From b7c15c31519dc44c1f691e0466badd556ffe9423 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 18:18:56 +0200 Subject: Adding upstream version 3.7.10. Signed-off-by: Daniel Baumann --- proto/postconf.proto | 18715 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 18715 insertions(+) create mode 100644 proto/postconf.proto (limited to 'proto/postconf.proto') diff --git a/proto/postconf.proto b/proto/postconf.proto new file mode 100644 index 0000000..10b47cf --- /dev/null +++ b/proto/postconf.proto @@ -0,0 +1,18715 @@ +# This is the input file for automatically generating the postconf(5) +# manual page, the summaries of parameters in on-line manual pages, +# and for the postconf.5.html hyperlinked document. +# +# The following tools operate on information from this file: +# +# xpostconf +# Extracts specific parameter definitions from this file, or +# produces a sorted version of all the information in this +# document. +# +# postconf2html +# Adds parameter name +default headers. The result can be embedded +# into the postconf.5.html hyperlinked document. +# +# postconf2man +# Converts this file into something that can be embedded into +# the postconf(5) UNIX-style manual page. This tool knows only +# a limited subset of HTML as described below. +# +# postconf2src +# Converts this file result into something that can be embedded +# into Postfix source code files. +# +# The subset of HTML that you can use is limited by the postconf2man +# tool: +# +# * Supported HTML elements are: blockquote, ul, li, dl, dt, dd, +# p, pre, b, i, h, and the escapes for < <= >= >. Sorry, no +# tables. +# +# * HTML elements must be specified in lower case. +# +# * Lists cannot be nested. +# +# * The postconf2man tool leaves unrecognized HTML in place as a +# reminder that it is not supported. +# +# * Text between is stripped out. The +# must appear on separate lines. +# +# * Use to request an empty line in the middle +# of a block of text. This is needed with indented lists. +# +# * Blank lines are special for postconf2man: it replaces them by +# a "new paragraph" command. Don't put any blank lines inside +#
text. Instead, put those blank lines between +#
and
. +# +# * Text after a blank line must start with an HTML element. +# +# Also: +# +# * All
and
text must be closed with and
. +# +# * Use
..
for examples +# between narrative text, instead of indenting examples by hand. +# +# * Use
..
for the "Examples:" section at the end +# of a parameter description. +# +# The postlink tool automatically inserts hyperlinks for the following, +# so you must not hyperlink that information yourself: +# +# * Postfix manual pages +# * URLs +# * RFCs +# * Postfix configuration parameters +# * Postfix README files +# * Address classes and other terminology. +# +# The xpostconf and postconf2html tools expect the file format described +# in the comments below. The description includes the transformation +# that is done by the postconf2html tool. +# +# * The format of this file is blocks of text separated by one or +# more empty (or all whitespace) lines. +# +# * A text block that begins with %PARAM specifies a parameter name +# and its default value, separated by whitespace. The text in +# the blocks that follow is the parameter description. +# +# * The first line (text up to the first ". ") is used in Postfix +# on-line manual pages, in the one-line configuration parameter +# summaries. +# +# * A text block that begins with the "<" character is treated as +# literal HTML. For example, to specify a "dl" list element one +# would write: +# +# |
name
+# | +# |text that describes "name". +# | +# |
... +# +# As described below, the text that describes "name" will be +# enclosed with

and

. +# +# An "ul" list element would be written like this: +# +# |
  • text for this list element. +# +# * Any text block that does not begin with < is an error. + +%CLASS address-verification Address verification (Postfix 2.1 and later) + +

    +Sender/recipient address verification is implemented by sending +probe email messages that are not actually delivered. This feature +is requested via the reject_unverified_sender and +reject_unverified_recipient access restrictions. The status of +verification probes is maintained by the address verification +service. See the file ADDRESS_VERIFICATION_README for information +about how to configure and operate the Postfix sender/recipient +address verification service. +

    + +%CLASS smtpd-compatibility Compatibility controls + +%CLASS resource-control Resource controls + +%CLASS after-queue-filter After-queue content filter + +

    +As of version 1.0, Postfix can be configured to send new mail to +an external content filter AFTER the mail is queued. This content +filter is expected to inject mail back into a (Postfix or other) +MTA for further delivery. See the FILTER_README document for +details. +

    + +%CLASS before-queue-filter Before-queue content filter + +

    +The Postfix SMTP server can be configured to send incoming mail to +a real-time SMTP-based content filter BEFORE mail is queued. This +content filter is expected to inject mail back into Postfix. See +the SMTPD_PROXY_README document for details on how to configure +and operate this feature. +

    + +%CLASS basic-config Basic configuration parameters + +%CLASS smtpd-access-relay SMTP server access and relay control + +%CLASS smtpd-sasl SMTP server SASL authentication + +%CLASS unknown-recipients Rejecting mail for unknown recipients + +%CLASS smtpd-reply-code SMTP server response codes + +%CLASS other Other configuration parameters + +%PARAM access_map_reject_code 554 + +

    +The numerical Postfix SMTP server response code for +an access(5) map "reject" action. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM access_map_defer_code 450 + +

    +The numerical Postfix SMTP server response code for +an access(5) map "defer" action, including "defer_if_permit" +or "defer_if_reject". Prior to Postfix 2.6, the response +is hard-coded as "450". +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +

    +This feature is available in Postfix 2.6 and later. +

    + +%PARAM address_verify_default_transport $default_transport + +

    +Overrides the default_transport parameter setting for address +verification probes. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_local_transport $local_transport + +

    +Overrides the local_transport parameter setting for address +verification probes. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_map see "postconf -d" output + +

    +Lookup table for persistent address verification status +storage. The table is maintained by the verify(8) service, and +is opened before the process releases privileges. +

    + +

    +The lookup table is persistent by default (Postfix 2.7 and later). +Specify an empty table name to keep the information in volatile +memory which is lost after "postfix reload" or "postfix +stop". This is the default with Postfix version 2.6 and earlier. +

    + +

    +Specify a location in a file system that will not fill up. If the +database becomes corrupted, the world comes to an end. To recover, +delete (NOT: truncate) the file and do "postfix reload". +

    + +

    Postfix daemon processes do not use root privileges when opening +this file (Postfix 2.5 and later). The file must therefore be +stored under a Postfix-owned directory such as the data_directory. +As a migration aid, an attempt to open the file under a non-Postfix +directory is redirected to the Postfix-owned data_directory, and a +warning is logged.

    + +

    +Examples: +

    + +
    +address_verify_map = hash:/var/lib/postfix/verify
    +address_verify_map = btree:/var/lib/postfix/verify
    +
    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_negative_cache yes + +

    +Enable caching of failed address verification probe results. When +this feature is enabled, the cache may pollute quickly with garbage. +When this feature is disabled, Postfix will generate an address +probe for every lookup. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_negative_expire_time 3d + +

    +The time after which a failed probe expires from the address +verification cache. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_negative_refresh_time 3h + +

    +The time after which a failed address verification probe needs to +be refreshed. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is h (hours).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_cache_cleanup_interval 12h + +

    The amount of time between verify(8) address verification +database cleanup runs. This feature requires that the database +supports the "delete" and "sequence" operators. Specify a zero +interval to disable database cleanup.

    + +

    After each database cleanup run, the verify(8) daemon logs the +number of entries that were retained and dropped. A cleanup run is +logged as "partial" when the daemon terminates early after "postfix +reload", "postfix stop", or no requests for $max_idle +seconds.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is h (hours).

    + +

    This feature is available in Postfix 2.7.

    + +%PARAM address_verify_poll_count normal: 3, overload: 1 + +

    +How many times to query the verify(8) service for the completion +of an address verification request in progress. +

    + +

    By default, the Postfix SMTP server polls the verify(8) service +up to three times under non-overload conditions, and only once when +under overload. With Postfix version 2.5 and earlier, the SMTP +server always polls the verify(8) service up to three times by +default.

    + +

    +Specify 1 to implement a crude form of greylisting, that is, always +defer the first delivery request for a new address. +

    + +

    +Examples: +

    + +
    +# Postfix ≤ 2.6 default
    +address_verify_poll_count = 3
    +# Poor man's greylisting
    +address_verify_poll_count = 1
    +
    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_poll_delay 3s + +

    +The delay between queries for the completion of an address +verification request in progress. +

    + +

    +The default polling delay is 3 seconds. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_positive_expire_time 31d + +

    +The time after which a successful probe expires from the address +verification cache. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_positive_refresh_time 7d + +

    +The time after which a successful address verification probe needs +to be refreshed. The address verification status is not updated +when the probe fails (optimistic caching). +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_relay_transport $relay_transport + +

    +Overrides the relay_transport parameter setting for address +verification probes. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_relayhost $relayhost + +

    +Overrides the relayhost parameter setting for address verification +probes. This information can be overruled with the transport(5) table. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_sender $double_bounce_sender + +

    The sender address to use in address verification probes; prior +to Postfix 2.5 the default was "postmaster". To +avoid problems with address probes that are sent in response to +address probes, the Postfix SMTP server excludes the probe sender +address from all SMTPD access blocks.

    + +

    +Specify an empty value (address_verify_sender =) or <> if you want +to use the null sender address. Beware, some sites reject mail from +<>, even though RFCs require that such addresses be accepted. +

    + +

    +Examples: +

    + +
    +address_verify_sender = <>
    +address_verify_sender = postmaster@my.domain
    +
    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_transport_maps $transport_maps + +

    +Overrides the transport_maps parameter setting for address verification +probes. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM address_verify_virtual_transport $virtual_transport + +

    +Overrides the virtual_transport parameter setting for address +verification probes. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM alias_database see "postconf -d" output + +

    +The alias databases for local(8) delivery that are updated with +"newaliases" or with "sendmail -bi". +

    + +

    +This is a separate configuration parameter because not all the +tables specified with $alias_maps have to be local files. +

    + +

    +Examples: +

    + +
    +alias_database = hash:/etc/aliases
    +alias_database = hash:/etc/mail/aliases
    +
    + +%PARAM alias_maps see "postconf -d" output + +

    +The alias databases that are used for local(8) delivery. See +aliases(5) for syntax details. +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive. +

    + +

    +The default list is system dependent. On systems with NIS, the +default is to search the local alias database, then the NIS alias +database. +

    + +

    +If you change the alias database, run "postalias /etc/aliases" +(or wherever your system stores the mail alias file), or simply +run "newaliases" to build the necessary DBM or DB file. +

    + +

    +The local(8) delivery agent disallows regular expression substitution +of $1 etc. in alias_maps, because that would open a security hole. +

    + +

    +The local(8) delivery agent will silently ignore requests to use +the proxymap(8) server within alias_maps. Instead it will open the +table directly. Before Postfix version 2.2, the local(8) delivery +agent will terminate with a fatal error. +

    + +

    +Examples: +

    + +
    +alias_maps = hash:/etc/aliases, nis:mail.aliases
    +alias_maps = hash:/etc/aliases
    +
    + +%PARAM allow_mail_to_commands alias, forward + +

    +Restrict local(8) mail delivery to external commands. The default +is to disallow delivery to "|command" in :include: files (see +aliases(5) for the text that defines this terminology). +

    + +

    +Specify zero or more of: alias, forward or include, +in order to allow commands in aliases(5), .forward files or in +:include: files, respectively. +

    + +

    +Example: +

    + +
    +allow_mail_to_commands = alias,forward,include
    +
    + +%PARAM allow_mail_to_files alias, forward + +

    +Restrict local(8) mail delivery to external files. The default is +to disallow "/file/name" destinations in :include: files (see +aliases(5) for the text that defines this terminology). +

    + +

    +Specify zero or more of: alias, forward or include, +in order to allow "/file/name" destinations in aliases(5), .forward +files and in :include: files, respectively. +

    + +

    +Example: +

    + +
    +allow_mail_to_files = alias,forward,include
    +
    + +%PARAM allow_min_user no + +

    +Allow a sender or recipient address to have `-' as the first +character. By +default, this is not allowed, to avoid accidents with software that +passes email addresses via the command line. Such software +would not be able to distinguish a malicious address from a +bona fide command-line option. Although this can be prevented by +inserting a "--" option terminator into the command line, this is +difficult to enforce consistently and globally.

    + +

    As of Postfix version 2.5, this feature is implemented by +trivial-rewrite(8). With earlier versions this feature was implemented +by qmgr(8) and was limited to recipient addresses only.

    + +%PARAM allow_percent_hack yes + +

    +Enable the rewriting of the form "user%domain" to "user@domain". +This is enabled by default. +

    + +

    Note: as of Postfix version 2.2, message header address rewriting +happens only when one of the following conditions is true:

    + +
      + +
    • The message is received with the Postfix sendmail(1) command, + +
    • The message is received from a network client that matches +$local_header_rewrite_clients, + +
    • The message is received from the network, and the +remote_header_rewrite_domain parameter specifies a non-empty value. + +
    + +

    To get the behavior before Postfix version 2.2, specify +"local_header_rewrite_clients = static:all".

    + +

    +Example: +

    + +
    +allow_percent_hack = no
    +
    + +%PARAM allow_untrusted_routing no + +

    +Forward mail with sender-specified routing (user[@%!]remote[@%!]site) +from untrusted clients to destinations matching $relay_domains. +

    + +

    +By default, this feature is turned off. This closes a nasty open +relay loophole where a backup MX host can be tricked into forwarding +junk mail to a primary MX host which then spams it out to the world. +

    + +

    +This parameter also controls if non-local addresses with sender-specified +routing can match Postfix access tables. By default, such addresses +cannot match Postfix access tables, because the address is ambiguous. +

    + +%PARAM always_bcc + +

    +Optional address that receives a "blind carbon copy" of each message +that is received by the Postfix mail system. +

    + +

    +Note: with Postfix 2.3 and later the BCC address is added as if it +was specified with NOTIFY=NONE. The sender will not be notified +when the BCC address is undeliverable, as long as all down-stream +software implements RFC 3461. +

    + +

    +Note: with Postfix 2.2 and earlier the sender will be notified +when the BCC address is undeliverable. +

    + +

    Note: automatic BCC recipients are produced only for new mail. +To avoid mailer loops, automatic BCC recipients are not generated +after Postfix forwards mail internally, or after Postfix generates +mail itself.

    + +%PARAM berkeley_db_create_buffer_size 16777216 + +

    +The per-table I/O buffer size for programs that create Berkeley DB +hash or btree tables. Specify a byte count. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM berkeley_db_read_buffer_size 131072 + +

    +The per-table I/O buffer size for programs that read Berkeley DB +hash or btree tables. Specify a byte count. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM best_mx_transport + +

    +Where the Postfix SMTP client should deliver mail when it detects +a "mail loops back to myself" error condition. This happens when +the local MTA is the best SMTP mail exchanger for a destination +not listed in $mydestination, $inet_interfaces, $proxy_interfaces, +$virtual_alias_domains, or $virtual_mailbox_domains. By default, +the Postfix SMTP client returns such mail as undeliverable. +

    + +

    +Specify, for example, "best_mx_transport = local" to pass the mail +from the Postfix SMTP client to the local(8) delivery agent. You +can specify +any message delivery "transport" or "transport:nexthop" that is +defined in the master.cf file. See the transport(5) manual page +for the syntax and meaning of "transport" or "transport:nexthop". +

    + +

    +However, this feature is expensive because it ties up a Postfix +SMTP client process while the local(8) delivery agent is doing its +work. It is more efficient (for Postfix) to list all hosted domains +in a table or database. +

    + +%PARAM biff yes + +

    +Whether or not to use the local biff service. This service sends +"new mail" notifications to users who have requested new mail +notification with the UNIX command "biff y". +

    + +

    +For compatibility reasons this feature is on by default. On systems +with lots of interactive users, the biff service can be a performance +drain. Specify "biff = no" in main.cf to disable. +

    + +%PARAM body_checks + +

    Optional lookup tables for content inspection as specified in +the body_checks(5) manual page.

    + +

    Note: with Postfix versions before 2.0, these rules inspect +all content after the primary message headers.

    + +%PARAM body_checks_size_limit 51200 + +

    +How much text in a message body segment (or attachment, if you +prefer to use that term) is subjected to body_checks inspection. +The amount of text is limited to avoid scanning huge attachments. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM bounce_queue_lifetime 5d + +

    +Consider a bounce message as undeliverable, when delivery fails +with a temporary error, and the time in the queue has reached the +bounce_queue_lifetime limit. By default, this limit is the same +as for regular mail. +

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    +Specify 0 when mail delivery should be tried only once. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM bounce_size_limit 50000 + +

    The maximal amount of original message text that is sent in a +non-delivery notification. Specify a byte count. A message is +returned as either message/rfc822 (the complete original) or as +text/rfc822-headers (the headers only). With Postfix version 2.4 +and earlier, a message is always returned as message/rfc822 and is +truncated when it exceeds the size limit. +

    + +

    Notes:

    + +
      + +
    • If you increase this limit, then you should increase the +mime_nesting_limit value proportionally.

      + +
    • Be careful when making changes. Excessively large values +will result in the loss of non-delivery notifications, when a bounce +message size exceeds a local or remote MTA's message size limit. +

      + +
    + +%PARAM canonical_maps + +

    +Optional address mapping lookup tables for message headers and +envelopes. The mapping is applied to both sender and recipient +addresses, in both envelopes and in headers, as controlled +with the canonical_classes parameter. This is typically used +to clean up dirty addresses from legacy mail systems, or to replace +login names by Firstname.Lastname. The table format and lookups +are documented in canonical(5). For an overview of Postfix address +manipulations see the ADDRESS_REWRITING_README document. +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive. +

    + +

    +If you use this feature, run "postmap /etc/postfix/canonical" to +build the necessary DBM or DB file after every change. The changes +will become visible after a minute or so. Use "postfix reload" +to eliminate the delay. +

    + +

    Note: with Postfix version 2.2, message header address mapping +happens only when message header address rewriting is enabled:

    + +
      + +
    • The message is received with the Postfix sendmail(1) command, + +
    • The message is received from a network client that matches +$local_header_rewrite_clients, + +
    • The message is received from the network, and the +remote_header_rewrite_domain parameter specifies a non-empty value. + +
    + +

    To get the behavior before Postfix version 2.2, specify +"local_header_rewrite_clients = static:all".

    + +

    +Examples: +

    + +
    +canonical_maps = dbm:/etc/postfix/canonical
    +canonical_maps = hash:/etc/postfix/canonical
    +
    + +%PARAM canonical_classes envelope_sender, envelope_recipient, header_sender, header_recipient + +

    What addresses are subject to canonical_maps address mapping. +By default, canonical_maps address mapping is applied to envelope +sender and recipient addresses, and to header sender and header +recipient addresses.

    + +

    Specify one or more of: envelope_sender, envelope_recipient, +header_sender, header_recipient

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM sender_canonical_classes envelope_sender, header_sender + +

    What addresses are subject to sender_canonical_maps address +mapping. By default, sender_canonical_maps address mapping is +applied to envelope sender addresses, and to header sender addresses. +

    + +

    Specify one or more of: envelope_sender, header_sender

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM recipient_canonical_classes envelope_recipient, header_recipient + +

    What addresses are subject to recipient_canonical_maps address +mapping. By default, recipient_canonical_maps address mapping is +applied to envelope recipient addresses, and to header recipient +addresses.

    + +

    Specify one or more of: envelope_recipient, header_recipient +

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM command_directory see "postconf -d" output + +

    +The location of all postfix administrative commands. +

    + +%PARAM command_time_limit 1000s + +

    +Time limit for delivery to external commands. This limit is used +by the local(8) delivery agent, and is the default time limit for +delivery by the pipe(8) delivery agent. +

    + +

    +Note: if you set this time limit to a large value you must update the +global ipc_timeout parameter as well. +

    + +%PARAM daemon_directory see "postconf -d" output + +

    +The directory with Postfix support programs and daemon programs. +These should not be invoked directly by humans. The directory must +be owned by root. +

    + +%PARAM daemon_timeout 18000s + +

    How much time a Postfix daemon process may take to handle a +request before it is terminated by a built-in watchdog timer.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM debug_peer_level 2 + +

    The increment in verbose logging level when a nexthop destination, +remote client or server name or network address matches a pattern +given with the debug_peer_list parameter.

    + +

    Per-nexthop debug logging is available in Postfix 3.6 and later.

    + +%PARAM debug_peer_list + +

    Optional list of nexthop destination, remote client or server +name or network address patterns that, if matched, cause the verbose +logging level to increase by the amount specified in $debug_peer_level. +

    + +

    Per-nexthop debug logging is available in Postfix 3.6 and later.

    + +

    Specify domain names, network/netmask patterns, "/file/name" +patterns or "type:table" lookup tables. The right-hand side result +from "type:table" lookups is ignored.

    + +

    Pattern matching of domain names is controlled by the presence +or absence of "debug_peer_list" in the parent_domain_matches_subdomains +parameter value.

    + +

    +Examples: +

    + +
    +debug_peer_list = 127.0.0.1
    +debug_peer_list = example.com
    +
    + +%PARAM default_database_type see "postconf -d" output + +

    +The default database type for use in newaliases(1), postalias(1) +and postmap(1) commands. On many UNIX systems the default type is +either dbm or hash. The default setting is frozen +when the Postfix system is built. +

    + +

    +Examples: +

    + +
    +default_database_type = hash
    +default_database_type = dbm
    +
    + +%PARAM default_delivery_slot_cost 5 + +

    +How often the Postfix queue manager's scheduler is allowed to +preempt delivery of one message with another. +

    + +

    +Each transport maintains a so-called "available delivery slot counter" +for each message. One message can be preempted by another one when +the other message can be delivered using no more delivery slots +(i.e., invocations of delivery agents) than the current message +counter has accumulated (or will eventually accumulate - see about +slot loans below). This parameter controls how often the counter is +incremented - it happens after each default_delivery_slot_cost +recipients have been delivered. +

    + +

    +The cost of 0 is used to disable the preempting scheduling completely. +The minimum value the scheduling algorithm can use is 2 - use it +if you want to maximize the message throughput rate. Although there +is no maximum, it doesn't make much sense to use values above say +50. +

    + +

    +The only reason why the value of 2 is not the default is the way +this parameter affects the delivery of mailing-list mail. In the +worst case, delivery can take somewhere between (cost+1/cost) +and (cost/cost-1) times more than if the preemptive scheduler was +disabled. The default value of 5 turns out to provide reasonable +message response times while making sure the mailing-list deliveries +are not extended by more than 20-25 percent even in the worst case. +

    + +

    Use transport_delivery_slot_cost to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +

    +Examples: +

    + +
    +default_delivery_slot_cost = 0
    +default_delivery_slot_cost = 2
    +
    + +%PARAM default_destination_concurrency_limit 20 + +

    +The default maximal number of parallel deliveries to the same +destination. This is the default limit for delivery via the lmtp(8), +pipe(8), smtp(8) and virtual(8) delivery agents. +With a per-destination recipient limit > 1, a destination is a domain, +otherwise it is a recipient. +

    + +

    Use transport_destination_concurrency_limit to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +%PARAM default_destination_recipient_limit 50 + +

    +The default maximal number of recipients per message delivery. +This is the default limit for delivery via the lmtp(8), pipe(8), +smtp(8) and virtual(8) delivery agents. +

    + +

    Setting this parameter to a value of 1 affects email deliveries +as follows:

    + +
      + +
    • It changes the meaning of the corresponding per-destination +concurrency limit, from concurrency of deliveries to the same +domain into concurrency of deliveries to the same recipient. +Different recipients are delivered in parallel, subject to the +process limits specified in master.cf.

      + +
    • It changes the meaning of the corresponding per-destination +rate delay, from the delay between deliveries to the same +domain into the delay between deliveries to the same +recipient. Again, different recipients are delivered in parallel, +subject to the process limits specified in master.cf.

      + +
    • It changes the meaning of other corresponding per-destination +settings in a similar manner, from settings for delivery to the +same domain into settings for delivery to the same +recipient. + +

    + +

    Use transport_destination_recipient_limit to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +%PARAM default_extra_recipient_limit 1000 + +

    +The default value for the extra per-transport limit imposed on the +number of in-memory recipients. This extra recipient space is +reserved for the cases when the Postfix queue manager's scheduler +preempts one message with another and suddenly needs some extra +recipient slots for the chosen message in order to avoid performance +degradation. +

    + +

    Use transport_extra_recipient_limit to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +%PARAM default_minimum_delivery_slots 3 + +

    +How many recipients a message must have in order to invoke the +Postfix queue manager's scheduling algorithm at all. Messages +which would never accumulate at least this many delivery slots +(subject to slot cost parameter as well) are never preempted. +

    + +

    Use transport_minimum_delivery_slots to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +%PARAM default_privs nobody + +

    +The default rights used by the local(8) delivery agent for delivery +to an external file or command. These rights are used when delivery +is requested from an aliases(5) file that is owned by root, or +when delivery is done on behalf of root. DO NOT SPECIFY A +PRIVILEGED USER OR THE POSTFIX OWNER. +

    + +%PARAM default_process_limit 100 + +

    +The default maximal number of Postfix child processes that provide +a given service. This limit can be overruled for specific services +in the master.cf file. +

    + +%PARAM default_rbl_reply see "postconf -d" output + +

    +The default Postfix SMTP server response template for a request that is +rejected by an RBL-based restriction. This template can be overruled +by specific entries in the optional rbl_reply_maps lookup table. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +

    +The template does not support Postfix configuration parameter $name +substitution. Instead, it supports exactly one level of $name +substitution for the following attributes: +

    + +
    + +
    $client
    + +
    The client hostname and IP address, formatted as name[address].
    + +
    $client_address
    + +
    The client IP address.
    + +
    $client_name
    + +
    The client hostname or "unknown". See reject_unknown_client_hostname +for more details.
    + +
    $reverse_client_name
    + +
    The client hostname from address->name lookup, or "unknown". +See reject_unknown_reverse_client_hostname for more details.
    + +#
    $forward_client_name
    +# +#
    The client hostname from address->name lookup followed by +#name->address lookup, or "unknown". See +#reject_unknown_forward_client_hostname for more details.
    + +
    $helo_name
    + +
    The hostname given in HELO or EHLO command or empty string.
    + +
    $rbl_class
    + +
    The denylisted entity type: Client host, Helo command, Sender +address, or Recipient address.
    + +
    $rbl_code
    + +
    The numerical SMTP response code, as specified with the +maps_rbl_reject_code configuration parameter. Note: The numerical +SMTP response code is required, and must appear at the start of the +reply. With Postfix version 2.3 and later this information may be followed +by an RFC 3463 enhanced status code.
    + +
    $rbl_domain
    + +
    The RBL domain where $rbl_what is denylisted.
    + +
    $rbl_reason
    + +
    The reason why $rbl_what is denylisted, or an empty string.
    + +
    $rbl_what
    + +
    The entity that is denylisted (an IP address, a hostname, a domain +name, or an email address whose domain was denylisted).
    + +
    $recipient
    + +
    The recipient address or <> in case of the null address.
    + +
    $recipient_domain
    + +
    The recipient domain or empty string.
    + +
    $recipient_name
    + +
    The recipient address localpart or <> in case of null address.
    + +
    $sender
    + +
    The sender address or <> in case of the null address.
    + +
    $sender_domain
    + +
    The sender domain or empty string.
    + +
    $sender_name
    + +
    The sender address localpart or <> in case of the null address.
    + +
    ${name?value}
    + +
    ${name?{value}} (Postfix ≥ 3.0)
    + +
    Expands to value when $name is non-empty.
    + +
    ${name:value}
    + +
    ${name:{value}} (Postfix ≥ 3.0)
    + +
    Expands to value when $name is empty.
    + +
    ${name?{value1}:{value2}} (Postfix ≥ 3.0)
    + +
    Expands to value1 when $name is non-empty, +value2 otherwise.
    + +
    + +

    +Instead of $name you can also specify ${name} or $(name). +

    + +

    Note: when an enhanced status code is specified in an RBL reply +template, it is subject to modification. The following transformations +are needed when the same RBL reply template is used for client, +helo, sender, or recipient access restrictions.

    + +
      + +
    • When rejecting a sender address, the Postfix SMTP server +will transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the +corresponding sender DSN status, and vice versa.

      + +
    • When rejecting non-address information (such as the HELO +command argument or the client hostname/address), the Postfix SMTP +server will transform a sender or recipient DSN status into a generic +non-address DSN status (e.g., 4.0.0).

      + +
    + +%PARAM default_recipient_limit 20000 + +

    +The default per-transport upper limit on the number of in-memory +recipients. These limits take priority over the global +qmgr_message_recipient_limit after the message has been assigned +to the respective transports. See also default_extra_recipient_limit +and qmgr_message_recipient_minimum. +

    + +

    Use transport_recipient_limit to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +%PARAM default_recipient_refill_limit 100 + +

    +The default per-transport limit on the number of recipients refilled at +once. When not all message recipients fit into memory at once, keep +loading more of them in batches of at least this many at a time. See also +$default_recipient_refill_delay, which may result in recipient batches +lower than this when this limit is too high for too slow deliveries. +

    + +

    Use transport_recipient_refill_limit to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +

    This feature is available in Postfix 2.4 and later.

    + +%PARAM default_recipient_refill_delay 5s + +

    +The default per-transport maximum delay between refilling recipients. +When not all message recipients fit into memory at once, keep loading +more of them at least once every this many seconds. This is used to +make sure the recipients are refilled in a timely manner even when +$default_recipient_refill_limit is too high for too slow deliveries. +

    + +

    Use transport_recipient_refill_delay to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +

    This feature is available in Postfix 2.4 and later.

    + +%PARAM default_transport smtp + +

    +The default mail delivery transport and next-hop destination for +destinations that do not match $mydestination, $inet_interfaces, +$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, +or $relay_domains. This information can be overruled with the +sender_dependent_default_transport_maps parameter and with the +transport(5) table.

    + +

    +In order of decreasing precedence, the nexthop destination is taken +from $sender_dependent_default_transport_maps, $default_transport, +$sender_dependent_relayhost_maps, $relayhost, or from the recipient +domain. +

    + +

    +Specify a string of the form transport:nexthop, where transport +is the name of a mail delivery transport defined in master.cf. +The :nexthop destination is optional; its syntax is documented +in the manual page of the corresponding delivery agent. In the case of +SMTP or LMTP, specify one or more destinations separated by comma or +whitespace (with Postfix 3.5 and later). +

    + +

    +Example: +

    + +
    +default_transport = uucp:relayhostname
    +
    + +%PARAM defer_code 450 + +

    +The numerical Postfix SMTP server response code when a remote SMTP +client request is rejected by the "defer" restriction. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM defer_transports + +

    +The names of message delivery transports that should not deliver mail +unless someone issues "sendmail -q" or equivalent. Specify zero +or more mail delivery transport names that appear in the +first field of master.cf. +

    + +

    +Example: +

    + +
    +defer_transports = smtp
    +
    + +%PARAM deliver_lock_attempts 20 + +

    +The maximal number of attempts to acquire an exclusive lock on a +mailbox file or bounce(8) logfile. +

    + +%PARAM deliver_lock_delay 1s + +

    +The time between attempts to acquire an exclusive lock on a mailbox +file or bounce(8) logfile. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM disable_vrfy_command no + +

    +Disable the SMTP VRFY command. This stops some techniques used to +harvest email addresses. +

    + +

    +Example: +

    + +
    +disable_vrfy_command = no
    +
    + +%PARAM double_bounce_sender double-bounce + +

    The sender address of postmaster notifications that are generated +by the mail system. All mail to this address is silently discarded, +in order to terminate mail bounce loops.

    + +%PARAM duplicate_filter_limit 1000 + +

    The maximal number of addresses remembered by the address +duplicate filter for aliases(5) or virtual(5) alias expansion, or +for showq(8) queue displays.

    + +%PARAM enable_original_recipient yes + +

    Enable support for the original recipient address after an +address is rewritten to a different address (for example with +aliasing or with canonical mapping).

    + +

    The original recipient address is used as follows:

    + +
    + +
    Final delivery
    With "enable_original_recipient = +yes", the original recipient address is stored in the X-Original-To +message header. This header may be used to distinguish between +different recipients that share the same mailbox.
    + +
    Recipient deduplication
    With "enable_original_recipient += yes", the cleanup(8) daemon performs duplicate recipient elimination +based on the content of (original recipient, maybe-rewritten +recipient) pairs. Otherwise, the cleanup(8) daemon performs duplicate +recipient elimination based only on the maybe-rewritten recipient +address.
    + +
    + +

    Note: with Postfix ≤ 3.2 the "setting enable_original_recipient += no" breaks address verification for addresses that are +aliased or otherwise rewritten (Postfix is unable to store the +address verification result under the original probe destination +address; instead, it can store the result only under the rewritten +address).

    + +

    This feature is available in Postfix 2.1 and later. Postfix +version 2.0 behaves as if this parameter is always set to yes. +Postfix versions before 2.0 have no support for the original recipient +address.

    + +%PARAM export_environment see "postconf -d" output + +

    +The list of environment variables that a Postfix process will export +to non-Postfix processes. The TZ variable is needed for sane +time keeping on System-V-ish systems. +

    + +

    +Specify a list of names and/or name=value pairs, separated by +whitespace or comma. Specify "{ name=value }" to protect whitespace +or comma in parameter values (whitespace after the opening "{" and +before the closing "}" +is ignored). The form name=value is supported with Postfix version +2.1 and later; the use of {} is supported with Postfix 3.0 and +later.

    + +

    +Example: +

    + +
    +export_environment = TZ PATH=/bin:/usr/bin
    +
    + +%PARAM smtp_fallback_relay $fallback_relay + +

    +Optional list of relay hosts for SMTP destinations that can't be +found or that are unreachable. With Postfix 2.2 and earlier this +parameter is called fallback_relay.

    + +

    +By default, mail is returned to the sender when a destination is +not found, and delivery is deferred when a destination is unreachable. +

    + +

    With bulk email deliveries, it can be beneficial to run the +fallback relay MTA on the same host, so that it can reuse the sender +IP address. This speeds up deliveries that are delayed by IP-based +reputation systems (greylist, etc.).

    + +

    The fallback relays must be SMTP destinations. Specify a domain, +host, host:port, [host]:port, [address] or [address]:port; the form +[host] turns off MX lookups. If you specify multiple SMTP +destinations, Postfix will try them in the specified order.

    + +

    To prevent mailer loops between MX hosts and fall-back hosts, +Postfix version 2.2 and later will not use the fallback relays for +destinations that it is MX host for (assuming DNS lookup is turned on). +

    + +%PARAM fallback_relay + +

    +Optional list of relay hosts for SMTP destinations that can't be +found or that are unreachable. With Postfix 2.3 this parameter +is renamed to smtp_fallback_relay.

    + +

    +By default, mail is returned to the sender when a destination is +not found, and delivery is deferred when a destination is unreachable. +

    + +

    The fallback relays must be SMTP destinations. Specify a domain, +host, host:port, [host]:port, [address] or [address]:port; the form +[host] turns off MX lookups. If you specify multiple SMTP +destinations, Postfix will try them in the specified order.

    + +

    Note: before Postfix 2.2, do not use the fallback_relay feature +when relaying mail +for a backup or primary MX domain. Mail would loop between the +Postfix MX host and the fallback_relay host when the final destination +is unavailable.

    + +
      + +
    • In main.cf specify "relay_transport = relay", + +
    • In master.cf specify "-o fallback_relay =" (i.e., empty) at +the end of the relay entry. + +
    • In transport maps, specify "relay:nexthop..." +as the right-hand side for backup or primary MX domain entries. + +
    + +

    Postfix version 2.2 and later will not use the fallback_relay feature +for destinations that it is MX host for. +

    + +%PARAM lmtp_fallback_relay + +

    Optional list of relay hosts for LMTP destinations that can't be +found or that are unreachable. In main.cf elements are separated by +whitespace or commas.

    + +

    By default, mail is returned to the sender when a destination is not +found, and delivery is deferred when a destination is unreachable.

    + +

    The fallback relays must be TCP destinations, specified without +a leading "inet:" prefix. Specify a host or host:port. Since MX +lookups do not apply with LMTP, there is no need to use the "[host]" or +"[host]:port" forms. If you specify multiple LMTP destinations, Postfix +will try them in the specified order.

    + +

    +This feature is available in Postfix 3.1 and later. +

    + +%PARAM fast_flush_domains $relay_domains + +

    +Optional list of destinations that are eligible for per-destination +logfiles with mail that is queued to those destinations. +

    + +

    +By default, Postfix maintains "fast flush" logfiles only for +destinations that the Postfix SMTP server is willing to relay to +(i.e. the default is: "fast_flush_domains = $relay_domains"; see +the relay_domains parameter in the postconf(5) manual). +

    + +

    Specify a list of hosts or domains, "/file/name" patterns or +"type:table" lookup tables, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. A +"/file/name" pattern is replaced by its contents; a "type:table" +lookup table is matched when the domain or its parent domain appears +as lookup key.

    + +

    Pattern matching of domain names is controlled by the presence +or absence of "fast_flush_domains" in the parent_domain_matches_subdomains +parameter value.

    + +

    +Specify "fast_flush_domains =" (i.e., empty) to disable the feature +altogether. +

    + +%PARAM fast_flush_purge_time 7d + +

    +The time after which an empty per-destination "fast flush" logfile +is deleted. +

    + +

    +You can specify the time as a number, or as a number followed by +a letter that indicates the time unit: s=seconds, m=minutes, h=hours, +d=days, w=weeks. The default time unit is days. +

    + +%PARAM fast_flush_refresh_time 12h + +

    +The time after which a non-empty but unread per-destination "fast +flush" logfile needs to be refreshed. The contents of a logfile +are refreshed by requesting delivery of all messages listed in the +logfile. +

    + +

    +You can specify the time as a number, or as a number followed by +a letter that indicates the time unit: s=seconds, m=minutes, h=hours, +d=days, w=weeks. The default time unit is hours. +

    + +%PARAM fork_attempts 5 + +

    The maximal number of attempts to fork() a child process.

    + +%PARAM fork_delay 1s + +

    The delay between attempts to fork() a child process.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM execution_directory_expansion_filter see "postconf -d" output + +

    Restrict the characters that the local(8) delivery agent allows +in $name expansions of $command_execution_directory. Characters +outside the allowed set are replaced by underscores.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM command_execution_directory + +

    The local(8) delivery agent working directory for delivery to +external commands. Failure to change directory causes the delivery +to be deferred.

    + +

    The command_execution_directory value is not subject to Postfix +configuration parameter $name expansion. Instead, the following +$name expansions are done on command_execution_directory before the +directory is used. Expansion happens in the context +of the delivery request. The result of $name expansion is filtered +with the character set that is specified with the +execution_directory_expansion_filter parameter.

    + +
    + +
    $user
    + +
    The recipient's username.
    + +
    $shell
    + +
    The recipient's login shell pathname.
    + +
    $home
    + +
    The recipient's home directory.
    + +
    $recipient
    + +
    The full recipient address.
    + +
    $extension
    + +
    The optional recipient address extension.
    + +
    $domain
    + +
    The recipient domain.
    + +
    $local
    + +
    The entire recipient localpart.
    + +
    $recipient_delimiter
    + +
    The address extension delimiter that was found in the recipient +address (Postfix 2.11 and later), or the system-wide recipient +address extension delimiter (Postfix 2.10 and earlier).
    + +
    ${name?value}
    + +
    ${name?{value}} (Postfix ≥ 3.0)
    + +
    Expands to value when $name is non-empty.
    + +
    ${name:value}
    + +
    ${name:{value}} (Postfix ≥ 3.0)
    + +
    Expands to value when $name is empty.
    + +
    ${name?{value1}:{value2}} (Postfix ≥ 3.0)
    + +
    Expands to value1 when $name is non-empty, +value2 otherwise.
    + +
    + +

    +Instead of $name you can also specify ${name} or $(name). +

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM forward_path see "postconf -d" output + +

    The local(8) delivery agent search list for finding a .forward +file with user-specified delivery methods. The first file that is +found is used.

    + +

    The forward_path value is not subject to Postfix configuration +parameter $name expansion. Instead, the following $name expansions +are done on forward_path before the search actually happens. +The result of $name expansion is +filtered with the character set that is specified with the +forward_expansion_filter parameter.

    + +
    + +
    $user
    + +
    The recipient's username.
    + +
    $shell
    + +
    The recipient's login shell pathname.
    + +
    $home
    + +
    The recipient's home directory.
    + +
    $recipient
    + +
    The full recipient address.
    + +
    $extension
    + +
    The optional recipient address extension.
    + +
    $domain
    + +
    The recipient domain.
    + +
    $local
    + +
    The entire recipient localpart.
    + +
    $recipient_delimiter
    + +
    The address extension delimiter that was found in the recipient +address (Postfix 2.11 and later), or the 'first' delimiter specified +with the system-wide recipient address extension delimiter (Postfix +3.5.22, 3.5.12, 3.7.8, 3.8.3 and later). Historically, this was +always the system-wide recipient +address extension delimiter (Postfix 2.10 and earlier).
    + +
    ${name?value}
    + +
    ${name?{value}} (Postfix ≥ 3.0)
    + +
    Expands to value when $name is non-empty.
    + +
    ${name:value}
    + +
    ${name:{value}} (Postfix ≥ 3.0)
    + +
    Expands to value when $name is empty.
    + +
    ${name?{value1}:{value2}} (Postfix ≥ 3.0)
    + +
    Expands to value1 when $name is non-empty, +value2 otherwise.
    + +
    + +

    +Instead of $name you can also specify ${name} or $(name). +

    + +

    +Examples: +

    + +
    +forward_path = /var/forward/$user
    +forward_path =
    +    /var/forward/$user/.forward$recipient_delimiter$extension,
    +    /var/forward/$user/.forward
    +
    + +%CLASS queue-hashing Queue directory hashing + +

    +Queue directory hashing is a performance feature. Splitting one +queue directory across multiple subdirectory levels can speed up +file access by reducing the number of files per directory. +

    + +

    +Unfortunately, deeply hashing the incoming or deferred queue can +actually slow down the mail system (with a depth of 2, mailq with +an empty queue can take several seconds). +

    + +

    +Hashing must NOT be used with a world-writable maildrop directory. +Hashing MUST be used for the defer logfile directory, to avoid poor +performance when handling lots of deferred mail. +

    + +%PARAM hash_queue_depth 1 + +

    +The number of subdirectory levels for queue directories listed with +the hash_queue_names parameter. Queue hashing is implemented by +creating one or more levels of directories with one-character names. +Originally, these directory names were equal to the first characters +of the queue file name, with the hexadecimal representation of the +file creation time in microseconds.

    + +

    With long queue file names, queue hashing produces the same +results as with short names. The file creation time in microseconds +is converted into hexadecimal form before the result is used for +queue hashing. The base 16 encoding gives finer control over the +number of subdirectories than is possible with the base 52 encoding +of long queue file names.

    + +

    +After changing the hash_queue_names or hash_queue_depth parameter, +execute the command "postfix reload". +

    + +%PARAM hash_queue_names deferred, defer + +

    +The names of queue directories that are split across multiple +subdirectory levels. +

    + +

    Before Postfix version 2.2, the default list of hashed queues +was significantly larger. Claims about improvements in file system +technology suggest that hashing of the incoming and active queues +is no longer needed. Fewer hashed directories speed up the time +needed to restart Postfix.

    + +

    +After changing the hash_queue_names or hash_queue_depth parameter, +execute the command "postfix reload". +

    + +%CLASS headerbody-checks Content inspection built-in features + +

    +The Postfix cleanup(8) server has a limited ability to inspect +message headers and body content for signs of trouble. This is not +meant to be a substitute for content filters that do complex +processing such attachment decoding and unzipping. +

    + +%PARAM header_checks + +

    +Optional lookup tables for content inspection of primary non-MIME +message headers, as specified in the header_checks(5) manual page. +

    + +%PARAM header_size_limit 102400 + +

    +The maximal amount of memory in bytes for storing a message header. +If a header is larger, the excess is discarded. The limit is +enforced by the cleanup(8) server. +

    + +%PARAM home_mailbox + +

    +Optional pathname of a mailbox file relative to a local(8) user's +home directory. +

    + +

    +Specify a pathname ending in "/" for qmail-style delivery. +

    + +

    The precedence of local(8) delivery features from high to low +is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, +mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, +fallback_transport_maps, fallback_transport and luser_relay.

    + +

    +Examples: +

    + +
    +home_mailbox = Mailbox
    +home_mailbox = Maildir/
    +
    + +%PARAM hopcount_limit 50 + +

    +The maximal number of Received: message headers that is allowed +in the primary message headers. A message that exceeds the limit +is bounced, in order to stop a mailer loop. +

    + +%PARAM ignore_mx_lookup_error no + +

    Ignore DNS MX lookups that produce no response. By default, +the Postfix SMTP client defers delivery and tries again after some +delay. This behavior is required by the SMTP standard.

    + +

    +Specify "ignore_mx_lookup_error = yes" to force a DNS A record +lookup instead. This violates the SMTP standard and can result in +mis-delivery of mail. +

    + +%PARAM import_environment see "postconf -d" output + +

    The list of environment variables that a privileged Postfix +process will import from a non-Postfix parent process, or name=value +environment overrides. Unprivileged utilities will enforce the +name=value overrides, but otherwise will not change their process +environment. Examples of relevant environment variables:

    + +
    + +
    TZ
    + +
    May be needed for sane time keeping on most System-V-ish systems. +
    + +
    DISPLAY
    + +
    Needed for debugging Postfix daemons with an X-windows debugger.
    + +
    XAUTHORITY
    + +
    Needed for debugging Postfix daemons with an X-windows debugger.
    + +
    MAIL_CONFIG
    + +
    Needed to make "postfix -c" work.
    + +
    + +

    Specify a list of names and/or name=value pairs, separated by +whitespace or comma. Specify "{ name=value }" to protect whitespace +or comma in environment variable values (whitespace after the opening "{" and +before the closing "}" +is ignored). The form name=value is supported with Postfix version +2.1 and later; the use of {} is supported with Postfix 3.0 and +later.

    + +%PARAM in_flow_delay 1s + +

    Time to pause before accepting a new message, when the message +arrival rate exceeds the message delivery rate. This feature is +turned on by default (it's disabled on SCO UNIX due to an SCO bug). +

    + +

    +With the default 100 Postfix SMTP server process limit, "in_flow_delay += 1s" limits the mail inflow to 100 messages per second above the +number of messages delivered per second. +

    + +

    +Specify 0 to disable the feature. Valid delays are 0..10. +

    + +%PARAM inet_interfaces all + +

    The network interface addresses that this mail system receives +mail on. Specify "all" to receive mail on all network +interfaces (default), and "loopback-only" to receive mail +on loopback network interfaces only (Postfix version 2.2 and later). The +parameter also controls delivery of mail to user@[ip.address]. +

    + +

    +Note 1: you need to stop and start Postfix when this parameter changes. +

    + +

    Note 2: address information may be enclosed inside [], +but this form is not required here.

    + +

    When inet_interfaces specifies just one IPv4 and/or IPv6 address +that is not a loopback address, the Postfix SMTP client will use +this address as the IP source address for outbound mail. Support +for IPv6 is available in Postfix version 2.2 and later.

    + +

    +On a multi-homed firewall with separate Postfix instances listening on the +"inside" and "outside" interfaces, this can prevent each instance from +being able to reach remote SMTP servers on the "other side" of the +firewall. Setting +smtp_bind_address to 0.0.0.0 avoids the potential problem for +IPv4, and setting smtp_bind_address6 to :: solves the problem +for IPv6.

    + +

    +A better solution for multi-homed firewalls is to leave inet_interfaces +at the default value and instead use explicit IP addresses in +the master.cf SMTP server definitions. This preserves the Postfix +SMTP client's +loop detection, by ensuring that each side of the firewall knows that the +other IP address is still the same host. Setting $inet_interfaces to a +single IPv4 and/or IPV6 address is primarily useful with virtual +hosting of domains on +secondary IP addresses, when each IP address serves a different domain +(and has a different $myhostname setting).

    + +

    +See also the proxy_interfaces parameter, for network addresses that +are forwarded to Postfix by way of a proxy or address translator. +

    + +

    +Examples: +

    + +
    +inet_interfaces = all (DEFAULT)
    +inet_interfaces = loopback-only (Postfix version 2.2 and later)
    +inet_interfaces = 127.0.0.1
    +inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
    +inet_interfaces = 192.168.1.2, 127.0.0.1
    +
    + +%PARAM inet_protocols see 'postconf -d output' + +

    The Internet protocols Postfix will attempt to use when making +or accepting connections. Specify one or more of "ipv4" +or "ipv6", separated by whitespace or commas. The form +"all" is equivalent to "ipv4, ipv6" or "ipv4", depending +on whether the operating system implements IPv6.

    + +

    With Postfix 2.8 and earlier the default is "ipv4". For backwards +compatibility with these releases, the Postfix 2.9 and later upgrade +procedure appends an explicit "inet_protocols = ipv4" setting to +main.cf when no explicit setting is present. This compatibility +workaround will be phased out as IPv6 deployment becomes more common. +

    + +

    This feature is available in Postfix 2.2 and later.

    + +

    Note: you MUST stop and start Postfix after changing this +parameter.

    + +

    On systems that pre-date IPV6_V6ONLY support (RFC 3493), an +IPv6 server will also accept IPv4 connections, even when IPv4 is +turned off with the inet_protocols parameter. On systems with +IPV6_V6ONLY support, Postfix will use separate server sockets for +IPv6 and IPv4, and each will accept only connections for the +corresponding protocol.

    + +

    When IPv4 support is enabled via the inet_protocols parameter, +Postfix will look up DNS type A records, and will convert +IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original +IPv4 form (1.2.3.4). The latter is needed on hosts that pre-date +IPV6_V6ONLY support (RFC 3493).

    + +

    When IPv6 support is enabled via the inet_protocols parameter, +Postfix will do DNS type AAAA record lookups.

    + +

    When both IPv4 and IPv6 support are enabled, the Postfix SMTP +client will choose the protocol as specified with the +smtp_address_preference parameter. Postfix versions before 2.8 +attempt to connect via IPv6 before attempting to use IPv4.

    + +

    +Examples: +

    + +
    +inet_protocols = ipv4
    +inet_protocols = all (DEFAULT)
    +inet_protocols = ipv6
    +inet_protocols = ipv4, ipv6
    +
    + +%PARAM initial_destination_concurrency 5 + +

    +The initial per-destination concurrency level for parallel delivery +to the same destination. +With per-destination recipient limit > 1, a destination is a domain, +otherwise it is a recipient. +

    + +

    Use transport_initial_destination_concurrency to specify +a transport-specific override, where transport is the master.cf +name of the message delivery transport (Postfix 2.5 and later).

    + +

    +Warning: with concurrency of 1, one bad message can be enough to +block all mail to a site. +

    + +%PARAM invalid_hostname_reject_code 501 + +

    +The numerical Postfix SMTP server response code when the client +HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname +restriction. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM ipc_idle version dependent + +

    +The time after which a client closes an idle internal communication +channel. The purpose is to allow Postfix daemon processes to +terminate voluntarily after they become idle. This is used, for +example, by the Postfix address resolving and rewriting clients. +

    + +

    With Postfix 2.4 the default value was reduced from 100s to 5s.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM ipc_timeout 3600s + +

    +The time limit for sending or receiving information over an internal +communication channel. The purpose is to break out of deadlock +situations. If the time limit is exceeded the software aborts with a +fatal error. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM ipc_ttl 1000s + +

    +The time after which a client closes an active internal communication +channel. The purpose is to allow Postfix daemon processes to +terminate voluntarily +after reaching their client limit. This is used, for example, by +the Postfix address resolving and rewriting clients. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM line_length_limit 2048 + +

    Upon input, long lines are chopped up into pieces of at most +this length; upon delivery, long lines are reconstructed.

    + +%PARAM lmtp_connect_timeout 0s + +

    The Postfix LMTP client time limit for completing a TCP connection, or +zero (use the operating system built-in time limit). When no +connection can be made within the deadline, the LMTP client tries +the next address on the mail exchanger list.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +Example: +

    + +
    +lmtp_connect_timeout = 30s
    +
    + +%PARAM lmtp_data_done_timeout 600s + +

    The Postfix LMTP client time limit for sending the LMTP ".", +and for receiving the remote LMTP server response. When no response +is received within the deadline, a warning is logged that the mail +may be delivered multiple times.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM lmtp_data_init_timeout 120s + +

    +The Postfix LMTP client time limit for sending the LMTP DATA command, +and +for receiving the remote LMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM lmtp_data_xfer_timeout 180s + +

    +The Postfix LMTP client time limit for sending the LMTP message +content. +When the connection stalls for more than $lmtp_data_xfer_timeout +the LMTP client terminates the transfer. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM lmtp_lhlo_timeout 300s + +

    The Postfix LMTP client time limit for receiving the LMTP +greeting banner. When the remote LMTP server drops the connection +without sending a +greeting banner, or when it sends no greeting banner within the +deadline, the LMTP client tries the next address on the mail +exchanger list.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM lmtp_mail_timeout 300s + +

    +The Postfix LMTP client time limit for sending the MAIL FROM command, +and for receiving the remote LMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM lmtp_quit_timeout 300s + +

    +The Postfix LMTP client time limit for sending the QUIT command, +and for receiving the remote LMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM lmtp_rcpt_timeout 300s + +

    +The Postfix LMTP client time limit for sending the RCPT TO command, +and for receiving the remote LMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM lmtp_rset_timeout 20s + +

    The Postfix LMTP client time limit for sending the RSET command, +and for receiving the remote LMTP server response. The LMTP client +sends RSET in +order to finish a recipient address probe, or to verify that a +cached connection is still alive.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM lmtp_send_xforward_command no + +

    +Send an XFORWARD command to the remote LMTP server when the LMTP LHLO +server response announces XFORWARD support. This allows an lmtp(8) +delivery agent, used for content filter message injection, to +forward the name, address, protocol and HELO name of the original +client to the content filter and downstream LMTP server. +Before you change the value to yes, it is best to make sure that +your content filter supports this command. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM lmtp_skip_quit_response no + +

    +Wait for the response to the LMTP QUIT command. +

    + +%PARAM lmtp_xforward_timeout 300s + +

    +The Postfix LMTP client time limit for sending the XFORWARD command, +and for receiving the remote LMTP server response. +

    + +

    +In case of problems the client does NOT try the next address on +the mail exchanger list. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM local_command_shell + +

    +Optional shell program for local(8) delivery to non-Postfix commands. +By default, non-Postfix commands are executed directly; commands +are given to the default shell (typically, /bin/sh) only when they +contain shell meta characters or shell built-in commands. +

    + +

    "sendmail's restricted shell" (smrsh) is what most people will +use in order to restrict what programs can be run from e.g. .forward +files (smrsh is part of the Sendmail distribution).

    + +

    Note: when a shell program is specified, it is invoked even +when the command contains no shell built-in commands or meta +characters.

    + +

    +Example: +

    + +
    +local_command_shell = /some/where/smrsh -c
    +local_command_shell = /bin/bash -c
    +
    + +%PARAM local_destination_concurrency_limit 2 + +

    The maximal number of parallel deliveries via the local mail +delivery transport to the same recipient (when +"local_destination_recipient_limit = 1") or the maximal number of +parallel deliveries to the same local domain (when +"local_destination_recipient_limit > 1"). This limit is enforced by +the queue manager. The message delivery transport name is the first +field in the entry in the master.cf file.

    + +

    A low limit of 2 is recommended, just in case someone has an +expensive shell command in a .forward file or in an alias (e.g., +a mailing list manager). You don't want to run lots of those at +the same time.

    + +%PARAM local_destination_recipient_limit 1 + +

    The maximal number of recipients per message delivery via the +local mail delivery transport. This limit is enforced by the queue +manager. The message delivery transport name is the first field in +the entry in the master.cf file.

    + +

    Setting this parameter to a value > 1 changes the meaning of +local_destination_concurrency_limit from concurrency per recipient +into concurrency per domain.

    + +%PARAM local_recipient_maps proxy:unix:passwd.byname $alias_maps + +

    Lookup tables with all names or addresses of local recipients: +a recipient address is local when its domain matches $mydestination, +$inet_interfaces or $proxy_interfaces. Specify @domain as a +wild-card for domains that do not have a valid recipient list. +Technically, tables listed with $local_recipient_maps are used as +lists: Postfix needs to know only if a lookup string is found or +not, but it does not use the result from table lookup.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    +If this parameter is non-empty (the default), then the Postfix SMTP +server will reject mail for unknown local users. +

    + +

    +To turn off local recipient checking in the Postfix SMTP server, +specify "local_recipient_maps =" (i.e. empty). +

    + +

    +The default setting assumes that you use the default Postfix local +delivery agent for local delivery. You need to update the +local_recipient_maps setting if: +

    + +
      + +
    • You redefine the local delivery agent in master.cf. + +
    • You redefine the "local_transport" setting in main.cf. + +
    • You use the "luser_relay", "mailbox_transport", or "fallback_transport" +feature of the Postfix local(8) delivery agent. + +
    + +

    +Details are described in the LOCAL_RECIPIENT_README file. +

    + +

    +Beware: if the Postfix SMTP server runs chrooted, you need to access +the passwd file via the proxymap(8) service, in order to overcome +chroot access restrictions. The alternative, maintaining a copy of +the system password file in the chroot jail is not practical. +

    + +

    +Examples: +

    + +
    +local_recipient_maps =
    +
    + +%PARAM local_transport local:$myhostname + +

    The default mail delivery transport and next-hop destination +for final delivery to domains listed with mydestination, and for +[ipaddress] destinations that match $inet_interfaces or $proxy_interfaces. +This information can be overruled with the transport(5) table.

    + +

    +By default, local mail is delivered to the transport called "local", +which is just the name of a service that is defined the master.cf file. +

    + +

    +Specify a string of the form transport:nexthop, where transport +is the name of a mail delivery transport defined in master.cf. +The :nexthop destination is optional; its syntax is documented +in the manual page of the corresponding delivery agent. +

    + +

    +Beware: if you override the default local delivery agent then you +need to review the LOCAL_RECIPIENT_README document, otherwise the +SMTP server may reject mail for local recipients. +

    + +%PARAM luser_relay + +

    +Optional catch-all destination for unknown local(8) recipients. +By default, mail for unknown recipients in domains that match +$mydestination, $inet_interfaces or $proxy_interfaces is returned +as undeliverable. +

    + +

    +The luser_relay value is not subject to Postfix configuration +parameter $name expansion. Instead, the following $name expansions +are done: +

    + +
    + +
    $domain
    + +
    The recipient domain.
    + +
    $extension
    + +
    The recipient address extension.
    + +
    $home
    + +
    The recipient's home directory.
    + +
    $local
    + +
    The entire recipient address localpart.
    + +
    $recipient
    + +
    The full recipient address.
    + +
    $recipient_delimiter
    + +
    The address extension delimiter that was found in the recipient +address (Postfix 2.11 and later), or the system-wide recipient +address extension delimiter (Postfix 2.10 and earlier).
    + +
    $shell
    + +
    The recipient's login shell.
    + +
    $user
    + +
    The recipient username.
    + +
    ${name?value}
    + +
    ${name?{value}} (Postfix ≥ 3.0)
    + +
    Expands to value when $name is non-empty.
    + +
    ${name:value}
    + +
    ${name:{value}} (Postfix ≥ 3.0)
    + +
    Expands to value when $name is empty.
    + +
    ${name?{value1}:{value2}} (Postfix ≥ 3.0)
    + +
    Expands to value1 when $name is non-empty, +value2 otherwise.
    + +
    + +

    +Instead of $name you can also specify ${name} or $(name). +

    + +

    +Note: luser_relay works only for the Postfix local(8) delivery agent. +

    + +

    +Note: if you use this feature for accounts not in the UNIX password +file, then you must specify "local_recipient_maps =" (i.e. empty) +in the main.cf file, otherwise the Postfix SMTP server will reject mail +for non-UNIX accounts with "User unknown in local recipient table". +

    + +

    +Examples: +

    + +
    +luser_relay = $user@other.host
    +luser_relay = $local@other.host
    +luser_relay = admin+$local
    +
    + +%PARAM mail_name Postfix + +

    +The mail system name that is displayed in Received: headers, in +the SMTP greeting banner, and in bounced mail. +

    + +%PARAM mail_owner postfix + +

    +The UNIX system account that owns the Postfix queue and most Postfix +daemon processes. Specify the name of an unprivileged user account +that does not share a user or group ID with other accounts, and that +owns no other files +or processes on the system. In particular, don't specify nobody +or daemon. PLEASE USE A DEDICATED USER ID AND GROUP ID. +

    + +

    +When this parameter value is changed you need to re-run "postfix +set-permissions" (with Postfix version 2.0 and earlier: +"/etc/postfix/post-install set-permissions". +

    + +%PARAM mail_spool_directory see "postconf -d" output + +

    +The directory where local(8) UNIX-style mailboxes are kept. The +default setting depends on the system type. Specify a name ending +in / for maildir-style delivery. +

    + +

    +Note: maildir delivery is done with the privileges of the recipient. +If you use the mail_spool_directory setting for maildir style +delivery, then you must create the top-level maildir directory in +advance. Postfix will not create it. +

    + +

    +Examples: +

    + +
    +mail_spool_directory = /var/mail
    +mail_spool_directory = /var/spool/mail
    +
    + +%PARAM mail_version see "postconf -d" output + +

    +The version of the mail system. Stable releases are named +major.minor.patchlevel. Experimental releases +also include the release date. The version string can be used in, +for example, the SMTP greeting banner. +

    + +%PARAM mailbox_command + +

    +Optional external command that the local(8) delivery agent should +use for mailbox delivery. The command is run with the user ID and +the primary group ID privileges of the recipient. Exception: +command delivery for root executes with $default_privs privileges. +This is not a problem, because 1) mail for root should always be +aliased to a real user and 2) don't log in as root, use "su" instead. +

    + +

    +The following environment variables are exported to the command: +

    + +
    + +
    CLIENT_ADDRESS
    + +
    Remote client network address. Available in Postfix version 2.2 and +later.
    + +
    CLIENT_HELO
    + +
    Remote client EHLO command parameter. Available in Postfix version 2.2 +and later.
    + +
    CLIENT_HOSTNAME
    + +
    Remote client hostname. Available in Postfix version 2.2 and later. +
    + +
    CLIENT_PROTOCOL
    + +
    Remote client protocol. Available in Postfix version 2.2 and later. +
    + +
    DOMAIN
    + +
    The domain part of the recipient address.
    + +
    EXTENSION
    + +
    The optional address extension.
    + +
    HOME
    + +
    The recipient home directory.
    + +
    LOCAL
    + +
    The recipient address localpart.
    + +
    LOGNAME
    + +
    The recipient's username.
    + +
    ORIGINAL_RECIPIENT
    + +
    The entire recipient address, before any address rewriting or +aliasing.
    + +
    RECIPIENT
    + +
    The full recipient address.
    + +
    SASL_METHOD
    + +
    SASL authentication method specified in the remote client AUTH +command. Available in Postfix version 2.2 and later.
    + +
    SASL_SENDER
    + +
    SASL sender address specified in the remote client MAIL FROM +command. Available in Postfix version 2.2 and later.
    + +
    SASL_USER
    + +
    SASL username specified in the remote client AUTH command. +Available in Postfix version 2.2 and later.
    + +
    SENDER
    + +
    The full sender address.
    + +
    SHELL
    + +
    The recipient's login shell.
    + +
    USER
    + +
    The recipient username.
    + +
    + +

    +Unlike other Postfix configuration parameters, the mailbox_command +parameter is not subjected to $name substitutions. This is to make +it easier to specify shell syntax (see example below). +

    + +

    +If you can, avoid shell meta characters because they will force +Postfix to run an expensive shell process. If you're delivering +via "procmail" then running a shell won't make a noticeable difference +in the total cost. +

    + +

    +Note: if you use the mailbox_command feature to deliver mail +system-wide, you must set up an alias that forwards mail for root +to a real user. +

    + +

    The precedence of local(8) delivery features from high to low +is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, +mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, +fallback_transport_maps, fallback_transport and luser_relay.

