mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 18:07:41 +00:00

postfix-2.9-20110212

This commit is contained in:
Wietse Venema 2011-02-12 00:00:00 -05:00 committed by Viktor Dukhovni
parent 1ac00dbaf1
commit 1b9ba18ece
34 changed files with 1006 additions and 559 deletions

View File

@ -16576,3 +16576,18 @@ Apologies for any names omitted.
Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c. >= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.
Cleanup: read/write deadline support for single_server TLS
applications (i.e. smtpd(8), smtp(8)). File: tls/tls_bio_ops.c.
20110212
Infrastructure: run-time switch for read/write deadline
support. Files: util/vstream.[hc], global/smtp_stream.[hc],
tls/tls_bio_ops.c.
Cleanup: configurable read/write deadline support with
smtpd_per_record_deadline (normal: "no", overload: "yes")
and smtp_per_record_deadline (default: "no"). Files:
global/mail_params.h, smtpd/smtpd.c, smtp/smtp.c,
smtp/smtp_proto.c, proto/postconf.proto, mantools/postlink.
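Review bot: the 20110212 entry names smtpd_per_record_deadline and smtp_per_record_deadline only, while the RELEASE_NOTES hunk in this same commit also announces lmtp_per_record_deadline (no); either add the lmtp parameter to this entry, or say that lmtp(8) picks it up through the shared smtp/lmtp code, so HISTORY and the release notes agree on which parameters are new.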

View File

@ -12,10 +12,11 @@ is queued.
The reason for adding Milter support to Postfix is that there exists a large The reason for adding Milter support to Postfix is that there exists a large
collection of applications, not only to block unwanted mail, but also to verify collection of applications, not only to block unwanted mail, but also to verify
authenticity (examples: DomainKeys Identified Mail (DKIM), SenderID+SPF and authenticity (examples: OpenDKIM, DomainKeys Identified Mail (DKIM),
DomainKeys) or to digitally sign mail (examples: DomainKeys Identified Mail SenderID+SPF and DomainKeys) or to digitally sign mail (examples: OpenDKIM,
(DKIM), DomainKeys). Having yet another Postfix-specific version of all that DomainKeys Identified Mail (DKIM), DomainKeys). Having yet another Postfix-
software is a poor use of human and system resources. specific version of all that software is a poor use of human and system
resources.
The Milter protocol has evolved over time, and different Postfix versions The Milter protocol has evolved over time, and different Postfix versions
implement different feature sets. See the workarounds and limitations sections implement different feature sets. See the workarounds and limitations sections
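Review bot: the new example list "OpenDKIM, DomainKeys Identified Mail (DKIM), SenderID+SPF and DomainKeys" presents OpenDKIM and DKIM as two different authentication schemes, when OpenDKIM is one DKIM implementation and the existing "DKIM" item is another (the dkim-milter project, per the link in the HTML version of this file). Suggest naming each scheme once with its implementations in parentheses, e.g. "DKIM (OpenDKIM, dkim-milter), SenderID+SPF (sid-milter) and DomainKeys (dk-milter)", in both the verify and the sign lists.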
@ -92,8 +93,15 @@ such a library, but Sendmail does.
Sendmail libmilter library by default. With other systems, libmilter may be Sendmail libmilter library by default. With other systems, libmilter may be
provided by a package (called "sendmail-devel" on some Linux systems). provided by a package (called "sendmail-devel" on some Linux systems).
Once libmilter is installed, applications such as dkim-milter and sid- Once libmilter is installed, applications such as OpenDKIM, dkim-milter and
milter build out of the box without requiring any tinkering: sid-milter build out of the box without requiring any tinkering:
$ ggzzccaatt ooppeennddkkiimm--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
$ ccdd ooppeennddkkiimm--xx..yy..zz
$ ..//ccoonnffiigguurree ......ooppttiioonnss......
$ mmaakkee
[...lots of output omitted...]
$ mmaakkee iinnssttaallll
$ ggzzccaatt ddkkiimm--mmiilltteerr--xx..yy..zz..ttaarr..ggzz || ttaarr xxff -- $ ggzzccaatt ddkkiimm--mmiilltteerr--xx..yy..zz..ttaarr..ggzz || ttaarr xxff --
$ ccdd ddkkiimm--mmiilltteerr--xx..yy..zz $ ccdd ddkkiimm--mmiilltteerr--xx..yy..zz

View File

@ -318,11 +318,12 @@ in SMTP engine anyway. This is to make postscreen(8) logging more informative.
When a client sends multiple commands, postscreen(8) logs this as: When a client sends multiple commands, postscreen(8) logs this as:
CCOOMMMMAANNDD PPIIPPEELLIINNIINNGG aafftteerr time ffrroomm [address]:port CCOOMMMMAANNDD PPIIPPEELLIINNIINNGG ffrroomm [address]:port aafftteerr command: text
Translation: the SMTP client at [address]:port sent multiple SMTP commands, Translation: the SMTP client at [address]:port sent multiple SMTP commands,
instead of sending one command and then waiting for the server to reply. This instead of sending one command and then waiting for the server to reply. This
happened time seconds after the "220 " server greeting was sent. happened after the client sent command. The text shows part of the input that
was sent too early; it is not logged with Postfix 2.8.
The postscreen_pipelining_action parameter specifies the action that is taken The postscreen_pipelining_action parameter specifies the action that is taken
next. See "When tests fail after the 220 SMTP server greeting" below. next. See "When tests fail after the 220 SMTP server greeting" below.
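Review bot: the log line changes from "COMMAND PIPELINING after time from [address]:port" to "COMMAND PIPELINING from [address]:port after command: text", so any 2.8 log parser keyed on the old field order will break; the added sentence only says that the text field is not logged with Postfix 2.8. State explicitly that the "after time" field is gone and that the field order changed, so operators maintaining postscreen log analysers know to update them.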

View File

@ -14,6 +14,30 @@ specifies the release date of a stable release or snapshot release.
If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8 If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
before proceeding. before proceeding.
Major changes with snapshot 20110130
====================================
Support for per-record deadlines. These change the behavior of
Postfix timeout parameters, from a time limit per read or write
system call, to a time limit to send or receive a complete record
(an SMTP command line, SMTP response line, SMTP message content
line, or TLS protocol message). This limits the impact from hostile
peers that trickle data one byte at a time.
The new configuration parameters and their default settings are:
smtpd_per_record_deadline (normal: no, overload: yes),
smtp_per_record_deadline (no), and lmtp_per_record_deadline (no).
Note: when per-record deadlines are enabled, a short timeout may
cause problems with TLS over very slow network connections. The
reasons are that a TLS protocol message can be up to 16 kbytes long
(with TLSv1), and that an entire TLS protocol message must be sent
or received within the per-record deadline.
Per-record deadlines were introduced with postscreen(8). This program
does not receive mail, and therefore has no problems with TLS over
slow connections.
Incompatible changes with snapshot 20110130 Incompatible changes with snapshot 20110130
=========================================== ===========================================
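Review bot: the heading reads "Major changes with snapshot 20110130", but the configurable parameters this section documents (smtpd_per_record_deadline, smtp_per_record_deadline) appear in the HISTORY hunk of this commit under 20110212, with 20110130 only introducing deadline support itself; either date the heading 20110212 or split the entry, so a reader comparing snapshots is not told these parameters existed in 20110130. The TLS caveat would also be more actionable if it named the timeouts the deadline now governs (the smtp(8) hunk says the smtp_*_timeout limits), so administrators on slow links know which value to raise.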

View File

@ -9,6 +9,8 @@ Wish list:
Don't forget Apple's code donation for fetching mail from Don't forget Apple's code donation for fetching mail from
IMAP server. IMAP server.
Update MILTER_README with pointer to OpenDKIM.
postconf command-line option to show the compile-time postconf command-line option to show the compile-time
settings (CCARGS, AUXLIBS) in case binary packages settings (CCARGS, AUXLIBS) in case binary packages
don't install the makedefs.out file. don't install the makedefs.out file.
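Review bot: the new wish-list item "Update MILTER_README with pointer to OpenDKIM." is already done by the MILTER_README hunks in this same commit, so it is stale the moment it lands; drop it rather than adding it.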

View File

@ -28,11 +28,13 @@ SMTP commands (HELO, MAIL FROM, etc.) as well as mail content
<p> The reason for adding Milter support to Postfix is that there <p> The reason for adding Milter support to Postfix is that there
exists a large collection of applications, not only to block unwanted exists a large collection of applications, not only to block unwanted
mail, but also to verify authenticity (examples: <a mail, but also to verify authenticity (examples: <a
href="http://www.opendkim.org/">OpenDKIM</a>, <a
href="http://sourceforge.net/projects/dkim-milter/">DomainKeys href="http://sourceforge.net/projects/dkim-milter/">DomainKeys
Identified Mail (DKIM)</a>, <a Identified Mail (DKIM)</a>, <a
href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
<a href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>) <a href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>)
or to digitally sign mail (examples: <a or to digitally sign mail (examples: <a
href="http://www.opendkim.org/">OpenDKIM</a>, <a
href="http://sourceforge.net/projects/dkim-milter/">DomainKeys href="http://sourceforge.net/projects/dkim-milter/">DomainKeys
Identified Mail (DKIM)</a>, <a Identified Mail (DKIM)</a>, <a
href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>). href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>).
@ -212,10 +214,22 @@ other systems, libmilter may be provided by a package (called
"sendmail-devel" on some Linux systems). </p> "sendmail-devel" on some Linux systems). </p>
<p> Once libmilter is installed, applications such as <a <p> Once libmilter is installed, applications such as <a
href="http://www.opendkim.org/">OpenDKIM</a>, <a
href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a> and href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a> and
<a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a> <a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a>
build out of the box without requiring any tinkering:</p> build out of the box without requiring any tinkering:</p>
<blockquote>
<pre>
$ <b>gzcat opendkim-<i>x.y.z</i>.tar.gz | tar xf -</b>
$ <b>cd opendkim-<i>x.y.z</i></b>
$ <b>./configure ...<i>options</i>...</b>
$ <b>make</b>
[...<i>lots of output omitted</i>...]
$ <b>make install</b>
</pre>
</blockquote>
<blockquote> <blockquote>
<pre> <pre>
$ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b> $ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
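Review bot: the new OpenDKIM transcript (the added <pre> block from gzcat to make install) is a copy of the dkim-milter block that follows it with only the package name changed, and the "...options..." placeholder is the only line where the two packages would differ; one transcript with a placeholder package name, or a sentence saying the same steps apply to each package, keeps the README shorter and avoids the two blocks drifting apart over time.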

View File

@ -432,13 +432,14 @@ logging more informative. </p>
as: </p> as: </p>
<pre> <pre>
<b>COMMAND PIPELINING after</b> <i>time</i> <b>from</b> <i>[address]:port</i> <b>COMMAND PIPELINING from</b> <i>[address]:port</i> <b>after</b> <i>command</i>: <i>text</i>
</pre> </pre>
<p> Translation: the SMTP client at <i>[address]:port</i> sent multiple <p> Translation: the SMTP client at <i>[address]:port</i> sent
SMTP commands, instead of sending one command and then waiting for multiple SMTP commands, instead of sending one command and then
the server to reply. This happened <i>time</i> seconds after the waiting for the server to reply. This happened after the client
"220 " server greeting was sent. </p> sent <i>command</i>. The <i>text</i> shows part of the input that
was sent too early; it is not logged with Postfix 2.8. </p>
<p> The <a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> parameter specifies the action <p> The <a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> parameter specifies the action
that is taken next. See "<a href="#fail_after_220">When tests fail that is taken next. See "<a href="#fail_after_220">When tests fail
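Review bot: the new <i>text</i> field puts client-supplied input into the log line, so the description should say how that text is bounded and sanitized before logging (how many bytes are shown, and that non-printable or control characters are escaped), because whatever the remote client sent ahead of the greeting ends up in syslog and in any tooling that parses it. Without that statement, readers cannot tell whether the field is safe to hand to log processors or whether a client can place misleading content in the log.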

View File

@ -295,11 +295,21 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b> <b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b>
DNS Resolver options for the Postfix SMTP client. DNS Resolver options for the Postfix SMTP client.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time lim-
its, from a time limit per read or write system
call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
<b>MIME PROCESSING CONTROLS</b> <b>MIME PROCESSING CONTROLS</b>
Available in Postfix version 2.0 and later: Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b> <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
Disable the conversion of 8BITMIME format to 7BIT Disable the conversion of 8BITMIME format to 7BIT
format. format.
<b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b> <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
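Review bot: the smtp_per_record_deadline summary says the deadline covers a complete TLS protocol message but omits the operational consequence that the RELEASE_NOTES hunk spells out: a TLS record can be up to 16 kbytes, so a short smtp_*_timeout with the deadline enabled can fail TLS sessions over slow links. A one-line pointer to that caveat, or to the postconf(5) entry that carries it, belongs here, since this man page is where administrators will first read about the parameter.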
@ -314,108 +324,108 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b> <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
Send the non-standard XFORWARD command when the Send the non-standard XFORWARD command when the
Postfix SMTP server EHLO response announces XFOR- Postfix SMTP server EHLO response announces XFOR-
WARD support. WARD support.
<b>SASL AUTHENTICATION CONTROLS</b> <b>SASL AUTHENTICATION CONTROLS</b>
<b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b> <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
Enable SASL authentication in the Postfix SMTP Enable SASL authentication in the Postfix SMTP
client. client.
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
Optional SMTP client lookup tables with one user- Optional SMTP client lookup tables with one user-
name:password entry per remote hostname or domain, name:password entry per remote hostname or domain,
or sender address when sender-dependent authentica- or sender address when sender-dependent authentica-
tion is enabled. tion is enabled.
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b> <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
Postfix SMTP client SASL security options; as of Postfix SMTP client SASL security options; as of
Postfix 2.3 the list of available features depends Postfix 2.3 the list of available features depends
on the SASL client implementation that is selected on the SASL client implementation that is selected
with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
If non-empty, a Postfix SMTP client filter for the If non-empty, a Postfix SMTP client filter for the
remote SMTP server's list of offered SASL mecha- remote SMTP server's list of offered SASL mecha-
nisms. nisms.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b> <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
Enable sender-dependent authentication in the Post- Enable sender-dependent authentication in the Post-
fix SMTP client; this is available only with SASL fix SMTP client; this is available only with SASL
authentication, and disables SMTP connection authentication, and disables SMTP connection
caching to ensure that mail from different senders caching to ensure that mail from different senders
will use the appropriate credentials. will use the appropriate credentials.
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
Implementation-specific information that the Post- Implementation-specific information that the Post-
fix SMTP client passes through to the SASL plug-in fix SMTP client passes through to the SASL plug-in
implementation that is selected with implementation that is selected with
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b> <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
The SASL plug-in type that the Postfix SMTP client The SASL plug-in type that the Postfix SMTP client
should use for authentication. should use for authentication.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
An optional table to prevent repeated SASL authen- An optional table to prevent repeated SASL authen-
tication failures with the same remote SMTP server tication failures with the same remote SMTP server
hostname, username and password. hostname, username and password.
<b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b> <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
entry before it is removed. entry before it is removed.
<b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b> <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
When a remote SMTP server rejects a SASL authenti- When a remote SMTP server rejects a SASL authenti-
cation request with a 535 reply code, defer mail cation request with a 535 reply code, defer mail
delivery instead of returning mail as undeliver- delivery instead of returning mail as undeliver-
able. able.
<b>STARTTLS SUPPORT CONTROLS</b> <b>STARTTLS SUPPORT CONTROLS</b>
Detailed information about STARTTLS configuration may be Detailed information about STARTTLS configuration may be
found in the <a href="TLS_README.html">TLS_README</a> document. found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
The default SMTP TLS security level for the Postfix The default SMTP TLS security level for the Postfix
SMTP client; when a non-empty value is specified, SMTP client; when a non-empty value is specified,
this overrides the obsolete parameters this overrides the obsolete parameters
<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b> <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b> <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
The SASL authentication security options that the The SASL authentication security options that the
Postfix SMTP client uses for TLS encrypted SMTP Postfix SMTP client uses for TLS encrypted SMTP
sessions. sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
Time limit for Postfix SMTP client write and read Time limit for Postfix SMTP client write and read
operations during TLS startup and shutdown hand- operations during TLS startup and shutdown hand-
shake procedures. shake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
A file containing CA certificates of root CAs A file containing CA certificates of root CAs
trusted to sign either remote SMTP server certifi- trusted to sign either remote SMTP server certifi-
cates or intermediate CA certificates. cates or intermediate CA certificates.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
Directory with PEM format certificate authority Directory with PEM format certificate authority
certificates that the Postfix SMTP client uses to certificates that the Postfix SMTP client uses to
verify a remote SMTP server certificate. verify a remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
File with the Postfix SMTP client RSA certificate File with the Postfix SMTP client RSA certificate
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP The minimum TLS cipher grade that the Postfix SMTP
client will use with mandatory TLS encryption. client will use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
@ -424,43 +434,43 @@ SMTP(8) SMTP(8)
levels. levels.
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
Additional list of ciphers or cipher types to Additional list of ciphers or cipher types to
exclude from the SMTP client cipher list at manda- exclude from the SMTP client cipher list at manda-
tory TLS security levels. tory TLS security levels.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
File with the Postfix SMTP client DSA certificate File with the Postfix SMTP client DSA certificate
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b> <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
File with the Postfix SMTP client DSA private key File with the Postfix SMTP client DSA private key
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b> <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
File with the Postfix SMTP client RSA private key File with the Postfix SMTP client RSA private key
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b> <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
Enable additional Postfix SMTP client logging of Enable additional Postfix SMTP client logging of
TLS activity. TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
Log the hostname of a remote SMTP server that Log the hostname of a remote SMTP server that
offers STARTTLS, when TLS is not already enabled offers STARTTLS, when TLS is not already enabled
for that server. for that server.
<b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client Optional lookup tables with the Postfix SMTP client
TLS security policy by next-hop destination; when a TLS security policy by next-hop destination; when a
non-empty value is specified, this overrides the non-empty value is specified, this overrides the
obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
List of SSL/TLS protocols that the Postfix SMTP List of SSL/TLS protocols that the Postfix SMTP
client will use with mandatory TLS encryption. client will use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b> <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
The verification depth for remote SMTP server cer- The verification depth for remote SMTP server cer-
tificates. tificates.
<b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b> <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
@ -468,7 +478,7 @@ SMTP(8) SMTP(8)
for the "secure" TLS security level. for the "secure" TLS security level.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
Name of the file containing the optional Postfix Name of the file containing the optional Postfix
SMTP client TLS session cache. SMTP client TLS session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b> <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
@ -480,9 +490,9 @@ SMTP(8) SMTP(8)
for the "verify" TLS security level. for the "verify" TLS security level.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b> <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
server in order to seed its internal pseudo random server in order to seed its internal pseudo random
number generator (PRNG). number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b> <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
@ -494,7 +504,7 @@ SMTP(8) SMTP(8)
ciphers. ciphers.
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b> <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "LOW" or higher grade The OpenSSL cipherlist for "LOW" or higher grade
ciphers. ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b> <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
@ -502,38 +512,38 @@ SMTP(8) SMTP(8)
ciphers. ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b> <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
The OpenSSL cipherlist for "NULL" grade ciphers The OpenSSL cipherlist for "NULL" grade ciphers
that provide authentication without encryption. that provide authentication without encryption.
Available in Postfix version 2.4 and later: Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b> <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
<b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b> <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
The SASL authentication security options that the The SASL authentication security options that the
Postfix SMTP client uses for TLS encrypted SMTP Postfix SMTP client uses for TLS encrypted SMTP
sessions with a verified server certificate. sessions with a verified server certificate.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
List of acceptable remote SMTP server certificate List of acceptable remote SMTP server certificate
fingerprints for the "fingerprint" TLS security fingerprints for the "fingerprint" TLS security
level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint). level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).
<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b> <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
The message digest algorithm used to construct The message digest algorithm used to construct
remote SMTP server certificate fingerprints. remote SMTP server certificate fingerprints.
Available in Postfix version 2.6 and later: Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b> <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
List of TLS protocols that the Postfix SMTP client List of TLS protocols that the Postfix SMTP client
will exclude or include with opportunistic TLS will exclude or include with opportunistic TLS
encryption. encryption.
<b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b> <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
The minimum TLS cipher grade that the Postfix SMTP The minimum TLS cipher grade that the Postfix SMTP
client will use with opportunistic TLS encryption. client will use with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
File with the Postfix SMTP client ECDSA certificate File with the Postfix SMTP client ECDSA certificate
@ -546,40 +556,40 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.7 and later: Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
Try to detect a mail hijacking attack based on a Try to detect a mail hijacking attack based on a
TLS protocol vulnerability (CVE-2009-3555), where TLS protocol vulnerability (CVE-2009-3555), where
an attacker prepends malicious HELO, MAIL, RCPT, an attacker prepends malicious HELO, MAIL, RCPT,
DATA commands to a Postfix SMTP client TLS session. DATA commands to a Postfix SMTP client TLS session.
Available in Postfix version 2.8 and later: Available in Postfix version 2.8 and later:
<b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
List or bit-mask of OpenSSL bug work-arounds to List or bit-mask of OpenSSL bug work-arounds to
disable. disable.
<b>OBSOLETE STARTTLS CONTROLS</b> <b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compati- The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these bility with Postfix versions before 2.3. Support for these
will be removed in a future release. will be removed in a future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP Opportunistic mode: use TLS when a remote SMTP
server announces STARTTLS support, otherwise send server announces STARTTLS support, otherwise send
the mail in the clear. the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers Enforcement mode: require that remote SMTP servers
use TLS encryption, and never send mail in the use TLS encryption, and never send mail in the
clear. clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b> <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the With mandatory TLS encryption, require that the
remote SMTP server hostname matches the information remote SMTP server hostname matches the information
in the remote SMTP server certificate. in the remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client Optional lookup tables with the Postfix SMTP client
TLS usage policy by next-hop destination and by TLS usage policy by next-hop destination and by
remote SMTP server hostname. remote SMTP server hostname.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
@ -589,27 +599,27 @@ SMTP(8) SMTP(8)
<b>RESOURCE AND RATE CONTROLS</b> <b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b> <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b> <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
The maximal number of parallel deliveries to the The maximal number of parallel deliveries to the
same destination via the smtp message delivery same destination via the smtp message delivery
transport. transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b> <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b> <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
The maximal number of recipients per message for The maximal number of recipients per message for
the smtp message delivery transport. the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b> <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The SMTP client time limit for completing a TCP The SMTP client time limit for completing a TCP
connection, or zero (use the operating system connection, or zero (use the operating system
built-in time limit). built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The SMTP client time limit for sending the HELO or The SMTP client time limit for sending the HELO or
EHLO command, and for receiving the initial server EHLO command, and for receiving the initial server
response. response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b> <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
The LMTP client time limit for sending the LHLO The LMTP client time limit for sending the LHLO
command, and for receiving the initial server command, and for receiving the initial server
response. response.
@ -618,30 +628,30 @@ SMTP(8) SMTP(8)
command, and for receiving the server response. command, and for receiving the server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The SMTP client time limit for sending the MAIL The SMTP client time limit for sending the MAIL
FROM command, and for receiving the server FROM command, and for receiving the server
response. response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The SMTP client time limit for sending the SMTP The SMTP client time limit for sending the SMTP
RCPT TO command, and for receiving the server RCPT TO command, and for receiving the server
response. response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b> <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The SMTP client time limit for sending the SMTP The SMTP client time limit for sending the SMTP
DATA command, and for receiving the server DATA command, and for receiving the server
response. response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b> <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The SMTP client time limit for sending the SMTP The SMTP client time limit for sending the SMTP
message content. message content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b> <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
The SMTP client time limit for sending the SMTP The SMTP client time limit for sending the SMTP
".", and for receiving the server response. ".", and for receiving the server response.
<b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
The SMTP client time limit for sending the QUIT The SMTP client time limit for sending the QUIT
command, and for receiving the server response. command, and for receiving the server response.
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
@ -652,12 +662,12 @@ SMTP(8) SMTP(8)
lookups, or zero (no limit). lookups, or zero (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b> <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery The maximal number of SMTP sessions per delivery
request before giving up or delivering to a fall- request before giving up or delivering to a fall-
back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit). back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b> <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
The SMTP client time limit for sending the RSET The SMTP client time limit for sending the RSET
command, and for receiving the server response. command, and for receiving the server response.
Available in Postfix version 2.2 and earlier: Available in Postfix version 2.2 and earlier:
@ -669,11 +679,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b> <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the Permanently enable SMTP connection caching for the
specified destinations. specified destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b> <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a Temporarily enable SMTP connection caching while a
destination has a high volume of mail in the active destination has a high volume of mail in the active
queue. queue.
@ -683,15 +693,25 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b> <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
When SMTP connection caching is enabled, the amount When SMTP connection caching is enabled, the amount
of time that an unused SMTP client socket is kept of time that an unused SMTP client socket is kept
open before it is closed. open before it is closed.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b> <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or Time limit for connection cache connect, send or
receive operations. receive operations.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time lim-
its, from a time limit per read or write system
call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
<b>TROUBLE SHOOTING CONTROLS</b> <b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a The increment in verbose logging level when a
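Review bot: the new smtp_per_record_deadline summary (the lines starting "Change the behavior of the smtp_*_timeout time lim-") says "a time limit to read or write a complete record", while the postconf.5 entry for the same parameter in this commit says "a time limit to send or receive a complete record". The smtp(8) parameter summaries are generated from the first sentence of the proto/postconf.proto entry (the changelog lists proto/postconf.proto and mantools/postlink among the files touched), so one of the two was produced from a different revision of the proto text; regenerate the man page so the two read the same.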

View File

@ -4034,6 +4034,17 @@ configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.5 and later. </p> <p> This feature is available in Postfix 2.5 and later. </p>
</DD>
<DT><b><a name="lmtp_per_record_deadline">lmtp_per_record_deadline</a>
(default: no)</b></DT><DD>
<p> The LMTP-specific version of the <a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a>
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
</DD> </DD>
<DT><b><a name="lmtp_pix_workaround_delay_time">lmtp_pix_workaround_delay_time</a> <DT><b><a name="lmtp_pix_workaround_delay_time">lmtp_pix_workaround_delay_time</a>
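Review bot: the version line `<p> This feature is available in Postfix 2.8 and later. </p>` in the new lmtp_per_record_deadline entry contradicts the smtp_per_record_deadline entry added in the same commit, which says 2.9, and the 20110212 changelog entry that introduces the feature in the 2.9 development cycle. Change it to 2.9, and for consistency with the smtp entry consider adding the sentence "With older Postfix releases, the behavior is as if this parameter is set to "no"."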
@ -9545,6 +9556,29 @@ available. </p>
<a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> parameter. </p> <a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> parameter. </p>
</DD>
<DT><b><a name="smtp_per_record_deadline">smtp_per_record_deadline</a>
(default: no)</b></DT><DD>
<p> Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message). This
limits the impact from hostile peers that trickle data one byte at
a time. </p>
<p> Note: when per-record deadlines are enabled, a short timeout
may cause problems with TLS over very slow network connections.
The reasons are that a TLS protocol message can be up to 16 kbytes
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>
<p> This feature is available in Postfix 2.9 and later. With older
Postfix releases, the behavior is as if this parameter is set to
"no". </p>
</DD> </DD>
<DT><b><a name="smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> <DT><b><a name="smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a>
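Review bot: "Change the behavior of the smtp_*_timeout time limits" is broader than the mechanism it describes, since smtp_connect_timeout is also an smtp_*_timeout but governs completing a TCP connection rather than a read or write (see its summary in the smtp(8) hunk above). If the per-record deadline only applies to the read/write time limits (smtp_helo_timeout through smtp_quit_timeout, and smtp_rset_timeout), say so explicitly, for example "the smtp_*_timeout time limits for SMTP commands, responses and message content".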
@ -12697,6 +12731,29 @@ DNS lookup and increases the maximal inbound delivery rate. </p>
<p> This feature is available in Postfix 2.3 and later. </p> <p> This feature is available in Postfix 2.3 and later. </p>
</DD>
<DT><b><a name="smtpd_per_record_deadline">smtpd_per_record_deadline</a>
(default: normal: no, overload: yes)</b></DT><DD>
<p> Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time limit, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message). This
limits the impact from hostile peers that trickle data one byte at
a time. </p>
<p> Note: when per-record deadlines are enabled, a short timeout
may cause problems with TLS over very slow network connections.
The reasons are that a TLS protocol message can be up to 16 kbytes
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>
<p> This feature is available in Postfix 2.9 and later. With older
Postfix releases, the behavior is as if this parameter is set to
"no". </p>
</DD> </DD>
<DT><b><a name="smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a> <DT><b><a name="smtpd_policy_service_max_idle">smtpd_policy_service_max_idle</a>
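Review bot: the default "normal: no, overload: yes" switches per-record deadlines on only under overload, but the entry never says what "overload" is tied to; the postscreen(8) hunk below describes the same mechanism as stress-dependent behavior (`${stress?X}${stress:Y}`), so a sentence pointing the reader at the stress parameter, as the other stress-dependent smtpd entries do, would make the default understandable on its own. Separately, the "Note: when per-record deadlines are enabled ..." paragraph is a verbatim copy of the one in the smtp_per_record_deadline entry; if the two are meant to stay identical, keep one and cross-reference it so a later edit to the TLS caveat cannot leave the two out of sync.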

View File

@ -76,64 +76,65 @@ POSTSCREEN(8) POSTSCREEN(8)
Support for AUTH may be added in the future. In the mean Support for AUTH may be added in the future. In the mean
time, if you need to make these services available on port time, if you need to make these services available on port
25, then do not enable the optional "after 220 server 25, then do not enable the optional "after 220 server
greeting" tests. greeting" tests, and do not use DNSBLs that reject traffic
from dial-up and residential networks.
The optional "after 220 server greeting" tests involve The optional "after 220 server greeting" tests involve
<a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When these <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. When these
tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo- tests succeed, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> adds the client to the tempo-
rary whitelist but it cannot not hand off the "live" con- rary whitelist but it cannot not hand off the "live" con-
nection to a Postfix SMTP server process in the middle of nection to a Postfix SMTP server process in the middle of
a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to a session. Instead, <a href="postscreen.8.html"><b>postscreen</b>(8)</a> defers attempts to
deliver mail with a 4XX status, and waits for the client deliver mail with a 4XX status, and waits for the client
to disconnect. The next time a good client connects, it to disconnect. The next time a good client connects, it
will be allowed to talk to a Postfix SMTP server process will be allowed to talk to a Postfix SMTP server process
to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of to deliver mail. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> mitigates the impact of
this limitation by giving such tests a long expiration this limitation by giving such tests a long expiration
time. time.
<b>CONFIGURATION PARAMETERS</b> <b>CONFIGURATION PARAMETERS</b>
Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as Changes to <a href="postconf.5.html">main.cf</a> are not picked up automatically, as
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for several hours. Use <a href="postscreen.8.html"><b>postscreen</b>(8)</a> processes may run for several hours. Use
the command "postfix reload" after a configuration change. the command "postfix reload" after a configuration change.
The text below provides only a parameter summary. See The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples. <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress- NOTE: Some <a href="postscreen.8.html"><b>postscreen</b>(8)</a> parameters implement stress-
dependent behavior. This is supported only when the dependent behavior. This is supported only when the
default parameter value is stress-dependent (that is, it default parameter value is stress-dependent (that is, it
looks like ${stress?X}${stress:Y}, or it is the $<i>name</i> of looks like ${stress?X}${stress:Y}, or it is the $<i>name</i> of
an smtpd parameter with a stress-dependent default). an smtpd parameter with a stress-dependent default).
Other parameters always evaluate as if the <b>stress</b> parame- Other parameters always evaluate as if the <b>stress</b> parame-
ter value is the empty string. ter value is the empty string.
<b>COMPATIBILITY CONTROLS</b> <b>COMPATIBILITY CONTROLS</b>
<b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b> <b><a href="postconf.5.html#postscreen_command_filter">postscreen_command_filter</a> ($<a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a>)</b>
A mechanism to transform commands from remote SMTP A mechanism to transform commands from remote SMTP
clients. clients.
<b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_dis</a>-</b> <b><a href="postconf.5.html#postscreen_discard_ehlo_keyword_address_maps">postscreen_discard_ehlo_keyword_address_maps</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">smtpd_dis</a>-</b>
<b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">card_ehlo_keyword_address_maps</a>)</b> <b><a href="postconf.5.html#smtpd_discard_ehlo_keyword_address_maps">card_ehlo_keyword_address_maps</a>)</b>
Lookup tables, indexed by the remote SMTP client Lookup tables, indexed by the remote SMTP client
address, with case insensitive lists of EHLO key- address, with case insensitive lists of EHLO key-
words (pipelining, starttls, auth, etc.) that the words (pipelining, starttls, auth, etc.) that the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the EHLO <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server will not send in the EHLO
response to a remote SMTP client. response to a remote SMTP client.
<b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_key</a>-</b> <b><a href="postconf.5.html#postscreen_discard_ehlo_keywords">postscreen_discard_ehlo_keywords</a> ($<a href="postconf.5.html#smtpd_discard_ehlo_keywords">smtpd_discard_ehlo_key</a>-</b>
<b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">words</a>)</b> <b><a href="postconf.5.html#smtpd_discard_ehlo_keywords">words</a>)</b>
A case insensitive list of EHLO keywords (pipelin- A case insensitive list of EHLO keywords (pipelin-
ing, starttls, auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> ing, starttls, auth, etc.) that the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
server will not send in the EHLO response to a server will not send in the EHLO response to a
remote SMTP client. remote SMTP client.
<b>TROUBLE SHOOTING CONTROLS</b> <b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#postscreen_expansion_filter">postscreen_expansion_filter</a> (see 'postconf -d' output)</b>
List of characters that are permitted in List of characters that are permitted in
<a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions. <a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> attribute expansions.
<b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b> <b><a href="postconf.5.html#postscreen_reject_footer">postscreen_reject_footer</a> ($<a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a>)</b>
Optional information that is appended after a 4XX Optional information that is appended after a 4XX
or 5XX server response. or 5XX server response.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b> <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
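Review bot: "rary whitelist but it cannot not hand off the "live" con-" contains a double negative; it should read "cannot hand off". The line is unchanged context, but it is in the same paragraph as the edited sentence about the "after 220 server greeting" tests, so it is worth folding into this change rather than leaving for a separate man-page fix.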
@ -141,9 +142,9 @@ POSTSCREEN(8) POSTSCREEN(8)
be returned to the sender. be returned to the sender.
<b>PERMANENT WHITE/BLACKLIST TEST</b> <b>PERMANENT WHITE/BLACKLIST TEST</b>
This test is executed immediately after a remote SMTP This test is executed immediately after a remote SMTP
client connects. If a client is permanently whitelisted, client connects. If a client is permanently whitelisted,
the client will be handed off immediately to a Postfix the client will be handed off immediately to a Postfix
SMTP server process. SMTP server process.
<b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b> <b><a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>)</b>
@ -151,45 +152,45 @@ POSTSCREEN(8) POSTSCREEN(8)
addresses. addresses.
<b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b> <b><a href="postconf.5.html#postscreen_blacklist_action">postscreen_blacklist_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client is permanently blacklisted with the client is permanently blacklisted with the
<a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter. <a href="postconf.5.html#postscreen_access_list">postscreen_access_list</a> parameter.
<b>BEFORE-GREETING TESTS</b> <b>BEFORE-GREETING TESTS</b>
These tests are executed before the remote SMTP client These tests are executed before the remote SMTP client
receives the "220 servername" greeting. If no tests remain receives the "220 servername" greeting. If no tests remain
after the successful completion of this phase, the client after the successful completion of this phase, the client
will be handed off immediately to a Postfix SMTP server will be handed off immediately to a Postfix SMTP server
process. process.
<b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b> <b><a href="postconf.5.html#dnsblog_service_name">dnsblog_service_name</a> (dnsblog)</b>
The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in mas- The name of the <a href="dnsblog.8.html"><b>dnsblog</b>(8)</a> service entry in mas-
ter.cf. ter.cf.
<b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b> <b><a href="postconf.5.html#postscreen_dnsbl_action">postscreen_dnsbl_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client's combined DNSBL score is equal to or client's combined DNSBL score is equal to or
greater than a threshold (as defined with the greater than a threshold (as defined with the
<a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_thresh</a>- <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> and <a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_thresh</a>-
<a href="postconf.5.html#postscreen_dnsbl_threshold">old</a> parameters). <a href="postconf.5.html#postscreen_dnsbl_threshold">old</a> parameters).
<b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b> <b><a href="postconf.5.html#postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a> (empty)</b>
A mapping from actual DNSBL domain name which A mapping from actual DNSBL domain name which
includes a secret password, to the DNSBL domain includes a secret password, to the DNSBL domain
name that postscreen will reply with when it name that postscreen will reply with when it
rejects mail. rejects mail.
<b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b> <b><a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> (empty)</b>
Optional list of DNS white/blacklist domains, fil- Optional list of DNS white/blacklist domains, fil-
ters and weight factors. ters and weight factors.
<b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b> <b><a href="postconf.5.html#postscreen_dnsbl_threshold">postscreen_dnsbl_threshold</a> (1)</b>
The inclusive lower bound for blocking an SMTP The inclusive lower bound for blocking an SMTP
client, based on its combined DNSBL score as client, based on its combined DNSBL score as
defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter. defined with the <a href="postconf.5.html#postscreen_dnsbl_sites">postscreen_dnsbl_sites</a> parameter.
<b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b> <b><a href="postconf.5.html#postscreen_greet_action">postscreen_greet_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client speaks before its turn within the time spec- client speaks before its turn within the time spec-
ified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter. ified with the <a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> parameter.
@ -197,39 +198,39 @@ POSTSCREEN(8) POSTSCREEN(8)
The <i>text</i> in the optional "220-<i>text</i>..." server The <i>text</i> in the optional "220-<i>text</i>..." server
response that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real response that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> sends ahead of the real
Postfix SMTP server's "220 text..." response, in an Postfix SMTP server's "220 text..." response, in an
attempt to confuse bad SMTP clients so that they attempt to confuse bad SMTP clients so that they
speak before their turn (pre-greet). speak before their turn (pre-greet).
<b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (${stress?2}${stress:6}s)</b> <b><a href="postconf.5.html#postscreen_greet_wait">postscreen_greet_wait</a> (${stress?2}${stress:6}s)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will wait for
an SMTP client to send a command before its turn, an SMTP client to send a command before its turn,
and for DNS blocklist lookup results to arrive and for DNS blocklist lookup results to arrive
(default: up to 2 seconds under stress, up to 6 (default: up to 2 seconds under stress, up to 6
seconds otherwise). seconds otherwise).
<b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b> <b><a href="postconf.5.html#smtpd_service_name">smtpd_service_name</a> (smtpd)</b>
The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards The internal service that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> forwards
allowed connections to. allowed connections to.
<b>AFTER-GREETING TESTS</b> <b>AFTER-GREETING TESTS</b>
These tests are executed after the remote SMTP client These tests are executed after the remote SMTP client
receives the "220 servername" greeting. If a client passes receives the "220 servername" greeting. If a client passes
all tests during this phase, it will receive a 4XX all tests during this phase, it will receive a 4XX
response to RCPT TO commands until the client hangs up. response to RCPT TO commands until the client hangs up.
After this, the client will be allowed to talk directly to After this, the client will be allowed to talk directly to
a Postfix SMTP server process. a Postfix SMTP server process.
<b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b> <b><a href="postconf.5.html#postscreen_bare_newline_action">postscreen_bare_newline_action</a> (ignore)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends a bare newline character, that is, a client sends a bare newline character, that is, a
newline not preceded by carriage return. newline not preceded by carriage return.
<b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b> <b><a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> (no)</b>
Enable "bare newline" SMTP protocol tests in the Enable "bare newline" SMTP protocol tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b> <b><a href="postconf.5.html#postscreen_disable_vrfy_command">postscreen_disable_vrfy_command</a> ($<a href="postconf.5.html#disable_vrfy_command">disable_vrfy_command</a>)</b>
Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> Disable the SMTP VRFY command in the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
daemon. daemon.
<b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b> <b><a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> ($<a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>)</b>
@ -237,157 +238,157 @@ POSTSCREEN(8) POSTSCREEN(8)
siders in violation of the SMTP protocol. siders in violation of the SMTP protocol.
<b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b> <b><a href="postconf.5.html#postscreen_helo_required">postscreen_helo_required</a> ($<a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a>)</b>
Require that a remote SMTP client sends HELO or Require that a remote SMTP client sends HELO or
EHLO before commencing a MAIL transaction. EHLO before commencing a MAIL transaction.
<b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b> <b><a href="postconf.5.html#postscreen_non_smtp_command_action">postscreen_non_smtp_command_action</a> (drop)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends non-SMTP commands as specified with client sends non-SMTP commands as specified with
the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter. the <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a> parameter.
<b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b> <b><a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> (no)</b>
Enable "non-SMTP command" tests in the Enable "non-SMTP command" tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b> <b><a href="postconf.5.html#postscreen_pipelining_action">postscreen_pipelining_action</a> (enforce)</b>
The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP The action that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> takes when an SMTP
client sends multiple commands instead of sending client sends multiple commands instead of sending
one command and waiting for the server to respond. one command and waiting for the server to respond.
<b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b> <b><a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> (no)</b>
Enable "pipelining" SMTP protocol tests in the Enable "pipelining" SMTP protocol tests in the
<a href="postscreen.8.html"><b>postscreen</b>(8)</a> server. <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server.
<b>CACHE CONTROLS</b> <b>CACHE CONTROLS</b>
<b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b> <b><a href="postconf.5.html#postscreen_cache_cleanup_interval">postscreen_cache_cleanup_interval</a> (12h)</b>
The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache The amount of time between <a href="postscreen.8.html"><b>postscreen</b>(8)</a> cache
cleanup runs. cleanup runs.
<b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (btree:$data_direc-</b> <b><a href="postconf.5.html#postscreen_cache_map">postscreen_cache_map</a> (btree:$data_direc-</b>
<b>tory/postscreen_cache)</b> <b>tory/postscreen_cache)</b>
Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server Persistent storage for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> server
decisions. decisions.
<b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b> <b><a href="postconf.5.html#postscreen_cache_retention_time">postscreen_cache_retention_time</a> (7d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will cache an
expired temporary whitelist entry before it is expired temporary whitelist entry before it is
removed. removed.
<b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b> <b><a href="postconf.5.html#postscreen_bare_newline_ttl">postscreen_bare_newline_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful "bare newline" SMTP proto- result from a successful "bare newline" SMTP proto-
col test. col test.
<b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b> <b><a href="postconf.5.html#postscreen_dnsbl_ttl">postscreen_dnsbl_ttl</a> (1h)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful DNS blocklist test. result from a successful DNS blocklist test.
<b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b> <b><a href="postconf.5.html#postscreen_greet_ttl">postscreen_greet_ttl</a> (1d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful PREGREET test. result from a successful PREGREET test.
<b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b> <b><a href="postconf.5.html#postscreen_non_smtp_command_ttl">postscreen_non_smtp_command_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful "non_smtp_command" SMTP result from a successful "non_smtp_command" SMTP
protocol test. protocol test.
<b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b> <b><a href="postconf.5.html#postscreen_pipelining_ttl">postscreen_pipelining_ttl</a> (30d)</b>
The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the The amount of time that <a href="postscreen.8.html"><b>postscreen</b>(8)</a> will use the
result from a successful "pipelining" SMTP protocol result from a successful "pipelining" SMTP protocol
test. test.
<b>RESOURCE CONTROLS</b> <b>RESOURCE CONTROLS</b>
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b> <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
Upon input, long lines are chopped up into pieces Upon input, long lines are chopped up into pieces
of at most this length; upon delivery, long lines of at most this length; upon delivery, long lines
are reconstructed. are reconstructed.
<b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a></b> <b><a href="postconf.5.html#postscreen_client_connection_count_limit">postscreen_client_connection_count_limit</a></b>
<b>($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b> <b>($<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>)</b>
How many simultaneous connections any client is How many simultaneous connections any client is
allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon. allowed to have with the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> daemon.
<b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b> <b><a href="postconf.5.html#postscreen_command_count_limit">postscreen_command_count_limit</a> (20)</b>
The limit on the total number of commands per SMTP The limit on the total number of commands per SMTP
session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol session for <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol
engine. engine.
<b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b> <b><a href="postconf.5.html#postscreen_command_time_limit">postscreen_command_time_limit</a> (${stress?10}${stress:300}s)</b>
The time limit to read an entire command line with The time limit to read an entire command line with
<a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine. <a href="postscreen.8.html"><b>postscreen</b>(8)</a>'s built-in SMTP protocol engine.
<b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b> <b><a href="postconf.5.html#postscreen_post_queue_limit">postscreen_post_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
The number of clients that can be waiting for ser- The number of clients that can be waiting for ser-
vice from a real SMTP server process. vice from a real SMTP server process.
<b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b> <b><a href="postconf.5.html#postscreen_pre_queue_limit">postscreen_pre_queue_limit</a> ($<a href="postconf.5.html#default_process_limit">default_process_limit</a>)</b>
The number of non-whitelisted clients that can be The number of non-whitelisted clients that can be
waiting for a decision whether they will receive waiting for a decision whether they will receive
service from a real SMTP server process. service from a real SMTP server process.
<b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b> <b><a href="postconf.5.html#postscreen_watchdog_timeout">postscreen_watchdog_timeout</a> (10s)</b>
How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to How much time a <a href="postscreen.8.html"><b>postscreen</b>(8)</a> process may take to
respond to an SMTP client command or to perform a respond to an SMTP client command or to perform a
cache operation before it is terminated by a built- cache operation before it is terminated by a built-
in watchdog timer. in watchdog timer.
<b>STARTTLS CONTROLS</b> <b>STARTTLS CONTROLS</b>
<b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b> <b><a href="postconf.5.html#postscreen_tls_security_level">postscreen_tls_security_level</a> ($<a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a>)</b>
The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a> The SMTP TLS security level for the <a href="postscreen.8.html"><b>postscreen</b>(8)</a>
server; when a non-empty value is specified, this server; when a non-empty value is specified, this
overrides the obsolete parameters overrides the obsolete parameters
<a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>. <a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> and <a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a>.
<b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b> <b><a href="postconf.5.html#tlsproxy_service_name">tlsproxy_service_name</a> (tlsproxy)</b>
The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in mas- The name of the <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> service entry in mas-
ter.cf. ter.cf.
<b>OBSOLETE STARTTLS SUPPORT CONTROLS</b> <b>OBSOLETE STARTTLS SUPPORT CONTROLS</b>
These parameters are supported for compatibility with These parameters are supported for compatibility with
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy parameters. <a href="smtpd.8.html"><b>smtpd</b>(8)</a> legacy parameters.
<b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b> <b><a href="postconf.5.html#postscreen_use_tls">postscreen_use_tls</a> ($<a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>)</b>
Opportunistic TLS: announce STARTTLS support to Opportunistic TLS: announce STARTTLS support to
SMTP clients, but do not require that clients use SMTP clients, but do not require that clients use
TLS encryption. TLS encryption.
<b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b> <b><a href="postconf.5.html#postscreen_enforce_tls">postscreen_enforce_tls</a> ($<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>)</b>
Mandatory TLS: announce STARTTLS support to SMTP Mandatory TLS: announce STARTTLS support to SMTP
clients, and require that clients use TLS encryp- clients, and require that clients use TLS encryp-
tion. tion.
<b>MISCELLANEOUS CONTROLS</b> <b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files. <a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal The maximal number of digits after the decimal
point when logging sub-second delay values. point when logging sub-second delay values.
<b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
The location of all postfix administrative com- The location of all postfix administrative com-
mands. mands.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix The maximum amount of time that an idle Postfix
daemon process waits for an incoming connection daemon process waits for an incoming connection
before terminating voluntarily. before terminating voluntarily.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b> <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon The process ID of a Postfix command or daemon
process. process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b> <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
The process name of a Postfix command or daemon The process name of a Postfix command or daemon
process. process.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b> <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging. The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the The mail system name that is prepended to the
process name in syslog records, so that "smtpd" process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd". becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b> <b>SEE ALSO</b>
@ -400,14 +401,14 @@ POSTSCREEN(8) POSTSCREEN(8)
<a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto <a href="POSTSCREEN_README.html">POSTSCREEN_README</a>, Postfix Postscreen Howto
<b>LICENSE</b> <b>LICENSE</b>
The Secure Mailer license must be distributed with this The Secure Mailer license must be distributed with this
software. software.
<b>HISTORY</b> <b>HISTORY</b>
This service was introduced with Postfix version 2.8. This service was introduced with Postfix version 2.8.
Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work Many ideas in <a href="postscreen.8.html"><b>postscreen</b>(8)</a> were explored in earlier work
by Michael Tokarev, in OpenBSD spamd, and in MailChannels by Michael Tokarev, in OpenBSD spamd, and in MailChannels
Traffic Control. Traffic Control.
<b>AUTHOR(S)</b> <b>AUTHOR(S)</b>


@ -295,11 +295,21 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b> <b><a href="postconf.5.html#smtp_dns_resolver_options">smtp_dns_resolver_options</a> (empty)</b>
DNS Resolver options for the Postfix SMTP client. DNS Resolver options for the Postfix SMTP client.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time lim-
its, from a time limit per read or write system
call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
<b>MIME PROCESSING CONTROLS</b> <b>MIME PROCESSING CONTROLS</b>
Available in Postfix version 2.0 and later: Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b> <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
Disable the conversion of 8BITMIME format to 7BIT Disable the conversion of 8BITMIME format to 7BIT
format. format.
<b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b> <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
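Review bot: the new smtp_per_record_deadline entry in this hunk documents the mechanism (a limit per read or write system call versus a limit per complete record) but not the trade-off an administrator needs in order to change the "no" default: with a per-call limit, a remote server that delivers one response line a few bytes at a time can keep an smtp(8) delivery process occupied for many multiples of the configured smtp_*_timeout value, since each call restarts the clock, whereas a per-record deadline bounds the whole line by that single value at the cost of failing peers that make slow but steady progress; one sentence stating that would let a reader decide when "yes" is appropriate. Also, the entry refers to "the smtp_*_timeout time limits" in plain text, while every other parameter mentioned on this page is an <a href="postconf.5.html#..."> link; suggest cross-referencing where those timeout parameters are documented so the reader can find the values this setting changes.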
@ -314,108 +324,108 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b> <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
Send the non-standard XFORWARD command when the Send the non-standard XFORWARD command when the
Postfix SMTP server EHLO response announces XFOR- Postfix SMTP server EHLO response announces XFOR-
WARD support. WARD support.
<b>SASL AUTHENTICATION CONTROLS</b> <b>SASL AUTHENTICATION CONTROLS</b>
<b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b> <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
Enable SASL authentication in the Postfix SMTP Enable SASL authentication in the Postfix SMTP
client. client.
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
Optional SMTP client lookup tables with one user- Optional SMTP client lookup tables with one user-
name:password entry per remote hostname or domain, name:password entry per remote hostname or domain,
or sender address when sender-dependent authentica- or sender address when sender-dependent authentica-
tion is enabled. tion is enabled.
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b> <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
Postfix SMTP client SASL security options; as of Postfix SMTP client SASL security options; as of
Postfix 2.3 the list of available features depends Postfix 2.3 the list of available features depends
on the SASL client implementation that is selected on the SASL client implementation that is selected
with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
If non-empty, a Postfix SMTP client filter for the If non-empty, a Postfix SMTP client filter for the
remote SMTP server's list of offered SASL mecha- remote SMTP server's list of offered SASL mecha-
nisms. nisms.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b> <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
Enable sender-dependent authentication in the Post- Enable sender-dependent authentication in the Post-
fix SMTP client; this is available only with SASL fix SMTP client; this is available only with SASL
authentication, and disables SMTP connection authentication, and disables SMTP connection
caching to ensure that mail from different senders caching to ensure that mail from different senders
will use the appropriate credentials. will use the appropriate credentials.
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
Implementation-specific information that the Post- Implementation-specific information that the Post-
fix SMTP client passes through to the SASL plug-in fix SMTP client passes through to the SASL plug-in
implementation that is selected with implementation that is selected with
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b> <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
The SASL plug-in type that the Postfix SMTP client The SASL plug-in type that the Postfix SMTP client
should use for authentication. should use for authentication.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
An optional table to prevent repeated SASL authen- An optional table to prevent repeated SASL authen-
tication failures with the same remote SMTP server tication failures with the same remote SMTP server
hostname, username and password. hostname, username and password.
<b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b> <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
entry before it is removed. entry before it is removed.
<b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b> <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
When a remote SMTP server rejects a SASL authenti- When a remote SMTP server rejects a SASL authenti-
cation request with a 535 reply code, defer mail cation request with a 535 reply code, defer mail
delivery instead of returning mail as undeliver- delivery instead of returning mail as undeliver-
able. able.
<b>STARTTLS SUPPORT CONTROLS</b> <b>STARTTLS SUPPORT CONTROLS</b>
Detailed information about STARTTLS configuration may be Detailed information about STARTTLS configuration may be
found in the <a href="TLS_README.html">TLS_README</a> document. found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
The default SMTP TLS security level for the Postfix The default SMTP TLS security level for the Postfix
SMTP client; when a non-empty value is specified, SMTP client; when a non-empty value is specified,
this overrides the obsolete parameters this overrides the obsolete parameters
<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b> <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b> <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
The SASL authentication security options that the The SASL authentication security options that the
Postfix SMTP client uses for TLS encrypted SMTP Postfix SMTP client uses for TLS encrypted SMTP
sessions. sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
Time limit for Postfix SMTP client write and read Time limit for Postfix SMTP client write and read
operations during TLS startup and shutdown hand- operations during TLS startup and shutdown hand-
shake procedures. shake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
A file containing CA certificates of root CAs A file containing CA certificates of root CAs
trusted to sign either remote SMTP server certifi- trusted to sign either remote SMTP server certifi-
cates or intermediate CA certificates. cates or intermediate CA certificates.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
Directory with PEM format certificate authority Directory with PEM format certificate authority
certificates that the Postfix SMTP client uses to certificates that the Postfix SMTP client uses to
verify a remote SMTP server certificate. verify a remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
File with the Postfix SMTP client RSA certificate File with the Postfix SMTP client RSA certificate
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP The minimum TLS cipher grade that the Postfix SMTP
client will use with mandatory TLS encryption. client will use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
@ -424,43 +434,43 @@ SMTP(8) SMTP(8)
levels. levels.
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
Additional list of ciphers or cipher types to Additional list of ciphers or cipher types to
exclude from the SMTP client cipher list at manda- exclude from the SMTP client cipher list at manda-
tory TLS security levels. tory TLS security levels.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
File with the Postfix SMTP client DSA certificate File with the Postfix SMTP client DSA certificate
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b> <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
File with the Postfix SMTP client DSA private key File with the Postfix SMTP client DSA private key
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b> <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
File with the Postfix SMTP client RSA private key File with the Postfix SMTP client RSA private key
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b> <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
Enable additional Postfix SMTP client logging of Enable additional Postfix SMTP client logging of
TLS activity. TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
Log the hostname of a remote SMTP server that Log the hostname of a remote SMTP server that
offers STARTTLS, when TLS is not already enabled offers STARTTLS, when TLS is not already enabled
for that server. for that server.
<b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client Optional lookup tables with the Postfix SMTP client
TLS security policy by next-hop destination; when a TLS security policy by next-hop destination; when a
non-empty value is specified, this overrides the non-empty value is specified, this overrides the
obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
List of SSL/TLS protocols that the Postfix SMTP List of SSL/TLS protocols that the Postfix SMTP
client will use with mandatory TLS encryption. client will use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b> <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
The verification depth for remote SMTP server cer- The verification depth for remote SMTP server cer-
tificates. tificates.
<b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b> <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
@ -468,7 +478,7 @@ SMTP(8) SMTP(8)
for the "secure" TLS security level. for the "secure" TLS security level.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
Name of the file containing the optional Postfix Name of the file containing the optional Postfix
SMTP client TLS session cache. SMTP client TLS session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b> <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
@ -480,9 +490,9 @@ SMTP(8) SMTP(8)
for the "verify" TLS security level. for the "verify" TLS security level.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b> <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
server in order to seed its internal pseudo random server in order to seed its internal pseudo random
number generator (PRNG). number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b> <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
@ -494,7 +504,7 @@ SMTP(8) SMTP(8)
ciphers. ciphers.
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b> <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "LOW" or higher grade The OpenSSL cipherlist for "LOW" or higher grade
ciphers. ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b> <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
@ -502,38 +512,38 @@ SMTP(8) SMTP(8)
ciphers. ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b> <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
The OpenSSL cipherlist for "NULL" grade ciphers The OpenSSL cipherlist for "NULL" grade ciphers
that provide authentication without encryption. that provide authentication without encryption.
Available in Postfix version 2.4 and later: Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b> <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
<b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b> <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
The SASL authentication security options that the The SASL authentication security options that the
Postfix SMTP client uses for TLS encrypted SMTP Postfix SMTP client uses for TLS encrypted SMTP
sessions with a verified server certificate. sessions with a verified server certificate.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
List of acceptable remote SMTP server certificate List of acceptable remote SMTP server certificate
fingerprints for the "fingerprint" TLS security fingerprints for the "fingerprint" TLS security
level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint). level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a></b> = fingerprint).
<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b> <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
The message digest algorithm used to construct The message digest algorithm used to construct
remote SMTP server certificate fingerprints. remote SMTP server certificate fingerprints.
Available in Postfix version 2.6 and later: Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b> <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
List of TLS protocols that the Postfix SMTP client List of TLS protocols that the Postfix SMTP client
will exclude or include with opportunistic TLS will exclude or include with opportunistic TLS
encryption. encryption.
<b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b> <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
The minimum TLS cipher grade that the Postfix SMTP The minimum TLS cipher grade that the Postfix SMTP
client will use with opportunistic TLS encryption. client will use with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
File with the Postfix SMTP client ECDSA certificate File with the Postfix SMTP client ECDSA certificate
@ -546,40 +556,40 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.7 and later: Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
Try to detect a mail hijacking attack based on a Try to detect a mail hijacking attack based on a
TLS protocol vulnerability (CVE-2009-3555), where TLS protocol vulnerability (CVE-2009-3555), where
an attacker prepends malicious HELO, MAIL, RCPT, an attacker prepends malicious HELO, MAIL, RCPT,
DATA commands to a Postfix SMTP client TLS session. DATA commands to a Postfix SMTP client TLS session.
Available in Postfix version 2.8 and later: Available in Postfix version 2.8 and later:
<b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
List or bit-mask of OpenSSL bug work-arounds to List or bit-mask of OpenSSL bug work-arounds to
disable. disable.
<b>OBSOLETE STARTTLS CONTROLS</b> <b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compati- The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these bility with Postfix versions before 2.3. Support for these
will be removed in a future release. will be removed in a future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP Opportunistic mode: use TLS when a remote SMTP
server announces STARTTLS support, otherwise send server announces STARTTLS support, otherwise send
the mail in the clear. the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers Enforcement mode: require that remote SMTP servers
use TLS encryption, and never send mail in the use TLS encryption, and never send mail in the
clear. clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b> <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the With mandatory TLS encryption, require that the
remote SMTP server hostname matches the information remote SMTP server hostname matches the information
in the remote SMTP server certificate. in the remote SMTP server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client Optional lookup tables with the Postfix SMTP client
TLS usage policy by next-hop destination and by TLS usage policy by next-hop destination and by
remote SMTP server hostname. remote SMTP server hostname.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
@ -589,27 +599,27 @@ SMTP(8) SMTP(8)
<b>RESOURCE AND RATE CONTROLS</b> <b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b> <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b> <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
The maximal number of parallel deliveries to the The maximal number of parallel deliveries to the
same destination via the smtp message delivery same destination via the smtp message delivery
transport. transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b> <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b> <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
The maximal number of recipients per message for The maximal number of recipients per message for
the smtp message delivery transport. the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b> <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The SMTP client time limit for completing a TCP The SMTP client time limit for completing a TCP
connection, or zero (use the operating system connection, or zero (use the operating system
built-in time limit). built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The SMTP client time limit for sending the HELO or The SMTP client time limit for sending the HELO or
EHLO command, and for receiving the initial server EHLO command, and for receiving the initial server
response. response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b> <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
The LMTP client time limit for sending the LHLO The LMTP client time limit for sending the LHLO
command, and for receiving the initial server command, and for receiving the initial server
response. response.
@ -618,30 +628,30 @@ SMTP(8) SMTP(8)
command, and for receiving the server response. command, and for receiving the server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The SMTP client time limit for sending the MAIL The SMTP client time limit for sending the MAIL
FROM command, and for receiving the server FROM command, and for receiving the server
response. response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The SMTP client time limit for sending the SMTP The SMTP client time limit for sending the SMTP
RCPT TO command, and for receiving the server RCPT TO command, and for receiving the server
response. response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b> <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The SMTP client time limit for sending the SMTP The SMTP client time limit for sending the SMTP
DATA command, and for receiving the server DATA command, and for receiving the server
response. response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b> <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The SMTP client time limit for sending the SMTP The SMTP client time limit for sending the SMTP
message content. message content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b> <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
The SMTP client time limit for sending the SMTP The SMTP client time limit for sending the SMTP
".", and for receiving the server response. ".", and for receiving the server response.
<b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
The SMTP client time limit for sending the QUIT The SMTP client time limit for sending the QUIT
command, and for receiving the server response. command, and for receiving the server response.
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
@ -652,12 +662,12 @@ SMTP(8) SMTP(8)
lookups, or zero (no limit). lookups, or zero (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b> <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery The maximal number of SMTP sessions per delivery
request before giving up or delivering to a fall- request before giving up or delivering to a fall-
back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit). back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b> <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
The SMTP client time limit for sending the RSET The SMTP client time limit for sending the RSET
command, and for receiving the server response. command, and for receiving the server response.
Available in Postfix version 2.2 and earlier: Available in Postfix version 2.2 and earlier:
@ -669,11 +679,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b> <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the Permanently enable SMTP connection caching for the
specified destinations. specified destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b> <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a Temporarily enable SMTP connection caching while a
destination has a high volume of mail in the active destination has a high volume of mail in the active
queue. queue.
@ -683,15 +693,25 @@ SMTP(8) SMTP(8)
<b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b> <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
When SMTP connection caching is enabled, the amount When SMTP connection caching is enabled, the amount
of time that an unused SMTP client socket is kept of time that an unused SMTP client socket is kept
open before it is closed. open before it is closed.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b> <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or Time limit for connection cache connect, send or
receive operations. receive operations.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time lim-
its, from a time limit per read or write system
call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
<b>TROUBLE SHOOTING CONTROLS</b> <b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a The increment in verbose logging level when a
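Review bot: The new smtp_per_record_deadline entry (the "Available in Postfix version 2.9 and later" block in this hunk) says it changes "the smtp_*_timeout time limits", yet the same RESOURCE AND RATE CONTROLS section also lists lmtp_lhlo_timeout and this manpage documents the LMTP client as well; state whether the per-record deadline also governs the lmtp_*_timeout limits, or add the lmtp_ counterpart as its own entry. The description would also be more useful if it said why the per-call form is weaker: a per-read or per-write limit only bounds the idle gap between system calls, so a slow peer can stretch the reading of one SMTP response line well past the configured limit, whereas the per-record form bounds the time to complete the whole line. Finally, the entry does not say what happens when the record deadline is exceeded; one sentence on whether the session is then aborted in the same way as a per-call timeout would remove that ambiguity.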

View File

@ -153,46 +153,56 @@ SMTPD(8) SMTPD(8)
A mechanism to transform commands from remote SMTP A mechanism to transform commands from remote SMTP
clients. clients.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time
limit, from a time limit per read or write system
call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
<b>ADDRESS REWRITING CONTROLS</b> <b>ADDRESS REWRITING CONTROLS</b>
See the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed See the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document for a detailed
discussion of Postfix address rewriting. discussion of Postfix address rewriting.
<b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b> <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
Enable or disable recipient validation, built-in Enable or disable recipient validation, built-in
content filtering, or address mapping. content filtering, or address mapping.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b> <b><a href="postconf.5.html#local_header_rewrite_clients">local_header_rewrite_clients</a> (<a href="postconf.5.html#permit_inet_interfaces">permit_inet_interfaces</a>)</b>
Rewrite message header addresses in mail from these Rewrite message header addresses in mail from these
clients and update incomplete addresses with the clients and update incomplete addresses with the
domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a>; either don't domain name in $<a href="postconf.5.html#myorigin">myorigin</a> or $<a href="postconf.5.html#mydomain">mydomain</a>; either don't
rewrite message headers from other clients at all, rewrite message headers from other clients at all,
or rewrite message headers and update incomplete or rewrite message headers and update incomplete
addresses with the domain specified in the addresses with the domain specified in the
<a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter. <a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> parameter.
<b>AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b> <b>AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
As of version 1.0, Postfix can be configured to send new As of version 1.0, Postfix can be configured to send new
mail to an external content filter AFTER the mail is mail to an external content filter AFTER the mail is
queued. This content filter is expected to inject mail queued. This content filter is expected to inject mail
back into a (Postfix or other) MTA for further delivery. back into a (Postfix or other) MTA for further delivery.
See the <a href="FILTER_README.html">FILTER_README</a> document for details. See the <a href="FILTER_README.html">FILTER_README</a> document for details.
<b><a href="postconf.5.html#content_filter">content_filter</a> (empty)</b> <b><a href="postconf.5.html#content_filter">content_filter</a> (empty)</b>
After the message is queued, send the entire mes- After the message is queued, send the entire mes-
sage to the specified <i>transport:destination</i>. sage to the specified <i>transport:destination</i>.
<b>BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b> <b>BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS</b>
As of version 2.1, the Postfix SMTP server can be config- As of version 2.1, the Postfix SMTP server can be config-
ured to send incoming mail to a real-time SMTP-based con- ured to send incoming mail to a real-time SMTP-based con-
tent filter BEFORE mail is queued. This content filter is tent filter BEFORE mail is queued. This content filter is
expected to inject mail back into Postfix. See the expected to inject mail back into Postfix. See the
<a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document for details on how to config- <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document for details on how to config-
ure and operate this feature. ure and operate this feature.
<b><a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> (empty)</b> <b><a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a> (empty)</b>
The hostname and TCP port of the mail filtering The hostname and TCP port of the mail filtering
proxy server. proxy server.
<b><a href="postconf.5.html#smtpd_proxy_ehlo">smtpd_proxy_ehlo</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> <b><a href="postconf.5.html#smtpd_proxy_ehlo">smtpd_proxy_ehlo</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
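Review bot: The default shown for smtpd_per_record_deadline, "(normal: no, overload: yes)", uses a normal/overload qualifier that no other entry in this hunk uses and that the hunk does not explain; add a sentence saying that the "overload" value is the default while the server runs under stress, with a pointer to the stress-dependent configuration document (STRESS_README), so a reader understands that the per-record deadline is switched on automatically under overload and not only when set explicitly in main.cf. Because the surrounding text already documents smtpd_timeout as the per-call limit, also say what the server does when the record deadline expires (whether the session is terminated as with the per-call timeout), since that is the behavior an operator relies on when a client sends a command line one byte at a time.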
@ -200,8 +210,8 @@ SMTPD(8) SMTPD(8)
proxy filter. proxy filter.
<b><a href="postconf.5.html#smtpd_proxy_options">smtpd_proxy_options</a> (empty)</b> <b><a href="postconf.5.html#smtpd_proxy_options">smtpd_proxy_options</a> (empty)</b>
List of options that control how the Postfix SMTP List of options that control how the Postfix SMTP
server communicates with a before-queue content server communicates with a before-queue content
filter. filter.
<b><a href="postconf.5.html#smtpd_proxy_timeout">smtpd_proxy_timeout</a> (100s)</b> <b><a href="postconf.5.html#smtpd_proxy_timeout">smtpd_proxy_timeout</a> (100s)</b>
@ -210,24 +220,24 @@ SMTPD(8) SMTPD(8)
<b>BEFORE QUEUE MILTER CONTROLS</b> <b>BEFORE QUEUE MILTER CONTROLS</b>
As of version 2.3, Postfix supports the Sendmail version 8 As of version 2.3, Postfix supports the Sendmail version 8
Milter (mail filter) protocol. These content filters run Milter (mail filter) protocol. These content filters run
outside Postfix. They can inspect the SMTP command stream outside Postfix. They can inspect the SMTP command stream
and the message content, and can request modifications and the message content, and can request modifications
before mail is queued. For details see the <a href="MILTER_README.html">MILTER_README</a> before mail is queued. For details see the <a href="MILTER_README.html">MILTER_README</a>
document. document.
<b><a href="postconf.5.html#smtpd_milters">smtpd_milters</a> (empty)</b> <b><a href="postconf.5.html#smtpd_milters">smtpd_milters</a> (empty)</b>
A list of Milter (mail filter) applications for new A list of Milter (mail filter) applications for new
mail that arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server. mail that arrives via the Postfix <a href="smtpd.8.html"><b>smtpd</b>(8)</a> server.
<b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b> <b><a href="postconf.5.html#milter_protocol">milter_protocol</a> (6)</b>
The mail filter protocol version and optional pro- The mail filter protocol version and optional pro-
tocol extensions for communication with a Milter tocol extensions for communication with a Milter
application; prior to Postfix 2.6 the default pro- application; prior to Postfix 2.6 the default pro-
tocol is 2. tocol is 2.
<b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b> <b><a href="postconf.5.html#milter_default_action">milter_default_action</a> (tempfail)</b>
The default action when a Milter (mail filter) The default action when a Milter (mail filter)
application is unavailable or mis-configured. application is unavailable or mis-configured.
<b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> <b><a href="postconf.5.html#milter_macro_daemon_name">milter_macro_daemon_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -239,190 +249,190 @@ SMTPD(8) SMTPD(8)
cations. cations.
<b><a href="postconf.5.html#milter_connect_timeout">milter_connect_timeout</a> (30s)</b> <b><a href="postconf.5.html#milter_connect_timeout">milter_connect_timeout</a> (30s)</b>
The time limit for connecting to a Milter (mail The time limit for connecting to a Milter (mail
filter) application, and for negotiating protocol filter) application, and for negotiating protocol
options. options.
<b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b> <b><a href="postconf.5.html#milter_command_timeout">milter_command_timeout</a> (30s)</b>
The time limit for sending an SMTP command to a The time limit for sending an SMTP command to a
Milter (mail filter) application, and for receiving Milter (mail filter) application, and for receiving
the response. the response.
<b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b> <b><a href="postconf.5.html#milter_content_timeout">milter_content_timeout</a> (300s)</b>
The time limit for sending message content to a The time limit for sending message content to a
Milter (mail filter) application, and for receiving Milter (mail filter) application, and for receiving
the response. the response.
<b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#milter_connect_macros">milter_connect_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter) The macros that are sent to Milter (mail filter)
applications after completion of an SMTP connec- applications after completion of an SMTP connec-
tion. tion.
<b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#milter_helo_macros">milter_helo_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter) The macros that are sent to Milter (mail filter)
applications after the SMTP HELO or EHLO command. applications after the SMTP HELO or EHLO command.
<b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#milter_mail_macros">milter_mail_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter) The macros that are sent to Milter (mail filter)
applications after the SMTP MAIL FROM command. applications after the SMTP MAIL FROM command.
<b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#milter_rcpt_macros">milter_rcpt_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter) The macros that are sent to Milter (mail filter)
applications after the SMTP RCPT TO command. applications after the SMTP RCPT TO command.
<b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#milter_data_macros">milter_data_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to version 4 or higher The macros that are sent to version 4 or higher
Milter (mail filter) applications after the SMTP Milter (mail filter) applications after the SMTP
DATA command. DATA command.
<b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#milter_unknown_command_macros">milter_unknown_command_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to version 3 or higher The macros that are sent to version 3 or higher
Milter (mail filter) applications after an unknown Milter (mail filter) applications after an unknown
SMTP command. SMTP command.
<b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#milter_end_of_header_macros">milter_end_of_header_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter) The macros that are sent to Milter (mail filter)
applications after the end of the message header. applications after the end of the message header.
<b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#milter_end_of_data_macros">milter_end_of_data_macros</a> (see 'postconf -d' output)</b>
The macros that are sent to Milter (mail filter) The macros that are sent to Milter (mail filter)
applications after the message end-of-data. applications after the message end-of-data.
<b>GENERAL CONTENT INSPECTION CONTROLS</b> <b>GENERAL CONTENT INSPECTION CONTROLS</b>
The following parameters are applicable for both built-in The following parameters are applicable for both built-in
and external content filters. and external content filters.
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b> <b><a href="postconf.5.html#receive_override_options">receive_override_options</a> (empty)</b>
Enable or disable recipient validation, built-in Enable or disable recipient validation, built-in
content filtering, or address mapping. content filtering, or address mapping.
<b>EXTERNAL CONTENT INSPECTION CONTROLS</b> <b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
The following parameters are applicable for both before- The following parameters are applicable for both before-
queue and after-queue content filtering. queue and after-queue content filtering.
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> (empty)</b> <b><a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a> (empty)</b>
What SMTP clients are allowed to use the XFORWARD What SMTP clients are allowed to use the XFORWARD
feature. feature.
<b>SASL AUTHENTICATION CONTROLS</b> <b>SASL AUTHENTICATION CONTROLS</b>
Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenti- Postfix SASL support (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>) can be used to authenti-
cate remote SMTP clients to the Postfix SMTP server, and cate remote SMTP clients to the Postfix SMTP server, and
to authenticate the Postfix SMTP client to a remote SMTP to authenticate the Postfix SMTP client to a remote SMTP
server. See the <a href="SASL_README.html">SASL_README</a> document for details. server. See the <a href="SASL_README.html">SASL_README</a> document for details.
<b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b> <b><a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> (no)</b>
Enable inter-operability with SMTP clients that Enable inter-operability with SMTP clients that
implement an obsolete version of the AUTH command implement an obsolete version of the AUTH command
(<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>). (<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a>).
<b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b> <b><a href="postconf.5.html#smtpd_sasl_auth_enable">smtpd_sasl_auth_enable</a> (no)</b>
Enable SASL authentication in the Postfix SMTP Enable SASL authentication in the Postfix SMTP
server. server.
<b><a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> (empty)</b> <b><a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> (empty)</b>
The name of the Postfix SMTP server's local SASL The name of the Postfix SMTP server's local SASL
authentication realm. authentication realm.
<b><a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> (noanonymous)</b> <b><a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_security_options</a> (noanonymous)</b>
Postfix SMTP server SASL security options; as of Postfix SMTP server SASL security options; as of
Postfix 2.3 the list of available features depends Postfix 2.3 the list of available features depends
on the SASL server implementation that is selected on the SASL server implementation that is selected
with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>. with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.
<b><a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> (empty)</b> <b><a href="postconf.5.html#smtpd_sender_login_maps">smtpd_sender_login_maps</a> (empty)</b>
Optional lookup table with the SASL login names Optional lookup table with the SASL login names
that own sender (MAIL FROM) addresses. that own sender (MAIL FROM) addresses.
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b> <b><a href="postconf.5.html#smtpd_sasl_exceptions_networks">smtpd_sasl_exceptions_networks</a> (empty)</b>
What remote SMTP clients the Postfix SMTP server What remote SMTP clients the Postfix SMTP server
will not offer AUTH support to. will not offer AUTH support to.
Available in Postfix version 2.1 and 2.2: Available in Postfix version 2.1 and 2.2:
<b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b> <b><a href="postconf.5.html#smtpd_sasl_application_name">smtpd_sasl_application_name</a> (smtpd)</b>
The application name that the Postfix SMTP server The application name that the Postfix SMTP server
uses for SASL server initialization. uses for SASL server initialization.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> (no)</b> <b><a href="postconf.5.html#smtpd_sasl_authenticated_header">smtpd_sasl_authenticated_header</a> (no)</b>
Report the SASL authenticated user name in the Report the SASL authenticated user name in the
<a href="smtpd.8.html"><b>smtpd</b>(8)</a> Received message header. <a href="smtpd.8.html"><b>smtpd</b>(8)</a> Received message header.
<b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> (smtpd)</b> <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> (smtpd)</b>
Implementation-specific information that the Post- Implementation-specific information that the Post-
fix SMTP server passes through to the SASL plug-in fix SMTP server passes through to the SASL plug-in
implementation that is selected with implementation that is selected with
<b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>. <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b>.
<b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a> (cyrus)</b> <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a> (cyrus)</b>
The SASL plug-in type that the Postfix SMTP server The SASL plug-in type that the Postfix SMTP server
should use for authentication. should use for authentication.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a> (empty)</b> <b><a href="postconf.5.html#cyrus_sasl_config_path">cyrus_sasl_config_path</a> (empty)</b>
Search path for Cyrus SASL application configura- Search path for Cyrus SASL application configura-
tion files, currently used only to locate the tion files, currently used only to locate the
$<a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.conf file. $<a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a>.conf file.
<b>STARTTLS SUPPORT CONTROLS</b> <b>STARTTLS SUPPORT CONTROLS</b>
Detailed information about STARTTLS configuration may be Detailed information about STARTTLS configuration may be
found in the <a href="TLS_README.html">TLS_README</a> document. found in the <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_security_level">smtpd_tls_security_level</a> (empty)</b>
The SMTP TLS security level for the Postfix SMTP The SMTP TLS security level for the Postfix SMTP
server; when a non-empty value is specified, this server; when a non-empty value is specified, this
overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and overrides the obsolete parameters <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> and
<a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>. <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a>.
<b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b> <b><a href="postconf.5.html#smtpd_sasl_tls_security_options">smtpd_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtpd_sasl_security_options">smtpd_sasl_secu</a>-</b>
<b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b> <b><a href="postconf.5.html#smtpd_sasl_security_options">rity_options</a>)</b>
The SASL authentication security options that the The SASL authentication security options that the
Postfix SMTP server uses for TLS encrypted SMTP Postfix SMTP server uses for TLS encrypted SMTP
sessions. sessions.
<b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#smtpd_starttls_timeout">smtpd_starttls_timeout</a> (see 'postconf -d' output)</b>
The time limit for Postfix SMTP server write and The time limit for Postfix SMTP server write and
read operations during TLS startup and shutdown read operations during TLS startup and shutdown
handshake procedures. handshake procedures.
<b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> (empty)</b>
A file containing (PEM format) CA certificates of A file containing (PEM format) CA certificates of
root CAs trusted to sign either remote SMTP client root CAs trusted to sign either remote SMTP client
certificates or intermediate CA certificates. certificates or intermediate CA certificates.
<b><a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> (empty)</b>
A directory containing (PEM format) CA certificates A directory containing (PEM format) CA certificates
of root CAs trusted to sign either remote SMTP of root CAs trusted to sign either remote SMTP
client certificates or intermediate CA certifi- client certificates or intermediate CA certifi-
cates. cates.
<b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b> <b><a href="postconf.5.html#smtpd_tls_always_issue_session_ids">smtpd_tls_always_issue_session_ids</a> (yes)</b>
Force the Postfix SMTP server to issue a TLS ses- Force the Postfix SMTP server to issue a TLS ses-
sion id, even when TLS session caching is turned sion id, even when TLS session caching is turned
off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty). off (<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> is empty).
<b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b> <b><a href="postconf.5.html#smtpd_tls_ask_ccert">smtpd_tls_ask_ccert</a> (no)</b>
Ask a remote SMTP client for a client certificate. Ask a remote SMTP client for a client certificate.
<b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b> <b><a href="postconf.5.html#smtpd_tls_auth_only">smtpd_tls_auth_only</a> (no)</b>
When TLS encryption is optional in the Postfix SMTP When TLS encryption is optional in the Postfix SMTP
server, do not announce or accept SASL authentica- server, do not announce or accept SASL authentica-
tion over unencrypted connections. tion over unencrypted connections.
<b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (9)</b> <b><a href="postconf.5.html#smtpd_tls_ccert_verifydepth">smtpd_tls_ccert_verifydepth</a> (9)</b>
The verification depth for remote SMTP client cer- The verification depth for remote SMTP client cer-
tificates. tificates.
<b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> (empty)</b>
File with the Postfix SMTP server RSA certificate File with the Postfix SMTP server RSA certificate
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_exclude_ciphers">smtpd_tls_exclude_ciphers</a> (empty)</b>
@ -430,56 +440,56 @@ SMTPD(8) SMTPD(8)
SMTP server cipher list at all TLS security levels. SMTP server cipher list at all TLS security levels.
<b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a> (empty)</b>
File with the Postfix SMTP server DSA certificate File with the Postfix SMTP server DSA certificate
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> (empty)</b>
File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.
<b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
File with DH parameters that the Postfix SMTP File with DH parameters that the Postfix SMTP
server should use with EDH ciphers. server should use with EDH ciphers.
<b><a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> (empty)</b>
File with DH parameters that the Postfix SMTP
server should use with EDH ciphers.
<b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b> <b><a href="postconf.5.html#smtpd_tls_dkey_file">smtpd_tls_dkey_file</a> ($<a href="postconf.5.html#smtpd_tls_dcert_file">smtpd_tls_dcert_file</a>)</b>
File with the Postfix SMTP server DSA private key File with the Postfix SMTP server DSA private key
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b> <b><a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> ($<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>)</b>
File with the Postfix SMTP server RSA private key File with the Postfix SMTP server RSA private key
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b> <b><a href="postconf.5.html#smtpd_tls_loglevel">smtpd_tls_loglevel</a> (0)</b>
Enable additional Postfix SMTP server logging of Enable additional Postfix SMTP server logging of
TLS activity. TLS activity.
<b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b> <b><a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP The minimum TLS cipher grade that the Postfix SMTP
server will use with mandatory TLS encryption. server will use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_mandatory_exclude_ciphers">smtpd_tls_mandatory_exclude_ciphers</a> (empty)</b>
Additional list of ciphers or cipher types to Additional list of ciphers or cipher types to
exclude from the SMTP server cipher list at manda- exclude from the SMTP server cipher list at manda-
tory TLS security levels. tory TLS security levels.
<b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b> <b><a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
The SSL/TLS protocols accepted by the Postfix SMTP The SSL/TLS protocols accepted by the Postfix SMTP
server with mandatory TLS encryption. server with mandatory TLS encryption.
<b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b> <b><a href="postconf.5.html#smtpd_tls_received_header">smtpd_tls_received_header</a> (no)</b>
Request that the Postfix SMTP server produces Request that the Postfix SMTP server produces
Received: message headers that include information Received: message headers that include information
about the protocol and cipher used, as well as the about the protocol and cipher used, as well as the
client CommonName and client certificate issuer client CommonName and client certificate issuer
CommonName. CommonName.
<b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b> <b><a href="postconf.5.html#smtpd_tls_req_ccert">smtpd_tls_req_ccert</a> (no)</b>
With mandatory TLS encryption, require a trusted With mandatory TLS encryption, require a trusted
remote SMTP client certificate in order to allow remote SMTP client certificate in order to allow
TLS connections to proceed. TLS connections to proceed.
<b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a> (empty)</b>
Name of the file containing the optional Postfix Name of the file containing the optional Postfix
SMTP server TLS session cache. SMTP server TLS session cache.
<b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b> <b><a href="postconf.5.html#smtpd_tls_session_cache_timeout">smtpd_tls_session_cache_timeout</a> (3600s)</b>
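Review bot: the three lines removed at smtpd_tls_dh1024_param_file / smtpd_tls_dh512_param_file and the three lines added back in the same place of this hunk are textually identical ("File with DH parameters that the Postfix SMTP server should use with EDH ciphers."), so the diff records only a layout change in the generated page. The underlying documentation problem survives the change: both parameters carry word-for-word the same one-line summary, so a reader cannot tell from this page which file is used when. Suggest distinguishing the two summaries by the DH group size the names imply (1024-bit vs 512-bit) and by the EDH cipher grade each serves; since a 512-bit group is far weaker, stating when it is selected is the detail an operator actually needs here.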
@ -487,14 +497,14 @@ SMTPD(8) SMTPD(8)
sion cache information. sion cache information.
<b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b> <b><a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a> (no)</b>
Run the Postfix SMTP server in the non-standard Run the Postfix SMTP server in the non-standard
"wrapper" mode, instead of using the STARTTLS com- "wrapper" mode, instead of using the STARTTLS com-
mand. mand.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b> <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
server in order to seed its internal pseudo random server in order to seed its internal pseudo random
number generator (PRNG). number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b> <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
@ -506,7 +516,7 @@ SMTPD(8) SMTPD(8)
ciphers. ciphers.
<b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b> <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
The OpenSSL cipherlist for "LOW" or higher grade The OpenSSL cipherlist for "LOW" or higher grade
ciphers. ciphers.
<b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b> <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
@ -514,26 +524,26 @@ SMTPD(8) SMTPD(8)
ciphers. ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b> <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
The OpenSSL cipherlist for "NULL" grade ciphers The OpenSSL cipherlist for "NULL" grade ciphers
that provide authentication without encryption. that provide authentication without encryption.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (md5)</b> <b><a href="postconf.5.html#smtpd_tls_fingerprint_digest">smtpd_tls_fingerprint_digest</a> (md5)</b>
The message digest algorithm used to construct The message digest algorithm used to construct
client-certificate fingerprints for client-certificate fingerprints for
<b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b> and <b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a></b>. <b><a href="postconf.5.html#check_ccert_access">check_ccert_access</a></b> and <b><a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a></b>.
Available in Postfix version 2.6 and later: Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> (empty)</b>
List of TLS protocols that the Postfix SMTP server List of TLS protocols that the Postfix SMTP server
will exclude or include with opportunistic TLS will exclude or include with opportunistic TLS
encryption. encryption.
<b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b> <b><a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a> (export)</b>
The minimum TLS cipher grade that the Postfix SMTP The minimum TLS cipher grade that the Postfix SMTP
server will use with opportunistic TLS encryption. server will use with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_eccert_file">smtpd_tls_eccert_file</a> (empty)</b>
File with the Postfix SMTP server ECDSA certificate File with the Postfix SMTP server ECDSA certificate
@ -544,7 +554,7 @@ SMTPD(8) SMTPD(8)
in PEM format. in PEM format.
<b><a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> (see 'postconf -d' output)</b>
The Postfix SMTP server security grade for The Postfix SMTP server security grade for
ephemeral elliptic-curve Diffie-Hellman (EECDH) key ephemeral elliptic-curve Diffie-Hellman (EECDH) key
exchange. exchange.
@ -564,22 +574,22 @@ SMTPD(8) SMTPD(8)
ence order. ence order.
<b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#tls_disable_workarounds">tls_disable_workarounds</a> (see 'postconf -d' output)</b>
List or bit-mask of OpenSSL bug work-arounds to List or bit-mask of OpenSSL bug work-arounds to
disable. disable.
<b>OBSOLETE STARTTLS CONTROLS</b> <b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compati- The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these bility with Postfix versions before 2.3. Support for these
will be removed in a future release. will be removed in a future release.
<b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b> <b><a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a> (no)</b>
Opportunistic TLS: announce STARTTLS support to Opportunistic TLS: announce STARTTLS support to
SMTP clients, but do not require that clients use SMTP clients, but do not require that clients use
TLS encryption. TLS encryption.
<b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b> <b><a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> (no)</b>
Mandatory TLS: announce STARTTLS support to SMTP Mandatory TLS: announce STARTTLS support to SMTP
clients, and require that clients use TLS encryp- clients, and require that clients use TLS encryp-
tion. tion.
<b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b> <b><a href="postconf.5.html#smtpd_tls_cipherlist">smtpd_tls_cipherlist</a> (empty)</b>
@ -587,68 +597,68 @@ SMTPD(8) SMTPD(8)
server TLS cipher list. server TLS cipher list.
<b>VERP SUPPORT CONTROLS</b> <b>VERP SUPPORT CONTROLS</b>
With VERP style delivery, each recipient of a message With VERP style delivery, each recipient of a message
receives a customized copy of the message with his/her own receives a customized copy of the message with his/her own
recipient address encoded in the envelope sender address. recipient address encoded in the envelope sender address.
The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
details of Postfix support for variable envelope return details of Postfix support for variable envelope return
path addresses. VERP style delivery is requested with the path addresses. VERP style delivery is requested with the
SMTP XVERP command or with the "sendmail -V" command-line SMTP XVERP command or with the "sendmail -V" command-line
option and is available in Postfix version 1.1 and later. option and is available in Postfix version 1.1 and later.
<b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b> <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
The two default VERP delimiter characters. The two default VERP delimiter characters.
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b> <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
The characters Postfix accepts as VERP delimiter The characters Postfix accepts as VERP delimiter
characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands. and in SMTP commands.
Available in Postfix version 1.1 and 2.0: Available in Postfix version 1.1 and 2.0:
<b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b> <b><a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
What SMTP clients are allowed to specify the XVERP What SMTP clients are allowed to specify the XVERP
command. command.
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b> <b><a href="postconf.5.html#smtpd_authorized_verp_clients">smtpd_authorized_verp_clients</a> ($<a href="postconf.5.html#authorized_verp_clients">authorized_verp_clients</a>)</b>
What SMTP clients are allowed to specify the XVERP What SMTP clients are allowed to specify the XVERP
command. command.
<b>TROUBLE SHOOTING CONTROLS</b> <b>TROUBLE SHOOTING CONTROLS</b>
The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of The <a href="DEBUG_README.html">DEBUG_README</a> document describes how to debug parts of
the Postfix mail system. The methods vary from making the the Postfix mail system. The methods vary from making the
software log a lot of detail, to running some daemon pro- software log a lot of detail, to running some daemon pro-
cesses under control of a call tracer or debugger. cesses under control of a call tracer or debugger.
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a The increment in verbose logging level when a
remote client or server matches a pattern in the remote client or server matches a pattern in the
<a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b> <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname Optional list of remote client or server hostname
or network address patterns that cause the verbose or network address patterns that cause the verbose
logging level to increase by the amount specified logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>. in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b> <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about The recipient of postmaster notifications about
mail delivery problems that are caused by policy, mail delivery problems that are caused by policy,
resource, software or protocol errors. resource, software or protocol errors.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b> <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
What categories of Postfix-generated mail are sub- What categories of Postfix-generated mail are sub-
ject to before-queue content inspection by ject to before-queue content inspection by
<a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>. <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b> <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
The list of error classes that are reported to the The list of error classes that are reported to the
postmaster. postmaster.
<b><a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> (empty)</b> <b><a href="postconf.5.html#smtpd_reject_footer">smtpd_reject_footer</a> (empty)</b>
Optional information that is appended after each Optional information that is appended after each
SMTP server 4XX or 5XX response. SMTP server 4XX or 5XX response.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b> <b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
@ -658,22 +668,22 @@ SMTPD(8) SMTPD(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b> <b><a href="postconf.5.html#smtpd_authorized_xclient_hosts">smtpd_authorized_xclient_hosts</a> (empty)</b>
What SMTP clients are allowed to use the XCLIENT What SMTP clients are allowed to use the XCLIENT
feature. feature.
<b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b> <b>KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS</b>
As of Postfix version 2.0, the SMTP server rejects mail As of Postfix version 2.0, the SMTP server rejects mail
for unknown recipients. This prevents the mail queue from for unknown recipients. This prevents the mail queue from
clogging up with undeliverable MAILER-DAEMON messages. clogging up with undeliverable MAILER-DAEMON messages.
Additional information on this topic is in the Additional information on this topic is in the
<a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents. <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> and <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> documents.
<b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b> <b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
Display the name of the recipient table in the Display the name of the recipient table in the
"User unknown" responses. "User unknown" responses.
<b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b> <b><a href="postconf.5.html#canonical_maps">canonical_maps</a> (empty)</b>
Optional address mapping lookup tables for message Optional address mapping lookup tables for message
headers and envelopes. headers and envelopes.
<b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b> <b><a href="postconf.5.html#recipient_canonical_maps">recipient_canonical_maps</a> (empty)</b>
@ -684,7 +694,7 @@ SMTPD(8) SMTPD(8)
<b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, local-</b> <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, local-</b>
<b>host)</b> <b>host)</b>
The list of domains that are delivered via the The list of domains that are delivered via the
$<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport. $<a href="postconf.5.html#local_transport">local_transport</a> mail delivery transport.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
@ -693,146 +703,146 @@ SMTPD(8) SMTPD(8)
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys- The network interface addresses that this mail sys-
tem receives mail on by way of a proxy or network tem receives mail on by way of a proxy or network
address translation unit. address translation unit.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b> <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
The Internet protocols Postfix will attempt to use The Internet protocols Postfix will attempt to use
when making or accepting connections. when making or accepting connections.
<b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b> <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
<b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b> <b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
Lookup tables with all names or addresses of local Lookup tables with all names or addresses of local
recipients: a recipient address is local when its recipients: a recipient address is local when its
domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or domain matches $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or
$<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>.
<b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b> <b><a href="postconf.5.html#unknown_local_recipient_reject_code">unknown_local_recipient_reject_code</a> (550)</b>
The numerical Postfix SMTP server response code The numerical Postfix SMTP server response code
when a recipient address is local, and when a recipient address is local, and
$<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup $<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> specifies a list of lookup
tables that does not match the recipient. tables that does not match the recipient.
Parameters concerning known/unknown recipients of relay Parameters concerning known/unknown recipients of relay
destinations: destinations:
<b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b> <b><a href="postconf.5.html#relay_domains">relay_domains</a> ($<a href="postconf.5.html#mydestination">mydestination</a>)</b>
What destination domains (and subdomains thereof) What destination domains (and subdomains thereof)
this system will relay mail to. this system will relay mail to.
<b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b> <b><a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> (empty)</b>
Optional lookup tables with all valid addresses in Optional lookup tables with all valid addresses in
the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>. the domains that match $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b> <b><a href="postconf.5.html#unknown_relay_recipient_reject_code">unknown_relay_recipient_reject_code</a> (550)</b>
The numerical Postfix SMTP server reply code when a The numerical Postfix SMTP server reply code when a
recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and recipient address matches $<a href="postconf.5.html#relay_domains">relay_domains</a>, and
<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> specifies a list of lookup
tables that does not match the recipient address. tables that does not match the recipient address.
Parameters concerning known/unknown recipients in virtual Parameters concerning known/unknown recipients in virtual
alias domains: alias domains:
<b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b> <b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
Postfix is final destination for the specified list Postfix is final destination for the specified list
of virtual alias domains, that is, domains for of virtual alias domains, that is, domains for
which all addresses are aliased to addresses in which all addresses are aliased to addresses in
other local or remote domains. other local or remote domains.
<b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b> <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
Optional lookup tables that alias specific mail Optional lookup tables that alias specific mail
addresses or domains to other local or remote addresses or domains to other local or remote
address. address.
<b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b> <b><a href="postconf.5.html#unknown_virtual_alias_reject_code">unknown_virtual_alias_reject_code</a> (550)</b>
The SMTP server reply code when a recipient address The SMTP server reply code when a recipient address
matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>- matches $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, and $<a href="postconf.5.html#virtual_alias_maps">vir</a>-
<a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables <a href="postconf.5.html#virtual_alias_maps">tual_alias_maps</a> specifies a list of lookup tables
that does not match the recipient address. that does not match the recipient address.
Parameters concerning known/unknown recipients in virtual Parameters concerning known/unknown recipients in virtual
mailbox domains: mailbox domains:
<b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b> <b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
Postfix is final destination for the specified list Postfix is final destination for the specified list
of domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>- of domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">vir</a>-
<a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport. <a href="postconf.5.html#virtual_transport">tual_transport</a> mail delivery transport.
<b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b> <b><a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> (empty)</b>
Optional lookup tables with all valid addresses in Optional lookup tables with all valid addresses in
the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>. the domains that match $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
<b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b> <b><a href="postconf.5.html#unknown_virtual_mailbox_reject_code">unknown_virtual_mailbox_reject_code</a> (550)</b>
The SMTP server reply code when a recipient address The SMTP server reply code when a recipient address
matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>- matches $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and $<a href="postconf.5.html#virtual_mailbox_maps">vir</a>-
<a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables <a href="postconf.5.html#virtual_mailbox_maps">tual_mailbox_maps</a> specifies a list of lookup tables
that does not match the recipient address. that does not match the recipient address.
<b>RESOURCE AND RATE CONTROLS</b> <b>RESOURCE AND RATE CONTROLS</b>
The following parameters limit resource usage by the SMTP The following parameters limit resource usage by the SMTP
server and/or control client request rates. server and/or control client request rates.
<b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b> <b><a href="postconf.5.html#line_length_limit">line_length_limit</a> (2048)</b>
Upon input, long lines are chopped up into pieces Upon input, long lines are chopped up into pieces
of at most this length; upon delivery, long lines of at most this length; upon delivery, long lines
are reconstructed. are reconstructed.
<b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b> <b><a href="postconf.5.html#queue_minfree">queue_minfree</a> (0)</b>
The minimal amount of free space in bytes in the The minimal amount of free space in bytes in the
queue file system that is needed to receive mail. queue file system that is needed to receive mail.
<b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b> <b><a href="postconf.5.html#message_size_limit">message_size_limit</a> (10240000)</b>
The maximal size in bytes of a message, including The maximal size in bytes of a message, including
envelope information. envelope information.
<b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b> <b><a href="postconf.5.html#smtpd_recipient_limit">smtpd_recipient_limit</a> (1000)</b>
The maximal number of recipients that the Postfix The maximal number of recipients that the Postfix
SMTP server accepts per message delivery request. SMTP server accepts per message delivery request.
<b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (normal: 300s, overload: 10s)</b> <b><a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> (normal: 300s, overload: 10s)</b>
The time limit for sending a Postfix SMTP server The time limit for sending a Postfix SMTP server
response and for receiving a remote SMTP client response and for receiving a remote SMTP client
request. request.
<b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b> <b><a href="postconf.5.html#smtpd_history_flush_threshold">smtpd_history_flush_threshold</a> (100)</b>
The maximal number of lines in the Postfix SMTP The maximal number of lines in the Postfix SMTP
server command history before it is flushed upon server command history before it is flushed upon
receipt of EHLO, RSET, or end of DATA. receipt of EHLO, RSET, or end of DATA.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b> <b><a href="postconf.5.html#smtpd_peername_lookup">smtpd_peername_lookup</a> (yes)</b>
Attempt to look up the remote SMTP client hostname, Attempt to look up the remote SMTP client hostname,
and verify that the name matches the client IP and verify that the name matches the client IP
address. address.
The per SMTP client connection count and request rate lim- The per SMTP client connection count and request rate lim-
its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser- its are implemented in co-operation with the <a href="anvil.8.html"><b>anvil</b>(8)</a> ser-
vice, and are available in Postfix version 2.2 and later. vice, and are available in Postfix version 2.2 and later.
<b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b> <b><a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (50)</b>
How many simultaneous connections any client is How many simultaneous connections any client is
allowed to make to this service. allowed to make to this service.
<b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b> <b><a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (0)</b>
The maximal number of connection attempts any The maximal number of connection attempts any
client is allowed to make to this service per time client is allowed to make to this service per time
unit. unit.
<b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b> <b><a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (0)</b>
The maximal number of message delivery requests The maximal number of message delivery requests
that any client is allowed to make to this service that any client is allowed to make to this service
per time unit, regardless of whether or not Postfix per time unit, regardless of whether or not Postfix
actually accepts those messages. actually accepts those messages.
<b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b> <b><a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (0)</b>
The maximal number of recipient addresses that any The maximal number of recipient addresses that any
client is allowed to send to this service per time client is allowed to send to this service per time
unit, regardless of whether or not Postfix actually unit, regardless of whether or not Postfix actually
accepts those recipients. accepts those recipients.
<b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b> <b><a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> ($<a href="postconf.5.html#mynetworks">mynetworks</a>)</b>
Clients that are excluded from Clients that are excluded from
smtpd_client_*_count/rate_limit restrictions. smtpd_client_*_count/rate_limit restrictions.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
@ -842,6 +852,16 @@ SMTPD(8) SMTPD(8)
sions that a remote SMTP client is allowed to nego- sions that a remote SMTP client is allowed to nego-
tiate with this service per time unit. tiate with this service per time unit.
Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time
limit, from a time limit per read or write system
call, to a time limit to read or write a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
<b>TARPIT CONTROLS</b> <b>TARPIT CONTROLS</b>
When a remote SMTP client makes errors, the Postfix SMTP When a remote SMTP client makes errors, the Postfix SMTP
server can insert delays before responding. This can help server can insert delays before responding. This can help
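Review bot: the added smtpd_per_record_deadline summary says "a time limit to read or write a complete record", while the %PARAM text for the same parameter in proto/postconf.proto in this commit says "send or receive a complete record". If the smtpd(8) summaries are derived from the first sentence of the postconf.proto entry, regenerate after settling on one wording; if they are hand-maintained, align them by hand. The summary also drops the one sentence that tells an operator why to turn it on ("limits the impact from hostile peers that trickle data one byte at a time"); since RESOURCE AND RATE CONTROLS is where someone under a slow-trickle attack will look first, consider keeping that sentence here even in the short form.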

View File

@ -2236,6 +2236,11 @@ The LMTP-specific version of the smtp_nested_header_checks
configuration parameter. See there for details. configuration parameter. See there for details.
.PP .PP
This feature is available in Postfix 2.5 and later. This feature is available in Postfix 2.5 and later.
.SH lmtp_per_record_deadline (default: no)
The LMTP-specific version of the smtp_per_record_deadline
configuration parameter. See there for details.
.PP
This feature is available in Postfix 2.8 and later.
.SH lmtp_pix_workaround_delay_time (default: 10s) .SH lmtp_pix_workaround_delay_time (default: 10s)
The LMTP-specific version of the smtp_pix_workaround_delay_time The LMTP-specific version of the smtp_pix_workaround_delay_time
configuration parameter. See there for details. configuration parameter. See there for details.
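Review bot: "This feature is available in Postfix 2.8 and later" in the new lmtp_per_record_deadline entry is wrong. The smtp_per_record_deadline entry it defers to is documented later in this same file as "available in Postfix 2.9 and later", and the release number in this commit is 2.9; an lmtp_ alias cannot predate the parameter it aliases. Because postconf.5 is generated, the fix belongs in the %PARAM lmtp_per_record_deadline entry in proto/postconf.proto (it carries the same 2.8 text), not in this file.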
@ -5499,6 +5504,23 @@ This feature is available in Postfix 2.5 and later.
.SH smtp_never_send_ehlo (default: no) .SH smtp_never_send_ehlo (default: no)
Never send EHLO at the start of an SMTP session. See also the Never send EHLO at the start of an SMTP session. See also the
smtp_always_send_ehlo parameter. smtp_always_send_ehlo parameter.
.SH smtp_per_record_deadline (default: no)
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message). This
limits the impact from hostile peers that trickle data one byte at
a time.
.PP
Note: when per-record deadlines are enabled, a short timeout
may cause problems with TLS over very slow network connections.
The reasons are that a TLS protocol message can be up to 16 kbytes
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline.
.PP
This feature is available in Postfix 2.9 and later. With older
Postfix releases, the behavior is as if this parameter is set to
"no".
.SH smtp_pix_workaround_delay_time (default: 10s) .SH smtp_pix_workaround_delay_time (default: 10s)
How long the Postfix SMTP client pauses before sending How long the Postfix SMTP client pauses before sending
".<CR><LF>" in order to work around the PIX firewall ".<CR><LF>" in order to work around the PIX firewall
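Review bot: two things in the smtp_per_record_deadline text. First, "up to 16 kbytes long (with TLSv1)" reads as if other TLS versions differ; the 2^14-byte plaintext limit is the TLS record-layer limit for every version (SSL 3.0 through TLS 1.2), and the ciphertext record can be up to 2^14 + 2048 bytes, so "(the TLS record size limit)" would be more accurate and still true for the client side. Second, the security claim should state its limits: the deadline bounds the time to complete one record, so a hostile peer can still hold the session by delivering one complete line or TLS record just inside each deadline; the per-byte trickle is defeated, the per-record trickle is not, and the existing timeouts (smtp_*_timeout, which it would help to enumerate here instead of the glob) remain the bound on that. One sentence saying so stops readers from treating "yes" as a complete slow-peer defence.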
@ -7912,6 +7934,23 @@ lookup is disabled. Turning off name lookup reduces delays due to
DNS lookup and increases the maximal inbound delivery rate. DNS lookup and increases the maximal inbound delivery rate.
.PP .PP
This feature is available in Postfix 2.3 and later. This feature is available in Postfix 2.3 and later.
.SH smtpd_per_record_deadline (default: normal: no, overload: yes)
Change the behavior of the smtpd_timeout time limit, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message). This
limits the impact from hostile peers that trickle data one byte at
a time.
.PP
Note: when per-record deadlines are enabled, a short timeout
may cause problems with TLS over very slow network connections.
The reasons are that a TLS protocol message can be up to 16 kbytes
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline.
.PP
This feature is available in Postfix 2.9 and later. With older
Postfix releases, the behavior is as if this parameter is set to
"no".
.SH smtpd_policy_service_max_idle (default: 300s) .SH smtpd_policy_service_max_idle (default: 300s)
The time after which an idle SMTPD policy service connection is The time after which an idle SMTPD policy service connection is
closed. closed.
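Review bot: the TLS warning in smtpd_per_record_deadline should name the default overload configuration explicitly, because that is when it bites. Under stress the documented defaults switch together: smtpd_timeout drops to 10s (its default is "normal: 300s, overload: 10s") and this parameter flips to "yes", so a remote TLS client must deliver a full 16 kbyte record within 10 seconds exactly when the server is overloaded, and slow legitimate senders are the ones most likely to be cut off. Suggest replacing the abstract "a short timeout may cause problems with TLS over very slow network connections" with "under overload (smtpd_timeout 10s, smtpd_per_record_deadline yes) a TLS peer that cannot transfer a 16 kbyte record in 10 seconds will be disconnected", and reminding operators that setting smtpd_timeout to a fixed value in main.cf removes the stress-dependent default.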

View File

@ -82,7 +82,8 @@ XFORWARD.
Support for AUTH may be added in the future. Support for AUTH may be added in the future.
In the mean time, if you need to make these services available In the mean time, if you need to make these services available
on port 25, then do not enable the optional "after 220 on port 25, then do not enable the optional "after 220
server greeting" tests. server greeting" tests, and do not use DNSBLs that reject
traffic from dial-up and residential networks.
The optional "after 220 server greeting" tests involve The optional "after 220 server greeting" tests involve
\fBpostscreen\fR(8)'s built-in SMTP protocol engine. When \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
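Review bot: the new clause "do not use DNSBLs that reject traffic from dial-up and residential networks" states the rule without the reason, and the reason is what lets an operator judge other cases. The sentence is about clients that need AUTH (which postscreen(8) does not support); such clients typically submit from residential address space, and a DNSBL that lists that space makes postscreen reject them before the real smtpd(8) could ever authenticate them. Suggest adding that explanation and pointing these users at the submission service instead of port 25, so that the advice is not read as a general objection to those DNSBLs.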

View File

@ -256,6 +256,13 @@ An optional workaround for routers that break TCP window scaling.
Available in Postfix version 2.8 and later: Available in Postfix version 2.8 and later:
.IP "\fBsmtp_dns_resolver_options (empty)\fR" .IP "\fBsmtp_dns_resolver_options (empty)\fR"
DNS Resolver options for the Postfix SMTP client. DNS Resolver options for the Postfix SMTP client.
.PP
Available in Postfix version 2.9 and later:
.IP "\fBsmtp_per_record_deadline (no)\fR"
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to read
or write a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message).
.SH "MIME PROCESSING CONTROLS" .SH "MIME PROCESSING CONTROLS"
.na .na
.nf .nf
@ -547,6 +554,13 @@ Available in Postfix version 2.3 and later:
.IP "\fBconnection_cache_protocol_timeout (5s)\fR" .IP "\fBconnection_cache_protocol_timeout (5s)\fR"
Time limit for connection cache connect, send or receive Time limit for connection cache connect, send or receive
operations. operations.
.PP
Available in Postfix version 2.9 and later:
.IP "\fBsmtp_per_record_deadline (no)\fR"
Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to read
or write a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message).
.SH "TROUBLE SHOOTING CONTROLS" .SH "TROUBLE SHOOTING CONTROLS"
.na .na
.nf .nf
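Review bot: this is the second copy of the smtp_per_record_deadline summary added to smtp(8) in this commit; the same seven lines were added earlier at hunk 256 (before MIME PROCESSING CONTROLS). If listing it in two sections is intended, because it is both a behaviour change to the smtp_*_timeout parameters and a resource control, that is fine, but the two copies then have to be kept identical, and both already differ from the postconf.proto text ("read or write" here, "send or receive" there). The copy here, next to connection_cache_protocol_timeout and the other timeouts, is the one readers will find; if only one survives, keep this one.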

View File

@ -143,6 +143,13 @@ An optional workaround for routers that break TCP window scaling.
Available in Postfix version 2.7 and later: Available in Postfix version 2.7 and later:
.IP "\fBsmtpd_command_filter (empty)\fR" .IP "\fBsmtpd_command_filter (empty)\fR"
A mechanism to transform commands from remote SMTP clients. A mechanism to transform commands from remote SMTP clients.
.PP
Available in Postfix version 2.9 and later:
.IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
Change the behavior of the smtpd_timeout time limit, from a
time limit per read or write system call, to a time limit to read
or write a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message).
.SH "ADDRESS REWRITING CONTROLS" .SH "ADDRESS REWRITING CONTROLS"
.na .na
.nf .nf
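Review bot: the smtpd_per_record_deadline summary is added here among compatibility-style entries (smtpd_command_filter, the TCP window scaling workaround) and again later in this file right after the TLS session rate limit. Listing a parameter twice is acceptable when it belongs to two sections, but then a reader of this section gets no hint that the parameter's TLS caveat and its stress-dependent default are explained under the timeout controls; a "see also smtpd_timeout" or a cross reference in this copy would help, or else drop this copy and keep the later one.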
@ -673,6 +680,13 @@ Available in Postfix version 2.3 and later:
The maximal number of new (i.e., uncached) TLS sessions that a The maximal number of new (i.e., uncached) TLS sessions that a
remote SMTP client is allowed to negotiate with this service per remote SMTP client is allowed to negotiate with this service per
time unit. time unit.
.PP
Available in Postfix version 2.9 and later:
.IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
Change the behavior of the smtpd_timeout time limit, from a
time limit per read or write system call, to a time limit to read
or write a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message).
.SH "TARPIT CONTROLS" .SH "TARPIT CONTROLS"
.na .na
.nf .nf
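Review bot: the summary text here says "a time limit to read or write a complete record" but the parameter description in proto/postconf.proto says "send or receive"; make the wording identical so that a search for either phrase finds both. Since this copy sits directly under the TLS session rate limit, it is also the natural place for a half-sentence that an entire TLS protocol message (up to 16 kbytes) must complete within the deadline, which is the caveat the full description carries and the summary does not.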

View File

@ -631,6 +631,7 @@ while (<>) {
s;\bsmtp_body_checks\b;<a href="postconf.5.html#smtp_body_checks">$&</a>;g; s;\bsmtp_body_checks\b;<a href="postconf.5.html#smtp_body_checks">$&</a>;g;
s;\bsmtp_reply_filter\b;<a href="postconf.5.html#smtp_reply_filter">$&</a>;g; s;\bsmtp_reply_filter\b;<a href="postconf.5.html#smtp_reply_filter">$&</a>;g;
s;\bsmtp_address_preference\b;<a href="postconf.5.html#smtp_address_preference">$&</a>;g; s;\bsmtp_address_preference\b;<a href="postconf.5.html#smtp_address_preference">$&</a>;g;
s;\bsmtp_per_record_deadline\b;<a href="postconf.5.html#smtp_per_record_deadline">$&</a>;g;
s;\bsmtpd_enforce_tls\b;<a href="postconf.5.html#smtpd_enforce_tls">$&</a>;g; s;\bsmtpd_enforce_tls\b;<a href="postconf.5.html#smtpd_enforce_tls">$&</a>;g;
s;\bsmtpd_sasl_tls_security_options\b;<a href="postconf.5.html#smtpd_sasl_tls_security_options">$&</a>;g; s;\bsmtpd_sasl_tls_security_options\b;<a href="postconf.5.html#smtpd_sasl_tls_security_options">$&</a>;g;
s;\bsmtpd_sasl_type\b;<a href="postconf.5.html#smtpd_sasl_type">$&</a>;g; s;\bsmtpd_sasl_type\b;<a href="postconf.5.html#smtpd_sasl_type">$&</a>;g;
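Review bot: postlink gains patterns for smtp_per_record_deadline (here) and smtpd_per_record_deadline (next hunk), but not for lmtp_per_record_deadline, although proto/postconf.proto in this commit defines a %PARAM lmtp_per_record_deadline entry. Unless postlink has a generic lmtp_ rewrite that covers it, references to the lmtp_ variant in the generated HTML will not be hyperlinked; add the matching s;\blmtp_per_record_deadline\b;...; line next to the other lmtp_ patterns.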
@ -667,6 +668,7 @@ while (<>) {
s;\bsmtpd_tls_wrappermode\b;<a href="postconf.5.html#smtpd_tls_wrappermode">$&</a>;g; s;\bsmtpd_tls_wrappermode\b;<a href="postconf.5.html#smtpd_tls_wrappermode">$&</a>;g;
s;\bsmtpd_use_tls\b;<a href="postconf.5.html#smtpd_use_tls">$&</a>;g; s;\bsmtpd_use_tls\b;<a href="postconf.5.html#smtpd_use_tls">$&</a>;g;
s;\bsmtpd_reject_footer\b;<a href="postconf.5.html#smtpd_reject_footer">$&</a>;g; s;\bsmtpd_reject_footer\b;<a href="postconf.5.html#smtpd_reject_footer">$&</a>;g;
s;\bsmtpd_per_record_deadline\b;<a href="postconf.5.html#smtpd_per_record_deadline">$&</a>;g;
s;\btls_daemon_random_bytes\b;<a href="postconf.5.html#tls_daemon_random_bytes">$&</a>;g; s;\btls_daemon_random_bytes\b;<a href="postconf.5.html#tls_daemon_random_bytes">$&</a>;g;
s;\btls_daemon_random_source\b;<a href="postconf.5.html#tls_daemon_random_source">$&</a>;g; s;\btls_daemon_random_source\b;<a href="postconf.5.html#tls_daemon_random_source">$&</a>;g;
s;\btls_ran[-</Bb>]*\n* *[<Bb>]*dom_bytes\b;<a href="postconf.5.html#tls_random_bytes">$&</a>;g; s;\btls_ran[-</Bb>]*\n* *[<Bb>]*dom_bytes\b;<a href="postconf.5.html#tls_random_bytes">$&</a>;g;

View File

@ -28,11 +28,13 @@ SMTP commands (HELO, MAIL FROM, etc.) as well as mail content
<p> The reason for adding Milter support to Postfix is that there <p> The reason for adding Milter support to Postfix is that there
exists a large collection of applications, not only to block unwanted exists a large collection of applications, not only to block unwanted
mail, but also to verify authenticity (examples: <a mail, but also to verify authenticity (examples: <a
href="http://www.opendkim.org/">OpenDKIM</a>, <a
href="http://sourceforge.net/projects/dkim-milter/">DomainKeys href="http://sourceforge.net/projects/dkim-milter/">DomainKeys
Identified Mail (DKIM)</a>, <a Identified Mail (DKIM)</a>, <a
href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
<a href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>) <a href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>)
or to digitally sign mail (examples: <a or to digitally sign mail (examples: <a
href="http://www.opendkim.org/">OpenDKIM</a>, <a
href="http://sourceforge.net/projects/dkim-milter/">DomainKeys href="http://sourceforge.net/projects/dkim-milter/">DomainKeys
Identified Mail (DKIM)</a>, <a Identified Mail (DKIM)</a>, <a
href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>). href="http://sourceforge.net/projects/dk-milter/">DomainKeys</a>).
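Review bot: OpenDKIM is inserted in front of dkim-milter in both lists without saying how the two relate. OpenDKIM is the maintained successor of the sourceforge dkim-milter project it now precedes, so readers choosing one should be told that; a parenthetical such as "OpenDKIM (the successor of dkim-milter)" in the first list, or a note that dkim-milter and dk-milter are no longer actively developed, would prevent people from installing the older one because it appears in the same list with equal weight.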
@ -212,10 +214,22 @@ other systems, libmilter may be provided by a package (called
"sendmail-devel" on some Linux systems). </p> "sendmail-devel" on some Linux systems). </p>
<p> Once libmilter is installed, applications such as <a <p> Once libmilter is installed, applications such as <a
href="http://www.opendkim.org/">OpenDKIM</a>, <a
href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a> and href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a> and
<a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a> <a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a>
build out of the box without requiring any tinkering:</p> build out of the box without requiring any tinkering:</p>
<blockquote>
<pre>
$ <b>gzcat opendkim-<i>x.y.z</i>.tar.gz | tar xf -</b>
$ <b>cd opendkim-<i>x.y.z</i></b>
$ <b>./configure ...<i>options</i>...</b>
$ <b>make</b>
[...<i>lots of output omitted</i>...]
$ <b>make install</b>
</pre>
</blockquote>
<blockquote> <blockquote>
<pre> <pre>
$ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b> $ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
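Review bot: the added OpenDKIM build example follows the claim that these applications "build out of the box without requiring any tinkering", yet its configure line is shown as "./configure ...options..." with no indication of which options, if any, are needed. Since the surrounding paragraph is about having libmilter installed first, the example should either show a bare ./configure with a remark that this suffices when libmilter is in a standard location, or show the option that points configure at a non-standard libmilter install (in OpenDKIM's configure that is --with-milter=DIR, please verify against the release being documented). As written, a reader cannot tell whether the elided options are required.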

View File

@ -432,13 +432,14 @@ logging more informative. </p>
as: </p> as: </p>
<pre> <pre>
<b>COMMAND PIPELINING after</b> <i>time</i> <b>from</b> <i>[address]:port</i> <b>COMMAND PIPELINING from</b> <i>[address]:port</i> <b>after</b> <i>command</i>: <i>text</i>
</pre> </pre>
<p> Translation: the SMTP client at <i>[address]:port</i> sent multiple <p> Translation: the SMTP client at <i>[address]:port</i> sent
SMTP commands, instead of sending one command and then waiting for multiple SMTP commands, instead of sending one command and then
the server to reply. This happened <i>time</i> seconds after the waiting for the server to reply. This happened after the client
"220 " server greeting was sent. </p> sent <i>command</i>. The <i>text</i> shows part of the input that
was sent too early; it is not logged with Postfix 2.8. </p>
<p> The postscreen_pipelining_action parameter specifies the action <p> The postscreen_pipelining_action parameter specifies the action
that is taken next. See "<a href="#fail_after_220">When tests fail that is taken next. See "<a href="#fail_after_220">When tests fail
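Review bot: the COMMAND PIPELINING log line changes shape in this hunk (the "after time from [address]:port" form becomes "from [address]:port after command: text"), which breaks any log parser keyed on the 2.8 format; that deserves a line in RELEASE_NOTES, and the phrase "it is not logged with Postfix 2.8" should say plainly that the text field does not exist in 2.8 log lines rather than leaving it to the reader to infer a format change. Separately, the text field is attacker-controlled input that postscreen(8) has not yet parsed as a command; the README should state that it is logged in sanitized or escaped form (non-printable bytes rendered visibly, length capped), or the code that produces it should be checked for that, otherwise this log line becomes a log-injection channel for anyone who can open a TCP connection to port 25.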

View File

@ -14011,3 +14011,47 @@ service performs plaintext &lt;=&gt; TLS ciphertext conversion. <p>
<p> This feature is available in Postfix 2.8 and later. </p> <p> This feature is available in Postfix 2.8 and later. </p>
%PARAM smtpd_per_record_deadline normal: no, overload: yes
<p> Change the behavior of the smtpd_timeout time limit, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message). This
limits the impact from hostile peers that trickle data one byte at
a time. </p>
<p> Note: when per-record deadlines are enabled, a short timeout
may cause problems with TLS over very slow network connections.
The reasons are that a TLS protocol message can be up to 16 kbytes
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>
<p> This feature is available in Postfix 2.9 and later. With older
Postfix releases, the behavior is as if this parameter is set to
"no". </p>
%PARAM smtp_per_record_deadline no
<p> Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to send
or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message). This
limits the impact from hostile peers that trickle data one byte at
a time. </p>
<p> Note: when per-record deadlines are enabled, a short timeout
may cause problems with TLS over very slow network connections.
The reasons are that a TLS protocol message can be up to 16 kbytes
long (with TLSv1), and that an entire TLS protocol message must be
sent or received within the per-record deadline. </p>
<p> This feature is available in Postfix 2.9 and later. With older
Postfix releases, the behavior is as if this parameter is set to
"no". </p>
%PARAM lmtp_per_record_deadline no
<p> The LMTP-specific version of the smtp_per_record_deadline
configuration parameter. See there for details. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
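Review bot: the %PARAM lmtp_per_record_deadline entry says "available in Postfix 2.8 and later", but the smtp_per_record_deadline entry just above it, to which it refers for details, says 2.9, and this commit is a 2.9 snapshot; change 2.8 to 2.9 here, and the generated postconf.5 entry that repeats the error will follow. The smtpd_per_record_deadline and smtp_per_record_deadline descriptions are otherwise word-for-word identical, so any later wording fix (for example the "with TLSv1" qualifier on the 16 kbyte record limit, which applies to every TLS version) has to be made in both places.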

View File

@ -3583,6 +3583,19 @@ extern bool var_tlsp_tls_set_sessid;
#define DEF_SMTPD_REJ_FOOTER "" #define DEF_SMTPD_REJ_FOOTER ""
extern char *var_smtpd_rej_footer; extern char *var_smtpd_rej_footer;
/*
* Per-record time limit support.
*/
#define VAR_SMTPD_REC_DEADLINE "smtpd_per_record_deadline"
#define DEF_SMTPD_REC_DEADLINE "${stress?yes}${stress:no}"
extern bool var_smtpd_rec_deadline;
#define VAR_SMTP_REC_DEADLINE "smtp_per_record_deadline"
#define DEF_SMTP_REC_DEADLINE 0
#define VAR_LMTP_REC_DEADLINE "lmtp_per_record_deadline"
#define DEF_LMTP_REC_DEADLINE 0
extern bool var_smtp_rec_deadline;
/* LICENSE /* LICENSE
/* .ad /* .ad
/* .fi /* .fi
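Review bot: DEF_SMTPD_REC_DEADLINE is the string expression "${stress?yes}${stress:no}" while DEF_SMTP_REC_DEADLINE and DEF_LMTP_REC_DEADLINE are the plain integer 0, yet all three variables are declared bool; a one-line comment in this block saying that the smtpd default is expanded at run time against the stress parameter, and therefore has to be registered through a CONFIG_NBOOL_TABLE (as smtpd.c does in this commit) rather than a CONFIG_BOOL_TABLE, would keep the next *_per_record_deadline parameter from being wired into the wrong table.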

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20110207" #define MAIL_RELEASE_DATE "20110212"
#define MAIL_VERSION_NUMBER "2.9" #define MAIL_VERSION_NUMBER "2.9"
#ifdef SNAPSHOT #ifdef SNAPSHOT

View File

@ -6,9 +6,10 @@
/* SYNOPSIS /* SYNOPSIS
/* #include <smtp_stream.h> /* #include <smtp_stream.h>
/* /*
/* void smtp_timeout_setup(stream, timeout) /* void smtp_stream_setup(stream, timeout, enable_deadline)
/* VSTREAM *stream; /* VSTREAM *stream;
/* int timeout; /* int timeout;
/* int enable_deadline;
/* /*
/* void smtp_printf(stream, format, ...) /* void smtp_printf(stream, format, ...)
/* VSTREAM *stream; /* VSTREAM *stream;
@ -44,16 +45,24 @@
/* VSTREAM *stream; /* VSTREAM *stream;
/* char *format; /* char *format;
/* va_list ap; /* va_list ap;
/* LEGACY API
/* void smtp_timeout_setup(stream, timeout)
/* VSTREAM *stream;
/* int timeout;
/* int enable_deadline;
/* DESCRIPTION /* DESCRIPTION
/* This module reads and writes text records delimited by CR LF, /* This module reads and writes text records delimited by CR LF,
/* with error detection: timeouts or unexpected end-of-file. /* with error detection: timeouts or unexpected end-of-file.
/* A trailing CR LF is added upon writing and removed upon reading. /* A trailing CR LF is added upon writing and removed upon reading.
/* /*
/* smtp_timeout_setup() arranges for a time limit on the smtp read /* smtp_stream_setup() prepares the specified stream for SMTP read
/* and write operations described below. /* and write operations described below.
/* This routine alters the behavior of streams as follows: /* This routine alters the behavior of streams as follows:
/* .IP \(bu /* .IP \(bu
/* The read/write total time limit is set to the specified value. /* When enable_deadline is non-zero, the stream is configured
/* to enforce a total time limit for each smtp_stream read/write
/* operation. Otherwise, the stream is configured to enforce
/* a time limit for each individual read/write system call.
/* .IP \f(bu /* .IP \f(bu
/* The stream is configured to use double buffering. /* The stream is configured to use double buffering.
/* .IP \f(bu /* .IP \f(bu
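Review bot: the new LEGACY API synopsis for smtp_timeout_setup(stream, timeout) lists a third declaration "int enable_deadline;" although the legacy interface takes only two arguments (the compatibility macro in smtp_stream.h supplies 0 for the third); drop that line so the synopsis matches the signature it documents.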
@ -90,6 +99,9 @@
/* The stream is not flushed. /* The stream is not flushed.
/* /*
/* smtp_vprintf() is the machine underneath smtp_printf(). /* smtp_vprintf() is the machine underneath smtp_printf().
/*
/* smtp_timeout_setup() is a backwards-compatibility interface
/* for programs that don't require per-record deadline support.
/* DIAGNOSTICS /* DIAGNOSTICS
/* .fi /* .fi
/* .ad /* .ad
@ -102,7 +114,7 @@
/* .IP SMTP_ERR_EOF /* .IP SMTP_ERR_EOF
/* An I/O error happened, or the peer has disconnected unexpectedly. /* An I/O error happened, or the peer has disconnected unexpectedly.
/* .IP SMTP_ERR_TIME /* .IP SMTP_ERR_TIME
/* The time limit specified to smtp_timeout_setup() was exceeded. /* The time limit specified to smtp_stream_setup() was exceeded.
/* .PP /* .PP
/* Additional error codes that may be used by applications: /* Additional error codes that may be used by applications:
/* .IP SMTP_ERR_QUIET /* .IP SMTP_ERR_QUIET
@ -166,9 +178,8 @@ static void smtp_timeout_reset(VSTREAM *stream)
* in the buffer. Such system calls would really hurt when receiving or * in the buffer. Such system calls would really hurt when receiving or
* sending body content one line at a time. * sending body content one line at a time.
*/ */
vstream_control(stream, if (vstream_fstat(stream, VSTREAM_FLAG_DEADLINE))
VSTREAM_CTL_TIME_LIMIT, stream->timeout, vstream_control(stream, VSTREAM_CTL_START_DEADLINE, VSTREAM_CTL_END);
VSTREAM_CTL_END);
} }
/* smtp_longjmp - raise an exception */ /* smtp_longjmp - raise an exception */
@ -190,13 +201,21 @@ static NORETURN smtp_longjmp(VSTREAM *stream, int err, const char *context)
vstream_longjmp(stream, err); vstream_longjmp(stream, err);
} }
/* smtp_timeout_setup - configure timeout trap */ /* smtp_stream_setup - configure timeout trap */
void smtp_timeout_setup(VSTREAM *stream, int maxtime) void smtp_stream_setup(VSTREAM *stream, int maxtime, int enable_deadline)
{ {
const char *myname = "smtp_stream_setup";
if (msg_verbose)
msg_info("%s: maxtime=%d enable_deadline=%d",
myname, maxtime, enable_deadline);
vstream_control(stream, vstream_control(stream,
VSTREAM_CTL_DOUBLE, VSTREAM_CTL_DOUBLE,
VSTREAM_CTL_TIMEOUT, maxtime, VSTREAM_CTL_TIMEOUT, maxtime,
enable_deadline ? VSTREAM_CTL_START_DEADLINE
: VSTREAM_CTL_STOP_DEADLINE,
VSTREAM_CTL_EXCEPT, VSTREAM_CTL_EXCEPT,
VSTREAM_CTL_END); VSTREAM_CTL_END);
} }
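Review bot: smtp_stream_setup() relies on VSTREAM_CTL_TIMEOUT being processed before VSTREAM_CTL_START_DEADLINE within the same vstream_control() argument list, because the vstream.c side of this change panics on VSTREAM_CTL_START_DEADLINE when stream->timeout is <= 0; a comment stating that ordering requirement, and that a caller must not combine maxtime == 0 with a non-zero enable_deadline, would prevent a future reordering (or a zero timeout reaching this path from smtpd(8) or smtp(8)) from turning "no time limit" into a msg_panic().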

View File

@ -32,7 +32,7 @@
#define SMTP_ERR_QUIET 3 /* silent cleanup (application) */ #define SMTP_ERR_QUIET 3 /* silent cleanup (application) */
#define SMTP_ERR_NONE 4 /* non-error case */ #define SMTP_ERR_NONE 4 /* non-error case */
extern void smtp_timeout_setup(VSTREAM *, int); extern void smtp_stream_setup(VSTREAM *, int, int);
extern void PRINTFLIKE(2, 3) smtp_printf(VSTREAM *, const char *,...); extern void PRINTFLIKE(2, 3) smtp_printf(VSTREAM *, const char *,...);
extern void smtp_flush(VSTREAM *); extern void smtp_flush(VSTREAM *);
extern int smtp_fgetc(VSTREAM *); extern int smtp_fgetc(VSTREAM *);
@ -43,6 +43,9 @@ extern void smtp_fputc(int, VSTREAM *);
extern void smtp_vprintf(VSTREAM *, const char *, va_list); extern void smtp_vprintf(VSTREAM *, const char *, va_list);
#define smtp_timeout_setup(stream, timeout) \
smtp_stream_setup((stream), (timeout), 0)
#define SMTP_GET_FLAG_NONE 0 #define SMTP_GET_FLAG_NONE 0
#define SMTP_GET_FLAG_SKIP (1<<0) /* skip over excess input */ #define SMTP_GET_FLAG_SKIP (1<<0) /* skip over excess input */

View File

@ -68,7 +68,8 @@
/* Support for AUTH may be added in the future. /* Support for AUTH may be added in the future.
/* In the mean time, if you need to make these services available /* In the mean time, if you need to make these services available
/* on port 25, then do not enable the optional "after 220 /* on port 25, then do not enable the optional "after 220
/* server greeting" tests. /* server greeting" tests, and do not use DNSBLs that reject
/* traffic from dial-up and residential networks.
/* /*
/* The optional "after 220 server greeting" tests involve /* The optional "after 220 server greeting" tests involve
/* \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When /* \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When

View File

@ -175,8 +175,8 @@ void psc_parse_tests(PSC_STATE *state,
/* /*
* Parse the cache entry, and allow for older postscreen versions that * Parse the cache entry, and allow for older postscreen versions that
* implemented fewer tests. We pretend that these tests were disabled * implemented fewer tests. We pretend that the newer tests were disabled
* when the cache entry was written. * at the time that the cache entry was written.
* *
* Flag the cache entry as "new" when the cache entry has fields for all * Flag the cache entry as "new" when the cache entry has fields for all
* enabled tests, but the remote SMTP client has not yet passed all those * enabled tests, but the remote SMTP client has not yet passed all those

View File

@ -108,5 +108,6 @@
VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr, VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,
VAR_LMTP_SASL_AUTH_SOFT_BOUNCE, DEF_LMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce, VAR_LMTP_SASL_AUTH_SOFT_BOUNCE, DEF_LMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,
VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final, VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final,
VAR_LMTP_REC_DEADLINE, DEF_LMTP_REC_DEADLINE, &var_smtp_rec_deadline,
0, 0,
}; };

View File

@ -234,6 +234,13 @@
/* Available in Postfix version 2.8 and later: /* Available in Postfix version 2.8 and later:
/* .IP "\fBsmtp_dns_resolver_options (empty)\fR" /* .IP "\fBsmtp_dns_resolver_options (empty)\fR"
/* DNS Resolver options for the Postfix SMTP client. /* DNS Resolver options for the Postfix SMTP client.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtp_per_record_deadline (no)\fR"
/* Change the behavior of the smtp_*_timeout time limits, from a
/* time limit per read or write system call, to a time limit to read
/* or write a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* MIME PROCESSING CONTROLS /* MIME PROCESSING CONTROLS
/* .ad /* .ad
/* .fi /* .fi
@ -513,6 +520,13 @@
/* .IP "\fBconnection_cache_protocol_timeout (5s)\fR" /* .IP "\fBconnection_cache_protocol_timeout (5s)\fR"
/* Time limit for connection cache connect, send or receive /* Time limit for connection cache connect, send or receive
/* operations. /* operations.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtp_per_record_deadline (no)\fR"
/* Change the behavior of the smtp_*_timeout time limits, from a
/* time limit per read or write system call, to a time limit to read
/* or write a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* TROUBLE SHOOTING CONTROLS /* TROUBLE SHOOTING CONTROLS
/* .ad /* .ad
/* .fi /* .fi
@ -815,6 +829,7 @@ char *var_smtp_body_chks;
char *var_smtp_resp_filter; char *var_smtp_resp_filter;
bool var_lmtp_assume_final; bool var_lmtp_assume_final;
char *var_smtp_dns_res_opt; char *var_smtp_dns_res_opt;
bool var_smtp_rec_deadline;
/* Special handling of 535 AUTH errors. */ /* Special handling of 535 AUTH errors. */
char *var_smtp_sasl_auth_cache_name; char *var_smtp_sasl_auth_cache_name;

View File

@ -112,5 +112,6 @@
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr, VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
VAR_SMTP_SASL_AUTH_SOFT_BOUNCE, DEF_SMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce, VAR_SMTP_SASL_AUTH_SOFT_BOUNCE, DEF_SMTP_SASL_AUTH_SOFT_BOUNCE, &var_smtp_sasl_auth_soft_bounce,
VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final, VAR_LMTP_ASSUME_FINAL, DEF_LMTP_ASSUME_FINAL, &var_lmtp_assume_final,
VAR_SMTP_REC_DEADLINE, DEF_SMTP_REC_DEADLINE, &var_smtp_rec_deadline,
0, 0,
}; };

View File

@ -295,7 +295,8 @@ int smtp_helo(SMTP_STATE *state)
/* /*
* Prepare for disaster. * Prepare for disaster.
*/ */
smtp_timeout_setup(state->session->stream, var_smtp_helo_tmout); smtp_stream_setup(state->session->stream, var_smtp_helo_tmout,
var_smtp_rec_deadline);
if ((except = vstream_setjmp(state->session->stream)) != 0) if ((except = vstream_setjmp(state->session->stream)) != 0)
return (smtp_stream_except(state, except, where)); return (smtp_stream_except(state, except, where));
@ -642,7 +643,8 @@ int smtp_helo(SMTP_STATE *state)
/* /*
* Prepare for disaster. * Prepare for disaster.
*/ */
smtp_timeout_setup(state->session->stream, var_smtp_starttls_tmout); smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
var_smtp_rec_deadline);
if ((except = vstream_setjmp(state->session->stream)) != 0) if ((except = vstream_setjmp(state->session->stream)) != 0)
return (smtp_stream_except(state, except, return (smtp_stream_except(state, except,
"receiving the STARTTLS response")); "receiving the STARTTLS response"));
@ -1216,8 +1218,8 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
|| send_state > SMTP_STATE_QUIT) || send_state > SMTP_STATE_QUIT)
msg_panic("%s: bad sender state %d (receiver state %d)", msg_panic("%s: bad sender state %d (receiver state %d)",
myname, send_state, recv_state); myname, send_state, recv_state);
smtp_timeout_setup(session->stream, smtp_stream_setup(session->stream, *xfer_timeouts[send_state],
*xfer_timeouts[send_state]); var_smtp_rec_deadline);
if ((except = vstream_setjmp(session->stream)) != 0) { if ((except = vstream_setjmp(session->stream)) != 0) {
msg_warn("smtp_proto: spurious flush before read in send state %d", msg_warn("smtp_proto: spurious flush before read in send state %d",
send_state); send_state);
@ -1570,8 +1572,8 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
*/ */
#define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF)
smtp_timeout_setup(session->stream, smtp_stream_setup(session->stream, *xfer_timeouts[recv_state],
*xfer_timeouts[recv_state]); var_smtp_rec_deadline);
if (LOST_CONNECTION_INSIDE_DATA) { if (LOST_CONNECTION_INSIDE_DATA) {
if (vstream_setjmp(session->stream) != 0) if (vstream_setjmp(session->stream) != 0)
RETURN(smtp_stream_except(state, SMTP_ERR_EOF, RETURN(smtp_stream_except(state, SMTP_ERR_EOF,
@ -1879,8 +1881,8 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
*/ */
if (send_state == SMTP_STATE_DOT && nrcpt > 0) { if (send_state == SMTP_STATE_DOT && nrcpt > 0) {
smtp_timeout_setup(session->stream, smtp_stream_setup(session->stream, var_smtp_data1_tmout,
var_smtp_data1_tmout); var_smtp_rec_deadline);
if ((except = vstream_setjmp(session->stream)) == 0) { if ((except = vstream_setjmp(session->stream)) == 0) {

View File

@ -127,6 +127,13 @@
/* Available in Postfix version 2.7 and later: /* Available in Postfix version 2.7 and later:
/* .IP "\fBsmtpd_command_filter (empty)\fR" /* .IP "\fBsmtpd_command_filter (empty)\fR"
/* A mechanism to transform commands from remote SMTP clients. /* A mechanism to transform commands from remote SMTP clients.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
/* Change the behavior of the smtpd_timeout time limit, from a
/* time limit per read or write system call, to a time limit to read
/* or write a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* ADDRESS REWRITING CONTROLS /* ADDRESS REWRITING CONTROLS
/* .ad /* .ad
/* .fi /* .fi
@ -631,6 +638,13 @@
/* The maximal number of new (i.e., uncached) TLS sessions that a /* The maximal number of new (i.e., uncached) TLS sessions that a
/* remote SMTP client is allowed to negotiate with this service per /* remote SMTP client is allowed to negotiate with this service per
/* time unit. /* time unit.
/* .PP
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
/* Change the behavior of the smtpd_timeout time limit, from a
/* time limit per read or write system call, to a time limit to read
/* or write a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* TARPIT CONTROLS /* TARPIT CONTROLS
/* .ad /* .ad
/* .fi /* .fi
@ -1248,6 +1262,7 @@ char *var_unk_name_tf_act;
char *var_unk_addr_tf_act; char *var_unk_addr_tf_act;
char *var_unv_rcpt_tf_act; char *var_unv_rcpt_tf_act;
char *var_unv_from_tf_act; char *var_unv_from_tf_act;
bool var_smtpd_rec_deadline;
int smtpd_proxy_opts; int smtpd_proxy_opts;
@ -4338,7 +4353,7 @@ static void smtpd_proto(SMTPD_STATE *state)
* cleans up, but no attempt is made to inform the client of the nature * cleans up, but no attempt is made to inform the client of the nature
* of the problem. * of the problem.
*/ */
smtp_timeout_setup(state->client, var_smtpd_tmout); smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_rec_deadline);
while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE) while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE)
/* void */ ; /* void */ ;
@ -5165,6 +5180,10 @@ int main(int argc, char **argv)
VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
0, 0,
}; };
static const CONFIG_NBOOL_TABLE nbool_table[] = {
VAR_SMTPD_REC_DEADLINE, DEF_SMTPD_REC_DEADLINE, &var_smtpd_rec_deadline,
0,
};
static const CONFIG_STR_TABLE str_table[] = { static const CONFIG_STR_TABLE str_table[] = {
VAR_SMTPD_BANNER, DEF_SMTPD_BANNER, &var_smtpd_banner, 1, 0, VAR_SMTPD_BANNER, DEF_SMTPD_BANNER, &var_smtpd_banner, 1, 0,
VAR_NOTIFY_CLASSES, DEF_NOTIFY_CLASSES, &var_notify_classes, 0, 0, VAR_NOTIFY_CLASSES, DEF_NOTIFY_CLASSES, &var_notify_classes, 0, 0,
@ -5281,6 +5300,7 @@ int main(int argc, char **argv)
MAIL_SERVER_STR_TABLE, str_table, MAIL_SERVER_STR_TABLE, str_table,
MAIL_SERVER_RAW_TABLE, raw_table, MAIL_SERVER_RAW_TABLE, raw_table,
MAIL_SERVER_BOOL_TABLE, bool_table, MAIL_SERVER_BOOL_TABLE, bool_table,
MAIL_SERVER_NBOOL_TABLE, nbool_table,
MAIL_SERVER_TIME_TABLE, time_table, MAIL_SERVER_TIME_TABLE, time_table,
MAIL_SERVER_PRE_INIT, pre_jail_init, MAIL_SERVER_PRE_INIT, pre_jail_init,
MAIL_SERVER_PRE_ACCEPT, pre_accept, MAIL_SERVER_PRE_ACCEPT, pre_accept,

View File

@ -103,6 +103,19 @@
/* System library. */ /* System library. */
#include <sys_defs.h> #include <sys_defs.h>
#include <sys/time.h>
#ifndef timersub
/* res = a - b */
#define timersub(a, b, res) do { \
(res)->tv_sec = (a)->tv_sec - (b)->tv_sec; \
(res)->tv_usec = (a)->tv_usec - (b)->tv_usec; \
if ((res)->tv_usec < 0) { \
(res)->tv_sec--; \
(res)->tv_usec += 1000000; \
} \
} while (0)
#endif
#ifdef USE_TLS #ifdef USE_TLS
@ -129,6 +142,24 @@ int tls_bio(int fd, int timeout, TLS_SESS_STATE *TLScontext,
int err; int err;
int retval = 0; int retval = 0;
int done; int done;
int enable_deadline;
struct timeval time_limit; /* initial time limit */
struct timeval time_left; /* amount of time left */
struct timeval time_entry; /* time of tls_bio() entry */
struct timeval time_now; /* time after SSL_mumble() call */
struct timeval time_elapsed; /* total elapsed time */
/*
* Deadline management is simpler than with VSTREAMs, because we don't
* need to decrement a per-stream time limit. We just work within the
* budget that is available for this tls_bio() call.
*/
enable_deadline = vstream_fstat(TLScontext->stream, VSTREAM_FLAG_DEADLINE);
if (enable_deadline) {
time_limit.tv_sec = timeout;
time_limit.tv_usec = 0;
GETTIMEOFDAY(&time_entry);
}
/* /*
* If necessary, retry the SSL handshake or read/write operation after * If necessary, retry the SSL handshake or read/write operation after
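Review bot: time_limit and time_entry are assigned only inside the if (enable_deadline) block and read later only under the same condition, which is correct but is the pattern that makes some compilers emit maybe-uninitialized warnings for the later timersub() uses; zero-initializing the struct timeval variables at declaration (or hoisting the GETTIMEOFDAY() out of the conditional) would keep the build warning-free without changing behaviour.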
@ -194,12 +225,24 @@ int tls_bio(int fd, int timeout, TLS_SESS_STATE *TLScontext,
done = 1; done = 1;
break; break;
case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_WRITE:
if (write_wait(fd, timeout) < 0)
return (-1); /* timeout error */
break;
case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_READ:
if (read_wait(fd, timeout) < 0) if (enable_deadline) {
return (-1); /* timeout error */ GETTIMEOFDAY(&time_now);
timersub(&time_now, &time_entry, &time_elapsed);
timersub(&time_limit, &time_elapsed, &time_left);
timeout = time_left.tv_sec + (time_left.tv_usec > 0);
if (timeout <= 0) {
errno = ETIMEDOUT;
return (-1);
}
}
if (err == SSL_ERROR_WANT_WRITE) {
if (write_wait(fd, timeout) < 0)
return (-1); /* timeout error */
} else {
if (read_wait(fd, timeout) < 0)
return (-1); /* timeout error */
}
break; break;
/* /*
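Review bot: the remaining-time computation is based on GETTIMEOFDAY(), a wall-clock source, so a clock step backwards between tls_bio() entry and a later SSL_ERROR_WANT_READ/WANT_WRITE retry makes time_elapsed negative and lengthens time_left instead of shrinking it, while a step forwards cuts the budget short; if a monotonic time source is available to this code base it is the better fit for a deadline, otherwise a comment that the deadline is wall-clock based is worth adding. The rounding in `timeout = time_left.tv_sec + (time_left.tv_usec > 0);` rounds a fractional remainder up to the next whole second, which is the safe direction (the code never waits with a zero timeout while time remains), and the `timeout <= 0` check sets errno to ETIMEDOUT before returning -1, consistent with the read_wait()/write_wait() failure path; when enable_deadline is zero the original per-call timeout is left untouched, so the pre-existing behaviour is preserved.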

View File

@ -138,6 +138,10 @@
/* /*
/* int vstream_wr_timeout(stream) /* int vstream_wr_timeout(stream)
/* VSTREAM *stream; /* VSTREAM *stream;
/*
/* int vstream_fstat(stream, flags)
/* VSTREAM *stream;
/* int flags;
/* DESCRIPTION /* DESCRIPTION
/* The \fIvstream\fR module implements light-weight buffered I/O /* The \fIvstream\fR module implements light-weight buffered I/O
/* similar to the standard I/O routines. /* similar to the standard I/O routines.
@ -298,7 +302,7 @@
/* .IP "VSTREAM_CTL_TIMEOUT (int) /* .IP "VSTREAM_CTL_TIMEOUT (int)
/* The deadline for a descriptor to become readable in case of a read /* The deadline for a descriptor to become readable in case of a read
/* request, or writable in case of a write request. Specify a value /* request, or writable in case of a write request. Specify a value
/* <= 0 to disable deadlines. /* of 0 to disable deadlines.
/* .IP "VSTREAM_CTL_EXCEPT (no value)" /* .IP "VSTREAM_CTL_EXCEPT (no value)"
/* Enable exception handling with vstream_setjmp() and vstream_longjmp(). /* Enable exception handling with vstream_setjmp() and vstream_longjmp().
/* This involves allocation of additional memory that normally isn't /* This involves allocation of additional memory that normally isn't
@ -319,12 +323,14 @@
/* int. Use an explicit cast to avoid problems on LP64 /* int. Use an explicit cast to avoid problems on LP64
/* environments and other environments where ssize_t is larger /* environments and other environments where ssize_t is larger
/* than int. /* than int.
/* .IP "VSTREAM_CTL_TIME_LIMIT (int)" /* .IP VSTREAM_CTL_START_DEADLINE
/* Specify an upper bound on the total time to complete all /* Change the VSTREAM_CTL_TIMEOUT behavior, to limit the total
/* subsequent read or write operations. This is different from /* time for all subsequent file descriptor read or write
/* VSTREAM_CTL_TIMEOUT, which specifies a deadline for each /* operations, and recharge the deadline timer.
/* read or write operation. Specify a relative time in seconds, /* .IP VSTREAM_CTL_STOP_DEADLINE
/* or zero to disable this feature. /* Revert VSTREAM_CTL_TIMEOUT behavior to the default, i.e.
/* a time limit for individual file descriptor read or write
/* operations.
/* .PP /* .PP
/* vstream_fileno() gives access to the file handle associated with /* vstream_fileno() gives access to the file handle associated with
/* a buffered stream. With streams that have separate read/write /* a buffered stream. With streams that have separate read/write
@ -402,6 +408,15 @@
/* /*
/* vstream_rd_mumble() and vstream_wr_mumble() report on /* vstream_rd_mumble() and vstream_wr_mumble() report on
/* read and write error conditions, respectively. /* read and write error conditions, respectively.
/*
/* vstream_fstat() queries stream status information about
/* user-requested features. The \fIflags\fR argument is the
/* bitwise OR of one or more of the following, and the result
/* value is the bitwise OR of the features that are activated.
/* .IP VSTREAM_FLAG_DEADLINE
/* The deadline feature is activated.
/* .IP VSTREAM_FLAG_DOUBLE
/* The double-buffering feature is activated.
/* DIAGNOSTICS /* DIAGNOSTICS
/* Panics: interface violations. Fatal errors: out of memory. /* Panics: interface violations. Fatal errors: out of memory.
/* SEE ALSO /* SEE ALSO
@ -1314,7 +1329,6 @@ void vstream_control(VSTREAM *stream, int name,...)
int old_fd; int old_fd;
ssize_t req_bufsize = 0; ssize_t req_bufsize = 0;
VSTREAM *stream2; VSTREAM *stream2;
int time_limit;
#define SWAP(type,a,b) do { type temp = (a); (a) = (b); (b) = (temp); } while (0) #define SWAP(type,a,b) do { type temp = (a); (a) = (b); (b) = (temp); } while (0)
@ -1377,6 +1391,8 @@ void vstream_control(VSTREAM *stream, int name,...)
if (stream->timeout == 0) if (stream->timeout == 0)
GETTIMEOFDAY(&stream->iotime); GETTIMEOFDAY(&stream->iotime);
stream->timeout = va_arg(ap, int); stream->timeout = va_arg(ap, int);
if (stream->timeout < 0)
msg_panic("%s: bad timeout %d", myname, stream->timeout);
break; break;
case VSTREAM_CTL_EXCEPT: case VSTREAM_CTL_EXCEPT:
if (stream->jbuf == 0) if (stream->jbuf == 0)
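Review bot: VSTREAM_CTL_TIMEOUT now panics on a negative value, which turns the previously documented "<= 0 disables deadlines" contract into an interface violation for any caller still passing -1; the DESCRIPTION text in this file is updated to "0 to disable", but the change is worth a note in the commit history so that out-of-tree callers of vstream_control() are audited for negative timeouts.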
@ -1428,17 +1444,15 @@ void vstream_control(VSTREAM *stream, int name,...)
* that we need to do I/O. This avoids a performance hit when * that we need to do I/O. This avoids a performance hit when
* sending or receiving body content one line at a time. * sending or receiving body content one line at a time.
*/ */
case VSTREAM_CTL_TIME_LIMIT: case VSTREAM_CTL_STOP_DEADLINE:
time_limit = va_arg(ap, int); stream->buf.flags &= ~VSTREAM_FLAG_DEADLINE;
if (time_limit < 0) { break;
msg_panic("%s: bad time limit: %d", myname, time_limit); case VSTREAM_CTL_START_DEADLINE:
} else if (time_limit == 0) { if (stream->timeout <= 0)
stream->buf.flags &= ~VSTREAM_FLAG_DEADLINE; msg_panic("%s: bad timeout %d", myname, stream->timeout);
} else { stream->buf.flags |= VSTREAM_FLAG_DEADLINE;
stream->buf.flags |= VSTREAM_FLAG_DEADLINE; stream->time_limit.tv_sec = stream->timeout;
stream->time_limit.tv_sec = time_limit; stream->time_limit.tv_usec = 0;
stream->time_limit.tv_usec = 0;
}
break; break;
default: default:
msg_panic("%s: bad name %d", myname, name); msg_panic("%s: bad name %d", myname, name);
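Review bot: VSTREAM_CTL_START_DEADLINE panics when stream->timeout <= 0, so a caller must issue VSTREAM_CTL_TIMEOUT before it (or earlier in the same vstream_control() argument list); the VSTREAM_CTL_START_DEADLINE description added to this file does not mention that ordering, nor that the removed VSTREAM_CTL_TIME_LIMIT accepted 0 to disable the feature while the replacement treats a zero timeout as an error and expects VSTREAM_CTL_STOP_DEADLINE instead. Add both points to the documentation. VSTREAM_CTL_STOP_DEADLINE leaves stream->time_limit untouched, which is harmless because VSTREAM_FLAG_DEADLINE is cleared and the next START recharges it from stream->timeout.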

View File

@ -126,6 +126,8 @@ extern int vstream_fdclose(VSTREAM *);
#define vstream_ftime(vp) ((time_t) ((vp)->iotime.tv_sec)) #define vstream_ftime(vp) ((time_t) ((vp)->iotime.tv_sec))
#define vstream_ftimeval(vp) ((vp)->iotime) #define vstream_ftimeval(vp) ((vp)->iotime)
#define vstream_fstat(vp, fl) ((vp)->buf.flags & (fl))
extern void vstream_control(VSTREAM *, int,...); extern void vstream_control(VSTREAM *, int,...);
#define VSTREAM_CTL_END 0 #define VSTREAM_CTL_END 0
@ -144,7 +146,8 @@ extern void vstream_control(VSTREAM *, int,...);
#endif #endif
#define VSTREAM_CTL_BUFSIZE 12 #define VSTREAM_CTL_BUFSIZE 12
#define VSTREAM_CTL_SWAP_FD 13 #define VSTREAM_CTL_SWAP_FD 13
#define VSTREAM_CTL_TIME_LIMIT 14 #define VSTREAM_CTL_START_DEADLINE 14
#define VSTREAM_CTL_STOP_DEADLINE 15
extern VSTREAM *PRINTFLIKE(1, 2) vstream_printf(const char *,...); extern VSTREAM *PRINTFLIKE(1, 2) vstream_printf(const char *,...);
extern VSTREAM *PRINTFLIKE(2, 3) vstream_fprintf(VSTREAM *, const char *,...); extern VSTREAM *PRINTFLIKE(2, 3) vstream_fprintf(VSTREAM *, const char *,...);