Expand PMF_FN_* macros.
[netbsd-mini2440.git] / external / ibm-public / postfix / dist / html / smtpd.8.html
blob836e9c09cdd9d778ee7b155972d4dc8e85243b78
1 <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
2 "http://www.w3.org/TR/html4/loose.dtd">
3 <html> <head>
4 <meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
5 <title> Postfix manual - smtpd(8) </title>
6 </head> <body> <pre>
7 SMTPD(8) SMTPD(8)
9 <b>NAME</b>
10 smtpd - Postfix SMTP server
12 <b>SYNOPSIS</b>
13 <b>smtpd</b> [generic Postfix daemon options]
15 <b>sendmail -bs</b>
17 <b>DESCRIPTION</b>
18 The SMTP server accepts network connection requests and
19 performs zero or more SMTP transactions per connection.
20 Each received message is piped through the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> dae-
21 mon, and is placed into the <a href="QSHAPE_README.html#incoming_queue"><b>incoming</b> queue</a> as one single
22 queue file. For this mode of operation, the program
23 expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
25 Alternatively, the SMTP server be can run in stand-alone
26 mode; this is traditionally obtained with "<b>sendmail -bs</b>".
27 When the SMTP server runs stand-alone with non $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b>
28 privileges, it receives mail even while the mail system is
29 not running, deposits messages directly into the <b>maildrop</b>
30 queue, and disables the SMTP server's access policies. As
31 of Postfix version 2.3, the SMTP server refuses to receive
32 mail from the network when it runs with non $<b><a href="postconf.5.html#mail_owner">mail_owner</a></b>
33 privileges.
35 The SMTP server implements a variety of policies for con-
36 nection requests, and for parameters given to <b>HELO, ETRN,</b>
37 <b>MAIL FROM, VRFY</b> and <b>RCPT TO</b> commands. They are detailed
38 below and in the <a href="postconf.5.html"><b>main.cf</b></a> configuration file.
40 <b>SECURITY</b>
41 The SMTP server is moderately security-sensitive. It talks
42 to SMTP clients and to DNS servers on the network. The
43 SMTP server can be run chrooted at fixed low privilege.
45 <b>STANDARDS</b>
46 <a href="http://tools.ietf.org/html/rfc821">RFC 821</a> (SMTP protocol)
47 <a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
48 <a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
49 <a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
50 <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
51 <a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
52 <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Error Codes)
53 <a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
54 <a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
55 <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
56 <a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
57 <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
58 <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
59 <a href="http://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP Transmission Types)
60 <a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
62 <b>DIAGNOSTICS</b>
63 Problems and transactions are logged to <b>syslogd</b>(8).
65 Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
66 the postmaster is notified of bounces, protocol problems,
67 policy violations, and of other trouble.
69 <b>CONFIGURATION PARAMETERS</b>
70 Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as
71 <a href="smtpd.8.html"><b>smtpd</b>(8)</a> processes run for only a limited amount of time.
72 Use the command "<b>postfix reload</b>" to speed up a change.
74 The text below provides only a parameter summary. See
75 <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
77 <b>COMPATIBILITY CONTROLS</b>
78 The following parameters work around implementation errors
79 in other software, and/or allow you to override standards
80 in order to prevent undesirable use.
82 <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
83 Enable inter-operability with SMTP clients that
84 implement an obsolete version of the AUTH command
85 (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).
87 <b><a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> (no)</b>
88 Disable the SMTP VRFY command.
90 <b><a href="postconf.5.html#smtpd_noop_commands">smtpd_noop_commands</a> (empty)</b>
91 List of commands that the Postfix SMTP server
92 replies to with "250 Ok", without doing any syntax
93 checks and without changing state.
95 <b><a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> (no)</b>
96 Require that addresses received in SMTP MAIL FROM
97 and RCPT TO commands are enclosed with &lt;&gt;, and that
98 those addresses do not contain <a href="http://tools.ietf.org/html/rfc822">RFC 822</a> style com-
99 ments or phrases.
101 Available in Postfix version 2.1 and later:
103 <b><a href="postconf.5.html#resolve_null_domain">resolve_null_domain</a> (no)</b>
104 Resolve an address that ends in the "@" null domain
105 as if the local hostname were specified, instead of
106 rejecting the address as invalid.
108 <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
109 Request that the Postfix SMTP server rejects mail
110 from unknown sender addresses, even when no
111 explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
112 is specified.
114 <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
115 What remote SMTP clients the Postfix SMTP server
116 will not offer AUTH support to.
118 Available in Postfix version 2.2 and later:
120 <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a> (empty)</b>
121 Lookup tables, indexed by the remote SMTP client
122 address, with case insensitive lists of EHLO key-
123 words (pipelining, starttls, auth, etc.) that the
124 SMTP server will not send in the EHLO response to a
125 remote SMTP client.
127 <b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> (empty)</b>
128 A case insensitive list of EHLO keywords (pipelin-
129 ing, starttls, auth, etc.) that the SMTP server
130 will not send in the EHLO response to a remote SMTP
131 client.
133 <b><a href="postconf.5.html#smtpd_delay_open_until_valid_rcpt">smtpd_delay_open_until_valid_rcpt</a> (yes)</b>
134 Postpone the start of an SMTP mail transaction
135 until a valid RCPT TO command is received.
