<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "https://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

<title>Postfix Configuration Parameters </title>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='postfix-doc.css'>

<script type="text/javascript">

// Kludge for https://support.google.com/chrome/thread/11993079
const isChrome = /Chrome/.test(navigator.userAgent)
    && /Google Inc/.test(navigator.vendor);
const hash = window.location.hash;
if (hash && isChrome) {
    setTimeout(function() {
        window.location.hash = "";
        window.location.hash = hash;
    }, 1000);
}

</script>

</head>

<body>

<h1><img src="postfix-logo.jpg" width="203" height="98" alt="">Postfix Configuration Parameters </h1>

<hr>

<h2> Postfix main.cf file format </h2>

<p> The Postfix main.cf configuration file specifies a very small
subset of all the parameters that control the operation of the
Postfix mail system. Parameters not explicitly specified are left
at their default values. </p>

<p> The general format of the main.cf file is as follows: </p>

<ul>

<li> <p> Each logical line is in the form "parameter = value".
Whitespace around the "=" is ignored, as is whitespace at the end
of a logical line. </p>

<li> <p> Empty lines and whitespace-only lines are ignored, as are
lines whose first non-whitespace character is a `#'. </p>

<li> <p> A logical line starts with non-whitespace text. A line
that starts with whitespace continues a logical line. </p>

<li> <p> A parameter value may refer to other parameters. </p>

<ul>

<li> <p> The expressions "$name" and "${name}" are recursively
replaced with the value of the named parameter. The parameter name
must contain only characters from the set [a-zA-Z0-9_].
An undefined parameter value is replaced with the empty value.  </p>

<li> <p> The expressions "${name?value}" and "${name?{value}}" are
replaced with "value" when "$name" is non-empty. The parameter name
must contain only characters from the set [a-zA-Z0-9_]. These forms are
supported with Postfix versions &ge; 2.2 and &ge; 3.0, respectively.
</p>

<li> <p> The expressions "${name:value}" and "${name:{value}}" are
replaced with "value" when "$name" is empty. The parameter name must
contain only characters from the set [a-zA-Z0-9_]. These forms are
supported with Postfix versions &ge; 2.2 and &ge; 3.0, respectively.
</p>

<li> <p> The expression "${name?{value1}:{value2}}" is replaced
with "value1" when "$name" is non-empty, and with "value2" when
"$name" is empty.  The "{}" is required for "value1", optional for
"value2".  The parameter name must contain only characters from the
set [a-zA-Z0-9_].  This form is supported with Postfix versions
&ge; 3.0.  </p>

<li> <p> The first item inside "${...}" may be a relational expression
of the form: "{value3} == {value4}". Besides the "==" (equality)
operator Postfix supports "!=" (inequality), "&lt;", "&le;", "&ge;",
and "&gt;". The comparison is numerical when both operands are all
digits, otherwise the comparison is lexicographical. These forms
are supported with Postfix versions &ge; 3.0. </p>

<li> <p> Each "value" is subject to recursive named parameter and
relational expression evaluation, except where noted.  </p>

<li> <p> Whitespace before or after each "{value}" is ignored. </p>

<li> <p> Specify "$$" to produce a single "$" character. </p>

<li> <p> The legacy form "$(...)" is equivalent to the preferred
form "${...}". </p>

</ul>

<li> <p> When the same parameter is defined multiple times, only
the last instance is remembered. </p>

<li> <p> Otherwise, the order of main.cf parameter definitions does
not matter. </p>

</ul>
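<p> The file-format and expansion rules above, as an added example that is
not part of the Postfix documentation or source: a small Python reader for
the main.cf logical-line syntax and an evaluator for the "$name", "${...}",
conditional, relational, "$$" and legacy "$(...)" forms, run on a constructed
sample configuration. All parameter names and values in the sample are made
up; the only real command referred to is "postconf -x". </p>

```python
# Added example, not Postfix project code: parser and expander for the main.cf
# rules above (logical/continuation lines, comments, last definition wins, $name,
# ${name}, ${name?v}, ${name:v}, ${name?{v1}:{v2}}, ${{a} op {b}?..}, "$$", "$(..)").
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")
SAMPLE_MAIN_CF = """\
# constructed sample, not a real site's main.cf (comment lines are ignored)
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
relay_list = smtp1.$mydomain,
    smtp2.$mydomain
limit = 100
route_note = ${relay_list?{relay via $relay_list}:{direct delivery}}
size_class = ${{$limit} >= {100}?{big}:{small}}
myorigin = $myhostname
"""

def parse_main_cf(text):
    """{parameter: raw value}; continuation lines are joined, last definition wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank or comment line
        if raw[0] in " \t" and logical:               # leading whitespace: continuation
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.rstrip())
    pairs = [line.partition("=") for line in logical]  # whitespace around "=" ignored
    return {name.strip(): value.strip() for name, _, value in pairs}

def _matching(s, start, open_ch, close_ch):           # index of the balancing close_ch
    depth = 0
    for j in range(start, len(s)):
        depth += (s[j] == open_ch) - (s[j] == close_ch)
        if depth == 0:
            return j
    raise ValueError("unbalanced %r in %r" % (open_ch, s))

def _take_value(s):                                   # "{...}" (nesting ok) or bare text
    s = s.lstrip()
    if s.startswith("{"):
        end = _matching(s, 0, "{", "}")
        return s[1:end].strip(), s[end + 1:].lstrip()
    return s.strip(), ""

def _expand_braced(inner, params):
    """Evaluate the text between "${" and "}" (or "$(" and ")")."""
    inner = inner.strip()
    if inner.startswith("{"):                         # relational: {a} op {b}
        end = _matching(inner, 0, "{", "}")
        left = expand(inner[1:end], params).strip()
        m = re.match(r"\s*(==|!=|<=|>=|<|>)\s*\{", inner[end + 1:])
        if not m: raise ValueError("bad relational expression: %r" % inner)
        rstart = end + m.end()                        # the right-hand "{"
        rend = _matching(inner, rstart, "{", "}")
        right = expand(inner[rstart + 1:rend], params).strip()
        if left.isdigit() and right.isdigit():        # numerical only if all digits
            left, right = int(left), int(right)
        cond = {"==": left == right, "!=": left != right, "<": left < right,
                "<=": left <= right, ">": left > right, ">=": left >= right}[m.group(1)]
        rest = inner[rend + 1:].lstrip()
    else:                                             # name, name?..., name:...
        m = NAME_RE.match(inner)
        if not m: raise ValueError("bad parameter reference: %r" % inner)
        value = expand(params.get(m.group(0), ""), params)   # undefined -> ""
        rest = inner[m.end():].lstrip()
        if not rest:
            return value                              # plain ${name}
        cond = value != ""
    if rest.startswith("?"):                          # ${name?v1} / ${name?{v1}:{v2}}
        on_true, rest = _take_value(rest[1:])
        on_false, rest = _take_value(rest[1:]) if rest.startswith(":") else ("", rest)
    elif rest.startswith(":"):                        # ${name:v2}: v2 when name is empty
        on_true, (on_false, rest) = "", _take_value(rest[1:])
    else:
        raise ValueError("expected '?' or ':' in %r" % inner)
    if rest: raise ValueError("trailing text in %r" % inner)
    return expand(on_true if cond else on_false, params)   # values expand recursively

def expand(value, params):
    """Expand every $ expression in value; "$$" yields a literal "$"."""
    out, i = [], 0
    while i < len(value):
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if value[i] != "$":
            out.append(value[i]); i += 1
        elif nxt == "$":
            out.append("$"); i += 2
        elif nxt in ("{", "("):
            end = _matching(value, i + 1, nxt, "}" if nxt == "{" else ")")
            out.append(_expand_braced(value[i + 2:end], params)); i = end + 1
        elif (m := NAME_RE.match(value, i + 1)):
            out.append(expand(params.get(m.group(0), ""), params)); i = m.end()
        else:
            out.append("$"); i += 1                   # lone "$" is kept as-is
    return "".join(out)
```

<p> Running <code>expand()</code> over every value of
<code>parse_main_cf(SAMPLE_MAIN_CF)</code> gives the expanded view that
"<b>postconf -x</b>" reports for a real configuration: the second
"myorigin" definition wins, the continuation line becomes part of the
"relay_list" value, and the relational expression compares "100" and "100"
numerically. The reader does not detect self-referential parameters
(a value that expands to itself recurses without bound), and it accepts a
logical line without "=" as a parameter with an empty value, both of which
the real postconf(1) diagnoses. </p>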

<p> The remainder of this document is a description of all Postfix
configuration parameters. Default values are shown after the
parameter name in parentheses, and can be looked up with the
"<b>postconf -d</b>" command. </p>

<p> Note: this is not an invitation to make changes to Postfix
configuration parameters. Unnecessary changes are likely to impair
the operation of the mail system.  </p>

<dl>
<DT><b><a name="2bounce_notice_recipient">2bounce_notice_recipient</a>
(default: postmaster)</b></DT><DD>

<p> The recipient of undeliverable mail that cannot be returned to
the sender.  This feature is enabled with the <a href="postconf.5.html#notify_classes">notify_classes</a>
parameter.  </p>


</DD>

<DT><b><a name="access_map_defer_code">access_map_defer_code</a>
(default: 450)</b></DT><DD>

<p>
The numerical Postfix SMTP server response code for
an <a href="access.5.html">access(5)</a> map "defer" action, including "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>"
or "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>". Prior to Postfix 2.6, the response
is hard-coded as "450".
</p>

<p>
Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>

<p>
This feature is available in Postfix 2.6 and later.
</p>


</DD>

<DT><b><a name="access_map_reject_code">access_map_reject_code</a>
(default: 554)</b></DT><DD>

<p>
The numerical Postfix SMTP server response code for
an <a href="access.5.html">access(5)</a> map "reject" action.
</p>

<p>
Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
</p>


</DD>

<DT><b><a name="address_verify_cache_cleanup_interval">address_verify_cache_cleanup_interval</a>
(default: 12h)</b></DT><DD>

<p> The amount of time between <a href="verify.8.html">verify(8)</a> address verification
database cleanup runs. This feature requires that the database
supports the "delete" and "sequence" operators.  Specify a zero
interval to disable database cleanup. </p>

<p> After each database cleanup run, the <a href="verify.8.html">verify(8)</a> daemon logs the
number of entries that were retained and dropped. A cleanup run is
logged as "partial" when the daemon terminates early after "<b>postfix
reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>
seconds. </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours).  </p>

<p> This feature is available in Postfix 2.7. </p>


</DD>

<DT><b><a name="address_verify_default_transport">address_verify_default_transport</a>
(default: $<a href="postconf.5.html#default_transport">default_transport</a>)</b></DT><DD>

<p>
Overrides the <a href="postconf.5.html#default_transport">default_transport</a> parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_local_transport">address_verify_local_transport</a>
(default: $<a href="postconf.5.html#local_transport">local_transport</a>)</b></DT><DD>

<p>
Overrides the <a href="postconf.5.html#local_transport">local_transport</a> parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_map">address_verify_map</a>
(default: see "postconf -d" output)</b></DT><DD>

<p>
Lookup table for persistent address verification status
storage.  The table is maintained by the <a href="verify.8.html">verify(8)</a> service, and
is opened before the process releases privileges.
</p>

<p>
The lookup table is persistent by default (Postfix 2.7 and later).
Specify an empty table name to keep the information in volatile
memory which is lost after "<b>postfix reload</b>" or "<b>postfix
stop</b>". This is the default with Postfix version 2.6 and earlier.
</p>

<p>
Specify a location in a file system that will not fill up. If the
database becomes corrupted, the world comes to an end. To recover,
delete (NOT: truncate) the file and do "<b>postfix reload</b>".
</p>

<p> Postfix daemon processes do not use root privileges when opening
this file (Postfix 2.5 and later).  The file must therefore be
stored under a Postfix-owned directory such as the <a href="postconf.5.html#data_directory">data_directory</a>.
As a migration aid, an attempt to open the file under a non-Postfix
directory is redirected to the Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a
warning is logged. </p>

<p>
Examples:
</p>

<pre>
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="DATABASE_README.html#types">hash</a>:/var/db/postfix/verify
<a href="postconf.5.html#address_verify_map">address_verify_map</a> = <a href="DATABASE_README.html#types">btree</a>:/var/db/postfix/verify
</pre>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_negative_cache">address_verify_negative_cache</a>
(default: yes)</b></DT><DD>

<p>
Enable caching of failed address verification probe results.  When
this feature is enabled, the cache may pollute quickly with garbage.
When this feature is disabled, Postfix will generate an address
probe for every lookup.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_negative_expire_time">address_verify_negative_expire_time</a>
(default: 3d)</b></DT><DD>

<p>
The time after which a failed probe expires from the address
verification cache.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).  </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_negative_refresh_time">address_verify_negative_refresh_time</a>
(default: 3h)</b></DT><DD>

<p>
The time after which a failed address verification probe needs to
be refreshed.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is h (hours).  </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_pending_request_limit">address_verify_pending_request_limit</a>
(default: see "postconf -d" output)</b></DT><DD>

<p> A safety limit that prevents address verification requests from
overwhelming the Postfix queue. By default, the number of pending
requests is limited to 1/4 of the <a href="QSHAPE_README.html#active_queue">active queue</a> maximum size
(<a href="postconf.5.html#qmgr_message_active_limit">qmgr_message_active_limit</a>). The queue manager enforces the limit
by tempfailing requests that exceed the limit. This affects only
unknown addresses and inactive addresses that have expired, because
the <a href="verify.8.html">verify(8)</a> daemon automatically refreshes an active address
before it expires. </p>

<p> This feature is available in Postfix 3.1 and later.  </p>


</DD>

<DT><b><a name="address_verify_poll_count">address_verify_poll_count</a>
(default: normal: 3, <a href="STRESS_README.html">overload</a>: 1)</b></DT><DD>

<p>
How many times to query the <a href="verify.8.html">verify(8)</a> service for the completion
of an address verification request in progress.
</p>

<p> By default, the Postfix SMTP server polls the <a href="verify.8.html">verify(8)</a> service
up to three times under non-overload conditions, and only once when
under overload.  With Postfix version 2.5 and earlier, the SMTP
server always polls the <a href="verify.8.html">verify(8)</a> service up to three times by
default.  </p>

<p>
Specify 1 to implement a crude form of greylisting, that is, always
defer the first delivery request for a new address.
</p>

<p>
Examples:
</p>

<pre>
# Postfix &le; 2.6 default
<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 3
# Poor man's greylisting
<a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> = 1
</pre>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_poll_delay">address_verify_poll_delay</a>
(default: 3s)</b></DT><DD>

<p>
The delay between queries for the completion of an address
verification request in progress.
</p>

<p>
The default polling delay is 3 seconds.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_positive_expire_time">address_verify_positive_expire_time</a>
(default: 31d)</b></DT><DD>

<p>
The time after which a successful probe expires from the address
verification cache.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).  </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_positive_refresh_time">address_verify_positive_refresh_time</a>
(default: 7d)</b></DT><DD>

<p>
The time after which a successful address verification probe needs
to be refreshed.  The address verification status is not updated
when the probe fails (optimistic caching).
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).  </p>

<p>
This feature is available in Postfix 2.1 and later.
</p>

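<p> How the address_verify_negative_cache, *_expire_time and
*_refresh_time parameters interact, including the optimistic caching
described above, as an added example that is not the verify(8) source: a
Python model of the documented cache semantics, with a short scenario on
constructed addresses and times. Times are integer seconds and the defaults
are the ones listed for these parameters; the entry layout and the
return values are this model's own, not Postfix's. </p>

```python
# Added example, not the verify(8) source: a model of the documented cache
# semantics of the address_verify_* parameters (negative caching, expire and
# refresh times, optimistic caching of positive results, cleanup runs).
# All times are integer seconds; the defaults are the ones listed above.

class VerifyCache:
    def __init__(self, negative_cache=True, positive_expire=31 * 86400,
                 positive_refresh=7 * 86400, negative_expire=3 * 86400,
                 negative_refresh=3 * 3600):
        self.negative_cache = negative_cache
        self.limits = {"ok": (positive_expire, positive_refresh),
                       "fail": (negative_expire, negative_refresh)}
        self.entries = {}             # address -> (status, time of last update)

    def lookup(self, address, now):
        """Return (status, probe_needed). status is "ok", "fail" or "unknown";
        probe_needed is True for unknown or expired entries and for entries
        whose refresh time has passed (the cached status stays usable)."""
        entry = self.entries.get(address)
        if entry is None:
            return "unknown", True
        status, updated = entry
        expire, refresh = self.limits[status]
        if now - updated >= expire:   # expired: forget it and probe again
            del self.entries[address]
            return "unknown", True
        return status, now - updated >= refresh

    def record(self, address, probe_ok, now):
        """Store a probe result. A failed refresh of a positive entry leaves
        the entry untouched (optimistic caching); failures are stored only
        when negative caching is enabled."""
        previous = self.entries.get(address)
        if probe_ok:
            self.entries[address] = ("ok", now)
        elif previous is not None and previous[0] == "ok":
            return                    # keep the positive status and timestamp
        elif self.negative_cache:
            self.entries[address] = ("fail", now)

    def cleanup(self, now):
        """Drop expired entries; return (retained, dropped) as a cleanup run logs."""
        expired = [a for a, (s, t) in self.entries.items()
                   if now - t >= self.limits[s][0]]
        for address in expired:
            del self.entries[address]
        return len(self.entries), len(expired)


def demo():
    """Scenario on constructed data: one positive and one negative entry."""
    cache, t0 = VerifyCache(), 1_000_000
    cache.record("alice@example.com", True, t0)
    cache.record("nobody@example.com", False, t0)
    steps = {
        "fresh positive": cache.lookup("alice@example.com", t0 + 3600),
        "positive, refresh due (>7d)": cache.lookup("alice@example.com", t0 + 8 * 86400),
        "negative, refresh due (>3h)": cache.lookup("nobody@example.com", t0 + 4 * 3600),
    }
    cache.record("alice@example.com", False, t0 + 8 * 86400)  # refresh probe failed
    steps["positive kept after failed refresh"] = cache.lookup("alice@example.com",
                                                               t0 + 8 * 86400)
    steps["cleanup after 4d"] = cache.cleanup(t0 + 4 * 86400)  # negative entry expired
    return steps
```

<p> The scenario shows the two things an operator usually wants to confirm:
a positive entry survives a failed refresh probe until
address_verify_positive_expire_time has elapsed since it was last
confirmed, and a negative entry is refreshed after 3 hours but only
forgotten after 3 days. The address_verify_pending_request_limit cap on
outstanding probes is not modelled. </p>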
</DD>

<DT><b><a name="address_verify_relay_transport">address_verify_relay_transport</a>
(default: $<a href="postconf.5.html#relay_transport">relay_transport</a>)</b></DT><DD>

<p>
Overrides the <a href="postconf.5.html#relay_transport">relay_transport</a> parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_relayhost">address_verify_relayhost</a>
(default: $<a href="postconf.5.html#relayhost">relayhost</a>)</b></DT><DD>

<p>
Overrides the <a href="postconf.5.html#relayhost">relayhost</a> parameter setting for address verification
probes. This information can be overruled with the <a href="transport.5.html">transport(5)</a> table.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_sender">address_verify_sender</a>
(default: $<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b></DT><DD>

<p> The sender address to use in address verification probes; prior
to Postfix 2.5 the default was "postmaster". To
avoid problems with address probes that are sent in response to
address probes, the Postfix SMTP server excludes the probe sender
address from all SMTPD access blocks. </p>

<p>
Specify an empty value (<a href="postconf.5.html#address_verify_sender">address_verify_sender</a> =) or &lt;&gt; if you want
to use the null sender address. Beware, some sites reject mail from
&lt;&gt;, even though RFCs require that such addresses be accepted.
</p>

<p>
Examples:
</p>

<pre>
<a href="postconf.5.html#address_verify_sender">address_verify_sender</a> = &lt;&gt;
<a href="postconf.5.html#address_verify_sender">address_verify_sender</a> = postmaster@<a href="postconf.5.html#mydomain">mydomain</a>
</pre>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_sender_dependent_default_transport_maps">address_verify_sender_dependent_default_transport_maps</a>
(default: $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>)</b></DT><DD>

<p> Overrides the <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> parameter
setting for address verification probes.  </p>

<p> This feature is available in Postfix 2.7 and later.  </p>


</DD>

<DT><b><a name="address_verify_sender_dependent_relayhost_maps">address_verify_sender_dependent_relayhost_maps</a>
(default: $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>)</b></DT><DD>

<p>
Overrides the <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.3 and later.
</p>


</DD>

<DT><b><a name="address_verify_sender_ttl">address_verify_sender_ttl</a>
(default: 0s)</b></DT><DD>

<p> The time between changes in the time-dependent portion of address
verification probe sender addresses. The time-dependent portion is
appended to the localpart of the address specified with the
<a href="postconf.5.html#address_verify_sender">address_verify_sender</a> parameter. This feature is ignored when the
probe sender address is the null sender, i.e. the <a href="postconf.5.html#address_verify_sender">address_verify_sender</a>
value is empty or &lt;&gt;. </p>

<p> Historically, the probe sender address was fixed. This has
caused such addresses to end up on spammer mailing lists, and has
resulted in wasted network and processing resources.  </p>

<p> To enable time-dependent probe sender addresses, specify a
non-zero time value. Specify a value of at least several hours,
to avoid problems with senders that use greylisting. Avoid nice
TTL values, to make the result less predictable.  </p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>

<p> This feature is available in Postfix 2.9 and later.  </p>

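<p> The "integral value plus optional one-letter unit" time syntax that the
address_verify_* time parameters above share (with its per-parameter
default unit and the non-zero versus non-negative rules), together with the
time-dependent probe sender of address_verify_sender_ttl, as an added
example that is not Postfix code. The documented defaults are taken from
the descriptions above; how the time-dependent portion is actually encoded
is not specified on this page, so the window number and the "+" separator
used here are assumptions of this example. </p>

```python
# Added example, not Postfix code: the time-value syntax used by the
# address_verify_* parameters above, plus a model of the time-dependent
# probe sender address of address_verify_sender_ttl.
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}

# Documented default, default unit, and whether zero is allowed (from the
# "non-negative" versus "non-zero" wording of each parameter above).
TIME_PARAMS = {
    "address_verify_cache_cleanup_interval": ("12h", "h", True),
    "address_verify_negative_expire_time": ("3d", "d", False),
    "address_verify_negative_refresh_time": ("3h", "h", False),
    "address_verify_poll_delay": ("3s", "s", False),
    "address_verify_positive_expire_time": ("31d", "d", False),
    "address_verify_positive_refresh_time": ("7d", "d", False),
    "address_verify_sender_ttl": ("0s", "s", True),
}


def parse_time_value(value, default_unit, zero_allowed=True):
    """Convert "12h", "3", "0s" ... to seconds. A negative value never matches
    the digits-only pattern; zero is rejected where the parameter requires a
    non-zero value."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    seconds = int(m.group(1)) * UNITS[m.group(2) or default_unit]
    if seconds == 0 and not zero_allowed:
        raise ValueError("zero is not allowed: %r" % value)
    return seconds


def verify_times(params):
    """Resolve every address_verify_* time parameter from a {name: value}
    mapping (as read from main.cf), using the documented default otherwise."""
    return {name: parse_time_value(params.get(name, default), unit, zero_ok)
            for name, (default, unit, zero_ok) in TIME_PARAMS.items()}


def probe_sender(address_verify_sender, ttl_seconds, now):
    """Probe sender address for the current TTL window.

    Assumption (not specified on this page): the time-dependent portion is
    modelled as the window number now // ttl, joined to the localpart with
    "+". What is documented, and reproduced here, is that the address is
    fixed for <>, an empty value or a zero TTL, and otherwise changes once
    every ttl seconds."""
    sender = address_verify_sender.strip()
    if sender in ("", "<>") or ttl_seconds == 0:
        return sender                       # null sender or feature disabled
    local, at, domain = sender.partition("@")
    return "%s+%d%s%s" % (local, now // ttl_seconds, at, domain)


def next_change(ttl_seconds, now):
    """When the probe sender next changes. With a "nice" TTL such as 86400
    every change lands on a predictable boundary (midnight UTC), which is
    why the description above advises against such values."""
    return (now // ttl_seconds + 1) * ttl_seconds
```

<p> Feeding the output of a main.cf reader into <code>verify_times()</code>
is the quickest way to see the effective cache timings of a configuration
in one unit; <code>next_change()</code> makes the "avoid nice TTL values"
advice concrete, since a TTL of 25h or 82913s moves the boundary every
window while 86400 keeps it at the same time of day. </p>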
</DD>

<DT><b><a name="address_verify_service_name">address_verify_service_name</a>
(default: verify)</b></DT><DD>

<p>
The name of the <a href="verify.8.html">verify(8)</a> address verification service. This service
maintains the status of sender and/or recipient address verification
probes, and generates probes on request by other Postfix processes.
</p>


</DD>

<DT><b><a name="address_verify_transport_maps">address_verify_transport_maps</a>
(default: $<a href="postconf.5.html#transport_maps">transport_maps</a>)</b></DT><DD>

<p>
Overrides the <a href="postconf.5.html#transport_maps">transport_maps</a> parameter setting for address verification
probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="address_verify_virtual_transport">address_verify_virtual_transport</a>
(default: $<a href="postconf.5.html#virtual_transport">virtual_transport</a>)</b></DT><DD>

<p>
Overrides the <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter setting for address
verification probes.
</p>

<p>
This feature is available in Postfix 2.1 and later.
</p>


</DD>

<DT><b><a name="alias_database">alias_database</a>
(default: see "postconf -d" output)</b></DT><DD>

<p>
The alias databases for <a href="local.8.html">local(8)</a> delivery that are updated with
"<b>newaliases</b>" or with "<b>sendmail -bi</b>".
</p>

<p>
This is a separate configuration parameter because not all the
tables specified with $<a href="postconf.5.html#alias_maps">alias_maps</a> have to be local files.
</p>

<p>
Examples:
</p>

<pre>
<a href="postconf.5.html#alias_database">alias_database</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases
<a href="postconf.5.html#alias_database">alias_database</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/mail/aliases
</pre>


</DD>

<DT><b><a name="alias_maps">alias_maps</a>
(default: see "postconf -d" output)</b></DT><DD>

<p>
Optional lookup tables that are searched only with an email address
localpart (no domain) and that apply only to <a href="local.8.html">local(8)</a> recipients;
this is unlike <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> that are often searched with a
full email address (including domain) and that apply to all recipients:
<a href="local.8.html">local(8)</a>, virtual, and remote.
The <a href="postconf.5.html#alias_maps">alias_maps</a> table format and lookups are documented in <a href="aliases.5.html">aliases(5)</a>.
For an overview of Postfix address manipulations see the
<a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document. </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
Note: these lookups are recursive.
</p>

<p>
The default list is system dependent.  On systems with NIS, the
default is to search the local alias database, then the NIS alias
database.
</p>

<p>
If you change the alias database, run "<b>postalias /etc/aliases</b>"
(or wherever your system stores the mail alias file), or simply
run "<b>newaliases</b>" to build the necessary DBM or DB file.
</p>

<p>
The <a href="local.8.html">local(8)</a> delivery agent disallows regular expression substitution
of $1 etc. in <a href="postconf.5.html#alias_maps">alias_maps</a>, because that would open a security hole.
</p>

<p>
The <a href="local.8.html">local(8)</a> delivery agent will silently ignore requests to use
the <a href="proxymap.8.html">proxymap(8)</a> server within <a href="postconf.5.html#alias_maps">alias_maps</a>. Instead it will open the
table directly. Before Postfix version 2.2, the <a href="local.8.html">local(8)</a> delivery
agent will terminate with a fatal error.
</p>

<p>
Examples:
</p>

<pre>
<a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases, nis:mail.aliases
<a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/aliases
</pre>


</DD>

<DT><b><a name="allow_mail_to_commands">allow_mail_to_commands</a>
(default: alias, forward)</b></DT><DD>

<p>
Restrict <a href="local.8.html">local(8)</a> mail delivery to external commands.  The default
is to disallow delivery to "|command" in :include:  files (see
<a href="aliases.5.html">aliases(5)</a> for the text that defines this terminology).
</p>

<p>
Specify zero or more of: <b>alias</b>, <b>forward</b> or <b>include</b>,
in order to allow commands in <a href="aliases.5.html">aliases(5)</a>, .forward files or in
:include:  files, respectively.
</p>

<p>
Example:
</p>

<pre>
<a href="postconf.5.html#allow_mail_to_commands">allow_mail_to_commands</a> = alias,forward,include
</pre>


</DD>

<DT><b><a name="allow_mail_to_files">allow_mail_to_files</a>
(default: alias, forward)</b></DT><DD>

<p>
Restrict <a href="local.8.html">local(8)</a> mail delivery to external files. The default is
to disallow "/file/name" destinations in :include:  files (see
<a href="aliases.5.html">aliases(5)</a> for the text that defines this terminology).
</p>

<p>
Specify zero or more of: <b>alias</b>, <b>forward</b> or <b>include</b>,
in order to allow "/file/name" destinations in <a href="aliases.5.html">aliases(5)</a>, .forward
files and in :include:  files, respectively.
</p>

<p>
Example:
</p>

<pre>
<a href="postconf.5.html#allow_mail_to_files">allow_mail_to_files</a> = alias,forward,include
</pre>

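<p> The allow_mail_to_commands and allow_mail_to_files policy above, applied
to alias targets the way the descriptions state it, as an added example
that is not local(8) code: a Python walk over constructed aliases(5)
entries and :include: files that classifies each target ("|command",
"/file/name", ":include:", address) and decides whether delivery to it is
permitted in the context where it was found. The "name: target, target"
layout and the double-quoting of a "|command" that contains spaces or
commas are assumed from aliases(5); the file paths are placeholders. </p>

```python
# Added example, not local(8) code: classify aliases(5)-style delivery targets
# and apply the allow_mail_to_commands / allow_mail_to_files policy from the
# two parameters above. Alias syntax is assumed from aliases(5).
import csv
import re

# Constructed sample data; the paths are placeholders, not a real system.
ALIASES_TEXT = """\
# aliases(5) sample
postmaster: root
staff: :include:/etc/postfix/staff.list
vacation-bob: "|/usr/bin/vacation bob", bob
archive: /var/mail/archive/all
"""
INCLUDE_FILES = {
    "/etc/postfix/staff.list":
        "alice\nbob\n|/usr/local/bin/notify-staff\n/var/mail/staff-archive\n",
}


def parse_targets(text):
    """Comma- or newline-separated targets; double quotes group one target."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = next(csv.reader([line], skipinitialspace=True))
            targets += [t.strip() for t in fields if t.strip()]
    return targets


def parse_aliases(text):
    """{alias name: [targets]} from "name: target, ..." lines."""
    aliases = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, _, rest = line.partition(":")
            aliases[name.strip()] = parse_targets(rest)
    return aliases


def classify(target):
    """Target kinds: |command, /file/name, :include:/path, or an address."""
    if target.startswith("|"):
        return "command"
    if target.startswith("/"):
        return "file"
    if target.startswith(":include:"):
        return "include"
    return "address"


def make_policy(allow_mail_to_commands, allow_mail_to_files):
    """Parse the two parameter values ("alias, forward") into context sets."""
    def split(value):
        return set(re.split(r"[\s,]+", value.strip())) - {""}
    return {"command": split(allow_mail_to_commands), "file": split(allow_mail_to_files)}


def delivery_allowed(kind, context, policy):
    """context is where the target was found: 'alias', 'forward' or 'include'."""
    return kind not in policy or context in policy[kind]


def expand_targets(targets, context, include_files, policy):
    """Walk a target list as local(8) would: descend into :include: files
    (their targets get the 'include' context) and return a list of
    (target, kind, allowed) triples. Addresses are not resolved further
    here, although alias_maps lookups themselves are recursive."""
    out = []
    for target in targets:
        kind = classify(target)
        if kind == "include":
            body = include_files.get(target[len(":include:"):])
            if body is None:
                out.append((target, kind, False))        # unreadable include file
            else:
                out += expand_targets(parse_targets(body), "include",
                                      include_files, policy)
        else:
            out.append((target, kind, delivery_allowed(kind, context, policy)))
    return out
```

<p> With the default policy, the "|/usr/bin/vacation bob" command found
directly in the alias entry is allowed, while the command and the file
reached through the :include: file of the "staff" alias are refused; only
a policy that lists "include" for the respective parameter turns them on.
The "forward" context is handled by the same function when the targets
come from a .forward file. </p>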
</DD>

<DT><b><a name="allow_min_user">allow_min_user</a>
(default: no)</b></DT><DD>

<p>
Allow a sender or recipient address to have `-' as the first
character.  By
default, this is not allowed, to avoid accidents with software that
passes email addresses via the command line. Such software
would not be able to distinguish a malicious address from a
bona fide command-line option. Although this can be prevented by
inserting a "--" option terminator into the command line, this is
difficult to enforce consistently and globally.  </p>

<p> As of Postfix version 2.5, this feature is implemented by
<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>.  With earlier versions this feature was implemented
by <a href="qmgr.8.html">qmgr(8)</a> and was limited to recipient addresses only. </p>


</DD>

<DT><b><a name="allow_percent_hack">allow_percent_hack</a>
(default: yes)</b></DT><DD>

<p>
Enable the rewriting of the form "user%domain" to "user@domain".
This is enabled by default.
</p>

<p> Note: as of Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true: </p>

<ul>

<li> The message is received with the Postfix <a href="sendmail.1.html">sendmail(1)</a> command,

<li> The message is received from a network client that matches
$<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a>,

<li> The message is received from the network, and the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter specifies a non-empty value.

</ul>

<p> To get the behavior before Postfix version 2.2, specify
"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p>

<p>
Example:
</p>

<pre>
<a href="postconf.5.html#allow_percent_hack">allow_percent_hack</a> = no
</pre>


</DD>

<DT><b><a name="allow_srv_lookup_fallback">allow_srv_lookup_fallback</a>
(default: no)</b></DT><DD>

<p> When SRV record lookup fails or no SRV record exists, fall back
to MX or IP address lookup as if SRV record lookup was not enabled. </p>

<p> This feature is available in Postfix 3.8 and later. </p>


</DD>

<DT><b><a name="allow_untrusted_routing">allow_untrusted_routing</a>
(default: no)</b></DT><DD>

<p>
Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
from untrusted clients to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
</p>

<p>
By default, this feature is turned off.  This closes a nasty open
relay loophole where a backup MX host can be tricked into forwarding
junk mail to a primary MX host which then spams it out to the world.
</p>

<p>
This parameter also controls if non-local addresses with sender-specified
routing can match Postfix access tables. By default, such addresses
cannot match Postfix access tables, because the address is ambiguous.
</p>

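<p> The address forms that allow_min_user, allow_percent_hack and
allow_untrusted_routing are concerned with, as an added example that is
not Postfix code: a Python validation routine, written from the operator's
side, that flags a leading "-" (the command-line option confusion described
under allow_min_user) and sender-specified routing from an untrusted client
(the user[@%!]remote[@%!]site pattern above), together with the
"user%domain" rewrite of the percent hack. The policy flags mirror the
parameter names; the sample addresses are constructed. </p>

```python
# Added example, not Postfix code: the address-form checks behind the
# allow_min_user, allow_percent_hack and allow_untrusted_routing parameters
# above, as a validation routine for addresses seen on a submission or
# relay path (a defender's check, not the trivial-rewrite(8) implementation).
import re

ROUTING_SEPARATORS = re.compile(r"[@%!]")


def percent_hack(address):
    """allow_percent_hack = yes: rewrite "user%domain" to "user@domain"."""
    if "@" not in address and "%" in address:
        local, _, domain = address.rpartition("%")
        return "%s@%s" % (local, domain)
    return address


def has_sender_specified_routing(address):
    """user[@%!]remote[@%!]site: more than one routing separator means the
    sender is asking for delivery by way of an intermediate host."""
    return len(ROUTING_SEPARATORS.findall(address)) > 1


def check_address(address, allow_min_user=False, allow_untrusted_routing=False,
                  client_trusted=False):
    """Return the policy findings for one sender or recipient address.

    "leading-dash": the address starts with '-', which software that passes
        addresses on a command line could mistake for an option; suppressed
        by allow_min_user = yes.
    "sender-specified-routing": a routed address from an untrusted client;
        suppressed by allow_untrusted_routing = yes or a trusted client.
    """
    findings = []
    if address.startswith("-") and not allow_min_user:
        findings.append("leading-dash")
    if (has_sender_specified_routing(address) and not client_trusted
            and not allow_untrusted_routing):
        findings.append("sender-specified-routing")
    return findings
```

<p> The routing check is deliberately run on the address as received,
before any percent-hack rewrite, because "user%remote@site" is exactly the
ambiguous form that the access-table note above refers to. </p>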
</DD>

<DT><b><a name="alternate_config_directories">alternate_config_directories</a>
(default: empty)</b></DT><DD>

<p>
A list of non-default Postfix configuration directories that may
be specified with "-c <a href="postconf.5.html#config_directory">config_directory</a>" on the command line (in the
case of <a href="sendmail.1.html">sendmail(1)</a>, with the "-C" option), or via the MAIL_CONFIG
environment parameter.
</p>

<p>
This list must be specified in the default Postfix <a href="postconf.5.html">main.cf</a> file,
and will be used by set-gid Postfix commands such as <a href="postqueue.1.html">postqueue(1)</a>
and <a href="postdrop.1.html">postdrop(1)</a>.
</p>

<p>
Specify absolute pathnames, separated by comma or space. Note: $name
expansion is not supported.
</p>


</DD>

<DT><b><a name="always_add_missing_headers">always_add_missing_headers</a>
(default: no)</b></DT><DD>

<p> Always add (Resent-) From:, To:, Date: or Message-ID: headers
when not present.  Postfix 2.6 and later add these headers only
when clients match the <a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter
setting.  Earlier Postfix versions always add these headers; this
may break DKIM signatures that cover non-existent headers.
The <a href="postconf.5.html#undisclosed_recipients_header">undisclosed_recipients_header</a> parameter setting determines
whether a To: header will be added. </p>


</DD>

<DT><b><a name="always_bcc">always_bcc</a>
(default: empty)</b></DT><DD>

<p>
Optional address that receives a "blind carbon copy" of each message
that is received by the Postfix mail system.
</p>

<p>
Note: with Postfix 2.3 and later the BCC address is added as if it
was specified with NOTIFY=NONE. The sender will not be notified
when the BCC address is undeliverable, as long as all down-stream
software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
</p>

<p>
Note: with Postfix 2.2 and earlier the sender will be notified
when the BCC address is undeliverable.
</p>

<p> Note: automatic BCC recipients are produced only for new mail.
To avoid mailer loops, automatic BCC recipients are not generated
after Postfix forwards mail internally, or after Postfix generates
mail itself. </p>

<p> Note: automatic BCC recipients are subject to address
canonicalization (add missing domain), <a href="postconf.5.html#canonical_maps">canonical_maps</a>, <a href="postconf.5.html#masquerade_domains">masquerade_domains</a>,
and <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>. </p>


</DD>

<DT><b><a name="anvil_rate_time_unit">anvil_rate_time_unit</a>
(default: 60s)</b></DT><DD>

<p>
The time unit over which client connection rates and other rates
are calculated.
</p>

<p>
This feature is implemented by the <a href="anvil.8.html">anvil(8)</a> service which is available
in Postfix version 2.2 and later.
</p>

<p>
The default interval is relatively short. Because of the high
frequency of updates, the <a href="anvil.8.html">anvil(8)</a> server uses volatile memory
only. Thus, information is lost whenever the process terminates.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>


</DD>

<DT><b><a name="anvil_status_update_time">anvil_status_update_time</a>
(default: 600s)</b></DT><DD>

<p>
How frequently the <a href="anvil.8.html">anvil(8)</a> connection and rate limiting server
logs peak usage information.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>

<p>
This feature is available in Postfix 2.2 and later.
</p>


</DD>

<DT><b><a name="append_at_myorigin">append_at_myorigin</a>
(default: yes)</b></DT><DD>

<p>
With locally submitted mail, append the string "@$<a href="postconf.5.html#myorigin">myorigin</a>" to mail
addresses without domain information. With remotely submitted mail,
append the string "@$<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a>" instead.
</p>

<p>
Note 1: this feature is enabled by default and must not be turned off.
Postfix does not support domain-less addresses.
</p>

<p> Note 2: with Postfix version 2.2, message header address rewriting
happens only when one of the following conditions is true: </p>

<ul>

<li> The message is received with the Postfix <a href="sendmail.1.html">sendmail(1)</a> command,

<li> The message is received from a network client that matches
$<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a>,
965
966<li> The message is received from the network, and the
967<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter specifies a non-empty value.
968
969</ul>
970
971<p> To get the behavior before Postfix version 2.2, specify
972"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p>
973
974
975</DD>
976
977<DT><b><a name="append_dot_mydomain">append_dot_mydomain</a>
978(default: Postfix &ge; 3.0: no, Postfix &lt; 3.0: yes)</b></DT><DD>
979
980<p>
981With locally submitted mail, append the string ".$<a href="postconf.5.html#mydomain">mydomain</a>" to
982addresses that have no ".domain" information. With remotely submitted
983mail, append the string ".$<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a>"
984instead.
985</p>
986
987<p>
988Note 1: When disabled (Postfix 3.0 and later), users will not be
989able to send mail to "user@partialdomainname" but will have to
990specify full domain names instead.
991</p>
992
993<p> Note 2: with Postfix version 2.2, message header address rewriting
994happens only when one of the following conditions is true: </p>
995
996<ul>
997
998<li> The message is received with the Postfix <a href="sendmail.1.html">sendmail(1)</a> command,
999
1000<li> The message is received from a network client that matches
1001$<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a>,
1002
1003<li> The message is received from the network, and the
1004<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter specifies a non-empty value.
1005
1006</ul>
1007
1008<p> To get the behavior before Postfix version 2.2, specify
1009"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p>
1010
1011
1012</DD>
1013
1014<DT><b><a name="application_event_drain_time">application_event_drain_time</a>
1015(default: 100s)</b></DT><DD>
1016
1017<p>
1018How long the <a href="postkick.1.html">postkick(1)</a> command waits for a request to enter the
1019Postfix daemon process input buffer before giving up.
1020</p>
1021
1022<p> Specify a non-zero time value (an integral value plus an optional
1023one-letter suffix that specifies the time unit).  Time units: s
1024(seconds), m (minutes), h (hours), d (days), w (weeks).
1025The default time unit is s (seconds).  </p>
1026
1027<p>
1028This feature is available in Postfix 2.1 and later.
1029</p>
1030
1031
1032</DD>
1033
1034<DT><b><a name="authorized_flush_users">authorized_flush_users</a>
1035(default: <a href="DATABASE_README.html#types">static</a>:anyone)</b></DT><DD>
1036
1037<p>
1038List of users who are authorized to flush the queue.
1039</p>
1040
1041<p>
1042By default, all users are allowed to flush the queue.  Access is
1043always granted if the invoking user is the super-user or the
1044$<a href="postconf.5.html#mail_owner">mail_owner</a> user.  Otherwise, the real UID of the process is looked
1045up in the system password file, and access is granted only if the
1046corresponding login name is on the access list.  The username
1047"unknown" is used for processes whose real UID is not found in the
1048password file.  </p>
1049
1050<p>
1051Specify a list of user names, "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns,
1052separated by commas and/or whitespace. The list is matched left to
1053right, and the search stops on the first match. A "/file/name"
1054pattern is replaced
1055by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a name
1056matches a lookup key (the lookup result is ignored).  Continue long
1057lines by starting the next line with whitespace. Specify "!pattern"
1058to exclude a name from the list. The form "!/file/name" is supported
1059only in Postfix version 2.4 and later.  </p>
1060
1061<p>
1062This feature is available in Postfix 2.2 and later.
1063</p>
1064
1065
1066</DD>
1067
1068<DT><b><a name="authorized_mailq_users">authorized_mailq_users</a>
1069(default: <a href="DATABASE_README.html#types">static</a>:anyone)</b></DT><DD>
1070
1071<p>
1072List of users who are authorized to view the queue.
1073</p>
1074
1075<p>
1076By default, all users are allowed to view the queue.  Access is
1077always granted if the invoking user is the super-user or the
1078$<a href="postconf.5.html#mail_owner">mail_owner</a> user.  Otherwise, the real UID of the process is looked
1079up in the system password file, and access is granted only if the
1080corresponding login name is on the access list.  The username
1081"unknown" is used for processes whose real UID is not found in the
1082password file.  </p>
1083
1084<p>
1085Specify a list of user names, "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns,
1086separated by commas and/or whitespace. The list is matched left to
1087right, and the search stops on the first match. A "/file/name"
1088pattern is replaced
1089by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a name
1090matches a lookup key (the lookup result is ignored).  Continue long
1091lines by starting the next line with whitespace. Specify "!pattern"
1092to exclude a user name from the list. The form "!/file/name" is
1093supported only in Postfix version 2.4 and later.  </p>
1094
1095<p>
1096This feature is available in Postfix 2.2 and later.
1097</p>
1098
1099
1100</DD>
1101
1102<DT><b><a name="authorized_submit_users">authorized_submit_users</a>
1103(default: <a href="DATABASE_README.html#types">static</a>:anyone)</b></DT><DD>
1104
1105<p>
1106List of users who are authorized to submit mail with the <a href="sendmail.1.html">sendmail(1)</a>
1107command (and with the privileged <a href="postdrop.1.html">postdrop(1)</a> helper command).
1108</p>
1109
1110<p>
1111By default, all users are allowed to submit mail.  Otherwise, the
1112real UID of the process is looked up in the system password file,
1113and access is granted only if the corresponding login name is on
1114the access list.  The username "unknown" is used for processes
1115whose real UID is not found in the password file. To deny mail
1116submission access to all users specify an empty list.  </p>
1117
1118<p>
1119Specify a list of user names, "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns,
1120separated by commas and/or whitespace. The list is matched left to right,
1121and the search stops on the first match. A "/file/name" pattern is
1122replaced by its contents;
1123a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a name matches a lookup key
1124(the lookup result is ignored).  Continue long lines by starting the
1125next line with whitespace. Specify "!pattern" to exclude a user
1126name from the list. The form "!/file/name" is supported only in
1127Postfix version 2.4 and later.  </p>
1128
1129<p>
1130Example:
1131</p>
1132
1133<pre>
1134<a href="postconf.5.html#authorized_submit_users">authorized_submit_users</a> = !www, <a href="DATABASE_README.html#types">static</a>:all
1135</pre>
1136
1137<p>
1138This feature is available in Postfix 2.2 and later.
1139</p>
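<p> The access-list evaluation that authorized_submit_users shares with
authorized_mailq_users and authorized_flush_users (left-to-right matching,
first match wins, "!pattern" exclusion, "static:" tables, and the name
"unknown" for a UID that is not in the password file), as an added Python
model that is not Postfix code. The password file, the "/file/name" contents
and the "type:table" lookups are constructed in-memory stand-ins, and the
case-insensitive comparison of bare names is an assumption of this example. </p>

```python
"""Evaluate Postfix user access lists such as authorized_submit_users,
authorized_mailq_users and authorized_flush_users.

Added example, not Postfix source. The password file, the "/file/name"
patterns and the "type:table" lookups are modelled as in-memory dicts
(constructed) so that the example runs offline."""
import re

_SPLIT = re.compile(r"[,\s]+")


def resolve_login(real_uid, passwd_db):
    """Look up the process's real UID in the password file; the name
    "unknown" is used when the UID is not found."""
    return passwd_db.get(real_uid, "unknown")


def parse_access_list(raw, files, accept=True):
    """Expand a list into [(accept, pattern), ...] in left-to-right order.
    A "!" prefix flips the accept flag; a "/file/name" pattern is replaced
    by the patterns in that file, and "!/file/name" flips the flag for each
    of them (Postfix 2.4 and later)."""
    entries = []
    for item in _SPLIT.split(raw.strip()):
        if not item:
            continue
        flag = accept
        if item.startswith("!"):
            flag = not flag
            item = item[1:]
        if item.startswith("/"):
            if item not in files:
                raise FileNotFoundError(item)
            entries.extend(parse_access_list(files[item], files, flag))
        else:
            entries.append((flag, item))
    return entries


def pattern_matches(pattern, login, tables):
    """A "static:" table matches every name; a "type:table" matches when the
    login is a lookup key (the lookup result is ignored); a bare name is
    compared case-insensitively (an assumption of this example)."""
    if pattern.startswith("static:"):
        return True
    if ":" in pattern:
        return login in tables.get(pattern, {})
    return pattern.lower() == login.lower()


def is_authorized(access_list, login, files=None, tables=None):
    """The list is matched left to right and the search stops on the first
    match. No match, or an empty list, means access is denied."""
    for accept, pattern in parse_access_list(access_list, files or {}):
        if pattern_matches(pattern, login, tables or {}):
            return accept
    return False


def check_access(real_uid, passwd_db, access_list, privileged_bypass=True,
                 mail_owner="postfix", files=None, tables=None):
    """Full decision. For authorized_mailq_users and authorized_flush_users
    the super-user and $mail_owner always get access (privileged_bypass);
    authorized_submit_users has no such bypass."""
    login = resolve_login(real_uid, passwd_db)
    if privileged_bypass and (real_uid == 0 or login == mail_owner):
        return True
    return is_authorized(access_list, login, files, tables)


# Constructed sample data for the demo below.
PASSWD = {0: "root", 33: "www", 100: "postfix", 1000: "alice"}
FILES = {"/etc/postfix/no_submit": "www\nnobody\n"}
TABLES = {"hash:/etc/postfix/submitters": {"alice": "ok"}}


def demo():
    """Decisions for the main.cf example "!www, static:all" and variants."""
    submit = "!www, static:all"
    return {
        "www_submit": check_access(33, PASSWD, submit, privileged_bypass=False),
        "alice_submit": check_access(1000, PASSWD, submit, privileged_bypass=False),
        "unknown_uid_submit": check_access(4242, PASSWD, submit, privileged_bypass=False),
        "empty_list_submit": check_access(1000, PASSWD, "", privileged_bypass=False),
        "file_exclusion": check_access(33, PASSWD, "!/etc/postfix/no_submit static:all",
                                       privileged_bypass=False, files=FILES),
        "table_only": check_access(1000, PASSWD, "hash:/etc/postfix/submitters",
                                   privileged_bypass=False, tables=TABLES),
        "root_mailq_empty_list": check_access(0, PASSWD, ""),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:24s} {'granted' if granted else 'denied'}")
```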
1140
1141
1142</DD>
1143
1144<DT><b><a name="authorized_verp_clients">authorized_verp_clients</a>
1145(default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
1146
<p> What remote SMTP clients are allowed to specify the XVERP command.
This command requests that mail be delivered one recipient at a
time with a per-recipient return address.  </p>
1150
1151<p> By default, only trusted clients are allowed to specify XVERP.
1152</p>
1153
1154<p> This parameter was introduced with Postfix version 1.1.  Postfix
1155version 2.1 renamed this parameter to <a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a>
1156and changed the default to none. </p>
1157
1158<p> Specify a list of network/netmask patterns, separated by commas
1159and/or whitespace. The mask specifies the number of bits in the
1160network part of a host address. You can also specify hostnames or
1161.domain names (the initial dot causes the domain to match any name
1162below it),  "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns.  A "/file/name"
1163pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table
1164is matched when a table entry matches a lookup string (the lookup
1165result is ignored).  Continue long lines by starting the next line
1166with whitespace. Specify "!pattern" to exclude an address or network
1167block from the list. The form "!/file/name" is supported only in
1168Postfix version 2.4 and later. </p>
1169
1170<p> Note: IP version 6 address information must be specified inside
1171<tt>[]</tt> in the <a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> value, and in files
1172specified with "/file/name".  IP version 6 addresses contain the
1173":" character, and would otherwise be confused with a "<a href="DATABASE_README.html">type:table</a>"
1174pattern.  </p>
1175
1176
1177</DD>
1178
1179<DT><b><a name="backwards_bounce_logfile_compatibility">backwards_bounce_logfile_compatibility</a>
1180(default: yes)</b></DT><DD>
1181
1182<p>
1183Produce additional <a href="bounce.8.html">bounce(8)</a> logfile records that can be read by
1184Postfix versions before 2.0. The current and more extensible "name =
1185value" format is needed in order to implement more sophisticated
1186functionality.
1187</p>
1188
1189<p>
1190This feature is available in Postfix 2.1 and later.
1191</p>
1192
1193
1194</DD>
1195
1196<DT><b><a name="berkeley_db_create_buffer_size">berkeley_db_create_buffer_size</a>
1197(default: 16777216)</b></DT><DD>
1198
1199<p>
1200The per-table I/O buffer size for programs that create Berkeley DB
1201hash or btree tables.  Specify a byte count.
1202</p>
1203
1204<p>
1205This feature is available in Postfix 2.0 and later.
1206</p>
1207
1208
1209</DD>
1210
1211<DT><b><a name="berkeley_db_read_buffer_size">berkeley_db_read_buffer_size</a>
1212(default: 131072)</b></DT><DD>
1213
1214<p>
1215The per-table I/O buffer size for programs that read Berkeley DB
1216hash or btree tables.  Specify a byte count.
1217</p>
1218
1219<p>
1220This feature is available in Postfix 2.0 and later.
1221</p>
1222
1223
1224</DD>
1225
1226<DT><b><a name="best_mx_transport">best_mx_transport</a>
1227(default: empty)</b></DT><DD>
1228
1229<p>
1230Where the Postfix SMTP client should deliver mail when it detects
1231a "mail loops back to myself" error condition. This happens when
1232the local MTA is the best SMTP mail exchanger for a destination
1233not listed in $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>,
1234$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.  By default,
1235the Postfix SMTP client returns such mail as undeliverable.
1236</p>
1237
1238<p>
1239Specify, for example, "<a href="postconf.5.html#best_mx_transport">best_mx_transport</a> = local" to pass the mail
1240from the Postfix SMTP client to the <a href="local.8.html">local(8)</a> delivery agent. You
1241can specify
1242any message delivery "transport" or "transport:nexthop" that is
1243defined in the <a href="master.5.html">master.cf</a> file. See the <a href="transport.5.html">transport(5)</a> manual page
1244for the syntax and meaning of "transport" or "transport:nexthop".
1245</p>
1246
1247<p>
1248However, this feature is expensive because it ties up a Postfix
1249SMTP client process while the <a href="local.8.html">local(8)</a> delivery agent is doing its
1250work. It is more efficient (for Postfix) to list all <a href="VIRTUAL_README.html#canonical">hosted domains</a>
1251in a table or database.
1252</p>
1253
1254
1255</DD>
1256
1257<DT><b><a name="biff">biff</a>
1258(default: yes)</b></DT><DD>
1259
1260<p>
1261Whether or not to use the local <a href="postconf.5.html#biff">biff</a> service.  This service sends
1262"new mail" notifications to users who have requested new mail
1263notification with the UNIX command "<a href="postconf.5.html#biff">biff</a> y".
1264</p>
1265
1266<p>
1267For compatibility reasons this feature is on by default.  On systems
1268with lots of interactive users, the <a href="postconf.5.html#biff">biff</a> service can be a performance
1269drain.  Specify "<a href="postconf.5.html#biff">biff</a> = no" in <a href="postconf.5.html">main.cf</a> to disable.
1270</p>
1271
1272
1273</DD>
1274
1275<DT><b><a name="body_checks">body_checks</a>
1276(default: empty)</b></DT><DD>
1277
1278<p> Optional lookup tables for content inspection as specified in
1279the <a href="header_checks.5.html">body_checks(5)</a> manual page.  </p>
1280
1281<p> Note: with Postfix versions before 2.0, these rules inspect
1282all content after the primary message headers. </p>
1283
1284
1285</DD>
1286
1287<DT><b><a name="body_checks_size_limit">body_checks_size_limit</a>
1288(default: 51200)</b></DT><DD>
1289
1290<p>
1291How much text in a message body segment (or attachment, if you
1292prefer to use that term) is subjected to <a href="postconf.5.html#body_checks">body_checks</a> inspection.
1293The amount of text is limited to avoid scanning huge attachments.
1294</p>
1295
1296<p>
1297This feature is available in Postfix 2.0 and later.
1298</p>
1299
1300
1301</DD>
1302
1303<DT><b><a name="bounce_notice_recipient">bounce_notice_recipient</a>
1304(default: postmaster)</b></DT><DD>
1305
1306<p>
1307The recipient of postmaster notifications with the message headers
1308of mail that Postfix did not deliver and of SMTP conversation
1309transcripts of mail that Postfix did not receive.  This feature is
1310enabled with the <a href="postconf.5.html#notify_classes">notify_classes</a> parameter.  </p>
1311
1312
1313</DD>
1314
1315<DT><b><a name="bounce_queue_lifetime">bounce_queue_lifetime</a>
1316(default: 5d)</b></DT><DD>
1317
1318<p>
1319Consider a bounce message as undeliverable, when delivery fails
1320with a temporary error, and the time in the queue has reached the
1321<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a> limit.  By default, this limit is the same
1322as for regular mail.
1323</p>
1324
1325<p> Specify a non-negative time value (an integral value plus an optional
1326one-letter suffix that specifies the time unit).  Time units: s
1327(seconds), m (minutes), h (hours), d (days), w (weeks).
1328The default time unit is d (days).  </p>
1329
1330<p>
1331Specify 0 when mail delivery should be tried only once.
1332</p>
1333
1334<p>
1335This feature is available in Postfix 2.1 and later.
1336</p>
1337
1338
1339</DD>
1340
1341<DT><b><a name="bounce_service_name">bounce_service_name</a>
1342(default: bounce)</b></DT><DD>
1343
1344<p>
1345The name of the <a href="bounce.8.html">bounce(8)</a> service. This service maintains a record
1346of failed delivery attempts and generates non-delivery notifications.
1347</p>
1348
1349<p>
1350This feature is available in Postfix 2.0 and later.
1351</p>
1352
1353
1354</DD>
1355
1356<DT><b><a name="bounce_size_limit">bounce_size_limit</a>
1357(default: 50000)</b></DT><DD>
1358
1359<p> The maximal amount of original message text that is sent in a
1360non-delivery notification. Specify a byte count.  A message is
1361returned as either message/rfc822 (the complete original) or as
1362text/rfc822-headers (the headers only).  With Postfix version 2.4
1363and earlier, a message is always returned as message/rfc822 and is
1364truncated when it exceeds the size limit.
1365</p>
1366
1367<p> Notes: </p>
1368
1369<ul>
1370
1371<li> <p> If you increase this limit, then you should increase the
1372<a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> value proportionally.  </p>
1373
1374<li> <p> Be careful when making changes.  Excessively large values
1375will result in the loss of non-delivery notifications, when a bounce
1376message size exceeds a local or remote MTA's message size limit.
1377</p>
1378
1379</ul>
1380
1381
1382</DD>
1383
1384<DT><b><a name="bounce_template_file">bounce_template_file</a>
1385(default: empty)</b></DT><DD>
1386
1387<p> Pathname of a configuration file with bounce message templates.
1388These override the built-in templates of delivery status notification
1389(DSN) messages for undeliverable mail, delayed mail, successful
1390delivery, or delivery verification. The <a href="bounce.5.html">bounce(5)</a> manual page
1391describes how to edit and test template files.  </p>
1392
1393<p> Template message body text may contain $name references to
1394Postfix configuration parameters. The result of $name expansion can
1395be previewed with "<b>postconf -b <i>file_name</i></b>" before the file
1396is placed into the Postfix configuration directory.  </p>
1397
1398<p> This feature is available in Postfix 2.3 and later.  </p>
1399
1400
1401</DD>
1402
1403<DT><b><a name="broken_sasl_auth_clients">broken_sasl_auth_clients</a>
1404(default: no)</b></DT><DD>
1405
1406<p>
Enable interoperability with remote SMTP clients that implement an obsolete
version of the AUTH command (<a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>). Examples of such clients
are Microsoft Outlook Express version 4 and Microsoft Exchange
version 5.0.
1411</p>
1412
1413<p>
1414Specify "<a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> = yes" to have Postfix advertise
1415AUTH support in a non-standard way.
1416</p>
1417
1418
1419</DD>
1420
1421<DT><b><a name="canonical_classes">canonical_classes</a>
1422(default: envelope_sender, envelope_recipient, header_sender, header_recipient)</b></DT><DD>
1423
1424<p> What addresses are subject to <a href="postconf.5.html#canonical_maps">canonical_maps</a> address mapping.
1425By default, <a href="postconf.5.html#canonical_maps">canonical_maps</a> address mapping is applied to envelope
1426sender and recipient addresses, and to header sender and header
1427recipient addresses.  </p>
1428
1429<p> Specify one or more of: envelope_sender, envelope_recipient,
1430header_sender, header_recipient </p>
1431
1432<p> This feature is available in Postfix 2.2 and later. </p>
1433
1434
1435</DD>
1436
1437<DT><b><a name="canonical_maps">canonical_maps</a>
1438(default: empty)</b></DT><DD>
1439
1440<p>
1441Optional address mapping lookup tables for message headers and
1442envelopes. The mapping is applied to both sender and recipient
1443addresses, in both envelopes and in headers, as controlled
1444with the <a href="postconf.5.html#canonical_classes">canonical_classes</a> parameter. This is typically used
1445to clean up dirty addresses from legacy mail systems, or to replace
1446login names by Firstname.Lastname.  The table format and lookups
1447are documented in <a href="canonical.5.html">canonical(5)</a>. For an overview of Postfix address
1448manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document.
1449</p>
1450
1451<p>
1452Specify zero or more "type:name" lookup tables, separated by
1453whitespace or comma. Tables will be searched in the specified order
1454until a match is found.
1455Note: these lookups are recursive.
1456</p>
1457
1458<p>
1459If you use this feature, run "<b>postmap /etc/postfix/canonical</b>" to
1460build the necessary DBM or DB file after every change. The changes
1461will become visible after a minute or so.  Use "<b>postfix reload</b>"
1462to eliminate the delay.
1463</p>
1464
1465<p> Note: with Postfix version 2.2, message header address mapping
1466happens only when message header address rewriting is enabled: </p>
1467
1468<ul>
1469
1470<li> The message is received with the Postfix <a href="sendmail.1.html">sendmail(1)</a> command,
1471
1472<li> The message is received from a network client that matches
1473$<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a>,
1474
1475<li> The message is received from the network, and the
1476<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter specifies a non-empty value.
1477
1478</ul>
1479
1480<p> To get the behavior before Postfix version 2.2, specify
1481"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p>
1482
1483<p>
1484Examples:
1485</p>
1486
1487<pre>
1488<a href="postconf.5.html#canonical_maps">canonical_maps</a> = <a href="DATABASE_README.html#types">dbm</a>:/etc/postfix/canonical
1489<a href="postconf.5.html#canonical_maps">canonical_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/canonical
1490</pre>
1491
1492
1493</DD>
1494
1495<DT><b><a name="cleanup_replace_stray_cr_lf">cleanup_replace_stray_cr_lf</a>
1496(default: yes)</b></DT><DD>
1497
1498<p> Replace each stray &lt;CR&gt; or &lt;LF&gt; character in message
1499content with a space character, to prevent outbound SMTP smuggling,
1500and to make the evaluation of Postfix-added DKIM or other signatures
1501independent from how a remote mail server handles such characters.
1502</p>
1503
1504<p> SMTP does not allow such characters unless they are part of a
1505&lt;CR&gt;&lt;LF&gt; sequence, and different mail systems handle
1506such stray characters in an implementation-dependent manner. Stray
1507&lt;CR&gt; or &lt;LF&gt; characters could be used for outbound
1508SMTP smuggling, where an attacker uses a Postfix server to send
1509message content with a non-standard End-of-DATA sequence that
1510triggers inbound SMTP smuggling at a remote SMTP server.</p>
1511
1512<p> The replacement happens before all other content management,
1513and before Postfix may add a DKIM etc. signature; if the signature
1514were created first, the replacement could invalidate the signature.
1515</p>
1516
<p> In addition to preventing SMTP smuggling, replacing stray
&lt;CR&gt; or &lt;LF&gt; characters ensures that the result of
signature validation by a later mail system will not depend on how
that mail system handles those stray characters. </p>
1522
1523<p> Note: this feature is disabled with "<a href="postconf.5.html#receive_override_options">receive_override_options</a> =
1524<a href="postconf.5.html#no_header_body_checks">no_header_body_checks</a>". </p>
1525
1526<p> This feature is available in Postfix &ge; 3.9, 3.8.5, 3.7.10,
15273.6.14, and 3.5.24. </p>
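<p> The stray-character replacement, and why it must run before any
signature is added, as an added Python model that is not Postfix code. The
message body, the remote server's handling of a bare &lt;LF&gt;, and the
plain SHA-256 digest standing in for a signature's body hash are constructed
for this example. </p>

```python
"""Model of the cleanup_replace_stray_cr_lf normalization.

Added example, not Postfix code. The message body, the "remote server"
behaviour and the digest are constructed stand-ins."""
import hashlib
import re

# A stray CR is a CR not followed by LF; a stray LF is an LF not preceded
# by CR. Proper CR LF pairs are left untouched.
_STRAY_CR_LF = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def replace_stray_cr_lf(content: bytes) -> bytes:
    """Replace every stray CR or LF with a single space."""
    return _STRAY_CR_LF.sub(b" ", content)


def has_stray_cr_lf(content: bytes) -> bool:
    """Check (for example on outbound content) whether stray characters remain."""
    return _STRAY_CR_LF.search(content) is not None


def remote_bare_lf_to_crlf(content: bytes) -> bytes:
    """One possible implementation-dependent remote behaviour (assumed, not
    any specific MTA): turn each bare LF into CR LF. Other servers might
    drop the character or keep it."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", content)


def body_digest(content: bytes) -> str:
    """Stand-in for the body hash a signer covers (real DKIM signing also
    applies its own canonicalization; omitted here)."""
    return hashlib.sha256(content).hexdigest()


# Constructed body: the second line carries a lone LF, the third a lone CR.
CONSTRUCTED_BODY = (b"Hello,\r\n"
                    b"this line has a lone LF\nin the middle\r\n"
                    b"and this one a lone CR\rtoo\r\n")


def demo():
    """Compare sign-then-normalize with normalize-then-sign."""
    cleaned = replace_stray_cr_lf(CONSTRUCTED_BODY)
    # Signature made over the raw body: a remote that rewrites the bare LF
    # changes the signed bytes, so verification there would fail.
    sign_first_breaks = (body_digest(CONSTRUCTED_BODY)
                         != body_digest(remote_bare_lf_to_crlf(CONSTRUCTED_BODY)))
    # Replacement first (the cleanup(8) order): nothing is left for the
    # remote to rewrite, so the digest is the same on both sides.
    clean_first_stable = (body_digest(cleaned)
                          == body_digest(remote_bare_lf_to_crlf(cleaned)))
    return cleaned, sign_first_breaks, clean_first_stable


if __name__ == "__main__":
    cleaned, breaks, stable = demo()
    print(cleaned)
    print("sign-then-normalize breaks verification:", breaks)
    print("normalize-then-sign is stable:", stable)
```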
1528
1529
1530</DD>
1531
1532<DT><b><a name="cleanup_service_name">cleanup_service_name</a>
1533(default: cleanup)</b></DT><DD>
1534
1535<p>
1536The name of the <a href="cleanup.8.html">cleanup(8)</a> service. This service rewrites addresses
1537into the standard form, and performs <a href="canonical.5.html">canonical(5)</a> address mapping
1538and <a href="virtual.5.html">virtual(5)</a> aliasing.
1539</p>
1540
1541<p>
1542This feature is available in Postfix 2.0 and later.
1543</p>
1544
1545
1546</DD>
1547
1548<DT><b><a name="command_directory">command_directory</a>
1549(default: see "postconf -d" output)</b></DT><DD>
1550
1551<p>
The location of all Postfix administrative commands.
1553</p>
1554
1555
1556</DD>
1557
1558<DT><b><a name="command_execution_directory">command_execution_directory</a>
1559(default: empty)</b></DT><DD>
1560
1561<p> The <a href="local.8.html">local(8)</a> delivery agent working directory for delivery to
1562external commands.  Failure to change directory causes the delivery
1563to be deferred. </p>
1564
1565<p> The <a href="postconf.5.html#command_execution_directory">command_execution_directory</a> value is not subject to Postfix
1566configuration parameter $name expansion. Instead, the following
1567$name expansions are done on <a href="postconf.5.html#command_execution_directory">command_execution_directory</a> before the
1568directory is used. Expansion happens in the context
1569of the delivery request.  The result of $name expansion is filtered
1570with the character set that is specified with the
1571<a href="postconf.5.html#execution_directory_expansion_filter">execution_directory_expansion_filter</a> parameter.  </p>
1572
1573<dl>
1574
1575<dt><b>$user</b></dt>
1576
1577<dd>The recipient's username. </dd>
1578
1579<dt><b>$shell</b></dt>
1580
1581<dd>The recipient's login shell pathname. </dd>
1582
1583<dt><b>$home</b></dt>
1584
1585<dd>The recipient's home directory. </dd>
1586
1587<dt><b>$recipient</b></dt>
1588
1589<dd>The full recipient address. </dd>
1590
1591<dt><b>$extension</b></dt>
1592
1593<dd>The optional recipient address extension. </dd>
1594
1595<dt><b>$domain</b></dt>
1596
1597<dd>The recipient domain. </dd>
1598
1599<dt><b>$local</b></dt>
1600
1601<dd>The entire recipient localpart. </dd>
1602
1603<dt><b>$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b></dt>
1604
1605<dd>The address extension delimiter that was found in the recipient
1606address (Postfix 2.11 and later), or the system-wide recipient
1607address extension delimiter (Postfix 2.10 and earlier). </dd>
1608
1609<dt><b>${name?value}</b></dt>
1610
1611<dt><b>${name?{value}}</b> (Postfix &ge; 3.0)</dt>
1612
1613<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
1614
1615<dt><b>${name:value}</b></dt>
1616
1617<dt><b>${name:{value}}</b> (Postfix &ge; 3.0)</dt>
1618
1619<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
1620
1621<dt><b>${name?{value1}:{value2}}</b> (Postfix &ge; 3.0)</dt>
1622
1623<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
1624<i>value2</i> otherwise. </dd>
1625
1626</dl>
1627
1628<p>
1629Instead of $name you can also specify ${name} or $(name).
1630</p>
1631
1632<p> This feature is available in Postfix 2.2 and later. </p>
1633
1634
1635</DD>
1636
1637<DT><b><a name="command_expansion_filter">command_expansion_filter</a>
1638(default: see "postconf -d" output)</b></DT><DD>
1639
1640<p>
1641Restrict the characters that the <a href="local.8.html">local(8)</a> delivery agent allows in
1642$name expansions of $<a href="postconf.5.html#mailbox_command">mailbox_command</a> and $<a href="postconf.5.html#command_execution_directory">command_execution_directory</a>.
1643Characters outside the
1644allowed set are replaced by underscores.
1645</p>
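<p> An expander for the $name forms listed under <a href="postconf.5.html#command_execution_directory">command_execution_directory</a>
above, followed by the underscore filtering that this parameter describes.
This is an added Python example, not Postfix code; the delivery attributes
and the allowed character set are constructed assumptions (the real set is
whatever "postconf -d" shows for the expansion filter parameters). </p>

```python
"""Expand the $name forms that local(8) applies to command_execution_directory
and then apply the underscore filtering described for the expansion filters.

Added example, not Postfix code. The delivery attributes and the allowed
character set below are constructed; the real allowed set is whatever
"postconf -d" shows for the *_expansion_filter parameters."""
import re
import string

_NAME = re.compile(r"[A-Za-z0-9_]+")
# Assumed allowed set for this example only.
ALLOWED = frozenset(string.ascii_letters + string.digits + "_-.@/=+:,")


def _take_braced(s, i):
    """s[i] is '{'; return (text inside the matching braces, index after '}')."""
    depth = 0
    for j in range(i, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return s[i + 1:j], j + 1
    raise ValueError("unbalanced '{' in " + s)


def expand(template, attrs):
    """Expand $name, ${name}, $(name), ${name?value}, ${name:value},
    ${name?{value}}, ${name:{value}} and ${name?{value1}:{value2}}.
    Undefined names expand to ""; a chosen branch is expanded recursively."""
    out, i = [], 0
    while i < len(template):
        if template[i] != "$":
            out.append(template[i])
            i += 1
            continue
        m = _NAME.match(template, i + 1)
        if m:                                        # $name
            out.append(attrs.get(m.group(), ""))
            i = m.end()
            continue
        if template.startswith("(", i + 1):          # $(name)
            j = template.index(")", i + 2)
            out.append(attrs.get(template[i + 2:j], ""))
            i = j + 1
            continue
        if not template.startswith("{", i + 1):
            raise ValueError(f"bad '$' at offset {i} in {template!r}")
        body, i = _take_braced(template, i + 1)
        m = _NAME.match(body)
        if not m:
            raise ValueError("missing parameter name in ${...}")
        value, rest = attrs.get(m.group(), ""), body[m.end():]
        if rest == "":                               # ${name}
            out.append(value)
            continue
        op, rest = rest[0], rest[1:]
        if op not in "?:":
            raise ValueError(f"unknown operator {op!r} in ${{{body}}}")
        if_false = ""
        if rest.startswith("{"):                     # braced forms (Postfix >= 3.0)
            if_true, k = _take_braced(rest, 0)
            tail = rest[k:]
            if tail.startswith(":{"):
                if_false, k2 = _take_braced(tail, 1)
                tail = tail[k2:]
            if tail:
                raise ValueError(f"trailing text {tail!r} in ${{{body}}}")
        else:                                        # ${name?value}, ${name:value}
            if_true = rest
        branch_taken = (op == "?") == bool(value)
        out.append(expand(if_true if branch_taken else if_false, attrs))
    return "".join(out)


def filter_expansion(text, allowed=ALLOWED):
    """Replace every character outside the allowed set by an underscore."""
    return "".join(ch if ch in allowed else "_" for ch in text)


def execution_directory(template, attrs):
    """The directory local(8) would change to: expansion, then filtering."""
    return filter_expansion(expand(template, attrs))


# Constructed delivery request for alice+ops@example.com.
ATTRS = {"user": "alice", "home": "/home/alice", "shell": "/bin/sh",
         "recipient": "alice+ops@example.com", "extension": "ops",
         "domain": "example.com", "local": "alice+ops",
         "recipient_delimiter": "+"}

if __name__ == "__main__":
    print(execution_directory("${home}/.${extension?{$extension}:{default}}", ATTRS))
    # The extension comes from the recipient address, so the filter matters:
    print(execution_directory("$home/$extension", {**ATTRS, "extension": "a b;c"}))
```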
1646
1647
1648</DD>
1649
1650<DT><b><a name="command_time_limit">command_time_limit</a>
1651(default: 1000s)</b></DT><DD>
1652
1653<p>
1654Time limit for delivery to external commands. This limit is used
1655by the <a href="local.8.html">local(8)</a> delivery agent, and is the default time limit for
1656delivery by the <a href="pipe.8.html">pipe(8)</a> delivery agent.
1657</p>
1658
1659<p>
1660Note: if you set this time limit to a large value you must update the
1661global <a href="postconf.5.html#ipc_timeout">ipc_timeout</a> parameter as well.
1662</p>
1663
1664
1665</DD>
1666
1667<DT><b><a name="compatibility_level">compatibility_level</a>
1668(default: 0)</b></DT><DD>
1669
1670<p> A safety net that causes Postfix to run with backwards-compatible
1671default settings after an upgrade to a newer Postfix version. </p>
1672
1673<p> With backwards compatibility turned on (the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#compatibility_level">compatibility_level</a>
1674value is less than the Postfix built-in value), Postfix looks for
1675settings that are left at their implicit default value, and logs a
1676message when a backwards-compatible default setting is required.
1677</p>
1678
1679<blockquote>
1680<pre>
1681using backwards-compatible default setting <i>name=value</i>
1682    to [accept a specific client request]
1683
1684using backwards-compatible default setting <i>name=value</i>
1685    to [enable specific Postfix behavior]
1686</pre>
1687</blockquote>
1688
1689<p> See <a href="COMPATIBILITY_README.html">COMPATIBILITY_README</a> for specific message details. If such
1690a message is logged in the context of a legitimate request, the
1691system administrator should make the backwards-compatible setting
1692permanent in <a href="postconf.5.html">main.cf</a> or <a href="master.5.html">master.cf</a>, for example: </p>
1693
1694<blockquote>
1695<pre>
1696# <b>postconf</b> <i>name=value</i>
1697# <b>postfix reload</b>
1698</pre>
1699</blockquote>
1700
1701<p> When no more backwards-compatible settings need to be made
1702permanent, the administrator should turn off backwards compatibility
1703by updating the <a href="postconf.5.html#compatibility_level">compatibility_level</a> setting in <a href="postconf.5.html">main.cf</a>:</p>
1704
1705<blockquote>
1706<pre>
1707# <b>postconf <a href="postconf.5.html#compatibility_level">compatibility_level</a>=<i>N</i></b>
1708# <b>postfix reload</b>
1709</pre>
1710</blockquote>
1711
1712<p> For <i>N</i> specify the number that is logged in your <a href="postfix.1.html">postfix(1)</a>
1713warning message: </p>
1714
1715<blockquote>
1716<pre>
1717warning: To disable backwards compatibility use "postconf
1718    <a href="postconf.5.html#compatibility_level">compatibility_level</a>=<i>N</i>" and "postfix reload"
1719</pre>
1720</blockquote>
1721
1722<p> Starting with Postfix version 3.6, the compatibility level in
1723the above warning message is the Postfix version that introduced
1724the last incompatible change. The level is formatted as
1725<i>major.minor.patch</i>, where <i>patch</i> is usually omitted and
1726defaults to zero. Earlier compatibility levels are 0, 1 and 2. </p>
1727
1728<p> NOTE: this also introduces support for the "&lt;level",
1729"&lt;=level", and other operators to compare compatibility levels.
1730With the standard operators "&lt;", "&lt;=", etc., compatibility
1731level "3.10" would be smaller than "3.9", which is undesirable. </p>
1732
1733<p> This feature is available in Postfix 3.0 and later. </p>
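<p> As an added illustration (not part of the Postfix documentation or
source code), the following Python snippet extracts the level <i>N</i>
from a logged warning of the kind shown above and compares levels field
by field, so that "3.10" sorts after "3.9" rather than before it as a
plain string comparison would. The log line is constructed for the
example, and the helper names are the example's own. </p>

```python
import re

# Constructed log line; the real message is logged on a single line (the
# wrapped form shown above is only for display).
SAMPLE_WARNING = (
    "Mar  1 12:00:00 mx1 postfix/smtpd[4242]: warning: To disable backwards "
    'compatibility use "postconf compatibility_level=3.6" and "postfix reload"'
)

WARNING_RE = re.compile(r'use "postconf\s+compatibility_level=([0-9.]+)"')


def parse_level(level):
    """Turn a compatibility level into a (major, minor, patch) tuple.

    Accepts the legacy levels "0", "1", "2" as well as "major.minor[.patch]"
    (Postfix 3.6 and later); a missing patch defaults to zero, as the text
    above says.
    """
    parts = level.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("not a compatibility level: %r" % level)
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))


def compare_levels(a, b):
    """-1, 0 or 1 as level a is below, equal to or above level b,
    comparing numerically field by field rather than as strings."""
    ta, tb = parse_level(a), parse_level(b)
    return (ta > tb) - (ta < tb)


def level_from_warning(log_line):
    """Extract N from the 'To disable backwards compatibility' warning, or None."""
    m = WARNING_RE.search(log_line)
    return m.group(1) if m else None


if __name__ == "__main__":
    n = level_from_warning(SAMPLE_WARNING)
    print("logged level:", n, "->", parse_level(n))
    print("3.10 vs 3.9 as strings:", "3.10" < "3.9",
          "| as levels:", compare_levels("3.10", "3.9"))
```

<p> A tool that reads these warnings out of the mail log should compare
levels this way; a plain string sort of the logged values would rank
"3.10" below "3.9". </p>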
1734
1735
1736</DD>
1737
1738<DT><b><a name="config_directory">config_directory</a>
1739(default: see "postconf -d" output)</b></DT><DD>
1740
1741<p> The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a>
1742configuration files. This can be overruled via the following
1743mechanisms: </p>
1744
1745<ul>
1746
1747<li> <p> The MAIL_CONFIG environment variable (daemon processes
1748and commands). </p>
1749
1750<li> <p> The "-c" command-line option (commands only). </p>
1751
1752</ul>
1753
1754<p> With Postfix commands that run with set-gid privileges, a
1755<a href="postconf.5.html#config_directory">config_directory</a> override either requires root privileges, or it
1756requires that the directory is listed with the <a href="postconf.5.html#alternate_config_directories">alternate_config_directories</a>
1757parameter in the default <a href="postconf.5.html">main.cf</a> file.  </p>
1758
1759
1760</DD>
1761
1762<DT><b><a name="confirm_delay_cleared">confirm_delay_cleared</a>
1763(default: no)</b></DT><DD>
1764
1765<p> After sending a "your message is delayed" notification, inform
1766the sender when the delay clears up. This can result in a sudden
1767burst of notifications at the end of a prolonged network outage,
1768and is therefore disabled by default. </p>
1769
1770<p> See also: <a href="postconf.5.html#delay_warning_time">delay_warning_time</a>. </p>
1771
1772<p> This feature is available in Postfix 3.0 and later. </p>
1773
1774
1775</DD>
1776
1777<DT><b><a name="connection_cache_protocol_timeout">connection_cache_protocol_timeout</a>
1778(default: 5s)</b></DT><DD>
1779
1780<p> Time limit for connection cache connect, send or receive
1781operations.  The time limit is enforced in the client. </p>
1782
1783<p> This feature is available in Postfix 2.3 and later. </p>
1784
1785
1786</DD>
1787
1788<DT><b><a name="connection_cache_service_name">connection_cache_service_name</a>
1789(default: scache)</b></DT><DD>
1790
1791<p> The name of the <a href="scache.8.html">scache(8)</a> connection cache service.  This service
1792maintains a limited pool of cached sessions.  </p>
1793
1794<p> This feature is available in Postfix 2.2 and later. </p>
1795
1796
1797</DD>
1798
1799<DT><b><a name="connection_cache_status_update_time">connection_cache_status_update_time</a>
1800(default: 600s)</b></DT><DD>
1801
1802<p> How frequently the <a href="scache.8.html">scache(8)</a> server logs usage statistics with
1803connection cache hit and miss rates for logical destinations and for
1804physical endpoints. </p>
1805
1806
1807</DD>
1808
1809<DT><b><a name="connection_cache_ttl_limit">connection_cache_ttl_limit</a>
1810(default: 2s)</b></DT><DD>
1811
1812<p> The maximal time-to-live value that the <a href="scache.8.html">scache(8)</a> connection
1813cache server
1814allows. Requests that specify a larger TTL will be stored with the
1815maximum allowed TTL. The purpose of this additional control is to
1816protect the infrastructure against careless people. The cache TTL
1817is already bounded by $<a href="postconf.5.html#max_idle">max_idle</a>.  </p>
1818
1819
1820</DD>
1821
1822<DT><b><a name="content_filter">content_filter</a>
1823(default: empty)</b></DT><DD>
1824
1825<p> After the message is queued, send the entire message to the
1826specified <i>transport:destination</i>. The <i>transport</i> name
1827specifies the first field of a mail delivery agent definition in
1828<a href="master.5.html">master.cf</a>; the syntax of the next-hop <i>destination</i> is described
1829in the manual page of the corresponding delivery agent.  More
1830information about external content filters is in the Postfix
1831<a href="FILTER_README.html">FILTER_README</a> file.  </p>
1832
1833<p> Notes: </p>
1834
1835<ul>
1836
1837<li> <p> This setting has lower precedence than a FILTER action
1838that is specified in an <a href="access.5.html">access(5)</a>, <a href="header_checks.5.html">header_checks(5)</a> or <a href="header_checks.5.html">body_checks(5)</a>
1839table. </p>
1840
1841<li> <p> The meaning of an empty next-hop filter <i>destination</i>
1842is version dependent.  Postfix 2.7 and later will use the recipient
1843domain; earlier versions will use $<a href="postconf.5.html#myhostname">myhostname</a>.  Specify
1844"<a href="postconf.5.html#default_filter_nexthop">default_filter_nexthop</a> = $<a href="postconf.5.html#myhostname">myhostname</a>" for compatibility with Postfix
18452.6 or earlier, or specify a <a href="postconf.5.html#content_filter">content_filter</a> value with an explicit
1846next-hop <i>destination</i>.  </p>
1847
1848</ul>
1849
1850
1851</DD>
1852
1853<DT><b><a name="cyrus_sasl_config_path">cyrus_sasl_config_path</a>
1854(default: empty)</b></DT><DD>
1855
1856<p> Search path for Cyrus SASL application configuration files,
1857currently used only to locate the $<a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.conf file.
1858Specify zero or more directories separated by a colon character,
1859or an empty value to use Cyrus SASL's built-in search path.  </p>
1860
1861<p> Note: some Debian-based Postfix distributions ignore the
1862"<a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a>" parameter setting, and force Postfix to
1863open the file <code>/etc/postfix/sasl/smtpd.conf</code>. </p>
1864
1865<p> This feature is available in Postfix 2.5 and later when compiled
1866with Cyrus SASL 2.1.22 or later. </p>
1867
1868
1869</DD>
1870
1871<DT><b><a name="daemon_directory">daemon_directory</a>
1872(default: see "postconf -d" output)</b></DT><DD>
1873
1874<p>
1875The directory with Postfix support programs and daemon programs.
1876These should not be invoked directly by humans. The directory must
1877be owned by root.
1878</p>
1879
1880
1881</DD>
1882
1883<DT><b><a name="daemon_table_open_error_is_fatal">daemon_table_open_error_is_fatal</a>
1884(default: no)</b></DT><DD>
1885
1886<p> How a Postfix daemon process handles errors while opening lookup
1887tables: gradual degradation or immediate termination. </p>
1888
1889<dl>
1890
1891<dt> <b> no </b> (default) </dt> <dd> <p> Gradual degradation: a
1892daemon process logs a message of type "error" and continues execution
1893with reduced functionality. Features that do not depend on the
1894unavailable table will work normally, while features that depend
1895on the table will result in a type "warning" message.  <br> When
1896the <a href="postconf.5.html#notify_classes">notify_classes</a> parameter value contains the "data" class, the
1897Postfix SMTP server and client will report transcripts of sessions
1898with an error because a table is unavailable.  </p> </dd>
1899
1900<dt> <b> yes </b> (historical behavior) </dt> <dd> <p> Immediate
1901termination: a daemon process logs a type "fatal" message and
1902terminates immediately.  This option reduces the number of possible
1903code paths through Postfix, and may therefore be slightly more
1904secure than the default.  </p> </dd>
1905
1906</dl>
1907
1908<p> For the sake of sanity, the number of type "error" messages is
1909limited to 13 over the lifetime of a daemon process. </p>
1910
1911<p> This feature is available in Postfix 2.9 and later.  </p>
1912
1913
1914</DD>
1915
1916<DT><b><a name="daemon_timeout">daemon_timeout</a>
1917(default: 18000s)</b></DT><DD>
1918
1919<p> How much time a Postfix daemon process may take to handle a
1920request before it is terminated by a built-in watchdog timer.  </p>
1921
1922<p> Specify a non-zero time value (an integral value plus an optional
1923one-letter suffix that specifies the time unit).  Time units: s
1924(seconds), m (minutes), h (hours), d (days), w (weeks).
1925The default time unit is s (seconds).  </p>
1926
1927
1928</DD>
1929
1930<DT><b><a name="data_directory">data_directory</a>
1931(default: see "postconf -d" output)</b></DT><DD>
1932
1933<p> The directory with Postfix-writable data files (for example:
1934caches, pseudo-random numbers).  This directory must be owned by
1935the <a href="postconf.5.html#mail_owner">mail_owner</a> account, and must not be shared with non-Postfix
1936software.  </p>
1937
1938<p> This feature is available in Postfix 2.5 and later. </p>
1939
1940
1941</DD>
1942
1943<DT><b><a name="debug_peer_level">debug_peer_level</a>
1944(default: 2)</b></DT><DD>
1945
1946<p> The increment in verbose logging level when a nexthop destination,
1947remote client or server name or network address matches a pattern
1948given with the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. </p>
1949
1950<p> Per-nexthop debug logging is available in Postfix 3.6 and later. </p>
1951
1952
1953</DD>
1954
1955<DT><b><a name="debug_peer_list">debug_peer_list</a>
1956(default: empty)</b></DT><DD>
1957
1958<p> Optional list of nexthop destination, remote client or server
1959name or network address patterns that, if matched, cause the verbose
1960logging level to increase by the amount specified in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
1961</p>
1962
1963<p> Per-nexthop debug logging is available in Postfix 3.6 and later. </p>
1964
1965<p> Specify domain names, network/netmask patterns, "/file/name"
1966patterns or "<a href="DATABASE_README.html">type:table</a>" lookup tables. The right-hand side result
1967from "<a href="DATABASE_README.html">type:table</a>" lookups is ignored.  </p>
1968
1969<p> Pattern matching of domain names is controlled by the presence
1970or absence of "<a href="postconf.5.html#debug_peer_list">debug_peer_list</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
1971parameter value.  </p>
1972
1973<p>
1974Examples:
1975</p>
1976
1977<pre>
1978<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> = 127.0.0.1
1979<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> = example.com
1980</pre>
1981
1982
1983</DD>
1984
1985<DT><b><a name="debugger_command">debugger_command</a>
1986(default: empty)</b></DT><DD>
1987
1988<p>
1989The external command to execute when a Postfix daemon program is
1990invoked with the -D option.
1991</p>
1992
1993<p>
1994Use "command .. &amp; sleep 5" so that the debugger can attach before
1995the process marches on. If you use an X-based debugger, be sure to
1996set up your XAUTHORITY environment variable before starting Postfix.
1997</p>
1998
1999<p>
2000Note: the command is subject to $name expansion, before it is
2001passed to the default command interpreter. Specify "$$" to
2002produce a single "$" character.
2003</p>
2004
2005<p>
2006Example:
2007</p>
2008
2009<pre>
2010<a href="postconf.5.html#debugger_command">debugger_command</a> =
2011    PATH=/usr/bin:/usr/X11R6/bin
2012    ddd $<a href="postconf.5.html#daemon_directory">daemon_directory</a>/$<a href="postconf.5.html#process_name">process_name</a> $<a href="postconf.5.html#process_id">process_id</a> &amp; sleep 5
2013</pre>
2014
2015
2016</DD>
2017
2018<DT><b><a name="default_database_type">default_database_type</a>
2019(default: see "postconf -d" output)</b></DT><DD>
2020
2021<p>
2022The default database type for use in <a href="newaliases.1.html">newaliases(1)</a>, <a href="postalias.1.html">postalias(1)</a>
2023and <a href="postmap.1.html">postmap(1)</a> commands. On many UNIX systems the default type is
2024either <b>dbm</b> or <b>hash</b>. The default setting is frozen
2025when the Postfix system is built.
2026</p>
2027
2028<p>
2029Examples:
2030</p>
2031
2032<pre>
2033<a href="postconf.5.html#default_database_type">default_database_type</a> = hash
2034<a href="postconf.5.html#default_database_type">default_database_type</a> = dbm
2035</pre>
2036
2037
2038</DD>
2039
2040<DT><b><a name="default_delivery_slot_cost">default_delivery_slot_cost</a>
2041(default: 5)</b></DT><DD>
2042
2043<p>
2044How often the Postfix queue manager's scheduler is allowed to
2045preempt delivery of one message with another.
2046</p>
2047
2048<p>
2049Each transport maintains a so-called "available delivery slot counter"
2050for each message. One message can be preempted by another one when
2051the other message can be delivered using no more delivery slots
2052(i.e., invocations of delivery agents) than the current message
2053counter has accumulated (or will eventually accumulate - see about
2054slot loans below). This parameter controls how often the counter is
2055incremented - it happens after each <a href="postconf.5.html#default_delivery_slot_cost">default_delivery_slot_cost</a>
2056recipients have been delivered.
2057</p>
2058
2059<p>
2060The cost of 0 is used to disable the preempting scheduling completely.
2061The minimum value the scheduling algorithm can use is 2 - use it
2062if you want to maximize the message throughput rate. Although there
2063is no maximum, it doesn't make much sense to use values above say
206450.
2065</p>
2066
2067<p>
2068The only reason why the value of 2 is not the default is the way
2069this parameter affects the delivery of mailing-list mail. In the
2070worst case, delivery can take somewhere between (cost+1)/cost
2071and cost/(cost-1) times longer than if the preemptive scheduler was
2072disabled. The default value of 5 turns out to provide reasonable
2073message response times while making sure the mailing-list deliveries
2074are not extended by more than 20-25 percent even in the worst case.
2075</p>
2076
2077<p> Use <a href="postconf.5.html#transport_delivery_slot_cost"><i>transport</i>_delivery_slot_cost</a> to specify a
2078transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2079name of the message delivery transport.
2080</p>
2081
2082<p>
2083Examples:
2084</p>
2085
2086<pre>
2087<a href="postconf.5.html#default_delivery_slot_cost">default_delivery_slot_cost</a> = 0
2088<a href="postconf.5.html#default_delivery_slot_cost">default_delivery_slot_cost</a> = 2
2089</pre>
2090
2091
2092</DD>
2093
2094<DT><b><a name="default_delivery_slot_discount">default_delivery_slot_discount</a>
2095(default: 50)</b></DT><DD>
2096
2097<p>
2098The default value for transport-specific _delivery_slot_discount
2099settings.
2100</p>
2101
2102<p>
2103This parameter speeds up the moment when a message preemption can
2104happen. Instead of waiting until the full amount of delivery slots
2105required is available, the preemption can happen when
2106<a href="postconf.5.html#transport_delivery_slot_discount"><i>transport</i>_delivery_slot_discount</a> percent of the required amount
2107plus <a href="postconf.5.html#transport_delivery_slot_loan"><i>transport</i>_delivery_slot_loan</a> still remains to be accumulated.
2108Note that the full amount will still have to be accumulated before
2109another preemption can take place later.
2110</p>
2111
2112<p> Use <a href="postconf.5.html#transport_delivery_slot_discount"><i>transport</i>_delivery_slot_discount</a> to specify a
2113transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2114name of the message delivery transport.
2115</p>
2116
2117
2118</DD>
2119
2120<DT><b><a name="default_delivery_slot_loan">default_delivery_slot_loan</a>
2121(default: 3)</b></DT><DD>
2122
2123<p>
2124The default value for transport-specific _delivery_slot_loan
2125settings.
2126</p>
2127
2128<p>
2129This parameter speeds up the moment when a message preemption can
2130happen. Instead of waiting until the full amount of delivery slots
2131required is available, the preemption can happen when
2132<a href="postconf.5.html#transport_delivery_slot_discount"><i>transport</i>_delivery_slot_discount</a> percent of the required amount
2133plus <a href="postconf.5.html#transport_delivery_slot_loan"><i>transport</i>_delivery_slot_loan</a> still remains to be accumulated.
2134Note that the full amount will still have to be accumulated before
2135another preemption can take place later.
2136</p>
2137
2138<p> Use <a href="postconf.5.html#transport_delivery_slot_loan"><i>transport</i>_delivery_slot_loan</a> to specify a
2139transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2140name of the message delivery transport.
2141</p>
2142
2143
2144</DD>
2145
2146<DT><b><a name="default_delivery_status_filter">default_delivery_status_filter</a>
2147(default: empty)</b></DT><DD>
2148
2149<p> Optional filter in Postfix delivery agents, to replace the
2150delivery status code or explanatory text of successful or unsuccessful
2151deliveries. This allows the replacement of a temporary error status
2152code (4.X.X) with a permanent error status code (5.X.X) or vice
2153versa, but does not allow
2154the replacement of a successful status code (2.X.X) with an
2155unsuccessful status code (4.X.X or 5.X.X) or vice versa. </p>
2156
2157<p> Note: the (smtp|lmtp)_delivery_status_filter is applied only
2158once per recipient: when delivery is successful, when delivery is
2159rejected with 5XX, or when there are no more alternate MX or A
2160destinations. Use <a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> or <a href="postconf.5.html#lmtp_reply_filter">lmtp_reply_filter</a> to inspect
2161responses for all delivery attempts. </p>
2162
2163<p> The following parameters can be used to implement a filter for
2164specific delivery agents: <a href="postconf.5.html#lmtp_delivery_status_filter">lmtp_delivery_status_filter</a>,
2165<a href="postconf.5.html#local_delivery_status_filter">local_delivery_status_filter</a>, <a href="postconf.5.html#pipe_delivery_status_filter">pipe_delivery_status_filter</a>,
2166<a href="postconf.5.html#smtp_delivery_status_filter">smtp_delivery_status_filter</a> or <a href="postconf.5.html#virtual_delivery_status_filter">virtual_delivery_status_filter</a>. These
2167parameters support the same filter syntax as described here. </p>
2168
2169<p> Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup table names, separated
2170by comma or whitespace. For each successful or unsuccessful delivery
2171to a recipient, the tables are queried in the specified order with
2172one line of text that is structured as follows: </p>
2173
2174<blockquote>
2175enhanced-status-code SPACE explanatory-text
2176</blockquote>
2177
2178<p> The first table match wins. The lookup result must have the
2179same structure as the query, a successful status code (2.X.X) must
2180be replaced with a successful status code, an unsuccessful status
2181code (4.X.X or 5.X.X) must be replaced with an unsuccessful status
2182code, and the explanatory text field must be non-empty. Other results
2183will result in a warning.  </p>
2184
2185<p> Example 1: convert specific soft TLS errors into hard errors,
2186by overriding the first number in the enhanced status code.  </p>
2187
2188<blockquote>
2189<pre>
2190/etc/postfix/<a href="postconf.5.html">main.cf</a>:
2191    <a href="postconf.5.html#smtp_delivery_status_filter">smtp_delivery_status_filter</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/smtp_dsn_filter
2192</pre>
2193</blockquote>
2194
2195<blockquote>
2196<pre>
2197/etc/postfix/smtp_dsn_filter:
2198    /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
2199        5$1
2200    /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
2201        5$1
2202    # Do not change the following into hard bounces. They may
2203    # result from a local configuration problem.
2204    # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
2205    # 4.\d+.\d+ TLS is required, but unavailable
2206    # 4.\d+.\d+ Cannot start TLS: handshake failure
2207</pre>
2208</blockquote>
2209
2210<p> Example 2: censor the per-recipient delivery status text so
2211that it does not reveal the destination command or filename
2212when a remote sender requests confirmation of successful delivery.
2213</p>
2214
2215<blockquote>
2216<pre>
2217/etc/postfix/<a href="postconf.5.html">main.cf</a>:
2218    <a href="postconf.5.html#local_delivery_status_filter">local_delivery_status_filter</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/local_dsn_filter
2219</pre>
2220</blockquote>
2221
2222<blockquote>
2223<pre>
2224/etc/postfix/local_dsn_filter:
2225    /^(2\S+ delivered to file).+/    $1
2226    /^(2\S+ delivered to command).+/ $1
2227</pre>
2228</blockquote>
2229
2230<p> Notes: </p>
2231
2232<ul>
2233
2234<li> <p> This feature will NOT override the <a href="postconf.5.html#soft_bounce">soft_bounce</a> safety net. </p>
2235
2236<li> <p> This feature will change the enhanced status code and text
2237that is logged to the maillog file, and that is reported to the
2238sender in delivery confirmation or non-delivery notifications.
2239</p>
2240
2241</ul>
2242
2243<p> This feature is available in Postfix 3.0 and later. </p>
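<p> The following Python code is an added illustration of the lookup and
validation rules described for this parameter; it is not part of Postfix
and does not reproduce the <a href="pcre_table.5.html">pcre_table(5)</a>
implementation. It rewrites the two example tables above for Python's
<code>re</code> module ("$1" becomes "\1"), queries the tables in order
with a constructed "enhanced-status-code SPACE explanatory-text" line,
lets the first match win, and rejects a result that would turn a
successful status into an unsuccessful one (or vice versa), has no valid
status code, or has empty text. The sample status lines and the function
names are the example's own. </p>

```python
import re

# Classes of enhanced status codes named in the parameter text:
# 2.X.X is a successful delivery, 4.X.X and 5.X.X are unsuccessful.
STATUS_CODE_RE = re.compile(r"^([245])\.\d+\.\d+$")

# Constructed filter tables mirroring Example 1 and Example 2 above, with the
# pcre_table(5) rules rewritten for Python's re module ($1 becomes \1).
SMTP_DSN_FILTER = [
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)"), r"5\1"),
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)"), r"5\1"),
]
LOCAL_DSN_FILTER = [
    (re.compile(r"^(2\S+ delivered to file).+"), r"\1"),
    (re.compile(r"^(2\S+ delivered to command).+"), r"\1"),
]


def status_class(code):
    """'ok' for 2.X.X, 'fail' for 4.X.X or 5.X.X, None if not a valid code."""
    m = STATUS_CODE_RE.match(code)
    if m is None:
        return None
    return "ok" if m.group(1) == "2" else "fail"


def validate_result(query, result):
    """Apply the rules from the text to a lookup result. Returns None when the
    result is acceptable, otherwise the reason it must be rejected (Postfix
    logs a warning in that case)."""
    q_code, _, _ = query.partition(" ")
    r_code, _, r_text = result.partition(" ")
    if status_class(r_code) is None:
        return "result %r does not start with an enhanced status code" % result
    if not r_text.strip():
        return "result %r has empty explanatory text" % result
    if status_class(q_code) != status_class(r_code):
        return "result may not turn %s into %s" % (q_code, r_code)
    return None


def apply_delivery_status_filter(status_line, tables):
    """Query the tables in order with 'enhanced-status-code SPACE text'.
    The first matching rule wins. Returns (new_line, warning); when the
    result is rejected the original line is kept and warning says why."""
    for table in tables:
        for pattern, replacement in table:
            m = pattern.match(status_line)
            if m is None:
                continue
            result = m.expand(replacement)
            warning = validate_result(status_line, result)
            if warning is not None:
                return status_line, warning
            return result, None
    return status_line, None


if __name__ == "__main__":
    # Constructed per-recipient delivery status lines.
    samples = [
        ("4.7.4 TLS is required, but host mx.example.com refused to start TLS: "
         "454 4.7.0 TLS not available", [SMTP_DSN_FILTER]),
        ("2.0.0 delivered to file: /home/alice/Maildir/", [LOCAL_DSN_FILTER]),
        ("4.4.1 connect to mx.example.com[192.0.2.1]:25: Connection refused",
         [SMTP_DSN_FILTER, LOCAL_DSN_FILTER]),
    ]
    for line, tables in samples:
        print(apply_delivery_status_filter(line, tables))
```

<p> The validation step is the part worth keeping in mind when writing
such tables: a rule that rewrites a 2.X.X result into 5.X.X, or whose
replacement drops the explanatory text, is rejected and only produces
a warning, so the delivery status stays as the delivery agent reported
it. </p>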
2244
2245
2246</DD>
2247
2248<DT><b><a name="default_destination_concurrency_failed_cohort_limit">default_destination_concurrency_failed_cohort_limit</a>
2249(default: 1)</b></DT><DD>
2250
2251<p> How many pseudo-cohorts must suffer connection or handshake
2252failure before a specific destination is considered unavailable
2253(and further delivery is suspended). Specify zero to disable this
2254feature. A destination's pseudo-cohort failure count is reset each
2255time a delivery completes without connection or handshake failure
2256for that specific destination. </p>
2257
2258<p> A pseudo-cohort is the number of deliveries equal to a destination's
2259delivery concurrency. </p>
2260
2261<p> Use <a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit"><i>transport</i>_destination_concurrency_failed_cohort_limit</a> to specify
2262a transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2263name of the message delivery transport. </p>
2264
2265<p> This feature is available in Postfix 2.5. The default setting
2266is compatible with earlier Postfix versions. </p>
2267
2268
2269</DD>
2270
2271<DT><b><a name="default_destination_concurrency_limit">default_destination_concurrency_limit</a>
2272(default: 20)</b></DT><DD>
2273
2274<p>
2275The default maximal number of parallel deliveries to the same
2276destination.  This is the default limit for delivery via the <a href="lmtp.8.html">lmtp(8)</a>,
2277<a href="pipe.8.html">pipe(8)</a>, <a href="smtp.8.html">smtp(8)</a> and <a href="virtual.8.html">virtual(8)</a> delivery agents.
2278With a per-destination recipient limit &gt; 1, a destination is a domain,
2279otherwise it is a recipient.
2280</p>
2281
2282<p> Use <a href="postconf.5.html#transport_destination_concurrency_limit"><i>transport</i>_destination_concurrency_limit</a> to specify a
2283transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2284name of the message delivery transport.
2285</p>
2286
2287
2288</DD>
2289
2290<DT><b><a name="default_destination_concurrency_negative_feedback">default_destination_concurrency_negative_feedback</a>
2291(default: 1)</b></DT><DD>
2292
2293<p> The per-destination amount of delivery concurrency negative
2294feedback, after a delivery completes with a connection or handshake
2295failure. Feedback values are in the range 0..1 inclusive. With
2296negative feedback, concurrency is decremented at the beginning of
2297a sequence of length 1/feedback. This is unlike positive feedback,
2298where concurrency is incremented at the end of a sequence of length
22991/feedback. </p>
2300
2301<p> As of Postfix version 2.5, negative feedback cannot reduce
2302delivery concurrency to zero.  Instead, a destination is marked
2303dead (further delivery suspended) after the failed pseudo-cohort
2304count reaches $<a href="postconf.5.html#default_destination_concurrency_failed_cohort_limit">default_destination_concurrency_failed_cohort_limit</a>
2305(or $<a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit"><i>transport</i>_destination_concurrency_failed_cohort_limit</a>).
2306To make the scheduler completely immune to connection or handshake
2307failures, specify a zero feedback value and a zero failed pseudo-cohort
2308limit.  </p>
2309
2310<p> Specify one of the following forms: </p>
2311
2312<dl>
2313
2314<dt> <b><i>number</i> </b> </dt>
2315
2316<dt> <b><i>number</i> / <i>number</i> </b> </dt>
2317
2318<dd> Constant feedback. The value must be in the range 0..1 inclusive.
2319The default setting of "1" is compatible with Postfix versions
2320before 2.5, where a destination's delivery concurrency is throttled
2321down to zero (and further delivery suspended) after a single failed
2322pseudo-cohort. </dd>
2323
2324<dt> <b><i>number</i> / concurrency </b> </dt>
2325
2326<dd> Variable feedback of "<i>number</i> / (delivery concurrency)".
2327The <i>number</i> must be in the range 0..1 inclusive. With
2328<i>number</i> equal to "1", a destination's delivery concurrency
2329is decremented by 1 after each failed pseudo-cohort.  </dd>
2330
2331</dl>
2332
2333<p> A pseudo-cohort is the number of deliveries equal to a destination's
2334delivery concurrency. </p>
2335
2336<p> Use <a href="postconf.5.html#transport_destination_concurrency_negative_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a>
2337to specify a transport-specific override, where <i>transport</i>
2338is the <a href="master.5.html">master.cf</a>
2339name of the message delivery transport. </p>
2340
2341<p> This feature is available in Postfix 2.5. The default setting
2342is compatible with earlier Postfix versions. </p>
2343
2344
2345</DD>
2346
2347<DT><b><a name="default_destination_concurrency_positive_feedback">default_destination_concurrency_positive_feedback</a>
2348(default: 1)</b></DT><DD>
2349
2350<p> The per-destination amount of delivery concurrency positive
2351feedback, after a delivery completes without connection or handshake
2352failure. Feedback values are in the range 0..1 inclusive.  The
2353concurrency increases until it reaches the per-destination maximal
2354concurrency limit. With positive feedback, concurrency is incremented
2355at the end of a sequence with length 1/feedback. This is unlike
2356negative feedback, where concurrency is decremented at the start
2357of a sequence of length 1/feedback. </p>
2358
2359<p> Specify one of the following forms:  </p>
2360
2361<dl>
2362
2363<dt> <b><i>number</i> </b> </dt>
2364
2365<dt> <b><i>number</i> / <i>number</i> </b> </dt>
2366
2367<dd> Constant feedback.  The value must be in the range 0..1
2368inclusive. The default setting of "1" is compatible with Postfix
2369versions before 2.5, where a destination's delivery concurrency
2370doubles after each successful pseudo-cohort.  </dd>
2371
2372<dt> <b><i>number</i> / concurrency </b> </dt>
2373
2374<dd> Variable feedback of "<i>number</i> / (delivery concurrency)".
2375The <i>number</i> must be in the range 0..1 inclusive. With
2376<i>number</i> equal to "1", a destination's delivery concurrency
2377is incremented by 1 after each successful pseudo-cohort.  </dd>
2378
2379</dl>
2380
2381<p> A pseudo-cohort is the number of deliveries equal to a destination's
2382delivery concurrency. </p>
2383
2384<p> Use <a href="postconf.5.html#transport_destination_concurrency_positive_feedback"><i>transport</i>_destination_concurrency_positive_feedback</a>
2385to specify a transport-specific override, where <i>transport</i>
2386is the <a href="master.5.html">master.cf</a> name of the message delivery transport. </p>
2387
2388<p> This feature is available in Postfix 2.5 and later.  </p>
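<p> The following Python model is added here as an illustration and is
not taken from the Postfix source; it plays through the positive and
negative feedback rules and the failed pseudo-cohort limit described
under <a href="postconf.5.html#default_destination_concurrency_failed_cohort_limit">default_destination_concurrency_failed_cohort_limit</a>,
<a href="postconf.5.html#default_destination_concurrency_negative_feedback">default_destination_concurrency_negative_feedback</a>
and this parameter. It follows only the documented description
(concurrency incremented at the end of a sequence of length 1/feedback,
decremented at the start of one, never reduced below 1, the destination
marked dead once the failed pseudo-cohort count reaches the limit, and
that count reset by a delivery without connection or handshake failure).
The starting concurrency, the names <code>Destination</code>,
<code>run</code> and <code>parse_feedback</code>, and the choice to count
each failure as 1/(current concurrency) of a pseudo-cohort when the
concurrency changes mid-cohort are this example's own assumptions. </p>

```python
"""Model of per-destination concurrency feedback as described in postconf(5).
Illustration only: the queue manager's real bookkeeping is not reproduced."""

from dataclasses import dataclass, field


def parse_feedback(spec):
    """Parse "number", "number / number" or "number / concurrency".

    Returns (numerator, denominator); a denominator of None means "divide by
    the destination's current delivery concurrency". The constant value, or
    the numerator in the concurrency form, must be in 0..1 inclusive."""
    parts = [p.strip() for p in spec.split("/")]
    if len(parts) == 1:
        num, den = float(parts[0]), 1.0
    elif len(parts) == 2 and parts[1] == "concurrency":
        num, den = float(parts[0]), None
    elif len(parts) == 2 and float(parts[1]) != 0.0:
        num, den = float(parts[0]), float(parts[1])
    else:
        raise ValueError("bad feedback value: %r" % spec)
    if not 0.0 <= (num if den is None else num / den) <= 1.0:
        raise ValueError("feedback must be in the range 0..1: %r" % spec)
    return num, den


@dataclass
class Destination:
    """Scheduler state for one destination (model). The first four fields
    mirror the default_destination_* parameters; 'concurrency' is the
    starting delivery concurrency assumed by this example."""
    concurrency_limit: int = 20
    pos_feedback: str = "1"
    neg_feedback: str = "1"
    failed_cohort_limit: int = 1
    concurrency: int = 1
    dead: bool = field(default=False, init=False)
    _success: float = field(default=0.0, init=False, repr=False)   # progress in +seq
    _neg_left: float = field(default=0.0, init=False, repr=False)  # deliveries left in -seq
    _failed_cohorts: float = field(default=0.0, init=False, repr=False)

    def _feedback(self, spec):
        num, den = parse_feedback(spec)
        return num / (self.concurrency if den is None else den)

    def delivery_ok(self):
        """A delivery completed without connection or handshake failure."""
        if self.dead:
            return
        self._failed_cohorts = 0.0   # a clean delivery resets the cohort count
        self._success += self._feedback(self.pos_feedback)
        # Positive feedback: +1 at the END of a sequence of length 1/feedback.
        if self._success >= 1.0 - 1e-9:
            self._success = 0.0
            self.concurrency = min(self.concurrency + 1, self.concurrency_limit)

    def delivery_failed(self):
        """A delivery ended with a connection or handshake failure."""
        if self.dead:
            return
        # One failure counts as 1/concurrency of a pseudo-cohort (assumption).
        self._failed_cohorts += 1.0 / self.concurrency
        fb = self._feedback(self.neg_feedback)
        if fb > 0:
            # Negative feedback: -1 at the START of a sequence of length
            # 1/feedback, and never below 1 (Postfix 2.5+ marks the
            # destination dead instead of throttling to zero).
            if self._neg_left <= 0:
                self._neg_left = 1.0 / fb
                self.concurrency = max(self.concurrency - 1, 1)
            self._neg_left -= 1
        if (self.failed_cohort_limit > 0
                and self._failed_cohorts >= self.failed_cohort_limit - 1e-9):
            self.dead = True   # further delivery suspended


def run(dest, outcomes):
    """Feed 'S' (success) / 'F' (failure) outcomes to a Destination and
    return the delivery concurrency after each one."""
    trace = []
    for outcome in outcomes:
        if outcome == "S":
            dest.delivery_ok()
        else:
            dest.delivery_failed()
        trace.append(dest.concurrency)
    return trace


if __name__ == "__main__":
    # Feedback "1": concurrency doubles per successful pseudo-cohort.
    print(run(Destination(pos_feedback="1", concurrency=1), "SSSSSSS"))
    # Feedback "1/concurrency": +1 per successful pseudo-cohort.
    print(run(Destination(pos_feedback="1/concurrency", concurrency=4), "SSSS"))
    d = Destination(neg_feedback="1/concurrency", concurrency=4)
    print(run(d, "FFFF"), "dead:", d.dead)
```

<p> With the defaults, a single pseudo-cohort of failures marks the
destination dead, which is why the rate-delay note above asks for a
larger <a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit"><i>transport</i>_destination_concurrency_failed_cohort_limit</a>
when deliveries are deliberately spaced out; a zero feedback value
together with a zero cohort limit leaves the model, like the scheduler,
unaffected by such failures. </p>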
2389
2390
2391</DD>
2392
2393<DT><b><a name="default_destination_rate_delay">default_destination_rate_delay</a>
2394(default: 0s)</b></DT><DD>
2395
2396<p> The default amount of delay that is inserted between individual
2397message deliveries to the same destination and over the same message
2398delivery transport. Specify a non-zero value to rate-limit those
2399message deliveries to at most one per $<a href="postconf.5.html#default_destination_rate_delay">default_destination_rate_delay</a>.
2400</p>
2401
2402<p> The resulting behavior depends on the value of the corresponding
2403per-destination recipient limit. </p>
2406
2407<ul>
2408
2409<li> <p> With a corresponding per-destination recipient limit &gt;
24101, the rate delay specifies the time between deliveries to the
2411<i>same domain</i>.  Different domains are delivered in parallel,
2412subject to the process limits specified in <a href="master.5.html">master.cf</a>. </p>
2413
2414<li> <p> With a corresponding per-destination recipient limit equal
2415to 1, the rate delay specifies the time between deliveries to the
2416<i>same recipient</i>. Different recipients are delivered in
2417parallel, subject to the process limits specified in <a href="master.5.html">master.cf</a>.
2418</p>
2419
2420</ul>
2421
2422<p> To enable the delay, specify a non-zero time value (an integral
2423value plus an optional one-letter suffix that specifies the time
2424unit). </p>
2425
2426<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
2427(weeks). The default time unit is s (seconds). </p>
2428
2429<p> NOTE: the delay is enforced by the queue manager. The delay
2430timer state does not survive "<b>postfix reload</b>" or "<b>postfix
2431stop</b>".
2432</p>
2433
2434<p> Use <a href="postconf.5.html#transport_destination_rate_delay"><i>transport</i>_destination_rate_delay</a> to specify a
2435transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2436name of the message delivery transport.
2437</p>
2438
2439<p> NOTE: with a non-zero _destination_rate_delay, specify a
2440<a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit"><i>transport</i>_destination_concurrency_failed_cohort_limit</a> of 10
2441or more to prevent Postfix from deferring all mail for the same
2442destination after only one connection or handshake error. </p>
2443
2444<p> This feature is available in Postfix 2.5 and later. </p>
2445
2446
2447</DD>
2448
2449<DT><b><a name="default_destination_recipient_limit">default_destination_recipient_limit</a>
2450(default: 50)</b></DT><DD>
2451
2452<p>
2453The default maximal number of recipients per message delivery.
2454This is the default limit for delivery via the <a href="lmtp.8.html">lmtp(8)</a>, <a href="pipe.8.html">pipe(8)</a>,
2455<a href="smtp.8.html">smtp(8)</a> and <a href="virtual.8.html">virtual(8)</a> delivery agents.
2456</p>
2457
2458<p> Setting this parameter to a value of 1 affects email deliveries
2459as follows:</p>
2460
2461<ul>
2462
2463<li> <p> It changes the meaning of the corresponding per-destination
2464concurrency limit, from concurrency of deliveries to the <i>same
2465domain</i> into concurrency of deliveries to the <i>same recipient</i>.
2466Different recipients are delivered in parallel, subject to the
2467process limits specified in <a href="master.5.html">master.cf</a>. </p>
2468
2469<li> <p> It changes the meaning of the corresponding per-destination
2470rate delay, from the delay between deliveries to the <i>same
2471domain</i> into the delay between deliveries to the <i>same
2472recipient</i>.  Again, different recipients are delivered in parallel,
2473subject to the process limits specified in <a href="master.5.html">master.cf</a>.  </p>
2474
2475<li> <p> It changes the meaning of other corresponding per-destination
2476settings in a similar manner, from settings for delivery to the
2477<i>same domain</i> into settings for delivery to the <i>same
2478recipient</i>. </p>
2479
2480</ul>
2481
2482<p> Use <a href="postconf.5.html#transport_destination_recipient_limit"><i>transport</i>_destination_recipient_limit</a> to specify a
2483transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2484name of the message delivery transport.
2485</p>
2486
2487
2488</DD>
2489
2490<DT><b><a name="default_extra_recipient_limit">default_extra_recipient_limit</a>
2491(default: 1000)</b></DT><DD>
2492
2493<p>
2494The default value for the extra per-transport limit imposed on the
2495number of in-memory recipients.  This extra recipient space is
2496reserved for the cases when the Postfix queue manager's scheduler
2497preempts one message with another and suddenly needs some extra
2498recipient slots for the chosen message in order to avoid performance
2499degradation.
2500</p>
2501
2502<p> Use <a href="postconf.5.html#transport_extra_recipient_limit"><i>transport</i>_extra_recipient_limit</a> to specify a
2503transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2504name of the message delivery transport.
2505</p>
2506
2507
2508</DD>
2509
2510<DT><b><a name="default_filter_nexthop">default_filter_nexthop</a>
2511(default: empty)</b></DT><DD>
2512
2513<p> When a <a href="postconf.5.html#content_filter">content_filter</a> or FILTER request specifies no explicit
2514next-hop destination, use $<a href="postconf.5.html#default_filter_nexthop">default_filter_nexthop</a> instead; when
2515that value is empty, use the domain in the recipient address.
2516Specify "<a href="postconf.5.html#default_filter_nexthop">default_filter_nexthop</a> = $<a href="postconf.5.html#myhostname">myhostname</a>" for compatibility
2517with Postfix version 2.6 and earlier, or specify an explicit next-hop
2518destination with each <a href="postconf.5.html#content_filter">content_filter</a> value or FILTER action. </p>
2519
2520<p> This feature is available in Postfix 2.7 and later.  </p>
2521
2522
2523</DD>
2524
2525<DT><b><a name="default_minimum_delivery_slots">default_minimum_delivery_slots</a>
2526(default: 3)</b></DT><DD>
2527
2528<p>
How many recipients a message must have in order to invoke the
Postfix queue manager's scheduling algorithm at all.  Messages
which would never accumulate at least this many delivery slots
(subject to the slot cost parameter as well) are never preempted.
2533</p>
2534
2535<p> Use <a href="postconf.5.html#transport_minimum_delivery_slots"><i>transport</i>_minimum_delivery_slots</a> to specify a
2536transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2537name of the message delivery transport.
2538</p>
2539
2540
2541</DD>
2542
2543<DT><b><a name="default_privs">default_privs</a>
2544(default: nobody)</b></DT><DD>
2545
2546<p>
2547The default rights used by the <a href="local.8.html">local(8)</a> delivery agent for delivery
2548to an external file or command.  These rights are used when delivery
2549is requested from an <a href="aliases.5.html">aliases(5)</a> file that is owned by <b>root</b>, or
2550when delivery is done on behalf of <b>root</b>. <b>DO NOT SPECIFY A
2551PRIVILEGED USER OR THE POSTFIX OWNER</b>.
2552</p>
2553
2554
2555</DD>
2556
2557<DT><b><a name="default_process_limit">default_process_limit</a>
2558(default: 100)</b></DT><DD>
2559
2560<p>
2561The default maximal number of Postfix child processes that provide
2562a given service. This limit can be overruled for specific services
2563in the <a href="master.5.html">master.cf</a> file.
2564</p>
2565
2566
2567</DD>
2568
2569<DT><b><a name="default_rbl_reply">default_rbl_reply</a>
2570(default: see "postconf -d" output)</b></DT><DD>
2571
2572<p>
2573The default Postfix SMTP server response template for a request that is
2574rejected by an RBL-based restriction. This template can be overruled
2575by specific entries in the optional <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> lookup table.
2576</p>
2577
2578<p>
2579This feature is available in Postfix 2.0 and later.
2580</p>
2581
2582<p>
2583The template does not support Postfix configuration parameter $name
2584substitution. Instead, it supports exactly one level of $name
2585substitution for the following attributes:
2586</p>
2587
2588<dl>
2589
2590<dt><b>$client</b></dt>
2591
2592<dd>The client hostname and IP address, formatted as name[address]. </dd>
2593
2594<dt><b>$client_address</b></dt>
2595
2596<dd>The client IP address. </dd>
2597
2598<dt><b>$client_name</b></dt>
2599
2600<dd>The client hostname or "unknown". See <a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a>
2601for more details. </dd>
2602
2603<dt><b>$reverse_client_name</b></dt>
2604
2605<dd>The client hostname from address-&gt;name lookup, or "unknown".
2606See <a href="postconf.5.html#reject_unknown_reverse_client_hostname">reject_unknown_reverse_client_hostname</a> for more details. </dd>
2607
2608<dt><b>$helo_name</b></dt>
2609
2610<dd>The hostname given in HELO or EHLO command or empty string. </dd>
2611
2612<dt><b>$rbl_class</b></dt>
2613
2614<dd>The denylisted entity type: Client host, Helo command, Sender
2615address, or Recipient address. </dd>
2616
2617<dt><b>$rbl_code</b></dt>
2618
2619<dd>The numerical SMTP response code, as specified with the
2620<a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> configuration parameter. Note: The numerical
2621SMTP response code is required, and must appear at the start of the
2622reply. With Postfix version 2.3 and later this information may be followed
2623by an <a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> enhanced status code. </dd>
2624
2625<dt><b>$rbl_domain</b></dt>
2626
2627<dd>The RBL domain (without any <i>=address-filter</i>) where
2628$rbl_what is denylisted. </dd>
2629
2630<dt><b>$rbl_reason</b></dt>
2631
2632<dd>The reason why $rbl_what is denylisted, or an empty string. </dd>
2633
2634<dt><b>$rbl_what</b></dt>
2635
2636<dd>The entity that is denylisted (an IP address, a hostname, a domain
2637name, or an email address whose domain was denylisted). </dd>
2638
2639<dt><b>$recipient</b></dt>
2640
2641<dd>The recipient address or &lt;&gt; in case of the null address. </dd>
2642
2643<dt><b>$recipient_domain</b></dt>
2644
2645<dd>The recipient domain or empty string. </dd>
2646
2647<dt><b>$recipient_name</b></dt>
2648
2649<dd>The recipient address localpart or &lt;&gt; in case of null address. </dd>
2650
2651<dt><b>$sender</b></dt>
2652
2653<dd>The sender address or &lt;&gt; in case of the null address. </dd>
2654
2655<dt><b>$sender_domain</b></dt>
2656
2657<dd>The sender domain or empty string. </dd>
2658
2659<dt><b>$sender_name</b></dt>
2660
2661<dd>The sender address localpart or &lt;&gt; in case of the null address. </dd>
2662
2663<dt><b>${name?value}</b></dt>
2664
2665<dt><b>${name?{value}}</b> (Postfix &ge; 3.0)</dt>
2666
2667<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
2668
2669<dt><b>${name:value}</b></dt>
2670
2671<dt><b>${name:{value}}</b> (Postfix &ge; 3.0)</dt>
2672
2673<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
2674
2675<dt><b>${name?{value1}:{value2}}</b> (Postfix &ge; 3.0)</dt>
2676
2677<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
2678<i>value2</i> otherwise. </dd>
2679
2680</dl>
2681
2682<p>
2683Instead of $name you can also specify ${name} or $(name).
2684</p>
2685
2686<p> Note: when an enhanced status code is specified in an RBL reply
2687template, it is subject to modification.  The following transformations
2688are needed when the same RBL response template is used for client,
2689helo, sender, or recipient access restrictions.  </p>
2690
2691<ul>
2692
2693<li> <p> When rejecting a sender address, the Postfix SMTP server
2694will transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the
2695corresponding sender DSN status, and vice versa. </p>
2696
2697<li> <p> When rejecting non-address information (such as the HELO
2698command argument or the client hostname/address), the Postfix SMTP
2699server will transform a sender or recipient DSN status into a generic
2700non-address DSN status (e.g., 4.0.0).  </p>
2701
2702</ul>
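<p> The one-level $name expansion with the ${name?...} and ${name:...}
conditionals described above, as an added Python example; this is not
Postfix code (Postfix implements the expansion in C), and the attribute
values, the RBL domain dnsbl.example.net and the reason text are
constructed sample data. The first template is the stock
default_rbl_reply value as shown by "postconf -d"; the second uses the
Postfix &ge; 3.0 if/else form. </p>

```python
import re

_NAME_RE = re.compile(r"[A-Za-z0-9_]+")
# The numerical code, optionally followed by an enhanced status code,
# must come first in the expanded reply.
_CODE_RE = re.compile(r"^[245][0-9]{2}( [245]\.[0-9]{1,3}\.[0-9]{1,3})? ")


def _matching_close(text, start, open_ch, close_ch):
    """Index of the close_ch that balances the open_ch at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %r in template %r" % (open_ch, text))


def expand_rbl_reply(template, attrs):
    """One pass of $name substitution over an RBL reply template.

    Attribute values are inserted verbatim and never re-scanned (the
    "exactly one level" rule).  Supports $name, ${name}, $(name),
    ${name?value}, ${name:value}, ${name?{v1}}, ${name:{v1}} and
    ${name?{v1}:{v2}}.  Names missing from attrs expand to "" here
    (a simplification; the real server only knows the listed attributes).
    """
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "$" or i + 1 >= len(template):
            out.append(ch)
            i += 1
            continue
        nxt = template[i + 1]
        if nxt in "{(":
            close = "}" if nxt == "{" else ")"
            end = _matching_close(template, i + 1, nxt, close)
            out.append(_expand_braced(template[i + 2:end], attrs))
            i = end + 1
        else:
            m = _NAME_RE.match(template, i + 1)
            if m is None:                 # a lone "$" is kept literally
                out.append(ch)
                i += 1
            else:
                out.append(attrs.get(m.group(0), ""))
                i = m.end()
    return "".join(out)


def _expand_braced(body, attrs):
    """Handle the inside of ${...} / $(...): a name plus optional ?/: clause."""
    m = _NAME_RE.match(body)
    if m is None:
        raise ValueError("missing attribute name in ${%s}" % body)
    name, rest = m.group(0), body[m.end():]
    value = attrs.get(name, "")
    if rest == "":
        return value                      # plain ${name} or $(name)
    op, arg = rest[0], rest[1:]
    if op not in "?:":
        raise ValueError("bad conditional syntax in ${%s}" % body)
    if arg.startswith("{"):               # Postfix >= 3.0: {v1} or {v1}:{v2}
        end = _matching_close(arg, 0, "{", "}")
        if_true, tail = arg[1:end], arg[end + 1:]
        if_false = ""
        if tail.startswith(":{") and op == "?":
            end2 = _matching_close(tail, 1, "{", "}")
            if end2 != len(tail) - 1:
                raise ValueError("trailing text in ${%s}" % body)
            if_false = tail[2:end2]
        elif tail:
            raise ValueError("trailing text in ${%s}" % body)
    else:                                 # legacy ${name?value} / ${name:value}
        if_true, if_false = arg, ""
    if op == ":":                         # ${name:value} fires when name is EMPTY
        if_true, if_false = if_false, if_true
    chosen = if_true if value else if_false
    return expand_rbl_reply(chosen, attrs)


def reply_has_leading_code(reply):
    """True when the expanded reply starts with the required SMTP code."""
    return _CODE_RE.match(reply) is not None


# Constructed sample attributes for a client-host rejection; the list
# name is an RFC 2606 example domain, not a real DNSBL.
SAMPLE_ATTRS = {
    "rbl_code": "554 5.7.1",
    "rbl_class": "Client host",
    "rbl_what": "192.0.2.10",
    "rbl_domain": "dnsbl.example.net",
    "rbl_reason": "listed; see the list operator's lookup page",
    "client_address": "192.0.2.10",
    "sender": "bob@example.com",
}

# The stock default_rbl_reply value.
DEFAULT_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                    "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")

# The same reply with the Postfix >= 3.0 if/else form.
V3_TEMPLATE = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
               "blocked using $rbl_domain"
               "${rbl_reason?{; $rbl_reason}:{; no details from the list}}")

if __name__ == "__main__":
    for tmpl in (DEFAULT_TEMPLATE, V3_TEMPLATE):
        print(expand_rbl_reply(tmpl, SAMPLE_ATTRS))
        print(expand_rbl_reply(tmpl, dict(SAMPLE_ATTRS, rbl_reason="")))
```

<p> Because attribute values are never re-scanned, a reason text that
happens to contain "$sender" comes out literally; that is what "exactly
one level" means above. reply_has_leading_code() is the check a custom
template must pass before it goes into main.cf or an <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> entry. </p>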
2703
2704
2705</DD>
2706
2707<DT><b><a name="default_recipient_limit">default_recipient_limit</a>
2708(default: 20000)</b></DT><DD>
2709
2710<p>
2711The default per-transport upper limit on the number of in-memory
2712recipients.  These limits take priority over the global
2713<a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a> after the message has been assigned
2714to the respective transports.  See also <a href="postconf.5.html#default_extra_recipient_limit">default_extra_recipient_limit</a>
2715and <a href="postconf.5.html#qmgr_message_recipient_minimum">qmgr_message_recipient_minimum</a>.
2716</p>
2717
2718<p> Use <a href="postconf.5.html#transport_recipient_limit"><i>transport</i>_recipient_limit</a> to specify a
2719transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2720name of the message delivery transport.
2721</p>
2722
2723
2724</DD>
2725
2726<DT><b><a name="default_recipient_refill_delay">default_recipient_refill_delay</a>
2727(default: 5s)</b></DT><DD>
2728
2729<p>
2730The default per-transport maximum delay between refilling recipients.
2731When not all message recipients fit into memory at once, keep loading
2732more of them at least once every this many seconds.  This is used to
2733make sure the recipients are refilled in a timely manner even when
2734$<a href="postconf.5.html#default_recipient_refill_limit">default_recipient_refill_limit</a> is too high for too slow deliveries.
2735</p>
2736
2737<p> Use <a href="postconf.5.html#transport_recipient_refill_delay"><i>transport</i>_recipient_refill_delay</a> to specify a
2738transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2739name of the message delivery transport.
2740</p>
2741
2742<p> This feature is available in Postfix 2.4 and later. </p>
2743
2744
2745</DD>
2746
2747<DT><b><a name="default_recipient_refill_limit">default_recipient_refill_limit</a>
2748(default: 100)</b></DT><DD>
2749
2750<p>
2751The default per-transport limit on the number of recipients refilled at
2752once.  When not all message recipients fit into memory at once, keep
2753loading more of them in batches of at least this many at a time.  See also
2754$<a href="postconf.5.html#default_recipient_refill_delay">default_recipient_refill_delay</a>, which may result in recipient batches
2755lower than this when this limit is too high for too slow deliveries.
2756</p>
2757
2758<p> Use <a href="postconf.5.html#transport_recipient_refill_limit"><i>transport</i>_recipient_refill_limit</a> to specify a
2759transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
2760name of the message delivery transport.
2761</p>
2762
2763<p> This feature is available in Postfix 2.4 and later. </p>
2764
2765
2766</DD>
2767
2768<DT><b><a name="default_transport">default_transport</a>
2769(default: smtp)</b></DT><DD>
2770
2771<p>
2772The default mail delivery transport and next-hop destination for
2773the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> class: recipient domains that do not match
2774$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
2775$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
2776or $<a href="postconf.5.html#relay_domains">relay_domains</a>. This information will not be used when
2777<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> returns a result, and may
2778be overridden with the <a href="transport.5.html">transport(5)</a> table. </p>
2779
<p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> class: </p>
2781
2782<ul>
2783
2784<li> <p> In order of decreasing precedence, the delivery transport
2785is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2)
2786$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>.
2787</p>
2788
2789<li> <p> In order of decreasing precedence, the nexthop destination
2790is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2)
2791$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>, 3)
2792$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
2793domain. </p>
2794
2795</ul>
2796
2797<p>
2798Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
2799is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>.
2800The <i>:nexthop</i> destination is optional; its syntax is documented
2801in the manual page of the corresponding delivery agent. In the case of
2802SMTP or LMTP, specify one or more destinations separated by comma or
2803whitespace (with Postfix 3.5 and later).
2804</p>
2805
2806<p>
2807Example:
2808</p>
2809
2810<pre>
2811<a href="postconf.5.html#default_transport">default_transport</a> = uucp:relayhostname
2812</pre>
2813
2814
2815</DD>
2816
2817<DT><b><a name="default_transport_rate_delay">default_transport_rate_delay</a>
2818(default: 0s)</b></DT><DD>
2819
2820<p> The default amount of delay that is inserted between individual
2821message deliveries over the same message delivery transport,
2822regardless of destination. Specify a non-zero value to rate-limit
2823those message deliveries to at most one per $<a href="postconf.5.html#default_transport_rate_delay">default_transport_rate_delay</a>.
2824</p>
2825
2826<p>Use <a href="postconf.5.html#transport_transport_rate_delay"><i>transport</i>_transport_rate_delay</a> to specify a
2827transport-specific override, where the initial <i>transport</i> is
2828the <a href="master.5.html">master.cf</a> name of the message delivery transport. </p>
2829
2830<p> Example: throttle outbound SMTP mail to at most 3 deliveries
2831per minute. </p>
2832
2833<pre>
2834/etc/postfix/<a href="postconf.5.html">main.cf</a>:
2835    smtp_transport_rate_delay = 20s
2836</pre>
2837
2838<p> To enable the delay, specify a non-zero time value (an integral
2839value plus an optional one-letter suffix that specifies the time
2840unit). </p>
2841
2842<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
2843(weeks). The default time unit is s (seconds). </p>
2844
2845<p> NOTE: the delay is enforced by the queue manager. </p>
2846
2847<p> This feature is available in Postfix 3.1 and later. </p>
2848
2849
2850</DD>
2851
2852<DT><b><a name="default_verp_delimiters">default_verp_delimiters</a>
2853(default: +=)</b></DT><DD>
2854
2855<p> The two default VERP delimiter characters. These are used when
2856no explicit delimiters are specified with the SMTP XVERP command
2857or with the "<b>sendmail -XV</b>" command-line option (Postfix 2.2
2858and earlier: <b>-V</b>). Specify characters that are allowed by the
2859<a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> setting.
2860</p>
2861
2862<p>
2863This feature is available in Postfix 1.1 and later.
2864</p>
2865
2866
2867</DD>
2868
2869<DT><b><a name="defer_code">defer_code</a>
2870(default: 450)</b></DT><DD>
2871
2872<p>
2873The numerical Postfix SMTP server response code when a remote SMTP
2874client request is rejected by the "defer" restriction.
2875</p>
2876
2877<p>
2878Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
2879</p>
2880
2881
2882</DD>
2883
2884<DT><b><a name="defer_service_name">defer_service_name</a>
2885(default: defer)</b></DT><DD>
2886
2887<p>
The name of the defer service. This service is implemented by the
<a href="bounce.8.html">bounce(8)</a> daemon; it maintains a record
of failed delivery attempts and generates non-delivery notifications.
2891</p>
2892
2893<p>
2894This feature is available in Postfix 2.0 and later.
2895</p>
2896
2897
2898</DD>
2899
2900<DT><b><a name="defer_transports">defer_transports</a>
2901(default: empty)</b></DT><DD>
2902
2903<p>
2904The names of message delivery transports that should not deliver mail
2905unless someone issues "<b>sendmail -q</b>" or equivalent. Specify zero
2906or more mail delivery transport names that appear in the
2907first field of <a href="master.5.html">master.cf</a>.
2908</p>
2909
2910<p>
2911Example:
2912</p>
2913
2914<pre>
2915<a href="postconf.5.html#defer_transports">defer_transports</a> = smtp
2916</pre>
2917
2918
2919</DD>
2920
2921<DT><b><a name="delay_logging_resolution_limit">delay_logging_resolution_limit</a>
2922(default: 2)</b></DT><DD>
2923
2924<p> The maximal number of digits after the decimal point when logging
2925delay values. Specify a number in the range 0..6. </p>
2926
2927<p> To improve readability, delays are logged with only a limited
2928number of significant digits: </p>
2929
2930<ul>
2931
2932<li> Delays &ge; 100s are rounded off to an integral number of
2933seconds.
2934
2935<li> Delays &lt; 10<sup>-$<a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a></sup> are
2936rounded off to "0".
2937
2938<li> Other delays are rounded off to two significant digits, or
2939fewer if the result would exceed the <a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a>.
2940
2941</ul>
2942
2943<p> The format of the "delays=a/b/c/d" logging is as follows: </p>
2944
2945<ul>
2946
2947<li> a = Time from message arrival to last <a href="QSHAPE_README.html#active_queue">active queue</a> entry.
2948
2949<li> b = Time from last <a href="QSHAPE_README.html#active_queue">active queue</a> entry to the beginning of
2950connection setup.
2951
2952<li> c = Time in connection setup. With SMTP, that is the time
2953before sending the MAIL FROM command: with a new connection, that
2954includes DNS lookups, and protocol handshakes with TCP, EHLO, and
2955STARTTLS; with a reused connection, that includes DNS lookups,
2956connection cache lookup by domain or IP address, and a liveness
2957probe with RSET.
2958
2959<li> d = Time in message transmission. With SMTP, that starts with
2960sending MAIL FROM.
2961
2962</ul>
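<p> A parser for the "delays=a/b/c/d" field, as an added Python example
for log triage; it is not Postfix code. It splits each delivery-agent
log line into the four phases listed above and reports which one
dominated. The lines in SAMPLE_LOG are constructed: the addresses are
RFC 5737 documentation addresses, the names are example.org/example.net
names, and the hostnames, queue IDs and process IDs are made up. </p>

```python
import re

# The four delays=a/b/c/d components, in the order documented above.
DELAY_PHASES = (
    "a_before_active_queue",   # message arrival -> last active queue entry
    "b_in_active_queue",       # active queue entry -> start of connection setup
    "c_connection_setup",      # DNS, TCP, EHLO, STARTTLS; or cache lookup + RSET
    "d_transmission",          # from MAIL FROM onwards
)

_LINE_RE = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
_FIELD_RES = {
    "to": re.compile(r"\bto=<([^>]*)>"),
    "relay": re.compile(r"\brelay=([^,]+)"),
    "delay": re.compile(r"\bdelay=([0-9.]+)"),
    "delays": re.compile(r"\bdelays=([0-9.]+)/([0-9.]+)/([0-9.]+)/([0-9.]+)"),
    "status": re.compile(r"\bstatus=([a-z]+)(?: \((.*)\))?\s*$"),
}


def parse_delivery_log(line):
    """Parse one delivery-agent log line that carries a delays= field.

    Returns a dict with agent, queue_id, recipient, relay, status, the
    text in parentheses after the status, the total delay and a
    phase->seconds mapping; returns None for lines without delays=
    (smtpd, cleanup, qmgr and warning lines).
    """
    m = _LINE_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    d = _FIELD_RES["delays"].search(rest)
    if d is None:
        return None
    phases = dict(zip(DELAY_PHASES, (float(x) for x in d.groups())))
    st = _FIELD_RES["status"].search(rest)
    dl = _FIELD_RES["delay"].search(rest)
    to = _FIELD_RES["to"].search(rest)
    relay = _FIELD_RES["relay"].search(rest)
    return {
        "agent": m.group("agent"),
        "queue_id": m.group("qid"),
        "recipient": to.group(1) if to else "",
        "relay": relay.group(1) if relay else "",
        "status": st.group(1) if st else "",
        "reason": (st.group(2) or "") if st else "",
        "delay": float(dl.group(1)) if dl else round(sum(phases.values()), 2),
        "phases": phases,
    }


def slowest_phase(record, min_seconds=1.0):
    """Name of the phase that dominated the delivery, or None when even the
    largest component is below min_seconds (nothing worth triaging)."""
    name, secs = max(record["phases"].items(), key=lambda kv: kv[1])
    return name if secs >= min_seconds else None


def triage(log_text, min_seconds=1.0):
    """(queue_id, status, slowest_phase) for every delivery line in log_text."""
    result = []
    for line in log_text.splitlines():
        rec = parse_delivery_log(line)
        if rec is not None:
            result.append((rec["queue_id"], rec["status"],
                           slowest_phase(rec, min_seconds)))
    return result


# Constructed sample log excerpt (not real traffic).
SAMPLE_LOG = """\
Mar 20 14:31:48 mx1 postfix/smtp[2301]: 3Pt2mN2VXxznjll: to=<alice@example.org>, relay=mail.example.org[192.0.2.25]:25, delay=12, delays=0.05/0.01/8.7/3.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7F2C1A)
Mar 20 14:32:10 mx1 postfix/smtp[2302]: 3Pt2qR0pLhzmkjd: to=<bob@example.net>, relay=none, delay=31, delays=0.02/0.01/31/0, dsn=4.4.1, status=deferred (connect to mail.example.net[192.0.2.44]:25: Connection timed out)
Mar 20 14:32:11 mx1 postfix/cleanup[2290]: 3Pt2qR0pLhzmkjd: message-id=<20110320143210.3Pt2qR0pLhzmkjd@mx1.example.com>
Mar 20 14:35:02 mx1 postfix/local[2310]: 3Pt3bW1cQrznnpq: to=<carol@mx1.example.com>, relay=local, delay=183, delays=180/2.6/0/0.42, dsn=2.0.0, status=sent (delivered to mailbox)
"""

if __name__ == "__main__":
    for qid, status, phase in triage(SAMPLE_LOG):
        print(qid, status, phase)
```

<p> A large c together with status=deferred points at DNS, TCP or
STARTTLS trouble on the way to the relay; a large a means the message
sat in the incoming or deferred queue before its last active queue
entry; a large d is the transmission itself. Lines from smtpd, cleanup
or qmgr carry no delays= field and are skipped. </p>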
2963
2964<p> This feature is available in Postfix 2.3 and later.  </p>
2965
2966
2967</DD>
2968
2969<DT><b><a name="delay_notice_recipient">delay_notice_recipient</a>
2970(default: postmaster)</b></DT><DD>
2971
2972<p>
2973The recipient of postmaster notifications with the message headers
2974of mail that cannot be delivered within $<a href="postconf.5.html#delay_warning_time">delay_warning_time</a> time
2975units.  </p>
2976
2977<p>
2978See also: <a href="postconf.5.html#delay_warning_time">delay_warning_time</a>, <a href="postconf.5.html#notify_classes">notify_classes</a>.
2979</p>
2980
2981
2982</DD>
2983
2984<DT><b><a name="delay_warning_time">delay_warning_time</a>
2985(default: 0h)</b></DT><DD>
2986
2987<p>
2988The time after which the sender receives a copy of the message
2989headers of mail that is still queued. The <a href="postconf.5.html#confirm_delay_cleared">confirm_delay_cleared</a>
2990parameter controls sender notification when the delay clears up.
2991</p>
2992
2993<p>
2994To enable this feature, specify a non-zero time value (an integral
2995value plus an optional one-letter suffix that specifies the time
2996unit).
2997</p>
2998
2999<p>
3000Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
3001The default time unit is h (hours).
3002</p>
3003
3004<p>
3005See also: <a href="postconf.5.html#delay_notice_recipient">delay_notice_recipient</a>, <a href="postconf.5.html#notify_classes">notify_classes</a>, <a href="postconf.5.html#confirm_delay_cleared">confirm_delay_cleared</a>.
3006</p>
3007
3008
3009</DD>
3010
3011<DT><b><a name="deliver_lock_attempts">deliver_lock_attempts</a>
3012(default: 20)</b></DT><DD>
3013
3014<p>
3015The maximal number of attempts to acquire an exclusive lock on a
3016mailbox file or <a href="bounce.8.html">bounce(8)</a> logfile.
3017</p>
3018
3019
3020</DD>
3021
3022<DT><b><a name="deliver_lock_delay">deliver_lock_delay</a>
3023(default: 1s)</b></DT><DD>
3024
3025<p>
3026The time between attempts to acquire an exclusive lock on a mailbox
3027file or <a href="bounce.8.html">bounce(8)</a> logfile.
3028</p>
3029
3030<p> Specify a non-zero time value (an integral value plus an optional
3031one-letter suffix that specifies the time unit).  Time units: s
3032(seconds), m (minutes), h (hours), d (days), w (weeks).
3033The default time unit is s (seconds).  </p>
3034
3035
3036</DD>
3037
3038<DT><b><a name="destination_concurrency_feedback_debug">destination_concurrency_feedback_debug</a>
3039(default: no)</b></DT><DD>
3040
3041<p> Make the queue manager's feedback algorithm verbose for performance
3042analysis purposes. </p>
3043
3044<p> This feature is available in Postfix 2.5 and later. </p>
3045
3046
3047</DD>
3048
3049<DT><b><a name="detect_8bit_encoding_header">detect_8bit_encoding_header</a>
3050(default: yes)</b></DT><DD>
3051
3052<p> Automatically detect 8BITMIME body content by looking at
3053Content-Transfer-Encoding: message headers; historically, this
3054behavior was hard-coded to be "always on".  </p>
3055
3056<p> This feature is available in Postfix 2.5 and later. </p>
3057
3058
3059</DD>
3060
3061<DT><b><a name="disable_dns_lookups">disable_dns_lookups</a>
3062(default: no)</b></DT><DD>
3063
3064<p>
3065Disable DNS lookups in the Postfix SMTP and LMTP clients. When
3066disabled, hosts are looked up with the getaddrinfo() system
3067library routine which normally also looks in /etc/hosts.  As of
3068Postfix 2.11, this parameter is deprecated; use <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>
3069instead.
3070</p>
3071
3072<p>
3073DNS lookups are enabled by default.
3074</p>
3075
3076
3077</DD>
3078
3079<DT><b><a name="disable_mime_input_processing">disable_mime_input_processing</a>
3080(default: no)</b></DT><DD>
3081
3082<p>
3083Turn off MIME processing while receiving mail. This means that no
3084special treatment is given to Content-Type: message headers, and
3085that all text after the initial message headers is considered to
3086be part of the message body.
3087</p>
3088
3089<p>
3090This feature is available in Postfix 2.0 and later.
3091</p>
3092
3093<p>
MIME input processing is enabled by default, and is needed in order
to recognize MIME headers in message content.
3096</p>
3097
3098
3099</DD>
3100
3101<DT><b><a name="disable_mime_output_conversion">disable_mime_output_conversion</a>
3102(default: no)</b></DT><DD>
3103
3104<p>
Disable the conversion of 8BITMIME format to 7BIT format.  MIME
output conversion is needed when the destination does not advertise
8BITMIME support.
3108</p>
3109
3110<p>
3111This feature is available in Postfix 2.0 and later.
3112</p>
3113
3114
3115</DD>
3116
3117<DT><b><a name="disable_verp_bounces">disable_verp_bounces</a>
3118(default: no)</b></DT><DD>
3119
3120<p>
3121Disable sending one bounce report per recipient.
3122</p>
3123
3124<p>
3125The default, one per recipient, is what ezmlm needs.
3126</p>
3127
3128<p>
3129This feature is available in Postfix 1.1 and later.
3130</p>
3131
3132
3133</DD>
3134
3135<DT><b><a name="disable_vrfy_command">disable_vrfy_command</a>
3136(default: no)</b></DT><DD>
3137
<p>
Disable the SMTP VRFY command. This stops some techniques used to
harvest email addresses: when the command is disabled, the Postfix
SMTP server rejects VRFY outright (with a 5xx reply) instead of
confirming or denying that an address exists. Note that this does not
stop address probing with RCPT TO; rate limits such as
<a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a>
can slow that down.
</p>

<p>
Example (the default is "no", which leaves VRFY enabled):
</p>

<pre>
<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> = yes
</pre>
3150
3151
3152</DD>
3153
3154<DT><b><a name="dns_ncache_ttl_fix_enable">dns_ncache_ttl_fix_enable</a>
3155(default: no)</b></DT><DD>
3156
<p> Enable a workaround for future libc incompatibility. The Postfix
implementation of <a href="https://tools.ietf.org/html/rfc2308">RFC 2308</a> negative reply caching relies on the
promise that res_query() and res_search() invoke res_send(), which
returns the server response in an application buffer even if the
requested record does not exist. If this promise is broken, specify
"yes" to enable a workaround for DNS reputation lookups. </p>
3163
3164<p>
3165This feature is available in Postfix 3.1 and later.
3166</p>
3167
3168
3169</DD>
3170
3171<DT><b><a name="dnsblog_reply_delay">dnsblog_reply_delay</a>
3172(default: 0s)</b></DT><DD>
3173
3174<p> A debugging aid to artificially delay DNS responses. </p>
3175
<p> This feature is available in Postfix 2.8 and later. </p>
3177
3178
3179</DD>
3180
3181<DT><b><a name="dnsblog_service_name">dnsblog_service_name</a>
3182(default: dnsblog)</b></DT><DD>
3183
3184<p> The name of the <a href="dnsblog.8.html">dnsblog(8)</a> service entry in <a href="master.5.html">master.cf</a>. This
3185service performs DNS allow/denylist lookups. </p>
3186
3187<p> This feature is available in Postfix 2.8 and later. </p>
3188
3189
3190</DD>
3191
3192<DT><b><a name="dnssec_probe">dnssec_probe</a>
3193(default: ns:.)</b></DT><DD>
3194
3195<p> The DNS query type (default: "ns") and DNS query name (default:
3196".") that Postfix may use to determine whether DNSSEC validation
3197is available.
3198</p>
3199
3200<p> Background: DNSSEC validation is needed for Postfix DANE support;
3201this ensures that Postfix receives TLSA records with secure TLS
3202server certificate info. When DNSSEC validation is unavailable,
3203mail deliveries using <i>opportunistic</i> DANE will not be protected
3204by server certificate info in TLSA records, and mail deliveries
3205using <i>mandatory</i> DANE will not be made at all. </p>
3206
<p> By default, a Postfix process will send a DNSSEC probe after
1) the process made a DNS query that requested DNSSEC validation,
2) the process did not receive a DNSSEC validated response to this
query or to an earlier query, and 3) the process did not already
send a DNSSEC probe. </p>
3212
3213<p> When the DNSSEC probe has no response, or when the response is
3214not DNSSEC validated, Postfix logs a warning that DNSSEC validation
3215may be unavailable. </p>
3216
3217<p> Example: </p>
3218
3219<pre>
3220warning: DNSSEC validation may be unavailable
3221warning: reason: <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> 'ns:.' received a response that is not DNSSEC validated
3222warning: reason: <a href="postconf.5.html#dnssec_probe">dnssec_probe</a> 'ns:.' received no response: Server failure
3223</pre>
3224
3225<p> Possible reasons why DNSSEC validation may be unavailable: </p>
3226
3227<ul>
3228
3229<li> The local /etc/resolv.conf file specifies a DNS resolver that
3230does not validate DNSSEC signatures (that's
3231$<a href="postconf.5.html#queue_directory">queue_directory</a>/etc/resolv.conf when a Postfix daemon runs in a
3232chroot jail).
3233
3234<li> The local system library does not pass on the "DNSSEC validated"
3235bit to Postfix, or Postfix does not know how to ask the library to
3236do that.
3237
3238</ul>
3239
3240<p> By default, the DNSSEC probe asks for the DNS root zone NS
3241records, because resolvers should always have that information
3242cached. If Postfix runs on a network where the DNS root zone is not
3243reachable, specify a different probe, or specify an empty <a href="postconf.5.html#dnssec_probe">dnssec_probe</a>
3244value to disable the feature. </p>
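<p> A resolver check that mirrors what the probe does, as an added
Python example; it is not Postfix code (Postfix goes through the system
resolver library). It builds an "NS ." query with the EDNS0 DO bit set,
sends it to one resolver, and reports whether the answer carries the AD
("authenticated data") bit, which is the "DNSSEC validated" signal the
text refers to. The resolver address 127.0.0.1, the UDP payload size
1232 and the wording of the assessments are assumptions; the byte
layouts follow the DNS and EDNS0 wire formats. </p>

```python
import os
import socket
import struct

QTYPE_NS = 2
QCLASS_IN = 1
FLAG_QR = 0x8000    # response
FLAG_TC = 0x0200    # truncated
FLAG_RD = 0x0100    # recursion desired
FLAG_RA = 0x0080    # recursion available
FLAG_AD = 0x0020    # authenticated data: the resolver validated the answer
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               5: "REFUSED"}


def encode_name(name):
    """DNS wire encoding of a domain name; "." is the root (one 0 byte)."""
    out = b""
    for label in [l for l in name.strip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_probe(qname=".", qtype=QTYPE_NS, txid=None, udp_size=1232):
    """Query like Postfix's dnssec_probe: RD set, plus an EDNS0 OPT record
    with the DO bit so a validating resolver will set AD in its answer."""
    if txid is None:
        txid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, type 41, class = UDP payload size,
    # TTL = ext-rcode(8) | version(8) | DO(1) + Z(15), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return txid, header + question + opt


def parse_probe_response(data, expected_txid):
    """Pull the header bits the probe cares about out of a raw response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return {
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "ad": bool(flags & FLAG_AD),
        "tc": bool(flags & FLAG_TC),
        "answers": an,
    }


def assess(resp):
    """Classify a parsed response the way the two warnings above do."""
    if resp["rcode"] != "NOERROR":
        return "received no usable response: %s" % resp["rcode"]
    if not resp["ad"]:
        return "received a response that is not DNSSEC validated"
    return "DNSSEC validation available"


def probe_resolver(server="127.0.0.1", port=53, qname=".", timeout=3.0):
    """Send the probe to one resolver over UDP (needs network access)."""
    txid, packet = build_probe(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        data, _ = s.recvfrom(4096)
    return assess(parse_probe_response(data, txid))


if __name__ == "__main__":
    print(probe_resolver())
```

<p> Point it at the resolver listed in /etc/resolv.conf (or in the copy
under $<a href="postconf.5.html#queue_directory">queue_directory</a>/etc that chrooted daemons see). The AD bit is
only as trustworthy as the path to the resolver: a validating resolver
on the loopback interface is the safe setup, because a resolver reached
over an untrusted network could set AD on forged answers. </p>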
3245
<p> This feature is available in Postfix 3.6 and later. It was backported
to Postfix versions 3.5.9, 3.4.19, 3.3.16 and 3.2.21. </p>
3248
3249
3250</DD>
3251
3252<DT><b><a name="dont_remove">dont_remove</a>
3253(default: 0)</b></DT><DD>
3254
3255<p>
Don't remove queue files; instead, save them in the "saved" mail queue.
This is a debugging aid.  To inspect the envelope information and
content of a Postfix queue file, use the <a href="postcat.1.html">postcat(1)</a> command.
3259</p>
3260
3261
3262</DD>
3263
3264<DT><b><a name="double_bounce_sender">double_bounce_sender</a>
3265(default: double-bounce)</b></DT><DD>
3266
3267<p> The sender address of postmaster notifications that are generated
3268by the mail system. All mail to this address is silently discarded,
3269in order to terminate mail bounce loops.  </p>
3270
3271
3272</DD>
3273
3274<DT><b><a name="duplicate_filter_limit">duplicate_filter_limit</a>
3275(default: 1000)</b></DT><DD>
3276
3277<p> The maximal number of addresses remembered by the address
3278duplicate filter for <a href="aliases.5.html">aliases(5)</a> or <a href="virtual.5.html">virtual(5)</a> alias expansion, or
3279for <a href="showq.8.html">showq(8)</a> queue displays.  </p>
3280
3281
3282</DD>
3283
3284<DT><b><a name="empty_address_default_transport_maps_lookup_key">empty_address_default_transport_maps_lookup_key</a>
3285(default: &lt;&gt;)</b></DT><DD>
3286
3287<p> The <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> search string that
3288will be used instead of the null sender address. </p>
3289
3290<p> This feature is available in Postfix 2.7 and later.  </p>
3291
3292
3293</DD>
3294
3295<DT><b><a name="empty_address_local_login_sender_maps_lookup_key">empty_address_local_login_sender_maps_lookup_key</a>
3296(default: &lt;&gt;)</b></DT><DD>
3297
3298<p>
3299The lookup key to be used in <a href="postconf.5.html#local_login_sender_maps">local_login_sender_maps</a> tables, instead
3300of the null sender address.
3301</p>
3302
3303<p> This feature is available in Postfix 3.6 and later. </p>
3304
3305
3306</DD>
3307
3308<DT><b><a name="empty_address_recipient">empty_address_recipient</a>
3309(default: MAILER-DAEMON)</b></DT><DD>
3310
3311<p>
3312The recipient of mail addressed to the null address.  Postfix does
3313not accept such addresses in SMTP commands, but they may still be
3314created locally as the result of configuration or software error.
3315</p>
3316
3317
3318</DD>
3319
3320<DT><b><a name="empty_address_relayhost_maps_lookup_key">empty_address_relayhost_maps_lookup_key</a>
3321(default: &lt;&gt;)</b></DT><DD>
3322
3323<p> The <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> search string that will be
3324used instead of the null sender address. </p>
3325
3326<p> This feature is available in Postfix 2.5 and later. With
3327earlier versions, <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> lookups were
3328skipped for the null sender address.  </p>
3329
3330
3331</DD>
3332
3333<DT><b><a name="enable_errors_to">enable_errors_to</a>
3334(default: no)</b></DT><DD>
3335
3336<p> Report mail delivery errors to the address specified with the
3337non-standard Errors-To: message header, instead of the envelope
3338sender address (this feature is removed with Postfix version 2.2, is
3339turned off by default with Postfix version 2.1, and is always turned on
3340with older Postfix versions).  </p>
3341
3342
3343</DD>
3344
3345<DT><b><a name="enable_idna2003_compatibility">enable_idna2003_compatibility</a>
3346(default: no)</b></DT><DD>
3347
3348<p> Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
3349when converting UTF-8 domain names to/from the ASCII form that is
3350used for DNS lookups. Specify "yes" for compatibility with Postfix
3351&le; 3.1 (not recommended). This affects the conversion of domain
3352names that contain for example the German sz and the Greek zeta.
3353See <a href="https://unicode.org/cldr/utility/idna.jsp">https://unicode.org/cldr/utility/idna.jsp</a> for more examples.
3354</p>
3355
3356<p> This feature is available in Postfix 3.2 and later.  </p>
3357
3358
3359</DD>
3360
3361<DT><b><a name="enable_long_queue_ids">enable_long_queue_ids</a>
3362(default: no)</b></DT><DD>
3363
3364<p> Enable long, non-repeating, queue IDs (queue file names).  The
3365benefit of non-repeating names is simpler logfile analysis and
3366easier queue migration (there is no need to run "postsuper" to
3367change queue file names that don't match their message file inode
3368number).  </p>
3369
<p> Note: see below for how to convert long queue file names back
to short names before migrating to Postfix &le; 2.8. </p>
3372
3373<p> Changing the parameter value to "yes" has the following effects:
3374</p>
3375
3376<ul>
3377
3378<li> <p> Existing queue file names are not affected. </p>
3379
3380<li> <p> New queue files are created with names such as 3Pt2mN2VXxznjll.
3381These are encoded in a 52-character alphabet that contains digits
3382(0-9), upper-case letters (B-Z) and lower-case letters (b-z). For
3383safety reasons the vowels (AEIOUaeiou) are excluded from the alphabet.
3384The name format is: 6 or more characters for the time in seconds,
33854 characters for the time in microseconds, the 'z'; the remainder
3386is the file inode number encoded in the first 51 characters of the
338752-character alphabet.  </p>
3388
3389<li> <p> New messages have a Message-ID header with
3390<i>queueID</i>@<i><a href="postconf.5.html#myhostname">myhostname</a></i>.  </p>
3391
3392<li> <p> The mailq (postqueue -p) output has a wider Queue ID column.
The number of whitespace-separated fields is not changed. </p>
3394
3395<li> <p> The <a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a> algorithm uses the first characters
3396of the queue file creation time in microseconds, after conversion
3397into hexadecimal representation. This produces the same queue hashing
3398behavior as if the queue file name was created with "<a href="postconf.5.html#enable_long_queue_ids">enable_long_queue_ids</a>
3399= no". </p>
3400
3401</ul>
3402
3403<p> Changing the parameter value to "no" has the following effects:
3404</p>
3405
3406<ul>
3407
3408<li> <p> Existing long queue file names are renamed to the short
3409form (while running "postfix reload" or "postsuper").  </p>
3410
3411<li> <p> New queue files are created with names such as C3CD21F3E90
3412from a hexadecimal alphabet that contains digits (0-9) and upper-case
3413letters (A-F). The name format is: 5 characters for the time in
3414microseconds; the remainder is the file inode number. </p>
3415
3416<li> <p> New messages have a Message-ID header with
3417<i>YYYYMMDDHHMMSS.queueid</i>@<i><a href="postconf.5.html#myhostname">myhostname</a></i>, where
3418<i>YYYYMMDDHHMMSS</i> are the year, month, day, hour, minute and
second. </p>
3420
3421<li> <p> The mailq (postqueue -p) output has the same format as
with Postfix &le; 2.8. </p>
3423
3424<li> <p> The <a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a> algorithm uses the first characters
3425of the queue file name, with the hexadecimal representation of the
3426file creation time in microseconds.  </p>
3427
3428</ul>
3429
3430<p> Before migration to Postfix &le; 2.8, the following commands
3431are required to convert long queue file names into short names: </p>
3432
3433<pre>
3434# postfix stop
3435# postconf <a href="postconf.5.html#enable_long_queue_ids">enable_long_queue_ids</a>=no
3436# postsuper
3437</pre>
3438
3439<p> Repeat the postsuper command until it reports no more queue file
3440name changes. </p>
3441
3442<p> This feature is available in Postfix 2.9 and later.  </p>
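<p> The two queue file name formats described above, together with the
<a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a> directory rule explained later on this page, as an
added example that is not Postfix code: a Python decoder and encoder for
short and long queue IDs, usable on the IDs that appear in mail logs and
"mailq" output. Assumed here: the 52-character alphabet is ordered digits,
then consonant upper-case, then consonant lower-case letters, with the most
significant digit first. </p>

```python
"""Decode and re-encode Postfix queue IDs (queue file names).

Added example for this documentation page; it is not Postfix code.  It
follows the name formats described under enable_long_queue_ids and the
hash_queue_depth directory rule.  Assumption: the 52-character alphabet is
ordered digits, then consonant upper-case, then consonant lower-case, with
the most significant digit first (the page lists the character classes but
not their numeric order).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Digits 0-9, B-Z and b-z with the vowels AEIOUaeiou removed: 52 characters.
LONG_ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"
INODE_SEPARATOR = "z"             # last alphabet character; never an inode digit
SEC_MIN_CHARS, USEC_CHARS = 6, 4  # long form: time fields in front of the 'z'
USEC_HEX_CHARS = 5                # short form: microseconds as 5 hex characters
_DIGIT_VALUE = {c: i for i, c in enumerate(LONG_ALPHABET)}


@dataclass(frozen=True)
class QueueId:
    name: str
    long_form: bool
    seconds: Optional[int]        # only the long form encodes the seconds
    microseconds: int
    inode: int

    @property
    def created(self) -> Optional[datetime]:
        """Queue file creation time (UTC); None for short IDs, which lack it."""
        if self.seconds is None:
            return None
        base = datetime.fromtimestamp(self.seconds, tz=timezone.utc)
        return base.replace(microsecond=self.microseconds)

    def hash_subdir(self, depth: int = 1) -> str:
        """Hashed queue subdirectory path for hash_queue_depth = depth.

        Both name forms hash on the hexadecimal microseconds, so a long ID
        lands in the same directory as its short equivalent would.
        """
        if not 1 <= depth <= USEC_HEX_CHARS:
            raise ValueError("this example supports hash_queue_depth 1..5")
        usec_hex = f"{self.microseconds:0{USEC_HEX_CHARS}X}"
        return "/".join(usec_hex[:depth])


def _decode(text: str, base: int) -> int:
    """Most-significant-first decode with the long-ID alphabet (base 52 or 51)."""
    if not text:
        raise ValueError("empty digit string")
    value = 0
    for ch in text:
        digit = _DIGIT_VALUE.get(ch)
        if digit is None or digit >= base:
            raise ValueError(f"{ch!r} is not a base-{base} queue ID digit")
        value = value * base + digit
    return value


def _encode(value: int, base: int, pad: int = 0) -> str:
    """Inverse of _decode; pads on the left with the alphabet's zero digit."""
    digits = []
    while True:
        value, rem = divmod(value, base)
        digits.append(LONG_ALPHABET[rem])
        if value == 0:
            break
    return "".join(reversed(digits)).rjust(pad, LONG_ALPHABET[0])


def decode_queue_id(name: str) -> QueueId:
    """Parse a short (hex) or long (base 52) queue ID from a log line or mailq."""
    sep = name.rfind(INODE_SEPARATOR)     # the last 'z' separates time from inode
    if sep == -1:
        # Short form: 5 hex characters of microseconds, then the inode in hex.
        if len(name) <= USEC_HEX_CHARS or any(c not in "0123456789ABCDEF" for c in name):
            raise ValueError(f"not a valid short queue ID: {name!r}")
        return QueueId(name, False, None,
                       int(name[:USEC_HEX_CHARS], 16), int(name[USEC_HEX_CHARS:], 16))
    # Long form: >= 6 chars seconds, 4 chars microseconds, 'z', inode in base 51.
    if sep < SEC_MIN_CHARS + USEC_CHARS:
        raise ValueError(f"time fields too short in long queue ID: {name!r}")
    seconds = _decode(name[:sep - USEC_CHARS], 52)
    microseconds = _decode(name[sep - USEC_CHARS:sep], 52)
    if microseconds >= 1_000_000:
        raise ValueError(f"microsecond field out of range in {name!r}")
    inode = _decode(name[sep + 1:], 51)
    return QueueId(name, True, seconds, microseconds, inode)


def encode_long_queue_id(seconds: int, microseconds: int, inode: int) -> str:
    """Build a long queue ID; the inverse of decode_queue_id for the long form."""
    return (_encode(seconds, 52, SEC_MIN_CHARS) + _encode(microseconds, 52, USEC_CHARS)
            + INODE_SEPARATOR + _encode(inode, 51))


if __name__ == "__main__":
    for qid in ("3Pt2mN2VXxznjll", "C3CD21F3E90"):   # the page's two sample names
        q = decode_queue_id(qid)
        print(qid, "created", q.created, "inode", q.inode, "dir", q.hash_subdir())
```

Because a short queue ID does not encode the seconds, only a long ID can be turned into a creation timestamp from the log line alone.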
3443
3444
3445</DD>
3446
3447<DT><b><a name="enable_original_recipient">enable_original_recipient</a>
3448(default: yes)</b></DT><DD>
3449
3450<p> Enable support for the original recipient address after an
3451address is rewritten to a different address (for example with
3452aliasing or with canonical mapping). </p>
3453
3454<p> The original recipient address is used as follows: </p>
3455
3456<dl>
3457
3458<dt> Final delivery </dt> <dd> With "<a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> =
3459yes", the original recipient address is stored in the <b>X-Original-To</b>
3460message header. This header may be used to distinguish between
3461different recipients that share the same mailbox.  </dd>
3462
3463<dt> Recipient deduplication </dt> <dd> With "<a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a>
3464= yes", the <a href="cleanup.8.html">cleanup(8)</a> daemon performs duplicate recipient elimination
3465based on the content of (original recipient, maybe-rewritten
3466recipient) pairs.  Otherwise, the <a href="cleanup.8.html">cleanup(8)</a> daemon performs duplicate
3467recipient elimination based only on the maybe-rewritten recipient
3468address.  </dd>
3469
3470</dl>
3471
<p> Note: with Postfix &le; 3.2 the setting "<a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a>
= <b>no</b>" breaks address verification for addresses that are
3474aliased or otherwise rewritten (Postfix is unable to store the
3475address verification result under the original probe destination
3476address; instead, it can store the result only under the rewritten
3477address).  </p>
3478
3479<p> This feature is available in Postfix 2.1 and later. Postfix
3480version 2.0 behaves as if this parameter is always set to <b>yes</b>.
3481Postfix versions before 2.0 have no support for the original recipient
3482address. </p>
3483
3484
3485</DD>
3486
3487<DT><b><a name="enable_threaded_bounces">enable_threaded_bounces</a>
3488(default: no)</b></DT><DD>
3489
3490<p> Enable non-delivery, success, and delay notifications that link
3491to the original message by including a References: and In-Reply-To:
3492header with the original Message-ID value. There are advantages and
3493disadvantages to consider. </p>
3494
3495<dl>
3496
3497<dt> <b> advantage </b> </dt> <dd> This allows mail readers to present
3498a delivery status notification in the same email thread as the original
3499message. </dd>
3500
3501<dt> <b> disadvantage </b> </dt> <dd> This makes it easy for users to
3502mistakenly delete the whole email thread (all related messages),
3503instead of deleting only the non-delivery notification. </dd>
3504
3505</dl>
3506
3507<p> This feature is available in Postfix 3.6 and later. </p>
3508
3509
3510</DD>
3511
3512<DT><b><a name="error_notice_recipient">error_notice_recipient</a>
3513(default: postmaster)</b></DT><DD>
3514
3515<p> The recipient of postmaster notifications about mail delivery
3516problems that are caused by policy, resource, software or protocol
3517errors.  These notifications are enabled with the <a href="postconf.5.html#notify_classes">notify_classes</a>
3518parameter.  </p>
3519
3520
3521</DD>
3522
3523<DT><b><a name="error_service_name">error_service_name</a>
3524(default: error)</b></DT><DD>
3525
3526<p>
3527The name of the <a href="error.8.html">error(8)</a> pseudo delivery agent. This service always
3528returns mail as undeliverable.
3529</p>
3530
3531<p>
3532This feature is available in Postfix 2.0 and later.
3533</p>
3534
3535
3536</DD>
3537
3538<DT><b><a name="execution_directory_expansion_filter">execution_directory_expansion_filter</a>
3539(default: see "postconf -d" output)</b></DT><DD>
3540
3541<p> Restrict the characters that the <a href="local.8.html">local(8)</a> delivery agent allows
3542in $name expansions of $<a href="postconf.5.html#command_execution_directory">command_execution_directory</a>.  Characters
3543outside the allowed set are replaced by underscores.  </p>
3544
3545<p> This feature is available in Postfix 2.2 and later. </p>
3546
3547
3548</DD>
3549
3550<DT><b><a name="expand_owner_alias">expand_owner_alias</a>
3551(default: no)</b></DT><DD>
3552
3553<p>
3554When delivering to an alias "<i>aliasname</i>" that has an
3555"owner-<i>aliasname</i>" companion alias, set the envelope sender
3556address to the expansion of the "owner-<i>aliasname</i>" alias.
3557Normally, Postfix sets the envelope sender address to the name of
3558the "owner-<i>aliasname</i>" alias.
3559</p>
3560
3561
3562</DD>
3563
3564<DT><b><a name="export_environment">export_environment</a>
3565(default: see "postconf -d" output)</b></DT><DD>
3566
3567<p>
3568The list of environment variables that a Postfix process will export
3569to non-Postfix processes. The TZ variable is needed for sane
3570time keeping on System-V-ish systems.
3571</p>
3572
3573<p>
3574Specify a list of names and/or name=value pairs, separated by
3575whitespace or comma. Specify "{ name=value }" to protect whitespace
3576or comma in parameter values (whitespace after the opening "{" and
3577before the closing "}"
3578is ignored). The form name=value is supported with Postfix version
35792.1 and later; the use of {} is supported with Postfix 3.0 and
3580later.  </p>
3581
3582<p>
3583Example:
3584</p>
3585
3586<pre>
3587<a href="postconf.5.html#export_environment">export_environment</a> = TZ PATH=/bin:/usr/bin
3588</pre>
3589
3590
3591</DD>
3592
3593<DT><b><a name="extract_recipient_limit">extract_recipient_limit</a>
3594(default: 10240)</b></DT><DD>
3595
3596<p>
3597The maximal number of recipient addresses that Postfix will extract
3598from message headers when mail is submitted with "<b>sendmail -t</b>".
3599</p>
3600
3601<p>
3602This feature was removed in Postfix version 2.1.
3603</p>
3604
3605
3606</DD>
3607
3608<DT><b><a name="fallback_relay">fallback_relay</a>
3609(default: empty)</b></DT><DD>
3610
3611<p>
3612Optional list of relay hosts for SMTP destinations that can't be
3613found or that are unreachable. With Postfix 2.3 this parameter
3614is renamed to <a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a>. </p>
3615
3616<p>
3617By default, mail is returned to the sender when a destination is
3618not found, and delivery is deferred when a destination is unreachable.
3619</p>
3620
3621<p> The fallback relays must be SMTP destinations. Specify a domain,
3622host, host:port, [host]:port, [address] or [address]:port; the form
3623[host] turns off MX lookups.  If you specify multiple SMTP
3624destinations, Postfix will try them in the specified order.  </p>
3625
<p> Note: before Postfix 2.2, do not use the <a href="postconf.5.html#fallback_relay">fallback_relay</a> feature
when relaying mail for a backup or primary MX domain. Mail would loop
between the Postfix MX host and the <a href="postconf.5.html#fallback_relay">fallback_relay</a> host when the final
destination is unavailable. To relay mail for such domains without the
<a href="postconf.5.html#fallback_relay">fallback_relay</a> feature: </p>
3631
3632<ul>
3633
3634<li> In <a href="postconf.5.html">main.cf</a> specify "<a href="postconf.5.html#relay_transport">relay_transport</a> = relay",
3635
3636<li> In <a href="master.5.html">master.cf</a> specify "-o <a href="postconf.5.html#fallback_relay">fallback_relay</a> =" (i.e., empty) at
3637the end of the <tt>relay</tt> entry.
3638
3639<li> In transport maps, specify "relay:<i>nexthop...</i>"
3640as the right-hand side for backup or primary MX domain entries.
3641
3642</ul>
3643
3644<p> Postfix version 2.2 and later will not use the <a href="postconf.5.html#fallback_relay">fallback_relay</a> feature
3645for destinations that it is MX host for.
3646</p>
3647
3648
3649</DD>
3650
3651<DT><b><a name="fallback_transport">fallback_transport</a>
3652(default: empty)</b></DT><DD>
3653
3654<p>
3655Optional message delivery transport that the <a href="local.8.html">local(8)</a> delivery
3656agent should use for names that are not found in the <a href="aliases.5.html">aliases(5)</a>
3657or UNIX password database.
3658</p>
3659
3660<p> The precedence of <a href="local.8.html">local(8)</a> delivery features from high to low
3661is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>,
3662<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
3663<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>
3664
3665
3666</DD>
3667
3668<DT><b><a name="fallback_transport_maps">fallback_transport_maps</a>
3669(default: empty)</b></DT><DD>
3670
3671<p> Optional lookup tables with per-recipient message delivery
3672transports for recipients that the <a href="local.8.html">local(8)</a> delivery agent could
3673not find in the <a href="aliases.5.html">aliases(5)</a> or UNIX password database. </p>
3674
3675<p> The precedence of <a href="local.8.html">local(8)</a> delivery features from high to low
3676is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>,
3677<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
3678<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>
3679
3680<p> For safety reasons, this feature does not allow $number
3681substitutions in regular expression maps. </p>
3682
3683<p> This feature is available in Postfix 2.3 and later. </p>
3684
3685
3686</DD>
3687
3688<DT><b><a name="fast_flush_domains">fast_flush_domains</a>
3689(default: $<a href="postconf.5.html#relay_domains">relay_domains</a>)</b></DT><DD>
3690
3691<p>
3692Optional list of destinations that are eligible for per-destination
3693logfiles with mail that is queued to those destinations.
3694</p>
3695
3696<p>
3697By default, Postfix maintains "fast flush" logfiles only for
3698destinations that the Postfix SMTP server is willing to relay to
3699(i.e. the default is: "<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> = $<a href="postconf.5.html#relay_domains">relay_domains</a>"; see
3700the <a href="postconf.5.html#relay_domains">relay_domains</a> parameter in the <a href="postconf.5.html">postconf(5)</a> manual).
3701</p>
3702
3703<p> Specify a list of hosts or domains, "/file/name" patterns or
3704"<a href="DATABASE_README.html">type:table</a>" lookup tables, separated by commas and/or whitespace.
3705Continue long lines by starting the next line with whitespace. A
3706"/file/name" pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>"
3707lookup table is matched when the domain or its parent domain appears
3708as lookup key.  </p>
3709
3710<p> Pattern matching of domain names is controlled by the presence
3711or absence of "<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
3712parameter value.  </p>
3713
3714<p>
3715Specify "<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> =" (i.e., empty) to disable the feature
3716altogether.
3717</p>
3718
3719
3720</DD>
3721
3722<DT><b><a name="fast_flush_purge_time">fast_flush_purge_time</a>
3723(default: 7d)</b></DT><DD>
3724
3725<p>
3726The time after which an empty per-destination "fast flush" logfile
3727is deleted.
3728</p>
3729
3730<p>
3731You can specify the time as a number, or as a number followed by
3732a letter that indicates the time unit: s=seconds, m=minutes, h=hours,
3733d=days, w=weeks.  The default time unit is days.
3734</p>
3735
3736
3737</DD>
3738
3739<DT><b><a name="fast_flush_refresh_time">fast_flush_refresh_time</a>
3740(default: 12h)</b></DT><DD>
3741
3742<p>
3743The time after which a non-empty but unread per-destination "fast
3744flush" logfile needs to be refreshed.  The contents of a logfile
3745are refreshed by requesting delivery of all messages listed in the
3746logfile.
3747</p>
3748
3749<p>
3750You can specify the time as a number, or as a number followed by
3751a letter that indicates the time unit: s=seconds, m=minutes, h=hours,
3752d=days, w=weeks.  The default time unit is hours.
3753</p>
3754
3755
3756</DD>
3757
3758<DT><b><a name="fault_injection_code">fault_injection_code</a>
3759(default: 0)</b></DT><DD>
3760
3761<p>
3762Force specific internal tests to fail, to test the handling of
3763errors that are difficult to reproduce otherwise.
3764</p>
3765
3766
3767</DD>
3768
3769<DT><b><a name="flush_service_name">flush_service_name</a>
3770(default: flush)</b></DT><DD>
3771
3772<p>
3773The name of the <a href="flush.8.html">flush(8)</a> service. This service maintains per-destination
3774logfiles with the queue file names of mail that is queued for those
3775destinations.
3776</p>
3777
3778<p>
3779This feature is available in Postfix 2.0 and later.
3780</p>
3781
3782
3783</DD>
3784
3785<DT><b><a name="force_mime_input_conversion">force_mime_input_conversion</a>
3786(default: no)</b></DT><DD>
3787
3788<p> Convert body content that claims to be 8-bit into quoted-printable,
3789before <a href="postconf.5.html#header_checks">header_checks</a>, <a href="postconf.5.html#body_checks">body_checks</a>, Milters, and before after-queue
3790content filters. This feature does not affect messages that are
3791sent into <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>. </p>
3792
3793<p> The typical use case is an MTA that applies this conversion
3794before signing outbound messages, so that the signatures will remain
3795valid when a message is later delivered to an MTA that does not
3796announce 8BITMIME support, or when a message line exceeds the SMTP
3797length limit. </p>
3798
3799<p> This feature is available in Postfix &ge; 3.9. </p>
3800
3801
3802</DD>
3803
3804<DT><b><a name="fork_attempts">fork_attempts</a>
3805(default: 5)</b></DT><DD>
3806
3807<p> The maximal number of attempts to fork() a child process.  </p>
3808
3809
3810</DD>
3811
3812<DT><b><a name="fork_delay">fork_delay</a>
3813(default: 1s)</b></DT><DD>
3814
3815<p> The delay between attempts to fork() a child process.  </p>
3816
3817<p> Specify a non-zero time value (an integral value plus an optional
3818one-letter suffix that specifies the time unit).  Time units: s
3819(seconds), m (minutes), h (hours), d (days), w (weeks).
3820The default time unit is s (seconds).  </p>
3821
3822
3823</DD>
3824
3825<DT><b><a name="forward_expansion_filter">forward_expansion_filter</a>
3826(default: see "postconf -d" output)</b></DT><DD>
3827
3828<p>
3829Restrict the characters that the <a href="local.8.html">local(8)</a> delivery agent allows in
3830$name expansions of $<a href="postconf.5.html#forward_path">forward_path</a>.  Characters outside the
3831allowed set are replaced by underscores.
3832</p>
3833
3834
3835</DD>
3836
3837<DT><b><a name="forward_path">forward_path</a>
3838(default: see "postconf -d" output)</b></DT><DD>
3839
3840<p> The <a href="local.8.html">local(8)</a> delivery agent search list for finding a .forward
3841file with user-specified delivery methods. The first file that is
3842found is used.  </p>
3843
3844<p> The <a href="postconf.5.html#forward_path">forward_path</a> value is not subject to Postfix configuration
3845parameter $name expansion. Instead, the following $name expansions
3846are done on <a href="postconf.5.html#forward_path">forward_path</a> before the search actually happens.
3847The result of $name expansion is
3848filtered with the character set that is specified with the
3849<a href="postconf.5.html#forward_expansion_filter">forward_expansion_filter</a> parameter.  </p>
3850
3851<dl>
3852
3853<dt><b>$user</b></dt>
3854
3855<dd>The recipient's username. </dd>
3856
3857<dt><b>$shell</b></dt>
3858
3859<dd>The recipient's login shell pathname. </dd>
3860
3861<dt><b>$home</b></dt>
3862
3863<dd>The recipient's home directory. </dd>
3864
3865<dt><b>$recipient</b></dt>
3866
3867<dd>The full recipient address. </dd>
3868
3869<dt><b>$extension</b></dt>
3870
3871<dd>The optional recipient address extension. </dd>
3872
3873<dt><b>$domain</b></dt>
3874
3875<dd>The recipient domain. </dd>
3876
3877<dt><b>$local</b></dt>
3878
3879<dd>The entire recipient localpart. </dd>
3880
3881<dt><b>$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b></dt>
3882
3883<dd>The address extension delimiter that was found in the recipient
3884address (Postfix 2.11 and later), or the 'first' delimiter specified
3885with the system-wide recipient address extension delimiter (Postfix
38863.5.22, 3.6.12, 3.7.8, 3.8.3 and later). Historically, this was
3887always the system-wide recipient
3888address extension delimiter (Postfix 2.10 and earlier). </dd>
3889
3890<dt><b>${name?value}</b></dt>
3891
3892<dt><b>${name?{value}}</b> (Postfix &ge; 3.0)</dt>
3893
3894<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
3895
3896<dt><b>${name:value}</b></dt>
3897
3898<dt><b>${name:{value}}</b> (Postfix &ge; 3.0)</dt>
3899
3900<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
3901
3902<dt><b>${name?{value1}:{value2}}</b> (Postfix &ge; 3.0)</dt>
3903
3904<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
3905<i>value2</i> otherwise. </dd>
3906
3907</dl>
3908
3909<p>
3910Instead of $name you can also specify ${name} or $(name).
3911</p>
3912
3913<p>
3914Examples:
3915</p>
3916
3917<pre>
3918<a href="postconf.5.html#forward_path">forward_path</a> = /var/forward/$user
3919<a href="postconf.5.html#forward_path">forward_path</a> =
3920    /var/forward/$user/.forward$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>$extension,
3921    /var/forward/$user/.forward
3922</pre>
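<p> The $name expansions and conditional forms listed above, as an added
example that is not Postfix code: a Python expander for a <a href="postconf.5.html#forward_path">forward_path</a>
search list that applies a <a href="postconf.5.html#forward_expansion_filter">forward_expansion_filter</a> character set
to each expanded value. Assumed here: an unknown $name expands to the
empty string, the filter applies to expanded values rather than to literal
template text, and the allowed set is a constructed one that includes "/"
so that $home survives; compare it with the real default from "postconf -d
forward_expansion_filter". </p>

```python
"""Expand a local(8) forward_path search list as the page describes.

Added example, not Postfix code.  Assumptions: an unknown $name expands to
the empty string; the forward_expansion_filter set is applied to each
expanded $name value (literal template text is left alone); the allowed
set below is constructed for this example, not the "postconf -d" default.
"""
import re
from typing import Dict, List, Tuple

# Constructed allowed set (includes "/" so $home paths survive); check the
# real default with: postconf -d forward_expansion_filter
EXPANSION_FILTER = ("0123456789!@%-_=+:,./"
                    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
_NAME = re.compile(r"[A-Za-z0-9_]+")
_PAIRS = {"{": "}", "(": ")"}   # ${name} and $(name) are both accepted


def _filter(value: str, allowed: str) -> str:
    """Characters outside the allowed set are replaced by underscores."""
    return "".join(c if c in allowed else "_" for c in value)


def _matching(text: str, start: int) -> int:
    """Index of the delimiter that closes text[start], honouring nesting."""
    open_ch, close_ch = text[start], _PAIRS[text[start]]
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError(f"unbalanced {open_ch!r} in {text!r}")


def _braced(text: str) -> Tuple[str, str]:
    """Split "{value}rest" into (value, rest); an unbraced value runs to the end."""
    if text.startswith("{"):
        end = _matching(text, 0)
        return text[1:end], text[end + 1:]
    return text, ""


def _expand_braced(inner: str, attrs: Dict[str, str], allowed: str) -> str:
    """Handle the text between ${ and }: name, name?value, name:value,
    name?{value}, name:{value} and name?{value1}:{value2}."""
    m = _NAME.match(inner)
    if m is None:
        raise ValueError(f"bad expansion ${{{inner}}}")
    name, rest = m.group(), inner[m.end():]
    current = attrs.get(name, "")
    if not rest:                                   # plain ${name}
        return _filter(current, allowed)
    op, rest = rest[0], rest[1:]
    if op not in "?:":
        raise ValueError(f"bad operator in ${{{inner}}}")
    value1, rest = _braced(rest)
    value2 = _braced(rest[1:])[0] if rest.startswith(":") else ""
    # "?" picks value1 when $name is non-empty, ":" picks it when empty.
    chosen = value1 if (current != "") == (op == "?") else value2
    return expand(chosen, attrs, allowed)          # values may contain $name


def expand(template: str, attrs: Dict[str, str],
           allowed: str = EXPANSION_FILTER) -> str:
    """Expand $name, ${name}, $(name) and the conditional forms in template."""
    out: List[str] = []
    i = 0
    while i < len(template):
        if template[i] != "$":
            out.append(template[i])
            i += 1
        elif i + 1 < len(template) and template[i + 1] in _PAIRS:
            end = _matching(template, i + 1)
            out.append(_expand_braced(template[i + 2:end], attrs, allowed))
            i = end + 1
        else:
            m = _NAME.match(template, i + 1)
            if m is None:                          # a lone "$" stays literal
                out.append("$")
                i += 1
            else:
                out.append(_filter(attrs.get(m.group(), ""), allowed))
                i = m.end()
    return "".join(out)


def forward_candidates(forward_path: str, attrs: Dict[str, str]) -> List[str]:
    """Expand every comma/whitespace-separated entry of forward_path, in the
    order local(8) would try them (the first file that exists is used)."""
    entries = re.split(r"[\s,]+", forward_path.strip())
    return [expand(entry, attrs) for entry in entries if entry]
```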
3923
3924
3925</DD>
3926
3927<DT><b><a name="frozen_delivered_to">frozen_delivered_to</a>
3928(default: yes)</b></DT><DD>
3929
3930<p> Update the <a href="local.8.html">local(8)</a> delivery agent's idea of the Delivered-To:
3931address (see <a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a>) only once, at the start of
3932a delivery attempt; do not update the Delivered-To: address while
3933expanding aliases or .forward files. </p>
3934
3935<p> This feature is available in Postfix 2.3 and later. With older
3936Postfix releases, the behavior is as if this parameter is set to
3937"no". The old setting can be expensive with deeply nested aliases
3938or .forward files. When an alias or .forward file changes the
3939Delivered-To: address, it ties up one queue file and one cleanup
3940process instance while mail is being forwarded.  </p>
3941
3942
3943</DD>
3944
3945<DT><b><a name="full_name_encoding_charset">full_name_encoding_charset</a>
3946(default: utf-8)</b></DT><DD>
3947
3948<p> The character set name (also called "charset") that Postfix
3949will output when it automatically generates an <a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a> encoded
3950full name. Encoding non-ASCII full names can avoid the need to use
3951SMTPUTF8, and therefore can avoid incompatibility with sites that
3952do not support SMTPUTF8. </p>
3953
3954<p> The encoded names look like "=?charset?q?gibberish?=" with
3955quoted-printable encoding, or "=?charset?b?gibberish?=" with base64
3956encoding. Postfix uses quoted-printable encoding for a full name
3957that is short or mostly printable ASCII, and uses base64 otherwise.
3958</p>
3959
3960<p> Background: when a message without a From: header is submitted
3961with the Postfix <a href="sendmail.1.html">sendmail(1)</a> command, the Postfix <a href="cleanup.8.html">cleanup(8)</a> daemon
3962will add a From: header and will try to use the sender's full name
3963specified with the Postfix <a href="sendmail.1.html">sendmail(1)</a> "-F" option, with the Postfix
3964<a href="sendmail.1.html">sendmail(1)</a> "NAME" environment variable, or with the GECOS field
3965in the UNIX password database. In the latter case, Postfix will
3966replace the "&amp;" character with the login name, with a lowercase
3967ASCII first character converted to uppercase. </p>
3968
3969<p> NOTE: Postfix does not convert between character sets. The
3970<a href="postconf.5.html#full_name_encoding_charset">full_name_encoding_charset</a> parameter specifies the character set
3971of the full name in the Postfix sendmail "-F" option, in the Postfix
3972sendmail "NAME" environment variable, or in the GECOS field of the
3973UNIX password database. The parameter value is also part of the
3974encoded full name, and informs a Mail User Agent how to display the
3975decoded gibberish. </p>
3976
<p> Specify a valid character set name such as "utf-8" or "iso-8859-1"
(specify the latter for full names that use the Latin1 encoding).
3979The character set name is case insensitive. When a character set
3980name violates <a href="https://tools.ietf.org/html/rfc2047">RFC 2047</a> syntax, Postfix will log a warning and will
3981skip the full name. </p>
3982
3983<p> This feature is available in Postfix &ge; 3.10. </p>
3984
3985
3986</DD>
3987
3988<DT><b><a name="hash_queue_depth">hash_queue_depth</a>
3989(default: 1)</b></DT><DD>
3990
3991<p>
3992The number of subdirectory levels for queue directories listed with
3993the <a href="postconf.5.html#hash_queue_names">hash_queue_names</a> parameter. Queue hashing is implemented by
3994creating one or more levels of directories with one-character names.
3995Originally, these directory names were equal to the first characters
3996of the queue file name, with the hexadecimal representation of the
3997file creation time in microseconds. </p>
3998
3999<p> With long queue file names, queue hashing produces the same
4000results as with short names. The file creation time in microseconds
4001is converted into hexadecimal form before the result is used for
4002queue hashing.  The base 16 encoding gives finer control over the
4003number of subdirectories than is possible with the base 52 encoding
4004of long queue file names.  </p>
4005
4006<p>
4007After changing the <a href="postconf.5.html#hash_queue_names">hash_queue_names</a> or <a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a> parameter,
4008execute the command "<b>postfix reload</b>".
4009</p>
4010
4011
4012</DD>
4013
4014<DT><b><a name="hash_queue_names">hash_queue_names</a>
4015(default: deferred, defer)</b></DT><DD>
4016
4017<p>
4018The names of queue directories that are split across multiple
4019subdirectory levels.
4020</p>
4021
4022<p> Before Postfix version 2.2, the default list of hashed queues
4023was significantly larger. Claims about improvements in file system
4024technology suggest that hashing of the <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a>
4025is no longer needed. Fewer hashed directories speed up the time
4026needed to restart Postfix. </p>
4027
4028<p>
4029After changing the <a href="postconf.5.html#hash_queue_names">hash_queue_names</a> or <a href="postconf.5.html#hash_queue_depth">hash_queue_depth</a> parameter,
4030execute the command "<b>postfix reload</b>".
4031</p>
4032
4033
4034</DD>
4035
4036<DT><b><a name="header_address_token_limit">header_address_token_limit</a>
4037(default: 10240)</b></DT><DD>
4038
4039<p>
The maximal number of address tokens that are allowed in an address
message header. Information that exceeds the limit is discarded.
4042The limit is enforced by the <a href="cleanup.8.html">cleanup(8)</a> server.
4043</p>
4044
4045
4046</DD>
4047
4048<DT><b><a name="header_checks">header_checks</a>
4049(default: empty)</b></DT><DD>
4050
4051<p>
4052Optional lookup tables for content inspection of primary non-MIME
4053message headers, as specified in the <a href="header_checks.5.html">header_checks(5)</a> manual page.
4054</p>
4055
4056
4057</DD>
4058
4059<DT><b><a name="header_from_format">header_from_format</a>
4060(default: standard)</b></DT><DD>
4061
4062<p> The format of the Postfix-generated <b>From:</b> header. This
4063setting affects the appearance of 'full name' information when a
4064local program such as /bin/mail submits a message without a From:
4065header through the Postfix <a href="sendmail.1.html">sendmail(1)</a> command. </p>
4066
4067<p> Specify one of the following: </p>
4068
4069<dl>
4070
4071<dt><b>standard</b> (default)</dt> <dd> Produce a header formatted
4072as "<b>From:</b> <i>name</i><b> &lt;</b><i>address</i><b>&gt;</b>".
4073This is the default as of Postfix 3.3.</dd>
4074
4075<dt><b>obsolete</b></dt> <dd>Produce a header formatted as "<b>From:</b>
4076<i>address</i> <b>(</b><i>name</i><b>)</b>". This is the behavior
4077prior to Postfix 3.3. </dd>
4078
4079</dl>
4080
4081<p> Notes: </p>
4082
4083<ul>
4084
4085<li> <p> Postfix generates the format "<b>From:</b> <i>address</i>"
4086when <i>name</i> information is unavailable or the envelope sender
4087address is empty. This is the same behavior as prior to Postfix
40883.3. </p>
4089
4090<li> <p> In the <b>standard</b> form, the <i>name</i> will be quoted
4091if it contains <b>specials</b> as defined in <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a>, or the "!%"
4092address operators. </p>
4093
4094<li> <p> The Postfix <a href="sendmail.1.html">sendmail(1)</a> command gets <i>name</i> information
4095from the <b>-F</b> command-line option, from the <b>NAME</b>
4096environment variable, or from the UNIX password file. </p>
4097
4098</ul>
4099
4100<p> This feature is available in Postfix 3.3 and later. </p>
4101
4102
4103</DD>
4104
4105<DT><b><a name="header_size_limit">header_size_limit</a>
4106(default: 102400)</b></DT><DD>
4107
4108<p>
4109The maximal amount of memory in bytes for storing a message header.
4110If a header is larger, the excess is discarded.  The limit is
4111enforced by the <a href="cleanup.8.html">cleanup(8)</a> server.
4112</p>
4113
4114
4115</DD>
4116
4117<DT><b><a name="helpful_warnings">helpful_warnings</a>
4118(default: yes)</b></DT><DD>
4119
4120<p>
4121Log warnings about problematic configuration settings, and provide
4122helpful suggestions.
4123</p>
4124
4125<p>
4126This feature is available in Postfix 2.0 and later.
4127</p>
4128
4129
4130</DD>
4131
4132<DT><b><a name="home_mailbox">home_mailbox</a>
4133(default: empty)</b></DT><DD>
4134
4135<p>
4136Optional pathname of a mailbox file relative to a <a href="local.8.html">local(8)</a> user's
4137home directory.
4138</p>
4139
4140<p>
4141Specify a pathname ending in "/" for qmail-style delivery.
4142</p>
4143
4144<p> The precedence of <a href="local.8.html">local(8)</a> delivery features from high to low
4145is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>,
4146<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
4147<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>
4148
4149<p>
4150Examples:
4151</p>
4152
4153<pre>
4154<a href="postconf.5.html#home_mailbox">home_mailbox</a> = Mailbox
4155<a href="postconf.5.html#home_mailbox">home_mailbox</a> = Maildir/
4156</pre>
4157
4158
4159</DD>
4160
4161<DT><b><a name="hopcount_limit">hopcount_limit</a>
4162(default: 50)</b></DT><DD>
4163
4164<p>
4165The maximal number of Received:  message headers that is allowed
4166in the primary message headers. A message that exceeds the limit
4167is bounced, in order to stop a mailer loop.
4168</p>
4169
4170
4171</DD>
4172
4173<DT><b><a name="html_directory">html_directory</a>
4174(default: see "postconf -d" output)</b></DT><DD>
4175
4176<p>
4177The location of Postfix HTML files that describe how to build,
4178configure or operate a specific Postfix subsystem or feature.
4179</p>
4180
4181
4182</DD>
4183
4184<DT><b><a name="ignore_mx_lookup_error">ignore_mx_lookup_error</a>
4185(default: no)</b></DT><DD>
4186
4187<p> Ignore DNS MX lookups that produce no response.  By default,
4188the Postfix SMTP client defers delivery and tries again after some
4189delay.  This behavior is required by the SMTP standard.  </p>
4190
4191<p>
4192Specify "<a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> = yes" to force a DNS A record
4193lookup instead. This violates the SMTP standard and can result in
4194mis-delivery of mail.
4195</p>
4196
4197
4198</DD>
4199
4200<DT><b><a name="ignore_srv_lookup_error">ignore_srv_lookup_error</a>
4201(default: no)</b></DT><DD>
4202
4203<p> When SRV record lookup fails, fall back to MX or IP address
4204lookup as if SRV record lookup was not enabled. </p>
4205
4206<p> This feature is available in Postfix 3.8 and later. </p>
4207
4208
4209</DD>
4210
4211<DT><b><a name="import_environment">import_environment</a>
4212(default: see "postconf -d" output)</b></DT><DD>
4213
4214<p> The list of environment variables that a privileged Postfix
4215process will import from a non-Postfix parent process, or name=value
4216environment overrides.  Unprivileged utilities will enforce the
4217name=value overrides, but otherwise will not change their process
4218environment.  Examples of relevant environment variables: </p>
4219
4220<dl>
4221
4222<dt><b>TZ</b></dt>
4223
4224<dd>May be needed for sane time keeping on most System-V-ish systems.
4225</dd>
4226
4227<dt><b>DISPLAY</b></dt>
4228
4229<dd>Needed for debugging Postfix daemons with an X-windows debugger. </dd>
4230
4231<dt><b>XAUTHORITY</b></dt>
4232
4233<dd>Needed for debugging Postfix daemons with an X-windows debugger. </dd>
4234
4235<dt><b>MAIL_CONFIG</b></dt>
4236
4237<dd>Needed to make "<b>postfix -c</b>" work. </dd>
4238
4239<dt><b>POSTLOG_SERVICE</b></dt>
4240
4241<dd>Needed to make "<b><a href="postconf.5.html#maillog_file">maillog_file</a></b>" work during daemon
4242process initialization. </dd>
4243
4244<dt><b>POSTLOG_HOSTNAME</b></dt>
4245
4246<dd>Needed to make "<b><a href="postconf.5.html#maillog_file">maillog_file</a></b>" work during daemon
4247process initialization. </dd>
4248
4249</dl>
4250
4251<p> Specify a list of names and/or name=value pairs, separated by
4252whitespace or comma. Specify "{ name=value }" to protect whitespace
4253or comma in environment variable values (whitespace after the opening "{" and
4254before the closing "}"
4255is ignored). The form name=value is supported with Postfix version
42562.1 and later; the use of {} is supported with Postfix 3.0 and
4257later.  </p>
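<p> The following Python model is an added example, not Postfix code. It
parses the list syntax just described (names and name=value pairs separated
by whitespace or comma, with "{ name=value }" protecting whitespace or
commas in a value) and applies it the way this text describes: a privileged
process starts from an empty environment, imports only the listed names
from its parent and applies the name=value overrides, while an unprivileged
utility keeps its environment and applies only the overrides. The parent
environment, and the names LANG and FOO, are constructed for the example.
</p>

```python
"""Added example (not Postfix code): model the import_environment allowlist.

Parses the main.cf list syntax and applies it as postconf(5) describes:
a privileged process imports only the named variables from its parent and
applies name=value overrides; an unprivileged utility applies only the
overrides and otherwise keeps its environment. Sample data is constructed.
"""
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Optional[str]]   # (name, value); value is None for a bare name


def tokenize(spec: str) -> List[str]:
    """Split an import_environment value into items.

    Items are separated by whitespace or commas. An item wrapped in { } may
    contain whitespace or commas; whitespace just inside the braces is
    dropped. Braces are matched, so an inner { } pair is kept verbatim
    (the example's choice; the text only describes one level).
    """
    items: List[str] = []
    i, n = 0, len(spec)
    while i < n:
        c = spec[i]
        if c.isspace() or c == ",":
            i += 1
            continue
        if c == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                if spec[j] == "{":
                    depth += 1
                elif spec[j] == "}":
                    depth -= 1
                j += 1
            if depth:
                raise ValueError("unbalanced '{' in import_environment")
            items.append(spec[i + 1:j - 1].strip())
            i = j
        else:
            j = i
            while j < n and not spec[j].isspace() and spec[j] != ",":
                j += 1
            items.append(spec[i:j])
            i = j
    return items


def parse_entry(item: str) -> Entry:
    """'NAME' -> ('NAME', None); 'NAME=value' -> ('NAME', 'value')."""
    name, sep, value = item.partition("=")
    if not name or any(ch.isspace() for ch in name):
        raise ValueError(f"bad environment variable name in {item!r}")
    return (name, value if sep else None)


def parse_import_environment(spec: str) -> List[Entry]:
    return [parse_entry(item) for item in tokenize(spec)]


def child_environment(parent_env: Dict[str, str], spec: str,
                      privileged: bool) -> Dict[str, str]:
    """Environment a Postfix process ends up with.

    privileged=True : start empty, import listed names present in the
                      parent, then apply name=value overrides.
    privileged=False: keep the parent environment, apply only overrides.
    """
    env: Dict[str, str] = {} if privileged else dict(parent_env)
    for name, value in parse_import_environment(spec):
        if value is None:
            if privileged and name in parent_env:
                env[name] = parent_env[name]
        else:
            env[name] = value
    return env


# Constructed sample: a parent environment containing variables an operator
# would not want a privileged daemon to inherit from whoever started it
# (PATH, LD_PRELOAD) next to ones the text lists as useful (TZ, MAIL_CONFIG).
PARENT_ENV = {
    "PATH": "/tmp/untrusted:/usr/bin",
    "LD_PRELOAD": "/tmp/untrusted.so",
    "TZ": "UTC",
    "MAIL_CONFIG": "/etc/postfix",
    "HOME": "/root",
}
# LANG and FOO are made-up names for this example.
SPEC = "MAIL_CONFIG TZ, LANG=C { FOO=bar, baz }"

if __name__ == "__main__":
    print("privileged  :", child_environment(PARENT_ENV, SPEC, privileged=True))
    print("unprivileged:", child_environment(PARENT_ENV, SPEC, privileged=False))
```

<p> Run as a script, the privileged result contains only MAIL_CONFIG, TZ
and the two overrides; PATH and LD_PRELOAD from the parent are gone. The
unprivileged result keeps the parent environment and adds the overrides.
</p>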
4258
4259
4260</DD>
4261
4262<DT><b><a name="in_flow_delay">in_flow_delay</a>
4263(default: 1s)</b></DT><DD>
4264
4265<p> Time to pause before accepting a new message, when the message
4266arrival rate exceeds the message delivery rate. This feature is
4267turned on by default (it's disabled on SCO UNIX due to an SCO bug).
4268</p>
4269
4270<p>
4271With the default 100 Postfix SMTP server process limit, "<a href="postconf.5.html#in_flow_delay">in_flow_delay</a>
4272= 1s" limits the mail inflow to 100 messages per second above the
4273number of messages delivered per second.
4274</p>
4275
4276<p>
4277Specify 0 to disable the feature. Valid delays are 0..10.
4278</p>
4279
4280
4281</DD>
4282
4283<DT><b><a name="inet_interfaces">inet_interfaces</a>
4284(default: all)</b></DT><DD>
4285
4286<p> The local network interface addresses that this mail system
4287receives mail on. Specify "all" to receive mail on all network
4288interfaces (default), "loopback-only" to receive mail on loopback
4289network interfaces only (Postfix version 2.2 and later), or zero
4290or more IPv4 or IPv6 addresses (IPv6 is supported in Postfix version
42912.2 and later). The parameter also controls whether Postfix will
4292accept mail for <tt>user@[ip.address]</tt>, and prevents Postfix
4293from delivering mail to a host that has equal or larger MX preference.
4294Specify an empty value if Postfix does not receive mail over the
4295network, or if all network listeners have an explicit IP address
4296in <a href="master.5.html">master.cf</a>. </p>
4297
4298<p>
4299Note 1: you need to stop and start Postfix when this parameter changes.
4300</p>
4301
4302<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
4303but this form is not required here. </p>
4304
4305<p> When <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> and/or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> are not
4306specified, the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> setting may constrain the source IP
4307address for an outbound SMTP or LMTP connection as described below.
4308</p>
4309
4310<p> The following text is specific to SMTP and IPv4. The same
4311reasoning applies to the IPv6 protocol, and to the Postfix LMTP
4312client. To disable IPv4 or IPv6 support in the Postfix SMTP and
4313LMTP client, use <a href="postconf.5.html#inet_protocols">inet_protocols</a>. </p>
4314
4315<ul>
4316
4317<li> <p> When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies one IPv4 address, and that
4318is not a loopback address, the Postfix SMTP client uses that as the
4319source address for outbound IPv4 connections. </p>
4320
4321<li> <p> Otherwise, the Postfix SMTP client does not constrain the
4322source IPv4 address, and connects using a system-chosen source IPv4
4323address. This includes the cases where <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> is empty,
4324where it specifies <b>all</b>, or where it contains no IPv4 address,
4325one IPv4 address that is a loopback address, or multiple IPv4
4326addresses.  </p>
4327
4328</ul>
4329
4330<p> A Postfix SMTP client may fail to reach some remote SMTP servers
4331when the client source IP address is constrained explicitly with
4332<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a>, or implicitly with
4333<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>. This can happen when Postfix runs on a multi-homed
4334system such as a firewall, the Postfix SMTP source client IP address
4335is constrained to one specific network interface, and the remote
4336SMTP server must be reached through a different interface. Setting
4337<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> to 0.0.0.0 avoids the potential problem for IPv4,
4338and setting <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> to :: solves the problem for IPv6.
4339</p>
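<p> As an added example (not Postfix code), the Python function below
applies the source-address rules just given to main.cf values and reports
which address the Postfix SMTP client would bind for an outbound connection,
or None when the system chooses. It generalizes the IPv4 text to IPv6 as the
text says the same reasoning applies: smtp_bind_address or
smtp_bind_address6 wins when set, with 0.0.0.0 or :: meaning "let the kernel
choose". The text does not spell out the mixed-family case (one IPv4 plus
one IPv6 address in inet_interfaces); this example reads "one address" as
one address in total, which is an assumption. </p>

```python
"""Added example (not Postfix code): predict the source address the Postfix
SMTP client binds for an outbound connection, per the inet_interfaces text.

Inputs are main.cf values as strings. Assumption: "one address" means one
address in total; the text leaves the mixed-family case unspecified.
"""
import ipaddress
from typing import List, Optional, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_inet_interfaces(value: str) -> List[Address]:
    """Addresses listed in inet_interfaces.

    "all", "loopback-only" and the empty value list no addresses; items may
    be separated by whitespace or commas and may be wrapped in [].
    """
    addrs: List[Address] = []
    for item in value.replace(",", " ").split():
        if item in ("all", "loopback-only"):
            continue
        addrs.append(ipaddress.ip_address(item.strip("[]")))
    return addrs


def smtp_source_address(inet_interfaces: str, bind_address: str = "",
                        family: int = 4) -> Optional[str]:
    """Source address for outbound connections of the given family (4 or 6),
    or None when the operating system picks one.

    bind_address stands for smtp_bind_address (family 4) or
    smtp_bind_address6 (family 6). When it is set it takes precedence;
    0.0.0.0 / :: is the documented way to leave the choice to the kernel.
    Otherwise inet_interfaces constrains the source only when it names
    exactly one address, of this family, that is not a loopback address.
    """
    if bind_address.strip():
        bind = ipaddress.ip_address(bind_address.strip().strip("[]"))
        if bind.version != family:
            raise ValueError(f"{bind} is not an IPv{family} address")
        return None if bind.is_unspecified else str(bind)
    own = parse_inet_interfaces(inet_interfaces)
    if len(own) == 1 and own[0].version == family and not own[0].is_loopback:
        return str(own[0])
    return None


if __name__ == "__main__":
    for cfg in ("all", "loopback-only", "127.0.0.1", "192.168.1.2",
                "192.168.1.2, 127.0.0.1"):
        print(f"inet_interfaces = {cfg!r:28} -> {smtp_source_address(cfg)}")
    print("smtp_bind_address = 0.0.0.0 ->", smtp_source_address("192.168.1.2", "0.0.0.0"))
```

<p> The multi-homed failure the text warns about is the case where this
function returns a specific address (one non-loopback address in
inet_interfaces, or an explicit bind address) while the remote server is
only reachable through another interface. </p>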
4340
4341<p>
4342A better solution for multi-homed systems is to leave <a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
4343at the default value and instead use explicit IP addresses in
4344the <a href="master.5.html">master.cf</a> SMTP server definitions.  This preserves the Postfix
4345SMTP client's
4346loop detection, by ensuring that each side of the firewall knows that the
4347other IP address is still the same host. Setting $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> to a
single IPv4 and/or IPv6 address is primarily useful with virtual
4349hosting of domains on
4350secondary IP addresses, when each IP address serves a different domain
4351(and has a different $<a href="postconf.5.html#myhostname">myhostname</a> setting). </p>
4352
4353<p>
4354See also the <a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> parameter, for network addresses that
4355are forwarded to Postfix by way of a proxy or address translator.
4356</p>
4357
4358<p>
4359Examples:
4360</p>
4361
4362<pre>
4363<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = all (DEFAULT)
4364<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = loopback-only (Postfix version 2.2 and later)
4365<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = 127.0.0.1
4366<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = 127.0.0.1, [::1] (Postfix version 2.2 and later)
4367<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> = 192.168.1.2, 127.0.0.1
4368</pre>
4369
4370
4371</DD>
4372
4373<DT><b><a name="inet_protocols">inet_protocols</a>
4374(default: see 'postconf -d' output)</b></DT><DD>
4375
4376<p> The Internet protocols Postfix will attempt to use when making
4377or accepting connections. Specify one or more of "ipv4"
4378or "ipv6", separated by whitespace or commas. The form
4379"all" is equivalent to "ipv4, ipv6" or "ipv4", depending
4380on whether the operating system implements IPv6. </p>
4381
4382<p> With Postfix 2.8 and earlier the default is "ipv4". For backwards
4383compatibility with these releases, the Postfix 2.9 and later upgrade
4384procedure appends an explicit "<a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv4" setting to
4385<a href="postconf.5.html">main.cf</a> when no explicit setting is present. This compatibility
4386workaround will be phased out as IPv6 deployment becomes more common.
4387</p>
4388
4389<p> This feature is available in Postfix 2.2 and later. </p>
4390
4391<p> Note: you MUST stop and start Postfix after changing this
4392parameter. </p>
4393
4394<p> On systems that pre-date IPV6_V6ONLY support (<a href="https://tools.ietf.org/html/rfc3493">RFC 3493</a>), an
4395IPv6 server will also accept IPv4 connections, even when IPv4 is
4396turned off with the <a href="postconf.5.html#inet_protocols">inet_protocols</a> parameter.  On systems with
4397IPV6_V6ONLY support, Postfix will use separate server sockets for
4398IPv6 and IPv4, and each will accept only connections for the
4399corresponding protocol.  </p>
4400
4401<p> When IPv4 support is enabled via the <a href="postconf.5.html#inet_protocols">inet_protocols</a> parameter,
4402Postfix will look up DNS type A records, and will convert
4403IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original
4404IPv4 form (1.2.3.4).  The latter is needed on hosts that pre-date
4405IPV6_V6ONLY support (<a href="https://tools.ietf.org/html/rfc3493">RFC 3493</a>). </p>
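<p> The address conversion just described matters for anything keyed on the
client address. As an added example (not Postfix code), the Python below
expands an inet_protocols value and normalizes IPv4-in-IPv6 client addresses
to their IPv4 form before an exact-match lookup, so that ::ffff:1.2.3.4 and
1.2.3.4 are treated as the same client. The blocked-client list is
constructed for the example. </p>

```python
"""Added example (not Postfix code): inet_protocols expansion and the
IPv4-in-IPv6 client address normalization described in postconf(5).

Without normalization a table keyed on 1.2.3.4 does not match a client that
shows up as ::ffff:1.2.3.4 on a host where an IPv6 socket also accepts IPv4.
"""
import ipaddress
from typing import Iterable, Set


def expand_inet_protocols(value: str, os_supports_ipv6: bool = True) -> Set[str]:
    """Protocols enabled by an inet_protocols value.

    "all" means ipv4 plus ipv6 when the operating system implements IPv6,
    otherwise ipv4 only; items are separated by whitespace or commas.
    """
    items = set(value.replace(",", " ").split())
    if "all" in items:
        items.discard("all")
        items |= {"ipv4", "ipv6"} if os_supports_ipv6 else {"ipv4"}
    unknown = items - {"ipv4", "ipv6"}
    if unknown:
        raise ValueError(f"unknown inet_protocols value(s): {sorted(unknown)}")
    return items


def normalize_client_address(addr: str) -> str:
    """Return the address in its original form: an IPv4-mapped IPv6 address
    (::ffff:a.b.c.d, also written ::ffff:hhhh:hhhh) becomes a.b.c.d; any
    other address is returned in canonical text form."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


# Constructed sample list, written the way an operator would key it: by the
# IPv4 text form.
BLOCKED_CLIENTS = {"1.2.3.4", "198.51.100.7"}


def client_is_blocked(addr: str, blocked: Iterable[str] = BLOCKED_CLIENTS) -> bool:
    """Exact-match check that normalizes both sides, so the mapped and the
    plain spelling of the same IPv4 client give the same answer."""
    want = normalize_client_address(addr)
    return any(normalize_client_address(b) == want for b in blocked)


if __name__ == "__main__":
    print(expand_inet_protocols("all"), expand_inet_protocols("all", os_supports_ipv6=False))
    for client in ("1.2.3.4", "::ffff:1.2.3.4", "::ffff:102:304", "2001:db8::1"):
        print(f"{client:18} -> {normalize_client_address(client):10} blocked={client_is_blocked(client)}")
```

<p> The raw string "::ffff:1.2.3.4" is not in the set, yet the check
returns True for it after normalization, which is the behaviour the
conversion above exists to provide. </p>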
4406
4407<p> When IPv6 support is enabled via the <a href="postconf.5.html#inet_protocols">inet_protocols</a> parameter,
4408Postfix will do DNS type AAAA record lookups. </p>
4409
4410<p> When both IPv4 and IPv6 support are enabled, the Postfix SMTP
4411client will choose the protocol as specified with the
4412<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> parameter. Postfix versions before 2.8
4413attempt to connect via IPv6 before attempting to use IPv4.  </p>
4414
4415<p>
4416Examples:
4417</p>
4418
4419<pre>
4420<a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv4
4421<a href="postconf.5.html#inet_protocols">inet_protocols</a> = all (DEFAULT)
4422<a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv6
4423<a href="postconf.5.html#inet_protocols">inet_protocols</a> = ipv4, ipv6
4424</pre>
4425
4426
4427</DD>
4428
4429<DT><b><a name="info_log_address_format">info_log_address_format</a>
4430(default: external)</b></DT><DD>
4431
4432<p> The email address form that will be used in non-debug logging
4433(info, warning, etc.). As of Postfix 3.5 when an address localpart
4434contains spaces or other special characters, the localpart will be
4435quoted, for example: </p>
4436
4437<blockquote>
4438<pre>
4439    from=&lt;"name with spaces"@example.com&gt;
4440</pre>
4441</blockquote>
4442
4443<p> Older Postfix versions would log the internal (unquoted) form: </p>
4444
4445<blockquote>
4446<pre>
4447    from=&lt;name with spaces@example.com&gt;
4448</pre>
4449</blockquote>
4450
4451<p> The external and internal forms are identical for the vast
4452majority of email addresses that contain no spaces or other special
4453characters in the localpart. </p>
4454
4455<p> The logging in external form is consistent with the address
4456form that Postfix 3.2 and later prefer for most table lookups. This
4457is therefore the more useful form for non-debug logging. </p>
4458
4459<p> Specify "<b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> = internal</b>" for backwards
4460compatibility. </p>
4461
4462<p> Postfix uses the unquoted form internally, because an attacker
4463can specify an email address in different forms by playing games
4464with quotes and backslashes. An attacker should not be able to use
4465such games to circumvent Postfix access policies. </p>
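<p> To make the two forms concrete, here is an added Python example (not
Postfix code, and a simplified reading of the RFC 5321 quoted-string syntax
rather than Postfix's own address routines): to_internal() turns the
external, quoted form into the internal, unquoted form, to_external() quotes
a localpart again only when it needs it, and log_address() shows what a
from=&lt;...&gt; log field looks like under either info_log_address_format
setting. The example handles only a localpart that is entirely a quoted
string, which is the case the text discusses. </p>

```python
"""Added example (not Postfix code): external (quoted) vs internal (unquoted)
email address forms, as discussed for info_log_address_format.

Simplification: a localpart is either a dot-atom or one quoted string;
backslash escapes are honoured inside the quotes only.
"""
from typing import Optional, Tuple

# RFC 5322 atext plus ".", the characters a dot-atom localpart may contain.
ATOM_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                "!#$%&'*+-/=?^_`{|}~.")


def split_address(addr: str) -> Tuple[str, Optional[str]]:
    """Split at the last '@' that is outside a quoted string, so that
    "a@b"@example.com keeps its quoted localpart intact."""
    in_quote, at, i = False, -1, 0
    while i < len(addr):
        c = addr[i]
        if in_quote and c == "\\":      # escaped char inside quotes
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == "@" and not in_quote:
            at = i
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string in address")
    if at < 0:
        return addr, None
    return addr[:at], addr[at + 1:]


def unquote_localpart(local: str) -> str:
    """External -> internal: drop the surrounding quotes and resolve
    backslash escapes. A localpart without quotes is returned unchanged."""
    if not (len(local) >= 2 and local[0] == '"' and local[-1] == '"'):
        return local
    body, out, i = local[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def quote_localpart(local: str) -> str:
    """Internal -> external: quote only when the localpart is not a valid
    dot-atom, escaping backslash and double quote inside the quotes."""
    needs_quotes = (not local or local[0] == "." or local[-1] == "."
                    or ".." in local or any(ch not in ATOM_SAFE for ch in local))
    if not needs_quotes:
        return local
    return '"' + local.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_internal(external: str) -> str:
    local, domain = split_address(external)
    local = unquote_localpart(local)
    return local if domain is None else f"{local}@{domain}"


def to_external(internal: str) -> str:
    local, sep, domain = internal.rpartition("@")
    if not sep:
        return quote_localpart(internal)
    return f"{quote_localpart(local)}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """Policy comparison on the internal form: different quoting of the same
    mailbox must not lead to different access decisions."""
    return to_internal(a) == to_internal(b)


def log_address(external: str, fmt: str = "external") -> str:
    """The from=<...> field as logged under info_log_address_format=fmt."""
    internal = to_internal(external)
    shown = to_external(internal) if fmt == "external" else internal
    return f"from=<{shown}>"


if __name__ == "__main__":
    for addr in ('"name with spaces"@example.com', '"name\\ with\\ spaces"@example.com',
                 '"a\\"b"@example.com', 'plain.user@example.com'):
        print(f"{addr:38} internal={to_internal(addr):32} {log_address(addr)}")
```

<p> The two spellings "name with spaces"@example.com and
"name\ with\ spaces"@example.com produce one internal form, and one
external log line; an access policy evaluated on the internal form cannot be
sidestepped by choosing the other spelling. </p>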
4466
4467<p> This feature is available in Postfix 3.5 and later. </p>
4468
4469
4470</DD>
4471
4472<DT><b><a name="initial_destination_concurrency">initial_destination_concurrency</a>
4473(default: 5)</b></DT><DD>
4474
4475<p>
4476The initial per-destination concurrency level for parallel delivery
4477to the same destination.
4478With per-destination recipient limit &gt; 1, a destination is a domain,
4479otherwise it is a recipient.
4480</p>
4481
4482<p> Use <a href="postconf.5.html#transport_initial_destination_concurrency"><i>transport</i>_initial_destination_concurrency</a> to specify
4483a transport-specific override, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
4484name of the message delivery transport (Postfix 2.5 and later). </p>
4485
4486<p>
4487Warning: with concurrency of 1, one bad message can be enough to
4488block all mail to a site.
4489</p>
4490
4491
4492</DD>
4493
4494<DT><b><a name="internal_mail_filter_classes">internal_mail_filter_classes</a>
4495(default: empty)</b></DT><DD>
4496
4497<p> What categories of Postfix-generated mail are subject to
4498before-queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a>
4499and <a href="postconf.5.html#body_checks">body_checks</a>.  Specify zero or more of the following, separated
4500by whitespace or comma.  </p>
4501
4502<dl>
4503
4504<dt><b>bounce</b></dt> <dd> Inspect the content of delivery
4505status notifications. </dd>
4506
4507<dt><b>notify</b></dt> <dd> Inspect the content of postmaster
4508notifications by the <a href="smtp.8.html">smtp(8)</a> and <a href="smtpd.8.html">smtpd(8)</a> processes. </dd>
4509
4510</dl>
4511
4512<p> NOTE: It's generally not safe to enable content inspection of
4513Postfix-generated email messages. The user is warned. </p>
4514
4515<p> This feature is available in Postfix 2.3 and later. </p>
4516
4517
4518</DD>
4519
4520<DT><b><a name="invalid_hostname_reject_code">invalid_hostname_reject_code</a>
4521(default: 501)</b></DT><DD>
4522
4523<p>
4524The numerical Postfix SMTP server response code when the client
4525HELO or EHLO command parameter is rejected by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
4526restriction.
4527</p>
4528
4529<p>
4530Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
4531</p>
4532
4533
4534</DD>
4535
4536<DT><b><a name="ipc_idle">ipc_idle</a>
4537(default: version dependent)</b></DT><DD>
4538
4539<p>
4540The time after which a client closes an idle internal communication
4541channel.  The purpose is to allow Postfix daemon processes to
4542terminate voluntarily after they become idle. This is used, for
4543example, by the Postfix address resolving and rewriting clients.
4544</p>
4545
4546<p> With Postfix 2.4 the default value was reduced from 100s to 5s. </p>
4547
4548<p> Specify a non-zero time value (an integral value plus an optional
4549one-letter suffix that specifies the time unit).  Time units: s
4550(seconds), m (minutes), h (hours), d (days), w (weeks).
4551The default time unit is s (seconds).  </p>
4552
4553
4554</DD>
4555
4556<DT><b><a name="ipc_timeout">ipc_timeout</a>
4557(default: 3600s)</b></DT><DD>
4558
4559<p>
4560The time limit for sending or receiving information over an internal
4561communication channel.  The purpose is to break out of deadlock
4562situations. If the time limit is exceeded the software aborts with a
4563fatal error.
4564</p>
4565
4566<p> Specify a non-zero time value (an integral value plus an optional
4567one-letter suffix that specifies the time unit).  Time units: s
4568(seconds), m (minutes), h (hours), d (days), w (weeks).
4569The default time unit is s (seconds).  </p>
4570
4571
4572</DD>
4573
4574<DT><b><a name="ipc_ttl">ipc_ttl</a>
4575(default: 1000s)</b></DT><DD>
4576
4577<p>
4578The time after which a client closes an active internal communication
4579channel.  The purpose is to allow Postfix daemon processes to
4580terminate voluntarily
4581after reaching their client limit.  This is used, for example, by
4582the Postfix address resolving and rewriting clients.
4583</p>
4584
4585<p> Specify a non-zero time value (an integral value plus an optional
4586one-letter suffix that specifies the time unit).  Time units: s
4587(seconds), m (minutes), h (hours), d (days), w (weeks).
4588The default time unit is s (seconds).  </p>
4589
4590<p>
4591This feature is available in Postfix 2.1 and later.
4592</p>
4593
4594
4595</DD>
4596
4597<DT><b><a name="known_tcp_ports">known_tcp_ports</a>
4598(default: lmtp=24, smtp=25, smtps=submissions=465, submission=587)</b></DT><DD>
4599
4600<p> Optional setting that avoids lookups in the services(5) database.
4601This feature was implemented to address inconsistencies in the name
4602of the port "465" service. The ABNF is:
4603</p>
4604
4605<blockquote>
4606<p>
4607<a href="postconf.5.html#known_tcp_ports">known_tcp_ports</a> = empty | name-to-port *("," name-to-port) <br>
name-to-port = 1*(service-name "=") port-number
4609</p>
4610</blockquote>
4611
4612<p> The comma is required. Whitespace is optional but it cannot appear
4613inside a service name or port number. </p>
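<p> As an added example (not Postfix code), the Python parser below
implements this grammar: items are comma separated, each item is one or
more service names joined by "=" to a final port number, whitespace around
items and around "=" is accepted, and whitespace inside a name or number is
rejected. The accepted shape of a service name (letters, digits and
hyphens) is the example's assumption; the text does not define it.
resolve_port() consults the parsed table first and only falls back to the
services(5) database for names that are not in it. </p>

```python
"""Added example (not Postfix code): parse the known_tcp_ports grammar.

    known_tcp_ports = empty | name-to-port *("," name-to-port)
    name-to-port    = 1*(service-name "=") port-number

Whitespace around items and "=" is accepted; whitespace inside a service
name or port number is an error, as is a missing comma between items.
"""
import re
import socket
from typing import Dict

# Assumed service-name shape (the example's choice, not defined by postconf(5)).
_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*$")
_PORT = re.compile(r"^[0-9]+$")

DEFAULT_KNOWN_TCP_PORTS = "lmtp=24, smtp=25, smtps=submissions=465, submission=587"


def parse_known_tcp_ports(value: str) -> Dict[str, int]:
    """Return a service-name -> port mapping, raising ValueError on any
    deviation from the grammar."""
    ports: Dict[str, int] = {}
    if not value.strip():
        return ports
    for raw_item in value.split(","):
        item = raw_item.strip()
        fields = [f.strip() for f in item.split("=")]
        if len(fields) < 2:
            raise ValueError(f"missing '=' in {item!r}")
        *names, port = fields
        if not _PORT.match(port) or not 0 < int(port) <= 65535:
            # Also catches "smtp=2 5" (whitespace inside the number).
            raise ValueError(f"bad port number {port!r} in {item!r}")
        for name in names:
            if not _NAME.match(name):
                # Also catches "smtp=25 smtps=465" (missing comma), which
                # turns "25 smtps" into a name containing whitespace.
                raise ValueError(f"bad service name {name!r} in {item!r}")
            if name in ports and ports[name] != int(port):
                raise ValueError(f"{name!r} mapped to both {ports[name]} and {port}")
            ports[name] = int(port)
    return ports


def resolve_port(service: str, known: Dict[str, int]) -> int:
    """Port for a numeric string or service name; the known table is
    consulted before the services(5) database."""
    if service.isdigit():
        return int(service)
    if service in known:
        return known[service]
    return socket.getservbyname(service, "tcp")


if __name__ == "__main__":
    table = parse_known_tcp_ports(DEFAULT_KNOWN_TCP_PORTS)
    print(table)
    print("submissions ->", resolve_port("submissions", table))
    for bad in ("smtp=25 smtps=465", "smtp=2 5", "smtp"):
        try:
            parse_known_tcp_ports(bad)
        except ValueError as err:
            print(f"rejected {bad!r}: {err}")
```

<p> With the default value, both "smtps" and "submissions" resolve to 465
from the table, which is exactly the inconsistency in services(5) naming
the parameter was introduced to sidestep. </p>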
4614
4615<p> This feature is available in Postfix 3.6 and later. </p>
4616
4617
4618</DD>
4619
4620<DT><b><a name="line_length_limit">line_length_limit</a>
4621(default: 2048)</b></DT><DD>
4622
4623<p> Upon input, long lines are chopped up into pieces of at most
4624this length; upon delivery, long lines are reconstructed.  </p>
4625
4626
4627</DD>
4628
4629<DT><b><a name="lmdb_map_size">lmdb_map_size</a>
4630(default: 16777216)</b></DT><DD>
4631
4632<p>
4633The initial OpenLDAP LMDB database size limit in bytes.  Each time
4634a database becomes full, its size limit is doubled.
4635</p>
4636
4637<p>
4638This feature is available in Postfix 2.11 and later.
4639</p>
4640
4641
4642</DD>
4643
4644<DT><b><a name="lmtp_address_preference">lmtp_address_preference</a>
4645(default: ipv6)</b></DT><DD>
4646
4647<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a>
4648configuration parameter.  See there for details. </p>
4649
4650<p> This feature is available in Postfix 2.8 and later.  </p>
4651
4652
4653</DD>
4654
4655<DT><b><a name="lmtp_address_verify_target">lmtp_address_verify_target</a>
4656(default: rcpt)</b></DT><DD>
4657
4658<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a>
4659configuration parameter.  See there for details. </p>
4660
4661<p> This feature is available in Postfix 3.0 and later.  </p>
4662
4663
4664</DD>
4665
4666<DT><b><a name="lmtp_assume_final">lmtp_assume_final</a>
4667(default: no)</b></DT><DD>
4668
4669<p> When a remote LMTP server announces no DSN support, assume that
4670the
4671server performs final delivery, and send "delivered" delivery status
4672notifications instead of "relayed". The default setting is backwards
4673compatible to avoid the infinitesimal possibility of breaking
4674existing LMTP-based content filters. </p>
4675
4676
4677</DD>
4678
4679<DT><b><a name="lmtp_balance_inet_protocols">lmtp_balance_inet_protocols</a>
4680(default: yes)</b></DT><DD>
4681
4682<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a>
4683configuration parameter. See there for details. </p>
4684
4685<p> This feature is available in Postfix 3.3 and later.  </p>
4686
4687
4688</DD>
4689
4690<DT><b><a name="lmtp_bind_address">lmtp_bind_address</a>
4691(default: empty)</b></DT><DD>
4692
4693<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> configuration
4694parameter.  See there for details. </p>
4695
4696<p> This feature is available in Postfix 2.3 and later. </p>
4697
4698
4699</DD>
4700
4701<DT><b><a name="lmtp_bind_address6">lmtp_bind_address6</a>
4702(default: empty)</b></DT><DD>
4703
4704<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> configuration
4705parameter.  See there for details. </p>
4706
4707<p> This feature is available in Postfix 2.3 and later. </p>
4708
4709
4710</DD>
4711
4712<DT><b><a name="lmtp_bind_address_enforce">lmtp_bind_address_enforce</a>
4713(default: empty)</b></DT><DD>
4714
4715<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a>
4716configuration parameter. See there for details. </p>
4717
4718<p> This feature is available in Postfix 3.7 and later. </p>
4719
4720
4721</DD>
4722
4723<DT><b><a name="lmtp_body_checks">lmtp_body_checks</a>
4724(default: empty)</b></DT><DD>
4725
4726<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> configuration
4727parameter. See there for details. </p>
4728
4729<p> This feature is available in Postfix 2.5 and later. </p>
4730
4731
4732</DD>
4733
4734<DT><b><a name="lmtp_cache_connection">lmtp_cache_connection</a>
4735(default: yes)</b></DT><DD>
4736
4737<p>
4738Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
4739seconds. When the LMTP client receives a request for the same
4740connection the connection is reused.
4741</p>
4742
4743<p> This parameter is available in Postfix version 2.2 and earlier.
4744With Postfix version 2.3 and later, see <a href="postconf.5.html#lmtp_connection_cache_on_demand">lmtp_connection_cache_on_demand</a>,
4745<a href="postconf.5.html#lmtp_connection_cache_destinations">lmtp_connection_cache_destinations</a>, or <a href="postconf.5.html#lmtp_connection_reuse_time_limit">lmtp_connection_reuse_time_limit</a>.
4746</p>
4747
4748<p>
4749The effectiveness of cached connections will be determined by the
4750number of remote LMTP servers in use, and the concurrency limit specified
4751for the Postfix LMTP client. Cached connections are closed under any of
4752the following conditions:
4753</p>
4754
4755<ul>
4756
4757<li> The Postfix LMTP client idle time limit is reached.  This limit is
4758specified with the Postfix <a href="postconf.5.html#max_idle">max_idle</a> configuration parameter.
4759
4760<li> A delivery request specifies a different destination than the
4761one currently cached.
4762
4763<li> The per-process limit on the number of delivery requests is
4764reached.  This limit is specified with the Postfix <a href="postconf.5.html#max_use">max_use</a>
4765configuration parameter.
4766
4767<li> Upon the onset of another delivery request, the remote LMTP server
4768associated with the current session does not respond to the RSET
4769command.
4770
4771</ul>
4772
4773<p>
Most of these limitations have been addressed by the Postfix connection
cache that is shared among multiple LMTP client programs (Postfix 2.3
and later).
4777</p>
4778
4779
4780</DD>
4781
4782<DT><b><a name="lmtp_cname_overrides_servername">lmtp_cname_overrides_servername</a>
4783(default: yes)</b></DT><DD>
4784
4785<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a>
4786configuration parameter.  See there for details. </p>
4787
4788<p> This feature is available in Postfix 2.3 and later. </p>
4789
4790
4791</DD>
4792
4793<DT><b><a name="lmtp_connect_timeout">lmtp_connect_timeout</a>
4794(default: 0s)</b></DT><DD>
4795
4796<p> The Postfix LMTP client time limit for completing a TCP connection, or
4797zero (use the operating system built-in time limit).  When no
4798connection can be made within the deadline, the LMTP client tries
4799the next address on the mail exchanger list.  </p>
4800
4801<p> Specify a non-negative time value (an integral value plus an optional
4802one-letter suffix that specifies the time unit).  Time units: s
4803(seconds), m (minutes), h (hours), d (days), w (weeks).
4804The default time unit is s (seconds).  </p>
4805
4806<p>
4807Example:
4808</p>
4809
4810<pre>
4811<a href="postconf.5.html#lmtp_connect_timeout">lmtp_connect_timeout</a> = 30s
4812</pre>
4813
4814
4815</DD>
4816
4817<DT><b><a name="lmtp_connection_cache_destinations">lmtp_connection_cache_destinations</a>
4818(default: empty)</b></DT><DD>
4819
4820<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a>
4821configuration parameter.  See there for details. </p>
4822
4823<p> This feature is available in Postfix 2.3 and later. </p>
4824
4825
4826</DD>
4827
4828<DT><b><a name="lmtp_connection_cache_on_demand">lmtp_connection_cache_on_demand</a>
4829(default: yes)</b></DT><DD>
4830
4831<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a>
4832configuration parameter.  See there for details. </p>
4833
4834<p> This feature is available in Postfix 2.3 and later. </p>
4835
4836
4837</DD>
4838
4839<DT><b><a name="lmtp_connection_cache_time_limit">lmtp_connection_cache_time_limit</a>
4840(default: 2s)</b></DT><DD>
4841
4842<p> The LMTP-specific version of the
4843<a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> configuration parameter.
4844See there for details. </p>
4845
4846<p> This feature is available in Postfix 2.3 and later. </p>
4847
4848
4849</DD>
4850
4851<DT><b><a name="lmtp_connection_reuse_count_limit">lmtp_connection_reuse_count_limit</a>
4852(default: 0)</b></DT><DD>
4853
4854<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a>
4855configuration parameter.  See there for details. </p>
4856
4857<p> This feature is available in Postfix 2.11 and later. </p>
4858
4859
4860</DD>
4861
4862<DT><b><a name="lmtp_connection_reuse_time_limit">lmtp_connection_reuse_time_limit</a>
4863(default: 300s)</b></DT><DD>
4864
4865<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a>
4866configuration parameter.  See there for details. </p>
4867
4868<p> This feature is available in Postfix 2.3 and later. </p>
4869
4870
4871</DD>
4872
4873<DT><b><a name="lmtp_data_done_timeout">lmtp_data_done_timeout</a>
4874(default: 600s)</b></DT><DD>
4875
4876<p> The Postfix LMTP client time limit for sending the LMTP ".",
4877and for receiving the remote LMTP server response.  When no response
4878is received within the deadline, a warning is logged that the mail
4879may be delivered multiple times.  </p>
4880
4881<p> Specify a non-zero time value (an integral value plus an optional
4882one-letter suffix that specifies the time unit).  Time units: s
4883(seconds), m (minutes), h (hours), d (days), w (weeks).
4884The default time unit is s (seconds).  </p>
4885
4886
4887</DD>
4888
4889<DT><b><a name="lmtp_data_init_timeout">lmtp_data_init_timeout</a>
4890(default: 120s)</b></DT><DD>
4891
4892<p>
4893The Postfix LMTP client time limit for sending the LMTP DATA command,
4894and
4895for receiving the remote LMTP server response.
4896</p>
4897
4898<p> Specify a non-zero time value (an integral value plus an optional
4899one-letter suffix that specifies the time unit).  Time units: s
4900(seconds), m (minutes), h (hours), d (days), w (weeks).
4901The default time unit is s (seconds).  </p>
4902
4903
4904</DD>
4905
4906<DT><b><a name="lmtp_data_xfer_timeout">lmtp_data_xfer_timeout</a>
4907(default: 180s)</b></DT><DD>
4908
4909<p>
4910The Postfix LMTP client time limit for sending the LMTP message
4911content.
4912When the connection stalls for more than $<a href="postconf.5.html#lmtp_data_xfer_timeout">lmtp_data_xfer_timeout</a>
4913the LMTP client terminates the transfer.
4914</p>
4915
4916<p> Specify a non-zero time value (an integral value plus an optional
4917one-letter suffix that specifies the time unit).  Time units: s
4918(seconds), m (minutes), h (hours), d (days), w (weeks).
4919The default time unit is s (seconds).  </p>
4920
4921
4922</DD>
4923
4924<DT><b><a name="lmtp_defer_if_no_mx_address_found">lmtp_defer_if_no_mx_address_found</a>
4925(default: no)</b></DT><DD>
4926
4927<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a>
4928configuration parameter.  See there for details. </p>
4929
4930<p> This feature is available in Postfix 2.3 and later. </p>
4931
4932
4933</DD>
4934
4935<DT><b><a name="lmtp_delivery_status_filter">lmtp_delivery_status_filter</a>
4936(default: empty)</b></DT><DD>
4937
4938<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_delivery_status_filter">smtp_delivery_status_filter</a>
4939configuration parameter.  See there for details. </p>
4940
4941<p> This feature is available in Postfix 3.0 and later. </p>
4942
4943
4944</DD>
4945
4946<DT><b><a name="lmtp_destination_concurrency_limit">lmtp_destination_concurrency_limit</a>
4947(default: $<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b></DT><DD>
4948
4949<p> The maximal number of parallel deliveries to the same destination
4950via the lmtp message delivery transport. This limit is enforced by
4951the queue manager. The message delivery transport name is the first
4952field in the entry in the <a href="master.5.html">master.cf</a> file.  </p>
4953
4954
4955</DD>
4956
4957<DT><b><a name="lmtp_destination_recipient_limit">lmtp_destination_recipient_limit</a>
4958(default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
4959
4960<p> The maximal number of recipients per message for the lmtp
4961message delivery transport. This limit is enforced by the queue
4962manager. The message delivery transport name is the first field in
4963the entry in the <a href="master.5.html">master.cf</a> file.  </p>
4964
4965<p> Setting this parameter to a value of 1 changes the meaning of
4966<a href="postconf.5.html#lmtp_destination_concurrency_limit">lmtp_destination_concurrency_limit</a> from concurrency per domain into
4967concurrency per recipient.  </p>
4968
4969
4970</DD>
4971
4972<DT><b><a name="lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a>
4973(default: empty)</b></DT><DD>
4974
4975<p> Lookup tables, indexed by the remote LMTP server address, with
4976case insensitive lists of LHLO keywords (pipelining, starttls,
4977auth, etc.) that the Postfix LMTP client will ignore in the LHLO
4978response
4979from a remote LMTP server. See <a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> for
4980details. The table is not indexed by hostname for consistency with
4981<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>. </p>
4982
4983<p> This feature is available in Postfix 2.3 and later. </p>
4984
4985
4986</DD>
4987
4988<DT><b><a name="lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a>
4989(default: empty)</b></DT><DD>
4990
<p> A case-insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server. </p>
4995
4996<p> This feature is available in Postfix 2.3 and later. </p>
4997
4998<p> Notes: </p>
4999
5000<ul>
5001
5002<li> <p> Specify the <b>silent-discard</b> pseudo keyword to prevent
5003this action from being logged. </p>
5004
5005<li> <p> Use the <a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> feature to
5006discard LHLO keywords selectively. </p>
5007
5008</ul>
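<p> The keyword filtering described by lmtp_discard_lhlo_keyword_address_maps
and lmtp_discard_lhlo_keywords, as an added Python example (not Postfix code):
it parses a discard list with the silent-discard pseudo keyword, selects the
list for a given server address, and applies it case-insensitively to a
constructed LHLO response. The server name and address in the sample, the
function names, and the rule that a per-address entry replaces the global
list for that server are assumptions. </p>

```python
"""LHLO keyword discard filter modelled on lmtp_discard_lhlo_keywords and
lmtp_discard_lhlo_keyword_address_maps.  Added example, not Postfix code."""
import logging
from typing import Dict, List, Tuple

log = logging.getLogger("lmtp-client")

# Constructed LHLO response from a hypothetical LMTP server.
SAMPLE_LHLO: List[str] = [
    "250-lmtp.example.test",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 ENHANCEDSTATUSCODES",
]


def parse_discard_list(value: str) -> Tuple[set, bool]:
    """Parse a main.cf style list (whitespace- or comma-separated).

    Returns the lower-cased keyword set and a flag that is True when the
    "silent-discard" pseudo keyword was present.  The pseudo keyword only
    suppresses logging, so it is removed from the set of keywords."""
    words = {w.lower() for w in value.replace(",", " ").split()}
    silent = "silent-discard" in words
    words.discard("silent-discard")
    return words, silent


def effective_discard_list(global_value: str,
                           address_map: Dict[str, str],
                           server_addr: str) -> Tuple[set, bool]:
    """Pick the discard list for one server.

    Assumption (not stated on the page): an entry in the address-indexed
    table replaces the global list for that server; servers without an
    entry fall back to the global lmtp_discard_lhlo_keywords value."""
    return parse_discard_list(address_map.get(server_addr, global_value))


def filter_lhlo(lines: List[str], discard: set, silent: bool
                ) -> Tuple[Dict[str, str], List[str]]:
    """Apply the discard list to a multi-line LHLO response.

    Returns (kept, dropped): kept maps each surviving keyword (upper-cased)
    to its argument string, dropped lists the keywords that were ignored
    in the order seen.  Discards are logged unless silent is True."""
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for index, line in enumerate(lines):
        # Only 250 reply lines carry keywords; anything else is a protocol error.
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected LHLO reply line: {line!r}")
        # "250 " (space) marks the final line; it must not be followed by more.
        if line.startswith("250 ") and index != len(lines) - 1:
            raise ValueError("LHLO reply continues after its final line")
        if index == 0:
            continue  # first line is the server's own name, not a keyword
        keyword, _, args = line[4:].partition(" ")
        if keyword.lower() in discard:
            dropped.append(keyword)
            continue
        kept[keyword.upper()] = args
    if dropped and not silent:
        log.info("discarding LHLO keywords: %s", " ".join(dropped))
    return kept, dropped


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    keywords, quiet = parse_discard_list("pipelining")
    print(filter_lhlo(SAMPLE_LHLO, keywords, quiet))
```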
5009
5010
5011</DD>
5012
5013<DT><b><a name="lmtp_dns_reply_filter">lmtp_dns_reply_filter</a>
5014(default: empty)</b></DT><DD>
5015
5016<p> Optional filter for Postfix LMTP client DNS lookup results.
5017See <a href="postconf.5.html#smtp_dns_reply_filter">smtp_dns_reply_filter</a> for details including an example.  </p>
5018
5019<p> This feature is available in Postfix 3.0 and later. </p>
5020
5021
5022</DD>
5023
5024<DT><b><a name="lmtp_dns_resolver_options">lmtp_dns_resolver_options</a>
5025(default: empty)</b></DT><DD>
5026
5027<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a>
5028configuration parameter.  See there for details. </p>
5029
5030<p> This feature is available in Postfix 2.8 and later.  </p>
5031
5032
5033</DD>
5034
5035<DT><b><a name="lmtp_dns_support_level">lmtp_dns_support_level</a>
5036(default: empty)</b></DT><DD>
5037
5038<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>
5039configuration parameter.  See there for details.  </p>
5040
5041<p> This feature is available in Postfix 2.11 and later.  </p>
5042
5043
5044</DD>
5045
5046<DT><b><a name="lmtp_enforce_tls">lmtp_enforce_tls</a>
5047(default: no)</b></DT><DD>
5048
5049<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> configuration
5050parameter.  See there for details. </p>
5051
5052<p> This feature is deprecated as of Postfix 3.9. Specify
5053<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a> instead. </p>
5054
5055<p> This feature is available in Postfix 2.3 and later. </p>
5056
5057
5058</DD>
5059
5060<DT><b><a name="lmtp_fallback_relay">lmtp_fallback_relay</a>
5061(default: empty)</b></DT><DD>
5062
5063<p> Optional list of relay hosts for LMTP destinations that can't be
5064found or that are unreachable.  In <a href="postconf.5.html">main.cf</a> elements are separated by
5065whitespace or commas.  </p>
5066
5067<p> By default, mail is returned to the sender when a destination is not
5068found, and delivery is deferred when a destination is unreachable.  </p>
5069
5070<p> The fallback relays must be TCP destinations, specified without
5071a leading "inet:" prefix.  Specify a host or host:port.  Since MX
5072lookups do not apply with LMTP, there is no need to use the "[host]" or
5073"[host]:port" forms.  If you specify multiple LMTP destinations, Postfix
5074will try them in the specified order.  </p>
5075
5076<p>
5077This feature is available in Postfix 3.1 and later.
5078</p>
5079
5080
5081</DD>
5082
5083<DT><b><a name="lmtp_generic_maps">lmtp_generic_maps</a>
5084(default: empty)</b></DT><DD>
5085
5086<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> configuration
5087parameter.  See there for details. </p>
5088
5089<p> This feature is available in Postfix 2.3 and later. </p>
5090
5091
5092</DD>
5093
5094<DT><b><a name="lmtp_header_checks">lmtp_header_checks</a>
5095(default: empty)</b></DT><DD>
5096
5097<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> configuration
5098parameter. See there for details. </p>
5099
5100<p> This feature is available in Postfix 2.5 and later. </p>
5101
5102
5103</DD>
5104
5105<DT><b><a name="lmtp_host_lookup">lmtp_host_lookup</a>
5106(default: dns)</b></DT><DD>
5107
5108<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> configuration
5109parameter.  See there for details. </p>
5110
5111<p> This feature is available in Postfix 2.3 and later. </p>
5112
5113
5114</DD>
5115
5116<DT><b><a name="lmtp_lhlo_name">lmtp_lhlo_name</a>
5117(default: $<a href="postconf.5.html#myhostname">myhostname</a>)</b></DT><DD>
5118
5119<p>
5120The hostname to send in the LMTP LHLO command.
5121</p>
5122
5123<p>
5124The default value is the machine hostname.  Specify a hostname or
5125[ip.add.re.ss] or [ip:v6:add:re::ss].
5126</p>
5127
5128<p>
5129This information can be specified in the <a href="postconf.5.html">main.cf</a> file for all LMTP
5130clients, or it can be specified in the <a href="master.5.html">master.cf</a> file for a specific
5131client, for example:
5132</p>
5133
5134<blockquote>
5135<pre>
5136/etc/postfix/<a href="master.5.html">master.cf</a>:
5137    mylmtp ... lmtp -o <a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a>=foo.bar.com
5138</pre>
5139</blockquote>
5140
5141<p>
5142This feature is available in Postfix 2.3 and later.
5143</p>
5144
5145
5146</DD>
5147
5148<DT><b><a name="lmtp_lhlo_timeout">lmtp_lhlo_timeout</a>
5149(default: 300s)</b></DT><DD>
5150
5151<p> The Postfix LMTP client time limit for sending the LHLO command,
5152and for receiving the initial remote LMTP server response. </p>
5153
5154<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
5155(weeks).  The default time unit is s (seconds).  </p>
5156
5157
5158</DD>
5159
5160<DT><b><a name="lmtp_line_length_limit">lmtp_line_length_limit</a>
5161(default: 998)</b></DT><DD>
5162
5163<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a>
5164configuration parameter.  See there for details. </p>
5165
5166<p> This feature is available in Postfix 2.3 and later. </p>
5167
5168
5169</DD>
5170
5171<DT><b><a name="lmtp_mail_timeout">lmtp_mail_timeout</a>
5172(default: 300s)</b></DT><DD>
5173
5174<p>
5175The Postfix LMTP client time limit for sending the MAIL FROM command,
5176and for receiving the remote LMTP server response.
5177</p>
5178
5179<p> Specify a non-zero time value (an integral value plus an optional
5180one-letter suffix that specifies the time unit).  Time units: s
5181(seconds), m (minutes), h (hours), d (days), w (weeks).
5182The default time unit is s (seconds).  </p>
5183
5184
5185</DD>
5186
5187<DT><b><a name="lmtp_mime_header_checks">lmtp_mime_header_checks</a>
5188(default: empty)</b></DT><DD>
5189
5190<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a>
5191configuration parameter. See there for details. </p>
5192
5193<p> This feature is available in Postfix 2.5 and later. </p>
5194
5195
5196</DD>
5197
5198<DT><b><a name="lmtp_min_data_rate">lmtp_min_data_rate</a>
5199(default: 500)</b></DT><DD>
5200
5201<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> configuration
5202parameter. See there for details. </p>
5203
5204<p> This feature is available in Postfix 3.7 and later. </p>
5205
5206
5207</DD>
5208
5209<DT><b><a name="lmtp_mx_address_limit">lmtp_mx_address_limit</a>
5210(default: 5)</b></DT><DD>
5211
5212<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> configuration
5213parameter.  See there for details. </p>
5214
5215<p> This feature is available in Postfix 2.3 and later. </p>
5216
5217
5218</DD>
5219
5220<DT><b><a name="lmtp_mx_session_limit">lmtp_mx_session_limit</a>
5221(default: 2)</b></DT><DD>
5222
5223<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> configuration
5224parameter.  See there for details. </p>
5225
5226<p> This feature is available in Postfix 2.3 and later. </p>
5227
5228
5229</DD>
5230
5231<DT><b><a name="lmtp_nested_header_checks">lmtp_nested_header_checks</a>
5232(default: empty)</b></DT><DD>
5233
5234<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a>
5235configuration parameter. See there for details. </p>
5236
5237<p> This feature is available in Postfix 2.5 and later. </p>
5238
5239
5240</DD>
5241
5242<DT><b><a name="lmtp_per_record_deadline">lmtp_per_record_deadline</a>
5243(default: no)</b></DT><DD>
5244
5245<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a>
5246configuration parameter.  See there for details. </p>
5247
5248<p> This feature is available in Postfix 2.9 and later.  </p>
5249
5250
5251</DD>
5252
5253<DT><b><a name="lmtp_per_request_deadline">lmtp_per_request_deadline</a>
5254(default: no)</b></DT><DD>
5255
5256<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>
5257configuration parameter. See there for details. </p>
5258
5259<p> This feature is available in Postfix 3.7 and later. </p>
5260
5261
5262</DD>
5263
5264<DT><b><a name="lmtp_pix_workaround_delay_time">lmtp_pix_workaround_delay_time</a>
5265(default: 10s)</b></DT><DD>
5266
5267<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a>
5268configuration parameter.  See there for details. </p>
5269
5270<p> This feature is available in Postfix 2.3 and later. </p>
5271
5272
5273</DD>
5274
5275<DT><b><a name="lmtp_pix_workaround_maps">lmtp_pix_workaround_maps</a>
5276(default: empty)</b></DT><DD>
5277
5278<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a>
5279configuration parameter.  See there for details. </p>
5280
5281<p> This feature is available in Postfix 2.4 and later. </p>
5282
5283
5284</DD>
5285
5286<DT><b><a name="lmtp_pix_workaround_threshold_time">lmtp_pix_workaround_threshold_time</a>
5287(default: 500s)</b></DT><DD>
5288
5289<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a>
5290configuration parameter.  See there for details. </p>
5291
5292<p> This feature is available in Postfix 2.3 and later. </p>
5293
5294
5295</DD>
5296
5297<DT><b><a name="lmtp_pix_workarounds">lmtp_pix_workarounds</a>
5298(default: empty)</b></DT><DD>
5299
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a>
configuration parameter.  See there for details. </p>
5302
5303<p> This feature is available in Postfix 2.4 and later. </p>
5304
5305
5306</DD>
5307
5308<DT><b><a name="lmtp_quit_timeout">lmtp_quit_timeout</a>
5309(default: 300s)</b></DT><DD>
5310
5311<p>
5312The Postfix LMTP client time limit for sending the QUIT command,
5313and for receiving the remote LMTP server response.
5314</p>
5315
5316<p> Specify a non-zero time value (an integral value plus an optional
5317one-letter suffix that specifies the time unit).  Time units: s
5318(seconds), m (minutes), h (hours), d (days), w (weeks).
5319The default time unit is s (seconds).  </p>
5320
5321
5322</DD>
5323
5324<DT><b><a name="lmtp_quote_rfc821_envelope">lmtp_quote_rfc821_envelope</a>
5325(default: yes)</b></DT><DD>
5326
5327<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a>
5328configuration parameter.  See there for details. </p>
5329
5330<p> This feature is available in Postfix 2.3 and later. </p>
5331
5332
5333</DD>
5334
5335<DT><b><a name="lmtp_randomize_addresses">lmtp_randomize_addresses</a>
5336(default: yes)</b></DT><DD>
5337
5338<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a>
5339configuration parameter.  See there for details. </p>
5340
5341<p> This feature is available in Postfix 2.3 and later. </p>
5342
5343
5344</DD>
5345
5346<DT><b><a name="lmtp_rcpt_timeout">lmtp_rcpt_timeout</a>
5347(default: 300s)</b></DT><DD>
5348
5349<p>
5350The Postfix LMTP client time limit for sending the RCPT TO command,
5351and for receiving the remote LMTP server response.
5352</p>
5353
5354<p> Specify a non-zero time value (an integral value plus an optional
5355one-letter suffix that specifies the time unit).  Time units: s
5356(seconds), m (minutes), h (hours), d (days), w (weeks).
5357The default time unit is s (seconds).  </p>
5358
5359
5360</DD>
5361
5362<DT><b><a name="lmtp_reply_filter">lmtp_reply_filter</a>
5363(default: empty)</b></DT><DD>
5364
5365<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a>
5366configuration parameter.  See there for details. </p>
5367
5368<p> This feature is available in Postfix 2.7 and later. </p>
5369
5370
5371</DD>
5372
5373<DT><b><a name="lmtp_rset_timeout">lmtp_rset_timeout</a>
5374(default: 20s)</b></DT><DD>
5375
<p> The Postfix LMTP client time limit for sending the RSET command,
and for receiving the remote LMTP server response. The LMTP client
sends RSET in order to finish a recipient address probe, or to verify
that a cached connection is still alive.  </p>
5381
5382<p> Specify a non-zero time value (an integral value plus an optional
5383one-letter suffix that specifies the time unit).  Time units: s
5384(seconds), m (minutes), h (hours), d (days), w (weeks).
5385The default time unit is s (seconds).  </p>
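<p> The time-value format shared by lmtp_lhlo_timeout, lmtp_mail_timeout,
lmtp_rcpt_timeout, lmtp_quit_timeout and this parameter, as an added Python
example (not Postfix code): it converts a value such as "300s" or "90d" to
seconds using the units listed above, rejects zero and unknown suffixes, and
resolves a set of main.cf settings against the defaults quoted from this
page. The function names are assumptions. </p>

```python
"""Postfix time-value parsing as described for the lmtp_*_timeout
parameters: an integer plus an optional one-letter unit, default s.
Added example, not Postfix code."""
import re
from typing import Dict, List, Tuple

# Units and their lengths in seconds, as listed on the page.
SECONDS_PER_UNIT: Dict[str, int] = {
    "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
}
_TIME_RE = re.compile(r"^(\d+)([a-z]?)$")


def parse_time_value(value: str, default_unit: str = "s") -> int:
    """Return the number of seconds denoted by a value such as '300s',
    '90d' or '20'.  Raises ValueError for a malformed value, an unknown
    suffix, or a zero value (the timeouts above require non-zero)."""
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed time value: {value!r}")
    number, unit = m.groups()
    unit = unit or default_unit
    if unit not in SECONDS_PER_UNIT:
        raise ValueError(f"unknown time unit {unit!r} in {value!r}")
    seconds = int(number) * SECONDS_PER_UNIT[unit]
    if seconds == 0:
        raise ValueError(f"time value must be non-zero: {value!r}")
    return seconds


def is_valid_time_value(value: str) -> bool:
    """True if parse_time_value() accepts the value."""
    try:
        parse_time_value(value)
        return True
    except ValueError:
        return False


# Defaults quoted from the page for the LMTP client command timeouts.
PAGE_DEFAULTS: Dict[str, str] = {
    "lmtp_lhlo_timeout": "300s",
    "lmtp_mail_timeout": "300s",
    "lmtp_rcpt_timeout": "300s",
    "lmtp_rset_timeout": "20s",
    "lmtp_quit_timeout": "300s",
}


def check_timeouts(settings: Dict[str, str]
                   ) -> Tuple[Dict[str, int], List[str]]:
    """Resolve each lmtp_*_timeout setting to seconds.

    Settings absent from the input fall back to PAGE_DEFAULTS; values that
    the parser rejects are reported in the returned problem list instead
    of being resolved."""
    resolved: Dict[str, int] = {}
    problems: List[str] = []
    for name, default in PAGE_DEFAULTS.items():
        raw = settings.get(name, default)
        try:
            resolved[name] = parse_time_value(raw)
        except ValueError as err:
            problems.append(f"{name}: {err}")
    return resolved, problems


if __name__ == "__main__":
    # Constructed main.cf excerpt: one override in minutes, one invalid zero.
    print(check_timeouts({"lmtp_rset_timeout": "1m",
                          "lmtp_mail_timeout": "0"}))
```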
5386
5387
5388</DD>
5389
5390<DT><b><a name="lmtp_sasl_auth_cache_name">lmtp_sasl_auth_cache_name</a>
5391(default: empty)</b></DT><DD>
5392
5393<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
5394configuration parameter.  See there for details. </p>
5395
5396<p> This feature is available in Postfix 2.5 and later. </p>
5397
5398
5399</DD>
5400
5401<DT><b><a name="lmtp_sasl_auth_cache_time">lmtp_sasl_auth_cache_time</a>
5402(default: 90d)</b></DT><DD>
5403
5404<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a>
5405configuration parameter.  See there for details. </p>
5406
5407<p> This feature is available in Postfix 2.5 and later. </p>
5408
5409
5410</DD>
5411
5412<DT><b><a name="lmtp_sasl_auth_enable">lmtp_sasl_auth_enable</a>
5413(default: no)</b></DT><DD>
5414
5415<p>
5416Enable SASL authentication in the Postfix LMTP client.
5417</p>
5418
5419
5420</DD>
5421
5422<DT><b><a name="lmtp_sasl_auth_soft_bounce">lmtp_sasl_auth_soft_bounce</a>
5423(default: yes)</b></DT><DD>
5424
5425<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a>
5426configuration parameter.  See there for details. </p>
5427
5428<p> This feature is available in Postfix 2.5 and later. </p>
5429
5430
5431</DD>
5432
5433<DT><b><a name="lmtp_sasl_mechanism_filter">lmtp_sasl_mechanism_filter</a>
5434(default: empty)</b></DT><DD>
5435
5436<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a>
5437configuration parameter.  See there for details. </p>
5438
5439<p> This feature is available in Postfix 2.3 and later. </p>
5440
5441
5442</DD>
5443
5444<DT><b><a name="lmtp_sasl_password_maps">lmtp_sasl_password_maps</a>
5445(default: empty)</b></DT><DD>
5446
5447<p>
5448Optional Postfix LMTP client lookup tables with one username:password entry
5449per host or domain.  If a remote host or domain has no username:password
5450entry, then the Postfix LMTP client will not attempt to authenticate
5451to the remote host.
5452</p>
5453
5454
5455</DD>
5456
5457<DT><b><a name="lmtp_sasl_password_result_delimiter">lmtp_sasl_password_result_delimiter</a>
5458(default: :)</b></DT><DD>
5459
5460<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a>
5461configuration parameter.  See there for details. </p>
5462
5463
5464</DD>
5465
5466<DT><b><a name="lmtp_sasl_path">lmtp_sasl_path</a>
5467(default: empty)</b></DT><DD>
5468
5469<p> Implementation-specific information that is passed through to
5470the SASL plug-in implementation that is selected with
5471<b><a href="postconf.5.html#lmtp_sasl_type">lmtp_sasl_type</a></b>.  Typically this specifies the name of a
5472configuration file or rendezvous point. </p>
5473
5474<p> This feature is available in Postfix 2.3 and later. </p>
5475
5476
5477</DD>
5478
5479<DT><b><a name="lmtp_sasl_security_options">lmtp_sasl_security_options</a>
5480(default: noplaintext, noanonymous)</b></DT><DD>
5481
5482<p> SASL security options; as of Postfix 2.3 the list of available
5483features depends on the SASL client implementation that is selected
5484with <b><a href="postconf.5.html#lmtp_sasl_type">lmtp_sasl_type</a></b>.  </p>
5485
5486<p> The following security features are defined for the <b>cyrus</b>
5487client SASL implementation: </p>
5488
5489<dl>
5490
5491<dt><b>noplaintext</b></dt>
5492
5493<dd>Disallow authentication methods that use plaintext passwords. </dd>
5494
5495<dt><b>noactive</b></dt>
5496
5497<dd>Disallow authentication methods that are vulnerable to non-dictionary
5498active attacks. </dd>
5499
5500<dt><b>nodictionary</b></dt>
5501
5502<dd>Disallow authentication methods that are vulnerable to passive
5503dictionary attacks. </dd>
5504
5505<dt><b>noanonymous</b></dt>
5506
5507<dd>Disallow anonymous logins. </dd>
5508
5509</dl>
5510
5511<p>
5512Example:
5513</p>
5514
5515<pre>
5516<a href="postconf.5.html#lmtp_sasl_security_options">lmtp_sasl_security_options</a> = noplaintext
5517</pre>
5518
5519
5520</DD>
5521
5522<DT><b><a name="lmtp_sasl_tls_security_options">lmtp_sasl_tls_security_options</a>
5523(default: $<a href="postconf.5.html#lmtp_sasl_security_options">lmtp_sasl_security_options</a>)</b></DT><DD>
5524
5525<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>
5526configuration parameter.  See there for details. </p>
5527
5528<p> This feature is available in Postfix 2.3 and later. </p>
5529
5530
5531</DD>
5532
5533<DT><b><a name="lmtp_sasl_tls_verified_security_options">lmtp_sasl_tls_verified_security_options</a>
5534(default: $<a href="postconf.5.html#lmtp_sasl_tls_security_options">lmtp_sasl_tls_security_options</a>)</b></DT><DD>
5535
5536<p> The LMTP-specific version of the
5537<a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> configuration parameter.
5538See there for details. </p>
5539
5540<p> This feature is available in Postfix 2.3 and later. </p>
5541
5542
5543</DD>
5544
5545<DT><b><a name="lmtp_sasl_type">lmtp_sasl_type</a>
5546(default: cyrus)</b></DT><DD>
5547
5548<p> The SASL plug-in type that the Postfix LMTP client should use
5549for authentication.  The available types are listed with the
5550"<b>postconf -A</b>" command. </p>
5551
5552<p> This feature is available in Postfix 2.3 and later. </p>
5553
5554
5555</DD>
5556
5557<DT><b><a name="lmtp_send_dummy_mail_auth">lmtp_send_dummy_mail_auth</a>
5558(default: no)</b></DT><DD>
5559
5560<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a>
5561configuration parameter.  See there for details. </p>
5562
5563<p> This feature is available in Postfix 2.9 and later.  </p>
5564
5565
5566</DD>
5567
5568<DT><b><a name="lmtp_send_xforward_command">lmtp_send_xforward_command</a>
5569(default: no)</b></DT><DD>
5570
5571<p>
5572Send an XFORWARD command to the remote LMTP server when the LMTP LHLO
5573server response announces XFORWARD support.  This allows an <a href="lmtp.8.html">lmtp(8)</a>
5574delivery agent, used for content filter message injection, to
5575forward the name, address, protocol and HELO name of the original
5576client to the content filter and downstream LMTP server.
5577Before you change the value to yes, it is best to make sure that
5578your content filter supports this command.
5579</p>
5580
5581<p>
5582This feature is available in Postfix 2.1 and later.
5583</p>
5584
5585
5586</DD>
5587
5588<DT><b><a name="lmtp_sender_dependent_authentication">lmtp_sender_dependent_authentication</a>
5589(default: no)</b></DT><DD>
5590
5591<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a>
5592configuration parameter.  See there for details. </p>
5593
5594<p> This feature is available in Postfix 2.3 and later. </p>
5595
5596
5597</DD>
5598
5599<DT><b><a name="lmtp_skip_5xx_greeting">lmtp_skip_5xx_greeting</a>
5600(default: yes)</b></DT><DD>
5601
5602<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a>
5603configuration parameter.  See there for details. </p>
5604
5605<p> This feature is available in Postfix 2.3 and later. </p>
5606
5607
5608</DD>
5609
5610<DT><b><a name="lmtp_skip_quit_response">lmtp_skip_quit_response</a>
5611(default: no)</b></DT><DD>
5612
5613<p>
5614Wait for the response to the LMTP QUIT command.
5615</p>
5616
5617
5618</DD>
5619
5620<DT><b><a name="lmtp_starttls_timeout">lmtp_starttls_timeout</a>
5621(default: 300s)</b></DT><DD>
5622
5623<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> configuration
5624parameter.  See there for details. </p>
5625
5626<p> This feature is available in Postfix 2.3 and later. </p>
5627
5628
5629</DD>
5630
5631<DT><b><a name="lmtp_tcp_port">lmtp_tcp_port</a>
5632(default: 24)</b></DT><DD>
5633
5634<p>
5635The default TCP port that the Postfix LMTP client connects to.
5636Specify a symbolic name (see services(5)) or a numeric port.
5637</p>
5638
5639
5640</DD>
5641
5642<DT><b><a name="lmtp_tls_CAfile">lmtp_tls_CAfile</a>
5643(default: empty)</b></DT><DD>
5644
5645<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>
5646configuration parameter.  See there for details. </p>
5647
5648<p> This feature is available in Postfix 2.3 and later. </p>
5649
5650
5651</DD>
5652
5653<DT><b><a name="lmtp_tls_CApath">lmtp_tls_CApath</a>
5654(default: empty)</b></DT><DD>
5655
5656<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>
5657configuration parameter.  See there for details. </p>
5658
5659<p> This feature is available in Postfix 2.3 and later. </p>
5660
5661
5662</DD>
5663
5664<DT><b><a name="lmtp_tls_block_early_mail_reply">lmtp_tls_block_early_mail_reply</a>
5665(default: empty)</b></DT><DD>
5666
5667<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a>
5668configuration parameter.  See there for details. </p>
5669
5670<p> This feature is available in Postfix 2.7 and later. </p>
5671
5672
5673</DD>
5674
5675<DT><b><a name="lmtp_tls_cert_file">lmtp_tls_cert_file</a>
5676(default: empty)</b></DT><DD>
5677
5678<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>
5679configuration parameter.  See there for details. </p>
5680
5681<p> This feature is available in Postfix 2.3 and later. </p>
5682
5683
5684</DD>
5685
5686<DT><b><a name="lmtp_tls_chain_files">lmtp_tls_chain_files</a>
5687(default: empty)</b></DT><DD>
5688
5689<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> configuration
5690parameter. See there for details. </p>
5691
5692<p> This feature is available in Postfix 3.4 and later.  </p>
5693
5694
5695</DD>
5696
5697<DT><b><a name="lmtp_tls_ciphers">lmtp_tls_ciphers</a>
5698(default: medium)</b></DT><DD>
5699
5700<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> configuration
5701parameter. See there for details. </p>
5702
5703<p> This feature is available in Postfix 2.6 and later. </p>
5704
5705
5706</DD>
5707
5708<DT><b><a name="lmtp_tls_connection_reuse">lmtp_tls_connection_reuse</a>
5709(default: no)</b></DT><DD>
5710
5711<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> configuration
5712parameter. See there for details. </p>
5713
5714<p> This feature is available in Postfix 3.4 and later. </p>
5715
5716
5717</DD>
5718
5719<DT><b><a name="lmtp_tls_dcert_file">lmtp_tls_dcert_file</a>
5720(default: empty)</b></DT><DD>
5721
5722<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>
5723configuration parameter.  See there for details. </p>
5724
5725<p> This feature is available in Postfix 2.3 and later. </p>
5726
5727
5728</DD>
5729
5730<DT><b><a name="lmtp_tls_dkey_file">lmtp_tls_dkey_file</a>
5731(default: $<a href="postconf.5.html#lmtp_tls_dcert_file">lmtp_tls_dcert_file</a>)</b></DT><DD>
5732
5733<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>
5734configuration parameter.  See there for details. </p>
5735
5736<p> This feature is available in Postfix 2.3 and later. </p>
5737
5738
5739</DD>
5740
5741<DT><b><a name="lmtp_tls_eccert_file">lmtp_tls_eccert_file</a>
5742(default: empty)</b></DT><DD>
5743
5744<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> configuration
5745parameter.  See there for details. </p>
5746
5747<p> This feature is available in Postfix 2.6 and later, when Postfix is
5748compiled and linked with OpenSSL 1.0.0 or later. </p>
5749
5750
5751</DD>
5752
5753<DT><b><a name="lmtp_tls_eckey_file">lmtp_tls_eckey_file</a>
5754(default: empty)</b></DT><DD>
5755
5756<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> configuration
5757parameter.  See there for details. </p>
5758
5759<p> This feature is available in Postfix 2.6 and later, when Postfix is
5760compiled and linked with OpenSSL 1.0.0 or later. </p>
5761
5762
5763</DD>
5764
5765<DT><b><a name="lmtp_tls_enable_rpk">lmtp_tls_enable_rpk</a>
5766(default: yes)</b></DT><DD>
5767
5768<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a>
5769configuration parameter.  See there for details. </p>
5770
5771<p> This feature is available in Postfix 3.9 and later. </p>
5772
5773
5774</DD>
5775
5776<DT><b><a name="lmtp_tls_enforce_peername">lmtp_tls_enforce_peername</a>
5777(default: yes)</b></DT><DD>
5778
5779<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
5780configuration parameter.  See there for details. </p>
5781
5782<p> This feature is available in Postfix 2.3 and later. </p>
5783
5784
5785</DD>
5786
5787<DT><b><a name="lmtp_tls_exclude_ciphers">lmtp_tls_exclude_ciphers</a>
5788(default: empty)</b></DT><DD>
5789
5790<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>
5791configuration parameter.  See there for details. </p>
5792
5793<p> This feature is available in Postfix 2.3 and later. </p>
5794
5795
5796</DD>
5797
5798<DT><b><a name="lmtp_tls_fingerprint_cert_match">lmtp_tls_fingerprint_cert_match</a>
5799(default: empty)</b></DT><DD>
5800
5801<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a>
5802configuration parameter.  See there for details. </p>
5803
5804<p> This feature is available in Postfix 2.5 and later. </p>
5805
5806
5807</DD>
5808
5809<DT><b><a name="lmtp_tls_fingerprint_digest">lmtp_tls_fingerprint_digest</a>
5810(default: see "postconf -d" output)</b></DT><DD>
5811
5812<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>
5813configuration parameter.  See there for details. </p>
5814
5815<p> This feature is available in Postfix 2.5 and later. </p>
5816
5817
5818</DD>
5819
5820<DT><b><a name="lmtp_tls_force_insecure_host_tlsa_lookup">lmtp_tls_force_insecure_host_tlsa_lookup</a>
5821(default: no)</b></DT><DD>
5822
5823<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a>
5824configuration parameter.  See there for details. </p>
5825
5826<p> This feature is available in Postfix 2.11 and later. </p>
5827
5828
5829</DD>
5830
5831<DT><b><a name="lmtp_tls_key_file">lmtp_tls_key_file</a>
5832(default: $<a href="postconf.5.html#lmtp_tls_cert_file">lmtp_tls_cert_file</a>)</b></DT><DD>
5833
5834<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>
5835configuration parameter.  See there for details. </p>
5836
5837<p> This feature is available in Postfix 2.3 and later. </p>
5838
5839
5840</DD>
5841
5842<DT><b><a name="lmtp_tls_loglevel">lmtp_tls_loglevel</a>
5843(default: 0)</b></DT><DD>
5844
5845<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>
5846configuration parameter.  See there for details. </p>
5847
5848<p> This feature is available in Postfix 2.3 and later. </p>
5849
5850
5851</DD>
5852
5853<DT><b><a name="lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>
5854(default: medium)</b></DT><DD>
5855
5856<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>
5857configuration parameter.  See there for details. </p>
5858
5859<p> This feature is available in Postfix 2.3 and later. </p>
5860
5861
5862</DD>
5863
5864<DT><b><a name="lmtp_tls_mandatory_exclude_ciphers">lmtp_tls_mandatory_exclude_ciphers</a>
5865(default: empty)</b></DT><DD>
5866
5867<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>
5868configuration parameter.  See there for details. </p>
5869
5870<p> This feature is available in Postfix 2.3 and later. </p>
5871
5872
5873</DD>
5874
5875<DT><b><a name="lmtp_tls_mandatory_protocols">lmtp_tls_mandatory_protocols</a>
5876(default: see 'postconf -d' output)</b></DT><DD>
5877
5878<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
5879configuration parameter. See there for details. </p>
5880
5881<p> This feature is available in Postfix 2.3 and later. </p>
5882
5883
5884</DD>
5885
5886<DT><b><a name="lmtp_tls_note_starttls_offer">lmtp_tls_note_starttls_offer</a>
5887(default: no)</b></DT><DD>
5888
5889<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a>
5890configuration parameter.  See there for details. </p>
5891
5892<p> This feature is available in Postfix 2.3 and later. </p>
5893
5894
5895</DD>
5896
5897<DT><b><a name="lmtp_tls_per_site">lmtp_tls_per_site</a>
5898(default: empty)</b></DT><DD>
5899
5900<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> configuration
5901parameter.  See there for details. </p>
5902
5903<p> This feature is deprecated as of Postfix 3.9. Specify
5904<a href="postconf.5.html#lmtp_tls_policy_maps">lmtp_tls_policy_maps</a> instead. </p>
5905
5906<p> This feature is available in Postfix 2.3 and later. </p>
5907
5908
5909</DD>
5910
5911<DT><b><a name="lmtp_tls_policy_maps">lmtp_tls_policy_maps</a>
5912(default: empty)</b></DT><DD>
5913
5914<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
5915configuration parameter. See there for details. </p>
5916
5917<p> This feature is available in Postfix 2.3 and later. </p>
5918
5919
5920</DD>
5921
5922<DT><b><a name="lmtp_tls_protocols">lmtp_tls_protocols</a>
5923(default: see 'postconf -d' output)</b></DT><DD>
5924
5925<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> configuration
5926parameter. See there for details. </p>
5927
5928<p> This feature is available in Postfix 2.6 and later. </p>
5929
5930
5931</DD>
5932
5933<DT><b><a name="lmtp_tls_scert_verifydepth">lmtp_tls_scert_verifydepth</a>
5934(default: 9)</b></DT><DD>
5935
5936<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>
5937configuration parameter.  See there for details. </p>
5938
5939<p> This feature is available in Postfix 2.3 and later. </p>
5940
5941
5942</DD>
5943
5944<DT><b><a name="lmtp_tls_secure_cert_match">lmtp_tls_secure_cert_match</a>
5945(default: nexthop)</b></DT><DD>
5946
5947<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a>
5948configuration parameter. See there for details. </p>
5949
5950<p> This feature is available in Postfix 2.3 and later. </p>
5951
5952
5953</DD>
5954
5955<DT><b><a name="lmtp_tls_security_level">lmtp_tls_security_level</a>
5956(default: empty)</b></DT><DD>
5957
5958<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> configuration
5959parameter.  See there for details. </p>
5960
5961<p> This feature is available in Postfix 2.3 and later. </p>
5962
5963
5964</DD>
5965
5966<DT><b><a name="lmtp_tls_servername">lmtp_tls_servername</a>
5967(default: empty)</b></DT><DD>
5968
5969<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a> configuration
5970parameter. See there for details. </p>
5971
5972<p> This feature is available in Postfix 3.4 and later.  </p>
5973
5974
5975</DD>
5976
5977<DT><b><a name="lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a>
5978(default: empty)</b></DT><DD>
5979
5980<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
5981configuration parameter. See there for details. </p>
5982
5983<p> This feature is available in Postfix 2.3 and later. </p>
5984
5985
5986</DD>
5987
5988<DT><b><a name="lmtp_tls_session_cache_timeout">lmtp_tls_session_cache_timeout</a>
5989(default: 3600s)</b></DT><DD>
5990
5991<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a>
5992configuration parameter.  See there for details. </p>
5993
5994<p> This feature is available in Postfix 2.3 and later. </p>
5995
5996
5997</DD>
5998
5999<DT><b><a name="lmtp_tls_trust_anchor_file">lmtp_tls_trust_anchor_file</a>
6000(default: empty)</b></DT><DD>
6001
6002<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>
6003configuration parameter.  See there for details.  </p>
6004
6005<p> This feature is available in Postfix 2.11 and later.  </p>
6006
6007
6008</DD>
6009
6010<DT><b><a name="lmtp_tls_verify_cert_match">lmtp_tls_verify_cert_match</a>
6011(default: hostname)</b></DT><DD>
6012
6013<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a>
6014configuration parameter. See there for details. </p>
6015
6016<p> This feature is available in Postfix 2.3 and later. </p>
6017
6018
6019</DD>
6020
6021<DT><b><a name="lmtp_tls_wrappermode">lmtp_tls_wrappermode</a>
6022(default: no)</b></DT><DD>
6023
6024<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> configuration
6025parameter. See there for details. </p>
6026
6027<p> This feature is available in Postfix 3.0 and later. </p>
6028
6029
6030</DD>
6031
6032<DT><b><a name="lmtp_use_tls">lmtp_use_tls</a>
6033(default: no)</b></DT><DD>
6034
6035<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> configuration
6036parameter.  See there for details. </p>
6037
6038<p> This feature is deprecated as of Postfix 3.9. Specify
6039<a href="postconf.5.html#lmtp_tls_security_level">lmtp_tls_security_level</a> instead. </p>
6040
6041<p> This feature is available in Postfix 2.3 and later. </p>
6042
6043
6044</DD>
6045
6046<DT><b><a name="lmtp_xforward_timeout">lmtp_xforward_timeout</a>
6047(default: 300s)</b></DT><DD>
6048
6049<p>
6050The Postfix LMTP client time limit for sending the XFORWARD command,
6051and for receiving the remote LMTP server response.
6052</p>
6053
6054<p>
6055In case of problems the client does NOT try the next address on
6056the mail exchanger list.
6057</p>
6058
6059<p> Specify a non-zero time value (an integral value plus an optional
6060one-letter suffix that specifies the time unit).  Time units: s
6061(seconds), m (minutes), h (hours), d (days), w (weeks).
6062The default time unit is s (seconds).  </p>
6063
6064<p>
6065This feature is available in Postfix 2.1 and later.
6066</p>
6067
6068
6069</DD>
6070
6071<DT><b><a name="local_command_shell">local_command_shell</a>
6072(default: empty)</b></DT><DD>
6073
6074<p>
6075Optional shell program for <a href="local.8.html">local(8)</a> delivery to non-Postfix commands.
6076By default, non-Postfix commands are executed directly; commands
6077are given to the default shell (typically, /bin/sh) only when they
6078contain shell meta characters or shell built-in commands.
6079</p>
6080
6081<p> "sendmail's restricted shell" (smrsh) is what most people will
6082use in order to restrict what programs can be run from e.g. .forward
6083files (smrsh is part of the Sendmail distribution).  </p>
6084
6085<p> Note: when a shell program is specified, it is invoked even
6086when the command contains no shell built-in commands or meta
6087characters.  </p>
6088
6089<p>
6090Example:
6091</p>
6092
6093<pre>
6094<a href="postconf.5.html#local_command_shell">local_command_shell</a> = /some/where/smrsh -c
6095<a href="postconf.5.html#local_command_shell">local_command_shell</a> = /bin/bash -c
6096</pre>
6097
6098
6099</DD>
6100
6101<DT><b><a name="local_delivery_status_filter">local_delivery_status_filter</a>
6102(default: $<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b></DT><DD>
6103
6104<p> Optional filter for the <a href="local.8.html">local(8)</a> delivery agent to change the
6105status code or explanatory text of successful or unsuccessful
6106deliveries.  See <a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a> for details.  </p>
6107
6108<p> This feature is available in Postfix 3.0 and later. </p>
6109
6110
6111</DD>
6112
6113<DT><b><a name="local_destination_concurrency_limit">local_destination_concurrency_limit</a>
6114(default: 2)</b></DT><DD>
6115
6116<p> The maximal number of parallel deliveries via the local mail
6117delivery transport to the same recipient (when
6118"<a href="postconf.5.html#local_destination_recipient_limit">local_destination_recipient_limit</a> = 1") or the maximal number of
6119parallel deliveries to the same <a href="ADDRESS_CLASS_README.html#local_domain_class">local domain</a> (when
6120"<a href="postconf.5.html#local_destination_recipient_limit">local_destination_recipient_limit</a> &gt; 1"). This limit is enforced by
6121the queue manager. The message delivery transport name is the first
6122field in the entry in the <a href="master.5.html">master.cf</a> file. </p>
6123
6124<p> A low limit of 2 is recommended, just in case someone has an
6125expensive shell command in a .forward file or in an alias (e.g.,
6126a mailing list manager).  You don't want to run lots of those at
6127the same time.  </p>
6128
6129
6130</DD>
6131
6132<DT><b><a name="local_destination_recipient_limit">local_destination_recipient_limit</a>
6133(default: 1)</b></DT><DD>
6134
6135<p> The maximal number of recipients per message delivery via the
6136local mail delivery transport. This limit is enforced by the queue
6137manager. The message delivery transport name is the first field in
6138the entry in the <a href="master.5.html">master.cf</a> file. </p>
6139
6140<p> Setting this parameter to a value &gt; 1 changes the meaning of
6141<a href="postconf.5.html#local_destination_concurrency_limit">local_destination_concurrency_limit</a> from concurrency per recipient
6142into concurrency per domain.  </p>
6143
6144
6145</DD>
6146
6147<DT><b><a name="local_header_rewrite_clients">local_header_rewrite_clients</a>
6148(default: <a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b></DT><DD>
6149
6150<p> Rewrite or add message headers in mail from these clients,
6151updating incomplete addresses with the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or
6152$<a href="postconf.5.html#mydomain">mydomain</a>, and adding missing headers. </p>
6153
6154<p> See the <a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a> and <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a> parameters
6155for details of how domain names are appended to incomplete addresses.
6156</p>
6157
6158<p> See <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> to optionally rewrite or add
6159message headers in mail from other clients. </p>
6160
6161<p> Specify a list of zero or more of the following:  </p>
6162
6163<dl>
6164
6165<dt><b><a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a></b></dt>
6166
6167<dd> Append the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> when the
6168client IP address matches $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>. This is enabled by
6169default. </dd>
6170
6171<dt><b><a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a></b></dt>
6172
6173<dd> Append the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> when the
6174client IP address matches any network or network address listed in
6175$<a href="postconf.5.html#mynetworks">mynetworks</a>. This setting will not prevent remote mail header
6176address rewriting when mail from a remote client is forwarded by
6177a neighboring system.  </dd>
6178
6179<dt><b><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a> </b></dt>
6180
6181<dd> Append the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> when the
6182client is successfully authenticated via the <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH)
6183protocol. </dd>
6184
6185<dt><b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a> </b></dt>
6186
6187<dd> Append the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> when the
6188remote SMTP client TLS certificate fingerprint or public key fingerprint
6189(Postfix 2.9 and later) is listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>.
6190The fingerprint digest algorithm is configurable via the
6191<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
6192Postfix version 2.5).  </dd>
6193
6194<dd> The default algorithm is <b>sha256</b> with Postfix &ge; 3.6
6195and the <b><a href="postconf.5.html#compatibility_level">compatibility_level</a></b> set to 3.6 or higher. With Postfix
6196&le; 3.5, the default algorithm is <b>md5</b>.  The best-practice
6197algorithm is now <b>sha256</b>. Recent advances in hash function
6198cryptanalysis have led to md5 and sha1 being deprecated in favor of
6199sha256.  However, as long as there are no known "second pre-image"
6200attacks against the older algorithms, their use in this context, though
6201not recommended, is still likely safe.  </dd>
6202
6203<dt><b><a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a> </b></dt>
6204
6205<dd> Append the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> when the
6206remote SMTP client TLS certificate is successfully verified, regardless of
6207whether it is listed on the server, and regardless of the certifying
6208authority. </dd>
6209
6210<dt><b><a name="check_address_map">check_address_map</a> <i><a href="DATABASE_README.html">type:table</a></i> </b></dt>
6211
6212<dt><b><i><a href="DATABASE_README.html">type:table</a></i> </b></dt>
6213
6214<dd> Append the domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> when the
6215client IP address matches the specified lookup table.
6216The lookup result is ignored, and no subnet lookup is done. This
6217is suitable for, e.g., pop-before-smtp lookup tables. </dd>
6218
6219</dl>
6220
6221<p> Examples:  </p>
6222
6223<p> The Postfix &lt; 2.2 backwards compatible setting: always rewrite
6224message headers, and always append my own domain to incomplete
6225header addresses.  </p>
6226
6227<blockquote>
6228<pre>
6229<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all
6230</pre>
6231</blockquote>
6232
6233<p> The purist (and default) setting: rewrite headers only in mail
6234from Postfix sendmail and in SMTP mail from this machine. </p>
6235
6236<blockquote>
6237<pre>
6238<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>
6239</pre>
6240</blockquote>
6241
6242<p> The intermediate setting: rewrite header addresses and append
6243$<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a> information only with mail from Postfix
6244sendmail, from local clients, or from authorized SMTP clients. </p>
6245
6246<p> Note: this setting will not prevent remote mail header address
6247rewriting when mail from a remote client is forwarded by a neighboring
6248system.  </p>
6249
6250<blockquote>
6251<pre>
6252<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
6253    <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a> <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
6254    <a href="postconf.5.html#check_address_map">check_address_map</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/pop-before-smtp
6255</pre>
6256</blockquote>
6257
6258
6259</DD>
6260
6261<DT><b><a name="local_login_sender_maps">local_login_sender_maps</a>
6262(default: <a href="DATABASE_README.html#types">static</a>:*)</b></DT><DD>
6263
6264<p> A list of lookup tables that are searched by the UNIX login name,
6265and that return a list of allowed envelope sender patterns separated
6266by space or comma. These sender patterns are enforced by the Postfix
6267<a href="postdrop.1.html">postdrop(1)</a> command. The default is backwards-compatible:
6268every user may specify any sender envelope address. </p>
6269
6270<p> When no UNIX login name is available, the <a href="postdrop.1.html">postdrop(1)</a> command will
6271prepend "<b>uid:</b>" to the numerical UID and use that instead. </p>
6272
6273<p> This feature ignores address extensions in the user-specified
6274envelope sender address. </p>
6275
6276<p> Note: to enforce that the From: header address matches the envelope
6277sender (MAIL FROM) address, specify an external filter such as a Milter,
6278with the <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a> parameter. For example:
6279<a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. </p>
6280
6281<p> The following sender patterns are special; these cannot be used
6282as part of a longer pattern. </p>
6283
6284<dl compact>
6285
<dt> <b> * </b> </dt> <dd> This pattern allows any envelope sender address.
6287</dd>
6288
6289<dt> <b> &lt;&gt; </b> </dt> <dd> This pattern allows the empty
6290envelope sender address. See the
6291<a href="postconf.5.html#empty_address_local_login_sender_maps_lookup_key">empty_address_local_login_sender_maps_lookup_key</a> configuration
6292parameter. </dd>
6293
6294<dt> <b> @</b><i>domain</i> </dt> <dd> This pattern allows an
6295envelope sender address when the '<b>@</b>' and <i>domain</i> part
6296match. </dd>
6297
6298</dl>
6299
6300<p> Examples: </p>
6301
6302<pre>
6303/etc/postfix/<a href="postconf.5.html">main.cf</a>:
6304    # Allow root and postfix full control, anyone else can only
6305    # send mail as themselves. Use "uid:" followed by the numerical
6306    # UID when the UID has no entry in the UNIX password file.
6307    <a href="postconf.5.html#local_login_sender_maps">local_login_sender_maps</a> =
6308        <a href="DATABASE_README.html#types">inline</a>:{ { root = * }, { postfix = * } },
6309        <a href="pcre_table.5.html">pcre</a>:/etc/postfix/login_senders
6310</pre>
6311
6312<pre>
6313/etc/postfix/login_senders:
    # Allow both the bare username and the user@domain forms.
    /(.+)/ $1 $1@example.com
6316</pre>
6317
6318<p> This feature is available in Postfix 3.6 and later. </p>
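<p> To make the matching rules above concrete, here is an added Python emulation of the postdrop(1) decision (example code, not part of Postfix or of this manual page). It models the two tables from the example above, adds one constructed "www-data" entry to exercise the "&lt;&gt;" and "@<i>domain</i>" patterns, and assumes "+" as the recipient_delimiter and case-insensitive address comparison. </p>

```python
import re

# Assumption (not stated in this parameter's text): the site uses "+" as
# recipient_delimiter; the extension is ignored when the sender is matched.
RECIPIENT_DELIMITER = "+"

# Constructed stand-ins for the documented tables:
#   inline:{ { root = * }, { postfix = * } }
# plus one constructed "www-data" entry exercising the "<>" and "@domain" forms.
INLINE_TABLE = {
    "root": "*",
    "postfix": "*",
    "www-data": "<>, @bounces.example.com",
}
# pcre:/etc/postfix/login_senders, i.e. "/(.+)/ $1 $1@example.com".
# Postfix writes back-references as $1; Python's re uses \1.
PCRE_TABLE = [(re.compile(r"(.+)"), r"\1 \1@example.com")]


def login_key(login, uid):
    """postdrop(1) searches by login name, or by "uid:<number>" when none is known."""
    return login if login else f"uid:{uid}"


def lookup_patterns(key):
    """Search the tables in the configured order; the first hit supplies the patterns."""
    if key in INLINE_TABLE:
        raw = INLINE_TABLE[key]
    else:
        for regex, replacement in PCRE_TABLE:
            match = regex.search(key)
            if match:
                raw = match.expand(replacement)
                break
        else:
            return []
    # The returned patterns are separated by whitespace or comma.
    return [p for p in re.split(r"[\s,]+", raw) if p]


def strip_extension(sender):
    """Ignore the address extension: user+ext@domain -> user@domain."""
    localpart, at, domain = sender.rpartition("@")
    if not at:
        localpart, domain = sender, ""
    base = localpart.split(RECIPIENT_DELIMITER, 1)[0] or localpart
    return f"{base}@{domain}" if at else base


def pattern_matches(pattern, sender):
    """Apply one allowed-sender pattern; "*", "<>" and "@domain" are the special forms."""
    if pattern == "*":
        return True
    if pattern == "<>":                      # only the empty envelope sender
        return sender == ""
    if pattern.startswith("@"):              # the "@" and domain part must match
        _, at, domain = sender.rpartition("@")
        return bool(at) and domain.lower() == pattern[1:].lower()
    # Anything else is a complete address; assumption: compared case-insensitively.
    return sender.lower() == pattern.lower()


def sender_allowed(sender, login=None, uid=None):
    """Emulate the postdrop(1) check: may this submitter use this envelope sender?"""
    sender = strip_extension(sender)
    patterns = lookup_patterns(login_key(login, uid))
    return any(pattern_matches(p, sender) for p in patterns)
```

<p> Note that with the documented pcre rule a submitter without a login name is keyed as "uid:4242", so that same string (and "uid:4242@example.com") becomes the only sender it may use. </p>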
6319
6320
6321</DD>
6322
6323<DT><b><a name="local_recipient_maps">local_recipient_maps</a>
6324(default: <a href="proxymap.8.html">proxy</a>:unix:passwd.byname $<a href="postconf.5.html#alias_maps">alias_maps</a>)</b></DT><DD>
6325
6326<p> Lookup tables with all names or addresses of valid local
6327recipients. A recipient address is local when its domain matches
6328$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. </p>
6329
6330<p> If the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter value is non-empty (the
6331default), then the Postfix SMTP server queries <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>
6332as specified in "<a href="LOCAL_RECIPIENT_README.html#format">Local
6333recipient table query format</a>", and rejects mail for unknown
6334local recipients. Other Postfix interfaces such as the Postfix
6335<a href="sendmail.1.html">sendmail(1)</a> command may still accept an "unknown" recipient.  </p>
6336
6337<p> The default <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> setting assumes that <a href="postconf.5.html#local_transport">local_transport</a>
6338specifies the UNIX-compatible <a href="local.8.html">local(8)</a> delivery agent which queries
the UNIX passwd database (typically, /etc/passwd) and the local
6340aliases database (typically, /etc/aliases). The <a href="proxymap.8.html">proxy</a>: agent allows
6341the Postfix SMTP server to access the UNIX passwd database from
6342outside a chroot jail. </p>
6343
6344<p> For other local mail delivery configurations, see  "<a href="LOCAL_RECIPIENT_README.html#change">When you need to
6345change the local_recipient_maps setting in main.cf</a>". </p>
6346
6347<p>
6348Technically, tables listed with $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> are used as
6349lists: The Postfix SMTP server needs to know only if a lookup string
6350is found or not, but it does not use the result from table lookup. </p>
6351
6352<p>
6353Specify zero or more "type:name" lookup tables, separated by
6354whitespace or comma. Tables will be searched in the specified order
6355until a match is found.
6356</p>
6357
6358<p>
6359To turn off local recipient checking in the Postfix SMTP server,
6360specify "<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> =" (i.e. empty).
6361</p>
6362
6363<p>
6364Examples:
6365</p>
6366
6367<pre>
6368<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> =
6369</pre>
6370
6371
6372</DD>
6373
6374<DT><b><a name="local_transport">local_transport</a>
6375(default: <a href="local.8.html">local</a>:$<a href="postconf.5.html#myhostname">myhostname</a>)</b></DT><DD>
6376
6377<p> The default mail delivery transport and next-hop destination
6378for final delivery to domains listed with <a href="postconf.5.html#mydestination">mydestination</a>, and for
6379[ipaddress] destinations that match $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
6380This information can be overruled with the <a href="transport.5.html">transport(5)</a> table. </p>
6381
6382<p>
6383By default, local mail is delivered to the transport called "local",
which is just the name of a service that is defined in the <a href="master.5.html">master.cf</a> file.
6385</p>
6386
6387<p>
6388Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
6389is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>.
6390The <i>:nexthop</i> destination is optional; its syntax is documented
6391in the manual page of the corresponding delivery agent.
6392</p>
6393
6394<p>
6395Beware: if you override the default local delivery agent then you
6396need to review the <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> document, otherwise the
6397SMTP server may reject mail for local recipients.
6398</p>
6399
6400
6401</DD>
6402
6403<DT><b><a name="luser_relay">luser_relay</a>
6404(default: empty)</b></DT><DD>
6405
6406<p>
6407Optional catch-all destination for unknown <a href="local.8.html">local(8)</a> recipients.
6408By default, mail for unknown recipients in domains that match
6409$<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> is returned
6410as undeliverable.
6411</p>
6412
6413<p>
6414The <a href="postconf.5.html#luser_relay">luser_relay</a> value is not subject to Postfix configuration
6415parameter $name expansion. Instead, the following $name expansions
6416are done:
6417</p>
6418
6419<dl>
6420
6421<dt><b>$domain</b></dt>
6422
6423<dd>The recipient domain. </dd>
6424
6425<dt><b>$extension</b></dt>
6426
6427<dd>The recipient address extension. </dd>
6428
6429<dt><b>$home</b></dt>
6430
6431<dd>The recipient's home directory. </dd>
6432
6433<dt><b>$local</b></dt>
6434
6435<dd>The entire recipient address localpart. </dd>
6436
6437<dt><b>$recipient</b></dt>
6438
6439<dd>The full recipient address. </dd>
6440
6441<dt><b>$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a></b></dt>
6442
6443<dd>The address extension delimiter that was found in the recipient
6444address (Postfix 2.11 and later), or the system-wide recipient
6445address extension delimiter (Postfix 2.10 and earlier). </dd>
6446
6447<dt><b>$shell</b></dt>
6448
6449<dd>The recipient's login shell. </dd>
6450
6451<dt><b>$user</b></dt>
6452
6453<dd>The recipient username. </dd>
6454
6455<dt><b>${name?value}</b></dt>
6456
6457<dt><b>${name?{value}}</b> (Postfix &ge; 3.0)</dt>
6458
6459<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
6460
6461<dt><b>${name:value}</b></dt>
6462
6463<dt><b>${name:{value}}</b> (Postfix &ge; 3.0)</dt>
6464
6465<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
6466
6467<dt><b>${name?{value1}:{value2}}</b> (Postfix &ge; 3.0)</dt>
6468
6469<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
6470<i>value2</i> otherwise. </dd>
6471
6472</dl>
6473
6474<p>
6475Instead of $name you can also specify ${name} or $(name).
6476</p>
6477
6478<p>
6479Note: <a href="postconf.5.html#luser_relay">luser_relay</a> works only for the Postfix <a href="local.8.html">local(8)</a> delivery agent.
6480</p>
6481
6482<p>
6483Note: if you use this feature for accounts not in the UNIX password
6484file, then you must specify "<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> =" (i.e. empty)
6485in the <a href="postconf.5.html">main.cf</a> file, otherwise the Postfix SMTP server will reject mail
6486for non-UNIX accounts with "User unknown in local recipient table".
6487</p>
6488
6489<p>
6490Examples:
6491</p>
6492
6493<pre>
6494<a href="postconf.5.html#luser_relay">luser_relay</a> = $user@other.host
6495<a href="postconf.5.html#luser_relay">luser_relay</a> = $local@other.host
6496<a href="postconf.5.html#luser_relay">luser_relay</a> = admin+$local
6497</pre>
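<p> The $name expansion rules listed above, as an added Python implementation (example code, not Postfix's own). It supports $name, ${name}, $(name) and the conditional forms, including the Postfix 3.0 brace syntax and recursive expansion of the selected value; the recipient attributes ($home, $shell) are constructed, and $(name) is assumed to accept the same body syntax as ${name}. </p>

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def _matching(text, start, open_ch, close_ch):
    """Index of the close_ch that balances the open_ch found at text[start]."""
    depth = 0
    for pos in range(start, len(text)):
        if text[pos] == open_ch:
            depth += 1
        elif text[pos] == close_ch:
            depth -= 1
            if depth == 0:
                return pos
    raise ValueError(f"unbalanced {open_ch!r} in {text!r}")


def _take_value(text):
    """A value is either {braced} (Postfix >= 3.0) or everything up to the macro's end."""
    if text.startswith("{"):
        end = _matching(text, 0, "{", "}")
        return text[1:end], text[end + 1:]
    return text, ""


def _expand_macro(body, attrs):
    """Expand the inside of ${...}: name, name?value, name:value and the brace forms."""
    name_match = NAME_RE.match(body)
    if not name_match:
        raise ValueError(f"missing name in ${{{body}}}")
    name = name_match.group(0)
    rest = body[name_match.end():]
    value = attrs.get(name, "")           # undefined names expand to the empty value
    if not rest:
        return value
    operator, rest = rest[0], rest[1:]
    if_set = if_empty = ""
    if operator == "?":                   # ${name?value} / ${name?{v1}:{v2}}
        if_set, rest = _take_value(rest)
        if rest.startswith(":"):
            if_empty, rest = _take_value(rest[1:])
    elif operator == ":":                 # ${name:value} / ${name:{value}}
        if_empty, rest = _take_value(rest)
    else:
        raise ValueError(f"unexpected {operator!r} in ${{{body}}}")
    if rest:
        raise ValueError(f"trailing text {rest!r} in ${{{body}}}")
    # The selected value is itself expanded, so it may contain further $name references.
    return expand(if_set if value else if_empty, attrs)


def expand(template, attrs):
    """Expand $name, ${name}, $(name) and the conditional forms against recipient attributes."""
    out = []
    pos = 0
    while pos < len(template):
        if template[pos] != "$":
            out.append(template[pos])
            pos += 1
            continue
        opener = template[pos + 1:pos + 2]
        if opener in ("{", "("):
            closer = "}" if opener == "{" else ")"
            end = _matching(template, pos + 1, opener, closer)
            out.append(_expand_macro(template[pos + 2:end], attrs))
            pos = end + 1
            continue
        name_match = NAME_RE.match(template, pos + 1)
        if name_match:
            out.append(attrs.get(name_match.group(0), ""))
            pos = name_match.end()
        else:
            out.append("$")               # a lone "$" is kept literally
            pos += 1
    return "".join(out)


def recipient_attributes(recipient, delimiter="+", home="/home/bob", shell="/bin/sh"):
    """Constructed $name attributes for one recipient, following the list above.

    $recipient_delimiter is the delimiter actually found in the address
    (Postfix 2.11 and later behaviour), so it is empty when there is no extension.
    """
    localpart, _, domain = recipient.rpartition("@")
    user, found, extension = localpart.partition(delimiter)
    return {
        "domain": domain,
        "extension": extension,
        "home": home,
        "local": localpart,
        "recipient": recipient,
        "recipient_delimiter": delimiter if found else "",
        "shell": shell,
        "user": user,
    }
```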
6498
6499
6500</DD>
6501
6502<DT><b><a name="mail_name">mail_name</a>
6503(default: Postfix)</b></DT><DD>
6504
6505<p>
6506The mail system name that is displayed in Received: headers, in
6507the SMTP greeting banner, and in bounced mail.
6508</p>
6509
6510
6511</DD>
6512
6513<DT><b><a name="mail_owner">mail_owner</a>
6514(default: postfix)</b></DT><DD>
6515
6516<p>
6517The UNIX system account that owns the Postfix queue and most Postfix
6518daemon processes.  Specify the name of an unprivileged user account
6519that does not share a user or group ID with other accounts, and that
6520owns no other files
6521or processes on the system.  In particular, don't specify nobody
6522or daemon.  PLEASE USE A DEDICATED USER ID AND GROUP ID.
6523</p>
6524
6525<p>
When this parameter value is changed you need to re-run "<b>postfix
set-permissions</b>" (with Postfix version 2.0 and earlier:
"<b>/etc/postfix/post-install set-permissions</b>").
6529</p>
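<p> An added check for the account requirements stated above (example code, not part of Postfix): it parses passwd(5)- and group(5)-style text and reports when the mail_owner account is missing, is nobody or daemon, has UID 0, or shares its UID or GID with another account or group member. The passwd and group contents below are constructed. </p>

```python
def parse_passwd(passwd_text):
    """Parse passwd(5)-style lines into {name: (uid, gid)}."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts


def parse_group(group_text):
    """Parse group(5)-style lines into {gid: (name, set_of_members)}."""
    groups = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, gid, members = line.split(":")
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def check_mail_owner(mail_owner, passwd_text, group_text):
    """Return a list of findings; an empty list means the account meets the requirements."""
    findings = []
    if mail_owner in ("nobody", "daemon"):
        findings.append(f"{mail_owner} is a shared system account; use a dedicated one")
    accounts = parse_passwd(passwd_text)
    if mail_owner not in accounts:
        return findings + [f"account {mail_owner} does not exist"]
    uid, gid = accounts[mail_owner]
    if uid == 0:
        findings.append(f"{mail_owner} has UID 0 and is not unprivileged")
    same_uid = sorted(n for n, (u, _) in accounts.items() if u == uid and n != mail_owner)
    if same_uid:
        findings.append(f"UID {uid} is shared with: {', '.join(same_uid)}")
    same_gid = sorted(n for n, (_, g) in accounts.items() if g == gid and n != mail_owner)
    if same_gid:
        findings.append(f"primary GID {gid} is shared with: {', '.join(same_gid)}")
    group_name, members = parse_group(group_text).get(gid, (str(gid), set()))
    extra = sorted(members - {mail_owner})
    if extra:
        findings.append(f"group {group_name} ({gid}) has other members: {', '.join(extra)}")
    return findings


# Constructed sample data: a compliant layout, and one that violates the rules.
GOOD_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
postfix:x:108:113::/var/spool/postfix:/usr/sbin/nologin
"""
GOOD_GROUP = """\
root:x:0:
daemon:x:1:
nogroup:x:65534:
postfix:x:113:
postdrop:x:114:
"""
BAD_PASSWD = GOOD_PASSWD + "mailbackup:x:108:113::/var/backups/mail:/usr/sbin/nologin\n"
BAD_GROUP = GOOD_GROUP.replace("postfix:x:113:", "postfix:x:113:www-data")
```

<p> The "owns no other files" requirement needs a filesystem walk that this offline check cannot do; on a live system, <b>find / -xdev -user "$(postconf -h mail_owner)"</b> lists what the account owns. </p>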
6530
6531
6532</DD>
6533
6534<DT><b><a name="mail_release_date">mail_release_date</a>
6535(default: see "postconf -d" output)</b></DT><DD>
6536
6537<p>
6538The Postfix release date, in "YYYYMMDD" format.
6539</p>
6540
6541
6542</DD>
6543
6544<DT><b><a name="mail_spool_directory">mail_spool_directory</a>
6545(default: see "postconf -d" output)</b></DT><DD>
6546
6547<p>
6548The directory where <a href="local.8.html">local(8)</a> UNIX-style mailboxes are kept. The
6549default setting depends on the system type. Specify a name ending
6550in / for maildir-style delivery.
6551</p>
6552
6553<p>
6554Note: maildir delivery is done with the privileges of the recipient.
6555If you use the <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a> setting for maildir style
6556delivery, then you must create the top-level maildir directory in
6557advance. Postfix will not create it.
6558</p>
6559
6560<p>
6561Examples:
6562</p>
6563
6564<pre>
6565<a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a> = /var/mail
6566<a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a> = /var/spool/mail
6567</pre>
6568
6569
6570</DD>
6571
6572<DT><b><a name="mail_version">mail_version</a>
6573(default: see "postconf -d" output)</b></DT><DD>
6574
6575<p>
6576The version of the mail system. Stable releases are named
6577<i>major</i>.<i>minor</i>.<i>patchlevel</i>. Experimental releases
6578also include the release date. The version string can be used in,
6579for example, the SMTP greeting banner.
6580</p>
6581
6582
6583</DD>
6584
6585<DT><b><a name="mailbox_command">mailbox_command</a>
6586(default: empty)</b></DT><DD>
6587
6588<p>
6589Optional external command that the <a href="local.8.html">local(8)</a> delivery agent should
6590use for mailbox delivery.  The command is run with the user ID and
6591the primary group ID privileges of the recipient.  Exception:
6592command delivery for root executes with $<a href="postconf.5.html#default_privs">default_privs</a> privileges.
This is not a problem, because 1) mail for root should always be
aliased to a real user and 2) you should not log in as root; use "su" instead.
6595</p>
6596
6597<p>
6598The following environment variables are exported to the command:
6599</p>
6600
6601<dl>
6602
6603<dt><b>CLIENT_ADDRESS</b></dt>
6604
6605<dd>Remote client network address. Available in Postfix version 2.2 and
6606later. </dd>
6607
6608<dt><b>CLIENT_HELO</b></dt>
6609
6610<dd>Remote client EHLO command parameter. Available in Postfix version 2.2
6611and later.</dd>
6612
6613<dt><b>CLIENT_HOSTNAME</b></dt>
6614
6615<dd>Remote client hostname. Available in Postfix version 2.2 and later.
6616</dd>
6617
6618<dt><b>CLIENT_PROTOCOL</b></dt>
6619
6620<dd>Remote client protocol. Available in Postfix version 2.2 and later.
6621</dd>
6622
6623<dt><b>DOMAIN</b></dt>
6624
6625<dd>The domain part of the recipient address. </dd>
6626
6627<dt><b>ENVID</b></dt>
6628
<dd>The optional <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a> envelope ID. Available in Postfix version
3.9 and later. </dd>
6631
6632<dt><b>EXTENSION</b></dt>
6633
6634<dd>The optional address extension. </dd>
6635
6636<dt><b>HOME</b></dt>
6637
6638<dd>The recipient home directory. </dd>
6639
6640<dt><b>LOCAL</b></dt>
6641
6642<dd>The recipient address localpart. </dd>
6643
6644<dt><b>LOGNAME</b></dt>
6645
6646<dd>The recipient's username. </dd>
6647
6648<dt><b>ORIGINAL_RECIPIENT</b></dt>
6649
6650<dd>The entire recipient address, before any address rewriting or
6651aliasing.  </dd>
6652
6653<dt><b>RECIPIENT</b></dt>
6654
6655<dd>The full recipient address. </dd>
6656
6657<dt><b>SASL_METHOD</b></dt>
6658
6659<dd>SASL authentication method specified in the remote client AUTH
6660command. Available in Postfix version 2.2 and later. </dd>
6661
6662<dt><b>SASL_SENDER</b></dt>
6663
6664<dd>SASL sender address specified in the remote client MAIL FROM
6665command. Available in Postfix version 2.2 and later. </dd>
6666
6667<dt><b>SASL_USER</b></dt>
6668
6669<dd>SASL username specified in the remote client AUTH command.
6670Available in Postfix version 2.2 and later.  </dd>
6671
6672<dt><b>SENDER</b></dt>
6673
6674<dd>The full sender address. </dd>
6675
6676<dt><b>SHELL</b></dt>
6677
6678<dd>The recipient's login shell. </dd>
6679
6680<dt><b>USER</b></dt>
6681
6682<dd>The recipient username. </dd>
6683
6684</dl>
6685
6686<p>
6687Unlike other Postfix configuration parameters, the <a href="postconf.5.html#mailbox_command">mailbox_command</a>
6688parameter is not subjected to $name substitutions. This is to make
6689it easier to specify shell syntax (see example below).
6690</p>
6691
6692<p>
6693If you can, avoid shell meta characters because they will force
6694Postfix to run an expensive shell process. If you're delivering
6695via "procmail" then running a shell won't make a noticeable difference
6696in the total cost.
6697</p>
6698
6699<p>
6700Note: if you use the <a href="postconf.5.html#mailbox_command">mailbox_command</a> feature to deliver mail
6701system-wide, you must set up an alias that forwards mail for root
6702to a real user.
6703</p>
6704
6705<p> The precedence of <a href="local.8.html">local(8)</a> delivery features from high to low
6706is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>,
6707<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
6708<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>
6709
6710<p>
6711Examples:
6712</p>
6713
6714<pre>
6715<a href="postconf.5.html#mailbox_command">mailbox_command</a> = /some/where/procmail
6716<a href="postconf.5.html#mailbox_command">mailbox_command</a> = /some/where/procmail -a "$EXTENSION"
6717<a href="postconf.5.html#mailbox_command">mailbox_command</a> = /some/where/maildrop -d "$USER"
6718        -f "$SENDER" "$EXTENSION"
6719</pre>
6720
6721
6722</DD>
6723
6724<DT><b><a name="mailbox_command_maps">mailbox_command_maps</a>
6725(default: empty)</b></DT><DD>
6726
6727<p>
6728Optional lookup tables with per-recipient external commands to use
6729for <a href="local.8.html">local(8)</a> mailbox delivery.  Behavior is as with <a href="postconf.5.html#mailbox_command">mailbox_command</a>.
6730</p>
6731
6732<p> The precedence of <a href="local.8.html">local(8)</a> delivery features from high to low
6733is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>,
6734<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
6735<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>
6736
6737<p>
6738Specify zero or more "type:name" lookup tables, separated by
6739whitespace or comma. Tables will be searched in the specified order
6740until a match is found.
6741</p>
6742
6743
6744</DD>
6745
6746<DT><b><a name="mailbox_delivery_lock">mailbox_delivery_lock</a>
6747(default: see "postconf -d" output)</b></DT><DD>
6748
6749<p>
6750How to lock a UNIX-style <a href="local.8.html">local(8)</a> mailbox before attempting delivery.
6751For a list of available file locking methods, use the "<b>postconf
6752-l</b>" command.
6753</p>
6754
6755<p>
6756This setting is ignored with <b>maildir</b> style delivery,
6757because such deliveries are safe without explicit locks.
6758</p>
6759
6760<p>
6761Note: The <b>dotlock</b> method requires that the recipient UID or
6762GID has write access to the parent directory of the mailbox file.
6763</p>
6764
6765<p>
6766Note: the default setting of this parameter is system dependent.
6767</p>
6768
6769
6770</DD>
6771
6772<DT><b><a name="mailbox_size_limit">mailbox_size_limit</a>
6773(default: 51200000)</b></DT><DD>
6774
6775<p> The maximal size of any <a href="local.8.html">local(8)</a> individual mailbox or maildir
6776file, or zero (no limit).  In fact, this limits the size of any
6777file that is written to upon local delivery, including files written
6778by external commands that are executed by the <a href="local.8.html">local(8)</a> delivery
6779agent. The value cannot exceed LONG_MAX (typically, a 32-bit or
678064-bit signed integer).
6781</p>
6782
6783<p>
6784This limit must not be smaller than the message size limit.
6785</p>
6786
6787
6788</DD>
6789
6790<DT><b><a name="mailbox_transport">mailbox_transport</a>
6791(default: empty)</b></DT><DD>
6792
6793<p>
6794Optional message delivery transport that the <a href="local.8.html">local(8)</a> delivery
6795agent should use for mailbox delivery to all local recipients,
6796whether or not they are found in the UNIX passwd database.
6797</p>
6798
6799<p> The precedence of <a href="local.8.html">local(8)</a> delivery features from high to low
6800is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>,
6801<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
6802<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>
6803
6804
6805</DD>
6806
6807<DT><b><a name="mailbox_transport_maps">mailbox_transport_maps</a>
6808(default: empty)</b></DT><DD>
6809
6810<p> Optional lookup tables with per-recipient message delivery
6811transports to use for <a href="local.8.html">local(8)</a> mailbox delivery, whether or not the
6812recipients are found in the UNIX passwd database. </p>
6813
6814<p> The precedence of <a href="local.8.html">local(8)</a> delivery features from high to low
6815is: aliases, .forward files, <a href="postconf.5.html#mailbox_transport_maps">mailbox_transport_maps</a>, <a href="postconf.5.html#mailbox_transport">mailbox_transport</a>,
6816<a href="postconf.5.html#mailbox_command_maps">mailbox_command_maps</a>, <a href="postconf.5.html#mailbox_command">mailbox_command</a>, <a href="postconf.5.html#home_mailbox">home_mailbox</a>, <a href="postconf.5.html#mail_spool_directory">mail_spool_directory</a>,
6817<a href="postconf.5.html#fallback_transport_maps">fallback_transport_maps</a>, <a href="postconf.5.html#fallback_transport">fallback_transport</a> and <a href="postconf.5.html#luser_relay">luser_relay</a>.  </p>
6818
6819<p>
6820Specify zero or more "type:name" lookup tables, separated by
6821whitespace or comma. Tables will be searched in the specified order
6822until a match is found.
6823</p>
6824
6825<p> For safety reasons, this feature does not allow $number
6826substitutions in regular expression maps. </p>
6827
6828<p> This feature is available in Postfix 2.3 and later. </p>
6829
6830
6831</DD>
6832
6833<DT><b><a name="maillog_file">maillog_file</a>
6834(default: empty)</b></DT><DD>
6835
6836<p> The name of an optional logfile that is written by the Postfix
6837<a href="postlogd.8.html">postlogd(8)</a> service. An empty value selects logging to syslogd(8).
6838Specify "/dev/stdout" to select logging to standard output. Stdout
6839logging requires that Postfix is started with "postfix start-fg".
6840</p>
6841
6842<p> Note 1: The <a href="postconf.5.html#maillog_file">maillog_file</a> parameter value must contain a prefix
6843that is specified with the <a href="postconf.5.html#maillog_file_prefixes">maillog_file_prefixes</a> parameter. </p>
6844
6845<p> Note 2: Some Postfix non-daemon programs may still log information
6846to syslogd(8), before they have processed their configuration
6847parameters and command-line options. </p>
6848
6849<p> This feature is available in Postfix 3.4 and later. </p>
6850
6851
6852</DD>
6853
6854<DT><b><a name="maillog_file_compressor">maillog_file_compressor</a>
6855(default: gzip)</b></DT><DD>
6856
6857<p> The program to run after rotating $<a href="postconf.5.html#maillog_file">maillog_file</a> with "postfix
6858logrotate". The command is run with the rotated logfile name as its
6859first argument. </p>
6860
6861<p> This feature is available in Postfix 3.4 and later. </p>
6862
6863
6864</DD>
6865
6866<DT><b><a name="maillog_file_permissions">maillog_file_permissions</a>
6867(default: 0600)</b></DT><DD>
6868
6869<p> The file access permissions that will be set when the file
6870$<a href="postconf.5.html#maillog_file">maillog_file</a> is created for the first time, or when the file is
6871created after an existing file is rotated. Specify one of: <b>0600</b>
6872(only super-user read/write access), <b>0640</b> (adds 'group' read
6873access), or <b>0644</b> (also adds 'other' read access). The leading
6874'0' is optional.  </p>
6875
6876<p> This feature is available in Postfix 3.9 and later. </p>
6877
6878
6879</DD>
6880
6881<DT><b><a name="maillog_file_prefixes">maillog_file_prefixes</a>
6882(default: /var, /dev/stdout)</b></DT><DD>
6883
6884<p> A list of allowed prefixes for a <a href="postconf.5.html#maillog_file">maillog_file</a> value. This is a
6885safety feature to contain the damage from a single configuration
6886mistake. Specify one or more prefix strings, separated by comma or
6887whitespace. </p>
6888
6889<p> This feature is available in Postfix 3.4 and later. </p>
6890
6891
6892</DD>
6893
6894<DT><b><a name="maillog_file_rotate_suffix">maillog_file_rotate_suffix</a>
6895(default: %Y%m%d-%H%M%S)</b></DT><DD>
6896
6897<p> The format of the suffix to append to $<a href="postconf.5.html#maillog_file">maillog_file</a> while rotating
6898the file with "postfix logrotate". See strftime(3) for syntax. The
6899default suffix, YYYYMMDD-HHMMSS, allows logs to be rotated frequently.
6900</p>
6901
6902<p> This feature is available in Postfix 3.4 and later. </p>
6903
6904
6905</DD>
6906
6907<DT><b><a name="mailq_path">mailq_path</a>
6908(default: see "postconf -d" output)</b></DT><DD>
6909
6910<p>
6911Sendmail compatibility feature that specifies where the Postfix
6912<a href="mailq.1.html">mailq(1)</a> command is installed. This command can be used to
6913list the Postfix mail queue.
6914</p>
6915
6916
6917</DD>
6918
6919<DT><b><a name="manpage_directory">manpage_directory</a>
6920(default: see "postconf -d" output)</b></DT><DD>
6921
6922<p>
6923Where the Postfix manual pages are installed.
6924</p>
6925
6926
6927</DD>
6928
6929<DT><b><a name="maps_rbl_domains">maps_rbl_domains</a>
6930(default: empty)</b></DT><DD>
6931
6932<p>
6933Obsolete feature: use the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> feature instead.
6934</p>
6935
6936
6937</DD>
6938
6939<DT><b><a name="maps_rbl_reject_code">maps_rbl_reject_code</a>
6940(default: 554)</b></DT><DD>
6941
6942<p>
6943The numerical Postfix SMTP server response code when a remote SMTP
6944client request is blocked by the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,
6945<a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a>, <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or
6946<a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> restriction.
6947</p>
6948
6949<p>
6950Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
6951</p>
6952
6953
6954</DD>
6955
6956<DT><b><a name="masquerade_classes">masquerade_classes</a>
6957(default: envelope_sender, header_sender, header_recipient)</b></DT><DD>
6958
6959<p>
6960What addresses are subject to address masquerading.
6961</p>
6962
6963<p>
6964By default, address masquerading is limited to envelope sender
6965addresses, and to header sender and header recipient addresses.
6966This allows you to use address masquerading on a mail gateway while
6967still being able to forward mail to users on individual machines.
6968</p>
6969
6970<p>
6971Specify zero or more of: envelope_sender, envelope_recipient,
6972header_sender, header_recipient
6973</p>
6974
6975
6976</DD>
6977
6978<DT><b><a name="masquerade_domains">masquerade_domains</a>
6979(default: empty)</b></DT><DD>
6980
6981<p>
6982Optional list of domains whose subdomain structure will be stripped
6983off in email addresses.
6984</p>
6985
6986<p>
6987The list is processed left to right, and processing stops at the
6988first match.  Thus,
6989</p>
6990
6991<blockquote>
6992<pre>
6993<a href="postconf.5.html#masquerade_domains">masquerade_domains</a> = foo.example.com example.com
6994</pre>
6995</blockquote>
6996
6997<p>
6998strips "user@any.thing.foo.example.com" to "user@foo.example.com",
6999but strips "user@any.thing.else.example.com" to "user@example.com".
7000</p>
7001
7002<p>
7003A domain name prefixed with ! means do not masquerade this domain
7004or its subdomains. Thus,
7005</p>
7006
7007<blockquote>
7008<pre>
7009<a href="postconf.5.html#masquerade_domains">masquerade_domains</a> = !foo.example.com example.com
7010</pre>
7011</blockquote>
7012
7013<p>
7014does not change "user@any.thing.foo.example.com" or "user@foo.example.com",
7015but strips "user@any.thing.else.example.com" to "user@example.com".
7016</p>
7017
7018<p> Note: with Postfix version 2.2, message header address masquerading
7019happens only when message header address rewriting is enabled: </p>
7020
7021<ul>
7022
7023<li> The message is received with the Postfix <a href="sendmail.1.html">sendmail(1)</a> command,
7024
7025<li> The message is received from a network client that matches
7026$<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a>,
7027
7028<li> The message is received from the network, and the
7029<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter specifies a non-empty value.
7030
7031</ul>
7032
7033<p> To get the behavior before Postfix version 2.2, specify
7034"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p>
7035
7036<p>
7037Example:
7038</p>
7039
7040<pre>
7041<a href="postconf.5.html#masquerade_domains">masquerade_domains</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
7042</pre>
7043
7044
7045</DD>
7046
7047<DT><b><a name="masquerade_exceptions">masquerade_exceptions</a>
7048(default: empty)</b></DT><DD>
7049
7050<p>
7051Optional list of user names that are not subjected to address
7052masquerading, even when their addresses match $<a href="postconf.5.html#masquerade_domains">masquerade_domains</a>.
7053</p>
7054
7055<p>
7056By default, address masquerading makes no exceptions.
7057</p>
7058
7059<p>
7060Specify a list of user names, "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns,
7061separated by commas and/or whitespace. The list is matched left to
7062right, and the search stops on the first match. A "/file/name"
7063pattern is replaced
7064by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a name
7065matches a lookup key (the lookup result is ignored).  Continue long
7066lines by starting the next line with whitespace. Specify "!pattern"
7067to exclude a name from the list. The form "!/file/name" is supported
7068only in Postfix version 2.4 and later.  </p>
7069
7070<p>
7071Examples:
7072</p>
7073
7074<pre>
7075<a href="postconf.5.html#masquerade_exceptions">masquerade_exceptions</a> = root, mailer-daemon
7076<a href="postconf.5.html#masquerade_exceptions">masquerade_exceptions</a> = root
</pre>
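<p> As an added illustration (not Postfix code), the following Python function applies the <a href="postconf.5.html#masquerade_domains">masquerade_domains</a> and <a href="postconf.5.html#masquerade_exceptions">masquerade_exceptions</a> rules described above to a single address: left-to-right, first-match-wins, with "!domain" exclusions. It assumes plain "user@domain" input and handles only the list forms shown on this page (domain names and plain user names), not "/file/name" or "type:table" patterns. </p>

```python
# Added example (not Postfix's own code): address masquerading as
# described for masquerade_domains and masquerade_exceptions.
# Assumptions: plain "user@domain" addresses; only literal domain names,
# "!domain" exclusions and literal user names are handled, not
# /file/name or type:table patterns.

def _parse_list(value):
    """Split a main.cf list value on commas and/or whitespace."""
    return [item for item in value.replace(",", " ").split() if item]


def _in_domain(domain, parent):
    """True if domain equals parent or is a subdomain of parent."""
    domain = domain.lower()
    parent = parent.lower()
    return domain == parent or domain.endswith("." + parent)


def masquerade_address(address, masquerade_domains, masquerade_exceptions=""):
    """Return the address as the masquerading rules would rewrite it.

    The domain list is processed left to right and processing stops at
    the first match. A "!domain" entry means: do not masquerade this
    domain or its subdomains. Users listed in masquerade_exceptions are
    never rewritten, even when their domain matches.
    """
    if "@" not in address:
        return address
    user, domain = address.rsplit("@", 1)

    # masquerade_exceptions: user names that are never masqueraded
    exceptions = {u.lower() for u in _parse_list(masquerade_exceptions)}
    if user.lower() in exceptions:
        return address

    for entry in _parse_list(masquerade_domains):
        negate = entry.startswith("!")
        parent = entry[1:] if negate else entry
        if _in_domain(domain, parent):
            if negate:
                return address          # excluded: stop, leave unchanged
            return f"{user}@{parent}"   # strip the subdomain structure
    return address                      # no entry matched
```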
7078
7079
7080</DD>
7081
7082<DT><b><a name="master_service_disable">master_service_disable</a>
7083(default: empty)</b></DT><DD>
7084
7085<p> Selectively disable <a href="master.8.html">master(8)</a> listener ports by service type
7086or by service name and type.  Specify a list of service types
7087("inet", "unix", "fifo", or "pass") or "name/type" tuples, where
7088"name" is the first field of a <a href="master.5.html">master.cf</a> entry and "type" is a
7089service type. As with other Postfix matchlists, a search stops at
7090the first match.  Specify "!pattern" to exclude a service from the
7091list. By default, all <a href="master.8.html">master(8)</a> listener ports are enabled.  </p>
7092
7093<p> Note: this feature does not support "/file/name" or "<a href="DATABASE_README.html">type:table</a>"
7094patterns, nor does it support wildcards such as "*" or "all". This
7095is intentional. </p>
7096
7097<p> Examples: </p>
7098
7099<pre>
7100# With Postfix 2.6..2.10 use '.' instead of '/'.
7101# Turn on all <a href="master.8.html">master(8)</a> listener ports (the default).
7102<a href="postconf.5.html#master_service_disable">master_service_disable</a> =
7103# Turn off only the main SMTP listener port.
7104<a href="postconf.5.html#master_service_disable">master_service_disable</a> = smtp/inet
7105# Turn off all TCP/IP listener ports.
7106<a href="postconf.5.html#master_service_disable">master_service_disable</a> = inet
7107# Turn off all TCP/IP listener ports except "foo".
7108<a href="postconf.5.html#master_service_disable">master_service_disable</a> = !foo/inet, inet
7109</pre>
7110
7111<p> This feature is available in Postfix 2.6 and later. </p>
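<p> As an added illustration (not Postfix code), the following Python evaluates a <a href="postconf.5.html#master_service_disable">master_service_disable</a> value against a constructed list of <a href="master.5.html">master.cf</a> entries using the rules above: a pattern is a service type or a "name/type" tuple, "!pattern" excludes, the search stops at the first match, and an empty list disables nothing. It handles only the "/" separator of Postfix 2.11 and later. </p>

```python
# Added example (not Postfix's own code): decide which master(8) listener
# ports a master_service_disable setting turns off. Assumption: only the
# "name/type" form with "/" is handled (Postfix 2.6..2.10 used "."), and
# the entries below are constructed, not read from a real master.cf.

SERVICE_TYPES = {"inet", "unix", "fifo", "pass"}

# Constructed (name, type) pairs standing in for the first two master.cf fields.
MASTER_ENTRIES = [
    ("smtp", "inet"),
    ("submission", "inet"),
    ("foo", "inet"),
    ("pickup", "unix"),
    ("qmgr", "fifo"),
]


def service_disabled(name, stype, master_service_disable):
    """True if the listener "name/type" is disabled by the given setting."""
    if stype not in SERVICE_TYPES:
        raise ValueError(f"unknown service type: {stype}")
    for pattern in master_service_disable.replace(",", " ").split():
        exclude = pattern.startswith("!")
        if exclude:
            pattern = pattern[1:]
        if "/" in pattern:
            matched = pattern == f"{name}/{stype}"   # name/type tuple
        else:
            matched = pattern == stype               # bare service type
        if matched:
            return not exclude                       # first match decides
    return False                                     # default: enabled


def disabled_services(master_entries, master_service_disable):
    """Return "name/type" for every entry the setting would turn off."""
    return [
        f"{name}/{stype}"
        for name, stype in master_entries
        if service_disabled(name, stype, master_service_disable)
    ]
```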
7112
7113
7114</DD>
7115
7116<DT><b><a name="max_idle">max_idle</a>
7117(default: 100s)</b></DT><DD>
7118
7119<p>
7120The maximum amount of time that an idle Postfix daemon process waits
7121for an incoming connection before terminating voluntarily.  This
7122parameter
7123is ignored by the Postfix queue manager and by other long-lived
7124Postfix daemon processes.
7125</p>
7126
7127<p> Specify a non-zero time value (an integral value plus an optional
7128one-letter suffix that specifies the time unit).  Time units: s
7129(seconds), m (minutes), h (hours), d (days), w (weeks).
7130The default time unit is s (seconds).  </p>
7131
7132
7133</DD>
7134
7135<DT><b><a name="max_use">max_use</a>
7136(default: 100)</b></DT><DD>
7137
7138<p>
7139The maximal number of incoming connections that a Postfix daemon
7140process will service before terminating voluntarily.  This parameter
7141is ignored by the Postfix queue
7142manager and by other long-lived Postfix daemon processes.
7143</p>
7144
7145
7146</DD>
7147
7148<DT><b><a name="maximal_backoff_time">maximal_backoff_time</a>
7149(default: 4000s)</b></DT><DD>
7150
7151<p>
7152The maximal time between attempts to deliver a deferred message.
7153</p>
7154
7155<p> This parameter should be set to a value greater than or equal
7156to $<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>. See also $<a href="postconf.5.html#queue_run_delay">queue_run_delay</a>.  </p>
7157
7158<p> Specify a non-zero time value (an integral value plus an optional
7159one-letter suffix that specifies the time unit).  Time units: s
7160(seconds), m (minutes), h (hours), d (days), w (weeks).
7161The default time unit is s (seconds).  </p>
7162
7163
7164</DD>
7165
7166<DT><b><a name="maximal_queue_lifetime">maximal_queue_lifetime</a>
7167(default: 5d)</b></DT><DD>
7168
7169<p>
Consider a message as undeliverable when delivery fails with a
temporary error and its time in the queue has reached the
<a href="postconf.5.html#maximal_queue_lifetime">maximal_queue_lifetime</a> limit.
</p>
7174
7175<p> Specify a non-negative time value (an integral value plus an optional
7176one-letter suffix that specifies the time unit).  Time units: s
7177(seconds), m (minutes), h (hours), d (days), w (weeks).
7178The default time unit is d (days).  </p>
7179
7180<p>
7181Specify 0 when mail delivery should be tried only once.
7182</p>
7183
7184
7185</DD>
7186
7187<DT><b><a name="message_drop_headers">message_drop_headers</a>
7188(default: bcc, content-length, resent-bcc, return-path)</b></DT><DD>
7189
7190<p> Names of message headers that the <a href="cleanup.8.html">cleanup(8)</a> daemon will remove
7191after applying <a href="header_checks.5.html">header_checks(5)</a> and before invoking Milter applications.
7192The default setting is compatible with Postfix &lt; 3.0. </p>
7193
7194<p> Specify a list of header names, separated by comma or space.
7195Names are matched in a case-insensitive manner.  The list of supported
7196header names is limited only by available memory.  </p>
7197
7198<p> This feature is available in Postfix 3.0 and later. </p>
7199
7200
7201</DD>
7202
7203<DT><b><a name="message_reject_characters">message_reject_characters</a>
7204(default: empty)</b></DT><DD>
7205
7206<p> The set of characters that Postfix will reject in message
7207content.  The usual C-like escape sequences are recognized: <tt>\a
7208\b \f \n \r \t \v \<i>ddd</i></tt> (up to three octal digits) and
7209<tt>\\</tt>. </p>
7210
7211<p> Note 1: this feature does not recognize text that requires MIME
7212decoding. It inspects raw message content, just like <a href="postconf.5.html#header_checks">header_checks</a>
7213and <a href="postconf.5.html#body_checks">body_checks</a>.  </p>
7214
7215<p> Note 2: this feature is disabled with "<a href="postconf.5.html#receive_override_options">receive_override_options</a>
7216= <a href="postconf.5.html#no_header_body_checks">no_header_body_checks</a>".  </p>
7217
7218<p> Example: </p>
7219
7220<pre>
7221<a href="postconf.5.html#message_reject_characters">message_reject_characters</a> = \0
7222</pre>
7223
7224<p> This feature is available in Postfix 2.3 and later.  </p>
7225
7226
7227</DD>
7228
7229<DT><b><a name="message_size_limit">message_size_limit</a>
7230(default: 10240000)</b></DT><DD>
7231
7232<p>
7233The maximal size in bytes of a message, including envelope information.
7234The value cannot exceed LONG_MAX (typically, a 32-bit or 64-bit
7235signed integer).
7236</p>
7237
7238<p> Note: be careful when making changes.  Excessively small values
7239will result in the loss of non-delivery notifications, when a bounce
7240message size exceeds the local or remote MTA's message size limit.
7241</p>
7242
7243
7244</DD>
7245
7246<DT><b><a name="message_strip_characters">message_strip_characters</a>
7247(default: empty)</b></DT><DD>
7248
7249<p> The set of characters that Postfix will remove from message
7250content.  The usual C-like escape sequences are recognized: <tt>\a
7251\b \f \n \r \t \v \<i>ddd</i></tt> (up to three octal digits) and
7252<tt>\\</tt>. </p>
7253
7254<p> Note 1: this feature does not recognize text that requires MIME
7255decoding. It inspects raw message content, just like <a href="postconf.5.html#header_checks">header_checks</a>
7256and <a href="postconf.5.html#body_checks">body_checks</a>.  </p>
7257
7258<p> Note 2: this feature is disabled with "<a href="postconf.5.html#receive_override_options">receive_override_options</a>
7259= <a href="postconf.5.html#no_header_body_checks">no_header_body_checks</a>".  </p>
7260
7261<p> Example: </p>
7262
7263<pre>
7264<a href="postconf.5.html#message_strip_characters">message_strip_characters</a> = \0
7265</pre>
7266
7267<p> This feature is available in Postfix 2.3 and later.  </p>
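<p> As an added illustration (not Postfix code), the following Python decodes the character-set syntax shared by <a href="postconf.5.html#message_reject_characters">message_reject_characters</a> and <a href="postconf.5.html#message_strip_characters">message_strip_characters</a> (the C-like escapes listed above, including "\ddd" octal and "\\") and applies the result to raw, undecoded message content, as both notes above describe. It assumes the value is treated as bytes and that an escape the page does not list stands for its character literally. </p>

```python
# Added example (not Postfix's own code): parse the escape syntax of
# message_reject_characters / message_strip_characters into a set of byte
# values, then apply it to raw message content (no MIME decoding).
# Assumption: an unlisted escape such as "\x" is taken as the literal
# character; the page does not define that case.

_SIMPLE_ESCAPES = {
    "a": 0x07, "b": 0x08, "f": 0x0C, "n": 0x0A,
    "r": 0x0D, "t": 0x09, "v": 0x0B, "\\": 0x5C,
}
_OCTAL = "01234567"

# Constructed sample of raw message content containing a NUL byte.
SAMPLE_MESSAGE = b"Subject: hi\r\n\r\nbody\x00with NUL\r\n"


def parse_character_set(value):
    """Return the set of byte values named by a value such as '\\0'."""
    result = set()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "\\" or i + 1 == len(value):
            result.add(ord(ch) & 0xFF)       # plain char or lone trailing "\"
            i += 1
            continue
        nxt = value[i + 1]
        if nxt in _SIMPLE_ESCAPES:
            result.add(_SIMPLE_ESCAPES[nxt])
            i += 2
        elif nxt in _OCTAL:
            # \ddd: up to three octal digits
            j = i + 1
            while j < len(value) and j < i + 4 and value[j] in _OCTAL:
                j += 1
            result.add(int(value[i + 1:j], 8) & 0xFF)
            i = j
        else:
            result.add(ord(nxt) & 0xFF)      # unlisted escape: literal char
            i += 2
    return result


def message_rejected(content, reject_set):
    """True if the raw content contains any byte in reject_set."""
    return any(b in reject_set for b in content)


def strip_characters(content, strip_set):
    """Remove every byte in strip_set from the raw content."""
    return bytes(b for b in content if b not in strip_set)
```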
7268
7269
7270</DD>
7271
7272<DT><b><a name="meta_directory">meta_directory</a>
7273(default: see 'postconf -d' output)</b></DT><DD>
7274
7275<p> The location of non-executable files that are shared among
7276multiple Postfix instances, such as postfix-files, dynamicmaps.cf,
7277and the multi-instance template files <a href="postconf.5.html">main.cf</a>.proto and <a href="master.5.html">master.cf</a>.proto.
7278This directory should contain only Postfix-related files.  Typically,
7279the <a href="postconf.5.html#meta_directory">meta_directory</a> parameter has the same default as the <a href="postconf.5.html#config_directory">config_directory</a>
7280parameter (/etc/postfix or /usr/local/etc/postfix).  </p>
7281
7282<p> For backwards compatibility with Postfix versions 2.6..2.11,
7283specify "<a href="postconf.5.html#meta_directory">meta_directory</a> = $<a href="postconf.5.html#daemon_directory">daemon_directory</a>" in <a href="postconf.5.html">main.cf</a> before
7284installing or upgrading Postfix, or specify "<a href="postconf.5.html#meta_directory">meta_directory</a> =
7285/path/name" on the "make makefiles", "make install" or "make upgrade"
7286command line.  </p>
7287
7288<p> This feature is available in Postfix 3.0 and later. </p>
7289
7290
7291</DD>
7292
7293<DT><b><a name="milter_command_timeout">milter_command_timeout</a>
7294(default: 30s)</b></DT><DD>
7295
7296<p> The time limit for sending an SMTP command to a Milter (mail
7297filter) application, and for receiving the response.  </p>
7298
7299<p> Specify a non-zero time value (an integral value plus an optional
7300one-letter suffix that specifies the time unit).  Time units: s
7301(seconds), m (minutes), h (hours), d (days), w (weeks).
7302The default time unit is s (seconds).  </p>
7303
7304<p> This feature is available in Postfix 2.3 and later. </p>
7305
7306
7307</DD>
7308
7309<DT><b><a name="milter_connect_macros">milter_connect_macros</a>
7310(default: see "postconf -d" output)</b></DT><DD>
7311
7312<p> The macros that are sent to Milter (mail filter) applications
7313after completion of an SMTP connection. See <a href="MILTER_README.html">MILTER_README</a>
7314for a list of available macro names and their meanings. </p>
7315
7316<p> This feature is available in Postfix 2.3 and later. </p>
7317
7318
7319</DD>
7320
7321<DT><b><a name="milter_connect_timeout">milter_connect_timeout</a>
7322(default: 30s)</b></DT><DD>
7323
7324<p> The time limit for connecting to a Milter (mail filter)
7325application, and for negotiating protocol options. </p>
7326
7327<p> Specify a non-zero time value (an integral value plus an optional
7328one-letter suffix that specifies the time unit).  Time units: s
7329(seconds), m (minutes), h (hours), d (days), w (weeks).
7330The default time unit is s (seconds).  </p>
7331
7332<p> This feature is available in Postfix 2.3 and later. </p>
7333
7334
7335</DD>
7336
7337<DT><b><a name="milter_content_timeout">milter_content_timeout</a>
7338(default: 300s)</b></DT><DD>
7339
7340<p> The time limit for sending message content to a Milter (mail
7341filter) application, and for receiving the response.  </p>
7342
7343<p> Specify a non-zero time value (an integral value plus an optional
7344one-letter suffix that specifies the time unit).  Time units: s
7345(seconds), m (minutes), h (hours), d (days), w (weeks).
7346The default time unit is s (seconds).  </p>
7347
7348<p> This feature is available in Postfix 2.3 and later. </p>
7349
7350
7351</DD>
7352
7353<DT><b><a name="milter_data_macros">milter_data_macros</a>
7354(default: see "postconf -d" output)</b></DT><DD>
7355
7356<p> The macros that are sent to version 4 or higher Milter (mail
7357filter) applications after the SMTP DATA command. See <a href="MILTER_README.html">MILTER_README</a>
7358for a list of available macro names and their meanings.  </p>
7359
7360<p> This feature is available in Postfix 2.3 and later. </p>
7361
7362
7363</DD>
7364
7365<DT><b><a name="milter_default_action">milter_default_action</a>
7366(default: tempfail)</b></DT><DD>
7367
7368<p> The default action when a Milter (mail filter) response is
7369unavailable (for example, bad Postfix configuration or Milter
7370failure). Specify one of the following: </p>
7371
7372<dl compact>
7373
7374<dt>accept</dt> <dd>Proceed as if the mail filter was not present.
7375</dd>
7376
7377<dt>reject</dt> <dd>Reject all further commands in this session
7378with a permanent status code.</dd>
7379
7380<dt>tempfail</dt> <dd>Reject all further commands in this session
7381with a temporary status code. </dd>
7382
7383<dt>quarantine</dt> <dd>Like "accept", but freeze the message in
7384the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. Available with Postfix 2.6 and later. </dd>
7385
7386</dl>
7387
7388<p> This feature is available in Postfix 2.3 and later. </p>
7389
7390
7391</DD>
7392
7393<DT><b><a name="milter_end_of_data_macros">milter_end_of_data_macros</a>
7394(default: see "postconf -d" output)</b></DT><DD>
7395
7396<p> The macros that are sent to Milter (mail filter) applications
7397after the message end-of-data. See <a href="MILTER_README.html">MILTER_README</a> for a list of
7398available macro names and their meanings.  </p>
7399
7400<p> This feature is available in Postfix 2.3 and later. </p>
7401
7402
7403</DD>
7404
7405<DT><b><a name="milter_end_of_header_macros">milter_end_of_header_macros</a>
7406(default: see "postconf -d" output)</b></DT><DD>
7407
7408<p> The macros that are sent to Milter (mail filter) applications
7409after the end of the message header. See <a href="MILTER_README.html">MILTER_README</a> for a list
7410of available macro names and their meanings.  </p>
7411
7412<p> This feature is available in Postfix 2.5 and later. </p>
7413
7414
7415</DD>
7416
7417<DT><b><a name="milter_header_checks">milter_header_checks</a>
7418(default: empty)</b></DT><DD>
7419
<p> Optional lookup tables for content inspection of message headers
that are produced by Milter applications.  See the <a href="header_checks.5.html">header_checks(5)</a>
manual page for the available actions. Currently, PREPEND is not implemented.
</p>
7424
7425<p> The following example sends all mail that is marked as SPAM to
7426a spam handling machine. Note that matches are case-insensitive
7427by default. </p>
7428
7429<pre>
7430/etc/postfix/<a href="postconf.5.html">main.cf</a>:
7431    <a href="postconf.5.html#milter_header_checks">milter_header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/<a href="postconf.5.html#milter_header_checks">milter_header_checks</a>
7432</pre>
7433
7434<pre>
7435/etc/postfix/<a href="postconf.5.html#milter_header_checks">milter_header_checks</a>:
7436    /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
7437</pre>
7438
<p> The <a href="postconf.5.html#milter_header_checks">milter_header_checks</a> mechanism could also be used for
allowlisting. For example, it could be used to skip heavy content
inspection for DKIM-signed mail from known friendly domains. </p>
7442
7443<p> This feature is available in Postfix 2.7, and as an optional
7444patch for Postfix 2.6. </p>
7445
7446
7447</DD>
7448
7449<DT><b><a name="milter_helo_macros">milter_helo_macros</a>
7450(default: see "postconf -d" output)</b></DT><DD>
7451
7452<p> The macros that are sent to Milter (mail filter) applications
7453after the SMTP HELO or EHLO command. See
7454<a href="MILTER_README.html">MILTER_README</a> for a list of available macro names and their meanings.
7455</p>
7456
7457<p> This feature is available in Postfix 2.3 and later. </p>
7458
7459
7460</DD>
7461
7462<DT><b><a name="milter_macro_daemon_name">milter_macro_daemon_name</a>
7463(default: $<a href="postconf.5.html#myhostname">myhostname</a>)</b></DT><DD>
7464
7465<p> The {daemon_name} macro value for Milter (mail filter) applications.
7466See <a href="MILTER_README.html">MILTER_README</a> for a list of available macro names and their
7467meanings.  </p>
7468
7469<p> This feature is available in Postfix 2.3 and later. </p>
7470
7471
7472</DD>
7473
7474<DT><b><a name="milter_macro_defaults">milter_macro_defaults</a>
7475(default: empty)</b></DT><DD>
7476
7477<p> Optional list of <i>name=value</i> pairs that specify default
7478values for arbitrary macros that Postfix may send to Milter
7479applications.  These defaults are used when there is no corresponding
7480information from the message delivery context. </p>
7481
7482<p> Specify <i>name=value</i> or <i>{name=value}</i> pairs separated
7483by comma or whitespace.  Enclose a pair in "{}" when a value contains
7484comma or whitespace (this form ignores whitespace after the enclosing
7485"{", around the "=", and before the enclosing "}"). </p>
7486
7487<p> This feature is available in Postfix 3.1 and later.  </p>
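<p> As an added illustration (not Postfix code), the following Python parses a <a href="postconf.5.html#milter_macro_defaults">milter_macro_defaults</a> value into a name-to-value mapping using the rules above: pairs separated by comma or whitespace, with the "{name=value}" form needed when a value contains comma or whitespace, ignoring whitespace after "{", around "=" and before "}". It assumes braces do not nest; the macro names in the test are constructed. </p>

```python
# Added example (not Postfix's own code): parse milter_macro_defaults.
# Rules as stated on the page: name=value or {name=value} pairs separated
# by comma or whitespace; inside "{}" whitespace after "{", around "="
# and before "}" is ignored. Assumption: braces do not nest.

_SEPARATORS = " \t\r\n,"


def _split_pair(pair):
    name, sep, val = pair.partition("=")
    if not sep:
        raise ValueError(f"missing '=' in macro default {pair!r}")
    return name.strip(), val.strip()


def parse_macro_defaults(value):
    """Return a dict of macro name -> default value."""
    defaults = {}
    i, n = 0, len(value)
    while i < n:
        if value[i] in _SEPARATORS:
            i += 1
            continue
        if value[i] == "{":
            # braced form: the value may itself contain comma or whitespace
            end = value.find("}", i)
            if end < 0:
                raise ValueError("unbalanced '{' in milter_macro_defaults")
            name, val = _split_pair(value[i + 1:end])
            i = end + 1
        else:
            # bare form: runs until the next comma or whitespace
            j = i
            while j < n and value[j] not in _SEPARATORS:
                j += 1
            name, val = _split_pair(value[i:j])
            i = j
        defaults[name] = val
    return defaults
```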
7488
7489
7490</DD>
7491
7492<DT><b><a name="milter_macro_v">milter_macro_v</a>
7493(default: $<a href="postconf.5.html#mail_name">mail_name</a> $<a href="postconf.5.html#mail_version">mail_version</a>)</b></DT><DD>
7494
7495<p> The {v} macro value for Milter (mail filter) applications.
7496See <a href="MILTER_README.html">MILTER_README</a> for a list of available macro names and their
7497meanings.  </p>
7498
7499<p> This feature is available in Postfix 2.3 and later. </p>
7500
7501
7502</DD>
7503
7504<DT><b><a name="milter_mail_macros">milter_mail_macros</a>
7505(default: see "postconf -d" output)</b></DT><DD>
7506
7507<p> The macros that are sent to Milter (mail filter) applications
7508after the SMTP MAIL FROM command. See <a href="MILTER_README.html">MILTER_README</a>
7509for a list of available macro names and their meanings. </p>
7510
7511<p> This feature is available in Postfix 2.3 and later. </p>
7512
7513
7514</DD>
7515
7516<DT><b><a name="milter_protocol">milter_protocol</a>
7517(default: 6)</b></DT><DD>
7518
7519<p> The mail filter protocol version and optional protocol extensions
7520for communication with a Milter application; prior to Postfix 2.6
7521the default protocol is 2. Postfix
7522sends this version number during the initial protocol handshake.
7523It should match the version number that is expected by the mail
7524filter application (or by its Milter library).  </p>
7525
7526<p>Protocol versions: </p>
7527
7528<dl compact>
7529
7530<dt>2</dt> <dd>Use Sendmail 8 mail filter protocol version 2 (default
7531with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 ..
75322.5).</dd>
7533
7534<dt>3</dt> <dd>Use Sendmail 8 mail filter protocol version 3.</dd>
7535
7536<dt>4</dt> <dd>Use Sendmail 8 mail filter protocol version 4.</dd>
7537
7538<dt>6</dt> <dd>Use Sendmail 8 mail filter protocol version 6 (default
7539with Sendmail version 8.14 and Postfix version 2.6).</dd>
7540
7541</dl>
7542
7543<p>Protocol extensions: </p>
7544
7545<dl compact>
7546
7547<dt>no_header_reply</dt> <dd> Specify this when the Milter application
7548will not reply for each individual message header.</dd>
7549
7550</dl>
7551
7552<p> This feature is available in Postfix 2.3 and later. </p>
7553
7554
7555</DD>
7556
7557<DT><b><a name="milter_rcpt_macros">milter_rcpt_macros</a>
7558(default: see "postconf -d" output)</b></DT><DD>
7559
7560<p> The macros that are sent to Milter (mail filter) applications
7561after the SMTP RCPT TO command. See <a href="MILTER_README.html">MILTER_README</a>
7562for a list of available macro names and their meanings. </p>
7563
7564<p> This feature is available in Postfix 2.3 and later. </p>
7565
7566
7567</DD>
7568
7569<DT><b><a name="milter_unknown_command_macros">milter_unknown_command_macros</a>
7570(default: see "postconf -d" output)</b></DT><DD>
7571
7572<p> The macros that are sent to version 3 or higher Milter (mail
7573filter) applications after an unknown SMTP command.  See <a href="MILTER_README.html">MILTER_README</a>
7574for a list of available macro names and their meanings.  </p>
7575
7576<p> This feature is available in Postfix 2.3 and later. </p>
7577
7578
7579</DD>
7580
7581<DT><b><a name="mime_boundary_length_limit">mime_boundary_length_limit</a>
7582(default: 2048)</b></DT><DD>
7583
7584<p>
7585The maximal length of MIME multipart boundary strings. The MIME
7586processor is unable to distinguish between boundary strings that
7587do not differ in the first $<a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> characters.
7588</p>
7589
7590<p>
7591This feature is available in Postfix 2.0 and later.
7592</p>
7593
7594
7595</DD>
7596
7597<DT><b><a name="mime_header_checks">mime_header_checks</a>
7598(default: $<a href="postconf.5.html#header_checks">header_checks</a>)</b></DT><DD>
7599
7600<p>
7601Optional lookup tables for content inspection of MIME related
7602message headers, as described in the <a href="header_checks.5.html">header_checks(5)</a> manual page.
7603</p>
7604
7605<p>
7606This feature is available in Postfix 2.0 and later.
7607</p>
7608
7609
7610</DD>
7611
7612<DT><b><a name="mime_nesting_limit">mime_nesting_limit</a>
7613(default: 100)</b></DT><DD>
7614
7615<p>
7616The maximal recursion level that the MIME processor will handle.
7617Postfix refuses mail that is nested deeper than the specified limit.
7618</p>
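<p> As an added illustration (this is example code, not Postfix source and not part of this manual page), the following Python walks a MIME message the way a nesting limit is applied: each multipart container counts as one level, and a message whose depth exceeds the limit is refused. How Postfix itself counts levels is not specified here, so the counting rule, the <tt>check_nesting()</tt> helper and the constructed test message are assumptions of this example. </p>

```python
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def mime_nesting_depth(part):
    """Return the number of nested container levels under `part`.

    A leaf part (text/plain, image/png, ...) contributes 0. Each container
    adds one level on top of its deepest child. With the legacy email API,
    message/rfc822 wrappers also report is_multipart() and therefore count
    as a level too (assumption of this example, not a Postfix statement).
    """
    if not part.is_multipart():
        return 0
    children = part.get_payload()
    return 1 + max((mime_nesting_depth(child) for child in children), default=0)


def check_nesting(raw_message, limit=100):
    """Parse a raw message and apply a nesting limit.

    Returns (depth, accepted): accepted is False when the message is nested
    deeper than `limit`, mirroring the documented default of 100.
    """
    msg = message_from_string(raw_message)
    depth = mime_nesting_depth(msg)
    return depth, depth <= limit


def build_nested_message(levels):
    """Construct a test message with `levels` nested multipart/mixed
    containers around a single text/plain leaf (constructed sample data)."""
    part = MIMEText("constructed body", "plain")
    for _ in range(levels):
        container = MIMEMultipart("mixed")
        container.attach(part)
        part = container
    part["From"] = "sender@example.com"
    part["To"] = "postmaster@example.com"
    part["Subject"] = f"constructed message with {levels} multipart levels"
    return part.as_string()


if __name__ == "__main__":
    for levels in (0, 3, 101):
        depth, ok = check_nesting(build_nested_message(levels))
        print(f"{levels} levels -> depth {depth}, {'accepted' if ok else 'refused'}")
```

The recursion stops at leaf parts, so the walk costs one visit per MIME part; a deliberately deep message is cut off by the comparison against the limit rather than by running out of stack, which is exactly the resource-exhaustion case the limit exists for.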
7619
7620<p>
7621This feature is available in Postfix 2.0 and later.
7622</p>
7623
7624
7625</DD>
7626
7627<DT><b><a name="minimal_backoff_time">minimal_backoff_time</a>
7628(default: 300s)</b></DT><DD>
7629
7630<p>
7631The minimal time between attempts to deliver a deferred message;
7632prior to Postfix 2.4 the default value was 1000s.
7633</p>
7634
7635<p>
7636This parameter also limits the time an unreachable destination is
7637kept in the short-term, in-memory, destination status cache.
7638</p>
7639
7640<p> This parameter should be set greater than or equal to
7641$<a href="postconf.5.html#queue_run_delay">queue_run_delay</a>. See also $<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a>.  </p>
7642
7643<p> Specify a non-zero time value (an integral value plus an optional
7644one-letter suffix that specifies the time unit).  Time units: s
7645(seconds), m (minutes), h (hours), d (days), w (weeks).
7646The default time unit is s (seconds).  </p>
7647
7648
7649</DD>
7650
7651<DT><b><a name="multi_instance_directories">multi_instance_directories</a>
7652(default: empty)</b></DT><DD>
7653
7654<p> An optional list of non-default Postfix configuration directories;
7655these directories belong to additional Postfix instances that share
7656the Postfix executable files and documentation with the default
7657Postfix instance, and that are started, stopped, etc., together
7658with the default Postfix instance.  Specify a list of pathnames
7659separated by comma or whitespace.  </p>
7660
7661<p> When $<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> is empty, the <a href="postfix.1.html">postfix(1)</a> command
7662runs in single-instance mode and operates on a single Postfix
7663instance only. Otherwise, the <a href="postfix.1.html">postfix(1)</a> command runs in multi-instance
7664mode and invokes the multi-instance manager specified with the
7665<a href="postconf.5.html#multi_instance_wrapper">multi_instance_wrapper</a> parameter. The multi-instance manager in
7666turn executes <a href="postfix.1.html">postfix(1)</a> commands for the default instance and for
7667all Postfix instances in $<a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>.  </p>
7668
7669<p> Currently, this parameter setting is ignored except for the
7670default <a href="postconf.5.html">main.cf</a> file. </p>
7671
7672<p> This feature is available in Postfix 2.6 and later. </p>
7673
7674
7675</DD>
7676
7677<DT><b><a name="multi_instance_enable">multi_instance_enable</a>
7678(default: no)</b></DT><DD>
7679
7680<p> Allow this Postfix instance to be started, stopped, etc., by a
7681multi-instance manager.  By default, new instances are created in
7682a safe state that prevents them from being started inadvertently.
7683This parameter is reserved for the multi-instance manager.  </p>
7684
7685<p> This feature is available in Postfix 2.6 and later. </p>
7686
7687
7688</DD>
7689
7690<DT><b><a name="multi_instance_group">multi_instance_group</a>
7691(default: empty)</b></DT><DD>
7692
7693<p> The optional instance group name of this Postfix instance. A
7694group identifies closely-related Postfix instances that the
7695multi-instance manager can start, stop, etc., as a unit.  This
7696parameter is reserved for the multi-instance manager. </p>
7697
7698<p> This feature is available in Postfix 2.6 and later. </p>
7699
7700
7701</DD>
7702
7703<DT><b><a name="multi_instance_name">multi_instance_name</a>
7704(default: empty)</b></DT><DD>
7705
7706<p> The optional instance name of this Postfix instance. This name
also becomes the default value for the <a href="postconf.5.html#syslog_name">syslog_name</a> parameter. </p>
7708
7709<p> This feature is available in Postfix 2.6 and later. </p>
7710
7711
7712</DD>
7713
7714<DT><b><a name="multi_instance_wrapper">multi_instance_wrapper</a>
7715(default: empty)</b></DT><DD>
7716
7717<p> The pathname of a multi-instance manager command that the
7718<a href="postfix.1.html">postfix(1)</a> command invokes when the <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a>
7719parameter value is non-empty. The pathname may be followed by
7720initial command arguments separated by whitespace; shell
7721metacharacters such as quotes are not supported in this context.
7722</p>
7723
7724<p> The <a href="postfix.1.html">postfix(1)</a> command invokes the manager command with the
7725<a href="postfix.1.html">postfix(1)</a> non-option command arguments on the manager command line,
7726and with all installation configuration parameters exported into
7727the manager command process environment. The manager command in
7728turn invokes the <a href="postfix.1.html">postfix(1)</a> command for individual Postfix instances
7729as "postfix -c <i><a href="postconf.5.html#config_directory">config_directory</a></i> <i>command</i>".  </p>
7730
7731<p> This feature is available in Postfix 2.6 and later. </p>
7732
7733
7734</DD>
7735
7736<DT><b><a name="multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a>
7737(default: 550)</b></DT><DD>
7738
7739<p>
7740The numerical Postfix SMTP server response code when a remote SMTP
7741client request is blocked by the <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a>
7742restriction.
7743</p>
7744
7745<p>
7746Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
7747</p>
7748
7749<p>
7750This feature is available in Postfix 2.1 and later.
7751</p>
7752
7753
7754</DD>
7755
7756<DT><b><a name="mydestination">mydestination</a>
7757(default: $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b></DT><DD>
7758
7759<p> The list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a>
7760mail delivery transport. By default this is the Postfix <a href="local.8.html">local(8)</a>
7761delivery agent which looks up all recipients in /etc/passwd and
7762/etc/aliases. The SMTP server validates recipient addresses with
7763$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> and rejects non-existent recipients. See also
7764the <a href="ADDRESS_CLASS_README.html#local_domain_class">local domain</a> class in the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> file.
7765</p>
7766
7767<p>
7768The default <a href="postconf.5.html#mydestination">mydestination</a> value specifies names for the local
7769machine only.  On a mail domain gateway, you should also include
7770$<a href="postconf.5.html#mydomain">mydomain</a>.
7771</p>
7772
7773<p>
7774The $<a href="postconf.5.html#local_transport">local_transport</a> delivery method is also selected for mail
7775addressed to user@[the.net.work.address] of the mail system (the
7776IP addresses specified with the <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> and <a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>
7777parameters).
7778</p>
7779
7780<p>
7781Warnings:
7782</p>
7783
7784<ul>
7785
7786<li><p>Do not specify the names of virtual domains - those domains
7787are specified elsewhere. See <a href="VIRTUAL_README.html">VIRTUAL_README</a> for more information. </p>
7788
<li><p>Do not specify the names of domains that this machine is
a backup MX host for. See <a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> for how to
7791set up backup MX hosts. </p>
7792
7793<li><p>By default, the Postfix SMTP server rejects mail for recipients
7794not listed with the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> parameter.  See the
7795<a href="postconf.5.html">postconf(5)</a> manual for a description of the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>
7796and <a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> parameters. </p>
7797
7798</ul>
7799
7800<p>
7801Specify a list of host or domain names, "/file/name" or "<a href="DATABASE_README.html">type:table</a>"
7802patterns, separated by commas and/or whitespace. A "/file/name"
7803pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table
7804is matched when a name matches a lookup key (the lookup result is
7805ignored).  Continue long lines by starting the next line with
7806whitespace.  </p>
7807
7808<p>
7809Examples:
7810</p>
7811
7812<pre>
7813<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a> $<a href="postconf.5.html#mydomain">mydomain</a>
7814<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a> www.$<a href="postconf.5.html#mydomain">mydomain</a>, ftp.$<a href="postconf.5.html#mydomain">mydomain</a>
7815</pre>
7816
7817
7818</DD>
7819
7820<DT><b><a name="mydomain">mydomain</a>
7821(default: see "postconf -d" output)</b></DT><DD>
7822
7823<p>
7824The internet domain name of this mail system.  The default is to
7825use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component, or "localdomain" (Postfix
78262.3 and later).  $<a href="postconf.5.html#mydomain">mydomain</a> is used as
7827a default value for many other configuration parameters.
7828</p>
7829
7830<p>
7831Example:
7832</p>
7833
7834<pre>
7835<a href="postconf.5.html#mydomain">mydomain</a> = domain.tld
7836</pre>
7837
7838
7839</DD>
7840
7841<DT><b><a name="myhostname">myhostname</a>
7842(default: see "postconf -d" output)</b></DT><DD>
7843
7844<p>
7845The internet hostname of this mail system. The default is to use
7846the fully-qualified domain name (FQDN) from gethostname(), or to
7847use the non-FQDN result from gethostname() and append ".$<a href="postconf.5.html#mydomain">mydomain</a>".
7848$<a href="postconf.5.html#myhostname">myhostname</a> is used as a default value for many other configuration
7849parameters.  </p>
7850
7851<p>
7852Example:
7853</p>
7854
7855<pre>
7856<a href="postconf.5.html#myhostname">myhostname</a> = host.example.com
7857</pre>
7858
7859
7860</DD>
7861
7862<DT><b><a name="mynetworks">mynetworks</a>
7863(default: see "postconf -d" output)</b></DT><DD>
7864
7865<p>
7866The list of "trusted" remote SMTP clients that have more privileges than
7867"strangers".
7868</p>
7869
7870<p>
7871In particular, "trusted" SMTP clients are allowed to relay mail
7872through Postfix.  See the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> parameter
7873description in the <a href="postconf.5.html">postconf(5)</a> manual.
7874</p>
7875
7876<p>
7877You can specify the list of "trusted" network addresses by hand
7878or you can let Postfix do it for you (which is the default).
7879See the description of the <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> parameter for more
7880information.
7881</p>
7882
7883<p>
7884If you specify the <a href="postconf.5.html#mynetworks">mynetworks</a> list by hand,
7885Postfix ignores the <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> setting.
7886</p>
7887
7888<p> Specify a list of network addresses or network/netmask patterns,
7889separated by commas and/or whitespace. Continue long lines by
7890starting the next line with whitespace. </p>
7891
7892<p> The netmask specifies the number of bits in the network part
7893of a host address.  You can also specify "/file/name" or "<a href="DATABASE_README.html">type:table</a>"
7894patterns.  A "/file/name" pattern is replaced by its contents; a
7895"<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a table entry matches a
7896lookup string (the lookup result is ignored). </p>
7897
7898<p> The list is matched left to right, and the search stops on the
7899first match.  Specify "!pattern" to exclude an address or network
7900block from the list. The form "!/file/name" is supported only
7901in Postfix version 2.4 and later. </p>
7902
7903<p> Note 1: Pattern matching of domain names is controlled by the
7904presence or absence of "<a href="postconf.5.html#mynetworks">mynetworks</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
7905parameter value.  </p>
7906
7907<p> Note 2: IP version 6 address information must be specified inside
7908<tt>[]</tt> in the <a href="postconf.5.html#mynetworks">mynetworks</a> value, and in files specified with
7909"/file/name".  IP version 6 addresses contain the ":" character,
7910and would otherwise be confused with a "<a href="DATABASE_README.html">type:table</a>" pattern.  </p>
7911
7912<p> Note 3: CIDR ranges cannot be specified in hash tables.  Use cidr
7913tables if CIDR ranges are used. </p>
7914
7915<p> Examples:  </p>
7916
7917<pre>
7918<a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 168.100.189.0/28
7919<a href="postconf.5.html#mynetworks">mynetworks</a> = !192.168.0.1, 192.168.0.0/28
7920<a href="postconf.5.html#mynetworks">mynetworks</a> = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
7921<a href="postconf.5.html#mynetworks">mynetworks</a> = $<a href="postconf.5.html#config_directory">config_directory</a>/mynetworks
7922<a href="postconf.5.html#mynetworks">mynetworks</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/network_table
7923<a href="postconf.5.html#mynetworks">mynetworks</a> = <a href="cidr_table.5.html">cidr</a>:/etc/postfix/network_table.cidr
7924</pre>
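<p> The matching rules above (left-to-right search that stops on the first match, "!pattern" exclusion, IPv6 information inside "[]", and the Note 2 pitfall of a bare IPv6 address being read as a "type:table" pattern) are worked through in the following Python, added here as an example; it is not Postfix code and not part of this manual page. The function names <tt>parse_mynetworks()</tt> and <tt>is_trusted()</tt> are this example's own. "/file/name" and "type:table" entries are reported rather than resolved, since the example runs without access to files or lookup tables. </p>

```python
import ipaddress
import re


def parse_mynetworks(value):
    """Parse a mynetworks value into an ordered list of (negated, network)
    entries plus a list of warnings.

    Order is preserved because the list is matched left to right and the
    search stops on the first match. "/file/name" and "type:table" entries
    are not resolved here (no file or table access in this example); they
    are reported as warnings and skipped.
    """
    entries, warnings = [], []
    for raw in re.split(r"[\s,]+", value.strip()):
        if not raw:
            continue
        negated = raw.startswith("!")
        pattern = raw[1:] if negated else raw
        if pattern.startswith("/"):
            warnings.append(f"{raw}: /file/name pattern, not resolved in this example")
            continue
        if pattern.startswith("["):
            # IPv6 information must be written as [addr] or [addr]/bits.
            end = pattern.find("]")
            if end < 0:
                warnings.append(f"{raw}: missing closing ']'")
                continue
            text = pattern[1:end] + pattern[end + 1:]
        elif ":" in pattern:
            # Anything containing ':' outside [] is read as a "type:table"
            # lookup. More than one ':' is the tell-tale sign of a bare IPv6
            # address that was not enclosed in [] (heuristic of this example).
            if pattern.count(":") > 1:
                warnings.append(f"{raw}: IPv6 address must be enclosed in [], "
                                "otherwise Postfix reads it as a type:table pattern")
            else:
                warnings.append(f"{raw}: type:table pattern, not resolved in this example")
            continue
        else:
            text = pattern
        try:
            # A bare address gets a /32 or /128 mask; strict=False tolerates
            # host bits set inside the network part.
            network = ipaddress.ip_network(text, strict=False)
        except ValueError as exc:
            warnings.append(f"{raw}: {exc}")
            continue
        entries.append((negated, network))
    return entries, warnings


def is_trusted(client_ip, mynetworks_value):
    """First match wins: a matching "!pattern" excludes the client, a
    matching pattern trusts it, and no match at all means "stranger"."""
    ip = ipaddress.ip_address(client_ip)
    entries, _ = parse_mynetworks(mynetworks_value)
    for negated, network in entries:
        if ip.version == network.version and ip in network:
            return not negated
    return False


if __name__ == "__main__":
    # Values taken from the examples above; client addresses are constructed.
    value = "127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64"
    for client in ("127.0.0.1", "168.100.189.16", "::1", "2001:240:588::1"):
        print(f"{client:>18} trusted={is_trusted(client, value)}")
    _, warnings = parse_mynetworks("2001:db8::/32 hash:/etc/postfix/network_table")
    for line in warnings:
        print("warning:", line)
```

Because the search stops at the first match, the position of a "!pattern" entry matters: "!192.168.0.1, 192.168.0.0/28" excludes the host, while "192.168.0.0/28, !192.168.0.1" trusts it, since the /28 entry fires first. Running the check against a proposed <a href="postconf.5.html#mynetworks">mynetworks</a> value before deploying it is a cheap way to catch an exclusion that is listed too late or an IPv6 block that lost its brackets.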
7925
7926
7927</DD>
7928
7929<DT><b><a name="mynetworks_style">mynetworks_style</a>
7930(default: Postfix &ge; 3.0: host, Postfix &lt; 3.0: subnet)</b></DT><DD>
7931
7932<p>
7933The method to generate the default value for the <a href="postconf.5.html#mynetworks">mynetworks</a> parameter.
7934This is the list of trusted networks for relay access control etc.
7935</p>
7936
7937<ul>
7938
7939<li><p>Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host" when Postfix should
7940"trust" only the local machine. </p>
7941
7942<li><p>Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet" when Postfix
7943should "trust" remote SMTP clients in the same IP subnetworks as the local
7944machine.  On Linux, this works correctly only with interfaces
7945specified with the "ifconfig" or "ip" command. </p>
7946
7947<li><p>Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = class" when Postfix should
7948"trust" remote SMTP clients in the same IP class A/B/C networks as the
7949local machine.  Caution: this may cause
7950Postfix to "trust" your entire provider's network.  Instead, specify
7951an explicit <a href="postconf.5.html#mynetworks">mynetworks</a> list by hand, as described with the <a href="postconf.5.html#mynetworks">mynetworks</a>
7952configuration parameter. </p>
7953
7954</ul>
7955
7956
7957</DD>
7958
7959<DT><b><a name="myorigin">myorigin</a>
7960(default: $<a href="postconf.5.html#myhostname">myhostname</a>)</b></DT><DD>
7961
7962<p>
The domain name that locally posted mail appears to come
from, and that locally posted mail is delivered to. The default,
7965$<a href="postconf.5.html#myhostname">myhostname</a>, is adequate for small sites.  If you run a domain with
7966multiple machines, you should (1) change this to $<a href="postconf.5.html#mydomain">mydomain</a> and (2)
7967set up a domain-wide alias database that aliases each user to
7968user@that.users.mailhost.
7969</p>
7970
7971<p>
7972Example:
7973</p>
7974
7975<pre>
7976<a href="postconf.5.html#myorigin">myorigin</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
7977</pre>
7978
7979
7980</DD>
7981
7982<DT><b><a name="nested_header_checks">nested_header_checks</a>
7983(default: $<a href="postconf.5.html#header_checks">header_checks</a>)</b></DT><DD>
7984
7985<p>
7986Optional lookup tables for content inspection of non-MIME message
7987headers in attached messages, as described in the <a href="header_checks.5.html">header_checks(5)</a>
7988manual page.
7989</p>
7990
7991<p>
7992This feature is available in Postfix 2.0 and later.
7993</p>
7994
7995
7996</DD>
7997
7998<DT><b><a name="newaliases_path">newaliases_path</a>
7999(default: see "postconf -d" output)</b></DT><DD>
8000
8001<p>
8002Sendmail compatibility feature that specifies the location of the
8003<a href="newaliases.1.html">newaliases(1)</a> command. This command can be used to rebuild the
8004<a href="local.8.html">local(8)</a> <a href="aliases.5.html">aliases(5)</a> database.
8005</p>
8006
8007
8008</DD>
8009
8010<DT><b><a name="non_fqdn_reject_code">non_fqdn_reject_code</a>
8011(default: 504)</b></DT><DD>
8012
8013<p>
8014The numerical Postfix SMTP server reply code when a client request
8015is rejected by the <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>, <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a>
8016or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a> restriction.
8017</p>
8018
8019
8020</DD>
8021
8022<DT><b><a name="non_smtpd_milters">non_smtpd_milters</a>
8023(default: empty)</b></DT><DD>
8024
8025<p> A list of Milter (mail filter) applications for new mail that
8026does not arrive via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server. This includes local
8027submission via the <a href="sendmail.1.html">sendmail(1)</a> command line, new mail that arrives
8028via the Postfix <a href="qmqpd.8.html">qmqpd(8)</a> server, and old mail that is re-injected
8029into the queue with "postsuper -r".  Specify space or comma as a
8030separator. See the <a href="MILTER_README.html">MILTER_README</a> document for details.  </p>
8031
8032<p> This feature is available in Postfix 2.3 and later. </p>
8033
8034
8035</DD>
8036
8037<DT><b><a name="notify_classes">notify_classes</a>
8038(default: resource, software)</b></DT><DD>
8039
8040<p>
8041The list of error classes that are reported to the postmaster. These
8042postmaster notifications do not replace user notifications. The
8043default is to report only the most serious problems. The paranoid
8044may wish to turn on the policy (UCE and mail relaying) and protocol
8045error (broken mail software) reports.
8046</p>
8047
8048<p> NOTE: postmaster notifications may contain confidential information
8049such as SASL passwords or message content.  It is the system
8050administrator's responsibility to treat such information with care.
8051</p>
8052
8053<p>
8054The error classes are:
8055</p>
8056
8057<dl>
8058
8059<dt><b>bounce</b> (also implies <b>2bounce</b>)</dt>
8060
8061<dd>Send the postmaster copies of the headers of bounced mail, and
8062send transcripts of SMTP sessions when Postfix rejects mail. The
8063notification is sent to the address specified with the
8064<a href="postconf.5.html#bounce_notice_recipient">bounce_notice_recipient</a> configuration parameter (default: postmaster).
8065</dd>
8066
8067<dt><b>2bounce</b></dt>
8068
8069<dd>Send undeliverable bounced mail to the postmaster. The notification
8070is sent to the address specified with the <a href="postconf.5.html#2bounce_notice_recipient">2bounce_notice_recipient</a>
8071configuration parameter (default: postmaster). </dd>
8072
8073<dt><b>data</b></dt>
8074
8075<dd>Send the postmaster a transcript of the SMTP session with an
8076error because a critical data file was unavailable. The notification
8077is sent to the address specified with the <a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a>
8078configuration parameter (default: postmaster). <br> This feature
8079is available in Postfix 2.9 and later.  </dd>
8080
8081<dt><b>delay</b></dt>
8082
8083<dd>Send the postmaster copies of the headers of delayed mail (see
8084<a href="postconf.5.html#delay_warning_time">delay_warning_time</a>). The
8085notification is sent to the address specified with the
8086<a href="postconf.5.html#delay_notice_recipient">delay_notice_recipient</a> configuration parameter (default: postmaster).
8087</dd>
8088
8089<dt><b>policy</b></dt>
8090
8091<dd>Send the postmaster a transcript of the SMTP session when a
8092client request was rejected because of (UCE) policy. The notification
8093is sent to the address specified with the <a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a>
8094configuration parameter (default: postmaster).  </dd>
8095
8096<dt><b>protocol</b></dt>
8097
8098<dd>Send the postmaster a transcript of the SMTP session in case
8099of client or server protocol errors. The notification is sent to
8100the address specified with the <a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> configuration
8101parameter (default: postmaster). </dd>
8102
8103<dt><b>resource</b></dt>
8104
8105<dd>Inform the postmaster of mail not delivered due to resource
8106problems.  The notification is sent to the address specified with
8107the <a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> configuration parameter (default:
8108postmaster). </dd>
8109
8110<dt><b>software</b></dt>
8111
8112<dd>Inform the postmaster of mail not delivered due to software
8113problems.  The notification is sent to the address specified with
8114the <a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> configuration parameter (default:
8115postmaster). </dd>
8116
8117</dl>
8118
8119<p>
8120Examples:
8121</p>
8122
8123<pre>
8124<a href="postconf.5.html#notify_classes">notify_classes</a> = bounce, delay, policy, protocol, resource, software
8125<a href="postconf.5.html#notify_classes">notify_classes</a> = 2bounce, resource, software
8126</pre>
8127
8128
8129</DD>
8130
8131<DT><b><a name="openssl_path">openssl_path</a>
8132(default: openssl)</b></DT><DD>
8133
8134<p>
8135The location of the OpenSSL command line program openssl(1).  This
8136is used by the "<b><a href="postfix-tls.1.html">postfix tls</a></b>" command to create private keys,
8137certificate signing requests, self-signed certificates, and to
8138compute public key digests for DANE TLSA records.  In multi-instance
8139environments, this parameter is always determined from the configuration
8140of the default Postfix instance.
8141</p>
8142
8143<p> Example: </p>
8144
8145<blockquote>
8146<pre>
8147/etc/postfix/<a href="postconf.5.html">main.cf</a>:
8148    # NetBSD pkgsrc:
8149    <a href="postconf.5.html#openssl_path">openssl_path</a> = /usr/pkg/bin/openssl
8150    # Local build:
8151    <a href="postconf.5.html#openssl_path">openssl_path</a> = /usr/local/bin/openssl
8152</pre>
8153</blockquote>
8154
8155<p>
8156This feature is available in Postfix 3.1 and later.
8157</p>
8158
8159
8160</DD>
8161
8162<DT><b><a name="owner_request_special">owner_request_special</a>
8163(default: yes)</b></DT><DD>
8164
8165<p>
8166Enable special treatment for owner-<i>listname</i> entries in the
8167<a href="aliases.5.html">aliases(5)</a> file, and don't split owner-<i>listname</i> and
8168<i>listname</i>-request address localparts when the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>
8169is set to "-".  This feature is useful for mailing lists.
8170</p>
8171
8172
8173</DD>
8174
8175<DT><b><a name="parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
8176(default: see "postconf -d" output)</b></DT><DD>
8177
8178<p>
8179A list of Postfix features where the pattern "example.com" also
8180matches subdomains of example.com,
8181instead of requiring an explicit ".example.com" pattern.  This is
8182planned backwards compatibility:  eventually, all Postfix features
8183are expected to require explicit ".example.com" style patterns when
8184you really want to match subdomains.
8185</p>
8186
8187<p> The following Postfix feature names are supported. </p>
8188
8189<dl>
8190
8191<dt> Postfix version 1.0 and later</dt>
8192
8193<dd>
8194<a href="postconf.5.html#debug_peer_list">debug_peer_list</a>,
8195<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a>,
8196<a href="postconf.5.html#mynetworks">mynetworks</a>,
8197<a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a>,
8198<a href="postconf.5.html#relay_domains">relay_domains</a>,
8199<a href="postconf.5.html#transport_maps">transport_maps</a>
8200</dd>
8201
8202<dt> Postfix version 1.1 and later</dt>
8203
8204<dd>
8205<a href="postconf.5.html#qmqpd_authorized_clients">qmqpd_authorized_clients</a>,
<a href="SMTPD_ACCESS_README.html">smtpd_access_maps</a>
8207</dd>
8208
8209<dt> Postfix version 2.8 and later </dt>
8210
8211<dd>
8212<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a>
8213</dd>
8214
8215<dt> Postfix version 3.0 and later </dt>
8216
8217<dd>
8218<a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a>
8219</dd>
8220
8221</dl>
8222
8223
8224</DD>
8225
8226<DT><b><a name="permit_mx_backup_networks">permit_mx_backup_networks</a>
8227(default: empty)</b></DT><DD>
8228
8229<p>
8230Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP access feature to
8231only domains whose primary MX hosts match the listed networks.
8232The parameter value syntax is the same as with the <a href="postconf.5.html#mynetworks">mynetworks</a>
8233parameter; note, however, that the default value is empty.  </p>
8234
8235<p> Pattern matching of domain names is controlled by the presence
8236or absence of "<a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a>" in the
8237<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter value.  </p>
8238
8239
8240</DD>
8241
8242<DT><b><a name="pickup_service_name">pickup_service_name</a>
8243(default: pickup)</b></DT><DD>
8244
8245<p>
8246The name of the <a href="pickup.8.html">pickup(8)</a> service. This service picks up local mail
8247submissions from the Postfix <a href="QSHAPE_README.html#maildrop_queue">maildrop queue</a>.
8248</p>
8249
8250<p>
8251This feature is available in Postfix 2.0 and later.
8252</p>
8253
8254
8255</DD>
8256
8257<DT><b><a name="pipe_delivery_status_filter">pipe_delivery_status_filter</a>
8258(default: $<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b></DT><DD>
8259
8260<p> Optional filter for the <a href="pipe.8.html">pipe(8)</a> delivery agent to change the
8261delivery status code or explanatory text of successful or unsuccessful
8262deliveries.  See <a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a> for details.  </p>
8263
8264<p> This feature is available in Postfix 3.0 and later. </p>
8265
8266
8267</DD>
8268
8269<DT><b><a name="plaintext_reject_code">plaintext_reject_code</a>
8270(default: 450)</b></DT><DD>
8271
8272<p>
8273The numerical Postfix SMTP server response code when a request
8274is rejected by the <b><a href="postconf.5.html#reject_plaintext_session">reject_plaintext_session</a></b> restriction.
8275</p>
8276
8277<p> This feature is available in Postfix 2.3 and later. </p>
8278
8279
8280</DD>
8281
8282<DT><b><a name="postlog_service_name">postlog_service_name</a>
8283(default: postlog)</b></DT><DD>
8284
8285<p> The name of the <a href="postlogd.8.html">postlogd(8)</a> service entry in <a href="master.5.html">master.cf</a>.
8286This service appends logfile records to the file specified
8287with the <a href="postconf.5.html#maillog_file">maillog_file</a> parameter. </p>
8288
8289<p> This feature is available in Postfix 3.4 and later. </p>
8290
8291
8292</DD>
8293
8294<DT><b><a name="postlogd_watchdog_timeout">postlogd_watchdog_timeout</a>
8295(default: 10s)</b></DT><DD>
8296
8297<p> How much time a <a href="postlogd.8.html">postlogd(8)</a> process may take to process a request
8298before it is terminated by a built-in watchdog timer. This is a
8299safety mechanism that prevents <a href="postlogd.8.html">postlogd(8)</a> from becoming non-responsive
8300due to a bug in Postfix itself or in system software. This limit
8301cannot be set under 10s. </p>
8302
8303<p> Specify a non-zero time value (an integral value plus an optional
8304one-letter suffix that specifies the time unit).  Time units: s
8305(seconds), m (minutes), h (hours), d (days), w (weeks).
8306The default time unit is s (seconds).  </p>
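<p> The time-value syntax described here and under <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> above, together with the two constraints those descriptions state (<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> should be at least <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>; <a href="postconf.5.html#postlogd_watchdog_timeout">postlogd_watchdog_timeout</a> cannot be set under 10s), are worked through in the following Python, added here as an example. It is not Postfix code and not part of this manual page; the functions <tt>parse_time_value()</tt> and <tt>check_time_constraints()</tt> are this example's own, and the 300s default it assumes for <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> is the Postfix default, which this page does not state. </p>

```python
import re

# Time units named in the parameter descriptions; the default unit is s.
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time_value(text):
    """Convert a Postfix time value ("300s", "5m", "10") to whole seconds.

    The value is an integer with an optional one-letter unit suffix; no
    suffix means seconds. Zero and malformed values are rejected because
    both parameters require a non-zero time value.
    """
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", text)
    if not m:
        raise ValueError(f"malformed time value: {text!r}")
    seconds = int(m.group(1)) * TIME_UNITS[m.group(2) or "s"]
    if seconds == 0:
        raise ValueError(f"time value must be non-zero: {text!r}")
    return seconds


def check_time_constraints(params):
    """Check two constraints stated on this page against raw main.cf values.

    `params` maps parameter names to the values as written in main.cf.
    Missing parameters fall back to the documented defaults (300s for
    minimal_backoff_time, 10s for postlogd_watchdog_timeout); the 300s used
    for queue_run_delay is the Postfix default, assumed here because this
    page does not state it. Returns a list of findings, empty when all is well.
    """
    findings = []
    backoff = parse_time_value(params.get("minimal_backoff_time", "300s"))
    run_delay = parse_time_value(params.get("queue_run_delay", "300s"))
    watchdog = parse_time_value(params.get("postlogd_watchdog_timeout", "10s"))
    if backoff < run_delay:
        findings.append(f"minimal_backoff_time ({backoff}s) is below "
                        f"queue_run_delay ({run_delay}s)")
    if watchdog < 10:
        findings.append(f"postlogd_watchdog_timeout ({watchdog}s) cannot be "
                        "set under 10s")
    return findings


if __name__ == "__main__":
    # Constructed main.cf values; "1m" and "5" have units other than the default.
    sample = {"minimal_backoff_time": "1m", "queue_run_delay": "5m",
              "postlogd_watchdog_timeout": "5"}
    for finding in check_time_constraints(sample) or ["no findings"]:
        print(finding)
```

Feeding the output of "postconf -n" (parameters explicitly set in main.cf) into <tt>check_time_constraints()</tt> is enough to catch a backoff time that was shortened without also shortening <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>.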
8307
8308<p> This feature is available in Postfix 3.4 and later.  </p>
8309
8310
8311</DD>
8312
8313<DT><b><a name="postmulti_control_commands">postmulti_control_commands</a>
8314(default: reload flush)</b></DT><DD>
8315
8316<p> The <a href="postfix.1.html">postfix(1)</a> commands that the <a href="postmulti.1.html">postmulti(1)</a> instance manager
treats as "control" commands, i.e. commands that operate on running instances. For
8318these commands, disabled instances are skipped. </p>
8319
8320<p> This feature is available in Postfix 2.6 and later. </p>
8321
8322
8323</DD>
8324
8325<DT><b><a name="postmulti_start_commands">postmulti_start_commands</a>
8326(default: start)</b></DT><DD>
8327
8328<p> The <a href="postfix.1.html">postfix(1)</a> commands that the <a href="postmulti.1.html">postmulti(1)</a> instance manager treats
8329as "start" commands. For these commands, disabled instances are "checked"
8330rather than "started", and failure to "start" a member instance of an
8331instance group will abort the start-up of later instances. </p>
8332
8333<p> This feature is available in Postfix 2.6 and later. </p>
8334
8335
8336</DD>
8337
8338<DT><b><a name="postmulti_stop_commands">postmulti_stop_commands</a>
8339(default: see "postconf -d" output)</b></DT><DD>
8340
8341<p> The <a href="postfix.1.html">postfix(1)</a> commands that the <a href="postmulti.1.html">postmulti(1)</a> instance manager treats
8342as "stop" commands. For these commands, disabled instances are skipped,
8343and enabled instances are processed in reverse order. </p>
8344
8345<p> This feature is available in Postfix 2.6 and later. </p>
8346
8347
8348</DD>
8349
8350<DT><b><a name="postscreen_access_list">postscreen_access_list</a>
8351(default: <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b></DT><DD>
8352
8353<p> Permanent allow/denylist for remote SMTP client IP addresses.
8354<a href="postscreen.8.html">postscreen(8)</a> searches this list immediately after a remote SMTP
8355client connects.  Specify a comma- or whitespace-separated list of
8356commands (in upper or lower case) or lookup tables. The search stops
8357upon the first command that fires for the client IP address. </p>
8358
8359<dl>
8360
8361<dt> <b> <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> </b> </dt> <dd> Allowlist the client and
8362terminate the search if the client IP address matches $<a href="postconf.5.html#mynetworks">mynetworks</a>.
8363Do not subject the client to any before/after 220 greeting tests.
8364Pass the connection immediately to a Postfix SMTP server process.
8365<br> Pattern matching of domain names is controlled by the presence
8366or absence of "<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a>" in the
8367<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter value. </dd>
8368
8369<dt> <b> <a href="DATABASE_README.html">type:table</a> </b> </dt> <dd> Query the specified lookup
8370table. Each table lookup result is an access list, except that
8371access lists inside a table cannot specify <a href="DATABASE_README.html">type:table</a> entries.  <br>
8372To discourage the use of hash, btree, etc. tables, there is no
8373support for substring matching like <a href="smtpd.8.html">smtpd(8)</a>. Use CIDR tables
8374instead.  </dd>
8375
8376<dt> <b> permit </b> </dt> <dd> Allowlist the client and terminate
8377the search. Do not subject the client to any before/after 220
8378greeting tests. Pass the connection immediately to a Postfix SMTP
8379server process. </dd>
8380
8381<dt> <b> reject </b> </dt> <dd> Denylist the client and terminate
8382the search. Subject the client to the action configured with the
8383<a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> configuration parameter. </dd>
8384
8385<dt> <b> dunno </b> </dt> <dd> All <a href="postscreen.8.html">postscreen(8)</a> access lists
8386implicitly have this command at the end. <br> When <b> dunno </b>
8387is executed inside a lookup table, return from the lookup table and
8388evaluate the next command.  <br> When <b> dunno </b> is executed
8389outside a lookup table, terminate the search, and subject the client
8390to the configured before/after 220 greeting tests. </dd>
8391
8392</dl>
8393
8394<p> Example: </p>
8395
8396<pre>
8397/etc/postfix/<a href="postconf.5.html">main.cf</a>:
8398    <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
8399        <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr
8400    # Postfix &lt; 3.6 use <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a>.
8401    <a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> = enforce
8402</pre>
8403
8404<pre>
8405/etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>:
8406    # Rules are evaluated in the order as specified.
8407    # Denylist 192.168.* except 192.168.0.1.
8408    192.168.0.1         dunno
8409    192.168.0.0/16      reject
8410</pre>
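<p> The search order described above, as an added example that is not part of Postfix itself: a small Python model of the access-list evaluation, using the constructed main.cf and cidr table values from the example (the $mynetworks value and the client addresses are assumptions). </p>

```python
"""Model of postscreen_access_list evaluation (added example, not Postfix code).

Implements the documented search order: commands are tried left to right,
"permit"/"permit_mynetworks"/"reject" end the search, a cidr: table lookup
returns an access list of its own, and "dunno" inside a table returns to
the outer list, while "dunno" at the outer level (implicit at the end)
means "run the before/after-220 greeting tests".
"""
import ipaddress
import re

# Constructed stand-in for /etc/postfix/postscreen_access.cidr.
SAMPLE_CIDR_TABLE = """\
# Rules are evaluated in the order as specified.
# Denylist 192.168.* except 192.168.0.1.
192.168.0.1         dunno
192.168.0.0/16      reject
"""

# Constructed $mynetworks value (Postfix writes IPv6 inside []).
SAMPLE_MYNETWORKS = ["127.0.0.0/8", "[::1]/128", "10.0.0.0/8"]

# Constructed main.cf setting, as in the example above.
SAMPLE_ACCESS_LIST = ["permit_mynetworks", "cidr:/etc/postfix/postscreen_access.cidr"]


def to_network(pattern):
    """Convert Postfix address notation ([] around IPv6, optional /prefix)."""
    if pattern.startswith("["):
        addr, _, prefix = pattern.partition("]")
        pattern = addr[1:] + prefix
    return ipaddress.ip_network(pattern, strict=False)


def parse_cidr_table(text):
    """Parse cidr_table(5)-style lines into an ordered list of (network, result)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((to_network(pattern), result.strip()))
    return rules


def cidr_lookup(rules, client_ip):
    """Result of the first rule whose network contains client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for net, result in rules:
        if ip in net:                      # False when the IP versions differ
            return result
    return None


def evaluate_access_list(commands, client_ip, mynetworks, tables, inside_table=False):
    """Return "permit", "reject" or "tests"; None means "fell off a table's list"."""
    ip = ipaddress.ip_address(client_ip)
    for cmd in commands:
        name = cmd.lower()                 # commands are case-insensitive
        if name == "permit_mynetworks":
            if any(ip in net for net in mynetworks):
                return "permit"
        elif name == "permit":
            return "permit"
        elif name == "reject":
            return "reject"                # postscreen_denylist_action decides what follows
        elif name == "dunno":
            return None if inside_table else "tests"
        elif ":" in name:
            if inside_table:
                raise ValueError("type:table is not allowed inside a table result: " + cmd)
            result = cidr_lookup(tables[cmd], client_ip)
            if result is None:
                continue                   # no table match: try the next command
            nested = re.split(r"[,\s]+", result.strip())
            outcome = evaluate_access_list(nested, client_ip, mynetworks, tables, inside_table=True)
            if outcome is not None:
                return outcome
        else:
            raise ValueError("unknown postscreen access command: " + cmd)
    return None if inside_table else "tests"   # implicit trailing "dunno"


def decide(client_ip):
    """Apply the constructed configuration above to one client address."""
    tables = {SAMPLE_ACCESS_LIST[1]: parse_cidr_table(SAMPLE_CIDR_TABLE)}
    mynets = [to_network(p) for p in SAMPLE_MYNETWORKS]
    return evaluate_access_list(SAMPLE_ACCESS_LIST, client_ip, mynets, tables)


if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.168.0.1", "192.168.77.5", "203.0.113.9", "::1"):
        print(ip, "->", decide(ip))
```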
8411
8412<p> This feature is available in Postfix 2.8. </p>
8413
8414
8415</DD>
8416
8417<DT><b><a name="postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a>
8418(default: <a href="DATABASE_README.html#types">static</a>:all)</b></DT><DD>
8419
8420<p> A list of local <a href="postscreen.8.html">postscreen(8)</a> server IP addresses where a
8421non-allowlisted remote SMTP client can obtain <a href="postscreen.8.html">postscreen(8)</a>'s temporary
8422allowlist status. This status is required before the client can
8423talk to a Postfix SMTP server process.  By default, a client can
8424obtain <a href="postscreen.8.html">postscreen(8)</a>'s allowlist status on any local <a href="postscreen.8.html">postscreen(8)</a>
8425server IP address. </p>
8426
8427<p> When <a href="postscreen.8.html">postscreen(8)</a> listens on both primary and backup MX
8428addresses, the <a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> parameter can be
8429configured to give the temporary allowlist status only when a client
8430connects to a primary MX address. Once a client is allowlisted it
8431can talk to a Postfix SMTP server on any address. Thus, clients
8432that connect only to backup MX addresses will never become allowlisted,
8433and will never be allowed to talk to a Postfix SMTP server process.
8434</p>
8435
8436<p> Specify a list of network addresses or network/netmask patterns,
8437separated by commas and/or whitespace. The netmask specifies the
8438number of bits in the network part of a host address. Continue long
8439lines by starting the next line with whitespace. </p>
8440
8441<p> You can also specify "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns.  A
8442"/file/name" pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>"
8443lookup table is matched when a table entry matches a lookup string
8444(the lookup result is ignored). </p>
8445
8446<p> The list is matched left to right, and the search stops on the
8447first match. Specify "!pattern" to exclude an address or network
8448block from the list.  </p>
8449
8450<p> Note: IP version 6 address information must be specified inside
8451[] in the <a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> value, and in files
8452specified with "/file/name".  IP version 6 addresses contain the
8453":" character, and would otherwise be confused with a "<a href="DATABASE_README.html">type:table</a>"
8454pattern. </p>
8455
8456<p> Example: </p>
8457
8458<pre>
8459/etc/postfix/<a href="postconf.5.html">main.cf</a>:
8460    # Don't allowlist connections to the backup IP address.
8461    # Postfix &lt; 3.6 use <a href="postconf.5.html#postscreen_whitelist_interfaces">postscreen_whitelist_interfaces</a>.
8462    <a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> = !168.100.189.8, <a href="DATABASE_README.html#types">static</a>:all
8463</pre>
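<p> The left-to-right, first-match search with "!pattern" exclusion and the IPv6 bracket rule, as an added example that is not Postfix code: a Python check of which local addresses grant temporary allowlist status under the constructed main.cf value from the example (the "/file/name" form and lookup tables other than static:all are not modelled). </p>

```python
"""Model of postscreen_allowlist_interfaces matching (added example, not Postfix code).

The list is matched left to right against the *local* address a client
connected to; the first matching pattern decides, "!pattern" excludes, and
"static:all" is a type:table pattern that matches every lookup string.
"""
import ipaddress
import re


def to_network(pattern):
    """Convert Postfix address notation ([] around IPv6, optional /prefix)."""
    if pattern.startswith("["):
        addr, _, prefix = pattern.partition("]")
        pattern = addr[1:] + prefix
    return ipaddress.ip_network(pattern, strict=False)


def parse_interface_list(value):
    """Split a comma- and/or whitespace-separated parameter value."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def interface_grants_allowlist(patterns, local_addr):
    """True when a client connecting to local_addr may earn allowlist status."""
    addr = ipaddress.ip_address(local_addr.strip("[]"))
    for pattern in patterns:
        negate = pattern.startswith("!")
        body = pattern[1:] if negate else pattern
        if body.lower() == "static:all":
            matched = True                 # static:all matches any lookup string
        elif body.startswith("/"):
            raise ValueError("/file/name patterns are not modelled here: " + pattern)
        elif ":" in body and not body.startswith("["):
            # An unbracketed IPv6 address lands here, exactly the confusion
            # with "type:table" that the documentation warns about.
            raise ValueError("looks like type:table, not an address: " + pattern)
        else:
            matched = addr in to_network(body)
        if matched:
            return not negate              # first match stops the search
    return False                           # no match: status is not granted


# Constructed main.cf value from the example above; 168.100.189.8 is the backup MX.
SAMPLE_VALUE = "!168.100.189.8, static:all"

if __name__ == "__main__":
    for local in ("168.100.189.8", "168.100.189.9", "[2001:db8::25]"):
        print(local, "->", interface_grants_allowlist(parse_interface_list(SAMPLE_VALUE), local))
```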
8464
8465<p> This feature is available in Postfix 3.6 and later.  </p>
8466
8467<p> Available as <a href="postconf.5.html#postscreen_whitelist_interfaces">postscreen_whitelist_interfaces</a> in Postfix 2.9 - 3.5. </p>
8468
8469
8470</DD>
8471
8472<DT><b><a name="postscreen_bare_newline_action">postscreen_bare_newline_action</a>
8473(default: ignore)</b></DT><DD>
8474
8475<p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when a remote SMTP client sends
8476a bare newline character, that is, a newline not preceded by carriage
8477return.  Specify one of the following: </p>
8478
8479<dl>
8480
8481<dt> <b>ignore</b> </dt>
8482
8483<dd> Ignore the failure of this test. Allow other tests to complete.
8484Do <i>not</i> repeat this test before the result from some
8485other test expires.
8486This option is useful for testing and collecting statistics
8487without blocking mail permanently. </dd>
8488
8489<dt> <b>enforce</b> </dt>
8490
8491<dd> Allow other tests to complete. Reject attempts to deliver mail
8492with a 550 SMTP reply, and log the helo/sender/recipient information.
8493Repeat this test the next time the client connects. </dd>
8494
8495<dt> <b>drop</b> </dt>
8496
8497<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
8498this test the next time the client connects.  </dd>
8499
8500</dl>
8501
8502<p> This feature is available in Postfix 2.8. </p>
8503
8504
8505</DD>
8506
8507<DT><b><a name="postscreen_bare_newline_enable">postscreen_bare_newline_enable</a>
8508(default: no)</b></DT><DD>
8509
8510<p> Enable "bare newline" SMTP protocol tests in the <a href="postscreen.8.html">postscreen(8)</a>
8511server. These tests are expensive: a remote SMTP client must
8512disconnect after
8513it passes the test, before it can talk to a real Postfix SMTP server.
8514</p>
8515
8516<p> This feature is available in Postfix 2.8.  </p>
8517
8518
8519</DD>
8520
8521<DT><b><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a>
8522(default: 30d)</b></DT><DD>
8523
<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
IP address passed a "bare newline" SMTP protocol test, before that
address is required to pass that test again. The default
is long because a remote SMTP client must disconnect after it passes
the test,
before it can talk to a real Postfix SMTP server. </p>
8530
8531<p> Specify a non-zero time value (an integral value plus an optional
8532one-letter suffix that specifies the time unit).  Time units: s
8533(seconds), m (minutes), h (hours), d (days), w (weeks).
8534The default time unit is d (days).  </p>
8535
8536<p> This feature is available in Postfix 2.8.  </p>
8537
8538
8539</DD>
8540
8541<DT><b><a name="postscreen_blacklist_action">postscreen_blacklist_action</a>
8542(default: ignore)</b></DT><DD>
8543
8544<p> Renamed to <a href="postconf.5.html#postscreen_denylist_action">postscreen_denylist_action</a> in Postfix 3.6. </p>
8545
8546<p> This feature is available in Postfix 2.8 - 3.5. </p>
8547
8548
8549</DD>
8550
8551<DT><b><a name="postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a>
8552(default: 12h)</b></DT><DD>
8553
8554<p> The amount of time between <a href="postscreen.8.html">postscreen(8)</a> cache cleanup runs.
8555Cache cleanup increases the load on the cache database and should
8556therefore not be run frequently. This feature requires that the
8557cache database supports the "delete" and "sequence" operators.
8558Specify a zero interval to disable cache cleanup. </p>
8559
8560<p> After each cache cleanup run, the <a href="postscreen.8.html">postscreen(8)</a> daemon logs the
8561number of entries that were retained and dropped. A cleanup run is
8562logged as "partial" when the daemon terminates early after "<b>postfix
8563reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>
8564seconds. </p>
8565
8566<p> Specify a non-negative time value (an integral value plus an optional
8567one-letter suffix that specifies the time unit).  Time units: s
8568(seconds), m (minutes), h (hours), d (days), w (weeks).
8569The default time unit is h (hours).  </p>
8570
8571<p> This feature is available in Postfix 2.8. </p>
8572
8573
8574</DD>
8575
8576<DT><b><a name="postscreen_cache_map">postscreen_cache_map</a>
8577(default: <a href="DATABASE_README.html#types">btree</a>:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</b></DT><DD>
8578
8579<p> Persistent storage for the <a href="postscreen.8.html">postscreen(8)</a> server decisions. </p>
8580
8581<p> To share a <a href="postscreen.8.html">postscreen(8)</a> cache between multiple <a href="postscreen.8.html">postscreen(8)</a>
8582instances, use "<a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> = <a href="proxymap.8.html">proxy</a>:<a href="DATABASE_README.html#types">btree</a>:/path/to/file".
8583This requires Postfix version 2.9 or later; earlier <a href="proxymap.8.html">proxymap(8)</a>
8584implementations don't support cache cleanup. For an alternative
8585approach see the <a href="memcache_table.5.html">memcache_table(5)</a> manpage. </p>
8586
8587<p> This feature is available in Postfix 2.8. </p>
8588
8589
8590</DD>
8591
8592<DT><b><a name="postscreen_cache_retention_time">postscreen_cache_retention_time</a>
8593(default: 7d)</b></DT><DD>
8594
8595<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache an expired
8596temporary allowlist entry before it is removed. This prevents clients
8597from being logged as "NEW" just because their cache entry expired
8598an hour ago. It also prevents the cache from filling up with clients
8599that passed some deep protocol test once and never came back. </p>
8600
8601<p> Specify a non-zero time value (an integral value plus an optional
8602one-letter suffix that specifies the time unit).  Time units: s
8603(seconds), m (minutes), h (hours), d (days), w (weeks).
8604The default time unit is d (days).  </p>
8605
8606<p> This feature is available in Postfix 2.8. </p>
8607
8608
8609</DD>
8610
8611<DT><b><a name="postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a>
8612(default: $<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b></DT><DD>
8613
8614<p> How many simultaneous connections any remote SMTP client is
8615allowed to have
8616with the <a href="postscreen.8.html">postscreen(8)</a> daemon. By default, this limit is the same
8617as with the Postfix SMTP server. Note that the triage process can
8618take several seconds, with the time spent in <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a>
8619delay, and with the time spent talking to the <a href="postscreen.8.html">postscreen(8)</a> built-in
8620dummy SMTP protocol engine. </p>
8621
8622<p> This feature is available in Postfix 2.8.  </p>
8623
8624
8625</DD>
8626
8627<DT><b><a name="postscreen_command_count_limit">postscreen_command_count_limit</a>
8628(default: 20)</b></DT><DD>
8629
8630<p> The limit on the total number of commands per SMTP session for
8631<a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP protocol engine.  This SMTP engine
8632defers or rejects all attempts to deliver mail, therefore there is
8633no need to enforce separate limits on the number of junk commands
8634and error commands.  </p>
8635
8636<p> This feature is available in Postfix 2.8.  </p>
8637
8638
8639</DD>
8640
8641<DT><b><a name="postscreen_command_filter">postscreen_command_filter</a>
8642(default: $<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b></DT><DD>
8643
8644<p> A mechanism to transform commands from remote SMTP clients.
8645See <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> for further details. </p>
8646
8647<p> This feature is available in Postfix 2.8 and later. </p>
8648
8649
8650</DD>
8651
8652<DT><b><a name="postscreen_command_time_limit">postscreen_command_time_limit</a>
8653(default: normal: 300s, <a href="STRESS_README.html">overload</a>: 10s)</b></DT><DD>
8654
8655<p> The time limit to read an entire command line with <a href="postscreen.8.html">postscreen(8)</a>'s
8656built-in SMTP protocol engine. </p>
8657
8658<p> This feature is available in Postfix 2.8.  </p>
8659
8660
8661</DD>
8662
8663<DT><b><a name="postscreen_denylist_action">postscreen_denylist_action</a>
8664(default: ignore)</b></DT><DD>
8665
8666<p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when a remote SMTP client is
8667permanently denylisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter.
8668Specify one of the following: </p>
8669
8670<dl>
8671
8672<dt> <b>ignore</b> (default) </dt>
8673
<dd> Ignore this result. Allow other tests to complete.  Repeat
this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>
8678
8679<dt> <b>enforce</b> </dt>
8680
8681<dd> Allow other tests to complete. Reject attempts to deliver mail
8682with a 550 SMTP reply, and log the helo/sender/recipient information.
8683Repeat this test the next time the client connects. </dd>
8684
8685<dt> <b>drop</b> </dt>
8686
8687<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
8688this test the next time the client connects. </dd>
8689
8690</dl>
8691
8692<p> This feature is available in Postfix 3.6 and later. </p>
8693
8694<p> Available as <a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> in Postfix 2.8 - 3.5. </p>
8695
8696
8697</DD>
8698
8699<DT><b><a name="postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a>
8700(default: $<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b></DT><DD>
8701
8702<p> Disable the SMTP VRFY command in the <a href="postscreen.8.html">postscreen(8)</a> daemon.  See
8703<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> for details.  </p>
8704
8705<p> This feature is available in Postfix 2.8.  </p>
8706
8707
8708</DD>
8709
8710<DT><b><a name="postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a>
8711(default: $<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>)</b></DT><DD>
8712
8713<p> Lookup tables, indexed by the remote SMTP client address, with
8714case insensitive lists of EHLO keywords (pipelining, starttls, auth,
8715etc.) that the <a href="postscreen.8.html">postscreen(8)</a> server will not send in the EHLO response
8716to a remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> for details.
8717The table is not searched by hostname for robustness reasons.  </p>
8718
8719<p> This feature is available in Postfix 2.8 and later. </p>
8720
8721
8722</DD>
8723
8724<DT><b><a name="postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a>
8725(default: $<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b></DT><DD>
8726
8727<p> A case insensitive list of EHLO keywords (pipelining, starttls,
8728auth, etc.) that the <a href="postscreen.8.html">postscreen(8)</a> server will not send in the EHLO
8729response to a remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>
8730for details. </p>
8731
8732<p> This feature is available in Postfix 2.8 and later. </p>
8733
8734
8735</DD>
8736
8737<DT><b><a name="postscreen_dnsbl_action">postscreen_dnsbl_action</a>
8738(default: ignore)</b></DT><DD>
8739
8740<p>The action that <a href="postscreen.8.html">postscreen(8)</a> takes when a remote SMTP client's combined
8741DNSBL score is equal to or greater than a threshold (as defined
8742with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>
8743parameters).  Specify one of the following: </p>
8744
8745<dl>
8746
8747<dt> <b>ignore</b> (default) </dt>
8748
8749<dd> Ignore the failure of this test. Allow other tests to complete.
8750Repeat this test the next time the client connects.
8751This option is useful for testing and collecting statistics
8752without blocking mail. </dd>
8753
8754<dt> <b>enforce</b> </dt>
8755
8756<dd> Allow other tests to complete. Reject attempts to deliver mail
8757with a 550 SMTP reply, and log the helo/sender/recipient information.
8758Repeat this test the next time the client connects. </dd>
8759
8760<dt> <b>drop</b> </dt>
8761
8762<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
8763this test the next time the client connects. </dd>
8764
8765</dl>
8766
8767<p> This feature is available in Postfix 2.8. </p>
8768
8769
8770</DD>
8771
8772<DT><b><a name="postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a>
8773(default: 0)</b></DT><DD>
8774
8775<p> Allow a remote SMTP client to skip "before" and "after 220
8776greeting" protocol tests, based on its combined DNSBL score as
8777defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.  </p>
8778
8779<p> Specify a negative value to enable this feature. When a client
8780passes the <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> without having
8781failed other tests, all pending or disabled tests are flagged as
8782completed with an expiration time based on the DNS reply TTL.
8783When a test was already completed, its expiration time is updated
8784if it was less than the value based on the DNS reply TTL. See
8785also <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> and <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>. </p>
8786
8787<p> This feature is available in Postfix 3.6 and later.  </p>
8788
8789<p> Available as <a href="postconf.5.html#postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a> in Postfix 2.11
8790- 3.5.  </p>
8791
8792
8793</DD>
8794
8795<DT><b><a name="postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a>
8796(default: ${<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>?{$<a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>}:{1}}h)</b></DT><DD>
8797
8798<p> The maximum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a
8799client IP address passed a DNS-based reputation test, before it is
8800required to pass that test again. If the DNS
8801reply specifies a shorter TTL value, that value will be used unless
8802it would be smaller than <a href="postconf.5.html#postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>.  </p>
8803
8804<p> Specify a non-zero time value (an integral value plus an optional
8805one-letter suffix that specifies the time unit).  Time units: s
8806(seconds), m (minutes), h (hours), d (days), w (weeks).
8807The default time unit is h (hours).  </p>
8808
8809<p> This feature is available in Postfix 3.1. The default setting
8810is backwards-compatible with older Postfix versions. </p>
8811
8812
8813</DD>
8814
8815<DT><b><a name="postscreen_dnsbl_min_ttl">postscreen_dnsbl_min_ttl</a>
8816(default: 60s)</b></DT><DD>
8817
8818<p> The minimum amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a
8819client IP address passed a DNS-based reputation test, before it
8820is required to pass that test again. If the DNS
8821reply specifies a larger TTL value, that value will be used unless
8822it would be larger than <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a>.  </p>
8823
8824<p> Specify a non-zero time value (an integral value plus an optional
8825one-letter suffix that specifies the time unit).  Time units: s
8826(seconds), m (minutes), h (hours), d (days), w (weeks).
8827The default time unit is s (seconds).  </p>
8828
8829<p> This feature is available in Postfix 3.1. </p>
8830
8831
8832</DD>
8833
8834<DT><b><a name="postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a>
8835(default: empty)</b></DT><DD>
8836
8837<p> A mapping from an actual DNSBL domain name which includes a secret
8838password, to the DNSBL domain name that postscreen will reply with
8839when it rejects mail.  When no mapping is found, the actual DNSBL
8840domain will be used. </p>
8841
8842<p> For maximal stability it is best to use a file that is read
8843into memory such as <a href="pcre_table.5.html">pcre</a>:, <a href="regexp_table.5.html">regexp</a>: or <a href="DATABASE_README.html#types">texthash</a>: (<a href="DATABASE_README.html#types">texthash</a>: is similar
8844to <a href="DATABASE_README.html#types">hash</a>:, except a) there is no need to run <a href="postmap.1.html">postmap(1)</a> before the
8845file can be used, and b) <a href="DATABASE_README.html#types">texthash</a>: does not detect changes after
8846the file is read). </p>
8847
8848<p> Example: </p>
8849
8850<pre>
8851/etc/postfix/<a href="postconf.5.html">main.cf</a>:
8852    <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> = <a href="DATABASE_README.html#types">texthash</a>:/etc/postfix/dnsbl_reply
8853</pre>
8854
8855<pre>
8856/etc/postfix/dnsbl_reply:
8857   secret.zen.spamhaus.org      zen.spamhaus.org
8858</pre>
8859
8860<p> NOTE: This feature differs from the Postfix SMTP server's
8861<a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> feature, where 1) the table search key includes the
8862optional "<i>=address-filter</i>", and where 2) the lookup result
8863contains free text with <i>$name</i> variables. </p>
8864
8865<p> This feature is available in Postfix 2.8.  </p>
8866
8867
8868</DD>
8869
8870<DT><b><a name="postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>
8871(default: empty)</b></DT><DD>
8872
8873<p>Optional list of patterns with DNS allow/denylist domains, filters
8874and weight
8875factors. When the list is non-empty, the <a href="dnsblog.8.html">dnsblog(8)</a> daemon will
8876query these domains with the reversed IP addresses of remote SMTP
8877clients,
8878and <a href="postscreen.8.html">postscreen(8)</a> will update an SMTP client's DNSBL score with
8879each non-error reply as described below. </p>
8880
8881<p> Caution: when postscreen rejects mail, its SMTP response contains
8882the DNSBL
8883domain name. Use the <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> feature to hide
8884"password" information in DNSBL domain names. </p>
8885
8886<p> When a client's score is equal to or greater than the threshold
8887specified with <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>, <a href="postscreen.8.html">postscreen(8)</a> can drop
8888the connection with the remote SMTP client. </p>
8889
8890<p> Specify a list of domain=filter*weight patterns, separated by
8891comma or whitespace.  </p>
8892
8893<ul>
8894
8895<li> <p> When a pattern specifies no "=filter", <a href="postscreen.8.html">postscreen(8)</a> will
8896use any non-error DNSBL query result.  Otherwise, <a href="postscreen.8.html">postscreen(8)</a>
8897will use only DNSBL
8898query results that match the filter. The filter has the form d.d.d.d,
8899where each d is a number, or a pattern inside [] that contains one
8900or more ";"-separated numbers or number..number ranges.  </p>
8901
8902<li> <p> When a pattern specifies no "*weight", the weight of the
8903pattern is 1.  Otherwise, the weight must be an integral number.
8904Specify a negative number for allowlisting.  </p>
8905
8906<li> <p> When a pattern matches one or more DNSBL query results,
8907<a href="postscreen.8.html">postscreen(8)</a> adds that pattern's weight once to the remote SMTP
8908client's DNSBL score. </p>
8909
8910</ul>
8911
8912<p> Examples: </p>
8913
8914<p> To use example.com as a high-confidence blocklist, and to
8915block mail with example.net and example.org only when both agree:
8916</p>
8917
8918<pre>
8919<a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> = 2
8920<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = example.com*2, example.net, example.org
8921</pre>
8922
8923<p> To filter only DNSBL replies containing 127.0.0.4: </p>
8924
8925<pre>
8926<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = example.com=127.0.0.4
8927</pre>
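<p> The domain=filter*weight scoring described above, together with the <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>, <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> and <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> behaviour, as an added example that is not Postfix code: a Python model of the score computation. The DNSBL domains, replies and reply map are constructed, and the "passes the allowlist threshold" comparison is this example's assumption. </p>

```python
"""Model of postscreen DNSBL scoring (added example, not Postfix code).

Covers postscreen_dnsbl_sites "domain=filter*weight" patterns, the filter
syntax d.d.d.d with [n;m..k] octet sets, per-pattern weights added once,
postscreen_dnsbl_threshold, postscreen_dnsbl_allowlist_threshold, and the
postscreen_dnsbl_reply_map substitution that hides a "password" domain name.
"""
import re


def parse_dnsbl_site(pattern):
    """Split "domain=filter*weight" into (domain, filter or None, weight)."""
    weight = 1
    if "*" in pattern:
        pattern, weight_text = pattern.rsplit("*", 1)
        weight = int(weight_text)          # negative weights allowlist
    domain, _, flt = pattern.partition("=")
    return domain, (flt or None), weight


def _octet_matches(spec, value):
    """spec is a number, or a [...] set of ";"-separated numbers / n..m ranges."""
    if spec.startswith("[") and spec.endswith("]"):
        for part in spec[1:-1].split(";"):
            lo, _, hi = part.partition("..")
            if int(lo) <= value <= int(hi or lo):
                return True
        return False
    return int(spec) == value


def filter_matches(flt, reply_addr):
    """True when the dotted-quad DNSBL reply matches the d.d.d.d filter."""
    if flt is None:
        return True                        # no "=filter": any non-error reply counts
    specs = re.findall(r"\[[^\]]*\]|[^.]+", flt)   # split on "." outside [...]
    octets = [int(o) for o in reply_addr.split(".")]
    return len(specs) == len(octets) == 4 and all(
        _octet_matches(s, o) for s, o in zip(specs, octets))


def dnsbl_score(sites, replies):
    """Sum the weights of matching patterns; each pattern counts at most once.

    replies maps a queried DNSBL domain to the list of A records it returned;
    a missing or empty entry (not listed, or a DNS error) never changes the score.
    """
    score, hits = 0, []
    for pattern in sites:
        domain, flt, weight = parse_dnsbl_site(pattern)
        if any(filter_matches(flt, a) for a in replies.get(domain, [])):
            score += weight
            hits.append(domain)
    return score, hits


def dnsbl_decision(sites, replies, threshold=1, allowlist_threshold=0, reply_map=None):
    """Return ("reject"|"allowlist"|"pass", score, domain names a reject reply would show)."""
    score, hits = dnsbl_score(sites, replies)
    if score >= threshold:                 # inclusive lower bound, per the documentation
        reply_map = reply_map or {}
        return "reject", score, [reply_map.get(d, d) for d in hits]
    # Allowlisting is enabled only by a negative threshold. "Passes the
    # threshold" is modelled as score <= threshold: this example's assumption.
    if allowlist_threshold < 0 and score <= allowlist_threshold:
        return "allowlist", score, []
    return "pass", score, []


# Constructed configuration: the page's threshold-2 example, with a
# "password" DNSBL domain hidden by the reply map and a negative-weight DNSWL.
SAMPLE_SITES = ["secret.example.com*2", "example.net", "example.org", "dnswl.example*-3"]
SAMPLE_REPLY_MAP = {"secret.example.com": "example.com"}


def decide(replies):
    """Apply the constructed configuration to one client's DNSBL replies."""
    return dnsbl_decision(SAMPLE_SITES, replies, threshold=2,
                          allowlist_threshold=-3, reply_map=SAMPLE_REPLY_MAP)


if __name__ == "__main__":
    print(decide({"secret.example.com": ["127.0.0.2", "127.0.0.4"]}))
    print(decide({"example.net": ["127.0.0.2"], "example.org": ["127.0.0.3"]}))
    print(decide({"dnswl.example": ["127.0.5.2"]}))
```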
8928
8929<p> This feature is available in Postfix 2.8. </p>
8930
8931
8932</DD>
8933
8934<DT><b><a name="postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>
8935(default: 1)</b></DT><DD>
8936
8937<p> The inclusive lower bound for blocking a remote SMTP client, based on
8938its combined DNSBL score as defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>
8939parameter. </p>
8940
8941<p> This feature is available in Postfix 2.8.  </p>
8942
8943
8944</DD>
8945
8946<DT><b><a name="postscreen_dnsbl_timeout">postscreen_dnsbl_timeout</a>
8947(default: 10s)</b></DT><DD>
8948
8949<p> The time limit for DNSBL or DNSWL lookups. This is separate from
8950the timeouts in the <a href="dnsblog.8.html">dnsblog(8)</a> daemon which are defined by system
8951resolver(3) routines. </p>
8952
8953<p> Specify a non-zero time value (an integral value plus an optional
8954one-letter suffix that specifies the time unit).  Time units: s
8955(seconds), m (minutes), h (hours), d (days), w (weeks).
8956The default time unit is s (seconds).  </p>
8957
8958<p> This feature is available in Postfix 3.0.  </p>
8959
8960
8961</DD>
8962
8963<DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
8964(default: 1h)</b></DT><DD>
8965
8966<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
8967IP address passed a DNS-based reputation test, before it is required
8968to pass that test again.  </p>
8969
8970<p> Specify a non-zero time value (an integral value plus an optional
8971one-letter suffix that specifies the time unit).  Time units: s
8972(seconds), m (minutes), h (hours), d (days), w (weeks).
8973The default time unit is h (hours).  </p>
8974
8975<p> This feature is available in Postfix 2.8-3.0. It was
8976replaced by <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> in Postfix 3.1.  </p>
8977
8978
8979</DD>
8980
8981<DT><b><a name="postscreen_dnsbl_whitelist_threshold">postscreen_dnsbl_whitelist_threshold</a>
8982(default: 0)</b></DT><DD>
8983
8984<p> Renamed to <a href="postconf.5.html#postscreen_dnsbl_allowlist_threshold">postscreen_dnsbl_allowlist_threshold</a> in Postfix 3.6. </p>
8985
8986<p> This feature is available in Postfix 2.11 - 3.5.  </p>
8987
8988
8989</DD>
8990
8991<DT><b><a name="postscreen_enforce_tls">postscreen_enforce_tls</a>
8992(default: $<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b></DT><DD>
8993
<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption.  See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>
for details.  </p>

<p> This feature is available in Postfix 2.8 and later.
Preferably, use <a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> instead. </p>


</DD>

<DT><b><a name="postscreen_expansion_filter">postscreen_expansion_filter</a>
(default: see "postconf -d" output)</b></DT><DD>

<p> List of characters that are permitted in <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a>
attribute expansions.  See <a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> for further
details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>


</DD>

<DT><b><a name="postscreen_forbidden_commands">postscreen_forbidden_commands</a>
(default: $<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b></DT><DD>

<p> List of commands that the <a href="postscreen.8.html">postscreen(8)</a> server considers in
violation of the SMTP protocol. See <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> for
syntax, and <a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> for possible actions.
</p>

<p> This feature is available in Postfix 2.8.  </p>


</DD>

<DT><b><a name="postscreen_greet_action">postscreen_greet_action</a>
(default: ignore)</b></DT><DD>

<p>The action that <a href="postscreen.8.html">postscreen(8)</a> takes when a remote SMTP client speaks
before its turn within the time specified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a>
parameter.  Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Repeat this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> In all three cases, <a href="postscreen.8.html">postscreen(8)</a> will not allowlist the remote SMTP client
IP address. </p>

<p> This feature is available in Postfix 2.8. </p>


</DD>

<DT><b><a name="postscreen_greet_banner">postscreen_greet_banner</a>
(default: $<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b></DT><DD>

<p> The <i>text</i> in the optional "220-<i>text</i>..." server
response that
<a href="postscreen.8.html">postscreen(8)</a> sends ahead of the real Postfix SMTP server's "220
text..." response, in an attempt to confuse bad SMTP clients so
that they speak before their turn (pre-greet).  Specify an empty
value to disable this feature.  </p>

<p> This feature is available in Postfix 2.8. </p>


</DD>

<DT><b><a name="postscreen_greet_ttl">postscreen_greet_ttl</a>
(default: 1d)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
IP address passed a PREGREET test, before it is required to pass
that test again. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).  </p>

<p> This feature is available in Postfix 2.8. </p>


</DD>

<DT><b><a name="postscreen_greet_wait">postscreen_greet_wait</a>
(default: normal: 6s, <a href="STRESS_README.html">overload</a>: 2s)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will wait for an SMTP
client to send a command before its turn, and for DNS blocklist
lookup results to arrive (default: up to 2 seconds under stress,
up to 6 seconds otherwise).  </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>

<p> This feature is available in Postfix 2.8. </p>


</DD>

<DT><b><a name="postscreen_helo_required">postscreen_helo_required</a>
(default: $<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b></DT><DD>

<p> Require that a remote SMTP client sends HELO or EHLO before
commencing a MAIL transaction. </p>

<p> This feature is available in Postfix 2.8.  </p>


</DD>

<DT><b><a name="postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a>
(default: drop)</b></DT><DD>

<p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when a remote SMTP client sends
non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a>
parameter.  Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. This action is the
same as with the Postfix SMTP server's <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>
feature.  </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>


</DD>

<DT><b><a name="postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a>
(default: no)</b></DT><DD>

<p> Enable "non-SMTP command" tests in the <a href="postscreen.8.html">postscreen(8)</a> server. These
tests are expensive: a client must disconnect after it passes the
test, before it can talk to a real Postfix SMTP server. </p>

<p> This feature is available in Postfix 2.8.  </p>


</DD>

<DT><b><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a>
(default: 30d)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
IP address passed a "non_smtp_command" SMTP protocol test, before
it is required to pass that test again. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).  </p>

<p> This feature is available in Postfix 2.8.  </p>


</DD>

<DT><b><a name="postscreen_pipelining_action">postscreen_pipelining_action</a>
(default: enforce)</b></DT><DD>

<p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when a remote SMTP client
sends multiple commands instead of sending one command and waiting for
the server to respond.  Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>


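<p> The "ignore" setting of this and the other two action parameters exists
so that an operator can collect statistics before enforcing. The following
added example (not Postfix code, and not part of this page's own text)
tallies the PREGREET, COMMAND PIPELINING and NON-SMTP COMMAND lines that
<a href="postscreen.8.html">postscreen(8)</a> logs while a test's action is "ignore", and reports which
client addresses would have been rejected or dropped under a proposed set of
actions. The sample log is constructed with documentation addresses, and the
regular expressions only approximate the real log format; compare them with
your own logs before trusting the counts. </p>

```python
"""
Tally postscreen(8) protocol-test failures from mail logs, to see what a
change from "ignore" to "enforce" or "drop" would have blocked.

Added example for this page, not Postfix code. The regular expressions
approximate postscreen's PREGREET, COMMAND PIPELINING, NON-SMTP COMMAND and
PASS NEW/OLD log lines; the sample log below is constructed with
documentation addresses.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (raw string, so the logged "\r\n" stays literal).
SAMPLE_LOG = r"""
Mar  3 10:00:01 mx postfix/postscreen[1234]: CONNECT from [192.0.2.10]:51234 to [198.51.100.5]:25
Mar  3 10:00:01 mx postfix/postscreen[1234]: PREGREET 14 after 0.05 from [192.0.2.10]:51234: EHLO spammer\r\n
Mar  3 10:00:02 mx postfix/postscreen[1234]: COMMAND PIPELINING from [192.0.2.10]:51234 after 0.1: MAIL FROM:<a@example.org>\r\nRCPT TO:<b@example.com>\r\n
Mar  3 10:00:03 mx postfix/postscreen[1234]: DISCONNECT [192.0.2.10]:51234
Mar  3 10:00:10 mx postfix/postscreen[1234]: CONNECT from [203.0.113.7]:44321 to [198.51.100.5]:25
Mar  3 10:00:16 mx postfix/postscreen[1234]: PASS NEW [203.0.113.7]:44321
Mar  3 10:01:00 mx postfix/postscreen[1234]: CONNECT from [203.0.113.7]:44900 to [198.51.100.5]:25
Mar  3 10:01:00 mx postfix/postscreen[1234]: PASS OLD [203.0.113.7]:44900
Mar  3 10:02:00 mx postfix/postscreen[1234]: NON-SMTP COMMAND from [192.0.2.11]:60001 after 0.3: GET / HTTP/1.1\r\n
Mar  3 10:02:05 mx postfix/postscreen[1234]: PREGREET 14 after 0.01 from [192.0.2.10]:51300: EHLO spammer\r\n
Mar  3 10:03:00 mx postfix/smtpd[1300]: connect from unknown[192.0.2.10]
"""

# One pattern per postscreen test; group 1 is the client IP address.
TEST_PATTERNS = {
    "pregreet": re.compile(r"\bPREGREET \d+ after [\d.]+ from \[([^\]]+)\]:\d+"),
    "pipelining": re.compile(r"\bCOMMAND PIPELINING from \[([^\]]+)\]:\d+"),
    "non_smtp_command": re.compile(r"\bNON-SMTP COMMAND from \[([^\]]+)\]:\d+"),
}
PASS_RE = re.compile(r"\bPASS (NEW|OLD) \[([^\]]+)\]:\d+")


def tally(lines):
    """Return ({client_ip: Counter(test -> failures)}, Counter(NEW/OLD passes))."""
    failures = defaultdict(Counter)
    passes = Counter()
    for line in lines:
        if "postfix/postscreen[" not in line:   # skip smtpd and other daemons
            continue
        for test, pattern in TEST_PATTERNS.items():
            m = pattern.search(line)
            if m:
                failures[m.group(1)][test] += 1
        m = PASS_RE.search(line)
        if m:
            passes[m.group(1)] += 1
    return dict(failures), passes


def would_block(failures, actions):
    """
    Clients that at least one test set to "enforce" or "drop" would have
    rejected (550) or dropped (521).  Tests missing from `actions` count as
    "ignore", the default for postscreen_greet_action.
    """
    return {ip for ip, tests in failures.items()
            if any(actions.get(t, "ignore") in ("enforce", "drop") for t in tests)}


if __name__ == "__main__":
    failures, passes = tally(SAMPLE_LOG.strip().splitlines())
    for ip, tests in sorted(failures.items()):
        print(ip, dict(tests))
    print("passes:", dict(passes))
    print("would block with pipelining=enforce:",
          sorted(would_block(failures, {"pipelining": "enforce"})))
```

<p> Run it against a real log and compare the set returned by would_block()
with the clients you actually want to receive mail from, before changing an
action away from "ignore". </p>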
</DD>

<DT><b><a name="postscreen_pipelining_enable">postscreen_pipelining_enable</a>
(default: no)</b></DT><DD>

<p> Enable "pipelining" SMTP protocol tests in the <a href="postscreen.8.html">postscreen(8)</a>
server. These tests are expensive: a good client must disconnect
after it passes the test, before it can talk to a real Postfix SMTP
server. </p>

<p> This feature is available in Postfix 2.8.  </p>


</DD>

<DT><b><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a>
(default: 30d)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> remembers that a client
IP address passed a "pipelining" SMTP protocol test, before it is
required to pass that test again. The default is
long because a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).  </p>

<p> This feature is available in Postfix 2.8.  </p>


</DD>

<DT><b><a name="postscreen_post_queue_limit">postscreen_post_queue_limit</a>
(default: $<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b></DT><DD>

<p> The number of clients that can be waiting for service from a
real Postfix SMTP server process. When this queue is full, all
clients will receive a 421 response. </p>

<p> This feature is available in Postfix 2.8. </p>


</DD>

<DT><b><a name="postscreen_pre_queue_limit">postscreen_pre_queue_limit</a>
(default: $<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b></DT><DD>

<p> The number of non-allowlisted clients that can be waiting for
a decision whether they will receive service from a real Postfix
SMTP server process. When this queue is full, all non-allowlisted
clients will receive a 421 response. </p>

<p> This feature is available in Postfix 2.8. </p>


</DD>

<DT><b><a name="postscreen_reject_footer">postscreen_reject_footer</a>
(default: $<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b></DT><DD>

<p> Optional information that is appended after a 4XX or 5XX
<a href="postscreen.8.html">postscreen(8)</a> server
response. See <a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> for further details.  </p>

<p> This feature is available in Postfix 2.8 and later. </p>


</DD>

<DT><b><a name="postscreen_reject_footer_maps">postscreen_reject_footer_maps</a>
(default: $<a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a>)</b></DT><DD>

<p> Optional lookup table for information that is appended after a 4XX
or 5XX <a href="postscreen.8.html">postscreen(8)</a> server response. See <a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a> for
further details. </p>

<p> This feature is available in Postfix 3.4 and later. </p>


</DD>

<DT><b><a name="postscreen_tls_security_level">postscreen_tls_security_level</a>
(default: $<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b></DT><DD>

<p> The SMTP TLS security level for the <a href="postscreen.8.html">postscreen(8)</a> server; when
a non-empty value is specified, this overrides the obsolete parameters
<a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>. See <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>
for details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>


</DD>

<DT><b><a name="postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a>
(default: empty)</b></DT><DD>

<p> The name of the proxy protocol used by an optional before-postscreen
proxy agent. When a proxy agent is used, this protocol conveys local
and remote address and port information. Specify
"<a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> = haproxy" to enable the haproxy
protocol; version 2 is supported with Postfix 3.5 and later. </p>

<p> This feature is available in Postfix 2.10 and later.  </p>


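<p> To show what the haproxy protocol conveys and why it must only be
accepted from the proxy itself, here is an added example (not Postfix code)
that parses a version 1 PROXY header, the one-line text form; the binary
version 2 form is not handled. It applies the two checks a deployment
needs: the header must be complete within a time limit (what
<a href="postconf.5.html#postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a> enforces), and the TCP peer must be a
trusted proxy, since whoever can send this line chooses the client address
that the tests and allowlists are keyed on. The sample headers and the
trusted-proxy list are constructed with documentation addresses. </p>

```python
"""
Parse the PROXY protocol v1 header that a before-postscreen proxy agent
sends first when postscreen_upstream_proxy_protocol = haproxy.

Added example for this page, not Postfix code. Only the v1 text form is
handled (v2 is binary and out of scope here); the sample headers and the
trusted-proxy list are constructed with documentation addresses.
"""
import ipaddress

MAX_V1_LINE = 107          # longest valid v1 header, CRLF included


class ProxyHeaderError(ValueError):
    """Malformed, late or untrusted PROXY header."""


def collect_header(arrivals, timeout=5.0):
    """
    Accumulate bytes until the CRLF that ends the header.  `arrivals` is an
    iterable of (seconds_since_connect, chunk); the header must be complete
    before `timeout` seconds, as postscreen_upstream_proxy_timeout requires.
    """
    buf = b""
    for elapsed, chunk in arrivals:
        if elapsed > timeout:
            raise ProxyHeaderError("PROXY header not complete within %.1fs" % timeout)
        buf += chunk
        if len(buf) > MAX_V1_LINE:
            raise ProxyHeaderError("PROXY header longer than %d bytes" % MAX_V1_LINE)
        end = buf.find(b"\r\n")
        if end >= 0:
            return buf[:end + 2]
    raise ProxyHeaderError("connection closed before PROXY header was complete")


def collect_or_reason(arrivals, timeout=5.0):
    """collect_header() for callers that want (True, header) / (False, reason)."""
    try:
        return True, collect_header(arrivals, timeout)
    except ProxyHeaderError as err:
        return False, str(err)


def parse_proxy_v1(header):
    """
    Return (client_ip, client_port, server_ip, server_port), or None for
    "PROXY UNKNOWN" (the proxy has no address information to pass on).
    """
    if not header.endswith(b"\r\n") or len(header) > MAX_V1_LINE:
        raise ProxyHeaderError("header must be one CRLF-terminated line")
    try:
        fields = header[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in PROXY header") from None
    if fields[0] != "PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    if fields[1:2] == ["UNKNOWN"]:
        return None
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unsupported or malformed PROXY line")
    addr_type = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    try:
        src, dst = addr_type(fields[2]), addr_type(fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError:
        raise ProxyHeaderError("bad address or port in PROXY line") from None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return str(src), sport, str(dst), dport


def effective_client(header, peer_addr, trusted_proxies):
    """
    The address that postscreen-style tests and allowlists should be keyed
    on.  Returns (True, client_ip) or (False, reason).  The header is only
    honoured when the TCP peer is a trusted proxy: anyone else who can send
    a PROXY line could otherwise choose the address the tests are keyed on.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_proxies):
        return False, "PROXY header from untrusted peer %s" % peer_addr
    try:
        parsed = parse_proxy_v1(header)
    except ProxyHeaderError as err:
        return False, str(err)
    if parsed is None:                 # UNKNOWN: fall back to the peer address
        return True, peer_addr
    return True, parsed[0]


if __name__ == "__main__":
    # Constructed arrival timeline: the header comes in two TCP segments.
    ok, header = collect_or_reason([(0.1, b"PROXY TCP4 192.0.2.10 "),
                                    (0.3, b"198.51.100.5 51234 25\r\n")])
    print(ok, header, parse_proxy_v1(header))
    print(effective_client(header, "10.0.0.1", ["10.0.0.0/8"]))
    print(effective_client(header, "203.0.113.9", ["10.0.0.0/8"]))
```

<p> In a real deployment the trusted-proxy list should be exactly the
addresses of the proxy agents; a firewall rule that keeps other hosts from
reaching the postscreen port at all is the simplest way to enforce it. </p>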
</DD>

<DT><b><a name="postscreen_upstream_proxy_timeout">postscreen_upstream_proxy_timeout</a>
(default: 5s)</b></DT><DD>

<p> The time limit for the proxy protocol specified with the
<a href="postconf.5.html#postscreen_upstream_proxy_protocol">postscreen_upstream_proxy_protocol</a> parameter. </p>

<p> This feature is available in Postfix 2.10 and later.  </p>


</DD>

<DT><b><a name="postscreen_use_tls">postscreen_use_tls</a>
(default: $<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b></DT><DD>

<p> Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
but do not require that clients use TLS encryption. </p>

<p> This feature is available in Postfix 2.8 and later.
Preferably, use <a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> instead. </p>


</DD>

<DT><b><a name="postscreen_watchdog_timeout">postscreen_watchdog_timeout</a>
(default: 10s)</b></DT><DD>

<p> How much time a <a href="postscreen.8.html">postscreen(8)</a> process may take to respond to
a remote SMTP client command or to perform a cache operation before it
is terminated by a built-in watchdog timer.  This is a safety
mechanism that prevents <a href="postscreen.8.html">postscreen(8)</a> from becoming non-responsive
due to a bug in Postfix itself or in system software.  To avoid
false alarms and unnecessary cache corruption this limit cannot be
set under 10s.  </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>

<p> This feature is available in Postfix 2.8.  </p>


</DD>

<DT><b><a name="postscreen_whitelist_interfaces">postscreen_whitelist_interfaces</a>
(default: <a href="DATABASE_README.html#types">static</a>:all)</b></DT><DD>

<p> Renamed to <a href="postconf.5.html#postscreen_allowlist_interfaces">postscreen_allowlist_interfaces</a> in Postfix 3.6. </p>

<p> This feature is available in Postfix 2.9 - 3.5. </p>


</DD>

<DT><b><a name="prepend_delivered_header">prepend_delivered_header</a>
(default: command, file, forward)</b></DT><DD>

<p> The message delivery contexts where the Postfix <a href="local.8.html">local(8)</a> delivery
agent prepends a Delivered-To:  message header with the address
that the mail was delivered to. This information is used for mail
delivery loop detection.  </p>

<p>
By default, the Postfix local delivery agent prepends a Delivered-To:
header when forwarding mail and when delivering to file (mailbox)
and command. Turning off the Delivered-To: header when forwarding
mail is not recommended.
</p>

<p>
Specify zero or more of <b>forward</b>, <b>file</b>, or <b>command</b>.
</p>

<p>
Example:
</p>

<pre>
<a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a> = forward
</pre>


</DD>

<DT><b><a name="process_id">process_id</a>
(read-only)</b></DT><DD>

<p>
The process ID of a Postfix command or daemon process.
</p>


</DD>

<DT><b><a name="process_id_directory">process_id_directory</a>
(default: pid)</b></DT><DD>

<p>
The location of Postfix PID files relative to $<a href="postconf.5.html#queue_directory">queue_directory</a>.
This is a read-only parameter.
</p>


</DD>

<DT><b><a name="process_name">process_name</a>
(read-only)</b></DT><DD>

<p>
The process name of a Postfix command or daemon process.
</p>


</DD>

<DT><b><a name="propagate_unmatched_extensions">propagate_unmatched_extensions</a>
(default: canonical, virtual)</b></DT><DD>

<p>
What address lookup tables copy an address extension from the lookup
key to the lookup result.
</p>

<p>
For example, with a <a href="virtual.5.html">virtual(5)</a> mapping of "<i>joe@example.com =&gt;
joe.user@example.net</i>", the address "<i>joe+foo@example.com</i>"
would rewrite to "<i>joe.user+foo@example.net</i>".
</p>

<p>
Specify zero or more of <b>canonical</b>, <b>virtual</b>, <b>alias</b>,
<b>forward</b>, <b>include</b> or <b>generic</b>. These cause
address extension
propagation with <a href="canonical.5.html">canonical(5)</a>, <a href="virtual.5.html">virtual(5)</a>, and <a href="aliases.5.html">aliases(5)</a> maps,
with <a href="local.8.html">local(8)</a> .forward and :include: file lookups, and with <a href="smtp.8.html">smtp(8)</a>
generic maps, respectively.  </p>

<p>
Note: enabling this feature for types other than <b>canonical</b>
and <b>virtual</b> is likely to cause problems when mail is forwarded
to other sites, especially with mail that is sent to a mailing list
exploder address.
</p>

<p>
Examples:
</p>

<pre>
<a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> = canonical, virtual, alias,
        forward, include
<a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> = canonical, virtual
</pre>


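<p> The following added example (not Postfix code) models the rewriting
described above: an exact lookup of the full address first, then the
address without its extension, with the unmatched "+foo" part copied to
the result only for table types listed in
<a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a>. It simplifies the real
<a href="virtual.5.html">virtual(5)</a> search order to those two keys and assumes a
<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> of "+"; the table is constructed. </p>

```python
"""
Address-extension propagation as described for propagate_unmatched_extensions.

Added example for this page, not Postfix code. Simplifications: only the full
address and the bare user@domain keys are tried (the real virtual(5) search
also tries other forms), recipient_delimiter is assumed to be "+", and a
plain dict stands in for the lookup table.
"""


def split_extension(local_part, delimiter="+"):
    """'joe+foo' -> ('joe', '+foo'); 'joe' -> ('joe', '')."""
    user, sep, ext = local_part.partition(delimiter)
    return user, (sep + ext) if sep else ""


def rewrite(address, table, table_type="virtual",
            propagate=("canonical", "virtual"), delimiter="+"):
    """Rewrite one address through `table`; unchanged when nothing matches."""
    if address in table:                      # exact match, extension included
        return table[address]
    local, _, domain = address.partition("@")
    user, ext = split_extension(local, delimiter)
    if not ext:
        return address                        # nothing to strip, no match
    result = table.get("%s@%s" % (user, domain))
    if result is None:
        return address
    if table_type not in propagate:           # extension is dropped
        return result
    rlocal, _, rdomain = result.partition("@")
    return "%s%s@%s" % (rlocal, ext, rdomain)  # extension copied to the result


# Constructed table, matching the example in the text above.
TABLE = {"joe@example.com": "joe.user@example.net"}

if __name__ == "__main__":
    print(rewrite("joe+foo@example.com", TABLE))                     # joe.user+foo@example.net
    print(rewrite("joe+foo@example.com", TABLE, table_type="alias"))  # joe.user@example.net
```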
</DD>

<DT><b><a name="proxy_interfaces">proxy_interfaces</a>
(default: empty)</b></DT><DD>

<p>
The remote network interface addresses that this mail system receives mail
on by way of a proxy or network address translation unit.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>

<p> You must specify your "outside" proxy/NAT addresses when your
system is a backup MX host for other domains, otherwise mail delivery
loops will happen when the primary MX host is down.  </p>

<p>
Example:
</p>

<pre>
<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4
</pre>


</DD>

<DT><b><a name="proxy_read_maps">proxy_read_maps</a>
(default: see "postconf -d" output)</b></DT><DD>

<p>
The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to
access for the read-only service.
</p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma.
Table references that don't begin with <a href="proxymap.8.html">proxy</a>: are ignored.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>


</DD>

<DT><b><a name="proxy_write_maps">proxy_write_maps</a>
(default: see "postconf -d" output)</b></DT><DD>

<p> The lookup tables that the <a href="proxymap.8.html">proxymap(8)</a> server is allowed to
access for the read-write service. Postfix-owned local database
files should be stored under the Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>.
Table references that don't begin with <a href="proxymap.8.html">proxy</a>: are ignored.  </p>

<p>
This feature is available in Postfix 2.5 and later.
</p>


</DD>

<DT><b><a name="proxymap_service_name">proxymap_service_name</a>
(default: proxymap)</b></DT><DD>

<p> The name of the proxymap read-only table lookup service.  This
service is normally implemented by the <a href="proxymap.8.html">proxymap(8)</a> daemon. </p>

<p> This feature is available in Postfix 2.6 and later. </p>


</DD>

<DT><b><a name="proxywrite_service_name">proxywrite_service_name</a>
(default: proxywrite)</b></DT><DD>

<p> The name of the proxywrite read-write table lookup service.
This service is normally implemented by the <a href="proxymap.8.html">proxymap(8)</a> daemon.
</p>

<p> This feature is available in Postfix 2.6 and later. </p>


</DD>

<DT><b><a name="qmgr_clog_warn_time">qmgr_clog_warn_time</a>
(default: 300s)</b></DT><DD>

<p>
The minimal delay between warnings that a specific destination is
clogging up the Postfix <a href="QSHAPE_README.html#active_queue">active queue</a>. Specify 0 to disable.
</p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>

<p>
This feature is enabled with the <a href="postconf.5.html#helpful_warnings">helpful_warnings</a> parameter.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>


</DD>

<DT><b><a name="qmgr_daemon_timeout">qmgr_daemon_timeout</a>
(default: 1000s)</b></DT><DD>

<p> How much time a Postfix queue manager process may take to handle
a request before it is terminated by a built-in watchdog timer.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>

<p> This feature is available in Postfix 2.8 and later.  </p>


</DD>

<DT><b><a name="qmgr_fudge_factor">qmgr_fudge_factor</a>
(default: 100)</b></DT><DD>

<p>
Obsolete feature: the percentage of delivery resources that a busy
mail system will use up for delivery of a large mailing list
message.
</p>

<p>
This feature exists only in the <a href="qmgr.8.html">oqmgr(8)</a> old queue manager. The
current queue manager solves the problem in a better way.
</p>


</DD>

<DT><b><a name="qmgr_ipc_timeout">qmgr_ipc_timeout</a>
(default: 60s)</b></DT><DD>

<p> The time limit for the queue manager to send or receive information
over an internal communication channel.  The purpose is to break
out of deadlock situations. If the time limit is exceeded the
software either retries or aborts the operation. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>

<p> This feature is available in Postfix 2.8 and later.  </p>


</DD>

<DT><b><a name="qmgr_message_active_limit">qmgr_message_active_limit</a>
(default: 20000)</b></DT><DD>

<p>
The maximal number of messages in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
</p>


</DD>

<DT><b><a name="qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>
(default: 20000)</b></DT><DD>

<p> The maximal number of recipients held in memory by the Postfix
queue manager, and the maximal size of the short-term,
in-memory "dead" destination status cache.  </p>


</DD>

<DT><b><a name="qmgr_message_recipient_minimum">qmgr_message_recipient_minimum</a>
(default: 10)</b></DT><DD>

<p>
The minimal number of in-memory recipients for any message. This
takes priority over any other in-memory recipient limits (i.e.,
the global <a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a> and the per transport
_recipient_limit) if necessary. The minimum value allowed for this
parameter is 1.
</p>


</DD>

<DT><b><a name="qmqpd_authorized_clients">qmqpd_authorized_clients</a>
(default: empty)</b></DT><DD>

<p>
What remote QMQP clients are allowed to connect to the Postfix QMQP
server port.
</p>

<p>
By default, no client is allowed to use the service. This is
because the QMQP server will relay mail to any destination.
</p>

<p>
Specify a list of client patterns. A list pattern specifies a host
name, a domain name, an internet address, or a network/mask pattern,
where the mask specifies the number of bits in the network part.
When a pattern specifies a file name, its contents are substituted
for the file name; when a pattern is a "<a href="DATABASE_README.html">type:table</a>" table specification,
table lookup is used instead.  </p>

<p>
Patterns are separated by whitespace and/or commas. In order to
reverse the result, precede a pattern with an
exclamation point (!). The form "!/file/name" is supported only
in Postfix version 2.4 and later.
</p>

<p> Pattern matching of domain names is controlled by the presence
or absence of "<a href="postconf.5.html#qmqpd_authorized_clients">qmqpd_authorized_clients</a>" in the
<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter value.  </p>

<p>
Example:
</p>

<pre>
<a href="postconf.5.html#qmqpd_authorized_clients">qmqpd_authorized_clients</a> = !192.168.0.1, 192.168.0.0/24
</pre>


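<p> As an added example (not Postfix code), the following evaluates a client
list with the semantics described above: patterns separated by whitespace or
commas, a leading "!" that reverses the result, and the first matching
pattern deciding, with "no match" meaning the client is not authorized.
Address and network/mask patterns are matched against the client IP
address; host and domain patterns against a hostname that is assumed to
have been resolved and verified already, with a bare domain matching
subdomains only when <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> says so. File
and "type:table" patterns are left out. Client addresses are constructed. </p>

```python
"""
Client-list evaluation with the semantics of qmqpd_authorized_clients:
patterns separated by whitespace or commas, an optional leading "!" that
reverses the result, first matching pattern wins, no match means "not
authorized".

Added example for this page, not Postfix code. Simplifications: file and
type:table patterns are not handled, and the client hostname is an input
that is assumed to be already resolved and verified.
"""
import ipaddress
import re


def split_patterns(value):
    """'!192.168.0.1, 192.168.0.0/24' -> ['!192.168.0.1', '192.168.0.0/24']"""
    return [p for p in re.split(r"[\s,]+", value.strip()) if p]


def pattern_matches(pattern, client_ip, client_host, parent_matches_subdomains):
    """Does one (un-negated) pattern match this client?"""
    try:                                      # address or network/mask pattern
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        net = None                            # not an address: try host/domain forms
    if net is not None:
        return client_ip in net
    if not client_host:
        return False
    host, pat = client_host.lower().rstrip("."), pattern.lower()
    if pat.startswith("."):                   # ".example.com": subdomains only
        return host.endswith(pat)
    if host == pat:                           # exact host name
        return True
    # bare "example.com" also matches subdomains only when
    # parent_domain_matches_subdomains lists qmqpd_authorized_clients
    return parent_matches_subdomains and host.endswith("." + pat)


def client_authorized(value, client_ip, client_host=None,
                      parent_matches_subdomains=False):
    """True when the first matching pattern is not negated; False otherwise."""
    ip = ipaddress.ip_address(client_ip)      # malformed input raises here, not silently
    for pattern in split_patterns(value):
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        if pattern_matches(pattern, ip, client_host, parent_matches_subdomains):
            return not negate                 # first match decides
    return False                              # default: nobody may use QMQP


if __name__ == "__main__":
    # The example from the text above, with constructed client addresses.
    setting = "!192.168.0.1, 192.168.0.0/24"
    for client in ("192.168.0.1", "192.168.0.5", "10.0.0.1"):
        print(client, client_authorized(setting, client))
```

<p> The order matters: the negated host is listed before the network that
contains it, so it is excluded before the broader pattern can match. </p>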
</DD>

<DT><b><a name="qmqpd_client_port_logging">qmqpd_client_port_logging</a>
(default: no)</b></DT><DD>

<p> Enable logging of the remote QMQP client port in addition to
the hostname and IP address. The logging format is "host[address]:port".
</p>

<p> This feature is available in Postfix 2.5 and later. </p>


</DD>

<DT><b><a name="qmqpd_error_delay">qmqpd_error_delay</a>
(default: 1s)</b></DT><DD>

<p>
How long the Postfix QMQP server will pause before sending a negative
reply to the remote QMQP client. The purpose is to slow down confused
or malicious clients.
</p>

<p> Specify a non-negative time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>


</DD>

<DT><b><a name="qmqpd_timeout">qmqpd_timeout</a>
(default: 300s)</b></DT><DD>

<p>
The time limit for sending or receiving information over the network.
If a read or write operation blocks for more than $<a href="postconf.5.html#qmqpd_timeout">qmqpd_timeout</a>
seconds the Postfix QMQP server gives up and disconnects.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>


</DD>

<DT><b><a name="queue_directory">queue_directory</a>
(default: see "postconf -d" output)</b></DT><DD>

<p>
The location of the Postfix top-level queue directory. This is the
root directory of Postfix daemon processes that run chrooted.
</p>


</DD>

<DT><b><a name="queue_file_attribute_count_limit">queue_file_attribute_count_limit</a>
(default: 100)</b></DT><DD>

<p>
The maximal number of (name=value) attributes that may be stored
in a Postfix queue file. The limit is enforced by the <a href="cleanup.8.html">cleanup(8)</a>
server.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>


</DD>

<DT><b><a name="queue_minfree">queue_minfree</a>
(default: 0)</b></DT><DD>

<p>
The minimal amount of free space in bytes in the queue file system
that is needed to receive mail.  This is currently used by the
Postfix SMTP server to decide if it will accept any mail at all.
</p>

<p>
By default, the Postfix SMTP server rejects MAIL FROM commands when
the amount of free space is less than 1.5*$<a href="postconf.5.html#message_size_limit">message_size_limit</a>
(Postfix version 2.1 and later).
To specify a higher minimum free space limit, specify a <a href="postconf.5.html#queue_minfree">queue_minfree</a>
value that is at least 1.5*$<a href="postconf.5.html#message_size_limit">message_size_limit</a>.
</p>

<p>
With Postfix versions 2.0 and earlier, a <a href="postconf.5.html#queue_minfree">queue_minfree</a> value of
zero means there is no minimum required amount of free space.
</p>


</DD>

<DT><b><a name="queue_run_delay">queue_run_delay</a>
(default: 300s)</b></DT><DD>

<p>
The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue manager;
prior to Postfix 2.4 the default value was 1000s.
</p>

<p> This parameter should be set less than or equal to
$<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>. See also $<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a>.  </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit).  Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).  </p>


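<p> Many parameters above (the postscreen TTL and wait times,
<a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a>, the qmgr and qmqpd time limits, and
<a href="postconf.5.html#queue_run_delay">queue_run_delay</a>) share the "integral value plus optional unit" format
but differ in default unit and in whether zero or values under a floor are
allowed. The following added example (not Postfix code) parses such values
and applies the per-parameter rules as the descriptions state them,
including the check that <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> does not exceed
<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>. The table of units and floors is transcribed from
this page; the checks illustrate the rules rather than reproduce Postfix's
conversion code. </p>

```python
"""
Parse and check Postfix time values as described above: an integer with an
optional one-letter unit (s, m, h, d, w), a per-parameter default unit, and
a per-parameter floor ("non-zero", "non-negative", or the 10s watchdog
minimum).

Added example for this page, not Postfix code; the table of units and
floors is transcribed from the parameter descriptions above, and the checks
illustrate the rules rather than reproduce Postfix's own conversion code.
"""
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# parameter -> (default unit, smallest allowed value in seconds), from the text above
TIME_PARAMS = {
    "postscreen_greet_ttl":            ("d", 1),    # non-zero
    "postscreen_greet_wait":           ("s", 1),
    "postscreen_non_smtp_command_ttl": ("d", 1),
    "postscreen_pipelining_ttl":       ("d", 1),
    "postscreen_watchdog_timeout":     ("s", 10),   # "cannot be set under 10s"
    "qmgr_clog_warn_time":             ("s", 0),    # non-negative, 0 disables
    "qmgr_daemon_timeout":             ("s", 1),
    "qmgr_ipc_timeout":                ("s", 1),
    "qmqpd_error_delay":               ("s", 0),    # non-negative
    "qmqpd_timeout":                   ("s", 1),
    "queue_run_delay":                 ("s", 1),
}

_TIME_RE = re.compile(r"^(\d+)([smhdw])?$")


def to_seconds(value, default_unit):
    """'6s' -> 6; '1' with default unit 'd' -> 86400; ValueError otherwise."""
    m = _TIME_RE.match(value.strip())
    if not m:
        raise ValueError("malformed time value %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or default_unit]


def check_time_param(name, value):
    """Return (True, seconds) or (False, reason) for one main.cf setting."""
    default_unit, floor = TIME_PARAMS[name]
    try:
        seconds = to_seconds(value, default_unit)
    except ValueError as err:
        return False, str(err)
    if seconds < floor:
        return False, "%s = %s is below the minimum of %ds" % (name, value, floor)
    return True, seconds


def check_queue_run_delay(queue_run_delay, minimal_backoff_time):
    """The text above says queue_run_delay should not exceed minimal_backoff_time."""
    ok, qrd = check_time_param("queue_run_delay", queue_run_delay)
    return ok and qrd <= to_seconds(minimal_backoff_time, "s")


if __name__ == "__main__":
    for name, value in (("postscreen_greet_ttl", "1"),
                        ("postscreen_watchdog_timeout", "5s"),
                        ("qmgr_clog_warn_time", "0")):
        print(name, value, check_time_param(name, value))
    print("queue_run_delay 1000s vs minimal_backoff_time 300s:",
          check_queue_run_delay("1000s", "300s"))
```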
9853</DD>
9854
9855<DT><b><a name="queue_service_name">queue_service_name</a>
9856(default: qmgr)</b></DT><DD>
9857
9858<p>
9859The name of the <a href="qmgr.8.html">qmgr(8)</a> service. This service manages the Postfix
9860queue and schedules delivery requests.
9861</p>
9862
9863<p>
9864This feature is available in Postfix 2.0 and later.
9865</p>
9866
9867
9868</DD>
9869
9870<DT><b><a name="rbl_reply_maps">rbl_reply_maps</a>
9871(default: empty)</b></DT><DD>
9872
9873<p>
9874Optional lookup tables with RBL or RHSBL response templates. The
9875table search key is the reject_rbl_* or reject_rhsbl_* argument,
9876including any optional "<i>=address-filter</i>".  With Postfix 3.10
9877and later, if the result is "not found" and the search key has the
9878form <i>domain=address-filter</i>, then <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> will also
9879search with the <i>domain</i>. </p>
9880
9881<p> By default, Postfix uses the
9882template as specified with the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> configuration
9883parameter. See there for a discussion of the response template
9884syntax.
9885</p>
9886
9887<p> Example: </p>
9888
9889<pre>
9890/etc/postfix/<a href="postconf.5.html">main.cf</a>:
9891    <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/rbl_reply
9892    <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
9893        <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
9894        <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> <i>secret</i>.zen.dq.spamhaus.net=127.0.0.[2..11],
9895        ...
9896<br>
9897/etc/postfix/rbl_reply:
9898    # See https://www.postfix.org/postconf.5.html#<a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a>
9899    # for the definition of the $client_address and $rbl_class etc.
9900    # variables.
9901    <i>secret</i>.zen.dq.spamhaus.net=127.0.0.[2..11]
9902        554 $rbl_class $rbl_what blocked using ZEN - see <a href="https://www.spamhaus.org/query/ip/$client_address">https://www.spamhaus.org/query/ip/$client_address</a> for details
9903</pre>
9904
9905<pre>
9906    # Postfix &ge; 3.10: if a search key <i>domain=address-filter</i>
9907    # is not found, then <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> will also search with the
9908    # <i>domain</i>.
9909    <i>secret</i>.zen.dq.spamhaus.net
9910        554 $rbl_class $rbl_what blocked using ZEN - see <a href="https://www.spamhaus.org/query/ip/$client_address">https://www.spamhaus.org/query/ip/$client_address</a> for details
9911</pre>
9912
9913<p>
9914NOTE: This feature differs from <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> where
9915the table search key is only a domain name (no "<i>=address-filter</i>",
9916no "<i>*weight</i>" factor) and where the lookup result
9917should be only a domain name (no free text, no <i>$name</i> variables).
9918</p>
9919
9920<p>
9921This feature is available in Postfix 2.0 and later.
9922The "=address-filter" feature is available in Postfix 2.8 and later.
9923</p>
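<p> The lookup order and the template expansion, as an added Python
example that is not part of the Postfix documentation or source. The
table, the client attributes and the <i>postfix_version</i> argument
(present only to show the 3.10 fallback) are this example's
constructions. It handles the $name, ${name}, ${name?text} and
${name:text} forms described under <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a>;
nested conditionals are not modeled. </p>

```python
import re

# Constructed sample of an rbl_reply table (not from the Postfix
# distribution).  Keys are reject_rbl_* / reject_rhsbl_* arguments exactly
# as written in smtpd_*_restrictions; values are reply templates.
RBL_REPLY_TABLE = {
    "secret.zen.dq.spamhaus.net=127.0.0.[2..11]":
        "554 $rbl_class $rbl_what blocked using ZEN - see "
        "https://www.spamhaus.org/query/ip/$client_address for details",
    "secret.zen.dq.spamhaus.net":
        "554 $rbl_class $rbl_what listed by $rbl_domain",
}

# Shape of the built-in default_rbl_reply template, used when the table
# has no matching key.
DEFAULT_RBL_REPLY = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                     "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")

# Constructed attribute values for one rejected client.
SAMPLE_ATTRS = {
    "client_address": "192.0.2.1", "rbl_class": "Client host",
    "rbl_what": "192.0.2.1", "rbl_code": "554",
    "rbl_domain": "secret.zen.dq.spamhaus.net", "rbl_reason": "",
}


def lookup_rbl_reply(table, restriction_arg, postfix_version=(3, 10)):
    """Return the template for one reject_rbl_*/reject_rhsbl_* argument.

    The search key is the argument as written, "=address-filter" included.
    With Postfix 3.10 and later, a "domain=filter" key that is not found
    is retried with the bare domain.  None means default_rbl_reply applies.
    postfix_version is a knob of this example, not a Postfix setting.
    """
    if restriction_arg in table:
        return table[restriction_arg]
    if postfix_version >= (3, 10) and "=" in restriction_arg:
        return table.get(restriction_arg.split("=", 1)[0])
    return None


# $name, ${name}, ${name?text} (text when name is non-empty) and
# ${name:text} (text when name is empty); conditional text is expanded too.
_MACRO = re.compile(r"\$\{(\w+)(?:([?:])([^}]*))?\}|\$(\w+)")


def expand_template(template, attrs):
    def repl(match):
        name, op, text, bare = match.groups()
        if bare is not None:
            return attrs.get(bare, "")
        value = attrs.get(name, "")
        if op is None:
            return value
        if op == "?":
            return expand_template(text, attrs) if value else ""
        return value if value else expand_template(text, attrs)
    return _MACRO.sub(repl, template)


def rbl_reply(restriction_arg, attrs, table=RBL_REPLY_TABLE,
              postfix_version=(3, 10)):
    """The SMTP reply text for a listing found by restriction_arg.  A
    template that does not expand to a 4xx/5xx code is rejected here,
    since Postfix requires the reply to start with such a code."""
    template = lookup_rbl_reply(table, restriction_arg, postfix_version)
    if template is None:
        template = DEFAULT_RBL_REPLY
    reply = expand_template(template, attrs)
    if not re.match(r"[45]\d\d ", reply):
        raise ValueError("reply must start with a 4xx or 5xx code: %r" % reply)
    return reply
```

<p> The point to take from it: the key must be the restriction
argument character for character. A restriction written with a
different address filter than the table key silently falls back to
default_rbl_reply on Postfix before 3.10, and to the bare-domain entry
(if any) from 3.10 on. </p>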
9924
9925
9926</DD>
9927
9928<DT><b><a name="readme_directory">readme_directory</a>
9929(default: see "postconf -d" output)</b></DT><DD>
9930
9931<p>
9932The location of Postfix README files that describe how to build,
9933configure or operate a specific Postfix subsystem or feature.
9934</p>
9935
9936
9937</DD>
9938
9939<DT><b><a name="receive_override_options">receive_override_options</a>
9940(default: empty)</b></DT><DD>
9941
9942<p> Enable or disable recipient validation, built-in content
9943filtering, or address mapping. Typically, these are specified in
9944<a href="master.5.html">master.cf</a> as command-line arguments for the <a href="smtpd.8.html">smtpd(8)</a>, <a href="qmqpd.8.html">qmqpd(8)</a> or
9945<a href="pickup.8.html">pickup(8)</a> daemons. </p>
9946
9947<p> Specify zero or more of the following options.  The options
9948override <a href="postconf.5.html">main.cf</a> settings and are either implemented by <a href="smtpd.8.html">smtpd(8)</a>,
9949<a href="qmqpd.8.html">qmqpd(8)</a>, or <a href="pickup.8.html">pickup(8)</a> themselves, or they are forwarded to the
9950cleanup server.  </p>
9951
9952<dl>
9953
9954<dt><b><a name="no_unknown_recipient_checks">no_unknown_recipient_checks</a></b></dt>
9955
9956<dd>Do not try to reject unknown recipients (SMTP server only).
9957This is typically specified AFTER an external content filter.
9958</dd>
9959
9960<dt><b><a name="no_address_mappings">no_address_mappings</a></b></dt>
9961
9962<dd>Disable canonical address mapping, virtual alias map expansion,
9963address masquerading, and automatic BCC (blind carbon-copy)
9964recipients. This is typically specified BEFORE an external content
9965filter. </dd>
9966
9967<dt><b><a name="no_header_body_checks">no_header_body_checks</a></b></dt>
9968
9969<dd>Disable header/body_checks. This is typically specified AFTER
9970an external content filter. </dd>
9971
9972<dt><b><a name="no_milters">no_milters</a></b></dt>
9973
9974<dd>Disable Milter (mail filter) applications. This is typically
9975specified AFTER an external content filter. </dd>
9976
9977</dl>
9978
9979<p>
9980Note: when the "BEFORE content filter" <a href="postconf.5.html#receive_override_options">receive_override_options</a>
9981setting is specified in the <a href="postconf.5.html">main.cf</a> file, specify the "AFTER content
9982filter" <a href="postconf.5.html#receive_override_options">receive_override_options</a> setting in <a href="master.5.html">master.cf</a> (and vice
9983versa).
9984</p>
9985
9986<p>
9987Examples:
9988</p>
9989
9990<pre>
9991<a href="postconf.5.html#receive_override_options">receive_override_options</a> =
9992    <a href="postconf.5.html#no_unknown_recipient_checks">no_unknown_recipient_checks</a>, <a href="postconf.5.html#no_header_body_checks">no_header_body_checks</a>
9993<a href="postconf.5.html#receive_override_options">receive_override_options</a> = <a href="postconf.5.html#no_address_mappings">no_address_mappings</a>
9994</pre>
9995
9996<p>
9997This feature is available in Postfix 2.1 and later.
9998</p>
9999
10000
10001</DD>
10002
10003<DT><b><a name="recipient_bcc_maps">recipient_bcc_maps</a>
10004(default: empty)</b></DT><DD>
10005
10006<p>
10007Optional BCC (blind carbon-copy) address lookup tables, indexed by
10008envelope recipient address.  The BCC address (multiple results are not
10009supported) is added when mail enters from outside of Postfix.
10010</p>
10011
10012<p>
10013Specify zero or more "type:name" lookup tables, separated by
10014whitespace or comma. Tables will be searched in the specified order
10015until a match is found.
10016</p>
10017
10018<p>
10019The table search order is as follows:
10020</p>
10021
10022<ul>
10023
10024<li> Look up the "user+extension@domain.tld" address including the
10025optional address extension.
10026
10027<li> Look up the "user@domain.tld" address without the optional
10028address extension.
10029
10030<li> Look up the "user+extension" address local part when the
10031recipient domain equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
10032or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
10033
10034<li> Look up the "user" address local part when the recipient domain
10035equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
10036
10037<li> Look up the "@domain.tld" part.
10038
10039</ul>
10040
10041<p>
10042Note: with Postfix 2.3 and later the BCC address is added as if it
10043was specified with NOTIFY=NONE. The sender will not be notified
10044when the BCC address is undeliverable, as long as all down-stream
10045software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
10046</p>
10047
10048<p>
10049Note: with Postfix 2.2 and earlier the sender will unconditionally
10050be notified when the BCC address is undeliverable.
10051</p>
10052
10053<p> Note: automatic BCC recipients are produced only for new mail.
10054To avoid mailer loops, automatic BCC recipients are not generated
10055after Postfix forwards mail internally, or after Postfix generates
10056mail itself. </p>
10057
10058<p> Note: automatic BCC recipients are subject to address
10059canonicalization (add missing domain), <a href="postconf.5.html#canonical_maps">canonical_maps</a>, <a href="postconf.5.html#masquerade_domains">masquerade_domains</a>,
10060and <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>. </p>
10061
10062<p>
10063Example:
10064</p>
10065
10066<pre>
10067<a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/recipient_bcc
10068</pre>
10069
10070<p>
10071After a change, run "<b>postmap /etc/postfix/recipient_bcc</b>".
10072</p>
10073
10074<p>
10075This feature is available in Postfix 2.1 and later.
10076</p>
10077
10078
10079</DD>
10080
10081<DT><b><a name="recipient_canonical_classes">recipient_canonical_classes</a>
10082(default: envelope_recipient, header_recipient)</b></DT><DD>
10083
10084<p> What addresses are subject to <a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> address
10085mapping.  By default, <a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> address mapping is
10086applied to envelope recipient addresses, and to header recipient
10087addresses.  </p>
10088
10089<p> Specify one or more of: envelope_recipient, header_recipient
10090</p>
10091
10092<p> This feature is available in Postfix 2.2 and later. </p>
10093
10094
10095</DD>
10096
10097<DT><b><a name="recipient_canonical_maps">recipient_canonical_maps</a>
10098(default: empty)</b></DT><DD>
10099
10100<p>
10101Optional address mapping lookup tables for envelope and header
10102recipient addresses.
10103The table format and lookups are documented in <a href="canonical.5.html">canonical(5)</a>.
10104</p>
10105
10106<p>
10107Note: $<a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> is processed before $<a href="postconf.5.html#canonical_maps">canonical_maps</a>.
10108</p>
10109
10110<p>
10111Example:
10112</p>
10113
10114<pre>
10115<a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/recipient_canonical
10116</pre>
10117
10118
10119</DD>
10120
10121<DT><b><a name="recipient_delimiter">recipient_delimiter</a>
10122(default: empty)</b></DT><DD>
10123
10124<p> The set of characters that can separate an email address
10125localpart, user name, or a .forward file name from its extension.
10126For example, with "<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +", the software tries
10127user+foo@example.com before trying user@example.com, user+foo before
10128trying user, and .forward+foo before trying .forward. </p>
10129
10130<p> More formally, an email address localpart or user name is
10131separated from its extension by the first character that matches
10132the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> set. The delimiter character and extension
10133may then be used to generate an extended .forward file name. This
10134implementation recognizes one delimiter character and one extension
10135per email address localpart or email address. With Postfix 2.10 and
10136earlier, the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> specifies a single character. </p>
10137
10138<p> See <a href="canonical.5.html">canonical(5)</a>, <a href="local.8.html">local(8)</a>, <a href="relocated.5.html">relocated(5)</a> and <a href="virtual.5.html">virtual(5)</a> for the
10139effects of <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> on lookups in aliases, canonical,
10140virtual, and relocated maps, and see the <a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a>
10141parameter for propagating an extension from one email address to
10142another.  </p>
10143
10144<p> When used in <a href="postconf.5.html#command_execution_directory">command_execution_directory</a>, <a href="postconf.5.html#forward_path">forward_path</a>, or
10145<a href="postconf.5.html#luser_relay">luser_relay</a>, ${<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>} is replaced with the actual
10146recipient delimiter that was found in the recipient email address
10147(Postfix 2.11 and later), or it is replaced with the <a href="postconf.5.html">main.cf</a>
10148<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> parameter value (Postfix 2.10 and earlier).
10149</p>
10150
10151<p> The <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> is not applied to the mailer-daemon
10152address, the postmaster address, or the double-bounce address. With
10153the default "<a href="postconf.5.html#owner_request_special">owner_request_special</a> = yes" setting, the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>
10154is also not applied to addresses with the special "owner-" prefix
10155or the special "-request" suffix. </p>
10156
10157<p>
10158Examples:
10159</p>
10160
10161<pre>
10162# Handle Postfix-style extensions.
10163<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +
10164</pre>
10165
10166<pre>
10167# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
10168<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> = +-
10169</pre>
10170
10171<pre>
10172# Use .forward for mail without address extension, and for mail with
10173# an unrecognized address extension.
10174<a href="postconf.5.html#forward_path">forward_path</a> = $home/.forward${<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>}${extension},
10175    $home/.forward
10176</pre>
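<p> The extension splitting described above and the <a href="postconf.5.html#recipient_bcc_maps">recipient_bcc_maps</a>
search order given earlier on this page, as one added Python example
that is not Postfix code. The local domain set, the BCC table used in
the test, and the reading that the owner-/-request exemption only
matters when "-" is in the delimiter set, are this example's
assumptions. </p>

```python
# Constructed values standing in for $mydestination, $myorigin etc.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# The page says the delimiter is never applied to these three names;
# "double-bounce" is the double_bounce_sender default.
_NEVER_SPLIT = {"postmaster", "mailer-daemon", "double-bounce"}


def split_extension(localpart, delimiters, owner_request_special=True):
    """Split an address localpart at the first delimiter character.

    Returns (user, delimiter, extension); the last two are empty when the
    address is not split.  One delimiter and one extension per localpart,
    as on this page.  With owner_request_special=yes, owner-* and *-request
    are not split; this example only consults that rule when "-" is one of
    the delimiters, since otherwise those names cannot be split anyway.
    A localpart that starts or ends with a delimiter is left whole.
    """
    lower = localpart.lower()
    if lower in _NEVER_SPLIT:
        return localpart, "", ""
    if owner_request_special and "-" in delimiters:
        if lower.startswith("owner-") or (len(lower) > 8 and lower.endswith("-request")):
            return localpart, "", ""
    idx = next((i for i, ch in enumerate(localpart) if ch in delimiters), -1)
    if idx > 0 and idx + 1 != len(localpart):
        return localpart[:idx], localpart[idx], localpart[idx + 1:]
    return localpart, "", ""


def bcc_lookup(table, recipient, delimiters="", local_domains=LOCAL_DOMAINS):
    """Return the BCC address for a fully qualified envelope recipient,
    following the recipient_bcc_maps search order on this page; None when
    no key matches.  Keys are compared in lower case, as postmap-built
    tables are by default."""
    recipient = recipient.lower()
    localpart, _, domain = recipient.rpartition("@")
    user, _, ext = split_extension(localpart, delimiters)
    keys = [recipient]                        # 1. user+extension@domain
    if ext:
        keys.append("%s@%s" % (user, domain))  # 2. user@domain
    if domain in local_domains:
        if ext:
            keys.append(localpart)            # 3. user+extension
        keys.append(user)                     # 4. user
    keys.append("@" + domain)                 # 5. @domain
    for key in keys:
        if key in table:
            return table[key]
    return None
```

<p> Note that steps 3 and 4 run only for local domains: a bare "user"
key in the table never matches mail for a domain that is not in
$mydestination and friends, and a table built without that in mind
silently copies less mail than intended. </p>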
10177
10178
10179</DD>
10180
10181<DT><b><a name="reject_code">reject_code</a>
10182(default: 554)</b></DT><DD>
10183
10184<p>
10185The numerical Postfix SMTP server response code when a remote SMTP
10186client request is rejected by the "reject" restriction.
10187</p>
10188
10189<p>
10190Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
10191</p>
10192
10193
10194</DD>
10195
10196<DT><b><a name="reject_tempfail_action">reject_tempfail_action</a>
10197(default: <a href="postconf.5.html#defer_if_permit">defer_if_permit</a>)</b></DT><DD>
10198
10199<p> The Postfix SMTP server's action when a reject-type restriction
10200fails due to a temporary error condition. Specify "defer" to defer
10201the remote SMTP client request immediately. With the default
10202"<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" action, the Postfix SMTP server continues to look
10203for opportunities to reject mail, and defers the client request
10204only if it would otherwise be accepted. </p>
10205
10206<p> For finer control, see: <a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a>,
10207<a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a>, <a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a>,
10208and <a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a>.  </p>
10209
10210<p> This feature is available in Postfix 2.6 and later. </p>
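<p> An added example (not Postfix code) that models how one restriction
list is evaluated under the two settings. It is a simplification: the
outcome each restriction would produce is given as input, and the
defer_if_permit state that Postfix carries across its restriction
stages is collapsed into a single list. </p>

```python
PERMIT, REJECT, DUNNO, TEMPFAIL = "permit", "reject", "dunno", "tempfail"


def evaluate_restrictions(outcomes, reject_tempfail_action="defer_if_permit"):
    """Model of one smtpd_*_restrictions list under reject_tempfail_action.

    outcomes lists what each restriction would produce, in list order:
      permit   - the restriction matched and permits (permit_mynetworks, ...)
      reject   - the restriction matched and rejects (reject_rbl_client, ...)
      dunno    - the restriction did not apply; continue with the next one
      tempfail - a reject-type restriction could not decide because of a
                 temporary error (DNS timeout, policy server unreachable)
    Returns "permit", "reject" or "defer" (a 4xx reply to the client).
    """
    defer_pending = False
    for outcome in outcomes:
        if outcome == TEMPFAIL:
            if reject_tempfail_action == "defer":
                return "defer"        # give up immediately
            defer_pending = True      # defer_if_permit: keep looking for a reject
        elif outcome == REJECT:
            return "reject"           # a definite reject beats a pending defer
        elif outcome == PERMIT:
            return "defer" if defer_pending else "permit"
        elif outcome != DUNNO:
            raise ValueError("unknown outcome %r" % outcome)
    # End of the list: the request would be accepted, unless a defer is pending.
    return "defer" if defer_pending else "permit"
```

<p> The difference in practice: with "defer", a DNSBL timeout in front
of a reject_unauth_destination check turns every request into a 4xx,
including mail that a later restriction would have rejected outright;
with the default, the client still gets the 5xx. </p>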
10211
10212
10213</DD>
10214
10215<DT><b><a name="relay_clientcerts">relay_clientcerts</a>
10216(default: empty)</b></DT><DD>
10217
10218<p> List of tables with remote SMTP client-certificate fingerprints or
10219public key fingerprints (Postfix 2.9 and later) for which the Postfix
10220SMTP server will allow access with the <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
10221feature.  The fingerprint digest algorithm is configurable via the
10222<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
10223Postfix version 2.5).  </p>
10224
10225<p> The default algorithm is <b>sha256</b> with Postfix &ge; 3.6
10226and the <b><a href="postconf.5.html#compatibility_level">compatibility_level</a></b> set to 3.6 or higher. With Postfix
10227&le; 3.5, the default algorithm is <b>md5</b>.  The best-practice
10228algorithm is now <b>sha256</b>. Recent advances in hash function
10229cryptanalysis have led to md5 and sha1 being deprecated in favor of
10230sha256.  However, as long as there are no known "second pre-image"
10231attacks against the older algorithms, their use in this context, though
10232not recommended, is still likely safe.  </p>
10233
10234<p> Postfix lookup tables are in the form of (key, value) pairs.
10235Since we only need the key, the value can be chosen freely, e.g.
10236the name of the user or host:
10237D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home </p>
10238
10239<p> Example: </p>
10240
10241<pre>
10242<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/relay_clientcerts
10243</pre>
10244
10245<p>For more fine-grained control, use <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> to select
10246an appropriate <a href="access.5.html">access(5)</a> policy for each client.
10247See <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a>.</p>
10248
<p>This feature is available in Postfix 2.2 and later.</p>
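<p> The fingerprint format and the digest change at compatibility_level
3.6, as an added Python example that is not Postfix code. The DER bytes
are constructed and are not a real certificate; for a real one,
<b>openssl x509 -noout -fingerprint -sha256 -in client.pem</b> prints
the same colon-separated form this code produces. The sample key in the
paragraph above has 16 octets, i.e. it is an md5 fingerprint. </p>

```python
import hashlib

# Constructed stand-in for a DER-encoded client certificate.  The bytes
# are arbitrary and not a valid certificate; real input comes from
# "openssl x509 -in client.pem -outform DER" or from the TLS handshake.
SAMPLE_DER = bytes(range(256)) * 2


def fingerprint(der, digest="sha256"):
    """Fingerprint in the relay_clientcerts key format: upper-case hex
    octets separated by colons, as "openssl x509 -noout -fingerprint
    -DIGEST" prints after the "=" sign."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def default_fingerprint_digest(postfix_version, compatibility_level):
    """The smtpd_tls_fingerprint_digest default stated on this page:
    sha256 with Postfix 3.6+ and compatibility_level 3.6+, md5 otherwise.
    Both arguments are (major, minor) tuples."""
    if postfix_version >= (3, 6) and compatibility_level >= (3, 6):
        return "sha256"
    return "md5"


def load_table(text):
    """Parse relay_clientcerts source lines: a fingerprint key followed by
    free text.  Blank lines and # comments are skipped; the value is kept
    but, as the page says, never used."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return table


def client_is_listed(der, table, digest):
    """What permit_tls_clientcerts checks: the certificate fingerprint,
    computed with the server's smtpd_tls_fingerprint_digest, must be a key
    in the table.  A table built from md5 fingerprints stops matching once
    the server's digest changes to sha256, e.g. after raising
    compatibility_level to 3.6 without regenerating the table."""
    return fingerprint(der, digest) in table
```

<p> The practical check before raising compatibility_level: either
rebuild the table with sha256 fingerprints, or pin
smtpd_tls_fingerprint_digest = md5 explicitly until that is done,
otherwise every permit_tls_clientcerts client loses relay access at
once. </p>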
10250
10251
10252</DD>
10253
10254<DT><b><a name="relay_destination_concurrency_limit">relay_destination_concurrency_limit</a>
10255(default: $<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b></DT><DD>
10256
10257<p> The maximal number of parallel deliveries to the same destination
10258via the relay message delivery transport. This limit is enforced
10259by the queue manager. The message delivery transport name is the
10260first field in the entry in the <a href="master.5.html">master.cf</a> file.  </p>
10261
10262<p> This feature is available in Postfix 2.0 and later. </p>
10263
10264
10265</DD>
10266
10267<DT><b><a name="relay_destination_recipient_limit">relay_destination_recipient_limit</a>
10268(default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
10269
10270<p> The maximal number of recipients per message for the relay
10271message delivery transport. This limit is enforced by the queue
10272manager. The message delivery transport name is the first field in
10273the entry in the <a href="master.5.html">master.cf</a> file.  </p>
10274
10275<p> Setting this parameter to a value of 1 changes the meaning of
10276<a href="postconf.5.html#relay_destination_concurrency_limit">relay_destination_concurrency_limit</a> from concurrency per domain
10277into concurrency per recipient.  </p>
10278
10279<p> This feature is available in Postfix 2.0 and later. </p>
10280
10281
10282</DD>
10283
10284<DT><b><a name="relay_domains">relay_domains</a>
10285(default: Postfix &ge; 3.0: empty, Postfix &lt; 3.0: $<a href="postconf.5.html#mydestination">mydestination</a>)</b></DT><DD>
10286
10287<p> What destination domains (and subdomains thereof) this system
10288will relay mail to. For details about how
10289the <a href="postconf.5.html#relay_domains">relay_domains</a> value is used, see the description of the
10290<a href="postconf.5.html#permit_auth_destination">permit_auth_destination</a> and <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> SMTP recipient
10291restrictions.  </p>
10292
10293<p> Domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a> are delivered with the
10294$<a href="postconf.5.html#relay_transport">relay_transport</a> mail delivery transport. The SMTP server validates
10295recipient addresses with $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> and rejects non-existent
10296recipients. See also the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a> address class in the
10297<a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> file.  </p>
10298
10299<p> Note: Postfix will not automatically forward mail for domains
10300that list this system as their primary or backup MX host. See the
10301<a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> restriction in the <a href="postconf.5.html">postconf(5)</a> manual page.  </p>
10302
10303<p> Specify a list of host or domain names, "/file/name" patterns
10304or "<a href="DATABASE_README.html">type:table</a>" lookup tables, separated by commas and/or whitespace.
10305Continue long lines by starting the next line with whitespace. A
10306"/file/name" pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>"
10307lookup table is matched when a (parent) domain appears as lookup
10308key. Specify "!pattern" to exclude a domain from the list. The form
10309"!/file/name" is supported only in Postfix version 2.4 and later.
10310</p>
10311
10312<p> Pattern matching of domain names is controlled by the presence
10313or absence of "<a href="postconf.5.html#relay_domains">relay_domains</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
10314parameter value. </p>
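<p> The two matching modes and the first-match "!pattern" rule, as an
added Python example that is not Postfix code. It takes an already
expanded list of name patterns (that "/file/name" and "type:table"
entries are resolved beforehand is this example's assumption) and
treats the leading-dot form as meaningful only when
<a href="postconf.5.html#relay_domains">relay_domains</a> is absent from
<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>. </p>

```python
def domain_matches(domain, pattern, parent_matches_subdomains):
    """One pattern against one domain name.

    With relay_domains listed in parent_domain_matches_subdomains (the
    default), "example.com" matches example.com and every subdomain of
    it.  Without it, "example.com" matches only itself and the explicit
    ".example.com" form is needed for subdomains.  This example assumes
    the leading-dot form is only meaningful in the second mode.
    """
    domain, pattern = domain.lower(), pattern.lower()
    if domain == pattern:
        return True
    if parent_matches_subdomains:
        return domain.endswith("." + pattern)
    return pattern.startswith(".") and domain.endswith(pattern)


def in_relay_domains(domain, relay_domains, parent_matches_subdomains=True):
    """True when the recipient domain falls in the relay domains class.

    relay_domains is the expanded list of name patterns, in main.cf order.
    The first pattern that matches decides; when that pattern is written
    as "!pattern" the answer is "not in the list", so exclusions must come
    before the broader pattern they carve out of.
    """
    for pattern in relay_domains:
        negate = pattern.startswith("!")
        if domain_matches(domain, pattern[1:] if negate else pattern,
                          parent_matches_subdomains):
            return not negate
    return False
```

<p> The ordering point is the one that bites: "example.com,
!test.example.com" relays for test.example.com, because example.com
matched first; the exclusion has to be listed first. </p>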
10315
10316
10317</DD>
10318
10319<DT><b><a name="relay_domains_reject_code">relay_domains_reject_code</a>
10320(default: 554)</b></DT><DD>
10321
10322<p>
10323The numerical Postfix SMTP server response code when a client
10324request is rejected by the <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient
10325restriction.
10326</p>
10327
10328<p>
10329Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
10330</p>
10331
10332
10333</DD>
10334
10335<DT><b><a name="relay_recipient_maps">relay_recipient_maps</a>
10336(default: empty)</b></DT><DD>
10337
<p> Optional lookup tables with all valid addresses in the domains
that match $<a href="postconf.5.html#relay_domains">relay_domains</a>. Specify @domain as a wild-card only for
domains that have no valid recipient list; doing so makes this system
a source of backscatter mail, because Postfix then accepts spam for
non-existent recipients and floods innocent people with undeliverable
mail. Technically, tables listed with $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> are
used as lists: Postfix needs to know only whether a lookup string is
found, and does not use the result from the table lookup. </p>
10347
10348<p>
10349Specify zero or more "type:name" lookup tables, separated by
10350whitespace or comma. Tables will be searched in the specified order
10351until a match is found.
10352</p>
10353
10354<p>
10355If this parameter is non-empty, then the Postfix SMTP server will reject
10356mail to unknown relay users. This feature is off by default.
10357</p>
10358
10359<p>
10360See also the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a> address class in the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a>
10361file.
10362</p>
10363
10364<p>
10365Example:
10366</p>
10367
10368<pre>
10369<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/relay_recipients
10370</pre>
10371
10372<p>
10373This feature is available in Postfix 2.0 and later.
10374</p>
10375
10376
10377</DD>
10378
10379<DT><b><a name="relay_transport">relay_transport</a>
10380(default: relay)</b></DT><DD>
10381
10382<p>
10383The default mail delivery transport and next-hop destination for
10384the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class: recipient domains that match
10385$<a href="postconf.5.html#relay_domains">relay_domains</a>. </p>
10386
10387<p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class: </p>
10388
10389<ul>
10390
10391<li> <p> In order of decreasing precedence, the message delivery
10392transport is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>.
10393</p>
10394
10395<li> <p> In order of decreasing precedence, the nexthop destination
10396is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3)
10397$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
10398domain.  </p>
10399
10400</ul>
10401
10402<p>
10403Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
10404is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>.
10405The <i>:nexthop</i> destination is optional; its syntax is documented
10406in the manual page of the corresponding delivery agent.
10407</p>
10408
10409<p>
10410See also the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a> address class in the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a>
10411file.
10412</p>
10413
10414<p>
10415This feature is available in Postfix 2.0 and later.
10416</p>
10417
10418
10419</DD>
10420
10421<DT><b><a name="relayhost">relayhost</a>
10422(default: empty)</b></DT><DD>
10423
10424<p>
10425The next-hop destination(s) for non-local mail; takes precedence
10426over non-<a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a> in recipient addresses. This information
10427will not be used when the sender matches $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>.
10428</p>
10429
10430<p> In order of decreasing precedence: </p>
10431
10432<ul>
10433
10434<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class
10435(domains matching $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken
10436from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3)
10437$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
domain. </p>
10439
10440<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class
10441(domains that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
10442$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
10443or $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken from 1)
10444$<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or
10445$<a href="postconf.5.html#default_transport">default_transport</a>, 3) $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a>
10446or the recipient domain. </p>
10447
10448</ul>
10449
10450<p>
10451On an intranet, specify the organizational domain name. If your
10452internal DNS uses no MX records, specify the name of the intranet
10453gateway host instead.
10454</p>
10455
10456<p>
10457In the case of SMTP delivery, specify one or more destinations in
10458the form of a domain name, hostname, hostname:service, [hostname]:service,
10459[hostaddress] or [hostaddress]:service, separated by comma or whitespace.
10460The form [hostname] turns off MX or SRV lookups. Multiple destinations
10461are supported in Postfix 3.5 and later. Each destination is tried
10462in the specified order.
10463</p>
10464
10465<p> If an SMTP destination is a load balancer, and there are no
10466alternative destinations, specify the load balancer multiple times.
10467Without the duplicate info, the Postfix SMTP client would not
10468reconnect immediately to the same load balancer after a remote SMTP
10469server failure. </p>
10470
10471<p>
10472If you're connected via UUCP, see the <a href="UUCP_README.html">UUCP_README</a> file for useful
10473information.
10474</p>
10475
10476<p>
10477Examples:
10478</p>
10479
10480<pre>
10481<a href="postconf.5.html#relayhost">relayhost</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
10482<a href="postconf.5.html#relayhost">relayhost</a> = [gateway.example.com]
10483<a href="postconf.5.html#relayhost">relayhost</a> = mail1.example:587, mail2.example:587
10484<a href="postconf.5.html#relayhost">relayhost</a> = [an.ip.add.ress]
10485</pre>
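<p> A parser for the destination forms listed above, as an added Python
example that is not Postfix code. Its assumptions: "smtp" as the
service when none is given (the SMTP client's default, port 25), the
[ipv6:address] form for IPv6 literals from <a href="IPV6_README.html">IPV6_README</a>,
and that a bare address without brackets is a mistake worth flagging
rather than a name to hand to the MX lookup. </p>

```python
import ipaddress
import re
from typing import List, NamedTuple


class Destination(NamedTuple):
    host: str
    service: str           # port number or service name; "smtp" when omitted
    mx_lookup: bool        # False for the [bracketed] forms
    address_literal: bool  # True when host is an IPv4/IPv6 address


def parse_destination(spec: str) -> Destination:
    """Decode one destination: domain, host, host:service, [host],
    [host]:service, [address] or [address]:service.  IPv6 literals use
    the [ipv6:2001:db8::1] form.  "smtp" as the default service is this
    example's assumption (port 25)."""
    spec = spec.strip()
    if spec.startswith("["):
        close = spec.find("]")
        if close == -1:
            raise ValueError("unterminated '[' in %r" % spec)
        host, rest = spec[1:close], spec[close + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after ']' in %r" % spec)
        has_service, service = bool(rest), rest[1:]
        mx_lookup = False
    else:
        if "]" in spec:
            raise ValueError("']' without '[' in %r" % spec)
        host, sep, service = spec.partition(":")
        has_service = bool(sep)
        mx_lookup = True
    if not host or (has_service and not service) or ":" in service:
        raise ValueError("malformed destination %r" % spec)
    if host.lower().startswith("ipv6:"):
        host = host[len("ipv6:"):]
    try:
        ipaddress.ip_address(host)
        address_literal = True
    except ValueError:
        address_literal = False
    if address_literal and mx_lookup:
        # The page gives [hostaddress] as the literal form; a bare address
        # would otherwise be handed to the DNS lookups as if it were a name.
        raise ValueError("write an address literal as [%s]" % host)
    return Destination(host, service or "smtp", mx_lookup, address_literal)


def parse_destinations(value: str) -> List[Destination]:
    """Split a relayhost value on commas and/or whitespace (more than one
    destination needs Postfix 3.5 or later) and keep the order, including
    duplicates: listing a load balancer twice is the documented way to get
    an immediate reconnect after a remote server failure."""
    return [parse_destination(s) for s in re.split(r"[\s,]+", value.strip()) if s]
```

<p> The security-relevant field is <i>mx_lookup</i>: forgetting the
brackets around a relay host name means its MX records, not the host
itself, decide where your outbound mail goes. </p>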
10486
10487
10488</DD>
10489
10490<DT><b><a name="relocated_maps">relocated_maps</a>
10491(default: empty)</b></DT><DD>
10492
10493<p>
10494Optional lookup tables with new contact information for users or
10495domains that no longer exist.  The table format and lookups are
10496documented in <a href="relocated.5.html">relocated(5)</a>.
10497</p>
10498
10499<p>
10500Specify zero or more "type:name" lookup tables, separated by
10501whitespace or comma. Tables will be searched in the specified order
10502until a match is found.
10503</p>
10504
<p>
If you use this feature, run "<b>postmap /etc/postfix/relocated</b>" to
build the necessary DBM or DB file after a change, then "<b>postfix
reload</b>" to make the changes visible.
</p>
10510
10511<p>
10512Examples:
10513</p>
10514
10515<pre>
10516<a href="postconf.5.html#relocated_maps">relocated_maps</a> = <a href="DATABASE_README.html#types">dbm</a>:/etc/postfix/relocated
10517<a href="postconf.5.html#relocated_maps">relocated_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/relocated
10518</pre>
10519
10520
10521</DD>
10522
10523<DT><b><a name="remote_header_rewrite_domain">remote_header_rewrite_domain</a>
10524(default: empty)</b></DT><DD>
10525
10526<p> Rewrite or add message headers in mail from remote clients if
10527the <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter value is non-empty,
10528updating incomplete addresses with the domain specified in the
10529<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter, and adding missing headers.
10530</p>
10531
10532<p> The
10533<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> parameter controls what clients Postfix
10534considers local. </p>
10535
10536<p> Examples:  </p>
10537
10538<p> The safe setting: append "domain.invalid" to incomplete header
10539addresses from remote SMTP clients, so that those addresses cannot
10540be confused with local addresses. </p>
10541
10542<blockquote>
10543<pre>
10544<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> = domain.invalid
10545</pre>
10546</blockquote>
10547
10548<p> The default, purist, setting: don't rewrite headers from remote
10549clients at all. </p>
10550
10551<blockquote>
10552<pre>
10553<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> =
10554</pre>
10555</blockquote>
10556
10557
10558</DD>
10559
10560<DT><b><a name="require_home_directory">require_home_directory</a>
10561(default: no)</b></DT><DD>
10562
10563<p>
10564Require that a <a href="local.8.html">local(8)</a> recipient's home directory exists
10565before mail delivery is attempted. By default this test is disabled.
10566It can be useful for environments that import home directories to
10567the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED).
10568</p>
10569
10570
10571</DD>
10572
10573<DT><b><a name="reset_owner_alias">reset_owner_alias</a>
10574(default: no)</b></DT><DD>
10575
10576<p> Reset the <a href="local.8.html">local(8)</a> delivery agent's idea of the owner-alias
10577attribute, when delivering mail to a child alias that does not have
10578its own owner alias. </p>
10579
10580<p> This feature is available in Postfix 2.8 and later. With older
10581Postfix releases, the behavior is as if this parameter is set to
10582"yes". </p>
10583
10584<p> As documented in <a href="aliases.5.html">aliases(5)</a>, when an alias <i>name</i> has a
10585companion alias named owner-<i>name</i>, this will replace the
10586envelope sender address, so that delivery errors will be
10587reported to the owner alias instead of the sender. This configuration
is recommended for mailing lists. </p>
10589
10590<p> A less known property of the owner alias is that it also forces
10591the <a href="local.8.html">local(8)</a> delivery agent to write local and remote addresses
10592from alias expansion to a new queue file, instead of attempting to
10593deliver mail to local addresses as soon as they come out of alias
10594expansion.  </p>
10595
10596<p> Writing local addresses from alias expansion to a new queue
10597file allows for robust handling of temporary delivery errors: errors
10598with one local member have no effect on deliveries to other members
10599of the list.  On the other hand, delivery to local addresses as
10600soon as they come out of alias expansion is fragile: a temporary
10601error with one local address from alias expansion will cause the
10602entire alias to be expanded repeatedly until the error goes away,
10603or until the message expires in the queue.  In that case, a problem
10604with one list member results in multiple message deliveries to other
10605list members. </p>
10606
10607<p> The default behavior of Postfix 2.8 and later is to keep the
10608owner-alias attribute of the parent alias, when delivering mail to
10609a child alias that does not have its own owner alias. Then, local
10610addresses from that child alias will be written to a new queue file,
10611and a temporary error with one local address will not affect delivery
10612to other mailing list members. </p>
10613
10614<p> Unfortunately, older Postfix releases reset the owner-alias
10615attribute when delivering mail to a child alias that does not have
10616its own owner alias. To be precise, this resets only the decision
10617to create a new queue file, not the decision to override the envelope
10618sender address. The <a href="local.8.html">local(8)</a> delivery agent then attempts to
10619deliver local addresses as soon as they come out of child alias
10620expansion.  If delivery to any address from child alias expansion
10621fails with a temporary error condition, the entire mailing list may
10622be expanded repeatedly until the mail expires in the queue, resulting
10623in multiple deliveries of the same message to mailing list members.
10624</p>
10625
10626
10627</DD>
10628
10629<DT><b><a name="resolve_dequoted_address">resolve_dequoted_address</a>
10630(default: yes)</b></DT><DD>
10631
10632<p> Resolve a recipient address safely instead of correctly, by
10633looking inside quotes.  </p>
10634
10635<p> By default, the Postfix address resolver does not quote the
10636address localpart as per <a href="https://tools.ietf.org/html/rfc822">RFC 822</a>, so that additional @ or % or !
10637operators remain visible. This behavior is safe but it is also
10638technically incorrect.  </p>
10639
10640<p> If you specify "<a href="postconf.5.html#resolve_dequoted_address">resolve_dequoted_address</a> = no", then
10641the Postfix
10642resolver will not know about additional @ etc. operators in the
10643address localpart. This opens opportunities for obscure mail relay
10644attacks with user@domain@domain addresses when Postfix provides
10645backup MX service for Sendmail systems.  </p>
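<p> To make the difference between the two settings concrete, the following added example (not Postfix code; a model written for this page) shows which routing operators a resolver would see in a localpart under each setting. With the default, operators inside a quoted localpart stay visible to the resolver; with "no", quoted text is opaque and the operators are hidden, which is exactly the condition the text above warns about. The addresses below are constructed sample input. </p>

```python
"""Model of how the address resolver sees routing operators in a localpart
depending on resolve_dequoted_address.  Added illustration, not Postfix's
own resolver code."""

ROUTING_OPERATORS = set("@%!")


def split_at_unquoted_at(address):
    """Split an address at the last '@' that is outside double quotes.

    Backslash escapes inside quotes are skipped over; an address without
    an unquoted '@' gets an empty domain part."""
    in_quotes = False
    cut = -1
    i = 0
    while i < len(address):
        ch = address[i]
        if in_quotes and ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            cut = i
        i += 1
    if cut < 0:
        return address, ""
    return address[:cut], address[cut + 1:]


def unquoted_text(localpart):
    """Return only the characters of the localpart that lie outside quotes."""
    out, in_quotes, i = [], False, 0
    while i < len(localpart):
        ch = localpart[i]
        if in_quotes and ch == "\\":
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes:
            out.append(ch)
        i += 1
    return "".join(out)


def visible_routing_operators(address, resolve_dequoted_address=True):
    """Routing operators (@ % !) that the resolver sees in the localpart.

    resolve_dequoted_address = yes (the default): the resolver looks inside
    quotes, so every operator in the localpart remains visible.
    resolve_dequoted_address = no: quoted text is opaque, so operators
    inside quotes are hidden from the resolver."""
    localpart, _domain = split_at_unquoted_at(address)
    if resolve_dequoted_address:
        seen = localpart.replace('"', "")
    else:
        seen = unquoted_text(localpart)
    return sorted(set(seen) & ROUTING_OPERATORS)


if __name__ == "__main__":
    # Constructed sample: a quoted localpart that itself contains an '@'.
    sample = '"user@other.example"@example.com'
    print("default (yes):", visible_routing_operators(sample, True))
    print("no:           ", visible_routing_operators(sample, False))
```

<p> Run against the sample, the default setting reports the extra "@" while "no" reports nothing, which is why the default is described as safe even though it is technically incorrect. </p>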
10646
10647
10648</DD>
10649
10650<DT><b><a name="resolve_null_domain">resolve_null_domain</a>
10651(default: no)</b></DT><DD>
10652
10653<p> Resolve an address that ends in the "@" null domain as if the
10654local hostname were specified, instead of rejecting the address as
10655invalid.  </p>
10656
10657<p> This feature is available in Postfix 2.1 and later.
10658Earlier versions always resolve the null domain as the local
10659hostname.  </p>
10660
10661<p> The Postfix SMTP server uses this feature to reject mail from
10662or to addresses that end in the "@" null domain, and from addresses
10663that rewrite into a form that ends in the "@" null domain.  </p>
10664
10665
10666</DD>
10667
10668<DT><b><a name="resolve_numeric_domain">resolve_numeric_domain</a>
10669(default: no)</b></DT><DD>
10670
10671<p> Resolve "user@ipaddress" as "user@[ipaddress]", instead of
10672rejecting the address as invalid.  </p>
10673
<p> This feature is available in Postfix 2.3 and later. </p>
10675
10676
10677</DD>
10678
10679<DT><b><a name="respectful_logging">respectful_logging</a>
10680(default: see 'postconf -d' output)</b></DT><DD>
10681
10682<p> Avoid logging that implies white is better than black. Instead
10683use 'allowlist', 'denylist', and variations of those words. </p>
10684
10685<p> This feature is available in Postfix 3.6 and later. </p>
10686
10687
10688</DD>
10689
10690<DT><b><a name="rewrite_service_name">rewrite_service_name</a>
10691(default: rewrite)</b></DT><DD>
10692
10693<p>
10694The name of the address rewriting service. This service rewrites
10695addresses to standard form and resolves them to a (delivery method,
10696next-hop host, recipient) triple.
10697</p>
10698
10699<p>
10700This feature is available in Postfix 2.0 and later.
10701</p>
10702
10703
10704</DD>
10705
10706<DT><b><a name="sample_directory">sample_directory</a>
10707(default: /etc/postfix)</b></DT><DD>
10708
10709<p>
10710The name of the directory with example Postfix configuration files.
10711Starting with Postfix 2.1, these files have been replaced with the
10712<a href="postconf.5.html">postconf(5)</a> manual page.
10713</p>
10714
10715
10716</DD>
10717
10718<DT><b><a name="send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a>
10719(default: no)</b></DT><DD>
10720
10721<p> When authenticating to a remote SMTP or LMTP server with the
10722default setting "no", send no SASL authoriZation ID (authzid); send
10723only the SASL authentiCation ID (authcid) plus the authcid's password.
10724</p>
10725
10726<p> The non-default setting "yes" enables the behavior of older
10727Postfix versions.  These always send a SASL authzid that is equal
10728to the SASL authcid, but this causes interoperability problems
10729with some SMTP servers. </p>
10730
10731<p> This feature is available in Postfix 2.4.4 and later. </p>
10732
10733
10734</DD>
10735
10736<DT><b><a name="sender_based_routing">sender_based_routing</a>
10737(default: no)</b></DT><DD>
10738
10739<p>
10740This parameter should not be used. It was replaced by <a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>
10741in Postfix version 2.3.
10742</p>
10743
10744
10745</DD>
10746
10747<DT><b><a name="sender_bcc_maps">sender_bcc_maps</a>
10748(default: empty)</b></DT><DD>
10749
10750<p> Optional BCC (blind carbon-copy) address lookup tables, indexed
10751by envelope sender address.  The BCC address (multiple results are not
10752supported) is added when mail enters from outside of Postfix.  </p>
10753
10754<p>
10755Specify zero or more "type:name" lookup tables, separated by
10756whitespace or comma. Tables will be searched in the specified order
10757until a match is found.
10758</p>
10759
10760<p>
10761The table search order is as follows:
10762</p>
10763
10764<ul>
10765
10766<li> Look up the "user+extension@domain.tld" address including the
10767optional address extension.
10768
10769<li> Look up the "user@domain.tld" address without the optional
10770address extension.
10771
10772<li> Look up the "user+extension" address local part when the
10773sender domain equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
10774or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
10775
10776<li> Look up the "user" address local part when the sender domain
10777equals $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
10778
10779<li> Look up the "@domain.tld" part.
10780
10781</ul>
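<p> The search order above, worked through as an added example (this is illustration code written for this page, not Postfix's lookup code). It generates the lookup keys for a sender address in the documented order and returns the first table hit. The table contents, the set of domains standing in for $myorigin, $mydestination, $inet_interfaces and $proxy_interfaces, and the "+" address extension delimiter are all constructed assumptions. </p>

```python
"""Lookup-key order for sender_bcc_maps, following the list above.
Added example; not Postfix source code."""

# Constructed stand-in for $myorigin/$mydestination/$inet_interfaces/
# $proxy_interfaces: the domains that qualify for localpart-only lookups.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Assumed recipient_delimiter; Postfix leaves it empty by default.
RECIPIENT_DELIMITER = "+"

# Constructed sample of a hash:/etc/postfix/sender_bcc table.
SENDER_BCC = {
    "alice+billing@example.com": "audit-billing@archive.example",
    "alice@example.com": "audit-alice@archive.example",
    "bob": "audit-bob@archive.example",
    "@partner.example": "audit-partner@archive.example",
}


def split_address(address):
    """Split 'user+ext@domain' into (user, extension or None, domain)."""
    localpart, sep, domain = address.rpartition("@")
    if not sep:
        localpart, domain = address, ""
    user, delim, ext = localpart.partition(RECIPIENT_DELIMITER)
    return user, (ext if delim else None), domain.lower()


def sender_bcc_lookup_keys(sender, local_domains=LOCAL_DOMAINS):
    """Return the lookup keys in the order the text describes."""
    user, ext, domain = split_address(sender)
    keys = []
    if ext is not None:
        keys.append(f"{user}{RECIPIENT_DELIMITER}{ext}@{domain}")
    keys.append(f"{user}@{domain}")
    if domain in local_domains:
        if ext is not None:
            keys.append(f"{user}{RECIPIENT_DELIMITER}{ext}")
        keys.append(user)
    keys.append(f"@{domain}")
    return keys


def lookup_sender_bcc(sender, table=SENDER_BCC, local_domains=LOCAL_DOMAINS):
    """Search the table in order; return the first BCC address, or None."""
    for key in sender_bcc_lookup_keys(sender, local_domains):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    for sender in ("alice+billing@example.com", "bob@example.com",
                   "carol@partner.example", "bob@other.example"):
        print(sender, "->", lookup_sender_bcc(sender))
```

<p> Note that "bob@example.com" matches the bare "bob" entry only because example.com is in the local domain set; the same sender at other.example falls through to the "@domain" lookup and, absent such an entry, gets no BCC. </p>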
10782
10783<p>
10784Note: with Postfix 2.3 and later the BCC address is added as if it
10785was specified with NOTIFY=NONE. The sender will not be notified
10786when the BCC address is undeliverable, as long as all down-stream
10787software implements <a href="https://tools.ietf.org/html/rfc3461">RFC 3461</a>.
10788</p>
10789
10790<p>
10791Note: with Postfix 2.2 and earlier the sender will be notified
10792when the BCC address is undeliverable.
10793</p>
10794
10795<p> Note: automatic BCC recipients are produced only for new mail.
10796To avoid mailer loops, automatic BCC recipients are not generated
10797after Postfix forwards mail internally, or after Postfix generates
10798mail itself. </p>
10799
10800<p> Note: automatic BCC recipients are subject to address
10801canonicalization (add missing domain), <a href="postconf.5.html#canonical_maps">canonical_maps</a>, <a href="postconf.5.html#masquerade_domains">masquerade_domains</a>,
10802and <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>. </p>
10803
10804<p>
10805Example:
10806</p>
10807
10808<pre>
10809<a href="postconf.5.html#sender_bcc_maps">sender_bcc_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_bcc
10810</pre>
10811
10812<p>
10813After a change, run "<b>postmap /etc/postfix/sender_bcc</b>".
10814</p>
10815
10816<p>
10817This feature is available in Postfix 2.1 and later.
10818</p>
10819
10820
10821</DD>
10822
10823<DT><b><a name="sender_canonical_classes">sender_canonical_classes</a>
10824(default: envelope_sender, header_sender)</b></DT><DD>
10825
10826<p> What addresses are subject to <a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> address
10827mapping.  By default, <a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> address mapping is
10828applied to envelope sender addresses, and to header sender addresses.
10829</p>
10830
10831<p> Specify one or more of: envelope_sender, header_sender </p>
10832
10833<p> This feature is available in Postfix 2.2 and later. </p>
10834
10835
10836</DD>
10837
10838<DT><b><a name="sender_canonical_maps">sender_canonical_maps</a>
10839(default: empty)</b></DT><DD>
10840
10841<p>
10842Optional address mapping lookup tables for envelope and header
10843sender addresses.
10844The table format and lookups are documented in <a href="canonical.5.html">canonical(5)</a>.
10845</p>
10846
10847<p>
10848Example: you want to rewrite the SENDER address "user@ugly.example"
10849to "user@pretty.example", while still being able to send mail to
10850the RECIPIENT address "user@ugly.example".
10851</p>
10852
10853<p>
10854Note: $<a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> is processed before $<a href="postconf.5.html#canonical_maps">canonical_maps</a>.
10855</p>
10856
10857<p>
10858Example:
10859</p>
10860
10861<pre>
10862<a href="postconf.5.html#sender_canonical_maps">sender_canonical_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/sender_canonical
10863</pre>
10864
10865
10866</DD>
10867
10868<DT><b><a name="sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>
10869(default: empty)</b></DT><DD>
10870
10871<p> A sender-dependent override for the global <a href="postconf.5.html#default_transport">default_transport</a>
10872parameter setting. The tables are searched by the envelope sender
10873address and @domain. A lookup result of DUNNO terminates the search
10874without overriding the global <a href="postconf.5.html#default_transport">default_transport</a> parameter setting.
10875This information is overruled with the <a href="transport.5.html">transport(5)</a> table. </p>
10876
10877<p> This setting affects only the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class
10878(recipient domains that do not match $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
10879$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
10880or $<a href="postconf.5.html#relay_domains">relay_domains</a>): </p>
10881
10882<ul>
10883
10884<li> <p> In order of decreasing precedence, the delivery transport
10885is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2)
10886$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>.
10887</p>
10888
10889<li> <p> In order of decreasing precedence, the nexthop destination
10890is taken from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2)
10891$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or $<a href="postconf.5.html#default_transport">default_transport</a>, 3)
10892$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
10893domain. </p>
10894
10895</ul>
10896
10897<p> Note: this overrides <a href="postconf.5.html#default_transport">default_transport</a>, not <a href="postconf.5.html#transport_maps">transport_maps</a>, and
10898therefore the expected syntax is that of <a href="postconf.5.html#default_transport">default_transport</a>, not the
10899syntax of <a href="postconf.5.html#transport_maps">transport_maps</a>.  Specifically, this does not support the
10900<a href="postconf.5.html#transport_maps">transport_maps</a> syntax for null transport, null nexthop, or null
10901email addresses. </p>
10902
10903<p>
10904Specify zero or more "type:name" lookup tables, separated by
10905whitespace or comma. Tables will be searched in the specified order
10906until a match is found.
10907</p>
10908
10909<p> For safety reasons, this feature does not allow $number
10910substitutions in regular expression maps. </p>
10911
10912<p> This feature is available in Postfix 2.7 and later.  </p>
10913
10914
10915</DD>
10916
10917<DT><b><a name="sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>
10918(default: empty)</b></DT><DD>
10919
10920<p> A sender-dependent override for the global <a href="postconf.5.html#relayhost">relayhost</a> parameter
10921setting. The tables are searched by the envelope sender address and
10922@domain. A lookup result of DUNNO terminates the search without
10923overriding the global <a href="postconf.5.html#relayhost">relayhost</a> parameter setting (Postfix 2.6 and
10924later). </p>
10925
10926<p> In order of decreasing precedence: </p>
10927
10928<ul>
10929
10930<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domain</a> address class
10931(domains matching $<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken
10932from 1) $<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#relay_transport">relay_transport</a>, 3)
10933$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a> or the recipient
10934domain. </p>
10935
10936<li> <p> For recipient domains in the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a> address class
10937(domains that do not match <a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
10938$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>,
10939$<a href="postconf.5.html#relay_domains">relay_domains</a>), the nexthop destination is taken from 1)
10940$<a href="postconf.5.html#transport_maps">transport_maps</a>, 2) $<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> or
10941$<a href="postconf.5.html#default_transport">default_transport</a>, 3) $<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a> or $<a href="postconf.5.html#relayhost">relayhost</a>
10942or the recipient domain. </p>
10943
10944</ul>
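<p> The precedence rules for the relay domain class listed here and for the default domain class under <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, as one added worked example (illustration code written for this page, not Postfix's resolver). It searches the sender-dependent tables by full sender address and then by @domain, treats a DUNNO result as "keep the global setting", and walks the transport and nexthop sources in the documented order. The table contents and main.cf values are constructed, and the transport_maps lookup is simplified to an exact recipient-domain match rather than the full <a href="transport.5.html">transport(5)</a> matching. </p>

```python
"""Transport and nexthop selection following the precedence lists above.
Added example; not Postfix source code."""

DUNNO = "DUNNO"

# Constructed main.cf-style settings (default_transport syntax: transport
# optionally followed by ':nexthop').
DEFAULT_TRANSPORT = "smtp"
RELAY_TRANSPORT = "relay"
RELAYHOST = ""  # empty: deliver to the recipient domain's own MX hosts

# Constructed lookup tables.  transport_maps is keyed by recipient domain;
# the sender-dependent tables by envelope sender address or @domain.
TRANSPORT_MAPS = {
    "partner.example": "smtp:[mx.partner.example]",
}
SENDER_DEPENDENT_DEFAULT_TRANSPORT_MAPS = {
    "bulk@example.com": "bulk-smtp:[bulk-out.example.com]",
    "@marketing.example.com": "bulk-smtp",
    "noreply@example.com": DUNNO,
}
SENDER_DEPENDENT_RELAYHOST_MAPS = {
    "@example.com": "[relay.example.com]",
}


def sender_lookup(table, sender):
    """Search by the full sender address, then by @domain.  A DUNNO result
    stops the search and leaves the global setting in force (None)."""
    domain = sender.rpartition("@")[2].lower()
    for key in (sender.lower(), f"@{domain}"):
        if key in table:
            return None if table[key] == DUNNO else table[key]
    return None


def resolve(sender, recipient, address_class):
    """Return (transport, nexthop) for a recipient in the 'relay' or
    'default' address class, in the documented order of precedence."""
    rcpt_domain = recipient.rpartition("@")[2].lower()

    # 1) transport_maps (simplified to an exact recipient-domain match).
    transport, _, nexthop = (TRANSPORT_MAPS.get(rcpt_domain) or "").partition(":")

    # 2) relay class: relay_transport.  default class: the sender-dependent
    #    override, falling back to default_transport.
    if not transport or not nexthop:
        if address_class == "relay":
            setting = RELAY_TRANSPORT
        elif address_class == "default":
            setting = (sender_lookup(SENDER_DEPENDENT_DEFAULT_TRANSPORT_MAPS, sender)
                       or DEFAULT_TRANSPORT)
        else:
            raise ValueError(f"unsupported address class: {address_class!r}")
        t, _, n = setting.partition(":")
        transport = transport or t
        nexthop = nexthop or n

    # 3) sender_dependent_relayhost_maps, else relayhost, else the
    #    recipient domain itself.
    if not nexthop:
        nexthop = (sender_lookup(SENDER_DEPENDENT_RELAYHOST_MAPS, sender)
                   or RELAYHOST or rcpt_domain)
    return transport, nexthop


if __name__ == "__main__":
    print(resolve("bulk@example.com", "x@partner.example", "default"))
    print(resolve("noreply@example.com", "x@other.example", "default"))
    print(resolve("noreply@example.com", "u@relayed.example", "relay"))
```

<p> The "noreply@example.com" sender shows the DUNNO behaviour: its sender-dependent default transport search stops without consulting "@example.com", so the global default_transport applies, while the separate relayhost table still supplies the nexthop. </p>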
10945
10946<p>
10947Specify zero or more "type:name" lookup tables, separated by
10948whitespace or comma. Tables will be searched in the specified order
10949until a match is found.
10950</p>
10951
10952<p> For safety reasons, this feature does not allow $number
10953substitutions in regular expression maps. </p>
10954
10955<p>
10956This feature is available in Postfix 2.3 and later.
10957</p>
10958
10959
10960</DD>
10961
10962<DT><b><a name="sendmail_fix_line_endings">sendmail_fix_line_endings</a>
10963(default: always)</b></DT><DD>
10964
10965<p> Controls how the Postfix sendmail command converts email message
10966line endings from &lt;CR&gt;&lt;LF&gt; into UNIX format (&lt;LF&gt;).
10967</p>
10968
10969<dl>
10970
10971<dt> <b>always</b> </dt> <dd> Always convert message lines ending
10972in &lt;CR&gt;&lt;LF&gt;. This setting is the default with Postfix
109732.9 and later. </dd>
10974
10975<dt> <b>strict</b> </dt> <dd> Convert message lines ending in
10976&lt;CR&gt;&lt;LF&gt; only if the first input line ends in
10977&lt;CR&gt;&lt;LF&gt;. This setting is backwards-compatible with
10978Postfix 2.8 and earlier. </dd>
10979
10980<dt> <b>never</b> </dt> <dd> Never convert message lines ending in
10981&lt;CR&gt;&lt;LF&gt;. This setting exists for completeness only.
10982</dd>
10983
10984</dl>
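<p> The three settings, implemented as an added example (illustration code written for this page, not the Postfix sendmail command's own conversion routine). The function takes raw message bytes and applies the "always", "strict" or "never" rule; the input strings in the test are constructed. </p>

```python
"""Line-ending conversion as described for sendmail_fix_line_endings.
Added example; not Postfix source code."""


def fix_line_endings(data: bytes, mode: str = "always") -> bytes:
    """Convert <CR><LF> line endings to <LF> according to `mode`.

    always: strip the CR from every line that ends in CRLF.
    strict: do so only when the first input line ends in CRLF.
    never:  return the input unchanged.
    A lone CR that is not followed by LF is left where it is."""
    if mode not in ("always", "strict", "never"):
        raise ValueError(f"unknown sendmail_fix_line_endings value: {mode!r}")
    if mode == "never":
        return data
    first_line = data.split(b"\n", 1)[0]
    first_is_crlf = b"\n" in data and first_line.endswith(b"\r")
    if mode == "strict" and not first_is_crlf:
        return data
    return b"\n".join(line[:-1] if line.endswith(b"\r") else line
                      for line in data.split(b"\n"))


if __name__ == "__main__":
    # Constructed sample: a message whose first line is LF-only but whose
    # later lines are CRLF.  "strict" leaves it alone, "always" fixes it.
    sample = b"Subject: test\nFrom: a@example.com\r\n\r\nbody\r\n"
    print(fix_line_endings(sample, "strict"))
    print(fix_line_endings(sample, "always"))
```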
10985
10986<p> This feature is available in Postfix 2.9 and later. </p>
10987
10988
10989</DD>
10990
10991<DT><b><a name="sendmail_path">sendmail_path</a>
10992(default: see "postconf -d" output)</b></DT><DD>
10993
10994<p>
10995A Sendmail compatibility feature that specifies the location of
10996the Postfix <a href="sendmail.1.html">sendmail(1)</a> command. This command can be used to
10997submit mail into the Postfix queue.
10998</p>
10999
11000
11001</DD>
11002
11003<DT><b><a name="service_name">service_name</a>
11004(read-only)</b></DT><DD>
11005
11006<p> The <a href="master.5.html">master.cf</a> service name of a Postfix daemon process. This
11007can be used to distinguish the logging from different services that
11008use the same program name. </p>
11009
11010<p> Example <a href="master.5.html">master.cf</a> entries: </p>
11011
11012<pre>
11013# Distinguish inbound MTA logging from submission and submissions logging.
11014smtp      inet  n       -       n       -       -       smtpd
11015submission inet n       -       n       -       -       smtpd
11016    -o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
11017submissions inet n      -       n       -       -       smtpd
11018    -o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
11019</pre>
11020
11021<pre>
11022# Distinguish outbound MTA logging from inbound relay logging.
11023smtp      unix  -       -       n       -       -       smtp
11024relay     unix  -       -       n       -       -       smtp
11025    -o <a href="postconf.5.html#syslog_name">syslog_name</a>=postfix/$<a href="postconf.5.html#service_name">service_name</a>
11026</pre>
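<p> What the master.cf entries above buy you on the logging side, as an added example (illustration code written for this page, not a Postfix tool). With the override, the logging prefix becomes "postfix/&lt;service&gt;/&lt;program&gt;[pid]" instead of the plain "postfix/&lt;program&gt;[pid]", so a log parser can attribute SASL failures to the submission service rather than lumping them in with port 25 traffic. The log lines are constructed samples. </p>

```python
"""Attributing Postfix log lines to the master.cf service that produced
them, using the syslog_name=postfix/$service_name convention shown above.
Added example; not Postfix source code."""

import re
from collections import Counter

# Constructed sample log lines.
SAMPLE_LOG = """\
Mar  1 10:00:01 mx postfix/smtpd[1201]: connect from unknown[203.0.113.5]
Mar  1 10:00:02 mx postfix/submission/smtpd[1202]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:00:03 mx postfix/submissions/smtpd[1203]: connect from client.example[192.0.2.9]
Mar  1 10:00:04 mx postfix/smtp[1300]: 1A2B3C4D5E: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, status=sent (250 OK)
Mar  1 10:00:05 mx postfix/relay/smtp[1301]: 6F7A8B9C0D: to=<user@example.org>, relay=mx.example.org[192.0.2.26]:25, status=sent (250 OK)
Mar  1 10:00:06 mx postfix/smtpd[1204]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
"""

# syslog_name is "postfix" or "postfix/<service>"; program is smtpd, smtp, ...
LOG_RE = re.compile(
    r"\s(?P<syslog_name>postfix(?:/[A-Za-z0-9_-]+)?)/(?P<program>[A-Za-z0-9_-]+)"
    r"\[\d+\]: (?P<msg>.*)$")


def parse_log_line(line):
    """Return (syslog_name, program, message), or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("syslog_name"), m.group("program"), m.group("msg")


def count_by_source(log_text):
    """Count log lines per 'syslog_name/program' source."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            counts[f"{parsed[0]}/{parsed[1]}"] += 1
    return dict(counts)


def sasl_failures_by_source(log_text):
    """Count SASL authentication failures per source, so failures on the
    submission services can be told apart from those on port 25."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed and "SASL" in parsed[2] and "authentication failed" in parsed[2]:
            counts[f"{parsed[0]}/{parsed[1]}"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(count_by_source(SAMPLE_LOG))
    print(sasl_failures_by_source(SAMPLE_LOG))
```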
11027
11028<p> This feature is available in Postfix 3.3 and later. </p>
11029
11030
11031</DD>
11032
11033<DT><b><a name="service_throttle_time">service_throttle_time</a>
11034(default: 60s)</b></DT><DD>
11035
11036<p>
11037How long the Postfix <a href="master.8.html">master(8)</a> waits before forking a server that
11038appears to be malfunctioning.
11039</p>
11040
11041<p> Specify a non-zero time value (an integral value plus an optional
11042one-letter suffix that specifies the time unit).  Time units: s
11043(seconds), m (minutes), h (hours), d (days), w (weeks).
11044The default time unit is s (seconds).  </p>
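<p> A parser for this time-value syntax, as an added example (illustration code written for this page, not Postfix's own parameter parsing). It handles the five suffixes, applies the default unit to a bare number, and rejects the zero value that service_throttle_time does not allow. </p>

```python
"""Parser for Postfix time values ('60s', '5m', '1h', '2d', '1w', or a bare
integer in the default unit).  Added example; not Postfix source code."""

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time_value(value, default_unit="s"):
    """Return the number of seconds a Postfix time value denotes."""
    value = value.strip()
    if value and value[-1].isalpha():
        number, unit = value[:-1], value[-1]
    else:
        number, unit = value, default_unit
    if unit not in TIME_UNITS or not number.isdigit():
        raise ValueError(f"bad time value: {value!r}")
    return int(number) * TIME_UNITS[unit]


def is_valid_service_throttle_time(value):
    """service_throttle_time must parse and must be non-zero."""
    try:
        return parse_time_value(value) > 0
    except ValueError:
        return False


if __name__ == "__main__":
    for v in ("60s", "5m", "90", "0", "1x"):
        print(v, "->", is_valid_service_throttle_time(v))
```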
11045
11046
11047</DD>
11048
11049<DT><b><a name="setgid_group">setgid_group</a>
11050(default: postdrop)</b></DT><DD>
11051
11052<p>
11053The group ownership of set-gid Postfix commands and of group-writable
11054Postfix directories. When this parameter value is changed you need
to re-run "<b>postfix set-permissions</b>" (with Postfix version 2.0 and
earlier: "<b>/etc/postfix/post-install set-permissions</b>").
11057</p>
11058
11059
11060</DD>
11061
11062<DT><b><a name="shlib_directory">shlib_directory</a>
11063(default: see 'postconf -d' output)</b></DT><DD>
11064
11065<p> The location of Postfix dynamically-linked libraries
11066(libpostfix-*.so), and the default location of Postfix database
11067plugins (postfix-*.so) that have a relative pathname in the
11068dynamicmaps.cf file.  The <a href="postconf.5.html#shlib_directory">shlib_directory</a> parameter defaults to
11069"no" when Postfix dynamically-linked libraries and database plugins
11070are disabled at compile time, otherwise it typically defaults to
11071/usr/lib/postfix or /usr/local/lib/postfix.  </p>
11072
11073<p> Notes: </p>
11074
11075<ul>
11076
11077<li> <p> The directory specified with <a href="postconf.5.html#shlib_directory">shlib_directory</a> should contain
11078only Postfix-related files. Postfix dynamically-linked libraries
11079and database plugins should not be installed in a "public" system
11080directory such as /usr/lib or /usr/local/lib. Linking Postfix
11081dynamically-linked library files or database plugins into non-Postfix
11082programs is not supported.  Postfix dynamically-linked libraries
11083and database plugins implement a Postfix-internal API that changes
11084without maintaining compatibility.  </p>
11085
11086<li> <p> You can change the <a href="postconf.5.html#shlib_directory">shlib_directory</a> value after Postfix is
11087built. However, you may have to run ldconfig or equivalent to prevent
11088Postfix programs from failing because the libpostfix-*.so files are
11089not found.  No ldconfig command is needed if you keep the libpostfix-*.so
11090files in the compiled-in default $<a href="postconf.5.html#shlib_directory">shlib_directory</a> location. </p>
11091
11092</ul>
11093
11094<p> This feature is available in Postfix 3.0 and later. </p>
11095
11096
11097</DD>
11098
11099<DT><b><a name="show_user_unknown_table_name">show_user_unknown_table_name</a>
11100(default: yes)</b></DT><DD>
11101
11102<p>
11103Display the name of the recipient table in the "User unknown"
11104responses.  The extra detail makes troubleshooting easier but also
11105reveals information that is nobody else's business.
11106</p>
11107
11108<p>
11109This feature is available in Postfix 2.0 and later.
11110</p>
11111
11112
11113</DD>
11114
11115<DT><b><a name="showq_service_name">showq_service_name</a>
11116(default: showq)</b></DT><DD>
11117
11118<p>
11119The name of the <a href="showq.8.html">showq(8)</a> service. This service produces mail queue
11120status reports.
11121</p>
11122
11123<p>
11124This feature is available in Postfix 2.0 and later.
11125</p>
11126
11127
11128</DD>
11129
11130<DT><b><a name="smtp_address_preference">smtp_address_preference</a>
11131(default: any)</b></DT><DD>
11132
11133<p> The address type ("ipv6", "ipv4" or "any") that the Postfix
11134SMTP client will try first, when a destination has IPv6 and IPv4
11135addresses with equal MX preference. This feature has no effect
11136unless the <a href="postconf.5.html#inet_protocols">inet_protocols</a> setting enables both IPv4 and IPv6. </p>
11137
11138<p> Postfix SMTP client address preference has evolved. With Postfix
111392.8 the default is "ipv6"; earlier implementations are hard-coded
11140to prefer IPv6 over IPv4. </p>
11141
11142<p> Notes for mail delivery between sites that have both IPv4 and
11143IPv6 connectivity: </p>
11144
11145<ul>
11146
11147<li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv6" is unsafe.
11148All deliveries will suffer delays during an IPv6 outage, even
11149while the destination is still reachable over IPv4. Mail may be
11150stuck in the queue with Postfix versions &lt; 3.3 that do not
11151implement "<a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a>". For similar reasons, the
11152setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv4" is also unsafe. </p>
11153
11154<li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = any" is safe. With
11155this, and "<a href="postconf.5.html#smtp_balance_inet_protocols">smtp_balance_inet_protocols</a> = yes" (the default), only
11156half of deliveries will suffer delays if there is an outage
11157that affects IPv6 or IPv4, as long as it does not affect both. </p>
11158
11159<li> <p> The setting "<a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> = ipv4" is not a
11160solution for remote servers that flag email received over IPv6 as
11161more 'spammy' (the client IPv6 address has a bad or missing PTR or
11162AAAA record, bad network neighbors, etc.). Instead, configure Postfix
11163to receive mail over both IPv4 and IPv6, and to deliver mail over
11164only IPv4. </p>
11165
11166<blockquote>
11167<pre>
11168/etc/postfix/<a href="postconf.5.html">main.cf</a>:
11169    <a href="postconf.5.html#inet_protocols">inet_protocols</a> = all
11170</pre>
11171</blockquote>
11172
11173<blockquote>
11174<pre>
11175/etc/postfix/<a href="master.5.html">master.cf</a>
11176    smtp ...other fields... smtp -o <a href="postconf.5.html#inet_protocols">inet_protocols</a>=ipv4
11177</pre>
11178</blockquote>
11179
11180</ul>
11181
11182<p> This feature is available in Postfix 2.8 and later.  </p>
11183
11184
11185</DD>
11186
11187<DT><b><a name="smtp_address_verify_target">smtp_address_verify_target</a>
11188(default: rcpt)</b></DT><DD>
11189
11190<p> In the context of email address verification, the SMTP protocol
11191stage that determines whether an email address is deliverable.
11192Specify one of "rcpt" or "data".  The latter is needed with remote
11193SMTP servers that reject recipients after the DATA command. Use
11194<a href="postconf.5.html#transport_maps">transport_maps</a> to apply this feature selectively:  </p>
11195
11196<blockquote>
11197<pre>
11198/etc/postfix/<a href="postconf.5.html">main.cf</a>:
11199    <a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
11200</pre>
11201</blockquote>
11202
11203<blockquote>
11204<pre>
11205/etc/postfix/transport:
11206    smtp-domain-that-verifies-after-data    smtp-data-target:
11207    lmtp-domain-that-verifies-after-data    lmtp-data-target:
11208</pre>
11209</blockquote>
11210
11211<blockquote>
11212<pre>
11213/etc/postfix/<a href="master.5.html">master.cf</a>:
11214    smtp-data-target    unix    -    -    n    -    -    smtp
11215        -o <a href="postconf.5.html#smtp_address_verify_target">smtp_address_verify_target</a>=data
11216    lmtp-data-target    unix    -    -    n    -    -    lmtp
11217        -o <a href="postconf.5.html#lmtp_address_verify_target">lmtp_address_verify_target</a>=data
11218</pre>
11219</blockquote>
11220
11221<p> Unselective use of the "data" target does no harm, but will
11222result in unnecessary "lost connection after DATA" events at remote
11223SMTP/LMTP servers. </p>
11224
11225<p> This feature is available in Postfix 3.0 and later.  </p>
11226
11227
11228</DD>
11229
11230<DT><b><a name="smtp_always_send_ehlo">smtp_always_send_ehlo</a>
11231(default: yes)</b></DT><DD>
11232
11233<p>
11234Always send EHLO at the start of an SMTP session.
11235</p>
11236
11237<p>
11238With "<a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> = no", the Postfix SMTP client sends
11239EHLO only when
11240the word "ESMTP" appears in the server greeting banner (example:
11241220 spike.porcupine.org ESMTP Postfix).
11242</p>
11243
11244
11245</DD>
11246
11247<DT><b><a name="smtp_balance_inet_protocols">smtp_balance_inet_protocols</a>
11248(default: yes)</b></DT><DD>
11249
11250<p> When a remote destination resolves to a combination of IPv4 and
11251IPv6 addresses, ensure that the Postfix SMTP client can try both
11252address types before it runs into the <a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a>. </p>
11253
<p> This avoids an interoperability problem when a destination resolves
to primarily IPv6 addresses, the <a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> feature eliminates
most or all IPv4 addresses, and the destination is not reachable over
IPv6. </p>
11258
11259<p> This feature is available in Postfix 3.3 and later. </p>
11260
11261
11262</DD>
11263
11264<DT><b><a name="smtp_bind_address">smtp_bind_address</a>
11265(default: empty)</b></DT><DD>
11266
11267<p>
11268An optional numerical network address that the Postfix SMTP client
11269should bind to when making an IPv4 connection.
11270</p>
11271
11272<p>
11273This can be specified in the <a href="postconf.5.html">main.cf</a> file for all SMTP clients, or
11274it can be specified in the <a href="master.5.html">master.cf</a> file for a specific client,
11275for example:
11276</p>
11277
11278<blockquote>
11279<pre>
11280/etc/postfix/<a href="master.5.html">master.cf</a>:
11281    smtp ... smtp -o <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a>=11.22.33.44
11282</pre>
11283</blockquote>
11284
11285<p> See <a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> for how Postfix should handle
11286errors (Postfix 3.7 and later). </p>
11287
11288<p> Note 1: when <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies no more than one IPv4
11289address, and that address is a non-loopback address, it is
11290automatically used as the <a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a>.  This supports virtual
11291IP hosting, but can be a problem on multi-homed firewalls. See the
11292<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> documentation for more detail. </p>
11293
11294<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
11295but this form is not required here. </p>
11296
11297
11298</DD>
11299
11300<DT><b><a name="smtp_bind_address6">smtp_bind_address6</a>
11301(default: empty)</b></DT><DD>
11302
11303<p>
11304An optional numerical network address that the Postfix SMTP client
11305should bind to when making an IPv6 connection.
11306</p>
11307
11308<p> This feature is available in Postfix 2.2 and later. </p>
11309
11310<p>
11311This can be specified in the <a href="postconf.5.html">main.cf</a> file for all SMTP clients, or
11312it can be specified in the <a href="master.5.html">master.cf</a> file for a specific client,
11313for example:
11314</p>
11315
11316<blockquote>
11317<pre>
11318/etc/postfix/<a href="master.5.html">master.cf</a>:
11319    smtp ... smtp -o <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a>=1:2:3:4:5:6:7:8
11320</pre>
11321</blockquote>
11322
11323<p> See <a href="postconf.5.html#smtp_bind_address_enforce">smtp_bind_address_enforce</a> for how Postfix should handle
11324errors (Postfix 3.7 and later). </p>
11325
11326<p> Note 1: when <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies no more than one IPv6
11327address, and that address is a non-loopback address, it is
11328automatically used as the <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a>.  This supports virtual
11329IP hosting, but can be a problem on multi-homed firewalls. See the
11330<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> documentation for more detail. </p>
11331
11332<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
11333but this form is not recommended here. </p>
11334
11335
11336</DD>
11337
11338<DT><b><a name="smtp_bind_address_enforce">smtp_bind_address_enforce</a>
11339(default: no)</b></DT><DD>
11340
11341<p> Defer delivery when the Postfix SMTP client cannot apply the
11342<a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> or <a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> setting. By default, the
11343Postfix SMTP client will continue delivery after logging a warning.
11344</p>
11345
11346<p> This feature is available in Postfix 3.7 and later. </p>
11347
11348
11349</DD>
11350
11351<DT><b><a name="smtp_body_checks">smtp_body_checks</a>
11352(default: empty)</b></DT><DD>
11353
11354<p> Restricted <a href="header_checks.5.html">body_checks(5)</a> tables for the Postfix SMTP client.
11355These tables are searched while mail is being delivered.  Actions
11356that change the delivery time or destination are not available.
11357</p>
11358
11359<p> This feature is available in Postfix 2.5 and later. </p>
11360
11361
11362</DD>
11363
11364<DT><b><a name="smtp_cname_overrides_servername">smtp_cname_overrides_servername</a>
11365(default: version dependent)</b></DT><DD>
11366
11367<p> When the remote SMTP servername is a DNS CNAME, replace the
11368servername with the result from CNAME expansion for the purpose of
11369logging, SASL password lookup, TLS
11370policy decisions, or TLS certificate verification. The value "no"
11371hardens Postfix <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> hostname-based policies against
11372false hostname information in DNS CNAME records, and makes SASL
11373password file lookups more predictable. This is the default setting
11374as of Postfix 2.3. </p>
11375
11376<p> When DNS CNAME records are validated with secure DNS lookups
11377(<a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> = dnssec), they are always allowed to
11378override the above servername (Postfix 2.11 and later). </p>
11379
11380<p> This feature is available in Postfix 2.2.9 and later. </p>
11381
11382
11383</DD>
11384
11385<DT><b><a name="smtp_connect_timeout">smtp_connect_timeout</a>
11386(default: 30s)</b></DT><DD>
11387
11388<p>
11389The Postfix SMTP client time limit for completing a TCP connection, or
11390zero (use the operating system built-in time limit).
11391</p>
11392
11393<p>
11394When no connection can be made within the deadline, the Postfix
11395SMTP client
11396tries the next address on the mail exchanger list. Specify 0 to
11397disable the time limit (i.e. use whatever timeout is implemented by
11398the operating system).
11399</p>
11400
11401<p> Specify a non-negative time value (an integral value plus an optional
11402one-letter suffix that specifies the time unit).  Time units: s
11403(seconds), m (minutes), h (hours), d (days), w (weeks).
11404The default time unit is s (seconds).  </p>
11405
11406
11407</DD>
11408
11409<DT><b><a name="smtp_connection_cache_destinations">smtp_connection_cache_destinations</a>
11410(default: empty)</b></DT><DD>
11411
11412<p> Permanently enable SMTP connection caching for the specified
11413destinations.  With SMTP connection caching, a connection is not
11414closed immediately after completion of a mail transaction.  Instead,
11415the connection is kept open for up to $<a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a>
11416seconds.  This allows connections to be reused for other deliveries,
11417and can improve mail delivery performance. </p>
11418
11419<p> Specify a comma or white space separated list of destinations
11420or pseudo-destinations: </p>
11421
11422<ul>
11423
11424<li> if mail is sent without a <a href="postconf.5.html#relayhost">relay host</a>: a domain name (the
11425right-hand side of an email address, without the [] around a numeric
11426IP address),
11427
11428<li> if mail is sent via a <a href="postconf.5.html#relayhost">relay host</a>: a <a href="postconf.5.html#relayhost">relay host</a> name (without
11429[] or non-default TCP port), as specified in <a href="postconf.5.html">main.cf</a> or in the
11430transport map,
11431
11432<li> if mail is sent via a UNIX-domain socket: a pathname (without
11433the unix: prefix),
11434
11435<li> a /file/name with domain names and/or <a href="postconf.5.html#relayhost">relay host</a> names as
11436defined above,
11437
11438<li> a "<a href="DATABASE_README.html">type:table</a>" with domain names and/or <a href="postconf.5.html#relayhost">relay host</a> names on
11439the left-hand side.  The right-hand side result from "<a href="DATABASE_README.html">type:table</a>"
11440lookups is ignored.
11441
11442</ul>
11443
11444<p> This feature is available in Postfix 2.2 and later. </p>
11445
11446
11447</DD>
11448
11449<DT><b><a name="smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a>
11450(default: yes)</b></DT><DD>
11451
11452<p> Temporarily enable SMTP connection caching while a destination
11453has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.  With SMTP connection
11454caching, a connection is not closed immediately after completion
11455of a mail transaction.  Instead, the connection is kept open for
11456up to $<a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> seconds.  This allows
11457connections to be reused for other deliveries, and can improve mail
11458delivery performance. </p>
11459
11460<p> This feature is available in Postfix 2.2 and later. </p>
11461
11462
11463</DD>
11464
11465<DT><b><a name="smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a>
11466(default: 2s)</b></DT><DD>
11467
11468<p> When SMTP connection caching is enabled, the amount of time that
11469an unused SMTP client socket is kept open before it is closed.  Do
11470not specify larger values without permission from the remote sites.
11471</p>
11472
11473<p> This feature is available in Postfix 2.2 and later. </p>
11474
11475
11476</DD>
11477
11478<DT><b><a name="smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a>
11479(default: 0)</b></DT><DD>
11480
11481<p> When SMTP connection caching is enabled, the number of times
11482that an SMTP session may be reused before it is closed, or zero (no
11483limit).  With a reuse count limit of N, a connection is used up to
11484N+1 times.  </p>
11485
11486<p> NOTE: This feature is unsafe. When a high-volume destination
11487has multiple inbound MTAs, then the slowest inbound MTA will attract
11488the most connections to that destination.  This limitation does not
11489exist with the <a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> feature. </p>
11490
11491<p> This feature is available in Postfix 2.11. </p>
11492
11493
11494</DD>
11495
11496<DT><b><a name="smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a>
11497(default: 300s)</b></DT><DD>
11498
11499<p> The amount of time during which Postfix will use an SMTP
11500connection repeatedly.  The timer starts when the connection is
11501initiated (i.e. it includes the connect, greeting and helo latency,
11502in addition to the latencies of subsequent mail delivery transactions).
11503</p>
11504
11505<p> This feature addresses a performance stability problem with
11506remote SMTP servers. This problem is not specific to Postfix: it
11507can happen when any MTA sends large amounts of SMTP email to a site
11508that has multiple MX hosts. </p>
11509
11510<p> The problem starts when one of a set of MX hosts becomes slower
11511than the rest.  Even though SMTP clients connect to fast and slow
11512MX hosts with equal probability, the slow MX host ends up with more
11513simultaneous inbound connections than the faster MX hosts, because
11514the slow MX host needs more time to serve each client request. </p>
11515
11516<p> The slow MX host becomes a connection attractor.  If one MX
11517host becomes N times slower than the rest, it dominates mail delivery
11518latency unless there are more than N fast MX hosts to counter the
11519effect. And if the number of MX hosts is smaller than N, the mail
11520delivery latency becomes effectively that of the slowest MX host
11521divided by the total number of MX hosts. </p>
11522
11523<p> The solution uses connection caching in a way that differs from
11524Postfix version 2.2.  By limiting the amount of time during which a connection
11525can be used repeatedly (instead of limiting the number of deliveries
11526over that connection), Postfix not only restores fairness in the
11527distribution of simultaneous connections across a set of MX hosts,
11528it also favors deliveries over connections that perform well, which
11529is exactly what we want.  </p>
11530
<p> The default reuse time limit, 300s, is comparable to the various
smtp transaction timeouts, which are fair estimates of maximum excess
latency for a slow delivery.  Note that hosts may accept thousands
of messages over a single connection within the default connection
reuse time limit. This number is much larger than the default Postfix
version 2.2 limit of 10 messages per cached connection. It may prove necessary
to lower the limit to avoid interoperability issues with MTAs that
exhibit bugs when many messages are delivered via a single connection.
A lower reuse time limit risks losing the benefit of connection
reuse when the average connection and mail delivery latency exceeds
the reuse time limit.  </p>
11542
11543<p> This feature is available in Postfix 2.3 and later. </p>
11544
11545
11546</DD>
11547
11548<DT><b><a name="smtp_data_done_timeout">smtp_data_done_timeout</a>
11549(default: 600s)</b></DT><DD>
11550
11551<p>
11552The Postfix SMTP client time limit for sending the SMTP ".", and
11553for receiving the remote SMTP server response.
11554</p>
11555
11556<p>
11557When no response is received within the deadline, a warning is
11558logged that the mail may be delivered multiple times.
11559</p>
11560
11561<p> Specify a non-zero time value (an integral value plus an optional
11562one-letter suffix that specifies the time unit).  Time units: s
11563(seconds), m (minutes), h (hours), d (days), w (weeks).
11564The default time unit is s (seconds).  </p>
11565
11566
11567</DD>
11568
11569<DT><b><a name="smtp_data_init_timeout">smtp_data_init_timeout</a>
11570(default: 120s)</b></DT><DD>
11571
11572<p>
11573The Postfix SMTP client time limit for sending the SMTP DATA command,
11574and for receiving the remote SMTP server response.
11575</p>
11576
11577<p>
11578Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
11579The default time unit is s (seconds).
11580</p>
11581
11582
11583</DD>
11584
11585<DT><b><a name="smtp_data_xfer_timeout">smtp_data_xfer_timeout</a>
11586(default: 180s)</b></DT><DD>
11587
11588<p>
11589The Postfix SMTP client time limit for sending the SMTP message content.
11590When the connection makes no progress for more than $<a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a>
11591seconds the Postfix SMTP client terminates the transfer.
11592</p>
11593
11594<p>
11595Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
11596The default time unit is s (seconds).
11597</p>
11598
11599
11600</DD>
11601
11602<DT><b><a name="smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a>
11603(default: no)</b></DT><DD>
11604
11605<p>
11606Defer mail delivery when no MX record resolves to an IP address.
11607</p>
11608
11609<p>
11610The default (no) is to return the mail as undeliverable. With older
11611Postfix versions the default was to keep trying to deliver the mail
11612until someone fixed the MX record or until the mail was too old.
11613</p>
11614
11615<p>
11616Note: the Postfix SMTP client always ignores MX records with equal
11617or worse preference
11618than the local MTA itself.
11619</p>
11620
11621<p>
11622This feature is available in Postfix 2.1 and later.
11623</p>
11624
11625
11626</DD>
11627
11628<DT><b><a name="smtp_delivery_status_filter">smtp_delivery_status_filter</a>
11629(default: $<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b></DT><DD>
11630
11631<p> Optional filter for the <a href="smtp.8.html">smtp(8)</a> delivery agent to change the
11632delivery status code or explanatory text of successful or unsuccessful
11633deliveries.  See <a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a> for details.  </p>
11634
11635<p> NOTE: This feature modifies Postfix SMTP client error or non-error
11636messages that may or may not be derived from remote SMTP server
11637responses.  In contrast, the <a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> feature modifies
11638remote SMTP server responses only.  </p>
11639
11640
11641</DD>
11642
11643<DT><b><a name="smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>
11644(default: $<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b></DT><DD>
11645
11646<p> The maximal number of parallel deliveries to the same destination
11647via the smtp message delivery transport. This limit is enforced by
11648the queue manager. The message delivery transport name is the first
11649field in the entry in the <a href="master.5.html">master.cf</a> file.  </p>
11650
11651
11652</DD>
11653
11654<DT><b><a name="smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>
11655(default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
11656
11657<p> The maximal number of recipients per message for the smtp
11658message delivery transport. This limit is enforced by the queue
11659manager. The message delivery transport name is the first field in
11660the entry in the <a href="master.5.html">master.cf</a> file.  </p>
11661
11662<p> Setting this parameter to a value of 1 changes the meaning of
11663<a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> from concurrency per domain
11664into concurrency per recipient.  </p>
11665
11666
11667</DD>
11668
11669<DT><b><a name="smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a>
11670(default: empty)</b></DT><DD>
11671
11672<p> Lookup tables, indexed by the remote SMTP server address, with
11673case insensitive lists of EHLO keywords (pipelining, starttls, auth,
11674etc.) that the Postfix SMTP client will ignore in the EHLO response from a
11675remote SMTP server. See <a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> for details. The
11676table is not indexed by hostname for consistency with
11677<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>. </p>
11678
11679<p>
11680Specify zero or more "type:name" lookup tables, separated by
11681whitespace or comma. Tables will be searched in the specified order
11682until a match is found.
11683</p>
11684
11685<p> This feature is available in Postfix 2.2 and later. </p>
11686
11687
11688</DD>
11689
11690<DT><b><a name="smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a>
11691(default: empty)</b></DT><DD>
11692
11693<p> A case insensitive list of EHLO keywords (pipelining, starttls,
11694auth, etc.) that the Postfix SMTP client will ignore in the EHLO
11695response from a remote SMTP server. </p>
11696
11697<p> This feature is available in Postfix 2.2 and later. </p>
11698
11699<p> Notes: </p>
11700
11701<ul>
11702
11703<li> <p> Specify the <b>silent-discard</b> pseudo keyword to prevent
11704this action from being logged. </p>
11705
11706<li> <p> Use the <a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> feature to
11707discard EHLO keywords selectively. </p>
11708
11709</ul>
11710
11711
11712</DD>
11713
11714<DT><b><a name="smtp_dns_reply_filter">smtp_dns_reply_filter</a>
11715(default: empty)</b></DT><DD>
11716
11717<p> Optional filter for Postfix SMTP client DNS lookup results.
11718Specify zero or more lookup tables.  The lookup tables are searched
11719in the given order for a match with the DNS lookup result, converted
11720to the following form: </p>
11721
11722<pre>
11723    <i>name ttl class type preference value</i>
11724</pre>
11725
11726<p> The <i>class</i> field is always "IN", the <i>preference</i>
11727field exists only for MX records, the names of hosts, domains, etc.
11728end in ".", and those names are in ASCII form (xn--mumble form in
11729the case of UTF8 names).  </p>
11730
11731<p> When a match is found, the table lookup result specifies an
11732action.  By default, the table query and the action name are
11733case-insensitive.  Currently, only the <b>IGNORE</b> action is
11734implemented.  </p>
11735
11736<p> Notes: </p>
11737
11738<ul>
11739
11740<li> <p> Postfix DNS reply filters have no effect on implicit DNS
11741lookups through nsswitch.conf or equivalent mechanisms.  </p>
11742
11743<li> <p> The Postfix SMTP/LMTP client uses <a href="postconf.5.html#smtp_dns_reply_filter">smtp_dns_reply_filter</a>
11744and <a href="postconf.5.html#lmtp_dns_reply_filter">lmtp_dns_reply_filter</a> only to discover a remote SMTP or LMTP
11745service (record types MX, A, AAAA, and TLSA).  These lookups are
11746also made to implement the features <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> and
11747<a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>.  </p>
11748
11749<li> <p> The Postfix SMTP/LMTP client defers mail delivery when
11750a filter removes all lookup results from a successful query.  </p>
11751
11752<li> <p> Postfix SMTP server uses <a href="postconf.5.html#smtpd_dns_reply_filter">smtpd_dns_reply_filter</a> only to
11753look up MX, A, AAAA, and TXT records to implement the features
11754<a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a>, <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>,
11755<a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>, reject_rbl_*, and reject_rhsbl_*.
11756</p>
11757
11758<li> <p> The Postfix SMTP server logs a warning or defers mail
11759delivery when a filter removes all lookup results from a successful
11760query.  </p>
11761
11762</ul>
11763
11764<p> Example: ignore Google AAAA records in Postfix SMTP client DNS
11765lookups, because Google sometimes hard-rejects mail from IPv6 clients
11766with valid PTR etc. records. </p>
11767
11768<pre>
11769/etc/postfix/<a href="postconf.5.html">main.cf</a>:
11770    <a href="postconf.5.html#smtp_dns_reply_filter">smtp_dns_reply_filter</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/smtp_dns_reply_filter
11771</pre>
11772
11773<pre>
11774/etc/postfix/smtp_dns_reply_filter:
11775    # /domain ttl IN AAAA address/ action, all case-insensitive.
11776    # Note: the domain name ends in ".".
11777    /^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
11778</pre>
11779
11780<p> This feature is available in Postfix 3.0 and later. </p>
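<p> The following added example (not Postfix code) renders constructed DNS results in the "name ttl class type preference value" form described above, runs the page's pcre rule against them with the documented case-insensitive matching, and reports when a filter would strip every result of a successful query, the situation in which the SMTP client defers delivery. The record values and the v6-only host name in the test are constructed; the table text is the one from the example above. </p>

```python
import re

# Constructed lookup results (not real resolver output) for a delivery to a
# Google-hosted domain: the MX query, then the address queries for the MX
# host. Each record is (name, ttl, type, value, preference-or-None).
SAMPLE_MX = [("google.com", 600, "MX", "aspmx.l.google.com", 10)]
SAMPLE_ADDR = [
    ("aspmx.l.google.com", 300, "A", "192.0.2.27", None),
    ("aspmx.l.google.com", 300, "AAAA", "2001:db8::1b", None),
]

# The rule from the /etc/postfix/smtp_dns_reply_filter example above.
SAMPLE_TABLE = r"""
# /domain ttl IN AAAA address/ action, all case-insensitive.
# Note: the domain name ends in ".".
/^\S+\.google\.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
"""

HOSTNAME_TYPES = ("MX", "CNAME", "PTR")   # record types whose value is a name


def _ascii_fqdn(name):
    """Absolute name in ASCII form: trailing "." and xn-- labels for UTF-8."""
    return name.rstrip(".").encode("idna").decode("ascii") + "."


def to_filter_form(name, ttl, rtype, value, preference=None):
    """Render one DNS result as "name ttl class type [preference] value".

    This is the string the lookup tables are queried with: class is always
    IN, the preference field exists only for MX, and host names end in ".".
    """
    fields = [_ascii_fqdn(name), str(ttl), "IN", rtype]
    if rtype == "MX":
        fields.append(str(preference))
    fields.append(_ascii_fqdn(value) if rtype in HOSTNAME_TYPES else value)
    return " ".join(fields)


def parse_pcre_table(text):
    """Parse a minimal pcre: table: "/regex/ ACTION" lines and "#" comments.

    Query and action name are case-insensitive by default; IGNORE is the
    only action the DNS reply filter implements, so reject anything else.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/(.*)/\s+(\S+)", line)
        if not m:
            raise ValueError(f"line {lineno}: expected '/regex/ action'")
        pattern, action = m.group(1), m.group(2).upper()
        if action != "IGNORE":
            raise ValueError(f"line {lineno}: unsupported action {action!r}")
        rules.append(re.compile(pattern, re.IGNORECASE))
    return rules


def filter_lookup(results, rules):
    """Apply the filter to the results of one successful DNS query.

    Returns (kept_records, defer): defer is True when the query did return
    records but the filter removed all of them, which makes the Postfix
    SMTP client defer delivery instead of treating the name as unresolvable.
    """
    kept = [rec for rec in results
            if not any(rx.search(to_filter_form(*rec)) for rx in rules)]
    return kept, bool(results) and not kept


if __name__ == "__main__":
    rules = parse_pcre_table(SAMPLE_TABLE)
    for query in (SAMPLE_MX, SAMPLE_ADDR):
        kept, defer = filter_lookup(query, rules)
        for rec in query:
            verdict = "kept" if rec in kept else "IGNORE"
            print(f"{verdict:6} {to_filter_form(*rec)}")
        print("defer" if defer else "deliver", "\n")
```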
11781
11782
11783</DD>
11784
11785<DT><b><a name="smtp_dns_resolver_options">smtp_dns_resolver_options</a>
11786(default: empty)</b></DT><DD>
11787
11788<p> DNS Resolver options for the Postfix SMTP client.  Specify zero
11789or more of the following options, separated by comma or whitespace.
11790Option names are case-sensitive. Some options refer to domain names
11791that are specified in the file /etc/resolv.conf or equivalent. </p>
11792
11793<dl>
11794
11795<dt><b>res_defnames</b></dt>
11796
11797<dd> Append the current domain name to single-component names (those
11798that do not contain a "." character). This can produce incorrect
11799results, and is the hard-coded behavior prior to Postfix 2.8. </dd>
11800
11801<dt><b>res_dnsrch</b></dt>
11802
11803<dd> Search for host names in the current domain and in parent
11804domains. This can produce incorrect results and is therefore not
11805recommended. </dd>
11806
11807</dl>
11808
11809<p> This feature is available in Postfix 2.8 and later.  </p>
11810
11811
11812</DD>
11813
11814<DT><b><a name="smtp_dns_support_level">smtp_dns_support_level</a>
11815(default: empty)</b></DT><DD>
11816
11817<p> Level of DNS support in the Postfix SMTP client.  With
11818"<a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>" left at its empty default value, the legacy
11819"<a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a>" parameter controls whether DNS is enabled in
11820the Postfix SMTP client, otherwise the legacy parameter is ignored.
11821</p>
11822
11823<p> Specify one of the following: </p>
11824
11825<dl>
11826
11827<dt><b>disabled</b></dt>
11828
11829<dd>Disable DNS lookups.  No MX lookups are performed and hostname
11830to address lookups are unconditionally "native".  This setting is
11831not appropriate for hosts that deliver mail to the public Internet.
11832Some obsolete how-to documents recommend disabling DNS lookups in
11833some configurations with content_filters.  This is no longer required
11834and strongly discouraged.  </dd>
11835
11836<dt><b>enabled</b></dt>
11837
11838<dd>Enable DNS lookups.  Nexthop destination domains not enclosed
11839in "[]" will be subject to MX lookups.  If "dns" and "native" are
11840included in the "<a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a>" parameter value, DNS will be
11841queried first to resolve MX-host A records, followed by "native"
11842lookups if no answer is found in DNS.  </dd>
11843
11844<dt><b>dnssec</b></dt>
11845
<dd>Enable <a href="https://tools.ietf.org/html/rfc4033">DNSSEC</a>
lookups.  The "dnssec" setting differs from the "enabled" setting
above in the following ways:

<ul>

<li> Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to
request DNSSEC-validated responses. If the MX response is
DNSSEC-validated, the corresponding hostnames are considered validated.

<li> The address lookups of validated hostnames are also validated
(provided, of course, that "<a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a>" includes "dns", see below).

<li> Temporary failures in DNSSEC-enabled hostname-to-address
resolution block any "native" lookups.  Additional "native" lookups
only happen when DNSSEC lookups hard-fail (NODATA or NXDOMAIN).

</ul> </dd>
11857
11858</dl>
11859
11860<p> The Postfix SMTP client considers non-MX "[nexthop]" and
11861"[nexthop]:port" destinations equivalent to statically-validated
11862MX records of the form "nexthop.  IN MX 0 nexthop."  Therefore,
11863with "dnssec" support turned on, validated hostname-to-address
11864lookups apply to the nexthop domain of any "[nexthop]" or
11865"[nexthop]:port" destination.  This is also true for LMTP "inet:host"
11866and "inet:host:port" destinations, as LMTP hostnames are never
11867subject to MX lookups.  </p>
11868
11869<p>The "dnssec" setting is recommended only if you plan to use the
11870<a href="TLS_README.html#client_tls_dane">dane</a> or <a
11871href="TLS_README.html#client_tls_dane">dane-only</a> TLS security
11872level, otherwise enabling DNSSEC support in Postfix offers no
11873additional security.  Postfix DNSSEC support relies on an upstream
11874recursive nameserver that validates DNSSEC signatures.  Such a DNS
11875server will always filter out forged DNS responses, even when Postfix
11876itself is not configured to use DNSSEC. </p>
11877
11878<p> When using Postfix DANE support the "<a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a>" parameter
11879should include "dns", as <a
11880href="https://tools.ietf.org/html/rfc7672">DANE</a> is not applicable
11881to hosts resolved via "native" lookups.  </p>
11882
<p> As mentioned above, Postfix is not a validating <a
href="https://tools.ietf.org/html/rfc4035#section-4.9">stub
resolver</a>; it relies on the system's configured DNSSEC-validating
<a href="https://tools.ietf.org/html/rfc4035#section-3.2">recursive
nameserver</a> to perform all DNSSEC validation.  Since this
nameserver's DNSSEC-validated responses will be fully trusted, it
is strongly recommended that the MTA host have a local DNSSEC-validating
recursive caching nameserver listening on a loopback address, and
be configured to use only this nameserver for all lookups.  Otherwise,
Postfix may remain subject to man-in-the-middle attacks that forge
responses from the recursive nameserver. </p>
11894
11895<p>DNSSEC support requires a version of Postfix compiled against a
11896reasonably-modern DNS resolver(3) library that implements the
11897RES_USE_DNSSEC and RES_USE_EDNS0 resolver options. </p>
11898
11899<p> This feature is available in Postfix 2.11 and later.  </p>
11900
11901
11902</DD>
11903
11904<DT><b><a name="smtp_enforce_tls">smtp_enforce_tls</a>
11905(default: no)</b></DT><DD>
11906
11907<p> Enforcement mode: require that remote SMTP servers use TLS
11908encryption, and never send mail in the clear.  This also requires
11909that the remote SMTP server hostname matches the information in
11910the remote server certificate, and that the remote SMTP server
11911certificate was issued by a CA that is trusted by the Postfix SMTP
11912client. If the certificate doesn't verify or the hostname doesn't
11913match, delivery is deferred and mail stays in the queue.  </p>
11914
11915<p> The server hostname is matched against all names provided as
11916dNSNames in the SubjectAlternativeName.  If no dNSNames are specified,
11917the CommonName is checked.  The behavior may be changed with the
11918<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> option.  </p>
11919
11920<p> This option is useful only if you are definitely sure that you
11921will only connect to servers that support <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> _and_ that
11922provide valid server certificates.  Typical use is for clients that
11923send all their email to a dedicated mailhub.  </p>
11924
11925<p> This feature is available in Postfix 2.2 and later. With
11926Postfix 2.3 and later use <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> instead. </p>
11927
11928
11929</DD>
11930
11931<DT><b><a name="smtp_fallback_relay">smtp_fallback_relay</a>
11932(default: $<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b></DT><DD>
11933
11934<p> Optional list of relay destinations that will be used when an
11935SMTP destination is not found, or when delivery fails due to a
11936non-permanent error. With Postfix 2.2 and earlier this parameter
11937is called <a href="postconf.5.html#fallback_relay">fallback_relay</a>. </p>
11938
11939<p> By default, <a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> is empty, mail is returned to
11940the sender when a destination is not found, and delivery is deferred
11941after it fails due to a non-permanent error. </p>
11942
11943<p> With bulk email deliveries, it can be beneficial to run the
11944fallback relay MTA on the same host, so that it can reuse the sender
11945IP address.  This speeds up deliveries that are delayed by IP-based
11946reputation systems (greylist, etc.). </p>
11947
11948<p> The fallback relays must be SMTP destinations. Specify a domain,
11949host, host:port, [host]:port, [address] or [address]:port; the form
11950[host] turns off MX lookups.  If you specify multiple SMTP
11951destinations, Postfix will try them in the specified order.  </p>
11952
<p> To prevent mailer loops between MX hosts and fall-back hosts,
Postfix version 2.2 and later will not use the fallback relays for
destinations for which it is itself an MX host (assuming DNS lookup
is turned on).  </p>
11957
11958
11959</DD>
11960
11961<DT><b><a name="smtp_generic_maps">smtp_generic_maps</a>
11962(default: empty)</b></DT><DD>
11963
11964<p> Optional lookup tables that perform address rewriting in the
11965Postfix SMTP client, typically to transform a locally valid address into
11966a globally valid address when sending mail across the Internet.
11967This is needed when the local machine does not have its own Internet
11968domain name, but uses something like <i>localdomain.local</i>
11969instead.  </p>
11970
11971<p>
11972Specify zero or more "type:name" lookup tables, separated by
11973whitespace or comma. Tables will be searched in the specified order
11974until a match is found.
11975</p>
11976
11977<p> The table format and lookups are documented in <a href="generic.5.html">generic(5)</a>;
11978examples are shown in the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> and
11979<a href="STANDARD_CONFIGURATION_README.html">STANDARD_CONFIGURATION_README</a> documents. </p>
11980
11981<p> This feature is available in Postfix 2.2 and later.  </p>
11982
11983
11984</DD>
11985
11986<DT><b><a name="smtp_header_checks">smtp_header_checks</a>
11987(default: empty)</b></DT><DD>
11988
11989<p> Restricted <a href="header_checks.5.html">header_checks(5)</a> tables for the Postfix SMTP client.
11990These tables are searched while mail is being delivered.  Actions
11991that change the delivery time or destination are not available.
11992</p>
11993
11994<p> This feature is available in Postfix 2.5 and later. </p>
11995
11996
11997</DD>
11998
11999<DT><b><a name="smtp_helo_name">smtp_helo_name</a>
12000(default: $<a href="postconf.5.html#myhostname">myhostname</a>)</b></DT><DD>
12001
12002<p>
12003The hostname to send in the SMTP HELO or EHLO command.
12004</p>
12005
12006<p>
12007The default value is the machine hostname.  Specify a hostname or
12008[ip.add.re.ss].
12009</p>
12010
12011<p>
12012This information can be specified in the <a href="postconf.5.html">main.cf</a> file for all SMTP
12013clients, or it can be specified in the <a href="master.5.html">master.cf</a> file for a specific
12014client, for example:
12015</p>
12016
12017<blockquote>
12018<pre>
12019/etc/postfix/<a href="master.5.html">master.cf</a>:
12020    mysmtp ... smtp -o <a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a>=foo.bar.com
12021</pre>
12022</blockquote>
12023
12024<p>
12025This feature is available in Postfix 2.0 and later.
12026</p>
12027
12028
12029</DD>
12030
12031<DT><b><a name="smtp_helo_timeout">smtp_helo_timeout</a>
12032(default: 300s)</b></DT><DD>
12033
12034<p>
12035The Postfix SMTP client time limit for sending the HELO or EHLO command,
12036and for receiving the initial remote SMTP server response.
12037</p>
12038
12039<p> Specify a non-zero time value (an integral value plus an optional
12040one-letter suffix that specifies the time unit).  Time units: s
12041(seconds), m (minutes), h (hours), d (days), w (weeks).
12042The default time unit is s (seconds).  </p>
12043
12044
12045</DD>
12046
12047<DT><b><a name="smtp_host_lookup">smtp_host_lookup</a>
12048(default: dns)</b></DT><DD>
12049
12050<p>
12051What mechanisms the Postfix SMTP client uses to look up a host's
12052IP address.  This parameter is ignored when DNS lookups are disabled
12053(see: <a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> and <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a>).  The "dns"
12054mechanism is always tried before "native" if both are listed.
12055</p>
12056
12057<p>
12058Specify one of the following:
12059</p>
12060
12061<dl>
12062
12063<dt><b>dns</b></dt>
12064
12065<dd>Hosts can be found in the DNS (preferred).  </dd>
12066
12067<dt><b>native</b></dt>
12068
12069<dd>Use the native naming service only (nsswitch.conf, or equivalent
12070mechanism).  </dd>
12071
12072<dt><b>dns, native</b></dt>
12073
12074<dd>Use the native service for hosts not found in the DNS.  </dd>
12075
12076</dl>
12077
12078<p>
12079This feature is available in Postfix 2.1 and later.
12080</p>
12081
12082
12083</DD>
12084
12085<DT><b><a name="smtp_line_length_limit">smtp_line_length_limit</a>
12086(default: 998)</b></DT><DD>
12087
12088<p>
12089The maximal length of message header and body lines that Postfix
12090will send via SMTP. This limit does not include the &lt;CR&gt;&lt;LF&gt;
12091at the end of each line.  Longer lines are broken by inserting
12092"&lt;CR&gt;&lt;LF&gt;&lt;SPACE&gt;", to minimize the damage to MIME
12093formatted mail. Specify zero to disable this limit.
12094</p>
12095
12096<p>
12097The Postfix limit of 998 characters not including &lt;CR&gt;&lt;LF&gt;
12098is consistent with the SMTP limit of 1000 characters including
12099&lt;CR&gt;&lt;LF&gt;.  The Postfix limit was 990 with Postfix 2.8
12100and earlier.
12101</p>
12102
12103
12104</DD>
12105
12106<DT><b><a name="smtp_mail_timeout">smtp_mail_timeout</a>
12107(default: 300s)</b></DT><DD>
12108
12109<p>
12110The Postfix SMTP client time limit for sending the MAIL FROM command,
12111and for receiving the remote SMTP server response.
12112</p>
12113
12114<p> Specify a non-zero time value (an integral value plus an optional
12115one-letter suffix that specifies the time unit).  Time units: s
12116(seconds), m (minutes), h (hours), d (days), w (weeks).
12117The default time unit is s (seconds).  </p>
12118
12119
12120</DD>
12121
12122<DT><b><a name="smtp_mime_header_checks">smtp_mime_header_checks</a>
12123(default: empty)</b></DT><DD>
12124
12125<p> Restricted mime_<a href="header_checks.5.html">header_checks(5)</a> tables for the Postfix SMTP
12126client. These tables are searched while mail is being delivered.
12127Actions that change the delivery time or destination are not
12128available.  </p>
12129
12130<p> This feature is available in Postfix 2.5 and later. </p>
12131
12132
12133</DD>
12134
12135<DT><b><a name="smtp_min_data_rate">smtp_min_data_rate</a>
12136(default: 500)</b></DT><DD>
12137
12138<p> The minimum plaintext data transfer rate in bytes/second for
12139DATA requests, when deadlines are enabled with <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
12140After a write operation transfers N plaintext message bytes (possibly
12141after TLS encryption), and after the DATA request deadline is
12142decremented by the elapsed time of that write operation, the DATA
12143request deadline is incremented by N/smtp_min_data_rate seconds.
12144However, the deadline will never be incremented beyond the time
12145limit specified with <a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a>.  </p>
12146
12147<p> This feature is available in Postfix 3.7 and later. </p>
12148
12149
12150</DD>
12151
12152<DT><b><a name="smtp_mx_address_limit">smtp_mx_address_limit</a>
12153(default: 5)</b></DT><DD>
12154
12155<p>
12156The maximal number of MX (mail exchanger) IP addresses that can
12157result from Postfix SMTP client mail exchanger lookups, or zero (no
12158limit). Prior to
12159Postfix version 2.3, this limit was disabled by default.
12160</p>
12161
12162<p>
12163This feature is available in Postfix 2.1 and later.
12164</p>
12165
12166
12167</DD>
12168
12169<DT><b><a name="smtp_mx_session_limit">smtp_mx_session_limit</a>
12170(default: 2)</b></DT><DD>
12171
12172<p> The maximal number of SMTP sessions per delivery request before
12173the Postfix SMTP client
12174gives up or delivers to a fall-back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no
12175limit). This restriction ignores sessions that fail to complete the
12176SMTP initial handshake (Postfix version 2.2 and earlier) or that fail to
12177complete the EHLO and TLS handshake (Postfix version 2.3 and later).  </p>
12178
12179<p> This feature is available in Postfix 2.1 and later.  </p>
12180
12181
12182</DD>
12183
12184<DT><b><a name="smtp_nested_header_checks">smtp_nested_header_checks</a>
12185(default: empty)</b></DT><DD>
12186
12187<p> Restricted nested_<a href="header_checks.5.html">header_checks(5)</a> tables for the Postfix SMTP
12188client. These tables are searched while mail is being delivered.
12189Actions that change the delivery time or destination are not
12190available.  </p>
12191
12192<p> This feature is available in Postfix 2.5 and later. </p>
12193
12194
12195</DD>
12196
12197<DT><b><a name="smtp_never_send_ehlo">smtp_never_send_ehlo</a>
12198(default: no)</b></DT><DD>
12199
12200<p> Never send EHLO at the start of an SMTP session. See also the
12201<a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> parameter.  </p>
12202
12203
12204</DD>
12205
12206<DT><b><a name="smtp_per_record_deadline">smtp_per_record_deadline</a>
12207(default: no)</b></DT><DD>
12208
12209<p> Change the behavior of the smtp_*_timeout time limits, from a
12210time limit per read or write system call, to a time limit to send
12211or receive a complete record (an SMTP command line, SMTP response
12212line, SMTP message content line, or TLS protocol message).  This
12213limits the impact from hostile peers that trickle data one byte at
12214a time.  </p>
12215
12216<p> Note: when per-record deadlines are enabled, a short timeout
12217may cause problems with TLS over very slow network connections.
12218The reasons are that a TLS protocol message can be up to 16 kbytes
12219long (with TLSv1), and that an entire TLS protocol message must be
12220sent or received within the per-record deadline.  </p>
12221
12222<p> This feature is available in Postfix 2.9-3.6. With older
12223Postfix releases, the behavior is as if this parameter is set to
12224"no". Postfix 3.7 and later use <a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>. </p>
12225
12226
12227</DD>
12228
12229<DT><b><a name="smtp_per_request_deadline">smtp_per_request_deadline</a>
12230(default: no)</b></DT><DD>
12231
12232<p> Change the behavior of the smtp_*_timeout time limits, from a
12233time limit per plaintext or TLS read or write call, to a combined
12234time limit for sending a complete SMTP request and for receiving a
12235complete SMTP response. The deadline limits only the time spent
12236waiting for plaintext or TLS read or write calls, not time spent
12237elsewhere. The per-request deadline limits the impact from hostile
12238peers that trickle data one byte at a time. </p>
12239
12240<p> See <a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> for how the per-request deadline is
12241managed during the DATA phase. </p>
12242
12243<p> Note: when per-request deadlines are enabled, a short time limit
12244may cause problems with TLS over very slow network connections. The
12245reason is that a TLS protocol message can be up to 16 kbytes long
12246(with TLSv1), and that an entire TLS protocol message must be
12247transferred within the per-request deadline. </p>
12248
12249<p> This feature is available in Postfix 3.7 and later. A weaker
12250feature, called <a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a>, is available with Postfix
122512.9-3.6. </p>
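<p> The DATA-phase deadline bookkeeping described under <a href="postconf.5.html#smtp_min_data_rate">smtp_min_data_rate</a> and referenced above, as an added Python model that is not part of Postfix itself: each write first charges its elapsed time, then credits N/smtp_min_data_rate seconds, capped at smtp_data_xfer_timeout. The starting deadline, the 180s cap, and the constructed write sequences are assumptions of the example. </p>

```python
from dataclasses import dataclass


@dataclass
class DataDeadline:
    """Per-request deadline for the DATA phase (model of the documented rule)."""
    min_data_rate: int      # smtp_min_data_rate, bytes/second (default 500)
    xfer_timeout: float     # smtp_data_xfer_timeout; 180s is assumed here
    remaining: float        # seconds left before the request is abandoned

    def record_write(self, nbytes: int, elapsed: float) -> float:
        """Update the deadline after a write of nbytes that took elapsed seconds."""
        # 1. The deadline is decremented by the time the write call spent.
        self.remaining -= elapsed
        if self.remaining <= 0:
            raise TimeoutError("DATA request deadline exceeded")
        # 2. It is then incremented by N / smtp_min_data_rate seconds ...
        self.remaining += nbytes / self.min_data_rate
        # 3. ... but never beyond the smtp_data_xfer_timeout limit.
        self.remaining = min(self.remaining, self.xfer_timeout)
        return self.remaining


def simulate(writes, min_data_rate=500, xfer_timeout=180.0):
    """Replay (nbytes, elapsed_seconds) pairs.

    Returns the remaining deadline in seconds, or None once the peer
    has exhausted it. The deadline is assumed to start at xfer_timeout.
    """
    deadline = DataDeadline(min_data_rate, xfer_timeout, xfer_timeout)
    for nbytes, elapsed in writes:
        try:
            deadline.record_write(nbytes, elapsed)
        except TimeoutError:
            return None
    return deadline.remaining


if __name__ == "__main__":
    # Constructed traces: a healthy peer keeps the deadline pinned at the cap,
    # while a peer that accepts one byte per second drains it steadily.
    print("healthy:", simulate([(50000, 1.0)] * 3))
    print("trickle, 100 writes:", simulate([(1, 1.0)] * 100))
    print("trickle, 200 writes:", simulate([(1, 1.0)] * 200))
```

A peer that accepts 1 byte/s earns only 0.002 s per write, so the 180 s budget is used up after roughly 180 writes instead of lasting indefinitely.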
12254
12255
12256</DD>
12257
12258<DT><b><a name="smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a>
12259(default: 10s)</b></DT><DD>
12260
12261<p>
12262How long the Postfix SMTP client pauses before sending
12263".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX firewall
12264"&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.
12265</p>
12266
12267<p>
12268Choosing too short a time makes this workaround ineffective when
12269sending large messages over slow network connections.
12270</p>
12271
12272<p> Specify a non-zero time value (an integral value plus an optional
12273one-letter suffix that specifies the time unit).  Time units: s
12274(seconds), m (minutes), h (hours), d (days), w (weeks).
12275The default time unit is s (seconds).  </p>
12276
12277
12278</DD>
12279
12280<DT><b><a name="smtp_pix_workaround_maps">smtp_pix_workaround_maps</a>
12281(default: empty)</b></DT><DD>
12282
12283<p> Lookup tables, indexed by the remote SMTP server address, with
12284per-destination workarounds for CISCO PIX firewall bugs.  The table
12285is not indexed by hostname for consistency with
12286<a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a>. </p>
12287
12288<p>
12289Specify zero or more "type:name" lookup tables, separated by
12290whitespace or comma. Tables will be searched in the specified order
12291until a match is found.
12292</p>
12293
12294<p> This feature is available in Postfix 2.4 and later. </p>
12295
12296
12297</DD>
12298
12299<DT><b><a name="smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a>
12300(default: 500s)</b></DT><DD>
12301
12302<p> How long a message must be queued before the Postfix SMTP client
12303turns on the PIX firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;"
12304bug workaround for delivery through firewalls with "smtp fixup"
12305mode turned on.  </p>
12306
12307<p> Specify a non-negative time value (an integral value plus an optional
12308one-letter suffix that specifies the time unit).  Time units: s
12309(seconds), m (minutes), h (hours), d (days), w (weeks).
12310The default time unit is s (seconds).  </p>
12311
12312<p>
12313By default, the workaround is turned off for mail that is queued
12314for less than 500 seconds. In other words, the workaround is normally
12315turned off for the first delivery attempt.
12316</p>
12317
12318<p>
12319Specify 0 to enable the PIX firewall
12320"&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround upon the
12321first delivery attempt.
12322</p>
12323
12324
12325</DD>
12326
12327<DT><b><a name="smtp_pix_workarounds">smtp_pix_workarounds</a>
12328(default: disable_esmtp, delay_dotcrlf)</b></DT><DD>
12329
12330<p> A list that specifies zero or more workarounds for CISCO PIX
12331firewall bugs. These workarounds are implemented by the Postfix
12332SMTP client. Workaround names are separated by comma or space, and
12333are case insensitive.  This parameter setting can be overruled with
12334per-destination <a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> settings. </p>
12335
12336<dl>
12337
<dt><b>delay_dotcrlf</b></dt><dd> Insert a delay before sending
".&lt;CR&gt;&lt;LF&gt;" after the end of the message content.  The
delay is subject to the <a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> and
<a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> parameter settings. </dd>

<dt><b>disable_esmtp</b></dt><dd> Disable all extended SMTP commands:
send HELO instead of EHLO. </dd>
12345
12346</dl>
12347
12348<p> This feature is available in Postfix 2.4 and later. The default
12349settings are backwards compatible with earlier Postfix versions.
12350</p>
12351
12352
12353</DD>
12354
12355<DT><b><a name="smtp_quit_timeout">smtp_quit_timeout</a>
12356(default: 300s)</b></DT><DD>
12357
12358<p>
12359The Postfix SMTP client time limit for sending the QUIT command,
12360and for receiving the remote SMTP server response.
12361</p>
12362
12363<p> Specify a non-zero time value (an integral value plus an optional
12364one-letter suffix that specifies the time unit).  Time units: s
12365(seconds), m (minutes), h (hours), d (days), w (weeks).
12366The default time unit is s (seconds).  </p>
12367
12368
12369</DD>
12370
12371<DT><b><a name="smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a>
12372(default: yes)</b></DT><DD>
12373
12374<p>
12375Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
12376as required
12377by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. This includes putting quotes around an address localpart
12378that ends in ".".
12379</p>
12380
12381<p>
12382The default is to comply with <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. If you have to send mail to
12383a broken SMTP server, configure a special SMTP client in <a href="master.5.html">master.cf</a>:
12384</p>
12385
12386<blockquote>
12387<pre>
12388/etc/postfix/<a href="master.5.html">master.cf</a>:
12389    broken-smtp . . . smtp -o <a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a>=no
12390</pre>
12391</blockquote>
12392
12393<p>
12394and route mail for the destination in question to the "broken-smtp"
12395message delivery with a <a href="transport.5.html">transport(5)</a> table.
12396</p>
12397
12398<p>
12399This feature is available in Postfix 2.1 and later.
12400</p>
12401
12402
12403</DD>
12404
12405<DT><b><a name="smtp_randomize_addresses">smtp_randomize_addresses</a>
12406(default: yes)</b></DT><DD>
12407
12408<p>
12409Randomize the order of equal-preference MX host addresses.  This
12410is a performance feature of the Postfix SMTP client.
12411</p>
12412
12413
12414</DD>
12415
12416<DT><b><a name="smtp_rcpt_timeout">smtp_rcpt_timeout</a>
12417(default: 300s)</b></DT><DD>
12418
12419<p>
12420The Postfix SMTP client time limit for sending the SMTP RCPT TO
12421command, and for receiving the remote SMTP server response.
12422</p>
12423
12424<p> Specify a non-zero time value (an integral value plus an optional
12425one-letter suffix that specifies the time unit).  Time units: s
12426(seconds), m (minutes), h (hours), d (days), w (weeks).
12427The default time unit is s (seconds).  </p>
12428
12429
12430</DD>
12431
12432<DT><b><a name="smtp_reply_filter">smtp_reply_filter</a>
12433(default: empty)</b></DT><DD>
12434
12435<p> A mechanism to transform replies from remote SMTP servers one
12436line at a time.  This is a last-resort tool to work around server
12437replies that break interoperability with the Postfix SMTP client.
12438Other uses involve fault injection to test Postfix's handling of
12439invalid responses. </p>
12440
12441<p> Notes: </p>
12442
12443<ul>
12444
12445<li> <p> In the case of a multi-line reply, the Postfix SMTP client
12446uses the final reply line's numerical SMTP reply code and enhanced
12447status code.  </p>
12448
12449<li> <p> The numerical SMTP reply code (XYZ) takes precedence over
12450the enhanced status code (X.Y.Z).  When the enhanced status code
12451initial digit differs from the SMTP reply code initial digit, or
12452when no enhanced status code is present, the Postfix SMTP client
12453uses a generic enhanced status code (X.0.0) instead. </p>
12454
12455</ul>
12456
12457<p> Specify the name of a "<a href="DATABASE_README.html">type:table</a>" lookup table. The search
12458string is a single SMTP reply line as received from the remote SMTP
12459server, except that the trailing &lt;CR&gt;&lt;LF&gt; are removed.
12460When the lookup succeeds, the result replaces the single SMTP reply
12461line. </p>
12462
12463<p> Examples: </p>
12464
12465<pre>
12466/etc/postfix/<a href="postconf.5.html">main.cf</a>:
12467    <a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/reply_filter
12468</pre>
12469
12470<pre>
12471/etc/postfix/reply_filter:
12472    # Transform garbage into "250-filler..." so that it looks like
12473    # one line from a multi-line reply. It does not matter what we
12474    # substitute here as long it has the right syntax.  The Postfix
12475    # SMTP client will use the final line's numerical SMTP reply
12476    # code and enhanced status code.
12477    !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
12478</pre>
12479
12480<p> This feature is available in Postfix 2.7. </p>
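<p> As an added example that is not part of the Postfix documentation or code, the following Python model applies the single rule from the pcre table above to a constructed multi-line reply and then derives the reply code and enhanced status code the way the two notes describe (final line wins; a mismatched or missing enhanced code falls back to X.0.0). Only the pattern is taken from the page; the sample reply and function names are assumptions. </p>

```python
import re

# Constructed sample reply (not from the Postfix documentation): a server
# injects a line without a reply code into the middle of a multi-line reply.
RAW_REPLY = (
    "250-mail.example.test Hello\r\n"
    "this line has no SMTP reply code\r\n"
    "250 2.1.0 Ok\r\n"
)

# The pattern from the page's pcre table. The leading "!" in the table
# negates it: the replacement fires for lines that do NOT match.
_VALID_CODE = re.compile(r"^([2-5][0-9][0-9]($|[- ]))")
FILLER = "250-filler for garbage"

# Enhanced status code X.Y.Z as it appears right after "XYZ " on a reply line.
_ENHANCED = re.compile(r"^([2-5])\.(\d{1,3})\.(\d{1,3})(?:\s|$)")


def apply_reply_filter(line: str) -> str:
    """Apply the table's single rule to one reply line (trailing CRLF removed)."""
    if _VALID_CODE.search(line):
        return line
    return FILLER


def parse_reply(raw: str):
    """Filter each line, then pick code and enhanced status from the final line.

    Returns (filtered_lines, reply_code, enhanced_status).
    """
    lines = raw.split("\r\n")
    if lines and lines[-1] == "":          # drop the piece after the final CRLF
        lines.pop()
    lines = [apply_reply_filter(line) for line in lines]
    final = lines[-1]
    code = final[:3]
    rest = final[4:]                       # text after "XYZ " (or "XYZ-")
    m = _ENHANCED.match(rest)
    if m and m.group(1) == code[0]:
        enhanced = ".".join(m.groups()[:3])
    else:
        # No enhanced code, or its class digit disagrees with the reply
        # code: the generic X.0.0 is used, as the notes above describe.
        enhanced = code[0] + ".0.0"
    return lines, code, enhanced


if __name__ == "__main__":
    filtered, code, enhanced = parse_reply(RAW_REPLY)
    for line in filtered:
        print(line)
    print("reply code:", code, "enhanced status:", enhanced)
```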
12481
12482
12483</DD>
12484
12485<DT><b><a name="smtp_rset_timeout">smtp_rset_timeout</a>
12486(default: 20s)</b></DT><DD>
12487
12488<p> The Postfix SMTP client time limit for sending the RSET command,
12489and for receiving the remote SMTP server response. The SMTP client
12490sends RSET in
12491order to finish a recipient address probe, or to verify that a
12492cached session is still usable.  </p>
12493
12494<p> Specify a non-zero time value (an integral value plus an optional
12495one-letter suffix that specifies the time unit).  Time units: s
12496(seconds), m (minutes), h (hours), d (days), w (weeks).
12497The default time unit is s (seconds).  </p>
12498
12499<p> This feature is available in Postfix 2.1 and later.  </p>
12500
12501
12502</DD>
12503
12504<DT><b><a name="smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
12505(default: empty)</b></DT><DD>
12506
12507<p> An optional table to prevent repeated SASL authentication
12508failures with the same remote SMTP server hostname, username and
12509password. Each table (key, value) pair contains a server name, a
12510username and password, and the full server response. This information
12511is stored when a remote SMTP server rejects an authentication attempt
12512with a 535 reply code.  As long as the <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a>
12513information does not change, and as long as the <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
12514information does not expire (see <a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a>) the
12515Postfix SMTP client avoids SASL authentication attempts with the
12516same server, username and password, and instead bounces or defers
12517mail as controlled with the <a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> configuration
12518parameter.  </p>
12519
12520<p> Use a per-destination delivery concurrency of 1 (for example,
12521"<a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> = 1",
12522"<a href="postconf.5.html#relay_destination_concurrency_limit">relay_destination_concurrency_limit</a> = 1", etc.), otherwise multiple
12523delivery agents may experience a login failure at the same time.
12524</p>
12525
12526<p> The table must be accessed via the proxywrite service, i.e. the
12527map name must start with "<a href="proxymap.8.html">proxy</a>:". The table should be stored under
12528the directory specified with the <a href="postconf.5.html#data_directory">data_directory</a> parameter. </p>
12529
12530<p> This feature uses cryptographic hashing to protect plain-text
12531passwords, and requires that Postfix is compiled with TLS support.
12532</p>
12533
12534<p> Example: </p>
12535
12536<pre>
12537<a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> = <a href="proxymap.8.html">proxy</a>:<a href="DATABASE_README.html#types">btree</a>:/var/db/postfix/sasl_auth_cache
12538</pre>
12539
12540<p> This feature is available in Postfix 2.5 and later. </p>
12541
12542
12543</DD>
12544
12545<DT><b><a name="smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a>
12546(default: 90d)</b></DT><DD>
12547
12548<p> The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
12549is removed. </p>
12550
12551<p> Specify a non-negative time value (an integral value plus an optional
12552one-letter suffix that specifies the time unit).  Time units: s
12553(seconds), m (minutes), h (hours), d (days), w (weeks).
12554The default time unit is d (days).  </p>
12555
12556<p> This feature is available in Postfix 2.5 and later. </p>
12557
12558
12559</DD>
12560
12561<DT><b><a name="smtp_sasl_auth_enable">smtp_sasl_auth_enable</a>
12562(default: no)</b></DT><DD>
12563
12564<p>
12565Enable SASL authentication in the Postfix SMTP client.  By default,
12566the Postfix SMTP client uses no authentication.
12567</p>
12568
12569<p>
12570Example:
12571</p>
12572
12573<pre>
12574<a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
12575</pre>
12576
12577
12578</DD>
12579
12580<DT><b><a name="smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a>
12581(default: yes)</b></DT><DD>
12582
12583<p> When a remote SMTP server rejects a SASL authentication request
12584with a 535 reply code, defer mail delivery instead of returning
12585mail as undeliverable. The latter behavior was hard-coded prior to
12586Postfix version 2.5. </p>
12587
12588<p> Note: the setting "yes" overrides the global <a href="postconf.5.html#soft_bounce">soft_bounce</a>
12589parameter, but the setting "no" does not. </p>
12590
12591<p> Example: </p>
12592
12593<pre>
12594# Default as of Postfix 2.5
12595<a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> = yes
12596# The old hard-coded default
12597<a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> = no
12598</pre>
12599
12600<p> This feature is available in Postfix 2.5 and later. </p>
12601
12602
12603</DD>
12604
12605<DT><b><a name="smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a>
12606(default: empty)</b></DT><DD>
12607
12608<p>
12609If non-empty, a Postfix SMTP client filter for the remote SMTP
12610server's list of offered SASL mechanisms.  Different client and
12611server implementations may support different mechanism lists; by
12612default, the Postfix SMTP client will use the intersection of the
12613two. <a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> specifies an optional third mechanism
12614list to intersect with. </p>
12615
12616<p> Specify mechanism names, "/file/name" patterns or "<a href="DATABASE_README.html">type:table</a>"
12617lookup tables. The right-hand side result from "<a href="DATABASE_README.html">type:table</a>" lookups
12618is ignored. Specify "!pattern" to exclude a mechanism name from the
12619list. The form "!/file/name" is supported only in Postfix version
126202.4 and later. </p>
12621
12622<p> This feature is available in Postfix 2.2 and later. </p>
12623
12624<p>
12625Examples:
12626</p>
12627
12628<pre>
12629<a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> = plain, login
12630<a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> = /etc/postfix/smtp_mechs
12631<a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> = !gssapi, !login, <a href="DATABASE_README.html#types">static</a>:rest
12632</pre>
12633
12634
12635</DD>
12636
12637<DT><b><a name="smtp_sasl_password_maps">smtp_sasl_password_maps</a>
12638(default: empty)</b></DT><DD>
12639
12640<p>
12641Optional Postfix SMTP client lookup tables with one username:password
12642entry per sender, remote hostname or next-hop domain. Per-sender
12643lookup is done only when sender-dependent authentication is enabled.
12644If no username:password entry is found, then the Postfix SMTP client
12645will not attempt to authenticate to the remote host.
12646</p>
12647
12648<p> Use <a href="postconf.5.html#smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a> to specify an
12649alternative separator between username and password. </p>
12650
12651<p>
12652The Postfix SMTP client opens the lookup table before going to
12653chroot jail, so you can leave the password file in /etc/postfix.
12654</p>
12655
12656<p>
12657Specify zero or more "type:name" lookup tables, separated by
12658whitespace or comma. Tables will be searched in the specified order
12659until a match is found.
12660</p>
12661
12662
12663</DD>
12664
12665<DT><b><a name="smtp_sasl_password_result_delimiter">smtp_sasl_password_result_delimiter</a>
12666(default: :)</b></DT><DD>
12667
<p> The delimiter between username and password in
<a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> lookup
results. Specify one non-whitespace character that does not appear in
the username. </p>
12671
12672<p> This feature is available in Postfix &ge; 3.9. </p>
12673
12674
12675</DD>
12676
12677<DT><b><a name="smtp_sasl_path">smtp_sasl_path</a>
12678(default: empty)</b></DT><DD>
12679
12680<p> Implementation-specific information that the Postfix SMTP client
12681passes through to
12682the SASL plug-in implementation that is selected with
12683<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.  Typically this specifies the name of a
12684configuration file or rendezvous point. </p>
12685
12686<p> This feature is available in Postfix 2.3 and later. </p>
12687
12688
12689</DD>
12690
12691<DT><b><a name="smtp_sasl_security_options">smtp_sasl_security_options</a>
12692(default: noplaintext, noanonymous)</b></DT><DD>
12693
12694<p> Postfix SMTP client SASL security options; as of Postfix 2.3
12695the list of available
12696features depends on the SASL client implementation that is selected
12697with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.  </p>
12698
12699<p> The following security features are defined for the <b>cyrus</b>
12700client SASL implementation: </p>
12701
12702<p>
12703Specify zero or more of the following:
12704</p>
12705
12706<dl>
12707
12708<dt><b>noplaintext</b></dt>
12709
12710<dd>Disallow methods that use plaintext passwords. </dd>
12711
12712<dt><b>noactive</b></dt>
12713
12714<dd>Disallow methods subject to active (non-dictionary) attack.
12715</dd>
12716
12717<dt><b>nodictionary</b></dt>
12718
12719<dd>Disallow methods subject to passive (dictionary) attack. </dd>
12720
12721<dt><b>noanonymous</b></dt>
12722
12723<dd>Disallow methods that allow anonymous authentication. </dd>
12724
12725<dt><b>mutual_auth</b></dt>
12726
12727<dd>Only allow methods that provide mutual authentication (not
12728available with SASL version 1). </dd>
12729
12730</dl>
12731
12732<p>
12733Example:
12734</p>
12735
12736<pre>
12737<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> = noplaintext
12738</pre>
12739
12740
12741</DD>
12742
12743<DT><b><a name="smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>
12744(default: $<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b></DT><DD>
12745
12746<p> The SASL authentication security options that the Postfix SMTP
12747client uses for TLS encrypted SMTP sessions. </p>
12748
12749<p> This feature is available in Postfix 2.2 and later.  </p>
12750
12751
12752</DD>
12753
12754<DT><b><a name="smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a>
12755(default: $<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b></DT><DD>
12756
12757<p> The SASL authentication security options that the Postfix SMTP
12758client uses for TLS encrypted SMTP sessions with a verified server
12759certificate. </p>
12760
12761<p> When mail is sent to the public MX host for the recipient's
12762domain, server certificates are by default optional, and delivery
12763proceeds even if certificate verification fails. For delivery via
12764a submission service that requires SASL authentication, it may be
12765appropriate to send plaintext passwords only when the connection
12766to the server is strongly encrypted <b>and</b> the server identity
12767is verified. </p>
12768
12769<p> The <a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> parameter makes it
12770possible to only enable plaintext mechanisms when a secure connection
12771to the server is available. Submission servers subject to this
12772policy must either have verifiable certificates or offer suitable
12773non-plaintext SASL mechanisms. </p>
12774
12775<p> This feature is available in Postfix 2.6 and later. </p>
12776
12777
12778</DD>
12779
12780<DT><b><a name="smtp_sasl_type">smtp_sasl_type</a>
12781(default: cyrus)</b></DT><DD>
12782
12783<p> The SASL plug-in type that the Postfix SMTP client should use
12784for authentication.  The available types are listed with the
12785"<b>postconf -A</b>" command. </p>
12786
12787<p> This feature is available in Postfix 2.3 and later. </p>
12788
12789
12790</DD>
12791
12792<DT><b><a name="smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a>
12793(default: no)</b></DT><DD>
12794
12795<p> Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL
12796FROM command in SASL-authenticated SMTP sessions. The default is
12797not to send this, to avoid problems with broken remote SMTP servers.
12798Before Postfix 2.9 the behavior is as if "<a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a>
12799= yes".
12800
12801<p> This feature is available in Postfix 2.9 and later. </p>
12802
12803
12804</DD>
12805
12806<DT><b><a name="smtp_send_xforward_command">smtp_send_xforward_command</a>
12807(default: no)</b></DT><DD>
12808
12809<p>
12810Send the non-standard XFORWARD command when the Postfix SMTP server
12811EHLO response announces XFORWARD support.
12812</p>
12813
12814<p>
12815This allows a Postfix SMTP delivery agent, used for injecting mail
12816into
12817a content filter, to forward the name, address, protocol and HELO
12818name of the original client to the content filter and downstream
12819queuing SMTP server. This can produce more useful logging than
12820localhost[127.0.0.1] etc.
12821</p>
12822
12823<p>
12824This feature is available in Postfix 2.1 and later.
12825</p>
12826
12827
12828</DD>
12829
12830<DT><b><a name="smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a>
12831(default: no)</b></DT><DD>
12832
12833<p>
12834Enable sender-dependent authentication in the Postfix SMTP client; this is
12835available only with SASL authentication, and disables SMTP connection
12836caching to ensure that mail from different senders will use the
12837appropriate credentials.  </p>
12838
12839<p>
12840This feature is available in Postfix 2.3 and later.
12841</p>
12842
12843
12844</DD>
12845
12846<DT><b><a name="smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a>
12847(default: yes)</b></DT><DD>
12848
12849<p>
12850Skip SMTP servers that greet with a 4XX status code (go away, try
12851again later).
12852</p>
12853
12854<p>
By default, the Postfix SMTP client moves on to the next mail exchanger.
Specify
"<a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> = no" if Postfix should defer delivery
immediately.
12859</p>
12860
12861<p> This feature is available in Postfix 2.0 and earlier.
12862Later Postfix versions always skip remote SMTP servers that greet
12863with a
128644XX status code. </p>
12865
12866
12867</DD>
12868
12869<DT><b><a name="smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a>
12870(default: yes)</b></DT><DD>
12871
12872<p>
12873Skip remote SMTP servers that greet with a 5XX status code.
12874</p>
12875
<p> By default, the Postfix SMTP client moves on to the next mail
exchanger. Specify "<a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> = no" if Postfix should
bounce the mail immediately. Caution: the latter behavior appears
to contradict <a href="https://tools.ietf.org/html/rfc2821">RFC 2821</a>. </p>
12880
12881
12882</DD>
12883
12884<DT><b><a name="smtp_skip_quit_response">smtp_skip_quit_response</a>
12885(default: yes)</b></DT><DD>
12886
12887<p>
12888Do not wait for the response to the SMTP QUIT command.
12889</p>
12890
12891
12892</DD>
12893
12894<DT><b><a name="smtp_starttls_timeout">smtp_starttls_timeout</a>
12895(default: 300s)</b></DT><DD>
12896
12897<p> Time limit for Postfix SMTP client write and read operations
12898during TLS startup and shutdown handshake procedures. </p>
12899
12900<p> Specify a non-zero time value (an integral value plus an optional
12901one-letter suffix that specifies the time unit).  Time units: s
12902(seconds), m (minutes), h (hours), d (days), w (weeks).
12903The default time unit is s (seconds).  </p>
12904
12905<p> This feature is available in Postfix 2.2 and later.  </p>
12906
12907
12908</DD>
12909
12910<DT><b><a name="smtp_tcp_port">smtp_tcp_port</a>
12911(default: smtp)</b></DT><DD>
12912
12913<p>
12914The default TCP port that the Postfix SMTP client connects to.
12915Specify a symbolic name (see services(5)) or a numeric port.
12916</p>
12917
12918
12919</DD>
12920
12921<DT><b><a name="smtp_tls_CAfile">smtp_tls_CAfile</a>
12922(default: empty)</b></DT><DD>
12923
12924<p> A file containing CA certificates of root CAs trusted to sign
12925either remote SMTP server certificates or intermediate CA certificates.
12926These are loaded into memory before the <a href="smtp.8.html">smtp(8)</a> client enters the
12927chroot jail. If the number of trusted roots is large, consider using
12928<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> instead, but note that the latter directory must be
12929present in the chroot jail if the <a href="smtp.8.html">smtp(8)</a> client is chrooted. This
12930file may also be used to augment the client certificate trust chain,
12931but it is best to include all the required certificates directly in
12932$<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (or, Postfix &ge; 3.4 $<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>). </p>
12933
12934<p> Specify "<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /path/to/system_CA_file" to use
12935ONLY the system-supplied default Certification Authority certificates.
12936</p>
12937
12938<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
12939appending the system-supplied default CAs and trusting third-party
12940certificates. </p>
12941
12942<p> Example: </p>
12943
12944<pre>
12945<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> = /etc/postfix/CAcert.pem
12946</pre>
12947
12948<p> This feature is available in Postfix 2.2 and later.  </p>
12949
12950
12951</DD>
12952
12953<DT><b><a name="smtp_tls_CApath">smtp_tls_CApath</a>
12954(default: empty)</b></DT><DD>
12955
12956<p> Directory with PEM format Certification Authority certificates
12957that the Postfix SMTP client uses to verify a remote SMTP server
12958certificate.  Don't forget to create the necessary "hash" links
12959with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
12960</p>
12961
12962<p> To use this option in chroot mode, this directory (or a copy)
12963must be inside the chroot jail. </p>
12964
12965<p> Specify "<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> = /path/to/system_CA_directory" to
12966use ONLY the system-supplied default Certification Authority certificates.
12967</p>
12968
12969<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
12970appending the system-supplied default CAs and trusting third-party
12971certificates. </p>
12972
12973<p> Example: </p>
12974
12975<pre>
12976<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> = /etc/postfix/certs
12977</pre>
12978
12979<p> This feature is available in Postfix 2.2 and later.  </p>
12980
12981
12982</DD>
12983
12984<DT><b><a name="smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a>
12985(default: no)</b></DT><DD>
12986
12987<p> Try to detect a mail hijacking attack based on a TLS protocol
12988vulnerability (CVE-2009-3555), where an attacker prepends malicious
12989HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
12990The attack would succeed with non-Postfix SMTP servers that reply
12991to the malicious HELO, MAIL, RCPT, DATA commands after negotiating
12992the Postfix SMTP client TLS session.  </p>
12993
12994<p> This feature is available in Postfix 2.7. </p>
12995
12996
12997</DD>
12998
12999<DT><b><a name="smtp_tls_cert_file">smtp_tls_cert_file</a>
13000(default: empty)</b></DT><DD>
13001
13002<p> File with the Postfix SMTP client RSA certificate in PEM format.
13003This file may also contain the Postfix SMTP client private RSA key, and
13004these may be the same as the Postfix SMTP server RSA certificate and key
13005file.  With Postfix &ge; 3.4 the preferred way to configure client keys
13006and certificates is via the "<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>" parameter. </p>
13007
13008<p> Do not configure client certificates unless you <b>must</b> present
13009client TLS certificates to one or more servers. Client certificates are
13010not usually needed, and can cause problems in configurations that work
13011well without them. The recommended setting is to let the defaults stand: </p>
13012
13013<blockquote>
13014<pre>
13015<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> =
13016<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> =
13017<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> =
13018<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> =
13019# Obsolete DSA parameters
13020<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> =
13021<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> =
13022# Postfix &ge; 3.4 interface
13023<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> =
13024</pre>
13025</blockquote>
13026
13027<p> The best way to use the default settings is to comment out the above
13028parameters in <a href="postconf.5.html">main.cf</a> if present. </p>
13029
13030<p> To enable remote SMTP servers to verify the Postfix SMTP client
13031certificate, the issuing CA certificates must be made available to the
13032server. You should include the required certificates in the client
13033certificate file, the client certificate first, then the issuing
13034CA(s) (bottom-up order). </p>
13035
13036<p> Example: the certificate for "client.example.com" was issued by
13037"intermediate CA" which itself has a certificate issued by "root CA".
As the "root" super-user create the chain.pem file with: </p>
13039
13040<blockquote>
13041<pre>
13042# <b>umask 077</b>
13043# <b>cat client_key.pem client_cert.pem intermediate_CA.pem &gt; chain.pem </b>
13044</pre>
13045</blockquote>
13046
13047<p> If you also want to verify remote SMTP server certificates issued by
13048these CAs, you can add the CA certificates to the <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>, in
13049which case it is not necessary to have them in the <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>,
13050<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (obsolete) or <a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>. </p>
13051
13052<p> A certificate supplied here must be usable as an SSL client certificate
13053and hence pass the "openssl verify -purpose sslclient ..." test. </p>
13054
13055<p> Example: </p>
13056
13057<pre>
13058<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> = /etc/postfix/chain.pem
13059</pre>
13060
13061<p> This feature is available in Postfix 2.2 and later.  </p>
13062
13063
13064</DD>
13065
13066<DT><b><a name="smtp_tls_chain_files">smtp_tls_chain_files</a>
13067(default: empty)</b></DT><DD>
13068
13069<p> List of one or more PEM files, each holding one or more private keys
13070directly followed by a corresponding certificate chain.  The file names
13071are separated by commas and/or whitespace.  This parameter obsoletes the
13072legacy algorithm-specific key and certificate file settings.  When this
13073parameter is non-empty, the legacy parameters are ignored, and a warning
13074is logged if any are also non-empty.  </p>
13075
13076<p> With the proliferation of multiple private key algorithms&mdash;which,
13077as of OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519
13078and Ed448&mdash;it is increasingly impractical to use separate
13079parameters to configure the key and certificate chain for each
13080algorithm.  Therefore, Postfix now supports storing multiple keys and
corresponding certificate chains in a single file or in a set of files. </p>
13082
13083<p> Each key must appear <b>immediately before</b> the corresponding
13084certificate, optionally followed by additional issuer certificates that
13085complete the certificate chain for that key.  When multiple files are
13086specified, they are equivalent to a single file that is concatenated
13087from those files in the given order.  Thus, while a key must always
13088precede its certificate and issuer chain, it can be in a separate file,
13089so long as that file is listed immediately before the file that holds
13090the corresponding certificate chain.  Once all the files are
13091concatenated, the sequence of PEM objects must be: <i>key1, cert1,
13092[chain1], key2, cert2, [chain2], ..., keyN, certN, [chainN].</i> </p>
13093
13094<p> Storing the private key in the same file as the corresponding
13095certificate is more reliable.  With the key and certificate in separate
13096files, there is a chance that during key rollover a Postfix process
13097might load a private key and certificate from separate files that don't
13098match.  Various operational errors may even result in a persistent
13099broken configuration in which the certificate does not match the private
13100key. </p>
13101
13102<p> The file or files must contain at most one key of each type.  If,
13103for example, two or more RSA keys and corresponding chains are listed,
13104depending on the version of OpenSSL either only the last one will be
13105used or a configuration error may be detected.  Note that while
13106"Ed25519" and "Ed448" are considered separate algorithms, the various
13107ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
13108considered as different parameters of a single "ECDSA" algorithm, so it
13109is not presently possible to configure keys for more than one ECDSA
13110curve.  </p>
13111
13112<p>
13113Example (separate files for each key and corresponding certificate chain):
13114</p>
13115<blockquote>
13116<pre>
13117/etc/postfix/<a href="postconf.5.html">main.cf</a>:
13118    <a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> =
13119        ${<a href="postconf.5.html#config_directory">config_directory</a>}/ed25519.pem,
13120        ${<a href="postconf.5.html#config_directory">config_directory</a>}/ed448.pem,
13121        ${<a href="postconf.5.html#config_directory">config_directory</a>}/rsa.pem
13122</pre>
13123</blockquote>
13124
13125<blockquote>
13126<pre>
13127/etc/postfix/ed25519.pem:
13128    -----BEGIN PRIVATE KEY-----
13129    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
13130    -----END PRIVATE KEY-----
13131    -----BEGIN CERTIFICATE-----
13132    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
13133    ...
13134    nC0egv51YPDWxEHom4QA
13135    -----END CERTIFICATE-----
13136</pre>
13137</blockquote>
13138
13139<blockquote>
13140<pre>
13141/etc/postfix/ed448.pem:
13142    -----BEGIN PRIVATE KEY-----
13143    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
13144    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
13145    -----END PRIVATE KEY-----
13146    -----BEGIN CERTIFICATE-----
13147    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
13148    ...
13149    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
13150    -----END CERTIFICATE-----
13151</pre>
13152</blockquote>
13153
13154<blockquote>
13155<pre>
13156/etc/postfix/rsa.pem:
13157    -----BEGIN PRIVATE KEY-----
13158    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
13159    ...
13160    ahQkZ3+krcaJvDSMgvu0tDc=
13161    -----END PRIVATE KEY-----
13162    -----BEGIN CERTIFICATE-----
13163    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
13164    ...
13165    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
13166    -----END CERTIFICATE-----
13167</pre>
13168</blockquote>
13169
13170<p>
13171Example (all keys and certificates in a single file):
13172</p>
13173<blockquote>
13174<pre>
13175/etc/postfix/<a href="postconf.5.html">main.cf</a>:
13176    <a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> = ${<a href="postconf.5.html#config_directory">config_directory</a>}/chains.pem
13177</pre>
13178</blockquote>
13179
13180<blockquote>
13181<pre>
13182/etc/postfix/chains.pem:
13183    -----BEGIN PRIVATE KEY-----
13184    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
13185    -----END PRIVATE KEY-----
13186    -----BEGIN CERTIFICATE-----
13187    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
13188    ...
13189    nC0egv51YPDWxEHom4QA
13190    -----END CERTIFICATE-----
13191    -----BEGIN PRIVATE KEY-----
13192    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
13193    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
13194    -----END PRIVATE KEY-----
13195    -----BEGIN CERTIFICATE-----
13196    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
13197    ...
13198    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
13199    -----END CERTIFICATE-----
13200    -----BEGIN PRIVATE KEY-----
13201    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
13202    ...
13203    ahQkZ3+krcaJvDSMgvu0tDc=
13204    -----END PRIVATE KEY-----
13205    -----BEGIN CERTIFICATE-----
13206    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
13207    ...
13208    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
13209    -----END CERTIFICATE-----
13210</pre>
13211</blockquote>
13212
13213<p> This feature is available in Postfix 3.4 and later.  </p>
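<p> The ordering rule (key, certificate, optional issuer chain, next key, ...) and the one-key-per-algorithm rule can be checked before Postfix is reloaded. The following is an added example, not Postfix code: it walks the PEM objects of the listed files in order, reads the algorithm OID out of each PKCS#8 key, groups all ECDSA curves as one algorithm as the text describes, and reports violations. The sample keys it builds are constructed PKCS#8 shells around dummy key bytes (not usable keys); the one real-looking key is the Ed25519 key copied from the ed25519.pem example above. </p>

```python
"""Order check for the PEM files listed in smtp_tls_chain_files: after
concatenation the objects must read key1, cert1, [chain1], key2, cert2, ...
with at most one private key per algorithm. Added example, not Postfix code."""
import base64
import re

# PKCS#8 privateKeyAlgorithm OIDs, grouped as the text describes: every
# ECDSA curve is one "ECDSA" algorithm, while Ed25519 and Ed448 are distinct.
KEY_ALGORITHMS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.2.1": "ECDSA",
    "1.3.101.112": "Ed25519",
    "1.3.101.113": "Ed448",
}
# Legacy (pre-PKCS#8) PEM labels name the algorithm directly.
LEGACY_KEY_LABELS = {"RSA PRIVATE KEY": "RSA", "DSA PRIVATE KEY": "DSA",
                     "EC PRIVATE KEY": "ECDSA"}
PEM_OBJECT = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def key_algorithm(label, der):
    """Algorithm of a private key PEM object, or None if the object is not a key."""
    if label in LEGACY_KEY_LABELS:
        return LEGACY_KEY_LABELS[label]
    if label != "PRIVATE KEY":
        return None
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER,
    #     privateKeyAlgorithm AlgorithmIdentifier, privateKey OCTET STRING, ... }
    _, info, _ = der_tlv(der)
    _, _, pos = der_tlv(info)               # skip the version INTEGER
    _, alg_id, _ = der_tlv(info, pos)
    tag, oid, _ = der_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return KEY_ALGORITHMS.get(decode_oid(oid), "unknown")


def pem_objects(text):
    """(label, DER bytes) for every PEM object in a file, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_OBJECT.finditer(text)]


def check_chain_files(files):
    """files: PEM file contents in smtp_tls_chain_files order; they are checked
    as if concatenated. Returns (problems, key algorithms in order of appearance)."""
    problems, seen, pending = [], [], None   # pending: key still awaiting its cert
    for label, der in (obj for text in files for obj in pem_objects(text)):
        alg = key_algorithm(label, der)
        if alg is not None:
            if pending:
                problems.append(f"{pending} key not followed by its certificate")
            if alg in seen:
                problems.append(f"more than one {alg} key")
            seen.append(alg)
            pending = alg
        elif label == "CERTIFICATE":
            if not seen:
                problems.append("certificate appears before any private key")
            pending = None                   # end-entity cert or issuer chain
        else:
            problems.append(f"unexpected PEM object {label!r}")
    if pending:
        problems.append(f"{pending} key not followed by its certificate")
    return problems, seen


# --- constructed sample material (dummy key bytes, not usable keys) ---------
def _der(tag, content):
    return bytes([tag, len(content)]) + content    # short-form length only


def pem(label, der):
    body = base64.b64encode(der).decode()
    return (f"-----BEGIN {label}-----\n"
            + "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            + f"\n-----END {label}-----\n")


def sample_key(alg_ident):
    """PKCS#8 shell with the given AlgorithmIdentifier around a 1-byte dummy key."""
    return pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\0") + _der(0x30, alg_ident)
                                   + _der(0x04, b"\0")))


RSA_ALG = bytes.fromhex("06092a864886f70d010101" "0500")   # rsaEncryption, NULL params
ED25519_ALG = bytes.fromhex("06032b6570")
ED448_ALG = bytes.fromhex("06032b6571")
EC_P256_ALG = bytes.fromhex("06072a8648ce3d0201" "06082a8648ce3d030107")  # id-ecPublicKey
CERT = pem("CERTIFICATE", b"constructed placeholder, not a real certificate")

# The Ed25519 private key from the ed25519.pem example above.
DOC_ED25519_KEY = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Same layout as the three-file example above: each key with its chain.
    print(check_chain_files([DOC_ED25519_KEY + CERT, sample_key(ED448_ALG) + CERT,
                             sample_key(RSA_ALG) + CERT + CERT]))
```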
13214
13215
13216</DD>
13217
13218<DT><b><a name="smtp_tls_cipherlist">smtp_tls_cipherlist</a>
13219(default: empty)</b></DT><DD>
13220
13221<p> Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
13222cipher list. As this feature applies to all TLS security levels, it is easy
13223to create interoperability problems by choosing a non-default cipher
13224list. Do not use a non-default TLS cipher list on hosts that deliver email
13225to the public Internet: you will be unable to send email to servers that
13226only support the ciphers you exclude. Using a restricted cipher list
13227may be more appropriate for an internal MTA, where one can exert some
13228control over the TLS software and settings of the peer servers. </p>
13229
13230<p> <b>Note:</b> do not use "" quotes around the parameter value. </p>
13231
13232<p> This feature is available in Postfix version 2.2. It is not used with
13233Postfix 2.3 and later; use <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> instead. </p>
13234
13235
13236</DD>
13237
13238<DT><b><a name="smtp_tls_ciphers">smtp_tls_ciphers</a>
13239(default: medium)</b></DT><DD>
13240
13241<p> The minimum TLS cipher grade that the Postfix SMTP client
13242will use with opportunistic TLS encryption. Cipher types listed in
13243<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> are excluded from the base definition of
13244the selected cipher grade.   The default value is "medium" for
13245Postfix releases after the middle of 2015, "export" for older
13246releases.  </p>
13247
13248<p> When TLS is mandatory the cipher grade is chosen via the
13249<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> configuration parameter, see there for syntax
13250details. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> for information on how to configure
13251ciphers on a per-destination basis. </p>
13252
13253<p> This feature is available in Postfix 2.6 and later. With earlier Postfix
13254releases only the <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter is implemented,
13255and opportunistic TLS always uses "export" or better (i.e. all) ciphers. </p>
13256
13257
13258</DD>
13259
13260<DT><b><a name="smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>
13261(default: no)</b></DT><DD>
13262
13263<p> Try to make multiple deliveries per TLS-encrypted connection.
13264This uses the <a href="tlsproxy.8.html">tlsproxy(8)</a> service to encrypt an SMTP connection,
13265uses the <a href="scache.8.html">scache(8)</a> service to save that connection, and relies on
13266hints from the <a href="qmgr.8.html">qmgr(8)</a> daemon. </p>
13267
13268<p> See "<a href="TLS_README.html#client_tls_reuse">Client-side
13269TLS connection reuse</a>" for background details. </p>
13270
13271<p> This feature is available in Postfix 3.4 and later.  </p>
13272
13273
13274</DD>
13275
13276<DT><b><a name="smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a>
13277(default: dane)</b></DT><DD>
13278
13279<p> The TLS policy for MX hosts with "secure" TLSA records when the
13280nexthop destination security level is <b>dane</b>, but the MX
13281record was found via an "insecure" MX lookup.  The choices are:
13282</p>
13283
13284<dl>
13285<dt><b>may</b></dt>
13286<dd> The TLSA records will be ignored and TLS will be optional.  If
13287the MX host does not appear to support STARTTLS, or the STARTTLS
13288handshake fails, mail may be sent in the clear. </dd>
13289<dt><b>encrypt</b></dt>
13290<dd> The TLSA records will signal a requirement to use TLS.  While
13291TLS encryption will be required, authentication will not be performed.
13292</dd>
13293<dt><b>dane</b></dt>
13294<dd>The TLSA records will be used just as with "secure" MX records.
13295TLS encryption will be required, and, if at least one of the TLSA
13296records is "usable", authentication will be required.  When
13297authentication succeeds, it will be logged only as "Trusted", not
13298"Verified", because the MX host name could have been forged.  </dd>
13299</dl>
13300
13301<p> The default setting is "dane" as of Postfix versions 3.6.17,
133023.7.13, 3.8.8, 3.9.2, and 3.10.0. With earlier versions the default
13303was mistakenly dependent on the <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> setting.
13304</p>
13305
13306<p> Though with "insecure" MX records an active attacker can
13307compromise SMTP transport security by returning forged MX records,
13308such attacks are "tamper-evident" since any forged MX hostnames
13309will be recorded in the mail logs.  Attackers who place a high value
13310on staying hidden may be deterred from forging MX records. </p>
13311
13312<p>
13313This feature is available in Postfix 3.1 and later. The <b>may</b>
13314policy is backwards-compatible with earlier Postfix versions.
13315</p>
13316
13317
13318</DD>
13319
13320<DT><b><a name="smtp_tls_dcert_file">smtp_tls_dcert_file</a>
13321(default: empty)</b></DT><DD>
13322
13323<p> File with the Postfix SMTP client DSA certificate in PEM format.
13324This file may also contain the Postfix SMTP client private DSA key.
13325The DSA algorithm is obsolete and should not be used. </p>
13326
13327<p> See the discussion under <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> for more details.
13328</p>
13329
13330<p> Example: </p>
13331
13332<pre>
13333<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> = /etc/postfix/client-dsa.pem
13334</pre>
13335
13336<p> This feature is available in Postfix 2.2 and later.  </p>
13337
13338
13339</DD>
13340
13341<DT><b><a name="smtp_tls_dkey_file">smtp_tls_dkey_file</a>
13342(default: $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b></DT><DD>
13343
13344<p> File with the Postfix SMTP client DSA private key in PEM format.
13345This file may be combined with the Postfix SMTP client DSA certificate
13346file specified with $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>. The DSA algorithm is obsolete
13347and should not be used. </p>
13348
13349<p> The private key must be accessible without a pass-phrase, i.e. it
13350must not be encrypted. File permissions should grant read-only
13351access to the system superuser account ("root"), and no access
13352to anyone else. </p>
13353
13354<p> This feature is available in Postfix 2.2 and later.  </p>
13355
13356
13357</DD>
13358
13359<DT><b><a name="smtp_tls_eccert_file">smtp_tls_eccert_file</a>
13360(default: empty)</b></DT><DD>
13361
13362<p> File with the Postfix SMTP client ECDSA certificate in PEM format.
13363This file may also contain the Postfix SMTP client ECDSA private key.
13364With Postfix &ge; 3.4 the preferred way to configure client keys and
13365certificates is via the "<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>" parameter. </p>
13366
13367<p> See the discussion under <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> for more details.
13368</p>
13369
13370<p> Example: </p>
13371
13372<pre>
13373<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> = /etc/postfix/ecdsa-ccert.pem
13374</pre>
13375
13376<p> This feature is available in Postfix 2.6 and later, when Postfix is
13377compiled and linked with OpenSSL 1.0.0 or later. </p>
13378
13379
13380</DD>
13381
13382<DT><b><a name="smtp_tls_eckey_file">smtp_tls_eckey_file</a>
13383(default: $<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b></DT><DD>
13384
13385<p> File with the Postfix SMTP client ECDSA private key in PEM format.
13386This file may be combined with the Postfix SMTP client ECDSA certificate
13387file specified with $<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>.  With Postfix &ge; 3.4 the
13388preferred way to configure client keys and certificates is via the
13389"<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>" parameter. </p>
13390
13391<p> The private key must be accessible without a pass-phrase, i.e. it
13392must not be encrypted. File permissions should grant read-only
13393access to the system superuser account ("root"), and no access
13394to anyone else. </p>
13395
13396<p> This feature is available in Postfix 2.6 and later, when Postfix is
13397compiled and linked with OpenSSL 1.0.0 or later. </p>
13398
13399
13400</DD>
13401
13402<DT><b><a name="smtp_tls_enable_rpk">smtp_tls_enable_rpk</a>
13403(default: no)</b></DT><DD>
13404
13405<p> Request that remote SMTP servers send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
13406instead of an X.509 certificate. This feature and the enable_rpk
13407policy attribute are ignored when there is no raw public key support
13408in the local TLS implementation.  </p>
13409
13410<ul>
13411
13412<li> <p> At the "may", "encrypt" and "fingerprint" security levels,
13413with parameter setting "<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes" or with "enable_rpk
13414= yes" in a policy entry, the Postfix SMTP client will indicate in
13415the TLS handshake that it prefers to receive a raw server public
13416key, but it will still accept a server public key certificate. </p>
13417
13418<li> <p> At the "fingerprint" security level, with parameter setting
13419"<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> = yes" or with "enable_rpk = yes" in a policy
13420entry, server authentication based on certificate fingerprints
13421becomes more fragile.  Even if the server private key and certificate
13422remain unchanged, the remote SMTP server will fail fingerprint
13423authentication (won't match the configured list of fingerprints)
13424when it starts sending a raw public key instead of a certificate,
13425after its TLS implementation is updated with raw public key support.
13426Therefore, <b>DO NOT</b> enable raw public keys to remote destinations
13427authenticated by server <b>certificate</b> fingerprints.  You should
13428enable raw public keys only for servers matched via their public
13429key fingerprint.  </p>
13430
13431<li> <p> At the "verify" and "secure" security levels, the Postfix
13432SMTP client always ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a>
13433or the enable_rpk policy attribute. </p>
13434
13435<li> <p> At the opportunistic "dane" security level, the Postfix
13436SMTP client ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> or
13437the enable_rpk policy attribute (but it will respect them when it
13438falls back to the "may" or "encrypt" level). When all valid TLSA
13439records specify only server public keys (no certificates) and the
13440local TLS implementation supports raw public keys, the client will
13441indicate in the TLS handshake that it prefers to receive a raw
13442public key, but it will still accept a public key certificate. </p>
13443
13444<li> <p> At the mandatory "dane-only" security level, the Postfix
13445SMTP client always ignores the parameter setting <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a>
13446or the enable_rpk policy attribute. When all valid TLSA records
13447specify only server public keys (no certificates) and the local TLS
13448implementation supports raw public keys, the client will indicate
13449in the TLS handshake that it prefers to receive a raw public key,
13450but it will still accept a public key certificate. </p>
13451
13452</ul>
13453
13454<p>The Postfix SMTP client is always willing to send raw public keys
13455to servers that solicit them when a client certificate is configured
13456and the local TLS implementation supports raw public keys. </p>
13457
13458<p> Sample commands to compute certificate and public key SHA256 digests: </p>
13459
13460<pre>
13461# SHA256 digest of the first certificate in "cert.pem"
13462$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c
13463</pre>
13464
13465<pre>
13466# SHA256 digest of the SPKI of the first certificate in "cert.pem"
13467$ openssl x509 -in cert.pem -pubkey -noout |
13468    openssl pkey -pubin -outform DER | openssl dgst -sha256 -c
13469</pre>
13470
13471<pre>
13472# SHA256 digest of the SPKI of the first private key in "pkey.pem"
13473$ openssl pkey -in pkey.pem -pubout -outform DER |
13474    openssl dgst -sha256 -c
13475</pre>
13476
13477<p> This feature is available in Postfix 3.9 and later. </p>
13478
13479
13480</DD>
13481
13482<DT><b><a name="smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
13483(default: yes)</b></DT><DD>
13484
13485<p> With mandatory TLS encryption, require that the remote SMTP
13486server hostname matches the information in the remote SMTP server
13487certificate.  As of <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> the requirements for hostname checking
13488for MTA clients are not specified. </p>
13489
13490<p> This option can be set to "no" to disable strict peer name
13491checking. This setting has no effect on sessions that are controlled
13492via the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table.  </p>
13493
13494<p> Disabling the hostname verification can make sense in a closed
13495environment where special CAs are created.  If not used carefully,
13496this option opens the danger of a "man-in-the-middle" attack (the
13497CommonName of this attacker will be logged). </p>
13498
13499<p> This feature is available in Postfix 2.2 and later. With
13500Postfix 2.3 and later use <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> instead. </p>
13501
13502
13503</DD>
13504
13505<DT><b><a name="smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>
13506(default: empty)</b></DT><DD>
13507
13508<p> List of ciphers or cipher types to exclude from the Postfix
13509SMTP client cipher
13510list at all TLS security levels. This is not an OpenSSL cipherlist, it is
13511a simple list separated by whitespace and/or commas. The elements are a
13512single cipher, or one or more "+" separated cipher properties, in which
13513case only ciphers matching <b>all</b> the properties are excluded. </p>
13514
13515<p> Examples (some of these will cause problems): </p>
13516
13517<blockquote>
13518<pre>
13519<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL
13520<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = MD5, DES
13521<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = DES+MD5
13522<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = AES256-SHA, DES-CBC3-MD5
13523<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = kEDH+aRSA
13524</pre>
13525</blockquote>
13526
13527<p> The first setting disables anonymous ciphers. The next setting
13528disables ciphers that use the MD5 digest algorithm or the (single) DES
13529encryption algorithm. The next setting disables ciphers that use MD5 and
13530DES together.  The next setting disables the two ciphers "AES256-SHA"
13531and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH"
13532key exchange with RSA authentication. </p>
13533
13534<p> This feature is available in Postfix 2.3 and later. </p>
13535
13536
13537</DD>
13538
13539<DT><b><a name="smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a>
13540(default: empty)</b></DT><DD>
13541
13542<p> List of acceptable remote SMTP server certificate fingerprints for
13543the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> =
13544fingerprint). At this security level, Certification Authorities are not
13545used, and certificate expiration times are ignored. Instead, server
13546certificates are verified directly via their certificate fingerprint
13547or public key fingerprint (Postfix 2.9 and later). The fingerprint
13548is a message digest of the server certificate (or public key). The
13549digest algorithm is selected via the <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b>
13550parameter. </p>
13551
13552<p> The colons between each pair of nibbles in the fingerprint value
13553are optional (Postfix &ge; 3.6). These were required in earlier
13554Postfix releases. </p>
13555
13556<p> When an <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a></b> table entry specifies the
13557"fingerprint" security level, any "match" attributes in that entry specify
13558the list of valid fingerprints for the corresponding destination. Multiple
13559fingerprints can be combined with a "|" delimiter in a single match
13560attribute, or multiple match attributes can be employed. </p>
13561
13562<p> Example: Certificate fingerprint verification with internal mailhub.
13563Two matching fingerprints are listed. The <a href="postconf.5.html#relayhost">relayhost</a> may be multiple
13564physical hosts behind a load-balancer, each with its own private/public
13565key and self-signed certificate. Alternatively, a single <a href="postconf.5.html#relayhost">relayhost</a> may
13566be in the process of switching from one set of private/public keys to
13567another, and both keys are trusted just prior to the transition. </p>
13568
13569<blockquote>
13570<pre>
13571<a href="postconf.5.html#relayhost">relayhost</a> = [mailhub.example.com]
13572<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = fingerprint
13573<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> = sha256
13574<a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> =
13575    cd:fc:d8:db:f8:c4:82:96:6c:...:28:71:e8:f5:8d:a5:0d:9b:d4:a6
13576    dd:5c:ef:f5:c3:bc:64:25:36:...:99:36:06:ce:40:ef:de:2e:ad:a4
13577</pre>
13578</blockquote>
13579
13580<p> Example: Certificate fingerprint verification with selected destinations.
13581As in the example above, we show two matching fingerprints: </p>
13582
13583<blockquote>
13584<pre>
13585/etc/postfix/<a href="postconf.5.html">main.cf</a>:
13586    <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/tls_policy
13587    <a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> = sha256
13588</pre>
13589</blockquote>
13590
13591<blockquote>
13592<pre>
13593/etc/postfix/tls_policy:
13594    example.com fingerprint
13595        match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
13596        match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
13597</pre>
13598</blockquote>
13599
13600<p> This feature is available in Postfix 2.5 and later. </p>
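<p> The following is an added example, not Postfix code, showing what the "fingerprint" level reduces server authentication to: a digest of the server certificate compared against the configured list, with no CA and no expiry check. It normalises the main.cf and policy-map forms above (whitespace or comma separated values, "|" inside a match attribute, optional colons), joins tls_policy continuation lines the way main.cf lines continue, and flags configured values whose length does not fit the digest selected by smtp_tls_fingerprint_digest (md5 values left behind when the default became sha256). The certificate bytes are a constructed stand-in, not real DER. </p>

```python
"""Certificate fingerprint matching for the "fingerprint" security level.
Added example, not Postfix code."""
import hashlib
import re

# Digest output sizes in bytes for the algorithms libssl usually exposes.
DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32, "sha512": 64}


def parse_fingerprints(values, colons_optional=True):
    """Normalise configured fingerprints to lower-case bare hex. Values are
    separated by whitespace or commas in main.cf and by "|" inside a policy
    "match=" attribute. colons_optional=False models Postfix < 3.6, which
    requires the colon-separated form."""
    out = []
    for item in re.split(r"[\s,|]+", values.strip()):
        if not item:
            continue
        if not colons_optional and ":" not in item:
            raise ValueError(f"{item!r}: colons are required before Postfix 3.6")
        hexstr = item.replace(":", "").lower()
        if not re.fullmatch(r"[0-9a-f]+", hexstr):
            raise ValueError(f"{item!r} is not a hexadecimal fingerprint")
        out.append(hexstr)
    return out


def wrong_length(fingerprints, digest):
    """Fingerprints whose length does not fit the digest, e.g. md5 values kept
    after the default changed to sha256 with compatibility_level 3.6."""
    want = 2 * DIGEST_BYTES[digest]
    return [fp for fp in fingerprints if len(fp) != want]


def policy_entries(text):
    """Parse a tls_policy source file: a logical line starts in column 1 and a
    line starting with whitespace continues it (the main.cf rules)."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    entries = {}
    for item in logical:
        dest, level, *attrs = item.split()
        matches = [a.partition("=")[2] for a in attrs if a.startswith("match=")]
        entries[dest] = (level, parse_fingerprints(" ".join(matches)))
    return entries


def certificate_fingerprint(cert_der, digest="sha256"):
    """Digest of the DER certificate: the value "openssl x509 -fingerprint"
    prints, without the colons."""
    return hashlib.new(digest, cert_der).hexdigest()


def server_accepted(cert_der, entry, digest="sha256"):
    """True when the presented certificate matches one configured fingerprint."""
    level, fingerprints = entry
    return level == "fingerprint" and certificate_fingerprint(cert_der, digest) in fingerprints


def colon_form(hexstr):
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


# Constructed stand-in for a server certificate: these are not real DER bytes.
SAMPLE_CERT_DER = b"constructed stand-in for a DER-encoded server certificate"
# Constructed md5-length values, as left behind by a pre-3.6 configuration.
OLD_MD5_FPS = "|".join(hashlib.md5(s).hexdigest() for s in (b"old key 1", b"old key 2"))
SAMPLE_POLICY = (
    "# constructed tls_policy, laid out like the example above\n"
    "example.com fingerprint\n"
    "    match=" + colon_form(certificate_fingerprint(SAMPLE_CERT_DER)) + "\n"
    "    match=" + colon_form(hashlib.sha256(b"previous key pair").hexdigest()) + "\n"
    "example.net fingerprint match=" + OLD_MD5_FPS + "\n"
)

if __name__ == "__main__":
    entries = policy_entries(SAMPLE_POLICY)
    print("example.com accepts sample cert:", server_accepted(SAMPLE_CERT_DER, entries["example.com"]))
    print("example.net values not sha256-sized:", wrong_length(entries["example.net"][1], "sha256"))
```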
13601
13602
13603</DD>
13604
13605<DT><b><a name="smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>
13606(default: see "postconf -d" output)</b></DT><DD>
13607
13608<p> The message digest algorithm used to construct remote SMTP server
13609certificate fingerprints. At the "fingerprint" TLS security level
13610(<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint), the server certificate is
13611verified by directly matching its certificate fingerprint or its public
13612key fingerprint (Postfix 2.9 and later). The fingerprint is the
13613message digest of the server certificate (or its public key)
13614using the selected
13615algorithm. With a digest algorithm resistant to "second pre-image"
13616attacks, it is not feasible to create a new public key and a matching
13617certificate (or public/private key-pair) that has the same fingerprint. </p>
13618
13619<p> The default algorithm is <b>sha256</b> with Postfix &ge; 3.6
13620and the <b><a href="postconf.5.html#compatibility_level">compatibility_level</a></b> set to 3.6 or higher. With Postfix
13621&le; 3.5, the default algorithm is <b>md5</b>. </p>
13622
13623<p> The best-practice algorithm is now <b>sha256</b>. Recent advances in hash
13624function cryptanalysis have led to md5 and sha1 being deprecated in favor of
13625sha256.  However, as long as there are no known "second pre-image" attacks
13626against the older algorithms, their use in this context, though not
13627recommended, is still likely safe.  </p>
13628
13629<p> While additional digest algorithms are often available with OpenSSL's
13630libcrypto, only those used by libssl in SSL cipher suites are available to
13631Postfix.  You'll likely find support for md5, sha1, sha256 and sha512. </p>
13632
13633<p> To find the fingerprint of a specific certificate file, with a
13634specific digest algorithm, run:
13635</p>
13636
13637<blockquote>
13638<pre>
13639$ openssl x509 -noout -fingerprint -<i>digest</i> -in <i>certfile</i>.pem
13640</pre>
13641</blockquote>
13642
13643<p> The text to the right of the "=" sign is the desired fingerprint.
13644For example: </p>
13645
13646<blockquote>
13647<pre>
13648$ openssl x509 -noout -fingerprint -sha256 -in cert.pem
13649SHA256 Fingerprint=D4:6A:AB:19:24:...:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
13650</pre>
13651</blockquote>
13652
13653<p> To extract the public key fingerprint from an X.509 certificate,
13654you need to extract the public key from the certificate and compute
13655the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
13656the "-pubkey" option of the "x509" command extracts the public
13657key always in "PEM" format. We pipe the result to another OpenSSL
13658command that converts the key to DER and then to the "dgst" command
13659to compute the fingerprint. </p>
13660
13661<p> The actual command to transform the key to DER format depends on the
13662version of OpenSSL used. As of OpenSSL 1.0.0, the "pkey" command supports
13663all key types. </p>
13664<blockquote>
13665<pre>
13666# OpenSSL &ge; 1.0 with SHA-256 fingerprints.
13667$ openssl x509 -in cert.pem -noout -pubkey |
13668    openssl pkey -pubin -outform DER |
13669    openssl dgst -sha256 -c
13670(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:...:fc:09:1a:61:98:b5:bc:7c:60:58
13671</pre>
13672</blockquote>
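<p> The same two fingerprints can be computed without shelling out to
OpenSSL. The following Python program is an added example (it is not
Postfix or OpenSSL code): it decodes a PEM certificate to DER, digests
the whole DER encoding for the certificate fingerprint, and walks the
ASN.1 structure down to tbsCertificate.subjectPublicKeyInfo to digest
the same bytes that "openssl pkey -pubin -outform DER" writes in the
pipeline above for the public key fingerprint. The certificate it
builds for itself is a constructed, unsigned sample whose key material
is filler; substitute your own PEM file in practice. </p>

```python
import base64
import hashlib
import re

# Added example, not Postfix or OpenSSL code. The certificate fingerprint is the
# digest of the certificate's DER encoding; the public key fingerprint is the
# digest of the DER-encoded SubjectPublicKeyInfo taken from tbsCertificate.

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Yield (tag, raw_tlv) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, _, end = _read_tlv(body, pos)
        yield tag, body[pos:end]
        pos = end


def subject_public_key_info(der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate = SEQ { tbsCertificate, signatureAlgorithm, signatureValue };
    TBSCertificate = SEQ { [0] version (optional), serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ... }.
    """
    _, cert_body, _ = _read_tlv(der, 0)
    _, tbs_body, _ = _read_tlv(cert_body, 0)
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:               # explicit [0] version present: skip it
        fields = fields[1:]
    return fields[5][1]                    # serial, sigalg, issuer, validity, subject, SPKI


def colon_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Digest data and format it as Postfix logs and matches it: lowercase, ':'-separated."""
    return ":".join(f"{b:02x}" for b in hashlib.new(algorithm, data).digest())


def cert_fingerprint(pem: str, algorithm: str = "sha256") -> str:
    return colon_hex(pem_to_der(pem), algorithm)


def pubkey_fingerprint(pem: str, algorithm: str = "sha256") -> str:
    return colon_hex(subject_public_key_info(pem_to_der(pem)), algorithm)


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder (definite length), used only to build the sample below."""
    n = len(body)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body
    return bytes([tag, n]) + body


def build_sample_certificate():
    """Construct a structurally valid but unsigned sample certificate.

    Returns (pem, spki_der). Constructed test data: dummy RSA key, zero signature.
    """
    rsa_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    rsa_key = _der(0x30, _der(0x02, b"\x00" + b"\xab" * 64) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + rsa_key))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                        + _der(0x0C, b"mailhub.example.com"))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + sig_alg + name + validity + name + spki)
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + bytes(64)))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n", spki


if __name__ == "__main__":
    sample_pem, _ = build_sample_certificate()
    print("certificate fingerprint:", cert_fingerprint(sample_pem))
    print("public key fingerprint: ", pubkey_fingerprint(sample_pem))
```

<p> Because the public key fingerprint covers only the SubjectPublicKeyInfo,
it survives a certificate renewal that keeps the same key pair, whereas the
certificate fingerprint changes with every re-issued certificate; this is
why two fingerprints are listed during a key transition in the examples
above. </p>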
13673
13674<p> The Postfix SMTP server and client log the peer (leaf) certificate
13675fingerprint and the public key fingerprint when the TLS loglevel is 2 or
13676higher. </p>
13677
13678<p> This feature is available in Postfix 2.5 and later. </p>
13679
13680
13681</DD>
13682
13683<DT><b><a name="smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a>
13684(default: no)</b></DT><DD>
13685
<p> Look up the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone.  This
13688is unlikely to ever yield DNSSEC validated results, since child
13689zones of unsigned zones are also unsigned in the absence of DLV or
13690locally configured non-root trust-anchors.  We anticipate that such
13691mechanisms will not be used for just the "_tcp" subdomain of a host.
13692Suppressing the TLSA RRset lookup reduces latency and avoids potential
13693interoperability problems with nameservers for unsigned zones that
13694are not prepared to handle the new TLSA RRset.  </p>
13695
13696<p> This feature is available in Postfix 2.11. </p>
13697
13698
13699</DD>
13700
13701<DT><b><a name="smtp_tls_key_file">smtp_tls_key_file</a>
13702(default: $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b></DT><DD>
13703
13704<p> File with the Postfix SMTP client RSA private key in PEM format.
13705This file may be combined with the Postfix SMTP client RSA certificate
13706file specified with $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>.  With Postfix &ge; 3.4 the
13707preferred way to configure client keys and certificates is via the
13708"<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>" parameter. </p>
13709
13710<p> The private key must be accessible without a pass-phrase, i.e. it
13711must not be encrypted. File permissions should grant read-only
13712access to the system superuser account ("root"), and no access
13713to anyone else. </p>
13714
13715<p> Example: </p>
13716
13717<pre>
13718<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> = $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>
13719</pre>
13720
13721<p> This feature is available in Postfix 2.2 and later.  </p>
13722
13723
13724</DD>
13725
13726<DT><b><a name="smtp_tls_loglevel">smtp_tls_loglevel</a>
13727(default: 0)</b></DT><DD>
13728
13729<p> Enable additional Postfix SMTP client logging of TLS activity.
13730Each logging level also includes the information that is logged at
13731a lower logging level.  </p>
13732
13733<dl compact>
13734
13735<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
13736
13737<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
13738&mdash; no logging of remote SMTP server certificate trust-chain
13739verification errors if server certificate verification is not required.
13740With Postfix 2.8 and earlier, log the summary message and unconditionally
13741log trust-chain verification errors.  </dd>
13742
13743<dt> </dt> <dd> 2 Also enable verbose logging in the Postfix TLS
13744library, log session cache operations, and enable OpenSSL logging
13745of the progress of the SSL handshake. </dd>
13746
13747<dt> </dt> <dd> 3 Also log the hexadecimal and ASCII dump of the
13748TLS negotiation process.  </dd>
13749
13750<dt> </dt> <dd> 4 Also log the hexadecimal and ASCII dump of complete
13751transmission after STARTTLS. </dd>
13752
13753</dl>
13754
13755<p> Do not use "<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> = 2" or higher except in case of
13756problems. Use of loglevel 4 is strongly discouraged. </p>
13757
13758<p> This feature is available in Postfix 2.2 and later.  </p>
13759
13760
13761</DD>
13762
13763<DT><b><a name="smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>
13764(default: medium)</b></DT><DD>
13765
13766<p> The minimum TLS cipher grade that the Postfix SMTP client will
13767use with
13768mandatory TLS encryption.  The default value "medium" is suitable
13769for most destinations with which you may want to enforce TLS, and
13770is beyond the reach of today's cryptanalytic methods. See
13771<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> for information on how to configure ciphers
13772on a per-destination basis. </p>
13773
13774<p> The following cipher grades are supported: </p>
13775
13776<dl>
13777<dt><b>high</b></dt>
13778<dd> Enable only "HIGH" grade OpenSSL ciphers.  This setting may
13779be appropriate when all mandatory TLS destinations (e.g. when all
13780mail is routed to a suitably capable <a href="postconf.5.html#relayhost">relayhost</a>) support at least one
13781"HIGH" grade cipher. The underlying cipherlist is specified via the
13782<a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> configuration parameter, which you are strongly
13783encouraged not to change. </dd>
13784
13785<dt><b>medium</b></dt>
13786<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
13787The underlying cipherlist is specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a>
13788configuration parameter, which you are strongly encouraged not to change.
13789</dd>
13790
13791<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers; these provide authentication
without encryption.  This setting is only appropriate in the rare case
13794that all servers are prepared to use NULL ciphers (not normally enabled
13795in TLS servers). A plausible use-case is an LMTP server listening on a
13796UNIX-domain socket that is configured to support "NULL" ciphers. The
13797underlying cipherlist is specified via the <a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a>
13798configuration parameter, which you are strongly encouraged not to
13799change. </dd>
13800
13801<dt><b>low</b></dt>
13802<dd> Enable "LOW" grade or stronger OpenSSL ciphers.  In Postfix
13803&ge; 3.8 this cipher grade is always identical to "medium".  Recent
13804versions of OpenSSL do not support any "LOW" grade ciphers.  In
13805earlier Postfix releases the underlying cipherlist was specified
13806via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration parameter, which you are
13807strongly encouraged not to change.  This obsolete cipher grade
13808SHOULD NOT be used.  </dd>
13809
13810<dt><b>export</b></dt>
13811<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers.  In Postfix
13812&ge; 3.8 this cipher grade is always identical to "medium".  Recent
13813versions of OpenSSL do not support any "EXPORT" grade ciphers.  In
13814earlier Postfix releases the underlying cipherlist was specified
13815via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration parameter, which you are
13816strongly encouraged not to change.  This obsolete cipher grade
13817SHOULD NOT be used.  </dd>
13818
13819</dl>
13820
13821<p> The underlying cipherlists for grades other than "null" include
13822anonymous ciphers, but these are automatically filtered out if the
13823Postfix SMTP client is configured to verify server certificates.
You are very unlikely to need to take any steps to exclude anonymous
ciphers; they are excluded automatically as necessary.  If you must
13826exclude anonymous ciphers at the "may" or "encrypt" security levels,
13827when the Postfix SMTP client does not need or use peer certificates, set
13828"<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> = aNULL". To exclude anonymous ciphers only when
13829TLS is enforced, set "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> = aNULL". </p>
13830
13831<p> This feature is available in Postfix 2.3 and later. </p>
13832
13833
13834</DD>
13835
13836<DT><b><a name="smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>
13837(default: empty)</b></DT><DD>
13838
13839<p> Additional list of ciphers or cipher types to exclude from the
13840Postfix SMTP client cipher list at mandatory TLS security levels. This list
13841works in addition to the exclusions listed with <a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>
13842(see there for syntax details).  </p>
13843
13844<p> Starting with Postfix 2.6, the mandatory cipher exclusions can be
13845specified on a per-destination basis via the TLS policy "exclude"
13846attribute. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> for notes and examples. </p>
13847
13848<p> This feature is available in Postfix 2.3 and later. </p>
13849
13850
13851</DD>
13852
13853<DT><b><a name="smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>
13854(default: see "postconf -d" output)</b></DT><DD>
13855
13856<p> TLS protocols that the Postfix SMTP client will use with mandatory
13857TLS encryption.  In <a href="postconf.5.html">main.cf</a> the values are separated by whitespace,
13858commas or colons. In the policy table "protocols" attribute (see
13859<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) the only valid separator is colon. An empty value
13860means allow all protocols. </p>
13861
13862<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
13863"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
13864Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
13865the lowest supported TLS protocol version (see below).  Older releases
13866use the "!" exclusion syntax, also described below.  </p>
13867
13868<p> As of Postfix 3.6, the preferred way to limit the range of
13869acceptable protocols is to set a lowest acceptable TLS protocol version
13870and/or a highest acceptable TLS protocol version.  To set the lower
13871bound include an element of the form: "&gt;=<i>version</i>" where
<i>version</i> is either one of the TLS protocol names listed above,
13873or a hexadecimal number corresponding to the desired TLS protocol
13874version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
13875bound, use "&lt;=<i>version</i>".  There must be no whitespace between
13876the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
13877
13878<p> Hexadecimal protocol numbers make it possible to specify protocol
13879bounds for TLS versions that are known to OpenSSL, but might not be
13880known to Postfix.  They cannot be used with the legacy exclusion syntax.
13881Leading "0" or "0x" prefixes are supported, but not required.
13882Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
13883"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
13884upper or lower bound, and a warning will be logged.  Hexadecimal
13885versions should only be used when Postfix is linked with some future
13886version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
13887yet support a symbolic name for that protocol version. </p>
13888
13889<p>Hexadecimal example (Postfix &ge; 3.6):</p>
13890<blockquote>
13891<pre>
13892# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
13893# in some future version of OpenSSL (presently a warning is logged).
13894<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2, &lt;=0305
13895# Allow only TLS 1.2 and up:
13896<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=0x0303
13897</pre>
13898</blockquote>
13899
13900<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
13901version, and the protocol range is configured via protocol exclusions.
13902To require at least TLS 1.0, set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2,
13903!SSLv3". Listing the protocols to include, rather than the protocols to
13904exclude, is supported, but not recommended.  The exclusion syntax more
13905accurately matches the underlying OpenSSL interface.  </p>
13906
13907<p> When using the exclusion syntax, take care to ensure that the range
13908of protocols supported by the Postfix SMTP client is contiguous.  When
13909a protocol version is enabled, disabling any higher version implicitly
13910disables all versions above that higher version.  Thus, for example: </p>
13911
13912<blockquote>
13913<pre>
13914<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3, !TLSv1.1
13915</pre>
13916</blockquote>
13917
<p> also disables any protocol versions higher than TLSv1.1, leaving
only "TLSv1" enabled.  </p>
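<p> The rules above (version bounds, hexadecimal versions, the legacy
exclusion and inclusion syntax, and the contiguity of the resulting
range) can be checked before a setting goes into <a href="postconf.5.html">main.cf</a>. The
Python program below is an added example, not Postfix code: it is a
model of the documented syntax that reports which protocol versions a
given value leaves enabled, and which bounds are ignored with a
warning. Which hexadecimal versions are "known to OpenSSL" is modelled
here as "known to the table in the program", so a hypothetical TLS 1.4
(0305) is rejected the way the text describes for current OpenSSL. </p>

```python
import re

# Added example, not Postfix code: a model of the documented
# smtp_tls_mandatory_protocols syntax that predicts which TLS versions a value
# leaves enabled. It implements ">=version" / "<=version" bounds (Postfix >= 3.6),
# hexadecimal versions with optional "0" or "0x" prefixes, the legacy "!name"
# exclusion syntax, plain inclusion lists, and the contiguous-range rule.

# Protocol names and their version numbers, lowest first. "Known to OpenSSL"
# is modelled as "present in this table".
VERSIONS = [
    ("SSLv2", 0x0002), ("SSLv3", 0x0300), ("TLSv1", 0x0301),
    ("TLSv1.1", 0x0302), ("TLSv1.2", 0x0303), ("TLSv1.3", 0x0304),
]
NAME_TO_NUM = dict(VERSIONS)
NUM_TO_NAME = {num: name for name, num in VERSIONS}


def parse_version(token: str):
    """Map a protocol name or hex number ("301", "0301", "0x301", "0x0301") to a number.

    Returns None for tokens that are neither a known name nor valid hex.
    """
    if token in NAME_TO_NUM:
        return NAME_TO_NUM[token]
    try:
        return int(token, 16)          # base 16 accepts an optional "0x" prefix
    except ValueError:
        return None


def effective_protocols(setting: str):
    """Return (enabled_names, warnings) for a main.cf smtp_tls_mandatory_protocols value.

    Separators are whitespace, commas or colons; an empty value allows all protocols.
    """
    tokens = [t for t in re.split(r"[\s,:]+", setting.strip()) if t]
    warnings = []
    lo, hi = VERSIONS[0][1], VERSIONS[-1][1]
    excluded, included = set(), set()
    for tok in tokens:
        if tok.startswith((">=", "<=")):
            num = parse_version(tok[2:])
            if num not in NUM_TO_NAME:
                # Version unknown to the TLS library: bound not set, warning logged.
                warnings.append(f"unknown protocol version in {tok!r}; bound ignored")
            elif tok[0] == ">":
                lo = max(lo, num)
            else:
                hi = min(hi, num)
        elif tok.startswith("!"):
            # The legacy exclusion syntax takes symbolic names only, never hex numbers.
            if tok[1:] not in NAME_TO_NUM:
                warnings.append(f"unknown protocol name in {tok!r}; ignored")
            else:
                excluded.add(NAME_TO_NUM[tok[1:]])
        elif tok in NAME_TO_NUM:
            included.add(NAME_TO_NUM[tok])
        else:
            warnings.append(f"unknown protocol name {tok!r}; ignored")
    if included:
        # An inclusion list (supported, not recommended) disables every version it omits.
        excluded |= set(NUM_TO_NAME) - included
    candidates = [num for _, num in VERSIONS if lo <= num <= hi and num not in excluded]
    if not candidates:
        return [], warnings
    # The enabled range is contiguous: start at the lowest enabled version and stop
    # at the first disabled one, which implicitly disables every version above it.
    enabled = []
    for _, num in VERSIONS:
        if num < candidates[0]:
            continue
        if num > hi or num in excluded:
            break
        enabled.append(NUM_TO_NAME[num])
    return enabled, warnings


if __name__ == "__main__":
    for value in [">=TLSv1.2, <=TLSv1.3", ">=0x0303", "!SSLv2, !SSLv3, !TLSv1.1",
                  ">=TLSv1.2, <=0305", ""]:
        names, warns = effective_protocols(value)
        print(f"{value!r:28} -> {names} {warns}")
```

<p> Running the program on the exclusion example above reports only
"TLSv1" as enabled, and on "&gt;=TLSv1.2, &lt;=0305" reports TLS 1.2 and
1.3 together with a warning that the upper bound was ignored. </p>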
13920
13921<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
13922this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
13923releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
13924
13925<p> While the vast majority of SMTP servers with DANE TLSA records now
13926support at least TLS 1.2, a few still only support TLS 1.0.  If you use
13927"dane" or "dane-only" it is best not to disable TLSv1, except perhaps
13928via the policy table for destinations which you are sure will support
13929"TLSv1.2".  </p>
13930
13931<p> See the documentation of the <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> parameter and
13932<a href="TLS_README.html">TLS_README</a> for more information about security levels. </p>
13933
13934<p> Example: </p>
13935<pre>
13936# Preferred syntax with Postfix &ge; 3.6:
13937<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2, &lt;=TLSv1.3
13938# Legacy syntax:
13939<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
13940</pre>
13941
13942<p> This feature is available in Postfix 2.3 and later. </p>
13943
13944
13945</DD>
13946
13947<DT><b><a name="smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a>
13948(default: no)</b></DT><DD>
13949
13950<p> Log the hostname of a remote SMTP server that offers STARTTLS,
13951when TLS is not already enabled for that server. </p>
13952
13953<p> The logfile record looks like:  </p>
13954
13955<pre>
13956postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
13957</pre>
13958
13959<p> This feature is available in Postfix 2.2 and later.  </p>
13960
13961
13962</DD>
13963
13964<DT><b><a name="smtp_tls_per_site">smtp_tls_per_site</a>
13965(default: empty)</b></DT><DD>
13966
13967<p> Optional lookup tables with the Postfix SMTP client TLS usage
13968policy by next-hop destination and by remote SMTP server hostname.
13969When both lookups succeed, the more specific per-site policy (NONE,
13970MUST, etc.) overrides the less specific one (MAY), and the more secure
13971per-site policy (MUST, etc.) overrides the less secure one (NONE).
13972With Postfix 2.3 and later <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> is strongly discouraged:
13973use <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> instead. </p>
13974
13975<p> Use of the bare hostname as the per-site table lookup key is
13976discouraged. Always use the full destination nexthop (enclosed in
13977[] with a possible ":port" suffix). A recipient domain or MX-enabled
13978transport next-hop with no port suffix may look like a bare hostname,
13979but is still a suitable <i>destination</i>. </p>
13980
13981<p> Specify a next-hop destination or server hostname on the left-hand
13982side; no wildcards are allowed. The next-hop destination is either
13983the recipient domain, or the destination specified with a <a href="transport.5.html">transport(5)</a>
13984table, the <a href="postconf.5.html#relayhost">relayhost</a> parameter, or the <a href="postconf.5.html#relay_transport">relay_transport</a> parameter.
13985On the right hand side specify one of the following keywords:  </p>
13986
13987<dl>
13988
13989<dt> NONE </dt> <dd> Don't use TLS at all. This overrides a less
13990specific <b>MAY</b> lookup result from the alternate host or next-hop
13991lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,
13992and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
13993
13994<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
13995otherwise use an unencrypted connection; after a failed TLS handshake
13996or TLS session, fall back to plaintext if the message has spent
13997<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> in the mail queue. This level has less precedence
13998than a more specific result (including <b>NONE</b>) from the alternate
13999host or next-hop lookup key, and has less precedence than the more
14000specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
14001= yes". </dd>
14002
14003<dt> MUST_NOPEERMATCH </dt> <dd> Require TLS encryption, but do not
14004require that the remote SMTP server hostname matches the information
14005in the remote SMTP server certificate, or that the server certificate
14006was issued by a trusted CA. This overrides a less secure <b>NONE</b>
14007or a less specific <b>MAY</b> lookup result from the alternate host
14008or next-hop lookup key, and overrides the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,
14009<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings.  </dd>
14010
14011<dt> MUST </dt> <dd> Require TLS encryption, require that the remote
14012SMTP server hostname matches the information in the remote SMTP
14013server certificate, and require that the remote SMTP server certificate
14014was issued by a trusted CA. This overrides a less secure <b>NONE</b>
14015or <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
14016result from the alternate host or next-hop lookup key, and overrides
14017the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
14018settings.  </dd>
14019
14020</dl>
14021
14022<p> The above keywords correspond to the "none", "may", "encrypt" and
14023"verify" security levels for the new <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> parameter
14024introduced in Postfix 2.3. Starting with Postfix 2.3, and independently
14025of how the policy is specified, the <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
14026<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameters apply when TLS encryption
14027is mandatory. Connections for which encryption is optional typically
14028enable all "export" grade and better ciphers (see <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>
14029and <a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>). </p>
14030
14031<p> As long as no secure DNS lookup mechanism is available, false
14032hostnames in MX or CNAME responses can change the server hostname
14033that Postfix uses for TLS policy lookup and server certificate
14034verification. Even with a perfect match between the server hostname and
14035the server certificate, there is no guarantee that Postfix is connected
14036to the right server.  See <a href="TLS_README.html">TLS_README</a> (Closing a DNS loophole with obsolete
14037per-site TLS policies) for a possible work-around. </p>
14038
14039<p> This feature is available in Postfix 2.2 and later. With
14040Postfix 2.3 and later use <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> instead. </p>
14041
14042
14043</DD>
14044
14045<DT><b><a name="smtp_tls_policy_maps">smtp_tls_policy_maps</a>
14046(default: empty)</b></DT><DD>
14047
14048<p> Optional lookup tables with the Postfix SMTP client TLS security
14049policy by next-hop destination; when a non-empty value is specified,
14050this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.  See
14051<a href="TLS_README.html">TLS_README</a> for a more detailed discussion of TLS security levels,
14052and see <a href="TLSRPT_README.html">TLSRPT_README</a> for additional configuration that may be
14053needed for MTA-STS plugins. </p>
14054
14055<p>
14056Specify zero or more "type:name" lookup tables, separated by
14057whitespace or comma. Tables will be searched in the specified order
14058until a match is found.
14059</p>
14060
14061<p> The TLS policy table is indexed by the full next-hop destination,
14062which is either the recipient domain, or the verbatim next-hop
14063specified in the transport table, $<a href="postconf.5.html#local_transport">local_transport</a>, $<a href="postconf.5.html#virtual_transport">virtual_transport</a>,
14064$<a href="postconf.5.html#relay_transport">relay_transport</a> or $<a href="postconf.5.html#default_transport">default_transport</a>. This includes any enclosing
14065square brackets and any non-default destination server port suffix. The
14066LMTP socket type prefix (inet: or unix:) is not included in the lookup
14067key. </p>
14068
14069<p> Only the next-hop domain, or $<a href="postconf.5.html#myhostname">myhostname</a> with LMTP over UNIX-domain
14070sockets, is used as the nexthop name for certificate verification. The
14071port and any enclosing square brackets are used in the table lookup key,
14072but are not used for server name verification. </p>
14073
14074<p> When the lookup key is a domain name without enclosing square brackets
14075or any <i>:port</i> suffix (typically the recipient domain), and the full
14076domain is not found in the table, just as with the <a href="transport.5.html">transport(5)</a> table,
14077the parent domain starting with a leading "." is matched recursively. This
14078allows one to specify a security policy for a recipient domain and all
14079its sub-domains. </p>
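<p> The lookup rules above (full next-hop as the key, brackets and port
kept, the LMTP socket type prefix dropped, and parent-domain matching
only for bare domain keys) are easy to get wrong when writing a policy
table. The Python program below is an added example, not Postfix code:
it models the lookup against a constructed tls_policy file in the
"key value" text format that postmap(1) reads, then splits the result
into a security level and its name=value attributes. The fingerprint
value in the sample is made up, and folding keys to lower case is this
model's assumption. </p>

```python
import re

# Added example, not Postfix code: a model of how the TLS policy table is keyed
# and searched. A line starting with whitespace continues the previous entry and
# "#" starts a comment, as in postmap(1) input. Lower-casing keys is an assumption.

# Constructed sample table; the fingerprint value is made up, not a real key.
SAMPLE_TLS_POLICY = """\
# /etc/postfix/tls_policy (constructed sample)
example.com                 fingerprint
    match=01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20
.example.com                may
[mailhub.example.com]:587   encrypt protocols=TLSv1.2:TLSv1.3 ciphers=high
example.net                 dane-only
"""


def parse_policy_table(text: str) -> dict:
    """Parse 'key value...' lines into a dict; continuation lines extend the previous value."""
    table, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if key is None:
                raise ValueError(f"continuation line before any entry: {raw!r}")
            table[key] += " " + raw.strip()
        else:
            parts = raw.split(None, 1)
            key = parts[0].lower()
            table[key] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup_key(nexthop: str) -> str:
    """Build the lookup key: drop an LMTP socket type prefix, keep brackets and port."""
    for prefix in ("inet:", "unix:"):
        if nexthop.startswith(prefix):
            nexthop = nexthop[len(prefix):]
    return nexthop.lower()


def is_bare_domain(key: str) -> bool:
    """A key with no enclosing brackets and no :port suffix, typically a recipient domain."""
    return "[" not in key and ":" not in key


def lookup_policy(table: dict, nexthop: str):
    """Return (matched_key, value), or None. Parent domains are tried only for bare domains."""
    key = lookup_key(nexthop)
    if key in table:
        return key, table[key]
    if is_bare_domain(key):
        labels = key.split(".")
        for i in range(1, len(labels)):
            parent = "." + ".".join(labels[i:])   # mail.example.com -> .example.com -> .com
            if parent in table:
                return parent, table[parent]
    return None


def parse_policy_value(value: str):
    """Split 'level name=value ...' (whitespace or comma separated) into (level, attributes).

    Attributes may repeat (for example several match= entries), so they are kept as a list.
    """
    fields = [f for f in re.split(r"[\s,]+", value.strip()) if f]
    if not fields:
        raise ValueError("empty policy value")
    attributes = []
    for field in fields[1:]:
        name, sep, val = field.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {field!r}")
        attributes.append((name, val))
    return fields[0], attributes


if __name__ == "__main__":
    table = parse_policy_table(SAMPLE_TLS_POLICY)
    for dest in ["example.com", "mail.example.com", "inet:[mailhub.example.com]:587",
                 "[mailhub.example.com]", "example.org"]:
        hit = lookup_policy(table, dest)
        print(f"{dest:34} ->", hit and parse_policy_value(hit[1]))
```

<p> Note the two negative results in the sample run: "[mailhub.example.com]"
without the ":587" suffix matches nothing, because a bracketed key is
looked up verbatim and never falls back to a parent domain, and
"example.org" matches nothing because no ".org" entry exists. </p>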
14080
14081<p> The lookup result is a security level, followed by an optional list
14082of whitespace and/or comma separated name=value attributes that override
14083related <a href="postconf.5.html">main.cf</a> settings. The TLS security levels in order of increasing
14084security are: </p>
14085
14086<dl>
14087
14088<dt><b><a href="TLS_README.html#client_tls_none">none</a></b></dt>
14089<dd>No TLS. No additional attributes are supported at this level. </dd>
14090
14091<dt><b><a href="TLS_README.html#client_tls_may">may</a></b></dt>
14092<dd>Opportunistic TLS. Since sending in the clear is acceptable,
14093demanding stronger than default TLS security merely reduces
14094interoperability. The optional "ciphers", "exclude", and "protocols"
14095attributes (available for opportunistic TLS with Postfix &ge; 2.6) and
14096"connection_reuse" attribute (Postfix &ge; 3.4) override the
14097"<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>",
14098and "<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. In the policy
14099table, multiple ciphers, protocols or excluded ciphers must be separated
14100by colons, as attribute values may not contain whitespace or commas.  At
14101this level and higher, the optional "servername" attribute (available
14102with Postfix &ge; 3.4) overrides the global "<a href="postconf.5.html#smtp_tls_servername">smtp_tls_servername</a>"
14103parameter, enabling per-destination configuration of the SNI extension
14104sent to the remote SMTP server.  The optional "enable_rpk" attribute
14105(Postfix &ge; 3.9) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter.
14106When opportunistic TLS handshakes fail, Postfix retries the connection
14107with TLS disabled.  This allows mail delivery to sites with
14108non-interoperable TLS implementations.</dd>
14109
14110<dt><b><a href="TLS_README.html#client_tls_encrypt">encrypt</a></b></dt>
14111<dd>Mandatory TLS encryption. Mail is delivered only if the remote SMTP
14112server offers STARTTLS and the TLS handshake succeeds. At this level and
14113higher, the optional "protocols" attribute overrides the <a href="postconf.5.html">main.cf</a>
14114<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter, the optional "ciphers" attribute
14115overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter, the optional
14116"exclude" attribute (Postfix &ge; 2.6) overrides the <a href="postconf.5.html">main.cf</a>
14117<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> parameter, and the optional
14118"connection_reuse" attribute (Postfix &ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a>
14119<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. In the policy table, multiple
14120ciphers, protocols or excluded ciphers must be separated by colons, as
14121attribute values may not contain whitespace or commas.  The optional
14122"enable_rpk" attribute (Postfix &ge; 3.9) overrides the <a href="postconf.5.html">main.cf</a>
14123<a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. </dd>
14124
14125<dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt>
14126<dd>Opportunistic DANE TLS.  The TLS policy for the destination is
14127obtained via TLSA records in DNSSEC.  If no TLSA records are found,
14128the effective security level used is <a
14129href="TLS_README.html#client_tls_may">may</a>.  If TLSA records are
14130found, but none are usable, the effective security level is <a
14131href="TLS_README.html#client_tls_encrypt">encrypt</a>.  When usable
14132TLSA records are obtained for the remote SMTP server, the
14133server certificate must match the TLSA records.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
14134TLS authentication and DNSSEC support is available with Postfix
141352.11 and later. The optional "connection_reuse" attribute (Postfix
14136&ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
14137When the effective security level used is <a
14138href="TLS_README.html#client_tls_may">may</a>, the optional "ciphers",
14139"exclude", and "protocols" attributes (Postfix &ge; 2.6) override the
14140"<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>"
14141configuration parameters.
14142When the effective security level used is <a
14143href="TLS_README.html#client_tls_encrypt">encrypt</a>, the optional "ciphers",
14144"exclude", and "protocols" attributes (Postfix &ge; 2.6) override the
14145"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and
14146"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters.
14147</dd>
14148
14149<dt><b><a href="TLS_README.html#client_tls_dane">dane-only</a></b></dt>
14150<dd>Mandatory DANE TLS.  The TLS policy for the destination is
14151obtained via TLSA records in DNSSEC.  If no TLSA records are found,
14152or none are usable, no connection is made to the server.  When
14153usable TLSA records are obtained for the remote SMTP server, the
14154server certificate must match the TLSA records.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS
14155authentication and DNSSEC support is available with Postfix 2.11
14156and later. The optional "ciphers", "exclude", and "protocols" attributes
14157(Postfix &ge; 2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>",
14158"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
14159configuration parameters. The optional "connection_reuse" attribute
14160(Postfix &ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
14161</dd>
14162
14163<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
14164<dd>Certificate fingerprint
14165verification. Available with Postfix 2.5 and later. At this security
level, there are no trusted Certification Authorities. The certificate
trust chain, expiration date, etc., are not checked. Instead,
14168the optional policy table "match" attribute, or else the <a href="postconf.5.html">main.cf</a>
14169<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a></b> parameter, lists the certificate
14170fingerprints or the public key fingerprints (Postfix 2.9 and later)
14171of acceptable server certificates. The digest
14172algorithm used to calculate the fingerprint is selected by the
14173<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b> parameter. Multiple fingerprints can
14174be combined with a "|" delimiter in a single match attribute, or multiple
14175match attributes can be employed. The ":" character is not used as a
14176delimiter as it occurs between each pair of fingerprint (hexadecimal)
14177digits. The optional "ciphers", "exclude", and "protocols" attributes
14178(Postfix &ge; 2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>",
14179"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
14180configuration parameters. The optional "connection_reuse" attribute
14181(Postfix &ge; 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>
14182parameter.  The optional "enable_rpk" attribute (Postfix &ge; 3.9)
14183overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_enable_rpk">smtp_tls_enable_rpk</a> parameter. </dd>
14184
14185<dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt>
14186<dd>Mandatory TLS verification.  Mail is delivered only if the TLS
14187handshake succeeds, the remote SMTP server certificate chain can be
14188validated, and a DNS name in the certificate matches the specified match
14189criteria. At this security level, DNS MX lookups are presumed to be
14190secure enough, and the name verified in the server certificate is
14191potentially obtained via unauthenticated DNS MX lookups.  The optional
14192"match" attribute overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a>
14193parameter. In the policy table, multiple match patterns and strategies
14194must be separated by colons.  In practice explicit control over matching
14195is more common with the "secure" policy, described below. The optional
14196"ciphers", "exclude", and "protocols" attributes (Postfix &ge; 2.6)
14197override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>",
14198"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
14199configuration parameters. With Postfix &ge; 2.11 the optional "tafile"
14200policy table attribute modifies trust chain verification in the same
14201manner as the "<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile"
14202attribute may be specified multiple times to load multiple trust-anchor
14203files. The optional "connection_reuse" attribute (Postfix &ge; 3.4)
14204overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
14205
14206<dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt>
14207<dd>Secure certificate verification. Mail is delivered only if the TLS
14208handshake succeeds, the remote SMTP server certificate chain can be
14209validated, and a DNS name in the certificate matches the specified match
14210criteria.  At this security level, DNS MX lookups, though potentially
14211used to determine the candidate next-hop gateway IP addresses, are
14212<b>not</b> presumed to be secure enough for TLS peername verification.
14213Instead, the default name verified in the server certificate is obtained
14214directly from the next-hop, or is explicitly specified via the optional
14215"match" attribute which overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a>
14216parameter. In the policy table, multiple match patterns and strategies
14217must be separated by colons.  The match attribute is most useful when
14218multiple domains are supported by a common server: the policy entries
14219for additional domains specify matching rules for the primary domain
14220certificate. While transport table overrides that route the secondary
14221domains to the primary nexthop also allow secure verification, they risk
14222delivery to the wrong destination when domains change hands or are
14223re-assigned to new gateways. With the "match" attribute approach,
14224routing is not perturbed, and mail is deferred if verification of a new
14225MX host fails. The optional "ciphers", "exclude", and "protocols"
14226attributes (Postfix &ge; 2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>",
14227"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
14228configuration parameters. With Postfix &ge; 2.11 the "tafile" attribute
14229optionally modifies trust chain verification in the same manner as the
14230"<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter.  The "tafile" attribute may be
14231specified multiple times to load multiple trust-anchor files. The
14232optional "connection_reuse" attribute (Postfix &ge; 3.4) overrides the
14233<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
14234
14235</dl>
14236
14237<p>
14238Example:
14239</p>
14240
14241<pre>
14242/etc/postfix/<a href="postconf.5.html">main.cf</a>:
14243    <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/tls_policy
14244    # Postfix 2.5 and later.
14245    #
14246    # The default digest is sha256 with Postfix &ge; 3.6 and
14247    # compatibility level &ge; 3.
14248    #
14249    <a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> = sha256
14250</pre>
14251
14252<pre>
14253/etc/postfix/tls_policy:
14254    example.edu                 none
14255    example.mil                 may
14256    example.gov                 encrypt protocols=TLSv1
14257    example.com                 verify ciphers=high
14258    example.net                 secure
14259    .example.net                secure match=.example.net:example.net
14260    [mail.example.org]:587      secure match=nexthop
14261    # Postfix 2.5 and later
14262    [thumb.example.org]          fingerprint
14263        match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
14264        match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
14265</pre>
14266
14267<p> <b>Note:</b> The "hostname" strategy if listed in a non-default
14268setting of <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> or in the "match" attribute
14269in the policy table can render the "secure" level vulnerable to
14270DNS forgery. Do not use the "hostname" strategy for secure-channel
14271configurations in environments where DNS security is not assured. </p>
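<p> A policy table in the layout shown above can be checked before it
is compiled with postmap(1). The Python script below is an added
example, not part of Postfix: it parses the text form of the table
(one destination per logical line, the level followed by optional
"attribute=value" words, indented continuation lines, "#" comments)
and reports the pitfalls named in this section, namely commas where
only ":" is a valid separator, malformed fingerprints, and the
"hostname" strategy at the "secure" level. The embedded sample table
is constructed for the example; its fingerprints are placeholder byte
patterns, not digests of real certificates. </p>

```python
"""Parse and lint a Postfix smtp_tls_policy_maps text table.

Added example, not Postfix code.  It follows the table layout shown in
postconf(5) and turns the caveats stated there into lint rules.
"""
import re
from dataclasses import dataclass, field

LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
          "fingerprint", "verify", "secure"}
KNOWN_ATTRS = {"match", "ciphers", "exclude", "protocols", "tafile",
               "connection_reuse", "servername", "enable_rpk"}
REPEATABLE = {"match", "tafile"}          # may appear more than once
FINGERPRINT = re.compile(r"([0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}")


@dataclass
class PolicyEntry:
    destination: str
    level: str
    attrs: dict = field(default_factory=dict)   # attribute -> [values]


def logical_lines(text):
    """Drop blank and '#' lines; join indented continuation lines."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_policy_table(text):
    """Return {destination: PolicyEntry}; raise ValueError on bad syntax."""
    entries = {}
    for line in logical_lines(text):
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"missing security level: {line!r}")
        dest, level, *words = parts
        if level not in LEVELS:
            raise ValueError(f"{dest}: unknown security level {level!r}")
        entry = PolicyEntry(dest, level)
        for word in words:
            name, sep, value = word.partition("=")
            if not sep or name not in KNOWN_ATTRS:
                raise ValueError(f"{dest}: unknown attribute {word!r}")
            if name in entry.attrs and name not in REPEATABLE:
                raise ValueError(f"{dest}: attribute {name!r} given twice")
            entry.attrs.setdefault(name, []).append(value)
        entries[dest] = entry
    return entries


def lint_entry(entry):
    """Warnings for one entry, based on the rules stated in the text."""
    warnings = []
    match_values = entry.attrs.get("match", [])
    if entry.level == "fingerprint":
        # "|" joins alternative fingerprints; ":" separates digest bytes.
        for fp in (f for v in match_values for f in v.split("|")):
            if not FINGERPRINT.fullmatch(fp):
                warnings.append(f"malformed fingerprint {fp!r}")
    elif entry.level in ("verify", "secure"):
        # Patterns and strategies are ":"-separated in the policy table.
        strategies = [s for v in match_values for s in v.split(":")]
        if any("," in s for s in strategies):
            warnings.append("match= separates patterns with ':' not ','")
        if entry.level == "secure" and "hostname" in strategies:
            warnings.append('"hostname" strategy at level "secure" relies '
                            "on unauthenticated MX lookups")
    elif match_values:
        warnings.append(f'match= is not documented for level "{entry.level}"')
    if any("," in v for v in entry.attrs.get("protocols", [])):
        warnings.append("protocols= separates names with ':' not ','")
    return warnings


def lint_table(text):
    """Return {destination: [warnings]} for every entry in the table."""
    return {d: lint_entry(e) for d, e in parse_policy_table(text).items()}


# Constructed sample modelled on the example above.  The fingerprints are
# placeholder byte patterns, not digests of real certificates.
SAMPLE_TABLE = """\
example.edu              none
example.gov              encrypt protocols=TLSv1.2:TLSv1.3
example.com              verify ciphers=high
.example.net             secure match=.example.net:example.net
[mail.example.org]:587   secure match=nexthop
risky.example            secure match=hostname
legacy.example           encrypt protocols=TLSv1.2,TLSv1.3
broken.example           fingerprint match=0A1B2C3D
# Postfix 2.5 and later: fingerprints may continue on indented lines
[thumb.example.org]      fingerprint
    match=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
    match=FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC|0A:1B:2C:3D
"""

if __name__ == "__main__":
    for dest, warnings in lint_table(SAMPLE_TABLE).items():
        for warning in warnings:
            print(f"{dest}: {warning}")
```

<p> Point it at the table source rather than at the postmap(1) output:
the compiled database stores the same entries, but this parser reads
only the text form. </p>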
14272
14273<p> This feature is available in Postfix 2.3 and later. </p>
14274
14275
14276</DD>
14277
14278<DT><b><a name="smtp_tls_protocols">smtp_tls_protocols</a>
14279(default: see 'postconf -d' output)</b></DT><DD>
14280
14281<p> TLS protocols that the Postfix SMTP client will use with
14282opportunistic TLS encryption.  In <a href="postconf.5.html">main.cf</a> the values are separated by
14283whitespace, commas or colons. In the policy table "protocols" attribute
14284(see <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) the only valid separator is colon.  An empty
14285value means allow all protocols. </p>
14286
14287<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
14288"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
14289Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
14290the lowest supported TLS protocol version (see below).  Older releases
14291use the "!" exclusion syntax, also described below.  </p>
14292
14293<p> As of Postfix 3.6, the preferred way to limit the range of
14294acceptable protocols is to set the lowest acceptable TLS protocol
14295version and/or the highest acceptable TLS protocol version.  To set the
14296lower bound include an element of the form: "&gt;=<i>version</i>" where
14297<i>version</i> is either one of the TLS protocol names listed above,
14298or a hexadecimal number corresponding to the desired TLS protocol
14299version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
14300bound, use "&lt;=<i>version</i>".  There must be no whitespace between
14301the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
14302
14303<p> Hexadecimal protocol numbers make it possible to specify protocol
14304bounds for TLS versions that are known to OpenSSL, but might not be
14305known to Postfix.  They cannot be used with the legacy exclusion syntax.
14306Leading "0" or "0x" prefixes are supported, but not required.
14307Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
14308"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
14309upper or lower bound, and a warning will be logged.  Hexadecimal
14310versions should only be used when Postfix is linked with some future
14311version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
14312yet support a symbolic name for that protocol version. </p>
14313
14314<p>Hexadecimal example (Postfix &ge; 3.6):</p>
14315<blockquote>
14316<pre>
14317# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
14318# in some future version of OpenSSL (presently a warning is logged).
14319<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=TLSv1, &lt;=0305
14320# Allow only TLS 1.0 and up:
14321<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=0x0301
14322</pre>
14323</blockquote>
14324
14325<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
14326version, and the protocol range is configured via protocol exclusions.
14327To require at least TLS 1.0, set "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3".
14328Listing the protocols to include, rather than protocols to exclude, is
14329supported, but not recommended.  The exclusion form more accurately
14330matches the underlying OpenSSL interface.  </p>
14331
14332<p> When using the exclusion syntax, take care to ensure that the range of
14333protocols advertised by an SSL/TLS client is contiguous.  When a protocol
14334version is enabled, disabling any higher version implicitly disables all
14335versions above that higher version.  Thus, for example:
14336</p>
14337<blockquote>
14338<pre>
14339<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3, !TLSv1.1
14340</pre>
14341</blockquote>
<p> also disables every protocol version higher than TLSv1.1, leaving
only "TLSv1" enabled.  </p>
14344
14345<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
14346this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
14347releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
14348
14349<p> Example: </p>
14350<pre>
14351# Preferred syntax with Postfix &ge; 3.6:
14352<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=TLSv1, &lt;=TLSv1.3
14353# Legacy syntax:
14354<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3
14355</pre>
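<p> The rules above (bounds, hexadecimal numbers, "!" exclusions and
the contiguity pitfall) are easy to misapply by hand. The following
Python model is an added example, not Postfix code: given a main.cf
value for smtp_tls_protocols it returns the protocol versions that
remain enabled and any warning the text says would be logged. The
version numbers for SSLv2 and SSLv3 (0002 and 0300) are OpenSSL's
SSL2_VERSION and SSL3_VERSION constants; the TLS numbers are the ones
quoted in the text. </p>

```python
"""Model the smtp_tls_protocols value syntax described in postconf(5).

Added example, not Postfix code: it computes which protocol versions a
main.cf value leaves enabled, following the rules stated in the text:
">=version" / "<=version" bounds (Postfix >= 3.6) with symbolic or
hexadecimal versions, legacy "!" exclusions, and the contiguity rule
under which an exclusion also disables every version above it.
"""
import re

# Symbolic names and the wire version numbers the text refers to
# (0301 = TLS 1.0, 0302 = TLS 1.1, ...).  The SSLv2/SSLv3 values are
# OpenSSL's SSL2_VERSION and SSL3_VERSION constants.
PROTOCOLS = {"SSLv2": 0x0002, "SSLv3": 0x0300, "TLSv1": 0x0301,
             "TLSv1.1": 0x0302, "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}
BY_NUMBER = {num: name for name, num in PROTOCOLS.items()}
ORDERED = sorted(BY_NUMBER)            # ascending version numbers


def parse_version(token):
    """Symbolic name or hex number ("301", "0301", "0x0301") -> number.

    Returns None for a hexadecimal version this model does not know, to
    mirror the text: the bound is not set and a warning is logged.
    """
    if token in PROTOCOLS:
        return PROTOCOLS[token]
    m = re.fullmatch(r"(?:0x)?([0-9A-Fa-f]{1,4})", token)
    if not m:
        raise ValueError(f"unrecognized protocol version {token!r}")
    number = int(m.group(1), 16)
    return number if number in BY_NUMBER else None


def enabled_protocols(value):
    """Return (names of enabled versions in ascending order, warnings)."""
    warnings = []
    # main.cf values may be separated by whitespace, commas or colons.
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]
    if not tokens:                          # empty value: all protocols
        return [BY_NUMBER[n] for n in ORDERED], warnings

    lower = upper = None
    include, exclude = set(), set()
    for tok in tokens:
        if tok[:2] in (">=", "<="):
            number = parse_version(tok[2:])
            if number is None:
                warnings.append(f"unknown version in {tok!r}: bound not set")
            elif tok[0] == ">":
                lower = number
            else:
                upper = number
        elif tok.startswith("!"):
            # Hexadecimal numbers cannot be used with the exclusion syntax.
            if tok[1:] not in PROTOCOLS:
                raise ValueError(f"cannot exclude {tok[1:]!r}: not a protocol name")
            exclude.add(PROTOCOLS[tok[1:]])
        elif tok in PROTOCOLS:
            include.add(PROTOCOLS[tok])     # supported, but not recommended
        else:
            raise ValueError(f"unrecognized element {tok!r}")

    enabled = include if include else set(ORDERED)
    enabled -= exclude
    if lower is not None:
        enabled = {n for n in enabled if n >= lower}
    if upper is not None:
        enabled = {n for n in enabled if n <= upper}

    # Contiguity rule: starting from the lowest enabled version, the
    # first disabled version above it also disables everything higher.
    contiguous = []
    for n in ORDERED:
        if n in enabled:
            contiguous.append(n)
        elif contiguous:
            break
    return [BY_NUMBER[n] for n in contiguous], warnings


if __name__ == "__main__":
    for setting in ("!SSLv2, !SSLv3, !TLSv1.1", ">=TLSv1, <=0305", ">=TLSv1.2"):
        names, warnings = enabled_protocols(setting)
        print(f"{setting!r:28} -> {' '.join(names)}  {'; '.join(warnings)}")
```

<p> With "!SSLv2, !SSLv3, !TLSv1.1" the model returns only "TLSv1",
which is the behaviour the text warns about; with "&gt;=TLSv1,
&lt;=0305" it keeps TLS 1.0 through 1.3 and reports that the upper
bound was not set. </p>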
14356
14357<p> This feature is available in Postfix 2.6 and later. </p>
14358
14359
14360</DD>
14361
14362<DT><b><a name="smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>
14363(default: 9)</b></DT><DD>
14364
14365<p> The verification depth for remote SMTP server certificates. A depth
14366of 1 is sufficient if the issuing CA is listed in a local CA file. </p>
14367
14368<p> The default verification depth is 9 (the OpenSSL default) for
14369compatibility with earlier Postfix behavior. Prior to Postfix 2.5,
14370the default value was 5, but the limit was not actually enforced. If
14371you have set this to a lower non-default value, certificates with longer
trust chains may now fail to verify. Certificate chains with 1 or 2
CAs are common; deeper chains are rarer, and any number between 5
and 9 should suffice in practice. You can choose a lower number if,
14375for example, you trust certificates directly signed by an issuing CA
14376but not any CAs it delegates to. </p>
14377
14378<p> This feature is available in Postfix 2.2 and later.  </p>
14379
14380
14381</DD>
14382
14383<DT><b><a name="smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a>
14384(default: nexthop, dot-nexthop)</b></DT><DD>
14385
14386<p> How the Postfix SMTP client verifies the server certificate
14387peername for the "secure" TLS security level. In a "secure" TLS policy table
14388($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) entry the optional "match" attribute
14389overrides this <a href="postconf.5.html">main.cf</a> setting. </p>
14390
14391<p> This parameter specifies one or more patterns or strategies separated
14392by commas, whitespace or colons.  In the policy table the only valid
14393separator is the colon character. </p>
14394
14395<p> For a description of the pattern and strategy syntax see the
14396<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter. The "hostname" strategy should
14397be avoided in this context, as in the absence of a secure global DNS, using
14398the results of MX lookups in certificate verification is not immune to active
14399(man-in-the-middle) attacks on DNS. </p>
14400
14401<p>
14402Sample <a href="postconf.5.html">main.cf</a> setting:
14403</p>
14404
14405<blockquote>
14406<pre>
14407<a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> = nexthop
14408</pre>
14409</blockquote>
14410
14411<p>
14412Sample policy table override:
14413</p>
14414
14415<blockquote>
14416<pre>
14417example.net     secure match=example.com:.example.com
14418.example.net    secure match=example.com:.example.com
14419</pre>
14420</blockquote>
14421
14422<p> This feature is available in Postfix 2.3 and later. </p>
14423
14424
14425</DD>
14426
14427<DT><b><a name="smtp_tls_security_level">smtp_tls_security_level</a>
14428(default: empty)</b></DT><DD>
14429
14430<p> The default SMTP TLS security level for the Postfix SMTP client.
14431When a non-empty value is specified, this overrides the obsolete
14432parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>;
14433when no value is specified for <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> or the obsolete
14434parameters, the default SMTP TLS security level is
14435<a href="TLS_README.html#client_tls_none">none</a>. </p>
14436
14437<p> Specify one of the following security levels: </p>
14438
14439<dl>
14440
14441<dt><b><a href="TLS_README.html#client_tls_none">none</a></b></dt>
14442<dd> No TLS. TLS will not be used unless enabled for specific
14443destinations via <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>. </dd>
14444
14445<dt><b><a href="TLS_README.html#client_tls_may">may</a></b></dt>
14446<dd> Opportunistic TLS. Use TLS if this is supported by the remote
14447SMTP server, otherwise use plaintext; after a failed TLS handshake
14448or TLS session, fall back to plaintext if the message has spent
14449<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> in the mail queue. Since
14450sending in the clear is acceptable, demanding stronger than default TLS
14451security merely reduces interoperability.
14452The "<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>" and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>" (Postfix &ge; 2.6)
14453configuration parameters provide control over the protocols and
14454cipher grade used with opportunistic TLS.  With earlier releases the
14455opportunistic TLS cipher grade is always "export" and no protocols
14456are disabled.
14457When TLS handshakes fail, the connection is retried with TLS disabled.
14458This allows mail delivery to sites with non-interoperable TLS
14459implementations. </dd>
14460
14461<dt><b><a href="TLS_README.html#client_tls_encrypt">encrypt</a></b></dt>
14462<dd>Mandatory TLS encryption. Since a minimum
14463level of security is intended, it is reasonable to be specific about
14464sufficiently secure protocol versions and ciphers. At this security level
14465and higher, the <a href="postconf.5.html">main.cf</a> parameters <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> and
14466<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> specify the TLS protocols and minimum
14467cipher grade which the administrator considers secure enough for
14468mandatory encrypted sessions. This security level is not an appropriate
14469default for systems delivering mail to the Internet. </dd>
14470
14471<dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt>
14472<dd>Opportunistic DANE TLS.  At this security level, the TLS policy
14473for the destination is obtained via DNSSEC.  For TLSA policy to be
14474in effect, the destination domain's containing DNS zone must be
14475signed and the Postfix SMTP client's operating system must be
14476configured to send its DNS queries to a recursive DNS nameserver
14477that is able to validate the signed records.  Each MX host's DNS
14478zone should also be signed, and should publish DANE TLSA (<a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>)
14479records that specify how that MX host's TLS certificate is to be
verified.  TLSA records do not preempt the normal SMTP MX host
selection algorithm; if some MX hosts support TLSA and others do
not, TLS security will vary from delivery to delivery.  It is up
14483to the domain owner to configure their MX hosts and their DNS
14484sensibly.  To configure the Postfix SMTP client for DNSSEC lookups
14485see the documentation for the <a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> <a href="postconf.5.html">main.cf</a>
parameter.  When DNSSEC-validated TLSA records are not found, the
effective TLS security level is "may".  When TLSA records are found
but are all unusable, the effective security level is "encrypt".  For
purposes of protocol and cipher selection, the "dane" security level
is treated like a "mandatory" TLS security level, and weak ciphers
and protocols are disabled.  Since DANE authenticates server
certificates, the "aNULL" cipher-suites are transparently excluded
at this level; there is no need to configure this manually.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE)
14494TLS authentication is available with Postfix 2.11 and later.  </dd>
14495
14496<dt><b><a href="TLS_README.html#client_tls_dane">dane-only</a></b></dt>
14497<dd>Mandatory DANE TLS.  This is just like "dane" above, but DANE
14498TLSA authentication is required.  There is no fallback to "may" or
14499"encrypt" when TLSA records are missing or unusable.  <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>
14500(DANE) TLS authentication is available with Postfix 2.11 and later.
14501</dd>
14502
14503<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
14504<dd>Certificate fingerprint verification.
14505At this security level, there are no trusted Certification Authorities.
14506The certificate trust chain, expiration date, etc., are
14507not checked. Instead, the <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a></b>
14508parameter lists the certificate fingerprint or public key fingerprint
14509(Postfix 2.9 and later) of the valid server certificate. The digest
14510algorithm used to calculate the fingerprint is selected by the
14511<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a></b> parameter. Available with Postfix
145122.5 and later.  </dd>
14513
14514<dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt>
14515<dd>Mandatory TLS verification. At this security
14516level, DNS MX lookups are trusted to be secure enough, and the name
14517verified in the server certificate is usually obtained indirectly
14518via unauthenticated DNS MX lookups. The <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a>
14519parameter controls how the server name is verified. In practice explicit
14520control over matching is more common at the "secure" level, described
14521below. This security level is not an appropriate default for systems
14522delivering mail to the Internet. </dd>
14523
14524<dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt>
14525<dd>Secure-channel TLS.  At this security level,
14526DNS MX lookups, though potentially used to determine the candidate
14527next-hop gateway IP addresses, are <b>not</b> trusted to be secure enough
14528for TLS peername verification. Instead, the default name verified in
14529the server certificate is obtained from the next-hop domain as specified
14530in the <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> configuration parameter. The default
14531matching rule is that a server certificate matches when its name is equal
14532to or is a sub-domain of the nexthop domain. This security level is not
14533an appropriate default for systems delivering mail to the Internet. </dd>
14534
14535</dl>
14536
14537<p>
14538Examples:
14539</p>
14540
14541<pre>
14542# No TLS. Formerly: <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>=no and <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>=no.
14543<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = none
14544</pre>
14545
14546<pre>
14547# Opportunistic TLS.
14548<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
14549# Do not tweak opportunistic ciphers or protocols unless it is essential
14550# to do so (if a security vulnerability is found in the SSL library that
14551# can be mitigated by disabling a particular protocol or raising the
14552# cipher grade).
14553<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> = medium
14554<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = &gt;=TLSv1
14555# Legacy (Postfix &lt; 3.6) syntax:
14556<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3
14557</pre>
14558
14559<pre>
14560# Mandatory (high-grade) TLS encryption.
14561<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
14562<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = high
14563</pre>
14564
14565<pre>
14566# Authenticated TLS 1.2 or better matching the nexthop domain or a
14567# subdomain.
14568<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = secure
14569<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = high
14570<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2
14571<a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> = nexthop, dot-nexthop
14572</pre>
14573
14574<pre>
14575# Certificate fingerprint verification (Postfix &ge; 2.5).
14576# The CA-less "fingerprint" security level only scales to a limited
14577# number of destinations. As a global default rather than a per-site
14578# setting, this is practical only when mail for all recipients is sent
14579# to a central mail hub.
14580<a href="postconf.5.html#relayhost">relayhost</a> = [mailhub.example.com]
14581<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = fingerprint
14582<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = &gt;=TLSv1.2
14583<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> = high
14584<a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> =
14585    3D:95:34:51:...:40:99:C0:C1
14586    EC:3B:2D:B0:...:A3:9D:72:F6
14587</pre>
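<p> Entries for smtp_tls_fingerprint_cert_match (or a policy table
"match" attribute) take the digest of the server certificate as
":"-separated hexadecimal byte pairs, as shown above. The Python helper
below is an added example, not Postfix code: it decodes a PEM
certificate, computes the digest selected by smtp_tls_fingerprint_digest,
and matches it against a list that may use "|" between alternatives. Its
sample PEM is a constructed stand-in whose body decodes to the bytes
"abc" rather than a real certificate, so the resulting digests are the
published SHA test vectors. </p>

```python
"""Certificate fingerprints in the form the "fingerprint" level matches.

Added example, not Postfix code.  The fingerprint level compares a digest
of the server certificate with the entries of smtp_tls_fingerprint_cert_match
(or a policy-table "match" attribute): hexadecimal byte pairs separated by
":", with "|" between alternatives in one value.  The digest algorithm is
the one named by smtp_tls_fingerprint_digest (sha256 by default with
Postfix >= 3.6 and compatibility level >= 3).
"""
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block in PEM text."""
    m = PEM_CERT.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, digest="sha256"):
    """Digest of DER bytes as upper-case hex pairs joined by ':'.

    For a real certificate this is the string that
    "openssl x509 -noout -fingerprint -sha256" prints after "Fingerprint=".
    """
    return ":".join(f"{b:02X}" for b in hashlib.new(digest, der).digest())


def expand_match(values):
    """Flatten match values, splitting alternatives joined with '|'."""
    return [fp.strip() for v in values for fp in v.split("|") if fp.strip()]


def matches(der, values, digest="sha256"):
    """True if the certificate's digest equals a configured fingerprint.

    Hex digits compare case-insensitively; the ':' separators are kept,
    so an entry must carry one pair per digest byte.
    """
    have = fingerprint(der, digest).lower()
    return any(have == want.lower() for want in expand_match(values))


# Constructed stand-in: the body decodes to b"abc", not to a real
# certificate, so the digests are the published SHA-256/SHA-1 test
# vectors and the example needs no CA or key material.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed match list in policy-table style: the first value holds two
# alternatives joined by '|' (one of them, in lower case, is the sample's
# real SHA-256 digest); the second is an unrelated placeholder.
SAMPLE_MATCH = [
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
    "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"
    "|ba:78:16:bf:8f:01:cf:ea:41:41:40:de:5d:ae:22:23:"
    "b0:03:61:a3:96:17:7a:9c:b4:10:ff:61:f2:00:15:ad",
    "FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:"
    "FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00",
]

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("sha256:", fingerprint(der))
    print("sha1:  ", fingerprint(der, "sha1"))
    print("matches sample policy:", matches(der, SAMPLE_MATCH))
```

<p> A public key fingerprint (Postfix 2.9 and later) is the same digest
computed over the certificate's SubjectPublicKeyInfo DER instead of the
whole certificate; those bytes can be passed to fingerprint() in place
of the certificate DER. </p>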
14588
14589<p> This feature is available in Postfix 2.3 and later. </p>
14590
14591
14592</DD>
14593
14594<DT><b><a name="smtp_tls_servername">smtp_tls_servername</a>
14595(default: empty)</b></DT><DD>
14596
14597<p> Optional name to send to the remote SMTP server in the TLS Server
14598Name Indication (SNI) extension.  The SNI extension is always on when
14599DANE is used to authenticate the server, and in that case the SNI name
sent is the one required by <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> and this parameter is ignored. </p>
14601
14602<p> Some SMTP servers use the received SNI name to select an appropriate
14603certificate chain to present to the client.  While this may improve
14604interoperability with such servers, it may reduce interoperability with
14605other servers that choose to abort the connection when they don't have a
14606certificate chain configured for the requested name.  Such servers
14607should select a default certificate chain and continue the handshake,
14608but some may not.  Therefore, absent DANE, no SNI name is sent by
14609default. </p>
14610
14611<p> The SNI name must be either a valid DNS hostname, or else one of the
14612special values <b>hostname</b> or <b>nexthop</b>, which select either the
14613remote hostname or the nexthop domain respectively.  DNS names for SNI must be
14614in A-label (punycode) form.  Invalid DNS names log a configuration error
14615warning and mail delivery is deferred.  </p>
14616
14617<p> Except when using a <a href="postconf.5.html#relayhost">relayhost</a> to forward all email, the only
14618sensible non-empty <a href="postconf.5.html">main.cf</a> setting for this parameter is
14619<b>hostname</b>.  Other non-empty values are only practical on a
14620per-destination basis via the <b>servername</b> attribute of the Postfix
14621TLS <a href="TLS_README.html#client_tls_policy">policy table</a>.  When
14622in doubt, leave this parameter empty, and configure per-destination SNI
14623as needed. </p>
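<p> Because an invalid SNI name defers delivery, it is worth validating
a candidate value before it is set. The Python helper below is an added
example, not Postfix code: it accepts the special words "hostname" and
"nexthop" or an empty value, converts a Unicode (U-label) name to
A-labels with Python's built-in "idna" codec, and applies
letter-digit-hyphen label rules that are this example's own
approximation of a valid DNS hostname, not Postfix's internal check. </p>

```python
"""Check an smtp_tls_servername value before it goes into main.cf or a
policy table "servername" attribute.

Added example, not Postfix code.  The text allows the special words
"hostname" and "nexthop", or a DNS hostname in A-label (punycode) form;
invalid names cause deferred deliveries.  Unicode names are converted with
Python's built-in "idna" codec.  The label syntax rules below are this
example's approximation of a valid DNS hostname, not Postfix's own check.
"""
import re

SPECIAL = {"hostname", "nexthop"}
# LDH label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def check_servername(value):
    """Return the value as it would be sent, or raise ValueError.

    An empty value is valid and means "send no SNI name" (the default).
    """
    value = value.strip()
    if value in SPECIAL or value == "":
        return value
    try:
        # U-labels become A-labels; labels that are already ASCII are kept.
        ascii_name = value.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError as err:
        raise ValueError(f"{value!r}: cannot convert to A-labels ({err})") from None
    if len(ascii_name) > 253:
        raise ValueError(f"{value!r}: longer than 253 characters")
    for label in ascii_name.split("."):
        if not LABEL.fullmatch(label):
            raise ValueError(f"{value!r}: invalid DNS label {label!r}")
    return ascii_name


def is_valid_servername(value):
    """Boolean convenience wrapper around check_servername()."""
    try:
        check_servername(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("hostname", "nexthop", "mail.example.com",
                      "bücher.example", "mail_host.example", "-bad.example"):
        try:
            print(f"{candidate!r:24} -> {check_servername(candidate)!r}")
        except ValueError as err:
            print(f"{candidate!r:24} -> rejected: {err}")
```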
14624
14625<p> This feature is available in Postfix 3.4 and later.  </p>
14626
14627
14628</DD>
14629
14630<DT><b><a name="smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
14631(default: empty)</b></DT><DD>
14632
14633<p> Name of the file containing the optional Postfix SMTP client
14634TLS session cache. Specify a database type that supports enumeration,
14635such as <b>btree</b> or <b>sdbm</b>; there is no need to support
14636concurrent access.  The file is created if it does not exist. The <a href="smtp.8.html">smtp(8)</a>
14637daemon does not use this parameter directly, rather the cache is
14638implemented indirectly in the <a href="tlsmgr.8.html">tlsmgr(8)</a> daemon. This means that
14639per-smtp-instance <a href="master.5.html">master.cf</a> overrides of this parameter are not effective.
Note that each of the cache databases supported by the <a href="tlsmgr.8.html">tlsmgr(8)</a> daemon:
14641$<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>, $<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
14642(and with Postfix 2.3 and later $<a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a>), needs to
14643be stored separately. It is not at this time possible to store multiple
14644caches in a single database. </p>
14645
14646<p> Note: <b>dbm</b> databases are not suitable. TLS
14647session objects are too large. </p>
14648
14649<p> As of version 2.5, Postfix no longer uses root privileges when
14650opening this file. The file should now be stored under the Postfix-owned
14651<a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to open the file
14652under a non-Postfix directory is redirected to the Postfix-owned
14653<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
14654
14655<p> Example: </p>
14656
14657<pre>
14658<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> = <a href="DATABASE_README.html#types">btree</a>:/var/db/postfix/smtp_scache
14659</pre>
14660
14661<p> This feature is available in Postfix 2.2 and later.  </p>
14662
14663
14664</DD>
14665
14666<DT><b><a name="smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a>
14667(default: 3600s)</b></DT><DD>
14668
14669<p> The expiration time of Postfix SMTP client TLS session cache
14670information.  A cache cleanup is performed periodically
14671every $<a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> seconds. As with
14672$<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>, this parameter is implemented in the
14673<a href="tlsmgr.8.html">tlsmgr(8)</a> daemon and therefore per-smtp-instance <a href="master.5.html">master.cf</a> overrides
14674are not possible. </p>
14675
14676<p> As of Postfix 2.11 this setting cannot exceed 100 days.  If set
14677&le; 0, session caching is disabled.  If set to a positive value
14678less than 2 minutes, the minimum value of 2 minutes is used instead.  </p>
14679
14680<p> Specify a non-zero time value (an integral value plus an optional
14681one-letter suffix that specifies the time unit).  Time units: s
14682(seconds), m (minutes), h (hours), d (days), w (weeks).
14683The default time unit is s (seconds).  </p>
14684
14685<p> This feature is available in Postfix 2.2 and later.  </p>
14686
14687
14688</DD>
14689
14690<DT><b><a name="smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>
14691(default: empty)</b></DT><DD>
14692
14693<p> Zero or more PEM-format files with trust-anchor certificates
14694and/or public keys.  If the parameter is not empty the root CAs in
14695CAfile and CApath are no longer trusted.  Rather, the Postfix SMTP
14696client will only trust certificate-chains signed by one of the
14697trust-anchors contained in the chosen files.  The specified
14698trust-anchor certificates and public keys are not subject to
14699expiration, and need not be (self-signed) root CAs.  They may, if
14700desired, be intermediate certificates. Therefore, these certificates
14701also may be found "in the middle" of the trust chain presented by
14702the remote SMTP server, and any untrusted issuing parent certificates
14703will be ignored.  Specify a list of pathnames separated by comma
14704or whitespace.  </p>
14705
14706<p>  Whether specified in <a href="postconf.5.html">main.cf</a>, or on a per-destination basis,
14707the trust-anchor PEM file must be accessible to the Postfix SMTP
14708client in the chroot jail if applicable.  The trust-anchor file
14709should contain only certificates and public keys, no private key
14710material, and must be readable by the non-privileged $<a href="postconf.5.html#mail_owner">mail_owner</a>
14711user.  This allows destinations to be bound to a set of specific
14712CAs or public keys without trusting the same CAs for all destinations.
14713</p>
14714
14715<p> The <a href="postconf.5.html">main.cf</a> parameter supports single-purpose Postfix installations
14716that send mail to a fixed set of SMTP peers.  At most sites, if
14717trust-anchor files are used at all, they will be specified on a
14718per-destination basis via the "tafile" attribute of the "verify"
14719and "secure" levels in <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>.  </p>
14720
14721<p> The underlying mechanism is in support of <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE TLSA),
14722which defines mechanisms for an SMTP client MTA to securely determine
14723server TLS certificates via DNS.  </p>
14724
14725<p> If you want your trust anchors to be public keys, with OpenSSL
14726you can extract a single PEM public key from a PEM X.509 file
14727containing a single certificate, as follows: </p>
14728
14729<blockquote>
14730<pre>
14731$ openssl x509 -in cert.pem -out ta-key.pem -noout -pubkey
14732</pre>
14733</blockquote>
14734
14735<p> This feature is available in Postfix 2.11 and later.  </p>
14736
14737
14738</DD>
14739
14740<DT><b><a name="smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a>
14741(default: hostname)</b></DT><DD>
14742
14743<p> How the Postfix SMTP client verifies the server certificate
14744peername for the
14745"verify" TLS security level. In a "verify" TLS policy table
14746($<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>) entry the optional "match" attribute
14747overrides this <a href="postconf.5.html">main.cf</a> setting. </p>
14748
14749<p> This parameter specifies one or more patterns or strategies separated
14750by commas, whitespace or colons.  In the policy table the only valid
14751separator is the colon character. </p>
14752
14753<p> Patterns specify domain names, or domain name suffixes: </p>
14754
14755<dl>
14756
14757<dt><i>example.com</i></dt> <dd> Match the <i>example.com</i> domain,
14758i.e. one of the names in the server certificate must be <i>example.com</i>.
14759Upper and lower case distinctions are ignored. </dd>
14760
14761<dt><i>.example.com</i></dt>
14762<dd> Match subdomains of the <i>example.com</i> domain, i.e. match
14763a name in the server certificate that consists of a non-zero number of
14764labels followed by a <i>.example.com</i> suffix. Case distinctions are
14765ignored.</dd>
14766
14767</dl>
14768
14769<p> Strategies specify a transformation from the next-hop domain
14770to the expected name in the server certificate: </p>
14771
14772<dl>
14773
14774<dt>nexthop</dt>
14775<dd> Match against the next-hop domain, which is either the recipient
14776domain, or the transport next-hop configured for the domain stripped of
14777any optional socket type prefix, enclosing square brackets and trailing
14778port. When MX lookups are not suppressed, this is the original nexthop
14779domain prior to the MX lookup, not the result of the MX lookup. For
14780LMTP delivery via UNIX-domain sockets, the verified next-hop name is
14781$<a href="postconf.5.html#myhostname">myhostname</a>.  This strategy is suitable for use with the "secure"
14782policy. Case is ignored.</dd>
14783
14784<dt>dot-nexthop</dt>
14785<dd> As above, but match server certificate names that are subdomains
14786of the next-hop domain. Case is ignored.</dd>
14787
14788<dt>hostname</dt> <dd> Match against the hostname of the server, often
14789obtained via an unauthenticated DNS MX lookup. For LMTP delivery via
14790UNIX-domain sockets, the verified name is $<a href="postconf.5.html#myhostname">myhostname</a>. This matches
14791the verification strategy of the "MUST" keyword in the obsolete
14792<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table, and is suitable for use with the "verify"
14793security level. When the next-hop name is enclosed in square brackets
14794to suppress MX lookups, the "hostname" strategy is the same as the
14795"nexthop" strategy. Case is ignored.</dd>
14796
14797</dl>
14798
14799<p>
14800Sample <a href="postconf.5.html">main.cf</a> setting:
14801</p>
14802
14803<pre>
14804<a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> = hostname, nexthop, dot-nexthop
14805</pre>
14806
14807<p>
14808Sample policy table override:
14809</p>
14810
14811<pre>
14812example.com     verify  match=hostname:nexthop
14813.example.com    verify  match=example.com:.example.com:hostname
14814</pre>
14815
14816<p> This feature is available in Postfix 2.3 and later. </p>
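<p> The following Python model of the patterns and strategies described
above is an added example, not Postfix code. The certificate names,
next-hop strings and the forged MX host name are constructed inputs;
the model covers only what this section documents (exact names,
".suffix" patterns, nexthop, dot-nexthop and hostname) and does not
model wildcard certificate names or LMTP over UNIX-domain sockets.
Its point is the difference between "hostname", which trusts a name
obtained from an unauthenticated MX lookup, and "nexthop", which does
not: </p>

```python
from __future__ import annotations

import re

# Added example, not Postfix code: a model of the smtp_tls_verify_cert_match
# patterns and strategies. Wildcard certificate names and LMTP over
# UNIX-domain sockets are out of scope.


def nexthop_domain(nexthop: str) -> tuple[str, bool]:
    """Strip an optional socket type prefix, enclosing [] and a trailing
    :port from a transport next-hop.  Returns (domain, mx_lookups_suppressed)."""
    host = nexthop.strip()
    for prefix in ("inet:", "unix:"):
        if host.lower().startswith(prefix):
            host = host[len(prefix):]
    if host.startswith("["):
        # "[name]" or "[name]:port": the brackets suppress MX lookups
        return host[1:host.index("]")].lower(), True
    return re.sub(r":\d+$", "", host).lower(), False


def parse_match_list(value: str, policy_table: bool = False) -> list[str]:
    """main.cf accepts commas, whitespace or colons as separators;
    a policy table "match=" attribute accepts only colons."""
    seps = r":" if policy_table else r"[,\s:]+"
    return [item for item in re.split(seps, value.strip()) if item]


def name_matches_pattern(cert_name: str, pattern: str) -> bool:
    """Case-insensitive match of one certificate name against one pattern.
    A ".example.com" pattern needs one or more labels before the suffix."""
    name = cert_name.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return name.endswith(pattern) and len(name) > len(pattern)
    return name == pattern


def cert_matches(cert_names: list[str], match_value: str, nexthop: str,
                 server_hostname: str, policy_table: bool = False) -> bool:
    """True if any certificate name satisfies any pattern or strategy.
    server_hostname is the (possibly MX-derived) name of the server."""
    domain, bracketed = nexthop_domain(nexthop)
    for item in parse_match_list(match_value, policy_table):
        if item == "nexthop":
            pattern = domain
        elif item == "dot-nexthop":
            pattern = "." + domain
        elif item == "hostname":
            # a bracketed next-hop makes "hostname" the same as "nexthop"
            pattern = domain if bracketed else server_hostname.lower()
        else:
            pattern = item
        if any(name_matches_pattern(n, pattern) for n in cert_names):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate MX certificate and a forged MX record
    # pointing at an attacker host that holds a valid certificate for itself.
    legit = ["mx1.example.com", "smtp.example.net"]
    forged = ["mx.attacker.example"]
    print(cert_matches(legit, "hostname", "example.com", "mx1.example.com"))
    print(cert_matches(forged, "hostname", "example.com", "mx.attacker.example"))
    print(cert_matches(forged, "nexthop, dot-nexthop", "example.com", "mx.attacker.example"))
```

With the constructed inputs, "hostname" accepts the forged MX host because
the attacker's certificate is valid for the name the (spoofed) MX record
returned, whereas "nexthop" and "dot-nexthop" reject it because neither name
is under example.com; this is why the "secure" level uses nexthop-based
matching.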
14817
14818
14819</DD>
14820
14821<DT><b><a name="smtp_tls_wrappermode">smtp_tls_wrappermode</a>
14822(default: no)</b></DT><DD>
14823
<p> Request that the Postfix SMTP client connect using the
SUBMISSIONS (formerly called SMTPS) protocol, i.e. TLS is negotiated
immediately after the TCP connection is established, instead of
using the STARTTLS command. </p>
14827
14828<p> This mode requires "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt" or
14829stronger. </p>
14830
14831<p> Example: deliver all remote mail via a provider's submissions
14832service at "mail.example.com".  </p>
14833
14834<pre>
14835/etc/postfix/<a href="postconf.5.html">main.cf</a>:
14836    # Client-side SUBMISSIONS requires "encrypt" or stronger.
14837    <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt
14838    <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes
14839    # The [] suppress MX lookups.
14840    <a href="postconf.5.html#relayhost">relayhost</a> = [mail.example.com]:submissions
14841</pre>
14842
14843<p> More examples are in <a href="TLS_README.html">TLS_README</a>, including examples for older
14844Postfix versions. </p>
14845
14846<p> This feature is available in Postfix 3.0 and later.  </p>
14847
14848
14849</DD>
14850
14851<DT><b><a name="smtp_tlsrpt_enable">smtp_tlsrpt_enable</a>
14852(default: no)</b></DT><DD>
14853
14854<p> Enable support for <a href="https://tools.ietf.org/html/rfc8460">RFC 8460</a> TLSRPT notifications. A mail receiving
14855domain can publish a TLSRPT policy in DNS, to request periodic
14856summaries of successful and failed SMTP over TLS connections to
14857their MX servers. This feature requires that Postfix is built
14858with a TLSRPT supporting library. </p>
14859
14860<p> See <a href="TLSRPT_README.html">TLSRPT_README</a> for configuration examples and additional
14861requirements for MTA-STS <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> plugins. </p>
14862
14863<p> This feature is available in Postfix &ge; 3.10. </p>
14864
14865
14866</DD>
14867
14868<DT><b><a name="smtp_tlsrpt_skip_reused_handshakes">smtp_tlsrpt_skip_reused_handshakes</a>
14869(default: yes)</b></DT><DD>
14870
14871<p> Do not report the TLSRPT status for TLS protocol handshakes
14872that reuse a previously-negotiated TLS session (there is no new
14873information to report). Report the TLSRPT status only for "new" TLS
14874sessions. Set this to "no" to log the TLSRPT status of all TLS
14875handshakes, for example to troubleshoot Postfix TLSRPT support.
14876</p>
14877
<p> Note: if an SMTP over TLS connection is reused, there is no
second or subsequent TLS handshake to report. </p>
14880
14881<p> This feature is available in Postfix &ge; 3.10. </p>
14882
14883
14884</DD>
14885
14886<DT><b><a name="smtp_tlsrpt_socket_name">smtp_tlsrpt_socket_name</a>
14887(default: empty)</b></DT><DD>
14888
14889<p> The pathname of a UNIX-domain datagram socket that is managed
14890by a local TLSRPT reporting service. This parameter must specify a
14891pathname (absolute, or relative to $<a href="postconf.5.html#queue_directory">queue_directory</a>) when
14892"<a href="postconf.5.html#smtp_tlsrpt_enable">smtp_tlsrpt_enable</a> = yes". </p>
14893
14894<p> See <a href="TLSRPT_README.html">TLSRPT_README</a> for configuration examples and additional
14895requirements for MTA-STS <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> plugins. </p>
14896
14897<p> This feature is available in Postfix &ge; 3.10. </p>
14898
14899
14900</DD>
14901
14902<DT><b><a name="smtp_use_tls">smtp_use_tls</a>
14903(default: no)</b></DT><DD>
14904
14905<p> Opportunistic mode: use TLS when a remote SMTP server announces
14906STARTTLS support, otherwise send the mail in the clear. Beware:
14907some SMTP servers offer STARTTLS even if it is not configured.  With
14908Postfix &lt; 2.3, if the TLS handshake fails, and no other server is
14909available, delivery is deferred and mail stays in the queue. If this
14910is a concern for you, use the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> feature instead.  </p>
14911
14912<p> This feature is available in Postfix 2.2 and later. With
14913Postfix 2.3 and later use <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> instead. </p>
14914
14915
14916</DD>
14917
14918<DT><b><a name="smtp_xforward_timeout">smtp_xforward_timeout</a>
14919(default: 300s)</b></DT><DD>
14920
14921<p>
14922The Postfix SMTP client time limit for sending the XFORWARD command,
14923and for receiving the remote SMTP server response.
14924</p>
14925
14926<p> Specify a non-zero time value (an integral value plus an optional
14927one-letter suffix that specifies the time unit).  Time units: s
14928(seconds), m (minutes), h (hours), d (days), w (weeks).
14929The default time unit is s (seconds).  </p>
14930
14931<p>
14932This feature is available in Postfix 2.1 and later.
14933</p>
14934
14935
14936</DD>
14937
14938<DT><b><a name="smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a>
14939(default: $<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b></DT><DD>
14940
14941<p> What remote SMTP clients are allowed to specify the XVERP command.
14942This command requests that mail be delivered one recipient at a
14943time with a per recipient return address.  </p>
14944
14945<p> By default, no clients are allowed to specify XVERP.  </p>
14946
14947<p> This parameter was renamed with Postfix version 2.1. The default value
14948is backwards compatible with Postfix version 2.0.  </p>
14949
14950<p> Specify a list of network/netmask patterns, separated by commas
14951and/or whitespace. The mask specifies the number of bits in the
14952network part of a host address. You can also specify hostnames or
14953.domain names (the initial dot causes the domain to match any name
14954below it),  "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns.  A "/file/name"
14955pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table
14956is matched when a table entry matches a lookup string (the lookup
14957result is ignored).  Continue long lines by starting the next line
14958with whitespace. Specify "!pattern" to exclude an address or network
14959block from the list. The form "!/file/name" is supported only in
14960Postfix version 2.4 and later.  </p>
14961
14962<p> Note: IP version 6 address information must be specified inside
14963<tt>[]</tt> in the <a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> value, and in
14964files specified with "/file/name".  IP version 6 addresses contain
14965the ":" character, and would otherwise be confused with a "<a href="DATABASE_README.html">type:table</a>"
14966pattern.  </p>
14967
14968
14969</DD>
14970
14971<DT><b><a name="smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a>
14972(default: empty)</b></DT><DD>
14973
14974<p>
14975What remote SMTP clients are allowed to use the XCLIENT feature.  This
14976command overrides remote SMTP client information that is used for access
14977control. Typical use is for SMTP-based content filters, fetchmail-like
14978programs, or SMTP server access rule testing. See the <a href="XCLIENT_README.html">XCLIENT_README</a>
14979document for details.
14980</p>
14981
14982<p>
14983This feature is available in Postfix 2.1 and later.
14984</p>
14985
14986<p>
14987By default, no clients are allowed to specify XCLIENT.
14988</p>
14989
14990<p>
14991Specify a list of network/netmask patterns, separated by commas
14992and/or whitespace. The mask specifies the number of bits in the
14993network part of a host address. You can also specify hostnames or
14994.domain names (the initial dot causes the domain to match any name
14995below it),  "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns.  A "/file/name"
14996pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table
14997is matched when a table entry matches a lookup string (the lookup
14998result is ignored).  Continue long lines by starting the next line
14999with whitespace. Specify "!pattern" to exclude an address or network
15000block from the list. The form "!/file/name" is supported only in
15001Postfix version 2.4 and later.  </p>
15002
15003<p> Note: IP version 6 address information must be specified inside
15004<tt>[]</tt> in the <a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> value, and in
15005files specified with "/file/name".  IP version 6 addresses contain
15006the ":" character, and would otherwise be confused with a "<a href="DATABASE_README.html">type:table</a>"
15007pattern.  </p>
15008
15009
15010</DD>
15011
15012<DT><b><a name="smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a>
15013(default: empty)</b></DT><DD>
15014
15015<p>
15016What remote SMTP clients are allowed to use the XFORWARD feature.  This
15017command forwards information that is used to improve logging after
15018SMTP-based content filters. See the <a href="XFORWARD_README.html">XFORWARD_README</a> document for
15019details.
15020</p>
15021
15022<p>
15023This feature is available in Postfix 2.1 and later.
15024</p>
15025
15026<p>
15027By default, no clients are allowed to specify XFORWARD.
15028</p>
15029
15030<p>
15031Specify a list of network/netmask patterns, separated by commas
15032and/or whitespace. The mask specifies the number of bits in the
15033network part of a host address. You can also specify hostnames or
15034.domain names (the initial dot causes the domain to match any name
15035below it),  "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns.  A "/file/name"
15036pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table
15037is matched when a table entry matches a lookup string (the lookup
15038result is ignored).  Continue long lines by starting the next line
15039with whitespace. Specify "!pattern" to exclude an address or network
15040block from the list. The form "!/file/name" is supported only in
15041Postfix version 2.4 and later.  </p>
15042
15043<p> Note: IP version 6 address information must be specified inside
15044<tt>[]</tt> in the <a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> value, and in
15045files specified with "/file/name".  IP version 6 addresses contain
15046the ":" character, and would otherwise be confused with a "<a href="DATABASE_README.html">type:table</a>"
15047pattern.  </p>
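<p> The Python model below is an added example, not Postfix code. It
implements the pattern-list syntax shared by <a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a>,
<a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> and <a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a>:
network/netmask patterns, hostnames, ".domain" suffixes, "!pattern"
exclusions, and the rule that IPv6 addresses must be written inside
<tt>[]</tt>. The pattern list and client addresses are constructed
inputs; "/file/name" and "<a href="DATABASE_README.html">type:table</a>" patterns are recognised but
not resolved (an assumption of this model, which has no file or table
access), which is exactly what makes an unbracketed IPv6 address fail:
</p>

```python
from __future__ import annotations

import ipaddress
import re

# Added example, not Postfix code: a model of the network/netmask pattern
# lists accepted by the smtpd_authorized_* parameters.  "/file/name" and
# "type:table" patterns are recognised but not resolved here (assumption:
# no file or table access in this model).

_BRACKETED = re.compile(r"^\[([^\]]+)\](?:/(\d+))?$")


def parse_pattern_list(value: str) -> list[str]:
    """Split on commas and/or whitespace; continuation lines are whitespace."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def _network_of(pattern: str):
    """Return the network a pattern denotes, or None if it is not an address."""
    m = _BRACKETED.match(pattern)
    if m:
        # IPv6 must be written as [addr] or [addr]/prefix
        text = m.group(1) + (f"/{m.group(2)}" if m.group(2) else "")
        return ipaddress.ip_network(text, strict=False)
    try:
        return ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return None  # a hostname or .domain pattern


def _pattern_matches(pattern: str, addr, client_name: str) -> bool:
    if pattern.startswith("/"):
        raise ValueError(f"/file/name pattern not resolved in this model: {pattern!r}")
    if ":" in pattern and not pattern.startswith("["):
        # An unbracketed ":" is a "type:table" lookup, never an IPv6 address.
        raise ValueError(f"type:table pattern not resolved in this model: {pattern!r}")
    net = _network_of(pattern)
    if net is not None:
        return addr in net  # False when the IP versions differ
    name = client_name.lower().rstrip(".")
    if pattern.startswith("."):
        suffix = pattern.lower()
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern.lower()


def client_is_authorized(value: str, client_ip: str, client_name: str = "") -> bool:
    """First matching pattern wins; a matching "!pattern" excludes the client."""
    addr = ipaddress.ip_address(client_ip)
    for raw in parse_pattern_list(value):
        negate = raw.startswith("!")
        pattern = raw[1:] if negate else raw
        if _pattern_matches(pattern, addr, client_name):
            return not negate
    return False


if __name__ == "__main__":
    # Constructed list: loopback, one excluded host inside an allowed /24,
    # a documentation IPv6 block and a content-filter domain.
    acl = "127.0.0.1 [::1]/128 !192.0.2.5 192.0.2.0/24 [2001:db8::]/32 .filter.example.com"
    for ip, name in (("192.0.2.5", ""), ("192.0.2.7", ""),
                     ("203.0.113.9", "scanner.filter.example.com")):
        print(ip, name, client_is_authorized(acl, ip, name))
```

Order matters: "!192.0.2.5" must precede "192.0.2.0/24", otherwise the
/24 pattern matches first and the exclusion is never consulted.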
15048
15049
15050</DD>
15051
15052<DT><b><a name="smtpd_banner">smtpd_banner</a>
15053(default: $<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b></DT><DD>
15054
15055<p>
15056The text that follows the 220 status code in the SMTP greeting
15057banner. Some people like to see the mail version advertised. By
15058default, Postfix shows no version.
15059</p>
15060
15061<p>
15062You MUST specify $<a href="postconf.5.html#myhostname">myhostname</a> at the start of the text. This is
15063required by the SMTP protocol.
15064</p>
15065
15066<p>
15067Example:
15068</p>
15069
15070<pre>
15071<a href="postconf.5.html#smtpd_banner">smtpd_banner</a> = $<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a> ($<a href="postconf.5.html#mail_version">mail_version</a>)
15072</pre>
15073
15074
15075</DD>
15076
15077<DT><b><a name="smtpd_client_auth_rate_limit">smtpd_client_auth_rate_limit</a>
15078(default: 0)</b></DT><DD>
15079
15080<p>
15081The maximal number of AUTH commands that any client is allowed to
15082send to this service per time unit, regardless of whether or not
15083Postfix actually accepts those commands.  The time unit is specified
15084with the <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> configuration parameter.
15085</p>
15086
15087<p>
15088By default, there is no limit on the number of AUTH commands that a
15089client may send.
15090</p>
15091
15092<p>
15093To disable this feature, specify a limit of 0.
15094</p>
15095
15096<p>
15097WARNING: The purpose of this feature is to limit abuse. It must
15098not be used to regulate legitimate mail traffic.
15099</p>
15100
15101<p>
15102This feature is available in Postfix 3.1 and later.
15103</p>
15104
15105
15106</DD>
15107
15108<DT><b><a name="smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>
15109(default: 50)</b></DT><DD>
15110
15111<p>
15112How many simultaneous connections any client is allowed to
15113make to this service.  By default, the limit is set to half
15114the default process limit value.
15115</p>
15116
15117<p>
15118To disable this feature, specify a limit of 0.
15119</p>
15120
15121<p>
15122WARNING: The purpose of this feature is to limit abuse. It must
15123not be used to regulate legitimate mail traffic.
15124</p>
15125
15126<p>
15127This feature is available in Postfix 2.2 and later.
15128</p>
15129
15130
15131</DD>
15132
15133<DT><b><a name="smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a>
15134(default: 0)</b></DT><DD>
15135
15136<p>
15137The maximal number of connection attempts any client is allowed to
15138make to this service per time unit.  The time unit is specified
15139with the <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> configuration parameter.
15140</p>
15141
15142<p>
15143By default, a client can make as many connections per time unit as
15144Postfix can accept.
15145</p>
15146
15147<p>
15148To disable this feature, specify a limit of 0.
15149</p>
15150
15151<p>
15152WARNING: The purpose of this feature is to limit abuse. It must
15153not be used to regulate legitimate mail traffic.
15154</p>
15155
15156<p>
15157This feature is available in Postfix 2.2 and later.
15158</p>
15159
15160<p>
15161Example:
15162</p>
15163
15164<pre>
15165<a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> = 1000
15166</pre>
15167
15168
15169</DD>
15170
15171<DT><b><a name="smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a>
15172(default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
15173
15174<p>
15175Clients that are excluded from smtpd_client_*_count/rate_limit
15176restrictions. See the <a href="postconf.5.html#mynetworks">mynetworks</a> parameter
15177description for the parameter value syntax.
15178</p>
15179
15180<p>
15181By default, clients in trusted networks are excluded. Specify a
15182list of network blocks, hostnames or .domain names (the initial
15183dot causes the domain to match any name below it).
15184</p>
15185
15186<p> Note: IP version 6 address information must be specified inside
15187<tt>[]</tt> in the <a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> value, and
15188in files specified with "/file/name".  IP version 6 addresses
15189contain the ":" character, and would otherwise be confused with a
15190"<a href="DATABASE_README.html">type:table</a>" pattern.  </p>
15191
15192<p> Pattern matching of domain names is controlled by the presence
15193or absence of "<a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a>" in the
15194<a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> parameter value (Postfix 3.0 and
15195later).  </p>
15196
15197<p>
15198This feature is available in Postfix 2.2 and later.
15199</p>
15200
15201
15202</DD>
15203
15204<DT><b><a name="smtpd_client_ipv4_prefix_length">smtpd_client_ipv4_prefix_length</a>
15205(default: 32)</b></DT><DD>
15206
15207<p> Aggregate smtpd_client_*_count and smtpd_client_*_rate statistics
15208by IPv4 network blocks with the specified network prefix. Aggregation
15209uses fewer <a href="anvil.8.html">anvil(8)</a> resources to maintain counters. By default,
15210aggregation is disabled for IPv4. </p>
15211
15212<p> This feature is available in Postfix 3.8 and later. </p>
15213
15214
15215</DD>
15216
15217<DT><b><a name="smtpd_client_ipv6_prefix_length">smtpd_client_ipv6_prefix_length</a>
15218(default: 84)</b></DT><DD>
15219
<p> Aggregate smtpd_client_*_count and smtpd_client_*_rate statistics
by IPv6 network blocks with the specified network prefix. Aggregation
uses fewer <a href="anvil.8.html">anvil(8)</a> resources to maintain counters. By default,
aggregation is enabled for IPv6.  </p>
15224
15225<p> This feature is available in Postfix 3.8 and later. </p>
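<p> The Python model below is an added example, not Postfix or <a href="anvil.8.html">anvil(8)</a>
code. It shows how a per-client event counter such as the one behind
<a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> behaves when the client address is
first reduced to its <a href="postconf.5.html#smtpd_client_ipv4_prefix_length">smtpd_client_ipv4_prefix_length</a> or
<a href="postconf.5.html#smtpd_client_ipv6_prefix_length">smtpd_client_ipv6_prefix_length</a> block, with the default /32 and /84
prefixes: two IPv6 clients in the same /84 share one counter, two IPv4
clients never do. The client addresses, the limit of 3 and the 60 second
time unit are constructed inputs; resetting the counter at the end of each
time unit, and taking the exemption list as plain CIDR strings rather than
<a href="postconf.5.html#mynetworks">mynetworks</a> syntax, are simplifying assumptions of this model: </p>

```python
from __future__ import annotations

import ipaddress

# Added example, not Postfix/anvil(8) code: a model of a per-client
# connection rate limit with prefix aggregation.  Counters reset when a
# time unit ends and exemptions are plain CIDR strings (assumptions of
# this model, not a description of anvil(8) internals).


class ClientRateLimiter:
    def __init__(self, rate_limit: int, time_unit: int = 60,
                 ipv4_prefix: int = 32, ipv6_prefix: int = 84,
                 exceptions: tuple[str, ...] = ("127.0.0.0/8", "::1/128")):
        self.rate_limit = rate_limit      # smtpd_client_connection_rate_limit; 0 disables
        self.time_unit = time_unit        # anvil_rate_time_unit, in seconds
        self.prefix = {4: ipv4_prefix, 6: ipv6_prefix}
        self.exceptions = [ipaddress.ip_network(x, strict=False) for x in exceptions]
        self._counters: dict[str, tuple[int, int]] = {}  # key -> (window start, count)

    def counter_key(self, client_ip: str) -> str:
        """Map the client to its aggregation block; /32 and /128 give one
        counter per address, shorter prefixes share a counter per block."""
        addr = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)
        return str(net)

    def is_exempt(self, client_ip: str) -> bool:
        """smtpd_client_event_limit_exceptions: trusted clients are not counted."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.exceptions)

    def connect(self, client_ip: str, now: int) -> bool:
        """Record one connection attempt at time 'now' (seconds) and return
        True if it is within the limit for the client's block."""
        if self.rate_limit == 0 or self.is_exempt(client_ip):
            return True
        key = self.counter_key(client_ip)
        start, count = self._counters.get(key, (now, 0))
        if now - start >= self.time_unit:
            start, count = now, 0      # a new time unit starts a new count
        count += 1
        self._counters[key] = (start, count)
        return count <= self.rate_limit


if __name__ == "__main__":
    # Constructed scenario: limit 3 per 60 s, default prefixes.
    lim = ClientRateLimiter(rate_limit=3, time_unit=60)
    for t, ip in enumerate(["2001:db8::1", "2001:db8::1", "2001:db8::1", "2001:db8::2"]):
        print(t, ip, lim.counter_key(ip), lim.connect(ip, t))
```

The fourth IPv6 connection is rejected even though it comes from a
different address, because 2001:db8::1 and 2001:db8::2 fall in the same
/84 block; with IPv4 at /32 the equivalent pair of clients gets separate
counters. Shortening the IPv4 prefix (for example to 24) reproduces the
shared-counter behaviour for IPv4 as well.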
15226
15227
15228</DD>
15229
15230<DT><b><a name="smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a>
15231(default: 0)</b></DT><DD>
15232
15233<p>
15234The maximal number of message delivery requests that any client is
15235allowed to make to this service per time unit, regardless of whether
15236or not Postfix actually accepts those messages.  The time unit is
15237specified with the <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> configuration parameter.
15238</p>
15239
15240<p>
15241By default, a client can send as many message delivery requests
15242per time unit as Postfix can accept.
15243</p>
15244
15245<p>
15246To disable this feature, specify a limit of 0.
15247</p>
15248
15249<p>
15250WARNING: The purpose of this feature is to limit abuse. It must
15251not be used to regulate legitimate mail traffic.
15252</p>
15253
15254<p>
15255This feature is available in Postfix 2.2 and later.
15256</p>
15257
15258<p>
15259Example:
15260</p>
15261
15262<pre>
15263<a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> = 1000
15264</pre>
15265
15266
15267</DD>
15268
15269<DT><b><a name="smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a>
15270(default: 0)</b></DT><DD>
15271
15272<p>
15273The maximal number of new (i.e., uncached) TLS sessions that a
15274remote SMTP client is allowed to negotiate with this service per
15275time unit.  The time unit is specified with the <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a>
15276configuration parameter.
15277</p>
15278
15279<p>
15280By default, a remote SMTP client can negotiate as many new TLS
15281sessions per time unit as Postfix can accept.
15282</p>
15283
15284<p>
15285To disable this feature, specify a limit of 0. Otherwise, specify
15286a limit that is at least the per-client concurrent session limit,
15287or else legitimate client sessions may be rejected.
15288</p>
15289
15290<p>
15291WARNING: The purpose of this feature is to limit abuse. It must
15292not be used to regulate legitimate mail traffic.
15293</p>
15294
15295<p>
15296This feature is available in Postfix 2.3 and later.
15297</p>
15298
15299<p>
15300Example:
15301</p>
15302
15303<pre>
15304<a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> = 100
15305</pre>
15306
15307
15308</DD>
15309
15310<DT><b><a name="smtpd_client_port_logging">smtpd_client_port_logging</a>
15311(default: no)</b></DT><DD>
15312
15313<p> Enable logging of the remote SMTP client port in addition to
15314the hostname and IP address. The logging format is "host[address]:port".
15315</p>
15316
15317<p> This feature is available in Postfix 2.5 and later. </p>
15318
15319
15320</DD>
15321
15322<DT><b><a name="smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a>
15323(default: 0)</b></DT><DD>
15324
15325<p>
15326The maximal number of recipient addresses that any client is allowed
15327to send to this service per time unit, regardless of whether or not
15328Postfix actually accepts those recipients.  The time unit is specified
15329with the <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> configuration parameter.
15330</p>
15331
15332<p>
15333By default, a client can send as many recipient addresses per time
15334unit as Postfix can accept.
15335</p>
15336
15337<p>
15338To disable this feature, specify a limit of 0.
15339</p>
15340
15341<p>
15342WARNING: The purpose of this feature is to limit abuse. It must
15343not be used to regulate legitimate mail traffic.
15344</p>
15345
15346<p>
15347This feature is available in Postfix 2.2 and later.
15348</p>
15349
15350<p>
15351Example:
15352</p>
15353
15354<pre>
15355<a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> = 1000
15356</pre>
15357
15358
15359</DD>
15360
15361<DT><b><a name="smtpd_client_restrictions">smtpd_client_restrictions</a>
15362(default: empty)</b></DT><DD>
15363
15364<p>
15365Optional restrictions that the Postfix SMTP server applies in the
15366context of a client connection request.
15367See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
15368restriction lists" for a discussion of evaluation context and time.
15369</p>
15370
15371<p>
15372The default is to allow all connection requests.
15373</p>
15374
15375<p>
15376Specify a list of restrictions, separated by commas and/or whitespace.
15377Continue long lines by starting the next line with whitespace.
15378Restrictions are applied in the order as specified; the first
15379restriction that matches wins.
15380</p>
15381
15382<p>
15383The following restrictions are specific to client hostname or
15384client network address information.
15385</p>
15386
15387<dl>
15388
15389<dt><b><a name="check_ccert_access">check_ccert_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15390
15391<dd> By default use the remote SMTP client certificate fingerprint
15392or the public key
15393fingerprint (Postfix 2.9 and later) as the lookup key for the specified
15394<a href="access.5.html">access(5)</a> database; with Postfix version 2.2, also require that the
15395remote SMTP client certificate is verified successfully.
15396The fingerprint digest algorithm is configurable via the
15397<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
15398Postfix version 2.5).  This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
15399= yes" and is available with Postfix version
154002.2 and later. </dd>
15401
15402<dd> The default algorithm is <b>sha256</b> with Postfix &ge; 3.6
15403and the <b><a href="postconf.5.html#compatibility_level">compatibility_level</a></b> set to 3.6 or higher. With Postfix
15404&le; 3.5, the default algorithm is <b>md5</b>.  The best-practice
15405algorithm is now <b>sha256</b>. Recent advances in hash function
15406cryptanalysis have led to md5 and sha1 being deprecated in favor of
15407sha256.  However, as long as there are no known "second pre-image"
15408attacks against the older algorithms, their use in this context, though
15409not recommended, is still likely safe.  </dd>
15410
15411<dd> Alternatively, <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> accepts an explicit search
15412order (Postfix 3.5 and later). The default search order as described
15413above corresponds with: </dd>
15414
15415<dd> <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> { <a href="DATABASE_README.html">type:table</a>, { search_order = cert_fingerprint,
15416pubkey_fingerprint } } </dd>
15417
15418<dd> The commas are optional. </dd>
15419
15420<dt><b><a name="check_client_access">check_client_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15421
15422<dd>Search the specified access database for the client hostname
15423or IP address. See the <a href="access.5.html">access(5)</a> manual page for details. </dd>
15424
15425<dt><b><a name="check_client_a_access">check_client_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15426
15427<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for the
15428client hostname, and execute the corresponding action.  Note: a result
15429of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
15430to exclude specific hosts from denylists.  This feature is available
15431in Postfix 3.0 and later.  </dd>
15432
15433<dt><b><a name="check_client_mx_access">check_client_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15434
15435<dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for the
15436client hostname, and execute the corresponding action.  If no MX
15437record is found, look up A or AAAA records, just like the Postfix
15438SMTP client would. Note: a result
15439of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
15440to exclude specific hosts from denylists.  This feature is available
15441in Postfix 2.7 and later.  </dd>
15442
15443<dt><b><a name="check_client_ns_access">check_client_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15444
15445<dd>Search the specified <a href="access.5.html">access(5)</a> database for the DNS servers for
15446the client hostname, and execute the corresponding action.  Note: a
15447result of "OK" is not allowed for safety reasons. Instead, use DUNNO
15448in order to exclude specific hosts from denylists.  This feature is
15449available in Postfix 2.7 and later.  </dd>
15450
15451<dt><b><a name="check_reverse_client_hostname_access">check_reverse_client_hostname_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15452
15453<dd>Search the specified access database for the unverified reverse
15454client hostname or IP address. See the <a href="access.5.html">access(5)</a>
15455manual page for details.  Note: a result of "OK" is not allowed for
15456safety reasons.  Instead, use DUNNO in order to exclude specific
15457hosts from denylists.  This feature is available in Postfix 2.6
15458and later.</dd>
15459
15460<dt><b><a name="check_reverse_client_hostname_a_access">check_reverse_client_hostname_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15461
15462<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for the
15463unverified reverse client hostname, and execute the corresponding
15464action.  Note: a result of "OK" is not allowed for safety reasons.
15465Instead, use DUNNO in order to exclude specific hosts from denylists.
15466This feature is available in Postfix 3.0 and later.  </dd>
15467
15468<dt><b><a name="check_reverse_client_hostname_mx_access">check_reverse_client_hostname_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15469
15470<dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for the
15471unverified reverse client hostname, and execute the corresponding
15472action.  If no MX record is found, look up A or AAAA records, just
15473like the Postfix SMTP client would.
15474Note: a result of "OK" is not allowed for safety reasons.
15475Instead, use DUNNO in order to exclude specific hosts from denylists.
15476This feature is available in Postfix 2.7 and later.  </dd>
15477
15478<dt><b><a name="check_reverse_client_hostname_ns_access">check_reverse_client_hostname_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15479
15480<dd>Search the specified <a href="access.5.html">access(5)</a> database for the DNS servers for
15481the unverified reverse client hostname, and execute the corresponding
15482action.  Note: a result of "OK" is not allowed for safety reasons.
15483Instead, use DUNNO in order to exclude specific hosts from denylists.
15484This feature is available in Postfix 2.7 and later.  </dd>
15485
15486<dt><b><a name="check_sasl_access">check_sasl_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
15487
15488<dd> Use the remote SMTP client SASL user name as the lookup key for
15489the specified <a href="access.5.html">access(5)</a> database. The lookup key has the form
15490"username@domainname" when the <a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> parameter
15491value is non-empty.  Unlike the <a href="postconf.5.html#check_client_access">check_client_access</a> feature,
15492<a href="postconf.5.html#check_sasl_access">check_sasl_access</a> does not perform matches of parent domains or IP
15493subnet ranges.  This feature is available with Postfix version 2.11
15494and later. </dd>
15495
15496<dt><b><a name="permit_inet_interfaces">permit_inet_interfaces</a></b></dt>
15497
15498<dd>Permit the request when the client IP address matches
15499$<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>. </dd>
15500
15501<dt><b><a name="permit_mynetworks">permit_mynetworks</a></b></dt>
15502
15503<dd>Permit the request when the client IP address matches any
15504network or network address listed in  $<a href="postconf.5.html#mynetworks">mynetworks</a>. </dd>
15505
15506<dt><b><a name="permit_sasl_authenticated">permit_sasl_authenticated</a></b></dt>
15507
15508<dd> Permit the request when the client is successfully
15509authenticated via the <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH) protocol. </dd>
15510
15511<dt><b><a name="permit_tls_all_clientcerts">permit_tls_all_clientcerts</a></b></dt>
15512
15513<dd> Permit the request when the remote SMTP client certificate is
15514verified successfully.  This option must be used only if a special
15515CA issues the certificates and only this CA is listed as a trusted
15516CA. Otherwise, clients with a third-party certificate would also
15517be allowed to relay.  Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
15518trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
15519to prevent Postfix from appending the system-supplied default CAs.
15520This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes" and is available
15521with Postfix version 2.2 and later.</dd>
15522
15523<dt><b><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></b></dt>
15524
15525<dd>Permit the request when the remote SMTP client certificate
15526fingerprint or public key fingerprint (Postfix 2.9 and later) is
15527listed in $<a href="postconf.5.html#relay_clientcerts">relay_clientcerts</a>.
15528The fingerprint digest algorithm is configurable via the
15529<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> parameter (hard-coded as md5 prior to
15530Postfix version 2.5).  This feature requires "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
15531= yes" and is available with Postfix version 2.2 and later.</dd>
15532
15533<dd> The default algorithm is <b>sha256</b> with Postfix &ge; 3.6
15534and the <b><a href="postconf.5.html#compatibility_level">compatibility_level</a></b> set to 3.6 or higher. With Postfix
15535&le; 3.5, the default algorithm is <b>md5</b>.  The best-practice
15536algorithm is now <b>sha256</b>. Recent advances in hash function
15537cryptanalysis have led to md5 and sha1 being deprecated in favor of
15538sha256.  However, as long as there are no known "second pre-image"
15539attacks against the older algorithms, their use in this context, though
15540not recommended, is still likely safe.  </dd>
15541
15542<dt><b><a name="reject_rbl_client">reject_rbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
15543
15544<dd>Reject the request when the reversed client network address is
15545listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>
15546(Postfix version 2.1 and later only).  Each "<i>d</i>" is a number,
15547or a pattern inside "[]" that contains one or more ";"-separated
15548numbers or number..number ranges (Postfix version 2.8 and later).
15549If no "<i>=d.d.d.d</i>" is specified, reject the request when the
15550reversed client network address is listed with any A record under
15551<i>rbl_domain</i>. <br>
15552The <a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> parameter specifies the response code for
15553rejected requests (default:  554), the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a>  parameter
15554specifies the default server reply, and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a>  parameter
15555specifies tables with server replies indexed by <i>rbl_domain</i>.
15556This feature is available in Postfix 2.0 and later.  </dd>
15557
15558<dt><b><a name="permit_dnswl_client">permit_dnswl_client <i>dnswl_domain=d.d.d.d</i></a></b></dt>
15559
15560<dd>Accept the request when the reversed client network address is
15561listed with the A record "<i>d.d.d.d</i>" under <i>dnswl_domain</i>.
15562Each "<i>d</i>" is a number, or a pattern inside "[]" that contains
15563one or more ";"-separated numbers or number..number ranges.
15564If no "<i>=d.d.d.d</i>" is specified, accept the request when the
15565reversed client network address is listed with any A record under
15566<i>dnswl_domain</i>. <br> For safety, <a href="postconf.5.html#permit_dnswl_client">permit_dnswl_client</a> is silently
15567ignored when it would override <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>.  The
15568result is DEFER_IF_REJECT when allowlist lookup fails.  This feature
15569is available in Postfix 2.8 and later.  </dd>
15570
15571<dt><b><a name="reject_rhsbl_client">reject_rhsbl_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
15572
15573<dd>Reject the request when the client hostname is listed with the
15574A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix version
155752.1 and later only).  Each "<i>d</i>" is a number, or a pattern
15576inside "[]" that contains one or more ";"-separated numbers or
15577number..number ranges (Postfix version 2.8 and later).  If no
15578"<i>=d.d.d.d</i>" is specified, reject the request when the client
15579hostname is listed with
15580any A record under <i>rbl_domain</i>. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>
15581description above for additional RBL related configuration parameters.
15582This feature is available in Postfix 2.0 and later; with Postfix
15583version 2.8 and later, <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a> will usually
15584produce better results.  </dd>
15585
15586<dt><b><a name="permit_rhswl_client">permit_rhswl_client <i>rhswl_domain=d.d.d.d</i></a></b></dt>
15587
15588<dd>Accept the request when the client hostname is listed with the
15589A record "<i>d.d.d.d</i>" under <i>rhswl_domain</i>.  Each "<i>d</i>"
15590is a number, or a pattern inside "[]" that contains one or more
15591";"-separated numbers or number..number ranges. If no
15592"<i>=d.d.d.d</i>" is specified, accept the request when the client
15593hostname is listed with any A record under <i>rhswl_domain</i>.
15594<br> Caution: client name allowlisting is fragile, since the client
15595name lookup can fail due to temporary outages.  Client name
15596allowlisting should be used only to reduce false positives in e.g.
15597DNS-based blocklists, and not for making access rule exceptions.
15598<br> For safety, <a href="postconf.5.html#permit_rhswl_client">permit_rhswl_client</a> is silently ignored when it
15599would override <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>.  The result is DEFER_IF_REJECT
15600when allowlist lookup fails.  This feature is available in Postfix
156012.8 and later.  </dd>
15602
15603<dt><b><a name="reject_rhsbl_reverse_client">reject_rhsbl_reverse_client <i>rbl_domain=d.d.d.d</i></a></b></dt>
15604
15605<dd>Reject the request when the unverified reverse client hostname
15606is listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>.
15607Each "<i>d</i>" is a number, or a pattern inside "[]" that contains
15608one or more ";"-separated numbers or number..number ranges.
15609If no "<i>=d.d.d.d</i>" is specified, reject the request when the
15610unverified reverse client hostname is listed with any A record under
15611<i>rbl_domain</i>. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> description above for
15612additional RBL related configuration parameters.  This feature is
15613available in Postfix 2.8 and later.  </dd>
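<dd> <p> Added example (not Postfix code): a Python emulation of the reversed-address lookup and the "<i>d.d.d.d</i>" reply patterns that <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> and <a href="postconf.5.html#permit_dnswl_client">permit_dnswl_client</a> apply, including the DEFER_IF_REJECT result when an allowlist lookup fails; the same pattern syntax is used by the rhsbl/rhswl variants above. It assumes a constructed answer table (FAKE_DNS) in place of real DNS, IPv4 clients only, and does not model the reject_unauth_destination override. </p>

```python
import ipaddress
import re


class TempDnsError(Exception):
    """Simulated SERVFAIL/timeout: the 'lookup fails' case on the page."""


# Constructed DNSBL/DNSWL answers (not a real zone): query name -> A records,
# or TempDnsError to simulate a temporary DNS failure.
FAKE_DNS = {
    "4.3.2.1.rbl.example": ["127.0.0.2", "127.0.0.11"],
    "9.8.7.6.rbl.example": ["127.0.0.4"],
    "2.0.0.10.dnswl.example": ["127.0.10.1"],
    "5.5.5.5.dnswl.example": TempDnsError,
}


def dns_query(name, dns=FAKE_DNS):
    """A records for name; [] when unlisted; raise on temporary failure."""
    answer = dns.get(name, [])
    if answer is TempDnsError:
        raise TempDnsError(name)
    return answer


def rbl_lookup_name(client_ip, rbl_domain):
    """Reversed IPv4 client address under rbl_domain: 1.2.3.4 -> 4.3.2.1.<domain>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + rbl_domain


_ELEM = re.compile(r"\[[^\]]*\]|\d+")      # one 'd': a [...] group or a number
_RANGE = re.compile(r"^(\d+)\.\.(\d+)$")   # number..number inside [...]


def _split_pattern(pattern):
    """Split 'd.d.d.d' into four elements; dots inside [...] do not separate."""
    parts = _ELEM.findall(pattern)
    if len(parts) != 4 or ".".join(parts) != pattern:
        raise ValueError("bad d.d.d.d pattern: %r" % pattern)
    return parts


def _elem_matches(elem, value):
    """A plain number, or [n;n;lo..hi;...] with ';'-separated alternatives."""
    if not elem.startswith("["):
        return int(elem) == value
    for alt in elem[1:-1].split(";"):
        m = _RANGE.match(alt)
        if m and int(m.group(1)) <= value <= int(m.group(2)):
            return True
        if alt.isdigit() and int(alt) == value:
            return True
    return False


def reply_matches(pattern, a_record):
    """True if the DNSBL answer (e.g. '127.0.0.2') matches the d.d.d.d pattern."""
    values = [int(x) for x in a_record.split(".")]
    return all(_elem_matches(e, v)
               for e, v in zip(_split_pattern(pattern), values))


def _listed(client_ip, spec, dns):
    """spec is 'domain' or 'domain=d.d.d.d'; is the reversed client listed?"""
    domain, _, pattern = spec.partition("=")
    records = dns_query(rbl_lookup_name(client_ip, domain), dns)
    if not pattern:
        return bool(records)            # no "=d.d.d.d": any A record counts
    return any(reply_matches(pattern, r) for r in records)


def reject_rbl_client(client_ip, spec, dns=FAKE_DNS):
    """'reject_rbl_client rbl_domain[=d.d.d.d]': REJECT when listed, else DUNNO.
    Simplification not stated on the page: a temporary DNS failure is
    treated as 'not listed', i.e. the denylist is simply not applied."""
    try:
        return "REJECT" if _listed(client_ip, spec, dns) else "DUNNO"
    except TempDnsError:
        return "DUNNO"


def permit_dnswl_client(client_ip, spec, dns=FAKE_DNS):
    """'permit_dnswl_client dnswl_domain[=d.d.d.d]': OK when listed, DUNNO
    when not, DEFER_IF_REJECT when the allowlist lookup fails temporarily."""
    try:
        return "OK" if _listed(client_ip, spec, dns) else "DUNNO"
    except TempDnsError:
        return "DEFER_IF_REJECT"


if __name__ == "__main__":
    print(reject_rbl_client("1.2.3.4", "rbl.example=127.0.0.[2..11]"))
    print(reject_rbl_client("6.7.8.9", "rbl.example=127.0.0.[2;3;10..11]"))
    print(permit_dnswl_client("5.5.5.5", "dnswl.example"))
```
</dd>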
15614
15615<dt><b><a name="reject_unknown_client_hostname">reject_unknown_client_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_client)</dt>
15616
15617<dd>Reject the request when 1) the client IP address-&gt;name mapping
15618fails, or 2) the name-&gt;address mapping fails, or 3) the name-&gt;address
15619mapping does not match the client IP address.  <br> This is a
15620stronger restriction than the <a href="postconf.5.html#reject_unknown_reverse_client_hostname">reject_unknown_reverse_client_hostname</a>
15621feature, which triggers only under condition 1) above. <br> The
15622<a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> parameter specifies the response code
15623for rejected requests (default: 450). The reply is always 450 in
15624case the address-&gt;name or name-&gt;address lookup failed due to
15625a temporary problem. </dd>
15626
15627<dt><b><a name="reject_unknown_reverse_client_hostname">reject_unknown_reverse_client_hostname</a></b></dt>
15628
15629<dd>Reject the request when the client IP address has no address-&gt;name
15630mapping. <br> This is a weaker restriction than the
15631<a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a> feature, which requires not only
15632that the address-&gt;name and name-&gt;address mappings exist, but
15633also that the two mappings reproduce the client IP address.  <br>
15634The <a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> parameter specifies the response
15635code for rejected requests (default: 450).  The reply is always 450
15636in case the address-&gt;name lookup failed due to a temporary
15637problem. <br> This feature is available in Postfix 2.3 and
15638later.  </dd>
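<dd> <p> Added example (not Postfix code): the three conditions of <a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a> next to the single condition of <a href="postconf.5.html#reject_unknown_reverse_client_hostname">reject_unknown_reverse_client_hostname</a>, with the forced 450 reply on a temporary lookup failure. It assumes a constructed PTR/A table (PTR_RECORDS, A_RECORDS) in place of real DNS, with reject_code standing in for unknown_client_reject_code and TempDnsError for a temporary failure. </p>

```python
class TempDnsError(Exception):
    """Simulated SERVFAIL/timeout: a temporary lookup problem."""


# Constructed DNS data (not real): address->name (PTR) and name->address (A)
# answers. [] is a definitive "no such record"; TempDnsError simulates a
# temporary failure.
PTR_RECORDS = {
    "192.0.2.10": ["mail.example.org"],      # forward and reverse agree
    "192.0.2.20": ["spoof.example.net"],     # name resolves to another IP
    "192.0.2.30": [],                        # no address->name mapping
    "192.0.2.40": TempDnsError,              # reverse lookup times out
    "192.0.2.50": ["dangling.example.org"],  # name has no address
}
A_RECORDS = {
    "mail.example.org": ["192.0.2.10"],
    "spoof.example.net": ["198.51.100.7"],
    "dangling.example.org": [],
}


def _lookup(table, key):
    """Answer list for key; [] when absent; raise on temporary failure."""
    answer = table.get(key, [])
    if answer is TempDnsError:
        raise TempDnsError(key)
    return answer


def reject_unknown_reverse_client_hostname(client_ip, reject_code=450,
                                           ptr=PTR_RECORDS):
    """Condition 1 only: reject when the client IP has no address->name
    mapping. Returns (action, smtp_code); a temporary failure always
    yields 450, whatever reject_code (unknown_client_reject_code) is."""
    try:
        names = _lookup(ptr, client_ip)
    except TempDnsError:
        return ("REJECT", 450)
    if not names:
        return ("REJECT", reject_code)
    return ("DUNNO", None)


def reject_unknown_client_hostname(client_ip, reject_code=450,
                                   ptr=PTR_RECORDS, fwd=A_RECORDS):
    """Conditions 1-3: address->name must exist, name->address must exist,
    and the name->address result must reproduce the client IP."""
    try:
        names = _lookup(ptr, client_ip)
        if not names:                                   # 1) no PTR
            return ("REJECT", reject_code)
        addresses = [ip for name in names for ip in _lookup(fwd, name)]
    except TempDnsError:
        return ("REJECT", 450)
    if not addresses:                                   # 2) no A/AAAA
        return ("REJECT", reject_code)
    if client_ip not in addresses:                      # 3) mismatch
        return ("REJECT", reject_code)
    return ("DUNNO", None)


if __name__ == "__main__":
    # Compare both restrictions with unknown_client_reject_code = 550.
    for ip in PTR_RECORDS:
        print(ip, reject_unknown_reverse_client_hostname(ip, 550),
              reject_unknown_client_hostname(ip, 550))
```
</dd>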
15639
15640</dl>
15641
15642<p>
15643In addition, you can use any of the following <a name="generic">
15644generic</a> restrictions.  These restrictions are applicable in
15645any SMTP command context.
15646</p>
15647
15648<dl>
15649
15650<dt><b><a name="check_policy_service">check_policy_service <i>servername</i></a></b></dt>
15651
15652<dd>Query the specified policy server. See the <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a>
15653document for details. This feature is available in Postfix 2.1
15654and later. </dd>
15655
15656<dt><b><a name="defer">defer</a></b></dt>
15657
15658<dd>Defer the request. The client is told to try again later. This
15659restriction is useful at the end of a restriction list, to make
15660the default policy explicit. <br> The <a href="postconf.5.html#defer_code">defer_code</a> parameter specifies
15661the SMTP server reply code (default: 450).</dd>
15662
15663<dt><b><a name="defer_if_permit">defer_if_permit</a></b></dt>
15664
15665<dd>Defer the request if some later restriction would result in an
15666explicit or implicit PERMIT action.  This is useful when a denylisting
15667feature fails due to a temporary problem.  This feature is available
15668in Postfix version 2.1 and later.  </dd>
15669
15670<dt><b><a name="defer_if_reject">defer_if_reject</a></b></dt>
15671
15672<dd>Defer the request if some later restriction would result in a
15673REJECT action.  This is useful when an allowlisting feature fails
15674due to a temporary problem.  This feature is available in Postfix
15675version 2.1 and later.  </dd>
15676
15677<dt><b><a name="permit">permit</a></b></dt>
15678
15679<dd>Permit the request. This restriction is useful at the end of
15680a restriction list, to make the default policy explicit.</dd>
15681
15682<dt><b><a name="reject_multi_recipient_bounce">reject_multi_recipient_bounce</a></b></dt>
15683
15684<dd>Reject the request when the envelope sender is the null address,
15685and the message has multiple envelope recipients. This usage has
15686rare but legitimate applications: under certain conditions,
15687multi-recipient mail that was posted with the DSN option NOTIFY=NEVER
15688may be forwarded with the null sender address.
15689<br> Note: this restriction can only work reliably
15690when used in <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> or
15691<a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a>, because the total number of
15692recipients is not known at an earlier stage of the SMTP conversation.
Use at the RCPT stage will only reject the second and later recipients.
15694<br>
15695The <a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> parameter specifies the
15696response code for rejected requests (default:  550).  This feature
15697is available in Postfix 2.1 and later. </dd>
15698
15699<dt><b><a name="reject_plaintext_session">reject_plaintext_session</a></b></dt>
15700
15701<dd>Reject the request when the connection is not encrypted. This
15702restriction should not be used before the client has had a chance
15703to negotiate encryption with the AUTH or STARTTLS commands.
15704<br>
15705The <a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> parameter specifies the response
15706code for rejected requests (default:  450).  This feature is available
15707in Postfix 2.3 and later. </dd>
15708
15709<dt><b><a name="reject_unauth_pipelining">reject_unauth_pipelining</a></b></dt>
15710
15711<dd>Reject the request when the client sends SMTP commands ahead
15712of time where it is not allowed, or when the client sends SMTP
15713commands ahead of time without knowing that Postfix actually supports
15714ESMTP command pipelining. This stops mail from bulk mail software
15715that improperly uses ESMTP command pipelining in order to speed up
15716deliveries.
15717<br> With Postfix 2.6 and later, the SMTP server sets a per-session
15718flag whenever it detects illegal pipelining, including pipelined
15719HELO or EHLO commands. The <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a> feature simply
15720tests whether the flag was set at any point in time during the
15721session.
15722<br> With older Postfix versions, <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a> checks
15723the current status of the input read queue, and its usage is not
15724recommended in contexts other than <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a>.  </dd>
15725
15726<dt><b><a name="reject">reject</a></b></dt>
15727
15728<dd>Reject the request. This restriction is useful at the end of
15729a restriction list, to make the default policy explicit.  The
15730<a href="postconf.5.html#reject_code">reject_code</a> configuration parameter specifies the response code for
15731rejected requests (default: 554).</dd>
15732
15733<dt><b><a name="sleep">sleep <i>seconds</i></a></b></dt>
15734
15735<dd>Pause for the specified number of seconds and proceed with
15736the next restriction in the list, if any. This may stop zombie
15737mail when used as:
15738<pre>
15739/etc/postfix/<a href="postconf.5.html">main.cf</a>:
15740    <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> =
15741        sleep 1, <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>
15742    <a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> = no
15743</pre>
15744This feature is available in Postfix 2.3. </dd>
15745
15746<dt><b><a name="warn_if_reject">warn_if_reject</a></b></dt>
15747
15748<dd> A safety net for testing. When "<a href="postconf.5.html#warn_if_reject">warn_if_reject</a>" is placed
15749before a reject-type restriction, access table query, or
15750<a href="postconf.5.html#check_policy_service">check_policy_service</a> query, this logs a "reject_warning" message
15751instead of rejecting a request (when a reject-type restriction fails
15752due to a temporary error, this logs a "reject_warning" message for
15753any implicit "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" actions that would normally prevent
15754mail from being accepted by some later access restriction). This
15755feature has no effect on <a href="postconf.5.html#defer_if_reject">defer_if_reject</a> restrictions.  </dd>
15756
15757</dl>
15758
15759<p>
15760Other restrictions that are valid in this context:
15761</p>
15762
15763<ul>
15764
15765<li> SMTP command specific restrictions that are described under
15766the <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>, <a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> or
15767<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> parameters. When helo, sender or
15768recipient restrictions are listed under <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>,
15769they have effect only with "<a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> = yes", so that
15770$<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> is evaluated at the time of the RCPT TO
15771command.
15772
15773</ul>
15774
15775<p>
15776Example:
15777</p>
15778
15779<pre>
15780<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a>
15781</pre>
15782
15783
15784</DD>
15785
15786<DT><b><a name="smtpd_command_filter">smtpd_command_filter</a>
15787(default: empty)</b></DT><DD>
15788
15789<p> A mechanism to transform commands from remote SMTP clients.
15790This is a last-resort tool to work around client commands that break
15791interoperability with the Postfix SMTP server.  Other uses involve
15792fault injection to test Postfix's handling of invalid commands.
15793</p>
15794
15795<p> Specify the name of a "<a href="DATABASE_README.html">type:table</a>" lookup table. The search
15796string is the SMTP command as received from the remote SMTP client,
15797except that initial whitespace and the trailing &lt;CR&gt;&lt;LF&gt;
15798are removed.  The result value is executed by the Postfix SMTP
15799server.  </p>
15800
15801<p> There is no need to use <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> for the following
15802cases: </p>
15803
15804<ul>
15805
15806<li> <p> Use "<a href="postconf.5.html#resolve_numeric_domain">resolve_numeric_domain</a> = yes" to accept
15807"<i>user@ipaddress</i>". </p>
15808
15809<li> <p> Postfix already accepts the correct form
15810"<i>user@[ipaddress]</i>". Use <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> or <a href="postconf.5.html#canonical_maps">canonical_maps</a>
15811to translate these into domain names if necessary.  </p>
15812
15813<li> <p> Use "<a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> = no" to accept "RCPT TO:&lt;<i>User
15814Name &lt;user@example.com&gt;&gt;</i>". Postfix will ignore the "<i>User
15815Name</i>" part and deliver to the <i>&lt;user@example.com&gt;</i> address.
15816</p>
15817
15818</ul>
15819
15820<p> Examples of problems that can be solved with the <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>
15821feature: </p>
15822
15823<pre>
15824/etc/postfix/<a href="postconf.5.html">main.cf</a>:
15825    <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/command_filter
15826</pre>
15827
15828<pre>
15829/etc/postfix/command_filter:
15830    # Work around clients that send malformed HELO commands.
15831    /^HELO\s*$/ HELO domain.invalid
15832</pre>
15833
15834<pre>
15835    # Work around clients that send empty lines.
15836    /^\s*$/     NOOP
15837</pre>
15838
15839<pre>
15840    # Work around clients that send RCPT TO:&lt;'user@domain'&gt;.
15841    # WARNING: do not lose the parameters that follow the address.
15842    /^(RCPT\s+TO:\s*&lt;)'([^[:space:]]+)'(&gt;.*)/     $1$2$3
15843</pre>
15844
15845<pre>
15846    # Append XVERP to MAIL FROM commands to request VERP-style delivery.
15847    # See <a href="VERP_README.html">VERP_README</a> for more information on how to use Postfix VERP.
15848    /^(MAIL\s+FROM:\s*&lt;listname@example\.com&gt;.*)/   $1 XVERP
15849</pre>
15850
15851<pre>
15852    # Bounce-never mail sink. Use <a href="postconf.5.html#notify_classes">notify_classes</a>=bounce,resource,software
15853    # to send bounced mail to the postmaster (with message body removed).
15854    /^(RCPT\s+TO:\s*&lt;.*&gt;.*)\s+NOTIFY=\S+(.*)/     $1 NOTIFY=NEVER$2
15855    /^(RCPT\s+TO:.*)/                             $1 NOTIFY=NEVER
15856</pre>
15857
15858<p> This feature is available in Postfix 2.7. </p>
15859
15860
15861</DD>
15862
15863<DT><b><a name="smtpd_data_restrictions">smtpd_data_restrictions</a>
15864(default: empty)</b></DT><DD>
15865
15866<p>
15867Optional access restrictions that the Postfix SMTP server applies
15868in the context of the SMTP DATA command.
15869See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
15870restriction lists" for a discussion of evaluation context and time.
15871</p>
15872
15873<p>
15874This feature is available in Postfix 2.0 and later.
15875</p>
15876
15877<p>
15878Specify a list of restrictions, separated by commas and/or whitespace.
15879Continue long lines by starting the next line with whitespace.
15880Restrictions are applied in the order as specified; the first
15881restriction that matches wins.
15882</p>
15883
15884<p>
15885The following restrictions are valid in this context:
15886</p>
15887
15888<ul>
15889
15890<li><a href="#generic">Generic</a> restrictions that can be used
15891in any SMTP command context, described under <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>.
15892
15893<li>SMTP command specific restrictions described under
15894<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>,
15895<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> or <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
15896
15897<li>However, no recipient information is available in the case of
15898multi-recipient mail. Acting on only one recipient would be misleading,
15899because any decision will affect all recipients equally. Acting on
15900all recipients would require a possibly very large amount of memory,
15901and would also be misleading for the reasons mentioned before.
15902
15903</ul>
15904
15905<p>
15906Examples:
15907</p>
15908
15909<pre>
15910<a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> = <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>
15911<a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> = <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a>
15912</pre>
15913
15914
15915</DD>
15916
15917<DT><b><a name="smtpd_delay_open_until_valid_rcpt">smtpd_delay_open_until_valid_rcpt</a>
15918(default: yes)</b></DT><DD>
15919
15920<p> Postpone the start of an SMTP mail transaction until a valid
15921RCPT TO command is received. Specify "no" to create a mail transaction
15922as soon as the Postfix SMTP server receives a valid MAIL FROM
15923command. </p>
15924
15925<p> With sites that reject lots of mail, the default setting reduces
15926the use of
15927disk, CPU and memory resources. The downside is that rejected
15928recipients are logged with NOQUEUE instead of a mail transaction
15929ID (also known as a queue ID).
15930</p>
15931
15932<p> This feature is available in Postfix 2.3 and later. </p>
15933
15934
15935</DD>
15936
15937<DT><b><a name="smtpd_delay_reject">smtpd_delay_reject</a>
15938(default: yes)</b></DT><DD>
15939
15940<p>
15941Wait until the RCPT TO command before evaluating
15942$<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> and
15943$<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until the ETRN command before
15944evaluating $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>.
15945</p>
15946
15947<p>
This feature is turned on by default because some clients apparently
misbehave when the Postfix SMTP server rejects commands before
RCPT TO.
15951</p>
15952
15953<p>
15954The default setting has one major benefit: it allows Postfix to log
15955recipient address information when rejecting a client name/address
15956or sender address, so that it is possible to find out whose mail
15957is being rejected.
15958</p>
15959
15960
15961</DD>
15962
15963<DT><b><a name="smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>
15964(default: empty)</b></DT><DD>
15965
15966<p> Lookup tables, indexed by the remote SMTP client address, with
15967case insensitive lists of EHLO keywords (pipelining, starttls, auth,
15968etc.) that the Postfix SMTP server will not send in the EHLO response
15969to a
15970remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> for details.
15971The tables are not searched by hostname for robustness reasons.  </p>
15972
15973<p>
15974Specify zero or more "type:name" lookup tables, separated by
15975whitespace or comma. Tables will be searched in the specified order
15976until a match is found.
15977</p>
15978
15979<p> This feature is available in Postfix 2.2 and later. </p>
15980
15981
15982</DD>
15983
15984<DT><b><a name="smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>
15985(default: empty)</b></DT><DD>
15986
15987<p> A case insensitive list of EHLO keywords (pipelining, starttls,
15988auth, etc.) that the Postfix SMTP server will not send in the EHLO
15989response
15990to a remote SMTP client. </p>
15991
15992<p> This feature is available in Postfix 2.2 and later. </p>
15993
15994<p> Notes: </p>
15995
15996<ul>
15997
15998<li> <p> Specify the <b>silent-discard</b> pseudo keyword to prevent
15999this action from being logged. </p>
16000
16001<li> <p> Use the <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> feature
16002to discard EHLO keywords selectively.  </p>
16003
16004</ul>
16005
16006
16007</DD>
16008
16009<DT><b><a name="smtpd_dns_reply_filter">smtpd_dns_reply_filter</a>
16010(default: empty)</b></DT><DD>
16011
16012<p> Optional filter for Postfix SMTP server DNS lookup results.
16013See <a href="postconf.5.html#smtp_dns_reply_filter">smtp_dns_reply_filter</a> for details including an example.
16014</p>
16015
16016<p> This feature is available in Postfix 3.0 and later. </p>
16017
16018
16019</DD>
16020
16021<DT><b><a name="smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a>
16022(default: empty)</b></DT><DD>
16023
16024<p> Optional access restrictions that the Postfix SMTP server
16025applies in the context of the SMTP END-OF-DATA command.
16026See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
16027restriction lists" for a discussion of evaluation context and time.
16028</p>
16029
16030<p> This feature is available in Postfix 2.2 and later. </p>
16031
16032<p> See <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> for details and limitations. </p>
16033
16034
16035</DD>
16036
16037<DT><b><a name="smtpd_enforce_tls">smtpd_enforce_tls</a>
16038(default: no)</b></DT><DD>
16039
16040<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients,
16041and reject all plaintext commands except HELO, EHLO, XCLIENT,
16042STARTTLS, NOOP, QUIT, and (Postfix &ge; 3.9) HELP.
16043According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a>
16044this MUST NOT be applied in case of a publicly-referenced SMTP
16045server. Instead, this should be used on dedicated servers, for
16046example submission (port 587). This option is therefore off by
16047default. </p>
16048
16049<p> Note 1: "<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> = yes" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes". </p>
16050
16051<p> Note 2: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
16052STARTTLS due to insufficient privileges to access the server private
16053key. This is intended behavior. </p>
16054
16055<p> This feature is deprecated as of Postfix 3.9. Specify
16056<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
16057
16058<p> This feature is available in Postfix 2.2 and later. With
16059Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
16060
16061
16062</DD>
16063
16064<DT><b><a name="smtpd_error_sleep_time">smtpd_error_sleep_time</a>
16065(default: 1s)</b></DT><DD>
16066
16067<p>With Postfix version 2.1 and later: the SMTP server response delay after
16068a client has made more than $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and
16069fewer than $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering mail.
16070</p>
16071
16072<p>With Postfix version 2.0 and earlier: the SMTP server delay
16073before sending a reject (4xx or 5xx) response, when the client has
16074made fewer than $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors without delivering
16075mail. When the client has made $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> or more errors,
16076delay all responses with the larger of (number of errors) seconds
16077or $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a>. </p>
16078
16079<p> Specify a non-negative time value (an integral value plus an optional
16080one-letter suffix that specifies the time unit).  Time units: s
16081(seconds), m (minutes), h (hours), d (days), w (weeks).
16082The default time unit is s (seconds).  </p>
16083
16084
16085</DD>
16086
16087<DT><b><a name="smtpd_etrn_restrictions">smtpd_etrn_restrictions</a>
16088(default: empty)</b></DT><DD>
16089
16090<p>
16091Optional restrictions that the Postfix SMTP server applies in the
16092context of a client ETRN command.
16093See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
16094restriction lists" for a discussion of evaluation context and time.
16095</p>
16096
16097<p>
16098The Postfix ETRN implementation accepts only destinations that are
16099eligible for the Postfix "fast flush" service. See the <a href="ETRN_README.html">ETRN_README</a>
16100file for details.
16101</p>
16102
16103<p>
16104Specify a list of restrictions, separated by commas and/or whitespace.
16105Continue long lines by starting the next line with whitespace.
16106Restrictions are applied in the order as specified; the first
16107restriction that matches wins.
16108</p>
16109
16110<p>
16111The following restrictions are specific to the domain name information
16112received with the ETRN command.
16113</p>
16114
16115<dl>
16116
16117<dt><b><a name="check_etrn_access">check_etrn_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
16118
16119<dd>Search the specified access database for the ETRN domain name.
16120See the <a href="access.5.html">access(5)</a> manual page for details.
16121</dd>
16122
16123</dl>
16124
16125<p>
16126Other restrictions that are valid in this context:
16127</p>
16128
16129<ul>
16130
16131<li><a href="#generic">Generic</a> restrictions that can be used
16132in any SMTP command context, described under <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>.
16133
16134<li>SMTP command specific restrictions described under
16135<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>.
16136
16137</ul>
16138
16139<p>
16140Example:
16141</p>
16142
16143<pre>
16144<a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, reject
16145</pre>
16146
16147
16148</DD>
16149
16150<DT><b><a name="smtpd_expansion_filter">smtpd_expansion_filter</a>
16151(default: see "postconf -d" output)</b></DT><DD>
16152
16153<p>
16154What characters are allowed in $name expansions of RBL reply
16155templates. Characters not in the allowed set are replaced by "_".
Use C-like escapes to specify special characters such as whitespace.
16157</p>
16158
16159<p>
16160The <a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> value is not subject to Postfix configuration
16161parameter $name expansion.
16162</p>
16163
16164<p>
16165This feature is available in Postfix 2.0 and later.
16166</p>
16167
16168
16169</DD>
16170
16171<DT><b><a name="smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
16172(default: Postfix &ge; 3.9: normalize)</b></DT><DD>
16173
16174<p> Reject or restrict input lines from an SMTP client that end in
16175&lt;LF&gt; instead of the standard &lt;CR&gt;&lt;LF&gt;. Such line
16176endings are commonly allowed with UNIX-based SMTP servers, but they
16177violate <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>, and allowing such line endings can make a server
16178vulnerable to <a href="https://www.postfix.org/smtp-smuggling.html">
16179SMTP smuggling</a>.  </p>
16180
16181<p> Specify one of the following values (case does not matter): </p>
16182
16183<dl compact>
16184
16185<dt> <b>normalize</b> (default for Postfix &ge; 3.9) </dt>
16186<dd> Require the standard
16187End-of-DATA sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
16188Otherwise, allow command or message content lines ending in the
16189non-standard &lt;LF&gt;, and process them as if the client sent the
16190standard &lt;CR&gt;&lt;LF&gt;. <br> <br> This maintains compatibility
16191with many legitimate SMTP client applications that send a mix of
16192standard and non-standard line endings, but will fail to receive
16193email from client implementations that do not terminate DATA content
16194with the standard End-of-DATA sequence
16195&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. <br> <br> Such clients
16196can be excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>. </dd>
16197
16198<dt> <b>note</b> </dt> <dd> Same as "normalize", but also notes in
16199the log whether the Postfix SMTP server received any lines with
16200"bare &lt;LF&gt;". The information is formatted as "<tt>disconnect
16201from name[address] ...  notes=bare_lf</tt>". The notes value is
16202expected to become a list of comma-separated names. <br> <br> This
16203feature is available in Postfix 3.9 and later. </dd>
16204
16205<dt> <b>yes</b> </dt> <dd> Compatibility alias for <b>normalize</b>. </dd>
16206
16207<dt> <b>reject</b> </dt> <dd> Require the standard End-of-DATA
16208sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Reject a command
16209or message content when a line contains bare &lt;LF&gt;, log a "bare
16210&lt;LF&gt; received" error, and reply with the SMTP status code in
16211$<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>. <br> <br> This will reject
16212email from SMTP clients that send any non-standard line endings
16213such as web applications, netcat, or load balancer health checks.
16214<br> <br> This will also reject email from services that use BDAT
16215to send MIME text containing a bare newline (<a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3
16216requires canonical MIME format for text message types, defined in
16217<a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a> Sections 2.7 and 2.8). <br> <br> Such clients can be
16218excluded with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> (or, in the case
16219of BDAT violations, BDAT can be selectively disabled with
16220<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally disabled with
16221<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>). </dd>
16222
16223<dt> <b>no</b> (default for Postfix &lt; 3.9) </dt>
16224<dd> Do not require the standard End-of-DATA
16225sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;. Always process
16226a bare &lt;LF&gt; as if the client sent &lt;CR&gt;&lt;LF&gt;. This
16227option is fully backwards compatible, but is not recommended for
16228an Internet-facing SMTP server, because it is vulnerable to <a
16229href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling</a>.
16230</dd>
16231
16232</dl>
16233
16234<p> Recommended settings: </p>
16235
16236<blockquote>
16237<pre>
16238# Require the standard End-of-DATA sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
16239# Otherwise, allow bare &lt;LF&gt; and process it as if the client sent
16240# &lt;CR&gt;&lt;LF&gt;.
16241#
16242# This maintains compatibility with many legitimate SMTP client
16243# applications that send a mix of standard and non-standard line
16244# endings, but will fail to receive email from client implementations
16245# that do not terminate DATA content with the standard End-of-DATA
16246# sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
16247#
16248# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
16249# The example below allowlists SMTP clients in trusted networks.
16250#
16251<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = normalize
16252<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
16253</pre>
16254</blockquote>
16255
16256<p> Alternative: </p>
16257
16258<blockquote>
16259<pre>
16260# Reject input lines that contain &lt;LF&gt; and log a "bare &lt;LF&gt; received"
16261# error. Require that input lines end in &lt;CR&gt;&lt;LF&gt;, and require the
16262# standard End-of-DATA sequence &lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;.
16263#
16264# This will reject email from SMTP clients that send any non-standard
16265# line endings such as web applications, netcat, or load balancer
16266# health checks.
16267#
16268# This will also reject email from services that use BDAT to send
16269# MIME text containing a bare newline (<a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> Section 3 requires
16270# canonical MIME format for text message types, defined in <a href="https://tools.ietf.org/html/rfc2045">RFC 2045</a>
16271# Sections 2.7 and 2.8).
16272#
16273# Such clients can be allowlisted with <a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>.
16274# The example below allowlists SMTP clients in trusted networks.
16275#
16276<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = reject
16277<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
16278#
16279# Alternatively, in the case of BDAT violations, BDAT can be selectively
16280# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>, or globally
16281# disabled with <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>.
16282#
16283# <a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> = <a href="cidr_table.5.html">cidr</a>:/path/to/file
16284# /path/to/file:
16285#     10.0.0.0/24 chunking, silent-discard
16286# <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> = chunking, silent-discard
16287</pre>
16288</blockquote>
16289
<p> This feature with settings <b>yes</b> and <b>no</b> is available
in Postfix 3.8.4, 3.7.9, 3.6.13, and 3.5.23. Additionally, the
settings <b>reject</b> and <b>normalize</b> are available with
Postfix &ge; 3.9, 3.8.5, 3.7.10, 3.6.14, and 3.5.24. </p>
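<p> The following is an added illustration, not Postfix code: a small
Python model of how the DATA stream is processed under each
<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> setting, including the
<a href="postconf.5.html#smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a> and
<a href="postconf.5.html#smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a> parameters described
below. It assumes that an excluded client receives the legacy "no"
behavior, models exclusions as CIDR blocks only (the real parameter
accepts the full $mynetworks syntax), does not perform dot-unstuffing,
and records the "note" setting's <tt>notes=bare_lf</tt> at end of DATA
rather than at disconnect. The sample message bytes are constructed
for the example. </p>

```python
import ipaddress

CRLF = b"\r\n"
LF = b"\n"


def split_records(raw):
    """Yield (line, terminator) pairs; terminator is CRLF or a bare LF.

    An unterminated tail is left alone: a real server would keep reading.
    """
    start = 0
    while True:
        i = raw.find(LF, start)
        if i < 0:
            return
        if i > start and raw[i - 1:i] == b"\r":
            yield raw[start:i - 1], CRLF
        else:
            yield raw[start:i], LF
        start = i + 1


def client_excluded(client_ip, exclusions):
    """CIDR-only model of smtpd_forbid_bare_newline_exclusions (assumption)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in exclusions)


def process_data(raw, mode="normalize", reject_code=550,
                 client_ip=None, exclusions=("127.0.0.0/8",)):
    """Model the server's handling of one DATA payload.

    Returns a dict with the accepted content lines, whether the standard
    End-of-DATA sequence was seen, whether any bare <LF> was seen, the
    reject status code (or None) and the log messages the text describes.
    """
    mode = mode.lower()
    if mode == "yes":
        mode = "normalize"          # compatibility alias
    if client_ip is not None and client_excluded(client_ip, exclusions):
        mode = "no"                 # assumption: excluded clients get legacy handling
    result = {"lines": [], "end_of_data": False, "bare_lf": False,
              "reply": None, "log": []}
    for line, term in split_records(raw):
        if term == LF:
            result["bare_lf"] = True
            if mode == "reject":
                # reject: any bare <LF> ends the request with the configured 5XX code
                result["reply"] = reject_code
                result["log"].append("bare <LF> received")
                return result
        # normalize/note/reject: only <CR><LF>.<CR><LF> terminates the message;
        # "no": a "." line ending in bare <LF> is treated as End-of-DATA too.
        if line == b"." and (term == CRLF or mode == "no"):
            result["end_of_data"] = True
            break
        result["lines"].append(line)    # bare <LF> lines pass as if they were <CR><LF>
    if mode == "note" and result["bare_lf"]:
        result["log"].append("notes=bare_lf")
    return result


if __name__ == "__main__":
    # Constructed sample: a mix of standard and non-standard line endings,
    # with a "." line terminated by a bare <LF> in the middle of the body.
    sample = b"Subject: test\r\n\r\nline one\nline two\r\n.\nstill body\r\n.\r\n"
    for setting in ("normalize", "note", "reject", "no"):
        print(setting, process_data(sample, setting))
```

<p> Under "normalize" the bare-<tt>&lt;LF&gt;</tt> "." line is message
content and only the final <tt>&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;</tt>
ends the message; under "no" the message ends at the first "." line
regardless of terminator, which is the behavior the text warns
about. </p>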
16294
16295
16296</DD>
16297
16298<DT><b><a name="smtpd_forbid_bare_newline_exclusions">smtpd_forbid_bare_newline_exclusions</a>
16299(default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</b></DT><DD>
16300
16301<p> Exclude the specified clients from <a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a>
16302enforcement. This setting uses the same syntax and parent-domain
16303matching behavior as <a href="postconf.5.html#mynetworks">mynetworks</a>. </p>
16304
16305<p> This feature is available in Postfix &ge; 3.9, 3.8.4, 3.7.9,
163063.6.13, and 3.5.23. </p>
16307
16308
16309</DD>
16310
16311<DT><b><a name="smtpd_forbid_bare_newline_reject_code">smtpd_forbid_bare_newline_reject_code</a>
16312(default: 550)</b></DT><DD>
16313
16314<p>
16315The numerical Postfix SMTP server response code when rejecting a
16316request with "<a href="postconf.5.html#smtpd_forbid_bare_newline">smtpd_forbid_bare_newline</a> = reject".
16317Specify a 5XX status code (521 to disconnect).
16318</p>
16319
16320<p> This feature is available in Postfix &ge; 3.9, 3.8.5, 3.7.10,
163213.6.14, and 3.5.24. </p>
16322
16323
16324</DD>
16325
16326<DT><b><a name="smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a>
16327(default: Postfix &ge; 3.9: yes)</b></DT><DD>
16328
16329<p> Disconnect remote SMTP clients that violate <a href="https://tools.ietf.org/html/rfc2920">RFC 2920</a> (or 5321)
16330command pipelining constraints. The server replies with "554 5.5.0
16331Error: SMTP protocol synchronization" and logs the unexpected remote
16332SMTP client input. This feature is enabled by default with Postfix
16333&ge; 3.9. Specify "<a href="postconf.5.html#smtpd_forbid_unauth_pipelining">smtpd_forbid_unauth_pipelining</a> = no" to disable.
16334</p>
16335
16336<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
163373.6.10, and 3.5.20. </p>
16338
16339
16340</DD>
16341
16342<DT><b><a name="smtpd_forbidden_commands">smtpd_forbidden_commands</a>
16343(default: CONNECT GET POST <a href="regexp_table.5.html">regexp</a>:{{/^[^A-Z]/ Bogus}})</b></DT><DD>
16344
16345<p>
16346List of commands that cause the Postfix SMTP server to immediately
16347terminate the session with a 221 code. This can be used to disconnect
16348clients that obviously attempt to abuse the system. In addition to the
16349commands listed in this parameter, commands that follow the "Label:"
16350format of message headers will also cause a disconnect. With Postfix
16351versions 3.6 and earlier, the default value is "CONNECT GET POST".
16352</p>
16353
16354<p>
16355This feature is available in Postfix 2.2 and later.
16356</p>
16357
16358<p>
16359Support for inline regular expressions was added in Postfix version
163603.7. See <a href="regexp_table.5.html">regexp_table(5)</a> for a description of the syntax and features.
16361</p>
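<p> As an added illustration (not Postfix code), the Python function
below classifies command lines the way the default value above
describes: the literal names, the inline
<a href="regexp_table.5.html">regexp</a> pattern, and the "Label:"
message-header form. It assumes the literal names match
case-insensitively, relies on the fact that regexp_table patterns
match case-insensitively by default (so <tt>/^[^A-Z]/</tt> matches a
first byte that is not a letter of either case), and approximates the
"Label:" form as a first token of letters, digits or hyphens ending in
":". The sample inputs are constructed. </p>

```python
import re

# Literal names from the documented default value.
FORBIDDEN_LITERALS = {"CONNECT", "GET", "POST"}

# Inline pattern from the default: regexp_table matching is case-insensitive
# unless the "i" flag is toggled, so this matches any first byte that is not
# a letter (a TLS record header, an HTTP status line, a digit, ...).
BOGUS_RE = re.compile(r"^[^A-Z]", re.IGNORECASE)

# Approximation (assumption) of the "Label:" message-header form that the
# text says also causes a disconnect.
HEADER_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+:$")


def forbidden_command(line):
    """Return the reason a command line ends the session (221), or None."""
    if isinstance(line, bytes):
        line = line.decode("latin-1")       # keep raw bytes one-to-one
    line = line.rstrip("\r\n")
    if not line:
        return None
    verb = line.split(None, 1)[0]
    if verb.upper() in FORBIDDEN_LITERALS:
        return "forbidden command %s" % verb.upper()
    if BOGUS_RE.match(line):
        return "Bogus"                      # the action text from the inline regexp
    if HEADER_LABEL_RE.match(verb):
        return "header-like input"
    return None


if __name__ == "__main__":
    # Constructed sample inputs: two SMTP commands, an HTTP request, a
    # message header line and the first bytes of a TLS record.
    for sample in ("EHLO mail.example.com", "ehlo mail.example.com",
                   "GET / HTTP/1.1", "Host: www.example.com",
                   b"\x16\x03\x01\x00\xa5"):
        print(repr(sample), "->", forbidden_command(sample))
```

<p> Lowercase SMTP verbs pass because the inline pattern is
case-insensitive; a client that speaks TLS or HTTP to the plaintext
port is disconnected on its first line. </p>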
16362
16363
16364</DD>
16365
16366<DT><b><a name="smtpd_hard_error_limit">smtpd_hard_error_limit</a>
16367(default: normal: 20, <a href="STRESS_README.html">overload</a>: 1)</b></DT><DD>
16368
16369<p>
16370The maximal number of errors a remote SMTP client is allowed to
16371make without delivering mail. The Postfix SMTP server disconnects
16372when the limit is reached. Normally the default limit is 20, but
16373it changes under overload to just 1. With Postfix 2.5 and earlier,
16374the SMTP server always allows up to 20 errors by default.
Valid values are greater than zero.
</p>
16378
16379
16380</DD>
16381
16382<DT><b><a name="smtpd_helo_required">smtpd_helo_required</a>
16383(default: no)</b></DT><DD>
16384
16385<p>
16386Require that a remote SMTP client introduces itself with the HELO
16387or EHLO command before sending the MAIL command or other commands
16388that require EHLO negotiation.
16389</p>
16390
16391<p>
16392Example:
16393</p>
16394
16395<pre>
16396<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes
16397</pre>
16398
16399
16400</DD>
16401
16402<DT><b><a name="smtpd_helo_restrictions">smtpd_helo_restrictions</a>
16403(default: empty)</b></DT><DD>
16404
16405<p>
16406Optional restrictions that the Postfix SMTP server applies in the
16407context of a client HELO command.
16408See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
16409restriction lists" for a discussion of evaluation context and time.
16410</p>
16411
16412<p>
16413The default is to permit everything.
16414</p>
16415
16416<p> Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this
16417restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can
16418simply skip <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> by not sending HELO or EHLO).
16419</p>
16420
16421<p>
16422Specify a list of restrictions, separated by commas and/or whitespace.
16423Continue long lines by starting the next line with whitespace.
16424Restrictions are applied in the order as specified; the first
16425restriction that matches wins.
16426</p>
16427
16428<p>
16429The following restrictions are specific to the hostname information
16430received with the HELO or EHLO command.
16431</p>
16432
16433<dl>
16434
16435<dt><b><a name="check_helo_access">check_helo_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
16436
16437<dd>Search the specified <a href="access.5.html">access(5)</a> database for the HELO or EHLO
16438hostname, and execute the corresponding action.
16439Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this
16440restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can
16441simply skip <a href="postconf.5.html#check_helo_access">check_helo_access</a> by not sending HELO or EHLO).  </dd>
16442
16443<dt><b><a name="check_helo_a_access">check_helo_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
16444
16445<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for
16446the HELO or EHLO hostname, and execute the corresponding action.
16447Note 1: a result of "OK" is not allowed for safety reasons. Instead,
16448use DUNNO in order to exclude specific hosts from denylists.  Note
164492: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this
16450restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can
16451simply skip check_helo_a_access by not sending HELO or EHLO).  This
16452feature is available in Postfix 3.0 and later.
16453</dd>
16454
16455<dt><b><a name="check_helo_mx_access">check_helo_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
16456
16457<dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for
16458the HELO or EHLO hostname, and execute the corresponding action.
16459If no MX record is found, look up A or AAAA records, just like the
16460Postfix SMTP client would.
16461Note 1: a result of "OK" is not allowed for safety reasons. Instead,
16462use DUNNO in order to exclude specific hosts from denylists.  Note
164632: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this
16464restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can
16465simply skip <a href="postconf.5.html#check_helo_mx_access">check_helo_mx_access</a> by not sending HELO or EHLO).  This
16466feature is available in Postfix 2.1 and later.
16467</dd>
16468
16469<dt><b><a name="check_helo_ns_access">check_helo_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
16470
16471<dd>Search the specified <a href="access.5.html">access(5)</a> database for the DNS servers
16472for the HELO or EHLO hostname, and execute the corresponding action.
16473Note 1: a result of "OK" is not allowed for safety reasons. Instead,
16474use DUNNO in order to exclude specific hosts from denylists.  Note
164752: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this
16476restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can
16477simply skip <a href="postconf.5.html#check_helo_ns_access">check_helo_ns_access</a> by not sending HELO or EHLO). This
16478feature is available in Postfix 2.1 and later.
16479</dd>
16480
16481<dt><b><a name="reject_invalid_helo_hostname">reject_invalid_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_invalid_hostname)</dt>
16482
16483<dd>Reject the request when the HELO or EHLO hostname is malformed.
16484Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce
16485this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can simply
16486skip <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a> by not sending HELO or EHLO).
16487<br> The <a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> specifies the response code
16488for rejected requests (default: 501).</dd>
16489
16490<dt><b><a name="reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_non_fqdn_hostname)</dt>
16491
16492<dd>Reject the request when the HELO or EHLO hostname is not in
16493fully-qualified domain or address literal form, as required by the
16494RFC. Note: specify
16495"<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this restriction
16496(without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can simply skip
16497<a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a> by not sending HELO or EHLO).  <br>
16498The <a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> parameter specifies the response code for
16499rejected requests (default: 504).</dd>
16500
16501<dt><b><a name="reject_rhsbl_helo">reject_rhsbl_helo <i>rbl_domain=d.d.d.d</i></a></b></dt>
16502
16503<dd>Reject the request when the HELO or EHLO hostname is
16504listed with the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i>
16505(Postfix version 2.1 and later only).  Each "<i>d</i>" is a number,
16506or a pattern inside "[]" that contains one or more ";"-separated
16507numbers or number..number ranges (Postfix version 2.8 and later).
16508If no "<i>=d.d.d.d</i>" is
16509specified, reject the request when the HELO or EHLO hostname is
16510listed with any A record under <i>rbl_domain</i>. See the
16511<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> description for additional RBL related configuration
16512parameters.  Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully
16513enforce this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a
16514client can simply skip <a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> by not sending HELO or
16515EHLO). This feature is available in Postfix 2.0
16516and later.  </dd>
16517
16518<dt><b><a name="reject_unknown_helo_hostname">reject_unknown_helo_hostname</a></b> (with Postfix &lt; 2.3: reject_unknown_hostname)</dt>
16519
16520<dd>Reject the request when the HELO or EHLO hostname has no DNS A
16521or MX record. <br> The reply is specified with the
16522<a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> parameter (default: 450) or
16523<a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> (default: <a href="postconf.5.html#defer_if_permit">defer_if_permit</a>).
16524See the respective parameter descriptions for details. <br>
16525Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully
16526enforce this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a
16527client can simply skip <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> by not sending
16528HELO or EHLO). </dd>
16529
16530</dl>
16531
16532<p>
16533Other restrictions that are valid in this context:
16534</p>
16535
16536<ul>
16537
16538<li> <a href="#generic">Generic</a> restrictions that can be used
16539in any SMTP command context, described under <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>.
16540
16541<li> Client hostname or network address specific restrictions
16542described under <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>.
16543
16544<li> SMTP command specific restrictions described under
16545<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> or <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.  When
16546sender or recipient restrictions are listed under <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>,
16547they have effect only with "<a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> = yes", so that
16548$<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> is evaluated at the time of the RCPT TO
16549command.
16550
16551</ul>
16552
16553<p>
16554Examples:
16555</p>
16556
16557<pre>
16558<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
16559<a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a>
16560</pre>
16561
16562
16563</DD>
16564
16565<DT><b><a name="smtpd_hide_client_session">smtpd_hide_client_session</a>
16566(default: no)</b></DT><DD>
16567
16568<p> Do not include SMTP client session information in the Postfix
16569SMTP server's Received: message header. </p>
16570
16571<ul>
16572
16573<li> <p> The default setting, "<a href="postconf.5.html#smtpd_hide_client_session">smtpd_hide_client_session</a> = no",
16574must be used for the port 25 MTA service. It provides information
16575that is required by <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. </p>
16576
16577<li> <p> The setting "<a href="postconf.5.html#smtpd_hide_client_session">smtpd_hide_client_session</a> = yes" may be used
16578for the port 587 and 465 MUA services. This hides the SMTP client
16579hostname and IP address, TLS session details, SASL login details,
16580and SMTP protocol details. </p>
16581
16582</ul>
16583
16584<p> Depending on the number of recipients, a redacted Received:
16585header has one of the following forms: </p>
16586
16587<blockquote>
16588<pre>
16589Received: by mail.example.com (Postfix) id postfix-queue-id
16590        for &lt;user@example.com&gt;; Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
16591<br>
16592Received: by mail.example.com (Postfix) id postfix-queue-id
16593        Day, dd Mon yyyy hh:mm:ss tz-offset (zone)
16594</pre>
16595</blockquote>
16596
16597<p> The redacted form hides that a message was received with SMTP,
16598and therefore it does not need to provide the information required by
16599<a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>. The form does still meet <a href="https://tools.ietf.org/html/rfc5322">RFC 5322</a> requirements. </p>
16600
16601<p> This feature is available in Postfix &ge; 3.10. </p>
16602
16603
16604</DD>
16605
16606<DT><b><a name="smtpd_history_flush_threshold">smtpd_history_flush_threshold</a>
16607(default: 100)</b></DT><DD>
16608
16609<p>
16610The maximal number of lines in the Postfix SMTP server command history
16611before it is flushed upon receipt of EHLO, RSET, or end of DATA.
16612</p>
16613
16614
16615</DD>
16616
16617<DT><b><a name="smtpd_junk_command_limit">smtpd_junk_command_limit</a>
16618(default: normal: 100, <a href="STRESS_README.html">overload</a>: 1)</b></DT><DD>
16619
16620<p>
16621The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
16622SMTP client can send before the Postfix SMTP server starts to
16623increment the error counter with each junk command.  The junk
16624command count is reset after mail is delivered.  See also the
16625<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> and <a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> configuration
16626parameters.  Normally the default limit is 100, but it changes under
16627overload to just 1. With Postfix 2.5 and earlier, the SMTP server
16628always allows up to 100 junk commands by default.  </p>
16629
16630
16631</DD>
16632
16633<DT><b><a name="smtpd_log_access_permit_actions">smtpd_log_access_permit_actions</a>
16634(default: empty)</b></DT><DD>
16635
16636<p> Enable logging of the named "permit" actions in SMTP server
16637access lists (by default, the SMTP server logs "reject" actions but
16638not "permit" actions).  This feature does not affect conditional
16639actions such as "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>". </p>
16640
16641<p> Specify a list of "permit" action names, "/file/name" or
16642"<a href="DATABASE_README.html">type:table</a>" patterns, separated by commas and/or whitespace. The
16643list is matched left to right, and the search stops on the first
16644match. A "/file/name" pattern is replaced by its contents; a
16645"<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a name matches a lookup
16646key (the lookup result is ignored).  Continue long lines by starting
16647the next line with whitespace. Specify "!pattern" to exclude a name
16648from the list. </p>
16649
16650<p> Examples: </p>
16651
16652<pre>
16653/etc/postfix/<a href="postconf.5.html">main.cf</a>:
16654    # Log all "permit" actions.
16655    <a href="postconf.5.html#smtpd_log_access_permit_actions">smtpd_log_access_permit_actions</a> = <a href="DATABASE_README.html#types">static</a>:all
16656</pre>
16657
16658<pre>
16659/etc/postfix/<a href="postconf.5.html">main.cf</a>:
16660    # Log "<a href="postconf.5.html#permit_dnswl_client">permit_dnswl_client</a>" only.
16661    <a href="postconf.5.html#smtpd_log_access_permit_actions">smtpd_log_access_permit_actions</a> = <a href="postconf.5.html#permit_dnswl_client">permit_dnswl_client</a>
16662</pre>
16663
16664<p> This feature is available in Postfix 2.10 and later.  </p>
16665
16666
16667</DD>
16668
16669<DT><b><a name="smtpd_milter_maps">smtpd_milter_maps</a>
16670(default: empty)</b></DT><DD>
16671
16672<p> Lookup tables with Milter settings per remote SMTP client IP
16673address.  The lookup result overrides the <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> setting,
16674and has the same syntax. </p>
16675
16676<p> Note: lookup tables cannot return empty responses. Specify a
16677lookup result of DISABLE (case does not matter) to indicate that
16678Milter support should be disabled. </p>
16679
16680<p> Example to disable Milters for local clients: </p>
16681
16682<pre>
16683/etc/postfix/<a href="postconf.5.html">main.cf</a>:
16684    <a href="postconf.5.html#smtpd_milter_maps">smtpd_milter_maps</a> = <a href="cidr_table.5.html">cidr</a>:/etc/postfix/smtpd_milter_map
16685    <a href="postconf.5.html#smtpd_milters">smtpd_milters</a> = inet:host:port, { inet:host:port, ... }, ...
16686</pre>
16687
16688<pre>
16689/etc/postfix/smtpd_milter_map:
16690    # Disable Milters for local clients.
16691    127.0.0.0/8    DISABLE
16692    192.168.0.0/16 DISABLE
16693    ::/64          DISABLE
16694    2001:db8::/32  DISABLE
16695</pre>
16696
16697<p> This feature is available in Postfix 3.2 and later.  </p>
16698
16699
16700</DD>
16701
16702<DT><b><a name="smtpd_milters">smtpd_milters</a>
16703(default: empty)</b></DT><DD>
16704
16705<p> A list of Milter (mail filter) applications for new mail that
16706arrives via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server. Specify space or comma as
16707separator. See the <a href="MILTER_README.html">MILTER_README</a> document for details.  </p>
16708
16709<p> This feature is available in Postfix 2.3 and later. </p>
16710
16711
16712</DD>
16713
16714<DT><b><a name="smtpd_min_data_rate">smtpd_min_data_rate</a>
16715(default: 500)</b></DT><DD>
16716
16717<p> The minimum plaintext data transfer rate in bytes/second for
16718DATA and BDAT requests, when deadlines are enabled with
16719<a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a>. After a read operation transfers N
16720plaintext message bytes (possibly after TLS decryption), and after
16721the DATA or BDAT request deadline is decremented by the elapsed
16722time of that read operation, the DATA or BDAT request deadline is
16723incremented by N/smtpd_min_data_rate seconds. However, the deadline
16724will never be incremented beyond the time limit specified with
16725<a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a>.  </p>
16726
16727<p> This feature is available in Postfix 3.7 and later. </p>
16728
16729
16730</DD>
16731
16732<DT><b><a name="smtpd_noop_commands">smtpd_noop_commands</a>
16733(default: empty)</b></DT><DD>
16734
16735<p>
16736List of commands that the Postfix SMTP server replies to with "250
16737Ok", without doing any syntax checks and without changing state.
16738This list overrides any commands built into the Postfix SMTP server.
16739</p>
16740
16741
16742</DD>
16743
16744<DT><b><a name="smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a>
16745(default: &lt;&gt;)</b></DT><DD>
16746
16747<p>
16748The lookup key to be used in SMTP <a href="access.5.html">access(5)</a> tables instead of the
16749null sender address.
16750</p>
16751
16752
16753</DD>
16754
16755<DT><b><a name="smtpd_peername_lookup">smtpd_peername_lookup</a>
16756(default: yes)</b></DT><DD>
16757
16758<p> Attempt to look up the remote SMTP client hostname, and verify that
16759the name matches the client IP address. A client name is set to
16760"unknown" when it cannot be looked up or verified, or when name
16761lookup is disabled.  Turning off name lookup reduces delays due to
16762DNS lookup and increases the maximal inbound delivery rate. </p>
16763
16764<p> This feature is available in Postfix 2.3 and later.  </p>
16765
16766
16767</DD>
16768
16769<DT><b><a name="smtpd_per_record_deadline">smtpd_per_record_deadline</a>
16770(default: normal: no, <a href="STRESS_README.html">overload</a>: yes)</b></DT><DD>
16771
16772<p> Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a>
16773time limits, from a
16774time limit per read or write system call, to a time limit to send
16775or receive a complete record (an SMTP command line, SMTP response
16776line, SMTP message content line, or TLS protocol message).  This
16777limits the impact from hostile peers that trickle data one byte at
16778a time.  </p>
16779
16780<p> Note: when per-record deadlines are enabled, a short timeout
16781may cause problems with TLS over very slow network connections.
16782The reasons are that a TLS protocol message can be up to 16 kbytes
16783long (with TLSv1), and that an entire TLS protocol message must be
16784sent or received within the per-record deadline.  </p>
16785
16786<p> This feature is available in Postfix 2.9-3.6. With older
16787Postfix releases, the behavior is as if this parameter is set to
16788"no". Postfix 3.7 and later use <a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a>. </p>
16789
16790
16791</DD>
16792
16793<DT><b><a name="smtpd_per_request_deadline">smtpd_per_request_deadline</a>
16794(default: normal: no, <a href="STRESS_README.html">overload</a>: yes)</b></DT><DD>
16795
16796<p> Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> and <a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a>
16797time limits, from a time limit per plaintext or TLS read or write
16798call, to a combined time limit for receiving a complete SMTP request
16799and for sending a complete SMTP response. The deadline limits only
16800the time spent waiting for plaintext or TLS read or write calls,
16801not time spent elsewhere. The per-request deadline limits the impact
16802from hostile peers that trickle data one byte at a time. </p>
16803
16804<p> See <a href="postconf.5.html#smtpd_min_data_rate">smtpd_min_data_rate</a> for how the per-request deadline is
16805managed during the DATA and BDAT phase. </p>
16806
16807<p> Note: when per-request deadlines are enabled, a short time limit
16808may cause problems with TLS over very slow network connections. The
16809reason is that a TLS protocol message can be up to 16 kbytes long
16810(with TLSv1), and that an entire TLS protocol message must be
16811transferred within the per-request deadline. </p>
16812
16813<p> This feature is available in Postfix 3.7 and later. A weaker
16814feature, called <a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a>, is available with Postfix
168152.9-3.6. With older Postfix releases, the behavior is as if this
16816parameter is set to "no". </p>
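<p> The charge-and-credit rule described under <a href="postconf.5.html#smtpd_min_data_rate">smtpd_min_data_rate</a> and the per-request deadline above, as an added Python example that is not Postfix code: it applies the same bookkeeping per read and compares a peer that trickles one byte at a time with a normal bulk sender, with and without the per-request deadline. The read sizes and timings are constructed, and the model assumes the deadline starts at smtpd_timeout. </p>

```python
"""Model of the DATA/BDAT deadline under smtpd_per_request_deadline with the
smtpd_min_data_rate credit. Added example; not Postfix source code.
Constructed assumptions: the deadline starts at smtpd_timeout, and a read
that cannot finish before the deadline is a timeout."""
from dataclasses import dataclass
from typing import List, Tuple

Read = Tuple[float, int]      # (elapsed seconds, plaintext bytes transferred)


@dataclass
class Outcome:
    timed_out: bool
    reads_completed: int
    deadline: float           # budget left after the last completed read


def next_deadline(deadline: float, elapsed: float, nbytes: int,
                  min_data_rate: float, smtpd_timeout: float) -> float:
    """One read: charge its elapsed time, then credit nbytes/min_data_rate
    seconds, but never raise the deadline above smtpd_timeout."""
    deadline -= elapsed
    deadline += nbytes / min_data_rate
    return min(deadline, smtpd_timeout)


def simulate_data_phase(reads: List[Read], per_request_deadline: bool = True,
                        min_data_rate: float = 500.0,
                        smtpd_timeout: float = 300.0) -> Outcome:
    """Run a sequence of reads through the deadline bookkeeping.

    per_request_deadline=False models the older per-read limit: every read
    gets a fresh smtpd_timeout, so a peer that answers within that limit can
    hold the session open indefinitely."""
    deadline = smtpd_timeout
    for i, (elapsed, nbytes) in enumerate(reads):
        if elapsed >= deadline:
            return Outcome(True, i, deadline)
        if per_request_deadline:
            deadline = next_deadline(deadline, elapsed, nbytes,
                                     min_data_rate, smtpd_timeout)
        else:
            deadline = smtpd_timeout
    return Outcome(False, len(reads), deadline)


# Constructed traffic patterns.
TRICKLER = [(10.0, 1)] * 40    # one byte every 10 seconds, 40 reads
BULK = [(1.0, 65536)] * 10     # 64 KiB every second, 10 reads

if __name__ == "__main__":
    for name, reads in (("trickler", TRICKLER), ("bulk", BULK)):
        for mode in (True, False):
            o = simulate_data_phase(reads, per_request_deadline=mode)
            print(f"{name:8} per_request_deadline={mode!s:5} timed_out={o.timed_out} "
                  f"reads={o.reads_completed} deadline_left={o.deadline:.3f}")
```

With the defaults the trickler is cut off after 30 reads (about 300 seconds of one-byte reads), while the bulk sender's deadline stays pinned at smtpd_timeout.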
16817
16819
16820
16821</DD>
16822
16823<DT><b><a name="smtpd_policy_service_default_action">smtpd_policy_service_default_action</a>
16824(default: 451 4.3.5 Server configuration problem)</b></DT><DD>
16825
<p> The default action when an SMTPD policy service request fails.
Specify "DUNNO" to behave as if the failed SMTPD policy service
request was not sent, and to continue processing other access
restrictions, if any. </p>
16830
16831<p> Limitations: </p>
16832
16833<ul>
16834
16835<li> <p>  This parameter may specify any value that would be a valid
16836SMTPD policy server response (or <a href="access.5.html">access(5)</a> map lookup result).  An
16837<a href="access.5.html">access(5)</a> map or policy server in this parameter value may need to
16838be declared in advance with a restriction_class setting.  </p>
16839
16840<li> <p> If the specified action invokes another <a href="postconf.5.html#check_policy_service">check_policy_service</a>
16841request, that request will have the built-in default action. </p>
16842
16843</ul>
16844
16845<p> This feature is available in Postfix 3.0 and later. </p>
16846
16847
16848</DD>
16849
16850<DT><b><a name="smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a>
16851(default: 300s)</b></DT><DD>
16852
16853<p>
16854The time after which an idle SMTPD policy service connection is
16855closed.
16856</p>
16857
16858<p> Specify a non-zero time value (an integral value plus an optional
16859one-letter suffix that specifies the time unit).  Time units: s
16860(seconds), m (minutes), h (hours), d (days), w (weeks).
16861The default time unit is s (seconds).  </p>
16862
16863<p>
16864This feature is available in Postfix 2.1 and later.
16865</p>
16866
16867
16868</DD>
16869
16870<DT><b><a name="smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a>
16871(default: 1000s)</b></DT><DD>
16872
16873<p>
16874The time after which an active SMTPD policy service connection is
16875closed.
16876</p>
16877
16878<p> Specify a non-zero time value (an integral value plus an optional
16879one-letter suffix that specifies the time unit).  Time units: s
16880(seconds), m (minutes), h (hours), d (days), w (weeks).
16881The default time unit is s (seconds).  </p>
16882
16883<p>
16884This feature is available in Postfix 2.1 and later.
16885</p>
16886
16887
16888</DD>
16889
16890<DT><b><a name="smtpd_policy_service_policy_context">smtpd_policy_service_policy_context</a>
16891(default: empty)</b></DT><DD>
16892
16893<p> Optional information that the Postfix SMTP server specifies in
16894the "policy_context" attribute of a policy service request (originally,
16895to share the same service endpoint among multiple <a href="postconf.5.html#check_policy_service">check_policy_service</a>
16896clients).  </p>
16897
16898<p>
16899This feature is available in Postfix 3.1 and later.
16900</p>
16901
16902
16903</DD>
16904
16905<DT><b><a name="smtpd_policy_service_request_limit">smtpd_policy_service_request_limit</a>
16906(default: 0)</b></DT><DD>
16907
16908<p>
16909The maximal number of requests per SMTPD policy service connection,
16910or zero (no limit). Once a connection reaches this limit, the
16911connection is closed and the next request will be sent over a new
16912connection. This is a workaround to avoid error-recovery delays
16913with policy servers that cannot maintain a persistent connection.
16914</p>
16915
16916<p>
16917This feature is available in Postfix 3.0 and later.
16918</p>
16919
16920
16921</DD>
16922
16923<DT><b><a name="smtpd_policy_service_retry_delay">smtpd_policy_service_retry_delay</a>
16924(default: 1s)</b></DT><DD>
16925
16926<p> The delay between attempts to resend a failed SMTPD policy
16927service request. Specify a value greater than zero. </p>
16928
16929<p> Specify a non-zero time value (an integral value plus an optional
16930one-letter suffix that specifies the time unit).  Time units: s
16931(seconds), m (minutes), h (hours), d (days), w (weeks).
16932The default time unit is s (seconds).  </p>
16933
16934<p> This feature is available in Postfix 3.0 and later. </p>
16935
16936
16937</DD>
16938
16939<DT><b><a name="smtpd_policy_service_timeout">smtpd_policy_service_timeout</a>
16940(default: 100s)</b></DT><DD>
16941
16942<p>
16943The time limit for connecting to, writing to, or receiving from a
16944delegated SMTPD policy server.
16945</p>
16946
16947<p> Specify a non-zero time value (an integral value plus an optional
16948one-letter suffix that specifies the time unit).  Time units: s
16949(seconds), m (minutes), h (hours), d (days), w (weeks).
16950The default time unit is s (seconds).  </p>
16951
16952<p>
16953This feature is available in Postfix 2.1 and later.
16954</p>
16955
16956
16957</DD>
16958
16959<DT><b><a name="smtpd_policy_service_try_limit">smtpd_policy_service_try_limit</a>
16960(default: 2)</b></DT><DD>
16961
16962<p> The maximal number of attempts to send an SMTPD policy service
16963request before giving up. Specify a value greater than zero. </p>
16964
16965<p> This feature is available in Postfix 3.0 and later. </p>
16966
16967
16968</DD>
16969
16970<DT><b><a name="smtpd_proxy_ehlo">smtpd_proxy_ehlo</a>
16971(default: $<a href="postconf.5.html#myhostname">myhostname</a>)</b></DT><DD>
16972
16973<p>
16974How the Postfix SMTP server announces itself to the proxy filter.
16975By default, the Postfix hostname is used.
16976</p>
16977
16978<p>
16979This feature is available in Postfix 2.1 and later.
16980</p>
16981
16982
16983</DD>
16984
16985<DT><b><a name="smtpd_proxy_filter">smtpd_proxy_filter</a>
16986(default: empty)</b></DT><DD>
16987
16988<p> The hostname and TCP port of the mail filtering proxy server.
16989The proxy receives all mail from the Postfix SMTP server, and is
16990supposed to give the result to another Postfix SMTP server process.
16991</p>
16992
16993<p> Specify "host:port" or "inet:host:port" for a TCP endpoint, or
16994"unix:pathname" for a UNIX-domain endpoint. The host can be specified
16995as an IP address or as a symbolic name; no MX lookups are done.
16996When no "host" or "host:" is specified, the local machine is
16997assumed.  Pathname interpretation is relative to the Postfix queue
16998directory.  </p>
16999
17000<p> This feature is available in Postfix 2.1 and later.  </p>
17001
17002<p> The "inet:" and "unix:" prefixes are available in Postfix 2.3
17003and later.  </p>
17004
17005
17006</DD>
17007
17008<DT><b><a name="smtpd_proxy_options">smtpd_proxy_options</a>
17009(default: empty)</b></DT><DD>
17010
17011<p>
17012List of options that control how the Postfix SMTP server
17013communicates with a before-queue content filter. Specify zero or
17014more of the following, separated by comma or whitespace.  </p>
17015
17016<dl>
17017
17018<dt><b>speed_adjust</b></dt>
17019
17020<dd> <p> Do not connect to a before-queue content filter until an entire
17021message has been received. This reduces the number of simultaneous
17022before-queue content filter processes. </p>
17023
17024<p> NOTE 1: A filter must not <i>selectively</i> reject recipients
17025of a multi-recipient message.  Rejecting all recipients is OK, as
17026is accepting all recipients. </p>
17027
17028<p> NOTE 2: This feature increases the minimum amount of free queue
17029space by $<a href="postconf.5.html#message_size_limit">message_size_limit</a>. The extra space is needed to save the
17030message to a temporary file. </p> </dd>
17031
17032</dl>
17033
17034<p>
17035This feature is available in Postfix 2.7 and later.
17036</p>
17037
17038
17039</DD>
17040
17041<DT><b><a name="smtpd_proxy_timeout">smtpd_proxy_timeout</a>
17042(default: 100s)</b></DT><DD>
17043
17044<p>
17045The time limit for connecting to a proxy filter and for sending or
17046receiving information.  When a connection fails the client gets a
17047generic error message while more detailed information is logged to
17048the maillog file.
17049</p>
17050
17051<p> Specify a non-zero time value (an integral value plus an optional
17052one-letter suffix that specifies the time unit).  Time units: s
17053(seconds), m (minutes), h (hours), d (days), w (weeks).
17054The default time unit is s (seconds).  </p>
17055
17056<p>
17057This feature is available in Postfix 2.1 and later.
17058</p>
17059
17060
17061</DD>
17062
17063<DT><b><a name="smtpd_recipient_limit">smtpd_recipient_limit</a>
17064(default: 1000)</b></DT><DD>
17065
17066<p>
17067The maximal number of recipients that the Postfix SMTP server
17068accepts per message delivery request.
17069</p>
17070
17071
17072</DD>
17073
17074<DT><b><a name="smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a>
17075(default: 1000)</b></DT><DD>
17076
17077<p> The number of recipients that a remote SMTP client can send in
17078excess of the limit specified with $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, before
17079the Postfix SMTP server increments the per-session error count
17080for each excess recipient.  </p>
17081
17082
17083</DD>
17084
17085<DT><b><a name="smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>
17086(default: see "postconf -d" output)</b></DT><DD>
17087
17088<p>
17089Optional restrictions that the Postfix SMTP server applies in the
17090context of a client RCPT TO command, after <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
17091See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
17092restriction lists" for a discussion of evaluation context and time.
17093</p>
17094
17095<p> With Postfix versions before 2.10, the rules for relay permission
17096and spam blocking were combined under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>,
17097resulting in error-prone configuration.  As of Postfix 2.10, relay
17098permission rules are preferably implemented with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>,
17099so that a permissive spam blocking policy under
17100<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> will no longer result in a permissive
17101mail relay policy.  </p>
17102
17103<p> For backwards compatibility, sites that migrate from Postfix
17104versions before 2.10 can set <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> to the empty
17105value, and use <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> exactly as before. </p>
17106
17107<p>
17108IMPORTANT: Either the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> or the
17109<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> parameter must specify
17110at least one of the following restrictions. Otherwise Postfix will
17111refuse to receive mail:
17112</p>
17113
17114<blockquote>
17115<pre>
17116reject, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
17117</pre>
17118</blockquote>
17119
17120<blockquote>
17121<pre>
17122defer, <a href="postconf.5.html#defer_if_permit">defer_if_permit</a>, <a href="postconf.5.html#defer_unauth_destination">defer_unauth_destination</a>
17123</pre>
17124</blockquote>
17125
17126<p>
17127Specify a list of restrictions, separated by commas and/or whitespace.
17128Continue long lines by starting the next line with whitespace.
17129Restrictions are applied in the order as specified; the first
17130restriction that matches wins.
17131</p>
17132
17133<p>
17134The following restrictions are specific to the recipient address
17135that is received with the RCPT TO command.
17136</p>
17137
17138<dl>
17139
17140<dt><b><a name="check_recipient_access">check_recipient_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
17141
17142<dd>Search the specified <a href="access.5.html">access(5)</a> database for the resolved RCPT
17143TO address, and execute the corresponding action.  </dd>
17144
17145<dt><b><a name="check_recipient_a_access">check_recipient_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
17146
17147<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for
17148the RCPT TO domain, and execute the corresponding action.  Note:
17149a result of "OK" is not allowed for safety reasons. Instead, use
17150DUNNO in order to exclude specific hosts from denylists.  This
17151feature is available in Postfix 3.0 and later. </dd>
17152
17153<dt><b><a name="check_recipient_mx_access">check_recipient_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
17154
17155<dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for
17156the RCPT TO domain, and execute the corresponding action.  If no
17157MX record is found, look up A or AAAA records, just like the Postfix
17158SMTP client would. Note:
17159a result of "OK" is not allowed for safety reasons. Instead, use
17160DUNNO in order to exclude specific hosts from denylists.  This
17161feature is available in Postfix 2.1 and later. </dd>
17162
17163<dt><b><a name="check_recipient_ns_access">check_recipient_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
17164
17165<dd>Search the specified <a href="access.5.html">access(5)</a> database for the DNS servers
17166for the RCPT TO domain, and execute the corresponding action.
17167Note: a result of "OK" is not allowed for safety reasons. Instead,
17168use DUNNO in order to exclude specific hosts from denylists.  This
17169feature is available in Postfix 2.1 and later.  </dd>
17170
17171<dt><b><a name="permit_auth_destination">permit_auth_destination</a></b></dt>
17172
17173<dd>Permit the request when one of the following is true:
17174
17175<ul>
17176
17177<li> Postfix is a mail forwarder: the resolved RCPT TO domain matches
17178$<a href="postconf.5.html#relay_domains">relay_domains</a> or a subdomain thereof, and the address contains no
17179sender-specified routing (user@elsewhere@domain),
17180
17181<li> Postfix is the final destination: the resolved RCPT TO domain
17182matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>,
17183$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and the address
17184contains no sender-specified routing (user@elsewhere@domain).
17185
17186</ul></dd>
17187
17188<dt><b><a name="permit_mx_backup">permit_mx_backup</a></b></dt>
17189
17190<dd>Permit the request when the local mail system is a backup MX for
17191the RCPT TO domain, or when the domain is an authorized destination
17192(see <a href="postconf.5.html#permit_auth_destination">permit_auth_destination</a> for definition).
17193
17194<ul>
17195
17196<li> Safety: <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> does not accept addresses that have
17197sender-specified routing information (example: user@elsewhere@domain).
17198
<li> Safety: <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> can be vulnerable to misuse when
access is not restricted with <a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a>.
17201
17202<li> Safety: as of Postfix version 2.3, <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> no longer
17203accepts the address when the local mail system is a primary MX for
17204the recipient domain.  Exception: <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> accepts the address
17205when it specifies an authorized destination (see <a href="postconf.5.html#permit_auth_destination">permit_auth_destination</a>
17206for definition).
17207
17208<li> Limitation: mail may be rejected in case of a temporary DNS
17209lookup problem with Postfix prior to version 2.0.
17210
17211</ul></dd>
17212
17213<dt><b><a name="reject_non_fqdn_recipient">reject_non_fqdn_recipient</a></b></dt>
17214
17215<dd>Reject the request when the RCPT TO address specifies a
17216domain that is not in
17217fully-qualified domain form, as required by the RFC. <br> The
17218<a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> parameter specifies the response code for
17219rejected requests (default: 504). </dd>
17220
17221<dt><b><a name="reject_rhsbl_recipient">reject_rhsbl_recipient <i>rbl_domain=d.d.d.d</i></a></b></dt>
17222
17223<dd>Reject the request when the RCPT TO domain is listed with the
17224A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix version
172252.1 and later only).  Each "<i>d</i>" is a number, or a pattern
17226inside "[]" that contains one or more ";"-separated numbers or
17227number..number ranges (Postfix version 2.8 and later). If no
17228"<i>=d.d.d.d</i>" is specified, reject
17229the request when the RCPT TO domain is listed with
17230any A record under <i>rbl_domain</i>. <br> The <a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a>
17231parameter specifies the response code for rejected requests (default:
17232554); the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> parameter specifies the default server
17233reply; and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> parameter specifies tables with server
17234replies indexed by <i>rbl_domain</i>.  This feature is available
17235in Postfix version 2.0 and later.</dd>
17236
17237<dt><b><a name="reject_unauth_destination">reject_unauth_destination</a></b></dt>
17238
17239<dd>Reject the request unless one of the following is true:
17240
17241<ul>
17242
17243<li> Postfix is a mail forwarder: the resolved RCPT TO domain matches
17244$<a href="postconf.5.html#relay_domains">relay_domains</a> or a subdomain thereof, and contains no sender-specified
17245routing (user@elsewhere@domain),
17246
17247<li> Postfix is the final destination: the resolved RCPT TO domain
17248matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>, $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>,
17249$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and contains
17250no sender-specified routing (user@elsewhere@domain).
17251
17252</ul>The <a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> parameter specifies the response
17253code for rejected requests (default: 554). </dd>
17254
17255<dt><b><a name="defer_unauth_destination">defer_unauth_destination</a></b></dt>
17256
17257<dd> Reject the same requests as <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>, with a
17258non-permanent error code.  This feature is available in Postfix
172592.10 and later.</dd>
17260
17261<dt><b><a name="reject_unknown_recipient_domain">reject_unknown_recipient_domain</a></b></dt>
17262
<dd>Reject the request when Postfix is not the final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS MX and
no DNS A
record or 2) a malformed MX record such as a record with
a zero-length MX hostname (Postfix version 2.3 and later). <br> The
17268reply is specified with the <a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter
17269(default: 450), <a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> (default:
17270<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>), or 556 (nullmx, Postfix 3.0 and
17271later). See the respective parameter descriptions for details.
17272</dd>
17273
17274<dt><b><a name="reject_unlisted_recipient">reject_unlisted_recipient</a></b> (with Postfix version 2.0: check_recipient_maps)</dt>
17275
17276<dd> Reject the request when the RCPT TO address is not listed in
17277the list of valid recipients for its domain class. See the
17278<a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> parameter description for details.
17279This feature is available in Postfix 2.1 and later.</dd>
17280
17281<dt><b><a name="reject_unverified_recipient">reject_unverified_recipient</a></b></dt>
17282
17283<dd>Reject the request when mail to the RCPT TO address is known
17284to bounce, or when the recipient address destination is not reachable.
17285Address verification information is managed by the <a href="verify.8.html">verify(8)</a> server;
17286see the <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> file for details.  <br> The
17287<a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> parameter specifies the numerical
17288response code when an address is known to bounce (default: 450,
17289change it to 550 when you are confident that it is safe to do so).
17290<br>The <a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> parameter specifies the
17291numerical response code when an address probe failed due to a
17292temporary problem (default: 450). <br> The
17293<a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> parameter specifies the action
17294after address probe failure due to a temporary problem (default:
17295<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>). <br> This feature breaks for aliased addresses
17296with "<a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> = no" (Postfix &le; 3.2). <br>
17297This feature is available in Postfix 2.1 and later. </dd>
17298
17299</dl>
17300
17301<p>
17302Other restrictions that are valid in this context:
17303</p>
17304
17305<ul>
17306
17307<li><a href="#generic">Generic</a> restrictions that can be used
17308in any SMTP command context, described under <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>.
17309
17310<li>SMTP command specific restrictions described under
17311<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> and
17312<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>.
17313
17314</ul>
17315
17316<p>
17317Example:
17318</p>
17319
17320<pre>
17321# The Postfix before 2.10 default mail relay policy. Later Postfix
17322# versions implement this preferably with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
17323<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
17324</pre>
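<p> The relay decision that the example above encodes, as an added Python example that is not Postfix code: it evaluates a restriction list in order with the permit_auth_destination and reject_unauth_destination rules described above, and shows that a list without reject_unauth_destination relays for anybody. The configuration and the client/recipient pairs are constructed; address resolution is simplified to a split at the last "@". </p>

```python
"""Evaluation of a RCPT TO restriction list for relay control, following the
permit_auth_destination / reject_unauth_destination rules and the "first
restriction that matches wins" order. Added example; not Postfix source code.
Simplifications (assumptions): only the user@elsewhere@domain form of
sender-specified routing is detected, the recipient domain is whatever
follows the last "@", and inet_interfaces / proxy_interfaces are folded
into mydestination."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"
RELAY_DOMAINS_REJECT_CODE = 554          # documented default
Verdict = Tuple[str, Optional[int]]      # (status, SMTP reply code)


@dataclass
class Config:
    mynetworks: List[str] = field(default_factory=list)
    relay_domains: List[str] = field(default_factory=list)
    mydestination: List[str] = field(default_factory=list)
    virtual_alias_domains: List[str] = field(default_factory=list)
    virtual_mailbox_domains: List[str] = field(default_factory=list)


def resolve_recipient(addr: str) -> Tuple[str, bool]:
    """Return (domain, has_sender_specified_routing) for a RCPT TO address."""
    if "@" not in addr:
        return "", False
    local, _, domain = addr.rpartition("@")
    return domain.lower(), "@" in local      # user@elsewhere@domain


def _listed(domain: str, domains: List[str], subdomains: bool) -> bool:
    return any(domain == d.lower()
               or (subdomains and domain.endswith("." + d.lower()))
               for d in domains)


def is_auth_destination(rcpt: str, cfg: Config) -> bool:
    """Mail forwarder (relay_domains or a subdomain thereof) or final
    destination (mydestination, virtual_alias_domains,
    virtual_mailbox_domains), and no sender-specified routing."""
    domain, routing = resolve_recipient(rcpt)
    if routing or not domain:
        return False
    final = cfg.mydestination + cfg.virtual_alias_domains + cfg.virtual_mailbox_domains
    return (_listed(domain, cfg.relay_domains, subdomains=True)
            or _listed(domain, final, subdomains=False))


def permit_mynetworks(client: str, rcpt: str, cfg: Config) -> Verdict:
    ip = ipaddress.ip_address(client)
    listed = any(ip in ipaddress.ip_network(n, strict=False) for n in cfg.mynetworks)
    return (OK, None) if listed else (DUNNO, None)


def permit_auth_destination(client: str, rcpt: str, cfg: Config) -> Verdict:
    return (OK, None) if is_auth_destination(rcpt, cfg) else (DUNNO, None)


def reject_unauth_destination(client: str, rcpt: str, cfg: Config) -> Verdict:
    if is_auth_destination(rcpt, cfg):
        return DUNNO, None
    return REJECT, RELAY_DOMAINS_REJECT_CODE


RESTRICTIONS: Dict[str, Callable[[str, str, Config], Verdict]] = {
    "permit_mynetworks": permit_mynetworks,
    "permit_auth_destination": permit_auth_destination,
    "reject_unauth_destination": reject_unauth_destination,
}


def evaluate(restrictions: str, client: str, rcpt: str, cfg: Config) -> Verdict:
    """Apply a comma/whitespace separated list in order; the first restriction
    that returns OK or REJECT wins. Reaching the end of the list permits the
    request, which is why the list must contain reject_unauth_destination (or
    one of the alternatives listed above) to avoid becoming an open relay."""
    for name in restrictions.replace(",", " ").split():
        status, code = RESTRICTIONS[name](client, rcpt, cfg)
        if status != DUNNO:
            return status, code
    return OK, None


# Constructed configuration for the demonstration.
CFG = Config(mynetworks=["127.0.0.0/8", "192.168.0.0/16"],
             relay_domains=["example.org"],
             mydestination=["mail.example.com", "localhost"])
POLICY = "permit_mynetworks, reject_unauth_destination"

if __name__ == "__main__":
    for client, rcpt in [("10.1.2.3", "user@example.org"),
                         ("10.1.2.3", "user@sub.example.org"),
                         ("10.1.2.3", "user@victim.example"),
                         ("192.168.1.5", "user@victim.example"),
                         ("10.1.2.3", "user@elsewhere@example.org")]:
        print(f"{client:12} {rcpt:28} {evaluate(POLICY, client, rcpt, CFG)}")
    # permit_mynetworks alone (or an empty list) relays for anybody.
    print("open relay:", evaluate("permit_mynetworks", "10.1.2.3", "user@victim.example", CFG))
```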
17325
17326
17327</DD>
17328
17329<DT><b><a name="smtpd_reject_footer">smtpd_reject_footer</a>
17330(default: empty)</b></DT><DD>
17331
17332<p> Optional information that is appended after each Postfix SMTP
17333server
173344XX or 5XX response. </p>
17335
17336<p> The following example uses "\c" at the start of the template
17337(supported in Postfix 2.10 and later) to suppress the line break
17338between the reply text and the footer text. With earlier Postfix
17339versions, the footer text always begins on a new line, and the "\c"
17340is output literally. </p>
17341
17342<pre>
17343/etc/postfix/<a href="postconf.5.html">main.cf</a>:
17344    <a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> = \c. For assistance, call 800-555-0101.
17345     Please provide the following information in your problem report:
17346     time ($localtime), client ($client_address) and server
17347     ($server_name).
17348</pre>
17349
17350<p> Server response: </p>
17351
17352<pre>
17353    550-5.5.1 &lt;user@example&gt; Recipient address rejected: User
17354    unknown. For assistance, call 800-555-0101. Please provide the
17355    following information in your problem report: time (Jan 4 15:42:00),
17356    client (192.168.1.248) and server (mail1.example.com).
17357</pre>
17358
17359<p> Note: the above text is meant to make it easier to find the
17360Postfix logfile records for a failed SMTP session. The text itself
17361is not logged to the Postfix SMTP server's maillog file. </p>
17362
17363<p> Be sure to keep the text as short as possible. Long text may
17364be truncated before it is logged to the remote SMTP client's maillog
17365file, or before it is returned to the sender in a delivery status
17366notification.  </p>
17367
17368<p> The template text is not subject to Postfix configuration
17369parameter $name expansion. Instead, this feature supports a limited
17370number of $name attributes in the footer text. These attributes are
17371replaced with their current value for the SMTP session. </p>
17372
17373<p> Note: specify $$name in footer text that is looked up from
17374<a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>:-based <a href="postconf.5.html#smtpd_reject_footer_maps">smtpd_reject_footer_maps</a>, otherwise the
17375Postfix server will not use the footer text and will log a warning
17376instead. </p>
17377
17378<dl>
17379
<dt> <b>client_address</b> </dt> <dd> The client IP address that
is logged in the maillog file. </dd>
17382
17383<dt> <b>client_port</b> </dt> <dd> The client TCP port that is
17384logged in the maillog file. </dd>
17385
17386<dt> <b>localtime</b> </dt> <dd> The server local time (Mmm dd
17387hh:mm:ss) that is logged in the maillog file. </dd>
17388
17389<dt> <b>server_name</b> </dt> <dd> The server's <a href="postconf.5.html#myhostname">myhostname</a> value.
17390This attribute is made available for sites with multiple MTAs
17391(perhaps behind a load-balancer), where the server name can help
17392the server support team to quickly find the right log files.  </dd>
17393
17394</dl>
17395
17396<p> Notes: </p>
17397
17398<ul>
17399
17400<li> <p> NOT SUPPORTED are other attributes such as sender, recipient,
17401or <a href="postconf.5.html">main.cf</a> parameters.  </p>
17402
17403<li> <p> For safety reasons, text that does not match
17404$<a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> is censored. </p>
17405
17406</ul>
17407
17408<p> This feature supports the two-character sequence \n as a request
17409for a line break in the footer text. Postfix automatically inserts
17410after each line break the three-digit SMTP reply code (and optional
17411enhanced status code) from the original Postfix reject message.
17412</p>
17413
17414<p> To work around mail software that mis-handles multi-line replies,
17415specify the two-character sequence \c at the start of the template.
17416This suppresses the line break between the reply text and the footer
17417text (Postfix 2.10 and later).  </p>
17418
17419<p> This feature is available in Postfix 2.8 and later. </p>
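<p> The footer rendering rules above, as an added Python example that is not Postfix code: it expands only the four supported attributes, honours \c and \n, repeats the reply code and enhanced status code after each line break, and censors attribute values against an expansion filter. The filter, the assumption that censored characters become "_", and the choice to leave the reply unchanged when the template names an unsupported attribute are constructed for this example; the sample reply, template and attribute values are taken from the example above (client_port is constructed). </p>

```python
"""Rendering of an smtpd_reject_footer template onto a 4XX/5XX reply.
Added example; not Postfix source code. Constructed assumptions: the
expansion filter below stands in for smtpd_expansion_filter, censored
characters become "_", and a template that names an unsupported attribute
is not used at all (the reply is returned unchanged after a warning)."""
import re
from typing import Dict, List

SUPPORTED = ("client_address", "client_port", "localtime", "server_name")
# Constructed printable-ASCII filter: tab, space and 0x21..0x7e.
EXPANSION_FILTER = "\t " + "".join(chr(c) for c in range(0x21, 0x7F))
_REPLY = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$", re.S)
_NAME = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def expand(segment: str, attrs: Dict[str, str], expansion_filter: str) -> str:
    """Replace $name / ${name} with the session attribute value, censoring
    characters outside the filter; unsupported names raise KeyError."""
    def sub(m):
        name = m.group(1) or m.group(2)
        if name not in SUPPORTED:
            raise KeyError(name)
        value = attrs.get(name, "")
        return "".join(c if c in expansion_filter else "_" for c in value)
    return _NAME.sub(sub, segment)


def render_reply(reply: str, template: str, attrs: Dict[str, str],
                 expansion_filter: str = EXPANSION_FILTER) -> List[str]:
    """Return the reply lines (without CRLF) with the footer appended.
    2XX/3XX replies and malformed replies are returned untouched."""
    m = _REPLY.match(reply)
    if m is None or m.group(1)[0] not in "45" or not template:
        return [reply]
    code, enhanced, text = m.groups()
    # Split on the two-character sequence \n *before* expanding, so that an
    # attribute value can never smuggle in a line break of its own.
    segments = template.split("\\n")
    join_first = segments[0].startswith("\\c")
    if join_first:
        segments[0] = segments[0][2:]
    try:
        segments = [expand(s, attrs, expansion_filter) for s in segments]
    except KeyError as exc:
        print(f"warning: smtpd_reject_footer: unsupported attribute "
              f"${exc.args[0]}; footer not used")
        return [reply]
    if join_first:
        lines = [text + segments[0]] + segments[1:]
    else:
        lines = [text] + segments
    # After each line break the reply code and the optional enhanced status
    # code are repeated; "-" marks every line but the last.
    status = enhanced + " " if enhanced else ""
    return [f"{code}{'-' if i < len(lines) - 1 else ' '}{status}{line}"
            for i, line in enumerate(lines)]


# Reply, template and attribute values from the example above.
PAGE_REPLY = "550 5.5.1 <user@example> Recipient address rejected: User unknown"
PAGE_TEMPLATE = ("\\c. For assistance, call 800-555-0101. Please provide the "
                 "following information in your problem report: time "
                 "($localtime), client ($client_address) and server "
                 "($server_name).")
PAGE_ATTRS = {"client_address": "192.168.1.248", "client_port": "51234",
              "localtime": "Jan 4 15:42:00", "server_name": "mail1.example.com"}

if __name__ == "__main__":
    for line in render_reply(PAGE_REPLY, PAGE_TEMPLATE, PAGE_ATTRS):
        print(line)
    for line in render_reply(PAGE_REPLY, "Help: $server_name\\nSee our support page",
                             PAGE_ATTRS):
        print(line)
```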
17420
17421
17422</DD>
17423
17424<DT><b><a name="smtpd_reject_footer_maps">smtpd_reject_footer_maps</a>
17425(default: empty)</b></DT><DD>
17426
17427<p> Lookup tables, indexed by the complete Postfix SMTP server 4xx or
174285xx response, with reject footer templates. See <a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>
17429for details. </p>
17430
17431<p>
17432Specify zero or more "type:name" lookup tables, separated by
17433whitespace or comma. Tables will be searched in the specified order
17434until a match is found.
17435</p>
17436
17437<p> This feature is available in Postfix 3.4 and later. </p>
17438
17439
17440</DD>
17441
17442<DT><b><a name="smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a>
17443(default: yes)</b></DT><DD>
17444
17445<p>
17446Request that the Postfix SMTP server rejects mail for unknown
17447recipient addresses, even when no explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a>
17448access restriction is specified. This prevents the Postfix queue
17449from filling up with undeliverable MAILER-DAEMON messages.
17450</p>
17451
17452<p> An address is considered "unknown" when 1) it does not match a
17453<a href="virtual.5.html">virtual(5)</a> alias or <a href="canonical.5.html">canonical(5)</a> mapping, and 2) the address is not
17454valid for its address class. For a definition of class-based address
17455validation, see <a href="ADDRESS_CLASS_README.html#classes">
17456ADDRESS_CLASS_README</a>. </p>
17457
17458<p>
17459This feature is available in Postfix 2.1 and later.
17460</p>
17461
17462
17463</DD>
17464
17465<DT><b><a name="smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a>
17466(default: no)</b></DT><DD>
17467
17468<p> Request that the Postfix SMTP server rejects mail from unknown
17469sender addresses, even when no explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a>
17470access restriction is specified. This can slow down an explosion
17471of forged mail from worms or viruses. </p>
17472
17473<p> An address is considered "unknown" when 1) it does not match a
17474<a href="virtual.5.html">virtual(5)</a> alias or <a href="canonical.5.html">canonical(5)</a> mapping, and 2) the address is not
17475valid for its address class. For a definition of class-based address
17476validation, see <a href="ADDRESS_CLASS_README.html#classes">
17477ADDRESS_CLASS_README</a>. </p>
17478
17479<p>
17480This feature is available in Postfix 2.1 and later.
17481</p>
17482
17483
17484</DD>
17485
17486<DT><b><a name="smtpd_relay_before_recipient_restrictions">smtpd_relay_before_recipient_restrictions</a>
17487(default: see "postconf -d" output)</b></DT><DD>
17488
17489<p> Evaluate <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> before <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
17490Historically, <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> was evaluated after
17491<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>, contradicting documented behavior. </p>
17492
17493<p> Background: the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> feature is primarily
17494designed to enforce a mail relaying policy, while
17495<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> is primarily designed to enforce spam
17496blocking policy. Both are evaluated while replying to the RCPT TO
17497command, and both support the same features. </p>
17498
17499<p> This feature is available in Postfix 3.6 and later. </p>
17500
17501
17502</DD>
17503
17504<DT><b><a name="smtpd_relay_restrictions">smtpd_relay_restrictions</a>
17505(default: <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, <a href="postconf.5.html#defer_unauth_destination">defer_unauth_destination</a>)</b></DT><DD>
17506
17507<p> Access restrictions for mail relay control that the Postfix
17508SMTP server applies in the context of the RCPT TO command, before
17509<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
17510See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
17511restriction lists" for a discussion of evaluation context and time.
17512</p>
17513
17514<p> With Postfix versions before 2.10, the rules for relay permission
17515and spam blocking were combined under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>,
17516resulting in error-prone configuration.  As of Postfix 2.10, relay
17517permission rules are preferably implemented with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>,
17518so that a permissive spam blocking policy under
17519<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> will no longer result in a permissive
17520mail relay policy.  </p>
17521
17522<p> For backwards compatibility, sites that migrate from Postfix
17523versions before 2.10 can set <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> to the empty
17524value, and use <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> exactly as before. </p>
17525
17526<p>
17527By default, the Postfix SMTP server accepts:
17528</p>
17529
17530<ul>
17531
17532<li> Mail from clients whose IP address matches $<a href="postconf.5.html#mynetworks">mynetworks</a>, or:
17533
17534<li> Mail from clients who are SASL authenticated, or:
17535
17536<li> Mail to remote destinations that match $<a href="postconf.5.html#relay_domains">relay_domains</a>, except
17537for addresses that contain sender-specified routing
17538(user@elsewhere@domain), or:
17539
17540<li> Mail to local destinations that match $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
17541or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or
17542$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
17543
17544</ul>
17545
17546<p>
17547IMPORTANT: Either the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> or the
17548<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> parameter must specify
17549at least one of the following restrictions. Otherwise Postfix will
17550refuse to receive mail:
17551</p>
17552
17553<blockquote>
17554<pre>
17555reject, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
17556</pre>
17557</blockquote>
17558
17559<blockquote>
17560<pre>
17561defer, <a href="postconf.5.html#defer_if_permit">defer_if_permit</a>, <a href="postconf.5.html#defer_unauth_destination">defer_unauth_destination</a>
17562</pre>
17563</blockquote>
17564
17565<p>
17566Specify a list of restrictions, separated by commas and/or whitespace.
17567Continue long lines by starting the next line with whitespace.
17568The same restrictions are available as documented under
17569<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
17570</p>
17571
17572<p> This feature is available in Postfix 2.10 and later. </p>
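<p> The evaluation order and the IMPORTANT rule above, as an added
simplified model in Python (not Postfix code): smtpd_relay_restrictions is
evaluated first, a permit there does not skip smtpd_recipient_restrictions,
and the default relay policy defers mail to unauthorized destinations
regardless of how permissive the spam policy is. Addresses, networks and
domains are constructed; the local address classes are collapsed into one
set, and only the restrictions named in this section are modeled. </p>

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ServerConfig:
    """The main.cf values the default relay policy consults (constructed).

    local_domains stands in for every local address class listed above
    (inet_interfaces, proxy_interfaces, mydestination, virtual_alias_domains,
    virtual_mailbox_domains) so that the model stays small.
    """
    mynetworks: list
    relay_domains: set
    local_domains: set
    smtpd_relay_restrictions: list
    smtpd_recipient_restrictions: list


@dataclass
class RcptRequest:
    client_ip: str
    sasl_authenticated: bool
    recipient: str


# The restrictions the IMPORTANT paragraph requires in one of the two lists.
RELAY_GUARDS = {"reject", "reject_unauth_destination",
                "defer", "defer_if_permit", "defer_unauth_destination"}


def has_relay_guard(cfg):
    """False when neither list carries a relay guard: Postfix would refuse mail."""
    names = set(cfg.smtpd_relay_restrictions) | set(cfg.smtpd_recipient_restrictions)
    return bool(names & RELAY_GUARDS)


def authorized_destination(cfg, recipient):
    """Local destination, or a relay_domains match without sender-specified routing."""
    local_part, _, domain = recipient.rpartition("@")
    if domain in cfg.local_domains:
        return True
    # user@elsewhere@domain is never accepted for relaying
    return domain in cfg.relay_domains and "@" not in local_part


def evaluate(restriction, cfg, req):
    """One restriction: "OK", a reply code, or None meaning DUNNO (try the next)."""
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(req.client_ip)
        return "OK" if any(ip in ipaddress.ip_network(n) for n in cfg.mynetworks) else None
    if restriction == "permit_sasl_authenticated":
        return "OK" if req.sasl_authenticated else None
    if restriction == "permit":
        return "OK"
    if restriction in ("reject_unauth_destination", "defer_unauth_destination"):
        if authorized_destination(cfg, req.recipient):
            return None
        return "554" if restriction.startswith("reject") else "450"
    if restriction == "reject":
        return "554"
    if restriction == "defer":
        return "450"
    raise NotImplementedError(restriction)


def run_list(restrictions, cfg, req):
    """First match wins; an exhausted list yields None (DUNNO)."""
    for r in restrictions:
        result = evaluate(r, cfg, req)
        if result is not None:
            return result
    return None


def rcpt_to_decision(cfg, req):
    """Relay list first: only a reject or defer there ends evaluation, a permit
    merely hands over to the recipient list. An exhausted recipient list accepts."""
    relay = run_list(cfg.smtpd_relay_restrictions, cfg, req)
    if relay not in (None, "OK"):
        return relay
    rcpt = run_list(cfg.smtpd_recipient_restrictions, cfg, req)
    return rcpt if rcpt is not None else "OK"


if __name__ == "__main__":
    cfg = ServerConfig(["127.0.0.0/8", "192.0.2.0/24"], {"relay.example"}, {"example.com"},
                       ["permit_mynetworks", "permit_sasl_authenticated", "defer_unauth_destination"],
                       ["permit"])  # an over-permissive spam policy
    print(rcpt_to_decision(cfg, RcptRequest("203.0.113.5", False, "victim@remote.example")))
```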
17573
17574
17575</DD>
17576
17577<DT><b><a name="smtpd_restriction_classes">smtpd_restriction_classes</a>
17578(default: empty)</b></DT><DD>
17579
17580<p>
17581User-defined aliases for groups of access restrictions. The aliases
17582can be specified in <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> etc., and on the
17583right-hand side of a Postfix <a href="access.5.html">access(5)</a> table.
17584</p>
17585
17586<p>
17587One major application is for implementing per-recipient UCE control.
17588See the <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a> document for other examples.
17589</p>
17590
17591
17592</DD>
17593
17594<DT><b><a name="smtpd_sasl_application_name">smtpd_sasl_application_name</a>
17595(default: smtpd)</b></DT><DD>
17596
17597<p>
17598The application name that the Postfix SMTP server uses for SASL
17599server initialization. This
17600controls the name of the SASL configuration file. The default value
17601is <b>smtpd</b>, corresponding to a SASL configuration file named
17602<b>smtpd.conf</b>.
17603</p>
17604
17605<p>
17606This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3
17607it was renamed to <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.
17608</p>
17609
17610
17611</DD>
17612
17613<DT><b><a name="smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a>
17614(default: no)</b></DT><DD>
17615
17616<p>
17617Enable SASL authentication in the Postfix SMTP server. By default,
17618the Postfix SMTP server does not use authentication.
17619</p>
17620
17621<p>
17622If a remote SMTP client is authenticated, the <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>
17623access restriction can be used to permit relay access, like this:
17624</p>
17625
17626<blockquote>
17627<pre>
17628# With Postfix 2.10 and later, the mail relay policy is
17629# preferably specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
17630<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
17631    <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, ...
17632</pre>
17633
17634<pre>
17635# With Postfix before 2.10, the relay policy can be
17636# specified only under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
17637<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
17638    <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, ...
17639</pre>
17640</blockquote>
17641
17642<p> To reject all SMTP connections from unauthenticated clients,
17643specify "<a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> = yes" (which is the default) and use:
17644</p>
17645
17646<blockquote>
17647<pre>
17648<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> = <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, reject
17649</pre>
17650</blockquote>
17651
17652<p>
17653See the <a href="SASL_README.html">SASL_README</a> file for SASL configuration and operation details.
17654</p>
17655
17656
17657</DD>
17658
17659<DT><b><a name="smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a>
17660(default: no)</b></DT><DD>
17661
17662<p> Report the SASL authenticated user name in the <a href="smtpd.8.html">smtpd(8)</a> Received
17663message header.  </p>
17664
17665<p> This feature is available in Postfix 2.3 and later.  </p>
17666
17667
17668</DD>
17669
17670<DT><b><a name="smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a>
17671(default: empty)</b></DT><DD>
17672
17673<p>
17674What remote SMTP clients the Postfix SMTP server will not offer
17675AUTH support to.
17676</p>
17677
17678<p>
17679Some clients (Netscape 4 at least) have a bug that causes them to
17680require a login and password whenever AUTH is offered, whether it's
17681necessary or not. To work around this, specify, for example,
17682$<a href="postconf.5.html#mynetworks">mynetworks</a> to prevent Postfix from offering AUTH to local clients.
17683</p>
17684
17685<p>
17686Specify a list of network/netmask patterns, separated by commas
17687and/or whitespace. The mask specifies the number of bits in the
17688network part of a host address. You can also specify "/file/name" or
17689"<a href="DATABASE_README.html">type:table</a>" patterns.  A "/file/name" pattern is replaced by its
17690contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a table entry
17691matches a lookup string (the lookup result is ignored).  Continue
17692long lines by starting the next line with whitespace. Specify
17693"!pattern" to exclude an address or network block from the list.
17694The form "!/file/name" is supported only in Postfix version 2.4 and
17695later.  </p>
17696
17697<p> Note: IP version 6 address information must be specified inside
17698<tt>[]</tt> in the <a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> value, and in
17699files specified with "/file/name".  IP version 6 addresses contain
17700the ":" character, and would otherwise be confused with a "<a href="DATABASE_README.html">type:table</a>"
17701pattern.  </p>
17702
17703<p>
17704Example:
17705</p>
17706
17707<pre>
17708<a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> = $<a href="postconf.5.html#mynetworks">mynetworks</a>
17709</pre>
17710
17711<p>
17712This feature is available in Postfix 2.1 and later.
17713</p>
17714
17715
17716</DD>
17717
17718<DT><b><a name="smtpd_sasl_local_domain">smtpd_sasl_local_domain</a>
17719(default: empty)</b></DT><DD>
17720
17721<p>
17722The name of the Postfix SMTP server's local SASL authentication
17723realm.
17724</p>
17725
17726<p>
17727By default, the local authentication realm name is the null string.
17728</p>
17729
17730<p>
17731Examples:
17732</p>
17733
17734<pre>
17735<a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> = $<a href="postconf.5.html#mydomain">mydomain</a>
17736<a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> = $<a href="postconf.5.html#myhostname">myhostname</a>
17737</pre>
17738
17739
17740</DD>
17741
17742<DT><b><a name="smtpd_sasl_mechanism_filter">smtpd_sasl_mechanism_filter</a>
17743(default: !external, <a href="DATABASE_README.html#types">static</a>:rest)</b></DT><DD>
17744
17745<p> If non-empty, a filter for the SASL mechanism names that the
17746Postfix SMTP server will announce in the EHLO response. By default,
17747the Postfix SMTP server will not announce the EXTERNAL mechanism,
17748because Postfix support for that is not implemented. </p>
17749
17750<p> Specify mechanism names, "/file/name" patterns, or "<a href="DATABASE_README.html">type:table</a>"
17751lookup tables, separated by comma or whitespace. The right-hand
17752side result from "<a href="DATABASE_README.html">type:table</a>" lookups is ignored. Specify "!pattern"
17753to exclude a mechanism name from the list. </p>
17754
17755<p>
17756Examples:
17757</p>
17758
17759<pre>
17760<a href="postconf.5.html#smtpd_sasl_mechanism_filter">smtpd_sasl_mechanism_filter</a> = !external, !gssapi, <a href="DATABASE_README.html#types">static</a>:rest
17761<a href="postconf.5.html#smtpd_sasl_mechanism_filter">smtpd_sasl_mechanism_filter</a> = login, plain
17762<a href="postconf.5.html#smtpd_sasl_mechanism_filter">smtpd_sasl_mechanism_filter</a> = /etc/postfix/smtpd_mechs
17763</pre>
17764
17765<p> This feature is available in Postfix 3.6 and later. </p>
17766
17767
17768</DD>
17769
17770<DT><b><a name="smtpd_sasl_path">smtpd_sasl_path</a>
17771(default: smtpd)</b></DT><DD>
17772
17773<p> Implementation-specific information that the Postfix SMTP server
17774passes through to
17775the SASL plug-in implementation that is selected with
17776<b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.  Typically this specifies the name of a
17777configuration file or rendezvous point. </p>
17778
17779<p> This feature is available in Postfix 2.3 and later. In earlier
17780releases it was called <b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a></b>. </p>
17781
17782
17783</DD>
17784
17785<DT><b><a name="smtpd_sasl_response_limit">smtpd_sasl_response_limit</a>
17786(default: 12288)</b></DT><DD>
17787
17788<p> The maximum length of a SASL client's response to a server challenge.
17789When the client's "initial response" is longer than the normal limit for
17790SMTP commands, the client must omit its initial response, and wait for an
17791empty server challenge; it can then send what would have been its "initial
17792response" as a response to the empty server challenge.  <a href="https://tools.ietf.org/html/rfc4954">RFC4954</a> requires the
17793server to accept client responses up to at least 12288 octets of
17794base64-encoded text.  The default value is therefore also the minimum value
17795accepted for this parameter.</p>
17796
17797<p> This feature is available in Postfix 3.4 and later. Prior versions use
17798"<a href="postconf.5.html#line_length_limit">line_length_limit</a>", which may need to be raised to accommodate larger client
17799responses, as may be needed with GSSAPI authentication of Windows AD users
17800who are members of many groups. </p>
17801
17802
17803</DD>
17804
17805<DT><b><a name="smtpd_sasl_security_options">smtpd_sasl_security_options</a>
17806(default: noanonymous)</b></DT><DD>
17807
17808<p> Postfix SMTP server SASL security options; as of Postfix 2.3
17809the list of available
17810features depends on the SASL server implementation that is selected
17811with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.  </p>
17812
17813<p> The following security features are defined for the <b>cyrus</b>
17814server SASL implementation: </p>
17815
17816<p>
17817Restrict what authentication mechanisms the Postfix SMTP server
17818will offer to the client.  The list of available authentication
17819mechanisms is system dependent.
17820</p>
17821
17822<p>
17823Specify zero or more of the following:
17824</p>
17825
17826<dl>
17827
17828<dt><b>noplaintext</b></dt>
17829
17830<dd>Disallow methods that use plaintext passwords. </dd>
17831
17832<dt><b>noactive</b></dt>
17833
17834<dd>Disallow methods subject to active (non-dictionary) attack. </dd>
17835
17836<dt><b>nodictionary</b></dt>
17837
17838<dd>Disallow methods subject to passive (dictionary) attack. </dd>
17839
17840<dt><b>noanonymous</b></dt>
17841
17842<dd>Disallow methods that allow anonymous authentication. </dd>
17843
17844<dt><b>forward_secrecy</b></dt>
17845
17846<dd>Only allow methods that support forward secrecy (Dovecot only).
17847</dd>
17848
17849<dt><b>mutual_auth</b></dt>
17850
17851<dd>Only allow methods that provide mutual authentication (not available
17852with Cyrus SASL version 1). </dd>
17853
17854</dl>
17855
17856<p>
17857By default, the Postfix SMTP server accepts plaintext passwords but
17858not anonymous logins.
17859</p>
17860
17861<p>
17862Warning: it appears that clients try authentication methods in the
17863order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
17864which means that if you disable plaintext passwords, clients will
17865log in anonymously, even when they should be able to use CRAM-MD5.
17866So, if you disable plaintext logins, disable anonymous logins too.
17867Postfix treats anonymous login as no authentication.
17868</p>
17869
17870<p>
17871Example:
17872</p>
17873
17874<pre>
17875<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> = noanonymous, noplaintext
17876</pre>
17877
17878
17879</DD>
17880
17881<DT><b><a name="smtpd_sasl_service">smtpd_sasl_service</a>
17882(default: smtp)</b></DT><DD>
17883
17884<p> The service name that is passed to the SASL plug-in that is
17885selected with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b> and <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a></b>.
17886</p>
17887
17888<p> This feature is available in Postfix 2.11 and later. Prior
17889versions behave as if "<b>smtp</b>" is specified. </p>
17890
17891
17892</DD>
17893
17894<DT><b><a name="smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a>
17895(default: $<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a>)</b></DT><DD>
17896
17897<p> The SASL authentication security options that the Postfix SMTP
17898server uses for TLS encrypted SMTP sessions. </p>
17899
17900<p> This feature is available in Postfix 2.2 and later.  </p>
17901
17902
17903</DD>
17904
17905<DT><b><a name="smtpd_sasl_type">smtpd_sasl_type</a>
17906(default: cyrus)</b></DT><DD>
17907
17908<p> The SASL plug-in type that the Postfix SMTP server should use
17909for authentication. The available types are listed with the
17910"<b>postconf -a</b>" command. </p>
17911
17912<p> This feature is available in Postfix 2.3 and later. </p>
17913
17914
17915</DD>
17916
17917<DT><b><a name="smtpd_sender_login_maps">smtpd_sender_login_maps</a>
17918(default: empty)</b></DT><DD>
17919
17920<p>
17921Optional lookup table with the SASL login names that own the
17922envelope sender
17923(MAIL FROM) addresses.
17924</p>
17925
17926<blockquote> <p> Note: to enforce that the From: header address
17927matches the envelope sender (MAIL FROM) address, use an external
filter such as a Milter, for the submission or submissions (formerly
called smtps) services. For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>. </p>
17931</blockquote>
17932
17933<p>
17934Specify zero or more "type:name" lookup tables, separated by
17935whitespace or comma. Tables will be searched in the specified order
17936until a match is found.  With lookups from
17937indexed files such as DB or DBM, or from networked tables such as
17938NIS, LDAP or SQL, the following search operations are done with a
17939sender address of <i>user@domain</i>:  </p>
17940
17941<dl>
17942
17943<dt> 1) <i>user@domain</i> </dt>
17944
17945<dd>This table lookup is always done and has the highest precedence. </dd>
17946
17947<dt> 2) <i>user</i> </dt>
17948
17949<dd>This table lookup is done only when the <i>domain</i> part of the
17950sender address matches $<a href="postconf.5.html#myorigin">myorigin</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
17951or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. </dd>
17952
17953<dt> 3) <i>@domain</i> </dt>
17954
17955<dd>This table lookup is done last and has the lowest precedence. </dd>
17956
17957</dl>
17958
17959<p>
17960In all cases the result of table lookup must be either "not found"
17961or a list of SASL login names separated by comma and/or whitespace.
17962</p>
17963
17964
17965</DD>
17966
17967<DT><b><a name="smtpd_sender_restrictions">smtpd_sender_restrictions</a>
17968(default: empty)</b></DT><DD>
17969
17970<p>
17971Optional restrictions that the Postfix SMTP server applies in the
17972context of a client MAIL FROM command.
17973See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
17974restriction lists" for a discussion of evaluation context and time.
17975</p>
17976
17977<p>
17978The default is to permit everything.
17979</p>
17980
17981<p>
17982Specify a list of restrictions, separated by commas and/or whitespace.
17983Continue long lines by starting the next line with whitespace.
17984Restrictions are applied in the order as specified; the first
17985restriction that matches wins.
17986</p>
17987
17988<p>
17989The following restrictions are specific to the sender address
17990received with the MAIL FROM command.
17991</p>
17992
17993<dl>
17994
17995<dt><b><a name="check_sender_access">check_sender_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
17996
17997<dd>Search the specified <a href="access.5.html">access(5)</a> database for the MAIL FROM
17998address, and execute the corresponding action. </dd>
17999
18000<dt><b><a name="check_sender_a_access">check_sender_a_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
18001
18002<dd>Search the specified <a href="access.5.html">access(5)</a> database for the IP addresses for
18003the MAIL FROM domain, and execute the corresponding action.  Note:
18004a result of "OK" is not allowed for safety reasons. Instead, use
18005DUNNO in order to exclude specific hosts from denylists.  This
18006feature is available in Postfix 3.0 and later. </dd>
18007
18008<dt><b><a name="check_sender_mx_access">check_sender_mx_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
18009
18010<dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for
18011the MAIL FROM domain, and execute the corresponding action.  If no
18012MX record is found, look up A or AAAA records, just like the Postfix
18013SMTP client would. Note:
18014a result of "OK" is not allowed for safety reasons. Instead, use
18015DUNNO in order to exclude specific hosts from denylists.  This
18016feature is available in Postfix 2.1 and later. </dd>
18017
18018<dt><b><a name="check_sender_ns_access">check_sender_ns_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
18019
18020<dd>Search the specified <a href="access.5.html">access(5)</a> database for the DNS servers
18021for the MAIL FROM domain, and execute the corresponding action.
18022Note: a result of "OK" is not allowed for safety reasons. Instead,
18023use DUNNO in order to exclude specific hosts from denylists.  This
18024feature is available in Postfix 2.1 and later.  </dd>
18025
18026<dt><b><a name="reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a></b></dt>
18027
18028<dd> Reject the request when the client is authenticated with SASL,
18029but either the MAIL FROM address is not listed in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>,
18030or the SASL login name is not an owner for that address.
18031<br>
18032This prevents an authenticated client from using a MAIL FROM address
18033that they do not explicitly own.
18034<br>
18035Note: to enforce that the From: header address matches the envelope
18036sender (MAIL FROM) address, use an external filter such as a Milter,
18037for the submission or submissions (formerly called smtps) services.
18038For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
18039<br>
18040This feature is available in Postfix version 2.1 and later. </dd>
18041
18042<dt><b><a name="reject_known_sender_login_mismatch">reject_known_sender_login_mismatch</a></b></dt>
18043
18044<dd> When the client is authenticated with SASL, reject the request
18045when the MAIL FROM address is listed in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>,
18046but the SASL login name is not an owner for that address.
18047<br>
18048When the client is not authenticated with SASL, reject the request
18049when SASL is enabled, and the MAIL FROM address is listed in
18050$<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>.
18051<br>
18052This protects any MAIL FROM address that is listed in
18053$<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>, while still allowing a client to use any
18054unlisted MAIL FROM address.
18055<br>
18056Note: to enforce that the From: header address matches the envelope
18057sender (MAIL FROM) address, use an external filter such as a Milter,
18058for the submission or submissions (formerly called smtps) services.
18059For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
18060<br>
18061This feature is available in Postfix version 2.11 and later.</dd>
18062
18063<dt><b><a name="reject_non_fqdn_sender">reject_non_fqdn_sender</a></b></dt>
18064
18065<dd>Reject the request when the MAIL FROM address specifies a
18066domain that is not in
18067fully-qualified domain form as required by the RFC. <br> The
18068<a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> parameter specifies the response code for
18069rejected requests (default: 504). </dd>
18070
18071<dt><b><a name="reject_rhsbl_sender">reject_rhsbl_sender <i>rbl_domain=d.d.d.d</i></a></b></dt>
18072
18073<dd>Reject the request when the MAIL FROM domain is listed with
18074the A record "<i>d.d.d.d</i>" under <i>rbl_domain</i> (Postfix
18075version 2.1 and later only).  Each "<i>d</i>" is a number, or a
18076pattern inside "[]" that contains one or more ";"-separated numbers
18077or number..number ranges (Postfix version 2.8 and later). If no
18078"<i>=d.d.d.d</i>" is specified,
18079reject the request when the MAIL FROM domain is
18080listed with any A record under <i>rbl_domain</i>. <br> The
18081<a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> parameter specifies the response code for
18082rejected requests (default:  554); the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> parameter
18083specifies the default server reply; and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> parameter
18084specifies tables with server replies indexed by <i>rbl_domain</i>.
18085This feature is available in Postfix 2.0 and later.</dd>
18086
18087<dt><b><a name="reject_sender_login_mismatch">reject_sender_login_mismatch</a></b></dt>
18088
18089<dd> As of Postfix 2.1, this is an alias for
18090"<a href="postconf.5.html#reject_authenticated_sender_login_mismatch">reject_authenticated_sender_login_mismatch</a>,
18091<a href="postconf.5.html#reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a>".</dd>
18092
18093<dt><b><a name="reject_unauthenticated_sender_login_mismatch">reject_unauthenticated_sender_login_mismatch</a></b></dt>
18094
18095<dd> Reject the request when SASL is enabled, the MAIL FROM address
18096is listed in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>, but the client is not
18097authenticated with SASL.
18098<br>
18099With SASL enabled, this prevents an unauthenticated client from
18100using any MAIL FROM address that is listed in $<a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a>.
18101<br>
18102Note: to enforce that the From: header address matches the envelope
18103sender (MAIL FROM) address, use an external filter such as a Milter,
18104for the submission or submissions (formerly called smtps) services.
18105For example: <a href="https://github.com/magcks/milterfrom">https://github.com/magcks/milterfrom</a>.
18106<br>
18107This feature is available in Postfix version 2.1 and later.</dd>
18108
18109<dt><b><a name="reject_unknown_sender_domain">reject_unknown_sender_domain</a></b></dt>
18110
18111<dd>Reject the request when Postfix is not the final destination for
18112the sender address, and the MAIL FROM domain has 1) no DNS MX and
18113no DNS A
18114record, or 2) a malformed MX record such as a record with
18115a zero-length MX hostname (Postfix version 2.3 and later). <br> The
18116reply is specified with the <a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> parameter
18117(default: 450), <a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> (default:
18118<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>), or 550 (nullmx, Postfix 3.0 and
18119later). See the respective parameter descriptions for details.
18120</dd>
18121
18122<dt><b><a name="reject_unlisted_sender">reject_unlisted_sender</a></b></dt>
18123
18124<dd>Reject the request when the MAIL FROM address is not listed in
18125the list of valid recipients for its domain class. See the
18126<a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> parameter description for details.
18127This feature is available in Postfix 2.1 and later.</dd>
18128
18129<dt><b><a name="reject_unverified_sender">reject_unverified_sender</a></b></dt>
18130
18131<dd>Reject the request when mail to the MAIL FROM address is known to
18132bounce, or when the sender address destination is not reachable.
18133Address verification information is managed by the <a href="verify.8.html">verify(8)</a> server;
18134see the <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> file for details. <br> The
18135<a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> parameter specifies the numerical
18136response code when an address is known to bounce (default: 450,
18137change into 550 when you are confident that it is safe to do so).
18138<br>The <a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> specifies the numerical response
18139code when an address probe failed due to a temporary problem
18140(default: 450).  <br> The <a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> parameter
18141specifies the action after address probe failure due to a temporary
18142problem (default: <a href="postconf.5.html#defer_if_permit">defer_if_permit</a>).  <br> This feature breaks for
18143aliased addresses with "<a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> = no" (Postfix
18144&le; 3.2).  <br> This feature is available in Postfix 2.1 and later.
18145</dd>
18146
18147</dl>
18148
18149<p>
18150Other restrictions that are valid in this context:
18151</p>
18152
18153<ul>
18154
18155<li> <a href="#generic">Generic</a> restrictions that can be used
18156in any SMTP command context, described under <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>.
18157
18158<li> SMTP command specific restrictions described under
18159<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>.
18160
18161<li> SMTP command specific restrictions described under
18162<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>. When recipient restrictions are listed
18163under <a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, they have effect only with
18164"<a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> = yes", so that $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> is
18165evaluated at the time of the RCPT TO command.
18166
18167</ul>
18168
18169<p>
18170Examples:
18171</p>
18172
18173<pre>
18174<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> = <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>
18175<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> = <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>,
18176    <a href="postconf.5.html#check_sender_access">check_sender_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/access
18177</pre>
18178
18179
18180</DD>
18181
18182<DT><b><a name="smtpd_service_name">smtpd_service_name</a>
18183(default: smtpd)</b></DT><DD>
18184
18185<p> The internal service that <a href="postscreen.8.html">postscreen(8)</a> hands off allowed
18186connections to. In a future version there may be different
18187classes of SMTP service. </p>
18188
<p> This feature is available in Postfix 2.8 and later. </p>
18190
18191
18192</DD>
18193
18194<DT><b><a name="smtpd_soft_error_limit">smtpd_soft_error_limit</a>
18195(default: 10)</b></DT><DD>
18196
18197<p>
18198The number of errors a remote SMTP client is allowed to make without
18199delivering mail before the Postfix SMTP server slows down all its
18200responses.
18201</p>
18202
18203<ul>
18204
18205<li><p>With Postfix version 2.1 and later, when the error count
18206is &gt; $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>, the Postfix SMTP server
18207delays all responses by $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a>. </p>
18208
18209<li><p>With Postfix versions 2.0 and earlier, when the error count
18210is &gt; $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>, the Postfix SMTP server delays all
18211responses by the larger of (number of errors) seconds or
18212$<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a>. </p>
18213
18214<li><p>With Postfix versions 2.0 and earlier, when the error count
18215is &le; $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>, the Postfix SMTP server delays 4XX
18216and 5XX responses by $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a>. </p>
18217
18218</ul>
18219
18220
18221</DD>
18222
18223<DT><b><a name="smtpd_starttls_timeout">smtpd_starttls_timeout</a>
18224(default: see "postconf -d" output)</b></DT><DD>
18225
18226<p> The time limit for Postfix SMTP server write and read operations
18227during TLS startup and shutdown handshake procedures. The current
18228default value is stress-dependent. Before Postfix version 2.8, it
18229was fixed at 300s. </p>
18230
18231<p> Specify a non-zero time value (an integral value plus an optional
18232one-letter suffix that specifies the time unit).  Time units: s
18233(seconds), m (minutes), h (hours), d (days), w (weeks).
18234The default time unit is s (seconds).  </p>
18235
18236<p> This feature is available in Postfix 2.2 and later.  </p>
18237
18238
18239</DD>
18240
18241<DT><b><a name="smtpd_timeout">smtpd_timeout</a>
18242(default: normal: 300s, <a href="STRESS_README.html">overload</a>: 10s)</b></DT><DD>
18243
<p> When the Postfix SMTP server wants to send an SMTP server
response, how long the Postfix SMTP server will wait for an underlying
network write operation to complete; and when the Postfix SMTP
server wants to receive an SMTP client request, how long
the Postfix SMTP server will wait for an underlying network read
operation to complete. See the <a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a> parameter for how
this time limit may be enforced (with Postfix 2.9-3.6 see
<a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a>). </p>
18252
18253<p> Normally the default limit
18254is 300s, but it changes under overload to just 10s. With Postfix
182552.5 and earlier, the SMTP server always uses a time limit of 300s
18256by default.
18257</p>
18258
18259<p>
18260Note: if you set SMTP time limits to very large values you may have
18261to update the global <a href="postconf.5.html#ipc_timeout">ipc_timeout</a> parameter.
18262</p>
18263
18264<p> Specify a non-zero time value (an integral value plus an optional
18265one-letter suffix that specifies the time unit).  Time units: s
18266(seconds), m (minutes), h (hours), d (days), w (weeks).
18267The default time unit is s (seconds).  </p>
18268
18269
18270</DD>
18271
18272<DT><b><a name="smtpd_tls_CAfile">smtpd_tls_CAfile</a>
18273(default: empty)</b></DT><DD>
18274
18275<p> A file containing (PEM format) CA certificates of root CAs trusted
18276to sign either remote SMTP client certificates or intermediate CA
18277certificates.  These are loaded into memory before the <a href="smtpd.8.html">smtpd(8)</a> server
18278enters the chroot jail. If the number of trusted roots is large, consider
18279using <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> instead, but note that the latter directory must
18280be present in the chroot jail if the <a href="smtpd.8.html">smtpd(8)</a> server is chrooted. This
18281file may also be used to augment the server certificate trust chain,
18282but it is best to include all the required certificates directly in the
18283server certificate file. </p>
18284
18285<p> Specify "<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /path/to/system_CA_file" to use ONLY
18286the system-supplied default Certification Authority certificates.
18287</p>
18288
18289<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
18290appending the system-supplied default CAs and trusting third-party
18291certificates. </p>
18292
18293<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not
18294requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use
18295of client certificates, the distinguished names (DNs) of the Certification
18296Authorities listed in <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> are sent to the remote SMTP client
18297in the client certificate request message. MUAs with multiple client
18298certificates may use the list of preferred Certification Authorities
18299to select the correct client certificate.  You may want to put your
18300"preferred" CA or CAs in this file, and install other trusted CAs in
18301$<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>. </p>
18302
18303<p> Example: </p>
18304
18305<pre>
18306<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> = /etc/postfix/CAcert.pem
18307</pre>
18308
18309<p> This feature is available in Postfix 2.2 and later.  </p>
18310
18311
18312</DD>
18313
18314<DT><b><a name="smtpd_tls_CApath">smtpd_tls_CApath</a>
18315(default: empty)</b></DT><DD>
18316
18317<p> A directory containing (PEM format) CA certificates of root CAs
18318trusted to sign either remote SMTP client certificates or intermediate CA
18319certificates. Do not forget to create the necessary "hash" links with,
18320for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use
18321<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be
18322inside the chroot jail. </p>
18323
18324<p> Specify "<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> = /path/to/system_CA_directory" to
18325use ONLY the system-supplied default Certification Authority certificates.
18326</p>
18327
18328<p> Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from
18329appending the system-supplied default CAs and trusting third-party
18330certificates. </p>
18331
18332<p> By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are
18333not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast
18334to <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, DNs of Certification Authorities installed
18335in $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> are not included in the client certificate
18336request message. MUAs with multiple client certificates may use the
18337list of preferred Certification Authorities to select the correct
18338client certificate.  You may want to put your "preferred" CA or
18339CAs in $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, and install the remaining trusted CAs in
18340$<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>. </p>
18341
18342<p> Example: </p>
18343
18344<pre>
18345<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> = /etc/postfix/certs
18346</pre>
18347
18348<p> This feature is available in Postfix 2.2 and later.  </p>
18349
18350
18351</DD>
18352
18353<DT><b><a name="smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a>
18354(default: yes)</b></DT><DD>
18355
18356<p> Force the Postfix SMTP server to issue a TLS session id, even
18357when TLS session caching is turned off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>
18358is empty). This behavior is compatible with Postfix &lt; 2.3. </p>
18359
18360<p> With Postfix 2.3 and later the Postfix SMTP server can disable
18361session id generation when TLS session caching is turned off. This
18362keeps remote SMTP clients from caching sessions that almost certainly cannot
18363be re-used.  </p>
18364
18365<p> By default, the Postfix SMTP server always generates TLS session
18366ids. This works around a known defect in mail client applications
18367such as MS Outlook, and may also prevent interoperability issues
18368with other MTAs. </p>
18369
18370<p> Example: </p>
18371
18372<pre>
18373<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> = no
18374</pre>
18375
18376<p> This feature is available in Postfix 2.3 and later. </p>
18377
18378
18379</DD>
18380
18381<DT><b><a name="smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>
18382(default: no)</b></DT><DD>
18383
18384<p> Ask a remote SMTP client for a client certificate. This
18385information is needed for certificate based mail relaying with,
18386for example, the <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a> feature. </p>
18387
18388<p> Some clients such as Netscape will either complain if no
18389certificate is available (for the list of CAs in $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)
18390or will offer multiple client certificates to choose from. This
18391may be annoying, so this option is "off" by default. </p>
18392
18393<p> This feature is available in Postfix 2.2 and later.  </p>
18394
18395
18396</DD>
18397
18398<DT><b><a name="smtpd_tls_auth_only">smtpd_tls_auth_only</a>
18399(default: no)</b></DT><DD>
18400
18401<p> When TLS encryption is optional in the Postfix SMTP server, do
18402not announce or accept SASL authentication over unencrypted
18403connections. </p>
18404
18405<p> This feature is available in Postfix 2.2 and later.  </p>
18406
18407
18408</DD>
18409
18410<DT><b><a name="smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a>
18411(default: 9)</b></DT><DD>
18412
18413<p> The verification depth for remote SMTP client certificates. A
18414depth of 1 is sufficient if the issuing CA is listed in a local CA
18415file. </p>
18416
18417<p> The default verification depth is 9 (the OpenSSL default) for
18418compatibility with earlier Postfix behavior. Prior to Postfix 2.5,
18419the default value was 5, but the limit was not actually enforced. If
18420you have set this to a lower non-default value, certificates with longer
trust chains may now fail to verify. Certificate chains with 1 or 2
CAs are common, deeper chains are rarer, and any number between 5
and 9 should suffice in practice. You can choose a lower number if,
18424for example, you trust certificates directly signed by an issuing CA
18425but not any CAs it delegates to. </p>
18426
18427<p> This feature is available in Postfix 2.2 and later.  </p>
18428
18429
18430</DD>
18431
18432<DT><b><a name="smtpd_tls_cert_file">smtpd_tls_cert_file</a>
18433(default: empty)</b></DT><DD>
18434
18435<p> File with the Postfix SMTP server RSA certificate in PEM format.
18436This file may also contain the Postfix SMTP server private RSA key.
18437With Postfix &ge; 3.4 the preferred way to configure server keys and
18438certificates is via the "<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>" parameter. </p>
18439
18440<p> Public Internet MX hosts without certificates signed by a "reputable"
18441CA must generate, and be prepared to present to most clients, a
18442self-signed or private-CA signed certificate. The client will not be
18443able to authenticate the server, but unless it is running Postfix 2.3 or
18444similar software, it will still insist on a server certificate. </p>
18445
18446<p> For servers that are <b>not</b> public Internet MX hosts, Postfix
18447supports configurations with no certificates. This entails the use of
18448just the anonymous TLS ciphers, which are not supported by typical SMTP
18449clients. Since some clients may not fall back to plain text after a TLS
18450handshake failure, a certificate-less Postfix SMTP server will be unable
18451to receive email from some TLS-enabled clients. To avoid accidental
18452configurations with no certificates, Postfix enables certificate-less
18453operation only when the administrator explicitly sets
18454"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = none". This ensures that new Postfix SMTP server
18455configurations will not accidentally enable TLS without certificates.  </p>
18456
18457<p> Note that server certificates are not optional in TLS 1.3. To run
18458without certificates you'd have to disable the TLS 1.3 protocol by
18459including '!TLSv1.3' in "<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>" and perhaps also
18460"<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>".  It is simpler instead to just
configure a certificate chain.  Certificate-less operation is not
recommended. </p>
18463
18464<p> Both RSA and DSA certificates are supported.  When both types
18465are present, the cipher used determines which certificate will be
18466presented to the client.  For Netscape and OpenSSL clients without
18467special cipher choices the RSA certificate is preferred. </p>
18468
18469<p> To enable a remote SMTP client to verify the Postfix SMTP server
18470certificate, the issuing CA certificates must be made available to the
18471client. You should include the required certificates in the server
18472certificate file, the server certificate first, then the issuing
18473CA(s) (bottom-up order). </p>
18474
18475<p> Example: the certificate for "server.example.com" was issued by
18476"intermediate CA" which itself has a certificate of "root CA".
18477Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
18478root_CA.pem &gt; server.pem". </p>
18479
18480<p> If you also want to verify client certificates issued by these
18481CAs, you can add the CA certificates to the <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, in which
18482case it is not necessary to have them in the <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>,
18483<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (obsolete) or <a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>. </p>
18484
18485<p> A certificate supplied here must be usable as an SSL server certificate
18486and hence pass the "openssl verify -purpose sslserver ..." test. </p>
18487
18488<p> Example: </p>
18489
18490<pre>
18491<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = /etc/postfix/server.pem
18492</pre>
18493
18494<p> This feature is available in Postfix 2.2 and later.  </p>
18495
18496
18497</DD>
18498
18499<DT><b><a name="smtpd_tls_chain_files">smtpd_tls_chain_files</a>
18500(default: empty)</b></DT><DD>
18501
18502<p> List of one or more PEM files, each holding one or more private keys
18503directly followed by a corresponding certificate chain.  The file names
18504are separated by commas and/or whitespace.  This parameter obsoletes the
18505legacy algorithm-specific key and certificate file settings.  When this
18506parameter is non-empty, the legacy parameters are ignored, and a warning
18507is logged if any are also non-empty.  </p>
18508
18509<p> With the proliferation of multiple private key algorithms&mdash;which,
18510as of OpenSSL 1.1.1, include DSA (obsolete), RSA, ECDSA, Ed25519
18511and Ed448&mdash;it is increasingly impractical to use separate
18512parameters to configure the key and certificate chain for each
algorithm.  Therefore, Postfix now supports storing multiple keys and
corresponding certificate chains in a single file or in a set of files. </p>
18515
18516<p> Each key must appear <b>immediately before</b> the corresponding
18517certificate, optionally followed by additional issuer certificates that
18518complete the certificate chain for that key.  When multiple files are
18519specified, they are equivalent to a single file that is concatenated
18520from those files in the given order.  Thus, while a key must always
18521precede its certificate and issuer chain, it can be in a separate file,
18522so long as that file is listed immediately before the file that holds
18523the corresponding certificate chain.  Once all the files are
18524concatenated, the sequence of PEM objects must be: <i>key1, cert1,
18525[chain1], key2, cert2, [chain2], ..., keyN, certN, [chainN].</i> </p>
18526
18527<p> Storing the private key in the same file as the corresponding
18528certificate is more reliable.  With the key and certificate in separate
18529files, there is a chance that during key rollover a Postfix process
18530might load a private key and certificate from separate files that don't
18531match.  Various operational errors may even result in a persistent
18532broken configuration in which the certificate does not match the private
18533key. </p>
18534
18535<p> The file or files must contain at most one key of each type.  If,
18536for example, two or more RSA keys and corresponding chains are listed,
18537depending on the version of OpenSSL either only the last one will be
18538used or a configuration error may be detected.  Note that while
18539"Ed25519" and "Ed448" are considered separate algorithms, the various
18540ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
18541considered as different parameters of a single "ECDSA" algorithm, so it
18542is not presently possible to configure keys for more than one ECDSA
18543curve.  </p>
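<p> The following Python script is an added example, not part of Postfix or
of this manual page. It checks that the files named in <a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>,
taken in the listed order, obey the two rules above: every private key is
immediately followed by its certificate (optionally followed by issuer
certificates), and there is at most one key per algorithm, with all ECDSA
curves counting as one algorithm. It identifies the key algorithm from the
PKCS#8 algorithm OID and looks only at the PEM label of certificates. The
Ed25519 and Ed448 keys in the sample data are the ones shown in the examples
further down this section; the certificate bodies are constructed placeholders,
not real certificates, and all function and file names are the example's own. </p>

```python
import base64
import re

# PEM labels accepted for private keys, and the algorithm the label alone
# implies (PKCS#8 "PRIVATE KEY" needs a look at the DER to find out).
KEY_LABELS = {"PRIVATE KEY": None, "RSA PRIVATE KEY": "RSA",
              "EC PRIVATE KEY": "ECDSA", "DSA PRIVATE KEY": "DSA"}

# PKCS#8 privateKeyAlgorithm OIDs. All ECDSA curves share id-ecPublicKey,
# which is why Postfix cannot load keys for two different curves at once.
OID_TO_ALG = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "ECDSA",
              "1.2.840.10040.4.1": "DSA", "1.3.101.112": "Ed25519",
              "1.3.101.113": "Ed448"}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every PEM object in text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def key_algorithm(label, der):
    """Algorithm name of a private-key PEM object, or None if unknown."""
    if KEY_LABELS.get(label):
        return KEY_LABELS[label]
    try:
        # PKCS#8 PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, ... }
        tag, body, _ = _der_tlv(der, 0)
        if tag != 0x30:
            return None
        _, _, pos = _der_tlv(body, 0)           # version INTEGER
        _, alg_id, _ = _der_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
        tag, oid, _ = _der_tlv(alg_id, 0)       # algorithm OBJECT IDENTIFIER
    except (IndexError, ValueError):
        return None
    return OID_TO_ALG.get(_decode_oid(oid)) if tag == 0x06 else None


def check_chain_files(files):
    """files: [(name, pem_text), ...] in smtpd_tls_chain_files order.
    Returns a list of problems; an empty list means the concatenation is
    key1, cert1, [chain1], ..., keyN, certN, [chainN] with one key per algorithm."""
    problems, seen, have_key, key_pending = [], {}, False, None
    for name, text in files:
        for label, der in parse_pem(text):
            if label == "CERTIFICATE":
                if not have_key:
                    problems.append(f"{name}: certificate appears before any private key")
                key_pending = None              # this and following certs form the chain
            elif label in KEY_LABELS:
                if key_pending:
                    problems.append(f"{name}: {key_pending} key is not immediately "
                                    "followed by its certificate")
                alg = key_algorithm(label, der) or "unknown"
                if alg in seen:
                    problems.append(f"{name}: second {alg} key (first one is in {seen[alg]})")
                seen[alg] = name
                have_key, key_pending = True, alg
            elif label == "ENCRYPTED PRIVATE KEY":
                problems.append(f"{name}: encrypted private key; Postfix needs an unencrypted key")
            else:
                problems.append(f"{name}: unexpected PEM object '{label}'")
    if key_pending:
        problems.append(f"last object is a {key_pending} key with no certificate after it")
    return problems


# Sample data: the Ed25519 and Ed448 keys are the ones from the examples on
# this page; the CERTIFICATE body is a constructed placeholder (only the PEM
# label of certificates is inspected, so any base64 body will do).
ED25519_KEY = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
-----END PRIVATE KEY-----
"""
ED448_KEY = """-----BEGIN PRIVATE KEY-----
MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
-----END PRIVATE KEY-----
"""
CERT = "-----BEGIN CERTIFICATE-----\nMIIBKzCB3qADAgECAhQ=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    good = [("ed25519.pem", ED25519_KEY + CERT), ("ed448.pem", ED448_KEY + CERT + CERT)]
    print(check_chain_files(good) or "OK: key/certificate order is valid")
    print(check_chain_files([("bad.pem", ED25519_KEY + ED448_KEY + CERT)]))
```

To check a live configuration, pass the real files in the order they appear in
main.cf, for example <code>check_chain_files([(p, open(p).read()) for p in paths])</code>.
Because the check carries its state across file boundaries, a key in one file
followed by its certificate in the next file is accepted, exactly as Postfix
concatenates the files.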
18544
18545<p> RSA is still the most widely supported algorithm.  Presently (late
185462018), ECDSA support is common, but not yet universal, and Ed25519 and
18547Ed448 support is mostly absent.  Therefore, an RSA key should generally
18548be configured, along with any additional keys for the other algorithms
18549when desired.  </p>
18550
18551<p>
18552Example (separate files for each key and corresponding certificate chain):
18553</p>
18554<blockquote>
18555<pre>
18556/etc/postfix/<a href="postconf.5.html">main.cf</a>:
18557    <a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a> =
18558        ${<a href="postconf.5.html#config_directory">config_directory</a>}/ed25519.pem,
18559        ${<a href="postconf.5.html#config_directory">config_directory</a>}/ed448.pem,
18560        ${<a href="postconf.5.html#config_directory">config_directory</a>}/rsa.pem
18561</pre>
18562</blockquote>
18563
18564<blockquote>
18565<pre>
18566/etc/postfix/ed25519.pem:
18567    -----BEGIN PRIVATE KEY-----
18568    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
18569    -----END PRIVATE KEY-----
18570    -----BEGIN CERTIFICATE-----
18571    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
18572    ...
18573    nC0egv51YPDWxEHom4QA
18574    -----END CERTIFICATE-----
18575</pre>
18576</blockquote>
18577
18578<blockquote>
18579<pre>
18580/etc/postfix/ed448.pem:
18581    -----BEGIN PRIVATE KEY-----
18582    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
18583    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
18584    -----END PRIVATE KEY-----
18585    -----BEGIN CERTIFICATE-----
18586    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
18587    ...
18588    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
18589    -----END CERTIFICATE-----
18590</pre>
18591</blockquote>
18592
18593<blockquote>
18594<pre>
18595/etc/postfix/rsa.pem:
18596    -----BEGIN PRIVATE KEY-----
18597    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
18598    ...
18599    ahQkZ3+krcaJvDSMgvu0tDc=
18600    -----END PRIVATE KEY-----
18601    -----BEGIN CERTIFICATE-----
18602    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
18603    ...
18604    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
18605    -----END CERTIFICATE-----
18606</pre>
18607</blockquote>
18608
18609<p>
18610Example (all keys and certificates in a single file):
18611</p>
18612<blockquote>
18613<pre>
18614/etc/postfix/<a href="postconf.5.html">main.cf</a>:
18615    <a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a> = ${<a href="postconf.5.html#config_directory">config_directory</a>}/chains.pem
18616</pre>
18617</blockquote>
18618
18619<blockquote>
18620<pre>
18621/etc/postfix/chains.pem:
18622    -----BEGIN PRIVATE KEY-----
18623    MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
18624    -----END PRIVATE KEY-----
18625    -----BEGIN CERTIFICATE-----
18626    MIIBKzCB3qADAgECAhQaw+rflRreYuUZBp0HuNn/e5rMZDAFBgMrZXAwFDESMBAG
18627    ...
18628    nC0egv51YPDWxEHom4QA
18629    -----END CERTIFICATE-----
18630    -----BEGIN PRIVATE KEY-----
18631    MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
18632    LNler7nzHQJ1SLcOiXFHXlxp/84VZuh32A==
18633    -----END PRIVATE KEY-----
18634    -----BEGIN CERTIFICATE-----
18635    MIIBdjCB96ADAgECAhQSv4oP972KypOZPNPF4fmsiQoRHzAFBgMrZXEwFDESMBAG
18636    ...
18637    pQcWsx+4J29e6YWH3Cy/CdUaexKP4RPCZDrPX7bk5C2BQ+eeYOxyThMA
18638    -----END CERTIFICATE-----
18639    -----BEGIN PRIVATE KEY-----
18640    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
18641    ...
18642    ahQkZ3+krcaJvDSMgvu0tDc=
18643    -----END PRIVATE KEY-----
18644    -----BEGIN CERTIFICATE-----
18645    MIIC+DCCAeCgAwIBAgIUIUkrbk1GAemPCT8i9wKsTGDH7HswDQYJKoZIhvcNAQEL
18646    ...
18647    Rirz15HGVNTK8wzFd+nulPzwUo6dH2IU8KazmyRi7OGvpyrMlm15TRE2oyE=
18648    -----END CERTIFICATE-----
18649</pre>
18650</blockquote>
18651
18652<p> This feature is available in Postfix 3.4 and later.  </p>
18653
18654
18655</DD>
18656
18657<DT><b><a name="smtpd_tls_cipherlist">smtpd_tls_cipherlist</a>
18658(default: empty)</b></DT><DD>
18659
18660<p> Obsolete Postfix &lt; 2.3 control for the Postfix SMTP server TLS
18661cipher list. It is easy to create interoperability problems by choosing
18662a non-default cipher list. Do not use a non-default TLS cipherlist for
18663MX hosts on the public Internet. Clients that begin the TLS handshake,
18664but are unable to agree on a common cipher, may not be able to send any
18665email to the SMTP server. Using a restricted cipher list may be more
18666appropriate for a dedicated MSA or an internal mailhub, where one can
18667exert some control over the TLS software and settings of the connecting
18668clients. </p>
18669
18670<p> <b>Note:</b> do not use "" quotes around the parameter value. </p>
18671
18672<p>This feature is available with Postfix version 2.2. It is not used with
18673Postfix 2.3 and later; use <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> instead. </p>
18674
18675
18676</DD>
18677
18678<DT><b><a name="smtpd_tls_ciphers">smtpd_tls_ciphers</a>
18679(default: medium)</b></DT><DD>
18680
18681<p> The minimum TLS cipher grade that the Postfix SMTP server
18682will use with opportunistic TLS encryption. Cipher types listed in
18683<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> are excluded from the base definition of
18684the selected cipher grade.  The default value is "medium" for Postfix
18685releases after the middle of 2015, "export" for older releases.
18686</p>
18687
18688<p> When TLS is mandatory the cipher grade is chosen via the
18689<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> configuration parameter, see there for syntax
18690details. </p>
18691
18692<p> This feature is available in Postfix 2.6 and later. With earlier Postfix
18693releases only the <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> parameter is implemented,
18694and opportunistic TLS always uses "export" or better (i.e. all) ciphers. </p>
18695
18696
18697</DD>
18698
18699<DT><b><a name="smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>
18700(default: empty)</b></DT><DD>
18701
18702<p> File with the Postfix SMTP server DSA certificate in PEM format.
18703This file may also contain the Postfix SMTP server private DSA key.
18704The DSA algorithm is obsolete and should not be used. </p>
18705
18706<p> See the discussion under <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> for more details.
18707</p>
18708
18709<p> Example: </p>
18710
18711<pre>
18712<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> = /etc/postfix/server-dsa.pem
18713</pre>
18714
18715<p> This feature is available in Postfix 2.2 and later.  </p>
18716
18717
18718</DD>
18719
18720<DT><b><a name="smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>
18721(default: empty)</b></DT><DD>
18722
18723<p> File with DH parameters that the Postfix SMTP server should
18724use with non-export EDH ciphers. </p>
18725
<p> With Postfix &ge; 3.7, built with OpenSSL 3.0.0 or later, if the
parameter value is either empty or "<b>auto</b>", then the DH parameter
selection is delegated to the OpenSSL library, which selects appropriate
parameters based on the TLS handshake.  This choice is likely to be the most
interoperable with SMTP clients using various TLS libraries, and custom local
parameters are no longer recommended when using Postfix &ge; 3.7 built against
OpenSSL 3.0.0 or later.  </p>
18733
18734<p> The best-practice choice of parameters uses a 2048-bit prime.  This is fine,
18735despite the historical "1024" in the parameter name.  Do not be tempted to use
18736much larger values, performance degrades quickly, and you may also cease to
18737interoperate with some mainstream SMTP clients.  As of Postfix 3.1, the
18738compiled-in default prime is 2048-bits, and it is not strictly necessary,
18739though perhaps somewhat beneficial to generate custom DH parameters. </p>
18740
18741<p> Instead of using the exact same parameter sets as distributed
18742with other TLS packages, it is more secure to generate your own
18743set of parameters with something like the following commands:  </p>
18744
18745<blockquote>
18746<pre>
18747openssl dhparam -out /etc/postfix/dh2048.pem 2048
18748openssl dhparam -out /etc/postfix/dh1024.pem 1024
18749# As of Postfix 3.6, export-grade 512-bit DH parameters are no longer
18750# supported or needed.
18751openssl dhparam -out /etc/postfix/dh512.pem 512
18752</pre>
18753</blockquote>
18754
18755<p> It is safe to share the same DH parameters between multiple
18756Postfix instances.  If you prefer, you can generate separate
18757parameters for each instance.  </p>
18758
18759<p> If you want to take maximal advantage of ciphers that offer <a
18760href="FORWARD_SECRECY_README.html#dfn_fs">forward secrecy</a> see
18761the <a href="FORWARD_SECRECY_README.html#quick-start">Getting
18762started</a> section of <a
18763href="FORWARD_SECRECY_README.html">FORWARD_SECRECY_README</a>.  The
18764full document conveniently presents all information about Postfix
18765"perfect" forward secrecy support in one place: what forward secrecy
18766is, how to tweak settings, and what you can expect to see when
18767Postfix uses ciphers with forward secrecy.  </p>
18768
18769<p> Example: </p>
18770
18771<pre>
18772<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> = /etc/postfix/dh2048.pem
18773</pre>
18774
18775<p>This feature is available in Postfix 2.2 and later.</p>
18776
18777
18778</DD>
18779
18780<DT><b><a name="smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>
18781(default: empty)</b></DT><DD>
18782
18783<p> File with DH parameters that the Postfix SMTP server should
18784use with export-grade EDH ciphers.  The default SMTP server cipher
18785grade is "medium" with Postfix releases after the middle of 2015,
18786and as a result export-grade cipher suites are by default not used.
18787</p>
18788
18789<p> With Postfix &ge; 3.6 export-grade Diffie-Hellman key exchange
18790is no longer supported, and this parameter is silently ignored. </p>
18791
18792<p> See also the discussion under the <a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>
18793configuration parameter.  </p>
18794
18795<p> Example: </p>
18796
18797<pre>
18798<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> = /etc/postfix/dh_512.pem
18799</pre>
18800
18801<p>This feature is available in Postfix 2.2 and later,
18802but is ignored in Postfix 3.6 and later.</p>
18803
18804
18805</DD>
18806
18807<DT><b><a name="smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>
18808(default: $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b></DT><DD>
18809
18810<p> File with the Postfix SMTP server DSA private key in PEM format.
18811This file may be combined with the Postfix SMTP server DSA certificate
18812file specified with $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>. The DSA algorithm is obsolete
18813and should not be used. </p>
18814
18815<p> The private key must be accessible without a pass-phrase, i.e. it
18816must not be encrypted. File permissions should grant read-only
18817access to the system superuser account ("root"), and no access
18818to anyone else. </p>
18819
18820<p> This feature is available in Postfix 2.2 and later.  </p>
18821
18822
18823</DD>
18824
18825<DT><b><a name="smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>
18826(default: empty)</b></DT><DD>
18827
18828<p> File with the Postfix SMTP server ECDSA certificate in PEM format.
18829This file may also contain the Postfix SMTP server private ECDSA key.
18830With Postfix &ge; 3.4 the preferred way to configure server keys and
18831certificates is via the "<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>" parameter. </p>
18832
18833<p> See the discussion under <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> for more details. </p>
18834
18835<p> Example: </p>
18836
18837<pre>
18838<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> = /etc/postfix/ecdsa-scert.pem
18839</pre>
18840
18841<p> This feature is available in Postfix 2.6 and later, when Postfix is
18842compiled and linked with OpenSSL 1.0.0 or later. </p>
18843
18844
18845</DD>
18846
18847<DT><b><a name="smtpd_tls_eckey_file">smtpd_tls_eckey_file</a>
18848(default: $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b></DT><DD>
18849
18850<p> File with the Postfix SMTP server ECDSA private key in PEM format.
18851This file may be combined with the Postfix SMTP server ECDSA certificate
18852file specified with $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>.  With Postfix &ge; 3.4 the
18853preferred way to configure server keys and certificates is via the
18854"<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>" parameter. </p>
18855
18856<p> The private key must be accessible without a pass-phrase, i.e. it
18857must not be encrypted. File permissions should grant read-only
18858access to the system superuser account ("root"), and no access
18859to anyone else. </p>
18860
18861<p> This feature is available in Postfix 2.6 and later, when Postfix is
18862compiled and linked with OpenSSL 1.0.0 or later. </p>
18863
18864
18865</DD>
18866
18867<DT><b><a name="smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>
18868(default: see "postconf -d" output)</b></DT><DD>
18869
18870<p> The Postfix SMTP server security grade for ephemeral elliptic-curve
18871Diffie-Hellman (EECDH) key exchange.   As of Postfix 3.6, the value of
18872this parameter is always ignored, and Postfix behaves as though the
18873<b>auto</b> value (described below) was chosen.
18874</p>
18875
18876<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
18877
18878<p> The available choices are: </p>
18879
18880<dl>
18881
18882<dt><b>auto</b></dt> <dd> Use the most preferred curve that is
18883supported by both the client and the server.  This setting requires
18884Postfix &ge; 3.2 compiled and linked with OpenSSL &ge; 1.0.2.  This
18885is the default setting under the above conditions (and the only
18886setting used with Postfix &ge; 3.6). </dd>
18887
18888<dt><b>none</b></dt> <dd> Don't use EECDH. Ciphers based on EECDH key
18889exchange will be disabled. This is the default in Postfix versions
188902.6 and 2.7. </dd>
18891
18892<dt><b>strong</b></dt> <dd> Use EECDH with approximately 128 bits of
18893security at a reasonable computational cost. This is the default in
18894Postfix versions 2.8&ndash;3.5.  </dd>
18895
<dt><b>ultra</b></dt> <dd> Use EECDH with approximately 192 bits of
security at a computational cost that is approximately twice as high
as that of 128-bit strength ECC. </dd>
18899
18900</dl>
18901
18902<p> If you want to take maximal advantage of ciphers that offer <a
18903href="FORWARD_SECRECY_README.html#dfn_fs">forward secrecy</a> see
18904the <a href="FORWARD_SECRECY_README.html#quick-start">Getting
18905started</a> section of <a
18906href="FORWARD_SECRECY_README.html">FORWARD_SECRECY_README</a>.  The
18907full document conveniently presents all information about Postfix
18908"perfect" forward secrecy support in one place: what forward secrecy
18909is, how to tweak settings, and what you can expect to see when
18910Postfix uses ciphers with forward secrecy.  </p>
18911
18912<p> This feature is available in Postfix 2.6 and later, when it is
18913compiled and linked with OpenSSL 1.0.0 or later on platforms
18914where EC algorithms have not been disabled by the vendor. </p>
18915
18916
18917</DD>
18918
18919<DT><b><a name="smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>
18920(default: no)</b></DT><DD>
18921
18922<p> Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
18923instead of an X.509 certificate, when asking for or requiring client
18924authentication. This feature is ignored when there is no raw public
18925key support in the local TLS implementation. </p>
18926
<p> The Postfix SMTP server will log a warning when "<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>
= yes" but the remote SMTP client sends a certificate whose public key
fingerprint does not match a <a href="postconf.5.html#check_ccert_access">check_ccert_access</a>
table, while the certificate fingerprint does match a <a href="postconf.5.html#check_ccert_access">check_ccert_access</a>
table. Such a remote SMTP client would lose access when it starts
sending a raw public key instead of a certificate, after its TLS
implementation is updated with raw public key support. </p>
18934
18935<p> The Postfix SMTP server always sends a raw public key instead
18936of a certificate, if solicited by the remote SMTP client and the
18937local TLS implementation supports raw public keys. If the client
18938sends a server name indication with an SNI TLS extension, and
18939<a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> is configured, the server will extract a raw
18940public key from the indicated certificate. </p>
18941
18942<p> Sample commands to compute certificate and public key SHA256 digests: </p>
18943
18944<pre>
18945# SHA256 digest of the first certificate in "cert.pem"
18946$ openssl x509 -in cert.pem -outform DER | openssl dgst -sha256 -c
18947</pre>
18948
18949<pre>
18950# SHA256 digest of the SPKI of the first certificate in "cert.pem"
18951$ openssl x509 -in cert.pem -pubkey -noout |
18952    openssl pkey -pubin -outform DER | openssl dgst -sha256 -c
18953</pre>
18954
18955<pre>
18956# SHA256 digest of the SPKI of the first private key in "pkey.pem"
18957$ openssl pkey -in pkey.pem -pubout -outform DER |
18958    openssl dgst -sha256 -c
18959</pre>
18960
18961<p> This feature is available in Postfix 3.9 and later. </p>
18962
18963
18964</DD>
18965
18966<DT><b><a name="smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>
18967(default: empty)</b></DT><DD>
18968
18969<p> List of ciphers or cipher types to exclude from the SMTP server
18970cipher list at all TLS security levels. Excluding valid ciphers
18971can create interoperability problems. DO NOT exclude ciphers unless it
18972is essential to do so. This is not an OpenSSL cipherlist; it is a simple
18973list separated by whitespace and/or commas. The elements are a single
18974cipher, or one or more "+" separated cipher properties, in which case
18975only ciphers matching <b>all</b> the properties are excluded. </p>
18976
18977<p> Examples (some of these will cause problems): </p>
18978
18979<blockquote>
18980<pre>
18981<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL
18982<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = MD5, DES
18983<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = DES+MD5
18984<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = AES256-SHA, DES-CBC3-MD5
18985<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = kEDH+aRSA
18986</pre>
18987</blockquote>
18988
18989<p> The first setting disables anonymous ciphers. The next setting
18990disables ciphers that use the MD5 digest algorithm or the (single) DES
18991encryption algorithm. The next setting disables ciphers that use MD5 and
18992DES together.  The next setting disables the two ciphers "AES256-SHA"
18993and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH"
18994key exchange with RSA authentication. </p>
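<p> An added example (not Postfix code) that models the matching rules
above in Python: a whitespace- and/or comma-separated list whose elements
are either single suite names or "+"-joined properties, where a "+"
element excludes a suite only when every one of its properties matches.
The cipher property table is constructed for illustration, not taken
from OpenSSL. </p>

```python
import re

# Constructed, illustrative table of cipher suite -> OpenSSL cipher properties
# (key exchange "k...", authentication "a...", bulk cipher, digest). It is not
# OpenSSL's real table; the matching rules are the point of the example.
CIPHER_PROPERTIES = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"kEECDH", "aRSA", "AES128", "AESGCM"},
    "DHE-RSA-AES256-SHA":          {"kEDH", "aRSA", "AES256", "SHA1"},
    "AES256-SHA":                  {"kRSA", "aRSA", "AES256", "SHA1"},
    "DES-CBC3-MD5":                {"kRSA", "aRSA", "3DES", "MD5"},
    "DES-CBC-SHA":                 {"kRSA", "aRSA", "DES", "SHA1"},
    "DES-CBC-MD5":                 {"kRSA", "aRSA", "DES", "MD5"},
    "ADH-AES128-SHA":              {"kEDH", "aNULL", "AES128", "SHA1"},
    "AECDH-AES256-SHA":            {"kEECDH", "aNULL", "AES256", "SHA1"},
}


def parse_exclude_list(value):
    """Split the main.cf value on whitespace and/or commas. Each element becomes
    the set of "+"-joined terms that a suite must match in full to be excluded."""
    return [set(element.split("+")) for element in re.split(r"[\s,]+", value) if element]


def excluded_ciphers(value, table=CIPHER_PROPERTIES):
    """Cipher suites that a smtpd_tls_exclude_ciphers value removes from `table`.
    A term matches a suite if it is one of the suite's properties or the suite
    name itself; an element excludes a suite only when ALL of its terms match."""
    elements = parse_exclude_list(value)
    removed = set()
    for name, properties in table.items():
        attributes = properties | {name}
        if any(terms <= attributes for terms in elements):
            removed.add(name)
    return removed


def remaining_ciphers(value, table=CIPHER_PROPERTIES):
    """What is left for the server to offer after the exclusions are applied."""
    return set(table) - excluded_ciphers(value, table)


if __name__ == "__main__":
    for setting in ("aNULL", "MD5, DES", "DES+MD5",
                    "AES256-SHA, DES-CBC3-MD5", "kEDH+aRSA"):
        print(f"{setting:28s} excludes {sorted(excluded_ciphers(setting))}")
```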
18995
18996<p> This feature is available in Postfix 2.3 and later. </p>
18997
18998
18999</DD>
19000
19001<DT><b><a name="smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a>
19002(default: see "postconf -d" output)</b></DT><DD>
19003
<p> The message digest algorithm used to construct remote SMTP client-certificate
fingerprints or public key fingerprints (Postfix 2.9 and later) for
<b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b> and <b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a></b>. </p>
19007
19008<p> The default algorithm is <b>sha256</b> with Postfix &ge; 3.6
19009and the <b><a href="postconf.5.html#compatibility_level">compatibility_level</a></b> set to 3.6 or higher. With Postfix
19010&le; 3.5, the default algorithm is <b>md5</b>. </p>
19011
19012<p> The best-practice algorithm is now <b>sha256</b>. Recent advances in hash
19013function cryptanalysis have led to md5 and sha1 being deprecated in favor of
19014sha256.  However, as long as there are no known "second pre-image" attacks
19015against the older algorithms, their use in this context, though not
19016recommended, is still likely safe.  </p>
19017
19018<p> While additional digest algorithms are often available with OpenSSL's
19019libcrypto, only those used by libssl in SSL cipher suites are available to
19020Postfix.  You'll likely find support for md5, sha1, sha256 and sha512. </p>
19021
19022<p> To find the fingerprint of a specific certificate file, with a
19023specific digest algorithm, run: </p>
19024
19025<blockquote>
19026<pre>
19027$ openssl x509 -noout -fingerprint -<i>digest</i> -in <i>certfile</i>.pem
19028</pre>
19029</blockquote>
19030
<p> The text to the right of the "=" sign is the desired fingerprint.
For example: </p>
19033
19034<blockquote>
19035<pre>
19036$ openssl x509 -noout -fingerprint -sha256 -in cert.pem
19037SHA256 Fingerprint=D4:6A:AB:19:24:...:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
19038</pre>
19039</blockquote>
19040
<p> To extract the public key fingerprint from an X.509 certificate,
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command always extracts the public
key in "PEM" format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
19048
19049<p> Example: </p>
19050<blockquote>
19051<pre>
19052$ openssl x509 -in cert.pem -noout -pubkey |
19053    openssl pkey -pubin -outform DER |
19054    openssl dgst -sha256 -c
19055(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
19056</pre>
19057</blockquote>
19058
19059<p> The Postfix SMTP server and client log the peer (leaf) certificate
19060fingerprint and public key fingerprint when the TLS loglevel is 2 or
19061higher. </p>
19062
19063<p> Example: client-certificate access table, with sha256 fingerprints: </p>
19064
19065<blockquote>
19066<pre>
19067/etc/postfix/<a href="postconf.5.html">main.cf</a>:
19068    <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> = sha256
19069    <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> =
19070        <a href="postconf.5.html#check_ccert_access">check_ccert_access</a> <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/access,
19071        reject
19072</pre>
19073<pre>
19074/etc/postfix/access:
19075    # Action folded to next line...
19076    AF:88:7C:AD:51:95:6F:36:96:...:01:FB:2E:48:CD:AB:49:25:A2:3B
19077        OK
19078    85:16:78:FD:73:6E:CE:70:E0:...:5F:0D:3C:C8:6D:C4:2C:24:59:E1
19079        <a href="postconf.5.html#permit_auth_destination">permit_auth_destination</a>
19080</pre>
19081</blockquote>
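<p> As an added example (not part of Postfix or its documentation), the
following Python script reproduces both fingerprint computations, the
one described here and the one under <a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> above: it walks
the certificate's DER structure to the SubjectPublicKeyInfo, hashes
either the whole certificate or only that key, and prints the
colon-separated form used in the access table. It needs only the
standard library; the embedded certificate is constructed for
illustration (placeholder key and signature bytes), so its digests are
not those of any real certificate. </p>

```python
import base64
import hashlib
import re


def der(tag, content):
    """Encode one DER TLV with a definite length (used only to build the sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def der_tlv(buf, pos):
    """Decode the TLV header at buf[pos]; return (tag, content_start, end)."""
    tag, length, header = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    return tag, start, start + length


def pem_to_der(pem):
    """DER of the first CERTIFICATE block, like 'openssl x509 -outform DER'."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo: what 'openssl x509 -pubkey' prints (in PEM) and
    'openssl pkey -pubin -outform DER' converts back before hashing."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, tbs_pos, _ = der_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, pos, tbs_end = der_tlv(cert_der, tbs_pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    # Optional EXPLICIT [0] version, then serialNumber, signature, issuer,
    # validity, subject; the element after those is subjectPublicKeyInfo.
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:
        pos = end
    for _ in range(5):
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, end = der_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]


def fingerprint(data, digest="sha256"):
    """Colon-separated upper-case hex digest, as written in the access table above."""
    return ":".join(f"{b:02X}" for b in hashlib.new(digest, data).digest())


def cert_fingerprint(pem, digest="sha256"):
    """Certificate fingerprint: digest of the whole DER certificate."""
    return fingerprint(pem_to_der(pem), digest)


def pubkey_fingerprint(pem, digest="sha256"):
    """Public key fingerprint: digest of the DER SubjectPublicKeyInfo only."""
    return fingerprint(extract_spki(pem_to_der(pem)), digest)


# Constructed sample: structurally valid DER, but the EC point and the signature
# are placeholder bytes, so this is not a real, verifiable certificate.
OID_EC_PUBLIC_KEY = der(0x06, bytes.fromhex("2a8648ce3d0201"))   # 1.2.840.10045.2.1
OID_PRIME256V1 = der(0x06, bytes.fromhex("2a8648ce3d030107"))    # 1.2.840.10045.3.1.7
OID_ECDSA_SHA256 = der(0x06, bytes.fromhex("2a8648ce3d040302"))  # 1.2.840.10045.4.3.2
SAMPLE_SPKI_DER = der(0x30, der(0x30, OID_EC_PUBLIC_KEY + OID_PRIME256V1)
                      + der(0x03, b"\x00\x04" + bytes(range(64))))  # placeholder point
SAMPLE_SIG_ALG = der(0x30, OID_ECDSA_SHA256)
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02"))       # version v3
                 + der(0x02, b"\x01")                       # serialNumber
                 + SAMPLE_SIG_ALG                           # signature algorithm
                 + der(0x30, b"")                           # issuer (empty Name)
                 + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
                 + der(0x30, b"")                           # subject (empty Name)
                 + SAMPLE_SPKI_DER)
SAMPLE_CERT_DER = der(0x30, SAMPLE_TBS + SAMPLE_SIG_ALG + der(0x03, b"\x00" + bytes(8)))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + "\n".join(re.findall(".{1,64}", base64.b64encode(SAMPLE_CERT_DER).decode()))
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("certificate fingerprint:", cert_fingerprint(SAMPLE_CERT_PEM))
    print("public key fingerprint: ", pubkey_fingerprint(SAMPLE_CERT_PEM))
```

On a real certificate file the two values agree with the "openssl x509
-fingerprint -sha256" output and with the "openssl pkey ... | openssl dgst
-sha256 -c" pipeline (the latter prints lower-case hex).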
19082
19083<p> This feature is available in Postfix 2.5 and later. </p>
19084
19085
19086</DD>
19087
19088<DT><b><a name="smtpd_tls_key_file">smtpd_tls_key_file</a>
19089(default: $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b></DT><DD>
19090
19091<p> File with the Postfix SMTP server RSA private key in PEM format.
19092This file may be combined with the Postfix SMTP server RSA certificate
19093file specified with $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>.  With Postfix &ge; 3.4 the
19094preferred way to configure server keys and certificates is via the
19095"<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>" parameter. </p>
19096
19097<p> The private key must be accessible without a pass-phrase, i.e. it
19098must not be encrypted. File permissions should grant read-only
19099access to the system superuser account ("root"), and no access
19100to anyone else. </p>
19101
19102
19103</DD>
19104
19105<DT><b><a name="smtpd_tls_loglevel">smtpd_tls_loglevel</a>
19106(default: 0)</b></DT><DD>
19107
19108<p> Enable additional Postfix SMTP server logging of TLS activity.
19109Each logging level also includes the information that is logged at
19110a lower logging level.  </p>
19111
19112<dl compact>
19113
19114<dt> </dt> <dd> 0 Disable logging of TLS activity. </dd>
19115
19116<dt> </dt> <dd> 1 Log only a summary message on TLS handshake completion
19117&mdash; no logging of client certificate trust-chain verification errors
19118if client certificate verification is not required.  With Postfix 2.8 and
19119earlier, log the summary message, peer certificate summary information
19120and unconditionally log trust-chain verification errors.  </dd>
19121
19122<dt> </dt> <dd> 2 Also enable verbose logging in the Postfix TLS
19123library, log session cache operations, and enable OpenSSL logging
19124of the progress of the SSL handshake. </dd>
19125
19126<dt> </dt> <dd> 3 Also log hexadecimal and ASCII dump of TLS negotiation
19127process. </dd>
19128
19129<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
19130transmission after STARTTLS. </dd>
19131
19132</dl>
19133
19134<p> Do not use "<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> = 2" or higher except in case
19135of problems. Use of loglevel 4 is strongly discouraged. </p>
19136
19137<p> This feature is available in Postfix 2.2 and later.  </p>
19138
19139
19140</DD>
19141
19142<DT><b><a name="smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>
19143(default: medium)</b></DT><DD>
19144
19145<p> The minimum TLS cipher grade that the Postfix SMTP server will
19146use with mandatory TLS encryption. The default grade ("medium") is
19147sufficiently strong that any benefit from globally restricting TLS
19148sessions to a more stringent grade is likely negligible, especially
19149given the fact that many implementations still do not offer any stronger
19150("high" grade) ciphers, while those that do, will always use "high"
19151grade ciphers. So insisting on "high" grade ciphers is generally
19152counter-productive. Allowing "export" or "low" ciphers is typically
19153not a good idea, as systems limited to just these are limited to
19154obsolete browsers. No known SMTP clients fail to support at least
19155one "medium" or "high" grade cipher. </p>
19156
19157<p> The following cipher grades are supported: </p>
19158
19159<dl>
19160<dt><b>high</b></dt>
19161<dd> Enable only "HIGH" grade OpenSSL ciphers. The
19162underlying cipherlist is specified via the <a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a>
19163configuration parameter, which you are strongly encouraged to
19164not change. </dd>
19165
19166<dt><b>medium</b></dt>
19167<dd> Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit
19168or longer symmetric bulk-encryption keys. This is the default minimum
19169strength for mandatory TLS encryption. The underlying cipherlist is
19170specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> configuration parameter, which
19171you are strongly encouraged not to change. </dd>
19172
<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers; these provide authentication
without encryption.  This setting is only appropriate in the rare
case that all clients are prepared to use NULL ciphers (not normally
enabled in TLS clients). The underlying cipherlist is specified via the
<a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> configuration parameter, which you are strongly
encouraged not to change. </dd>
19180
19181<dt><b>low</b></dt>
19182<dd> Enable "LOW" grade or stronger OpenSSL ciphers.  In Postfix
19183&ge; 3.8 this cipher grade is always identical to "medium".  Recent
19184versions of OpenSSL do not support any "LOW" grade ciphers.  In
19185earlier Postfix releases the underlying cipherlist was specified
19186via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration parameter, which you are
19187strongly encouraged not to change.  This obsolete cipher grade
19188SHOULD NOT be used.  </dd>
19189
19190<dt><b>export</b></dt>
19191<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers.  In Postfix
19192&ge; 3.8 this cipher grade is always identical to "medium".  Recent
19193versions of OpenSSL do not support any "EXPORT" grade ciphers.  In
19194earlier Postfix releases the underlying cipherlist was specified
19195via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration parameter, which you are
19196strongly encouraged not to change.  This obsolete cipher grade
19197SHOULD NOT be used.  </dd>
19198
19199</dl>
19200
19201<p> Cipher types listed in
19202<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> or <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> are
19203excluded from the base definition of the selected cipher grade. See
19204<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> for cipher controls that apply to opportunistic
19205TLS. </p>
19206
<p> The underlying cipherlists for grades other than "null" include
anonymous ciphers, but these are automatically filtered out if the
server is configured to ask for remote SMTP client certificates.  You are very
unlikely to need to take any steps to exclude anonymous ciphers; they
are excluded automatically as required.  If you must exclude anonymous
ciphers even when Postfix does not need or use peer certificates, set
"<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> = aNULL". To exclude anonymous ciphers only
when TLS is enforced, set "<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> = aNULL". </p>
19215
19216<p> This feature is available in Postfix 2.3 and later. </p>
19217
19218
19219</DD>
19220
19221<DT><b><a name="smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>
19222(default: empty)</b></DT><DD>
19223
19224<p> Additional list of ciphers or cipher types to exclude from the
19225Postfix SMTP server cipher list at mandatory TLS security levels.
19226This list
19227works in addition to the exclusions listed with <a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>
19228(see there for syntax details).  </p>
19229
19230<p> This feature is available in Postfix 2.3 and later. </p>
19231
19232
19233</DD>
19234
19235<DT><b><a name="smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
19236(default: see "postconf -d" output)</b></DT><DD>
19237
19238<p> TLS protocols accepted by the Postfix SMTP server with mandatory TLS
19239encryption.  If the list is empty, the server supports all available TLS
19240protocol versions.  A non-empty value is a list of protocol names to
19241include or exclude, separated by whitespace, commas or colons.  </p>
19242
19243<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
19244"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
19245Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
19246the lowest supported TLS protocol version (see below).  Older releases
19247use the "!" exclusion syntax, also described below.  </p>
19248
19249<p> As of Postfix 3.6, the preferred way to limit the range of
19250acceptable protocols is to set the lowest acceptable TLS protocol
19251version and/or the highest acceptable TLS protocol version.  To set the
19252lower bound include an element of the form: "&gt;=<i>version</i>" where
<i>version</i> is either one of the TLS protocol names listed above,
19254or a hexadecimal number corresponding to the desired TLS protocol
19255version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
19256bound, use "&lt;=<i>version</i>".  There must be no whitespace between
19257the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
19258
19259<p> Hexadecimal protocol numbers make it possible to specify protocol
19260bounds for TLS versions that are known to OpenSSL, but might not be
19261known to Postfix.  They cannot be used with the legacy exclusion syntax.
19262Leading "0" or "0x" prefixes are supported, but not required.
19263Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
19264"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
19265upper or lower bound, and a warning will be logged.  Hexadecimal
19266versions should only be used when Postfix is linked with some future
19267version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
19268yet support a symbolic name for that protocol version. </p>
19269
19270<p>Hexadecimal example (Postfix &ge; 3.6):</p>
19271<blockquote>
19272<pre>
19273# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
19274# in some future version of OpenSSL (presently a warning is logged).
19275<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = &gt;=TLSv1.2, &lt;=0305
19276# Allow only TLS 1.2 and up:
19277<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = &gt;=0x0303
19278</pre>
19279</blockquote>
19280
19281<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
19282version, and the protocol range is configured via protocol exclusions.
19283To require at least TLS 1.0, set "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> =
19284!SSLv2, !SSLv3".  Listing the protocols to include, rather than
19285protocols to exclude, is supported, but not recommended.  The exclusion
19286form more accurately matches the underlying OpenSSL interface.  </p>
19287
19288<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
19289this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
19290releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
19291
19292<p> Example: </p>
19293
19294<pre>
19295# Preferred syntax with Postfix &ge; 3.6:
19296<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = &gt;=TLSv1.2, &lt;=TLSv1.3
19297# Legacy syntax:
19298<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
19299</pre>
19300
19301<p> This feature is available in Postfix 2.3 and later. </p>
19302
19303
19304</DD>
19305
19306<DT><b><a name="smtpd_tls_protocols">smtpd_tls_protocols</a>
19307(default: see 'postconf -d' output)</b></DT><DD>
19308
19309<p> TLS protocols accepted by the Postfix SMTP server with opportunistic
19310TLS encryption. If the list is empty, the server supports all available
19311TLS protocol versions.  A non-empty value is a list of protocol names to
19312include or exclude, separated by whitespace, commas or colons.  </p>
19313
19314<p> The valid protocol names (see SSL_get_version(3)) are "SSLv2",
19315"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" and "TLSv1.3".  Starting with
19316Postfix 3.6, the default value is "&gt;=TLSv1", which sets TLS 1.0 as
19317the lowest supported TLS protocol version (see below).  Older releases
19318use the "!" exclusion syntax, also described below.  </p>
19319
19320<p> As of Postfix 3.6, the preferred way to limit the range of
19321acceptable protocols is to set the lowest acceptable TLS protocol
19322version and/or the highest acceptable TLS protocol version.  To set the
19323lower bound include an element of the form: "&gt;=<i>version</i>" where
<i>version</i> is either one of the TLS protocol names listed above,
19325or a hexadecimal number corresponding to the desired TLS protocol
19326version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.).  For the upper
19327bound, use "&lt;=<i>version</i>".  There must be no whitespace between
19328the "&gt;=" or "&lt;=" symbols and the protocol name or number. </p>
19329
19330<p> Hexadecimal protocol numbers make it possible to specify protocol
19331bounds for TLS versions that are known to OpenSSL, but might not be
19332known to Postfix.  They cannot be used with the legacy exclusion syntax.
19333Leading "0" or "0x" prefixes are supported, but not required.
19334Therefore, "301", "0301", "0x301" and "0x0301" are all equivalent to
19335"TLSv1".  Hexadecimal versions unknown to OpenSSL will fail to set the
19336upper or lower bound, and a warning will be logged.  Hexadecimal
19337versions should only be used when Postfix is linked with some future
19338version of OpenSSL that supports TLS 1.4 or later, but Postfix does not
19339yet support a symbolic name for that protocol version. </p>
19340
19341<p>Hexadecimal example (Postfix &ge; 3.6):</p>
19342<blockquote>
19343<pre>
19344# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
19345# in some future version of OpenSSL (presently a warning is logged).
19346<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = &gt;=TLSv1, &lt;=0305
19347# Allow only TLS 1.0 and up:
19348<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = &gt;=0x0301
19349</pre>
19350</blockquote>
19351
19352<p> With Postfix &lt; 3.6 there is no support for a minimum or maximum
19353version, and the protocol range is configured via protocol exclusions.
19354To require at least TLS 1.0, set "<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3".
19355Listing the protocols to include, rather than protocols to exclude, is
19356supported, but not recommended.  The exclusion form more accurately
19357matches the underlying OpenSSL interface.  </p>
19358
19359<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1.  Disabling
19360this protocol via "!TLSv1.3" is supported since Postfix 3.4 (or patch
19361releases &ge; 3.0.14, 3.1.10, 3.2.7 and 3.3.2).  </p>
19362
19363<p> Example: </p>
19364<pre>
19365# Preferred syntax with Postfix &ge; 3.6:
19366<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = &gt;=TLSv1, &lt;=TLSv1.3
19367# Legacy syntax:
19368<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3
19369</pre>
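<p> An added example (not Postfix code) in Python that models the parsing
rules shared by <a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> and <a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>
above: the "&gt;=" and "&lt;=" bounds with symbolic or hexadecimal
versions, and the legacy "!" exclusion form. The version numbers in the
table are the ones OpenSSL uses; how malformed input is treated is an
assumption of this model (it raises an error), not the daemon's
behaviour. </p>

```python
import re

# Version numbers OpenSSL uses for the protocol names Postfix knows; the
# hexadecimal form of the main.cf syntax refers to these same numbers.
PROTOCOL_NUMBERS = {
    "SSLv2": 0x0002, "SSLv3": 0x0300, "TLSv1": 0x0301,
    "TLSv1.1": 0x0302, "TLSv1.2": 0x0303, "TLSv1.3": 0x0304,
}


def parse_version(token):
    """Map a protocol name or hex number to its version number.
    "301", "0301", "0x301" and "0x0301" all yield 0x0301 (TLSv1)."""
    if token in PROTOCOL_NUMBERS:
        return PROTOCOL_NUMBERS[token]
    digits = token[2:] if token[:2].lower() == "0x" else token
    if re.fullmatch(r"[0-9A-Fa-f]{1,4}", digits):
        return int(digits, 16)
    raise ValueError(f"unknown protocol version {token!r}")


def accepted_protocols(value):
    """Names of the protocol versions a smtpd_tls_protocols or
    smtpd_tls_mandatory_protocols value accepts. This is a model of the
    documented syntax: malformed tokens raise ValueError here, whereas the
    daemon may log a warning instead (assumption, not Postfix behaviour)."""
    tokens = [t for t in re.split(r"[\s,:]+", value) if t]   # space, comma, colon
    floor, ceiling = 0x0000, 0xFFFF
    included, excluded = set(), set()
    for tok in tokens:
        if tok[:2] in (">=", "<="):
            if len(tok) == 2:   # ">= TLSv1.2" splits into ">=" and "TLSv1.2"
                raise ValueError(f"no whitespace is allowed after {tok!r}")
            # Hex numbers are valid only here. A number OpenSSL does not know
            # (such as 0305 today) leaves the bound unset with a warning in
            # Postfix; this model simply compares numbers, so it is harmless.
            bound = parse_version(tok[2:])
            if tok[:2] == ">=":
                floor = bound
            else:
                ceiling = bound
        elif tok.startswith("!"):             # legacy exclusion: names only
            if tok[1:] not in PROTOCOL_NUMBERS:
                raise ValueError(f"unknown protocol in exclusion {tok!r}")
            excluded.add(tok[1:])
        else:                                 # legacy inclusion: names only
            if tok not in PROTOCOL_NUMBERS:
                raise ValueError(f"unknown protocol name {tok!r}")
            included.add(tok)
    candidates = included or set(PROTOCOL_NUMBERS)   # empty list: everything
    return {name for name in candidates - excluded
            if floor <= PROTOCOL_NUMBERS[name] <= ceiling}


if __name__ == "__main__":
    for setting in (">=TLSv1, <=TLSv1.3", "!SSLv2, !SSLv3",
                    ">=0x0303", ">=TLSv1.2, <=0305"):
        print(f"{setting:32s} -> {sorted(accepted_protocols(setting))}")
```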
19370
19371<p> This feature is available in Postfix 2.6 and later. </p>
19372
19373
19374</DD>
19375
19376<DT><b><a name="smtpd_tls_received_header">smtpd_tls_received_header</a>
19377(default: no)</b></DT><DD>
19378
<p> Request that the Postfix SMTP server produce Received: message
headers that include information about the protocol and cipher used,
as well as the remote SMTP client CommonName and client certificate issuer
CommonName.  This is disabled by default, as the information may
be modified in transit through other mail servers.  Only information
that was recorded by the final destination can be trusted. </p>
19385
19386<p> This feature is available in Postfix 2.2 and later.  </p>
19387
19388
19389</DD>
19390
19391<DT><b><a name="smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>
19392(default: no)</b></DT><DD>
19393
19394<p> With mandatory TLS encryption, require a trusted remote SMTP client
19395certificate in order to allow TLS connections to proceed.  This
19396option implies "<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> = yes". </p>
19397
19398<p> When TLS encryption is optional, this setting is ignored with
19399a warning written to the mail log. </p>
19400
19401<p> This feature is available in Postfix 2.2 and later.  </p>
19402
19403
19404</DD>
19405
19406<DT><b><a name="smtpd_tls_security_level">smtpd_tls_security_level</a>
19407(default: empty)</b></DT><DD>
19408
19409<p> The SMTP TLS security level for the Postfix SMTP server; when
19410a non-empty value is specified, this overrides the obsolete parameters
19411<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. This parameter is ignored with
19412"<a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> = yes".  </p>
19413
19414<p> Specify one of the following security levels: </p>
19415
19416<dl>
19417
19418<dt><b>none</b></dt> <dd> TLS will not be used. </dd>
19419
19420<dt><b>may</b></dt> <dd> Opportunistic TLS: announce STARTTLS support
19421to remote SMTP clients, but do not require that clients use TLS encryption.
19422</dd>
19423
19424<dt><b>encrypt</b></dt> <dd>Mandatory TLS encryption: announce
19425STARTTLS support to remote SMTP clients, and reject all plaintext
19426commands except HELO, EHLO, XCLIENT, STARTTLS, NOOP, QUIT, and (Postfix
19427&ge; 3.9) HELP. According to <a href="https://tools.ietf.org/html/rfc2487">RFC 2487</a> this MUST NOT be applied in case
19428of a publicly-referenced SMTP server. Instead, this should be used
19429on dedicated servers, for example submission (port 587). </dd>
19430
19431</dl>
19432
19433<p> Note 1: the "fingerprint", "verify" and "secure" levels are not
19434supported here.
19435The Postfix SMTP server logs a warning and uses "encrypt" instead.
19436To verify remote SMTP client certificates, see <a href="TLS_README.html">TLS_README</a> for a discussion
19437of the <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>, <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>, and <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
19438features.  </p>
19439
19440<p> Note 2: The parameter setting "<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> =
19441encrypt" implies "<a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> = yes".</p>
19442
19443<p> Note 3: when invoked via "sendmail -bs", Postfix will never
19444offer STARTTLS due to insufficient privileges to access the server
19445private key. This is intended behavior.</p>
19446
19447<p> This feature is available in Postfix 2.3 and later. </p>
19448
19449
19450</DD>
19451
19452<DT><b><a name="smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>
19453(default: empty)</b></DT><DD>
19454
19455<p> Name of the file containing the optional Postfix SMTP server
19456TLS session cache. Specify a database type that supports enumeration,
19457such as <b>btree</b> or <b>sdbm</b>; there is no need to support
concurrent access.  The file is created if it does not exist. The <a href="smtpd.8.html">smtpd(8)</a>
daemon does not use this parameter directly; rather, the cache is
implemented indirectly in the <a href="tlsmgr.8.html">tlsmgr(8)</a> daemon. This means that
per-smtpd-instance <a href="master.5.html">master.cf</a> overrides of this parameter are not
effective. Note that each of the cache databases supported by the <a href="tlsmgr.8.html">tlsmgr(8)</a>
daemon ($<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>, $<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>,
and with Postfix 2.3 and later $<a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a>) needs to be
stored separately. It is not at this time possible to store multiple
caches in a single database. </p>
19467
19468<p> Note: <b>dbm</b> databases are not suitable. TLS
19469session objects are too large. </p>
19470
19471<p> As of version 2.5, Postfix no longer uses root privileges when
19472opening this file. The file should now be stored under the Postfix-owned
19473<a href="postconf.5.html#data_directory">data_directory</a>. As a migration aid, an attempt to open the file
19474under a non-Postfix directory is redirected to the Postfix-owned
19475<a href="postconf.5.html#data_directory">data_directory</a>, and a warning is logged. </p>
19476
19477<p> As of Postfix 2.11 the preferred mechanism for session resumption
19478is <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
19479storage.  Consequently, for Postfix &ge; 2.11 this parameter should
19480generally be left empty.  TLS session tickets require an OpenSSL
19481library (at least version 0.9.8h) that provides full support for
19482this TLS extension.  See also <a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a>. </p>
19483
19484<p> Example: </p>
19485
19486<pre>
19487<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> = <a href="DATABASE_README.html#types">btree</a>:/var/db/postfix/smtpd_scache
19488</pre>
19489
19490<p> This feature is available in Postfix 2.2 and later.  </p>
19491
19492
19493</DD>
19494
19495<DT><b><a name="smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a>
19496(default: 3600s)</b></DT><DD>
19497
19498<p> The expiration time of Postfix SMTP server TLS session cache
19499information. A cache cleanup is performed periodically
19500every $<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> seconds. As with
19501$<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>, this parameter is implemented in the
19502<a href="tlsmgr.8.html">tlsmgr(8)</a> daemon and therefore per-smtpd-instance <a href="master.5.html">master.cf</a> overrides
19503are not possible. </p>
19504
19505<p> As of Postfix 2.11 this setting cannot exceed 100 days.  If set
19506&le; 0, session caching is disabled, not just via the database, but
19507also via <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a> TLS session tickets, which don't require server-side
19508storage.  If set to a positive value less than 2 minutes, the minimum
19509value of 2 minutes is used instead.  TLS session tickets require
19510an OpenSSL library (at least version 0.9.8h) that provides full
19511support for this TLS extension. </p>
19512
19513<p> Specify a non-negative time value (an integral value plus an optional
19514one-letter suffix that specifies the time unit).  Time units: s
19515(seconds), m (minutes), h (hours), d (days), w (weeks).
19516The default time unit is s (seconds).  </p>
19517
19518<p> This feature is available in Postfix 2.2 and later, and updated
19519for TLS session ticket support in Postfix 2.11. </p>
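<p> The time-value syntax above (an integer with an optional s/m/h/d/w suffix) is shared by every time parameter on this page, and this entry adds three rules on top of it: a value &le; 0 disables session caching, a positive value under 2 minutes is raised to 2 minutes, and the setting cannot exceed 100 days. The following Python is an added example, not Postfix code, of a main.cf pre-check that applies those rules; reporting a value above 100 days as an error rather than clamping it is an assumption, since the page only says the limit cannot be exceeded. </p>

```python
import re

# Unit multipliers for the suffixes the page lists: s, m, h, d, w.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_TIME_RE = re.compile(r"^\s*(-?\d+)([smhdw])?\s*$")

# Limits documented for smtpd_tls_session_cache_timeout (Postfix >= 2.11).
CACHE_TIMEOUT_MIN = 2 * 60        # positive values below this are raised to 2 minutes
CACHE_TIMEOUT_MAX = 100 * 86400   # the setting cannot exceed 100 days


def parse_time_value(text, default_unit="s"):
    """Convert a Postfix time value (integer plus optional unit) to seconds.

    Raises ValueError for anything that is not an integer optionally
    followed by one of s/m/h/d/w.  The default unit is seconds for every
    time parameter documented on this page.
    """
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError("bad time value: %r" % text)
    value, unit = m.group(1), m.group(2) or default_unit
    return int(value) * _UNITS[unit]


def effective_session_cache_timeout(text):
    """Return the timeout smtpd_tls_session_cache_timeout would actually use.

    0 means session caching is disabled (database and RFC 5077 tickets alike);
    otherwise the 2-minute floor is applied.  A value above 100 days is
    reported as an error here (assumption: the page only says the limit
    cannot be exceeded, not what happens when it is).
    """
    seconds = parse_time_value(text)
    if seconds <= 0:
        return 0
    if seconds > CACHE_TIMEOUT_MAX:
        raise ValueError("smtpd_tls_session_cache_timeout exceeds 100 days: %r" % text)
    return max(seconds, CACHE_TIMEOUT_MIN)


def rejects(text):
    """True when the value would be refused by the checks above."""
    try:
        effective_session_cache_timeout(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for value in ("3600s", "30s", "0", "100d", "101d", "10x"):
        print(value, "->", "rejected" if rejects(value)
              else effective_session_cache_timeout(value))
```

<p> Run the block directly to see the default "3600s" pass through unchanged, "30s" come back as 120 seconds, and "0" come back as caching disabled; parse_time_value on its own is enough to validate the other time parameters on this page, such as the 500s default of stale_lock_time. </p>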
19520
19521
19522</DD>
19523
19524<DT><b><a name="smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>
19525(default: no)</b></DT><DD>
19526
19527<p> Run the Postfix SMTP server in TLS "wrapper" mode,
19528instead of using the STARTTLS command. </p>
19529
19530<p> If you want to support this service, enable a special port in
19531<a href="master.5.html">master.cf</a>, and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" on the SMTP
19532server's command line. Port 465 (submissions, formerly called smtps)
19533is reserved for this purpose. </p>
19534
19535<p> This feature is available in Postfix 2.2 and later.  </p>
19536
19537
19538</DD>
19539
19540<DT><b><a name="smtpd_upstream_proxy_protocol">smtpd_upstream_proxy_protocol</a>
19541(default: empty)</b></DT><DD>
19542
19543<p> The name of the proxy protocol used by an optional before-smtpd
19544proxy agent. When a proxy agent is used, this protocol conveys local
19545and remote address and port information.  Specify
19546"<a href="postconf.5.html#smtpd_upstream_proxy_protocol">smtpd_upstream_proxy_protocol</a> = haproxy" to enable the haproxy
19547protocol; version 2 is supported with Postfix 3.5 and later. </p>
19548
<p> NOTE: To use the nginx proxy with <a href="smtpd.8.html">smtpd(8)</a>, enable the XCLIENT
protocol with <a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a>. This supports SASL
authentication in the proxy agent (Postfix 2.9 and later). </p>
19552
19553<p> This feature is available in Postfix 2.10 and later.  </p>
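<p> What a "haproxy" before-smtpd proxy actually sends is one header line ahead of the SMTP session; the remote address and port in it are what smtpd(8) then uses in place of the proxy's own, so a malformed header has to be refused rather than guessed at. The following Python is an added example of a strict parser for the text (version 1) form of the protocol; it is not Postfix's own implementation, it does not cover the binary version 2 form that Postfix 3.5 and later also accept, and the sample header lines are constructed. </p>

```python
import ipaddress

PROXY_V1_MAX_LINE = 107  # longest legal version 1 header, CRLF included


def parse_proxy_v1_header(line):
    """Parse one PROXY protocol version 1 header line (bytes, CRLF-terminated).

    Returns (client_addr, client_port, server_addr, server_port); for the
    UNKNOWN family, where the proxy could not determine the peer, all four
    are None.  Raises ValueError on any deviation from the version 1 grammar,
    because the addresses in this header replace the proxy's own as the
    client identity that smtpd(8) logs and applies its policy to.
    """
    if len(line) > PROXY_V1_MAX_LINE or not line.endswith(b"\r\n"):
        raise ValueError("header too long or not CRLF-terminated")
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("header is not ASCII") from None
    fields = text.split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    family = fields[1]
    if family == "UNKNOWN":
        return (None, None, None, None)
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("unsupported family or wrong field count: %r" % text)
    want_version = 4 if family == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != want_version or dst.version != want_version:
        raise ValueError("address family does not match %s" % family)
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("ports must be unsigned decimal integers")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport)


def header_is_valid(line):
    """True when the header parses; a bad address literal counts as invalid too."""
    try:
        parse_proxy_v1_header(line)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample header, as a proxy in front of port 25 would send it.
    print(parse_proxy_v1_header(b"PROXY TCP4 192.0.2.10 198.51.100.5 49152 25\r\n"))
```

<p> The parser validates before it trusts: family and field count first, then that both address literals belong to the announced family, then the port range. The wait for this line is what the smtpd_upstream_proxy_timeout parameter below bounds, so a proxy that never sends it does not hold an smtpd(8) process indefinitely. </p>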
19554
19555
19556</DD>
19557
19558<DT><b><a name="smtpd_upstream_proxy_timeout">smtpd_upstream_proxy_timeout</a>
19559(default: 5s)</b></DT><DD>
19560
19561<p> The time limit for the proxy protocol specified with the
19562<a href="postconf.5.html#smtpd_upstream_proxy_protocol">smtpd_upstream_proxy_protocol</a> parameter. </p>
19563
19564<p> Specify a non-zero time value (an integral value plus an optional
19565one-letter suffix that specifies the time unit).  Time units: s
19566(seconds), m (minutes), h (hours), d (days), w (weeks).
19567The default time unit is s (seconds).  </p>
19568
19569<p> This feature is available in Postfix 2.10 and later.  </p>
19570
19571
19572</DD>
19573
19574<DT><b><a name="smtpd_use_tls">smtpd_use_tls</a>
19575(default: no)</b></DT><DD>
19576
19577<p> Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
19578but do not require that clients use TLS encryption. </p>
19579
19580<p> Note: when invoked via "<b>sendmail -bs</b>", Postfix will never offer
19581STARTTLS due to insufficient privileges to access the server private
19582key. This is intended behavior. </p>
19583
19584<p> This feature is deprecated as of Postfix 3.9. Specify
19585<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
19586
19587<p> This feature is available in Postfix 2.2 and later. With
19588Postfix 2.3 and later use <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> instead. </p>
19589
19590
19591</DD>
19592
19593<DT><b><a name="smtputf8_autodetect_classes">smtputf8_autodetect_classes</a>
19594(default: sendmail, verify)</b></DT><DD>
19595
19596<p> Detect that a message requires SMTPUTF8 support for the specified
19597mail origin classes.  This is a workaround to avoid chicken-and-egg
19598problems during the initial SMTPUTF8 roll-out in environments with
19599pre-existing mail flows that contain UTF8. Those mail flows should
19600not break because Postfix suddenly refuses to deliver such mail
19601to down-stream MTAs that don't announce SMTPUTF8 support.  </p>
19602
19603<p> The problem is that Postfix cannot rely solely on the sender's
19604declaration that a message requires SMTPUTF8 support, because UTF8
19605may be introduced during local processing (for example, the client
19606hostname in Postfix's Received: header, adding @$<a href="postconf.5.html#myorigin">myorigin</a> or
19607.$<a href="postconf.5.html#mydomain">mydomain</a> to an incomplete address, address rewriting, alias
19608expansion, automatic BCC recipients, local forwarding, and changes
19609made by header checks or Milter applications). </p>
19610
19611<p> For now, the default is to enable "SMTPUTF8 required" autodetection
19612only for Postfix sendmail command-line submissions and address
19613verification probes.  This may change once SMTPUTF8 support achieves
19614world domination.  However, sites that add UTF8 content via local
19615processing (see above) should autodetect the need for SMTPUTF8
19616support for all email.</p>
19617
19618<p> Specify one or more of the following: </p>
19619
19620<dl compact>
19621
19622<dt> <b> sendmail </b> </dt> <dd> Submission with the Postfix
19623<a href="sendmail.1.html">sendmail(1)</a> command. </dd>
19624
19625<dt> <b> smtpd </b> </dt> <dd> Mail received with the <a href="smtpd.8.html">smtpd(8)</a>
19626daemon. </dd>
19627
19628<dt> <b> qmqpd </b> </dt> <dd> Mail received with the <a href="qmqpd.8.html">qmqpd(8)</a>
19629daemon. </dd>
19630
19631<dt> <b> forward </b> </dt> <dd> Local forwarding or aliasing.  When
19632a message is received with "SMTPUTF8 required", then the forwarded
19633(aliased) message always has "SMTPUTF8 required".  </dd>
19634
19635<dt> <b> bounce </b> </dt> <dd> Submission by the <a href="bounce.8.html">bounce(8)</a> daemon.
19636When a message is received with "SMTPUTF8 required", then the
19637delivery status notification always has "SMTPUTF8 required".  </dd>
19638
19639<dt> <b> notify </b> </dt> <dd> Postmaster notification from the
19640<a href="smtp.8.html">smtp(8)</a> or <a href="smtpd.8.html">smtpd(8)</a> daemon. </dd>
19641
19642<dt> <b> verify </b> </dt> <dd> Address verification probe from the
19643<a href="verify.8.html">verify(8)</a> daemon.  </dd>
19644
19645<dt> <b> all </b> </dt> <dd> Enable SMTPUTF8 autodetection for all
19646mail. </dd>
19647
19648</dl>
19649
19650<p> This feature is available in Postfix 3.0 and later. </p>
19651
19652
19653</DD>
19654
19655<DT><b><a name="smtputf8_enable">smtputf8_enable</a>
19656(default: yes)</b></DT><DD>
19657
19658<p> Enable preliminary SMTPUTF8 support for the protocols described
19659in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>. This requires that Postfix is
19660built to support these protocols. </p>
19661
19662<p> This feature is available in Postfix 3.0 and later. </p>
19663
19664
19665</DD>
19666
19667<DT><b><a name="socketmap_max_reply_size">socketmap_max_reply_size</a>
19668(default: 100000)</b></DT><DD>
19669
19670<p> The maximum allowed reply size from a socketmap server, not
19671including the netstring encapsulation. </p>
19672
19673<p> This feature is available in Postfix &ge; 3.10. </p>
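<p> A socketmap reply arrives as a netstring ("&lt;length&gt;:&lt;bytes&gt;,"), so the size limit can be enforced from the length prefix before any reply bytes are buffered. The following Python is an added example, not Postfix code, of a bounded netstring decoder and reply splitter built the way the parameter is worded: the limit applies to the payload only, and the length digits, colon and trailing comma are not counted. The reply statuses (OK, NOTFOUND, TEMP, TIMEOUT, PERM) are those of the socketmap protocol; the sample replies are constructed. </p>

```python
# Reply statuses defined by the socketmap protocol.
SOCKETMAP_STATUSES = (b"OK", b"NOTFOUND", b"TEMP", b"TIMEOUT", b"PERM")
MAX_LENGTH_DIGITS = 9   # caps the prefix scan; also bounds any declared length


def decode_netstring(buf, max_payload):
    """Decode one netstring ("<len>:<bytes>,") from the front of buf.

    Returns (payload, remaining_bytes).  The declared length is compared with
    max_payload before any payload is consumed, so an oversized reply is
    refused without being buffered.  Only the payload counts toward the
    limit; the length digits, colon and trailing comma do not.
    """
    colon = buf.find(b":", 0, MAX_LENGTH_DIGITS + 1)
    if colon <= 0:
        raise ValueError("missing or oversized netstring length prefix")
    digits = buf[:colon]
    if not digits.isdigit() or (len(digits) > 1 and digits.startswith(b"0")):
        raise ValueError("bad netstring length %r" % digits)
    length = int(digits)
    if length > max_payload:
        raise ValueError("reply of %d bytes exceeds limit of %d" % (length, max_payload))
    end = colon + 1 + length
    if len(buf) < end + 1:
        raise ValueError("truncated netstring")
    if buf[end:end + 1] != b",":
        raise ValueError("netstring not terminated by ','")
    return buf[colon + 1:end], buf[end + 1:]


def parse_socketmap_reply(payload):
    """Split a reply payload into (status, data); data is b"" for NOTFOUND."""
    status, _, data = payload.partition(b" ")
    if status not in SOCKETMAP_STATUSES:
        raise ValueError("unknown socketmap status %r" % status)
    return status.decode("ascii"), data


def socketmap_lookup_result(buf, max_payload=100000):
    """Decode one complete reply using the page's default limit of 100000 bytes."""
    payload, rest = decode_netstring(buf, max_payload)
    if rest:
        raise ValueError("trailing bytes after reply")
    return parse_socketmap_reply(payload)


def reply_rejected(buf, max_payload=100000):
    """True when the reply would be refused by the checks above."""
    try:
        socketmap_lookup_result(buf, max_payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample reply for a lookup that found "user@example".
    print(socketmap_lookup_result(b"15:OK user@example,"))
```

<p> The order of checks is the point: the length prefix is parsed and compared with the limit first, so a server that announces a multi-megabyte reply is cut off after a handful of bytes, and a reply whose terminator is not the expected comma is rejected instead of being silently resynchronised. </p>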
19674
19675
19676</DD>
19677
19678<DT><b><a name="soft_bounce">soft_bounce</a>
19679(default: no)</b></DT><DD>
19680
19681<p>
19682Safety net to keep mail queued that would otherwise be returned to
19683the sender.  This parameter disables locally-generated bounces,
19684changes the handling of negative responses from remote servers,
19685content filters or plugins,
19686and prevents the Postfix SMTP server from rejecting mail permanently
19687by changing 5xx reply codes into 4xx.  However, <a href="postconf.5.html#soft_bounce">soft_bounce</a> is no
19688cure for address rewriting mistakes or mail routing mistakes.
19689</p>
19690
19691<p>
19692Note: "<a href="postconf.5.html#soft_bounce">soft_bounce</a> = yes" is in some cases implemented by modifying
19693server responses. Therefore, the response that Postfix logs may
19694differ from the response that Postfix actually sends or receives.
19695</p>
19696
19697<p>
19698Example:
19699</p>
19700
19701<pre>
19702<a href="postconf.5.html#soft_bounce">soft_bounce</a> = yes
19703</pre>
19704
19705
19706</DD>
19707
19708<DT><b><a name="stale_lock_time">stale_lock_time</a>
19709(default: 500s)</b></DT><DD>
19710
19711<p>
19712The time after which a stale exclusive mailbox lockfile is removed.
19713This is used for delivery to file or mailbox.
19714</p>
19715
19716<p> Specify a non-zero time value (an integral value plus an optional
19717one-letter suffix that specifies the time unit).  Time units: s
19718(seconds), m (minutes), h (hours), d (days), w (weeks).
19719The default time unit is s (seconds).  </p>
19720
19721
19722</DD>
19723
19724<DT><b><a name="stress">stress</a>
19725(default: empty)</b></DT><DD>
19726
19727<p> This feature is documented in the <a href="STRESS_README.html">STRESS_README</a> document. </p>
19728
19729<p> This feature is available in Postfix 2.5 and later. </p>
19730
19731
19732</DD>
19733
19734<DT><b><a name="strict_7bit_headers">strict_7bit_headers</a>
19735(default: no)</b></DT><DD>
19736
19737<p>
19738Reject mail with 8-bit text in message headers. This blocks mail
19739from poorly written applications.
19740</p>
19741
19742<p>
19743This feature should not be enabled on a general purpose mail server,
19744because it is likely to reject legitimate email.
19745</p>
19746
19747<p>
19748This feature is available in Postfix 2.0 and later.
19749</p>
19750
19751
19752</DD>
19753
19754<DT><b><a name="strict_8bitmime">strict_8bitmime</a>
19755(default: no)</b></DT><DD>
19756
19757<p>
19758Enable both <a href="postconf.5.html#strict_7bit_headers">strict_7bit_headers</a> and <a href="postconf.5.html#strict_8bitmime_body">strict_8bitmime_body</a>.
19759</p>
19760
19761<p>
19762This feature should not be enabled on a general purpose mail server,
19763because it is likely to reject legitimate email.
19764</p>
19765
19766<p>
19767This feature is available in Postfix 2.0 and later.
19768</p>
19769
19770
19771</DD>
19772
19773<DT><b><a name="strict_8bitmime_body">strict_8bitmime_body</a>
19774(default: no)</b></DT><DD>
19775
19776<p>
19777Reject 8-bit message body text without 8-bit MIME content encoding
19778information.  This blocks mail from poorly written applications.
19779</p>
19780
19781<p>
19782Unfortunately, this also rejects majordomo approval requests when
19783the included request contains valid 8-bit MIME mail, and it rejects
19784bounces from mailers that do not MIME encapsulate 8-bit content
19785(for example, bounces from qmail or from old versions of Postfix).
19786</p>
19787
19788<p>
19789This feature should not be enabled on a general purpose mail server,
19790because it is likely to reject legitimate email.
19791</p>
19792
19793<p>
19794This feature is available in Postfix 2.0 and later.
19795</p>
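<p> The check described in this entry and the one in strict_7bit_headers above (enabled together by strict_8bitmime) both come down to scanning for bytes above 0x7F: in the header block unconditionally, and in the body only when the Content-Transfer-Encoding header does not declare 8bit or binary. The following Python is an added example, not Postfix code, that applies both rules to a raw message. It handles a single-part message only (a full implementation also has to look inside each MIME part), assumes the RFC 2045 default of 7bit when the header is absent, and the sample messages are constructed. </p>

```python
import re

# Body encodings under which 8-bit bytes are legitimate (RFC 2045).
EIGHT_BIT_ENCODINGS = ("8bit", "binary")


def split_message(raw):
    """Split raw message bytes into (header block, body) at the first empty line."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx], raw[idx + len(sep):]
    return raw, b""


def has_8bit(data):
    """True when any byte has the high bit set."""
    return any(byte > 0x7F for byte in data)


def content_transfer_encoding(headers):
    """The declared Content-Transfer-Encoding, or the RFC 2045 default of 7bit."""
    m = re.search(rb"(?im)^content-transfer-encoding:[ \t]*([^\r\n]+)", headers)
    if not m:
        return "7bit"
    return m.group(1).strip().lower().decode("ascii", "replace")


def check_8bit_policy(raw, strict_7bit_headers=False, strict_8bitmime_body=False):
    """Return the reasons a message would be rejected under the given settings.

    strict_8bitmime = yes corresponds to passing both flags.  An empty list
    means the message passes.
    """
    headers, body = split_message(raw)
    reasons = []
    if strict_7bit_headers and has_8bit(headers):
        reasons.append("8-bit text in message headers")
    if strict_8bitmime_body and has_8bit(body):
        cte = content_transfer_encoding(headers)
        if cte not in EIGHT_BIT_ENCODINGS:
            reasons.append("8-bit body without 8-bit MIME encoding "
                           "(Content-Transfer-Encoding: %s)" % cte)
    return reasons


# Constructed sample messages (not taken from any real mail).
MSG_8BIT_HEADER = (b"From: Jos\xe9 <jose@example.com>\r\n"
                   b"Subject: hello\r\n\r\nplain body\r\n")
MSG_8BIT_BODY_UNDECLARED = (b"From: a@example.com\r\nSubject: hello\r\n\r\n"
                            b"na\xc3\xafve\r\n")
MSG_8BIT_BODY_DECLARED = (b"From: a@example.com\r\nMIME-Version: 1.0\r\n"
                          b"Content-Type: text/plain; charset=utf-8\r\n"
                          b"Content-Transfer-Encoding: 8bit\r\n\r\n"
                          b"na\xc3\xafve\r\n")

if __name__ == "__main__":
    for name, msg in (("8-bit header", MSG_8BIT_HEADER),
                      ("undeclared 8-bit body", MSG_8BIT_BODY_UNDECLARED),
                      ("declared 8-bit body", MSG_8BIT_BODY_DECLARED)):
        print(name, "->", check_8bit_policy(msg, True, True) or "accepted")
```

<p> The third sample shows why the body rule is narrower than the header rule: the same UTF-8 body passes once the message declares "Content-Transfer-Encoding: 8bit", whereas a raw 8-bit header is rejected regardless of any declaration, which is also why the page warns that both settings reject legitimate mail from software that never learned to encode. </p>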
19796
19797
19798</DD>
19799
19800<DT><b><a name="strict_mailbox_ownership">strict_mailbox_ownership</a>
19801(default: yes)</b></DT><DD>
19802
19803<p> Defer delivery when a mailbox file is not owned by its recipient.
19804The default setting is not backwards compatible.  </p>
19805
19806<p> This feature is available in Postfix 2.5.3 and later. </p>
19807
19808
19809</DD>
19810
19811<DT><b><a name="strict_mime_encoding_domain">strict_mime_encoding_domain</a>
19812(default: no)</b></DT><DD>
19813
19814<p>
19815Reject mail with invalid Content-Transfer-Encoding: information
19816for the message/* or multipart/* MIME content types.  This blocks
19817mail from poorly written software.
19818</p>
19819
19820<p>
19821This feature should not be enabled on a general purpose mail server,
19822because it will reject mail after a single violation.
19823</p>
19824
19825<p>
19826This feature is available in Postfix 2.0 and later.
19827</p>
19828
19829
19830</DD>
19831
19832<DT><b><a name="strict_rfc821_envelopes">strict_rfc821_envelopes</a>
19833(default: no)</b></DT><DD>
19834
19835<p>
19836Require that addresses received in SMTP MAIL FROM and RCPT TO
19837commands are enclosed with &lt;&gt;, and that those addresses do
19838not contain <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> style comments or phrases.  This stops mail
19839from poorly written software.
19840</p>
19841
19842<p>
19843By default, the Postfix SMTP server accepts <a href="https://tools.ietf.org/html/rfc822">RFC 822</a> syntax in MAIL
19844FROM and RCPT TO addresses.
19845</p>
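<p> The difference between the strict setting and the lenient default is easiest to see on actual MAIL FROM and RCPT TO lines. The following Python is an added example, not Postfix's parser, of an envelope address extractor with both behaviours: in strict mode the address must be enclosed in &lt;&gt; directly after the colon with no comment or phrase, ESMTP parameters may follow the closing bracket, and anything else is rejected; in lenient mode a bare address or a "phrase &lt;address&gt;" form is accepted and comments are dropped. The sample commands are constructed. </p>

```python
import re

_ENVELOPE_CMD = re.compile(r"^(MAIL FROM|RCPT TO):\s*(.*)$", re.IGNORECASE | re.DOTALL)
# Strict form: <address> right after the colon, nothing but ESMTP parameters after it.
_STRICT_ADDR = re.compile(r"^<([^<>\s()]*)>(\s+\S.*)?$")


def envelope_address(command, strict):
    """Extract the address from a MAIL FROM or RCPT TO command.

    strict=True models strict_rfc821_envelopes = yes: the address must be
    enclosed in <> with no RFC 822 comment or display-name phrase.
    strict=False models the default: a bare address or "Phrase <address>"
    is accepted and (comments) are discarded.  Returns the bare address
    ("" for the null sender <>); raises ValueError when the command would
    be rejected.
    """
    m = _ENVELOPE_CMD.match(command.strip())
    if not m:
        raise ValueError("not a MAIL FROM or RCPT TO command")
    rest = m.group(2)
    if strict:
        sm = _STRICT_ADDR.match(rest)
        if not sm:
            raise ValueError("strict_rfc821_envelopes: address must be <...> "
                             "without comments or phrases: %r" % rest)
        return sm.group(1)
    rest = re.sub(r"\([^)]*\)", "", rest).strip()   # drop RFC 822 comments
    lm = re.search(r"<([^<>]*)>", rest)
    if lm:
        return lm.group(1).strip()
    return rest.split()[0] if rest else ""


def rejected(command, strict):
    """True when the command would be refused under the given setting."""
    try:
        envelope_address(command, strict)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in ("MAIL FROM:<alice@example.com> SIZE=1000",
                "MAIL FROM: Alice Example <alice@example.com>",
                "RCPT TO: bob@example.com (home)"):
        for strict in (False, True):
            print("%-45s strict=%-5s -> %s" % (cmd, strict,
                  "rejected" if rejected(cmd, strict) else envelope_address(cmd, strict)))
```

<p> Running the block shows the second and third commands accepted by the lenient parser and refused by the strict one, which is the trade-off the entry describes: the strict form shuts out software that emits RFC 822 syntax, whether it is poorly written or merely old. </p>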
19846
19847
19848</DD>
19849
19850<DT><b><a name="strict_smtputf8">strict_smtputf8</a>
19851(default: no)</b></DT><DD>
19852
19853<p> Enable stricter enforcement of the SMTPUTF8 protocol. The Postfix
19854SMTP server accepts UTF8 sender or recipient addresses only when
19855the client requests an SMTPUTF8 mail transaction. </p>
19856
19857<p> This feature is available in Postfix 3.0 and later. </p>
19858
19859
19860</DD>
19861
19862<DT><b><a name="sun_mailtool_compatibility">sun_mailtool_compatibility</a>
19863(default: no)</b></DT><DD>
19864
19865<p>
19866Obsolete SUN mailtool compatibility feature. Instead, use
19867"<a href="postconf.5.html#mailbox_delivery_lock">mailbox_delivery_lock</a> = dotlock".
19868</p>
19869
19870
19871</DD>
19872
19873<DT><b><a name="swap_bangpath">swap_bangpath</a>
19874(default: yes)</b></DT><DD>
19875
19876<p>
19877Enable the rewriting of "site!user" into "user@site".  This is
19878necessary if your machine is connected to UUCP networks.  It is
19879enabled by default.
19880</p>
19881
19882<p> Note: with Postfix version 2.2, message header address rewriting
19883happens only when one of the following conditions is true: </p>
19884
19885<ul>
19886
19887<li> The message is received with the Postfix <a href="sendmail.1.html">sendmail(1)</a> command,
19888
19889<li> The message is received from a network client that matches
19890$<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a>,
19891
19892<li> The message is received from the network, and the
19893<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter specifies a non-empty value.
19894
19895</ul>
19896
19897<p> To get the behavior before Postfix version 2.2, specify
19898"<a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> = <a href="DATABASE_README.html#types">static</a>:all". </p>
19899
19900<p>
19901Example:
19902</p>
19903
19904<pre>
19905<a href="postconf.5.html#swap_bangpath">swap_bangpath</a> = no
19906</pre>
19907
19908
19909</DD>
19910
19911<DT><b><a name="syslog_facility">syslog_facility</a>
19912(default: mail)</b></DT><DD>
19913
19914<p>
19915The syslog facility of Postfix logging. Specify a facility as
19916defined in syslog.conf(5). The default facility is "mail".
19917</p>
19918
19919<p>
19920Warning: a non-default <a href="postconf.5.html#syslog_facility">syslog_facility</a> setting takes effect only
19921after a Postfix process has completed initialization.  Errors during
19922process initialization will be logged with the default facility.
19923Examples are errors while parsing the command line arguments, and
19924errors while accessing the Postfix <a href="postconf.5.html">main.cf</a> configuration file.
19925</p>
19926
19927
19928</DD>
19929
19930<DT><b><a name="syslog_name">syslog_name</a>
19931(default: see "postconf -d" output)</b></DT><DD>
19932
19933<p>
19934A prefix that is prepended to the process name in syslog
19935records, so that, for example, "smtpd" becomes "prefix/smtpd".
19936</p>
19937
19938<p>
19939Warning: a non-default <a href="postconf.5.html#syslog_name">syslog_name</a> setting takes effect only after
19940a Postfix process has completed initialization. Errors during
19941process initialization will be logged with the default name. Examples
19942are errors while parsing the command line arguments, and errors
19943while accessing the Postfix <a href="postconf.5.html">main.cf</a> configuration file.
19944</p>
19945
19946
19947</DD>
19948
19949<DT><b><a name="tcp_windowsize">tcp_windowsize</a>
19950(default: 0)</b></DT><DD>
19951
19952<p> An optional workaround for routers that break TCP window scaling.
19953Specify a value &gt; 0 and &lt; 65536 to enable this feature.  With
19954Postfix TCP servers (<a href="smtpd.8.html">smtpd(8)</a>, <a href="qmqpd.8.html">qmqpd(8)</a>), this feature is implemented
19955by the Postfix <a href="master.8.html">master(8)</a> daemon.  </p>
19956
19957<p> To change this parameter without stopping Postfix, you need to
19958first terminate all Postfix TCP servers: </p>
19959
19960<blockquote>
19961<pre>
19962# postconf -e <a href="postconf.5.html#master_service_disable">master_service_disable</a>=inet
19963# postfix reload
19964</pre>
19965</blockquote>
19966
19967<p> This immediately terminates all processes that accept network
19968connections.  Next, you enable Postfix TCP servers with the updated
19969<a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> setting: </p>
19970
19971<blockquote>
19972<pre>
19973# postconf -e <a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a>=65535 <a href="postconf.5.html#master_service_disable">master_service_disable</a>=
19974# postfix reload
19975</pre>
19976</blockquote>
19977
19978<p> If you skip these steps with a running Postfix system, then the
19979<a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> change will work only for Postfix TCP clients (<a href="smtp.8.html">smtp(8)</a>,
19980<a href="lmtp.8.html">lmtp(8)</a>).  </p>
19981
19982<p> This feature is available in Postfix 2.6 and later. </p>
19983
19984
19985</DD>
19986
19987<DT><b><a name="tls_append_default_CA">tls_append_default_CA</a>
19988(default: no)</b></DT><DD>
19989
19990<p> Append the system-supplied default Certification Authority
19991certificates to the ones specified with *_tls_CApath or *_tls_CAfile.
19992The default is "no"; this prevents Postfix from trusting third-party
19993certificates and giving them relay permission with
19994<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>.  </p>
19995
19996<p> This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,
199972.7.2 and later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for
19998backwards compatibility, to avoid breaking certificate verification
19999with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>. </p>
20000
20001
20002</DD>
20003
20004<DT><b><a name="tls_config_file">tls_config_file</a>
20005(default: default)</b></DT><DD>
20006
20007<p> Optional configuration file with baseline OpenSSL settings.
20008OpenSSL loads any SSL settings found in the configuration file for
20009the selected application name (see <a href="postconf.5.html#tls_config_name">tls_config_name</a>) or else the
20010built-in application name "openssl_conf" when no application name is
20011specified, or no corresponding configuration section is present.
20012</p>
20013
20014<p> With OpenSSL releases 1.1.1 and 1.1.1a, applications (including
20015Postfix) can neither specify an alternative configuration file, nor
20016avoid loading the default configuration file.  </p>
20017
20018<p> With OpenSSL 1.1.1b or later, this parameter may be set to one of:
20019</p>
20020
20021<dl>
20022
20023<dt> <b>default</b> (default) </dt> <dd> Load the system-wide
20024"openssl.cnf" configuration file.  </dd>
20025
<dt> <b>none</b> (recommended, OpenSSL 1.1.1b or later only) </dt>
<dd> This setting disables loading of the system-wide "openssl.cnf"
file.  </dd>
20029
20030<dt> <b><i>/absolute-path</i></b> (OpenSSL 1.1.1b or later only) </dt>
20031<dd> Load the configuration file specified by <i>/absolute-path</i>.
20032With this setting it is an error for the file to not contain any
20033settings for the selected <a href="postconf.5.html#tls_config_name">tls_config_name</a>.  There is no fallback to
20034the default "openssl_conf" name. </dd>
20035
20036</dl>
20037
<p> Failures in processing of the built-in default configuration file
are silently ignored.  Any errors in loading a non-default configuration
file are detected by Postfix, and cause TLS support to be disabled.
</p>

<p> The OpenSSL configuration file format is not documented here,
beyond giving two examples. </p>
20045
20046<p> Example: Default settings for all applications. </p>
20047
20048<blockquote>
20049<pre>
20050# The name 'openssl_conf' is the default application name
20051# The section name to the right of the '=' sign is arbitrary,
20052# any name will do, so long as it refers to the desired section.
20053#
20054# The name 'system_default' selects the settings applied internally
20055# by the SSL library as part of SSL object creation.  Applications
20056# can then apply any additional settings of their choice.
20057#
20058# In this example, TLS versions prior to 1.2 are disabled by default.
20059#
20060openssl_conf = system_wide_settings
20061[system_wide_settings]
20062ssl_conf = ssl_library_settings
20063[ssl_library_settings]
20064system_default = initial_ssl_settings
20065[initial_ssl_settings]
20066MinProtocol = TLSv1.2
20067</pre>
20068</blockquote>
20069
20070<p> Example: Custom settings for an application named "postfix". </p>
20071
20072<blockquote>
20073<pre>
20074# The mapping from an application name to the corresponding configuration
20075# section must appear near the top of the file, (in what is sometimes called
20076# the "default section") prior to the start of any explicitly named
20077# "[sections]".  The named sections can appear in any order and don't nest.
20078#
20079postfix = postfix_settings
20080[postfix_settings]
20081ssl_conf = postfix_ssl_settings
20082[postfix_ssl_settings]
20083system_default = baseline_postfix_settings
20084[baseline_postfix_settings]
20085MinProtocol = TLSv1
20086</pre>
20087</blockquote>
20088
20089<p> Example: Custom OpenSSL group settings. </p>
20090
20091<pre>
20092<a href="postconf.5.html">main.cf</a>:
20093    <a href="postconf.5.html#tls_config_file">tls_config_file</a> = ${<a href="postconf.5.html#config_directory">config_directory</a>}/openssl.cnf
20094    <a href="postconf.5.html#tls_config_name">tls_config_name</a> = postfix
20095</pre>
20096
20097<pre>
20098openssl.cnf:
20099    postfix = postfix_settings
20100</pre>
20101
20102<pre>
20103    [postfix_settings]
20104    ssl_conf = postfix_ssl_settings
20105</pre>
20106
20107<pre>
20108    [postfix_ssl_settings]
20109    system_default = baseline_postfix_settings
20110</pre>
20111
20112<pre>
20113    [baseline_postfix_settings]
20114    # New OpenSSL 3.5 syntax, for older releases consider
20115    # the Postfix default:
20116    #
20117    # Groups = X25519:X448:prime256v1:secp384r1:secp521r1:ffdhe2048:ffdhe3072
20118    #
20119    Groups = *X25519MLKEM768 / *X25519:X448 / P-256:P-384
20120</pre>
20121
20122<p> Caution: It is typically best to just use the default OpenSSL
20123group settings, by setting "<a href="postconf.5.html#tls_config_file">tls_config_file</a> = none". Overly strict
20124system-wide TLS settings will conflict with Postfix's opportunistic
20125TLS, where being less restrictive is better than downgrading to
20126cleartext SMTP. </p>
20127
20128<p> This feature is available in Postfix &ge; 3.9, 3.8.1, 3.7.6,
201293.6.10, and 3.5.20. </p>
20130
20131
20132</DD>
20133
20134<DT><b><a name="tls_config_name">tls_config_name</a>
20135(default: empty)</b></DT><DD>
20136
20137<p> The application name passed by Postfix to OpenSSL library
20138initialization functions.  This name is used to select the desired
20139configuration "section" in the OpenSSL configuration file specified
20140via the <a href="postconf.5.html#tls_config_file">tls_config_file</a> parameter.  When empty, or when the
20141selected name is not present in the configuration file, the default
20142application name ("openssl_conf") is used as a fallback.  </p>
20143
20144<p> This feature is available in Postfix &ge; 3.9.  </p>
20145
20146
20147</DD>
20148
20149<DT><b><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>
20150(default: 32)</b></DT><DD>
20151
20152<p> The number of pseudo-random bytes that an <a href="smtp.8.html">smtp(8)</a> or <a href="smtpd.8.html">smtpd(8)</a>
20153process requests from the <a href="tlsmgr.8.html">tlsmgr(8)</a> server in order to seed its
internal pseudo random number generator (PRNG).  The default of 32
bytes (equivalent to 256 bits) is sufficient to generate a 128-bit
(or 168-bit) session key. </p>
20157
20158<p> This feature is available in Postfix 2.2 and later.  </p>
20159
20160
20161</DD>
20162
20163<DT><b><a name="tls_dane_digest_agility">tls_dane_digest_agility</a>
20164(default: on)</b></DT><DD>
20165
<p> Configure <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a> DANE TLSA digest algorithm agility.
Do not change this setting from its default value. </p>

<p> See Section 8 of <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a> for correct key rotation procedures.  </p>
20170
20171<p> This feature is available in Postfix 2.11 through 3.1.  Postfix
201723.2 and later ignore this configuration parameter and behave as
20173though it were set to "on".  </p>
20174
20175
20176</DD>
20177
20178<DT><b><a name="tls_dane_digests">tls_dane_digests</a>
20179(default: sha512 sha256)</b></DT><DD>
20180
20181<p> DANE TLSA (<a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, <a href="https://tools.ietf.org/html/rfc7671">RFC 7671</a>, <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a>) resource-record "matching
20182type" digest algorithms in descending preference order.  All the
20183specified algorithms must be supported by the underlying OpenSSL
20184library, otherwise the Postfix SMTP client will not support DANE
20185TLSA security.  </p>
20186
20187<p> Specify a list of digest names separated by commas and/or
20188whitespace.  Each digest name may be followed by an optional
20189"=&lt;number&gt;" suffix.  For example, "sha512" may instead be specified
20190as "sha512=2" and "sha256" may instead be specified as "sha256=1".
The optional number must match the <a
href="https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#matching-types"
>IANA</a> assigned TLSA matching type number of the algorithm in question.
20194Postfix will check this constraint for the algorithms it knows about.
20195Additional matching type algorithms registered with IANA can be added
20196with explicit numbers provided they are supported by OpenSSL. </p>
20197
20198<p> Invalid list elements are logged with a warning and disable DANE
20199support.  TLSA RRs that specify digests not included in the list are
20200ignored with a warning. </p>
20201
<p> Note: It is unwise to omit sha256 from the digest list.  This
digest algorithm is the only mandatory-to-implement digest algorithm
in <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, and many servers are expected to publish TLSA records
with just sha256 digests.  Unless one of the standard digests is
seriously compromised and servers have had ample time to update their
TLSA records, you should not omit any standard digests; just arrange
them in order from strongest to weakest.  </p>
20209
20210<p> This feature is available in Postfix 2.11 and later. </p>
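<p> As an added example (not Postfix code) of the list syntax and of the two consequences the entry describes, the following Python parses a tls_dane_digests value, rejects an element whose number contradicts the IANA matching type number for a digest it knows (sha256 = 1, sha512 = 2), checks library support with hashlib standing in for OpenSSL, and then filters and verifies TLSA records against the configured list. Records are represented as (usage, selector, matching type, data) tuples, the association data (full certificate or SubjectPublicKeyInfo, per the selector) is assumed to be already extracted, and the sample record and key bytes are constructed. </p>

```python
import hashlib
import re

# IANA TLSA "matching type" numbers for the digests Postfix knows about.
IANA_MATCHING_TYPES = {"sha256": 1, "sha512": 2}


def parse_dane_digests(value):
    """Parse a tls_dane_digests value into an ordered {digest: matching_type}.

    Raises ValueError where Postfix would log a warning and disable DANE:
    a malformed element, a number that contradicts the IANA registry for a
    known digest, an unknown digest given without a number, or a digest the
    crypto library (hashlib here, standing in for OpenSSL) does not support.
    """
    ordered = {}
    for elem in re.split(r"[\s,]+", value.strip()):
        if not elem:
            continue
        name, sep, num = elem.partition("=")
        name = name.lower()
        if sep and not num.isdigit():
            raise ValueError("bad matching-type number in %r" % elem)
        if name in IANA_MATCHING_TYPES:
            mtype = IANA_MATCHING_TYPES[name]
            if sep and int(num) != mtype:
                raise ValueError("%s must use matching type %d, not %s" % (name, mtype, num))
        elif sep:
            mtype = int(num)   # IANA-registered digest unknown to Postfix: explicit number
        else:
            raise ValueError("digest %r needs an explicit =<number>" % name)
        if name not in hashlib.algorithms_available:
            raise ValueError("digest %r not supported by the crypto library" % name)
        ordered[name] = mtype
    if not ordered:
        raise ValueError("empty digest list")
    return ordered


def digest_list_rejected(value):
    """True when the value would disable DANE support."""
    try:
        parse_dane_digests(value)
    except ValueError:
        return True
    return False


def usable_tlsa_records(records, digests):
    """Drop TLSA records whose matching type is not in the configured list.

    records are (usage, selector, matching_type, data) tuples.  Matching type
    0 carries the full association data rather than a digest and is always usable.
    """
    allowed = set(digests.values()) | {0}
    return [r for r in records if r[2] in allowed]


def tlsa_matches(record, digests, association_data):
    """Check one usable TLSA record against the already-selected certificate
    or SubjectPublicKeyInfo bytes."""
    _usage, _selector, mtype, data = record
    if mtype == 0:
        return data == association_data
    for name, num in digests.items():
        if num == mtype:
            return hashlib.new(name, association_data).digest() == data
    return False


# Constructed sample data: a stand-in for a server's SubjectPublicKeyInfo and
# a DANE-EE(3) SPKI(1) SHA2-256(1) record published for it.
SAMPLE_SPKI = b"constructed-subject-public-key-info"
SAMPLE_TLSA = (3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())

if __name__ == "__main__":
    digests = parse_dane_digests("sha512 sha256")
    print(digests, tlsa_matches(SAMPLE_TLSA, digests, SAMPLE_SPKI))
```

<p> The filtering step is where the note above bites: with sha256 dropped from the list, a record published with only a sha256 digest is discarded before verification, and a server that publishes nothing else then gets no DANE protection at all. </p>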
20211
20212
20213</DD>
20214
20215<DT><b><a name="tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a>
20216(default: yes)</b></DT><DD>
20217
20218<p> Enable support for <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a> (DANE TLSA) DNS records that contain
20219digests of trust-anchors with certificate usage "2".  Do not change
20220this setting from its default value.  </p>
20221
20222<p> This feature is available in Postfix 2.11 through 3.1.  It has
20223been withdrawn in Postfix 3.2, as trust-anchor TLSA records are now
20224widely used and have proved sufficiently reliable.  Postfix 3.2 and
20225later ignore this configuration parameter and behave as though it
20226were set to "yes".  </p>
20227
20228
20229</DD>
20230
20231<DT><b><a name="tls_disable_workarounds">tls_disable_workarounds</a>
20232(default: see "postconf -d" output)</b></DT><DD>
20233
20234<p> List or bit-mask of OpenSSL bug work-arounds to disable. </p>
20235
20236<p> The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
20237implementations. Applications, such as Postfix, that want to maximize
20238interoperability ask the OpenSSL library to enable the full set of
20239recommended work-arounds. </p>
20240
20241<p> From time to time, it is discovered that a work-around creates a
20242security issue, and should no longer be used. If upgrading OpenSSL
20243to a fixed version is not an option or an upgrade is not available
20244in a timely manner, or in closed environments where no buggy clients
20245or servers exist, it may be appropriate to disable some or all of the
20246OpenSSL interoperability work-arounds. This parameter specifies which
20247bug work-arounds to disable. </p>
20248
20249<p> If the value of the parameter is a hexadecimal long integer starting
20250with "0x", the bug work-arounds corresponding to the bits specified in
20251its value are removed from the <b>SSL_OP_ALL</b> work-around bit-mask
20252(see openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more
20253bits than are present in SSL_OP_ALL; excess bits are ignored. Specifying
202540xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
20255also be sufficient on 64-bit systems, until OpenSSL abandons support
20256for 32-bit systems and starts using the high 32 bits of a 64-bit
20257bug-workaround mask. </p>
20258
20259<p> Otherwise, the parameter is a white-space or comma separated list
20260of specific named bug work-arounds chosen from the list below. It
20261is possible that your OpenSSL version includes new bug work-arounds
20262added after your Postfix source code was last updated; in that case
20263you can only disable one of these via the hexadecimal syntax above. </p>
20264
20265<dl>
20266
20267<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in
20268OpenSSL 1.0.0.</dd>
20269
20270<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See
20271SSL_CTX_set_options(3)</dd>
20272
20273<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
20274
20275<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b></dt> <dd>See
20276SSL_CTX_set_options(3)</dd>
20277
20278<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
20279
20280<dt><b>MSIE_SSLV2_RSA_PADDING</b></dt> <dd> also aliased as
20281<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by
20282default with OpenSSL versions that may predate the fix. Fixed in
20283OpenSSL 0.9.7h and OpenSSL 0.9.8a.</dd>
20284
20285<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
20286
20287<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased
20288as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by
20289default with OpenSSL versions that may predate the fix. Fixed in
20290OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>
20291
20292<dt><b>SSLEAY_080_CLIENT_DH_BUG</b></dt> <dd>See
20293SSL_CTX_set_options(3)</dd>
20294
20295<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See
20296SSL_CTX_set_options(3)</dd>
20297
20298<dt><b>TLS_BLOCK_PADDING_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
20299
20300<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>
20301
20302<dt><b>TLS_ROLLBACK_BUG</b></dt> <dd>See SSL_CTX_set_options(3).
20303This is disabled in OpenSSL 0.9.7 and later. Nobody should still
20304be using 0.9.6! </dd>
20305
20306<dt><b>TLSEXT_PADDING</b></dt><dd>Postfix &ge; 3.4. See SSL_CTX_set_options(3).</dd>
20307
20308</dl>
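<p> The two value syntaxes above, hexadecimal mask and name list, interpreted in code.  This is an added example, not Postfix's implementation.  The names and the two CVE aliases are the ones listed above; the bit values and the SSL_OP_ALL constant are constructed for illustration only, since the real values live in openssl/ssl.h and change between OpenSSL releases (which is why the hexadecimal form must be taken from the headers of the OpenSSL build actually in use).  Rejecting unknown names is this example's choice; the description does not say how Postfix treats them. </p>

```python
"""Interpret a tls_disable_workarounds value: a "0x..." hexadecimal mask of
bits to remove from SSL_OP_ALL (excess bits ignored), or a whitespace- or
comma-separated list of work-around names.

Added example; not Postfix code.  The two syntaxes, the names and the two
CVE aliases are taken from the parameter description.  The bit values and
the SSL_OP_ALL value below are CONSTRUCTED for illustration: real values
live in openssl/ssl.h and differ between OpenSSL releases.
"""
import re
from typing import Dict, List

# Constructed, illustrative bit assignments for the names listed above.
WORKAROUND_BITS: Dict[str, int] = {
    "CRYPTOPRO_TLSEXT_BUG": 1 << 0,
    "DONT_INSERT_EMPTY_FRAGMENTS": 1 << 1,
    "LEGACY_SERVER_CONNECT": 1 << 2,
    "MICROSOFT_BIG_SSLV3_BUFFER": 1 << 3,
    "MICROSOFT_SESS_ID_BUG": 1 << 4,
    "MSIE_SSLV2_RSA_PADDING": 1 << 5,
    "NETSCAPE_CHALLENGE_BUG": 1 << 6,
    "NETSCAPE_REUSE_CIPHER_CHANGE_BUG": 1 << 7,
    "SSLEAY_080_CLIENT_DH_BUG": 1 << 8,
    "SSLREF2_REUSE_CERT_TYPE_BUG": 1 << 9,
    "TLS_BLOCK_PADDING_BUG": 1 << 10,
    "TLS_D5_BUG": 1 << 11,
    "TLS_ROLLBACK_BUG": 1 << 12,
    "TLSEXT_PADDING": 1 << 13,
}

# The two aliases the parameter description mentions.
ALIASES: Dict[str, str] = {
    "CVE-2005-2969": "MSIE_SSLV2_RSA_PADDING",
    "CVE-2010-4180": "NETSCAPE_REUSE_CIPHER_CHANGE_BUG",
}

# Constructed stand-in for SSL_OP_ALL: the union of all work-around bits.
SSL_OP_ALL: int = 0
for _bit in WORKAROUND_BITS.values():
    SSL_OP_ALL |= _bit


def disabled_mask(value: str) -> int:
    """Bits of SSL_OP_ALL that the configured value switches off."""
    value = value.strip()
    if value.lower().startswith("0x"):
        # Hexadecimal form: bits outside SSL_OP_ALL are simply ignored.
        return int(value, 16) & SSL_OP_ALL
    mask = 0
    for token in re.split(r"[\s,]+", value):
        if not token:
            continue
        name = token.upper()
        name = ALIASES.get(name, name)
        if name not in WORKAROUND_BITS:
            # Example's choice: fail loudly so a typo cannot silently leave
            # a work-around enabled that the operator meant to disable.
            raise ValueError(f"unknown OpenSSL work-around name: {token}")
        mask |= WORKAROUND_BITS[name]
    return mask


def effective_workarounds(value: str) -> int:
    """Work-arounds that stay enabled: SSL_OP_ALL with the disabled bits cleared."""
    return SSL_OP_ALL & ~disabled_mask(value)


def enabled_names(value: str) -> List[str]:
    """Human-readable view of what remains enabled after applying the value."""
    remaining = effective_workarounds(value)
    return sorted(n for n, b in WORKAROUND_BITS.items() if remaining & b)


if __name__ == "__main__":
    for setting in ("", "CVE-2005-2969, cve-2010-4180", "0xFFFFFFFF"):
        print(f"{setting!r:40} -> enabled: {enabled_names(setting)}")
```

<p> With the mask form, "0xFFFFFFFF" clears everything regardless of how many bits the real SSL_OP_ALL uses, which is the behaviour described above; with the name form, only the named work-arounds (and their aliases) are cleared and everything else stays on. </p>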
20309
20310<p> This feature is available in Postfix 2.8 and later.  </p>
20311
20312
20313</DD>
20314
20315<DT><b><a name="tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>
20316(default: see "postconf -d" output)</b></DT><DD>
20317
20318<p> The prioritized list of elliptic curves that should be enabled in the
20319Postfix SMTP client and server.  The selected curves should be implemented
20320by OpenSSL and be standardized for use in the TLS "supported groups" extension
20321(<a href="https://tools.ietf.org/html/rfc8422">RFC8422</a>, <a href="https://tools.ietf.org/html/rfc8446">RFC8446</a> and <a href="https://tools.ietf.org/html/rfc8447">RFC8447</a>).  Be sure to include at least "x25519" and
20322"prime256v1" (the OpenSSL name for "secp256r1", a.k.a. "P-256").  The default
20323list is suitable for most users. </p>
20324
20325<p> On the client side, the first curve listed will be used to construct the
20326client's initial TLS 1.3 "keyshare".  If this is not supported by the server,
20327the TLS handshake may require an additional round-trip after the server issues
20328a HelloRetryRequest (HRR) indicating a suitable mutually supported curve. </p>
20329
20330<p> Postfix skips curve names that are unknown to OpenSSL, or that are known
20331but not yet implemented.  This makes it possible to "anticipate" support for
20332curves that should be used once they become available, or to deploy the same
20333setting on a server "farm" where not all servers support the same curves.  </p>
20334
20335<p> As of Postfix 3.10, when compiled with OpenSSL 3.0 or later, the "curve"
20336names can be more general key encapsulation mechanisms (KEMs), and/or may be
20337loaded from an external "provider" (via a suitable <a href="postconf.5.html#tls_config_file">tls_config_file</a>).  </p>
20338
20339<p> See also the "<a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>" parameter, which supports
20340customizing the list of FFDHE groups enabled with TLS 1.3.  That setting
20341is introduced with Postfix 3.8, when built against OpenSSL 3.0 or later.
20342</p>
20343
20344<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
20345configuration syntax that Postfix will not attempt to imitate.
20346Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
20347both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and if available <a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>
20348to the empty value, to enable algorithm selection through OpenSSL
20349configuration. See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example.
20350</p>
20351
20352<p> This feature is available in Postfix 3.2 and later, when it is
20353compiled and linked with OpenSSL 1.0.2 or later on platforms where
20354EC algorithms have not been disabled by the vendor. </p>
20355
20356
20357</DD>
20358
20359<DT><b><a name="tls_eecdh_strong_curve">tls_eecdh_strong_curve</a>
20360(default: prime256v1)</b></DT><DD>
20361
20362<p> The elliptic curve used by the Postfix SMTP server for sensibly
20363strong
20364ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
20365server when "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = strong". The phrase "sensibly
20366strong" means approximately 128-bit security based on best known
20367attacks. The selected curve must be implemented by OpenSSL (as
20368reported by ecparam(1) with the "-list_curves" option) and be one
20369of the curves listed in Section 5.1.1 of <a href="https://tools.ietf.org/html/rfc8422">RFC 8422</a>. You should not
20370generally change this setting.  Remote SMTP client implementations
20371must support this curve for EECDH key exchange to take place.  It
20372is unwise to choose only "bleeding-edge" curves supported by only a
20373small subset of clients.  </p>
20374
20375<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
20376
20377<p> The default "strong" curve is rated in NSA <a
20378href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
20379B</a> for information classified up to SECRET.  </p>
20380
20381<p> Note: elliptic curve names are poorly standardized; different
20382standards groups are assigning different names to the same underlying
20383curves.  The curve with the X9.62 name "prime256v1" is also known
20384under the SECG name "secp256r1", but OpenSSL does not recognize the
20385latter name. </p>
20386
20387<p> If you want to take maximal advantage of ciphers that offer <a
20388href="FORWARD_SECRECY_README.html#dfn_fs">forward secrecy</a> see
20389the <a href="FORWARD_SECRECY_README.html#quick-start">Getting
20390started</a> section of <a
20391href="FORWARD_SECRECY_README.html">FORWARD_SECRECY_README</a>.  The
20392full document conveniently presents all information about Postfix
20393"perfect" forward secrecy support in one place: what forward secrecy
20394is, how to tweak settings, and what you can expect to see when
20395Postfix uses ciphers with forward secrecy.  </p>
20396
20397<p> This feature is available in Postfix 2.6 and later, when it is
20398compiled and linked with OpenSSL 1.0.0 or later on platforms where
20399EC algorithms have not been disabled by the vendor. </p>
20400
20401
20402</DD>
20403
20404<DT><b><a name="tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a>
20405(default: secp384r1)</b></DT><DD>
20406
20407<p> The elliptic curve used by the Postfix SMTP server for maximally
20408strong
20409ephemeral ECDH key exchange. This curve is used by the Postfix SMTP
20410server when "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = ultra". The phrase "maximally
20411strong" means approximately 192-bit security based on best known attacks.
20412This additional strength comes at a significant computational cost; most
20413users should instead set "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = strong".  The selected
20414curve must be implemented by OpenSSL (as reported by ecparam(1) with the
20415"-list_curves" option) and be one of the curves listed in Section 5.1.1
20416of <a href="https://tools.ietf.org/html/rfc8422">RFC 8422</a>. You should not generally change this setting.  Remote SMTP
20417client implementations must support this curve for EECDH key exchange
20418to take place.  It is unwise to choose only "bleeding-edge" curves
20419supported by only a small subset of clients. </p>
20420
20421<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
20422
20423<p> This default "ultra" curve is rated in NSA <a
20424href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
20425B</a> for information classified up to TOP SECRET. </p>
20426
20427<p> If you want to take maximal advantage of ciphers that offer <a
20428href="FORWARD_SECRECY_README.html#dfn_fs">forward secrecy</a> see
20429the <a href="FORWARD_SECRECY_README.html#quick-start">Getting
20430started</a> section of <a
20431href="FORWARD_SECRECY_README.html">FORWARD_SECRECY_README</a>.  The
20432full document conveniently presents all information about Postfix
20433"perfect" forward secrecy support in one place: what forward secrecy
20434is, how to tweak settings, and what you can expect to see when
20435Postfix uses ciphers with forward secrecy.  </p>
20436
20437<p> This feature is available in Postfix 2.6 and later, when it is
20438compiled and linked with OpenSSL 1.0.0 or later on platforms where
20439EC algorithms have not been disabled by the vendor. </p>
20440
20441
20442</DD>
20443
20444<DT><b><a name="tls_export_cipherlist">tls_export_cipherlist</a>
20445(default: see "postconf -d" output)</b></DT><DD>
20446
20447<p> The OpenSSL cipherlist for "export" or higher grade ciphers.
20448Ignored as of Postfix 3.8.  In earlier Postfix releases this
20449defined the meaning of the "export" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
20450<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>,
20451<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>, <a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and
20452<a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>.  You are strongly encouraged not to
20453change this setting.  </p>
20454
20455<p> This feature is available in Postfix 2.3 and later.  </p>
20456
20457
20458</DD>
20459
20460<DT><b><a name="tls_fast_shutdown_enable">tls_fast_shutdown_enable</a>
20461(default: yes)</b></DT><DD>
20462
20463<p> A workaround for implementations that hang Postfix while shutting
20464down a TLS session, until Postfix times out. With this enabled,
20465Postfix will not wait for the remote TLS peer to respond to a TLS
20466'close' notification. This behavior is recommended for TLSv1.0 and
20467later. </p>
20468
20469
20470</DD>
20471
20472<DT><b><a name="tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>
20473(default: see "postconf -d" output)</b></DT><DD>
20474
20475<p> The prioritized list of finite-field Diffie-Hellman ephemeral
20476(FFDHE) key exchange groups supported by the Postfix SMTP client and
20477server.  OpenSSL 3.0 adds support for FFDHE key agreement in TLS 1.3.
20478In OpenSSL 1.1.1, TLS 1.3 was only supported with elliptic-curve based
20479key agreement.  The "<a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a>" parameter makes it possible
20480to configure the list of FFDHE groups that the Postfix client or server
20481will enable in OpenSSL 3.0 and up.  This parameter has no effect when
20482Postfix is built against earlier OpenSSL versions. </p>
20483
20484<p> The default list of FFDHE groups that Postfix enables in OpenSSL 3.0
20485and up includes just the 2048 and 3072-bit groups.  Stronger FFDHE
20486groups perform poorly and EC groups are a much better choice for the
20487same security level.  Postfix ignores group names that are unknown to
20488OpenSSL, or that are known but not yet implemented.  The FFDHE groups
20489are largely a backup, in case some peer does not support EC key
20490exchange, or EC key exchange needs to be disabled for some pressing
20491reason. </p>
20492
20493<p> Setting this parameter empty disables FFDHE support in TLS 1.3.
20494Whether FFDHE key agreement is enabled in TLS 1.2 and earlier depends
20495on whether any of the "kDHE" ciphers are included in the cipherlist.
20496</p>
20497
20498<p> Conversely, setting "<a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a>" empty disables TLS 1.3
20499EC key agreement in OpenSSL 3.0 and later. If both are set empty,
20500Postfix will fall back to OpenSSL preferences as described next. </p>
20501
20502<p> Post-quantum cryptography support: OpenSSL 3.5 introduces new
20503configuration syntax that Postfix will not attempt to imitate.
20504Instead, with Postfix 3.6.17, 3.7.13, 3.8.8, 3.9.2, and later, set
20505both <a href="postconf.5.html#tls_eecdh_auto_curves">tls_eecdh_auto_curves</a> and <a href="postconf.5.html#tls_ffdhe_auto_groups">tls_ffdhe_auto_groups</a> to the empty
20506value, to enable algorithm selection through OpenSSL configuration.
20507See <a href="postconf.5.html#tls_config_file">tls_config_file</a> for a configuration example. </p>
20508
20509<p> All the default groups and EC curves should be sufficiently strong to make
20510"pruning" the defaults unwise.  At a minimum, "x25519" and "prime256v1" (the
20511OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC
20512curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups. </p>
20513
20514<p> This feature is available in Postfix 3.8 and later, when it is
20515compiled and linked with OpenSSL 3.0 or later. </p>
20516
20517
20518</DD>
20519
20520<DT><b><a name="tls_high_cipherlist">tls_high_cipherlist</a>
20521(default: see "postconf -d" output)</b></DT><DD>
20522
20523<p> The OpenSSL cipherlist for "high" grade ciphers. This defines
20524the meaning of the "high" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
20525<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>,
20526<a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly
20527encouraged not to change this setting.  </p>
20528
20529<p> This feature is available in Postfix 2.3 and later. </p>
20530
20531
20532</DD>
20533
20534<DT><b><a name="tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a>
20535(default: no)</b></DT><DD>
20536
20537<p> A temporary migration aid for sites that use certificate
20538<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use
20539an incorrect algorithm. This parameter has no effect on the certificate
20540fingerprint support that is available since Postfix 2.2. </p>
20541
20542<p> Specify "<a href="postconf.5.html#tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a> = yes" temporarily,
20543pending a migration from configuration files with incorrect Postfix
205442.9.0..2.9.5 certificate public-key fingerprints, to the correct
20545fingerprints used by Postfix 2.9.6 and later.  To compute the correct
20546certificate public-key fingerprints, see <a href="TLS_README.html">TLS_README</a>. </p>
20547
20548<p> This feature is available in Postfix 2.9.6 and later.  </p>
20549
20550
20551</DD>
20552
20553<DT><b><a name="tls_low_cipherlist">tls_low_cipherlist</a>
20554(default: see "postconf -d" output)</b></DT><DD>
20555
20556<p> The OpenSSL cipherlist for "low" or higher grade ciphers.
20557Ignored as of Postfix 3.8.  In earlier Postfix releases this
20558defined the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
20559<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>,
20560<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>, <a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and
20561<a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly encouraged not to
20562change this setting.  </p>
20563
20564<p> This feature is available in Postfix 2.3 and later.  </p>
20565
20566
20567</DD>
20568
20569<DT><b><a name="tls_medium_cipherlist">tls_medium_cipherlist</a>
20570(default: see "postconf -d" output)</b></DT><DD>
20571
20572<p> The OpenSSL cipherlist for "medium" or higher grade ciphers. This
20573defines the meaning of the "medium" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
20574<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>,
20575<a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>.  This is the
20576default cipherlist for mandatory TLS encryption in the TLS client
20577(with anonymous ciphers disabled when verifying server certificates).
20578This is the default cipherlist for opportunistic TLS with Postfix
20579releases after the middle of 2015.  You are strongly encouraged not
20580to change this setting.  </p>
20581
20582<p> This feature is available in Postfix 2.3 and later. </p>
20583
20584
20585</DD>
20586
20587<DT><b><a name="tls_null_cipherlist">tls_null_cipherlist</a>
20588(default: eNULL:!aNULL)</b></DT><DD>
20589
20590<p> The OpenSSL cipherlist for "NULL" grade ciphers that provide
20591authentication without encryption. This defines the meaning of the "null"
20592setting in <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
20593<a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>.  You are strongly encouraged not to
20594change this setting. </p>
20595
20596<p> This feature is available in Postfix 2.3 and later. </p>
20597
20598
20599</DD>
20600
20601<DT><b><a name="tls_preempt_cipherlist">tls_preempt_cipherlist</a>
20602(default: no)</b></DT><DD>
20603
20604<p> With SSLv3 and later, use the Postfix SMTP server's cipher
20605preference order instead of the remote client's cipher preference
20606order. </p>
20607
20608<p> By default, the OpenSSL server selects the client's most preferred
20609cipher that the server supports. With SSLv3 and later, the server may
20610choose its own most preferred cipher that is supported (offered) by
20611the client. Setting "<a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> = yes" enables server cipher
20612preferences. </p>
20613
20614<p> While server cipher selection may in some cases lead to a more secure
20615or performant cipher choice, there is some risk of interoperability
20616issues. In the past, some SSL clients have listed lower priority ciphers
20617that they did not implement correctly. If the server chooses a cipher
20618that the client prefers less, it may select a cipher whose client
20619implementation is flawed. Most notably Windows 2003 Microsoft
20620Exchange servers have flawed implementations of DES-CBC3-SHA, which
20621OpenSSL considers stronger than RC4-SHA.  Enabling server cipher-suite
20622selection may create interoperability issues with Windows 2003
20623Microsoft Exchange clients.  </p>
20624
20625<p> This feature is available in Postfix 2.8 and later, in combination
20626with OpenSSL 0.9.7 and later. </p>
20627
20628
20629</DD>
20630
20631<DT><b><a name="tls_random_bytes">tls_random_bytes</a>
20632(default: 32)</b></DT><DD>
20633
20634<p> The number of bytes that <a href="tlsmgr.8.html">tlsmgr(8)</a> reads from $<a href="postconf.5.html#tls_random_source">tls_random_source</a>
20635when (re)seeding the in-memory pseudo random number generator (PRNG)
20636pool. The default of 32 bytes (256 bits) is good enough for 128-bit
20637symmetric keys.  If using EGD or a device file, a maximum of 255
20638bytes is read. </p>
20639
20640<p> This feature is available in Postfix 2.2 and later.  </p>
20641
20642
20643</DD>
20644
20645<DT><b><a name="tls_random_exchange_name">tls_random_exchange_name</a>
20646(default: see "postconf -d" output)</b></DT><DD>
20647
20648<p> Name of the pseudo random number generator (PRNG) state file
20649that is maintained by <a href="tlsmgr.8.html">tlsmgr(8)</a>. The file is created when it does
20650not exist, and its length is fixed at 1024 bytes.  </p>
20651
20652<p> As of version 2.5, Postfix no longer uses root privileges when
20653opening this file, and the default file location was changed from
20654${<a href="postconf.5.html#config_directory">config_directory</a>}/prng_exch to ${<a href="postconf.5.html#data_directory">data_directory</a>}/prng_exch.  As
20655a migration aid, an attempt to open the file under a non-Postfix
20656directory is redirected to the Postfix-owned <a href="postconf.5.html#data_directory">data_directory</a>, and a
20657warning is logged. </p>
20658
20659<p> This feature is available in Postfix 2.2 and later.  </p>
20660
20661
20662</DD>
20663
20664<DT><b><a name="tls_random_prng_update_period">tls_random_prng_update_period</a>
20665(default: 3600s)</b></DT><DD>
20666
20667<p> The time between attempts by <a href="tlsmgr.8.html">tlsmgr(8)</a> to save the state of
20668the pseudo random number generator (PRNG) to the file specified
20669with $<a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a>.  </p>
20670
20671<p> Specify a non-zero time value (an integral value plus an optional
20672one-letter suffix that specifies the time unit).  Time units: s
20673(seconds), m (minutes), h (hours), d (days), w (weeks).
20674The default time unit is s (seconds).  </p>
20675
20676<p> This feature is available in Postfix 2.2 and later.  </p>
20677
20678
20679</DD>
20680
20681<DT><b><a name="tls_random_reseed_period">tls_random_reseed_period</a>
20682(default: 3600s)</b></DT><DD>
20683
20684<p> The maximal time between attempts by <a href="tlsmgr.8.html">tlsmgr(8)</a> to re-seed the
20685in-memory pseudo random number generator (PRNG) pool from external
20686sources.  The actual time between re-seeding attempts is calculated
20687using the PRNG, and is between 0 and the time specified.  </p>
20688
20689<p> Specify a non-zero time value (an integral value plus an optional
20690one-letter suffix that specifies the time unit).  Time units: s
20691(seconds), m (minutes), h (hours), d (days), w (weeks).
20692The default time unit is s (seconds).  </p>
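<p> The time-value syntax shared by tls_random_prng_update_period and tls_random_reseed_period, and the re-seed scheduling rule stated above, as an added example (not tlsmgr(8) code).  The unit letters, the default unit of seconds and the non-zero requirement are as documented above; the delay being a PRNG-chosen value between 0 and the configured maximum is from the tls_random_reseed_period description.  The injectable <code>rand</code> argument is this example's device for making the bound testable. </p>

```python
"""Parse Postfix time values ("3600s", "1h", "2d", bare "45") and derive the
next re-seed delay in the way the tls_random_reseed_period description states.

Added example; not Postfix code.  Unit letters, default unit and the
non-zero requirement follow the parameter descriptions; `rand` is injectable
only so the [0, max] bound can be checked deterministically.
"""
import re
import secrets
from typing import Callable

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# An integral value plus an optional one-letter unit suffix.
_TIME = re.compile(r"^(\d+)([smhdw])?$")


def parse_time_value(value: str, default_unit: str = "s") -> int:
    """Return the number of seconds for a Postfix time value; reject zero
    and malformed input, since both parameters require a non-zero value."""
    m = _TIME.match(value.strip())
    if not m:
        raise ValueError(f"malformed time value: {value!r}")
    seconds = int(m.group(1)) * _UNITS[m.group(2) or default_unit]
    if seconds == 0:
        raise ValueError(f"time value must be non-zero: {value!r}")
    return seconds


def next_reseed_delay(max_seconds: int,
                      rand: Callable[[int], int] = secrets.randbelow) -> int:
    """Delay until the next re-seed attempt: a PRNG-chosen value in
    [0, max_seconds], so attempts are not predictable to the second."""
    if max_seconds <= 0:
        raise ValueError("maximum must be positive")
    return rand(max_seconds + 1)


if __name__ == "__main__":
    limit = parse_time_value("3600s")
    print(f"max {limit}s, next re-seed in {next_reseed_delay(limit)}s")
```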
20693
20694<p> This feature is available in Postfix 2.2 and later.  </p>
20695
20696
20697</DD>
20698
20699<DT><b><a name="tls_random_source">tls_random_source</a>
20700(default: see "postconf -d" output)</b></DT><DD>
20701
20702<p> The external entropy source for the in-memory <a href="tlsmgr.8.html">tlsmgr(8)</a> pseudo
20703random number generator (PRNG) pool. Be sure to specify a non-blocking
20704source.  If this source is not a regular file, the entropy source
20705type must be prepended:  egd:/path/to/egd_socket for a source with
20706EGD compatible socket interface, or dev:/path/to/device for a
20707device file.  </p>
20708
20709<p> Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
20710gives timeout errors.  </p>
20711
20712<p> This feature is available in Postfix 2.2 and later.  </p>
20713
20714
20715</DD>
20716
20717<DT><b><a name="tls_required_enable">tls_required_enable</a>
20718(default: yes)</b></DT><DD>
20719
20720<p> Enable support for the "TLS-Required: no" message header, defined
20721in <a href="https://tools.ietf.org/html/rfc8689">RFC 8689</a>. By adding this header to a message, a sender requests
20722no enforcement of TLS policy. This limits the Postfix SMTP client
20723TLS security level to "may", that is, do not verify remote SMTP
20724server certificates, and fall back to plaintext if TLS is unavailable.
20725If a message contains a "TLS-Required: no" header, then Postfix
20726will add that header to a delivery status notification for that
20727message. </p>
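<p> The effect of the "TLS-Required: no" header described above, as an added example rather than Postfix's own code.  What it takes from the description: with the feature enabled, the header limits the SMTP client security level to "may", and the header is copied into a delivery status notification for that message.  The weakest-to-strongest ordering of security levels used to decide what "limit to may" means, the case-insensitive comparison of the header value, and the sample message and bounce are this example's assumptions. </p>

```python
"""Apply a sender's "TLS-Required: no" header (RFC 8689) to the Postfix SMTP
client TLS security level and propagate it into a delivery status
notification, as the tls_required_enable description states.

Added example; not Postfix code.  Assumed here: the ordering of security
levels, case-insensitive matching of the header value, and the constructed
sample message and DSN.
"""
from email import message_from_string
from email.message import EmailMessage, Message

# Assumed ordering of smtp_tls_security_level values, weakest first.
_LEVEL_RANK = ["none", "may", "encrypt", "dane", "dane-only",
               "fingerprint", "verify", "secure"]

# Constructed sample message carrying the RFC 8689 header.
SAMPLE_MESSAGE = """\
From: alice@example.org
To: bob@example.net
Subject: constructed sample
TLS-Required: no

Please deliver even if TLS is unavailable.
"""


def requests_no_tls(msg: Message) -> bool:
    """True when the message carries "TLS-Required: no"; any other value or
    a missing header leaves the configured policy in force."""
    value = msg.get("TLS-Required")
    return value is not None and value.strip().lower() == "no"


def effective_security_level(policy_level: str, msg: Message,
                             tls_required_enable: bool = True) -> str:
    """Cap the configured level at "may" when the sender opted out of TLS
    enforcement and the feature is enabled.  "none" is already below "may"
    and is left unchanged."""
    if policy_level not in _LEVEL_RANK:
        raise ValueError(f"unknown TLS security level {policy_level!r}")
    if not tls_required_enable or not requests_no_tls(msg):
        return policy_level
    if _LEVEL_RANK.index(policy_level) > _LEVEL_RANK.index("may"):
        return "may"
    return policy_level


def build_dsn(original: Message, reason: str) -> EmailMessage:
    """Build a minimal bounce and carry the "TLS-Required: no" header over
    from the original message when it was present."""
    dsn = EmailMessage()
    dsn["From"] = "MAILER-DAEMON@mx.example.net"   # constructed address
    dsn["To"] = original.get("From", "")
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    if requests_no_tls(original):
        dsn["TLS-Required"] = "no"
    dsn.set_content(reason)
    return dsn


if __name__ == "__main__":
    msg = message_from_string(SAMPLE_MESSAGE)
    for level in ("verify", "encrypt", "may", "none"):
        print(f"{level:8} -> {effective_security_level(level, msg)}")
    print(build_dsn(msg, "TLS unavailable at remote host (constructed reason)"))
```

<p> Operationally this means a sender can only weaken policy for its own message, down to opportunistic TLS; it cannot raise it, and setting tls_required_enable to "no" makes the header inert. </p>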
20728
20729<p> This feature is available in Postfix &ge; 3.10. </p>
20730
20731
20732</DD>
20733
20734<DT><b><a name="tls_server_sni_maps">tls_server_sni_maps</a>
20735(default: empty)</b></DT><DD>
20736
20737<p> Optional lookup tables that map names received from remote SMTP
20738clients via the TLS Server Name Indication (SNI) extension to the
20739appropriate keys and certificate chains.  This parameter is implemented
20740in the Postfix TLS library, and applies to both <a href="smtpd.8.html">smtpd(8)</a> and the SMTP
20741server mode of <a href="tlsproxy.8.html">tlsproxy(8)</a>. </p>
20742
20743<p> When this parameter is non-empty, the Postfix SMTP server enables
20744SNI extension processing, and logs SNI values that are invalid or
20745don't match an entry in the specified tables.  When an entry
20746does match, the SNI name is logged as part of the connection summary
20747at log levels 1 and higher.  </p>
20748
20749<p> The lookup key is either the verbatim SNI domain name or an
20750ancestor domain prefixed with a leading dot.  For internationalized
20751domains, the lookup key must be in IDNA 2008 A-label form (as
20752required in the TLS SNI extension). </p>
20753
20754<p> The syntax of the lookup value is the same as with the
20755<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> parameter (see there for additional details),
20756but here scoped to just TLS connections in which the client sends
20757a matching SNI domain name. </p>
20758
20759<p> Example: </p>
20760<blockquote>
20761<pre>
20762/etc/postfix/<a href="postconf.5.html">main.cf</a>:
20763    #
20764    # The indexed SNI table must be created with "postmap -F"
20765    #
20766    indexed = ${<a href="postconf.5.html#default_database_type">default_database_type</a>}:${<a href="postconf.5.html#config_directory">config_directory</a>}/
20767    <a href="postconf.5.html#tls_server_sni_maps">tls_server_sni_maps</a> = ${indexed}sni
20768</pre>
20769</blockquote>
20770
20771<blockquote>
20772<pre>
20773/etc/postfix/sni:
20774    #
20775    # The example.com domain has both an RSA and ECDSA certificate
20776    # chain.  The chain files MUST start with the private key,
20777    # with the certificate chain next, starting with the leaf
20778    # (server) certificate, and then the issuer certificates.
20779    #
20780    example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
20781                /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
20782    #
20783    # The example.net domain has a wildcard certificate, and two
20784    # additional DNS names.  So its certificate chain is also used
20785    # with any subdomain, plus the additional names.
20786    #
20787    example.net /etc/postfix/sni-chains/example.net.pem
20788    .example.net /etc/postfix/sni-chains/example.net.pem
20789    example.info /etc/postfix/sni-chains/example.net.pem
20790    example.org /etc/postfix/sni-chains/example.net.pem
20791</pre>
20792</blockquote>
20793
20794<p> Note that the SNI lookup tables should also have entries for
20795the domains that correspond to the Postfix SMTP server's default
20796certificate(s). This ensures that the remote SMTP client's TLS SNI
20797extension gets a positive response when it specifies one of the
20798Postfix SMTP server's <a href="ADDRESS_CLASS_README.html#default_domain_class">default domains</a>, and ensures that the Postfix
20799SMTP server will not log an SNI name mismatch for such a domain.
20800The Postfix SMTP server's default certificates are then only used
20801when the client sends no SNI or when it sends SNI with a domain
20802that the server knows no certificate(s) for. </p>
20803
20804<p> The mapping from an SNI domain name to a certificate chain is indirect.  In
20805the input source files for "cdb", "hash", "btree" or other tables that are
20806converted to on-disk indexed files via <a href="postmap.1.html">postmap(1)</a>, the value specified for each
20807key is a list of filenames.  When <a href="postmap.1.html">postmap(1)</a> is used with the <b>-F</b> option,
20808the generated table stores for each lookup key the base64-encoded contents of
20809the associated files.  When querying tables via <b>postmap -Fq</b>, the table
20810value is decoded from base64, yielding the original file content, plus a new
20811line. </p>
20812
20813<p> With "regexp", "pcre", "inline", "texthash", "static" and similar
20814tables that are interpreted at run-time, and don't have a separate
20815source format, the table value is again a list of files that are loaded
20816into memory when the table is opened.  </p>
20817
20818<p> With tables whose content is managed outside of Postfix, such
20819as LDAP, MySQL, PostgreSQL, socketmap and tcp, the value must be a
20820concatenation of the desired PEM keys and certificate chains that
20821is then further encoded to yield a single-line base64 string.
20822Creation of such tables and secure storage (the value includes
20823private key material) are outside the responsibility of Postfix.  </p>
20824
20825<p> With "socketmap" and "tcp" the data will be transmitted in the clear, and
20826there is no query access control, so these are generally unsuitable for storing
20827SNI chains.  With LDAP and SQL, you should restrict read access and use TLS to
20828protect the sensitive data in transit.  </p>
20829
20830<p> Typically there is only one private key and its chain of certificates
20831starting with the "leaf" certificate corresponding to that key, and
20832continuing with the appropriate intermediate issuer CA certificates,
20833with each certificate ideally followed by its issuer.  Servers
20834that have keys and certificates for more than one algorithm (e.g.
20835both an RSA key and an ECDSA key, or even RSA, ECDSA and Ed25519)
20836can use multiple chains concatenated together, with the key always
20837listed before the corresponding certificates. </p>
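<p> The two rules above (a single-line base64 value for externally
managed tables, and each private key listed before its own certificate
chain) can be checked before a value is loaded into LDAP or SQL.  The
following is an added example, not Postfix code: the PEM blocks are
constructed placeholders whose bodies are not real key material, and
the checks look only at the BEGIN/END labels and their order. </p>

```python
import base64
import re

# Constructed placeholder PEM blocks (NOT real key material): the helpers
# below only look at the BEGIN/END labels and at the order of the blocks.
RSA_KEY = b"-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVItUlNBLUtFWQ==\n-----END PRIVATE KEY-----\n"
RSA_LEAF = b"-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVItUlNBLUxFQUY=\n-----END CERTIFICATE-----\n"
RSA_ISSUER = b"-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVItUlNBLUlTU1VFUg==\n-----END CERTIFICATE-----\n"
EC_KEY = b"-----BEGIN EC PRIVATE KEY-----\nUExBQ0VIT0xERVItRUMtS0VZ\n-----END EC PRIVATE KEY-----\n"
EC_LEAF = b"-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVItRUMtTEVBRg==\n-----END CERTIFICATE-----\n"

# One PEM block: "-----BEGIN <label>-----", body, "-----END <label>-----".
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----\r?\n?", re.DOTALL)


def encode_sni_value(pem_files: list[bytes]) -> str:
    """Build the value for an externally managed SNI table (LDAP, SQL, ...):
    concatenate the PEM files in order and base64-encode the result as a
    single line, as the text above requires."""
    return base64.b64encode(b"".join(pem_files)).decode("ascii")


def decode_sni_value(value: str) -> bytes:
    """Reverse of encode_sni_value().  A value containing whitespace is not
    a single base64 line and is rejected; invalid base64 raises too."""
    if any(c.isspace() for c in value):
        raise ValueError("SNI table value must be a single base64 line")
    return base64.b64decode(value, validate=True)  # binascii.Error is a ValueError


def check_chain_order(pem: bytes) -> list[int]:
    """Verify the ordering rule for a decoded SNI value: every chain starts
    with a private key, followed by its leaf certificate and then any issuer
    certificates; several chains (e.g. RSA and ECDSA) may follow each other.
    Returns the number of certificates per chain, or raises ValueError
    describing the first ordering problem found."""
    blocks = PEM_BLOCK.findall(pem)
    if not blocks:
        raise ValueError("no PEM blocks found")
    # Anything left over outside recognized PEM blocks means the value is corrupt.
    if PEM_BLOCK.sub(b"", pem).strip():
        raise ValueError("non-PEM data between blocks")
    chains: list[int] = []
    for label, _body in blocks:
        if label.endswith(b"PRIVATE KEY"):
            if chains and chains[-1] == 0:
                raise ValueError("private key not followed by a certificate")
            chains.append(0)            # start a new chain for this key
        elif label == b"CERTIFICATE":
            if not chains:
                raise ValueError("certificate listed before its private key")
            chains[-1] += 1
        else:
            raise ValueError(f"unexpected PEM block type {label.decode()}")
    if chains[-1] == 0:
        raise ValueError("private key not followed by a certificate")
    return chains


def chain_summary(pem_files: list[bytes]) -> list[int]:
    """Round trip: encode as for an external table, decode, check the order."""
    return check_chain_order(decode_sni_value(encode_sni_value(pem_files)))


def is_valid_sni_value(value: str) -> bool:
    """True when a stored table value decodes to correctly ordered chains."""
    try:
        check_chain_order(decode_sni_value(value))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Two chains: RSA key + leaf + issuer, then an EC key + leaf.
    print(chain_summary([RSA_KEY, RSA_LEAF, RSA_ISSUER, EC_KEY, EC_LEAF]))  # [2, 1]
```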
20838
20839<p> This feature is available in Postfix 3.4 and later.  </p>
20840
20841
20842</DD>
20843
20844<DT><b><a name="tls_session_ticket_cipher">tls_session_ticket_cipher</a>
20845(default: Postfix &ge; 3.0: aes-256-cbc, Postfix &lt; 3.0: aes-128-cbc)</b></DT><DD>
20846
20847<p> Algorithm used to encrypt <a href="https://tools.ietf.org/html/rfc5077">RFC5077</a> TLS session tickets.  This
20848algorithm must use CBC mode, have a 128-bit block size, and must
20849have a key length between 128 and 256 bits.  The default is
20850aes-256-cbc.  Overriding the default to choose a different algorithm
20851is discouraged.  </p>
20852
20853<p> Setting this parameter empty disables session ticket support
20854in the Postfix SMTP server.  Another way to disable session ticket
20855support is via the <a href="postconf.5.html#tls_ssl_options">tls_ssl_options</a> parameter.  </p>
20856
20857<p> This feature is available in Postfix 3.0 and later. </p>
20858
20859
20860</DD>
20861
20862<DT><b><a name="tls_ssl_options">tls_ssl_options</a>
20863(default: empty)</b></DT><DD>
20864
20865<p> List or bit-mask of OpenSSL options to enable. </p>
20866
20867<p> The OpenSSL toolkit provides a set of options that applications
20868can enable to tune the OpenSSL behavior.  Some of these work around
20869bugs in other implementations and are on by default.  You can use
20870the <a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> parameter to selectively disable some
20871or all of the bug work-arounds, making OpenSSL more strict at the
20872cost of non-interoperability with SSL clients or servers that exhibit
20873the bugs.  </p>
20874
20875<p> Other options are off by default, and typically enable or disable
20876features rather than bug work-arounds.  These may be turned on (with
20877care) via the <a href="postconf.5.html#tls_ssl_options">tls_ssl_options</a> parameter.  The value is a white-space
20878or comma separated list of named options chosen from the list below.
The names are not case-sensitive; you can use lower-case if you
prefer.  The upper case values below match the corresponding macro
name in the ssl.h header file with the SSL_OP_ prefix removed.  It
is possible that your OpenSSL version includes new options added
after your Postfix source code was last updated; in that case you
can only enable one of these via the hexadecimal syntax below.  </p>
20885
20886<p> You should only enable features via the hexadecimal mask when
20887the need to control the feature is critical (to deal with a new
20888vulnerability or a serious interoperability problem).  Postfix DOES
20889NOT promise backwards compatible behavior with respect to the mask
20890bits.  A feature enabled via the mask in one release may be enabled
20891by other means in a later release, and the mask bit will then be
20892ignored.  Therefore, use of the hexadecimal mask is only a temporary
20893measure until a new Postfix or OpenSSL release provides a better
20894solution.  </p>
20895
20896<p> If the value of the parameter is a hexadecimal long integer
20897starting with "0x", the options corresponding to the bits specified
20898in its value are enabled (see openssl/ssl.h and SSL_CTX_set_options(3)).
20899You can only enable options not already controlled by other Postfix
20900settings.  For example, you cannot disable protocols or enable
server cipher preference.  Do not attempt to enable all features by
specifying 0xFFFFFFFF; this is unlikely to be a good idea.  Some
20903bug work-arounds are also valid here, allowing them to be re-enabled
20904if/when they're no longer enabled by default.  The supported values
20905include: </p>
20906
20907<dl>
20908
20909<dt><b>ENABLE_MIDDLEBOX_COMPAT</b></dt> <dd>Postfix &ge; 3.4. See
20910SSL_CTX_set_options(3).</dd>
20911
20912<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3).</dd>
20913
20914<dt><b>NO_TICKET</b></dt> <dd>Enabled by default when needed in
20915fully-patched Postfix &ge; 2.7.  Not needed at all for Postfix &ge;
209162.11, unless for some reason you do not want to support TLS session
20917resumption.  Best not set explicitly.  See SSL_CTX_set_options(3).</dd>
20918
20919<dt><b>NO_COMPRESSION</b></dt> <dd>Disable SSL compression even if
20920supported by the OpenSSL library.  Compression is CPU-intensive,
20921and compression before encryption does not always improve security.  </dd>
20922
20923<dt><b>NO_RENEGOTIATION</b></dt> <dd>Postfix &ge; 3.4.  This can
20924reduce opportunities for a potential CPU exhaustion attack.  See
20925SSL_CTX_set_options(3).</dd>
20926
20927<dt><b>NO_SESSION_RESUMPTION_ON_RENEGOTIATION</b></dt> <dd>Postfix
20928&ge; 3.4. See SSL_CTX_set_options(3).</dd>
20929
20930<dt><b>PRIORITIZE_CHACHA</b></dt> <dd>Postfix &ge; 3.4. See SSL_CTX_set_options(3).</dd>
20931
20932</dl>
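<p> The two accepted syntaxes (a case-insensitive name list, or one
"0x" hexadecimal mask) and the "name unknown to this build" case can
be exercised with the following added example; it is not Postfix code.
Python's <b>ssl</b> module is used as a stand-in for ssl.h, since it
exposes the same SSL_OP_ bits as the OpenSSL it was built against, so a
documented name that this build lacks is reported as unknown, which is
exactly the situation in which only the hexadecimal syntax works. </p>

```python
import ssl

# The option names documented for tls_ssl_options (SSL_OP_ prefix removed).
DOCUMENTED_NAMES = (
    "ENABLE_MIDDLEBOX_COMPAT", "LEGACY_SERVER_CONNECT", "NO_TICKET",
    "NO_COMPRESSION", "NO_RENEGOTIATION",
    "NO_SESSION_RESUMPTION_ON_RENEGOTIATION", "PRIORITIZE_CHACHA",
)


def known_option_bits() -> dict[str, int]:
    """Name -> SSL_OP_ bit for the documented names that this Python/OpenSSL
    build knows about (ssl.OP_<NAME>); names the build lacks are left out."""
    bits = {}
    for name in DOCUMENTED_NAMES:
        value = getattr(ssl, "OP_" + name, None)
        if value is not None:
            bits[name] = int(value)
    return bits


def parse_tls_ssl_options(value: str) -> int:
    """Turn a tls_ssl_options value into the mask that SSL_CTX_set_options()
    would receive: either one hexadecimal long integer starting with "0x",
    or a white-space/comma separated list of option names compared
    case-insensitively.  An unknown name raises ValueError, the case in
    which the documentation says to fall back to the hexadecimal syntax."""
    value = value.strip()
    if not value:
        return 0                            # empty value: enable nothing extra
    if value.lower().startswith("0x"):
        return int(value, 16)               # raw mask, used as-is
    known = known_option_bits()
    mask = 0
    for name in value.replace(",", " ").split():
        upper = name.upper()
        if upper not in known:
            raise ValueError(
                f"{name}: not a known option name; if your OpenSSL has it, "
                f"use the 0x... mask syntax instead")
        mask |= known[upper]
    return mask


def describe_mask(mask: int) -> tuple[list[str], int]:
    """Audit helper for a hexadecimal mask found in main.cf: split it into
    the documented names it covers and the leftover bits that no documented
    name explains (candidates for review when upgrading Postfix/OpenSSL)."""
    names = []
    rest = mask
    for name, bit in known_option_bits().items():
        if bit and (mask & bit) == bit:
            names.append(name)
            rest &= ~bit
    return sorted(names), rest


if __name__ == "__main__":
    m = parse_tls_ssl_options("no_ticket, NO_COMPRESSION")
    print(hex(m), describe_mask(m))
```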
20933
20934<p> This feature is available in Postfix 2.11 and later.  </p>
20935
20936
20937</DD>
20938
20939<DT><b><a name="tls_wildcard_matches_multiple_labels">tls_wildcard_matches_multiple_labels</a>
20940(default: yes)</b></DT><DD>
20941
20942<p> Match multiple DNS labels with "*" in wildcard certificates.
20943</p>
20944
20945<p> Some mail service providers prepend the customer domain name
20946to a base domain for which they have a wildcard TLS certificate.
20947For example, the MX records for example.com hosted by example.net
20948may be: </p>
20949
20950<blockquote>
20951<pre>
20952example.com. IN MX 0 example.com.mx1.example.net.
20953example.com. IN MX 0 example.com.mx2.example.net.
20954</pre>
20955</blockquote>
20956
20957<p> and the TLS certificate may be for "*.example.net". The "*"
20958then corresponds with multiple labels in the mail server domain
20959name.  While multi-label wildcards are not widely supported, and
20960are not blessed by any standard, there is little to be gained by
20961disallowing their use in this context.  </p>
20962
<p> Notes: </p>
20964
20965<ul>
20966
20967<li> <p> In a certificate name, the "*" is special only when it is
20968used as the first label. </p>
20969
20970<li> <p> While Postfix (2.11 or later) can match "*" with multiple
20971domain name labels, other implementations likely will not.  </p>
20972
20973<li> <p> Earlier Postfix implementations behave as if
20974"<a href="postconf.5.html#tls_wildcard_matches_multiple_labels">tls_wildcard_matches_multiple_labels</a> = no". </p>
20975
20976</ul>
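<p> The matching rule described above, as an added example that is not
Postfix's own implementation: only a leading label that is exactly "*"
is a wildcard, other labels compare literally, and the yes/no setting
decides whether the "*" may cover more than one label of the mail server
name.  The treatment of a bare "*" as matching nothing is an assumption
of this example. </p>

```python
def wildcard_match(cert_name: str, host_name: str,
                   multiple_labels: bool = True) -> bool:
    """Match a mail server name against a certificate name.  With
    multiple_labels=True the leading "*" may stand in for one or more DNS
    labels (tls_wildcard_matches_multiple_labels = yes); with False it
    stands in for exactly one label ("= no", and Postfix before 2.11).
    DNS names compare case-insensitively; a trailing dot is ignored."""
    cert = cert_name.lower().rstrip(".").split(".")
    host = host_name.lower().rstrip(".").split(".")
    if cert[0] != "*":
        return cert == host                 # no leading "*": exact match only
    suffix = cert[1:]                       # the fixed labels after the "*"
    n = len(suffix)
    if n == 0:
        return False                        # bare "*": matches nothing (assumption)
    # The host must end with the fixed labels and have at least one extra
    # label for the "*" to cover.
    if len(host) <= n or host[-n:] != suffix:
        return False
    covered = len(host) - n                 # labels the "*" stands in for
    return covered == 1 or multiple_labels


if __name__ == "__main__":
    # The MX example from the text: the customer domain is prepended to the
    # provider's base domain, so "*" covers three labels.
    for setting in (True, False):
        print(setting, wildcard_match("*.example.net",
                                      "example.com.mx1.example.net", setting))
```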
20977
20978<p> This feature is available in Postfix 2.11 and later.  </p>
20979
20980
20981</DD>
20982
20983<DT><b><a name="tlsmgr_service_name">tlsmgr_service_name</a>
20984(default: tlsmgr)</b></DT><DD>
20985
20986<p> The name of the <a href="tlsmgr.8.html">tlsmgr(8)</a> service entry in <a href="master.5.html">master.cf</a>. This
20987service maintains TLS session caches and other information in support
20988of TLS. </p>
20989
20990<p> This feature is available in Postfix 2.11 and later. </p>
20991
20992
20993</DD>
20994
20995<DT><b><a name="tlsproxy_client_CAfile">tlsproxy_client_CAfile</a>
20996(default: $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a>)</b></DT><DD>
20997
20998<p> A file containing CA certificates of root CAs trusted to sign
20999either remote TLS server certificates or intermediate CA certificates.
21000See <a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> for further details. </p>
21001
21002<p> This feature is available in Postfix 3.4 and later. </p>
21003
21004
21005</DD>
21006
21007<DT><b><a name="tlsproxy_client_CApath">tlsproxy_client_CApath</a>
21008(default: $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a>)</b></DT><DD>
21009
21010<p> Directory with PEM format Certification Authority certificates
21011that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client uses to verify a remote TLS
21012server certificate. See <a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> for further details. </p>
21013
21014<p> This feature is available in Postfix 3.4 and later. </p>
21015
21016
21017</DD>
21018
21019<DT><b><a name="tlsproxy_client_cert_file">tlsproxy_client_cert_file</a>
21020(default: $<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b></DT><DD>
21021
21022<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client RSA certificate in PEM
21023format. See <a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> for further details.  The preferred way
21024to configure tlsproxy client keys and certificates is via the
21025"<a href="postconf.5.html#tlsproxy_client_chain_files">tlsproxy_client_chain_files</a>" parameter. </p>
21026
21027<p> This feature is available in Postfix 3.4 and later. </p>
21028
21029
21030</DD>
21031
21032<DT><b><a name="tlsproxy_client_chain_files">tlsproxy_client_chain_files</a>
21033(default: $<a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a>)</b></DT><DD>
21034
21035<p> Files with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client keys and certificate
21036chains in PEM format. See <a href="postconf.5.html#smtp_tls_chain_files">smtp_tls_chain_files</a> for further details. </p>
21037
21038<p> This feature is available in Postfix 3.4 and later. </p>
21039
21040
21041</DD>
21042
21043<DT><b><a name="tlsproxy_client_dcert_file">tlsproxy_client_dcert_file</a>
21044(default: $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b></DT><DD>
21045
21046<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client DSA certificate in PEM
21047format. See <a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> for further details. DSA is obsolete and
21048should not be used. </p>
21049
21050<p> This feature is available in Postfix 3.4 and later. </p>
21051
21052
21053</DD>
21054
21055<DT><b><a name="tlsproxy_client_dkey_file">tlsproxy_client_dkey_file</a>
21056(default: $<a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a>)</b></DT><DD>
21057
21058<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client DSA private key in PEM
21059format. See <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> for further details. DSA is obsolete and
21060should not be used. </p>
21061
21062<p> This feature is available in Postfix 3.4 and later. </p>
21063
21064
21065</DD>
21066
21067<DT><b><a name="tlsproxy_client_eccert_file">tlsproxy_client_eccert_file</a>
21068(default: $<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b></DT><DD>
21069
21070<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client ECDSA certificate in PEM
21071format. See <a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> for further details. The preferred way
21072to configure tlsproxy client keys and certificates is via the
21073"<a href="postconf.5.html#tlsproxy_client_chain_files">tlsproxy_client_chain_files</a>" parameter. </p>
21074
21075<p> This feature is available in Postfix 3.4 and later. </p>
21076
21077
21078</DD>
21079
21080<DT><b><a name="tlsproxy_client_eckey_file">tlsproxy_client_eckey_file</a>
21081(default: $<a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a>)</b></DT><DD>
21082
21083<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client ECDSA private key in PEM
21084format. See <a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> for further details.  The preferred way
21085to configure tlsproxy client keys and certificates is via the
21086"<a href="postconf.5.html#tlsproxy_client_chain_files">tlsproxy_client_chain_files</a>" parameter. </p>
21087
21088<p> This feature is available in Postfix 3.4 and later. </p>
21089
21090
21091</DD>
21092
21093<DT><b><a name="tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a>
21094(default: $<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b></DT><DD>
21095
21096<p> Enforcement mode: require that SMTP servers use TLS encryption.
21097See <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> for further details. Use
21098<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
21099
21100<p> This feature is deprecated as of Postfix 3.9. Specify
21101<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
21102
21103<p> This feature is available in Postfix 3.4 and later. </p>
21104
21105
21106</DD>
21107
21108<DT><b><a name="tlsproxy_client_fingerprint_digest">tlsproxy_client_fingerprint_digest</a>
21109(default: $<a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a>)</b></DT><DD>
21110
21111<p> The message digest algorithm used to construct remote TLS server
21112certificate fingerprints. See <a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> for
21113further details. </p>
21114
21115<p> This feature is available in Postfix 3.4 and later. </p>
21116
21117
21118</DD>
21119
21120<DT><b><a name="tlsproxy_client_key_file">tlsproxy_client_key_file</a>
21121(default: $<a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a>)</b></DT><DD>
21122
21123<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client RSA private key in PEM
21124format. See <a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> for further details. The preferred way to
21125configure tlsproxy client keys and certificates is via the
21126"<a href="postconf.5.html#tlsproxy_client_chain_files">tlsproxy_client_chain_files</a>" parameter. </p>
21127
21128<p> This feature is available in Postfix 3.4 and later. </p>
21129
21130
21131</DD>
21132
21133<DT><b><a name="tlsproxy_client_level">tlsproxy_client_level</a>
21134(default: $<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b></DT><DD>
21135
21136<p> The default TLS security level for the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>
21137client. See <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> for further details. </p>
21138
21139<p> This feature is available in Postfix 3.4 - 3.6. It was
21140renamed to <a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> in Postfix 3.7. </p>
21141
21142
21143</DD>
21144
21145<DT><b><a name="tlsproxy_client_loglevel">tlsproxy_client_loglevel</a>
21146(default: $<a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b></DT><DD>
21147
21148<p> Enable additional Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client logging of TLS
21149activity. See <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> for further details. </p>
21150
21151<p> This feature is available in Postfix 3.4 and later. </p>
21152
21153
21154</DD>
21155
21156<DT><b><a name="tlsproxy_client_loglevel_parameter">tlsproxy_client_loglevel_parameter</a>
21157(default: <a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a>)</b></DT><DD>
21158
21159<p> The name of the parameter that provides the <a href="postconf.5.html#tlsproxy_client_loglevel">tlsproxy_client_loglevel</a>
21160value. </p>
21161
21162<p> This feature is available in Postfix 3.4 and later. </p>
21163
21164
21165</DD>
21166
21167<DT><b><a name="tlsproxy_client_per_site">tlsproxy_client_per_site</a>
21168(default: $<a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a>)</b></DT><DD>
21169
21170<p> Optional lookup tables with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client TLS
21171usage policy by next-hop destination and by remote TLS server
21172hostname.  See <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> for further details. </p>
21173
21174<p> This feature is deprecated as of Postfix 3.9. Specify
21175<a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> instead. </p>
21176
21177<p> This feature is available in Postfix 3.4 and later. </p>
21178
21179
21180</DD>
21181
21182<DT><b><a name="tlsproxy_client_policy">tlsproxy_client_policy</a>
21183(default: $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b></DT><DD>
21184
21185<p> Optional lookup tables with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client TLS
21186security policy by next-hop destination. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
21187for further details. </p>
21188
21189<p> This feature is available in Postfix 3.4 - 3.6. It was
21190renamed to <a href="postconf.5.html#tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a> in Postfix 3.7. </p>
21191
21192
21193</DD>
21194
21195<DT><b><a name="tlsproxy_client_policy_maps">tlsproxy_client_policy_maps</a>
21196(default: $<a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>)</b></DT><DD>
21197
21198<p> Optional lookup tables with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> client TLS
21199security policy by next-hop destination. See <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a>
21200for further details. </p>
21201
21202<p> This feature is available in Postfix 3.7 and later. It
21203was previously called <a href="postconf.5.html#tlsproxy_client_policy">tlsproxy_client_policy</a>. </p>
21204
21205
21206</DD>
21207
21208<DT><b><a name="tlsproxy_client_scert_verifydepth">tlsproxy_client_scert_verifydepth</a>
21209(default: $<a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a>)</b></DT><DD>
21210
21211<p> The verification depth for remote TLS server certificates.
21212See <a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> for further details. </p>
21213
21214<p> This feature is available in Postfix 3.4 and later. </p>
21215
21216
21217</DD>
21218
21219<DT><b><a name="tlsproxy_client_security_level">tlsproxy_client_security_level</a>
21220(default: $<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a>)</b></DT><DD>
21221
21222<p> The default TLS security level for the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>
21223client. See <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> for further details. </p>
21224
21225<p> This feature is available in Postfix 3.7 and later. It
21226was previously called <a href="postconf.5.html#tlsproxy_client_level">tlsproxy_client_level</a>. </p>
21227
21228
21229</DD>
21230
21231<DT><b><a name="tlsproxy_client_use_tls">tlsproxy_client_use_tls</a>
21232(default: $<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b></DT><DD>
21233
21234<p> Opportunistic mode: use TLS when a remote server announces TLS
21235support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further details. Use
21236<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
21237
21238<p> This feature is deprecated as of Postfix 3.9. Specify
21239<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
21240
21241<p> This feature is available in Postfix 3.4 and later. </p>
21242
21243
21244</DD>
21245
21246<DT><b><a name="tlsproxy_enforce_tls">tlsproxy_enforce_tls</a>
21247(default: $<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b></DT><DD>
21248
21249<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
21250require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> for
21251further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
21252
21253<p> This feature is deprecated as of Postfix 3.9. Specify
21254<a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
21255
21256<p> This feature is available in Postfix 2.8 and later. </p>
21257
21258
21259</DD>
21260
21261<DT><b><a name="tlsproxy_service_name">tlsproxy_service_name</a>
21262(default: tlsproxy)</b></DT><DD>
21263
<p> The name of the <a href="tlsproxy.8.html">tlsproxy(8)</a> service entry in <a href="master.5.html">master.cf</a>. This
service performs plaintext &lt;=&gt; TLS ciphertext conversion. </p>
21266
21267<p> This feature is available in Postfix 2.8 and later. </p>
21268
21269
21270</DD>
21271
21272<DT><b><a name="tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a>
21273(default: $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b></DT><DD>
21274
21275<p> A file containing (PEM format) CA certificates of root CAs
21276trusted to sign either remote SMTP client certificates or intermediate
21277CA certificates.  See <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> for further details. </p>
21278
21279<p> This feature is available in Postfix 2.8 and later. </p>
21280
21281
21282</DD>
21283
21284<DT><b><a name="tlsproxy_tls_CApath">tlsproxy_tls_CApath</a>
21285(default: $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>)</b></DT><DD>
21286
21287<p> A directory containing (PEM format) CA certificates of root CAs
21288trusted to sign either remote SMTP client certificates or intermediate
21289CA certificates. See <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> for further details. </p>
21290
21291<p> This feature is available in Postfix 2.8 and later. </p>
21292
21293
21294</DD>
21295
21296<DT><b><a name="tlsproxy_tls_always_issue_session_ids">tlsproxy_tls_always_issue_session_ids</a>
21297(default: $<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a>)</b></DT><DD>
21298
21299<p> Force the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server to issue a TLS session id,
21300even when TLS session caching is turned off. See
21301<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> for further details. </p>
21302
21303<p> This feature is available in Postfix 2.8 and later. </p>
21304
21305
21306</DD>
21307
21308<DT><b><a name="tlsproxy_tls_ask_ccert">tlsproxy_tls_ask_ccert</a>
21309(default: $<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>)</b></DT><DD>
21310
21311<p> Ask a remote SMTP client for a client certificate. See
21312<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> for further details. </p>
21313
21314<p> This feature is available in Postfix 2.8 and later. </p>
21315
21316
21317</DD>
21318
21319<DT><b><a name="tlsproxy_tls_ccert_verifydepth">tlsproxy_tls_ccert_verifydepth</a>
21320(default: $<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a>)</b></DT><DD>
21321
21322<p> The verification depth for remote SMTP client certificates. A
21323depth of 1 is sufficient if the issuing CA is listed in a local CA
21324file. See <a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> for further details. </p>
21325
21326<p> This feature is available in Postfix 2.8 and later. </p>
21327
21328
21329</DD>
21330
21331<DT><b><a name="tlsproxy_tls_cert_file">tlsproxy_tls_cert_file</a>
21332(default: $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b></DT><DD>
21333
21334<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server RSA certificate in PEM
21335format.  This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21336private RSA key.  See <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> for further details.  With
21337Postfix &ge; 3.4 the preferred way to configure tlsproxy server keys and
21338certificates is via the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a>" parameter. </p>
21339
21340<p> This feature is available in Postfix 2.8 and later. </p>
21341
21342
21343</DD>
21344
21345<DT><b><a name="tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a>
21346(default: $<a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a>)</b></DT><DD>
21347
21348<p> Files with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server keys and certificate
21349chains in PEM format. See <a href="postconf.5.html#smtpd_tls_chain_files">smtpd_tls_chain_files</a> for further details. </p>
21350
21351<p> This feature is available in Postfix 3.4 and later. </p>
21352
21353
21354</DD>
21355
21356<DT><b><a name="tlsproxy_tls_ciphers">tlsproxy_tls_ciphers</a>
21357(default: $<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>)</b></DT><DD>
21358
21359<p> The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21360will use with opportunistic TLS encryption. See <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>
21361for further details. </p>
21362
21363<p> This feature is available in Postfix 2.8 and later. </p>
21364
21365
21366</DD>
21367
21368<DT><b><a name="tlsproxy_tls_dcert_file">tlsproxy_tls_dcert_file</a>
21369(default: $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b></DT><DD>
21370
21371<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server DSA certificate in PEM
21372format.  This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21373private DSA key.  DSA is obsolete and should not be used.  See
21374<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> for further details.  </p>
21375
21376<p> This feature is available in Postfix 2.8 and later. </p>
21377
21378
21379</DD>
21380
21381<DT><b><a name="tlsproxy_tls_dh1024_param_file">tlsproxy_tls_dh1024_param_file</a>
21382(default: $<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>)</b></DT><DD>
21383
21384<p> File with DH parameters that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21385should use with non-export EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>
21386for further details. </p>
21387
21388<p> This feature is deprecated as of Postfix 3.9. Do not specify. </p>
21389
21390<p> This feature is available in Postfix 2.8 and later. </p>
21391
21392
21393</DD>
21394
21395<DT><b><a name="tlsproxy_tls_dh512_param_file">tlsproxy_tls_dh512_param_file</a>
21396(default: $<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>)</b></DT><DD>
21397
21398<p> File with DH parameters that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21399should use with export-grade EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>
21400for further details.  The default SMTP server cipher grade is
21401"medium" with Postfix releases after the middle of 2015, and as a
21402result export-grade cipher suites are by default not used.  </p>
21403
21404<p> With Postfix &ge; 3.6 export-grade Diffie-Hellman key exchange
21405is no longer supported, and this parameter is silently ignored. </p>
21406
21407<p> This feature is available in Postfix 2.8 and later. </p>
21408
21409
21410</DD>
21411
21412<DT><b><a name="tlsproxy_tls_dkey_file">tlsproxy_tls_dkey_file</a>
21413(default: $<a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>)</b></DT><DD>
21414
21415<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server DSA private key in PEM
21416format.  This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21417DSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>.  DSA is
21418obsolete and should not be used.  See <a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> for further
21419details. </p>
21420
21421<p> This feature is available in Postfix 2.8 and later. </p>
21422
21423
21424</DD>
21425
21426<DT><b><a name="tlsproxy_tls_eccert_file">tlsproxy_tls_eccert_file</a>
21427(default: $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b></DT><DD>
21428
21429<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server ECDSA certificate in PEM
21430format.  This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21431private ECDSA key.  See <a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> for further details.  With
21432Postfix &ge; 3.4 the preferred way to configure tlsproxy server keys and
21433certificates is via the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a>" parameter. </p>
21434
21435<p> This feature is available in Postfix 2.8 and later. </p>
21436
21437
21438</DD>
21439
21440<DT><b><a name="tlsproxy_tls_eckey_file">tlsproxy_tls_eckey_file</a>
21441(default: $<a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a>)</b></DT><DD>
21442
21443<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server ECDSA private key in PEM
21444format.  This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21445ECDSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>.  See
21446<a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> for further details.  With Postfix &ge; 3.4 the
21447preferred way to configure tlsproxy server keys and certificates is via
21448the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a>" parameter. </p>
21449
21450<p> This feature is available in Postfix 2.8 and later. </p>
21451
21452
21453</DD>
21454
21455<DT><b><a name="tlsproxy_tls_eecdh_grade">tlsproxy_tls_eecdh_grade</a>
21456(default: $<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>)</b></DT><DD>
21457
21458<p> The Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server security grade for ephemeral
21459elliptic-curve Diffie-Hellman (EECDH) key exchange. See
21460<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p>
21461
21462<p> This feature is not used as of Postfix 3.6. Do not specify. </p>
21463
21464<p> This feature is available in Postfix 2.8 and later. </p>
21465
21466
21467</DD>
21468
21469<DT><b><a name="tlsproxy_tls_enable_rpk">tlsproxy_tls_enable_rpk</a>
21470(default: $<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a>)</b></DT><DD>
21471
21472<p> Request that remote SMTP clients send an <a href="https://tools.ietf.org/html/rfc7250">RFC7250</a> raw public key
21473instead of an X.509 certificate, when asking or requiring client
21474authentication. See $<a href="postconf.5.html#smtpd_tls_enable_rpk">smtpd_tls_enable_rpk</a> for details. </p>
21475
21476<p> This feature is available in Postfix 3.9 and later. </p>
21477
21478
21479</DD>
21480
21481<DT><b><a name="tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a>
21482(default: $<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b></DT><DD>
21483
21484<p> List of ciphers or cipher types to exclude from the <a href="tlsproxy.8.html">tlsproxy(8)</a>
21485server cipher list at all TLS security levels. See
21486<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> for further details. </p>
21487
21488<p> This feature is available in Postfix 2.8 and later. </p>
21489
21490
21491</DD>
21492
21493<DT><b><a name="tlsproxy_tls_fingerprint_digest">tlsproxy_tls_fingerprint_digest</a>
21494(default: $<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a>)</b></DT><DD>
21495
<p> The message digest algorithm used to construct remote SMTP
client-certificate
fingerprints. See <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> for further details.
</p>
21500
21501<p> This feature is available in Postfix 2.8 and later. </p>
21502
21503
21504</DD>
21505
21506<DT><b><a name="tlsproxy_tls_key_file">tlsproxy_tls_key_file</a>
21507(default: $<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a>)</b></DT><DD>
21508
21509<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server RSA private key in PEM
21510format.  This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21511RSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>.  See
21512<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> for further details.  With Postfix &ge; 3.4 the
21513preferred way to configure tlsproxy server keys and certificates is via
21514the "<a href="postconf.5.html#tlsproxy_tls_chain_files">tlsproxy_tls_chain_files</a>" parameter. </p>
21515
21516<p> This feature is available in Postfix 2.8 and later. </p>
21517
21518
21519</DD>
21520
21521<DT><b><a name="tlsproxy_tls_loglevel">tlsproxy_tls_loglevel</a>
21522(default: $<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a>)</b></DT><DD>
21523
21524<p> Enable additional Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server logging of TLS
21525activity.  Each logging level also includes the information that
21526is logged at a lower logging level. See <a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> for
21527further details.  </p>
21528
21529<p> This feature is available in Postfix 2.8 and later. </p>
21530
21531
21532</DD>
21533
21534<DT><b><a name="tlsproxy_tls_mandatory_ciphers">tlsproxy_tls_mandatory_ciphers</a>
21535(default: $<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>)</b></DT><DD>
21536
21537<p> The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21538will use with mandatory TLS encryption. See <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>
21539for further details. </p>
21540
21541<p> This feature is available in Postfix 2.8 and later. </p>
21542
21543
21544</DD>
21545
21546<DT><b><a name="tlsproxy_tls_mandatory_exclude_ciphers">tlsproxy_tls_mandatory_exclude_ciphers</a>
21547(default: $<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>)</b></DT><DD>
21548
21549<p> Additional list of ciphers or cipher types to exclude from the
21550<a href="tlsproxy.8.html">tlsproxy(8)</a> server cipher list at mandatory TLS security levels.
21551See <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> for further details. </p>
21552
21553<p> This feature is available in Postfix 2.8 and later. </p>
21554
21555
21556</DD>
21557
21558<DT><b><a name="tlsproxy_tls_mandatory_protocols">tlsproxy_tls_mandatory_protocols</a>
21559(default: $<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>)</b></DT><DD>
21560
21561<p> The SSL/TLS protocols accepted by the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
21562with mandatory TLS encryption. If the list is empty, the server
21563supports all available SSL/TLS protocol versions.  See
21564<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> for further details. </p>
21565
21566<p> This feature is available in Postfix 2.8 and later. </p>
21567
21568
21569</DD>
21570
21571<DT><b><a name="tlsproxy_tls_protocols">tlsproxy_tls_protocols</a>
21572(default: $<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>)</b></DT><DD>
21573
21574<p> List of TLS protocols that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server will
21575exclude or include with opportunistic TLS encryption. See
21576<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> for further details. </p>
21577
21578<p> This feature is available in Postfix 2.8 and later. </p>
21579
21580
21581</DD>
21582
21583<DT><b><a name="tlsproxy_tls_req_ccert">tlsproxy_tls_req_ccert</a>
21584(default: $<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>)</b></DT><DD>
21585
21586<p> With mandatory TLS encryption, require a trusted remote SMTP
21587client certificate in order to allow TLS connections to proceed.
21588See <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> for further details. </p>
21589
21590<p> This feature is available in Postfix 2.8 and later. </p>
21591
21592
21593</DD>
21594
21595<DT><b><a name="tlsproxy_tls_security_level">tlsproxy_tls_security_level</a>
21596(default: $<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b></DT><DD>
21597
21598<p> The SMTP TLS security level for the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server;
21599when a non-empty value is specified, this overrides the obsolete
21600parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. See
21601<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> for further details. </p>
21602
21603<p> This feature is available in Postfix 2.8 and later. </p>
21604
21605
21606</DD>
21607
21608<DT><b><a name="tlsproxy_tls_session_cache_timeout">tlsproxy_tls_session_cache_timeout</a>
21609(default: $<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a>)</b></DT><DD>
21610
21611<p> Obsolete expiration time of Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server TLS session
21612cache information. Since the cache is shared with <a href="smtpd.8.html">smtpd(8)</a> and managed
21613by <a href="tlsmgr.8.html">tlsmgr(8)</a>, there is only one expiration time for the SMTP server cache
21614shared by all three services, namely <a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a>. </p>
21615
21616<p> This feature is available in Postfix 2.8-2.10. </p>
21617
21618
21619</DD>
21620
21621<DT><b><a name="tlsproxy_use_tls">tlsproxy_use_tls</a>
21622(default: $<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b></DT><DD>
21623
21624<p> Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
21625but do not require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>
21626for further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
21627
21628<p> This feature is deprecated as of Postfix 3.9. Specify
21629<a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
21630
21631<p> This feature is available in Postfix 2.8 and later. </p>
21632
21633
21634</DD>
21635
21636<DT><b><a name="tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a>
21637(default: 10s)</b></DT><DD>
21638
21639<p> How much time a <a href="tlsproxy.8.html">tlsproxy(8)</a> process may take to process local
21640or remote I/O before it is terminated by a built-in watchdog timer.
21641This is a safety mechanism that prevents <a href="tlsproxy.8.html">tlsproxy(8)</a> from becoming
21642non-responsive due to a bug in Postfix itself or in system software.
21643To avoid false alarms and unnecessary cache corruption this limit
21644cannot be set under 10s.  </p>
21645
21646<p> Specify a non-zero time value (an integral value plus an optional
21647one-letter suffix that specifies the time unit).  Time units: s
21648(seconds), m (minutes), h (hours), d (days), w (weeks).
21649The default time unit is s (seconds).  </p>
21650
<p> This feature is available in Postfix 2.8 and later. </p>
21652
21653
21654</DD>
21655
21656<DT><b><a name="trace_service_name">trace_service_name</a>
21657(default: trace)</b></DT><DD>
21658
21659<p>
21660The name of the trace service. This service is implemented by the
21661<a href="bounce.8.html">bounce(8)</a> daemon and maintains a record
21662of mail deliveries and produces a mail delivery report when verbose
21663delivery is requested with "<b>sendmail -v</b>".
21664</p>
21665
21666<p>
21667This feature is available in Postfix 2.1 and later.
21668</p>
21669
21670
21671</DD>
21672
21673<DT><b><a name="transport_delivery_slot_cost">transport_delivery_slot_cost</a>
21674(default: $<a href="postconf.5.html#default_delivery_slot_cost">default_delivery_slot_cost</a>)</b></DT><DD>
21675
21676<p> A transport-specific override for the <a href="postconf.5.html#default_delivery_slot_cost">default_delivery_slot_cost</a>
21677parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21678the message delivery transport. </p>
21679
21680<p> Note: <a href="postconf.5.html#transport_delivery_slot_cost"><i>transport</i>_delivery_slot_cost</a> parameters will not
21681show up in "postconf" command output before Postfix version 2.9.
21682This limitation applies to many parameters whose name is a combination
21683of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in this case:
21684"_delivery_slot_cost"). </p>
21685
21686
21687</DD>
21688
21689<DT><b><a name="transport_delivery_slot_discount">transport_delivery_slot_discount</a>
21690(default: $<a href="postconf.5.html#default_delivery_slot_discount">default_delivery_slot_discount</a>)</b></DT><DD>
21691
21692<p> A transport-specific override for the <a href="postconf.5.html#default_delivery_slot_discount">default_delivery_slot_discount</a>
21693parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21694the message delivery transport. </p>
21695
21696<p> Note: <a href="postconf.5.html#transport_delivery_slot_discount"><i>transport</i>_delivery_slot_discount</a> parameters will
21697not show up in "postconf" command output before Postfix version
216982.9.  This limitation applies to many parameters whose name is a
21699combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
21700this case: "_delivery_slot_discount"). </p>
21701
21702
21703</DD>
21704
21705<DT><b><a name="transport_delivery_slot_loan">transport_delivery_slot_loan</a>
21706(default: $<a href="postconf.5.html#default_delivery_slot_loan">default_delivery_slot_loan</a>)</b></DT><DD>
21707
21708<p> A transport-specific override for the <a href="postconf.5.html#default_delivery_slot_loan">default_delivery_slot_loan</a>
21709parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21710the message delivery transport. </p>
21711
21712<p> Note: <a href="postconf.5.html#transport_delivery_slot_loan"><i>transport</i>_delivery_slot_loan</a> parameters will not
21713show up in "postconf" command output before Postfix version 2.9.
21714This limitation applies to many parameters whose name is a combination
21715of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in this case:
21716"_delivery_slot_loan"). </p>
21717
21718
21719</DD>
21720
21721<DT><b><a name="transport_destination_concurrency_failed_cohort_limit">transport_destination_concurrency_failed_cohort_limit</a>
21722(default: $<a href="postconf.5.html#default_destination_concurrency_failed_cohort_limit">default_destination_concurrency_failed_cohort_limit</a>)</b></DT><DD>
21723
21724<p> A transport-specific override for the
21725<a href="postconf.5.html#default_destination_concurrency_failed_cohort_limit">default_destination_concurrency_failed_cohort_limit</a> parameter value,
21726where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message delivery
21727transport. </p>
21728
21729<p> Note: some <a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit"><i>transport</i>_destination_concurrency_failed_cohort_limit</a>
21730parameters will not show up in "postconf" command output before
21731Postfix version 2.9.  This limitation applies to many parameters
21732whose name is a combination of a <a href="master.5.html">master.cf</a> service name and a
21733built-in suffix (in this case:
21734"_destination_concurrency_failed_cohort_limit"). </p>
21735
21736<p> This feature is available in Postfix 2.5 and later. </p>
21737
21738
21739</DD>
21740
21741<DT><b><a name="transport_destination_concurrency_limit">transport_destination_concurrency_limit</a>
21742(default: $<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b></DT><DD>
21743
21744<p> A transport-specific override for the
21745<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a> parameter value, where
21746<i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message delivery
21747transport. </p>
21748
21749<p> Note: some <a href="postconf.5.html#transport_destination_concurrency_limit"><i>transport</i>_destination_concurrency_limit</a>
21750parameters will not show up in "postconf" command output before
21751Postfix version 2.9.  This limitation applies to many parameters
21752whose name is a combination of a <a href="master.5.html">master.cf</a> service name and a
21753built-in suffix (in this case: "_destination_concurrency_limit").
21754</p>
21755
21756
21757</DD>
21758
21759<DT><b><a name="transport_destination_concurrency_negative_feedback">transport_destination_concurrency_negative_feedback</a>
21760(default: $<a href="postconf.5.html#default_destination_concurrency_negative_feedback">default_destination_concurrency_negative_feedback</a>)</b></DT><DD>
21761
21762<p> A transport-specific override for the
21763<a href="postconf.5.html#default_destination_concurrency_negative_feedback">default_destination_concurrency_negative_feedback</a> parameter value,
21764where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message delivery
21765transport. </p>
21766
21767<p> Note: some <a href="postconf.5.html#transport_destination_concurrency_negative_feedback"><i>transport</i>_destination_concurrency_negative_feedback</a>
21768parameters will not show up in "postconf" command output before
21769Postfix version 2.9.  This limitation applies to many parameters
21770whose name is a combination of a <a href="master.5.html">master.cf</a> service name and a
21771built-in suffix (in this case:
21772"_destination_concurrency_negative_feedback"). </p>
21773
21774<p> This feature is available in Postfix 2.5 and later. </p>
21775
21776
21777</DD>
21778
21779<DT><b><a name="transport_destination_concurrency_positive_feedback">transport_destination_concurrency_positive_feedback</a>
21780(default: $<a href="postconf.5.html#default_destination_concurrency_positive_feedback">default_destination_concurrency_positive_feedback</a>)</b></DT><DD>
21781
21782<p> A transport-specific override for the
21783<a href="postconf.5.html#default_destination_concurrency_positive_feedback">default_destination_concurrency_positive_feedback</a> parameter value,
21784where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message delivery
21785transport. </p>
21786
21787<p> Note: some <a href="postconf.5.html#transport_destination_concurrency_positive_feedback"><i>transport</i>_destination_concurrency_positive_feedback</a>
21788parameters will not show up in "postconf" command output before
21789Postfix version 2.9.  This limitation applies to many parameters
21790whose name is a combination of a <a href="master.5.html">master.cf</a> service name and a
21791built-in suffix (in this case:
21792"_destination_concurrency_positive_feedback"). </p>
21793
21794<p> This feature is available in Postfix 2.5 and later. </p>
21795
21796
21797</DD>
21798
21799<DT><b><a name="transport_destination_rate_delay">transport_destination_rate_delay</a>
21800(default: $<a href="postconf.5.html#default_destination_rate_delay">default_destination_rate_delay</a>)</b></DT><DD>
21801
21802<p> A transport-specific override for the <a href="postconf.5.html#default_destination_rate_delay">default_destination_rate_delay</a>
21803parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21804the message delivery transport. </p>
21805
21806<p> Note: some <a href="postconf.5.html#transport_destination_rate_delay"><i>transport</i>_destination_rate_delay</a> parameters
21807will not show up in "postconf" command output before Postfix version
218082.9.  This limitation applies to many parameters whose name is a
21809combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
21810this case: "_destination_rate_delay"). </p>
21811
21812<p> This feature is available in Postfix 2.5 and later. </p>
21813
21814
21815</DD>
21816
21817<DT><b><a name="transport_destination_recipient_limit">transport_destination_recipient_limit</a>
21818(default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
21819
21820<p> A transport-specific override for the
21821<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a> parameter value, where
21822<i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message delivery
21823transport. </p>
21824
21825<p> Note: some <a href="postconf.5.html#transport_destination_recipient_limit"><i>transport</i>_destination_recipient_limit</a> parameters
21826will not show up in "postconf" command output before Postfix version
218272.9.  This limitation applies to many parameters whose name is a
21828combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
21829this case: "_destination_recipient_limit"). </p>
21830
21831
21832</DD>
21833
21834<DT><b><a name="transport_extra_recipient_limit">transport_extra_recipient_limit</a>
21835(default: $<a href="postconf.5.html#default_extra_recipient_limit">default_extra_recipient_limit</a>)</b></DT><DD>
21836
21837<p> A transport-specific override for the <a href="postconf.5.html#default_extra_recipient_limit">default_extra_recipient_limit</a>
21838parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21839the message delivery transport. </p>
21840
21841<p> Note: <a href="postconf.5.html#transport_extra_recipient_limit"><i>transport</i>_extra_recipient_limit</a> parameters will
21842not show up in "postconf" command output before Postfix version
218432.9.  This limitation applies to many parameters whose name is a
21844combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
21845this case: "_extra_recipient_limit").  </p>
21846
21847
21848</DD>
21849
21850<DT><b><a name="transport_initial_destination_concurrency">transport_initial_destination_concurrency</a>
21851(default: $<a href="postconf.5.html#initial_destination_concurrency">initial_destination_concurrency</a>)</b></DT><DD>
21852
21853<p> A transport-specific override for the <a href="postconf.5.html#initial_destination_concurrency">initial_destination_concurrency</a>
21854parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21855the message delivery transport. </p>
21856
21857<p> Note: some <a href="postconf.5.html#transport_initial_destination_concurrency"><i>transport</i>_initial_destination_concurrency</a>
21858parameters will not show up in "postconf" command output before
21859Postfix version 2.9.  This limitation applies to many parameters
21860whose name is a combination of a <a href="master.5.html">master.cf</a> service name and a
21861built-in suffix (in this case: "_initial_destination_concurrency").
21862</p>
21863
21864<p> This feature is available in Postfix 2.5 and later. </p>
21865
21866
21867</DD>
21868
21869<DT><b><a name="transport_maps">transport_maps</a>
21870(default: empty)</b></DT><DD>
21871
21872<p>
21873Optional lookup tables with mappings from recipient address to
21874(message delivery transport, next-hop destination).  See <a href="transport.5.html">transport(5)</a>
21875for syntax details.
21876</p>
21877
21878<p> This information may override the message delivery transport
21879and/or next-hop destination that are specified with $<a href="postconf.5.html#local_transport">local_transport</a>,
21880$<a href="postconf.5.html#virtual_transport">virtual_transport</a>, $<a href="postconf.5.html#relay_transport">relay_transport</a>, $<a href="postconf.5.html#default_transport">default_transport</a>,
21881$<a href="postconf.5.html#sender_dependent_relayhost_maps">sender_dependent_relayhost_maps</a>, $<a href="postconf.5.html#relayhost">relayhost</a>,
21882$<a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a>, or the recipient domain.
21883</p>
21884
21885<p>
21886Specify zero or more "<a href="DATABASE_README.html">type:table</a>" lookup tables, separated by
21887whitespace or comma. Tables will be searched in the specified order
21888until a match is found.  If you use this
21889feature with local files, run "<b>postmap /etc/postfix/transport</b>"
21890after making a change.  </p>
21891
21892<p> Pattern matching of domain names is controlled by the presence
21893or absence of "<a href="postconf.5.html#transport_maps">transport_maps</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
21894parameter value.  </p>
21895
21896<p> For safety reasons, as of Postfix 2.3 this feature does not
21897allow $number substitutions in regular expression maps. </p>
21898
21899<p>
21900Examples:
21901</p>
21902
21903<pre>
21904<a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">dbm</a>:/etc/postfix/transport
21905<a href="postconf.5.html#transport_maps">transport_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/transport
21906</pre>
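<p> As an added illustration that is not part of the Postfix documentation
or source, the following Python models the lookup order that <a href="transport.5.html">transport(5)</a>
documents for indexed tables: the full address, the address with its
"+extension" removed, the domain, its parent domains, and finally the "*"
wildcard. The subdomain_match flag stands for whether "transport_maps"
is listed in <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (check the value with
"<b>postconf parent_domain_matches_subdomains</b>" on your system): when it
is, parent domains are tried as bare names; when it is not, only the
".parent" forms are tried. The table contents and hostnames are constructed
for the example, the "+" delimiter is an assumption (as with
recipient_delimiter = +), and folding the whole address to lower case is a
simplification of the model. </p>

```python
# Constructed transport(5)-style table (not from any real system). The
# "[host]" form suppresses MX lookups; ":" alone means "use the defaults".
SAMPLE_TRANSPORT_TABLE = """\
# recipient pattern        transport:nexthop
alice+vip@example.com      smtp:[vip-relay.example.com]
alice@example.com          local:
example.com                relay:[gateway.example.com]:2525
.example.com               smtp:[mx.example.net]
example.org                :
*                          error:5.1.2 no route to this destination
"""


def parse_transport_table(text):
    """Parse 'pattern transport:nexthop' lines into a lookup dict.

    Mirrors what postmap(1) indexes from a local file: one pattern per
    line, blank and comment lines skipped, keys folded to lower case.
    """
    table = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"expected 'pattern result': {line!r}")
        table[fields[0].lower()] = fields[1]
    return table


def candidate_keys(address, subdomain_match=False, delimiter="+"):
    """Return lookup keys in the precedence order transport(5) documents.

    subdomain_match=True models "transport_maps" being listed in
    parent_domain_matches_subdomains: parent domains are then tried as
    bare names and the ".parent" forms are not consulted.
    """
    localpart, at, domain = address.lower().rpartition("@")
    if not at or not localpart or not domain:
        raise ValueError(f"need user@domain, got {address!r}")
    keys = [f"{localpart}@{domain}"]
    if delimiter and delimiter in localpart:  # user+ext@domain, then user@domain
        keys.append(f"{localpart.split(delimiter, 1)[0]}@{domain}")
    keys.append(domain)
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if subdomain_match else "." + parent)
    keys.append("*")  # the wildcard is always tried last
    return keys


def lookup_transport(table, address, subdomain_match=False):
    """Return (matched_key, transport, nexthop), or None if nothing matches.

    An empty transport or nexthop field is returned as "" and means
    "fall back to the main.cf default" for that part.
    """
    for key in candidate_keys(address, subdomain_match):
        if key in table:
            transport, _, nexthop = table[key].partition(":")
            return key, transport, nexthop
    return None


if __name__ == "__main__":
    table = parse_transport_table(SAMPLE_TRANSPORT_TABLE)
    for addr in ("alice+vip@example.com", "bob@example.com",
                 "bob@mail.example.com", "dave@example.net"):
        print(addr, "->", lookup_transport(table, addr))
    # The same subdomain address routes differently once parent matching
    # is switched on, which is why that flag deserves a review of its own.
    print("bob@mail.example.com (parent matching) ->",
          lookup_transport(table, "bob@mail.example.com", subdomain_match=True))
```

<p> "<b>postmap -q key type:file</b>" tests one key at a time; the candidate
order above is what decides which of several matching keys wins. Because a
"*" entry or a change to parent-domain matching silently changes where mail
for whole subdomains is routed, re-run the lookups you care about after
editing either. </p>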
21907
21908
21909</DD>
21910
21911<DT><b><a name="transport_minimum_delivery_slots">transport_minimum_delivery_slots</a>
21912(default: $<a href="postconf.5.html#default_minimum_delivery_slots">default_minimum_delivery_slots</a>)</b></DT><DD>
21913
21914<p> A transport-specific override for the <a href="postconf.5.html#default_minimum_delivery_slots">default_minimum_delivery_slots</a>
21915parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21916the message delivery transport. </p>
21917
21918<p> Note: <a href="postconf.5.html#transport_minimum_delivery_slots"><i>transport</i>_minimum_delivery_slots</a> parameters will
21919not show up in "postconf" command output before Postfix version
219202.9.  This limitation applies to many parameters whose name is a
21921combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
21922this case: "_minimum_delivery_slots"). </p>
21923
21924
21925</DD>
21926
21927<DT><b><a name="transport_recipient_limit">transport_recipient_limit</a>
21928(default: $<a href="postconf.5.html#default_recipient_limit">default_recipient_limit</a>)</b></DT><DD>
21929
21930<p> A transport-specific override for the <a href="postconf.5.html#default_recipient_limit">default_recipient_limit</a>
21931parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21932the message delivery transport. </p>
21933
21934<p> Note: some <a href="postconf.5.html#transport_recipient_limit"><i>transport</i>_recipient_limit</a> parameters will not
21935show up in "postconf" command output before Postfix version 2.9.
21936This limitation applies to many parameters whose name is a combination
21937of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in this case:
21938"_recipient_limit"). </p>
21939
21940
21941</DD>
21942
21943<DT><b><a name="transport_recipient_refill_delay">transport_recipient_refill_delay</a>
21944(default: $<a href="postconf.5.html#default_recipient_refill_delay">default_recipient_refill_delay</a>)</b></DT><DD>
21945
21946<p> A transport-specific override for the <a href="postconf.5.html#default_recipient_refill_delay">default_recipient_refill_delay</a>
21947parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21948the message delivery transport. </p>
21949
21950<p> Note: <a href="postconf.5.html#transport_recipient_refill_delay"><i>transport</i>_recipient_refill_delay</a> parameters will
21951not show up in "postconf" command output before Postfix version
219522.9.  This limitation applies to many parameters whose name is a
21953combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
21954this case: "_recipient_refill_delay").  </p>
21955
21956<p> This feature is available in Postfix 2.4 and later. </p>
21957
21958
21959</DD>
21960
21961<DT><b><a name="transport_recipient_refill_limit">transport_recipient_refill_limit</a>
21962(default: $<a href="postconf.5.html#default_recipient_refill_limit">default_recipient_refill_limit</a>)</b></DT><DD>
21963
21964<p> A transport-specific override for the <a href="postconf.5.html#default_recipient_refill_limit">default_recipient_refill_limit</a>
21965parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of
21966the message delivery transport. </p>
21967
21968<p> Note: <a href="postconf.5.html#transport_recipient_refill_limit"><i>transport</i>_recipient_refill_limit</a> parameters will
21969not show up in "postconf" command output before Postfix version
219702.9.  This limitation applies to many parameters whose name is a
21971combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
21972this case: "_recipient_refill_limit").  </p>
21973
21974<p> This feature is available in Postfix 2.4 and later. </p>
21975
21976
21977</DD>
21978
21979<DT><b><a name="transport_retry_time">transport_retry_time</a>
21980(default: 60s)</b></DT><DD>
21981
21982<p>
21983The time between attempts by the Postfix queue manager to contact
21984a malfunctioning message delivery transport.
21985</p>
21986
21987<p> Specify a non-zero time value (an integral value plus an optional
21988one-letter suffix that specifies the time unit).  Time units: s
21989(seconds), m (minutes), h (hours), d (days), w (weeks).
21990The default time unit is s (seconds).  </p>
21991
21992
21993</DD>
21994
21995<DT><b><a name="transport_time_limit">transport_time_limit</a>
21996(default: $<a href="postconf.5.html#command_time_limit">command_time_limit</a>)</b></DT><DD>
21997
21998<p> A transport-specific override for the <a href="postconf.5.html#command_time_limit">command_time_limit</a> parameter
21999value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message
22000delivery transport. </p>
22001
22002<p> Specify a non-zero time value (an integral value plus an optional
22003one-letter suffix that specifies the time unit).  Time units: s
22004(seconds), m (minutes), h (hours), d (days), w (weeks).
22005The default time unit is s (seconds).  </p>
22006
22007<p> Note: <a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> parameters will not show up
22008in "postconf" command output before Postfix version 2.9.  This
22009limitation applies to many parameters whose name is a combination
22010of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in this case:
22011"_time_limit"). </p>
22012
22013
22014</DD>
22015
22016<DT><b><a name="transport_transport_rate_delay">transport_transport_rate_delay</a>
22017(default: $<a href="postconf.5.html#default_transport_rate_delay">default_transport_rate_delay</a>)</b></DT><DD>
22018
22019<p> A transport-specific override for the <a href="postconf.5.html#default_transport_rate_delay">default_transport_rate_delay</a>
22020parameter value, where the initial <i>transport</i> in the parameter
22021name is the <a href="master.5.html">master.cf</a> name of the message delivery transport. </p>
22022
22023<p> Specify a non-negative time value (an integral value plus an optional
22024one-letter suffix that specifies the time unit).  Time units: s
22025(seconds), m (minutes), h (hours), d (days), w (weeks).
22026The default time unit is s (seconds).  </p>
22027
22028<p> Note: <a href="postconf.5.html#transport_transport_rate_delay"><i>transport</i>_transport_rate_delay</a> parameters will
22029not show up in "postconf" command output before Postfix version
220302.9.  This limitation applies to many parameters whose name is a
22031combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
22032this case: "_transport_rate_delay").  </p>
22033
22034
22035</DD>
22036
22037<DT><b><a name="trigger_timeout">trigger_timeout</a>
22038(default: 10s)</b></DT><DD>
22039
22040<p>
22041The time limit for sending a trigger to a Postfix daemon (for
22042example, the <a href="pickup.8.html">pickup(8)</a> or <a href="qmgr.8.html">qmgr(8)</a> daemon). This time limit prevents
22043programs from getting stuck when the mail system is under heavy
22044load.
22045</p>
22046
22047<p> Specify a non-zero time value (an integral value plus an optional
22048one-letter suffix that specifies the time unit).  Time units: s
22049(seconds), m (minutes), h (hours), d (days), w (weeks).
22050The default time unit is s (seconds).  </p>
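<p> The same time-value syntax appears under <a href="postconf.5.html#tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a>,
<a href="postconf.5.html#transport_retry_time">transport_retry_time</a>, <a href="postconf.5.html#transport_time_limit">transport_time_limit</a>,
<a href="postconf.5.html#transport_transport_rate_delay">transport_transport_rate_delay</a> and <a href="postconf.5.html#trigger_timeout">trigger_timeout</a>
above. As an added example that is not part of Postfix, the following
Python converts such values to seconds and checks the lower bounds those
entries state (non-zero, non-negative, or the watchdog's 10s floor) against
a constructed main.cf fragment. The parameter list is limited to the entries
on this page, and the per-transport names in the sample, such as
"uucp_time_limit", are constructed. </p>

```python
import re

# Multipliers for the one-letter unit suffixes listed above; with no suffix
# the default unit is s (seconds).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TIME_RE = re.compile(r"^(\d+)([smhdw])?$")

# Lower bounds stated on this page, in seconds: 1 encodes "non-zero",
# 0 encodes "non-negative", and the tlsproxy watchdog cannot go below 10s.
EXACT_MINIMUM = {
    "tlsproxy_watchdog_timeout": 10,
    "transport_retry_time": 1,
    "trigger_timeout": 1,
}
# Per-transport parameters are the master.cf service name plus a built-in
# suffix (e.g. smtp_transport_rate_delay), so they are matched by suffix.
SUFFIX_MINIMUM = {
    "_time_limit": 1,
    "_transport_rate_delay": 0,
}


def parse_time_value(text, default_unit="s"):
    """Convert a Postfix time value such as '10s', '2h' or '30' to seconds."""
    match = _TIME_RE.match(text.strip())
    if match is None:
        raise ValueError(f"malformed time value: {text!r}")
    number, unit = match.groups()
    return int(number) * UNIT_SECONDS[unit or default_unit]


def minimum_for(name):
    """Lower bound for a parameter covered here, or None if it is not tracked."""
    if name in EXACT_MINIMUM:
        return EXACT_MINIMUM[name]
    for suffix, floor in SUFFIX_MINIMUM.items():
        if name.endswith(suffix):
            return floor
    return None


def check_time_parameter(name, text):
    """Parse a time-valued parameter and enforce its documented lower bound."""
    seconds = parse_time_value(text)
    floor = minimum_for(name)
    if floor is not None and seconds < floor:
        raise ValueError(f"{name} = {text!r}: must be at least {floor}s")
    return seconds


def check_main_cf(text):
    """Scan main.cf-style 'name = value' lines for the tracked parameters.

    Returns (accepted values in seconds, list of problems). Comment lines,
    continuation lines (leading whitespace) and untracked parameters skip.
    """
    accepted, problems = {}, []
    for line in text.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep or minimum_for(name) is None:
            continue
        try:
            accepted[name] = check_time_parameter(name, value.strip())
        except ValueError as err:
            problems.append(str(err))
    return accepted, problems


# Constructed main.cf fragment (not from a real system) exercising each rule.
SAMPLE_MAIN_CF = """\
# time-valued parameters, one per logical line
tlsproxy_watchdog_timeout = 5s
transport_retry_time = 2m
uucp_time_limit = 0
smtp_transport_rate_delay = 0
trigger_timeout = 15
    continuation lines are ignored
"""

if __name__ == "__main__":
    values, errors = check_main_cf(SAMPLE_MAIN_CF)
    print(values)
    for problem in errors:
        print("problem:", problem)
```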
22051
22052
22053</DD>
22054
22055<DT><b><a name="undisclosed_recipients_header">undisclosed_recipients_header</a>
22056(default: see "postconf -d" output)</b></DT><DD>
22057
22058<p>
22059Message header that the Postfix <a href="cleanup.8.html">cleanup(8)</a> server inserts when a
22060message contains no To: or Cc: message header. With Postfix 2.8
22061and later, the default value is empty. With Postfix 2.4-2.7,
22062specify an empty value to disable this feature.  </p>
22063
22064<p> Example: </p>
22065
22066<pre>
22067# Default value before Postfix 2.8.
22068# Note: the ":" and ";" are both required.
22069<a href="postconf.5.html#undisclosed_recipients_header">undisclosed_recipients_header</a> = To: undisclosed-recipients:;
22070</pre>
22071
22072
22073</DD>
22074
22075<DT><b><a name="unknown_address_reject_code">unknown_address_reject_code</a>
22076(default: 450)</b></DT><DD>
22077
22078<p>
22079The numerical response code when the Postfix SMTP server rejects a
22080sender or recipient address because its domain is unknown.  This
22081is one of the possible replies from the restrictions
22082<a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> and <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>.
22083</p>
22084
22085<p>
22086Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
22087</p>
22088
22089
22090</DD>
22091
22092<DT><b><a name="unknown_address_tempfail_action">unknown_address_tempfail_action</a>
22093(default: $<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b></DT><DD>
22094
22095<p> The Postfix SMTP server's action when <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>
22096or <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> fail due to a temporary error
22097condition. Specify "defer" to defer the remote SMTP client request
22098immediately. With the default "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" action, the Postfix
22099SMTP server continues to look for opportunities to reject mail, and
22100defers the client request only if it would otherwise be accepted.
22101</p>
22102
22103<p> This feature is available in Postfix 2.6 and later. </p>
22104
22105
22106</DD>
22107
22108<DT><b><a name="unknown_client_reject_code">unknown_client_reject_code</a>
22109(default: 450)</b></DT><DD>
22110
22111<p>
22112The numerical Postfix SMTP server response code when a client
22113without valid address &lt;=&gt; name mapping is rejected by the
22114<a href="postconf.5.html#reject_unknown_client_hostname">reject_unknown_client_hostname</a> restriction. The SMTP server always replies
22115with 450 when the mapping failed due to a temporary error condition.
22116</p>
22117
22118<p>
22119Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
22120</p>
22121
22122
22123</DD>
22124
22125<DT><b><a name="unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a>
22126(default: $<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b></DT><DD>
22127
22128<p> The Postfix SMTP server's action when <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a>
22129fails due to a temporary error condition. Specify "defer" to defer
22130the remote SMTP client request immediately. With the default
22131"<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" action, the Postfix SMTP server continues to look
22132for opportunities to reject mail, and defers the client request
22133only if it would otherwise be accepted. </p>
22134
22135<p> This feature is available in Postfix 2.6 and later. </p>
22136
22137
22138</DD>
22139
22140<DT><b><a name="unknown_hostname_reject_code">unknown_hostname_reject_code</a>
22141(default: 450)</b></DT><DD>
22142
22143<p>
22144The numerical Postfix SMTP server response code when the hostname
22145specified with the HELO or EHLO command is rejected by the
22146<a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.
22147</p>
22148
22149<p>
22150Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
22151</p>
22152
22153
22154</DD>
22155
22156<DT><b><a name="unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a>
22157(default: 550)</b></DT><DD>
22158
22159<p>
22160The numerical Postfix SMTP server response code when a recipient
22161address is local, and $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of
22162lookup tables that does not match the recipient.  A recipient
22163address is local when its domain matches $<a href="postconf.5.html#mydestination">mydestination</a>,
22164$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> or $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>.
22165</p>
22166
22167<p>
22168The default setting is 550 (reject mail) but it is safer to initially
22169use 450 (try again later) so you have time to find out if your
22170<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> settings are OK.
22171</p>
22172
22173<p>
22174Example:
22175</p>
22176
22177<pre>
22178<a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> = 450
22179</pre>
22180
22181<p>
22182This feature is available in Postfix 2.0 and later.
22183</p>
22184
22185
22186</DD>
22187
22188<DT><b><a name="unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a>
22189(default: 550)</b></DT><DD>
22190
22191<p>
22192The numerical Postfix SMTP server reply code when a recipient
22193address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies
22194a list of lookup tables that does not match the recipient address.
22195</p>
22196
22197<p>
22198This feature is available in Postfix 2.0 and later.
22199</p>
22200
22201
22202</DD>
22203
22204<DT><b><a name="unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a>
22205(default: 550)</b></DT><DD>
22206
22207<p>
22208The Postfix SMTP server reply code when a recipient address matches
22209$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> specifies a list
22210of lookup tables that does not match the recipient address.
22211</p>
22212
22213<p>
22214This feature is available in Postfix 2.0 and later.
22215</p>
22216
22217
22218</DD>
22219
22220<DT><b><a name="unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a>
22221(default: 550)</b></DT><DD>
22222
22223<p>
22224The Postfix SMTP server reply code when a recipient address matches
22225$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> specifies a list
22226of lookup tables that does not match the recipient address.
22227</p>
22228
22229<p>
22230This feature is available in Postfix 2.0 and later.
22231</p>
22232
22233
22234</DD>
22235
22236<DT><b><a name="unverified_recipient_defer_code">unverified_recipient_defer_code</a>
22237(default: 450)</b></DT><DD>
22238
22239<p>
22240The numerical Postfix SMTP server response when a recipient address
22241probe fails due to a temporary error condition.
22242</p>
22243
22244<p>
22245Unlike elsewhere in Postfix, you can specify 250 in order to
22246accept the address anyway.
22247</p>
22248
22249<p>
22250Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
22251</p>
22252
22253<p>
22254This feature is available in Postfix 2.6 and later.
22255</p>
22256
22257
22258</DD>
22259
22260<DT><b><a name="unverified_recipient_reject_code">unverified_recipient_reject_code</a>
22261(default: 450)</b></DT><DD>
22262
22263<p>
22264The numerical Postfix SMTP server response when a recipient address
22265is rejected by the <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> restriction.
22266</p>
22267
22268<p>
22269Unlike elsewhere in Postfix, you can specify 250 in order to
22270accept the address anyway.
22271</p>
22272
22273<p>
22274Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
22275</p>
22276
22277<p>
22278This feature is available in Postfix 2.1 and later.
22279</p>
22280
22281
22282</DD>
22283
22284<DT><b><a name="unverified_recipient_reject_reason">unverified_recipient_reject_reason</a>
22285(default: empty)</b></DT><DD>
22286
<p> The Postfix SMTP server's reply when rejecting mail with
<a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>. Do not include the numeric SMTP reply
code or the enhanced status code. By default, the response includes
actual address verification details. </p>
22291
22292<p> Example: </p>
22293
22294<pre>
22295<a href="postconf.5.html#unverified_recipient_reject_reason">unverified_recipient_reject_reason</a> = Recipient address lookup failed
22296</pre>
22297
22298<p> This feature is available in Postfix 2.6 and later. </p>
22299
22300
22301</DD>
22302
22303<DT><b><a name="unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a>
22304(default: $<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b></DT><DD>
22305
22306<p> The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>
22307fails due to a temporary error condition. Specify "defer" to defer
22308the remote SMTP client request immediately. With the default
22309"<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" action, the Postfix SMTP server continues to look
22310for opportunities to reject mail, and defers the client request
22311only if it would otherwise be accepted. </p>
22312
22313<p> This feature is available in Postfix 2.6 and later. </p>
22314
22315
22316</DD>
22317
22318<DT><b><a name="unverified_sender_defer_code">unverified_sender_defer_code</a>
22319(default: 450)</b></DT><DD>
22320
22321<p>
22322The numerical Postfix SMTP server response code when a sender address
22323probe fails due to a temporary error condition.
22324</p>
22325
22326<p>
22327Unlike elsewhere in Postfix, you can specify 250 in order to
22328accept the address anyway.
22329</p>
22330
22331<p>
22332Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
22333</p>
22334
22335<p>
22336This feature is available in Postfix 2.6 and later.
22337</p>
22338
22339
22340</DD>
22341
22342<DT><b><a name="unverified_sender_reject_code">unverified_sender_reject_code</a>
22343(default: 450)</b></DT><DD>
22344
22345<p>
The numerical Postfix SMTP server response code when a sender
address is rejected by the <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
22348</p>
22349
22350<p>
22351Unlike elsewhere in Postfix, you can specify 250 in order to
22352accept the address anyway.
22353</p>
22354
22355<p>
22356Do not change this unless you have a complete understanding of <a href="https://tools.ietf.org/html/rfc5321">RFC 5321</a>.
22357</p>
22358
22359<p>
22360This feature is available in Postfix 2.1 and later.
22361</p>
22362
22363
22364</DD>
22365
22366<DT><b><a name="unverified_sender_reject_reason">unverified_sender_reject_reason</a>
22367(default: empty)</b></DT><DD>
22368
<p> The Postfix SMTP server's reply when rejecting mail with
<a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>. Do not include the numeric SMTP reply
code or the enhanced status code. By default, the response includes
actual address verification details. </p>
22373
22374<p> Example: </p>
22375
22376<pre>
22377<a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> = Sender address lookup failed
22378</pre>
22379
22380<p> This feature is available in Postfix 2.6 and later. </p>
22381
22382
22383</DD>
22384
22385<DT><b><a name="unverified_sender_tempfail_action">unverified_sender_tempfail_action</a>
22386(default: $<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b></DT><DD>
22387
22388<p> The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>
22389fails due to a temporary error condition. Specify "defer" to defer
22390the remote SMTP client request immediately. With the default
22391"<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" action, the Postfix SMTP server continues to look
22392for opportunities to reject mail, and defers the client request
22393only if it would otherwise be accepted. </p>
22394
22395<p> This feature is available in Postfix 2.6 and later. </p>
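<p> The four <b>*_tempfail_action</b> parameters above (unknown_address_tempfail_action, unknown_helo_hostname_tempfail_action, unverified_recipient_tempfail_action and unverified_sender_tempfail_action) all describe the same decision. The following Python model, added here as an illustration and not taken from the Postfix sources, walks a restriction list whose outcomes are constructed ("permit", "reject", "dunno", or "tempfail" for a restriction whose DNS or probe lookup failed temporarily) and shows how "defer" and "defer_if_permit" change the final reply code. The <tt>reject_code</tt> and <tt>tempfail_code</tt> arguments stand in for whichever *_reject_code and the 450 tempfail reply apply; they are assumptions of the model. </p>

```python
"""Model of the "defer" versus "defer_if_permit" choice shared by the
*_tempfail_action parameters. Added illustration of the documented
behaviour, not Postfix source; restriction outcomes are constructed."""

# Outcomes a single restriction can produce in this model. "tempfail" stands
# for a restriction such as reject_unknown_sender_domain or
# reject_unverified_recipient whose DNS or probe lookup failed temporarily.
OUTCOMES = {"permit", "reject", "dunno", "tempfail"}


def evaluate_restrictions(outcomes, tempfail_action="defer_if_permit",
                          reject_code=550, tempfail_code=450):
    """Walk a restriction list left to right and return (reply code, reason).
    `reject_code` plays the role of the *_reject_code of the restriction
    that rejects; `tempfail_code` is the 450 a temporary failure produces."""
    if tempfail_action not in ("defer", "defer_if_permit"):
        raise ValueError("tempfail_action must be 'defer' or 'defer_if_permit'")
    deferral_pending = False
    for outcome in outcomes:
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r}")
        if outcome == "tempfail":
            if tempfail_action == "defer":
                # Defer the client request immediately.
                return tempfail_code, "deferred immediately (tempfail_action=defer)"
            # defer_if_permit: remember the failure, keep looking for a reject.
            deferral_pending = True
        elif outcome == "reject":
            return reject_code, "rejected by a later restriction"
        elif outcome == "permit":
            break                   # the list would accept the request here
        # "dunno": no decision yet, continue with the next restriction
    if deferral_pending:
        return tempfail_code, "would have been accepted; deferred (defer_if_permit)"
    return 250, "accepted"


def demo():
    """Constructed list: a tempfailing lookup, a neutral restriction, then
    either a rejecting or a permitting restriction."""
    return {
        "defer": evaluate_restrictions(["tempfail", "dunno", "reject"], "defer")[0],
        "defer_if_permit": evaluate_restrictions(["tempfail", "dunno", "reject"])[0],
        "would_permit": evaluate_restrictions(["tempfail", "dunno", "permit"])[0],
    }


if __name__ == "__main__":
    print(demo())
```

<p> The practical difference: with "defer_if_permit" a client that a later restriction would reject anyway receives that permanent rejection instead of a 4xx, so it does not keep retrying a message you were never going to accept; "defer" fails closed at the first temporary error, at the cost of those retries. </p>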
22396
22397
22398</DD>
22399
22400<DT><b><a name="use_srv_lookup">use_srv_lookup</a>
22401(default: empty)</b></DT><DD>
22402
22403<p> Enables discovery for the specified service(s) using DNS SRV
22404records. For example, with "<a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a> = submission" and
22405"<a href="postconf.5.html#relayhost">relayhost</a> = example.com:submission", the Postfix SMTP client will
22406look up DNS SRV records for _submission._tcp.example.com, and will
22407relay email through the hosts and ports that are specified with
22408those records. See <a href="https://tools.ietf.org/html/rfc2782">RFC 2782</a> for details of the host selection
22409process. </p>
22410
22411<p> Specify zero or more service names separated by comma and/or
22412whitespace. Any name in the services(5) database may be specified,
though in practice only submission or submissions (formerly called
smtps) make sense.  </p>
22415
22416<p> When SRV record lookup is enabled with <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a>, you can
22417enclose a domain name in "[]" to force IP address lookup instead
22418of SRV record lookup. </p>
22419
22420<p> Example 1: MUA-to-MTA submission using SRV record lookup for
22421the "submission" service for domain "example.com". This uses the
22422default SMTP delivery agent with STARTTLS, and looks up SRV records
22423for "_submission._tcp.example.com". </p>
22424
22425<pre>
22426/etc/postfix/<a href="postconf.5.html">main.cf</a>:
22427    <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a> = submission
22428    <a href="postconf.5.html#relayhost">relayhost</a> = example.com:submission
22429    <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
22430    ...see <a href="SASL_README.html">SASL_README</a> for sasl configuration...
22431</pre>
22432
22433<p> Example 2: MUA-to-MTA submission using SRV record lookup for
22434the "submissions" service for domain "example.org". This uses a
22435dedicated SMTP delivery agent (smtp-wraptls) with tls_wrappermode
22436turned on, and looks up SRV records for "_submissions._tcp.example.org".
22437</p>
22438
22439<p> Note: specify the older name "smtps" instead of "submissions"
22440when a provider has DNS SRV records like "_smtps._tcp.example.org"
22441instead of "_submissions._tcp.example.org". </p>
22442
22443<pre>
22444/etc/postfix/<a href="postconf.5.html">main.cf</a>:
22445    <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a> = submissions
22446    <a href="postconf.5.html#default_transport">default_transport</a> = smtp-wraptls:example.org:submissions
22447    ...see <a href="SASL_README.html">SASL_README</a> for sasl configuration...
22448</pre>
22449
22450<pre>
22451/etc/postfix/<a href="master.5.html">master.cf</a>:
22452    smtp-wraptls   unix   ...   ...   ...   ...   ...   smtp
22453        -o { <a href="postconf.5.html#smtp_tls_wrappermode">smtp_tls_wrappermode</a> = yes }
22454        -o { <a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt }
22455</pre>
22456
22457<p> Example 3: Sender-dependent selection for a combination of
22458MUA-to-MTA submission services. This combines examples 1 and 2 with
22459examples of how to disable SRV and look up IP address records for
22460"smtp-relay.example.net" and "smtp-relay.other.example".  Again,
22461specify the older name "smtps" instead of "submissions" when a
22462provider has DNS SRV records like "_smtps._tcp.example.org" instead
22463of "_submissions._tcp.example.org". </p>
22464
22465<pre>
22466/etc/postfix/<a href="postconf.5.html">main.cf</a>:
22467    <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a> = submission, submissions
22468    <a href="postconf.5.html#sender_dependent_default_transport_maps">sender_dependent_default_transport_maps</a> = <a href="DATABASE_README.html#types">inline</a>:{
22469        # Destinations that support SRV record lookup.
22470        { user1@example.com = <a href="smtp.8.html">smtp</a>:example.com:submission }
22471        { user2@example.org = smtp-wraptls:example.org:submissions }
22472        # Use [destination] to force IP address lookups.
22473        { user3@example.net = <a href="smtp.8.html">smtp</a>:[smtp-relay.example.net]:submission }
22474        { user4@other.example =
22475              smtp-wraptls:[smtp-relay.other.example]:submissions } }
22476    ...see <a href="SASL_README.html">SASL_README</a> for sasl configuration...
22477</pre>
22478
22479<p> Example 4: MTA-to-MTA traffic, using SRV record lookup for the
22480SMTP service. This is useful for Postfix tests, and may be useful
22481in environments where ports are dynamically assigned to servers.
22482</p>
22483
22484<pre>
22485/etc/postfix/<a href="postconf.5.html">main.cf</a>:
22486    <a href="postconf.5.html#use_srv_lookup">use_srv_lookup</a> = smtp
22487    # Fall back to MX record lookup when SRV records are unavailable.
22488    #<a href="postconf.5.html#allow_srv_lookup_fallback">allow_srv_lookup_fallback</a> = yes
22489    #<a href="postconf.5.html#ignore_srv_lookup_error">ignore_srv_lookup_error</a> = yes
22490</pre>
22491
22492<p> This feature is available in Postfix 3.8 and later. </p>
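<p> The following Python example, added here and not part of the Postfix code base, shows the two pieces of the mechanism described above: how a "domain:service" next-hop becomes the SRV owner name "_service._tcp.domain" (or no SRV lookup at all when the domain is written as "[name]" or the service is not listed in use_srv_lookup), and how the returned records are ordered by the RFC 2782 priority/weight selection. The records are constructed, not real DNS data; treating a next-hop without ":service" as the "smtp" service is an assumption of the example, as is the <tt>draw</tt> hook that makes the weighted choice testable. </p>

```python
"""Added example: SRV owner-name construction for use_srv_lookup and RFC 2782
record ordering. Illustrative code with constructed records, not Postfix's
own resolver logic."""

import random


def srv_query_name(nexthop, srv_services):
    """Return the SRV owner name for a 'domain:service' next-hop (as written
    in relayhost, default_transport or a transport map), or None when the
    SMTP client would use ordinary IP address (or MX) lookup instead.
    Assumption: a next-hop without ':service' means the 'smtp' service."""
    domain, _, service = nexthop.rpartition(":")
    if not domain:                      # no ':' present at all
        domain, service = service, "smtp"
    if domain.startswith("[") and domain.endswith("]"):
        return None                     # "[name]" forces IP address lookup
    if service not in srv_services:
        return None                     # service not enabled for SRV lookup
    return f"_{service}._tcp.{domain}"


def rfc2782_order(records, draw=None):
    """Order SRV records per RFC 2782: lowest priority first; within one
    priority a weighted random draw in [0, sum of weights], with weight-0
    records placed first so they are chosen only when the draw is 0.
    `draw(total)` can be injected for deterministic tests."""
    if draw is None:
        draw = lambda total: random.randint(0, total)
    if len(records) == 1 and records[0]["target"] == ".":
        return []                       # RFC 2782: service decidedly absent
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        group = sorted((r for r in records if r["priority"] == prio),
                       key=lambda r: r["weight"] != 0)   # weight 0 first
        while group:
            total = sum(r["weight"] for r in group)
            pick = draw(total)
            running = 0
            for i, r in enumerate(group):
                running += r["weight"]
                if running >= pick:     # first running sum >= the draw wins
                    ordered.append(group.pop(i))
                    break
    return ordered


def srv_nexthops(records, draw=None):
    """Turn ordered SRV records into the '[host]:port' pairs the SMTP client
    would try in turn."""
    return [f"[{r['target']}]:{r['port']}" for r in rfc2782_order(records, draw)]


# Constructed answer for _submission._tcp.example.com (not real DNS data).
SAMPLE_SRV = [
    {"priority": 10, "weight": 60, "port": 587, "target": "mta1.example.com"},
    {"priority": 10, "weight": 40, "port": 587, "target": "mta2.example.com"},
    {"priority": 20, "weight": 0, "port": 2587, "target": "backup.example.com"},
]

if __name__ == "__main__":
    print(srv_query_name("example.com:submission", {"submission"}))
    print(srv_nexthops(SAMPLE_SRV))
```

<p> Because the hosts and ports now come from DNS rather than from main.cf, the SRV answer is part of your relay configuration: the TLS and SASL settings shown in the examples above (smtp_tls_security_level, smtp_tls_wrappermode) are what keep a manipulated or misconfigured SRV record from silently redirecting submission traffic to an unauthenticated, cleartext host. </p>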
22493
22494
22495</DD>
22496
22497<DT><b><a name="verp_delimiter_filter">verp_delimiter_filter</a>
22498(default: -=+)</b></DT><DD>
22499
22500<p>
22501The characters Postfix accepts as VERP delimiter characters on the
22502Postfix <a href="sendmail.1.html">sendmail(1)</a> command line and in SMTP commands.
22503</p>
22504
22505<p>
22506This feature is available in Postfix 1.1 and later.
22507</p>
22508
22509
22510</DD>
22511
22512<DT><b><a name="virtual_alias_address_length_limit">virtual_alias_address_length_limit</a>
22513(default: 1000)</b></DT><DD>
22514
22515<p>
22516The maximal length of an email address after virtual alias expansion.
22517This stops <a href="ADDRESS_REWRITING_README.html#virtual">virtual aliasing</a> loops that increase the address length
22518exponentially.
22519</p>
22520
22521<p>
22522This feature is available in Postfix 3.0 and later.
22523</p>
22524
22525
22526</DD>
22527
22528<DT><b><a name="virtual_alias_domains">virtual_alias_domains</a>
22529(default: $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b></DT><DD>
22530
22531<p> Postfix is the final destination for the specified list of virtual
22532alias domains, that is, domains for which all addresses are aliased
22533to addresses in other local or remote domains. The SMTP server
22534validates recipient addresses with $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> and rejects
non-existent recipients. See also the <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> class
in the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> file. </p>
22537
22538<p>
22539This feature is available in Postfix 2.0 and later. The default
22540value is backwards compatible with Postfix version 1.1.
22541</p>
22542
22543<p>
22544The default value is $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> so that you can keep all
22545information about <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domains</a> in one place.  If you have
22546many users, it is better to separate information that changes more
22547frequently (virtual address -&gt; local or remote address mapping)
22548from information that changes less frequently (the list of virtual
22549domain names).
22550</p>
22551
22552<p> Specify a list of host or domain names, "/file/name" or
22553"<a href="DATABASE_README.html">type:table</a>" patterns, separated by commas and/or whitespace. A
22554"/file/name" pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>"
22555lookup table is matched when a table entry matches a host or domain name
22556(the lookup result is ignored).  Continue long lines by starting
22557the next line with whitespace. Specify "!pattern" to exclude a host
22558or domain name from the list. The form "!/file/name" is supported
22559only in Postfix version 2.4 and later.  </p>
22560
22561<p>
22562See also the <a href="VIRTUAL_README.html">VIRTUAL_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents
22563for further information.
22564</p>
22565
22566<p>
22567Example:
22568</p>
22569
22570<pre>
22571<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> = virtual1.tld virtual2.tld
22572</pre>
22573
22574
22575</DD>
22576
22577<DT><b><a name="virtual_alias_expansion_limit">virtual_alias_expansion_limit</a>
22578(default: 1000)</b></DT><DD>
22579
22580<p>
22581The maximal number of addresses that virtual alias expansion produces
22582from each original recipient.
22583</p>
22584
22585<p>
22586This feature is available in Postfix 2.1 and later.
22587</p>
22588
22589
22590</DD>
22591
22592<DT><b><a name="virtual_alias_maps">virtual_alias_maps</a>
22593(default: $<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b></DT><DD>
22594
22595<p>
22596Optional lookup tables that are often searched with a full email
22597address (including domain) and that apply to all recipients: <a href="local.8.html">local(8)</a>,
22598virtual, and remote; this is unlike <a href="postconf.5.html#alias_maps">alias_maps</a> that are only searched
22599with an email address localpart (no domain) and that apply
22600only to <a href="local.8.html">local(8)</a> recipients.
22601The <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> table format and lookups
22602are documented in <a href="virtual.5.html">virtual(5)</a>. For an overview of Postfix address
22603manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document.
22604</p>
22605
22606<p>
22607This feature is available in Postfix 2.0 and later. The default
22608value is backwards compatible with Postfix version 1.1.
22609</p>
22610
22611<p>
22612Specify zero or more "type:name" lookup tables, separated by
22613whitespace or comma. Tables will be searched in the specified order
22614until a match is found.
22615Note: these lookups are recursive.
22616</p>
22617
22618<p>
22619If you use this feature with indexed files, run "<b>postmap
22620/etc/postfix/virtual</b>" after changing the file.
22621</p>
22622
22623<p>
22624Examples:
22625</p>
22626
22627<pre>
22628<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">dbm</a>:/etc/postfix/virtual
22629<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = <a href="DATABASE_README.html#types">hash</a>:/etc/postfix/virtual
22630</pre>
22631
22632
22633</DD>
22634
22635<DT><b><a name="virtual_alias_recursion_limit">virtual_alias_recursion_limit</a>
22636(default: 1000)</b></DT><DD>
22637
22638<p>
22639The maximal nesting depth of virtual alias expansion.  Currently
22640the recursion limit is applied only to the left branch of the
22641expansion graph, so the depth of the tree can in the worst case
22642reach the sum of the expansion and recursion limits.  This may
22643change in the future.
22644</p>
22645
22646<p>
22647This feature is available in Postfix 2.1 and later.
22648</p>
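<p> The three limits virtual_alias_address_length_limit, virtual_alias_expansion_limit and virtual_alias_recursion_limit each bound a different way a recursive alias table can run away. The Python model below, added here as an illustration rather than the cleanup(8) implementation, expands a recipient through a lookup function and raises as soon as one of the limits trips; the tables are constructed, and one simplification is labelled in the code: the depth limit is applied to every branch, not only to the leftmost branch as the text above describes for the current implementation. </p>

```python
"""Added example: recursive virtual alias expansion with the three documented
limits. Illustrative model, not cleanup(8); all tables are constructed."""


class ExpansionError(Exception):
    """Raised when a limit fires; `limit` names the parameter that tripped."""

    def __init__(self, limit):
        super().__init__(f"{limit} exceeded")
        self.limit = limit


def expand_virtual_aliases(recipient, lookup, *, address_length_limit=1000,
                           expansion_limit=1000, recursion_limit=1000):
    """Expand `recipient` through `lookup(addr) -> list of addresses or None`.
    An address without a table entry is final. Simplification: the depth
    limit is checked on every branch (the docs say only the leftmost one)."""
    results = []
    stack = [(recipient, 0)]            # (address, nesting depth), LIFO
    while stack:
        addr, depth = stack.pop()
        if len(addr) > address_length_limit:
            raise ExpansionError("virtual_alias_address_length_limit")
        if depth > recursion_limit:
            raise ExpansionError("virtual_alias_recursion_limit")
        targets = lookup(addr)
        if not targets:                 # no mapping: deliver to this address
            results.append(addr)
            if len(results) > expansion_limit:
                raise ExpansionError("virtual_alias_expansion_limit")
            continue
        for target in reversed(targets):    # first target is expanded first
            stack.append((target, depth + 1))
    return results


# Constructed tables. A plain dict serves as `lookup` through dict.get.
NORMAL = {
    "sales@example.com": ["alice@example.com", "team@example.com"],
    "team@example.com": ["bob@example.net", "carol@example.org"],
}
LOOP = {"x@example.com": ["y@example.com"], "y@example.com": ["x@example.com"]}


def doubling_lookup(addr):
    """Models a regexp table that rewrites user@d to useruser@d: every step
    doubles the localpart, so the address length grows exponentially."""
    local, _, domain = addr.rpartition("@")
    return [f"{local}{local}@{domain}"]


def fanout_lookup(addr):
    """Models a distribution list that explodes one recipient into 1500."""
    if addr == "everyone@example.com":
        return [f"u{i}@example.com" for i in range(1500)]
    return None


def which_limit(recipient, lookup, **limits):
    """Return the name of the limit that stops expansion, or None."""
    try:
        expand_virtual_aliases(recipient, lookup, **limits)
    except ExpansionError as e:
        return e.limit
    return None


if __name__ == "__main__":
    print(expand_virtual_aliases("sales@example.com", NORMAL.get))
    for name, table in (("loop", LOOP.get), ("doubling", doubling_lookup),
                        ("fanout", fanout_lookup)):
        print(name, which_limit(list(locals().get("_", "")) and "" or
                                {"loop": "x", "doubling": "u",
                                 "fanout": "everyone"}[name] + "@example.com",
                                table))
```

<p> Each constructed table trips a different limit: the two-entry loop is caught by the recursion limit, the doubling rewrite by the address length limit well before the recursion limit would fire, and the 1500-member list by the expansion limit. The defaults of 1000 are generous for legitimate tables; what matters is that each bound is finite, so a mistaken or hostile table entry costs bounded work in cleanup(8) rather than unbounded memory and CPU. </p>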
22649
22650
22651</DD>
22652
22653<DT><b><a name="virtual_delivery_status_filter">virtual_delivery_status_filter</a>
22654(default: $<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b></DT><DD>
22655
22656<p> Optional filter for the <a href="virtual.8.html">virtual(8)</a> delivery agent to change the
22657delivery status code or explanatory text of successful or unsuccessful
22658deliveries.  See <a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a> for details.  </p>
22659
22660<p> This feature is available in Postfix 3.0 and later. </p>
22661
22662
22663</DD>
22664
22665<DT><b><a name="virtual_destination_concurrency_limit">virtual_destination_concurrency_limit</a>
22666(default: $<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b></DT><DD>
22667
22668<p> The maximal number of parallel deliveries to the same destination
22669via the virtual message delivery transport. This limit is enforced
22670by the queue manager. The message delivery transport name is the
22671first field in the entry in the <a href="master.5.html">master.cf</a> file.  </p>
22672
22673
22674</DD>
22675
22676<DT><b><a name="virtual_destination_recipient_limit">virtual_destination_recipient_limit</a>
22677(default: $<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b></DT><DD>
22678
22679<p> The maximal number of recipients per message for the virtual
22680message delivery transport. This limit is enforced by the queue
22681manager. The message delivery transport name is the first field in
22682the entry in the <a href="master.5.html">master.cf</a> file.  </p>
22683
22684<p> Setting this parameter to a value of 1 changes the meaning of
22685<a href="postconf.5.html#virtual_destination_concurrency_limit">virtual_destination_concurrency_limit</a> from concurrency per domain
22686into concurrency per recipient.  </p>
22687
22688
22689</DD>
22690
22691<DT><b><a name="virtual_gid_maps">virtual_gid_maps</a>
22692(default: empty)</b></DT><DD>
22693
22694<p>
22695Lookup tables with the per-recipient group ID for <a href="virtual.8.html">virtual(8)</a> mailbox
22696delivery.
22697</p>
22698
22699<p> This parameter is specific to the <a href="virtual.8.html">virtual(8)</a> delivery agent.
22700It does not apply when mail is delivered with a different mail
22701delivery program.  </p>
22702
22703<p>
22704Specify zero or more "type:name" lookup tables, separated by
22705whitespace or comma. Tables will be searched in the specified order
22706until a match is found.
22707</p>
22708
22709<p>
22710In a lookup table, specify a left-hand side of "@domain.tld" to
22711match any user in the specified domain that does not have a specific
22712"user@domain.tld" entry.
22713</p>
22714
22715<p>
22716When a recipient address has an optional address extension
22717(user+foo@domain.tld), the <a href="virtual.8.html">virtual(8)</a> delivery agent looks up
22718the full address first, and when the lookup fails, it looks up the
22719unextended address (user@domain.tld).
22720</p>
22721
22722<p>
22723Note 1: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent disallows
22724regular expression substitution of $1 etc. in regular expression
22725lookup tables, because that would open a security hole.
22726</p>
22727
22728<p>
22729Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent will
22730silently ignore requests to use the <a href="proxymap.8.html">proxymap(8)</a> server. Instead
22731it will open the table directly. Before Postfix version 2.2, the
22732<a href="virtual.8.html">virtual(8)</a> delivery agent will terminate with a fatal error.
22733</p>
22734
22735
22736</DD>
22737
22738<DT><b><a name="virtual_mailbox_base">virtual_mailbox_base</a>
22739(default: empty)</b></DT><DD>
22740
22741<p>
22742A prefix that the <a href="virtual.8.html">virtual(8)</a> delivery agent prepends to all pathname
22743results from $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> table lookups.  This is a safety
22744measure to ensure that an out of control map doesn't litter the
22745file system with mailboxes.  While <a href="postconf.5.html#virtual_mailbox_base">virtual_mailbox_base</a> could be
22746set to "/", this setting isn't recommended.
22747</p>
22748
22749<p> This parameter is specific to the <a href="virtual.8.html">virtual(8)</a> delivery agent.
22750It does not apply when mail is delivered with a different mail
22751delivery program.  </p>
22752
22753<p>
22754Example:
22755</p>
22756
22757<pre>
22758<a href="postconf.5.html#virtual_mailbox_base">virtual_mailbox_base</a> = /var/mail
22759</pre>
22760
22761
22762</DD>
22763
22764<DT><b><a name="virtual_mailbox_domains">virtual_mailbox_domains</a>
22765(default: $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b></DT><DD>
22766
22767<p> Postfix is the final destination for the specified list of domains;
22768mail is delivered via the $<a href="postconf.5.html#virtual_transport">virtual_transport</a> mail delivery transport.
22769By default this is the Postfix <a href="virtual.8.html">virtual(8)</a> delivery agent.  The SMTP
22770server validates recipient addresses with $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
22771and rejects mail for non-existent recipients.  See also the virtual
22772mailbox domain class in the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> file.  </p>
22773
22774<p> This parameter expects the same syntax as the <a href="postconf.5.html#mydestination">mydestination</a>
22775configuration parameter.  </p>
22776
22777<p>
22778This feature is available in Postfix 2.0 and later. The default
22779value is backwards compatible with Postfix version 1.1.
22780</p>
22781
22782
22783</DD>
22784
22785<DT><b><a name="virtual_mailbox_limit">virtual_mailbox_limit</a>
22786(default: 51200000)</b></DT><DD>
22787
22788<p>
22789The maximal size in bytes of an individual <a href="virtual.8.html">virtual(8)</a> mailbox or
22790maildir file, or zero (no limit).  </p>
22791
22792<p> This parameter is specific to the <a href="virtual.8.html">virtual(8)</a> delivery agent.
22793It does not apply when mail is delivered with a different mail
22794delivery program.  </p>
22795
22796
22797</DD>
22798
22799<DT><b><a name="virtual_mailbox_lock">virtual_mailbox_lock</a>
22800(default: see "postconf -d" output)</b></DT><DD>
22801
22802<p>
22803How to lock a UNIX-style <a href="virtual.8.html">virtual(8)</a> mailbox before attempting
22804delivery.  For a list of available file locking methods, use the
22805"<b>postconf -l</b>" command.
22806</p>
22807
22808<p> This parameter is specific to the <a href="virtual.8.html">virtual(8)</a> delivery agent.
22809It does not apply when mail is delivered with a different mail
22810delivery program.  </p>
22811
22812<p>
22813This setting is ignored with <b>maildir</b> style delivery, because
22814such deliveries are safe without application-level locks.
22815</p>
22816
22817<p>
22818Note 1: the <b>dotlock</b> method requires that the recipient UID
22819or GID has write access to the parent directory of the recipient's
22820mailbox file.
22821</p>
22822
22823<p>
22824Note 2: the default setting of this parameter is system dependent.
22825</p>
22826
22827
22828</DD>
22829
22830<DT><b><a name="virtual_mailbox_maps">virtual_mailbox_maps</a>
22831(default: empty)</b></DT><DD>
22832
22833<p>
22834Optional lookup tables with all valid addresses in the domains that
22835match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
22836</p>
22837
22838<p>
22839Specify zero or more "type:name" lookup tables, separated by
22840whitespace or comma. Tables will be searched in the specified order
22841until a match is found.
22842</p>
22843
22844<p>
22845In a lookup table, specify a left-hand side of "@domain.tld" to
22846match any user in the specified domain that does not have a specific
22847"user@domain.tld" entry.
22848</p>
22849
22850<p>
22851With the default "<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> = $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>",
22852lookup tables also need entries with a left-hand side of "domain.tld"
to satisfy <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> lookups (the right-hand side is
22854required but will not be used).
22855</p>
22856
22857<p> The remainder of this text is specific to the <a href="virtual.8.html">virtual(8)</a> delivery
22858agent.  It does not apply when mail is delivered with a different
22859mail delivery program.  </p>
22860
22861<p>
22862The <a href="virtual.8.html">virtual(8)</a> delivery agent uses this table to look up the
22863per-recipient mailbox or maildir pathname.  If the lookup result
22864ends in a slash ("/"), maildir-style delivery is carried out,
22865otherwise the path is assumed to specify a UNIX-style mailbox file.
22866Note that $<a href="postconf.5.html#virtual_mailbox_base">virtual_mailbox_base</a> is unconditionally prepended to
22867this path.
22868</p>
22869
22870<p>
22871When a recipient address has an optional address extension
22872(user+foo@domain.tld), the <a href="virtual.8.html">virtual(8)</a> delivery agent looks up
22873the full address first, and when the lookup fails, it looks up the
22874unextended address (user@domain.tld).
22875</p>
22876
22877<p>
22878Note 1: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent disallows
22879regular expression substitution of $1 etc. in regular expression
22880lookup tables, because that would open a security hole.
22881</p>
22882
22883<p>
22884Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent will
22885silently ignore requests to use the <a href="proxymap.8.html">proxymap(8)</a> server. Instead
22886it will open the table directly. Before Postfix version 2.2, the
22887<a href="virtual.8.html">virtual(8)</a> delivery agent will terminate with a fatal error.
22888</p>


</DD>

<DT><b><a name="virtual_maps">virtual_maps</a>
(default: empty)</b></DT><DD>

<p> Optional lookup tables with a) names of domains for which all
addresses are aliased to addresses in other local or remote domains,
and b) addresses that are aliased to addresses in other local or
remote domains.  Available before Postfix version 2.0. With Postfix
version 2.0 and later, this is replaced by separate controls: <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>
and <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>. </p>


</DD>

<DT><b><a name="virtual_minimum_uid">virtual_minimum_uid</a>
(default: 100)</b></DT><DD>

<p>
The minimum user ID value that the <a href="virtual.8.html">virtual(8)</a> delivery agent accepts
as a result from a $<a href="postconf.5.html#virtual_uid_maps">virtual_uid_maps</a> table lookup.  Returned
values less than this will be rejected, and the message will be
deferred.
</p>

<p> This parameter is specific to the <a href="virtual.8.html">virtual(8)</a> delivery agent.
It does not apply when mail is delivered with a different mail
delivery program.  </p>


</DD>

<DT><b><a name="virtual_transport">virtual_transport</a>
(default: virtual)</b></DT><DD>

<p>
The default mail delivery transport and next-hop destination for
final delivery to domains listed with $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
This information can be overruled with the <a href="transport.5.html">transport(5)</a> table.
</p>

<p>
Specify a string of the form <i>transport:nexthop</i>, where <i>transport</i>
is the name of a mail delivery transport defined in <a href="master.5.html">master.cf</a>.
The <i>:nexthop</i> destination is optional; its syntax is documented
in the manual page of the corresponding delivery agent.
</p>

<p>
This feature is available in Postfix 2.0 and later.
</p>


</DD>

<DT><b><a name="virtual_uid_maps">virtual_uid_maps</a>
(default: empty)</b></DT><DD>

<p>
Lookup tables with the per-recipient user ID that the <a href="virtual.8.html">virtual(8)</a>
delivery agent uses while writing to the recipient's mailbox.
</p>

<p> This parameter is specific to the <a href="virtual.8.html">virtual(8)</a> delivery agent.
It does not apply when mail is delivered with a different mail
delivery program.  </p>

<p>
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
until a match is found.
</p>

<p>
In a lookup table, specify a left-hand side of "@domain.tld"
to match any user in the specified domain that does not have a
specific "user@domain.tld" entry.
</p>

<p>
When a recipient address has an optional address extension
(user+foo@domain.tld), the <a href="virtual.8.html">virtual(8)</a> delivery agent looks up
the full address first, and when that lookup fails, it looks up the
unextended address (user@domain.tld).
</p>

<p>
Note 1: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent disallows
regular expression substitution of $1 etc. in regular expression
lookup tables, because that would open a security hole.
</p>

<p>
Note 2: for security reasons, the <a href="virtual.8.html">virtual(8)</a> delivery agent
silently ignores requests to use the <a href="proxymap.8.html">proxymap(8)</a> server. Instead
it opens the table directly. Before Postfix version 2.2, the
<a href="virtual.8.html">virtual(8)</a> delivery agent would terminate with a fatal error.
</p>
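<p> The following is an added example, not Postfix source: it models the
lookup order that <a href="virtual.8.html">virtual(8)</a> applies to both
<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (full address, then unextended address,
then "@domain.tld") and <a href="postconf.5.html#virtual_uid_maps">virtual_uid_maps</a>, together
with the <a href="postconf.5.html#virtual_minimum_uid">virtual_minimum_uid</a> check. The table
contents and the $<a href="postconf.5.html#virtual_mailbox_base">virtual_mailbox_base</a> value are constructed samples. </p>

```python
# Added illustration, not Postfix source: models how the virtual(8) delivery
# agent consults virtual_mailbox_maps and virtual_uid_maps (as described in
# postconf(5)) and applies virtual_minimum_uid. All table contents are
# constructed samples standing in for e.g. hash:/etc/postfix/vmailbox.

VIRTUAL_MAILBOX_BASE = "/var/mail/vhosts"   # constructed setting
VIRTUAL_MINIMUM_UID = 100                   # the documented default

MAILBOX_MAPS = {
    "alice@example.com": "example.com/alice/",  # trailing "/" -> maildir
    "bob@example.com": "example.com/bob",       # no slash -> UNIX mailbox file
    "@example.com": "example.com/catchall/",    # any other user in the domain
}
UID_MAPS = {
    "alice@example.com": "5000",
    "@example.com": "5000",
    "eve@example.com": "0",   # below virtual_minimum_uid: must not be accepted
}

def lookup(table, recipient):
    """Try the keys in the order virtual(8) tries them; return the first hit."""
    local, _, domain = recipient.rpartition("@")
    candidates = [recipient]                       # 1. full address
    if "+" in local:                               # 2. address without extension
        candidates.append(local.split("+", 1)[0] + "@" + domain)
    candidates.append("@" + domain)                # 3. domain-wide "@domain.tld"
    for key in candidates:
        if key in table:
            return key, table[key]
    return None, None

def resolve_mailbox(recipient):
    """Return (delivery style, absolute path) or None if no table entry matches."""
    _, path = lookup(MAILBOX_MAPS, recipient)
    if path is None:
        return None
    style = "maildir" if path.endswith("/") else "mbox"
    # $virtual_mailbox_base is unconditionally prepended to the lookup result.
    return style, VIRTUAL_MAILBOX_BASE + "/" + path

def resolve_uid(recipient):
    """Return ("ok", uid), or ("defer", uid) when uid < virtual_minimum_uid."""
    _, value = lookup(UID_MAPS, recipient)
    if value is None:
        return None
    uid = int(value)
    return ("defer" if uid < VIRTUAL_MINIMUM_UID else "ok"), uid
```

The "eve" entry shows why the minimum-UID check matters: a table entry that resolves to UID 0 would otherwise have the delivery agent write the mailbox as root, so the message is deferred instead.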


</DD>

</dl>

</body>

</html>
