autoupdate

[postfix-master.git] / postfix-master / smtp.8.html

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - smtp(8) </title>
</head> <body> <pre>
SMTP(8)                                                                SMTP(8)

<b>NAME</b>
       smtp - Postfix SMTP+LMTP client

<b>SYNOPSIS</b>
       <b>smtp</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The  Postfix SMTP+LMTP client implements the SMTP and LMTP
       mail delivery protocols.  It  processes  message  delivery
       requests  from the queue manager. Each request specifies a
       queue file, a sender address, a domain or host to  deliver
       to, and recipient information.  This program expects to be
       run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.

       The SMTP+LMTP client updates  the  queue  file  and  marks
       recipients  as  finished,  or it informs the queue manager
       that delivery should be  tried  again  at  a  later  time.
       Delivery   status  reports  are  sent  to  the  <a href="bounce.8.html"><b>bounce</b>(8)</a>,
       <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.

       The SMTP+LMTP client looks up a  list  of  mail  exchanger
       addresses  for  the  destination  host,  sorts the list by
       preference, and connects to each listed address  until  it
       finds a server that responds.

       When  a  server  is  not  reachable, or when mail delivery
       fails due to a recoverable error condition, the  SMTP+LMTP
       client  will try to deliver the mail to an alternate host.

       After a successful mail transaction, a connection  may  be
       saved to the <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it
       may be used by  any  SMTP+LMTP  client  for  a  subsequent
       transaction.

       By  default, connection caching is enabled temporarily for
       destinations that have a high volume of mail in the active
       queue.  Connection  caching can be enabled permanently for
       specific destinations.

<b>SMTP DESTINATION SYNTAX</b>
       SMTP destinations have the following form:

       <i>domainname</i>

       <i>domainname</i>:<i>port</i>
              Look up  the  mail  exchangers  for  the  specified
              domain, and connect to the specified port (default:
              <b>smtp</b>).

       [<i>hostname</i>]

       [<i>hostname</i>]:<i>port</i>
              Look up the address(es) of the specified host,  and
              connect to the specified port (default: <b>smtp</b>).

       [<i>address</i>]

       [<i>address</i>]:<i>port</i>
              Connect  to  the host at the specified address, and
              connect to the specified port (default:  <b>smtp</b>).  An
              IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>].

<b>LMTP DESTINATION SYNTAX</b>
       LMTP destinations have the following form:

       <b>unix</b>:<i>pathname</i>
              Connect  to  the  local  UNIX-domain server that is
              bound to the specified  <i>pathname</i>.  If  the  process
              runs  chrooted, an absolute pathname is interpreted
              relative to the Postfix queue directory.

       <b>inet</b>:<i>hostname</i>

       <b>inet:</b><i>hostname</i>:<i>port</i>

       <b>inet</b>:[<i>address</i>]

       <b>inet</b>:[<i>address</i>]:<i>port</i>
              Connect to the specified TCP port on the  specified
              local or remote host. If no port is specified, con-
              nect to the port defined as  <b>lmtp</b>  in  <b>services</b>(4).
              If no such service is found, the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b> con-
              figuration parameter (default value of 24) will  be
              used.    An  IPv6  address  must  be  formatted  as
              [<b>ipv6</b>:<i>address</i>].

<b>SECURITY</b>
       The SMTP+LMTP client is moderately security-sensitive.  It
       talks  to  SMTP  or LMTP servers and to DNS servers on the
       network. The SMTP+LMTP client can be run chrooted at fixed
       low privilege.

<b>STANDARDS</b>
       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
       <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
       <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)

<b>DIAGNOSTICS</b>
       Problems  and transactions are logged to <b>syslogd</b>(8).  Cor-
       rupted message files are marked so that the queue  manager
       can move them to the <b>corrupt</b> queue for further inspection.

       Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b>  parameter,
       the  postmaster is notified of bounces, protocol problems,
       and of other trouble.

<b>BUGS</b>
       SMTP and LMTP connection caching does not work  with  TLS.
       The  necessary  support for TLS object passivation and re-
       activation does not exist  without  closing  the  session,
       which defeats the purpose.

       SMTP and LMTP connection caching assumes that SASL creden-
       tials are valid for all destinations  that  map  onto  the
       same IP address and TCP port.