137 Available in Postfix version 2.3 and later:
139 <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
140 Force the Postfix SMTP server to issue a TLS ses-
141 sion id, even when TLS session caching is turned
142 off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).
144 Available in Postfix version 2.6 and later:
146 <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
147 An optional workaround for routers that break TCP
148 window scaling.
150 <b>ADDRESS REWRITING CONTROLS</b>
151 See the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed
152 discussion of Postfix address rewriting.
154 <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
155 Enable or disable recipient validation, built-in
156 content filtering, or address mapping.
158 Available in Postfix version 2.2 and later:
160 <b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b>
161 Rewrite message header addresses in mail from these
162 clients and update incomplete addresses with the
163 domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a>; either don't
164 rewrite message headers from other clients at all,
165 or rewrite message headers and update incomplete
166 addresses with the domain specified in the
167 <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter.
169 <b>AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
170 As of version 1.0, Postfix can be configured to send new
171 mail to an external content filter AFTER the mail is
172 queued. This content filter is expected to inject mail
173 back into a (Postfix or other) MTA for further delivery.
174 See the <a href="FILTER_README.html">FILTER_README</a> document for details.
176 <b><a href="postconf.5.html#content_filter">content_filter</a> (empty)</b>
177 The name of a mail delivery transport that filters
178 mail after it is queued.
180 <b>BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
181 As of version 2.1, the Postfix SMTP server can be config-
182 ured to send incoming mail to a real-time SMTP-based con-
183 tent filter BEFORE mail is queued. This content filter is
184 expected to inject mail back into Postfix. See the
185 <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document for details on how to config-
186 ure and operate this feature.
188 <b><a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> (empty)</b>
189 The hostname and TCP port of the mail filtering
190 proxy server.
192 <b><a href="postconf.5.html#smtpd_proxy_ehlo">smtpd_proxy_ehlo</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
193 How the Postfix SMTP server announces itself to the
194 proxy filter.
196 <b><a href="postconf.5.html#smtpd_proxy_timeout">smtpd_proxy_timeout</a> (100s)</b>
197 The time limit for connecting to a proxy filter and
198 for sending or receiving information.
200 <b>BEFORE QUEUE MILTER CONTROLS</b>
201 As of version 2.3, Postfix supports the Sendmail version 8
202 Milter (mail filter) protocol. These content filters run
203 outside Postfix. They can inspect the SMTP command stream
204 and the message content, and can request modifications
205 before mail is queued. For details see the <a href="MILTER_README.html">MILTER_README</a>
206 document.
208 <b><a href="postconf.5.html#smtpd_milters">smtpd_milters</a> (empty)</b>
209 A list of Milter (mail filter) applications for new
210 mail that arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server.
212 <b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b>
213 The mail filter protocol version and optional pro-
214 tocol extensions for communication with a Milter
215 application; prior to Postfix 2.6 the default pro-
216 tocol is 2.
218 <b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b>
219 The default action when a Milter (mail filter)
220 application is unavailable or mis-configured.
222 <b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
223 The {daemon_name} macro value for Milter (mail fil-
224 ter) applications.
226 <b><a href="postconf.5.html#milter_macro_v">milter_macro_v</a> ($<a href="postconf.5.html#mail_name">mail_name</a> $<a href="postconf.5.html#mail_version">mail_version</a>)</b>
227 The {v} macro value for Milter (mail filter) appli-
228 cations.
230 <b><a href="postconf.5.html#milter_connect_timeout">milter_connect_timeout</a> (30s)</b>
231 The time limit for connecting to a Milter (mail
232 filter) application, and for negotiating protocol
233 options.
235 <b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b>
236 The time limit for sending an SMTP command to a
237 Milter (mail filter) application, and for receiving
238 the response.
240 <b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b>
241 The time limit for sending message content to a
242 Milter (mail filter) application, and for receiving
243 the response.
245 <b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b>
246 The macros that are sent to Milter (mail filter)
247 applications after completion of an SMTP connec-
248 tion.
250 <b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b>
251 The macros that are sent to Milter (mail filter)
252 applications after the SMTP HELO or EHLO command.
254 <b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b>
255 The macros that are sent to Milter (mail filter)
256 applications after the SMTP MAIL FROM command.
258 <b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b>
259 The macros that are sent to Milter (mail filter)
260 applications after the SMTP RCPT TO command.
262 <b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b>
263 The macros that are sent to version 4 or higher
264 Milter (mail filter) applications after the SMTP
265 DATA command.
267 <b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b>
268 The macros that are sent to version 3 or higher
269 Milter (mail filter) applications after an unknown
270 SMTP command.
272 <b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b>
273 The macros that are sent to Milter (mail filter)
274 applications after the end of the message header.
276 <b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b>
277 The macros that are sent to Milter (mail filter)
278 applications after the message end-of-data.
280 <b>GENERAL CONTENT INSPECTION CONTROLS</b>
281 The following parameters are applicable for both built-in
282 and external content filters.
284 Available in Postfix version 2.1 and later:
286 <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
287 Enable or disable recipient validation, built-in
288 content filtering, or address mapping.
290 <b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
291 The following parameters are applicable for both before-
292 queue and after-queue content filtering.
294 Available in Postfix version 2.1 and later:
296 <b><a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> (empty)</b>
297 What SMTP clients are allowed to use the XFORWARD
298 feature.