    + +

    +Examples: +

    + +
    +mailbox_command = /some/where/procmail
    +mailbox_command = /some/where/procmail -a "$EXTENSION"
    +mailbox_command = /some/where/maildrop -d "$USER"
    +        -f "$SENDER" "$EXTENSION"
    +
    + +%PARAM mailbox_size_limit 51200000 + +

    The maximal size of any local(8) individual mailbox or maildir +file, or zero (no limit). In fact, this limits the size of any +file that is written to upon local delivery, including files written +by external commands that are executed by the local(8) delivery +agent. The value cannot exceed LONG_MAX (typically, a 32-bit or +64-bit signed integer). +

    + +

    +This limit must not be smaller than the message size limit. +

    + +%PARAM maps_rbl_reject_code 554 + +

    +The numerical Postfix SMTP server response code when a remote SMTP +client request is blocked by the reject_rbl_client, reject_rhsbl_client, +reject_rhsbl_reverse_client, reject_rhsbl_sender or +reject_rhsbl_recipient restriction. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM masquerade_classes envelope_sender, header_sender, header_recipient + +

    +What addresses are subject to address masquerading. +

    + +

    +By default, address masquerading is limited to envelope sender +addresses, and to header sender and header recipient addresses. +This allows you to use address masquerading on a mail gateway while +still being able to forward mail to users on individual machines. +

    + +

    +Specify zero or more of: envelope_sender, envelope_recipient, +header_sender, header_recipient +

    + +%PARAM masquerade_domains + +

    +Optional list of domains whose subdomain structure will be stripped +off in email addresses. +

    + +

    +The list is processed left to right, and processing stops at the +first match. Thus, +

    + +
    +
    +masquerade_domains = foo.example.com example.com
    +
    +
    + +

    +strips "user@any.thing.foo.example.com" to "user@foo.example.com", +but strips "user@any.thing.else.example.com" to "user@example.com". +

    + +

    +A domain name prefixed with ! means do not masquerade this domain +or its subdomains. Thus, +

    + +
    +
    +masquerade_domains = !foo.example.com example.com
    +
    +
    + +

    +does not change "user@any.thing.foo.example.com" or "user@foo.example.com", +but strips "user@any.thing.else.example.com" to "user@example.com". +

    + +

    Note: with Postfix version 2.2, message header address masquerading +happens only when message header address rewriting is enabled:

    + +
      + +
    • The message is received with the Postfix sendmail(1) command, + +
    • The message is received from a network client that matches +$local_header_rewrite_clients, + +
    • The message is received from the network, and the +remote_header_rewrite_domain parameter specifies a non-empty value. + +
    + +

    To get the behavior before Postfix version 2.2, specify +"local_header_rewrite_clients = static:all".

    + + +

    +Example: +

    + +
    +masquerade_domains = $mydomain
    +
    + +%PARAM masquerade_exceptions + +

    +Optional list of user names that are not subjected to address +masquerading, even when their addresses match $masquerade_domains. +

    + +

    +By default, address masquerading makes no exceptions. +

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. A "/file/name" +pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). Continue long +lines by starting the next line with whitespace. Specify "!pattern" +to exclude a name from the list. The form "!/file/name" is supported +only in Postfix version 2.4 and later.

    + +

    +Examples: +

    + +
    +masquerade_exceptions = root, mailer-daemon
    +masquerade_exceptions = root
    +
    + +%PARAM max_idle 100s + +

    +The maximum amount of time that an idle Postfix daemon process waits +for an incoming connection before terminating voluntarily. This +parameter +is ignored by the Postfix queue manager and by other long-lived +Postfix daemon processes. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM max_use 100 + +

    +The maximal number of incoming connections that a Postfix daemon +process will service before terminating voluntarily. This parameter +is ignored by the Postfix queue +manager and by other long-lived Postfix daemon processes. +

    + +%PARAM maximal_backoff_time 4000s + +

    +The maximal time between attempts to deliver a deferred message. +

    + +

    This parameter should be set to a value greater than or equal +to $minimal_backoff_time. See also $queue_run_delay.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM maximal_queue_lifetime 5d + +

    +Consider a message as undeliverable, when delivery fails with a +temporary error, and the time in the queue has reached the +maximal_queue_lifetime limit. +

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    +Specify 0 when mail delivery should be tried only once. +

    + +%PARAM lmdb_map_size 16777216 + +

    +The initial OpenLDAP LMDB database size limit in bytes. Each time +a database becomes full, its size limit is doubled. +

    + +

    +This feature is available in Postfix 2.11 and later. +

    + +%PARAM message_size_limit 10240000 + +

    +The maximal size in bytes of a message, including envelope information. +The value cannot exceed LONG_MAX (typically, a 32-bit or 64-bit +signed integer). +

    + +

    Note: be careful when making changes. Excessively small values +will result in the loss of non-delivery notifications, when a bounce +message size exceeds the local or remote MTA's message size limit. +

    + +%PARAM minimal_backoff_time 300s + +

    +The minimal time between attempts to deliver a deferred message; +prior to Postfix 2.4 the default value was 1000s. +

    + +

    +This parameter also limits the time an unreachable destination is +kept in the short-term, in-memory, destination status cache. +

    + +

    This parameter should be set greater than or equal to +$queue_run_delay. See also $maximal_backoff_time.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM multi_recipient_bounce_reject_code 550 + +

    +The numerical Postfix SMTP server response code when a remote SMTP +client request is blocked by the reject_multi_recipient_bounce +restriction. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM mydestination $myhostname, localhost.$mydomain, localhost + +

    The list of domains that are delivered via the $local_transport +mail delivery transport. By default this is the Postfix local(8) +delivery agent which looks up all recipients in /etc/passwd and +/etc/aliases. The SMTP server validates recipient addresses with +$local_recipient_maps and rejects non-existent recipients. See also +the local domain class in the ADDRESS_CLASS_README file. +

    + +

    +The default mydestination value specifies names for the local +machine only. On a mail domain gateway, you should also include +$mydomain. +

    + +

    +The $local_transport delivery method is also selected for mail +addressed to user@[the.net.work.address] of the mail system (the +IP addresses specified with the inet_interfaces and proxy_interfaces +parameters). +

    + +

    +Warnings: +

    + +
      + +
    • Do not specify the names of virtual domains - those domains +are specified elsewhere. See VIRTUAL_README for more information.

      + +
    • Do not specify the names of domains that this machine is +backup MX host for. See STANDARD_CONFIGURATION_README for how to +set up backup MX hosts.

      + +
    • By default, the Postfix SMTP server rejects mail for recipients +not listed with the local_recipient_maps parameter. See the +postconf(5) manual for a description of the local_recipient_maps +and unknown_local_recipient_reject_code parameters.

      + +
    + +

    +Specify a list of host or domain names, "/file/name" or "type:table" +patterns, separated by commas and/or whitespace. A "/file/name" +pattern is replaced by its contents; a "type:table" lookup table +is matched when a name matches a lookup key (the lookup result is +ignored). Continue long lines by starting the next line with +whitespace.

    + +

    +Examples: +

    + +
    +mydestination = $myhostname, localhost.$mydomain $mydomain
    +mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
    +
    + +%PARAM mydomain see "postconf -d" output + +

    +The internet domain name of this mail system. The default is to +use $myhostname minus the first component, or "localdomain" (Postfix +2.3 and later). $mydomain is used as +a default value for many other configuration parameters. +

    + +

    +Example: +

    + +
    +mydomain = domain.tld
    +
    + +%PARAM myhostname see "postconf -d" output + +

    +The internet hostname of this mail system. The default is to use +the fully-qualified domain name (FQDN) from gethostname(), or to +use the non-FQDN result from gethostname() and append ".$mydomain". +$myhostname is used as a default value for many other configuration +parameters.

    + +

    +Example: +

    + +
    +myhostname = host.example.com
    +
    + +%PARAM mynetworks see "postconf -d" output + +

    +The list of "trusted" remote SMTP clients that have more privileges than +"strangers". +

    + +

    +In particular, "trusted" SMTP clients are allowed to relay mail +through Postfix. See the smtpd_relay_restrictions parameter +description in the postconf(5) manual. +

    + +

    +You can specify the list of "trusted" network addresses by hand +or you can let Postfix do it for you (which is the default). +See the description of the mynetworks_style parameter for more +information. +

    + +

    +If you specify the mynetworks list by hand, +Postfix ignores the mynetworks_style setting. +

    + +

    Specify a list of network addresses or network/netmask patterns, +separated by commas and/or whitespace. Continue long lines by +starting the next line with whitespace.

    + +

    The netmask specifies the number of bits in the network part +of a host address. You can also specify "/file/name" or "type:table" +patterns. A "/file/name" pattern is replaced by its contents; a +"type:table" lookup table is matched when a table entry matches a +lookup string (the lookup result is ignored).

    + +

    The list is matched left to right, and the search stops on the +first match. Specify "!pattern" to exclude an address or network +block from the list. The form "!/file/name" is supported only +in Postfix version 2.4 and later.

    + +

    Note 1: Pattern matching of domain names is controlled by the +presence or absence of "mynetworks" in the parent_domain_matches_subdomains +parameter value.

    + +

    Note 2: IP version 6 address information must be specified inside +[] in the mynetworks value, and in files specified with +"/file/name". IP version 6 addresses contain the ":" character, +and would otherwise be confused with a "type:table" pattern.

    + +

    Note 3: CIDR ranges cannot be specified in hash tables. Use cidr +tables if CIDR ranges are used.

    + +

    Examples:

    + +
     
    +mynetworks = 127.0.0.0/8 168.100.189.0/28
    +mynetworks = !192.168.0.1, 192.168.0.0/28
    +mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64 
    +mynetworks = $config_directory/mynetworks
    +mynetworks = hash:/etc/postfix/network_table
    +mynetworks = cidr:/etc/postfix/network_table.cidr
    +
    + +%PARAM myorigin $myhostname + +

    +The domain name that locally-posted mail appears to come +from, and that locally posted mail is delivered to. The default, +$myhostname, is adequate for small sites. If you run a domain with +multiple machines, you should (1) change this to $mydomain and (2) +set up a domain-wide alias database that aliases each user to +user@that.users.mailhost. +

    + +

    +Example: +

    + +
    +myorigin = $mydomain
    +
    + +%PARAM notify_classes resource, software + +

    +The list of error classes that are reported to the postmaster. These +postmaster notifications do not replace user notifications. The +default is to report only the most serious problems. The paranoid +may wish to turn on the policy (UCE and mail relaying) and protocol +error (broken mail software) reports. +

    + +

    NOTE: postmaster notifications may contain confidential information +such as SASL passwords or message content. It is the system +administrator's responsibility to treat such information with care. +

    + +

    +The error classes are: +

    + +
    + +
    bounce (also implies 2bounce)
    + +
    Send the postmaster copies of the headers of bounced mail, and +send transcripts of SMTP sessions when Postfix rejects mail. The +notification is sent to the address specified with the +bounce_notice_recipient configuration parameter (default: postmaster). +
    + +
    2bounce
    + +
    Send undeliverable bounced mail to the postmaster. The notification +is sent to the address specified with the 2bounce_notice_recipient +configuration parameter (default: postmaster).
    + +
    data
    + +
    Send the postmaster a transcript of the SMTP session with an +error because a critical data file was unavailable. The notification +is sent to the address specified with the error_notice_recipient +configuration parameter (default: postmaster).
    This feature +is available in Postfix 2.9 and later.
    + +
    delay
    + +
    Send the postmaster copies of the headers of delayed mail (see +delay_warning_time). The +notification is sent to the address specified with the +delay_notice_recipient configuration parameter (default: postmaster). +
    + +
    policy
    + +
    Send the postmaster a transcript of the SMTP session when a +client request was rejected because of (UCE) policy. The notification +is sent to the address specified with the error_notice_recipient +configuration parameter (default: postmaster).
    + +
    protocol
    + +
    Send the postmaster a transcript of the SMTP session in case +of client or server protocol errors. The notification is sent to +the address specified with the error_notice_recipient configuration +parameter (default: postmaster).
    + +
    resource
    + +
    Inform the postmaster of mail not delivered due to resource +problems. The notification is sent to the address specified with +the error_notice_recipient configuration parameter (default: +postmaster).
    + +
    software
    + +
    Inform the postmaster of mail not delivered due to software +problems. The notification is sent to the address specified with +the error_notice_recipient configuration parameter (default: +postmaster).
    + +
    + +

    +Examples: +

    + +
    +notify_classes = bounce, delay, policy, protocol, resource, software
    +notify_classes = 2bounce, resource, software
    +
    + +%PARAM parent_domain_matches_subdomains see "postconf -d" output + +

    +A list of Postfix features where the pattern "example.com" also +matches subdomains of example.com, +instead of requiring an explicit ".example.com" pattern. This is +planned backwards compatibility: eventually, all Postfix features +are expected to require explicit ".example.com" style patterns when +you really want to match subdomains. +

    + +

    The following Postfix feature names are supported.

    + +
    + +
    Postfix version 1.0 and later
    + +
    +debug_peer_list, +fast_flush_domains, +mynetworks, +permit_mx_backup_networks, +relay_domains, +transport_maps +
    + +
    Postfix version 1.1 and later
    + +
    +qmqpd_authorized_clients, +smtpd_access_maps, +
    + +
    Postfix version 2.8 and later
    + +
    +postscreen_access_list +
    + +
    Postfix version 3.0 and later
    + +
    +smtpd_client_event_limit_exceptions +
    + +
    + +%PARAM propagate_unmatched_extensions canonical, virtual + +

    +What address lookup tables copy an address extension from the lookup +key to the lookup result. +

    + +

    +For example, with a virtual(5) mapping of "joe@example.com => +joe.user@example.net", the address "joe+foo@example.com" +would rewrite to "joe.user+foo@example.net". +

    + +

    +Specify zero or more of canonical, virtual, alias, +forward, include or generic. These cause +address extension +propagation with canonical(5), virtual(5), and aliases(5) maps, +with local(8) .forward and :include: file lookups, and with smtp(8) +generic maps, respectively.

    + +

    +Note: enabling this feature for types other than canonical +and virtual is likely to cause problems when mail is forwarded +to other sites, especially with mail that is sent to a mailing list +exploder address. +

    + +

    +Examples: +

    + +
    +propagate_unmatched_extensions = canonical, virtual, alias,
    +        forward, include
    +propagate_unmatched_extensions = canonical, virtual
    +
    + +%PARAM proxy_interfaces + +

    +The network interface addresses that this mail system receives mail +on by way of a proxy or network address translation unit. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +

    You must specify your "outside" proxy/NAT addresses when your +system is a backup MX host for other domains, otherwise mail delivery +loops will happen when the primary MX host is down.

    + +

    +Example: +

    + +
    +proxy_interfaces = 1.2.3.4
    +
    + +%PARAM qmgr_message_active_limit 20000 + +

    +The maximal number of messages in the active queue. +

    + +%PARAM qmgr_message_recipient_limit 20000 + +

    The maximal number of recipients held in memory by the Postfix +queue manager, and the maximal size of the short-term, +in-memory "dead" destination status cache.

    + +%PARAM qmgr_message_recipient_minimum 10 + +

    +The minimal number of in-memory recipients for any message. This +takes priority over any other in-memory recipient limits (i.e., +the global qmgr_message_recipient_limit and the per transport +_recipient_limit) if necessary. The minimum value allowed for this +parameter is 1. +

    + +%PARAM qmqpd_authorized_clients + +

    +What remote QMQP clients are allowed to connect to the Postfix QMQP +server port. +

    + +

    +By default, no client is allowed to use the service. This is +because the QMQP server will relay mail to any destination. +

    + +

    +Specify a list of client patterns. A list pattern specifies a host +name, a domain name, an internet address, or a network/mask pattern, +where the mask specifies the number of bits in the network part. +When a pattern specifies a file name, its contents are substituted +for the file name; when a pattern is a "type:table" table specification, +table lookup is used instead.

    + +

    +Patterns are separated by whitespace and/or commas. In order to +reverse the result, precede a pattern with an +exclamation point (!). The form "!/file/name" is supported only +in Postfix version 2.4 and later. +

    + +

    Pattern matching of domain names is controlled by the presence +or absence of "qmqpd_authorized_clients" in the +parent_domain_matches_subdomains parameter value.

    + +

    +Example: +

    + +
    +qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
    +
    + +%PARAM qmqpd_error_delay 1s + +

    +How long the Postfix QMQP server will pause before sending a negative +reply to the remote QMQP client. The purpose is to slow down confused +or malicious clients. +

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM qmqpd_timeout 300s + +

    +The time limit for sending or receiving information over the network. +If a read or write operation blocks for more than $qmqpd_timeout +seconds the Postfix QMQP server gives up and disconnects. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM queue_minfree 0 + +

    +The minimal amount of free space in bytes in the queue file system +that is needed to receive mail. This is currently used by the +Postfix SMTP server to decide if it will accept any mail at all. +

    + +

    +By default, the Postfix SMTP server rejects MAIL FROM commands when +the amount of free space is less than 1.5*$message_size_limit +(Postfix version 2.1 and later). +To specify a higher minimum free space limit, specify a queue_minfree +value that is at least 1.5*$message_size_limit. +

    + +

    +With Postfix versions 2.0 and earlier, a queue_minfree value of +zero means there is no minimum required amount of free space. +

    + +%PARAM queue_run_delay 300s + +

    +The time between deferred queue scans by the queue manager; +prior to Postfix 2.4 the default value was 1000s. +

    + +

    This parameter should be set less than or equal to +$minimal_backoff_time. See also $maximal_backoff_time.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM rbl_reply_maps + +

    +Optional lookup tables with RBL response templates. The tables are +indexed by the RBL domain name. By default, Postfix uses the default +template as specified with the default_rbl_reply configuration +parameter. See there for a discussion of the syntax of RBL reply +templates. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM receive_override_options + +

    Enable or disable recipient validation, built-in content +filtering, or address mapping. Typically, these are specified in +master.cf as command-line arguments for the smtpd(8), qmqpd(8) or +pickup(8) daemons.

    + +

    Specify zero or more of the following options. The options +override main.cf settings and are either implemented by smtpd(8), +qmqpd(8), or pickup(8) themselves, or they are forwarded to the +cleanup server.

    + +
    + +
    no_unknown_recipient_checks
    + +
    Do not try to reject unknown recipients (SMTP server only). +This is typically specified AFTER an external content filter. +
    + +
    no_address_mappings
    + +
    Disable canonical address mapping, virtual alias map expansion, +address masquerading, and automatic BCC (blind carbon-copy) +recipients. This is typically specified BEFORE an external content +filter.
    + +
    no_header_body_checks
    + +
    Disable header/body_checks. This is typically specified AFTER +an external content filter.
    + +
    no_milters
    + +
    Disable Milter (mail filter) applications. This is typically +specified AFTER an external content filter.
    + +
    + +

    +Note: when the "BEFORE content filter" receive_override_options +setting is specified in the main.cf file, specify the "AFTER content +filter" receive_override_options setting in master.cf (and vice +versa). +

    + +

    +Examples: +

    + +
    +receive_override_options =
    +    no_unknown_recipient_checks, no_header_body_checks
    +receive_override_options = no_address_mappings
    +
    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM recipient_bcc_maps + +

    +Optional BCC (blind carbon-copy) address lookup tables, indexed by +recipient address. The BCC address (multiple results are not +supported) is added when mail enters from outside of Postfix. +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    +The table search order is as follows: +

    + +
      + +
    • Look up the "user+extension@domain.tld" address including the +optional address extension. + +
    • Look up the "user@domain.tld" address without the optional +address extension. + +
    • Look up the "user+extension" address local part when the +recipient domain equals $myorigin, $mydestination, $inet_interfaces +or $proxy_interfaces. + +
    • Look up the "user" address local part when the recipient domain +equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. + +
    • Look up the "@domain.tld" part. + +
    + +

    +Note: with Postfix 2.3 and later the BCC address is added as if it +was specified with NOTIFY=NONE. The sender will not be notified +when the BCC address is undeliverable, as long as all down-stream +software implements RFC 3461. +

    + +

    +Note: with Postfix 2.2 and earlier the sender will unconditionally +be notified when the BCC address is undeliverable. +

    + +

    Note: automatic BCC recipients are produced only for new mail. +To avoid mailer loops, automatic BCC recipients are not generated +after Postfix forwards mail internally, or after Postfix generates +mail itself.

    + +

    +Example: +

    + +
    +recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
    +
    + +

    +After a change, run "postmap /etc/postfix/recipient_bcc". +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM recipient_canonical_maps + +

    +Optional address mapping lookup tables for envelope and header +recipient addresses. +The table format and lookups are documented in canonical(5). +

    + +

    +Note: $recipient_canonical_maps is processed before $canonical_maps. +

    + +

    +Example: +

    + +
    +recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
    +
    + +%PARAM recipient_delimiter + +

    The set of characters that can separate an email address +localpart, user name, or a .forward file name from its extension. +For example, with "recipient_delimiter = +", the software tries +user+foo@example.com before trying user@example.com, user+foo before +trying user, and .forward+foo before trying .forward.

    + +

    More formally, an email address localpart or user name is +separated from its extension by the first character that matches +the recipient_delimiter set. The delimiter character and extension +may then be used to generate an extended .forward file name. This +implementation recognizes one delimiter character and one extension +per email address localpart or email address. With Postfix 2.10 and +earlier, the recipient_delimiter specifies a single character.

    + +

    See canonical(5), local(8), relocated(5) and virtual(5) for the +effects of recipient_delimiter on lookups in aliases, canonical, +virtual, and relocated maps, and see the propagate_unmatched_extensions +parameter for propagating an extension from one email address to +another.

    + +

    When used in command_execution_directory, forward_path, or +luser_relay, ${recipient_delimiter} is replaced with the actual +recipient delimiter that was found in the recipient email address +(Postfix 2.11 and later), or it is replaced with the main.cf +recipient_delimiter parameter value (Postfix 2.10 and earlier). +

    + +

    The recipient_delimiter is not applied to the mailer-daemon +address, the postmaster address, or the double-bounce address. With +the default "owner_request_special = yes" setting, the recipient_delimiter +is also not applied to addresses with the special "owner-" prefix +or the special "-request" suffix.

    + +

    +Examples: +

    + +
    +# Handle Postfix-style extensions.
    +recipient_delimiter = +
    +
    + +
    +# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
    +recipient_delimiter = +-
    +
    + +
    +# Use .forward for mail without address extension, and for mail with
    +# an unrecognized address extension.
    +forward_path = $home/.forward${recipient_delimiter}${extension},
    +    $home/.forward
    +
    + +%PARAM reject_code 554 + +

    +The numerical Postfix SMTP server response code when a remote SMTP +client request is rejected by the "reject" restriction. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM relay_domains Postfix ≥ 3.0: empty, Postfix < 3.0: $mydestination + +

    What destination domains (and subdomains thereof) this system +will relay mail to. For details about how +the relay_domains value is used, see the description of the +permit_auth_destination and reject_unauth_destination SMTP recipient +restrictions.

    + +

    Domains that match $relay_domains are delivered with the +$relay_transport mail delivery transport. The SMTP server validates +recipient addresses with $relay_recipient_maps and rejects non-existent +recipients. See also the relay domains address class in the +ADDRESS_CLASS_README file.

    + +

    Note: Postfix will not automatically forward mail for domains +that list this system as their primary or backup MX host. See the +permit_mx_backup restriction in the postconf(5) manual page.

    + +

    Specify a list of host or domain names, "/file/name" patterns +or "type:table" lookup tables, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. A +"/file/name" pattern is replaced by its contents; a "type:table" +lookup table is matched when a (parent) domain appears as lookup +key. Specify "!pattern" to exclude a domain from the list. The form +"!/file/name" is supported only in Postfix version 2.4 and later. +

    + +

    Pattern matching of domain names is controlled by the presence +or absence of "relay_domains" in the parent_domain_matches_subdomains +parameter value.

    + +%PARAM relay_domains_reject_code 554 + +

    +The numerical Postfix SMTP server response code when a client +request is rejected by the reject_unauth_destination recipient +restriction. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM relay_recipient_maps + +

    Optional lookup tables with all valid addresses in the domains +that match $relay_domains. Specify @domain as a wild-card for +domains that have no valid recipient list, and become a source of +backscatter mail: Postfix accepts spam for non-existent recipients +and then floods innocent people with undeliverable mail. Technically, +tables +listed with $relay_recipient_maps are used as lists: Postfix needs +to know only if a lookup string is found or not, but it does not +use the result from the table lookup.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    +If this parameter is non-empty, then the Postfix SMTP server will reject +mail to unknown relay users. This feature is off by default. +

    + +

    +See also the relay domains address class in the ADDRESS_CLASS_README +file. +

    + +

    +Example: +

    + +
    +relay_recipient_maps = hash:/etc/postfix/relay_recipients
    +
    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM relayhost + +

    +The next-hop destination(s) for non-local mail; overrides non-local +domains in recipient addresses. This information is overruled with +relay_transport, sender_dependent_default_transport_maps, +default_transport, sender_dependent_relayhost_maps +and with the transport(5) table. +

    + +

    +On an intranet, specify the organizational domain name. If your +internal DNS uses no MX records, specify the name of the intranet +gateway host instead. +

    + +

    +In the case of SMTP or LMTP delivery, specify one or more destinations +in the form of a domain name, hostname, hostname:port, [hostname]:port, +[hostaddress] or [hostaddress]:port, separated by comma or whitespace. +The form [hostname] turns off MX lookups. Multiple destinations are +supported in Postfix 3.5 and later. +

    + +

    +If you're connected via UUCP, see the UUCP_README file for useful +information. +

    + +

    +Examples: +

    + +
    +relayhost = $mydomain
    +relayhost = [gateway.example.com]
    +relayhost = mail1.example:587, mail2.example:587
    +relayhost = [an.ip.add.ress]
    +
    + +%PARAM relocated_maps + +

    +Optional lookup tables with new contact information for users or +domains that no longer exist. The table format and lookups are +documented in relocated(5). +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    +If you use this feature, run "postmap /etc/postfix/relocated" to +build the necessary DBM or DB file after change, then "postfix +reload" to make the changes visible. +

    + +

    +Examples: +

    + +
    +relocated_maps = dbm:/etc/postfix/relocated
    +relocated_maps = hash:/etc/postfix/relocated
    +
    + +%PARAM require_home_directory no + +

    +Require that a local(8) recipient's home directory exists +before mail delivery is attempted. By default this test is disabled. +It can be useful for environments that import home directories to +the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED). +

    + +%PARAM resolve_dequoted_address yes + +

    Resolve a recipient address safely instead of correctly, by +looking inside quotes.

    + +

    By default, the Postfix address resolver does not quote the +address localpart as per RFC 822, so that additional @ or % or ! +operators remain visible. This behavior is safe but it is also +technically incorrect.

    + +

    If you specify "resolve_dequoted_address = no", then +the Postfix +resolver will not know about additional @ etc. operators in the +address localpart. This opens opportunities for obscure mail relay +attacks with user@domain@domain addresses when Postfix provides +backup MX service for Sendmail systems.

    + +%PARAM resolve_null_domain no + +

    Resolve an address that ends in the "@" null domain as if the +local hostname were specified, instead of rejecting the address as +invalid.

    + +

    This feature is available in Postfix 2.1 and later. +Earlier versions always resolve the null domain as the local +hostname.

    + +

    The Postfix SMTP server uses this feature to reject mail from +or to addresses that end in the "@" null domain, and from addresses +that rewrite into a form that ends in the "@" null domain.

    + +%PARAM sender_bcc_maps + +

    Optional BCC (blind carbon-copy) address lookup tables, indexed +by sender address. The BCC address (multiple results are not +supported) is added when mail enters from outside of Postfix.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    +The table search order is as follows: +

    + +
      + +
    • Look up the "user+extension@domain.tld" address including the +optional address extension. + +
    • Look up the "user@domain.tld" address without the optional +address extension. + +
    • Look up the "user+extension" address local part when the +sender domain equals $myorigin, $mydestination, $inet_interfaces +or $proxy_interfaces. + +
    • Look up the "user" address local part when the sender domain +equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. + +
    • Look up the "@domain.tld" part. + +
    + +

    +Note: with Postfix 2.3 and later the BCC address is added as if it +was specified with NOTIFY=NONE. The sender will not be notified +when the BCC address is undeliverable, as long as all down-stream +software implements RFC 3461. +

    + +

    +Note: with Postfix 2.2 and earlier the sender will be notified +when the BCC address is undeliverable. +

    + +

    Note: automatic BCC recipients are produced only for new mail. +To avoid mailer loops, automatic BCC recipients are not generated +after Postfix forwards mail internally, or after Postfix generates +mail itself.

    + +

    +Example: +

    + +
    +sender_bcc_maps = hash:/etc/postfix/sender_bcc
    +
    + +

    +After a change, run "postmap /etc/postfix/sender_bcc". +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM sender_canonical_maps + +

    +Optional address mapping lookup tables for envelope and header +sender addresses. +The table format and lookups are documented in canonical(5). +

    + +

    +Example: you want to rewrite the SENDER address "user@ugly.domain" +to "user@pretty.domain", while still being able to send mail to +the RECIPIENT address "user@ugly.domain". +

    + +

    +Note: $sender_canonical_maps is processed before $canonical_maps. +

    + +

    +Example: +

    + +
    +sender_canonical_maps = hash:/etc/postfix/sender_canonical
    +
    + +%PARAM smtp_always_send_ehlo yes + +

    +Always send EHLO at the start of an SMTP session. +

    + +

    +With "smtp_always_send_ehlo = no", the Postfix SMTP client sends +EHLO only when +the word "ESMTP" appears in the server greeting banner (example: +220 spike.porcupine.org ESMTP Postfix). +

    + +%PARAM smtp_bind_address + +

    +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv4 connection. +

    + +

    +This can be specified in the main.cf file for all SMTP clients, or +it can be specified in the master.cf file for a specific client, +for example: +

    + +
    +
    +/etc/postfix/master.cf:
    +    smtp ... smtp -o smtp_bind_address=11.22.33.44
    +
    +
    + +

    See smtp_bind_address_enforce for how Postfix should handle +errors (Postfix 3.7 and later).

    + +

    Note 1: when inet_interfaces specifies no more than one IPv4 +address, and that address is a non-loopback address, it is +automatically used as the smtp_bind_address. This supports virtual +IP hosting, but can be a problem on multi-homed firewalls. See the +inet_interfaces documentation for more detail.

    + +

    Note 2: address information may be enclosed inside [], +but this form is not required here.

    + +%PARAM smtp_bind_address6 + +

    +An optional numerical network address that the Postfix SMTP client +should bind to when making an IPv6 connection. +

    + +

    This feature is available in Postfix 2.2 and later.

    + +

    +This can be specified in the main.cf file for all SMTP clients, or +it can be specified in the master.cf file for a specific client, +for example: +

    + +
    +
    +/etc/postfix/master.cf:
    +    smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
    +
    +
    + +

    See smtp_bind_address_enforce for how Postfix should handle +errors (Postfix 3.7 and later).

    + +

    Note 1: when inet_interfaces specifies no more than one IPv6 +address, and that address is a non-loopback address, it is +automatically used as the smtp_bind_address6. This supports virtual +IP hosting, but can be a problem on multi-homed firewalls. See the +inet_interfaces documentation for more detail.

    + +

    Note 2: address information may be enclosed inside [], +but this form is not recommended here.

    + +%PARAM smtp_connection_cache_time_limit 2s + +

    When SMTP connection caching is enabled, the amount of time that +an unused SMTP client socket is kept open before it is closed. Do +not specify larger values without permission from the remote sites. +

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_connection_reuse_time_limit 300s + +

    The amount of time during which Postfix will use an SMTP +connection repeatedly. The timer starts when the connection is +initiated (i.e. it includes the connect, greeting and helo latency, +in addition to the latencies of subsequent mail delivery transactions). +

    + +

    This feature addresses a performance stability problem with +remote SMTP servers. This problem is not specific to Postfix: it +can happen when any MTA sends large amounts of SMTP email to a site +that has multiple MX hosts.

    + +

    The problem starts when one of a set of MX hosts becomes slower +than the rest. Even though SMTP clients connect to fast and slow +MX hosts with equal probability, the slow MX host ends up with more +simultaneous inbound connections than the faster MX hosts, because +the slow MX host needs more time to serve each client request.

    + +

    The slow MX host becomes a connection attractor. If one MX +host becomes N times slower than the rest, it dominates mail delivery +latency unless there are more than N fast MX hosts to counter the +effect. And if the number of MX hosts is smaller than N, the mail +delivery latency becomes effectively that of the slowest MX host +divided by the total number of MX hosts.

    + +

    The solution uses connection caching in a way that differs from +Postfix version 2.2. By limiting the amount of time during which a connection +can be used repeatedly (instead of limiting the number of deliveries +over that connection), Postfix not only restores fairness in the +distribution of simultaneous connections across a set of MX hosts, +it also favors deliveries over connections that perform well, which +is exactly what we want.

    + +

    The default reuse time limit, 300s, is comparable to the various +smtp transaction timeouts which are fair estimates of maximum excess +latency for a slow delivery. Note that hosts may accept thousands +of messages over a single connection within the default connection +reuse time limit. This number is much larger than the default Postfix +version 2.2 limit of 10 messages per cached connection. It may prove necessary +to lower the limit to avoid interoperability issues with MTAs that +exhibit bugs when many messages are delivered via a single connection. +A lower reuse time limit risks losing the benefit of connection +reuse when the average connection and mail delivery latency exceeds +the reuse time limit.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_connection_cache_destinations + +

    Permanently enable SMTP connection caching for the specified +destinations. With SMTP connection caching, a connection is not +closed immediately after completion of a mail transaction. Instead, +the connection is kept open for up to $smtp_connection_cache_time_limit +seconds. This allows connections to be reused for other deliveries, +and can improve mail delivery performance.

    + +

    Specify a comma or white space separated list of destinations +or pseudo-destinations:

    + +
      + +
    • if mail is sent without a relay host: a domain name (the +right-hand side of an email address, without the [] around a numeric +IP address), + +
    • if mail is sent via a relay host: a relay host name (without +[] or non-default TCP port), as specified in main.cf or in the +transport map, + +
    • if mail is sent via a UNIX-domain socket: a pathname (without +the unix: prefix), + +
    • a /file/name with domain names and/or relay host names as +defined above, + +
    • a "type:table" with domain names and/or relay host names on +the left-hand side. The right-hand side result from "type:table" +lookups is ignored. + +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_connection_cache_on_demand yes + +

    Temporarily enable SMTP connection caching while a destination +has a high volume of mail in the active queue. With SMTP connection +caching, a connection is not closed immediately after completion +of a mail transaction. Instead, the connection is kept open for +up to $smtp_connection_cache_time_limit seconds. This allows +connections to be reused for other deliveries, and can improve mail +delivery performance.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_connect_timeout 30s + +

    +The Postfix SMTP client time limit for completing a TCP connection, or +zero (use the operating system built-in time limit). +

    + +

    +When no connection can be made within the deadline, the Postfix +SMTP client +tries the next address on the mail exchanger list. Specify 0 to +disable the time limit (i.e. use whatever timeout is implemented by +the operating system). +

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM smtp_data_done_timeout 600s + +

    +The Postfix SMTP client time limit for sending the SMTP ".", and +for receiving the remote SMTP server response. +

    + +

    +When no response is received within the deadline, a warning is +logged that the mail may be delivered multiple times. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM smtp_data_init_timeout 120s + +

    +The Postfix SMTP client time limit for sending the SMTP DATA command, +and for receiving the remote SMTP server response. +

    + +

    +Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds). +

    + +%PARAM smtp_data_xfer_timeout 180s + +

    +The Postfix SMTP client time limit for sending the SMTP message content. +When the connection makes no progress for more than $smtp_data_xfer_timeout +seconds the Postfix SMTP client terminates the transfer. +

    + +

    +Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds). +

    + +%PARAM smtp_defer_if_no_mx_address_found no + +

    +Defer mail delivery when no MX record resolves to an IP address. +

    + +

    +The default (no) is to return the mail as undeliverable. With older +Postfix versions the default was to keep trying to deliver the mail +until someone fixed the MX record or until the mail was too old. +

    + +

    +Note: the Postfix SMTP client always ignores MX records with equal +or worse preference +than the local MTA itself. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM lmtp_destination_concurrency_limit $default_destination_concurrency_limit + +

    The maximal number of parallel deliveries to the same destination +via the lmtp message delivery transport. This limit is enforced by +the queue manager. The message delivery transport name is the first +field in the entry in the master.cf file.

    + +%PARAM lmtp_destination_recipient_limit $default_destination_recipient_limit + +

    The maximal number of recipients per message for the lmtp +message delivery transport. This limit is enforced by the queue +manager. The message delivery transport name is the first field in +the entry in the master.cf file.

    + +

    Setting this parameter to a value of 1 changes the meaning of +lmtp_destination_concurrency_limit from concurrency per domain into +concurrency per recipient.

    + +%PARAM relay_destination_concurrency_limit $default_destination_concurrency_limit + +

    The maximal number of parallel deliveries to the same destination +via the relay message delivery transport. This limit is enforced +by the queue manager. The message delivery transport name is the +first field in the entry in the master.cf file.

    + +

    This feature is available in Postfix 2.0 and later.

    + +%PARAM relay_destination_recipient_limit $default_destination_recipient_limit + +

    The maximal number of recipients per message for the relay +message delivery transport. This limit is enforced by the queue +manager. The message delivery transport name is the first field in +the entry in the master.cf file.

    + +

    Setting this parameter to a value of 1 changes the meaning of +relay_destination_concurrency_limit from concurrency per domain +into concurrency per recipient.

    + +

    This feature is available in Postfix 2.0 and later.

    + +%PARAM smtp_destination_concurrency_limit $default_destination_concurrency_limit + +

    The maximal number of parallel deliveries to the same destination +via the smtp message delivery transport. This limit is enforced by +the queue manager. The message delivery transport name is the first +field in the entry in the master.cf file.

    + +%PARAM smtp_destination_recipient_limit $default_destination_recipient_limit + +

    The maximal number of recipients per message for the smtp +message delivery transport. This limit is enforced by the queue +manager. The message delivery transport name is the first field in +the entry in the master.cf file.

    + +

    Setting this parameter to a value of 1 changes the meaning of +smtp_destination_concurrency_limit from concurrency per domain +into concurrency per recipient.

    + +%PARAM virtual_destination_concurrency_limit $default_destination_concurrency_limit + +

    The maximal number of parallel deliveries to the same destination +via the virtual message delivery transport. This limit is enforced +by the queue manager. The message delivery transport name is the +first field in the entry in the master.cf file.

    + +%PARAM virtual_destination_recipient_limit $default_destination_recipient_limit + +

    The maximal number of recipients per message for the virtual +message delivery transport. This limit is enforced by the queue +manager. The message delivery transport name is the first field in +the entry in the master.cf file.

    + +

    Setting this parameter to a value of 1 changes the meaning of +virtual_destination_concurrency_limit from concurrency per domain +into concurrency per recipient.

    + +%PARAM smtp_helo_name $myhostname + +

    +The hostname to send in the SMTP HELO or EHLO command. +

    + +

    +The default value is the machine hostname. Specify a hostname or +[ip.add.re.ss]. +

    + +

    +This information can be specified in the main.cf file for all SMTP +clients, or it can be specified in the master.cf file for a specific +client, for example: +

    + +
    +
    +/etc/postfix/master.cf:
    +    mysmtp ... smtp -o smtp_helo_name=foo.bar.com
    +
    +
    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM smtp_helo_timeout 300s + +

    +The Postfix SMTP client time limit for sending the HELO or EHLO command, +and for receiving the initial remote SMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM smtp_host_lookup dns + +

    +What mechanisms the Postfix SMTP client uses to look up a host's +IP address. This parameter is ignored when DNS lookups are disabled +(see: disable_dns_lookups and smtp_dns_support_level). The "dns" +mechanism is always tried before "native" if both are listed. +

    + +

    +Specify one of the following: +

    + +
    + +
    dns
    + +
    Hosts can be found in the DNS (preferred).
    + +
    native
    + +
    Use the native naming service only (nsswitch.conf, or equivalent +mechanism).
    + +
    dns, native
    + +
    Use the native service for hosts not found in the DNS.
    + +
    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtp_line_length_limit 998 + +

    +The maximal length of message header and body lines that Postfix +will send via SMTP. This limit does not include the <CR><LF> +at the end of each line. Longer lines are broken by inserting +"<CR><LF><SPACE>", to minimize the damage to MIME +formatted mail. Specify zero to disable this limit. +

    + +

    +The Postfix limit of 998 characters not including <CR><LF> +is consistent with the SMTP limit of 1000 characters including +<CR><LF>. The Postfix limit was 990 with Postfix 2.8 +and earlier. +

    + +%PARAM smtp_mail_timeout 300s + +

    +The Postfix SMTP client time limit for sending the MAIL FROM command, +and for receiving the remote SMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM smtp_mx_address_limit 5 + +

    +The maximal number of MX (mail exchanger) IP addresses that can +result from Postfix SMTP client mail exchanger lookups, or zero (no +limit). Prior to +Postfix version 2.3, this limit was disabled by default. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtp_mx_session_limit 2 + +

    The maximal number of SMTP sessions per delivery request before +the Postfix SMTP client +gives up or delivers to a fall-back relay host, or zero (no +limit). This restriction ignores sessions that fail to complete the +SMTP initial handshake (Postfix version 2.2 and earlier) or that fail to +complete the EHLO and TLS handshake (Postfix version 2.3 and later).

    + +

    This feature is available in Postfix 2.1 and later.

    + +%PARAM smtp_never_send_ehlo no + +

    Never send EHLO at the start of an SMTP session. See also the +smtp_always_send_ehlo parameter.

    + +%PARAM smtp_pix_workaround_threshold_time 500s + +

    How long a message must be queued before the Postfix SMTP client +turns on the PIX firewall "<CR><LF>.<CR><LF>" +bug workaround for delivery through firewalls with "smtp fixup" +mode turned on.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +By default, the workaround is turned off for mail that is queued +for less than 500 seconds. In other words, the workaround is normally +turned off for the first delivery attempt. +

    + +

    +Specify 0 to enable the PIX firewall +"<CR><LF>.<CR><LF>" bug workaround upon the +first delivery attempt. +

    + +%PARAM smtp_quit_timeout 300s + +

    +The Postfix SMTP client time limit for sending the QUIT command, +and for receiving the remote SMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM smtp_quote_rfc821_envelope yes + +

    +Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands +as required +by RFC 5321. This includes putting quotes around an address localpart +that ends in ".". +

    + +

    +The default is to comply with RFC 5321. If you have to send mail to +a broken SMTP server, configure a special SMTP client in master.cf: +

    + +
    +
    +/etc/postfix/master.cf:
    +    broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
    +
    +
    + +

    +and route mail for the destination in question to the "broken-smtp" +message delivery with a transport(5) table. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtp_rcpt_timeout 300s + +

    +The Postfix SMTP client time limit for sending the SMTP RCPT TO +command, and for receiving the remote SMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM smtp_sasl_auth_enable no + +

    +Enable SASL authentication in the Postfix SMTP client. By default, +the Postfix SMTP client uses no authentication. +

    + +

    +Example: +

    + +
    +smtp_sasl_auth_enable = yes
    +
    + +%PARAM smtp_sasl_password_maps + +

    +Optional Postfix SMTP client lookup tables with one username:password +entry per sender, remote hostname or next-hop domain. Per-sender +lookup is done only when sender-dependent authentication is enabled. +If no username:password entry is found, then the Postfix SMTP client +will not attempt to authenticate to the remote host. +

    + +

    +The Postfix SMTP client opens the lookup table before going to +chroot jail, so you can leave the password file in /etc/postfix. +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +%PARAM smtp_sasl_security_options noplaintext, noanonymous + +

    Postfix SMTP client SASL security options; as of Postfix 2.3 +the list of available +features depends on the SASL client implementation that is selected +with smtp_sasl_type.

    + +

    The following security features are defined for the cyrus +client SASL implementation:

    + +

    +Specify zero or more of the following: +

    + +
    + +
    noplaintext
    + +
    Disallow methods that use plaintext passwords.
    + +
    noactive
    + +
    Disallow methods subject to active (non-dictionary) attack. +
    + +
    nodictionary
    + +
    Disallow methods subject to passive (dictionary) attack.
    + +
    noanonymous
    + +
    Disallow methods that allow anonymous authentication.
    + +
    mutual_auth
    + +
    Only allow methods that provide mutual authentication (not +available with SASL version 1).
    + +
    + +

    +Example: +

    + +
    +smtp_sasl_security_options = noplaintext
    +
    + +%PARAM smtp_sasl_mechanism_filter + +

    +If non-empty, a Postfix SMTP client filter for the remote SMTP +server's list of offered SASL mechanisms. Different client and +server implementations may support different mechanism lists; by +default, the Postfix SMTP client will use the intersection of the +two. smtp_sasl_mechanism_filter specifies an optional third mechanism +list to intersect with.

    + +

    Specify mechanism names, "/file/name" patterns or "type:table" +lookup tables. The right-hand side result from "type:table" lookups +is ignored. Specify "!pattern" to exclude a mechanism name from the +list. The form "!/file/name" is supported only in Postfix version +2.4 and later.

    + +

    This feature is available in Postfix 2.2 and later.

    + +

    +Examples: +

    + +
    +smtp_sasl_mechanism_filter = plain, login
    +smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    +smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
    +
    + +%PARAM smtp_send_xforward_command no + +

    +Send the non-standard XFORWARD command when the Postfix SMTP server +EHLO response announces XFORWARD support. +

    + +

    +This allows a Postfix SMTP delivery agent, used for injecting mail +into +a content filter, to forward the name, address, protocol and HELO +name of the original client to the content filter and downstream +queuing SMTP server. This can produce more useful logging than +localhost[127.0.0.1] etc. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtp_skip_4xx_greeting yes + +

    +Skip SMTP servers that greet with a 4XX status code (go away, try +again later). +

    + +

    +By default, the Postfix SMTP client moves on the next mail exchanger. +Specify +"smtp_skip_4xx_greeting = no" if Postfix should defer delivery +immediately. +

    + +

    This feature is available in Postfix 2.0 and earlier. +Later Postfix versions always skip remote SMTP servers that greet +with a +4XX status code.

    + +%PARAM smtp_skip_5xx_greeting yes + +

    +Skip remote SMTP servers that greet with a 5XX status code. +

    + +

    By default, the Postfix SMTP client moves on the next mail +exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should +bounce the mail immediately. Caution: the latter behavior appears +to contradict RFC 2821.

    + +%PARAM smtp_skip_quit_response yes + +

    +Do not wait for the response to the SMTP QUIT command. +

    + +%PARAM smtp_xforward_timeout 300s + +

    +The Postfix SMTP client time limit for sending the XFORWARD command, +and for receiving the remote SMTP server response. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM authorized_verp_clients $mynetworks + +

    What remote SMTP clients are allowed to specify the XVERP command. +This command requests that mail be delivered one recipient at a +time with a per recipient return address.

    + +

    By default, only trusted clients are allowed to specify XVERP. +

    + +

    This parameter was introduced with Postfix version 1.1. Postfix +version 2.1 renamed this parameter to smtpd_authorized_verp_clients +and changed the default to none.

    + +

    Specify a list of network/netmask patterns, separated by commas +and/or whitespace. The mask specifies the number of bits in the +network part of a host address. You can also specify hostnames or +.domain names (the initial dot causes the domain to match any name +below it), "/file/name" or "type:table" patterns. A "/file/name" +pattern is replaced by its contents; a "type:table" lookup table +is matched when a table entry matches a lookup string (the lookup +result is ignored). Continue long lines by starting the next line +with whitespace. Specify "!pattern" to exclude an address or network +block from the list. The form "!/file/name" is supported only in +Postfix version 2.4 and later.

    + +

    Note: IP version 6 address information must be specified inside +[] in the authorized_verp_clients value, and in files +specified with "/file/name". IP version 6 addresses contain the +":" character, and would otherwise be confused with a "type:table" +pattern.

    + +%PARAM smtpd_authorized_verp_clients $authorized_verp_clients + +

    What remote SMTP clients are allowed to specify the XVERP command. +This command requests that mail be delivered one recipient at a +time with a per recipient return address.

    + +

    By default, no clients are allowed to specify XVERP.

    + +

    This parameter was renamed with Postfix version 2.1. The default value +is backwards compatible with Postfix version 2.0.

    + +

    Specify a list of network/netmask patterns, separated by commas +and/or whitespace. The mask specifies the number of bits in the +network part of a host address. You can also specify hostnames or +.domain names (the initial dot causes the domain to match any name +below it), "/file/name" or "type:table" patterns. A "/file/name" +pattern is replaced by its contents; a "type:table" lookup table +is matched when a table entry matches a lookup string (the lookup +result is ignored). Continue long lines by starting the next line +with whitespace. Specify "!pattern" to exclude an address or network +block from the list. The form "!/file/name" is supported only in +Postfix version 2.4 and later.

    + +

    Note: IP version 6 address information must be specified inside +[] in the smtpd_authorized_verp_clients value, and in +files specified with "/file/name". IP version 6 addresses contain +the ":" character, and would otherwise be confused with a "type:table" +pattern.

    + +%PARAM smtpd_authorized_xclient_hosts + +

    +What remote SMTP clients are allowed to use the XCLIENT feature. This +command overrides remote SMTP client information that is used for access +control. Typical use is for SMTP-based content filters, fetchmail-like +programs, or SMTP server access rule testing. See the XCLIENT_README +document for details. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +

    +By default, no clients are allowed to specify XCLIENT. +

    + +

    +Specify a list of network/netmask patterns, separated by commas +and/or whitespace. The mask specifies the number of bits in the +network part of a host address. You can also specify hostnames or +.domain names (the initial dot causes the domain to match any name +below it), "/file/name" or "type:table" patterns. A "/file/name" +pattern is replaced by its contents; a "type:table" lookup table +is matched when a table entry matches a lookup string (the lookup +result is ignored). Continue long lines by starting the next line +with whitespace. Specify "!pattern" to exclude an address or network +block from the list. The form "!/file/name" is supported only in +Postfix version 2.4 and later.

    + +

    Note: IP version 6 address information must be specified inside +[] in the smtpd_authorized_xclient_hosts value, and in +files specified with "/file/name". IP version 6 addresses contain +the ":" character, and would otherwise be confused with a "type:table" +pattern.

    + +%PARAM smtpd_authorized_xforward_hosts + +

    +What remote SMTP clients are allowed to use the XFORWARD feature. This +command forwards information that is used to improve logging after +SMTP-based content filters. See the XFORWARD_README document for +details. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +

    +By default, no clients are allowed to specify XFORWARD. +

    + +

    +Specify a list of network/netmask patterns, separated by commas +and/or whitespace. The mask specifies the number of bits in the +network part of a host address. You can also specify hostnames or +.domain names (the initial dot causes the domain to match any name +below it), "/file/name" or "type:table" patterns. A "/file/name" +pattern is replaced by its contents; a "type:table" lookup table +is matched when a table entry matches a lookup string (the lookup +result is ignored). Continue long lines by starting the next line +with whitespace. Specify "!pattern" to exclude an address or network +block from the list. The form "!/file/name" is supported only in +Postfix version 2.4 and later.

    + +

    Note: IP version 6 address information must be specified inside +[] in the smtpd_authorized_xforward_hosts value, and in +files specified with "/file/name". IP version 6 addresses contain +the ":" character, and would otherwise be confused with a "type:table" +pattern.

    + +%PARAM smtpd_banner $myhostname ESMTP $mail_name + +

    +The text that follows the 220 status code in the SMTP greeting +banner. Some people like to see the mail version advertised. By +default, Postfix shows no version. +

    + +

    +You MUST specify $myhostname at the start of the text. This is +required by the SMTP protocol. +

    + +

    +Example: +

    + +
    +smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    +
    + +%PARAM smtpd_client_connection_count_limit 50 + +

    +How many simultaneous connections any client is allowed to +make to this service. By default, the limit is set to half +the default process limit value. +

    + +

    +To disable this feature, specify a limit of 0. +

    + +

    +WARNING: The purpose of this feature is to limit abuse. It must +not be used to regulate legitimate mail traffic. +

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +%PARAM smtpd_client_event_limit_exceptions $mynetworks + +

    +Clients that are excluded from smtpd_client_*_count/rate_limit +restrictions. See the mynetworks parameter +description for the parameter value syntax. +

    + +

    +By default, clients in trusted networks are excluded. Specify a +list of network blocks, hostnames or .domain names (the initial +dot causes the domain to match any name below it). +

    + +

    Note: IP version 6 address information must be specified inside +[] in the smtpd_client_event_limit_exceptions value, and +in files specified with "/file/name". IP version 6 addresses +contain the ":" character, and would otherwise be confused with a +"type:table" pattern.

    + +

    Pattern matching of domain names is controlled by the presence +or absence of "smtpd_client_event_limit_exceptions" in the +parent_domain_matches_subdomains parameter value (Postfix 3.0 and +later).

