<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - smtp(8) </title>
</head> <body> <pre>
SMTP(8)                                                                SMTP(8)

<b>NAME</b>
       smtp - Postfix SMTP+LMTP client

<b>SYNOPSIS</b>
       <b>smtp</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The Postfix SMTP+LMTP client implements the SMTP and LMTP
       mail delivery protocols. It processes message delivery
       requests from the queue manager. Each request specifies a
       queue file, a sender address, a domain or host to deliver
       to, and recipient information. This program expects to be
       run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.

       The SMTP+LMTP client updates the queue file and marks
       recipients as finished, or it informs the queue manager
       that delivery should be tried again at a later time.
       Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>,
       <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.

       The SMTP+LMTP client looks up a list of mail exchanger
       addresses for the destination host, sorts the list by
       preference, and connects to each listed address until it
       finds a server that responds.

       When a server is not reachable, or when mail delivery
       fails due to a recoverable error condition, the SMTP+LMTP
       client will try to deliver the mail to an alternate host.

       After a successful mail transaction, a connection may be
       saved to the <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it
       may be used by any SMTP+LMTP client for a subsequent
       transaction.

       By default, connection caching is enabled temporarily for
       destinations that have a high volume of mail in the active
       queue.
       Connection caching can be enabled permanently for
       specific destinations.

<b>SMTP DESTINATION SYNTAX</b>
       SMTP destinations have the following form:

       <i>domainname</i>

       <i>domainname</i>:<i>port</i>
              Look up the mail exchangers for the specified
              domain, and connect to the specified port (default:
              <b>smtp</b>).

       [<i>hostname</i>]

       [<i>hostname</i>]:<i>port</i>
              Look up the address(es) of the specified host, and
              connect to the specified port (default: <b>smtp</b>).

       [<i>address</i>]

       [<i>address</i>]:<i>port</i>
              Connect to the host at the specified address, and
              connect to the specified port (default: <b>smtp</b>). An
              IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>].

<b>LMTP DESTINATION SYNTAX</b>
       LMTP destinations have the following form:

       <b>unix</b>:<i>pathname</i>
              Connect to the local UNIX-domain server that is
              bound to the specified <i>pathname</i>. If the process
              runs chrooted, an absolute pathname is interpreted
              relative to the Postfix queue directory.

       <b>inet</b>:<i>hostname</i>

       <b>inet:</b><i>hostname</i>:<i>port</i>

       <b>inet</b>:[<i>address</i>]

       <b>inet</b>:[<i>address</i>]:<i>port</i>
              Connect to the specified TCP port on the specified
              local or remote host. If no port is specified,
              connect to the port defined as <b>lmtp</b> in <b>services</b>(4).
              If no such service is found, the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b>
              configuration parameter (default value of 24) will be
              used. An IPv6 address must be formatted as
              [<b>ipv6</b>:<i>address</i>].

<b>SECURITY</b>
       The SMTP+LMTP client is moderately security-sensitive. It
       talks to SMTP or LMTP servers and to DNS servers on the
       network. The SMTP+LMTP client can be run chrooted at fixed
       low privilege.
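
       Added example (not part of the Postfix manual or source code): a
       Python parser for the destination forms listed under SMTP DESTINATION
       SYNTAX and LMTP DESTINATION SYNTAX above. It reports whether a next hop
       triggers an MX lookup (bare name) or not (bracketed form). The function
       names, the strict host name pattern and the sample values are
       assumptions of this example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional


class Destination(NamedTuple):
    transport: str         # "smtp", "lmtp-inet" or "lmtp-unix"
    kind: str              # "domain" (MX lookup), "host", "address" or "path"
    target: str
    port: Optional[str]    # None: default service (smtp, or lmtp / lmtp_tcp_port)


# Assumption: strict letter-digit-hyphen names; Postfix itself may accept more.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
_HOST = re.compile(r"%s(\.%s)*" % (_LABEL, _LABEL))
_SERVICE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def _check_port(port):
    """Accept None, a service name, or a decimal TCP port in 1..65535."""
    if port is None:
        return None
    if port.isascii() and port.isdigit():
        if int(port) not in range(1, 65536):
            raise ValueError("port out of range: %r" % port)
        return port
    if not _SERVICE.fullmatch(port):
        raise ValueError("bad port or service name: %r" % port)
    return port


def _host_or_address(text, unbracketed_kind):
    """Classify 'name', '[host]' or '[address]', each optionally with ':port'."""
    if text.startswith("["):
        inner, close, rest = text[1:].partition("]")
        if not close:
            raise ValueError("missing ']' in %r" % text)
        if rest and (not rest.startswith(":") or rest == ":"):
            raise ValueError("unexpected text after ']' in %r" % text)
        port = rest[1:] if rest else None
        if inner.startswith("ipv6:"):
            # The page requires the ipv6: prefix inside the brackets.
            target, kind = str(ipaddress.IPv6Address(inner[5:])), "address"
        elif ":" in inner:
            raise ValueError("IPv6 must be written [ipv6:address]: %r" % text)
        else:
            try:
                target, kind = str(ipaddress.IPv4Address(inner)), "address"
            except ValueError:
                target, kind = inner, "host"
    else:
        target, colon, port = text.partition(":")
        if colon and not port:
            raise ValueError("empty port in %r" % text)
        port = port if colon else None
        kind = unbracketed_kind
    if kind != "address" and not _HOST.fullmatch(target):
        raise ValueError("bad host or domain name: %r" % target)
    return kind, target, _check_port(port)


def parse_smtp(dest):
    """SMTP: a bare name means MX lookup, a bracketed one means no MX lookup."""
    kind, target, port = _host_or_address(dest, "domain")
    return Destination("smtp", kind, target, port)


def parse_lmtp(dest):
    """LMTP: only the unix:pathname and inet:... forms shown on this page."""
    scheme, _, rest = dest.partition(":")
    if scheme == "unix" and rest:
        if "\0" in rest:
            raise ValueError("NUL byte in pathname")
        return Destination("lmtp-unix", "path", rest, None)
    if scheme == "inet" and rest:
        kind, target, port = _host_or_address(rest, "host")
        return Destination("lmtp-inet", kind, target, port)
    raise ValueError("expected unix:pathname or inet:host, got %r" % dest)


def effective_socket_path(pathname, queue_directory, chrooted):
    """Path a chrooted client really opens for an absolute unix: pathname."""
    if chrooted and pathname.startswith("/"):
        return queue_directory.rstrip("/") + pathname
    return pathname  # other cases are not covered by the text above


if __name__ == "__main__":
    # Constructed sample next-hop values, not taken from any real system.
    for value in ("example.com", "[mail.example.com]:submission",
                  "[192.0.2.25]", "[ipv6:2001:db8::25]:25"):
        print(value, parse_smtp(value))
    for value in ("unix:private/lmtp", "inet:[127.0.0.1]:2424"):
        print(value, parse_lmtp(value))
```

       A "domain" result means the delivery target is chosen by DNS MX
       records, while "host" and "address" results bypass the MX lookup.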

<b>STANDARDS</b>
       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
       <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
       <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8).
       Corrupted message files are marked so that the queue manager
       can move them to the <b>corrupt</b> queue for further inspection.

       Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
       the postmaster is notified of bounces, protocol problems,
       and of other trouble.

<b>BUGS</b>
       SMTP and LMTP connection caching does not work with TLS.
       The necessary support for TLS object passivation and
       re-activation does not exist without closing the session,
       which defeats the purpose.

       SMTP and LMTP connection caching assumes that SASL
       credentials are valid for all destinations that map onto the
       same IP address and TCP port.

<b>CONFIGURATION PARAMETERS</b>
       Before Postfix version 2.3, the LMTP client is a separate
       program that implements only a subset of the functionality
       available with SMTP: there is no support for TLS, and
       connections are cached in-process, making it ineffective when
       the client is used for multiple domains.

       Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i>
       "mirror" parameter for the equivalent LMTP feature. This
       document describes only those LMTP-related parameters that
       aren't simply "mirror" parameters.

       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a>
       processes run for only a limited amount of time. Use the
       command "<b>postfix reload</b>" to speed up a change.

       The text below provides only a parameter summary. See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.

<b>COMPATIBILITY CONTROLS</b>
       <b><a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> (no)</b>
              Ignore DNS MX lookups that produce no response.

       <b><a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> (yes)</b>
              Always send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
              Never send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
              Defer mail delivery when no MX record resolves to
              an IP address.

       <b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
              The maximal length of message header and body lines
              that Postfix will send via SMTP.

       <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
              How long the Postfix SMTP client pauses before
              sending ".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX
              firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.

       <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
              How long a message must be queued before the
              Postfix SMTP client turns on the PIX firewall
              "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround for delivery
              through firewalls with "smtp fixup" mode turned on.

       <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b>
              A list that specifies zero or more workarounds for
              CISCO PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP server
              address, with per-destination workarounds for CISCO
              PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
              Quote addresses in SMTP MAIL FROM and RCPT TO
              commands as required by <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.

       <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
              A mechanism to transform replies from remote SMTP
              servers one line at a time.

       <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 5XX status code
              (go away, do not try again later).

       <b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
              Do not wait for the response to the SMTP QUIT
              command.

       Available in Postfix version 2.0 and earlier:

       <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 4XX status code
              (go away, try again later).

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP server
              address, with case insensitive lists of EHLO keywords
              (pipelining, starttls, auth, etc.) that the
              Postfix SMTP client will ignore in the EHLO
              response from a remote SMTP server.

       <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
              A case insensitive list of EHLO keywords (pipelining,
              starttls, auth, etc.) that the Postfix SMTP
              client will ignore in the EHLO response from a
              remote SMTP server.

       <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
              Optional lookup tables that perform address rewriting
              in the SMTP client, typically to transform a
              locally valid address into a globally valid address
              when sending mail across the Internet.

       Available in Postfix version 2.2.9 and later:

       <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
              Allow DNS CNAME records to override the servername
              that the Postfix SMTP client uses for logging, SASL
              password lookup, TLS policy decisions, or TLS
              certificate verification.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote LMTP server
              address, with case insensitive lists of LHLO keywords
              (pipelining, starttls, auth, etc.)
              that the LMTP client will ignore in the LHLO response from a
              remote LMTP server.

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
              A case insensitive list of LHLO keywords (pipelining,
              starttls, auth, etc.) that the LMTP client
              will ignore in the LHLO response from a remote LMTP
              server.

       Available in Postfix version 2.4.4 and later:

       <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
              When authenticating to a remote SMTP or LMTP server
              with the default setting "no", send no SASL
              authoriZation ID (authzid); send only the SASL
              authentiCation ID (authcid) plus the authcid's password.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix
              SMTP client.

       <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>body_checks</b>(5)</a> tables for the Postfix
              SMTP client.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
              An optional workaround for routers that break TCP
              window scaling.

       Available in Postfix version 2.8 and later:

       <b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b>
              DNS Resolver options for the Postfix SMTP client.

<b>MIME PROCESSING CONTROLS</b>
       Available in Postfix version 2.0 and later:

       <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
              Disable the conversion of 8BITMIME format to 7BIT
              format.

       <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
              The maximal length of MIME multipart boundary
              strings.

       <b><a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> (100)</b>
              The maximal recursion level that the MIME processor
              will handle.

<b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
              Send the non-standard XFORWARD command when the
              Postfix SMTP server EHLO response announces
              XFORWARD support.

<b>SASL AUTHENTICATION CONTROLS</b>
       <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
              Enable SASL authentication in the Postfix SMTP
              client.

       <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
              Optional SMTP client lookup tables with one
              username:password entry per remote hostname or domain,
              or sender address when sender-dependent authentication
              is enabled.

       <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
              Postfix SMTP client SASL security options; as of
              Postfix 2.3 the list of available features depends
              on the SASL client implementation that is selected
              with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
              If non-empty, a Postfix SMTP client filter for the
              remote SMTP server's list of offered SASL
              mechanisms.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
              Enable sender-dependent authentication in the
              Postfix SMTP client; this is available only with SASL
              authentication, and disables SMTP connection
              caching to ensure that mail from different senders
              will use the appropriate credentials.

       <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
              Implementation-specific information that the
              Postfix SMTP client passes through to the SASL plug-in
              implementation that is selected with
              <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
              The SASL plug-in type that the Postfix SMTP client
              should use for authentication.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
              An optional table to prevent repeated SASL
              authentication failures with the same remote SMTP server
              hostname, username and password.

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
              The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
              entry before it is removed.

       <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
              When a remote SMTP server rejects a SASL
              authentication request with a 535 reply code, defer mail
              delivery instead of returning mail as
              undeliverable.

<b>STARTTLS SUPPORT CONTROLS</b>
       Detailed information about STARTTLS configuration may be
       found in the <a href="TLS_README.html">TLS_README</a> document.

       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
              The default SMTP TLS security level for the Postfix
              SMTP client; when a non-empty value is specified,
              this overrides the obsolete parameters
              <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
              <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.

       <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP client uses for TLS encrypted SMTP
              sessions.

       <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
              Time limit for Postfix SMTP client write and read
              operations during TLS startup and shutdown
              handshake procedures.

       <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
              A file containing CA certificates of root CAs
              trusted to sign either remote SMTP server
              certificates or intermediate CA certificates.

       <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
              Directory with PEM format certificate authority
              certificates that the Postfix SMTP client uses to
              verify a remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
              File with the Postfix SMTP client RSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
              List of ciphers or cipher types to exclude from the
              Postfix SMTP client cipher list at all TLS security
              levels.

       <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
              Additional list of ciphers or cipher types to
              exclude from the SMTP client cipher list at
              mandatory TLS security levels.

       <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
              File with the Postfix SMTP client DSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
              File with the Postfix SMTP client DSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
              File with the Postfix SMTP client RSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP client logging of
              TLS activity.

       <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
              Log the hostname of a remote SMTP server that
              offers STARTTLS, when TLS is not already enabled
              for that server.

       <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS security policy by next-hop destination; when a
              non-empty value is specified, this overrides the
              obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.

       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
              List of SSL/TLS protocols that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
              The verification depth for remote SMTP server
              certificates.

       <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
              The server certificate peername verification method
              for the "secure" TLS security level.

       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix
              SMTP client TLS session cache.

       <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP client TLS
              session cache information.

       <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
              The server certificate peername verification method
              for the "verify" TLS security level.

       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
              The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
              server in order to seed its internal pseudo random
              number generator (PRNG).

       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
       <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "HIGH" grade ciphers.

       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "MEDIUM" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "LOW" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "EXPORT" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
              The OpenSSL cipherlist for "NULL" grade ciphers
              that provide authentication without encryption.

       Available in Postfix version 2.4 and later:

       <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
       <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP client uses for TLS encrypted SMTP
              sessions with a verified server certificate.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
              List of acceptable remote SMTP server certificate
              fingerprints for the "fingerprint" TLS security
              level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).

       <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
              The message digest algorithm used to construct
              remote SMTP server certificate fingerprints.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
              List of TLS protocols that the Postfix SMTP client
              will exclude or include with opportunistic TLS
              encryption.

       <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              client will use with opportunistic TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
              File with the Postfix SMTP client ECDSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
              File with the Postfix SMTP client ECDSA private key
              in PEM format.

       Available in Postfix version 2.7 and later:

       <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
              Try to detect a mail hijacking attack based on a
              TLS protocol vulnerability (CVE-2009-3555), where
              an attacker prepends malicious HELO, MAIL, RCPT,
              DATA commands to a Postfix SMTP client TLS session.

       Available in Postfix version 2.8 and later:

       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
              List or bit-mask of OpenSSL bug work-arounds to
              disable.

<b>OBSOLETE STARTTLS CONTROLS</b>
       The following configuration parameters exist for
       compatibility with Postfix versions before 2.3. Support for these
       will be removed in a future release.

       <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
              Opportunistic mode: use TLS when a remote SMTP
              server announces STARTTLS support, otherwise send
              the mail in the clear.

       <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
              Enforcement mode: require that remote SMTP servers
              use TLS encryption, and never send mail in the
              clear.

       <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
              With mandatory TLS encryption, require that the
              remote SMTP server hostname matches the information
              in the remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS usage policy by next-hop destination and by
              remote SMTP server hostname.

       <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
              client TLS cipher list.

<b>RESOURCE AND RATE CONTROLS</b>
       <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b>
              The maximal number of parallel deliveries to the
              same destination via the smtp message delivery
              transport.

       <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b>
              The maximal number of recipients per message for
              the smtp message delivery transport.

       <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
              The SMTP client time limit for completing a TCP
              connection, or zero (use the operating system
              built-in time limit).

       <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
              The SMTP client time limit for sending the HELO or
              EHLO command, and for receiving the initial server
              response.

       <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
              The LMTP client time limit for sending the LHLO
              command, and for receiving the initial server
              response.

       <b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
              The SMTP client time limit for sending the XFORWARD
              command, and for receiving the server response.

       <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
              The SMTP client time limit for sending the MAIL
              FROM command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
              The SMTP client time limit for sending the SMTP
              RCPT TO command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
              The SMTP client time limit for sending the SMTP
              DATA command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
              The SMTP client time limit for sending the SMTP
              message content.

       <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
              The SMTP client time limit for sending the SMTP
              ".", and for receiving the server response.

       <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
              The SMTP client time limit for sending the QUIT
              command, and for receiving the server response.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
              The maximal number of MX (mail exchanger) IP
              addresses that can result from mail exchanger
              lookups, or zero (no limit).

       <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
              The maximal number of SMTP sessions per delivery
              request before giving up or delivering to a
              fallback <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).

       <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
              The SMTP client time limit for sending the RSET
              command, and for receiving the server response.

       Available in Postfix version 2.2 and earlier:

       <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
              Keep Postfix LMTP client connections open for up to
              $<a href="postconf.5.html#max_idle">max_idle</a> seconds.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
              Permanently enable SMTP connection caching for the
              specified destinations.

       <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
              Temporarily enable SMTP connection caching while a
              destination has a high volume of mail in the active
              queue.

       <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
              The amount of time during which Postfix will use an
              SMTP connection repeatedly.

       <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
              When SMTP connection caching is enabled, the amount
              of time that an unused SMTP client socket is kept
              open before it is closed.
688 689 Available in Postfix version 2.3 and later: 690 691 <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b> 692 Time limit for connection cache connect, send or 693 receive operations. 694 695<b>TROUBLE SHOOTING CONTROLS</b> 696 <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> 697 The increment in verbose logging level when a 698 remote client or server matches a pattern in the 699 <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. 700 701 <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b> 702 Optional list of remote client or server hostname 703 or network address patterns that cause the verbose 704 logging level to increase by the amount specified 705 in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>. 706 707 <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b> 708 The recipient of postmaster notifications about 709 mail delivery problems that are caused by policy, 710 resource, software or protocol errors. 711 712 <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b> 713 What categories of Postfix-generated mail are sub- 714 ject to before-queue content inspection by 715 <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>. 716 717 <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b> 718 The list of error classes that are reported to the 719 postmaster. 720 721<b>MISCELLANEOUS CONTROLS</b> 722 <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b> 723 Where the Postfix SMTP client should deliver mail 724 when it detects a "mail loops back to myself" error 725 condition. 
726 727 <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> 728 The default location of the Postfix <a href="postconf.5.html">main.cf</a> and 729 <a href="master.5.html">master.cf</a> configuration files. 730 731 <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> 732 How much time a Postfix daemon process may take to 733 handle a request before it is terminated by a 734 built-in watchdog timer. 735 736 <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> 737 The maximal number of digits after the decimal 738 point when logging sub-second delay values. 739 740 <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b> 741 Disable DNS lookups in the Postfix SMTP and LMTP 742 clients. 743 744 <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> 745 The network interface addresses that this mail sys- 746 tem receives mail on. 747 748 <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b> 749 The Internet protocols Postfix will attempt to use 750 when making or accepting connections. 751 752 <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> 753 The time limit for sending or receiving information 754 over an internal communication channel. 755 756 <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b> 757 When an LMTP server announces no DSN support, 758 assume that the server performs final delivery, and 759 send "delivered" delivery status notifications 760 instead of "relayed". 761 762 <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b> 763 The default TCP port that the Postfix LMTP client 764 connects to. 765 766 <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> 767 The maximum amount of time that an idle Postfix 768 daemon process waits for an incoming connection 769 before terminating voluntarily. 
770 771 <b><a href="postconf.5.html#max_use">max_use</a> (100)</b> 772 The maximal number of incoming connections that a 773 Postfix daemon process will service before termi- 774 nating voluntarily. 775 776 <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> 777 The process ID of a Postfix command or daemon 778 process. 779 780 <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> 781 The process name of a Postfix command or daemon 782 process. 783 784 <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> 785 The network interface addresses that this mail sys- 786 tem receives mail on by way of a proxy or network 787 address translation unit. 788 789 <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (ipv6)</b> 790 The address type ("ipv6", "ipv4" or "any") that the 791 Postfix SMTP client will try first, when a destina- 792 tion has IPv6 and IPv4 addresses with equal MX 793 preference. 794 795 <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b> 796 An optional numerical network address that the 797 Postfix SMTP client should bind to when making an 798 IPv4 connection. 799 800 <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b> 801 An optional numerical network address that the 802 Postfix SMTP client should bind to when making an 803 IPv6 connection. 804 805 <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> 806 The hostname to send in the SMTP EHLO or HELO com- 807 mand. 808 809 <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> 810 The hostname to send in the LMTP LHLO command. 811 812 <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b> 813 What mechanisms the Postfix SMTP client uses to 814 look up a host's IP address. 
815 816 <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b> 817 Randomize the order of equal-preference MX host 818 addresses. 819 820 <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> 821 The syslog facility of Postfix logging. 822 823 <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> 824 The mail system name that is prepended to the 825 process name in syslog records, so that "smtpd" 826 becomes, for example, "postfix/smtpd". 827 828 Available with Postfix 2.2 and earlier: 829 830 <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b> 831 Optional list of relay hosts for SMTP destinations 832 that can't be found or that are unreachable. 833 834 Available with Postfix 2.3 and later: 835 836 <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b> 837 Optional list of relay hosts for SMTP destinations 838 that can't be found or that are unreachable. 
839 840<b>SEE ALSO</b> 841 <a href="generic.5.html">generic(5)</a>, output address rewriting 842 <a href="header_checks.5.html">header_checks(5)</a>, message header content inspection 843 <a href="header_checks.5.html">body_checks(5)</a>, body parts content inspection 844 <a href="qmgr.8.html">qmgr(8)</a>, queue manager 845 <a href="bounce.8.html">bounce(8)</a>, delivery status reports 846 <a href="scache.8.html">scache(8)</a>, connection cache server 847 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 848 <a href="master.5.html">master(5)</a>, generic daemon options 849 <a href="master.8.html">master(8)</a>, process manager 850 <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management 851 syslogd(8), system logging 852 853<b>README FILES</b> 854 <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto 855 <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto 856 857<b>LICENSE</b> 858 The Secure Mailer license must be distributed with this 859 software. 860 861<b>AUTHOR(S)</b> 862 Wietse Venema 863 IBM T.J. Watson Research 864 P.O. Box 704 865 Yorktown Heights, NY 10598, USA 866 867 Command pipelining in cooperation with: 868 Jon Ribbens 869 Oaktree Internet Solutions Ltd., 870 Internet House, 871 Canal Basin, 872 Coventry, 873 CV1 4LY, United Kingdom. 874 875 SASL support originally by: 876 Till Franke 877 SuSE Rhein/Main AG 878 65760 Eschborn, Germany 879 880 TLS support originally by: 881 Lutz Jaenicke 882 BTU Cottbus 883 Allgemeine Elektrotechnik 884 Universitaetsplatz 3-4 885 D-03044 Cottbus, Germany 886 887 Revised TLS and SMTP connection cache support by: 888 Victor Duchovni 889 Morgan Stanley 890 891 SMTP(8) 892</pre> </body> </html> 893