300 <b>SASL AUTHENTICATION CONTROLS</b>
301 Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenti-
302 cate remote SMTP clients to the Postfix SMTP server, and
303 to authenticate the Postfix SMTP client to a remote SMTP
304 server. See the <a href="SASL_README.html">SASL_README</a> document for details.
306 <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
307 Enable inter-operability with SMTP clients that
308 implement an obsolete version of the AUTH command
309 (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).
311 <b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b>
312 Enable SASL authentication in the Postfix SMTP
313 server.
315 <b><a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> (empty)</b>
316 The name of the Postfix SMTP server's local SASL
317 authentication realm.
319 <b><a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> (noanonymous)</b>
320 Postfix SMTP server SASL security options; as of
321 Postfix 2.3 the list of available features depends
322 on the SASL server implementation that is selected
323 with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.
325 <b><a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> (empty)</b>
326 Optional lookup table with the SASL login names
327 that own sender (MAIL FROM) addresses.
329 Available in Postfix version 2.1 and later:
331 <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
332 What remote SMTP clients the Postfix SMTP server
333 will not offer AUTH support to.
335 Available in Postfix version 2.1 and 2.2:
337 <b>smtpd_sasl_application_name (smtpd)</b>
338 The application name that the Postfix SMTP server
339 uses for SASL server initialization.
341 Available in Postfix version 2.3 and later:
343 <b><a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> (no)</b>
344 Report the SASL authenticated user name in the
345 <a href="smtpd.8.html"><b>smtpd</b>(8)</a> Received message header.
347 <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> (smtpd)</b>
348 Implementation-specific information that the Post-
349 fix SMTP server passes through to the SASL plug-in
350 implementation that is selected with
351 <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.
353 <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a> (cyrus)</b>
354 The SASL plug-in type that the Postfix SMTP server
355 should use for authentication.
357 Available in Postfix version 2.5 and later:
359 <b><a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a> (empty)</b>
360 Search path for Cyrus SASL application configura-
361 tion files, currently used only to locate the
362 $<a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.conf file.
364 <b>STARTTLS SUPPORT CONTROLS</b>
365 Detailed information about STARTTLS configuration may be
366 found in the <a href="TLS_README.html">TLS_README</a> document.
368 <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
369 The SMTP TLS security level for the Postfix SMTP
370 server; when a non-empty value is specified, this
371 overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
372 <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
374 <b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b>
375 <b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b>
376 The SASL authentication security options that the
377 Postfix SMTP server uses for TLS encrypted SMTP
378 sessions.
380 <b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (300s)</b>
381 The time limit for Postfix SMTP server write and
382 read operations during TLS startup and shutdown
383 handshake procedures.
385 <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
386 A file containing (PEM format) CA certificates of
387 root CAs trusted to sign either remote SMTP client
388 certificates or intermediate CA certificates.
390 <b><a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> (empty)</b>
391 A directory containing (PEM format) CA certificates
392 of root CAs trusted to sign either remote SMTP
393 client certificates or intermediate CA certifi-
394 cates.
396 <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
397 Force the Postfix SMTP server to issue a TLS ses-
398 sion id, even when TLS session caching is turned
399 off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).
401 <b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
402 Ask a remote SMTP client for a client certificate.
404 <b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
405 When TLS encryption is optional in the Postfix SMTP
406 server, do not announce or accept SASL authentica-
407 tion over unencrypted connections.
409 <b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (9)</b>
410 The verification depth for remote SMTP client cer-
411 tificates.
413 <b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
414 File with the Postfix SMTP server RSA certificate
415 in PEM format.
417 <b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b>
418 List of ciphers or cipher types to exclude from the
419 SMTP server cipher list at all TLS security levels.
421 <b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
422 File with the Postfix SMTP server DSA certificate
423 in PEM format.
425 <b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
426 File with DH parameters that the Postfix SMTP
427 server should use with EDH ciphers.
429 <b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
430 File with DH parameters that the Postfix SMTP
431 server should use with EDH ciphers.
433 <b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
434 File with the Postfix SMTP server DSA private key
435 in PEM format.
437 <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
438 File with the Postfix SMTP server RSA private key
439 in PEM format.
441 <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
442 Enable additional Postfix SMTP server logging of
443 TLS activity.
445 <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b>
446 The minimum TLS cipher grade that the Postfix SMTP
447 server will use with mandatory TLS encryption.
449 <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b>
450 Additional list of ciphers or cipher types to
451 exclude from the SMTP server cipher list at manda-
452 tory TLS security levels.
454 <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
455 The SSL/TLS protocols accepted by the Postfix SMTP
456 server with mandatory TLS encryption.
458 <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
459 Request that the Postfix SMTP server produces
460 Received: message headers that include information
461 about the protocol and cipher used, as well as the
462 client CommonName and client certificate issuer
463 CommonName.
465 <b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
466 With mandatory TLS encryption, require a trusted
467 remote SMTP client certificate in order to allow
468 TLS connections to proceed.
470 <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
471 Name of the file containing the optional Postfix
472 SMTP server TLS session cache.
474 <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
475 The expiration time of Postfix SMTP server TLS ses-
476 sion cache information.
478 <b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b>
479 Run the Postfix SMTP server in the non-standard
480 "wrapper" mode, instead of using the STARTTLS com-
481 mand.
