1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 5<title> Postfix manual - smtp(8) </title> 6</head> <body> <pre> 7SMTP(8) SMTP(8) 8 9<b>NAME</b> 10 smtp - Postfix SMTP+LMTP client 11 12<b>SYNOPSIS</b> 13 <b>smtp</b> [generic Postfix daemon options] 14 15<b>DESCRIPTION</b> 16 The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery 17 protocols. It processes message delivery requests from the queue man- 18 ager. Each request specifies a queue file, a sender address, a domain 19 or host to deliver to, and recipient information. This program expects 20 to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager. 21 22 The SMTP+LMTP client updates the queue file and marks recipients as 23 finished, or it informs the queue manager that delivery should be tried 24 again at a later time. Delivery status reports are sent to the 25 <a href="bounce.8.html"><b>bounce</b>(8)</a>, <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate. 26 27 The SMTP+LMTP client looks up a list of mail exchanger addresses for 28 the destination host, sorts the list by preference, and connects to 29 each listed address until it finds a server that responds. 30 31 When a server is not reachable, or when mail delivery fails due to a 32 recoverable error condition, the SMTP+LMTP client will try to deliver 33 the mail to an alternate host. 34 35 After a successful mail transaction, a connection may be saved to the 36 <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it may be used by any 37 SMTP+LMTP client for a subsequent transaction. 38 39 By default, connection caching is enabled temporarily for destinations 40 that have a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. Connection caching 41 can be enabled permanently for specific destinations. 42 43<b>SMTP DESTINATION SYNTAX</b> 44 SMTP destinations have the following form: 45 46 <i>domainname</i> 47 48 <i>domainname</i>:<i>port</i> 49 Look up the mail exchangers for the specified domain, and con- 50 nect to the specified port (default: <b>smtp</b>). 51 52 [<i>hostname</i>] 53 54 [<i>hostname</i>]:<i>port</i> 55 Look up the address(es) of the specified host, and connect to 56 the specified port (default: <b>smtp</b>). 57 58 [<i>address</i>] 59 60 [<i>address</i>]:<i>port</i> 61 Connect to the host at the specified address, and connect to the 62 specified port (default: <b>smtp</b>). An IPv6 address must be format- 63 ted as [<b>ipv6</b>:<i>address</i>]. 64 65<b>LMTP DESTINATION SYNTAX</b> 66 LMTP destinations have the following form: 67 68 <b>unix</b>:<i>pathname</i> 69 Connect to the local UNIX-domain server that is bound to the 70 specified <i>pathname</i>. If the process runs chrooted, an absolute 71 pathname is interpreted relative to the Postfix queue directory. 72 73 <b>inet</b>:<i>hostname</i> 74 75 <b>inet</b>:<i>hostname</i>:<i>port</i> 76 77 <b>inet</b>:[<i>address</i>] 78 79 <b>inet</b>:[<i>address</i>]:<i>port</i> 80 Connect to the specified TCP port on the specified local or 81 remote host. If no port is specified, connect to the port 82 defined as <b>lmtp</b> in <b>services</b>(4). If no such service is found, 83 the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b> configuration parameter (default value of 24) 84 will be used. An IPv6 address must be formatted as 85 [<b>ipv6</b>:<i>address</i>]. 86 87<b>SECURITY</b> 88 The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP 89 or LMTP servers and to DNS servers on the network. The SMTP+LMTP client 90 can be run chrooted at fixed low privilege. 91 92<b>STANDARDS</b> 93 <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol) 94 <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages) 95 <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions) 96 <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport) 97 <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration) 98 <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol) 99 <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes) 100 <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies) 101 <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types) 102 <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command) 103 <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol) 104 <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining) 105 <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command) 106 <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension) 107 <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes) 108 <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command) 109 <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a> (SMTP protocol) 110 111<b>DIAGNOSTICS</b> 112 Problems and transactions are logged to <b>syslogd</b>(8). Corrupted message 113 files are marked so that the queue manager can move them to the <b>corrupt</b> 114 queue for further inspection. 115 116 Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter, the postmas- 117 ter is notified of bounces, protocol problems, and of other trouble. 118 119<b>BUGS</b> 120 SMTP and LMTP connection caching does not work with TLS. The necessary 121 support for TLS object passivation and re-activation does not exist 122 without closing the session, which defeats the purpose. 