1<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN" 2 "http://www.w3.org/TR/html4/loose.dtd"> 3<html> <head> 4<meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> 5<title> Postfix manual - smtpd(8) </title> 6</head> <body> <pre> 7SMTPD(8) SMTPD(8) 8 9<b>NAME</b> 10 smtpd - Postfix SMTP server 11 12<b>SYNOPSIS</b> 13 <b>smtpd</b> [generic Postfix daemon options] 14 15 <b>sendmail -bs</b> 16 17<b>DESCRIPTION</b> 18 The SMTP server accepts network connection requests and 19 performs zero or more SMTP transactions per connection. 20 Each received message is piped through the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> dae- 21 mon, and is placed into the <a href="QSHAPE_README.html#incoming_queue"><b>incoming</b> queue</a> as one single 22 queue file. For this mode of operation, the program 23 expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager. 24 25 Alternatively, the SMTP server be can run in stand-alone 26 mode; this is traditionally obtained with "<b>sendmail -bs</b>". 27 When the SMTP server runs stand-alone with non $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b> 28 privileges, it receives mail even while the mail system is 29 not running, deposits messages directly into the <b>maildrop</b> 30 queue, and disables the SMTP server's access policies. As 31 of Postfix version 2.3, the SMTP server refuses to receive 32 mail from the network when it runs with non $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b> 33 privileges. 34 35 The SMTP server implements a variety of policies for con- 36 nection requests, and for parameters given to <b>HELO, ETRN,</b> 37 <b>MAIL FROM, VRFY</b> and <b>RCPT TO</b> commands. They are detailed 38 below and in the <a href="postconf.5.html"><b>main.cf</b></a> configuration file. 39 40<b>SECURITY</b> 41 The SMTP server is moderately security-sensitive. It talks 42 to SMTP clients and to DNS servers on the network. The 43 SMTP server can be run chrooted at fixed low privilege. 44 45<b>STANDARDS</b> 46 <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol) 47 <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements) 48 <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport) 49 <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions) 50 <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration) 51 <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command) 52 <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes) 53 <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command) 54 <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol) 55 <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining) 56 <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command) 57 <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension) 58 <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes) 59 <a href="http://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP Transmission Types) 60 <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command) 61 62<b>DIAGNOSTICS</b> 63 Problems and transactions are logged to <b>syslogd</b>(8). 64 65 Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter, 66 the postmaster is notified of bounces, protocol problems, 67 policy violations, and of other trouble. 68 69<b>CONFIGURATION PARAMETERS</b> 70 Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as 71 <a href="smtpd.8.html"><b>smtpd</b>(8)</a> processes run for only a limited amount of time. 72 Use the command "<b>postfix reload</b>" to speed up a change. 73 74 The text below provides only a parameter summary. See 75 <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. 76 77<b>COMPATIBILITY CONTROLS</b> 78 The following parameters work around implementation errors 79 in other software, and/or allow you to override standards 80 in order to prevent undesirable use. 81 82 <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b> 83 Enable inter-operability with SMTP clients that 84 implement an obsolete version of the AUTH command 85 (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>). 86 87 <b><a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> (no)</b> 88 Disable the SMTP VRFY command. 89 90 <b><a href="postconf.5.html#smtpd_noop_commands">smtpd_noop_commands</a> (empty)</b> 91 List of commands that the Postfix SMTP server 92 replies to with "250 Ok", without doing any syntax 93 checks and without changing state. 94 95 <b><a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> (no)</b> 96 Require that addresses received in SMTP MAIL FROM 97 and RCPT TO commands are enclosed with <>, and that 98 those addresses do not contain <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> style com- 99 ments or phrases. 100 101 Available in Postfix version 2.1 and later: 102 103 <b><a href="postconf.5.html#resolve_null_domain">resolve_null_domain</a> (no)</b> 104 Resolve an address that ends in the "@" null domain 105 as if the local hostname were specified, instead of 106 rejecting the address as invalid. 107 108 <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b> 109 Request that the Postfix SMTP server rejects mail 110 from unknown sender addresses, even when no 111 explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction 112 is specified. 113 114 <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b> 115 What remote SMTP clients the Postfix SMTP server 116 will not offer AUTH support to. 117 118 Available in Postfix version 2.2 and later: 119 120 <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> (empty)</b> 121 Lookup tables, indexed by the remote SMTP client 122 address, with case insensitive lists of EHLO key- 123 words (pipelining, starttls, auth, etc.) that the 124 SMTP server will not send in the EHLO response to a 125 remote SMTP client. 126 127 <b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> (empty)</b> 128 A case insensitive list of EHLO keywords (pipelin- 129 ing, starttls, auth, etc.) that the SMTP server 130 will not send in the EHLO response to a remote SMTP 131 client. 132 133 <b><a href="postconf.5.html#smtpd_delay_open_until_valid_rcpt">smtpd_delay_open_until_valid_rcpt</a> (yes)</b> 134 Postpone the start of an SMTP mail transaction 135 until a valid RCPT TO command is received. 136 137 Available in Postfix version 2.3 and later: 138 139 <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b> 140 Force the Postfix SMTP server to issue a TLS ses- 141 sion id, even when TLS session caching is turned 142 off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty). 143 144 Available in Postfix version 2.6 and later: 145 146 <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b> 147 An optional workaround for routers that break TCP 148 window scaling. 149 150 Available in Postfix version 2.7 and later: 151 152 <b><a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> (empty)</b> 153 A mechanism to transform commands from remote SMTP 154 clients. 