<DT><b><a name="postscreen_access_list">postscreen_access_list</a>
(default: <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b></DT><DD>

<p> Permanent white/blacklist for remote SMTP client IP addresses.
<a href="postscreen.8.html">postscreen(8)</a> searches this list immediately after a remote SMTP
client connects. Specify a comma- or whitespace-separated list of
commands (in upper or lower case) or lookup tables. The search stops
upon the first command that fires for the client IP address. </p>

<dl>

<dt> <b> <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> </b> </dt> <dd> Whitelist the client and
terminate the search if the client IP address matches $<a href="postconf.5.html#mynetworks">mynetworks</a>.
Do not subject the client to any before/after 220 greeting tests.
Pass the connection immediately to a Postfix SMTP server process.
</dd>

<dt> <b> <a href="DATABASE_README.html">type:table</a> </b> </dt> <dd> Query the specified lookup
table. Each table lookup result is an access list, except that
access lists inside a table cannot specify <a href="DATABASE_README.html">type:table</a> entries. <br>
To discourage the use of hash, btree, etc. tables, there is no
support for substring matching like <a href="smtpd.8.html">smtpd(8)</a>. Use CIDR tables

<dt> <b> permit </b> </dt> <dd> Whitelist the client and terminate
the search. Do not subject the client to any before/after 220
greeting tests. Pass the connection immediately to a Postfix SMTP
server process. </dd>

<dt> <b> reject </b> </dt> <dd> Blacklist the client and terminate
the search. Subject the client to the action configured with the
<a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> configuration parameter. </dd>

<dt> <b> dunno </b> </dt> <dd> All <a href="postscreen.8.html">postscreen(8)</a> access lists
implicitly have this command at the end. <br> When <b> dunno </b>
is executed inside a lookup table, return from the lookup table and
evaluate the next command. <br> When <b> dunno </b> is executed
outside a lookup table, terminate the search, and subject the client
to the configured before/after 220 greeting tests. </dd>

</dl>

<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
        <a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr
</pre>

<pre>
/etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>:
    # Rules are evaluated in the order as specified.
    # Blacklist 192.168.* except 192.168.0.1.
    192.168.0.1          dunno
    192.168.0.0/16       reject
</pre>

<p> This feature is available in Postfix 2.8. </p>
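<p> The search order described above, as an added Python model that is not part of Postfix or of the original page. The function names, the MYNETWORKS value and the <b>dunno</b> action on the 192.168.0.1 exception rule are assumptions; the table implements the rule stated in the example's comment. </p>

```python
import ipaddress
import re

# Constructed sample inputs. ACCESS_LIST is the main.cf setting shown above;
# MYNETWORKS and the exact table lines are assumptions made for this model.
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
MYNETWORKS = ["127.0.0.0/8"]
CIDR_TABLE = """
# Rules are evaluated in the order as specified.
192.168.0.1     dunno
192.168.0.0/16  reject
"""
# Same rules in the wrong order: the /16 now shadows the exception.
CIDR_TABLE_SWAPPED = """
192.168.0.0/16  reject
192.168.0.1     dunno
"""
CLIENTS = ["127.0.0.1", "192.168.0.1", "192.168.5.9", "203.0.113.7"]


def parse_cidr_table(text):
    """Return [(network, access_list_string)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), result))
    return rules


def _split(access_list):
    """Split a comma- or whitespace-separated access list into tokens."""
    return [tok for tok in re.split(r"[,\s]+", access_list) if tok]


def _run(token, addr, mynetworks, tables, in_table=False):
    """Run one command; return a verdict, or None to keep searching."""
    cmd = token.lower()  # commands may be upper or lower case
    if cmd == "permit_mynetworks":
        return "permit" if any(addr in net for net in mynetworks) else None
    if cmd in ("permit", "reject", "dunno"):
        return cmd
    if ":" in token:
        if in_table:
            raise ValueError("type:table is not allowed inside a table")
        for net, result in tables[token]:
            if addr in net:  # the first matching rule decides
                for sub in _split(result):
                    verdict = _run(sub, addr, mynetworks, tables, True)
                    if verdict == "dunno":
                        return None  # dunno in a table: back to outer list
                    if verdict is not None:
                        return verdict
                return None  # implicit dunno at the end of the table's list
        return None  # no rule matched this client
    raise ValueError("unknown command: " + token)


def evaluate(access_list, client_ip, mynetworks, tables):
    """Return 'permit', 'reject' or 'dunno' (run the greeting tests)."""
    addr = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    for token in _split(access_list):
        verdict = _run(token, addr, nets, tables)
        if verdict is not None:
            return verdict  # the search stops at the first command that fires
    return "dunno"  # every access list ends with an implicit dunno


def verdicts(table_text, clients=CLIENTS):
    """Evaluate ACCESS_LIST for each client against the given table text."""
    tables = {
        "cidr:/etc/postfix/postscreen_access.cidr": parse_cidr_table(table_text)
    }
    return {ip: evaluate(ACCESS_LIST, ip, MYNETWORKS, tables) for ip in clients}


if __name__ == "__main__":
    for label, text in (("as written", CIDR_TABLE), ("swapped", CIDR_TABLE_SWAPPED)):
        print(label, verdicts(text))
```

<p> With the rules swapped, 192.168.0.1 is rejected because the broader /16 rule fires first. A <b>reject</b> verdict blocks mail only when postscreen_blacklist_action is set to <b>enforce</b> or <b>drop</b>; its default is <b>ignore</b>. </p>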
<DT><b><a name="postscreen_bare_newline_action">postscreen_bare_newline_action</a>
(default: ignore)</b></DT><DD>

<p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client sends
a bare newline character, that is, a newline not preceded by carriage
return. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_bare_newline_enable">postscreen_bare_newline_enable</a>
(default: no)</b></DT><DD>

<p> Enable "bare newline" SMTP protocol tests in the <a href="postscreen.8.html">postscreen(8)</a>
server. These tests are expensive: a client must disconnect after
it passes the test, before it can talk to a real Postfix SMTP server.
</p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a>
(default: 30d)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful "bare newline" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_blacklist_action">postscreen_blacklist_action</a>
(default: ignore)</b></DT><DD>

<p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client is
permanently blacklisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter.
Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore this result. Allow other tests to complete. Repeat
this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a>
(default: 12h)</b></DT><DD>

<p> The amount of time between <a href="postscreen.8.html">postscreen(8)</a> cache cleanup runs.
Cache cleanup increases the load on the cache database and should
therefore not be run frequently. This feature requires that the
cache database supports the "delete" and "sequence" operators.
Specify a zero interval to disable cache cleanup. </p>

<p> After each cache cleanup run, the <a href="postscreen.8.html">postscreen(8)</a> daemon logs the
number of entries that were retained and dropped. A cleanup run is
logged as "partial" when the daemon terminates early after "<b>postfix
reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_cache_map">postscreen_cache_map</a>
(default: btree:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</b></DT><DD>

<p> Persistent storage for the <a href="postscreen.8.html">postscreen(8)</a> server decisions. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_cache_retention_time">postscreen_cache_retention_time</a>
(default: 7d)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache an expired
temporary whitelist entry before it is removed. This prevents clients
from being logged as "NEW" just because their cache entry expired
an hour ago. It also prevents the cache from filling up with clients
that passed some deep protocol test once and never came back. </p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a>
(default: $<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b></DT><DD>

<p> How many simultaneous connections any client is allowed to have
with the <a href="postscreen.8.html">postscreen(8)</a> daemon. By default, this limit is the same
as with the Postfix SMTP server. Note that the triage process can
take several seconds, with the time spent in <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a>
delay, and with the time spent talking to the <a href="postscreen.8.html">postscreen(8)</a> built-in
dummy SMTP protocol engine. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_command_count_limit">postscreen_command_count_limit</a>
(default: 20)</b></DT><DD>

<p> The limit on the total number of commands per SMTP session for
<a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP protocol engine. This SMTP engine
defers or rejects all attempts to deliver mail, therefore there is
no need to enforce separate limits on the number of junk commands
and error commands. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_command_filter">postscreen_command_filter</a>
(default: $<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b></DT><DD>

<p> A mechanism to transform commands from remote SMTP clients.
See <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>
<DT><b><a name="postscreen_command_time_limit">postscreen_command_time_limit</a>
(default: ${stress?10}${stress:300}s)</b></DT><DD>

<p> The time limit to read an entire command line with <a href="postscreen.8.html">postscreen(8)</a>'s
built-in SMTP protocol engine. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a>
(default: $<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b></DT><DD>

<p> Disable the SMTP VRFY command in the <a href="postscreen.8.html">postscreen(8)</a> daemon. See
<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> for details. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a>
(default: $<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>)</b></DT><DD>

<p> Lookup tables, indexed by the remote SMTP client address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
etc.) that the <a href="postscreen.8.html">postscreen(8)</a> server will not send in the EHLO response
to a remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> for details.
The table is not searched by hostname for robustness reasons. </p>

<p> This feature is available in Postfix 2.8 and later. </p>
<DT><b><a name="postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a>
(default: $<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</b></DT><DD>

<p> A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the <a href="postscreen.8.html">postscreen(8)</a> server will not send in the EHLO
response to a remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>

<p> This feature is available in Postfix 2.8 and later. </p>
<DT><b><a name="postscreen_dnsbl_action">postscreen_dnsbl_action</a>
(default: ignore)</b></DT><DD>

<p>The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client's combined
DNSBL score is equal to or greater than a threshold (as defined
with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>
parameters). Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Repeat this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a>
(default: empty)</b></DT><DD>

<p> A mapping from actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply with
when it rejects mail. When no mapping is found, the actual DNSBL
domain will be used. </p>

<p> For maximal stability it is best to use a file that is read
into memory such as <a href="pcre_table.5.html">pcre</a>:, <a href="regexp_table.5.html">regexp</a>: or texthash: (texthash: is similar
to hash:, except a) there is no need to run <a href="postmap.1.html">postmap(1)</a> before the
file can be used, and b) texthash: does not detect changes after
the file is read). </p>

<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
    <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> = texthash:/etc/postfix/dnsbl_reply
</pre>

<pre>
/etc/postfix/dnsbl_reply:
    secret.zen.spamhaus.org    zen.spamhaus.org
</pre>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>
(default: empty)</b></DT><DD>

<p>Optional list of DNS white/blacklist domains, filters and weight
factors. When the list is non-empty, the <a href="dnsblog.8.html">dnsblog(8)</a> daemon will
query these domains with the IP addresses of remote SMTP clients,
and <a href="postscreen.8.html">postscreen(8)</a> will update an SMTP client's DNSBL score with
each non-error reply. </p>

<p> Caution: when postscreen rejects mail, it replies with the DNSBL
domain name. Use the <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> feature to hide
"password" information in DNSBL domain names. </p>

<p> When a client's score is equal to or greater than the threshold
specified with <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>, <a href="postscreen.8.html">postscreen(8)</a> can drop
the connection with the SMTP client. </p>

<p> Specify a list of domain=filter*weight entries, separated by
comma or whitespace. </p>

<ul>

<li> <p> When no "=filter" is specified, <a href="postscreen.8.html">postscreen(8)</a> will use any
non-error DNSBL reply. Otherwise, <a href="postscreen.8.html">postscreen(8)</a> uses only DNSBL
replies that match the filter. The filter has the form d.d.d.d,
where each d is a number, or a pattern inside [] that contains one
or more ";"-separated numbers or number..number ranges. </p>

<li> <p> When no "*weight" is specified, <a href="postscreen.8.html">postscreen(8)</a> increments
the SMTP client's DNSBL score by 1. Otherwise, the weight must be
an integral number, and <a href="postscreen.8.html">postscreen(8)</a> adds the specified weight to
the SMTP client's DNSBL score. Specify a negative number for

<li> <p> When one <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> entry produces multiple
DNSBL responses, <a href="postscreen.8.html">postscreen(8)</a> applies the weight at most once.
</p>

</ul>

<p> To use example.com as a high-confidence blocklist, and to
block mail with example.net and example.org only when both agree:
</p>

<pre>
<a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> = 2
<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = example.com*2, example.net, example.org
</pre>

<p> To filter only DNSBL replies containing 127.0.0.4: </p>

<pre>
<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = example.com=127.0.0.4
</pre>

<p> This feature is available in Postfix 2.8. </p>
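<p> The domain=filter*weight scoring rules above, as an added Python model that is not part of Postfix or of the original page. The function names are assumptions, and the DNSBL replies are constructed inputs rather than real lookups; the bracket-pattern and negative-weight entries in the test data are constructed as well. </p>

```python
import ipaddress
import re
from collections import namedtuple

# One parsed postscreen_dnsbl_sites entry. octets is None when the entry has
# no "=filter", otherwise a list of four sets of permitted octet values.
Site = namedtuple("Site", "domain octets weight")

_OCTET = r"(\d+|\[[\d;.]+\])"                 # a number or a [..] pattern
_FILTER = re.compile(r"\.".join([_OCTET] * 4))  # d.d.d.d
_ENTRY = re.compile(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?")


def _octet_set(token):
    """'4' -> {4}; '[2;4..8]' -> {2, 4, 5, 6, 7, 8}."""
    if not token.startswith("["):
        return {int(token)}
    allowed = set()
    for part in token[1:-1].split(";"):
        low, _, high = part.partition("..")
        allowed.update(range(int(low), int(high or low) + 1))
    return allowed


def parse_sites(setting):
    """Parse a comma- or whitespace-separated list of domain=filter*weight."""
    sites = []
    for entry in filter(None, re.split(r"[,\s]+", setting.strip())):
        match = _ENTRY.fullmatch(entry)
        if not match:
            raise ValueError("bad entry: " + entry)
        domain, flt, weight = match.groups()
        octets = None
        if flt is not None:
            fmatch = _FILTER.fullmatch(flt)
            if not fmatch:
                raise ValueError("bad filter: " + flt)
            octets = [_octet_set(tok) for tok in fmatch.groups()]
        # No "*weight" means the score is incremented by 1.
        sites.append(Site(domain, octets, int(weight) if weight else 1))
    return sites


def _matches(site, reply):
    """True when a DNSBL reply address counts for this entry."""
    if site.octets is None:
        return True  # no "=filter": any non-error reply counts
    parts = ipaddress.IPv4Address(reply).packed
    return all(p in allowed for p, allowed in zip(parts, site.octets))


def dnsbl_score(setting, replies):
    """Combined score for one client.

    replies maps each DNSBL domain to the reply addresses it returned for
    the client; a missing or empty list means not listed or a lookup error.
    """
    score = 0
    for site in parse_sites(setting):
        if any(_matches(site, r) for r in replies.get(site.domain, [])):
            score += site.weight  # at most once per entry
    return score


def blocked(setting, threshold, replies):
    """The threshold is an inclusive lower bound on the combined score."""
    return dnsbl_score(setting, replies) >= threshold


if __name__ == "__main__":
    sites = "example.com*2, example.net, example.org"
    for replies in (
        {"example.com": ["127.0.0.2"]},
        {"example.net": ["127.0.0.2"]},
        {"example.net": ["127.0.0.2"], "example.org": ["127.0.0.2"]},
    ):
        print(sorted(replies), dnsbl_score(sites, replies), blocked(sites, 2, replies))
```

<p> A score at or above the threshold has an effect only under the action set with postscreen_dnsbl_action, whose default is <b>ignore</b>. </p>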
<DT><b><a name="postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>
(default: 1)</b></DT><DD>

<p> The inclusive lower bound for blocking an SMTP client, based on
its combined DNSBL score as defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>
(default: 1h)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful DNS blocklist test. During this time, the client IP address
is excluded from this test. The default is relatively short, because a
good client can immediately talk to a real Postfix SMTP server.
</p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_enforce_tls">postscreen_enforce_tls</a>
(default: $<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b></DT><DD>

<p> Mandatory TLS: announce STARTTLS support to SMTP clients, and
require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>

<p> This feature is available in Postfix 2.8 and later.
Preferably, use <a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> instead. </p>
<DT><b><a name="postscreen_expansion_filter">postscreen_expansion_filter</a>
(default: see "postconf -d" output)</b></DT><DD>

<p> List of characters that are permitted in <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a>
attribute expansions. See <a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> for further

<p> This feature is available in Postfix 2.8 and later. </p>
<DT><b><a name="postscreen_forbidden_commands">postscreen_forbidden_commands</a>
(default: $<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b></DT><DD>

<p> List of commands that the <a href="postscreen.8.html">postscreen(8)</a> server considers in
violation of the SMTP protocol. See <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> for
syntax, and <a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> for possible actions.
</p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_greet_action">postscreen_greet_action</a>
(default: ignore)</b></DT><DD>

<p>The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client speaks
before its turn within the time specified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a>
parameter. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Repeat this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> In either case, <a href="postscreen.8.html">postscreen(8)</a> will not whitelist the SMTP client

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_greet_banner">postscreen_greet_banner</a>
(default: $<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</b></DT><DD>

<p> The <i>text</i> in the optional "220-<i>text</i>..." server
response that
<a href="postscreen.8.html">postscreen(8)</a> sends ahead of the real Postfix SMTP server's "220
text..." response, in an attempt to confuse bad SMTP clients so
that they speak before their turn (pre-greet). Specify an empty
value to disable this feature. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_greet_ttl">postscreen_greet_ttl</a>
(default: 1d)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful PREGREET test. During this time, the client IP address
is excluded from this test. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_greet_wait">postscreen_greet_wait</a>
(default: ${stress?2}${stress:6}s)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will wait for an SMTP
client to send a command before its turn, and for DNS blocklist
lookup results to arrive (default: up to 2 seconds under stress,
up to 6 seconds otherwise). </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). </p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_helo_required">postscreen_helo_required</a>
(default: $<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b></DT><DD>

<p> Require that a remote SMTP client sends HELO or EHLO before
commencing a MAIL transaction. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a>
(default: drop)</b></DT><DD>

<p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client sends
non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a>
parameter. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. This action is the
same as with the Postfix SMTP server's <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>

</dl>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a>
(default: no)</b></DT><DD>

<p> Enable "non-SMTP command" tests in the <a href="postscreen.8.html">postscreen(8)</a> server. These
tests are expensive: a client must disconnect after it passes the
test, before it can talk to a real Postfix SMTP server. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a>
(default: 30d)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful "non_smtp_command" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_pipelining_action">postscreen_pipelining_action</a>
(default: enforce)</b></DT><DD>

<p> The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client sends
multiple commands instead of sending one command and waiting for
the server to respond. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_pipelining_enable">postscreen_pipelining_enable</a>
(default: no)</b></DT><DD>

<p> Enable "pipelining" SMTP protocol tests in the <a href="postscreen.8.html">postscreen(8)</a>
server. These tests are expensive: a good client must disconnect
after it passes the test, before it can talk to a real Postfix SMTP
server. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a>
(default: 30d)</b></DT><DD>

<p> The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from
a successful "pipelining" SMTP protocol test. During this time, the
client IP address is excluded from this test. The default is
long because a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_post_queue_limit">postscreen_post_queue_limit</a>
(default: $<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b></DT><DD>

<p> The number of clients that can be waiting for service from a
real SMTP server process. When this queue is full, all clients will
receive a 421 response. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_pre_queue_limit">postscreen_pre_queue_limit</a>
(default: $<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b></DT><DD>

<p> The number of non-whitelisted clients that can be waiting for
a decision whether they will receive service from a real SMTP server
process. When this queue is full, all non-whitelisted clients will
receive a 421 response. </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="postscreen_reject_footer">postscreen_reject_footer</a>
(default: $<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b></DT><DD>

<p> Optional information that is appended after a 4XX or 5XX server
response. See <a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>
<DT><b><a name="postscreen_tls_security_level">postscreen_tls_security_level</a>
(default: $<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b></DT><DD>

<p> The SMTP TLS security level for the <a href="postscreen.8.html">postscreen(8)</a> server; when
a non-empty value is specified, this overrides the obsolete parameters
<a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>. See <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>

<p> This feature is available in Postfix 2.8 and later. </p>
<DT><b><a name="postscreen_use_tls">postscreen_use_tls</a>
(default: $<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b></DT><DD>

<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. </p>

<p> This feature is available in Postfix 2.8 and later.
Preferably, use <a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> instead. </p>
<DT><b><a name="postscreen_watchdog_timeout">postscreen_watchdog_timeout</a>
(default: 10s)</b></DT><DD>

<p> How much time a <a href="postscreen.8.html">postscreen(8)</a> process may take to respond to
an SMTP client command or to perform a cache operation before it
is terminated by a built-in watchdog timer. This is a safety
mechanism that prevents <a href="postscreen.8.html">postscreen(8)</a> from becoming non-responsive
due to a bug in Postfix itself or in system software. To avoid
false alarms and unnecessary cache corruption this limit cannot be

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
<DT><b><a name="prepend_delivered_header">prepend_delivered_header</a>
(default: command, file, forward)</b></DT><DD>
<DT><b><a name="tlsproxy_enforce_tls">tlsproxy_enforce_tls</a>
(default: $<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b></DT><DD>

<p> Mandatory TLS: announce STARTTLS support to SMTP clients, and
require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> for
further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>
<DT><b><a name="tlsproxy_service_name">tlsproxy_service_name</a>
(default: tlsproxy)</b></DT><DD>

<p> The name of the <a href="tlsproxy.8.html">tlsproxy(8)</a> service entry in <a href="master.5.html">master.cf</a>. This
service performs plaintext &lt;=&gt; TLS ciphertext conversion. </p>

<p> This feature is available in Postfix 2.8 and later. </p>
15323
<DT><b><a name="tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a>
15324
(default: $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</b></DT><DD>
15326
<p> A file containing (PEM format) CA certificates of root CAs
15327
trusted to sign either remote SMTP client certificates or intermediate
15328
CA certificates. See <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> for further details. </p>
15330
<p> This feature is available in Postfix 2.8 and later. </p>
15335
<DT><b><a name="tlsproxy_tls_CApath">tlsproxy_tls_CApath</a>
15336
(default: $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>)</b></DT><DD>
15338
<p> A directory containing (PEM format) CA certificates of root CAs
15339
trusted to sign either remote SMTP client certificates or intermediate
15340
CA certificates. See <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> for further details. </p>
15342
<p> This feature is available in Postfix 2.8 and later. </p>
15347
<DT><b><a name="tlsproxy_tls_always_issue_session_ids">tlsproxy_tls_always_issue_session_ids</a>
15348
(default: $<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a>)</b></DT><DD>
15350
<p> Force the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server to issue a TLS session id,
15351
even when TLS session caching is turned off. See
15352
<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> for further details. </p>
15354
<p> This feature is available in Postfix 2.8 and later. </p>
15359
<DT><b><a name="tlsproxy_tls_ask_ccert">tlsproxy_tls_ask_ccert</a>
15360
(default: $<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>)</b></DT><DD>
15362
<p> Ask a remote SMTP client for a client certificate. See
15363
<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> for further details. </p>
15365
<p> This feature is available in Postfix 2.8 and later. </p>
15370
<DT><b><a name="tlsproxy_tls_ccert_verifydepth">tlsproxy_tls_ccert_verifydepth</a>
15371
(default: $<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a>)</b></DT><DD>
15373
<p> The verification depth for remote SMTP client certificates. A
15374
depth of 1 is sufficient if the issuing CA is listed in a local CA
15375
file. See <a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> for further details. </p>
15377
<p> This feature is available in Postfix 2.8 and later. </p>
15382
<DT><b><a name="tlsproxy_tls_cert_file">tlsproxy_tls_cert_file</a>
15383
(default: $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b></DT><DD>
15385
<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server RSA certificate in PEM
15386
format. This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
15387
private RSA key. See <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> for further details. </p>
15389
<p> This feature is available in Postfix 2.8 and later. </p>
15394
<DT><b><a name="tlsproxy_tls_ciphers">tlsproxy_tls_ciphers</a>
15395
(default: $<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>)</b></DT><DD>
15397
<p> The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
15398
will use with opportunistic TLS encryption. See <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>
15399
for further details. </p>
15401
<p> This feature is available in Postfix 2.8 and later. </p>
15406
<DT><b><a name="tlsproxy_tls_dcert_file">tlsproxy_tls_dcert_file</a>
15407
(default: $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b></DT><DD>
15409
<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server DSA certificate in PEM
15410
format. This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
15411
private DSA key. See <a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> for further details.
15414
<p> This feature is available in Postfix 2.8 and later. </p>
15419
<DT><b><a name="tlsproxy_tls_dh1024_param_file">tlsproxy_tls_dh1024_param_file</a>
15420
(default: $<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>)</b></DT><DD>
15422
<p> File with DH parameters that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
15423
should use with EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> for
15424
further details. </p>
15426
<p> This feature is available in Postfix 2.8 and later. </p>
15431
<DT><b><a name="tlsproxy_tls_dh512_param_file">tlsproxy_tls_dh512_param_file</a>
15432
(default: $<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>)</b></DT><DD>
15434
<p> File with DH parameters that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
15435
should use with EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> for
15436
further details. </p>
15438
<p> This feature is available in Postfix 2.8 and later. </p>
15443
<DT><b><a name="tlsproxy_tls_dkey_file">tlsproxy_tls_dkey_file</a>
15444
(default: $<a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>)</b></DT><DD>
15446
<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server DSA private key in PEM
15447
format. This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>
15448
server DSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>.
15449
See <a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> for further details. </p>
15451
<p> This feature is available in Postfix 2.8 and later. </p>
15456
<DT><b><a name="tlsproxy_tls_eccert_file">tlsproxy_tls_eccert_file</a>
15457
(default: $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</b></DT><DD>
15459
<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server ECDSA certificate in
15460
PEM format. This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>
15461
server private ECDSA key. See <a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> for further
15464
<p> This feature is available in Postfix 2.8 and later. </p>
15469
<DT><b><a name="tlsproxy_tls_eckey_file">tlsproxy_tls_eckey_file</a>
15470
(default: $<a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a>)</b></DT><DD>
15472
<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server ECDSA private key in
15473
PEM format. This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>
15474
server ECDSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>.
15475
See <a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> for further details. </p>
15477
<p> This feature is available in Postfix 2.8 and later. </p>
15482
<DT><b><a name="tlsproxy_tls_eecdh_grade">tlsproxy_tls_eecdh_grade</a>
15483
(default: $<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>)</b></DT><DD>
15485
<p> The Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server security grade for ephemeral
15486
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
15487
<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details. </p>
15489
<p> This feature is available in Postfix 2.8 and later. </p>
15494
<DT><b><a name="tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a>
15495
(default: $<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</b></DT><DD>
15497
<p> List of ciphers or cipher types to exclude from the <a href="tlsproxy.8.html">tlsproxy(8)</a>
15498
server cipher list at all TLS security levels. See
15499
<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> for further details. </p>
15501
<p> This feature is available in Postfix 2.8 and later. </p>
15506
<DT><b><a name="tlsproxy_tls_fingerprint_digest">tlsproxy_tls_fingerprint_digest</a>
15507
(default: $<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a>)</b></DT><DD>
15509
<p> The message digest algorithm used to construct client-certificate
15510
fingerprints. See <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> for further details.
15513
<p> This feature is available in Postfix 2.8 and later. </p>
15518
<DT><b><a name="tlsproxy_tls_key_file">tlsproxy_tls_key_file</a>
15519
(default: $<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a>)</b></DT><DD>
15521
<p> File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server RSA private key in PEM
15522
format. This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>
15523
server RSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>.
15524
See <a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> for further details. </p>
15526
<p> This feature is available in Postfix 2.8 and later. </p>
15531
<DT><b><a name="tlsproxy_tls_loglevel">tlsproxy_tls_loglevel</a>
15532
(default: $<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a>)</b></DT><DD>
15534
<p> Enable additional Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server logging of TLS
15535
activity. Each logging level also includes the information that
15536
is logged at a lower logging level. See <a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> for
15537
further details. </p>
15539
<p> This feature is available in Postfix 2.8 and later. </p>
15544
<DT><b><a name="tlsproxy_tls_mandatory_ciphers">tlsproxy_tls_mandatory_ciphers</a>
15545
(default: $<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>)</b></DT><DD>
15547
<p> The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
15548
will use with mandatory TLS encryption. See <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>
15549
for further details. </p>
15551
<p> This feature is available in Postfix 2.8 and later. </p>
15556
<DT><b><a name="tlsproxy_tls_mandatory_exclude_ciphers">tlsproxy_tls_mandatory_exclude_ciphers</a>
15557
(default: $<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>)</b></DT><DD>
15559
<p> Additional list of ciphers or cipher types to exclude from the
15560
<a href="tlsproxy.8.html">tlsproxy(8)</a> server cipher list at mandatory TLS security levels.
15561
See <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> for further details. </p>
15563
<p> This feature is available in Postfix 2.8 and later. </p>
15568
<DT><b><a name="tlsproxy_tls_mandatory_protocols">tlsproxy_tls_mandatory_protocols</a>
15569
(default: $<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>)</b></DT><DD>
15571
<p> The SSL/TLS protocols accepted by the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server
15572
with mandatory TLS encryption. If the list is empty, the server
15573
supports all available SSL/TLS protocol versions. See
15574
<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> for further details. </p>
15576
<p> This feature is available in Postfix 2.8 and later. </p>
15581
<DT><b><a name="tlsproxy_tls_protocols">tlsproxy_tls_protocols</a>
15582
(default: $<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>)</b></DT><DD>
15584
<p> List of TLS protocols that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server will
15585
exclude or include with opportunistic TLS encryption. See
15586
<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> for further details. </p>
15588
<p> This feature is available in Postfix 2.8 and later. </p>
15593
<DT><b><a name="tlsproxy_tls_req_ccert">tlsproxy_tls_req_ccert</a>
15594
(default: $<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>)</b></DT><DD>
15596
<p> With mandatory TLS encryption, require a trusted remote SMTP
15597
client certificate in order to allow TLS connections to proceed.
15598
See <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> for further details. </p>
15600
<p> This feature is available in Postfix 2.8 and later. </p>
15605
<DT><b><a name="tlsproxy_tls_security_level">tlsproxy_tls_security_level</a>
15606
(default: $<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b></DT><DD>
15608
<p> The SMTP TLS security level for the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server;
15609
when a non-empty value is specified, this overrides the obsolete
15610
parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. See
15611
<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> for further details. </p>
15613
<p> This feature is available in Postfix 2.8 and later. </p>
15618
<DT><b><a name="tlsproxy_tls_session_cache_timeout">tlsproxy_tls_session_cache_timeout</a>
15619
(default: $<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a>)</b></DT><DD>
15621
<p> The expiration time of Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server TLS session
15622
cache information. A cache cleanup is performed periodically every
15623
$<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> seconds. See
15624
<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> for further details. </p>
15626
<p> This feature is available in Postfix 2.8 and later. </p>
15631
<DT><b><a name="tlsproxy_use_tls">tlsproxy_use_tls</a>
15632
(default: $<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b></DT><DD>
15634
<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
15635
but do not require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>
15636
for further details. </p>
15638
<p> This feature is available in Postfix 2.8 and later. </p>
15643
<DT><b><a name="tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a>
15644
(default: 10s)</b></DT><DD>
15646
<p> How much time a <a href="tlsproxy.8.html">tlsproxy(8)</a> process may take to process local
15647
or remote I/O before it is terminated by a built-in watchdog timer.
15648
This is a safety mechanism that prevents <a href="tlsproxy.8.html">tlsproxy(8)</a> from becoming
15649
non-responsive due to a bug in Postfix itself or in system software.
15650
To avoid false alarms and unnecessary cache corruption this limit
15651
cannot be set under 10s. </p>
15653
<p> Specify a non-zero time value (an integral value plus an optional
15654
one-letter suffix that specifies the time unit). Time units: s
15655
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
15657
<p> This feature is available in Postfix 2.8. </p>
13969
15662
<DT><b><a name="trace_service_name">trace_service_name</a>
13970
15663
(default: trace)</b></DT><DD>
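Review bot: in the tlsproxy_service_name entry, the first paragraph ("... TLS ciphertext conversion.") ends with an opening paragraph tag instead of the closing one, and the arrow in "plaintext ... TLS ciphertext" uses raw less-than and greater-than characters. Close the paragraph properly and escape the arrow as entities so the generated HTML stays well-formed. Separately, tlsproxy_tls_key_file, tlsproxy_tls_dkey_file and tlsproxy_tls_eckey_file describe the matching certificate file as "specified with $smtpd_tls_cert_file" (or the dcert/eccert equivalent), and tlsproxy_tls_session_cache_timeout says cleanup runs every $smtpd_tls_session_cache_timeout seconds. Each tlsproxy_* parameter only defaults to its smtpd_* counterpart, so these sentences should name the tlsproxy_* parameter; otherwise an operator who overrides only the tlsproxy value is pointed at the wrong certificate/key pairing or timeout. In the same way, tlsproxy_tls_security_level is documented as overriding "smtpd_use_tls and smtpd_enforce_tls" although this hunk adds tlsproxy_use_tls and tlsproxy_enforce_tls; please confirm which pair is meant. Finally, tlsproxy_watchdog_timeout says "available in Postfix 2.8." where every other entry in the hunk says "2.8 and later".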