<p> This feature is available in Postfix 2.7, and as an optional
patch for Postfix 2.6. </p>

%PARAM postscreen_cache_map btree:$data_directory/postscreen_cache

<p> Persistent storage for the postscreen(8) server decisions. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM smtpd_service_name smtpd

<p> The internal service that postscreen(8) forwards allowed
connections to. In a future version there may be different
classes of SMTP service. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_post_queue_limit $default_process_limit

<p> The number of clients that can be waiting for service from a
real SMTP server process. When this queue is full, all clients will
receive a 421 response. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_pre_queue_limit $default_process_limit

<p> The number of non-whitelisted clients that can be waiting for
a decision whether they will receive service from a real SMTP server
process. When this queue is full, all non-whitelisted clients will
receive a 421 response. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_greet_ttl 1d

<p> The amount of time that postscreen(8) will use the result from
a successful PREGREET test. During this time, the client IP address
is excluded from this test. The default is relatively short, because
a good client can immediately talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_cache_retention_time 7d

<p> The amount of time that postscreen(8) will cache an expired
temporary whitelist entry before it is removed. This prevents clients
from being logged as "NEW" just because their cache entry expired
an hour ago. It also prevents the cache from filling up with clients
that passed some deep protocol test once and never came back. </p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_cache_cleanup_interval 12h

<p> The amount of time between postscreen(8) cache cleanup runs.
Cache cleanup increases the load on the cache database and should
therefore not be run frequently. This feature requires that the
cache database supports the "delete" and "sequence" operators.
Specify a zero interval to disable cache cleanup. </p>

<p> After each cache cleanup run, the postscreen(8) daemon logs the
number of entries that were retained and dropped. A cleanup run is
logged as "partial" when the daemon terminates early after "<b>postfix
reload</b>", "<b>postfix stop</b>", or no requests for $max_idle

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_greet_wait ${stress?2}${stress:6}s

<p> The amount of time that postscreen(8) will wait for an SMTP
client to send a command before its turn, and for DNS blocklist
lookup results to arrive (default: up to 2 seconds under stress,
up to 6 seconds otherwise). </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). </p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
(weeks). </p>

<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_dnsbl_sites

<p>Optional list of DNS white/blacklist domains, filters and weight
factors. When the list is non-empty, the dnsblog(8) daemon will
query these domains with the IP addresses of remote SMTP clients,
and postscreen(8) will update an SMTP client's DNSBL score with
each non-error reply. </p>

<p> Caution: when postscreen rejects mail, it replies with the DNSBL
domain name. Use the postscreen_dnsbl_reply_map feature to hide
"password" information in DNSBL domain names. </p>

<p> When a client's score is equal to or greater than the threshold
specified with postscreen_dnsbl_threshold, postscreen(8) can drop
the connection with the SMTP client. </p>

<p> Specify a list of domain=filter*weight entries, separated by
comma or whitespace. </p>

<ul>

<li> <p> When no "=filter" is specified, postscreen(8) will use any
non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL
replies that match the filter. The filter has the form d.d.d.d,
where each d is a number, or a pattern inside [] that contains one
or more ";"-separated numbers or number..number ranges. </p>

<li> <p> When no "*weight" is specified, postscreen(8) increments
the SMTP client's DNSBL score by 1. Otherwise, the weight must be
an integral number, and postscreen(8) adds the specified weight to
the SMTP client's DNSBL score. Specify a negative number for

<li> <p> When one postscreen_dnsbl_sites entry produces multiple
DNSBL responses, postscreen(8) applies the weight at most once.
</p>

</ul>

<p> To use example.com as a high-confidence blocklist, and to
block mail with example.net and example.org only when both agree:
</p>

<pre>
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = example.com*2, example.net, example.org
</pre>

<p> To filter only DNSBL replies containing 127.0.0.4: </p>

<pre>
postscreen_dnsbl_sites = example.com=127.0.0.4
</pre>

<p> This feature is available in Postfix 2.8. </p>
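<p> The scoring rules above, as an added example that is not part of the Postfix documentation or source: a Python model that parses postscreen_dnsbl_sites entries, matches DNSBL replies against the d.d.d.d filter syntax, applies each entry's weight at most once, compares the score with postscreen_dnsbl_threshold, and performs the postscreen_dnsbl_reply_map lookup on the domain name that a reject reply would disclose. The DNSBL replies and the dnswl.example domain are constructed sample data. </p>

```python
# Added example (not Postfix code): a model of how postscreen(8) turns
# postscreen_dnsbl_sites entries and DNSBL replies into a client score.
import re


def parse_sites(value):
    """Parse 'domain=filter*weight' entries separated by comma or whitespace.
    Returns (domain, filter or None, weight) tuples. A missing "*weight"
    means 1; a negative weight lowers the score (whitelisting)."""
    sites = []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        weight = 1
        if "*" in entry:
            entry, weight_text = entry.rsplit("*", 1)
            weight = int(weight_text)  # must be an integral number
        filt = None
        if "=" in entry:
            entry, filt = entry.split("=", 1)
        sites.append((entry, filt, weight))
    return sites


def _split_filter(filt):
    """Split a filter on '.' but not inside [...], where ranges use '..'."""
    parts, current, depth = [], "", 0
    for ch in filt:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "." and depth == 0:
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts


def filter_matches(filt, reply):
    """Match a DNSBL A record against a d.d.d.d filter: each d is a number
    or a [...] pattern of ';'-separated numbers or number..number ranges."""
    patterns, octets = _split_filter(filt), reply.split(".")
    if len(patterns) != 4 or len(octets) != 4:
        return False
    for pattern, octet in zip(patterns, octets):
        value = int(octet)
        if pattern.startswith("[") and pattern.endswith("]"):
            matched = False
            for alternative in pattern[1:-1].split(";"):
                if ".." in alternative:
                    low, high = alternative.split("..", 1)
                    matched |= int(low) <= value <= int(high)
                else:
                    matched |= value == int(alternative)
            if not matched:
                return False
        elif int(pattern) != value:
            return False
    return True


def dnsbl_score(sites, replies):
    """Add up the weights of entries that got a matching non-error reply.
    replies maps a DNSBL domain to the A records it returned for the client.
    When one entry yields several matching replies, its weight counts once."""
    score = 0
    for domain, filt, weight in sites:
        answers = replies.get(domain, [])
        if any(filt is None or filter_matches(filt, a) for a in answers):
            score += weight
    return score


def over_threshold(score, threshold):
    """postscreen_dnsbl_threshold is an inclusive lower bound."""
    return score >= threshold


def disclosed_name(domain, reply_map):
    """Domain name a reject reply would carry: the mapped name when
    postscreen_dnsbl_reply_map has an entry, else the actual domain."""
    return reply_map.get(domain, domain)
```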
%PARAM postscreen_dnsbl_action ignore

<p>The action that postscreen(8) takes when an SMTP client's combined
DNSBL score is equal to or greater than a threshold (as defined
with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold
parameters). Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Repeat this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_greet_action ignore

<p>The action that postscreen(8) takes when an SMTP client speaks
before its turn within the time specified with the postscreen_greet_wait
parameter. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Repeat this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> In either case, postscreen(8) will not whitelist the SMTP client

<p> This feature is available in Postfix 2.8. </p>
#%PARAM postscreen_whitelist_networks $mynetworks

#<p> Network addresses that are permanently whitelisted, and that
#will not be subjected to postscreen(8) checks. This parameter uses
#the same address syntax as the mynetworks parameter. This feature
#never uses the remote SMTP client hostname. </p>

#<p> This feature is available in Postfix 2.8. </p>

#%PARAM postscreen_blacklist_networks

#<p> Network addresses that are permanently blacklisted; see the
#postscreen_blacklist_action parameter for possible actions. This
#parameter uses the same address syntax as the mynetworks parameter.
#The blacklist has higher precedence than whitelists. This feature
#never uses the remote SMTP client hostname. </p>

#<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_access_list permit_mynetworks

<p> Permanent white/blacklist for remote SMTP client IP addresses.
postscreen(8) searches this list immediately after a remote SMTP
client connects. Specify a comma- or whitespace-separated list of
commands (in upper or lower case) or lookup tables. The search stops
upon the first command that fires for the client IP address. </p>

<dl>

<dt> <b> permit_mynetworks </b> </dt> <dd> Whitelist the client and
terminate the search if the client IP address matches $mynetworks.
Do not subject the client to any before/after 220 greeting tests.
Pass the connection immediately to a Postfix SMTP server process.
</dd>

<dt> <b> type:table </b> </dt> <dd> Query the specified lookup
table. Each table lookup result is an access list, except that
access lists inside a table cannot specify type:table entries. <br>
To discourage the use of hash, btree, etc. tables, there is no
support for substring matching like smtpd(8). Use CIDR tables

<dt> <b> permit </b> </dt> <dd> Whitelist the client and terminate
the search. Do not subject the client to any before/after 220
greeting tests. Pass the connection immediately to a Postfix SMTP
server process. </dd>

<dt> <b> reject </b> </dt> <dd> Blacklist the client and terminate
the search. Subject the client to the action configured with the
postscreen_blacklist_action configuration parameter. </dd>

<dt> <b> dunno </b> </dt> <dd> All postscreen(8) access lists
implicitly have this command at the end. <br> When <b> dunno </b>
is executed inside a lookup table, return from the lookup table and
evaluate the next command. <br> When <b> dunno </b> is executed
outside a lookup table, terminate the search, and subject the client
to the configured before/after 220 greeting tests. </dd>

</dl>

<pre>
/etc/postfix/main.cf:
    postscreen_access_list = permit_mynetworks,
        cidr:/etc/postfix/postscreen_access.cidr
</pre>

<pre>
/etc/postfix/postscreen_access.cidr:
    # Rules are evaluated in the order as specified.
    # Blacklist 192.168.* except 192.168.0.1.
    192.168.0.0/16      reject
</pre>

<p> This feature is available in Postfix 2.8. </p>
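<p> The search semantics above, as an added example that is not part of the Postfix documentation or source: a Python model of postscreen_access_list evaluation with first-match cidr: table lookups, the two meanings of dunno (inside a table: return and continue; outside: stop and run the tests), and the implicit dunno at the end of every list. The $mynetworks value and the "192.168.0.1 dunno" rule that realises the comment in the table above are constructed sample data. </p>

```python
# Added example (not Postfix code): a model of postscreen_access_list
# evaluation, including cidr: table lookups and the two meanings of dunno.
import re
from ipaddress import ip_address, ip_network


def split_list(value):
    """Comma- or whitespace-separated list, as in main.cf."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def parse_cidr_table(text):
    """Parse a cidr: table body into ordered (network, result) rules.
    Lines are 'pattern result'; '#' starts a comment; a bare address is
    treated as a host network (/32 or /128)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, result = line.split(None, 1)
        rules.append((ip_network(pattern, strict=False), result.strip()))
    return rules


def lookup_cidr(rules, client):
    """Return the result of the first rule whose network contains client."""
    addr = ip_address(client)
    for network, result in rules:
        if addr in network:
            return result
    return None


def evaluate(access_list, client, mynetworks, tables, inside_table=False):
    """Walk the access list; the first command that fires ends the search.
    Returns "permit" (whitelisted, no 220 greeting tests), "reject"
    (blacklisted, postscreen_blacklist_action applies) or "dunno" (subject
    the client to the configured tests). Inside a table, None means
    "return from the table and evaluate the next command"."""
    addr = ip_address(client)
    for command in split_list(access_list):
        name = command.lower()  # commands are accepted in upper or lower case
        if name == "permit_mynetworks":
            if any(addr in ip_network(n, strict=False) for n in mynetworks):
                return "permit"
        elif name == "permit":
            return "permit"
        elif name == "reject":
            return "reject"
        elif name == "dunno":
            return None if inside_table else "dunno"
        elif ":" in command:  # type:table
            if inside_table:
                raise ValueError("type:table is not allowed inside a table")
            result = lookup_cidr(tables[command], client)
            if result is not None:
                nested = evaluate(result, client, mynetworks, tables, True)
                if nested is not None:
                    return nested
        else:
            raise ValueError("unknown access list command: " + command)
    # Every access list implicitly ends with dunno.
    return None if inside_table else "dunno"


# Constructed sample configuration, following the main.cf example above.
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]
ACCESS_LIST = "permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"
TABLES = {
    "cidr:/etc/postfix/postscreen_access.cidr": parse_cidr_table("""
        # Rules are evaluated in the order as specified.
        # Blacklist 192.168.* except 192.168.0.1.
        192.168.0.1         dunno
        192.168.0.0/16      reject
    """),
}


def decide(client):
    """Disposition of one connecting client under the sample configuration."""
    return evaluate(ACCESS_LIST, client, MYNETWORKS, TABLES)


if __name__ == "__main__":
    for client in ("10.1.2.3", "192.168.0.1", "192.168.5.5", "203.0.113.9"):
        print(client, decide(client))
```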
%PARAM postscreen_greet_banner $smtpd_banner

<p> The <i>text</i> in the optional "220-<i>text</i>..." server
postscreen(8) sends ahead of the real Postfix SMTP server's "220
text..." response, in an attempt to confuse bad SMTP clients so
that they speak before their turn (pre-greet). Specify an empty
value to disable this feature. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_blacklist_action ignore

<p> The action that postscreen(8) takes when an SMTP client is
permanently blacklisted with the postscreen_access_list parameter.
Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> (default) </dt>

<dd> Ignore this result. Allow other tests to complete. Repeat
this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>
%PARAM smtpd_command_filter

<p> A mechanism to transform commands from remote SMTP clients.

<p> This feature is available in Postfix 2.7 and later. </p>

%PARAM smtp_address_preference ipv6

<p> The address type ("ipv6", "ipv4" or "any") that the Postfix
SMTP client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference. This feature has no effect
unless the inet_protocols setting enables both IPv4 and IPv6. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM lmtp_address_preference ipv6

<p> The LMTP-specific version of the smtp_address_preference
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM smtp_dns_resolver_options

<p> DNS Resolver options for the Postfix SMTP client. Specify zero
or more of the following options, separated by comma or whitespace.
Option names are case-sensitive. Some options refer to domain names
that are specified in the file /etc/resolv.conf or equivalent. </p>

<dl>

<dt><b>res_defnames</b></dt>

<dd> Append the current domain name to single-component names (those
that do not contain a "." character). This can produce incorrect
results, and is the hard-coded behavior prior to Postfix 2.8. </dd>

<dt><b>res_dnsrch</b></dt>

<dd> Search for host names in the current domain and in parent
domains. This can produce incorrect results and is therefore not

</dl>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM lmtp_dns_resolver_options

<p> The LMTP-specific version of the smtp_dns_resolver_options
configuration parameter. See there for details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_dnsbl_threshold 1

<p> The inclusive lower bound for blocking an SMTP client, based on
its combined DNSBL score as defined with the postscreen_dnsbl_sites

<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_command_count_limit 20

<p> The limit on the total number of commands per SMTP session for
postscreen(8)'s built-in SMTP protocol engine. This SMTP engine
defers or rejects all attempts to deliver mail, therefore there is
no need to enforce separate limits on the number of junk commands
and error commands. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_command_time_limit ${stress?10}${stress:300}s

<p> The time limit to read an entire command line with postscreen(8)'s
built-in SMTP protocol engine. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_dnsbl_ttl 1h

<p> The amount of time that postscreen(8) will use the result from
a successful DNS blocklist test. During this time, the client IP address
is excluded from this test. The default is relatively short, because a
good client can immediately talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_pipelining_action enforce

<p> The action that postscreen(8) takes when an SMTP client sends
multiple commands instead of sending one command and waiting for
the server to respond. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_pipelining_ttl 30d

<p> The amount of time that postscreen(8) will use the result from
a successful "pipelining" SMTP protocol test. During this time, the
client IP address is excluded from this test. The default is
long because a good client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_pipelining_enable no

<p> Enable "pipelining" SMTP protocol tests in the postscreen(8)
server. These tests are expensive: a good client must disconnect
after it passes the test, before it can talk to a real Postfix SMTP

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_watchdog_timeout 10s

<p> How much time a postscreen(8) process may take to respond to
an SMTP client command or to perform a cache operation before it
is terminated by a built-in watchdog timer. This is a safety
mechanism that prevents postscreen(8) from becoming non-responsive
due to a bug in Postfix itself or in system software. To avoid
false alarms and unnecessary cache corruption this limit cannot be
set under 10s. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_helo_required $smtpd_helo_required

<p> Require that a remote SMTP client sends HELO or EHLO before
commencing a MAIL transaction. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_forbidden_commands $smtpd_forbidden_commands

<p> List of commands that the postscreen(8) server considers in
violation of the SMTP protocol. See smtpd_forbidden_commands for
syntax, and postscreen_non_smtp_command_action for possible actions.
</p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_disable_vrfy_command $disable_vrfy_command

<p> Disable the SMTP VRFY command in the postscreen(8) daemon. See
disable_vrfy_command for details. </p>

<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_non_smtp_command_action drop

<p> The action that postscreen(8) takes when an SMTP client sends
non-SMTP commands as specified with the postscreen_forbidden_commands
parameter. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. This action is the
same as with the Postfix SMTP server's smtpd_forbidden_commands

</dl>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_non_smtp_command_ttl 30d

<p> The amount of time that postscreen(8) will use the result from
a successful "non_smtp_command" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_non_smtp_command_enable no

<p> Enable "non-SMTP command" tests in the postscreen(8) server. These
tests are expensive: a client must disconnect after it passes the
test, before it can talk to a real Postfix SMTP server. </p>

<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_dnsbl_reply_map

<p> A mapping from the actual DNSBL domain name, which includes a
secret password, to the DNSBL domain name that postscreen will reply
with when it rejects mail. When no mapping is found, the actual DNSBL
domain will be used. </p>

<p> For maximal stability it is best to use a file that is read
into memory such as pcre:, regexp: or texthash: (texthash: is similar
to hash:, except a) there is no need to run postmap(1) before the
file can be used, and b) texthash: does not detect changes after
the file is read). </p>

<pre>
/etc/postfix/main.cf:
    postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
</pre>

<pre>
/etc/postfix/dnsbl_reply:
    secret.zen.spamhaus.org zen.spamhaus.org
</pre>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_bare_newline_action ignore

<p> The action that postscreen(8) takes when an SMTP client sends
a bare newline character, that is, a newline not preceded by carriage
return. Specify one of the following: </p>

<dl>

<dt> <b>ignore</b> </dt>

<dd> Ignore the failure of this test. Allow other tests to complete.
Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>

<dt> <b>enforce</b> </dt>

<dd> Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects. </dd>

<dt> <b>drop</b> </dt>

<dd> Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. </dd>

</dl>

<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_bare_newline_ttl 30d

<p> The amount of time that postscreen(8) will use the result from
a successful "bare newline" SMTP protocol test. During this
time, the client IP address is excluded from this test. The default
is long because a client must disconnect after it passes the test,
before it can talk to a real Postfix SMTP server. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_bare_newline_enable no

<p> Enable "bare newline" SMTP protocol tests in the postscreen(8)
server. These tests are expensive: a client must disconnect after
it passes the test, before it can talk to a real Postfix SMTP server.
</p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_client_connection_count_limit $smtpd_client_connection_count_limit

<p> How many simultaneous connections any client is allowed to have
with the postscreen(8) daemon. By default, this limit is the same
as with the Postfix SMTP server. Note that the triage process can
take several seconds, with the time spent in postscreen_greet_wait
delay, and with the time spent talking to the postscreen(8) built-in
dummy SMTP protocol engine. </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM dnsblog_reply_delay 0s

<p> A debugging aid to artificially delay DNS responses. </p>

<p> This feature is available in Postfix 2.8. </p>
%PARAM reset_owner_alias no

<p> Reset the local(8) delivery agent's idea of the owner-alias
attribute, when delivering mail to a child alias that does not have
its own owner alias. </p>

<p> This feature is available in Postfix 2.8 and later. With older
Postfix releases, the behavior is as if this parameter is set to

<p> As documented in aliases(5), when an alias <i>name</i> has a
companion alias named owner-<i>name</i>, delivery errors will be
reported to the owner alias instead of the sender. This configuration
is recommended for mailing lists. </p>

<p> A lesser-known property of the owner alias is that it also forces
the local(8) delivery agent to write local and remote addresses
from alias expansion to a new queue file, instead of attempting to
deliver mail to local addresses as soon as they come out of alias

<p> Writing local addresses from alias expansion to a new queue
file allows for robust handling of temporary delivery errors: errors
with one local member have no effect on deliveries to other members
of the list. On the other hand, delivery to local addresses as
soon as they come out of alias expansion is fragile: a temporary
error with one local address from alias expansion will cause the
entire alias to be expanded repeatedly until the error goes away,
or until the message expires in the queue. In that case, a problem
with one list member results in multiple message deliveries to other

<p> The default behavior of Postfix 2.8 and later is to keep the
owner-alias attribute of the parent alias, when delivering mail to
a child alias that does not have its own owner alias. Then, local
addresses from that child alias will be written to a new queue file,
and a temporary error with one local address will not affect delivery
to other mailing list members. </p>

<p> Unfortunately, older Postfix releases reset the owner-alias
attribute when delivering mail to a child alias that does not have
its own owner alias. The local(8) delivery agent then attempts to
deliver local addresses as soon as they come out of child alias
expansion. If delivery to any address from child alias expansion
fails with a temporary error condition, the entire mailing list may
be expanded repeatedly until the mail expires in the queue, resulting
in multiple deliveries of the same message to mailing list members.
</p>
%PARAM qmgr_ipc_timeout 60s

<p> The time limit for the queue manager to send or receive information
over an internal communication channel. The purpose is to break
out of deadlock situations. If the time limit is exceeded the
software either retries or aborts the operation. </p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM qmgr_daemon_timeout 1000s

<p> How much time a Postfix queue manager process may take to handle
a request before it is terminated by a built-in watchdog timer.
</p>

<p> Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds). </p>

%PARAM tls_preempt_cipherlist no

<p> With SSLv3 and later, use the server's cipher preference order
instead of the client's cipher preference order. </p>

<p> By default, the OpenSSL server selects the client's most preferred
cipher that the server supports. With SSLv3 and later, the server may
choose its own most preferred cipher that is supported (offered) by
the client. Setting "tls_preempt_cipherlist = yes" enables server cipher

<p> While server cipher selection may in some cases lead to a more secure
or performant cipher choice, there is some risk of interoperability
issues. In the past, some SSL clients have listed lower priority ciphers
that they did not implement correctly. If the server chooses a cipher
that the client prefers less, it may select a cipher whose client
implementation is flawed. </p>

<p> This feature is available in Postfix 2.8 and later, in combination
with OpenSSL 0.9.7 and later. </p>
%PARAM tls_disable_workarounds see "postconf -d" output

<p> List or bit-mask of OpenSSL bug work-arounds to disable. </p>

<p> The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS
implementations. Applications, such as Postfix, that want to maximize
interoperability ask the OpenSSL library to enable the full set of
recommended work-arounds. </p>

<p> From time to time, it is discovered that a work-around creates a
security issue, and should no longer be used. If upgrading OpenSSL
to a fixed version is not an option or an upgrade is not available
in a timely manner, or in closed environments where no buggy clients
or servers exist, it may be appropriate to disable some or all of the
OpenSSL interoperability work-arounds. This parameter specifies which
bug work-arounds to disable. </p>

<p> If the value of the parameter is a hexadecimal long integer starting
with "0x", the bug work-arounds corresponding to the bits specified in
its value are removed from the <b>SSL_OP_ALL</b> work-around bit-mask
(see openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more
bits than are present in SSL_OP_ALL; excess bits are ignored. Specifying
0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should
also be sufficient on 64-bit systems, until OpenSSL abandons support
for 32-bit systems and starts using the high 32 bits of a 64-bit
bug-workaround mask. </p>

<p> Otherwise, the parameter is a white-space or comma separated list
of specific named bug work-arounds chosen from the list below. It
is possible that your OpenSSL version includes new bug work-arounds
added after your Postfix source code was last updated; in that case
you can only disable one of these via the hexadecimal syntax above. </p>

<dl>

<dt><b>MICROSOFT_SESS_ID_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>

<dt><b>NETSCAPE_CHALLENGE_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>

<dt><b>LEGACY_SERVER_CONNECT</b></dt> <dd>See SSL_CTX_set_options(3)</dd>

<dt><b>NETSCAPE_REUSE_CIPHER_CHANGE_BUG</b></dt> <dd> also aliased
as <b>CVE-2010-4180</b>. Postfix 2.8 disables this work-around by
default with OpenSSL versions that may predate the fix. Fixed in
OpenSSL 0.9.8q and OpenSSL 1.0.0c.</dd>

<dt><b>SSLREF2_REUSE_CERT_TYPE_BUG</b></dt> <dd>See
SSL_CTX_set_options(3)</dd>

<dt><b>MICROSOFT_BIG_SSLV3_BUFFER</b></dt> <dd>See
SSL_CTX_set_options(3)</dd>

<dt><b>MSIE_SSLV2_RSA_PADDING</b></dt> <dd> also aliased as
<b>CVE-2005-2969</b>. Postfix 2.8 disables this work-around by
default with OpenSSL versions that may predate the fix. Fixed in
OpenSSL 0.9.7h and OpenSSL 0.9.8a.</dd>

<dt><b>SSLEAY_080_CLIENT_DH_BUG</b></dt> <dd>See
SSL_CTX_set_options(3)</dd>

<dt><b>TLS_D5_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>

<dt><b>TLS_BLOCK_PADDING_BUG</b></dt> <dd>See SSL_CTX_set_options(3)</dd>

<dt><b>TLS_ROLLBACK_BUG</b></dt> <dd>See SSL_CTX_set_options(3).
This is disabled in OpenSSL 0.9.7 and later. Nobody should still
be using 0.9.6! </dd>

<dt><b>DONT_INSERT_EMPTY_FRAGMENTS</b></dt> <dd>See
SSL_CTX_set_options(3)</dd>

<dt><b>CRYPTOPRO_TLSEXT_BUG</b></dt> <dd>New with GOST support in
OpenSSL 1.0.0.</dd>

</dl>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_watchdog_timeout 10s

<p> How much time a tlsproxy(8) process may take to process local
or remote I/O before it is terminated by a built-in watchdog timer.
This is a safety mechanism that prevents tlsproxy(8) from becoming
non-responsive due to a bug in Postfix itself or in system software.
To avoid false alarms and unnecessary cache corruption this limit
cannot be set under 10s. </p>

<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks). </p>

<p> This feature is available in Postfix 2.8. </p>

%PARAM postscreen_discard_ehlo_keywords $smtpd_discard_ehlo_keywords

<p> A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the postscreen(8) server will not send in the EHLO
response to a remote SMTP client. See smtpd_discard_ehlo_keywords </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_discard_ehlo_keyword_address_maps $smtpd_discard_ehlo_keyword_address_maps

<p> Lookup tables, indexed by the remote SMTP client address, with
case insensitive lists of EHLO keywords (pipelining, starttls, auth,
etc.) that the postscreen(8) server will not send in the EHLO response
to a remote SMTP client. See smtpd_discard_ehlo_keywords for details.
The table is not searched by hostname for robustness reasons. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_use_tls $smtpd_use_tls

<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. </p>

<p> This feature is available in Postfix 2.8 and later.
Preferably, use postscreen_tls_security_level instead. </p>

%PARAM postscreen_enforce_tls $smtpd_enforce_tls

<p> Mandatory TLS: announce STARTTLS support to SMTP clients, and
require that clients use TLS encryption. See smtpd_postscreen_enforce_tls </p>

<p> This feature is available in Postfix 2.8 and later.
Preferably, use postscreen_tls_security_level instead. </p>

%PARAM postscreen_tls_security_level $smtpd_tls_security_level

<p> The SMTP TLS security level for the postscreen(8) server; when
a non-empty value is specified, this overrides the obsolete parameters
postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_security_level </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_enforce_tls $smtpd_enforce_tls

<p> Mandatory TLS: announce STARTTLS support to SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_CAfile $smtpd_tls_CAfile

<p> A file containing (PEM format) CA certificates of root CAs
trusted to sign either remote SMTP client certificates or intermediate
CA certificates. See smtpd_tls_CAfile for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_CApath $smtpd_tls_CApath

<p> A directory containing (PEM format) CA certificates of root CAs
trusted to sign either remote SMTP client certificates or intermediate
CA certificates. See smtpd_tls_CApath for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_always_issue_session_ids $smtpd_tls_always_issue_session_ids

<p> Force the Postfix tlsproxy(8) server to issue a TLS session id,
even when TLS session caching is turned off. See
smtpd_tls_always_issue_session_ids for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_ask_ccert $smtpd_tls_ask_ccert

<p> Ask a remote SMTP client for a client certificate. See
smtpd_tls_ask_ccert for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_ccert_verifydepth $smtpd_tls_ccert_verifydepth

<p> The verification depth for remote SMTP client certificates. A
depth of 1 is sufficient if the issuing CA is listed in a local CA
file. See smtpd_tls_ccert_verifydepth for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_cert_file $smtpd_tls_cert_file

<p> File with the Postfix tlsproxy(8) server RSA certificate in PEM
format. This file may also contain the Postfix tlsproxy(8) server
private RSA key. See smtpd_tls_cert_file for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_ciphers $smtpd_tls_ciphers

<p> The minimum TLS cipher grade that the Postfix tlsproxy(8) server
will use with opportunistic TLS encryption. See smtpd_tls_ciphers
for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_dcert_file $smtpd_tls_dcert_file

<p> File with the Postfix tlsproxy(8) server DSA certificate in PEM
format. This file may also contain the Postfix tlsproxy(8) server
private DSA key. See smtpd_tls_dcert_file for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_dh1024_param_file $smtpd_tls_dh1024_param_file

<p> File with DH parameters that the Postfix tlsproxy(8) server
should use with EDH ciphers. See smtpd_tls_dh1024_param_file for
further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_dh512_param_file $smtpd_tls_dh512_param_file

<p> File with DH parameters that the Postfix tlsproxy(8) server
should use with EDH ciphers. See smtpd_tls_dh512_param_file for
further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_dkey_file $smtpd_tls_dkey_file

<p> File with the Postfix tlsproxy(8) server DSA private key in PEM
format. This file may be combined with the Postfix tlsproxy(8)
server DSA certificate file specified with $smtpd_tls_dcert_file.
See smtpd_tls_dkey_file for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_eccert_file $smtpd_tls_eccert_file

<p> File with the Postfix tlsproxy(8) server ECDSA certificate in
PEM format. This file may also contain the Postfix tlsproxy(8)
server private ECDSA key. See smtpd_tls_eccert_file for further </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_eckey_file $smtpd_tls_eckey_file

<p> File with the Postfix tlsproxy(8) server ECDSA private key in
PEM format. This file may be combined with the Postfix tlsproxy(8)
server ECDSA certificate file specified with $smtpd_tls_eccert_file.
See smtpd_tls_eckey_file for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_eecdh_grade $smtpd_tls_eecdh_grade

<p> The Postfix tlsproxy(8) server security grade for ephemeral
elliptic-curve Diffie-Hellman (EECDH) key exchange. See
smtpd_tls_eecdh_grade for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_exclude_ciphers $smtpd_tls_exclude_ciphers

<p> List of ciphers or cipher types to exclude from the tlsproxy(8)
server cipher list at all TLS security levels. See
smtpd_tls_exclude_ciphers for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_fingerprint_digest $smtpd_tls_fingerprint_digest

<p> The message digest algorithm used to construct client-certificate
fingerprints. See smtpd_tls_fingerprint_digest for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_key_file $smtpd_tls_key_file

<p> File with the Postfix tlsproxy(8) server RSA private key in PEM
format. This file may be combined with the Postfix tlsproxy(8)
server RSA certificate file specified with $smtpd_tls_cert_file.
See smtpd_tls_key_file for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_loglevel $smtpd_tls_loglevel

<p> Enable additional Postfix tlsproxy(8) server logging of TLS
activity. Each logging level also includes the information that
is logged at a lower logging level. See smtpd_tls_loglevel for
further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_mandatory_ciphers $smtpd_tls_mandatory_ciphers

<p> The minimum TLS cipher grade that the Postfix tlsproxy(8) server
will use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers
for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_mandatory_exclude_ciphers $smtpd_tls_mandatory_exclude_ciphers

<p> Additional list of ciphers or cipher types to exclude from the
tlsproxy(8) server cipher list at mandatory TLS security levels.
See smtpd_tls_mandatory_exclude_ciphers for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_mandatory_protocols $smtpd_tls_mandatory_protocols

<p> The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server
with mandatory TLS encryption. If the list is empty, the server
supports all available SSL/TLS protocol versions. See
smtpd_tls_mandatory_protocols for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_protocols $smtpd_tls_protocols

<p> List of TLS protocols that the Postfix tlsproxy(8) server will
exclude or include with opportunistic TLS encryption. See
smtpd_tls_protocols for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_req_ccert $smtpd_tls_req_ccert

<p> With mandatory TLS encryption, require a trusted remote SMTP
client certificate in order to allow TLS connections to proceed.
See smtpd_tls_req_ccert for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_security_level $smtpd_tls_security_level

<p> The SMTP TLS security level for the Postfix tlsproxy(8) server;
when a non-empty value is specified, this overrides the obsolete
parameters smtpd_use_tls and smtpd_enforce_tls. See
smtpd_tls_security_level for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_tls_session_cache_timeout $smtpd_tls_session_cache_timeout

<p> The expiration time of Postfix tlsproxy(8) server TLS session
cache information. A cache cleanup is performed periodically every
$smtpd_tls_session_cache_timeout seconds. See
smtpd_tls_session_cache_timeout for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_use_tls $smtpd_use_tls

<p> Opportunistic TLS: announce STARTTLS support to SMTP clients,
but do not require that clients use TLS encryption. See smtpd_use_tls
for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM smtpd_reject_footer

<p> Optional information that is appended after each SMTP server
4XX or 5XX response. </p>

<pre>
/etc/postfix/main.cf:
    smtpd_reject_footer = For assistance, call 800-555-0101.
     Please provide the following information in your problem report:
     time ($localtime), client ($client_address) and server
</pre>

<p> Server response: </p>

<pre>
550-5.5.1 <user@example> Recipient address rejected: User unknown
550 5.5.1 For assistance, call 800-555-0101. Please provide the
following information in your problem report: time (Jan 4 15:42:00),
client (192.168.1.248) and server (mail1.example.com).
</pre>

<p> Note: the above text is meant to make it easier to find the
Postfix logfile records for a failed SMTP session. The text itself
is not logged to the Postfix SMTP server's maillog file. </p>

<p> Be sure to keep the text as short as possible. Long text may
be truncated before it is logged to the remote SMTP client's maillog
file, or before it is returned to the sender in a delivery status </p>

<p> This feature supports a limited number of $name attributes in
the footer text. These are replaced by their current value for the </p>

<dl>

<dt> <b>client_address</b> </dt> <dd> The client IP address that
is logged in the maillog file. </dd>

<dt> <b>client_port</b> </dt> <dd> The client TCP port that is
logged in the maillog file. </dd>

<dt> <b>localtime</b> </dt> <dd> The server local time (Mmm dd
hh:mm:ss) that is logged in the maillog file. </dd>

<dt> <b>server_name</b> </dt> <dd> The server's myhostname value.
This attribute is made available for sites with multiple MTAs
(perhaps behind a load-balancer), where the server name can help
the server support team to quickly find the right log files. </dd>

</dl>

<ul>

<li> <p> NOT SUPPORTED are other attributes such as sender, recipient,
or main.cf parameters. </p>

<li> <p> For safety reasons, text that does not match
$smtpd_expansion_filter is censored. </p>

</ul>

<p> This feature supports the two-character sequence \n as a request
for a line break in the footer text. Postfix automatically inserts
after each line break the three-digit SMTP reply code (and optional
enhanced status code) from the original Postfix reject message. </p>

<p> This feature is available in Postfix 2.8 and later. </p>
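The footer expansion described above, as an added Python example that is not Postfix code: it substitutes only the four supported $name attributes, censors characters outside a stand-in for $smtpd_expansion_filter, and repeats the reply code and enhanced status code after each \n line break. The filter set (printable ASCII plus tab and space), the "_" replacement character and the treatment of unsupported names as literal text are assumptions of this example; the real server also wraps long lines, which this example does not.

```python
import re
import string

# Allowed characters in $name expansions. A stand-in for Postfix's
# smtpd_expansion_filter (constructed here: printable ASCII plus tab
# and space; the real default is shown by "postconf -d").
EXPANSION_FILTER = set(string.printable) - set("\n\r\x0b\x0c")

# The only attributes that smtpd_reject_footer expands.
SUPPORTED = ("client_address", "client_port", "localtime", "server_name")


def censor(value, allowed=EXPANSION_FILTER):
    """Replace characters outside the filter with '_' (assumed here)."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def expand_footer(footer, attrs):
    """Substitute $name and ${name} for supported attributes only.
    Unsupported names (sender, recipient, main.cf parameters) are left
    as written; that is an assumption of this example."""
    def repl(match):
        name = match.group(1) or match.group(2)
        if name in SUPPORTED and name in attrs:
            return censor(str(attrs[name]))
        return match.group(0)
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", repl, footer)


def append_footer(reply, footer, attrs):
    """Append the expanded footer to a single-line 4XX/5XX reply.

    Each two-character "\\n" in the footer starts a new reply line; the
    three-digit code (and the enhanced status code, when present) is
    repeated on every line, and all lines but the last use "-" as the
    continuation marker, as in the server-response example above."""
    m = re.match(r"(\d{3})[ -](\d\.\d+\.\d+ )?(.*)", reply)
    if not m or m.group(1)[0] not in "45":
        return reply  # 2XX/3XX replies get no footer
    code, esc, text = m.group(1), m.group(2) or "", m.group(3)
    lines = [text] + expand_footer(footer, attrs).split("\\n")
    out = [f"{code}-{esc}{line}" for line in lines[:-1]]
    out.append(f"{code} {esc}{lines[-1]}")
    return "\r\n".join(out)


if __name__ == "__main__":
    # Constructed sample values, modelled on the example above.
    footer = ("For assistance, call 800-555-0101.\\n"
              "client ($client_address) and server ($server_name).")
    attrs = {"client_address": "192.168.1.248", "client_port": 54321,
             "localtime": "Jan  4 15:42:00", "server_name": "mail1.example.com"}
    print(append_footer("550 5.5.1 <user@example> Recipient address "
                        "rejected: User unknown", footer, attrs))
```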

%PARAM postscreen_expansion_filter see "postconf -d" output

<p> List of characters that are permitted in postscreen_reject_footer
attribute expansions. See smtpd_expansion_filter for further </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_reject_footer $smtpd_reject_footer

<p> Optional information that is appended after a 4XX or 5XX server
response. See smtpd_reject_footer for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM postscreen_command_filter $smtpd_command_filter

<p> A mechanism to transform commands from remote SMTP clients.
See smtpd_command_filter for further details. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM dnsblog_service_name dnsblog

<p> The name of the dnsblog(8) service entry in master.cf. This
service performs DNS white/blacklist lookups. </p>

<p> This feature is available in Postfix 2.8 and later. </p>

%PARAM tlsproxy_service_name tlsproxy

<p> The name of the tlsproxy(8) service entry in master.cf. This
service performs plaintext <=> TLS ciphertext conversion. </p>

<p> This feature is available in Postfix 2.8 and later. </p>