155 156<b>ADDRESS REWRITING CONTROLS</b> 157 See the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed 158 discussion of Postfix address rewriting. 159 160 <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b> 161 Enable or disable recipient validation, built-in 162 content filtering, or address mapping. 163 164 Available in Postfix version 2.2 and later: 165 166 <b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b> 167 Rewrite message header addresses in mail from these 168 clients and update incomplete addresses with the 169 domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a>; either don't 170 rewrite message headers from other clients at all, 171 or rewrite message headers and update incomplete 172 addresses with the domain specified in the 173 <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter. 174 175<b>AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b> 176 As of version 1.0, Postfix can be configured to send new 177 mail to an external content filter AFTER the mail is 178 queued. This content filter is expected to inject mail 179 back into a (Postfix or other) MTA for further delivery. 180 See the <a href="FILTER_README.html">FILTER_README</a> document for details. 181 182 <b><a href="postconf.5.html#content_filter">content_filter</a> (empty)</b> 183 After the message is queued, send the entire mes- 184 sage to the specified <i>transport:destination</i>. 185 186<b>BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b> 187 As of version 2.1, the Postfix SMTP server can be config- 188 ured to send incoming mail to a real-time SMTP-based con- 189 tent filter BEFORE mail is queued. This content filter is 190 expected to inject mail back into Postfix. See the 191 <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document for details on how to config- 192 ure and operate this feature. 193 194 <b><a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> (empty)</b> 195 The hostname and TCP port of the mail filtering 196 proxy server. 197 198 <b><a href="postconf.5.html#smtpd_proxy_ehlo">smtpd_proxy_ehlo</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> 199 How the Postfix SMTP server announces itself to the 200 proxy filter. 201 202 <b><a href="postconf.5.html#smtpd_proxy_options">smtpd_proxy_options</a> (empty)</b> 203 List of options that control how the Postfix SMTP 204 server communicates with a before-queue content 205 filter. 206 207 <b><a href="postconf.5.html#smtpd_proxy_timeout">smtpd_proxy_timeout</a> (100s)</b> 208 The time limit for connecting to a proxy filter and 209 for sending or receiving information. 210 211<b>BEFORE QUEUE MILTER CONTROLS</b> 212 As of version 2.3, Postfix supports the Sendmail version 8 213 Milter (mail filter) protocol. These content filters run 214 outside Postfix. They can inspect the SMTP command stream 215 and the message content, and can request modifications 216 before mail is queued. For details see the <a href="MILTER_README.html">MILTER_README</a> 217 document. 218 219 <b><a href="postconf.5.html#smtpd_milters">smtpd_milters</a> (empty)</b> 220 A list of Milter (mail filter) applications for new 221 mail that arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server. 222 223 <b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b> 224 The mail filter protocol version and optional pro- 225 tocol extensions for communication with a Milter 226 application; prior to Postfix 2.6 the default pro- 227 tocol is 2. 228 229 <b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b> 230 The default action when a Milter (mail filter) 231 application is unavailable or mis-configured. 232 233 <b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> 234 The {daemon_name} macro value for Milter (mail fil- 235 ter) applications. 236 237 <b><a href="postconf.5.html#milter_macro_v">milter_macro_v</a> ($<a href="postconf.5.html#mail_name">mail_name</a> $<a href="postconf.5.html#mail_version">mail_version</a>)</b> 238 The {v} macro value for Milter (mail filter) appli- 239 cations. 240 241 <b><a href="postconf.5.html#milter_connect_timeout">milter_connect_timeout</a> (30s)</b> 242 The time limit for connecting to a Milter (mail 243 filter) application, and for negotiating protocol 244 options. 245 246 <b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b> 247 The time limit for sending an SMTP command to a 248 Milter (mail filter) application, and for receiving 249 the response. 250 251 <b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b> 252 The time limit for sending message content to a 253 Milter (mail filter) application, and for receiving 254 the response. 255 256 <b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b> 257 The macros that are sent to Milter (mail filter) 258 applications after completion of an SMTP connec- 259 tion. 260 261 <b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b> 262 The macros that are sent to Milter (mail filter) 263 applications after the SMTP HELO or EHLO command. 264 265 <b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b> 266 The macros that are sent to Milter (mail filter) 267 applications after the SMTP MAIL FROM command. 268 269 <b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b> 270 The macros that are sent to Milter (mail filter) 271 applications after the SMTP RCPT TO command. 272 273 <b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b> 274 The macros that are sent to version 4 or higher 275 Milter (mail filter) applications after the SMTP 276 DATA command. 277 278 <b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b> 279 The macros that are sent to version 3 or higher 280 Milter (mail filter) applications after an unknown 281 SMTP command. 282 283 <b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b> 284 The macros that are sent to Milter (mail filter) 285 applications after the end of the message header. 286 287 <b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b> 288 The macros that are sent to Milter (mail filter) 289 applications after the message end-of-data. 290 291<b>GENERAL CONTENT INSPECTION CONTROLS</b> 292 The following parameters are applicable for both built-in 293 and external content filters. 294 295 Available in Postfix version 2.1 and later: 296 297 <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b> 298 Enable or disable recipient validation, built-in 299 content filtering, or address mapping. 300 301<b>EXTERNAL CONTENT INSPECTION CONTROLS</b> 302 The following parameters are applicable for both before- 303 queue and after-queue content filtering. 304 305 Available in Postfix version 2.1 and later: 306 307 <b><a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> (empty)</b> 308 What SMTP clients are allowed to use the XFORWARD 309 feature. 310 311<b>SASL AUTHENTICATION CONTROLS</b> 312 Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenti- 313 cate remote SMTP clients to the Postfix SMTP server, and 314 to authenticate the Postfix SMTP client to a remote SMTP 315 server. See the <a href="SASL_README.html">SASL_README</a> document for details. 