Become your own Certificate Authority, so that you can
-sign your own public keys. This example uses the CA.pl script that
-ships with OpenSSL. On some systems, OpenSSL installs this as
-/usr/local/ssl/misc/CA.pl. Some systems install this as
+sign your own certificates, and so that your own systems can
+authenticate certificates from your own CA. This example uses the
+CA.pl script that ships with OpenSSL. On some systems, OpenSSL
+installs this as /usr/local/openssl/misc/CA.pl. Some systems
+install this as
part of a package named openssl-perl or something similar.
The script creates a private key in ./demoCA/private/cakey.pem
and a public key in ./demoCA/cacert.pem.
@@ -2663,7 +2697,7 @@ an unsigned public key certificate.
-% openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365
+% openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
........................................++++++
@@ -2698,7 +2732,7 @@ steps ago.
-% openssl ca -out foo-cert.pem -infiles foo-req.pem
+% openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:whatever
Check that the request matches the signature
@@ -2724,6 +2758,10 @@ Data Base Updated
and the Certification Authority certificate files. This requires
super-user privileges.
+ The following commands assume that the key and certificate will
+be installed for the local Postfix MTA. You will need to adjust the
+commands if the Postfix MTA is on a different host.
+
# cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix
diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index 1816f341c..7ab1a945d 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -219,42 +219,43 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2.9 and later:
smtp_cname_overrides_servername (version dependent)
- Allow DNS CNAME records to override the servername that the
- Postfix SMTP client uses for logging, SASL password lookup, TLS
- policy decisions, or TLS certificate verification.
+ When the remote SMTP servername is a DNS CNAME, replace the
+ servername with the result from CNAME expansion for the purpose
+ of logging, SASL password lookup, TLS policy decisions, or TLS
+ certificate verification.
Available in Postfix version 2.3 and later:
lmtp_discard_lhlo_keyword_address_maps (empty)
- Lookup tables, indexed by the remote LMTP server address, with
- case insensitive lists of LHLO keywords (pipelining, starttls,
+ Lookup tables, indexed by the remote LMTP server address, with
+ case insensitive lists of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server.
lmtp_discard_lhlo_keywords (empty)
- A case insensitive list of LHLO keywords (pipelining, starttls,
+ A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server.
Available in Postfix version 2.4.4 and later:
send_cyrus_sasl_authzid (no)
- When authenticating to a remote SMTP or LMTP server with the
- default setting "no", send no SASL authoriZation ID (authzid);
- send only the SASL authentiCation ID (authcid) plus the auth-
+ When authenticating to a remote SMTP or LMTP server with the
+ default setting "no", send no SASL authoriZation ID (authzid);
+ send only the SASL authentiCation ID (authcid) plus the auth-
cid's password.
Available in Postfix version 2.5 and later:
smtp_header_checks (empty)
- Restricted header_checks(5) tables for the Postfix SMTP client.
+ Restricted header_checks(5) tables for the Postfix SMTP client.
smtp_mime_header_checks (empty)
- Restricted mime_header_checks(5) tables for the Postfix SMTP
+ Restricted mime_header_checks(5) tables for the Postfix SMTP
client.
smtp_nested_header_checks (empty)
- Restricted nested_header_checks(5) tables for the Postfix SMTP
+ Restricted nested_header_checks(5) tables for the Postfix SMTP
client.
smtp_body_checks (empty)
@@ -263,7 +264,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.6 and later:
tcp_windowsize (0)
- An optional workaround for routers that break TCP window scal-
+ An optional workaround for routers that break TCP window scal-
ing.
Available in Postfix version 2.8 and later:
@@ -274,14 +275,14 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
smtp_send_dummy_mail_auth (no)
- Whether or not to append the "AUTH=<>" option to the MAIL FROM
+ Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
Available in Postfix version 2.11 and later:
@@ -305,7 +306,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
smtp_send_xforward_command (no)
- Send the non-standard XFORWARD command when the Postfix SMTP
+ Send the non-standard XFORWARD command when the Postfix SMTP
server EHLO response announces XFORWARD support.