483 <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
484 The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
485 or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
486 server in order to seed its internal pseudo random
487 number generator (PRNG).
489 <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
490 <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
491 The OpenSSL cipherlist for "HIGH" grade ciphers.
493 <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
494 The OpenSSL cipherlist for "MEDIUM" or higher grade
495 ciphers.
497 <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
498 The OpenSSL cipherlist for "LOW" or higher grade
499 ciphers.
501 <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
502 The OpenSSL cipherlist for "EXPORT" or higher grade
503 ciphers.
505 <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
506 The OpenSSL cipherlist for "NULL" grade ciphers
507 that provide authentication without encryption.
509 Available in Postfix version 2.5 and later:
511 <b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (md5)</b>
512 The message digest algorithm used to construct
513 client-certificate fingerprints for
514 <b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b> and <b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a></b>.
516 Available in Postfix version 2.6 and later:
518 <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
519 List of TLS protocols that the Postfix SMTP server
520 will exclude or include with opportunistic TLS
521 encryption.
523 <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b>
524 The minimum TLS cipher grade that the Postfix SMTP
525 server will use with opportunistic TLS encryption.
527 <b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b>
528 File with the Postfix SMTP server ECDSA certificate
529 in PEM format.
531 <b><a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> ($<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b>
532 File with the Postfix SMTP server ECDSA private key
533 in PEM format.
535 <b><a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> (see 'postconf -d' output)</b>
536 The Postfix SMTP server security grade for
537 ephemeral elliptic-curve Diffie-Hellman (EECDH) key
538 exchange.
540 <b><a href="postconf.5.html#tls_eecdh_strong_curve">tls_eecdh_strong_curve</a> (prime256v1)</b>
541 The elliptic curve used by the SMTP server for sen-
542 sibly strong ephemeral ECDH key exchange.
544 <b><a href="postconf.5.html#tls_eecdh_ultra_curve">tls_eecdh_ultra_curve</a> (secp384r1)</b>
545 The elliptic curve used by the SMTP server for max-
546 imally strong ephemeral ECDH key exchange.
548 <b>OBSOLETE STARTTLS CONTROLS</b>
549 The following configuration parameters exist for compati-
550 bility with Postfix versions before 2.3. Support for these
551 will be removed in a future release.
553 <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
554 Opportunistic TLS: announce STARTTLS support to
555 SMTP clients, but do not require that clients use
556 TLS encryption.
558 <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
559 Mandatory TLS: announce STARTTLS support to SMTP
560 clients, and require that clients use TLS encryp-
561 tion.
563 <b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
564 Obsolete Postfix &lt; 2.3 control for the Postfix SMTP
565 server TLS cipher list.
567 <b>VERP SUPPORT CONTROLS</b>
568 With VERP style delivery, each recipient of a message
569 receives a customized copy of the message with his/her own
570 recipient address encoded in the envelope sender address.
571 The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
572 details of Postfix support for variable envelope return
573 path addresses. VERP style delivery is requested with the
574 SMTP XVERP command or with the "sendmail -V" command-line
575 option and is available in Postfix version 1.1 and later.
577 <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
578 The two default VERP delimiter characters.
580 <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
581 The characters Postfix accepts as VERP delimiter
582 characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
583 and in SMTP commands.
585 Available in Postfix version 1.1 and 2.0:
587 <b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
588 What SMTP clients are allowed to specify the XVERP
589 command.
591 Available in Postfix version 2.1 and later:
593 <b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
594 What SMTP clients are allowed to specify the XVERP
595 command.
597 <b>TROUBLE SHOOTING CONTROLS</b>
598 The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
599 the Postfix mail system. The methods vary from making the
600 software log a lot of detail, to running some daemon pro-
601 cesses under control of a call tracer or debugger.
603 <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
604 The increment in verbose logging level when a
605 remote client or server matches a pattern in the
606 <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
608 <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
609 Optional list of remote client or server hostname
610 or network address patterns that cause the verbose
611 logging level to increase by the amount specified
612 in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
614 <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
615 The recipient of postmaster notifications about
616 mail delivery problems that are caused by policy,
617 resource, software or protocol errors.
619 <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
620 What categories of Postfix-generated mail are sub-
621 ject to before-queue content inspection by
622 <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
624 <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
625 The list of error classes that are reported to the
626 postmaster.
628 <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
629 Safety net to keep mail queued that would otherwise
630 be returned to the sender.
632 Available in Postfix version 2.1 and later:
634 <b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
635 What SMTP clients are allowed to use the XCLIENT
636 feature.
638 <b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
639 As of Postfix version 2.0, the SMTP server rejects mail
640 for unknown recipients. This prevents the mail queue from
641 clogging up with undeliverable MAILER-DAEMON messages.
642 Additional information on this topic is in the
643 <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.
645 <b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
646 Display the name of the recipient table in the
647 "User unknown" responses.
649 <b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
650 Optional address mapping lookup tables for message
651 headers and envelopes.
653 <b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
654 Optional address mapping lookup tables for envelope
655 and header recipient addresses.
657 Parameters concerning known/unknown local recipients:
659 <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, local-</b>
660 <b>host)</b>
661 The list of domains that are delivered via the
662 $<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.
