From b7c15c31519dc44c1f691e0466badd556ffe9423 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 7 Apr 2024 18:18:56 +0200
Subject: Adding upstream version 3.7.10.

Signed-off-by: Daniel Baumann
---
 html/smtp.8.html | 1092 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1092 insertions(+)
 create mode 100644 html/smtp.8.html

(limited to 'html/smtp.8.html')

diff --git a/html/smtp.8.html b/html/smtp.8.html
new file mode 100644
index 0000000..8593cde
--- /dev/null
+++ b/html/smtp.8.html
@@ -0,0 +1,1092 @@
+ + + + Postfix manual - smtp(8) +
+SMTP(8)                                                                SMTP(8)
+
+NAME
+       smtp - Postfix SMTP+LMTP client
+
+SYNOPSIS
+       smtp [generic Postfix daemon options] [flags=DORX]
+
+DESCRIPTION
+       The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery
+       protocols. It processes message delivery requests from the  queue  man-
+       ager.  Each  request specifies a queue file, a sender address, a domain
+       or host to deliver to, and recipient information.  This program expects
+       to be run from the master(8) process manager.
+
+       The  SMTP+LMTP  client  updates  the queue file and marks recipients as
+       finished, or it informs the queue manager that delivery should be tried
+       again  at  a  later  time.  Delivery  status  reports  are  sent to the
+       bounce(8), defer(8) or trace(8) daemon as appropriate.
+
+       The SMTP+LMTP client looks up a list of mail  exchanger  addresses  for
+       the  destination  host,  sorts  the list by preference, and connects to
+       each listed address until it finds a server that responds.
+
+       When a server is not reachable, or when mail delivery fails  due  to  a
+       recoverable  error  condition, the SMTP+LMTP client will try to deliver
+       the mail to an alternate host.
+
+       After a successful mail transaction, a connection may be saved  to  the
+       scache(8)  connection  cache  server,  so  that  it  may be used by any
+       SMTP+LMTP client for a subsequent transaction.
+
+       By default, connection caching is enabled temporarily for  destinations
+       that have a high volume of mail in the active queue. Connection caching
+       can be enabled permanently for specific destinations.
+
+SMTP DESTINATION SYNTAX
+       The Postfix SMTP+LMTP client supports multiple  destinations  separated
+       by comma or whitespace (Postfix 3.5 and later).  SMTP destinations have
+       the following form:
+
+       domainname
+
+       domainname:port
+              Look up the mail exchangers for the specified domain,  and  con-
+              nect to the specified port (default: smtp).
+
+       [hostname]
+
+       [hostname]:port
+              Look  up  the  address(es) of the specified host, and connect to
+              the specified port (default: smtp).
+
+       [address]
+
+       [address]:port
+              Connect to the host at the specified address, and connect to the
+              specified  port (default: smtp). An IPv6 address must be format-
+              ted as [ipv6:address].
+
+LMTP DESTINATION SYNTAX
+       The Postfix SMTP+LMTP client supports multiple  destinations  separated
+       by comma or whitespace (Postfix 3.5 and later).  LMTP destinations have
+       the following form:
+
+       unix:pathname
+              Connect to the local UNIX-domain server that  is  bound  to  the
+              specified  pathname.  If  the process runs chrooted, an absolute
+              pathname is interpreted relative to the Postfix queue directory.
+
+       inet:hostname
+
+       inet:hostname:port
+
+       inet:[address]
+
+       inet:[address]:port
+              Connect  to  the  specified  TCP  port on the specified local or
+              remote host. If no  port  is  specified,  connect  to  the  port
+              defined  as  lmtp  in services(4).  If no such service is found,
+              the lmtp_tcp_port configuration parameter (default value of  24)
+              will   be   used.    An   IPv6  address  must  be  formatted  as
+              [ipv6:address].
+
+SINGLE-RECIPIENT DELIVERY
+       By default, the Postfix SMTP+LMTP  client  delivers  mail  to  multiple
+       recipients  per delivery request. This is undesirable when prepending a
+       Delivered-to: or X-Original-To: message header. To prevent Postfix from
+       sending multiple recipients per delivery request, specify
+
+           transport_destination_recipient_limit = 1
+
+       in  the  Postfix main.cf file, where transport is the name in the first
+       column of the Postfix master.cf entry for this mail delivery service.
+
+COMMAND ATTRIBUTE SYNTAX
+       flags=DORX (optional)
+              Optional message processing flags.
+
+              D      Prepend a "Delivered-To: recipient" message  header  with
+                     the  envelope  recipient address. Note: for this to work,
+                     the transport_destination_recipient_limit must be 1  (see
+                     SINGLE-RECIPIENT DELIVERY above for details).
+
+                     The  D  flag  also  enforces loop detection: if a message
+                     already contains a Delivered-To:  header  with  the  same
+                     recipient  address, then the message is returned as unde-
+                     liverable. The address comparison is case insensitive.
+
+                     This feature is available as of Postfix 3.5.
+
+              O      Prepend an "X-Original-To: recipient" message header with
+                     the recipient address as given to Postfix. Note: for this
+                     to work, the  transport_destination_recipient_limit  must
+                     be 1 (see SINGLE-RECIPIENT DELIVERY above for details).
+
+                     This feature is available as of Postfix 3.5.
+
+              R      Prepend a "Return-Path: <sender>" message header with the
+                     envelope sender address.
+
+                     This feature is available as of Postfix 3.5.
+
+              X      Indicates that the delivery is final. This  flag  affects
+                     the  status  reported  in  "success" DSN (delivery status
+                     notification) messages, and  changes  it  from  "relayed"
+                     into "delivered".
+
+                     This feature is available as of Postfix 3.5.
+
+SECURITY
+       The SMTP+LMTP client is moderately security-sensitive. It
+       talks to SMTP or LMTP servers and to DNS servers on the
+       network. The SMTP+LMTP client can be run chrooted at fixed
+       low privilege.
+
+STANDARDS
+       RFC 821 (SMTP protocol)
+       RFC 822 (ARPA Internet Text Messages)
+       RFC 1651 (SMTP service extensions)
+       RFC 1652 (8bit-MIME transport)
+       RFC 1870 (Message Size Declaration)
+       RFC 2033 (LMTP protocol)
+       RFC 2034 (SMTP Enhanced Error Codes)
+       RFC 2045 (MIME: Format of Internet Message Bodies)
+       RFC 2046 (MIME: Media Types)
+       RFC 2554 (AUTH command)
+       RFC 2821 (SMTP protocol)
+       RFC 2920 (SMTP Pipelining)
+       RFC 3207 (STARTTLS command)
+       RFC 3461 (SMTP DSN Extension)
+       RFC 3463 (Enhanced Status Codes)
+       RFC 4954 (AUTH command)
+       RFC 5321 (SMTP protocol)
+       RFC 6531 (Internationalized SMTP)
+       RFC 6533 (Internationalized Delivery Status Notifications)
+       RFC 7672 (SMTP security via opportunistic DANE TLS)
+
+DIAGNOSTICS
+       Problems  and  transactions  are  logged  to syslogd(8) or postlogd(8).
+       Corrupted message files are marked so that the queue manager  can  move
+       them to the corrupt queue for further inspection.
+
+       Depending  on the setting of the notify_classes parameter, the postmas-
+       ter is notified of bounces, protocol problems, and of other trouble.
+
+BUGS
+       SMTP and LMTP connection reuse for TLS (without  closing  the  SMTP  or
+       LMTP connection) is not supported before Postfix 3.4.
+
+       SMTP  and LMTP connection reuse assumes that SASL credentials are valid
+       for all destinations that map onto the same IP address and TCP port.
+
+CONFIGURATION PARAMETERS
+       Before Postfix version 2.3, the LMTP client is a separate program  that
+       implements  only  a  subset  of  the functionality available with SMTP:
+       there is no support for TLS, and  connections  are  cached  in-process,
+       making it ineffective when the client is used for multiple domains.
+
+       Most smtp_xxx configuration parameters have an lmtp_xxx "mirror" param-
+       eter for the equivalent LMTP  feature.  This  document  describes  only
+       those LMTP-related parameters that aren't simply "mirror" parameters.
+
+       Changes  to  main.cf  are picked up automatically, as smtp(8) processes
+       run for only a limited amount of time. Use the command "postfix reload"
+       to speed up a change.
+
+       The  text  below provides only a parameter summary. See postconf(5) for
+       more details including examples.
+
+COMPATIBILITY CONTROLS
+       ignore_mx_lookup_error (no)
+              Ignore DNS MX lookups that produce no response.
+
+       smtp_always_send_ehlo (yes)
+              Always send EHLO at the start of an SMTP session.
+
+       smtp_never_send_ehlo (no)
+              Never send EHLO at the start of an SMTP session.
+
+       smtp_defer_if_no_mx_address_found (no)
+              Defer mail delivery when no MX record resolves to an IP address.
+
+       smtp_line_length_limit (998)
+              The maximal length of message header and body lines that Postfix
+              will send via SMTP.
+
+       smtp_pix_workaround_delay_time (10s)
+              How  long  the  Postfix  SMTP  client  pauses   before   sending
+              ".<CR><LF>"   in   order   to   work  around  the  PIX  firewall
+              "<CR><LF>.<CR><LF>" bug.
+
+       smtp_pix_workaround_threshold_time (500s)
+              How long a message must be queued before the Postfix SMTP client
+              turns on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for
+              delivery through firewalls with "smtp fixup" mode turned on.
+
+       smtp_pix_workarounds (disable_esmtp, delay_dotcrlf)
+              A list that specifies zero or more  workarounds  for  CISCO  PIX
+              firewall bugs.
+
+       smtp_pix_workaround_maps (empty)
+              Lookup  tables,  indexed by the remote SMTP server address, with
+              per-destination workarounds for CISCO PIX firewall bugs.
+
+       smtp_quote_rfc821_envelope (yes)
+              Quote addresses in Postfix SMTP client MAIL  FROM  and  RCPT  TO
+              commands as required by RFC 5321.
+
+       smtp_reply_filter (empty)
+              A  mechanism  to  transform replies from remote SMTP servers one
+              line at a time.
+
+       smtp_skip_5xx_greeting (yes)
+              Skip remote SMTP servers that greet with a 5XX status code.
+
+       smtp_skip_quit_response (yes)
+              Do not wait for the response to the SMTP QUIT command.
+
+       Available in Postfix version 2.0 and earlier:
+
+       smtp_skip_4xx_greeting (yes)
+              Skip SMTP servers that greet with a 4XX status  code  (go  away,
+              try again later).
+
+       Available in Postfix version 2.2 and later:
+
+       smtp_discard_ehlo_keyword_address_maps (empty)
+              Lookup  tables,  indexed by the remote SMTP server address, with
+              case insensitive lists of EHLO keywords  (pipelining,  starttls,
+              auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+              response from a remote SMTP server.
+
+       smtp_discard_ehlo_keywords (empty)
+              A case insensitive list of EHLO keywords (pipelining,  starttls,
+              auth, etc.) that the Postfix SMTP client will ignore in the EHLO
+              response from a remote SMTP server.
+
+       smtp_generic_maps (empty)
+              Optional lookup tables that perform  address  rewriting  in  the
+              Postfix  SMTP  client,  typically  to  transform a locally valid
+              address into a globally valid address when sending  mail  across
+              the Internet.
+
+       Available in Postfix version 2.2.9 and later:
+
+       smtp_cname_overrides_servername (version dependent)
+              When  the  remote  SMTP  servername  is a DNS CNAME, replace the
+              servername with the result from CNAME expansion for the  purpose
+              of  logging,  SASL password lookup, TLS policy decisions, or TLS
+              certificate verification.
+
+       Available in Postfix version 2.3 and later:
+
+       lmtp_discard_lhlo_keyword_address_maps (empty)
+              Lookup tables, indexed by the remote LMTP server  address,  with
+              case  insensitive  lists of LHLO keywords (pipelining, starttls,
+              auth, etc.) that the Postfix LMTP client will ignore in the LHLO
+              response from a remote LMTP server.
+
+       lmtp_discard_lhlo_keywords (empty)
+              A  case insensitive list of LHLO keywords (pipelining, starttls,
+              auth, etc.) that the Postfix LMTP client will ignore in the LHLO
+              response from a remote LMTP server.
+
+       Available in Postfix version 2.4.4 and later:
+
+       send_cyrus_sasl_authzid (no)
+              When  authenticating  to  a  remote SMTP or LMTP server with the
+              default setting "no", send no SASL authoriZation  ID  (authzid);
+              send  only  the  SASL authentiCation ID (authcid) plus the auth-
+              cid's password.
+
+       Available in Postfix version 2.5 and later:
+
+       smtp_header_checks (empty)
+              Restricted header_checks(5) tables for the Postfix SMTP  client.
+
+       smtp_mime_header_checks (empty)
+              Restricted  mime_header_checks(5)  tables  for  the Postfix SMTP
+              client.
+
+       smtp_nested_header_checks (empty)
+              Restricted nested_header_checks(5) tables for the  Postfix  SMTP
+              client.
+
+       smtp_body_checks (empty)
+              Restricted body_checks(5) tables for the Postfix SMTP client.
+
+       Available in Postfix version 2.6 and later:
+
+       tcp_windowsize (0)
+              An  optional  workaround for routers that break TCP window scal-
+              ing.
+
+       Available in Postfix version 2.8 and later:
+
+       smtp_dns_resolver_options (empty)
+              DNS Resolver options for the Postfix SMTP client.
+
+       Available in Postfix version 2.9 - 3.6:
+
+       smtp_per_record_deadline (no)
+              Change the behavior of the smtp_*_timeout time  limits,  from  a
+              time  limit  per  read  or write system call, to a time limit to
+              send or receive a complete record (an SMTP  command  line,  SMTP
+              response  line,  SMTP message content line, or TLS protocol mes-
+              sage).
+
+       Available in Postfix version 2.9 and later:
+
+       smtp_send_dummy_mail_auth (no)
+              Whether or not to append the "AUTH=<>" option to the  MAIL  FROM
+              command in SASL-authenticated SMTP sessions.
+
+       Available in Postfix version 2.11 and later:
+
+       smtp_dns_support_level (empty)
+              Level of DNS support in the Postfix SMTP client.
+
+       Available in Postfix version 3.0 and later:
+
+       smtp_delivery_status_filter ($default_delivery_status_filter)
+              Optional  filter  for  the  smtp(8) delivery agent to change the
+              delivery status code or explanatory text of successful or unsuc-
+              cessful deliveries.
+
+       smtp_dns_reply_filter (empty)
+              Optional filter for Postfix SMTP client DNS lookup results.
+
+       Available in Postfix version 3.3 and later:
+
+       smtp_balance_inet_protocols (yes)
+              When  a remote destination resolves to a combination of IPv4 and
+              IPv6 addresses, ensure that the Postfix SMTP client can try both
+              address types before it runs into the smtp_mx_address_limit.
+
+       Available in Postfix 3.5 and later:
+
+       info_log_address_format (external)
+              The  email  address  form that will be used in non-debug logging
+              (info, warning, etc.).
+
+       Available in Postfix 3.6 and later:
+
+       dnssec_probe (ns:.)
+              The DNS query type (default: "ns") and DNS query name  (default:
+              ".") that Postfix may use to determine whether DNSSEC validation
+              is available.
+
+       known_tcp_ports  (lmtp=24,  smtp=25,   smtps=submissions=465,   submis-
+       sion=587)
+              Optional setting that avoids lookups in  the  services(5)  data-
+              base.
+
+       Available in Postfix version 3.7 and later:
+
+       smtp_per_request_deadline (no)
+              Change  the  behavior  of the smtp_*_timeout time limits, from a
+              time limit per plaintext or TLS read or write call,  to  a  com-
+              bined  time  limit  for  sending a complete SMTP request and for
+              receiving a complete SMTP response.
+
+       smtp_min_data_rate (500)
+              The minimum plaintext data transfer  rate  in  bytes/second  for
+              DATA    requests,    when    deadlines    are    enabled    with
+              smtp_per_request_deadline.
+
+       header_from_format (standard)
+              The format of the Postfix-generated From: header.
+
+MIME PROCESSING CONTROLS
+       Available in Postfix version 2.0 and later:
+
+       disable_mime_output_conversion (no)
+              Disable the conversion of 8BITMIME format to 7BIT format.
+
+       mime_boundary_length_limit (2048)
+              The maximal length of MIME multipart boundary strings.
+
+       mime_nesting_limit (100)
+              The maximal recursion level that the MIME processor will handle.
+
+EXTERNAL CONTENT INSPECTION CONTROLS
+       Available in Postfix version 2.1 and later:
+
+       smtp_send_xforward_command (no)
+              Send  the  non-standard  XFORWARD  command when the Postfix SMTP
+              server EHLO response announces XFORWARD support.
+
+SASL AUTHENTICATION CONTROLS
+       smtp_sasl_auth_enable (no)
+              Enable SASL authentication in the Postfix SMTP client.
+
+       smtp_sasl_password_maps (empty)
+              Optional Postfix  SMTP  client  lookup  tables  with  one  user-
+              name:password  entry  per  sender,  remote  hostname or next-hop
+              domain.
+
+       smtp_sasl_security_options (noplaintext, noanonymous)
+              Postfix SMTP client SASL security options; as of Postfix 2.3 the
+              list  of available features depends on the SASL client implemen-
+              tation that is selected with smtp_sasl_type.
+
+       Available in Postfix version 2.2 and later:
+
+       smtp_sasl_mechanism_filter (empty)
+              If non-empty, a Postfix SMTP client filter for the  remote  SMTP
+              server's list of offered SASL mechanisms.
+
+       Available in Postfix version 2.3 and later:
+
+       smtp_sender_dependent_authentication (no)
+              Enable  sender-dependent  authentication  in  the  Postfix  SMTP
+              client; this is available only  with  SASL  authentication,  and
+              disables  SMTP  connection caching to ensure that mail from dif-
+              ferent senders will use the appropriate credentials.
+
+       smtp_sasl_path (empty)
+              Implementation-specific information that the Postfix SMTP client
+              passes  through  to  the  SASL  plug-in  implementation  that is
+              selected with smtp_sasl_type.
+
+       smtp_sasl_type (cyrus)
+              The SASL plug-in type that the Postfix SMTP  client  should  use
+              for authentication.
+
+       Available in Postfix version 2.5 and later:
+
+       smtp_sasl_auth_cache_name (empty)
+              An  optional table to prevent repeated SASL authentication fail-
+              ures with the same remote SMTP  server  hostname,  username  and
+              password.
+
+       smtp_sasl_auth_cache_time (90d)
+              The  maximal age of an smtp_sasl_auth_cache_name entry before it
+              is removed.
+
+       smtp_sasl_auth_soft_bounce (yes)
+              When a remote SMTP server rejects a SASL authentication  request
+              with  a 535 reply code, defer mail delivery instead of returning
+              mail as undeliverable.
+
+       Available in Postfix version 2.9 and later:
+
+       smtp_send_dummy_mail_auth (no)
+              Whether or not to append the "AUTH=<>" option to the  MAIL  FROM
+              command in SASL-authenticated SMTP sessions.
+
+STARTTLS SUPPORT CONTROLS
+       Detailed  information  about STARTTLS configuration may be found in the
+       TLS_README document.
+
+       smtp_tls_security_level (empty)
+              The default SMTP TLS security level for the Postfix SMTP client;
+              when a non-empty value is specified, this overrides the obsolete
+              parameters       smtp_use_tls,       smtp_enforce_tls,       and
+              smtp_tls_enforce_peername.
+
+       smtp_sasl_tls_security_options ($smtp_sasl_security_options)
+              The  SASL  authentication security options that the Postfix SMTP
+              client uses for TLS encrypted SMTP sessions.
+
+       smtp_starttls_timeout (300s)
+              Time limit for Postfix SMTP client  write  and  read  operations
+              during TLS startup and shutdown handshake procedures.
+
+       smtp_tls_CAfile (empty)
+              A  file  containing  CA certificates of root CAs trusted to sign
+              either remote SMTP server certificates or intermediate  CA  cer-
+              tificates.
+
+       smtp_tls_CApath (empty)
+              Directory  with  PEM format Certification Authority certificates
+              that the Postfix SMTP client uses to verify a remote SMTP server
+              certificate.
+
+       smtp_tls_cert_file (empty)
+              File with the Postfix SMTP client RSA certificate in PEM format.
+
+       smtp_tls_mandatory_ciphers (medium)
+              The minimum TLS cipher grade that the Postfix SMTP  client  will
+              use with mandatory TLS encryption.
+
+       smtp_tls_exclude_ciphers (empty)
+              List of ciphers or cipher types to exclude from the Postfix SMTP
+              client cipher list at all TLS security levels.
+
+       smtp_tls_mandatory_exclude_ciphers (empty)
+              Additional list of ciphers or cipher types to exclude  from  the
+              Postfix  SMTP  client cipher list at mandatory TLS security lev-
+              els.
+
+       smtp_tls_dcert_file (empty)
+              File with the Postfix SMTP client DSA certificate in PEM format.
+
+       smtp_tls_dkey_file ($smtp_tls_dcert_file)
+              File with the Postfix SMTP client DSA private key in PEM format.
+
+       smtp_tls_key_file ($smtp_tls_cert_file)
+              File with the Postfix SMTP client RSA private key in PEM format.
+
+       smtp_tls_loglevel (0)
+              Enable additional Postfix SMTP client logging of TLS activity.
+
+       smtp_tls_note_starttls_offer (no)
+              Log  the  hostname of a remote SMTP server that offers STARTTLS,
+              when TLS is not already enabled for that server.
+
+       smtp_tls_policy_maps (empty)
+              Optional lookup tables with the Postfix SMTP client TLS security
+              policy by next-hop destination; when a non-empty value is speci-
+              fied, this overrides the obsolete smtp_tls_per_site parameter.
+
+       smtp_tls_mandatory_protocols (see 'postconf -d' output)
+              TLS protocols that the Postfix SMTP client will use with  manda-
+              tory TLS encryption.
+
+       smtp_tls_scert_verifydepth (9)
+              The verification depth for remote SMTP server certificates.
+
+       smtp_tls_secure_cert_match (nexthop, dot-nexthop)
+              How  the  Postfix  SMTP  client  verifies the server certificate
+              peername for the "secure" TLS security level.
+
+       smtp_tls_session_cache_database (empty)
+              Name of the file containing the optional Postfix SMTP client TLS
+              session cache.
+
+       smtp_tls_session_cache_timeout (3600s)
+              The  expiration  time  of  Postfix SMTP client TLS session cache
+              information.
+
+       smtp_tls_verify_cert_match (hostname)
+              How the Postfix SMTP  client  verifies  the  server  certificate
+              peername for the "verify" TLS security level.
+
+       tls_daemon_random_bytes (32)
+              The  number  of  pseudo-random bytes that an smtp(8) or smtpd(8)
+              process requests from the tlsmgr(8) server in order to seed  its
+              internal pseudo random number generator (PRNG).
+
+       tls_high_cipherlist (see 'postconf -d' output)
+              The OpenSSL cipherlist for "high" grade ciphers.
+
+       tls_medium_cipherlist (see 'postconf -d' output)
+              The OpenSSL cipherlist for "medium" or higher grade ciphers.
+
+       tls_low_cipherlist (see 'postconf -d' output)
+              The OpenSSL cipherlist for "low" or higher grade ciphers.
+
+       tls_export_cipherlist (see 'postconf -d' output)
+              The OpenSSL cipherlist for "export" or higher grade ciphers.
+
+       tls_null_cipherlist (eNULL:!aNULL)
+              The  OpenSSL  cipherlist  for  "NULL" grade ciphers that provide
+              authentication without encryption.
+
+       Available in Postfix version 2.4 and later:
+
+       smtp_sasl_tls_verified_security_options           ($smtp_sasl_tls_secu-
+       rity_options)
+              The SASL authentication security options that the  Postfix  SMTP
+              client  uses  for  TLS  encrypted  SMTP sessions with a verified
+              server certificate.
+
+       Available in Postfix version 2.5 and later:
+
+       smtp_tls_fingerprint_cert_match (empty)
+              List of acceptable remote SMTP server  certificate  fingerprints
+              for   the   "fingerprint"  TLS  security  level  (smtp_tls_secu-
+              rity_level = fingerprint).
+
+       smtp_tls_fingerprint_digest (see 'postconf -d' output)
+              The message digest  algorithm  used  to  construct  remote  SMTP
+              server certificate fingerprints.
+
+       Available in Postfix version 2.6 and later:
+
+       smtp_tls_protocols (see postconf -d output)
+              TLS  protocols that the Postfix SMTP client will use with oppor-
+              tunistic TLS encryption.
+
+       smtp_tls_ciphers (medium)
+              The minimum TLS cipher grade that the Postfix SMTP  client  will
+              use with opportunistic TLS encryption.
+
+       smtp_tls_eccert_file (empty)
+              File  with the Postfix SMTP client ECDSA certificate in PEM for-
+              mat.
+
+       smtp_tls_eckey_file ($smtp_tls_eccert_file)
+              File with the Postfix SMTP client ECDSA private key in PEM  for-
+              mat.
+
+       Available in Postfix version 2.7 and later:
+
+       smtp_tls_block_early_mail_reply (no)
+              Try  to  detect  a mail hijacking attack based on a TLS protocol
+              vulnerability (CVE-2009-3555), where an attacker prepends  mali-
+              cious  HELO,  MAIL, RCPT, DATA commands to a Postfix SMTP client
+              TLS session.
+
+       Available in Postfix version 2.8 and later:
+
+       tls_disable_workarounds (see 'postconf -d' output)
+              List or bit-mask of OpenSSL bug work-arounds to disable.
+
+       Available in Postfix version 2.11-3.1:
+
+       tls_dane_digest_agility (on)
+              Configure RFC7671 DANE TLSA digest algorithm agility.
+
+       tls_dane_trust_anchor_digest_enable (yes)
+              Enable support for RFC 6698 (DANE TLSA) DNS records that contain
+              digests of trust-anchors with certificate usage "2".
+
+       Available in Postfix version 2.11 and later:
+
+       smtp_tls_trust_anchor_file (empty)
+              Zero  or  more  PEM-format  files with trust-anchor certificates
+              and/or public keys.
+
+       smtp_tls_force_insecure_host_tlsa_lookup (no)
+              Lookup the associated DANE TLSA RRset even when  a  hostname  is
+              not an alias and its address records lie in an unsigned zone.
+
+       tlsmgr_service_name (tlsmgr)
+              The name of the tlsmgr(8) service entry in master.cf.
+
+       Available in Postfix version 3.0 and later:
+
+       smtp_tls_wrappermode (no)
+              Request  that  the Postfix SMTP client connects using the legacy
+              SMTPS protocol instead of using the STARTTLS command.
+
+       Available in Postfix version 3.1 and later:
+
+       smtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)
+              The TLS policy for MX hosts with "secure" TLSA records when  the
+              nexthop  destination  security  level is dane, but the MX record
+              was found via an "insecure" MX lookup.
+
+       Available in Postfix version 3.4 and later:
+
+       smtp_tls_connection_reuse (no)
+              Try to make multiple deliveries per TLS-encrypted connection.
+
+       smtp_tls_chain_files (empty)
+              List of one or more PEM files, each holding one or more  private
+              keys directly followed by a corresponding certificate chain.
+
+       smtp_tls_servername (empty)
+              Optional  name  to  send  to  the  remote SMTP server in the TLS
+              Server Name Indication (SNI) extension.
+
+       Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
+
+       tls_fast_shutdown_enable (yes)
+              A workaround for implementations that hang Postfix  while  shut-
+              ting down a TLS session, until Postfix times out.
+
+       Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
+
+       tls_config_file (default)
+              Optional configuration file with baseline OpenSSL settings.
+
+       tls_config_name (empty)
+              The  application  name passed by Postfix to OpenSSL library ini-
+              tialization functions.
+
+OBSOLETE STARTTLS CONTROLS
+       The  following  configuration  parameters  exist for compatibility with
+       Postfix versions before 2.3. Support for these will  be  removed  in  a
+       future release.
+
+       smtp_use_tls (no)
+              Opportunistic  mode: use TLS when a remote SMTP server announces
+              STARTTLS support, otherwise send the mail in the clear.
+
+       smtp_enforce_tls (no)
+              Enforcement mode: require  that  remote  SMTP  servers  use  TLS
+              encryption, and never send mail in the clear.
+
+       smtp_tls_enforce_peername (yes)
+              With  mandatory  TLS  encryption,  require  that the remote SMTP
+              server hostname matches  the  information  in  the  remote  SMTP
+              server certificate.
+
+       smtp_tls_per_site (empty)
+              Optional  lookup  tables  with the Postfix SMTP client TLS usage
+              policy by next-hop destination and by remote SMTP  server  host-
+              name.
+
+       smtp_tls_cipherlist (empty)
+              Obsolete  Postfix  < 2.3 control for the Postfix SMTP client TLS
+              cipher list.
+
+RESOURCE AND RATE CONTROLS
+       smtp_connect_timeout (30s)
+              The Postfix SMTP client time limit for completing a TCP  connec-
+              tion, or zero (use the operating system built-in time limit).
+
+       smtp_helo_timeout (300s)
+              The  Postfix SMTP client time limit for sending the HELO or EHLO
+              command, and  for  receiving  the  initial  remote  SMTP  server
+              response.
+
+       lmtp_lhlo_timeout (300s)
+              The Postfix LMTP client time limit for sending the LHLO command,
+              and for receiving the initial remote LMTP server response.
+
+       smtp_xforward_timeout (300s)
+              The Postfix SMTP client time limit for sending the XFORWARD com-
+              mand, and for receiving the remote SMTP server response.
+
+       smtp_mail_timeout (300s)
+              The  Postfix  SMTP  client  time limit for sending the MAIL FROM
+              command, and for receiving the remote SMTP server response.
+
+       smtp_rcpt_timeout (300s)
+              The Postfix SMTP client time limit for sending the SMTP RCPT  TO
+              command, and for receiving the remote SMTP server response.
+
+       smtp_data_init_timeout (120s)
+              The  Postfix  SMTP  client  time limit for sending the SMTP DATA
+              command, and for receiving the remote SMTP server response.
+
+       smtp_data_xfer_timeout (180s)
+              The Postfix SMTP client time limit for sending the SMTP  message
+              content.
+
+       smtp_data_done_timeout (600s)
+              The Postfix SMTP client time limit for sending the SMTP ".", and
+              for receiving the remote SMTP server response.
+
+       smtp_quit_timeout (300s)
+              The Postfix SMTP client time limit for sending the QUIT command,
+              and for receiving the remote SMTP server response.
+
+       Available in Postfix version 2.1 and later:
+
+       smtp_mx_address_limit (5)
+              The  maximal number of MX (mail exchanger) IP addresses that can
+              result from Postfix SMTP client mail exchanger lookups, or  zero
+              (no limit).
+
+       smtp_mx_session_limit (2)
+              The  maximal number of SMTP sessions per delivery request before
+              the Postfix SMTP client gives up  or  delivers  to  a  fall-back
+              relay host, or zero (no limit).
+
+       smtp_rset_timeout (20s)
+              The Postfix SMTP client time limit for sending the RSET command,
+              and for receiving the remote SMTP server response.
+
+       Available in Postfix version 2.2 and earlier:
+
+       lmtp_cache_connection (yes)
+              Keep Postfix LMTP client connections open for  up  to  $max_idle
+              seconds.
+
+       Available in Postfix version 2.2 and later:
+
+       smtp_connection_cache_destinations (empty)
+              Permanently  enable  SMTP  connection  caching for the specified
+              destinations.
+
+       smtp_connection_cache_on_demand (yes)
+              Temporarily enable SMTP connection caching while  a  destination
+              has a high volume of mail in the active queue.
+
+       smtp_connection_reuse_time_limit (300s)
+              The amount of time during which Postfix will use an SMTP connec-
+              tion repeatedly.
+
+       smtp_connection_cache_time_limit (2s)
+              When SMTP connection caching is enabled, the amount of time that
+              an unused SMTP client socket is kept open before it is closed.
+
+       Available in Postfix version 2.3 and later:
+
+       connection_cache_protocol_timeout (5s)
+              Time  limit for connection cache connect, send or receive opera-
+              tions.
+
+       Available in Postfix version 2.9 - 3.6:
+
+       smtp_per_record_deadline (no)
+              Change the behavior of the smtp_*_timeout time  limits,  from  a
+              time  limit  per  read  or write system call, to a time limit to
+              send or receive a complete record (an SMTP  command  line,  SMTP
+              response  line,  SMTP message content line, or TLS protocol mes-
+              sage).
+
+       Available in Postfix version 2.11 and later:
+
+       smtp_connection_reuse_count_limit (0)
+              When SMTP connection caching is enabled,  the  number  of  times
+              that  an SMTP session may be reused before it is closed, or zero
+              (no limit).
+
+       Available in Postfix version 3.4 and later:
+
+       smtp_tls_connection_reuse (no)
+              Try to make multiple deliveries per TLS-encrypted connection.
+
+       Available in Postfix version 3.7 and later:
+
+       smtp_per_request_deadline (no)
+              Change the behavior of the smtp_*_timeout time  limits,  from  a
+              time  limit  per  plaintext or TLS read or write call, to a com-
+              bined time limit for sending a complete  SMTP  request  and  for
+              receiving a complete SMTP response.
+
+       smtp_min_data_rate (500)
+              The  minimum  plaintext  data  transfer rate in bytes/second for
+              DATA    requests,    when    deadlines    are    enabled    with
+              smtp_per_request_deadline.
+
+       Implemented in the qmgr(8) daemon:
+
+       transport_destination_concurrency_limit   ($default_destination_concur-
+       rency_limit)
+              A  transport-specific  override for the default_destination_con-
+              currency_limit parameter value, where transport is the master.cf
+              name of the message delivery transport.
+
+       transport_destination_recipient_limit     ($default_destination_recipi-
+       ent_limit)
+              A transport-specific override for the default_destination_recip-
+              ient_limit parameter value, where  transport  is  the  master.cf
+              name of the message delivery transport.
+
+SMTPUTF8 CONTROLS
+       Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
+
+       smtputf8_enable (yes)
+              Enable  preliminary SMTPUTF8 support for the protocols described
+              in RFC 6531..6533.
+
+       smtputf8_autodetect_classes (sendmail, verify)
+              Detect that a message requires SMTPUTF8 support for  the  speci-
+              fied mail origin classes.
+
+       Available in Postfix version 3.2 and later:
+
+       enable_idna2003_compatibility (no)
+              Enable   'transitional'   compatibility   between  IDNA2003  and
+              IDNA2008, when converting UTF-8 domain names to/from  the  ASCII
+              form that is used for DNS lookups.
+
+TROUBLE SHOOTING CONTROLS
+       debug_peer_level (2)
+              The  increment  in verbose logging level when a nexthop destina-
+              tion, remote client or server name or network address matches  a
+              pattern given with the debug_peer_list parameter.
+
+       debug_peer_list (empty)
+              Optional  list  of  nexthop destination, remote client or server
+              name or network address patterns that,  if  matched,  cause  the
+              verbose  logging  level  to  increase by the amount specified in
+              $debug_peer_level.
+
+       error_notice_recipient (postmaster)
+              The recipient of postmaster notifications  about  mail  delivery
+              problems that are caused by policy, resource, software or proto-
+              col errors.
+
+       internal_mail_filter_classes (empty)
+              What  categories  of  Postfix-generated  mail  are  subject   to
+              before-queue    content    inspection    by   non_smtpd_milters,
+              header_checks and body_checks.
+
+       notify_classes (resource, software)
+              The list of error classes that are reported to the postmaster.
+
+MISCELLANEOUS CONTROLS
+       best_mx_transport (empty)
+              Where the Postfix  SMTP  client  should  deliver  mail  when  it
+              detects a "mail loops back to myself" error condition.
+
+       config_directory (see 'postconf -d' output)
+              The  default  location of the Postfix main.cf and master.cf con-
+              figuration files.
+
+       daemon_timeout (18000s)
+              How much time a Postfix daemon process  may  take  to  handle  a
+              request before it is terminated by a built-in watchdog timer.
+
+       delay_logging_resolution_limit (2)
+              The  maximal  number of digits after the decimal point when log-
+              ging sub-second delay values.
+
+       disable_dns_lookups (no)
+              Disable DNS lookups in the Postfix SMTP and LMTP clients.
+
+       inet_interfaces (all)
+              The network interface addresses that this mail  system  receives
+              mail on.
+
+       inet_protocols (see 'postconf -d output')
+              The  Internet  protocols Postfix will attempt to use when making
+              or accepting connections.
+
+       ipc_timeout (3600s)
+              The time limit for sending  or  receiving  information  over  an
+              internal communication channel.
+
+       lmtp_assume_final (no)
+              When  a remote LMTP server announces no DSN support, assume that
+              the server performs final delivery, and send "delivered"  deliv-
+              ery status notifications instead of "relayed".
+
+       lmtp_tcp_port (24)
+              The default TCP port that the Postfix LMTP client connects to.
+
+       max_idle (100s)
+              The  maximum  amount of time that an idle Postfix daemon process
+              waits for an incoming connection before terminating voluntarily.
+
+       max_use (100)
+              The maximal number of incoming connections that a Postfix daemon
+              process will service before terminating voluntarily.
+
+       process_id (read-only)
+              The process ID of a Postfix command or daemon process.
+
+       process_name (read-only)
+              The process name of a Postfix command or daemon process.
+
+       proxy_interfaces (empty)
+              The network interface addresses that this mail  system  receives
+              mail on by way of a proxy or network address translation unit.
+
+       smtp_address_preference (any)
+              The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
+              client will try first, when a  destination  has  IPv6  and  IPv4
+              addresses with equal MX preference.
+
+       smtp_bind_address (empty)
+              An  optional  numerical  network  address  that the Postfix SMTP
+              client should bind to when making an IPv4 connection.
+
+       smtp_bind_address6 (empty)
+              An optional numerical network  address  that  the  Postfix  SMTP
+              client should bind to when making an IPv6 connection.
+
+       smtp_helo_name ($myhostname)
+              The hostname to send in the SMTP HELO or EHLO command.
+
+       lmtp_lhlo_name ($myhostname)
+              The hostname to send in the LMTP LHLO command.
+
+       smtp_host_lookup (dns)
+              What mechanisms the Postfix SMTP client uses to look up a host's
+              IP address.
+
+       smtp_randomize_addresses (yes)
+              Randomize the order of equal-preference MX host addresses.
+
+       syslog_facility (mail)
+              The syslog facility of Postfix logging.
+
+       syslog_name (see 'postconf -d' output)
+              A prefix that  is  prepended  to  the  process  name  in  syslog
+              records, so that, for example, "smtpd" becomes "prefix/smtpd".
+
+       Available with Postfix 2.2 and earlier:
+
+       fallback_relay (empty)
+              Optional list of relay hosts for SMTP destinations that can't be
+              found or that are unreachable.
+
+       Available with Postfix 2.3 and later:
+
+       smtp_fallback_relay ($fallback_relay)
+              Optional list of relay hosts for SMTP destinations that can't be
+              found or that are unreachable.
+
+       Available with Postfix 3.0 and later:
+
+       smtp_address_verify_target (rcpt)
+              In  the context of email address verification, the SMTP protocol
+              stage that determines whether an email address is deliverable.
+
+       Available with Postfix 3.1 and later:
+
+       lmtp_fallback_relay (empty)
+              Optional list of relay hosts for LMTP destinations that can't be
+              found or that are unreachable.
+
+       Available with Postfix 3.2 and later:
+
+       smtp_tcp_port (smtp)
+              The default TCP port that the Postfix SMTP client connects to.
+
+       Available in Postfix 3.3 and later:
+
+       service_name (read-only)
+              The master.cf service name of a Postfix daemon process.
+
+       Available in Postfix 3.7 and later:
+
+       smtp_bind_address_enforce (no)
+              Defer  delivery  when  the  Postfix SMTP client cannot apply the
+              smtp_bind_address or smtp_bind_address6 setting.
+
+SEE ALSO
+       generic(5), output address rewriting
+       header_checks(5), message header content inspection
+       body_checks(5), body parts content inspection
+       qmgr(8), queue manager
+       bounce(8), delivery status reports
+       scache(8), connection cache server
+       postconf(5), configuration parameters
+       master(5), generic daemon options
+       master(8), process manager
+       tlsmgr(8), TLS session and PRNG management
+       postlogd(8), Postfix logging
+       syslogd(8), system logging
+
+README FILES
+       SASL_README, Postfix SASL howto
+       TLS_README, Postfix STARTTLS howto
+
+LICENSE
+       The Secure Mailer license must be distributed with this software.
+
+AUTHOR(S)
+       Wietse Venema
+       IBM T.J. Watson Research
+       P.O. Box 704
+       Yorktown Heights, NY 10598, USA
+
+       Wietse Venema
+       Google, Inc.
+       111 8th Avenue
+       New York, NY 10011, USA
+
+       Command pipelining in cooperation with:
+       Jon Ribbens
+       Oaktree Internet Solutions Ltd.,
+       Internet House,
+       Canal Basin,
+       Coventry,
+       CV1 4LY, United Kingdom.
+
+       SASL support originally by:
+       Till Franke
+       SuSE Rhein/Main AG
+       65760 Eschborn, Germany
+
+       TLS support originally by:
+       Lutz Jaenicke
+       BTU Cottbus
+       Allgemeine Elektrotechnik
+       Universitaetsplatz 3-4
+       D-03044 Cottbus, Germany
+
+       Revised TLS and SMTP connection cache support by:
+       Victor Duchovni
+       Morgan Stanley
+
+                                                                       SMTP(8)
+
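Review bot: In the MISCELLANEOUS CONTROLS list, the inet_protocols entry reads (see 'postconf -d output'), with the closing quote after "output", while config_directory and syslog_name in the same list read (see 'postconf -d' output). Copied literally, the quoted string is not the command the other two entries name, so the quote should close after -d. Because this commit imports the upstream 3.7.10 file as is, the correction belongs upstream or in a separate packaging patch, not in an edit to this import.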
-- cgit v1.2.3