<b>CONFIGURATION PARAMETERS</b>
       Before  Postfix version 2.3, the LMTP client is a separate
       program that implements only a subset of the functionality
       available with SMTP: there is no support for TLS, and con-
       nections are cached in-process, making it ineffective when
       the client is used for multiple domains.

       Most  smtp_<i>xxx</i>  configuration  parameters have an lmtp_<i>xxx</i>
       "mirror" parameter for the equivalent LMTP  feature.  This
       document describes only those LMTP-related parameters that
       aren't simply "mirror" parameters.

       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a>
       processes  run  for only a limited amount of time. Use the
       command "<b>postfix reload</b>" to speed up a change.

       The text below provides  only  a  parameter  summary.  See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.

<b>COMPATIBILITY CONTROLS</b>
       <b><a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> (no)</b>
              Ignore DNS MX lookups that produce no response.

       <b><a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> (yes)</b>
              Always send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
              Never send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
              Defer  mail  delivery when no MX record resolves to
              an IP address.

       <b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
              The maximal length of message header and body lines
              that Postfix will send via SMTP.

       <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
              How  long  the  Postfix  SMTP  client pauses before
              sending ".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX
              firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.

       <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
              How  long a message must be queued before the Post-
              fix  SMTP  client  turns  on   the   PIX   firewall
              "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;"  bug  workaround  for  delivery
              through firewalls with "smtp fixup" mode turned on.

       <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b>
              A  list that specifies zero or more workarounds for
              CISCO PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b>
              Lookup tables, indexed by the  remote  SMTP  server
              address, with per-destination workarounds for CISCO
              PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
              Quote addresses in SMTP MAIL FROM and RCPT TO  com-
              mands as required by <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.

       <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
              A  mechanism  to transform replies from remote SMTP
              servers one line at a time.

       <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 5XX status code
              (go away, do not try again later).

       <b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
              Do  not wait for the response to the SMTP QUIT com-
              mand.

       Available in Postfix version 2.0 and earlier:

       <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 4XX status code
              (go away, try again later).

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
              Lookup  tables,  indexed  by the remote SMTP server
              address, with case insensitive lists of  EHLO  key-
              words  (pipelining,  starttls, auth, etc.) that the
              Postfix  SMTP  client  will  ignore  in  the   EHLO
              response from a remote SMTP server.

       <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
              A  case insensitive list of EHLO keywords (pipelin-
              ing, starttls, auth, etc.) that  the  Postfix  SMTP
              client  will  ignore  in  the  EHLO response from a
              remote SMTP server.

       <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
              Optional lookup tables that perform address rewrit-
              ing  in  the  SMTP client, typically to transform a
              locally valid address into a globally valid address
              when sending mail across the Internet.

       Available in Postfix version 2.2.9 and later:

       <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
              Allow  DNS CNAME records to override the servername
              that the Postfix SMTP client uses for logging, SASL
              password  lookup, TLS policy decisions, or TLS cer-
              tificate verification.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the  remote  LMTP  server
              address,  with  case insensitive lists of LHLO key-
              words (pipelining, starttls, auth, etc.)  that  the
              LMTP client will ignore in the LHLO response from a
              remote LMTP server.

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
              A case insensitive list of LHLO keywords  (pipelin-
              ing,  starttls,  auth,  etc.)  that the LMTP client
              will ignore in the LHLO response from a remote LMTP
              server.

       Available in Postfix version 2.4.4 and later:

       <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
              When authenticating to a remote SMTP or LMTP server
              with the default setting "no", send no SASL  autho-
              riZation ID (authzid); send only the SASL authenti-
              Cation ID (authcid) plus the authcid's password.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the  Postfix
              SMTP client.

       <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
              Restricted  <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5)  tables  for  the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables  for  the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
              Restricted  <a href="header_checks.5.html"><b>body_checks</b>(5)</a>  tables  for the Postfix
              SMTP client.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
              An optional workaround for routers that  break  TCP
              window scaling.

       Available in Postfix version 2.8 and later:

       <b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b>
              DNS Resolver options for the Postfix SMTP client.

<b>MIME PROCESSING CONTROLS</b>
       Available in Postfix version 2.0 and later:

       <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
              Disable  the  conversion of 8BITMIME format to 7BIT
              format.

       <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
              The  maximal  length  of  MIME  multipart  boundary
              strings.

       <b><a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> (100)</b>
              The maximal recursion level that the MIME processor
              will handle.