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +%PARAM smtpd_client_connection_rate_limit 0 + +

    +The maximal number of connection attempts any client is allowed to +make to this service per time unit. The time unit is specified +with the anvil_rate_time_unit configuration parameter. +

    + +

    +By default, a client can make as many connections per time unit as +Postfix can accept. +

    + +

    +To disable this feature, specify a limit of 0. +

    + +

    +WARNING: The purpose of this feature is to limit abuse. It must +not be used to regulate legitimate mail traffic. +

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +

    +Example: +

    + +
    +smtpd_client_connection_rate_limit = 1000
    +
    + +%PARAM smtpd_client_message_rate_limit 0 + +

    +The maximal number of message delivery requests that any client is +allowed to make to this service per time unit, regardless of whether +or not Postfix actually accepts those messages. The time unit is +specified with the anvil_rate_time_unit configuration parameter. +

    + +

    +By default, a client can send as many message delivery requests +per time unit as Postfix can accept. +

    + +

    +To disable this feature, specify a limit of 0. +

    + +

    +WARNING: The purpose of this feature is to limit abuse. It must +not be used to regulate legitimate mail traffic. +

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +

    +Example: +

    + +
    +smtpd_client_message_rate_limit = 1000
    +
    + +%PARAM smtpd_client_recipient_rate_limit 0 + +

    +The maximal number of recipient addresses that any client is allowed +to send to this service per time unit, regardless of whether or not +Postfix actually accepts those recipients. The time unit is specified +with the anvil_rate_time_unit configuration parameter. +

    + +

    +By default, a client can send as many recipient addresses per time +unit as Postfix can accept. +

    + +

    +To disable this feature, specify a limit of 0. +

    + +

    +WARNING: The purpose of this feature is to limit abuse. It must +not be used to regulate legitimate mail traffic. +

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +

    +Example: +

    + +
    +smtpd_client_recipient_rate_limit = 1000
    +
    + +%PARAM smtpd_client_new_tls_session_rate_limit 0 + +

    +The maximal number of new (i.e., uncached) TLS sessions that a +remote SMTP client is allowed to negotiate with this service per +time unit. The time unit is specified with the anvil_rate_time_unit +configuration parameter. +

    + +

    +By default, a remote SMTP client can negotiate as many new TLS +sessions per time unit as Postfix can accept. +

    + +

    +To disable this feature, specify a limit of 0. Otherwise, specify +a limit that is at least the per-client concurrent session limit, +or else legitimate client sessions may be rejected. +

    + +

    +WARNING: The purpose of this feature is to limit abuse. It must +not be used to regulate legitimate mail traffic. +

    + +

    +This feature is available in Postfix 2.3 and later. +

    + +

    +Example: +

    + +
    +smtpd_client_new_tls_session_rate_limit = 100
    +
    + +%PARAM smtpd_client_auth_rate_limit 0 + +

    +The maximal number of AUTH commands that any client is allowed to +send to this service per time unit, regardless of whether or not +Postfix actually accepts those commands. The time unit is specified +with the anvil_rate_time_unit configuration parameter. +

    + +

    +By default, there is no limit on the number of AUTH commands that a +client may send. +

    + +

    +To disable this feature, specify a limit of 0. +

    + +

    +WARNING: The purpose of this feature is to limit abuse. It must +not be used to regulate legitimate mail traffic. +

    + +

    +This feature is available in Postfix 3.1 and later. +

    + +%PARAM smtpd_client_restrictions + +

    +Optional restrictions that the Postfix SMTP server applies in the +context of a client connection request. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    +The default is to allow all connection requests. +

    + +

    +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +Restrictions are applied in the order as specified; the first +restriction that matches wins. +

    + +

    +The following restrictions are specific to client hostname or +client network address information. +

    + +
    + +
    check_ccert_access type:table
    + +
    By default use the remote SMTP client certificate fingerprint +or the public key +fingerprint (Postfix 2.9 and later) as the lookup key for the specified +access(5) database; with Postfix version 2.2, also require that the +remote SMTP client certificate is verified successfully. +The fingerprint digest algorithm is configurable via the +smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to +Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert += yes" and is available with Postfix version +2.2 and later.
    + +
    The default algorithm is sha256 with Postfix ≥ 3.6 +and the compatibility_level set to 3.6 or higher. With Postfix +≤ 3.5, the default algorithm is md5. The best-practice +algorithm is now sha256. Recent advances in hash function +cryptanalysis have led to md5 and sha1 being deprecated in favor of +sha256. However, as long as there are no known "second pre-image" +attacks against the older algorithms, their use in this context, though +not recommended, is still likely safe.
    + +
    Alternatively, check_ccert_access accepts an explicit search +order (Postfix 3.5 and later). The default search order as described +above corresponds with:
    + +
    check_ccert_access { type:table, { search_order = cert_fingerprint, +pubkey_fingerprint } }
    + +
    The commas are optional.
    + +
    check_client_access type:table
    + +
    Search the specified access database for the client hostname, +parent domains, client IP address, or networks obtained by stripping +least significant octets. See the access(5) manual page for details.
    + +
    check_client_a_access type:table
    + +
    Search the specified access(5) database for the IP addresses for the +client hostname, and execute the corresponding action. Note: a result +of "OK" is not allowed for safety reasons. Instead, use DUNNO in order +to exclude specific hosts from denylists. This feature is available +in Postfix 3.0 and later.
    + +
    check_client_mx_access type:table
    + +
    Search the specified access(5) database for the MX hosts for the +client hostname, and execute the corresponding action. If no MX +record is found, look up A or AAAA records, just like the Postfix +SMTP client would. Note: a result +of "OK" is not allowed for safety reasons. Instead, use DUNNO in order +to exclude specific hosts from denylists. This feature is available +in Postfix 2.7 and later.
    + +
    check_client_ns_access type:table
    + +
    Search the specified access(5) database for the DNS servers for +the client hostname, and execute the corresponding action. Note: a +result of "OK" is not allowed for safety reasons. Instead, use DUNNO +in order to exclude specific hosts from denylists. This feature is +available in Postfix 2.7 and later.
    + +
    check_reverse_client_hostname_access type:table
    + +
    Search the specified access database for the unverified reverse +client hostname, parent domains, client IP address, or networks +obtained by stripping least significant octets. See the access(5) +manual page for details. Note: a result of "OK" is not allowed for +safety reasons. Instead, use DUNNO in order to exclude specific +hosts from denylists. This feature is available in Postfix 2.6 +and later.
    + +
    check_reverse_client_hostname_a_access type:table
    + +
    Search the specified access(5) database for the IP addresses for the +unverified reverse client hostname, and execute the corresponding +action. Note: a result of "OK" is not allowed for safety reasons. +Instead, use DUNNO in order to exclude specific hosts from denylists. +This feature is available in Postfix 3.0 and later.
    + +
    check_reverse_client_hostname_mx_access type:table
    + +
    Search the specified access(5) database for the MX hosts for the +unverified reverse client hostname, and execute the corresponding +action. If no MX record is found, look up A or AAAA records, just +like the Postfix SMTP client would. +Note: a result of "OK" is not allowed for safety reasons. +Instead, use DUNNO in order to exclude specific hosts from denylists. +This feature is available in Postfix 2.7 and later.
    + +
    check_reverse_client_hostname_ns_access type:table
    + +
    Search the specified access(5) database for the DNS servers for +the unverified reverse client hostname, and execute the corresponding +action. Note: a result of "OK" is not allowed for safety reasons. +Instead, use DUNNO in order to exclude specific hosts from denylists. +This feature is available in Postfix 2.7 and later.
    + +
    check_sasl_access type:table
    + +
    Use the remote SMTP client SASL user name as the lookup key for +the specified access(5) database. The lookup key has the form +"username@domainname" when the smtpd_sasl_local_domain parameter +value is non-empty. Unlike the check_client_access feature, +check_sasl_access does not perform matches of parent domains or IP +subnet ranges. This feature is available with Postfix version 2.11 +and later.
    + +
    permit_inet_interfaces
    + +
    Permit the request when the client IP address matches +$inet_interfaces.
    + +
    permit_mynetworks
    + +
    Permit the request when the client IP address matches any +network or network address listed in $mynetworks.
    + +
    permit_sasl_authenticated
    + +
    Permit the request when the client is successfully +authenticated via the RFC 4954 (AUTH) protocol.
    + + +
    permit_tls_all_clientcerts
    + +
    Permit the request when the remote SMTP client certificate is +verified successfully. This option must be used only if a special +CA issues the certificates and only this CA is listed as a trusted +CA. Otherwise, clients with a third-party certificate would also +be allowed to relay. Specify "tls_append_default_CA = no" when the +trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, +to prevent Postfix from appending the system-supplied default CAs. +This feature requires "smtpd_tls_ask_ccert = yes" and is available +with Postfix version 2.2 and later.
    + +
    permit_tls_clientcerts
    + +
    Permit the request when the remote SMTP client certificate +fingerprint or public key fingerprint (Postfix 2.9 and later) is +listed in $relay_clientcerts. +The fingerprint digest algorithm is configurable via the +smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to +Postfix version 2.5). This feature requires "smtpd_tls_ask_ccert += yes" and is available with Postfix version 2.2 and later.
    + +
    The default algorithm is sha256 with Postfix ≥ 3.6 +and the compatibility_level set to 3.6 or higher. With Postfix +≤ 3.5, the default algorithm is md5. The best-practice +algorithm is now sha256. Recent advances in hash function +cryptanalysis have led to md5 and sha1 being deprecated in favor of +sha256. However, as long as there are no known "second pre-image" +attacks against the older algorithms, their use in this context, though +not recommended, is still likely safe.
    + +
    reject_rbl_client rbl_domain=d.d.d.d
    + +
    Reject the request when the reversed client network address is +listed with the A record "d.d.d.d" under rbl_domain +(Postfix version 2.1 and later only). Each "d" is a number, +or a pattern inside "[]" that contains one or more ";"-separated +numbers or number..number ranges (Postfix version 2.8 and later). +If no "=d.d.d.d" is specified, reject the request when the +reversed client network address is listed with any A record under +rbl_domain.
    +The maps_rbl_reject_code parameter specifies the response code for +rejected requests (default: 554), the default_rbl_reply parameter +specifies the default server reply, and the rbl_reply_maps parameter +specifies tables with server replies indexed by rbl_domain. +This feature is available in Postfix 2.0 and later.
    + +
    permit_dnswl_client dnswl_domain=d.d.d.d
    + +
    Accept the request when the reversed client network address is +listed with the A record "d.d.d.d" under dnswl_domain. +Each "d" is a number, or a pattern inside "[]" that contains +one or more ";"-separated numbers or number..number ranges. +If no "=d.d.d.d" is specified, accept the request when the +reversed client network address is listed with any A record under +dnswl_domain.
    For safety, permit_dnswl_client is silently +ignored when it would override reject_unauth_destination. The +result is DEFER_IF_REJECT when allowlist lookup fails. This feature +is available in Postfix 2.8 and later.
    + +
    reject_rhsbl_client rbl_domain=d.d.d.d
    + +
    Reject the request when the client hostname is listed with the +A record "d.d.d.d" under rbl_domain (Postfix version +2.1 and later only). Each "d" is a number, or a pattern +inside "[]" that contains one or more ";"-separated numbers or +number..number ranges (Postfix version 2.8 and later). If no +"=d.d.d.d" is specified, reject the request when the client +hostname is listed with +any A record under rbl_domain. See the reject_rbl_client +description above for additional RBL related configuration parameters. +This feature is available in Postfix 2.0 and later; with Postfix +version 2.8 and later, reject_rhsbl_reverse_client will usually +produce better results.
    + +
    permit_rhswl_client rhswl_domain=d.d.d.d
    + +
    Accept the request when the client hostname is listed with the +A record "d.d.d.d" under rhswl_domain. Each "d" +is a number, or a pattern inside "[]" that contains one or more +";"-separated numbers or number..number ranges. If no +"=d.d.d.d" is specified, accept the request when the client +hostname is listed with any A record under rhswl_domain. +
    Caution: client name allowlisting is fragile, since the client +name lookup can fail due to temporary outages. Client name +allowlisting should be used only to reduce false positives in e.g. +DNS-based blocklists, and not for making access rule exceptions. +
    For safety, permit_rhswl_client is silently ignored when it +would override reject_unauth_destination. The result is DEFER_IF_REJECT +when allowlist lookup fails. This feature is available in Postfix +2.8 and later.
    + +
    reject_rhsbl_reverse_client rbl_domain=d.d.d.d
    + +
    Reject the request when the unverified reverse client hostname +is listed with the A record "d.d.d.d" under rbl_domain. +Each "d" is a number, or a pattern inside "[]" that contains +one or more ";"-separated numbers or number..number ranges. +If no "=d.d.d.d" is specified, reject the request when the +unverified reverse client hostname is listed with any A record under +rbl_domain. See the reject_rbl_client description above for +additional RBL related configuration parameters. This feature is +available in Postfix 2.8 and later.
    + +
    reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    + +
    Reject the request when 1) the client IP address->name mapping +fails, or 2) the name->address mapping fails, or 3) the name->address +mapping does not match the client IP address.
    This is a +stronger restriction than the reject_unknown_reverse_client_hostname +feature, which triggers only under condition 1) above.
    The +unknown_client_reject_code parameter specifies the response code +for rejected requests (default: 450). The reply is always 450 in +case the address->name or name->address lookup failed due to +a temporary problem.
    + +
    reject_unknown_reverse_client_hostname
    + +
    Reject the request when the client IP address has no address->name +mapping.
    This is a weaker restriction than the +reject_unknown_client_hostname feature, which requires not only +that the address->name and name->address mappings exist, but +also that the two mappings reproduce the client IP address.
    +The unknown_client_reject_code parameter specifies the response +code for rejected requests (default: 450). The reply is always 450 +in case the address->name lookup failed due to a temporary +problem.
    This feature is available in Postfix 2.3 and +later.
    + +#
    reject_unknown_forward_client_hostname
    +# +#
    Reject the request when the client IP address has no address->name +#or name ->address mapping.
    This is a weaker restriction +#than the reject_unknown_client_hostname feature, which requires not +#only that the address->name and name->address mappings exist, +#but also that the two mappings reproduce the client IP address. +#
    The unknown_client_reject_code parameter specifies the response +#code for rejected requests (default: 450). The reply is always 450 +#in case the address->name or name ->address lookup failed due +#to a temporary problem.
    This feature is available in Postfix +#version 2.3 and later.
    + +
    + +

    +In addition, you can use any of the following +generic restrictions. These restrictions are applicable in +any SMTP command context. +

    + +
    + +
    check_policy_service servername
    + +
    Query the specified policy server. See the SMTPD_POLICY_README +document for details. This feature is available in Postfix 2.1 +and later.
    + +
    defer
    + +
    Defer the request. The client is told to try again later. This +restriction is useful at the end of a restriction list, to make +the default policy explicit.
    The defer_code parameter specifies +the SMTP server reply code (default: 450).
    + +
    defer_if_permit
    + +
    Defer the request if some later restriction would result in an +explicit or implicit PERMIT action. This is useful when a denylisting +feature fails due to a temporary problem. This feature is available +in Postfix version 2.1 and later.
    + +
    defer_if_reject
    + +
    Defer the request if some later restriction would result in a +REJECT action. This is useful when an allowlisting feature fails +due to a temporary problem. This feature is available in Postfix +version 2.1 and later.
    + +
    permit
    + +
    Permit the request. This restriction is useful at the end of +a restriction list, to make the default policy explicit.
    + +
    reject_multi_recipient_bounce
    + +
    Reject the request when the envelope sender is the null address, +and the message has multiple envelope recipients. This usage has +rare but legitimate applications: under certain conditions, +multi-recipient mail that was posted with the DSN option NOTIFY=NEVER +may be forwarded with the null sender address. +
    Note: this restriction can only work reliably +when used in smtpd_data_restrictions or +smtpd_end_of_data_restrictions, because the total number of +recipients is not known at an earlier stage of the SMTP conversation. +Use at the RCPT stage will only reject the second etc. recipient. +
    +The multi_recipient_bounce_reject_code parameter specifies the +response code for rejected requests (default: 550). This feature +is available in Postfix 2.1 and later.
    + +
    reject_plaintext_session
    + +
    Reject the request when the connection is not encrypted. This +restriction should not be used before the client has had a chance +to negotiate encryption with the AUTH or STARTTLS commands. +
    +The plaintext_reject_code parameter specifies the response +code for rejected requests (default: 450). This feature is available +in Postfix 2.3 and later.
    + +
    reject_unauth_pipelining
    + +
    Reject the request when the client sends SMTP commands ahead +of time where it is not allowed, or when the client sends SMTP +commands ahead of time without knowing that Postfix actually supports +ESMTP command pipelining. This stops mail from bulk mail software +that improperly uses ESMTP command pipelining in order to speed up +deliveries. +
    With Postfix 2.6 and later, the SMTP server sets a per-session +flag whenever it detects illegal pipelining, including pipelined +HELO or EHLO commands. The reject_unauth_pipelining feature simply +tests whether the flag was set at any point in time during the +session. +
    With older Postfix versions, reject_unauth_pipelining checks +the current status of the input read queue, and its usage is not +recommended in contexts other than smtpd_data_restrictions.
    + +
    reject
    + +
    Reject the request. This restriction is useful at the end of +a restriction list, to make the default policy explicit. The +reject_code configuration parameter specifies the response code for +rejected requests (default: 554).
    + +
    sleep seconds
    + +
    Pause for the specified number of seconds and proceed with +the next restriction in the list, if any. This may stop zombie +mail when used as: +
    +/etc/postfix/main.cf:
    +    smtpd_client_restrictions = 
    +        sleep 1, reject_unauth_pipelining
    +    smtpd_delay_reject = no
    +
    +This feature is available in Postfix 2.3.
    + +
    warn_if_reject
    + +
    A safety net for testing. When "warn_if_reject" is placed +before a reject-type restriction, access table query, or +check_policy_service query, this logs a "reject_warning" message +instead of rejecting a request (when a reject-type restriction fails +due to a temporary error, this logs a "reject_warning" message for +any implicit "defer_if_permit" actions that would normally prevent +mail from being accepted by some later access restriction). This +feature has no effect on defer_if_reject restrictions.
    + +
    + +

    +Other restrictions that are valid in this context: +

    + +
      + +
    • SMTP command specific restrictions that are described under +the smtpd_helo_restrictions, smtpd_sender_restrictions or +smtpd_recipient_restrictions parameters. When helo, sender or +recipient restrictions are listed under smtpd_client_restrictions, +they have effect only with "smtpd_delay_reject = yes", so that +$smtpd_client_restrictions is evaluated at the time of the RCPT TO +command. + +
    + +

    +Example: +

    + +
    +smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
    +
    + +%CLASS smtpd-tarpit Tarpit features + +

    +When a remote SMTP client makes errors, the Postfix SMTP server +can insert delays before responding. This can help to slow down +run-away software. The behavior is controlled by an error counter +that counts the number of errors within an SMTP session that a +client makes without delivering mail. +

    + +
      + +
    • When the error counter is less than $smtpd_soft_error_limit the +Postfix SMTP server replies immediately (Postfix version 2.0 and earlier +delay their 4xx or 5xx error response).

      + +
    • When the error counter reaches $smtpd_soft_error_limit, the Postfix +SMTP server delays all its responses.

      + +
    • When the error counter reaches $smtpd_hard_error_limit the Postfix +SMTP server breaks the connection.

      + +
    + +%PARAM smtpd_error_sleep_time 1s + +

    With Postfix version 2.1 and later: the SMTP server response delay after +a client has made more than $smtpd_soft_error_limit errors, and +fewer than $smtpd_hard_error_limit errors, without delivering mail. +

    + +

    With Postfix version 2.0 and earlier: the SMTP server delay +before sending a reject (4xx or 5xx) response, when the client has +made fewer than $smtpd_soft_error_limit errors without delivering +mail. When the client has made $smtpd_soft_error_limit or more errors, +delay all responses with the larger of (number of errors) seconds +or $smtpd_error_sleep_time.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM smtpd_soft_error_limit 10 + +

    +The number of errors a remote SMTP client is allowed to make without +delivering mail before the Postfix SMTP server slows down all its +responses. +

    + +
      + +
    • With Postfix version 2.1 and later, when the error count +is > $smtpd_soft_error_limit, the Postfix SMTP server +delays all responses by $smtpd_error_sleep_time.

      + +
    • With Postfix versions 2.0 and earlier, when the error count +is > $smtpd_soft_error_limit, the Postfix SMTP server delays all +responses by the larger of (number of errors) seconds or +$smtpd_error_sleep_time.

      + +
    • With Postfix versions 2.0 and earlier, when the error count +is ≤ $smtpd_soft_error_limit, the Postfix SMTP server delays 4XX +and 5XX responses by $smtpd_error_sleep_time.

      + +
    + +%PARAM smtpd_hard_error_limit normal: 20, overload: 1 + +

    +The maximal number of errors a remote SMTP client is allowed to +make without delivering mail. The Postfix SMTP server disconnects +when the limit is reached. Normally the default limit is 20, but +it changes under overload to just 1. With Postfix 2.5 and earlier, +the SMTP server always allows up to 20 errors by default. +Valid values are greater than zero. + +

    + +%PARAM smtpd_junk_command_limit normal: 100, overload: 1 + +

    +The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote +SMTP client can send before the Postfix SMTP server starts to +increment the error counter with each junk command. The junk +command count is reset after mail is delivered. See also the +smtpd_error_sleep_time and smtpd_soft_error_limit configuration +parameters. Normally the default limit is 100, but it changes under +overload to just 1. With Postfix 2.5 and earlier, the SMTP server +always allows up to 100 junk commands by default.

    + +%PARAM smtpd_recipient_overshoot_limit 1000 + +

    The number of recipients that a remote SMTP client can send in +excess of the limit specified with $smtpd_recipient_limit, before +the Postfix SMTP server increments the per-session error count +for each excess recipient.

    + +%PARAM smtpd_etrn_restrictions + +

    +Optional restrictions that the Postfix SMTP server applies in the +context of a client ETRN command. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    +The Postfix ETRN implementation accepts only destinations that are +eligible for the Postfix "fast flush" service. See the ETRN_README +file for details. +

    + +

    +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +Restrictions are applied in the order as specified; the first +restriction that matches wins. +

    + +

    +The following restrictions are specific to the domain name information +received with the ETRN command. +

    + +
    + +
    check_etrn_access type:table
    + +
    Search the specified access database for the ETRN domain name +or its parent domains. See the access(5) manual page for details. +
    + +
    + +

    +Other restrictions that are valid in this context: +

    + +
      + +
    • Generic restrictions that can be used +in any SMTP command context, described under smtpd_client_restrictions. + +
    • SMTP command specific restrictions described under +smtpd_client_restrictions and smtpd_helo_restrictions. + +
    + +

    +Example: +

    + +
    +smtpd_etrn_restrictions = permit_mynetworks, reject
    +
    + +%PARAM smtpd_expansion_filter see "postconf -d" output + +

    +What characters are allowed in $name expansions of RBL reply +templates. Characters not in the allowed set are replaced by "_". +Use C like escapes to specify special characters such as whitespace. +

    + +

    +The smtpd_expansion_filter value is not subject to Postfix configuration +parameter $name expansion. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM smtpd_forbidden_commands CONNECT GET POST regexp:{{/^[^A-Z]/ Bogus}} + +

    +List of commands that cause the Postfix SMTP server to immediately +terminate the session with a 221 code. This can be used to disconnect +clients that obviously attempt to abuse the system. In addition to the +commands listed in this parameter, commands that follow the "Label:" +format of message headers will also cause a disconnect. With Postfix +versions 3.6 and earlier, the default value is "CONNECT GET POST". +

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +

    +Support for inline regular expressions was added in Postfix version +3.7. See regexp_table(5) for a description of the syntax and features. +

    + +%PARAM smtpd_helo_required no + +

    +Require that a remote SMTP client introduces itself with the HELO +or EHLO command before sending the MAIL command or other commands +that require EHLO negotiation. +

    + +

    +Example: +

    + +
    +smtpd_helo_required = yes
    +
    + +%PARAM smtpd_helo_restrictions + +

    +Optional restrictions that the Postfix SMTP server applies in the +context of a client HELO command. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    +The default is to permit everything. +

    + +

    Note: specify "smtpd_helo_required = yes" to fully enforce this +restriction (without "smtpd_helo_required = yes", a client can +simply skip smtpd_helo_restrictions by not sending HELO or EHLO). +

    + +

    +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +Restrictions are applied in the order as specified; the first +restriction that matches wins. +

    + +

    +The following restrictions are specific to the hostname information +received with the HELO or EHLO command. +

    + +
    + +
    check_helo_access type:table
    + +
    Search the specified access(5) database for the HELO or EHLO +hostname or parent domains, and execute the corresponding action. +Note: specify "smtpd_helo_required = yes" to fully enforce this +restriction (without "smtpd_helo_required = yes", a client can +simply skip check_helo_access by not sending HELO or EHLO).
    + +
    check_helo_a_access type:table
    + +
    Search the specified access(5) database for the IP addresses for +the HELO or EHLO hostname, and execute the corresponding action. +Note 1: a result of "OK" is not allowed for safety reasons. Instead, +use DUNNO in order to exclude specific hosts from denylists. Note +2: specify "smtpd_helo_required = yes" to fully enforce this +restriction (without "smtpd_helo_required = yes", a client can +simply skip check_helo_a_access by not sending HELO or EHLO). This +feature is available in Postfix 3.0 and later. +
    + +
    check_helo_mx_access type:table
    + +
    Search the specified access(5) database for the MX hosts for +the HELO or EHLO hostname, and execute the corresponding action. +If no MX record is found, look up A or AAAA records, just like the +Postfix SMTP client would. +Note 1: a result of "OK" is not allowed for safety reasons. Instead, +use DUNNO in order to exclude specific hosts from denylists. Note +2: specify "smtpd_helo_required = yes" to fully enforce this +restriction (without "smtpd_helo_required = yes", a client can +simply skip check_helo_mx_access by not sending HELO or EHLO). This +feature is available in Postfix 2.1 and later. +
    + +
    check_helo_ns_access type:table
    + +
    Search the specified access(5) database for the DNS servers +for the HELO or EHLO hostname, and execute the corresponding action. +Note 1: a result of "OK" is not allowed for safety reasons. Instead, +use DUNNO in order to exclude specific hosts from denylists. Note +2: specify "smtpd_helo_required = yes" to fully enforce this +restriction (without "smtpd_helo_required = yes", a client can +simply skip check_helo_ns_access by not sending HELO or EHLO). This +feature is available in Postfix 2.1 and later. +
    + +
    reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
    + +
    Reject the request when the HELO or EHLO hostname is malformed. +Note: specify "smtpd_helo_required = yes" to fully enforce +this restriction (without "smtpd_helo_required = yes", a client can simply +skip reject_invalid_helo_hostname by not sending HELO or EHLO). +
    The invalid_hostname_reject_code specifies the response code +for rejected requests (default: 501).
    + +
    reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
    + +
    Reject the request when the HELO or EHLO hostname is not in +fully-qualified domain or address literal form, as required by the +RFC. Note: specify +"smtpd_helo_required = yes" to fully enforce this restriction +(without "smtpd_helo_required = yes", a client can simply skip +reject_non_fqdn_helo_hostname by not sending HELO or EHLO).
    +The non_fqdn_reject_code parameter specifies the response code for +rejected requests (default: 504).
    + +
    reject_rhsbl_helo rbl_domain=d.d.d.d
    + +
    Reject the request when the HELO or EHLO hostname is +listed with the A record "d.d.d.d" under rbl_domain +(Postfix version 2.1 and later only). Each "d" is a number, +or a pattern inside "[]" that contains one or more ";"-separated +numbers or number..number ranges (Postfix version 2.8 and later). +If no "=d.d.d.d" is +specified, reject the request when the HELO or EHLO hostname is +listed with any A record under rbl_domain. See the +reject_rbl_client description for additional RBL related configuration +parameters. Note: specify "smtpd_helo_required = yes" to fully +enforce this restriction (without "smtpd_helo_required = yes", a +client can simply skip reject_rhsbl_helo by not sending HELO or +EHLO). This feature is available in Postfix 2.0 +and later.
    + +
    reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
    + +
    Reject the request when the HELO or EHLO hostname has no DNS A +or MX record.
    The reply is specified with the +unknown_hostname_reject_code parameter (default: 450) or +unknown_helo_hostname_tempfail_action (default: defer_if_permit). +See the respective parameter descriptions for details.
    +Note: specify "smtpd_helo_required = yes" to fully +enforce this restriction (without "smtpd_helo_required = yes", a +client can simply skip reject_unknown_helo_hostname by not sending +HELO or EHLO).
    + +
    + +

    +Other restrictions that are valid in this context: +

    + +
      + +
    • Generic restrictions that can be used +in any SMTP command context, described under smtpd_client_restrictions. + +
    • Client hostname or network address specific restrictions +described under smtpd_client_restrictions. + +
    • SMTP command specific restrictions described under +smtpd_sender_restrictions or smtpd_recipient_restrictions. When +sender or recipient restrictions are listed under smtpd_helo_restrictions, +they have effect only with "smtpd_delay_reject = yes", so that +$smtpd_helo_restrictions is evaluated at the time of the RCPT TO +command. + +
    + +

    +Examples: +

    + +
    +smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
    +smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
    +
    + +%PARAM smtpd_history_flush_threshold 100 + +

    +The maximal number of lines in the Postfix SMTP server command history +before it is flushed upon receipt of EHLO, RSET, or end of DATA. +

    + +%PARAM smtpd_noop_commands + +

    +List of commands that the Postfix SMTP server replies to with "250 +Ok", without doing any syntax checks and without changing state. +This list overrides any commands built into the Postfix SMTP server. +

    + +%PARAM smtpd_proxy_ehlo $myhostname + +

    +How the Postfix SMTP server announces itself to the proxy filter. +By default, the Postfix hostname is used. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtpd_proxy_options + +

    +List of options that control how the Postfix SMTP server +communicates with a before-queue content filter. Specify zero or +more of the following, separated by comma or whitespace.

    + +
    + +
    speed_adjust
    + +

    Do not connect to a before-queue content filter until an entire +message has been received. This reduces the number of simultaneous +before-queue content filter processes.

    + +

    NOTE 1: A filter must not selectively reject recipients +of a multi-recipient message. Rejecting all recipients is OK, as +is accepting all recipients.

    + +

    NOTE 2: This feature increases the minimum amount of free queue +space by $message_size_limit. The extra space is needed to save the +message to a temporary file.

    + +
    + +

    +This feature is available in Postfix 2.7 and later. +

    + +%CLASS smtpd-proxy SMTP Proxy filter + +

    +As of Postfix version 2.1, the SMTP server can forward all incoming +mail to a content filtering proxy server that inspects all mail +BEFORE it is stored in the Postfix mail queue. +

    + +

    +WARNING: the proxy filter must reply within a fixed deadline or +else the remote SMTP client times out and mail duplication happens. +This becomes a problem as mail load increases so that fewer and +fewer CPU cycles remain available to mead the fixed deadline. +

    + +%PARAM smtpd_proxy_filter + +

    The hostname and TCP port of the mail filtering proxy server. +The proxy receives all mail from the Postfix SMTP server, and is +supposed to give the result to another Postfix SMTP server process. +

    + +

    Specify "host:port" or "inet:host:port" for a TCP endpoint, or +"unix:pathname" for a UNIX-domain endpoint. The host can be specified +as an IP address or as a symbolic name; no MX lookups are done. +When no "host" or "host:" is specified, the local machine is +assumed. Pathname interpretation is relative to the Postfix queue +directory.

    + +

    This feature is available in Postfix 2.1 and later.

    + +

    The "inet:" and "unix:" prefixes are available in Postfix 2.3 +and later.

    + +%PARAM smtpd_proxy_timeout 100s + +

    +The time limit for connecting to a proxy filter and for sending or +receiving information. When a connection fails the client gets a +generic error message while more detailed information is logged to +the maillog file. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtpd_recipient_limit 1000 + +

    +The maximal number of recipients that the Postfix SMTP server +accepts per message delivery request. +

    + +%PARAM smtpd_recipient_restrictions see "postconf -d" output + +

    +Optional restrictions that the Postfix SMTP server applies in the +context of a client RCPT TO command, after smtpd_relay_restrictions. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    With Postfix versions before 2.10, the rules for relay permission +and spam blocking were combined under smtpd_recipient_restrictions, +resulting in error-prone configuration. As of Postfix 2.10, relay +permission rules are preferably implemented with smtpd_relay_restrictions, +so that a permissive spam blocking policy under +smtpd_recipient_restrictions will no longer result in a permissive +mail relay policy.

    + +

    For backwards compatibility, sites that migrate from Postfix +versions before 2.10 can set smtpd_relay_restrictions to the empty +value, and use smtpd_recipient_restrictions exactly as before.

    + +

    +IMPORTANT: Either the smtpd_relay_restrictions or the +smtpd_recipient_restrictions parameter must specify +at least one of the following restrictions. Otherwise Postfix will +refuse to receive mail: +

    + +
    +
    +reject, reject_unauth_destination
    +
    +
    + +
    +
    +defer, defer_if_permit, defer_unauth_destination
    +
    +
    + +

    +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +Restrictions are applied in the order as specified; the first +restriction that matches wins. +

    + +

    +The following restrictions are specific to the recipient address +that is received with the RCPT TO command. +

    + +
    + +
    check_recipient_access type:table
    + +
    Search the specified access(5) database for the resolved RCPT +TO address, domain, parent domains, or localpart@, and execute the +corresponding action.
    + +
    check_recipient_a_access type:table
    + +
    Search the specified access(5) database for the IP addresses for +the RCPT TO domain, and execute the corresponding action. Note: +a result of "OK" is not allowed for safety reasons. Instead, use +DUNNO in order to exclude specific hosts from denylists. This +feature is available in Postfix 3.0 and later.
    + +
    check_recipient_mx_access type:table
    + +
    Search the specified access(5) database for the MX hosts for +the RCPT TO domain, and execute the corresponding action. If no +MX record is found, look up A or AAAA records, just like the Postfix +SMTP client would. Note: +a result of "OK" is not allowed for safety reasons. Instead, use +DUNNO in order to exclude specific hosts from denylists. This +feature is available in Postfix 2.1 and later.
    + +
    check_recipient_ns_access type:table
    + +
    Search the specified access(5) database for the DNS servers +for the RCPT TO domain, and execute the corresponding action. +Note: a result of "OK" is not allowed for safety reasons. Instead, +use DUNNO in order to exclude specific hosts from denylists. This +feature is available in Postfix 2.1 and later.
    + +
    permit_auth_destination
    + +
    Permit the request when one of the following is true: + +
      + +
    • Postfix is a mail forwarder: the resolved RCPT TO domain matches +$relay_domains or a subdomain thereof, and the address contains no +sender-specified routing (user@elsewhere@domain), + +
    • Postfix is the final destination: the resolved RCPT TO domain +matches $mydestination, $inet_interfaces, $proxy_interfaces, +$virtual_alias_domains, or $virtual_mailbox_domains, and the address +contains no sender-specified routing (user@elsewhere@domain). + +
    + +
    permit_mx_backup
    + +
    Permit the request when the local mail system is a backup MX for +the RCPT TO domain, or when the domain is an authorized destination +(see permit_auth_destination for definition). + +
      + +
    • Safety: permit_mx_backup does not accept addresses that have +sender-specified routing information (example: user@elsewhere@domain). + +
    • Safety: permit_mx_backup can be vulnerable to mis-use when +access is not restricted with permit_mx_backup_networks. + +
    • Safety: as of Postfix version 2.3, permit_mx_backup no longer +accepts the address when the local mail system is a primary MX for +the recipient domain. Exception: permit_mx_backup accepts the address +when it specifies an authorized destination (see permit_auth_destination +for definition). + +
    • Limitation: mail may be rejected in case of a temporary DNS +lookup problem with Postfix prior to version 2.0. + +
    + +
    reject_non_fqdn_recipient
    + +
    Reject the request when the RCPT TO address specifies a +domain that is not in +fully-qualified domain form, as required by the RFC.
    The +non_fqdn_reject_code parameter specifies the response code for +rejected requests (default: 504).
    + +
    reject_rhsbl_recipient rbl_domain=d.d.d.d
    + +
    Reject the request when the RCPT TO domain is listed with the +A record "d.d.d.d" under rbl_domain (Postfix version +2.1 and later only). Each "d" is a number, or a pattern +inside "[]" that contains one or more ";"-separated numbers or +number..number ranges (Postfix version 2.8 and later). If no +"=d.d.d.d" is specified, reject +the request when the RCPT TO domain is listed with +any A record under rbl_domain.
    The maps_rbl_reject_code +parameter specifies the response code for rejected requests (default: +554); the default_rbl_reply parameter specifies the default server +reply; and the rbl_reply_maps parameter specifies tables with server +replies indexed by rbl_domain. This feature is available +in Postfix version 2.0 and later.
    + +
    reject_unauth_destination
    + +
    Reject the request unless one of the following is true: + +
      + +
    • Postfix is a mail forwarder: the resolved RCPT TO domain matches +$relay_domains or a subdomain thereof, and contains no sender-specified +routing (user@elsewhere@domain), + +
    • Postfix is the final destination: the resolved RCPT TO domain +matches $mydestination, $inet_interfaces, $proxy_interfaces, +$virtual_alias_domains, or $virtual_mailbox_domains, and contains +no sender-specified routing (user@elsewhere@domain). + +
    The relay_domains_reject_code parameter specifies the response +code for rejected requests (default: 554).
    + +
    defer_unauth_destination
    + +
    Reject the same requests as reject_unauth_destination, with a +non-permanent error code. This feature is available in Postfix +2.10 and later.
    + +
    reject_unknown_recipient_domain
    + +
    Reject the request when Postfix is not final destination for +the recipient domain, and the RCPT TO domain has 1) no DNS MX and +no DNS A +record or 2) a malformed MX record such as a record with +a zero-length MX hostname (Postfix version 2.3 and later).
    The +reply is specified with the unknown_address_reject_code parameter +(default: 450), unknown_address_tempfail_action (default: +defer_if_permit), or 556 (nullmx, Postfix 3.0 and +later). See the respective parameter descriptions for details. +
    + +
    reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
    + +
    Reject the request when the RCPT TO address is not listed in +the list of valid recipients for its domain class. See the +smtpd_reject_unlisted_recipient parameter description for details. +This feature is available in Postfix 2.1 and later.
    + +
    reject_unverified_recipient
    + +
    Reject the request when mail to the RCPT TO address is known +to bounce, or when the recipient address destination is not reachable. +Address verification information is managed by the verify(8) server; +see the ADDRESS_VERIFICATION_README file for details.
    The +unverified_recipient_reject_code parameter specifies the numerical +response code when an address is known to bounce (default: 450, +change it to 550 when you are confident that it is safe to do so). +
    The unverified_recipient_defer_code parameter specifies the +numerical response code when an address probe failed due to a +temporary problem (default: 450).
    The +unverified_recipient_tempfail_action parameter specifies the action +after address probe failure due to a temporary problem (default: +defer_if_permit).
    This feature breaks for aliased addresses +with "enable_original_recipient = no" (Postfix ≤ 3.2).
    +This feature is available in Postfix 2.1 and later.
    + +
    + +

    +Other restrictions that are valid in this context: +

    + +
      + +
    • Generic restrictions that can be used +in any SMTP command context, described under smtpd_client_restrictions. + +
    • SMTP command specific restrictions described under +smtpd_client_restrictions, smtpd_helo_restrictions and +smtpd_sender_restrictions. + +
    + +

    +Example: +

    + +
    +# The Postfix before 2.10 default mail relay policy. Later Postfix
    +# versions implement this preferably with smtpd_relay_restrictions.
    +smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    +
    + +%PARAM smtpd_relay_restrictions permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination + +

    Access restrictions for mail relay control that the Postfix +SMTP server applies in the context of the RCPT TO command, before +smtpd_recipient_restrictions. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    With Postfix versions before 2.10, the rules for relay permission +and spam blocking were combined under smtpd_recipient_restrictions, +resulting in error-prone configuration. As of Postfix 2.10, relay +permission rules are preferably implemented with smtpd_relay_restrictions, +so that a permissive spam blocking policy under +smtpd_recipient_restrictions will no longer result in a permissive +mail relay policy.

    + +

    For backwards compatibility, sites that migrate from Postfix +versions before 2.10 can set smtpd_relay_restrictions to the empty +value, and use smtpd_recipient_restrictions exactly as before.

    + +

    +By default, the Postfix SMTP server accepts: +

    + +
      + +
    • Mail from clients whose IP address matches $mynetworks, or: + +
    • Mail from clients who are SASL authenticated, or: + +
    • Mail to remote destinations that match $relay_domains, except +for addresses that contain sender-specified routing +(user@elsewhere@domain), or: + +
    • Mail to local destinations that match $inet_interfaces +or $proxy_interfaces, $mydestination, $virtual_alias_domains, or +$virtual_mailbox_domains. + +
    + +

    +IMPORTANT: Either the smtpd_relay_restrictions or the +smtpd_recipient_restrictions parameter must specify +at least one of the following restrictions. Otherwise Postfix will +refuse to receive mail: +

    + +
    +
    +reject, reject_unauth_destination
    +
    +
    + +
    +
    +defer, defer_if_permit, defer_unauth_destination
    +
    +
    + +

    +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +The same restrictions are available as documented under +smtpd_recipient_restrictions. +

    + +

    This feature is available in Postix 2.10 and later.

    + +%CLASS sasl-auth SASL Authentication + +

    +Postfix SASL support (RFC 4954) can be used to authenticate remote +SMTP clients to the Postfix SMTP server, and to authenticate the +Postfix SMTP client to a remote SMTP server. +See the SASL_README document for details. +

    + +%PARAM smtpd_sasl_auth_enable no + +

    +Enable SASL authentication in the Postfix SMTP server. By default, +the Postfix SMTP server does not use authentication. +

    + +

    +If a remote SMTP client is authenticated, the permit_sasl_authenticated +access restriction can be used to permit relay access, like this: +

    + +
    +
    +# With Postfix 2.10 and later, the mail relay policy is
    +# preferably specified under smtpd_relay_restrictions.
    +smtpd_relay_restrictions =
    +    permit_mynetworks, permit_sasl_authenticated, ...
    +
    + +
    +# With Postfix before 2.10, the relay policy can be
    +# specified only under smtpd_recipient_restrictions.
    +smtpd_recipient_restrictions =
    +    permit_mynetworks, permit_sasl_authenticated, ...
    +
    +
    + +

    To reject all SMTP connections from unauthenticated clients, +specify "smtpd_delay_reject = yes" (which is the default) and use: +

    + +
    +
    +smtpd_client_restrictions = permit_sasl_authenticated, reject
    +
    +
    + +

    +See the SASL_README file for SASL configuration and operation details. +

    + +%PARAM smtpd_sasl_authenticated_header no + +

    Report the SASL authenticated user name in the smtpd(8) Received +message header.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_sasl_exceptions_networks + +

    +What remote SMTP clients the Postfix SMTP server will not offer +AUTH support to. +

    + +

    +Some clients (Netscape 4 at least) have a bug that causes them to +require a login and password whenever AUTH is offered, whether it's +necessary or not. To work around this, specify, for example, +$mynetworks to prevent Postfix from offering AUTH to local clients. +

    + +

    +Specify a list of network/netmask patterns, separated by commas +and/or whitespace. The mask specifies the number of bits in the +network part of a host address. You can also specify "/file/name" or +"type:table" patterns. A "/file/name" pattern is replaced by its +contents; a "type:table" lookup table is matched when a table entry +matches a lookup string (the lookup result is ignored). Continue +long lines by starting the next line with whitespace. Specify +"!pattern" to exclude an address or network block from the list. +The form "!/file/name" is supported only in Postfix version 2.4 and +later.

    + +

    Note: IP version 6 address information must be specified inside +[] in the smtpd_sasl_exceptions_networks value, and in +files specified with "/file/name". IP version 6 addresses contain +the ":" character, and would otherwise be confused with a "type:table" +pattern.

    + +

    +Example: +

    + +
    +smtpd_sasl_exceptions_networks = $mynetworks
    +
    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtpd_sasl_local_domain + +

    +The name of the Postfix SMTP server's local SASL authentication +realm. +

    + +

    +By default, the local authentication realm name is the null string. +

    + +

    +Examples: +

    + +
    +smtpd_sasl_local_domain = $mydomain
    +smtpd_sasl_local_domain = $myhostname
    +
    + +%PARAM smtpd_sasl_security_options noanonymous + +

    Postfix SMTP server SASL security options; as of Postfix 2.3 +the list of available +features depends on the SASL server implementation that is selected +with smtpd_sasl_type.

    + +

    The following security features are defined for the cyrus +server SASL implementation:

    + +

    +Restrict what authentication mechanisms the Postfix SMTP server +will offer to the client. The list of available authentication +mechanisms is system dependent. +

    + +

    +Specify zero or more of the following: +

    + +
    + +
    noplaintext
    + +
    Disallow methods that use plaintext passwords.
    + +
    noactive
    + +
    Disallow methods subject to active (non-dictionary) attack.
    + +
    nodictionary
    + +
    Disallow methods subject to passive (dictionary) attack.
    + +
    noanonymous
    + +
    Disallow methods that allow anonymous authentication.
    + +
    forward_secrecy
    + +
    Only allow methods that support forward secrecy (Dovecot only). +
    + +
    mutual_auth
    + +
    Only allow methods that provide mutual authentication (not available +with Cyrus SASL version 1).
    + +
    + +

    +By default, the Postfix SMTP server accepts plaintext passwords but +not anonymous logins. +

    + +

    +Warning: it appears that clients try authentication methods in the +order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) +which means that if you disable plaintext passwords, clients will +log in anonymously, even when they should be able to use CRAM-MD5. +So, if you disable plaintext logins, disable anonymous logins too. +Postfix treats anonymous login as no authentication. +

    + +

    +Example: +

    + +
    +smtpd_sasl_security_options = noanonymous, noplaintext
    +
    + +%PARAM smtpd_sender_login_maps + +

    +Optional lookup table with the SASL login names that own the sender +(MAIL FROM) addresses. +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. With lookups from +indexed files such as DB or DBM, or from networked tables such as +NIS, LDAP or SQL, the following search operations are done with a +sender address of user@domain:

    + +
    + +
    1) user@domain
    + +
    This table lookup is always done and has the highest precedence.
    + +
    2) user
    + +
    This table lookup is done only when the domain part of the +sender address matches $myorigin, $mydestination, $inet_interfaces +or $proxy_interfaces.
    + +
    3) @domain
    + +
    This table lookup is done last and has the lowest precedence.
    + +
    + +

    +In all cases the result of table lookup must be either "not found" +or a list of SASL login names separated by comma and/or whitespace. +

    + +%PARAM smtpd_sender_restrictions + +

    +Optional restrictions that the Postfix SMTP server applies in the +context of a client MAIL FROM command. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    +The default is to permit everything. +

    + +

    +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +Restrictions are applied in the order as specified; the first +restriction that matches wins. +

    + +

    +The following restrictions are specific to the sender address +received with the MAIL FROM command. +

    + +
    + +
    check_sender_access type:table
    + +
    Search the specified access(5) database for the MAIL FROM +address, domain, parent domains, or localpart@, and execute the +corresponding action.
    + +
    check_sender_a_access type:table
    + +
    Search the specified access(5) database for the IP addresses for +the MAIL FROM domain, and execute the corresponding action. Note: +a result of "OK" is not allowed for safety reasons. Instead, use +DUNNO in order to exclude specific hosts from denylists. This +feature is available in Postfix 3.0 and later.
    + +
    check_sender_mx_access type:table
    + +
    Search the specified access(5) database for the MX hosts for +the MAIL FROM domain, and execute the corresponding action. If no +MX record is found, look up A or AAAA records, just like the Postfix +SMTP client would. Note: +a result of "OK" is not allowed for safety reasons. Instead, use +DUNNO in order to exclude specific hosts from denylists. This +feature is available in Postfix 2.1 and later.
    + +
    check_sender_ns_access type:table
    + +
    Search the specified access(5) database for the DNS servers +for the MAIL FROM domain, and execute the corresponding action. +Note: a result of "OK" is not allowed for safety reasons. Instead, +use DUNNO in order to exclude specific hosts from denylists. This +feature is available in Postfix 2.1 and later.
    + +
    reject_authenticated_sender_login_mismatch
    + +
    Enforces the reject_sender_login_mismatch restriction for +authenticated clients only. This feature is available in +Postfix version 2.1 and later.
    + +
    reject_known_sender_login_mismatch
    + +
    Apply the reject_sender_login_mismatch restriction only to MAIL +FROM addresses that are known in $smtpd_sender_login_maps. This +feature is available in Postfix version 2.11 and later.
    + +
    reject_non_fqdn_sender
    + +
    Reject the request when the MAIL FROM address specifies a +domain that is not in +fully-qualified domain form as required by the RFC.
    The +non_fqdn_reject_code parameter specifies the response code for +rejected requests (default: 504).
    + +
    reject_rhsbl_sender rbl_domain=d.d.d.d
    + +
    Reject the request when the MAIL FROM domain is listed with +the A record "d.d.d.d" under rbl_domain (Postfix +version 2.1 and later only). Each "d" is a number, or a +pattern inside "[]" that contains one or more ";"-separated numbers +or number..number ranges (Postfix version 2.8 and later). If no +"=d.d.d.d" is specified, +reject the request when the MAIL FROM domain is +listed with any A record under rbl_domain.
    The +maps_rbl_reject_code parameter specifies the response code for +rejected requests (default: 554); the default_rbl_reply parameter +specifies the default server reply; and the rbl_reply_maps parameter +specifies tables with server replies indexed by rbl_domain. +This feature is available in Postfix 2.0 and later.
    + +
    reject_sender_login_mismatch
    + +
    Reject the request when $smtpd_sender_login_maps specifies an +owner for the MAIL FROM address, but the client is not (SASL) logged +in as that MAIL FROM address owner; or when the client is (SASL) +logged in, but the client login name doesn't own the MAIL FROM +address according to $smtpd_sender_login_maps.
    + +
    reject_unauthenticated_sender_login_mismatch
    + +
    Enforces the reject_sender_login_mismatch restriction for +unauthenticated clients only. This feature is available in +Postfix version 2.1 and later.
    + +
    reject_unknown_sender_domain
    + +
    Reject the request when Postfix is not the final destination for +the sender address, and the MAIL FROM domain has 1) no DNS MX and +no DNS A +record, or 2) a malformed MX record such as a record with +a zero-length MX hostname (Postfix version 2.3 and later).
    The +reply is specified with the unknown_address_reject_code parameter +(default: 450), unknown_address_tempfail_action (default: +defer_if_permit), or 550 (nullmx, Postfix 3.0 and +later). See the respective parameter descriptions for details. +
    + +
    reject_unlisted_sender
    + +
    Reject the request when the MAIL FROM address is not listed in +the list of valid recipients for its domain class. See the +smtpd_reject_unlisted_sender parameter description for details. +This feature is available in Postfix 2.1 and later.
    + +
    reject_unverified_sender
    + +
    Reject the request when mail to the MAIL FROM address is known to +bounce, or when the sender address destination is not reachable. +Address verification information is managed by the verify(8) server; +see the ADDRESS_VERIFICATION_README file for details.
    The +unverified_sender_reject_code parameter specifies the numerical +response code when an address is known to bounce (default: 450, +change into 550 when you are confident that it is safe to do so). +
    The unverified_sender_defer_code specifies the numerical response +code when an address probe failed due to a temporary problem +(default: 450).
    The unverified_sender_tempfail_action parameter +specifies the action after address probe failure due to a temporary +problem (default: defer_if_permit).
    This feature breaks for +aliased addresses with "enable_original_recipient = no" (Postfix +≤ 3.2).
    This feature is available in Postfix 2.1 and later. +
    + +
    + +

    +Other restrictions that are valid in this context: +

    + +
      + +
    • Generic restrictions that can be used +in any SMTP command context, described under smtpd_client_restrictions. + +
    • SMTP command specific restrictions described under +smtpd_client_restrictions and smtpd_helo_restrictions. + +
    • SMTP command specific restrictions described under +smtpd_recipient_restrictions. When recipient restrictions are listed +under smtpd_sender_restrictions, they have effect only with +"smtpd_delay_reject = yes", so that $smtpd_sender_restrictions is +evaluated at the time of the RCPT TO command. + +
    + +

    +Examples: +

    + +
    +smtpd_sender_restrictions = reject_unknown_sender_domain
    +smtpd_sender_restrictions = reject_unknown_sender_domain,
    +    check_sender_access hash:/etc/postfix/access
    +
    + +%PARAM smtpd_timeout normal: 300s, overload: 10s + +

    When the Postfix SMTP server wants to send an SMTP server +response, how long the Postfix SMTP server will wait for an underlying +network write operation to complete; and when the Postfix SMTP +server Postfix wants to receive an SMTP client request, how long +the Postfix SMTP server will wait for an underlying network read +operation to complete. See the smtpd_per_request_deadline for how +this time limit may be enforced (with Postfix 2.9-3.6 see +smtpd_per_record_deadline).

    + +

    Normally the default limit +is 300s, but it changes under overload to just 10s. With Postfix +2.5 and earlier, the SMTP server always uses a time limit of 300s +by default. +

    + +

    +Note: if you set SMTP time limits to very large values you may have +to update the global ipc_timeout parameter. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM soft_bounce no + +

    +Safety net to keep mail queued that would otherwise be returned to +the sender. This parameter disables locally-generated bounces, +changes the handling of negative responses from remote servers, +content filters or plugins, +and prevents the Postfix SMTP server from rejecting mail permanently +by changing 5xx reply codes into 4xx. However, soft_bounce is no +cure for address rewriting mistakes or mail routing mistakes. +

    + +

    +Note: "soft_bounce = yes" is in some cases implemented by modifying +server responses. Therefore, the response that Postfix logs may +differ from the response that Postfix actually sends or receives. +

    + +

    +Example: +

    + +
    +soft_bounce = yes
    +
    + +%PARAM stale_lock_time 500s + +

    +The time after which a stale exclusive mailbox lockfile is removed. +This is used for delivery to file or mailbox. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM strict_rfc821_envelopes no + +

    +Require that addresses received in SMTP MAIL FROM and RCPT TO +commands are enclosed with <>, and that those addresses do +not contain RFC 822 style comments or phrases. This stops mail +from poorly written software. +

    + +

    +By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL +FROM and RCPT TO addresses. +

    + +%PARAM swap_bangpath yes + +

    +Enable the rewriting of "site!user" into "user@site". This is +necessary if your machine is connected to UUCP networks. It is +enabled by default. +

    + +

    Note: with Postfix version 2.2, message header address rewriting +happens only when one of the following conditions is true:

    + +
      + +
    • The message is received with the Postfix sendmail(1) command, + +
    • The message is received from a network client that matches +$local_header_rewrite_clients, + +
    • The message is received from the network, and the +remote_header_rewrite_domain parameter specifies a non-empty value. + +
    + +

    To get the behavior before Postfix version 2.2, specify +"local_header_rewrite_clients = static:all".

    + +

    +Example: +

    + +
    +swap_bangpath = no
    +
    + +%PARAM syslog_facility mail + +

    +The syslog facility of Postfix logging. Specify a facility as +defined in syslog.conf(5). The default facility is "mail". +

    + +

    +Warning: a non-default syslog_facility setting takes effect only +after a Postfix process has completed initialization. Errors during +process initialization will be logged with the default facility. +Examples are errors while parsing the command line arguments, and +errors while accessing the Postfix main.cf configuration file. +

    + +%PARAM syslog_name see "postconf -d" output + +

    +A prefix that is prepended to the process name in syslog +records, so that, for example, "smtpd" becomes "prefix/smtpd". +

    + +

    +Warning: a non-default syslog_name setting takes effect only after +a Postfix process has completed initialization. Errors during +process initialization will be logged with the default name. Examples +are errors while parsing the command line arguments, and errors +while accessing the Postfix main.cf configuration file. +

    + +%PARAM transport_maps + +

    +Optional lookup tables with mappings from recipient address to +(message delivery transport, next-hop destination). See transport(5) +for details. +

    + +

    +Specify zero or more "type:table" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. If you use this +feature with local files, run "postmap /etc/postfix/transport" +after making a change.

    + +

    Pattern matching of domain names is controlled by the presence +or absence of "transport_maps" in the parent_domain_matches_subdomains +parameter value.

    + +

    For safety reasons, as of Postfix 2.3 this feature does not +allow $number substitutions in regular expression maps.

    + +

    +Examples: +

    + +
    +transport_maps = dbm:/etc/postfix/transport
    +transport_maps = hash:/etc/postfix/transport
    +
    + +%PARAM transport_retry_time 60s + +

    +The time between attempts by the Postfix queue manager to contact +a malfunctioning message delivery transport. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM trigger_timeout 10s + +

    +The time limit for sending a trigger to a Postfix daemon (for +example, the pickup(8) or qmgr(8) daemon). This time limit prevents +programs from getting stuck when the mail system is under heavy +load. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM unknown_address_reject_code 450 + +

    +The numerical response code when the Postfix SMTP server rejects a +sender or recipient address because its domain is unknown. This +is one of the possible replies from the restrictions +reject_unknown_sender_domain and reject_unknown_recipient_domain. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM unknown_client_reject_code 450 + +

    +The numerical Postfix SMTP server response code when a client +without valid address <=> name mapping is rejected by the +reject_unknown_client_hostname restriction. The SMTP server always replies +with 450 when the mapping failed due to a temporary error condition. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM unknown_hostname_reject_code 450 + +

    +The numerical Postfix SMTP server response code when the hostname +specified with the HELO or EHLO command is rejected by the +reject_unknown_helo_hostname restriction. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +%PARAM unknown_local_recipient_reject_code 550 + +

    +The numerical Postfix SMTP server response code when a recipient +address is local, and $local_recipient_maps specifies a list of +lookup tables that does not match the recipient. A recipient +address is local when its domain matches $mydestination, +$proxy_interfaces or $inet_interfaces. +

    + +

    +The default setting is 550 (reject mail) but it is safer to initially +use 450 (try again later) so you have time to find out if your +local_recipient_maps settings are OK. +

    + +

    +Example: +

    + +
    +unknown_local_recipient_reject_code = 450
    +
    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM unverified_recipient_reject_code 450 + +

    +The numerical Postfix SMTP server response when a recipient address +is rejected by the reject_unverified_recipient restriction. +

    + +

    +Unlike elsewhere in Postfix, you can specify 250 in order to +accept the address anyway. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM unverified_recipient_defer_code 450 + +

    +The numerical Postfix SMTP server response when a recipient address +probe fails due to a temporary error condition. +

    + +

    +Unlike elsewhere in Postfix, you can specify 250 in order to +accept the address anyway. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +

    +This feature is available in Postfix 2.6 and later. +

    + +%PARAM unverified_sender_reject_code 450 + +

    +The numerical Postfix SMTP server response code when a recipient +address is rejected by the reject_unverified_sender restriction. +

    + +

    +Unlike elsewhere in Postfix, you can specify 250 in order to +accept the address anyway. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM unverified_sender_defer_code 450 + +

    +The numerical Postfix SMTP server response code when a sender address +probe fails due to a temporary error condition. +

    + +

    +Unlike elsewhere in Postfix, you can specify 250 in order to +accept the address anyway. +

    + +

    +Do not change this unless you have a complete understanding of RFC 5321. +

    + +

    +This feature is available in Postfix 2.6 and later. +

    + +%PARAM virtual_alias_domains $virtual_alias_maps + +

    Postfix is the final destination for the specified list of virtual +alias domains, that is, domains for which all addresses are aliased +to addresses in other local or remote domains. The SMTP server +validates recipient addresses with $virtual_alias_maps and rejects +non-existent recipients. See also the virtual alias domain class +in the ADDRESS_CLASS_README file

    + +

    +This feature is available in Postfix 2.0 and later. The default +value is backwards compatible with Postfix version 1.1. +

    + +

    +The default value is $virtual_alias_maps so that you can keep all +information about virtual alias domains in one place. If you have +many users, it is better to separate information that changes more +frequently (virtual address -> local or remote address mapping) +from information that changes less frequently (the list of virtual +domain names). +

    + +

    Specify a list of host or domain names, "/file/name" or +"type:table" patterns, separated by commas and/or whitespace. A +"/file/name" pattern is replaced by its contents; a "type:table" +lookup table is matched when a table entry matches a host or domain name +(the lookup result is ignored). Continue long lines by starting +the next line with whitespace. Specify "!pattern" to exclude a host +or domain name from the list. The form "!/file/name" is supported +only in Postfix version 2.4 and later.

    + +

    +See also the VIRTUAL_README and ADDRESS_CLASS_README documents +for further information. +

    + +

    +Example: +

    + +
    +virtual_alias_domains = virtual1.tld virtual2.tld
    +
    + +%PARAM virtual_alias_expansion_limit 1000 + +

    +The maximal number of addresses that virtual alias expansion produces +from each original recipient. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM virtual_alias_maps $virtual_maps + +

    +Optional lookup tables that alias specific mail addresses or domains +to other local or remote addresses. The table format and lookups +are documented in virtual(5). For an overview of Postfix address +manipulations see the ADDRESS_REWRITING_README document. +

    + +

    +This feature is available in Postfix 2.0 and later. The default +value is backwards compatible with Postfix version 1.1. +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +Note: these lookups are recursive. +

    + +

    +If you use this feature with indexed files, run "postmap +/etc/postfix/virtual" after changing the file. +

    + +

    +Examples: +

    + +
    +virtual_alias_maps = dbm:/etc/postfix/virtual
    +virtual_alias_maps = hash:/etc/postfix/virtual
    +
    + +%PARAM virtual_alias_recursion_limit 1000 + +

    +The maximal nesting depth of virtual alias expansion. Currently +the recursion limit is applied only to the left branch of the +expansion graph, so the depth of the tree can in the worst case +reach the sum of the expansion and recursion limits. This may +change in the future. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%CLASS trouble-shooting Trouble shooting + +

    +The DEBUG_README document describes how to debug parts of the +Postfix mail system. The methods vary from making the software log +a lot of detail, to running some daemon processes under control of +a call tracer or debugger. +

    + +%PARAM debugger_command + +

    +The external command to execute when a Postfix daemon program is +invoked with the -D option. +

    + +

    +Use "command .. & sleep 5" so that the debugger can attach before +the process marches on. If you use an X-based debugger, be sure to +set up your XAUTHORITY environment variable before starting Postfix. +

    + +

    +Note: the command is subject to $name expansion, before it is +passed to the default command interpreter. Specify "$$" to +produce a single "$" character. +

    + +

    +Example: +

    + +
    +debugger_command =
    +    PATH=/usr/bin:/usr/X11R6/bin
    +    ddd $daemon_directory/$process_name $process_id & sleep 5
    +
    + +%PARAM 2bounce_notice_recipient postmaster + +

    The recipient of undeliverable mail that cannot be returned to +the sender. This feature is enabled with the notify_classes +parameter.

    + +%PARAM address_verify_service_name verify + +

    +The name of the verify(8) address verification service. This service +maintains the status of sender and/or recipient address verification +probes, and generates probes on request by other Postfix processes. +

    + +%PARAM alternate_config_directories + +

    +A list of non-default Postfix configuration directories that may +be specified with "-c config_directory" on the command line (in the +case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG +environment parameter. +

    + +

    +This list must be specified in the default Postfix main.cf file, +and will be used by set-gid Postfix commands such as postqueue(1) +and postdrop(1). +

    + +

    +Specify absolute pathnames, separated by comma or space. Note: $name +expansion is not supported. +

    + +%PARAM append_at_myorigin yes + +

    +With locally submitted mail, append the string "@$myorigin" to mail +addresses without domain information. With remotely submitted mail, +append the string "@$remote_header_rewrite_domain" instead. +

    + +

    +Note 1: this feature is enabled by default and must not be turned off. +Postfix does not support domain-less addresses. +

    + +

    Note 2: with Postfix version 2.2, message header address rewriting +happens only when one of the following conditions is true:

    + +
      + +
    • The message is received with the Postfix sendmail(1) command, + +
    • The message is received from a network client that matches +$local_header_rewrite_clients, + +
    • The message is received from the network, and the +remote_header_rewrite_domain parameter specifies a non-empty value. + +
    + +

    To get the behavior before Postfix version 2.2, specify +"local_header_rewrite_clients = static:all".

    + +%PARAM append_dot_mydomain Postfix ≥ 3.0: no, Postfix < 3.0: yes + +

    +With locally submitted mail, append the string ".$mydomain" to +addresses that have no ".domain" information. With remotely submitted +mail, append the string ".$remote_header_rewrite_domain" +instead. +

    + +

    +Note 1: this feature is enabled by default. If disabled, users will not be +able to send mail to "user@partialdomainname" but will have to +specify full domain names instead. +

    + +

    Note 2: with Postfix version 2.2, message header address rewriting +happens only when one of the following conditions is true:

    + +
      + +
    • The message is received with the Postfix sendmail(1) command, + +
    • The message is received from a network client that matches +$local_header_rewrite_clients, + +
    • The message is received from the network, and the +remote_header_rewrite_domain parameter specifies a non-empty value. + +
    + +

    To get the behavior before Postfix version 2.2, specify +"local_header_rewrite_clients = static:all".

    + +%PARAM application_event_drain_time 100s + +

    +How long the postkick(1) command waits for a request to enter the +Postfix daemon process input buffer before giving up. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM authorized_flush_users static:anyone + +

    +List of users who are authorized to flush the queue. +

    + +

    +By default, all users are allowed to flush the queue. Access is +always granted if the invoking user is the super-user or the +$mail_owner user. Otherwise, the real UID of the process is looked +up in the system password file, and access is granted only if the +corresponding login name is on the access list. The username +"unknown" is used for processes whose real UID is not found in the +password file.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. A "/file/name" +pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). Continue long +lines by starting the next line with whitespace. Specify "!pattern" +to exclude a name from the list. The form "!/file/name" is supported +only in Postfix version 2.4 and later.

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +%PARAM authorized_mailq_users static:anyone + +

    +List of users who are authorized to view the queue. +

    + +

    +By default, all users are allowed to view the queue. Access is +always granted if the invoking user is the super-user or the +$mail_owner user. Otherwise, the real UID of the process is looked +up in the system password file, and access is granted only if the +corresponding login name is on the access list. The username +"unknown" is used for processes whose real UID is not found in the +password file.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. A "/file/name" +pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). Continue long +lines by starting the next line with whitespace. Specify "!pattern" +to exclude a user name from the list. The form "!/file/name" is +supported only in Postfix version 2.4 and later.

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +%PARAM authorized_submit_users static:anyone + +

    +List of users who are authorized to submit mail with the sendmail(1) +command (and with the privileged postdrop(1) helper command). +

    + +

    +By default, all users are allowed to submit mail. Otherwise, the +real UID of the process is looked up in the system password file, +and access is granted only if the corresponding login name is on +the access list. The username "unknown" is used for processes +whose real UID is not found in the password file. To deny mail +submission access to all users specify an empty list.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to right, +and the search stops on the first match. A "/file/name" pattern is +replaced by its contents; +a "type:table" lookup table is matched when a name matches a lookup key +(the lookup result is ignored). Continue long lines by starting the +next line with whitespace. Specify "!pattern" to exclude a user +name from the list. The form "!/file/name" is supported only in +Postfix version 2.4 and later.

    + +

    +Example: +

    + +
    +authorized_submit_users = !www, static:all
    +
    + +

    +This feature is available in Postfix 2.2 and later. +

    + +%PARAM backwards_bounce_logfile_compatibility yes + +

    +Produce additional bounce(8) logfile records that can be read by +Postfix versions before 2.0. The current and more extensible "name = +value" format is needed in order to implement more sophisticated +functionality. +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM bounce_notice_recipient postmaster + +

    +The recipient of postmaster notifications with the message headers +of mail that Postfix did not deliver and of SMTP conversation +transcripts of mail that Postfix did not receive. This feature is +enabled with the notify_classes parameter.

    + +%PARAM bounce_service_name bounce + +

    +The name of the bounce(8) service. This service maintains a record +of failed delivery attempts and generates non-delivery notifications. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM broken_sasl_auth_clients no + +

    +Enable interoperability with remote SMTP clients that implement an obsolete +version of the AUTH command (RFC 4954). Examples of such clients +are MicroSoft Outlook Express version 4 and MicroSoft Exchange +version 5.0. +

    + +

    +Specify "broken_sasl_auth_clients = yes" to have Postfix advertise +AUTH support in a non-standard way. +

    + +%PARAM cleanup_service_name cleanup + +

    +The name of the cleanup(8) service. This service rewrites addresses +into the standard form, and performs canonical(5) address mapping +and virtual(5) aliasing. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM anvil_status_update_time 600s + +

    +How frequently the anvil(8) connection and rate limiting server +logs peak usage information. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +%PARAM enable_errors_to no + +

    Report mail delivery errors to the address specified with the +non-standard Errors-To: message header, instead of the envelope +sender address (this feature is removed with Postfix version 2.2, is +turned off by default with Postfix version 2.1, and is always turned on +with older Postfix versions).

    + +%PARAM extract_recipient_limit 10240 + +

    +The maximal number of recipient addresses that Postfix will extract +from message headers when mail is submitted with "sendmail -t". +

    + +

    +This feature was removed in Postfix version 2.1. +

    + +%PARAM anvil_rate_time_unit 60s + +

    +The time unit over which client connection rates and other rates +are calculated. +

    + +

    +This feature is implemented by the anvil(8) service which is available +in Postfix version 2.2 and later. +

    + +

    +The default interval is relatively short. Because of the high +frequency of updates, the anvil(8) server uses volatile memory +only. Thus, information is lost whenever the process terminates. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM command_expansion_filter see "postconf -d" output + +

    +Restrict the characters that the local(8) delivery agent allows in +$name expansions of $mailbox_command and $command_execution_directory. +Characters outside the +allowed set are replaced by underscores. +

    + +%PARAM content_filter + +

    After the message is queued, send the entire message to the +specified transport:destination. The transport name +specifies the first field of a mail delivery agent definition in +master.cf; the syntax of the next-hop destination is described +in the manual page of the corresponding delivery agent. More +information about external content filters is in the Postfix +FILTER_README file.