316 317 <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b> 318 Enable inter-operability with SMTP clients that 319 implement an obsolete version of the AUTH command 320 (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>). 321 322 <b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b> 323 Enable SASL authentication in the Postfix SMTP 324 server. 325 326 <b><a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> (empty)</b> 327 The name of the Postfix SMTP server's local SASL 328 authentication realm. 329 330 <b><a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> (noanonymous)</b> 331 Postfix SMTP server SASL security options; as of 332 Postfix 2.3 the list of available features depends 333 on the SASL server implementation that is selected 334 with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>. 335 336 <b><a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> (empty)</b> 337 Optional lookup table with the SASL login names 338 that own sender (MAIL FROM) addresses. 339 340 Available in Postfix version 2.1 and later: 341 342 <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b> 343 What remote SMTP clients the Postfix SMTP server 344 will not offer AUTH support to. 345 346 Available in Postfix version 2.1 and 2.2: 347 348 <b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b> 349 The application name that the Postfix SMTP server 350 uses for SASL server initialization. 351 352 Available in Postfix version 2.3 and later: 353 354 <b><a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> (no)</b> 355 Report the SASL authenticated user name in the 356 <a href="smtpd.8.html"><b>smtpd</b>(8)</a> Received message header. 357 358 <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> (smtpd)</b> 359 Implementation-specific information that the Post- 360 fix SMTP server passes through to the SASL plug-in 361 implementation that is selected with 362 <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>. 363 364 <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a> (cyrus)</b> 365 The SASL plug-in type that the Postfix SMTP server 366 should use for authentication. 367 368 Available in Postfix version 2.5 and later: 369 370 <b><a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a> (empty)</b> 371 Search path for Cyrus SASL application configura- 372 tion files, currently used only to locate the 373 $<a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.conf file. 374 375<b>STARTTLS SUPPORT CONTROLS</b> 376 Detailed information about STARTTLS configuration may be 377 found in the <a href="TLS_README.html">TLS_README</a> document. 378 379 <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b> 380 The SMTP TLS security level for the Postfix SMTP 381 server; when a non-empty value is specified, this 382 overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and 383 <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. 384 385 <b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b> 386 <b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b> 387 The SASL authentication security options that the 388 Postfix SMTP server uses for TLS encrypted SMTP 389 sessions. 390 391 <b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (300s)</b> 392 The time limit for Postfix SMTP server write and 393 read operations during TLS startup and shutdown 394 handshake procedures. 395 396 <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b> 397 A file containing (PEM format) CA certificates of 398 root CAs trusted to sign either remote SMTP client 399 certificates or intermediate CA certificates. 400 401 <b><a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> (empty)</b> 402 A directory containing (PEM format) CA certificates 403 of root CAs trusted to sign either remote SMTP 404 client certificates or intermediate CA certifi- 405 cates. 406 407 <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b> 408 Force the Postfix SMTP server to issue a TLS ses- 409 sion id, even when TLS session caching is turned 410 off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty). 411 412 <b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b> 413 Ask a remote SMTP client for a client certificate. 414 415 <b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b> 416 When TLS encryption is optional in the Postfix SMTP 417 server, do not announce or accept SASL authentica- 418 tion over unencrypted connections. 419 420 <b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (9)</b> 421 The verification depth for remote SMTP client cer- 422 tificates. 423 424 <b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b> 425 File with the Postfix SMTP server RSA certificate 426 in PEM format. 427 428 <b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b> 429 List of ciphers or cipher types to exclude from the 430 SMTP server cipher list at all TLS security levels. 431 432 <b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b> 433 File with the Postfix SMTP server DSA certificate 434 in PEM format. 435 436 <b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b> 437 File with DH parameters that the Postfix SMTP 438 server should use with EDH ciphers. 439 440 <b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b> 441 File with DH parameters that the Postfix SMTP 442 server should use with EDH ciphers. 443 444 <b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b> 445 File with the Postfix SMTP server DSA private key 446 in PEM format. 447 448 <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b> 449 File with the Postfix SMTP server RSA private key 450 in PEM format. 451 452 <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b> 453 Enable additional Postfix SMTP server logging of 454 TLS activity. 455 456 <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b> 457 The minimum TLS cipher grade that the Postfix SMTP 458 server will use with mandatory TLS encryption. 459 460 <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b> 461 Additional list of ciphers or cipher types to 462 exclude from the SMTP server cipher list at manda- 463 tory TLS security levels. 464 465 <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b> 466 The SSL/TLS protocols accepted by the Postfix SMTP 467 server with mandatory TLS encryption. 468 469 <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b> 470 Request that the Postfix SMTP server produces 471 Received: message headers that include information 472 about the protocol and cipher used, as well as the 473 client CommonName and client certificate issuer 474 CommonName. 475 476 <b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b> 477 With mandatory TLS encryption, require a trusted 478 remote SMTP client certificate in order to allow 479 TLS connections to proceed. 480 481 <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b> 482 Name of the file containing the optional Postfix 483 SMTP server TLS session cache. 