~ubuntu-branches/ubuntu/saucy/postfix/saucy

client request is blocked by the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>, <a href="postconf.5.html#reject_rhsbl_client">reject_rhsbl_client</a>,

5383

<a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or <a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> restriction.

5433

<a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a>, <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> or

5434

<a href="postconf.5.html#reject_rhsbl_recipient">reject_rhsbl_recipient</a> restriction.

5384

5435

5385

5436

5386

5437

6188

6239

6189

6240

6190

6241

The internet domain name of this mail system. The default is to

6191

use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component. $<a href="postconf.5.html#mydomain">mydomain</a> is used as

6242

use $<a href="postconf.5.html#myhostname">myhostname</a> minus the first component, or "localdomain" (Postfix

6243

2.3 and later). $<a href="postconf.5.html#mydomain">mydomain</a> is used as

6192

6244

a default value for many other configuration parameters.

6193

6245

6194

6246

6208

6260

6209

6261

6210

6262

The internet hostname of this mail system. The default is to use

6211

the fully-qualified domain name from gethostname(). $<a href="postconf.5.html#myhostname">myhostname</a> is

6212

used as a default value for many other configuration parameters.

6213

6263

the fully-qualified domain name (FQDN) from gethostname(), or to

6264

use the non-FQDN result from gethostname() and append ".$<a href="postconf.5.html#mydomain">mydomain</a>".

6265

$<a href="postconf.5.html#myhostname">myhostname</a> is used as a default value for many other configuration

6266

parameters.

6214

6267

6215

6268

6216

6269

Example:

6578

6631

6579

6632

</DD>

6580

6633

6634

<DT><a name="postscreen_access_list">postscreen_access_list</a>

6635

(default: <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</DT><DD>

6636

6637

Permanent white/blacklist for remote SMTP client IP addresses.

6638

<a href="postscreen.8.html">postscreen(8)</a> searches this list immediately after a remote SMTP

6639

client connects. Specify a comma- or whitespace-separated list of

6640

commands (in upper or lower case) or lookup tables. The search stops

6641

upon the first command that fires for the client IP address.

6642

6643

<dl>

6644

6645

<dt> <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> </dt> <dd> Whitelist the client and

6646

terminate the search if the client IP address matches $<a href="postconf.5.html#mynetworks">mynetworks</a>.

6647

Do not subject the client to any before/after 220 greeting tests.

6648

Pass the connection immediately to a Postfix SMTP server process.

6649

</dd>

6650

6651

<dt> <a href="DATABASE_README.html">type:table</a> </dt> <dd> Query the specified lookup

6652

table. Each table lookup result is an access list, except that

6653

access lists inside a table cannot specify <a href="DATABASE_README.html">type:table</a> entries.

6654

To discourage the use of hash, btree, etc. tables, there is no

6655

support for substring matching like <a href="smtpd.8.html">smtpd(8)</a>. Use CIDR tables

6656

instead. </dd>

6657

6658

<dt> permit </dt> <dd> Whitelist the client and terminate

6659

the search. Do not subject the client to any before/after 220

6660

greeting tests. Pass the connection immediately to a Postfix SMTP

6661

server process. </dd>

6662

6663

<dt> reject </dt> <dd> Blacklist the client and terminate

6664

the search. Subject the client to the action configured with the

6665

<a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> configuration parameter. </dd>

6666

6667

<dt> dunno </dt> <dd> All <a href="postscreen.8.html">postscreen(8)</a> access lists

6668

implicitly have this command at the end. When dunno

6669

is executed inside a lookup table, return from the lookup table and

6670

evaluate the next command. When dunno is executed

6671

outside a lookup table, terminate the search, and subject the client

6672

to the configured before/after 220 greeting tests. </dd>

6673

6674

</dl>

6675

6676

Example:

6677

6678

<pre>

6679

/etc/postfix/<a href="postconf.5.html">main.cf</a>:

6680

<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,

6681

<a href="cidr_table.5.html">cidr</a>:/etc/postfix/postscreen_access.cidr

6682

</pre>

6683

6684

<pre>

6685

/etc/postfix/postscreen_access.<a href="cidr_table.5.html">cidr</a>:

6686

# Rules are evaluated in the order as specified.

6687

# Blacklist 192.168.* except 192.168.0.1.

6688

192.168.0.1 dunno

6689

192.168.0.0/16 reject

6690

</pre>

6691

6692

This feature is available in Postfix 2.8.

6693

6694

6695

</DD>

6696

6697

<DT><a name="postscreen_bare_newline_action">postscreen_bare_newline_action</a>

6698

(default: ignore)</DT><DD>

6699

6700

The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client sends

6701

a bare newline character, that is, a newline not preceded by carriage

6702

return. Specify one of the following:

6703

6704

<dl>

6705

6706

<dt> ignore </dt>

6707

6708

<dd> Ignore the failure of this test. Allow other tests to complete.

6709

Do not repeat this test before some the result from some

6710

other test expires.

6711

This option is useful for testing and collecting statistics

6712

without blocking mail permanently. </dd>

6713

6714

<dt> enforce </dt>

6715

6716

<dd> Allow other tests to complete. Reject attempts to deliver mail

6717

with a 550 SMTP reply, and log the helo/sender/recipient information.

6718

Repeat this test the next time the client connects. </dd>

6719

6720

6721

6722

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat

6723

this test the next time the client connects. </dd>

6724

6725

</dl>

6726

6727

This feature is available in Postfix 2.8.

6728

6729

6730

</DD>

6731

6732

<DT><a name="postscreen_bare_newline_enable">postscreen_bare_newline_enable</a>

6733

(default: no)</DT><DD>

6734

6735

Enable "bare newline" SMTP protocol tests in the <a href="postscreen.8.html">postscreen(8)</a>

6736

server. These tests are expensive: a client must disconnect after

6737

it passes the test, before it can talk to a real Postfix SMTP server.

6738

6739

6740

This feature is available in Postfix 2.8.

6741

6742

6743

</DD>

6744

6745

<DT><a name="postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a>

6746

(default: 30d)</DT><DD>

6747

6748

The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from

6749

a successful "bare newline" SMTP protocol test. During this

6750

time, the client IP address is excluded from this test. The default

6751

is long because a client must disconnect after it passes the test,

6752

before it can talk to a real Postfix SMTP server.

6753

6754

Specify a non-zero time value (an integral value plus an optional

6755

one-letter suffix that specifies the time unit). Time units: s

6756

(seconds), m (minutes), h (hours), d (days), w (weeks).

6757

6758

This feature is available in Postfix 2.8.

6759

6760

6761

</DD>

6762

6763

<DT><a name="postscreen_blacklist_action">postscreen_blacklist_action</a>

6764

(default: ignore)</DT><DD>

6765

6766

The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client is

6767

permanently blacklisted with the <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter.

6768

Specify one of the following:

6769

6770

<dl>

6771

6772

<dt> ignore (default) </dt>

6773

6774

<dd> Ignore this result. Allow other tests to complete. Repeat

6775

this test the next time the client connects.

6776

This option is useful for testing and collecting statistics

6777

without blocking mail. </dd>

6778

6779

<dt> enforce </dt>

6780

6781

<dd> Allow other tests to complete. Reject attempts to deliver mail

6782

with a 550 SMTP reply, and log the helo/sender/recipient information.

6783

Repeat this test the next time the client connects. </dd>

6784

6785

6786

6787

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat

6788

this test the next time the client connects. </dd>

6789

6790

</dl>

6791

6792

This feature is available in Postfix 2.8.

6793

6794

6795

</DD>

6796

6797

<DT><a name="postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a>

6798

(default: 12h)</DT><DD>

6799

6800

The amount of time between <a href="postscreen.8.html">postscreen(8)</a> cache cleanup runs.

6801

Cache cleanup increases the load on the cache database and should

6802

therefore not be run frequently. This feature requires that the

6803

cache database supports the "delete" and "sequence" operators.

6804

Specify a zero interval to disable cache cleanup.

6805

6806

After each cache cleanup run, the <a href="postscreen.8.html">postscreen(8)</a> daemon logs the

6807

number of entries that were retained and dropped. A cleanup run is

6808

logged as "partial" when the daemon terminates early after "postfix

6809

reload", "postfix stop", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>

6810

seconds.

6811

6812

Time units: s (seconds), m (minutes), h (hours), d (days), w

6813

(weeks).

6814

6815

This feature is available in Postfix 2.8.

6816

6817

6818

</DD>

6819

6820

<DT><a name="postscreen_cache_map">postscreen_cache_map</a>

6821

(default: btree:$<a href="postconf.5.html#data_directory">data_directory</a>/postscreen_cache)</DT><DD>

6822

6823

Persistent storage for the <a href="postscreen.8.html">postscreen(8)</a> server decisions.

6824

6825

This feature is available in Postfix 2.8.

6826

6827

6828

</DD>

6829

6830

<DT><a name="postscreen_cache_retention_time">postscreen_cache_retention_time</a>

6831

(default: 7d)</DT><DD>

6832

6833

The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will cache an expired

6834

temporary whitelist entry before it is removed. This prevents clients

6835

from being logged as "NEW" just because their cache entry expired

6836

an hour ago. It also prevents the cache from filling up with clients

6837

that passed some deep protocol test once and never came back.

6838

6839

Time units: s (seconds), m (minutes), h (hours), d (days), w

6840

(weeks).

6841

6842

This feature is available in Postfix 2.8.

6843

6844

6845

</DD>

6846

6847

<DT><a name="postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a>

6848

(default: $<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</DT><DD>

6849

6850

How many simultaneous connections any client is allowed to have

6851

with the <a href="postscreen.8.html">postscreen(8)</a> daemon. By default, this limit is the same

6852

as with the Postfix SMTP server. Note that the triage process can

6853

take several seconds, with the time spent in <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a>

6854

delay, and with the time spent talking to the <a href="postscreen.8.html">postscreen(8)</a> built-in

6855

dummy SMTP protocol engine.

6856

6857

This feature is available in Postfix 2.8.

6858

6859

6860

</DD>

6861

6862

<DT><a name="postscreen_command_count_limit">postscreen_command_count_limit</a>

6863

(default: 20)</DT><DD>

6864

6865

The limit on the total number of commands per SMTP session for

6866

<a href="postscreen.8.html">postscreen(8)</a>'s built-in SMTP protocol engine. This SMTP engine

6867

defers or rejects all attempts to deliver mail, therefore there is

6868

no need to enforce separate limits on the number of junk commands

6869

and error commands.