    + +

    Notes:

    + +
      + +
    • This setting has lower precedence than a FILTER action +that is specified in an access(5), header_checks(5) or body_checks(5) +table.

      + +
    • The meaning of an empty next-hop filter destination +is version dependent. Postfix 2.7 and later will use the recipient +domain; earlier versions will use $myhostname. Specify +"default_filter_nexthop = $myhostname" for compatibility with Postfix +2.6 or earlier, or specify a content_filter value with an explicit +next-hop destination.

      + +
    + +%PARAM default_delivery_slot_discount 50 + +

    +The default value for transport-specific _delivery_slot_discount +settings. +

    + +

    +This parameter speeds up the moment when a message preemption can +happen. Instead of waiting until the full amount of delivery slots +required is available, the preemption can happen when +transport_delivery_slot_discount percent of the required amount +plus transport_delivery_slot_loan still remains to be accumulated. +Note that the full amount will still have to be accumulated before +another preemption can take place later. +

    + +

    Use transport_delivery_slot_discount to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +%PARAM default_delivery_slot_loan 3 + +

    +The default value for transport-specific _delivery_slot_loan +settings. +

    + +

    +This parameter speeds up the moment when a message preemption can +happen. Instead of waiting until the full amount of delivery slots +required is available, the preemption can happen when +transport_delivery_slot_discount percent of the required amount +plus transport_delivery_slot_loan still remains to be accumulated. +Note that the full amount will still have to be accumulated before +another preemption can take place later. +

    + +

    Use transport_delivery_slot_loan to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +%CLASS verp VERP Support + +

    +With VERP style delivery, each recipient of a message receives a +customized copy of the message with his/her own recipient address +encoded in the envelope sender address. The VERP_README file +describes configuration and operation details of Postfix support +for variable envelope return path addresses. VERP style delivery +is requested with the SMTP XVERP command or with the "sendmail +-V" command-line option and is available in Postfix +1.1 and later. +

    + +%PARAM default_verp_delimiters += + +

    The two default VERP delimiter characters. These are used when +no explicit delimiters are specified with the SMTP XVERP command +or with the "sendmail -XV" command-line option (Postfix 2.2 +and earlier: -V). Specify characters that are allowed by the +verp_delimiter_filter setting. +

    + +

    +This feature is available in Postfix 1.1 and later. +

    + +%PARAM defer_service_name defer + +

    +The name of the defer service. This service is implemented by the +bounce(8) daemon and maintains a record +of failed delivery attempts and generates non-delivery notifications. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM delay_notice_recipient postmaster + +

    +The recipient of postmaster notifications with the message headers +of mail that cannot be delivered within $delay_warning_time time +units.

    + +

    +See also: delay_warning_time, notify_classes. +

    + +%PARAM delay_warning_time 0h + +

    +The time after which the sender receives a copy of the message +headers of mail that is still queued. The confirm_delay_cleared +parameter controls sender notification when the delay clears up. +

    + +

    +To enable this feature, specify a non-zero time value (an integral +value plus an optional one-letter suffix that specifies the time +unit). +

    + +

    +Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is h (hours). +

    + +

    +See also: delay_notice_recipient, notify_classes, confirm_delay_cleared. +

    + +%PARAM confirm_delay_cleared no + +

    After sending a "your message is delayed" notification, inform +the sender when the delay clears up. This can result in a sudden +burst of notifications at the end of a prolonged network outage, +and is therefore disabled by default.

    + +

    See also: delay_warning_time.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM disable_dns_lookups no + +

    +Disable DNS lookups in the Postfix SMTP and LMTP clients. When +disabled, hosts are looked up with the getaddrinfo() system +library routine which normally also looks in /etc/hosts. As of +Postfix 2.11, this parameter is deprecated; use smtp_dns_support_level +instead. +

    + +

    +DNS lookups are enabled by default. +

    + +%CLASS mime MIME Processing + +

    +MIME processing is available in Postfix as of version 2.0. Older +Postfix versions do not recognize MIME headers inside the message +body. +

    + +%PARAM disable_mime_input_processing no + +

    +Turn off MIME processing while receiving mail. This means that no +special treatment is given to Content-Type: message headers, and +that all text after the initial message headers is considered to +be part of the message body. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +

    +Mime input processing is enabled by default, and is needed in order +to recognize MIME headers in message content. +

    + +%PARAM disable_mime_output_conversion no + +

    +Disable the conversion of 8BITMIME format to 7BIT format. Mime +output conversion is needed when the destination does not advertise +8BITMIME support. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM disable_verp_bounces no + +

    +Disable sending one bounce report per recipient. +

    + +

    +The default, one per recipient, is what ezmlm needs. +

    + +

    +This feature is available in Postfix 1.1 and later. +

    + +%PARAM dont_remove 0 + +

    +Don't remove queue files and save them to the "saved" mail queue. +This is a debugging aid. To inspect the envelope information and +content of a Postfix queue file, use the postcat(1) command. +

    + +%PARAM empty_address_recipient MAILER-DAEMON + +

    +The recipient of mail addressed to the null address. Postfix does +not accept such addresses in SMTP commands, but they may still be +created locally as the result of configuration or software error. +

    + +%PARAM error_notice_recipient postmaster + +

    The recipient of postmaster notifications about mail delivery +problems that are caused by policy, resource, software or protocol +errors. These notifications are enabled with the notify_classes +parameter.

    + +%PARAM error_service_name error + +

    +The name of the error(8) pseudo delivery agent. This service always +returns mail as undeliverable. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM expand_owner_alias no + +

    +When delivering to an alias "aliasname" that has an +"owner-aliasname" companion alias, set the envelope sender +address to the expansion of the "owner-aliasname" alias. +Normally, Postfix sets the envelope sender address to the name of +the "owner-aliasname" alias. +

    + +%PARAM fallback_transport + +

    +Optional message delivery transport that the local(8) delivery +agent should use for names that are not found in the aliases(5) +or UNIX password database. +

    + +

    The precedence of local(8) delivery features from high to low +is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, +mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, +fallback_transport_maps, fallback_transport and luser_relay.

    + +%PARAM fault_injection_code 0 + +

    +Force specific internal tests to fail, to test the handling of +errors that are difficult to reproduce otherwise. +

    + +%PARAM flush_service_name flush + +

    +The name of the flush(8) service. This service maintains per-destination +logfiles with the queue file names of mail that is queued for those +destinations. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM forward_expansion_filter see "postconf -d" output + +

    +Restrict the characters that the local(8) delivery agent allows in +$name expansions of $forward_path. Characters outside the +allowed set are replaced by underscores. +

    + +%PARAM header_address_token_limit 10240 + +

    +The maximal number of address tokens are allowed in an address +message header. Information that exceeds the limit is discarded. +The limit is enforced by the cleanup(8) server. +

    + +%PARAM helpful_warnings yes + +

    +Log warnings about problematic configuration settings, and provide +helpful suggestions. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM lmtp_cache_connection yes + +

    +Keep Postfix LMTP client connections open for up to $max_idle +seconds. When the LMTP client receives a request for the same +connection the connection is reused. +

    + +

    This parameter is available in Postfix version 2.2 and earlier. +With Postfix version 2.3 and later, see lmtp_connection_cache_on_demand, +lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit. +

    + +

    +The effectiveness of cached connections will be determined by the +number of remote LMTP servers in use, and the concurrency limit specified +for the Postfix LMTP client. Cached connections are closed under any of +the following conditions: +

    + +
      + +
    • The Postfix LMTP client idle time limit is reached. This limit is +specified with the Postfix max_idle configuration parameter. + +
    • A delivery request specifies a different destination than the +one currently cached. + +
    • The per-process limit on the number of delivery requests is +reached. This limit is specified with the Postfix max_use +configuration parameter. + +
    • Upon the onset of another delivery request, the remote LMTP server +associated with the current session does not respond to the RSET +command. + +
    + +

    +Most of these limitations have been with the Postfix +connection cache that is shared among multiple LMTP client +programs. +

    + +%PARAM lmtp_sasl_auth_enable no + +

    +Enable SASL authentication in the Postfix LMTP client. +

    + +%PARAM lmtp_sasl_password_maps + +

    +Optional Postfix LMTP client lookup tables with one username:password entry +per host or domain. If a remote host or domain has no username:password +entry, then the Postfix LMTP client will not attempt to authenticate +to the remote host. +

    + +%PARAM lmtp_sasl_security_options noplaintext, noanonymous + +

    SASL security options; as of Postfix 2.3 the list of available +features depends on the SASL client implementation that is selected +with lmtp_sasl_type.

    + +

    The following security features are defined for the cyrus +client SASL implementation:

    + +
    + +
    noplaintext
    + +
    Disallow authentication methods that use plaintext passwords.
    + +
    noactive
    + +
    Disallow authentication methods that are vulnerable to non-dictionary +active attacks.
    + +
    nodictionary
    + +
    Disallow authentication methods that are vulnerable to passive +dictionary attacks.
    + +
    noanonymous
    + +
    Disallow anonymous logins.
    + +
    + +

    +Example: +

    + +
    +lmtp_sasl_security_options = noplaintext
    +
    + +%PARAM lmtp_tcp_port 24 + +

    +The default TCP port that the Postfix LMTP client connects to. +Specify a symbolic name (see services(5)) or a numeric port. +

    + +%PARAM smtp_tcp_port smtp + +

    +The default TCP port that the Postfix SMTP client connects to. +Specify a symbolic name (see services(5)) or a numeric port. +

    + +%PARAM mail_release_date see "postconf -d" output + +

    +The Postfix release date, in "YYYYMMDD" format. +

    + +%PARAM mailbox_command_maps + +

    +Optional lookup tables with per-recipient external commands to use +for local(8) mailbox delivery. Behavior is as with mailbox_command. +

    + +

    The precedence of local(8) delivery features from high to low +is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, +mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, +fallback_transport_maps, fallback_transport and luser_relay.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +%PARAM mailbox_delivery_lock see "postconf -d" output + +

    +How to lock a UNIX-style local(8) mailbox before attempting delivery. +For a list of available file locking methods, use the "postconf +-l" command. +

    + +

    +This setting is ignored with maildir style delivery, +because such deliveries are safe without explicit locks. +

    + +

    +Note: The dotlock method requires that the recipient UID or +GID has write access to the parent directory of the mailbox file. +

    + +

    +Note: the default setting of this parameter is system dependent. +

    + +%PARAM mailbox_transport + +

    +Optional message delivery transport that the local(8) delivery +agent should use for mailbox delivery to all local recipients, +whether or not they are found in the UNIX passwd database. +

    + +

    The precedence of local(8) delivery features from high to low +is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, +mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, +fallback_transport_maps, fallback_transport and luser_relay.

    + +%PARAM mailq_path see "postconf -d" output + +

    +Sendmail compatibility feature that specifies where the Postfix +mailq(1) command is installed. This command can be used to +list the Postfix mail queue. +

    + +%PARAM manpage_directory see "postconf -d" output + +

    +Where the Postfix manual pages are installed. +

    + +%PARAM maps_rbl_domains + +

    +Obsolete feature: use the reject_rbl_client feature instead. +

    + +%PARAM mime_boundary_length_limit 2048 + +

    +The maximal length of MIME multipart boundary strings. The MIME +processor is unable to distinguish between boundary strings that +do not differ in the first $mime_boundary_length_limit characters. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM mime_header_checks $header_checks + +

    +Optional lookup tables for content inspection of MIME related +message headers, as described in the header_checks(5) manual page. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM mime_nesting_limit 100 + +

    +The maximal recursion level that the MIME processor will handle. +Postfix refuses mail that is nested deeper than the specified limit. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM mynetworks_style Postfix ≥ 3.0: host, Postfix < 3.0: subnet + +

    +The method to generate the default value for the mynetworks parameter. +This is the list of trusted networks for relay access control etc. +

    + +
      + +
    • Specify "mynetworks_style = host" when Postfix should +"trust" only the local machine.

      + +
    • Specify "mynetworks_style = subnet" when Postfix +should "trust" remote SMTP clients in the same IP subnetworks as the local +machine. On Linux, this works correctly only with interfaces +specified with the "ifconfig" or "ip" command.

      + +
    • Specify "mynetworks_style = class" when Postfix should +"trust" remote SMTP clients in the same IP class A/B/C networks as the +local machine. Caution: this may cause +Postfix to "trust" your entire provider's network. Instead, specify +an explicit mynetworks list by hand, as described with the mynetworks +configuration parameter.

      + +
    + +%PARAM nested_header_checks $header_checks + +

    +Optional lookup tables for content inspection of non-MIME message +headers in attached messages, as described in the header_checks(5) +manual page. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM newaliases_path see "postconf -d" output + +

    +Sendmail compatibility feature that specifies the location of the +newaliases(1) command. This command can be used to rebuild the +local(8) aliases(5) database. +

    + +%PARAM non_fqdn_reject_code 504 + +

    +The numerical Postfix SMTP server reply code when a client request +is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender +or reject_non_fqdn_recipient restriction. +

    + +%PARAM owner_request_special yes + +

    +Enable special treatment for owner-listname entries in the +aliases(5) file, and don't split owner-listname and +listname-request address localparts when the recipient_delimiter +is set to "-". This feature is useful for mailing lists. +

    + +%PARAM permit_mx_backup_networks + +

    +Restrict the use of the permit_mx_backup SMTP access feature to +only domains whose primary MX hosts match the listed networks. +The parameter value syntax is the same as with the mynetworks +parameter; note, however, that the default value is empty.

    + +

    Pattern matching of domain names is controlled by the presence +or absence of "permit_mx_backup_networks" in the +parent_domain_matches_subdomains parameter value.

    + +%PARAM pickup_service_name pickup + +

    +The name of the pickup(8) service. This service picks up local mail +submissions from the Postfix maildrop queue. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM prepend_delivered_header command, file, forward + +

    The message delivery contexts where the Postfix local(8) delivery +agent prepends a Delivered-To: message header with the address +that the mail was delivered to. This information is used for mail +delivery loop detection.

    + +

    +By default, the Postfix local delivery agent prepends a Delivered-To: +header when forwarding mail and when delivering to file (mailbox) +and command. Turning off the Delivered-To: header when forwarding +mail is not recommended. +

    + +

    +Specify zero or more of forward, file, or command. +

    + +

    +Example: +

    + +
    +prepend_delivered_header = forward
    +
    + +%PARAM process_name read-only + +

    +The process name of a Postfix command or daemon process. +

    + +%PARAM service_name read-only + +

    The master.cf service name of a Postfix daemon process. This +can be used to distinguish the logging from different services that +use the same program name.

    + +

    Example master.cf entries:

    + +
    +# Distinguish inbound MTA logging from submission and smtps logging.
    +smtp      inet  n       -       n       -       -       smtpd
    +submission inet n       -       n       -       -       smtpd
    +    -o syslog_name=postfix/$service_name
    +smtps     inet  n       -       n       -       -       smtpd
    +    -o syslog_name=postfix/$service_name
    +
    + +
    +# Distinguish outbound MTA logging from inbound relay logging.
    +smtp      unix  -       -       n       -       -       smtp
    +relay     unix  -       -       n       -       -       smtp
    +    -o syslog_name=postfix/$service_name
    +
    + +%PARAM process_id read-only + +

    +The process ID of a Postfix command or daemon process. +

    + +%PARAM process_id_directory pid + +

    +The location of Postfix PID files relative to $queue_directory. +This is a read-only parameter. +

    + +%PARAM proxy_read_maps see "postconf -d" output + +

    +The lookup tables that the proxymap(8) server is allowed to +access for the read-only service. +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. +Table references that don't begin with proxy: are ignored. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM proxy_write_maps see "postconf -d" output + +

    The lookup tables that the proxymap(8) server is allowed to +access for the read-write service. Postfix-owned local database +files should be stored under the Postfix-owned data_directory. +Table references that don't begin with proxy: are ignored.

    + +

    +This feature is available in Postfix 2.5 and later. +

    + +%PARAM qmgr_clog_warn_time 300s + +

    +The minimal delay between warnings that a specific destination is +clogging up the Postfix active queue. Specify 0 to disable. +

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is enabled with the helpful_warnings parameter. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM qmgr_fudge_factor 100 + +

    +Obsolete feature: the percentage of delivery resources that a busy +mail system will use up for delivery of a large mailing list +message. +

    + +

    +This feature exists only in the oqmgr(8) old queue manager. The +current queue manager solves the problem in a better way. +

    + +%PARAM queue_directory see "postconf -d" output + +

    +The location of the Postfix top-level queue directory. This is the +root directory of Postfix daemon processes that run chrooted. +

    + +%PARAM queue_file_attribute_count_limit 100 + +

    +The maximal number of (name=value) attributes that may be stored +in a Postfix queue file. The limit is enforced by the cleanup(8) +server. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM queue_service_name qmgr + +

    +The name of the qmgr(8) service. This service manages the Postfix +queue and schedules delivery requests. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM html_directory see "postconf -d" output + +

    +The location of Postfix HTML files that describe how to build, +configure or operate a specific Postfix subsystem or feature. +

    + +%PARAM readme_directory see "postconf -d" output + +

    +The location of Postfix README files that describe how to build, +configure or operate a specific Postfix subsystem or feature. +

    + +%PARAM relay_transport relay + +

    +The default mail delivery transport and next-hop destination for +remote delivery to domains listed with $relay_domains. In order of +decreasing precedence, the nexthop destination is taken from +$relay_transport, $sender_dependent_relayhost_maps, $relayhost, or +from the recipient domain. This information can be overruled with +the transport(5) table. +

    + +

    +Specify a string of the form transport:nexthop, where transport +is the name of a mail delivery transport defined in master.cf. +The :nexthop destination is optional; its syntax is documented +in the manual page of the corresponding delivery agent. +

    + +

    +See also the relay domains address class in the ADDRESS_CLASS_README +file. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM rewrite_service_name rewrite + +

    +The name of the address rewriting service. This service rewrites +addresses to standard form and resolves them to a (delivery method, +next-hop host, recipient) triple. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM sample_directory /etc/postfix + +

    +The name of the directory with example Postfix configuration files. +Starting with Postfix 2.1, these files have been replaced with the +postconf(5) manual page. +

    + +%PARAM sender_based_routing no + +

    +This parameter should not be used. It was replaced by sender_dependent_relayhost_maps +in Postfix version 2.3. +

    + +%PARAM sendmail_path see "postconf -d" output + +

    +A Sendmail compatibility feature that specifies the location of +the Postfix sendmail(1) command. This command can be used to +submit mail into the Postfix queue. +

    + +%PARAM service_throttle_time 60s + +

    +How long the Postfix master(8) waits before forking a server that +appears to be malfunctioning. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM setgid_group postdrop + +

    +The group ownership of set-gid Postfix commands and of group-writable +Postfix directories. When this parameter value is changed you need +to re-run "postfix set-permissions" (with Postfix version 2.0 and +earlier: "/etc/postfix/post-install set-permissions". +

    + +%PARAM show_user_unknown_table_name yes + +

    +Display the name of the recipient table in the "User unknown" +responses. The extra detail makes troubleshooting easier but also +reveals information that is nobody else's business. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM showq_service_name showq + +

    +The name of the showq(8) service. This service produces mail queue +status reports. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM smtp_pix_workaround_delay_time 10s + +

    +How long the Postfix SMTP client pauses before sending +".<CR><LF>" in order to work around the PIX firewall +"<CR><LF>.<CR><LF>" bug. +

    + +

    +Choosing too short a time makes this workaround ineffective when +sending large messages over slow network connections. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +%PARAM smtp_randomize_addresses yes + +

    +Randomize the order of equal-preference MX host addresses. This +is a performance feature of the Postfix SMTP client. +

    + +%PARAM smtp_rset_timeout 20s + +

    The Postfix SMTP client time limit for sending the RSET command, +and for receiving the remote SMTP server response. The SMTP client +sends RSET in +order to finish a recipient address probe, or to verify that a +cached session is still usable.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.1 and later.

    + +%PARAM smtpd_data_restrictions + +

    +Optional access restrictions that the Postfix SMTP server applies +in the context of the SMTP DATA command. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +

    +Specify a list of restrictions, separated by commas and/or whitespace. +Continue long lines by starting the next line with whitespace. +Restrictions are applied in the order as specified; the first +restriction that matches wins. +

    + +

    +The following restrictions are valid in this context: +

    + +
      + +
    • Generic restrictions that can be used +in any SMTP command context, described under smtpd_client_restrictions. + +
    • SMTP command specific restrictions described under +smtpd_client_restrictions, smtpd_helo_restrictions, +smtpd_sender_restrictions or smtpd_recipient_restrictions. + +
    • However, no recipient information is available in the case of +multi-recipient mail. Acting on only one recipient would be misleading, +because any decision will affect all recipients equally. Acting on +all recipients would require a possibly very large amount of memory, +and would also be misleading for the reasons mentioned before. + +
    + +

    +Examples: +

    + +
    +smtpd_data_restrictions = reject_unauth_pipelining
    +smtpd_data_restrictions = reject_multi_recipient_bounce
    +
    + +%PARAM smtpd_end_of_data_restrictions + +

    Optional access restrictions that the Postfix SMTP server +applies in the context of the SMTP END-OF-DATA command. +See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access +restriction lists" for a discussion of evaluation context and time. +

    + +

    This feature is available in Postfix 2.2 and later.

    + +

    See smtpd_data_restrictions for details and limitations.

    + +%PARAM smtpd_delay_reject yes + +

    +Wait until the RCPT TO command before evaluating +$smtpd_client_restrictions, $smtpd_helo_restrictions and +$smtpd_sender_restrictions, or wait until the ETRN command before +evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. +

    + +

    +This feature is turned on by default because some clients apparently +mis-behave when the Postfix SMTP server rejects commands before +RCPT TO. +

    + +

    +The default setting has one major benefit: it allows Postfix to log +recipient address information when rejecting a client name/address +or sender address, so that it is possible to find out whose mail +is being rejected. +

    + +%PARAM smtpd_null_access_lookup_key <> + +

    +The lookup key to be used in SMTP access(5) tables instead of the +null sender address. +

    + +%CLASS smtpd-policy SMTP server policy delegation + +

    +The Postfix SMTP server has a number of built-in mechanisms to +block or accept mail at specific SMTP protocol stages. As of version +2.1 Postfix can be configured to delegate policy decisions to an +external server that runs outside Postfix. See the file +SMTPD_POLICY_README for more information. +

    + +%PARAM smtpd_policy_service_max_idle 300s + +

    +The time after which an idle SMTPD policy service connection is +closed. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtpd_policy_service_max_ttl 1000s + +

    +The time after which an active SMTPD policy service connection is +closed. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtpd_policy_service_timeout 100s + +

    +The time limit for connecting to, writing to, or receiving from a +delegated SMTPD policy server. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtpd_policy_service_request_limit 0 + +

    +The maximal number of requests per SMTPD policy service connection, +or zero (no limit). Once a connection reaches this limit, the +connection is closed and the next request will be sent over a new +connection. This is a workaround to avoid error-recovery delays +with policy servers that cannot maintain a persistent connection. +

    + +

    +This feature is available in Postfix 3.0 and later. +

    + +%PARAM smtpd_reject_unlisted_recipient yes + +

    +Request that the Postfix SMTP server rejects mail for unknown +recipient addresses, even when no explicit reject_unlisted_recipient +access restriction is specified. This prevents the Postfix queue +from filling up with undeliverable MAILER-DAEMON messages. +

    + +

    An address is always considered "known" when it matches a +virtual(5) alias or a canonical(5) mapping. + +

      + +
    • The recipient domain matches $mydestination, $inet_interfaces +or $proxy_interfaces, but the recipient is not listed in +$local_recipient_maps, and $local_recipient_maps is not null. + +
    • The recipient domain matches $virtual_alias_domains but the +recipient is not listed in $virtual_alias_maps. + +
    • The recipient domain matches $virtual_mailbox_domains but the +recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps +is not null. + +
    • The recipient domain matches $relay_domains but the recipient +is not listed in $relay_recipient_maps, and $relay_recipient_maps +is not null. + +
    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtpd_reject_unlisted_sender no + +

    Request that the Postfix SMTP server rejects mail from unknown +sender addresses, even when no explicit reject_unlisted_sender +access restriction is specified. This can slow down an explosion +of forged mail from worms or viruses.

    + +

    An address is always considered "known" when it matches a +virtual(5) alias or a canonical(5) mapping. + +

      + +
    • The sender domain matches $mydestination, $inet_interfaces or +$proxy_interfaces, but the sender is not listed in +$local_recipient_maps, and $local_recipient_maps is not null. + +
    • The sender domain matches $virtual_alias_domains but the sender +is not listed in $virtual_alias_maps. + +
    • The sender domain matches $virtual_mailbox_domains but the +sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps +is not null. + +
    • The sender domain matches $relay_domains but the sender is +not listed in $relay_recipient_maps, and $relay_recipient_maps is +not null. + +
    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM smtpd_restriction_classes + +

    +User-defined aliases for groups of access restrictions. The aliases +can be specified in smtpd_recipient_restrictions etc., and on the +right-hand side of a Postfix access(5) table. +

    + +

    +One major application is for implementing per-recipient UCE control. +See the RESTRICTION_CLASS_README document for other examples. +

    + +%PARAM smtpd_sasl_application_name smtpd + +

    +The application name that the Postfix SMTP server uses for SASL +server initialization. This +controls the name of the SASL configuration file. The default value +is smtpd, corresponding to a SASL configuration file named +smtpd.conf. +

    + +

    +This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 +it was renamed to smtpd_sasl_path. +

    + +%PARAM strict_7bit_headers no + +

    +Reject mail with 8-bit text in message headers. This blocks mail +from poorly written applications. +

    + +

    +This feature should not be enabled on a general purpose mail server, +because it is likely to reject legitimate email. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM strict_8bitmime no + +

    +Enable both strict_7bit_headers and strict_8bitmime_body. +

    + +

    +This feature should not be enabled on a general purpose mail server, +because it is likely to reject legitimate email. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM strict_8bitmime_body no + +

    +Reject 8-bit message body text without 8-bit MIME content encoding +information. This blocks mail from poorly written applications. +

    + +

    +Unfortunately, this also rejects majordomo approval requests when +the included request contains valid 8-bit MIME mail, and it rejects +bounces from mailers that do not MIME encapsulate 8-bit content +(for example, bounces from qmail or from old versions of Postfix). +

    + +

    +This feature should not be enabled on a general purpose mail server, +because it is likely to reject legitimate email. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM strict_mime_encoding_domain no + +

    +Reject mail with invalid Content-Transfer-Encoding: information +for the message/* or multipart/* MIME content types. This blocks +mail from poorly written software. +

    + +

    +This feature should not be enabled on a general purpose mail server, +because it will reject mail after a single violation. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM sun_mailtool_compatibility no + +

    +Obsolete SUN mailtool compatibility feature. Instead, use +"mailbox_delivery_lock = dotlock". +

    + +%PARAM trace_service_name trace + +

    +The name of the trace service. This service is implemented by the +bounce(8) daemon and maintains a record +of mail deliveries and produces a mail delivery report when verbose +delivery is requested with "sendmail -v". +

    + +

    +This feature is available in Postfix 2.1 and later. +

    + +%PARAM undisclosed_recipients_header see "postconf -d" output + +

    +Message header that the Postfix cleanup(8) server inserts when a +message contains no To: or Cc: message header. With Postfix 2.8 +and later, the default value is empty. With Postfix 2.4-2.7, +specify an empty value to disable this feature.

    + +

    Example:

    + +
    +# Default value before Postfix 2.8.
    +# Note: the ":" and ";" are both required.
    +undisclosed_recipients_header = To: undisclosed-recipients:;
    +
    + +%PARAM unknown_relay_recipient_reject_code 550 + +

    +The numerical Postfix SMTP server reply code when a recipient +address matches $relay_domains, and relay_recipient_maps specifies +a list of lookup tables that does not match the recipient address. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM unknown_virtual_alias_reject_code 550 + +

    +The Postfix SMTP server reply code when a recipient address matches +$virtual_alias_domains, and $virtual_alias_maps specifies a list +of lookup tables that does not match the recipient address. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM unknown_virtual_mailbox_reject_code 550 + +

    +The Postfix SMTP server reply code when a recipient address matches +$virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list +of lookup tables that does not match the recipient address. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM verp_delimiter_filter -=+ + +

    +The characters Postfix accepts as VERP delimiter characters on the +Postfix sendmail(1) command line and in SMTP commands. +

    + +

    +This feature is available in Postfix 1.1 and later. +

    + +%PARAM virtual_gid_maps + +

    +Lookup tables with the per-recipient group ID for virtual(8) mailbox +delivery. +

    + +

    This parameter is specific to the virtual(8) delivery agent. +It does not apply when mail is delivered with a different mail +delivery program.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    +In a lookup table, specify a left-hand side of "@domain.tld" to +match any user in the specified domain that does not have a specific +"user@domain.tld" entry. +

    + +

    +When a recipient address has an optional address extension +(user+foo@domain.tld), the virtual(8) delivery agent looks up +the full address first, and when the lookup fails, it looks up the +unextended address (user@domain.tld). +

    + +

    +Note 1: for security reasons, the virtual(8) delivery agent disallows +regular expression substitution of $1 etc. in regular expression +lookup tables, because that would open a security hole. +

    + +

    +Note 2: for security reasons, the virtual(8) delivery agent will +silently ignore requests to use the proxymap(8) server. Instead +it will open the table directly. Before Postfix version 2.2, the +virtual(8) delivery agent will terminate with a fatal error. +

    + +%PARAM virtual_mailbox_base + +

    +A prefix that the virtual(8) delivery agent prepends to all pathname +results from $virtual_mailbox_maps table lookups. This is a safety +measure to ensure that an out of control map doesn't litter the +file system with mailboxes. While virtual_mailbox_base could be +set to "/", this setting isn't recommended. +

    + +

    This parameter is specific to the virtual(8) delivery agent. +It does not apply when mail is delivered with a different mail +delivery program.

    + +

    +Example: +

    + +
    +virtual_mailbox_base = /var/mail
    +
    + +%PARAM virtual_mailbox_domains $virtual_mailbox_maps + +

    Postfix is the final destination for the specified list of domains; +mail is delivered via the $virtual_transport mail delivery transport. +By default this is the Postfix virtual(8) delivery agent. The SMTP +server validates recipient addresses with $virtual_mailbox_maps +and rejects mail for non-existent recipients. See also the virtual +mailbox domain class in the ADDRESS_CLASS_README file.

    + +

    This parameter expects the same syntax as the mydestination +configuration parameter.

    + +

    +This feature is available in Postfix 2.0 and later. The default +value is backwards compatible with Postfix version 1.1. +

    + +%PARAM virtual_mailbox_limit 51200000 + +

    +The maximal size in bytes of an individual virtual(8) mailbox or +maildir file, or zero (no limit).

    + +

    This parameter is specific to the virtual(8) delivery agent. +It does not apply when mail is delivered with a different mail +delivery program.

    + +%PARAM virtual_mailbox_lock see "postconf -d" output + +

    +How to lock a UNIX-style virtual(8) mailbox before attempting +delivery. For a list of available file locking methods, use the +"postconf -l" command. +

    + +

    This parameter is specific to the virtual(8) delivery agent. +It does not apply when mail is delivered with a different mail +delivery program.

    + +

    +This setting is ignored with maildir style delivery, because +such deliveries are safe without application-level locks. +

    + +

    +Note 1: the dotlock method requires that the recipient UID +or GID has write access to the parent directory of the recipient's +mailbox file. +

    + +

    +Note 2: the default setting of this parameter is system dependent. +

    + +%PARAM virtual_mailbox_maps + +

    +Optional lookup tables with all valid addresses in the domains that +match $virtual_mailbox_domains. +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    +In a lookup table, specify a left-hand side of "@domain.tld" to +match any user in the specified domain that does not have a specific +"user@domain.tld" entry. +

    + +

    +With the default "virtual_mailbox_domains = $virtual_mailbox_maps", +lookup tables also need entries with a left-hand side of "domain.tld" +to satisfy virtual_mailbox_domain lookups (the right-hand side is +required but will not be used). +

    + +

    The remainder of this text is specific to the virtual(8) delivery +agent. It does not apply when mail is delivered with a different +mail delivery program.

    + +

    +The virtual(8) delivery agent uses this table to look up the +per-recipient mailbox or maildir pathname. If the lookup result +ends in a slash ("/"), maildir-style delivery is carried out, +otherwise the path is assumed to specify a UNIX-style mailbox file. +Note that $virtual_mailbox_base is unconditionally prepended to +this path. +

    + +

    +When a recipient address has an optional address extension +(user+foo@domain.tld), the virtual(8) delivery agent looks up +the full address first, and when the lookup fails, it looks up the +unextended address (user@domain.tld). +

    + +

    +Note 1: for security reasons, the virtual(8) delivery agent disallows +regular expression substitution of $1 etc. in regular expression +lookup tables, because that would open a security hole. +

    + +

    +Note 2: for security reasons, the virtual(8) delivery agent will +silently ignore requests to use the proxymap(8) server. Instead +it will open the table directly. Before Postfix version 2.2, the +virtual(8) delivery agent will terminate with a fatal error. +

    + +%PARAM virtual_minimum_uid 100 + +

    +The minimum user ID value that the virtual(8) delivery agent accepts +as a result from $virtual_uid_maps table lookup. Returned +values less than this will be rejected, and the message will be +deferred. +

    + +

    This parameter is specific to the virtual(8) delivery agent. +It does not apply when mail is delivered with a different mail +delivery program.

    + +%PARAM virtual_transport virtual + +

    +The default mail delivery transport and next-hop destination for +final delivery to domains listed with $virtual_mailbox_domains. +This information can be overruled with the transport(5) table. +

    + +

    +Specify a string of the form transport:nexthop, where transport +is the name of a mail delivery transport defined in master.cf. +The :nexthop destination is optional; its syntax is documented +in the manual page of the corresponding delivery agent. +

    + +

    +This feature is available in Postfix 2.0 and later. +

    + +%PARAM virtual_uid_maps + +

    +Lookup tables with the per-recipient user ID that the virtual(8) +delivery agent uses while writing to the recipient's mailbox. +

    + +

    This parameter is specific to the virtual(8) delivery agent. +It does not apply when mail is delivered with a different mail +delivery program.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    +In a lookup table, specify a left-hand side of "@domain.tld" +to match any user in the specified domain that does not have a +specific "user@domain.tld" entry. +

    + +

    +When a recipient address has an optional address extension +(user+foo@domain.tld), the virtual(8) delivery agent looks up +the full address first, and when the lookup fails, it looks up the +unextended address (user@domain.tld). +

    + +

    +Note 1: for security reasons, the virtual(8) delivery agent disallows +regular expression substitution of $1 etc. in regular expression +lookup tables, because that would open a security hole. +

    + +

    +Note 2: for security reasons, the virtual(8) delivery agent will +silently ignore requests to use the proxymap(8) server. Instead +it will open the table directly. Before Postfix version 2.2, the +virtual(8) delivery agent will terminate with a fatal error. +

    + +%PARAM config_directory see "postconf -d" output + +

    The default location of the Postfix main.cf and master.cf +configuration files. This can be overruled via the following +mechanisms:

    + +
      + +
    • The MAIL_CONFIG environment variable (daemon processes +and commands).

      + +
    • The "-c" command-line option (commands only).

      + +
    + +

    With Postfix commands that run with set-gid privileges, a +config_directory override either requires root privileges, or it +requires that the directory is listed with the alternate_config_directories +parameter in the default main.cf file.

    + +%PARAM virtual_maps + +

    Optional lookup tables with a) names of domains for which all +addresses are aliased to addresses in other local or remote domains, +and b) addresses that are aliased to addresses in other local or +remote domains. Available before Postfix version 2.0. With Postfix +version 2.0 and later, this is replaced by separate controls: virtual_alias_domains +and virtual_alias_maps.

    + +%PARAM smtp_discard_ehlo_keywords + +

    A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the Postfix SMTP client will ignore in the EHLO +response from a remote SMTP server.

    + +

    This feature is available in Postfix 2.2 and later.

    + +

    Notes:

    + +
      + +
    • Specify the silent-discard pseudo keyword to prevent +this action from being logged.

      + +
    • Use the smtp_discard_ehlo_keyword_address_maps feature to +discard EHLO keywords selectively.

      + +
    + +%PARAM smtpd_discard_ehlo_keywords + +

    A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the Postfix SMTP server will not send in the EHLO +response +to a remote SMTP client.

    + +

    This feature is available in Postfix 2.2 and later.

    + +

    Notes:

    + +
      + +
    • Specify the silent-discard pseudo keyword to prevent +this action from being logged.

      + +
    • Use the smtpd_discard_ehlo_keyword_address_maps feature +to discard EHLO keywords selectively.

      + +
    + +%PARAM smtp_discard_ehlo_keyword_address_maps + +

    Lookup tables, indexed by the remote SMTP server address, with +case insensitive lists of EHLO keywords (pipelining, starttls, auth, +etc.) that the Postfix SMTP client will ignore in the EHLO response from a +remote SMTP server. See smtp_discard_ehlo_keywords for details. The +table is not indexed by hostname for consistency with +smtpd_discard_ehlo_keyword_address_maps.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_discard_ehlo_keyword_address_maps + +

    Lookup tables, indexed by the remote SMTP client address, with +case insensitive lists of EHLO keywords (pipelining, starttls, auth, +etc.) that the Postfix SMTP server will not send in the EHLO response +to a +remote SMTP client. See smtpd_discard_ehlo_keywords for details. +The tables are not searched by hostname for robustness reasons.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM connection_cache_service_name scache + +

    The name of the scache(8) connection cache service. This service +maintains a limited pool of cached sessions.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM connection_cache_ttl_limit 2s + +

    The maximal time-to-live value that the scache(8) connection +cache server +allows. Requests that specify a larger TTL will be stored with the +maximum allowed TTL. The purpose of this additional control is to +protect the infrastructure against careless people. The cache TTL +is already bounded by $max_idle.

    + +%PARAM connection_cache_status_update_time 600s + +

    How frequently the scache(8) server logs usage statistics with +connection cache hit and miss rates for logical destinations and for +physical endpoints.

    + +%PARAM remote_header_rewrite_domain + +

    Don't rewrite message headers from remote clients at all when +this parameter is empty; otherwise, rewrite message headers and +append the specified domain name to incomplete addresses. The +local_header_rewrite_clients parameter controls what clients Postfix +considers local.

    + +

    Examples:

    + +

    The safe setting: append "domain.invalid" to incomplete header +addresses from remote SMTP clients, so that those addresses cannot +be confused with local addresses.

    + +
    +
     
    +remote_header_rewrite_domain = domain.invalid
    +
    +
    + +

    The default, purist, setting: don't rewrite headers from remote +clients at all.

    + +
    +
    +remote_header_rewrite_domain =
    +
    +
    + +%PARAM local_header_rewrite_clients permit_inet_interfaces + +

    Rewrite message header addresses in mail from these clients and +update incomplete addresses with the domain name in $myorigin or +$mydomain; either don't rewrite message headers from other clients +at all, or rewrite message headers and update incomplete addresses +with the domain specified in the remote_header_rewrite_domain +parameter.

    + +

    See the append_at_myorigin and append_dot_mydomain parameters +for details of how domain names are appended to incomplete addresses. +

    + +

    Specify a list of zero or more of the following:

    + +
    + +
    permit_inet_interfaces
    + +
    Append the domain name in $myorigin or $mydomain when the +client IP address matches $inet_interfaces. This is enabled by +default.
    + +
    permit_mynetworks
    + +
    Append the domain name in $myorigin or $mydomain when the +client IP address matches any network or network address listed in +$mynetworks. This setting will not prevent remote mail header +address rewriting when mail from a remote client is forwarded by +a neighboring system.
    + +
    permit_sasl_authenticated
    + +
    Append the domain name in $myorigin or $mydomain when the +client is successfully authenticated via the RFC 4954 (AUTH) +protocol.
    + +
    permit_tls_clientcerts
    + +
    Append the domain name in $myorigin or $mydomain when the +remote SMTP client TLS certificate fingerprint or public key fingerprint +(Postfix 2.9 and later) is listed in $relay_clientcerts. +The fingerprint digest algorithm is configurable via the +smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to +Postfix version 2.5).
    + +
    The default algorithm is sha256 with Postfix ≥ 3.6 +and the compatibility_level set to 3.6 or higher. With Postfix +≤ 3.5, the default algorithm is md5. The best-practice +algorithm is now sha256. Recent advances in hash function +cryptanalysis have led to md5 and sha1 being deprecated in favor of +sha256. However, as long as there are no known "second pre-image" +attacks against the older algorithms, their use in this context, though +not recommended, is still likely safe.
    + +
    permit_tls_all_clientcerts
    + +
    Append the domain name in $myorigin or $mydomain when the +remote SMTP client TLS certificate is successfully verified, regardless of +whether it is listed on the server, and regardless of the certifying +authority.
    + +
    check_address_map type:table
    + +
    type:table
    + +
    Append the domain name in $myorigin or $mydomain when the +client IP address matches the specified lookup table. +The lookup result is ignored, and no subnet lookup is done. This +is suitable for, e.g., pop-before-smtp lookup tables.
    + +
    + +

    Examples:

    + +

    The Postfix < 2.2 backwards compatible setting: always rewrite +message headers, and always append my own domain to incomplete +header addresses.

    + +
    +
     
    +local_header_rewrite_clients = static:all
    +
    +
    + +

    The purist (and default) setting: rewrite headers only in mail +from Postfix sendmail and in SMTP mail from this machine.

    + +
    +
    +local_header_rewrite_clients = permit_inet_interfaces
    +
    +
    + +

    The intermediate setting: rewrite header addresses and append +$myorigin or $mydomain information only with mail from Postfix +sendmail, from local clients, or from authorized SMTP clients.

    + +

    Note: this setting will not prevent remote mail header address +rewriting when mail from a remote client is forwarded by a neighboring +system.

    + +
    +
    +local_header_rewrite_clients = permit_mynetworks, 
    +    permit_sasl_authenticated permit_tls_clientcerts
    +    check_address_map hash:/etc/postfix/pop-before-smtp 
    +
    +
    + +%PARAM smtpd_tls_cert_file + +

    File with the Postfix SMTP server RSA certificate in PEM format. +This file may also contain the Postfix SMTP server private RSA key. +With Postfix ≥ 3.4 the preferred way to configure server keys and +certificates is via the "smtpd_tls_chain_files" parameter.

    + +

    Public Internet MX hosts without certificates signed by a "reputable" +CA must generate, and be prepared to present to most clients, a +self-signed or private-CA signed certificate. The client will not be +able to authenticate the server, but unless it is running Postfix 2.3 or +similar software, it will still insist on a server certificate.

    + +

    For servers that are not public Internet MX hosts, Postfix +supports configurations with no certificates. This entails the use of +just the anonymous TLS ciphers, which are not supported by typical SMTP +clients. Since some clients may not fall back to plain text after a TLS +handshake failure, a certificate-less Postfix SMTP server will be unable +to receive email from some TLS-enabled clients. To avoid accidental +configurations with no certificates, Postfix enables certificate-less +operation only when the administrator explicitly sets +"smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server +configurations will not accidentally enable TLS without certificates.

    + +

    Note that server certificates are not optional in TLS 1.3. To run +without certificates you'd have to disable the TLS 1.3 protocol by +including '!TLSv1.3' in "smtpd_tls_protocols" and perhaps also +"smtpd_tls_mandatory_protocols". It is simpler instead to just +configure a certificate chain. Certificate-less operation is not +recommended.

    + +

    Both RSA and DSA certificates are supported. When both types +are present, the cipher used determines which certificate will be +presented to the client. For Netscape and OpenSSL clients without +special cipher choices the RSA certificate is preferred.

    + +

    To enable a remote SMTP client to verify the Postfix SMTP server +certificate, the issuing CA certificates must be made available to the +client. You should include the required certificates in the server +certificate file, the server certificate first, then the issuing +CA(s) (bottom-up order).

    + +

    Example: the certificate for "server.example.com" was issued by +"intermediate CA" which itself has a certificate of "root CA". +Create the server.pem file with "cat server_cert.pem intermediate_CA.pem +root_CA.pem > server.pem".

    + +

    If you also want to verify client certificates issued by these +CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which +case it is not necessary to have them in the smtpd_tls_cert_file, +smtpd_tls_dcert_file (obsolete) or smtpd_tls_eccert_file.

    + +

    A certificate supplied here must be usable as an SSL server certificate +and hence pass the "openssl verify -purpose sslserver ..." test.

    + +

    Example:

    + +
    +smtpd_tls_cert_file = /etc/postfix/server.pem
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_key_file $smtpd_tls_cert_file + +

    File with the Postfix SMTP server RSA private key in PEM format. +This file may be combined with the Postfix SMTP server RSA certificate +file specified with $smtpd_tls_cert_file. With Postfix ≥ 3.4 the +preferred way to configure server keys and certificates is via the +"smtpd_tls_chain_files" parameter.

    + +

    The private key must be accessible without a pass-phrase, i.e. it +must not be encrypted. File permissions should grant read-only +access to the system superuser account ("root"), and no access +to anyone else.

    + +%PARAM smtpd_tls_dcert_file + +

    File with the Postfix SMTP server DSA certificate in PEM format. +This file may also contain the Postfix SMTP server private DSA key. +The DSA algorithm is obsolete and should not be used.

    + +

    See the discussion under smtpd_tls_cert_file for more details. +

    + +

    Example:

    + +
    +smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_dkey_file $smtpd_tls_dcert_file + +

    File with the Postfix SMTP server DSA private key in PEM format. +This file may be combined with the Postfix SMTP server DSA certificate +file specified with $smtpd_tls_dcert_file. The DSA algorithm is obsolete +and should not be used.

    + +

    The private key must be accessible without a pass-phrase, i.e. it +must not be encrypted. File permissions should grant read-only +access to the system superuser account ("root"), and no access +to anyone else.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_CAfile + +

    A file containing (PEM format) CA certificates of root CAs trusted +to sign either remote SMTP client certificates or intermediate CA +certificates. These are loaded into memory before the smtpd(8) server +enters the chroot jail. If the number of trusted roots is large, consider +using smtpd_tls_CApath instead, but note that the latter directory must +be present in the chroot jail if the smtpd(8) server is chrooted. This +file may also be used to augment the server certificate trust chain, +but it is best to include all the required certificates directly in the +server certificate file.

    + +

    Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY +the system-supplied default Certification Authority certificates. +

    + +

    Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.

    + +

    By default (see smtpd_tls_ask_ccert), client certificates are not +requested, and smtpd_tls_CAfile should remain empty. If you do make use +of client certificates, the distinguished names (DNs) of the Certification +Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client +in the client certificate request message. MUAs with multiple client +certificates may use the list of preferred Certification Authorities +to select the correct client certificate. You may want to put your +"preferred" CA or CAs in this file, and install other trusted CAs in +$smtpd_tls_CApath.

    + +

    Example:

    + +
    +smtpd_tls_CAfile = /etc/postfix/CAcert.pem
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_CApath + +

    A directory containing (PEM format) CA certificates of root CAs +trusted to sign either remote SMTP client certificates or intermediate CA +certificates. Do not forget to create the necessary "hash" links with, +for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use +smtpd_tls_CApath in chroot mode, this directory (or a copy) must be +inside the chroot jail.

    + +

    Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to +use ONLY the system-supplied default Certification Authority certificates. +

    + +

    Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.

    + +

    By default (see smtpd_tls_ask_ccert), client certificates are +not requested, and smtpd_tls_CApath should remain empty. In contrast +to smtpd_tls_CAfile, DNs of Certification Authorities installed +in $smtpd_tls_CApath are not included in the client certificate +request message. MUAs with multiple client certificates may use the +list of preferred Certification Authorities to select the correct +client certificate. You may want to put your "preferred" CA or +CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in +$smtpd_tls_CApath.

    + +

    Example:

    + +
    +smtpd_tls_CApath = /etc/postfix/certs
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_loglevel 0 + +

    Enable additional Postfix SMTP server logging of TLS activity. +Each logging level also includes the information that is logged at +a lower logging level.

    + +
    + +
    0 Disable logging of TLS activity.
    + +
    1 Log only a summary message on TLS handshake completion +— no logging of client certificate trust-chain verification errors +if client certificate verification is not required. With Postfix 2.8 and +earlier, log the summary message, peer certificate summary information +and unconditionally log trust-chain verification errors.
    + +
    2 Also log levels during TLS negotiation.
    + +
    3 Also log hexadecimal and ASCII dump of TLS negotiation +process.
    + +
    4 Also log hexadecimal and ASCII dump of complete +transmission after STARTTLS.
    + +
    + +

    Do not use "smtpd_tls_loglevel = 2" or higher except in case +of problems. Use of loglevel 4 is strongly discouraged.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_received_header no + +

    Request that the Postfix SMTP server produces Received: message +headers that include information about the protocol and cipher used, +as well as the remote SMTP client CommonName and client certificate issuer +CommonName. This is disabled by default, as the information may +be modified in transit through other mail servers. Only information +that was recorded by the final destination can be trusted.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_use_tls no + +

    Opportunistic TLS: announce STARTTLS support to remote SMTP clients, +but do not require that clients use TLS encryption.

    + +

    Note: when invoked via "sendmail -bs", Postfix will never offer +STARTTLS due to insufficient privileges to access the server private +key. This is intended behavior.

    + +

    This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtpd_tls_security_level instead.

    + +%PARAM smtpd_enforce_tls no + +

    Mandatory TLS: announce STARTTLS support to remote SMTP clients, +and require that clients use TLS encryption. According to RFC 2487 +this MUST NOT be applied in case of a publicly-referenced SMTP +server. This option is therefore off by default.

    + +

    Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

    + +

    Note 2: when invoked via "sendmail -bs", Postfix will never offer +STARTTLS due to insufficient privileges to access the server private +key. This is intended behavior.

    + +

    This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtpd_tls_security_level instead.

    + +%PARAM smtpd_tls_wrappermode no + +

    Run the Postfix SMTP server in TLS "wrapper" mode, +instead of using the STARTTLS command.

    + +

    If you want to support this service, enable a special port in +master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP +server's command line. Port 465 (submissions/smtps) is reserved for +this purpose.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_ask_ccert no + +

    Ask a remote SMTP client for a client certificate. This +information is needed for certificate based mail relaying with, +for example, the permit_tls_clientcerts feature.

    + +

    Some clients such as Netscape will either complain if no +certificate is available (for the list of CAs in $smtpd_tls_CAfile) +or will offer multiple client certificates to choose from. This +may be annoying, so this option is "off" by default.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_req_ccert no + +

    With mandatory TLS encryption, require a trusted remote SMTP client +certificate in order to allow TLS connections to proceed. This +option implies "smtpd_tls_ask_ccert = yes".

    + +

    When TLS encryption is optional, this setting is ignored with +a warning written to the mail log.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_ccert_verifydepth 9 + +

    The verification depth for remote SMTP client certificates. A +depth of 1 is sufficient if the issuing CA is listed in a local CA +file.

    + +

    The default verification depth is 9 (the OpenSSL default) for +compatibility with earlier Postfix behavior. Prior to Postfix 2.5, +the default value was 5, but the limit was not actually enforced. If +you have set this to a lower non-default value, certificates with longer +trust chains may now fail to verify. Certificate chains with 1 or 2 +CAs are common, deeper chains are more rare and any number between 5 +and 9 should suffice in practice. You can choose a lower number if, +for example, you trust certificates directly signed by an issuing CA +but not any CAs it delegates to.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_auth_only no + +

    When TLS encryption is optional in the Postfix SMTP server, do +not announce or accept SASL authentication over unencrypted +connections.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_session_cache_database + +

    Name of the file containing the optional Postfix SMTP server +TLS session cache. Specify a database type that supports enumeration, +such as btree or sdbm; there is no need to support +concurrent access. The file is created if it does not exist. The smtpd(8) +daemon does not use this parameter directly, rather the cache is +implemented indirectly in the tlsmgr(8) daemon. This means that +per-smtpd-instance master.cf overrides of this parameter are not +effective. Note that each of the cache databases supported by tlsmgr(8) +daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database +(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be +stored separately. It is not at this time possible to store multiple +caches in a single database.

    + +

    Note: dbm databases are not suitable. TLS +session objects are too large.

    + +

    As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged.

    + + +

    As of Postfix 2.11 the preferred mechanism for session resumption +is RFC 5077 TLS session tickets, which don't require server-side +storage. Consequently, for Postfix ≥ 2.11 this parameter should +generally be left empty. TLS session tickets require an OpenSSL +library (at least version 0.9.8h) that provides full support for +this TLS extension. See also smtpd_tls_session_cache_timeout.

    + +

    Example:

    + +
    +smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_session_cache_timeout 3600s + +

    The expiration time of Postfix SMTP server TLS session cache +information. A cache cleanup is performed periodically +every $smtpd_tls_session_cache_timeout seconds. As with +$smtpd_tls_session_cache_database, this parameter is implemented in the +tlsmgr(8) daemon and therefore per-smtpd-instance master.cf overrides +are not possible.

    + +

    As of Postfix 2.11 this setting cannot exceed 100 days. If set +≤ 0, session caching is disabled, not just via the database, but +also via RFC 5077 TLS session tickets, which don't require server-side +storage. If set to a positive value less than 2 minutes, the minimum +value of 2 minutes is used instead. TLS session tickets require +an OpenSSL library (at least version 0.9.8h) that provides full +support for this TLS extension.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.2 and later, and updated +for TLS session ticket support in Postfix 2.11.

    + +%PARAM relay_clientcerts + +

    List of tables with remote SMTP client-certificate fingerprints or +public key fingerprints (Postfix 2.9 and later) for which the Postfix +SMTP server will allow access with the permit_tls_clientcerts +feature. The fingerprint digest algorithm is configurable via the +smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to +Postfix version 2.5).

    + +

    The default algorithm is sha256 with Postfix ≥ 3.6 +and the compatibility_level set to 3.6 or higher. With Postfix +≤ 3.5, the default algorithm is md5. The best-practice +algorithm is now sha256. Recent advances in hash function +cryptanalysis have led to md5 and sha1 being deprecated in favor of +sha256. However, as long as there are no known "second pre-image" +attacks against the older algorithms, their use in this context, though +not recommended, is still likely safe.

    + +

    Postfix lookup tables are in the form of (key, value) pairs. +Since we only need the key, the value can be chosen freely, e.g. +the name of the user or host: +D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

    + +

    Example:

    + +
    +relay_clientcerts = hash:/etc/postfix/relay_clientcerts
    +
    + +

    For more fine-grained control, use check_ccert_access to select +an appropriate access(5) policy for each client. +See RESTRICTION_CLASS_README.

    + +

    This feature is available with Postfix version 2.2.

    + +%PARAM smtpd_tls_cipherlist + +

    Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS +cipher list. It is easy to create interoperability problems by choosing +a non-default cipher list. Do not use a non-default TLS cipherlist for +MX hosts on the public Internet. Clients that begin the TLS handshake, +but are unable to agree on a common cipher, may not be able to send any +email to the SMTP server. Using a restricted cipher list may be more +appropriate for a dedicated MSA or an internal mailhub, where one can +exert some control over the TLS software and settings of the connecting +clients.

    + +

    Note: do not use "" quotes around the parameter value.

    + +

    This feature is available with Postfix version 2.2. It is not used with +Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

    + +%PARAM smtpd_tls_dh1024_param_file + +

    File with DH parameters that the Postfix SMTP server should +use with non-export EDH ciphers.

    + +

    With Postfix ≥ 3.7, built with OpenSSL version is 3.0.0 or later, if the +parameter value is either empty or "auto", then the DH parameter +selection is delegated to the OpenSSL library, which selects appropriate +parameters based on the TLS handshake. This choice is likely to be the most +interoperable with SMTP clients using various TLS libraries, and custom local +parameters are no longer recommended when using Postfix ≥ 3.7 built against +OpenSSL 3.0.0.

    + +

    The best-practice choice of parameters uses a 2048-bit prime. This is fine, +despite the historical "1024" in the parameter name. Do not be tempted to use +much larger values, performance degrades quickly, and you may also cease to +interoperate with some mainstream SMTP clients. As of Postfix 3.1, the +compiled-in default prime is 2048-bits, and it is not strictly necessary, +though perhaps somewhat beneficial to generate custom DH parameters.

    + +

    Instead of using the exact same parameter sets as distributed +with other TLS packages, it is more secure to generate your own +set of parameters with something like the following commands:

    + +
    +
    +openssl dhparam -out /etc/postfix/dh2048.pem 2048
    +openssl dhparam -out /etc/postfix/dh1024.pem 1024
    +# As of Postfix 3.6, export-grade 512-bit DH parameters are no longer
    +# supported or needed.
    +openssl dhparam -out /etc/postfix/dh512.pem 512
    +
    +
    + +

    It is safe to share the same DH parameters between multiple +Postfix instances. If you prefer, you can generate separate +parameters for each instance.

    + +

    If you want to take maximal advantage of ciphers that offer forward secrecy see +the Getting +started section of FORWARD_SECRECY_README. The +full document conveniently presents all information about Postfix +"perfect" forward secrecy support in one place: what forward secrecy +is, how to tweak settings, and what you can expect to see when +Postfix uses ciphers with forward secrecy.

    + +

    Example:

    + +
    +smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_tls_dh512_param_file + +

    File with DH parameters that the Postfix SMTP server should +use with export-grade EDH ciphers. The default SMTP server cipher +grade is "medium" with Postfix releases after the middle of 2015, +and as a result export-grade cipher suites are by default not used. +

    + +

    With Postfix ≥ 3.6 export-grade Diffie-Hellman key exchange +is no longer supported, and this parameter is silently ignored.

    + +

    See also the discussion under the smtpd_tls_dh1024_param_file +configuration parameter.

    + +

    Example:

    + +
    +smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
    +
    + +

    This feature is available in Postfix 2.2 and later, +but is ignored in Postfix 3.6 and later.

    + +%PARAM smtpd_starttls_timeout see "postconf -d" output + +

    The time limit for Postfix SMTP server write and read operations +during TLS startup and shutdown handshake procedures. The current +default value is stress-dependent. Before Postfix version 2.8, it +was fixed at 300s.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_cert_file + +

    File with the Postfix SMTP client RSA certificate in PEM format. +This file may also contain the Postfix SMTP client private RSA key, and +these may be the same as the Postfix SMTP server RSA certificate and key +file. With Postfix ≥ 3.4 the preferred way to configure client keys +and certificates is via the "smtp_tls_chain_files" parameter.

    + +

    Do not configure client certificates unless you must present +client TLS certificates to one or more servers. Client certificates are +not usually needed, and can cause problems in configurations that work +well without them. The recommended setting is to let the defaults stand:

    + +
    +
    +smtp_tls_cert_file =
    +smtp_tls_key_file =
    +smtp_tls_eccert_file =
    +smtp_tls_eckey_file =
    +# Obsolete DSA parameters
    +smtp_tls_dcert_file =
    +smtp_tls_dkey_file =
    +# Postfix ≥ 3.4 interface
    +smtp_tls_chain_files =
    +
    +
    + +

    The best way to use the default settings is to comment out the above +parameters in main.cf if present.

    + +

    To enable remote SMTP servers to verify the Postfix SMTP client +certificate, the issuing CA certificates must be made available to the +server. You should include the required certificates in the client +certificate file, the client certificate first, then the issuing +CA(s) (bottom-up order).

    + +

    Example: the certificate for "client.example.com" was issued by +"intermediate CA" which itself has a certificate issued by "root CA". +As the "root" super-user create the client.pem file with:

    + +
    +
    +# umask 077
    +# cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem 
    +
    +
    + +

    If you also want to verify remote SMTP server certificates issued by +these CAs, you can add the CA certificates to the smtp_tls_CAfile, in +which case it is not necessary to have them in the smtp_tls_cert_file, +smtp_tls_dcert_file (obsolete) or smtp_tls_eccert_file.

    + +

    A certificate supplied here must be usable as an SSL client certificate +and hence pass the "openssl verify -purpose sslclient ..." test.

    + +

    Example:

    + +
    +smtp_tls_cert_file = /etc/postfix/chain.pem
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_key_file $smtp_tls_cert_file + +

    File with the Postfix SMTP client RSA private key in PEM format. +This file may be combined with the Postfix SMTP client RSA certificate +file specified with $smtp_tls_cert_file. With Postfix ≥ 3.4 the +preferred way to configure client keys and certificates is via the +"smtp_tls_chain_files" parameter.

    + +

    The private key must be accessible without a pass-phrase, i.e. it +must not be encrypted. File permissions should grant read-only +access to the system superuser account ("root"), and no access +to anyone else.

    + +

    Example:

    + +
    +smtp_tls_key_file = $smtp_tls_cert_file
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_CAfile + +

    A file containing CA certificates of root CAs trusted to sign +either remote SMTP server certificates or intermediate CA certificates. +These are loaded into memory before the smtp(8) client enters the +chroot jail. If the number of trusted roots is large, consider using +smtp_tls_CApath instead, but note that the latter directory must be +present in the chroot jail if the smtp(8) client is chrooted. This +file may also be used to augment the client certificate trust chain, +but it is best to include all the required certificates directly in +$smtp_tls_cert_file (or, Postfix ≥ 3.4 $smtp_tls_chain_files).

    + +

    Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use +ONLY the system-supplied default Certification Authority certificates. +

    + +

    Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.

    + +

    Example:

    + +
    +smtp_tls_CAfile = /etc/postfix/CAcert.pem
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_CApath + +

    Directory with PEM format Certification Authority certificates +that the Postfix SMTP client uses to verify a remote SMTP server +certificate. Don't forget to create the necessary "hash" links +with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". +

    + +

    To use this option in chroot mode, this directory (or a copy) +must be inside the chroot jail.

    + +

    Specify "smtp_tls_CApath = /path/to/system_CA_directory" to +use ONLY the system-supplied default Certification Authority certificates. +

    + +

    Specify "tls_append_default_CA = no" to prevent Postfix from +appending the system-supplied default CAs and trusting third-party +certificates.

