<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - smtp(8) </title>
</head> <body> <pre>
SMTP(8)                                                                SMTP(8)

<b>NAME</b>
       smtp - Postfix SMTP+LMTP client

<b>SYNOPSIS</b>
       <b>smtp</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The Postfix SMTP+LMTP client implements the SMTP and LMTP
       mail delivery protocols. It processes message delivery
       requests from the queue manager. Each request specifies a
       queue file, a sender address, a domain or host to deliver
       to, and recipient information. This program expects to be
       run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.

       The SMTP+LMTP client updates the queue file and marks
       recipients as finished, or it informs the queue manager
       that delivery should be tried again at a later time.
       Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>,
       <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.

       The SMTP+LMTP client looks up a list of mail exchanger
       addresses for the destination host, sorts the list by
       preference, and connects to each listed address until it
       finds a server that responds.

       When a server is not reachable, or when mail delivery
       fails due to a recoverable error condition, the SMTP+LMTP
       client will try to deliver the mail to an alternate host.

       After a successful mail transaction, a connection may be
       saved to the <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it
       may be used by any SMTP+LMTP client for a subsequent
       transaction.

       By default, connection caching is enabled temporarily for
       destinations that have a high volume of mail in the active
       queue. Connection caching can be enabled permanently for
       specific destinations.

<b>SMTP DESTINATION SYNTAX</b>
       SMTP destinations have the following form:

       <i>domainname</i>

       <i>domainname</i>:<i>port</i>
              Look up the mail exchangers for the specified
              domain, and connect to the specified port (default:
              <b>smtp</b>).

       [<i>hostname</i>]

       [<i>hostname</i>]:<i>port</i>
              Look up the address(es) of the specified host, and
              connect to the specified port (default: <b>smtp</b>).

       [<i>address</i>]

       [<i>address</i>]:<i>port</i>
              Connect to the host at the specified address, and
              connect to the specified port (default: <b>smtp</b>). An
              IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>].

<b>LMTP DESTINATION SYNTAX</b>
       LMTP destinations have the following form:

       <b>unix</b>:<i>pathname</i>
              Connect to the local UNIX-domain server that is
              bound to the specified <i>pathname</i>. If the process
              runs chrooted, an absolute pathname is interpreted
              relative to the Postfix queue directory.

       <b>inet</b>:<i>hostname</i>

       <b>inet:</b><i>hostname</i>:<i>port</i>

       <b>inet</b>:[<i>address</i>]

       <b>inet</b>:[<i>address</i>]:<i>port</i>
              Connect to the specified TCP port on the specified
              local or remote host. If no port is specified, connect
              to the port defined as <b>lmtp</b> in <b>services</b>(4).
              If no such service is found, the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b>
              configuration parameter (default value of 24) will be
              used. An IPv6 address must be formatted as
              [<b>ipv6</b>:<i>address</i>].

<b>SECURITY</b>
       The SMTP+LMTP client is moderately security-sensitive. It
       talks to SMTP or LMTP servers and to DNS servers on the
       network. The SMTP+LMTP client can be run chrooted at fixed
       low privilege.
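
The destination forms above decide whether the client consults MX records (bare domainname) or connects to a named host or address (bracketed form), which is worth checking when reviewing configured next-hop destinations. The Python code below is an added example, not code from the Postfix manual or source: it classifies a destination string according to those rules. Function and class names are hypothetical, the sample values and the queue directory /var/spool/postfix are constructed, and case-insensitive matching of the ipv6: prefix is an assumption.

```python
# Added example (not Postfix code): classify smtp(8) destination strings.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

_NAME = re.compile(r"[A-Za-z0-9._-]+")      # hostname / domain characters
_SERVICE = re.compile(r"[A-Za-z0-9_-]+")    # service name or port number


class DestinationError(ValueError):
    """The string matches none of the forms in the manual page."""


@dataclass(frozen=True)
class Destination:
    transport: str        # "smtp" or "lmtp"
    lookup: str           # "mx", "host", "address" or "unix"
    target: str           # domain, hostname, IP address or socket path
    port: Optional[str]   # service name or number; None for UNIX sockets


def _port(rest, default):
    """rest is whatever follows the host part: '' or ':port'."""
    if rest == "":
        return default
    port = rest[1:]
    if rest[0] != ":" or not _SERVICE.fullmatch(port):
        raise DestinationError("expected ':port', got %r" % rest)
    if port.isdigit() and int(port) not in range(1, 65536):
        raise DestinationError("port out of range: %s" % port)
    return port


def _inet(spec, transport, bare_lookup, default_port):
    if spec.startswith("["):
        inner, close, rest = spec[1:].partition("]")
        if not close or not inner:
            raise DestinationError("unbalanced or empty brackets: %r" % spec)
        port = _port(rest, default_port)
        # Assumption: the "ipv6:" prefix is matched case-insensitively.
        if inner[:5].lower() == "ipv6:":
            try:
                addr = ipaddress.IPv6Address(inner[5:])
            except ValueError:
                raise DestinationError("bad IPv6 address: %r" % inner) from None
            return Destination(transport, "address", str(addr), port)
        try:
            addr = ipaddress.ip_address(inner)
        except ValueError:
            # Not an address literal, so it is a hostname: no MX lookup.
            if not _NAME.fullmatch(inner):
                raise DestinationError("bad hostname: %r" % inner) from None
            return Destination(transport, "host", inner.lower(), port)
        if addr.version == 6:
            raise DestinationError("IPv6 must be written [ipv6:address]")
        return Destination(transport, "address", str(addr), port)
    # No brackets: for SMTP the name is a domain and MX records are consulted.
    name, colon, port = spec.partition(":")
    if not _NAME.fullmatch(name):
        raise DestinationError("bad name: %r" % spec)
    return Destination(transport, bare_lookup, name.lower(),
                       _port(colon + port, default_port))


def parse_smtp_destination(spec):
    """domainname[:port], [hostname][:port] or [address][:port]."""
    return _inet(spec.strip(), "smtp", "mx", "smtp")


def parse_lmtp_destination(spec, chroot_queue_dir=None):
    """unix:pathname or inet:host[:port], as in LMTP DESTINATION SYNTAX."""
    kind, colon, rest = spec.strip().partition(":")
    if colon and kind == "unix" and rest:
        # Chrooted: an absolute pathname is relative to the queue directory.
        if chroot_queue_dir and rest.startswith("/"):
            rest = chroot_queue_dir.rstrip("/") + rest
        return Destination("lmtp", "unix", rest, None)
    if colon and kind == "inet":
        # "lmtp" is resolved via services(4), else lmtp_tcp_port (24).
        return _inet(rest, "lmtp", "host", "lmtp")
    raise DestinationError("expected unix:pathname or inet:host: %r" % spec)


# Constructed sample values; the last one lacks the required ipv6: prefix.
SAMPLES = ["example.com", "[mail.example.com]:587", "[192.0.2.25]",
           "[ipv6:2001:db8::25]:submission", "[2001:db8::25]"]

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            print(s, "=>", parse_smtp_destination(s))
        except DestinationError as err:
            print(s, "=> rejected:", err)
    # Constructed socket path and assumed queue directory.
    print(parse_lmtp_destination("unix:/private/lmtp-sock", "/var/spool/postfix"))
```
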

<b>STANDARDS</b>
       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
       <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
       <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8). Corrupted
       message files are marked so that the queue manager
       can move them to the <b>corrupt</b> queue for further inspection.

       Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
       the postmaster is notified of bounces, protocol problems,
       and of other trouble.

<b>BUGS</b>
       SMTP and LMTP connection caching does not work with TLS.
       The necessary support for TLS object passivation and
       re-activation does not exist without closing the session,
       which defeats the purpose.

       SMTP and LMTP connection caching assumes that SASL credentials
       are valid for all destinations that map onto the
       same IP address and TCP port.

<b>CONFIGURATION PARAMETERS</b>
       Before Postfix version 2.3, the LMTP client is a separate
       program that implements only a subset of the functionality
       available with SMTP: there is no support for TLS, and connections
       are cached in-process, making it ineffective when
       the client is used for multiple domains.

       Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i>
       "mirror" parameter for the equivalent LMTP feature. This
       document describes only those LMTP-related parameters that
       aren't simply "mirror" parameters.

       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a>
       processes run for only a limited amount of time. Use the
       command "<b>postfix reload</b>" to speed up a change.

       The text below provides only a parameter summary. See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.

<b>COMPATIBILITY CONTROLS</b>
       <b><a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> (no)</b>
              Ignore DNS MX lookups that produce no response.

       <b><a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> (yes)</b>
              Always send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
              Never send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
              Defer mail delivery when no MX record resolves to
              an IP address.

       <b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
              The maximal length of message header and body lines
              that Postfix will send via SMTP.

       <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
              How long the Postfix SMTP client pauses before
              sending ".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX
              firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.

       <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
              How long a message must be queued before the Postfix
              SMTP client turns on the PIX firewall
              "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround for delivery
              through firewalls with "smtp fixup" mode turned on.

       <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b>
              A list that specifies zero or more workarounds for
              CISCO PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP server
              address, with per-destination workarounds for CISCO
              PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
              Quote addresses in SMTP MAIL FROM and RCPT TO commands
              as required by <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.

       <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 5XX status code
              (go away, do not try again later).

       <b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
              Do not wait for the response to the SMTP QUIT command.

       Available in Postfix version 2.0 and earlier:

       <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 4XX status code
              (go away, try again later).

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP server
              address, with case insensitive lists of EHLO keywords
              (pipelining, starttls, auth, etc.) that the
              Postfix SMTP client will ignore in the EHLO
              response from a remote SMTP server.

       <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
              A case insensitive list of EHLO keywords (pipelining,
              starttls, auth, etc.) that the Postfix SMTP
              client will ignore in the EHLO response from a
              remote SMTP server.

       <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
              Optional lookup tables that perform address rewriting
              in the SMTP client, typically to transform a
              locally valid address into a globally valid address
              when sending mail across the Internet.

       Available in Postfix version 2.2.9 and later:

       <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
              Allow DNS CNAME records to override the servername
              that the Postfix SMTP client uses for logging, SASL
              password lookup, TLS policy decisions, or TLS
              certificate verification.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote LMTP server
              address, with case insensitive lists of LHLO keywords
              (pipelining, starttls, auth, etc.) that the
              LMTP client will ignore in the LHLO response from a
              remote LMTP server.

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
              A case insensitive list of LHLO keywords (pipelining,
              starttls, auth, etc.) that the LMTP client
              will ignore in the LHLO response from a remote LMTP
              server.

       Available in Postfix version 2.4.4 and later:

       <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
              When authenticating to a remote SMTP or LMTP server
              with the default setting "no", send no SASL
              authoriZation ID (authzid); send only the SASL
              authentiCation ID (authcid) plus the authcid's password.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix
              SMTP client.

       <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>body_checks</b>(5)</a> tables for the Postfix
              SMTP client.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
              An optional workaround for routers that break TCP
              window scaling.

<b>MIME PROCESSING CONTROLS</b>
       Available in Postfix version 2.0 and later:

       <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
              Disable the conversion of 8BITMIME format to 7BIT
              format.

       <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
              The maximal length of MIME multipart boundary
              strings.

       <b><a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> (100)</b>
              The maximal recursion level that the MIME processor
              will handle.

<b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
              Send the non-standard XFORWARD command when the
              Postfix SMTP server EHLO response announces XFORWARD
              support.

<b>SASL AUTHENTICATION CONTROLS</b>
       <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
              Enable SASL authentication in the Postfix SMTP
              client.

       <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
              Optional SMTP client lookup tables with one
              username:password entry per remote hostname or domain,
              or sender address when sender-dependent authentication
              is enabled.

       <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
              Postfix SMTP client SASL security options; as of
              Postfix 2.3 the list of available features depends
              on the SASL client implementation that is selected
              with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
              If non-empty, a Postfix SMTP client filter for the
              remote SMTP server's list of offered SASL mechanisms.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
              Enable sender-dependent authentication in the Postfix
              SMTP client; this is available only with SASL
              authentication, and disables SMTP connection
              caching to ensure that mail from different senders
              will use the appropriate credentials.

       <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
              Implementation-specific information that the Postfix
              SMTP client passes through to the SASL plug-in
              implementation that is selected with
              <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
              The SASL plug-in type that the Postfix SMTP client
              should use for authentication.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
              An optional table to prevent repeated SASL authentication
              failures with the same remote SMTP server
              hostname, username and password.

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
              The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
              entry before it is removed.

       <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
              When a remote SMTP server rejects a SASL authentication
              request with a 535 reply code, defer mail
              delivery instead of returning mail as undeliverable.

<b>STARTTLS SUPPORT CONTROLS</b>
       Detailed information about STARTTLS configuration may be
       found in the <a href="TLS_README.html">TLS_README</a> document.

       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
              The default SMTP TLS security level for the Postfix
              SMTP client; when a non-empty value is specified,
              this overrides the obsolete parameters
              <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
              <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.

       <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP client uses for TLS encrypted SMTP
              sessions.

       <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
              Time limit for Postfix SMTP client write and read
              operations during TLS startup and shutdown handshake
              procedures.

       <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
              A file containing CA certificates of root CAs
              trusted to sign either remote SMTP server certificates
              or intermediate CA certificates.

       <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
              Directory with PEM format certificate authority
              certificates that the Postfix SMTP client uses to
              verify a remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
              File with the Postfix SMTP client RSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
              List of ciphers or cipher types to exclude from the
              Postfix SMTP client cipher list at all TLS security
              levels.

       <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
              Additional list of ciphers or cipher types to
              exclude from the SMTP client cipher list at mandatory
              TLS security levels.

       <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
              File with the Postfix SMTP client DSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
              File with the Postfix SMTP client DSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
              File with the Postfix SMTP client RSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP client logging of
              TLS activity.

       <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
              Log the hostname of a remote SMTP server that
              offers STARTTLS, when TLS is not already enabled
              for that server.

       <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS security policy by next-hop destination; when a
              non-empty value is specified, this overrides the
              obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.

       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
              List of SSL/TLS protocols that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
              The verification depth for remote SMTP server
              certificates.

       <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
              The server certificate peername verification method
              for the "secure" TLS security level.

       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix
              SMTP client TLS session cache.

       <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP client TLS
              session cache information.

       <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
              The server certificate peername verification method
              for the "verify" TLS security level.

       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
              The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
              server in order to seed its internal pseudo random
              number generator (PRNG).

       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
       <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "HIGH" grade ciphers.

       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "MEDIUM" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "LOW" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "EXPORT" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
              The OpenSSL cipherlist for "NULL" grade ciphers
              that provide authentication without encryption.

       Available in Postfix version 2.4 and later:

       <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
       <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP client uses for TLS encrypted SMTP
              sessions with a verified server certificate.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
              List of acceptable remote SMTP server certificate
              fingerprints for the "fingerprint" TLS security
              level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).

       <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
              The message digest algorithm used to construct
              remote SMTP server certificate fingerprints.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
              List of TLS protocols that the Postfix SMTP client
              will exclude or include with opportunistic TLS
              encryption.

       <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              client will use with opportunistic TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
              File with the Postfix SMTP client ECDSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
              File with the Postfix SMTP client ECDSA private key
              in PEM format.

<b>OBSOLETE STARTTLS CONTROLS</b>
       The following configuration parameters exist for compatibility
       with Postfix versions before 2.3. Support for these
       will be removed in a future release.

       <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
              Opportunistic mode: use TLS when a remote SMTP
              server announces STARTTLS support, otherwise send
              the mail in the clear.

       <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
              Enforcement mode: require that remote SMTP servers
              use TLS encryption, and never send mail in the
              clear.

       <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
              With mandatory TLS encryption, require that the
              remote SMTP server hostname matches the information
              in the remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS usage policy by next-hop destination and by
              remote SMTP server hostname.

       <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
              client TLS cipher list.

<b>RESOURCE AND RATE CONTROLS</b>
       <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b>
              The maximal number of parallel deliveries to the
              same destination via the smtp message delivery
              transport.

       <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b>
              The maximal number of recipients per message for
              the smtp message delivery transport.

       <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
              The SMTP client time limit for completing a TCP
              connection, or zero (use the operating system
              built-in time limit).

       <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
              The SMTP client time limit for sending the HELO or
              EHLO command, and for receiving the initial server
              response.

       <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
              The LMTP client time limit for sending the LHLO
              command, and for receiving the initial server
              response.

       <b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
              The SMTP client time limit for sending the XFORWARD
              command, and for receiving the server response.

       <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
              The SMTP client time limit for sending the MAIL
              FROM command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
              The SMTP client time limit for sending the SMTP
              RCPT TO command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
              The SMTP client time limit for sending the SMTP
              DATA command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
              The SMTP client time limit for sending the SMTP
              message content.

       <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
              The SMTP client time limit for sending the SMTP
              ".", and for receiving the server response.

       <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
              The SMTP client time limit for sending the QUIT
              command, and for receiving the server response.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
              The maximal number of MX (mail exchanger) IP
              addresses that can result from mail exchanger
              lookups, or zero (no limit).

       <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
              The maximal number of SMTP sessions per delivery
              request before giving up or delivering to a
              fall-back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).

       <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
              The SMTP client time limit for sending the RSET
              command, and for receiving the server response.

       Available in Postfix version 2.2 and earlier:

       <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
              Keep Postfix LMTP client connections open for up to
              $<a href="postconf.5.html#max_idle">max_idle</a> seconds.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
              Permanently enable SMTP connection caching for the
              specified destinations.

       <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
              Temporarily enable SMTP connection caching while a
              destination has a high volume of mail in the active
              queue.

       <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
              The amount of time during which Postfix will use an
              SMTP connection repeatedly.

       <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
              When SMTP connection caching is enabled, the amount
              of time that an unused SMTP client socket is kept
              open before it is closed.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
              Time limit for connection cache connect, send or
              receive operations.

<b>TROUBLE SHOOTING CONTROLS</b>
       <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
              The increment in verbose logging level when a
              remote client or server matches a pattern in the
              <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.

       <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
              Optional list of remote client or server hostname
              or network address patterns that cause the verbose
              logging level to increase by the amount specified
              in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.

       <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
              The recipient of postmaster notifications about
              mail delivery problems that are caused by policy,
              resource, software or protocol errors.

       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
              What categories of Postfix-generated mail are
              subject to before-queue content inspection by
              <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.

       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
              The list of error classes that are reported to the
              postmaster.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
              Where the Postfix SMTP client should deliver mail
              when it detects a "mail loops back to myself" error
              condition.

       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
              <a href="master.5.html">master.cf</a> configuration files.

       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
              How much time a Postfix daemon process may take to
              handle a request before it is terminated by a
              built-in watchdog timer.

       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The maximal number of digits after the decimal
              point when logging sub-second delay values.

       <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
              Disable DNS lookups in the Postfix SMTP and LMTP
              clients.

       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
              The network interface addresses that this mail
              system receives mail on.

       <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
              The Internet protocols Postfix will attempt to use
              when making or accepting connections.

       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
              The time limit for sending or receiving information
              over an internal communication channel.

       <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
              When an LMTP server announces no DSN support,
              assume that the server performs final delivery, and
              send "delivered" delivery status notifications
              instead of "relayed".

       <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
              The default TCP port that the Postfix LMTP client
              connects to.

       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
              The maximum amount of time that an idle Postfix
              daemon process waits for an incoming connection
              before terminating voluntarily.

       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
              The maximal number of incoming connections that a
              Postfix daemon process will service before
              terminating voluntarily.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
              The network interface addresses that this mail
              system receives mail on by way of a proxy or network
              address translation unit.

       <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
              An optional numerical network address that the
              Postfix SMTP client should bind to when making an
              IPv4 connection.

       <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
              An optional numerical network address that the
              Postfix SMTP client should bind to when making an
              IPv6 connection.

       <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The hostname to send in the SMTP EHLO or HELO
              command.

       <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The hostname to send in the LMTP LHLO command.

       <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
              What mechanisms the Postfix SMTP client uses
              to look up a host's IP address.

       <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
              Randomize the order of equal-preference MX host
              addresses.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              The mail system name that is prepended to the
              process name in syslog records, so that "smtpd"
              becomes, for example, "postfix/smtpd".

       Available with Postfix 2.2 and earlier:

       <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
              Optional list of relay hosts for SMTP destinations
              that can't be found or that are unreachable.

       Available with Postfix 2.3 and later:

       <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
              Optional list of relay hosts for SMTP destinations
              that can't be found or that are unreachable.

<b>SEE ALSO</b>
       <a href="generic.5.html">generic(5)</a>, output address rewriting
       <a href="header_checks.5.html">header_checks(5)</a>, message header content inspection
       <a href="header_checks.5.html">body_checks(5)</a>, body parts content inspection
       <a href="qmgr.8.html">qmgr(8)</a>, queue manager
       <a href="bounce.8.html">bounce(8)</a>, delivery status reports
       <a href="scache.8.html">scache(8)</a>, connection cache server
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="master.5.html">master(5)</a>, generic daemon options
       <a href="master.8.html">master(8)</a>, process manager
       <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
       syslogd(8), system logging

<b>README FILES</b>
       <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
       <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this
       software.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Command pipelining in cooperation with:
       Jon Ribbens
       Oaktree Internet Solutions Ltd.,
       Internet House,
       Canal Basin,
       Coventry,
       CV1 4LY, United Kingdom.

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Revised TLS and SMTP connection cache support by:
       Victor Duchovni
       Morgan Stanley

                                                          SMTP(8)
</pre> </body> </html>