6870

6871

This feature is available in Postfix 2.8.

6872

6873

6874

</DD>

6875

6876

<DT><a name="postscreen_command_filter">postscreen_command_filter</a>

6877

(default: $<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</DT><DD>

6878

6879

A mechanism to transform commands from remote SMTP clients.

6880

See <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> for further details.

6881

6882

This feature is available in Postfix 2.8 and later.

6883

6884

6885

</DD>

6886

6887

<DT><a name="postscreen_command_time_limit">postscreen_command_time_limit</a>

6888

(default: ${stress?10}${stress:300}s)</DT><DD>

6889

6890

The time limit to read an entire command line with <a href="postscreen.8.html">postscreen(8)</a>'s

6891

built-in SMTP protocol engine.

6892

6893

This feature is available in Postfix 2.8.

6894

6895

6896

</DD>

6897

6898

<DT><a name="postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a>

6899

(default: $<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</DT><DD>

6900

6901

Disable the SMTP VRFY command in the <a href="postscreen.8.html">postscreen(8)</a> daemon. See

6902

<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a> for details.

6903

6904

This feature is available in Postfix 2.8.

6905

6906

6907

</DD>

6908

6909

<DT><a name="postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a>

6910

(default: $<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_discard_ehlo_keyword_address_maps</a>)</DT><DD>

6911

6912

Lookup tables, indexed by the remote SMTP client address, with

6913

case insensitive lists of EHLO keywords (pipelining, starttls, auth,

6914

etc.) that the <a href="postscreen.8.html">postscreen(8)</a> server will not send in the EHLO response

6915

to a remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a> for details.

6916

The table is not searched by hostname for robustness reasons.

6917

6918

This feature is available in Postfix 2.8 and later.

6919

6920

6921

</DD>

6922

6923

<DT><a name="postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a>

6924

(default: $<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>)</DT><DD>

6925

6926

A case insensitive list of EHLO keywords (pipelining, starttls,

6927

auth, etc.) that the <a href="postscreen.8.html">postscreen(8)</a> server will not send in the EHLO

6928

response to a remote SMTP client. See <a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_keywords</a>

6929

for details.

6930

6931

This feature is available in Postfix 2.8 and later.

6932

6933

6934

</DD>

6935

6936

<DT><a name="postscreen_dnsbl_action">postscreen_dnsbl_action</a>

6937

(default: ignore)</DT><DD>

6938

6939

The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client's combined

6940

DNSBL score is equal to or greater than a threshold (as defined

6941

with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>

6942

parameters). Specify one of the following:

6943

6944

<dl>

6945

6946

<dt> ignore (default) </dt>

6947

6948

<dd> Ignore the failure of this test. Allow other tests to complete.

6949

Repeat this test the next time the client connects.

6950

This option is useful for testing and collecting statistics

6951

without blocking mail. </dd>

6952

6953

<dt> enforce </dt>

6954

6955

<dd> Allow other tests to complete. Reject attempts to deliver mail

6956

with a 550 SMTP reply, and log the helo/sender/recipient information.

6957

Repeat this test the next time the client connects. </dd>

6958

6959

6960

6961

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat

6962

this test the next time the client connects. </dd>

6963

6964

</dl>

6965

6966

This feature is available in Postfix 2.8.

6967

6968

6969

</DD>

6970

6971

<DT><a name="postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a>

6972

(default: empty)</DT><DD>

6973

6974

A mapping from actual DNSBL domain name which includes a secret

6975

password, to the DNSBL domain name that postscreen will reply with

6976

when it rejects mail. When no mapping is found, the actual DNSBL

6977

domain will be used.

6978

6979

For maximal stability it is best to use a file that is read

6980

into memory such as <a href="pcre_table.5.html">pcre</a>:, <a href="regexp_table.5.html">regexp</a>: or texthash: (texthash: is similar

6981

to hash:, except a) there is no need to run <a href="postmap.1.html">postmap(1)</a> before the

6982

file can be used, and b) texthash: does not detect changes after

6983

the file is read).

6984

6985

Example:

6986

6987

<pre>

6988

/etc/postfix/<a href="postconf.5.html">main.cf</a>:

6989

<a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> = texthash:/etc/postfix/dnsbl_reply

6990

</pre>

6991

6992

<pre>

6993

/etc/postfix/dnsbl_reply:

6994

secret.zen.spamhaus.org zen.spamhaus.org

6995

</pre>

6996

6997

This feature is available in Postfix 2.8.

6998

6999

7000

</DD>

7001

7002

<DT><a name="postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>

7003

(default: empty)</DT><DD>

7004

7005

Optional list of DNS white/blacklist domains, filters and weight

7006

factors. When the list is non-empty, the <a href="dnsblog.8.html">dnsblog(8)</a> daemon will

7007

query these domains with the IP addresses of remote SMTP clients,

7008

and <a href="postscreen.8.html">postscreen(8)</a> will update an SMTP client's DNSBL score with

7009

each non-error reply.

7010

7011

Caution: when postscreen rejects mail, it replies with the DNSBL

7012

domain name. Use the <a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> feature to hide

7013

"password" information in DNSBL domain names.

7014

7015

When a client's score is equal to or greater than the threshold

7016

specified with <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>, <a href="postscreen.8.html">postscreen(8)</a> can drop

7017

the connection with the SMTP client.

7018

7019

Specify a list of domain=filter*weight entries, separated by

7020

comma or whitespace.

7021

7022

<ul>

7023

7024

<li> When no "=filter" is specified, <a href="postscreen.8.html">postscreen(8)</a> will use any

7025

non-error DNSBL reply. Otherwise, <a href="postscreen.8.html">postscreen(8)</a> uses only DNSBL

7026

replies that match the filter. The filter has the form d.d.d.d,

7027

where each d is a number, or a pattern inside [] that contains one

7028

or more ";"-separated numbers or number..number ranges.

7029

7030

<li> When no "*weight" is specified, <a href="postscreen.8.html">postscreen(8)</a> increments

7031

the SMTP client's DNSBL score by 1. Otherwise, the weight must be

7032

an integral number, and <a href="postscreen.8.html">postscreen(8)</a> adds the specified weight to

7033

the SMTP client's DNSBL score. Specify a negative number for

7034

whitelisting.

7035

7036

<li> When one <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> entry produces multiple

7037

DNSBL responses, <a href="postscreen.8.html">postscreen(8)</a> applies the weight at most once.

7038

7039

7040

</ul>

7041

7042

Examples:

7043

7044

To use example.com as a high-confidence blocklist, and to

7045

block mail with example.net and example.org only when both agree:

7046

7047

7048

<pre>

7049

<a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> = 2

7050

<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = example.com*2, example.net, example.org

7051

</pre>

7052

7053

To filter only DNSBL replies containing 127.0.0.4:

7054

7055

<pre>

7056

<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> = example.com=127.0.0.4

7057

</pre>

7058

7059

This feature is available in Postfix 2.8.

7060

7061

7062

</DD>

7063

7064

<DT><a name="postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a>

7065

(default: 1)</DT><DD>

7066

7067

The inclusive lower bound for blocking an SMTP client, based on

7068

its combined DNSBL score as defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a>

7069

parameter.

7070

7071

This feature is available in Postfix 2.8.

7072

7073

7074

</DD>

7075

7076

<DT><a name="postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a>

7077

(default: 1h)</DT><DD>

7078

7079

The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from

7080

a successful DNS blocklist test. During this time, the client IP address

7081

is excluded from this test. The default is relatively short, because a

7082

good client can immediately talk to a real Postfix SMTP server.

7083

7084

7085

Specify a non-zero time value (an integral value plus an optional

7086

one-letter suffix that specifies the time unit). Time units: s

7087

(seconds), m (minutes), h (hours), d (days), w (weeks).

7088

7089

This feature is available in Postfix 2.8.

7090

7091

7092

</DD>

7093

7094

<DT><a name="postscreen_enforce_tls">postscreen_enforce_tls</a>

7095

(default: $<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</DT><DD>

7096

7097

Mandatory TLS: announce STARTTLS support to SMTP clients, and

7098

require that clients use TLS encryption. See smtpd_postscreen_enforce_tls

7099

for details.

7100

7101

This feature is available in Postfix 2.8 and later.

7102

Preferably, use <a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> instead.

7103

7104

7105

</DD>

7106

7107

<DT><a name="postscreen_expansion_filter">postscreen_expansion_filter</a>

7108

(default: see "postconf -d" output)</DT><DD>

7109

7110

List of characters that are permitted in <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a>

7111

attribute expansions. See <a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> for further

7112

details.

7113

7114

This feature is available in Postfix 2.8 and later.

7115

7116

7117

</DD>

7118

7119

<DT><a name="postscreen_forbidden_commands">postscreen_forbidden_commands</a>

7120

(default: $<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</DT><DD>

7121

7122

List of commands that the <a href="postscreen.8.html">postscreen(8)</a> server considers in

7123

violation of the SMTP protocol. See <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> for

7124

syntax, and <a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> for possible actions.

7125

7126

7127

This feature is available in Postfix 2.8.

7128

7129

7130

</DD>

7131

7132

<DT><a name="postscreen_greet_action">postscreen_greet_action</a>

7133

(default: ignore)</DT><DD>

7134

7135

The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client speaks

7136

before its turn within the time specified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a>

7137

parameter. Specify one of the following:

7138

7139

<dl>

7140

7141

<dt> ignore (default) </dt>

7142

7143

<dd> Ignore the failure of this test. Allow other tests to complete.

7144

Repeat this test the next time the client connects.

7145

This option is useful for testing and collecting statistics

7146

without blocking mail. </dd>

7147

7148

<dt> enforce </dt>

7149

7150

<dd> Allow other tests to complete. Reject attempts to deliver mail

7151

with a 550 SMTP reply, and log the helo/sender/recipient information.

7152

Repeat this test the next time the client connects. </dd>

7153

7154

7155

7156

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat

7157

this test the next time the client connects. </dd>

7158

7159

</dl>

7160

7161

In either case, <a href="postscreen.8.html">postscreen(8)</a> will not whitelist the SMTP client

7162

IP address.

7163

7164

This feature is available in Postfix 2.8.