123 124 SMTP and LMTP connection caching assumes that SASL credentials are 125 valid for all destinations that map onto the same IP address and TCP 126 port. 127 128<b>CONFIGURATION PARAMETERS</b> 129 Before Postfix version 2.3, the LMTP client is a separate program that 130 implements only a subset of the functionality available with SMTP: 131 there is no support for TLS, and connections are cached in-process, 132 making it ineffective when the client is used for multiple domains. 133 134 Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i> "mirror" param- 135 eter for the equivalent LMTP feature. This document describes only 136 those LMTP-related parameters that aren't simply "mirror" parameters. 137 138 Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a> processes 139 run for only a limited amount of time. Use the command "<b>postfix reload</b>" 140 to speed up a change. 141 142 The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for 143 more details including examples. 144 145<b>COMPATIBILITY CONTROLS</b> 146 <b><a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> (no)</b> 147 Ignore DNS MX lookups that produce no response. 148 149 <b><a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> (yes)</b> 150 Always send EHLO at the start of an SMTP session. 151 152 <b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b> 153 Never send EHLO at the start of an SMTP session. 154 155 <b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b> 156 Defer mail delivery when no MX record resolves to an IP address. 157 158 <b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (998)</b> 159 The maximal length of message header and body lines that Postfix 160 will send via SMTP. 161 162 <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b> 163 How long the Postfix SMTP client pauses before sending 164 ".<CR><LF>" in order to work around the PIX firewall 165 "<CR><LF>.<CR><LF>" bug. 166 167 <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b> 168 How long a message must be queued before the Postfix SMTP client 169 turns on the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for 170 delivery through firewalls with "smtp fixup" mode turned on. 171 172 <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b> 173 A list that specifies zero or more workarounds for CISCO PIX 174 firewall bugs. 175 176 <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b> 177 Lookup tables, indexed by the remote SMTP server address, with 178 per-destination workarounds for CISCO PIX firewall bugs. 179 180 <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b> 181 Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO 182 commands as required by <a href="http://tools.ietf.org/html/rfc5321">RFC 5321</a>. 183 184 <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b> 185 A mechanism to transform replies from remote SMTP servers one 186 line at a time. 187 188 <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b> 189 Skip remote SMTP servers that greet with a 5XX status code. 190 191 <b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b> 192 Do not wait for the response to the SMTP QUIT command. 193 194 Available in Postfix version 2.0 and earlier: 195 196 <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b> 197 Skip SMTP servers that greet with a 4XX status code (go away, 198 try again later). 199 200 Available in Postfix version 2.2 and later: 201 202 <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b> 203 Lookup tables, indexed by the remote SMTP server address, with 204 case insensitive lists of EHLO keywords (pipelining, starttls, 205 auth, etc.) that the Postfix SMTP client will ignore in the EHLO 206 response from a remote SMTP server. 207 208 <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b> 209 A case insensitive list of EHLO keywords (pipelining, starttls, 210 auth, etc.) that the Postfix SMTP client will ignore in the EHLO 211 response from a remote SMTP server. 212 213 <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b> 214 Optional lookup tables that perform address rewriting in the 215 Postfix SMTP client, typically to transform a locally valid 216 address into a globally valid address when sending mail across 217 the Internet. 218 219 Available in Postfix version 2.2.9 and later: 220 221 <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b> 222 Allow DNS CNAME records to override the servername that the 223 Postfix SMTP client uses for logging, SASL password lookup, TLS 224 policy decisions, or TLS certificate verification. 225 226 Available in Postfix version 2.3 and later: 227 228 <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b> 229 Lookup tables, indexed by the remote LMTP server address, with 230 case insensitive lists of LHLO keywords (pipelining, starttls, 231 auth, etc.) that the Postfix LMTP client will ignore in the LHLO 232 response from a remote LMTP server. 233 234 <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b> 235 A case insensitive list of LHLO keywords (pipelining, starttls, 236 auth, etc.) that the Postfix LMTP client will ignore in the LHLO 237 response from a remote LMTP server. 