484 485 <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b> 486 The expiration time of Postfix SMTP server TLS ses- 487 sion cache information. 488 489 <b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b> 490 Run the Postfix SMTP server in the non-standard 491 "wrapper" mode, instead of using the STARTTLS com- 492 mand. 493 494 <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b> 495 The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> 496 or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> 497 server in order to seed its internal pseudo random 498 number generator (PRNG). 499 500 <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b> 501 <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b> 502 The OpenSSL cipherlist for "HIGH" grade ciphers. 503 504 <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b> 505 The OpenSSL cipherlist for "MEDIUM" or higher grade 506 ciphers. 507 508 <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b> 509 The OpenSSL cipherlist for "LOW" or higher grade 510 ciphers. 511 512 <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b> 513 The OpenSSL cipherlist for "EXPORT" or higher grade 514 ciphers. 515 516 <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b> 517 The OpenSSL cipherlist for "NULL" grade ciphers 518 that provide authentication without encryption. 519 520 Available in Postfix version 2.5 and later: 521 522 <b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (md5)</b> 523 The message digest algorithm used to construct 524 client-certificate fingerprints for 525 <b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b> and <b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a></b>. 526 527 Available in Postfix version 2.6 and later: 528 529 <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b> 530 List of TLS protocols that the Postfix SMTP server 531 will exclude or include with opportunistic TLS 532 encryption. 533 534 <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b> 535 The minimum TLS cipher grade that the Postfix SMTP 536 server will use with opportunistic TLS encryption. 537 538 <b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b> 539 File with the Postfix SMTP server ECDSA certificate 540 in PEM format. 541 542 <b><a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b> 543 File with the Postfix SMTP server ECDSA private key 544 in PEM format. 545 546 <b><a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> (see 'postconf -d' output)</b> 547 The Postfix SMTP server security grade for 548 ephemeral elliptic-curve Diffie-Hellman (EECDH) key 549 exchange. 550 551 <b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b> 552 The elliptic curve used by the SMTP server for sen- 553 sibly strong ephemeral ECDH key exchange. 554 555 <b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b> 556 The elliptic curve used by the SMTP server for max- 557 imally strong ephemeral ECDH key exchange. 558 559<b>OBSOLETE STARTTLS CONTROLS</b> 560 The following configuration parameters exist for compati- 561 bility with Postfix versions before 2.3. Support for these 562 will be removed in a future release. 563 564 <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b> 565 Opportunistic TLS: announce STARTTLS support to 566 SMTP clients, but do not require that clients use 567 TLS encryption. 568 569 <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b> 570 Mandatory TLS: announce STARTTLS support to SMTP 571 clients, and require that clients use TLS encryp- 572 tion. 573 574 <b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b> 575 Obsolete Postfix < 2.3 control for the Postfix SMTP 576 server TLS cipher list. 577 578<b>VERP SUPPORT CONTROLS</b> 579 With VERP style delivery, each recipient of a message 580 receives a customized copy of the message with his/her own 581 recipient address encoded in the envelope sender address. 582 The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation 583 details of Postfix support for variable envelope return 584 path addresses. VERP style delivery is requested with the 585 SMTP XVERP command or with the "sendmail -V" command-line 586 option and is available in Postfix version 1.1 and later. 587 588 <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b> 589 The two default VERP delimiter characters. 590 591 <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b> 592 The characters Postfix accepts as VERP delimiter 593 characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line 594 and in SMTP commands. 595 596 Available in Postfix version 1.1 and 2.0: 597 598 <b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b> 599 What SMTP clients are allowed to specify the XVERP 600 command. 601 602 Available in Postfix version 2.1 and later: 603 604 <b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b> 605 What SMTP clients are allowed to specify the XVERP 606 command. 607 608<b>TROUBLE SHOOTING CONTROLS</b> 609 The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of 610 the Postfix mail system. The methods vary from making the 611 software log a lot of detail, to running some daemon pro- 612 cesses under control of a call tracer or debugger. 613 614 <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> 615 The increment in verbose logging level when a 616 remote client or server matches a pattern in the 617 <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. 618 619 <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b> 620 Optional list of remote client or server hostname 621 or network address patterns that cause the verbose 622 logging level to increase by the amount specified 623 in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>. 624 625 <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b> 626 The recipient of postmaster notifications about 627 mail delivery problems that are caused by policy, 628 resource, software or protocol errors. 629 630 <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b> 631 What categories of Postfix-generated mail are sub- 632 ject to before-queue content inspection by 633 <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>. 634 635 <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b> 636 The list of error classes that are reported to the 637 postmaster. 638 639 <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b> 640 Safety net to keep mail queued that would otherwise 641 be returned to the sender. 642 643 Available in Postfix version 2.1 and later: 644 645 <b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b> 646 What SMTP clients are allowed to use the XCLIENT 647 feature. 648 649<b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b> 650 As of Postfix version 2.0, the SMTP server rejects mail 651 for unknown recipients. This prevents the mail queue from 652 clogging up with undeliverable MAILER-DAEMON messages. 