diff options
Diffstat (limited to '')
-rw-r--r-- | html/postconf.5.html | 771 |
1 files changed, 598 insertions, 173 deletions
diff --git a/html/postconf.5.html b/html/postconf.5.html index dbb8cc8..0ac9b68 100644 --- a/html/postconf.5.html +++ b/html/postconf.5.html @@ -612,8 +612,14 @@ Examples: (default: see "postconf -d" output)</b></DT><DD> <p> -The alias databases that are used for <a href="local.8.html">local(8)</a> delivery. See -<a href="aliases.5.html">aliases(5)</a> for syntax details. +Optional lookup tables with aliases that apply only to <a href="local.8.html">local(8)</a> +recipients; this is unlike <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> that apply to all +recipients: <a href="local.8.html">local(8)</a>, virtual, and remote. +The table format and lookups are documented in <a href="aliases.5.html">aliases(5)</a>. For an +overview of Postfix address manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> +document. </p> + +<p> Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. @@ -2732,19 +2738,30 @@ name of the message delivery transport. <p> The default mail delivery transport and next-hop destination for -destinations that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, +the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> class: recipient domains that do not match +$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, -or $<a href="postconf.5.html#relay_domains">relay_domains</a>. This information can be overruled with the -<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> parameter and with the -<a href="transport.5.html">transport(5)</a> table. </p> +or $<a href="postconf.5.html#relay_domains">relay_domains</a>. This information will not be used when +<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> returns a result, and may +be overridden with the <a href="transport.5.html">transport(5)</a> table. </p> -<p> -In order of decreasing precedence, the nexthop destination is taken -from $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, $<a href="postconf.5.html#default_transport">default_transport</a>, -$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>, or from the recipient -domain. +<p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> class: <p> + +<ul> + +<li> <p> In order of decreasing precedence, the delivery transport +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>. </p> +<li> <p> In order of decreasing precedence, the nexthop destination +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. </p> + +</ul> + <p> Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i> is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>. @@ -3715,6 +3732,25 @@ This feature is available in Postfix 2.0 and later. </DD> +<DT><b><a name="force_mime_input_conversion">force_mime_input_conversion</a> +(default: no)</b></DT><DD> + +<p> Convert body content that claims to be 8-bit into quoted-printable, +before <a href="postconf.5.html#header_checks">header_checks</a>, <a href="postconf.5.html#body_checks">body_checks</a>, Milters, and before after-queue +content filters. This feature does not affect messages that are +sent into <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>. </p> + +<p> The typical use case is an MTA that applies this conversion +before signing outbound messages, so that the signatures will remain +valid when a message is later delivered to an MTA that does not +announce 8BITMIME support, or when a message line exceeds the SMTP +length limit. </p> + +<p> This feature is available in Postfix ≥ 3.9. </p> + + +</DD> + <DT><b><a name="fork_attempts">fork_attempts</a> (default: 5)</b></DT><DD> @@ -3797,7 +3833,7 @@ filtered with the character set that is specified with the <dd>The address extension delimiter that was found in the recipient address (Postfix 2.11 and later), or the 'first' delimiter specified with the system-wide recipient address extension delimiter (Postfix -3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was +3.5.22, 3.6.12, 3.7.8, 3.8.3 and later). Historically, this was always the system-wide recipient address extension delimiter (Postfix 2.10 and earlier). </dd> @@ -4154,12 +4190,17 @@ Specify 0 to disable the feature. Valid delays are 0..10. <DT><b><a name="inet_interfaces">inet_interfaces</a> (default: all)</b></DT><DD> -<p> The local network interface addresses that this mail system receives -mail on. Specify "all" to receive mail on all network -interfaces (default), and "loopback-only" to receive mail -on loopback network interfaces only (Postfix version 2.2 and later). The -parameter also controls delivery of mail to <tt>user@[ip.address]</tt>. -</p> +<p> The local network interface addresses that this mail system +receives mail on. Specify "all" to receive mail on all network +interfaces (default), "loopback-only" to receive mail on loopback +network interfaces only (Postfix version 2.2 and later), or zero +or more IPv4 or IPv6 addresses (IPv6 is supported in Postfix version +2.2 and later). The parameter also controls whether Postfix will +accept mail for <tt>user@[ip.address]</tt>, and prevents Postfix +from delivering mail to a host that has equal or larger MX preference. +Specify an empty value if Postfix does not receive mail over the +network, or if all network listeners have an explicit IP address +in <a href="master.5.html">master.cf</a>. </p> <p> Note 1: you need to stop and start Postfix when this parameter changes. @@ -4168,22 +4209,44 @@ Note 1: you need to stop and start Postfix when this parameter changes. <p> Note 2: address information may be enclosed inside <tt>[]</tt>, but this form is not required here. </p> -<p> When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies just one IPv4 and/or IPv6 address -that is not a loopback address, the Postfix SMTP client will use -this address as the IP source address for outbound mail. Support -for IPv6 is available in Postfix version 2.2 and later. </p> +<p> When <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> and/or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> are not +specified, the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> setting may constrain the source IP +address for an outbound SMTP or LMTP connection as described below. +</p> + +<p> The following text is specific to SMTP and IPv4. The same +reasoning applies to the IPv6 protocol, and to the Postfix LMTP +client. To disable IPv4 or IPv6 support in the Postfix SMTP and +LMTP client, use <a href="postconf.5.html#inet_protocols">inet_protocols</a>. </p> -<p> -On a multi-homed firewall with separate Postfix instances listening on the -"inside" and "outside" interfaces, this can prevent each instance from -being able to reach remote SMTP servers on the "other side" of the -firewall. Setting -<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> to 0.0.0.0 avoids the potential problem for -IPv4, and setting <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> to :: solves the problem -for IPv6. </p> +<ul> + +<li> <p> When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies one IPv4 address, and