238 239 Available in Postfix version 2.4.4 and later: 240 241 <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b> 242 When authenticating to a remote SMTP or LMTP server with the 243 default setting "no", send no SASL authoriZation ID (authzid); 244 send only the SASL authentiCation ID (authcid) plus the auth- 245 cid's password. 246 247 Available in Postfix version 2.5 and later: 248 249 <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b> 250 Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client. 251 252 <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b> 253 Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP 254 client. 255 256 <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b> 257 Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP 258 client. 259 260 <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b> 261 Restricted <a href="header_checks.5.html"><b>body_checks</b>(5)</a> tables for the Postfix SMTP client. 262 263 Available in Postfix version 2.6 and later: 264 265 <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b> 266 An optional workaround for routers that break TCP window scal- 267 ing. 268 269 Available in Postfix version 2.8 and later: 270 271 <b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b> 272 DNS Resolver options for the Postfix SMTP client. 273 274 Available in Postfix version 2.9 and later: 275 276 <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> 277 Change the behavior of the smtp_*_timeout time limits, from a 278 time limit per read or write system call, to a time limit to 279 send or receive a complete record (an SMTP command line, SMTP 280 response line, SMTP message content line, or TLS protocol mes- 281 sage). 282 283 <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> 284 Whether or not to append the "AUTH=<>" option to the MAIL FROM 285 command in SASL-authenticated SMTP sessions. 286 287 Available in Postfix version 2.11 and later: 288 289 <b><a href="postconf.5.html#smtp_dns_support_level">smtp_dns_support_level</a> (empty)</b> 290 Level of DNS support in the Postfix SMTP client. 291 292<b>MIME PROCESSING CONTROLS</b> 293 Available in Postfix version 2.0 and later: 294 295 <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b> 296 Disable the conversion of 8BITMIME format to 7BIT format. 297 298 <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b> 299 The maximal length of MIME multipart boundary strings. 300 301 <b><a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> (100)</b> 302 The maximal recursion level that the MIME processor will handle. 303 304<b>EXTERNAL CONTENT INSPECTION CONTROLS</b> 305 Available in Postfix version 2.1 and later: 306 307 <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b> 308 Send the non-standard XFORWARD command when the Postfix SMTP 309 server EHLO response announces XFORWARD support. 310 311<b>SASL AUTHENTICATION CONTROLS</b> 312 <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b> 313 Enable SASL authentication in the Postfix SMTP client. 314 315 <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b> 316 Optional Postfix SMTP client lookup tables with one user- 317 name:password entry per remote hostname or domain, or sender 318 address when sender-dependent authentication is enabled. 319 320 <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b> 321 Postfix SMTP client SASL security options; as of Postfix 2.3 the 322 list of available features depends on the SASL client implemen- 323 tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. 324 325 Available in Postfix version 2.2 and later: 326 327 <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b> 328 If non-empty, a Postfix SMTP client filter for the remote SMTP 329 server's list of offered SASL mechanisms. 330 331 Available in Postfix version 2.3 and later: 332 333 <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b> 334 Enable sender-dependent authentication in the Postfix SMTP 335 client; this is available only with SASL authentication, and 336 disables SMTP connection caching to ensure that mail from dif- 337 ferent senders will use the appropriate credentials. 338 339 <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b> 340 Implementation-specific information that the Postfix SMTP client 341 passes through to the SASL plug-in implementation that is 342 selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. 343 344 <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b> 345 The SASL plug-in type that the Postfix SMTP client should use 346 for authentication. 347 348 Available in Postfix version 2.5 and later: 349 350 <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b> 351 An optional table to prevent repeated SASL authentication fail- 352 ures with the same remote SMTP server hostname, username and 353 password. 354 355 <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b> 356 The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it 357 is removed. 358 359 <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b> 360 When a remote SMTP server rejects a SASL authentication request 361 with a 535 reply code, defer mail delivery instead of returning 362 mail as undeliverable. 363 364 Available in Postfix version 2.9 and later: 365 366 <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> 367 Whether or not to append the "AUTH=<>" option to the MAIL FROM 368 command in SASL-authenticated SMTP sessions. 