653 Additional information on this topic is in the 654 <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents. 655 656 <b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b> 657 Display the name of the recipient table in the 658 "User unknown" responses. 659 660 <b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b> 661 Optional address mapping lookup tables for message 662 headers and envelopes. 663 664 <b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b> 665 Optional address mapping lookup tables for envelope 666 and header recipient addresses. 667 668 Parameters concerning known/unknown local recipients: 669 670 <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, local-</b> 671 <b>host)</b> 672 The list of domains that are delivered via the 673 $<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport. 674 675 <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> 676 The network interface addresses that this mail sys- 677 tem receives mail on. 678 679 <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> 680 The network interface addresses that this mail sys- 681 tem receives mail on by way of a proxy or network 682 address translation unit. 683 684 <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b> 685 The Internet protocols Postfix will attempt to use 686 when making or accepting connections. 687 688 <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b> 689 <b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b> 690 Lookup tables with all names or addresses of local 691 recipients: a recipient address is local when its 692 domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or 693 $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. 694 695 <b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b> 696 The numerical Postfix SMTP server response code 697 when a recipient address is local, and 698 $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup 699 tables that does not match the recipient. 700 701 Parameters concerning known/unknown recipients of relay 702 destinations: 703 704 <b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b> 705 What destination domains (and subdomains thereof) 706 this system will relay mail to. 707 708 <b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b> 709 Optional lookup tables with all valid addresses in 710 the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>. 711 712 <b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b> 713 The numerical Postfix SMTP server reply code when a 714 recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and 715 <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup 716 tables that does not match the recipient address. 717 718 Parameters concerning known/unknown recipients in virtual 719 alias domains: 720 721 <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b> 722 Postfix is final destination for the specified list 723 of virtual alias domains, that is, domains for 724 which all addresses are aliased to addresses in 725 other local or remote domains. 726 727 <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b> 728 Optional lookup tables that alias specific mail 729 addresses or domains to other local or remote 730 address. 731 732 <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b> 733 The SMTP server reply code when a recipient address 734 matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>- 735 <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables 736 that does not match the recipient address. 737 738 Parameters concerning known/unknown recipients in virtual 739 mailbox domains: 740 741 <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b> 742 Postfix is final destination for the specified list 743 of domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>- 744 <a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport. 745 746 <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b> 747 Optional lookup tables with all valid addresses in 748 the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>. 749 750 <b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b> 751 The SMTP server reply code when a recipient address 752 matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>- 753 <a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables 754 that does not match the recipient address. 755 756<b>RESOURCE AND RATE CONTROLS</b> 757 The following parameters limit resource usage by the SMTP 758 server and/or control client request rates. 759 760 <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b> 761 Upon input, long lines are chopped up into pieces 762 of at most this length; upon delivery, long lines 763 are reconstructed. 764 765 <b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b> 766 The minimal amount of free space in bytes in the 767 queue file system that is needed to receive mail. 768 769 <b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b> 770 The maximal size in bytes of a message, including 771 envelope information. 772 773 <b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b> 774 The maximal number of recipients that the Postfix 775 SMTP server accepts per message delivery request. 776 777 <b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (normal: 300s, stress: 10s)</b> 778 The time limit for sending a Postfix SMTP server 779 response and for receiving a remote SMTP client 780 request. 781 782 <b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b> 783 The maximal number of lines in the Postfix SMTP 784 server command history before it is flushed upon 785 receipt of EHLO, RSET, or end of DATA. 786 787 Available in Postfix version 2.3 and later: 788 789 <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b> 790 Attempt to look up the remote SMTP client hostname, 791 and verify that the name matches the client IP 792 address. 793 794 The per SMTP client connection count and request rate lim- 795 its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser- 796 vice, and are available in Postfix version 2.2 and later. 797 798 <b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b> 799 How many simultaneous connections any client is 800 allowed to make to this service. 801 802 <b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b> 803 The maximal number of connection attempts any 804 client is allowed to make to this service per time 805 unit. 806 807 <b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b> 808 The maximal number of message delivery requests 809 that any client is allowed to make to this service 810 per time unit, regardless of whether or not Postfix 811 actually accepts those messages. 812 813 <b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b> 814 The maximal number of recipient addresses that any 815 client is allowed to send to this service per time 816 unit, regardless of whether or not Postfix actually 817 accepts those recipients. 