664 <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
665 The network interface addresses that this mail sys-
666 tem receives mail on.
668 <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
669 The network interface addresses that this mail sys-
670 tem receives mail on by way of a proxy or network
671 address translation unit.
673 <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
674 The Internet protocols Postfix will attempt to use
675 when making or accepting connections.
677 <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
678 <b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
679 Lookup tables with all names or addresses of local
680 recipients: a recipient address is local when its
681 domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
682 $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
684 <b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
685 The numerical Postfix SMTP server response code
686 when a recipient address is local, and
687 $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
688 tables that does not match the recipient.
690 Parameters concerning known/unknown recipients of relay
691 destinations:
693 <b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
694 What destination domains (and subdomains thereof)
695 this system will relay mail to.
697 <b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
698 Optional lookup tables with all valid addresses in
699 the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.
701 <b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
702 The numerical Postfix SMTP server reply code when a
703 recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
704 <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
705 tables that does not match the recipient address.
707 Parameters concerning known/unknown recipients in virtual
708 alias domains:
710 <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
711 Postfix is final destination for the specified list
712 of virtual alias domains, that is, domains for
713 which all addresses are aliased to addresses in
714 other local or remote domains.
716 <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
717 Optional lookup tables that alias specific mail
718 addresses or domains to other local or remote
719 address.
721 <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
722 The SMTP server reply code when a recipient address
723 matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
724 <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
725 that does not match the recipient address.
727 Parameters concerning known/unknown recipients in virtual
728 mailbox domains:
730 <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
731 Postfix is final destination for the specified list
732 of domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
733 <a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport.
735 <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
736 Optional lookup tables with all valid addresses in
737 the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
739 <b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
740 The SMTP server reply code when a recipient address
741 matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
742 <a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables
743 that does not match the recipient address.
745 <b>RESOURCE AND RATE CONTROLS</b>
746 The following parameters limit resource usage by the SMTP
747 server and/or control client request rates.
749 <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
750 Upon input, long lines are chopped up into pieces
751 of at most this length; upon delivery, long lines
752 are reconstructed.
754 <b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
755 The minimal amount of free space in bytes in the
756 queue file system that is needed to receive mail.
758 <b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
759 The maximal size in bytes of a message, including
760 envelope information.
762 <b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
763 The maximal number of recipients that the Postfix
764 SMTP server accepts per message delivery request.
766 <b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (normal: 300s, stress: 10s)</b>
767 The time limit for sending a Postfix SMTP server
768 response and for receiving a remote SMTP client
769 request.
771 <b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
772 The maximal number of lines in the Postfix SMTP
773 server command history before it is flushed upon
774 receipt of EHLO, RSET, or end of DATA.
776 Available in Postfix version 2.3 and later:
778 <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
779 Attempt to look up the remote SMTP client hostname,
780 and verify that the name matches the client IP
781 address.
783 The per SMTP client connection count and request rate lim-
784 its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
785 vice, and are available in Postfix version 2.2 and later.
787 <b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
788 How many simultaneous connections any client is
789 allowed to make to this service.
791 <b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
792 The maximal number of connection attempts any
793 client is allowed to make to this service per time
794 unit.
796 <b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
797 The maximal number of message delivery requests
798 that any client is allowed to make to this service
799 per time unit, regardless of whether or not Postfix
800 actually accepts those messages.
802 <b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
803 The maximal number of recipient addresses that any
804 client is allowed to send to this service per time
805 unit, regardless of whether or not Postfix actually
806 accepts those recipients.
808 <b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
809 Clients that are excluded from connection count,
810 connection rate, or SMTP request rate restrictions.
812 Available in Postfix version 2.3 and later:
814 <b><a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (0)</b>
815 The maximal number of new (i.e., uncached) TLS ses-
816 sions that a remote SMTP client is allowed to nego-
817 tiate with this service per time unit.
819 <b>TARPIT CONTROLS</b>
820 When a remote SMTP client makes errors, the Postfix SMTP
821 server can insert delays before responding. This can help
822 to slow down run-away software. The behavior is con-
823 trolled by an error counter that counts the number of
824 errors within an SMTP session that a client makes without
825 delivering mail.
827 <b><a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> (1s)</b>
828 With Postfix version 2.1 and later: the SMTP server
829 response delay after a client has made more than
830 $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors, and fewer than
831 $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering
832 mail.
834 <b><a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> (10)</b>
835 The number of errors a remote SMTP client is
836 allowed to make without delivering mail before the
837 Postfix SMTP server slows down all its responses.
839 <b><a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> (normal: 20, stress: 1)</b>
840 The maximal number of errors a remote SMTP client
841 is allowed to make without delivering mail.
843 <b><a href="postconf.5.html#smtpd_junk_command_limit">smtpd_junk_command_limit</a> (normal: 100, stress: 1)</b>
844 The number of junk commands (NOOP, VRFY, ETRN or
845 RSET) that a remote SMTP client can send before the
846 Postfix SMTP server starts to increment the error
847 counter with each junk command.
849 Available in Postfix version 2.1 and later:
851 <b><a href="postconf.5.html#smtpd_recipient_overshoot_limit">smtpd_recipient_overshoot_limit</a> (1000)</b>
852 The number of recipients that a remote SMTP client
853 can send in excess of the limit specified with
854 $<a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a>, before the Postfix SMTP
855 server increments the per-session error count for
856 each excess recipient.
