1 000 000 messages with good performance unlikely above that limit
10 10 Mandatory configuration file edits
11 11 To chroot or not to chroot
12 12 Care and feeding of the Postfix system
14 rbl_domain rbl_reason rbl_reason
168 100 189 2 255 255 255 224
18 rbl_domain rbl_reason rbl_reason
1 ffff ffff ffff ffff ffff ffff ffff ffff
2001 240 587 0 2d0 b7ff fe88 2ca7 ffff ffff ffff ffff
31 sasldb Accounts are stored stored in a Cyrus SASL Berkeley DB
33 ldapdb Accounts are stored stored in an LDAP database
4 yes yes yes never 100
5 postmaster postmaster example com
5 root root localhost
6 abuse abuse example com
80821 S 0 00 24 smtpd n smtp t inet u c o stress yes
83326 S 0 00 28 smtpd n smtp t inet u c o stress
84345 Ss 0 00 11 usr bin perl usr libexec postfix smtpd policy pl
8 SENDMAIL usr sbin sendmail G i NEVER NEVER NEVER use t here
address localpart as per RFC 822 so that additional or or
all all Maximum per destination delivery concurrency
and cost cost 1 times more than if the preemptive scheduler was
and sneak in the ten recipient mail Wait wait wait Could we Aren t
aNULL aNULL kEECDH kEDH RC4 eNULL EXPORT LOW STRENGTH
Arrival Date Sun 26 Nov 2006 17 01 01 0500 EST
attacks with user domain domain addresses when Postfix provides
authzTo authzTo dn regex uniqueIdentifier ou people dc example dc com
AUXLIBS AUXLIBS options for LDAP or TLS etc
blockquote blockquote
broken smtp smtp o smtp_quote_rfc821_envelope no
ccert_fingerprint C2 9D F4 87 71 73 73 D9 18 E7 C2 F3 C1 DA 6E 04
command_directory command_directory
concurrency concurrency limit
config_directory config_directory
daemon_directory daemon_directory
data_directory data_directory
Date Sun 26 Nov 2006 17 01 01 0500 EST
dd dd Alternatively check_ccert_access accepts an explicit search
dd dd check_ccert_access type table search_order cert_fingerprint
dd dd The commas are optional dd
dd dd The default algorithm is b sha256 b with Postfix ge 3 6
dd No TLS TLS will not be used unless enabled for specific
Dec 4 04 30 09 hostname postfix smtpd 58549 NOQUEUE reject
default_transport uucp uucp gateway
different client IP addresses Lookup results override the the global
Documentation Documentation is available as README files start with the file
done done
done done
dt b a name check_address_map check_address_map a i a href DATABASE_RE
dt b a name check_ccert_access check_ccert_access a i a href DATABASE_
dt b a name check_client_a_access check_client_a_access a i a href DAT
dt b a name check_client_access check_client_access a i a href DATABAS
dt b a name check_client_mx_access check_client_mx_access a i a href D
dt b a name check_client_ns_access check_client_ns_access a i a href D
dt b a name check_etrn_access check_etrn_access a i a href DATABASE_RE
dt b a name check_helo_a_access check_helo_a_access a i a href DATABAS
dt b a name check_helo_access check_helo_access a i a href DATABASE_RE
dt b a name check_helo_mx_access check_helo_mx_access a i a href DATAB
dt b a name check_helo_ns_access check_helo_ns_access a i a href DATAB
dt b a name check_policy_service check_policy_service i servername i a
dt b a name check_recipient_a_access check_recipient_a_access a i a hre
dt b a name check_recipient_access check_recipient_access a i a href D
dt b a name check_recipient_mx_access check_recipient_mx_access a i a h
dt b a name check_recipient_ns_access check_recipient_ns_access a i a h
dt b a name check_sasl_access check_sasl_access a i a href DATABASE_RE
dt b a name check_sender_a_access check_sender_a_access a i a href DAT
dt b a name check_sender_access check_sender_access a i a href DATABAS
dt b a name check_sender_mx_access check_sender_mx_access a i a href D
dt b a name check_sender_ns_access check_sender_ns_access a i a href D
dt b a name defer defer a b dt
dt b a name defer_if_permit defer_if_permit a b dt
dt b a name defer_if_reject defer_if_reject a b dt
dt b a name defer_unauth_destination defer_unauth_destination a b dt
dt b a name no_address_mappings no_address_mappings a b dt
dt b a name no_header_body_checks no_header_body_checks a b dt
dt b a name no_milters no_milters a b dt
dt b a name no_unknown_recipient_checks no_unknown_recipient_checks a b
dt b a name permit_auth_destination permit_auth_destination a b dt
dt b a name permit_dnswl_client permit_dnswl_client i dnswl_domain d d d d
dt b a name permit_inet_interfaces permit_inet_interfaces a b dt