7165

7166

7167

</DD>

7168

7169

<DT><a name="postscreen_greet_banner">postscreen_greet_banner</a>

7170

(default: $<a href="postconf.5.html#smtpd_banner">smtpd_banner</a>)</DT><DD>

7171

7172

The text in the optional "220-text..." server

7173

response that

7174

<a href="postscreen.8.html">postscreen(8)</a> sends ahead of the real Postfix SMTP server's "220

7175

text..." response, in an attempt to confuse bad SMTP clients so

7176

that they speak before their turn (pre-greet). Specify an empty

7177

value to disable this feature.

7178

7179

This feature is available in Postfix 2.8.

7180

7181

7182

</DD>

7183

7184

<DT><a name="postscreen_greet_ttl">postscreen_greet_ttl</a>

7185

(default: 1d)</DT><DD>

7186

7187

The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from

7188

a successful PREGREET test. During this time, the client IP address

7189

is excluded from this test. The default is relatively short, because

7190

a good client can immediately talk to a real Postfix SMTP server.

7191

7192

Specify a non-zero time value (an integral value plus an optional

7193

one-letter suffix that specifies the time unit). Time units: s

7194

(seconds), m (minutes), h (hours), d (days), w (weeks).

7195

7196

This feature is available in Postfix 2.8.

7197

7198

7199

</DD>

7200

7201

<DT><a name="postscreen_greet_wait">postscreen_greet_wait</a>

7202

(default: ${stress?2}${stress:6}s)</DT><DD>

7203

7204

The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will wait for an SMTP

7205

client to send a command before its turn, and for DNS blocklist

7206

lookup results to arrive (default: up to 2 seconds under stress,

7207

up to 6 seconds otherwise).

7208

7209

Specify a non-zero time value (an integral value plus an optional

7210

one-letter suffix that specifies the time unit).

7211

7212

Time units: s (seconds), m (minutes), h (hours), d (days), w

7213

(weeks).

7214

7215

This feature is available in Postfix 2.8.

7216

7217

7218

</DD>

7219

7220

<DT><a name="postscreen_helo_required">postscreen_helo_required</a>

7221

(default: $<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</DT><DD>

7222

7223

Require that a remote SMTP client sends HELO or EHLO before

7224

commencing a MAIL transaction.

7225

7226

This feature is available in Postfix 2.8.

7227

7228

7229

</DD>

7230

7231

<DT><a name="postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a>

7232

(default: drop)</DT><DD>

7233

7234

The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client sends

7235

non-SMTP commands as specified with the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a>

7236

parameter. Specify one of the following:

7237

7238

<dl>

7239

7240

<dt> ignore </dt>

7241

7242

<dd> Ignore the failure of this test. Allow other tests to complete.

7243

Do not repeat this test before some the result from some

7244

other test expires.

7245

This option is useful for testing and collecting statistics

7246

without blocking mail permanently. </dd>

7247

7248

<dt> enforce </dt>

7249

7250

<dd> Allow other tests to complete. Reject attempts to deliver mail

7251

with a 550 SMTP reply, and log the helo/sender/recipient information.

7252

Repeat this test the next time the client connects. </dd>

7253

7254

7255

7256

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat

7257

this test the next time the client connects. This action is the

7258

same as with the Postfix SMTP server's <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>

7259

feature. </dd>

7260

7261

</dl>

7262

7263

This feature is available in Postfix 2.8.

7264

7265

7266

</DD>

7267

7268

<DT><a name="postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a>

7269

(default: no)</DT><DD>

7270

7271

Enable "non-SMTP command" tests in the <a href="postscreen.8.html">postscreen(8)</a> server. These

7272

tests are expensive: a client must disconnect after it passes the

7273

test, before it can talk to a real Postfix SMTP server.

7274

7275

This feature is available in Postfix 2.8.

7276

7277

7278

</DD>

7279

7280

<DT><a name="postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a>

7281

(default: 30d)</DT><DD>

7282

7283

The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from

7284

a successful "non_smtp_command" SMTP protocol test. During this

7285

time, the client IP address is excluded from this test. The default

7286

is long because a client must disconnect after it passes the test,

7287

before it can talk to a real Postfix SMTP server.

7288

7289

Specify a non-zero time value (an integral value plus an optional

7290

one-letter suffix that specifies the time unit). Time units: s

7291

(seconds), m (minutes), h (hours), d (days), w (weeks).

7292

7293

This feature is available in Postfix 2.8.

7294

7295

7296

</DD>

7297

7298

<DT><a name="postscreen_pipelining_action">postscreen_pipelining_action</a>

7299

(default: enforce)</DT><DD>

7300

7301

The action that <a href="postscreen.8.html">postscreen(8)</a> takes when an SMTP client sends

7302

multiple commands instead of sending one command and waiting for

7303

the server to respond. Specify one of the following:

7304

7305

<dl>

7306

7307

<dt> ignore </dt>

7308

7309

<dd> Ignore the failure of this test. Allow other tests to complete.

7310

Do not repeat this test before some the result from some

7311

other test expires.

7312

This option is useful for testing and collecting statistics

7313

without blocking mail permanently. </dd>

7314

7315

<dt> enforce </dt>

7316

7317

<dd> Allow other tests to complete. Reject attempts to deliver mail

7318

with a 550 SMTP reply, and log the helo/sender/recipient information.

7319

Repeat this test the next time the client connects. </dd>

7320

7321

7322

7323

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat

7324

this test the next time the client connects. </dd>

7325

7326

</dl>

7327

7328

This feature is available in Postfix 2.8.

7329

7330

7331

</DD>

7332

7333

<DT><a name="postscreen_pipelining_enable">postscreen_pipelining_enable</a>

7334

(default: no)</DT><DD>

7335

7336

Enable "pipelining" SMTP protocol tests in the <a href="postscreen.8.html">postscreen(8)</a>

7337

server. These tests are expensive: a good client must disconnect

7338

after it passes the test, before it can talk to a real Postfix SMTP

7339

server.

7340

7341

This feature is available in Postfix 2.8.

7342

7343

7344

</DD>

7345

7346

<DT><a name="postscreen_pipelining_ttl">postscreen_pipelining_ttl</a>

7347

(default: 30d)</DT><DD>

7348

7349

The amount of time that <a href="postscreen.8.html">postscreen(8)</a> will use the result from

7350

a successful "pipelining" SMTP protocol test. During this time, the

7351

client IP address is excluded from this test. The default is

7352

long because a good client must disconnect after it passes the test,

7353

before it can talk to a real Postfix SMTP server.

7354

7355

Specify a non-zero time value (an integral value plus an optional

7356

one-letter suffix that specifies the time unit). Time units: s

7357

(seconds), m (minutes), h (hours), d (days), w (weeks).

7358

7359

This feature is available in Postfix 2.8.

7360

7361

7362

</DD>

7363

7364

<DT><a name="postscreen_post_queue_limit">postscreen_post_queue_limit</a>

7365

(default: $<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</DT><DD>

7366

7367

The number of clients that can be waiting for service from a

7368

real SMTP server process. When this queue is full, all clients will

7369

receive a 421 reponse.

7370

7371

This feature is available in Postfix 2.8.

7372

7373

7374

</DD>

7375

7376

<DT><a name="postscreen_pre_queue_limit">postscreen_pre_queue_limit</a>

7377

(default: $<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</DT><DD>

7378

7379

The number of non-whitelisted clients that can be waiting for

7380

a decision whether they will receive service from a real SMTP server

7381

process. When this queue is full, all non-whitelisted clients will

7382

receive a 421 reponse.

7383

7384

This feature is available in Postfix 2.8.

7385

7386

7387

</DD>

7388

7389

<DT><a name="postscreen_reject_footer">postscreen_reject_footer</a>

7390

(default: $<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</DT><DD>

7391

7392

Optional information that is appended after a 4XX or 5XX server

7393

response. See <a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> for further details.

7394

7395

This feature is available in Postfix 2.8 and later.

7396

7397

7398

</DD>

7399

7400

<DT><a name="postscreen_tls_security_level">postscreen_tls_security_level</a>

7401

(default: $<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</DT><DD>

7402

7403

The SMTP TLS security level for the <a href="postscreen.8.html">postscreen(8)</a> server; when

7404

a non-empty value is specified, this overrides the obsolete parameters

7405

<a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>. See <a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>

7406

for details.

7407

7408

This feature is available in Postfix 2.8 and later.

7409

7410

7411

</DD>

7412

7413

<DT><a name="postscreen_use_tls">postscreen_use_tls</a>

7414

(default: $<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</DT><DD>

7415

7416

Opportunistic TLS: announce STARTTLS support to SMTP clients,

7417

but do not require that clients use TLS encryption.

7418

7419

This feature is available in Postfix 2.8 and later.

7420

Preferably, use <a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> instead.

7421

7422

7423

</DD>

7424

7425

<DT><a name="postscreen_watchdog_timeout">postscreen_watchdog_timeout</a>

7426

(default: 10s)</DT><DD>

7427

7428

How much time a <a href="postscreen.8.html">postscreen(8)</a> process may take to respond to

7429

an SMTP client command or to perform a cache operation before it

7430

is terminated by a built-in watchdog timer. This is a safety

7431

mechanism that prevents <a href="postscreen.8.html">postscreen(8)</a> from becoming non-responsive

7432

due to a bug in Postfix itself or in system software. To avoid

7433

false alarms and unnecessary cache corruption this limit cannot be

7434

set under 10s.

7435

7436

Specify a non-zero time value (an integral value plus an optional

7437

one-letter suffix that specifies the time unit). Time units: s

7438

(seconds), m (minutes), h (hours), d (days), w (weeks).

7439

7440

This feature is available in Postfix 2.8.

7441

7442

7443

</DD>

7444

6581

7445

<DT><a name="prepend_delivered_header">prepend_delivered_header</a>

6582

7446

(default: command, file, forward)</DT><DD>

6583

7447

6781

7645

6782

7646

</DD>

6783

7647

7648

<DT><a name="qmgr_daemon_timeout">qmgr_daemon_timeout</a>

7649

(default: 1000s)</DT><DD>

7650

7651

How much time a Postfix queue manager process may take to handle

7652

a request before it is terminated by a built-in watchdog timer.

7653

7654

7655

7656

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

7657

The default time unit is s (seconds).