818 819 <b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b> 820 Clients that are excluded from connection count, 821 connection rate, or SMTP request rate restrictions. 822 823 Available in Postfix version 2.3 and later: 824 825 <b><a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (0)</b> 826 The maximal number of new (i.e., uncached) TLS ses- 827 sions that a remote SMTP client is allowed to nego- 828 tiate with this service per time unit. 829 830<b>TARPIT CONTROLS</b> 831 When a remote SMTP client makes errors, the Postfix SMTP 832 server can insert delays before responding. This can help 833 to slow down run-away software. The behavior is con- 834 trolled by an error counter that counts the number of 835 errors within an SMTP session that a client makes without 836 delivering mail. 837 838 <b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b> 839 With Postfix version 2.1 and later: the SMTP server 840 response delay after a client has made more than 841 $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than 842 $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering 843 mail. 844 845 <b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b> 846 The number of errors a remote SMTP client is 847 allowed to make without delivering mail before the 848 Postfix SMTP server slows down all its responses. 849 850 <b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (normal: 20, stress: 1)</b> 851 The maximal number of errors a remote SMTP client 852 is allowed to make without delivering mail. 853 854 <b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (normal: 100, stress: 1)</b> 855 The number of junk commands (NOOP, VRFY, ETRN or 856 RSET) that a remote SMTP client can send before the 857 Postfix SMTP server starts to increment the error 858 counter with each junk command. 859 860 Available in Postfix version 2.1 and later: 861 862 <b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b> 863 The number of recipients that a remote SMTP client 864 can send in excess of the limit specified with 865 $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, before the Postfix SMTP 866 server increments the per-session error count for 867 each excess recipient. 868 869<b>ACCESS POLICY DELEGATION CONTROLS</b> 870 As of version 2.1, Postfix can be configured to delegate 871 access policy decisions to an external server that runs 872 outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for 873 more information. 874 875 <b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b> 876 The time after which an idle SMTPD policy service 877 connection is closed. 878 879 <b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b> 880 The time after which an active SMTPD policy service 881 connection is closed. 882 883 <b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b> 884 The time limit for connecting to, writing to or 885 receiving from a delegated SMTPD policy server. 886 887<b>ACCESS CONTROLS</b> 888 The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to 889 all the SMTP server access control features. 890 891 <b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b> 892 Wait until the RCPT TO command before evaluating 893 $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $smtpd_helo_restric- 894 tions and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until 895 the ETRN command before evaluating 896 $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $smtpd_helo_restric- 897 tions. 898 899 <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b> 900 <b>put)</b> 901 What Postfix features match subdomains of 902 "domain.tld" automatically, instead of requiring an 903 explicit ".domain.tld" pattern. 904 905 <b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b> 906 Optional SMTP server access restrictions in the 907 context of a client SMTP connection request. 908 909 <b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b> 910 Require that a remote SMTP client introduces itself 911 with the HELO or EHLO command before sending the 912 MAIL command or other commands that require EHLO 913 negotiation. 914 915 <b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b> 916 Optional restrictions that the Postfix SMTP server 917 applies in the context of the SMTP HELO command. 918 919 <b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b> 920 Optional restrictions that the Postfix SMTP server 921 applies in the context of the MAIL FROM command. 922 923 <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b> 924 <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b> 925 The access restrictions that the Postfix SMTP 926 server applies in the context of the RCPT TO com- 927 mand. 928 929 <b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b> 930 Optional SMTP server access restrictions in the 931 context of a client ETRN request. 932 933 <b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b> 934 Forward mail with sender-specified routing 935 (user[@%!]remote[@%!]site) from untrusted clients 936 to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>. 937 938 <b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b> 939 User-defined aliases for groups of access restric- 940 tions. 941 942 <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b><><b>)</b> 943 The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables 944 instead of the null sender address. 945 946 <b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b> 947 Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP 948 access feature to only domains whose primary MX 949 hosts match the listed networks. 950 951 Available in Postfix version 2.0 and later: 952 953 <b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b> 954 Optional access restrictions that the Postfix SMTP 955 server applies in the context of the SMTP DATA com- 956 mand. 957 958 <b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b> 959 What characters are allowed in $name expansions of 960 RBL reply templates. 961 962 Available in Postfix version 2.1 and later: 963 964 <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b> 965 Request that the Postfix SMTP server rejects mail 966 from unknown sender addresses, even when no 967 explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction 968 is specified. 969 970 <b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b> 971 Request that the Postfix SMTP server rejects mail 972 for unknown recipient addresses, even when no 973 explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric- 974 tion is specified. 975 976 Available in Postfix version 2.2 and later: 977 978 <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b> 979 Optional access restrictions that the Postfix SMTP 980 server applies in the context of the SMTP END-OF- 981 DATA command. 