858 <b>ACCESS POLICY DELEGATION CONTROLS</b>
859 As of version 2.1, Postfix can be configured to delegate
860 access policy decisions to an external server that runs
861 outside Postfix. See the file <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a> for
862 more information.
864 <b><a href="postconf.5.html#smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> (300s)</b>
865 The time after which an idle SMTPD policy service
866 connection is closed.
868 <b><a href="postconf.5.html#smtpd_policy_service_max_ttl">smtpd_policy_service_max_ttl</a> (1000s)</b>
869 The time after which an active SMTPD policy service
870 connection is closed.
872 <b><a href="postconf.5.html#smtpd_policy_service_timeout">smtpd_policy_service_timeout</a> (100s)</b>
873 The time limit for connecting to, writing to or
874 receiving from a delegated SMTPD policy server.
876 <b>ACCESS CONTROLS</b>
877 The <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a> document gives an introduction to
878 all the SMTP server access control features.
880 <b><a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> (yes)</b>
881 Wait until the RCPT TO command before evaluating
882 $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, $smtpd_helo_restric-
883 tions and $<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>, or wait until
884 the ETRN command before evaluating
885 $<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> and $smtpd_helo_restric-
886 tions.
888 <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
889 <b>put)</b>
890 What Postfix features match subdomains of
891 "domain.tld" automatically, instead of requiring an
892 explicit ".domain.tld" pattern.
894 <b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
895 Optional SMTP server access restrictions in the
896 context of a client SMTP connection request.
898 <b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
899 Require that a remote SMTP client introduces itself
900 at the beginning of an SMTP session with the HELO
901 or EHLO command.
903 <b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
904 Optional restrictions that the Postfix SMTP server
905 applies in the context of the SMTP HELO command.
907 <b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
908 Optional restrictions that the Postfix SMTP server
909 applies in the context of the MAIL FROM command.
911 <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
912 <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
913 The access restrictions that the Postfix SMTP
914 server applies in the context of the RCPT TO com-
915 mand.
917 <b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
918 Optional SMTP server access restrictions in the
919 context of a client ETRN request.
921 <b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
922 Forward mail with sender-specified routing
923 (user[@%!]remote[@%!]site) from untrusted clients
924 to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
926 <b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
927 User-defined aliases for groups of access restric-
928 tions.
930 <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b>&lt;&gt;<b>)</b>
931 The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
932 instead of the null sender address.
934 <b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
935 Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP
936 access feature to only domains whose primary MX
937 hosts match the listed networks.
939 Available in Postfix version 2.0 and later:
941 <b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
942 Optional access restrictions that the Postfix SMTP
943 server applies in the context of the SMTP DATA com-
944 mand.
946 <b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
947 What characters are allowed in $name expansions of
948 RBL reply templates.
950 Available in Postfix version 2.1 and later:
952 <b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
953 Request that the Postfix SMTP server rejects mail
954 from unknown sender addresses, even when no
955 explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
956 is specified.
958 <b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
959 Request that the Postfix SMTP server rejects mail
960 for unknown recipient addresses, even when no
961 explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
962 tion is specified.
964 Available in Postfix version 2.2 and later:
966 <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
967 Optional access restrictions that the Postfix SMTP
968 server applies in the context of the SMTP END-OF-
969 DATA command.
971 <b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
972 Postfix version 2.1 introduces sender and recipient
973 address verification. This feature is implemented by
974 sending probe email messages that are not actually deliv-
975 ered. This feature is requested via the reject_unveri-
976 fied_sender and <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a> access
977 restrictions. The status of verification probes is main-
978 tained by the <a href="verify.8.html"><b>verify</b>(8)</a> server. See the file <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VER</a>-
979 <a href="ADDRESS_VERIFICATION_README.html">IFICATION_README</a> for information about how to configure
980 and operate the Postfix sender/recipient address verifica-
981 tion service.
983 <b><a href="postconf.5.html#address_verify_poll_count">address_verify_poll_count</a> (3)</b>
984 How many times to query the <a href="verify.8.html"><b>verify</b>(8)</a> service for
985 the completion of an address verification request
986 in progress.
988 <b><a href="postconf.5.html#address_verify_poll_delay">address_verify_poll_delay</a> (3s)</b>
989 The delay between queries for the completion of an
990 address verification request in progress.
992 <b><a href="postconf.5.html#address_verify_sender">address_verify_sender</a> ($<a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a>)</b>
993 The sender address to use in address verification
994 probes; prior to Postfix 2.5 the default was "post-
995 master".
997 <b><a href="postconf.5.html#unverified_sender_reject_code">unverified_sender_reject_code</a> (450)</b>
998 The numerical Postfix SMTP server response code
999 when a recipient address is rejected by the
1000 <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a> restriction.
1002 <b><a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> (450)</b>
1003 The numerical Postfix SMTP server response when a
1004 recipient address is rejected by the reject_unveri-
1005 fied_recipient restriction.
1007 Available in Postfix version 2.6 and later:
1009 <b><a href="postconf.5.html#unverified_sender_defer_code">unverified_sender_defer_code</a> (450)</b>
1010 The numerical Postfix SMTP server response code
1011 when a sender address probe fails due to a tempo-
1012 rary error condition.