7658

7659

7660

7661

</DD>

7662

6784

7663

<DT><a name="qmgr_fudge_factor">qmgr_fudge_factor</a>

6785

7664

(default: 100)</DT><DD>

6786

7665

6798

7677

6799

7678

</DD>

6800

7679

7680

<DT><a name="qmgr_ipc_timeout">qmgr_ipc_timeout</a>

7681

(default: 60s)</DT><DD>

7682

7683

The time limit for the queue manager to send or receive information

7684

over an internal communication channel. The purpose is to break

7685

out of deadlock situations. If the time limit is exceeded the

7686

software either retries or aborts the operation.

7687

7688

7689

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

7690

The default time unit is s (seconds).

7691

7692

7693

7694

</DD>

7695

6801

7696

<DT><a name="qmgr_message_active_limit">qmgr_message_active_limit</a>

6802

7697

(default: 20000)</DT><DD>

6803

7698

7143

8038

7144

8039

Note: automatic BCC recipients are produced only for new mail.

7145

8040

To avoid mailer loops, automatic BCC recipients are not generated

7146

for mail that Postfix forwards internally, nor for mail that Postfix

7147

generates itself.

8041

after Postfix forwards mail internally, or after Postfix generates

8042

mail itself.

7148

8043

7149

8044

7150

8045

Example:

7545

8440

7546

8441

</DD>

7547

8442

8443

<DT><a name="reset_owner_alias">reset_owner_alias</a>

8444

(default: no)</DT><DD>

8445

8446

Reset the <a href="local.8.html">local(8)</a> delivery agent's idea of the owner-alias

8447

attribute, when delivering mail to a child alias that does not have

8448

its own owner alias.

8449

8450

This feature is available in Postfix 2.8 and later. With older

8451

Postfix releases, the behavior is as if this parameter is set to

8452

"yes".

8453

8454

As documented in <a href="aliases.5.html">aliases(5)</a>, when an alias name has a

8455

companion alias named owner-name, delivery errors will be

8456

reported to the owner alias instead of the sender. This configuration

8457

is recommended for mailing lists.

8458

8459

A less known property of the owner alias is that it also forces

8460

the <a href="local.8.html">local(8)</a> delivery agent to write local and remote addresses

8461

from alias expansion to a new queue file, instead of attempting to

8462

deliver mail to local addresses as soon as they come out of alias

8463

expansion.

8464

8465

Writing local addresses from alias expansion to a new queue

8466

file allows for robust handling of temporary delivery errors: errors

8467

with one local member have no effect on deliveries to other members

8468

of the list. On the other hand, delivery to local addresses as

8469

soon as they come out of alias expansion is fragile: a temporary

8470

error with one local address from alias expansion will cause the

8471

entire alias to be expanded repeatedly until the error goes away,

8472

or until the message expires in the queue. In that case, a problem

8473

with one list member results in multiple message deliveries to other

8474

list members.

8475

8476

The default behavior of Postfix 2.8 and later is to keep the

8477

owner-alias attribute of the parent alias, when delivering mail to

8478

a child alias that does not have its own owner alias. Then, local

8479

addresses from that child alias will be written to a new queue file,

8480

and a temporary error with one local address will not affect delivery

8481

to other mailing list members.

8482

8483

Unfortunately, older Postfix releases reset the owner-alias

8484

attribute when delivering mail to a child alias that does not have

8485

its own owner alias. The <a href="local.8.html">local(8)</a> delivery agent then attempts to

8486

deliver local addresses as soon as they come out of child alias

8487

expansion. If delivery to any address from child alias expansion

8488

fails with a temporary error condition, the entire mailing list may

8489

be expanded repeatedly until the mail expires in the queue, resulting

8490

in multiple deliveries of the same message to mailing list members.

8491

8492

8493

8494

</DD>

8495

7548

8496

<DT><a name="resolve_dequoted_address">resolve_dequoted_address</a>

7549

8497

(default: yes)</DT><DD>

7550

8498

7698

8646

7699

8647

Note: automatic BCC recipients are produced only for new mail.

7700

8648

To avoid mailer loops, automatic BCC recipients are not generated

7701

for mail that Postfix forwards internally, nor for mail that Postfix

7702

generates itself.

8649

after Postfix forwards mail internally, or after Postfix generates

8650

mail itself.

7703

8651

7704

8652

7705

8653

Example:

7873

8821

7874

8822

</DD>

7875

8823

8824

<DT><a name="smtp_address_preference">smtp_address_preference</a>

8825

(default: ipv6)</DT><DD>

8826

8827

The address type ("ipv6", "ipv4" or "any") that the Postfix

8828

SMTP client will try first, when a destination has IPv6 and IPv4

8829

addresses with equal MX preference. This feature has no effect

8830

unless the <a href="postconf.5.html#inet_protocols">inet_protocols</a> setting enables both IPv4 and IPv6.

8831

8832

This feature is available in Postfix 2.8 and later.

8833

8834

8835

</DD>

8836

7876

8837

<DT><a name="smtp_always_send_ehlo">smtp_always_send_ehlo</a>

7877

8838

(default: yes)</DT><DD>

7878

8839

8288

9249

8289

9250

</DD>

8290

9251

9252

<DT><a name="smtp_dns_resolver_options">smtp_dns_resolver_options</a>

9253

(default: empty)</DT><DD>

9254

9255

DNS Resolver options for the Postfix SMTP client. Specify zero

9256

or more of the following options, separated by comma or whitespace.

9257

Option names are case-sensitive. Some options refer to domain names

9258

that are specified in the file /etc/resolv.conf or equivalent.

9259

9260

<dl>

9261

9262

<dt>res_defnames</dt>

9263

9264

<dd> Append the current domain name to single-component names (those

9265

that do not contain a "." character). This can produce incorrect

9266

results, and is the hard-coded behavior prior to Postfix 2.8. </dd>

9267

9268

<dt>res_dnsrch</dt>

9269

9270

<dd> Search for host names in the current domain and in parent

9271

domains. This can produce incorrect results and is therefore not

9272

recommended. </dd>

9273

9274

</dl>

9275

9276

This feature is available in Postfix 2.8 and later.

9277

9278

9279

</DD>

9280

8291

9281

<DT><a name="smtp_enforce_tls">smtp_enforce_tls</a>

8292

9282

(default: no)</DT><DD>

8293

9283

9150

10140

but it is best to include all the required certificates directly in

9151

10141

$<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>.

9152

10142

10143

Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from

10144

appending the system-supplied default CAs and trusting third-party

10145

certificates.

10146

9153

10147

Example:

9154

10148

9155

10149

<pre>

9173

10167

To use this option in chroot mode, this directory (or a copy)

9174

10168

must be inside the chroot jail.

9175

10169

10170

Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from

10171

appending the system-supplied default CAs and trusting third-party

10172

certificates.

10173

9176

10174

Example:

9177

10175

9178

10176

<pre>

10563

11561

(default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)</DT><DD>

10564

11562

10565

11563

10566

Clients that are excluded from connection count, connection rate,

10567

or SMTP request rate restrictions. See the <a href="postconf.5.html#mynetworks">mynetworks</a> parameter

11564

Clients that are excluded from smtpd_client_*_count/rate_limit

11565

restrictions. See the <a href="postconf.5.html#mynetworks">mynetworks</a> parameter

10568

11566

description for the parameter value syntax.

10569

11567

10570

11568

10824

11822

<dd> Permit the request when the remote SMTP client certificate is

10825

11823

verified successfully. This option must be used only if a special

10826

11824

CA issues the certificates and only this CA is listed as trusted

10827

CA, otherwise all clients with a recognized certificate would be

10828

allowed to relay. This feature is available with Postfix version 2.2.</dd>

11825

CA. Otherwise, clients with a third-party certificate would also

11826

be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the

11827

trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,

11828

to prevent Postfix from appending the system-supplied default CAs.

11829

This feature is available with Postfix version 2.2.</dd>

10829

11830

10830

11831

<dt><a name="permit_tls_clientcerts">permit_tls_clientcerts</a></dt>

10831

11832

10840

11841

10841

11842

<dd>Reject the request when the reversed client network address is

10842

11843

listed with the A record "d.d.d.d" under rbl_domain

10843

(Postfix version 2.1 and later only). If no "=d.d.d.d" is

10844

specified, reject the request when the reversed client network

10845

address is listed with any A record under rbl_domain.

11844

(Postfix version 2.1 and later only). Each "d" is a number,

11845

or a pattern inside "[]" that contains one or more ";"-separated

11846

numbers or number..number ranges (Postfix version 2.8 and later).

11847

If no "=d.d.d.d" is specified, reject the request when the

11848

reversed client network address is listed with any A record under

11849

rbl_domain.

10846

11850

The <a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> parameter specifies the response code for

10847

11851

rejected requests (default: 554), the <a href="postconf.5.html#default_rbl_reply">default_rbl_reply</a> parameter

10848

11852

specifies the default server reply, and the <a href="postconf.5.html#rbl_reply_maps">rbl_reply_maps</a> parameter

10849

11853

specifies tables with server replies indexed by rbl_domain.

10850

11854

This feature is available in Postfix 2.0 and later. </dd>

10851

11855

11856

<dt><a name="permit_dnswl_client">permit_dnswl_client dnswl_domain=d.d.d.d</a></dt>

11857

11858

<dd>Accept the request when the reversed client network address is

11859

listed with the A record "d.d.d.d" under dnswl_domain.

11860

Each "d" is a number, or a pattern inside "[]" that contains

11861

one or more ";"-separated numbers or number..number ranges.

11862

If no "=d.d.d.d" is specified, accept the request when the

11863

reversed client network address is listed with any A record under

11864

dnswl_domain. For safety, <a href="postconf.5.html#permit_dnswl_client">permit_dnswl_client</a> is silently

11865

ignored when it would override <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>. The

11866

result is DEFER_IF_REJECT when whitelist lookup fails. This feature

11867

is available in Postfix 2.8 and later. </dd>

11868

10852

11869

<dt><a name="reject_rhsbl_client">reject_rhsbl_client rbl_domain=d.d.d.d</a></dt>

10853

11870

10854

11871

<dd>Reject the request when the client hostname is listed with the

10855

11872

A record "d.d.d.d" under rbl_domain (Postfix version

10856

2.1 and later only). If no "=d.d.d.d" is specified, reject

10857

the request when the client hostname is listed with

11873

2.1 and later only). Each "d" is a number, or a pattern

11874

inside "[]" that contains one or more ";"-separated numbers or

11875

number..number ranges (Postfix version 2.8 and later). If no

11876

"=d.d.d.d" is specified, reject the request when the client

11877

hostname is listed with

10858

11878

any A record under rbl_domain. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a>

10859

11879

description above for additional RBL related configuration parameters.