982 983<b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b> 984 Postfix version 2.1 introduces sender and recipient 985 address verification. This feature is implemented by 986 sending probe email messages that are not actually deliv- 987 ered. This feature is requested via the reject_unveri- 988 fied_sender and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access 989 restrictions. The status of verification probes is main- 990 tained by the <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VER</a>- 991 <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure 992 and operate the Postfix sender/recipient address verifica- 993 tion service. 994 995 <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (${stress?1}${stress:3})</b> 996 How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for 997 the completion of an address verification request 998 in progress. 999 1000 <b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b> 1001 The delay between queries for the completion of an 1002 address verification request in progress. 1003 1004 <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b> 1005 The sender address to use in address verification 1006 probes; prior to Postfix 2.5 the default was "post- 1007 master". 1008 1009 <b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b> 1010 The numerical Postfix SMTP server response code 1011 when a recipient address is rejected by the 1012 <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction. 1013 1014 <b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b> 1015 The numerical Postfix SMTP server response when a 1016 recipient address is rejected by the reject_unveri- 1017 fied_recipient restriction. 1018 1019 Available in Postfix version 2.6 and later: 1020 1021 <b><a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> (450)</b> 1022 The numerical Postfix SMTP server response code 1023 when a sender address probe fails due to a tempo- 1024 rary error condition. 1025 1026 <b><a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> (450)</b> 1027 The numerical Postfix SMTP server response when a 1028 recipient address probe fails due to a temporary 1029 error condition. 1030 1031 <b><a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> (empty)</b> 1032 The Postfix SMTP server's reply when rejecting mail 1033 with <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>. 1034 1035 <b><a href="postconf.5.html#unverified_recipient_reject_reason">unverified_recipient_reject_reason</a> (empty)</b> 1036 The Postfix SMTP server's reply when rejecting mail 1037 with <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>. 1038 1039 <b><a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b> 1040 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b> 1041 The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unver</a>- 1042 <a href="postconf.5.html#reject_unverified_sender">ified_sender</a> fails due to a temporary error condi- 1043 tion. 1044 1045 <b><a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b> 1046 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b> 1047 The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_recipient">reject_unver</a>- 1048 <a href="postconf.5.html#reject_unverified_recipient">ified_recipient</a> fails due to a temporary error con- 1049 dition. 1050 1051<b>ACCESS CONTROL RESPONSES</b> 1052 The following parameters control numerical SMTP reply 1053 codes and/or text responses. 1054 1055 <b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b> 1056 The numerical Postfix SMTP server response code for 1057 an <a href="access.5.html"><b>access</b>(5)</a> map "reject" action. 1058 1059 <b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b> 1060 The numerical Postfix SMTP server response code 1061 when a remote SMTP client request is rejected by 1062 the "defer" restriction. 1063 1064 <b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b> 1065 The numerical Postfix SMTP server response code 1066 when the client HELO or EHLO command parameter is 1067 rejected by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a> 1068 restriction. 1069 1070 <b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b> 1071 The numerical Postfix SMTP server response code 1072 when a remote SMTP client request is blocked by the 1073 <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>, 1074 <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> 1075 restriction. 1076 1077 <b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b> 1078 The numerical Postfix SMTP server reply code when a 1079 client request is rejected by the 1080 <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>, 1081 <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a> 1082 restriction. 1083 1084 <b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b> 1085 The numerical Postfix SMTP server response code 1086 when a request is rejected by the <b>reject_plain-</b> 1087 <b>text_session</b> restriction. 1088 1089 <b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b> 1090 The numerical Postfix SMTP server response code 1091 when a remote SMTP client request is rejected by 1092 the "reject" restriction. 1093 1094 <b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b> 1095 The numerical Postfix SMTP server response code 1096 when a client request is rejected by the 1097 <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction. 1098 1099 <b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b> 1100 The numerical Postfix SMTP server response code 1101 when a sender or recipient address is rejected by 1102 the <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or 1103 <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> restriction. 1104 1105 <b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b> 1106 The numerical Postfix SMTP server response code 1107 when a client without valid address <=> name map- 1108 ping is rejected by the reject_unknown_client_host- 1109 name restriction. 1110 1111 <b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b> 1112 The numerical Postfix SMTP server response code 1113 when the hostname specified with the HELO or EHLO 1114 command is rejected by the 1115 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction. 1116 1117 Available in Postfix version 2.0 and later: 1118 1119 <b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b> 1120 The default SMTP server response template for a 1121 request that is rejected by an RBL-based restric- 1122 tion. 1123 1124 <b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b> 1125 The numerical Postfix SMTP server response code 1126 when a remote SMTP client request is blocked by the 1127 <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a> restriction. 1128 1129 <b><a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> (empty)</b> 1130 Optional lookup tables with RBL response templates. 1131 1132 Available in Postfix version 2.6 and later: 1133 1134 <b><a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> (450)</b> 1135 The numerical Postfix SMTP server response code for 1136 an <a href="access.5.html"><b>access</b>(5)</a> map "defer" action, including 1137 "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>". 