that +is not a loopback address, the Postfix SMTP client uses that as the +source address for outbound IPv4 connections. </p> + +<li> <p> Otherwise, the Postfix SMTP client does not constrain the +source IPv4 address, and connects using a system-chosen source IPv4 +address. This includes the cases where <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> is empty, +where it specifies <b>all</b>, or where it contains no IPv4 address, +one IPv4 address that is a loopback address, or multiple IPv4 +addresses. </p> + +</ul> + +<p> A Postfix SMTP client may fail to reach some remote SMTP servers +when the client source IP address is constrained explicitly with +<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a>, or implicitly with +<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>. This can happen when Postfix runs on a multi-homed +system such as a firewall, the Postfix SMTP source client IP address +is constrained to one specific network interface, and the remote +SMTP server must be reached through a different interface. Setting +<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> to 0.0.0.0 avoids the potential problem for IPv4, +and setting <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> to :: solves the problem for IPv6. +</p> <p> -A better solution for multi-homed firewalls is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> +A better solution for multi-homed systems is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> at the default value and instead use explicit IP addresses in the <a href="master.5.html">master.cf</a> SMTP server definitions. This preserves the Postfix SMTP client's @@ -4215,7 +4278,7 @@ Examples: </DD> <DT><b><a name="inet_protocols">inet_protocols</a> -(default: see 'postconf -d output')</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" @@ -4893,6 +4956,9 @@ configuration parameter. See there for details. </p> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> configuration parameter. See there for details. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.3 and later. </p> @@ -5295,6 +5361,15 @@ to the remote host. </DD> +<DT><b><a name="lmtp_sasl_password_result_delimiter">lmtp_sasl_password_result_delimiter</a> +(default: :)</b></DT><DD> + +<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> +configuration parameter. See there for details. </p> + + +</DD> + <DT><b><a name="lmtp_sasl_path">lmtp_sasl_path</a> (default: empty)</b></DT><DD> @@ -5594,6 +5669,17 @@ compiled and linked with OpenSSL 1.0.0 or later. </p> </DD> +<DT><b><a name="lmtp_tls_enable_rpk">lmtp_tls_enable_rpk</a> +(default: yes)</b></DT><DD> + +<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +configuration parameter. See there for details. </p> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="lmtp_tls_enforce_peername">lmtp_tls_enforce_peername</a> (default: yes)</b></DT><DD> @@ -5694,7 +5780,7 @@ configuration parameter. See there for details. </p> </DD> <DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a> -(default: see postconf -d output)</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter. See there for details. </p> @@ -5721,6 +5807,9 @@ configuration parameter. See there for details. </p> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> configuration parameter. See there for details. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#lmtp_tls_policy_maps">lmtp_tls_policy_maps</a> instead. </p> + <p> This feature is available in Postfix 2.3 and later. </p> @@ -5738,7 +5827,7 @@ configuration parameter. See there for details. </p> </DD> <DT><b><a name="lmtp_tls_protocols">lmtp_tls_protocols</a> -(default: see postconf -d output)</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> configuration parameter. See there for details. </p> @@ -5853,6 +5942,9 @@ parameter. See there for details. </p> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> configuration parameter. See there for details. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.3 and later. </p> @@ -6149,8 +6241,8 @@ until a match is found. <p> If this parameter is non-empty (the default), then the Postfix SMTP -server will reject mail for unknown local users. -</p> +server will reject mail for unknown local users. Other Postfix +interfaces may still accept an "unknown" recipient. </p> <p> To turn off local recipient checking in the Postfix SMTP server, @@ -6449,6 +6541,11 @@ and later.</dd> <dd>The domain part of the recipient address. </dd> +<dt><b>ENVID</b></dt> + +<dd>The optional <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> envelope ID. Available in Postfix version +3.9 and later</dd> + <dt><b>EXTENSION</b></dt> <dd>The optional address extension. </dd> @@ -6683,6 +6780,21 @@ first argument. </p> </DD> +<DT><b><a name="maillog_file_permissions">maillog_file_permissions</a> +(default: 0600)</b></DT><DD> + +<p> The file access permissions that will be set when the file +$<a href="postconf.5.html#maillog_file">maillog_file</a> is created for the first time, or when the file is +created after an existing file is rotated. Specify one of: <b>0600</b> +(only super-user read/write access), <b>0640</b> (adds 'group' read +access), or <b>0644</b> (also adds 'other' read access). The leading +'0' is optional. </p> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="maillog_file_prefixes">maillog_file_prefixes</a> (default: /var, /dev/stdout)</b></DT><DD> @@ -8326,9 +8438,9 @@ it passes the test, before it can talk to a real Postfix SMTP server. <DT><b><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (default: 30d)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful "bare newline" SMTP protocol test. During this -time, the client IP address is excluded from this test. The default +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a "bare newline" SMTP protocol test, before it +address is required to pass that test again. The default is long because a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. </p> @@ -8584,9 +8696,10 @@ defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dns <p> Specify a negative value to enable this feature. When a client passes the <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> without having failed other tests, all pending or disabled tests are flagged as -completed with a time-to-live value equal to <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>. -When a test was already completed, its time-to-live value is updated -if it was less than <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>. </p> +completed with an expiration time based on the DNS reply TTL. +When a test was already completed, its expiration time is updated +if it was less than the value based on the DNS reply TTL. See +also <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> and <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p> <p> This feature is available in Postfix 3.6 and later. </p> @@ -8599,9 +8712,9 @@ if it was less than <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dn <DT><b><a name="postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> (default: ${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b></DT><DD> -<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the -result from a successful DNS-based reputation test before a -client IP address is required to pass that test again. If the DNS +<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a +client IP address passed a DNS-based reputation test, before it is +required to pass that test again. If the DNS reply specifies a shorter TTL value, that value will be used unless it would be smaller than <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p> @@ -8619,9 +8732,9 @@ is backwards-compatible with older Postfix versions. </p> <DT><b><a name="postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (default: 60s)</b></DT><DD> -<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the -result from a successful DNS-based reputation test before a -client IP address is required to pass that test again. If the DNS +<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a +client IP address passed a DNS-based reputation test, before it +is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a>. </p> @@ -8762,9 +8875,9 @@ The default time unit is s (seconds). </p> <DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (default: 1h)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful DNS-based reputation test before a client -IP address is required to pass that test again. </p> +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a DNS-based reputation test, before it is required +to pass that test again. </p> <p> Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s @@ -8880,9 +8993,9 @@ value to disable this feature. </p> <DT><b><a name="postscreen_greet_ttl">postscreen_greet_ttl</a> (default: 1d)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful PREGREET test. During this time, the client IP address -is excluded from this test. The default is relatively short, because +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a PREGREET test, before it is required to pass +that test again. The default is relatively short, because a good client can immediately talk to a real Postfix SMTP server. </p> <p> Specify a non-zero time value (an integral value plus an optional @@ -8976,9 +9089,9 @@ test, before it can talk to a real Postfix SMTP server. </p> <DT><b><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (default: 30d)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful "non_smtp_command" SMTP protocol test. During this -time, the client IP address is excluded from this test. The default +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a "non_smtp_command" SMTP protocol test, before +it is required to pass that test again. The default is long because a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. </p> @@ -9044,9 +9157,9 @@ server. </p> <DT><b><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (default: 30d)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful "pipelining" SMTP protocol test. During this time, the -client IP address is excluded from this test. The default is +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a "pipelining" SMTP protocol test, before it is +required to pass that test again. The default is long because a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. </p> @@ -10136,13 +10249,24 @@ This feature is available in Postfix 2.0 and later. <p> The default mail delivery transport and next-hop destination for -remote delivery to domains listed with $<a href="postconf.5.html#relay_domains">relay_domains</a>. In order of -decreasing precedence, the nexthop destination is taken from -$<a href="postconf.5.html#relay_transport">relay_transport</a>, $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>, or -from the recipient domain. This information can be overruled with -the <a href="transport.5.html">transport(5)</a> table. +the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class: recipient domains that match +$<a href="postconf.5.html#relay_domains">relay_domains</a>. </p> + +<p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class: </p> + +<ul> + +<li> <p> In order of decreasing precedence, the message delivery +transport is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>. </p> +<li> <p> In order of decreasing precedence, the nexthop destination +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. </p> + +</ul> + <p> Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i> is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>. @@ -10166,13 +10290,31 @@ This feature is available in Postfix 2.0 and later. (default: empty)</b></DT><DD> <p> -The next-hop destination(s) for non-local mail; overrides non-local -domains in recipient addresses. This information is overruled with -<a href="postconf.5.html#relay_transport">relay_transport</a>, <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, -<a href="postconf.5.html#default_transport">default_transport</a>, <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> -and with the <a href="transport.5.html">transport(5)</a> table. +The next-hop destination(s) for non-local mail; takes precedence +over non-<a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a> in recipient addresses. This information +will not be used when the sender matches $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>. </p> +<p> In order of decreasing precedence: </p> + +<ul> + +<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class +(domains matching $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken +from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. <p> + +<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class +(domains that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, +$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, +or $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken from 1) +$<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or +$<a href="postconf.5.html#default_transport">default_transport</a>, 3) $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> +or the recipient domain. </p> + +</ul> + <p> On an intranet, specify the organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet @@ -10180,11 +10322,12 @@ gateway host instead. </p> <p> -In the case of SMTP or LMTP delivery, specify one or more destinations -in the form of a domain name, hostname, hostname:port, [hostname]:port, -[hostaddress] or [hostaddress]:port, separated by comma or whitespace. -The form [hostname] turns off MX lookups. Multiple destinations are -supported in Postfix 3.5 and later. +In the case of SMTP delivery, specify one or more destinations in +the form of a domain name, hostname, hostname:service, [hostname]:service, +[hostaddress] or [hostaddress]:service, separated by comma or whitespace. +The form [hostname] turns off MX or SRV lookups. Multiple destinations +are supported in Postfix 3.5 and later. Each destination is tried +in the specified order. </p> <p> @@ -10589,18 +10732,38 @@ address and @domain. A lookup result of DUNNO terminates the search without overriding the global <a