<b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
              Send the non-standard  XFORWARD  command  when  the
              Postfix  SMTP  server EHLO response announces XFOR-
              WARD support.

<b>SASL AUTHENTICATION CONTROLS</b>
       <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
              Enable SASL  authentication  in  the  Postfix  SMTP
              client.

       <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
              Optional  SMTP  client lookup tables with one user-
              name:password entry per remote hostname or  domain,
              or sender address when sender-dependent authentica-
              tion is enabled.

       <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
              Postfix SMTP client SASL security  options;  as  of
              Postfix  2.3 the list of available features depends
              on the SASL client implementation that is  selected
              with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
              If  non-empty, a Postfix SMTP client filter for the
              remote SMTP server's list of  offered  SASL  mecha-
              nisms.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
              Enable sender-dependent authentication in the Post-
              fix SMTP client; this is available only  with  SASL
              authentication,   and   disables   SMTP  connection
              caching to ensure that mail from different  senders
              will use the appropriate credentials.

       <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
              Implementation-specific  information that the Post-
              fix SMTP client passes through to the SASL  plug-in
              implementation     that     is     selected    with
              <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
              The SASL plug-in type that the Postfix SMTP  client
              should use for authentication.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
              An  optional table to prevent repeated SASL authen-
              tication failures with the same remote SMTP  server
              hostname, username and password.

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
              The  maximal  age  of  an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
              entry before it is removed.

       <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
              When a remote SMTP server rejects a SASL  authenti-
              cation  request  with  a 535 reply code, defer mail
              delivery instead of returning  mail  as  undeliver-
              able.

<b>STARTTLS SUPPORT CONTROLS</b>
       Detailed  information  about STARTTLS configuration may be
       found in the <a href="TLS_README.html">TLS_README</a> document.

       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
              The default SMTP TLS security level for the Postfix
              SMTP  client;  when a non-empty value is specified,
              this    overrides    the    obsolete     parameters
              <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>,         <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>,         and
              <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.

       <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>           ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
       <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
              The SASL authentication security options  that  the
              Postfix  SMTP  client  uses  for TLS encrypted SMTP
              sessions.

       <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
              Time limit for Postfix SMTP client write  and  read
              operations  during  TLS  startup and shutdown hand-
              shake procedures.

       <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
              A file  containing  CA  certificates  of  root  CAs
              trusted  to sign either remote SMTP server certifi-
              cates or intermediate CA certificates.

       <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
              Directory with  PEM  format  certificate  authority
              certificates  that  the Postfix SMTP client uses to
              verify a remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
              File with the Postfix SMTP client  RSA  certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
              The  minimum TLS cipher grade that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
              List of ciphers or cipher types to exclude from the
              Postfix SMTP client cipher list at all TLS security
              levels.

       <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
              Additional list  of  ciphers  or  cipher  types  to
              exclude  from the SMTP client cipher list at manda-
              tory TLS security levels.

       <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
              File with the Postfix SMTP client  DSA  certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
              File  with  the Postfix SMTP client DSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
              File with the Postfix SMTP client RSA  private  key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable  additional  Postfix  SMTP client logging of
              TLS activity.

       <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
              Log the hostname  of  a  remote  SMTP  server  that
              offers  STARTTLS,  when  TLS is not already enabled
              for that server.

       <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS security policy by next-hop destination; when a
              non-empty value is specified,  this  overrides  the
              obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.

       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
              List  of  SSL/TLS  protocols  that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
              The verification depth for remote SMTP server  cer-
              tificates.

       <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
              The server certificate peername verification method
              for the "secure" TLS security level.

       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
              Name of the file containing  the  optional  Postfix
              SMTP client TLS session cache.

       <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP client TLS ses-
              sion cache information.

       <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
              The server certificate peername verification method
              for the "verify" TLS security level.

       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
              The  number  of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process  requests  from  the  <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
              server  in order to seed its internal pseudo random
              number generator (PRNG).

       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
       <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "HIGH" grade ciphers.

       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "MEDIUM" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
              The  OpenSSL  cipherlist  for "LOW" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "EXPORT" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
              The  OpenSSL  cipherlist  for  "NULL" grade ciphers
              that provide authentication without encryption.

       Available in Postfix version 2.4 and later:

       <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
       <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
              The SASL authentication security options  that  the
              Postfix  SMTP  client  uses  for TLS encrypted SMTP
              sessions with a verified server certificate.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
              List of acceptable remote SMTP  server  certificate
              fingerprints  for  the  "fingerprint"  TLS security
              level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).