    + +

    Example:

    + +
    +smtp_tls_CApath = /etc/postfix/certs
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_loglevel 0 + +

    Enable additional Postfix SMTP client logging of TLS activity. +Each logging level also includes the information that is logged at +a lower logging level.

    + +
    + +
    0 Disable logging of TLS activity.
    + +
    1 Log only a summary message on TLS handshake completion +— no logging of remote SMTP server certificate trust-chain +verification errors if server certificate verification is not required. +With Postfix 2.8 and earlier, log the summary message and unconditionally +log trust-chain verification errors.
    + +
    2 Also log levels during TLS negotiation.
    + +
    3 Also log the hexadecimal and ASCII dump of the +TLS negotiation process.
    + +
    4 Also log the hexadecimal and ASCII dump of complete +transmission after STARTTLS.
    + +
    + +

    Do not use "smtp_tls_loglevel = 2" or higher except in case of +problems. Use of loglevel 4 is strongly discouraged.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_session_cache_database + +

    Name of the file containing the optional Postfix SMTP client +TLS session cache. Specify a database type that supports enumeration, +such as btree or sdbm; there is no need to support +concurrent access. The file is created if it does not exist. The smtp(8) +daemon does not use this parameter directly, rather the cache is +implemented indirectly in the tlsmgr(8) daemon. This means that +per-smtp-instance master.cf overrides of this parameter are not effective. +Note that each of the cache databases supported by tlsmgr(8) daemon: +$smtpd_tls_session_cache_database, $smtp_tls_session_cache_database +(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to +be stored separately. It is not at this time possible to store multiple +caches in a single database.

    + +

    Note: dbm databases are not suitable. TLS +session objects are too large.

    + +

    As of version 2.5, Postfix no longer uses root privileges when +opening this file. The file should now be stored under the Postfix-owned +data_directory. As a migration aid, an attempt to open the file +under a non-Postfix directory is redirected to the Postfix-owned +data_directory, and a warning is logged.

    + +

    Example:

    + +
    +smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_session_cache_timeout 3600s + +

    The expiration time of Postfix SMTP client TLS session cache +information. A cache cleanup is performed periodically +every $smtp_tls_session_cache_timeout seconds. As with +$smtp_tls_session_cache_database, this parameter is implemented in the +tlsmgr(8) daemon and therefore per-smtp-instance master.cf overrides +are not possible.

    + +

    As of Postfix 2.11 this setting cannot exceed 100 days. If set +≤ 0, session caching is disabled. If set to a positive value +less than 2 minutes, the minimum value of 2 minutes is used instead.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_use_tls no + +

    Opportunistic mode: use TLS when a remote SMTP server announces +STARTTLS support, otherwise send the mail in the clear. Beware: +some SMTP servers offer STARTTLS even if it is not configured. With +Postfix < 2.3, if the TLS handshake fails, and no other server is +available, delivery is deferred and mail stays in the queue. If this +is a concern for you, use the smtp_tls_per_site feature instead.

    + +

    This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtp_tls_security_level instead.

    + +%PARAM smtp_enforce_tls no + +

    Enforcement mode: require that remote SMTP servers use TLS +encryption, and never send mail in the clear. This also requires +that the remote SMTP server hostname matches the information in +the remote server certificate, and that the remote SMTP server +certificate was issued by a CA that is trusted by the Postfix SMTP +client. If the certificate doesn't verify or the hostname doesn't +match, delivery is deferred and mail stays in the queue.

    + +

    The server hostname is matched against all names provided as +dNSNames in the SubjectAlternativeName. If no dNSNames are specified, +the CommonName is checked. The behavior may be changed with the +smtp_tls_enforce_peername option.

    + +

    This option is useful only if you are definitely sure that you +will only connect to servers that support RFC 2487 _and_ that +provide valid server certificates. Typical use is for clients that +send all their email to a dedicated mailhub.

    + +

    This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtp_tls_security_level instead.

    + +%PARAM smtp_tls_enforce_peername yes + +

    With mandatory TLS encryption, require that the remote SMTP +server hostname matches the information in the remote SMTP server +certificate. As of RFC 2487 the requirements for hostname checking +for MTA clients are not specified.

    + +

    This option can be set to "no" to disable strict peer name +checking. This setting has no effect on sessions that are controlled +via the smtp_tls_per_site table.

    + +

    Disabling the hostname verification can make sense in a closed +environment where special CAs are created. If not used carefully, +this option opens the danger of a "man-in-the-middle" attack (the +CommonName of this attacker will be logged).

    + +

    This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtp_tls_security_level instead.

    + +%PARAM smtp_tls_per_site + +

    Optional lookup tables with the Postfix SMTP client TLS usage +policy by next-hop destination and by remote SMTP server hostname. +When both lookups succeed, the more specific per-site policy (NONE, +MUST, etc.) overrides the less specific one (MAY), and the more secure +per-site policy (MUST, etc.) overrides the less secure one (NONE). +With Postfix 2.3 and later smtp_tls_per_site is strongly discouraged: +use smtp_tls_policy_maps instead.

    + +

    Use of the bare hostname as the per-site table lookup key is +discouraged. Always use the full destination nexthop (enclosed in +[] with a possible ":port" suffix). A recipient domain or MX-enabled +transport next-hop with no port suffix may look like a bare hostname, +but is still a suitable destination.

    + +

    Specify a next-hop destination or server hostname on the left-hand +side; no wildcards are allowed. The next-hop destination is either +the recipient domain, or the destination specified with a transport(5) +table, the relayhost parameter, or the relay_transport parameter. +On the right hand side specify one of the following keywords:

    + +
    + +
    NONE
    Don't use TLS at all. This overrides a less +specific MAY lookup result from the alternate host or next-hop +lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, +and smtp_tls_enforce_peername settings.
    + +
    MAY
    Try to use TLS if the server announces support, +otherwise use an unencrypted connection. This has less precedence +than a more specific result (including NONE) from the alternate +host or next-hop lookup key, and has less precedence than the more +specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername += yes".
    + +
    MUST_NOPEERMATCH
    Require TLS encryption, but do not +require that the remote SMTP server hostname matches the information +in the remote SMTP server certificate, or that the server certificate +was issued by a trusted CA. This overrides a less secure NONE +or a less specific MAY lookup result from the alternate host +or next-hop lookup key, and overrides the global smtp_use_tls, +smtp_enforce_tls and smtp_tls_enforce_peername settings.
    + +
    MUST
    Require TLS encryption, require that the remote +SMTP server hostname matches the information in the remote SMTP +server certificate, and require that the remote SMTP server certificate +was issued by a trusted CA. This overrides a less secure NONE +or MUST_NOPEERMATCH or a less specific MAY lookup +result from the alternate host or next-hop lookup key, and overrides +the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername +settings.
    + +
    + +

    The above keywords correspond to the "none", "may", "encrypt" and +"verify" security levels for the new smtp_tls_security_level parameter +introduced in Postfix 2.3. Starting with Postfix 2.3, and independently +of how the policy is specified, the smtp_tls_mandatory_ciphers and +smtp_tls_mandatory_protocols parameters apply when TLS encryption +is mandatory. Connections for which encryption is optional typically +enable all "export" grade and better ciphers (see smtp_tls_ciphers +and smtp_tls_protocols).

    + +

    As long as no secure DNS lookup mechanism is available, false +hostnames in MX or CNAME responses can change the server hostname +that Postfix uses for TLS policy lookup and server certificate +verification. Even with a perfect match between the server hostname and +the server certificate, there is no guarantee that Postfix is connected +to the right server. See TLS_README (Closing a DNS loophole with obsolete +per-site TLS policies) for a possible work-around.

    + +

    This feature is available in Postfix 2.2 and later. With +Postfix 2.3 and later use smtp_tls_policy_maps instead.

    + +%PARAM smtp_tls_scert_verifydepth 9 + +

    The verification depth for remote SMTP server certificates. A depth +of 1 is sufficient if the issuing CA is listed in a local CA file.

    + +

    The default verification depth is 9 (the OpenSSL default) for +compatibility with earlier Postfix behavior. Prior to Postfix 2.5, +the default value was 5, but the limit was not actually enforced. If +you have set this to a lower non-default value, certificates with longer +trust chains may now fail to verify. Certificate chains with 1 or 2 +CAs are common, deeper chains are more rare and any number between 5 +and 9 should suffice in practice. You can choose a lower number if, +for example, you trust certificates directly signed by an issuing CA +but not any CAs it delegates to.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_note_starttls_offer no + +

    Log the hostname of a remote SMTP server that offers STARTTLS, +when TLS is not already enabled for that server.

    + +

    The logfile record looks like:

    + +
    +postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_cipherlist + +

    Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS +cipher list. As this feature applies to all TLS security levels, it is easy +to create interoperability problems by choosing a non-default cipher +list. Do not use a non-default TLS cipher list on hosts that deliver email +to the public Internet: you will be unable to send email to servers that +only support the ciphers you exclude. Using a restricted cipher list +may be more appropriate for an internal MTA, where one can exert some +control over the TLS software and settings of the peer servers.

    + +

    Note: do not use "" quotes around the parameter value.

    + +

    This feature is available in Postfix version 2.2. It is not used with +Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.

    + +%PARAM smtp_starttls_timeout 300s + +

    Time limit for Postfix SMTP client write and read operations +during TLS startup and shutdown handshake procedures.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file + +

    File with the Postfix SMTP client DSA private key in PEM format. +This file may be combined with the Postfix SMTP client DSA certificate +file specified with $smtp_tls_dcert_file. The DSA algorithm is obsolete +and should not be used.

    + +

    The private key must be accessible without a pass-phrase, i.e. it +must not be encrypted. File permissions should grant read-only +access to the system superuser account ("root"), and no access +to anyone else.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_tls_dcert_file + +

    File with the Postfix SMTP client DSA certificate in PEM format. +This file may also contain the Postfix SMTP client private DSA key. +The DSA algorithm is obsolete and should not be used.

    + +

    See the discussion under smtp_tls_cert_file for more details. +

    + +

    Example:

    + +
    +smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
    +
    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM tls_append_default_CA no + +

    Append the system-supplied default Certification Authority +certificates to the ones specified with *_tls_CApath or *_tls_CAfile. +The default is "no"; this prevents Postfix from trusting third-party +certificates and giving them relay permission with +permit_tls_all_clientcerts.

    + +

    This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, +2.7.2 and later versions. Specify "tls_append_default_CA = yes" for +backwards compatibility, to avoid breaking certificate verification +with sites that don't use permit_tls_all_clientcerts.

    + +%PARAM tls_random_exchange_name see "postconf -d" output + +

    Name of the pseudo random number generator (PRNG) state file +that is maintained by tlsmgr(8). The file is created when it does +not exist, and its length is fixed at 1024 bytes.

    + +

    As of version 2.5, Postfix no longer uses root privileges when +opening this file, and the default file location was changed from +${config_directory}/prng_exch to ${data_directory}/prng_exch. As +a migration aid, an attempt to open the file under a non-Postfix +directory is redirected to the Postfix-owned data_directory, and a +warning is logged.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM tls_random_source see "postconf -d" output + +

    The external entropy source for the in-memory tlsmgr(8) pseudo +random number generator (PRNG) pool. Be sure to specify a non-blocking +source. If this source is not a regular file, the entropy source +type must be prepended: egd:/path/to/egd_socket for a source with +EGD compatible socket interface, or dev:/path/to/device for a +device file.

    + +

    Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom +gives timeout errors.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM tls_random_bytes 32 + +

    The number of bytes that tlsmgr(8) reads from $tls_random_source +when (re)seeding the in-memory pseudo random number generator (PRNG) +pool. The default of 32 bytes (256 bits) is good enough for 128bit +symmetric keys. If using EGD or a device file, a maximum of 255 +bytes is read.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM tls_random_reseed_period 3600s + +

    The maximal time between attempts by tlsmgr(8) to re-seed the +in-memory pseudo random number generator (PRNG) pool from external +sources. The actual time between re-seeding attempts is calculated +using the PRNG, and is between 0 and the time specified.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM tls_random_prng_update_period 3600s + +

    The time between attempts by tlsmgr(8) to save the state of +the pseudo random number generator (PRNG) to the file specified +with $tls_random_exchange_name.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM tls_daemon_random_bytes 32 + +

    The number of pseudo-random bytes that an smtp(8) or smtpd(8) +process requests from the tlsmgr(8) server in order to seed its +internal pseudo random number generator (PRNG). The default of 32 +bytes (equivalent to 256 bits) is sufficient to generate a 128bit +(or 168bit) session key.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_sasl_tls_security_options $smtp_sasl_security_options + +

    The SASL authentication security options that the Postfix SMTP +client uses for TLS encrypted SMTP sessions.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtpd_sasl_tls_security_options $smtpd_sasl_security_options + +

    The SASL authentication security options that the Postfix SMTP +server uses for TLS encrypted SMTP sessions.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM smtp_generic_maps + +

    Optional lookup tables that perform address rewriting in the +Postfix SMTP client, typically to transform a locally valid address into +a globally valid address when sending mail across the Internet. +This is needed when the local machine does not have its own Internet +domain name, but uses something like localdomain.local +instead.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    The table format and lookups are documented in generic(5); +examples are shown in the ADDRESS_REWRITING_README and +STANDARD_CONFIGURATION_README documents.

    + +

    This feature is available in Postfix 2.2 and later.

    + +%PARAM message_reject_characters + +

    The set of characters that Postfix will reject in message +content. The usual C-like escape sequences are recognized: \a +\b \f \n \r \t \v \ddd (up to three octal digits) and +\\.

    + +

    Note 1: this feature does not recognize text that requires MIME +decoding. It inspects raw message content, just like header_checks +and body_checks.

    + +

    Note 2: this feature is disabled with "receive_override_options += no_header_body_checks".

    + +

    Example:

    + +
    +message_reject_characters = \0
    +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM message_strip_characters + +

    The set of characters that Postfix will remove from message +content. The usual C-like escape sequences are recognized: \a +\b \f \n \r \t \v \ddd (up to three octal digits) and +\\.

    + +

    Note 1: this feature does not recognize text that requires MIME +decoding. It inspects raw message content, just like header_checks +and body_checks.

    + +

    Note 2: this feature is disabled with "receive_override_options += no_header_body_checks".

    + +

    Example:

    + +
    +message_strip_characters = \0
    +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM frozen_delivered_to yes + +

    Update the local(8) delivery agent's idea of the Delivered-To: +address (see prepend_delivered_header) only once, at the start of +a delivery attempt; do not update the Delivered-To: address while +expanding aliases or .forward files.

    + +

    This feature is available in Postfix 2.3 and later. With older +Postfix releases, the behavior is as if this parameter is set to +"no". The old setting can be expensive with deeply nested aliases +or .forward files. When an alias or .forward file changes the +Delivered-To: address, it ties up one queue file and one cleanup +process instance while mail is being forwarded.

    + +%PARAM smtpd_peername_lookup yes + +

    Attempt to look up the remote SMTP client hostname, and verify that +the name matches the client IP address. A client name is set to +"unknown" when it cannot be looked up or verified, or when name +lookup is disabled. Turning off name lookup reduces delays due to +DNS lookup and increases the maximal inbound delivery rate.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM delay_logging_resolution_limit 2 + +

    The maximal number of digits after the decimal point when logging +sub-second delay values. Specify a number in the range 0..6.

    + +

    Large delay values are rounded off to an integral number of seconds; +delay values below the delay_logging_resolution_limit are logged +as "0", and delay values under 100s are logged with at most two-digit +precision.

    + +

    The format of the "delays=a/b/c/d" logging is as follows:

    + +
      + +
    • a = time from message arrival to last active queue entry + +
    • b = time from last active queue entry to connection setup + +
    • c = time in connection setup, including DNS, EHLO and STARTTLS + +
    • d = time in message transmission + +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM bounce_template_file + +

    Pathname of a configuration file with bounce message templates. +These override the built-in templates of delivery status notification +(DSN) messages for undeliverable mail, delayed mail, successful +delivery, or delivery verification. The bounce(5) manual page +describes how to edit and test template files.

    + +

    Template message body text may contain $name references to +Postfix configuration parameters. The result of $name expansion can +be previewed with "postconf -b file_name" before the file +is placed into the Postfix configuration directory.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM sender_dependent_relayhost_maps + +

    A sender-dependent override for the global relayhost parameter +setting. The tables are searched by the envelope sender address and +@domain. A lookup result of DUNNO terminates the search without +overriding the global relayhost parameter setting (Postfix 2.6 and +later). This information is overruled with relay_transport, +sender_dependent_default_transport_maps, default_transport and with +the transport(5) table.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    For safety reasons, this feature does not allow $number +substitutions in regular expression maps.

    + +

    +This feature is available in Postfix 2.3 and later. +

    + +%PARAM empty_address_relayhost_maps_lookup_key <> + +

    The sender_dependent_relayhost_maps search string that will be +used instead of the null sender address.

    + +

    This feature is available in Postfix 2.5 and later. With +earlier versions, sender_dependent_relayhost_maps lookups were +skipped for the null sender address.

    + +%PARAM address_verify_sender_dependent_relayhost_maps $sender_dependent_relayhost_maps + +

    +Overrides the sender_dependent_relayhost_maps parameter setting for address +verification probes. +

    + +

    +This feature is available in Postfix 2.3 and later. +

    + +%PARAM smtp_sender_dependent_authentication no + +

    +Enable sender-dependent authentication in the Postfix SMTP client; this is +available only with SASL authentication, and disables SMTP connection +caching to ensure that mail from different senders will use the +appropriate credentials.

    + +

    +This feature is available in Postfix 2.3 and later. +

    + +%PARAM lmtp_lhlo_name $myhostname + +

    +The hostname to send in the LMTP LHLO command. +

    + +

    +The default value is the machine hostname. Specify a hostname or +[ip.add.re.ss] or [ip:v6:add:re::ss]. +

    + +

    +This information can be specified in the main.cf file for all LMTP +clients, or it can be specified in the master.cf file for a specific +client, for example: +

    + +
    +
    +/etc/postfix/master.cf:
    +    mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com
    +
    +
    + +

    +This feature is available in Postfix 2.3 and later. +

    + +%PARAM lmtp_discard_lhlo_keyword_address_maps + +

    Lookup tables, indexed by the remote LMTP server address, with +case insensitive lists of LHLO keywords (pipelining, starttls, +auth, etc.) that the Postfix LMTP client will ignore in the LHLO +response +from a remote LMTP server. See lmtp_discard_lhlo_keywords for +details. The table is not indexed by hostname for consistency with +smtpd_discard_ehlo_keyword_address_maps.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_discard_lhlo_keywords + +

    A case insensitive list of LHLO keywords (pipelining, starttls, +auth, etc.) that the Postfix LMTP client will ignore in the LHLO +response +from a remote LMTP server.

    + +

    This feature is available in Postfix 2.3 and later.

    + +

    Notes:

    + +
      + +
    • Specify the silent-discard pseudo keyword to prevent +this action from being logged.

      + +
    • Use the lmtp_discard_lhlo_keyword_address_maps feature to +discard LHLO keywords selectively.

      + +
    + +%PARAM lmtp_lhlo_timeout 300s + +

    The Postfix LMTP client time limit for sending the LHLO command, +and for receiving the initial remote LMTP server response.

    + +

    Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks). The default time unit is s (seconds).

    + +%PARAM lmtp_sasl_tls_security_options $lmtp_sasl_security_options + +

    The LMTP-specific version of the smtp_sasl_tls_security_options +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_sasl_mechanism_filter + +

    The LMTP-specific version of the smtp_sasl_mechanism_filter +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_bind_address + +

    The LMTP-specific version of the smtp_bind_address configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_bind_address6 + +

    The LMTP-specific version of the smtp_bind_address6 configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_host_lookup dns + +

    The LMTP-specific version of the smtp_host_lookup configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_connection_cache_destinations + +

    The LMTP-specific version of the smtp_connection_cache_destinations +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_per_site + +

    The LMTP-specific version of the smtp_tls_per_site configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_generic_maps + +

    The LMTP-specific version of the smtp_generic_maps configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_pix_workaround_threshold_time 500s + +

    The LMTP-specific version of the smtp_pix_workaround_threshold_time +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_pix_workaround_delay_time 10s + +

    The LMTP-specific version of the smtp_pix_workaround_delay_time +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_connection_reuse_time_limit 300s + +

    The LMTP-specific version of the smtp_connection_reuse_time_limit +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_starttls_timeout 300s + +

    The LMTP-specific version of the smtp_starttls_timeout configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_line_length_limit 990 + +

    The LMTP-specific version of the smtp_line_length_limit +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_mx_address_limit 5 + +

    The LMTP-specific version of the smtp_mx_address_limit configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_mx_session_limit 2 + +

    The LMTP-specific version of the smtp_mx_session_limit configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_scert_verifydepth 9 + +

    The LMTP-specific version of the smtp_tls_scert_verifydepth +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_skip_5xx_greeting yes + +

    The LMTP-specific version of the smtp_skip_5xx_greeting +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_randomize_addresses yes + +

    The LMTP-specific version of the smtp_randomize_addresses +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_quote_rfc821_envelope yes + +

    The LMTP-specific version of the smtp_quote_rfc821_envelope +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_defer_if_no_mx_address_found no + +

    The LMTP-specific version of the smtp_defer_if_no_mx_address_found +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_connection_cache_on_demand yes + +

    The LMTP-specific version of the smtp_connection_cache_on_demand +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_use_tls no + +

    The LMTP-specific version of the smtp_use_tls configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_enforce_tls no + +

    The LMTP-specific version of the smtp_enforce_tls configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_security_level + +

    The LMTP-specific version of the smtp_tls_security_level configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_enforce_peername yes + +

    The LMTP-specific version of the smtp_tls_enforce_peername +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_note_starttls_offer no + +

    The LMTP-specific version of the smtp_tls_note_starttls_offer +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_sender_dependent_authentication no + +

    The LMTP-specific version of the smtp_sender_dependent_authentication +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM connection_cache_protocol_timeout 5s + +

    Time limit for connection cache connect, send or receive +operations. The time limit is enforced in the client.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_sasl_type cyrus + +

    The SASL plug-in type that the Postfix SMTP server should use +for authentication. The available types are listed with the +"postconf -a" command.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_sasl_type cyrus + +

    The SASL plug-in type that the Postfix SMTP client should use +for authentication. The available types are listed with the +"postconf -A" command.

    + +

    This feature is available in Postfix 2.3 and later.

    + + +%PARAM lmtp_sasl_type cyrus + +

    The SASL plug-in type that the Postfix LMTP client should use +for authentication. The available types are listed with the +"postconf -A" command.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_sasl_path smtpd + +

    Implementation-specific information that the Postfix SMTP server +passes through to +the SASL plug-in implementation that is selected with +smtpd_sasl_type. Typically this specifies the name of a +configuration file or rendezvous point.

    + +

    This feature is available in Postfix 2.3 and later. In earlier +releases it was called smtpd_sasl_application_name.

    + +%PARAM smtpd_sasl_service smtp + +

    The service name that is passed to the SASL plug-in that is +selected with smtpd_sasl_type and smtpd_sasl_path. +

    + +

    This feature is available in Postfix 2.11 and later. Prior +versions behave as if "smtp" is specified.

    + +%PARAM smtpd_sasl_response_limit 12288 + +

    The maximum length of a SASL client's response to a server challenge. +When the client's "initial response" is longer than the normal limit for +SMTP commands, the client must omit its initial response, and wait for an +empty server challenge; it can then send what would have been its "initial +response" as a response to the empty server challenge. RFC4954 requires the +server to accept client responses up to at least 12288 octets of +base64-encoded text. The default value is therefore also the minimum value +accepted for this parameter.

    + +

    This feature is available in Postfix 3.4 and later. Prior versions use +"line_length_limit", which may need to be raised to accommodate larger client +responses, as may be needed with GSSAPI authentication of Windows AD users +who are members of many groups.

    + +%PARAM cyrus_sasl_config_path + +

    Search path for Cyrus SASL application configuration files, +currently used only to locate the $smtpd_sasl_path.conf file. +Specify zero or more directories separated by a colon character, +or an empty value to use Cyrus SASL's built-in search path.

    + +

    This feature is available in Postfix 2.5 and later when compiled +with Cyrus SASL 2.1.22 or later.

    + +%PARAM smtp_sasl_path + +

    Implementation-specific information that the Postfix SMTP client +passes through to +the SASL plug-in implementation that is selected with +smtp_sasl_type. Typically this specifies the name of a +configuration file or rendezvous point.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_sasl_path + +

    Implementation-specific information that is passed through to +the SASL plug-in implementation that is selected with +lmtp_sasl_type. Typically this specifies the name of a +configuration file or rendezvous point.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM plaintext_reject_code 450 + +

    +The numerical Postfix SMTP server response code when a request +is rejected by the reject_plaintext_session restriction. +

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM resolve_numeric_domain no + +

    Resolve "user@ipaddress" as "user@[ipaddress]", instead of +rejecting the address as invalid.

    + +

    This feature is available in Postfix 2.3 and later. + +%PARAM mailbox_transport_maps + +

    Optional lookup tables with per-recipient message delivery +transports to use for local(8) mailbox delivery, whether or not the +recipients are found in the UNIX passwd database.

    + +

    The precedence of local(8) delivery features from high to low +is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, +mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, +fallback_transport_maps, fallback_transport and luser_relay.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    For safety reasons, this feature does not allow $number +substitutions in regular expression maps.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM fallback_transport_maps + +

    Optional lookup tables with per-recipient message delivery +transports for recipients that the local(8) delivery agent could +not find in the aliases(5) or UNIX password database.

    + +

    The precedence of local(8) delivery features from high to low +is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, +mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, +fallback_transport_maps, fallback_transport and luser_relay.

    + +

    For safety reasons, this feature does not allow $number +substitutions in regular expression maps.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_cname_overrides_servername version dependent + +

    When the remote SMTP servername is a DNS CNAME, replace the +servername with the result from CNAME expansion for the purpose of +logging, SASL password lookup, TLS +policy decisions, or TLS certificate verification. The value "no" +hardens Postfix smtp_tls_per_site hostname-based policies against +false hostname information in DNS CNAME records, and makes SASL +password file lookups more predictable. This is the default setting +as of Postfix 2.3.

    + +

    When DNS CNAME records are validated with secure DNS lookups +(smtp_dns_support_level = dnssec), they are always allowed to +override the above servername (Postfix 2.11 and later).

    + +

    This feature is available in Postfix 2.2.9 and later.

    + +%PARAM lmtp_cname_overrides_servername yes + +

    The LMTP-specific version of the smtp_cname_overrides_servername +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_sasl_tls_verified_security_options $smtp_sasl_tls_security_options + +

    The SASL authentication security options that the Postfix SMTP +client uses for TLS encrypted SMTP sessions with a verified server +certificate.

    + +

    When mail is sent to the public MX host for the recipient's +domain, server certificates are by default optional, and delivery +proceeds even if certificate verification fails. For delivery via +a submission service that requires SASL authentication, it may be +appropriate to send plaintext passwords only when the connection +to the server is strongly encrypted and the server identity +is verified.

    + +

    The smtp_sasl_tls_verified_security_options parameter makes it +possible to only enable plaintext mechanisms when a secure connection +to the server is available. Submission servers subject to this +policy must either have verifiable certificates or offer suitable +non-plaintext SASL mechanisms.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM lmtp_sasl_tls_verified_security_options $lmtp_sasl_tls_security_options + +

    The LMTP-specific version of the +smtp_sasl_tls_verified_security_options configuration parameter. +See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_connection_cache_time_limit 2s + +

    The LMTP-specific version of the +smtp_connection_cache_time_limit configuration parameter. +See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_delay_open_until_valid_rcpt yes + +

    Postpone the start of an SMTP mail transaction until a valid +RCPT TO command is received. Specify "no" to create a mail transaction +as soon as the Postfix SMTP server receives a valid MAIL FROM +command.

    + +

    With sites that reject lots of mail, the default setting reduces +the use of +disk, CPU and memory resources. The downside is that rejected +recipients are logged with NOQUEUE instead of a mail transaction +ID. This complicates the logfile analysis of multi-recipient mail. +

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_cert_file + +

    The LMTP-specific version of the smtp_tls_cert_file +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_key_file $lmtp_tls_cert_file + +

    The LMTP-specific version of the smtp_tls_key_file +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_dcert_file + +

    The LMTP-specific version of the smtp_tls_dcert_file +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_dkey_file $lmtp_tls_dcert_file + +

    The LMTP-specific version of the smtp_tls_dkey_file +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_CAfile + +

    The LMTP-specific version of the smtp_tls_CAfile +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_CApath + +

    The LMTP-specific version of the smtp_tls_CApath +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_loglevel 0 + +

    The LMTP-specific version of the smtp_tls_loglevel +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_session_cache_database + +

    The LMTP-specific version of the smtp_tls_session_cache_database +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_session_cache_timeout 3600s + +

    The LMTP-specific version of the smtp_tls_session_cache_timeout +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_tls_policy_maps + +

    Optional lookup tables with the Postfix SMTP client TLS security +policy by next-hop destination; when a non-empty value is specified, +this overrides the obsolete smtp_tls_per_site parameter. See +TLS_README for a more detailed discussion of TLS security levels. +

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    The TLS policy table is indexed by the full next-hop destination, +which is either the recipient domain, or the verbatim next-hop +specified in the transport table, $local_transport, $virtual_transport, +$relay_transport or $default_transport. This includes any enclosing +square brackets and any non-default destination server port suffix. The +LMTP socket type prefix (inet: or unix:) is not included in the lookup +key.

    + +

    Only the next-hop domain, or $myhostname with LMTP over UNIX-domain +sockets, is used as the nexthop name for certificate verification. The +port and any enclosing square brackets are used in the table lookup key, +but are not used for server name verification.

    + +

    When the lookup key is a domain name without enclosing square brackets +or any :port suffix (typically the recipient domain), and the full +domain is not found in the table, just as with the transport(5) table, +the parent domain starting with a leading "." is matched recursively. This +allows one to specify a security policy for a recipient domain and all +its sub-domains.

    + +

    The lookup result is a security level, followed by an optional list +of whitespace and/or comma separated name=value attributes that override +related main.cf settings. The TLS security levels in order of increasing +security are:

    + +
    + +
    none
    +
    No TLS. No additional attributes are supported at this level.
    + +
    may
    +
    Opportunistic TLS. Since sending in the clear is acceptable, +demanding stronger than default TLS security merely reduces +interoperability. The optional "ciphers", "exclude", and "protocols" +attributes (available for opportunistic TLS with Postfix ≥ 2.6) +and "connection_reuse" attribute (Postfix ≥ 3.4) override the +"smtp_tls_ciphers", "smtp_tls_exclude_ciphers", "smtp_tls_protocols", +and +"smtp_tls_connection_reuse" configuration parameters. In the policy table, +multiple ciphers, protocols or excluded ciphers must be separated by colons, +as attribute values may not contain whitespace or commas. When opportunistic +TLS handshakes fail, Postfix retries the connection with TLS disabled. +This allows mail delivery to sites with non-interoperable TLS +implementations.
    + +
    encrypt
    +
    Mandatory TLS encryption. At this level +and higher, the optional "protocols" attribute overrides the main.cf +smtp_tls_mandatory_protocols parameter, the optional "ciphers" attribute +overrides the main.cf smtp_tls_mandatory_ciphers parameter, the +optional "exclude" attribute (Postfix ≥ 2.6) overrides the main.cf +smtp_tls_mandatory_exclude_ciphers parameter, and the optional +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the +main.cf smtp_tls_connection_reuse parameter. In the policy table, +multiple ciphers, protocols or excluded ciphers must be separated by colons, +as attribute values may not contain whitespace or commas.
    + +
    dane
    +
    Opportunistic DANE TLS. The TLS policy for the destination is +obtained via TLSA records in DNSSEC. If no TLSA records are found, +the effective security level used is may. If TLSA records are +found, but none are usable, the effective security level is encrypt. When usable +TLSA records are obtained for the remote SMTP server, the +server certificate must match the TLSA records. RFC 7672 (DANE) +TLS authentication and DNSSEC support is available with Postfix +2.11 and later. The optional "connection_reuse" attribute (Postfix +≥ 3.4) overrides the main.cf smtp_tls_connection_reuse parameter. +When the effective security level used is may, the optional "ciphers", +"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the +"smtp_tls_ciphers", "smtp_tls_exclude_ciphers", and "smtp_tls_protocols" +configuration parameters. +When the effective security level used is encrypt, the optional "ciphers", +"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the +"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and +"smtp_tls_mandatory_protocols" configuration parameters. +
    + +
    dane-only
    +
    Mandatory DANE TLS. The TLS policy for the destination is +obtained via TLSA records in DNSSEC. If no TLSA records are found, +or none are usable, no connection is made to the server. When +usable TLSA records are obtained for the remote SMTP server, the +server certificate must match the TLSA records. RFC 7672 (DANE) TLS +authentication and DNSSEC support is available with Postfix 2.11 +and later. The optional "ciphers", "exclude", and "protocols" attributes +(Postfix ≥ 2.6) override the "smtp_tls_mandatory_ciphers", +"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols" +configuration parameters. The optional "connection_reuse" attribute +(Postfix ≥ 3.4) overrides the main.cf smtp_tls_connection_reuse parameter. +
    + +
    fingerprint
    +
    Certificate fingerprint +verification. Available with Postfix 2.5 and later. At this security +level, there are no trusted Certification Authorities. The certificate +trust chain, expiration date, ... are not checked. Instead, +the optional "match" attribute, or else the main.cf +smtp_tls_fingerprint_cert_match parameter, lists the certificate +fingerprints or the public key fingerprint (Postfix 2.9 and later) +of the valid server certificate. The digest +algorithm used to calculate the fingerprint is selected by the +smtp_tls_fingerprint_digest parameter. Multiple fingerprints can +be combined with a "|" delimiter in a single match attribute, or multiple +match attributes can be employed. The ":" character is not used as a +delimiter as it occurs between each pair of fingerprint (hexadecimal) +digits. The optional "ciphers", "exclude", and "protocols" attributes +(Postfix ≥ 2.6) override the "smtp_tls_mandatory_ciphers", +"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols" +configuration parameters. The optional "connection_reuse" attribute +(Postfix ≥ 3.4) overrides the main.cf smtp_tls_connection_reuse +parameter.
    + +
    verify
    +
    Mandatory TLS verification. At this security +level, DNS MX lookups are trusted to be secure enough, and the name +verified in the server certificate is usually obtained indirectly via +unauthenticated DNS MX lookups. The optional "match" attribute overrides +the main.cf smtp_tls_verify_cert_match parameter. In the policy table, +multiple match patterns and strategies must be separated by colons. +In practice explicit control over matching is more common with the +"secure" policy, described below. The optional "ciphers", "exclude", +and "protocols" attributes (Postfix ≥ 2.6) override the +"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and +"smtp_tls_mandatory_protocols" configuration parameters. The optional +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf +smtp_tls_connection_reuse parameter.
    + +
    secure
    +
    Secure-channel TLS. At this security level, DNS +MX lookups, though potentially used to determine the candidate next-hop +gateway IP addresses, are not trusted to be secure enough for TLS +peername verification. Instead, the default name verified in the server +certificate is obtained directly from the next-hop, or is explicitly +specified via the optional "match" attribute which overrides the +main.cf smtp_tls_secure_cert_match parameter. In the policy table, +multiple match patterns and strategies must be separated by colons. +The match attribute is most useful when multiple domains are supported by +a common server: the policy entries for additional domains specify matching +rules for the primary domain certificate. While transport table overrides +that route the secondary domains to the primary nexthop also allow secure +verification, they risk delivery to the wrong destination when domains +change hands or are re-assigned to new gateways. With the "match" +attribute approach, routing is not perturbed, and mail is deferred if +verification of a new MX host fails. The optional "ciphers", "exclude", +and "protocols" attributes (Postfix ≥ 2.6) override the +"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and +"smtp_tls_mandatory_protocols" configuration parameters. The optional +"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf +smtp_tls_connection_reuse parameter.
    + +
    + +

    +Example: +

    + +
    +/etc/postfix/main.cf:
    +    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    +    # Postfix 2.5 and later.
    +    #
    +    # The default digest is sha256 with Postfix ≥ 3.6 and
    +    # compatibility level ≥ 3.
    +    #
    +    smtp_tls_fingerprint_digest = sha256
    +
    + +
    +/etc/postfix/tls_policy:
    +    example.edu                 none
    +    example.mil                 may
    +    example.gov                 encrypt protocols=TLSv1
    +    example.com                 verify ciphers=high
    +    example.net                 secure
    +    .example.net                secure match=.example.net:example.net
    +    [mail.example.org]:587      secure match=nexthop
    +    # Postfix 2.5 and later
    +    [thumb.example.org]          fingerprint
    +        match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
    +        match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
    +
    + +

    Note: The "hostname" strategy if listed in a non-default +setting of smtp_tls_secure_cert_match or in the "match" attribute +in the policy table can render the "secure" level vulnerable to +DNS forgery. Do not use the "hostname" strategy for secure-channel +configurations in environments where DNS security is not assured.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_tls_mandatory_protocols see "postconf -d" output + +

    TLS protocols that the Postfix SMTP client will use with mandatory +TLS encryption. In main.cf the values are separated by whitespace, +commas or colons. In the policy table "protocols" attribute (see +smtp_tls_policy_maps) the only valid separator is colon. An empty value +means allow all protocols.

    + +

    The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

    + +

    As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set a lowest acceptable TLS protocol version +and/or a highest acceptable TLS protocol version. To set the lower +bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

    + +

    Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

    + +

    Hexadecimal example (Postfix ≥ 3.6):

    +
    +
    +# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
    +# in some future version of OpenSSL (presently a warning is logged).
    +smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
    +# Allow only TLS 1.2 and up:
    +smtp_tls_mandatory_protocols = >=0x0303
    +
    +
    + +

    With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2, +!SSLv3". Listing the protocols to include, rather than the protocols to +exclude, is supported, but not recommended. The exclusion syntax more +accurately matches the underlying OpenSSL interface.

    + +

    When using the exclusion syntax, take care to ensure that the range +of protocols supported by the Postfix SMTP client is contiguous. When +a protocol version is enabled, disabling any higher version implicitly +disables all versions above that higher version. Thus, for example:

    + +
    +
    +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
    +
    +
    + +

    also disables any protocol versions higher than TLSv1.1 leaving +only "TLSv1" enabled.

    + +

    Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

    + +

    While the vast majority of SMTP servers with DANE TLSA records now +support at least TLS 1.2, a few still only support TLS 1.0. If you use +"dane" or "dane-only" it is best not to disable TLSv1, except perhaps +via the policy table for destinations which you are sure will support +"TLSv1.2".

    + +

    See the documentation of the smtp_tls_policy_maps parameter and +TLS_README for more information about security levels.

    + +

    Example:

    +
    +# Preferred syntax with Postfix ≥ 3.6:
    +smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
    +# Legacy syntax:
    +smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_tls_verify_cert_match hostname + +

    How the Postfix SMTP client verifies the server certificate +peername for the +"verify" TLS security level. In a "verify" TLS policy table +($smtp_tls_policy_maps) entry the optional "match" attribute +overrides this main.cf setting.

    + +

    This parameter specifies one or more patterns or strategies separated +by commas, whitespace or colons. In the policy table the only valid +separator is the colon character.

    + +

    Patterns specify domain names, or domain name suffixes:

    + +
    + +
    example.com
    Match the example.com domain, +i.e. one of the names in the server certificate must be example.com. +Upper and lower case distinctions are ignored.
    + +
    .example.com
    +
    Match subdomains of the example.com domain, i.e. match +a name in the server certificate that consists of a non-zero number of +labels followed by a .example.com suffix. Case distinctions are +ignored.
    + +
    + +

    Strategies specify a transformation from the next-hop domain +to the expected name in the server certificate:

    + +
    + +
    nexthop
    +
    Match against the next-hop domain, which is either the recipient +domain, or the transport next-hop configured for the domain stripped of +any optional socket type prefix, enclosing square brackets and trailing +port. When MX lookups are not suppressed, this is the original nexthop +domain prior to the MX lookup, not the result of the MX lookup. For +LMTP delivery via UNIX-domain sockets, the verified next-hop name is +$myhostname. This strategy is suitable for use with the "secure" +policy. Case is ignored.
    + +
    dot-nexthop
    +
    As above, but match server certificate names that are subdomains +of the next-hop domain. Case is ignored.
    + +
    hostname
    Match against the hostname of the server, often +obtained via an unauthenticated DNS MX lookup. For LMTP delivery via +UNIX-domain sockets, the verified name is $myhostname. This matches +the verification strategy of the "MUST" keyword in the obsolete +smtp_tls_per_site table, and is suitable for use with the "verify" +security level. When the next-hop name is enclosed in square brackets +to suppress MX lookups, the "hostname" strategy is the same as the +"nexthop" strategy. Case is ignored.
    + +
    + +

    +Sample main.cf setting: +

    + +
    +smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    +
    + +

    +Sample policy table override: +

    + +
    +example.com     verify  match=hostname:nexthop
    +.example.com    verify  match=example.com:.example.com:hostname
    +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_tls_secure_cert_match nexthop, dot-nexthop + +

    How the Postfix SMTP client verifies the server certificate +peername for the "secure" TLS security level. In a "secure" TLS policy table +($smtp_tls_policy_maps) entry the optional "match" attribute +overrides this main.cf setting.

    + +

    This parameter specifies one or more patterns or strategies separated +by commas, whitespace or colons. In the policy table the only valid +separator is the colon character.

    + +

    For a description of the pattern and strategy syntax see the +smtp_tls_verify_cert_match parameter. The "hostname" strategy should +be avoided in this context, as in the absence of a secure global DNS, using +the results of MX lookups in certificate verification is not immune to active +(man-in-the-middle) attacks on DNS.

    + +

    +Sample main.cf setting: +

    + +
    +
    +smtp_tls_secure_cert_match = nexthop
    +
    +
    + +

    +Sample policy table override: +

    + +
    +
    +example.net     secure match=example.com:.example.com
    +.example.net    secure match=example.com:.example.com
    +
    +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_policy_maps + +

    The LMTP-specific version of the smtp_tls_policy_maps +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_mandatory_protocols see postconf -d output + +

    The LMTP-specific version of the smtp_tls_mandatory_protocols +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_verify_cert_match hostname + +

    The LMTP-specific version of the smtp_tls_verify_cert_match +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_secure_cert_match nexthop + +

    The LMTP-specific version of the smtp_tls_secure_cert_match +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_tls_mandatory_protocols see "postconf -d" output + +

    TLS protocols accepted by the Postfix SMTP server with mandatory TLS +encryption. If the list is empty, the server supports all available TLS +protocol versions. A non-empty value is a list of protocol names to +include or exclude, separated by whitespace, commas or colons.

    + +

    The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

    + +

    As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

    + +

    Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

    + +

    Hexadecimal example (Postfix ≥ 3.6):

    +
    +
    +# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
    +# in some future version of OpenSSL (presently a warning is logged).
    +smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
    +# Allow only TLS 1.2 and up:
    +smtpd_tls_mandatory_protocols = >=0x0303
    +
    +
    + +

    With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtpd_tls_mandatory_protocols = +!SSLv2, !SSLv3". Listing the protocols to include, rather than +protocols to exclude, is supported, but not recommended. The exclusion +form more accurately matches the underlying OpenSSL interface.

    + +

    Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

    + +

    Example:

    + +
    +# Preferred syntax with Postfix ≥ 3.6:
    +smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
    +# Legacy syntax:
    +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_tls_security_level + +

    The default SMTP TLS security level for the Postfix SMTP client. +When a non-empty value is specified, this overrides the obsolete +parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername; +when no value is specified for smtp_tls_enforce_peername or the obsolete +parameters, the default SMTP TLS security level is +none.

    + +

    Specify one of the following security levels:

    + +
    + +
    none
    +
    No TLS. TLS will not be used unless enabled for specific +destinations via smtp_tls_policy_maps.
    + +
    may
    +
    Opportunistic TLS. Use TLS if this is supported by the remote +SMTP server, otherwise use plaintext. Since +sending in the clear is acceptable, demanding stronger than default TLS +security merely reduces interoperability. +The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6) +configuration parameters provide control over the protocols and +cipher grade used with opportunistic TLS. With earlier releases the +opportunistic TLS cipher grade is always "export" and no protocols +are disabled. +When TLS handshakes fail, the connection is retried with TLS disabled. +This allows mail delivery to sites with non-interoperable TLS +implementations.
    + +
    encrypt
    +
    Mandatory TLS encryption. Since a minimum +level of security is intended, it is reasonable to be specific about +sufficiently secure protocol versions and ciphers. At this security level +and higher, the main.cf parameters smtp_tls_mandatory_protocols and +smtp_tls_mandatory_ciphers specify the TLS protocols and minimum +cipher grade which the administrator considers secure enough for +mandatory encrypted sessions. This security level is not an appropriate +default for systems delivering mail to the Internet.
    + +
    dane
    +
    Opportunistic DANE TLS. At this security level, the TLS policy +for the destination is obtained via DNSSEC. For TLSA policy to be +in effect, the destination domain's containing DNS zone must be +signed and the Postfix SMTP client's operating system must be +configured to send its DNS queries to a recursive DNS nameserver +that is able to validate the signed records. Each MX host's DNS +zone should also be signed, and should publish DANE TLSA (RFC 7672) +records that specify how that MX host's TLS certificate is to be +verified. TLSA records do not preempt the normal SMTP MX host +selection algorithm, if some MX hosts support TLSA and others do +not, TLS security will vary from delivery to delivery. It is up +to the domain owner to configure their MX hosts and their DNS +sensibly. To configure the Postfix SMTP client for DNSSEC lookups +see the documentation for the smtp_dns_support_level main.cf +parameter. When DNSSEC-validated TLSA records are not found the +effective tls security level is "may". When TLSA records are found, +but are all unusable the effective security level is "encrypt". For +purposes of protocol and cipher selection, the "dane" security level +is treated like a "mandatory" TLS security level, and weak ciphers +and protocols are disabled. Since DANE authenticates server +certificates the "aNULL" cipher-suites are transparently excluded +at this level, no need to configure this manually. RFC 7672 (DANE) +TLS authentication is available with Postfix 2.11 and later.
    + +
    dane-only
    +
    Mandatory DANE TLS. This is just like "dane" above, but DANE +TLSA authentication is required. There is no fallback to "may" or +"encrypt" when TLSA records are missing or unusable. RFC 7672 +(DANE) TLS authentication is available with Postfix 2.11 and later. +
    + +
    fingerprint
    +
    Certificate fingerprint verification. +At this security level, there are no trusted Certification Authorities. +The certificate trust chain, expiration date, etc., are +not checked. Instead, the smtp_tls_fingerprint_cert_match +parameter lists the certificate fingerprint or public key fingerprint +(Postfix 2.9 and later) of the valid server certificate. The digest +algorithm used to calculate the fingerprint is selected by the +smtp_tls_fingerprint_digest parameter. Available with Postfix +2.5 and later.
    + +
    verify
    +
    Mandatory TLS verification. At this security +level, DNS MX lookups are trusted to be secure enough, and the name +verified in the server certificate is usually obtained indirectly +via unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match +parameter controls how the server name is verified. In practice explicit +control over matching is more common at the "secure" level, described +below. This security level is not an appropriate default for systems +delivering mail to the Internet.
    + +
    secure
    +
    Secure-channel TLS. At this security level, +DNS MX lookups, though potentially used to determine the candidate +next-hop gateway IP addresses, are not trusted to be secure enough +for TLS peername verification. Instead, the default name verified in +the server certificate is obtained from the next-hop domain as specified +in the smtp_tls_secure_cert_match configuration parameter. The default +matching rule is that a server certificate matches when its name is equal +to or is a sub-domain of the nexthop domain. This security level is not +an appropriate default for systems delivering mail to the Internet.
    + +
    + +

    +Examples: +

    + +
    +# No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
    +smtp_tls_security_level = none
    +
    + +
    +# Opportunistic TLS.
    +smtp_tls_security_level = may
    +# Do not tweak opportunistic ciphers or protocols unless it is essential
    +# to do so (if a security vulnerability is found in the SSL library that
    +# can be mitigated by disabling a particular protocol or raising the
    +# cipher grade).
    +smtp_tls_ciphers = medium
    +smtp_tls_protocols = >=TLSv1
    +# Legacy (Postfix < 3.6) syntax:
    +smtp_tls_protocols = !SSLv2, !SSLv3
    +
    + +
    +# Mandatory (high-grade) TLS encryption.
    +smtp_tls_security_level = encrypt
    +smtp_tls_mandatory_ciphers = high
    +
    + +
    +# Authenticated TLS 1.2 or better matching the nexthop domain or a
    +# subdomain.
    +smtp_tls_security_level = secure
    +smtp_tls_mandatory_ciphers = high
    +smtp_tls_mandatory_protocols = >=TLSv1.2
    +smtp_tls_secure_cert_match = nexthop, dot-nexthop
    +
    + +
    +# Certificate fingerprint verification (Postfix ≥ 2.5).
    +# The CA-less "fingerprint" security level only scales to a limited
    +# number of destinations. As a global default rather than a per-site
    +# setting, this is practical only when mail for all recipients is sent
    +# to a central mail hub.
    +relayhost = [mailhub.example.com]
    +smtp_tls_security_level = fingerprint
    +smtp_tls_mandatory_protocols = >=TLSv1.2
    +smtp_tls_mandatory_ciphers = high
    +smtp_tls_fingerprint_cert_match = 
    +    3D:95:34:51:...:40:99:C0:C1
    +    EC:3B:2D:B0:...:A3:9D:72:F6
    +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_milters + +

    A list of Milter (mail filter) applications for new mail that +arrives via the Postfix smtpd(8) server. Specify space or comma as +separator. See the MILTER_README document for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM non_smtpd_milters + +

    A list of Milter (mail filter) applications for new mail that +does not arrive via the Postfix smtpd(8) server. This includes local +submission via the sendmail(1) command line, new mail that arrives +via the Postfix qmqpd(8) server, and old mail that is re-injected +into the queue with "postsuper -r". Specify space or comma as a +separator. See the MILTER_README document for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_protocol 6 + +

    The mail filter protocol version and optional protocol extensions +for communication with a Milter application; prior to Postfix 2.6 +the default protocol is 2. Postfix +sends this version number during the initial protocol handshake. +It should match the version number that is expected by the mail +filter application (or by its Milter library).

    + +

    Protocol versions:

    + +
    + +
    2
    Use Sendmail 8 mail filter protocol version 2 (default +with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. +2.5).
    + +
    3
    Use Sendmail 8 mail filter protocol version 3.
    + +
    4
    Use Sendmail 8 mail filter protocol version 4.
    + +
    6
    Use Sendmail 8 mail filter protocol version 6 (default +with Sendmail version 8.14 and Postfix version 2.6).
    + +
    + +

    Protocol extensions:

    + +
    + +
    no_header_reply
    Specify this when the Milter application +will not reply for each individual message header.
    + +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_default_action tempfail + +

    The default action when a Milter (mail filter) response is +unavailable (for example, bad Postfix configuration or Milter +failure). Specify one of the following:

    + +
    + +
    accept
    Proceed as if the mail filter was not present. +
    + +
    reject
    Reject all further commands in this session +with a permanent status code.
    + +
    tempfail
    Reject all further commands in this session +with a temporary status code.
    + +
    quarantine
    Like "accept", but freeze the message in +the "hold" queue. Available with Postfix 2.6 and later.
    + +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_connect_timeout 30s + +

    The time limit for connecting to a Milter (mail filter) +application, and for negotiating protocol options.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_command_timeout 30s + +

    The time limit for sending an SMTP command to a Milter (mail +filter) application, and for receiving the response.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_content_timeout 300s + +

    The time limit for sending message content to a Milter (mail +filter) application, and for receiving the response.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_connect_macros see "postconf -d" output + +

    The macros that are sent to Milter (mail filter) applications +after completion of an SMTP connection. See MILTER_README +for a list of available macro names and their meanings.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_helo_macros see "postconf -d" output + +

    The macros that are sent to Milter (mail filter) applications +after the SMTP HELO or EHLO command. See +MILTER_README for a list of available macro names and their meanings. +

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_mail_macros see "postconf -d" output + +

    The macros that are sent to Milter (mail filter) applications +after the SMTP MAIL FROM command. See MILTER_README +for a list of available macro names and their meanings.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_rcpt_macros see "postconf -d" output + +

    The macros that are sent to Milter (mail filter) applications +after the SMTP RCPT TO command. See MILTER_README +for a list of available macro names and their meanings.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_data_macros see "postconf -d" output + +

    The macros that are sent to version 4 or higher Milter (mail +filter) applications after the SMTP DATA command. See MILTER_README +for a list of available macro names and their meanings.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_end_of_header_macros see "postconf -d" output + +

    The macros that are sent to Milter (mail filter) applications +after the end of the message header. See MILTER_README for a list +of available macro names and their meanings.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM milter_end_of_data_macros see "postconf -d" output + +

    The macros that are sent to Milter (mail filter) applications +after the message end-of-data. See MILTER_README for a list of +available macro names and their meanings.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_unknown_command_macros see "postconf -d" output + +

    The macros that are sent to version 3 or higher Milter (mail +filter) applications after an unknown SMTP command. See MILTER_README +for a list of available macro names and their meanings.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_macro_daemon_name $myhostname + +

    The {daemon_name} macro value for Milter (mail filter) applications. +See MILTER_README for a list of available macro names and their +meanings.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM milter_macro_defaults + +

    Optional list of name=value pairs that specify default +values for arbitrary macros that Postfix may send to Milter +applications. These defaults are used when there is no corresponding +information from the message delivery context.

    + +

    Specify name=value or {name=value} pairs separated +by comma or whitespace. Enclose a pair in "{}" when a value contains +comma or whitespace (this form ignores whitespace after the enclosing +"{", around the "=", and before the enclosing "}").

    + +

    This feature is available in Postfix 3.1 and later.

    + +%PARAM milter_macro_v $mail_name $mail_version + +

    The {v} macro value for Milter (mail filter) applications. +See MILTER_README for a list of available macro names and their +meanings.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_tls_mandatory_ciphers medium + +

    The minimum TLS cipher grade that the Postfix SMTP server will +use with mandatory TLS encryption. The default grade ("medium") is +sufficiently strong that any benefit from globally restricting TLS +sessions to a more stringent grade is likely negligible, especially +given the fact that many implementations still do not offer any stronger +("high" grade) ciphers, while those that do, will always use "high" +grade ciphers. So insisting on "high" grade ciphers is generally +counter-productive. Allowing "export" or "low" ciphers is typically +not a good idea, as systems limited to just these are limited to +obsolete browsers. No known SMTP clients fail to support at least +one "medium" or "high" grade cipher.

    + +

    The following cipher grades are supported:

    + +
    +
    export
    +
    Enable "EXPORT" grade or stronger OpenSSL ciphers. The +underlying cipherlist is specified via the tls_export_cipherlist +configuration parameter, which you are strongly encouraged not to +change. This choice is insecure and SHOULD NOT be used.
    + +
    low
    +
    Enable "LOW" grade or stronger OpenSSL ciphers. The underlying +cipherlist is specified via the tls_low_cipherlist configuration +parameter, which you are strongly encouraged not to change. This +choice is insecure and SHOULD NOT be used.
    + +
    medium
    +
    Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit +or longer symmetric bulk-encryption keys. This is the default minimum +strength for mandatory TLS encryption. The underlying cipherlist is +specified via the tls_medium_cipherlist configuration parameter, which +you are strongly encouraged not to change.
    + +
    high
    +
    Enable only "HIGH" grade OpenSSL ciphers. The +underlying cipherlist is specified via the tls_high_cipherlist +configuration parameter, which you are strongly encouraged to +not change.
    + +
    null
    +
    Enable only the "NULL" OpenSSL ciphers, these provide authentication +without encryption. This setting is only appropriate in the rare +case that all clients are prepared to use NULL ciphers (not normally +enabled in TLS clients). The underlying cipherlist is specified via the +tls_null_cipherlist configuration parameter, which you are strongly +encouraged not to change.
    + +
    + +

    Cipher types listed in +smtpd_tls_mandatory_exclude_ciphers or smtpd_tls_exclude_ciphers are +excluded from the base definition of the selected cipher grade. See +smtpd_tls_ciphers for cipher controls that apply to opportunistic +TLS.

    + +

    The underlying cipherlists for grades other than "null" include +anonymous ciphers, but these are automatically filtered out if the +server is configured to ask for remote SMTP client certificates. You are very +unlikely to need to take any steps to exclude anonymous ciphers, they +are excluded automatically as required. If you must exclude anonymous +ciphers even when Postfix does not need or use peer certificates, set +"smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only +when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = aNULL".

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_tls_exclude_ciphers + +

    List of ciphers or cipher types to exclude from the SMTP server +cipher list at all TLS security levels. Excluding valid ciphers +can create interoperability problems. DO NOT exclude ciphers unless it +is essential to do so. This is not an OpenSSL cipherlist; it is a simple +list separated by whitespace and/or commas. The elements are a single +cipher, or one or more "+" separated cipher properties, in which case +only ciphers matching all the properties are excluded.

    + +

    Examples (some of these will cause problems):

    + +
    +
    +smtpd_tls_exclude_ciphers = aNULL
    +smtpd_tls_exclude_ciphers = MD5, DES
    +smtpd_tls_exclude_ciphers = DES+MD5
    +smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    +smtpd_tls_exclude_ciphers = kEDH+aRSA
    +
    +
    + +

    The first setting disables anonymous ciphers. The next setting +disables ciphers that use the MD5 digest algorithm or the (single) DES +encryption algorithm. The next setting disables ciphers that use MD5 and +DES together. The next setting disables the two ciphers "AES256-SHA" +and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" +key exchange with RSA authentication.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_tls_mandatory_exclude_ciphers + +

    Additional list of ciphers or cipher types to exclude from the +Postfix SMTP server cipher list at mandatory TLS security levels. +This list +works in addition to the exclusions listed with smtpd_tls_exclude_ciphers +(see there for syntax details).

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_tls_mandatory_ciphers medium + +

    The minimum TLS cipher grade that the Postfix SMTP client will +use with +mandatory TLS encryption. The default value "medium" is suitable +for most destinations with which you may want to enforce TLS, and +is beyond the reach of today's cryptanalytic methods. See +smtp_tls_policy_maps for information on how to configure ciphers +on a per-destination basis.

    + +

    The following cipher grades are supported:

    + +
    +
    export
    +
    Enable "EXPORT" grade or better OpenSSL ciphers. The underlying +cipherlist is specified via the tls_export_cipherlist configuration +parameter, which you are strongly encouraged not to change. This +choice is insecure and SHOULD NOT be used.
    + +
    low
    +
    Enable "LOW" grade or better OpenSSL ciphers. The underlying +cipherlist is specified via the tls_low_cipherlist configuration +parameter, which you are strongly encouraged not to change. This +choice is insecure and SHOULD NOT be used.
    + +
    medium
    +
    Enable "MEDIUM" grade or better OpenSSL ciphers. +The underlying cipherlist is specified via the tls_medium_cipherlist +configuration parameter, which you are strongly encouraged not to change. +
    + +
    high
    +
    Enable only "HIGH" grade OpenSSL ciphers. This setting may +be appropriate when all mandatory TLS destinations (e.g. when all +mail is routed to a suitably capable relayhost) support at least one +"HIGH" grade cipher. The underlying cipherlist is specified via the +tls_high_cipherlist configuration parameter, which you are strongly +encouraged not to change.
    + +
    null
    +
    Enable only the "NULL" OpenSSL ciphers, these provide authentication +without encryption. This setting is only appropriate in the rare case +that all servers are prepared to use NULL ciphers (not normally enabled +in TLS servers). A plausible use-case is an LMTP server listening on a +UNIX-domain socket that is configured to support "NULL" ciphers. The +underlying cipherlist is specified via the tls_null_cipherlist +configuration parameter, which you are strongly encouraged not to +change.
    + +
    + +

    The underlying cipherlists for grades other than "null" include +anonymous ciphers, but these are automatically filtered out if the +Postfix SMTP client is configured to verify server certificates. +You are very unlikely to need to take any steps to exclude anonymous +ciphers, they are excluded automatically as necessary. If you must +exclude anonymous ciphers at the "may" or "encrypt" security levels, +when the Postfix SMTP client does not need or use peer certificates, set +"smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only when +TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_tls_exclude_ciphers + +

    List of ciphers or cipher types to exclude from the Postfix +SMTP client cipher +list at all TLS security levels. This is not an OpenSSL cipherlist, it is +a simple list separated by whitespace and/or commas. The elements are a +single cipher, or one or more "+" separated cipher properties, in which +case only ciphers matching all the properties are excluded.

    + +

    Examples (some of these will cause problems):

    + +
    +
    +smtp_tls_exclude_ciphers = aNULL
    +smtp_tls_exclude_ciphers = MD5, DES
    +smtp_tls_exclude_ciphers = DES+MD5
    +smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    +smtp_tls_exclude_ciphers = kEDH+aRSA
    +
    +
    + +

    The first setting disables anonymous ciphers. The next setting +disables ciphers that use the MD5 digest algorithm or the (single) DES +encryption algorithm. The next setting disables ciphers that use MD5 and +DES together. The next setting disables the two ciphers "AES256-SHA" +and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" +key exchange with RSA authentication.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_tls_mandatory_exclude_ciphers + +

    Additional list of ciphers or cipher types to exclude from the +Postfix SMTP client cipher list at mandatory TLS security levels. This list +works in addition to the exclusions listed with smtp_tls_exclude_ciphers +(see there for syntax details).