1014 <b><a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> (450)</b>
1015 The numerical Postfix SMTP server response when a
1016 recipient address probe fails due to a temporary
1017 error condition.
1019 <b><a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> (empty)</b>
1020 The Postfix SMTP server's reply when rejecting mail
1021 with <a href="postconf.5.html#reject_unverified_sender">reject_unverified_sender</a>.
1023 <b><a href="postconf.5.html#unverified_recipient_reject_reason">unverified_recipient_reject_reason</a> (empty)</b>
1024 The Postfix SMTP server's reply when rejecting mail
1025 with <a href="postconf.5.html#reject_unverified_recipient">reject_unverified_recipient</a>.
1027 <b><a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b>
1028 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b>
1029 The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_sender">reject_unver</a>-
1030 <a href="postconf.5.html#reject_unverified_sender">ified_sender</a> fails due to a temporary error condi-
1031 tion.
1033 <b><a href="postconf.5.html#unverified_recipient_tempfail_action">unverified_recipient_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b>
1034 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b>
1035 The Postfix SMTP server's action when <a href="postconf.5.html#reject_unverified_recipient">reject_unver</a>-
1036 <a href="postconf.5.html#reject_unverified_recipient">ified_recipient</a> fails due to a temporary error con-
1037 dition.
1039 <b>ACCESS CONTROL RESPONSES</b>
1040 The following parameters control numerical SMTP reply
1041 codes and/or text responses.
1043 <b><a href="postconf.5.html#access_map_reject_code">access_map_reject_code</a> (554)</b>
1044 The numerical Postfix SMTP server response code for
1045 an <a href="access.5.html"><b>access</b>(5)</a> map "reject" action.
1047 <b><a href="postconf.5.html#defer_code">defer_code</a> (450)</b>
1048 The numerical Postfix SMTP server response code
1049 when a remote SMTP client request is rejected by
1050 the "defer" restriction.
1052 <b><a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> (501)</b>
1053 The numerical Postfix SMTP server response code
1054 when the client HELO or EHLO command parameter is
1055 rejected by the <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a>
1056 restriction.
1058 <b><a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> (554)</b>
1059 The numerical Postfix SMTP server response code
1060 when a remote SMTP client request is blocked by the
1061 <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,
1062 <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a>
1063 restriction.
1065 <b><a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> (504)</b>
1066 The numerical Postfix SMTP server reply code when a
1067 client request is rejected by the
1068 <a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a>,
1069 <a href="postconf.5.html#reject_non_fqdn_sender">reject_non_fqdn_sender</a> or <a href="postconf.5.html#reject_non_fqdn_recipient">reject_non_fqdn_recipient</a>
1070 restriction.
1072 <b><a href="postconf.5.html#plaintext_reject_code">plaintext_reject_code</a> (450)</b>
1073 The numerical Postfix SMTP server response code
1074 when a request is rejected by the <b>reject_plain-</b>
1075 <b>text_session</b> restriction.
1077 <b><a href="postconf.5.html#reject_code">reject_code</a> (554)</b>
1078 The numerical Postfix SMTP server response code
1079 when a remote SMTP client request is rejected by
1080 the "reject" restriction.
1082 <b><a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> (554)</b>
1083 The numerical Postfix SMTP server response code
1084 when a client request is rejected by the
1085 <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> recipient restriction.
1087 <b><a href="postconf.5.html#unknown_address_reject_code">unknown_address_reject_code</a> (450)</b>
1088 The numerical Postfix SMTP server response code
1089 when a sender or recipient address is rejected by
1090 the <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
1091 <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> restriction.
1093 <b><a href="postconf.5.html#unknown_client_reject_code">unknown_client_reject_code</a> (450)</b>
1094 The numerical Postfix SMTP server response code
1095 when a client without valid address &lt;=&gt; name map-
1096 ping is rejected by the reject_unknown_client_host-
1097 name restriction.
1099 <b><a href="postconf.5.html#unknown_hostname_reject_code">unknown_hostname_reject_code</a> (450)</b>
1100 The numerical Postfix SMTP server response code
1101 when the hostname specified with the HELO or EHLO
1102 command is rejected by the
1103 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> restriction.
1105 Available in Postfix version 2.0 and later:
1107 <b><a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> (see 'postconf -d' output)</b>
1108 The default SMTP server response template for a
1109 request that is rejected by an RBL-based restric-
1110 tion.
1112 <b><a href="postconf.5.html#multi_recipient_bounce_reject_code">multi_recipient_bounce_reject_code</a> (550)</b>
1113 The numerical Postfix SMTP server response code
1114 when a remote SMTP client request is blocked by the
1115 <a href="postconf.5.html#reject_multi_recipient_bounce">reject_multi_recipient_bounce</a> restriction.
1117 <b><a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> (empty)</b>
1118 Optional lookup tables with RBL response templates.
1120 Available in Postfix version 2.6 and later:
1122 <b><a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> (450)</b>
1123 The numerical Postfix SMTP server response code for
1124 an <a href="access.5.html"><b>access</b>(5)</a> map "defer" action, including
1125 "<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>" or "<a href="postconf.5.html#defer_if_reject">defer_if_reject</a>".
1127 <b><a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a> (<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>)</b>
1128 The Postfix SMTP server's action when a reject-type
1129 restriction fails due to a temporary error condi-
1130 tion.