369 370<b>STARTTLS SUPPORT CONTROLS</b> 371 Detailed information about STARTTLS configuration may be found in the 372 <a href="TLS_README.html">TLS_README</a> document. 373 374 <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b> 375 The default SMTP TLS security level for the Postfix SMTP client; 376 when a non-empty value is specified, this overrides the obsolete 377 parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and 378 <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. 379 380 <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b> 381 The SASL authentication security options that the Postfix SMTP 382 client uses for TLS encrypted SMTP sessions. 383 384 <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b> 385 Time limit for Postfix SMTP client write and read operations 386 during TLS startup and shutdown handshake procedures. 387 388 <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b> 389 A file containing CA certificates of root CAs trusted to sign 390 either remote SMTP server certificates or intermediate CA cer- 391 tificates. 392 393 <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b> 394 Directory with PEM format certificate authority certificates 395 that the Postfix SMTP client uses to verify a remote SMTP server 396 certificate. 397 398 <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b> 399 File with the Postfix SMTP client RSA certificate in PEM format. 400 401 <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b> 402 The minimum TLS cipher grade that the Postfix SMTP client will 403 use with mandatory TLS encryption. 404 405 <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b> 406 List of ciphers or cipher types to exclude from the Postfix SMTP 407 client cipher list at all TLS security levels. 408 409 <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b> 410 Additional list of ciphers or cipher types to exclude from the 411 Postfix SMTP client cipher list at mandatory TLS security lev- 412 els. 413 414 <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b> 415 File with the Postfix SMTP client DSA certificate in PEM format. 416 417 <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b> 418 File with the Postfix SMTP client DSA private key in PEM format. 419 420 <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b> 421 File with the Postfix SMTP client RSA private key in PEM format. 422 423 <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b> 424 Enable additional Postfix SMTP client logging of TLS activity. 425 426 <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b> 427 Log the hostname of a remote SMTP server that offers STARTTLS, 428 when TLS is not already enabled for that server. 429 430 <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b> 431 Optional lookup tables with the Postfix SMTP client TLS security 432 policy by next-hop destination; when a non-empty value is speci- 433 fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. 434 435 <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b> 436 List of SSL/TLS protocols that the Postfix SMTP client will use 437 with mandatory TLS encryption. 438 439 <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b> 440 The verification depth for remote SMTP server certificates. 441 442 <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b> 443 How the Postfix SMTP client verifies the server certificate 444 peername for the "secure" TLS security level. 445 446 <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b> 447 Name of the file containing the optional Postfix SMTP client TLS 448 session cache. 449 450 <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b> 451 The expiration time of Postfix SMTP client TLS session cache 452 information. 453 454 <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b> 455 How the Postfix SMTP client verifies the server certificate 456 peername for the "verify" TLS security level. 457 458 <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b> 459 The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> 460 process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its 461 internal pseudo random number generator (PRNG). 462 463 <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b> 464 The OpenSSL cipherlist for "HIGH" grade ciphers. 465 466 <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b> 467 The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. 468 469 <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b> 470 The OpenSSL cipherlist for "LOW" or higher grade ciphers. 471 472 <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b> 473 The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. 474 475 <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b> 476 The OpenSSL cipherlist for "NULL" grade ciphers that provide 477 authentication without encryption. 478 479 Available in Postfix version 2.4 and later: 480 481 <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b> 482 <b><a href="postconf.5.html#smtp_sasl_tls_security_options">rity_options</a>)</b> 483 The SASL authentication security options that the Postfix SMTP 484 client uses for TLS encrypted SMTP sessions with a verified 485 server certificate. 