SASL AUTHENTICATION CONTROLS
@@ -313,62 +314,62 @@ SMTP(8) SMTP(8)
Enable SASL authentication in the Postfix SMTP client.
smtp_sasl_password_maps (empty)
- Optional Postfix SMTP client lookup tables with one user-
- name:password entry per remote hostname or domain, or sender
+ Optional Postfix SMTP client lookup tables with one user-
+ name:password entry per remote hostname or domain, or sender
address when sender-dependent authentication is enabled.
smtp_sasl_security_options (noplaintext, noanonymous)
Postfix SMTP client SASL security options; as of Postfix 2.3 the
- list of available features depends on the SASL client implemen-
+ list of available features depends on the SASL client implemen-
tation that is selected with smtp_sasl_type.
Available in Postfix version 2.2 and later:
smtp_sasl_mechanism_filter (empty)
- If non-empty, a Postfix SMTP client filter for the remote SMTP
+ If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms.
Available in Postfix version 2.3 and later:
smtp_sender_dependent_authentication (no)
Enable sender-dependent authentication in the Postfix SMTP
- client; this is available only with SASL authentication, and
- disables SMTP connection caching to ensure that mail from dif-
+ client; this is available only with SASL authentication, and
+ disables SMTP connection caching to ensure that mail from dif-
ferent senders will use the appropriate credentials.
smtp_sasl_path (empty)
Implementation-specific information that the Postfix SMTP client
- passes through to the SASL plug-in implementation that is
+ passes through to the SASL plug-in implementation that is
selected with smtp_sasl_type.
smtp_sasl_type (cyrus)
- The SASL plug-in type that the Postfix SMTP client should use
+ The SASL plug-in type that the Postfix SMTP client should use
for authentication.
Available in Postfix version 2.5 and later:
smtp_sasl_auth_cache_name (empty)
- An optional table to prevent repeated SASL authentication fail-
- ures with the same remote SMTP server hostname, username and
+ An optional table to prevent repeated SASL authentication fail-
+ ures with the same remote SMTP server hostname, username and
password.
smtp_sasl_auth_cache_time (90d)
- The maximal age of an smtp_sasl_auth_cache_name entry before it
+ The maximal age of an smtp_sasl_auth_cache_name entry before it
is removed.
smtp_sasl_auth_soft_bounce (yes)
- When a remote SMTP server rejects a SASL authentication request
- with a 535 reply code, defer mail delivery instead of returning
+ When a remote SMTP server rejects a SASL authentication request
+ with a 535 reply code, defer mail delivery instead of returning
mail as undeliverable.
Available in Postfix version 2.9 and later:
smtp_send_dummy_mail_auth (no)
- Whether or not to append the "AUTH=<>" option to the MAIL FROM
+ Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
STARTTLS SUPPORT CONTROLS
- Detailed information about STARTTLS configuration may be found in the
+ Detailed information about STARTTLS configuration may be found in the
TLS_README document.
smtp_tls_security_level (empty)
@@ -378,20 +379,20 @@ SMTP(8) SMTP(8)
smtp_tls_enforce_peername.
smtp_sasl_tls_security_options ($smtp_sasl_security_options)
- The SASL authentication security options that the Postfix SMTP
+ The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.
smtp_starttls_timeout (300s)
- Time limit for Postfix SMTP client write and read operations
+ Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures.
smtp_tls_CAfile (empty)
- A file containing CA certificates of root CAs trusted to sign
- either remote SMTP server certificates or intermediate CA cer-
+ A file containing CA certificates of root CAs trusted to sign
+ either remote SMTP server certificates or intermediate CA cer-
tificates.
smtp_tls_CApath (empty)
- Directory with PEM format certificate authority certificates
+ Directory with PEM format certificate authority certificates
that the Postfix SMTP client uses to verify a remote SMTP server
certificate.