    + +

    Starting with Postfix 2.6, the mandatory cipher exclusions can be +specified on a per-destination basis via the TLS policy "exclude" +attribute. See smtp_tls_policy_maps for notes and examples.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM tls_high_cipherlist see "postconf -d" output + +

    The OpenSSL cipherlist for "high" grade ciphers. This defines +the meaning of the "high" setting in smtpd_tls_ciphers, +smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, +lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly +encouraged not to change this setting.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM tls_medium_cipherlist see "postconf -d" output + +

    The OpenSSL cipherlist for "medium" or higher grade ciphers. This +defines the meaning of the "medium" setting in smtpd_tls_ciphers, +smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, +lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. This is the +default cipherlist for mandatory TLS encryption in the TLS client +(with anonymous ciphers disabled when verifying server certificates). +This is the default cipherlist for opportunistic TLS with Postfix +releases after the middle of 2015. You are strongly encouraged not +to change this setting.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM tls_low_cipherlist see "postconf -d" output + +

    The OpenSSL cipherlist for "low" or higher grade ciphers. This defines +the meaning of the "low" setting in smtpd_tls_ciphers, +smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, +lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly +encouraged not to change this setting.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM tls_export_cipherlist see "postconf -d" output + +

    The OpenSSL cipherlist for "export" or higher grade ciphers. This +defines the meaning of the "export" setting in smtpd_tls_ciphers, +smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers, +lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. With Postfix +releases before the middle of 2015 this is the default cipherlist +for the opportunistic ("may") TLS client security level and also +the default cipherlist for the SMTP server. You are strongly +encouraged not to change this setting.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM tls_null_cipherlist eNULL:!aNULL + +

    The OpenSSL cipherlist for "NULL" grade ciphers that provide +authentication without encryption. This defines the meaning of the "null" +setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and +lmtp_tls_mandatory_ciphers. You are strongly encouraged not to +change this setting.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_mandatory_ciphers medium + +

    The LMTP-specific version of the smtp_tls_mandatory_ciphers +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_exclude_ciphers + +

    The LMTP-specific version of the smtp_tls_exclude_ciphers +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM lmtp_tls_mandatory_exclude_ciphers + +

    The LMTP-specific version of the smtp_tls_mandatory_exclude_ciphers +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_tls_security_level + +

    The SMTP TLS security level for the Postfix SMTP server; when +a non-empty value is specified, this overrides the obsolete parameters +smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with +"smtpd_tls_wrappermode = yes".

    + +

    Specify one of the following security levels:

    + +
    + +
    none
    TLS will not be used.
    + +
    may
    Opportunistic TLS: announce STARTTLS support +to remote SMTP clients, but do not require that clients use TLS encryption. +
    + +
    encrypt
    Mandatory TLS encryption: announce +STARTTLS support to remote SMTP clients, and require that clients use TLS +encryption. According to RFC 2487 this MUST NOT be applied in case +of a publicly-referenced SMTP server. Instead, this option should +be used only on dedicated servers.
    + +
    + +

    Note 1: the "fingerprint", "verify" and "secure" levels are not +supported here. +The Postfix SMTP server logs a warning and uses "encrypt" instead. +To verify remote SMTP client certificates, see TLS_README for a discussion +of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts +features.

    + +

    Note 2: The parameter setting "smtpd_tls_security_level = +encrypt" implies "smtpd_tls_auth_only = yes".

    + +

    Note 3: when invoked via "sendmail -bs", Postfix will never +offer STARTTLS due to insufficient privileges to access the server +private key. This is intended behavior.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM internal_mail_filter_classes + +

    What categories of Postfix-generated mail are subject to +before-queue content inspection by non_smtpd_milters, header_checks +and body_checks. Specify zero or more of the following, separated +by whitespace or comma.

    + +
    + +
    bounce
    Inspect the content of delivery +status notifications.
    + +
    notify
    Inspect the content of postmaster +notifications by the smtp(8) and smtpd(8) processes.
    + +
    + +

    NOTE: It's generally not safe to enable content inspection of +Postfix-generated email messages. The user is warned.

    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtpd_tls_always_issue_session_ids yes + +

    Force the Postfix SMTP server to issue a TLS session id, even +when TLS session caching is turned off (smtpd_tls_session_cache_database +is empty). This behavior is compatible with Postfix < 2.3.

    + +

    With Postfix 2.3 and later the Postfix SMTP server can disable +session id generation when TLS session caching is turned off. This +keeps remote SMTP clients from caching sessions that almost certainly cannot +be re-used.

    + +

    By default, the Postfix SMTP server always generates TLS session +ids. This works around a known defect in mail client applications +such as MS Outlook, and may also prevent interoperability issues +with other MTAs.

    + +

    Example:

    + +
    +smtpd_tls_always_issue_session_ids = no
    +
    + +

    This feature is available in Postfix 2.3 and later.

    + +%PARAM smtp_pix_workarounds disable_esmtp, delay_dotcrlf + +

    A list that specifies zero or more workarounds for CISCO PIX +firewall bugs. These workarounds are implemented by the Postfix +SMTP client. Workaround names are separated by comma or space, and +are case insensitive. This parameter setting can be overruled with +per-destination smtp_pix_workaround_maps settings.

    + +
    + +
    delay_dotcrlf
    Insert a delay before sending +".<CR><LF>" after the end of the message content. The +delay is subject to the smtp_pix_workaround_delay_time and +smtp_pix_workaround_threshold_time parameter settings.
    + +
    disable_esmtp
    Disable all extended SMTP commands: +send HELO instead of EHLO.
    + +
    + +

    This feature is available in Postfix 2.4 and later. The default +settings are backwards compatible with earlier Postfix versions. +

    + +%PARAM smtp_pix_workaround_maps + +

    Lookup tables, indexed by the remote SMTP server address, with +per-destination workarounds for CISCO PIX firewall bugs. The table +is not indexed by hostname for consistency with +smtp_discard_ehlo_keyword_address_maps.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    This feature is available in Postfix 2.4 and later.

    + +%PARAM lmtp_pix_workarounds + +

    The LMTP-specific version of the smtp_pix_workaround +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.4 and later.

    + +%PARAM smtp_tls_fingerprint_digest see "postconf -d" output + +

    The message digest algorithm used to construct remote SMTP server +certificate fingerprints. At the "fingerprint" TLS security level +(smtp_tls_security_level = fingerprint), the server certificate is +verified by directly matching its certificate fingerprint or its public +key fingerprint (Postfix 2.9 and later). The fingerprint is the +message digest of the server certificate (or its public key) +using the selected +algorithm. With a digest algorithm resistant to "second pre-image" +attacks, it is not feasible to create a new public key and a matching +certificate (or public/private key-pair) that has the same fingerprint.

    + +

    The default algorithm is sha256 with Postfix ≥ 3.6 +and the compatibility_level set to 3.6 or higher. With Postfix +≤ 3.5, the default algorithm is md5.

    + +

    The best-practice algorithm is now sha256. Recent advances in hash +function cryptanalysis have led to md5 and sha1 being deprecated in favor of +sha256. However, as long as there are no known "second pre-image" attacks +against the older algorithms, their use in this context, though not +recommended, is still likely safe.

    + +

    While additional digest algorithms are often available with OpenSSL's +libcrypto, only those used by libssl in SSL cipher suites are available to +Postfix. You'll likely find support for md5, sha1, sha256 and sha512.

    + +

    To find the fingerprint of a specific certificate file, with a +specific digest algorithm, run: +

    + +
    +
    +$ openssl x509 -noout -fingerprint -digest -in certfile.pem
    +
    +
    + +

    The text to the right of the "=" sign is the desired fingerprint. +For example:

    + +
    +
    +$ openssl x509 -noout -fingerprint -sha256 -in cert.pem
    +SHA256 Fingerprint=D4:6A:AB:19:24:...:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
    +
    +
    + +

    To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint.

    + +

    The actual command to transform the key to DER format depends on the +version of OpenSSL used. As of OpenSSL 1.0.0, the "pkey" command supports +all key types.

    +
    +
    +# OpenSSL ≥ 1.0 with SHA-256 fingerprints.
    +$ openssl x509 -in cert.pem -noout -pubkey |
    +    openssl pkey -pubin -outform DER |
    +    openssl dgst -sha256 -c
    +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:...:fc:09:1a:61:98:b5:bc:7c:60:58
    +
    +
    + +

    The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and the public key fingerprint when the TLS loglevel is 2 or +higher.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtp_tls_fingerprint_cert_match + +

    List of acceptable remote SMTP server certificate fingerprints for +the "fingerprint" TLS security level (smtp_tls_security_level = +fingerprint). At this security level, Certification Authorities are not +used, and certificate expiration times are ignored. Instead, server +certificates are verified directly via their certificate fingerprint +or public key fingerprint (Postfix 2.9 and later). The fingerprint +is a message digest of the server certificate (or public key). The +digest algorithm is selected via the smtp_tls_fingerprint_digest +parameter.

    + +

    The colons between each pair of nibbles in the fingerprint value +are optional (Postfix ≥ 3.6). These were required in earlier +Postfix releases.

    + +

    When an smtp_tls_policy_maps table entry specifies the +"fingerprint" security level, any "match" attributes in that entry specify +the list of valid fingerprints for the corresponding destination. Multiple +fingerprints can be combined with a "|" delimiter in a single match +attribute, or multiple match attributes can be employed.

    + +

    Example: Certificate fingerprint verification with internal mailhub. +Two matching fingerprints are listed. The relayhost may be multiple +physical hosts behind a load-balancer, each with its own private/public +key and self-signed certificate. Alternatively, a single relayhost may +be in the process of switching from one set of private/public keys to +another, and both keys are trusted just prior to the transition.

    + +
    +
    +relayhost = [mailhub.example.com]
    +smtp_tls_security_level = fingerprint
    +smtp_tls_fingerprint_digest = sha256
    +smtp_tls_fingerprint_cert_match =
    +    cd:fc:d8:db:f8:c4:82:96:6c:...:28:71:e8:f5:8d:a5:0d:9b:d4:a6
    +    dd:5c:ef:f5:c3:bc:64:25:36:...:99:36:06:ce:40:ef:de:2e:ad:a4
    +
    +
    + +

    Example: Certificate fingerprint verification with selected destinations. +As in the example above, we show two matching fingerprints:

    + +
    +
    +/etc/postfix/main.cf:
    +    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    +    smtp_tls_fingerprint_digest = sha256
    +
    +
    + +
    +
    +/etc/postfix/tls_policy:
    +    example.com	fingerprint
    +        match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
    +        match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
    +
    +
    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_tls_fingerprint_cert_match + +

    The LMTP-specific version of the smtp_tls_fingerprint_cert_match +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_tls_fingerprint_digest see "postconf -d" output + +

    The LMTP-specific version of the smtp_tls_fingerprint_digest +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtpd_tls_fingerprint_digest see "postconf -d" output + +

    The message digest algorithm to construct remote SMTP client-certificate +fingerprints or public key fingerprints (Postfix 2.9 and later) for +check_ccert_access and permit_tls_clientcerts.

    + +

    The default algorithm is sha256 with Postfix ≥ 3.6 +and the compatibility_level set to 3.6 or higher. With Postfix +≤ 3.5, the default algorithm is md5.

    + +

    The best-practice algorithm is now sha256. Recent advances in hash +function cryptanalysis have led to md5 and sha1 being deprecated in favor of +sha256. However, as long as there are no known "second pre-image" attacks +against the older algorithms, their use in this context, though not +recommended, is still likely safe.

    + +

    While additional digest algorithms are often available with OpenSSL's +libcrypto, only those used by libssl in SSL cipher suites are available to +Postfix. You'll likely find support for md5, sha1, sha256 and sha512.

    + +

    To find the fingerprint of a specific certificate file, with a +specific digest algorithm, run:

    + +
    +
    +$ openssl x509 -noout -fingerprint -digest -in certfile.pem
    +
    +
    + +

    The text to the right of "=" sign is the desired fingerprint. +For example:

    + +
    +
    +$ openssl x509 -noout -fingerprint -sha256 -in cert.pem
    +SHA256 Fingerprint=D4:6A:AB:19:24:...:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
    +
    +
    + +

    To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint.

    + +

    Example:

    +
    +
    +$ openssl x509 -in cert.pem -noout -pubkey |
    +    openssl pkey -pubin -outform DER |
    +    openssl dgst -sha256 -c
    +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
    +
    +
    + +

    The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when the TLS loglevel is 2 or +higher.

    + +

    Example: client-certificate access table, with sha256 fingerprints:

    + +
    +
    +/etc/postfix/main.cf:
    +    smtpd_tls_fingerprint_digest = sha256
    +    smtpd_client_restrictions =
    +        check_ccert_access hash:/etc/postfix/access,
    +        reject
    +
    +
    +/etc/postfix/access:
    +    # Action folded to next line...
    +    AF:88:7C:AD:51:95:6F:36:96:...:01:FB:2E:48:CD:AB:49:25:A2:3B
    +        OK
    +    85:16:78:FD:73:6E:CE:70:E0:...:5F:0D:3C:C8:6D:C4:2C:24:59:E1
    +        permit_auth_destination
    +
    +
    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_pix_workaround_maps + +

    The LMTP-specific version of the smtp_pix_workaround_maps +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.4 and later.

    + +%PARAM detect_8bit_encoding_header yes + +

    Automatically detect 8BITMIME body content by looking at +Content-Transfer-Encoding: message headers; historically, this +behavior was hard-coded to be "always on".

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM send_cyrus_sasl_authzid no + +

    When authenticating to a remote SMTP or LMTP server with the +default setting "no", send no SASL authoriZation ID (authzid); send +only the SASL authentiCation ID (authcid) plus the authcid's password. +

    + +

    The non-default setting "yes" enables the behavior of older +Postfix versions. These always send a SASL authzid that is equal +to the SASL authcid, but this causes interoperability problems +with some SMTP servers.

    + +

    This feature is available in Postfix 2.4.4 and later.

    + +%PARAM smtpd_client_port_logging no + +

    Enable logging of the remote SMTP client port in addition to +the hostname and IP address. The logging format is "host[address]:port". +

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM qmqpd_client_port_logging no + +

    Enable logging of the remote QMQP client port in addition to +the hostname and IP address. The logging format is "host[address]:port". +

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtp_tls_protocols see postconf -d output + +

    TLS protocols that the Postfix SMTP client will use with +opportunistic TLS encryption. In main.cf the values are separated by +whitespace, commas or colons. In the policy table "protocols" attribute +(see smtp_tls_policy_maps) the only valid separator is colon. An empty +value means allow all protocols.

    + +

    The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

    + +

    As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

    + +

    Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

    + +

    Hexadecimal example (Postfix ≥ 3.6):

    +
    +
    +# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
    +# in some future version of OpenSSL (presently a warning is logged).
    +smtp_tls_protocols = >=TLSv1, <=0305
    +# Allow only TLS 1.0 and up:
    +smtp_tls_protocols = >=0x0301
    +
    +
    + +

    With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtp_tls_protocols = !SSLv2, !SSLv3". +Listing the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more accurately +matches the underlying OpenSSL interface.

    + +

    When using the exclusion syntax, take care to ensure that the range of +protocols advertised by an SSL/TLS client is contiguous. When a protocol +version is enabled, disabling any higher version implicitly disables all +versions above that higher version. Thus, for example: +

    +
    +
    +smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1
    +
    +
    +

    also disables any protocols version higher than TLSv1.1 leaving +only "TLSv1" enabled.

    + +

    Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

    + +

    Example:

    +
    +# Preferred syntax with Postfix ≥ 3.6:
    +smtp_tls_protocols = >=TLSv1, <=TLSv1.3
    +# Legacy syntax:
    +smtp_tls_protocols = !SSLv2, !SSLv3
    +
    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM smtpd_tls_protocols see postconf -d output + +

    TLS protocols accepted by the Postfix SMTP server with opportunistic +TLS encryption. If the list is empty, the server supports all available +TLS protocol versions. A non-empty value is a list of protocol names to +include or exclude, separated by whitespace, commas or colons.

    + +

    The valid protocol names (see SSL_get_version(3)) are "SSLv2", +"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3". Starting with +Postfix 3.6, the default value is ">=TLSv1", which sets TLS 1.0 as +the lowest supported TLS protocol version (see below). Older releases +use the "!" exclusion syntax, also described below.

    + +

    As of Postfix 3.6, the preferred way to limit the range of +acceptable protocols is to set the lowest acceptable TLS protocol +version and/or the highest acceptable TLS protocol version. To set the +lower bound include an element of the form: ">=version" where +version is a either one of the TLS protocol names listed above, +or a hexadecimal number corresponding to the desired TLS protocol +version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper +bound, use "<=version". There must be no whitespace between +the ">=" or "<=" symbols and the protocol name or number.

    + +

    Hexadecimal protocol numbers make it possible to specify protocol +bounds for TLS versions that are known to OpenSSL, but might not be +known to Postfix. They cannot be used with the legacy exclusion syntax. +Leading "0" or "0x" prefixes are supported, but not required. +Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to +"TLSv1". Hexadecimal versions unknown to OpenSSL will fail to set the +upper or lower bound, and a warning will be logged. Hexadecimal +versions should only be used when Postfix is linked with some future +version of OpenSSL that supports TLS 1.4 or later, but Postfix does not +yet support a symbolic name for that protocol version.

    + +

    Hexadecimal example (Postfix ≥ 3.6):

    +
    +
    +# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
    +# in some future version of OpenSSL (presently a warning is logged).
    +smtpd_tls_protocols = >=TLSv1, <=0305
    +# Allow only TLS 1.0 and up:
    +smtpd_tls_protocols = >=0x0301
    +
    +
    + +

    With Postfix < 3.6 there is no support for a minimum or maximum +version, and the protocol range is configured via protocol exclusions. +To require at least TLS 1.0, set "smtpd_tls_protocols = !SSLv2, !SSLv3". +Listing the protocols to include, rather than protocols to exclude, is +supported, but not recommended. The exclusion form more accurately +matches the underlying OpenSSL interface.

    + +

    Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling +this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch +releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2).

    + +

    Example:

    +
    +# Preferred syntax with Postfix ≥ 3.6:
    +smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
    +# Legacy syntax:
    +smtpd_tls_protocols = !SSLv2, !SSLv3
    +
    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM lmtp_tls_protocols see postconf -d output + +

    The LMTP-specific version of the smtp_tls_protocols configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM smtp_tls_ciphers medium + +

    The minimum TLS cipher grade that the Postfix SMTP client +will use with opportunistic TLS encryption. Cipher types listed in +smtp_tls_exclude_ciphers are excluded from the base definition of +the selected cipher grade. The default value is "medium" for +Postfix releases after the middle of 2015, "export" for older +releases.

    + +

    When TLS is mandatory the cipher grade is chosen via the +smtp_tls_mandatory_ciphers configuration parameter, see there for syntax +details. See smtp_tls_policy_maps for information on how to configure +ciphers on a per-destination basis.

    + +

    This feature is available in Postfix 2.6 and later. With earlier Postfix +releases only the smtp_tls_mandatory_ciphers parameter is implemented, +and opportunistic TLS always uses "export" or better (i.e. all) ciphers.

    + +%PARAM smtpd_tls_ciphers medium + +

    The minimum TLS cipher grade that the Postfix SMTP server +will use with opportunistic TLS encryption. Cipher types listed in +smtpd_tls_exclude_ciphers are excluded from the base definition of +the selected cipher grade. The default value is "medium" for Postfix +releases after the middle of 2015, "export" for older releases. +

    + +

    When TLS is mandatory the cipher grade is chosen via the +smtpd_tls_mandatory_ciphers configuration parameter, see there for syntax +details.

    + +

    This feature is available in Postfix 2.6 and later. With earlier Postfix +releases only the smtpd_tls_mandatory_ciphers parameter is implemented, +and opportunistic TLS always uses "export" or better (i.e. all) ciphers.

    + +%PARAM lmtp_tls_ciphers medium + +

    The LMTP-specific version of the smtp_tls_ciphers configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM tls_eecdh_auto_curves see "postconf -d" output + +

    The prioritized list of elliptic curves supported by the Postfix +SMTP client and server. These curves are used by the Postfix SMTP +server when "smtpd_tls_eecdh_grade = auto". The selected curves +must be implemented by OpenSSL and be standardized for use in TLS +(RFC 8422). It is unwise to list only +"bleeding-edge" curves supported by a small subset of clients. The +default list is suitable for most users.

    + +

    Postfix skips curve names that are unknown to OpenSSL, or that +are known but not yet implemented. This makes it possible to +"anticipate" support for curves that should be used once they become +available. In particular, in some OpenSSL versions, the new RFC +8031 curves "X25519" and "X448" may be known by name, but ECDH +support for either or both may be missing. These curves may appear +in the default value of this parameter, even though they'll only +be usable with later versions of OpenSSL.

    + +

    This feature is available in Postfix 3.2 and later, when it is +compiled and linked with OpenSSL 1.0.2 or later on platforms where +EC algorithms have not been disabled by the vendor.

    + +%PARAM tls_eecdh_strong_curve prime256v1 + +

    The elliptic curve used by the Postfix SMTP server for sensibly +strong +ephemeral ECDH key exchange. This curve is used by the Postfix SMTP +server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly +strong" means approximately 128-bit security based on best known +attacks. The selected curve must be implemented by OpenSSL (as +reported by ecparam(1) with the "-list_curves" option) and be one +of the curves listed in Section 5.1.1 of RFC 8422. You should not +generally change this setting. Remote SMTP client implementations +must support this curve for EECDH key exchange to take place. It +is unwise to choose only "bleeding-edge" curves supported by only a +small subset of clients.

    + +

    The default "strong" curve is rated in NSA Suite +B for information classified up to SECRET.

    + +

    Note: elliptic curve names are poorly standardized; different +standards groups are assigning different names to the same underlying +curves. The curve with the X9.62 name "prime256v1" is also known +under the SECG name "secp256r1", but OpenSSL does not recognize the +latter name.

    + +

    If you want to take maximal advantage of ciphers that offer forward secrecy see +the Getting +started section of FORWARD_SECRECY_README. The +full document conveniently presents all information about Postfix +"perfect" forward secrecy support in one place: what forward secrecy +is, how to tweak settings, and what you can expect to see when +Postfix uses ciphers with forward secrecy.

    + +

    This feature is available in Postfix 2.6 and later, when it is +compiled and linked with OpenSSL 1.0.0 or later on platforms where +EC algorithms have not been disabled by the vendor.

    + +%PARAM tls_eecdh_ultra_curve secp384r1 + +

    The elliptic curve used by the Postfix SMTP server for maximally +strong +ephemeral ECDH key exchange. This curve is used by the Postfix SMTP +server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally +strong" means approximately 192-bit security based on best known attacks. +This additional strength comes at a significant computational cost, most +users should instead set "smtpd_tls_eecdh_grade = strong". The selected +curve must be implemented by OpenSSL (as reported by ecparam(1) with the +"-list_curves" option) and be one of the curves listed in Section 5.1.1 +of RFC 8422. You should not generally change this setting. Remote SMTP +client implementations must support this curve for EECDH key exchange +to take place. It is unwise to choose only "bleeding-edge" curves +supported by only a small subset of clients.

    + +

    This default "ultra" curve is rated in NSA Suite +B for information classified up to TOP SECRET.

    + +

    If you want to take maximal advantage of ciphers that offer forward secrecy see +the Getting +started section of FORWARD_SECRECY_README. The +full document conveniently presents all information about Postfix +"perfect" forward secrecy support in one place: what forward secrecy +is, how to tweak settings, and what you can expect to see when +Postfix uses ciphers with forward secrecy.

    + +

    This feature is available in Postfix 2.6 and later, when it is +compiled and linked with OpenSSL 1.0.0 or later on platforms where +EC algorithms have not been disabled by the vendor.

    + +%PARAM smtpd_tls_eecdh_grade see "postconf -d" output + +

    The Postfix SMTP server security grade for ephemeral elliptic-curve +Diffie-Hellman (EECDH) key exchange. As of Postfix 3.6, the value of +this parameter is always ignored, and Postfix behaves as though the +auto value (described below) was chosen. +

    + +

    The available choices are:

    + +
    + +
    auto
    Use the most preferred curve that is +supported by both the client and the server. This setting requires +Postfix ≥ 3.2 compiled and linked with OpenSSL ≥ 1.0.2. This +is the default setting under the above conditions (and the only +setting used with Postfix ≥ 3.6).
    + +
    none
    Don't use EECDH. Ciphers based on EECDH key +exchange will be disabled. This is the default in Postfix versions +2.6 and 2.7.
    + +
    strong
    Use EECDH with approximately 128 bits of +security at a reasonable computational cost. This is the default in +Postfix versions 2.8–3.5.
    + +
    ultra
    Use EECDH with approximately 192 bits of +security at computational cost that is approximately twice as high +as 128 bit strength ECC.
    + +
    + +

    If you want to take maximal advantage of ciphers that offer forward secrecy see +the Getting +started section of FORWARD_SECRECY_README. The +full document conveniently presents all information about Postfix +"perfect" forward secrecy support in one place: what forward secrecy +is, how to tweak settings, and what you can expect to see when +Postfix uses ciphers with forward secrecy.

    + +

    This feature is available in Postfix 2.6 and later, when it is +compiled and linked with OpenSSL 1.0.0 or later on platforms +where EC algorithms have not been disabled by the vendor.

    + +%PARAM smtpd_tls_eccert_file + +

    File with the Postfix SMTP server ECDSA certificate in PEM format. +This file may also contain the Postfix SMTP server private ECDSA key. +With Postfix ≥ 3.4 the preferred way to configure server keys and +certificates is via the "smtpd_tls_chain_files" parameter.

    + +

    See the discussion under smtpd_tls_cert_file for more details.

    + +

    Example:

    + +
    +smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
    +
    + +

    This feature is available in Postfix 2.6 and later, when Postfix is +compiled and linked with OpenSSL 1.0.0 or later.

    + +%PARAM smtpd_tls_eckey_file $smtpd_tls_eccert_file + +

    File with the Postfix SMTP server ECDSA private key in PEM format. +This file may be combined with the Postfix SMTP server ECDSA certificate +file specified with $smtpd_tls_eccert_file. With Postfix ≥ 3.4 the +preferred way to configure server keys and certificates is via the +"smtpd_tls_chain_files" parameter.

    + +

    The private key must be accessible without a pass-phrase, i.e. it +must not be encrypted. File permissions should grant read-only +access to the system superuser account ("root"), and no access +to anyone else.

    + +

    This feature is available in Postfix 2.6 and later, when Postfix is +compiled and linked with OpenSSL 1.0.0 or later.

    + +%PARAM smtp_tls_eccert_file + +

    File with the Postfix SMTP client ECDSA certificate in PEM format. +This file may also contain the Postfix SMTP client ECDSA private key. +With Postfix ≥ 3.4 the preferred way to configure client keys and +certificates is via the "smtp_tls_chain_files" parameter.

    + +

    See the discussion under smtp_tls_cert_file for more details. +

    + +

    Example:

    + +
    +smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
    +
    + +

    This feature is available in Postfix 2.6 and later, when Postfix is +compiled and linked with OpenSSL 1.0.0 or later.

    + +%PARAM smtp_tls_eckey_file $smtp_tls_eccert_file + +

    File with the Postfix SMTP client ECDSA private key in PEM format. +This file may be combined with the Postfix SMTP client ECDSA certificate +file specified with $smtp_tls_eccert_file. With Postfix ≥ 3.4 the +preferred way to configure client keys and certificates is via the +"smtp_tls_chain_files" parameter.

    + +

    The private key must be accessible without a pass-phrase, i.e. it +must not be encrypted. File permissions should grant read-only +access to the system superuser account ("root"), and no access +to anyone else.

    + +

    This feature is available in Postfix 2.6 and later, when Postfix is +compiled and linked with OpenSSL 1.0.0 or later.

    + +%PARAM lmtp_tls_eccert_file + +

    The LMTP-specific version of the smtp_tls_eccert_file configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.6 and later, when Postfix is +compiled and linked with OpenSSL 1.0.0 or later.

    + +%PARAM lmtp_tls_eckey_file + +

    The LMTP-specific version of the smtp_tls_eckey_file configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.6 and later, when Postfix is +compiled and linked with OpenSSL 1.0.0 or later.

    + +%PARAM smtp_header_checks + +

    Restricted header_checks(5) tables for the Postfix SMTP client. +These tables are searched while mail is being delivered. Actions +that change the delivery time or destination are not available. +

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtp_mime_header_checks + +

    Restricted mime_header_checks(5) tables for the Postfix SMTP +client. These tables are searched while mail is being delivered. +Actions that change the delivery time or destination are not +available.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtp_nested_header_checks + +

    Restricted nested_header_checks(5) tables for the Postfix SMTP +client. These tables are searched while mail is being delivered. +Actions that change the delivery time or destination are not +available.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtp_body_checks + +

    Restricted body_checks(5) tables for the Postfix SMTP client. +These tables are searched while mail is being delivered. Actions +that change the delivery time or destination are not available. +

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM destination_concurrency_feedback_debug no + +

    Make the queue manager's feedback algorithm verbose for performance +analysis purposes.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM default_destination_concurrency_failed_cohort_limit 1 + +

    How many pseudo-cohorts must suffer connection or handshake +failure before a specific destination is considered unavailable +(and further delivery is suspended). Specify zero to disable this +feature. A destination's pseudo-cohort failure count is reset each +time a delivery completes without connection or handshake failure +for that specific destination.

    + +

    A pseudo-cohort is the number of deliveries equal to a destination's +delivery concurrency.

    + +

    Use transport_destination_concurrency_failed_cohort_limit to specify +a transport-specific override, where transport is the master.cf +name of the message delivery transport.

    + +

    This feature is available in Postfix 2.5. The default setting +is compatible with earlier Postfix versions.

    + +%PARAM default_destination_concurrency_negative_feedback 1 + +

    The per-destination amount of delivery concurrency negative +feedback, after a delivery completes with a connection or handshake +failure. Feedback values are in the range 0..1 inclusive. With +negative feedback, concurrency is decremented at the beginning of +a sequence of length 1/feedback. This is unlike positive feedback, +where concurrency is incremented at the end of a sequence of length +1/feedback.

    + +

    As of Postfix version 2.5, negative feedback cannot reduce +delivery concurrency to zero. Instead, a destination is marked +dead (further delivery suspended) after the failed pseudo-cohort +count reaches $default_destination_concurrency_failed_cohort_limit +(or $transport_destination_concurrency_failed_cohort_limit). +To make the scheduler completely immune to connection or handshake +failures, specify a zero feedback value and a zero failed pseudo-cohort +limit.

    + +

    Specify one of the following forms:

    + +
    + +
    number
    + +
    number / number
    + +
    Constant feedback. The value must be in the range 0..1 inclusive. +The default setting of "1" is compatible with Postfix versions +before 2.5, where a destination's delivery concurrency is throttled +down to zero (and further delivery suspended) after a single failed +pseudo-cohort.
    + +
    number / concurrency
    + +
    Variable feedback of "number / (delivery concurrency)". +The number must be in the range 0..1 inclusive. With +number equal to "1", a destination's delivery concurrency +is decremented by 1 after each failed pseudo-cohort.
    + + + +
    + +

    A pseudo-cohort is the number of deliveries equal to a destination's +delivery concurrency.

    + +

    Use transport_destination_concurrency_negative_feedback +to specify a transport-specific override, where transport +is the master.cf +name of the message delivery transport.

    + +

    This feature is available in Postfix 2.5. The default setting +is compatible with earlier Postfix versions.

    + +%PARAM default_destination_concurrency_positive_feedback 1 + +

    The per-destination amount of delivery concurrency positive +feedback, after a delivery completes without connection or handshake +failure. Feedback values are in the range 0..1 inclusive. The +concurrency increases until it reaches the per-destination maximal +concurrency limit. With positive feedback, concurrency is incremented +at the end of a sequence with length 1/feedback. This is unlike +negative feedback, where concurrency is decremented at the start +of a sequence of length 1/feedback.

    + +

    Specify one of the following forms:

    + +
    + +
    number
    + +
    number / number
    + +
    Constant feedback. The value must be in the range 0..1 +inclusive. The default setting of "1" is compatible with Postfix +versions before 2.5, where a destination's delivery concurrency +doubles after each successful pseudo-cohort.
    + +
    number / concurrency
    + +
    Variable feedback of "number / (delivery concurrency)". +The number must be in the range 0..1 inclusive. With +number equal to "1", a destination's delivery concurrency +is incremented by 1 after each successful pseudo-cohort.
    + + + +
    + +

    A pseudo-cohort is the number of deliveries equal to a destination's +delivery concurrency.

    + +

    Use transport_destination_concurrency_positive_feedback +to specify a transport-specific override, where transport +is the master.cf name of the message delivery transport.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM transport_destination_concurrency_failed_cohort_limit $default_destination_concurrency_failed_cohort_limit + +

    A transport-specific override for the +default_destination_concurrency_failed_cohort_limit parameter value, +where transport is the master.cf name of the message delivery +transport.

    + +

    Note: some transport_destination_concurrency_failed_cohort_limit +parameters will not show up in "postconf" command output before +Postfix version 2.9. This limitation applies to many parameters +whose name is a combination of a master.cf service name and a +built-in suffix (in this case: +"_destination_concurrency_failed_cohort_limit").

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM transport_destination_concurrency_positive_feedback $default_destination_concurrency_positive_feedback + +

    A transport-specific override for the +default_destination_concurrency_positive_feedback parameter value, +where transport is the master.cf name of the message delivery +transport.

    + +

    Note: some transport_destination_concurrency_positive_feedback +parameters will not show up in "postconf" command output before +Postfix version 2.9. This limitation applies to many parameters +whose name is a combination of a master.cf service name and a +built-in suffix (in this case: +"_destination_concurrency_positive_feedback").

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM transport_destination_concurrency_negative_feedback $default_destination_concurrency_negative_feedback + +

    A transport-specific override for the +default_destination_concurrency_negative_feedback parameter value, +where transport is the master.cf name of the message delivery +transport.

    + +

    Note: some transport_destination_concurrency_negative_feedback +parameters will not show up in "postconf" command output before +Postfix version 2.9. This limitation applies to many parameters +whose name is a combination of a master.cf service name and a +built-in suffix (in this case: +"_destination_concurrency_negative_feedback").

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM transport_initial_destination_concurrency $initial_destination_concurrency + +

    A transport-specific override for the initial_destination_concurrency +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: some transport_initial_destination_concurrency +parameters will not show up in "postconf" command output before +Postfix version 2.9. This limitation applies to many parameters +whose name is a combination of a master.cf service name and a +built-in suffix (in this case: "_initial_destination_concurrency"). +

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM transport_destination_concurrency_limit $default_destination_concurrency_limit + +

    A transport-specific override for the +default_destination_concurrency_limit parameter value, where +transport is the master.cf name of the message delivery +transport.

    + +

    Note: some transport_destination_concurrency_limit +parameters will not show up in "postconf" command output before +Postfix version 2.9. This limitation applies to many parameters +whose name is a combination of a master.cf service name and a +built-in suffix (in this case: "_destination_concurrency_limit"). +

    + +%PARAM transport_destination_recipient_limit $default_destination_recipient_limit + +

    A transport-specific override for the +default_destination_recipient_limit parameter value, where +transport is the master.cf name of the message delivery +transport.

    + +

    Note: some transport_destination_recipient_limit parameters +will not show up in "postconf" command output before Postfix version +2.9. This limitation applies to many parameters whose name is a +combination of a master.cf service name and a built-in suffix (in +this case: "_destination_recipient_limit").

    + +%PARAM transport_time_limit $command_time_limit + +

    A transport-specific override for the command_time_limit parameter +value, where transport is the master.cf name of the message +delivery transport.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    Note: transport_time_limit parameters will not show up +in "postconf" command output before Postfix version 2.9. This +limitation applies to many parameters whose name is a combination +of a master.cf service name and a built-in suffix (in this case: +"_time_limit").

    + +%PARAM transport_delivery_slot_cost $default_delivery_slot_cost + +

    A transport-specific override for the default_delivery_slot_cost +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: transport_delivery_slot_cost parameters will not +show up in "postconf" command output before Postfix version 2.9. +This limitation applies to many parameters whose name is a combination +of a master.cf service name and a built-in suffix (in this case: +"_delivery_slot_cost").

    + +%PARAM transport_delivery_slot_loan $default_delivery_slot_loan + +

    A transport-specific override for the default_delivery_slot_loan +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: transport_delivery_slot_loan parameters will not +show up in "postconf" command output before Postfix version 2.9. +This limitation applies to many parameters whose name is a combination +of a master.cf service name and a built-in suffix (in this case: +"_delivery_slot_loan").

    + +%PARAM transport_delivery_slot_discount $default_delivery_slot_discount + +

    A transport-specific override for the default_delivery_slot_discount +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: transport_delivery_slot_discount parameters will +not show up in "postconf" command output before Postfix version +2.9. This limitation applies to many parameters whose name is a +combination of a master.cf service name and a built-in suffix (in +this case: "_delivery_slot_discount").

    + +%PARAM transport_minimum_delivery_slots $default_minimum_delivery_slots + +

    A transport-specific override for the default_minimum_delivery_slots +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: transport_minimum_delivery_slots parameters will +not show up in "postconf" command output before Postfix version +2.9. This limitation applies to many parameters whose name is a +combination of a master.cf service name and a built-in suffix (in +this case: "_minimum_delivery_slots").

    + +%PARAM transport_recipient_limit $default_recipient_limit + +

    A transport-specific override for the default_recipient_limit +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: some transport_recipient_limit parameters will not +show up in "postconf" command output before Postfix version 2.9. +This limitation applies to many parameters whose name is a combination +of a master.cf service name and a built-in suffix (in this case: +"_recipient_limit").

    + +%PARAM transport_extra_recipient_limit $default_extra_recipient_limit + +

    A transport-specific override for the default_extra_recipient_limit +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: transport_extra_recipient_limit parameters will +not show up in "postconf" command output before Postfix version +2.9. This limitation applies to many parameters whose name is a +combination of a master.cf service name and a built-in suffix (in +this case: "_extra_recipient_limit").

    + +%PARAM transport_recipient_refill_limit $default_recipient_refill_limit + +

    A transport-specific override for the default_recipient_refill_limit +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: transport_recipient_refill_limit parameters will +not show up in "postconf" command output before Postfix version +2.9. This limitation applies to many parameters whose name is a +combination of a master.cf service name and a built-in suffix (in +this case: "_recipient_refill_limit").

    + +

    This feature is available in Postfix 2.4 and later.

    + +%PARAM transport_recipient_refill_delay $default_recipient_refill_delay + +

    A transport-specific override for the default_recipient_refill_delay +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: transport_recipient_refill_delay parameters will +not show up in "postconf" command output before Postfix version +2.9. This limitation applies to many parameters whose name is a +combination of a master.cf service name and a built-in suffix (in +this case: "_recipient_refill_delay").

    + +

    This feature is available in Postfix 2.4 and later.

    + +%PARAM default_transport_rate_delay 0s + +

    The default amount of delay that is inserted between individual +message deliveries over the same message delivery transport, +regardless of destination. Specify a non-zero value to rate-limit +those message deliveries to at most one per $default_transport_rate_delay. +

    + +

    Use transport_transport_rate_delay to specify a +transport-specific override, where the initial transport is +the master.cf name of the message delivery transport.

    + +

    Example: throttle outbound SMTP mail to at most 3 deliveries +per minute.

    + +
    +/etc/postfix/main.cf:
    +    smtp_transport_rate_delay = 20s
    +
    + +

    To enable the delay, specify a non-zero time value (an integral +value plus an optional one-letter suffix that specifies the time +unit).

    + +

    Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks). The default time unit is s (seconds).

    + +

    NOTE: the delay is enforced by the queue manager.

    + +

    This feature is available in Postfix 3.1 and later.

    + +%PARAM transport_transport_rate_delay $default_transport_rate_delay + +

    A transport-specific override for the default_transport_rate_delay +parameter value, where the initial transport in the parameter +name is the master.cf name of the message delivery transport.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    Note: transport_transport_rate_delay parameters will +not show up in "postconf" command output before Postfix version +2.9. This limitation applies to many parameters whose name is a +combination of a master.cf service name and a built-in suffix (in +this case: "_transport_rate_delay").

    + +%PARAM default_destination_rate_delay 0s + +

    The default amount of delay that is inserted between individual +message deliveries to the same destination and over the same message +delivery transport. Specify a non-zero value to rate-limit those +message deliveries to at most one per $default_destination_rate_delay. +

    + +

    The resulting behavior depends on the value of the corresponding +per-destination recipient limit. + +

    + +
      + +
    • With a corresponding per-destination recipient limit > +1, the rate delay specifies the time between deliveries to the +same domain. Different domains are delivered in parallel, +subject to the process limits specified in master.cf.

      + +
    • With a corresponding per-destination recipient limit equal +to 1, the rate delay specifies the time between deliveries to the +same recipient. Different recipients are delivered in +parallel, subject to the process limits specified in master.cf. +

      + +
    + +

    To enable the delay, specify a non-zero time value (an integral +value plus an optional one-letter suffix that specifies the time +unit).

    + +

    Time units: s (seconds), m (minutes), h (hours), d (days), w +(weeks). The default time unit is s (seconds).

    + +

    NOTE: the delay is enforced by the queue manager. The delay +timer state does not survive "postfix reload" or "postfix +stop". +

    + +

    Use transport_destination_rate_delay to specify a +transport-specific override, where transport is the master.cf +name of the message delivery transport. +

    + +

    NOTE: with a non-zero _destination_rate_delay, specify a +transport_destination_concurrency_failed_cohort_limit of 10 +or more to prevent Postfix from deferring all mail for the same +destination after only one connection or handshake error.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM transport_destination_rate_delay $default_destination_rate_delay + +

    A transport-specific override for the default_destination_rate_delay +parameter value, where transport is the master.cf name of +the message delivery transport.

    + +

    Note: some transport_destination_rate_delay parameters +will not show up in "postconf" command output before Postfix version +2.9. This limitation applies to many parameters whose name is a +combination of a master.cf service name and a built-in suffix (in +this case: "_destination_rate_delay").

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM data_directory see "postconf -d" output + +

    The directory with Postfix-writable data files (for example: +caches, pseudo-random numbers). This directory must be owned by +the mail_owner account, and must not be shared with non-Postfix +software.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM stress + +

    This feature is documented in the STRESS_README document.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtp_sasl_auth_soft_bounce yes + +

    When a remote SMTP server rejects a SASL authentication request +with a 535 reply code, defer mail delivery instead of returning +mail as undeliverable. The latter behavior was hard-coded prior to +Postfix version 2.5.

    + +

    Note: the setting "yes" overrides the global soft_bounce +parameter, but the setting "no" does not.

    + +

    Example:

    + +
    +# Default as of Postfix 2.5
    +smtp_sasl_auth_soft_bounce = yes
    +# The old hard-coded default
    +smtp_sasl_auth_soft_bounce = no
    +
    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtp_sasl_auth_cache_name + +

    An optional table to prevent repeated SASL authentication +failures with the same remote SMTP server hostname, username and +password. Each table (key, value) pair contains a server name, a +username and password, and the full server response. This information +is stored when a remote SMTP server rejects an authentication attempt +with a 535 reply code. As long as the smtp_sasl_password_maps +information does not change, and as long as the smtp_sasl_auth_cache_name +information does not expire (see smtp_sasl_auth_cache_time) the +Postfix SMTP client avoids SASL authentication attempts with the +same server, username and password, and instead bounces or defers +mail as controlled with the smtp_sasl_auth_soft_bounce configuration +parameter.

    + +

    Use a per-destination delivery concurrency of 1 (for example, +"smtp_destination_concurrency_limit = 1", +"relay_destination_concurrency_limit = 1", etc.), otherwise multiple +delivery agents may experience a login failure at the same time. +

    + +

    The table must be accessed via the proxywrite service, i.e. the +map name must start with "proxy:". The table should be stored under +the directory specified with the data_directory parameter.

    + +

    This feature uses cryptographic hashing to protect plain-text +passwords, and requires that Postfix is compiled with TLS support. +

    + +

    Example:

    + +
    +smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
    +
    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM smtp_sasl_auth_cache_time 90d + +

    The maximal age of an smtp_sasl_auth_cache_name entry before it +is removed.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_sasl_auth_soft_bounce yes + +

    The LMTP-specific version of the smtp_sasl_auth_soft_bounce +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_sasl_auth_cache_name + +

    The LMTP-specific version of the smtp_sasl_auth_cache_name +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_sasl_auth_cache_time 90d + +

    The LMTP-specific version of the smtp_sasl_auth_cache_time +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM unverified_sender_reject_reason + +

    The Postfix SMTP server's reply when rejecting mail with +reject_unverified_sender. Do not include the numeric SMTP reply +code or the enhanced status code. By default, the response includes +actual address verification details. + +

    Example:

    + +
    +unverified_sender_reject_reason = Sender address lookup failed
    +
    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM unverified_recipient_reject_reason + +

    The Postfix SMTP server's reply when rejecting mail with +reject_unverified_recipient. Do not include the numeric SMTP reply +code or the enhanced status code. By default, the response includes +actual address verification details. + +

    Example:

    + +
    +unverified_recipient_reject_reason = Recipient address lookup failed
    +
    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM strict_mailbox_ownership yes + +

    Defer delivery when a mailbox file is not owned by its recipient. +The default setting is not backwards compatible.

    + +

    This feature is available in Postfix 2.5.3 and later.

    + +%PARAM proxymap_service_name proxymap + +

    The name of the proxymap read-only table lookup service. This +service is normally implemented by the proxymap(8) daemon.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM proxywrite_service_name proxywrite + +

    The name of the proxywrite read-write table lookup service. +This service is normally implemented by the proxymap(8) daemon. +

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM master_service_disable + +

    Selectively disable master(8) listener ports by service type +or by service name and type. Specify a list of service types +("inet", "unix", "fifo", or "pass") or "name/type" tuples, where +"name" is the first field of a master.cf entry and "type" is a +service type. As with other Postfix matchlists, a search stops at +the first match. Specify "!pattern" to exclude a service from the +list. By default, all master(8) listener ports are enabled.

    + +

    Note: this feature does not support "/file/name" or "type:table" +patterns, nor does it support wildcards such as "*" or "all". This +is intentional.

    + +

    Examples:

    + +
    +# With Postfix 2.6..2.10 use '.' instead of '/'.
    +# Turn on all master(8) listener ports (the default).
    +master_service_disable =
    +# Turn off only the main SMTP listener port.
    +master_service_disable = smtp/inet
    +# Turn off all TCP/IP listener ports.
    +master_service_disable = inet
    +# Turn off all TCP/IP listener ports except "foo".
    +master_service_disable = !foo/inet, inet
    +
    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM tcp_windowsize 0 + +

    An optional workaround for routers that break TCP window scaling. +Specify a value > 0 and < 65536 to enable this feature. With +Postfix TCP servers (smtpd(8), qmqpd(8)), this feature is implemented +by the Postfix master(8) daemon.

    + +

    To change this parameter without stopping Postfix, you need to +first terminate all Postfix TCP servers:

    + +
    +
    +# postconf -e master_service_disable=inet
    +# postfix reload
    +
    +
    + +

    This immediately terminates all processes that accept network +connections. Next, you enable Postfix TCP servers with the updated +tcp_windowsize setting:

    + +
    +
    +# postconf -e tcp_windowsize=65535 master_service_disable=
    +# postfix reload
    +
    +
    + +

    If you skip these steps with a running Postfix system, then the +tcp_windowsize change will work only for Postfix TCP clients (smtp(8), +lmtp(8)).

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM multi_instance_directories + +

    An optional list of non-default Postfix configuration directories; +these directories belong to additional Postfix instances that share +the Postfix executable files and documentation with the default +Postfix instance, and that are started, stopped, etc., together +with the default Postfix instance. Specify a list of pathnames +separated by comma or whitespace.

    + +

    When $multi_instance_directories is empty, the postfix(1) command +runs in single-instance mode and operates on a single Postfix +instance only. Otherwise, the postfix(1) command runs in multi-instance +mode and invokes the multi-instance manager specified with the +multi_instance_wrapper parameter. The multi-instance manager in +turn executes postfix(1) commands for the default instance and for +all Postfix instances in $multi_instance_directories.

    + +

    Currently, this parameter setting is ignored except for the +default main.cf file.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM multi_instance_wrapper + +

    The pathname of a multi-instance manager command that the +postfix(1) command invokes when the multi_instance_directories +parameter value is non-empty. The pathname may be followed by +initial command arguments separated by whitespace; shell +metacharacters such as quotes are not supported in this context. +

    + +

    The postfix(1) command invokes the manager command with the +postfix(1) non-option command arguments on the manager command line, +and with all installation configuration parameters exported into +the manager command process environment. The manager command in +turn invokes the postfix(1) command for individual Postfix instances +as "postfix -c config_directory command".

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM multi_instance_group + +

    The optional instance group name of this Postfix instance. A +group identifies closely-related Postfix instances that the +multi-instance manager can start, stop, etc., as a unit. This +parameter is reserved for the multi-instance manager.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM multi_instance_name + +

    The optional instance name of this Postfix instance. This name +becomes also the default value for the syslog_name parameter.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM multi_instance_enable no + +

    Allow this Postfix instance to be started, stopped, etc., by a +multi-instance manager. By default, new instances are created in +a safe state that prevents them from being started inadvertently. +This parameter is reserved for the multi-instance manager.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM reject_tempfail_action defer_if_permit + +

    The Postfix SMTP server's action when a reject-type restriction +fails due to a temporary error condition. Specify "defer" to defer +the remote SMTP client request immediately. With the default +"defer_if_permit" action, the Postfix SMTP server continues to look +for opportunities to reject mail, and defers the client request +only if it would otherwise be accepted.

    + +

    For finer control, see: unverified_recipient_tempfail_action, +unverified_sender_tempfail_action, unknown_address_tempfail_action, +and unknown_helo_hostname_tempfail_action.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM unverified_recipient_tempfail_action $reject_tempfail_action + +

    The Postfix SMTP server's action when reject_unverified_recipient +fails due to a temporary error condition. Specify "defer" to defer +the remote SMTP client request immediately. With the default +"defer_if_permit" action, the Postfix SMTP server continues to look +for opportunities to reject mail, and defers the client request +only if it would otherwise be accepted.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM unverified_sender_tempfail_action $reject_tempfail_action + +

    The Postfix SMTP server's action when reject_unverified_sender +fails due to a temporary error condition. Specify "defer" to defer +the remote SMTP client request immediately. With the default +"defer_if_permit" action, the Postfix SMTP server continues to look +for opportunities to reject mail, and defers the client request +only if it would otherwise be accepted.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM unknown_address_tempfail_action $reject_tempfail_action + +

    The Postfix SMTP server's action when reject_unknown_sender_domain +or reject_unknown_recipient_domain fail due to a temporary error +condition. Specify "defer" to defer the remote SMTP client request +immediately. With the default "defer_if_permit" action, the Postfix +SMTP server continues to look for opportunities to reject mail, and +defers the client request only if it would otherwise be accepted. +

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM unknown_helo_hostname_tempfail_action $reject_tempfail_action + +

    The Postfix SMTP server's action when reject_unknown_helo_hostname +fails due to a temporary error condition. Specify "defer" to defer +the remote SMTP client request immediately. With the default +"defer_if_permit" action, the Postfix SMTP server continues to look +for opportunities to reject mail, and defers the client request +only if it would otherwise be accepted.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM postmulti_start_commands start + +

    The postfix(1) commands that the postmulti(1) instance manager treats +as "start" commands. For these commands, disabled instances are "checked" +rather than "started", and failure to "start" a member instance of an +instance group will abort the start-up of later instances.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM postmulti_stop_commands see "postconf -d" output + +

    The postfix(1) commands that the postmulti(1) instance manager treats +as "stop" commands. For these commands, disabled instances are skipped, +and enabled instances are processed in reverse order.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM postmulti_control_commands reload flush + +

    The postfix(1) commands that the postmulti(1) instance manager +treats as "control" commands, that operate on running instances. For +these commands, disabled instances are skipped.

    + +

    This feature is available in Postfix 2.6 and later.

    + +%PARAM lmtp_assume_final no + +

    When a remote LMTP server announces no DSN support, assume that +the +server performs final delivery, and send "delivered" delivery status +notifications instead of "relayed". The default setting is backwards +compatible to avoid the infinitesimal possibility of breaking +existing LMTP-based content filters.

    + +%PARAM always_add_missing_headers no + +

    Always add (Resent-) From:, To:, Date: or Message-ID: headers +when not present. Postfix 2.6 and later add these headers only +when clients match the local_header_rewrite_clients parameter +setting. Earlier Postfix versions always add these headers; this +may break DKIM signatures that cover non-existent headers. +The undisclosed_recipients_header parameter setting determines +whether a To: header will be added.

    + +%PARAM lmtp_header_checks + +

    The LMTP-specific version of the smtp_header_checks configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_mime_header_checks + +

    The LMTP-specific version of the smtp_mime_header_checks +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_nested_header_checks + +

    The LMTP-specific version of the smtp_nested_header_checks +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM lmtp_body_checks + +

    The LMTP-specific version of the smtp_body_checks configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 2.5 and later.

    + +%PARAM milter_header_checks + +

    Optional lookup tables for content inspection of message headers +that are produced by Milter applications. See the header_checks(5) +manual page available actions. Currently, PREPEND is not implemented. +

    + +

    The following example sends all mail that is marked as SPAM to +a spam handling machine. Note that matches are case-insensitive +by default.

    + +
    +/etc/postfix/main.cf:
    +    milter_header_checks = pcre:/etc/postfix/milter_header_checks
    +
    + +
    +/etc/postfix/milter_header_checks:
    +    /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
    +
    + +

    The milter_header_checks mechanism could also be used for +allowlisting. For example it could be used to skip heavy content +inspection for DKIM-signed mail from known friendly domains.

    + +

    This feature is available in Postfix 2.7, and as an optional +patch for Postfix 2.6.

    + +%PARAM postscreen_cache_map btree:$data_directory/postscreen_cache + +

    Persistent storage for the postscreen(8) server decisions.

    + +

    To share a postscreen(8) cache between multiple postscreen(8) +instances, use "postscreen_cache_map = proxy:btree:/path/to/file". +This requires Postfix version 2.9 or later; earlier proxymap(8) +implementations don't support cache cleanup. For an alternative +approach see the memcache_table(5) manpage.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM smtpd_service_name smtpd + +

    The internal service that postscreen(8) hands off allowed +connections to. In a future version there may be different +classes of SMTP service.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_post_queue_limit $default_process_limit + +

    The number of clients that can be waiting for service from a +real Postfix SMTP server process. When this queue is full, all +clients will +receive a 421 response.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_pre_queue_limit $default_process_limit + +

    The number of non-allowlisted clients that can be waiting for +a decision whether they will receive service from a real Postfix +SMTP server +process. When this queue is full, all non-allowlisted clients will +receive a 421 response.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_greet_ttl 1d + +

    The amount of time that postscreen(8) will use the result from +a successful PREGREET test. During this time, the client IP address +is excluded from this test. The default is relatively short, because +a good client can immediately talk to a real Postfix SMTP server.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_cache_retention_time 7d + +

    The amount of time that postscreen(8) will cache an expired +temporary allowlist entry before it is removed. This prevents clients +from being logged as "NEW" just because their cache entry expired +an hour ago. It also prevents the cache from filling up with clients +that passed some deep protocol test once and never came back.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_cache_cleanup_interval 12h + +

    The amount of time between postscreen(8) cache cleanup runs. +Cache cleanup increases the load on the cache database and should +therefore not be run frequently. This feature requires that the +cache database supports the "delete" and "sequence" operators. +Specify a zero interval to disable cache cleanup.

    + +

    After each cache cleanup run, the postscreen(8) daemon logs the +number of entries that were retained and dropped. A cleanup run is +logged as "partial" when the daemon terminates early after "postfix +reload", "postfix stop", or no requests for $max_idle +seconds.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is h (hours).

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_greet_wait normal: 6s, overload: 2s + +

    The amount of time that postscreen(8) will wait for an SMTP +client to send a command before its turn, and for DNS blocklist +lookup results to arrive (default: up to 2 seconds under stress, +up to 6 seconds otherwise).

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_dnsbl_sites + +

    Optional list of DNS allow/denylist domains, filters and weight +factors. When the list is non-empty, the dnsblog(8) daemon will +query these domains with the IP addresses of remote SMTP clients, +and postscreen(8) will update an SMTP client's DNSBL score with +each non-error reply.

    + +

    Caution: when postscreen rejects mail, it replies with the DNSBL +domain name. Use the postscreen_dnsbl_reply_map feature to hide +"password" information in DNSBL domain names.

    + +

    When a client's score is equal to or greater than the threshold +specified with postscreen_dnsbl_threshold, postscreen(8) can drop +the connection with the remote SMTP client.

    + +

    Specify a list of domain=filter*weight entries, separated by +comma or whitespace.

    + +
      + +
    • When no "=filter" is specified, postscreen(8) will use any +non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL +replies that match the filter. The filter has the form d.d.d.d, +where each d is a number, or a pattern inside [] that contains one +or more ";"-separated numbers or number..number ranges.

      + +
    • When no "*weight" is specified, postscreen(8) increments +the remote SMTP client's DNSBL score by 1. Otherwise, the weight must be +an integral number, and postscreen(8) adds the specified weight to +the remote SMTP client's DNSBL score. Specify a negative number for +allowlisting.

      + +
    • When one postscreen_dnsbl_sites entry produces multiple +DNSBL responses, postscreen(8) applies the weight at most once. +

      + +
    + +

    Examples:

    + +

    To use example.com as a high-confidence blocklist, and to +block mail with example.net and example.org only when both agree: +

    + +
     
    +postscreen_dnsbl_threshold = 2 
    +postscreen_dnsbl_sites = example.com*2, example.net, example.org 
    +
    + +

    To filter only DNSBL replies containing 127.0.0.4:

    + +
     
    +postscreen_dnsbl_sites = example.com=127.0.0.4 
    +
    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_dnsbl_action ignore + +

    The action that postscreen(8) takes when a remote SMTP client's combined +DNSBL score is equal to or greater than a threshold (as defined +with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold +parameters). Specify one of the following:

    + +
    + +
    ignore (default)
    + +
    Ignore the failure of this test. Allow other tests to complete. +Repeat this test the next time the client connects. +This option is useful for testing and collecting statistics +without blocking mail.
    + +
    enforce
    + +
    Allow other tests to complete. Reject attempts to deliver mail +with a 550 SMTP reply, and log the helo/sender/recipient information. +Repeat this test the next time the client connects.
    + +
    drop
    + +
    Drop the connection immediately with a 521 SMTP reply. Repeat +this test the next time the client connects.
    + +
    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_greet_action ignore + +

    The action that postscreen(8) takes when a remote SMTP client speaks +before its turn within the time specified with the postscreen_greet_wait +parameter. Specify one of the following:

    + +
    + +
    ignore (default)
    + +
    Ignore the failure of this test. Allow other tests to complete. +Repeat this test the next time the client connects. +This option is useful for testing and collecting statistics +without blocking mail.
    + +
    enforce
    + +
    Allow other tests to complete. Reject attempts to deliver mail +with a 550 SMTP reply, and log the helo/sender/recipient information. +Repeat this test the next time the client connects.
    + +
    drop
    + +
    Drop the connection immediately with a 521 SMTP reply. Repeat +this test the next time the client connects.
    + +
    + +

    In either case, postscreen(8) will not allowlist the remote SMTP client +IP address.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_access_list permit_mynetworks + +

    Permanent allow/denylist for remote SMTP client IP addresses. +postscreen(8) searches this list immediately after a remote SMTP +client connects. Specify a comma- or whitespace-separated list of +commands (in upper or lower case) or lookup tables. The search stops +upon the first command that fires for the client IP address.

    + +
    + +
    permit_mynetworks
    Allowlist the client and +terminate the search if the client IP address matches $mynetworks. +Do not subject the client to any before/after 220 greeting tests. +Pass the connection immediately to a Postfix SMTP server process. +
    Pattern matching of domain names is controlled by the presence +or absence of "postscreen_access_list" in the +parent_domain_matches_subdomains parameter value.
    + +
    type:table
    Query the specified lookup +table. Each table lookup result is an access list, except that +access lists inside a table cannot specify type:table entries.
    +To discourage the use of hash, btree, etc. tables, there is no +support for substring matching like smtpd(8). Use CIDR tables +instead.
    + +
    permit
    Allowlist the client and terminate +the search. Do not subject the client to any before/after 220 +greeting tests. Pass the connection immediately to a Postfix SMTP +server process.
    + +
    reject
    Denylist the client and terminate +the search. Subject the client to the action configured with the +postscreen_denylist_action configuration parameter.
    + +
    dunno
    All postscreen(8) access lists +implicitly have this command at the end.
    When dunno +is executed inside a lookup table, return from the lookup table and +evaluate the next command.
    When dunno is executed +outside a lookup table, terminate the search, and subject the client +to the configured before/after 220 greeting tests.
    + +
    + +

    Example:

    + +
    +/etc/postfix/main.cf:
    +    postscreen_access_list = permit_mynetworks, 
    +        cidr:/etc/postfix/postscreen_access.cidr
    +    # Postfix < 3.6 use postscreen_blacklist_action.
    +    postscreen_denylist_action = enforce
    +
    + +
    +/etc/postfix/postscreen_access.cidr:
    +    # Rules are evaluated in the order as specified.
    +    # Denylist 192.168.* except 192.168.0.1.
    +    192.168.0.1         dunno
    +    192.168.0.0/16      reject
    +
    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_greet_banner $smtpd_banner + +

    The text in the optional "220-text..." server +response that +postscreen(8) sends ahead of the real Postfix SMTP server's "220 +text..." response, in an attempt to confuse bad SMTP clients so +that they speak before their turn (pre-greet). Specify an empty +value to disable this feature.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_blacklist_action ignore + +

    Renamed to postscreen_denylist_action in Postfix 3.6.

    + +

    This feature is available in Postfix 2.8 - 3.5.

    + +%PARAM postscreen_denylist_action ignore + +

    The action that postscreen(8) takes when a remote SMTP client is +permanently denylisted with the postscreen_access_list parameter. +Specify one of the following:

    + +
    + +
    ignore (default)
    + +
    Ignore this result. Allow other tests to complete. Repeat +this test the next time the client connects. +This option is useful for testing and collecting statistics +without blocking mail.
    + +
    enforce
    + +
    Allow other tests to complete. Reject attempts to deliver mail +with a 550 SMTP reply, and log the helo/sender/recipient information. +Repeat this test the next time the client connects.
    + +
    drop
    + +
    Drop the connection immediately with a 521 SMTP reply. Repeat +this test the next time the client connects.
    + +
    + +

    This feature is available in Postfix 3.6 and later.

    + +

    Available as postscreen_blacklist_action in Postfix 2.8 - 3.5.

    + +%PARAM smtpd_command_filter + +

    A mechanism to transform commands from remote SMTP clients. +This is a last-resort tool to work around client commands that break +interoperability with the Postfix SMTP server. Other uses involve +fault injection to test Postfix's handling of invalid commands. +

    + +

    Specify the name of a "type:table" lookup table. The search +string is the SMTP command as received from the remote SMTP client, +except that initial whitespace and the trailing <CR><LF> +are removed. The result value is executed by the Postfix SMTP +server.