href="postconf.5.html#default_transport">default_transport</a> parameter setting. This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p> -<p> -Specify zero or more "type:name" lookup tables, separated by -whitespace or comma. Tables will be searched in the specified order -until a match is found. +<p> This setting affects only the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class +(recipient domains that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, +$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, +or $<a href="postconf.5.html#relay_domains">relay_domains</a>): </p> + +<ul> + +<li> <p> In order of decreasing precedence, the delivery transport +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>. </p> +<li> <p> In order of decreasing precedence, the nexthop destination +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. </p> + +</ul> + <p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>. Specifically, this does not support the <a href="postconf.5.html#transport_maps">transport_maps</a> syntax for null transport, null nexthop, or null email addresses. </p> +<p> +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +</p> + <p> For safety reasons, this feature does not allow $number substitutions in regular expression maps. </p> @@ -10616,9 +10779,27 @@ substitutions in regular expression maps. </p> setting. The tables are searched by the envelope sender address and @domain. A lookup result of DUNNO terminates the search without overriding the global <a href="postconf.5.html#relayhost">relayhost</a> parameter setting (Postfix 2.6 and -later). This information is overruled with <a href="postconf.5.html#relay_transport">relay_transport</a>, -<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, <a href="postconf.5.html#default_transport">default_transport</a> and with -the <a href="transport.5.html">transport(5)</a> table. </p> +later). </p> + +<p> In order of decreasing precedence: </p> + +<ul> + +<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class +(domains matching $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken +from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. </p> + +<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class +(domains that do not match <a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, +$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, +$<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken from 1) +$<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or +$<a href="postconf.5.html#default_transport">default_transport</a>, 3) $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> +or the recipient domain. </p> + +</ul> <p> Specify zero or more "type:name" lookup tables, separated by @@ -10820,13 +11001,38 @@ IPv6 connectivity: </p> <ul> <li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv6" is unsafe. -It can fail to deliver mail when there is an outage that affects -IPv6, while the destination is still reachable over IPv4. </p> +All deliveries will suffer delays during an IPv6 outage, even +while the destination is still reachable over IPv4. Mail may be +stuck in the queue with Postfix versions < 3.3 that do not +implement "<a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a>". For similar reasons, the +setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv4" is also unsafe. </p> <li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = any" is safe. With -this, mail will eventually be delivered even if there is an outage +this, and "<a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a> = yes" (the default), only +half of deliveries will suffer delays if there is an outage that affects IPv6 or IPv4, as long as it does not affect both. </p> +<li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv4" is not a +solution for remote servers that flag email received over IPv6 as +more 'spammy' (the client IPv6 address has a bad or missing PTR or +AAAA record, bad network neighbors, etc.). Instead, configure Postfix +to receive mail over both IPv4 and IPv6, and to deliver mail over +only IPv4. </p> + +<blockquote> +<pre> +/etc/postfix/<a href="postconf.5.html">main.cf</a>: + <a href="postconf.5.html#inet_protocols">inet_protocols</a> = all +</pre> +</blockquote> + +<blockquote> +<pre> +/etc/postfix/<a href="master.5.html">master.cf</a> + smtp ...other fields... smtp -o <a href="postconf.5.html#inet_protocols">inet_protocols</a>=ipv4 +</pre> +</blockquote> + </ul> <p> This feature is available in Postfix 2.8 and later. </p> @@ -12295,6 +12501,9 @@ If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host. </p> +<p> Use <a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> to specify an +alternative separator between username and password. </p> + <p> The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix. @@ -12309,6 +12518,18 @@ until a match is found. </DD> +<DT><b><a name="smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> +(default: :)</b></DT><DD> + +<p> The delimiter between username and password in sasl_passwd_maps lookup +results. Specify one non-whitespace character that does not appear in +the username. </p> + +<p> This feature is available in Postfix ≥ 3.9. </p> + + +</DD> + <DT><b><a name="smtp_sasl_path">smtp_sasl_path</a> (default: empty)</b></DT><DD> @@ -13035,6 +13256,86 @@ compiled and linked with OpenSSL 1.0.0 or later. </p> </DD> +<DT><b><a name="smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +(default: no)</b></DT><DD> + +<p> Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key +instead of an X.509 certificate. This feature and the enable_rpk +policy attribute are ignored when there is no raw public key support +in the local TLS implementation. </p> + +<ul> + +<li> <p> At the "may", "encrypt" and "fingerprint" security levels, +with parameter setting "<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes" or with "enable_rpk += yes" in a policy entry, the Postfix SMTP client will indicate in +the TLS handshake that it prefers to receive a raw server public +key, but it will still accept a server public key certificate. </p> + +<li> <p> At the "fingerprint" security level, with parameter setting +"<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes" or with "enable_rpk = yes" in a policy +entry, server authentication based on certificate fingerprints +becomes more fragile. Even if the server private key and certificate +remain unchanged, the remote SMTP server will fail fingerprint +authentication (won't match the configured list of fingerprints) +when it starts sending a raw public key instead of a certificate, +after its TLS implementation is updated with raw public key support. +Therefore, <b>DO NOT</b> enable raw public keys to remote destinations +authenticated by server <b>certificate</b> fingerprints. You should +enable raw public keys only for servers matched via their public +key fingerprint. </p> + +<li> <p> At the "verify" and "secure" security levels, the Postfix +SMTP client always ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +or the enable_rpk policy attribute. </p> + +<li> <p> At the opportunistic "dane" security level, the Postfix +SMTP client ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> or +the enable_rpk policy attribute (but it will respect them when it +falls back to the "may" or "encrypt" level). When all valid TLSA +records specify only server public keys (no certificates) and the +local TLS implementation supports raw public keys, the client will +indicate in the TLS handshake that it prefers to receive a raw +public key, but it will still accept a public key certificate. </p> + +<li> <p> At the mandatory "dane-only" security level, the Postfix +SMTP client always ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +or the enable_rpk policy attribute. When all valid TLSA records +specify only server public keys (no certificates) and the local TLS +implementation supports raw public keys, the client will indicate +in the TLS handshake that it prefers to receive a raw public key, +but it will still accept a public key certificate. </p> + +</ul> + +<p>The Postfix SMTP client is always willing to send raw public keys +to servers that solicit them when a client certificate is configured +and the local TLS implementation supports raw public keys. </p> + +<p> Sample commands to compute certificate and public key SHA256 digests: </p> + +<pre> +# SHA256 digest of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c +</pre> + +<pre> +# SHA256 digest of the SPKI of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -pubkey -noout | + openssl pkey -pubin -outform DER | openssl dgst -sha256 -c +</pre> + +<pre> +# SHA256 digest of the SPKI of the first private key in "pkey.pem" +$ openssl pkey -in pkey.pem -pubout -outform DER | + openssl dgst -sha256 -c +</pre> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (default: yes)</b></DT><DD> @@ -13296,7 +13597,9 @@ verification errors if server certificate verification is not required. With Postfix 2.8 and earlier, log the summary message and unconditionally log trust-chain verification errors. </dd> -<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> +<dt> </dt> <dd> 2 Also enable verbose logging in the Postfix TLS +library, log session cache operations, and enable OpenSSL logging +of the progress of the SSL handshake. </dd> <dt> </dt> <dd> 3 Also log the hexadecimal and ASCII dump of the TLS negotiation process. </dd> @@ -13546,11 +13849,13 @@ lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd> <dt> MAY </dt> <dd> Try to use TLS if the server announces support, -otherwise use an unencrypted connection. This has less precedence +otherwise use an unencrypted connection; after a failed TLS handshake +or TLS session, fall back to plaintext if the message has spent +<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> in the mail queue. This level has less precedence than a more specific result (including <b>NONE</b>) from the alternate host or next-hop lookup key, and has less precedence than the more specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> -= yes". </dd> += yes". </dd> <dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not require that the remote SMTP server hostname matches the information @@ -13643,28 +13948,35 @@ security are: </p> <dd>Opportunistic TLS. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces interoperability. The optional "ciphers", "exclude", and "protocols" -attributes (available for opportunistic TLS with Postfix ≥ 2.6) -and "connection_reuse" attribute (Postfix ≥ 3.4) override the +attributes (available for opportunistic TLS with Postfix ≥ 2.6) and +"connection_reuse" attribute (Postfix ≥ 3.4) override the "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>", -and -"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. In the policy table, -multiple ciphers, protocols or excluded ciphers must be separated by colons, -as attribute values may not contain whitespace or commas. When opportunistic -TLS handshakes fail, Postfix retries the connection with TLS disabled. -This allows mail delivery to sites with non-interoperable TLS -implementations.</dd> +and "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. In the policy +table, multiple ciphers, protocols or excluded ciphers must be separated +by colons, as attribute values may not contain whitespace or commas. At +this level and higher, the optional "servername" attribute (available +with Postfix ≥ 3.4) overrides the global "<a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a>" +parameter, enabling per-destination configuration of the SNI extension +sent to the remote SMTP server. The optional "enable_rpk" attribute +(Postfix ≥ 3.9) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. +When opportunistic TLS handshakes fail, Postfix retries the connection +with TLS disabled. This allows mail delivery to sites with +non-interoperable TLS implementations.</dd> <dt><b><a href="TLS_README.html#client_tls_encrypt">encrypt</a></b></dt> -<dd>Mandatory TLS encryption. At this level -and higher, the optional "protocols" attribute overrides the <a href="postconf.5.html">main.cf</a> +<dd>Mandatory TLS encryption. Mail is delivered only if the remote SMTP +server offers STARTTLS and the TLS handshake succeeds. At this level and +higher, the optional "protocols" attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter, the optional "ciphers" attribute -overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, the -optional "exclude" attribute (Postfix ≥ 2.6) overrides the <a href="postconf.5.html">main.cf</a> +overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, the optional +"exclude" attribute (Postfix ≥ 2.6) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> parameter, and the optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the -<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. In the policy table, -multiple ciphers, protocols or excluded ciphers must be separated by colons, -as attribute values may not contain whitespace or commas. </dd> +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. In the policy table, multiple +ciphers, protocols or excluded ciphers must be separated by colons, as +attribute values may not contain whitespace or commas. The optional +"enable_rpk" attribute (Postfix ≥ 3.9) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. </dd> <dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt> <dd>Opportunistic DANE TLS. The TLS policy for the destination is @@ -13709,10 +14021,10 @@ configuration parameters. The optional "connection_reuse" attribute verification. Available with Postfix 2.5 and later. At this security level, there are no trusted Certification Authorities. The certificate trust chain, expiration date, ... are not checked. Instead, -the optional "match" attribute, or else the <a href="postconf.5.html">main.cf</a> +the optional policy table "match" attribute, or else the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a></b> parameter, lists the certificate -fingerprints or the public key fingerprint (Postfix 2.9 and later) -of the valid server certificate. The digest +fingerprints or the public key fingerprints (Postfix 2.9 and later) +of