486 487 Available in Postfix version 2.5 and later: 488 489 <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b> 490 List of acceptable remote SMTP server certificate fingerprints 491 for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b> 492 <b><a href="postconf.5.html#smtp_tls_security_level">rity_level</a></b> = fingerprint). 493 494 <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b> 495 The message digest algorithm used to construct remote SMTP 496 server certificate fingerprints. 497 498 Available in Postfix version 2.6 and later: 499 500 <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b> 501 List of TLS protocols that the Postfix SMTP client will exclude 502 or include with opportunistic TLS encryption. 503 504 <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b> 505 The minimum TLS cipher grade that the Postfix SMTP client will 506 use with opportunistic TLS encryption. 507 508 <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b> 509 File with the Postfix SMTP client ECDSA certificate in PEM for- 510 mat. 511 512 <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b> 513 File with the Postfix SMTP client ECDSA private key in PEM for- 514 mat. 515 516 Available in Postfix version 2.7 and later: 517 518 <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b> 519 Try to detect a mail hijacking attack based on a TLS protocol 520 vulnerability (CVE-2009-3555), where an attacker prepends mali- 521 cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client 522 TLS session. 523 524 Available in Postfix version 2.8 and later: 525 526 <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b> 527 List or bit-mask of OpenSSL bug work-arounds to disable. 528 529 Available in Postfix version 2.11 and later: 530 531 <b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b> 532 Zero or more PEM-format files with trust-anchor certificates 533 and/or public keys. 534 535 <b><a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> (no)</b> 536 Lookup the associated DANE TLSA RRset even when a hostname is 537 not an alias and its address records lie in an unsigned zone. 538 539 <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b> 540 <a href="http://tools.ietf.org/html/rfc6698">RFC 6698</a> trust-anchor digest support in the Postfix TLS library. 541 542 <b><a href="postconf.5.html#tlsmgr_service_name">tlsmgr_service_name</a> (tlsmgr)</b> 543 The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>. 544 545<b>OBSOLETE STARTTLS CONTROLS</b> 546 The following configuration parameters exist for compatibility with 547 Postfix versions before 2.3. Support for these will be removed in a 548 future release. 549 550 <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b> 551 Opportunistic mode: use TLS when a remote SMTP server announces 552 STARTTLS support, otherwise send the mail in the clear. 553 554 <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b> 555 Enforcement mode: require that remote SMTP servers use TLS 556 encryption, and never send mail in the clear. 557 558 <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b> 559 With mandatory TLS encryption, require that the remote SMTP 560 server hostname matches the information in the remote SMTP 561 server certificate. 562 563 <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b> 564 Optional lookup tables with the Postfix SMTP client TLS usage 565 policy by next-hop destination and by remote SMTP server host- 566 name. 567 568 <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b> 569 Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS 570 cipher list. 571 572<b>RESOURCE AND RATE CONTROLS</b> 573 <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b> 574 <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b> 575 The maximal number of parallel deliveries to the same destina- 576 tion via the smtp message delivery transport. 577 578 <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b> 579 The maximal number of recipients per message for the smtp mes- 580 sage delivery transport. 581 582 <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b> 583 The Postfix SMTP client time limit for completing a TCP connec- 584 tion, or zero (use the operating system built-in time limit). 585 586 <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b> 587 The Postfix SMTP client time limit for sending the HELO or EHLO 588 command, and for receiving the initial remote SMTP server 589 response. 590 591 <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b> 592 The Postfix LMTP client time limit for sending the LHLO command, 593 and for receiving the initial remote LMTP server response. 594 595 <b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b> 596 The Postfix SMTP client time limit for sending the XFORWARD com- 597 mand, and for receiving the remote SMTP server response. 598 599 <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b> 600 The Postfix SMTP client time limit for sending the MAIL FROM 601 command, and for receiving the remote SMTP server response. 602 603 <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b> 604 The Postfix SMTP client time limit for sending the SMTP RCPT TO 605 command, and for receiving the remote SMTP server response. 