dt b a name permit_mx_backup permit_mx_backup a b dt
dt b a name permit_mynetworks permit_mynetworks a b dt
dt b a name permit permit a b dt
dt b a name permit_rhswl_client permit_rhswl_client i rhswl_domain d d d d
dt b a name permit_sasl_authenticated permit_sasl_authenticated a b dt
dt b a name permit_tls_all_clientcerts permit_tls_all_clientcerts a b
dt b a name permit_tls_clientcerts permit_tls_clientcerts a b dt
dt b a name reject_invalid_helo_hostname reject_invalid_helo_hostname a
dt b a name reject_multi_recipient_bounce reject_multi_recipient_bounce a
dt b a name reject_non_fqdn_helo_hostname reject_non_fqdn_helo_hostname a
dt b a name reject_non_fqdn_recipient reject_non_fqdn_recipient a b dt
dt b a name reject_non_fqdn_sender reject_non_fqdn_sender a b dt
dt b a name reject_plaintext_session reject_plaintext_session a b dt
dt b a name reject_rbl_client reject_rbl_client i rbl_domain d d d d i
dt b a name reject reject a b dt
dt b a name reject_rhsbl_client reject_rhsbl_client i rbl_domain d d d d
dt b a name reject_rhsbl_helo reject_rhsbl_helo i rbl_domain d d d d i
dt b a name reject_rhsbl_recipient reject_rhsbl_recipient i rbl_domain d d
dt b a name reject_rhsbl_reverse_client reject_rhsbl_reverse_client i rbl_
dt b a name reject_rhsbl_sender reject_rhsbl_sender i rbl_domain d d d d
dt b a name reject_sender_login_mismatch reject_sender_login_mismatch a
dt b a name reject_unauth_destination reject_unauth_destination a b dt
dt b a name reject_unauth_pipelining reject_unauth_pipelining a b dt
dt b a name reject_unknown_client_hostname reject_unknown_client_hostname
dt b a name reject_unknown_helo_hostname reject_unknown_helo_hostname a
dt b a name reject_unknown_recipient_domain reject_unknown_recipient_domain
dt b a name reject_unknown_sender_domain reject_unknown_sender_domain a
dt b a name reject_unlisted_recipient reject_unlisted_recipient a b wi
dt b a name reject_unlisted_sender reject_unlisted_sender a b dt
dt b a name reject_unverified_recipient reject_unverified_recipient a b
dt b a name reject_unverified_sender reject_unverified_sender a b dt
dt b a name sleep sleep i seconds i a b dt
dt b a name warn_if_reject warn_if_reject a b dt
dt dt b i a href DATABASE_README html type table a i b dt
dt dt b i number i i number i b dt
dt dt dd 0 Disable logging of TLS activity dd
dt dt dd 1 Log only a summary message on TLS handshake completion
dt dt dd 2 Also log levels during TLS negotiation dd
dt dt dd 3 Also log hexadecimal and ASCII dump of TLS negotiation
dt dt dd 4 Also log hexadecimal and ASCII dump of complete
dude dude example com
eliminates the latency of the TCP handshake SYN SYN ACK ACK
example com uucp uucp host
example MAIL RCPT BDAT BDAT MAIL RCPT BDAT without ever having to
export MANPATH MANPATH pwd man MANPATH
fe80 1 2d0 b7ff fe88 2ca7 ffff ffff ffff ffff
fe80 5 1 ffff ffff ffff ffff
file allows for robust handling of temporary delivery errors errors
Filtered Filtered
for the file name when a pattern is a type table table specification
from host example com 192 168 0 2 TLSv1 with cipher cipher name
generic generic a restrictions These restrictions are applicable in
groups msn com 63 2 1 2 4 4 14 14 14 8 0
highvolume com 4000 160 160 320 640 1280 1440 0 0 0 0
host host port host port address or address port the form
http www umich edu dirsvcs ldap ldap html or OpenLDAP
id 84863BC0E5 Sun 26 Nov 2006 17 01 01 0500 EST
if concurrency concurrency limit
ifconfig en0 alias address netmask 255 255 255 255
inet_addr_local inet_addr_local configured 2 IPv4 addresses
inet_addr_local inet_addr_local configured 4 IPv6 addresses
insiders_only insiders_only check_sender_access hash etc postfix insiders reject
in the form of a domain name hostname hostname port hostname port
into memory such as pcre regexp or texthash texthash is similar
jane jane janes preferred machine
joe joe joes preferred machine
Line 8 NEVER NEVER NEVER use the t command line option here It
listname listname request
lists sourceforge net 2313 2313 0 0 0 0 0 0 0 0
local local 8
local_only local_only
maildrop maildrop
maildrop maildrop owner cn root dc your dc com
make make makefiles CC opt ansic bin cc Ae HP UX
make make makefiles CC purify cc
man man man5 postconf 5 less
master_service_disable foo inet inet
multi_instance_enable multi_instance_enable
multi_instance_group multi_instance_group
multi_instance_name multi_instance_name