1132 <b><a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_temp</a>-</b>
1133 <b><a href="postconf.5.html#reject_tempfail_action">fail_action</a>)</b>
1134 The Postfix SMTP server's action when
1135 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> fails due to an tempo-
1136 rary error condition.
1138 <b><a href="postconf.5.html#unknown_address_tempfail_action">unknown_address_tempfail_action</a> ($<a href="postconf.5.html#reject_tempfail_action">reject_tempfail_action</a>)</b>
1139 The Postfix SMTP server's action when
1140 <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a> or
1141 <a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a> fail due to a tem-
1142 porary error condition.
1144 <b>MISCELLANEOUS CONTROLS</b>
1145 <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
1146 The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
1147 <a href="master.5.html">master.cf</a> configuration files.
1149 <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
1150 How much time a Postfix daemon process may take to
1151 handle a request before it is terminated by a
1152 built-in watchdog timer.
1154 <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
1155 The location of all postfix administrative com-
1156 mands.
1158 <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
1159 The sender address of postmaster notifications that
1160 are generated by the mail system.
1162 <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
1163 The time limit for sending or receiving information
1164 over an internal communication channel.
1166 <b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
1167 The mail system name that is displayed in Received:
1168 headers, in the SMTP greeting banner, and in
1169 bounced mail.
1171 <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
1172 The UNIX system account that owns the Postfix queue
1173 and most Postfix daemon processes.
1175 <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
1176 The maximum amount of time that an idle Postfix
1177 daemon process waits for an incoming connection
1178 before terminating voluntarily.
1180 <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
1181 The maximal number of incoming connections that a
1182 Postfix daemon process will service before termi-
1183 nating voluntarily.
1185 <b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
1186 The internet hostname of this mail system.
1188 <b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
1189 The list of "trusted" SMTP clients that have more
1190 privileges than "strangers".
1192 <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
1193 The domain name that locally-posted mail appears to
1194 come from, and that locally posted mail is deliv-
1195 ered to.
1197 <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
1198 The process ID of a Postfix command or daemon
1199 process.
1201 <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
1202 The process name of a Postfix command or daemon
1203 process.
1205 <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
1206 The location of the Postfix top-level queue direc-
1207 tory.
1209 <b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
1210 The separator between user names and address exten-
1211 sions (user+foo).
1213 <b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
1214 The text that follows the 220 status code in the
1215 SMTP greeting banner.
1217 <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
1218 The syslog facility of Postfix logging.
1220 <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
1221 The mail system name that is prepended to the
1222 process name in syslog records, so that "smtpd"
1223 becomes, for example, "postfix/smtpd".
1225 Available in Postfix version 2.2 and later:
1227 <b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
1228 List of commands that causes the Postfix SMTP
1229 server to immediately terminate the session with a
1230 221 code.
1232 Available in Postfix version 2.5 and later:
1234 <b><a href="postconf.5.html#smtpd_client_port_logging">smtpd_client_port_logging</a> (no)</b>
1235 Enable logging of the remote SMTP client port in
1236 addition to the hostname and IP address.
1238 <b>SEE ALSO</b>
1239 <a href="anvil.8.html">anvil(8)</a>, connection/rate limiting
1240 <a href="cleanup.8.html">cleanup(8)</a>, message canonicalization
1241 <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
1242 <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, address resolver
1243 <a href="verify.8.html">verify(8)</a>, address verification service
1244 <a href="postconf.5.html">postconf(5)</a>, configuration parameters
1245 <a href="master.5.html">master(5)</a>, generic daemon options
1246 <a href="master.8.html">master(8)</a>, process manager
1247 syslogd(8), system logging
1249 <b>README FILES</b>
1250 <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a>, blocking unknown hosted or relay recipients
1251 <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> Postfix address manipulation
1252 <a href="FILTER_README.html">FILTER_README</a>, external after-queue content filter
1253 <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a>, blocking unknown local recipients
1254 <a href="MILTER_README.html">MILTER_README</a>, before-queue mail filter applications
1255 <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, built-in access policies
1256 <a href="SMTPD_POLICY_README.html">SMTPD_POLICY_README</a>, external policy server
1257 <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a>, external before-queue content filter
1258 <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
1259 <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
1260 <a href="VERP_README.html">VERP_README</a>, Postfix XVERP extension
1261 <a href="XCLIENT_README.html">XCLIENT_README</a>, Postfix XCLIENT extension
1262 <a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension
1264 <b>LICENSE</b>
1265 The Secure Mailer license must be distributed with this
1266 software.
1268 <b>AUTHOR(S)</b>
1269 Wietse Venema
1270 IBM T.J. Watson Research
1271 P.O. Box 704
1272 Yorktown Heights, NY 10598, USA
1274 SASL support originally by:
1275 Till Franke
1276 SuSE Rhein/Main AG
1277 65760 Eschborn, Germany
1279 TLS support originally by:
1280 Lutz Jaenicke
1281 BTU Cottbus
1282 Allgemeine Elektrotechnik
1283 Universitaetsplatz 3-4
1284 D-03044 Cottbus, Germany
1286 Revised TLS support by:
1287 Victor Duchovni
1288 Morgan Stanley
1290 SMTPD(8)
1291 </pre> </body> </html>