From 3e160e27e4686620d16477a9ea9cf00141e52ce7 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
The list of domains that are a member of that address -class: for example, all local domains, or all relay domains.
+class. + +Examples: all local domains, or all relay domains.
+ +The default delivery transport for domains in that address +class.
+ +Examples: local_transport or relay_transport (these point +to services defined in master.cf).
-The default delivery transport for that address class. For -example, the local, -virtual or relay delivery transport (delivery transports are defined -in master.cf). This helps to keep Postfix configurations simple, -by avoiding the need for explicit routing information in transport -maps.
+Benefit: this avoids the need for explicit routing information +in transport maps.
The list of valid recipient addresses for that address -class. The Postfix SMTP server rejects invalid recipients with -"User unknown in <name of address class here> table". This -helps to keep the Postfix queue free of undeliverable MAILER-DAEMON -messages.
+class. + +Benefit: the Postfix SMTP server rejects an invalid recipient +with "User unknown in <name of address class> table", and +avoids sending a MAILER-DAEMON message with backscatter spam.
Valid recipient addresses are listed with the local_recipient_maps -parameter, as described in LOCAL_RECIPIENT_README. The Postfix SMTP -server rejects invalid recipients with "User unknown in local -recipient table". If the local_recipient_maps parameter value is -empty, then the Postfix SMTP server accepts any address in the -local domain class.
+Valid recipient addresses for those domains are +listed with the local_recipient_maps parameter, as described in +LOCAL_RECIPIENT_README. The Postfix SMTP server rejects invalid recipients +with "User unknown in local recipient table". If the local_recipient_maps +parameter value is empty, then the Postfix SMTP server accepts any +address in the local domain class.
The mail delivery transport is specified with the local_transport parameter. The default value is local:$myhostname @@ -111,21 +116,25 @@ class.
Purpose: hosted domains where each recipient address is -aliased to an address in a different domain, for example, a local -UNIX system account or a remote address. A +aliased to an address in a different domain class, for example, a +local UNIX system account or a remote address. A virtual alias example is given in the VIRTUAL_README file.
Domain names are listed in virtual_alias_domains. The default value is $virtual_alias_maps for Postfix 1.1 compatibility.
-Valid recipient addresses are listed with the virtual_alias_maps -parameter. The Postfix SMTP server rejects invalid recipients with -"User unknown in virtual alias table". The default value is -$virtual_maps for Postfix 1.1 compatibility.
+Valid recipient addresses for those domains are listed with the +virtual_alias_maps parameter. The Postfix SMTP server rejects invalid +recipients with "User unknown in virtual alias table". The default +value is $virtual_maps for Postfix 1.1 compatibility.
-There is no mail delivery transport parameter. Every -address must be aliased to an address in some other domain.
++ +Note: for historical reasons, virtual_alias_maps +apply to recipients in all domain classes, not only the virtual +alias domain class.
There is no configurable mail delivery transport. Every +address must be aliased to an address in some other domain class.
Purpose: final delivery for hosted domains where each recipient address can have its own mailbox, and where users do not -need to have a UNIX system account. A virtual mailbox example is +need to have a UNIX system account. A virtual mailbox example is given in the VIRTUAL_README file.
Domain names are listed with the virtual_mailbox_domains parameter. The default value is $virtual_mailbox_maps for Postfix 1.1 compatibility.
-Valid recipient addresses are listed with the virtual_mailbox_maps -parameter. The Postfix SMTP server rejects invalid recipients with -"User unknown in virtual mailbox table". If this parameter value -is empty, the Postfix SMTP server accepts all recipients for domains -listed in $virtual_mailbox_domains.
+Valid recipient addresses for those domains are listed +with the virtual_mailbox_maps parameter. The Postfix SMTP server +rejects invalid recipients with "User unknown in virtual mailbox +table". If this parameter value is empty, the Postfix SMTP server +accepts all recipients for domains listed in $virtual_mailbox_domains. +
The mail delivery transport is specified with the virtual_transport parameter. The default value is virtual @@ -169,11 +179,12 @@ file.
Domain names are listed with the relay_domains parameter.
-Valid recipient addresses are listed with the relay_recipient_maps -parameter. The Postfix SMTP server rejects invalid recipients with -"User unknown in relay recipient table". If this parameter value -is empty, the Postfix SMTP server accepts all recipients for domains -listed with the relay_domains parameter.
+Valid recipient addresses for those domains are listed +with the relay_recipient_maps parameter. The Postfix SMTP server +rejects invalid recipients with "User unknown in relay recipient +table". If this parameter value is empty, the Postfix SMTP server +accepts all recipients for domains listed with the relay_domains +parameter.
The mail delivery transport is specified with the relay_transport parameter. The default value is relay which diff --git a/html/ADDRESS_REWRITING_README.html b/html/ADDRESS_REWRITING_README.html index 85e296f..c92a314 100644 --- a/html/ADDRESS_REWRITING_README.html +++ b/html/ADDRESS_REWRITING_README.html @@ -94,9 +94,7 @@ as invalid
Address manipulation | Scope | -Daemon | Global turn-on control | Selective -turn-off control | Daemon | Turn-on controls | +Turn-off controls | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Rewrite addresses to standard form | all mail | trivial- rewrite(8) |
@@ -340,13 +338,12 @@ nowrap> all mail cleanup(8) | < nowrap> all mail | cleanup(8) | virtual_alias_maps | receive_override_options | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Resolve address to destination - | all mail | trivial- rewrite(8) |
-none | none | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Mail transport switch | -all mail | trivial- rewrite(8) | -transport_maps | none | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Resolve address to (transport, next-hop +destination) | all mail |
+trivial- rewrite(8) | local_transport, virtual_transport, +relay_transport, default_transport, relayhost, +sender_dependent_relayhost_maps, sender_dependent_default_transport_maps + | content_filter | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Relocated users table | all mail | trivial- rewrite(8) |
@@ -774,6 +771,11 @@ may be a more appropriate vehicle. See the VIRTUAL
for an overview of methods to host virtual domains with Postfix.
+ Note: virtual aliasing (virtual_alias_maps) applies to all +recipients: local(8), virtual, and remote. +This is unlike local aliasing (alias_maps) which applies only to +local(8) recipients. +Virtual aliasing is disabled by default. To enable, edit the virtual_alias_maps parameter in the main.cf file and specify one or more lookup tables, separated by whitespace or @@ -792,7 +794,7 @@ commas. Addresses found in virtual alias maps are subjected to another -iteration of virtual aliasing, but are not subjected to canonical +iteration of virtual aliasing, but are not subjected to canonical mapping, in order to avoid loops. For static mappings as shown above, lookup tables such as hash:, @@ -833,9 +835,8 @@ manager delegates the more complex address manipulations to the
Using backwards-compatible +default setting "smtpd_relay_restrictions = (empty)" + +Using backwards-compatible +default setting smtputf8_enable=no +Logged with compatibility_level < 2:
Logged with compatibility_level < 3.6: 
@@ -241,6 +241,48 @@ administrator should make the backwards-compatible setting +Using backwards-compatible default +setting smtputf8_enable=no+ +The smtputf8_enable default value has changed from "no" to "yes". +With the new "yes" setting, the Postfix SMTP server rejects non-ASCII +addresses from clients that don't request SMTPUTF8 support, after +Postfix is updated from an older version. The backwards-compatibility +safety net is designed to prevent such surprises. + +As long as the smtputf8_enable parameter is left at its implicit +default value, and the compatibility_level setting is +less than 1, Postfix logs a warning each time an SMTP command uses a +non-ASCII address localpart without requesting SMTPUTF8 support: + +++ ++postfix/smtpd[27560]: using backwards-compatible default setting + smtputf8_enable=no to accept non-ASCII sender address + "??@example.org" from localhost[127.0.0.1] ++ ++ ++postfix/smtpd[27560]: using backwards-compatible default setting + smtputf8_enable=no to accept non-ASCII recipient address + "??@example.com" from localhost[127.0.0.1] ++ If the address should not be rejected, and the client cannot +be updated to use SMTPUTF8, then the system administrator should +make the backwards-compatible setting "smtputf8_enable = no" permanent +in main.cf: + + +++# postconf smtputf8_enable=no +# postfix reload ++ Using backwards-compatible default setting mynetworks_style=subnet@@ -352,48 +394,6 @@ administrator should make the backwards-compatible settingInstead of $mydestination, it may be better to specify an explicit list of domain names. -Using backwards-compatible default -setting smtputf8_enable=no- -The smtputf8_enable default value has changed from "no" to "yes". -With the new "yes" setting, the Postfix SMTP server rejects non-ASCII -addresses from clients that don't request SMTPUTF8 support, after -Postfix is updated from an older version. The backwards-compatibility -safety net is designed to prevent such surprises. 
- -As long as the smtputf8_enable parameter is left at its implicit -default value, and the compatibility_level setting is -less than 1, Postfix logs a warning each time an SMTP command uses a -non-ASCII address localpart without requesting SMTPUTF8 support: - --- --postfix/smtpd[27560]: using backwards-compatible default setting - smtputf8_enable=no to accept non-ASCII sender address - "??@example.org" from localhost[127.0.0.1] -- -- --postfix/smtpd[27560]: using backwards-compatible default setting - smtputf8_enable=no to accept non-ASCII recipient address - "??@example.com" from localhost[127.0.0.1] -- If the address should not be rejected, and the client cannot -be updated to use SMTPUTF8, then the system administrator should -make the backwards-compatible setting "smtputf8_enable = no" permanent -in main.cf: - - ---# postconf smtputf8_enable=no -# postfix reload -- Using backwards-compatible default setting smtpd_tls_fingerprint_digest=md5diff --git a/html/DATABASE_README.html b/html/DATABASE_README.html index e3b3c05..87941bc 100644 --- a/html/DATABASE_README.html +++ b/html/DATABASE_README.html @@ -56,10 +56,10 @@ documentation:@@ -349,6 +349,11 @@ See lmdb_table(5) for details./etc/postfix/main.cf: - alias_maps = hash:/etc/postfix/aliases (local aliasing) + alias_maps = hash:/etc/postfix/aliases (local aliasing) header_checks = regexp:/etc/postfix/header_checks (content filtering) transport_maps = hash:/etc/postfix/transport (routing table) - virtual_alias_maps = hash:/etc/postfix/virtual (address rewriting) + virtual_alias_maps = hash:/etc/postfix/virtual (virtual aliasing) Postfix +Replacements for Deprecated Features+ ++ + Purpose of this document+ +This document describes Postfix features that are deprecated +(will be removed) or that have already been removed. It also has +tips for making an existing Postfix configuration more future-proof. + + +Overview: + +
Why deprecate?+ +Sometimes, a Postfix feature needs to be replaced with a different +one. To give an example: + +
Having both the "old" and "new" way to configure Postfix is +convenient for existing Postfix installations, because their +configuration does not break after an upgrade to a new version. +Unfortunately, there are also disadvantages. Having multiple ways +to do similar things is not only confusing for newcomers, it also +makes Postfix harder to change. + +Deprecation process+ +The basic process steps are: + +
Disclaimer: it has taken 20 years for some features to be +removed. This past is not a guarantee for the future. + +Deprecated features+ +The table summarizes removed or deprecated features and +replacements. Click on the "obsolete feature" name for a more +detailed description. + ++ ++ + Obsolete DNS on/off configuration ++ +The postconf(1) command logs the following: + +
Replace obsolete configuration with its replacement: + ++ ++ + Obsolete opportunistic TLS configuration ++ +The postconf(1) command logs one of the following: + +
There are similarly-named parameters and warnings for postscreen(8) +and tlsproxy(8), but those parameters should rarely be specified +by hand. + +Replace obsolete configuration with its replacement: + ++ ++ + Obsolete mandatory TLS configuration ++ +The postconf(1) command logs one of the following: + +
There are similarly-named parameters and warnings for postscreen(8) +and tlsproxy(8), but those parameters should rarely be specified +by hand. + +Replace obsolete configuration with its replacement: + ++ ++ + Obsolete TLS policy table configuration ++ +The postconf(1) command logs one of the following: + +
There is similarly-named parameter and warning for tlsproxy(8), +but that parameter should rarely be specified by hand. + +Unfortunately, this is more than a name change: the table format +has changed too, as has the table search process. There is no simple +conversion of the obsolete form to its replacement. + +check_relay_domains+ +Depending on the Postfix version, the Postfix SMTP daemon logs +following warning: + +
This feature was removed because it would relay based on the +client domain name, which is not robust. + +Recommended configuration to prevent an "open relay" problem +with the SMTP service on port 25: + + +++ ++main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + ...other restrictions... ++ Or equivalent in smtpd_relay_restrictions. + +permit_mx_backup+ +The Postfix version 3.9 and later SMTP daemon logs the following +warning: + +
This feature will be removed because it is too difficult to +configure recipient address validation, making Postfix a source of +backscatter bounces. + +To specify the domains that Postfix will provide MX backup +service for, see +Configuring Postfix as primary or backup MX host for a remote +site. + +reject_maps_rbl+ +Depending on the Postfix version, the SMTP daemon logs one of +the following warnings: + +
This feature was replaced because "MAPS RBL" is the name of a +specific reputation service. The reject_rbl_client feature provides +a superset of the reject_maps_rbl functionality. + +Recommended configuration: + +++ ++main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + reject_rbl_client domain-name + ...other restrictions... ++ Where domain-name is the domain name of a DNS reputation service. + +permit_naked_ip_address+ +Depending on the Postfix version, the SMTP daemon logs one of +the following warnings: + +
This feature was removed because it was easy to get a false +match when smtpd_recipient_restrictions was intended to match a +remote SMTP client IP address. + +Recommended configuration: + +++ ++main.cf: + smtpd_recipient_restrictions = + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + reject_rbl_client domain-name + ...other restrictions... ++ That is, no restriction on HELO or EHLO syntax. Such restrictions +ar rarely useful nowadays. + + + + diff --git a/html/INSTALL.html b/html/INSTALL.html index 6cd70d1..94d78ba 100644 --- a/html/INSTALL.html +++ b/html/INSTALL.html @@ -605,6 +605,9 @@ describe how to build Postfix with support for optional features: LDAP database | LDAP_README | Postfix
1.0 | MongoDB database | MONGODB_README | Postfix
+3.9 | MySQL database | MYSQL_README | Postfix
1.0 | The default setting, shown below, assumes that you use the default Postfix local(8) delivery agent for local delivery, where diff --git a/html/MAILLOG_README.html b/html/MAILLOG_README.html index be58e33..ab751f4 100644 --- a/html/MAILLOG_README.html +++ b/html/MAILLOG_README.html @@ -63,10 +63,16 @@ Postfix version. /var/log/postfix.log. See also the "Logfile rotation" section below for logfile management. +In the example below, specifying maillog_file_permissions is +optional (Postfix 3.9 and later). The default value is 0600, i.e., +only the super-user can access the file; the value 0644 also +adds 'group' and 'other' read access. +@@ -124,6 +130,10 @@ old logfile. program is configured with the maillog_file_compressor parameter (default: gzip). +# postfix stop # postconf maillog_file=/var/log/postfix.log +# postconf maillog_file_permissions=0644 # (Postfix 3.9 and later) # postfix start The next time it logs an event, postlogd(8) will create a +new logfile, with permissions specified with the maillog_file_permissions +parameter (default: 0600). +Notes: diff --git a/html/MILTER_README.html b/html/MILTER_README.html index c69a5bf..b72fdb8 100644 --- a/html/MILTER_README.html +++ b/html/MILTER_README.html @@ -630,7 +630,7 @@ and protocol. clientsThe smtpd_milter_maps feature supports different Milter settings -for different client IP addresses. Lookup results override the the +for different client IP addresses. Lookup results override the global smtpd_milters setting, and have the same syntax. For example, to disable Milter settings for local address ranges: diff --git a/html/MONGODB_README.html b/html/MONGODB_README.html new file mode 100644 index 0000000..a05d1f5 --- /dev/null +++ b/html/MONGODB_README.html 
@@ -0,0 +1,263 @@ + + + +Postfix MongoDB Howto++ + MongoDB Support in Postfix+ +Postfix can use MongoDB as a source for any of its lookups: +aliases(5), virtual(5), canonical(5), etc. This allows you to keep +information for your mail service in a replicated noSQL database +with fine-grained access controls. By not storing it locally on the +mail server, the administrators can maintain it from anywhere, and +the users can control whatever bits of it you think appropriate. +You can have multiple mail servers using the same information, +without the hassle and delay of having to copy it to each. + +Topics covered in this document: + +
Building Postfix with MongoDB support+ +These instructions assume that you build Postfix from source +code as described in the INSTALL document. Some modification may +be required if you build Postfix from a vendor-specific source +package. + +The Postfix MongoDB client requires the mongo-c-driver +library. This can be built from source code from the +mongod-c project, or this can be installed as a binary package +from your OS distribution, typically named mongo-c-driver, +mongo-c-driver-devel or libmongoc-dev. +Installing the mongo-c-driver library may also install libbson +as a dependency. + +To build Postfix with mongodb map support, add to the CCARGS +environment variable the options -DHAS_MONGODB and -I for the +directory containing the mongodb headers, and specify the AUXLIBS_MONGODB +with the libmongoc and libbson libraries, for example: + +++ ++% make tidy +% make -f Makefile.init makefiles \ + CCARGS="$CCARGS -DHAS_MONGODB -I/usr/include/libmongoc-1.0 \ + -I/usr/include/libbson-1.0" \ + AUXLIBS_MONGODB="-lmongoc-1.0 -lbson-1.0" ++ The 'make tidy' command is needed only if you have previously +built Postfix without MongoDB support. + +If your MongoDB shared library is in a directory that the RUN-TIME +linker does not know about, add a "-Wl,-R,/path/to/directory" option +after "-lbson-1.0". Then, just run 'make'. + +Configuring MongoDB lookups+ +In order to use MongoDB lookups, define a MongoDB source as a +table lookup in main.cf, for example: + +++ ++alias_maps = hash:/etc/aliases, proxy:mongodb:/etc/postfix/mongo-aliases.cf ++ The file /etc/postfix/mongo-aliases.cf can specify a number of +parameters. For a complete description, see the mongodb_table(5) +manual page. + +Example: virtual(5) alias maps+ +Here's a basic example for using MongoDB to look up virtual(5) +aliases. 
Assume that in main.cf, you have: + +++ ++virtual_alias_maps = hash:/etc/postfix/virtual_aliases, + proxy:mongodb:/etc/postfix/mongo-virtual-aliases.cf ++ and in mongodb:/etc/postfix/mongo-virtual-aliases.cf you have: + +++ ++uri = mongodb+srv://user_name:password@some_server +dbname = mail +collection = mailbox +query_filter = {"$or": [{"username":"%s"}, {"alias.address": "%s"}], "active": 1} +result_attribute = username ++ This example assumes mailbox names are stored in a MongoDB backend, +in a format like: + +++ ++{ "username": "user@example.com", + "alias": [ + {"address": "admin@example.com"}, + {"address": "abuse@example.com"} + ], + "active": 1 +} ++ Upon receiving mail for "admin@example.com" that isn't found in the +/etc/postfix/virtual_aliases database, Postfix will search the +MongoDB server/cluster listening at port 27017 on some_server. It +will connect using the provided credentials, and search for any +entries whose username is, or alias field has "admin@example.com". +It will return the username attribute of those found, and build a +list of their email addresses. + +Notes: + +
Example: Mailing lists+ +When it comes to mailing lists, one way of implementing one would +be as below: + +++ ++{ "name": "dev@example.com", "active": 1, "address": + [ "hamid@example.com", "wietse@example.com", "viktor@example.com" ] } ++ using the filter below, will result in a comma separated string +with all email addresses in this list. + +++ ++query_filter = {"name": "%s", "active": 1} +result_attribute = address ++ Notes: + +
Example: advanced projections+ +This module also supports the use of more complex MongoDB +projections. There may be some use cases where operations such as +concatenation are necessary to be performed on the data retrieved +from the database. Although it is encouraged to keep the database +design simple enough so this is not necessary, postfix supports the +use of MongoDB projections to achieve the goal. + +Consider the example below: + +++ ++{ "username": "user@example.com", + "local_part": "user", + "domain": "example.com", + "alias": [ + {"address": "admin@example.com"}, + {"address": "abuse@example.com"} + ], + "active": 1 +} ++ virtual_mailbox_maps can be created using below parameters in a +mongodb:/etc/postfix/mongo-virtual-mailboxes.cf file: + +++ ++uri = mongodb+srv://user_name:password@some_server +dbname = mail +collection = mailbox +query_filter = {"$or": [{"username":"%s"}, {"alias.address": "%s"}], "active": 1} +projection = { "mail_path": {"$concat": ["$domain", "/", "$local_part"]} } ++ This will return 'example.com/user' path built from the database fields. + +A couple of considerations when using projections: + +
Feedback+ +If you have questions, send them to postfix-users@postfix.org. +Please include relevant information about your Postfix setup: +MongoDB-related output from postconf, which libraries you built +with, and such. If your question involves your database contents, +please include the applicable bits of some database entries. + +Credits+ +
postscreen(8) uses a variety of measurements to recognize zombies. First, postscreen(8) determines if the remote SMTP client @@ -159,7 +159,7 @@ overhead for legitimate clients. Quick tests before everything else-Before engaging in SMTP-level tests. postscreen(8) queries a + Before engaging in SMTP-level tests, postscreen(8) queries a number of local deny and allowlists. These tests speed up the handling of known clients. diff --git a/html/TLS_README.html b/html/TLS_README.html index eb9965a..a77f69d 100644 --- a/html/TLS_README.html +++ b/html/TLS_README.html 
@@ -2266,82 +2266,124 @@ describe the corresponding table syntax: additional attributes are supported at this level.-SMTP(8) SMTP(8) +SMTP,(LMTP) SMTP,(LMTP) NAME - smtp - Postfix SMTP+LMTP client + smtp, lmtp - Postfix SMTP+LMTP client SYNOPSIS smtp [generic Postfix daemon options] [flags=DORX] + lmtp [generic Postfix daemon options] [flags=DORX] + DESCRIPTION The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery protocols. It processes message delivery requests from the queue man- ager. Each request specifies a queue file, a sender address, a domain or host to deliver to, and recipient information. This program expects - to be run from the master(8) process manager. + to be run from the master(8) process manager. The process name, smtp or + lmtp, controls the protocol, and the names of the configuration parame- + ters that will be used. The SMTP+LMTP client updates the queue file and marks recipients as finished, or it informs the queue manager that delivery should be tried again at a later time. Delivery status reports are sent to the bounce(8), defer(8) or trace(8) daemon as appropriate. - The SMTP+LMTP client looks up a list of mail exchanger addresses for - the destination host, sorts the list by preference, and connects to - each listed address until it finds a server that responds. - - When a server is not reachable, or when mail delivery fails due to a - recoverable error condition, the SMTP+LMTP client will try to deliver - the mail to an alternate host. + The server lookup strategy is different for SMTP and LMTP, as described + in the sections "SMTP SERVER LOOKUP" and "LMTP SERVER LOOKUP". - After a successful mail transaction, a connection may be saved to the - scache(8) connection cache server, so that it may be used by any + After a successful mail transaction, a connection may be saved to the + scache(8) connection cache server, so that it may be used by any SMTP+LMTP client for a subsequent transaction. 
- By default, connection caching is enabled temporarily for destinations + By default, connection caching is enabled temporarily for destinations that have a high volume of mail in the active queue. Connection caching can be enabled permanently for specific destinations. -SMTP DESTINATION SYNTAX - The Postfix SMTP+LMTP client supports multiple destinations separated - by comma or whitespace (Postfix 3.5 and later). SMTP destinations have - the following form: +SMTP SERVER LOOKUP + The Postfix SMTP client supports multiple destinations separated by + comma or whitespace (Postfix 3.5 and later). Each destination is tried + in the specified order. + + SMTP destinations have the following form: domainname - domainname:port - Look up the mail exchangers for the specified domain, and con- - nect to the specified port (default: smtp). + domainname:service + Look up the mail exchangers for the specified domain, and con- + nect to the specified service (default: smtp). Optionally, mail + exchangers may be looked up with SRV queries instead of MX; this + requires that service is given in symbolic form. [hostname] - [hostname]:port - Look up the address(es) of the specified host, and connect to - the specified port (default: smtp). + [hostname]:service + Look up the address(es) for the specified host, and connect to + the specified service (default: smtp). [address] - [address]:port + [address]:service Connect to the host at the specified address, and connect to the - specified port (default: smtp). An IPv6 address must be format- - ted as [ipv6:address]. + specified service (default: smtp). An IPv6 address must be for- + matted as [ipv6:address]. -LMTP DESTINATION SYNTAX - The Postfix SMTP+LMTP client supports multiple destinations separated - by comma or whitespace (Postfix 3.5 and later). LMTP destinations have - the following form: +LMTP SERVER LOOKUP + The Postfix LMTP client supports multiple destinations separated by + comma or whitespace (Postfix 3.5 and later). 
Each destination is tried + in the specified order. + + LMTP destinations have the following form: unix:pathname - Connect to the local UNIX-domain server that is bound to the - specified pathname. If the process runs chrooted, an absolute + Connect to the local UNIX-domain server that is bound to the + specified pathname. If the process runs chrooted, an absolute pathname is interpreted relative to the Postfix queue directory. + inet:domainname + + inet:domainname:service + Look up the LMTP servers for the specified domain and service + (default: lmtp). This form is supported when SRV lookups are + enabled, and requires that service is in symbolic form. + inet:hostname - inet:hostname:port + inet:hostname:service + Look up the address(es) for the specified host, and connect to + the specified service (default: lmtp). When SRV lookups are + enabled, use the form [hostname] to force address lookups. inet:[address] - inet:[address]:port - Connect to the specified TCP port on the specified local or - remote host. If no port is specified, connect to the port - defined as lmtp in services(4). If no such service is found, - the lmtp_tcp_port configuration parameter (default value of 24) - will be used. An IPv6 address must be formatted as + inet:[address]:service + Connect to the specified local or remote host and service + (default: lmtp). An IPv6 address must be formatted as [ipv6:address]. SINGLE-RECIPIENT DELIVERY @@ -136,10 +148,9 @@ SMTP(8) SMTP(8) This feature is available as of Postfix 3.5. SECURITY - The SMTP+LMTP client is moderately security-sensitive. It - talks to SMTP or LMTP servers and to DNS servers on the - network. The SMTP+LMTP client can be run chrooted at fixed - low privilege. + The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP + or LMTP servers and to DNS servers on the network. The SMTP+LMTP client + can be run chrooted at fixed low privilege. STANDARDS RFC 821 (SMTP protocol) 
@@ -180,20 +191,19 @@ SMTP(8) SMTP(8) for all destinations that map onto the same IP address and TCP port. CONFIGURATION PARAMETERS - Before Postfix version 2.3, the LMTP client is a separate program that - implements only a subset of the functionality available with SMTP: - there is no support for TLS, and connections are cached in-process, - making it ineffective when the client is used for multiple domains. + Postfix versions 2.3 and later implement the SMTP and LMTP client with + the same program, and choose the protocol and configuration parameters + based on the process name, smtp or lmtp. Most smtp_xxx configuration parameters have an lmtp_xxx "mirror" param- - eter for the equivalent LMTP feature. This document describes only + eter for the equivalent LMTP feature. This document describes only those LMTP-related parameters that aren't simply "mirror" parameters. - Changes to main.cf are picked up automatically, as smtp(8) processes + Changes to main.cf are picked up automatically, as smtp(8) processes run for only a limited amount of time. Use the command "postfix reload" to speed up a change. - The text below provides only a parameter summary. See postconf(5) for + The text below provides only a parameter summary. See postconf(5) for more details including examples. COMPATIBILITY CONTROLS @@ -214,8 +224,8 @@ SMTP(8) SMTP(8) will send via SMTP. smtp_pix_workaround_delay_time (10s) - How long the Postfix SMTP client pauses before sending - ".<CR><LF>" in order to work around the PIX firewall + How long the Postfix SMTP client pauses before sending + ".<CR><LF>" in order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug. smtp_pix_workaround_threshold_time (500s) 
@@ -224,19 +234,19 @@ SMTP(8) SMTP(8) delivery through firewalls with "smtp fixup" mode turned on. smtp_pix_workarounds (disable_esmtp, delay_dotcrlf) - A list that specifies zero or more workarounds for CISCO PIX + A list that specifies zero or more workarounds for CISCO PIX firewall bugs. smtp_pix_workaround_maps (empty) - Lookup tables, indexed by the remote SMTP server address, with + Lookup tables, indexed by the remote SMTP server address, with per-destination workarounds for CISCO PIX firewall bugs. smtp_quote_rfc821_envelope (yes) - Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO + Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands as required by RFC 5321. smtp_reply_filter (empty) - A mechanism to transform replies from remote SMTP servers one + A mechanism to transform replies from remote SMTP servers one line at a time. smtp_skip_5xx_greeting (yes) 
@@ -248,68 +258,68 @@ SMTP(8) SMTP(8) Available in Postfix version 2.0 and earlier: smtp_skip_4xx_greeting (yes) - Skip SMTP servers that greet with a 4XX status code (go away, + Skip SMTP servers that greet with a 4XX status code (go away, try again later). Available in Postfix version 2.2 and later: smtp_discard_ehlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote SMTP server address, with - case insensitive lists of EHLO keywords (pipelining, starttls, + Lookup tables, indexed by the remote SMTP server address, with + case insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. smtp_discard_ehlo_keywords (empty) - A case insensitive list of EHLO keywords (pipelining, starttls, + A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. smtp_generic_maps (empty) - Optional lookup tables that perform address rewriting in the - Postfix SMTP client, typically to transform a locally valid - address into a globally valid address when sending mail across + Optional lookup tables that perform address rewriting in the + Postfix SMTP client, typically to transform a locally valid + address into a globally valid address when sending mail across the Internet. Available in Postfix version 2.2.9 and later: smtp_cname_overrides_servername (version dependent) - When the remote SMTP servername is a DNS CNAME, replace the - servername with the result from CNAME expansion for the purpose - of logging, SASL password lookup, TLS policy decisions, or TLS + When the remote SMTP servername is a DNS CNAME, replace the + servername with the result from CNAME expansion for the purpose + of logging, SASL password lookup, TLS policy decisions, or TLS certificate verification. 
Available in Postfix version 2.3 and later: lmtp_discard_lhlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote LMTP server address, with - case insensitive lists of LHLO keywords (pipelining, starttls, + Lookup tables, indexed by the remote LMTP server address, with + case insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.) that the Postfix LMTP client will ignore in the LHLO response from a remote LMTP server. lmtp_discard_lhlo_keywords (empty) - A case insensitive list of LHLO keywords (pipelining, starttls, + A case insensitive list of LHLO keywords (pipelining, starttls, auth, etc.) that the Postfix LMTP client will ignore in the LHLO response from a remote LMTP server. Available in Postfix version 2.4.4 and later: send_cyrus_sasl_authzid (no) - When authenticating to a remote SMTP or LMTP server with the - default setting "no", send no SASL authoriZation ID (authzid); - send only the SASL authentiCation ID (authcid) plus the auth- + When authenticating to a remote SMTP or LMTP server with the + default setting "no", send no SASL authoriZation ID (authzid); + send only the SASL authentiCation ID (authcid) plus the auth- cid's password. Available in Postfix version 2.5 and later: smtp_header_checks (empty) - Restricted header_checks(5) tables for the Postfix SMTP client. + Restricted header_checks(5) tables for the Postfix SMTP client. smtp_mime_header_checks (empty) - Restricted mime_header_checks(5) tables for the Postfix SMTP + Restricted mime_header_checks(5) tables for the Postfix SMTP client. smtp_nested_header_checks (empty) - Restricted nested_header_checks(5) tables for the Postfix SMTP + Restricted nested_header_checks(5) tables for the Postfix SMTP client. smtp_body_checks (empty) 
@@ -318,7 +328,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.6 and later: tcp_windowsize (0) - An optional workaround for routers that break TCP window scal- + An optional workaround for routers that break TCP window scal- ing. Available in Postfix version 2.8 and later: @@ -329,16 +339,16 @@ SMTP(8) SMTP(8) Available in Postfix version 2.9 - 3.6: smtp_per_record_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per read or write system call, to a time limit to - send or receive a complete record (an SMTP command line, SMTP - response line, SMTP message content line, or TLS protocol mes- + Change the behavior of the smtp_*_timeout time limits, from a + time limit per read or write system call, to a time limit to + send or receive a complete record (an SMTP command line, SMTP + response line, SMTP message content line, or TLS protocol mes- sage). Available in Postfix version 2.9 and later: smtp_send_dummy_mail_auth (no) - Whether or not to append the "AUTH=<>" option to the MAIL FROM + Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. Available in Postfix version 2.11 and later: @@ -349,7 +359,7 @@ SMTP(8) SMTP(8) Available in Postfix version 3.0 and later: smtp_delivery_status_filter ($default_delivery_status_filter) - Optional filter for the smtp(8) delivery agent to change the + Optional filter for the smtp(8) delivery agent to change the delivery status code or explanatory text of successful or unsuc- cessful deliveries. 
@@ -359,38 +369,38 @@ SMTP(8) SMTP(8) Available in Postfix version 3.3 and later: smtp_balance_inet_protocols (yes) - When a remote destination resolves to a combination of IPv4 and + When a remote destination resolves to a combination of IPv4 and IPv6 addresses, ensure that the Postfix SMTP client can try both address types before it runs into the smtp_mx_address_limit. Available in Postfix 3.5 and later: info_log_address_format (external) - The email address form that will be used in non-debug logging + The email address form that will be used in non-debug logging (info, warning, etc.). Available in Postfix 3.6 and later: dnssec_probe (ns:.) - The DNS query type (default: "ns") and DNS query name (default: + The DNS query type (default: "ns") and DNS query name (default: ".") that Postfix may use to determine whether DNSSEC validation is available. - known_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submis- + known_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submis- sion=587) - Optional setting that avoids lookups in the services(5) data- + Optional setting that avoids lookups in the services(5) data- base. Available in Postfix version 3.7 and later: smtp_per_request_deadline (no) - Change the behavior of the smtp_*_timeout time limits, from a - time limit per plaintext or TLS read or write call, to a com- - bined time limit for sending a complete SMTP request and for + Change the behavior of the smtp_*_timeout time limits, from a + time limit per plaintext or TLS read or write call, to a com- + bined time limit for sending a complete SMTP request and for receiving a complete SMTP response. smtp_min_data_rate (500) - The minimum plaintext data transfer rate in bytes/second for + The minimum plaintext data transfer rate in bytes/second for DATA requests, when deadlines are enabled with smtp_per_request_deadline. 
@@ -400,16 +410,16 @@ SMTP(8) SMTP(8) Available in Postfix version 3.8 and later: use_srv_lookup (empty) - Enables discovery for the specified service(s) using DNS SRV + Enables discovery for the specified service(s) using DNS SRV records. ignore_srv_lookup_error (no) - When SRV record lookup fails, fall back to MX or IP address + When SRV record lookup fails, fall back to MX or IP address lookup as if SRV record lookup was not enabled. allow_srv_lookup_fallback (no) - When SRV record lookup fails or no SRV record exists, fall back - to MX or IP address lookup as if SRV record lookup was not + When SRV record lookup fails or no SRV record exists, fall back + to MX or IP address lookup as if SRV record lookup was not enabled. MIME PROCESSING CONTROLS @@ -428,7 +438,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_send_xforward_command (no) - Send the non-standard XFORWARD command when the Postfix SMTP + Send the non-standard XFORWARD command when the Postfix SMTP server EHLO response announces XFORWARD support. SASL AUTHENTICATION CONTROLS 
@@ -436,60 +446,66 @@ SMTP(8) SMTP(8) Enable SASL authentication in the Postfix SMTP client. smtp_sasl_password_maps (empty) - Optional Postfix SMTP client lookup tables with one user- - name:password entry per sender, remote hostname or next-hop + Optional Postfix SMTP client lookup tables with one user- + name:password entry per sender, remote hostname or next-hop domain. smtp_sasl_security_options (noplaintext, noanonymous) Postfix SMTP client SASL security options; as of Postfix 2.3 the - list of available features depends on the SASL client implemen- + list of available features depends on the SASL client implemen- tation that is selected with smtp_sasl_type. Available in Postfix version 2.2 and later: smtp_sasl_mechanism_filter (empty) - If non-empty, a Postfix SMTP client filter for the remote SMTP + If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered SASL mechanisms. Available in Postfix version 2.3 and later: smtp_sender_dependent_authentication (no) Enable sender-dependent authentication in the Postfix SMTP - client; this is available only with SASL authentication, and - disables SMTP connection caching to ensure that mail from dif- + client; this is available only with SASL authentication, and + disables SMTP connection caching to ensure that mail from dif- ferent senders will use the appropriate credentials. smtp_sasl_path (empty) Implementation-specific information that the Postfix SMTP client - passes through to the SASL plug-in implementation that is + passes through to the SASL plug-in implementation that is selected with smtp_sasl_type. smtp_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP client should use + The SASL plug-in type that the Postfix SMTP client should use for authentication. 
Available in Postfix version 2.5 and later: smtp_sasl_auth_cache_name (empty) - An optional table to prevent repeated SASL authentication fail- - ures with the same remote SMTP server hostname, username and + An optional table to prevent repeated SASL authentication fail- + ures with the same remote SMTP server hostname, username and password. smtp_sasl_auth_cache_time (90d) - The maximal age of an smtp_sasl_auth_cache_name entry before it + The maximal age of an smtp_sasl_auth_cache_name entry before it is removed. smtp_sasl_auth_soft_bounce (yes) - When a remote SMTP server rejects a SASL authentication request - with a 535 reply code, defer mail delivery instead of returning + When a remote SMTP server rejects a SASL authentication request + with a 535 reply code, defer mail delivery instead of returning mail as undeliverable. Available in Postfix version 2.9 and later: smtp_send_dummy_mail_auth (no) - Whether or not to append the "AUTH=<>" option to the MAIL FROM + Whether or not to append the "AUTH=<>" option to the MAIL FROM command in SASL-authenticated SMTP sessions. + Available in Postfix version 3.9 and later: + + smtp_sasl_password_result_delimiter (:) + The delimiter between username and password in sasl_passwd_maps + lookup results. + STARTTLS SUPPORT CONTROLS Detailed information about STARTTLS configuration may be found in the TLS_README document. @@ -619,7 +635,7 @@ SMTP(8) SMTP(8) Available in Postfix version 2.6 and later: - smtp_tls_protocols (see postconf -d output) + smtp_tls_protocols (see 'postconf -d' output) TLS protocols that the Postfix SMTP client will use with oppor- tunistic TLS encryption. 
@@ -724,6 +740,12 @@ SMTP(8) SMTP(8) The application name passed by Postfix to OpenSSL library ini- tialization functions. + Available in Postfix version 3.9 and later: + + smtp_tls_enable_rpk (no) + Request that remote SMTP servers send an RFC7250 raw public key + instead of an X.509 certificate. + OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compatibility with Postfix versions before 2.3. Support for these will be removed in a @@ -954,7 +976,7 @@ SMTP(8) SMTP(8) The local network interface addresses that this mail system receives mail on. - inet_protocols (see 'postconf -d output') + inet_protocols (see 'postconf -d' output) The Internet protocols Postfix will attempt to use when making or accepting connections. @@ -1119,5 +1141,5 @@ SMTP(8) SMTP(8) Victor Duchovni Morgan Stanley - SMTP(8) + 8 SMTP,(LMTP) |
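Review bot: in the "LMTP destinations" hunk, the new inet:domainname and inet:hostname entries have identical syntax, and the text says only "when SRV lookups are enabled" without naming the setting that enables them. Which form applies decides where mail is delivered, so name the parameter (use_srv_lookup, summarized further down under "Available in Postfix version 3.8 and later") in both entries. The hunk also drops the old explanation of how a missing port is resolved (services(4), then lmtp_tcp_port with default 24) and leaves only "(default: lmtp)". Either say where the lmtp service name is now resolved, for example with a pointer to known_tcp_ports, or state that lmtp_tcp_port no longer applies.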
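Review bot: in the hunks from "@@ -214,8 +224,8 @@" through "@@ -436,60 +446,66 @@", almost every removed/added pair reads the same as shown here (for example the smtp_pix_workaround_delay_time and smtp_generic_maps entries), so these look like re-justification of generated man-page text. That churn buries the real additions (the SRV destination forms, smtp_sasl_password_result_delimiter, smtp_tls_enable_rpk). If this file is generated, consider regenerating it in a separate commit or reviewing with whitespace changes ignored.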
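Review bot: in the "@@ -436,60 +446,66 @@" hunk, the new smtp_sasl_password_result_delimiter entry refers to "sasl_passwd_maps lookup results", but the parameter documented a few lines above in the same section is smtp_sasl_password_maps. Use the real parameter name so readers can find it with postconf. It would also help to say that the delimiter applies to the lookup result only, since the existing smtp_sasl_password_maps summary still describes the entry format as "username:password" with a fixed colon.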
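Review bot: in the "@@ -724,6 +740,12 @@" hunk, the smtp_tls_enable_rpk summary says the client requests a raw public key "instead of an X.509 certificate" but does not say how that key is then authenticated. A raw public key carries no subject name or issuer chain, so the summary should at least point to TLS_README or postconf(5) for how the setting interacts with the client's TLS security levels, so that an operator does not enable it assuming certificate-style verification still happens. Style nit: "RFC7250" is written without a space, while the rest of the page uses "RFC 821" and "RFC 5321".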
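Review bot: in the final hunk ("@@ -1119,5 +1141,5 @@"), the footer changes from "SMTP(8)" to "8 SMTP,(LMTP)", which looks like a rendering artifact of the man-page title line rather than an intended edit; the page headers in every hunk context line still read "SMTP(8) SMTP(8)". Check the title macro in the source man page and regenerate this file so the footer matches the header.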