    + +

    There is no need to use smtpd_command_filter for the following +cases:

    + +
      + +
    • Use "resolve_numeric_domain = yes" to accept +"user@ipaddress".

      + +
    • Postfix already accepts the correct form +"user@[ipaddress]". Use virtual_alias_maps or canonical_maps +to translate these into domain names if necessary.

      + +
    • Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User +Name <user@example.com>>". Postfix will ignore the "User +Name" part and deliver to the <user@example.com> address. +

      + +
    + +

    Examples of problems that can be solved with the smtpd_command_filter +feature:

    + +
    +/etc/postfix/main.cf:
    +    smtpd_command_filter = pcre:/etc/postfix/command_filter
    +
    + +
    +/etc/postfix/command_filter:
    +    # Work around clients that send malformed HELO commands.
    +    /^HELO\s*$/ HELO domain.invalid
    +
    + +
    +    # Work around clients that send empty lines.
    +    /^\s*$/     NOOP
    +
    + +
    +    # Work around clients that send RCPT TO:<'user@domain'>.
    +    # WARNING: do not lose the parameters that follow the address.
    +    /^(RCPT\s+TO:\s*<)'([^[:space:]]+)'(>.*)/     $1$2$3
    +
    + +
    +    # Append XVERP to MAIL FROM commands to request VERP-style delivery.
    +    # See VERP_README for more information on how to use Postfix VERP.
    +    /^(MAIL\s+FROM:\s*<listname@example\.com>.*)/   $1 XVERP
    +
    + +
    +    # Bounce-never mail sink. Use notify_classes=bounce,resource,software 
    +    # to send bounced mail to the postmaster (with message body removed).
    +    /^(RCPT\s+TO:\s*<.*>.*)\s+NOTIFY=\S+(.*)/     $1 NOTIFY=NEVER$2
    +    /^(RCPT\s+TO:.*)/                             $1 NOTIFY=NEVER
    +
    + +

    This feature is available in Postfix 2.7.

    + +%PARAM smtp_reply_filter + +

    A mechanism to transform replies from remote SMTP servers one +line at a time. This is a last-resort tool to work around server +replies that break interoperability with the Postfix SMTP client. +Other uses involve fault injection to test Postfix's handling of +invalid responses.

    + +

    Notes:

    + +
      + +
    • In the case of a multi-line reply, the Postfix SMTP client +uses the final reply line's numerical SMTP reply code and enhanced +status code.

      + +
    • The numerical SMTP reply code (XYZ) takes precedence over +the enhanced status code (X.Y.Z). When the enhanced status code +initial digit differs from the SMTP reply code initial digit, or +when no enhanced status code is present, the Postfix SMTP client +uses a generic enhanced status code (X.0.0) instead.

      + +
    + +

    Specify the name of a "type:table" lookup table. The search +string is a single SMTP reply line as received from the remote SMTP +server, except that the trailing <CR><LF> are removed. +When the lookup succeeds, the result replaces the single SMTP reply +line.

    + +

    Examples:

    + +
    +/etc/postfix/main.cf:
    +    smtp_reply_filter = pcre:/etc/postfix/reply_filter
    +
    + +
    +/etc/postfix/reply_filter:
    +    # Transform garbage into "250-filler..." so that it looks like
    +    # one line from a multi-line reply. It does not matter what we
    +    # substitute here as long it has the right syntax.  The Postfix
    +    # SMTP client will use the final line's numerical SMTP reply
    +    # code and enhanced status code.
    +    !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
    +
    + +

    This feature is available in Postfix 2.7.

    + +%PARAM lmtp_reply_filter + +

    The LMTP-specific version of the smtp_reply_filter +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.7 and later.

    + +%PARAM smtp_tls_block_early_mail_reply no + +

    Try to detect a mail hijacking attack based on a TLS protocol +vulnerability (CVE-2009-3555), where an attacker prepends malicious +HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. +The attack would succeed with non-Postfix SMTP servers that reply +to the malicious HELO, MAIL, RCPT, DATA commands after negotiating +the Postfix SMTP client TLS session.

    + +

    This feature is available in Postfix 2.7.

    + +%PARAM lmtp_tls_block_early_mail_reply + +

    The LMTP-specific version of the smtp_tls_block_early_mail_reply +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.7 and later.

    + +%PARAM empty_address_default_transport_maps_lookup_key <> + +

    The sender_dependent_default_transport_maps search string that +will be used instead of the null sender address.

    + +

    This feature is available in Postfix 2.7 and later.

    + +%PARAM sender_dependent_default_transport_maps + +

    A sender-dependent override for the global default_transport +parameter setting. The tables are searched by the envelope sender +address and @domain. A lookup result of DUNNO terminates the search +without overriding the global default_transport parameter setting. +This information is overruled with the transport(5) table.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    Note: this overrides default_transport, not transport_maps, and +therefore the expected syntax is that of default_transport, not the +syntax of transport_maps. Specifically, this does not support the +transport_maps syntax for null transport, null nexthop, or null +email addresses.

    + +

    For safety reasons, this feature does not allow $number +substitutions in regular expression maps.

    + +

    This feature is available in Postfix 2.7 and later.

    + +%PARAM address_verify_sender_dependent_default_transport_maps $sender_dependent_default_transport_maps + +

    Overrides the sender_dependent_default_transport_maps parameter +setting for address verification probes.

    + +

    This feature is available in Postfix 2.7 and later.

    + +%PARAM default_filter_nexthop + +

    When a content_filter or FILTER request specifies no explicit +next-hop destination, use $default_filter_nexthop instead; when +that value is empty, use the domain in the recipient address. +Specify "default_filter_nexthop = $myhostname" for compatibility +with Postfix version 2.6 and earlier, or specify an explicit next-hop +destination with each content_filter value or FILTER action.

    + +

    This feature is available in Postfix 2.7 and later.

    + +%PARAM smtp_address_preference any + +

    The address type ("ipv6", "ipv4" or "any") that the Postfix +SMTP client will try first, when a destination has IPv6 and IPv4 +addresses with equal MX preference. This feature has no effect +unless the inet_protocols setting enables both IPv4 and IPv6.

    + +

    Postfix SMTP client address preference has evolved. With Postfix +2.8 the default is "ipv6"; earlier implementations are hard-coded +to prefer IPv6 over IPv4.

    + +

    Notes for mail delivery between sites that have both IPv4 and +IPv6 connectivity:

    + +
      + +
    • The setting "smtp_address_preference = ipv6" is unsafe. +It can fail to deliver mail when there is an outage that affects +IPv6, while the destination is still reachable over IPv4.

      + +
    • The setting "smtp_address_preference = any" is safe. With +this, mail will eventually be delivered even if there is an outage +that affects IPv6 or IPv4, as long as it does not affect both.

      + +
    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM lmtp_address_preference ipv6 + +

    The LMTP-specific version of the smtp_address_preference +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM smtp_dns_resolver_options + +

    DNS Resolver options for the Postfix SMTP client. Specify zero +or more of the following options, separated by comma or whitespace. +Option names are case-sensitive. Some options refer to domain names +that are specified in the file /etc/resolv.conf or equivalent.

    + +
    + +
    res_defnames
    + +
    Append the current domain name to single-component names (those +that do not contain a "." character). This can produce incorrect +results, and is the hard-coded behavior prior to Postfix 2.8.
    + +
    res_dnsrch
    + +
    Search for host names in the current domain and in parent +domains. This can produce incorrect results and is therefore not +recommended.
    + +
    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM lmtp_dns_resolver_options + +

    The LMTP-specific version of the smtp_dns_resolver_options +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM postscreen_dnsbl_threshold 1 + +

    The inclusive lower bound for blocking a remote SMTP client, based on +its combined DNSBL score as defined with the postscreen_dnsbl_sites +parameter.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_dnsbl_whitelist_threshold 0 + +

    Renamed to postscreen_dnsbl_allowlist_threshold in Postfix 3.6.

    + +

    This feature is available in Postfix 2.11 - 3.5.

    + +%PARAM postscreen_dnsbl_allowlist_threshold 0 + +

    Allow a remote SMTP client to skip "before" and "after 220 +greeting" protocol tests, based on its combined DNSBL score as +defined with the postscreen_dnsbl_sites parameter.

    + +

    Specify a negative value to enable this feature. When a client +passes the postscreen_dnsbl_allowlist_threshold without having +failed other tests, all pending or disabled tests are flagged as +completed with a time-to-live value equal to postscreen_dnsbl_ttl. +When a test was already completed, its time-to-live value is updated +if it was less than postscreen_dnsbl_ttl.

    + +

    This feature is available in Postfix 3.6 and later.

    + +

    Available as postscreen_dnsbl_whitelist_threshold in Postfix 2.11 +- 3.5.

    + +%PARAM postscreen_command_count_limit 20 + +

    The limit on the total number of commands per SMTP session for +postscreen(8)'s built-in SMTP protocol engine. This SMTP engine +defers or rejects all attempts to deliver mail, therefore there is +no need to enforce separate limits on the number of junk commands +and error commands.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_command_time_limit normal: 300s, overload: 10s + +

    The time limit to read an entire command line with postscreen(8)'s +built-in SMTP protocol engine.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_dnsbl_ttl 1h + +

    The amount of time that postscreen(8) will use the result from +a successful DNS-based reputation test before a client +IP address is required to pass that test again.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is h (hours).

    + +

    This feature is available in Postfix 2.8-3.0. It was +replaced by postscreen_dnsbl_max_ttl in Postfix 3.1.

    + +%PARAM postscreen_dnsbl_min_ttl 60s + +

    The minimum amount of time that postscreen(8) will use the +result from a successful DNS-based reputation test before a +client IP address is required to pass that test again. If the DNS +reply specifies a larger TTL value, that value will be used unless +it would be larger than postscreen_dnsbl_max_ttl.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 3.1.

    + +%PARAM postscreen_dnsbl_max_ttl ${postscreen_dnsbl_ttl?{$postscreen_dnsbl_ttl}:{1}}h + +

    The maximum amount of time that postscreen(8) will use the +result from a successful DNS-based reputation test before a +client IP address is required to pass that test again. If the DNS +reply specifies a shorter TTL value, that value will be used unless +it would be smaller than postscreen_dnsbl_min_ttl.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is h (hours).

    + +

    This feature is available in Postfix 3.1. The default setting +is backwards-compatible with older Postfix versions.

    + +%PARAM postscreen_pipelining_action enforce + +

    The action that postscreen(8) takes when a remote SMTP client +sends +multiple commands instead of sending one command and waiting for +the server to respond. Specify one of the following:

    + +
    + +
    ignore
    + +
    Ignore the failure of this test. Allow other tests to complete. +Do not repeat this test before the result from some +other test expires. +This option is useful for testing and collecting statistics +without blocking mail permanently.
    + +
    enforce
    + +
    Allow other tests to complete. Reject attempts to deliver mail +with a 550 SMTP reply, and log the helo/sender/recipient information. +Repeat this test the next time the client connects.
    + +
    drop
    + +
    Drop the connection immediately with a 521 SMTP reply. Repeat +this test the next time the client connects.
    + +
    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_pipelining_ttl 30d + +

    The amount of time that postscreen(8) will use the result from +a successful "pipelining" SMTP protocol test. During this time, the +client IP address is excluded from this test. The default is +long because a good client must disconnect after it passes the test, +before it can talk to a real Postfix SMTP server.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_pipelining_enable no + +

    Enable "pipelining" SMTP protocol tests in the postscreen(8) +server. These tests are expensive: a good client must disconnect +after it passes the test, before it can talk to a real Postfix SMTP +server.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_watchdog_timeout 10s + +

    How much time a postscreen(8) process may take to respond to +a remote SMTP client command or to perform a cache operation before it +is terminated by a built-in watchdog timer. This is a safety +mechanism that prevents postscreen(8) from becoming non-responsive +due to a bug in Postfix itself or in system software. To avoid +false alarms and unnecessary cache corruption this limit cannot be +set under 10s.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_helo_required $smtpd_helo_required + +

    Require that a remote SMTP client sends HELO or EHLO before +commencing a MAIL transaction.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_forbidden_commands $smtpd_forbidden_commands + +

    List of commands that the postscreen(8) server considers in +violation of the SMTP protocol. See smtpd_forbidden_commands for +syntax, and postscreen_non_smtp_command_action for possible actions. +

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_disable_vrfy_command $disable_vrfy_command + +

    Disable the SMTP VRFY command in the postscreen(8) daemon. See +disable_vrfy_command for details.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_non_smtp_command_action drop + +

    The action that postscreen(8) takes when a remote SMTP client sends +non-SMTP commands as specified with the postscreen_forbidden_commands +parameter. Specify one of the following:

    + +
    + +
    ignore
    + +
    Ignore the failure of this test. Allow other tests to complete. +Do not repeat this test before the result from some +other test expires. +This option is useful for testing and collecting statistics +without blocking mail permanently.
    + +
    enforce
    + +
    Allow other tests to complete. Reject attempts to deliver mail +with a 550 SMTP reply, and log the helo/sender/recipient information. +Repeat this test the next time the client connects.
    + +
    drop
    + +
    Drop the connection immediately with a 521 SMTP reply. Repeat +this test the next time the client connects. This action is the +same as with the Postfix SMTP server's smtpd_forbidden_commands +feature.
    + +
    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_non_smtp_command_ttl 30d + +

    The amount of time that postscreen(8) will use the result from +a successful "non_smtp_command" SMTP protocol test. During this +time, the client IP address is excluded from this test. The default +is long because a client must disconnect after it passes the test, +before it can talk to a real Postfix SMTP server.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_non_smtp_command_enable no + +

    Enable "non-SMTP command" tests in the postscreen(8) server. These +tests are expensive: a client must disconnect after it passes the +test, before it can talk to a real Postfix SMTP server.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_dnsbl_reply_map + +

    A mapping from an actual DNSBL domain name which includes a secret +password, to the DNSBL domain name that postscreen will reply with +when it rejects mail. When no mapping is found, the actual DNSBL +domain will be used.

    + +

    For maximal stability it is best to use a file that is read +into memory such as pcre:, regexp: or texthash: (texthash: is similar +to hash:, except a) there is no need to run postmap(1) before the +file can be used, and b) texthash: does not detect changes after +the file is read).

    + +

    Example:

    + +
    +/etc/postfix/main.cf:
    +    postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
    +
    + +
    +/etc/postfix/dnsbl_reply:
    +   secret.zen.spamhaus.org	zen.spamhaus.org
    +
    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_dnsbl_timeout 10s + +

    The time limit for DNSBL or DNSWL lookups. This is separate from +the timeouts in the dnsblog(8) daemon which are defined by system +resolver(3) routines.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 3.0.

    +%PARAM postscreen_bare_newline_action ignore + +

    The action that postscreen(8) takes when a remote SMTP client sends +a bare newline character, that is, a newline not preceded by carriage +return. Specify one of the following:

    + +
    + +
    ignore
    + +
    Ignore the failure of this test. Allow other tests to complete. +Do not repeat this test before the result from some +other test expires. +This option is useful for testing and collecting statistics +without blocking mail permanently.
    + +
    enforce
    + +
    Allow other tests to complete. Reject attempts to deliver mail +with a 550 SMTP reply, and log the helo/sender/recipient information. +Repeat this test the next time the client connects.
    + +
    drop
    + +
    Drop the connection immediately with a 521 SMTP reply. Repeat +this test the next time the client connects.
    + +
    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_bare_newline_ttl 30d + +

    The amount of time that postscreen(8) will use the result from +a successful "bare newline" SMTP protocol test. During this +time, the client IP address is excluded from this test. The default +is long because a remote SMTP client must disconnect after it passes +the test, +before it can talk to a real Postfix SMTP server.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is d (days).

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_bare_newline_enable no + +

    Enable "bare newline" SMTP protocol tests in the postscreen(8) +server. These tests are expensive: a remote SMTP client must +disconnect after +it passes the test, before it can talk to a real Postfix SMTP server. +

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM postscreen_client_connection_count_limit $smtpd_client_connection_count_limit + +

    How many simultaneous connections any remote SMTP client is +allowed to have +with the postscreen(8) daemon. By default, this limit is the same +as with the Postfix SMTP server. Note that the triage process can +take several seconds, with the time spent in postscreen_greet_wait +delay, and with the time spent talking to the postscreen(8) built-in +dummy SMTP protocol engine.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM dnsblog_reply_delay 0s + +

    A debugging aid to artificially delay DNS responses.

    + +

    This feature is available in Postfix 2.8.

    + +%PARAM reset_owner_alias no + +

    Reset the local(8) delivery agent's idea of the owner-alias +attribute, when delivering mail to a child alias that does not have +its own owner alias.

    + +

    This feature is available in Postfix 2.8 and later. With older +Postfix releases, the behavior is as if this parameter is set to +"yes".

    + +

    As documented in aliases(5), when an alias name has a +companion alias named owner-name, this will replace the +envelope sender address, so that delivery errors will be +reported to the owner alias instead of the sender. This configuration +is recommended for mailing lists.

    + +

    A less known property of the owner alias is that it also forces +the local(8) delivery agent to write local and remote addresses +from alias expansion to a new queue file, instead of attempting to +deliver mail to local addresses as soon as they come out of alias +expansion.

    + +

    Writing local addresses from alias expansion to a new queue +file allows for robust handling of temporary delivery errors: errors +with one local member have no effect on deliveries to other members +of the list. On the other hand, delivery to local addresses as +soon as they come out of alias expansion is fragile: a temporary +error with one local address from alias expansion will cause the +entire alias to be expanded repeatedly until the error goes away, +or until the message expires in the queue. In that case, a problem +with one list member results in multiple message deliveries to other +list members.

    + +

    The default behavior of Postfix 2.8 and later is to keep the +owner-alias attribute of the parent alias, when delivering mail to +a child alias that does not have its own owner alias. Then, local +addresses from that child alias will be written to a new queue file, +and a temporary error with one local address will not affect delivery +to other mailing list members.

    + +

    Unfortunately, older Postfix releases reset the owner-alias +attribute when delivering mail to a child alias that does not have +its own owner alias. To be precise, this resets only the decision +to create a new queue file, not the decision to override the envelope +sender address. The local(8) delivery agent then attempts to +deliver local addresses as soon as they come out of child alias +expansion. If delivery to any address from child alias expansion +fails with a temporary error condition, the entire mailing list may +be expanded repeatedly until the mail expires in the queue, resulting +in multiple deliveries of the same message to mailing list members. +

    + +%PARAM qmgr_ipc_timeout 60s + +

    The time limit for the queue manager to send or receive information +over an internal communication channel. The purpose is to break +out of deadlock situations. If the time limit is exceeded the +software either retries or aborts the operation.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM qmgr_daemon_timeout 1000s + +

    How much time a Postfix queue manager process may take to handle +a request before it is terminated by a built-in watchdog timer. +

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tls_preempt_cipherlist no + +

    With SSLv3 and later, use the Postfix SMTP server's cipher +preference order instead of the remote client's cipher preference +order.

    + +

    By default, the OpenSSL server selects the client's most preferred +cipher that the server supports. With SSLv3 and later, the server may +choose its own most preferred cipher that is supported (offered) by +the client. Setting "tls_preempt_cipherlist = yes" enables server cipher +preferences.

    + +

    While server cipher selection may in some cases lead to a more secure +or performant cipher choice, there is some risk of interoperability +issues. In the past, some SSL clients have listed lower priority ciphers +that they did not implement correctly. If the server chooses a cipher +that the client prefers less, it may select a cipher whose client +implementation is flawed. Most notably Windows 2003 Microsoft +Exchange servers have flawed implementations of DES-CBC3-SHA, which +OpenSSL considers stronger than RC4-SHA. Enabling server cipher-suite +selection may create interoperability issues with Windows 2003 +Microsoft Exchange clients.

    + +

    This feature is available in Postfix 2.8 and later, in combination +with OpenSSL 0.9.7 and later.

    + +%PARAM tls_disable_workarounds see "postconf -d" output + +

    List or bit-mask of OpenSSL bug work-arounds to disable.

    + +

    The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS +implementations. Applications, such as Postfix, that want to maximize +interoperability ask the OpenSSL library to enable the full set of +recommended work-arounds.

    + +

    From time to time, it is discovered that a work-around creates a +security issue, and should no longer be used. If upgrading OpenSSL +to a fixed version is not an option or an upgrade is not available +in a timely manner, or in closed environments where no buggy clients +or servers exist, it may be appropriate to disable some or all of the +OpenSSL interoperability work-arounds. This parameter specifies which +bug work-arounds to disable.

    + +

    If the value of the parameter is a hexadecimal long integer starting +with "0x", the bug work-arounds corresponding to the bits specified in +its value are removed from the SSL_OP_ALL work-around bit-mask +(see openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more +bits than are present in SSL_OP_ALL, excess bits are ignored. Specifying +0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should +also be sufficient on 64-bit systems, until OpenSSL abandons support +for 32-bit systems and starts using the high 32 bits of a 64-bit +bug-workaround mask.

    + +

    Otherwise, the parameter is a white-space or comma separated list +of specific named bug work-arounds chosen from the list below. It +is possible that your OpenSSL version includes new bug work-arounds +added after your Postfix source code was last updated, in that case +you can only disable one of these via the hexadecimal syntax above.

    + +
    + +
    CRYPTOPRO_TLSEXT_BUG
    New with GOST support in +OpenSSL 1.0.0.
    + +
    DONT_INSERT_EMPTY_FRAGMENTS
    See +SSL_CTX_set_options(3)
    + +
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3)
    + +
    MICROSOFT_BIG_SSLV3_BUFFER
    See +SSL_CTX_set_options(3)
    + +
    MICROSOFT_SESS_ID_BUG
    See SSL_CTX_set_options(3)
    + +
    MSIE_SSLV2_RSA_PADDING
    also aliased as +CVE-2005-2969. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.7h and OpenSSL 0.9.8a.
    + +
    NETSCAPE_CHALLENGE_BUG
    See SSL_CTX_set_options(3)
    + +
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    also aliased +as CVE-2010-4180. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.8q and OpenSSL 1.0.0c.
    + +
    SSLEAY_080_CLIENT_DH_BUG
    See +SSL_CTX_set_options(3)
    + +
    SSLREF2_REUSE_CERT_TYPE_BUG
    See +SSL_CTX_set_options(3)
    + +
    TLS_BLOCK_PADDING_BUG
    See SSL_CTX_set_options(3)
    + +
    TLS_D5_BUG
    See SSL_CTX_set_options(3)
    + +
    TLS_ROLLBACK_BUG
    See SSL_CTX_set_options(3). +This is disabled in OpenSSL 0.9.7 and later. Nobody should still +be using 0.9.6!
    + +
    TLSEXT_PADDING
    Postfix ≥ 3.4. See SSL_CTX_set_options(3).
    + +
    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tls_legacy_public_key_fingerprints no + +

    A temporary migration aid for sites that use certificate +public-key fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. This parameter has no effect on the certificate +fingerprint support that is available since Postfix 2.2.

    + +

    Specify "tls_legacy_public_key_fingerprints = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate public-key finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. To compute the correct +certificate public-key fingerprints, see TLS_README.

    + +

    This feature is available in Postfix 2.9.6 and later.

    + +%PARAM tlsproxy_watchdog_timeout 10s + +

    How much time a tlsproxy(8) process may take to process local +or remote I/O before it is terminated by a built-in watchdog timer. +This is a safety mechanism that prevents tlsproxy(8) from becoming +non-responsive due to a bug in Postfix itself or in system software. +To avoid false alarms and unnecessary cache corruption this limit +cannot be set under 10s.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.8 and later

    + +%PARAM postscreen_discard_ehlo_keywords $smtpd_discard_ehlo_keywords + +

    A case insensitive list of EHLO keywords (pipelining, starttls, +auth, etc.) that the postscreen(8) server will not send in the EHLO +response to a remote SMTP client. See smtpd_discard_ehlo_keywords +for details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM postscreen_discard_ehlo_keyword_address_maps $smtpd_discard_ehlo_keyword_address_maps + +

    Lookup tables, indexed by the remote SMTP client address, with +case insensitive lists of EHLO keywords (pipelining, starttls, auth, +etc.) that the postscreen(8) server will not send in the EHLO response +to a remote SMTP client. See smtpd_discard_ehlo_keywords for details. +The table is not searched by hostname for robustness reasons.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM postscreen_use_tls $smtpd_use_tls + +

    Opportunistic TLS: announce STARTTLS support to remote SMTP clients, +but do not require that clients use TLS encryption.

    + +

    This feature is available in Postfix 2.8 and later. +Preferably, use postscreen_tls_security_level instead.

    + +%PARAM postscreen_enforce_tls $smtpd_enforce_tls + +

    Mandatory TLS: announce STARTTLS support to remote SMTP clients, and +require that clients use TLS encryption. See smtpd_postscreen_enforce_tls +for details.

    + +

    This feature is available in Postfix 2.8 and later. +Preferably, use postscreen_tls_security_level instead.

    + +%PARAM postscreen_tls_security_level $smtpd_tls_security_level + +

    The SMTP TLS security level for the postscreen(8) server; when +a non-empty value is specified, this overrides the obsolete parameters +postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_security_level +for details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_enforce_tls $smtpd_enforce_tls + +

    Mandatory TLS: announce STARTTLS support to remote SMTP clients, and +require that clients use TLS encryption. See smtpd_enforce_tls for +further details. Use tlsproxy_tls_security_level instead.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_CAfile $smtpd_tls_CAfile + +

    A file containing (PEM format) CA certificates of root CAs +trusted to sign either remote SMTP client certificates or intermediate +CA certificates. See smtpd_tls_CAfile for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_CApath $smtpd_tls_CApath + +

    A directory containing (PEM format) CA certificates of root CAs +trusted to sign either remote SMTP client certificates or intermediate +CA certificates. See smtpd_tls_CApath for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_always_issue_session_ids $smtpd_tls_always_issue_session_ids + +

    Force the Postfix tlsproxy(8) server to issue a TLS session id, +even when TLS session caching is turned off. See +smtpd_tls_always_issue_session_ids for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_ask_ccert $smtpd_tls_ask_ccert + +

    Ask a remote SMTP client for a client certificate. See +smtpd_tls_ask_ccert for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_ccert_verifydepth $smtpd_tls_ccert_verifydepth + +

    The verification depth for remote SMTP client certificates. A +depth of 1 is sufficient if the issuing CA is listed in a local CA +file. See smtpd_tls_ccert_verifydepth for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_cert_file $smtpd_tls_cert_file + +

    File with the Postfix tlsproxy(8) server RSA certificate in PEM +format. This file may also contain the Postfix tlsproxy(8) server +private RSA key. See smtpd_tls_cert_file for further details. With +Postfix ≥ 3.4 the preferred way to configure tlsproxy server keys and +certificates is via the "tlsproxy_tls_chain_files" parameter.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_ciphers $smtpd_tls_ciphers + +

    The minimum TLS cipher grade that the Postfix tlsproxy(8) server +will use with opportunistic TLS encryption. See smtpd_tls_ciphers +for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_dcert_file $smtpd_tls_dcert_file + +

    File with the Postfix tlsproxy(8) server DSA certificate in PEM +format. This file may also contain the Postfix tlsproxy(8) server +private DSA key. DSA is obsolete and should not be used. See +smtpd_tls_dcert_file for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_dh1024_param_file $smtpd_tls_dh1024_param_file + +

    File with DH parameters that the Postfix tlsproxy(8) server +should use with non-export EDH ciphers. See smtpd_tls_dh1024_param_file +for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_dh512_param_file $smtpd_tls_dh512_param_file + +

    File with DH parameters that the Postfix tlsproxy(8) server +should use with export-grade EDH ciphers. See smtpd_tls_dh512_param_file +for further details. The default SMTP server cipher grade is +"medium" with Postfix releases after the middle of 2015, and as a +result export-grade cipher suites are by default not used.

    + +

    With Postfix ≥ 3.6 export-grade Diffie-Hellman key exchange +is no longer supported, and this parameter is silently ignored.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_dkey_file $smtpd_tls_dkey_file + +

    File with the Postfix tlsproxy(8) server DSA private key in PEM +format. This file may be combined with the Postfix tlsproxy(8) server +DSA certificate file specified with $smtpd_tls_dcert_file. DSA is +obsolete and should not be used. See smtpd_tls_dkey_file for further +details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_eccert_file $smtpd_tls_eccert_file + +

    File with the Postfix tlsproxy(8) server ECDSA certificate in PEM +format. This file may also contain the Postfix tlsproxy(8) server +private ECDSA key. See smtpd_tls_eccert_file for further details. With +Postfix ≥ 3.4 the preferred way to configure tlsproxy server keys and +certificates is via the "tlsproxy_tls_chain_files" parameter.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_eckey_file $smtpd_tls_eckey_file + +

    File with the Postfix tlsproxy(8) server ECDSA private key in PEM +format. This file may be combined with the Postfix tlsproxy(8) server +ECDSA certificate file specified with $smtpd_tls_eccert_file. See +smtpd_tls_eckey_file for further details. With Postfix ≥ 3.4 the +preferred way to configure tlsproxy server keys and certificates is via +the "tlsproxy_tls_chain_files" parameter.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_eecdh_grade $smtpd_tls_eecdh_grade + +

    The Postfix tlsproxy(8) server security grade for ephemeral +elliptic-curve Diffie-Hellman (EECDH) key exchange. See +smtpd_tls_eecdh_grade for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_exclude_ciphers $smtpd_tls_exclude_ciphers + +

    List of ciphers or cipher types to exclude from the tlsproxy(8) +server cipher list at all TLS security levels. See +smtpd_tls_exclude_ciphers for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_fingerprint_digest $smtpd_tls_fingerprint_digest + +

    The message digest algorithm to construct remote SMTP +client-certificate +fingerprints. See smtpd_tls_fingerprint_digest for further details. +

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_key_file $smtpd_tls_key_file + +

    File with the Postfix tlsproxy(8) server RSA private key in PEM +format. This file may be combined with the Postfix tlsproxy(8) server +RSA certificate file specified with $smtpd_tls_cert_file. See +smtpd_tls_key_file for further details. With Postfix ≥ 3.4 the +preferred way to configure tlsproxy server keys and certificates is via +the "tlsproxy_tls_chain_files" parameter.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_loglevel $smtpd_tls_loglevel + +

    Enable additional Postfix tlsproxy(8) server logging of TLS +activity. Each logging level also includes the information that +is logged at a lower logging level. See smtpd_tls_loglevel for +further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_mandatory_ciphers $smtpd_tls_mandatory_ciphers + +

    The minimum TLS cipher grade that the Postfix tlsproxy(8) server +will use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers +for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_mandatory_exclude_ciphers $smtpd_tls_mandatory_exclude_ciphers + +

    Additional list of ciphers or cipher types to exclude from the +tlsproxy(8) server cipher list at mandatory TLS security levels. +See smtpd_tls_mandatory_exclude_ciphers for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_mandatory_protocols $smtpd_tls_mandatory_protocols + +

    The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server +with mandatory TLS encryption. If the list is empty, the server +supports all available SSL/TLS protocol versions. See +smtpd_tls_mandatory_protocols for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_protocols $smtpd_tls_protocols + +

    List of TLS protocols that the Postfix tlsproxy(8) server will +exclude or include with opportunistic TLS encryption. See +smtpd_tls_protocols for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_req_ccert $smtpd_tls_req_ccert + +

    With mandatory TLS encryption, require a trusted remote SMTP +client certificate in order to allow TLS connections to proceed. +See smtpd_tls_req_ccert for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_security_level $smtpd_tls_security_level + +

    The SMTP TLS security level for the Postfix tlsproxy(8) server; +when a non-empty value is specified, this overrides the obsolete +parameters smtpd_use_tls and smtpd_enforce_tls. See +smtpd_tls_security_level for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_tls_session_cache_timeout $smtpd_tls_session_cache_timeout + +

    Obsolete expiration time of Postfix tlsproxy(8) server TLS session +cache information. Since the cache is shared with smtpd(8) and managed +by tlsmgr(8), there is only one expiration time for the SMTP server cache +shared by all three services, namely smtpd_tls_session_cache_timeout.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_use_tls $smtpd_use_tls + +

    Opportunistic TLS: announce STARTTLS support to remote SMTP clients, +but do not require that clients use TLS encryption. See smtpd_use_tls +for further details. Use tlsproxy_tls_security_level instead.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM smtpd_reject_footer + +

    Optional information that is appended after each Postfix SMTP +server +4XX or 5XX response.

    + +

    The following example uses "\c" at the start of the template +(supported in Postfix 2.10 and later) to suppress the line break +between the reply text and the footer text. With earlier Postfix +versions, the footer text always begins on a new line, and the "\c" +is output literally.

    + +
    +/etc/postfix/main.cf:
    +    smtpd_reject_footer = \c. For assistance, call 800-555-0101.
    +     Please provide the following information in your problem report:
    +     time ($localtime), client ($client_address) and server
    +     ($server_name).
    +
    + +

    Server response:

    + +
    +    550-5.5.1 <user@example> Recipient address rejected: User
    +    unknown. For assistance, call 800-555-0101. Please provide the
    +    following information in your problem report: time (Jan 4 15:42:00),
    +    client (192.168.1.248) and server (mail1.example.com).
    +
    + +

    Note: the above text is meant to make it easier to find the +Postfix logfile records for a failed SMTP session. The text itself +is not logged to the Postfix SMTP server's maillog file.

    + +

    Be sure to keep the text as short as possible. Long text may +be truncated before it is logged to the remote SMTP client's maillog +file, or before it is returned to the sender in a delivery status +notification.

    + +

    The template text is not subject to Postfix configuration +parameter $name expansion. Instead, this feature supports a limited +number of $name attributes in the footer text. These attributes are +replaced with their current value for the SMTP session.

    + +

    Note: specify $$name in footer text that is looked up from +regexp: or pcre:-based smtpd_reject_footer_maps, otherwise the +Postfix server will not use the footer text and will log a warning +instead.

    + +
    + +
    client_address
    The Client IP address that +is logged in the maillog file.
    + +
    client_port
    The client TCP port that is +logged in the maillog file.
    + +
    localtime
    The server local time (Mmm dd +hh:mm:ss) that is logged in the maillog file.
    + +
    server_name
    The server's myhostname value. +This attribute is made available for sites with multiple MTAs +(perhaps behind a load-balancer), where the server name can help +the server support team to quickly find the right log files.
    + +
    + +

    Notes:

    + +
      + +
    • NOT SUPPORTED are other attributes such as sender, recipient, +or main.cf parameters.

      + +
    • For safety reasons, text that does not match +$smtpd_expansion_filter is censored.

      + +
    + +

    This feature supports the two-character sequence \n as a request +for a line break in the footer text. Postfix automatically inserts +after each line break the three-digit SMTP reply code (and optional +enhanced status code) from the original Postfix reject message. +

    + +

    To work around mail software that mis-handles multi-line replies, +specify the two-character sequence \c at the start of the template. +This suppresses the line break between the reply text and the footer +text (Postfix 2.10 and later).

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM smtpd_reject_footer_maps + +

    Lookup tables, indexed by the complete Postfix SMTP server 4xx or +5xx response, with reject footer templates. See smtpd_reject_footer +for details.

    + +

    +Specify zero or more "type:name" lookup tables, separated by +whitespace or comma. Tables will be searched in the specified order +until a match is found. +

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM postscreen_expansion_filter see "postconf -d" output + +

    List of characters that are permitted in postscreen_reject_footer +attribute expansions. See smtpd_expansion_filter for further +details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM postscreen_reject_footer $smtpd_reject_footer + +

    Optional information that is appended after a 4XX or 5XX +postscreen(8) server +response. See smtpd_reject_footer for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM postscreen_reject_footer_maps $smtpd_reject_footer_maps + +

    Optional lookup table for information that is appended after a 4XX +or 5XX postscreen(8) server response. See smtpd_reject_footer_maps for +further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM postscreen_command_filter $smtpd_command_filter + +

    A mechanism to transform commands from remote SMTP clients. +See smtpd_command_filter for further details.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM dnsblog_service_name dnsblog + +

    The name of the dnsblog(8) service entry in master.cf. This +service performs DNS allow/denylist lookups.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM tlsproxy_service_name tlsproxy + +

    The name of the tlsproxy(8) service entry in master.cf. This +service performs plaintext <=> TLS ciphertext conversion.

    + +

    This feature is available in Postfix 2.8 and later.

    + +%PARAM smtpd_per_record_deadline normal: no, overload: yes + +

    Change the behavior of the smtpd_timeout and smtpd_starttls_timeout +time limits, from a +time limit per read or write system call, to a time limit to send +or receive a complete record (an SMTP command line, SMTP response +line, SMTP message content line, or TLS protocol message). This +limits the impact from hostile peers that trickle data one byte at +a time.

    + +

    Note: when per-record deadlines are enabled, a short timeout +may cause problems with TLS over very slow network connections. +The reasons are that a TLS protocol message can be up to 16 kbytes +long (with TLSv1), and that an entire TLS protocol message must be +sent or received within the per-record deadline.

    + +

    This feature is available in Postfix 2.9-3.6. With older +Postfix releases, the behavior is as if this parameter is set to +"no". Postfix 3.7 and later use smtpd_per_request_deadline.

    + +%PARAM smtp_per_record_deadline no + +

    Change the behavior of the smtp_*_timeout time limits, from a +time limit per read or write system call, to a time limit to send +or receive a complete record (an SMTP command line, SMTP response +line, SMTP message content line, or TLS protocol message). This +limits the impact from hostile peers that trickle data one byte at +a time.

    + +

    Note: when per-record deadlines are enabled, a short timeout +may cause problems with TLS over very slow network connections. +The reasons are that a TLS protocol message can be up to 16 kbytes +long (with TLSv1), and that an entire TLS protocol message must be +sent or received within the per-record deadline.

    + +

    This feature is available in Postfix 2.9-3.6. With older +Postfix releases, the behavior is as if this parameter is set to +"no". Postfix 3.7 and later use smtp_per_request_deadline.

    + +%PARAM lmtp_per_record_deadline no + +

    The LMTP-specific version of the smtp_per_record_deadline +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.9 and later.

    + +%PARAM postscreen_whitelist_interfaces static:all + +

    Renamed to postscreen_allowlist_interfaces in Postfix 3.6.

    + +

    This feature is available in Postfix 2.9 - 3.5.

    + +%PARAM postscreen_allowlist_interfaces static:all + +

    A list of local postscreen(8) server IP addresses where a +non-allowlisted remote SMTP client can obtain postscreen(8)'s temporary +allowlist status. This status is required before the client can +talk to a Postfix SMTP server process. By default, a client can +obtain postscreen(8)'s allowlist status on any local postscreen(8) +server IP address.

    + +

    When postscreen(8) listens on both primary and backup MX +addresses, the postscreen_allowlist_interfaces parameter can be +configured to give the temporary allowlist status only when a client +connects to a primary MX address. Once a client is allowlisted it +can talk to a Postfix SMTP server on any address. Thus, clients +that connect only to backup MX addresses will never become allowlisted, +and will never be allowed to talk to a Postfix SMTP server process. +

    + +

    Specify a list of network addresses or network/netmask patterns, +separated by commas and/or whitespace. The netmask specifies the +number of bits in the network part of a host address. Continue long +lines by starting the next line with whitespace.

    + +

    You can also specify "/file/name" or "type:table" patterns. A +"/file/name" pattern is replaced by its contents; a "type:table" +lookup table is matched when a table entry matches a lookup string +(the lookup result is ignored).

    + +

    The list is matched left to right, and the search stops on the +first match. Specify "!pattern" to exclude an address or network +block from the list.

    + +

    Note: IP version 6 address information must be specified inside +[] in the postscreen_allowlist_interfaces value, and in files +specified with "/file/name". IP version 6 addresses contain the +":" character, and would otherwise be confused with a "type:table" +pattern.

    + +

    Example:

    + +
    +/etc/postfix/main.cf:
    +    # Don't allowlist connections to the backup IP address.
    +    # Postfix < 3.6 use postscreen_whitelist_interfaces.
    +    postscreen_allowlist_interfaces = !168.100.189.8, static:all
    +
    + +

    This feature is available in Postfix 3.6 and later.

    + +

    Available as postscreen_whitelist_interfaces in Postfix 2.9 - 3.5.

    + +%PARAM postscreen_upstream_proxy_protocol + +

    The name of the proxy protocol used by an optional before-postscreen +proxy agent. When a proxy agent is used, this protocol conveys local +and remote address and port information. Specify +"postscreen_upstream_proxy_protocol = haproxy" to enable the haproxy +protocol; version 2 is supported with Postfix 3.5 and later.

    + +

    This feature is available in Postfix 2.10 and later.

    + +%PARAM postscreen_upstream_proxy_timeout 5s + +

    The time limit for the proxy protocol specified with the +postscreen_upstream_proxy_protocol parameter.

    + +

    This feature is available in Postfix 2.10 and later.

    + +%PARAM smtpd_upstream_proxy_protocol + +

    The name of the proxy protocol used by an optional before-smtpd +proxy agent. When a proxy agent is used, this protocol conveys local +and remote address and port information. Specify +"smtpd_upstream_proxy_protocol = haproxy" to enable the haproxy +protocol; version 2 is supported with Postfix 3.5 and later.

    + +

    NOTE: To use the nginx proxy with smtpd(8), enable the XCLIENT +protocol with smtpd_authorized_xclient_hosts. This supports SASL +authentication in the proxy agent (Postfix 2.9 and later).

    + +

    This feature is available in Postfix 2.10 and later.

    + +%PARAM smtpd_upstream_proxy_timeout 5s + +

    The time limit for the proxy protocol specified with the +smtpd_upstream_proxy_protocol parameter.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.10 and later.

    + +%PARAM enable_long_queue_ids no + +

    Enable long, non-repeating, queue IDs (queue file names). The +benefit of non-repeating names is simpler logfile analysis and +easier queue migration (there is no need to run "postsuper" to +change queue file names that don't match their message file inode +number).

    + +

    Note: see below for how to convert long queue file names to +Postfix ≤ 2.8.

    + +

    Changing the parameter value to "yes" has the following effects: +

    + +
      + +
    • Existing queue file names are not affected.

      + +
    • New queue files are created with names such as 3Pt2mN2VXxznjll. +These are encoded in a 52-character alphabet that contains digits +(0-9), upper-case letters (B-Z) and lower-case letters (b-z). For +safety reasons the vowels (AEIOUaeiou) are excluded from the alphabet. +The name format is: 6 or more characters for the time in seconds, +4 characters for the time in microseconds, the 'z'; the remainder +is the file inode number encoded in the first 51 characters of the +52-character alphabet.

      + +
    • New messages have a Message-ID header with +queueID@myhostname.

      + +
    • The mailq (postqueue -p) output has a wider Queue ID column. +The number of whitespace-separated fields is not changed.

      + +

    • The hash_queue_depth algorithm uses the first characters +of the queue file creation time in microseconds, after conversion +into hexadecimal representation. This produces the same queue hashing +behavior as if the queue file name was created with "enable_long_queue_ids += no".

      + +
    + +

    Changing the parameter value to "no" has the following effects: +

    + +
      + +
    • Existing long queue file names are renamed to the short +form (while running "postfix reload" or "postsuper").

      + +
    • New queue files are created with names such as C3CD21F3E90 +from a hexadecimal alphabet that contains digits (0-9) and upper-case +letters (A-F). The name format is: 5 characters for the time in +microseconds; the remainder is the file inode number.

      + +
    • New messages have a Message-ID header with +YYYYMMDDHHMMSS.queueid@myhostname, where +YYYYMMDDHHMMSS are the year, month, day, hour, minute and +second. + +

    • The mailq (postqueue -p) output has the same format as +with Postfix ≤ 2.8.

      + +

    • The hash_queue_depth algorithm uses the first characters +of the queue file name, with the hexadecimal representation of the +file creation time in microseconds.

      + +
    + +

    Before migration to Postfix ≤ 2.8, the following commands +are required to convert long queue file names into short names:

    + +
    +# postfix stop
    +# postconf enable_long_queue_ids=no
    +# postsuper
    +
    + +

    Repeat the postsuper command until it reports no more queue file +name changes.

    + +

    This feature is available in Postfix 2.9 and later.

    + +%PARAM sendmail_fix_line_endings always + +

    Controls how the Postfix sendmail command converts email message +line endings from <CR><LF> into UNIX format (<LF>). +

    + +
    + +
    always
    Always convert message lines ending +in <CR><LF>. This setting is the default with Postfix +2.9 and later.
    + +
    strict
    Convert message lines ending in +<CR><LF> only if the first input line ends in +<CR><LF>. This setting is backwards-compatible with +Postfix 2.8 and earlier.
    + +
    never
    Never convert message lines ending in +<CR><LF>. This setting exists for completeness only. +
    + +
    + +

    This feature is available in Postfix 2.9 and later.

    + +%PARAM smtp_send_dummy_mail_auth no + +

    Whether or not to append the "AUTH=<>" option to the MAIL +FROM command in SASL-authenticated SMTP sessions. The default is +not to send this, to avoid problems with broken remote SMTP servers. +Before Postfix 2.9 the behavior is as if "smtp_send_dummy_mail_auth += yes". + +

    This feature is available in Postfix 2.9 and later.

    + +%PARAM lmtp_send_dummy_mail_auth no + +

    The LMTP-specific version of the smtp_send_dummy_mail_auth +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.9 and later.

    + +%PARAM address_verify_sender_ttl 0s + +

    The time between changes in the time-dependent portion of address +verification probe sender addresses. The time-dependent portion is +appended to the localpart of the address specified with the +address_verify_sender parameter. This feature is ignored when the +probe sender addresses is the null sender, i.e. the address_verify_sender +value is empty or <>.

    + +

    Historically, the probe sender address was fixed. This has +caused such addresses to end up on spammer mailing lists, and has +resulted in wasted network and processing resources.

    + +

    To enable time-dependent probe sender addresses, specify a +non-zero time value. Specify a value of at least several hours, +to avoid problems with senders that use greylisting. Avoid nice +TTL values, to make the result less predictable.

    + +

    Specify a non-negative time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 2.9 and later.

    + +%PARAM smtp_address_verify_target rcpt + +

    In the context of email address verification, the SMTP protocol +stage that determines whether an email address is deliverable. +Specify one of "rcpt" or "data". The latter is needed with remote +SMTP servers that reject recipients after the DATA command. Use +transport_maps to apply this feature selectively:

    + +
    +
    +/etc/postfix/main.cf:
    +    transport_maps = hash:/etc/postfix/transport
    +
    +
    + +
    +
    +/etc/postfix/transport:
    +    smtp-domain-that-verifies-after-data    smtp-data-target:
    +    lmtp-domain-that-verifies-after-data    lmtp-data-target:
    +
    +
    + +
    +
    +/etc/postfix/master.cf:
    +    smtp-data-target    unix    -    -    n    -    -    smtp
    +        -o smtp_address_verify_target=data
    +    lmtp-data-target    unix    -    -    n    -    -    lmtp
    +        -o lmtp_address_verify_target=data
    +
    +
    + +

    Unselective use of the "data" target does no harm, but will +result in unnecessary "lost connection after DATA" events at remote +SMTP/LMTP servers.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM lmtp_address_verify_target rcpt + +

    The LMTP-specific version of the smtp_address_verify_target +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM daemon_table_open_error_is_fatal no + +

    How a Postfix daemon process handles errors while opening lookup +tables: gradual degradation or immediate termination.

    + +
    + +
    no (default)

    Gradual degradation: a +daemon process logs a message of type "error" and continues execution +with reduced functionality. Features that do not depend on the +unavailable table will work normally, while features that depend +on the table will result in a type "warning" message.
    When +the notify_classes parameter value contains the "data" class, the +Postfix SMTP server and client will report transcripts of sessions +with an error because a table is unavailable.

    + +
    yes (historical behavior)

    Immediate +termination: a daemon process logs a type "fatal" message and +terminates immediately. This option reduces the number of possible +code paths through Postfix, and may therefore be slightly more +secure than the default.

    + +
    + +

    For the sake of sanity, the number of type "error" messages is +limited to 13 over the lifetime of a daemon process.

    + +

    This feature is available in Postfix 2.9 and later.

    + +%PARAM smtpd_log_access_permit_actions + +

    Enable logging of the named "permit" actions in SMTP server +access lists (by default, the SMTP server logs "reject" actions but +not "permit" actions). This feature does not affect conditional +actions such as "defer_if_permit".

    + +

    Specify a list of "permit" action names, "/file/name" or +"type:table" patterns, separated by commas and/or whitespace. The +list is matched left to right, and the search stops on the first +match. A "/file/name" pattern is replaced by its contents; a +"type:table" lookup table is matched when a name matches a lookup +key (the lookup result is ignored). Continue long lines by starting +the next line with whitespace. Specify "!pattern" to exclude a name +from the list.

    + +

    Examples:

    + +
    +/etc/postfix/main.cf:
    +    # Log all "permit" actions.
    +    smtpd_log_access_permit_actions = static:all
    +
    + +
    +/etc/postfix/main.cf:
    +    # Log "permit_dnswl_client" only.
    +    smtpd_log_access_permit_actions = permit_dnswl_client
    +
    + +

    This feature is available in Postfix 2.10 and later.

    + +%PARAM smtp_dns_support_level + +

    Level of DNS support in the Postfix SMTP client. With +"smtp_dns_support_level" left at its empty default value, the legacy +"disable_dns_lookups" parameter controls whether DNS is enabled in +the Postfix SMTP client, otherwise the legacy parameter is ignored. +

    + +

    Specify one of the following:

    + +
    + +
    disabled
    + +
    Disable DNS lookups. No MX lookups are performed and hostname +to address lookups are unconditionally "native". This setting is +not appropriate for hosts that deliver mail to the public Internet. +Some obsolete how-to documents recommend disabling DNS lookups in +some configurations with content_filters. This is no longer required +and strongly discouraged.
    + +
    enabled
    + +
    Enable DNS lookups. Nexthop destination domains not enclosed +in "[]" will be subject to MX lookups. If "dns" and "native" are +included in the "smtp_host_lookup" parameter value, DNS will be +queried first to resolve MX-host A records, followed by "native" +lookups if no answer is found in DNS.
    + +
    dnssec
    + +
    Enable DNSSEC +lookups. The "dnssec" setting differs from the "enabled" setting +above in the following ways:
    • Any MX lookups will set +RES_USE_DNSSEC and RES_USE_EDNS0 to request DNSSEC-validated +responses. If the MX response is DNSSEC-validated the corresponding +hostnames are considered validated.
    • The address lookups of +validated hostnames are also validated, (provided of course +"smtp_host_lookup" includes "dns", see below).
    • Temporary +failures in DNSSEC-enabled hostname-to-address resolution block any +"native" lookups. Additional "native" lookups only happen when +DNSSEC lookups hard-fail (NODATA or NXDOMAIN).
    + +
    + +

    The Postfix SMTP client considers non-MX "[nexthop]" and +"[nexthop]:port" destinations equivalent to statically-validated +MX records of the form "nexthop. IN MX 0 nexthop." Therefore, +with "dnssec" support turned on, validated hostname-to-address +lookups apply to the nexthop domain of any "[nexthop]" or +"[nexthop]:port" destination. This is also true for LMTP "inet:host" +and "inet:host:port" destinations, as LMTP hostnames are never +subject to MX lookups.

    + +

    The "dnssec" setting is recommended only if you plan to use the +dane or dane-only TLS security +level, otherwise enabling DNSSEC support in Postfix offers no +additional security. Postfix DNSSEC support relies on an upstream +recursive nameserver that validates DNSSEC signatures. Such a DNS +server will always filter out forged DNS responses, even when Postfix +itself is not configured to use DNSSEC.

    + +

    When using Postfix DANE support the "smtp_host_lookup" parameter +should include "dns", as DANE is not applicable +to hosts resolved via "native" lookups.

    + +

    As mentioned above, Postfix is not a validating stub +resolver; it relies on the system's configured DNSSEC-validating +recursive +nameserver to perform all DNSSEC validation. Since this +nameserver's DNSSEC-validated responses will be fully trusted, it +is strongly recommended that the MTA host have a local DNSSEC-validating +recursive caching nameserver listening on a loopback address, and +be configured to use only this nameserver for all lookups. Otherwise, +Postfix may remain subject to man-in-the-middle attacks that forge +responses from the recursive nameserver

    + +

    DNSSEC support requires a version of Postfix compiled against a +reasonably-modern DNS resolver(3) library that implements the +RES_USE_DNSSEC and RES_USE_EDNS0 resolver options.

    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM lmtp_dns_support_level + +

    The LMTP-specific version of the smtp_dns_support_level +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM smtp_tls_trust_anchor_file + +

    Zero or more PEM-format files with trust-anchor certificates +and/or public keys. If the parameter is not empty the root CAs in +CAfile and CApath are no longer trusted. Rather, the Postfix SMTP +client will only trust certificate-chains signed by one of the +trust-anchors contained in the chosen files. The specified +trust-anchor certificates and public keys are not subject to +expiration, and need not be (self-signed) root CAs. They may, if +desired, be intermediate certificates. Therefore, these certificates +also may be found "in the middle" of the trust chain presented by +the remote SMTP server, and any untrusted issuing parent certificates +will be ignored. Specify a list of pathnames separated by comma +or whitespace.

    + +

    Whether specified in main.cf, or on a per-destination basis, +the trust-anchor PEM file must be accessible to the Postfix SMTP +client in the chroot jail if applicable. The trust-anchor file +should contain only certificates and public keys, no private key +material, and must be readable by the non-privileged $mail_owner +user. This allows destinations to be bound to a set of specific +CAs or public keys without trusting the same CAs for all destinations. +

    + +

    The main.cf parameter supports single-purpose Postfix installations +that send mail to a fixed set of SMTP peers. At most sites, if +trust-anchor files are used at all, they will be specified on a +per-destination basis via the "tafile" attribute of the "verify" +and "secure" levels in smtp_tls_policy_maps.

    + +

    The underlying mechanism is in support of RFC 7672 (DANE TLSA), +which defines mechanisms for an SMTP client MTA to securely determine +server TLS certificates via DNS.

    + +

    If you want your trust anchors to be public keys, with OpenSSL +you can extract a single PEM public key from a PEM X.509 file +containing a single certificate, as follows:

    + +
    +
    +$ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
    +
    +
    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM lmtp_tls_trust_anchor_file + +

    The LMTP-specific version of the smtp_tls_trust_anchor_file +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM tls_dane_trust_anchor_digest_enable yes + +

    Enable support for RFC 6698 (DANE TLSA) DNS records that contain +digests of trust-anchors with certificate usage "2". Do not change +this setting from its default value.

    + +

    This feature is available in Postfix 2.11 through 3.1. It has +been withdrawn in Postfix 3.2, as trust-anchor TLSA records are now +widely used and have proved sufficiently reliable. Postfix 3.2 and +later ignore this configuration parameter and behaves as though it +were set to "yes".

    + +%PARAM tls_wildcard_matches_multiple_labels yes + +

    Match multiple DNS labels with "*" in wildcard certificates. +

    + +

    Some mail service providers prepend the customer domain name +to a base domain for which they have a wildcard TLS certificate. +For example, the MX records for example.com hosted by example.net +may be:

    + +
    +
    +example.com. IN MX 0 example.com.mx1.example.net.
    +example.com. IN MX 0 example.com.mx2.example.net.
    +
    +
    + +

    and the TLS certificate may be for "*.example.net". The "*" +then corresponds with multiple labels in the mail server domain +name. While multi-label wildcards are not widely supported, and +are not blessed by any standard, there is little to be gained by +disallowing their use in this context.

    + +

    Notes:

    + +

      + +
    • In a certificate name, the "*" is special only when it is +used as the first label.

      + +
    • While Postfix (2.11 or later) can match "*" with multiple +domain name labels, other implementations likely will not.

      + +
    • Earlier Postfix implementations behave as if +"tls_wildcard_matches_multiple_labels = no".

      + +
    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM tls_ssl_options + +

    List or bit-mask of OpenSSL options to enable.

    + +

    The OpenSSL toolkit provides a set of options that applications +can enable to tune the OpenSSL behavior. Some of these work around +bugs in other implementations and are on by default. You can use +the tls_disable_workarounds parameter to selectively disable some +or all of the bug work-arounds, making OpenSSL more strict at the +cost of non-interoperability with SSL clients or servers that exhibit +the bugs.

    + +

    Other options are off by default, and typically enable or disable +features rather than bug work-arounds. These may be turned on (with +care) via the tls_ssl_options parameter. The value is a white-space +or comma separated list of named options chosen from the list below. +The names are not case-sensitive, you can use lower-case if you +prefer. The upper case values below match the corresponding macro +name in the ssl.h header file with the SSL_OP_ prefix removed. It +is possible that your OpenSSL version includes new options added +after your Postfix source code was last updated, in that case you +can only enable one of these via the hexadecimal syntax below.

    + +

    You should only enable features via the hexadecimal mask when +the need to control the feature is critical (to deal with a new +vulnerability or a serious interoperability problem). Postfix DOES +NOT promise backwards compatible behavior with respect to the mask +bits. A feature enabled via the mask in one release may be enabled +by other means in a later release, and the mask bit will then be +ignored. Therefore, use of the hexadecimal mask is only a temporary +measure until a new Postfix or OpenSSL release provides a better +solution.

    + +

    If the value of the parameter is a hexadecimal long integer +starting with "0x", the options corresponding to the bits specified +in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)). +You can only enable options not already controlled by other Postfix +settings. For example, you cannot disable protocols or enable +server cipher preference. Do not attempt to enable all features by +specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some +bug work-arounds are also valid here, allowing them to be re-enabled +if/when they're no longer enabled by default. The supported values +include:

    + +
    + +
    ENABLE_MIDDLEBOX_COMPAT
    Postfix ≥ 3.4. See +SSL_CTX_set_options(3).
    + +
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3).
    + +
    NO_TICKET
    Enabled by default when needed in +fully-patched Postfix ≥ 2.7. Not needed at all for Postfix ≥ +2.11, unless for some reason you do not want to support TLS session +resumption. Best not set explicitly. See SSL_CTX_set_options(3).
    + +
    NO_COMPRESSION
    Disable SSL compression even if +supported by the OpenSSL library. Compression is CPU-intensive, +and compression before encryption does not always improve security.
    + +
    NO_RENEGOTIATION
    Postfix ≥ 3.4. This can +reduce opportunities for a potential CPU exhaustion attack. See +SSL_CTX_set_options(3).
    + +
    NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    Postfix +≥ 3.4. See SSL_CTX_set_options(3).
    + +
    PRIORITIZE_CHACHA
    Postfix ≥ 3.4. See SSL_CTX_set_options(3).
    + +
    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM tlsmgr_service_name tlsmgr + +

    The name of the tlsmgr(8) service entry in master.cf. This +service maintains TLS session caches and other information in support +of TLS.

    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM lmtp_connection_reuse_count_limit 0 + +

    The LMTP-specific version of the smtp_connection_reuse_count_limit +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM smtp_connection_reuse_count_limit 0 + +

    When SMTP connection caching is enabled, the number of times +that an SMTP session may be reused before it is closed, or zero (no +limit). With a reuse count limit of N, a connection is used up to +N+1 times.

    + +

    NOTE: This feature is unsafe. When a high-volume destination +has multiple inbound MTAs, then the slowest inbound MTA will attract +the most connections to that destination. This limitation does not +exist with the smtp_connection_reuse_time_limit feature.

    + +

    This feature is available in Postfix 2.11.

    + +%PARAM lmtp_tls_force_insecure_host_tlsa_lookup no + +

    The LMTP-specific version of the smtp_tls_force_insecure_host_tlsa_lookup +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM smtp_tls_force_insecure_host_tlsa_lookup no + +

    Lookup the associated DANE TLSA RRset even when a hostname is +not an alias and its address records lie in an unsigned zone. This +is unlikely to ever yield DNSSEC validated results, since child +zones of unsigned zones are also unsigned in the absence of DLV or +locally configured non-root trust-anchors. We anticipate that such +mechanisms will not be used for just the "_tcp" subdomain of a host. +Suppressing the TLSA RRset lookup reduces latency and avoids potential +interoperability problems with nameservers for unsigned zones that +are not prepared to handle the new TLSA RRset.

    + +

    This feature is available in Postfix 2.11.

    + +%PARAM tls_dane_digest_agility on + +

    Configure RFC7671 DANE TLSA digest algorithm agility. +Do not change this setting from its default value.

    + +

    See Section 8 of RFC7671 for correct key rotation procedures.

    + +

    This feature is available in Postfix 2.11 through 3.1. Postfix +3.2 and later ignore this configuration parameter and behave as +though it were set to "on".

    + +%PARAM tls_dane_digests sha512 sha256 + +

    DANE TLSA (RFC 6698, RFC 7671, RFC 7672) resource-record "matching +type" digest algorithms in descending preference order. All the +specified algorithms must be supported by the underlying OpenSSL +library, otherwise the Postfix SMTP client will not support DANE +TLSA security.

    + +

    Specify a list of digest names separated by commas and/or +whitespace. Each digest name may be followed by an optional +"=<number>" suffix. For example, "sha512" may instead be specified +as "sha512=2" and "sha256" may instead be specified as "sha256=1". +The optional number must match the IANA assigned TLSA matching type number the algorithm in question. +Postfix will check this constraint for the algorithms it knows about. +Additional matching type algorithms registered with IANA can be added +with explicit numbers provided they are supported by OpenSSL.

    + +

    Invalid list elements are logged with a warning and disable DANE +support. TLSA RRs that specify digests not included in the list are +ignored with a warning.

    + +

    Note: It is unwise to omit sha256 from the digest list. This +digest algorithm is the only mandatory to implement digest algorithm +in RFC 6698, and many servers are expected to publish TLSA records +with just sha256 digests. Unless one of the standard digests is +seriously compromised and servers have had ample time to update their +TLSA records you should not omit any standard digests, just arrange +them in order from strongest to weakest.

    + +

    This feature is available in Postfix 2.11 and later.

    + +%PARAM tls_session_ticket_cipher Postfix ≥ 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc + +

    Algorithm used to encrypt RFC5077 TLS session tickets. This +algorithm must use CBC mode, have a 128-bit block size, and must +have a key length between 128 and 256 bits. The default is +aes-256-cbc. Overriding the default to choose a different algorithm +is discouraged.