606 607 <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b> 608 The Postfix SMTP client time limit for sending the SMTP DATA 609 command, and for receiving the remote SMTP server response. 610 611 <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b> 612 The Postfix SMTP client time limit for sending the SMTP message 613 content. 614 615 <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b> 616 The Postfix SMTP client time limit for sending the SMTP ".", and 617 for receiving the remote SMTP server response. 618 619 <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b> 620 The Postfix SMTP client time limit for sending the QUIT command, 621 and for receiving the remote SMTP server response. 622 623 Available in Postfix version 2.1 and later: 624 625 <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b> 626 The maximal number of MX (mail exchanger) IP addresses that can 627 result from Postfix SMTP client mail exchanger lookups, or zero 628 (no limit). 629 630 <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b> 631 The maximal number of SMTP sessions per delivery request before 632 the Postfix SMTP client gives up or delivers to a fall-back 633 <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit). 634 635 <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b> 636 The Postfix SMTP client time limit for sending the RSET command, 637 and for receiving the remote SMTP server response. 638 639 Available in Postfix version 2.2 and earlier: 640 641 <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b> 642 Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a> 643 seconds. 644 645 Available in Postfix version 2.2 and later: 646 647 <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b> 648 Permanently enable SMTP connection caching for the specified 649 destinations. 650 651 <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b> 652 Temporarily enable SMTP connection caching while a destination 653 has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. 654 655 <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b> 656 The amount of time during which Postfix will use an SMTP connec- 657 tion repeatedly. 658 659 <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b> 660 When SMTP connection caching is enabled, the amount of time that 661 an unused SMTP client socket is kept open before it is closed. 662 663 Available in Postfix version 2.3 and later: 664 665 <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b> 666 Time limit for connection cache connect, send or receive opera- 667 tions. 668 669 Available in Postfix version 2.9 and later: 670 671 <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> 672 Change the behavior of the smtp_*_timeout time limits, from a 673 time limit per read or write system call, to a time limit to 674 send or receive a complete record (an SMTP command line, SMTP 675 response line, SMTP message content line, or TLS protocol mes- 676 sage). 677 678 Available in Postfix version 2.11 and later: 679 680 <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b> 681 When SMTP connection caching is enabled, the number of times 682 that an SMTP session may be reused before it is closed, or zero 683 (no limit). 684 685<b>TROUBLE SHOOTING CONTROLS</b> 686 <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> 687 The increment in verbose logging level when a remote client or 688 server matches a pattern in the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. 689 690 <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b> 691 Optional list of remote client or server hostname or network 692 address patterns that cause the verbose logging level to 693 increase by the amount specified in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>. 694 695 <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b> 696 The recipient of postmaster notifications about mail delivery 697 problems that are caused by policy, resource, software or proto- 698 col errors. 699 700 <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b> 701 What categories of Postfix-generated mail are subject to before- 702 queue content inspection by <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and 703 <a href="postconf.5.html#body_checks">body_checks</a>. 704 705 <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b> 706 The list of error classes that are reported to the postmaster. 707 708<b>MISCELLANEOUS CONTROLS</b> 709 <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b> 710 Where the Postfix SMTP client should deliver mail when it 711 detects a "mail loops back to myself" error condition. 712 713 <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> 714 The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- 715 figuration files. 716 717 <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> 718 How much time a Postfix daemon process may take to handle a 719 request before it is terminated by a built-in watchdog timer. 720 721 <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> 722 The maximal number of digits after the decimal point when log- 723 ging sub-second delay values. 724 725 <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b> 726 Disable DNS lookups in the Postfix SMTP and LMTP clients. 