<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - smtpd(8) </title>
</head> <body> <pre>
SMTPD(8)                                                              SMTPD(8)

<b>NAME</b>
       smtpd - Postfix SMTP server

<b>SYNOPSIS</b>
       <b>smtpd</b> [generic Postfix daemon options]

       <b>sendmail -bs</b>

<b>DESCRIPTION</b>
       The SMTP server accepts network connection requests and
       performs zero or more SMTP transactions per connection.
       Each received message is piped through the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon,
       and is placed into the <a href="QSHAPE_README.html#incoming_queue"><b>incoming</b> queue</a> as one single
       queue file. For this mode of operation, the program
       expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.

       Alternatively, the SMTP server can be run in stand-alone
       mode; this is traditionally obtained with "<b>sendmail -bs</b>".
       When the SMTP server runs stand-alone with non $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b>
       privileges, it receives mail even while the mail system is
       not running, deposits messages directly into the <b>maildrop</b>
       queue, and disables the SMTP server's access policies. As
       of Postfix version 2.3, the SMTP server refuses to receive
       mail from the network when it runs with non $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b>
       privileges.

       The SMTP server implements a variety of policies for connection
       requests, and for parameters given to <b>HELO, ETRN,</b>
       <b>MAIL FROM, VRFY</b> and <b>RCPT TO</b> commands. They are detailed
       below and in the <a href="postconf.5.html"><b>main.cf</b></a> configuration file.

<b>SECURITY</b>
       The SMTP server is moderately security-sensitive. It talks
       to SMTP clients and to DNS servers on the network.
       The SMTP server can be run chrooted at fixed low privilege.

<b>STANDARDS</b>
       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP Transmission Types)
       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8).

       Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
       the postmaster is notified of bounces, protocol problems,
       policy violations, and of other trouble.

<b>CONFIGURATION PARAMETERS</b>
       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as
       <a href="smtpd.8.html"><b>smtpd</b>(8)</a> processes run for only a limited amount of time.
       Use the command "<b>postfix reload</b>" to speed up a change.

       The text below provides only a parameter summary.
       See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.

<b>COMPATIBILITY CONTROLS</b>
       The following parameters work around implementation errors
       in other software, and/or allow you to override standards
       in order to prevent undesirable use.

       <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
              Enable inter-operability with SMTP clients that
              implement an obsolete version of the AUTH command
              (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).

       <b><a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> (no)</b>
              Disable the SMTP VRFY command.

       <b><a href="postconf.5.html#smtpd_noop_commands">smtpd_noop_commands</a> (empty)</b>
              List of commands that the Postfix SMTP server
              replies to with "250 Ok", without doing any syntax
              checks and without changing state.

       <b><a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> (no)</b>
              Require that addresses received in SMTP MAIL FROM
              and RCPT TO commands are enclosed with &lt;&gt;, and that
              those addresses do not contain <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> style comments
              or phrases.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#resolve_null_domain">resolve_null_domain</a> (no)</b>
              Resolve an address that ends in the "@" null domain
              as if the local hostname were specified, instead of
              rejecting the address as invalid.

       <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
              Request that the Postfix SMTP server rejects mail
              from unknown sender addresses, even when no
              explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
              is specified.

       <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
              What remote SMTP clients the Postfix SMTP server
              will not offer AUTH support to.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP client
              address, with case insensitive lists of EHLO keywords
              (pipelining, starttls, auth, etc.) that the
              SMTP server will not send in the EHLO response to a
              remote SMTP client.

       <b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> (empty)</b>
              A case insensitive list of EHLO keywords (pipelining,
              starttls, auth, etc.) that the SMTP server
              will not send in the EHLO response to a remote SMTP
              client.

       <b><a href="postconf.5.html#smtpd_delay_open_until_valid_rcpt">smtpd_delay_open_until_valid_rcpt</a> (yes)</b>
              Postpone the start of an SMTP mail transaction
              until a valid RCPT TO command is received.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
              Force the Postfix SMTP server to issue a TLS session
              id, even when TLS session caching is turned
              off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
              An optional workaround for routers that break TCP
              window scaling.

       Available in Postfix version 2.7 and later:

       <b><a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> (empty)</b>
              A mechanism to transform commands from remote SMTP
              clients.

<b>ADDRESS REWRITING CONTROLS</b>
       See the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed
       discussion of Postfix address rewriting.

       <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
              Enable or disable recipient validation, built-in
              content filtering, or address mapping.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b>
              Rewrite message header addresses in mail from these
              clients and update incomplete addresses with the
              domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a>; either don't
              rewrite message headers from other clients at all,
              or rewrite message headers and update incomplete
              addresses with the domain specified in the
              <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter.

<b>AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
       As of version 1.0, Postfix can be configured to send new
       mail to an external content filter AFTER the mail is
       queued. This content filter is expected to inject mail
       back into a (Postfix or other) MTA for further delivery.
       See the <a href="FILTER_README.html">FILTER_README</a> document for details.

       <b><a href="postconf.5.html#content_filter">content_filter</a> (empty)</b>
              After the message is queued, send the entire message
              to the specified <i>transport:destination</i>.

<b>BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
       As of version 2.1, the Postfix SMTP server can be configured
       to send incoming mail to a real-time SMTP-based content
       filter BEFORE mail is queued. This content filter is
       expected to inject mail back into Postfix.
       See the <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document for details on how to configure
       and operate this feature.

       <b><a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> (empty)</b>
              The hostname and TCP port of the mail filtering
              proxy server.

       <b><a href="postconf.5.html#smtpd_proxy_ehlo">smtpd_proxy_ehlo</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              How the Postfix SMTP server announces itself to the
              proxy filter.

       <b><a href="postconf.5.html#smtpd_proxy_options">smtpd_proxy_options</a> (empty)</b>
              List of options that control how the Postfix SMTP
              server communicates with a before-queue content
              filter.

       <b><a href="postconf.5.html#smtpd_proxy_timeout">smtpd_proxy_timeout</a> (100s)</b>
              The time limit for connecting to a proxy filter and
              for sending or receiving information.

<b>BEFORE QUEUE MILTER CONTROLS</b>
       As of version 2.3, Postfix supports the Sendmail version 8
       Milter (mail filter) protocol. These content filters run
       outside Postfix. They can inspect the SMTP command stream
       and the message content, and can request modifications
       before mail is queued. For details see the <a href="MILTER_README.html">MILTER_README</a>
       document.

       <b><a href="postconf.5.html#smtpd_milters">smtpd_milters</a> (empty)</b>
              A list of Milter (mail filter) applications for new
              mail that arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server.

       <b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b>
              The mail filter protocol version and optional protocol
              extensions for communication with a Milter
              application; prior to Postfix 2.6 the default protocol
              is 2.

       <b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b>
              The default action when a Milter (mail filter)
              application is unavailable or mis-configured.

       <b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The {daemon_name} macro value for Milter (mail filter)
              applications.

       <b><a href="postconf.5.html#milter_macro_v">milter_macro_v</a> ($<a href="postconf.5.html#mail_name">mail_name</a> $<a href="postconf.5.html#mail_version">mail_version</a>)</b>
              The {v} macro value for Milter (mail filter) applications.

       <b><a href="postconf.5.html#milter_connect_timeout">milter_connect_timeout</a> (30s)</b>
              The time limit for connecting to a Milter (mail
              filter) application, and for negotiating protocol
              options.

       <b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b>
              The time limit for sending an SMTP command to a
              Milter (mail filter) application, and for receiving
              the response.

       <b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b>
              The time limit for sending message content to a
              Milter (mail filter) application, and for receiving
              the response.

       <b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b>
              The macros that are sent to Milter (mail filter)
              applications after completion of an SMTP connection.

       <b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b>
              The macros that are sent to Milter (mail filter)
              applications after the SMTP HELO or EHLO command.

       <b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b>
              The macros that are sent to Milter (mail filter)
              applications after the SMTP MAIL FROM command.

       <b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b>
              The macros that are sent to Milter (mail filter)
              applications after the SMTP RCPT TO command.

       <b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b>
              The macros that are sent to version 4 or higher
              Milter (mail filter) applications after the SMTP
              DATA command.

       <b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b>
              The macros that are sent to version 3 or higher
              Milter (mail filter) applications after an unknown
              SMTP command.

       <b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b>
              The macros that are sent to Milter (mail filter)
              applications after the end of the message header.

       <b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b>
              The macros that are sent to Milter (mail filter)
              applications after the message end-of-data.

<b>GENERAL CONTENT INSPECTION CONTROLS</b>
       The following parameters are applicable for both built-in
       and external content filters.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
              Enable or disable recipient validation, built-in
              content filtering, or address mapping.

<b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
       The following parameters are applicable for both before-queue
       and after-queue content filtering.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> (empty)</b>
              What SMTP clients are allowed to use the XFORWARD
              feature.

<b>SASL AUTHENTICATION CONTROLS</b>
       Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenticate
       remote SMTP clients to the Postfix SMTP server, and
       to authenticate the Postfix SMTP client to a remote SMTP
       server. See the <a href="SASL_README.html">SASL_README</a> document for details.

       <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
              Enable inter-operability with SMTP clients that
              implement an obsolete version of the AUTH command
              (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).

       <b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b>
              Enable SASL authentication in the Postfix SMTP
              server.

       <b><a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> (empty)</b>
              The name of the Postfix SMTP server's local SASL
              authentication realm.

       <b><a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> (noanonymous)</b>
              Postfix SMTP server SASL security options; as of
              Postfix 2.3 the list of available features depends
              on the SASL server implementation that is selected
              with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.

       <b><a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> (empty)</b>
              Optional lookup table with the SASL login names
              that own sender (MAIL FROM) addresses.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
              What remote SMTP clients the Postfix SMTP server
              will not offer AUTH support to.

       Available in Postfix version 2.1 and 2.2:

       <b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b>
              The application name that the Postfix SMTP server
              uses for SASL server initialization.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> (no)</b>
              Report the SASL authenticated user name in the
              <a href="smtpd.8.html"><b>smtpd</b>(8)</a> Received message header.

       <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> (smtpd)</b>
              Implementation-specific information that the Postfix
              SMTP server passes through to the SASL plug-in
              implementation that is selected with
              <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.

       <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a> (cyrus)</b>
              The SASL plug-in type that the Postfix SMTP server
              should use for authentication.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a> (empty)</b>
              Search path for Cyrus SASL application configuration
              files, currently used only to locate the
              $<a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.conf file.

<b>STARTTLS SUPPORT CONTROLS</b>
       Detailed information about STARTTLS configuration may be
       found in the <a href="TLS_README.html">TLS_README</a> document.

       <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
              The SMTP TLS security level for the Postfix SMTP
              server; when a non-empty value is specified, this
              overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
              <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.

       <b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP server uses for TLS encrypted SMTP
              sessions.

       <b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (see 'postconf -d' output)</b>
              The time limit for Postfix SMTP server write and
              read operations during TLS startup and shutdown
              handshake procedures.

       <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
              A file containing (PEM format) CA certificates of
              root CAs trusted to sign either remote SMTP client
              certificates or intermediate CA certificates.

       <b><a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> (empty)</b>
              A directory containing (PEM format) CA certificates
              of root CAs trusted to sign either remote SMTP
              client certificates or intermediate CA certificates.

       <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
              Force the Postfix SMTP server to issue a TLS session
              id, even when TLS session caching is turned
              off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).

       <b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
              Ask a remote SMTP client for a client certificate.

       <b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
              When TLS encryption is optional in the Postfix SMTP
              server, do not announce or accept SASL authentication
              over unencrypted connections.

       <b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (9)</b>
              The verification depth for remote SMTP client certificates.

       <b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
              File with the Postfix SMTP server RSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b>
              List of ciphers or cipher types to exclude from the
              SMTP server cipher list at all TLS security levels.

       <b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
              File with the Postfix SMTP server DSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
              File with DH parameters that the Postfix SMTP
              server should use with EDH ciphers.

       <b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
              File with DH parameters that the Postfix SMTP
              server should use with EDH ciphers.

       <b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
              File with the Postfix SMTP server DSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
              File with the Postfix SMTP server RSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP server logging of
              TLS activity.

       <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              server will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b>
              Additional list of ciphers or cipher types to
              exclude from the SMTP server cipher list at mandatory
              TLS security levels.

       <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
              The SSL/TLS protocols accepted by the Postfix SMTP
              server with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
              Request that the Postfix SMTP server produces
              Received: message headers that include information
              about the protocol and cipher used, as well as the
              client CommonName and client certificate issuer
              CommonName.

       <b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
              With mandatory TLS encryption, require a trusted
              remote SMTP client certificate in order to allow
              TLS connections to proceed.

       <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix
              SMTP server TLS session cache.

       <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP server TLS session
              cache information.

       <b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b>
              Run the Postfix SMTP server in the non-standard
              "wrapper" mode, instead of using the STARTTLS command.

       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
              The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
              server in order to seed its internal pseudo random
              number generator (PRNG).

       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
       <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "HIGH" grade ciphers.

       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "MEDIUM" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "LOW" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "EXPORT" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
              The OpenSSL cipherlist for "NULL" grade ciphers
              that provide authentication without encryption.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (md5)</b>
              The message digest algorithm used to construct
              client-certificate fingerprints for
              <b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b> and <b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a></b>.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
              List of TLS protocols that the Postfix SMTP server
              will exclude or include with opportunistic TLS
              encryption.

       <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              server will use with opportunistic TLS encryption.

       <b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b>
              File with the Postfix SMTP server ECDSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
              File with the Postfix SMTP server ECDSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> (see 'postconf -d' output)</b>
              The Postfix SMTP server security grade for
              ephemeral elliptic-curve Diffie-Hellman (EECDH) key
              exchange.

       <b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b>
              The elliptic curve used by the SMTP server for sensibly
              strong ephemeral ECDH key exchange.

       <b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b>
              The elliptic curve used by the SMTP server for maximally
              strong ephemeral ECDH key exchange.

       Available in Postfix version 2.8 and later:

       <b><a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> (no)</b>
              With SSLv3 and later, use the server's cipher preference
              order instead of the client's cipher preference
              order.

       <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
              List or bit-mask of OpenSSL bug work-arounds to
              disable.
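
Added example (not part of the Postfix distribution or of this manual page): a Python audit that overlays main.cf-style text on the STARTTLS and SASL defaults listed in this summary and reports the parameters whose effective value is weak. The "medium" cipher-grade floor, the rejection of SSLv2/SSLv3, and the names audit(), WEAK_MAIN_CF and HARDENED_MAIN_CF are assumptions of this example; $parameter expansion is not handled.

```python
import re

# Defaults exactly as listed in the parameter summary on this page.
PAGE_DEFAULTS = {
    "smtpd_tls_security_level": "",
    "smtpd_use_tls": "no",
    "smtpd_enforce_tls": "no",
    "smtpd_tls_auth_only": "no",
    "smtpd_tls_ciphers": "export",
    "smtpd_tls_mandatory_ciphers": "medium",
    "smtpd_tls_protocols": "",
    "smtpd_tls_mandatory_protocols": "SSLv3, TLSv1",
    "smtpd_tls_ask_ccert": "no",
    "smtpd_tls_req_ccert": "no",
    "smtpd_tls_fingerprint_digest": "md5",
    "smtpd_sasl_auth_enable": "no",
}

# Policy choices of this example (assumptions, not Postfix rules).
MIN_GRADE = "medium"
GRADE_RANK = {"null": 0, "export": 1, "low": 2, "medium": 3, "high": 4}
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")

# Constructed sample inputs, not taken from a real host.
WEAK_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_protocols =
    !SSLv2
"""
HARDENED_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_auth_enable = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
"""


def parse_main_cf(text):
    """Parse main.cf-style text into a dict; the last definition wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()      # continuation line
        else:
            logical.append(raw.strip())
    pairs = (line.partition("=") for line in logical)
    return {n.strip(): v.strip() for n, sep, v in pairs if sep}


def yes(cfg, name):
    return cfg[name].strip().lower() == "yes"


def effective_level(cfg):
    """A non-empty smtpd_tls_security_level overrides the obsolete switches."""
    level = cfg["smtpd_tls_security_level"].strip().lower()
    if not level:
        level = ("encrypt" if yes(cfg, "smtpd_enforce_tls")
                 else "may" if yes(cfg, "smtpd_use_tls") else "none")
    return level


def accepts_protocol(value, proto):
    """True if a protocol list (inclusions and !exclusions) admits proto."""
    items = [t.lower() for t in re.split(r"[,:\s]+", value) if t]
    excluded = {t[1:] for t in items if t.startswith("!")}
    included = {t for t in items if not t.startswith("!")}
    proto = proto.lower()
    return proto not in excluded and (not included or proto in included)


def audit(text):
    """Return the sorted names of parameters whose effective value is weak."""
    cfg = {**PAGE_DEFAULTS, **parse_main_cf(text)}
    level = effective_level(cfg)
    findings = set()
    if level in ("may", "encrypt"):
        infix = "mandatory_" if level == "encrypt" else ""
        ciphers = "smtpd_tls_%sciphers" % infix
        protocols = "smtpd_tls_%sprotocols" % infix
        if GRADE_RANK[MIN_GRADE] > GRADE_RANK.get(cfg[ciphers].lower(), 0):
            findings.add(ciphers)
        if any(accepts_protocol(cfg[protocols], p) for p in LEGACY_PROTOCOLS):
            findings.add(protocols)
        wants_ccert = yes(cfg, "smtpd_tls_ask_ccert") or yes(cfg, "smtpd_tls_req_ccert")
        if wants_ccert and cfg["smtpd_tls_fingerprint_digest"].lower() == "md5":
            findings.add("smtpd_tls_fingerprint_digest")
    # AUTH offered while TLS is optional or off: credentials may travel in clear.
    if (yes(cfg, "smtpd_sasl_auth_enable") and level != "encrypt"
            and not yes(cfg, "smtpd_tls_auth_only")):
        findings.add("smtpd_tls_auth_only")
    return sorted(findings)
```

Feeding audit() the output of "postconf -n" instead of the constructed samples checks a live configuration, provided the installed version's defaults match the ones listed on this page.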

<b>OBSOLETE STARTTLS CONTROLS</b>
       The following configuration parameters exist for compatibility
       with Postfix versions before 2.3. Support for these
       will be removed in a future release.

       <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
              Opportunistic TLS: announce STARTTLS support to
              SMTP clients, but do not require that clients use
              TLS encryption.

       <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
              Mandatory TLS: announce STARTTLS support to SMTP
              clients, and require that clients use TLS encryption.

       <b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
              server TLS cipher list.

<b>VERP SUPPORT CONTROLS</b>
       With VERP style delivery, each recipient of a message
       receives a customized copy of the message with his/her own
       recipient address encoded in the envelope sender address.
       The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
       details of Postfix support for variable envelope return
       path addresses. VERP style delivery is requested with the
       SMTP XVERP command or with the "sendmail -V" command-line
       option and is available in Postfix version 1.1 and later.

       <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
              The two default VERP delimiter characters.

       <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
              The characters Postfix accepts as VERP delimiter
              characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
              and in SMTP commands.

       Available in Postfix version 1.1 and 2.0:

       <b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
              What SMTP clients are allowed to specify the XVERP
              command.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
              What SMTP clients are allowed to specify the XVERP
              command.

<b>TROUBLE SHOOTING CONTROLS</b>
       The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
       the Postfix mail system. The methods vary from making the
       software log a lot of detail, to running some daemon processes
       under control of a call tracer or debugger.

       <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
              The increment in verbose logging level when a
              remote client or server matches a pattern in the
              <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.

       <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
              Optional list of remote client or server hostname
              or network address patterns that cause the verbose
              logging level to increase by the amount specified
              in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.

       <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
              The recipient of postmaster notifications about
              mail delivery problems that are caused by policy,
              resource, software or protocol errors.

       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
              What categories of Postfix-generated mail are subject
              to before-queue content inspection by
              <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.

       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
              The list of error classes that are reported to the
              postmaster.

       <b><a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> (empty)</b>
              Optional information that is appended after each
              SMTP server 4XX or 5XX response.

       <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
              Safety net to keep mail queued that would otherwise
              be returned to the sender.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
              What SMTP clients are allowed to use the XCLIENT
              feature.

<b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
       As of Postfix version 2.0, the SMTP server rejects mail
       for unknown recipients. This prevents the mail queue from
       clogging up with undeliverable MAILER-DAEMON messages.
       Additional information on this topic is in the
       <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.

       <b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
              Display the name of the recipient table in the
              "User unknown" responses.

       <b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
              Optional address mapping lookup tables for message
              headers and envelopes.

       <b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
              Optional address mapping lookup tables for envelope
              and header recipient addresses.

       Parameters concerning known/unknown local recipients:

       <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b>
              The list of domains that are delivered via the
              $<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.

       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
              The network interface addresses that this mail
              system receives mail on.

       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
              The network interface addresses that this mail
              system receives mail on by way of a proxy or network
              address translation unit.

       <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
              The Internet protocols Postfix will attempt to use
              when making or accepting connections.

       <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname $<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
              Lookup tables with all names or addresses of local
              recipients: a recipient address is local when its
              domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
              $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.

       <b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
              The numerical Postfix SMTP server response code
              when a recipient address is local, and
              $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
              tables that does not match the recipient.

       Parameters concerning known/unknown recipients of relay
       destinations:

       <b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
              What destination domains (and subdomains thereof)
              this system will relay mail to.

       <b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
              Optional lookup tables with all valid addresses in
              the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.

       <b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
              The numerical Postfix SMTP server reply code when a
              recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
              <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
              tables that does not match the recipient address.

       Parameters concerning known/unknown recipients in virtual
       alias domains:

       <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
              Postfix is final destination for the specified list
              of virtual alias domains, that is, domains for
              which all addresses are aliased to addresses in
              other local or remote domains.

       <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
              Optional lookup tables that alias specific mail
              addresses or domains to other local or remote
              addresses.

       <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
              The SMTP server reply code when a recipient address
              matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and
              $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> specifies a list of lookup tables
              that does not match the recipient address.

       Parameters concerning known/unknown recipients in virtual
       mailbox domains:

       <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
              Postfix is final destination for the specified list
              of domains; mail is delivered via the
              $<a href="postconf.5.html#virtual_transport">virtual_transport</a> mail delivery transport.

       <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
              Optional lookup tables with all valid addresses in
              the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.

       <b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
              The SMTP server reply code when a recipient address
              matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and
              $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> specifies a list of lookup tables
              that does not match the recipient address.

<b>RESOURCE AND RATE CONTROLS</b>
       The following parameters limit resource usage by the SMTP
       server and/or control client request rates.

       <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
              Upon input, long lines are chopped up into pieces
              of at most this length; upon delivery, long lines
              are reconstructed.

       <b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
              The minimal amount of free space in bytes in the
              queue file system that is needed to receive mail.

       <b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
              The maximal size in bytes of a message, including
              envelope information.

       <b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
              The maximal number of recipients that the Postfix
              SMTP server accepts per message delivery request.

       <b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (normal: 300s, overload: 10s)</b>
              The time limit for sending a Postfix SMTP server
              response and for receiving a remote SMTP client
              request.

       <b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
              The maximal number of lines in the Postfix SMTP
              server command history before it is flushed upon
              receipt of EHLO, RSET, or end of DATA.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
              Attempt to look up the remote SMTP client hostname,
              and verify that the name matches the client IP
              address.

       The per SMTP client connection count and request rate
       limits are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a>
       service, and are available in Postfix version 2.2 and later.

       <b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
              How many simultaneous connections any client is
              allowed to make to this service.

       <b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
              The maximal number of connection attempts any
              client is allowed to make to this service per time
              unit.

       <b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
              The maximal number of message delivery requests
              that any client is allowed to make to this service
              per time unit, regardless of whether or not Postfix
              actually accepts those messages.

       <b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
              The maximal number of recipient addresses that any
              client is allowed to send to this service per time
              unit, regardless of whether or not Postfix actually
              accepts those recipients.

       <b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
              Clients that are excluded from
              smtpd_client_*_count/rate_limit restrictions.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (0)</b>
              The maximal number of new (i.e., uncached) TLS
              sessions that a remote SMTP client is allowed to
              negotiate with this service per time unit.

<b>TARPIT CONTROLS</b>
       When a remote SMTP client makes errors, the Postfix SMTP
       server can insert delays before responding. This can help
       to slow down run-away software.
       The behavior is controlled by an error counter that counts
       the number of errors within an SMTP session that a client
       makes without delivering mail.

       <b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
              With Postfix version 2.1 and later: the SMTP server
              response delay after a client has made more than
              $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
              $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
              mail.

       <b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
              The number of errors a remote SMTP client is
              allowed to make without delivering mail before the
              Postfix SMTP server slows down all its responses.

       <b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (normal: 20, overload: 1)</b>
              The maximal number of errors a remote SMTP client
              is allowed to make without delivering mail.

       <b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (normal: 100, overload: 1)</b>
              The number of junk commands (NOOP, VRFY, ETRN or
              RSET) that a remote SMTP client can send before the
              Postfix SMTP server starts to increment the error
              counter with each junk command.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
              The number of recipients that a remote SMTP client
              can send in excess of the limit specified with
              $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, before the Postfix SMTP
              server increments the per-session error count for
              each excess recipient.
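
       The tarpit error counter described above, as an added Python model
       that is not Postfix source code; it uses the "normal" defaults listed
       above and a constructed sample session. Assumptions of the model: the
       session is closed once the count reaches smtpd_hard_error_limit, a
       delivered message resets the count, and all class, function and event
       names are hypothetical.

```python
"""Model of the smtpd(8) tarpit error counter (illustrative, not Postfix code)."""
from dataclasses import dataclass

# Junk commands as listed for smtpd_junk_command_limit.
JUNK_COMMANDS = {"NOOP", "VRFY", "ETRN", "RSET"}


@dataclass
class TarpitConfig:
    # "normal" (non-overload) defaults from the parameter summary.
    error_sleep_time: int = 1       # smtpd_error_sleep_time, in seconds
    soft_error_limit: int = 10      # smtpd_soft_error_limit
    hard_error_limit: int = 20      # smtpd_hard_error_limit
    junk_command_limit: int = 100   # smtpd_junk_command_limit


@dataclass
class Session:
    cfg: TarpitConfig
    errors: int = 0          # errors made without delivering mail
    junk: int = 0            # junk commands seen in this session
    total_delay: int = 0     # seconds of tarpit delay served so far
    disconnected: bool = False

    def _count_error(self):
        self.errors += 1
        # Assumption: the server gives up when the count reaches the hard limit.
        if self.errors >= self.cfg.hard_error_limit:
            self.disconnected = True
            return "disconnect"
        # More than the soft limit, fewer than the hard limit: delay the reply.
        if self.errors > self.cfg.soft_error_limit:
            self.total_delay += self.cfg.error_sleep_time
            return "delay"
        return "ok"

    def handle(self, command, outcome="ok"):
        """outcome is 'ok', 'error' (command rejected) or 'delivered'."""
        if self.disconnected:
            return "closed"
        if outcome == "delivered":
            # Assumption: the counter only covers errors "without delivering mail".
            self.errors = 0
            return "ok"
        if command.upper() in JUNK_COMMANDS:
            self.junk += 1
            # Past the junk limit, every junk command counts as an error.
            if self.junk > self.cfg.junk_command_limit:
                return self._count_error()
            return "ok"
        if outcome == "error":
            return self._count_error()
        return "ok"


def simulate(events, cfg=None):
    """Replay (command, outcome) pairs; return the session and per-event actions."""
    session = Session(cfg or TarpitConfig())
    actions = [session.handle(cmd, outcome) for cmd, outcome in events]
    return session, actions


# Constructed sample: a client that sends 25 rejected RCPT TO commands in a row.
SAMPLE = [("RCPT", "error")] * 25

if __name__ == "__main__":
    session, actions = simulate(SAMPLE)
    for number, action in enumerate(actions, start=1):
        print(number, action)
    print("total delay (s):", session.total_delay)
    print("disconnected:", session.disconnected)
```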

<b>ACCESS POLICY DELEGATION CONTROLS</b>
       As of version 2.1, Postfix can be configured to delegate
       access policy decisions to an external server that runs
       outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
       more information.

       <b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
              The time after which an idle SMTPD policy service
              connection is closed.

       <b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
              The time after which an active SMTPD policy service
              connection is closed.

       <b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
              The time limit for connecting to, writing to or
              receiving from a delegated SMTPD policy server.

<b>ACCESS CONTROLS</b>
       The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
       all the SMTP server access control features.

       <b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
              Wait until the RCPT TO command before evaluating
              $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $smtpd_helo_restrictions
              and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until
              the ETRN command before evaluating
              $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and
              $smtpd_helo_restrictions.

       <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' output)</b>
              What Postfix features match subdomains of
              "domain.tld" automatically, instead of requiring an
              explicit ".domain.tld" pattern.

       <b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
              Optional SMTP server access restrictions in the
              context of a client SMTP connection request.

       <b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
              Require that a remote SMTP client introduces itself
              with the HELO or EHLO command before sending the
              MAIL command or other commands that require EHLO
              negotiation.

       <b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
              Optional restrictions that the Postfix SMTP server
              applies in the context of the SMTP HELO command.

       <b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
              Optional restrictions that the Postfix SMTP server
              applies in the context of the MAIL FROM command.

       <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
              The access restrictions that the Postfix SMTP
              server applies in the context of the RCPT TO
              command.

       <b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
              Optional SMTP server access restrictions in the
              context of a client ETRN request.

       <b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
              Forward mail with sender-specified routing
              (user[@%!]remote[@%!]site) from untrusted clients
              to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.

       <b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
              User-defined aliases for groups of access
              restrictions.

       <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b>&lt;&gt;<b>)</b>
              The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
              instead of the null sender address.

       <b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
              Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP
              access feature to only domains whose primary MX
              hosts match the listed networks.

       Available in Postfix version 2.0 and later:

       <b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
              Optional access restrictions that the Postfix SMTP
              server applies in the context of the SMTP DATA
              command.

       <b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
              What characters are allowed in $name expansions of
              RBL reply templates.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
              Request that the Postfix SMTP server rejects mail
              from unknown sender addresses, even when no
              explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
              is specified.

       <b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
              Request that the Postfix SMTP server rejects mail
              for unknown recipient addresses, even when no
              explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access
              restriction is specified.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
              Optional access restrictions that the Postfix SMTP
              server applies in the context of the SMTP
              END-OF-DATA command.

<b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
       Postfix version 2.1 introduces sender and recipient
       address verification. This feature is implemented by
       sending probe email messages that are not actually
       delivered. This feature is requested via the
       reject_unverified_sender and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
       restrictions. The status of verification probes is
       maintained by the <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file
       <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> for information about how to configure
       and operate the Postfix sender/recipient address
       verification service.

       <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (normal: 3, overload: 1)</b>
              How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
              the completion of an address verification request
              in progress.

       <b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b>
              The delay between queries for the completion of an
              address verification request in progress.

       <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b>
              The sender address to use in address verification
              probes; prior to Postfix 2.5 the default was
              "postmaster".

       <b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
              The numerical Postfix SMTP server response code
              when a recipient address is rejected by the
              <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.

       <b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
              The numerical Postfix SMTP server response when a
              recipient address is rejected by the
              reject_unverified_recipient restriction.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> (450)</b>
              The numerical Postfix SMTP server response code
              when a sender address probe fails due to a
              temporary error condition.

       <b><a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> (450)</b>
              The numerical Postfix SMTP server response when a
              recipient address probe fails due to a temporary
              error condition.

       <b><a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> (empty)</b>
              The Postfix SMTP server's reply when rejecting mail
              with <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>.

       <b><a href="postconf.5.html#unverified_recipient_reject_reason">unverified_recipient_reject_reason</a> (empty)</b>
              The Postfix SMTP server's reply when rejecting mail
              with <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>.

       <b><a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
              The Postfix SMTP server's action when
              <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> fails due to a temporary error
              condition.

       <b><a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
              The Postfix SMTP server's action when
              <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> fails due to a temporary error
              condition.

<b>ACCESS CONTROL RESPONSES</b>
       The following parameters control numerical SMTP reply
       codes and/or text responses.

       <b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b>
              The numerical Postfix SMTP server response code for
              an <a href="access.5.html"><b>access</b>(5)</a> map "reject" action.

       <b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
              The numerical Postfix SMTP server response code
              when a remote SMTP client request is rejected by
              the "defer" restriction.

       <b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
              The numerical Postfix SMTP server response code
              when the client HELO or EHLO command parameter is
              rejected by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
              restriction.

       <b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
              The numerical Postfix SMTP server response code
              when a remote SMTP client request is blocked by the
              <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,
              <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a>, <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or
              <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> restriction.

       <b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
              The numerical Postfix SMTP server reply code when a
              client request is rejected by the
              <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
              <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a>
              restriction.

       <b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b>
              The numerical Postfix SMTP server response code
              when a request is rejected by the
              <b>reject_plaintext_session</b> restriction.

       <b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
              The numerical Postfix SMTP server response code
              when a remote SMTP client request is rejected by
              the "reject" restriction.

       <b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
              The numerical Postfix SMTP server response code
              when a client request is rejected by the
              <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction.

       <b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
              The numerical Postfix SMTP server response code
              when a sender or recipient address is rejected by
              the <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
              <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> restriction.

       <b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
              The numerical Postfix SMTP server response code
              when a client without valid address &lt;=&gt; name
              mapping is rejected by the
              reject_unknown_client_hostname restriction.

       <b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
              The numerical Postfix SMTP server response code
              when the hostname specified with the HELO or EHLO
              command is rejected by the
              <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.

       Available in Postfix version 2.0 and later:

       <b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
              The default SMTP server response template for a
              request that is rejected by an RBL-based
              restriction.

       <b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
              The numerical Postfix SMTP server response code
              when a remote SMTP client request is blocked by the
              <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a> restriction.

       <b><a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> (empty)</b>
              Optional lookup tables with RBL response templates.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> (450)</b>
              The numerical Postfix SMTP server response code for
              an <a href="access.5.html"><b>access</b>(5)</a> map "defer" action, including
              "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>".

       <b><a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a> (<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>)</b>
              The Postfix SMTP server's action when a reject-type
              restriction fails due to a temporary error
              condition.

       <b><a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
              The Postfix SMTP server's action when
              <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> fails due to a
              temporary error condition.

       <b><a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
              The Postfix SMTP server's action when
              <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
              <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> fails due to a
              temporary error condition.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
              <a href="master.5.html">master.cf</a> configuration files.

       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
              How much time a Postfix daemon process may take to
              handle a request before it is terminated by a
              built-in watchdog timer.

       <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
              The location of all Postfix administrative
              commands.

       <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
              The sender address of postmaster notifications that
              are generated by the mail system.

       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
              The time limit for sending or receiving information
              over an internal communication channel.

       <b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
              The mail system name that is displayed in Received:
              headers, in the SMTP greeting banner, and in
              bounced mail.

       <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
              The UNIX system account that owns the Postfix queue
              and most Postfix daemon processes.

       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
              The maximum amount of time that an idle Postfix
              daemon process waits for an incoming connection
              before terminating voluntarily.

       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
              The maximal number of incoming connections that a
              Postfix daemon process will service before
              terminating voluntarily.

       <b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
              The internet hostname of this mail system.

       <b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
              The list of "trusted" SMTP clients that have more
              privileges than "strangers".

       <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The domain name that locally-posted mail appears to
              come from, and that locally posted mail is
              delivered to.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
              The location of the Postfix top-level queue
              directory.

       <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
              The separator between user names and address
              extensions (user+foo).

       <b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
              The text that follows the 220 status code in the
              SMTP greeting banner.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              The mail system name that is prepended to the
              process name in syslog records, so that "smtpd"
              becomes, for example, "postfix/smtpd".

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
              List of commands that cause the Postfix SMTP server
              to immediately terminate the session with a 221
              code.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtpd_client_port_logging">smtpd_client_port_logging</a> (no)</b>
              Enable logging of the remote SMTP client port in
              addition to the hostname and IP address.

<b>SEE ALSO</b>
       <a href="anvil.8.html">anvil(8)</a>, connection/rate limiting
       <a href="cleanup.8.html">cleanup(8)</a>, message canonicalization
       <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
       <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, address resolver
       <a href="verify.8.html">verify(8)</a>, address verification service
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="master.5.html">master(5)</a>, generic daemon options
       <a href="master.8.html">master(8)</a>, process manager
       syslogd(8), system logging

<b>README FILES</b>
       <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a>, blocking unknown hosted or relay recipients
       <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a>, Postfix address manipulation
       <a href="FILTER_README.html">FILTER_README</a>, external after-queue content filter
       <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>, blocking unknown local recipients
       <a href="MILTER_README.html">MILTER_README</a>, before-queue mail filter applications
       <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, built-in access policies
       <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a>, external policy server
       <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>, external before-queue content filter
       <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
       <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
       <a href="VERP_README.html">VERP_README</a>, Postfix XVERP extension
       <a href="XCLIENT_README.html">XCLIENT_README</a>, Postfix XCLIENT extension
       <a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this
       software.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Revised TLS support by:
       Victor Duchovni
       Morgan Stanley

                                                                      SMTPD(8)
</pre> </body> </html>