    + +

    Setting this parameter empty disables session ticket support +in the Postfix SMTP server. Another way to disable session ticket +support is via the tls_ssl_options parameter.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM tls_fast_shutdown_enable yes + +

    A workaround for implementations that hang Postfix while shutting +down a TLS session, until Postfix times out. With this enabled, +Postfix will not wait for the remote TLS peer to respond to a TLS +'close' notification. This behavior is recommended for TLSv1.0 and +later.

    + +%PARAM default_delivery_status_filter + +

    Optional filter to replace the delivery status code or explanatory +text of successful or unsuccessful deliveries. This does not allow +the replacement of a successful status code (2.X.X) with an +unsuccessful status code (4.X.X or 5.X.X) or vice versa.

    + +

    Note: the (smtp|lmtp)_delivery_status_filter is applied only +once per recipient: when delivery is successful, when delivery is +rejected with 5XX, or when there are no more alternate MX or A +destinations. Use smtp_reply_filter or lmtp_reply_filter to inspect +responses for all delivery attempts.

    + +

    The following parameters can be used to implement a filter for +specific delivery agents: lmtp_delivery_status_filter, +local_delivery_status_filter, pipe_delivery_status_filter, +smtp_delivery_status_filter or virtual_delivery_status_filter. These +parameters support the same filter syntax as described here.

    + +

    Specify zero or more "type:table" lookup table names, separated +by comma or whitespace. For each successful or unsuccessful delivery +to a recipient, the tables are queried in the specified order with +one line of text that is structured as follows:

    + +
    +enhanced-status-code SPACE explanatory-text +
    + +

    The first table match wins. The lookup result must have the +same structure as the query, a successful status code (2.X.X) must +be replaced with a successful status code, an unsuccessful status +code (4.X.X or 5.X.X) must be replaced with an unsuccessful status +code, and the explanatory text field must be non-empty. Other results +will result in a warning.

    + +

    Example 1: convert specific soft TLS errors into hard errors, +by overriding the first number in the enhanced status code.

    + +
    +
    +/etc/postfix/main.cf:
    +    smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
    +
    +
    + +
    +
    +/etc/postfix/smtp_dsn_filter:
    +    /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
    +        5$1
    +    /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
    +        5$1
    +    # Do not change the following into hard bounces. They may
    +    # result from a local configuration problem.
    +    # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
    +    # 4.\d+.\d+ TLS is required, but unavailable
    +    # 4.\d+.\d+ Cannot start TLS: handshake failure
    +
    +
    + +

    Example 2: censor the per-recipient delivery status text so +that it does not reveal the destination command or filename +when a remote sender requests confirmation of successful delivery. +

    + +
    +
    +/etc/postfix/main.cf:
    +    local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
    +
    +
    + +
    +
    +/etc/postfix/local_dsn_filter:
    +    /^(2\S+ delivered to file).+/    $1
    +    /^(2\S+ delivered to command).+/ $1
    +
    +
    + +

    Notes:

    + +
      + +
    • This feature will NOT override the soft_bounce safety net.

      + +
    • This feature will change the enhanced status code and text +that is logged to the maillog file, and that is reported to the +sender in delivery confirmation or non-delivery notifications. +

      + +
    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtp_delivery_status_filter $default_delivery_status_filter + +

    Optional filter for the smtp(8) delivery agent to change the +delivery status code or explanatory text of successful or unsuccessful +deliveries. See default_delivery_status_filter for details.

    + +

    NOTE: This feature modifies Postfix SMTP client error or non-error +messages that may or may not be derived from remote SMTP server +responses. In contrast, the smtp_reply_filter feature modifies +remote SMTP server responses only.

    + +%PARAM lmtp_delivery_status_filter + +

    The LMTP-specific version of the smtp_delivery_status_filter +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM pipe_delivery_status_filter $default_delivery_status_filter + +

    Optional filter for the pipe(8) delivery agent to change the +delivery status code or explanatory text of successful or unsuccessful +deliveries. See default_delivery_status_filter for details.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM virtual_delivery_status_filter $default_delivery_status_filter + +

    Optional filter for the virtual(8) delivery agent to change the +delivery status code or explanatory text of successful or unsuccessful +deliveries. See default_delivery_status_filter for details.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM local_delivery_status_filter $default_delivery_status_filter + +

    Optional filter for the local(8) delivery agent to change the +status code or explanatory text of successful or unsuccessful +deliveries. See default_delivery_status_filter for details.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM shlib_directory see 'postconf -d' output + +

    The location of Postfix dynamically-linked libraries +(libpostfix-*.so), and the default location of Postfix database +plugins (postfix-*.so) that have a relative pathname in the +dynamicmaps.cf file. The shlib_directory parameter defaults to +"no" when Postfix dynamically-linked libraries and database plugins +are disabled at compile time, otherwise it typically defaults to +/usr/lib/postfix or /usr/local/lib/postfix.

    + +

    Notes:

    + +
      + +
    • The directory specified with shlib_directory should contain +only Postfix-related files. Postfix dynamically-linked libraries +and database plugins should not be installed in a "public" system +directory such as /usr/lib or /usr/local/lib. Linking Postfix +dynamically-linked library files or database plugins into non-Postfix +programs is not supported. Postfix dynamically-linked libraries +and database plugins implement a Postfix-internal API that changes +without maintaining compatibility.

      + +
    • You can change the shlib_directory value after Postfix is +built. However, you may have to run ldconfig or equivalent to prevent +Postfix programs from failing because the libpostfix-*.so files are +not found. No ldconfig command is needed if you keep the libpostfix-*.so +files in the compiled-in default $shlib_directory location.

      + +
    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM meta_directory see 'postconf -d' output + +

    The location of non-executable files that are shared among +multiple Postfix instances, such as postfix-files, dynamicmaps.cf, +and the multi-instance template files main.cf.proto and master.cf.proto. +This directory should contain only Postfix-related files. Typically, +the meta_directory parameter has the same default as the config_directory +parameter (/etc/postfix or /usr/local/etc/postfix).

    + +

    For backwards compatibility with Postfix versions 2.6..2.11, +specify "meta_directory = $daemon_directory" in main.cf before +installing or upgrading Postfix, or specify "meta_directory = +/path/name" on the "make makefiles", "make install" or "make upgrade" +command line.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtpd_policy_service_default_action 451 4.3.5 Server configuration problem + +

    The default action when an SMTPD policy service request fails. +Specify "DUNNO" to behave as if the failed SMTPD policy service +request was not sent, and to continue processing other access +restrictions, if any.

    + +

    Limitations:

    + +
      + +
    • This parameter may specify any value that would be a valid +SMTPD policy server response (or access(5) map lookup result). An +access(5) map or policy server in this parameter value may need to +be declared in advance with a restriction_class setting.

      + +
    • If the specified action invokes another check_policy_service +request, that request will have the built-in default action.

      + +
    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtpd_policy_service_try_limit 2 + +

    The maximal number of attempts to send an SMTPD policy service +request before giving up. Specify a value greater than zero.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtpd_policy_service_retry_delay 1s + +

    The delay between attempts to resend a failed SMTPD policy +service request. Specify a value greater than zero.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtputf8_enable yes + +

    Enable preliminary SMTPUTF8 support for the protocols described +in RFC 6531, RFC 6532, and RFC 6533. This requires that Postfix is +built to support these protocols.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM strict_smtputf8 no + +

    Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix +SMTP server accepts UTF8 sender or recipient addresses only when +the client requests an SMTPUTF8 mail transaction.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtputf8_autodetect_classes sendmail, verify + +

    Detect that a message requires SMTPUTF8 support for the specified +mail origin classes. This is a workaround to avoid chicken-and-egg +problems during the initial SMTPUTF8 roll-out in environments with +pre-existing mail flows that contain UTF8. Those mail flows should +not break because Postfix suddenly refuses to deliver such mail +to down-stream MTAs that don't announce SMTPUTF8 support.

    + +

    The problem is that Postfix cannot rely solely on the sender's +declaration that a message requires SMTPUTF8 support, because UTF8 +may be introduced during local processing (for example, the client +hostname in Postfix's Received: header, adding @$myorigin or +.$mydomain to an incomplete address, address rewriting, alias +expansion, automatic BCC recipients, local forwarding, and changes +made by header checks or Milter applications).

    + +

    For now, the default is to enable "SMTPUTF8 required" autodetection +only for Postfix sendmail command-line submissions and address +verification probes. This may change once SMTPUTF8 support achieves +world domination. However, sites that add UTF8 content via local +processing (see above) should autodetect the need for SMTPUTF8 +support for all email.

    + +

    Specify one or more of the following:

    + +
    + +
    sendmail
    Submission with the Postfix +sendmail(1) command.
    + +
    smtpd
    Mail received with the smtpd(8) +daemon.
    + +
    qmqpd
    Mail received with the qmqpd(8) +daemon.
    + +
    forward
    Local forwarding or aliasing. When +a message is received with "SMTPUTF8 required", then the forwarded +(aliased) message always has "SMTPUTF8 required".
    + +
    bounce
    Submission by the bounce(8) daemon. +When a message is received with "SMTPUTF8 required", then the +delivery status notification always has "SMTPUTF8 required".
    + +
    notify
    Postmaster notification from the +smtp(8) or smtpd(8) daemon.
    + +
    verify
    Address verification probe from the +verify(8) daemon.
    + +
    all
    Enable SMTPUTF8 autodetection for all +mail.
    + +
    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM compatibility_level 0 + +

    A safety net that causes Postfix to run with backwards-compatible +default settings after an upgrade to a newer Postfix version.

    + +

    With backwards compatibility turned on (the main.cf compatibility_level +value is less than the Postfix built-in value), Postfix looks for +settings that are left at their implicit default value, and logs a +message when a backwards-compatible default setting is required. +

    + +
    +
    +using backwards-compatible default setting name=value
    +    to [accept a specific client request]
    +
    +using backwards-compatible default setting name=value
    +    to [enable specific Postfix behavior]
    +
    +
    + +

    See COMPATIBILITY_README for specific message details. If such +a message is logged in the context of a legitimate request, the +system administrator should make the backwards-compatible setting +permanent in main.cf or master.cf, for example:

    + +
    +
    +# postconf name=value
    +# postfix reload
    +
    +
    + +

    When no more backwards-compatible settings need to be made +permanent, the administrator should turn off backwards compatibility +by updating the compatibility_level setting in main.cf:

    + +
    +
    +# postconf compatibility_level=N
    +# postfix reload
    +
    +
    + +

    For N specify the number that is logged in your postfix(1) +warning message:

    + +
    +
    +warning: To disable backwards compatibility use "postconf
    +    compatibility_level=N" and "postfix reload"
    +
    +
    + +

    Starting with Postfix version 3.6, the compatibility level in +the above warning message is the Postfix version that introduced +the last incompatible change. The level is formatted as +major.minor.patch, where patch is usually omitted and +defaults to zero. Earlier compatibility levels are 0, 1 and 2.

    + +

    NOTE: this also introduces support for the "<level", +"<=level", and other operators to compare compatibility levels. +With the standard operators "<", "<=", etc., compatibility +level "3.10" would be smaller than "3.9" which is undesirable.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM message_drop_headers bcc, content-length, resent-bcc, return-path + +

    Names of message headers that the cleanup(8) daemon will remove +after applying header_checks(5) and before invoking Milter applications. +The default setting is compatible with Postfix < 3.0.

    + +

    Specify a list of header names, separated by comma or space. +Names are matched in a case-insensitive manner. The list of supported +header names is limited only by available memory.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtpd_dns_reply_filter + +

    Optional filter for Postfix SMTP server DNS lookup results. +See smtp_dns_reply_filter for details including an example. +

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM lmtp_dns_reply_filter + +

    Optional filter for Postfix LMTP client DNS lookup results. +See smtp_dns_reply_filter for details including an example.

    + +

    This feature is available in Postfix 3.0 and later.

    + +#%PARAM postscreen_dns_reply_filter +# +#

    Optional filter for postscreen(8) DNS lookup results. +#See smtp_dns_reply_filter for details including an example. +#

    +# +#

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtp_dns_reply_filter + +

    Optional filter for Postfix SMTP client DNS lookup results. +Specify zero or more lookup tables. The lookup tables are searched +in the given order for a match with the DNS lookup result, converted +to the following form:

    + +
    +    name ttl class type preference value
    +
    + +

    The class field is always "IN", the preference +field exists only for MX records, the names of hosts, domains, etc. +end in ".", and those names are in ASCII form (xn--mumble form in +the case of UTF8 names).

    + +

    When a match is found, the table lookup result specifies an +action. By default, the table query and the action name are +case-insensitive. Currently, only the IGNORE action is +implemented.

    + +

    Notes:

    + +
      + +
    • Postfix DNS reply filters have no effect on implicit DNS +lookups through nsswitch.conf or equivalent mechanisms.

      + +
    • The Postfix SMTP/LMTP client uses smtp_dns_reply_filter +and lmtp_dns_reply_filter only to discover a remote SMTP or LMTP +service (record types MX, A, AAAA, and TLSA). These lookups are +also made to implement the features reject_unverified_sender and +reject_unverified_recipient.

      + +
    • The Postfix SMTP/LMTP client defers mail delivery when +a filter removes all lookup results from a successful query.

      + +
    • Postfix SMTP server uses smtpd_dns_reply_filter only to +look up MX, A, AAAA, and TXT records to implement the features +reject_unknown_helo_hostname, reject_unknown_sender_domain, +reject_unknown_recipient_domain, reject_rbl_*, and reject_rhsbl_*. +

      + +
    • The Postfix SMTP server logs a warning or defers mail +delivery when a filter removes all lookup results from a successful +query.

      + +
    + +

    Example: ignore Google AAAA records in Postfix SMTP client DNS +lookups, because Google sometimes hard-rejects mail from IPv6 clients +with valid PTR etc. records.

    + +
    +/etc/postfix/main.cf:
    +    smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
    +
    + +
    +/etc/postfix/smtp_dns_reply_filter:
    +    # /domain ttl IN AAAA address/ action, all case-insensitive.
    +    # Note: the domain name ends in ".".
    +    /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
    +
    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtp_tls_wrappermode no + +

    Request that the Postfix SMTP client connects using the +SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.

    + +

    This mode requires "smtp_tls_security_level = encrypt" or +stronger.

    + +

    Example: deliver all remote mail via a provider's server +"mail.example.com".

    + +
    +/etc/postfix/main.cf:
    +    # Client-side SMTPS requires "encrypt" or stronger.
    +    smtp_tls_security_level = encrypt
    +    smtp_tls_wrappermode = yes
    +    # The [] suppress MX lookups.
    +    relayhost = [mail.example.com]:465
    +
    + +

    More examples are in TLS_README, including examples for older +Postfix versions.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM lmtp_tls_wrappermode no + +

    The LMTP-specific version of the smtp_tls_wrappermode configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 3.0 and later.

    + +%PARAM smtp_tls_connection_reuse no + +

    Try to make multiple deliveries per TLS-encrypted connection. +This uses the tlsproxy(8) service to encrypt an SMTP connection, +uses the scache(8) service to save that connection, and relies on +hints from the qmgr(8) daemon.

    + +

    See "Client-side +TLS connection reuse" for background details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM lmtp_tls_connection_reuse no + +

    The LMTP-specific version of the smtp_tls_connection_reuse configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM virtual_alias_address_length_limit 1000 + +

    +The maximal length of an email address after virtual alias expansion. +This stops virtual aliasing loops that increase the address length +exponentially. +

    + +

    +This feature is available in Postfix 3.0 and later. +

    + +%PARAM dns_ncache_ttl_fix_enable no + +

    Enable a workaround for future libc incompatibility. The Postfix +implementation of RFC 2308 negative reply caching relies on the +promise that res_query() and res_search() invoke res_send(), which +returns the server response in an application buffer even if the +requested record does not exist. If this promise is broken, specify +"yes" to enable a workaround for DNS reputation lookups.

    + +

    +This feature is available in Postfix 3.1 and later. +

    + +%PARAM smtpd_policy_service_policy_context + +

    Optional information that the Postfix SMTP server specifies in +the "policy_context" attribute of a policy service request (originally, +to share the same service endpoint among multiple check_policy_service +clients).

    + +

    +This feature is available in Postfix 3.1 and later. +

    + +%PARAM smtp_tls_dane_insecure_mx_policy see "postconf -d" output + +

    The TLS policy for MX hosts with "secure" TLSA records when the +nexthop destination security level is dane, but the MX +record was found via an "insecure" MX lookup. The choices are: +

    + +
    +
    may
    +
    The TLSA records will be ignored and TLS will be optional. If +the MX host does not appear to support STARTTLS, or the STARTTLS +handshake fails, mail may be sent in the clear.
    +
    encrypt
    +
    The TLSA records will signal a requirement to use TLS. While +TLS encryption will be required, authentication will not be performed. +
    +
    dane
    +
    The TLSA records will be used just as with "secure" MX records. +TLS encryption will be required, and, if at least one of the TLSA +records is "usable", authentication will be required. When +authentication succeeds, it will be logged only as "Trusted", not +"Verified", because the MX host name could have been forged.
    +
    + +

    The default setting for Postfix ≥ 3.6 is "dane" with +"smtp_tls_security_level = dane", otherwise "may". This behavior +was backported to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21. +With earlier Postfix versions the default setting was always "dane". +

    + +

    Though with "insecure" MX records an active attacker can +compromise SMTP transport security by returning forged MX records, +such attacks are "tamper-evident" since any forged MX hostnames +will be recorded in the mail logs. Attackers who place a high value +on staying hidden may be deterred from forging MX records.

    + +

    +This feature is available in Postfix 3.1 and later. The may +policy is backwards-compatible with earlier Postfix versions. +

    + +%PARAM openssl_path openssl + +

    +The location of the OpenSSL command line program openssl(1). This +is used by the "postfix tls" command to create private keys, +certificate signing requests, self-signed certificates, and to +compute public key digests for DANE TLSA records. In multi-instance +environments, this parameter is always determined from the configuration +of the default Postfix instance. +

    + +

    Example:

    + +
    +
    +/etc/postfix/main.cf:
    +    # NetBSD pkgsrc:
    +    openssl_path = /usr/pkg/bin/openssl
    +    # Local build:
    +    openssl_path = /usr/local/bin/openssl
    +
    +
    + +

    +This feature is available in Postfix 3.1 and later. +

    + +%PARAM address_verify_pending_request_limit see "postconf -d" output + +

    A safety limit that prevents address verification requests from +overwhelming the Postfix queue. By default, the number of pending +requests is limited to 1/4 of the active queue maximum size +(qmgr_message_active_limit). The queue manager enforces the limit +by tempfailing requests that exceed the limit. This affects only +unknown addresses and inactive addresses that have expired, because +the verify(8) daemon automatically refreshes an active address +before it expires.

    + +

    This feature is available in Postfix 3.1 and later.

    + +%PARAM smtpd_milter_maps + +

    Lookup tables with Milter settings per remote SMTP client IP +address. The lookup result overrides the smtpd_milters setting, +and has the same syntax.

    + +

    Note: lookup tables cannot return empty responses. Specify a +lookup result of DISABLE (case does not matter) to indicate that +Milter support should be disabled.

    + +

    Example to disable Milters for local clients:

    + +
    +/etc/postfix/main.cf:
    +    smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
    +    smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
    +
    + +
    +/etc/postfix/smtpd_milter_map:
    +    # Disable Milters for local clients.
    +    127.0.0.0/8    DISABLE
    +    192.168.0.0/16 DISABLE
    +    ::/64          DISABLE
    +    2001:db8::/32  DISABLE
    +
    + +

    This feature is available in Postfix 3.2 and later.

    + +%PARAM enable_idna2003_compatibility no + +

    Enable 'transitional' compatibility between IDNA2003 and IDNA2008, +when converting UTF-8 domain names to/from the ASCII form that is +used for DNS lookups. Specify "yes" for compatibility with Postfix +≤ 3.1 (not recommended). This affects the conversion of domain +names that contain for example the German sz and the Greek zeta. +See http://unicode.org/cldr/utility/idna.jsp for more examples. +

    + +

    This feature is available in Postfix 3.2 and later.

    + +%PARAM smtp_balance_inet_protocols yes + +

    When a remote destination resolves to a combination of IPv4 and +IPv6 addresses, ensure that the Postfix SMTP client can try both +address types before it runs into the smtp_mx_address_limit.

    + +

    This avoids an interoperability problem when a destination resolves +to primarily IPv6 addresses, the smtp_address_limit feature eliminates +most or all IPv4 addresses, and the destination is not reachable over +IPv6.

    + +

    This feature is available in Postfix 3.3 and later.

    + +%PARAM lmtp_balance_inet_protocols yes + +

    The LMTP-specific version of the smtp_balance_inet_protocols +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 3.3 and later.

    + +%PARAM header_from_format standard + +

    The format of the Postfix-generated From: header. This +setting affects the appearance of 'full name' information when a +local program such as /bin/mail submits a message without a From: +header through the Postfix sendmail(1) command.

    + +

    Specify one of the following:

    + +
    + +
    standard (default)
    Produce a header formatted +as "From: name <address>". +This is the default as of Postfix 3.3.
    + +
    obsolete
    Produce a header formatted as "From: +address (name)". This is the behavior +prior to Postfix 3.3.
    + +
    + +

    Notes:

    + +
      + +
    • Postfix generates the format "From: address" +when name information is unavailable or the envelope sender +address is empty. This is the same behavior as prior to Postfix +3.3.

      + +
    • In the standard form, the name will be quoted +if it contains specials as defined in RFC 5322, or the "!%" +address operators.

      + +
    • The Postfix sendmail(1) command gets name information +from the -F command-line option, from the NAME +environment variable, or from the UNIX password file.

      + +
    + +

    This feature is available in Postfix 3.3 and later.

    + +%PARAM tlsproxy_client_CAfile $smtp_tls_CAfile + +

    A file containing CA certificates of root CAs trusted to sign +either remote TLS server certificates or intermediate CA certificates. +See smtp_tls_CAfile for further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_CApath $smtp_tls_CApath + +

    Directory with PEM format Certification Authority certificates +that the Postfix tlsproxy(8) client uses to verify a remote TLS +server certificate. See smtp_tls_CApath for further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_cert_file $smtp_tls_cert_file + +

    File with the Postfix tlsproxy(8) client RSA certificate in PEM +format. See smtp_tls_cert_file for further details. The preferred way +to configure tlsproxy client keys and certificates is via the +"tlsproxy_client_chain_files" parameter.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_key_file $smtp_tls_key_file + +

    File with the Postfix tlsproxy(8) client RSA private key in PEM +format. See smtp_tls_key_file for further details. The preferred way to +configure tlsproxy client keys and certificates is via the +"tlsproxy_client_chain_files" parameter.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_dcert_file $smtp_tls_dcert_file + +

    File with the Postfix tlsproxy(8) client DSA certificate in PEM +format. See smtp_tls_dcert_file for further details. DSA is obsolete and +should not be used.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_dkey_file $smtp_tls_dkey_file + +

    File with the Postfix tlsproxy(8) client DSA private key in PEM +format. See smtp_tls_dkey_file for further details. DSA is obsolete and +should not be used.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_eccert_file $smtp_tls_eccert_file + +

    File with the Postfix tlsproxy(8) client ECDSA certificate in PEM +format. See smtp_tls_eccert_file for further details. The preferred way +to configure tlsproxy client keys and certificates is via the +"tlsproxy_client_chain_files" parameter.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_eckey_file $smtp_tls_eckey_file + +

    File with the Postfix tlsproxy(8) client ECDSA private key in PEM +format. See smtp_tls_eckey_file for further details. The preferred way +to configure tlsproxy client keys and certificates is via the +"tlsproxy_client_chain_files" parameter.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_fingerprint_digest $smtp_tls_fingerprint_digest + +

    The message digest algorithm used to construct remote TLS server +certificate fingerprints. See smtp_tls_fingerprint_digest for +further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_loglevel $smtp_tls_loglevel + +

    Enable additional Postfix tlsproxy(8) client logging of TLS +activity. See smtp_tls_loglevel for further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_loglevel_parameter smtp_tls_loglevel + +

    The name of the parameter that provides the tlsproxy_client_loglevel +value.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_scert_verifydepth $smtp_tls_scert_verifydepth + +

    The verification depth for remote TLS server certificates. +See smtp_tls_scert_verifydepth for further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_level $smtp_tls_security_level + +

    The default TLS security level for the Postfix tlsproxy(8) +client. See smtp_tls_security_level for further details.

    + +

    This feature is available in Postfix 3.4 - 3.6. It was +renamed to tlsproxy_client_security_level in Postfix 3.7.

    + +%PARAM tlsproxy_client_security_level $smtp_tls_security_level + +

    The default TLS security level for the Postfix tlsproxy(8) +client. See smtp_tls_security_level for further details.

    + +

    This feature is available in Postfix 3.7 and later. It +was previously called tlsproxy_client_level.

    + +%PARAM tlsproxy_client_per_site $smtp_tls_per_site + +

    Optional lookup tables with the Postfix tlsproxy(8) client TLS +usage policy by next-hop destination and by remote TLS server +hostname. See smtp_tls_per_site for further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_policy $smtp_tls_policy_maps + +

    Optional lookup tables with the Postfix tlsproxy(8) client TLS +security policy by next-hop destination. See smtp_tls_policy_maps +for further details.

    + +

    This feature is available in Postfix 3.4 - 3.6. It was +renamed to tlsproxy_client_policy_maps in Postfix 3.7.

    + +%PARAM tlsproxy_client_policy_maps $smtp_tls_policy_maps + +

    Optional lookup tables with the Postfix tlsproxy(8) client TLS +security policy by next-hop destination. See smtp_tls_policy_maps +for further details.

    + +

    This feature is available in Postfix 3.7 and later. It +was previously called tlsproxy_client_policy.

    + +%PARAM tlsproxy_client_use_tls $smtp_use_tls + +

    Opportunistic mode: use TLS when a remote server announces TLS +support. See smtp_use_tls for further details. Use +tlsproxy_client_security_level instead.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_enforce_tls $smtp_enforce_tls + +

    Enforcement mode: require that SMTP servers use TLS encryption. +See smtp_enforce_tls for further details. Use +tlsproxy_client_security_level instead.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM smtpd_tls_chain_files + +

    List of one or more PEM files, each holding one or more private keys +directly followed by a corresponding certificate chain. The file names +are separated by commas and/or whitespace. This parameter obsoletes the +legacy algorithm-specific key and certificate file settings. When this +parameter is non-empty, the legacy parameters are ignored, and a warning +is logged if any are also non-empty.

    + +

    With the proliferation of multiple private key algorithms—which, +as of OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 +and Ed448—it is increasingly impractical to use separate +parameters to configure the key and certificate chain for each +algorithm. Therefore, Postfix now supports storing multiple keys and +corresponding certificate chains in a single file or in a set of files. + +

    Each key must appear immediately before the corresponding +certificate, optionally followed by additional issuer certificates that +complete the certificate chain for that key. When multiple files are +specified, they are equivalent to a single file that is concatenated +from those files in the given order. Thus, while a key must always +precede its certificate and issuer chain, it can be in a separate file, +so long as that file is listed immediately before the file that holds +the corresponding certificate chain. Once all the files are +concatenated, the sequence of PEM objects must be: key1, cert1, +[chain1], key2, cert2, [chain2], ..., keyN, certN, [chainN].

    + +

    Storing the private key in the same file as the corresponding +certificate is more reliable. With the key and certificate in separate +files, there is a chance that during key rollover a Postfix process +might load a private key and certificate from separate files that don't +match. Various operational errors may even result in a persistent +broken configuration in which the certificate does not match the private +key.

    + +

    The file or files must contain at most one key of each type. If, +for example, two or more RSA keys and corresponding chains are listed, +depending on the version of OpenSSL either only the last one will be +used or a configuration error may be detected. Note that while +"Ed25519" and "Ed448" are considered separate algorithms, the various +ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are +considered as different parameters of a single "ECDSA" algorithm, so it +is not presently possible to configure keys for more than one ECDSA +curve.

    + +

    RSA is still the most widely supported algorithm. Presently (late +2018), ECDSA support is common, but not yet universal, and Ed25519 and +Ed448 support is mostly absent. Therefore, an RSA key should generally +be configured, along with any additional keys for the other algorithms +when desired.

    + +

    +Example (separate files for each key and corresponding certificate chain): +

    +
    +
    +/etc/postfix/main.cf:
    +    smtpd_tls_chain_files =
    +        ${config_directory}/ed25519.pem,
    +        ${config_directory}/ed448.pem,
    +        ${config_directory}/rsa.pem
    +
    +
    + +
    +
    +/etc/postfix/ed25519.pem:
    +    -----BEGIN PRIVATE KEY-----
    +    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
    +    ...
    +    nC0egv51YPDWxEHom4QA
    +    -----END CERTIFICATE-----
    +
    +
    + +
    +
    +/etc/postfix/ed448.pem:
    +    -----BEGIN PRIVATE KEY-----
    +    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
    +    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
    +    ...
    +    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
    +    -----END CERTIFICATE-----
    +
    +
    + +
    +
    +/etc/postfix/rsa.pem:
    +    -----BEGIN PRIVATE KEY-----
    +    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
    +    ...
    +    ahQkZ3+krcaJvDSMgvu0tDc=
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
    +    ...
    +    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
    +    -----END CERTIFICATE-----
    +
    +
    + +

    +Example (all keys and certificates in a single file): +

    +
    +
    +/etc/postfix/main.cf:
    +    smtpd_tls_chain_files = ${config_directory}/chains.pem
    +
    +
    + +
    +
    +/etc/postfix/chains.pem:
    +    -----BEGIN PRIVATE KEY-----
    +    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
    +    ...
    +    nC0egv51YPDWxEHom4QA
    +    -----END CERTIFICATE-----
    +    -----BEGIN PRIVATE KEY-----
    +    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
    +    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
    +    ...
    +    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
    +    -----END CERTIFICATE-----
    +    -----BEGIN PRIVATE KEY-----
    +    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
    +    ...
    +    ahQkZ3+krcaJvDSMgvu0tDc=
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
    +    ...
    +    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
    +    -----END CERTIFICATE-----
    +
    +
    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM smtp_tls_chain_files + +

    List of one or more PEM files, each holding one or more private keys +directly followed by a corresponding certificate chain. The file names +are separated by commas and/or whitespace. This parameter obsoletes the +legacy algorithm-specific key and certificate file settings. When this +parameter is non-empty, the legacy parameters are ignored, and a warning +is logged if any are also non-empty.

    + +

    With the proliferation of multiple private key algorithms—which, +as of OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519 +and Ed448—it is increasingly impractical to use separate +parameters to configure the key and certificate chain for each +algorithm. Therefore, Postfix now supports storing multiple keys and +corresponding certificate chains in a single file or in a set of files. + +

    Each key must appear immediately before the corresponding +certificate, optionally followed by additional issuer certificates that +complete the certificate chain for that key. When multiple files are +specified, they are equivalent to a single file that is concatenated +from those files in the given order. Thus, while a key must always +precede its certificate and issuer chain, it can be in a separate file, +so long as that file is listed immediately before the file that holds +the corresponding certificate chain. Once all the files are +concatenated, the sequence of PEM objects must be: key1, cert1, +[chain1], key2, cert2, [chain2], ..., keyN, certN, [chainN].

    + +

    Storing the private key in the same file as the corresponding +certificate is more reliable. With the key and certificate in separate +files, there is a chance that during key rollover a Postfix process +might load a private key and certificate from separate files that don't +match. Various operational errors may even result in a persistent +broken configuration in which the certificate does not match the private +key.

    + +

    The file or files must contain at most one key of each type. If, +for example, two or more RSA keys and corresponding chains are listed, +depending on the version of OpenSSL either only the last one will be +used or a configuration error may be detected. Note that while +"Ed25519" and "Ed448" are considered separate algorithms, the various +ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are +considered as different parameters of a single "ECDSA" algorithm, so it +is not presently possible to configure keys for more than one ECDSA +curve.

    + +

    +Example (separate files for each key and corresponding certificate chain): +

    +
    +
    +/etc/postfix/main.cf:
    +    smtp_tls_chain_files =
    +        ${config_directory}/ed25519.pem,
    +        ${config_directory}/ed448.pem,
    +        ${config_directory}/rsa.pem
    +
    +
    + +
    +
    +/etc/postfix/ed25519.pem:
    +    -----BEGIN PRIVATE KEY-----
    +    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
    +    ...
    +    nC0egv51YPDWxEHom4QA
    +    -----END CERTIFICATE-----
    +
    +
    + +
    +
    +/etc/postfix/ed448.pem:
    +    -----BEGIN PRIVATE KEY-----
    +    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
    +    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
    +    ...
    +    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
    +    -----END CERTIFICATE-----
    +
    +
    + +
    +
    +/etc/postfix/rsa.pem:
    +    -----BEGIN PRIVATE KEY-----
    +    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
    +    ...
    +    ahQkZ3+krcaJvDSMgvu0tDc=
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
    +    ...
    +    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
    +    -----END CERTIFICATE-----
    +
    +
    + +

    +Example (all keys and certificates in a single file): +

    +
    +
    +/etc/postfix/main.cf:
    +    smtp_tls_chain_files = ${config_directory}/chains.pem
    +
    +
    + +
    +
    +/etc/postfix/chains.pem:
    +    -----BEGIN PRIVATE KEY-----
    +    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
    +    ...
    +    nC0egv51YPDWxEHom4QA
    +    -----END CERTIFICATE-----
    +    -----BEGIN PRIVATE KEY-----
    +    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
    +    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
    +    ...
    +    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
    +    -----END CERTIFICATE-----
    +    -----BEGIN PRIVATE KEY-----
    +    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
    +    ...
    +    ahQkZ3+krcaJvDSMgvu0tDc=
    +    -----END PRIVATE KEY-----
    +    -----BEGIN CERTIFICATE-----
    +    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
    +    ...
    +    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
    +    -----END CERTIFICATE-----
    +
    +
    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM lmtp_tls_chain_files + +

    The LMTP-specific version of the smtp_tls_chain_files configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_client_chain_files $smtp_tls_chain_files + +

    Files with the Postfix tlsproxy(8) client keys and certificate +chains in PEM format. See smtp_tls_chain_files for further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tlsproxy_tls_chain_files $smtpd_tls_chain_files + +

    Files with the Postfix tlsproxy(8) server keys and certificate +chains in PEM format. See smtpd_tls_chain_files for further details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM tls_server_sni_maps + +

    Optional lookup tables that map names received from remote SMTP +clients via the TLS Server Name Indication (SNI) extension to the +appropriate keys and certificate chains. This parameter is implemented +in the Postfix TLS library, and applies to both smtpd(8) and the SMTP +server mode of tlsproxy(8).

    + +

    When this parameter is non-empty, the Postfix SMTP server enables +SNI extension processing, and logs SNI values that are invalid or +don't match an entry in the specified tables. When an entry +does match, the SNI name is logged as part of the connection summary +at log levels 1 and higher.

    + +

    The lookup key is either the verbatim SNI domain name or an +ancestor domain prefixed with a leading dot. For internationalized +domains, the lookup key must be in IDNA 2008 A-label form (as +required in the TLS SNI extension).

    + +

    The syntax of the lookup value is the same as with the +smtp_tls_chain_files parameter (see there for additional details), +but here scoped to just TLS connections in which the client sends +a matching SNI domain name.

    + +

    Example:

    +
    +
    +/etc/postfix/main.cf:
    +    #
    +    # The indexed SNI table must be created with "postmap -F"
    +    #
    +    indexed = ${default_database_type}:${config_directory}/
    +    tls_server_sni_maps = ${indexed}sni
    +
    +
    + +
    +
    +/etc/postfix/sni:
    +    #
    +    # The example.com domain has both an RSA and ECDSA certificate
    +    # chain.  The chain files MUST start with the private key,
    +    # with the certificate chain next, starting with the leaf
    +    # (server) certificate, and then the issuer certificates.
    +    #
    +    example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
    +                /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
    +    #
    +    # The example.net domain has a wildcard certificate, and two
    +    # additional DNS names.  So its certificate chain is also used
    +    # with any subdomain, plus the additional names.
    +    #
    +    example.net /etc/postfix/sni-chains/example.net.pem
    +    .example.net /etc/postfix/sni-chains/example.net.pem
    +    example.info /etc/postfix/sni-chains/example.net.pem
    +    example.org /etc/postfix/sni-chains/example.net.pem
    +
    +
    + +

    Note that the SNI lookup tables should also have entries for +the domains that correspond to the Postfix SMTP server's default +certificate(s). This ensures that the remote SMTP client's TLS SNI +extension gets a positive response when it specifies one of the +Postfix SMTP server's default domains, and ensures that the Postfix +SMTP server will not log an SNI name mismatch for such a domain. +The Postfix SMTP server's default certificates are then only used +when the client sends no SNI or when it sends SNI with a domain +that the server knows no certificate(s) for.

    + +

    The mapping from an SNI domain name to a certificate chain is indirect. In +the input source files for "cdb", "hash", "btree" or other tables that are +converted to on-disk indexed files via postmap(1), the value specified for each +key is a list of filenames. When postmap(1) is used with the -F option, +the generated table stores for each lookup key the base64-encoded contents of +the associated files. When querying tables via postmap -Fq, the table +value is decoded from base64, yielding the original file content, plus a new +line.

    + +

    With "regexp", "pcre", "inline", "texthash", "static" and similar +tables that are interpreted at run-time, and don't have a separate +source format, the table value is again a list files, that are loaded +into memory when the table is opened.

    + +

    With tables whose content is managed outside of Postfix, such +as LDAP, MySQL, PostgreSQL, socketmap and tcp, the value must be a +concatenation of the desired PEM keys and certificate chains, that +is then further encoded to yield a single-line base64 string. +Creation of such tables and secure storage (the value includes +private key material) are outside the responsibility of Postfix.

    + +

    With "socketmap" and "tcp" the data will be transmitted in the clear, and +there is no query access control, so these are generally unsuitable for storing +SNI chains. With LDAP and SQL, you should restrict read access and use TLS to +protect the sensitive data in transit.

    + +

    Typically there is only one private key and its chain of certificates +starting with the "leaf" certificate corresponding to that key, and +continuing with the appropriate intermediate issuer CA certificates, +with each certificate ideally followed by its issuer. Servers +that have keys and certificates for more than one algorithm (e.g. +both an RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519) +can use multiple chains concatenated together, with the key always +listed before the corresponding certificates.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM smtp_tls_servername + +

    Optional name to send to the remote SMTP server in the TLS Server +Name Indication (SNI) extension. The SNI extension is always on when +DANE is used to authenticate the server, and in that case the SNI name +sent is the one required by RFC7672 and this parameter is ignored.

    + +

    Some SMTP servers use the received SNI name to select an appropriate +certificate chain to present to the client. While this may improve +interoperability with such servers, it may reduce interoperability with +other servers that choose to abort the connection when they don't have a +certificate chain configured for the requested name. Such servers +should select a default certificate chain and continue the handshake, +but some may not. Therefore, absent DANE, no SNI name is sent by +default.

    + +

    The SNI name must be either a valid DNS hostname, or else one of the +special values hostname or nexthop, which select either the +remote hostname or the nexthop domain respectively. DNS names for SNI must be +in A-label (punycode) form. Invalid DNS names log a configuration error +warning and mail delivery is deferred.

    + +

    Except when using a relayhost to forward all email, the only +sensible non-empty main.cf setting for this parameter is +hostname. Other non-empty values are only practical on a +per-destination basis via the servername attribute of the Postfix +TLS policy table. When +in doubt, leave this parameter empty, and configure per-destination SNI +as needed.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM lmtp_tls_servername + +

    The LMTP-specific version of the smtp_tls_servername configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM maillog_file + +

    The name of an optional logfile that is written by the Postfix +postlogd(8) service. An empty value selects logging to syslogd(8). +Specify "/dev/stdout" to select logging to standard output. Stdout +logging requires that Postfix is started with "postfix start-fg". +

    + +

    Note 1: The maillog_file parameter value must contain a prefix +that is specified with the maillog_file_prefixes parameter.

    + +

    Note 2: Some Postfix non-daemon programs may still log information +to syslogd(8), before they have processed their configuration +parameters and command-line options.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM postlog_service_name postlog + +

    The name of the postlogd(8) service entry in master.cf. +This service appends logfile records to the file specified +with the maillog_file parameter.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM postlogd_watchdog_timeout 10s + +

    How much time a postlogd(8) process may take to process a request +before it is terminated by a built-in watchdog timer. This is a +safety mechanism that prevents postlogd(8) from becoming non-responsive +due to a bug in Postfix itself or in system software. This limit +cannot be set under 10s.

    + +

    Specify a non-zero time value (an integral value plus an optional +one-letter suffix that specifies the time unit). Time units: s +(seconds), m (minutes), h (hours), d (days), w (weeks). +The default time unit is s (seconds).

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM maillog_file_prefixes /var, /dev/stdout + +

    A list of allowed prefixes for a maillog_file value. This is a +safety feature to contain the damage from a single configuration +mistake. Specify one or more prefix strings, separated by comma or +whitespace.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM maillog_file_compressor gzip + +

    The program to run after rotating $maillog_file with "postfix +logrotate". The command is run with the rotated logfile name as its +first argument.

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM maillog_file_rotate_suffix %Y%m%d-%H%M%S + +

    The format of the suffix to append to $maillog_file while rotating +the file with "postfix logrotate". See strftime(3) for syntax. The +default suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently. +

    + +

    This feature is available in Postfix 3.4 and later.

    + +%PARAM info_log_address_format external + +

    The email address form that will be used in non-debug logging +(info, warning, etc.). As of Postfix 3.5 when an address localpart +contains spaces or other special characters, the localpart will be +quoted, for example:

    + +
    +
    +    from=<"name with spaces"@example.com>
    +
    +
    + +

    Older Postfix versions would log the internal (unquoted) form:

    + +
    +
    +    from=<name with spaces@example.com>
    +
    +
    + +

    The external and internal forms are identical for the vast +majority of email addresses that contain no spaces or other special +characters in the localpart.

    + +

    The logging in external form is consistent with the address +form that Postfix 3.2 and later prefer for most table lookups. This +is therefore the more useful form for non-debug logging.

    + +

    Specify "info_log_address_format = internal" for backwards +compatibility.

    + +

    Postfix uses the unquoted form internally, because an attacker +can specify an email address in different forms by playing games +with quotes and backslashes. An attacker should not be able to use +such games to circumvent Postfix access policies.

    + +

    This feature is available in Postfix 3.5 and later.

    + +%PARAM smtpd_sasl_mechanism_filter !external, static:rest + +

    If non-empty, a filter for the SASL mechanism names that the +Postfix SMTP server will announce in the EHLO response. By default, +the Postfix SMTP server will not announce the EXTERNAL mechanism, +because Postfix support for that is not implemented.

    + +

    Specify mechanism names, "/file/name" patterns, or "type:table" +lookup tables, separated by comma or whitespace. The right-hand +side result from "type:table" lookups is ignored. Specify "!pattern" +to exclude a mechanism name from the list.

    + +

    +Examples: +

    + +
    +smtpd_sasl_mechanism_filter = !external, !gssapi, static:rest
    +smtpd_sasl_mechanism_filter = login, plain
    +smtpd_sasl_mechanism_filter = /etc/postfix/smtpd_mechs
    +
    + +

    This feature is available in Postfix 3.6 and later.

    + +%PARAM dnssec_probe ns:. + +

    The DNS query type (default: "ns") and DNS query name (default: +".") that Postfix may use to determine whether DNSSEC validation +is available. +

    + +

    Background: DNSSEC validation is needed for Postfix DANE support; +this ensures that Postfix receives TLSA records with secure TLS +server certificate info. When DNSSEC validation is unavailable, +mail deliveries using opportunistic DANE will not be protected +by server certificate info in TLSA records, and mail deliveries +using mandatory DANE will not be made at all.

    + +

    By default, a Postfix process will send a DNSSEC probe after +1) the process made a DNS query that requested DNSSEC validation, +2) the process did not receive a DNSSEC validated response to this +query or to an earlier query, and 3) the process did not already +send a DNSSEC probe.

    + +

    When the DNSSEC probe has no response, or when the response is +not DNSSEC validated, Postfix logs a warning that DNSSEC validation +may be unavailable.

    + +

    Example:

    + +
    +warning: DNSSEC validation may be unavailable
    +warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
    +warning: reason: dnssec_probe 'ns:.' received no response: Server failure
    +
    + +

    Possible reasons why DNSSEC validation may be unavailable:

    + +
      + +
    • The local /etc/resolv.conf file specifies a DNS resolver that +does not validate DNSSEC signatures (that's +$queue_directory/etc/resolv.conf when a Postfix daemon runs in a +chroot jail). + +
    • The local system library does not pass on the "DNSSEC validated" +bit to Postfix, or Postfix does not know how to ask the library to +do that. + +
    + +

    By default, the DNSSEC probe asks for the DNS root zone NS +records, because resolvers should always have that information +cached. If Postfix runs on a network where the DNS root zone is not +reachable, specify a different probe, or specify an empty dnssec_probe +value to disable the feature.

    + +

    This feature is available in Postfix 3.6 and later. It was backported +to Postfix versions 3.5.9, 3.4.19, 3.3.16. 3.2.21.

    + +%PARAM local_login_sender_maps static:* + +

    A list of lookup tables that are searched by the UNIX login name, +and that return a list of allowed envelope sender patterns separated +by space or comma. These sender patterns are enforced by the Postfix +postdrop(1) command. The default is backwards-compatible: +every user may specify any sender envelope address.

    + +

    When no UNIX login name is available, the postdrop(1) command will +prepend "uid:" to the numerical UID and use that instead.

    + +

    This feature ignores address extensions in the user-specified +envelope sender address.

    + +

    The following sender patterns are special; these cannot be used +as part of a longer pattern.

    + +
    + +
    *
    This pattern allows any envelope sender address. +
    + +
    <>
    This pattern allows the empty +envelope sender address. See the +empty_address_local_login_sender_maps_lookup_key configuration +parameter.
    + +
    @domain
    This pattern allows an +envelope sender address when the '@' and domain part +match.
    + +
    + +

    Examples:

    + +
    +/etc/postfix/main.cf:
    +    # Allow root and postfix full control, anyone else can only
    +    # send mail as themselves. Use "uid:" followed by the numerical
    +    # UID when the UID has no entry in the UNIX password file.
    +    local_login_sender_maps = 
    +	inline:{ { root = * }, { postfix = * } },
    +	pcre:/etc/postfix/login_senders
    +
    + +
    +/etc/postfix/login_senders:
    +   # Allow both the bare username and the user@domain forms.
    +    /(.+)/ $1 $1@example.com
    +
    + +

    This feature is available in Postfix 3.6 and later.

    + +%PARAM empty_address_local_login_sender_maps_lookup_key <> + +

    +The lookup key to be used in local_login_sender_maps tables, instead +of the null sender address. +

    + +

    This feature is available in Postfix 3.6 and later.

    + +%PARAM enable_threaded_bounces no + +

    Enable non-delivery, success, and delay notifications that link +to the original message by including a References: and In-Reply-To: +header with the original Message-ID value. There are advantages and +disadvantages to consider.

    + +
    + +
    advantage
    This allows mail readers to present +a delivery status notification in the same email thread as the original +message.
    + +
    disadvantage
    This makes it easy for users to +mistakenly delete the whole email thread (all related messages), +instead of deleting only the non-delivery notification.
    + +
    + +

    This feature is available in Postfix 3.6 and later.

    + +%PARAM smtpd_relay_before_recipient_restrictions see "postconf -d" output + +

    Evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions. +Historically, smtpd_relay_restrictions was evaluated after +smtpd_recipient_restrictions, contradicting documented behavior.

    + +

    Background: the smtpd_relay_restrictions feature is primarily +designed to enforce a mail relaying policy, while +smtpd_recipient_restrictions is primarily designed to enforce spam +blocking policy. Both are evaluated while replying to the RCPT TO +command, and both support the same features.

    + +

    This feature is available in Postfix 3.6 and later.

    + +%PARAM respectful_logging see 'postconf -d' output + +

    Avoid logging that implies white is better than black. Instead +use 'allowlist', 'denylist', and variations of those words.

    + +

    This feature is available in Postfix 3.6 and later.

    + +%PARAM known_tcp_ports lmtp=24, smtp=25, smtps=submissions=465, submission=587 + +

    Optional setting that avoids lookups in the services(5) database. +This feature was implemented to address inconsistencies in the name +of the port "465" service. The ABNF is: +

    + +
    +

    +known_tcp_ports = empty | name-to-port *("," name-to-port)
    +name-to-port = 1*(service-name "=') port-number +

    +
    + +

    The comma is required. Whitespace is optional but it cannot appear +inside a service name or port number.

    + +

    This feature is available in Postfix 3.6 and later.

    + +%PARAM smtpd_min_data_rate 500 + +

    The minimum plaintext data transfer rate in bytes/second for +DATA and BDAT requests, when deadlines are enabled with +smtpd_per_request_deadline. After a read operation transfers N +plaintext message bytes (possibly after TLS decryption), and after +the DATA or BDAT request deadline is decremented by the elapsed +time of that read operation, the DATA or BDAT request deadline is +incremented by N/smtpd_min_data_rate seconds. However, the deadline +will never be incremented beyond the time limit specified with +smtpd_timeout.

    + +

    This feature is available in Postfix 3.7 and later.

    + +%PARAM smtpd_per_request_deadline normal: no, overload: yes + +

    Change the behavior of the smtpd_timeout and smtpd_starttls_timeout +time limits, from a time limit per plaintext or TLS read or write +call, to a combined time limit for receiving a complete SMTP request +and for sending a complete SMTP response. The deadline limits only +the time spent waiting for plaintext or TLS read or write calls, +not time spent elsewhere. The per-request deadline limits the impact +from hostile peers that trickle data one byte at a time.

    + +

    See smtpd_min_data_rate for how the per-request deadline is +managed during the DATA and BDAT phase.

    + +

    Note: when per-request deadlines are enabled, a short time limit +may cause problems with TLS over very slow network connections. The +reason is that a TLS protocol message can be up to 16 kbytes long +(with TLSv1), and that an entire TLS protocol message must be +transferred within the per-request deadline.

    + +

    This feature is available in Postfix 3.7 and later. A weaker +feature, called smtpd_per_record_deadline, is available with Postfix +2.9-3.6. With older Postfix releases, the behavior is as if this +parameter is set to "no".

    + +

    This feature is available in Postfix 3.7 and later.

    + +%PARAM lmtp_min_data_rate 500 + +

    The LMTP-specific version of the smtp_min_data_rate configuration +parameter. See there for details.

    + +

    This feature is available in Postfix 3.7 and later.

    + +%PARAM lmtp_per_request_deadline no + +

    The LMTP-specific version of the smtp_per_request_deadline +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 3.7 and later.

    + +%PARAM smtp_min_data_rate 500 + +

    The minimum plaintext data transfer rate in bytes/second for +DATA requests, when deadlines are enabled with smtp_per_request_deadline. +After a write operation transfers N plaintext message bytes (possibly +after TLS encryption), and after the DATA request deadline is +decremented by the elapsed time of that write operation, the DATA +request deadline is incremented by N/smtp_min_data_rate seconds. +However, the deadline will never be incremented beyond the time +limit specified with smtp_data_xfer_timeout.

    + +

    This feature is available in Postfix 3.7 and later.

    + +%PARAM smtp_per_request_deadline no + +

    Change the behavior of the smtp_*_timeout time limits, from a +time limit per plaintext or TLS read or write call, to a combined +time limit for sending a complete SMTP request and for receiving a +complete SMTP response. The deadline limits only the time spent +waiting for plaintext or TLS read or write calls, not time spent +elsewhere. The per-request deadline limits the impact from hostile +peers that trickle data one byte at a time.

    + +

    See smtp_min_data_rate for how the per-request deadline is +managed during the DATA phase.

    + +

    Note: when per-request deadlines are enabled, a short time limit +may cause problems with TLS over very slow network connections. The +reason is that a TLS protocol message can be up to 16 kbytes long +(with TLSv1), and that an entire TLS protocol message must be +transferred within the per-request deadline.

    + +

    This feature is available in Postfix 3.7 and later. A weaker +feature, called smtp_per_record_deadline, is available with Postfix +2.9-3.6.

    + +

    This feature is available in Postfix 3.7 and later.

    + +%PARAM smtp_bind_address_enforce no + +

    Defer delivery when the Postfix SMTP client cannot apply the +smtp_bind_address or smtp_bind_address6 setting. By default, the +Postfix SMTP client will continue delivery after logging a warning. +

    + +

    This feature is available in Postfix 3.7 and later.

    + +%PARAM lmtp_bind_address_enforce + +

    The LMTP-specific version of the smtp_bind_address_enforce +configuration parameter. See there for details.

    + +

    This feature is available in Postfix 3.7 and later.

    + +%PARAM tls_config_name + +

    The application name passed by Postfix to OpenSSL library +initialization functions. This name is used to select the desired +configuration "section" in the OpenSSL configuration file specified +via the tls_config_file parameter. When empty, or when the +selected name is not present in the configuration file, the default +application name ("openssl_conf") is used as a fallback.

    + +

    This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

    + +%PARAM tls_config_file default + +

    Optional configuration file with baseline OpenSSL settings. +OpenSSL loads any SSL settings found in the configuration file for +the selected application name (see tls_config_name) or else the +built-in application name "openssl_conf" when no application name is +specified, or no corresponding configuration section is present. +

    + +

    With OpenSSL releases 1.1.1 and 1.1.1a, applications (including +Postfix) can neither specify an alternative configuration file, nor +avoid loading the default configuration file.

    + +

    With OpenSSL 1.1.1b or later, this parameter may be set to one of: +

    + +
    + +
    default (default)
    Load the system-wide +"openssl.cnf" configuration file.
    + +
    none (recommended, OpenSSL 1.1.1b or later only)
    +
    This setting disables loading of the system-wide "openssl.cnf" +file.
    + +
    /absolute-path (OpenSSL 1.1.1b or later only)
    +
    Load the configuration file specified by /absolute-path. +With this setting it is an error for the file to not contain any +settings for the selected tls_config_name. There is no fallback to +the default "openssl_conf" name.
    + +
    + +

    Failures in processing of the built-in default configuration file, +are silently ignored. Any errors in loading a non-default configuration +file are detected by Postfix, and cause TLS support to be disabled. +

    + +

    The OpenSSL configuration file format is not documented here, +beyond giving two examples.

    + +

    Example: Default settings for all applications.

    + +
    +
    +# The name 'openssl_conf' is the default application name
    +# The section name to the right of the '=' sign is arbitrary,
    +# any name will do, so long as it refers to the desired section.
    +#
    +# The name 'system_default' selects the settings applied internally
    +# by the SSL library as part of SSL object creation.  Applications
    +# can then apply any additional settings of their choice.
    +#
    +# In this example, TLS versions prior to 1.2 are disabled by default.
    +#
    +openssl_conf = system_wide_settings
    +[system_wide_settings]
    +ssl_conf = ssl_library_settings
    +[ssl_library_settings]
    +system_default = initial_ssl_settings
    +[initial_ssl_settings]
    +MinProtocol = TLSv1.2
    +
    +
    + +

    Example: Custom settings for an application named "postfix".

    + +
    +
    +# The mapping from an application name to the corresponding configuration
    +# section must appear near the top of the file, (in what is sometimes called
    +# the "default section") prior to the start of any explicitly named
    +# "[sections]".  The named sections can appear in any order and don't nest.
    +#
    +postfix = postfix_settings
    +[postfix_settings]
    +ssl_conf = postfix_ssl_settings
    +[postfix_ssl_settings]
    +system_default = baseline_postfix_settings
    +[baseline_postfix_settings]
    +MinProtocol = TLSv1
    +
    +
    + +

    This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

    + +%PARAM smtpd_forbid_bare_newline Postfix < 3.9: no + +

    Reject or restrict input lines from an SMTP client that end in +<LF> instead of the standard <CR><LF>. Such line +endings are commonly allowed with UNIX-based SMTP servers, but they +violate RFC 5321, and allowing such line endings can make a server +vulnerable to +SMTP smuggling.

    + +

    Specify one of the following values (case does not matter):

    + +
    + +
    normalize
    Require the standard +End-of-DATA sequence <CR><LF>.<CR><LF>. +Otherwise, allow command or message content lines ending in the +non-standard <LF>, and process them as if the client sent the +standard <CR><LF>.

    This maintains compatibility +with many legitimate SMTP client applications that send a mix of +standard and non-standard line endings, but will fail to receive +email from client implementations that do not terminate DATA content +with the standard End-of-DATA sequence +<CR><LF>.<CR><LF>.

    Such clients +can be excluded with smtpd_forbid_bare_newline_exclusions.
    + +
    yes
    Compatibility alias for normalize.
    + +
    reject
    Require the standard End-of-DATA +sequence <CR><LF>.<CR><LF>. Reject a command +or message content when a line contains bare <LF>, log a "bare +<LF> received" error, and reply with the SMTP status code in +$smtpd_forbid_bare_newline_reject_code.

    This will reject +email from SMTP clients that send any non-standard line endings +such as web applications, netcat, or load balancer health checks. +

    This will also reject email from services that use BDAT +to send MIME text containing a bare newline (RFC 3030 Section 3 +requires canonical MIME format for text message types, defined in +RFC 2045 Sections 2.7 and 2.8).

    Such clients can be +excluded with smtpd_forbid_bare_newline_exclusions (or, in the case +of BDAT violations, BDAT can be selectively disabled with +smtpd_discard_ehlo_keyword_address_maps, or globally disabled with +smtpd_discard_ehlo_keywords).
    + +
    no (default)
    Do not require the standard +End-of-DATA +sequence <CR><LF>.<CR><LF>. Always process +a bare <LF> as if the client sent <CR><LF>. This +option is fully backwards compatible, but is not recommended for +an Internet-facing SMTP server, because it is vulnerable to SMTP smuggling. +
    + +
    + +

    Recommended settings:

    + +
    +
    +# Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    +# Otherwise, allow bare <LF> and process it as if the client sent
    +# <CR><LF>.
    +#
    +# This maintains compatibility with many legitimate SMTP client
    +# applications that send a mix of standard and non-standard line
    +# endings, but will fail to receive email from client implementations
    +# that do not terminate DATA content with the standard End-of-DATA
    +# sequence <CR><LF>.<CR><LF>.
    +#
    +# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
    +# The example below allowlists SMTP clients in trusted networks.
    +#
    +smtpd_forbid_bare_newline = normalize
    +smtpd_forbid_bare_newline_exclusions = $mynetworks
    +
    +
    + +

    Alternative:

    + +
    +
    +# Reject input lines that contain <LF> and log a "bare <LF> received"
    +# error. Require that input lines end in <CR><LF>, and require the
    +# standard End-of-DATA sequence <CR><LF>.<CR><LF>.
    +#
    +# This will reject email from SMTP clients that send any non-standard
    +# line endings such as web applications, netcat, or load balancer
    +# health checks.
    +#
    +# This will also reject email from services that use BDAT to send
    +# MIME text containing a bare newline (RFC 3030 Section 3 requires
    +# canonical MIME format for text message types, defined in RFC 2045
    +# Sections 2.7 and 2.8).
    +#
    +# Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
    +# The example below allowlists SMTP clients in trusted networks.
    +#
    +smtpd_forbid_bare_newline = reject
    +smtpd_forbid_bare_newline_exclusions = $mynetworks
    +#
    +# Alternatively, in the case of BDAT violations, BDAT can be selectively
    +# disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
    +# disabled with smtpd_discard_ehlo_keywords.
    +#
    +# smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
    +# /path/to/file:
    +#     10.0.0.0/24 chunking, silent-discard
    +# smtpd_discard_ehlo_keywords = chunking, silent-discard
    +
    +
    + +

    This feature with settings yes and no is available +in Postfix 3.8.4, 3.7.9, 3.6.13, and 3.5.23. Additionally, the +settings reject, and normalize are available with +Postfix ≥ 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24.

    + +%PARAM smtpd_forbid_bare_newline_exclusions $mynetworks + +

    Exclude the specified clients from smtpd_forbid_bare_newline +enforcement. This setting uses the same syntax and parent-domain +matching behavior as mynetworks.

    + +

    This feature is available in Postfix ≥ 3.9, 3.8.4, 3.7.9, +3.6.13, and 3.5.23.

    + +%PARAM smtpd_forbid_bare_newline_reject_code 550 + +

    +The numerical Postfix SMTP server response code when rejecting a +request with "smtpd_forbid_bare_newline = reject". +Specify a 5XX status code (521 to disconnect). +

    + +

    This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10, +3.6.14, and 3.5.24.

    + +%PARAM cleanup_replace_stray_cr_lf yes + +

    Replace each stray <CR> or <LF> character in message +content with a space character, to prevent outbound SMTP smuggling, +and to make the evaluation of Postfix-added DKIM or other signatures +independent from how a remote mail server handles such characters. +

    + +

    SMTP does not allow such characters unless they are part of a +<CR><LF> sequence, and different mail systems handle +such stray characters in an implementation-dependent manner. Stray +<CR> or <LF> characters could be used for outbound +SMTP smuggling, where an attacker uses a Postfix server to send +message content with a non-standard End-of-DATA sequence that +triggers inbound SMTP smuggling at a remote SMTP server.

    + +

    The replacement happens before all other content management, +and before Postfix may add a DKIM etc. signature; if the signature +were created first, the replacement could invalidate the signature. +

    + +

    In addition to preventing SMTP smuggling, replacing stray +<CR> or <LF> characters ensures that the result of +signature validation by later mail system will not depend on how +that mail system handles those stray characters in an +implementation-dependent manner.

    + +

    This feature is available in Postfix ≥ 3.9, 3.8.5, 3.7.10, +3.6.14, and 3.5.24.

    + +%PARAM smtpd_forbid_unauth_pipelining Postfix ≥ 3.9: yes + +

    Disconnect remote SMTP clients that violate RFC 2920 (or 5321) +command pipelining constraints. The server replies with "554 5.5.0 +Error: SMTP protocol synchronization" and logs the unexpected remote +SMTP client input. Specify "smtpd_forbid_unauth_pipelining = yes" +to enable. This feature is enabled by default with Postfix ≥ +3.9.

    + +

    This feature is available in Postfix ≥ 3.9, 3.8.1, 3.7.6, +3.6.10, and 3.5.20.

    -- cgit v1.2.3