727 728 <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> 729 The network interface addresses that this mail system receives 730 mail on. 731 732 <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b> 733 The Internet protocols Postfix will attempt to use when making 734 or accepting connections. 735 736 <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> 737 The time limit for sending or receiving information over an 738 internal communication channel. 739 740 <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b> 741 When a remote LMTP server announces no DSN support, assume that 742 the server performs final delivery, and send "delivered" deliv- 743 ery status notifications instead of "relayed". 744 745 <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b> 746 The default TCP port that the Postfix LMTP client connects to. 747 748 <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> 749 The maximum amount of time that an idle Postfix daemon process 750 waits for an incoming connection before terminating voluntarily. 751 752 <b><a href="postconf.5.html#max_use">max_use</a> (100)</b> 753 The maximal number of incoming connections that a Postfix daemon 754 process will service before terminating voluntarily. 755 756 <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> 757 The process ID of a Postfix command or daemon process. 758 759 <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> 760 The process name of a Postfix command or daemon process. 761 762 <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> 763 The network interface addresses that this mail system receives 764 mail on by way of a proxy or network address translation unit. 765 766 <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b> 767 The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP 768 client will try first, when a destination has IPv6 and IPv4 769 addresses with equal MX preference. 770 771 <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b> 772 An optional numerical network address that the Postfix SMTP 773 client should bind to when making an IPv4 connection. 774 775 <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b> 776 An optional numerical network address that the Postfix SMTP 777 client should bind to when making an IPv6 connection. 778 779 <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> 780 The hostname to send in the SMTP EHLO or HELO command. 781 782 <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> 783 The hostname to send in the LMTP LHLO command. 784 785 <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b> 786 What mechanisms the Postfix SMTP client uses to look up a host's 787 IP address. 788 789 <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b> 790 Randomize the order of equal-preference MX host addresses. 791 792 <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> 793 The syslog facility of Postfix logging. 794 795 <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> 796 The mail system name that is prepended to the process name in 797 syslog records, so that "smtpd" becomes, for example, "post- 798 fix/smtpd". 799 800 Available with Postfix 2.2 and earlier: 801 802 <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b> 803 Optional list of relay hosts for SMTP destinations that can't be 804 found or that are unreachable. 805 806 Available with Postfix 2.3 and later: 807 808 <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b> 809 Optional list of relay hosts for SMTP destinations that can't be 810 found or that are unreachable. 811 812<b>SEE ALSO</b> 813 <a href="generic.5.html">generic(5)</a>, output address rewriting 814 <a href="header_checks.5.html">header_checks(5)</a>, message header content inspection 815 <a href="header_checks.5.html">body_checks(5)</a>, body parts content inspection 816 <a href="qmgr.8.html">qmgr(8)</a>, queue manager 817 <a href="bounce.8.html">bounce(8)</a>, delivery status reports 818 <a href="scache.8.html">scache(8)</a>, connection cache server 819 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 820 <a href="master.5.html">master(5)</a>, generic daemon options 821 <a href="master.8.html">master(8)</a>, process manager 822 <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management 823 syslogd(8), system logging 824 825<b>README FILES</b> 826 <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto 827 <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto 828 829<b>LICENSE</b> 830 The Secure Mailer license must be distributed with this software. 831 832<b>AUTHOR(S)</b> 833 Wietse Venema 834 IBM T.J. Watson Research 835 P.O. Box 704 836 Yorktown Heights, NY 10598, USA 837 838 Command pipelining in cooperation with: 839 Jon Ribbens 840 Oaktree Internet Solutions Ltd., 841 Internet House, 842 Canal Basin, 843 Coventry, 844 CV1 4LY, United Kingdom. 845 846 SASL support originally by: 847 Till Franke 848 SuSE Rhein/Main AG 849 65760 Eschborn, Germany 850 851 TLS support originally by: 852 Lutz Jaenicke 853 BTU Cottbus 854 Allgemeine Elektrotechnik 855 Universitaetsplatz 3-4 856 D-03044 Cottbus, Germany 857 858 Revised TLS and SMTP connection cache support by: 859 Victor Duchovni 860 Morgan Stanley 861 862 SMTP(8) 863</pre> </body> </html> 864