<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html> <head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<title> Postfix manual - smtp(8) </title>
</head> <body> <pre>
SMTP(8)                                                                SMTP(8)

<b>NAME</b>
       smtp - Postfix SMTP+LMTP client

<b>SYNOPSIS</b>
       <b>smtp</b> [generic Postfix daemon options]

<b>DESCRIPTION</b>
       The Postfix SMTP+LMTP client implements the SMTP and LMTP
       mail delivery protocols. It processes message delivery
       requests from the queue manager. Each request specifies a
       queue file, a sender address, a domain or host to deliver
       to, and recipient information. This program expects to be
       run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.

       The SMTP+LMTP client updates the queue file and marks
       recipients as finished, or it informs the queue manager
       that delivery should be tried again at a later time.
       Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>,
       <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.

       The SMTP+LMTP client looks up a list of mail exchanger
       addresses for the destination host, sorts the list by
       preference, and connects to each listed address until it
       finds a server that responds.

       When a server is not reachable, or when mail delivery
       fails due to a recoverable error condition, the SMTP+LMTP
       client will try to deliver the mail to an alternate host.

       After a successful mail transaction, a connection may be
       saved to the <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it
       may be used by any SMTP+LMTP client for a subsequent
       transaction.

       By default, connection caching is enabled temporarily for
       destinations that have a high volume of mail in the active
       queue.
       Connection caching can be enabled permanently for
       specific destinations.

<b>SMTP DESTINATION SYNTAX</b>
       SMTP destinations have the following form:

       <i>domainname</i>

       <i>domainname</i>:<i>port</i>
              Look up the mail exchangers for the specified
              domain, and connect to the specified port (default:
              <b>smtp</b>).

       [<i>hostname</i>]

       [<i>hostname</i>]:<i>port</i>
              Look up the address(es) of the specified host, and
              connect to the specified port (default: <b>smtp</b>).

       [<i>address</i>]

       [<i>address</i>]:<i>port</i>
              Connect to the host at the specified address, and
              connect to the specified port (default: <b>smtp</b>). An
              IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>].

<b>LMTP DESTINATION SYNTAX</b>
       LMTP destinations have the following form:

       <b>unix</b>:<i>pathname</i>
              Connect to the local UNIX-domain server that is
              bound to the specified <i>pathname</i>. If the process
              runs chrooted, an absolute pathname is interpreted
              relative to the Postfix queue directory.

       <b>inet</b>:<i>hostname</i>

       <b>inet:</b><i>hostname</i>:<i>port</i>

       <b>inet</b>:[<i>address</i>]

       <b>inet</b>:[<i>address</i>]:<i>port</i>
              Connect to the specified TCP port on the specified
              local or remote host. If no port is specified,
              connect to the port defined as <b>lmtp</b> in <b>services</b>(4).
              If no such service is found, the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b>
              configuration parameter (default value of 24) will be
              used. An IPv6 address must be formatted as
              [<b>ipv6</b>:<i>address</i>].

<b>SECURITY</b>
       The SMTP+LMTP client is moderately security-sensitive. It
       talks to SMTP or LMTP servers and to DNS servers on the
       network. The SMTP+LMTP client can be run chrooted at fixed
       low privilege.
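
       Added example (not part of the Postfix distribution): a Python
       parser for the SMTP and LMTP destination forms listed above. It
       reports which lookup each form triggers and, for unix: sockets,
       where the socket must exist on the host when the client runs
       chrooted. Function names, the "lookup" labels, the sample hosts
       and the queue directory path are assumptions made for illustration.

```python
import ipaddress
import posixpath


def _port_suffix(rest, default_port):
    """Parse the optional ':port' that follows a closing ']'."""
    if rest == "":
        return default_port
    if not rest.startswith(":") or rest == ":":
        raise ValueError("malformed port suffix: %r" % rest)
    return rest[1:]


def _parse_tcp(spec, default_port, bare_lookup):
    """Parse name[:port] and [host-or-address][:port].

    The "lookup" field names the lookup the page describes for the form:
    "mx" (mail exchangers), "address" (host addresses), "none" (literal).
    """
    if spec.startswith("["):
        end = spec.find("]")
        if end == -1:
            raise ValueError("missing ']' in %r" % spec)
        inner = spec[1:end]
        port = _port_suffix(spec[end + 1:], default_port)
        if inner.lower().startswith("ipv6:"):
            # [ipv6:address] is the IPv6 form the page requires; matching
            # the prefix case-insensitively is an assumption of this example.
            addr = ipaddress.IPv6Address(inner[5:])
            return {"lookup": "none", "host": str(addr), "port": port}
        try:
            addr = ipaddress.ip_address(inner)
        except ValueError:
            if not inner or ":" in inner:
                raise ValueError("malformed host in %r" % spec)
            # Not an address literal: a hostname, resolved without MX lookup.
            return {"lookup": "address", "host": inner, "port": port}
        if addr.version == 6:
            raise ValueError("IPv6 must be written as [ipv6:address]")
        return {"lookup": "none", "host": str(addr), "port": port}
    host, sep, port = spec.partition(":")
    if not host or (sep and not port) or ":" in port:
        raise ValueError("malformed destination: %r" % spec)
    return {"lookup": bare_lookup, "host": host, "port": port or default_port}


def parse_smtp_destination(dest):
    """Only the unbracketed domainname forms trigger an MX lookup."""
    return dict(_parse_tcp(dest, "smtp", "mx"), proto="smtp")


def parse_lmtp_destination(dest, chrooted=False, queue_directory=None):
    """Parse unix:pathname and the four inet: forms."""
    if dest.startswith("unix:"):
        path = dest[5:]
        if not path:
            raise ValueError("empty pathname")
        host_path = path
        if chrooted and posixpath.isabs(path):
            if queue_directory is None:
                raise ValueError("queue_directory needed when chrooted")
            # Chrooted: an absolute path is relative to the queue directory,
            # so this is where the socket has to exist on the host.
            host_path = posixpath.join(queue_directory, path.lstrip("/"))
        return {"proto": "lmtp", "transport": "unix", "path": path,
                "host_path": host_path}
    if dest.startswith("inet:"):
        # Default port is the "lmtp" service; when services(4) has no such
        # entry the client uses lmtp_tcp_port (default value of 24).
        return dict(_parse_tcp(dest[5:], "lmtp", "address"),
                    proto="lmtp", transport="inet")
    raise ValueError("expected a unix: or inet: destination")


if __name__ == "__main__":
    # Constructed sample destinations (documentation addresses only).
    for d in ("example.com", "example.com:2525", "[mail.example.com]:587",
              "[192.0.2.25]", "[ipv6:2001:db8::25]:2525"):
        print(d, parse_smtp_destination(d))
    print(parse_lmtp_destination("unix:/private/lmtp-sock", chrooted=True,
                                 queue_directory="/var/spool/postfix"))
    print(parse_lmtp_destination("inet:[192.0.2.10]:2424"))
```

       When reviewing a transport or relay setting, the "lookup" value
       shows at a glance whether the next hop is chosen by DNS MX records
       or pinned to one host or address.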

<b>STANDARDS</b>
       <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> (ARPA Internet Text Messages)
       <a href="http://tools.ietf.org/html/rfc1651">RFC 1651</a> (SMTP service extensions)
       <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
       <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
       <a href="http://tools.ietf.org/html/rfc2033">RFC 2033</a> (LMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
       <a href="http://tools.ietf.org/html/rfc2045">RFC 2045</a> (MIME: Format of Internet Message Bodies)
       <a href="http://tools.ietf.org/html/rfc2046">RFC 2046</a> (MIME: Media Types)
       <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
       <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
       <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
       <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
       <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
       <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
       <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)

<b>DIAGNOSTICS</b>
       Problems and transactions are logged to <b>syslogd</b>(8).
       Corrupted message files are marked so that the queue manager
       can move them to the <b>corrupt</b> queue for further inspection.

       Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
       the postmaster is notified of bounces, protocol problems,
       and of other trouble.

<b>BUGS</b>
       SMTP and LMTP connection caching does not work with TLS.
       The necessary support for TLS object passivation and
       re-activation does not exist without closing the session,
       which defeats the purpose.

       SMTP and LMTP connection caching assumes that SASL
       credentials are valid for all destinations that map onto the
       same IP address and TCP port.

<b>CONFIGURATION PARAMETERS</b>
       Before Postfix version 2.3, the LMTP client is a separate
       program that implements only a subset of the functionality
       available with SMTP: there is no support for TLS, and
       connections are cached in-process, making it ineffective when
       the client is used for multiple domains.

       Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i>
       "mirror" parameter for the equivalent LMTP feature. This
       document describes only those LMTP-related parameters that
       aren't simply "mirror" parameters.

       Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a>
       processes run for only a limited amount of time. Use the
       command "<b>postfix reload</b>" to speed up a change.

       The text below provides only a parameter summary. See
       <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.

<b>COMPATIBILITY CONTROLS</b>
       <b><a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> (no)</b>
              Ignore DNS MX lookups that produce no response.

       <b><a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> (yes)</b>
              Always send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
              Never send EHLO at the start of an SMTP session.

       <b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
              Defer mail delivery when no MX record resolves to
              an IP address.

       <b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
              The maximal length of message header and body lines
              that Postfix will send via SMTP.

       <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
              How long the Postfix SMTP client pauses before
              sending ".&lt;CR&gt;&lt;LF&gt;" in order to work around the PIX
              firewall "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug.

       <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
              How long a message must be queued before the
              Postfix SMTP client turns on the PIX firewall
              "&lt;CR&gt;&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" bug workaround for delivery
              through firewalls with "smtp fixup" mode turned on.

       <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b>
              A list that specifies zero or more workarounds for
              CISCO PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP server
              address, with per-destination workarounds for CISCO
              PIX firewall bugs.

       <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
              Quote addresses in SMTP MAIL FROM and RCPT TO
              commands as required by <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a>.

       <b><a href="postconf.5.html#smtp_reply_filter">smtp_reply_filter</a> (empty)</b>
              A mechanism to transform replies from remote SMTP
              servers one line at a time.

       <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 5XX status code
              (go away, do not try again later).

       <b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
              Do not wait for the response to the SMTP QUIT
              command.

       Available in Postfix version 2.0 and earlier:

       <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b>
              Skip SMTP servers that greet with a 4XX status code
              (go away, try again later).

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote SMTP server
              address, with case insensitive lists of EHLO
              keywords (pipelining, starttls, auth, etc.) that the
              Postfix SMTP client will ignore in the EHLO
              response from a remote SMTP server.

       <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
              A case insensitive list of EHLO keywords
              (pipelining, starttls, auth, etc.) that the Postfix SMTP
              client will ignore in the EHLO response from a
              remote SMTP server.

       <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
              Optional lookup tables that perform address
              rewriting in the SMTP client, typically to transform a
              locally valid address into a globally valid address
              when sending mail across the Internet.

       Available in Postfix version 2.2.9 and later:

       <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
              Allow DNS CNAME records to override the servername
              that the Postfix SMTP client uses for logging, SASL
              password lookup, TLS policy decisions, or TLS
              certificate verification.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
              Lookup tables, indexed by the remote LMTP server
              address, with case insensitive lists of LHLO
              keywords (pipelining, starttls, auth, etc.)
              that the LMTP client will ignore in the LHLO response
              from a remote LMTP server.

       <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
              A case insensitive list of LHLO keywords
              (pipelining, starttls, auth, etc.) that the LMTP client
              will ignore in the LHLO response from a remote LMTP
              server.

       Available in Postfix version 2.4.4 and later:

       <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
              When authenticating to a remote SMTP or LMTP server
              with the default setting "no", send no SASL
              authoriZation ID (authzid); send only the SASL
              authentiCation ID (authcid) plus the authcid's password.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix
              SMTP client.

       <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
              Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the
              Postfix SMTP client.

       <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
              Restricted <a href="header_checks.5.html"><b>body_checks</b>(5)</a> tables for the Postfix
              SMTP client.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
              An optional workaround for routers that break TCP
              window scaling.

<b>MIME PROCESSING CONTROLS</b>
       Available in Postfix version 2.0 and later:

       <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
              Disable the conversion of 8BITMIME format to 7BIT
              format.

       <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
              The maximal length of MIME multipart boundary
              strings.

       <b><a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> (100)</b>
              The maximal recursion level that the MIME processor
              will handle.

<b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
              Send the non-standard XFORWARD command when the
              Postfix SMTP server EHLO response announces
              XFORWARD support.

<b>SASL AUTHENTICATION CONTROLS</b>
       <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
              Enable SASL authentication in the Postfix SMTP
              client.

       <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
              Optional SMTP client lookup tables with one
              username:password entry per remote hostname or domain,
              or sender address when sender-dependent
              authentication is enabled.

       <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
              Postfix SMTP client SASL security options; as of
              Postfix 2.3 the list of available features depends
              on the SASL client implementation that is selected
              with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
              If non-empty, a Postfix SMTP client filter for the
              remote SMTP server's list of offered SASL
              mechanisms.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
              Enable sender-dependent authentication in the
              Postfix SMTP client; this is available only with SASL
              authentication, and disables SMTP connection
              caching to ensure that mail from different senders
              will use the appropriate credentials.

       <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
              Implementation-specific information that the
              Postfix SMTP client passes through to the SASL plug-in
              implementation that is selected with
              <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.

       <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
              The SASL plug-in type that the Postfix SMTP client
              should use for authentication.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
              An optional table to prevent repeated SASL
              authentication failures with the same remote SMTP server
              hostname, username and password.

       <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
              The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
              entry before it is removed.

       <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
              When a remote SMTP server rejects a SASL
              authentication request with a 535 reply code, defer mail
              delivery instead of returning mail as
              undeliverable.

<b>STARTTLS SUPPORT CONTROLS</b>
       Detailed information about STARTTLS configuration may be
       found in the <a href="TLS_README.html">TLS_README</a> document.

       <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
              The default SMTP TLS security level for the Postfix
              SMTP client; when a non-empty value is specified,
              this overrides the obsolete parameters
              <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
              <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.

       <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP client uses for TLS encrypted SMTP
              sessions.

       <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
              Time limit for Postfix SMTP client write and read
              operations during TLS startup and shutdown
              handshake procedures.

       <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
              A file containing CA certificates of root CAs
              trusted to sign either remote SMTP server
              certificates or intermediate CA certificates.

       <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
              Directory with PEM format certificate authority
              certificates that the Postfix SMTP client uses to
              verify a remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
              File with the Postfix SMTP client RSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
              List of ciphers or cipher types to exclude from the
              Postfix SMTP client cipher list at all TLS security
              levels.

       <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
              Additional list of ciphers or cipher types to
              exclude from the SMTP client cipher list at
              mandatory TLS security levels.

       <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
              File with the Postfix SMTP client DSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
              File with the Postfix SMTP client DSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
              File with the Postfix SMTP client RSA private key
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
              Enable additional Postfix SMTP client logging of
              TLS activity.

       <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
              Log the hostname of a remote SMTP server that
              offers STARTTLS, when TLS is not already enabled
              for that server.

       <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS security policy by next-hop destination; when a
              non-empty value is specified, this overrides the
              obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.

       <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
              List of SSL/TLS protocols that the Postfix SMTP
              client will use with mandatory TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
              The verification depth for remote SMTP server
              certificates.

       <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
              The server certificate peername verification method
              for the "secure" TLS security level.

       <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
              Name of the file containing the optional Postfix
              SMTP client TLS session cache.

       <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
              The expiration time of Postfix SMTP client TLS
              session cache information.

       <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
              The server certificate peername verification method
              for the "verify" TLS security level.

       <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
              The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
              or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
              server in order to seed its internal pseudo random
              number generator (PRNG).

       <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
       <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "HIGH" grade ciphers.

       <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "MEDIUM" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "LOW" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
              The OpenSSL cipherlist for "EXPORT" or higher grade
              ciphers.

       <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
              The OpenSSL cipherlist for "NULL" grade ciphers
              that provide authentication without encryption.

       Available in Postfix version 2.4 and later:

       <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
       <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
              The SASL authentication security options that the
              Postfix SMTP client uses for TLS encrypted SMTP
              sessions with a verified server certificate.

       Available in Postfix version 2.5 and later:

       <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
              List of acceptable remote SMTP server certificate
              fingerprints for the "fingerprint" TLS security
              level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).

       <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
              The message digest algorithm used to construct
              remote SMTP server certificate fingerprints.

       Available in Postfix version 2.6 and later:

       <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
              List of TLS protocols that the Postfix SMTP client
              will exclude or include with opportunistic TLS
              encryption.

       <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
              The minimum TLS cipher grade that the Postfix SMTP
              client will use with opportunistic TLS encryption.

       <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
              File with the Postfix SMTP client ECDSA certificate
              in PEM format.

       <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
              File with the Postfix SMTP client ECDSA private key
              in PEM format.

       Available in Postfix version 2.7 and later:

       <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
              Try to detect a mail hijacking attack based on a
              TLS protocol vulnerability (CVE-2009-3555), where
              an attacker prepends malicious HELO, MAIL, RCPT,
              DATA commands to a Postfix SMTP client TLS session.

<b>OBSOLETE STARTTLS CONTROLS</b>
       The following configuration parameters exist for
       compatibility with Postfix versions before 2.3. Support for these
       will be removed in a future release.

       <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
              Opportunistic mode: use TLS when a remote SMTP
              server announces STARTTLS support, otherwise send
              the mail in the clear.

       <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
              Enforcement mode: require that remote SMTP servers
              use TLS encryption, and never send mail in the
              clear.

       <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
              With mandatory TLS encryption, require that the
              remote SMTP server hostname matches the information
              in the remote SMTP server certificate.

       <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
              Optional lookup tables with the Postfix SMTP client
              TLS usage policy by next-hop destination and by
              remote SMTP server hostname.

       <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
              Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
              client TLS cipher list.

<b>RESOURCE AND RATE CONTROLS</b>
       <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a>)</b>
              The maximal number of parallel deliveries to the
              same destination via the smtp message delivery
              transport.

       <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b>
              The maximal number of recipients per message for
              the smtp message delivery transport.

       <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
              The SMTP client time limit for completing a TCP
              connection, or zero (use the operating system
              built-in time limit).

       <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
              The SMTP client time limit for sending the HELO or
              EHLO command, and for receiving the initial server
              response.

       <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
              The LMTP client time limit for sending the LHLO
              command, and for receiving the initial server
              response.

       <b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
              The SMTP client time limit for sending the XFORWARD
              command, and for receiving the server response.

       <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
              The SMTP client time limit for sending the MAIL
              FROM command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
              The SMTP client time limit for sending the SMTP
              RCPT TO command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
              The SMTP client time limit for sending the SMTP
              DATA command, and for receiving the server
              response.

       <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
              The SMTP client time limit for sending the SMTP
              message content.

       <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
              The SMTP client time limit for sending the SMTP
              ".", and for receiving the server response.

       <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
              The SMTP client time limit for sending the QUIT
              command, and for receiving the server response.

       Available in Postfix version 2.1 and later:

       <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
              The maximal number of MX (mail exchanger) IP
              addresses that can result from mail exchanger
              lookups, or zero (no limit).

       <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
              The maximal number of SMTP sessions per delivery
              request before giving up or delivering to a
              fall-back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).

       <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
              The SMTP client time limit for sending the RSET
              command, and for receiving the server response.

       Available in Postfix version 2.2 and earlier:

       <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
              Keep Postfix LMTP client connections open for up to
              $<a href="postconf.5.html#max_idle">max_idle</a> seconds.

       Available in Postfix version 2.2 and later:

       <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
              Permanently enable SMTP connection caching for the
              specified destinations.

       <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
              Temporarily enable SMTP connection caching while a
              destination has a high volume of mail in the active
              queue.

       <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
              The amount of time during which Postfix will use an
              SMTP connection repeatedly.

       <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
              When SMTP connection caching is enabled, the amount
              of time that an unused SMTP client socket is kept
              open before it is closed.

       Available in Postfix version 2.3 and later:

       <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
              Time limit for connection cache connect, send or
              receive operations.

<b>TROUBLE SHOOTING CONTROLS</b>
       <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
              The increment in verbose logging level when a
              remote client or server matches a pattern in the
              <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.

       <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
              Optional list of remote client or server hostname
              or network address patterns that cause the verbose
              logging level to increase by the amount specified
              in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.

       <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
              The recipient of postmaster notifications about
              mail delivery problems that are caused by policy,
              resource, software or protocol errors.

       <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
              What categories of Postfix-generated mail are
              subject to before-queue content inspection by
              <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.

       <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
              The list of error classes that are reported to the
              postmaster.

<b>MISCELLANEOUS CONTROLS</b>
       <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
              Where the Postfix SMTP client should deliver mail
              when it detects a "mail loops back to myself" error
              condition.

       <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
              The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
              <a href="master.5.html">master.cf</a> configuration files.

       <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
              How much time a Postfix daemon process may take to
              handle a request before it is terminated by a
              built-in watchdog timer.

       <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
              The maximal number of digits after the decimal
              point when logging sub-second delay values.

       <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
              Disable DNS lookups in the Postfix SMTP and LMTP
              clients.

       <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
              The network interface addresses that this mail
              system receives mail on.

       <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
              The Internet protocols Postfix will attempt to use
              when making or accepting connections.

       <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
              The time limit for sending or receiving information
              over an internal communication channel.

       <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
              When an LMTP server announces no DSN support,
              assume that the server performs final delivery, and
              send "delivered" delivery status notifications
              instead of "relayed".

       <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
              The default TCP port that the Postfix LMTP client
              connects to.

       <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
              The maximum amount of time that an idle Postfix
              daemon process waits for an incoming connection
              before terminating voluntarily.

       <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
              The maximal number of incoming connections that a
              Postfix daemon process will service before
              terminating voluntarily.

       <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
              The process ID of a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
              The process name of a Postfix command or daemon
              process.

       <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
              The network interface addresses that this mail
              system receives mail on by way of a proxy or network
              address translation unit.

       <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
              An optional numerical network address that the
              Postfix SMTP client should bind to when making an
              IPv4 connection.

       <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
              An optional numerical network address that the
              Postfix SMTP client should bind to when making an
              IPv6 connection.

       <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The hostname to send in the SMTP EHLO or HELO
              command.

       <b><a href="postconf.5.html#lmtp_lhlo_name">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
              The hostname to send in the LMTP LHLO command.

       <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
              What mechanisms the Postfix SMTP client uses to
              look up a host's IP address.

       <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
              Randomize the order of equal-preference MX host
              addresses.

       <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
              The syslog facility of Postfix logging.

       <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
              The mail system name that is prepended to the
              process name in syslog records, so that "smtpd"
              becomes, for example, "postfix/smtpd".

       Available with Postfix 2.2 and earlier:

       <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
              Optional list of relay hosts for SMTP destinations
              that can't be found or that are unreachable.

       Available with Postfix 2.3 and later:

       <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
              Optional list of relay hosts for SMTP destinations
              that can't be found or that are unreachable.

<b>SEE ALSO</b>
       <a href="generic.5.html">generic(5)</a>, output address rewriting
       <a href="header_checks.5.html">header_checks(5)</a>, message header content inspection
       <a href="header_checks.5.html">body_checks(5)</a>, body parts content inspection
       <a href="qmgr.8.html">qmgr(8)</a>, queue manager
       <a href="bounce.8.html">bounce(8)</a>, delivery status reports
       <a href="scache.8.html">scache(8)</a>, connection cache server
       <a href="postconf.5.html">postconf(5)</a>, configuration parameters
       <a href="master.5.html">master(5)</a>, generic daemon options
       <a href="master.8.html">master(8)</a>, process manager
       <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
       syslogd(8), system logging

<b>README FILES</b>
       <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
       <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto

<b>LICENSE</b>
       The Secure Mailer license must be distributed with this
       software.

<b>AUTHOR(S)</b>
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Command pipelining in cooperation with:
       Jon Ribbens
       Oaktree Internet Solutions Ltd.,
       Internet House,
       Canal Basin,
       Coventry,
       CV1 4LY, United Kingdom.

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

       Revised TLS and SMTP connection cache support by:
       Victor Duchovni
       Morgan Stanley

                                                          SMTP(8)
</pre> </body> </html>