
from filling up with undeliverable MAILER-DAEMON messages.
</p>

<p> An address is considered "unknown" when 1) it does not match a
virtual(5) alias or canonical(5) mapping, and 2) the address is not
valid for its address class. For a definition of class-based address
validation, see <a href="ADDRESS_CLASS_README.html#classes">
ADDRESS_CLASS_README</a>. </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtpd_reject_unlisted_sender no

<p> Request that the Postfix SMTP server rejects mail from unknown
sender addresses, even when no explicit reject_unlisted_sender
access restriction is specified. This can slow down an explosion
of forged mail from worms or viruses.
</p>

<p> An address is considered "unknown" when 1) it does not match a
virtual(5) alias or canonical(5) mapping, and 2) the address is not
valid for its address class. For a definition of class-based address
validation, see <a href="ADDRESS_CLASS_README.html#classes">
ADDRESS_CLASS_README</a>. </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM smtpd_restriction_classes

<p>
User-defined aliases for groups of access restrictions. The aliases
can be specified in smtpd_recipient_restrictions etc., and on the
right-hand side of a Postfix access(5) table.
</p>

<p>
One major application is for implementing per-recipient UCE control.
See the RESTRICTION_CLASS_README document for other examples.
</p>

%PARAM smtpd_sasl_application_name smtpd

<p>
The application name that the Postfix SMTP server uses for SASL
server initialization. This
controls the name of the SASL configuration file. The default value
is <b>smtpd</b>, corresponding to a SASL configuration file named
<b>smtpd.conf</b>.
</p>

<p>
This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
it was renamed to smtpd_sasl_path.
</p>

%PARAM strict_7bit_headers no

<p>
Reject mail with 8-bit text in message headers. This blocks mail
from poorly written applications.
</p>

<p>
This feature should not be enabled on a general purpose mail server,
because it is likely to reject legitimate email.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM strict_8bitmime no

<p>
Enable both strict_7bit_headers and strict_8bitmime_body.
</p>

<p>
This feature should not be enabled on a general purpose mail server,
because it is likely to reject legitimate email.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM strict_8bitmime_body no

<p>
Reject 8-bit message body text without 8-bit MIME content encoding
information. This blocks mail from poorly written applications.
</p>

<p>
Unfortunately, this also rejects majordomo approval requests when
the included request contains valid 8-bit MIME mail, and it rejects
bounces from mailers that do not MIME encapsulate 8-bit content
(for example, bounces from qmail or from old versions of Postfix).
</p>

<p>
This feature should not be enabled on a general purpose mail server,
because it is likely to reject legitimate email.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM strict_mime_encoding_domain no

<p>
Reject mail with invalid Content-Transfer-Encoding: information
for the message/* or multipart/* MIME content types. This blocks
mail from poorly written software.
</p>

<p>
This feature should not be enabled on a general purpose mail server,
because it will reject mail after a single violation.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM sun_mailtool_compatibility no

<p>
Obsolete SUN mailtool compatibility feature. Instead, use
"mailbox_delivery_lock = dotlock".
</p>

%PARAM trace_service_name trace

<p>
The name of the trace service. This service is implemented by the
bounce(8) daemon and maintains a record
of mail deliveries and produces a mail delivery report when verbose
delivery is requested with "<b>sendmail -v</b>".
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

%PARAM undisclosed_recipients_header see "postconf -d" output

<p>
Message header that the Postfix cleanup(8) server inserts when a
message contains no To: or Cc: message header. With Postfix 2.8
and later, the default value is empty. With Postfix 2.4-2.7,
specify an empty value to disable this feature. </p>

<p> Example: </p>

<pre>
# Default value before Postfix 2.8.
# Note: the ":" and ";" are both required.
undisclosed_recipients_header = To: undisclosed-recipients:;
</pre>

%PARAM unknown_relay_recipient_reject_code 550

<p>
The numerical Postfix SMTP server reply code when a recipient
address matches $relay_domains, and relay_recipient_maps specifies
a list of lookup tables that does not match the recipient address.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM unknown_virtual_alias_reject_code 550

<p>
The Postfix SMTP server reply code when a recipient address matches
$virtual_alias_domains, and $virtual_alias_maps specifies a list
of lookup tables that does not match the recipient address.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM unknown_virtual_mailbox_reject_code 550

<p>
The Postfix SMTP server reply code when a recipient address matches
$virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list
of lookup tables that does not match the recipient address.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM verp_delimiter_filter -=+

<p>
The characters Postfix accepts as VERP delimiter characters on the
Postfix sendmail(1) command line and in SMTP commands.
</p>

<p>
This feature is available in Postfix 1.1 and later.
</p>

%PARAM virtual_gid_maps

<p>
Lookup tables with the per-recipient group ID for virtual(8) mailbox
delivery.
</p>

<p> This parameter is specific to the virtual(8) delivery agent.
It does not apply when mail is delivered with a different mail
delivery program. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
"user@domain.tld" entry.
</p>

<p>
When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up
the full address first, and when the lookup fails, it looks up the
unextended address (user@domain.tld).
</p>

<p>
Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression
lookup tables, because that would open a security hole.
</p>

<p>
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
</p>

%PARAM virtual_mailbox_base

<p>
A prefix that the virtual(8) delivery agent prepends to all pathname
results from $virtual_mailbox_maps table lookups. This is a safety
measure to ensure that an out of control map doesn't litter the
file system with mailboxes. While virtual_mailbox_base could be
set to "/", this setting isn't recommended.
</p>

<p> This parameter is specific to the virtual(8) delivery agent.
It does not apply when mail is delivered with a different mail
delivery program. </p>

<p>
Example:
</p>

<pre>
virtual_mailbox_base = /var/mail
</pre>

%PARAM virtual_mailbox_domains $virtual_mailbox_maps

<p> Postfix is the final destination for the specified list of domains;
mail is delivered via the $virtual_transport mail delivery transport.
By default this is the Postfix virtual(8) delivery agent. The SMTP
server validates recipient addresses with $virtual_mailbox_maps
and rejects mail for non-existent recipients. See also the virtual
mailbox domain class in the ADDRESS_CLASS_README file. </p>

<p> This parameter expects the same syntax as the mydestination
configuration parameter. </p>

<p>
This feature is available in Postfix 2.0 and later. The default
value is backwards compatible with Postfix version 1.1.
</p>

%PARAM virtual_mailbox_limit 51200000

<p>
The maximal size in bytes of an individual virtual(8) mailbox or
maildir file, or zero (no limit). </p>

<p> This parameter is specific to the virtual(8) delivery agent.
It does not apply when mail is delivered with a different mail
delivery program. </p>

%PARAM virtual_mailbox_lock see "postconf -d" output

<p>
How to lock a UNIX-style virtual(8) mailbox before attempting
delivery. For a list of available file locking methods, use the
"<b>postconf -l</b>" command.
</p>

<p> This parameter is specific to the virtual(8) delivery agent.
It does not apply when mail is delivered with a different mail
delivery program. </p>

<p>
This setting is ignored with <b>maildir</b> style delivery, because
such deliveries are safe without application-level locks.
</p>

<p>
Note 1: the <b>dotlock</b> method requires that the recipient UID
or GID has write access to the parent directory of the recipient's
mailbox file.
</p>

<p>
Note 2: the default setting of this parameter is system dependent.
</p>

%PARAM virtual_mailbox_maps

<p>
Optional lookup tables with all valid addresses in the domains that
match $virtual_mailbox_domains.
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p>
In a lookup table, specify a left-hand side of "@domain.tld" to
match any user in the specified domain that does not have a specific
"user@domain.tld" entry.
</p>

<p>
With the default "virtual_mailbox_domains = $virtual_mailbox_maps",
lookup tables also need entries with a left-hand side of "domain.tld"
to satisfy virtual_mailbox_domains lookups (the right-hand side is
required but will not be used).
</p>

<p> The remainder of this text is specific to the virtual(8) delivery
agent. It does not apply when mail is delivered with a different
mail delivery program. </p>

<p>
The virtual(8) delivery agent uses this table to look up the
per-recipient mailbox or maildir pathname. If the lookup result
ends in a slash ("/"), maildir-style delivery is carried out,
otherwise the path is assumed to specify a UNIX-style mailbox file.
Note that $virtual_mailbox_base is unconditionally prepended to
this path.
</p>

<p>
When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up
the full address first, and when the lookup fails, it looks up the
unextended address (user@domain.tld).
</p>

<p>
Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression
lookup tables, because that would open a security hole.
</p>

<p>
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
</p>

%PARAM virtual_minimum_uid 100

<p>
The minimum user ID value that the virtual(8) delivery agent accepts
as a result from $virtual_uid_maps table lookup. Returned
values less than this will be rejected, and the message will be
deferred.
</p>

<p> This parameter is specific to the virtual(8) delivery agent.
It does not apply when mail is delivered with a different mail
delivery program. </p>

%PARAM virtual_transport virtual

<p>
The default mail delivery transport and next-hop destination for
final delivery to domains listed with $virtual_mailbox_domains.
This information can be overruled with the transport(5) table.
</p>

<p>
Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
is the name of a mail delivery transport defined in master.cf.
The <i>:nexthop</i> destination is optional; its syntax is documented
in the manual page of the corresponding delivery agent.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

%PARAM virtual_uid_maps

<p>
Lookup tables with the per-recipient user ID that the virtual(8)
delivery agent uses while writing to the recipient's mailbox.
</p>

<p> This parameter is specific to the virtual(8) delivery agent.
It does not apply when mail is delivered with a different mail
delivery program.
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p>
In a lookup table, specify a left-hand side of "@domain.tld"
to match any user in the specified domain that does not have a
specific "user@domain.tld" entry.
</p>

<p>
When a recipient address has an optional address extension
(user+foo@domain.tld), the virtual(8) delivery agent looks up
the full address first, and when the lookup fails, it looks up the
unextended address (user@domain.tld).
</p>

<p>
Note 1: for security reasons, the virtual(8) delivery agent disallows
regular expression substitution of $1 etc. in regular expression
lookup tables, because that would open a security hole.
</p>

<p>
Note 2: for security reasons, the virtual(8) delivery agent will
silently ignore requests to use the proxymap(8) server. Instead
it will open the table directly. Before Postfix version 2.2, the
virtual(8) delivery agent will terminate with a fatal error.
</p>

%PARAM config_directory see "postconf -d" output

<p> The default location of the Postfix main.cf and master.cf
configuration files. This can be overruled via the following
mechanisms: </p>

<ul>

<li> <p> The MAIL_CONFIG environment variable (daemon processes
and commands). </p>

<li> <p> The "-c" command-line option (commands only). </p>

</ul>

<p> With Postfix commands that run with set-gid privileges, a
config_directory override either requires root privileges, or it
requires that the directory is listed with the alternate_config_directories
parameter in the default main.cf file.
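</p>

<p> The virtual_mailbox_maps, virtual_mailbox_base, virtual_uid_maps,
virtual_gid_maps and virtual_minimum_uid descriptions above together
define how the virtual(8) agent turns a recipient address into a
mailbox path and a UID/GID pair: the lookup key order (full address,
unextended address, then "@domain.tld"), the bare "domain.tld" entries
needed with the default virtual_mailbox_domains = $virtual_mailbox_maps,
the unconditional virtual_mailbox_base prefix, the trailing-slash
maildir rule, and deferral when the UID is below virtual_minimum_uid.
The following Python model is an added example, not Postfix code; the
tables, addresses and numeric IDs are constructed, "+" stands in for
recipient_delimiter as in the user+foo@domain.tld example above, and
treating a missing UID/GID as a deferred configuration error is an
assumption of the example. </p>

```python
"""Resolve a virtual(8) mailbox delivery as this section describes it.

Added illustration, not Postfix code. Key order, "domain.tld" entries,
virtual_mailbox_base prefixing, the trailing-slash maildir rule and the
virtual_minimum_uid check follow the parameter text; the sample tables
below are constructed, each dict standing in for one "type:name" table.
"""


class UnknownRecipient(Exception):
    """The SMTP server would reject this address as unknown."""


class Deferred(Exception):
    """Delivery would be deferred (e.g. UID below virtual_minimum_uid)."""


def lookup_keys(address, delimiter="+"):
    """Keys the virtual(8) agent tries, in order, for one recipient:
    full address, unextended address (if an extension is present),
    then the "@domain.tld" catch-all entry."""
    localpart, _, domain = address.rpartition("@")
    keys = [address]
    if delimiter in localpart:
        keys.append(localpart.split(delimiter, 1)[0] + "@" + domain)
    keys.append("@" + domain)
    return keys


def maps_find(tables, keys):
    """For each key in order, search the tables in the specified order;
    the first match wins, as the 'Specify zero or more ...' text says."""
    for key in keys:
        for table in tables:
            if key in table:
                return table[key]
    return None


class VirtualDelivery:
    def __init__(self, mailbox_base, mailbox_maps, uid_maps, gid_maps, minimum_uid=100):
        self.mailbox_base = mailbox_base      # virtual_mailbox_base
        self.mailbox_maps = mailbox_maps      # virtual_mailbox_maps
        self.uid_maps = uid_maps              # virtual_uid_maps
        self.gid_maps = gid_maps              # virtual_gid_maps
        self.minimum_uid = minimum_uid        # virtual_minimum_uid (default 100)

    def is_mailbox_domain(self, domain):
        # Default virtual_mailbox_domains = $virtual_mailbox_maps: the domain
        # must be present as a bare "domain.tld" key; its value is unused.
        return maps_find(self.mailbox_maps, [domain]) is not None

    def resolve(self, recipient):
        domain = recipient.rpartition("@")[2]
        if not self.is_mailbox_domain(domain):
            raise UnknownRecipient("%s: not a virtual mailbox domain" % recipient)
        keys = lookup_keys(recipient)
        path = maps_find(self.mailbox_maps, keys)
        if path is None:
            # smtpd_reject_unlisted_recipient: the SMTP server answers
            # with unknown_virtual_mailbox_reject_code (550 by default).
            raise UnknownRecipient("%s: not listed in virtual_mailbox_maps" % recipient)
        uid, gid = maps_find(self.uid_maps, keys), maps_find(self.gid_maps, keys)
        if uid is None or gid is None:
            # Assumption of this example: a missing UID/GID is a
            # configuration error that defers rather than bounces.
            raise Deferred("%s: no entry in virtual_uid_maps/virtual_gid_maps" % recipient)
        uid, gid = int(uid), int(gid)
        if uid < self.minimum_uid:
            raise Deferred("%s: uid %d below virtual_minimum_uid %d"
                           % (recipient, uid, self.minimum_uid))
        # virtual_mailbox_base is unconditionally prepended; a trailing "/"
        # in the lookup result selects maildir delivery, else a mailbox file.
        return {"path": self.mailbox_base + "/" + path,
                "maildir": path.endswith("/"), "uid": uid, "gid": gid}


def classify(agent, recipient):
    """Reduce the outcome to what an operator sees: delivery parameters,
    an SMTP-time 550 rejection, or a deferred delivery."""
    try:
        return ("deliver", agent.resolve(recipient))
    except UnknownRecipient:
        return ("reject 550", None)
    except Deferred:
        return ("defer", None)


# Constructed sample tables.
MAILBOX_MAPS = [{
    "example.com": "OK",                               # domain entry; RHS unused
    "alice@example.com": "example.com/alice/",         # trailing "/": maildir
    "bob+lists@example.com": "example.com/bob-lists/",
    "@example.com": "example.com/catchall",            # mailbox file for the rest
}]
UID_MAPS = [{"bob+lists@example.com": "50", "@example.com": "5000"}]
GID_MAPS = [{"@example.com": "5000"}]
AGENT = VirtualDelivery("/var/mail", MAILBOX_MAPS, UID_MAPS, GID_MAPS, minimum_uid=100)

if __name__ == "__main__":
    for rcpt in ("alice+news@example.com", "carol@example.com",
                 "bob+lists@example.com", "dave@other.org"):
        print("%-24s %s" % (rcpt, classify(AGENT, rcpt)))
```

<p> The bob+lists entry shows why virtual_minimum_uid matters: a map that
hands back a low UID would otherwise write mail as a system account, and
the agent defers instead. The dave@other.org case is refused at SMTP time
because the domain has no "domain.tld" entry, which is the check the
default virtual_mailbox_domains setting depends on.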
</p>

%PARAM virtual_maps

<p> Optional lookup tables with a) names of domains for which all
addresses are aliased to addresses in other local or remote domains,
and b) addresses that are aliased to addresses in other local or
remote domains. Available before Postfix version 2.0. With Postfix
version 2.0 and later, this is replaced by separate controls: virtual_alias_domains
and virtual_alias_maps. </p>

%PARAM smtp_discard_ehlo_keywords

<p> A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix SMTP client will ignore in the EHLO
response from a remote SMTP server. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

<p> Notes: </p>

<ul>

<li> <p> Specify the <b>silent-discard</b> pseudo keyword to prevent
this action from being logged. </p>

<li> <p> Use the smtp_discard_ehlo_keyword_address_maps feature to
discard EHLO keywords selectively. </p>

</ul>

%PARAM smtpd_discard_ehlo_keywords

<p> A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix SMTP server will not send in the EHLO
response
to a remote SMTP client. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

<p> Notes: </p>

<ul>

<li> <p> Specify the <b>silent-discard</b> pseudo keyword to prevent
this action from being logged. </p>

<li> <p> Use the smtpd_discard_ehlo_keyword_address_maps feature
to discard EHLO keywords selectively. </p>

</ul>

%PARAM smtp_discard_ehlo_keyword_address_maps

<p> Lookup tables, indexed by the remote SMTP server address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP client will ignore in the EHLO response from a
remote SMTP server. See smtp_discard_ehlo_keywords for details.
The
table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtpd_discard_ehlo_keyword_address_maps

<p> Lookup tables, indexed by the remote SMTP client address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP server will not send in the EHLO response
to a
remote SMTP client. See smtpd_discard_ehlo_keywords for details.
The tables are not searched by hostname for robustness reasons. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM connection_cache_service_name scache

<p> The name of the scache(8) connection cache service. This service
maintains a limited pool of cached sessions. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM connection_cache_ttl_limit 2s

<p> The maximal time-to-live value that the scache(8) connection
cache server
allows. Requests that specify a larger TTL will be stored with the
maximum allowed TTL. The purpose of this additional control is to
protect the infrastructure against careless people. The cache TTL
is already bounded by $max_idle. </p>

%PARAM connection_cache_status_update_time 600s

<p> How frequently the scache(8) server logs usage statistics with
connection cache hit and miss rates for logical destinations and for
physical endpoints.
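</p>

<p> The smtp_discard_ehlo_keywords, smtpd_discard_ehlo_keywords and
the two *_discard_ehlo_keyword_address_maps parameters above describe
one filter applied to a multi-line EHLO response: a case insensitive
keyword list, the <b>silent-discard</b> pseudo keyword that suppresses
the log line, and per-address tables that apply the filter selectively.
The following Python function is an added example, not Postfix code,
that applies such a list to a response; the response lines, the peer
addresses and the log message text are constructed, and the assumption
that a matching address-map entry replaces the global list for that
peer is the example's own. </p>

```python
"""Apply Postfix-style EHLO keyword discard lists to an EHLO response.

Added illustration, not Postfix code. Implements the behaviour the
*_discard_ehlo_keywords and *_discard_ehlo_keyword_address_maps text
describes; whether a per-address entry replaces or extends the global
list is not stated there, so this example assumes "replaces".
"""
import re

# Lists are separated by whitespace or comma, like other Postfix lists.
_SEP = re.compile(r"[\s,]+")


def parse_discard_list(text):
    """Return (set of lower-cased keywords to drop, silent flag)."""
    words = {w.lower() for w in _SEP.split(text.strip()) if w}
    silent = "silent-discard" in words
    words.discard("silent-discard")
    return words, silent


def select_discard_list(global_list, peer_address, address_maps):
    """Pick the list for this peer: the first address-map table that has
    the peer's IP address wins (assumption: it replaces the global list);
    otherwise the global smtp(d)_discard_ehlo_keywords value applies."""
    for table in address_maps:
        if peer_address in table:
            return table[peer_address]
    return global_list


def filter_ehlo_response(lines, global_list, peer_address="", address_maps=()):
    """Drop the listed keywords from an EHLO reply.

    lines: reply lines such as "250-PIPELINING"; the first line carries
    the host name and is never treated as a keyword. Returns the kept
    lines, with the final "250 " (space) terminator re-established if
    the last keyword line was removed, and the log message or None."""
    discard, silent = parse_discard_list(
        select_discard_list(global_list, peer_address, address_maps))
    kept, dropped = [lines[0]], []
    for line in lines[1:]:
        keyword = line[4:].split(None, 1)[0] if len(line) > 4 else ""
        if keyword.lower() in discard:
            dropped.append(keyword)
        else:
            kept.append(line)
    # "250-" marks a continuation line, "250 " the last line of the reply.
    kept = ["250-" + l[4:] for l in kept[:-1]] + ["250 " + kept[-1][4:]]
    log = None
    if dropped and not silent:
        log = "discarding EHLO keywords: " + " ".join(dropped)  # constructed format
    return kept, log


# Constructed sample EHLO response, as a server would send it.
SAMPLE_EHLO = [
    "250-mail.example.com",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]

if __name__ == "__main__":
    kept, log = filter_ehlo_response(SAMPLE_EHLO, "pipelining, STARTTLS")
    print("\n".join(kept))
    print(log)
```

<p> Discarding <b>starttls</b> for a peer quietly turns that session into
cleartext, so the log line is the only trace of the downgrade; the
silent-discard pseudo keyword removes that trace and is best reserved
for peers where the noise is understood. Note also the terminator
handling: a reply whose last keyword line was dropped must still end in
a "250 " line, or the peer will wait for more.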
</p>

%PARAM remote_header_rewrite_domain

<p> Rewrite or add message headers in mail from remote clients if
this parameter value is non-empty, updating incomplete addresses
with the domain specified here, and adding missing headers.
</p>

<p> The
local_header_rewrite_clients parameter controls what clients Postfix
considers local. </p>

<p> Examples: </p>

<p> The safe setting: append "domain.invalid" to incomplete header
addresses from remote SMTP clients, so that those addresses cannot
be confused with local addresses. </p>

<blockquote>
<pre>
remote_header_rewrite_domain = domain.invalid
</pre>
</blockquote>

<p> The default, purist, setting: don't rewrite headers from remote
clients at all. </p>

<blockquote>
<pre>
remote_header_rewrite_domain =
</pre>
</blockquote>

%PARAM local_header_rewrite_clients permit_inet_interfaces

<p> Rewrite or add message headers in mail from these clients,
updating incomplete addresses with the domain name in $myorigin or
$mydomain, and adding missing headers. </p>

<p> See the append_at_myorigin and append_dot_mydomain parameters
for details of how domain names are appended to incomplete addresses.
</p>

<p> See remote_header_rewrite_domain to optionally rewrite or add
message headers in mail from other clients. </p>

<p> Specify a list of zero or more of the following: </p>

<dl>

<dt><b>permit_inet_interfaces</b></dt>

<dd> Append the domain name in $myorigin or $mydomain when the
client IP address matches $inet_interfaces. This is enabled by
default.
</dd> 9417 9418<dt><b>permit_mynetworks</b></dt> 9419 9420<dd> Append the domain name in $myorigin or $mydomain when the 9421client IP address matches any network or network address listed in 9422$mynetworks. This setting will not prevent remote mail header 9423address rewriting when mail from a remote client is forwarded by 9424a neighboring system. </dd> 9425 9426<dt><b>permit_sasl_authenticated </b></dt> 9427 9428<dd> Append the domain name in $myorigin or $mydomain when the 9429client is successfully authenticated via the RFC 4954 (AUTH) 9430protocol. </dd> 9431 9432<dt><b>permit_tls_clientcerts </b></dt> 9433 9434<dd> Append the domain name in $myorigin or $mydomain when the 9435remote SMTP client TLS certificate fingerprint or public key fingerprint 9436(Postfix 2.9 and later) is listed in $relay_clientcerts. 9437The fingerprint digest algorithm is configurable via the 9438smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to 9439Postfix version 2.5). </dd> 9440 9441<dd> The default algorithm is <b>sha256</b> with Postfix ≥ 3.6 9442and the <b>compatibility_level</b> set to 3.6 or higher. With Postfix 9443≤ 3.5, the default algorithm is <b>md5</b>. The best-practice 9444algorithm is now <b>sha256</b>. Recent advances in hash function 9445cryptanalysis have led to md5 and sha1 being deprecated in favor of 9446sha256. However, as long as there are no known "second pre-image" 9447attacks against the older algorithms, their use in this context, though 9448not recommended, is still likely safe. </dd> 9449 9450<dt><b>permit_tls_all_clientcerts </b></dt> 9451 9452<dd> Append the domain name in $myorigin or $mydomain when the 9453remote SMTP client TLS certificate is successfully verified, regardless of 9454whether it is listed on the server, and regardless of the certifying 9455authority. 
</dd> 9456 9457<dt><b><a name="check_address_map">check_address_map</a> <i><a href="DATABASE_README.html">type:table</a></i> </b></dt> 9458 9459<dt><b><i><a href="DATABASE_README.html">type:table</a></i> </b></dt> 9460 9461<dd> Append the domain name in $myorigin or $mydomain when the 9462client IP address matches the specified lookup table. 9463The lookup result is ignored, and no subnet lookup is done. This 9464is suitable for, e.g., pop-before-smtp lookup tables. </dd> 9465 9466</dl> 9467 9468<p> Examples: </p> 9469 9470<p> The Postfix < 2.2 backwards compatible setting: always rewrite 9471message headers, and always append my own domain to incomplete 9472header addresses. </p> 9473 9474<blockquote> 9475<pre> 9476local_header_rewrite_clients = static:all 9477</pre> 9478</blockquote> 9479 9480<p> The purist (and default) setting: rewrite headers only in mail 9481from Postfix sendmail and in SMTP mail from this machine. </p> 9482 9483<blockquote> 9484<pre> 9485local_header_rewrite_clients = permit_inet_interfaces 9486</pre> 9487</blockquote> 9488 9489<p> The intermediate setting: rewrite header addresses and append 9490$myorigin or $mydomain information only with mail from Postfix 9491sendmail, from local clients, or from authorized SMTP clients. </p> 9492 9493<p> Note: this setting will not prevent remote mail header address 9494rewriting when mail from a remote client is forwarded by a neighboring 9495system. </p> 9496 9497<blockquote> 9498<pre> 9499local_header_rewrite_clients = permit_mynetworks, 9500 permit_sasl_authenticated permit_tls_clientcerts 9501 check_address_map hash:/etc/postfix/pop-before-smtp 9502</pre> 9503</blockquote> 9504 9505%PARAM smtpd_tls_cert_file 9506 9507<p> File with the Postfix SMTP server RSA certificate in PEM format. 9508This file may also contain the Postfix SMTP server private RSA key. 9509With Postfix ≥ 3.4 the preferred way to configure server keys and 9510certificates is via the "smtpd_tls_chain_files" parameter. 
</p>

<p> Public Internet MX hosts without certificates signed by a "reputable"
CA must generate, and be prepared to present to most clients, a
self-signed or private-CA signed certificate. The client will not be
able to authenticate the server, but unless it is running Postfix 2.3 or
similar software, it will still insist on a server certificate. </p>

<p> For servers that are <b>not</b> public Internet MX hosts, Postfix
supports configurations with no certificates. This entails the use of
just the anonymous TLS ciphers, which are not supported by typical SMTP
clients. Since some clients may not fall back to plain text after a TLS
handshake failure, a certificate-less Postfix SMTP server will be unable
to receive email from some TLS-enabled clients. To avoid accidental
configurations with no certificates, Postfix enables certificate-less
operation only when the administrator explicitly sets
"smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server
configurations will not accidentally enable TLS without certificates. </p>

<p> Note that server certificates are not optional in TLS 1.3. To run
without certificates you'd have to disable the TLS 1.3 protocol by
including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also
"smtpd_tls_mandatory_protocols". It is simpler instead to just
configure a certificate chain. Certificate-less operation is not
recommended. </p>

<p> Both RSA and DSA certificates are supported (DSA is obsolete, see
smtpd_tls_dcert_file; ECDSA certificates are configured with
smtpd_tls_eccert_file). When both types are present, the cipher used
determines which certificate will be presented to the client. For
Netscape and OpenSSL clients without special cipher choices the RSA
certificate is preferred. </p>

<p> To enable a remote SMTP client to verify the Postfix SMTP server
certificate, the issuing CA certificates must be made available to the
client.
You should include the required certificates in the server 9544certificate file, the server certificate first, then the issuing 9545CA(s) (bottom-up order). </p> 9546 9547<p> Example: the certificate for "server.example.com" was issued by 9548"intermediate CA" which itself has a certificate of "root CA". 9549Create the server.pem file with "cat server_cert.pem intermediate_CA.pem 9550root_CA.pem > server.pem". </p> 9551 9552<p> If you also want to verify client certificates issued by these 9553CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which 9554case it is not necessary to have them in the smtpd_tls_cert_file, 9555smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file. </p> 9556 9557<p> A certificate supplied here must be usable as an SSL server certificate 9558and hence pass the "openssl verify -purpose sslserver ..." test. </p> 9559 9560<p> Example: </p> 9561 9562<pre> 9563smtpd_tls_cert_file = /etc/postfix/server.pem 9564</pre> 9565 9566<p> This feature is available in Postfix 2.2 and later. </p> 9567 9568%PARAM smtpd_tls_key_file $smtpd_tls_cert_file 9569 9570<p> File with the Postfix SMTP server RSA private key in PEM format. 9571This file may be combined with the Postfix SMTP server RSA certificate 9572file specified with $smtpd_tls_cert_file. With Postfix ≥ 3.4 the 9573preferred way to configure server keys and certificates is via the 9574"smtpd_tls_chain_files" parameter. </p> 9575 9576<p> The private key must be accessible without a pass-phrase, i.e. it 9577must not be encrypted. File permissions should grant read-only 9578access to the system superuser account ("root"), and no access 9579to anyone else. </p> 9580 9581%PARAM smtpd_tls_dcert_file 9582 9583<p> File with the Postfix SMTP server DSA certificate in PEM format. 9584This file may also contain the Postfix SMTP server private DSA key. 9585The DSA algorithm is obsolete and should not be used. </p> 9586 9587<p> See the discussion under smtpd_tls_cert_file for more details. 
9588</p> 9589 9590<p> Example: </p> 9591 9592<pre> 9593smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem 9594</pre> 9595 9596<p> This feature is available in Postfix 2.2 and later. </p> 9597 9598%PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file 9599 9600<p> File with the Postfix SMTP server DSA private key in PEM format. 9601This file may be combined with the Postfix SMTP server DSA certificate 9602file specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete 9603and should not be used. </p> 9604 9605<p> The private key must be accessible without a pass-phrase, i.e. it 9606must not be encrypted. File permissions should grant read-only 9607access to the system superuser account ("root"), and no access 9608to anyone else. </p> 9609 9610<p> This feature is available in Postfix 2.2 and later. </p> 9611 9612%PARAM smtpd_tls_CAfile 9613 9614<p> A file containing (PEM format) CA certificates of root CAs trusted 9615to sign either remote SMTP client certificates or intermediate CA 9616certificates. These are loaded into memory before the smtpd(8) server 9617enters the chroot jail. If the number of trusted roots is large, consider 9618using smtpd_tls_CApath instead, but note that the latter directory must 9619be present in the chroot jail if the smtpd(8) server is chrooted. This 9620file may also be used to augment the server certificate trust chain, 9621but it is best to include all the required certificates directly in the 9622server certificate file. </p> 9623 9624<p> Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY 9625the system-supplied default Certification Authority certificates. 9626</p> 9627 9628<p> Specify "tls_append_default_CA = no" to prevent Postfix from 9629appending the system-supplied default CAs and trusting third-party 9630certificates. </p> 9631 9632<p> By default (see smtpd_tls_ask_ccert), client certificates are not 9633requested, and smtpd_tls_CAfile should remain empty. 
If you do make use 9634of client certificates, the distinguished names (DNs) of the Certification 9635Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client 9636in the client certificate request message. MUAs with multiple client 9637certificates may use the list of preferred Certification Authorities 9638to select the correct client certificate. You may want to put your 9639"preferred" CA or CAs in this file, and install other trusted CAs in 9640$smtpd_tls_CApath. </p> 9641 9642<p> Example: </p> 9643 9644<pre> 9645smtpd_tls_CAfile = /etc/postfix/CAcert.pem 9646</pre> 9647 9648<p> This feature is available in Postfix 2.2 and later. </p> 9649 9650%PARAM smtpd_tls_CApath 9651 9652<p> A directory containing (PEM format) CA certificates of root CAs 9653trusted to sign either remote SMTP client certificates or intermediate CA 9654certificates. Do not forget to create the necessary "hash" links with, 9655for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use 9656smtpd_tls_CApath in chroot mode, this directory (or a copy) must be 9657inside the chroot jail. </p> 9658 9659<p> Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to 9660use ONLY the system-supplied default Certification Authority certificates. 9661</p> 9662 9663<p> Specify "tls_append_default_CA = no" to prevent Postfix from 9664appending the system-supplied default CAs and trusting third-party 9665certificates. </p> 9666 9667<p> By default (see smtpd_tls_ask_ccert), client certificates are 9668not requested, and smtpd_tls_CApath should remain empty. In contrast 9669to smtpd_tls_CAfile, DNs of Certification Authorities installed 9670in $smtpd_tls_CApath are not included in the client certificate 9671request message. MUAs with multiple client certificates may use the 9672list of preferred Certification Authorities to select the correct 9673client certificate. 
You may want to put your "preferred" CA or 9674CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in 9675$smtpd_tls_CApath. </p> 9676 9677<p> Example: </p> 9678 9679<pre> 9680smtpd_tls_CApath = /etc/postfix/certs 9681</pre> 9682 9683<p> This feature is available in Postfix 2.2 and later. </p> 9684 9685%PARAM smtpd_tls_loglevel 0 9686 9687<p> Enable additional Postfix SMTP server logging of TLS activity. 9688Each logging level also includes the information that is logged at 9689a lower logging level. </p> 9690 9691<dl compact> 9692 9693<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd> 9694 9695<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion 9696— no logging of client certificate trust-chain verification errors 9697if client certificate verification is not required. With Postfix 2.8 and 9698earlier, log the summary message, peer certificate summary information 9699and unconditionally log trust-chain verification errors. </dd> 9700 9701<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> 9702 9703<dt> </dt> <dd> 3 Also log hexadecimal and ASCII dump of TLS negotiation 9704process. </dd> 9705 9706<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete 9707transmission after STARTTLS. </dd> 9708 9709</dl> 9710 9711<p> Do not use "smtpd_tls_loglevel = 2" or higher except in case 9712of problems. Use of loglevel 4 is strongly discouraged. </p> 9713 9714<p> This feature is available in Postfix 2.2 and later. </p> 9715 9716%PARAM smtpd_tls_received_header no 9717 9718<p> Request that the Postfix SMTP server produces Received: message 9719headers that include information about the protocol and cipher used, 9720as well as the remote SMTP client CommonName and client certificate issuer 9721CommonName. This is disabled by default, as the information may 9722be modified in transit through other mail servers. Only information 9723that was recorded by the final destination can be trusted. 
</p> 9724 9725<p> This feature is available in Postfix 2.2 and later. </p> 9726 9727%PARAM smtpd_use_tls no 9728 9729<p> Opportunistic TLS: announce STARTTLS support to remote SMTP clients, 9730but do not require that clients use TLS encryption. </p> 9731 9732<p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer 9733STARTTLS due to insufficient privileges to access the server private 9734key. This is intended behavior. </p> 9735 9736<p> This feature is available in Postfix 2.2 and later. With 9737Postfix 2.3 and later use smtpd_tls_security_level instead. </p> 9738 9739%PARAM smtpd_enforce_tls no 9740 9741<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients, 9742and require that clients use TLS encryption. According to RFC 2487 9743this MUST NOT be applied in case of a publicly-referenced SMTP 9744server. This option is therefore off by default. </p> 9745 9746<p> Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes". </p> 9747 9748<p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer 9749STARTTLS due to insufficient privileges to access the server private 9750key. This is intended behavior. </p> 9751 9752<p> This feature is available in Postfix 2.2 and later. With 9753Postfix 2.3 and later use smtpd_tls_security_level instead. </p> 9754 9755%PARAM smtpd_tls_wrappermode no 9756 9757<p> Run the Postfix SMTP server in TLS "wrapper" mode, 9758instead of using the STARTTLS command. </p> 9759 9760<p> If you want to support this service, enable a special port in 9761master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP 9762server's command line. Port 465 (submissions/smtps) is reserved for 9763this purpose. </p> 9764 9765<p> This feature is available in Postfix 2.2 and later. </p> 9766 9767%PARAM smtpd_tls_ask_ccert no 9768 9769<p> Ask a remote SMTP client for a client certificate. 
This 9770information is needed for certificate based mail relaying with, 9771for example, the permit_tls_clientcerts feature. </p> 9772 9773<p> Some clients such as Netscape will either complain if no 9774certificate is available (for the list of CAs in $smtpd_tls_CAfile) 9775or will offer multiple client certificates to choose from. This 9776may be annoying, so this option is "off" by default. </p> 9777 9778<p> This feature is available in Postfix 2.2 and later. </p> 9779 9780%PARAM smtpd_tls_req_ccert no 9781 9782<p> With mandatory TLS encryption, require a trusted remote SMTP client 9783certificate in order to allow TLS connections to proceed. This 9784option implies "smtpd_tls_ask_ccert = yes". </p> 9785 9786<p> When TLS encryption is optional, this setting is ignored with 9787a warning written to the mail log. </p> 9788 9789<p> This feature is available in Postfix 2.2 and later. </p> 9790 9791%PARAM smtpd_tls_ccert_verifydepth 9 9792 9793<p> The verification depth for remote SMTP client certificates. A 9794depth of 1 is sufficient if the issuing CA is listed in a local CA 9795file. </p> 9796 9797<p> The default verification depth is 9 (the OpenSSL default) for 9798compatibility with earlier Postfix behavior. Prior to Postfix 2.5, 9799the default value was 5, but the limit was not actually enforced. If 9800you have set this to a lower non-default value, certificates with longer 9801trust chains may now fail to verify. Certificate chains with 1 or 2 9802CAs are common, deeper chains are more rare and any number between 5 9803and 9 should suffice in practice. You can choose a lower number if, 9804for example, you trust certificates directly signed by an issuing CA 9805but not any CAs it delegates to. </p> 9806 9807<p> This feature is available in Postfix 2.2 and later. 
</p> 9808 9809%PARAM smtpd_tls_auth_only no 9810 9811<p> When TLS encryption is optional in the Postfix SMTP server, do 9812not announce or accept SASL authentication over unencrypted 9813connections. </p> 9814 9815<p> This feature is available in Postfix 2.2 and later. </p> 9816 9817%PARAM smtpd_tls_session_cache_database 9818 9819<p> Name of the file containing the optional Postfix SMTP server 9820TLS session cache. Specify a database type that supports enumeration, 9821such as <b>btree</b> or <b>sdbm</b>; there is no need to support 9822concurrent access. The file is created if it does not exist. The smtpd(8) 9823daemon does not use this parameter directly, rather the cache is 9824implemented indirectly in the tlsmgr(8) daemon. This means that 9825per-smtpd-instance master.cf overrides of this parameter are not 9826effective. Note that each of the cache databases supported by tlsmgr(8) 9827daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database 9828(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be 9829stored separately. It is not at this time possible to store multiple 9830caches in a single database. </p> 9831 9832<p> Note: <b>dbm</b> databases are not suitable. TLS 9833session objects are too large. </p> 9834 9835<p> As of version 2.5, Postfix no longer uses root privileges when 9836opening this file. The file should now be stored under the Postfix-owned 9837data_directory. As a migration aid, an attempt to open the file 9838under a non-Postfix directory is redirected to the Postfix-owned 9839data_directory, and a warning is logged. </p> 9840 9841 9842<p> As of Postfix 2.11 the preferred mechanism for session resumption 9843is RFC 5077 TLS session tickets, which don't require server-side 9844storage. Consequently, for Postfix ≥ 2.11 this parameter should 9845generally be left empty. TLS session tickets require an OpenSSL 9846library (at least version 0.9.8h) that provides full support for 9847this TLS extension. 
See also smtpd_tls_session_cache_timeout. </p> 9848 9849<p> Example: </p> 9850 9851<pre> 9852smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache 9853</pre> 9854 9855<p> This feature is available in Postfix 2.2 and later. </p> 9856 9857%PARAM smtpd_tls_session_cache_timeout 3600s 9858 9859<p> The expiration time of Postfix SMTP server TLS session cache 9860information. A cache cleanup is performed periodically 9861every $smtpd_tls_session_cache_timeout seconds. As with 9862$smtpd_tls_session_cache_database, this parameter is implemented in the 9863tlsmgr(8) daemon and therefore per-smtpd-instance master.cf overrides 9864are not possible. </p> 9865 9866<p> As of Postfix 2.11 this setting cannot exceed 100 days. If set 9867≤ 0, session caching is disabled, not just via the database, but 9868also via RFC 5077 TLS session tickets, which don't require server-side 9869storage. If set to a positive value less than 2 minutes, the minimum 9870value of 2 minutes is used instead. TLS session tickets require 9871an OpenSSL library (at least version 0.9.8h) that provides full 9872support for this TLS extension. </p> 9873 9874<p> Specify a non-negative time value (an integral value plus an optional 9875one-letter suffix that specifies the time unit). Time units: s 9876(seconds), m (minutes), h (hours), d (days), w (weeks). 9877The default time unit is s (seconds). </p> 9878 9879<p> This feature is available in Postfix 2.2 and later, and updated 9880for TLS session ticket support in Postfix 2.11. </p> 9881 9882%PARAM relay_clientcerts 9883 9884<p> List of tables with remote SMTP client-certificate fingerprints or 9885public key fingerprints (Postfix 2.9 and later) for which the Postfix 9886SMTP server will allow access with the permit_tls_clientcerts 9887feature. The fingerprint digest algorithm is configurable via the 9888smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to 9889Postfix version 2.5). 
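</p>

<p> The following is an added example; it is not part of Postfix or of
its documentation. It runs the recipes from this page end to end with
openssl(1): it builds a throw-away root CA, intermediate CA and leaf
certificate in a scratch directory, assembles a chain file in the
leaf-first order described under smtpd_tls_cert_file and
smtp_tls_cert_file, applies the "openssl verify -purpose sslserver"
and "-purpose sslclient" tests, creates the hash links that
smtpd_tls_CApath needs, and derives both the certificate fingerprint
and the public key fingerprint in the colon-separated uppercase hex
form that a relay_clientcerts table takes. It assumes openssl 1.1.1 or
later on the PATH and needs no Postfix binaries. The subject names,
mail.example.com, the file names and the digest choice are all invented
for the demonstration. </p>

```shell
#!/bin/sh
# Added example, not part of Postfix: build a throw-away root -> intermediate
# -> leaf PKI in a scratch directory, assemble the chain file leaf-first as the
# smtpd_tls_cert_file/smtp_tls_cert_file text describes, run the
# "openssl verify -purpose ..." check, and derive relay_clientcerts fingerprints.
# Assumes openssl(1) 1.1.1 or later on PATH; no Postfix binaries are needed.
# All names (test root, mail.example.com, ...) are invented.
set -eu

# make_test_pki DIR: create root.{key,pem}, intermediate.{key,pem}, leaf.{key,pem}.
# CA/leaf extensions come from -extfile, so the result does not depend on the
# v3_ca section of the system openssl.cnf. 2-day lifetimes: this is a test PKI.
make_test_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$dir/leaf.ext"
    printf 'extendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:mail.example.com\n' >>"$dir/leaf.ext"
    for name in root intermediate leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
            -out "$dir/$name.csr" -subj "/CN=test $name" 2>/dev/null
    done
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/intermediate.pem" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# build_chain OUT FILE...: concatenate key and/or certificates into OUT under a
# private umask: a combined file that holds the private key must be 0600.
build_chain() {
    out=$1; shift
    (umask 077 && cat "$@" >"$out")
    chmod 600 "$out"
}

# verify_purpose PURPOSE ROOT CHAIN: the "openssl verify -purpose ..." test from
# the text. openssl verify checks the first certificate in CHAIN, which is why
# the leaf must come first; the bundled intermediate(s) are passed as -untrusted.
verify_purpose() {
    openssl verify -purpose "$1" -CAfile "$2" -untrusted "$3" "$3" >/dev/null 2>&1
}

# populate_capath DIR CA...: copy CA certs into DIR and create the "hash" links
# that smtpd_tls_CApath/smtp_tls_CApath need (openssl rehash, or c_rehash on
# installs that lack it). A chrooted daemon needs a copy inside the jail.
populate_capath() {
    dir=$1; shift
    mkdir -p "$dir" && cp "$@" "$dir"/
    openssl rehash "$dir" 2>/dev/null || c_rehash "$dir" >/dev/null
}

# cert_fingerprint CERT [DIGEST]: fingerprint of the whole certificate as
# uppercase colon-separated hex, the encoding Postfix uses for its digests.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-${2:-sha256}" | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# pkey_fingerprint CERT [DIGEST]: digest of the DER-encoded SubjectPublicKeyInfo,
# the "public key fingerprint" of Postfix >= 2.9. Unlike the certificate
# fingerprint it survives a certificate renewal that keeps the same key.
pkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst "-${2:-sha256}" -c | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# relay_clientcerts_entry CERT LABEL [DIGEST]: one "key value" table line. The
# value is ignored by permit_tls_clientcerts, so any label will do. DIGEST must
# match smtpd_tls_fingerprint_digest on the server.
relay_clientcerts_entry() {
    printf '%s %s\n' "$(pkey_fingerprint "$1" "${3:-sha256}")" "$2"
}

# Demo run in a scratch directory that is removed on exit.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_test_pki "$work"
# Server side: leaf first, then the issuing CA(s); the key stays in its own file
# (smtpd_tls_key_file). With set -e a failed verification aborts the script.
build_chain "$work/server.pem" "$work/leaf.pem" "$work/intermediate.pem" "$work/root.pem"
verify_purpose sslserver "$work/root.pem" "$work/server.pem"
echo "server chain: OK"
# Client side (smtp_tls_cert_file): same certificates, different purpose.
verify_purpose sslclient "$work/root.pem" "$work/server.pem"
echo "client chain: OK"
populate_capath "$work/certs" "$work/root.pem"
relay_clientcerts_entry "$work/leaf.pem" mail.example.com >"$work/relay_clientcerts"
cat "$work/relay_clientcerts"     # then: postmap hash:/etc/postfix/relay_clientcerts
```

<p> Run it as an unprivileged user; it needs only openssl and a writable
temporary directory. To adapt it, point build_chain at the real leaf and
CA files, put the result where smtpd_tls_cert_file (or
smtp_tls_cert_file) expects it, keep the private key in a root-only
0600 file, and append the relay_clientcerts_entry output to the
relay_clientcerts table followed by "postmap
hash:/etc/postfix/relay_clientcerts". On a server whose
smtpd_tls_fingerprint_digest is still md5, pass md5 as the third
argument so that the table key uses the same digest the server
computes.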
</p> 9890 9891<p> The default algorithm is <b>sha256</b> with Postfix ≥ 3.6 9892and the <b>compatibility_level</b> set to 3.6 or higher. With Postfix 9893≤ 3.5, the default algorithm is <b>md5</b>. The best-practice 9894algorithm is now <b>sha256</b>. Recent advances in hash function 9895cryptanalysis have led to md5 and sha1 being deprecated in favor of 9896sha256. However, as long as there are no known "second pre-image" 9897attacks against the older algorithms, their use in this context, though 9898not recommended, is still likely safe. </p> 9899 9900<p> Postfix lookup tables are in the form of (key, value) pairs. 9901Since we only need the key, the value can be chosen freely, e.g. 9902the name of the user or host: 9903D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p> 9904 9905<p> Example: </p> 9906 9907<pre> 9908relay_clientcerts = hash:/etc/postfix/relay_clientcerts 9909</pre> 9910 9911<p>For more fine-grained control, use check_ccert_access to select 9912an appropriate access(5) policy for each client. 9913See RESTRICTION_CLASS_README.</p> 9914 9915<p>This feature is available with Postfix version 2.2.</p> 9916 9917%PARAM smtpd_tls_cipherlist 9918 9919<p> Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS 9920cipher list. It is easy to create interoperability problems by choosing 9921a non-default cipher list. Do not use a non-default TLS cipherlist for 9922MX hosts on the public Internet. Clients that begin the TLS handshake, 9923but are unable to agree on a common cipher, may not be able to send any 9924email to the SMTP server. Using a restricted cipher list may be more 9925appropriate for a dedicated MSA or an internal mailhub, where one can 9926exert some control over the TLS software and settings of the connecting 9927clients. </p> 9928 9929<p> <b>Note:</b> do not use "" quotes around the parameter value. </p> 9930 9931<p>This feature is available with Postfix version 2.2. 
It is not used with
Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead. </p>

%PARAM smtpd_tls_dh1024_param_file

<p> File with DH parameters that the Postfix SMTP server should
use with non-export EDH ciphers. </p>

<p> With Postfix ≥ 3.7 built with OpenSSL 3.0.0 or later, if the
parameter value is either empty or "<b>auto</b>", then the DH parameter
selection is delegated to the OpenSSL library, which selects appropriate
parameters based on the TLS handshake. This choice is likely to be the most
interoperable with SMTP clients using various TLS libraries, and custom local
parameters are no longer recommended when using Postfix ≥ 3.7 built against
OpenSSL 3.0.0 or later. </p>

<p> The best-practice choice of parameters uses a 2048-bit prime. This is fine,
despite the historical "1024" in the parameter name. Do not be tempted to use
much larger values: performance degrades quickly, and you may also cease to
interoperate with some mainstream SMTP clients. As of Postfix 3.1, the
compiled-in default prime is 2048 bits, and it is not strictly necessary,
though perhaps somewhat beneficial, to generate custom DH parameters. </p>

<p> Instead of using the exact same parameter sets as distributed
with other TLS packages, it is more secure to generate your own
set of parameters with something like the following commands: </p>

<blockquote>
<pre>
openssl dhparam -out /etc/postfix/dh2048.pem 2048
openssl dhparam -out /etc/postfix/dh1024.pem 1024
# As of Postfix 3.6, export-grade 512-bit DH parameters are no longer
# supported or needed.
openssl dhparam -out /etc/postfix/dh512.pem 512
</pre>
</blockquote>

<p> It is safe to share the same DH parameters between multiple
Postfix instances. If you prefer, you can generate separate
parameters for each instance.
</p> 9971 9972<p> If you want to take maximal advantage of ciphers that offer <a 9973href="FORWARD_SECRECY_README.html#dfn_fs">forward secrecy</a> see 9974the <a href="FORWARD_SECRECY_README.html#quick-start">Getting 9975started</a> section of <a 9976href="FORWARD_SECRECY_README.html">FORWARD_SECRECY_README</a>. The 9977full document conveniently presents all information about Postfix 9978"perfect" forward secrecy support in one place: what forward secrecy 9979is, how to tweak settings, and what you can expect to see when 9980Postfix uses ciphers with forward secrecy. </p> 9981 9982<p> Example: </p> 9983 9984<pre> 9985smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem 9986</pre> 9987 9988<p>This feature is available in Postfix 2.2 and later.</p> 9989 9990%PARAM smtpd_tls_dh512_param_file 9991 9992<p> File with DH parameters that the Postfix SMTP server should 9993use with export-grade EDH ciphers. The default SMTP server cipher 9994grade is "medium" with Postfix releases after the middle of 2015, 9995and as a result export-grade cipher suites are by default not used. 9996</p> 9997 9998<p> With Postfix ≥ 3.6 export-grade Diffie-Hellman key exchange 9999is no longer supported, and this parameter is silently ignored. </p> 10000 10001<p> See also the discussion under the smtpd_tls_dh1024_param_file 10002configuration parameter. </p> 10003 10004<p> Example: </p> 10005 10006<pre> 10007smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem 10008</pre> 10009 10010<p>This feature is available in Postfix 2.2 and later, 10011but is ignored in Postfix 3.6 and later.</p> 10012 10013%PARAM smtpd_starttls_timeout see "postconf -d" output 10014 10015<p> The time limit for Postfix SMTP server write and read operations 10016during TLS startup and shutdown handshake procedures. The current 10017default value is stress-dependent. Before Postfix version 2.8, it 10018was fixed at 300s. 
</p> 10019 10020<p> Specify a non-zero time value (an integral value plus an optional 10021one-letter suffix that specifies the time unit). Time units: s 10022(seconds), m (minutes), h (hours), d (days), w (weeks). 10023The default time unit is s (seconds). </p> 10024 10025<p> This feature is available in Postfix 2.2 and later. </p> 10026 10027%PARAM smtp_tls_cert_file 10028 10029<p> File with the Postfix SMTP client RSA certificate in PEM format. 10030This file may also contain the Postfix SMTP client private RSA key, and 10031these may be the same as the Postfix SMTP server RSA certificate and key 10032file. With Postfix ≥ 3.4 the preferred way to configure client keys 10033and certificates is via the "smtp_tls_chain_files" parameter. </p> 10034 10035<p> Do not configure client certificates unless you <b>must</b> present 10036client TLS certificates to one or more servers. Client certificates are 10037not usually needed, and can cause problems in configurations that work 10038well without them. The recommended setting is to let the defaults stand: </p> 10039 10040<blockquote> 10041<pre> 10042smtp_tls_cert_file = 10043smtp_tls_key_file = 10044smtp_tls_eccert_file = 10045smtp_tls_eckey_file = 10046# Obsolete DSA parameters 10047smtp_tls_dcert_file = 10048smtp_tls_dkey_file = 10049# Postfix ≥ 3.4 interface 10050smtp_tls_chain_files = 10051</pre> 10052</blockquote> 10053 10054<p> The best way to use the default settings is to comment out the above 10055parameters in main.cf if present. </p> 10056 10057<p> To enable remote SMTP servers to verify the Postfix SMTP client 10058certificate, the issuing CA certificates must be made available to the 10059server. You should include the required certificates in the client 10060certificate file, the client certificate first, then the issuing 10061CA(s) (bottom-up order). </p> 10062 10063<p> Example: the certificate for "client.example.com" was issued by 10064"intermediate CA" which itself has a certificate issued by "root CA". 
As the "root" super-user create the chain.pem file, with a umask that
keeps the private key it contains readable by root only: </p>

<blockquote>
<pre>
# <b>umask 077</b>
# <b>cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem </b>
</pre>
</blockquote>

<p> If you also want to verify remote SMTP server certificates issued by
these CAs, you can add the CA certificates to the smtp_tls_CAfile, in
which case it is not necessary to have them in the smtp_tls_cert_file,
smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file. </p>

<p> A certificate supplied here must be usable as an SSL client certificate
and hence pass the "openssl verify -purpose sslclient ..." test. </p>

<p> Example: </p>

<pre>
smtp_tls_cert_file = /etc/postfix/chain.pem
</pre>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_tls_key_file $smtp_tls_cert_file

<p> File with the Postfix SMTP client RSA private key in PEM format.
This file may be combined with the Postfix SMTP client RSA certificate
file specified with $smtp_tls_cert_file. With Postfix ≥ 3.4 the
preferred way to configure client keys and certificates is via the
"smtp_tls_chain_files" parameter. </p>

<p> The private key must be accessible without a pass-phrase, i.e. it
must not be encrypted. File permissions should grant read-only
access to the system superuser account ("root"), and no access
to anyone else. </p>

<p> Example: </p>

<pre>
smtp_tls_key_file = $smtp_tls_cert_file
</pre>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_tls_CAfile

<p> A file containing CA certificates of root CAs trusted to sign
either remote SMTP server certificates or intermediate CA certificates.
These are loaded into memory before the smtp(8) client enters the
chroot jail.
If the number of trusted roots is large, consider using 10117smtp_tls_CApath instead, but note that the latter directory must be 10118present in the chroot jail if the smtp(8) client is chrooted. This 10119file may also be used to augment the client certificate trust chain, 10120but it is best to include all the required certificates directly in 10121$smtp_tls_cert_file (or, Postfix ≥ 3.4 $smtp_tls_chain_files). </p> 10122 10123<p> Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use 10124ONLY the system-supplied default Certification Authority certificates. 10125</p> 10126 10127<p> Specify "tls_append_default_CA = no" to prevent Postfix from 10128appending the system-supplied default CAs and trusting third-party 10129certificates. </p> 10130 10131<p> Example: </p> 10132 10133<pre> 10134smtp_tls_CAfile = /etc/postfix/CAcert.pem 10135</pre> 10136 10137<p> This feature is available in Postfix 2.2 and later. </p> 10138 10139%PARAM smtp_tls_CApath 10140 10141<p> Directory with PEM format Certification Authority certificates 10142that the Postfix SMTP client uses to verify a remote SMTP server 10143certificate. Don't forget to create the necessary "hash" links 10144with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". 10145</p> 10146 10147<p> To use this option in chroot mode, this directory (or a copy) 10148must be inside the chroot jail. </p> 10149 10150<p> Specify "smtp_tls_CApath = /path/to/system_CA_directory" to 10151use ONLY the system-supplied default Certification Authority certificates. 10152</p> 10153 10154<p> Specify "tls_append_default_CA = no" to prevent Postfix from 10155appending the system-supplied default CAs and trusting third-party 10156certificates. </p> 10157 10158<p> Example: </p> 10159 10160<pre> 10161smtp_tls_CApath = /etc/postfix/certs 10162</pre> 10163 10164<p> This feature is available in Postfix 2.2 and later. 
</p>

%PARAM smtp_tls_loglevel 0

<p> Enable additional Postfix SMTP client logging of TLS activity.
Each logging level also includes the information that is logged at
a lower logging level. </p>

<dl compact>

<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>

<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
&mdash; no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, log the summary message and unconditionally
log trust-chain verification errors. </dd>

<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>

<dt> </dt> <dd> 3 Also log the hexadecimal and ASCII dump of the
TLS negotiation process. </dd>

<dt> </dt> <dd> 4 Also log the hexadecimal and ASCII dump of complete
transmission after STARTTLS. </dd>

</dl>

<p> Do not use "smtp_tls_loglevel = 2" or higher except in case of
problems. Use of loglevel 4 is strongly discouraged. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_tls_session_cache_database

<p> Name of the file containing the optional Postfix SMTP client
TLS session cache. Specify a database type that supports enumeration,
such as <b>btree</b> or <b>sdbm</b>; there is no need to support
concurrent access. The file is created if it does not exist. The smtp(8)
daemon does not use this parameter directly, rather the cache is
implemented indirectly in the tlsmgr(8) daemon. This means that
per-smtp-instance master.cf overrides of this parameter are not effective.
Note that each of the cache databases supported by the tlsmgr(8) daemon:
$smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to
be stored separately. It is not at this time possible to store multiple
caches in a single database. </p>

<p> Note: <b>dbm</b> databases are not suitable. TLS
session objects are too large. </p>

<p> As of version 2.5, Postfix no longer uses root privileges when
opening this file. The file should now be stored under the Postfix-owned
data_directory. As a migration aid, an attempt to open the file
under a non-Postfix directory is redirected to the Postfix-owned
data_directory, and a warning is logged. </p>

<p> Example: </p>

<pre>
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
</pre>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_tls_session_cache_timeout 3600s

<p> The expiration time of Postfix SMTP client TLS session cache
information. A cache cleanup is performed periodically
every $smtp_tls_session_cache_timeout seconds. As with
$smtp_tls_session_cache_database, this parameter is implemented in the
tlsmgr(8) daemon and therefore per-smtp-instance master.cf overrides
are not possible. </p>

<p> As of Postfix 2.11 this setting cannot exceed 100 days. If set
&le; 0, session caching is disabled. If set to a positive value
less than 2 minutes, the minimum value of 2 minutes is used instead. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.2 and later.
</p>

%PARAM smtp_use_tls no

<p> Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear. Beware:
some SMTP servers offer STARTTLS even if it is not configured. With
Postfix &lt; 2.3, if the TLS handshake fails, and no other server is
available, delivery is deferred and mail stays in the queue. If this
is a concern for you, use the smtp_tls_per_site feature instead. </p>

<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtp_tls_security_level instead. </p>

%PARAM smtp_enforce_tls no

<p> Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear. This also requires
that the remote SMTP server hostname matches the information in
the remote server certificate, and that the remote SMTP server
certificate was issued by a CA that is trusted by the Postfix SMTP
client. If the certificate doesn't verify or the hostname doesn't
match, delivery is deferred and mail stays in the queue. </p>

<p> The server hostname is matched against all names provided as
dNSNames in the SubjectAlternativeName. If no dNSNames are specified,
the CommonName is checked. The behavior may be changed with the
smtp_tls_enforce_peername option. </p>

<p> This option is useful only if you are definitely sure that you
will only connect to servers that support RFC 2487 _and_ that
provide valid server certificates. Typical use is for clients that
send all their email to a dedicated mailhub. </p>

<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtp_tls_security_level instead.
</p>

%PARAM smtp_tls_enforce_peername yes

<p> With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server
certificate. As of RFC 2487 the requirements for hostname checking
for MTA clients are not specified. </p>

<p> This option can be set to "no" to disable strict peer name
checking. This setting has no effect on sessions that are controlled
via the smtp_tls_per_site table. </p>

<p> Disabling the hostname verification can make sense in a closed
environment where special CAs are created. If not used carefully,
this option opens the danger of a "man-in-the-middle" attack (the
CommonName of this attacker will be logged). </p>

<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtp_tls_security_level instead. </p>

%PARAM smtp_tls_per_site

<p> Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server hostname.
When both lookups succeed, the more specific per-site policy (NONE,
MUST, etc.) overrides the less specific one (MAY), and the more secure
per-site policy (MUST, etc.) overrides the less secure one (NONE).
With Postfix 2.3 and later smtp_tls_per_site is strongly discouraged:
use smtp_tls_policy_maps instead. </p>

<p> Use of the bare hostname as the per-site table lookup key is
discouraged. Always use the full destination nexthop (enclosed in
[] with a possible ":port" suffix). A recipient domain or MX-enabled
transport next-hop with no port suffix may look like a bare hostname,
but is still a suitable <i>destination</i>. </p>

<p> Specify a next-hop destination or server hostname on the left-hand
side; no wildcards are allowed.
The next-hop destination is either
the recipient domain, or the destination specified with a transport(5)
table, the relayhost parameter, or the relay_transport parameter.
On the right hand side specify one of the following keywords: </p>

<dl>

<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
specific <b>MAY</b> lookup result from the alternate host or next-hop
lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
and smtp_tls_enforce_peername settings. </dd>

<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
otherwise use an unencrypted connection. This has less precedence
than a more specific result (including <b>NONE</b>) from the alternate
host or next-hop lookup key, and has less precedence than the more
specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
= yes". </dd>

<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
require that the remote SMTP server hostname matches the information
in the remote SMTP server certificate, or that the server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
or a less specific <b>MAY</b> lookup result from the alternate host
or next-hop lookup key, and overrides the global smtp_use_tls,
smtp_enforce_tls and smtp_tls_enforce_peername settings. </dd>

<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
SMTP server hostname matches the information in the remote SMTP
server certificate, and require that the remote SMTP server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
or <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
result from the alternate host or next-hop lookup key, and overrides
the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
settings.
</dd>

</dl>

<p> The above keywords correspond to the "none", "may", "encrypt" and
"verify" security levels for the new smtp_tls_security_level parameter
introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
of how the policy is specified, the smtp_tls_mandatory_ciphers and
smtp_tls_mandatory_protocols parameters apply when TLS encryption
is mandatory. Connections for which encryption is optional typically
enable all "export" grade and better ciphers (see smtp_tls_ciphers
and smtp_tls_protocols). </p>

<p> As long as no secure DNS lookup mechanism is available, false
hostnames in MX or CNAME responses can change the server hostname
that Postfix uses for TLS policy lookup and server certificate
verification. Even with a perfect match between the server hostname and
the server certificate, there is no guarantee that Postfix is connected
to the right server. See TLS_README (Closing a DNS loophole with obsolete
per-site TLS policies) for a possible work-around. </p>

<p> This feature is available in Postfix 2.2 and later. With
Postfix 2.3 and later use smtp_tls_policy_maps instead. </p>

%PARAM smtp_tls_scert_verifydepth 9

<p> The verification depth for remote SMTP server certificates. A depth
of 1 is sufficient if the issuing CA is listed in a local CA file. </p>

<p> The default verification depth is 9 (the OpenSSL default) for
compatibility with earlier Postfix behavior. Prior to Postfix 2.5,
the default value was 5, but the limit was not actually enforced. If
you have set this to a lower non-default value, certificates with longer
trust chains may now fail to verify. Certificate chains with 1 or 2
CAs are common, deeper chains are more rare and any number between 5
and 9 should suffice in practice.
You can choose a lower number if,
for example, you trust certificates directly signed by an issuing CA
but not any CAs it delegates to. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_tls_note_starttls_offer no

<p> Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server. </p>

<p> The logfile record looks like: </p>

<pre>
postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
</pre>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_tls_cipherlist

<p> Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list. As this feature applies to all TLS security levels, it is easy
to create interoperability problems by choosing a non-default cipher
list. Do not use a non-default TLS cipher list on hosts that deliver email
to the public Internet: you will be unable to send email to servers that
only support the ciphers you exclude. Using a restricted cipher list
may be more appropriate for an internal MTA, where one can exert some
control over the TLS software and settings of the peer servers. </p>

<p> <b>Note:</b> do not use "" quotes around the parameter value. </p>

<p> This feature is available in Postfix version 2.2. It is not used with
Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead. </p>

%PARAM smtp_starttls_timeout 300s

<p> Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
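The keyword precedence that the smtp_tls_per_site description above lays out (NONE over MAY, MUST_NOPEERMATCH over NONE and MAY, MUST over all, and MAY yielding to the global smtp_enforce_tls / smtp_tls_enforce_peername settings), modelled as an added example that is not Postfix code; a dict stands in for the type:name lookup table and all host and domain names are constructed.

```python
"""Model of the smtp_tls_per_site keyword precedence rules (added example,
not Postfix source code). It reproduces only the rules the parameter
description states and maps the winning keyword onto the
smtp_tls_security_level name the text gives as its equivalent."""

# Override strength of the per-site keywords, as documented: NONE beats the
# less specific MAY, MUST_NOPEERMATCH beats the less secure NONE (and MAY),
# and MUST beats everything else.
KEYWORD_STRENGTH = {"MAY": 0, "NONE": 1, "MUST_NOPEERMATCH": 2, "MUST": 3}

# Keyword -> equivalent Postfix 2.3 smtp_tls_security_level name.
KEYWORD_LEVEL = {"NONE": "none", "MAY": "may",
                 "MUST_NOPEERMATCH": "encrypt", "MUST": "verify"}


def lookup_per_site(table, nexthop, hostname):
    """Look up the next-hop destination and the server hostname in the
    per-site table (a dict standing in for the lookup table) and return
    the keywords that matched, upper-cased."""
    hits = []
    for key in (nexthop, hostname):
        keyword = table.get(key)
        if keyword is None:
            continue
        keyword = keyword.upper()
        if keyword not in KEYWORD_STRENGTH:
            raise ValueError("unknown smtp_tls_per_site keyword: " + keyword)
        hits.append(keyword)
    return hits


def global_level(use_tls=False, enforce_tls=False, enforce_peername=True):
    """Security level implied by the global smtp_use_tls, smtp_enforce_tls
    and smtp_tls_enforce_peername settings when no per-site entry decides."""
    if enforce_tls:
        # Mandatory TLS; peer name checking decides between verify and encrypt.
        return "verify" if enforce_peername else "encrypt"
    return "may" if use_tls else "none"


def effective_level(table, nexthop, hostname,
                    use_tls=False, enforce_tls=False, enforce_peername=True):
    """Resolve the TLS security level for one delivery attempt."""
    hits = lookup_per_site(table, nexthop, hostname)
    if not hits:
        return global_level(use_tls, enforce_tls, enforce_peername)
    # The more specific / more secure keyword wins when both keys match.
    winner = max(hits, key=KEYWORD_STRENGTH.__getitem__)
    if winner == "MAY" and enforce_tls:
        # MAY has less precedence than the global "smtp_enforce_tls = yes"
        # (and "smtp_tls_enforce_peername = yes") settings.
        return global_level(use_tls, enforce_tls, enforce_peername)
    # NONE, MUST_NOPEERMATCH and MUST override the global settings outright.
    return KEYWORD_LEVEL[winner]


if __name__ == "__main__":
    # Constructed table: full next-hop keys (bracketed, optional :port) as
    # the text recommends, plus one bare-hostname entry to show the merge.
    per_site = {
        "[mailhub.example.com]": "MUST",
        "[legacy.example.org]:2525": "NONE",
        "legacy.example.org": "MAY",
        "mx1.example.net": "MUST_NOPEERMATCH",
    }
    print(effective_level(per_site, "[mailhub.example.com]", "mailhub.example.com"))
    print(effective_level(per_site, "[legacy.example.org]:2525", "legacy.example.org"))
    print(effective_level(per_site, "example.net", "mx1.example.net", use_tls=True))
    print(effective_level(per_site, "example.com", "mx.example.com", enforce_tls=True))
```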
</p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file

<p> File with the Postfix SMTP client DSA private key in PEM format.
This file may be combined with the Postfix SMTP client DSA certificate
file specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete
and should not be used. </p>

<p> The private key must be accessible without a pass-phrase, i.e. it
must not be encrypted. File permissions should grant read-only
access to the system superuser account ("root"), and no access
to anyone else. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_tls_dcert_file

<p> File with the Postfix SMTP client DSA certificate in PEM format.
This file may also contain the Postfix SMTP client private DSA key.
The DSA algorithm is obsolete and should not be used. </p>

<p> See the discussion under smtp_tls_cert_file for more details.
</p>

<p> Example: </p>

<pre>
smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
</pre>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM tls_append_default_CA no

<p> Append the system-supplied default Certification Authority
certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
The default is "no"; this prevents Postfix from trusting third-party
certificates and giving them relay permission with
permit_tls_all_clientcerts. </p>

<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
2.7.2 and later versions. Specify "tls_append_default_CA = yes" for
backwards compatibility, to avoid breaking certificate verification
with sites that don't use permit_tls_all_clientcerts.
</p>

%PARAM tls_random_exchange_name see "postconf -d" output

<p> Name of the pseudo random number generator (PRNG) state file
that is maintained by tlsmgr(8). The file is created when it does
not exist, and its length is fixed at 1024 bytes. </p>

<p> As of version 2.5, Postfix no longer uses root privileges when
opening this file, and the default file location was changed from
${config_directory}/prng_exch to ${data_directory}/prng_exch. As
a migration aid, an attempt to open the file under a non-Postfix
directory is redirected to the Postfix-owned data_directory, and a
warning is logged. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM tls_random_source see "postconf -d" output

<p> The external entropy source for the in-memory tlsmgr(8) pseudo
random number generator (PRNG) pool. Be sure to specify a non-blocking
source. If this source is not a regular file, the entropy source
type must be prepended: egd:/path/to/egd_socket for a source with
EGD compatible socket interface, or dev:/path/to/device for a
device file. </p>

<p> Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
gives timeout errors. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM tls_random_bytes 32

<p> The number of bytes that tlsmgr(8) reads from $tls_random_source
when (re)seeding the in-memory pseudo random number generator (PRNG)
pool. The default of 32 bytes (256 bits) is good enough for 128bit
symmetric keys. If using EGD or a device file, a maximum of 255
bytes is read. </p>

<p> This feature is available in Postfix 2.2 and later.
</p>

%PARAM tls_random_reseed_period 3600s

<p> The maximal time between attempts by tlsmgr(8) to re-seed the
in-memory pseudo random number generator (PRNG) pool from external
sources. The actual time between re-seeding attempts is calculated
using the PRNG, and is between 0 and the time specified. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM tls_random_prng_update_period 3600s

<p> The time between attempts by tlsmgr(8) to save the state of
the pseudo random number generator (PRNG) to the file specified
with $tls_random_exchange_name. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM tls_daemon_random_bytes 32

<p> The number of pseudo-random bytes that an smtp(8) or smtpd(8)
process requests from the tlsmgr(8) server in order to seed its
internal pseudo random number generator (PRNG). The default of 32
bytes (equivalent to 256 bits) is sufficient to generate a 128bit
(or 168bit) session key. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_sasl_tls_security_options $smtp_sasl_security_options

<p> The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions. </p>

<p> This feature is available in Postfix 2.2 and later.
</p>

%PARAM smtpd_sasl_tls_security_options $smtpd_sasl_security_options

<p> The SASL authentication security options that the Postfix SMTP
server uses for TLS encrypted SMTP sessions. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM smtp_generic_maps

<p> Optional lookup tables that perform address rewriting in the
Postfix SMTP client, typically to transform a locally valid address into
a globally valid address when sending mail across the Internet.
This is needed when the local machine does not have its own Internet
domain name, but uses something like <i>localdomain.local</i>
instead. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p> The table format and lookups are documented in generic(5);
examples are shown in the ADDRESS_REWRITING_README and
STANDARD_CONFIGURATION_README documents. </p>

<p> This feature is available in Postfix 2.2 and later. </p>

%PARAM message_reject_characters

<p> The set of characters that Postfix will reject in message
content. The usual C-like escape sequences are recognized: <tt>\a
\b \f \n \r \t \v \<i>ddd</i></tt> (up to three octal digits) and
<tt>\\</tt>. </p>

<p> Note 1: this feature does not recognize text that requires MIME
decoding. It inspects raw message content, just like header_checks
and body_checks. </p>

<p> Note 2: this feature is disabled with "receive_override_options
= no_header_body_checks". </p>

<p> Example: </p>

<pre>
message_reject_characters = \0
</pre>

<p> This feature is available in Postfix 2.3 and later.
</p>

%PARAM message_strip_characters

<p> The set of characters that Postfix will remove from message
content. The usual C-like escape sequences are recognized: <tt>\a
\b \f \n \r \t \v \<i>ddd</i></tt> (up to three octal digits) and
<tt>\\</tt>. </p>

<p> Note 1: this feature does not recognize text that requires MIME
decoding. It inspects raw message content, just like header_checks
and body_checks. </p>

<p> Note 2: this feature is disabled with "receive_override_options
= no_header_body_checks". </p>

<p> Example: </p>

<pre>
message_strip_characters = \0
</pre>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM frozen_delivered_to yes

<p> Update the local(8) delivery agent's idea of the Delivered-To:
address (see prepend_delivered_header) only once, at the start of
a delivery attempt; do not update the Delivered-To: address while
expanding aliases or .forward files. </p>

<p> This feature is available in Postfix 2.3 and later. With older
Postfix releases, the behavior is as if this parameter is set to
"no". The old setting can be expensive with deeply nested aliases
or .forward files. When an alias or .forward file changes the
Delivered-To: address, it ties up one queue file and one cleanup
process instance while mail is being forwarded. </p>

%PARAM smtpd_peername_lookup yes

<p> Attempt to look up the remote SMTP client hostname, and verify that
the name matches the client IP address. A client name is set to
"unknown" when it cannot be looked up or verified, or when name
lookup is disabled. Turning off name lookup reduces delays due to
DNS lookup and increases the maximal inbound delivery rate. </p>

<p> This feature is available in Postfix 2.3 and later.
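A decoder for the escape syntax that message_reject_characters and message_strip_characters (above) share, applied to constructed raw message content the way the two features inspect it (raw bytes, no MIME decoding); this is an added example, not Postfix code, and its rejection of escapes the text does not list is this example's own choice.

```python
r"""Decoder for the message_reject_characters / message_strip_characters value
syntax (added example, not Postfix source code). Recognises \a \b \f \n \r
\t \v, \ddd with up to three octal digits, and \\, then applies the
resulting byte set to raw message content."""

SIMPLE_ESCAPES = {
    "a": 0x07, "b": 0x08, "f": 0x0C, "n": 0x0A,
    "r": 0x0D, "t": 0x09, "v": 0x0B, "\\": 0x5C,
}
OCTAL_DIGITS = "01234567"


def parse_charset(value):
    """Turn a parameter value such as r'\0\a' into the set of byte values
    it names. Escapes the documentation does not list raise ValueError
    (this example's choice, not documented Postfix behaviour)."""
    charset = set()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "\\":
            if ord(ch) > 0xFF:
                raise ValueError("non-byte character in character set")
            charset.add(ord(ch))
            i += 1
            continue
        i += 1
        if i >= len(value):
            raise ValueError("trailing backslash in character set")
        ch = value[i]
        if ch in SIMPLE_ESCAPES:
            charset.add(SIMPLE_ESCAPES[ch])
            i += 1
        elif ch in OCTAL_DIGITS:
            # Up to three octal digits; a fourth digit starts a new literal.
            end = i
            while end < len(value) and end - i < 3 and value[end] in OCTAL_DIGITS:
                end += 1
            code = int(value[i:end], 8)
            if code > 0xFF:
                raise ValueError("octal escape out of byte range: \\" + value[i:end])
            charset.add(code)
            i = end
        else:
            raise ValueError("unknown escape sequence: \\" + ch)
    return charset


def reject_characters(content, charset):
    """True if the raw message content contains any byte in the reject set."""
    return any(b in charset for b in content)


def strip_characters(content, charset):
    """Raw message content with every byte in the strip set removed."""
    return bytes(b for b in content if b not in charset)


if __name__ == "__main__":
    # Constructed raw message (headers and body, CRLF line endings) with an
    # embedded NUL, the byte the parameter examples single out.
    raw = b"Subject: test\r\n\r\nbody \x00with NUL\r\n"
    print(reject_characters(raw, parse_charset(r"\0")))
    print(strip_characters(raw, parse_charset(r"\0\a")))
```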
</p>

%PARAM delay_logging_resolution_limit 2

<p> The maximal number of digits after the decimal point when logging
sub-second delay values. Specify a number in the range 0..6. </p>

<p> Large delay values are rounded off to an integral number of seconds;
delay values below the delay_logging_resolution_limit are logged
as "0", and delay values under 100s are logged with at most two-digit
precision. </p>

<p> The format of the "delays=a/b/c/d" logging is as follows: </p>

<ul>

<li> a = time from message arrival to last active queue entry

<li> b = time from last active queue entry to connection setup

<li> c = time in connection setup, including DNS, EHLO and STARTTLS

<li> d = time in message transmission

</ul>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM bounce_template_file

<p> Pathname of a configuration file with bounce message templates.
These override the built-in templates of delivery status notification
(DSN) messages for undeliverable mail, delayed mail, successful
delivery, or delivery verification. The bounce(5) manual page
describes how to edit and test template files. </p>

<p> Template message body text may contain $name references to
Postfix configuration parameters. The result of $name expansion can
be previewed with "<b>postconf -b <i>file_name</i></b>" before the file
is placed into the Postfix configuration directory. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM sender_dependent_relayhost_maps

<p> A sender-dependent override for the global relayhost parameter
setting. The tables are searched by the envelope sender address and
@domain.
A lookup result of DUNNO terminates the search without
overriding the global relayhost parameter setting (Postfix 2.6 and
later). This information is overruled with relay_transport,
sender_dependent_default_transport_maps, default_transport and with
the transport(5) table. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>

<p>
This feature is available in Postfix 2.3 and later.
</p>

%PARAM empty_address_relayhost_maps_lookup_key &lt;&gt;

<p> The sender_dependent_relayhost_maps search string that will be
used instead of the null sender address. </p>

<p> This feature is available in Postfix 2.5 and later. With
earlier versions, sender_dependent_relayhost_maps lookups were
skipped for the null sender address. </p>

%PARAM address_verify_sender_dependent_relayhost_maps $sender_dependent_relayhost_maps

<p>
Overrides the sender_dependent_relayhost_maps parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.3 and later.
</p>

%PARAM smtp_sender_dependent_authentication no

<p>
Enable sender-dependent authentication in the Postfix SMTP client; this is
available only with SASL authentication, and disables SMTP connection
caching to ensure that mail from different senders will use the
appropriate credentials. </p>

<p>
This feature is available in Postfix 2.3 and later.
</p>

%PARAM lmtp_lhlo_name $myhostname

<p>
The hostname to send in the LMTP LHLO command.
</p>

<p>
The default value is the machine hostname.
Specify a hostname or
[ip.add.re.ss] or [ip:v6:add:re::ss].
</p>

<p>
This information can be specified in the main.cf file for all LMTP
clients, or it can be specified in the master.cf file for a specific
client, for example:
</p>

<blockquote>
<pre>
/etc/postfix/master.cf:
    mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
</pre>
</blockquote>

<p>
This feature is available in Postfix 2.3 and later.
</p>

%PARAM lmtp_discard_lhlo_keyword_address_maps

<p> Lookup tables, indexed by the remote LMTP server address, with
case insensitive lists of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server. See lmtp_discard_lhlo_keywords for
details. The table is not indexed by hostname for consistency with
smtpd_discard_ehlo_keyword_address_maps. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_discard_lhlo_keywords

<p> A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

<p> Notes: </p>

<ul>

<li> <p> Specify the <b>silent-discard</b> pseudo keyword to prevent
this action from being logged. </p>

<li> <p> Use the lmtp_discard_lhlo_keyword_address_maps feature to
discard LHLO keywords selectively. </p>

</ul>

%PARAM lmtp_lhlo_timeout 300s

<p> The Postfix LMTP client time limit for sending the LHLO command,
and for receiving the initial remote LMTP server response. </p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). The default time unit is s (seconds).
</p>

%PARAM lmtp_sasl_tls_security_options $lmtp_sasl_security_options

<p> The LMTP-specific version of the smtp_sasl_tls_security_options
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_sasl_mechanism_filter

<p> The LMTP-specific version of the smtp_sasl_mechanism_filter
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_bind_address

<p> The LMTP-specific version of the smtp_bind_address configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_bind_address6

<p> The LMTP-specific version of the smtp_bind_address6 configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_host_lookup dns

<p> The LMTP-specific version of the smtp_host_lookup configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_connection_cache_destinations

<p> The LMTP-specific version of the smtp_connection_cache_destinations
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_per_site

<p> The LMTP-specific version of the smtp_tls_per_site configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_generic_maps

<p> The LMTP-specific version of the smtp_generic_maps configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later.
</p>

%PARAM lmtp_pix_workaround_threshold_time 500s

<p> The LMTP-specific version of the smtp_pix_workaround_threshold_time
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_pix_workaround_delay_time 10s

<p> The LMTP-specific version of the smtp_pix_workaround_delay_time
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_connection_reuse_time_limit 300s

<p> The LMTP-specific version of the smtp_connection_reuse_time_limit
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_starttls_timeout 300s

<p> The LMTP-specific version of the smtp_starttls_timeout configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_line_length_limit 998

<p> The LMTP-specific version of the smtp_line_length_limit
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_mx_address_limit 5

<p> The LMTP-specific version of the smtp_mx_address_limit configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_mx_session_limit 2

<p> The LMTP-specific version of the smtp_mx_session_limit configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_scert_verifydepth 9

<p> The LMTP-specific version of the smtp_tls_scert_verifydepth
configuration parameter. See there for details.
</p> 10933 10934<p> This feature is available in Postfix 2.3 and later. </p> 10935 10936%PARAM lmtp_skip_5xx_greeting yes 10937 10938<p> The LMTP-specific version of the smtp_skip_5xx_greeting 10939configuration parameter. See there for details. </p> 10940 10941<p> This feature is available in Postfix 2.3 and later. </p> 10942 10943%PARAM lmtp_randomize_addresses yes 10944 10945<p> The LMTP-specific version of the smtp_randomize_addresses 10946configuration parameter. See there for details. </p> 10947 10948<p> This feature is available in Postfix 2.3 and later. </p> 10949 10950%PARAM lmtp_quote_rfc821_envelope yes 10951 10952<p> The LMTP-specific version of the smtp_quote_rfc821_envelope 10953configuration parameter. See there for details. </p> 10954 10955<p> This feature is available in Postfix 2.3 and later. </p> 10956 10957%PARAM lmtp_defer_if_no_mx_address_found no 10958 10959<p> The LMTP-specific version of the smtp_defer_if_no_mx_address_found 10960configuration parameter. See there for details. </p> 10961 10962<p> This feature is available in Postfix 2.3 and later. </p> 10963 10964%PARAM lmtp_connection_cache_on_demand yes 10965 10966<p> The LMTP-specific version of the smtp_connection_cache_on_demand 10967configuration parameter. See there for details. </p> 10968 10969<p> This feature is available in Postfix 2.3 and later. </p> 10970 10971%PARAM lmtp_use_tls no 10972 10973<p> The LMTP-specific version of the smtp_use_tls configuration 10974parameter. See there for details. </p> 10975 10976<p> This feature is available in Postfix 2.3 and later. </p> 10977 10978%PARAM lmtp_enforce_tls no 10979 10980<p> The LMTP-specific version of the smtp_enforce_tls configuration 10981parameter. See there for details. </p> 10982 10983<p> This feature is available in Postfix 2.3 and later. </p> 10984 10985%PARAM lmtp_tls_security_level 10986 10987<p> The LMTP-specific version of the smtp_tls_security_level configuration 10988parameter. See there for details. 
</p> 10989 10990<p> This feature is available in Postfix 2.3 and later. </p> 10991 10992%PARAM lmtp_tls_enforce_peername yes 10993 10994<p> The LMTP-specific version of the smtp_tls_enforce_peername 10995configuration parameter. See there for details. </p> 10996 10997<p> This feature is available in Postfix 2.3 and later. </p> 10998 10999%PARAM lmtp_tls_note_starttls_offer no 11000 11001<p> The LMTP-specific version of the smtp_tls_note_starttls_offer 11002configuration parameter. See there for details. </p> 11003 11004<p> This feature is available in Postfix 2.3 and later. </p> 11005 11006%PARAM lmtp_sender_dependent_authentication no 11007 11008<p> The LMTP-specific version of the smtp_sender_dependent_authentication 11009configuration parameter. See there for details. </p> 11010 11011<p> This feature is available in Postfix 2.3 and later. </p> 11012 11013%PARAM connection_cache_protocol_timeout 5s 11014 11015<p> Time limit for connection cache connect, send or receive 11016operations. The time limit is enforced in the client. </p> 11017 11018<p> This feature is available in Postfix 2.3 and later. </p> 11019 11020%PARAM smtpd_sasl_type cyrus 11021 11022<p> The SASL plug-in type that the Postfix SMTP server should use 11023for authentication. The available types are listed with the 11024"<b>postconf -a</b>" command. </p> 11025 11026<p> This feature is available in Postfix 2.3 and later. </p> 11027 11028%PARAM smtp_sasl_type cyrus 11029 11030<p> The SASL plug-in type that the Postfix SMTP client should use 11031for authentication. The available types are listed with the 11032"<b>postconf -A</b>" command. </p> 11033 11034<p> This feature is available in Postfix 2.3 and later. </p> 11035 11036 11037%PARAM lmtp_sasl_type cyrus 11038 11039<p> The SASL plug-in type that the Postfix LMTP client should use 11040for authentication. The available types are listed with the 11041"<b>postconf -A</b>" command. 
</p> 11042 11043<p> This feature is available in Postfix 2.3 and later. </p> 11044 11045%PARAM smtpd_sasl_path smtpd 11046 11047<p> Implementation-specific information that the Postfix SMTP server 11048passes through to 11049the SASL plug-in implementation that is selected with 11050<b>smtpd_sasl_type</b>. Typically this specifies the name of a 11051configuration file or rendezvous point. </p> 11052 11053<p> This feature is available in Postfix 2.3 and later. In earlier 11054releases it was called <b>smtpd_sasl_application_name</b>. </p> 11055 11056%PARAM smtpd_sasl_service smtp 11057 11058<p> The service name that is passed to the SASL plug-in that is 11059selected with <b>smtpd_sasl_type</b> and <b>smtpd_sasl_path</b>. 11060</p> 11061 11062<p> This feature is available in Postfix 2.11 and later. Prior 11063versions behave as if "<b>smtp</b>" is specified. </p> 11064 11065%PARAM smtpd_sasl_response_limit 12288 11066 11067<p> The maximum length of a SASL client's response to a server challenge. 11068When the client's "initial response" is longer than the normal limit for 11069SMTP commands, the client must omit its initial response, and wait for an 11070empty server challenge; it can then send what would have been its "initial 11071response" as a response to the empty server challenge. RFC4954 requires the 11072server to accept client responses up to at least 12288 octets of 11073base64-encoded text. The default value is therefore also the minimum value 11074accepted for this parameter.</p> 11075 11076<p> This feature is available in Postfix 3.4 and later. Prior versions use 11077"line_length_limit", which may need to be raised to accommodate larger client 11078responses, as may be needed with GSSAPI authentication of Windows AD users 11079who are members of many groups. </p> 11080 11081%PARAM cyrus_sasl_config_path 11082 11083<p> Search path for Cyrus SASL application configuration files, 11084currently used only to locate the $smtpd_sasl_path.conf file. 
11085Specify zero or more directories separated by a colon character, 11086or an empty value to use Cyrus SASL's built-in search path. </p> 11087 11088<p> This feature is available in Postfix 2.5 and later when compiled 11089with Cyrus SASL 2.1.22 or later. </p> 11090 11091%PARAM smtp_sasl_path 11092 11093<p> Implementation-specific information that the Postfix SMTP client 11094passes through to 11095the SASL plug-in implementation that is selected with 11096<b>smtp_sasl_type</b>. Typically this specifies the name of a 11097configuration file or rendezvous point. </p> 11098 11099<p> This feature is available in Postfix 2.3 and later. </p> 11100 11101%PARAM lmtp_sasl_path 11102 11103<p> Implementation-specific information that is passed through to 11104the SASL plug-in implementation that is selected with 11105<b>lmtp_sasl_type</b>. Typically this specifies the name of a 11106configuration file or rendezvous point. </p> 11107 11108<p> This feature is available in Postfix 2.3 and later. </p> 11109 11110%PARAM plaintext_reject_code 450 11111 11112<p> 11113The numerical Postfix SMTP server response code when a request 11114is rejected by the <b>reject_plaintext_session</b> restriction. 11115</p> 11116 11117<p> This feature is available in Postfix 2.3 and later. </p> 11118 11119%PARAM resolve_numeric_domain no 11120 11121<p> Resolve "user@ipaddress" as "user@[ipaddress]", instead of 11122rejecting the address as invalid. </p> 11123 11124<p> This feature is available in Postfix 2.3 and later. 11125 11126%PARAM mailbox_transport_maps 11127 11128<p> Optional lookup tables with per-recipient message delivery 11129transports to use for local(8) mailbox delivery, whether or not the 11130recipients are found in the UNIX passwd database. 
</p>

<p> The precedence of local(8) delivery features from high to low
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM fallback_transport_maps

<p> Optional lookup tables with per-recipient message delivery
transports for recipients that the local(8) delivery agent could
not find in the aliases(5) or UNIX password database. </p>

<p> The precedence of local(8) delivery features from high to low
is: aliases, .forward files, mailbox_transport_maps, mailbox_transport,
mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory,
fallback_transport_maps, fallback_transport and luser_relay. </p>

<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_cname_overrides_servername version dependent

<p> When the remote SMTP servername is a DNS CNAME, replace the
servername with the result from CNAME expansion for the purpose of
logging, SASL password lookup, TLS
policy decisions, or TLS certificate verification. The value "no"
hardens Postfix smtp_tls_per_site hostname-based policies against
false hostname information in DNS CNAME records, and makes SASL
password file lookups more predictable. This is the default setting
as of Postfix 2.3. </p>

<p> When DNS CNAME records are validated with secure DNS lookups
(smtp_dns_support_level = dnssec), they are always allowed to
override the above servername (Postfix 2.11 and later). </p>

<p> This feature is available in Postfix 2.2.9 and later. </p>

%PARAM lmtp_cname_overrides_servername yes

<p> The LMTP-specific version of the smtp_cname_overrides_servername
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_sasl_tls_verified_security_options $smtp_sasl_tls_security_options

<p> The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions with a verified server
certificate. </p>

<p> When mail is sent to the public MX host for the recipient's
domain, server certificates are by default optional, and delivery
proceeds even if certificate verification fails. For delivery via
a submission service that requires SASL authentication, it may be
appropriate to send plaintext passwords only when the connection
to the server is strongly encrypted <b>and</b> the server identity
is verified. </p>

<p> The smtp_sasl_tls_verified_security_options parameter makes it
possible to only enable plaintext mechanisms when a secure connection
to the server is available. Submission servers subject to this
policy must either have verifiable certificates or offer suitable
non-plaintext SASL mechanisms. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM lmtp_sasl_tls_verified_security_options $lmtp_sasl_tls_security_options

<p> The LMTP-specific version of the
smtp_sasl_tls_verified_security_options configuration parameter.
See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_connection_cache_time_limit 2s

<p> The LMTP-specific version of the
smtp_connection_cache_time_limit configuration parameter.
See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtpd_delay_open_until_valid_rcpt yes

<p> Postpone the start of an SMTP mail transaction until a valid
RCPT TO command is received. Specify "no" to create a mail transaction
as soon as the Postfix SMTP server receives a valid MAIL FROM
command. </p>

<p> With sites that reject lots of mail, the default setting reduces
the use of
disk, CPU and memory resources. The downside is that rejected
recipients are logged with NOQUEUE instead of a mail transaction
ID. This complicates the logfile analysis of multi-recipient mail.
</p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_cert_file

<p> The LMTP-specific version of the smtp_tls_cert_file
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_key_file $lmtp_tls_cert_file

<p> The LMTP-specific version of the smtp_tls_key_file
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_dcert_file

<p> The LMTP-specific version of the smtp_tls_dcert_file
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_dkey_file $lmtp_tls_dcert_file

<p> The LMTP-specific version of the smtp_tls_dkey_file
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_CAfile

<p> The LMTP-specific version of the smtp_tls_CAfile
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_CApath

<p> The LMTP-specific version of the smtp_tls_CApath
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_loglevel 0

<p> The LMTP-specific version of the smtp_tls_loglevel
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_session_cache_database

<p> The LMTP-specific version of the smtp_tls_session_cache_database
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_session_cache_timeout 3600s

<p> The LMTP-specific version of the smtp_tls_session_cache_timeout
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_tls_policy_maps

<p> Optional lookup tables with the Postfix SMTP client TLS security
policy by next-hop destination; when a non-empty value is specified,
this overrides the obsolete smtp_tls_per_site parameter. See
TLS_README for a more detailed discussion of TLS security levels.
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p> The TLS policy table is indexed by the full next-hop destination,
which is either the recipient domain, or the verbatim next-hop
specified in the transport table, $local_transport, $virtual_transport,
$relay_transport or $default_transport. This includes any enclosing
square brackets and any non-default destination server port suffix. The
LMTP socket type prefix (inet: or unix:) is not included in the lookup
key. </p>

<p> Only the next-hop domain, or $myhostname with LMTP over UNIX-domain
sockets, is used as the nexthop name for certificate verification. The
port and any enclosing square brackets are used in the table lookup key,
but are not used for server name verification. </p>

<p> When the lookup key is a domain name without enclosing square brackets
or any <i>:port</i> suffix (typically the recipient domain), and the full
domain is not found in the table, just as with the transport(5) table,
the parent domain starting with a leading "." is matched recursively. This
allows one to specify a security policy for a recipient domain and all
its sub-domains. </p>

<p> The lookup result is a security level, followed by an optional list
of whitespace and/or comma separated name=value attributes that override
related main.cf settings. The TLS security levels in order of increasing
security are: </p>

<dl>

<dt><b><a href="TLS_README.html#client_tls_none">none</a></b></dt>
<dd>No TLS. No additional attributes are supported at this level. </dd>

<dt><b><a href="TLS_README.html#client_tls_may">may</a></b></dt>
<dd>Opportunistic TLS. Since sending in the clear is acceptable,
demanding stronger than default TLS security merely reduces
interoperability. The optional "ciphers", "exclude", and "protocols"
attributes (available for opportunistic TLS with Postfix ≥ 2.6)
and "connection_reuse" attribute (Postfix ≥ 3.4) override the
"smtp_tls_ciphers", "smtp_tls_exclude_ciphers", "smtp_tls_protocols",
and "smtp_tls_connection_reuse" configuration parameters. In the policy
table, multiple ciphers, protocols or excluded ciphers must be separated
by colons, as attribute values may not contain whitespace or commas.
When opportunistic TLS handshakes fail, Postfix retries the connection
with TLS disabled. This allows mail delivery to sites with
non-interoperable TLS implementations.</dd>

<dt><b><a href="TLS_README.html#client_tls_encrypt">encrypt</a></b></dt>
<dd>Mandatory TLS encryption. At this level
and higher, the optional "protocols" attribute overrides the main.cf
smtp_tls_mandatory_protocols parameter, the optional "ciphers" attribute
overrides the main.cf smtp_tls_mandatory_ciphers parameter, the
optional "exclude" attribute (Postfix ≥ 2.6) overrides the main.cf
smtp_tls_mandatory_exclude_ciphers parameter, and the optional
"connection_reuse" attribute (Postfix ≥ 3.4) overrides the
main.cf smtp_tls_connection_reuse parameter. In the policy table,
multiple ciphers, protocols or excluded ciphers must be separated by colons,
as attribute values may not contain whitespace or commas. </dd>

<dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt>
<dd>Opportunistic DANE TLS. The TLS policy for the destination is
obtained via TLSA records in DNSSEC. If no TLSA records are found,
the effective security level used is <a
href="TLS_README.html#client_tls_may">may</a>. If TLSA records are
found, but none are usable, the effective security level is <a
href="TLS_README.html#client_tls_encrypt">encrypt</a>. When usable
TLSA records are obtained for the remote SMTP server, the
server certificate must match the TLSA records. RFC 7672 (DANE)
TLS authentication and DNSSEC support is available with Postfix
2.11 and later. The optional "connection_reuse" attribute (Postfix
≥ 3.4) overrides the main.cf smtp_tls_connection_reuse parameter.
When the effective security level used is <a
href="TLS_README.html#client_tls_may">may</a>, the optional "ciphers",
"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the
"smtp_tls_ciphers", "smtp_tls_exclude_ciphers", and "smtp_tls_protocols"
configuration parameters.
When the effective security level used is <a
href="TLS_README.html#client_tls_encrypt">encrypt</a>, the optional "ciphers",
"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the
"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
"smtp_tls_mandatory_protocols" configuration parameters.
</dd>

<dt><b><a href="TLS_README.html#client_tls_dane">dane-only</a></b></dt>
<dd>Mandatory DANE TLS. The TLS policy for the destination is
obtained via TLSA records in DNSSEC. If no TLSA records are found,
or none are usable, no connection is made to the server. When
usable TLSA records are obtained for the remote SMTP server, the
server certificate must match the TLSA records. RFC 7672 (DANE) TLS
authentication and DNSSEC support is available with Postfix 2.11
and later. The optional "ciphers", "exclude", and "protocols" attributes
(Postfix ≥ 2.6) override the "smtp_tls_mandatory_ciphers",
"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols"
configuration parameters. The optional "connection_reuse" attribute
(Postfix ≥ 3.4) overrides the main.cf smtp_tls_connection_reuse parameter.
</dd>

<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
<dd>Certificate fingerprint
verification. Available with Postfix 2.5 and later. At this security
level, there are no trusted Certification Authorities. The certificate
trust chain, expiration date, ... are not checked. Instead,
the optional "match" attribute, or else the main.cf
<b>smtp_tls_fingerprint_cert_match</b> parameter, lists the certificate
fingerprints or the public key fingerprint (Postfix 2.9 and later)
of the valid server certificate. The digest
algorithm used to calculate the fingerprint is selected by the
<b>smtp_tls_fingerprint_digest</b> parameter. Multiple fingerprints can
be combined with a "|" delimiter in a single match attribute, or multiple
match attributes can be employed. The ":" character is not used as a
delimiter as it occurs between each pair of fingerprint (hexadecimal)
digits. The optional "ciphers", "exclude", and "protocols" attributes
(Postfix ≥ 2.6) override the "smtp_tls_mandatory_ciphers",
"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols"
configuration parameters. The optional "connection_reuse" attribute
(Postfix ≥ 3.4) overrides the main.cf smtp_tls_connection_reuse
parameter. </dd>

<dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt>
<dd>Mandatory TLS verification. At this security
level, DNS MX lookups are trusted to be secure enough, and the name
verified in the server certificate is usually obtained indirectly via
unauthenticated DNS MX lookups. The optional "match" attribute overrides
the main.cf smtp_tls_verify_cert_match parameter. In the policy table,
multiple match patterns and strategies must be separated by colons.
In practice explicit control over matching is more common with the
"secure" policy, described below. The optional "ciphers", "exclude",
and "protocols" attributes (Postfix ≥ 2.6) override the
"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
"smtp_tls_mandatory_protocols" configuration parameters. The optional
"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf
smtp_tls_connection_reuse parameter. </dd>

<dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt>
<dd>Secure-channel TLS. At this security level, DNS
MX lookups, though potentially used to determine the candidate next-hop
gateway IP addresses, are <b>not</b> trusted to be secure enough for TLS
peername verification. Instead, the default name verified in the server
certificate is obtained directly from the next-hop, or is explicitly
specified via the optional "match" attribute which overrides the
main.cf smtp_tls_secure_cert_match parameter. In the policy table,
multiple match patterns and strategies must be separated by colons.
The match attribute is most useful when multiple domains are supported by
a common server: the policy entries for additional domains specify matching
rules for the primary domain certificate. While transport table overrides
that route the secondary domains to the primary nexthop also allow secure
verification, they risk delivery to the wrong destination when domains
change hands or are re-assigned to new gateways. With the "match"
attribute approach, routing is not perturbed, and mail is deferred if
verification of a new MX host fails. The optional "ciphers", "exclude",
and "protocols" attributes (Postfix ≥ 2.6) override the
"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
"smtp_tls_mandatory_protocols" configuration parameters. The optional
"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf
smtp_tls_connection_reuse parameter. </dd>

</dl>

<p>
Example:
</p>

<pre>
/etc/postfix/main.cf:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    # Postfix 2.5 and later.
    #
    # The default digest is sha256 with Postfix ≥ 3.6 and
    # compatibility level ≥ 3.
    #
    smtp_tls_fingerprint_digest = sha256
</pre>

<pre>
/etc/postfix/tls_policy:
    example.edu                 none
    example.mil                 may
    example.gov                 encrypt protocols=TLSv1
    example.com                 verify ciphers=high
    example.net                 secure
    .example.net                secure match=.example.net:example.net
    [mail.example.org]:587      secure match=nexthop
    # Postfix 2.5 and later
    [thumb.example.org]         fingerprint
        match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
        match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
</pre>

<p> <b>Note:</b> The "hostname" strategy if listed in a non-default
setting of smtp_tls_secure_cert_match or in the "match" attribute
in the policy table can render the "secure" level vulnerable to
DNS forgery. Do not use the "hostname" strategy for secure-channel
configurations in environments where DNS security is not assured. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_tls_mandatory_protocols see "postconf -d" output

<p> TLS protocols that the Postfix SMTP client will use with mandatory
TLS encryption. In main.cf the values are separated by whitespace,
commas or colons. In the policy table "protocols" attribute (see
smtp_tls_policy_maps) the only valid separator is colon. An empty value
means allow all protocols. </p>

<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".
Starting with
Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
the lowest supported TLS protocol version (see below). Older releases
use the "!" exclusion syntax, also described below. </p>

<p> As of Postfix 3.6, the preferred way to limit the range of
acceptable protocols is to set a lowest acceptable TLS protocol version
and/or a highest acceptable TLS protocol version. To set the lower
bound include an element of the form: ">=<i>version</i>" where
<i>version</i> is either one of the TLS protocol names listed above,
or a hexadecimal number corresponding to the desired TLS protocol
version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper
bound, use "<=<i>version</i>". There must be no whitespace between
the ">=" or "<=" symbols and the protocol name or number. </p>

<p> Hexadecimal protocol numbers make it possible to specify protocol
bounds for TLS versions that are known to OpenSSL, but might not be
known to Postfix. They cannot be used with the leg
acy exclusion syntax.
Leading "0" or "0x" prefixes are supported, but not required.
Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
upper or lower bound, and a warning will be logged. Hexadecimal
versions should only be used when Postfix is linked with some future
version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
yet support a symbolic name for that protocol version. </p>

<p>Hexadecimal example (Postfix ≥ 3.6):</p>
<blockquote>
<pre>
# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
# in some future version of OpenSSL (presently a warning is logged).
smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
# Allow only TLS 1.2 and up:
smtp_tls_mandatory_protocols = >=0x0303
</pre>
</blockquote>

<p> With Postfix < 3.6 there is no support for a minimum or maximum
version, and the protocol range is configured via protocol exclusions.
To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2,
!SSLv3". Listing the protocols to include, rather than the protocols to
exclude, is supported, but not recommended. The exclusion syntax more
accurately matches the underlying OpenSSL interface. </p>

<p> When using the exclusion syntax, take care to ensure that the range
of protocols supported by the Postfix SMTP client is contiguous. When
a protocol version is enabled, disabling any higher version implicitly
disables all versions above that higher version. Thus, for example: </p>

<blockquote>
<pre>
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
</pre>
</blockquote>

<p> also disables any protocol versions higher than TLSv1.1 leaving
only "TLSv1" enabled. </p>

<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling
this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2). </p>

<p> While the vast majority of SMTP servers with DANE TLSA records now
support at least TLS 1.2, a few still only support TLS 1.0. If you use
"dane" or "dane-only" it is best not to disable TLSv1, except perhaps
via the policy table for destinations which you are sure will support
"TLSv1.2". </p>

<p> See the documentation of the smtp_tls_policy_maps parameter and
TLS_README for more information about security levels.
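The next-hop lookup described under smtp_tls_policy_maps (full key first, then parent domains with a leading "." for bare domain keys) and the protocol range rules above (">=" and "<=" bounds with symbolic or hexadecimal versions, and the legacy "!" exclusion syntax with its contiguity rule) are modelled here in Python as an added example; this is not code from the Postfix sources. The table and main.cf values are constructed from the examples on this page, the function names (lookup_policy, parse_policy, protocol_range, effective_policy) are the example's own, and the "dane" levels are simplified to mandatory TLS.

```python
# Added example (not Postfix code): models how the Postfix SMTP client
# resolves a TLS policy table entry (smtp_tls_policy_maps) and how a
# smtp_tls_mandatory_protocols value selects a protocol range, in the
# ">=" / "<=" bound syntax (Postfix >= 3.6) and the legacy "!" syntax.
import re

# Protocol names in increasing order, and the hexadecimal record-layer
# versions accepted as bounds (0301 = TLS 1.0, 0302 = TLS 1.1, and so on).
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
HEX_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def lookup_policy(table, nexthop):
    """Full next-hop key first; a bare domain then falls back to parent
    domains written with a leading ".", as the transport(5) table does."""
    if nexthop in table:
        return table[nexthop]
    if nexthop.startswith("[") or ":" in nexthop:
        return None  # bracketed or :port keys get no parent-domain fallback
    labels = nexthop.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def parse_policy(result):
    """Split a lookup result into (level, {attribute: [values]})."""
    words = [w for w in re.split(r"[\s,]+", result.strip()) if w]
    level, attrs = words[0], {}
    for word in words[1:]:
        name, _, value = word.partition("=")
        attrs.setdefault(name, []).append(value)  # a repeated "match" accumulates
    return level, attrs


def protocol_range(spec, policy_table=False):
    """Protocols enabled by a protocol list: ":" is the only separator in
    the policy table, main.cf also accepts whitespace and commas."""
    items = spec.split(":") if policy_table else re.split(r"[\s,:]+", spec)
    items = [i for i in items if i]
    if not items:
        return list(PROTOCOLS)  # empty value: all protocols allowed
    bounds = [i for i in items if i[:2] in (">=", "<=")]
    if bounds:
        lo, hi = 0, len(PROTOCOLS) - 1
        for item in bounds:
            token = item[2:]
            if token not in PROTOCOLS:  # hexadecimal version, "0x" optional
                try:
                    token = HEX_VERSIONS.get(int(token.lower().replace("0x", ""), 16))
                except ValueError:
                    token = None
            if token is None:
                continue  # unknown version: bound not set (Postfix warns)
            idx = PROTOCOLS.index(token)
            lo, hi = (max(lo, idx), hi) if item[0] == ">" else (lo, min(hi, idx))
        return PROTOCOLS[lo:hi + 1]
    # Legacy syntax: an include list (or everything) minus the "!" exclusions.
    included = {i for i in items if i[0] != "!"}
    enabled = (included or set(PROTOCOLS)) - {i[1:] for i in items if i[0] == "!"}
    # Contiguity rule: once a version above the lowest enabled one is
    # disabled, every version above it is disabled as well.
    result = []
    for name in PROTOCOLS:
        if name in enabled:
            result.append(name)
        elif result:
            break
    return result


def effective_policy(table, nexthop, main_cf):
    """Level and protocols for a destination. A "protocols" attribute
    overrides smtp_tls_protocols at level "may" and
    smtp_tls_mandatory_protocols at "encrypt" and higher; the "dane" levels
    are simplified to mandatory TLS (really decided by TLSA records)."""
    result = lookup_policy(table, nexthop)
    if result is None:  # no entry: main.cf smtp_tls_security_level applies
        level, attrs = (main_cf.get("smtp_tls_security_level") or "none"), {}
    else:
        level, attrs = parse_policy(result)
    if level == "none":
        return level, []
    if "protocols" in attrs:
        return level, protocol_range(attrs["protocols"][-1], policy_table=True)
    param = "smtp_tls_protocols" if level == "may" else "smtp_tls_mandatory_protocols"
    return level, protocol_range(main_cf.get(param, ""))


# Constructed sample data, modelled on the example table shown above.
TLS_POLICY = {"example.edu": "none", "example.mil": "may",
              "example.gov": "encrypt protocols=TLSv1", "example.net": "secure",
              ".example.net": "secure match=.example.net:example.net",
              "[mail.example.org]:587": "secure match=nexthop"}
MAIN_CF = {"smtp_tls_security_level": "may",
           "smtp_tls_protocols": "!SSLv2, !SSLv3",
           "smtp_tls_mandatory_protocols": ">=TLSv1.2, <=TLSv1.3"}
```

With this data, deep.mail.example.net falls through to the ".example.net" entry and inherits the main.cf mandatory bounds (TLS 1.2 and 1.3), while "[mail.example.org]" without the ":587" suffix matches nothing, because bracketed keys get no parent-domain fallback. The legacy value "!SSLv2, !SSLv3, !TLSv1.1" reduces to TLSv1 alone, which is the contiguity pitfall the text warns about.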
</p> 11592 11593<p> Example: </p> 11594<pre> 11595# Preferred syntax with Postfix ≥ 3.6: 11596smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3 11597# Legacy syntax: 11598smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 11599</pre> 11600 11601<p> This feature is available in Postfix 2.3 and later. </p> 11602 11603%PARAM smtp_tls_verify_cert_match hostname 11604 11605<p> How the Postfix SMTP client verifies the server certificate 11606peername for the 11607"verify" TLS security level. In a "verify" TLS policy table 11608($smtp_tls_policy_maps) entry the optional "match" attribute 11609overrides this main.cf setting. </p> 11610 11611<p> This parameter specifies one or more patterns or strategies separated 11612by commas, whitespace or colons. In the policy table the only valid 11613separator is the colon character. </p> 11614 11615<p> Patterns specify domain names, or domain name suffixes: </p> 11616 11617<dl> 11618 11619<dt><i>example.com</i></dt> <dd> Match the <i>example.com</i> domain, 11620i.e. one of the names in the server certificate must be <i>example.com</i>. 11621Upper and lower case distinctions are ignored. </dd> 11622 11623<dt><i>.example.com</i></dt> 11624<dd> Match subdomains of the <i>example.com</i> domain, i.e. match 11625a name in the server certificate that consists of a non-zero number of 11626labels followed by a <i>.example.com</i> suffix. Case distinctions are 11627ignored.</dd> 11628 11629</dl> 11630 11631<p> Strategies specify a transformation from the next-hop domain 11632to the expected name in the server certificate: </p> 11633 11634<dl> 11635 11636<dt>nexthop</dt> 11637<dd> Match against the next-hop domain, which is either the recipient 11638domain, or the transport next-hop configured for the domain stripped of 11639any optional socket type prefix, enclosing square brackets and trailing 11640port. 
When MX lookups are not suppressed, this is the original nexthop
domain prior to the MX lookup, not the result of the MX lookup. For
LMTP delivery via UNIX-domain sockets, the verified next-hop name is
$myhostname. This strategy is suitable for use with the "secure"
policy. Case is ignored.</dd>

<dt>dot-nexthop</dt>
<dd> As above, but match server certificate names that are subdomains
of the next-hop domain. Case is ignored.</dd>

<dt>hostname</dt> <dd> Match against the hostname of the server, often
obtained via an unauthenticated DNS MX lookup. For LMTP delivery via
UNIX-domain sockets, the verified name is $myhostname. This matches
the verification strategy of the "MUST" keyword in the obsolete
smtp_tls_per_site table, and is suitable for use with the "verify"
security level. When the next-hop name is enclosed in square brackets
to suppress MX lookups, the "hostname" strategy is the same as the
"nexthop" strategy. Case is ignored.</dd>

</dl>

<p>
Sample main.cf setting:
</p>

<pre>
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
</pre>

<p>
Sample policy table override:
</p>

<pre>
example.com     verify match=hostname:nexthop
.example.com    verify match=example.com:.example.com:hostname
</pre>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_tls_secure_cert_match nexthop, dot-nexthop

<p> How the Postfix SMTP client verifies the server certificate
peername for the "secure" TLS security level. In a "secure" TLS policy table
($smtp_tls_policy_maps) entry the optional "match" attribute
overrides this main.cf setting. </p>

<p> This parameter specifies one or more patterns or strategies separated
by commas, whitespace or colons.
In the policy table the only valid
separator is the colon character. </p>

<p> For a description of the pattern and strategy syntax see the
smtp_tls_verify_cert_match parameter. The "hostname" strategy should
be avoided in this context, as in the absence of a secure global DNS, using
the results of MX lookups in certificate verification is not immune to active
(man-in-the-middle) attacks on DNS. </p>

<p>
Sample main.cf setting:
</p>

<blockquote>
<pre>
smtp_tls_secure_cert_match = nexthop
</pre>
</blockquote>

<p>
Sample policy table override:
</p>

<blockquote>
<pre>
example.net     secure match=example.com:.example.com
.example.net    secure match=example.com:.example.com
</pre>
</blockquote>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_policy_maps

<p> The LMTP-specific version of the smtp_tls_policy_maps
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_mandatory_protocols see "postconf -d" output

<p> The LMTP-specific version of the smtp_tls_mandatory_protocols
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_verify_cert_match hostname

<p> The LMTP-specific version of the smtp_tls_verify_cert_match
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_secure_cert_match nexthop

<p> The LMTP-specific version of the smtp_tls_secure_cert_match
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later.
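</p>

<p> The following is an added example, not Postfix code: a Python model
of the pattern and strategy rules documented above for
smtp_tls_verify_cert_match and smtp_tls_secure_cert_match (and their lmtp_
counterparts). It strips the socket type prefix, square brackets and port
from a next-hop, substitutes $myhostname for UNIX-domain LMTP, and matches
a list of certificate DNS names against a main.cf value or a policy-table
"match=" attribute. The $myhostname value, the next-hop grammar and the
constructed forged-MX scenario are this example's own; they are there to
show why "hostname" is unsafe at the "secure" level. </p>

```python
"""Model of Postfix SMTP client certificate-name matching.

Added example, not Postfix code: it implements the pattern and strategy
rules documented for smtp_tls_verify_cert_match and
smtp_tls_secure_cert_match (and their lmtp_ counterparts), so the effect
of a main.cf value or a policy-table "match=" attribute can be checked
offline.  The certificate's DNS names are passed in as a plain list.
"""
import re

# Stand-in for $myhostname (assumed value for this example).
MYHOSTNAME = "mta.example.org"

# Next-hop forms handled: host, host:port, [host], [host]:port,
# inet:[host]:port, unix:/path (grammar is this example's own).
NEXTHOP_RE = re.compile(
    r"^(?:(?P<type>inet|unix):)?(?P<host>\[[^\]]*\]|[^:\[]+)(?::(?P<port>\d+))?$")


def nexthop_name(nexthop):
    """Return (name, mx_lookups_suppressed) for a transport next-hop.

    The optional socket type prefix, enclosing square brackets and trailing
    port are stripped; LMTP over a UNIX-domain socket verifies $myhostname.
    """
    m = NEXTHOP_RE.match(nexthop.strip())
    if not m:
        raise ValueError("cannot parse next-hop %r" % nexthop)
    if m.group("type") == "unix":
        return MYHOSTNAME.lower(), True
    host = m.group("host")
    return host.strip("[]").lower(), host.startswith("[")


def _subdomain_of(name, suffix):
    """True when name is a non-zero number of labels followed by .suffix."""
    name, suffix = name.lower(), suffix.lower()
    if not name.endswith("." + suffix):
        return False
    prefix = name[:-(len(suffix) + 1)]
    return bool(prefix) and all(prefix.split("."))


def _item_matches(item, name, nexthop, hostname):
    """One pattern or strategy against one certificate name (case folded)."""
    if item == "nexthop":
        return name == nexthop
    if item == "dot-nexthop":
        return _subdomain_of(name, nexthop)
    if item == "hostname":
        return name == hostname
    if item.startswith("."):
        return _subdomain_of(name, item[1:])
    return name == item.lower()


def cert_name_matches(nexthop, server_hostname, cert_names, match_spec):
    """Return the first certificate name accepted by match_spec, else None.

    server_hostname is the MX host learned from (unauthenticated) DNS; when
    MX lookups were suppressed with [brackets] the "hostname" strategy uses
    the next-hop name instead, as documented.  match_spec may use the main.cf
    separators (comma, whitespace) or the policy-table separator (colon).
    """
    nh, suppressed = nexthop_name(nexthop)
    hostname = nh if suppressed else server_hostname.lower()
    items = [i for i in re.split(r"[\s,:]+", match_spec.strip()) if i]
    for name in (n.lower() for n in cert_names):
        if any(_item_matches(i, name, nh, hostname) for i in items):
            return name
    return None


if __name__ == "__main__":
    # Constructed scenario: DNS for example.com has been tampered with so
    # the MX record points at the attacker's host, whose certificate is
    # perfectly valid for that host name.
    forged_mx, cert = "mx.attacker.test", ["mx.attacker.test"]
    print("hostname            :",
          cert_name_matches("example.com", forged_mx, cert, "hostname"))
    print("nexthop, dot-nexthop:",
          cert_name_matches("example.com", forged_mx, cert,
                            "nexthop, dot-nexthop"))
```

<p> With the forged MX record, "hostname" accepts the attacker's
certificate while "nexthop, dot-nexthop" rejects it, because the latter
two derive the expected name from the configured next-hop rather than
from DNS. A bracketed next-hop such as "[mail.example.com]:587" makes
"hostname" and "nexthop" coincide, and "unix:/var/run/lmtp" is verified
against $myhostname. </p>

<p>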
</p>

%PARAM smtpd_tls_mandatory_protocols see "postconf -d" output

<p> TLS protocols accepted by the Postfix SMTP server with mandatory TLS
encryption. If the list is empty, the server supports all available TLS
protocol versions. A non-empty value is a list of protocol names to
include or exclude, separated by whitespace, commas or colons. </p>

<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with
Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
the lowest supported TLS protocol version (see below). Older releases
use the "!" exclusion syntax, also described below. </p>

<p> As of Postfix 3.6, the preferred way to limit the range of
acceptable protocols is to set the lowest acceptable TLS protocol
version and/or the highest acceptable TLS protocol version. To set the
lower bound include an element of the form: ">=<i>version</i>" where
<i>version</i> is either one of the TLS protocol names listed above,
or a hexadecimal number corresponding to the desired TLS protocol
version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper
bound, use "<=<i>version</i>". There must be no whitespace between
the ">=" or "<=" symbols and the protocol name or number. </p>

<p> Hexadecimal protocol numbers make it possible to specify protocol
bounds for TLS versions that are known to OpenSSL, but might not be
known to Postfix. They cannot be used with the legacy exclusion syntax.
Leading "0" or "0x" prefixes are supported, but not required.
Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
upper or lower bound, and a warning will be logged.
Hexadecimal
versions should only be used when Postfix is linked with some future
version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
yet support a symbolic name for that protocol version. </p>

<p>Hexadecimal example (Postfix ≥ 3.6):</p>
<blockquote>
<pre>
# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
# in some future version of OpenSSL (presently a warning is logged).
smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
# Allow only TLS 1.2 and up:
smtpd_tls_mandatory_protocols = >=0x0303
</pre>
</blockquote>

<p> With Postfix < 3.6 there is no support for a minimum or maximum
version, and the protocol range is configured via protocol exclusions.
To require at least TLS 1.0, set "smtpd_tls_mandatory_protocols =
!SSLv2, !SSLv3". Listing the protocols to include, rather than
protocols to exclude, is supported, but not recommended. The exclusion
form more accurately matches the underlying OpenSSL interface. The
contiguity caveat described under smtp_tls_mandatory_protocols applies
here as well: when a protocol version is enabled, excluding any higher
version also disables all versions above that higher version, so keep
the enabled range contiguous. </p>

<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling
this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2). </p>

<p> Example: </p>

<pre>
# Preferred syntax with Postfix ≥ 3.6:
smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
# Legacy syntax:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
</pre>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_tls_security_level

<p> The default SMTP TLS security level for the Postfix SMTP client.
When a non-empty value is specified, this overrides the obsolete
parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername;
when no value is specified for smtp_tls_enforce_peername or the obsolete
parameters, the default SMTP TLS security level is
<a href="TLS_README.html#client_tls_none">none</a>. </p>

<p> Specify one of the following security levels: </p>

<dl>

<dt><b><a href="TLS_README.html#client_tls_none">none</a></b></dt>
<dd> No TLS. TLS will not be used unless enabled for specific
destinations via smtp_tls_policy_maps. </dd>

<dt><b><a href="TLS_README.html#client_tls_may">may</a></b></dt>
<dd> Opportunistic TLS. Use TLS if this is supported by the remote
SMTP server, otherwise use plaintext. Since
sending in the clear is acceptable, demanding stronger than default TLS
security merely reduces interoperability.
The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6)
configuration parameters provide control over the protocols and
cipher grade used with opportunistic TLS. With earlier releases the
opportunistic TLS cipher grade is always "export" and no protocols
are disabled.
When TLS handshakes fail, the connection is retried with TLS disabled.
This allows mail delivery to sites with non-interoperable TLS
implementations. Note that this fallback also means that an attacker
who can make the handshake fail can force delivery in plaintext; where
that matters, use one of the authenticated security levels below, or a
per-destination policy in smtp_tls_policy_maps. </dd>

<dt><b><a href="TLS_README.html#client_tls_encrypt">encrypt</a></b></dt>
<dd>Mandatory TLS encryption. Since a minimum
level of security is intended, it is reasonable to be specific about
sufficiently secure protocol versions and ciphers. At this security level
and higher, the main.cf parameters smtp_tls_mandatory_protocols and
smtp_tls_mandatory_ciphers specify the TLS protocols and minimum
cipher grade which the administrator considers secure enough for
mandatory encrypted sessions.
This security level is not an appropriate
default for systems delivering mail to the Internet. </dd>

<dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt>
<dd>Opportunistic DANE TLS. At this security level, the TLS policy
for the destination is obtained via DNSSEC. For TLSA policy to be
in effect, the destination domain's containing DNS zone must be
signed and the Postfix SMTP client's operating system must be
configured to send its DNS queries to a recursive DNS nameserver
that is able to validate the signed records. Each MX host's DNS
zone should also be signed, and should publish DANE TLSA (RFC 7672)
records that specify how that MX host's TLS certificate is to be
verified. TLSA records do not preempt the normal SMTP MX host
selection algorithm; if some MX hosts support TLSA and others do
not, TLS security will vary from delivery to delivery. It is up
to the domain owner to configure their MX hosts and their DNS
sensibly. To configure the Postfix SMTP client for DNSSEC lookups
see the documentation for the smtp_dns_support_level main.cf
parameter. When DNSSEC-validated TLSA records are not found the
effective TLS security level is "may". When TLSA records are found,
but are all unusable, the effective security level is "encrypt". For
purposes of protocol and cipher selection, the "dane" security level
is treated like a "mandatory" TLS security level, and weak ciphers
and protocols are disabled. Since DANE authenticates server
certificates, the "aNULL" cipher-suites are transparently excluded
at this level; there is no need to configure this manually. RFC 7672
(DANE) TLS authentication is available with Postfix 2.11 and later. </dd>

<dt><b><a href="TLS_README.html#client_tls_dane">dane-only</a></b></dt>
<dd>Mandatory DANE TLS. This is just like "dane" above, but DANE
TLSA authentication is required.
There is no fallback to "may" or
"encrypt" when TLSA records are missing or unusable. RFC 7672
(DANE) TLS authentication is available with Postfix 2.11 and later.
</dd>

<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
<dd>Certificate fingerprint verification.
At this security level, there are no trusted Certification Authorities.
The certificate trust chain, expiration date, etc., are
not checked. Instead, the <b>smtp_tls_fingerprint_cert_match</b>
parameter lists the certificate fingerprint or public key fingerprint
(Postfix 2.9 and later) of the valid server certificate. The digest
algorithm used to calculate the fingerprint is selected by the
<b>smtp_tls_fingerprint_digest</b> parameter. Available with Postfix
2.5 and later. </dd>

<dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt>
<dd>Mandatory TLS verification. At this security
level, DNS MX lookups are trusted to be secure enough, and the name
verified in the server certificate is usually obtained indirectly
via unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match
parameter controls how the server name is verified. In practice explicit
control over matching is more common at the "secure" level, described
below. This security level is not an appropriate default for systems
delivering mail to the Internet. </dd>

<dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt>
<dd>Secure-channel TLS. At this security level,
DNS MX lookups, though potentially used to determine the candidate
next-hop gateway IP addresses, are <b>not</b> trusted to be secure enough
for TLS peername verification. Instead, the default name verified in
the server certificate is obtained from the next-hop domain as specified
in the smtp_tls_secure_cert_match configuration parameter.
The default
matching rule is that a server certificate matches when its name is equal
to or is a sub-domain of the nexthop domain. This security level is not
an appropriate default for systems delivering mail to the Internet. </dd>

</dl>

<p>
Examples:
</p>

<pre>
# No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
smtp_tls_security_level = none
</pre>

<pre>
# Opportunistic TLS.
smtp_tls_security_level = may
# Do not tweak opportunistic ciphers or protocols unless it is essential
# to do so (if a security vulnerability is found in the SSL library that
# can be mitigated by disabling a particular protocol or raising the
# cipher grade).
smtp_tls_ciphers = medium
smtp_tls_protocols = >=TLSv1
# Legacy (Postfix < 3.6) syntax:
smtp_tls_protocols = !SSLv2, !SSLv3
</pre>

<pre>
# Mandatory (high-grade) TLS encryption.
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
</pre>

<pre>
# Authenticated TLS 1.2 or better matching the nexthop domain or a
# subdomain.
smtp_tls_security_level = secure
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_secure_cert_match = nexthop, dot-nexthop
</pre>

<pre>
# Certificate fingerprint verification (Postfix ≥ 2.5).
# The CA-less "fingerprint" security level only scales to a limited
# number of destinations. As a global default rather than a per-site
# setting, this is practical only when mail for all recipients is sent
# to a central mail hub.
relayhost = [mailhub.example.com]
smtp_tls_security_level = fingerprint
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_ciphers = high
smtp_tls_fingerprint_cert_match =
    3D:95:34:51:...:40:99:C0:C1
    EC:3B:2D:B0:...:A3:9D:72:F6
</pre>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtpd_milters

<p> A list of Milter (mail filter) applications for new mail that
arrives via the Postfix smtpd(8) server. Specify space or comma as
separator. See the MILTER_README document for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM non_smtpd_milters

<p> A list of Milter (mail filter) applications for new mail that
does not arrive via the Postfix smtpd(8) server. This includes local
submission via the sendmail(1) command line, new mail that arrives
via the Postfix qmqpd(8) server, and old mail that is re-injected
into the queue with "postsuper -r". Specify space or comma as a
separator. See the MILTER_README document for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_protocol 6

<p> The mail filter protocol version and optional protocol extensions
for communication with a Milter application; prior to Postfix 2.6
the default protocol is 2. Postfix
sends this version number during the initial protocol handshake.
It should match the version number that is expected by the mail
filter application (or by its Milter library). </p>

<p>Protocol versions: </p>

<dl compact>

<dt>2</dt> <dd>Use Sendmail 8 mail filter protocol version 2 (default
with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 ..
2.5).</dd>

<dt>3</dt> <dd>Use Sendmail 8 mail filter protocol version 3.</dd>

<dt>4</dt> <dd>Use Sendmail 8 mail filter protocol version 4.</dd>

<dt>6</dt> <dd>Use Sendmail 8 mail filter protocol version 6 (default
with Sendmail version 8.14 and Postfix version 2.6).</dd>

</dl>

<p>Protocol extensions: </p>

<dl compact>

<dt>no_header_reply</dt> <dd> Specify this when the Milter application
will not reply for each individual message header.</dd>

</dl>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_default_action tempfail

<p> The default action when a Milter (mail filter) response is
unavailable (for example, bad Postfix configuration or Milter
failure). Specify one of the following: </p>

<dl compact>

<dt>accept</dt> <dd>Proceed as if the mail filter was not present.
Note that this is a fail-open choice: while the Milter is unavailable,
mail is accepted without whatever filtering that Milter provides.
</dd>

<dt>reject</dt> <dd>Reject all further commands in this session
with a permanent status code.</dd>

<dt>tempfail</dt> <dd>Reject all further commands in this session
with a temporary status code. </dd>

<dt>quarantine</dt> <dd>Like "accept", but freeze the message in
the "hold" queue. Available with Postfix 2.6 and later. </dd>

</dl>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_connect_timeout 30s

<p> The time limit for connecting to a Milter (mail filter)
application, and for negotiating protocol options. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.3 and later.
</p>

%PARAM milter_command_timeout 30s

<p> The time limit for sending an SMTP command to a Milter (mail
filter) application, and for receiving the response. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_content_timeout 300s

<p> The time limit for sending message content to a Milter (mail
filter) application, and for receiving the response. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_connect_macros see "postconf -d" output

<p> The macros that are sent to Milter (mail filter) applications
after completion of an SMTP connection. See MILTER_README
for a list of available macro names and their meanings. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_helo_macros see "postconf -d" output

<p> The macros that are sent to Milter (mail filter) applications
after the SMTP HELO or EHLO command. See
MILTER_README for a list of available macro names and their meanings.
</p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_mail_macros see "postconf -d" output

<p> The macros that are sent to Milter (mail filter) applications
after the SMTP MAIL FROM command. See MILTER_README
for a list of available macro names and their meanings.
</p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_rcpt_macros see "postconf -d" output

<p> The macros that are sent to Milter (mail filter) applications
after the SMTP RCPT TO command. See MILTER_README
for a list of available macro names and their meanings. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_data_macros see "postconf -d" output

<p> The macros that are sent to version 4 or higher Milter (mail
filter) applications after the SMTP DATA command. See MILTER_README
for a list of available macro names and their meanings. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_end_of_header_macros see "postconf -d" output

<p> The macros that are sent to Milter (mail filter) applications
after the end of the message header. See MILTER_README for a list
of available macro names and their meanings. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM milter_end_of_data_macros see "postconf -d" output

<p> The macros that are sent to Milter (mail filter) applications
after the message end-of-data. See MILTER_README for a list of
available macro names and their meanings. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_unknown_command_macros see "postconf -d" output

<p> The macros that are sent to version 3 or higher Milter (mail
filter) applications after an unknown SMTP command. See MILTER_README
for a list of available macro names and their meanings. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_macro_daemon_name $myhostname

<p> The {daemon_name} macro value for Milter (mail filter) applications.
See MILTER_README for a list of available macro names and their
meanings. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM milter_macro_defaults

<p> Optional list of <i>name=value</i> pairs that specify default
values for arbitrary macros that Postfix may send to Milter
applications. These defaults are used when there is no corresponding
information from the message delivery context. </p>

<p> Specify <i>name=value</i> or <i>{name=value}</i> pairs separated
by comma or whitespace. Enclose a pair in "{}" when a value contains
comma or whitespace (this form ignores whitespace after the enclosing
"{", around the "=", and before the enclosing "}"). </p>

<p> This feature is available in Postfix 3.1 and later. </p>

%PARAM milter_macro_v $mail_name $mail_version

<p> The {v} macro value for Milter (mail filter) applications.
See MILTER_README for a list of available macro names and their
meanings. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtpd_tls_mandatory_ciphers medium

<p> The minimum TLS cipher grade that the Postfix SMTP server will
use with mandatory TLS encryption. The default grade ("medium") is
sufficiently strong that any benefit from globally restricting TLS
sessions to a more stringent grade is likely negligible, especially
given the fact that many implementations still do not offer any stronger
("high" grade) ciphers, while those that do, will always use "high"
grade ciphers. So insisting on "high" grade ciphers is generally
counter-productive. Allowing "export" or "low" ciphers is typically
not a good idea, as systems limited to just these are limited to
obsolete browsers. No known SMTP clients fail to support at least
one "medium" or "high" grade cipher.
</p>

<p> The following cipher grades are supported: </p>

<dl>
<dt><b>high</b></dt>
<dd> Enable only "HIGH" grade OpenSSL ciphers. The
underlying cipherlist is specified via the tls_high_cipherlist
configuration parameter, which you are strongly encouraged
not to change. </dd>

<dt><b>medium</b></dt>
<dd> Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit
or longer symmetric bulk-encryption keys. This is the default minimum
strength for mandatory TLS encryption. The underlying cipherlist is
specified via the tls_medium_cipherlist configuration parameter, which
you are strongly encouraged not to change. </dd>

<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers; these provide authentication
without encryption. This setting is only appropriate in the rare
case that all clients are prepared to use NULL ciphers (not normally
enabled in TLS clients). The underlying cipherlist is specified via the
tls_null_cipherlist configuration parameter, which you are strongly
encouraged not to change. </dd>

<dt><b>low</b></dt>
<dd> Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix
≥ 3.8 this cipher grade is always identical to "medium". Recent
versions of OpenSSL do not support any "LOW" grade ciphers. In
earlier Postfix releases the underlying cipherlist was specified
via the tls_low_cipherlist configuration parameter, which you are
strongly encouraged not to change. This obsolete cipher grade
SHOULD NOT be used. </dd>

<dt><b>export</b></dt>
<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
≥ 3.8 this cipher grade is always identical to "medium". Recent
versions of OpenSSL do not support any "EXPORT" grade ciphers.
In
earlier Postfix releases the underlying cipherlist was specified
via the tls_export_cipherlist configuration parameter, which you are
strongly encouraged not to change. This obsolete cipher grade
SHOULD NOT be used. </dd>

</dl>

<p> Cipher types listed in
smtpd_tls_mandatory_exclude_ciphers or smtpd_tls_exclude_ciphers are
excluded from the base definition of the selected cipher grade. See
smtpd_tls_ciphers for cipher controls that apply to opportunistic
TLS. </p>

<p> The underlying cipherlists for grades other than "null" include
anonymous ciphers, but these are automatically filtered out if the
server is configured to ask for remote SMTP client certificates. You are very
unlikely to need to take any steps to exclude anonymous ciphers; they
are excluded automatically as required. If you must exclude anonymous
ciphers even when Postfix does not need or use peer certificates, set
"smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only
when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = aNULL". </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtpd_tls_exclude_ciphers

<p> List of ciphers or cipher types to excl from the SMTP server
cipher list at all TLS security levels. Excluding valid ciphers
can create interoperability problems. DO NOT exclude ciphers unless it
is essential to do so. This is not an OpenSSL cipherlist; it is a simple
list separated by whitespace and/or commas. The elements are a single
cipher, or one or more "+" separated cipher properties, in which case
only ciphers matching <b>all</b> the properties are excluded.
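</p>

<p> The following is an added example, not Postfix or OpenSSL code: a
Python model of the exclusion-list syntax just described, which is the
same for smtpd_tls_exclude_ciphers and smtp_tls_exclude_ciphers. It applies
a setting to a small constructed table of cipher names and OpenSSL-style
properties to show the difference between comma-separated elements (a
cipher is dropped if any element matches) and "+"-joined properties
(all must match), and it shows the documented automatic removal of
anonymous ciphers when the peer certificate is verified. The cipher
table and its property sets are illustrative approximations, not
OpenSSL output. </p>

```python
"""Model of the *_tls_exclude_ciphers list syntax.

Added example, not Postfix or OpenSSL code: the exclusion list syntax
documented for smtpd_tls_exclude_ciphers and smtp_tls_exclude_ciphers is
applied to a small constructed table of cipher names and OpenSSL-style
properties, to show how comma-separated elements (any may match) differ
from "+"-joined properties (all must match).
"""
import re

# Constructed table: cipher name -> property set, using OpenSSL property
# names (kRSA/kEDH/kEECDH key exchange, aRSA/aNULL authentication, bulk
# cipher, digest).  Illustrative only; a real table would come from
# "openssl ciphers -v".
CIPHERS = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"kEECDH", "aRSA", "AES128", "AESGCM", "SHA256"},
    "DHE-RSA-AES256-SHA":          {"kEDH", "aRSA", "AES256", "SHA1"},
    "AES256-SHA":                  {"kRSA", "aRSA", "AES256", "SHA1"},
    "ADH-AES128-SHA":              {"kEDH", "aNULL", "AES128", "SHA1"},
    "DES-CBC3-MD5":                {"kRSA", "aRSA", "3DES", "MD5"},
    "DES-CBC-SHA":                 {"kRSA", "aRSA", "DES", "SHA1"},
    "DES-CBC-MD5":                 {"kRSA", "aRSA", "DES", "MD5"},
}


def parse_exclusions(setting):
    """Split the value on whitespace/commas; each element becomes the set of
    "+"-joined properties (or the single cipher name) that must all hold."""
    return [set(e.split("+"))
            for e in re.split(r"[\s,]+", setting.strip()) if e]


def excluded_ciphers(setting, table=CIPHERS):
    """Sorted names of the ciphers in `table` that the setting removes."""
    gone = set()
    for element in parse_exclusions(setting):
        for name, props in table.items():
            # A bare cipher name matches itself; a property set matches when
            # every listed property is present in the cipher.
            if element == {name} or element <= props:
                gone.add(name)
    return sorted(gone)


def remaining_ciphers(setting, table=CIPHERS):
    """Sorted names that survive the exclusions."""
    gone = set(excluded_ciphers(setting, table))
    return sorted(n for n in table if n not in gone)


def effective_ciphers(exclude, verifies_peer, table=CIPHERS):
    """Anonymous (aNULL) ciphers drop out automatically whenever the peer
    certificate is verified, as documented; otherwise only an explicit
    "aNULL" exclusion removes them."""
    setting = exclude + (" aNULL" if verifies_peer else "")
    return remaining_ciphers(setting, table)


if __name__ == "__main__":
    for value in ("aNULL", "MD5, DES", "DES+MD5",
                  "AES256-SHA, DES-CBC3-MD5", "kEDH+aRSA"):
        print("%-26s excludes %s" % (value, ", ".join(excluded_ciphers(value))))
```

<p> Against this table, "MD5, DES" removes three ciphers (anything using
MD5 or single DES) while "DES+MD5" removes only the one cipher that uses
both, and "kEDH+aRSA" removes the DHE-RSA suite but leaves the anonymous
ADH suite and the ECDHE-RSA suite alone; with peer verification on, the
ADH suite disappears without any explicit exclusion. </p>

<p>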
</p>

<p> Examples (some of these will cause problems): </p>

<blockquote>
<pre>
smtpd_tls_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = MD5, DES
smtpd_tls_exclude_ciphers = DES+MD5
smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
smtpd_tls_exclude_ciphers = kEDH+aRSA
</pre>
</blockquote>

<p> The first setting disables anonymous ciphers. The next setting
disables ciphers that use the MD5 digest algorithm or the (single) DES
encryption algorithm. The next setting disables ciphers that use MD5 and
DES together. The next setting disables the two ciphers "AES256-SHA"
and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH"
key exchange with RSA authentication. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtpd_tls_mandatory_exclude_ciphers

<p> Additional list of ciphers or cipher types to exclude from the
Postfix SMTP server cipher list at mandatory TLS security levels.
This list
works in addition to the exclusions listed with smtpd_tls_exclude_ciphers
(see there for syntax details). </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_tls_mandatory_ciphers medium

<p> The minimum TLS cipher grade that the Postfix SMTP client will
use with
mandatory TLS encryption. The default value "medium" is suitable
for most destinations with which you may want to enforce TLS, and
is beyond the reach of today's cryptanalytic methods. See
smtp_tls_policy_maps for information on how to configure ciphers
on a per-destination basis. </p>

<p> The following cipher grades are supported: </p>

<dl>
<dt><b>high</b></dt>
<dd> Enable only "HIGH" grade OpenSSL ciphers. This setting may
be appropriate when all mandatory TLS destinations (e.g.
when all
mail is routed to a suitably capable relayhost) support at least one
"HIGH" grade cipher. The underlying cipherlist is specified via the
tls_high_cipherlist configuration parameter, which you are strongly
encouraged not to change. </dd>

<dt><b>medium</b></dt>
<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
The underlying cipherlist is specified via the tls_medium_cipherlist
configuration parameter, which you are strongly encouraged not to change.
</dd>

<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers; these provide authentication
without encryption. This setting is only appropriate in the rare case
that all servers are prepared to use NULL ciphers (not normally enabled
in TLS servers). A plausible use-case is an LMTP server listening on a
UNIX-domain socket that is configured to support "NULL" ciphers. The
underlying cipherlist is specified via the tls_null_cipherlist
configuration parameter, which you are strongly encouraged not to
change. </dd>

<dt><b>low</b></dt>
<dd> Enable "LOW" grade or stronger OpenSSL ciphers. In Postfix
≥ 3.8 this cipher grade is always identical to "medium". Recent
versions of OpenSSL do not support any "LOW" grade ciphers. In
earlier Postfix releases the underlying cipherlist was specified
via the tls_low_cipherlist configuration parameter, which you are
strongly encouraged not to change. This obsolete cipher grade
SHOULD NOT be used. </dd>

<dt><b>export</b></dt>
<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. In Postfix
≥ 3.8 this cipher grade is always identical to "medium". Recent
versions of OpenSSL do not support any "EXPORT" grade ciphers. In
earlier Postfix releases the underlying cipherlist was specified
via the tls_export_cipherlist configuration parameter, which you are
strongly encouraged not to change.
This obsolete cipher grade
SHOULD NOT be used. </dd>

</dl>

<p> The underlying cipherlists for grades other than "null" include
anonymous ciphers, but these are automatically filtered out if the
Postfix SMTP client is configured to verify server certificates.
You are very unlikely to need to take any steps to exclude anonymous
ciphers; they are excluded automatically as necessary. If you must
exclude anonymous ciphers at the "may" or "encrypt" security levels,
when the Postfix SMTP client does not need or use peer certificates, set
"smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only when
TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL". </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_tls_exclude_ciphers

<p> List of ciphers or cipher types to exclude from the Postfix
SMTP client cipher
list at all TLS security levels. This is not an OpenSSL cipherlist; it is
a simple list separated by whitespace and/or commas. The elements are a
single cipher, or one or more "+" separated cipher properties, in which
case only ciphers matching <b>all</b> the properties are excluded. </p>

<p> Examples (some of these will cause problems): </p>

<blockquote>
<pre>
smtp_tls_exclude_ciphers = aNULL
smtp_tls_exclude_ciphers = MD5, DES
smtp_tls_exclude_ciphers = DES+MD5
smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
smtp_tls_exclude_ciphers = kEDH+aRSA
</pre>
</blockquote>

<p> The first setting disables anonymous ciphers. The next setting
disables ciphers that use the MD5 digest algorithm or the (single) DES
encryption algorithm. The next setting disables ciphers that use MD5 and
DES together. The next setting disables the two ciphers "AES256-SHA"
and "DES-CBC3-MD5".
The last setting disables ciphers that use "EDH"
key exchange with RSA authentication. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_tls_mandatory_exclude_ciphers

<p> Additional list of ciphers or cipher types to exclude from the
Postfix SMTP client cipher list at mandatory TLS security levels. This list
works in addition to the exclusions listed with smtp_tls_exclude_ciphers
(see there for syntax details). </p>

<p> Starting with Postfix 2.6, the mandatory cipher exclusions can be
specified on a per-destination basis via the TLS policy "exclude"
attribute. See smtp_tls_policy_maps for notes and examples. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM tls_high_cipherlist see "postconf -d" output

<p> The OpenSSL cipherlist for "high" grade ciphers. This defines
the meaning of the "high" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
encouraged not to change this setting. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM tls_medium_cipherlist see "postconf -d" output

<p> The OpenSSL cipherlist for "medium" or higher grade ciphers. This
defines the meaning of the "medium" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This is the
default cipherlist for mandatory TLS encryption in the TLS client
(with anonymous ciphers disabled when verifying server certificates).
This is the default cipherlist for opportunistic TLS with Postfix
releases after the middle of 2015. You are strongly encouraged not
to change this setting.
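<p> An added example, not part of the Postfix documentation or source:
the Python script below models the exclusion syntax described above for
smtp_tls_exclude_ciphers and smtp_tls_mandatory_exclude_ciphers, so that
the five example settings can be compared side by side. The cipher table
and its property tags are constructed for illustration (OpenSSL, not this
script, does the real filtering inside Postfix), and the function names
"parse_exclusions", "effective_ciphers" and "excluded_by" are this
example's own. </p>

```python
"""Model of the Postfix cipher-exclusion list syntax (added example).

Tokens are separated by whitespace and/or commas. A token is either a
cipher name or one or more "+"-joined cipher properties; a multi-property
token excludes only ciphers that carry ALL of those properties.
"""
import re

# Constructed cipher table: name -> OpenSSL-style property tags.
# Assumption: these tags are illustrative and were not read from a live
# OpenSSL build. Note that OpenSSL names triple DES "3DES", not "DES".
CIPHERS = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"kECDHE", "aRSA", "AES256", "AESGCM", "SHA384"},
    "DHE-RSA-AES128-SHA":          {"kEDH", "aRSA", "AES128", "SHA1"},
    "AES256-SHA":                  {"kRSA", "aRSA", "AES256", "SHA1"},
    "ADH-AES128-SHA":              {"kEDH", "aNULL", "AES128", "SHA1"},
    "AECDH-AES256-SHA":            {"kECDHE", "aNULL", "AES256", "SHA1"},
    "DES-CBC3-MD5":                {"kRSA", "aRSA", "3DES", "MD5"},
    "DES-CBC-SHA":                 {"kRSA", "aRSA", "DES", "SHA1"},
    "DES-CBC-MD5":                 {"kRSA", "aRSA", "DES", "MD5"},
    "RC4-MD5":                     {"kRSA", "aRSA", "RC4", "MD5"},
}


def parse_exclusions(setting: str) -> list:
    """Split a Postfix exclusion list into tokens; each token is a list of
    its "+"-joined parts (a single-part token is a cipher name or property)."""
    return [tok.split("+") for tok in re.split(r"[\s,]+", setting.strip()) if tok]


def is_excluded(name: str, props: set, exclusions: list) -> bool:
    """A token excludes a cipher when every part is either the cipher's own
    name or one of its properties (so "DES+MD5" needs both properties)."""
    return any(all(part == name or part in props for part in token)
               for token in exclusions)


def effective_ciphers(exclude: str, mandatory_exclude: str = "",
                      mandatory: bool = False) -> list:
    """Ciphers left after applying smtp_tls_exclude_ciphers (all levels) and,
    only at mandatory TLS levels, smtp_tls_mandatory_exclude_ciphers too."""
    exclusions = parse_exclusions(exclude)
    if mandatory:
        exclusions += parse_exclusions(mandatory_exclude)
    return [n for n, p in CIPHERS.items() if not is_excluded(n, p, exclusions)]


def excluded_by(exclude: str) -> list:
    """Which ciphers of the table a given smtp_tls_exclude_ciphers value removes."""
    kept = set(effective_ciphers(exclude))
    return [n for n in CIPHERS if n not in kept]


if __name__ == "__main__":
    for setting in ("aNULL", "MD5, DES", "DES+MD5",
                    "AES256-SHA, DES-CBC3-MD5", "kEDH+aRSA"):
        print(f"{setting:28s} excludes {excluded_by(setting)}")
```

<p> Observe that "DES+MD5" removes only DES-CBC-MD5: DES-CBC3-MD5 carries the
"3DES" property rather than "DES", so it survives that setting but not
"MD5, DES". The "mandatory" flag shows the layering of the two parameters:
"aNULL" in smtp_tls_mandatory_exclude_ciphers removes the anonymous suites
only when TLS is enforced. </p>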
</p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM tls_low_cipherlist see "postconf -d" output

<p> The OpenSSL cipherlist for "low" or higher grade ciphers.
Ignored as of Postfix 3.8. In earlier Postfix releases this
defined the meaning of the "low" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
change this setting. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM tls_export_cipherlist see "postconf -d" output

<p> The OpenSSL cipherlist for "export" or higher grade ciphers.
Ignored as of Postfix 3.8. In earlier Postfix releases this
defined the meaning of the "export" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers,
smtp_tls_mandatory_ciphers, lmtp_tls_ciphers, and
lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
change this setting. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM tls_null_cipherlist eNULL:!aNULL

<p> The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the "null"
setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
change this setting. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_mandatory_ciphers medium

<p> The LMTP-specific version of the smtp_tls_mandatory_ciphers
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later.
</p>

%PARAM lmtp_tls_exclude_ciphers

<p> The LMTP-specific version of the smtp_tls_exclude_ciphers
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM lmtp_tls_mandatory_exclude_ciphers

<p> The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtpd_tls_security_level

<p> The SMTP TLS security level for the Postfix SMTP server; when
a non-empty value is specified, this overrides the obsolete parameters
smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with
"smtpd_tls_wrappermode = yes". </p>

<p> Specify one of the following security levels: </p>

<dl>

<dt><b>none</b></dt> <dd> TLS will not be used. </dd>

<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
to remote SMTP clients, but do not require that clients use TLS encryption.
</dd>

<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
STARTTLS support to remote SMTP clients, and require that clients use TLS
encryption. According to RFC 2487 this MUST NOT be applied in the case
of a publicly-referenced SMTP server. Instead, this option should
be used only on dedicated servers. </dd>

</dl>

<p> Note 1: the "fingerprint", "verify" and "secure" levels are not
supported here.
The Postfix SMTP server logs a warning and uses "encrypt" instead.
To verify remote SMTP client certificates, see TLS_README for a discussion
of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts
features.
</p>

<p> Note 2: The parameter setting "smtpd_tls_security_level =
encrypt" implies "smtpd_tls_auth_only = yes".</p>

<p> Note 3: when invoked via "sendmail -bs", Postfix will never
offer STARTTLS due to insufficient privileges to access the server
private key. This is intended behavior.</p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM internal_mail_filter_classes

<p> What categories of Postfix-generated mail are subject to
before-queue content inspection by non_smtpd_milters, header_checks
and body_checks. Specify zero or more of the following, separated
by whitespace or comma. </p>

<dl>

<dt><b>bounce</b></dt> <dd> Inspect the content of delivery
status notifications. </dd>

<dt><b>notify</b></dt> <dd> Inspect the content of postmaster
notifications by the smtp(8) and smtpd(8) processes. </dd>

</dl>

<p> NOTE: It's generally not safe to enable content inspection of
Postfix-generated email messages. The user is warned. </p>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtpd_tls_always_issue_session_ids yes

<p> Force the Postfix SMTP server to issue a TLS session id, even
when TLS session caching is turned off (smtpd_tls_session_cache_database
is empty). This behavior is compatible with Postfix < 2.3. </p>

<p> With Postfix 2.3 and later the Postfix SMTP server can disable
session id generation when TLS session caching is turned off. This
keeps remote SMTP clients from caching sessions that almost certainly cannot
be re-used. </p>

<p> By default, the Postfix SMTP server always generates TLS session
ids. This works around a known defect in mail client applications
such as MS Outlook, and may also prevent interoperability issues
with other MTAs.
</p>

<p> Example: </p>

<pre>
smtpd_tls_always_issue_session_ids = no
</pre>

<p> This feature is available in Postfix 2.3 and later. </p>

%PARAM smtp_pix_workarounds disable_esmtp, delay_dotcrlf

<p> A list that specifies zero or more workarounds for CISCO PIX
firewall bugs. These workarounds are implemented by the Postfix
SMTP client. Workaround names are separated by comma or space, and
are case insensitive. This parameter setting can be overruled with
per-destination smtp_pix_workaround_maps settings. </p>

<dl>

<dt><b>delay_dotcrlf</b></dt> <dd> Insert a delay before sending
".<CR><LF>" after the end of the message content. The
delay is subject to the smtp_pix_workaround_delay_time and
smtp_pix_workaround_threshold_time parameter settings. </dd>

<dt><b>disable_esmtp</b></dt> <dd> Disable all extended SMTP commands:
send HELO instead of EHLO. </dd>

</dl>

<p> This feature is available in Postfix 2.4 and later. The default
settings are backwards compatible with earlier Postfix versions.
</p>

%PARAM smtp_pix_workaround_maps

<p> Lookup tables, indexed by the remote SMTP server address, with
per-destination workarounds for CISCO PIX firewall bugs. The table
is not indexed by hostname for consistency with
smtp_discard_ehlo_keyword_address_maps. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p> This feature is available in Postfix 2.4 and later. </p>

%PARAM lmtp_pix_workarounds

<p> The LMTP-specific version of the smtp_pix_workarounds
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.4 and later.
</p>

%PARAM smtp_tls_fingerprint_digest see "postconf -d" output

<p> The message digest algorithm used to construct remote SMTP server
certificate fingerprints. At the "fingerprint" TLS security level
(<b>smtp_tls_security_level</b> = fingerprint), the server certificate is
verified by directly matching its certificate fingerprint or its public
key fingerprint (Postfix 2.9 and later). The fingerprint is the
message digest of the server certificate (or its public key)
using the selected
algorithm. With a digest algorithm resistant to "second pre-image"
attacks, it is not feasible to create a new public key and a matching
certificate (or public/private key-pair) that has the same fingerprint. </p>

<p> The default algorithm is <b>sha256</b> with Postfix ≥ 3.6
and the <b>compatibility_level</b> set to 3.6 or higher. With Postfix
≤ 3.5, the default algorithm is <b>md5</b>. </p>

<p> The best-practice algorithm is now <b>sha256</b>. Recent advances in hash
function cryptanalysis have led to md5 and sha1 being deprecated in favor of
sha256. However, as long as there are no known "second pre-image" attacks
against the older algorithms, their use in this context, though not
recommended, is still likely safe. </p>

<p> While additional digest algorithms are often available with OpenSSL's
libcrypto, only those used by libssl in SSL cipher suites are available to
Postfix. You'll likely find support for md5, sha1, sha256 and sha512. </p>

<p> To find the fingerprint of a specific certificate file, with a
specific digest algorithm, run:
</p>

<blockquote>
<pre>
$ openssl x509 -noout -fingerprint -<i>digest</i> -in <i>certfile</i>.pem
</pre>
</blockquote>

<p> The text to the right of the "=" sign is the desired fingerprint.
For example: </p>

<blockquote>
<pre>
$ openssl x509 -noout -fingerprint -sha256 -in cert.pem
SHA256 Fingerprint=D4:6A:AB:19:24:...:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
</pre>
</blockquote>

<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command always extracts the public
key in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>

<p> The actual command to transform the key to DER format depends on the
version of OpenSSL used. As of OpenSSL 1.0.0, the "pkey" command supports
all key types. </p>
<blockquote>
<pre>
# OpenSSL ≥ 1.0 with SHA-256 fingerprints.
$ openssl x509 -in cert.pem -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:...:fc:09:1a:61:98:b5:bc:7c:60:58
</pre>
</blockquote>

<p> The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and the public key fingerprint when the TLS loglevel is 2 or
higher. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtp_tls_fingerprint_cert_match

<p> List of acceptable remote SMTP server certificate fingerprints for
the "fingerprint" TLS security level (<b>smtp_tls_security_level</b> =
fingerprint). At this security level, Certification Authorities are not
used, and certificate expiration times are ignored. Instead, server
certificates are verified directly via their certificate fingerprint
or public key fingerprint (Postfix 2.9 and later).
The fingerprint
is a message digest of the server certificate (or public key). The
digest algorithm is selected via the <b>smtp_tls_fingerprint_digest</b>
parameter. </p>

<p> The colons between each pair of nibbles in the fingerprint value
are optional (Postfix ≥ 3.6). These were required in earlier
Postfix releases. </p>

<p> When an <b>smtp_tls_policy_maps</b> table entry specifies the
"fingerprint" security level, any "match" attributes in that entry specify
the list of valid fingerprints for the corresponding destination. Multiple
fingerprints can be combined with a "|" delimiter in a single match
attribute, or multiple match attributes can be employed. </p>

<p> Example: Certificate fingerprint verification with internal mailhub.
Two matching fingerprints are listed. The relayhost may be multiple
physical hosts behind a load-balancer, each with its own private/public
key and self-signed certificate. Alternatively, a single relayhost may
be in the process of switching from one set of private/public keys to
another, and both keys are trusted just prior to the transition. </p>

<blockquote>
<pre>
relayhost = [mailhub.example.com]
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha256
smtp_tls_fingerprint_cert_match =
    cd:fc:d8:db:f8:c4:82:96:6c:...:28:71:e8:f5:8d:a5:0d:9b:d4:a6
    dd:5c:ef:f5:c3:bc:64:25:36:...:99:36:06:ce:40:ef:de:2e:ad:a4
</pre>
</blockquote>

<p> Example: Certificate fingerprint verification with selected destinations.
As in the example above, we show two matching fingerprints: </p>

<blockquote>
<pre>
/etc/postfix/main.cf:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    smtp_tls_fingerprint_digest = sha256
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/tls_policy:
    example.com fingerprint
        match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
        match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
</pre>
</blockquote>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM lmtp_tls_fingerprint_cert_match

<p> The LMTP-specific version of the smtp_tls_fingerprint_cert_match
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM lmtp_tls_fingerprint_digest see "postconf -d" output

<p> The LMTP-specific version of the smtp_tls_fingerprint_digest
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtpd_tls_fingerprint_digest see "postconf -d" output

<p> The message digest algorithm used to construct remote SMTP client-certificate
fingerprints or public key fingerprints (Postfix 2.9 and later) for
<b>check_ccert_access</b> and <b>permit_tls_clientcerts</b>. </p>

<p> The default algorithm is <b>sha256</b> with Postfix ≥ 3.6
and the <b>compatibility_level</b> set to 3.6 or higher. With Postfix
≤ 3.5, the default algorithm is <b>md5</b>. </p>

<p> The best-practice algorithm is now <b>sha256</b>. Recent advances in hash
function cryptanalysis have led to md5 and sha1 being deprecated in favor of
sha256.
However, as long as there are no known "second pre-image" attacks
against the older algorithms, their use in this context, though not
recommended, is still likely safe. </p>

<p> While additional digest algorithms are often available with OpenSSL's
libcrypto, only those used by libssl in SSL cipher suites are available to
Postfix. You'll likely find support for md5, sha1, sha256 and sha512. </p>

<p> To find the fingerprint of a specific certificate file, with a
specific digest algorithm, run: </p>

<blockquote>
<pre>
$ openssl x509 -noout -fingerprint -<i>digest</i> -in <i>certfile</i>.pem
</pre>
</blockquote>

<p> The text to the right of the "=" sign is the desired fingerprint.
For example: </p>

<blockquote>
<pre>
$ openssl x509 -noout -fingerprint -sha256 -in cert.pem
SHA256 Fingerprint=D4:6A:AB:19:24:...:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
</pre>
</blockquote>

<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command always extracts the public
key in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>

<p> Example: </p>
<blockquote>
<pre>
$ openssl x509 -in cert.pem -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:...:fc:09:1a:61:98:b5:bc:7c:60:58
</pre>
</blockquote>

<p> The Postfix SMTP server and client log the peer (leaf) certificate
fingerprint and public key fingerprint when the TLS loglevel is 2 or
higher.
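<p> An added example, not part of the Postfix documentation or source:
the Python script below reproduces, without the openssl command, the two
fingerprints discussed under smtp_tls_fingerprint_digest,
smtp_tls_fingerprint_cert_match and smtpd_tls_fingerprint_digest above,
namely the digest of the DER certificate (the "openssl x509 -fingerprint"
value) and the digest of the DER SubjectPublicKeyInfo (the value printed by
the "x509 -pubkey | pkey -outform DER | dgst -c" pipeline). It also shows
how a colon-free, mixed-case value still matches a "|"-separated match
list. The certificate is a hand-assembled, unsigned X.509 skeleton
constructed inline so the script runs offline; the function names and the
case-insensitive comparison are this example's choices, not Postfix code. </p>

```python
"""Certificate and public-key fingerprints, as Postfix matches them (added example)."""
import base64
import hashlib
import re


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def der_tlv(buf: bytes, pos: int):
    """Decode the TLV header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each child of a SEQUENCE/SET."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Certificate = SEQ { tbsCertificate, signatureAlgorithm, signature };
    tbsCertificate = SEQ { [0] version OPTIONAL, serialNumber, signature,
                           issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_vs, cert_ve = der_tlv(cert_der, 0)
    tbs_tag, _, tbs_vs, tbs_ve = next(der_children(cert_der, cert_vs, cert_ve))
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = list(der_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version present (v2/v3 certs)
        fields = fields[1:]
    spki_tag, spki_start, _, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki_start:spki_end]    # whole TLV, as "pkey -outform DER" emits it


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(data: bytes, digest: str = "sha256") -> str:
    """Colon-separated hex digest, the layout openssl prints and Postfix logs."""
    h = hashlib.new(digest, data).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def normalize(fp: str) -> str:
    """Postfix >= 3.6 accepts the value with or without colons; comparing
    case-insensitively is this example's choice."""
    return fp.replace(":", "").lower()


def matches(observed: str, match_attrs: list) -> bool:
    """Emulate a policy-table match list: several match= attributes, each of
    which may hold several fingerprints joined by "|"."""
    wanted = {normalize(fp) for attr in match_attrs for fp in attr.split("|")}
    return normalize(observed) in wanted


# --- constructed sample certificate: an unsigned v3 skeleton, not a real cert ---
_RSA_OID = der(0x06, bytes.fromhex("2A864886F70D010101"))            # rsaEncryption
_SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))   # CN=
                                      + der(0x0C, b"mailhub.example.com"))))
_VALIDITY = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
_RSA_KEY = der(0x30, der(0x02, b"\x00\xC1" + bytes(range(1, 47)))   # placeholder modulus
                     + der(0x02, b"\x01\x00\x01"))                   # exponent 65537
SAMPLE_SPKI = der(0x30, der(0x30, _RSA_OID + der(0x05, b""))
                        + der(0x03, b"\x00" + _RSA_KEY))
SAMPLE_CERT = der(0x30,
    der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SHA256_RSA
              + _NAME + _VALIDITY + _NAME + SAMPLE_SPKI)
    + _SHA256_RSA + der(0x03, b"\x00" + bytes(32)))                  # dummy signature
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_CERT).decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    cert = pem_to_der(SAMPLE_PEM)
    print("SHA256 Fingerprint=" + fingerprint(cert).upper())      # layout of openssl x509
    print("(stdin)= " + fingerprint(extract_spki(cert)))          # layout of openssl dgst -c
```

<p> To check a real certificate, pass its PEM text to pem_to_der() and compare
both values with the openssl commands shown above before putting a
fingerprint into smtp_tls_fingerprint_cert_match or a check_ccert_access
table; a transcription error at this step means every delivery to that
destination fails once the policy is enforced. </p>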
</p>

<p> Example: client-certificate access table, with sha256 fingerprints: </p>

<blockquote>
<pre>
/etc/postfix/main.cf:
    smtpd_tls_fingerprint_digest = sha256
    smtpd_client_restrictions =
        check_ccert_access hash:/etc/postfix/access,
        reject
</pre>
<pre>
/etc/postfix/access:
    # Action folded to next line...
    AF:88:7C:AD:51:95:6F:36:96:...:01:FB:2E:48:CD:AB:49:25:A2:3B
        OK
    85:16:78:FD:73:6E:CE:70:E0:...:5F:0D:3C:C8:6D:C4:2C:24:59:E1
        permit_auth_destination
</pre>
</blockquote>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM lmtp_pix_workaround_maps

<p> The LMTP-specific version of the smtp_pix_workaround_maps
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.4 and later. </p>

%PARAM detect_8bit_encoding_header yes

<p> Automatically detect 8BITMIME body content by looking at
Content-Transfer-Encoding: message headers; historically, this
behavior was hard-coded to be "always on". </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM send_cyrus_sasl_authzid no

<p> When authenticating to a remote SMTP or LMTP server with the
default setting "no", send no SASL authoriZation ID (authzid); send
only the SASL authentiCation ID (authcid) plus the authcid's password.
</p>

<p> The non-default setting "yes" enables the behavior of older
Postfix versions. These always send a SASL authzid that is equal
to the SASL authcid, but this causes interoperability problems
with some SMTP servers. </p>

<p> This feature is available in Postfix 2.4.4 and later. </p>

%PARAM smtpd_client_port_logging no

<p> Enable logging of the remote SMTP client port in addition to
the hostname and IP address.
The logging format is "host[address]:port".
</p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM qmqpd_client_port_logging no

<p> Enable logging of the remote QMQP client port in addition to
the hostname and IP address. The logging format is "host[address]:port".
</p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtp_tls_protocols see postconf -d output

<p> TLS protocols that the Postfix SMTP client will use with
opportunistic TLS encryption. In main.cf the values are separated by
whitespace, commas or colons. In the policy table "protocols" attribute
(see smtp_tls_policy_maps) the only valid separator is a colon. An empty
value means allow all protocols. </p>

<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with
Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
the lowest supported TLS protocol version (see below). Older releases
use the "!" exclusion syntax, also described below. </p>

<p> As of Postfix 3.6, the preferred way to limit the range of
acceptable protocols is to set the lowest acceptable TLS protocol
version and/or the highest acceptable TLS protocol version. To set the
lower bound include an element of the form: ">=<i>version</i>" where
<i>version</i> is either one of the TLS protocol names listed above,
or a hexadecimal number corresponding to the desired TLS protocol
version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper
bound, use "<=<i>version</i>". There must be no whitespace between
the ">=" or "<=" symbols and the protocol name or number. </p>

<p> Hexadecimal protocol numbers make it possible to specify protocol
bounds for TLS versions that are known to OpenSSL, but might not be
known to Postfix.
They cannot be used with the legacy exclusion syntax.
Leading "0" or "0x" prefixes are supported, but not required.
Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
upper or lower bound, and a warning will be logged. Hexadecimal
versions should only be used when Postfix is linked with some future
version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
yet support a symbolic name for that protocol version. </p>

<p>Hexadecimal example (Postfix ≥ 3.6):</p>
<blockquote>
<pre>
# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
# in some future version of OpenSSL (presently a warning is logged).
smtp_tls_protocols = >=TLSv1, <=0305
# Allow only TLS 1.0 and up:
smtp_tls_protocols = >=0x0301
</pre>
</blockquote>

<p> With Postfix < 3.6 there is no support for a minimum or maximum
version, and the protocol range is configured via protocol exclusions.
To require at least TLS 1.0, set "smtp_tls_protocols = !SSLv2, !SSLv3".
Listing the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more accurately
matches the underlying OpenSSL interface. </p>

<p> When using the exclusion syntax, take care to ensure that the range of
protocols advertised by an SSL/TLS client is contiguous. When a protocol
version is enabled, disabling any higher version implicitly disables all
versions above that higher version. Thus, for example:
</p>
<blockquote>
<pre>
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1
</pre>
</blockquote>
<p> also disables any protocol version higher than TLSv1.1, leaving
only "TLSv1" enabled. </p>

<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.
Disabling
this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2). </p>

<p> Example: </p>
<pre>
# Preferred syntax with Postfix ≥ 3.6:
smtp_tls_protocols = >=TLSv1, <=TLSv1.3
# Legacy syntax:
smtp_tls_protocols = !SSLv2, !SSLv3
</pre>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM smtpd_tls_protocols see postconf -d output

<p> TLS protocols accepted by the Postfix SMTP server with opportunistic
TLS encryption. If the list is empty, the server supports all available
TLS protocol versions. A non-empty value is a list of protocol names to
include or exclude, separated by whitespace, commas or colons. </p>

<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with
Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as
the lowest supported TLS protocol version (see below). Older releases
use the "!" exclusion syntax, also described below. </p>

<p> As of Postfix 3.6, the preferred way to limit the range of
acceptable protocols is to set the lowest acceptable TLS protocol
version and/or the highest acceptable TLS protocol version. To set the
lower bound include an element of the form: ">=<i>version</i>" where
<i>version</i> is either one of the TLS protocol names listed above,
or a hexadecimal number corresponding to the desired TLS protocol
version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper
bound, use "<=<i>version</i>". There must be no whitespace between
the ">=" or "<=" symbols and the protocol name or number. </p>

<p> Hexadecimal protocol numbers make it possible to specify protocol
bounds for TLS versions that are known to OpenSSL, but might not be
known to Postfix.
They cannot be used with the legacy exclusion syntax.
Leading "0" or "0x" prefixes are supported, but not required.
Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the
upper or lower bound, and a warning will be logged. Hexadecimal
versions should only be used when Postfix is linked with some future
version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
yet support a symbolic name for that protocol version. </p>

<p>Hexadecimal example (Postfix ≥ 3.6):</p>
<blockquote>
<pre>
# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
# in some future version of OpenSSL (presently a warning is logged).
smtpd_tls_protocols = >=TLSv1, <=0305
# Allow only TLS 1.0 and up:
smtpd_tls_protocols = >=0x0301
</pre>
</blockquote>

<p> With Postfix < 3.6 there is no support for a minimum or maximum
version, and the protocol range is configured via protocol exclusions.
To require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2, !SSLv3".
Listing the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more accurately
matches the underlying OpenSSL interface. </p>

<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling
this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2). </p>

<p> Example: </p>
<pre>
# Preferred syntax with Postfix ≥ 3.6:
smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
# Legacy syntax:
smtpd_tls_protocols = !SSLv2, !SSLv3
</pre>

<p> This feature is available in Postfix 2.6 and later.
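<p> An added example, not part of the Postfix documentation or source:
the Python function below computes the protocol range that a
smtp_tls_protocols or smtpd_tls_protocols value selects, applying the rules
stated above for both the Postfix ≥ 3.6 ">=" / "<=" bounds (symbolic or
hexadecimal version; an unknown hexadecimal version leaves that bound unset
and produces a warning; no mixing with the "!" syntax) and the legacy
exclusion syntax, including the contiguity rule that makes
"!SSLv2, !SSLv3, !TLSv1.1" leave only TLSv1 enabled. The table of versions
that OpenSSL "knows", and the function name, are this example's
assumptions. </p>

```python
"""Effective TLS protocol range for a Postfix *_tls_protocols value (added example)."""
import re

# Protocol name -> version number as used in the hexadecimal ">=0x0301" form.
# Assumption: this stands in for the set of versions the linked OpenSSL knows.
KNOWN = {
    "SSLv2": 0x0002, "SSLv3": 0x0300, "TLSv1": 0x0301,
    "TLSv1.1": 0x0302, "TLSv1.2": 0x0303, "TLSv1.3": 0x0304,
}
ORDER = sorted(KNOWN, key=KNOWN.get)          # lowest to highest version


def parse_version(text: str):
    """Map a symbolic name or hex number ("301", "0301", "0x301", "0x0301")
    to a version number; None if it is neither."""
    if text in KNOWN:
        return KNOWN[text]
    if re.fullmatch(r"(0x)?[0-9A-Fa-f]{1,4}", text):
        return int(text, 16)
    return None


def effective_protocols(setting: str, separators: str = r"[\s,:]+"):
    """Return (enabled protocol names, warnings) for a main.cf-style value.
    Pass separators=":" for the policy-table "protocols" attribute."""
    tokens = [t for t in re.split(separators, setting.strip()) if t]
    warnings = []
    if not tokens:
        return list(ORDER), warnings           # empty value: allow all protocols
    bounds = [t for t in tokens if t.startswith((">=", "<="))]
    legacy = [t for t in tokens if t not in bounds]
    if bounds and legacy:
        raise ValueError("version bounds cannot be mixed with the legacy exclusion syntax")
    if bounds:
        lo, hi = min(KNOWN.values()), max(KNOWN.values())
        for t in bounds:
            ver = parse_version(t[2:])
            if ver is None or ver not in KNOWN.values():
                warnings.append(f"{t}: version unknown to OpenSSL, bound not set")
                continue
            if t.startswith(">="):
                lo = ver
            else:
                hi = ver
        return [n for n in ORDER if lo <= KNOWN[n] <= hi], warnings
    # Legacy syntax: bare names include, "!name" excludes, then the range is
    # made contiguous because that is how the underlying OpenSSL interface behaves.
    includes = [t for t in legacy if not t.startswith("!")]
    excludes = {t[1:] for t in legacy if t.startswith("!")}
    for name in includes + sorted(excludes):
        if name not in KNOWN:
            raise ValueError(f"unknown protocol name {name!r}")
    wanted = set(includes) if includes else set(ORDER)
    enabled = [n for n in ORDER if n in wanted and n not in excludes]
    if not enabled:
        return [], warnings
    contiguous = []
    for n in ORDER[ORDER.index(enabled[0]):]:  # walk up from the lowest enabled version
        if n not in enabled:
            break                              # the first hole disables everything above it
        contiguous.append(n)
    return contiguous, warnings


if __name__ == "__main__":
    for value in (">=TLSv1, <=TLSv1.3", ">=0x0301", ">=TLSv1, <=0305",
                  "!SSLv2, !SSLv3", "!SSLv2, !SSLv3, !TLSv1.1"):
        print(f"{value:28s} -> {effective_protocols(value)}")
```

<p> Use it to sanity-check a candidate value before it reaches main.cf or a
policy table (pass separators=":" for the policy-table "protocols"
attribute, whose only valid separator is a colon). The "!TLSv1.1" case is
the one worth remembering: a setting that looks like it merely skips one
version silently turns off TLS 1.2 and 1.3 as well. </p>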
</p>

%PARAM lmtp_tls_protocols see postconf -d output

<p> The LMTP-specific version of the smtp_tls_protocols configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM smtp_tls_ciphers medium

<p> The minimum TLS cipher grade that the Postfix SMTP client
will use with opportunistic TLS encryption. Cipher types listed in
smtp_tls_exclude_ciphers are excluded from the base definition of
the selected cipher grade. The default value is "medium" for
Postfix releases after the middle of 2015, "export" for older
releases. </p>

<p> When TLS is mandatory the cipher grade is chosen via the
smtp_tls_mandatory_ciphers configuration parameter; see there for syntax
details. See smtp_tls_policy_maps for information on how to configure
ciphers on a per-destination basis. </p>

<p> This feature is available in Postfix 2.6 and later. With earlier Postfix
releases only the smtp_tls_mandatory_ciphers parameter is implemented,
and opportunistic TLS always uses "export" or better (i.e. all) ciphers. </p>

%PARAM smtpd_tls_ciphers medium

<p> The minimum TLS cipher grade that the Postfix SMTP server
will use with opportunistic TLS encryption. Cipher types listed in
smtpd_tls_exclude_ciphers are excluded from the base definition of
the selected cipher grade. The default value is "medium" for Postfix
releases after the middle of 2015, "export" for older releases.
</p>

<p> When TLS is mandatory the cipher grade is chosen via the
smtpd_tls_mandatory_ciphers configuration parameter; see there for syntax
details. </p>

<p> This feature is available in Postfix 2.6 and later.
With earlier Postfix 13090releases only the smtpd_tls_mandatory_ciphers parameter is implemented, 13091and opportunistic TLS always uses "export" or better (i.e. all) ciphers. </p> 13092 13093%PARAM lmtp_tls_ciphers medium 13094 13095<p> The LMTP-specific version of the smtp_tls_ciphers configuration 13096parameter. See there for details. </p> 13097 13098<p> This feature is available in Postfix 2.6 and later. </p> 13099 13100%PARAM tls_eecdh_auto_curves see "postconf -d" output 13101 13102<p> The prioritized list of elliptic curves supported by the Postfix 13103SMTP client and server. These curves are used by the Postfix SMTP 13104server when "smtpd_tls_eecdh_grade = auto". The selected curves must be 13105implemented by OpenSSL and be standardized for use in TLS (RFC 8422). 13106It is unwise to list only "bleeding-edge" curves supported by a small 13107subset of clients. The default list is suitable for most users. </p> 13108 13109<p> Postfix skips curve names that are unknown to OpenSSL, or that 13110are known but not yet implemented. This makes it possible to 13111"anticipate" support for curves that should be used once they become 13112available. In particular, in some OpenSSL versions, the new RFC 131138031 curves "X25519" and "X448" may be known by name, but ECDH 13114support for either or both may be missing. These curves may appear 13115in the default value of this parameter, even though they'll only 13116be usable with later versions of OpenSSL. </p> 13117 13118<p> See also the "tls_ffdhe_auto_groups" parameter, which supports 13119customizing the list of FFDHE groups enabled with TLS 1.3. That setting 13120is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later. 13121</p> 13122 13123<p> This feature is available in Postfix 3.2 and later, when it is 13124compiled and linked with OpenSSL 1.0.2 or later on platforms where 13125EC algorithms have not been disabled by the vendor. 
</p>

%PARAM tls_ffdhe_auto_groups see "postconf -d" output

<p> The prioritized list of finite-field Diffie-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client and
server. OpenSSL 3.0 adds support for FFDHE key agreement in TLS 1.3.
In OpenSSL 1.1.1, TLS 1.3 was only supported with elliptic-curve based
key agreement. The "tls_ffdhe_auto_groups" parameter makes it possible
to configure the list of FFDHE groups that the Postfix client or server
will enable in OpenSSL 3.0 and up. This parameter has no effect when
Postfix is built against earlier OpenSSL versions. </p>

<p> The default list of FFDHE groups that Postfix enables in OpenSSL 3.0
and up includes just the 2048 and 3072-bit groups. Stronger FFDHE
groups perform poorly and EC groups are a much better choice for the
same security level. Postfix ignores group names that are unknown to
OpenSSL, or that are known but not yet implemented. The FFDHE groups
are largely a backup, in case some peer does not support EC key
exchange, or EC key exchange needs to be disabled for some pressing
reason. </p>

<p> Setting this parameter empty disables FFDHE support in TLS 1.3.
Whether FFDHE key agreement is enabled in TLS 1.2 and earlier depends
on whether any of the "kDHE" ciphers are included in the cipherlist.
</p>

<p> Conversely, setting "tls_eecdh_auto_curves" empty disables TLS 1.3
EC key agreement in OpenSSL 3.0 and later. Note that at least one of
"tls_eecdh_auto_curves" and "tls_ffdhe_auto_groups" must be non-empty;
this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled-in defaults. </p>

<p> All the default groups and EC curves should be sufficiently strong
to make "pruning" the defaults unwise. At a minimum, "X25519" and
"P-256" (a.k.a. "prime256v1") should be among the enabled EC curves,
while "dhe2048" and "dhe3072" should be among the FFDHE groups. </p>

<p> This feature is available in Postfix 3.8 and later, when it is
compiled and linked with OpenSSL 3.0 or later. </p>

%PARAM tls_eecdh_strong_curve prime256v1

<p> The elliptic curve used by the Postfix SMTP server for sensibly strong
ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly
strong" means approximately 128-bit security based on best known
attacks. The selected curve must be implemented by OpenSSL (as
reported by ecparam(1) with the "-list_curves" option) and be one
of the curves listed in Section 5.1.1 of RFC 8422. You should not
generally change this setting. Remote SMTP client implementations
must support this curve for EECDH key exchange to take place. It
is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p>

<p> The default "strong" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to SECRET. </p>

<p> Note: elliptic curve names are poorly standardized; different
standards groups are assigning different names to the same underlying
curves. The curve with the X9.62 name "prime256v1" is also known
under the SECG name "secp256r1", but OpenSSL does not recognize the
latter name. </p>

<p> If you want to take maximal advantage of ciphers that offer <a
href="FORWARD_SECRECY_README.html#dfn_fs">forward secrecy</a> see
the <a href="FORWARD_SECRECY_README.html#quick-start">Getting
started</a> section of <a
href="FORWARD_SECRECY_README.html">FORWARD_SECRECY_README</a>.
The
full document conveniently presents all information about Postfix
"perfect" forward secrecy support in one place: what forward secrecy
is, how to tweak settings, and what you can expect to see when
Postfix uses ciphers with forward secrecy. </p>

<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 1.0.0 or later on platforms where
EC algorithms have not been disabled by the vendor. </p>

%PARAM tls_eecdh_ultra_curve secp384r1

<p> The elliptic curve used by the Postfix SMTP server for maximally strong
ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally
strong" means approximately 192-bit security based on best known attacks.
This additional strength comes at a significant computational cost; most
users should instead set "smtpd_tls_eecdh_grade = strong". The selected
curve must be implemented by OpenSSL (as reported by ecparam(1) with the
"-list_curves" option) and be one of the curves listed in Section 5.1.1
of RFC 8422. You should not generally change this setting. Remote SMTP
client implementations must support this curve for EECDH key exchange
to take place. It is unwise to choose only "bleeding-edge" curves
supported by only a small subset of clients. </p>

<p> The default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
B</a> for information classified up to TOP SECRET. </p>

<p> If you want to take maximal advantage of ciphers that offer <a
href="FORWARD_SECRECY_README.html#dfn_fs">forward secrecy</a> see
the <a href="FORWARD_SECRECY_README.html#quick-start">Getting
started</a> section of <a
href="FORWARD_SECRECY_README.html">FORWARD_SECRECY_README</a>.
The
full document conveniently presents all information about Postfix
"perfect" forward secrecy support in one place: what forward secrecy
is, how to tweak settings, and what you can expect to see when
Postfix uses ciphers with forward secrecy. </p>

<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 1.0.0 or later on platforms where
EC algorithms have not been disabled by the vendor. </p>

%PARAM smtpd_tls_eecdh_grade see "postconf -d" output

<p> The Postfix SMTP server security grade for ephemeral elliptic-curve
Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of
this parameter is always ignored, and Postfix behaves as though the
<b>auto</b> value (described below) was chosen.
</p>

<p> The available choices are: </p>

<dl>

<dt><b>auto</b></dt> <dd> Use the most preferred curve that is
supported by both the client and the server. This setting requires
Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This
is the default setting under the above conditions (and the only
setting used with Postfix ≥ 3.6). </dd>

<dt><b>none</b></dt> <dd> Don't use EECDH. Ciphers based on EECDH key
exchange will be disabled. This is the default in Postfix versions
2.6 and 2.7. </dd>

<dt><b>strong</b></dt> <dd> Use EECDH with approximately 128 bits of
security at a reasonable computational cost. This is the default in
Postfix versions 2.8–3.5. </dd>

<dt><b>ultra</b></dt> <dd> Use EECDH with approximately 192 bits of
security at computational cost that is approximately twice as high
as 128 bit strength ECC.
</dd>

</dl>

<p> If you want to take maximal advantage of ciphers that offer <a
href="FORWARD_SECRECY_README.html#dfn_fs">forward secrecy</a> see
the <a href="FORWARD_SECRECY_README.html#quick-start">Getting
started</a> section of <a
href="FORWARD_SECRECY_README.html">FORWARD_SECRECY_README</a>. The
full document conveniently presents all information about Postfix
"perfect" forward secrecy support in one place: what forward secrecy
is, how to tweak settings, and what you can expect to see when
Postfix uses ciphers with forward secrecy. </p>

<p> This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 1.0.0 or later on platforms
where EC algorithms have not been disabled by the vendor. </p>

%PARAM smtpd_tls_eccert_file

<p> File with the Postfix SMTP server ECDSA certificate in PEM format.
This file may also contain the Postfix SMTP server private ECDSA key.
With Postfix ≥ 3.4 the preferred way to configure server keys and
certificates is via the "smtpd_tls_chain_files" parameter. </p>

<p> See the discussion under smtpd_tls_cert_file for more details. </p>

<p> Example: </p>

<pre>
smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
</pre>

<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later. </p>

%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file

<p> File with the Postfix SMTP server ECDSA private key in PEM format.
This file may be combined with the Postfix SMTP server ECDSA certificate
file specified with $smtpd_tls_eccert_file. With Postfix ≥ 3.4 the
preferred way to configure server keys and certificates is via the
"smtpd_tls_chain_files" parameter. </p>

<p> The private key must be accessible without a pass-phrase, i.e. it
must not be encrypted. File permissions should grant read-only
access to the system superuser account ("root"), and no access
to anyone else. </p>

<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later. </p>

%PARAM smtp_tls_eccert_file

<p> File with the Postfix SMTP client ECDSA certificate in PEM format.
This file may also contain the Postfix SMTP client ECDSA private key.
With Postfix ≥ 3.4 the preferred way to configure client keys and
certificates is via the "smtp_tls_chain_files" parameter. </p>

<p> See the discussion under smtp_tls_cert_file for more details.
</p>

<p> Example: </p>

<pre>
smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
</pre>

<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later. </p>

%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file

<p> File with the Postfix SMTP client ECDSA private key in PEM format.
This file may be combined with the Postfix SMTP client ECDSA certificate
file specified with $smtp_tls_eccert_file. With Postfix ≥ 3.4 the
preferred way to configure client keys and certificates is via the
"smtp_tls_chain_files" parameter. </p>

<p> The private key must be accessible without a pass-phrase, i.e. it
must not be encrypted. File permissions should grant read-only
access to the system superuser account ("root"), and no access
to anyone else. </p>

<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later. </p>

%PARAM lmtp_tls_eccert_file

<p> The LMTP-specific version of the smtp_tls_eccert_file configuration
parameter. See there for details.
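</p>

<p> The key-file requirements stated above for smtpd_tls_eckey_file and
smtp_tls_eckey_file (no pass-phrase, read-only for root, no access for
anyone else), turned into an added check that is not part of Postfix:
it inspects ownership, the group/other mode bits and the PEM headers,
and returns problem codes. The function names are assumptions, and the
PEM bodies it writes for self_check() are constructed placeholders,
not real keys. </p>

```python
"""Check a Postfix TLS private key file against the documented requirements.

Added example, not Postfix code: the *_tls_eckey_file documentation requires
a key that is not pass-phrase protected, readable by root and by nobody else.
"""
import os
import stat
import sys
import tempfile

MESSAGES = {
    "missing": "file does not exist",
    "not-regular": "not a regular file",
    "not-root": "not owned by root (uid 0)",
    "group-other-access": "mode grants access to group or other; use 0400",
    "no-private-key": "no PEM private key block found",
    "encrypted": "key is pass-phrase protected; Postfix needs it unencrypted",
}

# Constructed PEM placeholders for self_check(); these are not real keys.
PLAIN_KEY = (b"-----BEGIN EC PRIVATE KEY-----\n"
             b"PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
             b"-----END EC PRIVATE KEY-----\n")
ENCRYPTED_KEY = (b"-----BEGIN EC PRIVATE KEY-----\n"
                 b"Proc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n"
                 b"\n"
                 b"PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
                 b"-----END EC PRIVATE KEY-----\n")


def check_key_file(path):
    """Return a list of problem codes (empty when the file looks right)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not-regular"]
    codes = []
    if st.st_uid != 0:
        codes.append("not-root")
    # Any group/other bit (0077) exposes the key beyond root.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        codes.append("group-other-access")
    with open(path, "rb") as fh:
        pem = fh.read()
    if b"PRIVATE KEY-----" not in pem:
        codes.append("no-private-key")
    elif (b"BEGIN ENCRYPTED PRIVATE KEY" in pem      # PKCS#8 encrypted form
          or b"Proc-Type: 4,ENCRYPTED" in pem):     # legacy PEM encryption
        codes.append("encrypted")
    return codes


def report(path):
    """Print a human-readable summary for one file; True when it is clean."""
    codes = check_key_file(path)
    for code in codes:
        print("%s: %s" % (path, MESSAGES[code]))
    return not codes


def self_check():
    """Run check_key_file() over constructed files; returns {case: codes}."""
    results = {"running_as_root": os.getuid() == 0}
    cases = {
        "world-readable": (PLAIN_KEY, 0o644),
        "root-only": (PLAIN_KEY, 0o400),
        "encrypted": (ENCRYPTED_KEY, 0o400),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (pem, mode) in cases.items():
            path = os.path.join(tmp, name + ".pem")
            with open(path, "wb") as fh:
                fh.write(pem)
            os.chmod(path, mode)
            results[name] = check_key_file(path)
        results["missing"] = check_key_file(os.path.join(tmp, "absent.pem"))
    return results


if __name__ == "__main__":
    # Usage: python3 check_key_file.py /path/to/key.pem [...]  (placeholder path)
    if len(sys.argv) > 1:
        sys.exit(0 if all(report(p) for p in sys.argv[1:]) else 1)
    print(self_check())
```

<p> Because *_tls_eckey_file defaults to the corresponding
*_tls_eccert_file, a combined certificate-plus-key file must satisfy the
same ownership and mode requirements as a separate key file.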
</p>

<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later. </p>

%PARAM lmtp_tls_eckey_file

<p> The LMTP-specific version of the smtp_tls_eckey_file configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later. </p>

%PARAM smtp_header_checks

<p> Restricted header_checks(5) tables for the Postfix SMTP client.
These tables are searched while mail is being delivered. Actions
that change the delivery time or destination are not available.
</p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtp_mime_header_checks

<p> Restricted mime_header_checks(5) tables for the Postfix SMTP
client. These tables are searched while mail is being delivered.
Actions that change the delivery time or destination are not
available. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtp_nested_header_checks

<p> Restricted nested_header_checks(5) tables for the Postfix SMTP
client. These tables are searched while mail is being delivered.
Actions that change the delivery time or destination are not
available. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtp_body_checks

<p> Restricted body_checks(5) tables for the Postfix SMTP client.
These tables are searched while mail is being delivered. Actions
that change the delivery time or destination are not available.
</p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM destination_concurrency_feedback_debug no

<p> Make the queue manager's feedback algorithm verbose for performance
analysis purposes.
</p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM default_destination_concurrency_failed_cohort_limit 1

<p> How many pseudo-cohorts must suffer connection or handshake
failure before a specific destination is considered unavailable
(and further delivery is suspended). Specify zero to disable this
feature. A destination's pseudo-cohort failure count is reset each
time a delivery completes without connection or handshake failure
for that specific destination. </p>

<p> A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency. </p>

<p> Use <i>transport</i>_destination_concurrency_failed_cohort_limit to specify
a transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport. </p>

<p> This feature is available in Postfix 2.5. The default setting
is compatible with earlier Postfix versions. </p>

%PARAM default_destination_concurrency_negative_feedback 1

<p> The per-destination amount of delivery concurrency negative
feedback, after a delivery completes with a connection or handshake
failure. Feedback values are in the range 0..1 inclusive. With
negative feedback, concurrency is decremented at the beginning of
a sequence of length 1/feedback. This is unlike positive feedback,
where concurrency is incremented at the end of a sequence of length
1/feedback. </p>

<p> As of Postfix version 2.5, negative feedback cannot reduce
delivery concurrency to zero. Instead, a destination is marked
dead (further delivery suspended) after the failed pseudo-cohort
count reaches $default_destination_concurrency_failed_cohort_limit
(or $<i>transport</i>_destination_concurrency_failed_cohort_limit).
To make the scheduler completely immune to connection or handshake
failures, specify a zero feedback value and a zero failed pseudo-cohort
limit. </p>

<p> Specify one of the following forms: </p>

<dl>

<dt> <b><i>number</i> </b> </dt>

<dt> <b><i>number</i> / <i>number</i> </b> </dt>

<dd> Constant feedback. The value must be in the range 0..1 inclusive.
The default setting of "1" is compatible with Postfix versions
before 2.5, where a destination's delivery concurrency is throttled
down to zero (and further delivery suspended) after a single failed
pseudo-cohort. </dd>

<dt> <b><i>number</i> / concurrency </b> </dt>

<dd> Variable feedback of "<i>number</i> / (delivery concurrency)".
The <i>number</i> must be in the range 0..1 inclusive. With
<i>number</i> equal to "1", a destination's delivery concurrency
is decremented by 1 after each failed pseudo-cohort. </dd>

<!--

<dt> <b><i>number</i> / sqrt_concurrency </b> </dt>

<dd> Variable feedback of "<i>number</i> / sqrt(delivery concurrency)".
The <i>number</i> must be in the range 0..1 inclusive. This setting
may be removed in a future version. </dd>

-->

</dl>

<p> A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency. </p>

<p> Use <i>transport</i>_destination_concurrency_negative_feedback
to specify a transport-specific override, where <i>transport</i>
is the master.cf
name of the message delivery transport. </p>

<p> This feature is available in Postfix 2.5. The default setting
is compatible with earlier Postfix versions.
</p>

%PARAM default_destination_concurrency_positive_feedback 1

<p> The per-destination amount of delivery concurrency positive
feedback, after a delivery completes without connection or handshake
failure. Feedback values are in the range 0..1 inclusive. The
concurrency increases until it reaches the per-destination maximal
concurrency limit. With positive feedback, concurrency is incremented
at the end of a sequence with length 1/feedback. This is unlike
negative feedback, where concurrency is decremented at the start
of a sequence of length 1/feedback. </p>

<p> Specify one of the following forms: </p>

<dl>

<dt> <b><i>number</i> </b> </dt>

<dt> <b><i>number</i> / <i>number</i> </b> </dt>

<dd> Constant feedback. The value must be in the range 0..1
inclusive. The default setting of "1" is compatible with Postfix
versions before 2.5, where a destination's delivery concurrency
doubles after each successful pseudo-cohort. </dd>

<dt> <b><i>number</i> / concurrency </b> </dt>

<dd> Variable feedback of "<i>number</i> / (delivery concurrency)".
The <i>number</i> must be in the range 0..1 inclusive. With
<i>number</i> equal to "1", a destination's delivery concurrency
is incremented by 1 after each successful pseudo-cohort. </dd>

<!--

<dt> <b><i>number</i> / sqrt_concurrency </b> </dt>

<dd> Variable feedback of "<i>number</i> / sqrt(delivery concurrency)".
The <i>number</i> must be in the range 0..1 inclusive. This setting
may be removed in a future version. </dd>

-->

</dl>

<p> A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency.
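</p>

<p> The feedback rules described above for the negative and positive
feedback parameters and the failed pseudo-cohort limit, as an added
model that is not the qmgr(8) implementation: positive feedback is
applied at the end of a sequence of 1/feedback successful deliveries,
negative feedback at the beginning of a sequence of 1/feedback failures,
each failure counts as 1/concurrency of a failed pseudo-cohort, and the
destination is suspended when that count reaches the limit. The class
and function names are assumptions. </p>

```python
"""Model of the queue manager's per-destination concurrency feedback.

Added illustration of the documented rules for
*_destination_concurrency_{positive,negative}_feedback and
*_destination_concurrency_failed_cohort_limit; not Postfix qmgr(8) code.
"""
from fractions import Fraction


def parse_feedback(spec):
    """Parse "number", "number / number" or "number / concurrency".

    Returns (value, per_concurrency); for the variable form the value
    is divided by the current delivery concurrency when it is applied.
    """
    parts = [p.strip() for p in spec.split("/")]
    per_concurrency = False
    if len(parts) == 1:
        value = Fraction(parts[0])
    elif len(parts) == 2 and parts[1] == "concurrency":
        value, per_concurrency = Fraction(parts[0]), True
    elif len(parts) == 2:
        value = Fraction(parts[0]) / Fraction(parts[1])
    else:
        raise ValueError("bad feedback value: %r" % spec)
    if not 0 <= value <= 1:
        raise ValueError("feedback must be in the range 0..1: %r" % spec)
    return value, per_concurrency


class Destination:
    """Concurrency window of one destination on one delivery transport."""

    def __init__(self, initial_concurrency=5, concurrency_limit=20,
                 positive_feedback="1", negative_feedback="1",
                 failed_cohort_limit=1):
        self.window = initial_concurrency
        self.limit = concurrency_limit
        self.positive = parse_feedback(positive_feedback)
        self.negative = parse_feedback(negative_feedback)
        self.failed_cohort_limit = failed_cohort_limit
        self.fail_cohorts = Fraction(0)   # failed pseudo-cohorts so far
        self.pos_credit = Fraction(0)     # progress through a positive sequence
        self.neg_debt = Fraction(0)       # remaining part of a negative sequence
        self.suspended = False            # "dead": further delivery suspended

    def _feedback(self, parsed):
        value, per_concurrency = parsed
        return value / self.window if per_concurrency else value

    def delivered(self):
        """A delivery completed without connection or handshake failure."""
        if self.suspended:
            return
        self.fail_cohorts = Fraction(0)   # documented reset on success
        f = self._feedback(self.positive)
        if f == 0:
            return
        # Increment at the END of a sequence of 1/f successful deliveries.
        self.pos_credit += f
        if self.pos_credit >= 1:
            self.pos_credit -= 1
            self.window = min(self.limit, self.window + 1)

    def failed(self):
        """A delivery ended with a connection or handshake failure."""
        if self.suspended:
            return
        # A pseudo-cohort is `window` deliveries, so one failure is
        # 1/window of a failed pseudo-cohort.
        self.fail_cohorts += Fraction(1, self.window)
        f = self._feedback(self.negative)
        if f > 0:
            # Decrement at the BEGINNING of a sequence of 1/f failures;
            # the remaining failures of the sequence only pay off the debt.
            if self.neg_debt <= 0:
                self.neg_debt += 1
                self.window = max(1, self.window - 1)   # never down to zero
            self.neg_debt -= f
        if (self.failed_cohort_limit > 0
                and self.fail_cohorts >= self.failed_cohort_limit):
            self.suspended = True


def run(dest, outcomes):
    """Apply a string of outcomes ('+' success, '-' failure); return the window."""
    for outcome in outcomes:
        if outcome == "+":
            dest.delivered()
        else:
            dest.failed()
    return dest.window


if __name__ == "__main__":
    d = Destination(initial_concurrency=5, positive_feedback="1/concurrency")
    print("window after one successful pseudo-cohort:", run(d, "+++++"))
    print("window after four failures:", run(d, "----"), "suspended:", d.suspended)
```

<p> With the defaults ("1" and "1", limit 1) the window doubles after
one successful pseudo-cohort and the destination is suspended once the
shrinking cohorts of failures add up to one, which is what the
recommendation of a limit of 10 or more under
default_destination_rate_delay is guarding against.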
</p>

<p> Use <i>transport</i>_destination_concurrency_positive_feedback
to specify a transport-specific override, where <i>transport</i>
is the master.cf name of the message delivery transport. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM transport_destination_concurrency_failed_cohort_limit $default_destination_concurrency_failed_cohort_limit

<p> A transport-specific override for the
default_destination_concurrency_failed_cohort_limit parameter value,
where <i>transport</i> is the master.cf name of the message delivery
transport. </p>

<p> Note: some <i>transport</i>_destination_concurrency_failed_cohort_limit
parameters will not show up in "postconf" command output before
Postfix version 2.9. This limitation applies to many parameters
whose name is a combination of a master.cf service name and a
built-in suffix (in this case:
"_destination_concurrency_failed_cohort_limit"). </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM transport_destination_concurrency_positive_feedback $default_destination_concurrency_positive_feedback

<p> A transport-specific override for the
default_destination_concurrency_positive_feedback parameter value,
where <i>transport</i> is the master.cf name of the message delivery
transport. </p>

<p> Note: some <i>transport</i>_destination_concurrency_positive_feedback
parameters will not show up in "postconf" command output before
Postfix version 2.9. This limitation applies to many parameters
whose name is a combination of a master.cf service name and a
built-in suffix (in this case:
"_destination_concurrency_positive_feedback"). </p>

<p> This feature is available in Postfix 2.5 and later.
</p>

%PARAM transport_destination_concurrency_negative_feedback $default_destination_concurrency_negative_feedback

<p> A transport-specific override for the
default_destination_concurrency_negative_feedback parameter value,
where <i>transport</i> is the master.cf name of the message delivery
transport. </p>

<p> Note: some <i>transport</i>_destination_concurrency_negative_feedback
parameters will not show up in "postconf" command output before
Postfix version 2.9. This limitation applies to many parameters
whose name is a combination of a master.cf service name and a
built-in suffix (in this case:
"_destination_concurrency_negative_feedback"). </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM transport_initial_destination_concurrency $initial_destination_concurrency

<p> A transport-specific override for the initial_destination_concurrency
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: some <i>transport</i>_initial_destination_concurrency
parameters will not show up in "postconf" command output before
Postfix version 2.9. This limitation applies to many parameters
whose name is a combination of a master.cf service name and a
built-in suffix (in this case: "_initial_destination_concurrency").
</p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM transport_destination_concurrency_limit $default_destination_concurrency_limit

<p> A transport-specific override for the
default_destination_concurrency_limit parameter value, where
<i>transport</i> is the master.cf name of the message delivery
transport. </p>

<p> Note: some <i>transport</i>_destination_concurrency_limit
parameters will not show up in "postconf" command output before
Postfix version 2.9.
This limitation applies to many parameters
whose name is a combination of a master.cf service name and a
built-in suffix (in this case: "_destination_concurrency_limit").
</p>

%PARAM transport_destination_recipient_limit $default_destination_recipient_limit

<p> A transport-specific override for the
default_destination_recipient_limit parameter value, where
<i>transport</i> is the master.cf name of the message delivery
transport. </p>

<p> Note: some <i>transport</i>_destination_recipient_limit parameters
will not show up in "postconf" command output before Postfix version
2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in
this case: "_destination_recipient_limit"). </p>

%PARAM transport_time_limit $command_time_limit

<p> A transport-specific override for the command_time_limit parameter
value, where <i>transport</i> is the master.cf name of the message
delivery transport. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> Note: <i>transport</i>_time_limit parameters will not show up
in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination
of a master.cf service name and a built-in suffix (in this case:
"_time_limit"). </p>

%PARAM transport_delivery_slot_cost $default_delivery_slot_cost

<p> A transport-specific override for the default_delivery_slot_cost
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport.
</p>

<p> Note: <i>transport</i>_delivery_slot_cost parameters will not
show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
of a master.cf service name and a built-in suffix (in this case:
"_delivery_slot_cost"). </p>

%PARAM transport_delivery_slot_loan $default_delivery_slot_loan

<p> A transport-specific override for the default_delivery_slot_loan
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: <i>transport</i>_delivery_slot_loan parameters will not
show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
of a master.cf service name and a built-in suffix (in this case:
"_delivery_slot_loan"). </p>

%PARAM transport_delivery_slot_discount $default_delivery_slot_discount

<p> A transport-specific override for the default_delivery_slot_discount
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: <i>transport</i>_delivery_slot_discount parameters will
not show up in "postconf" command output before Postfix version
2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in
this case: "_delivery_slot_discount"). </p>

%PARAM transport_minimum_delivery_slots $default_minimum_delivery_slots

<p> A transport-specific override for the default_minimum_delivery_slots
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: <i>transport</i>_minimum_delivery_slots parameters will
not show up in "postconf" command output before Postfix version
2.9.
This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in
this case: "_minimum_delivery_slots"). </p>

%PARAM transport_recipient_limit $default_recipient_limit

<p> A transport-specific override for the default_recipient_limit
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: some <i>transport</i>_recipient_limit parameters will not
show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
of a master.cf service name and a built-in suffix (in this case:
"_recipient_limit"). </p>

%PARAM transport_ext ra_recipient_limit $default_extra_recipient_limit

<p> A transport-specific override for the default_extra_recipient_limit
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: <i>transport</i>_extra_recipient_limit parameters will
not show up in "postconf" command output before Postfix version
2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in
this case: "_extra_recipient_limit"). </p>

%PARAM transport_recipient_refill_limit $default_recipient_refill_limit

<p> A transport-specific override for the default_recipient_refill_limit
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: <i>transport</i>_recipient_refill_limit parameters will
not show up in "postconf" command output before Postfix version
2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in
this case: "_recipient_refill_limit").
</p>

<p> This feature is available in Postfix 2.4 and later. </p>

%PARAM transport_recipient_refill_delay $default_recipient_refill_delay

<p> A transport-specific override for the default_recipient_refill_delay
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: <i>transport</i>_recipient_refill_delay parameters will
not show up in "postconf" command output before Postfix version
2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in
this case: "_recipient_refill_delay"). </p>

<p> This feature is available in Postfix 2.4 and later. </p>

%PARAM default_transport_rate_delay 0s

<p> The default amount of delay that is inserted between individual
message deliveries over the same message delivery transport,
regardless of destination. Specify a non-zero value to rate-limit
those message deliveries to at most one per $default_transport_rate_delay.
</p>

<p>Use <i>transport</i>_transport_rate_delay to specify a
transport-specific override, where the initial <i>transport</i> is
the master.cf name of the message delivery transport. </p>

<p> Example: throttle outbound SMTP mail to at most 3 deliveries
per minute. </p>

<pre>
/etc/postfix/main.cf:
    smtp_transport_rate_delay = 20s
</pre>

<p> To enable the delay, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time
unit). </p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). The default time unit is s (seconds). </p>

<p> NOTE: the delay is enforced by the queue manager. </p>

<p> This feature is available in Postfix 3.1 and later.
</p>

%PARAM transport_transport_rate_delay $default_transport_rate_delay

<p> A transport-specific override for the default_transport_rate_delay
parameter value, where the initial <i>transport</i> in the parameter
name is the master.cf name of the message delivery transport. </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> Note: <i>transport</i>_transport_rate_delay parameters will
not show up in "postconf" command output before Postfix version
2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in
this case: "_transport_rate_delay"). </p>

%PARAM default_destination_rate_delay 0s

<p> The default amount of delay that is inserted between individual
message deliveries to the same destination and over the same message
delivery transport. Specify a non-zero value to rate-limit those
message deliveries to at most one per $default_destination_rate_delay.
</p>

<p> The resulting behavior depends on the value of the corresponding
per-destination recipient limit. </p>

<ul>

<li> <p> With a corresponding per-destination recipient limit &gt;
1, the rate delay specifies the time between deliveries to the
<i>same domain</i>. Different domains are delivered in parallel,
subject to the process limits specified in master.cf. </p>

<li> <p> With a corresponding per-destination recipient limit equal
to 1, the rate delay specifies the time between deliveries to the
<i>same recipient</i>. Different recipients are delivered in
parallel, subject to the process limits specified in master.cf.
</p>

</ul>

<p> To enable the delay, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time
unit). </p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). The default time unit is s (seconds). </p>

<p> NOTE: the delay is enforced by the queue manager. The delay
timer state does not survive "<b>postfix reload</b>" or "<b>postfix
stop</b>". </p>

<p> Use <i>transport</i>_destination_rate_delay to specify a
transport-specific override, where <i>transport</i> is the master.cf
name of the message delivery transport. </p>

<p> NOTE: with a non-zero _destination_rate_delay, specify a
<i>transport</i>_destination_concurrency_failed_cohort_limit of 10
or more to prevent Postfix from deferring all mail for the same
destination after only one connection or handshake error. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM transport_destination_rate_delay $default_destination_rate_delay

<p> A transport-specific override for the default_destination_rate_delay
parameter value, where <i>transport</i> is the master.cf name of
the message delivery transport. </p>

<p> Note: some <i>transport</i>_destination_rate_delay parameters
will not show up in "postconf" command output before Postfix version
2.9. This limitation applies to many parameters whose name is a
combination of a master.cf service name and a built-in suffix (in
this case: "_destination_rate_delay"). </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM data_directory see "postconf -d" output

<p> The directory with Postfix-writable data files (for example:
caches, pseudo-random numbers).
This directory must be owned by
the mail_owner account, and must not be shared with non-Postfix
software. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM stress

<p> This feature is documented in the STRESS_README document. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtp_sasl_auth_soft_bounce yes

<p> When a remote SMTP server rejects a SASL authentication request
with a 535 reply code, defer mail delivery instead of returning
mail as undeliverable. The latter behavior was hard-coded prior to
Postfix version 2.5. </p>

<p> Note: the setting "yes" overrides the global soft_bounce
parameter, but the setting "no" does not. </p>

<p> Example: </p>

<pre>
# Default as of Postfix 2.5
smtp_sasl_auth_soft_bounce = yes
# The old hard-coded default
smtp_sasl_auth_soft_bounce = no
</pre>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtp_sasl_auth_cache_name

<p> An optional table to prevent repeated SASL authentication
failures with the same remote SMTP server hostname, username and
password. Each table (key, value) pair contains a server name, a
username and password, and the full server response. This information
is stored when a remote SMTP server rejects an authentication attempt
with a 535 reply code. As long as the smtp_sasl_password_maps
information does not change, and as long as the smtp_sasl_auth_cache_name
information does not expire (see smtp_sasl_auth_cache_time) the
Postfix SMTP client avoids SASL authentication attempts with the
same server, username and password, and instead bounces or defers
mail as controlled with the smtp_sasl_auth_soft_bounce configuration
parameter.
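</p>

<p> Added example (not Postfix code): a small Python model of the
cache behaviour described in this entry, showing why a hashed key
and the smtp_sasl_auth_cache_time expiry matter. Postfix exposes no
such Python API; everything below is a stand-in. Assumptions not
stated on the page: the key is a SHA-256 digest over server name,
username and password; each entry records when it was stored; the
SASL exchange is represented by a callable that returns the server's
reply. The 535 replies are constructed sample data. </p>

```python
"""Added example, not Postfix code: a model of smtp_sasl_auth_cache_name.

Assumed (not on the page): SHA-256 over server/user/password as the cache
key, a stored timestamp per entry, and a callable standing in for the SASL
exchange. The 535 replies below are constructed sample data.
"""
import hashlib
import time

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value, default_unit):
    """Postfix time value: integral number plus optional s/m/h/d/w suffix."""
    value = value.strip()
    if value and value[-1] in TIME_UNITS:
        digits, unit = value[:-1], value[-1]
    else:
        digits, unit = value, default_unit
    if not digits.isdigit():
        raise ValueError("bad time value: %r" % value)
    return int(digits) * TIME_UNITS[unit]


class SaslAuthCache:
    """Remembers 535 replies per (server, username, password)."""

    def __init__(self, cache_time="90d", clock=time.time):
        self.ttl = parse_time(cache_time, "d")   # smtp_sasl_auth_cache_time, unit d
        self.clock = clock
        self.entries = {}                         # digest -> (stored_at, reply)

    @staticmethod
    def key(server, username, password):
        # Only a digest reaches the on-disk table, never the plaintext password.
        raw = "\0".join((server, username, password)).encode("utf-8")
        return hashlib.sha256(raw).hexdigest()

    def lookup(self, server, username, password):
        digest = self.key(server, username, password)
        hit = self.entries.get(digest)
        if hit is None:
            return None
        stored_at, reply = hit
        if self.clock() - stored_at > self.ttl:
            del self.entries[digest]             # expired: allow a fresh attempt
            return None
        return reply

    def remember(self, server, username, password, reply):
        self.entries[self.key(server, username, password)] = (self.clock(), reply)


def deliver(cache, server, username, password, authenticate, soft_bounce=True):
    """One delivery attempt; returns 'sent', 'deferred' or 'bounced'.

    authenticate(server, username, password) -> (code, text) stands in for
    the real SASL exchange. A cached 535 short-circuits it entirely.
    """
    reply = cache.lookup(server, username, password)
    if reply is None:
        code, text = authenticate(server, username, password)
        if code != 535:
            return "sent"
        reply = "%d %s" % (code, text)
        cache.remember(server, username, password, reply)
    # smtp_sasl_auth_soft_bounce decides between defer (yes) and bounce (no).
    return "deferred" if soft_bounce else "bounced"


def demo():
    """Three attempts against a server that always answers 535; returns the
    outcomes and how many real AUTH attempts were made."""
    attempts = []

    def always_535(server, username, password):
        attempts.append(server)
        return 535, "5.7.8 Authentication credentials invalid"   # constructed

    now = [1_700_000_000.0]
    cache = SaslAuthCache("90d", clock=lambda: now[0])
    first = deliver(cache, "smtp.example.com", "alice", "s3cret", always_535)
    second = deliver(cache, "smtp.example.com", "alice", "s3cret", always_535)
    now[0] += parse_time("91d", "d")            # past smtp_sasl_auth_cache_time
    third = deliver(cache, "smtp.example.com", "alice", "s3cret", always_535,
                    soft_bounce=False)
    return (first, second, third, len(attempts))


if __name__ == "__main__":
    print(demo())
```

<p> What the demo shows: the second attempt with the same credentials
makes no new AUTH request because the 535 reply is served from the
cache; once the cache time has passed the entry is dropped and a fresh
attempt is made; and with smtp_sasl_auth_soft_bounce = no the same
535 turns into a bounce instead of a deferral. A changed password
produces a different digest, which is the model's equivalent of the
smtp_sasl_password_maps change mentioned above.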
</p>

<p> Use a per-destination delivery concurrency of 1 (for example,
"smtp_destination_concurrency_limit = 1",
"relay_destination_concurrency_limit = 1", etc.), otherwise multiple
delivery agents may experience a login failure at the same time.
</p>

<p> The table must be accessed via the proxywrite service, i.e. the
map name must start with "proxy:". The table should be stored under
the directory specified with the data_directory parameter. </p>

<p> This feature uses cryptographic hashing to protect plain-text
passwords, and requires that Postfix is compiled with TLS support.
</p>

<p> Example: </p>

<pre>
smtp_sasl_auth_cache_name = proxy:btree:/var/db/postfix/sasl_auth_cache
</pre>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM smtp_sasl_auth_cache_time 90d

<p> The maximal age of an smtp_sasl_auth_cache_name entry before it
is removed. </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM lmtp_sasl_auth_soft_bounce yes

<p> The LMTP-specific version of the smtp_sasl_auth_soft_bounce
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM lmtp_sasl_auth_cache_name

<p> The LMTP-specific version of the smtp_sasl_auth_cache_name
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later.
</p>

%PARAM lmtp_sasl_auth_cache_time 90d

<p> The LMTP-specific version of the smtp_sasl_auth_cache_time
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM unverified_sender_reject_reason

<p> The Postfix SMTP server's reply when rejecting mail with
reject_unverified_sender. Do not include the numeric SMTP reply
code or the enhanced status code. By default, the response includes
actual address verification details. </p>

<p> Example: </p>

<pre>
unverified_sender_reject_reason = Sender address lookup failed
</pre>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM unverified_recipient_reject_reason

<p> The Postfix SMTP server's reply when rejecting mail with
reject_unverified_recipient. Do not include the numeric SMTP reply
code or the enhanced status code. By default, the response includes
actual address verification details. </p>

<p> Example: </p>

<pre>
unverified_recipient_reject_reason = Recipient address lookup failed
</pre>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM strict_mailbox_ownership yes

<p> Defer delivery when a mailbox file is not owned by its recipient.
The default setting is not backwards compatible. </p>

<p> This feature is available in Postfix 2.5.3 and later. </p>

%PARAM proxymap_service_name proxymap

<p> The name of the proxymap read-only table lookup service. This
service is normally implemented by the proxymap(8) daemon. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM proxywrite_service_name proxywrite

<p> The name of the proxywrite read-write table lookup service.
This service is normally implemented by the proxymap(8) daemon.
</p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM master_service_disable

<p> Selectively disable master(8) listener ports by service type
or by service name and type. Specify a list of service types
("inet", "unix", "fifo", or "pass") or "name/type" tuples, where
"name" is the first field of a master.cf entry and "type" is a
service type. As with other Postfix matchlists, a search stops at
the first match. Specify "!pattern" to exclude a service from the
list. By default, all master(8) listener ports are enabled. </p>

<p> Note: this feature does not support "/file/name" or "type:table"
patterns, nor does it support wildcards such as "*" or "all". This
is intentional. </p>

<p> Examples: </p>

<pre>
# With Postfix 2.6..2.10 use '.' instead of '/'.
# Turn on all master(8) listener ports (the default).
master_service_disable =
# Turn off only the main SMTP listener port.
master_service_disable = smtp/inet
# Turn off all TCP/IP listener ports.
master_service_disable = inet
# Turn off all TCP/IP listener ports except "foo".
master_service_disable = !foo/inet, inet
</pre>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM tcp_windowsize 0

<p> An optional workaround for routers that break TCP window scaling.
Specify a value &gt; 0 and &lt; 65536 to enable this feature. With
Postfix TCP servers (smtpd(8), qmqpd(8)), this feature is implemented
by the Postfix master(8) daemon.
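</p>

<p> Added example (not Postfix code): a Python evaluator for the
master_service_disable matchlist rules described in the previous
entry, which the procedure below relies on when it sets
master_service_disable=inet. It implements the rules as stated
there: bare "type" or "name/type" patterns, "!pattern" exclusion,
first match wins, and rejection of "/file/name", "type:table",
"*" and "all". The master.cf entries are constructed sample data,
not a real configuration. </p>

```python
"""Added example, not Postfix code: evaluate master_service_disable against
master.cf entries. The sample entries are constructed for the demo."""

SERVICE_TYPES = ("inet", "unix", "fifo", "pass")


def parse_disable_list(value):
    """Return [(negated, name_or_None, type)] in the order written."""
    patterns = []
    for item in value.replace(",", " ").split():
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        # Deliberately unsupported forms: files, tables, wildcards.
        if item.startswith("/") or ":" in item or "*" in item or item == "all":
            raise ValueError("unsupported master_service_disable pattern: %r" % item)
        name, _, stype = item.rpartition("/")   # "smtp/inet" -> ("smtp", "/", "inet")
        if stype not in SERVICE_TYPES:
            raise ValueError("unknown service type in pattern: %r" % item)
        patterns.append((negated, name or None, stype))
    return patterns


def is_disabled(patterns, name, stype):
    """First pattern that matches decides; a negated match means enabled."""
    for negated, pname, ptype in patterns:
        if ptype == stype and (pname is None or pname == name):
            return not negated
    return False                      # default: every listener stays enabled


SAMPLE_MASTER_CF = [                  # (name, type) from a constructed master.cf
    ("smtp", "inet"), ("submission", "inet"), ("foo", "inet"),
    ("pickup", "unix"), ("cleanup", "unix"), ("qmgr", "unix"),
]


def disabled_services(value, master_cf=SAMPLE_MASTER_CF):
    """Names of the master.cf services that the given setting turns off."""
    patterns = parse_disable_list(value)
    return ["%s/%s" % (name, stype) for name, stype in master_cf
            if is_disabled(patterns, name, stype)]


if __name__ == "__main__":
    for setting in ("", "smtp/inet", "inet", "!foo/inet, inet", "inet, !foo/inet"):
        print("%-20r -> %s" % (setting, disabled_services(setting)))
```

<p> The last two settings in the usage loop show the first-match rule
that makes "!foo/inet, inet" work: foo/inet hits the negated pattern
first and stays enabled, every other inet service hits "inet" and is
turned off. Reversing the two patterns disables foo/inet as well,
because "inet" now matches first and the "!foo/inet" exclusion is
never reached.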
</p>

<p> To change this parameter without stopping Postfix, you need to
first terminate all Postfix TCP servers: </p>

<blockquote>
<pre>
# postconf -e master_service_disable=inet
# postfix reload
</pre>
</blockquote>

<p> This immediately terminates all processes that accept network
connections. Next, you enable Postfix TCP servers with the updated
tcp_windowsize setting: </p>

<blockquote>
<pre>
# postconf -e tcp_windowsize=65535 master_service_disable=
# postfix reload
</pre>
</blockquote>

<p> If you skip these steps with a running Postfix system, then the
tcp_windowsize change will work only for Postfix TCP clients (smtp(8),
lmtp(8)). </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM multi_instance_directories

<p> An optional list of non-default Postfix configuration directories;
these directories belong to additional Postfix instances that share
the Postfix executable files and documentation with the default
Postfix instance, and that are started, stopped, etc., together
with the default Postfix instance. Specify a list of pathnames
separated by comma or whitespace. </p>

<p> When $multi_instance_directories is empty, the postfix(1) command
runs in single-instance mode and operates on a single Postfix
instance only. Otherwise, the postfix(1) command runs in multi-instance
mode and invokes the multi-instance manager specified with the
multi_instance_wrapper parameter. The multi-instance manager in
turn executes postfix(1) commands for the default instance and for
all Postfix instances in $multi_instance_directories. </p>

<p> Currently, this parameter setting is ignored except for the
default main.cf file. </p>

<p> This feature is available in Postfix 2.6 and later.
</p>

%PARAM multi_instance_wrapper

<p> The pathname of a multi-instance manager command that the
postfix(1) command invokes when the multi_instance_directories
parameter value is non-empty. The pathname may be followed by
initial command arguments separated by whitespace; shell
metacharacters such as quotes are not supported in this context.
</p>

<p> The postfix(1) command invokes the manager command with the
postfix(1) non-option command arguments on the manager command line,
and with all installation configuration parameters exported into
the manager command process environment. The manager command in
turn invokes the postfix(1) command for individual Postfix instances
as "postfix -c <i>config_directory</i> <i>command</i>". </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM multi_instance_group

<p> The optional instance group name of this Postfix instance. A
group identifies closely-related Postfix instances that the
multi-instance manager can start, stop, etc., as a unit. This
parameter is reserved for the multi-instance manager. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM multi_instance_name

<p> The optional instance name of this Postfix instance. This name
also becomes the default value for the syslog_name parameter. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM multi_instance_enable no

<p> Allow this Postfix instance to be started, stopped, etc., by a
multi-instance manager. By default, new instances are created in
a safe state that prevents them from being started inadvertently.
This parameter is reserved for the multi-instance manager. </p>

<p> This feature is available in Postfix 2.6 and later.
</p>

%PARAM reject_tempfail_action defer_if_permit

<p> The Postfix SMTP server's action when a reject-type restriction
fails due to a temporary error condition. Specify "defer" to defer
the remote SMTP client request immediately. With the default
"defer_if_permit" action, the Postfix SMTP server continues to look
for opportunities to reject mail, and defers the client request
only if it would otherwise be accepted. </p>

<p> For finer control, see: unverified_recipient_tempfail_action,
unverified_sender_tempfail_action, unknown_address_tempfail_action,
and unknown_helo_hostname_tempfail_action. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM unverified_recipient_tempfail_action $reject_tempfail_action

<p> The Postfix SMTP server's action when reject_unverified_recipient
fails due to a temporary error condition. Specify "defer" to defer
the remote SMTP client request immediately. With the default
"defer_if_permit" action, the Postfix SMTP server continues to look
for opportunities to reject mail, and defers the client request
only if it would otherwise be accepted. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM unverified_sender_tempfail_action $reject_tempfail_action

<p> The Postfix SMTP server's action when reject_unverified_sender
fails due to a temporary error condition. Specify "defer" to defer
the remote SMTP client request immediately. With the default
"defer_if_permit" action, the Postfix SMTP server continues to look
for opportunities to reject mail, and defers the client request
only if it would otherwise be accepted. </p>

<p> This feature is available in Postfix 2.6 and later.
</p>

%PARAM unknown_address_tempfail_action $reject_tempfail_action

<p> The Postfix SMTP server's action when reject_unknown_sender_domain
or reject_unknown_recipient_domain fail due to a temporary error
condition. Specify "defer" to defer the remote SMTP client request
immediately. With the default "defer_if_permit" action, the Postfix
SMTP server continues to look for opportunities to reject mail, and
defers the client request only if it would otherwise be accepted.
</p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM unknown_helo_hostname_tempfail_action $reject_tempfail_action

<p> The Postfix SMTP server's action when reject_unknown_helo_hostname
fails due to a temporary error condition. Specify "defer" to defer
the remote SMTP client request immediately. With the default
"defer_if_permit" action, the Postfix SMTP server continues to look
for opportunities to reject mail, and defers the client request
only if it would otherwise be accepted. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM postmulti_start_commands start

<p> The postfix(1) commands that the postmulti(1) instance manager treats
as "start" commands. For these commands, disabled instances are "checked"
rather than "started", and failure to "start" a member instance of an
instance group will abort the start-up of later instances. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM postmulti_stop_commands see "postconf -d" output

<p> The postfix(1) commands that the postmulti(1) instance manager treats
as "stop" commands. For these commands, disabled instances are skipped,
and enabled instances are processed in reverse order. </p>

<p> This feature is available in Postfix 2.6 and later.
</p>

%PARAM postmulti_control_commands reload flush

<p> The postfix(1) commands that the postmulti(1) instance manager
treats as "control" commands, that operate on running instances. For
these commands, disabled instances are skipped. </p>

<p> This feature is available in Postfix 2.6 and later. </p>

%PARAM lmtp_assume_final no

<p> When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" delivery status
notifications instead of "relayed". The default setting is backwards
compatible to avoid the infinitesimal possibility of breaking
existing LMTP-based content filters. </p>

%PARAM always_add_missing_headers no

<p> Always add (Resent-) From:, To:, Date: or Message-ID: headers
when not present. Postfix 2.6 and later add these headers only
when clients match the local_header_rewrite_clients parameter
setting. Earlier Postfix versions always add these headers; this
may break DKIM signatures that cover non-existent headers.
The undisclosed_recipients_header parameter setting determines
whether a To: header will be added. </p>

%PARAM lmtp_header_checks

<p> The LMTP-specific version of the smtp_header_checks configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM lmtp_mime_header_checks

<p> The LMTP-specific version of the smtp_mime_header_checks
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM lmtp_nested_header_checks

<p> The LMTP-specific version of the smtp_nested_header_checks
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later.
</p>

%PARAM lmtp_body_checks

<p> The LMTP-specific version of the smtp_body_checks configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 2.5 and later. </p>

%PARAM milter_header_checks

<p> Optional lookup tables for content inspection of message headers
that are produced by Milter applications. See the header_checks(5)
manual page for available actions. Currently, PREPEND is not implemented.
</p>

<p> The following example sends all mail that is marked as SPAM to
a spam handling machine. Note that matches are case-insensitive
by default. </p>

<pre>
/etc/postfix/main.cf:
    milter_header_checks = pcre:/etc/postfix/milter_header_checks
</pre>

<pre>
/etc/postfix/milter_header_checks:
    /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
</pre>

<p> The milter_header_checks mechanism could also be used for
allowlisting. For example it could be used to skip heavy content
inspection for DKIM-signed mail from known friendly domains. </p>

<p> This feature is available in Postfix 2.7, and as an optional
patch for Postfix 2.6. </p>

%PARAM postscreen_cache_map btree:$data_directory/postscreen_cache

<p> Persistent storage for the postscreen(8) server decisions. </p>

<p> To share a postscreen(8) cache between multiple postscreen(8)
instances, use "postscreen_cache_map = proxy:btree:/path/to/file".
This requires Postfix version 2.9 or later; earlier proxymap(8)
implementations don't support cache cleanup. For an alternative
approach see the memcache_table(5) manpage. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM smtpd_service_name smtpd

<p> The internal service that postscreen(8) hands off allowed
connections to.
In a future version there may be different
classes of SMTP service. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_post_queue_limit $default_process_limit

<p> The number of clients that can be waiting for service from a
real Postfix SMTP server process. When this queue is full, all
clients will receive a 421 response. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_pre_queue_limit $default_process_limit

<p> The number of non-allowlisted clients that can be waiting for
a decision whether they will receive service from a real Postfix
SMTP server process. When this queue is full, all non-allowlisted
clients will receive a 421 response. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_greet_ttl 1d

<p> The amount of time that postscreen(8) will use the result from
a successful PREGREET test. During this time, the client IP address
is excluded from this test. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_cache_retention_time 7d

<p> The amount of time that postscreen(8) will cache an expired
temporary allowlist entry before it is removed. This prevents clients
from being logged as "NEW" just because their cache entry expired
an hour ago. It also prevents the cache from filling up with clients
that passed some deep protocol test once and never came back.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_cache_cleanup_interval 12h

<p> The amount of time between postscreen(8) cache cleanup runs.
Cache cleanup increases the load on the cache database and should
therefore not be run frequently. This feature requires that the
cache database supports the "delete" and "sequence" operators.
Specify a zero interval to disable cache cleanup. </p>

<p> After each cache cleanup run, the postscreen(8) daemon logs the
number of entries that were retained and dropped. A cleanup run is
logged as "partial" when the daemon terminates early after "<b>postfix
reload</b>", "<b>postfix stop</b>", or no requests for $max_idle
seconds. </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_greet_wait normal: 6s, overload: 2s

<p> The amount of time that postscreen(8) will wait for an SMTP
client to send a command before its turn, and for DNS blocklist
lookup results to arrive (default: up to 2 seconds under stress,
up to 6 seconds otherwise). </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.8.
</p>

%PARAM postscreen_dnsbl_sites

<p> Optional list of patterns with DNS allow/denylist domains, filters
and weight factors. When the list is non-empty, the dnsblog(8) daemon
will query these domains with the reversed IP addresses of remote SMTP
clients, and postscreen(8) will update an SMTP client's DNSBL score with
each non-error reply as described below. </p>

<p> Caution: when postscreen rejects mail, its SMTP response contains
the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide
"password" information in DNSBL domain names. </p>

<p> When a client's score is equal to or greater than the threshold
specified with postscreen_dnsbl_threshold, postscreen(8) can drop
the connection with the remote SMTP client. </p>

<p> Specify a list of domain=filter*weight patterns, separated by
comma or whitespace. </p>

<ul>

<li> <p> When a pattern specifies no "=filter", postscreen(8) will
use any non-error DNSBL query result. Otherwise, postscreen(8)
will use only DNSBL query results that match the filter. The filter
has the form d.d.d.d, where each d is a number, or a pattern inside
[] that contains one or more ";"-separated numbers or number..number
ranges. </p>

<li> <p> When a pattern specifies no "*weight", the weight of the
pattern is 1. Otherwise, the weight must be an integral number.
Specify a negative number for allowlisting. </p>

<li> <p> When a pattern matches one or more DNSBL query results,
postscreen(8) adds that pattern's weight once to the remote SMTP
client's DNSBL score.
</p>

</ul>

<p> Examples: </p>

<p> To use example.com as a high-confidence blocklist, and to
block mail with example.net and example.org only when both agree:
</p>

<pre>
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = example.com*2, example.net, example.org
</pre>

<p> To filter only DNSBL replies containing 127.0.0.4: </p>

<pre>
postscreen_dnsbl_sites = example.com=127.0.0.4
</pre>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_dnsbl_action ignore

<p> The action that postscreen(8) takes when a remote SMTP client's combined
DNSBL score is equal to or greater than a threshold (as defined
with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold
parameters). Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Repeat this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_greet_action ignore

<p> The action that postscreen(8) takes when a remote SMTP client speaks
before its turn within the time specified with the postscreen_greet_wait
parameter.
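</p>

<p> Added example (not Postfix code), placed here ahead of this
parameter's action list: a Python model of the postscreen_dnsbl_sites
scoring rules and the postscreen_dnsbl_action decision described in
the two preceding entries. It parses domain=filter*weight patterns,
including the d.d.d.d filter syntax with [] number lists and
number..number ranges, adds each matching pattern's weight once, and
maps the score against the threshold to the configured action.
Assumed, not on the page: the DNSBL answers are supplied as a
dictionary of constructed A records per domain instead of coming
from dnsblog(8). </p>

```python
"""Added example, not Postfix code: postscreen_dnsbl_sites scoring and the
postscreen_dnsbl_action decision. DNSBL answers are constructed sample
data passed in as a dict, standing in for dnsblog(8) lookups."""


def _split_octets(filt):
    """Split 'd.d.d.d' on the dots that are outside [] brackets."""
    octets, current, depth = [], "", 0
    for ch in filt:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            octets.append(current)
            current = ""
        else:
            current += ch
    octets.append(current)
    if depth != 0 or len(octets) != 4:
        raise ValueError("bad DNSBL filter: %r" % filt)
    return octets


def _octet_values(spec):
    """Byte values accepted by one octet spec: '4' or '[4..7;11]'."""
    if not (spec.startswith("[") and spec.endswith("]")):
        return {int(spec)}
    allowed = set()
    for piece in spec[1:-1].split(";"):
        if ".." in piece:
            low, high = piece.split("..", 1)
            allowed.update(range(int(low), int(high) + 1))
        else:
            allowed.add(int(piece))
    return allowed


def compile_filter(filt):
    return [_octet_values(octet) for octet in _split_octets(filt)]


def filter_matches(compiled, reply):
    parts = reply.split(".")
    return len(parts) == 4 and all(
        int(p) in allowed for p, allowed in zip(parts, compiled))


def parse_sites(value):
    """'dom=filter*weight, ...' -> [(domain, compiled_filter_or_None, weight)]."""
    sites = []
    for item in value.replace(",", " ").split():
        weight = 1
        if "*" in item:
            item, weight_text = item.rsplit("*", 1)
            weight = int(weight_text)            # negative = allowlisting
        compiled = None
        if "=" in item:
            item, filt = item.split("=", 1)
            compiled = compile_filter(filt)
        sites.append((item, compiled, weight))
    return sites


def dnsbl_score(sites, replies):
    """replies: {domain: [A records]}; a domain absent from the dict means
    no listing or a lookup error, which contributes nothing."""
    score = 0
    for domain, compiled, weight in sites:
        answers = replies.get(domain, [])
        if compiled is None:
            hit = bool(answers)
        else:
            hit = any(filter_matches(compiled, a) for a in answers)
        if hit:
            score += weight                      # once per pattern, not per answer
    return score


def dnsbl_decision(score, threshold, action="ignore"):
    """Below the threshold the test passes; at or above it the configured
    postscreen_dnsbl_action applies: ignore, enforce (550) or drop (521)."""
    if score < threshold:
        return "pass"
    if action not in ("ignore", "enforce", "drop"):
        raise ValueError("unknown postscreen_dnsbl_action: %r" % action)
    return action


def demo():
    """Reproduces the two configurations from the postscreen_dnsbl_sites entry."""
    sites = parse_sites("example.com*2, example.net, example.org")
    only_com = dnsbl_score(sites, {"example.com": ["127.0.0.2"]})
    only_net = dnsbl_score(sites, {"example.net": ["127.0.0.2"]})
    net_and_org = dnsbl_score(sites, {"example.net": ["127.0.0.2"],
                                      "example.org": ["127.0.0.3"]})
    filtered = parse_sites("example.com=127.0.0.[4..7;11]*3")
    return {"only_com": dnsbl_decision(only_com, 2, "enforce"),
            "only_net": dnsbl_decision(only_net, 2, "enforce"),
            "net_and_org": dnsbl_decision(net_and_org, 2, "drop"),
            "filter_hit": dnsbl_score(filtered, {"example.com": ["127.0.0.5"]}),
            "filter_miss": dnsbl_score(filtered, {"example.com": ["127.0.0.2"]})}


if __name__ == "__main__":
    print(demo())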
Specify one of the following: </p> 14514 14515<dl> 14516 14517<dt> <b>ignore</b> (default) </dt> 14518 14519<dd> Ignore the failure of this test. Allow other tests to complete. 14520Repeat this test the next time the client connects. 14521This option is useful for testing and collecting statistics 14522without blocking mail. </dd> 14523 14524<dt> <b>enforce</b> </dt> 14525 14526<dd> Allow other tests to complete. Reject attempts to deliver mail 14527with a 550 SMTP reply, and log the helo/sender/recipient information. 14528Repeat this test the next time the client connects. </dd> 14529 14530<dt> <b>drop</b> </dt> 14531 14532<dd> Drop the connection immediately with a 521 SMTP reply. Repeat 14533this test the next time the client connects. </dd> 14534 14535</dl> 14536 14537<p> In either case, postscreen(8) will not allowlist the remote SMTP client 14538IP address. </p> 14539 14540<p> This feature is available in Postfix 2.8. </p> 14541 14542%PARAM postscreen_access_list permit_mynetworks 14543 14544<p> Permanent allow/denylist for remote SMTP client IP addresses. 14545postscreen(8) searches this list immediately after a remote SMTP 14546client connects. Specify a comma- or whitespace-separated list of 14547commands (in upper or lower case) or lookup tables. The search stops 14548upon the first command that fires for the client IP address. </p> 14549 14550<dl> 14551 14552<dt> <b> permit_mynetworks </b> </dt> <dd> Allowlist the client and 14553terminate the search if the client IP address matches $mynetworks. 14554Do not subject the client to any before/after 220 greeting tests. 14555Pass the connection immediately to a Postfix SMTP server process. 14556<br> Pattern matching of domain names is controlled by the presence 14557or absence of "postscreen_access_list" in the 14558parent_domain_matches_subdomains parameter value. </dd> 14559 14560<dt> <b> type:table </b> </dt> <dd> Query the specified lookup 14561table. 
Each table lookup result is an access list, except that
access lists inside a table cannot specify type:table entries. <br>
To discourage the use of hash, btree, etc. tables, there is no
support for substring matching like smtpd(8). Use CIDR tables
instead. </dd>

<dt> <b> permit </b> </dt> <dd> Allowlist the client and terminate
the search. Do not subject the client to any before/after 220
greeting tests. Pass the connection immediately to a Postfix SMTP
server process. </dd>

<dt> <b> reject </b> </dt> <dd> Denylist the client and terminate
the search. Subject the client to the action configured with the
postscreen_denylist_action configuration parameter. </dd>

<dt> <b> dunno </b> </dt> <dd> All postscreen(8) access lists
implicitly have this command at the end. <br> When <b> dunno </b>
is executed inside a lookup table, return from the lookup table and
evaluate the next command. <br> When <b> dunno </b> is executed
outside a lookup table, terminate the search, and subject the client
to the configured before/after 220 greeting tests. </dd>

</dl>

<p> Example: </p>

<pre>
/etc/postfix/main.cf:
    postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr
    # Postfix &lt; 3.6: use postscreen_blacklist_action.
    postscreen_denylist_action = enforce
</pre>

<pre>
/etc/postfix/postscreen_access.cidr:
    # Rules are evaluated in the order as specified.
    # Denylist 192.168.* except 192.168.0.1.
    192.168.0.1          dunno
    192.168.0.0/16       reject
</pre>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_greet_banner $smtpd_banner

<p> The <i>text</i> in the optional "220-<i>text</i>..." server
response that
postscreen(8) sends ahead of the real Postfix SMTP server's "220
text..."
response, in an attempt to confuse bad SMTP clients so
that they speak before their turn (pre-greet). Specify an empty
value to disable this feature. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_blacklist_action ignore

<p> Renamed to postscreen_denylist_action in Postfix 3.6. </p>

<p> This feature is available in Postfix 2.8 - 3.5. </p>

%PARAM postscreen_denylist_action ignore

<p> The action that postscreen(8) takes when a remote SMTP client is
permanently denylisted with the postscreen_access_list parameter.
Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore this result. Allow other tests to complete. Repeat
this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 3.6 and later. </p>

<p> Available as postscreen_blacklist_action in Postfix 2.8 - 3.5. </p>

%PARAM smtpd_command_filter

<p> A mechanism to transform commands from remote SMTP clients.
This is a last-resort tool to work around client commands that break
interoperability with the Postfix SMTP server. Other uses involve
fault injection to test Postfix's handling of invalid commands.
</p>

<p> Specify the name of a "type:table" lookup table.
The search
string is the SMTP command as received from the remote SMTP client,
except that initial whitespace and the trailing &lt;CR&gt;&lt;LF&gt;
are removed. The result value is executed by the Postfix SMTP
server. </p>

<p> There is no need to use smtpd_command_filter for the following
cases: </p>

<ul>

<li> <p> Use "resolve_numeric_domain = yes" to accept
"<i>user@ipaddress</i>". </p>

<li> <p> Postfix already accepts the correct form
"<i>user@[ipaddress]</i>". Use virtual_alias_maps or canonical_maps
to translate these into domain names if necessary. </p>

<li> <p> Use "strict_rfc821_envelopes = no" to accept "RCPT TO:&lt;<i>User
Name &lt;user@example.com&gt;</i>&gt;". Postfix will ignore the "<i>User
Name</i>" part and deliver to the <i>&lt;user@example.com&gt;</i> address.
</p>

</ul>

<p> Examples of problems that can be solved with the smtpd_command_filter
feature: </p>

<pre>
/etc/postfix/main.cf:
    smtpd_command_filter = pcre:/etc/postfix/command_filter
</pre>

<pre>
/etc/postfix/command_filter:
    # Work around clients that send malformed HELO commands.
    /^HELO\s*$/ HELO domain.invalid
</pre>

<pre>
    # Work around clients that send empty lines.
    /^\s*$/ NOOP
</pre>

<pre>
    # Work around clients that send RCPT TO:&lt;'user@domain'&gt;.
    # WARNING: do not lose the parameters that follow the address.
    /^(RCPT\s+TO:\s*&lt;)'([^[:space:]]+)'(&gt;.*)/ $1$2$3
</pre>

<pre>
    # Append XVERP to MAIL FROM commands to request VERP-style delivery.
    # See VERP_README for more information on how to use Postfix VERP.
    /^(MAIL\s+FROM:\s*&lt;listname@example\.com&gt;.*)/ $1 XVERP
</pre>

<pre>
    # Bounce-never mail sink. Use notify_classes=bounce,resource,software
    # to send bounced mail to the postmaster (with message body removed).
    /^(RCPT\s+TO:\s*&lt;.*&gt;.*)\s+NOTIFY=\S+(.*)/ $1 NOTIFY=NEVER$2
    /^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER
</pre>

<p> This feature is available in Postfix 2.7. </p>

%PARAM smtp_reply_filter

<p> A mechanism to transform replies from remote SMTP servers one
line at a time. This is a last-resort tool to work around server
replies that break interoperability with the Postfix SMTP client.
Other uses involve fault injection to test Postfix's handling of
invalid responses. </p>

<p> Notes: </p>

<ul>

<li> <p> In the case of a multi-line reply, the Postfix SMTP client
uses the final reply line's numerical SMTP reply code and enhanced
status code. </p>

<li> <p> The numerical SMTP reply code (XYZ) takes precedence over
the enhanced status code (X.Y.Z). When the enhanced status code
initial digit differs from the SMTP reply code initial digit, or
when no enhanced status code is present, the Postfix SMTP client
uses a generic enhanced status code (X.0.0) instead. </p>

</ul>

<p> Specify the name of a "type:table" lookup table. The search
string is a single SMTP reply line as received from the remote SMTP
server, except that the trailing &lt;CR&gt;&lt;LF&gt; are removed.
When the lookup succeeds, the result replaces the single SMTP reply
line. </p>

<p> Examples: </p>

<pre>
/etc/postfix/main.cf:
    smtp_reply_filter = pcre:/etc/postfix/reply_filter
</pre>

<pre>
/etc/postfix/reply_filter:
    # Transform garbage into "250-filler..." so that it looks like
    # one line from a multi-line reply. It does not matter what we
    # substitute here as long as it has the right syntax. The Postfix
    # SMTP client will use the final line's numerical SMTP reply
    # code and enhanced status code.
    !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
</pre>

<p> This feature is available in Postfix 2.7. </p>

%PARAM lmtp_reply_filter

<p> The LMTP-specific version of the smtp_reply_filter
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.7 and later. </p>

%PARAM smtp_tls_block_early_mail_reply no

<p> Try to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555), where an attacker prepends malicious
HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
The attack would succeed with non-Postfix SMTP servers that reply
to the malicious HELO, MAIL, RCPT, DATA commands after negotiating
the Postfix SMTP client TLS session. </p>

<p> This feature is available in Postfix 2.7. </p>

%PARAM lmtp_tls_block_early_mail_reply

<p> The LMTP-specific version of the smtp_tls_block_early_mail_reply
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.7 and later. </p>

%PARAM empty_address_default_transport_maps_lookup_key <>

<p> The sender_dependent_default_transport_maps search string that
will be used instead of the null sender address. </p>

<p> This feature is available in Postfix 2.7 and later. </p>

%PARAM sender_dependent_default_transport_maps

<p> A sender-dependent override for the global default_transport
parameter setting. The tables are searched by the envelope sender
address and @domain. A lookup result of DUNNO terminates the search
without overriding the global default_transport parameter setting.
This information is overruled with the transport(5) table. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma.
Tables will be searched in the specified order
until a match is found.
</p>

<p> Note: this overrides default_transport, not transport_maps, and
therefore the expected syntax is that of default_transport, not the
syntax of transport_maps. Specifically, this does not support the
transport_maps syntax for null transport, null nexthop, or null
email addresses. </p>

<p> For safety reasons, this feature does not allow $number
substitutions in regular expression maps. </p>

<p> This feature is available in Postfix 2.7 and later. </p>

%PARAM address_verify_sender_dependent_default_transport_maps $sender_dependent_default_transport_maps

<p> Overrides the sender_dependent_default_transport_maps parameter
setting for address verification probes. </p>

<p> This feature is available in Postfix 2.7 and later. </p>

%PARAM default_filter_nexthop

<p> When a content_filter or FILTER request specifies no explicit
next-hop destination, use $default_filter_nexthop instead; when
that value is empty, use the domain in the recipient address.
Specify "default_filter_nexthop = $myhostname" for compatibility
with Postfix version 2.6 and earlier, or specify an explicit next-hop
destination with each content_filter value or FILTER action. </p>

<p> This feature is available in Postfix 2.7 and later. </p>

%PARAM smtp_address_preference any

<p> The address type ("ipv6", "ipv4" or "any") that the Postfix
SMTP client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference. This feature has no effect
unless the inet_protocols setting enables both IPv4 and IPv6. </p>

<p> Postfix SMTP client address preference has evolved. With Postfix
2.8 the default is "ipv6"; earlier implementations are hard-coded
to prefer IPv6 over IPv4.
</p>

<p> Notes for mail delivery between sites that have both IPv4 and
IPv6 connectivity: </p>

<ul>

<li> <p> The setting "smtp_address_preference = ipv6" is unsafe.
It can fail to deliver mail when there is an outage that affects
IPv6, while the destination is still reachable over IPv4. </p>

<li> <p> The setting "smtp_address_preference = any" is safe. With
this, mail will eventually be delivered even if there is an outage
that affects IPv6 or IPv4, as long as it does not affect both. </p>

</ul>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM lmtp_address_preference ipv6

<p> The LMTP-specific version of the smtp_address_preference
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM smtp_dns_resolver_options

<p> DNS Resolver options for the Postfix SMTP client. Specify zero
or more of the following options, separated by comma or whitespace.
Option names are case-sensitive. Some options refer to domain names
that are specified in the file /etc/resolv.conf or equivalent. </p>

<dl>

<dt><b>res_defnames</b></dt>

<dd> Append the current domain name to single-component names (those
that do not contain a "." character). This can produce incorrect
results, and is the hard-coded behavior prior to Postfix 2.8. </dd>

<dt><b>res_dnsrch</b></dt>

<dd> Search for host names in the current domain and in parent
domains. This can produce incorrect results and is therefore not
recommended. </dd>

</dl>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM lmtp_dns_resolver_options

<p> The LMTP-specific version of the smtp_dns_resolver_options
configuration parameter. See there for details.
</p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_dnsbl_threshold 1

<p> The inclusive lower bound for blocking a remote SMTP client, based on
its combined DNSBL score as defined with the postscreen_dnsbl_sites
parameter. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_dnsbl_whitelist_threshold 0

<p> Renamed to postscreen_dnsbl_allowlist_threshold in Postfix 3.6. </p>

<p> This feature is available in Postfix 2.11 - 3.5. </p>

%PARAM postscreen_dnsbl_allowlist_threshold 0

<p> Allow a remote SMTP client to skip "before" and "after 220
greeting" protocol tests, based on its combined DNSBL score as
defined with the postscreen_dnsbl_sites parameter. </p>

<p> Specify a negative value to enable this feature. When a client
passes the postscreen_dnsbl_allowlist_threshold without having
failed other tests, all pending or disabled tests are flagged as
completed with a time-to-live value equal to postscreen_dnsbl_ttl.
When a test was already completed, its time-to-live value is updated
if it was less than postscreen_dnsbl_ttl. </p>

<p> This feature is available in Postfix 3.6 and later. </p>

<p> Available as postscreen_dnsbl_whitelist_threshold in Postfix 2.11
- 3.5. </p>

%PARAM postscreen_command_count_limit 20

<p> The limit on the total number of commands per SMTP session for
postscreen(8)'s built-in SMTP protocol engine. This SMTP engine
defers or rejects all attempts to deliver mail, therefore there is
no need to enforce separate limits on the number of junk commands
and error commands. </p>

<p> This feature is available in Postfix 2.8.
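</p>

<p> The two postscreen(8) decisions described above, the
postscreen_access_list search (permit_mynetworks, a cidr: table, and
the rule that a dunno inside a table moves on to the next command) and
the combined DNSBL score compared with postscreen_dnsbl_threshold and
postscreen_dnsbl_allowlist_threshold, modelled in Python. This is an
added example, not Postfix code: it assumes one command per cidr: rule
and a single literal address as DNSBL filter, treats a score strictly
below a negative allowlist threshold as passing it, and the $mynetworks
value, the cidr: table and the DNSBL replies are constructed. </p>

```python
"""Added example (not Postfix code): postscreen_access_list search and
combined DNSBL score versus the postscreen_dnsbl_*threshold parameters."""
import ipaddress
import re

# Constructed copy of the cidr: example: denylist 192.168.* except 192.168.0.1.
ACCESS_TABLE = """
    192.168.0.1          dunno
    192.168.0.0/16       reject
"""
ACCESS_LIST = ["permit_mynetworks", "cidr:/etc/postfix/postscreen_access.cidr"]
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]   # assumed $mynetworks value
# postscreen_dnsbl_sites values taken from the examples above.
SITES_WEIGHTED = "example.com*2, example.net, example.org"
SITES_FILTERED = "example.com=127.0.0.4"
SITE_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")


def parse_cidr_table(text):
    """Parse a cidr: table body into ordered (network, result) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, result = line.split(None, 1)
            rules.append((ipaddress.ip_network(pattern, strict=False),
                          result.strip().lower()))
    return rules


def search_access_list(commands, client_ip, mynetworks, tables):
    """Return "permit", "reject" or "dunno" for a client IP address.
    The first command that fires ends the search; a table's first matching
    rule is its result, and a dunno inside a table just moves on to the
    next command (assumption: one command per rule)."""
    ip = ipaddress.ip_address(client_ip)
    for cmd in commands:
        name = cmd.lower()
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n, strict=False) for n in mynetworks):
                return "permit"
        elif name in ("permit", "reject"):
            return name
        elif name == "dunno":
            break                       # dunno outside a table ends the search
        elif name.startswith("cidr:"):
            result = next((r for net, r in tables[cmd] if ip in net), None)
            if result in ("permit", "reject"):
                return result
    return "dunno"                      # implicit dunno: run the protocol tests


def parse_dnsbl_sites(value):
    """Parse domain[=address][*weight] entries; the weight defaults to 1.
    Only a single literal filter address is modelled (assumption)."""
    sites = []
    for token in re.split(r"[\s,]+", value.strip()):
        if token:
            m = SITE_RE.match(token)
            if m is None:
                raise ValueError("bad postscreen_dnsbl_sites entry: " + token)
            domain, address, weight = m.groups()
            sites.append((domain, address, int(weight) if weight else 1))
    return sites


def dnsbl_score(sites, replies):
    """Sum the weights of sites whose reply lists the client. replies maps
    a DNSBL domain to the A records returned (constructed); with a filter
    address only a reply containing exactly that address counts."""
    score = 0
    for domain, address, weight in sites:
        answers = replies.get(domain, [])
        listed = bool(answers) if address is None else address in answers
        if listed:
            score += weight
    return score


def dnsbl_verdict(score, threshold=1, allowlist_threshold=0):
    """postscreen_dnsbl_threshold is an inclusive lower bound for blocking.
    Allowlisting needs a negative postscreen_dnsbl_allowlist_threshold; a
    score strictly below it is treated as passing (assumption)."""
    if score >= threshold:
        return "block"          # handled per postscreen_dnsbl_action
    if allowlist_threshold < 0 and score < allowlist_threshold:
        return "allowlist"      # remaining tests are flagged as completed
    return "test"               # continue with the before/after 220 tests


def triage(client_ip, replies, sites=SITES_WEIGHTED, threshold=2,
           allowlist_threshold=0):
    """Access list first; only a dunno outcome reaches the DNSBL score."""
    tables = {ACCESS_LIST[1]: parse_cidr_table(ACCESS_TABLE)}
    decision = search_access_list(ACCESS_LIST, client_ip, MYNETWORKS, tables)
    if decision != "dunno":
        return decision
    score = dnsbl_score(parse_dnsbl_sites(sites), replies)
    return dnsbl_verdict(score, threshold, allowlist_threshold)
```

<p> With the sample data, 192.168.5.5 is rejected by the cidr: table,
192.168.0.1 gets dunno there and is then blocked only when its combined
score reaches the threshold of 2, and a client listed on example.net
alone is left to the protocol tests.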
</p>

%PARAM postscreen_command_time_limit normal: 300s, overload: 10s

<p> The time limit to read an entire command line with postscreen(8)'s
built-in SMTP protocol engine. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_dnsbl_ttl 1h

<p> The amount of time that postscreen(8) will use the result from
a successful DNS-based reputation test before a client
IP address is required to pass that test again. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours). </p>

<p> This feature is available in Postfix 2.8-3.0. It was
replaced by postscreen_dnsbl_max_ttl in Postfix 3.1. </p>

%PARAM postscreen_dnsbl_min_ttl 60s

<p> The minimum amount of time that postscreen(8) will use the
result from a successful DNS-based reputation test before a
client IP address is required to pass that test again. If the DNS
reply specifies a larger TTL value, that value will be used unless
it would be larger than postscreen_dnsbl_max_ttl. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 3.1. </p>

%PARAM postscreen_dnsbl_max_ttl ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h

<p> The maximum amount of time that postscreen(8) will use the
result from a successful DNS-based reputation test before a
client IP address is required to pass that test again.
If the DNS
reply specifies a shorter TTL value, that value will be used unless
it would be smaller than postscreen_dnsbl_min_ttl. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours). </p>

<p> This feature is available in Postfix 3.1. The default setting
is backwards-compatible with older Postfix versions. </p>

%PARAM postscreen_pipelining_action enforce

<p> The action that postscreen(8) takes when a remote SMTP client
sends
multiple commands instead of sending one command and waiting for
the server to respond. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_pipelining_ttl 30d

<p> The amount of time that postscreen(8) will use the result from
a successful "pipelining" SMTP protocol test. During this time, the
client IP address is excluded from this test.
The default is
long because a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_pipelining_enable no

<p> Enable "pipelining" SMTP protocol tests in the postscreen(8)
server. These tests are expensive: a good client must disconnect
after it passes the test, before it can talk to a real Postfix SMTP
server. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_watchdog_timeout 10s

<p> How much time a postscreen(8) process may take to respond to
a remote SMTP client command or to perform a cache operation before it
is terminated by a built-in watchdog timer. This is a safety
mechanism that prevents postscreen(8) from becoming non-responsive
due to a bug in Postfix itself or in system software. To avoid
false alarms and unnecessary cache corruption this limit cannot be
set under 10s. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_helo_required $smtpd_helo_required

<p> Require that a remote SMTP client sends HELO or EHLO before
commencing a MAIL transaction. </p>

<p> This feature is available in Postfix 2.8.
</p>

%PARAM postscreen_forbidden_commands $smtpd_forbidden_commands

<p> List of commands that the postscreen(8) server considers in
violation of the SMTP protocol. See smtpd_forbidden_commands for
syntax, and postscreen_non_smtp_command_action for possible actions.
</p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_disable_vrfy_command $disable_vrfy_command

<p> Disable the SMTP VRFY command in the postscreen(8) daemon. See
disable_vrfy_command for details. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_non_smtp_command_action drop

<p> The action that postscreen(8) takes when a remote SMTP client sends
non-SMTP commands as specified with the postscreen_forbidden_commands
parameter. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. This action is the
same as with the Postfix SMTP server's smtpd_forbidden_commands
feature. </dd>

</dl>

<p> This feature is available in Postfix 2.8.
</p>

%PARAM postscreen_non_smtp_command_ttl 30d

<p> The amount of time that postscreen(8) will use the result from
a successful "non_smtp_command" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_non_smtp_command_enable no

<p> Enable "non-SMTP command" tests in the postscreen(8) server. These
tests are expensive: a client must disconnect after it passes the
test, before it can talk to a real Postfix SMTP server. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_dnsbl_reply_map

<p> A mapping from an actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply with
when it rejects mail. When no mapping is found, the actual DNSBL
domain will be used. </p>

<p> For maximal stability it is best to use a file that is read
into memory such as pcre:, regexp: or texthash: (texthash: is similar
to hash:, except a) there is no need to run postmap(1) before the
file can be used, and b) texthash: does not detect changes after
the file is read).
</p>

<p> Example: </p>

<pre>
/etc/postfix/main.cf:
    postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
</pre>

<pre>
/etc/postfix/dnsbl_reply:
    secret.zen.spamhaus.org zen.spamhaus.org
</pre>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_dnsbl_timeout 10s

<p> The time limit for DNSBL or DNSWL lookups. This is separate from
the timeouts in the dnsblog(8) daemon which are defined by system
resolver(3) routines. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 3.0. </p>

%PARAM postscreen_bare_newline_action ignore

<p> The action that postscreen(8) takes when a remote SMTP client sends
a bare newline character, that is, a newline not preceded by carriage
return. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8.
</p>

%PARAM postscreen_bare_newline_ttl 30d

<p> The amount of time that postscreen(8) will use the result from
a successful "bare newline" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a remote SMTP client must disconnect after it passes
the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_bare_newline_enable no

<p> Enable "bare newline" SMTP protocol tests in the postscreen(8)
server. These tests are expensive: a remote SMTP client must
disconnect after
it passes the test, before it can talk to a real Postfix SMTP server.
</p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_client_connection_count_limit $smtpd_client_connection_count_limit

<p> How many simultaneous connections any remote SMTP client is
allowed to have
with the postscreen(8) daemon. By default, this limit is the same
as with the Postfix SMTP server. Note that the triage process can
take several seconds, with the time spent in postscreen_greet_wait
delay, and with the time spent talking to the postscreen(8) built-in
dummy SMTP protocol engine. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM dnsblog_reply_delay 0s

<p> A debugging aid to artificially delay DNS responses. </p>

<p> This feature is available in Postfix 2.8.
</p>

%PARAM reset_owner_alias no

<p> Reset the local(8) delivery agent's idea of the owner-alias
attribute, when delivering mail to a child alias that does not have
its own owner alias. </p>

<p> This feature is available in Postfix 2.8 and later. With older
Postfix releases, the behavior is as if this parameter is set to
"yes". </p>

<p> As documented in aliases(5), when an alias <i>name</i> has a
companion alias named owner-<i>name</i>, this will replace the
envelope sender address, so that delivery errors will be
reported to the owner alias instead of the sender. This configuration
is recommended for mailing lists. </p>

<p> A less well-known property of the owner alias is that it also forces
the local(8) delivery agent to write local and remote addresses
from alias expansion to a new queue file, instead of attempting to
deliver mail to local addresses as soon as they come out of alias
expansion. </p>

<p> Writing local addresses from alias expansion to a new queue
file allows for robust handling of temporary delivery errors: errors
with one local member have no effect on deliveries to other members
of the list. On the other hand, delivery to local addresses as
soon as they come out of alias expansion is fragile: a temporary
error with one local address from alias expansion will cause the
entire alias to be expanded repeatedly until the error goes away,
or until the message expires in the queue. In that case, a problem
with one list member results in multiple message deliveries to other
list members. </p>

<p> The default behavior of Postfix 2.8 and later is to keep the
owner-alias attribute of the parent alias, when delivering mail to
a child alias that does not have its own owner alias.
Then, local
addresses from that child alias will be written to a new queue file,
and a temporary error with one local address will not affect delivery
to other mailing list members. </p>

<p> Unfortunately, older Postfix releases reset the owner-alias
attribute when delivering mail to a child alias that does not have
its own owner alias. To be precise, this resets only the decision
to create a new queue file, not the decision to override the envelope
sender address. The local(8) delivery agent then attempts to
deliver local addresses as soon as they come out of child alias
expansion. If delivery to any address from child alias expansion
fails with a temporary error condition, the entire mailing list may
be expanded repeatedly until the mail expires in the queue, resulting
in multiple deliveries of the same message to mailing list members.
</p>

%PARAM qmgr_ipc_timeout 60s

<p> The time limit for the queue manager to send or receive information
over an internal communication channel. The purpose is to break
out of deadlock situations. If the time limit is exceeded the
software either retries or aborts the operation. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM qmgr_daemon_timeout 1000s

<p> How much time a Postfix queue manager process may take to handle
a request before it is terminated by a built-in watchdog timer.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
15353The default time unit is s (seconds). </p> 15354 15355<p> This feature is available in Postfix 2.8 and later. </p> 15356 15357%PARAM tls_preempt_cipherlist no 15358 15359<p> With SSLv3 and later, use the Postfix SMTP server's cipher 15360preference order instead of the remote client's cipher preference 15361order. </p> 15362 15363<p> By default, the OpenSSL server selects the client's most preferred 15364cipher that the server supports. With SSLv3 and later, the server may 15365choose its own most preferred cipher that is supported (offered) by 15366the client. Setting "tls_preempt_cipherlist = yes" enables server cipher 15367preferences. </p> 15368 15369<p> While server cipher selection may in some cases lead to a more secure 15370or performant cipher choice, there is some risk of interoperability 15371issues. In the past, some SSL clients have listed lower priority ciphers 15372that they did not implement correctly. If the server chooses a cipher 15373that the client prefers less, it may select a cipher whose client 15374implementation is flawed. Most notably Windows 2003 Microsoft 15375Exchange servers have flawed implementations of DES-CBC3-SHA, which 15376OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite 15377selection may create interoperability issues with Windows 2003 15378Microsoft Exchange clients. </p> 15379 15380<p> This feature is available in Postfix 2.8 and later, in combination 15381with OpenSSL 0.9.7 and later. </p> 15382 15383%PARAM tls_disable_workarounds see "postconf -d" output 15384 15385<p> List or bit-mask of OpenSSL bug work-arounds to disable. </p> 15386 15387<p> The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS 15388implementations. Applications, such as Postfix, that want to maximize 15389interoperability ask the OpenSSL library to enable the full set of 15390recommended work-arounds. 
</p> 15391 15392<p> From time to time, it is discovered that a work-around creates a 15393security issue, and should no longer be used. If upgrading OpenSSL 15394to a fixed version is not an option or an upgrade is not available 15395in a timely manner, or in closed environments where no buggy clients 15396or servers exist, it may be appropriate to disable some or all of the 15397OpenSSL interoperability work-arounds. This parameter specifies which 15398bug work-arounds to disable. </p> 15399 15400<p> If the value of the parameter is a hexadecimal long integer starting 15401with "0x", the bug work-arounds corresponding to the bits specified in 15402its value are removed from the <b>SSL_OP_ALL</b> work-around bit-mask 15403(see openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more 15404bits than are present in SSL_OP_ALL, excess bits are ignored. Specifying 154050xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should 15406also be sufficient on 64-bit systems, until OpenSSL abandons support 15407for 32-bit systems and starts using the high 32 bits of a 64-bit 15408bug-workaround mask. </p> 15409 15410<p> Otherwise, the parameter is a white-space or comma separated list 15411of specific named bug work-arounds chosen from the list below. It 15412is possible that your OpenSSL version includes new bug work-arounds 15413added after your Postfix source code was last updated, in that case 15414you can only disable one of these via the hexadecimal syntax above. 
</p> 15415 15416<dl> 15417 15418<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in 15419OpenSSL 1.0.0.</dd> 15420 15421<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See 15422SSL_CTX_set_options(3)</dd> 15423 15424<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3)</dd> 15425 15426<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b></dt> <dd>See 15427SSL_CTX_set_options(3)</dd> 15428 15429<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd> 15430 15431<dt><b>MSIE_SSLV2_RSA_PADDING</b></dt> <dd> also aliased as 15432<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by 15433default with OpenSSL versions that may predate the fix. Fixed in 15434OpenSSL 0.9.7h and OpenSSL 0.9.8a.</dd> 15435 15436<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd> 15437 15438<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased 15439as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by 15440default with OpenSSL versions that may predate the fix. Fixed in 15441OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd> 15442 15443<dt><b>SSLEAY_080_CLIENT_DH_BUG</b></dt> <dd>See 15444SSL_CTX_set_options(3)</dd> 15445 15446<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See 15447SSL_CTX_set_options(3)</dd> 15448 15449<dt><b>TLS_BLOCK_PADDING_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd> 15450 15451<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd> 15452 15453<dt><b>TLS_ROLLBACK_BUG</b></dt> <dd>See SSL_CTX_set_options(3). 15454This is disabled in OpenSSL 0.9.7 and later. Nobody should still 15455be using 0.9.6! </dd> 15456 15457<dt><b>TLSEXT_PADDING</b></dt><dd>Postfix ≥ 3.4. See SSL_CTX_set_options(3).</dd> 15458 15459</dl> 15460 15461<p> This feature is available in Postfix 2.8 and later. 
</p>

%PARAM tls_legacy_public_key_fingerprints no

<p> A temporary migration aid for sites that use certificate
<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use
an incorrect algorithm. This parameter has no effect on the certificate
fingerprint support that is available since Postfix 2.2. </p>

<p> Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
pending a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate public-key fingerprints, to the correct
fingerprints used by Postfix 2.9.6 and later. To compute the correct
certificate public-key fingerprints, see TLS_README. </p>

<p> This feature is available in Postfix 2.9.6 and later. </p>

%PARAM tlsproxy_watchdog_timeout 10s

<p> How much time a tlsproxy(8) process may take to process local
or remote I/O before it is terminated by a built-in watchdog timer.
This is a safety mechanism that prevents tlsproxy(8) from becoming
non-responsive due to a bug in Postfix itself or in system software.
To avoid false alarms and unnecessary cache corruption, this limit
cannot be set under 10s. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_discard_ehlo_keywords $smtpd_discard_ehlo_keywords

<p> A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the postscreen(8) server will not send in the EHLO
response to a remote SMTP client. See smtpd_discard_ehlo_keywords
for details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_discard_ehlo_keyword_address_maps $smtpd_discard_ehlo_keyword_address_maps

<p> Lookup tables, indexed by the remote SMTP client address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
etc.) that the postscreen(8) server will not send in the EHLO response
to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
The table is not searched by hostname for robustness reasons. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_use_tls $smtpd_use_tls

<p> Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
but do not require that clients use TLS encryption. </p>

<p> This feature is available in Postfix 2.8 and later.
Preferably, use postscreen_tls_security_level instead. </p>

%PARAM postscreen_enforce_tls $smtpd_enforce_tls

<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls
for details. </p>

<p> This feature is available in Postfix 2.8 and later.
Preferably, use postscreen_tls_security_level instead. </p>

%PARAM postscreen_tls_security_level $smtpd_tls_security_level

<p> The SMTP TLS security level for the postscreen(8) server; when
a non-empty value is specified, this overrides the obsolete parameters
postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_security_level
for details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_enforce_tls $smtpd_enforce_tls

<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
further details. Use tlsproxy_tls_security_level instead. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_CAfile $smtpd_tls_CAfile

<p> A file containing (PEM format) CA certificates of root CAs
trusted to sign either remote SMTP client certificates or intermediate
CA certificates. See smtpd_tls_CAfile for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_CApath $smtpd_tls_CApath

<p> A directory containing (PEM format) CA certificates of root CAs
trusted to sign either remote SMTP client certificates or intermediate
CA certificates. See smtpd_tls_CApath for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_always_issue_session_ids $smtpd_tls_always_issue_session_ids

<p> Force the Postfix tlsproxy(8) server to issue a TLS session id,
even when TLS session caching is turned off. See
smtpd_tls_always_issue_session_ids for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_ask_ccert $smtpd_tls_ask_ccert

<p> Ask a remote SMTP client for a client certificate. See
smtpd_tls_ask_ccert for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_ccert_verifydepth $smtpd_tls_ccert_verifydepth

<p> The verification depth for remote SMTP client certificates. A
depth of 1 is sufficient if the issuing CA is listed in a local CA
file. See smtpd_tls_ccert_verifydepth for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_cert_file $smtpd_tls_cert_file

<p> File with the Postfix tlsproxy(8) server RSA certificate in PEM
format. This file may also contain the Postfix tlsproxy(8) server
private RSA key. See smtpd_tls_cert_file for further details. With
Postfix ≥ 3.4 the preferred way to configure tlsproxy server keys and
certificates is via the "tlsproxy_tls_chain_files" parameter. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_ciphers $smtpd_tls_ciphers

<p> The minimum TLS cipher grade that the Postfix tlsproxy(8) server
will use with opportunistic TLS encryption. See smtpd_tls_ciphers
for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_dcert_file $smtpd_tls_dcert_file

<p> File with the Postfix tlsproxy(8) server DSA certificate in PEM
format. This file may also contain the Postfix tlsproxy(8) server
private DSA key. DSA is obsolete and should not be used. See
smtpd_tls_dcert_file for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_dh1024_param_file $smtpd_tls_dh1024_param_file

<p> File with DH parameters that the Postfix tlsproxy(8) server
should use with non-export EDH ciphers. See smtpd_tls_dh1024_param_file
for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_dh512_param_file $smtpd_tls_dh512_param_file

<p> File with DH parameters that the Postfix tlsproxy(8) server
should use with export-grade EDH ciphers. See smtpd_tls_dh512_param_file
for further details. The default SMTP server cipher grade is
"medium" with Postfix releases after the middle of 2015, and as a
result export-grade cipher suites are by default not used. </p>

<p> With Postfix ≥ 3.6 export-grade Diffie-Hellman key exchange
is no longer supported, and this parameter is silently ignored. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_dkey_file $smtpd_tls_dkey_file

<p> File with the Postfix tlsproxy(8) server DSA private key in PEM
format. This file may be combined with the Postfix tlsproxy(8) server
DSA certificate file specified with $smtpd_tls_dcert_file. DSA is
obsolete and should not be used. See smtpd_tls_dkey_file for further
details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_eccert_file $smtpd_tls_eccert_file

<p> File with the Postfix tlsproxy(8) server ECDSA certificate in PEM
format. This file may also contain the Postfix tlsproxy(8) server
private ECDSA key. See smtpd_tls_eccert_file for further details. With
Postfix ≥ 3.4 the preferred way to configure tlsproxy server keys and
certificates is via the "tlsproxy_tls_chain_files" parameter. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_eckey_file $smtpd_tls_eckey_file

<p> File with the Postfix tlsproxy(8) server ECDSA private key in PEM
format. This file may be combined with the Postfix tlsproxy(8) server
ECDSA certificate file specified with $smtpd_tls_eccert_file. See
smtpd_tls_eckey_file for further details. With Postfix ≥ 3.4 the
preferred way to configure tlsproxy server keys and certificates is via
the "tlsproxy_tls_chain_files" parameter. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_eecdh_grade $smtpd_tls_eecdh_grade

<p> The Postfix tlsproxy(8) server security grade for ephemeral
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details. </p>

<p> This feature is available in Postfix 2.8 and later.
</p>

%PARAM tlsproxy_tls_exclude_ciphers $smtpd_tls_exclude_ciphers

<p> List of ciphers or cipher types to exclude from the tlsproxy(8)
server cipher list at all TLS security levels. See
smtpd_tls_exclude_ciphers for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_fingerprint_digest $smtpd_tls_fingerprint_digest

<p> The message digest algorithm to construct remote SMTP
client-certificate
fingerprints. See smtpd_tls_fingerprint_digest for further details.
</p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_key_file $smtpd_tls_key_file

<p> File with the Postfix tlsproxy(8) server RSA private key in PEM
format. This file may be combined with the Postfix tlsproxy(8) server
RSA certificate file specified with $smtpd_tls_cert_file. See
smtpd_tls_key_file for further details. With Postfix ≥ 3.4 the
preferred way to configure tlsproxy server keys and certificates is via
the "tlsproxy_tls_chain_files" parameter. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_loglevel $smtpd_tls_loglevel

<p> Enable additional Postfix tlsproxy(8) server logging of TLS
activity. Each logging level also includes the information that
is logged at a lower logging level. See smtpd_tls_loglevel for
further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_mandatory_ciphers $smtpd_tls_mandatory_ciphers

<p> The minimum TLS cipher grade that the Postfix tlsproxy(8) server
will use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers
for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_mandatory_exclude_ciphers $smtpd_tls_mandatory_exclude_ciphers

<p> Additional list of ciphers or cipher types to exclude from the
tlsproxy(8) server cipher list at mandatory TLS security levels.
See smtpd_tls_mandatory_exclude_ciphers for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_mandatory_protocols $smtpd_tls_mandatory_protocols

<p> The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server
with mandatory TLS encryption. If the list is empty, the server
supports all available SSL/TLS protocol versions. See
smtpd_tls_mandatory_protocols for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_protocols $smtpd_tls_protocols

<p> List of TLS protocols that the Postfix tlsproxy(8) server will
exclude or include with opportunistic TLS encryption. See
smtpd_tls_protocols for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_req_ccert $smtpd_tls_req_ccert

<p> With mandatory TLS encryption, require a trusted remote SMTP
client certificate in order to allow TLS connections to proceed.
See smtpd_tls_req_ccert for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_security_level $smtpd_tls_security_level

<p> The SMTP TLS security level for the Postfix tlsproxy(8) server;
when a non-empty value is specified, this overrides the obsolete
parameters smtpd_use_tls and smtpd_enforce_tls. See
smtpd_tls_security_level for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_session_cache_timeout $smtpd_tls_session_cache_timeout

<p> Obsolete expiration time of Postfix tlsproxy(8) server TLS session
cache information. Since the cache is shared with smtpd(8) and managed
by tlsmgr(8), there is only one expiration time for the SMTP server cache
shared by all three services, namely smtpd_tls_session_cache_timeout. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_use_tls $smtpd_use_tls

<p> Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
but do not require that clients use TLS encryption. See smtpd_use_tls
for further details. Use tlsproxy_tls_security_level instead. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM smtpd_reject_footer

<p> Optional information that is appended after each Postfix SMTP
server 4XX or 5XX response. </p>

<p> The following example uses "\c" at the start of the template
(supported in Postfix 2.10 and later) to suppress the line break
between the reply text and the footer text. With earlier Postfix
versions, the footer text always begins on a new line, and the "\c"
is output literally. </p>

<pre>
/etc/postfix/main.cf:
    smtpd_reject_footer = \c. For assistance, call 800-555-0101.
     Please provide the following information in your problem report:
     time ($localtime), client ($client_address) and server
     ($server_name).
</pre>

<p> Server response: </p>

<pre>
    550-5.5.1 &lt;user@example&gt; Recipient address rejected: User
    unknown. For assistance, call 800-555-0101. Please provide the
    following information in your problem report: time (Jan 4 15:42:00),
    client (192.168.1.248) and server (mail1.example.com).
</pre>

<p> Note: the above text is meant to make it easier to find the
Postfix logfile records for a failed SMTP session. The text itself
is not logged to the Postfix SMTP server's maillog file. </p>

<p> Be sure to keep the text as short as possible. Long text may
be truncated before it is logged to the remote SMTP client's maillog
file, or before it is returned to the sender in a delivery status
notification. </p>

<p> The template text is not subject to Postfix configuration
parameter $name expansion. Instead, this feature supports a limited
number of $name attributes in the footer text. These attributes are
replaced with their current value for the SMTP session. </p>

<p> Note: specify $$name in footer text that is looked up from
regexp: or pcre:-based smtpd_reject_footer_maps; otherwise the
Postfix server will not use the footer text and will log a warning
instead. </p>

<dl>

<dt> <b>client_address</b> </dt> <dd> The client IP address that
is logged in the maillog file. </dd>

<dt> <b>client_port</b> </dt> <dd> The client TCP port that is
logged in the maillog file. </dd>

<dt> <b>localtime</b> </dt> <dd> The server local time (Mmm dd
hh:mm:ss) that is logged in the maillog file. </dd>

<dt> <b>server_name</b> </dt> <dd> The server's myhostname value.
This attribute is made available for sites with multiple MTAs
(perhaps behind a load-balancer), where the server name can help
the server support team to quickly find the right log files. </dd>

</dl>

<p> Notes: </p>

<ul>

<li> <p> NOT SUPPORTED are other attributes such as sender, recipient,
or main.cf parameters. </p>

<li> <p> For safety reasons, text that does not match
$smtpd_expansion_filter is censored. </p>

</ul>

<p> This feature supports the two-character sequence \n as a request
for a line break in the footer text. Postfix automatically inserts
after each line break the three-digit SMTP reply code (and optional
enhanced status code) from the original Postfix reject message.
</p>

<p> To work around mail software that mis-handles multi-line replies,
specify the two-character sequence \c at the start of the template.
This suppresses the line break between the reply text and the footer
text (Postfix 2.10 and later). </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM smtpd_reject_footer_maps

<p> Lookup tables, indexed by the complete Postfix SMTP server 4xx or
5xx response, with reject footer templates. See smtpd_reject_footer
for details. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM postscreen_expansion_filter see "postconf -d" output

<p> List of characters that are permitted in postscreen_reject_footer
attribute expansions. See smtpd_expansion_filter for further
details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_reject_footer $smtpd_reject_footer

<p> Optional information that is appended after a 4XX or 5XX
postscreen(8) server
response. See smtpd_reject_footer for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_reject_footer_maps $smtpd_reject_footer_maps

<p> Optional lookup table for information that is appended after a 4XX
or 5XX postscreen(8) server response. </p>
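
<p> The smtpd_reject_footer processing described above (the "\c"
prefix, "\n" line breaks with the reply code re-inserted, the four
supported $name attributes, censoring against smtpd_expansion_filter,
and the "$$name" escape needed in regexp:/pcre: smtpd_reject_footer_maps),
as an added Python example that is not Postfix source code. Details the
page does not state are assumptions here: unsupported attributes expand
to nothing, censored characters become "_", the filter default is
printable ASCII plus TAB, non-final lines use the RFC 5321 "CODE-"
continuation form, and the regexp map is a list of (pattern, template)
pairs searched in order. </p>

```python
"""Footer expansion for smtpd_reject_footer (added example, not Postfix code)."""
import re

# The four attributes the page documents as supported in the footer.
SUPPORTED_ATTRIBUTES = ("client_address", "client_port", "localtime", "server_name")

# Constructed stand-in for the smtpd_expansion_filter default: printable
# ASCII plus TAB (assumption; the real value is in "postconf -d" output).
DEFAULT_EXPANSION_FILTER = "\t" + "".join(chr(c) for c in range(0x20, 0x7F))

_DOLLAR_NAME = re.compile(r"\$(?:\{(\w+)\}|(\w+))")
_SMTP_REPLY = re.compile(r"(\d{3}) (?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)\Z", re.S)


def censor(value, allowed=DEFAULT_EXPANSION_FILTER):
    """Replace characters outside the expansion filter; "_" is an assumed
    replacement character, the page only says the text is censored."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def expand_attributes(template, attrs, allowed=DEFAULT_EXPANSION_FILTER):
    """Expand $name / ${name} for supported attributes only; the template is
    not subject to main.cf $parameter expansion, so anything else expands
    to nothing (assumption)."""
    def replace(match):
        name = match.group(1) or match.group(2)
        if name not in SUPPORTED_ATTRIBUTES:
            return ""
        return censor(str(attrs.get(name, "")), allowed)
    return _DOLLAR_NAME.sub(replace, template)


def apply_footer(reply, template, attrs, allowed=DEFAULT_EXPANSION_FILTER):
    """Return the reply lines sent to the client, footer included.

    "\\c" at the start of the template glues the footer to the reply text;
    "\\n" requests a line break, after which the three-digit reply code and
    the optional enhanced status code are re-inserted.  Non-final lines use
    the RFC 5321 "CODE-" continuation form (assumption)."""
    match = _SMTP_REPLY.match(reply)
    if match is None:
        raise ValueError("not an SMTP reply: %r" % reply)
    code, enhanced, text = match.groups()
    footer = expand_attributes(template, attrs, allowed)
    if footer.startswith("\\c"):
        parts = (text + footer[2:]).split("\\n")
    else:
        parts = [text] + footer.split("\\n")
    status = enhanced + " " if enhanced else ""
    last = len(parts) - 1
    return [code + ("-" if i < last else " ") + status + part
            for i, part in enumerate(parts)]


def footer_from_regexp_map(reply, table):
    """Fetch a footer template from a regexp:-style smtpd_reject_footer_maps
    table, modelled here as a list of (pattern, template) pairs searched in
    order (assumption).  In the replacement "$$" yields a literal "$" and
    "$N" a match group, which is why attributes must be written $$name;
    any other "$" sequence is a syntax error: None is returned and Postfix
    would log a warning instead of using the footer."""
    for pattern, template in table:
        match = re.search(pattern, reply)
        if match is None:
            continue
        out, i = [], 0
        while i < len(template):
            if template[i] != "$":
                out.append(template[i])
                i += 1
            elif template.startswith("$$", i):
                out.append("$")
                i += 2
            else:
                digits = re.match(r"\d+", template[i + 1:])
                if digits is None or int(digits.group()) > len(match.groups()):
                    return None
                out.append(match.group(int(digits.group())) or "")
                i += 1 + len(digits.group())
        return "".join(out)
    return None


# Constructed sample session reproducing the page's example.
SAMPLE_REPLY = "550 5.5.1 <user@example> Recipient address rejected: User unknown"
SAMPLE_TEMPLATE = ("\\c. For assistance, call 800-555-0101. Please provide the "
                   "following information in your problem report: time ($localtime), "
                   "client ($client_address) and server ($server_name).")
SAMPLE_ATTRS = {"client_address": "192.168.1.248", "client_port": "54321",
                "localtime": "Jan 4 15:42:00", "server_name": "mail1.example.com"}

if __name__ == "__main__":
    for line in apply_footer(SAMPLE_REPLY, SAMPLE_TEMPLATE, SAMPLE_ATTRS):
        print(line)
```
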
<p> See smtpd_reject_footer_maps for further details. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM postscreen_command_filter $smtpd_command_filter

<p> A mechanism to transform commands from remote SMTP clients.
See smtpd_command_filter for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM dnsblog_service_name dnsblog

<p> The name of the dnsblog(8) service entry in master.cf. This
service performs DNS allow/denylist lookups. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_service_name tlsproxy

<p> The name of the tlsproxy(8) service entry in master.cf. This
service performs plaintext &lt;=&gt; TLS ciphertext conversion. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM smtpd_per_record_deadline normal: no, overload: yes

<p> Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
time limits, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message). This
limits the impact from hostile peers that trickle data one byte at
a time. </p>

<p> Note: when per-record deadlines are enabled, a short timeout
may cause problems with TLS over very slow network connections.
The reasons are that a TLS protocol message can be up to 16 kbytes
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>

<p> This feature is available in Postfix 2.9-3.6. With older
Postfix releases, the behavior is as if this parameter is set to
"no". Postfix 3.7 and later use smtpd_per_request_deadline. </p>

%PARAM smtp_per_record_deadline no

<p> Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message). This
limits the impact from hostile peers that trickle data one byte at
a time. </p>

<p> Note: when per-record deadlines are enabled, a short timeout
may cause problems with TLS over very slow network connections.
The reasons are that a TLS protocol message can be up to 16 kbytes
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>

<p> This feature is available in Postfix 2.9-3.6. With older
Postfix releases, the behavior is as if this parameter is set to
"no". Postfix 3.7 and later use smtp_per_request_deadline. </p>

%PARAM lmtp_per_record_deadline no

<p> The LMTP-specific version of the smtp_per_record_deadline
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.9 and later. </p>

%PARAM postscreen_whitelist_interfaces static:all

<p> Renamed to postscreen_allowlist_interfaces in Postfix 3.6. </p>

<p> This feature is available in Postfix 2.9 - 3.5. </p>

%PARAM postscreen_allowlist_interfaces static:all

<p> A list of local postscreen(8) server IP addresses where a
non-allowlisted remote SMTP client can obtain postscreen(8)'s temporary
allowlist status. This status is required before the client can
talk to a Postfix SMTP server process. By default, a client can
obtain postscreen(8)'s allowlist status on any local postscreen(8)
server IP address. </p>

<p> When postscreen(8) listens on both primary and backup MX
addresses, the postscreen_allowlist_interfaces parameter can be
configured to give the temporary allowlist status only when a client
connects to a primary MX address. Once a client is allowlisted it
can talk to a Postfix SMTP server on any address. Thus, clients
that connect only to backup MX addresses will never become allowlisted,
and will never be allowed to talk to a Postfix SMTP server process.
</p>

<p> Specify a list of network addresses or network/netmask patterns,
separated by commas and/or whitespace. The netmask specifies the
number of bits in the network part of a host address. Continue long
lines by starting the next line with whitespace. </p>

<p> You can also specify "/file/name" or "type:table" patterns. A
"/file/name" pattern is replaced by its contents; a "type:table"
lookup table is matched when a table entry matches a lookup string
(the lookup result is ignored). </p>

<p> The list is matched left to right, and the search stops on the
first match. Specify "!pattern" to exclude an address or network
block from the list. </p>

<p> Note: IP version 6 address information must be specified inside
[] in the postscreen_allowlist_interfaces value, and in files
specified with "/file/name". IP version 6 addresses contain the
":" character, and would otherwise be confused with a "type:table"
pattern. </p>

<p> Example: </p>

<pre>
/etc/postfix/main.cf:
    # Don't allowlist connections to the backup IP address.
    # Postfix &lt; 3.6 use postscreen_whitelist_interfaces.
    postscreen_allowlist_interfaces = !168.100.189.8, static:all
</pre>

<p> This feature is available in Postfix 3.6 and later. </p>

<p> Available as postscreen_whitelist_interfaces in Postfix 2.9 - 3.5.
</p>

%PARAM postscreen_upstream_proxy_protocol

<p> The name of the proxy protocol used by an optional before-postscreen
proxy agent. When a proxy agent is used, this protocol conveys local
and remote address and port information. Specify
"postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy
protocol; version 2 is supported with Postfix 3.5 and later. </p>

<p> This feature is available in Postfix 2.10 and later. </p>

%PARAM postscreen_upstream_proxy_timeout 5s

<p> The time limit for the proxy protocol specified with the
postscreen_upstream_proxy_protocol parameter. </p>

<p> This feature is available in Postfix 2.10 and later. </p>

%PARAM smtpd_upstream_proxy_protocol

<p> The name of the proxy protocol used by an optional before-smtpd
proxy agent. When a proxy agent is used, this protocol conveys local
and remote address and port information. Specify
"smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy
protocol; version 2 is supported with Postfix 3.5 and later. </p>

<p> NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT
protocol with smtpd_authorized_xclient_hosts. This supports SASL
authentication in the proxy agent (Postfix 2.9 and later). </p>

<p> This feature is available in Postfix 2.10 and later. </p>

%PARAM smtpd_upstream_proxy_timeout 5s

<p> The time limit for the proxy protocol specified with the
smtpd_upstream_proxy_protocol parameter. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

<p> This feature is available in Postfix 2.10 and later. </p>

%PARAM enable_long_queue_ids no

<p> Enable long, non-repeating, queue IDs (queue file names). The
benefit of non-repeating names is simpler logfile analysis and
easier queue migration (there is no need to run "postsuper" to
change queue file names that don't match their message file inode
number). </p>

<p> Note: see below for how to convert long queue file names to
Postfix ≤ 2.8. </p>

<p> Changing the parameter value to "yes" has the following effects:
</p>

<ul>

<li> <p> Existing queue file names are not affected. </p>

<li> <p> New queue files are created with names such as 3Pt2mN2VXxznjll.
These are encoded in a 52-character alphabet that contains digits
(0-9), upper-case letters (B-Z) and lower-case letters (b-z). For
safety reasons the vowels (AEIOUaeiou) are excluded from the alphabet.
The name format is: 6 or more characters for the time in seconds,
4 characters for the time in microseconds, the 'z'; the remainder
is the file inode number encoded in the first 51 characters of the
52-character alphabet. </p>

<li> <p> New messages have a Message-ID header with
<i>queueID</i>@<i>myhostname</i>. </p>

<li> <p> The mailq (postqueue -p) output has a wider Queue ID column.
The number of whitespace-separated fields is not changed. </p>

<li> <p> The hash_queue_depth algorithm uses the first characters
of the queue file creation time in microseconds, after conversion
into hexadecimal representation. This produces the same queue hashing
behavior as if the queue file name was created with "enable_long_queue_ids
= no". </p>

</ul>

<p> Changing the parameter value to "no" has the following effects:
</p>

<ul>

<li> <p> Existing long queue file names are renamed to the short
form (while running "postfix reload" or "postsuper"). </p>

<li> <p> New queue files are created with names such as C3CD21F3E90
from a hexadecimal alphabet that contains digits (0-9) and upper-case
letters (A-F). The name format is: 5 characters for the time in
microseconds; the remainder is the file inode number. </p>

<li> <p> New messages have a Message-ID header with
<i>YYYYMMDDHHMMSS.queueid</i>@<i>myhostname</i>, where
<i>YYYYMMDDHHMMSS</i> are the year, month, day, hour, minute and
second. </p>

<li> <p> The mailq (postqueue -p) output has the same format as
with Postfix ≤ 2.8. </p>

<li> <p> The hash_queue_depth algorithm uses the first characters
of the queue file name, with the hexadecimal representation of the
file creation time in microseconds. </p>

</ul>

<p> Before migration to Postfix ≤ 2.8, the following commands
are required to convert long queue file names into short names: </p>

<pre>
# postfix stop
# postconf enable_long_queue_ids=no
# postsuper
</pre>

<p> Repeat the postsuper command until it reports no more queue file
name changes. </p>

<p> This feature is available in Postfix 2.9 and later. </p>

%PARAM sendmail_fix_line_endings always

<p> Controls how the Postfix sendmail command converts email message
line endings from &lt;CR&gt;&lt;LF&gt; into UNIX format (&lt;LF&gt;).
</p>

<dl>

<dt> <b>always</b> </dt> <dd> Always convert message lines ending
in &lt;CR&gt;&lt;LF&gt;. This setting is the default with Postfix
2.9 and later.
</dd> 16166 16167<dt> <b>strict</b> </dt> <dd> Convert message lines ending in 16168<CR><LF> only if the first input line ends in 16169<CR><LF>. This setting is backwards-compatible with 16170Postfix 2.8 and earlier. </dd> 16171 16172<dt> <b>never</b> </dt> <dd> Never convert message lines ending in 16173<CR><LF>. This setting exists for completeness only. 16174</dd> 16175 16176</dl> 16177 16178<p> This feature is available in Postfix 2.9 and later. </p> 16179 16180%PARAM smtp_send_dummy_mail_auth no 16181 16182<p> Whether or not to append the "AUTH=<>" option to the MAIL 16183FROM command in SASL-authenticated SMTP sessions. The default is 16184not to send this, to avoid problems with broken remote SMTP servers. 16185Before Postfix 2.9 the behavior is as if "smtp_send_dummy_mail_auth 16186= yes". 16187 16188<p> This feature is available in Postfix 2.9 and later. </p> 16189 16190%PARAM lmtp_send_dummy_mail_auth no 16191 16192<p> The LMTP-specific version of the smtp_send_dummy_mail_auth 16193configuration parameter. See there for details. </p> 16194 16195<p> This feature is available in Postfix 2.9 and later. </p> 16196 16197%PARAM address_verify_sender_ttl 0s 16198 16199<p> The time between changes in the time-dependent portion of address 16200verification probe sender addresses. The time-dependent portion is 16201appended to the localpart of the address specified with the 16202address_verify_sender parameter. This feature is ignored when the 16203probe sender addresses is the null sender, i.e. the address_verify_sender 16204value is empty or <>. </p> 16205 16206<p> Historically, the probe sender address was fixed. This has 16207caused such addresses to end up on spammer mailing lists, and has 16208resulted in wasted network and processing resources. </p> 16209 16210<p> To enable time-dependent probe sender addresses, specify a 16211non-zero time value. Specify a value of at least several hours, 16212to avoid problems with senders that use greylisting. 
Avoid nice 16213TTL values, to make the result less predictable. </p> 16214 16215<p> Specify a non-negative time value (an integral value plus an optional 16216one-letter suffix that specifies the time unit). Time units: s 16217(seconds), m (minutes), h (hours), d (days), w (weeks). 16218The default time unit is s (seconds). </p> 16219 16220<p> This feature is available in Postfix 2.9 and later. </p> 16221 16222%PARAM smtp_address_verify_target rcpt 16223 16224<p> In the context of email address verification, the SMTP protocol 16225stage that determines whether an email address is deliverable. 16226Specify one of "rcpt" or "data". The latter is needed with remote 16227SMTP servers that reject recipients after the DATA command. Use 16228transport_maps to apply this feature selectively: </p> 16229 16230<blockquote> 16231<pre> 16232/etc/postfix/main.cf: 16233 transport_maps = hash:/etc/postfix/transport 16234</pre> 16235</blockquote> 16236 16237<blockquote> 16238<pre> 16239/etc/postfix/transport: 16240 smtp-domain-that-verifies-after-data smtp-data-target: 16241 lmtp-domain-that-verifies-after-data lmtp-data-target: 16242</pre> 16243</blockquote> 16244 16245<blockquote> 16246<pre> 16247/etc/postfix/master.cf: 16248 smtp-data-target unix - - n - - smtp 16249 -o smtp_address_verify_target=data 16250 lmtp-data-target unix - - n - - lmtp 16251 -o lmtp_address_verify_target=data 16252</pre> 16253</blockquote> 16254 16255<p> Unselective use of the "data" target does no harm, but will 16256result in unnecessary "lost connection after DATA" events at remote 16257SMTP/LMTP servers. </p> 16258 16259<p> This feature is available in Postfix 3.0 and later. </p> 16260 16261%PARAM lmtp_address_verify_target rcpt 16262 16263<p> The LMTP-specific version of the smtp_address_verify_target 16264configuration parameter. See there for details. </p> 16265 16266<p> This feature is available in Postfix 3.0 and later. 
</p> 16267 16268%PARAM daemon_table_open_error_is_fatal no 16269 16270<p> How a Postfix daemon process handles errors while opening lookup 16271tables: gradual degradation or immediate termination. </p> 16272 16273<dl> 16274 16275<dt> <b> no </b> (default) </dt> <dd> <p> Gradual degradation: a 16276daemon process logs a message of type "error" and continues execution 16277with reduced functionality. Features that do not depend on the 16278unavailable table will work normally, while features that depend 16279on the table will result in a type "warning" message. <br> When 16280the notify_classes parameter value contains the "data" class, the 16281Postfix SMTP server and client will report transcripts of sessions 16282with an error because a table is unavailable. </p> </dd> 16283 16284<dt> <b> yes </b> (historical behavior) </dt> <dd> <p> Immediate 16285termination: a daemon process logs a type "fatal" message and 16286terminates immediately. This option reduces the number of possible 16287code paths through Postfix, and may therefore be slightly more 16288secure than the default. </p> </dd> 16289 16290</dl> 16291 16292<p> For the sake of sanity, the number of type "error" messages is 16293limited to 13 over the lifetime of a daemon process. </p> 16294 16295<p> This feature is available in Postfix 2.9 and later. </p> 16296 16297%PARAM smtpd_log_access_permit_actions 16298 16299<p> Enable logging of the named "permit" actions in SMTP server 16300access lists (by default, the SMTP server logs "reject" actions but 16301not "permit" actions). This feature does not affect conditional 16302actions such as "defer_if_permit". </p> 16303 16304<p> Specify a list of "permit" action names, "/file/name" or 16305"type:table" patterns, separated by commas and/or whitespace. The 16306list is matched left to right, and the search stops on the first 16307match. 
A "/file/name" pattern is replaced by its contents; a 16308"type:table" lookup table is matched when a name matches a lookup 16309key (the lookup result is ignored). Continue long lines by starting 16310the next line with whitespace. Specify "!pattern" to exclude a name 16311from the list. </p> 16312 16313<p> Examples: </p> 16314 16315<pre> 16316/etc/postfix/main.cf: 16317 # Log all "permit" actions. 16318 smtpd_log_access_permit_actions = static:all 16319</pre> 16320 16321<pre> 16322/etc/postfix/main.cf: 16323 # Log "permit_dnswl_client" only. 16324 smtpd_log_access_permit_actions = permit_dnswl_client 16325</pre> 16326 16327<p> This feature is available in Postfix 2.10 and later. </p> 16328 16329%PARAM smtp_dns_support_level 16330 16331<p> Level of DNS support in the Postfix SMTP client. With 16332"smtp_dns_support_level" left at its empty default value, the legacy 16333"disable_dns_lookups" parameter controls whether DNS is enabled in 16334the Postfix SMTP client, otherwise the legacy parameter is ignored. 16335</p> 16336 16337<p> Specify one of the following: </p> 16338 16339<dl> 16340 16341<dt><b>disabled</b></dt> 16342 16343<dd>Disable DNS lookups. No MX lookups are performed and hostname 16344to address lookups are unconditionally "native". This setting is 16345not appropriate for hosts that deliver mail to the public Internet. 16346Some obsolete how-to documents recommend disabling DNS lookups in 16347some configurations with content_filters. This is no longer required 16348and strongly discouraged. </dd> 16349 16350<dt><b>enabled</b></dt> 16351 16352<dd>Enable DNS lookups. Nexthop destination domains not enclosed 16353in "[]" will be subject to MX lookups. If "dns" and "native" are 16354included in the "smtp_host_lookup" parameter value, DNS will be 16355queried first to resolve MX-host A records, followed by "native" 16356lookups if no answer is found in DNS. 
</dd> 16357 16358<dt><b>dnssec</b></dt> 16359 16360<dd>Enable <a href="https://tools.ietf.org/html/rfc4033">DNSSEC</a> 16361lookups. The "dnssec" setting differs from the "enabled" setting 16362above in the following ways: <ul> <li>Any MX lookups will set 16363RES_USE_DNSSEC and RES_USE_EDNS0 to request DNSSEC-validated 16364responses. If the MX response is DNSSEC-validated the corresponding 16365hostnames are considered validated. <li> The address lookups of 16366validated hostnames are also validated, (provided of course 16367"smtp_host_lookup" includes "dns", see below). <li>Temporary 16368failures in DNSSEC-enabled hostname-to-address resolution block any 16369"native" lookups. Additional "native" lookups only happen when 16370DNSSEC lookups hard-fail (NODATA or NXDOMAIN). </ul> </dd> 16371 16372</dl> 16373 16374<p> The Postfix SMTP client considers non-MX "[nexthop]" and 16375"[nexthop]:port" destinations equivalent to statically-validated 16376MX records of the form "nexthop. IN MX 0 nexthop." Therefore, 16377with "dnssec" support turned on, validated hostname-to-address 16378lookups apply to the nexthop domain of any "[nexthop]" or 16379"[nexthop]:port" destination. This is also true for LMTP "inet:host" 16380and "inet:host:port" destinations, as LMTP hostnames are never 16381subject to MX lookups. </p> 16382 16383<p>The "dnssec" setting is recommended only if you plan to use the 16384<a href="TLS_README.html#client_tls_dane">dane</a> or <a 16385href="TLS_README.html#client_tls_dane">dane-only</a> TLS security 16386level, otherwise enabling DNSSEC support in Postfix offers no 16387additional security. Postfix DNSSEC support relies on an upstream 16388recursive nameserver that validates DNSSEC signatures. Such a DNS 16389server will always filter out forged DNS responses, even when Postfix 16390itself is not configured to use DNSSEC. 
</p> 16391 16392<p> When using Postfix DANE support the "smtp_host_lookup" parameter 16393should include "dns", as <a 16394href="https://tools.ietf.org/html/rfc7672">DANE</a> is not applicable 16395to hosts resolved via "native" lookups. </p> 16396 16397<p> As mentioned above, Postfix is not a validating <a 16398href="https://tools.ietf.org/html/rfc4035#section-4.9">stub 16399resolver</a>; it relies on the system's configured DNSSEC-validating 16400<a href="https://tools.ietf.org/html/rfc4035#section-3.2">recursive 16401nameserver</a> to perform all DNSSEC validation. Since this 16402nameserver's DNSSEC-validated responses will be fully trusted, it 16403is strongly recommended that the MTA host have a local DNSSEC-validating 16404recursive caching nameserver listening on a loopback address, and 16405be configured to use only this nameserver for all lookups. Otherwise, 16406Postfix may remain subject to man-in-the-middle attacks that forge 16407responses from the recursive nameserver</p> 16408 16409<p>DNSSEC support requires a version of Postfix compiled against a 16410reasonably-modern DNS resolver(3) library that implements the 16411RES_USE_DNSSEC and RES_USE_EDNS0 resolver options. </p> 16412 16413<p> This feature is available in Postfix 2.11 and later. </p> 16414 16415%PARAM lmtp_dns_support_level 16416 16417<p> The LMTP-specific version of the smtp_dns_support_level 16418configuration parameter. See there for details. </p> 16419 16420<p> This feature is available in Postfix 2.11 and later. </p> 16421 16422%PARAM smtp_tls_trust_anchor_file 16423 16424<p> Zero or more PEM-format files with trust-anchor certificates 16425and/or public keys. If the parameter is not empty the root CAs in 16426CAfile and CApath are no longer trusted. Rather, the Postfix SMTP 16427client will only trust certificate-chains signed by one of the 16428trust-anchors contained in the chosen files. 
The specified 16429trust-anchor certificates and public keys are not subject to 16430expiration, and need not be (self-signed) root CAs. They may, if 16431desired, be intermediate certificates. Therefore, these certificates 16432also may be found "in the middle" of the trust chain presented by 16433the remote SMTP server, and any untrusted issuing parent certificates 16434will be ignored. Specify a list of pathnames separated by comma 16435or whitespace. </p> 16436 16437<p> Whether specified in main.cf, or on a per-destination basis, 16438the trust-anchor PEM file must be accessible to the Postfix SMTP 16439client in the chroot jail if applicable. The trust-anchor file 16440should contain only certificates and public keys, no private key 16441material, and must be readable by the non-privileged $mail_owner 16442user. This allows destinations to be bound to a set of specific 16443CAs or public keys without trusting the same CAs for all destinations. 16444</p> 16445 16446<p> The main.cf parameter supports single-purpose Postfix installations 16447that send mail to a fixed set of SMTP peers. At most sites, if 16448trust-anchor files are used at all, they will be specified on a 16449per-destination basis via the "tafile" attribute of the "verify" 16450and "secure" levels in smtp_tls_policy_maps. </p> 16451 16452<p> The underlying mechanism is in support of RFC 7672 (DANE TLSA), 16453which defines mechanisms for an SMTP client MTA to securely determine 16454server TLS certificates via DNS. </p> 16455 16456<p> If you want your trust anchors to be public keys, with OpenSSL 16457you can extract a single PEM public key from a PEM X.509 file 16458containing a single certificate, as follows: </p> 16459 16460<blockquote> 16461<pre> 16462$ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey 16463</pre> 16464</blockquote> 16465 16466<p> This feature is available in Postfix 2.11 and later. 
</p> 16467 16468%PARAM lmtp_tls_trust_anchor_file 16469 16470<p> The LMTP-specific version of the smtp_tls_trust_anchor_file 16471configuration parameter. See there for details. </p> 16472 16473<p> This feature is available in Postfix 2.11 and later. </p> 16474 16475%PARAM tls_dane_trust_anchor_digest_enable yes 16476 16477<p> Enable support for RFC 6698 (DANE TLSA) DNS records that contain 16478digests of trust-anchors with certificate usage "2". Do not change 16479this setting from its default value. </p> 16480 16481<p> This feature is available in Postfix 2.11 through 3.1. It has 16482been withdrawn in Postfix 3.2, as trust-anchor TLSA records are now 16483widely used and have proved sufficiently reliable. Postfix 3.2 and 16484later ignore this configuration parameter and behaves as though it 16485were set to "yes". </p> 16486 16487%PARAM tls_wildcard_matches_multiple_labels yes 16488 16489<p> Match multiple DNS labels with "*" in wildcard certificates. 16490</p> 16491 16492<p> Some mail service providers prepend the customer domain name 16493to a base domain for which they have a wildcard TLS certificate. 16494For example, the MX records for example.com hosted by example.net 16495may be: </p> 16496 16497<blockquote> 16498<pre> 16499example.com. IN MX 0 example.com.mx1.example.net. 16500example.com. IN MX 0 example.com.mx2.example.net. 16501</pre> 16502</blockquote> 16503 16504<p> and the TLS certificate may be for "*.example.net". The "*" 16505then corresponds with multiple labels in the mail server domain 16506name. While multi-label wildcards are not widely supported, and 16507are not blessed by any standard, there is little to be gained by 16508disallowing their use in this context. </p> 16509 16510<p> Notes: <p> 16511 16512<ul> 16513 16514<li> <p> In a certificate name, the "*" is special only when it is 16515used as the first label. 
</p> 16516 16517<li> <p> While Postfix (2.11 or later) can match "*" with multiple 16518domain name labels, other implementations likely will not. </p> 16519 16520<li> <p> Earlier Postfix implementations behave as if 16521"tls_wildcard_matches_multiple_labels = no". </p> 16522 16523</ul> 16524 16525<p> This feature is available in Postfix 2.11 and later. </p> 16526 16527%PARAM tls_ssl_options 16528 16529<p> List or bit-mask of OpenSSL options to enable. </p> 16530 16531<p> The OpenSSL toolkit provides a set of options that applications 16532can enable to tune the OpenSSL behavior. Some of these work around 16533bugs in other implementations and are on by default. You can use 16534the tls_disable_workarounds parameter to selectively disable some 16535or all of the bug work-arounds, making OpenSSL more strict at the 16536cost of non-interoperability with SSL clients or servers that exhibit 16537the bugs. </p> 16538 16539<p> Other options are off by default, and typically enable or disable 16540features rather than bug work-arounds. These may be turned on (with 16541care) via the tls_ssl_options parameter. The value is a white-space 16542or comma separated list of named options chosen from the list below. 16543The names are not case-sensitive, you can use lower-case if you 16544prefer. The upper case values below match the corresponding macro 16545name in the ssl.h header file with the SSL_OP_ prefix removed. It 16546is possible that your OpenSSL version includes new options added 16547after your Postfix source code was last updated, in that case you 16548can only enable one of these via the hexadecimal syntax below. </p> 16549 16550<p> You should only enable features via the hexadecimal mask when 16551the need to control the feature is critical (to deal with a new 16552vulnerability or a serious interoperability problem). Postfix DOES 16553NOT promise backwards compatible behavior with respect to the mask 16554bits. 
A feature enabled via the mask in one release may be enabled 16555by other means in a later release, and the mask bit will then be 16556ignored. Therefore, use of the hexadecimal mask is only a temporary 16557measure until a new Postfix or OpenSSL release provides a better 16558solution. </p> 16559 16560<p> If the value of the parameter is a hexadecimal long integer 16561starting with "0x", the options corresponding to the bits specified 16562in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). 16563You can only enable options not already controlled by other Postfix 16564settings. For example, you cannot disable protocols or enable 16565server cipher preference. Do not attempt to enable all features by 16566specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some 16567bug work-arounds are also valid here, allowing them to be re-enabled 16568if/when they're no longer enabled by default. The supported values 16569include: </p> 16570 16571<dl> 16572 16573<dt><b>ENABLE_MIDDLEBOX_COMPAT</b></dt> <dd>Postfix ≥ 3.4. See 16574SSL_CTX_set_options(3).</dd> 16575 16576<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd> 16577 16578<dt><b>NO_TICKET</b></dt> <dd>Enabled by default when needed in 16579fully-patched Postfix ≥ 2.7. Not needed at all for Postfix ≥ 165802.11, unless for some reason you do not want to support TLS session 16581resumption. Best not set explicitly. See SSL_CTX_set_options(3).</dd> 16582 16583<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if 16584supported by the OpenSSL library. Compression is CPU-intensive, 16585and compression before encryption does not always improve security. </dd> 16586 16587<dt><b>NO_RENEGOTIATION</b></dt> <dd>Postfix ≥ 3.4. This can 16588reduce opportunities for a potential CPU exhaustion attack. See 16589SSL_CTX_set_options(3).</dd> 16590 16591<dt><b>NO_SESSION_RESUMPTION_ON_RENEGOTIATION</b></dt> <dd>Postfix 16592≥ 3.4. 
See SSL_CTX_set_options(3).</dd> 16593 16594<dt><b>PRIORITIZE_CHACHA</b></dt> <dd>Postfix ≥ 3.4. See SSL_CTX_set_options(3).</dd> 16595 16596</dl> 16597 16598<p> This feature is available in Postfix 2.11 and later. </p> 16599 16600%PARAM tlsmgr_service_name tlsmgr 16601 16602<p> The name of the tlsmgr(8) service entry in master.cf. This 16603service maintains TLS session caches and other information in support 16604of TLS. </p> 16605 16606<p> This feature is available in Postfix 2.11 and later. </p> 16607 16608%PARAM lmtp_connection_reuse_count_limit 0 16609 16610<p> The LMTP-specific version of the smtp_connection_reuse_count_limit 16611configuration parameter. See there for details. </p> 16612 16613<p> This feature is available in Postfix 2.11 and later. </p> 16614 16615%PARAM smtp_connection_reuse_count_limit 0 16616 16617<p> When SMTP connection caching is enabled, the number of times 16618that an SMTP session may be reused before it is closed, or zero (no 16619limit). With a reuse count limit of N, a connection is used up to 16620N+1 times. </p> 16621 16622<p> NOTE: This feature is unsafe. When a high-volume destination 16623has multiple inbound MTAs, then the slowest inbound MTA will attract 16624the most connections to that destination. This limitation does not 16625exist with the smtp_connection_reuse_time_limit feature. </p> 16626 16627<p> This feature is available in Postfix 2.11. </p> 16628 16629%PARAM lmtp_tls_force_insecure_host_tlsa_lookup no 16630 16631<p> The LMTP-specific version of the smtp_tls_force_insecure_host_tlsa_lookup 16632configuration parameter. See there for details. </p> 16633 16634<p> This feature is available in Postfix 2.11 and later. </p> 16635 16636%PARAM smtp_tls_force_insecure_host_tlsa_lookup no 16637 16638<p> Lookup the associated DANE TLSA RRset even when a hostname is 16639not an alias and its address records lie in an unsigned zone. 
This 16640is unlikely to ever yield DNSSEC validated results, since child 16641zones of unsigned zones are also unsigned in the absence of DLV or 16642locally configured non-root trust-anchors. We anticipate that such 16643mechanisms will not be used for just the "_tcp" subdomain of a host. 16644Suppressing the TLSA RRset lookup reduces latency and avoids potential 16645interoperability problems with nameservers for unsigned zones that 16646are not prepared to handle the new TLSA RRset. </p> 16647 16648<p> This feature is available in Postfix 2.11. </p> 16649 16650%PARAM tls_dane_digest_agility on 16651 16652<p> Configure RFC7671 DANE TLSA digest algorithm agility. 16653Do not change this setting from its default value. </p> 16654 16655<p> See Section 8 of RFC7671 for correct key rotation procedures. </p> 16656 16657<p> This feature is available in Postfix 2.11 through 3.1. Postfix 166583.2 and later ignore this configuration parameter and behave as 16659though it were set to "on". </p> 16660 16661%PARAM tls_dane_digests sha512 sha256 16662 16663<p> DANE TLSA (RFC 6698, RFC 7671, RFC 7672) resource-record "matching 16664type" digest algorithms in descending preference order. All the 16665specified algorithms must be supported by the underlying OpenSSL 16666library, otherwise the Postfix SMTP client will not support DANE 16667TLSA security. </p> 16668 16669<p> Specify a list of digest names separated by commas and/or 16670whitespace. Each digest name may be followed by an optional 16671"=<number>" suffix. For example, "sha512" may instead be specified 16672as "sha512=2" and "sha256" may instead be specified as "sha256=1". 16673The optional number must match the <a 16674href="https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types" 16675>IANA</a> assigned TLSA matching type number the algorithm in question. 16676Postfix will check this constraint for the algorithms it knows about. 
16677Additional matching type algorithms registered with IANA can be added 16678with explicit numbers provided they are supported by OpenSSL. </p> 16679 16680<p> Invalid list elements are logged with a warning and disable DANE 16681support. TLSA RRs that specify digests not included in the list are 16682ignored with a warning. </p> 16683 16684<p> Note: It is unwise to omit sha256 from the digest list. This 16685digest algorithm is the only mandatory to implement digest algorithm 16686in RFC 6698, and many servers are expected to publish TLSA records 16687with just sha256 digests. Unless one of the standard digests is 16688seriously compromised and servers have had ample time to update their 16689TLSA records you should not omit any standard digests, just arrange 16690them in order from strongest to weakest. </p> 16691 16692<p> This feature is available in Postfix 2.11 and later. </p> 16693 16694%PARAM tls_session_ticket_cipher Postfix ≥ 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc 16695 16696<p> Algorithm used to encrypt RFC5077 TLS session tickets. This 16697algorithm must use CBC mode, have a 128-bit block size, and must 16698have a key length between 128 and 256 bits. The default is 16699aes-256-cbc. Overriding the default to choose a different algorithm 16700is discouraged. </p> 16701 16702<p> Setting this parameter empty disables session ticket support 16703in the Postfix SMTP server. Another way to disable session ticket 16704support is via the tls_ssl_options parameter. </p> 16705 16706<p> This feature is available in Postfix 3.0 and later. </p> 16707 16708%PARAM tls_fast_shutdown_enable yes 16709 16710<p> A workaround for implementations that hang Postfix while shutting 16711down a TLS session, until Postfix times out. With this enabled, 16712Postfix will not wait for the remote TLS peer to respond to a TLS 16713'close' notification. This behavior is recommended for TLSv1.0 and 16714later. 
</p> 16715 16716%PARAM default_delivery_status_filter 16717 16718<p> Optional filter to replace the delivery status code or explanatory 16719text of successful or unsuccessful deliveries. This does not allow 16720the replacement of a successful status code (2.X.X) with an 16721unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p> 16722 16723<p> Note: the (smtp|lmtp)_delivery_status_filter is applied only 16724once per recipient: when delivery is successful, when delivery is 16725rejected with 5XX, or when there are no more alternate MX or A 16726destinations. Use smtp_reply_filter or lmtp_reply_filter to inspect 16727responses for all delivery attempts. </p> 16728 16729<p> The following parameters can be used to implement a filter for 16730specific delivery agents: lmtp_delivery_status_filter, 16731local_delivery_status_filter, pipe_delivery_status_filter, 16732smtp_delivery_status_filter or virtual_delivery_status_filter. These 16733parameters support the same filter syntax as described here. </p> 16734 16735<p> Specify zero or more "type:table" lookup table names, separated 16736by comma or whitespace. For each successful or unsuccessful delivery 16737to a recipient, the tables are queried in the specified order with 16738one line of text that is structured as follows: </p> 16739 16740<blockquote> 16741enhanced-status-code SPACE explanatory-text 16742</blockquote> 16743 16744<p> The first table match wins. The lookup result must have the 16745same structure as the query, a successful status code (2.X.X) must 16746be replaced with a successful status code, an unsuccessful status 16747code (4.X.X or 5.X.X) must be replaced with an unsuccessful status 16748code, and the explanatory text field must be non-empty. Other results 16749will result in a warning. </p> 16750 16751<p> Example 1: convert specific soft TLS errors into hard errors, 16752by overriding the first number in the enhanced status code. 
</p> 16753 16754<blockquote> 16755<pre> 16756/etc/postfix/main.cf: 16757 smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter 16758</pre> 16759</blockquote> 16760 16761<blockquote> 16762<pre> 16763/etc/postfix/smtp_dsn_filter: 16764 /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 16765 5$1 16766 /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 16767 5$1 16768 # Do not change the following into hard bounces. They may 16769 # result from a local configuration problem. 16770 # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable 16771 # 4.\d+.\d+ TLS is required, but unavailable 16772 # 4.\d+.\d+ Cannot start TLS: handshake failure 16773</pre> 16774</blockquote> 16775 16776<p> Example 2: censor the per-recipient delivery status text so 16777that it does not reveal the destination command or filename 16778when a remote sender requests confirmation of successful delivery. 16779</p> 16780 16781<blockquote> 16782<pre> 16783/etc/postfix/main.cf: 16784 local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter 16785</pre> 16786</blockquote> 16787 16788<blockquote> 16789<pre> 16790/etc/postfix/local_dsn_filter: 16791 /^(2\S+ delivered to file).+/ $1 16792 /^(2\S+ delivered to command).+/ $1 16793</pre> 16794</blockquote> 16795 16796<p> Notes: </p> 16797 16798<ul> 16799 16800<li> <p> This feature will NOT override the soft_bounce safety net. </p> 16801 16802<li> <p> This feature will change the enhanced status code and text 16803that is logged to the maillog file, and that is reported to the 16804sender in delivery confirmation or non-delivery notifications. 16805</p> 16806 16807</ul> 16808 16809<p> This feature is available in Postfix 3.0 and later. </p> 16810 16811%PARAM smtp_delivery_status_filter $default_delivery_status_filter 16812 16813<p> Optional filter for the smtp(8) delivery agent to change the 16814delivery status code or explanatory text of successful or unsuccessful 16815deliveries. 
See default_delivery_status_filter for details. </p> 16816 16817<p> NOTE: This feature modifies Postfix SMTP client error or non-error 16818messages that may or may not be derived from remote SMTP server 16819responses. In contrast, the smtp_reply_filter feature modifies 16820remote SMTP server responses only. </p> 16821 16822%PARAM lmtp_delivery_status_filter 16823 16824<p> The LMTP-specific version of the smtp_delivery_status_filter 16825configuration parameter. See there for details. </p> 16826 16827<p> This feature is available in Postfix 3.0 and later. </p> 16828 16829%PARAM pipe_delivery_status_filter $default_delivery_status_filter 16830 16831<p> Optional filter for the pipe(8) delivery agent to change the 16832delivery status code or explanatory text of successful or unsuccessful 16833deliveries. See default_delivery_status_filter for details. </p> 16834 16835<p> This feature is available in Postfix 3.0 and later. </p> 16836 16837%PARAM virtual_delivery_status_filter $default_delivery_status_filter 16838 16839<p> Optional filter for the virtual(8) delivery agent to change the 16840delivery status code or explanatory text of successful or unsuccessful 16841deliveries. See default_delivery_status_filter for details. </p> 16842 16843<p> This feature is available in Postfix 3.0 and later. </p> 16844 16845%PARAM local_delivery_status_filter $default_delivery_status_filter 16846 16847<p> Optional filter for the local(8) delivery agent to change the 16848status code or explanatory text of successful or unsuccessful 16849deliveries. See default_delivery_status_filter for details. </p> 16850 16851<p> This feature is available in Postfix 3.0 and later. </p> 16852 16853%PARAM shlib_directory see 'postconf -d' output 16854 16855<p> The location of Postfix dynamically-linked libraries 16856(libpostfix-*.so), and the default location of Postfix database 16857plugins (postfix-*.so) that have a relative pathname in the 16858dynamicmaps.cf file. 
The shlib_directory parameter defaults to 16859"no" when Postfix dynamically-linked libraries and database plugins 16860are disabled at compile time, otherwise it typically defaults to 16861/usr/lib/postfix or /usr/local/lib/postfix. </p> 16862 16863<p> Notes: </p> 16864 16865<ul> 16866 16867<li> <p> The directory specified with shlib_directory should contain 16868only Postfix-related files. Postfix dynamically-linked libraries 16869and database plugins should not be installed in a "public" system 16870directory such as /usr/lib or /usr/local/lib. Linking Postfix 16871dynamically-linked library files or database plugins into non-Postfix 16872programs is not supported. Postfix dynamically-linked libraries 16873and database plugins implement a Postfix-internal API that changes 16874without maintaining compatibility. </p> 16875 16876<li> <p> You can change the shlib_directory value after Postfix is 16877built. However, you may have to run ldconfig or equivalent to prevent 16878Postfix programs from failing because the libpostfix-*.so files are 16879not found. No ldconfig command is needed if you keep the libpostfix-*.so 16880files in the compiled-in default $shlib_directory location. </p> 16881 16882</ul> 16883 16884<p> This feature is available in Postfix 3.0 and later. </p> 16885 16886%PARAM meta_directory see 'postconf -d' output 16887 16888<p> The location of non-executable files that are shared among 16889multiple Postfix instances, such as postfix-files, dynamicmaps.cf, 16890and the multi-instance template files main.cf.proto and master.cf.proto. 16891This directory should contain only Postfix-related files. Typically, 16892the meta_directory parameter has the same default as the config_directory 16893parameter (/etc/postfix or /usr/local/etc/postfix). 
</p> 16894 16895<p> For backwards compatibility with Postfix versions 2.6..2.11, 16896specify "meta_directory = $daemon_directory" in main.cf before 16897installing or upgrading Postfix, or specify "meta_directory = 16898/path/name" on the "make makefiles", "make install" or "make upgrade" 16899command line. </p> 16900 16901<p> This feature is available in Postfix 3.0 and later. </p> 16902 16903%PARAM smtpd_policy_service_default_action 451 4.3.5 Server configuration problem 16904 16905<p> The default action when an SMTPD policy service request fails. 16906Specify "DUNNO" to behave as if the failed SMTPD policy service 16907request was not sent, and to continue processing other access 16908restrictions, if any. </p> 16909 16910<p> Limitations: </p> 16911 16912<ul> 16913 16914<li> <p> This parameter may specify any value that would be a valid 16915SMTPD policy server response (or access(5) map lookup result). An 16916access(5) map or policy server in this parameter value may need to 16917be declared in advance with a restriction_class setting. </p> 16918 16919<li> <p> If the specified action invokes another check_policy_service 16920request, that request will have the built-in default action. </p> 16921 16922</ul> 16923 16924<p> This feature is available in Postfix 3.0 and later. </p> 16925 16926%PARAM smtpd_policy_service_try_limit 2 16927 16928<p> The maximal number of attempts to send an SMTPD policy service 16929request before giving up. Specify a value greater than zero. </p> 16930 16931<p> This feature is available in Postfix 3.0 and later. </p> 16932 16933%PARAM smtpd_policy_service_retry_delay 1s 16934 16935<p> The delay between attempts to resend a failed SMTPD policy 16936service request. Specify a value greater than zero. </p> 16937 16938<p> Specify a non-zero time value (an integral value plus an optional 16939one-letter suffix that specifies the time unit). Time units: s 16940(seconds), m (minutes), h (hours), d (days), w (weeks). 
16941The default time unit is s (seconds). </p> 16942 16943<p> This feature is available in Postfix 3.0 and later. </p> 16944 16945%PARAM smtputf8_enable yes 16946 16947<p> Enable preliminary SMTPUTF8 support for the protocols described 16948in RFC 6531, RFC 6532, and RFC 6533. This requires that Postfix is 16949built to support these protocols. </p> 16950 16951<p> This feature is available in Postfix 3.0 and later. </p> 16952 16953%PARAM strict_smtputf8 no 16954 16955<p> Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix 16956SMTP server accepts UTF8 sender or recipient addresses only when 16957the client requests an SMTPUTF8 mail transaction. </p> 16958 16959<p> This feature is available in Postfix 3.0 and later. </p> 16960 16961%PARAM smtputf8_autodetect_classes sendmail, verify 16962 16963<p> Detect that a message requires SMTPUTF8 support for the specified 16964mail origin classes. This is a workaround to avoid chicken-and-egg 16965problems during the initial SMTPUTF8 roll-out in environments with 16966pre-existing mail flows that contain UTF8. Those mail flows should 16967not break because Postfix suddenly refuses to deliver such mail 16968to down-stream MTAs that don't announce SMTPUTF8 support. </p> 16969 16970<p> The problem is that Postfix cannot rely solely on the sender's 16971declaration that a message requires SMTPUTF8 support, because UTF8 16972may be introduced during local processing (for example, the client 16973hostname in Postfix's Received: header, adding @$myorigin or 16974.$mydomain to an incomplete address, address rewriting, alias 16975expansion, automatic BCC recipients, local forwarding, and changes 16976made by header checks or Milter applications). </p> 16977 16978<p> For now, the default is to enable "SMTPUTF8 required" autodetection 16979only for Postfix sendmail command-line submissions and address 16980verification probes. This may change once SMTPUTF8 support achieves 16981world domination. 
However, sites that add UTF8 content via local 16982processing (see above) should autodetect the need for SMTPUTF8 16983support for all email.</p> 16984 16985<p> Specify one or more of the following: </p> 16986 16987<dl compact> 16988 16989<dt> <b> sendmail </b> </dt> <dd> Submission with the Postfix 16990sendmail(1) command. </dd> 16991 16992<dt> <b> smtpd </b> </dt> <dd> Mail received with the smtpd(8) 16993daemon. </dd> 16994 16995<dt> <b> qmqpd </b> </dt> <dd> Mail received with the qmqpd(8) 16996daemon. </dd> 16997 16998<dt> <b> forward </b> </dt> <dd> Local forwarding or aliasing. When 16999a message is received with "SMTPUTF8 required", then the forwarded 17000(aliased) message always has "SMTPUTF8 required". </dd> 17001 17002<dt> <b> bounce </b> </dt> <dd> Submission by the bounce(8) daemon. 17003When a message is received with "SMTPUTF8 required", then the 17004delivery status notification always has "SMTPUTF8 required". </dd> 17005 17006<dt> <b> notify </b> </dt> <dd> Postmaster notification from the 17007smtp(8) or smtpd(8) daemon. </dd> 17008 17009<dt> <b> verify </b> </dt> <dd> Address verification probe from the 17010verify(8) daemon. </dd> 17011 17012<dt> <b> all </b> </dt> <dd> Enable SMTPUTF8 autodetection for all 17013mail. </dd> 17014 17015</dl> 17016 17017<p> This feature is available in Postfix 3.0 and later. </p> 17018 17019%PARAM compatibility_level 0 17020 17021<p> A safety net that causes Postfix to run with backwards-compatible 17022default settings after an upgrade to a newer Postfix version. </p> 17023 17024<p> With backwards compatibility turned on (the main.cf compatibility_level 17025value is less than the Postfix built-in value), Postfix looks for 17026settings that are left at their implicit default value, and logs a 17027message when a backwards-compatible default setting is required. 
17028</p> 17029 17030<blockquote> 17031<pre> 17032using backwards-compatible default setting <i>name=value</i> 17033 to [accept a specific client request] 17034<nroffescape .sp> 17035using backwards-compatible default setting <i>name=value</i> 17036 to [enable specific Postfix behavior] 17037</pre> 17038</blockquote> 17039 17040<p> See COMPATIBILITY_README for specific message details. If such 17041a message is logged in the context of a legitimate request, the 17042system administrator should make the backwards-compatible setting 17043permanent in main.cf or master.cf, for example: </p> 17044 17045<blockquote> 17046<pre> 17047# <b>postconf</b> <i>name=value</i> 17048# <b>postfix reload</b> 17049</pre> 17050</blockquote> 17051 17052<p> When no more backwards-compatible settings need to be made 17053permanent, the administrator should turn off backwards compatibility 17054by updating the compatibility_level setting in main.cf:</p> 17055 17056<blockquote> 17057<pre> 17058# <b>postconf compatibility_level=<i>N</i></b> 17059# <b>postfix reload</b> 17060</pre> 17061</blockquote> 17062 17063<p> For <i>N</i> specify the number that is logged in your postfix(1) 17064warning message: </p> 17065 17066<blockquote> 17067<pre> 17068warning: To disable backwards compatibility use "postconf 17069 compatibility_level=<i>N</i>" and "postfix reload" 17070</pre> 17071</blockquote> 17072 17073<p> Starting with Postfix version 3.6, the compatibility level in 17074the above warning message is the Postfix version that introduced 17075the last incompatible change. The level is formatted as 17076<i>major.minor.patch</i>, where <i>patch</i> is usually omitted and 17077defaults to zero. Earlier compatibility levels are 0, 1 and 2. </p> 17078 17079<p> NOTE: this also introduces support for the "<level", 17080"<=level", and other operators to compare compatibility levels. 
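</p>

<p> The following Python functions are an added example, not Postfix
code. They compare compatibility levels component by component, so that a
missing patch number counts as zero and the legacy levels 0, 1 and 2 sort
below every major.minor.patch level; they decide whether a main.cf level
is below a built-in level, and they extract the level from the postfix(1)
warning line quoted above. The log line in the script is constructed. </p>

```python
"""Added example, not Postfix code: compare compatibility_level values
numerically per component, as the "<level" / "<=level" style operators
must, and pull the level N out of the postfix(1) warning line."""
import re

# Shape of the warning documented for postfix(1); \s+ tolerates line wraps.
WARNING_RE = re.compile(
    r'To disable backwards compatibility use "postconf\s+compatibility_level=([0-9.]+)"')


def parse_level(level):
    """'0', '1', '2' -> (0,0,0), (1,0,0), (2,0,0); '3.6' -> (3,6,0);
    '3.10.1' -> (3,10,1).  A missing patch component defaults to zero."""
    parts = level.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed compatibility level: {level!r}")
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def level_cmp(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b, compared numerically per
    component (so '3.10' sorts above '3.9', unlike a string compare)."""
    pa, pb = parse_level(a), parse_level(b)
    return (pa > pb) - (pa < pb)


def compat_mode_active(main_cf_level, builtin_level):
    """Backwards-compatible defaults apply while the main.cf level is
    below the built-in level of the running Postfix version."""
    return level_cmp(main_cf_level, builtin_level) < 0


def level_from_warning(logline):
    """Return N from 'warning: To disable backwards compatibility use
    "postconf compatibility_level=N" and "postfix reload"', else None."""
    m = WARNING_RE.search(logline)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed log line in the documented shape (not captured output).
    line = ('Jan  1 00:00:00 mx postfix/postfix-script[123]: warning: To disable '
            'backwards compatibility use "postconf compatibility_level=3.10" '
            'and "postfix reload"')
    n = level_from_warning(line)
    print("level from warning:", n)
    print('string compare says "3.10" < "3.9":', "3.10" < "3.9")
    print('numeric compare says "3.10" < "3.9":', level_cmp("3.10", "3.9") < 0)
    print(f"compat mode with main.cf=2, built-in={n}:", compat_mode_active("2", n))
```

<p>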
17081With the standard operators "<", "<=", etc., compatibility 17082level "3.10" would be smaller than "3.9" which is undesirable. </p> 17083 17084<p> This feature is available in Postfix 3.0 and later. </p> 17085 17086%PARAM message_drop_headers bcc, content-length, resent-bcc, return-path 17087 17088<p> Names of message headers that the cleanup(8) daemon will remove 17089after applying header_checks(5) and before invoking Milter applications. 17090The default setting is compatible with Postfix < 3.0. </p> 17091 17092<p> Specify a list of header names, separated by comma or space. 17093Names are matched in a case-insensitive manner. The list of supported 17094header names is limited only by available memory. </p> 17095 17096<p> This feature is available in Postfix 3.0 and later. </p> 17097 17098%PARAM smtpd_dns_reply_filter 17099 17100<p> Optional filter for Postfix SMTP server DNS lookup results. 17101See smtp_dns_reply_filter for details including an example. 17102</p> 17103 17104<p> This feature is available in Postfix 3.0 and later. </p> 17105 17106%PARAM lmtp_dns_reply_filter 17107 17108<p> Optional filter for Postfix LMTP client DNS lookup results. 17109See smtp_dns_reply_filter for details including an example. </p> 17110 17111<p> This feature is available in Postfix 3.0 and later. </p> 17112 17113#%PARAM postscreen_dns_reply_filter 17114# 17115#<p> Optional filter for postscreen(8) DNS lookup results. 17116#See smtp_dns_reply_filter for details including an example. 17117#</p> 17118# 17119#<p> This feature is available in Postfix 3.0 and later. </p> 17120 17121%PARAM smtp_dns_reply_filter 17122 17123<p> Optional filter for Postfix SMTP client DNS lookup results. 17124Specify zero or more lookup tables. 
The lookup tables are searched 17125in the given order for a match with the DNS lookup result, converted 17126to the following form: </p> 17127 17128<pre> 17129 <i>name ttl class type preference value</i> 17130</pre> 17131 17132<p> The <i>class</i> field is always "IN", the <i>preference</i> 17133field exists only for MX records, the names of hosts, domains, etc. 17134end in ".", and those names are in ASCII form (xn--mumble form in 17135the case of UTF8 names). </p> 17136 17137<p> When a match is found, the table lookup result specifies an 17138action. By default, the table query and the action name are 17139case-insensitive. Currently, only the <b>IGNORE</b> action is 17140implemented. </p> 17141 17142<p> Notes: </p> 17143 17144<ul> 17145 17146<li> <p> Postfix DNS reply filters have no effect on implicit DNS 17147lookups through nsswitch.conf or equivalent mechanisms. </p> 17148 17149<li> <p> The Postfix SMTP/LMTP client uses smtp_dns_reply_filter 17150and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP 17151service (record types MX, A, AAAA, and TLSA). These lookups are 17152also made to implement the features reject_unverified_sender and 17153reject_unverified_recipient. </p> 17154 17155<li> <p> The Postfix SMTP/LMTP client defers mail delivery when 17156a filter removes all lookup results from a successful query. </p> 17157 17158<li> <p> Postfix SMTP server uses smtpd_dns_reply_filter only to 17159look up MX, A, AAAA, and TXT records to implement the features 17160reject_unknown_helo_hostname, reject_unknown_sender_domain, 17161reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*. 17162</p> 17163 17164<li> <p> The Postfix SMTP server logs a warning or defers mail 17165delivery when a filter removes all lookup results from a successful 17166query. 
</p> 17167 17168</ul> 17169 17170<p> Example: ignore Google AAAA records in Postfix SMTP client DNS 17171lookups, because Google sometimes hard-rejects mail from IPv6 clients 17172with valid PTR etc. records. </p> 17173 17174<pre> 17175/etc/postfix/main.cf: 17176 smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter 17177</pre> 17178 17179<pre> 17180/etc/postfix/smtp_dns_reply_filter: 17181 # /domain ttl IN AAAA address/ action, all case-insensitive. 17182 # Note: the domain name ends in ".". 17183 /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE 17184</pre> 17185 17186<p> This feature is available in Postfix 3.0 and later. </p> 17187 17188%PARAM smtp_tls_wrappermode no 17189 17190<p> Request that the Postfix SMTP client connects using the 17191SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p> 17192 17193<p> This mode requires "smtp_tls_security_level = encrypt" or 17194stronger. </p> 17195 17196<p> Example: deliver all remote mail via a provider's server 17197"mail.example.com". </p> 17198 17199<pre> 17200/etc/postfix/main.cf: 17201 # Client-side SMTPS requires "encrypt" or stronger. 17202 smtp_tls_security_level = encrypt 17203 smtp_tls_wrappermode = yes 17204 # The [] suppress MX lookups. 17205 relayhost = [mail.example.com]:465 17206</pre> 17207 17208<p> More examples are in TLS_README, including examples for older 17209Postfix versions. </p> 17210 17211<p> This feature is available in Postfix 3.0 and later. </p> 17212 17213%PARAM lmtp_tls_wrappermode no 17214 17215<p> The LMTP-specific version of the smtp_tls_wrappermode configuration 17216parameter. See there for details. </p> 17217 17218<p> This feature is available in Postfix 3.0 and later. </p> 17219 17220%PARAM smtp_tls_connection_reuse no 17221 17222<p> Try to make multiple deliveries per TLS-encrypted connection. 
17223This uses the tlsproxy(8) service to encrypt an SMTP connection, 17224uses the scache(8) service to save that connection, and relies on 17225hints from the qmgr(8) daemon. </p> 17226 17227<p> See "<a href="TLS_README.html#client_tls_reuse">Client-side 17228TLS connection reuse</a>" for background details. </p> 17229 17230<p> This feature is available in Postfix 3.4 and later. </p> 17231 17232%PARAM lmtp_tls_connection_reuse no 17233 17234<p> The LMTP-specific version of the smtp_tls_connection_reuse configuration 17235parameter. See there for details. </p> 17236 17237<p> This feature is available in Postfix 3.4 and later. </p> 17238 17239%PARAM virtual_alias_address_length_limit 1000 17240 17241<p> 17242The maximal length of an email address after virtual alias expansion. 17243This stops virtual aliasing loops that increase the address length 17244exponentially. 17245</p> 17246 17247<p> 17248This feature is available in Postfix 3.0 and later. 17249</p> 17250 17251%PARAM dns_ncache_ttl_fix_enable no 17252 17253<p> Enable a workaround for future libc incompatibility. The Postfix 17254implementation of RFC 2308 negative reply caching relies on the 17255promise that res_query() and res_search() invoke res_send(), which 17256returns the server response in an application buffer even if the 17257requested record does not exist. If this promise is broken, specify 17258"yes" to enable a workaround for DNS reputation lookups. </p> 17259 17260<p> 17261This feature is available in Postfix 3.1 and later. 17262</p> 17263 17264%PARAM smtpd_policy_service_policy_context 17265 17266<p> Optional information that the Postfix SMTP server specifies in 17267the "policy_context" attribute of a policy service request (originally, 17268to share the same service endpoint among multiple check_policy_service 17269clients). </p> 17270 17271<p> 17272This feature is available in Postfix 3.1 and later. 
</p> 17273 17274%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output 17275 17276<p> The TLS policy for MX hosts with "secure" TLSA records when the 17277nexthop destination security level is <b>dane</b>, but the MX 17278record was found via an "insecure" MX lookup. The choices are: 17279</p> 17280 17281<dl> 17282<dt><b>may</b></dt> 17283<dd> The TLSA records will be ignored and TLS will be optional. If 17284the MX host does not appear to support STARTTLS, or the STARTTLS 17285handshake fails, mail may be sent in the clear. </dd> 17286<dt><b>encrypt</b></dt> 17287<dd> The TLSA records will signal a requirement to use TLS. While 17288TLS encryption will be required, authentication will not be performed. 17289</dd> 17290<dt><b>dane</b></dt> 17291<dd>The TLSA records will be used just as with "secure" MX records. 17292TLS encryption will be required, and, if at least one of the TLSA 17293records is "usable", authentication will be required. When 17294authentication succeeds, it will be logged only as "Trusted", not 17295"Verified", because the MX host name could have been forged. </dd> 17296</dl> 17297 17298<p> The default setting for Postfix ≥ 3.6 is "dane" with 17299"smtp_tls_security_level = dane", otherwise "may". This behavior 17300was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16 and 3.2.21. 17301With earlier Postfix versions the default setting was always "dane". 17302</p> 17303 17304<p> Though with "insecure" MX records an active attacker can 17305compromise SMTP transport security by returning forged MX records, 17306such attacks are "tamper-evident" since any forged MX hostnames 17307will be recorded in the mail logs. Attackers who place a high value 17308on staying hidden may be deterred from forging MX records. </p> 17309 17310<p> 17311This feature is available in Postfix 3.1 and later. The <b>may</b> 17312policy is backwards-compatible with earlier Postfix versions.
17314</p> 17315 17316%PARAM openssl_path openssl 17317 17318<p> 17319The location of the OpenSSL command line program openssl(1). This 17320is used by the "<b>postfix tls</b>" command to create private keys, 17321certificate signing requests, self-signed certificates, and to 17322compute public key digests for DANE TLSA records. In multi-instance 17323environments, this parameter is always determined from the configuration 17324of the default Postfix instance. 17325</p> 17326 17327<p> Example: </p> 17328 17329<blockquote> 17330<pre> 17331/etc/postfix/main.cf: 17332 # NetBSD pkgsrc: 17333 openssl_path = /usr/pkg/bin/openssl 17334 # Local build: 17335 openssl_path = /usr/local/bin/openssl 17336</pre> 17337</blockquote> 17338 17339<p> 17340This feature is available in Postfix 3.1 and later. 17341</p> 17342 17343%PARAM address_verify_pending_request_limit see "postconf -d" output 17344 17345<p> A safety limit that prevents address verification requests from 17346overwhelming the Postfix queue. By default, the number of pending 17347requests is limited to 1/4 of the active queue maximum size 17348(qmgr_message_active_limit). The queue manager enforces the limit 17349by tempfailing requests that exceed the limit. This affects only 17350unknown addresses and inactive addresses that have expired, because 17351the verify(8) daemon automatically refreshes an active address 17352before it expires. </p> 17353 17354<p> This feature is available in Postfix 3.1 and later. </p> 17355 17356%PARAM smtpd_milter_maps 17357 17358<p> Lookup tables with Milter settings per remote SMTP client IP 17359address. The lookup result overrides the smtpd_milters setting, 17360and has the same syntax. </p> 17361 17362<p> Note: lookup tables cannot return empty responses. Specify a 17363lookup result of DISABLE (case does not matter) to indicate that 17364Milter support should be disabled. 
</p> 17365 17366<p> Example to disable Milters for local clients: </p> 17367 17368<pre> 17369/etc/postfix/main.cf: 17370 smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map 17371 smtpd_milters = inet:host:port, { inet:host:port, ... }, ... 17372</pre> 17373 17374<pre> 17375/etc/postfix/smtpd_milter_map: 17376 # Disable Milters for local clients. 17377 127.0.0.0/8 DISABLE 17378 192.168.0.0/16 DISABLE 17379 ::/64 DISABLE 17380 2001:db8::/32 DISABLE 17381</pre> 17382 17383<p> This feature is available in Postfix 3.2 and later. </p> 17384 17385%PARAM enable_idna2003_compatibility no 17386 17387<p> Enable 'transitional' compatibility between IDNA2003 and IDNA2008, 17388when converting UTF-8 domain names to/from the ASCII form that is 17389used for DNS lookups. Specify "yes" for compatibility with Postfix 17390≤ 3.1 (not recommended). This affects the conversion of domain 17391names that contain for example the German sz and the Greek zeta. 17392See http://unicode.org/cldr/utility/idna.jsp for more examples. 17393</p> 17394 17395<p> This feature is available in Postfix 3.2 and later. </p> 17396 17397%PARAM smtp_balance_inet_protocols yes 17398 17399<p> When a remote destination resolves to a combination of IPv4 and 17400IPv6 addresses, ensure that the Postfix SMTP client can try both 17401address types before it runs into the smtp_mx_address_limit. </p> 17402 17403<p> This avoids an interoperability problem when a destination resolves 17404to primarily IPv6 addresses, the smtp_mx_address_limit feature eliminates 17405most or all IPv4 addresses, and the destination is not reachable over 17406IPv6. </p> 17407 17408<p> This feature is available in Postfix 3.3 and later. </p> 17409 17410%PARAM lmtp_balance_inet_protocols yes 17411 17412<p> The LMTP-specific version of the smtp_balance_inet_protocols 17413configuration parameter. See there for details. </p> 17414 17415<p> This feature is available in Postfix 3.3 and later.
</p> 17416 17417%PARAM header_from_format standard 17418 17419<p> The format of the Postfix-generated <b>From:</b> header. This 17420setting affects the appearance of 'full name' information when a 17421local program such as /bin/mail submits a message without a From: 17422header through the Postfix sendmail(1) command. </p> 17423 17424<p> Specify one of the following: </p> 17425 17426<dl> 17427 17428<dt><b>standard</b> (default)</dt> <dd> Produce a header formatted 17429as "<b>From:</b> <i>name</i><b> <</b><i>address</i><b>></b>". 17430This is the default as of Postfix 3.3.</dd> 17431 17432<dt><b>obsolete</b></dt> <dd>Produce a header formatted as "<b>From:</b> 17433<i>address</i> <b>(</b><i>name</i><b>)</b>". This is the behavior 17434prior to Postfix 3.3. </dd> 17435 17436</dl> 17437 17438<p> Notes: </p> 17439 17440<ul> 17441 17442<li> <p> Postfix generates the format "<b>From:</b> <i>address</i>" 17443when <i>name</i> information is unavailable or the envelope sender 17444address is empty. This is the same behavior as prior to Postfix 174453.3. </p> 17446 17447<li> <p> In the <b>standard</b> form, the <i>name</i> will be quoted 17448if it contains <b>specials</b> as defined in RFC 5322, or the "!%" 17449address operators. </p> 17450 17451<li> <p> The Postfix sendmail(1) command gets <i>name</i> information 17452from the <b>-F</b> command-line option, from the <b>NAME</b> 17453environment variable, or from the UNIX password file. </p> 17454 17455</ul> 17456 17457<p> This feature is available in Postfix 3.3 and later. </p> 17458 17459%PARAM tlsproxy_client_CAfile $smtp_tls_CAfile 17460 17461<p> A file containing CA certificates of root CAs trusted to sign 17462either remote TLS server certificates or intermediate CA certificates. 17463See smtp_tls_CAfile for further details. </p> 17464 17465<p> This feature is available in Postfix 3.4 and later. 
</p> 17466 17467%PARAM tlsproxy_client_CApath $smtp_tls_CApath 17468 17469<p> Directory with PEM format Certification Authority certificates 17470that the Postfix tlsproxy(8) client uses to verify a remote TLS 17471server certificate. See smtp_tls_CApath for further details. </p> 17472 17473<p> This feature is available in Postfix 3.4 and later. </p> 17474 17475%PARAM tlsproxy_client_cert_file $smtp_tls_cert_file 17476 17477<p> File with the Postfix tlsproxy(8) client RSA certificate in PEM 17478format. See smtp_tls_cert_file for further details. The preferred way 17479to configure tlsproxy client keys and certificates is via the 17480"tlsproxy_client_chain_files" parameter. </p> 17481 17482<p> This feature is available in Postfix 3.4 and later. </p> 17483 17484%PARAM tlsproxy_client_key_file $smtp_tls_key_file 17485 17486<p> File with the Postfix tlsproxy(8) client RSA private key in PEM 17487format. See smtp_tls_key_file for further details. The preferred way to 17488configure tlsproxy client keys and certificates is via the 17489"tlsproxy_client_chain_files" parameter. </p> 17490 17491<p> This feature is available in Postfix 3.4 and later. </p> 17492 17493%PARAM tlsproxy_client_dcert_file $smtp_tls_dcert_file 17494 17495<p> File with the Postfix tlsproxy(8) client DSA certificate in PEM 17496format. See smtp_tls_dcert_file for further details. DSA is obsolete and 17497should not be used. </p> 17498 17499<p> This feature is available in Postfix 3.4 and later. </p> 17500 17501%PARAM tlsproxy_client_dkey_file $smtp_tls_dkey_file 17502 17503<p> File with the Postfix tlsproxy(8) client DSA private key in PEM 17504format. See smtp_tls_dkey_file for further details. DSA is obsolete and 17505should not be used. </p> 17506 17507<p> This feature is available in Postfix 3.4 and later. </p> 17508 17509%PARAM tlsproxy_client_eccert_file $smtp_tls_eccert_file 17510 17511<p> File with the Postfix tlsproxy(8) client ECDSA certificate in PEM 17512format. 
See smtp_tls_eccert_file for further details. The preferred way
to configure tlsproxy client keys and certificates is via the
"tlsproxy_client_chain_files" parameter. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_eckey_file $smtp_tls_eckey_file

<p> File with the Postfix tlsproxy(8) client ECDSA private key in PEM
format. See smtp_tls_eckey_file for further details. The preferred way
to configure tlsproxy client keys and certificates is via the
"tlsproxy_client_chain_files" parameter. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_fingerprint_digest $smtp_tls_fingerprint_digest

<p> The message digest algorithm used to construct remote TLS server
certificate fingerprints. See smtp_tls_fingerprint_digest for
further details. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_loglevel $smtp_tls_loglevel

<p> Enable additional Postfix tlsproxy(8) client logging of TLS
activity. See smtp_tls_loglevel for further details. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_loglevel_parameter smtp_tls_loglevel

<p> The name of the parameter that provides the tlsproxy_client_loglevel
value. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_scert_verifydepth $smtp_tls_scert_verifydepth

<p> The verification depth for remote TLS server certificates.
See smtp_tls_scert_verifydepth for further details. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_level $smtp_tls_security_level

<p> The default TLS security level for the Postfix tlsproxy(8)
client. See smtp_tls_security_level for further details. </p>

<p> This feature is available in Postfix 3.4 - 3.6. It was
renamed to tlsproxy_client_security_level in Postfix 3.7. </p>

%PARAM tlsproxy_client_security_level $smtp_tls_security_level

<p> The default TLS security level for the Postfix tlsproxy(8)
client. See smtp_tls_security_level for further details. </p>

<p> This feature is available in Postfix 3.7 and later. It
was previously called tlsproxy_client_level. </p>

%PARAM tlsproxy_client_per_site $smtp_tls_per_site

<p> Optional lookup tables with the Postfix tlsproxy(8) client TLS
usage policy by next-hop destination and by remote TLS server
hostname. See smtp_tls_per_site for further details. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_policy $smtp_tls_policy_maps

<p> Optional lookup tables with the Postfix tlsproxy(8) client TLS
security policy by next-hop destination. See smtp_tls_policy_maps
for further details. </p>

<p> This feature is available in Postfix 3.4 - 3.6. It was
renamed to tlsproxy_client_policy_maps in Postfix 3.7. </p>

%PARAM tlsproxy_client_policy_maps $smtp_tls_policy_maps

<p> Optional lookup tables with the Postfix tlsproxy(8) client TLS
security policy by next-hop destination. See smtp_tls_policy_maps
for further details. </p>

<p> This feature is available in Postfix 3.7 and later. It
was previously called tlsproxy_client_policy. </p>

%PARAM tlsproxy_client_use_tls $smtp_use_tls

<p> Opportunistic mode: use TLS when a remote server announces TLS
support. See smtp_use_tls for further details. Use
tlsproxy_client_security_level instead. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_enforce_tls $smtp_enforce_tls

<p> Enforcement mode: require that SMTP servers use TLS encryption.
See smtp_enforce_tls for further details. Use
tlsproxy_client_security_level instead. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM smtpd_tls_chain_files

<p> List of one or more PEM files, each holding one or more private keys
directly followed by a corresponding certificate chain. The file names
are separated by commas and/or whitespace. This parameter obsoletes the
legacy algorithm-specific key and certificate file settings. When this
parameter is non-empty, the legacy parameters are ignored, and a warning
is logged if any are also non-empty. </p>

<p> With the proliferation of multiple private key algorithms—which,
as of OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519
and Ed448—it is increasingly impractical to use separate
parameters to configure the key and certificate chain for each
algorithm. Therefore, Postfix now supports storing multiple keys and
corresponding certificate chains in a single file or in a set of files. </p>

<p> Each key must appear <b>immediately before</b> the corresponding
certificate, optionally followed by additional issuer certificates that
complete the certificate chain for that key. When multiple files are
specified, they are equivalent to a single file that is concatenated
from those files in the given order. Thus, while a key must always
precede its certificate and issuer chain, it can be in a separate file,
so long as that file is listed immediately before the file that holds
the corresponding certificate chain. Once all the files are
concatenated, the sequence of PEM objects must be: <i>key1, cert1,
[chain1], key2, cert2, [chain2], ..., keyN, certN, [chainN].</i> </p>

<p> Storing the private key in the same file as the corresponding
certificate is more reliable. With the key and certificate in separate
files, there is a chance that during key rollover a Postfix process
might load a private key and certificate from separate files that don't
match. Various operational errors may even result in a persistent
broken configuration in which the certificate does not match the private
key. </p>

<p> The file or files must contain at most one key of each type. If,
for example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
is not presently possible to configure keys for more than one ECDSA
curve. </p>

<p> RSA is still the most widely supported algorithm. Presently (late
2018), ECDSA support is common, but not yet universal, and Ed25519 and
Ed448 support is mostly absent. Therefore, an RSA key should generally
be configured, along with any additional keys for the other algorithms
when desired. </p>

<p>
Example (separate files for each key and corresponding certificate chain):
</p>
<blockquote>
<pre>
/etc/postfix/main.cf:
    smtpd_tls_chain_files =
        ${config_directory}/ed25519.pem,
        ${config_directory}/ed448.pem,
        ${config_directory}/rsa.pem
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/ed25519.pem:
    -----BEGIN PRIVATE KEY-----
    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
    ...
    nC0egv51YPDWxEHom4QA
    -----END CERTIFICATE-----
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/ed448.pem:
    -----BEGIN PRIVATE KEY-----
    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
    ...
    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
    -----END CERTIFICATE-----
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/rsa.pem:
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
    ...
    ahQkZ3+krcaJvDSMgvu0tDc=
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
    ...
    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
    -----END CERTIFICATE-----
</pre>
</blockquote>

<p>
Example (all keys and certificates in a single file):
</p>
<blockquote>
<pre>
/etc/postfix/main.cf:
    smtpd_tls_chain_files = ${config_directory}/chains.pem
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/chains.pem:
    -----BEGIN PRIVATE KEY-----
    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
    ...
    nC0egv51YPDWxEHom4QA
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
    ...
    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
    ...
    ahQkZ3+krcaJvDSMgvu0tDc=
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
    ...
    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
    -----END CERTIFICATE-----
</pre>
</blockquote>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM smtp_tls_chain_files

<p> List of one or more PEM files, each holding one or more private keys
directly followed by a corresponding certificate chain. The file names
are separated by commas and/or whitespace. This parameter obsoletes the
legacy algorithm-specific key and certificate file settings. When this
parameter is non-empty, the legacy parameters are ignored, and a warning
is logged if any are also non-empty. </p>

<p> With the proliferation of multiple private key algorithms—which,
as of OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519
and Ed448—it is increasingly impractical to use separate
parameters to configure the key and certificate chain for each
algorithm. Therefore, Postfix now supports storing multiple keys and
corresponding certificate chains in a single file or in a set of files. </p>

<p> Each key must appear <b>immediately before</b> the corresponding
certificate, optionally followed by additional issuer certificates that
complete the certificate chain for that key. When multiple files are
specified, they are equivalent to a single file that is concatenated
from those files in the given order. Thus, while a key must always
precede its certificate and issuer chain, it can be in a separate file,
so long as that file is listed immediately before the file that holds
the corresponding certificate chain. Once all the files are
concatenated, the sequence of PEM objects must be: <i>key1, cert1,
[chain1], key2, cert2, [chain2], ..., keyN, certN, [chainN].</i> </p>

<p> Storing the private key in the same file as the corresponding
certificate is more reliable. With the key and certificate in separate
files, there is a chance that during key rollover a Postfix process
might load a private key and certificate from separate files that don't
match. Various operational errors may even result in a persistent
broken configuration in which the certificate does not match the private
key. </p>

<p> The file or files must contain at most one key of each type. If,
for example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
is not presently possible to configure keys for more than one ECDSA
curve. </p>

<p>
Example (separate files for each key and corresponding certificate chain):
</p>
<blockquote>
<pre>
/etc/postfix/main.cf:
    smtp_tls_chain_files =
        ${config_directory}/ed25519.pem,
        ${config_directory}/ed448.pem,
        ${config_directory}/rsa.pem
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/ed25519.pem:
    -----BEGIN PRIVATE KEY-----
    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
    ...
    nC0egv51YPDWxEHom4QA
    -----END CERTIFICATE-----
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/ed448.pem:
    -----BEGIN PRIVATE KEY-----
    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
    ...
    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
    -----END CERTIFICATE-----
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/rsa.pem:
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
    ...
    ahQkZ3+krcaJvDSMgvu0tDc=
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
    ...
    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
    -----END CERTIFICATE-----
</pre>
</blockquote>

<p>
Example (all keys and certificates in a single file):
</p>
<blockquote>
<pre>
/etc/postfix/main.cf:
    smtp_tls_chain_files = ${config_directory}/chains.pem
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/chains.pem:
    -----BEGIN PRIVATE KEY-----
    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
    ...
    nC0egv51YPDWxEHom4QA
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
    ...
    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
    ...
    ahQkZ3+krcaJvDSMgvu0tDc=
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
    ...
    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
    -----END CERTIFICATE-----
</pre>
</blockquote>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM lmtp_tls_chain_files

<p> The LMTP-specific version of the smtp_tls_chain_files configuration
parameter. See there for details.
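The key-ordering and one-key-per-algorithm rules given under smtpd_tls_chain_files and smtp_tls_chain_files (which this LMTP variant shares) can be checked before a reload; the following is an added example, not Postfix code, that scans the listed files' PEM objects in order, reads each private key's algorithm from its PKCS#8 OID, and reports a key not immediately followed by a certificate, a certificate with no preceding key, or a second key of the same algorithm. It assumes the Ed25519 and Ed448 private keys from the examples above as input, with constructed placeholder certificates, since it checks certificate labels and order only.

```python
import base64
import re

# PKCS#8 privateKeyAlgorithm OIDs mapped to the key types Postfix distinguishes.
# Every ECDSA curve shares id-ecPublicKey, which is why only one ECDSA key
# can be configured regardless of curve.
KEY_ALGORITHM_BY_OID = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.2.1": "ECDSA",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
# Legacy (non-PKCS#8) PEM labels name the algorithm directly.
KEY_ALGORITHM_BY_LABEL = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA"}
PEM_OBJECT = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: n length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def key_algorithm(label, b64_body):
    """Algorithm family of one PEM private key object."""
    if label in KEY_ALGORITHM_BY_LABEL:
        return KEY_ALGORITHM_BY_LABEL[label]
    der = base64.b64decode("".join(b64_body.split()))
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER,
    #                               privateKeyAlgorithm SEQUENCE { OID, ... }, ... }
    tag, info, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    _, _, pos = der_read(info, 0)           # skip the version INTEGER
    tag, alg_id, _ = der_read(info, pos)
    oid_tag, oid_raw, _ = der_read(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_raw)
    return KEY_ALGORITHM_BY_OID.get(oid, "unknown:" + oid)


def check_chain_files(pem_texts):
    """Validate the order Postfix requires over the concatenation of the given
    files: key1, cert1, [chain1], key2, cert2, [chain2], ...
    Returns (key algorithms in order, list of problems); no problems means OK."""
    objects = PEM_OBJECT.findall("\n".join(pem_texts))
    algorithms, problems = [], []
    awaiting_cert = False                   # True right after a private key
    for label, body in objects:
        if label.endswith("PRIVATE KEY"):
            if awaiting_cert:
                problems.append("key for %s is not immediately followed by "
                                "its certificate" % algorithms[-1])
            alg = key_algorithm(label, body)
            if alg in algorithms:
                problems.append("more than one %s key" % alg)
            algorithms.append(alg)
            awaiting_cert = True
        elif label == "CERTIFICATE":
            if not algorithms:
                problems.append("certificate appears before any private key")
            awaiting_cert = False
        else:
            problems.append("unexpected PEM object: " + label)
    if awaiting_cert:
        problems.append("key for %s has no certificate" % algorithms[-1])
    if not objects:
        problems.append("no PEM objects found")
    return algorithms, problems


# Sample input: the Ed25519 and Ed448 keys shown in the examples above, with
# constructed placeholder certificates (the checker does not decode these).
ED25519_KEY = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
-----END PRIVATE KEY-----"""
ED448_KEY = """-----BEGIN PRIVATE KEY-----
MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
-----END PRIVATE KEY-----"""
PLACEHOLDER_CERT = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"

if __name__ == "__main__":
    print(check_chain_files([ED25519_KEY + "\n" + PLACEHOLDER_CERT,
                             ED448_KEY + "\n" + PLACEHOLDER_CERT]))
```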
</p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_client_chain_files $smtp_tls_chain_files

<p> Files with the Postfix tlsproxy(8) client keys and certificate
chains in PEM format. See smtp_tls_chain_files for further details. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tlsproxy_tls_chain_files $smtpd_tls_chain_files

<p> Files with the Postfix tlsproxy(8) server keys and certificate
chains in PEM format. See smtpd_tls_chain_files for further details. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM tls_server_sni_maps

<p> Optional lookup tables that map names received from remote SMTP
clients via the TLS Server Name Indication (SNI) extension to the
appropriate keys and certificate chains. This parameter is implemented
in the Postfix TLS library, and applies to both smtpd(8) and the SMTP
server mode of tlsproxy(8). </p>

<p> When this parameter is non-empty, the Postfix SMTP server enables
SNI extension processing, and logs SNI values that are invalid or
don't match an entry in the specified tables. When an entry
does match, the SNI name is logged as part of the connection summary
at log levels 1 and higher. </p>

<p> The lookup key is either the verbatim SNI domain name or an
ancestor domain prefixed with a leading dot. For internationalized
domains, the lookup key must be in IDNA 2008 A-label form (as
required in the TLS SNI extension). </p>

<p> The syntax of the lookup value is the same as with the
smtp_tls_chain_files parameter (see there for additional details),
but here scoped to just TLS connections in which the client sends
a matching SNI domain name. </p>

<p> Example: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
    #
    # The indexed SNI table must be created with "postmap -F"
    #
    indexed = ${default_database_type}:${config_directory}/
    tls_server_sni_maps = ${indexed}sni
</pre>
</blockquote>

<blockquote>
<pre>
/etc/postfix/sni:
    #
    # The example.com domain has both an RSA and ECDSA certificate
    # chain. The chain files MUST start with the private key,
    # with the certificate chain next, starting with the leaf
    # (server) certificate, and then the issuer certificates.
    #
    example.com  /etc/postfix/sni-chains/rsa2048.example.com.pem,
                 /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
    #
    # The example.net domain has a wildcard certificate, and two
    # additional DNS names. So its certificate chain is also used
    # with any subdomain, plus the additional names.
    #
    example.net  /etc/postfix/sni-chains/example.net.pem
    .example.net /etc/postfix/sni-chains/example.net.pem
    example.info /etc/postfix/sni-chains/example.net.pem
    example.org  /etc/postfix/sni-chains/example.net.pem
</pre>
</blockquote>

<p> Note that the SNI lookup tables should also have entries for
the domains that correspond to the Postfix SMTP server's default
certificate(s). This ensures that the remote SMTP client's TLS SNI
extension gets a positive response when it specifies one of the
Postfix SMTP server's default domains, and ensures that the Postfix
SMTP server will not log an SNI name mismatch for such a domain.
The Postfix SMTP server's default certificates are then only used
when the client sends no SNI or when it sends SNI with a domain
that the server knows no certificate(s) for. </p>

<p> The mapping from an SNI domain name to a certificate chain is indirect. In
the input source files for "cdb", "hash", "btree" or other tables that are
converted to on-disk indexed files via postmap(1), the value specified for each
key is a list of filenames. When postmap(1) is used with the <b>-F</b> option,
the generated table stores for each lookup key the base64-encoded contents of
the associated files. When querying tables via <b>postmap -Fq</b>, the table
value is decoded from base64, yielding the original file content, plus a new
line. </p>

<p> With "regexp", "pcre", "inline", "texthash", "static" and similar
tables that are interpreted at run-time, and don't have a separate
source format, the table value is again a list of files, that are loaded
into memory when the table is opened. </p>

<p> With tables whose content is managed outside of Postfix, such
as LDAP, MySQL, PostgreSQL, socketmap and tcp, the value must be a
concatenation of the desired PEM keys and certificate chains, that
is then further encoded to yield a single-line base64 string.
Creation of such tables and secure storage (the value includes
private key material) are outside the responsibility of Postfix. </p>

<p> With "socketmap" and "tcp" the data will be transmitted in the clear, and
there is no query access control, so these are generally unsuitable for storing
SNI chains. With LDAP and SQL, you should restrict read access and use TLS to
protect the sensitive data in transit. </p>

<p> Typically there is only one private key and its chain of certificates
starting with the "leaf" certificate corresponding to that key, and
continuing with the appropriate intermediate issuer CA certificates,
with each certificate ideally followed by its issuer. Servers
that have keys and certificates for more than one algorithm (e.g.
both an RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519)
can use multiple chains concatenated together, with the key always
listed before the corresponding certificates. </p>

<p> This feature is available in Postfix 3.4 and later. </p>

%PARAM smtp_tls_servername

<p> Optional name to send to the remote SMTP server in the TLS Server
Name Indication (SNI) extension. The SNI extension is always on when
DANE is used to authenticate the server, and in that case the SNI name
sent is the one required by RFC7672 and this parameter is ignored. </p>

<p> Some SMTP servers use the received SNI name to select an appropriate
certificate chain to present to the client. While this may improve
interoperability with such servers, it may reduce interoperability with
other servers that choose to abort the connection when they don't have a
certificate chain configured for the requested name. Such servers
should select a default certificate chain and continue the handshake,
but some may not. Therefore, absent DANE, no SNI name is sent by
default. </p>

<p> The SNI name must be either a valid DNS hostname, or else one of the
special values <b>hostname</b> or <b>nexthop</b>, which select either the
remote hostname or the nexthop domain respectively. DNS names for SNI must be
in A-label (punycode) form. Invalid DNS names log a configuration error
warning and mail delivery is deferred. </p>

<p> Except when using a relayhost to forward all email, the only
sensible non-empty main.cf setting for this parameter is
<b>hostname</b>. Other non-empty values are only practical on a
per-destination basis via the <b>servername</b> attribute of the Postfix
TLS <a href="TLS_README.html#client_tls_policy">policy table</a>. When
in doubt, leave this parameter empty, and configure per-destination SNI
as needed.
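For the server side described under tls_server_sni_maps above, the following added example (not Postfix code) shows the lookup key forms the text specifies, the "postmap -F" value encoding, and the fallback when a client's SNI name is invalid or unmatched. It assumes a plain dict standing in for the indexed table, constructed placeholder chain files for the /etc/postfix/sni entries shown above, and a closest-ancestor-first search order that is this example's choice rather than a statement about Postfix internals.

```python
import base64


def sni_lookup_keys(sni_name):
    """Candidate lookup keys for one SNI name: the verbatim name first, then
    each ancestor domain with a leading dot. These key forms come from the
    tls_server_sni_maps description; trying the closest ancestor first is
    this example's choice (assumption)."""
    labels = sni_name.rstrip(".").lower().split(".")
    keys = [".".join(labels)]
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    return keys


def is_a_label_name(name):
    """True when every label is in IDNA A-label form (ASCII letters, digits and
    hyphens, no leading or trailing hyphen), as the TLS SNI extension requires."""
    labels = name.rstrip(".").split(".")
    return all(lab != "" and lab.isascii() and lab.replace("-", "").isalnum()
               and not lab.startswith("-") and not lab.endswith("-")
               for lab in labels)


def postmap_f_value(*chain_files):
    """Mimic 'postmap -F': the stored value is the base64 of the concatenated
    contents of the files listed for the key."""
    return base64.b64encode(b"".join(chain_files)).decode("ascii")


def decode_postmap_f_value(value):
    """Mimic 'postmap -Fq': decode the base64 value, yielding the file
    content plus a newline."""
    return base64.b64decode(value).decode("ascii") + "\n"


def select_chain(table, sni_name):
    """Return (matched_key, decoded_pem) for the SNI name a client sent, or
    (None, None) when the name is invalid or nothing matches; Postfix then
    logs the SNI value and serves its default certificate(s)."""
    if not is_a_label_name(sni_name):
        return None, None
    for key in sni_lookup_keys(sni_name):
        if key in table:
            return key, decode_postmap_f_value(table[key])
    return None, None


def fake_chain(name):
    """Constructed placeholder for a chain file: key first, then the chain."""
    return ("-----BEGIN PRIVATE KEY-----\n(%s key, constructed)\n-----END PRIVATE KEY-----\n"
            "-----BEGIN CERTIFICATE-----\n(%s cert, constructed)\n-----END CERTIFICATE-----\n"
            % (name, name)).encode("ascii")


# The /etc/postfix/sni example above, as 'postmap -F' would store it
# (chain contents are constructed placeholders).
SNI_TABLE = {
    "example.com": postmap_f_value(fake_chain("rsa2048.example.com"),
                                   fake_chain("ecdsa-p256.example.com")),
    "example.net": postmap_f_value(fake_chain("example.net")),
    ".example.net": postmap_f_value(fake_chain("example.net")),
    "example.info": postmap_f_value(fake_chain("example.net")),
    "example.org": postmap_f_value(fake_chain("example.net")),
}

if __name__ == "__main__":
    for name in ("example.net", "mail.example.net", "host.example.org"):
        print(name, "->", select_chain(SNI_TABLE, name)[0])
```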
</p> 18072 18073<p> This feature is available in Postfix 3.4 and later. </p> 18074 18075%PARAM lmtp_tls_servername 18076 18077<p> The LMTP-specific version of the smtp_tls_servername configuration 18078parameter. See there for details. </p> 18079 18080<p> This feature is available in Postfix 3.4 and later. </p> 18081 18082%PARAM maillog_file 18083 18084<p> The name of an optional logfile that is written by the Postfix 18085postlogd(8) service. An empty value selects logging to syslogd(8). 18086Specify "/dev/stdout" to select logging to standard output. Stdout 18087logging requires that Postfix is started with "postfix start-fg". 18088</p> 18089 18090<p> Note 1: The maillog_file parameter value must contain a prefix 18091that is specified with the maillog_file_prefixes parameter. </p> 18092 18093<p> Note 2: Some Postfix non-daemon programs may still log information 18094to syslogd(8), before they have processed their configuration 18095parameters and command-line options. </p> 18096 18097<p> This feature is available in Postfix 3.4 and later. </p> 18098 18099%PARAM postlog_service_name postlog 18100 18101<p> The name of the postlogd(8) service entry in master.cf. 18102This service appends logfile records to the file specified 18103with the maillog_file parameter. </p> 18104 18105<p> This feature is available in Postfix 3.4 and later. </p> 18106 18107%PARAM postlogd_watchdog_timeout 10s 18108 18109<p> How much time a postlogd(8) process may take to process a request 18110before it is terminated by a built-in watchdog timer. This is a 18111safety mechanism that prevents postlogd(8) from becoming non-responsive 18112due to a bug in Postfix itself or in system software. This limit 18113cannot be set under 10s. </p> 18114 18115<p> Specify a non-zero time value (an integral value plus an optional 18116one-letter suffix that specifies the time unit). Time units: s 18117(seconds), m (minutes), h (hours), d (days), w (weeks). 18118The default time unit is s (seconds). 
</p> 18119 18120<p> This feature is available in Postfix 3.4 and later. </p> 18121 18122%PARAM maillog_file_prefixes /var, /dev/stdout 18123 18124<p> A list of allowed prefixes for a maillog_file value. This is a 18125safety feature to contain the damage from a single configuration 18126mistake. Specify one or more prefix strings, separated by comma or 18127whitespace. </p> 18128 18129<p> This feature is available in Postfix 3.4 and later. </p> 18130 18131%PARAM maillog_file_compressor gzip 18132 18133<p> The program to run after rotating $maillog_file with "postfix 18134logrotate". The command is run with the rotated logfile name as its 18135first argument. </p> 18136 18137<p> This feature is available in Postfix 3.4 and later. </p> 18138 18139%PARAM maillog_file_rotate_suffix %Y%m%d-%H%M%S 18140 18141<p> The format of the suffix to append to $maillog_file while rotating 18142the file with "postfix logrotate". See strftime(3) for syntax. The 18143default suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently. 18144</p> 18145 18146<p> This feature is available in Postfix 3.4 and later. </p> 18147 18148%PARAM info_log_address_format external 18149 18150<p> The email address form that will be used in non-debug logging 18151(info, warning, etc.). As of Postfix 3.5 when an address localpart 18152contains spaces or other special characters, the localpart will be 18153quoted, for example: </p> 18154 18155<blockquote> 18156<pre> 18157 from=<"name with spaces"@example.com> 18158</pre> 18159</blockquote> 18160 18161<p> Older Postfix versions would log the internal (unquoted) form: </p> 18162 18163<blockquote> 18164<pre> 18165 from=<name with spaces@example.com> 18166</pre> 18167</blockquote> 18168 18169<p> The external and internal forms are identical for the vast 18170majority of email addresses that contain no spaces or other special 18171characters in the localpart. 
</p> 18172 18173<p> The logging in external form is consistent with the address 18174form that Postfix 3.2 and later prefer for most table lookups. This 18175is therefore the more useful form for non-debug logging. </p> 18176 18177<p> Specify "<b>info_log_address_format = internal</b>" for backwards 18178compatibility. </p> 18179 18180<p> Postfix uses the unquoted form internally, because an attacker 18181can specify an email address in different forms by playing games 18182with quotes and backslashes. An attacker should not be able to use 18183such games to circumvent Postfix access policies. </p> 18184 18185<p> This feature is available in Postfix 3.5 and later. </p> 18186 18187%PARAM smtpd_sasl_mechanism_filter !external, static:rest 18188 18189<p> If non-empty, a filter for the SASL mechanism names that the 18190Postfix SMTP server will announce in the EHLO response. By default, 18191the Postfix SMTP server will not announce the EXTERNAL mechanism, 18192because Postfix support for that is not implemented. </p> 18193 18194<p> Specify mechanism names, "/file/name" patterns, or "type:table" 18195lookup tables, separated by comma or whitespace. The right-hand 18196side result from "type:table" lookups is ignored. Specify "!pattern" 18197to exclude a mechanism name from the list. </p> 18198 18199<p> 18200Examples: 18201</p> 18202 18203<pre> 18204smtpd_sasl_mechanism_filter = !external, !gssapi, static:rest 18205smtpd_sasl_mechanism_filter = login, plain 18206smtpd_sasl_mechanism_filter = /etc/postfix/smtpd_mechs 18207</pre> 18208 18209<p> This feature is available in Postfix 3.6 and later. </p> 18210 18211%PARAM dnssec_probe ns:. 18212 18213<p> The DNS query type (default: "ns") and DNS query name (default: 18214".") that Postfix may use to determine whether DNSSEC validation 18215is available. 
18216</p> 18217 18218<p> Background: DNSSEC validation is needed for Postfix DANE support; 18219this ensures that Postfix receives TLSA records with secure TLS 18220server certificate info. When DNSSEC validation is unavailable, 18221mail deliveries using <i>opportunistic</i> DANE will not be protected 18222by server certificate info in TLSA records, and mail deliveries 18223using <i>mandatory</i> DANE will not be made at all. </p> 18224 18225<p> By default, a Postfix process will send a DNSSEC probe after 182261) the process made a DNS query that requested DNSSEC validation, 182272) the process did not receive a DNSSEC validated response to this 18228query or to an earlier query, and 3) the process did not already 18229send a DNSSEC probe. <p> 18230 18231<p> When the DNSSEC probe has no response, or when the response is 18232not DNSSEC validated, Postfix logs a warning that DNSSEC validation 18233may be unavailable. </p> 18234 18235<p> Example: </p> 18236 18237<pre> 18238warning: DNSSEC validation may be unavailable 18239warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated 18240warning: reason: dnssec_probe 'ns:.' received no response: Server failure 18241</pre> 18242 18243<p> Possible reasons why DNSSEC validation may be unavailable: </p> 18244 18245<ul> 18246 18247<li> The local /etc/resolv.conf file specifies a DNS resolver that 18248does not validate DNSSEC signatures (that's 18249$queue_directory/etc/resolv.conf when a Postfix daemon runs in a 18250chroot jail). 18251 18252<li> The local system library does not pass on the "DNSSEC validated" 18253bit to Postfix, or Postfix does not know how to ask the library to 18254do that. 18255 18256</ul> 18257 18258<p> By default, the DNSSEC probe asks for the DNS root zone NS 18259records, because resolvers should always have that information 18260cached. 
If Postfix runs on a network where the DNS root zone is not 18261reachable, specify a different probe, or specify an empty dnssec_probe 18262value to disable the feature. </p> 18263 18264<p> This feature is available in Postfix 3.6 and later. It was backported 18265to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. </p> 18266 18267%PARAM local_login_sender_maps static:* 18268 18269<p> A list of lookup tables that are searched by the UNIX login name, 18270and that return a list of allowed envelope sender patterns separated 18271by space or comma. These sender patterns are enforced by the Postfix 18272postdrop(1) command. The default is backwards-compatible: 18273every user may specify any sender envelope address. </p> 18274 18275<p> When no UNIX login name is available, the postdrop(1) command will 18276prepend "<b>uid:</b>" to the numerical UID and use that instead. </p> 18277 18278<p> This feature ignores address extensions in the user-specified 18279envelope sender address. </p> 18280 18281<p> The following sender patterns are special; these cannot be used 18282as part of a longer pattern. </p> 18283 18284<dl compact> 18285 18286<dt> <b> * </b> <dd> This pattern allows any envelope sender address. 18287</dd> 18288 18289<dt> <b> <> </b> </dt> <dd> This pattern allows the empty 18290envelope sender address. See the 18291empty_address_local_login_sender_maps_lookup_key configuration 18292parameter. </dd> 18293 18294<dt> <b> @</b><i>domain</i> </dt> <dd> This pattern allows an 18295envelope sender address when the '<b>@</b>' and <i>domain</i> part 18296match. </dd> 18297 18298</dl> 18299 18300<p> Examples: </p> 18301 18302<pre> 18303/etc/postfix/main.cf: 18304 # Allow root and postfix full control, anyone else can only 18305 # send mail as themselves. Use "uid:" followed by the numerical 18306 # UID when the UID has no entry in the UNIX password file. 
18307 local_login_sender_maps = 18308 inline:{ { root = * }, { postfix = * } }, 18309 pcre:/etc/postfix/login_senders 18310</pre> 18311 18312<pre> 18313/etc/postfix/login_senders: 18314 # Allow both the bare username and the user@domain forms. 18315 /(.+)/ $1 $1@example.com 18316</pre> 18317 18318<p> This feature is available in Postfix 3.6 and later. </p> 18319 18320%PARAM empty_address_local_login_sender_maps_lookup_key <> 18321 18322<p> 18323The lookup key to be used in local_login_sender_maps tables, instead 18324of the null sender address. 18325</p> 18326 18327<p> This feature is available in Postfix 3.6 and later. </p> 18328 18329%PARAM enable_threaded_bounces no 18330 18331<p> Enable non-delivery, success, and delay notifications that link 18332to the original message by including a References: and In-Reply-To: 18333header with the original Message-ID value. There are advantages and 18334disadvantages to consider. </p> 18335 18336<dl> 18337 18338<dt> <b> advantage </b> </dt> <dd> This allows mail readers to present 18339a delivery status notification in the same email thread as the original 18340message. </dd> 18341 18342<dt> <b> disadvantage </b> </dt> <dd> This makes it easy for users to 18343mistakenly delete the whole email thread (all related messages), 18344instead of deleting only the non-delivery notification. </dd> 18345 18346</dl> 18347 18348<p> This feature is available in Postfix 3.6 and later. </p> 18349 18350%PARAM smtpd_relay_before_recipient_restrictions see "postconf -d" output 18351 18352<p> Evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions. 18353Historically, smtpd_relay_restrictions was evaluated after 18354smtpd_recipient_restrictions, contradicting documented behavior. </p> 18355 18356<p> Background: the smtpd_relay_restrictions feature is primarily 18357designed to enforce a mail relaying policy, while 18358smtpd_recipient_restrictions is primarily designed to enforce spam 18359blocking policy. 
Both are evaluated while replying to the RCPT TO 18360command, and both support the same features. </p> 18361 18362<p> This feature is available in Postfix 3.6 and later. </p> 18363 18364%PARAM respectful_logging see 'postconf -d' output 18365 18366<p> Avoid logging that implies white is better than black. Instead 18367use 'allowlist', 'denylist', and variations of those words. </p> 18368 18369<p> This feature is available in Postfix 3.6 and later. </p> 18370 18371%PARAM known_tcp_ports lmtp=24, smtp=25, smtps=submissions=465, submission=587 18372 18373<p> Optional setting that avoids lookups in the services(5) database. 18374This feature was implemented to address inconsistencies in the name 18375of the port "465" service. The ABNF is: 18376</p> 18377 18378<blockquote> 18379<p> 18380known_tcp_ports = empty | name-to-port *("," name-to-port) <br> 18381name-to-port = 1*(service-name "=') port-number 18382</p> 18383</blockquote> 18384 18385<p> The comma is required. Whitespace is optional but it cannot appear 18386inside a service name or port number. </p> 18387 18388<p> This feature is available in Postfix 3.6 and later. </p> 18389 18390%PARAM smtpd_min_data_rate 500 18391 18392<p> The minimum plaintext data transfer rate in bytes/second for 18393DATA and BDAT requests, when deadlines are enabled with 18394smtpd_per_request_deadline. After a read operation transfers N 18395plaintext message bytes (possibly after TLS decryption), and after 18396the DATA or BDAT request deadline is decremented by the elapsed 18397time of that read operation, the DATA or BDAT request deadline is 18398incremented by N/smtpd_min_data_rate seconds. However, the deadline 18399will never be incremented beyond the time limit specified with 18400smtpd_timeout. </p> 18401 18402<p> This feature is available in Postfix 3.7 and later. 
</p>

%PARAM smtpd_per_request_deadline normal: no, overload: yes

<p> Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
time limits, from a time limit per plaintext or TLS read or write
call, to a combined time limit for receiving a complete SMTP request
and for sending a complete SMTP response. The deadline limits only
the time spent waiting for plaintext or TLS read or write calls,
not time spent elsewhere. The per-request deadline limits the impact
from hostile peers that trickle data one byte at a time. </p>

<p> See smtpd_min_data_rate for how the per-request deadline is
managed during the DATA and BDAT phase. </p>

<p> Note: when per-request deadlines are enabled, a short time limit
may cause problems with TLS over very slow network connections. The
reason is that a TLS protocol message can be up to 16 kbytes long
(with TLSv1), and that an entire TLS protocol message must be
transferred within the per-request deadline. </p>

<p> This feature is available in Postfix 3.7 and later. A weaker
feature, called smtpd_per_record_deadline, is available with Postfix
2.9-3.6. With older Postfix releases, the behavior is as if this
parameter is set to "no". </p>

%PARAM lmtp_min_data_rate 500

<p> The LMTP-specific version of the smtp_min_data_rate configuration
parameter. See there for details. </p>

<p> This feature is available in Postfix 3.7 and later. </p>

%PARAM lmtp_per_request_deadline no

<p> The LMTP-specific version of the smtp_per_request_deadline
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 3.7 and later.
</p>

%PARAM smtp_min_data_rate 500

<p> The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with smtp_per_request_deadline.
After a write operation transfers N plaintext message bytes (possibly
after TLS encryption), and after the DATA request deadline is
decremented by the elapsed time of that write operation, the DATA
request deadline is incremented by N/smtp_min_data_rate seconds.
However, the deadline will never be incremented beyond the time
limit specified with smtp_data_xfer_timeout. </p>

<p> This feature is available in Postfix 3.7 and later. </p>

%PARAM smtp_per_request_deadline no

<p> Change the behavior of the smtp_*_timeout time limits, from a
time limit per plaintext or TLS read or write call, to a combined
time limit for sending a complete SMTP request and for receiving a
complete SMTP response. The deadline limits only the time spent
waiting for plaintext or TLS read or write calls, not time spent
elsewhere. The per-request deadline limits the impact from hostile
peers that trickle data one byte at a time. </p>

<p> See smtp_min_data_rate for how the per-request deadline is
managed during the DATA phase. </p>

<p> Note: when per-request deadlines are enabled, a short time limit
may cause problems with TLS over very slow network connections. The
reason is that a TLS protocol message can be up to 16 kbytes long
(with TLSv1), and that an entire TLS protocol message must be
transferred within the per-request deadline. </p>

<p> This feature is available in Postfix 3.7 and later. A weaker
feature, called smtp_per_record_deadline, is available with Postfix
2.9-3.6.
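</p>

<p> The deadline arithmetic described above for smtpd_min_data_rate
(server side, read operations) and smtp_min_data_rate (client side,
write operations) is the same, so one model serves both. The
following is an added example, not Postfix code: it replays
constructed (elapsed-seconds, bytes) pairs through the rule "charge
the wait, then credit N/min_data_rate seconds, never above the
timeout", and contrasts it with the older per-record behavior in
which every read gets a fresh timeout. Function names, the traffic
patterns and the timings are assumptions made for the illustration;
the default values 500 bytes/second and 300 seconds are the
documented ones. </p>

```python
# Added example (not Postfix code): a model of the per-request deadline
# arithmetic documented for smtpd_min_data_rate / smtp_min_data_rate.
# Each element of `reads` is (elapsed_seconds, nbytes): how long one read
# (or write, on the client side) blocked and how many plaintext bytes it
# moved. `timeout` plays the role of smtpd_timeout (server) or
# smtp_data_xfer_timeout (client); `min_data_rate` that of
# smtpd_min_data_rate / smtp_min_data_rate. All timings are constructed.


def simulate_per_request(reads, min_data_rate=500, timeout=300):
    """Return ("completed", reads_done, bytes_moved) or
    ("timeout", failing_read_index, bytes_moved)."""
    deadline = float(timeout)      # time budget left for the whole DATA request
    moved = 0
    for i, (elapsed, nbytes) in enumerate(reads):
        if elapsed > deadline:     # the wait outlives the remaining budget
            return ("timeout", i, moved)
        deadline -= elapsed        # charge the time spent waiting
        # Credit N/min_data_rate seconds, but never beyond the configured limit.
        deadline = min(deadline + nbytes / min_data_rate, timeout)
        moved += nbytes
    return ("completed", len(reads), moved)


def simulate_per_record(reads, timeout=300):
    """Pre-3.7 behaviour (per-record deadline): every read gets a fresh
    `timeout`, so a peer that trickles bytes can hold a session indefinitely."""
    moved = 0
    for i, (elapsed, nbytes) in enumerate(reads):
        if elapsed > timeout:
            return ("timeout", i, moved)
        moved += nbytes
    return ("completed", len(reads), moved)


# Constructed traffic patterns (assumptions, not measurements).
TRICKLE = [(2.0, 1)] * 200         # 1 byte every 2 s: 0.5 B/s, far below 500 B/s
BULK = [(1.0, 65536)] * 100        # 64 KiB/s: every read refills the budget
SLOW_LINK = [(30.0, 10000)] * 40   # 333 B/s: below the minimum, budget drains

if __name__ == "__main__":
    for name, pattern in (("trickle", TRICKLE), ("bulk", BULK),
                          ("slow link", SLOW_LINK)):
        print(name, "per-record:", simulate_per_record(pattern),
              "per-request:", simulate_per_request(pattern))
```

<p> The trickle pattern is the case the feature exists for: under the
per-record rule it completes (each 2-second wait is far below the
300-second limit), under the per-request rule it is cut off after
about 300 seconds of wall-clock time. The slow-link pattern shows the
other side of the same rule: any peer whose sustained rate stays below
min_data_rate eventually exhausts the budget, which is why the TLS
caveat above matters on genuinely slow links, where one 16 kbyte TLS
record must still fit within the remaining deadline.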
</p>

%PARAM smtp_bind_address_enforce no

<p> Defer delivery when the Postfix SMTP client cannot apply the
smtp_bind_address or smtp_bind_address6 setting. By default, the
Postfix SMTP client will continue delivery after logging a warning.
</p>

<p> This feature is available in Postfix 3.7 and later. </p>

%PARAM lmtp_bind_address_enforce

<p> The LMTP-specific version of the smtp_bind_address_enforce
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 3.7 and later. </p>

%PARAM use_srv_lookup

<p> Enables discovery for the specified service(s) using DNS SRV
records. For example, with "use_srv_lookup = submission" and
"relayhost = example.com:submission", the Postfix SMTP client will
look up DNS SRV records for _submission._tcp.example.com, and will
relay email through the hosts and ports that are specified with
those records. See RFC 2782 for details of the host selection
process. </p>

<p> Specify zero or more service names separated by comma and/or
whitespace. Any name in the services(5) database may be specified,
though in practice only submission, submissions, and smtp make
sense. </p>

<p> When SRV record lookup is enabled with use_srv_lookup, you can
enclose a domain name in "[]" to force IP address lookup instead
of SRV record lookup. </p>

<p> Example 1: MUA-to-MTA submission using SRV record lookup for
the "submission" service for domain "example.com". This uses the
default SMTP delivery agent with STARTTLS, and looks up SRV records
for "_submission._tcp.example.com". </p>

<pre>
/etc/postfix/main.cf:
    use_srv_lookup = submission
    relayhost = example.com:submission
    smtp_tls_security_level = may
    ...see SASL_README for sasl configuration...
</pre>

<p> Example 2: MUA-to-MTA submission using SRV record lookup for
the "submissions" service for domain "example.org". This uses a
dedicated SMTP delivery agent (smtp-wraptls) with smtp_tls_wrappermode
turned on, and looks up SRV records for "_submissions._tcp.example.org".
</p>

<p> Note: specify the older name "smtps" instead of "submissions"
when a provider has DNS SRV records like "_smtps._tcp.example.org"
instead of "_submissions._tcp.example.org". </p>

<pre>
/etc/postfix/main.cf:
    use_srv_lookup = submissions
    default_transport = smtp-wraptls:example.org:submissions
    ...see SASL_README for sasl configuration...
</pre>

<pre>
/etc/postfix/master.cf:
    smtp-wraptls unix ... ... ... ... ... smtp
        -o { smtp_tls_wrappermode = yes }
        -o { smtp_tls_security_level = encrypt }
</pre>

<p> Example 3: Sender-dependent selection for a combination of
MUA-to-MTA submission services. This combines examples 1 and 2 with
examples of how to disable SRV and look up IP address records for
"smtp-relay.example.net" and "smtp-relay.other.example". Again,
specify the older name "smtps" instead of "submissions" when a
provider has DNS SRV records like "_smtps._tcp.example.org" instead
of "_submissions._tcp.example.org". </p>

<pre>
/etc/postfix/main.cf:
    use_srv_lookup = submission, submissions
    sender_dependent_default_transport_maps = inline:{
        # Destinations that support SRV record lookup.
        { user1@example.com = smtp:example.com:submission }
        { user2@example.org = smtp-wraptls:example.org:submissions }
        # Use [destination] to force IP address lookups.
        { user3@example.net = smtp:[smtp-relay.example.net]:submission }
        { user4@other.example =
            smtp-wraptls:[smtp-relay.other.example]:submissions } }
    ...see SASL_README for sasl configuration...
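</pre>

<p> Added example, not Postfix code: a model of the decision that
use_srv_lookup and the "[]" rule above describe (SRV lookup of
"_service._tcp.domain", or a plain host lookup when the host is
bracketed or the service is not listed), of the RFC 2782 ordering
applied to the records that come back, and of the known_tcp_ports
name=name=port syntax from its ABNF above, which supplies the port
when no SRV lookup happens. Nothing is queried from DNS: the SRV
records, host names (mail1.example.com and friends) and function names
are constructed for the illustration. </p>

```python
# Added example (not Postfix code): destination -> lookup plan, RFC 2782
# ordering of SRV answers, and a parser for the known_tcp_ports syntax.
# The SRV records below are constructed; nothing is queried from DNS.
import random


def parse_known_tcp_ports(text):
    """Parse 'lmtp=24, smtp=25, smtps=submissions=465' into {name: port}.
    Comma is the only list separator; whitespace around items is ignored,
    whitespace inside a name or port number is an error."""
    ports = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        *names, port = [p.strip() for p in item.split("=")]
        if not names or not port.isdigit() or any(" " in n or not n for n in names):
            raise ValueError("bad known_tcp_ports entry: %r" % item)
        for name in names:
            ports[name] = int(port)
    return ports


def parse_use_srv_lookup(text):
    """use_srv_lookup accepts names separated by comma and/or whitespace."""
    return set(text.replace(",", " ").split())


def plan_lookup(destination, use_srv_lookup, known_ports):
    """Return ("srv", "_service._tcp.domain") or ("host", hostname, port).
    A bracketed host disables SRV lookup, as does a service not listed in
    use_srv_lookup. A destination without a service (assumed) means "smtp"."""
    if destination.endswith("]") or ":" not in destination:
        host, service = destination, "smtp"
    else:
        host, _, service = destination.rpartition(":")
    port = int(service) if service.isdigit() else known_ports[service]
    if host.startswith("[") and host.endswith("]"):
        return ("host", host[1:-1], port)
    if service in use_srv_lookup:
        return ("srv", "_%s._tcp.%s" % (service, host))
    return ("host", host, port)


def order_srv_targets(records, rng=random):
    """RFC 2782 ordering: ascending priority; within one priority a weighted
    random draw with zero-weight records placed first in the candidate list.
    A single record whose target is "." means the service is not available."""
    if len(records) == 1 and records[0][3] == ".":
        return []
    ordered = []
    for priority in sorted({r[0] for r in records}):
        pool = sorted((r for r in records if r[0] == priority),
                      key=lambda r: r[1] != 0)          # zero weights first
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append((rec[3], rec[2]))    # (target, port)
                    pool.remove(rec)
                    break
    return ordered


# Constructed answers for _submission._tcp.example.com:
# (priority, weight, port, target)
SUBMISSION_SRV = [
    (20, 0, 587, "backup.example.com"),
    (10, 60, 587, "mail1.example.com"),
    (10, 40, 587, "mail2.example.com"),
]
DEFAULT_PORTS = parse_known_tcp_ports(
    "lmtp=24, smtp=25, smtps=submissions=465, submission=587")

if __name__ == "__main__":
    enabled = parse_use_srv_lookup("submission, submissions")
    for dest in ("example.com:submission", "[smtp-relay.example.net]:submission",
                 "example.com:smtp", "example.com"):
        print(dest, "->", plan_lookup(dest, enabled, DEFAULT_PORTS))
    print(order_srv_targets(SUBMISSION_SRV))
```

<p> The ordering function is where the weighted draw happens: the two
priority-10 hosts are tried first, mail1 about 60% of the time before
mail2, and the priority-20 backup only after both. When a provider
publishes the service under the older "_smtps" name, the plan_lookup
step is where "submissions" has to be replaced by "smtps", exactly as
the note above says. </p>

<pre>
; Constructed zone-file view of the records the example above orders
; (priority, weight, port, target); not real DNS data.
_submission._tcp.example.com. IN SRV 10 60 587 mail1.example.com.
_submission._tcp.example.com. IN SRV 10 40 587 mail2.example.com.
_submission._tcp.example.com. IN SRV 20  0 587 backup.example.com.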
</pre>

<p> Example 4: MTA-to-MTA traffic, using SRV record lookup for the
SMTP service. This is useful for Postfix tests, and may be useful
in environments where ports are dynamically assigned to servers.
</p>

<pre>
/etc/postfix/main.cf:
    use_srv_lookup = smtp
    # Fall back to MX record lookup when SRV records are unavailable.
    #allow_srv_lookup_fallback = yes
    #ignore_srv_lookup_error = yes
</pre>

<p> This feature is available in Postfix 3.8 and later. </p>

%PARAM ignore_srv_lookup_error no

<p> When SRV record lookup fails, fall back to MX or IP address
lookup as if SRV record lookup was not enabled. </p>

<p> This feature is available in Postfix 3.8 and later. </p>

%PARAM allow_srv_lookup_fallback no

<p> When SRV record lookup fails or no SRV record exists, fall back
to MX or IP address lookup as if SRV record lookup was not enabled. </p>

<p> This feature is available in Postfix 3.8 and later. </p>

%PARAM smtpd_client_ipv4_prefix_length 32

<p> Aggregate smtpd_client_*_count and smtpd_client_*_rate statistics
by IPv4 network blocks with the specified network prefix. Aggregation
uses fewer anvil(8) resources to maintain counters. By default
(prefix length 32, i.e. one counter per address), aggregation is
disabled for IPv4. </p>

<p> This feature is available in Postfix 3.8 and later. </p>

%PARAM smtpd_client_ipv6_prefix_length 84

<p> Aggregate smtpd_client_*_count and smtpd_client_*_rate statistics
by IPv6 network blocks with the specified network prefix. Aggregation
uses fewer anvil(8) resources to maintain counters. By default,
aggregation is enabled for IPv6. </p>

<p> This feature is available in Postfix 3.8 and later. </p>

%PARAM tls_config_name

<p> The application name passed by Postfix to OpenSSL library
initialization functions.
This name is used to select the desired
configuration "section" in the OpenSSL configuration file specified
via the tls_config_file parameter. When empty, or when the
selected name is not present in the configuration file, the default
application name ("openssl_conf") is used as a fallback. </p>

<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>

%PARAM tls_config_file default

<p> Optional configuration file with baseline OpenSSL settings.
OpenSSL loads any SSL settings found in the configuration file for
the selected application name (see tls_config_name) or else the
built-in application name "openssl_conf" when no application name is
specified, or no corresponding configuration section is present.
</p>

<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
Postfix) can neither specify an alternative configuration file, nor
avoid loading the default configuration file. </p>

<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
</p>

<dl>

<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
"openssl.cnf" configuration file. </dd>

<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
<dd> This setting disables loading of the system-wide "openssl.cnf"
file. </dd>

<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
<dd> Load the configuration file specified by <i>/absolute-path</i>.
With this setting it is an error for the file to not contain any
settings for the selected tls_config_name. There is no fallback to
the default "openssl_conf" name. </dd>

</dl>

<p> Failures in processing of the built-in default configuration file
are silently ignored.
Any errors in loading a non-default configuration
file are detected by Postfix, and cause TLS support to be disabled.
</p>

<p> The OpenSSL configuration file format is not documented here,
beyond giving two examples. </p>

<p> Example: Default settings for all applications. </p>

<blockquote>
<pre>
# The name 'openssl_conf' is the default application name
# The section name to the right of the '=' sign is arbitrary,
# any name will do, so long as it refers to the desired section.
#
# The name 'system_default' selects the settings applied internally
# by the SSL library as part of SSL object creation. Applications
# can then apply any additional settings of their choice.
#
# In this example, TLS versions prior to 1.2 are disabled by default.
#
openssl_conf = system_wide_settings
[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2
</pre>
</blockquote>

<p> Example: Custom settings for an application named "postfix". </p>

<blockquote>
<pre>
# The mapping from an application name to the corresponding configuration
# section must appear near the top of the file (in what is sometimes called
# the "default section") prior to the start of any explicitly named
# "[sections]". The named sections can appear in any order and don't nest.
#
postfix = postfix_settings
[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
</pre>
</blockquote>

<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20.
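</p>

<p> The two examples above chain four names together (application
name, "ssl_conf", "system_default", and the section that finally
holds MinProtocol), and the tls_config_name description says what
happens when the first link is missing: with the default file the
"openssl_conf" settings apply instead, with an explicit
/absolute-path it is an error. The following is an added example, not
Postfix or OpenSSL code, that walks that chain over a file assembled
from the two examples above so that the result of a given
tls_config_name can be checked before relying on it. It models only
the name chain (no variable expansion, .include directives or other
OpenSSL configuration modules); function names and the "dovecot"
lookup are assumptions made for the illustration. </p>

```python
# Added example (not Postfix or OpenSSL code): resolve which settings an
# application name selects in an OpenSSL configuration file, following
# application name -> section -> ssl_conf -> section -> system_default ->
# section, with the documented fallback to "openssl_conf". The file text is
# constructed from the two documented examples.

OPENSSL_CNF = """\
# default section: application name -> section mappings
openssl_conf = system_wide_settings
postfix = postfix_settings

[system_wide_settings]
ssl_conf = ssl_library_settings
[ssl_library_settings]
system_default = initial_ssl_settings
[initial_ssl_settings]
MinProtocol = TLSv1.2

[postfix_settings]
ssl_conf = postfix_ssl_settings
[postfix_ssl_settings]
system_default = baseline_postfix_settings
[baseline_postfix_settings]
MinProtocol = TLSv1
"""


def parse_openssl_cnf(text):
    """Return {section_name: {key: value}}. Keys that appear before the
    first [section] belong to the unnamed default section, stored as ""."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError("unparsable line: %r" % raw)
    return sections


def resolve_ssl_settings(sections, app_name, strict=False):
    """Settings applied at SSL object creation for `app_name`.
    strict=False mirrors tls_config_file=default: an unknown application
    name falls back to "openssl_conf". strict=True mirrors an explicit
    /absolute-path: an unknown name is an error, no fallback. An empty
    name is taken to mean "openssl_conf" in both modes (assumption)."""
    default = sections[""]
    if not app_name or app_name not in default:
        if strict and app_name:
            raise LookupError("no settings for application %r" % app_name)
        app_name = "openssl_conf"
    try:
        ssl_section = sections[default[app_name]]["ssl_conf"]
        return dict(sections[sections[ssl_section]["system_default"]])
    except KeyError as missing:
        raise LookupError("broken section chain at %s" % missing)


SECTIONS = parse_openssl_cnf(OPENSSL_CNF)

if __name__ == "__main__":
    for name in ("postfix", "", "dovecot"):
        print(repr(name), "->", resolve_ssl_settings(SECTIONS, name))
```

<p> Two things worth noticing from the output: a mistyped
tls_config_name (here "dovecot") silently lands on the
"openssl_conf" settings with the default file, and the "postfix"
section copied from the second example above lowers the floor from
TLSv1.2 to TLSv1 relative to the system-wide defaults, so the
application-specific section is not automatically the stricter one.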
</p>

%PARAM smtpd_forbid_bare_newline Postfix < 3.9: no

<p> Reply with "Error: bare <LF> received" and disconnect
when a remote SMTP client sends a line ending in <LF>, violating
the RFC 5321 requirement that lines must end in <CR><LF>.
This feature is disabled by default with Postfix < 3.9. Use
smtpd_forbid_bare_newline_exclusions to exclude non-standard clients
such as netcat. Specify "smtpd_forbid_bare_newline = no" to disable
(not recommended for an Internet-connected MTA). </p>

<p> See <a href="https://www.postfix.org/smtp-smuggling.html">
https://www.postfix.org/smtp-smuggling.html</a> for details. </p>

<p> Example: </p>

<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>

<p> This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23. </p>

%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks

<p> Exclude the specified clients from smtpd_forbid_bare_newline
enforcement. It uses the same syntax and parent-domain matching
behavior as mynetworks. </p>

<p> Example: </p>

<blockquote>
<pre>
# Disconnect remote SMTP clients that send bare newlines, but allow
# local clients with non-standard SMTP implementations such as netcat,
# fax machines, or load balancer health checks.
#
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
</pre>
</blockquote>

<p> This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9,
3.6.13, and 3.5.23.
</p>

%PARAM smtpd_forbid_unauth_pipelining Postfix ≥ 3.9: yes

<p> Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
command pipelining constraints. The server replies with "554 5.5.0
Error: SMTP protocol synchronization" and logs the unexpected remote
SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes"
to enable. This feature is enabled by default with Postfix ≥
3.9. </p>

<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6,
3.6.10, and 3.5.20. </p>
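<p> The bare-newline check that smtpd_forbid_bare_newline and
smtpd_forbid_bare_newline_exclusions describe above, as an added
example that is not Postfix code: it scans a captured DATA stream for
an <LF> that is not preceded by <CR>, and either rejects with the
documented reply text or lets the message through when the client
address is excluded. The exclusion list is modelled as the IP-address
and CIDR subset of mynetworks syntax only (host names, "!" negation
and table lookups are not handled); the message bytes, client
addresses and function names are constructed for the illustration.
The second message shows why the check exists: with "<LF>.<LF>" as
the end-of-data sequence, a server that accepts bare newlines would
treat the text that follows as a new mail transaction. </p>

```python
# Added example (not Postfix code): the smtpd_forbid_bare_newline check
# applied to a captured DATA stream, with smtpd_forbid_bare_newline_exclusions
# modelled as the IP/CIDR subset of mynetworks syntax. Inputs are constructed.
import ipaddress


def parse_exclusions(text):
    """Accept comma/whitespace separated addresses or CIDR blocks in
    mynetworks style, e.g. "127.0.0.0/8, [::1]/128"; a bare address
    becomes a /32 or /128 network."""
    nets = []
    for item in text.replace(",", " ").split():
        item = item.replace("[", "").replace("]", "")   # [::1]/128 -> ::1/128
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_excluded(client_ip, exclusions):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in exclusions)   # mixed families compare False


def bare_newline_offsets(data):
    """Byte offsets of every LF that is not immediately preceded by CR."""
    return [i for i, b in enumerate(data)
            if b == 0x0A and (i == 0 or data[i - 1] != 0x0D)]


def check_data_stream(client_ip, data, forbid=True, exclusions=()):
    """Return ("accept", offsets, None) or ("reject", offsets, reply_text).
    Offsets are reported even when accepting, so excluded clients that
    send bare newlines can still be found in logs."""
    offsets = bare_newline_offsets(data)
    if not offsets or not forbid or is_excluded(client_ip, exclusions):
        return ("accept", offsets, None)
    return ("reject", offsets, "Error: bare <LF> received")


# Constructed: a well-formed message, and a smuggling-style one whose
# end-of-data sequence is "<LF>.<LF>" followed by text that a lenient
# server would parse as a second mail transaction.
CLEAN = b"From: a@example.com\r\nTo: b@example.org\r\n\r\nhello\r\n.\r\n"
SMUGGLED = (b"From: a@example.com\r\nTo: b@example.org\r\n\r\nhello\n.\n"
            b"MAIL FROM:<spoof@example.org>\r\nRCPT TO:<victim@example.org>\r\n")
MYNETWORKS = parse_exclusions("127.0.0.0/8, [::1]/128, 192.0.2.0/24")

if __name__ == "__main__":
    print(check_data_stream("203.0.113.5", CLEAN, exclusions=MYNETWORKS))
    print(check_data_stream("203.0.113.5", SMUGGLED, exclusions=MYNETWORKS))
    print(check_data_stream("192.0.2.9", SMUGGLED, exclusions=MYNETWORKS))  # excluded
```

<p> The exclusion path is the part to keep an eye on: anything in
$mynetworks may still send bare newlines, so the offsets returned for
accepted messages are the evidence to look for when deciding whether
a health check or fax gateway actually needs the exemption. </p>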