acceptable server certificates. The digest algorithm used to calculate the fingerprint is selected by the <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b> parameter. Multiple fingerprints can be combined with a "|" delimiter in a single match attribute, or multiple @@ -13723,45 +14035,58 @@ digits. The optional "ciphers", "exclude", and "protocols" attributes "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional "connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> -parameter. </dd> +parameter. The optional "enable_rpk" attribute (Postfix ≥ 3.9) +overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. </dd> <dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt> -<dd>Mandatory TLS verification. At this security -level, DNS MX lookups are trusted to be secure enough, and the name -verified in the server certificate is usually obtained indirectly via -unauthenticated DNS MX lookups. The optional "match" attribute overrides -the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter. In the policy table, -multiple match patterns and strategies must be separated by colons. -In practice explicit control over matching is more common with the -"secure" policy, described below. The optional "ciphers", "exclude", -and "protocols" attributes (Postfix ≥ 2.6) override the -"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and -"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> -<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> +<dd>Mandatory TLS verification. Mail is delivered only if the TLS +handshake succeeds, the remote SMTP server certificate chain can be +validated, and a DNS name in the certificate matches the specified match +criteria. At this security level, DNS MX lookups are presumed to be +secure enough, and the name verified in the server certificate is +potentially obtained via unauthenticated DNS MX lookups. The optional +"match" attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> +parameter. In the policy table, multiple match patterns and strategies +must be separated by colons. In practice explicit control over matching +is more common with the "secure" policy, described below. The optional +"ciphers", "exclude", and "protocols" attributes (Postfix ≥ 2.6) +override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", +"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" +configuration parameters. With Postfix ≥ 2.11 the optional "tafile" +policy table attribute modifies trust chain verification in the same +manner as the "<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile" +attribute may be specified multiple times to load multiple trust-anchor +files. The optional "connection_reuse" attribute (Postfix ≥ 3.4) +overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> <dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt> -<dd>Secure-channel TLS. At this security level, DNS -MX lookups, though potentially used to determine the candidate next-hop -gateway IP addresses, are <b>not</b> trusted to be secure enough for TLS -peername verification. Instead, the default name verified in the server -certificate is obtained directly from the next-hop, or is explicitly -specified via the optional "match" attribute which overrides the -<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. In the policy table, -multiple match patterns and strategies must be separated by colons. -The match attribute is most useful when multiple domains are supported by -a common server: the policy entries for additional domains specify matching -rules for the primary domain certificate. While transport table overrides -that route the secondary domains to the primary nexthop also allow secure -verification, they risk delivery to the wrong destination when domains -change hands or are re-assigned to new gateways. With the "match" -attribute approach, routing is not perturbed, and mail is deferred if -verification of a new MX host fails. The optional "ciphers", "exclude", -and "protocols" attributes (Postfix ≥ 2.6) override the -"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and -"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> -<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> +<dd>Secure certificate verification. Mail is delivered only if the TLS +handshake succeeds, the remote SMTP server certificate chain can be +validated, and a DNS name in the certificate matches the specified match +criteria. At this security level, DNS MX lookups, though potentially +used to determine the candidate next-hop gateway IP addresses, are +<b>not</b> presumed to be secure enough for TLS peername verification. +Instead, the default name verified in the server certificate is obtained +directly from the next-hop, or is explicitly specified via the optional +"match" attribute which overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> +parameter. In the policy table, multiple match patterns and strategies +must be separated by colons. The match attribute is most useful when +multiple domains are supported by a common server: the policy entries +for additional domains specify matching rules for the primary domain +certificate. While transport table overrides that route the secondary +domains to the primary nexthop also allow secure verification, they risk +delivery to the wrong destination when domains change hands or are +re-assigned to new gateways. With the "match" attribute approach, +routing is not perturbed, and mail is deferred if verification of a new +MX host fails. The optional "ciphers", "exclude", and "protocols" +attributes (Postfix ≥ 2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", +"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" +configuration parameters. With Postfix ≥ 2.11 the "tafile" attribute +optionally modifies trust chain verification in the same manner as the +"<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile" attribute may be +specified multiple times to load multiple trust-anchor files. The +optional "connection_reuse" attribute (Postfix ≥ 3.4) overrides the +<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> </dl> @@ -13807,7 +14132,7 @@ configurations in environments where DNS security is not assured. </p> </DD> <DT><b><a name="smtp_tls_protocols">smtp_tls_protocols</a> -(default: see postconf -d output)</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption. In <a href="postconf.5.html">main.cf</a> the values are separated by @@ -13975,7 +14300,9 @@ destinations via <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_ <dt><b><a href="TLS_README.html#client_tls_may">may</a></b></dt> <dd> Opportunistic TLS. Use TLS if this is supported by the remote -SMTP server, otherwise use plaintext. Since +SMTP server, otherwise use plaintext; after a failed TLS handshake +or TLS session, fall back to plaintext if the message has spent +<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> in the mail queue. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces interoperability. The "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" (Postfix ≥ 2.6) @@ -14896,9 +15223,8 @@ pubkey_fingerprint } } </dd> <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> -<dd>Search the specified access database for the client hostname, -parent domains, client IP address, or networks obtained by stripping -least significant octets. See the <a href="access.5.html">access(5)</a> manual page for details. </dd> +<dd>Search the specified access database for the client hostname +or IP address. See the <a href="access.5.html">access(5)</a> manual page for details. </dd> <dt><b><a name="check_client_a_access">check_client_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> @@ -14929,8 +15255,7 @@ available in Postfix 2.7 and later. </dd> <dt><b><a name="check_reverse_client_hostname_access">check_reverse_client_hostname_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dd>Search the specified access database for the unverified reverse -client hostname, parent domains, client IP address, or networks -obtained by stripping least significant octets. See the <a href="access.5.html">access(5)</a> +client hostname or IP address. See the <a href="access.5.html">access(5)</a> manual page for details. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from denylists. This feature is available in Postfix 2.6 @@ -15527,6 +15852,9 @@ server. This option is therefore off by default. </p> STARTTLS due to insufficient privileges to access the server private key. This is intended behavior. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p> @@ -15588,8 +15916,8 @@ received with the ETRN command. <dt><b><a name="check_etrn_access">check_etrn_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> -<dd>Search the specified access database for the ETRN domain name -or its parent domains. See the <a href="access.5.html">access(5)</a> manual page for details. +<dd>Search the specified access database for the ETRN domain name. +See the <a href="access.5.html">access(5)</a> manual page for details. </dd> </dl> @@ -15641,7 +15969,7 @@ This feature is available in Postfix 2.0 and later. </DD> <DT><b><a name="smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> -(default: Postfix < 3.9: no)</b></DT><DD> +(default: Postfix ≥ 3.9: normalize)</b></DT><DD> <p> Reject or restrict input lines from an SMTP client that end in <LF> instead of the standard <CR><LF>. Such line @@ -15654,7 +15982,8 @@ SMTP smuggling</a>. </p> <dl compact> -<dt> <b>normalize</b></dt> <dd> Require the standard +<dt> <b>normalize</b> (default for Postfix ≥ 3.9) </dt> +<dd> Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Otherwise, allow command or message content lines ending in the non-standard <LF>, and process them as if the client sent the @@ -15666,6 +15995,13 @@ with the standard End-of-DATA sequence <CR><LF>.<CR><LF>. <br> <br> Such clients can be excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd> +<dt> <b>note</b> </dt> <dd> Same as "normalize", but also notes in +the log whether the Postfix SMTP server received any lines with +"bare <LF>". The information is formatted as "<tt>disconnect +from name[address] ... notes=bare_lf</tt>". The notes value is +expected to become a list of comma-separated names. <br> <br> This +feature is available in Postfix 3.9 and later. </dd> + <dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd> <dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA @@ -15684,8 +16020,8 @@ of BDAT violations, BDAT can be selectively disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>). </dd> -<dt> <b>no</b> (default)</dt> <dd> Do not require the standard -End-of-DATA +<dt> <b>no</b> (default for Postfix < 3.9) </dt> +<dd> Do not require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Always process a bare <LF> as if the client sent <CR><LF>. This option is fully backwards compatible, but is not recommended for @@ -15793,9 +16129,9 @@ Specify a 5XX status code (521 to disconnect). <p> Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321) command pipelining constraints. The server replies with "554 5.5.0 Error: SMTP protocol synchronization" and logs the unexpected remote -SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes" -to enable. This feature is enabled by default with Postfix ≥ -3.9. </p> +SMTP client input. This feature is enabled by default with Postfix +≥ 3.9. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = no" to disable. +</p> <p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20. </p> @@ -15899,7 +16235,7 @@ received with the HELO or EHLO command. <dt><b><a name="check_helo_access">check_helo_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dd>Search the specified <a href="access.5.html">access(5)</a> database for the HELO or EHLO -hostname or parent domains, and execute the corresponding action. +hostname, and execute the corresponding action. Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can simply skip <a href="postconf.5.html#check_helo_access">check_helo_access</a> by not sending HELO or EHLO). </dd> @@ -16563,8 +16899,7 @@ that is received with the RCPT TO command. <dt><b><a name="check_recipient_access">check_recipient_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dd>Search the specified <a href="access.5.html">access(5)</a> database for the resolved RCPT -TO address, domain, parent domains, or localpart@, and execute the -corresponding action. </dd> +TO address, and execute the corresponding action. </dd> <dt><b><a name="check_recipient_a_access">check_recipient_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> @@ -16993,7 +17328,7 @@ The same restrictions are available as documented under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>. </p> -<p> This feature is available in Postix 2.10 and later. </p> +<p> This feature is available in Postfix 2.10 and later. </p> </DD> @@ -17411,8 +17746,7 @@ received with the MAIL FROM command. <dt><b><a name="check_sender_access">check_sender_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dd>Search the specified <a href="access.5.html">access(5)</a> database for the MAIL FROM -address, domain, parent domains, or localpart@, and execute the -corresponding action. </dd> +address, and execute the corresponding action. </dd> <dt><b><a name="check_sender_a_access">check_sender_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> @@ -18316,6 +18650,53 @@ where EC algorithms have not been disabled by the vendor. </p> </DD> +<DT><b><a name="smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> +(default: no)</b></DT><DD> + +<p> Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key +instead of an X.509 certificate, when asking for or requiring client +authentication. This feature is ignored when there is no raw public +key support in the local TLS implementation. </p> + +<p> The Postfix SMTP server will log a warning when "<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> += yes", but the remote SMTP client sends a certificate, the +certificate's public key fingerprint does not match a <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> +table, while the certificate fingerprint does match a <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> +table. The