       <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
              The message  digest  algorithm  used  to  construct
              remote SMTP server certificate fingerprints.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
              List  of TLS protocols that the Postfix SMTP client
              will exclude  or  include  with  opportunistic  TLS
              encryption.

       <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
              The  minimum TLS cipher grade that the Postfix SMTP
              client will use with opportunistic TLS  encryption.

       <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
              File with the Postfix SMTP client ECDSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
              File with the Postfix SMTP client ECDSA private key
              in PEM format.

       Available in Postfix version 2.7 and later:

       <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
              Try  to  detect  a mail hijacking attack based on a
              TLS protocol vulnerability  (CVE-2009-3555),  where
              an  attacker  prepends  malicious HELO, MAIL, RCPT,
              DATA commands to a Postfix SMTP client TLS session.

<b>OBSOLETE STARTTLS CONTROLS</b>
       The  following configuration parameters exist for compati-
       bility with Postfix versions before 2.3. Support for these
       will be removed in a future release.

       <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
              Opportunistic  mode:  use  TLS  when  a remote SMTP
              server announces STARTTLS support,  otherwise  send
              the mail in the clear.

       <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
              Enforcement  mode: require that remote SMTP servers
              use TLS encryption, and  never  send  mail  in  the
              clear.

       <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
              With  mandatory  TLS  encryption,  require that the
              remote SMTP server hostname matches the information
              in the remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS usage policy by  next-hop  destination  and  by
              remote SMTP server hostname.

       <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
              client TLS cipher list.

<b>RESOURCE AND RATE CONTROLS</b>
       <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a>      ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
       <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
              The maximal number of parallel  deliveries  to  the
              same  destination  via  the  smtp  message delivery
              transport.

       <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a>        ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
       <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
              The maximal number of recipients  per  message  for
              the smtp message delivery transport.

       <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
              The  SMTP  client  time  limit for completing a TCP
              connection,  or  zero  (use  the  operating  system
              built-in time limit).

       <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
              The  SMTP client time limit for sending the HELO or
              EHLO command, and for receiving the initial  server
              response.

       <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
              The  LMTP  client  time  limit for sending the LHLO
              command,  and  for  receiving  the  initial  server
              response.

       <b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
              The SMTP client time limit for sending the XFORWARD
              command, and for receiving the server response.

       <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
              The SMTP client time limit  for  sending  the  MAIL
              FROM   command,   and   for  receiving  the  server
              response.

       <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
              The SMTP client time limit  for  sending  the  SMTP
              RCPT  TO  command,  and  for  receiving  the server
              response.

       <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
              The SMTP client time limit  for  sending  the  SMTP
              DATA   command,   and   for  receiving  the  server
              response.

       <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
              The SMTP client time limit  for  sending  the  SMTP
              message content.

       <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
              The  SMTP  client  time  limit for sending the SMTP
              ".", and for receiving the server response.

       <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
              The SMTP client time limit  for  sending  the  QUIT
              command, and for receiving the server response.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
              The  maximal  number  of  MX  (mail  exchanger)  IP
              addresses  that  can  result  from  mail  exchanger
              lookups, or zero (no limit).

       <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
              The  maximal  number  of SMTP sessions per delivery
              request before giving up or delivering to  a  fall-
              back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).

       <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
              The  SMTP  client  time  limit for sending the RSET
              command, and for receiving the server response.

       Available in Postfix version 2.2 and earlier:

       <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
              Keep Postfix LMTP client connections open for up to
              $<a href="postconf.5.html#max_idle">max_idle</a> seconds.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
              Permanently  enable SMTP connection caching for the
              specified destinations.

       <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
              Temporarily enable SMTP connection caching while  a
              destination has a high volume of mail in the active
              queue.

       <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
              The amount of time during which Postfix will use an
              SMTP connection repeatedly.

       <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
              When SMTP connection caching is enabled, the amount
              of time that an unused SMTP client socket  is  kept
              open before it is closed.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
              Time  limit  for  connection cache connect, send or
              receive operations.

<b>TROUBLE SHOOTING CONTROLS</b>
       <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
              The increment  in  verbose  logging  level  when  a
              remote  client  or  server matches a pattern in the
              <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.

