<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - smtpd(8) </title>
</head> <body> <pre>
SMTPD(8) SMTPD(8)

<b>NAME</b>
smtpd - Postfix SMTP server

<b>SYNOPSIS</b>
<b>smtpd</b> [generic Postfix daemon options]

<b>sendmail -bs</b>

<b>DESCRIPTION</b>
The SMTP server accepts network connection requests and
performs zero or more SMTP transactions per connection.
Each received message is piped through the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> dae-
mon, and is placed into the <a href="QSHAPE_README.html#incoming_queue"><b>incoming</b> queue</a> as one single
queue file. For this mode of operation, the program
expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.

Alternatively, the SMTP server can be run in stand-alone
mode; this is traditionally obtained with "<b>sendmail -bs</b>".
When the SMTP server runs stand-alone with non $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b>
privileges, it receives mail even while the mail system is
not running, deposits messages directly into the <b>maildrop</b>
queue, and disables the SMTP server's access policies. As
of Postfix version 2.3, the SMTP server refuses to receive
mail from the network when it runs with non $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b>
privileges.

The SMTP server implements a variety of policies for con-
nection requests, and for parameters given to <b>HELO, ETRN,</b>
<b>MAIL FROM, VRFY</b> and <b>RCPT TO</b> commands. They are detailed
below and in the <a href="postconf.5.html"><b>main.cf</b></a> configuration file.

<b>SECURITY</b>
The SMTP server is moderately security-sensitive. It talks
to SMTP clients and to DNS servers on the network. The
SMTP server can be run chrooted at fixed low privilege.

<b>STANDARDS</b>
<a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
<a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
<a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
<a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
<a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
<a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
<a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
<a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
<a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
<a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
<a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
<a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
<a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
<a href="http://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP Transmission Types)
<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)

<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).

Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
the postmaster is notified of bounces, protocol problems,
policy violations, and of other trouble.

<b>CONFIGURATION PARAMETERS</b>
Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> processes run for only a limited amount of time.
Use the command "<b>postfix reload</b>" to speed up a change.

The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.

<b>COMPATIBILITY CONTROLS</b>
The following parameters work around implementation errors
in other software, and/or allow you to override standards
in order to prevent undesirable use.

<b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
Enable inter-operability with SMTP clients that
implement an obsolete version of the AUTH command
(<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).

<b><a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> (no)</b>
Disable the SMTP VRFY command.

<b><a href="postconf.5.html#smtpd_noop_commands">smtpd_noop_commands</a> (empty)</b>
List of commands that the Postfix SMTP server
replies to with "250 Ok", without doing any syntax
checks and without changing state.

<b><a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> (no)</b>
Require that addresses received in SMTP MAIL FROM
and RCPT TO commands are enclosed with &lt;&gt;, and that
those addresses do not contain <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> style com-
ments or phrases.

Available in Postfix version 2.1 and later:

<b><a href="postconf.5.html#resolve_null_domain">resolve_null_domain</a> (no)</b>
Resolve an address that ends in the "@" null domain
as if the local hostname were specified, instead of
rejecting the address as invalid.

<b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
Request that the Postfix SMTP server rejects mail
from unknown sender addresses, even when no
explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
is specified.

<b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
What remote SMTP clients the Postfix SMTP server
will not offer AUTH support to.

Available in Postfix version 2.2 and later:

<b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> (empty)</b>
Lookup tables, indexed by the remote SMTP client
address, with case insensitive lists of EHLO key-
words (pipelining, starttls, auth, etc.) that the
SMTP server will not send in the EHLO response to a
remote SMTP client.

<b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> (empty)</b>
A case insensitive list of EHLO keywords (pipelin-
ing, starttls, auth, etc.) that the SMTP server
will not send in the EHLO response to a remote SMTP
client.

<b><a href="postconf.5.html#smtpd_delay_open_until_valid_rcpt">smtpd_delay_open_until_valid_rcpt</a> (yes)</b>
Postpone the start of an SMTP mail transaction
until a valid RCPT TO command is received.

Available in Postfix version 2.3 and later:

<b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
Force the Postfix SMTP server to issue a TLS ses-
sion id, even when TLS session caching is turned
off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).

Available in Postfix version 2.6 and later:

<b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
An optional workaround for routers that break TCP
window scaling.

Available in Postfix version 2.7 and later:

<b><a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> (empty)</b>
A mechanism to transform commands from remote SMTP
clients.

Available in Postfix version 2.9 and later:

<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time
limit, from a time limit per read or write system
call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).

<b>ADDRESS REWRITING CONTROLS</b>
See the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed
discussion of Postfix address rewriting.

<b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
Enable or disable recipient validation, built-in
content filtering, or address mapping.

Available in Postfix version 2.2 and later:

<b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b>
Rewrite message header addresses in mail from these
clients and update incomplete addresses with the
domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a>; either don't
rewrite message headers from other clients at all,
or rewrite message headers and update incomplete
addresses with the domain specified in the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter.

<b>AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
As of version 1.0, Postfix can be configured to send new
mail to an external content filter AFTER the mail is
queued. This content filter is expected to inject mail
back into a (Postfix or other) MTA for further delivery.
See the <a href="FILTER_README.html">FILTER_README</a> document for details.

<b><a href="postconf.5.html#content_filter">content_filter</a> (empty)</b>
After the message is queued, send the entire mes-
sage to the specified <i>transport:destination</i>.

<b>BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
As of version 2.1, the Postfix SMTP server can be config-
ured to send incoming mail to a real-time SMTP-based con-
tent filter BEFORE mail is queued. This content filter is
expected to inject mail back into Postfix. See the
<a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document for details on how to config-
ure and operate this feature.

<b><a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> (empty)</b>
The hostname and TCP port of the mail filtering
proxy server.

<b><a href="postconf.5.html#smtpd_proxy_ehlo">smtpd_proxy_ehlo</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
How the Postfix SMTP server announces itself to the
proxy filter.

<b><a href="postconf.5.html#smtpd_proxy_options">smtpd_proxy_options</a> (empty)</b>
List of options that control how the Postfix SMTP
server communicates with a before-queue content
filter.

<b><a href="postconf.5.html#smtpd_proxy_timeout">smtpd_proxy_timeout</a> (100s)</b>
The time limit for connecting to a proxy filter and
for sending or receiving information.

<b>BEFORE QUEUE MILTER CONTROLS</b>
As of version 2.3, Postfix supports the Sendmail version 8
Milter (mail filter) protocol. These content filters run
outside Postfix. They can inspect the SMTP command stream
and the message content, and can request modifications
before mail is queued. For details see the <a href="MILTER_README.html">MILTER_README</a>
document.

<b><a href="postconf.5.html#smtpd_milters">smtpd_milters</a> (empty)</b>
A list of Milter (mail filter) applications for new
mail that arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server.

<b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b>
The mail filter protocol version and optional pro-
tocol extensions for communication with a Milter
application; prior to Postfix 2.6 the default pro-
tocol is 2.

<b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b>
The default action when a Milter (mail filter)
application is unavailable or mis-configured.

<b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The {daemon_name} macro value for Milter (mail fil-
ter) applications.

<b><a href="postconf.5.html#milter_macro_v">milter_macro_v</a> ($<a href="postconf.5.html#mail_name">mail_name</a> $<a href="postconf.5.html#mail_version">mail_version</a>)</b>
The {v} macro value for Milter (mail filter) appli-
cations.

<b><a href="postconf.5.html#milter_connect_timeout">milter_connect_timeout</a> (30s)</b>
The time limit for connecting to a Milter (mail
filter) application, and for negotiating protocol
options.

<b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b>
The time limit for sending an SMTP command to a
Milter (mail filter) application, and for receiving
the response.

<b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b>
The time limit for sending message content to a
Milter (mail filter) application, and for receiving
the response.

<b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter)
applications after completion of an SMTP connec-
tion.

<b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter)
applications after the SMTP HELO or EHLO command.

<b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter)
applications after the SMTP MAIL FROM command.

<b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter)
applications after the SMTP RCPT TO command.

<b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to version 4 or higher
Milter (mail filter) applications after the SMTP
DATA command.

<b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to version 3 or higher
Milter (mail filter) applications after an unknown
SMTP command.

<b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter)
applications after the end of the message header.

<b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter)
applications after the message end-of-data.

<b>GENERAL CONTENT INSPECTION CONTROLS</b>
The following parameters are applicable for both built-in
and external content filters.

Available in Postfix version 2.1 and later:

<b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
Enable or disable recipient validation, built-in
content filtering, or address mapping.

<b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
The following parameters are applicable for both before-
queue and after-queue content filtering.

Available in Postfix version 2.1 and later:

<b><a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> (empty)</b>
What SMTP clients are allowed to use the XFORWARD
feature.

<b>SASL AUTHENTICATION CONTROLS</b>
Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenti-
cate remote SMTP clients to the Postfix SMTP server, and
to authenticate the Postfix SMTP client to a remote SMTP
server. See the <a href="SASL_README.html">SASL_README</a> document for details.

<b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
Enable inter-operability with SMTP clients that
implement an obsolete version of the AUTH command
(<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).

<b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b>
Enable SASL authentication in the Postfix SMTP
server.

<b><a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> (empty)</b>
The name of the Postfix SMTP server's local SASL
authentication realm.

<b><a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> (noanonymous)</b>
Postfix SMTP server SASL security options; as of
Postfix 2.3 the list of available features depends
on the SASL server implementation that is selected
with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.

<b><a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> (empty)</b>
Optional lookup table with the SASL login names
that own sender (MAIL FROM) addresses.

Available in Postfix version 2.1 and later:

<b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
What remote SMTP clients the Postfix SMTP server
will not offer AUTH support to.

Available in Postfix version 2.1 and 2.2:

<b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b>
The application name that the Postfix SMTP server
uses for SASL server initialization.

Available in Postfix version 2.3 and later:

<b><a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> (no)</b>
Report the SASL authenticated user name in the
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> Received message header.

<b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> (smtpd)</b>
Implementation-specific information that the Post-
fix SMTP server passes through to the SASL plug-in
implementation that is selected with
<b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.

<b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a> (cyrus)</b>
The SASL plug-in type that the Postfix SMTP server
should use for authentication.

Available in Postfix version 2.5 and later:

<b><a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a> (empty)</b>
Search path for Cyrus SASL application configura-
tion files, currently used only to locate the
$<a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.conf file.

<b>STARTTLS SUPPORT CONTROLS</b>
Detailed information about STARTTLS configuration may be
found in the <a href="TLS_README.html">TLS_README</a> document.

<b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
The SMTP TLS security level for the Postfix SMTP
server; when a non-empty value is specified, this
overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.

<b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b>
The SASL authentication security options that the
Postfix SMTP server uses for TLS encrypted SMTP
sessions.

<b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (see 'postconf -d' output)</b>
The time limit for Postfix SMTP server write and
read operations during TLS startup and shutdown
handshake procedures.

<b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
A file containing (PEM format) CA certificates of
root CAs trusted to sign either remote SMTP client
certificates or intermediate CA certificates.

<b><a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> (empty)</b>
A directory containing (PEM format) CA certificates
of root CAs trusted to sign either remote SMTP
client certificates or intermediate CA certifi-
cates.

<b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
Force the Postfix SMTP server to issue a TLS ses-
sion id, even when TLS session caching is turned
off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).

<b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
Ask a remote SMTP client for a client certificate.

<b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
When TLS encryption is optional in the Postfix SMTP
server, do not announce or accept SASL authentica-
tion over unencrypted connections.

<b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (9)</b>
The verification depth for remote SMTP client cer-
tificates.

<b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
File with the Postfix SMTP server RSA certificate
in PEM format.

<b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b>
List of ciphers or cipher types to exclude from the
SMTP server cipher list at all TLS security levels.

<b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
File with the Postfix SMTP server DSA certificate
in PEM format.

<b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.

<b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.

<b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
File with the Postfix SMTP server DSA private key
in PEM format.

<b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
File with the Postfix SMTP server RSA private key
in PEM format.

<b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
Enable additional Postfix SMTP server logging of
TLS activity.

<b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP
server will use with mandatory TLS encryption.

<b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b>
Additional list of ciphers or cipher types to
exclude from the SMTP server cipher list at manda-
tory TLS security levels.

<b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
The SSL/TLS protocols accepted by the Postfix SMTP
server with mandatory TLS encryption.

<b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
Request that the Postfix SMTP server produces
Received: message headers that include information
about the protocol and cipher used, as well as the
client CommonName and client certificate issuer
CommonName.

<b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
With mandatory TLS encryption, require a trusted
remote SMTP client certificate in order to allow
TLS connections to proceed.

<b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
Name of the file containing the optional Postfix
SMTP server TLS session cache.

<b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
The expiration time of Postfix SMTP server TLS ses-
sion cache information.

<b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b>
Run the Postfix SMTP server in the non-standard
"wrapper" mode, instead of using the STARTTLS com-
mand.

<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
server in order to seed its internal pseudo random
number generator (PRNG).

<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
<b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "HIGH" grade ciphers.

<b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "MEDIUM" or higher grade
ciphers.

<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "LOW" or higher grade
ciphers.

<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "EXPORT" or higher grade
ciphers.

<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
The OpenSSL cipherlist for "NULL" grade ciphers
that provide authentication without encryption.

Available in Postfix version 2.5 and later:

<b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (md5)</b>
The message digest algorithm used to construct
client-certificate fingerprints for
<b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b> and <b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a></b>.

Available in Postfix version 2.6 and later:

<b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
List of TLS protocols that the Postfix SMTP server
will exclude or include with opportunistic TLS
encryption.

<b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b>
The minimum TLS cipher grade that the Postfix SMTP
server will use with opportunistic TLS encryption.

<b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b>
File with the Postfix SMTP server ECDSA certificate
in PEM format.

<b><a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
File with the Postfix SMTP server ECDSA private key
in PEM format.

<b><a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> (see 'postconf -d' output)</b>
The Postfix SMTP server security grade for
ephemeral elliptic-curve Diffie-Hellman (EECDH) key
exchange.

<b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b>
The elliptic curve used by the SMTP server for sen-
sibly strong ephemeral ECDH key exchange.

<b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b>
The elliptic curve used by the SMTP server for max-
imally strong ephemeral ECDH key exchange.

Available in Postfix version 2.8 and later:

<b><a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> (no)</b>
With SSLv3 and later, use the server's cipher pref-
erence order instead of the client's cipher prefer-
ence order.

<b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
List or bit-mask of OpenSSL bug work-arounds to
disable.

<b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these
will be removed in a future release.

<b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
Opportunistic TLS: announce STARTTLS support to
SMTP clients, but do not require that clients use
TLS encryption.

<b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
Mandatory TLS: announce STARTTLS support to SMTP
clients, and require that clients use TLS encryp-
tion.

<b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
server TLS cipher list.
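An added example (not part of this manual page or of the Postfix distribution): a Python audit that reads `postconf -n`-style settings and reports where the SASL and STARTTLS parameters summarized above leave weak cipher grades, SSLv2/SSLv3, md5 client-certificate fingerprints, cleartext AUTH, or obsolete controls in effect. The defaults table copies the values printed in parentheses on this page; the security-level values none/may/encrypt and the `!protocol` exclusion syntax come from postconf(5) rather than from this page, and both sample configurations are constructed.

```python
"""Audit postconf-style settings against the smtpd(8) TLS and SASL summaries."""
import re

# Defaults exactly as printed in parentheses on this manual page.
PAGE_DEFAULTS = {
    "smtpd_tls_security_level": "",
    "smtpd_tls_ciphers": "export",
    "smtpd_tls_mandatory_ciphers": "medium",
    "smtpd_tls_protocols": "",
    "smtpd_tls_mandatory_protocols": "SSLv3, TLSv1",
    "smtpd_tls_fingerprint_digest": "md5",
    "smtpd_tls_auth_only": "no",
    "smtpd_sasl_auth_enable": "no",
}
OBSOLETE = ("smtpd_use_tls", "smtpd_enforce_tls", "smtpd_tls_cipherlist")
WEAK_GRADES = {"export", "low", "null"}
LEGACY_PROTOCOLS = {"sslv2", "sslv3"}

# Constructed sample inputs (not taken from a real host).
WEAK_SAMPLE = """\
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_tls_clientcerts, reject_unauth_destination
"""
HARDENED_SAMPLE = """\
smtpd_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
"""


def parse_settings(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    settings, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            settings[last] = (settings[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            settings[last] = value.strip()
    return settings


def effective(settings, name):
    """Explicit value if set, otherwise the default listed on this page."""
    return settings.get(name, PAGE_DEFAULTS.get(name, ""))


def tls_level(settings):
    """A non-empty smtpd_tls_security_level overrides the obsolete switches."""
    level = effective(settings, "smtpd_tls_security_level")
    if level:
        return level
    if settings.get("smtpd_enforce_tls") == "yes":
        return "encrypt"
    if settings.get("smtpd_use_tls") == "yes":
        return "may"
    return "none"


def legacy_protocols(value):
    """Return the SSLv2/SSLv3 names that a protocol list leaves enabled."""
    tokens = [t.lower() for t in re.split(r"[,:\s]+", value) if t]
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    enabled = include if include else LEGACY_PROTOCOLS
    return sorted((enabled & LEGACY_PROTOCOLS) - exclude)


def audit(settings):
    """Return (parameter, reason) findings in a fixed, documented order."""
    findings = []
    level = tls_level(settings)
    for name in OBSOLETE:
        if name in settings:
            findings.append((name, "obsolete control from Postfix before 2.3"))
    if level == "none":
        findings.append(("smtpd_tls_security_level", "STARTTLS is not offered"))
    for name in ("smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers"):
        grade = effective(settings, name).lower()
        if grade in WEAK_GRADES:
            findings.append((name, f"cipher grade '{grade}' admits weak ciphers"))
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        old = legacy_protocols(effective(settings, name))
        if old:
            findings.append((name, "does not exclude " + ", ".join(old)))
    uses_ccert = any("check_ccert_access" in v or "permit_tls_clientcerts" in v
                     for v in settings.values())
    digest = effective(settings, "smtpd_tls_fingerprint_digest").lower()
    if uses_ccert and digest == "md5":
        findings.append(("smtpd_tls_fingerprint_digest",
                         "md5 fingerprints gate client-certificate access"))
    if (effective(settings, "smtpd_sasl_auth_enable") == "yes"
            and effective(settings, "smtpd_tls_auth_only") != "yes"
            and level != "encrypt"):
        findings.append(("smtpd_tls_auth_only",
                         "AUTH is announced on unencrypted connections"))
    return findings


if __name__ == "__main__":
    for param, reason in audit(parse_settings(WEAK_SAMPLE)):
        print(f"{param}: {reason}")
```

On a live system, feed it the output of `postconf -n`; parameters that are absent from that output are evaluated at the defaults listed on this page, which may differ from the defaults of the installed Postfix version.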

<b>VERP SUPPORT CONTROLS</b>
With VERP style delivery, each recipient of a message
receives a customized copy of the message with his/her own
recipient address encoded in the envelope sender address.
The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
details of Postfix support for variable envelope return
path addresses. VERP style delivery is requested with the
SMTP XVERP command or with the "sendmail -V" command-line
option and is available in Postfix version 1.1 and later.

<b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
The two default VERP delimiter characters.

<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
The characters Postfix accepts as VERP delimiter
characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.

Available in Postfix version 1.1 and 2.0:

<b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
What SMTP clients are allowed to specify the XVERP
command.

Available in Postfix version 2.1 and later:

<b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
What SMTP clients are allowed to specify the XVERP
command.

<b>TROUBLE SHOOTING CONTROLS</b>
The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
the Postfix mail system. The methods vary from making the
software log a lot of detail, to running some daemon pro-
cesses under control of a call tracer or debugger.

<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a
remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.

<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname
or network address patterns that cause the verbose
logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.

<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about
mail delivery problems that are caused by policy,
resource, software or protocol errors.

<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
What categories of Postfix-generated mail are sub-
ject to before-queue content inspection by
<a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.

<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
The list of error classes that are reported to the
postmaster.

<b><a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> (empty)</b>
Optional information that is appended after each
SMTP server 4XX or 5XX response.

<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
Safety net to keep mail queued that would otherwise
be returned to the sender.

Available in Postfix version 2.1 and later:

<b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
What SMTP clients are allowed to use the XCLIENT
feature.

<b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
As of Postfix version 2.0, the SMTP server rejects mail
for unknown recipients. This prevents the mail queue from
clogging up with undeliverable MAILER-DAEMON messages.
Additional information on this topic is in the
<a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.

<b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
Display the name of the recipient table in the
"User unknown" responses.

<b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
Optional address mapping lookup tables for message
headers and envelopes.

<b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
Optional address mapping lookup tables for envelope
and header recipient addresses.

Parameters concerning known/unknown local recipients:
695 <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, local-</b>
696 <b>host)</b>
697 The list of domains that are delivered via the
698 $<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.
700 <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
701 The network interface addresses that this mail sys-
702 tem receives mail on.
704 <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
705 The network interface addresses that this mail sys-
706 tem receives mail on by way of a proxy or network
707 address translation unit.
709 <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
710 The Internet protocols Postfix will attempt to use
711 when making or accepting connections.
713 <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
714 <b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
715 Lookup tables with all names or addresses of local
716 recipients: a recipient address is local when its
717 domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
718 $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
720 <b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
721 The numerical Postfix SMTP server response code
722 when a recipient address is local, and
723 $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
724 tables that does not match the recipient.
726 Parameters concerning known/unknown recipients of relay
727 destinations:
729 <b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
730 What destination domains (and subdomains thereof)
731 this system will relay mail to.
733 <b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
734 Optional lookup tables with all valid addresses in
735 the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.
737 <b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
738 The numerical Postfix SMTP server reply code when a
739 recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
740 <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
741 tables that does not match the recipient address.
743 Parameters concerning known/unknown recipients in virtual
744 alias domains:
746 <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
747 Postfix is the final destination for the specified list
748 of virtual alias domains, that is, domains for
749 which all addresses are aliased to addresses in
750 other local or remote domains.
752 <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
753 Optional lookup tables that alias specific mail
754 addresses or domains to other local or remote
755 addresses.
757 <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
758 The SMTP server reply code when a recipient address
759 matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
760 <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
761 that does not match the recipient address.
763 Parameters concerning known/unknown recipients in virtual
764 mailbox domains:
766 <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
767 Postfix is the final destination for the specified list
768 of domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
769 <a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport.
771 <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
772 Optional lookup tables with all valid addresses in
773 the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
775 <b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
776 The SMTP server reply code when a recipient address
777 matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
778 <a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables
779 that does not match the recipient address.
781 <b>RESOURCE AND RATE CONTROLS</b>
782 The following parameters limit resource usage by the SMTP
783 server and/or control client request rates.
785 <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
786 Upon input, long lines are chopped up into pieces
787 of at most this length; upon delivery, long lines
788 are reconstructed.
790 <b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
791 The minimal amount of free space in bytes in the
792 queue file system that is needed to receive mail.
794 <b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
795 The maximal size in bytes of a message, including
796 envelope information.
798 <b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
799 The maximal number of recipients that the Postfix
800 SMTP server accepts per message delivery request.
802 <b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (normal: 300s, overload: 10s)</b>
803 The time limit for sending a Postfix SMTP server
804 response and for receiving a remote SMTP client
805 request.
807 <b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
808 The maximal number of lines in the Postfix SMTP
809 server command history before it is flushed upon
810 receipt of EHLO, RSET, or end of DATA.
812 Available in Postfix version 2.3 and later:
814 <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
815 Attempt to look up the remote SMTP client hostname,
816 and verify that the name matches the client IP
817 address.
819 The per SMTP client connection count and request rate lim-
820 its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
821 vice, and are available in Postfix version 2.2 and later.
823 <b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
824 How many simultaneous connections any client is
825 allowed to make to this service.
827 <b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
828 The maximal number of connection attempts any
829 client is allowed to make to this service per time
830 unit.
832 <b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
833 The maximal number of message delivery requests
834 that any client is allowed to make to this service
835 per time unit, regardless of whether or not Postfix
836 actually accepts those messages.
838 <b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
839 The maximal number of recipient addresses that any
840 client is allowed to send to this service per time
841 unit, regardless of whether or not Postfix actually
842 accepts those recipients.
844 <b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
845 Clients that are excluded from
846 smtpd_client_*_count/rate_limit restrictions.
848 Available in Postfix version 2.3 and later:
850 <b><a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (0)</b>
851 The maximal number of new (i.e., uncached) TLS ses-
852 sions that a remote SMTP client is allowed to nego-
853 tiate with this service per time unit.
855 Available in Postfix version 2.9 and later:
857 <b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
858 Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time
859 limit, from a time limit per read or write system
860 call, to a time limit to read or write a complete
861 record (an SMTP command line, SMTP response line,
862 SMTP message content line, or TLS protocol mes-
863 sage).
865 <b>TARPIT CONTROLS</b>
866 When a remote SMTP client makes errors, the Postfix SMTP
867 server can insert delays before responding. This can help
868 to slow down run-away software. The behavior is con-
869 trolled by an error counter that counts the number of
870 errors within an SMTP session that a client makes without
871 delivering mail.
873 <b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
874 With Postfix version 2.1 and later: the SMTP server
875 response delay after a client has made more than
876 $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
877 $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
878 mail.
880 <b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
881 The number of errors a remote SMTP client is
882 allowed to make without delivering mail before the
883 Postfix SMTP server slows down all its responses.
885 <b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (normal: 20, overload: 1)</b>
886 The maximal number of errors a remote SMTP client
887 is allowed to make without delivering mail.
889 <b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (normal: 100, overload: 1)</b>
890 The number of junk commands (NOOP, VRFY, ETRN or
891 RSET) that a remote SMTP client can send before the
892 Postfix SMTP server starts to increment the error
893 counter with each junk command.
895 Available in Postfix version 2.1 and later:
897 <b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
898 The number of recipients that a remote SMTP client
899 can send in excess of the limit specified with
900 $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, before the Postfix SMTP
901 server increments the per-session error count for
902 each excess recipient.
904 <b>ACCESS POLICY DELEGATION CONTROLS</b>
905 As of version 2.1, Postfix can be configured to delegate
906 access policy decisions to an external server that runs
907 outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
908 more information.
910 <b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
911 The time after which an idle SMTPD policy service
912 connection is closed.
914 <b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
915 The time after which an active SMTPD policy service
916 connection is closed.
918 <b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
919 The time limit for connecting to, writing to or
920 receiving from a delegated SMTPD policy server.
922 <b>ACCESS CONTROLS</b>
923 The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
924 all the SMTP server access control features.
926 <b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
927 Wait until the RCPT TO command before evaluating
928 $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $smtpd_helo_restric-
929 tions and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until
930 the ETRN command before evaluating
931 $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $smtpd_helo_restric-
932 tions.
934 <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
935 <b>put)</b>
936 What Postfix features match subdomains of
937 "domain.tld" automatically, instead of requiring an
938 explicit ".domain.tld" pattern.
940 <b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
941 Optional SMTP server access restrictions in the
942 context of a client SMTP connection request.
944 <b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
945 Require that a remote SMTP client introduces itself
946 with the HELO or EHLO command before sending the
947 MAIL command or other commands that require EHLO
948 negotiation.
950 <b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
951 Optional restrictions that the Postfix SMTP server
952 applies in the context of the SMTP HELO command.
954 <b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
955 Optional restrictions that the Postfix SMTP server
956 applies in the context of the MAIL FROM command.
958 <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
959 <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
960 The access restrictions that the Postfix SMTP
961 server applies in the context of the RCPT TO com-
962 mand.
964 <b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
965 Optional SMTP server access restrictions in the
966 context of a client ETRN request.
968 <b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
969 Forward mail with sender-specified routing
970 (user[@%!]remote[@%!]site) from untrusted clients
971 to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
973 <b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
974 User-defined aliases for groups of access restric-
975 tions.
977 <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b>&lt;&gt;<b>)</b>
978 The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
979 instead of the null sender address.
981 <b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
982 Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP
983 access feature to only domains whose primary MX
984 hosts match the listed networks.
986 Available in Postfix version 2.0 and later:
988 <b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
989 Optional access restrictions that the Postfix SMTP
990 server applies in the context of the SMTP DATA com-
991 mand.
993 <b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
994 What characters are allowed in $name expansions of
995 RBL reply templates.
997 Available in Postfix version 2.1 and later:
999 <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
1000 Request that the Postfix SMTP server rejects mail
1001 from unknown sender addresses, even when no
1002 explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
1003 is specified.
1005 <b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
1006 Request that the Postfix SMTP server rejects mail
1007 for unknown recipient addresses, even when no
1008 explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
1009 tion is specified.
1011 Available in Postfix version 2.2 and later:
1013 <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
1014 Optional access restrictions that the Postfix SMTP
1015 server applies in the context of the SMTP END-OF-
1016 DATA command.
1018 <b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
1019 Postfix version 2.1 introduces sender and recipient
1020 address verification. This feature is implemented by
1021 sending probe email messages that are not actually deliv-
1022 ered. This feature is requested via the reject_unveri-
1023 fied_sender and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
1024 restrictions. The status of verification probes is main-
1025 tained by the <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VER</a>-
1026 <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure
1027 and operate the Postfix sender/recipient address verifica-
1028 tion service.
1030 <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (normal: 3, overload: 1)</b>
1031 How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
1032 the completion of an address verification request
1033 in progress.
1035 <b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b>
1036 The delay between queries for the completion of an
1037 address verification request in progress.
1039 <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b>
1040 The sender address to use in address verification
1041 probes; prior to Postfix 2.5 the default was "post-
1042 master".
1044 <b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
1045 The numerical Postfix SMTP server response code
1046 when a recipient address is rejected by the
1047 <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
1049 <b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
1050 The numerical Postfix SMTP server response when a
1051 recipient address is rejected by the reject_unveri-
1052 fied_recipient restriction.
1054 Available in Postfix version 2.6 and later:
1056 <b><a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> (450)</b>
1057 The numerical Postfix SMTP server response code
1058 when a sender address probe fails due to a tempo-
1059 rary error condition.
1061 <b><a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> (450)</b>
1062 The numerical Postfix SMTP server response when a
1063 recipient address probe fails due to a temporary
1064 error condition.
1066 <b><a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> (empty)</b>
1067 The Postfix SMTP server's reply when rejecting mail
1068 with <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>.
1070 <b><a href="postconf.5.html#unverified_recipient_reject_reason">unverified_recipient_reject_reason</a> (empty)</b>
1071 The Postfix SMTP server's reply when rejecting mail
1072 with <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>.
1074 <b><a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b>
1075 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b>
1076 The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unver</a>-
1077 <a href="postconf.5.html#reject_unverified_sender">ified_sender</a> fails due to a temporary error condi-
1078 tion.
1080 <b><a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b>
1081 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b>
1082 The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_recipient">reject_unver</a>-
1083 <a href="postconf.5.html#reject_unverified_recipient">ified_recipient</a> fails due to a temporary error con-
1084 dition.
1086 <b>ACCESS CONTROL RESPONSES</b>
1087 The following parameters control numerical SMTP reply
1088 codes and/or text responses.
1090 <b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b>
1091 The numerical Postfix SMTP server response code for
1092 an <a href="access.5.html"><b>access</b>(5)</a> map "reject" action.
1094 <b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
1095 The numerical Postfix SMTP server response code
1096 when a remote SMTP client request is rejected by
1097 the "defer" restriction.
1099 <b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
1100 The numerical Postfix SMTP server response code
1101 when the client HELO or EHLO command parameter is
1102 rejected by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
1103 restriction.
1105 <b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
1106 The numerical Postfix SMTP server response code
1107 when a remote SMTP client request is blocked by the
1108 <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,
1109 <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a>, <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or
1110 <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> restriction.
1112 <b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
1113 The numerical Postfix SMTP server reply code when a
1114 client request is rejected by the
1115 <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
1116 <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a>
1117 restriction.
1119 <b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b>
1120 The numerical Postfix SMTP server response code
1121 when a request is rejected by the <b>reject_plain-</b>
1122 <b>text_session</b> restriction.
1124 <b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
1125 The numerical Postfix SMTP server response code
1126 when a remote SMTP client request is rejected by
1127 the "reject" restriction.
1129 <b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
1130 The numerical Postfix SMTP server response code
1131 when a client request is rejected by the
1132 <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction.
1134 <b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
1135 The numerical Postfix SMTP server response code
1136 when a sender or recipient address is rejected by
1137 the <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
1138 <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> restriction.
1140 <b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
1141 The numerical Postfix SMTP server response code
1142 when a client without valid address &lt;=&gt; name map-
1143 ping is rejected by the reject_unknown_client_host-
1144 name restriction.
1146 <b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
1147 The numerical Postfix SMTP server response code
1148 when the hostname specified with the HELO or EHLO
1149 command is rejected by the
1150 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.
1152 Available in Postfix version 2.0 and later:
1154 <b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
1155 The default SMTP server response template for a
1156 request that is rejected by an RBL-based restric-
1157 tion.
1159 <b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
1160 The numerical Postfix SMTP server response code
1161 when a remote SMTP client request is blocked by the
1162 <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a> restriction.
1164 <b><a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> (empty)</b>
1165 Optional lookup tables with RBL response templates.
1167 Available in Postfix version 2.6 and later:
1169 <b><a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> (450)</b>
1170 The numerical Postfix SMTP server response code for
1171 an <a href="access.5.html"><b>access</b>(5)</a> map "defer" action, including
1172 "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>".
1174 <b><a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a> (<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>)</b>
1175 The Postfix SMTP server's action when a reject-type
1176 restriction fails due to a temporary error condi-
1177 tion.
1179 <b><a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b>
1180 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b>
1181 The Postfix SMTP server's action when
1182 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> fails due to a temporary
1183 error condition.
1185 <b><a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
1186 The Postfix SMTP server's action when
1187 <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
1188 <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> fails due to a temporary
1189 error condition.
1191 <b>MISCELLANEOUS CONTROLS</b>
1192 <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
1193 The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
1194 <a href="master.5.html">master.cf</a> configuration files.
1196 <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
1197 How much time a Postfix daemon process may take to
1198 handle a request before it is terminated by a
1199 built-in watchdog timer.
1201 <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
1202 The location of all Postfix administrative commands.
<b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
The sender address of postmaster notifications that
are generated by the mail system.

<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information
over an internal communication channel.

<b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
The mail system name that is displayed in Received:
headers, in the SMTP greeting banner, and in
bounced mail.

<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
The UNIX system account that owns the Postfix queue
and most Postfix daemon processes.

<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
daemon process waits for an incoming connection
before terminating voluntarily.

<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The maximal number of incoming connections that a
Postfix daemon process will service before
terminating voluntarily.

<b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
The internet hostname of this mail system.

<b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
The list of "trusted" SMTP clients that have more
privileges than "strangers".

<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to
come from, and that locally posted mail is
delivered to.

<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon
process.

<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon
process.

<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
The location of the Postfix top-level queue
directory.

<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
The separator between user names and address
extensions (user+foo).

<b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
The text that follows the 220 status code in the
SMTP greeting banner.

<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.

<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the
process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".

Available in Postfix version 2.2 and later:

<b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
List of commands that cause the Postfix SMTP server
to immediately terminate the session with a 221
code.

Available in Postfix version 2.5 and later:

<b><a href="postconf.5.html#smtpd_client_port_logging">smtpd_client_port_logging</a> (no)</b>
Enable logging of the remote SMTP client port in
addition to the hostname and IP address.
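
An added example, not part of the Postfix documentation: a review script for three of the parameters listed above (mynetworks, smtpd_forbidden_commands, smtpd_client_port_logging). The sample input, the hash: table path and the prefix-length thresholds are constructed assumptions.

```python
import ipaddress

# Constructed "postconf -n" style input (name = value); not from a real host.
SAMPLE = """\
mynetworks = 127.0.0.0/8 [::1]/128 192.168.10.0/24 10.0.0.0/8, 0.0.0.0/0 hash:/etc/postfix/nets
smtpd_forbidden_commands = CONNECT
smtpd_client_port_logging = no
"""

MIN_PREFIX = {4: 16, 6: 48}              # assumed review thresholds, not Postfix limits
HTTP_VERBS = {"CONNECT", "GET", "POST"}  # default list documented above


def parse(text):
    """Turn 'name = value' lines into a dict, skipping comments."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf


def words(value):
    return value.replace(",", " ").split()  # comma- or space-separated list


def audit(conf):
    """Return (parameter, finding) pairs for the three settings reviewed."""
    findings = []
    for item in words(conf.get("mynetworks", "")):
        try:  # IPv6 entries are written inside [] in mynetworks
            net = ipaddress.ip_network(item.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            findings.append(("mynetworks", f"{item}: table or pattern, review by hand"))
            continue
        if not net.is_loopback and MIN_PREFIX[net.version] > net.prefixlen:
            findings.append(("mynetworks", f"{item}: trusts {net.num_addresses} addresses"))
    if "smtpd_forbidden_commands" in conf:  # unset means the default list applies
        missing = HTTP_VERBS - {w.upper() for w in words(conf["smtpd_forbidden_commands"])}
        if missing:
            findings.append(("smtpd_forbidden_commands", "missing from list: " + ", ".join(sorted(missing))))
    if conf.get("smtpd_client_port_logging", "no") != "yes":
        findings.append(("smtpd_client_port_logging", "client port is not logged"))
    return findings


if __name__ == "__main__":
    print(*audit(parse(SAMPLE)), sep="\n")
```

On a live system the same audit() call can be fed the parsed output of 'postconf -n' instead of SAMPLE.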

<b>SEE ALSO</b>
<a href="anvil.8.html">anvil(8)</a>, connection/rate limiting
<a href="cleanup.8.html">cleanup(8)</a>, message canonicalization
<a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, address resolver
<a href="verify.8.html">verify(8)</a>, address verification service
<a href="postconf.5.html">postconf(5)</a>, configuration parameters
<a href="master.5.html">master(5)</a>, generic daemon options
<a href="master.8.html">master(8)</a>, process manager
syslogd(8), system logging

<b>README FILES</b>
<a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a>, blocking unknown hosted or relay recipients
<a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a>, Postfix address manipulation
<a href="FILTER_README.html">FILTER_README</a>, external after-queue content filter
<a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>, blocking unknown local recipients
<a href="MILTER_README.html">MILTER_README</a>, before-queue mail filter applications
<a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, built-in access policies
<a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a>, external policy server
<a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>, external before-queue content filter
<a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
<a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
<a href="VERP_README.html">VERP_README</a>, Postfix XVERP extension
<a href="XCLIENT_README.html">XCLIENT_README</a>, Postfix XCLIENT extension
<a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension

<b>LICENSE</b>
The Secure Mailer license must be distributed with this
software.

<b>AUTHOR(S)</b>
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA

SASL support originally by:
Till Franke
SuSE Rhein/Main AG
65760 Eschborn, Germany

TLS support originally by:
Lutz Jaenicke
BTU Cottbus
Allgemeine Elektrotechnik
Universitaetsplatz 3-4
D-03044 Cottbus, Germany

Revised TLS support by:
Victor Duchovni
Morgan Stanley

SMTPD(8)
</pre> </body> </html>