10860

This feature is available in Postfix 2.0 and later. </dd>

11880

This feature is available in Postfix 2.0 and later; with Postfix

11881

version 2.8 and later, <a href="postconf.5.html#reject_rhsbl_reverse_client">reject_rhsbl_reverse_client</a> will usually

11882

produce better results. </dd>

11883

11884

<dt><a name="permit_rhswl_client">permit_rhswl_client rhswl_domain=d.d.d.d</a></dt>

11885

11886

<dd>Accept the request when the client hostname is listed with the

11887

A record "d.d.d.d" under rhswl_domain. Each "d"

11888

is a number, or a pattern inside "[]" that contains one or more

11889

";"-separated numbers or number..number ranges. If no

11890

"=d.d.d.d" is specified, accept the request when the client

11891

hostname is listed with any A record under rhswl_domain.

11892

Caution: client name whitelisting is fragile, since the client

11893

name lookup can fail due to temporary outages. Client name

11894

whitelisting should be used only to reduce false positives in e.g.

11895

DNS-based blocklists, and not for making access rule exceptions.

11896

For safety, <a href="postconf.5.html#permit_rhswl_client">permit_rhswl_client</a> is silently ignored when it

11897

would override <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>. The result is DEFER_IF_REJECT

11898

when whitelist lookup fails. This feature is available in Postfix

11899

2.8 and later. </dd>

11900

11901

<dt><a name="reject_rhsbl_reverse_client">reject_rhsbl_reverse_client rbl_domain=d.d.d.d</a></dt>

11902

11903

<dd>Reject the request when the unverified reverse client hostname

11904

is listed with the A record "d.d.d.d" under rbl_domain.

11905

Each "d" is a number, or a pattern inside "[]" that contains

11906

one or more ";"-separated numbers or number..number ranges.

11907

If no "=d.d.d.d" is specified, reject the request when the

11908

unverified reverse client hostname is listed with any A record under

11909

rbl_domain. See the <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> description above for

11910

additional RBL related configuration parameters. This feature is

11911

available in Postfix 2.8 and later. </dd>

10861

11912

10862

11913

<dt><a name="reject_unknown_client_hostname">reject_unknown_client_hostname</a> (with Postfix < 2.3: reject_unknown_client)</dt>

10863

11914

11042

12093

are removed. The result value is executed by the Postfix SMTP

11043

12094

server.

11044

12095

11045

Postfix already implements a number of workarounds for malformed

11046

client commands.

12096

There is no need to use <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> for the following

12097

cases:

11047

12098

11048

12099

<ul>

11049

12100

11051

12102

"user@ipaddress".

11052

12103

11053

12104

<li> Postfix already accepts the correct form

11054

"user@[ipaddress]".

12105

"user@[ipaddress]". Use <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> or <a href="postconf.5.html#canonical_maps">canonical_maps</a>

12106

to translate these into domain names if necessary.

11055

12107

11056

<li> Use "<a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> = no" to accept "User Name

11057

<user@example.com>". Postfix will ignore the "User Name"

11058

part before delivering the mail.

12108

<li> Use "<a href="postconf.5.html#strict_rfc821_envelopes">strict_rfc821_envelopes</a> = no" to accept "RCPT TO:<User

12109

Name <user@example.com>>". Postfix will ignore the "User

12110

Name" part and deliver to the <user@example.com> address.

12111

11059

12112

11060

12113

</ul>

11061

12114

11062

Examples:

12115

Examples of problems that can be solved with the <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>

12116

feature:

11063

12117

11064

12118

<pre>

11065

12119

/etc/postfix/<a href="postconf.5.html">main.cf</a>:

11083

12137

/^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/ RCPT TO:<$1>$2

11084

12138

</pre>

11085

12139

12140

<pre>

12141

# Bounce-never mail sink. Use <a href="postconf.5.html#notify_classes">notify_classes</a>=bounce,resource,software

12142

# to send bounced mail to the postmaster (with message body removed).

12143

/^(RCPT\s+TO:.*?)\bNOTIFY=\S+\b(.*)/ $1 NOTIFY=NEVER $2

12144

/^(RCPT\s+TO:.*)/ $1 NOTIFY=NEVER

12145

</pre>

12146

11086

12147

This feature is available in Postfix 2.7.

11087

12148

11088

12149

11122

12183

<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>, <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>,

11123

12184

<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> or <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.

11124

12185

12186

<li>However, no recipient information is available in the case of

12187

multi-recipient mail. Acting on only one recipient would be misleading,

12188

because any decision will affect all recipients equally. Acting on

12189

all recipients would require a possibly very large amount of memory,

12190

and would also be misleading for the reasons mentioned before.

12191

11125

12192

</ul>

11126

12193

11127

12194

11230

12297

11231

12298

This feature is available in Postfix 2.2 and later.

11232

12299

11233

See <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> for syntax details.

12300

See <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> for details and limitations.

11234

12301

11235

12302

11236

12303

</DD>

11359

12426

(default: CONNECT, GET, POST)</DT><DD>

11360

12427

11361

12428

11362

List of commands that causes the Postfix SMTP server to immediately

12429

List of commands that cause the Postfix SMTP server to immediately

11363

12430

terminate the session with a 221 code. This can be used to disconnect

11364

12431

clients that obviously attempt to abuse the system. In addition to the

11365

12432

commands listed in this parameter, commands that follow the "Label:"

11374

12441

</DD>

11375

12442

11376

12443

<DT><a name="smtpd_hard_error_limit">smtpd_hard_error_limit</a>

11377

(default: normal: 20, stress: 1)</DT><DD>

12444

(default: normal: 20, overload: 1)</DT><DD>

11378

12445

11379

12446

11380

12447

The maximal number of errors a remote SMTP client is allowed to

11381

12448

make without delivering mail. The Postfix SMTP server disconnects

11382

12449

when the limit is exceeded. Normally the default limit is 20, but

11383

it changes under overload to just 1 with Postfix 2.6 and later.

12450

it changes under overload to just 1. With Postfix 2.5 and earlier,

12451

the SMTP server always allows up to 20 errors by default.

12452

11384

12453

11385

12454

11386

12455

11420

12489

The default is to permit everything.

11421

12490

11422

12491

12492

Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this

12493

restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can

12494

simply skip <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> by not sending HELO or EHLO).

12495

12496

11423

12497

11424

12498

Specify a list of restrictions, separated by commas and/or whitespace.

11425

12499

Continue long lines by starting the next line with whitespace.

11438

12512

11439

12513

<dd>Search the specified <a href="access.5.html">access(5)</a> database for the HELO or EHLO

11440

12514

hostname or parent domains, and execute the corresponding action.

11441

</dd>

12515

Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this

12516

restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can

12517

simply skip <a href="postconf.5.html#check_helo_access">check_helo_access</a> by not sending HELO or EHLO). </dd>

11442

12518

11443

12519

<dt><a name="check_helo_mx_access">check_helo_mx_access</a> <a href="DATABASE_README.html">type:table</a></dt>

11444

12520

11445

12521

<dd>Search the specified <a href="access.5.html">access(5)</a> database for the MX hosts for

11446

12522

the HELO or EHLO hostname, and execute the corresponding action.

11447

Note: a result of "OK" is not allowed for safety reasons. Instead,

11448

use DUNNO in order to exclude specific hosts from blacklists. This

11449

feature is available in Postfix 2.1 and later. </dd>

12523

Note 1: a result of "OK" is not allowed for safety reasons. Instead,

12524

use DUNNO in order to exclude specific hosts from blacklists. Note

12525

2: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this

12526

restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can

12527

simply skip <a href="postconf.5.html#check_helo_mx_access">check_helo_mx_access</a> by not sending HELO or EHLO). This

12528

feature is available in Postfix 2.1 and later.

12529

</dd>

11450

12530

11451

12531

<dt><a name="check_helo_ns_access">check_helo_ns_access</a> <a href="DATABASE_README.html">type:table</a></dt>

11452

12532

11453

12533

<dd>Search the specified <a href="access.5.html">access(5)</a> database for the DNS servers

11454

12534

for the HELO or EHLO hostname, and execute the corresponding action.

11455

Note: a result of "OK" is not allowed for safety reasons. Instead,

11456

use DUNNO in order to exclude specific hosts from blacklists. This

11457

feature is available in Postfix 2.1 and later. </dd>

12535

Note 1: a result of "OK" is not allowed for safety reasons. Instead,

12536

use DUNNO in order to exclude specific hosts from blacklists. Note

12537

2: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this

12538

restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can

12539

simply skip <a href="postconf.5.html#check_helo_ns_access">check_helo_ns_access</a> by not sending HELO or EHLO). This

12540

feature is available in Postfix 2.1 and later.

12541

</dd>

11458

12542

11459

12543

<dt><a name="reject_invalid_helo_hostname">reject_invalid_helo_hostname</a> (with Postfix < 2.3: reject_invalid_hostname)</dt>

11460

12544

11461

12545

<dd>Reject the request when the HELO or EHLO hostname syntax is

11462

invalid. The <a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> specifies the response

11463

code for rejected requests (default: 501).</dd>

12546

invalid. Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce

12547

this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can simply

12548

skip <a href="postconf.5.html#reject_invalid_helo_hostname">reject_invalid_helo_hostname</a> by not sending HELO or EHLO).

12549

The <a href="postconf.5.html#invalid_hostname_reject_code">invalid_hostname_reject_code</a> specifies the response code

12550

for rejected requests (default: 501).</dd>

11464

12551

11465

12552

<dt><a name="reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a> (with Postfix < 2.3: reject_non_fqdn_hostname)</dt>

11466

12553

11467

12554

<dd>Reject the request when the HELO or EHLO hostname is not in

11468

fully-qualified domain form, as required by the RFC. The

11469

<a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> parameter specifies the response code for

12555

fully-qualified domain form, as required by the RFC. Note: specify

12556

"<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully enforce this restriction

12557

(without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a client can simply skip

12558

<a href="postconf.5.html#reject_non_fqdn_helo_hostname">reject_non_fqdn_helo_hostname</a> by not sending HELO or EHLO).