       <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
              Optional list of remote client or  server  hostname
              or  network address patterns that cause the verbose
              logging level to increase by the  amount  specified
              in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.

       <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
              The  recipient  of  postmaster  notifications about
              mail delivery problems that are caused  by  policy,
              resource, software or protocol errors.

       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
              What  categories of Postfix-generated mail are sub-
              ject  to   before-queue   content   inspection   by
              <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.

       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
              The  list of error classes that are reported to the
              postmaster.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
              Where the Postfix SMTP client should  deliver  mail
              when it detects a "mail loops back to myself" error
              condition.

       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of  the  Postfix  <a href="postconf.5.html">main.cf</a>  and
              <a href="master.5.html">master.cf</a> configuration files.

       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
              How  much time a Postfix daemon process may take to
              handle a request  before  it  is  terminated  by  a
              built-in watchdog timer.

       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The  maximal  number  of  digits  after the decimal
              point when logging sub-second delay values.

       <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
              Disable DNS lookups in the Postfix  SMTP  and  LMTP
              clients.

       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
              The network interface addresses that this mail sys-
              tem receives mail on.

       <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
              The Internet protocols Postfix will attempt to  use
              when making or accepting connections.

       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
              The time limit for sending or receiving information
              over an internal communication channel.

       <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
              When an  LMTP  server  announces  no  DSN  support,
              assume that the server performs final delivery, and
              send  "delivered"  delivery  status   notifications
              instead of "relayed".

       <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
              The  default  TCP port that the Postfix LMTP client
              connects to.

       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
              The maximum amount of time  that  an  idle  Postfix
              daemon  process  waits  for  an incoming connection
              before terminating voluntarily.

       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
              The maximal number of incoming connections  that  a
              Postfix  daemon  process will service before termi-
              nating voluntarily.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID  of  a  Postfix  command  or  daemon
              process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The  process  name  of  a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
              The network interface addresses that this mail sys-
              tem  receives  mail on by way of a proxy or network
              address translation unit.

       <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (ipv6)</b>
              The address type ("ipv6", "ipv4" or "any") that the
              Postfix SMTP client will try first, when a destina-
              tion has IPv6 and  IPv4  addresses  with  equal  MX
              preference.

       <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
              An  optional  numerical  network  address  that the
              Postfix SMTP client should bind to when  making  an
              IPv4 connection.

       <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
              An  optional  numerical  network  address  that the
              Postfix SMTP client should bind to when  making  an
              IPv6 connection.

       <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The  hostname to send in the SMTP EHLO or HELO com-
              mand.

       <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The hostname to send in the LMTP LHLO command.

       <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
              What mechanisms the Postfix  SMTP  client  uses  to
              look up a host's IP address.

       <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
              Randomize  the  order  of  equal-preference MX host
              addresses.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              The mail system  name  that  is  prepended  to  the
              process  name  in  syslog  records, so that "smtpd"
              becomes, for example, "postfix/smtpd".

       Available with Postfix 2.2 and earlier:

       <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
              Optional list of relay hosts for SMTP  destinations
              that can't be found or that are unreachable.

       Available with Postfix 2.3 and later:

       <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
              Optional  list of relay hosts for SMTP destinations
              that can't be found or that are unreachable.

<b>SEE ALSO</b>
       <a href="generic.5.html">generic(5)</a>, output address rewriting
       <a href="header_checks.5.html">header_checks(5)</a>, message header content inspection
       <a href="header_checks.5.html">body_checks(5)</a>, body parts content inspection
       <a href="qmgr.8.html">qmgr(8)</a>, queue manager
       <a href="bounce.8.html">bounce(8)</a>, delivery status reports
       <a href="scache.8.html">scache(8)</a>, connection cache server
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="master.5.html">master(5)</a>, generic daemon options
       <a href="master.8.html">master(8)</a>, process manager
       <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
       syslogd(8), system logging

<b>README FILES</b>
       <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
       <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto

<b>LICENSE</b>
       The  Secure  Mailer  license must be distributed with this
       software.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Command pipelining in cooperation with:
       Jon Ribbens
       Oaktree Internet Solutions Ltd.,
       Internet House,
       Canal Basin,
       Coventry,
       CV1 4LY, United Kingdom.

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Revised TLS and SMTP connection cache support by:
       Victor Duchovni
       Morgan Stanley

                                                                       SMTP(8)
</pre> </body> </html>