Diffstat (limited to '')
59 files changed, 3037 insertions, 1402 deletions
diff --git a/html/ADDRESS_CLASS_README.html b/html/ADDRESS_CLASS_README.html index ec46627..179d13d 100644 --- a/html/ADDRESS_CLASS_README.html +++ b/html/ADDRESS_CLASS_README.html @@ -52,20 +52,25 @@ address classes are very important for the operation of Postfix. </p> <ul> <li> <p> The list of domains that are a member of that address -class: for example, all <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a>, or all <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a>. </p> +class. </p> + +<p> Examples: all <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a>, or all <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a>. </p> + +<li> <p> The default delivery transport for domains in that address +class. </p> + +<p> Examples: <a href="postconf.5.html#local_transport">local_transport</a> or <a href="postconf.5.html#relay_transport">relay_transport</a> (these point +to services defined in <a href="master.5.html">master.cf</a>). </p> -<li> <p> The default delivery transport for that address class. For -example, the local, -virtual or relay delivery transport (delivery transports are defined -in <a href="master.5.html">master.cf</a>). This helps to keep Postfix configurations simple, -by avoiding the need for explicit routing information in transport -maps. </p> +<p> Benefit: this avoids the need for explicit routing information +in transport maps. </p> <li> <p> The list of valid recipient addresses for that address -class. The Postfix SMTP server rejects invalid recipients with -"User unknown in <name of address class here> table". This -helps to keep the Postfix queue free of undeliverable MAILER-DAEMON -messages. </p> +class. </p> + +<p> Benefit: the Postfix SMTP server rejects an invalid recipient +with "User unknown in <name of address class> table", and +avoids sending a MAILER-DAEMON message with backscatter spam. </p> </ul> 
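Review bot: In the third list item of the -52,20 hunk, the new benefit sentence "avoids sending a MAILER-DAEMON message with backscatter spam" is ambiguous: it can be read as the bounce carrying spam, or as the bounce itself being the backscatter. Suggest rewording so that the bounce is clearly the backscatter, for example "and avoids becoming a source of backscatter (MAILER-DAEMON messages for mail that should have been rejected)". The removed text also stated that recipient validation keeps the Postfix queue free of undeliverable MAILER-DAEMON messages; that operational benefit is dropped here and is worth keeping as a second clause.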
@@ -92,12 +97,12 @@ This domain class also includes mail for <i>user@[ipaddress]</i> when the IP address is listed with the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or <a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> parameters. </p> -<li> <p> Valid recipient addresses are listed with the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> -parameter, as described in <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>. The Postfix SMTP -server rejects invalid recipients with "User unknown in local -recipient table". If the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter value is -empty, then the Postfix SMTP server accepts any address in the -<a href="ADDRESS_CLASS_README.html#local_domain_class">local domain</a> class. </p> +<li> <p> Valid recipient addresses for those domains are +listed with the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter, as described in +<a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>. The Postfix SMTP server rejects invalid recipients +with "User unknown in local recipient table". If the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> +parameter value is empty, then the Postfix SMTP server accepts any +address in the <a href="ADDRESS_CLASS_README.html#local_domain_class">local domain</a> class. </p> <li> <p> The mail delivery transport is specified with the <a href="postconf.5.html#local_transport">local_transport</a> parameter. The default value is <b><a href="local.8.html">local</a>:$<a href="postconf.5.html#myhostname">myhostname</a></b> 
@@ -111,21 +116,25 @@ class. </p> <ul> <li> <p> Purpose: <a href="VIRTUAL_README.html#canonical">hosted domains</a> where each recipient address is -aliased to an address in a different domain, for example, a local -UNIX system account or a remote address. A +aliased to an address in a different domain class, for example, a +local UNIX system account or a remote address. A <a href="VIRTUAL_README.html#virtual_alias">virtual alias example</a> is given in the <a href="VIRTUAL_README.html">VIRTUAL_README</a> file. </p> <li> <p> Domain names are listed in <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>. The default value is $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> for Postfix 1.1 compatibility. </p> -<li> <p> Valid recipient addresses are listed with the <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> -parameter. The Postfix SMTP server rejects invalid recipients with -"User unknown in virtual alias table". The default value is -$<a href="postconf.5.html#virtual_maps">virtual_maps</a> for Postfix 1.1 compatibility. </p> +<li> <p> Valid recipient addresses for those domains are listed with the +<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> parameter. The Postfix SMTP server rejects invalid +recipients with "User unknown in virtual alias table". The default +value is $<a href="postconf.5.html#virtual_maps">virtual_maps</a> for Postfix 1.1 compatibility. </p> -<li> <p> There is no mail delivery transport parameter. Every -address must be aliased to an address in some other domain. </p> +<blockquote ><p> Note: for historical reasons, <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> +apply to recipients in all domain classes, not only the virtual +alias domain class. </p> </blockquote> + +<li> <p> There is no configurable mail delivery transport. Every +address must be aliased to an address in some other domain class. </p> </ul> 
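Review bot: The note added in the -111,21 hunk says virtual_alias_maps apply to recipients in all domain classes, but the list item directly above it still reads "Valid recipient addresses for those domains are listed with the virtual_alias_maps parameter" and quotes the "User unknown in virtual alias table" rejection, so a reader cannot tell whether that rejection is class-independent as well. Suggest saying in the note which of the two behaviours (the aliasing, the recipient rejection) it covers. Nit: "<blockquote >" has a stray space before the closing bracket, and the note is placed between two "<li>" items, so it renders as part of the recipient-address item; confirm that is the intended placement.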
@@ -136,18 +145,19 @@ class. </p> <li> <p> Purpose: final delivery for <a href="VIRTUAL_README.html#canonical">hosted domains</a> where each recipient address can have its own mailbox, and where users do not -need to have a UNIX system account. A <a href="VIRTUAL_README.html#virtual_mailbox">virtual mailbox example</a> is +need to have a UNIX system account. A <a href="VIRTUAL_README.html#virtual_mailbox">virtual mailbox example</a> is given in the <a href="VIRTUAL_README.html">VIRTUAL_README</a> file. </p> <li> <p> Domain names are listed with the <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> parameter. The default value is $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> for Postfix 1.1 compatibility. </p> -<li> <p> Valid recipient addresses are listed with the <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> -parameter. The Postfix SMTP server rejects invalid recipients with -"User unknown in virtual mailbox table". If this parameter value -is empty, the Postfix SMTP server accepts all recipients for domains -listed in $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>. </p> +<li> <p> Valid recipient addresses for those domains are listed +with the <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> parameter. The Postfix SMTP server +rejects invalid recipients with "User unknown in virtual mailbox +table". If this parameter value is empty, the Postfix SMTP server +accepts all recipients for domains listed in $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>. +</p> <li> <p> The mail delivery transport is specified with the <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter. The default value is <b>virtual</b> 
@@ -169,11 +179,12 @@ file. </p> <li> <p> Domain names are listed with the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter. </p> -<li> <p> Valid recipient addresses are listed with the <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> -parameter. The Postfix SMTP server rejects invalid recipients with -"User unknown in relay recipient table". If this parameter value -is empty, the Postfix SMTP server accepts all recipients for domains -listed with the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter. </p> +<li> <p> Valid recipient addresses for those domains are listed +with the <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> parameter. The Postfix SMTP server +rejects invalid recipients with "User unknown in relay recipient +table". If this parameter value is empty, the Postfix SMTP server +accepts all recipients for domains listed with the <a href="postconf.5.html#relay_domains">relay_domains</a> +parameter. </p> <li> <p> The mail delivery transport is specified with the <a href="postconf.5.html#relay_transport">relay_transport</a> parameter. The default value is <b>relay</b> which diff --git a/html/ADDRESS_REWRITING_README.html b/html/ADDRESS_REWRITING_README.html index 85e296f..c92a314 100644 --- a/html/ADDRESS_REWRITING_README.html +++ b/html/ADDRESS_REWRITING_README.html @@ -94,9 +94,7 @@ as invalid </a> <ul> -<li> <a href="#resolve"> Resolve address to destination </a> - -<li> <a href="#transport"> Mail transport switch </a> +<li> <a href="#resolve"> Resolve address to (transport, next-hop destination) </a> <li> <a href="#relocated"> Relocated users table </a> 
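Review bot: The -94,9 hunk in ADDRESS_REWRITING_README.html drops the "#transport" entry from the overview list, and a later hunk in the same file removes the heading that carries name="transport", so existing links to ADDRESS_REWRITING_README.html#transport stop resolving. Suggest keeping a name="transport" anchor on the merged "Resolve address to (transport, next-hop destination)" section, or next to the new precedence table that now covers transport_maps.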
@@ -312,8 +310,8 @@ find what you need. </p> <table border="1"> <tr> <th nowrap> Address manipulation </th> <th nowrap> Scope </th> -<th> Daemon </th> <th nowrap> Global turn-on control </th> <th nowrap> Selective -turn-off control </th> </tr> +<th> Daemon </th> <th nowrap> Turn-on controls </th> <th nowrap> +Turn-off controls </th> </tr> <tr> <td> <a href="#standard"> Rewrite addresses to standard form</a> </td> <td nowrap> all mail </td> <td> <a href="trivial-rewrite.8.html">trivial-<br>rewrite(8)</a> </td> 
@@ -340,13 +338,12 @@ nowrap> all mail </td> <td> <a href="cleanup.8.html">cleanup(8)</a> </td> <td> < nowrap> all mail </td> <td> <a href="cleanup.8.html">cleanup(8)</a> </td> <td> <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> </td> <td> <a href="postconf.5.html#receive_override_options">receive_override_options</a> </td> </tr> -<tr> <td> <a href="#resolve"> Resolve address to destination </a> -</td> <td nowrap> all mail </td> <td> <a href="trivial-rewrite.8.html">trivial-<br>rewrite(8)</a> </td> -<td> none </td> <td> none </td> </tr> - -<tr> <td> <a href="#transport"> Mail transport switch</a> </td> -<td nowrap> all mail </td> <td> <a href="trivial-rewrite.8.html">trivial-<br>rewrite(8)</a> </td> <td> -<a href="postconf.5.html#transport_maps">transport_maps</a> </td> <td> none </td> </tr> +<tr> <td> <a href="#resolve"> Resolve address to (transport, next-hop +destination) </a> </td> <td nowrap> all mail </td> <td> +<a href="trivial-rewrite.8.html">trivial-<br>rewrite(8)</a> </td> <td> <a href="postconf.5.html#local_transport">local_transport</a>, <a href="postconf.5.html#virtual_transport">virtual_transport</a>, +<a href="postconf.5.html#relay_transport">relay_transport</a>, <a href="postconf.5.html#default_transport">default_transport</a>, <a href="postconf.5.html#relayhost">relayhost</a>, +<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> +</td> <td> <a href="postconf.5.html#content_filter">content_filter</a> </td> </tr> <tr> <td> <a href="#relocated"> Relocated users table</a> </td> <td nowrap> all mail </td> <td> <a href="trivial-rewrite.8.html">trivial-<br>rewrite(8)</a> </td> <td> 
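Review bot: The merged "Resolve address to (transport, next-hop destination)" row in the -340,13 hunk no longer lists transport_maps among the turn-on controls, although the removed "Mail transport switch" row had it and the precedence table added later in this patch names transport_maps as the first source for every domain class. Suggest adding transport_maps to this cell. Listing content_filter under "Turn-off controls" also needs a word of explanation, since the new section text describes it as an override that provides its own (transport, next-hop destination) information rather than as a switch.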
@@ -774,6 +771,11 @@ may be a more appropriate vehicle. See the <a href="VIRTUAL_README.html">VIRTUAL for an overview of methods to host virtual domains with Postfix. </p> +<p> Note: <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> (<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>) applies to all +recipients: <a href="local.8.html">local(8)</a>, virtual, and remote. <!-- wrap filler --> +This is unlike <a href="ADDRESS_REWRITING_README.html#aliases">local aliasing</a> (<a href="postconf.5.html#alias_maps">alias_maps</a>) which applies only to +<a href="local.8.html">local(8)</a> recipients. </p> + <p> Virtual aliasing is disabled by default. To enable, edit the <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> parameter in the <a href="postconf.5.html">main.cf</a> file and specify one or more lookup tables, separated by whitespace or @@ -792,7 +794,7 @@ commas. </p> </blockquote> <p> Addresses found in virtual alias maps are subjected to another -iteration of virtual aliasing, but are not subjected to canonical +iteration of <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a>, but are not subjected to canonical mapping, in order to avoid loops. </p> <p> For static mappings as shown above, lookup tables such as <a href="DATABASE_README.html#types">hash</a>:, @@ -833,9 +835,8 @@ manager delegates the more complex address manipulations to the <ul> -<li> <a href="#resolve"> Resolve address to destination </a> - -<li> <a href="#transport"> Mail transport switch</a> +<li> <a href="#resolve"> Resolve address to (transport, next-hop +destination) </a> <li> <a href="#relocated"> Relocated users table</a> 
@@ -873,67 +874,108 @@ via the <a href="local.8.html">local(8)</a> delivery agent: </p> step in more detail, with specific examples or with pointers to documentation with examples. </p> -<h3> <a name="resolve"> Resolve address to destination </a> </h3> +<h3> <a name="resolve"> Resolve address to (transport, next-hop +destination) </a> </h3> <p> The Postfix <a href="qmgr.8.html">qmgr(8)</a> queue manager selects new mail from the -<a href="QSHAPE_README.html#incoming_queue">incoming queue</a> or old mail from the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>, and asks the -<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> address rewriting and resolving daemon where it -should be delivered. </p> +<a href="QSHAPE_README.html#incoming_queue">incoming queue</a> or old mail from the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. First it +looks for overrides: </p> + +<ul> -<p> As of version 2.0, Postfix distinguishes four major address -classes. Each class has its own list of domain names, and each -class has its own default delivery method, as shown in the table -below. See the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> document for the fine details. -Postfix versions before 2.0 only distinguish between local delivery -and everything else. </p> +<li> <p> The REDIRECT action in <a href="access.5.html">access(5)</a>, <a href="header_checks.5.html">header_checks(5)</a> or +<a href="header_checks.5.html">body_checks(5)</a> overrides all recipients of the message, and overrides +a <a href="postconf.5.html#content_filter">content_filter</a> setting, and FILTER action in <a href="access.5.html">access(5)</a>, +<a href="header_checks.5.html">header_checks(5)</a> or <a href="header_checks.5.html">body_checks(5)</a>. The REDIRECT action was implemented +as a short-cut to retaliate for abuse. 
</p> + +<li> <p> A <a href="postconf.5.html#content_filter">content_filter</a> setting and FILTER action in <a href="access.5.html">access(5)</a>, +<a href="header_checks.5.html">header_checks(5)</a> or <a href="header_checks.5.html">body_checks(5)</a> provide their own (transport, +next-hop destination) information. This bypasses all the steps that +are described in the remainder of this section. </p> + +</ul> + +<p> When there is no content filter override, the <a href="qmgr.8.html">qmgr(8)</a> queue +manager asks the <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> address rewriting and resolving +daemon for each recipient how to deliver it (which message delivery +transport) and where to deliver it (what next-hop destination). </p> + +<p> As of version 2.0, Postfix distinguishes four major domain +classes. Each class has its own list of recipient domain names, and +each class has its own delivery method, as shown in the table below. +See the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> document for the fine details. Postfix +versions before 2.0 only distinguish between local delivery and +everything else. </p> + +<p> Note that the table does not match recipients against +<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>. The reason is that all valid recipients in +a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> must be aliased to an address in a different +domain. All other recipients in a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> are by +definition undeliverable, and do not need to be considered here. 
+</p> <blockquote> <table border="1"> -<tr><th align="left">Destination domain list </th> <th -align="left">Default delivery method </th> <th>Availability -</th> </tr> +<tr> <th align="left">Domain class</th> <th align="left">Recipient +domain match </th> <th> Delivery method </th> <th>Availability </th> +</tr> -<tr><td>$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> </td> -<td>$<a href="postconf.5.html#local_transport">local_transport</a> </td> <td>Postfix 1.0</td></tr> +<tr><td>Local</td> <td><a href="postconf.5.html#mydestination">mydestination</a>, <a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, <a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> +</td> <td><a href="postconf.5.html#local_transport">local_transport</a> </td> <td>Postfix 1.0</td></tr> -<tr><td>$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> </td> <td>$<a href="postconf.5.html#virtual_transport">virtual_transport</a> </td> -<td>Postfix 2.0</td> </tr> +<tr><td>Virtual mailbox</td> <td><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> </td> +<td><a href="postconf.5.html#virtual_transport">virtual_transport</a> </td> <td>Postfix 2.0</td> </tr> -<tr><td>$<a href="postconf.5.html#relay_domains">relay_domains</a> </td> <td>$<a href="postconf.5.html#relay_transport">relay_transport</a> </td> <td>Postfix -2.0</td> </tr> +<tr><td>Relay</td> <td><a href="postconf.5.html#relay_domains">relay_domains</a> </td> <td><a href="postconf.5.html#relay_transport">relay_transport</a> +</td> <td>Postfix 2.0</td> </tr> -<tr><td>none </td> <td>$<a href="postconf.5.html#default_transport">default_transport</a> </td> <td>Postfix 1.0</td> -</tr> +<tr><td>Default</td><td> none </td> <td><a href="postconf.5.html#default_transport">default_transport</a> </td> +<td>Postfix 1.0</td> </tr> </table> 
</blockquote> -<h3> <a name="transport"> Mail transport switch </a> </h3> +<p> The delivery methods in the above table may include a next-hop +destination in addition to a delivery transport. This may override +the next-hop destination that is by default taken from the recipient +domain. </p> -<p> Once the <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon has determined a default -delivery method it searches the optional <a href="transport.5.html">transport(5)</a> table for -information that overrides the message destination and/or delivery -method. Typical use of the <a href="transport.5.html">transport(5)</a> table is to send mail to -a system -that is not connected to the Internet, or to use a special SMTP -client configuration for destinations that have special requirements. -See, for example, the <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> and <a href="UUCP_README.html">UUCP_README</a> -documents, and the examples in the <a href="transport.5.html">transport(5)</a> manual page. </p> +<p> Over time, features have been added to override the above +transport and/or next-hop destination information. The following +table lists where a transport or next-hop destination may be taken +from, depending on the recipient domain class. </p> -<p> Transport table lookups are disabled by default. To enable, -edit the <a href="postconf.5.html#transport_maps">transport_maps</a> parameter in the <a href="postconf.5.html">main.cf</a> file and specify -one or more lookup tables, separated by whitespace or commas. 
</p> +<blockquote> -<p> Example: </p> +<table border="1"> + +<tr> <th>Domain class</th> <th>Transport sources (in order of +descending precedence)</th> <th> Next hop sources (in order of +descending precedence)</th> </tr> + +<tr> <td> Local </td> <td> <a href="postconf.5.html#transport_maps">transport_maps</a>, <a href="postconf.5.html#local_transport">local_transport</a></td> +<td> <a href="postconf.5.html#transport_maps">transport_maps</a>, <a href="postconf.5.html#local_transport">local_transport</a>, recipient domain</td> </tr> + +<tr> <td> Virtual mailbox </td> <td> <a href="postconf.5.html#transport_maps">transport_maps</a>, +<a href="postconf.5.html#virtual_transport">virtual_transport</a></td> <td> <a href="postconf.5.html#transport_maps">transport_maps</a>, <a href="postconf.5.html#virtual_transport">virtual_transport</a>, +recipient domain</td> </tr> + +<tr> <td> Relay </td> <td> <a href="postconf.5.html#transport_maps">transport_maps</a>, <a href="postconf.5.html#relay_transport">relay_transport</a></td> +<td> <a href="postconf.5.html#transport_maps">transport_maps</a>, <a href="postconf.5.html#relay_transport">relay_transport</a>, <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, +<a href="postconf.5.html#relayhost">relayhost</a>, recipient domain</td> </tr> + +<tr> <td> Default </td> <td> <a href="postconf.5.html#transport_maps">transport_maps</a>, +<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, <a href="postconf.5.html#default_transport">default_transport</a></td> +<td> <a href="postconf.5.html#transport_maps">transport_maps</a>, <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, +<a href="postconf.5.html#default_transport">default_transport</a>, <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, <a 
href="postconf.5.html#relayhost">relayhost</a>, +recipient domain</td> </tr> + +</table> -<blockquote> -<pre> -/etc/postfix/<a href="postconf.5.html">main.cf</a>: - <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport -</pre> </blockquote> <h3> <a name="relocated"> Relocated users table </a> </h3> @@ -1019,6 +1061,11 @@ direct mail for standard aliases such as postmaster to real people. The table can also be used to map "Firstname.Lastname" addresses to login names. </p> +<p> Note: <a href="ADDRESS_REWRITING_README.html#aliases">local aliasing</a> (<a href="postconf.5.html#alias_maps">alias_maps</a>) applies only to <a href="local.8.html">local(8)</a> +recipients. This is unlike <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> (<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>) +which applies to all recipients: <a href="local.8.html">local(8)</a>, virtual, and remote. +</p> + <p> Alias lookups are enabled by default. The default configuration depends on the operating system environment, but it is typically one of the following: </p> diff --git a/html/COMPATIBILITY_README.html b/html/COMPATIBILITY_README.html index 2b6a58b..37c37a5 100644 --- a/html/COMPATIBILITY_README.html +++ b/html/COMPATIBILITY_README.html 
@@ -61,24 +61,24 @@ default setting append_dot_mydomain=yes </a> </p> <li> <p> <a href="#chroot"> Using backwards-compatible default setting chroot=y</a> </p> +<li><p> <a href="#relay_restrictions"> Using backwards-compatible +default setting "smtpd_relay_restrictions = (empty)"</a> </p> + +<li> <p> <a href="#smtputf8_enable"> Using backwards-compatible +default setting smtputf8_enable=no</a> </p> + </ul> <p> Logged with <a href="postconf.5.html#compatibility_level">compatibility_level</a> < 2: </p> <ul> -<li><p> <a href="#relay_restrictions"> Using backwards-compatible -default setting "smtpd_relay_restrictions = (empty)"</a> </p> - <li> <p> <a href="#mynetworks_style"> Using backwards-compatible default setting mynetworks_style=subnet </a> </p> <li> <p> <a href="#relay_domains"> Using backwards-compatible default setting relay_domains=$mydestination </a> </p> -<li> <p> <a href="#smtputf8_enable"> Using backwards-compatible -default setting smtputf8_enable=no</a> </p> - </ul> <p> Logged with <a href="postconf.5.html#compatibility_level">compatibility_level</a> < 3.6: </p> 
@@ -241,6 +241,48 @@ administrator should make the backwards-compatible setting </pre> </blockquote> +<h2> <a name="smtputf8_enable"> Using backwards-compatible default +setting smtputf8_enable=no</a> </h2> + +<p> The <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> default value has changed from "no" to "yes". +With the new "yes" setting, the Postfix SMTP server rejects non-ASCII +addresses from clients that don't request SMTPUTF8 support, after +Postfix is updated from an older version. The backwards-compatibility +safety net is designed to prevent such surprises. </p> + +<p> As long as the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> parameter is left at its implicit +default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is +less than 1, Postfix logs a warning each time an SMTP command uses a +non-ASCII address localpart without requesting SMTPUTF8 support: </p> + +<blockquote> +<pre> +postfix/smtpd[27560]: using backwards-compatible default setting + <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no to accept non-ASCII sender address + "??@example.org" from localhost[127.0.0.1] +</pre> +</blockquote> + +<blockquote> +<pre> +postfix/smtpd[27560]: using backwards-compatible default setting + <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no to accept non-ASCII recipient address + "??@example.com" from localhost[127.0.0.1] +</pre> +</blockquote> + +<p> If the address should not be rejected, and the client cannot +be updated to use SMTPUTF8, then the system administrator should +make the backwards-compatible setting "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = no" permanent +in <a href="postconf.5.html">main.cf</a>: + +<blockquote> +<pre> +# <b>postconf <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no</b> +# <b>postfix reload</b> +</pre> +</blockquote> + <h2> <a name="mynetworks_style"> Using backwards-compatible default 
setting mynetworks_style=subnet</a> </h2> 
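Review bot: In the smtputf8_enable section added by the -241,6 hunk, the last paragraph ("... make the backwards-compatible setting "smtputf8_enable = no" permanent in main.cf:") is opened with "<p>" but never closed before the following "<blockquote>". The removed copy of this section has the same omission, so the move is a good moment to add the missing "</p>".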
@@ -352,48 +394,6 @@ administrator should make the backwards-compatible setting <p> Instead of $<a href="postconf.5.html#mydestination">mydestination</a>, it may be better to specify an explicit list of domain names. </p> -<h2> <a name="smtputf8_enable"> Using backwards-compatible default -setting smtputf8_enable=no</a> </h2> - -<p> The <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> default value has changed from "no" to "yes". -With the new "yes" setting, the Postfix SMTP server rejects non-ASCII -addresses from clients that don't request SMTPUTF8 support, after -Postfix is updated from an older version. The backwards-compatibility -safety net is designed to prevent such surprises. </p> - -<p> As long as the <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> parameter is left at its implicit -default value, and the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting is -less than 1, Postfix logs a warning each time an SMTP command uses a -non-ASCII address localpart without requesting SMTPUTF8 support: </p> - -<blockquote> -<pre> -postfix/smtpd[27560]: using backwards-compatible default setting - <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no to accept non-ASCII sender address - "??@example.org" from localhost[127.0.0.1] -</pre> -</blockquote> - -<blockquote> -<pre> -postfix/smtpd[27560]: using backwards-compatible default setting - <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no to accept non-ASCII recipient address - "??@example.com" from localhost[127.0.0.1] -</pre> -</blockquote> - -<p> If the address should not be rejected, and the client cannot -be updated to use SMTPUTF8, then the system administrator should -make the backwards-compatible setting "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = no" permanent -in <a href="postconf.5.html">main.cf</a>: - -<blockquote> -<pre> -# <b>postconf <a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a>=no</b> 
-# <b>postfix reload</b> -</pre> -</blockquote> - <h2> <a name="smtpd_digest"> Using backwards-compatible default setting smtpd_tls_fingerprint_digest=md5</a> </h2> diff --git a/html/DATABASE_README.html b/html/DATABASE_README.html index e3b3c05..87941bc 100644 --- a/html/DATABASE_README.html +++ b/html/DATABASE_README.html @@ -56,10 +56,10 @@ documentation: </p> <blockquote> <pre> /etc/postfix/<a href="postconf.5.html">main.cf</a>: - <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/aliases (local aliasing) + <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/aliases (<a href="ADDRESS_REWRITING_README.html#aliases">local aliasing</a>) <a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks (content filtering) <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport (routing table) - <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual (address rewriting) + <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual (<a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a>) </pre> </blockquote> 
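Review bot: In the DATABASE_README.html -56,10 hunk only two of the four parenthetical annotations in the main.cf example become links ("local aliasing" and "virtual aliasing"), while "(content filtering)" and "(routing table)" stay plain text. Suggest linking all four to their documentation or none, so the example reads consistently.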
@@ -349,6 +349,11 @@ See <a href="lmdb_table.5.html">lmdb_table(5)</a> for details. </dd> <dd> Memcache database client. Configuration details are given in <a href="memcache_table.5.html">memcache_table(5)</a>. </dd> +<dt> <b>mongodb</b> (read-only) </dt> + +<dd> MongoDB database client. Configuration details are given in +<a href="mongodb_table.5.html">mongodb_table(5)</a>, with examples in <a href="MONGODB_README.html">MONGODB_README</a>. </dd> + <dt> <b>mysql</b> (read-only) </dt> <dd> MySQL database client. Configuration details are given in diff --git a/html/DEPRECATION_README.html b/html/DEPRECATION_README.html new file mode 100644 index 0000000..4729568 --- /dev/null +++ b/html/DEPRECATION_README.html 
@@ -0,0 +1,411 @@ +<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd"> + +<html> + +<head> + +<title>Postfix Replacements for Deprecated Features </title> + +<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> +<link rel='stylesheet' type='text/css' href='postfix-doc.css'> + +</head> + +<body> + +<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix +Replacements for Deprecated Features</h1> + +<hr> + +<h2>Purpose of this document </h2> + +<p> This document describes Postfix features that are deprecated +(will be removed) or that have already been removed. It also has +tips for making an existing Postfix configuration more future-proof. +</p> + +<p> Overview: </p> + +<ul> + +<li> <a href="#why"> Why deprecate? </a> + +<li> <a href="#process"> Deprecation process </a> + +<li> <a href="#features"> Deprecated features </a> + +</ul> + +<h2> <a name="why"> Why deprecate? </a> </h2> + +<p> Sometimes, a Postfix feature needs to be replaced with a different +one. To give an example: </p> + +<ul> + +<li> <p> The initial Postfix TLS implementation used multiple boolean +parameters: one parameter to enable opportunistic TLS (for example, +"<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes") and one parameter to enable mandatory TLS +(for example, "smtp_require_tls = yes"). </p> + +<li> <p> As we added support more features such as fingerprint, +dane, and so on, we decided not to add more boolean parameters. +Instead we introduced one configuration parameter to select from +multiple deployment models (for example, <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = +may | encrypt | dane, etc...). </p> + +</ul> + +<!-- + +<p> Over time it has become clear that 'level' is too rigid, so this may +have to change again. 
Wietse and Viktor have been discussing a way to +specify a range with minimum properties that are required (e.g., encrypt) +and nice-to-have properties if they are available (dane or mta-sts). </p> + +--> + +<p> Having both the "old" and "new" way to configure Postfix is +convenient for existing Postfix installations, because their +configuration does not break after an upgrade to a new version. +Unfortunately, there are also disadvantages. Having multiple ways +to do similar things is not only confusing for newcomers, it also +makes Postfix harder to change. </p> + +<h2> <a name="process"> Deprecation process </a> </h2> + +<p> The basic process steps are: </p> + +<ol> + +<li> <p> Inform humans that a feature will be removed, and suggest +replacements, in logging and documentation. </p> + +<li> <p> Remove the feature, and update logging and documentation. </p> + +</ol> + +<p> Disclaimer: it has taken 20 years for some features to be +removed. This past is not a guarantee for the future. </p> + +<h2> <a name="features"> Deprecated features </a> </h2> + +<p> The table summarizes removed or deprecated features and +replacements. Click on the "obsolete feature" name for a more +detailed description. 
</p> + +<blockquote> + +<table border="1"> + +<tr> <th> Obsolete feature name </th> <th> Warning as <br> of version +</th> <th> Removed <br> in version </th> <th> Replacement </th> +</tr> + +<tr> <td> <a href="#disable_dns_lookups"> disable_dns_lookups </a> +</td> <td align="center"> 3.9 </td> <td align="center"> - </td> +<td> <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> </td> </tr> + +<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_use_tls </a> </td> +<td align="center"> 3.9 </td> <td align="center"> - </td> <td> +<i>xxx</i>_tls_security_level </td> </tr> + +<tr> <td> <a href="#xxx_enforce_tls"> <i>xxx</i>_enforce_tls </a> +</td> <td align="center"> 3.9 </td> <td align="center"> - </td> +<td> <i>xxx</i>_tls_security_level </td> </tr> + +<tr> <td> <a href="#xxx_per_site"> <i>xxx</i>_per_site </a> </td> +<td align="center"> 3.9 </td> <td align="center"> - </td> <td> +<i>xxx</i>_policy_maps </td> </tr> + +<tr> <td> <a href="#smtpd_tls_dh1024_param_file"> +smtpd_tls_dh1024_param_file </a> </td> <td align="center"> 3.9 </td> +<td align="center"> - </td> <td> do not specify (leave at default) +</td> </tr> + +<tr> <td> <a href="#smtpd_tls_eecdh_grade"> smtpd_tls_eecdh_grade +</a> </td> <td align="center"> 3.9 </td> <td align="center"> - </td> +<td> do not specify (leave at default) </td> </tr> + +<tr> <td> <a href="#permit_mx_backup"> permit_mx_backup </a> </td> +<td align="center"> 3.9 </td> <td align="center"> - </td> <td> +<a href="postconf.5.html#relay_domains">relay_domains</a> </td> </tr> + +<tr> <td> <a href="#check_relay_domains"> check_relay_domains </a> +</td> <td align="center"> 2.2 </td> <td align="center"> 3.9 </td> +<td> <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> </td> </tr> + +<tr> <td> <a href="#reject_maps_rbl"> reject_maps_rbl </a> </td> +<td align="center"> 2.1 </td> <td align="center"> 3.9 </td> <td> +<a 
href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> </td> </tr> + +<tr> <td> <a href="#permit_naked_ip_address"> permit_naked_ip_address +</a> </td> <td align="center"> 2.0 </td> <td align="center"> 3.9 +</td> <td> <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a> </td> </tr> + +</table> + +</blockquote> + +<h3> <a name="disable_dns_lookups"> Obsolete DNS on/off configuration +</a> </h3> + +<p> The <a href="postconf.1.html">postconf(1)</a> command logs the following: </p> + +<ul> + +<li> support for parameter "<a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a>" will be removed; instead, specify "<a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>" + +</ul> + +<p> Replace obsolete configuration with its replacement: </p> + +<blockquote> + +<table border="1"> + +<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration +</th> <th> Replacement configuration </th> </tr> + +<tr> <td> To disable DNS lookups in the Postfix SMTP/LMTP client +</td> <td> <a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = yes </td> <td> <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> += disabled </td> </tr> + +<tr> <td> To enable DNS lookups in the Postfix SMTP/LMTP client </td> <td> +<a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> = no </td> <td> +Leave <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> at the implicit default which is empty, unless +you need a higher support level such as DNSSEC. 
</td> </tr> + +</table> + +</blockquote> + +<h3> <a name="xxx_use_tls"> Obsolete opportunistic TLS configuration +</a> </h3> + +<p> The <a href="postconf.1.html">postconf(1)</a> command logs one of the following: </p> + +<ul> + +<li> support for parameter "<a href="postconf.5.html#lmtp_use_tls">lmtp_use_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a>" + +<li> support for parameter "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>" + +<li> support for parameter "<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>" + +</ul> + +<p> There are similarly-named parameters and warnings for <a href="postscreen.8.html">postscreen(8)</a> +and <a href="tlsproxy.8.html">tlsproxy(8)</a>, but those parameters should rarely be specified +by hand. 
</p> + +<p> Replace obsolete configuration with its replacement: </p> + +<blockquote> + +<table border="1"> + +<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr> + +<tr> <td> To turn off TLS </td> <td> <i>xxx</i>_use_tls = no </td> +<td> <i>xxx</i>_security_level = none </td> </tr> + +<tr> <td> To turn on opportunistic TLS </td> <td> <i>xxx</i>_use_tls += yes </td> <td> <i>xxx</i>_security_level = may </td> </tr> + +</table> + +</blockquote> + +<h3> <a name="xxx_enforce_tls"> Obsolete mandatory TLS configuration +</a> </h3> + +<p> The <a href="postconf.1.html">postconf(1)</a> command logs one of the following: </p> + +<ul> + +<li> support for parameter "<a href="postconf.5.html#lmtp_enforce_tls">lmtp_enforce_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a>" + +<li> support for parameter "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>" + +<li> support for parameter "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>" will be removed; instead, specify "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>" + +</ul> + +<p> There are similarly-named parameters and warnings for <a href="postscreen.8.html">postscreen(8)</a> +and <a href="tlsproxy.8.html">tlsproxy(8)</a>, but those parameters should rarely be specified +by hand. 
</p> + +<p> Replace obsolete configuration with its replacement: </p> + +<blockquote> + +<table border="1"> + +<tr> <th width="33%"> Goal </th> <th width="33%"> Obsolete configuration </th> <th> Replacement configuration </th> </tr> + +<tr> <td> To turn off mandatory TLS </td> <td> <i>xxx</i>_enforce_tls += no </td> <td> <i>xxx</i>_security_level = may </td> </tr> + +<tr> <td> To turn on mandatory TLS </td> <td> <i>xxx</i>_enforce_tls += yes </td> <td> <i>xxx</i>_security_level = encrypt </td> </tr> + +</table> + +</blockquote> + +<h3> <a name="xxx_per_site"> Obsolete TLS policy table configuration +</a> </h3> + +<p> The <a href="postconf.1.html">postconf(1)</a> command logs one of the following: </p> + +<ul> + +<li> support for parameter "<a href="postconf.5.html#lmtp_tls_per_site">lmtp_tls_per_site</a>" will be removed; +instead, specify "<a href="postconf.5.html#lmtp_tls_policy_maps">lmtp_tls_policy_maps</a>" + +<li> support for parameter "<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>" will be removed; +instead, specify "<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>" + +</ul> + +<p> There is similarly-named parameter and warning for <a href="tlsproxy.8.html">tlsproxy(8)</a>, +but that parameter should rarely be specified by hand. </p> + +<p> Unfortunately, this is more than a name change: the table format +has changed too, as has the table search process. There is no simple +conversion of the obsolete form to its replacement. 
</p> + +<h3> <a name="check_relay_domains"> check_relay_domains </a> </h3> + +<p> Depending on the Postfix version, the Postfix SMTP daemon logs +following warning: </p> + +<ul> + +<li> support for restriction "check_relay_domains" has been removed +in Postfix 3.9"; instead, specify "<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>" + +<li> support for restriction "check_relay_domains" will be removed +from Postfix; use "<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>" instead + +</ul> + +<p> This feature was removed because it would relay based on the +client domain name, which is not robust. </p> + +<p> Recommended configuration to prevent an "open relay" problem +with the SMTP service on port 25: +</p> + +<blockquote> +<pre> +<a href="postconf.5.html">main.cf</a>: + <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = + <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, + <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, + <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> + ...other restrictions... +</pre> +</blockquote> + +<p> Or equivalent in <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>. </p> + +<h3> <a name="permit_mx_backup"> permit_mx_backup</a> </h3> + +<p> The Postfix version 3.9 and later SMTP daemon logs the following +warning: </p> + +<ul> + +<li> support for restriction "<a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a>" will be removed +from Postfix; instead, specify "<a href="postconf.5.html#relay_domains">relay_domains</a>" + +</ul> + +<p> This feature will be removed because it is too difficult to +configure recipient address validation, making Postfix a source of +backscatter bounces. 
</p> + +<p> To specify the domains that Postfix will provide MX backup +service for, see <a href="STANDARD_CONFIGURATION_README.html#backup"> +Configuring Postfix as primary or backup MX host for a remote +site</a>. </p> + +<h3> <a name="reject_maps_rbl"> reject_maps_rbl</a> </h3> + +<p> Depending on the Postfix version, the SMTP daemon logs one of +the following warnings: </p> + +<ul> + +<li> support for restriction "reject_maps_rbl" has been removed in +Postfix 3.9"; instead, specify "<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> domain-name" + +<li> support for restriction "reject_maps_rbl" will be removed from +Postfix; use "<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> domain-name" instead + +</ul> + +<p> This feature was replaced because "MAPS RBL" is the name of a +specific reputation service. The <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> feature provides +a superset of the reject_maps_rbl functionality. </p> + +<p> Recommended configuration: </p> + +<blockquote> +<pre> +<a href="postconf.5.html">main.cf</a>: + <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = + <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, + <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, + <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> + <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> <i>domain-name</i> + ...other restrictions... +</pre> +</blockquote> + +<p> Where <i>domain-name</i> is the domain name of a DNS reputation service. 
</p> + +<h3> <a name="permit_naked_ip_address"> permit_naked_ip_address</a> </h3> + +<p> Depending on the Postfix version, the SMTP daemon logs one of +the following warnings: </p> + +<ul> + +<li> support for restriction "permit_naked_ip_address" has been +removed in Postfix 3.9"; instead, specify "<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>" or +"<a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>" + +<li> restriction permit_naked_ip_address is deprecated. Use +<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> or <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a> instead + +</ul> + +<p> This feature was removed because it was easy to get a false +match when <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> was intended to match a +remote SMTP client IP address. </p> + +<p> Recommended configuration: </p> + +<blockquote> +<pre> +<a href="postconf.5.html">main.cf</a>: + <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = + <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, + <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, + <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> + <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> <i>domain-name</i> + ...other restrictions... +</pre> +</blockquote> + +<p> That is, no restriction on HELO or EHLO syntax. Such restrictions +ar rarely useful nowadays. + +</body> + +</html> diff --git a/html/INSTALL.html b/html/INSTALL.html index 6cd70d1..94d78ba 100644 --- a/html/INSTALL.html +++ b/html/INSTALL.html 
@@ -605,6 +605,9 @@ describe how to build Postfix with support for optional features: <tr> <td> LDAP database</td> <td><a href="LDAP_README.html">LDAP_README</a></td> <td> Postfix 1.0 </td> </tr> +<tr> <td> MongoDB database</td> <td><a href="MONGODB_README.html">MONGODB_README</a></td> <td> Postfix +3.9 </td> </tr> + <tr> <td> MySQL database</td> <td><a href="MYSQL_README.html">MYSQL_README</a></td> <td> Postfix 1.0 </td> </tr> diff --git a/html/LOCAL_RECIPIENT_README.html b/html/LOCAL_RECIPIENT_README.html index a3a3636..5a614e0 100644 --- a/html/LOCAL_RECIPIENT_README.html +++ b/html/LOCAL_RECIPIENT_README.html @@ -57,7 +57,8 @@ all names or addresses of local recipients. A recipient address is local when its domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. If a local username or address is not listed in $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>, then the Postfix SMTP server will reject -the address with "User unknown in local recipient table". </p> +the address with "User unknown in local recipient table". Other +Postfix interfaces may still accept an "unknown" recipient. </p> <p> The default setting, shown below, assumes that you use the default Postfix <a href="local.8.html">local(8)</a> delivery agent for local delivery, where diff --git a/html/MAILLOG_README.html b/html/MAILLOG_README.html index be58e33..ab751f4 100644 --- a/html/MAILLOG_README.html +++ b/html/MAILLOG_README.html 
@@ -63,10 +63,16 @@ Postfix version. </p> /var/log/postfix.log. See also the "<a href="#logrotate">Logfile rotation</a>" section below for logfile management. </p> +<p> In the example below, specifying <a href="postconf.5.html#maillog_file_permissions">maillog_file_permissions</a> is +optional (Postfix 3.9 and later). The default value is 0600, i.e., +only the super-user can access the file; the value 0644 also +adds 'group' and 'other' read access. </p> + <blockquote> <pre> # postfix stop # postconf <a href="postconf.5.html#maillog_file">maillog_file</a>=/var/log/postfix.log +# postconf <a href="postconf.5.html#maillog_file_permissions">maillog_file_permissions</a>=0644 # (Postfix 3.9 and later) # postfix start </pre> </blockquote> @@ -124,6 +130,10 @@ old logfile. </p> program is configured with the <a href="postconf.5.html#maillog_file_compressor">maillog_file_compressor</a> parameter (default: gzip). </p> +<li> <p> The next time it logs an event, <a href="postlogd.8.html">postlogd(8)</a> will create a +new logfile, with permissions specified with the <a href="postconf.5.html#maillog_file_permissions">maillog_file_permissions</a> +parameter (default: 0600). </p> + </ul> <p> Notes: </p> diff --git a/html/MILTER_README.html b/html/MILTER_README.html index c69a5bf..b72fdb8 100644 --- a/html/MILTER_README.html +++ b/html/MILTER_README.html @@ -630,7 +630,7 @@ and protocol. </p> clients </a></h3> <p> The <a href="postconf.5.html#smtpd_milter_maps">smtpd_milter_maps</a> feature supports different Milter settings -for different client IP addresses. Lookup results override the the +for different client IP addresses. Lookup results override the global <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> setting, and have the same syntax. For example, to disable Milter settings for local address ranges: </p> diff --git a/html/MONGODB_README.html b/html/MONGODB_README.html new file mode 100644 index 0000000..a05d1f5 --- /dev/null +++ b/html/MONGODB_README.html 
@@ -0,0 +1,263 @@ +<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html> +<head> +<title>Postfix MongoDB Howto</title> +<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> +</head> +<body> +<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix MongoDB Howto</h1> +<hr> + +<h2>MongoDB Support in Postfix</h2> + +<p> Postfix can use MongoDB as a source for any of its lookups: +<a href="aliases.5.html">aliases(5)</a>, <a href="virtual.5.html">virtual(5)</a>, <a href="canonical.5.html">canonical(5)</a>, etc. This allows you to keep +information for your mail service in a replicated noSQL database +with fine-grained access controls. By not storing it locally on the +mail server, the administrators can maintain it from anywhere, and +the users can control whatever bits of it you think appropriate. +You can have multiple mail servers using the same information, +without the hassle and delay of having to copy it to each. </p> + +<p> Topics covered in this document:</p> + +<ul> +<li><a href="#build">Building Postfix with MongoDB support</a> +<li><a href="#config">Configuring MongoDB lookups</a> +<li><a href="#example_virtual">Example: virtual alias maps</a> +<li><a href="#example_mailing_list">Example: Mailing lists</a> +<li><a href="#example_projections">Example: MongoDB projections</a> +<li><a href="#feedback">Feedback</a> +<li><a href="#credits">Credits</a> +</ul> + +<h2><a name="build">Building Postfix with MongoDB support</a></h2> + +<p>These instructions assume that you build Postfix from source +code as described in the <a href="INSTALL.html">INSTALL</a> document. Some modification may +be required if you build Postfix from a vendor-specific source +package. </p> + +<p>The Postfix MongoDB client requires the <b>mongo-c-driver</b> +library. 
This can be built from source code from <a +href="https://github.com/mongodb/mongo-c-driver/releases">the +mongod-c project</a>, or this can be installed as a binary package +from your OS distribution, typically named <b>mongo-c-driver</b>, +<b>mongo-c-driver-devel</b> or <b>libmongoc-dev</b>. +Installing the mongo-c-driver library may also install <b>libbson</b> +as a dependency. </p> + +<p> To build Postfix with mongodb map support, add to the CCARGS +environment variable the options -DHAS_MONGODB and -I for the +directory containing the mongodb headers, and specify the <a href="MONGODB_README.html">AUXLIBS_MONGODB</a> +with the libmongoc and libbson libraries, for example:</p> + +<blockquote> +<pre> +% make tidy +% make -f Makefile.init makefiles \ + CCARGS="$CCARGS -DHAS_MONGODB -I/usr/include/libmongoc-1.0 \ + -I/usr/include/libbson-1.0" \ + <a href="MONGODB_README.html">AUXLIBS_MONGODB</a>="-lmongoc-1.0 -lbson-1.0" +</pre> +</blockquote> + +<p>The 'make tidy' command is needed only if you have previously +built Postfix without MongoDB support. </p> + +<p>If your MongoDB shared library is in a directory that the RUN-TIME +linker does not know about, add a "-Wl,-R,/path/to/directory" option +after "-lbson-1.0". Then, just run 'make'.</p> + +<h2><a name="config">Configuring MongoDB lookups</a></h2> + +<p> In order to use MongoDB lookups, define a MongoDB source as a +table lookup in <a href="postconf.5.html">main.cf</a>, for example: </p> + +<blockquote> +<pre> +<a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases, <a href="proxymap.8.html">proxy</a>:<a href="mongodb_table.5.html">mongodb</a>:/etc/postfix/mongo-aliases.cf +</pre> +</blockquote> + +<p> The file /etc/postfix/mongo-aliases.cf can specify a number of +parameters. For a complete description, see the <a href="mongodb_table.5.html">mongodb_table(5)</a> +manual page. 
</p> + +<h2><a name="example_virtual">Example: virtual(5) alias maps</a></h2> + +<p> Here's a basic example for using MongoDB to look up <a href="virtual.5.html">virtual(5)</a> +aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have: </p> + +<blockquote> +<pre> +<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual_aliases, + <a href="proxymap.8.html">proxy</a>:<a href="mongodb_table.5.html">mongodb</a>:/etc/postfix/mongo-virtual-aliases.cf +</pre> +</blockquote> + +<p> and in <a href="mongodb_table.5.html">mongodb</a>:/etc/postfix/mongo-virtual-aliases.cf you have: </p> + +<blockquote> +<pre> +uri = mongodb+srv://user_name:password@some_server +dbname = mail +collection = mailbox +query_filter = {"$or": [{"username":"%s"}, {"alias.address": "%s"}], "active": 1} +result_attribute = username +</pre> +</blockquote> + +<p>This example assumes mailbox names are stored in a MongoDB backend, +in a format like:</p> + +<blockquote> +<pre> +{ "username": "user@example.com", + "alias": [ + {"address": "admin@example.com"}, + {"address": "abuse@example.com"} + ], + "active": 1 +} +</pre> +</blockquote> + +<p>Upon receiving mail for "admin@example.com" that isn't found in the +/etc/postfix/virtual_aliases database, Postfix will search the +MongoDB server/cluster listening at port 27017 on some_server. It +will connect using the provided credentials, and search for any +entries whose username is, or alias field has "admin@example.com". +It will return the username attribute of those found, and build a +list of their email addresses. </p> + +<p> Notes: </p> + +<ul> + +<li><p> As with <b>projection</b> (see below), the Postfix mongodb +client automatically removes the top-level '_id' field from a +result_attribute result. </p> </li> + +<li><p> The Postfix mongodb client will only parse result fields +with data types UTF8, INT32, INT64 and ARRAY. 
Other fields will be +ignored, with a warning in the logs. </p> </li> + +</ul> + +<h2><a name="example_mailing_list">Example: Mailing lists</a></h2> + +<p>When it comes to mailing lists, one way of implementing one would +be as below:</p> + +<blockquote> +<pre> +{ "name": "dev@example.com", "active": 1, "address": + [ "hamid@example.com", "wietse@example.com", "viktor@example.com" ] } +</pre> +</blockquote> + +<p>using the filter below, will result in a comma separated string +with all email addresses in this list. </p> + +<blockquote> +<pre> +query_filter = {"name": "%s", "active": 1} +result_attribute = address +</pre> +</blockquote> + +<p> Notes: </p> + +<ul> + +<li><p> As with <b>projection</b> (see below), the Postfix mongodb +client automatically removes the top-level '_id' field from a +result_attribute result. </p> </li> + +<li><p> The Postfix mongodb client will only parse result fields +with data types UTF8, INT32, INT64 and ARRAY. Other fields will be +ignored, with a warning in the logs. </p> </li> + +</ul> + +<h2><a name="example_projections">Example: advanced projections</a></h2> + +<p>This module also supports the use of more complex MongoDB +projections. There may be some use cases where operations such as +concatenation are necessary to be performed on the data retrieved +from the database. Although it is encouraged to keep the database +design simple enough so this is not necessary, postfix supports the +use of MongoDB projections to achieve the goal. 
</p> + +<p>Consider the example below:</p> + +<blockquote> +<pre> +{ "username": "user@example.com", + "local_part": "user", + "domain": "example.com", + "alias": [ + {"address": "admin@example.com"}, + {"address": "abuse@example.com"} + ], + "active": 1 +} +</pre> +</blockquote> + +<p><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> can be created using below parameters in a +<a href="mongodb_table.5.html">mongodb</a>:/etc/postfix/mongo-virtual-mailboxes.cf file:</p> + +<blockquote> +<pre> +uri = mongodb+srv://user_name:password@some_server +dbname = mail +collection = mailbox +query_filter = {"$or": [{"username":"%s"}, {"alias.address": "%s"}], "active": 1} +projection = { "mail_path": {"$concat": ["$domain", "/", "$local_part"]} } +</pre> +</blockquote> + +<p>This will return 'example.com/user' path built from the database fields. </p> + +<p>A couple of considerations when using projections:</p> + +<ul> + +<li><p>As with <b>result_attribute</b>, the Postfix mongodb client +automatically removes the top-level '_id' field from a projection +result. </p></li> + +<li><p> The Postfix mongodb client will only parse fields with data +types UTF8, INT32, INT64 and ARRAY. Other fields will be ignored, +with a warning in the logs. It is suggested to exclude any unnecessary +fields when using a projection. </p></li> + +</ul> + +<h2><a name="feedback">Feedback</a></h2> + +<p> If you have questions, send them to postfix-users@postfix.org. +Please include relevant information about your Postfix setup: +MongoDB-related output from postconf, which libraries you built +with, and such. If your question involves your database contents, +please include the applicable bits of some database entries. </p> + +<h2><a name="credits">Credits</a></h2> + +<ul> + +<li> Stephan Ferraro (Aionda GmbH) implemented an early version of the +Postfix MongoDB client. 
+ +<li> Hamid Maadani (Dextrous Technologies, LLC) added support for +projections and %<i>letter</i> interpolation, and added documentation. + +<li> Wietse Venema adopted and restructured the code and documentation. + +</ul> + +</body> + +</html> diff --git a/html/Makefile.in b/html/Makefile.in index c5481f8..7f23ed7 100644 --- a/html/Makefile.in +++ b/html/Makefile.in @@ -20,7 +20,7 @@ CONFIG = access.5.html aliases.5.html canonical.5.html relocated.5.html \ transport.5.html virtual.5.html pcre_table.5.html regexp_table.5.html \ cidr_table.5.html tcp_table.5.html header_checks.5.html \ ldap_table.5.html lmdb_table.5.html mysql_table.5.html \ - pgsql_table.5.html memcache_table.5.html \ + pgsql_table.5.html memcache_table.5.html mongodb_table.5.html \ master.5.html nisplus_table.5.html generic.5.html bounce.5.html \ postfix-wrapper.5.html sqlite_table.5.html socketmap_table.5.html OTHER = postfix-manuals.html @@ -298,6 +298,10 @@ memcache_table.5.html: ../proto/memcache_table PATH=../mantools:$$PATH; \ srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ +mongodb_table.5.html: ../proto/mongodb_table + PATH=../mantools:$$PATH; \ + srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ + mysql_table.5.html: ../proto/mysql_table PATH=../mantools:$$PATH; \ srctoman - $? | $(AWK) | $(NROFF) -man | uniq | $(MAN2HTML) | postlink >$@ diff --git a/html/POSTSCREEN_README.html b/html/POSTSCREEN_README.html index bca2ef0..9bef8db 100644 --- a/html/POSTSCREEN_README.html +++ b/html/POSTSCREEN_README.html 
@@ -120,7 +120,7 @@ of time to deliver spam before their IP address becomes denylisted. To speed up spam deliveries, zombies make compromises in their SMTP protocol implementation. For example, they speak before their turn, or they ignore responses from SMTP servers and continue sending -mail even when the server tells them to go away. </p> +commands even when the server tells them to go away. </p> <p> <a href="postscreen.8.html">postscreen(8)</a> uses a variety of measurements to recognize zombies. First, <a href="postscreen.8.html">postscreen(8)</a> determines if the remote SMTP client @@ -159,7 +159,7 @@ overhead for legitimate clients. </p> <h2> <a name="quick">Quick tests before everything else</a> </h2> -<p> Before engaging in SMTP-level tests. <a href="postscreen.8.html">postscreen(8)</a> queries a +<p> Before engaging in SMTP-level tests, <a href="postscreen.8.html">postscreen(8)</a> queries a number of local deny and allowlists. These tests speed up the handling of known clients. </p> diff --git a/html/TLS_README.html b/html/TLS_README.html index eb9965a..a77f69d 100644 --- a/html/TLS_README.html +++ b/html/TLS_README.html 
@@ -2266,82 +2266,124 @@ describe the corresponding table syntax: </p> additional attributes are supported at this level. </dd> <dt><b>may</b></dt> <dd><a href="#client_tls_may">Opportunistic TLS</a>. -The optional "ciphers", "exclude" and "protocols" attributes -(available for opportunistic TLS with Postfix ≥ 2.6) override the -"<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" -configuration parameters. At this level and higher, the optional -"servername" attribute (available with Postfix ≥ 3.4) overrides the -global "<a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a>" parameter, enabling per-destination -configuration of the SNI extension sent to the remote SMTP server. </dd> +The optional "ciphers", "exclude", and "protocols" attributes (available +for opportunistic TLS with Postfix ≥ 2.6) and "connection_reuse" +attribute (Postfix ≥ 3.4) override the "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", +"<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>", and +"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. At this level and +higher, the optional "servername" attribute (available with Postfix ≥ +3.4) overrides the global "<a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a>" parameter, enabling +per-destination configuration of the SNI extension sent to the remote +SMTP server. The optional "enable_rpk" attribute (Postfix ≥ 3.9) +overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. When opportunistic +TLS handshakes fail, Postfix retries the connection with TLS disabled. 
+This allows mail delivery to sites with non-interoperable TLS +implementations.</dd> <dt><b>encrypt</b></dt> <dd><a href="#client_tls_encrypt"> Mandatory encryption</a>. -Mail is delivered only if the remote SMTP server offers STARTTLS -and the TLS handshake succeeds. At this level and higher, the optional +Mail is delivered only if the remote SMTP server offers STARTTLS and the +TLS handshake succeeds. At this level and higher, the optional "protocols" attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> -parameter, the optional "ciphers" attribute overrides the -<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, and the optional -"exclude" attribute (Postfix ≥ 2.6) overrides the <a href="postconf.5.html">main.cf</a> -<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> parameter. </dd> +parameter, the optional "ciphers" attribute overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, the optional "exclude" attribute +(Postfix ≥ 2.6) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> parameter, and the optional +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. The optional "enable_rpk" attribute +(Postfix ≥ 3.9) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. +</dd> <dt><b>dane</b></dt> <dd><a href="#client_tls_dane">Opportunistic DANE TLS</a>. The TLS policy for the destination is obtained via TLSA records in -DNSSEC. 
If no TLSA records are found, the effective security level -used is <a href="#client_tls_may">may</a>. If TLSA records are -found, but none are usable, the effective security level is <a -href="#client_tls_encrypt">encrypt</a>. When usable TLSA records -are obtained for the remote SMTP server, SSLv2+3 are automatically -disabled (see <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>), and the server certificate -must match the TLSA records. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication -and DNSSEC support is available with Postfix 2.11 and later. </dd> +DNSSEC. If no TLSA records are found, the effective security level used +is <a href="#client_tls_may">may</a>. If TLSA records are found, but +none are usable, the effective security level is <a +href="#client_tls_encrypt">encrypt</a>. When usable TLSA records are +obtained for the remote SMTP server, the server certificate must match +the TLSA records (and the SNI name is unconditionally set to the TLSA +<i>base domain</i>). <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication and DNSSEC +support is available with Postfix 2.11 and later. The optional +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. When the effective security level +used is <a href="#client_tls_may">may</a>, the optional "ciphers", +"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the +"<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" +configuration parameters. 
When the effective security level used is <a +href="#client_tls_encrypt">encrypt</a>, the optional "ciphers", +"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the +"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and +"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. </dd> <dt><b>dane-only</b></dt> <dd><a href="#client_tls_dane">Mandatory DANE TLS</a>. The TLS policy for the destination is obtained via TLSA records in -DNSSEC. If no TLSA records are found, or none are usable, no -connection is made to the server. When usable TLSA records are -obtained for the remote SMTP server, SSLv2+3 are automatically disabled -(see <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>), and the server certificate must -match the TLSA records. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication and -DNSSEC support is available with Postfix 2.11 and later. </dd> +DNSSEC. If no TLSA records are found, or none are usable, no connection +is made to the server. When usable TLSA records are obtained for the +remote SMTP server, the server certificate must match the TLSA records. +<a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS authentication and DNSSEC support is available with +Postfix 2.11 and later. The optional "ciphers", "exclude", and +"protocols" attributes (Postfix ≥ 2.6) override the +"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and +"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. 
The optional +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> <dt><b>fingerprint</b></dt> <dd><a href="#client_tls_fprint">Certificate -fingerprint verification.</a> Available with Postfix 2.5 and -later. At this security level, there are no trusted Certification -Authorities. The certificate trust chain, expiration date, ... are -not checked. Instead, the optional <b>match</b> attribute, or else -the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a></b> parameter, lists -the server certificate fingerprints or public key fingerprints -(Postfix 2.9 and later). The -digest algorithm used to calculate fingerprints is selected by the -<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b> parameter. Multiple fingerprints can -be combined with a "|" delimiter in a single match attribute, or multiple -match attributes can be employed. The ":" character is not used as a -delimiter as it occurs between each pair of fingerprint (hexadecimal) -digits. </dd> +fingerprint verification.</a> Available with Postfix 2.5 and later. At +this security level, there are no trusted Certification Authorities. The +certificate trust chain, expiration date, ... are not checked. Instead, +the optional "match" attribute, or else the <a href="postconf.5.html">main.cf</a> +<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a></b> parameter, lists the certificate +fingerprints or the public key fingerprints (Postfix 2.9 and later) of +acceptable server certificates. The digest algorithm used to calculate +the fingerprint is selected by the <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b> +parameter. 
Multiple fingerprints can be combined with a "|" delimiter in +a single match attribute, or multiple match attributes can be employed. +The ":" character is not used as a delimiter as it occurs between each +pair of fingerprint (hexadecimal) digits. The optional "ciphers", +"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the +"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and +"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. The optional "enable_rpk" +attribute (Postfix ≥ 3.9) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +parameter. </dd> <dt><b>verify</b></dt> <dd><a href="#client_tls_verify">Mandatory -server certificate verification</a>. Mail is delivered only if the -TLS handshake succeeds, if the remote SMTP server certificate can -be validated (not expired or revoked, and signed by a trusted -Certification Authority), and if the server certificate name matches -the optional "match" attribute (or the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> -parameter value when no optional "match" attribute is specified). -With Postfix ≥ 2.11 the "tafile" attribute optionally modifies -trust chain verification in the same manner as the -"<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile" attribute -may be specified multiple times to load multiple trust-anchor -files. </dd> +server certificate verification</a>. 
Mail is delivered only if the TLS +handshake succeeds, the remote SMTP server certificate chain can be +validated, and a DNS name in the certificate matches the specified match +criteria. At this security level, DNS MX lookups are presumed to be +secure enough, and the name verified in the server certificate is +potentially obtained via unauthenticated DNS MX lookups. The server +certificate name must match either the optional "match" attribute, or +else the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter value. With +Postfix ≥ 2.11 the "tafile" attribute optionally modifies trust chain +verification in the same manner as the "<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" +parameter. The "tafile" attribute may be specified multiple times to +load multiple trust-anchor files. The optional "connection_reuse" +attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> <dt><b>secure</b></dt> <dd><a href="#client_tls_secure">Secure certificate -verification.</a> Mail is delivered only if the TLS handshake succeeds, -and DNS forgery resistant remote SMTP certificate verification succeeds -(not expired or revoked, and signed by a trusted Certification Authority), -and if the server certificate name matches the optional "match" attribute -(or the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter value when no optional -"match" attribute is specified). With Postfix ≥ 2.11 the "tafile" -attribute optionally modifies trust chain verification in the same manner -as the "<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile" attribute -may be specified multiple times to load multiple trust-anchor -files. 
</dd> +verification.</a> +Mail is delivered only if the TLS handshake succeeds, the remote SMTP +server certificate chain can be validated, and a DNS name in the +certificate matches the specified match criteria. At this security +level, DNS MX lookups, though potentially used to determine the +candidate next-hop gateway IP addresses, are <b>not</b> presumed to be +secure enough for TLS peername verification. Instead, the default name +verified in the server certificate is obtained directly from the +next-hop, or is explicitly specified via the optional "match" attribute +which overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. The +optional "ciphers", "exclude", and "protocols" attributes (Postfix ≥ +2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", +"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" +configuration parameters. With Postfix ≥ 2.11 the "tafile" attribute +optionally modifies trust chain verification in the same manner as the +"<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile" attribute may be +specified multiple times to load multiple trust-anchor files. The +optional "connection_reuse" attribute (Postfix ≥ 3.4) overrides the +<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> </dl> diff --git a/html/access.5.html b/html/access.5.html index 24f844b..427eacf 100644 --- a/html/access.5.html +++ b/html/access.5.html 
@@ -60,7 +60,7 @@ ACCESS(5) ACCESS(5) A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line. -<b>EMAIL ADDRESS PATTERNS</b> +<b>EMAIL ADDRESS PATTERNS IN INDEXED TABLES</b> With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, patterns are tried in the order as listed below: @@ -92,7 +92,7 @@ ACCESS(5) ACCESS(5) (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@, and <i>user</i>@. -<b>HOST NAME/ADDRESS PATTERNS</b> +<b>HOST NAME/ADDRESS PATTERNS IN INDEXED TABLES</b> With lookups from indexed files such as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following lookup patterns are examined in the order as listed: diff --git a/html/aliases.5.html b/html/aliases.5.html index 27cfe69..79d01b4 100644 --- a/html/aliases.5.html +++ b/html/aliases.5.html 
@@ -14,9 +14,13 @@ ALIASES(5) ALIASES(5) <b>newaliases</b> <b>DESCRIPTION</b> - The <a href="aliases.5.html"><b>aliases</b>(5)</a> table provides a system-wide mechanism to redirect mail - for local recipients. The redirections are processed by the Postfix - <a href="local.8.html"><b>local</b>(8)</a> delivery agent. + The optional <a href="aliases.5.html"><b>aliases</b>(5)</a> table (<a href="postconf.5.html#alias_maps">alias_maps</a>) redirects mail for local + recipients. The redirections are processed by the Postfix <a href="local.8.html"><b>local</b>(8)</a> + delivery agent. + + This is unlike <a href="virtual.5.html"><b>virtual</b>(5)</a> aliasing (<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>) which applies + to all recipients: <a href="local.8.html">local(8)</a>, virtual, and remote, and which is imple- + mented by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon. Normally, the <a href="aliases.5.html"><b>aliases</b>(5)</a> table is specified as a text file that serves as input to the <a href="postalias.1.html"><b>postalias</b>(1)</a> command. The result, an indexed file in @@ -144,7 +148,9 @@ ALIASES(5) ALIASES(5) "<b>newaliases</b>" or with "<b>sendmail -bi</b>". <b><a href="postconf.5.html#alias_maps">alias_maps</a> (see 'postconf -d' output)</b> - The alias databases that are used for <a href="local.8.html"><b>local</b>(8)</a> delivery. + Optional lookup tables with aliases that apply only to <a href="local.8.html"><b>local</b>(8)</a> + recipients; this is unlike <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> that apply to all + recipients: <a href="local.8.html"><b>local</b>(8)</a>, virtual, and remote. <b><a href="postconf.5.html#allow_mail_to_commands">allow_mail_to_commands</a> (alias, forward)</b> Restrict <a href="local.8.html"><b>local</b>(8)</a> mail delivery to external commands. diff --git a/html/canonical.5.html b/html/canonical.5.html index 68b6532..d051297 100644 --- a/html/canonical.5.html 
+++ b/html/canonical.5.html @@ -56,7 +56,7 @@ CANONICAL(5) CANONICAL(5) systems. The <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping is not to be confused with <i>virtual alias</i> sup- - port or with local aliasing. To change the destination but not the + port or with <a href="ADDRESS_REWRITING_README.html#aliases">local aliasing</a>. To change the destination but not the headers, use the <a href="virtual.5.html"><b>virtual</b>(5)</a> or <a href="aliases.5.html"><b>aliases</b>(5)</a> map instead. <b>CASE FOLDING</b> 
@@ -211,20 +211,18 @@ CANONICAL(5) CANONICAL(5) Other parameters of interest: <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> - The network interface addresses that this mail system receives - mail on. + The local network interface addresses that this mail system + receives mail on. <b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b> - Rewrite message header addresses in mail from these clients and - update incomplete addresses with the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or - $<a href="postconf.5.html#mydomain">mydomain</a>; either don't rewrite message headers from other - clients at all, or rewrite message headers and update incomplete - addresses with the domain specified in the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_re</a>- - <a href="postconf.5.html#remote_header_rewrite_domain">write_domain</a> parameter. + Rewrite or add message headers in mail from these clients, + updating incomplete addresses with the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> + or $<a href="postconf.5.html#mydomain">mydomain</a>, and adding missing headers. <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> - The network interface addresses that this mail system receives - mail on by way of a proxy or network address translation unit. + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- + tion unit. <b><a href="postconf.5.html#masquerade_classes">masquerade_classes</a> (envelope_sender, header_sender, header_recipient)</b> What addresses are subject to address masquerading. 
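Review bot: the new local_header_rewrite_clients text drops the old clause that said what happens to mail from clients outside this list (headers not rewritten at all, or rewritten with the remote_header_rewrite_domain value). A reader of this entry alone no longer learns that non-matching clients are treated differently. Suggest closing the entry with a pointer such as "see remote_header_rewrite_domain for mail from other clients".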
@@ -253,15 +251,17 @@ CANONICAL(5) CANONICAL(5) set to "-". <b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b> - Don't rewrite message headers from remote clients at all when - this parameter is empty; otherwise, rewrite message headers and - append the specified domain name to incomplete addresses. + Rewrite or add message headers in mail from remote clients if + the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter value is non-empty, + updating incomplete addresses with the domain specified in the + <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter, and adding missing head- + ers. <b>SEE ALSO</b> <a href="cleanup.8.html">cleanup(8)</a>, canonicalize and enqueue mail <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager <a href="postconf.5.html">postconf(5)</a>, configuration parameters - <a href="virtual.5.html">virtual(5)</a>, virtual aliasing + <a href="virtual.5.html">virtual(5)</a>, <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> <b>README FILES</b> <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview diff --git a/html/cleanup.8.html b/html/cleanup.8.html index 6e662f6..e4ecd43 100644 --- a/html/cleanup.8.html +++ b/html/cleanup.8.html 
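Review bot: in the canonical.5.html hunk at @@ -253,15 +251,17 @@, the reworded remote_header_rewrite_domain entry states the empty-value behavior only by implication ("if the remote_header_rewrite_domain parameter value is non-empty"), whereas the removed text said outright that message headers from remote clients are not rewritten at all when the parameter is empty. The entry shows "(empty)" as the default, so that case is the one most readers are in; suggest keeping an explicit sentence for it. The description also names its own parameter twice, which could be shortened to "if this parameter is non-empty ... with the specified domain". The same wording appears again in the cleanup.8.html hunk at @@ -371,9 +372,11 @@.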
@@ -172,26 +172,26 @@ CLEANUP(8) CLEANUP(8) <b>BEFORE QUEUE MILTER CONTROLS</b> As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail - filter) protocol. When mail is not received via the <a href="smtpd.8.html">smtpd(8)</a> server, + filter) protocol. When mail is not received via the <a href="smtpd.8.html">smtpd(8)</a> server, the <a href="cleanup.8.html">cleanup(8)</a> server will simulate SMTP events to the extent that this is possible. For details see the <a href="MILTER_README.html">MILTER_README</a> document. <b><a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a> (empty)</b> - A list of Milter (mail filter) applications for new mail that + A list of Milter (mail filter) applications for new mail that does not arrive via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server. <b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b> - The mail filter protocol version and optional protocol exten- - sions for communication with a Milter application; prior to + The mail filter protocol version and optional protocol exten- + sions for communication with a Milter application; prior to Postfix 2.6 the default protocol is 2. <b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b> - The default action when a Milter (mail filter) response is - unavailable (for example, bad Postfix configuration or Milter + The default action when a Milter (mail filter) response is + unavailable (for example, bad Postfix configuration or Milter failure). <b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> - The {daemon_name} macro value for Milter (mail filter) applica- + The {daemon_name} macro value for Milter (mail filter) applica- tions. 
<b><a href="postconf.5.html#milter_macro_v">milter_macro_v</a> ($<a href="postconf.5.html#mail_name">mail_name</a> $<a href="postconf.5.html#mail_version">mail_version</a>)</b> 
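Review bot: every removed/added pair visible in this hunk (non_smtpd_milters, milter_protocol, milter_default_action, milter_macro_daemon_name) reads identically, so the change appears to be whitespace-only re-justification. The next two hunks in this file look the same. If this is fallout from regenerating the page, consider keeping the formatter's line filling stable, or committing the regenerated whitespace separately, so the content changes later in the file (the sender_bcc_maps, recipient_bcc_maps and virtual_alias_maps wording) are not buried in unrelated churn.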
@@ -202,45 +202,45 @@ CLEANUP(8) CLEANUP(8) tion, and for negotiating protocol options. <b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b> - The time limit for sending an SMTP command to a Milter (mail + The time limit for sending an SMTP command to a Milter (mail filter) application, and for receiving the response. <b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b> - The time limit for sending message content to a Milter (mail + The time limit for sending message content to a Milter (mail filter) application, and for receiving the response. <b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b> - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after completion of an SMTP connection. <b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b> - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP HELO or EHLO command. <b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b> - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP MAIL FROM command. <b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b> - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the SMTP RCPT TO command. <b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b> - The macros that are sent to version 4 or higher Milter (mail + The macros that are sent to version 4 or higher Milter (mail filter) applications after the SMTP DATA command. 
<b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b> - The macros that are sent to version 3 or higher Milter (mail + The macros that are sent to version 3 or higher Milter (mail filter) applications after an unknown SMTP command. <b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b> - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the message end-of-data. Available in Postfix version 2.5 and later: <b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b> - The macros that are sent to Milter (mail filter) applications + The macros that are sent to Milter (mail filter) applications after the end of the message header. Available in Postfix version 2.7 and later: @@ -252,8 +252,8 @@ CLEANUP(8) CLEANUP(8) Available in Postfix version 3.1 and later: <b><a href="postconf.5.html#milter_macro_defaults">milter_macro_defaults</a> (empty)</b> - Optional list of <i>name=value</i> pairs that specify default values - for arbitrary macros that Postfix may send to Milter applica- + Optional list of <i>name=value</i> pairs that specify default values + for arbitrary macros that Postfix may send to Milter applica- tions. <b>MIME PROCESSING CONTROLS</b> 
@@ -279,82 +279,83 @@ CLEANUP(8) CLEANUP(8) ing information. <b><a href="postconf.5.html#strict_mime_encoding_domain">strict_mime_encoding_domain</a> (no)</b> - Reject mail with invalid Content-Transfer-Encoding: information + Reject mail with invalid Content-Transfer-Encoding: information for the message/* or multipart/* MIME content types. Available in Postfix version 2.5 and later: <b><a href="postconf.5.html#detect_8bit_encoding_header">detect_8bit_encoding_header</a> (yes)</b> - Automatically detect 8BITMIME body content by looking at Con- - tent-Transfer-Encoding: message headers; historically, this + Automatically detect 8BITMIME body content by looking at Con- + tent-Transfer-Encoding: message headers; historically, this behavior was hard-coded to be "always on". <b>AUTOMATIC BCC RECIPIENT CONTROLS</b> - Postfix can automatically add BCC (blind carbon copy) when mail enters + Postfix can automatically add BCC (blind carbon copy) when mail enters the mail system: <b><a href="postconf.5.html#always_bcc">always_bcc</a> (empty)</b> - Optional address that receives a "blind carbon copy" of each + Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system. Available in Postfix version 2.1 and later: <b><a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> (empty)</b> - Optional BCC (blind carbon-copy) address lookup tables, indexed - by sender address. + Optional BCC (blind carbon-copy) address lookup tables, indexed + by envelope sender address. <b><a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> (empty)</b> - Optional BCC (blind carbon-copy) address lookup tables, indexed - by recipient address. + Optional BCC (blind carbon-copy) address lookup tables, indexed + by envelope recipient address. <b>ADDRESS TRANSFORMATION CONTROLS</b> - Address rewriting is delegated to the <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> daemon. 
The + Address rewriting is delegated to the <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> daemon. The <a href="cleanup.8.html"><b>cleanup</b>(8)</a> server implements table driven address mapping. <b><a href="postconf.5.html#empty_address_recipient">empty_address_recipient</a> (MAILER-DAEMON)</b> The recipient of mail addressed to the null address. <b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b> - Optional address mapping lookup tables for message headers and + Optional address mapping lookup tables for message headers and envelopes. <b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b> - Optional address mapping lookup tables for envelope and header + Optional address mapping lookup tables for envelope and header recipient addresses. <b><a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> (empty)</b> - Optional address mapping lookup tables for envelope and header + Optional address mapping lookup tables for envelope and header sender addresses. <b><a href="postconf.5.html#masquerade_classes">masquerade_classes</a> (envelope_sender, header_sender, header_recipient)</b> What addresses are subject to address masquerading. <b><a href="postconf.5.html#masquerade_domains">masquerade_domains</a> (empty)</b> - Optional list of domains whose subdomain structure will be + Optional list of domains whose subdomain structure will be stripped off in email addresses. <b><a href="postconf.5.html#masquerade_exceptions">masquerade_exceptions</a> (empty)</b> - Optional list of user names that are not subjected to address - masquerading, even when their addresses match $<a href="postconf.5.html#masquerade_domains">masquer</a>- + Optional list of user names that are not subjected to address + masquerading, even when their addresses match $<a href="postconf.5.html#masquerade_domains">masquer</a>- <a href="postconf.5.html#masquerade_domains">ade_domains</a>. 
<b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> (canonical, virtual)</b> - What address lookup tables copy an address extension from the + What address lookup tables copy an address extension from the lookup key to the lookup result. Available before Postfix version 2.0: <b><a href="postconf.5.html#virtual_maps">virtual_maps</a> (empty)</b> - Optional lookup tables with a) names of domains for which all - addresses are aliased to addresses in other local or remote + Optional lookup tables with a) names of domains for which all + addresses are aliased to addresses in other local or remote domains, and b) addresses that are aliased to addresses in other local or remote domains. Available in Postfix version 2.0 and later: <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b> - Optional lookup tables that alias specific mail addresses or - domains to other local or remote address. + Optional lookup tables with aliases that apply to all recipi- + ents: <a href="local.8.html"><b>local</b>(8)</a>, virtual, and remote; this is unlike <a href="postconf.5.html#alias_maps">alias_maps</a> + that apply only to <a href="local.8.html"><b>local</b>(8)</a> recipients. Available in Postfix version 2.2 and later: 
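Review bot: the new virtual_alias_maps description at the end of this hunk explains the scope (all recipients, unlike alias_maps) but no longer says that the table can alias whole domains as well as specific addresses, which the removed line stated ("alias specific mail addresses or domains to other local or remote address"). Suggest keeping both facts, for example "Optional lookup tables that alias specific mail addresses or domains, and that apply to all recipients ...". The rest of the hunk, apart from the "envelope sender address" and "envelope recipient address" clarifications, is whitespace-only as far as the visible lines show.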
@@ -371,9 +372,11 @@ CLEANUP(8) CLEANUP(8) ping. <b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b> - Don't rewrite message headers from remote clients at all when - this parameter is empty; otherwise, rewrite message headers and - append the specified domain name to incomplete addresses. + Rewrite or add message headers in mail from remote clients if + the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter value is non-empty, + updating incomplete addresses with the domain specified in the + <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter, and adding missing head- + ers. <b>RESOURCE AND RATE CONTROLS</b> <b><a href="postconf.5.html#duplicate_filter_limit">duplicate_filter_limit</a> (1000)</b> @@ -433,7 +436,7 @@ CLEANUP(8) CLEANUP(8) <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b> Enable preliminary SMTPUTF8 support for the protocols described - in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533. + in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>. <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b> Detect that a message requires SMTPUTF8 support for the speci- 
@@ -520,6 +523,13 @@ CLEANUP(8) CLEANUP(8) The email address form that will be used in non-debug logging (info, warning, etc.). + Available in Postfix 3.9 and later: + + <b><a href="postconf.5.html#force_mime_input_conversion">force_mime_input_conversion</a> (no)</b> + Convert body content that claims to be 8-bit into quoted-print- + able, before <a href="postconf.5.html#header_checks">header_checks</a>, <a href="postconf.5.html#body_checks">body_checks</a>, Milters, and before + after-queue content filters. + <b>FILES</b> /etc/postfix/canonical*, canonical mapping table /etc/postfix/virtual*, virtual mapping table diff --git a/html/dnsblog.8.html b/html/dnsblog.8.html index 250b046..2028fa1 100644 --- a/html/dnsblog.8.html +++ b/html/dnsblog.8.html @@ -49,8 +49,8 @@ DNSBLOG(8) DNSBLOG(8) request before it is terminated by a built-in watchdog timer. <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b> - Optional list of DNS allow/denylist domains, filters and weight - factors. + Optional list of patterns with DNS allow/denylist domains, fil- + ters and weight factors. <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> The time limit for sending or receiving information over an diff --git a/html/generic.5.html b/html/generic.5.html index 813d47e..c1a8a30 100644 --- a/html/generic.5.html +++ b/html/generic.5.html 
@@ -182,25 +182,26 @@ GENERIC(5) GENERIC(5) Other parameters of interest: <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> - The network interface addresses that this mail system receives - mail on. + The local network interface addresses that this mail system + receives mail on. <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> - The network interface addresses that this mail system receives - mail on by way of a proxy or network address translation unit. + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- + tion unit. <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b> - The list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a> + The list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport. <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> - The domain name that locally-posted mail appears to come from, + The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. <b><a href="postconf.5.html#owner_request_special">owner_request_special</a> (yes)</b> - Enable special treatment for owner-<i>listname</i> entries in the + Enable special treatment for owner-<i>listname</i> entries in the <a href="aliases.5.html"><b>aliases</b>(5)</a> file, and don't split owner-<i>listname</i> and <i>list-</i> - <i>name</i>-request address localparts when the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> is + <i>name</i>-request address localparts when the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> is set to "-". <b>SEE ALSO</b> 
diff --git a/html/header_checks.5.html b/html/header_checks.5.html index 6bb114a..c1c8b17 100644 --- a/html/header_checks.5.html +++ b/html/header_checks.5.html 
@@ -392,40 +392,31 @@ HEADER_CHECKS(5) HEADER_CHECKS(5) <b>Return-Path:</b>. <b>CONFIGURATION PARAMETERS</b> - <b><a href="postconf.5.html#body_checks">body_checks</a></b> - Lookup tables with content filter rules for message body lines. - These filters see one physical line at a time, in chunks of at - most <b>$<a href="postconf.5.html#line_length_limit">line_length_limit</a></b> bytes. - - <b><a href="postconf.5.html#body_checks_size_limit">body_checks_size_limit</a></b> - The amount of content per message body segment (attachment) that - is subjected to <b>$<a href="postconf.5.html#body_checks">body_checks</a></b> filtering. - - <b><a href="postconf.5.html#header_checks">header_checks</a></b> - - <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>) - - <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>) - Lookup tables with content filter rules for message header - lines: respectively, these are applied to the initial message - headers (not including MIME headers), to the MIME headers any- - where in the message, and to the initial headers of attached - messages. - - Note: these filters see one logical message header at a time, - even when a message header spans multiple lines. Message headers - that are longer than <b>$<a href="postconf.5.html#header_size_limit">header_size_limit</a></b> characters are trun- - cated. - - <b><a href="postconf.5.html#disable_mime_input_processing">disable_mime_input_processing</a></b> - While receiving mail, give no special treatment to MIME related - message headers; all text after the initial message headers is - considered to be part of the message body. 
This means that - <b><a href="postconf.5.html#header_checks">header_checks</a></b> is applied to all the initial message headers, and - that <b><a href="postconf.5.html#body_checks">body_checks</a></b> is applied to the remainder of the message. - - Note: when used in this manner, <b><a href="postconf.5.html#body_checks">body_checks</a></b> will process a - multi-line message header one line at a time. + <b><a href="postconf.5.html#body_checks">body_checks</a> (empty)</b> + Optional lookup tables for content inspection as specified in + the <a href="header_checks.5.html"><b>body_checks</b>(5)</a> manual page. + + <b><a href="postconf.5.html#body_checks_size_limit">body_checks_size_limit</a> (51200)</b> + How much text in a message body segment (or attachment, if you + prefer to use that term) is subjected to <a href="postconf.5.html#body_checks">body_checks</a> inspection. + + <b><a href="postconf.5.html#header_checks">header_checks</a> (empty)</b> + Optional lookup tables for content inspection of primary + non-MIME message headers, as specified in the <a href="header_checks.5.html"><b>header_checks</b>(5)</a> + manual page. + + <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a> ($<a href="postconf.5.html#header_checks">header_checks</a>)</b> + Optional lookup tables for content inspection of MIME related + message headers, as described in the <a href="header_checks.5.html"><b>header_checks</b>(5)</a> manual + page. + + <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a> ($<a href="postconf.5.html#header_checks">header_checks</a>)</b> + Optional lookup tables for content inspection of non-MIME mes- + sage headers in attached messages, as described in the + <a href="header_checks.5.html"><b>header_checks</b>(5)</a> manual page. + + <b><a href="postconf.5.html#disable_mime_input_processing">disable_mime_input_processing</a> (no)</b> + Turn off MIME processing while receiving mail. 
<b>EXAMPLES</b> Header pattern to block attachments with bad file name extensions. For diff --git a/html/index.html b/html/index.html index 68edc59..a7da6cb 100644 --- a/html/index.html +++ b/html/index.html @@ -53,6 +53,8 @@ configuration examples </a> <li> <a href="COMPATIBILITY_README.html"> Backwards-Compatibility Safety Net</a> +<li> <a href="DEPRECATION_README.html"> Deprecated features and alternatives </a> + <li> <a href="INSTALL.html"> Installation from source code </a> </ul> @@ -141,6 +143,8 @@ Per-client/user/etc. access </a> <li> <a href="MEMCACHE_README.html"> Memcache Howto </a> +<li> <a href="MONGODB_README.html"> MongoDB Howto </a> + <li> <a href="MYSQL_README.html"> MySQL Howto </a> <li> <a href="PCRE_README.html"> PCRE Howto </a> diff --git a/html/lmtp.8.html b/html/lmtp.8.html index 1144ee8..4cc187c 100644 --- a/html/lmtp.8.html +++ b/html/lmtp.8.html 
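Review bot: the html/header_checks.5.html hunk above (@@ -392,40 +392,31 @@) drops caveats that the shortened CONFIGURATION PARAMETERS entries no longer carry: that body_checks sees one physical line at a time in chunks of at most $line_length_limit bytes, that header filters see one logical header and that headers longer than $header_size_limit are truncated, and that with disable_mime_input_processing body_checks processes a multi-line message header one line at a time. The replacement "Turn off MIME processing while receiving mail." does not say which checks then see which part of the message, which matters to anyone relying on these tables for content inspection. Keep a one-line form of each caveat, or confirm that they are stated elsewhere in this page. The new header_checks, mime_header_checks and nested_header_checks entries also send the reader to the header_checks(5) manual page from inside header_checks(5) itself; naming the relevant section of this page would be more useful.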
@@ -5,88 +5,100 @@ <link rel='stylesheet' type='text/css' href='postfix-doc.css'> <title> Postfix manual - smtp(8) </title> </head> <body> <pre> -SMTP(8) SMTP(8) +SMTP,(LMTP) SMTP,(LMTP) <b>NAME</b> - smtp - Postfix SMTP+LMTP client + smtp, lmtp - Postfix SMTP+LMTP client <b>SYNOPSIS</b> <b>smtp</b> [generic Postfix daemon options] [flags=DORX] + <b>lmtp</b> [generic Postfix daemon options] [flags=DORX] + <b>DESCRIPTION</b> The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery protocols. It processes message delivery requests from the queue man- ager. Each request specifies a queue file, a sender address, a domain or host to deliver to, and recipient information. This program expects - to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager. + to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager. The process name, <b>smtp</b> or + <b>lmtp</b>, controls the protocol, and the names of the configuration parame- + ters that will be used. The SMTP+LMTP client updates the queue file and marks recipients as finished, or it informs the queue manager that delivery should be tried again at a later time. Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>, <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate. - The SMTP+LMTP client looks up a list of mail exchanger addresses for - the destination host, sorts the list by preference, and connects to - each listed address until it finds a server that responds. - - When a server is not reachable, or when mail delivery fails due to a - recoverable error condition, the SMTP+LMTP client will try to deliver - the mail to an alternate host. + The server lookup strategy is different for SMTP and LMTP, as described + in the sections "SMTP SERVER LOOKUP" and "LMTP SERVER LOOKUP". 
- After a successful mail transaction, a connection may be saved to the - <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it may be used by any + After a successful mail transaction, a connection may be saved to the + <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it may be used by any SMTP+LMTP client for a subsequent transaction. - By default, connection caching is enabled temporarily for destinations + By default, connection caching is enabled temporarily for destinations that have a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. Connection caching can be enabled permanently for specific destinations. -<b>SMTP DESTINATION SYNTAX</b> - The Postfix SMTP+LMTP client supports multiple destinations separated - by comma or whitespace (Postfix 3.5 and later). SMTP destinations have - the following form: +<b>SMTP SERVER LOOKUP</b> + The Postfix SMTP client supports multiple destinations separated by + comma or whitespace (Postfix 3.5 and later). Each destination is tried + in the specified order. + + SMTP destinations have the following form: <i>domainname</i> - <i>domainname</i>:<i>port</i> - Look up the mail exchangers for the specified domain, and con- - nect to the specified port (default: <b>smtp</b>). + <i>domainname</i>:<i>service</i> + Look up the mail exchangers for the specified domain, and con- + nect to the specified service (default: <b>smtp</b>). Optionally, mail + exchangers may be looked up with SRV queries instead of MX; this + requires that <i>service</i> is given in symbolic form. [<i>hostname</i>] - [<i>hostname</i>]:<i>port</i> - Look up the address(es) of the specified host, and connect to - the specified port (default: <b>smtp</b>). + [<i>hostname</i>]:<i>service</i> + Look up the address(es) for the specified host, and connect to + the specified service (default: <b>smtp</b>). 
[<i>address</i>] - [<i>address</i>]:<i>port</i> + [<i>address</i>]:<i>service</i> Connect to the host at the specified address, and connect to the - specified port (default: <b>smtp</b>). An IPv6 address must be format- - ted as [<b>ipv6</b>:<i>address</i>]. + specified service (default: <b>smtp</b>). An IPv6 address must be for- + matted as [<b>ipv6</b>:<i>address</i>]. -<b>LMTP DESTINATION SYNTAX</b> - The Postfix SMTP+LMTP client supports multiple destinations separated - by comma or whitespace (Postfix 3.5 and later). LMTP destinations have - the following form: +<b>LMTP SERVER LOOKUP</b> + The Postfix LMTP client supports multiple destinations separated by + comma or whitespace (Postfix 3.5 and later). Each destination is tried + in the specified order. + + LMTP destinations have the following form: <b>unix</b>:<i>pathname</i> - Connect to the local UNIX-domain server that is bound to the - specified <i>pathname</i>. If the process runs chrooted, an absolute + Connect to the local UNIX-domain server that is bound to the + specified <i>pathname</i>. If the process runs chrooted, an absolute pathname is interpreted relative to the Postfix queue directory. + <b>inet</b>:<i>domainname</i> + + <b>inet</b>:<i>domainname</i>:<i>service</i> + Look up the LMTP servers for the specified domain and service + (default: <b>lmtp</b>). This form is supported when SRV lookups are + enabled, and requires that <i>service</i> is in symbolic form. + <b>inet</b>:<i>hostname</i> - <b>inet</b>:<i>hostname</i>:<i>port</i> + <b>inet</b>:<i>hostname</i>:<i>service</i> + Look up the address(es) for the specified host, and connect to + the specified service (default: <b>lmtp</b>). When SRV lookups are + enabled, use the form <b>[</b><i>hostname</i><b>]</b> to force address lookups. <b>inet</b>:[<i>address</i>] - <b>inet</b>:[<i>address</i>]:<i>port</i> - Connect to the specified TCP port on the specified local or - remote host. 
If no port is specified, connect to the port - defined as <b>lmtp</b> in <b>services</b>(4). If no such service is found, - the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b> configuration parameter (default value of 24) - will be used. An IPv6 address must be formatted as + <b>inet</b>:[<i>address</i>]:<i>service</i> + Connect to the specified local or remote host and service + (default: <b>lmtp</b>). An IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>]. <b>SINGLE-RECIPIENT DELIVERY</b> @@ -136,10 +148,9 @@ SMTP(8) SMTP(8) This feature is available as of Postfix 3.5. <b>SECURITY</b> - The SMTP+LMTP client is moderately security-sensitive. It - talks to SMTP or LMTP servers and to DNS servers on the - network. The SMTP+LMTP client can be run chrooted at fixed - low privilege. + The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP + or LMTP servers and to DNS servers on the network. The SMTP+LMTP client + can be run chrooted at fixed low privilege. <b>STANDARDS</b> <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol) 
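Review bot: in the LMTP SERVER LOOKUP text of the @@ -5,88 +5,100 @@ hunk of html/lmtp.8.html, the inet:hostname entry says to use the form [hostname] to force address lookups when SRV lookups are enabled, but the list of forms has only inet:hostname and inet:[address], so it is unclear whether inet:[hostname] is meant and whether it accepts a :service suffix. List that form explicitly, as the SMTP section does with [hostname] and [hostname]:service. The same hunk removes the explanation of how an unspecified port is resolved (services(4), then lmtp_tcp_port with a default of 24) and leaves only "(default: lmtp)"; say where the symbolic name is resolved now. The page header also changes from SMTP(8) to SMTP,(LMTP), which drops the section number and looks like a title formatting error rather than an intended change.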
@@ -180,20 +191,19 @@ SMTP(8) SMTP(8) for all destinations that map onto the same IP address and TCP port. <b>CONFIGURATION PARAMETERS</b> - Before Postfix version 2.3, the LMTP client is a separate program that - implements only a subset of the functionality available with SMTP: - there is no support for TLS, and connections are cached in-process, - making it ineffective when the client is used for multiple domains. + Postfix versions 2.3 and later implement the SMTP and LMTP client with + the same program, and choose the protocol and configuration parameters + based on the process name, <b>smtp</b> or <b>lmtp</b>. Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i> "mirror" param- - eter for the equivalent LMTP feature. This document describes only + eter for the equivalent LMTP feature. This document describes only those LMTP-related parameters that aren't simply "mirror" parameters. - Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a> processes + Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a> processes run for only a limited amount of time. Use the command "<b>postfix reload</b>" to speed up a change. - The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for + The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. <b>COMPATIBILITY CONTROLS</b> 
@@ -214,8 +224,8 @@ SMTP(8) SMTP(8) will send via SMTP. <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b> - How long the Postfix SMTP client pauses before sending - ".<CR><LF>" in order to work around the PIX firewall + How long the Postfix SMTP client pauses before sending + ".<CR><LF>" in order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug. <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b> @@ -224,19 +234,19 @@ SMTP(8) SMTP(8) delivery through firewalls with "smtp fixup" mode turned on. <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b> - A list that specifies zero or more workarounds for CISCO PIX + A list that specifies zero or more workarounds for CISCO PIX firewall bugs. <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b> - Lookup tables, indexed by the remote SMTP server address, with + Lookup tables, indexed by the remote SMTP server address, with per-destination workarounds for CISCO PIX firewall bugs. <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b> - Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO + Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands as required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b> - A mechanism to transform replies from remote SMTP servers one + A mechanism to transform replies from remote SMTP servers one line at a time. <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b> 
@@ -248,68 +258,68 @@ SMTP(8) SMTP(8) Available in Postfix version 2.0 and earlier: <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b> - Skip SMTP servers that greet with a 4XX status code (go away, + Skip SMTP servers that greet with a 4XX status code (go away, try again later). Available in Postfix version 2.2 and later: <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b> - Lookup tables, indexed by the remote SMTP server address, with - case insensitive lists of EHLO keywords (pipelining, starttls, + Lookup tables, indexed by the remote SMTP server address, with + case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b> - A case insensitive list of EHLO keywords (pipelining, starttls, + A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b> - Optional lookup tables that perform address rewriting in the - Postfix SMTP client, typically to transform a locally valid - address into a globally valid address when sending mail across + Optional lookup tables that perform address rewriting in the + Postfix SMTP client, typically to transform a locally valid + address into a globally valid address when sending mail across the Internet. 
Available in Postfix version 2.2.9 and later: <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b> - When the remote SMTP servername is a DNS CNAME, replace the - servername with the result from CNAME expansion for the purpose - of logging, SASL password lookup, TLS policy decisions, or TLS + When the remote SMTP servername is a DNS CNAME, replace the + servername with the result from CNAME expansion for the purpose + of logging, SASL password lookup, TLS policy decisions, or TLS certificate verification. Available in Postfix version 2.3 and later: <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b> - Lookup tables, indexed by the remote LMTP server address, with - case insensitive lists of LHLO keywords (pipelining, starttls, + Lookup tables, indexed by the remote LMTP server address, with + case insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.) that the Postfix LMTP client will ignore in the LHLO response from a remote LMTP server. <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b> - A case insensitive list of LHLO keywords (pipelining, starttls, + A case insensitive list of LHLO keywords (pipelining, starttls, auth, etc.) that the Postfix LMTP client will ignore in the LHLO response from a remote LMTP server. Available in Postfix version 2.4.4 and later: <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b> - When authenticating to a remote SMTP or LMTP server with the - default setting "no", send no SASL authoriZation ID (authzid); - send only the SASL authentiCation ID (authcid) plus the auth- + When authenticating to a remote SMTP or LMTP server with the + default setting "no", send no SASL authoriZation ID (authzid); + send only the SASL authentiCation ID (authcid) plus the auth- cid's password. 
Available in Postfix version 2.5 and later: <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b> - Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client. + Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client. <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b> - Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP + Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP client. <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b> - Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP + Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP client. <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b> @@ -318,7 +328,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.6 and later: <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b> - An optional workaround for routers that break TCP window scal- + An optional workaround for routers that break TCP window scal- ing. Available in Postfix version 2.8 and later: 
@@ -329,16 +339,16 @@ SMTP(8) SMTP(8) Available in Postfix version 2.9 - 3.6: <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.9 and later: <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> - Whether or not to append the "AUTH=<>" option to the MAIL FROM + Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. Available in Postfix version 2.11 and later: @@ -349,7 +359,7 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: <b><a href="postconf.5.html#smtp_delivery_status_filter">smtp_delivery_status_filter</a> ($<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b> - Optional filter for the <a href="smtp.8.html"><b>smtp</b>(8)</a> delivery agent to change the + Optional filter for the <a href="smtp.8.html"><b>smtp</b>(8)</a> delivery agent to change the delivery status code or explanatory text of successful or unsuc- cessful deliveries. 
@@ -359,38 +369,38 @@ SMTP(8) SMTP(8) Available in Postfix version 3.3 and later: <b><a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a> (yes)</b> - When a remote destination resolves to a combination of IPv4 and + When a remote destination resolves to a combination of IPv4 and IPv6 addresses, ensure that the Postfix SMTP client can try both address types before it runs into the <a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a>. Available in Postfix 3.5 and later: <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b> - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). Available in Postfix 3.6 and later: <b><a href="postconf.5.html#dnssec_probe">dnssec_probe</a> (ns:.)</b> - The DNS query type (default: "ns") and DNS query name (default: + The DNS query type (default: "ns") and DNS query name (default: ".") that Postfix may use to determine whether DNSSEC validation is available. - <b><a href="postconf.5.html#known_tcp_ports">known_tcp_ports</a> (lmtp=24, smtp=25, smtps=submissions=465, submis-</b> + <b><a href="postconf.5.html#known_tcp_ports">known_tcp_ports</a> (lmtp=24, smtp=25, smtps=submissions=465, submis-</b> <b>sion=587)</b> - Optional setting that avoids lookups in the <b>services</b>(5) data- + Optional setting that avoids lookups in the <b>services</b>(5) data- base. 
Available in Postfix version 3.7 and later: <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b> - Change the behavior of the smtp_*_timeout time limits, from a - time limit per plaintext or TLS read or write call, to a com- - bined time limit for sending a complete SMTP request and for + Change the behavior of the smtp_*_timeout time limits, from a + time limit per plaintext or TLS read or write call, to a com- + bined time limit for sending a complete SMTP request and for receiving a complete SMTP response. <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b> - The minimum plaintext data transfer rate in bytes/second for + The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>. @@ -400,16 +410,16 @@ SMTP(8) SMTP(8) Available in Postfix version 3.8 and later: <b><a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a> (empty)</b> - Enables discovery for the specified service(s) using DNS SRV + Enables discovery for the specified service(s) using DNS SRV records. <b><a href="postconf.5.html#ignore_srv_lookup_error">ignore_srv_lookup_error</a> (no)</b> - When SRV record lookup fails, fall back to MX or IP address + When SRV record lookup fails, fall back to MX or IP address lookup as if SRV record lookup was not enabled. <b><a href="postconf.5.html#allow_srv_lookup_fallback">allow_srv_lookup_fallback</a> (no)</b> - When SRV record lookup fails or no SRV record exists, fall back - to MX or IP address lookup as if SRV record lookup was not + When SRV record lookup fails or no SRV record exists, fall back + to MX or IP address lookup as if SRV record lookup was not enabled. <b>MIME PROCESSING CONTROLS</b> 
@@ -428,7 +438,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b> - Send the non-standard XFORWARD command when the Postfix SMTP + Send the non-standard XFORWARD command when the Postfix SMTP server EHLO response announces XFORWARD support. <b>SASL AUTHENTICATION CONTROLS</b> 
@@ -436,60 +446,66 @@ SMTP(8) SMTP(8) Enable SASL authentication in the Postfix SMTP client. <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b> - Optional Postfix SMTP client lookup tables with one user- - name:password entry per sender, remote hostname or next-hop + Optional Postfix SMTP client lookup tables with one user- + name:password entry per sender, remote hostname or next-hop domain. <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b> Postfix SMTP client SASL security options; as of Postfix 2.3 the - list of available features depends on the SASL client implemen- + list of available features depends on the SASL client implemen- tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. Available in Postfix version 2.2 and later: <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b> - If non-empty, a Postfix SMTP client filter for the remote SMTP + If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. Available in Postfix version 2.3 and later: <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b> Enable sender-dependent authentication in the Postfix SMTP - client; this is available only with SASL authentication, and - disables SMTP connection caching to ensure that mail from dif- + client; this is available only with SASL authentication, and + disables SMTP connection caching to ensure that mail from dif- ferent senders will use the appropriate credentials. 
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b> Implementation-specific information that the Postfix SMTP client - passes through to the SASL plug-in implementation that is + passes through to the SASL plug-in implementation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b> - The SASL plug-in type that the Postfix SMTP client should use + The SASL plug-in type that the Postfix SMTP client should use for authentication. Available in Postfix version 2.5 and later: <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b> - An optional table to prevent repeated SASL authentication fail- - ures with the same remote SMTP server hostname, username and + An optional table to prevent repeated SASL authentication fail- + ures with the same remote SMTP server hostname, username and password. <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b> - The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it + The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it is removed. <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b> - When a remote SMTP server rejects a SASL authentication request - with a 535 reply code, defer mail delivery instead of returning + When a remote SMTP server rejects a SASL authentication request + with a 535 reply code, defer mail delivery instead of returning mail as undeliverable. 
Available in Postfix version 2.9 and later: <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> - Whether or not to append the "AUTH=<>" option to the MAIL FROM + Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. + Available in Postfix version 3.9 and later: + + <b><a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> (:)</b> + The delimiter between username and password in sasl_passwd_maps + lookup results. + <b>STARTTLS SUPPORT CONTROLS</b> Detailed information about STARTTLS configuration may be found in the <a href="TLS_README.html">TLS_README</a> document. @@ -619,7 +635,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.6 and later: - <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see postconf -d output)</b> + <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see 'postconf -d' output)</b> TLS protocols that the Postfix SMTP client will use with oppor- tunistic TLS encryption. @@ -724,6 +740,12 @@ SMTP(8) SMTP(8) The application name passed by Postfix to OpenSSL library ini- tialization functions. + Available in Postfix version 3.9 and later: + + <b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b> + Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key + instead of an X.509 certificate. + <b>OBSOLETE STARTTLS CONTROLS</b> The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a 
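Review bot: in the SASL AUTHENTICATION CONTROLS hunk (@@ -436,60 +446,66 @@), the new smtp_sasl_password_result_delimiter entry refers to "sasl_passwd_maps", but the parameter documented earlier in the same hunk is smtp_sasl_password_maps. Use the actual parameter name so the reference can be looked up. In the @@ -724,6 +740,12 @@ hunk, "RFC7250" is written without the space used by the other RFC references in this patch (for example "RFC 5321").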
@@ -954,7 +976,7 @@ SMTP(8) SMTP(8) The local network interface addresses that this mail system receives mail on. - <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b> + <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b> The Internet protocols Postfix will attempt to use when making or accepting connections. @@ -1119,5 +1141,5 @@ SMTP(8) SMTP(8) Victor Duchovni Morgan Stanley - SMTP(8) + 8 SMTP,(LMTP) </pre> </body> </html> diff --git a/html/local.8.html b/html/local.8.html index fce3d04..a923ce2 100644 --- a/html/local.8.html +++ b/html/local.8.html 
@@ -178,40 +178,42 @@ LOCAL(8) LOCAL(8) replaced with underscores. The list of acceptable characters is speci- fied with the <b><a href="postconf.5.html#command_expansion_filter">command_expansion_filter</a></b> configuration parameter. - <b>SHELL</b> The recipient user's login shell. + <b>SHELL</b> The envelope recipient user's login shell. - <b>HOME</b> The recipient user's home directory. + <b>HOME</b> The envelope recipient user's home directory. - <b>USER</b> The bare recipient name. + <b>USER</b> The bare envelope recipient name. <b>EXTENSION</b> - The optional recipient address extension. + The optional envelope recipient address extension. - <b>DOMAIN</b> The recipient address domain part. + <b>DOMAIN</b> The envelope recipient address domain part. <b>LOGNAME</b> - The bare recipient name. + The bare envelope recipient name. - <b>LOCAL</b> The entire recipient address localpart (text to the left of the - rightmost @ character). + <b>LOCAL</b> The entire envelope recipient address localpart (text to the + left of the rightmost @ character). <b>ORIGINAL_RECIPIENT</b> - The entire recipient address, before any address rewriting or - aliasing (Postfix 2.5 and later). + The entire envelope recipient address, before any address + rewriting or aliasing (Postfix 2.5 and later). <b>RECIPIENT</b> - The entire recipient address. + The entire envelope recipient address. - <b>SENDER</b> The entire sender address. + <b>SENDER</b> The entire envelope sender address. - Additional remote client information is made available via the follow- + <b>ENVID</b> The optional <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> envelope ID. Available as of Postfix 3.9. + + Additional remote client information is made available via the follow- ing environment variables: <b>CLIENT_ADDRESS</b> Remote client network address. Available as of Postfix 2.2. <b>CLIENT_HELO</b> - Remote client EHLO command parameter. Available as of Postfix + Remote client EHLO command parameter. 
Available as of Postfix 2.2. <b>CLIENT_HOSTNAME</b> 
@@ -221,69 +223,69 @@ LOCAL(8) LOCAL(8) Remote client protocol. Available as of Postfix 2.2. <b>SASL_METHOD</b> - SASL authentication method specified in the remote client AUTH + SASL authentication method specified in the remote client AUTH command. Available as of Postfix 2.2. <b>SASL_SENDER</b> - SASL sender address specified in the remote client MAIL FROM + SASL sender address specified in the remote client MAIL FROM command. Available as of Postfix 2.2. <b>SASL_USERNAME</b> - SASL username specified in the remote client AUTH command. + SASL username specified in the remote client AUTH command. Available as of Postfix 2.2. - The <b>PATH</b> environment variable is always reset to a system-dependent - default path, and environment variables whose names are blessed by the + The <b>PATH</b> environment variable is always reset to a system-dependent + default path, and environment variables whose names are blessed by the <b><a href="postconf.5.html#export_environment">export_environment</a></b> configuration parameter are exported unchanged. The current working directory is the mail queue directory. The <a href="local.8.html"><b>local</b>(8)</a> daemon prepends a "<b>From</b> <i>sender time</i><b>_</b><i>stamp</i>" envelope header - to each message, prepends an <b>X-Original-To:</b> header with the recipient - address as given to Postfix, prepends an optional <b>Delivered-To:</b> header - with the final recipient envelope address, prepends a <b>Return-Path:</b> + to each message, prepends an <b>X-Original-To:</b> header with the recipient + address as given to Postfix, prepends an optional <b>Delivered-To:</b> header + with the final recipient envelope address, prepends a <b>Return-Path:</b> header with the sender envelope address, and appends no empty line. <b>EXTERNAL FILE DELIVERY</b> - The delivery format depends on the destination filename syntax. The - default is to use UNIX-style mailbox format. 
Specify a name ending in + The delivery format depends on the destination filename syntax. The + default is to use UNIX-style mailbox format. Specify a name ending in <b>/</b> for <b>qmail</b>-compatible <b>maildir</b> delivery. - The <b><a href="postconf.5.html#allow_mail_to_files">allow_mail_to_files</a></b> configuration parameter restricts delivery to - external files. The default setting (<b>alias, forward</b>) forbids file des- + The <b><a href="postconf.5.html#allow_mail_to_files">allow_mail_to_files</a></b> configuration parameter restricts delivery to + external files. The default setting (<b>alias, forward</b>) forbids file des- tinations in <b>:include:</b> files. - In the case of UNIX-style mailbox delivery, the <a href="local.8.html"><b>local</b>(8)</a> daemon - prepends a "<b>From</b> <i>sender time</i><b>_</b><i>stamp</i>" envelope header to each message, - prepends an <b>X-Original-To:</b> header with the recipient address as given - to Postfix, prepends an optional <b>Delivered-To:</b> header with the final - recipient envelope address, prepends a > character to lines beginning - with "<b>From</b> ", and appends an empty line. The envelope sender address - is available in the <b>Return-Path:</b> header. When the destination is a - regular file, it is locked for exclusive access while delivery is in + In the case of UNIX-style mailbox delivery, the <a href="local.8.html"><b>local</b>(8)</a> daemon + prepends a "<b>From</b> <i>sender time</i><b>_</b><i>stamp</i>" envelope header to each message, + prepends an <b>X-Original-To:</b> header with the recipient address as given + to Postfix, prepends an optional <b>Delivered-To:</b> header with the final + recipient envelope address, prepends a > character to lines beginning + with "<b>From</b> ", and appends an empty line. The envelope sender address + is available in the <b>Return-Path:</b> header. When the destination is a + regular file, it is locked for exclusive access while delivery is in progress. 
In case of problems, an attempt is made to truncate a regular file to its original length. - In the case of <b>maildir</b> delivery, the local daemon prepends an optional - <b>Delivered-To:</b> header with the final envelope recipient address, and - prepends an <b>X-Original-To:</b> header with the recipient address as given - to Postfix. The envelope sender address is available in the + In the case of <b>maildir</b> delivery, the local daemon prepends an optional + <b>Delivered-To:</b> header with the final envelope recipient address, and + prepends an <b>X-Original-To:</b> header with the recipient address as given + to Postfix. The envelope sender address is available in the <b>Return-Path:</b> header. <b>ADDRESS EXTENSION</b> - The optional <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b> configuration parameter specifies how + The optional <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b> configuration parameter specifies how to separate address extensions from local recipient names. - For example, with "<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +</b>", mail for <i>name</i>+<i>foo</i> is - delivered to the alias <i>name</i>+<i>foo</i> or to the alias <i>name</i>, to the destina- + For example, with "<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +</b>", mail for <i>name</i>+<i>foo</i> is + delivered to the alias <i>name</i>+<i>foo</i> or to the alias <i>name</i>, to the destina- tions listed in ~<i>name</i>/.<b>forward</b>+<i>foo</i> or in ~<i>name</i>/.<b>forward</b>, to the mailbox owned by the user <i>name</i>, or it is sent back as undeliverable. <b>DELIVERY RIGHTS</b> - Deliveries to external files and external commands are made with the - rights of the receiving user on whose behalf the delivery is made. 
In - the absence of a user context, the <a href="local.8.html"><b>local</b>(8)</a> daemon uses the owner - rights of the <b>:include:</b> file or alias database. When those files are + Deliveries to external files and external commands are made with the + rights of the receiving user on whose behalf the delivery is made. In + the absence of a user context, the <a href="local.8.html"><b>local</b>(8)</a> daemon uses the owner + rights of the <b>:include:</b> file or alias database. When those files are owned by the superuser, delivery is made with the rights specified with the <b><a href="postconf.5.html#default_privs">default_privs</a></b> configuration parameter. 
@@ -292,43 +294,43 @@ LOCAL(8) LOCAL(8) <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes) <b>DIAGNOSTICS</b> - Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>. - Corrupted message files are marked so that the queue manager can move + Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>. + Corrupted message files are marked so that the queue manager can move them to the <b>corrupt</b> queue afterwards. - Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter, the postmas- + Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter, the postmas- ter is notified of bounces and of other trouble. <b>SECURITY</b> - The <a href="local.8.html"><b>local</b>(8)</a> delivery agent needs a dual personality 1) to access the + The <a href="local.8.html"><b>local</b>(8)</a> delivery agent needs a dual personality 1) to access the private Postfix queue and IPC mechanisms, 2) to impersonate the recipi- - ent and deliver to recipient-specified files or commands. It is there- + ent and deliver to recipient-specified files or commands. It is there- fore security sensitive. - The <a href="local.8.html"><b>local</b>(8)</a> delivery agent disallows regular expression substitution + The <a href="local.8.html"><b>local</b>(8)</a> delivery agent disallows regular expression substitution of $1 etc. in <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>, because that would open a security hole. - The <a href="local.8.html"><b>local</b>(8)</a> delivery agent will silently ignore requests to use the - <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server within <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>. 
Instead it will open the table + The <a href="local.8.html"><b>local</b>(8)</a> delivery agent will silently ignore requests to use the + <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server within <b><a href="postconf.5.html#alias_maps">alias_maps</a></b>. Instead it will open the table directly. Before Postfix version 2.2, the <a href="local.8.html"><b>local</b>(8)</a> delivery agent will terminate with a fatal error. <b>BUGS</b> - For security reasons, the message delivery status of external commands - or of external files is never checkpointed to file. As a result, the - program may occasionally deliver more than once to a command or exter- + For security reasons, the message delivery status of external commands + or of external files is never checkpointed to file. As a result, the + program may occasionally deliver more than once to a command or exter- nal file. Better safe than sorry. - Mutually-recursive aliases or ~/.<b>forward</b> files are not detected early. - The resulting mail forwarding loop is broken by the use of the <b>Deliv-</b> + Mutually-recursive aliases or ~/.<b>forward</b> files are not detected early. + The resulting mail forwarding loop is broken by the use of the <b>Deliv-</b> <b>ered-To:</b> message header. <b>CONFIGURATION PARAMETERS</b> - Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="local.8.html"><b>local</b>(8)</a> processes + Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="local.8.html"><b>local</b>(8)</a> processes run for only a limited amount of time. Use the command "<b>postfix reload</b>" to speed up a change. - The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for + The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. <b>COMPATIBILITY CONTROLS</b> 
@@ -336,14 +338,14 @@ LOCAL(8) LOCAL(8) Whether or not to use the local <a href="postconf.5.html#biff">biff</a> service. <b><a href="postconf.5.html#expand_owner_alias">expand_owner_alias</a> (no)</b> - When delivering to an alias "<i>aliasname</i>" that has an + When delivering to an alias "<i>aliasname</i>" that has an "owner-<i>aliasname</i>" companion alias, set the envelope sender address to the expansion of the "owner-<i>aliasname</i>" alias. <b><a href="postconf.5.html#owner_request_special">owner_request_special</a> (yes)</b> - Enable special treatment for owner-<i>listname</i> entries in the + Enable special treatment for owner-<i>listname</i> entries in the <a href="aliases.5.html"><b>aliases</b>(5)</a> file, and don't split owner-<i>listname</i> and <i>list-</i> - <i>name</i>-request address localparts when the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> is + <i>name</i>-request address localparts when the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> is set to "-". <b><a href="postconf.5.html#sun_mailtool_compatibility">sun_mailtool_compatibility</a> (no)</b> 
@@ -352,62 +354,64 @@ LOCAL(8) LOCAL(8) Available in Postfix version 2.3 and later: <b><a href="postconf.5.html#frozen_delivered_to">frozen_delivered_to</a> (yes)</b> - Update the <a href="local.8.html"><b>local</b>(8)</a> delivery agent's idea of the Delivered-To: - address (see <a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a>) only once, at the start - of a delivery attempt; do not update the Delivered-To: address + Update the <a href="local.8.html"><b>local</b>(8)</a> delivery agent's idea of the Delivered-To: + address (see <a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a>) only once, at the start + of a delivery attempt; do not update the Delivered-To: address while expanding aliases or .forward files. Available in Postfix version 2.5.3 and later: <b><a href="postconf.5.html#strict_mailbox_ownership">strict_mailbox_ownership</a> (yes)</b> - Defer delivery when a mailbox file is not owned by its recipi- + Defer delivery when a mailbox file is not owned by its recipi- ent. <b><a href="postconf.5.html#reset_owner_alias">reset_owner_alias</a> (no)</b> - Reset the <a href="local.8.html"><b>local</b>(8)</a> delivery agent's idea of the owner-alias - attribute, when delivering mail to a child alias that does not + Reset the <a href="local.8.html"><b>local</b>(8)</a> delivery agent's idea of the owner-alias + attribute, when delivering mail to a child alias that does not have its own owner alias. 
Available in Postfix version 3.0 and later: <b><a href="postconf.5.html#local_delivery_status_filter">local_delivery_status_filter</a> ($<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b> - Optional filter for the <a href="local.8.html"><b>local</b>(8)</a> delivery agent to change the - status code or explanatory text of successful or unsuccessful + Optional filter for the <a href="local.8.html"><b>local</b>(8)</a> delivery agent to change the + status code or explanatory text of successful or unsuccessful deliveries. <b>DELIVERY METHOD CONTROLS</b> - The precedence of <a href="local.8.html"><b>local</b>(8)</a> delivery methods from high to low is: + The precedence of <a href="local.8.html"><b>local</b>(8)</a> delivery methods from high to low is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>, - <a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_direc</a>- + <a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_direc</a>- <a href="postconf.5.html#mail_spool_directory">tory</a>, <a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a>, and <a href="postconf.5.html#luser_relay">luser_relay</a>. <b><a href="postconf.5.html#alias_maps">alias_maps</a> (see 'postconf -d' output)</b> - The alias databases that are used for <a href="local.8.html"><b>local</b>(8)</a> delivery. 
+ Optional lookup tables with aliases that apply only to <a href="local.8.html"><b>local</b>(8)</a> + recipients; this is unlike <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> that apply to all + recipients: <a href="local.8.html"><b>local</b>(8)</a>, virtual, and remote. <b><a href="postconf.5.html#forward_path">forward_path</a> (see 'postconf -d' output)</b> - The <a href="local.8.html"><b>local</b>(8)</a> delivery agent search list for finding a .forward + The <a href="local.8.html"><b>local</b>(8)</a> delivery agent search list for finding a .forward file with user-specified delivery methods. <b><a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a> (empty)</b> Optional lookup tables with per-recipient message delivery - transports to use for <a href="local.8.html"><b>local</b>(8)</a> mailbox delivery, whether or not + transports to use for <a href="local.8.html"><b>local</b>(8)</a> mailbox delivery, whether or not the recipients are found in the UNIX passwd database. <b><a href="postconf.5.html#mailbox_transport">mailbox_transport</a> (empty)</b> - Optional message delivery transport that the <a href="local.8.html"><b>local</b>(8)</a> delivery - agent should use for mailbox delivery to all local recipients, + Optional message delivery transport that the <a href="local.8.html"><b>local</b>(8)</a> delivery + agent should use for mailbox delivery to all local recipients, whether or not they are found in the UNIX passwd database. <b><a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a> (empty)</b> - Optional lookup tables with per-recipient external commands to + Optional lookup tables with per-recipient external commands to use for <a href="local.8.html"><b>local</b>(8)</a> mailbox delivery. 
<b><a href="postconf.5.html#mailbox_command">mailbox_command</a> (empty)</b> - Optional external command that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent + Optional external command that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent should use for mailbox delivery. <b><a href="postconf.5.html#home_mailbox">home_mailbox</a> (empty)</b> - Optional pathname of a mailbox file relative to a <a href="local.8.html"><b>local</b>(8)</a> + Optional pathname of a mailbox file relative to a <a href="local.8.html"><b>local</b>(8)</a> user's home directory. <b><a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a> (see 'postconf -d' output)</b> @@ -419,17 +423,17 @@ LOCAL(8) LOCAL(8) not find in the <a href="aliases.5.html"><b>aliases</b>(5)</a> or UNIX password database. <b><a href="postconf.5.html#fallback_transport">fallback_transport</a> (empty)</b> - Optional message delivery transport that the <a href="local.8.html"><b>local</b>(8)</a> delivery - agent should use for names that are not found in the <a href="aliases.5.html"><b>aliases</b>(5)</a> + Optional message delivery transport that the <a href="local.8.html"><b>local</b>(8)</a> delivery + agent should use for names that are not found in the <a href="aliases.5.html"><b>aliases</b>(5)</a> or UNIX password database. <b><a href="postconf.5.html#luser_relay">luser_relay</a> (empty)</b> - Optional catch-all destination for unknown <a href="local.8.html"><b>local</b>(8)</a> recipients. + Optional catch-all destination for unknown <a href="local.8.html"><b>local</b>(8)</a> recipients. Available in Postfix version 2.2 and later: <b><a href="postconf.5.html#command_execution_directory">command_execution_directory</a> (empty)</b> - The <a href="local.8.html"><b>local</b>(8)</a> delivery agent working directory for delivery to + The <a href="local.8.html"><b>local</b>(8)</a> delivery agent working directory for delivery to external commands. <b>MAILBOX LOCKING CONTROLS</b> 
@@ -438,15 +442,15 @@ LOCAL(8) LOCAL(8) mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile. <b><a href="postconf.5.html#deliver_lock_delay">deliver_lock_delay</a> (1s)</b> - The time between attempts to acquire an exclusive lock on a + The time between attempts to acquire an exclusive lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile. <b><a href="postconf.5.html#stale_lock_time">stale_lock_time</a> (500s)</b> - The time after which a stale exclusive mailbox lockfile is + The time after which a stale exclusive mailbox lockfile is removed. <b><a href="postconf.5.html#mailbox_delivery_lock">mailbox_delivery_lock</a> (see 'postconf -d' output)</b> - How to lock a UNIX-style <a href="local.8.html"><b>local</b>(8)</a> mailbox before attempting + How to lock a UNIX-style <a href="local.8.html"><b>local</b>(8)</a> mailbox before attempting delivery. <b>RESOURCE AND RATE CONTROLS</b> 
@@ -459,20 +463,20 @@ LOCAL(8) LOCAL(8) <a href="showq.8.html"><b>showq</b>(8)</a> queue displays. <b><a href="postconf.5.html#mailbox_size_limit">mailbox_size_limit</a> (51200000)</b> - The maximal size of any <a href="local.8.html"><b>local</b>(8)</a> individual mailbox or maildir + The maximal size of any <a href="local.8.html"><b>local</b>(8)</a> individual mailbox or maildir file, or zero (no limit). Implemented in the <a href="qmgr.8.html">qmgr(8)</a> daemon: <b><a href="postconf.5.html#local_destination_concurrency_limit">local_destination_concurrency_limit</a> (2)</b> - The maximal number of parallel deliveries via the local mail - delivery transport to the same recipient (when "<a href="postconf.5.html#local_destination_recipient_limit">local_destina</a>- - <a href="postconf.5.html#local_destination_recipient_limit">tion_recipient_limit</a> = 1") or the maximal number of parallel + The maximal number of parallel deliveries via the local mail + delivery transport to the same recipient (when "<a href="postconf.5.html#local_destination_recipient_limit">local_destina</a>- + <a href="postconf.5.html#local_destination_recipient_limit">tion_recipient_limit</a> = 1") or the maximal number of parallel deliveries to the same local domain (when "<a href="postconf.5.html#local_destination_recipient_limit">local_destina</a>- <a href="postconf.5.html#local_destination_recipient_limit">tion_recipient_limit</a> > 1"). <b><a href="postconf.5.html#local_destination_recipient_limit">local_destination_recipient_limit</a> (1)</b> - The maximal number of recipients per message delivery via the + The maximal number of recipients per message delivery via the local mail delivery transport. <b>SECURITY CONTROLS</b> 
@@ -483,49 +487,49 @@ LOCAL(8) LOCAL(8) Restrict <a href="local.8.html"><b>local</b>(8)</a> mail delivery to external files. <b><a href="postconf.5.html#command_expansion_filter">command_expansion_filter</a> (see 'postconf -d' output)</b> - Restrict the characters that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent allows - in $name expansions of $<a href="postconf.5.html#mailbox_command">mailbox_command</a> and $<a href="postconf.5.html#command_execution_directory">command_execu</a>- + Restrict the characters that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent allows + in $name expansions of $<a href="postconf.5.html#mailbox_command">mailbox_command</a> and $<a href="postconf.5.html#command_execution_directory">command_execu</a>- <a href="postconf.5.html#command_execution_directory">tion_directory</a>. <b><a href="postconf.5.html#default_privs">default_privs</a> (nobody)</b> - The default rights used by the <a href="local.8.html"><b>local</b>(8)</a> delivery agent for + The default rights used by the <a href="local.8.html"><b>local</b>(8)</a> delivery agent for delivery to an external file or command. <b><a href="postconf.5.html#forward_expansion_filter">forward_expansion_filter</a> (see 'postconf -d' output)</b> - Restrict the characters that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent allows + Restrict the characters that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent allows in $name expansions of $<a href="postconf.5.html#forward_path">forward_path</a>. 
Available in Postfix version 2.2 and later: <b><a href="postconf.5.html#execution_directory_expansion_filter">execution_directory_expansion_filter</a> (see 'postconf -d' output)</b> - Restrict the characters that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent allows + Restrict the characters that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent allows in $name expansions of $<a href="postconf.5.html#command_execution_directory">command_execution_directory</a>. Available in Postfix version 2.5.3 and later: <b><a href="postconf.5.html#strict_mailbox_ownership">strict_mailbox_ownership</a> (yes)</b> - Defer delivery when a mailbox file is not owned by its recipi- + Defer delivery when a mailbox file is not owned by its recipi- ent. <b>MISCELLANEOUS CONTROLS</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> - The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- + The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- figuration files. <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. <b><a href="postconf.5.html#export_environment">export_environment</a> (see 'postconf -d' output)</b> - The list of environment variables that a Postfix process will + The list of environment variables that a Postfix process will export to non-Postfix processes. 
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. <b><a href="postconf.5.html#local_command_shell">local_command_shell</a> (empty)</b> @@ -533,7 +537,7 @@ LOCAL(8) LOCAL(8) mands. <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. <b><a href="postconf.5.html#max_use">max_use</a> (100)</b> @@ -541,8 +545,8 @@ LOCAL(8) LOCAL(8) process will service before terminating voluntarily. <b><a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a> (command, file, forward)</b> - The message delivery contexts where the Postfix <a href="local.8.html"><b>local</b>(8)</a> deliv- - ery agent prepends a Delivered-To: message header with the + The message delivery contexts where the Postfix <a href="local.8.html"><b>local</b>(8)</a> deliv- + ery agent prepends a Delivered-To: message header with the address that the mail was delivered to. <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> 
@@ -552,14 +556,14 @@ LOCAL(8) LOCAL(8) The process name of a Postfix command or daemon process. <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> (canonical, virtual)</b> - What address lookup tables copy an address extension from the + What address lookup tables copy an address extension from the lookup key to the lookup result. <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b> The location of the Postfix top-level queue directory. <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b> - The set of characters that can separate an email address local- + The set of characters that can separate an email address local- part, user name, or a .forward file name from its extension. <b><a href="postconf.5.html#require_home_directory">require_home_directory</a> (no)</b> @@ -570,14 +574,14 @@ LOCAL(8) LOCAL(8) The syslog facility of Postfix logging. <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 3.3 and later: <b><a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> (yes)</b> - Enable support for the original recipient address after an - address is rewritten to a different address (for example with + Enable support for the original recipient address after an + address is rewritten to a different address (for example with aliasing or with canonical mapping). <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b> 
@@ -586,7 +590,7 @@ LOCAL(8) LOCAL(8) Available in Postfix 3.5 and later: <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b> - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). <b>FILES</b> @@ -610,10 +614,10 @@ LOCAL(8) LOCAL(8) The Secure Mailer license must be distributed with this software. <b>HISTORY</b> - The <b>Delivered-To:</b> message header appears in the <b>qmail</b> system by Daniel + The <b>Delivered-To:</b> message header appears in the <b>qmail</b> system by Daniel Bernstein. - The <i>maildir</i> structure appears in the <b>qmail</b> system by Daniel Bernstein. + The <i>maildir</i> structure appears in the <b>qmail</b> system by Daniel Bernstein. <b>AUTHOR(S)</b> Wietse Venema diff --git a/html/mailq.1.html b/html/mailq.1.html index bebc17b..bf6051d 100644 --- a/html/mailq.1.html +++ b/html/mailq.1.html @@ -455,9 +455,11 @@ SENDMAIL(1) SENDMAIL(1) The location of the Postfix top-level queue directory. <b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b> - Don't rewrite message headers from remote clients at all when - this parameter is empty; otherwise, rewrite message headers and - append the specified domain name to incomplete addresses. + Rewrite or add message headers in mail from remote clients if + the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter value is non-empty, + updating incomplete addresses with the domain specified in the + <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter, and adding missing head- + ers. <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> The syslog facility of Postfix logging. diff --git a/html/makedefs.1.html b/html/makedefs.1.html index 7202a8d..ce67257 100644 --- a/html/makedefs.1.html 
+++ b/html/makedefs.1.html @@ -34,9 +34,9 @@ MAKEDEFS(1) MAKEDEFS(1) <b>AUXLIBS=</b><i>object</i><b>_</b><i>library...</i> Specifies one or more non-default object libraries. Postfix 3.0 and later specify some of their database library dependencies - with <a href="CDB_README.html">AUXLIBS_CDB</a>, <a href="LDAP_README.html">AUXLIBS_LDAP</a>, <a href="LMDB_README.html">AUXLIBS_LMDB</a>, <a href="MYSQL_README.html">AUXLIBS_MYSQL</a>, - <a href="PCRE_README.html">AUXLIBS_PCRE</a>, <a href="PGSQL_README.html">AUXLIBS_PGSQL</a>, AUXLIBS_SDBM, and <a href="SQLITE_README.html">AUXLIBS_SQLITE</a>, - respectively. + with <a href="CDB_README.html">AUXLIBS_CDB</a>, <a href="LDAP_README.html">AUXLIBS_LDAP</a>, <a href="LMDB_README.html">AUXLIBS_LMDB</a>, <a href="MONGODB_README.html">AUXLIBS_MONGODB</a>, + <a href="MYSQL_README.html">AUXLIBS_MYSQL</a>, <a href="PCRE_README.html">AUXLIBS_PCRE</a>, <a href="PGSQL_README.html">AUXLIBS_PGSQL</a>, AUXLIBS_SDBM, and + <a href="SQLITE_README.html">AUXLIBS_SQLITE</a>, respectively. <b>CC=</b><i>compiler</i><b>_</b><i>command</i> Specifies a non-default compiler. On many systems, the default diff --git a/html/master.5.html b/html/master.5.html index 04a0c42..21f2b43 100644 --- a/html/master.5.html +++ b/html/master.5.html 
@@ -226,10 +226,17 @@ MASTER(5) MASTER(5) options to make a Postfix daemon process increasingly verbose. - Other command-line arguments + <b>Command-line arguments that start with {</b> + With Postfix 3.0 and later specify "{" and "}" around + command arguments that start with "{". The outer "{" and + "}" are removed from the input, together with any leading + or trailing whitespace. + + <b>Other command-line arguments</b> Specify "{" and "}" around command arguments that contain - whitespace (Postfix 3.0 and later). Whitespace after "{" - and before "}" is ignored. + whitespace (Postfix 3.0 and later). The outer "{" and "}" + are removed from the input, together with any leading or + trailing whitespace. <b>SEE ALSO</b> <a href="master.8.html">master(8)</a>, process manager diff --git a/html/master.8.html b/html/master.8.html index cacc801..de0f9a5 100644 --- a/html/master.8.html +++ b/html/master.8.html @@ -148,15 +148,15 @@ MASTER(8) MASTER(8) invoked with the -D option. <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> - The network interface addresses that this mail system receives - mail on. + The local network interface addresses that this mail system + receives mail on. - <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b> + <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b> The Internet protocols Postfix will attempt to use when making or accepting connections. <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b> - The list of environment parameters that a privileged Postfix + The list of environment variables that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides. diff --git a/html/mongodb_table.5.html b/html/mongodb_table.5.html new file mode 100644 index 0000000..b7434f2 --- /dev/null +++ b/html/mongodb_table.5.html 
@@ -0,0 +1,215 @@ +<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd"> +<html> <head> +<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> +<link rel='stylesheet' type='text/css' href='postfix-doc.css'> +<title> Postfix manual - mongodb_table(5) </title> +</head> <body> <pre> +MONGODB_TABLE(5) MONGODB_TABLE(5) + +<b>NAME</b> + mongodb_table - Postfix MongoDB client configuration + +<b>SYNOPSIS</b> + <b>postmap -q "</b><i>string</i><b>" <a href="mongodb_table.5.html">mongodb</a>:/etc/postfix/</b><i>filename</i> + + <b>postmap -q - <a href="mongodb_table.5.html">mongodb</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i> + +<b>DESCRIPTION</b> + The Postfix mail system uses optional tables for address rewriting or + mail routing. These tables are usually in <b>dbm</b> or <b>db</b> format. + + Alternatively, lookup tables can be specified as MongoDB databases. In + order to use MongoDB lookups, define a MongoDB source as a lookup table + in <a href="postconf.5.html">main.cf</a>, for example: + <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="mongodb_table.5.html">mongodb</a>:/etc/postfix/mongodb-aliases.cf + + In this example, the file /etc/postfix/mongodb-aliases.cf has the same + format as the Postfix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters + described below. It is also possible to have the configuration in + <a href="postconf.5.html">main.cf</a>; see "OBSOLETE MAIN.CF PARAMETERS" below. + + It is strongly recommended to use <a href="proxymap.8.html">proxy</a>:mongodb, in order to reduce the + number of database connections. 
For example: + <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="proxymap.8.html">proxy</a>:<a href="mongodb_table.5.html">mongodb</a>:/etc/postfix/mongodb-aliases.cf + + Note: when using <a href="proxymap.8.html">proxy</a>:<a href="mongodb_table.5.html">mongodb</a>:/<i>file</i>, the file must be readable by the + unprivileged postfix user (specified with the Postfix <a href="postconf.5.html#mail_owner">mail_owner</a> con- + figuration parameter). + +<b>MONGODB PARAMETERS</b> + <b>uri</b> The URI of mongo server/cluster that Postfix will try to connect + to and query from. Please see + <a href="https://www.mongodb.com/docs/manual/reference/connection-string/">https://www.mongodb.com/docs/manual/reference/connection-string/</a> + + Example: + uri = mongodb+srv://user:pass@loclhost:27017/mail + + <b>dbname</b> Name of the database to read the information from. Example: + dbname = mail + + <b>collection</b> + Name of the collection (table) to read the information from. + Example: + collection = mailbox + + <b>query_filter</b> + The MongoDB query template used to search the database, where <b>%s</b> + is a substitute for the email address that Postfix is trying to + resolve. Please see: + <a href="https://www.mongodb.com/docs/manual/tutorial/query-documents/">https://www.mongodb.com/docs/manual/tutorial/query-documents/</a> + + Example: + query_filter = {"$or": [{"username": "%s"}, {"alias.address": "%s"}], "active": 1} + + This parameter supports the following '%' expansions: + + <b>%%</b> This is replaced by a literal '%' character. + + <b>%s</b> This is replaced by the input key. The %s must appear in + quotes, because all Postfix queries are strings contain- + ing (parts from) a domain or email address. Postfix makes + no numerical queries. + + <b>%u</b> When the input key is an address of the form user@domain, + <b>%u</b> is replaced by the local part of the address. Other- + wise, <b>%u</b> is replaced by the entire search string. 
+ + <b>%d</b> When the input key is an address of the form user@domain, + <b>%d</b> is replaced by the domain part of the address. + + <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- + sponding most significant component of the input key's + domain. If the input key is <i>user@mail.example.com</i>, then + %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. + + In the above substitutions, characters will be quoted as + required by <a href="https://tools.ietf.org/html/rfc4627">RFC 4627</a>. For example, each double quote or back- + slash character will be escaped with a backslash characacter. + + <b>projection</b> + Advanced MongoDB query projections. Please see: + <a href="https://www.mongodb.com/docs/manual/tutorial/project-fields-from-query-results/">https://www.mongodb.com/docs/manual/tutorial/project-fields-from-query-results/</a> + + <b>o</b> If <b>projection</b> is non-empty, then <b>result_attribute</b> must be + empty. + + <b>o</b> This implementation can extract information only from + result fields that have type <b>string</b> (UTF8), <b>integer</b> + (int32, int64) and <b>array</b>. Other result fields will be + ignored with a warning. Please see: + <a href="https://mongoc.org/libbson/current/bson_type_t.html">https://mongoc.org/libbson/current/bson_type_t.html</a> + + <b>o</b> As with <b>result_attribute</b>, the top-level _id field (type + OID) is automatically removed from projection results. + + <b>result_attribute</b> + Comma or whitespace separated list with the names of fields to + be returned in a lookup result. + + <b>o</b> If <b>result_attribute</b> is non-empty, then <b>projection</b> must be + empty. + + <b>o</b> As with <b>projection</b>, the top-level _id field (type OID) is + automatically removed from lookup results. + + <b>result_format (default: %s</b>) + Format template applied to the result from <b>projection</b> or + <b>result_attribute</b>. Most commonly used to append (or prepend) text + to the result. 
This parameter supports the following '%' expan- + sions: + + <b>%%</b> This is replaced by a literal '%' character. + + <b>%s</b> This is replaced by the value of the result attribute. + When result is empty it is skipped. + + <b>%u</b> When the result attribute value is an address of the form + user@domain, <b>%u</b> is replaced by the local part of the + address. When the result has an empty localpart it is + skipped. + + <b>%d</b> When a result attribute value is an address of the form + user@domain, <b>%d</b> is replaced by the domain part of the + attribute value. When the result is unqualified it is + skipped. + + <b>%[SUD1-9]</b> + The upper-case and decimal digit expansions interpolate + the parts of the input key rather than the result. Their + behavior is identical to that described with <b>query_fil-</b> + <b>ter</b>, and in fact because the input key is known in + advance, lookups whose key does not contain all the + information specified in the result template are sup- + pressed and return no results. + + For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use + a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After + applying the result format, multiple values are concatenated as + comma separated strings. The expansion_limit parameter explained + below allows one to restrict the number of values in the result, + which is especially useful for maps that should return a single + value. + + The default value <b>%s</b> specifies that each attribute value should + be used as is. + + NOTE: DO NOT put quotes around the result format! The result is + not a JSON string. + + <b>domain (default: no domain list)</b> + This is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>" + databases. 
When specified, only fully qualified search keys with + a *non-empty* localpart and a matching domain are eligible for + lookup: 'user' lookups, bare domain lookups and "@domain" + lookups are not performed. This can significantly reduce the + query load on the backend database. Example: + domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains + + <b>expansion_limit (default: 0)</b> + A limit on the total number of result elements returned (as a + comma separated list) by a lookup against the map. A setting of + zero disables the limit. Lookups fail with a temporary error if + the limit is exceeded. Setting the limit to 1 ensures that + lookups do not return multiple values. + +<b>OBSOLETE MAIN.CF PARAMETERS</b> + MongoDB parameters can also be defined in <a href="postconf.5.html">main.cf</a>. Specify as MongoDB + source a name that doesn't begin with a slash or a dot. The MongoDB + parameters will then be accessible as the name you've given the source + in its definition, an underscore, and the name of the parameter. For + example, if a map is specified as "<a href="mongodb_table.5.html">mongodb</a>:<i>mongodb</i><b>_</b><i>source</i>", the "uri" + parameter would be defined in <a href="postconf.5.html">main.cf</a> as "<i>mongodb</i><b>_</b><i>source</i>_uri". + + Note: with this form, passwords are written in <a href="postconf.5.html">main.cf</a>, which is nor- + mally world-readable, and '$' in a mongodb parameter setting needs to + be written as '$$'. + +<b>SEE ALSO</b> + <a href="postmap.1.html">postmap(1)</a>, Postfix lookup table maintenance + <a href="postconf.5.html">postconf(5)</a>, configuration parameters + +<b>README FILES</b> + <a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview + <a href="MONGODB_README.html">MONGODB_README</a>, Postfix MONGODB client guide + +<b>LICENSE</b> + The Secure Mailer license must be distributed with this software. 
+ +<b>HISTORY</b> + MongoDB support was introduced with Postfix version 3.9. + +<b>AUTHOR(S)</b> + Hamid Maadani (hamid@dexo.tech) + Dextrous Technologies, LLC + + Edited by: + Wietse Venema + porcupine.org + + Based on prior work by: + Stephan Ferraro + Aionda GmbH + + MONGODB_TABLE(5) +</pre> </body> </html> diff --git a/html/mysql_table.5.html b/html/mysql_table.5.html index 4971e57..5063e65 100644 --- a/html/mysql_table.5.html +++ b/html/mysql_table.5.html 
@@ -72,56 +72,76 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) <b>dbname</b> The database name on the servers. Example: dbname = customer_database - <b>query</b> The SQL query template used to search the database, where <b>%s</b> is - a substitute for the address Postfix is trying to resolve, e.g. + <b>charset (default: utf8mb4)</b> + The default MySQL client character set; this also implies the + collation order. + + This parameter is available with Postfix 3.9 and later. With + earlier Postfix versions, the default was chosen by the MySQL + implementation (<b>utf8mb4</b> as of MySQL 8.0, <b>latin1</b> historically). + + <b>idle_interval (default: 60)</b> + The number of seconds after which an idle database connection + will be closed. + + This feature is available in Postfix 3.9 and later. + + <b>retry_interval (default: 60)</b> + The number of seconds that a database connection will be skipped + after an error. + + This feature is available in Postfix 3.9 and later. + + <b>query</b> The SQL query template used to search the database, where <b>%s</b> is + a substitute for the address Postfix is trying to resolve, e.g. query = SELECT replacement FROM aliases WHERE mailbox = '%s' - By default, every query must return a result set (instead of - storing its results in a table); with "<b>require_result_set = no</b>" - (Postfix 3.2 and later), the absence of a result set is treated + By default, every query must return a result set (instead of + storing its results in a table); with "<b>require_result_set = no</b>" + (Postfix 3.2 and later), the absence of a result set is treated as "not found". This parameter supports the following '%' expansions: <b>%%</b> This is replaced by a literal '%' character. - <b>%s</b> This is replaced by the input key. SQL quoting is used - to make sure that the input key does not add unexpected + <b>%s</b> This is replaced by the input key. SQL quoting is used + to make sure that the input key does not add unexpected metacharacters. 
<b>%u</b> When the input key is an address of the form user@domain, - <b>%u</b> is replaced by the SQL quoted local part of the - address. Otherwise, <b>%u</b> is replaced by the entire search - string. If the localpart is empty, the query is sup- + <b>%u</b> is replaced by the SQL quoted local part of the + address. Otherwise, <b>%u</b> is replaced by the entire search + string. If the localpart is empty, the query is sup- pressed and returns no results. <b>%d</b> When the input key is an address of the form user@domain, - <b>%d</b> is replaced by the SQL quoted domain part of the - address. Otherwise, the query is suppressed and returns + <b>%d</b> is replaced by the SQL quoted domain part of the + address. Otherwise, the query is suppressed and returns no results. <b>%[SUD]</b> The upper-case equivalents of the above expansions behave - in the <b>query</b> parameter identically to their lower-case - counter-parts. With the <b>result_format</b> parameter (see - below), they expand the input key rather than the result + in the <b>query</b> parameter identically to their lower-case + counter-parts. With the <b>result_format</b> parameter (see + below), they expand the input key rather than the result value. - <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- - sponding most significant component of the input key's - domain. If the input key is <i>user@mail.example.com</i>, then + <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre- + sponding most significant component of the input key's + domain. If the input key is <i>user@mail.example.com</i>, then %1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key - is unqualified or does not have enough domain components - to satisfy all the specified patterns, the query is sup- + is unqualified or does not have enough domain components + to satisfy all the specified patterns, the query is sup- pressed and returns no results. 
- The <b>domain</b> parameter described below limits the input keys to - addresses in matching domains. When the <b>domain</b> parameter is + The <b>domain</b> parameter described below limits the input keys to + addresses in matching domains. When the <b>domain</b> parameter is non-empty, SQL queries for unqualified addresses or addresses in non-matching domains are suppressed and return no results. - This parameter is available with Postfix 2.2. In prior releases - the SQL query was built from the separate parameters: - <b>select_field</b>, <b>table</b>, <b>where_field</b> and <b>additional_conditions</b>. The + This parameter is available with Postfix 2.2. In prior releases + the SQL query was built from the separate parameters: + <b>select_field</b>, <b>table</b>, <b>where_field</b> and <b>additional_conditions</b>. The mapping from the old parameters to the equivalent query is: SELECT [<b>select_field</b>] 
@@ -129,50 +149,50 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) WHERE [<b>where_field</b>] = '%s' [<b>additional_conditions</b>] - The '%s' in the <b>WHERE</b> clause expands to the escaped search - string. With Postfix 2.2 these legacy parameters are used if + The '%s' in the <b>WHERE</b> clause expands to the escaped search + string. With Postfix 2.2 these legacy parameters are used if the <b>query</b> parameter is not specified. NOTE: DO NOT put quotes around the query parameter. <b>result_format (default: %s</b>) Format template applied to result attributes. Most commonly used - to append (or prepend) text to the result. This parameter sup- + to append (or prepend) text to the result. This parameter sup- ports the following '%' expansions: <b>%%</b> This is replaced by a literal '%' character. - <b>%s</b> This is replaced by the value of the result attribute. + <b>%s</b> This is replaced by the value of the result attribute. When result is empty it is skipped. <b>%u</b> When the result attribute value is an address of the form - user@domain, <b>%u</b> is replaced by the local part of the - address. When the result has an empty localpart it is + user@domain, <b>%u</b> is replaced by the local part of the + address. When the result has an empty localpart it is skipped. - <b>%d</b> When a result attribute value is an address of the form - user@domain, <b>%d</b> is replaced by the domain part of the - attribute value. When the result is unqualified it is + <b>%d</b> When a result attribute value is an address of the form + user@domain, <b>%d</b> is replaced by the domain part of the + attribute value. When the result is unqualified it is skipped. <b>%[SUD1-9]</b> - The upper-case and decimal digit expansions interpolate - the parts of the input key rather than the result. 
Their - behavior is identical to that described with <b>query</b>, and - in fact because the input key is known in advance, - queries whose key does not contain all the information - specified in the result template are suppressed and + The upper-case and decimal digit expansions interpolate + the parts of the input key rather than the result. Their + behavior is identical to that described with <b>query</b>, and + in fact because the input key is known in advance, + queries whose key does not contain all the information + specified in the result template are suppressed and return no results. For example, using "result_format = <a href="smtp.8.html">smtp</a>:[%s]" allows one to use a mailHost attribute as the basis of a <a href="transport.5.html">transport(5)</a> table. After - applying the result format, multiple values are concatenated as + applying the result format, multiple values are concatenated as comma separated strings. The expansion_limit and parameter - explained below allows one to restrict the number of values in + explained below allows one to restrict the number of values in the result, which is especially useful for maps that must return at most one value. - The default value <b>%s</b> specifies that each result value should be + The default value <b>%s</b> specifies that each result value should be used as is. This parameter is available with Postfix 2.2 and later. 
@@ -180,15 +200,15 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) NOTE: DO NOT put quotes around the result format! <b>domain (default: no domain list)</b> - This is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>" + This is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>" databases. When specified, only fully qualified search keys with - a *non-empty* localpart and a matching domain are eligible for + a *non-empty* localpart and a matching domain are eligible for lookup: 'user' lookups, bare domain lookups and "@domain" - lookups are not performed. This can significantly reduce the + lookups are not performed. This can significantly reduce the query load on the MySQL server. domain = postfix.org, <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/searchdomains - It is best not to use SQL to store the domains eligible for SQL + It is best not to use SQL to store the domains eligible for SQL lookups. This parameter is available with Postfix 2.2 and later. 
@@ -197,37 +217,37 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) the input keys are always unqualified. <b>expansion_limit (default: 0)</b> - A limit on the total number of result elements returned (as a + A limit on the total number of result elements returned (as a comma separated list) by a lookup against the map. A setting of - zero disables the limit. Lookups fail with a temporary error if - the limit is exceeded. Setting the limit to 1 ensures that + zero disables the limit. Lookups fail with a temporary error if + the limit is exceeded. Setting the limit to 1 ensures that lookups do not return multiple values. <b>option_file</b> - Read options from the given file instead of the default my.cnf - location. This reads options from the <b>[client]</b> option group, + Read options from the given file instead of the default my.cnf + location. This reads options from the <b>[client]</b> option group, optionally followed by options from the group given with <b>option_group</b>. This parameter is available with Postfix 2.11 and later. <b>option_group (default: Postfix</b> ><b>=3.2: client,</b> <<b>= 3.1: empty)</b> - Read options from the given group of the mysql options file, + Read options from the given group of the mysql options file, after reading options from the <b>[client]</b> group. - Postfix 3.2 and later read <b>[client]</b> option group settings by - default. To disable this specify no <b>option_file</b> and specify + Postfix 3.2 and later read <b>[client]</b> option group settings by + default. To disable this specify no <b>option_file</b> and specify "<b>option_group =</b>" (i.e. an empty value). - Postfix 3.1 and earlier don't read <b>[client]</b> option group set- - tings unless a non-empty <b>option_file</b> or <b>option_group</b> value are + Postfix 3.1 and earlier don't read <b>[client]</b> option group set- + tings unless a non-empty <b>option_file</b> or <b>option_group</b> value are specified. 
To enable this, specify, for example, "<b>option_group =</b> <b>client</b>". This parameter is available with Postfix 2.11 and later. <b>require_result_set (default: yes)</b> - If "<b>yes</b>", require that every query returns a result set. If + If "<b>yes</b>", require that every query returns a result set. If "<b>no</b>", treat the absence of a result set as "not found". This parameter is available with Postfix 3.2 and later. @@ -238,19 +258,19 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) This parameter is available with Postfix 2.11 and later. <b>tls_key_file</b> - File containing the private key corresponding to <b>tls_cert_file</b>. + File containing the private key corresponding to <b>tls_cert_file</b>. This parameter is available with Postfix 2.11 and later. <b>tls_CAfile</b> - File containing certificates for all of the X509 Certification - Authorities the client will recognize. Takes precedence over + File containing certificates for all of the X509 Certification + Authorities the client will recognize. Takes precedence over <b>tls_CApath</b>. This parameter is available with Postfix 2.11 and later. <b>tls_CApath</b> - Directory containing X509 Certification Authority certificates + Directory containing X509 Certification Authority certificates in separate individual files. This parameter is available with Postfix 2.11 and later. @@ -261,13 +281,13 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) This parameter is available with Postfix 2.11 and later. <b>tls_verify_cert (default: no)</b> - Verify that the server's name matches the common name in the + Verify that the server's name matches the common name in the certificate. This parameter is available with Postfix 2.11 and later. <b>USING MYSQL STORED PROCEDURES</b> - Postfix 3.2 and later support calling a stored procedure instead of + Postfix 3.2 and later support calling a stored procedure instead of using a SELECT statement in the query, e.g. <b>query</b> = CALL lookup('%s') 
@@ -275,17 +295,17 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) The previously described '%' expansions can be used in the parameter(s) to the stored procedure. - By default, every stored procedure call must return a result set, i.e. - every code path must execute a SELECT statement that returns a result + By default, every stored procedure call must return a result set, i.e. + every code path must execute a SELECT statement that returns a result set (instead of storing its results in a table). With - "<b>require_result_set = no</b>", the absence of a result set is treated as + "<b>require_result_set = no</b>", the absence of a result set is treated as "not found". - A stored procedure must not return multiple result sets. That is, - there must be no code path that executes multiple SELECT statements + A stored procedure must not return multiple result sets. That is, + there must be no code path that executes multiple SELECT statements that return a result (instead of storing their results in a table). - The following is an example of a stored procedure returning a single + The following is an example of a stored procedure returning a single result set: CREATE [DEFINER=`user`@`host`] PROCEDURE 
@@ -297,26 +317,26 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) END <b>OBSOLETE MAIN.CF PARAMETERS</b> - For compatibility with other Postfix lookup tables, MySQL parameters - can also be defined in <a href="postconf.5.html">main.cf</a>. In order to do that, specify as MySQL - source a name that doesn't begin with a slash or a dot. The MySQL - parameters will then be accessible as the name you've given the source - in its definition, an underscore, and the name of the parameter. For - example, if the map is specified as "<a href="mysql_table.5.html">mysql</a>:<i>mysqlname</i>", the parameter + For compatibility with other Postfix lookup tables, MySQL parameters + can also be defined in <a href="postconf.5.html">main.cf</a>. In order to do that, specify as MySQL + source a name that doesn't begin with a slash or a dot. The MySQL + parameters will then be accessible as the name you've given the source + in its definition, an underscore, and the name of the parameter. For + example, if the map is specified as "<a href="mysql_table.5.html">mysql</a>:<i>mysqlname</i>", the parameter "hosts" would be defined in <a href="postconf.5.html">main.cf</a> as "<i>mysqlname</i>_hosts". - Note: with this form, the passwords for the MySQL sources are written - in <a href="postconf.5.html">main.cf</a>, which is normally world-readable. Support for this form + Note: with this form, the passwords for the MySQL sources are written + in <a href="postconf.5.html">main.cf</a>, which is normally world-readable. Support for this form will be removed in a future Postfix version. <b>OBSOLETE QUERY INTERFACE</b> - This section describes an interface that is deprecated as of Postfix - 2.2. It is replaced by the more general <b>query</b> interface described - above. If the <b>query</b> parameter is defined, the legacy parameters - described here ignored. Please migrate to the new interface as the + This section describes an interface that is deprecated as of Postfix + 2.2. 
It is replaced by the more general <b>query</b> interface described + above. If the <b>query</b> parameter is defined, the legacy parameters + described here ignored. Please migrate to the new interface as the legacy interface may be removed in a future release. - The following parameters can be used to fill in a SELECT template + The following parameters can be used to fill in a SELECT template statement of the form: SELECT [<b>select_field</b>] @@ -325,7 +345,7 @@ MYSQL_TABLE(5) MYSQL_TABLE(5) [<b>additional_conditions</b>] The specifier %s is replaced by the search string, and is escaped so if - it contains single quotes or other odd characters, it will not cause a + it contains single quotes or other odd characters, it will not cause a parse error, or worse, a security problem. <b>select_field</b> diff --git a/html/newaliases.1.html b/html/newaliases.1.html index bebc17b..bf6051d 100644 --- a/html/newaliases.1.html +++ b/html/newaliases.1.html @@ -455,9 +455,11 @@ SENDMAIL(1) SENDMAIL(1) The location of the Postfix top-level queue directory. <b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b> - Don't rewrite message headers from remote clients at all when - this parameter is empty; otherwise, rewrite message headers and - append the specified domain name to incomplete addresses. + Rewrite or add message headers in mail from remote clients if + the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter value is non-empty, + updating incomplete addresses with the domain specified in the + <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter, and adding missing head- + ers. <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> The syslog facility of Postfix logging. diff --git a/html/pcre_table.5.html b/html/pcre_table.5.html index 0216e3e..1e03644 100644 --- a/html/pcre_table.5.html 
+++ b/html/pcre_table.5.html @@ -191,8 +191,12 @@ PCRE_TABLE(5) PCRE_TABLE(5) Postfix parses the result as if it is a file in /etc/postfix. - Note: if a rule contains <b>$</b>, specify <b>$$</b> to keep Postfix from trying to - do <i>$name</i> expansion as it evaluates a parameter value. + Note: if an inlined rule contains <b>$</b>, specify <b>$$</b> to keep Postfix from + trying to do <i>$name</i> expansion as it evaluates a parameter value. + + Note: when using <i>$name</i> inside an inlined pattern, use \Q<i>$name</i>\E to dis- + able metacharacters such as '.' in the <i>$name</i> expansion. Otherwise, the + pattern may have unexpected matches. <b>EXAMPLE SMTPD ACCESS MAP</b> # Protect your outgoing majordomo exploders diff --git a/html/pgsql_table.5.html b/html/pgsql_table.5.html index 964bd6d..0b50fd1 100644 --- a/html/pgsql_table.5.html +++ b/html/pgsql_table.5.html @@ -72,11 +72,24 @@ PGSQL_TABLE(5) PGSQL_TABLE(5) The encoding used by the database client. The default setting is: encoding = UTF8 + Historically, the database client was hard coded to use LATIN1 in an attempt to disable multibyte character support. This feature is available in Postfix 3.8 and later. + <b>idle_interval (default: 60)</b> + The number of seconds after which an idle database connection + will be closed. + + This feature is available in Postfix 3.9 and later. + + <b>retry_interval (default: 60)</b> + The number of seconds that a database connection will be skipped + after an error. + + This feature is available in Postfix 3.9 and later. + <b>query</b> The SQL query template used to search the database, where <b>%s</b> is a substitute for the address Postfix is trying to resolve, e.g. query = SELECT replacement FROM aliases WHERE mailbox = '%s' diff --git a/html/pipe.8.html b/html/pipe.8.html index a0e4678..d813954 100644 --- a/html/pipe.8.html +++ b/html/pipe.8.html 
@@ -242,13 +242,19 @@ PIPE(8) PIPE(8) This feature is available as of Postfix 2.5. + <b>${envid}</b> + This macro expands to the <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> envelope ID if avail- + able, otherwise the empty string. + + This feature is available as of Postfix 3.9. + <b>${extension}</b> - This macro expands to the extension part of a recipient - address. For example, with an address <i>user+foo@domain</i> + This macro expands to the extension part of a recipient + address. For example, with an address <i>user+foo@domain</i> the extension is <i>foo</i>. - A command-line argument that contains <b>${extension}</b> - expands into as many command-line arguments as there are + A command-line argument that contains <b>${extension}</b> + expands into as many command-line arguments as there are recipients. This information is modified by the <b>u</b> flag for case fold- @@ -256,11 +262,11 @@ PIPE(8) PIPE(8) <b>${mailbox}</b> This macro expands to the complete local part of a recip- - ient address. For example, with an address + ient address. For example, with an address <i>user+foo@domain</i> the mailbox is <i>user+foo</i>. - A command-line argument that contains <b>${mailbox}</b> expands - to as many command-line arguments as there are recipi- + A command-line argument that contains <b>${mailbox}</b> expands + to as many command-line arguments as there are recipi- ents. This information is modified by the <b>u</b> flag for case fold- 
@@ -273,11 +279,11 @@ PIPE(8) PIPE(8) ing. <b>${original_recipient}</b> - This macro expands to the complete recipient address + This macro expands to the complete recipient address before any address rewriting or aliasing. - A command-line argument that contains <b>${original_recipi-</b> - <b>ent}</b> expands to as many command-line arguments as there + A command-line argument that contains <b>${original_recipi-</b> + <b>ent}</b> expands to as many command-line arguments as there are recipients. This information is modified by the <b>hqu</b> flags for quoting @@ -293,8 +299,8 @@ PIPE(8) PIPE(8) <b>${recipient}</b> This macro expands to the complete recipient address. - A command-line argument that contains <b>${recipient}</b> - expands to as many command-line arguments as there are + A command-line argument that contains <b>${recipient}</b> + expands to as many command-line arguments as there are recipients. This information is modified by the <b>hqu</b> flags for quoting @@ -302,13 +308,13 @@ PIPE(8) PIPE(8) <b>${sasl_method}</b> This macro expands to the name of the SASL authentication - mechanism in the AUTH command when the Postfix SMTP + mechanism in the AUTH command when the Postfix SMTP server received the message. This feature is available as of Postfix 2.2. <b>${sasl_sender}</b> - This macro expands to the SASL sender name (i.e. the + This macro expands to the SASL sender name (i.e. the original submitter as per <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>) in the MAIL FROM com- mand when the Postfix SMTP server received the message. 
@@ -321,25 +327,25 @@ PIPE(8) PIPE(8) This feature is available as of Postfix 2.2. <b>${sender}</b> - This macro expands to the envelope sender address. By - default, the null sender address expands to MAILER-DAE- - MON; this can be changed with the <b>null_sender</b> attribute, + This macro expands to the envelope sender address. By + default, the null sender address expands to MAILER-DAE- + MON; this can be changed with the <b>null_sender</b> attribute, as described above. This information is modified by the <b>q</b> flag for quoting. <b>${size}</b> This macro expands to Postfix's idea of the message size, - which is an approximation of the size of the message as + which is an approximation of the size of the message as delivered. <b>${user}</b> - This macro expands to the username part of a recipient - address. For example, with an address <i>user+foo@domain</i> + This macro expands to the username part of a recipient + address. For example, with an address <i>user+foo@domain</i> the username part is <i>user</i>. - A command-line argument that contains <b>${user}</b> expands - into as many command-line arguments as there are recipi- + A command-line argument that contains <b>${user}</b> expands + into as many command-line arguments as there are recipi- ents. This information is modified by the <b>u</b> flag for case fold- 
@@ -349,36 +355,36 @@ PIPE(8) PIPE(8) <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes) <b>DIAGNOSTICS</b> - Command exit status codes are expected to follow the conventions + Command exit status codes are expected to follow the conventions defined in <<b>sysexits.h</b>>. Exit status 0 means normal successful comple- tion. In the case of a non-zero exit status, a limited amount of command out- - put is logged, and reported in a delivery status notification. When - the output begins with a 4.X.X or 5.X.X enhanced status code, the sta- - tus code takes precedence over the non-zero exit status (Postfix ver- + put is logged, and reported in a delivery status notification. When + the output begins with a 4.X.X or 5.X.X enhanced status code, the sta- + tus code takes precedence over the non-zero exit status (Postfix ver- sion 2.3 and later). - After successful delivery (zero exit status) a limited amount of com- - mand output is logged, and reported in "success" delivery status noti- + After successful delivery (zero exit status) a limited amount of com- + mand output is logged, and reported in "success" delivery status noti- fications (Postfix 3.0 and later). This command output is not examined for the presence of an enhanced status code. - Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>. - Corrupted message files are marked so that the queue manager can move + Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>. + Corrupted message files are marked so that the queue manager can move them to the <b>corrupt</b> queue for further inspection. 
<b>SECURITY</b> - This program needs a dual personality 1) to access the private Postfix - queue and IPC mechanisms, and 2) to execute external commands as the + This program needs a dual personality 1) to access the private Postfix + queue and IPC mechanisms, and 2) to execute external commands as the specified user. It is therefore security sensitive. <b>CONFIGURATION PARAMETERS</b> Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically as <a href="pipe.8.html"><b>pipe</b>(8)</a> processes run - for only a limited amount of time. Use the command "<b>postfix reload</b>" to + for only a limited amount of time. Use the command "<b>postfix reload</b>" to speed up a change. - The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for + The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. <b>RESOURCE AND RATE CONTROLS</b> 
@@ -386,50 +392,50 @@ PIPE(8) PIPE(8) <b><a href="postconf.5.html#transport_time_limit">transport_time_limit</a> ($<a href="postconf.5.html#command_time_limit">command_time_limit</a>)</b> A transport-specific override for the <a href="postconf.5.html#command_time_limit">command_time_limit</a> parame- - ter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message + ter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message delivery transport. Implemented in the <a href="qmgr.8.html">qmgr(8)</a> daemon: <b><a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b> <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b> - A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>- + A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>- <a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message delivery transport. 
<b><a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b> <b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b> A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>- - <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> + <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message delivery transport. <b>MISCELLANEOUS CONTROLS</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> - The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- + The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- figuration files. <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> - The maximal number of digits after the decimal point when log- + The maximal number of digits after the decimal point when log- ging sub-second delay values. <b><a href="postconf.5.html#export_environment">export_environment</a> (see 'postconf -d' output)</b> - The list of environment variables that a Postfix process will + The list of environment variables that a Postfix process will export to non-Postfix processes. 
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b> - The UNIX system account that owns the Postfix queue and most + The UNIX system account that owns the Postfix queue and most Postfix daemon processes. <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. <b><a href="postconf.5.html#max_use">max_use</a> (100)</b> 
@@ -446,28 +452,28 @@ PIPE(8) PIPE(8) The location of the Postfix top-level queue directory. <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b> - The set of characters that can separate an email address local- + The set of characters that can separate an email address local- part, user name, or a .forward file name from its extension. <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> The syslog facility of Postfix logging. <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 3.0 and later: <b><a href="postconf.5.html#pipe_delivery_status_filter">pipe_delivery_status_filter</a> ($<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b> - Optional filter for the <a href="pipe.8.html"><b>pipe</b>(8)</a> delivery agent to change the + Optional filter for the <a href="pipe.8.html"><b>pipe</b>(8)</a> delivery agent to change the delivery status code or explanatory text of successful or unsuc- cessful deliveries. Available in Postfix version 3.3 and later: <b><a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> (yes)</b> - Enable support for the original recipient address after an - address is rewritten to a different address (for example with + Enable support for the original recipient address after an + address is rewritten to a different address (for example with aliasing or with canonical mapping). <b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b> 
@@ -476,7 +482,7 @@ PIPE(8) PIPE(8) Available in Postfix 3.5 and later: <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b> - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). <b>SEE ALSO</b> diff --git a/html/postcat.1.html b/html/postcat.1.html index 4c61c52..71b763e 100644 --- a/html/postcat.1.html +++ b/html/postcat.1.html @@ -85,7 +85,7 @@ POSTCAT(1) POSTCAT(1) figuration files. <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b> - The list of environment parameters that a privileged Postfix + The list of environment variables that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides. diff --git a/html/postconf.1.html b/html/postconf.1.html index 4269a5e..a8444a2 100644 --- a/html/postconf.1.html +++ b/html/postconf.1.html @@ -13,7 +13,7 @@ POSTCONF(1) POSTCONF(1) <b>SYNOPSIS</b> <b>Managing <a href="postconf.5.html">main.cf</a>:</b> - <b>postconf</b> [<b>-dfhHnopvx</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<b>-C</b> <i>class,...</i>] [<i>parameter ...</i>] + <b>postconf</b> [<b>-dfhHnopqvx</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<b>-C</b> <i>class,...</i>] [<i>parameter ...</i>] <b>postconf</b> [<b>-epv</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] <i>parameter</i><b>=</b><i>value ...</i> @@ -23,7 +23,7 @@ POSTCONF(1) POSTCONF(1) <b>Managing <a href="master.5.html">master.cf</a> service entries:</b> - <b>postconf -M</b> [<b>-fovx</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>service</i>[<b>/</b><i>type</i>] <i>...</i>] + <b>postconf -M</b> [<b>-foqvx</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>service</i>[<b>/</b><i>type</i>] <i>...</i>] <b>postconf -M</b> [<b>-ev</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] <i>service</i><b>/</b><i>type</i><b>=</b><i>value ...</i> 
@@ -33,13 +33,13 @@ POSTCONF(1) POSTCONF(1) <b>Managing <a href="master.5.html">master.cf</a> service fields:</b> - <b>postconf -F</b> [<b>-fhHovx</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>service</i>[<b>/</b><i>type</i>[<b>/</b><i>field</i>]] <i>...</i>] + <b>postconf -F</b> [<b>-fhHoqvx</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>service</i>[<b>/</b><i>type</i>[<b>/</b><i>field</i>]] <i>...</i>] <b>postconf -F</b> [<b>-ev</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] <i>service</i><b>/</b><i>type</i><b>/</b><i>field</i><b>=</b><i>value ...</i> <b>Managing <a href="master.5.html">master.cf</a> service parameters:</b> - <b>postconf -P</b> [<b>-fhHovx</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>service</i>[<b>/</b><i>type</i>[<b>/</b><i>parameter</i>]] <i>...</i>] + <b>postconf -P</b> [<b>-fhHoqvx</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<i>service</i>[<b>/</b><i>type</i>[<b>/</b><i>parameter</i>]] <i>...</i>] <b>postconf -P</b> [<b>-ev</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] <i>service</i><b>/</b><i>type</i><b>/</b><i>parameter</i><b>=</b><i>value ...</i> 
@@ -272,52 +272,58 @@ POSTCONF(1) POSTCONF(1) This feature is available with Postfix 2.9 and later. + <b>mongodb</b> + MongoDB database client. This is described in <a href="mongodb_table.5.html"><b>mongodb_ta-</b></a> + <a href="mongodb_table.5.html"><b>ble</b>(5)</a>. + + This feature is available with Postfix 3.9 and later. + <b>mysql</b> (read-only) MySQL database client. Available on systems with support - for MySQL databases. This is described in <a href="mysql_table.5.html"><b>mysql_ta-</b></a> + for MySQL databases. This is described in <a href="mysql_table.5.html"><b>mysql_ta-</b></a> <a href="mysql_table.5.html"><b>ble</b>(5)</a>. <b>pcre</b> (read-only) - A lookup table based on Perl Compatible Regular Expres- + A lookup table based on Perl Compatible Regular Expres- sions. The file format is described in <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. <b>pgsql</b> (read-only) - PostgreSQL database client. This is described in + PostgreSQL database client. This is described in <a href="pgsql_table.5.html"><b>pgsql_table</b>(5)</a>. This feature is available with Postfix 2.1 and later. <b>pipemap</b> (read-only) - A lookup table that constructs a pipeline of tables. - Example: "<b><a href="DATABASE_README.html#types">pipemap</a>:{</b><i>type</i><b>_</b><i>1:name</i><b>_</b><i>1, ..., type</i><b>_</b><i>n:name</i><b>_</b><i>n</i><b>}</b>". - Each "<a href="DATABASE_README.html#types">pipemap</a>:" query is given to the first table. Each + A lookup table that constructs a pipeline of tables. + Example: "<b><a href="DATABASE_README.html#types">pipemap</a>:{</b><i>type</i><b>_</b><i>1:name</i><b>_</b><i>1, ..., type</i><b>_</b><i>n:name</i><b>_</b><i>n</i><b>}</b>". + Each "<a href="DATABASE_README.html#types">pipemap</a>:" query is given to the first table. Each lookup result becomes the query for the next table in the - pipeline, and the last table produces the final result. 
- When any table lookup produces no result, the pipeline - produces no result. The first and last characters of the + pipeline, and the last table produces the final result. + When any table lookup produces no result, the pipeline + produces no result. The first and last characters of the "<a href="DATABASE_README.html#types">pipemap</a>:" table name must be "<b>{</b>" and "<b>}</b>". Within these, individual maps are separated with comma or whitespace. This feature is available with Postfix 3.0 and later. - <b>proxy</b> Postfix <a href="proxymap.8.html"><b>proxymap</b>(8)</a> client for shared access to Postfix + <b>proxy</b> Postfix <a href="proxymap.8.html"><b>proxymap</b>(8)</a> client for shared access to Postfix databases. The table name syntax is <i>type</i><b>:</b><i>name</i>. This feature is available with Postfix 2.0 and later. <b>randmap</b> (read-only) - An in-memory table that performs random selection. Exam- + An in-memory table that performs random selection. Exam- ple: "<b><a href="DATABASE_README.html#types">randmap</a>:{</b><i>result</i><b>_</b><i>1, ..., result</i><b>_</b><i>n</i><b>}</b>". Each table query returns a random choice from the specified results. - The first and last characters of the "<a href="DATABASE_README.html#types">randmap</a>:" table - name must be "<b>{</b>" and "<b>}</b>". Within these, individual + The first and last characters of the "<a href="DATABASE_README.html#types">randmap</a>:" table + name must be "<b>{</b>" and "<b>}</b>". Within these, individual results are separated with comma or whitespace. To give a specific result more weight, specify it multiple times. This feature is available with Postfix 3.0 and later. <b>regexp</b> (read-only) - A lookup table based on regular expressions. The file + A lookup table based on regular expressions. The file format is described in <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>. <b>sdbm</b> An indexed file type based on hashing. Available on sys- 
@@ -326,9 +332,9 @@ POSTCONF(1) POSTCONF(1) This feature is available with Postfix 2.2 and later. <b>socketmap</b> (read-only) - Sendmail-style socketmap client. The table name is - <b>inet</b>:<i>host</i>:<i>port</i>:<i>name</i> for a TCP/IP server, or <b>unix</b>:<i>path-</i> - <i>name</i>:<i>name</i> for a UNIX-domain server. This is described in + Sendmail-style socketmap client. The table name is + <b>inet</b>:<i>host</i>:<i>port</i>:<i>name</i> for a TCP/IP server, or <b>unix</b>:<i>path-</i> + <i>name</i>:<i>name</i> for a UNIX-domain server. This is described in <a href="socketmap_table.5.html"><b>socketmap_table</b>(5)</a>. This feature is available with Postfix 2.10 and later. @@ -339,11 +345,11 @@ POSTCONF(1) POSTCONF(1) This feature is available with Postfix 2.8 and later. <b>static</b> (read-only) - A table that always returns its name as lookup result. + A table that always returns its name as lookup result. For example, <b><a href="DATABASE_README.html#types">static</a>:foobar</b> always returns the string <b>foo-</b> - <b>bar</b> as lookup result. Specify "<b><a href="DATABASE_README.html#types">static</a>:{</b> <i>text with white-</i> - <i>space</i> <b>}</b>" when the result contains whitespace; this form - ignores whitespace after the opening "<b>{</b>" and before the + <b>bar</b> as lookup result. Specify "<b><a href="DATABASE_README.html#types">static</a>:{</b> <i>text with white-</i> + <i>space</i> <b>}</b>" when the result contains whitespace; this form + ignores whitespace after the opening "<b>{</b>" and before the closing "<b>}</b>". See also the <i><a href="DATABASE_README.html#types">inline</a>:</i> map. The form "<b><a href="DATABASE_README.html#types">static</a>:{</b><i>text</i><b>}</b> is available with Postfix 3.0 and 
@@ -353,66 +359,66 @@ POSTCONF(1) POSTCONF(1) TCP/IP client. The protocol is described in <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. <b>texthash</b> (read-only) - Produces similar results as <a href="DATABASE_README.html#types">hash</a>: files, except that you - don't need to run the <a href="postmap.1.html"><b>postmap</b>(1)</a> command before you can - use the file, and that it does not detect changes after + Produces similar results as <a href="DATABASE_README.html#types">hash</a>: files, except that you + don't need to run the <a href="postmap.1.html"><b>postmap</b>(1)</a> command before you can + use the file, and that it does not detect changes after the file is read. This feature is available with Postfix 2.8 and later. <b>unionmap</b> (read-only) - A table that sends each query to multiple lookup tables - and that concatenates all found results, separated by + A table that sends each query to multiple lookup tables + and that concatenates all found results, separated by comma. The table name syntax is the same as for <b>pipemap</b>. This feature is available with Postfix 3.0 and later. <b>unix</b> (read-only) - A limited view of the UNIX authentication database. The + A limited view of the UNIX authentication database. The following tables are implemented: <b>unix:passwd.byname</b> - The table is the UNIX password database. The key - is a login name. The result is a password file + The table is the UNIX password database. The key + is a login name. The result is a password file entry in <b>passwd</b>(5) format. <b>unix:group.byname</b> The table is the UNIX group database. The key is a - group name. The result is a group file entry in + group name. The result is a group file entry in <b>group</b>(5) format. - Other table types may exist depending on how Postfix was built. + Other table types may exist depending on how Postfix was built. 
- <b>-M</b> Show <a href="master.5.html"><b>master.cf</b></a> file contents instead of <a href="postconf.5.html"><b>main.cf</b></a> file contents. + <b>-M</b> Show <a href="master.5.html"><b>master.cf</b></a> file contents instead of <a href="postconf.5.html"><b>main.cf</b></a> file contents. Specify <b>-Mf</b> to fold long lines for human readability. Specify zero or more arguments, each with a <i>service-name</i> or <i>ser-</i> - <i>vice-name/service-type</i> pair, where <i>service-name</i> is the first - field of a <a href="master.5.html">master.cf</a> entry and <i>service-type</i> is one of (<b>inet</b>, + <i>vice-name/service-type</i> pair, where <i>service-name</i> is the first + field of a <a href="master.5.html">master.cf</a> entry and <i>service-type</i> is one of (<b>inet</b>, <b>unix</b>, <b>fifo</b>, or <b>pass</b>). - If <i>service-name</i> or <i>service-name/service-type</i> is specified, only - the matching <a href="master.5.html">master.cf</a> entries will be output. For example, - "<b>postconf -Mf smtp</b>" will output all services named "smtp", and - "<b>postconf -Mf smtp/inet</b>" will output only the smtp service that - listens on the network. Trailing service type fields that are + If <i>service-name</i> or <i>service-name/service-type</i> is specified, only + the matching <a href="master.5.html">master.cf</a> entries will be output. For example, + "<b>postconf -Mf smtp</b>" will output all services named "smtp", and + "<b>postconf -Mf smtp/inet</b>" will output only the smtp service that + listens on the network. Trailing service type fields that are omitted will be handled as "*" wildcard fields. This feature is available with Postfix 2.9 and later. The syntax - was changed from "<i>name.type</i>" to "<i>name/type</i>", and "*" wildcard + was changed from "<i>name.type</i>" to "<i>name/type</i>", and "*" wildcard support was added with Postfix 2.11. 
<b>-n</b> Show only configuration parameters that have explicit <i>name=value</i> - settings in <a href="postconf.5.html"><b>main.cf</b></a>. Specify <b>-nf</b> to fold long lines for human - readability (Postfix 2.9 and later). To show settings that dif- + settings in <a href="postconf.5.html"><b>main.cf</b></a>. Specify <b>-nf</b> to fold long lines for human + readability (Postfix 2.9 and later). To show settings that dif- fer from built-in defaults only, use the following bash syntax: LANG=C comm -23 <(postconf -n) <(postconf -d) Replace "-23" with "-12" to show settings that duplicate built-in defaults. <b>-o</b> <i>name=value</i> - Override <a href="postconf.5.html"><b>main.cf</b></a> parameter settings. This lets you see the - effect changing a parameter would have when it is used in other + Override <a href="postconf.5.html"><b>main.cf</b></a> parameter settings. This lets you see the + effect changing a parameter would have when it is used in other configuration parameters, e.g.: postconf -x -o stress=yes 
@@ -422,38 +428,42 @@ POSTCONF(1) POSTCONF(1) This feature is available with Postfix 2.11 and later. - <b>-P</b> Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default all ser- - vices and all parameters), formatted as "<i>service/type/parame-</i> + <b>-P</b> Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default all ser- + vices and all parameters), formatted as "<i>service/type/parame-</i> <i>ter=value</i>", one per line. Specify <b>-Pf</b> to fold long lines. - Specify one or more "<i>service/type/parameter</i>" instances on the - <a href="postconf.1.html"><b>postconf</b>(1)</a> command line to limit the output to parameters of - interest. Trailing parameter name or service type fields that + Specify one or more "<i>service/type/parameter</i>" instances on the + <a href="postconf.1.html"><b>postconf</b>(1)</a> command line to limit the output to parameters of + interest. Trailing parameter name or service type fields that are omitted will be handled as "*" wildcard fields. This feature is available with Postfix 2.11 and later. + <b>-q</b> Do not log warnings for deprecated or unused parameters. + + This feature is available with Postfix 3.9 and later. + <b>-t</b> [<i>template</i><b>_</b><i>file</i>] - Display the templates for text that appears at the beginning of - delivery status notification (DSN) messages, without expanding + Display the templates for text that appears at the beginning of + delivery status notification (DSN) messages, without expanding $<b>name</b> expressions. - To override the <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a></b> parameter setting, specify - a template file name at the end of the "<b>postconf -t</b>" command - line. 
Specify an empty file name to display built-in templates + To override the <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a></b> parameter setting, specify + a template file name at the end of the "<b>postconf -t</b>" command + line. Specify an empty file name to display built-in templates (in shell language: ""). This feature is available with Postfix 2.3 and later. <b>-T</b> <i>mode</i> - If Postfix is compiled without TLS support, the <b>-T</b> option pro- - duces no output. Otherwise, if an invalid <i>mode</i> is specified, - the <b>-T</b> option reports an error and exits with a non-zero status + If Postfix is compiled without TLS support, the <b>-T</b> option pro- + duces no output. Otherwise, if an invalid <i>mode</i> is specified, + the <b>-T</b> option reports an error and exits with a non-zero status code. The valid modes are: <b>compile-version</b> Output the OpenSSL version that Postfix was compiled with - (i.e. the OpenSSL version in a header file). The output + (i.e. the OpenSSL version in a header file). The output format is the same as with the command "<b>openssl version</b>". <b>run-version</b> 
@@ -461,40 +471,40 @@ POSTCONF(1) POSTCONF(1) runtime (i.e. the OpenSSL version in a shared library). <b>public-key-algorithms</b> - Output the lower-case names of the supported public-key + Output the lower-case names of the supported public-key algorithms, one per-line. This feature is available with Postfix 3.1 and later. - <b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b> + <b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b> options make the software increasingly verbose. - <b>-x</b> Expand <i>$name</i> in <a href="postconf.5.html"><b>main.cf</b></a> or <a href="master.5.html"><b>master.cf</b></a> parameter values. The + <b>-x</b> Expand <i>$name</i> in <a href="postconf.5.html"><b>main.cf</b></a> or <a href="master.5.html"><b>master.cf</b></a> parameter values. The expansion is recursive. This feature is available with Postfix 2.10 and later. - <b>-X</b> Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and remove the parameters + <b>-X</b> Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and remove the parameters named on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line. Specify a list of param- eter names, not "<i>name=value</i>" pairs. - With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one - or more service entries as specified with "<i>service/type</i>" on the + With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one + or more service entries as specified with "<i>service/type</i>" on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line. 
- With <b>-P</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one + With <b>-P</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one or more service parameter settings (-o parameter=value settings) - as specified with "<i>service/type/parameter</i>" on the <a href="postconf.1.html"><b>postconf</b>(1)</a> + as specified with "<i>service/type/parameter</i>" on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line. In all cases the file is copied to a temporary file then renamed into place. Specify quotes to protect special characters on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line. - There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera- + There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera- tion. - This feature is available with Postfix 2.10 and later. Support + This feature is available with Postfix 2.10 and later. Support for -M and -P was added with Postfix 2.11. <b>-#</b> Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and comment out the parame- 
@@ -502,18 +512,18 @@ POSTCONF(1) POSTCONF(1) eters revert to their default values. Specify a list of parame- ter names, not "<i>name=value</i>" pairs. - With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and comment out - one or more service entries as specified with "<i>service/type</i>" on + With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and comment out + one or more service entries as specified with "<i>service/type</i>" on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line. In all cases the file is copied to a temporary file then renamed into place. Specify quotes to protect special characters on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line. - There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera- + There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera- tion. - This feature is available with Postfix 2.6 and later. Support + This feature is available with Postfix 2.6 and later. Support for -M was added with Postfix 2.11. <b>DIAGNOSTICS</b> 
@@ -524,18 +534,18 @@ POSTCONF(1) POSTCONF(1) Directory with Postfix configuration files. <b>CONFIGURATION PARAMETERS</b> - The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant to this pro- + The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant to this pro- gram. - The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for + The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> - The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- + The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- figuration files. <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a> (empty)</b> - Pathname of a configuration file with bounce message templates. + Pathname of a configuration file with bounce message templates. <b>FILES</b> /etc/postfix/<a href="postconf.5.html">main.cf</a>, Postfix configuration parameters diff --git a/html/postconf.5.html b/html/postconf.5.html index dbb8cc8..0ac9b68 100644 --- a/html/postconf.5.html +++ b/html/postconf.5.html 
@@ -612,8 +612,14 @@ Examples: (default: see "postconf -d" output)</b></DT><DD> <p> -The alias databases that are used for <a href="local.8.html">local(8)</a> delivery. See -<a href="aliases.5.html">aliases(5)</a> for syntax details. +Optional lookup tables with aliases that apply only to <a href="local.8.html">local(8)</a> +recipients; this is unlike <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> that apply to all +recipients: <a href="local.8.html">local(8)</a>, virtual, and remote. +The table format and lookups are documented in <a href="aliases.5.html">aliases(5)</a>. For an +overview of Postfix address manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> +document. </p> + +<p> Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. 
@@ -2732,19 +2738,30 @@ name of the message delivery transport. <p> The default mail delivery transport and next-hop destination for -destinations that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, +the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> class: recipient domains that do not match +$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, -or $<a href="postconf.5.html#relay_domains">relay_domains</a>. This information can be overruled with the -<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> parameter and with the -<a href="transport.5.html">transport(5)</a> table. </p> +or $<a href="postconf.5.html#relay_domains">relay_domains</a>. This information will not be used when +<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> returns a result, and may +be overridden with the <a href="transport.5.html">transport(5)</a> table. </p> -<p> -In order of decreasing precedence, the nexthop destination is taken -from $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, $<a href="postconf.5.html#default_transport">default_transport</a>, -$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>, or from the recipient -domain. 
+<p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> class: <p> + +<ul> + +<li> <p> In order of decreasing precedence, the delivery transport +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>. </p> +<li> <p> In order of decreasing precedence, the nexthop destination +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. </p> + +</ul> + <p> Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i> is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>. 
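Review bot: the added paragraph "For recipient domains in the default domain class:" in the default_transport hunk ends with an opening `<p>` instead of `</p>`, so the paragraph is left unclosed directly before the `<ul>`. Change the trailing tag to `</p>`. The same sentence says "default domain class", while the relay_transport and relayhost text in this patch says "address class"; use one wording throughout.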
@@ -3715,6 +3732,25 @@ This feature is available in Postfix 2.0 and later. </DD> +<DT><b><a name="force_mime_input_conversion">force_mime_input_conversion</a> +(default: no)</b></DT><DD> + +<p> Convert body content that claims to be 8-bit into quoted-printable, +before <a href="postconf.5.html#header_checks">header_checks</a>, <a href="postconf.5.html#body_checks">body_checks</a>, Milters, and before after-queue +content filters. This feature does not affect messages that are +sent into <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>. </p> + +<p> The typical use case is an MTA that applies this conversion +before signing outbound messages, so that the signatures will remain +valid when a message is later delivered to an MTA that does not +announce 8BITMIME support, or when a message line exceeds the SMTP +length limit. </p> + +<p> This feature is available in Postfix ≥ 3.9. </p> + + +</DD> + <DT><b><a name="fork_attempts">fork_attempts</a> (default: 5)</b></DT><DD> @@ -3797,7 +3833,7 @@ filtered with the character set that is specified with the <dd>The address extension delimiter that was found in the recipient address (Postfix 2.11 and later), or the 'first' delimiter specified with the system-wide recipient address extension delimiter (Postfix -3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was +3.5.22, 3.6.12, 3.7.8, 3.8.3 and later). Historically, this was always the system-wide recipient address extension delimiter (Postfix 2.10 and earlier). </dd> 
@@ -4154,12 +4190,17 @@ Specify 0 to disable the feature. Valid delays are 0..10. <DT><b><a name="inet_interfaces">inet_interfaces</a> (default: all)</b></DT><DD> -<p> The local network interface addresses that this mail system receives -mail on. Specify "all" to receive mail on all network -interfaces (default), and "loopback-only" to receive mail -on loopback network interfaces only (Postfix version 2.2 and later). The -parameter also controls delivery of mail to <tt>user@[ip.address]</tt>. -</p> +<p> The local network interface addresses that this mail system +receives mail on. Specify "all" to receive mail on all network +interfaces (default), "loopback-only" to receive mail on loopback +network interfaces only (Postfix version 2.2 and later), or zero +or more IPv4 or IPv6 addresses (IPv6 is supported in Postfix version +2.2 and later). The parameter also controls whether Postfix will +accept mail for <tt>user@[ip.address]</tt>, and prevents Postfix +from delivering mail to a host that has equal or larger MX preference. +Specify an empty value if Postfix does not receive mail over the +network, or if all network listeners have an explicit IP address +in <a href="master.5.html">master.cf</a>. </p> <p> Note 1: you need to stop and start Postfix when this parameter changes. 
@@ -4168,22 +4209,44 @@ Note 1: you need to stop and start Postfix when this parameter changes. <p> Note 2: address information may be enclosed inside <tt>[]</tt>, but this form is not required here. </p> -<p> When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies just one IPv4 and/or IPv6 address -that is not a loopback address, the Postfix SMTP client will use -this address as the IP source address for outbound mail. Support -for IPv6 is available in Postfix version 2.2 and later. </p> +<p> When <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> and/or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> are not +specified, the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> setting may constrain the source IP +address for an outbound SMTP or LMTP connection as described below. +</p> + +<p> The following text is specific to SMTP and IPv4. The same +reasoning applies to the IPv6 protocol, and to the Postfix LMTP +client. To disable IPv4 or IPv6 support in the Postfix SMTP and +LMTP client, use <a href="postconf.5.html#inet_protocols">inet_protocols</a>. </p> -<p> -On a multi-homed firewall with separate Postfix instances listening on the -"inside" and "outside" interfaces, this can prevent each instance from -being able to reach remote SMTP servers on the "other side" of the -firewall. Setting -<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> to 0.0.0.0 avoids the potential problem for -IPv4, and setting <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> to :: solves the problem -for IPv6. </p> +<ul> + +<li> <p> When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies one IPv4 address, and that +is not a loopback address, the Postfix SMTP client uses that as the +source address for outbound IPv4 connections. 
</p> + +<li> <p> Otherwise, the Postfix SMTP client does not constrain the +source IPv4 address, and connects using a system-chosen source IPv4 +address. This includes the cases where <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> is empty, +where it specifies <b>all</b>, or where it contains no IPv4 address, +one IPv4 address that is a loopback address, or multiple IPv4 +addresses. </p> + +</ul> + +<p> A Postfix SMTP client may fail to reach some remote SMTP servers +when the client source IP address is constrained explicitly with +<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a>, or implicitly with +<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>. This can happen when Postfix runs on a multi-homed +system such as a firewall, the Postfix SMTP source client IP address +is constrained to one specific network interface, and the remote +SMTP server must be reached through a different interface. Setting +<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> to 0.0.0.0 avoids the potential problem for IPv4, +and setting <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> to :: solves the problem for IPv6. +</p> <p> -A better solution for multi-homed firewalls is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> +A better solution for multi-homed systems is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> at the default value and instead use explicit IP addresses in the <a href="master.5.html">master.cf</a> SMTP server definitions. This preserves the Postfix SMTP client's @@ -4215,7 +4278,7 @@ Examples: </DD> <DT><b><a name="inet_protocols">inet_protocols</a> -(default: see 'postconf -d output')</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" 
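Review bot: in the new inet_interfaces paragraph on multi-homed systems, "the Postfix SMTP source client IP address is constrained to one specific network interface" has the words out of order. The sentence before it uses "the client source IP address"; suggest "the Postfix SMTP client source IP address" so both sentences name the same thing. It would also help to say in that paragraph that an implicit constraint through inet_interfaces only applies when smtp_bind_address and smtp_bind_address6 are unset, since that condition is stated several paragraphs earlier and is easy to miss when reading this part alone.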
@@ -4893,6 +4956,9 @@ configuration parameter. See there for details. </p> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> configuration parameter. See there for details. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.3 and later. </p> @@ -5295,6 +5361,15 @@ to the remote host. </DD> +<DT><b><a name="lmtp_sasl_password_result_delimiter">lmtp_sasl_password_result_delimiter</a> +(default: :)</b></DT><DD> + +<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> +configuration parameter. See there for details. </p> + + +</DD> + <DT><b><a name="lmtp_sasl_path">lmtp_sasl_path</a> (default: empty)</b></DT><DD> @@ -5594,6 +5669,17 @@ compiled and linked with OpenSSL 1.0.0 or later. </p> </DD> +<DT><b><a name="lmtp_tls_enable_rpk">lmtp_tls_enable_rpk</a> +(default: yes)</b></DT><DD> + +<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +configuration parameter. See there for details. </p> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="lmtp_tls_enforce_peername">lmtp_tls_enforce_peername</a> (default: yes)</b></DT><DD> @@ -5694,7 +5780,7 @@ configuration parameter. See there for details. </p> </DD> <DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a> -(default: see postconf -d output)</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> configuration parameter. See there for details. </p> 
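Review bot: the new lmtp_tls_enable_rpk entry is documented with "(default: yes)", but it is described as the LMTP-specific version of smtp_tls_enable_rpk, which this patch documents with "(default: no)". Either the LMTP default is a documentation error or the difference is deliberate; if deliberate, the entry should say so, because the smtp_tls_enable_rpk text warns that enabling raw public keys makes certificate fingerprint authentication more fragile, and a reader following "See there for details" will assume the same default.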
@@ -5721,6 +5807,9 @@ configuration parameter. See there for details. </p> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> configuration parameter. See there for details. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#lmtp_tls_policy_maps">lmtp_tls_policy_maps</a> instead. </p> + <p> This feature is available in Postfix 2.3 and later. </p> @@ -5738,7 +5827,7 @@ configuration parameter. See there for details. </p> </DD> <DT><b><a name="lmtp_tls_protocols">lmtp_tls_protocols</a> -(default: see postconf -d output)</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> configuration parameter. See there for details. </p> @@ -5853,6 +5942,9 @@ parameter. See there for details. </p> <p> The LMTP-specific version of the <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> configuration parameter. See there for details. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.3 and later. </p> @@ -6149,8 +6241,8 @@ until a match is found. <p> If this parameter is non-empty (the default), then the Postfix SMTP -server will reject mail for unknown local users. -</p> +server will reject mail for unknown local users. Other Postfix +interfaces may still accept an "unknown" recipient. </p> <p> To turn off local recipient checking in the Postfix SMTP server, @@ -6449,6 +6541,11 @@ and later.</dd> <dd>The domain part of the recipient address. </dd> +<dt><b>ENVID</b></dt> + +<dd>The optional <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> envelope ID. Available in Postfix version +3.9 and later</dd> + <dt><b>EXTENSION</b></dt> <dd>The optional address extension. </dd> 
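Review bot: the added ENVID entry ends with "Available in Postfix version 3.9 and later" and no closing period, and it drops the "This feature is available in ..." form used by every other availability note in this patch. Suggest "This feature is available in Postfix 3.9 and later." so the entry matches its neighbours.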
@@ -6683,6 +6780,21 @@ first argument. </p> </DD> +<DT><b><a name="maillog_file_permissions">maillog_file_permissions</a> +(default: 0600)</b></DT><DD> + +<p> The file access permissions that will be set when the file +$<a href="postconf.5.html#maillog_file">maillog_file</a> is created for the first time, or when the file is +created after an existing file is rotated. Specify one of: <b>0600</b> +(only super-user read/write access), <b>0640</b> (adds 'group' read +access), or <b>0644</b> (also adds 'other' read access). The leading +'0' is optional. </p> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="maillog_file_prefixes">maillog_file_prefixes</a> (default: /var, /dev/stdout)</b></DT><DD> @@ -8326,9 +8438,9 @@ it passes the test, before it can talk to a real Postfix SMTP server. <DT><b><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (default: 30d)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful "bare newline" SMTP protocol test. During this -time, the client IP address is excluded from this test. The default +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a "bare newline" SMTP protocol test, before it +address is required to pass that test again. The default is long because a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. </p> 
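Review bot: the reworded postscreen_bare_newline_ttl text reads "before it address is required to pass that test again", which is a leftover from the edit. The other postscreen_*_ttl hunks in this patch use "before it is required to pass that test again"; use the same phrase here.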
@@ -8584,9 +8696,10 @@ defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dns <p> Specify a negative value to enable this feature. When a client passes the <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> without having failed other tests, all pending or disabled tests are flagged as -completed with a time-to-live value equal to <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>. -When a test was already completed, its time-to-live value is updated -if it was less than <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>. </p> +completed with an expiration time based on the DNS reply TTL. +When a test was already completed, its expiration time is updated +if it was less than the value based on the DNS reply TTL. See +also <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> and <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p> <p> This feature is available in Postfix 3.6 and later. </p> 
@@ -8599,9 +8712,9 @@ if it was less than <a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dn <DT><b><a name="postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> (default: ${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b></DT><DD> -<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the -result from a successful DNS-based reputation test before a -client IP address is required to pass that test again. If the DNS +<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a +client IP address passed a DNS-based reputation test, before it is +required to pass that test again. If the DNS reply specifies a shorter TTL value, that value will be used unless it would be smaller than <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p> @@ -8619,9 +8732,9 @@ is backwards-compatible with older Postfix versions. </p> <DT><b><a name="postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (default: 60s)</b></DT><DD> -<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the -result from a successful DNS-based reputation test before a -client IP address is required to pass that test again. If the DNS +<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a +client IP address passed a DNS-based reputation test, before it +is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a>. </p> 
@@ -8762,9 +8875,9 @@ The default time unit is s (seconds). </p> <DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (default: 1h)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful DNS-based reputation test before a client -IP address is required to pass that test again. </p> +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a DNS-based reputation test, before it is required +to pass that test again. </p> <p> Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s @@ -8880,9 +8993,9 @@ value to disable this feature. </p> <DT><b><a name="postscreen_greet_ttl">postscreen_greet_ttl</a> (default: 1d)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful PREGREET test. During this time, the client IP address -is excluded from this test. The default is relatively short, because +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a PREGREET test, before it is required to pass +that test again. The default is relatively short, because a good client can immediately talk to a real Postfix SMTP server. </p> <p> Specify a non-zero time value (an integral value plus an optional 
@@ -8976,9 +9089,9 @@ test, before it can talk to a real Postfix SMTP server. </p> <DT><b><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (default: 30d)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful "non_smtp_command" SMTP protocol test. During this -time, the client IP address is excluded from this test. The default +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a "non_smtp_command" SMTP protocol test, before +it is required to pass that test again. The default is long because a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. </p> @@ -9044,9 +9157,9 @@ server. </p> <DT><b><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (default: 30d)</b></DT><DD> -<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from -a successful "pipelining" SMTP protocol test. During this time, the -client IP address is excluded from this test. The default is +<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client +IP address passed a "pipelining" SMTP protocol test, before it is +required to pass that test again. The default is long because a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. </p> 
@@ -10136,13 +10249,24 @@ This feature is available in Postfix 2.0 and later. <p> The default mail delivery transport and next-hop destination for -remote delivery to domains listed with $<a href="postconf.5.html#relay_domains">relay_domains</a>. In order of -decreasing precedence, the nexthop destination is taken from -$<a href="postconf.5.html#relay_transport">relay_transport</a>, $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>, or -from the recipient domain. This information can be overruled with -the <a href="transport.5.html">transport(5)</a> table. +the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class: recipient domains that match +$<a href="postconf.5.html#relay_domains">relay_domains</a>. </p> + +<p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class: </p> + +<ul> + +<li> <p> In order of decreasing precedence, the message delivery +transport is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>. </p> +<li> <p> In order of decreasing precedence, the nexthop destination +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. </p> + +</ul> + <p> Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i> is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>. 
@@ -10166,13 +10290,31 @@ This feature is available in Postfix 2.0 and later. (default: empty)</b></DT><DD> <p> -The next-hop destination(s) for non-local mail; overrides non-local -domains in recipient addresses. This information is overruled with -<a href="postconf.5.html#relay_transport">relay_transport</a>, <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, -<a href="postconf.5.html#default_transport">default_transport</a>, <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> -and with the <a href="transport.5.html">transport(5)</a> table. +The next-hop destination(s) for non-local mail; takes precedence +over non-<a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a> in recipient addresses. This information +will not be used when the sender matches $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>. </p> +<p> In order of decreasing precedence: </p> + +<ul> + +<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class +(domains matching $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken +from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. 
<p> + +<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class +(domains that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, +$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, +or $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken from 1) +$<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or +$<a href="postconf.5.html#default_transport">default_transport</a>, 3) $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> +or the recipient domain. </p> + +</ul> + <p> On an intranet, specify the organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet @@ -10180,11 +10322,12 @@ gateway host instead. </p> <p> -In the case of SMTP or LMTP delivery, specify one or more destinations -in the form of a domain name, hostname, hostname:port, [hostname]:port, -[hostaddress] or [hostaddress]:port, separated by comma or whitespace. -The form [hostname] turns off MX lookups. Multiple destinations are -supported in Postfix 3.5 and later. +In the case of SMTP delivery, specify one or more destinations in +the form of a domain name, hostname, hostname:service, [hostname]:service, +[hostaddress] or [hostaddress]:service, separated by comma or whitespace. +The form [hostname] turns off MX or SRV lookups. Multiple destinations +are supported in Postfix 3.5 and later. Each destination is tried +in the specified order. </p> <p> 
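Review bot: in the relayhost hunk, the first list item (relay domain address class) ends with "domain. `<p>`" where the second item ends with "`</p>`". The stray opening tag leaves the first item's paragraph unclosed and starts an empty paragraph before the next `<li>`; change it to `</p>`. The sender_dependent_relayhost_maps hunk carries the same list with the correct closing tag, so the two copies currently differ.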
@@ -10589,18 +10732,38 @@ address and @domain. A lookup result of DUNNO terminates the search without overriding the global <a href="postconf.5.html#default_transport">default_transport</a> parameter setting. This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p> -<p> -Specify zero or more "type:name" lookup tables, separated by -whitespace or comma. Tables will be searched in the specified order -until a match is found. +<p> This setting affects only the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class +(recipient domains that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, +$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, +or $<a href="postconf.5.html#relay_domains">relay_domains</a>): </p> + +<ul> + +<li> <p> In order of decreasing precedence, the delivery transport +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>. </p> +<li> <p> In order of decreasing precedence, the nexthop destination +is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. 
</p> + +</ul> + <p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>. Specifically, this does not support the <a href="postconf.5.html#transport_maps">transport_maps</a> syntax for null transport, null nexthop, or null email addresses. </p> +<p> +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +</p> + <p> For safety reasons, this feature does not allow $number substitutions in regular expression maps. </p> 
@@ -10616,9 +10779,27 @@ substitutions in regular expression maps. </p> setting. The tables are searched by the envelope sender address and @domain. A lookup result of DUNNO terminates the search without overriding the global <a href="postconf.5.html#relayhost">relayhost</a> parameter setting (Postfix 2.6 and -later). This information is overruled with <a href="postconf.5.html#relay_transport">relay_transport</a>, -<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, <a href="postconf.5.html#default_transport">default_transport</a> and with -the <a href="transport.5.html">transport(5)</a> table. </p> +later). </p> + +<p> In order of decreasing precedence: </p> + +<ul> + +<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class +(domains matching $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken +from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3) +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient +domain. 
</p> + +<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class +(domains that do not match <a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, +$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, +$<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken from 1) +$<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or +$<a href="postconf.5.html#default_transport">default_transport</a>, 3) $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> +or the recipient domain. </p> + +</ul> <p> Specify zero or more "type:name" lookup tables, separated by 
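Review bot: the default domain list item added to sender_dependent_relayhost_maps is not the same text as the one added to relayhost. Here the first parameter is written as "mydestination" without the leading "$", and the list ends "$virtual_mailbox_domains, $relay_domains" without the "or" before the last item. Since the intent is clearly an identical description in both places, copy the relayhost wording so the parameter list reads "$mydestination, ..., or $relay_domains".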
@@ -10820,13 +11001,38 @@ IPv6 connectivity: </p> <ul> <li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv6" is unsafe. -It can fail to deliver mail when there is an outage that affects -IPv6, while the destination is still reachable over IPv4. </p> +All deliveries will suffer delays during an IPv6 outage, even +while the destination is still reachable over IPv4. Mail may be +stuck in the queue with Postfix versions < 3.3 that do not +implement "<a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a>". For similar reasons, the +setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv4" is also unsafe. </p> <li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = any" is safe. With -this, mail will eventually be delivered even if there is an outage +this, and "<a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a> = yes" (the default), only +half of deliveries will suffer delays if there is an outage that affects IPv6 or IPv4, as long as it does not affect both. </p> +<li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv4" is not a +solution for remote servers that flag email received over IPv6 as +more 'spammy' (the client IPv6 address has a bad or missing PTR or +AAAA record, bad network neighbors, etc.). Instead, configure Postfix +to receive mail over both IPv4 and IPv6, and to deliver mail over +only IPv4. </p> + +<blockquote> +<pre> +/etc/postfix/<a href="postconf.5.html">main.cf</a>: + <a href="postconf.5.html#inet_protocols">inet_protocols</a> = all +</pre> +</blockquote> + +<blockquote> +<pre> +/etc/postfix/<a href="master.5.html">master.cf</a> + smtp ...other fields... 
smtp -o <a href="postconf.5.html#inet_protocols">inet_protocols</a>=ipv4 +</pre> +</blockquote> + </ul> <p> This feature is available in Postfix 2.8 and later. </p> @@ -12295,6 +12501,9 @@ If no username:password entry is found, then the Postfix SMTP client will not attempt to authenticate to the remote host. </p> +<p> Use <a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> to specify an +alternative separator between username and password. </p> + <p> The Postfix SMTP client opens the lookup table before going to chroot jail, so you can leave the password file in /etc/postfix. @@ -12309,6 +12518,18 @@ until a match is found. </DD> +<DT><b><a name="smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> +(default: :)</b></DT><DD> + +<p> The delimiter between username and password in sasl_passwd_maps lookup +results. Specify one non-whitespace character that does not appear in +the username. </p> + +<p> This feature is available in Postfix ≥ 3.9. </p> + + +</DD> + <DT><b><a name="smtp_sasl_path">smtp_sasl_path</a> (default: empty)</b></DT><DD> 
@@ -13035,6 +13256,86 @@ compiled and linked with OpenSSL 1.0.0 or later. </p> </DD> +<DT><b><a name="smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +(default: no)</b></DT><DD> + +<p> Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key +instead of an X.509 certificate. This feature and the enable_rpk +policy attribute are ignored when there is no raw public key support +in the local TLS implementation. </p> + +<ul> + +<li> <p> At the "may", "encrypt" and "fingerprint" security levels, +with parameter setting "<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes" or with "enable_rpk += yes" in a policy entry, the Postfix SMTP client will indicate in +the TLS handshake that it prefers to receive a raw server public +key, but it will still accept a server public key certificate. </p> + +<li> <p> At the "fingerprint" security level, with parameter setting +"<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes" or with "enable_rpk = yes" in a policy +entry, server authentication based on certificate fingerprints +becomes more fragile. Even if the server private key and certificate +remain unchanged, the remote SMTP server will fail fingerprint +authentication (won't match the configured list of fingerprints) +when it starts sending a raw public key instead of a certificate, +after its TLS implementation is updated with raw public key support. +Therefore, <b>DO NOT</b> enable raw public keys to remote destinations +authenticated by server <b>certificate</b> fingerprints. You should +enable raw public keys only for servers matched via their public +key fingerprint. </p> + +<li> <p> At the "verify" and "secure" security levels, the Postfix +SMTP client always ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +or the enable_rpk policy attribute. 
</p> + +<li> <p> At the opportunistic "dane" security level, the Postfix +SMTP client ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> or +the enable_rpk policy attribute (but it will respect them when it +falls back to the "may" or "encrypt" level). When all valid TLSA +records specify only server public keys (no certificates) and the +local TLS implementation supports raw public keys, the client will +indicate in the TLS handshake that it prefers to receive a raw +public key, but it will still accept a public key certificate. </p> + +<li> <p> At the mandatory "dane-only" security level, the Postfix +SMTP client always ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> +or the enable_rpk policy attribute. When all valid TLSA records +specify only server public keys (no certificates) and the local TLS +implementation supports raw public keys, the client will indicate +in the TLS handshake that it prefers to receive a raw public key, +but it will still accept a public key certificate. </p> + +</ul> + +<p>The Postfix SMTP client is always willing to send raw public keys +to servers that solicit them when a client certificate is configured +and the local TLS implementation supports raw public keys. </p> + +<p> Sample commands to compute certificate and public key SHA256 digests: </p> + +<pre> +# SHA256 digest of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c +</pre> + +<pre> +# SHA256 digest of the SPKI of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -pubkey -noout | + openssl pkey -pubin -outform DER | openssl dgst -sha256 -c +</pre> + +<pre> +# SHA256 digest of the SPKI of the first private key in "pkey.pem" +$ openssl pkey -in pkey.pem -pubout -outform DER | + openssl dgst -sha256 -c +</pre> + +<p> This feature is available in Postfix 3.9 and later. 
</p> + + +</DD> + <DT><b><a name="smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (default: yes)</b></DT><DD> @@ -13296,7 +13597,9 @@ verification errors if server certificate verification is not required. With Postfix 2.8 and earlier, log the summary message and unconditionally log trust-chain verification errors. </dd> -<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> +<dt> </dt> <dd> 2 Also enable verbose logging in the Postfix TLS +library, log session cache operations, and enable OpenSSL logging +of the progress of the SSL handshake. </dd> <dt> </dt> <dd> 3 Also log the hexadecimal and ASCII dump of the TLS negotiation process. </dd> @@ -13546,11 +13849,13 @@ lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd> <dt> MAY </dt> <dd> Try to use TLS if the server announces support, -otherwise use an unencrypted connection. This has less precedence +otherwise use an unencrypted connection; after a failed TLS handshake +or TLS session, fall back to plaintext if the message has spent +<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> in the mail queue. This level has less precedence than a more specific result (including <b>NONE</b>) from the alternate host or next-hop lookup key, and has less precedence than the more specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> -= yes". </dd> += yes". </dd> <dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not require that the remote SMTP server hostname matches the information 
@@ -13643,28 +13948,35 @@ security are: </p> <dd>Opportunistic TLS. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces interoperability. The optional "ciphers", "exclude", and "protocols" -attributes (available for opportunistic TLS with Postfix ≥ 2.6) -and "connection_reuse" attribute (Postfix ≥ 3.4) override the +attributes (available for opportunistic TLS with Postfix ≥ 2.6) and +"connection_reuse" attribute (Postfix ≥ 3.4) override the "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>", -and -"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. In the policy table, -multiple ciphers, protocols or excluded ciphers must be separated by colons, -as attribute values may not contain whitespace or commas. When opportunistic -TLS handshakes fail, Postfix retries the connection with TLS disabled. -This allows mail delivery to sites with non-interoperable TLS -implementations.</dd> +and "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. In the policy +table, multiple ciphers, protocols or excluded ciphers must be separated +by colons, as attribute values may not contain whitespace or commas. At +this level and higher, the optional "servername" attribute (available +with Postfix ≥ 3.4) overrides the global "<a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a>" +parameter, enabling per-destination configuration of the SNI extension +sent to the remote SMTP server. The optional "enable_rpk" attribute +(Postfix ≥ 3.9) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. 
+When opportunistic TLS handshakes fail, Postfix retries the connection +with TLS disabled. This allows mail delivery to sites with +non-interoperable TLS implementations.</dd> <dt><b><a href="TLS_README.html#client_tls_encrypt">encrypt</a></b></dt> -<dd>Mandatory TLS encryption. At this level -and higher, the optional "protocols" attribute overrides the <a href="postconf.5.html">main.cf</a> +<dd>Mandatory TLS encryption. Mail is delivered only if the remote SMTP +server offers STARTTLS and the TLS handshake succeeds. At this level and +higher, the optional "protocols" attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter, the optional "ciphers" attribute -overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, the -optional "exclude" attribute (Postfix ≥ 2.6) overrides the <a href="postconf.5.html">main.cf</a> +overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, the optional +"exclude" attribute (Postfix ≥ 2.6) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> parameter, and the optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the -<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. In the policy table, -multiple ciphers, protocols or excluded ciphers must be separated by colons, -as attribute values may not contain whitespace or commas. </dd> +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. 
In the policy table, multiple +ciphers, protocols or excluded ciphers must be separated by colons, as +attribute values may not contain whitespace or commas. The optional +"enable_rpk" attribute (Postfix ≥ 3.9) overrides the <a href="postconf.5.html">main.cf</a> +<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. </dd> <dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt> <dd>Opportunistic DANE TLS. The TLS policy for the destination is @@ -13709,10 +14021,10 @@ configuration parameters. The optional "connection_reuse" attribute verification. Available with Postfix 2.5 and later. At this security level, there are no trusted Certification Authorities. The certificate trust chain, expiration date, ... are not checked. Instead, -the optional "match" attribute, or else the <a href="postconf.5.html">main.cf</a> +the optional policy table "match" attribute, or else the <a href="postconf.5.html">main.cf</a> <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a></b> parameter, lists the certificate -fingerprints or the public key fingerprint (Postfix 2.9 and later) -of the valid server certificate. The digest +fingerprints or the public key fingerprints (Postfix 2.9 and later) +of acceptable server certificates. The digest algorithm used to calculate the fingerprint is selected by the <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b> parameter. Multiple fingerprints can be combined with a "|" delimiter in a single match attribute, or multiple 
@@ -13723,45 +14035,58 @@ digits. The optional "ciphers", "exclude", and "protocols" attributes "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional "connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> -parameter. </dd> +parameter. The optional "enable_rpk" attribute (Postfix ≥ 3.9) +overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. </dd> <dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt> -<dd>Mandatory TLS verification. At this security -level, DNS MX lookups are trusted to be secure enough, and the name -verified in the server certificate is usually obtained indirectly via -unauthenticated DNS MX lookups. The optional "match" attribute overrides -the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter. In the policy table, -multiple match patterns and strategies must be separated by colons. -In practice explicit control over matching is more common with the -"secure" policy, described below. The optional "ciphers", "exclude", -and "protocols" attributes (Postfix ≥ 2.6) override the -"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and -"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. 
The optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> -<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> +<dd>Mandatory TLS verification. Mail is delivered only if the TLS +handshake succeeds, the remote SMTP server certificate chain can be +validated, and a DNS name in the certificate matches the specified match +criteria. At this security level, DNS MX lookups are presumed to be +secure enough, and the name verified in the server certificate is +potentially obtained via unauthenticated DNS MX lookups. The optional +"match" attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> +parameter. In the policy table, multiple match patterns and strategies +must be separated by colons. In practice explicit control over matching +is more common with the "secure" policy, described below. The optional +"ciphers", "exclude", and "protocols" attributes (Postfix ≥ 2.6) +override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", +"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" +configuration parameters. With Postfix ≥ 2.11 the optional "tafile" +policy table attribute modifies trust chain verification in the same +manner as the "<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile" +attribute may be specified multiple times to load multiple trust-anchor +files. The optional "connection_reuse" attribute (Postfix ≥ 3.4) +overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. 
</dd> <dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt> -<dd>Secure-channel TLS. At this security level, DNS -MX lookups, though potentially used to determine the candidate next-hop -gateway IP addresses, are <b>not</b> trusted to be secure enough for TLS -peername verification. Instead, the default name verified in the server -certificate is obtained directly from the next-hop, or is explicitly -specified via the optional "match" attribute which overrides the -<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. In the policy table, -multiple match patterns and strategies must be separated by colons. -The match attribute is most useful when multiple domains are supported by -a common server: the policy entries for additional domains specify matching -rules for the primary domain certificate. While transport table overrides -that route the secondary domains to the primary nexthop also allow secure -verification, they risk delivery to the wrong destination when domains -change hands or are re-assigned to new gateways. With the "match" -attribute approach, routing is not perturbed, and mail is deferred if -verification of a new MX host fails. The optional "ciphers", "exclude", -and "protocols" attributes (Postfix ≥ 2.6) override the -"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and -"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional -"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> -<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> +<dd>Secure certificate verification. 
Mail is delivered only if the TLS +handshake succeeds, the remote SMTP server certificate chain can be +validated, and a DNS name in the certificate matches the specified match +criteria. At this security level, DNS MX lookups, though potentially +used to determine the candidate next-hop gateway IP addresses, are +<b>not</b> presumed to be secure enough for TLS peername verification. +Instead, the default name verified in the server certificate is obtained +directly from the next-hop, or is explicitly specified via the optional +"match" attribute which overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> +parameter. In the policy table, multiple match patterns and strategies +must be separated by colons. The match attribute is most useful when +multiple domains are supported by a common server: the policy entries +for additional domains specify matching rules for the primary domain +certificate. While transport table overrides that route the secondary +domains to the primary nexthop also allow secure verification, they risk +delivery to the wrong destination when domains change hands or are +re-assigned to new gateways. With the "match" attribute approach, +routing is not perturbed, and mail is deferred if verification of a new +MX host fails. The optional "ciphers", "exclude", and "protocols" +attributes (Postfix ≥ 2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", +"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" +configuration parameters. With Postfix ≥ 2.11 the "tafile" attribute +optionally modifies trust chain verification in the same manner as the +"<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. 
The "tafile" attribute may be +specified multiple times to load multiple trust-anchor files. The +optional "connection_reuse" attribute (Postfix ≥ 3.4) overrides the +<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd> </dl> @@ -13807,7 +14132,7 @@ configurations in environments where DNS security is not assured. </p> </DD> <DT><b><a name="smtp_tls_protocols">smtp_tls_protocols</a> -(default: see postconf -d output)</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> TLS protocols that the Postfix SMTP client will use with opportunistic TLS encryption. In <a href="postconf.5.html">main.cf</a> the values are separated by @@ -13975,7 +14300,9 @@ destinations via <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_ <dt><b><a href="TLS_README.html#client_tls_may">may</a></b></dt> <dd> Opportunistic TLS. Use TLS if this is supported by the remote -SMTP server, otherwise use plaintext. Since +SMTP server, otherwise use plaintext; after a failed TLS handshake +or TLS session, fall back to plaintext if the message has spent +<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> in the mail queue. Since sending in the clear is acceptable, demanding stronger than default TLS security merely reduces interoperability. The "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" (Postfix ≥ 2.6) 
@@ -14896,9 +15223,8 @@ pubkey_fingerprint } } </dd> <dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> -<dd>Search the specified access database for the client hostname, -parent domains, client IP address, or networks obtained by stripping -least significant octets. See the <a href="access.5.html">access(5)</a> manual page for details. </dd> +<dd>Search the specified access database for the client hostname +or IP address. See the <a href="access.5.html">access(5)</a> manual page for details. </dd> <dt><b><a name="check_client_a_access">check_client_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> @@ -14929,8 +15255,7 @@ available in Postfix 2.7 and later. </dd> <dt><b><a name="check_reverse_client_hostname_access">check_reverse_client_hostname_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dd>Search the specified access database for the unverified reverse -client hostname, parent domains, client IP address, or networks -obtained by stripping least significant octets. See the <a href="access.5.html">access(5)</a> +client hostname or IP address. See the <a href="access.5.html">access(5)</a> manual page for details. Note: a result of "OK" is not allowed for safety reasons. Instead, use DUNNO in order to exclude specific hosts from denylists. This feature is available in Postfix 2.6 @@ -15527,6 +15852,9 @@ server. This option is therefore off by default. </p> STARTTLS due to insufficient privileges to access the server private key. This is intended behavior. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p> 
@@ -15588,8 +15916,8 @@ received with the ETRN command. <dt><b><a name="check_etrn_access">check_etrn_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> -<dd>Search the specified access database for the ETRN domain name -or its parent domains. See the <a href="access.5.html">access(5)</a> manual page for details. +<dd>Search the specified access database for the ETRN domain name. +See the <a href="access.5.html">access(5)</a> manual page for details. </dd> </dl> @@ -15641,7 +15969,7 @@ This feature is available in Postfix 2.0 and later. </DD> <DT><b><a name="smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> -(default: Postfix < 3.9: no)</b></DT><DD> +(default: Postfix ≥ 3.9: normalize)</b></DT><DD> <p> Reject or restrict input lines from an SMTP client that end in <LF> instead of the standard <CR><LF>. Such line @@ -15654,7 +15982,8 @@ SMTP smuggling</a>. </p> <dl compact> -<dt> <b>normalize</b></dt> <dd> Require the standard +<dt> <b>normalize</b> (default for Postfix ≥ 3.9) </dt> +<dd> Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Otherwise, allow command or message content lines ending in the non-standard <LF>, and process them as if the client sent the @@ -15666,6 +15995,13 @@ with the standard End-of-DATA sequence <CR><LF>.<CR><LF>. <br> <br> Such clients can be excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd> +<dt> <b>note</b> </dt> <dd> Same as "normalize", but also notes in +the log whether the Postfix SMTP server received any lines with +"bare <LF>". The information is formatted as "<tt>disconnect +from name[address] ... notes=bare_lf</tt>". The notes value is +expected to become a list of comma-separated names. <br> <br> This +feature is available in Postfix 3.9 and later. </dd> + <dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd> <dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA 
@@ -15684,8 +16020,8 @@ of BDAT violations, BDAT can be selectively disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>). </dd> -<dt> <b>no</b> (default)</dt> <dd> Do not require the standard -End-of-DATA +<dt> <b>no</b> (default for Postfix < 3.9) </dt> +<dd> Do not require the standard End-of-DATA sequence <CR><LF>.<CR><LF>. Always process a bare <LF> as if the client sent <CR><LF>. This option is fully backwards compatible, but is not recommended for @@ -15793,9 +16129,9 @@ Specify a 5XX status code (521 to disconnect). <p> Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321) command pipelining constraints. The server replies with "554 5.5.0 Error: SMTP protocol synchronization" and logs the unexpected remote -SMTP client input. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = yes" -to enable. This feature is enabled by default with Postfix ≥ -3.9. </p> +SMTP client input. This feature is enabled by default with Postfix +≥ 3.9. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = no" to disable. +</p> <p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, 3.6.10, and 3.5.20. </p> 
@@ -15899,7 +16235,7 @@ received with the HELO or EHLO command. <dt><b><a name="check_helo_access">check_helo_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dd>Search the specified <a href="access.5.html">access(5)</a> database for the HELO or EHLO -hostname or parent domains, and execute the corresponding action. +hostname, and execute the corresponding action. Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can simply skip <a href="postconf.5.html#check_helo_access">check_helo_access</a> by not sending HELO or EHLO). </dd> @@ -16563,8 +16899,7 @@ that is received with the RCPT TO command. <dt><b><a name="check_recipient_access">check_recipient_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dd>Search the specified <a href="access.5.html">access(5)</a> database for the resolved RCPT -TO address, domain, parent domains, or localpart@, and execute the -corresponding action. </dd> +TO address, and execute the corresponding action. </dd> <dt><b><a name="check_recipient_a_access">check_recipient_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> @@ -16993,7 +17328,7 @@ The same restrictions are available as documented under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>. </p> -<p> This feature is available in Postix 2.10 and later. </p> +<p> This feature is available in Postfix 2.10 and later. </p> </DD> 
@@ -17411,8 +17746,7 @@ received with the MAIL FROM command. <dt><b><a name="check_sender_access">check_sender_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> <dd>Search the specified <a href="access.5.html">access(5)</a> database for the MAIL FROM -address, domain, parent domains, or localpart@, and execute the -corresponding action. </dd> +address, and execute the corresponding action. </dd> <dt><b><a name="check_sender_a_access">check_sender_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt> 
@@ -18316,6 +18650,53 @@ where EC algorithms have not been disabled by the vendor. </p> </DD> +<DT><b><a name="smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> +(default: no)</b></DT><DD> + +<p> Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key +instead of an X.509 certificate, when asking for or requiring client +authentication. This feature is ignored when there is no raw public +key support in the local TLS implementation. </p> + +<p> The Postfix SMTP server will log a warning when "<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> += yes", but the remote SMTP client sends a certificate, the +certificate's public key fingerprint does not match a <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> +table, while the certificate fingerprint does match a <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> +table. The remote SMTP client would lose access when it starts +sending a raw public key instead of a certificate, after its TLS +implementation is updated with raw public key support. </p> + +<p> The Postfix SMTP server always sends a raw public key instead +of a certificate, if solicited by the remote SMTP client and the +local TLS implementation supports raw public keys. If the client +sends a server name indication with an SNI TLS extension, and +<a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> is configured, the server will extract a raw +public key from the indicated certificate. 
</p> + +<p> Sample commands to compute certificate and public key SHA256 digests: </p> + +<pre> +# SHA256 digest of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c +</pre> + +<pre> +# SHA256 digest of the SPKI of the first certificate in "cert.pem" +$ openssl x509 -in cert.pem -pubkey -noout | + openssl pkey -pubin -outform DER | openssl dgst -sha256 -c +</pre> + +<pre> +# SHA256 digest of the SPKI of the first private key in "pkey.pem" +$ openssl pkey -in pkey.pem -pubout -outform DER | + openssl dgst -sha256 -c +</pre> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (default: empty)</b></DT><DD> @@ -18472,7 +18853,9 @@ if client certificate verification is not required. With Postfix 2.8 and earlier, log the summary message, peer certificate summary information and unconditionally log trust-chain verification errors. </dd> -<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd> +<dt> </dt> <dd> 2 Also enable verbose logging in the Postfix TLS +library, log session cache operations, and enable OpenSSL logging +of the progress of the SSL handshake. </dd> <dt> </dt> <dd> 3 Also log hexadecimal and ASCII dump of TLS negotiation process. </dd> @@ -18655,7 +19038,7 @@ releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2). </p> </DD> <DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a> -(default: see postconf -d output)</b></DT><DD> +(default: see 'postconf -d' output)</b></DT><DD> <p> TLS protocols accepted by the Postfix SMTP server with opportunistic TLS encryption. If the list is empty, the server supports all available 
@@ -18931,6 +19314,9 @@ but do not require that clients use TLS encryption. </p> STARTTLS due to insufficient privileges to access the server private key. This is intended behavior. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p> @@ -19438,8 +19824,7 @@ via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter. selected name is not present in the configuration file, the default application name ("openssl_conf") is used as a fallback. </p> -<p> This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, -3.6.10, and 3.5.20. </p> +<p> This feature is available in Postfix ≥ 3.9. </p> </DD> @@ -20356,6 +20741,9 @@ to configure tlsproxy client keys and certificates is via the See <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> for further details. Use <a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p> + <p> This feature is available in Postfix 3.4 and later. </p> @@ -20427,6 +20815,9 @@ value. </p> usage policy by next-hop destination and by remote TLS server hostname. See <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> for further details. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> instead. </p> + <p> This feature is available in Postfix 3.4 and later. </p> 
@@ -20488,6 +20879,9 @@ was previously called <a href="postconf.5.html#tlsproxy_client_level">tlsproxy_c support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further details. Use <a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p> + <p> This feature is available in Postfix 3.4 and later. </p> @@ -20500,6 +20894,9 @@ support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> for further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.8 and later. </p> @@ -20632,6 +21029,8 @@ private DSA key. DSA is obsolete and should not be used. See should use with non-export EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> for further details. </p> +<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p> + <p> This feature is available in Postfix 2.8 and later. </p> 
@@ -20704,11 +21103,25 @@ the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files elliptic-curve Diffie-Hellman (EECDH) key exchange. See <a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p> +<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p> + <p> This feature is available in Postfix 2.8 and later. </p> </DD> +<DT><b><a name="tlsproxy_tls_enable_rpk">tlsproxy_tls_enable_rpk</a> +(default: $<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>)</b></DT><DD> + +<p> Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key +instead of an X.509 certificate, when asking or requiring client +authentication. See $<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> for details. </p> + +<p> This feature is available in Postfix 3.9 and later. </p> + + +</DD> + <DT><b><a name="tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a> (default: $<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b></DT><DD> @@ -20856,6 +21269,9 @@ shared by all three services, namely <a href="postconf.5.html#smtpd_tls_session_ but do not require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> for further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p> +<p> This feature is deprecated as of Postfix 3.9. Specify +<a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p> + <p> This feature is available in Postfix 2.8 and later. </p> 
@@ -21100,7 +21516,14 @@ built-in suffix (in this case: "_initial_destination_concurrency"). <p> Optional lookup tables with mappings from recipient address to (message delivery transport, next-hop destination). See <a href="transport.5.html">transport(5)</a> -for details. +for syntax details. +</p> + +<p> This information may override the message delivery transport +and/or next-hop destination that are specified with $<a href="postconf.5.html#local_transport">local_transport</a>, +$<a href="postconf.5.html#virtual_transport">virtual_transport</a>, $<a href="postconf.5.html#relay_transport">relay_transport</a>, $<a href="postconf.5.html#default_transport">default_transport</a>, +$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>, +$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, or the recipient domain. </p> <p> @@ -21735,7 +22158,7 @@ This feature is available in Postfix 1.1 and later. <p> The maximal length of an email address after virtual alias expansion. -This stops virtual aliasing loops that increase the address length +This stops <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> loops that increase the address length exponentially. </p> 
@@ -21814,8 +22237,10 @@ This feature is available in Postfix 2.1 and later. (default: $<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b></DT><DD> <p> -Optional lookup tables that alias specific mail addresses or domains -to other local or remote addresses. The table format and lookups +Optional lookup tables with aliases that apply to all recipients: +<a href="local.8.html">local(8)</a>, virtual, and remote; this is unlike <a href="postconf.5.html#alias_maps">alias_maps</a> that apply +only to <a href="local.8.html">local(8)</a> recipients. +The table format and lookups are documented in <a href="virtual.5.html">virtual(5)</a>. For an overview of Postfix address manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document. </p> diff --git a/html/postdrop.1.html b/html/postdrop.1.html index 72a4abf..bc4293a 100644 --- a/html/postdrop.1.html +++ b/html/postdrop.1.html @@ -70,7 +70,7 @@ POSTDROP(1) POSTDROP(1) figuration files. <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b> - The list of environment parameters that a privileged Postfix + The list of environment variables that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides. diff --git a/html/postfix-manuals.html b/html/postfix-manuals.html index 7ddfa73..84774a5 100644 --- a/html/postfix-manuals.html +++ b/html/postfix-manuals.html @@ -135,7 +135,7 @@ the following convention: </p> <li> <a href="access.5.html">access(5)</a>, Postfix SMTP access control table -<li> <a href="aliases.5.html">aliases(5)</a>, Postfix alias database +<li> <a href="aliases.5.html">aliases(5)</a>, Postfix <a href="ADDRESS_REWRITING_README.html#aliases">local aliasing</a> <li> <a href="canonical.5.html">canonical(5)</a>, Postfix input address rewriting 
@@ -147,7 +147,7 @@ the following convention: </p> <li> <a href="transport.5.html">transport(5)</a>, Postfix routing table -<li> <a href="virtual.5.html">virtual(5)</a>, Postfix virtual aliasing +<li> <a href="virtual.5.html">virtual(5)</a>, Postfix <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> </ul> @@ -164,6 +164,8 @@ the following convention: </p> <li> <a href="memcache_table.5.html">memcache_table(5)</a>, Postfix memcache client +<li> <a href="mongodb_table.5.html">mongodb_table(5)</a>, Postfix MongoDB client + <li> <a href="mysql_table.5.html">mysql_table(5)</a>, Postfix MYSQL client <li> <a href="nisplus_table.5.html">nisplus_table(5)</a>, Postfix NIS+ client diff --git a/html/postfix.1.html b/html/postfix.1.html index 4654071..a6ede78 100644 --- a/html/postfix.1.html +++ b/html/postfix.1.html 
@@ -346,19 +346,20 @@ POSTFIX(1) POSTFIX(1) Table-driven mechanisms: <a href="access.5.html">access(5)</a>, Postfix SMTP access control table - <a href="aliases.5.html">aliases(5)</a>, Postfix alias database + <a href="aliases.5.html">aliases(5)</a>, Postfix <a href="ADDRESS_REWRITING_README.html#aliases">local aliasing</a> <a href="canonical.5.html">canonical(5)</a>, Postfix input address rewriting <a href="generic.5.html">generic(5)</a>, Postfix output address rewriting <a href="header_checks.5.html">header_checks(5)</a>, <a href="header_checks.5.html">body_checks(5)</a>, Postfix content inspection <a href="relocated.5.html">relocated(5)</a>, Users that have moved <a href="transport.5.html">transport(5)</a>, Postfix routing table - <a href="virtual.5.html">virtual(5)</a>, Postfix virtual aliasing + <a href="virtual.5.html">virtual(5)</a>, Postfix <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> Table lookup mechanisms: <a href="cidr_table.5.html">cidr_table(5)</a>, Associate CIDR pattern with value <a href="ldap_table.5.html">ldap_table(5)</a>, Postfix LDAP client <a href="lmdb_table.5.html">lmdb_table(5)</a>, Postfix LMDB database driver <a href="memcache_table.5.html">memcache_table(5)</a>, Postfix memcache client + <a href="mongodb_table.5.html">mongodb_table(5)</a>, Postfix MongoDB client <a href="mysql_table.5.html">mysql_table(5)</a>, Postfix MYSQL client <a href="nisplus_table.5.html">nisplus_table(5)</a>, Postfix NIS+ client <a href="pcre_table.5.html">pcre_table(5)</a>, Associate PCRE pattern with value diff --git a/html/postkick.1.html b/html/postkick.1.html index 3156fc4..9ca7c59 100644 --- a/html/postkick.1.html +++ b/html/postkick.1.html 
@@ -63,7 +63,7 @@ POSTKICK(1) POSTKICK(1) the Postfix daemon process input buffer before giving up. <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b> - The list of environment parameters that a privileged Postfix + The list of environment variables that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides. diff --git a/html/postlock.1.html b/html/postlock.1.html index 0ca0b57..9750f9b 100644 --- a/html/postlock.1.html +++ b/html/postlock.1.html @@ -93,7 +93,7 @@ POSTLOCK(1) POSTLOCK(1) figuration files. <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b> - The list of environment parameters that a privileged Postfix + The list of environment variables that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides. diff --git a/html/postlog.1.html b/html/postlog.1.html index 587edbc..617b78b 100644 --- a/html/postlog.1.html +++ b/html/postlog.1.html @@ -90,6 +90,13 @@ POSTLOG(1) POSTLOG(1) <b><a href="postconf.5.html#postlog_service_name">postlog_service_name</a> (postlog)</b> The name of the <a href="postlogd.8.html"><b>postlogd</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>. + Available in Postfix 3.9 and later: + + <b><a href="postconf.5.html#maillog_file_permissions">maillog_file_permissions</a> (0600)</b> + The file access permissions that will be set when the file + $<a href="postconf.5.html#maillog_file">maillog_file</a> is created for the first time, or when the file is + created after an existing file is rotated. + <b>SEE ALSO</b> <a href="postconf.5.html">postconf(5)</a>, configuration parameters <a href="postlogd.8.html">postlogd(8)</a>, Postfix logging diff --git a/html/postlogd.8.html b/html/postlogd.8.html index 58cdf01..e0a72af 100644 --- a/html/postlogd.8.html +++ b/html/postlogd.8.html 
@@ -36,9 +36,9 @@ POSTLOGD(8) POSTLOGD(8) <a href="postqueue.1.html"><b>postqueue</b>(1)</a> and (Postfix >= 3.7) <a href="postlog.1.html"><b>postlog</b>(1)</a>. <b>CONFIGURATION PARAMETERS</b> - Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="postlogd.8.html"><b>postlogd</b>(8)</a> pro- - cesses run for only a limited amount of time. Use the command "<b>postfix</b> - <b>reload</b>" to speed up a change. + Changes to <a href="postconf.5.html"><b>main.cf</b></a> are not picked up automatically, because <a href="postlogd.8.html"><b>postlogd</b>(8)</a> + terminates only after reaching the <b><a href="postconf.5.html#max_idle">max_idle</a></b> time limit. Use the com- + mand "<b>postfix reload</b>" to speed up a change. The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. @@ -68,6 +68,13 @@ POSTLOGD(8) POSTLOGD(8) How much time a <a href="postlogd.8.html"><b>postlogd</b>(8)</a> process may take to process a request before it is terminated by a built-in watchdog timer. + Available in Postfix 3.9 and later: + + <b><a href="postconf.5.html#maillog_file_permissions">maillog_file_permissions</a> (0600)</b> + The file access permissions that will be set when the file + $<a href="postconf.5.html#maillog_file">maillog_file</a> is created for the first time, or when the file is + created after an existing file is rotated. + <b>SEE ALSO</b> <a href="postconf.5.html">postconf(5)</a>, configuration parameters syslogd(8), system logging diff --git a/html/postscreen.8.html b/html/postscreen.8.html index 3511a9c..9ab10b7 100644 --- a/html/postscreen.8.html +++ b/html/postscreen.8.html 
@@ -315,31 +315,35 @@ POSTSCREEN(8) POSTSCREEN(8) porary allowlist entry before it is removed. <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b> - The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a - successful "bare newline" SMTP protocol test. + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a client IP + address passed a "bare newline" SMTP protocol test, before it + address is required to pass that test again. <b><a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a></b> <b>(${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b> - The maximum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the - result from a successful DNS-based reputation test before a - client IP address is required to pass that test again. + The maximum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a + client IP address passed a DNS-based reputation test, before it + is required to pass that test again. <b><a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a> (60s)</b> - The minimum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the - result from a successful DNS-based reputation test before a - client IP address is required to pass that test again. + The minimum amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a + client IP address passed a DNS-based reputation test, before it + is required to pass that test again. <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b> - The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a - successful PREGREET test. 
+ The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a client IP + address passed a PREGREET test, before it is required to pass + that test again. <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b> - The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a - successful "non_smtp_command" SMTP protocol test. + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a client IP + address passed a "non_smtp_command" SMTP protocol test, before + it is required to pass that test again. <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b> - The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the result from a - successful "pipelining" SMTP protocol test. + The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> remembers that a client IP + address passed a "pipelining" SMTP protocol test, before it is + required to pass that test again. <b>RESOURCE CONTROLS</b> <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b> diff --git a/html/postsuper.1.html b/html/postsuper.1.html index 30a524a..cf0681a 100644 --- a/html/postsuper.1.html +++ b/html/postsuper.1.html @@ -275,7 +275,7 @@ POSTSUPER(1) POSTSUPER(1) subdirectory levels. <b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b> - The list of environment parameters that a privileged Postfix + The list of environment variables that a privileged Postfix process will import from a non-Postfix parent process, or name=value environment overrides. diff --git a/html/posttls-finger.1.html b/html/posttls-finger.1.html index 2ed629a..a1475ca 100644 --- a/html/posttls-finger.1.html +++ b/html/posttls-finger.1.html 
@@ -112,7 +112,7 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1) ified in the DNS). In Postfix versions prior to 3.6, the default value was "md5". - <b>-f</b> Lookup the associated DANE TLSA RRset even when a hostname is + <b>-f</b> Look up the associated DANE TLSA RRset even when a hostname is not an alias and its address records lie in an unsigned zone. See <a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> for details. @@ -302,6 +302,16 @@ POSTTLS-FINGER(1) POSTTLS-FINGER(1) protocol. The destination <i>domain</i>:<i>port</i> must of course provide such a service. + <b>-x</b> Prefer <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> non-X.509 raw public key (RPK) server creden- + tials. By default only X.509 certificates are accepted. This + is analogous to setting <b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes</b> in the <a href="smtp.8.html">smtp(8)</a> + client. At the fingerprint security level, when raw public keys + are enabled, only public key (and not certificate) fingerprints + will be compared against the specified list of <i>match</i> arguments. + Certificate fingerprints are fragile when raw public keys are + solicited, the server may at some point in time start returning + only the public key. + <b>-X</b> Enable <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> mode. This is an unsupported mode, for pro- gram development only. diff --git a/html/proxymap.8.html b/html/proxymap.8.html index 7c98c47..a1f2f18 100644 --- a/html/proxymap.8.html +++ b/html/proxymap.8.html @@ -41,7 +41,7 @@ PROXYMAP(8) PROXYMAP(8) <b>o</b> To provide single-updater functionality for lookup tables that do not reliably support multiple writers (i.e. all file-based - tables). + tables that are not based on <b>lmdb</b>). The <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server implements the following requests: 
diff --git a/html/qmgr.8.html b/html/qmgr.8.html index bfaa05f..068b256 100644 --- a/html/qmgr.8.html +++ b/html/qmgr.8.html @@ -232,8 +232,8 @@ QMGR(8) QMGR(8) ter.cf</a> name of the message delivery transport. <b><a href="postconf.5.html#default_recipient_refill_delay">default_recipient_refill_delay</a> (5s)</b> - The default per-transport maximum delay between recipients - refills. + The default per-transport maximum delay between refilling recip- + ients. <b><a href="postconf.5.html#transport_recipient_refill_delay">transport_recipient_refill_delay</a> ($<a href="postconf.5.html#default_recipient_refill_delay">default_recipient_refill_delay</a>)</b> A transport-specific override for the <a href="postconf.5.html#default_recipient_refill_delay">default_recipi</a>- diff --git a/html/qmqpd.8.html b/html/qmqpd.8.html index 9506cfa..55cbcdc 100644 --- a/html/qmqpd.8.html +++ b/html/qmqpd.8.html @@ -61,7 +61,7 @@ QMQPD(8) QMQPD(8) <b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b> Enable preliminary SMTPUTF8 support for the protocols described - in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533. + in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>. <b><a href="postconf.5.html#smtputf8_autodetect_classes">smtputf8_autodetect_classes</a> (sendmail, verify)</b> Detect that a message requires SMTPUTF8 support for the speci- diff --git a/html/regexp_table.5.html b/html/regexp_table.5.html index 05cda13..96e4b38 100644 --- a/html/regexp_table.5.html +++ b/html/regexp_table.5.html 
@@ -148,8 +148,12 @@ REGEXP_TABLE(5) REGEXP_TABLE(5) Postfix parses the result as if it is a file in /etc/postfix. - Note: if a rule contains <b>$</b>, specify <b>$$</b> to keep Postfix from trying to - do <i>$name</i> expansion as it evaluates a parameter value. + Note: if an inlined rule contains <b>$</b>, specify <b>$$</b> to keep Postfix from + trying to do <i>$name</i> expansion as it evaluates a parameter value. + + Note: when using <i>$name</i> inside an inlined pattern, this will not disable + metacharacters such as '.' in the <i>$name</i> expansion. To prevent unex- + pected matches, use a <a href="pcre_table.5.html">pcre</a>: table, and specify \Q<i>$name</i>\E. <b>EXAMPLE SMTPD ACCESS MAP</b> # Disallow sender-specified routing. This is a must if you relay mail diff --git a/html/relocated.5.html b/html/relocated.5.html index efd2f53..62a580a 100644 --- a/html/relocated.5.html +++ b/html/relocated.5.html @@ -125,8 +125,8 @@ RELOCATED(5) RELOCATED(5) Other parameters of interest: <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> - The network interface addresses that this mail system receives - mail on. + The local network interface addresses that this mail system + receives mail on. <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b> The list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a> 
@@ -137,8 +137,9 @@ RELOCATED(5) RELOCATED(5) and that locally posted mail is delivered to. <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> - The network interface addresses that this mail system receives - mail on by way of a proxy or network address translation unit. + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- + tion unit. <b>SEE ALSO</b> <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, address resolver diff --git a/html/sendmail.1.html b/html/sendmail.1.html index bebc17b..bf6051d 100644 --- a/html/sendmail.1.html +++ b/html/sendmail.1.html @@ -455,9 +455,11 @@ SENDMAIL(1) SENDMAIL(1) The location of the Postfix top-level queue directory. <b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b> - Don't rewrite message headers from remote clients at all when - this parameter is empty; otherwise, rewrite message headers and - append the specified domain name to incomplete addresses. + Rewrite or add message headers in mail from remote clients if + the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter value is non-empty, + updating incomplete addresses with the domain specified in the + <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter, and adding missing head- + ers. <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> The syslog facility of Postfix logging. diff --git a/html/smtp-source.1.html b/html/smtp-source.1.html index db9a17b..6311971 100644 --- a/html/smtp-source.1.html +++ b/html/smtp-source.1.html 
@@ -49,7 +49,7 @@ SMTP-SOURCE(1) SMTP-SOURCE(1) over the same connection. <b>-f</b> <i>from</i> - Use the specified sender address (default: <foo@<a href="postconf.5.html#myhostname">myhostname</a>>). + Use the specified sender address (default: <foo@my-hostname>). <b>-F</b> <i>file</i> Send the pre-formatted message header and body in the specified 
@@ -65,28 +65,42 @@ SMTP-SOURCE(1) SMTP-SOURCE(1) <b>-m</b> <i>message</i><b>_</b><i>count</i> Send the specified number of messages (default: 1). - <b>-M</b> <i><a href="postconf.5.html#myhostname">myhostname</a></i> + <b>-M</b> <i>my-hostname</i> Use the specified hostname or [address] in the HELO command and in the default sender and recipient addresses, instead of the machine hostname. - <b>-N</b> Prepend a non-repeating sequence number to each recipient - address. This avoids the artificial 100% hit rate in the resolve - and rewrite client caches and exercises the trivial-rewrite dae- - mon, better approximating Postfix performance under real-life - work-loads. + <b>-N</b> Generate each recipient address by appending a number (a + per-process recipient counter) to the recipient address local- + part specified with the <b>-t</b> option. + + Note: to use the number as an address extension, specify an + explicit address delimiter at the end of the recipient local- + part, as in "<b>-t localpart+@domain</b>" or "<b>-t localpart+</b>", where "<b>+</b>" + is a Postfix recipient address delimiter. + + Benefits: + + <b>o</b> A non-constant recipient address avoids an unrealistic + 100% cache hit rate in clients of the Postfix trivial-re- + write service, better approximating performance under + real-life work-loads. + + <b>o</b> A fixed recipient address local-part with a non-constant + address extension avoids the need to configure a large + number of valid recipient addresses in the receiving + Postfix server. <b>-o</b> Old mode: don't send HELO, and don't send message headers. <b>-r</b> <i>recipient</i><b>_</b><i>count</i> - Send the specified number of recipients per transaction - (default: 1). Recipient names are generated by prepending a - number to the recipient address. + Send the specified number of recipients per transaction + (default: 1), and generate recipient addresses as described + under the <b>-N</b> option. 
<b>-R</b> <i>interval</i> - Wait for a random period of time 0 <= n <= interval between mes- - sages. Suspending one thread does not affect other delivery - threads. + Wait a random time (0 <= n <= <i>interval</i>) between messages. Sus- + pending one thread does not affect other delivery threads. <b>-s</b> <i>session</i><b>_</b><i>count</i> Run the specified number of SMTP sessions in parallel (default: @@ -95,7 +109,8 @@ SMTP-SOURCE(1) SMTP-SOURCE(1) <b>-S</b> <i>subject</i> Send mail with the named subject line (default: none). - <b>-t</b> <i>to</i> Use the specified recipient address (default: <foo@<a href="postconf.5.html#myhostname">myhostname</a>>). + <b>-t</b> <i>to</i> Use the specified recipient address (default: <foo@my-host- + name>). <b>-T</b> <i>windowsize</i> Override the default TCP window size. To work around broken TCP diff --git a/html/smtp.8.html b/html/smtp.8.html index 1144ee8..4cc187c 100644 --- a/html/smtp.8.html +++ b/html/smtp.8.html 
@@ -5,88 +5,100 @@ <link rel='stylesheet' type='text/css' href='postfix-doc.css'> <title> Postfix manual - smtp(8) </title> </head> <body> <pre> -SMTP(8) SMTP(8) +SMTP,(LMTP) SMTP,(LMTP) <b>NAME</b> - smtp - Postfix SMTP+LMTP client + smtp, lmtp - Postfix SMTP+LMTP client <b>SYNOPSIS</b> <b>smtp</b> [generic Postfix daemon options] [flags=DORX] + <b>lmtp</b> [generic Postfix daemon options] [flags=DORX] + <b>DESCRIPTION</b> The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery protocols. It processes message delivery requests from the queue man- ager. Each request specifies a queue file, a sender address, a domain or host to deliver to, and recipient information. This program expects - to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager. + to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager. The process name, <b>smtp</b> or + <b>lmtp</b>, controls the protocol, and the names of the configuration parame- + ters that will be used. The SMTP+LMTP client updates the queue file and marks recipients as finished, or it informs the queue manager that delivery should be tried again at a later time. Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>, <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate. - The SMTP+LMTP client looks up a list of mail exchanger addresses for - the destination host, sorts the list by preference, and connects to - each listed address until it finds a server that responds. - - When a server is not reachable, or when mail delivery fails due to a - recoverable error condition, the SMTP+LMTP client will try to deliver - the mail to an alternate host. + The server lookup strategy is different for SMTP and LMTP, as described + in the sections "SMTP SERVER LOOKUP" and "LMTP SERVER LOOKUP". 
- After a successful mail transaction, a connection may be saved to the - <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it may be used by any + After a successful mail transaction, a connection may be saved to the + <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it may be used by any SMTP+LMTP client for a subsequent transaction. - By default, connection caching is enabled temporarily for destinations + By default, connection caching is enabled temporarily for destinations that have a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. Connection caching can be enabled permanently for specific destinations. -<b>SMTP DESTINATION SYNTAX</b> - The Postfix SMTP+LMTP client supports multiple destinations separated - by comma or whitespace (Postfix 3.5 and later). SMTP destinations have - the following form: +<b>SMTP SERVER LOOKUP</b> + The Postfix SMTP client supports multiple destinations separated by + comma or whitespace (Postfix 3.5 and later). Each destination is tried + in the specified order. + + SMTP destinations have the following form: <i>domainname</i> - <i>domainname</i>:<i>port</i> - Look up the mail exchangers for the specified domain, and con- - nect to the specified port (default: <b>smtp</b>). + <i>domainname</i>:<i>service</i> + Look up the mail exchangers for the specified domain, and con- + nect to the specified service (default: <b>smtp</b>). Optionally, mail + exchangers may be looked up with SRV queries instead of MX; this + requires that <i>service</i> is given in symbolic form. [<i>hostname</i>] - [<i>hostname</i>]:<i>port</i> - Look up the address(es) of the specified host, and connect to - the specified port (default: <b>smtp</b>). + [<i>hostname</i>]:<i>service</i> + Look up the address(es) for the specified host, and connect to + the specified service (default: <b>smtp</b>). 
[<i>address</i>] - [<i>address</i>]:<i>port</i> + [<i>address</i>]:<i>service</i> Connect to the host at the specified address, and connect to the - specified port (default: <b>smtp</b>). An IPv6 address must be format- - ted as [<b>ipv6</b>:<i>address</i>]. + specified service (default: <b>smtp</b>). An IPv6 address must be for- + matted as [<b>ipv6</b>:<i>address</i>]. -<b>LMTP DESTINATION SYNTAX</b> - The Postfix SMTP+LMTP client supports multiple destinations separated - by comma or whitespace (Postfix 3.5 and later). LMTP destinations have - the following form: +<b>LMTP SERVER LOOKUP</b> + The Postfix LMTP client supports multiple destinations separated by + comma or whitespace (Postfix 3.5 and later). Each destination is tried + in the specified order. + + LMTP destinations have the following form: <b>unix</b>:<i>pathname</i> - Connect to the local UNIX-domain server that is bound to the - specified <i>pathname</i>. If the process runs chrooted, an absolute + Connect to the local UNIX-domain server that is bound to the + specified <i>pathname</i>. If the process runs chrooted, an absolute pathname is interpreted relative to the Postfix queue directory. + <b>inet</b>:<i>domainname</i> + + <b>inet</b>:<i>domainname</i>:<i>service</i> + Look up the LMTP servers for the specified domain and service + (default: <b>lmtp</b>). This form is supported when SRV lookups are + enabled, and requires that <i>service</i> is in symbolic form. + <b>inet</b>:<i>hostname</i> - <b>inet</b>:<i>hostname</i>:<i>port</i> + <b>inet</b>:<i>hostname</i>:<i>service</i> + Look up the address(es) for the specified host, and connect to + the specified service (default: <b>lmtp</b>). When SRV lookups are + enabled, use the form <b>[</b><i>hostname</i><b>]</b> to force address lookups. <b>inet</b>:[<i>address</i>] - <b>inet</b>:[<i>address</i>]:<i>port</i> - Connect to the specified TCP port on the specified local or - remote host. 
If no port is specified, connect to the port - defined as <b>lmtp</b> in <b>services</b>(4). If no such service is found, - the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b> configuration parameter (default value of 24) - will be used. An IPv6 address must be formatted as + <b>inet</b>:[<i>address</i>]:<i>service</i> + Connect to the specified local or remote host and service + (default: <b>lmtp</b>). An IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>]. <b>SINGLE-RECIPIENT DELIVERY</b> @@ -136,10 +148,9 @@ SMTP(8) SMTP(8) This feature is available as of Postfix 3.5. <b>SECURITY</b> - The SMTP+LMTP client is moderately security-sensitive. It - talks to SMTP or LMTP servers and to DNS servers on the - network. The SMTP+LMTP client can be run chrooted at fixed - low privilege. + The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP + or LMTP servers and to DNS servers on the network. The SMTP+LMTP client + can be run chrooted at fixed low privilege. <b>STANDARDS</b> <a href="https://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol) 
@@ -180,20 +191,19 @@ SMTP(8) SMTP(8) for all destinations that map onto the same IP address and TCP port. <b>CONFIGURATION PARAMETERS</b> - Before Postfix version 2.3, the LMTP client is a separate program that - implements only a subset of the functionality available with SMTP: - there is no support for TLS, and connections are cached in-process, - making it ineffective when the client is used for multiple domains. + Postfix versions 2.3 and later implement the SMTP and LMTP client with + the same program, and choose the protocol and configuration parameters + based on the process name, <b>smtp</b> or <b>lmtp</b>. Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i> "mirror" param- - eter for the equivalent LMTP feature. This document describes only + eter for the equivalent LMTP feature. This document describes only those LMTP-related parameters that aren't simply "mirror" parameters. - Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a> processes + Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a> processes run for only a limited amount of time. Use the command "<b>postfix reload</b>" to speed up a change. - The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for + The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. <b>COMPATIBILITY CONTROLS</b> 
@@ -214,8 +224,8 @@ SMTP(8) SMTP(8) will send via SMTP. <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b> - How long the Postfix SMTP client pauses before sending - ".<CR><LF>" in order to work around the PIX firewall + How long the Postfix SMTP client pauses before sending + ".<CR><LF>" in order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug. <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b> @@ -224,19 +234,19 @@ SMTP(8) SMTP(8) delivery through firewalls with "smtp fixup" mode turned on. <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b> - A list that specifies zero or more workarounds for CISCO PIX + A list that specifies zero or more workarounds for CISCO PIX firewall bugs. <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b> - Lookup tables, indexed by the remote SMTP server address, with + Lookup tables, indexed by the remote SMTP server address, with per-destination workarounds for CISCO PIX firewall bugs. <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b> - Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO + Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands as required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b> - A mechanism to transform replies from remote SMTP servers one + A mechanism to transform replies from remote SMTP servers one line at a time. <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b> 
@@ -248,68 +258,68 @@ SMTP(8) SMTP(8) Available in Postfix version 2.0 and earlier: <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b> - Skip SMTP servers that greet with a 4XX status code (go away, + Skip SMTP servers that greet with a 4XX status code (go away, try again later). Available in Postfix version 2.2 and later: <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b> - Lookup tables, indexed by the remote SMTP server address, with - case insensitive lists of EHLO keywords (pipelining, starttls, + Lookup tables, indexed by the remote SMTP server address, with + case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b> - A case insensitive list of EHLO keywords (pipelining, starttls, + A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b> - Optional lookup tables that perform address rewriting in the - Postfix SMTP client, typically to transform a locally valid - address into a globally valid address when sending mail across + Optional lookup tables that perform address rewriting in the + Postfix SMTP client, typically to transform a locally valid + address into a globally valid address when sending mail across the Internet. 
Available in Postfix version 2.2.9 and later: <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b> - When the remote SMTP servername is a DNS CNAME, replace the - servername with the result from CNAME expansion for the purpose - of logging, SASL password lookup, TLS policy decisions, or TLS + When the remote SMTP servername is a DNS CNAME, replace the + servername with the result from CNAME expansion for the purpose + of logging, SASL password lookup, TLS policy decisions, or TLS certificate verification. Available in Postfix version 2.3 and later: <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b> - Lookup tables, indexed by the remote LMTP server address, with - case insensitive lists of LHLO keywords (pipelining, starttls, + Lookup tables, indexed by the remote LMTP server address, with + case insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.) that the Postfix LMTP client will ignore in the LHLO response from a remote LMTP server. <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b> - A case insensitive list of LHLO keywords (pipelining, starttls, + A case insensitive list of LHLO keywords (pipelining, starttls, auth, etc.) that the Postfix LMTP client will ignore in the LHLO response from a remote LMTP server. Available in Postfix version 2.4.4 and later: <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b> - When authenticating to a remote SMTP or LMTP server with the - default setting "no", send no SASL authoriZation ID (authzid); - send only the SASL authentiCation ID (authcid) plus the auth- + When authenticating to a remote SMTP or LMTP server with the + default setting "no", send no SASL authoriZation ID (authzid); + send only the SASL authentiCation ID (authcid) plus the auth- cid's password. 
Available in Postfix version 2.5 and later: <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b> - Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client. + Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client. <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b> - Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP + Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP client. <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b> - Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP + Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP client. <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b> @@ -318,7 +328,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.6 and later: <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b> - An optional workaround for routers that break TCP window scal- + An optional workaround for routers that break TCP window scal- ing. Available in Postfix version 2.8 and later: 
@@ -329,16 +339,16 @@ SMTP(8) SMTP(8) Available in Postfix version 2.9 - 3.6: <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.9 and later: <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> - Whether or not to append the "AUTH=<>" option to the MAIL FROM + Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. Available in Postfix version 2.11 and later: @@ -349,7 +359,7 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: <b><a href="postconf.5.html#smtp_delivery_status_filter">smtp_delivery_status_filter</a> ($<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b> - Optional filter for the <a href="smtp.8.html"><b>smtp</b>(8)</a> delivery agent to change the + Optional filter for the <a href="smtp.8.html"><b>smtp</b>(8)</a> delivery agent to change the delivery status code or explanatory text of successful or unsuc- cessful deliveries. 
@@ -359,38 +369,38 @@ SMTP(8) SMTP(8) Available in Postfix version 3.3 and later: <b><a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a> (yes)</b> - When a remote destination resolves to a combination of IPv4 and + When a remote destination resolves to a combination of IPv4 and IPv6 addresses, ensure that the Postfix SMTP client can try both address types before it runs into the <a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a>. Available in Postfix 3.5 and later: <b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b> - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). Available in Postfix 3.6 and later: <b><a href="postconf.5.html#dnssec_probe">dnssec_probe</a> (ns:.)</b> - The DNS query type (default: "ns") and DNS query name (default: + The DNS query type (default: "ns") and DNS query name (default: ".") that Postfix may use to determine whether DNSSEC validation is available. - <b><a href="postconf.5.html#known_tcp_ports">known_tcp_ports</a> (lmtp=24, smtp=25, smtps=submissions=465, submis-</b> + <b><a href="postconf.5.html#known_tcp_ports">known_tcp_ports</a> (lmtp=24, smtp=25, smtps=submissions=465, submis-</b> <b>sion=587)</b> - Optional setting that avoids lookups in the <b>services</b>(5) data- + Optional setting that avoids lookups in the <b>services</b>(5) data- base. 
Available in Postfix version 3.7 and later: <b><a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a> (no)</b> - Change the behavior of the smtp_*_timeout time limits, from a - time limit per plaintext or TLS read or write call, to a com- - bined time limit for sending a complete SMTP request and for + Change the behavior of the smtp_*_timeout time limits, from a + time limit per plaintext or TLS read or write call, to a com- + bined time limit for sending a complete SMTP request and for receiving a complete SMTP response. <b><a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> (500)</b> - The minimum plaintext data transfer rate in bytes/second for + The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>. @@ -400,16 +410,16 @@ SMTP(8) SMTP(8) Available in Postfix version 3.8 and later: <b><a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a> (empty)</b> - Enables discovery for the specified service(s) using DNS SRV + Enables discovery for the specified service(s) using DNS SRV records. <b><a href="postconf.5.html#ignore_srv_lookup_error">ignore_srv_lookup_error</a> (no)</b> - When SRV record lookup fails, fall back to MX or IP address + When SRV record lookup fails, fall back to MX or IP address lookup as if SRV record lookup was not enabled. <b><a href="postconf.5.html#allow_srv_lookup_fallback">allow_srv_lookup_fallback</a> (no)</b> - When SRV record lookup fails or no SRV record exists, fall back - to MX or IP address lookup as if SRV record lookup was not + When SRV record lookup fails or no SRV record exists, fall back + to MX or IP address lookup as if SRV record lookup was not enabled. <b>MIME PROCESSING CONTROLS</b> 
@@ -428,7 +438,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b> - Send the non-standard XFORWARD command when the Postfix SMTP + Send the non-standard XFORWARD command when the Postfix SMTP server EHLO response announces XFORWARD support. <b>SASL AUTHENTICATION CONTROLS</b> 
@@ -436,60 +446,66 @@ SMTP(8) SMTP(8) Enable SASL authentication in the Postfix SMTP client. <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b> - Optional Postfix SMTP client lookup tables with one user- - name:password entry per sender, remote hostname or next-hop + Optional Postfix SMTP client lookup tables with one user- + name:password entry per sender, remote hostname or next-hop domain. <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b> Postfix SMTP client SASL security options; as of Postfix 2.3 the - list of available features depends on the SASL client implemen- + list of available features depends on the SASL client implemen- tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. Available in Postfix version 2.2 and later: <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b> - If non-empty, a Postfix SMTP client filter for the remote SMTP + If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. Available in Postfix version 2.3 and later: <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b> Enable sender-dependent authentication in the Postfix SMTP - client; this is available only with SASL authentication, and - disables SMTP connection caching to ensure that mail from dif- + client; this is available only with SASL authentication, and + disables SMTP connection caching to ensure that mail from dif- ferent senders will use the appropriate credentials. 
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b> Implementation-specific information that the Postfix SMTP client - passes through to the SASL plug-in implementation that is + passes through to the SASL plug-in implementation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b> - The SASL plug-in type that the Postfix SMTP client should use + The SASL plug-in type that the Postfix SMTP client should use for authentication. Available in Postfix version 2.5 and later: <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b> - An optional table to prevent repeated SASL authentication fail- - ures with the same remote SMTP server hostname, username and + An optional table to prevent repeated SASL authentication fail- + ures with the same remote SMTP server hostname, username and password. <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b> - The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it + The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it is removed. <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b> - When a remote SMTP server rejects a SASL authentication request - with a 535 reply code, defer mail delivery instead of returning + When a remote SMTP server rejects a SASL authentication request + with a 535 reply code, defer mail delivery instead of returning mail as undeliverable. 
Available in Postfix version 2.9 and later: <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> - Whether or not to append the "AUTH=<>" option to the MAIL FROM + Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. + Available in Postfix version 3.9 and later: + + <b><a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> (:)</b> + The delimiter between username and password in sasl_passwd_maps + lookup results. + <b>STARTTLS SUPPORT CONTROLS</b> Detailed information about STARTTLS configuration may be found in the <a href="TLS_README.html">TLS_README</a> document. @@ -619,7 +635,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.6 and later: - <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see postconf -d output)</b> + <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (see 'postconf -d' output)</b> TLS protocols that the Postfix SMTP client will use with oppor- tunistic TLS encryption. @@ -724,6 +740,12 @@ SMTP(8) SMTP(8) The application name passed by Postfix to OpenSSL library ini- tialization functions. + Available in Postfix version 3.9 and later: + + <b><a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> (no)</b> + Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key + instead of an X.509 certificate. + <b>OBSOLETE STARTTLS CONTROLS</b> The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a 
@@ -954,7 +976,7 @@ SMTP(8) SMTP(8) The local network interface addresses that this mail system receives mail on. - <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b> + <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b> The Internet protocols Postfix will attempt to use when making or accepting connections. @@ -1119,5 +1141,5 @@ SMTP(8) SMTP(8) Victor Duchovni Morgan Stanley - SMTP(8) + 8 SMTP,(LMTP) </pre> </body> </html> diff --git a/html/smtpd.8.html b/html/smtpd.8.html index 672302a..85a8aee 100644 --- a/html/smtpd.8.html +++ b/html/smtpd.8.html @@ -560,7 +560,7 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.6 and later: - <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (see postconf -d output)</b> + <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (see 'postconf -d' output)</b> TLS protocols accepted by the Postfix SMTP server with oppor- tunistic TLS encryption. @@ -648,6 +648,13 @@ SMTPD(8) SMTPD(8) The application name passed by Postfix to OpenSSL library ini- tialization functions. + Available in Postfix version 3.9 and later: + + <b><a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> (no)</b> + Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key + instead of an X.509 certificate, when asking for or requiring + client authentication. + <b>OBSOLETE STARTTLS CONTROLS</b> The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a 
@@ -801,7 +808,7 @@ SMTPD(8) SMTPD(8) receives mail on by way of a proxy or network address transla- tion unit. - <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d output')</b> + <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (see 'postconf -d' output)</b> The Internet protocols Postfix will attempt to use when making or accepting connections. 
@@ -840,30 +847,31 @@ SMTPD(8) SMTPD(8) aliased to addresses in other local or remote domains. <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b> - Optional lookup tables that alias specific mail addresses or - domains to other local or remote addresses. + Optional lookup tables with aliases that apply to all recipi- + ents: <a href="local.8.html"><b>local</b>(8)</a>, virtual, and remote; this is unlike <a href="postconf.5.html#alias_maps">alias_maps</a> + that apply only to <a href="local.8.html"><b>local</b>(8)</a> recipients. <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b> - The Postfix SMTP server reply code when a recipient address - matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> speci- - fies a list of lookup tables that does not match the recipient + The Postfix SMTP server reply code when a recipient address + matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> speci- + fies a list of lookup tables that does not match the recipient address. Parameters concerning known/unknown recipients in virtual mailbox domains: <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b> - Postfix is the final destination for the specified list of - domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">virtual_transport</a> mail + Postfix is the final destination for the specified list of + domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">virtual_transport</a> mail delivery transport. 
<b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b> - Optional lookup tables with all valid addresses in the domains + Optional lookup tables with all valid addresses in the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>. <b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b> - The Postfix SMTP server reply code when a recipient address - matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> + The Postfix SMTP server reply code when a recipient address + matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> specifies a list of lookup tables that does not match the recip- ient address. @@ -872,7 +880,7 @@ SMTPD(8) SMTPD(8) control client request rates. <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b> - Upon input, long lines are chopped up into pieces of at most + Upon input, long lines are chopped up into pieces of at most this length; upon delivery, long lines are reconstructed. <b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b> 
@@ -880,62 +888,62 @@ SMTPD(8) SMTPD(8) tem that is needed to receive mail. <b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b> - The maximal size in bytes of a message, including envelope + The maximal size in bytes of a message, including envelope information. <b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b> - The maximal number of recipients that the Postfix SMTP server + The maximal number of recipients that the Postfix SMTP server accepts per message delivery request. <b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (normal: 300s, overload: 10s)</b> - When the Postfix SMTP server wants to send an SMTP server - response, how long the Postfix SMTP server will wait for an - underlying network write operation to complete; and when the - Postfix SMTP server Postfix wants to receive an SMTP client - request, how long the Postfix SMTP server will wait for an + When the Postfix SMTP server wants to send an SMTP server + response, how long the Postfix SMTP server will wait for an + underlying network write operation to complete; and when the + Postfix SMTP server Postfix wants to receive an SMTP client + request, how long the Postfix SMTP server will wait for an underlying network read operation to complete. <b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b> - The maximal number of lines in the Postfix SMTP server command - history before it is flushed upon receipt of EHLO, RSET, or end + The maximal number of lines in the Postfix SMTP server command + history before it is flushed upon receipt of EHLO, RSET, or end of DATA. Available in Postfix version 2.3 and later: <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b> - Attempt to look up the remote SMTP client hostname, and verify + Attempt to look up the remote SMTP client hostname, and verify that the name matches the client IP address. 
The per SMTP client connection count and request rate limits are imple- - mented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> service, and are available in + mented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> service, and are available in Postfix version 2.2 and later. <b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b> - How many simultaneous connections any client is allowed to make + How many simultaneous connections any client is allowed to make to this service. <b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b> - The maximal number of connection attempts any client is allowed + The maximal number of connection attempts any client is allowed to make to this service per time unit. <b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b> - The maximal number of message delivery requests that any client - is allowed to make to this service per time unit, regardless of + The maximal number of message delivery requests that any client + is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. <b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b> - The maximal number of recipient addresses that any client is - allowed to send to this service per time unit, regardless of + The maximal number of recipient addresses that any client is + allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those recipients. 
<b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b> - Clients that are excluded from smtpd_client_*_count/rate_limit + Clients that are excluded from smtpd_client_*_count/rate_limit restrictions. Available in Postfix version 2.3 and later: <b><a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (0)</b> - The maximal number of new (i.e., uncached) TLS sessions that a + The maximal number of new (i.e., uncached) TLS sessions that a remote SMTP client is allowed to negotiate with this service per time unit. 
@@ -943,29 +951,29 @@ SMTPD(8) SMTPD(8) <b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b> Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_start</a>- - <a href="postconf.5.html#smtpd_starttls_timeout">tls_timeout</a> time limits, from a time limit per read or write - system call, to a time limit to send or receive a complete - record (an SMTP command line, SMTP response line, SMTP message + <a href="postconf.5.html#smtpd_starttls_timeout">tls_timeout</a> time limits, from a time limit per read or write + system call, to a time limit to send or receive a complete + record (an SMTP command line, SMTP response line, SMTP message content line, or TLS protocol message). Available in Postfix version 3.1 and later: <b><a href="postconf.5.html#smtpd_client_auth_rate_limit">smtpd_client_auth_rate_limit</a> (0)</b> - The maximal number of AUTH commands that any client is allowed - to send to this service per time unit, regardless of whether or + The maximal number of AUTH commands that any client is allowed + to send to this service per time unit, regardless of whether or not Postfix actually accepts those commands. Available in Postfix version 3.7 and later: <b><a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a> (normal: no, overload: yes)</b> Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_start</a>- - <a href="postconf.5.html#smtpd_starttls_timeout">tls_timeout</a> time limits, from a time limit per plaintext or TLS - read or write call, to a combined time limit for receiving a - complete SMTP request and for sending a complete SMTP response. 
+ <a href="postconf.5.html#smtpd_starttls_timeout">tls_timeout</a> time limits, from a time limit per plaintext or TLS + read or write call, to a combined time limit for receiving a + complete SMTP request and for sending a complete SMTP response. <b><a href="postconf.5.html#smtpd_min_data_rate">smtpd_min_data_rate</a> (500)</b> - The minimum plaintext data transfer rate in bytes/second for - DATA and BDAT requests, when deadlines are enabled with + The minimum plaintext data transfer rate in bytes/second for + DATA and BDAT requests, when deadlines are enabled with <a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a>. <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b> 
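Review bot: Every removed/added pair in this hunk (smtpd_per_record_deadline through smtpd_min_data_rate) reads word for word the same, so the only difference is inter-word spacing from regenerating the justified text. That churn buries the real wording changes in this file, such as the smtpd_forbid_bare_newline default in the next hunk. Consider committing the regenerated spacing separately, or reviewing with whitespace changes ignored, so the substantive edits stand out.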
@@ -974,27 +982,27 @@ SMTPD(8) SMTPD(8) Available in Postfix version 3.8 and later: <b><a href="postconf.5.html#smtpd_client_ipv4_prefix_length">smtpd_client_ipv4_prefix_length</a> (32)</b> - Aggregate smtpd_client_*_count and smtpd_client_*_rate statis- + Aggregate smtpd_client_*_count and smtpd_client_*_rate statis- tics by IPv4 network blocks with the specified network prefix. <b><a href="postconf.5.html#smtpd_client_ipv6_prefix_length">smtpd_client_ipv6_prefix_length</a> (84)</b> - Aggregate smtpd_client_*_count and smtpd_client_*_rate statis- + Aggregate smtpd_client_*_count and smtpd_client_*_rate statis- tics by IPv6 network blocks with the specified network prefix. Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later: <b><a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> (Postfix</b> ><b>= 3.9: yes)</b> - Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321) + Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321) command pipelining constraints. Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later: - <b><a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> (Postfix</b> < <b>3.9: no)</b> - Reject or restrict input lines from an SMTP client that end in + <b><a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> (Postfix</b> ><b>= 3.9: normalize)</b> + Reject or restrict input lines from an SMTP client that end in <LF> instead of the standard <CR><LF>. 
<b><a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b> - Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> + Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> enforcement. Available in Postfix 3.9, 3.8.5, 3.7.10, 3.6.14, 3.5.24 and later: 
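Review bot: The smtpd_forbid_bare_newline entry now states only the "Postfix >= 3.9: normalize" default and drops the old "Postfix < 3.9: no" text, yet the heading directly above it still reads "Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later". An operator on one of the listed stable releases can no longer tell from this summary that their default is "no", meaning input lines ending in a bare <LF> are neither rejected nor restricted. Consider listing both defaults in the parenthesised summary, or pointing to the postconf(5) entry for the per-version default. The other removed/added pairs in this hunk read word for word the same and appear to be spacing-only.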
@@ -1004,55 +1012,55 @@ SMTPD(8) SMTPD(8) request with "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = reject". <b>TARPIT CONTROLS</b> - When a remote SMTP client makes errors, the Postfix SMTP server can - insert delays before responding. This can help to slow down run-away - software. The behavior is controlled by an error counter that counts + When a remote SMTP client makes errors, the Postfix SMTP server can + insert delays before responding. This can help to slow down run-away + software. The behavior is controlled by an error counter that counts the number of errors within an SMTP session that a client makes without delivering mail. <b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b> - With Postfix version 2.1 and later: the SMTP server response - delay after a client has made more than $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> - errors, and fewer than $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without + With Postfix version 2.1 and later: the SMTP server response + delay after a client has made more than $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> + errors, and fewer than $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering mail. <b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b> - The number of errors a remote SMTP client is allowed to make - without delivering mail before the Postfix SMTP server slows + The number of errors a remote SMTP client is allowed to make + without delivering mail before the Postfix SMTP server slows down all its responses. 
<b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (normal: 20, overload: 1)</b> - The maximal number of errors a remote SMTP client is allowed to + The maximal number of errors a remote SMTP client is allowed to make without delivering mail. <b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (normal: 100, overload: 1)</b> - The number of junk commands (NOOP, VRFY, ETRN or RSET) that a - remote SMTP client can send before the Postfix SMTP server + The number of junk commands (NOOP, VRFY, ETRN or RSET) that a + remote SMTP client can send before the Postfix SMTP server starts to increment the error counter with each junk command. Available in Postfix version 2.1 and later: <b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b> - The number of recipients that a remote SMTP client can send in + The number of recipients that a remote SMTP client can send in excess of the limit specified with $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, - before the Postfix SMTP server increments the per-session error + before the Postfix SMTP server increments the per-session error count for each excess recipient. <b>ACCESS POLICY DELEGATION CONTROLS</b> - As of version 2.1, Postfix can be configured to delegate access policy - decisions to an external server that runs outside Postfix. See the + As of version 2.1, Postfix can be configured to delegate access policy + decisions to an external server that runs outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for more information. <b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b> - The time after which an idle SMTPD policy service connection is + The time after which an idle SMTPD policy service connection is closed. 
<b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b> - The time after which an active SMTPD policy service connection + The time after which an active SMTPD policy service connection is closed. <b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b> - The time limit for connecting to, writing to, or receiving from + The time limit for connecting to, writing to, or receiving from a delegated SMTPD policy server. Available in Postfix version 3.0 and later: 
@@ -1062,81 +1070,81 @@ SMTPD(8) SMTPD(8) The default action when an SMTPD policy service request fails. <b><a href="postconf.5.html#smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a> (0)</b> - The maximal number of requests per SMTPD policy service connec- + The maximal number of requests per SMTPD policy service connec- tion, or zero (no limit). <b><a href="postconf.5.html#smtpd_policy_service_try_limit">smtpd_policy_service_try_limit</a> (2)</b> - The maximal number of attempts to send an SMTPD policy service + The maximal number of attempts to send an SMTPD policy service request before giving up. <b><a href="postconf.5.html#smtpd_policy_service_retry_delay">smtpd_policy_service_retry_delay</a> (1s)</b> - The delay between attempts to resend a failed SMTPD policy ser- + The delay between attempts to resend a failed SMTPD policy ser- vice request. Available in Postfix version 3.1 and later: <b><a href="postconf.5.html#smtpd_policy_service_policy_context">smtpd_policy_service_policy_context</a> (empty)</b> - Optional information that the Postfix SMTP server specifies in - the "policy_context" attribute of a policy service request - (originally, to share the same service endpoint among multiple + Optional information that the Postfix SMTP server specifies in + the "policy_context" attribute of a policy service request + (originally, to share the same service endpoint among multiple <a href="postconf.5.html#check_policy_service">check_policy_service</a> clients). <b>ACCESS CONTROLS</b> - The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to all the SMTP + The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to all the SMTP server access control features. 
<b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b> - Wait until the RCPT TO command before evaluating + Wait until the RCPT TO command before evaluating $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until the ETRN command - before evaluating $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and + before evaluating $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>. <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' output)</b> - A list of Postfix features where the pattern "example.com" also - matches subdomains of example.com, instead of requiring an + A list of Postfix features where the pattern "example.com" also + matches subdomains of example.com, instead of requiring an explicit ".example.com" pattern. <b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b> - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client connection request. <b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b> - Require that a remote SMTP client introduces itself with the - HELO or EHLO command before sending the MAIL command or other + Require that a remote SMTP client introduces itself with the + HELO or EHLO command before sending the MAIL command or other commands that require EHLO negotiation. 
<b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b> - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client HELO command. <b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b> - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client MAIL FROM command. <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (see 'postconf -d' output)</b> - Optional restrictions that the Postfix SMTP server applies in - the context of a client RCPT TO command, after + Optional restrictions that the Postfix SMTP server applies in + the context of a client RCPT TO command, after <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>. <b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b> - Optional restrictions that the Postfix SMTP server applies in + Optional restrictions that the Postfix SMTP server applies in the context of a client ETRN command. <b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b> - Forward mail with sender-specified routing - (user[@%!]remote[@%!]site) from untrusted clients to destina- + Forward mail with sender-specified routing + (user[@%!]remote[@%!]site) from untrusted clients to destina- tions matching $<a href="postconf.5.html#relay_domains">relay_domains</a>. <b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b> User-defined aliases for groups of access restrictions. 
<b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b><><b>)</b> - The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables instead of + The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables instead of the null sender address. <b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b> - Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP access feature to + Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP access feature to only domains whose primary MX hosts match the listed networks. Available in Postfix version 2.0 and later: 
@@ -1146,19 +1154,19 @@ SMTPD(8) SMTPD(8) applies in the context of the SMTP DATA command. <b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b> - What characters are allowed in $name expansions of RBL reply + What characters are allowed in $name expansions of RBL reply templates. Available in Postfix version 2.1 and later: <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b> - Request that the Postfix SMTP server rejects mail from unknown - sender addresses, even when no explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> + Request that the Postfix SMTP server rejects mail from unknown + sender addresses, even when no explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction is specified. <b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b> - Request that the Postfix SMTP server rejects mail for unknown - recipient addresses, even when no explicit + Request that the Postfix SMTP server rejects mail for unknown + recipient addresses, even when no explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restriction is specified. Available in Postfix version 2.2 and later: 
@@ -1172,17 +1180,17 @@ SMTPD(8) SMTPD(8) <b><a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,</b> <b><a href="postconf.5.html#defer_unauth_destination">defer_unauth_destination</a>)</b> Access restrictions for mail relay control that the Postfix SMTP - server applies in the context of the RCPT TO command, before + server applies in the context of the RCPT TO command, before <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>. <b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b> - Postfix version 2.1 introduces sender and recipient address verifica- + Postfix version 2.1 introduces sender and recipient address verifica- tion. This feature is implemented by sending probe email messages that are not actually delivered. This feature is requested via the - <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access - restrictions. The status of verification probes is maintained by the - <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> for infor- - mation about how to configure and operate the Postfix sender/recipient + <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access + restrictions. The status of verification probes is maintained by the + <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> for infor- + mation about how to configure and operate the Postfix sender/recipient address verification service. 
<b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (normal: 3, overload: 1)</b> @@ -1194,7 +1202,7 @@ SMTPD(8) SMTPD(8) fication request in progress. <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b> - The sender address to use in address verification probes; prior + The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". <b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b> @@ -1202,18 +1210,18 @@ SMTPD(8) SMTPD(8) address is rejected by the <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction. <b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b> - The numerical Postfix SMTP server response when a recipient - address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> restric- + The numerical Postfix SMTP server response when a recipient + address is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> restric- tion. Available in Postfix version 2.6 and later: <b><a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> (450)</b> - The numerical Postfix SMTP server response code when a sender + The numerical Postfix SMTP server response code when a sender address probe fails due to a temporary error condition. <b><a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> (450)</b> - The numerical Postfix SMTP server response when a recipient + The numerical Postfix SMTP server response when a recipient address probe fails due to a temporary error condition. <b><a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> (empty)</b> 
@@ -1225,17 +1233,17 @@ SMTPD(8) SMTPD(8) <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>. <b><a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b> - The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> + The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> fails due to a temporary error condition. <b><a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b> - The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipi</a>- + The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipi</a>- <a href="postconf.5.html#reject_unverified_recipient">ent</a> fails due to a temporary error condition. Available with Postfix 2.9 and later: <b><a href="postconf.5.html#address_verify_sender_ttl">address_verify_sender_ttl</a> (0s)</b> - The time between changes in the time-dependent portion of + The time between changes in the time-dependent portion of address verification probe sender addresses. <b>ACCESS CONTROL RESPONSES</b> 
@@ -1247,36 +1255,36 @@ SMTPD(8) SMTPD(8) map "reject" action. <b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b> - The numerical Postfix SMTP server response code when a remote + The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction. <b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b> - The numerical Postfix SMTP server response code when the client - HELO or EHLO command parameter is rejected by the + The numerical Postfix SMTP server response code when the client + HELO or EHLO command parameter is rejected by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a> restriction. <b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b> - The numerical Postfix SMTP server response code when a remote - SMTP client request is blocked by the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, + The numerical Postfix SMTP server response code when a remote + SMTP client request is blocked by the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>, <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a>, <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> restriction. 
<b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b> - The numerical Postfix SMTP server reply code when a client - request is rejected by the <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>, + The numerical Postfix SMTP server reply code when a client + request is rejected by the <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>, <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a> restriction. <b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b> - The numerical Postfix SMTP server response code when a request + The numerical Postfix SMTP server response code when a request is rejected by the <b><a href="postconf.5.html#reject_plaintext_session">reject_plaintext_session</a></b> restriction. <b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b> - The numerical Postfix SMTP server response code when a remote + The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "reject" restriction. <b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b> - The numerical Postfix SMTP server response code when a client - request is rejected by the <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient + The numerical Postfix SMTP server response code when a client + request is rejected by the <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction. <b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b> 
@@ -1284,24 +1292,24 @@ SMTPD(8) SMTPD(8) a sender or recipient address because its domain is unknown. <b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b> - The numerical Postfix SMTP server response code when a client - without valid address <=> name mapping is rejected by the + The numerical Postfix SMTP server response code when a client + without valid address <=> name mapping is rejected by the <a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a> restriction. <b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b> - The numerical Postfix SMTP server response code when the host- - name specified with the HELO or EHLO command is rejected by the + The numerical Postfix SMTP server response code when the host- + name specified with the HELO or EHLO command is rejected by the <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction. Available in Postfix version 2.0 and later: <b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b> - The default Postfix SMTP server response template for a request + The default Postfix SMTP server response template for a request that is rejected by an RBL-based restriction. <b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b> - The numerical Postfix SMTP server response code when a remote - SMTP client request is blocked by the <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipi</a>- + The numerical Postfix SMTP server response code when a remote + SMTP client request is blocked by the <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipi</a>- <a href="postconf.5.html#reject_multi_recipient_bounce">ent_bounce</a> restriction. <b><a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> (empty)</b> 
@@ -1311,52 +1319,52 @@ SMTPD(8) SMTPD(8) <b><a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> (450)</b> The numerical Postfix SMTP server response code for an <a href="access.5.html"><b>access</b>(5)</a> - map "defer" action, including "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or + map "defer" action, including "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>". <b><a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a> (<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>)</b> - The Postfix SMTP server's action when a reject-type restriction + The Postfix SMTP server's action when a reject-type restriction fails due to a temporary error condition. <b><a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b> - The Postfix SMTP server's action when <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_host</a>- + The Postfix SMTP server's action when <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_host</a>- <a href="postconf.5.html#reject_unknown_helo_hostname">name</a> fails due to a temporary error condition. 
<b><a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b> - The Postfix SMTP server's action when - <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> + The Postfix SMTP server's action when + <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> fail due to a temporary error condition. <b>MISCELLANEOUS CONTROLS</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> - The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- + The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- figuration files. <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> - How much time a Postfix daemon process may take to handle a + How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer. <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b> The location of all postfix administrative commands. <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b> - The sender address of postmaster notifications that are gener- + The sender address of postmaster notifications that are gener- ated by the mail system. <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> - The time limit for sending or receiving information over an + The time limit for sending or receiving information over an internal communication channel. 
<b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b> - The mail system name that is displayed in Received: headers, in + The mail system name that is displayed in Received: headers, in the SMTP greeting banner, and in bounced mail. <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b> - The UNIX system account that owns the Postfix queue and most + The UNIX system account that owns the Postfix queue and most Postfix daemon processes. <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> - The maximum amount of time that an idle Postfix daemon process + The maximum amount of time that an idle Postfix daemon process waits for an incoming connection before terminating voluntarily. <b><a href="postconf.5.html#max_use">max_use</a> (100)</b> @@ -1367,11 +1375,11 @@ SMTPD(8) SMTPD(8) The internet hostname of this mail system. <b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b> - The list of "trusted" remote SMTP clients that have more privi- + The list of "trusted" remote SMTP clients that have more privi- leges than "strangers". <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> - The domain name that locally-posted mail appears to come from, + The domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> 
@@ -1384,24 +1392,24 @@ SMTPD(8) SMTPD(8) The location of the Postfix top-level queue directory. <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b> - The set of characters that can separate an email address local- + The set of characters that can separate an email address local- part, user name, or a .forward file name from its extension. <b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b> - The text that follows the 220 status code in the SMTP greeting + The text that follows the 220 status code in the SMTP greeting banner. <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> The syslog facility of Postfix logging. <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix version 2.2 and later: <b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT GET POST <a href="regexp_table.5.html">regexp</a>:{{/^[^A-Z]/ Bogus}})</b> - List of commands that cause the Postfix SMTP server to immedi- + List of commands that cause the Postfix SMTP server to immedi- ately terminate the session with a 221 code. Available in Postfix version 2.5 and later: @@ -1418,7 +1426,7 @@ SMTPD(8) SMTPD(8) Available in Postfix 3.4 and later: <b><a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a> (empty)</b> - Lookup tables, indexed by the complete Postfix SMTP server 4xx + Lookup tables, indexed by the complete Postfix SMTP server 4xx or 5xx response, with reject footer templates. <b>SEE ALSO</b> diff --git a/html/socketmap_table.5.html b/html/socketmap_table.5.html index a8bbd07..4c9e96c 100644 
--- a/html/socketmap_table.5.html +++ b/html/socketmap_table.5.html @@ -18,7 +18,7 @@ SOCKETMAP_TABLE(5) SOCKETMAP_TABLE(5) <b>postmap -q - <a href="socketmap_table.html">socketmap</a>:unix:</b><i>pathname</i><b>:</b><i>name</i> <<i>inputfile</i> <b>DESCRIPTION</b> - The Postfix mail system uses optional tables for address rewriting. + The Postfix mail system uses optional tables for address rewriting, mail routing or policy lookup. The Postfix socketmap client expects TCP endpoint names of the form diff --git a/html/tlsproxy.8.html b/html/tlsproxy.8.html index 0c36743..615a222 100644 --- a/html/tlsproxy.8.html +++ b/html/tlsproxy.8.html 
@@ -170,26 +170,26 @@ TLSPROXY(8) TLSPROXY(8) tialization functions. <b>STARTTLS SERVER CONTROLS</b> - These settings are clones of Postfix SMTP server settings. They allow + These settings are clones of Postfix SMTP server settings. They allow <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as - the Postfix SMTP server, before dropping privileges, so that the key - files can be kept read-only for root. These settings can currently not - be overruled by information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request, but that + the Postfix SMTP server, before dropping privileges, so that the key + files can be kept read-only for root. These settings can currently not + be overruled by information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request, but that limitation may be removed in a future version. <b><a href="postconf.5.html#tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a> ($<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b> - A file containing (PEM format) CA certificates of root CAs + A file containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. <b><a href="postconf.5.html#tlsproxy_tls_CApath">tlsproxy_tls_CApath</a> ($<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>)</b> - A directory containing (PEM format) CA certificates of root CAs + A directory containing (PEM format) CA certificates of root CAs trusted to sign either remote SMTP client certificates or inter- mediate CA certificates. 
<b><a href="postconf.5.html#tlsproxy_tls_always_issue_session_ids">tlsproxy_tls_always_issue_session_ids</a> ($<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_ses</a>-</b> <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">sion_ids</a>)</b> - Force the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server to issue a TLS session id, + Force the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server to issue a TLS session id, even when TLS session caching is turned off. <b><a href="postconf.5.html#tlsproxy_tls_ask_ccert">tlsproxy_tls_ask_ccert</a> ($<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>)</b> @@ -199,7 +199,7 @@ TLSPROXY(8) TLSPROXY(8) The verification depth for remote SMTP client certificates. <b><a href="postconf.5.html#tlsproxy_tls_cert_file">tlsproxy_tls_cert_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA certificate in PEM + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA certificate in PEM format. <b><a href="postconf.5.html#tlsproxy_tls_ciphers">tlsproxy_tls_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>)</b> 
@@ -207,47 +207,47 @@ TLSPROXY(8) TLSPROXY(8) will use with opportunistic TLS encryption. <b><a href="postconf.5.html#tlsproxy_tls_dcert_file">tlsproxy_tls_dcert_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA certificate in PEM + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA certificate in PEM format. <b><a href="postconf.5.html#tlsproxy_tls_dh1024_param_file">tlsproxy_tls_dh1024_param_file</a> ($<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>)</b> - File with DH parameters that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server + File with DH parameters that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server should use with non-export EDH ciphers. <b><a href="postconf.5.html#tlsproxy_tls_dh512_param_file">tlsproxy_tls_dh512_param_file</a> ($<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>)</b> - File with DH parameters that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server + File with DH parameters that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server should use with export-grade EDH ciphers. <b><a href="postconf.5.html#tlsproxy_tls_dkey_file">tlsproxy_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA private key in PEM + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server DSA private key in PEM format. 
<b><a href="postconf.5.html#tlsproxy_tls_eccert_file">tlsproxy_tls_eccert_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server ECDSA certificate in + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server ECDSA certificate in PEM format. <b><a href="postconf.5.html#tlsproxy_tls_eckey_file">tlsproxy_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server ECDSA private key in + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server ECDSA private key in PEM format. <b><a href="postconf.5.html#tlsproxy_tls_eecdh_grade">tlsproxy_tls_eecdh_grade</a> ($<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>)</b> - The Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server security grade for ephemeral + The Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. <b><a href="postconf.5.html#tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b> - List of ciphers or cipher types to exclude from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> + List of ciphers or cipher types to exclude from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at all TLS security levels. <b><a href="postconf.5.html#tlsproxy_tls_fingerprint_digest">tlsproxy_tls_fingerprint_digest</a> ($<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a>)</b> - The message digest algorithm to construct remote SMTP + The message digest algorithm to construct remote SMTP client-certificate fingerprints. 
<b><a href="postconf.5.html#tlsproxy_tls_key_file">tlsproxy_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA private key in PEM + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server RSA private key in PEM format. <b><a href="postconf.5.html#tlsproxy_tls_loglevel">tlsproxy_tls_loglevel</a> ($<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a>)</b> - Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server logging of TLS + Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server logging of TLS activity. <b><a href="postconf.5.html#tlsproxy_tls_mandatory_ciphers">tlsproxy_tls_mandatory_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>)</b> @@ -256,7 +256,7 @@ TLSPROXY(8) TLSPROXY(8) <b><a href="postconf.5.html#tlsproxy_tls_mandatory_exclude_ciphers">tlsproxy_tls_mandatory_exclude_ciphers</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_manda</a>-</b> <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">tory_exclude_ciphers</a>)</b> - Additional list of ciphers or cipher types to exclude from the + Additional list of ciphers or cipher types to exclude from the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server cipher list at mandatory TLS security levels. <b><a href="postconf.5.html#tlsproxy_tls_mandatory_protocols">tlsproxy_tls_mandatory_protocols</a> ($<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>)</b> 
@@ -264,67 +264,74 @@ TLSPROXY(8) TLSPROXY(8) with mandatory TLS encryption. <b><a href="postconf.5.html#tlsproxy_tls_protocols">tlsproxy_tls_protocols</a> ($<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>)</b> - List of TLS protocols that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will + List of TLS protocols that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server will exclude or include with opportunistic TLS encryption. <b><a href="postconf.5.html#tlsproxy_tls_req_ccert">tlsproxy_tls_req_ccert</a> ($<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>)</b> - With mandatory TLS encryption, require a trusted remote SMTP + With mandatory TLS encryption, require a trusted remote SMTP client certificate in order to allow TLS connections to proceed. <b><a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b> - The SMTP TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server; + The SMTP TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server; when a non-empty value is specified, this overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. <b><a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a> ($<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>)</b> - Files with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server keys and certificate + Files with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> server keys and certificate chains in PEM format. 
+ Available in Postfix version 3.9 and later: + + <b><a href="postconf.5.html#tlsproxy_tls_enable_rpk">tlsproxy_tls_enable_rpk</a> ($<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>)</b> + Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key + instead of an X.509 certificate, when asking or requiring client + authentication. + <b>STARTTLS CLIENT CONTROLS</b> - These settings are clones of Postfix SMTP client settings. They allow + These settings are clones of Postfix SMTP client settings. They allow <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> to load the same certificate and private key information as - the Postfix SMTP client, before dropping privileges, so that the key + the Postfix SMTP client, before dropping privileges, so that the key files can be kept read-only for root. Some settings may be overruled by information in a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client request. Available in Postfix version 3.4 and later: <b><a href="postconf.5.html#tlsproxy_client_CAfile">tlsproxy_client_CAfile</a> ($<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>)</b> - A file containing CA certificates of root CAs trusted to sign - either remote TLS server certificates or intermediate CA cer- + A file containing CA certificates of root CAs trusted to sign + either remote TLS server certificates or intermediate CA cer- tificates. <b><a href="postconf.5.html#tlsproxy_client_CApath">tlsproxy_client_CApath</a> ($<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>)</b> - Directory with PEM format Certification Authority certificates - that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client uses to verify a remote TLS + Directory with PEM format Certification Authority certificates + that the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client uses to verify a remote TLS server certificate. 
<b><a href="postconf.5.html#tlsproxy_client_chain_files">tlsproxy_client_chain_files</a> ($<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>)</b> - Files with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client keys and certificate + Files with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client keys and certificate chains in PEM format. <b><a href="postconf.5.html#tlsproxy_client_cert_file">tlsproxy_client_cert_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA certificate in PEM + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA certificate in PEM format. <b><a href="postconf.5.html#tlsproxy_client_key_file">tlsproxy_client_key_file</a> ($<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA private key in PEM + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client RSA private key in PEM format. <b><a href="postconf.5.html#tlsproxy_client_dcert_file">tlsproxy_client_dcert_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA certificate in PEM + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA certificate in PEM format. <b><a href="postconf.5.html#tlsproxy_client_dkey_file">tlsproxy_client_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA private key in PEM + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client DSA private key in PEM format. 
<b><a href="postconf.5.html#tlsproxy_client_eccert_file">tlsproxy_client_eccert_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA certificate in + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA certificate in PEM format. <b><a href="postconf.5.html#tlsproxy_client_eckey_file">tlsproxy_client_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a>)</b> - File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA private key in + File with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client ECDSA private key in PEM format. <b><a href="postconf.5.html#tlsproxy_client_fingerprint_digest">tlsproxy_client_fingerprint_digest</a> ($<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>)</b> @@ -332,7 +339,7 @@ TLSPROXY(8) TLSPROXY(8) certificate fingerprints. <b><a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a> ($<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b> - Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client logging of TLS + Enable additional Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client logging of TLS activity. <b><a href="postconf.5.html#tlsproxy_client_loglevel_parameter">tlsproxy_client_loglevel_parameter</a> (<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b> 
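Review bot: The new tlsproxy_tls_enable_rpk entry under STARTTLS SERVER CONTROLS does not say what happens when a remote SMTP client cannot or does not send an RFC 7250 raw public key. A raw public key carries no certificate chain, so the entry should also say how such a client is authenticated alongside the tlsproxy_tls_CAfile and tlsproxy_tls_CApath settings listed earlier in this section. Suggest one extra sentence covering the fallback to an X.509 certificate and the relation to tlsproxy_tls_fingerprint_digest, or an explicit pointer to the smtpd_tls_enable_rpk description if that text already covers both.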
@@ -343,43 +350,43 @@ TLSPROXY(8) TLSPROXY(8) The verification depth for remote TLS server certificates. <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b> - Opportunistic mode: use TLS when a remote server announces TLS + Opportunistic mode: use TLS when a remote server announces TLS support. <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b> - Enforcement mode: require that SMTP servers use TLS encryption. + Enforcement mode: require that SMTP servers use TLS encryption. <b><a href="postconf.5.html#tlsproxy_client_per_site">tlsproxy_client_per_site</a> ($<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>)</b> - Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS - usage policy by next-hop destination and by remote TLS server + Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS + usage policy by next-hop destination and by remote TLS server hostname. Available in Postfix version 3.4-3.6: <b><a href="postconf.5.html#tlsproxy_client_level">tlsproxy_client_level</a> ($<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b> - The default TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> + The default TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client. <b><a href="postconf.5.html#tlsproxy_client_policy">tlsproxy_client_policy</a> ($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b> - Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS + Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS security policy by next-hop destination. 
Available in Postfix version 3.7 and later: <b><a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> ($<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b> - The default TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> + The default TLS security level for the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client. <b><a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> ($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b> - Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS + Optional lookup tables with the Postfix <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> client TLS security policy by next-hop destination. <b>OBSOLETE STARTTLS SUPPORT CONTROLS</b> - These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy + These parameters are supported for compatibility with <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy parameters. <b><a href="postconf.5.html#tlsproxy_use_tls">tlsproxy_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b> - Opportunistic TLS: announce STARTTLS support to remote SMTP + Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not require that clients use TLS encryption. <b><a href="postconf.5.html#tlsproxy_enforce_tls">tlsproxy_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b> 
@@ -387,11 +394,11 @@ TLSPROXY(8) TLSPROXY(8) and require that clients use TLS encryption. <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b> - Opportunistic mode: use TLS when a remote server announces TLS + Opportunistic mode: use TLS when a remote server announces TLS support. <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b> - Enforcement mode: require that SMTP servers use TLS encryption. + Enforcement mode: require that SMTP servers use TLS encryption. <b>RESOURCE CONTROLS</b> <b><a href="postconf.5.html#tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a> (10s)</b> @@ -400,7 +407,7 @@ TLSPROXY(8) TLSPROXY(8) <b>MISCELLANEOUS CONTROLS</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> - The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- + The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- figuration files. <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> @@ -413,7 +420,7 @@ TLSPROXY(8) TLSPROXY(8) The syslog facility of Postfix logging. <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> - A prefix that is prepended to the process name in syslog + A prefix that is prepended to the process name in syslog records, so that, for example, "smtpd" becomes "prefix/smtpd". Available in Postfix 3.3 and later: diff --git a/html/trivial-rewrite.8.html b/html/trivial-rewrite.8.html index 1bcd8e7..7b1e3e3 100644 --- a/html/trivial-rewrite.8.html +++ b/html/trivial-rewrite.8.html 
@@ -134,9 +134,11 @@ TRIVIAL-REWRITE(8) TRIVIAL-REWRITE(8) Available in Postfix 2.2 and later: <b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b> - Don't rewrite message headers from remote clients at all when - this parameter is empty; otherwise, rewrite message headers and - append the specified domain name to incomplete addresses. + Rewrite or add message headers in mail from remote clients if + the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter value is non-empty, + updating incomplete addresses with the domain specified in the + <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter, and adding missing head- + ers. <b>ROUTING CONTROLS</b> The following is applicable to Postfix version 2.0 and later. Earlier 
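Review bot: The rewritten remote_header_rewrite_domain description no longer states what happens when the value is empty, which is the default shown in the entry heading "(empty)". The removed line "Don't rewrite message headers from remote clients at all when this parameter is empty" was the only place this entry spelled out the default behaviour; suggest keeping a closing sentence to that effect. Minor style point: the parameter name is written out twice in one sentence, and "this parameter" would read better for the second mention.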
@@ -155,13 +157,14 @@ TRIVIAL-REWRITE(8) TRIVIAL-REWRITE(8) <b><a href="postconf.5.html#relay_transport">relay_transport</a> (relay)</b> The default mail delivery transport and next-hop destination for - remote delivery to domains listed with $<a href="postconf.5.html#relay_domains">relay_domains</a>. + the relay domain address class: recipient domains that match + $<a href="postconf.5.html#relay_domains">relay_domains</a>. <b><a href="postconf.5.html#default_transport">default_transport</a> (smtp)</b> The default mail delivery transport and next-hop destination for - destinations that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, - $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mail</a>- - <a href="postconf.5.html#virtual_mailbox_domains">box_domains</a>, or $<a href="postconf.5.html#relay_domains">relay_domains</a>. + the default domain class: recipient domains that do not match + $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">vir</a>- + <a href="postconf.5.html#virtual_alias_domains">tual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, or $<a href="postconf.5.html#relay_domains">relay_domains</a>. <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' output)</b> A list of Postfix features where the pattern "example.com" also 
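Review bot: In the default_transport entry, "the default domain class" is inconsistent with "the relay domain address class" used for relay_transport a few lines above in the same hunk. Suggest "the default domain address class" so both entries name the class the same way and match the "address class" wording used in ADDRESS_CLASS_README.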
@@ -169,8 +172,8 @@ TRIVIAL-REWRITE(8) TRIVIAL-REWRITE(8) explicit ".example.com" pattern. <b><a href="postconf.5.html#relayhost">relayhost</a> (empty)</b> - The next-hop destination(s) for non-local mail; overrides - non-<a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a> in recipient addresses. + The next-hop destination(s) for non-local mail; takes precedence + over non-<a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a> in recipient addresses. <b><a href="postconf.5.html#transport_maps">transport_maps</a> (empty)</b> Optional lookup tables with mappings from recipient address to diff --git a/html/virtual.5.html b/html/virtual.5.html index 7e9061e..c1c6ece 100644 --- a/html/virtual.5.html +++ b/html/virtual.5.html 
@@ -18,101 +18,102 @@ VIRTUAL(5) VIRTUAL(5) <b>postmap -q - /etc/postfix/virtual</b> <<i>inputfile</i> <b>DESCRIPTION</b> - The optional <a href="virtual.5.html"><b>virtual</b>(5)</a> alias table rewrites recipient addresses for - all local, all virtual, and all remote mail destinations. This is - unlike the <a href="aliases.5.html"><b>aliases</b>(5)</a> table which is used only for <a href="local.8.html"><b>local</b>(8)</a> delivery. - This feature is implemented in the Postfix <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon before - mail is queued. + The optional <a href="virtual.5.html"><b>virtual</b>(5)</a> alias table (<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>) applies to all + recipients: <a href="local.8.html">local(8)</a>, virtual, and remote. This feature is implemented + in the Postfix <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon before mail is queued. - Virtual aliasing is recursive; to terminate recursion for a specific + This is unlike the <a href="aliases.5.html"><b>aliases</b>(5)</a> table (<a href="postconf.5.html#alias_maps">alias_maps</a>) which applies only to + <a href="local.8.html"><b>local</b>(8)</a> recipients. + + Virtual aliasing is recursive; to terminate recursion for a specific address, alias that address to itself. - The main applications of virtual aliasing are: + The main applications of <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> are: <b>o</b> To redirect mail for one address to one or more addresses. - <b>o</b> To implement virtual alias domains where all addresses are + <b>o</b> To implement virtual alias domains where all addresses are aliased to addresses in other domains. - Virtual alias domains are not to be confused with the virtual + Virtual alias domains are not to be confused with the virtual mailbox domains that are implemented with the Postfix <a href="virtual.8.html"><b>virtual</b>(8)</a> - mail delivery agent. 
With <a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">virtual mailbox domains</a>, each recipi- + mail delivery agent. With <a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">virtual mailbox domains</a>, each recipi- ent address can have its own mailbox. - Virtual aliasing is applied only to recipient envelope addresses, and - does not affect message headers. Use <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping to rewrite + Virtual aliasing is applied only to recipient envelope addresses, and + does not affect message headers. Use <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping to rewrite header and envelope addresses in general. - Normally, the <a href="virtual.5.html"><b>virtual</b>(5)</a> alias table is specified as a text file that + Normally, the <a href="virtual.5.html"><b>virtual</b>(5)</a> alias table is specified as a text file that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The result, an indexed file - in <b>dbm</b> or <b>db</b> format, is used for fast searching by the mail system. + in <b>dbm</b> or <b>db</b> format, is used for fast searching by the mail system. Execute the command "<b>postmap /etc/postfix/virtual</b>" to rebuild an indexed file after changing the corresponding text file. - When the table is provided via other means such as NIS, LDAP or SQL, + When the table is provided via other means such as NIS, LDAP or SQL, the same lookups are done as for ordinary indexed files. - Alternatively, the table can be provided as a regular-expression map - where patterns are given as regular expressions, or lookups can be - directed to a TCP-based server. In those case, the lookups are done in - a slightly different way as described below under "REGULAR EXPRESSION + Alternatively, the table can be provided as a regular-expression map + where patterns are given as regular expressions, or lookups can be + directed to a TCP-based server. 
In those case, the lookups are done in + a slightly different way as described below under "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES". <b>CASE FOLDING</b> - The search string is folded to lowercase before database lookup. As of - Postfix 2.3, the search string is not case folded with database types - such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose lookup fields can match both upper and + The search string is folded to lowercase before database lookup. As of + Postfix 2.3, the search string is not case folded with database types + such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose lookup fields can match both upper and lower case. <b>TABLE FORMAT</b> The input format for the <a href="postmap.1.html"><b>postmap</b>(1)</a> command is as follows: <i>pattern address, address, ...</i> - When <i>pattern</i> matches a mail address, replace it by the corre- + When <i>pattern</i> matches a mail address, replace it by the corre- sponding <i>address</i>. blank lines and comments - Empty lines and whitespace-only lines are ignored, as are lines + Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a `#'. multi-line text - A logical line starts with non-whitespace text. A line that + A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line. <b>TABLE SEARCH ORDER</b> - With lookups from indexed files such as DB or DBM, or from networked - tables such as NIS, LDAP or SQL, each <i>user</i>@<i>domain</i> query produces a + With lookups from indexed files such as DB or DBM, or from networked + tables such as NIS, LDAP or SQL, each <i>user</i>@<i>domain</i> query produces a sequence of query patterns as described below. Each query pattern is sent to each specified lookup table before trying the next query pattern, until a match is found. 
<i>user</i>@<i>domain address, address, ...</i> - Redirect mail for <i>user</i>@<i>domain</i> to <i>address</i>. This form has the + Redirect mail for <i>user</i>@<i>domain</i> to <i>address</i>. This form has the highest precedence. <i>user address, address, ...</i> - Redirect mail for <i>user</i>@<i>site</i> to <i>address</i> when <i>site</i> is equal to - $<b><a href="postconf.5.html#myorigin">myorigin</a></b>, when <i>site</i> is listed in $<b><a href="postconf.5.html#mydestination">mydestination</a></b>, or when it is + Redirect mail for <i>user</i>@<i>site</i> to <i>address</i> when <i>site</i> is equal to + $<b><a href="postconf.5.html#myorigin">myorigin</a></b>, when <i>site</i> is listed in $<b><a href="postconf.5.html#mydestination">mydestination</a></b>, or when it is listed in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or $<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>. - This functionality overlaps with the functionality of the local - <i>aliases</i>(5) database. The difference is that <a href="virtual.5.html"><b>virtual</b>(5)</a> mapping + This functionality overlaps with the functionality of the local + <i>aliases</i>(5) database. The difference is that <a href="virtual.5.html"><b>virtual</b>(5)</a> mapping can be applied to non-local addresses. @<i>domain address, address, ...</i> - Redirect mail for other users in <i>domain</i> to <i>address</i>. This form + Redirect mail for other users in <i>domain</i> to <i>address</i>. This form has the lowest precedence. - Note: @<i>domain</i> is a wild-card. With this form, the Postfix SMTP - server accepts mail for any recipient in <i>domain</i>, regardless of - whether that recipient exists. This may turn your mail system - into a backscatter source: Postfix first accepts mail for - non-existent recipients and then tries to return that mail as + Note: @<i>domain</i> is a wild-card. 
With this form, the Postfix SMTP + server accepts mail for any recipient in <i>domain</i>, regardless of + whether that recipient exists. This may turn your mail system + into a backscatter source: Postfix first accepts mail for + non-existent recipients and then tries to return that mail as "undeliverable" to the often forged sender address. - To avoid backscatter with mail for a wild-card domain, replace - the wild-card mapping with explicit 1:1 mappings, or add a + To avoid backscatter with mail for a wild-card domain, replace + the wild-card mapping with explicit 1:1 mappings, or add a <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> restriction for that domain: <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = @@ -128,11 +129,11 @@ VIRTUAL(5) VIRTUAL(5) <b>RESULT ADDRESS REWRITING</b> The lookup result is subject to address rewriting: - <b>o</b> When the result has the form @<i>otherdomain</i>, the result becomes - the same <i>user</i> in <i>otherdomain</i>. This works only for the first + <b>o</b> When the result has the form @<i>otherdomain</i>, the result becomes + the same <i>user</i> in <i>otherdomain</i>. This works only for the first address in a multi-address lookup result. - <b>o</b> When "<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>" to addresses + <b>o</b> When "<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>" to addresses without "@domain". <b>o</b> When "<b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes</b>", append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>" to addresses 
@@ -140,26 +141,26 @@ VIRTUAL(5) VIRTUAL(5) <b>ADDRESS EXTENSION</b> When a mail address localpart contains the optional recipient delimiter - (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order becomes: <i>user+foo</i>@<i>domain</i>, + (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>user+foo</i>, <i>user</i>, and @<i>domain</i>. - The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls whether an + The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls whether an unmatched address extension (<i>+foo</i>) is propagated to the result of a ta- ble lookup. <b>VIRTUAL ALIAS DOMAINS</b> - Besides virtual aliases, the virtual alias table can also be used to - implement virtual alias domains. With a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>, all + Besides virtual aliases, the virtual alias table can also be used to + implement <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domains</a>. With a virtual alias domain, all recipient addresses are aliased to addresses in other domains. - Virtual alias domains are not to be confused with the virtual mailbox - domains that are implemented with the Postfix <a href="virtual.8.html"><b>virtual</b>(8)</a> mail delivery - agent. With <a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">virtual mailbox domains</a>, each recipient address can have + Virtual alias domains are not to be confused with the virtual mailbox + domains that are implemented with the Postfix <a href="virtual.8.html"><b>virtual</b>(8)</a> mail delivery + agent. With virtual mailbox domains, each recipient address can have its own mailbox. - With a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>, the virtual domain has its own user name - space. 
Local (i.e. non-virtual) usernames are not visible in a virtual - alias domain. In particular, local <a href="aliases.5.html"><b>aliases</b>(5)</a> and local mailing lists + With a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>, the virtual domain has its own user name + space. Local (i.e. non-virtual) usernames are not visible in a virtual + alias domain. In particular, local <a href="aliases.5.html"><b>aliases</b>(5)</a> and local mailing lists are not visible as <i>localname@virtual-alias.domain</i>. Support for a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> looks like: @@ -167,7 +168,7 @@ VIRTUAL(5) VIRTUAL(5) /etc/postfix/<a href="postconf.5.html">main.cf</a>: <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual - Note: some systems use <b>dbm</b> databases instead of <b>hash</b>. See the output + Note: some systems use <b>dbm</b> databases instead of <b>hash</b>. See the output from "<b>postconf -m</b>" for available database types. /etc/postfix/virtual: 
@@ -177,46 +178,46 @@ VIRTUAL(5) VIRTUAL(5) <i>user2@virtual-alias.domain address2, address3</i> The <i>virtual-alias.domain anything</i> entry is required for a virtual alias - domain. <b>Without this entry, mail is rejected with "relay access</b> + domain. <b>Without this entry, mail is rejected with "relay access</b> <b>denied", or bounces with "mail loops back to myself".</b> - Do not specify <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> names in the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#mydestination">mydestination</a></b> + Do not specify <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> names in the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#mydestination">mydestination</a></b> or <b><a href="postconf.5.html#relay_domains">relay_domains</a></b> configuration parameters. - With a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>, the Postfix SMTP server accepts mail for + With a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>, the Postfix SMTP server accepts mail for <i>known-user@virtual-alias.domain</i>, and rejects mail for <i>unknown-user</i>@<i>vir-</i> <i>tual-alias.domain</i> as undeliverable. 
- Instead of specifying the virtual alias domain name via the <b><a href="postconf.5.html#virtual_alias_maps">vir</a>-</b> - <b><a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a></b> table, you may also specify it via the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#virtual_alias_domains">vir-</b> + Instead of specifying the virtual alias domain name via the <b><a href="postconf.5.html#virtual_alias_maps">vir</a>-</b> + <b><a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a></b> table, you may also specify it via the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#virtual_alias_domains">vir-</b> <b>tual_alias_domains</a></b> configuration parameter. This latter parameter uses the same syntax as the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#mydestination">mydestination</a></b> configuration parameter. <b>REGULAR EXPRESSION TABLES</b> - This section describes how the table lookups change when the table is - given in the form of regular expressions. For a description of regular + This section describes how the table lookups change when the table is + given in the form of regular expressions. For a description of regular expression lookup table syntax, see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. - Each pattern is a regular expression that is applied to the entire - address being looked up. Thus, <i>user@domain</i> mail addresses are not bro- - ken up into their <i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i> + Each pattern is a regular expression that is applied to the entire + address being looked up. Thus, <i>user@domain</i> mail addresses are not bro- + ken up into their <i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>. 
- Patterns are applied in the order as specified in the table, until a + Patterns are applied in the order as specified in the table, until a pattern is found that matches the search string. - Results are the same as with indexed file lookups, with the additional - feature that parenthesized substrings from the pattern can be interpo- + Results are the same as with indexed file lookups, with the additional + feature that parenthesized substrings from the pattern can be interpo- lated as <b>$1</b>, <b>$2</b> and so on. <b>TCP-BASED TABLES</b> - This section describes how the table lookups change when lookups are - directed to a TCP-based server. For a description of the TCP - client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is + This section describes how the table lookups change when lookups are + directed to a TCP-based server. For a description of the TCP + client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is available in Postfix 2.5 and later. - Each lookup operation uses the entire address once. Thus, <i>user@domain</i> - mail addresses are not broken up into their <i>user</i> and <i>@domain</i> con- + Each lookup operation uses the entire address once. Thus, <i>user@domain</i> + mail addresses are not broken up into their <i>user</i> and <i>@domain</i> con- stituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>. Results are the same as with indexed file lookups. 
@@ -230,8 +231,9 @@ VIRTUAL(5) VIRTUAL(5) Use the "<b>postfix reload</b>" command after a configuration change. <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b> - Optional lookup tables that alias specific mail addresses or - domains to other local or remote addresses. + Optional lookup tables with aliases that apply to all recipi- + ents: <a href="local.8.html"><b>local</b>(8)</a>, virtual, and remote; this is unlike <a href="postconf.5.html#alias_maps">alias_maps</a> + that apply only to <a href="local.8.html"><b>local</b>(8)</a> recipients. <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b> Postfix is the final destination for the specified list of vir- @@ -245,8 +247,8 @@ VIRTUAL(5) VIRTUAL(5) Other parameters of interest: <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> - The network interface addresses that this mail system receives - mail on. + The local network interface addresses that this mail system + receives mail on. <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b> The list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a> @@ -263,8 +265,9 @@ VIRTUAL(5) VIRTUAL(5) set to "-". <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> - The network interface addresses that this mail system receives - mail on by way of a proxy or network address translation unit. + The remote network interface addresses that this mail system + receives mail on by way of a proxy or network address transla- + tion unit. <b>SEE ALSO</b> <a href="cleanup.8.html">cleanup(8)</a>, canonicalize and enqueue mail |
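Review bot: From the CASE FOLDING hunk through @@ -167,7 +168,7 @@, almost every removed/added pair carries the same words and appears to differ only in justification spacing, which buries the few real wording changes. Either regenerate the HTML with stable line filling, or land the re-justification as its own commit so the content changes can be reviewed separately.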
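Review bot: In @@ -140,26 +141,26 @@ (VIRTUAL ALIAS DOMAINS), the added line "agent. With virtual mailbox domains, each recipient address can have" drops the link to ADDRESS_CLASS_README.html#virtual_mailbox_class, and the new text no longer links that class anywhere in the paragraph. This is the paragraph that warns readers not to confuse the two classes, so keep one link, for example on the first mention in "the virtual mailbox domains that are implemented with the Postfix virtual(8) mail delivery agent".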
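Review bot: In @@ -177,46 +178,46 @@, the added lines carry over mis-nested markup: in `<a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#mydestination">mydestination</a></b>` the `<b>` opens inside the first anchor and closes after the second, and `<a href="postconf.5.html#virtual_alias_domains">vir-</b> <b>tual_alias_domains</a>` closes a `<b>` inside an anchor that did not open it. Since these lines are being rewritten anyway, fix the conversion step so each `<b>` opens and closes within the same anchor, and so a hyphenated parameter name is not split across two elements.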
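Review bot: In @@ -230,8 +231,9 @@, the new virtual_alias_maps description lists "local(8), virtual, and remote" recipients, but the bare word "virtual" is ambiguous on a page that separates virtual alias domains from the virtual mailbox domains handled by virtual(8). Name the intended class and link it the way local(8) is linked. The clause "unlike alias_maps that apply only to local(8) recipients" would also read better as "unlike alias_maps, which applies only to local(8) recipients".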