mydestination myhostname localhost mydomain mydomain
mydomain to an incomplete address address rewriting alias
mynetworks mynetworks 127 0 0 0 8 168 100 189 0 28 1 128 fe80 10 2001 240 587
mynetworks mynetworks hash etc postfix network_table
Name lt user example com gt gt i Postfix will ignore the i User
name name port name or name port
NOTE Postfix 3 6 also introduces support for the level level
number number ranges Postfix version 2 8 and later If no
numbers or number number ranges Postfix version 2 8 and later
one or more separated numbers or number number ranges
openssl req new key key
or more separated numbers or number number ranges p
or number number ranges Postfix version 2 8 and later If no
ownership of system directories such as etc usr usr bin var
PARAM postscreen_dnsbl_max_ttl postscreen_dnsbl_ttl postscreen_dnsbl_ttl
patterns list multiple domain names as domain domain
p Note 2 address information may be enclosed inside tt tt
postfix 12345 12345 postfix no where no shell
Postfix 2 3 2 5 to hang up on clients that that match
Postfix has TWO sets of mail filters filters that are used for
Postfix Postfix can use an LDAP directory as a source for any of its lookups
Postfix Postfix passes the status back to the remote SMTP
Postfix Postfix will send the mail back to the sender address
pre pre
query_filter mailacceptinggeneralid s maildrop maildrop
queue_directory queue_directory
Received from localhost localhost 127 0 0 1
Received Received from porcupine org
rejected rejected recipients are available on request by the Milter
rewrite 8 none none
Say we have ten recipient mail followed by two two recipient mails If
separated numbers or number number ranges If no
smtpd_recipient_restrictions smtpd_recipient_restrictions
smtpd_relay_restrictions smtpd_relay_restrictions
smtpd_relay_restrictions smtpd_relay_restrictions
smtpd_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
smtpd_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
smtp smtp o smtp_bind_address 11 22 33 44
smtp smtp o smtp_bind_address6 1 2 3 4 5 6 7 8
smtp_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
smtp_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
SSLv3 TLSv1 TLSv1 1 TLSv1 2 and TLSv1 3 Starting with
T 5 10 20 40 80 160 320 640 1280 1280
T A 5 10 20 40 80 160 320 320
The and match and literally Without the the
The matches literally Without the the would
Therefore 301 0301 0x301 and 0x0301 are all equivalent to
The syntax of name value value name value and name value
the the backed up domain tld domain This prevents your mail queue
tls_random_source dev dev urandom
tls_random_source dev dev urandom
tls_random_source dev dev urandom
TLS TLS support in the LMTP delivery agent
TLSv1 3 with cipher TLS_AES_256_GCM_SHA384 256 256 bits
to flush flush 8 Deferred
to host example com 192 168 0 2 25 TLSv1 with cipher cipher name
to server example TLSv1 3 with cipher TLS_AES_256_GCM_SHA384 256 256 bits
TOTAL 5000 200 200 400 800 1600 1000 200 200 200 200
transport transport
tt tt in the authorized_verp_clients value and in files
tt tt in the mynetworks value and in files specified with
tt tt in the smtpd_authorized_verp_clients value and in
tt tt in the smtpd_authorized_xclient_hosts value and in
tt tt in the smtpd_authorized_xforward_hosts value and in
tt tt in the smtpd_client_event_limit_exceptions value and
tt tt in the smtpd_sasl_exceptions_networks value and in
tt tt p
two two recipient mails
uid cn cn auth
Unfiltered Unfiltered
unknown recipients in local domains domains that match mydestination
Use blockquote pre pre blockquote for examples
Use pre pre for the Examples section at the end
username username
user sourceforge net 7678 7678 0 0 0 0 0 0 0 0
using TLSv1 3 with cipher TLS_AES_256_GCM_SHA384 256 256 bits
using TLSv1 with cipher cipher name
var var spool and so on This is especially an issue if you executed
With the standard operators lt lt etc compatibility
yes yes yes never 100
zombie zombie tlsproxy 8 smtpd 8
and 1 000 000 messages with good performance unlikely above that
dt dt b name value b Postfix ge 3 0 dt
dt dt dd 3 Also log the hexadecimal and ASCII dump of the
dt dt dd 4 Also log the hexadecimal and ASCII dump of complete
parametername stress something something Other
p Note on OpenBSD systems specify dev dev arandom when dev dev urandom
user3 example net smtp smtp relay example net submission