1138 1139 <b><a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a> (<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>)</b> 1140 The Postfix SMTP server's action when a reject-type 1141 restriction fails due to a temporary error condi- 1142 tion. 1143 1144 <b><a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b> 1145 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b> 1146 The Postfix SMTP server's action when 1147 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> fails due to an tempo- 1148 rary error condition. 1149 1150 <b><a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b> 1151 The Postfix SMTP server's action when 1152 <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or 1153 <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> fail due to a tem- 1154 porary error condition. 1155 1156<b>MISCELLANEOUS CONTROLS</b> 1157 <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> 1158 The default location of the Postfix <a href="postconf.5.html">main.cf</a> and 1159 <a href="master.5.html">master.cf</a> configuration files. 1160 1161 <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> 1162 How much time a Postfix daemon process may take to 1163 handle a request before it is terminated by a 1164 built-in watchdog timer. 1165 1166 <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b> 1167 The location of all postfix administrative com- 1168 mands. 1169 1170 <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b> 1171 The sender address of postmaster notifications that 1172 are generated by the mail system. 1173 1174 <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> 1175 The time limit for sending or receiving information 1176 over an internal communication channel. 1177 1178 <b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b> 1179 The mail system name that is displayed in Received: 1180 headers, in the SMTP greeting banner, and in 1181 bounced mail. 1182 1183 <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b> 1184 The UNIX system account that owns the Postfix queue 1185 and most Postfix daemon processes. 1186 1187 <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> 1188 The maximum amount of time that an idle Postfix 1189 daemon process waits for an incoming connection 1190 before terminating voluntarily. 1191 1192 <b><a href="postconf.5.html#max_use">max_use</a> (100)</b> 1193 The maximal number of incoming connections that a 1194 Postfix daemon process will service before termi- 1195 nating voluntarily. 1196 1197 <b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b> 1198 The internet hostname of this mail system. 1199 1200 <b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b> 1201 The list of "trusted" SMTP clients that have more 1202 privileges than "strangers". 1203 1204 <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> 1205 The domain name that locally-posted mail appears to 1206 come from, and that locally posted mail is deliv- 1207 ered to. 1208 1209 <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> 1210 The process ID of a Postfix command or daemon 1211 process. 1212 1213 <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> 1214 The process name of a Postfix command or daemon 1215 process. 1216 1217 <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b> 1218 The location of the Postfix top-level queue direc- 1219 tory. 1220 1221 <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b> 1222 The separator between user names and address exten- 1223 sions (user+foo). 1224 1225 <b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b> 1226 The text that follows the 220 status code in the 1227 SMTP greeting banner. 1228 1229 <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> 1230 The syslog facility of Postfix logging. 1231 1232 <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> 1233 The mail system name that is prepended to the 1234 process name in syslog records, so that "smtpd" 1235 becomes, for example, "postfix/smtpd". 1236 1237 Available in Postfix version 2.2 and later: 1238 1239 <b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b> 1240 List of commands that causes the Postfix SMTP 1241 server to immediately terminate the session with a 1242 221 code. 1243 1244 Available in Postfix version 2.5 and later: 1245 1246 <b><a href="postconf.5.html#smtpd_client_port_logging">smtpd_client_port_logging</a> (no)</b> 1247 Enable logging of the remote SMTP client port in 1248 addition to the hostname and IP address. 1249 1250<b>SEE ALSO</b> 1251 <a href="anvil.8.html">anvil(8)</a>, connection/rate limiting 1252 <a href="cleanup.8.html">cleanup(8)</a>, message canonicalization 1253 <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management 1254 <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, address resolver 1255 <a href="verify.8.html">verify(8)</a>, address verification service 1256 <a href="postconf.5.html">postconf(5)</a>, configuration parameters 1257 <a href="master.5.html">master(5)</a>, generic daemon options 1258 <a href="master.8.html">master(8)</a>, process manager 1259 syslogd(8), system logging 1260 1261<b>README FILES</b> 1262 <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a>, blocking unknown hosted or relay recipients 1263 <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> Postfix address manipulation 1264 <a href="FILTER_README.html">FILTER_README</a>, external after-queue content filter 1265 <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>, blocking unknown local recipients 1266 <a href="MILTER_README.html">MILTER_README</a>, before-queue mail filter applications 1267 <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, built-in access policies 1268 <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a>, external policy server 1269 <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>, external before-queue content filter 1270 <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto 1271 <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto 1272 <a href="VERP_README.html">VERP_README</a>, Postfix XVERP extension 1273 <a href="XCLIENT_README.html">XCLIENT_README</a>, Postfix XCLIENT extension 1274 <a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension 1275 1276<b>LICENSE</b> 1277 The Secure Mailer license must be distributed with this 1278 software. 1279 1280<b>AUTHOR(S)</b> 1281 Wietse Venema 1282 IBM T.J. Watson Research 1283 P.O. Box 704 1284 Yorktown Heights, NY 10598, USA 1285 1286 SASL support originally by: 1287 Till Franke 1288 SuSE Rhein/Main AG 1289 65760 Eschborn, Germany 1290 1291 TLS support originally by: 1292 Lutz Jaenicke 1293 BTU Cottbus 1294 Allgemeine Elektrotechnik 1295 Universitaetsplatz 3-4 1296 D-03044 Cottbus, Germany 1297 1298 Revised TLS support by: 1299 Victor Duchovni 1300 Morgan Stanley 1301 1302 SMTPD(8) 1303</pre> </body> </html> 1304