12559

The <a href="postconf.5.html#non_fqdn_reject_code">non_fqdn_reject_code</a> parameter specifies the response code for

11470

12560

rejected requests (default: 504).</dd>

11471

12561

11472

12562

<dt><a name="reject_rhsbl_helo">reject_rhsbl_helo rbl_domain=d.d.d.d</a></dt>

11473

12563

11474

12564

<dd>Reject the request when the HELO or EHLO hostname hostname is

11475

12565

listed with the A record "d.d.d.d" under rbl_domain

11476

(Postfix version 2.1 and later only). If no "=d.d.d.d" is

12566

(Postfix version 2.1 and later only). Each "d" is a number,

12567

or a pattern inside "[]" that contains one or more ";"-separated

12568

numbers or number..number ranges (Postfix version 2.8 and later).

12569

If no "=d.d.d.d" is

11477

12570

specified, reject the request when the HELO or EHLO hostname is

11478

12571

listed with any A record under rbl_domain. See the

11479

12572

<a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> description for additional RBL related configuration

11480

parameters. This feature is available in Postfix 2.0 and later.

11481

</dd>

12573

parameters. Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully

12574

enforce this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a

12575

client can simply skip <a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> by not sending HELO or

12576

EHLO). This feature is available in Postfix 2.0

12577

and later. </dd>

11482

12578

11483

12579

<dt><a name="reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> (with Postfix < 2.3: reject_unknown_hostname)</dt>

11484

12580

11487

12583

specifies the numerical response code for rejected requests (default:

11488

12584

450). The <a href="postconf.5.html#unknown_helo_hostname_tempfail_action">unknown_helo_hostname_tempfail_action</a> parameter

11489

12585

specifies the action after a temporary DNS error (default:

11490

<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>). </dd>

12586

<a href="postconf.5.html#defer_if_permit">defer_if_permit</a>). Note: specify "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes" to fully

12587

enforce this restriction (without "<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> = yes", a

12588

client can simply skip <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a> by not sending

12589

HELO or EHLO). </dd>

11491

12590

11492

12591

</dl>

11493

12592

11536

12635

</DD>

11537

12636

11538

12637

<DT><a name="smtpd_junk_command_limit">smtpd_junk_command_limit</a>

11539

(default: normal: 100, stress: 1)</DT><DD>

12638

(default: normal: 100, overload: 1)</DT><DD>

11540

12639

11541

12640

11542

12641

The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote

11545

12644

command count is reset after mail is delivered. See also the

11546

12645

<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> and <a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> configuration

11547

12646

parameters. Normally the default limit is 100, but it changes under

11548

overload to just 1 with Postfix 2.6 and later.

11549

12647

overload to just 1. With Postfix 2.5 and earlier, the SMTP server

12648

always allows up to 100 junk commands by default.

11550

12649

11551

12650

11552

12651

</DD>

11889

12988

11890

12989

<dd>Reject the request when the RCPT TO domain is listed with the

11891

12990

A record "d.d.d.d" under rbl_domain (Postfix version

11892

2.1 and later only). If no "=d.d.d.d" is specified, reject

12991

2.1 and later only). Each "d" is a number, or a pattern

12992

inside "[]" that contains one or more ";"-separated numbers or

12993

number..number ranges (Postfix version 2.8 and later). If no

12994

"=d.d.d.d" is specified, reject

11893

12995

the request when the RCPT TO domain is listed with

11894

12996

any A record under rbl_domain. The <a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a>

11895

12997

parameter specifies the response code for rejected requests (default:

11980

13082

11981

13083

</DD>

11982

13084

13085

<DT><a name="smtpd_reject_footer">smtpd_reject_footer</a>

13086

(default: empty)</DT><DD>

13087

13088

Optional information that is appended after each SMTP server

13089

4XX or 5XX response.

13090

13091

Example:

13092

13093

<pre>

13094

/etc/postfix/<a href="postconf.5.html">main.cf</a>:

13095

<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> = For assistance, call 800-555-0101.

13096

Please provide the following information in your problem report:

13097

time ($localtime), client ($client_address) and server

13098

($server_name).

13099

</pre>

13100

13101

Server response:

13102

13103

<pre>

13104

550-5.5.1 <user@example> Recipient address rejected: User unknown

13105

550 5.5.1 For assistance, call 800-555-0101. Please provide the

13106

following information in your problem report: time (Jan 4 15:42:00),

13107

client (192.168.1.248) and server (mail1.example.com).

13108

</pre>

13109

13110

Note: the above text is meant to make it easier to find the

13111

Postfix logfile records for a failed SMTP session. The text itself

13112

is not logged to the Postfix SMTP server's maillog file.

13113

13114

Be sure to keep the text as short as possible. Long text may

13115

be truncated before it is logged to the remote SMTP client's maillog

13116

file, or before it is returned to the sender in a delivery status

13117

notification.

13118

13119

This feature supports a limited number of $name attributes in

13120

the footer text. These are replaced by their current value for the

13121

SMTP session:

13122

13123

<dl>

13124

13125

<dt> client_address </dt> <dd> The Client IP address that

13126

is logged in the maillog file. </dd>

13127

13128

<dt> client_port </dt> <dd> The client TCP port that is

13129

logged in the maillog file. </dd>

13130

13131

<dt> localtime </dt> <dd> The server local time (Mmm dd

13132

hh:mm:ss) that is logged in the maillog file. </dd>

13133

13134

<dt> server_name </dt> <dd> The server's <a href="postconf.5.html#myhostname">myhostname</a> value.

13135

This attribute is made available for sites with multiple MTAs

13136

(perhaps behind a load-balancer), where the server name can help

13137

the server support team to quickly find the right log files. </dd>

13138

13139

</dl>

13140

13141

Notes:

13142

13143

<ul>

13144

13145

<li> NOT SUPPORTED are other attributes such as sender, recipient,

13146

or <a href="postconf.5.html">main.cf</a> parameters.

13147

13148

<li> For safety reasons, text that does not match

13149

$<a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> is censored.

13150

13151

</ul>

13152

13153

This feature supports the two-character sequence \n as a request

13154

for a line break in the footer text. Postfix automatically inserts

13155

after each line break the three-digit SMTP reply code (and optional

13156

enhanced status code) from the original Postfix reject message.

13157

13158

13159

This feature is available in Postfix 2.8 and later.

13160

13161

13162

</DD>

13163

11983

13164

<DT><a name="smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a>

11984

13165

(default: yes)</DT><DD>

11985

13166

12433

13614

12434

13615

<dd>Reject the request when the MAIL FROM domain is listed with

12435

13616

the A record "d.d.d.d" under rbl_domain (Postfix

12436

version 2.1 and later only). If no "=d.d.d.d" is specified,

13617

version 2.1 and later only). Each "d" is a number, or a

13618

pattern inside "[]" that contains one or more ";"-separated numbers

13619

or number..number ranges (Postfix version 2.8 and later). If no

13620

"=d.d.d.d" is specified,

12437

13621

reject the request when the MAIL FROM domain is

12438

13622

listed with any A record under rbl_domain. The

12439

13623

<a href="postconf.5.html#maps_rbl_reject_code">maps_rbl_reject_code</a> parameter specifies the response code for

12526

13710

12527

13711

</DD>

12528

13712

13713

<DT><a name="smtpd_service_name">smtpd_service_name</a>

13714

(default: smtpd)</DT><DD>

13715

13716

The internal service that <a href="postscreen.8.html">postscreen(8)</a> forwards allowed

13717

connections to. In a future version there may be different

13718

classes of SMTP service.

13719

13720

This feature is available in Postfix 2.8.

13721

13722

13723

</DD>

13724

12529

13725

<DT><a name="smtpd_soft_error_limit">smtpd_soft_error_limit</a>

12530

13726

(default: 10)</DT><DD>

12531

13727

12549

13745

</DD>

12550

13746

12551

13747

<DT><a name="smtpd_starttls_timeout">smtpd_starttls_timeout</a>

12552

(default: 300s)</DT><DD>

13748

(default: see "postconf -d" output)</DT><DD>

12553

13749

12554

13750

The time limit for Postfix SMTP server write and read operations

12555

during TLS startup and shutdown handshake procedures.

13751

during TLS startup and shutdown handshake procedures. The current

13752

default value is stress-dependent. Before Postfix version 2.8, it

13753

was fixed at 300s.

12556

13754

12557

13755

This feature is available in Postfix 2.2 and later.

12558

13756

12560

13758

</DD>

12561

13759

12562

13760

<DT><a name="smtpd_timeout">smtpd_timeout</a>

12563

(default: normal: 300s, stress: 10s)</DT><DD>

13761

(default: normal: 300s, overload: 10s)</DT><DD>

12564

13762

12565

13763

12566

13764

The time limit for sending a Postfix SMTP server response and for

12567

13765

receiving a remote SMTP client request. Normally the default limit

12568

is 300s, but it changes under overload to just 10s with Postfix 2.6

12569

and later.

13766

is 300s, but it changes under overload to just 10s. With Postfix

13767

2.5 and earlier, the SMTP server always uses a time limit of 300s

13768

by default.

12570

13769

12571

13770

12572

13771

12595

13794

but it is best to include all the required certificates directly in the

12596

13795

server certificate file.

12597

13796

13797

Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from

13798

appending the system-supplied default CAs and trusting third-party

13799

certificates.

13800

12598

13801

By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are not

12599

13802

requested, and <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> should remain empty. If you do make use

12600

13803

of client certificates, the distinguished names (DNs) of the certificate

12626

13829

<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> in chroot mode, this directory (or a copy) must be

12627

13830

inside the chroot jail.

12628

13831

13832

Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" to prevent Postfix from

13833

appending the system-supplied default CAs and trusting third-party

13834

certificates.

13835

12629

13836

By default (see <a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>), client certificates are

12630

13837

not requested, and <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> should remain empty. In contrast

12631

13838

to <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>, DNs of certificate authorities installed

12970

14177

<dl>

12971

14178

12972

14179

<dt>none</dt> <dd> Don't use EECDH. Ciphers based on EECDH key

12973

exchange will be disabled. This is the default in official Postfix

12974

releases (<a href="postconf.5.html#mail_version">mail_version</a> = major.minor.patchlevel). </dd>

14180

exchange will be disabled. This is the default in Postfix versions

14181

2.6 and 2.7. </dd>

12975

14182

12976

14183

<dt>strong</dt> <dd> Use EECDH with approximately 128

12977

14184

bits of security at a reasonable computational cost. This is the

12978

14185

current best-practice trade-off between security and computational

12979

efficiency. This is the default in Postfix snapshot releases

12980

(<a href="postconf.5.html#mail_version">mail_version</a> = major.minor-releasedate). </dd>

14186

efficiency. This is the default in Postfix version 2.8 and later.