remote SMTP client would lose access when it starts +sending a raw public key instead of a certificate, after its TLS +implementation is updated with raw public key support. </p> + +<p> The Postfix SMTP server always sends a raw public key instead +of a certificate, if solicited by the remote SMTP client and the +local TLS implementation supports raw public keys. If the client +sends a server name indication with an SNI TLS extension, and +<a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> is configured, the server will extract a raw +public key from the indicated certificate. </p> + +<p> Sample commands to compute certificate and public key SHA256 digests: </p> + +<pre> +# SHA256 digest of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c +</pre> + +<pre> +# SHA256 digest of the SPKI of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -pubkey -noout | + openssl pkey -pubin -outform DER | openssl dgst -sha256 -c +</pre> + +<pre> +# SHA256 digest of the SPKI of the first private key in "pkey.pem" +$ openssl pkey -in pkey.pem -pubout -outform DER | + openssl dgst -sha256 -c +</pre> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (default: empty)</b></DT><DD> @@ -18472,7 +18853,9 @@ if client certificate verification is not required. With Postfix 2.8 and earlier, log the summary message, peer certificate summary information and unconditionally log trust-chain verification errors. </dd> -<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> +<dt> </dt> <dd> 2 Also enable verbose logging in the Postfix TLS +library, log session cache operations, and enable OpenSSL logging +of the progress of the SSL handshake. </dd> <dt> </dt> <dd> 3 Also log hexadecimal and ASCII dump of TLS negotiation process. </dd> @@ -18655,7 +19038,7 @@ releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2). </p> </DD> <DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a> -(default: see postconf -d output)</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption. If the list is empty, the server supports all available @@ -18931,6 +19314,9 @@ but do not require that clients use TLS encryption. </p> STARTTLS due to insufficient privileges to access the server private key. This is intended behavior. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p> @@ -19438,8 +19824,7 @@ via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. selected name is not present in the configuration file, the default application name ("openssl_conf") is used as a fallback. </p> -<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, -3.6.10, and 3.5.20. </p> +<p> This feature is available in Postfix ≥ 3.9. </p> </DD> @@ -20356,6 +20741,9 @@ to configure tlsproxy client keys and certificates is via the See <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> for further details. Use <a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p> + <p> This feature is available in Postfix 3.4 and later. </p> @@ -20427,6 +20815,9 @@ value. </p> usage policy by next-hop destination and by remote TLS server hostname. See <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> for further details. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> instead. </p> + <p> This feature is available in Postfix 3.4 and later. </p> @@ -20488,6 +20879,9 @@ was previously called <a href="postconf.5.html#tlsproxy_client_level">tlsproxy_c support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further details. Use <a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p> + <p> This feature is available in Postfix 3.4 and later. </p> @@ -20500,6 +20894,9 @@ support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> for further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.8 and later. </p> @@ -20632,6 +21029,8 @@ private DSA key. DSA is obsolete and should not be used. See should use with non-export EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> for further details. </p> +<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p> + <p> This feature is available in Postfix 2.8 and later. </p> @@ -20704,11 +21103,25 @@ the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files elliptic-curve Diffie-Hellman (EECDH) key exchange. See <a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p> +<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p> + <p> This feature is available in Postfix 2.8 and later. </p> </DD> +<DT><b><a name="tlsproxy_tls_enable_rpk">tlsproxy_tls_enable_rpk</a> +(default: $<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>)</b></DT><DD> + +<p> Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key +instead of an X.509 certificate, when asking or requiring client +authentication. See $<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> for details. </p> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a> (default: $<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b></DT><DD> @@ -20856,6 +21269,9 @@ shared by all three services, namely <a href="postconf.5.html#smtpd_tls_session_ but do not require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> for further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.8 and later. </p> @@ -21100,7 +21516,14 @@ built-in suffix (in this case: "_initial_destination_concurrency"). <p> Optional lookup tables with mappings from recipient address to (message delivery transport, next-hop destination). See <a href="transport.5.html">transport(5)</a> -for details. +for syntax details. +</p> + +<p> This information may override the message delivery transport +and/or next-hop destination that are specified with $<a href="postconf.5.html#local_transport">local_transport</a>, +$<a href="postconf.5.html#virtual_transport">virtual_transport</a>, $<a href="postconf.5.html#relay_transport">relay_transport</a>, $<a href="postconf.5.html#default_transport">default_transport</a>, +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>, +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, or the recipient domain. </p> <p> @@ -21735,7 +22158,7 @@ This feature is available in Postfix 1.1 and later. <p> The maximal length of an email address after virtual alias expansion. -This stops virtual aliasing loops that increase the address length +This stops <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> loops that increase the address length exponentially. </p> @@ -21814,8 +22237,10 @@ This feature is available in Postfix 2.1 and later. (default: $<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b></DT><DD> <p> -Optional lookup tables that alias specific mail addresses or domains -to other local or remote addresses. The table format and lookups +Optional lookup tables with aliases that apply to all recipients: +<a href="local.8.html">local(8)</a>, virtual, and remote; this is unlike <a href="postconf.5.html#alias_maps">alias_maps</a> that apply +only to <a href="local.8.html">local(8)</a> recipients. +The table format and lookups are documented in <a href="virtual.5.html">virtual(5)</a>. For an overview of Postfix address manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document. </p> |