1 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
3 <html> <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
5 <title> Postfix manual - smtp(8) </title>
6 </head> <body> <pre>
7 SMTP(8) SMTP(8)
9 <b>NAME</b>
10 smtp - Postfix SMTP+LMTP client
12 <b>SYNOPSIS</b>
13 <b>smtp</b> [generic Postfix daemon options]
15 <b>DESCRIPTION</b>
16 The Postfix SMTP+LMTP client implements the SMTP and LMTP
17 mail delivery protocols. It processes message delivery
18 requests from the queue manager. Each request specifies a
19 queue file, a sender address, a domain or host to deliver
20 to, and recipient information. This program expects to be
21 run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
23 The SMTP+LMTP client updates the queue file and marks
24 recipients as finished, or it informs the queue manager
25 that delivery should be tried again at a later time.
26 Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>,
27 <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.
29 The SMTP+LMTP client looks up a list of mail exchanger
30 addresses for the destination host, sorts the list by
31 preference, and connects to each listed address until it
32 finds a server that responds.
34 When a server is not reachable, or when mail delivery
35 fails due to a recoverable error condition, the SMTP+LMTP
36 client will try to deliver the mail to an alternate host.
38 After a successful mail transaction, a connection may be
39 saved to the <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it
40 may be used by any SMTP+LMTP client for a subsequent
41 transaction.
43 By default, connection caching is enabled temporarily for
44 destinations that have a high volume of mail in the active
45 queue. Connection caching can be enabled permanently for
46 specific destinations.
48 <b>SMTP DESTINATION SYNTAX</b>
49 SMTP destinations have the following form:
51 <i>domainname</i>
53 <i>domainname</i>:<i>port</i>
54 Look up the mail exchangers for the specified
55 domain, and connect to the specified port (default:
56 <b>smtp</b>).
58 [<i>hostname</i>]
60 [<i>hostname</i>]:<i>port</i>
61 Look up the address(es) of the specified host, and
62 connect to the specified port (default: <b>smtp</b>).
64 [<i>address</i>]
66 [<i>address</i>]:<i>port</i>
67 Connect to the host at the specified address, and
68 connect to the specified port (default: <b>smtp</b>). An
69 IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>].
71 <b>LMTP DESTINATION SYNTAX</b>
72 LMTP destinations have the following form:
74 <b>unix</b>:<i>pathname</i>
75 Connect to the local UNIX-domain server that is
76 bound to the specified <i>pathname</i>. If the process
77 runs chrooted, an absolute pathname is interpreted
78 relative to the Postfix queue directory.
80 <b>inet</b>:<i>hostname</i>
82 <b>inet:</b><i>hostname</i>:<i>port</i>
84 <b>inet</b>:[<i>address</i>]
86 <b>inet</b>:[<i>address</i>]:<i>port</i>
87 Connect to the specified TCP port on the specified
88 local or remote host. If no port is specified, con-
89 nect to the port defined as <b>lmtp</b> in <b>services</b>(4).
90 If no such service is found, the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b> con-
91 figuration parameter (default value of 24) will be
92 used. An IPv6 address must be formatted as
93 [<b>ipv6</b>:<i>address</i>].
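Added example (not part of the Postfix distribution): a Python parser for the SMTP and LMTP destination forms listed above. It records whether a destination leads to an MX lookup, a host address lookup, or a direct connection. The names parse_destination and Destination are hypothetical, and only the forms shown on this page are accepted.

```python
import ipaddress
from typing import NamedTuple, Optional


class Destination(NamedTuple):   # hypothetical name, not a Postfix type
    kind: str             # "mx", "host", "address" or "unix"
    target: str
    port: Optional[str]   # service name or number; None for UNIX sockets


def _split_port(text, default_port):
    """Return (name, port, bracketed) for 'name', 'name:port', '[x]', '[x]:port'."""
    if text.startswith("["):
        end = text.find("]")
        if end == -1:
            raise ValueError("missing ']' in %r" % text)
        inner, tail = text[1:end], text[end + 1:]
        if tail and (not tail.startswith(":") or len(tail) == 1):
            raise ValueError("expected ':port' after ']' in %r" % text)
        return inner, tail[1:] or default_port, True
    if text.count(":") > 1:
        # A bare IPv6 literal is ambiguous with name:port; the page
        # requires the [ipv6:address] form instead.
        raise ValueError("too many ':' in %r; bracket the address" % text)
    name, sep, port = text.partition(":")
    if sep and not port:
        raise ValueError("empty port in %r" % text)
    return name, port or default_port, False


def _classify_bracketed(inner):
    """Decide whether [inner] is an address literal or a hostname."""
    if inner.lower().startswith("ipv6:"):
        addr = inner[5:]
        ipaddress.IPv6Address(addr)      # raises ValueError if malformed
        return "address", addr
    try:
        ipaddress.IPv4Address(inner)
        return "address", inner
    except ValueError:
        pass
    if ":" in inner:
        raise ValueError("IPv6 literal %r needs the ipv6: prefix" % inner)
    return "host", inner


def parse_destination(dest, protocol="smtp"):
    """Classify one destination string using the forms listed on this page."""
    if protocol == "lmtp":
        scheme, sep, rest = dest.partition(":")
        if not sep or scheme not in ("unix", "inet"):
            raise ValueError("LMTP destination must start with unix: or inet:")
        if scheme == "unix":
            if not rest:
                raise ValueError("empty UNIX-domain pathname")
            return Destination("unix", rest, None)
        # "lmtp" stands for the services(4) entry; per the page,
        # lmtp_tcp_port (default 24) is used if no such service exists.
        default_port = "lmtp"
    elif protocol == "smtp":
        rest, default_port = dest, "smtp"
    else:
        raise ValueError("protocol must be 'smtp' or 'lmtp'")

    name, port, bracketed = _split_port(rest, default_port)
    if not name:
        raise ValueError("empty host in %r" % dest)
    if bracketed:
        kind, target = _classify_bracketed(name)
    elif protocol == "smtp":
        kind, target = "mx", name        # unbracketed SMTP name: MX lookup
    else:
        kind, target = "host", name      # LMTP inet:hostname
    return Destination(kind, target, port)


if __name__ == "__main__":
    # Constructed sample destinations.
    for proto, dest in [("smtp", "example.com"),
                        ("smtp", "[mail.example.com]:submission"),
                        ("smtp", "[ipv6:2001:db8::25]:2525"),
                        ("lmtp", "unix:private/lmtp"),
                        ("lmtp", "inet:[192.0.2.10]")]:
        print(proto, dest, parse_destination(dest, proto))
```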
95 <b>SECURITY</b>
96 The SMTP+LMTP client is moderately security-sensitive. It
97 talks to SMTP or LMTP servers and to DNS servers on the
98 network. The SMTP+LMTP client can be run chrooted at fixed
99 low privilege.
101 <b>STANDARDS</b>
102 <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
103 <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
104 <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
105 <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
106 <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
107 <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
108 <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
109 <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
110 <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
111 <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
112 <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
113 <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
114 <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
115 <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
116 <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
117 <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
119 <b>DIAGNOSTICS</b>
120 Problems and transactions are logged to <b>syslogd</b>(8). Cor-
121 rupted message files are marked so that the queue manager
122 can move them to the <b>corrupt</b> queue for further inspection.
124 Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
125 the postmaster is notified of bounces, protocol problems,
126 and of other trouble.
128 <b>BUGS</b>
129 SMTP and LMTP connection caching does not work with TLS.
130 The necessary support for TLS object passivation and re-
131 activation does not exist without closing the session,
132 which defeats the purpose.
134 SMTP and LMTP connection caching assumes that SASL creden-
135 tials are valid for all destinations that map onto the
136 same IP address and TCP port.
138 <b>CONFIGURATION PARAMETERS</b>
139 Before Postfix version 2.3, the LMTP client is a separate
140 program that implements only a subset of the functionality
141 available with SMTP: there is no support for TLS, and con-
142 nections are cached in-process, making it ineffective when
143 the client is used for multiple domains.
145 Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i>
146 "mirror" parameter for the equivalent LMTP feature. This
147 document describes only those LMTP-related parameters that
148 aren't simply "mirror" parameters.
150 Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a>
151 processes run for only a limited amount of time. Use the
152 command "<b>postfix reload</b>" to speed up a change.
154 The text below provides only a parameter summary. See
155 <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
157 <b>COMPATIBILITY CONTROLS</b>
158 <b><a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> (no)</b>
159 Ignore DNS MX lookups that produce no response.
161 <b><a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> (yes)</b>
162 Always send EHLO at the start of an SMTP session.
164 <b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
165 Never send EHLO at the start of an SMTP session.
167 <b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
168 Defer mail delivery when no MX record resolves to
169 an IP address.
171 <b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
172 The maximal length of message header and body lines
173 that Postfix will send via SMTP.
175 <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
176 How long the Postfix SMTP client pauses before
177 sending ".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX
178 firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.
180 <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
181 How long a message must be queued before the Post-
182 fix SMTP client turns on the PIX firewall
183 "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround for delivery
184 through firewalls with "smtp fixup" mode turned on.
186 <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b>
187 A list that specifies zero or more workarounds for
188 CISCO PIX firewall bugs.
190 <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b>
191 Lookup tables, indexed by the remote SMTP server
192 address, with per-destination workarounds for CISCO
193 PIX firewall bugs.
195 <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
196 Quote addresses in SMTP MAIL FROM and RCPT TO com-
197 mands as required by <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.
199 <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
200 A mechanism to transform replies from remote SMTP
201 servers one line at a time.
203 <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
204 Skip SMTP servers that greet with a 5XX status code
205 (go away, do not try again later).
207 <b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
208 Do not wait for the response to the SMTP QUIT com-
209 mand.
211 Available in Postfix version 2.0 and earlier:
213 <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b>
214 Skip SMTP servers that greet with a 4XX status code
215 (go away, try again later).
217 Available in Postfix version 2.2 and later:
219 <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
220 Lookup tables, indexed by the remote SMTP server
221 address, with case insensitive lists of EHLO key-
222 words (pipelining, starttls, auth, etc.) that the
223 Postfix SMTP client will ignore in the EHLO
224 response from a remote SMTP server.
226 <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
227 A case insensitive list of EHLO keywords (pipelin-
228 ing, starttls, auth, etc.) that the Postfix SMTP
229 client will ignore in the EHLO response from a
230 remote SMTP server.
232 <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
233 Optional lookup tables that perform address rewrit-
234 ing in the SMTP client, typically to transform a
235 locally valid address into a globally valid address
236 when sending mail across the Internet.
238 Available in Postfix version 2.2.9 and later:
240 <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
241 Allow DNS CNAME records to override the servername
242 that the Postfix SMTP client uses for logging, SASL
243 password lookup, TLS policy decisions, or TLS cer-
244 tificate verification.
246 Available in Postfix version 2.3 and later:
248 <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
249 Lookup tables, indexed by the remote LMTP server
250 address, with case insensitive lists of LHLO key-
251 words (pipelining, starttls, auth, etc.) that the
252 LMTP client will ignore in the LHLO response from a
253 remote LMTP server.
255 <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
256 A case insensitive list of LHLO keywords (pipelin-
257 ing, starttls, auth, etc.) that the LMTP client
258 will ignore in the LHLO response from a remote LMTP
259 server.
261 Available in Postfix version 2.4.4 and later:
263 <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
264 When authenticating to a remote SMTP or LMTP server
265 with the default setting "no", send no SASL autho-
266 riZation ID (authzid); send only the SASL authenti-
267 Cation ID (authcid) plus the authcid's password.
269 Available in Postfix version 2.5 and later:
271 <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
272 Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix
273 SMTP client.
275 <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
276 Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the
277 Postfix SMTP client.
279 <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
280 Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the
281 Postfix SMTP client.
283 <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
284 Restricted <a href="header_checks.5.html"><b>body_checks</b>(5)</a> tables for the Postfix
285 SMTP client.
287 Available in Postfix version 2.6 and later:
289 <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
290 An optional workaround for routers that break TCP
291 window scaling.
293 Available in Postfix version 2.8 and later:
295 <b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b>
296 DNS Resolver options for the Postfix SMTP client.
298 Available in Postfix version 2.9 and later:
300 <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
301 Change the behavior of the smtp_*_timeout time lim-
302 its, from a time limit per read or write system
303 call, to a time limit to read or write a complete
304 record (an SMTP command line, SMTP response line,
305 SMTP message content line, or TLS protocol mes-
306 sage).
308 <b>MIME PROCESSING CONTROLS</b>
309 Available in Postfix version 2.0 and later:
311 <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
312 Disable the conversion of 8BITMIME format to 7BIT
313 format.
315 <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
316 The maximal length of MIME multipart boundary
317 strings.
319 <b><a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> (100)</b>
320 The maximal recursion level that the MIME processor
321 will handle.
323 <b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
324 Available in Postfix version 2.1 and later:
326 <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
327 Send the non-standard XFORWARD command when the
328 Postfix SMTP server EHLO response announces XFOR-
329 WARD support.
331 <b>SASL AUTHENTICATION CONTROLS</b>
332 <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
333 Enable SASL authentication in the Postfix SMTP
334 client.
336 <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
337 Optional SMTP client lookup tables with one user-
338 name:password entry per remote hostname or domain,
339 or sender address when sender-dependent authentica-
340 tion is enabled.
342 <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
343 Postfix SMTP client SASL security options; as of
344 Postfix 2.3 the list of available features depends
345 on the SASL client implementation that is selected
346 with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
348 Available in Postfix version 2.2 and later:
350 <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
351 If non-empty, a Postfix SMTP client filter for the
352 remote SMTP server's list of offered SASL mecha-
353 nisms.
355 Available in Postfix version 2.3 and later:
357 <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
358 Enable sender-dependent authentication in the Post-
359 fix SMTP client; this is available only with SASL
360 authentication, and disables SMTP connection
361 caching to ensure that mail from different senders
362 will use the appropriate credentials.
364 <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
365 Implementation-specific information that the Post-
366 fix SMTP client passes through to the SASL plug-in
367 implementation that is selected with
368 <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
370 <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
371 The SASL plug-in type that the Postfix SMTP client
372 should use for authentication.
374 Available in Postfix version 2.5 and later:
376 <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
377 An optional table to prevent repeated SASL authen-
378 tication failures with the same remote SMTP server
379 hostname, username and password.
381 <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
382 The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
383 entry before it is removed.
385 <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
386 When a remote SMTP server rejects a SASL authenti-
387 cation request with a 535 reply code, defer mail
388 delivery instead of returning mail as undeliver-
389 able.
391 <b>STARTTLS SUPPORT CONTROLS</b>
392 Detailed information about STARTTLS configuration may be
393 found in the <a href="TLS_README.html">TLS_README</a> document.
395 <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
396 The default SMTP TLS security level for the Postfix
397 SMTP client; when a non-empty value is specified,
398 this overrides the obsolete parameters
399 <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
400 <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
402 <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
403 <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
404 The SASL authentication security options that the
405 Postfix SMTP client uses for TLS encrypted SMTP
406 sessions.
408 <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
409 Time limit for Postfix SMTP client write and read
410 operations during TLS startup and shutdown hand-
411 shake procedures.
413 <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
414 A file containing CA certificates of root CAs
415 trusted to sign either remote SMTP server certifi-
416 cates or intermediate CA certificates.
418 <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
419 Directory with PEM format certificate authority
420 certificates that the Postfix SMTP client uses to
421 verify a remote SMTP server certificate.
423 <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
424 File with the Postfix SMTP client RSA certificate
425 in PEM format.
427 <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
428 The minimum TLS cipher grade that the Postfix SMTP
429 client will use with mandatory TLS encryption.
431 <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
432 List of ciphers or cipher types to exclude from the
433 Postfix SMTP client cipher list at all TLS security
434 levels.
436 <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
437 Additional list of ciphers or cipher types to
438 exclude from the SMTP client cipher list at manda-
439 tory TLS security levels.
441 <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
442 File with the Postfix SMTP client DSA certificate
443 in PEM format.
445 <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
446 File with the Postfix SMTP client DSA private key
447 in PEM format.
449 <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
450 File with the Postfix SMTP client RSA private key
451 in PEM format.
453 <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
454 Enable additional Postfix SMTP client logging of
455 TLS activity.
457 <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
458 Log the hostname of a remote SMTP server that
459 offers STARTTLS, when TLS is not already enabled
460 for that server.
462 <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
463 Optional lookup tables with the Postfix SMTP client
464 TLS security policy by next-hop destination; when a
465 non-empty value is specified, this overrides the
466 obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
468 <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
469 List of SSL/TLS protocols that the Postfix SMTP
470 client will use with mandatory TLS encryption.
472 <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
473 The verification depth for remote SMTP server cer-
474 tificates.
476 <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
477 The server certificate peername verification method
478 for the "secure" TLS security level.
480 <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
481 Name of the file containing the optional Postfix
482 SMTP client TLS session cache.
484 <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
485 The expiration time of Postfix SMTP client TLS ses-
486 sion cache information.
488 <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
489 The server certificate peername verification method
490 for the "verify" TLS security level.
492 <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
493 The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
494 or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
495 server in order to seed its internal pseudo random
496 number generator (PRNG).
498 <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
499 <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
500 The OpenSSL cipherlist for "HIGH" grade ciphers.
502 <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
503 The OpenSSL cipherlist for "MEDIUM" or higher grade
504 ciphers.
506 <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
507 The OpenSSL cipherlist for "LOW" or higher grade
508 ciphers.
510 <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
511 The OpenSSL cipherlist for "EXPORT" or higher grade
512 ciphers.
514 <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
515 The OpenSSL cipherlist for "NULL" grade ciphers
516 that provide authentication without encryption.
518 Available in Postfix version 2.4 and later:
520 <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
521 <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
522 The SASL authentication security options that the
523 Postfix SMTP client uses for TLS encrypted SMTP
524 sessions with a verified server certificate.
526 Available in Postfix version 2.5 and later:
528 <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
529 List of acceptable remote SMTP server certificate
530 fingerprints for the "fingerprint" TLS security
531 level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).
533 <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
534 The message digest algorithm used to construct
535 remote SMTP server certificate fingerprints.
537 Available in Postfix version 2.6 and later:
539 <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
540 List of TLS protocols that the Postfix SMTP client
541 will exclude or include with opportunistic TLS
542 encryption.
544 <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
545 The minimum TLS cipher grade that the Postfix SMTP
546 client will use with opportunistic TLS encryption.
548 <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
549 File with the Postfix SMTP client ECDSA certificate
550 in PEM format.
552 <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
553 File with the Postfix SMTP client ECDSA private key
554 in PEM format.
556 Available in Postfix version 2.7 and later:
558 <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
559 Try to detect a mail hijacking attack based on a
560 TLS protocol vulnerability (CVE-2009-3555), where
561 an attacker prepends malicious HELO, MAIL, RCPT,
562 DATA commands to a Postfix SMTP client TLS session.
564 Available in Postfix version 2.8 and later:
566 <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
567 List or bit-mask of OpenSSL bug work-arounds to
568 disable.
570 <b>OBSOLETE STARTTLS CONTROLS</b>
571 The following configuration parameters exist for compati-
572 bility with Postfix versions before 2.3. Support for these
573 will be removed in a future release.
575 <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
576 Opportunistic mode: use TLS when a remote SMTP
577 server announces STARTTLS support, otherwise send
578 the mail in the clear.
580 <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
581 Enforcement mode: require that remote SMTP servers
582 use TLS encryption, and never send mail in the
583 clear.
585 <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
586 With mandatory TLS encryption, require that the
587 remote SMTP server hostname matches the information
588 in the remote SMTP server certificate.
590 <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
591 Optional lookup tables with the Postfix SMTP client
592 TLS usage policy by next-hop destination and by
593 remote SMTP server hostname.
595 <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
596 Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
597 client TLS cipher list.
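Added example (not Postfix code): a Python audit of main.cf text against the STARTTLS parameters summarized above. It fills in unset parameters with the defaults printed on this page and reports settings that leave mail in the clear or admit SSLv2/SSLv3, weak cipher grades or md5 fingerprints. Assumptions: the function names and sample configurations are constructed, $parameter references are not expanded, and per-destination smtp_tls_policy_maps entries are not evaluated.

```python
import re

# Defaults exactly as printed on this page; other Postfix releases may differ.
PAGE_DEFAULTS = {
    "smtp_tls_security_level": "",
    "smtp_use_tls": "no",
    "smtp_enforce_tls": "no",
    "smtp_tls_mandatory_protocols": "SSLv3, TLSv1",
    "smtp_tls_protocols": "!SSLv2",
    "smtp_tls_mandatory_ciphers": "medium",
    "smtp_tls_ciphers": "export",
    "smtp_tls_fingerprint_digest": "md5",
}
OBSOLETE = ("smtp_use_tls", "smtp_enforce_tls", "smtp_tls_enforce_peername",
            "smtp_tls_per_site", "smtp_tls_cipherlist")
MANDATORY_LEVELS = {"encrypt", "fingerprint", "verify", "secure"}
WEAK_GRADES = {"export", "low", "null"}


def parse_main_cf(text):
    """Return {name: value}: skips comments, joins continuation lines, last wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def protocol_allowed(setting, proto):
    """True if a protocol list (names and !exclusions) still permits proto."""
    tokens = [t.lower() for t in re.split(r"[,:\s]+", setting) if t]
    if "!" + proto.lower() in tokens:
        return False
    included = [t for t in tokens if not t.startswith("!")]
    return proto.lower() in included if included else True


def audit(main_cf_text):
    """Return a list of (parameter, finding) tuples for the SMTP client TLS setup."""
    explicit = parse_main_cf(main_cf_text)
    cfg = dict(PAGE_DEFAULTS, **explicit)
    findings = [(name, "obsolete parameter; use smtp_tls_security_level")
                for name in OBSOLETE if name in explicit]

    level = cfg["smtp_tls_security_level"].lower()
    if not level:
        # An empty level leaves the obsolete controls in charge (approximation).
        if cfg["smtp_enforce_tls"].lower() == "yes":
            level = "encrypt"
        elif cfg["smtp_use_tls"].lower() == "yes":
            level = "may"
        else:
            level = "none"

    if level == "none":
        findings.append(("smtp_tls_security_level",
                         "TLS is off; mail is sent in the clear"))
    elif level == "may":
        findings.append(("smtp_tls_security_level",
                         "opportunistic TLS; cleartext when STARTTLS is not offered"))

    mandatory = level in MANDATORY_LEVELS
    proto_param = "smtp_tls_mandatory_protocols" if mandatory else "smtp_tls_protocols"
    grade_param = "smtp_tls_mandatory_ciphers" if mandatory else "smtp_tls_ciphers"
    if level != "none":
        for proto in ("SSLv2", "SSLv3"):
            if protocol_allowed(cfg[proto_param], proto):
                findings.append((proto_param, proto + " is not excluded"))
        if cfg[grade_param].lower() in WEAK_GRADES:
            findings.append((grade_param,
                             "cipher grade '%s' admits weak ciphers" % cfg[grade_param]))
    if level == "fingerprint" and cfg["smtp_tls_fingerprint_digest"].lower() == "md5":
        findings.append(("smtp_tls_fingerprint_digest",
                         "md5 is a weak digest for certificate pinning"))
    return findings


# Constructed sample configurations (not taken from any real system).
WEAK_SAMPLE = """\
# legacy relay configuration
smtp_use_tls = yes
"""
HARDENED_SAMPLE = """\
smtp_tls_security_level = fingerprint
smtp_tls_mandatory_protocols = !SSLv2,
    !SSLv3
smtp_tls_mandatory_ciphers = high
smtp_tls_fingerprint_digest = sha256
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit(sample))
```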
599 <b>RESOURCE AND RATE CONTROLS</b>
600 <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
601 <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
602 The maximal number of parallel deliveries to the
603 same destination via the smtp message delivery
604 transport.
606 <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
607 <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
608 The maximal number of recipients per message for
609 the smtp message delivery transport.
611 <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
612 The SMTP client time limit for completing a TCP
613 connection, or zero (use the operating system
614 built-in time limit).
616 <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
617 The SMTP client time limit for sending the HELO or
618 EHLO command, and for receiving the initial server
619 response.
621 <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
622 The LMTP client time limit for sending the LHLO
623 command, and for receiving the initial server
624 response.
626 <b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
627 The SMTP client time limit for sending the XFORWARD
628 command, and for receiving the server response.
630 <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
631 The SMTP client time limit for sending the MAIL
632 FROM command, and for receiving the server
633 response.
635 <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
636 The SMTP client time limit for sending the SMTP
637 RCPT TO command, and for receiving the server
638 response.
640 <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
641 The SMTP client time limit for sending the SMTP
642 DATA command, and for receiving the server
643 response.
645 <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
646 The SMTP client time limit for sending the SMTP
647 message content.
649 <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
650 The SMTP client time limit for sending the SMTP
651 ".", and for receiving the server response.
653 <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
654 The SMTP client time limit for sending the QUIT
655 command, and for receiving the server response.
657 Available in Postfix version 2.1 and later:
659 <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
660 The maximal number of MX (mail exchanger) IP
661 addresses that can result from mail exchanger
662 lookups, or zero (no limit).
664 <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
665 The maximal number of SMTP sessions per delivery
666 request before giving up or delivering to a fall-
667 back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
669 <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
670 The SMTP client time limit for sending the RSET
671 command, and for receiving the server response.
673 Available in Postfix version 2.2 and earlier:
675 <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
676 Keep Postfix LMTP client connections open for up to
677 $<a href="postconf.5.html#max_idle">max_idle</a> seconds.
679 Available in Postfix version 2.2 and later:
681 <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
682 Permanently enable SMTP connection caching for the
683 specified destinations.
685 <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
686 Temporarily enable SMTP connection caching while a
687 destination has a high volume of mail in the active
688 queue.
690 <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
691 The amount of time during which Postfix will use an
692 SMTP connection repeatedly.
694 <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
695 When SMTP connection caching is enabled, the amount
696 of time that an unused SMTP client socket is kept
697 open before it is closed.
699 Available in Postfix version 2.3 and later:
701 <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
702 Time limit for connection cache connect, send or
703 receive operations.
705 Available in Postfix version 2.9 and later:
707 <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
708 Change the behavior of the smtp_*_timeout time lim-
709 its, from a time limit per read or write system
710 call, to a time limit to read or write a complete
711 record (an SMTP command line, SMTP response line,
712 SMTP message content line, or TLS protocol mes-
713 sage).
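Added example (not part of the Postfix manual or the Postfix source): a simulated-clock model of the two timeout semantics that smtp_per_record_deadline switches between. It shows how long a peer that sends one byte every 599s can hold a delivery under the 600s smtp_data_done_timeout. The function names and the sample reply are constructed for illustration.

```python
# Simulated-clock model; no sockets, no Postfix code. All names are hypothetical.

DATA_DONE_TIMEOUT = 600            # smtp_data_done_timeout default on this page (s)
REPLY = b"250 2.0.0 Ok\r\n"        # constructed server reply to the final "."


def drip(line, gap):
    """Constructed peer: delivers `line` one byte at a time, `gap` seconds apart."""
    return [(gap, line[i:i + 1]) for i in range(len(line))]


def read_record(arrivals, timeout, per_record_deadline):
    """Read one CRLF-terminated record from a list of (gap_seconds, bytes).

    per_record_deadline=False: `timeout` restarts for every read call.
    per_record_deadline=True:  `timeout` covers the complete record.
    Returns (status, seconds_elapsed, bytes_received).
    """
    elapsed = 0.0
    buf = b""
    for gap, chunk in arrivals:
        # Time this read may still wait before the client gives up.
        budget = timeout - elapsed if per_record_deadline else timeout
        if gap > budget:
            return "timeout", elapsed + budget, buf
        elapsed += gap
        buf += chunk
        if buf.endswith(b"\r\n"):
            return "ok", elapsed, buf
    return "eof", elapsed, buf


def compare(line=REPLY, gap=599, timeout=DATA_DONE_TIMEOUT):
    """Run the same slow peer under both semantics."""
    return {
        "per_call": read_record(drip(line, gap), timeout, False),
        "per_record": read_record(drip(line, gap), timeout, True),
    }


if __name__ == "__main__":
    for mode, (status, secs, got) in compare().items():
        print(f"{mode:10s} status={status:7s} held={secs:7.0f}s received={got!r}")
```

Under the per-call semantics each byte arrives just inside the limit, so the nominal 600s timeout never fires and the session stays occupied for the whole drip; with the per-record deadline the same peer is cut off at 600s.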
715 <b>TROUBLE SHOOTING CONTROLS</b>
716 <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
717 The increment in verbose logging level when a
718 remote client or server matches a pattern in the
719 <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
721 <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
722 Optional list of remote client or server hostname
723 or network address patterns that cause the verbose
724 logging level to increase by the amount specified
725 in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
727 <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
728 The recipient of postmaster notifications about
729 mail delivery problems that are caused by policy,
730 resource, software or protocol errors.
732 <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
733 What categories of Postfix-generated mail are sub-
734 ject to before-queue content inspection by
735 <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
737 <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
738 The list of error classes that are reported to the
739 postmaster.
741 <b>MISCELLANEOUS CONTROLS</b>
742 <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
743 Where the Postfix SMTP client should deliver mail
744 when it detects a "mail loops back to myself" error
745 condition.
747 <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
748 The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
749 <a href="master.5.html">master.cf</a> configuration files.
751 <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
752 How much time a Postfix daemon process may take to
753 handle a request before it is terminated by a
754 built-in watchdog timer.
756 <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
757 The maximal number of digits after the decimal
758 point when logging sub-second delay values.
760 <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
761 Disable DNS lookups in the Postfix SMTP and LMTP
762 clients.
764 <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
765 The network interface addresses that this mail sys-
766 tem receives mail on.
768 <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
769 The Internet protocols Postfix will attempt to use
770 when making or accepting connections.
772 <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
773 The time limit for sending or receiving information
774 over an internal communication channel.
776 <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
777 When an LMTP server announces no DSN support,
778 assume that the server performs final delivery, and
779 send "delivered" delivery status notifications
780 instead of "relayed".
782 <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
783 The default TCP port that the Postfix LMTP client
784 connects to.
786 <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
787 The maximum amount of time that an idle Postfix
788 daemon process waits for an incoming connection
789 before terminating voluntarily.
791 <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
792 The maximal number of incoming connections that a
793 Postfix daemon process will service before termi-
794 nating voluntarily.
796 <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
797 The process ID of a Postfix command or daemon
798 process.
800 <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
801 The process name of a Postfix command or daemon
802 process.
804 <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
805 The network interface addresses that this mail sys-
806 tem receives mail on by way of a proxy or network
807 address translation unit.
809 <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (ipv6)</b>
810 The address type ("ipv6", "ipv4" or "any") that the
811 Postfix SMTP client will try first, when a destina-
812 tion has IPv6 and IPv4 addresses with equal MX
813 preference.
815 <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
816 An optional numerical network address that the
817 Postfix SMTP client should bind to when making an
818 IPv4 connection.
820 <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
821 An optional numerical network address that the
822 Postfix SMTP client should bind to when making an
823 IPv6 connection.
825 <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
826 The hostname to send in the SMTP EHLO or HELO com-
827 mand.
829 <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
830 The hostname to send in the LMTP LHLO command.
832 <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
833 What mechanisms the Postfix SMTP client uses to
834 look up a host's IP address.
836 <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
837 Randomize the order of equal-preference MX host
838 addresses.
840 <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
841 The syslog facility of Postfix logging.
843 <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
844 The mail system name that is prepended to the
845 process name in syslog records, so that "smtpd"
846 becomes, for example, "postfix/smtpd".
848 Available with Postfix 2.2 and earlier:
850 <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
851 Optional list of relay hosts for SMTP destinations
852 that can't be found or that are unreachable.
854 Available with Postfix 2.3 and later:
856 <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
857 Optional list of relay hosts for SMTP destinations
858 that can't be found or that are unreachable.
860 <b>SEE ALSO</b>
861 <a href="generic.5.html">generic(5)</a>, output address rewriting
862 <a href="header_checks.5.html">header_checks(5)</a>, message header content inspection
863 <a href="header_checks.5.html">body_checks(5)</a>, body parts content inspection
864 <a href="qmgr.8.html">qmgr(8)</a>, queue manager
865 <a href="bounce.8.html">bounce(8)</a>, delivery status reports
866 <a href="scache.8.html">scache(8)</a>, connection cache server
867 <a href="postconf.5.html">postconf(5)</a>, configuration parameters
868 <a href="master.5.html">master(5)</a>, generic daemon options
869 <a href="master.8.html">master(8)</a>, process manager
870 <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
871 syslogd(8), system logging
873 <b>README FILES</b>
874 <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
875 <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
877 <b>LICENSE</b>
878 The Secure Mailer license must be distributed with this
879 software.
881 <b>AUTHOR(S)</b>
882 Wietse Venema
883 IBM T.J. Watson Research
884 P.O. Box 704
885 Yorktown Heights, NY 10598, USA
887 Command pipelining in cooperation with:
888 Jon Ribbens
889 Oaktree Internet Solutions Ltd.,
890 Internet House,
891 Canal Basin,
892 Coventry,
893 CV1 4LY, United Kingdom.
895 SASL support originally by:
896 Till Franke
897 SuSE Rhein/Main AG
898 65760 Eschborn, Germany
900 TLS support originally by:
901 Lutz Jaenicke
902 BTU Cottbus
903 Allgemeine Elektrotechnik
904 Universitaetsplatz 3-4
905 D-03044 Cottbus, Germany
907 Revised TLS and SMTP connection cache support by:
908 Victor Duchovni
909 Morgan Stanley
911 SMTP(8)
912 </pre> </body> </html>