14187

</dd>

12981

14188

12982

14189

<dt>ultra</dt> <dd> Use EECDH with approximately 192 bits of

12983

14190

security at computational cost that is approximately twice as high

13739

14946

13740

14947

</DD>

13741

14948

14949

<DT><a name="tls_append_default_CA">tls_append_default_CA</a>

14950

(default: no)</DT><DD>

14951

14952

Append the system-supplied default certificate authority

14953

certificates to the ones specified with *_tls_CApath or *_tls_CAfile.

14954

The default is "no"; this prevents Postfix from trusting third-party

14955

certificates and giving them relay permission with

14956

<a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>.

14957

14958

This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8,

14959

2.7.2 and later versions. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = yes" for

14960

backwards compatibility, to avoid breaking certificate verification

14961

with sites that don't use <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a>.

14962

14963

14964

</DD>

14965

13742

14966

<DT><a name="tls_daemon_random_bytes">tls_daemon_random_bytes</a>

13743

14967

(default: 32)</DT><DD>

13744

14968

13753

14977

13754

14978

</DD>

13755

14979

14980

<DT><a name="tls_disable_workarounds">tls_disable_workarounds</a>

14981

(default: see "postconf -d" output)</DT><DD>

14982

14983

List or bit-mask of OpenSSL bug work-arounds to disable.

14984

14985

The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS

14986

implementations. Applications, such as Postfix, that want to maximize

14987

interoperability ask the OpenSSL library to enable the full set of

14988

recommended work-arounds.

14989

14990

From time to time, it is discovered that a work-around creates a

14991

security issue, and should no longer be used. If upgrading OpenSSL

14992

to a fixed version is not an option or an upgrade is not available

14993

in a timely manner, or in closed environments where no buggy clients

14994

or servers exist, it may be appropriate to disable some or all of the

14995

OpenSSL interoperability work-arounds. This parameter specifies which

14996

bug work-arounds to disable.

14997

14998

If the value of the parameter is a hexadecimal long integer starting

14999

with "0x", the bug work-arounds corresponding to the bits specified in

15000

its value are removed from the SSL_OP_ALL work-around bit-mask

15001

(see openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more

15002

bits than are present in SSL_OP_ALL, excess bits are ignored. Specifying

15003

0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should

15004

also be sufficient on 64-bit systems, until OpenSSL abandons support

15005

for 32-bit systems and starts using the high 32 bits of a 64-bit

15006

bug-workaround mask.

15007

15008

Otherwise, the parameter is a white-space or comma separated list

15009

of specific named bug work-arounds chosen from the list below. It

15010

is possible that your OpenSSL version includes new bug work-arounds

15011

added after your Postfix source code was last updated, in that case

15012

you can only disable one of these via the hexadecimal syntax above.

15013

15014

<dl>

15015

15016

<dt>MICROSOFT_SESS_ID_BUG</dt> <dd>See SSL_CTX_set_options(3)</dd>

15017

15018

<dt>NETSCAPE_CHALLENGE_BUG</dt> <dd>See SSL_CTX_set_options(3)</dd>

15019

15020

<dt>LEGACY_SERVER_CONNECT</dt> <dd>See SSL_CTX_set_options(3)</dd>

15021

15022

<dt>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</dt> <dd> also aliased

15023

as CVE-2010-4180. Postfix 2.8 disables this work-around by

15024

default with OpenSSL versions that may predate the fix. Fixed in

15025

OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>

15026

15027

<dt>SSLREF2_REUSE_CERT_TYPE_BUG</dt> <dd>See

15028

SSL_CTX_set_options(3)</dd>

15029

15030

<dt>MICROSOFT_BIG_SSLV3_BUFFER</dt> <dd>See

15031

SSL_CTX_set_options(3)</dd>

15032

15033

<dt>MSIE_SSLV2_RSA_PADDING</dt> <dd> also aliased as

15034

CVE-2005-2969. Postfix 2.8 disables this work-around by

15035

default with OpenSSL versions that may predate the fix. Fixed in

15036

OpenSSL 0.9.7h and OpenSSL 0.9.8a.</dd>

15037

15038

<dt>SSLEAY_080_CLIENT_DH_BUG</dt> <dd>See

15039

SSL_CTX_set_options(3)</dd>

15040

15041

<dt>TLS_D5_BUG</dt> <dd>See SSL_CTX_set_options(3)</dd>

15042

15043

<dt>TLS_BLOCK_PADDING_BUG</dt> <dd>See SSL_CTX_set_options(3)</dd>

15044

15045

<dt>TLS_ROLLBACK_BUG</dt> <dd>See SSL_CTX_set_options(3).

15046

This is disabled in OpenSSL 0.9.7 and later. Nobody should still

15047

be using 0.9.6! </dd>

15048

15049

<dt>DONT_INSERT_EMPTY_FRAGMENTS</dt> <dd>See

15050

SSL_CTX_set_options(3)</dd>

15051

15052

<dt>CRYPTOPRO_TLSEXT_BUG</dt> <dd>New with GOST support in

15053

OpenSSL 1.0.0.</dd>

15054

15055

</dl>

15056

15057

This feature is available in Postfix 2.8 and later.

15058

15059

15060

</DD>

15061

13756

15062

<DT><a name="tls_eecdh_strong_curve">tls_eecdh_strong_curve</a>

13757

15063

(default: prime256v1)</DT><DD>

13758

15064

13890

15196

13891

15197

</DD>

13892

15198

15199

<DT><a name="tls_preempt_cipherlist">tls_preempt_cipherlist</a>

15200

(default: no)</DT><DD>

15201

15202

With SSLv3 and later, use the server's cipher preference order

15203

instead of the client's cipher preference order.

15204

15205

By default, the OpenSSL server selects the client's most preferred

15206

cipher that the server supports. With SSLv3 and later, the server may

15207

choose its own most preferred cipher that is supported (offered) by

15208

the client. Setting "<a href="postconf.5.html#tls_preempts_cipherlist">tls_preempt_cipherlist</a> = yes" enables server cipher

15209

preferences.

15210

15211

While server cipher selection may in some cases lead to a more secure

15212

or performant cipher choice, there is some risk of interoperability

15213

issues. In the past, some SSL clients have listed lower priority ciphers

15214

that they did not implement correctly. If the server chooses a cipher

15215

that the client prefers less, it may select a cipher whose client

15216

implementation is flawed.

15217

15218

This feature is available in Postfix 2.8 and later, in combination

15219

with OpenSSL 0.9.7 and later.

15220

15221

15222

</DD>

15223

13893

15224

<DT><a name="tls_random_bytes">tls_random_bytes</a>

13894

15225

(default: 32)</DT><DD>

13895

15226

13966

15297

13967

15298

</DD>

13968

15299

15300

<DT><a name="tlsproxy_enforce_tls">tlsproxy_enforce_tls</a>

15301

(default: $<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</DT><DD>

15302

15303

Mandatory TLS: announce STARTTLS support to SMTP clients, and

15304

require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> for

15305

further details.

15306

15307

This feature is available in Postfix 2.8 and later.

15308

15309

15310

</DD>

15311

15312

<DT><a name="tlsproxy_service_name">tlsproxy_service_name</a>

15313

(default: tlsproxy)</DT><DD>

15314

15315

The name of the <a href="tlsproxy.8.html">tlsproxy(8)</a> service entry in <a href="master.5.html">master.cf</a>. This

15316

service performs plaintext <=> TLS ciphertext conversion.

15317

15318

This feature is available in Postfix 2.8 and later.

15319

15320

15321

</DD>

15322

15323

<DT><a name="tlsproxy_tls_CAfile">tlsproxy_tls_CAfile</a>

15324

(default: $<a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a>)</DT><DD>

15325

15326

A file containing (PEM format) CA certificates of root CAs

15327

trusted to sign either remote SMTP client certificates or intermediate

15328

CA certificates. See <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> for further details.

15329

15330

This feature is available in Postfix 2.8 and later.

15331

15332

15333

</DD>

15334

15335

<DT><a name="tlsproxy_tls_CApath">tlsproxy_tls_CApath</a>

15336

(default: $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>)</DT><DD>

15337

15338

A directory containing (PEM format) CA certificates of root CAs

15339

trusted to sign either remote SMTP client certificates or intermediate

15340

CA certificates. See <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> for further details.

15341

15342

This feature is available in Postfix 2.8 and later.

15343

15344

15345

</DD>

15346

15347

<DT><a name="tlsproxy_tls_always_issue_session_ids">tlsproxy_tls_always_issue_session_ids</a>

15348

(default: $<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a>)</DT><DD>

15349

15350

Force the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server to issue a TLS session id,

15351

even when TLS session caching is turned off. See

15352

<a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> for further details.

15353

15354

This feature is available in Postfix 2.8 and later.

15355

15356

15357

</DD>

15358

15359

<DT><a name="tlsproxy_tls_ask_ccert">tlsproxy_tls_ask_ccert</a>

15360

(default: $<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a>)</DT><DD>

15361

15362

Ask a remote SMTP client for a client certificate. See

15363

<a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> for further details.

15364

15365

This feature is available in Postfix 2.8 and later.

15366

15367

15368

</DD>

15369

15370

<DT><a name="tlsproxy_tls_ccert_verifydepth">tlsproxy_tls_ccert_verifydepth</a>

15371

(default: $<a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a>)</DT><DD>

15372

15373

The verification depth for remote SMTP client certificates. A

15374

depth of 1 is sufficient if the issuing CA is listed in a local CA

15375

file. See <a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> for further details.

15376

15377

This feature is available in Postfix 2.8 and later.

15378

15379

15380

</DD>

15381

15382

<DT><a name="tlsproxy_tls_cert_file">tlsproxy_tls_cert_file</a>

15383

(default: $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</DT><DD>

15384

15385

File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server RSA certificate in PEM

15386

format. This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server

15387

private RSA key. See <a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> for further details.

15388

15389

This feature is available in Postfix 2.8 and later.

15390

15391

15392

</DD>

15393

15394

<DT><a name="tlsproxy_tls_ciphers">tlsproxy_tls_ciphers</a>

15395

(default: $<a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>)</DT><DD>

15396

15397

The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server

15398

will use with opportunistic TLS encryption. See <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>

15399

for further details.

15400

15401

This feature is available in Postfix 2.8 and later.

15402

15403

15404

</DD>

15405

15406

<DT><a name="tlsproxy_tls_dcert_file">tlsproxy_tls_dcert_file</a>

15407

(default: $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</DT><DD>

15408

15409

File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server DSA certificate in PEM

15410

format. This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server

15411

private DSA key. See <a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> for further details.

15412

15413

15414

This feature is available in Postfix 2.8 and later.

15415

15416

15417

</DD>

15418

15419

<DT><a name="tlsproxy_tls_dh1024_param_file">tlsproxy_tls_dh1024_param_file</a>

15420

(default: $<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a>)</DT><DD>

15421

15422

File with DH parameters that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server

15423

should use with EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> for

15424

further details.

15425

15426

This feature is available in Postfix 2.8 and later.

15427

15428

15429

</DD>

15430

15431

<DT><a name="tlsproxy_tls_dh512_param_file">tlsproxy_tls_dh512_param_file</a>

15432

(default: $<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a>)</DT><DD>

15433

15434

File with DH parameters that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server

15435

should use with EDH ciphers. See <a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> for

15436

further details.

15437

15438

This feature is available in Postfix 2.8 and later.

15439

15440

15441

</DD>

15442

15443

<DT><a name="tlsproxy_tls_dkey_file">tlsproxy_tls_dkey_file</a>

15444

(default: $<a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a>)</DT><DD>

15445

15446

File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server DSA private key in PEM

15447

format. This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>

15448

server DSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>.

15449

See <a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> for further details.

15450

15451

This feature is available in Postfix 2.8 and later.

15452

15453

15454

</DD>

15455

15456

<DT><a name="tlsproxy_tls_eccert_file">tlsproxy_tls_eccert_file</a>

15457

(default: $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>)</DT><DD>

15458

15459

File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server ECDSA certificate in

15460

PEM format. This file may also contain the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>

15461

server private ECDSA key. See <a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> for further

15462

details.

15463

15464

This feature is available in Postfix 2.8 and later.

15465

15466

15467

</DD>

15468

15469

<DT><a name="tlsproxy_tls_eckey_file">tlsproxy_tls_eckey_file</a>

15470

(default: $<a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a>)</DT><DD>

15471

15472

File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server ECDSA private key in

15473

PEM format. This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>

15474

server ECDSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a>.

15475

See <a href="postconf.5.html#smtpd_tls_eckey_file">smtpd_tls_eckey_file</a> for further details.

15476

15477

This feature is available in Postfix 2.8 and later.

15478

15479

15480

</DD>

15481

15482

<DT><a name="tlsproxy_tls_eecdh_grade">tlsproxy_tls_eecdh_grade</a>

15483

(default: $<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a>)</DT><DD>

15484

15485

The Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server security grade for ephemeral

15486

elliptic-curve Diffie-Hellman (EECDH) key exchange. See

15487

<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> for further details.

15488

15489

This feature is available in Postfix 2.8 and later.

15490

15491

15492

</DD>

15493

15494

<DT><a name="tlsproxy_tls_exclude_ciphers">tlsproxy_tls_exclude_ciphers</a>

15495

(default: $<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a>)</DT><DD>

15496

15497

List of ciphers or cipher types to exclude from the <a href="tlsproxy.8.html">tlsproxy(8)</a>

15498

server cipher list at all TLS security levels. See

15499

<a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> for further details.

15500

15501

This feature is available in Postfix 2.8 and later.

15502

15503

15504

</DD>

15505

15506

<DT><a name="tlsproxy_tls_fingerprint_digest">tlsproxy_tls_fingerprint_digest</a>

15507

(default: $<a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a>)</DT><DD>

15508

15509

The message digest algorithm used to construct client-certificate

15510

fingerprints. See <a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> for further details.

15511

15512

15513

This feature is available in Postfix 2.8 and later.

15514

15515

15516

</DD>

15517

15518

<DT><a name="tlsproxy_tls_key_file">tlsproxy_tls_key_file</a>

15519

(default: $<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a>)</DT><DD>

15520

15521

File with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server RSA private key in PEM

15522

format. This file may be combined with the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a>

15523

server RSA certificate file specified with $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>.

15524

See <a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> for further details.

15525

15526

This feature is available in Postfix 2.8 and later.

15527

15528

15529

</DD>

15530

15531

<DT><a name="tlsproxy_tls_loglevel">tlsproxy_tls_loglevel</a>

15532

(default: $<a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a>)</DT><DD>

15533

15534

Enable additional Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server logging of TLS

15535

activity. Each logging level also includes the information that

15536

is logged at a lower logging level. See <a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> for

15537

further details.

15538

15539

This feature is available in Postfix 2.8 and later.

15540

15541

15542

</DD>

15543

15544

<DT><a name="tlsproxy_tls_mandatory_ciphers">tlsproxy_tls_mandatory_ciphers</a>

15545

(default: $<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>)</DT><DD>

15546

15547

The minimum TLS cipher grade that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server

15548

will use with mandatory TLS encryption. See <a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>

15549

for further details.

15550

15551

This feature is available in Postfix 2.8 and later.

15552

15553

15554

</DD>

15555

15556

<DT><a name="tlsproxy_tls_mandatory_exclude_ciphers">tlsproxy_tls_mandatory_exclude_ciphers</a>

15557

(default: $<a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a>)</DT><DD>

15558

15559

Additional list of ciphers or cipher types to exclude from the

15560

<a href="tlsproxy.8.html">tlsproxy(8)</a> server cipher list at mandatory TLS security levels.

15561

See <a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> for further details.

15562

15563

This feature is available in Postfix 2.8 and later.

15564

15565

15566

</DD>

15567

15568

<DT><a name="tlsproxy_tls_mandatory_protocols">tlsproxy_tls_mandatory_protocols</a>

15569

(default: $<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a>)</DT><DD>

15570

15571

The SSL/TLS protocols accepted by the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server

15572

with mandatory TLS encryption. If the list is empty, the server

15573

supports all available SSL/TLS protocol versions. See

15574

<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> for further details.

15575

15576

This feature is available in Postfix 2.8 and later.

15577

15578

15579

</DD>

15580

15581

<DT><a name="tlsproxy_tls_protocols">tlsproxy_tls_protocols</a>

15582

(default: $<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a>)</DT><DD>

15583

15584

List of TLS protocols that the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server will

15585

exclude or include with opportunistic TLS encryption. See

15586

<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> for further details.

15587

15588

This feature is available in Postfix 2.8 and later.

15589

15590

15591

</DD>

15592

15593

<DT><a name="tlsproxy_tls_req_ccert">tlsproxy_tls_req_ccert</a>

15594

(default: $<a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a>)</DT><DD>

15595

15596

With mandatory TLS encryption, require a trusted remote SMTP

15597

client certificate in order to allow TLS connections to proceed.

15598

See <a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> for further details.

15599

15600

This feature is available in Postfix 2.8 and later.

15601

15602

15603

</DD>

15604

15605

<DT><a name="tlsproxy_tls_security_level">tlsproxy_tls_security_level</a>

15606

(default: $<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</DT><DD>

15607

15608

The SMTP TLS security level for the Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server;

15609

when a non-empty value is specified, this overrides the obsolete

15610

parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. See

15611

<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> for further details.

15612

15613

This feature is available in Postfix 2.8 and later.

15614

15615

15616

</DD>

15617

15618

<DT><a name="tlsproxy_tls_session_cache_timeout">tlsproxy_tls_session_cache_timeout</a>

15619

(default: $<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a>)</DT><DD>

15620

15621

The expiration time of Postfix <a href="tlsproxy.8.html">tlsproxy(8)</a> server TLS session

15622

cache information. A cache cleanup is performed periodically every

15623

$<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> seconds. See

15624

<a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> for further details.

15625

15626

This feature is available in Postfix 2.8 and later.

15627

15628

15629

</DD>

15630

15631

<DT><a name="tlsproxy_use_tls">tlsproxy_use_tls</a>

15632

(default: $<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</DT><DD>

15633

15634

Opportunistic TLS: announce STARTTLS support to SMTP clients,

15635

but do not require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>

15636

for further details.

15637

15638

This feature is available in Postfix 2.8 and later.

15639

15640

15641

</DD>

15642

15643

<DT><a name="tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a>

15644

(default: 10s)</DT><DD>

15645

15646

How much time a <a href="tlsproxy.8.html">tlsproxy(8)</a> process may take to process local

15647

or remote I/O before it is terminated by a built-in watchdog timer.

15648

This is a safety mechanism that prevents <a href="tlsproxy.8.html">tlsproxy(8)</a> from becoming

15649

non-responsive due to a bug in Postfix itself or in system software.

15650

To avoid false alarms and unnecessary cache corruption this limit

15651

cannot be set under 10s.

15652

15653

Specify a non-zero time value (an integral value plus an optional

15654

one-letter suffix that specifies the time unit). Time units: s

15655

(seconds), m (minutes), h (hours), d (days), w (weeks).

15656

15657

This feature is available in Postfix 2.8.

15658

15659

15660

</DD>

15661

13969

15662

<DT><a name="trace_service_name">trace_service_name</a>

13970

15663

(default: trace)</DT><DD>

13971

15664

14226

15919

</DD>

14227

15920

14228

15921

<DT><a name="undisclosed_recipients_header">undisclosed_recipients_header</a>

14229

(default: To: undisclosed-recipients:;)</DT><DD>

15922

(default: see "postconf -d" output)</DT><DD>

14230

15923

14231

15924

14232

15925

Message header that the Postfix <a href="cleanup.8.html">cleanup(8)</a> server inserts when a

14233

message contains no To: or Cc: message header. With Postfix 2.4

14234

and later, specify an empty value to disable this feature.

15926

message contains no To: or Cc: message header. With Postfix 2.8

15927

and later, the default value is empty. With Postfix 2.4-2.7,

15928

specify an empty value to disable this feature.

15929

15930

Example:

15931

15932

<pre>

15933

# Default value before Postfix 2.8.

15934

# Note: the ":" and ";" are both required.

15935

<a href="postconf.5.html#undisclosed_recipients_header">undisclosed_recipients_header</a> = To: undisclosed-recipients:;

15936

</pre>

14235

15937

14236

15938

14237

15939

</DD>

Older »