@@ -399,7 +400,7 @@ SMTP(8) SMTP(8)
File with the Postfix SMTP client RSA certificate in PEM format.
smtp_tls_mandatory_ciphers (medium)
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with mandatory TLS encryption.
smtp_tls_exclude_ciphers (empty)
@@ -407,8 +408,8 @@ SMTP(8) SMTP(8)
client cipher list at all TLS security levels.
smtp_tls_mandatory_exclude_ciphers (empty)
- Additional list of ciphers or cipher types to exclude from the
- Postfix SMTP client cipher list at mandatory TLS security lev-
+ Additional list of ciphers or cipher types to exclude from the
+ Postfix SMTP client cipher list at mandatory TLS security lev-
els.
smtp_tls_dcert_file (empty)
@@ -424,7 +425,7 @@ SMTP(8) SMTP(8)
Enable additional Postfix SMTP client logging of TLS activity.
smtp_tls_note_starttls_offer (no)
- Log the hostname of a remote SMTP server that offers STARTTLS,
+ Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server.
smtp_tls_policy_maps (empty)
@@ -433,14 +434,14 @@ SMTP(8) SMTP(8)
fied, this overrides the obsolete smtp_tls_per_site parameter.
smtp_tls_mandatory_protocols (!SSLv2)
- List of SSL/TLS protocols that the Postfix SMTP client will use
+ List of SSL/TLS protocols that the Postfix SMTP client will use
with mandatory TLS encryption.
smtp_tls_scert_verifydepth (9)
The verification depth for remote SMTP server certificates.
smtp_tls_secure_cert_match (nexthop, dot-nexthop)
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "secure" TLS security level.
smtp_tls_session_cache_database (empty)
@@ -448,16 +449,16 @@ SMTP(8) SMTP(8)
session cache.
smtp_tls_session_cache_timeout (3600s)
- The expiration time of Postfix SMTP client TLS session cache
+ The expiration time of Postfix SMTP client TLS session cache
information.
smtp_tls_verify_cert_match (hostname)
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "verify" TLS security level.
tls_daemon_random_bytes (32)
- The number of pseudo-random bytes that an smtp(8) or smtpd(8)
- process requests from the tlsmgr(8) server in order to seed its
+ The number of pseudo-random bytes that an smtp(8) or smtpd(8)
+ process requests from the tlsmgr(8) server in order to seed its
internal pseudo random number generator (PRNG).
tls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
@@ -473,52 +474,52 @@ SMTP(8) SMTP(8)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
tls_null_cipherlist (eNULL:!aNULL)
- The OpenSSL cipherlist for "NULL" grade ciphers that provide
+ The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
Available in Postfix version 2.4 and later:
smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_secu-
rity_options)
- The SASL authentication security options that the Postfix SMTP
- client uses for TLS encrypted SMTP sessions with a verified
+ The SASL authentication security options that the Postfix SMTP
+ client uses for TLS encrypted SMTP sessions with a verified
server certificate.
Available in Postfix version 2.5 and later:
smtp_tls_fingerprint_cert_match (empty)
- List of acceptable remote SMTP server certificate fingerprints
- for the "fingerprint" TLS security level (smtp_tls_secu-
+ List of acceptable remote SMTP server certificate fingerprints
+ for the "fingerprint" TLS security level (smtp_tls_secu-
rity_level = fingerprint).
smtp_tls_fingerprint_digest (md5)
- The message digest algorithm used to construct remote SMTP
+ The message digest algorithm used to construct remote SMTP
server certificate fingerprints.
Available in Postfix version 2.6 and later:
smtp_tls_protocols (!SSLv2)
- List of TLS protocols that the Postfix SMTP client will exclude
+ List of TLS protocols that the Postfix SMTP client will exclude
or include with opportunistic TLS encryption.
smtp_tls_ciphers (export)
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption.
smtp_tls_eccert_file (empty)
- File with the Postfix SMTP client ECDSA certificate in PEM for-
+ File with the Postfix SMTP client ECDSA certificate in PEM for-
mat.
smtp_tls_eckey_file ($smtp_tls_eccert_file)
- File with the Postfix SMTP client ECDSA private key in PEM for-
+ File with the Postfix SMTP client ECDSA private key in PEM for-
mat.
Available in Postfix version 2.7 and later:
smtp_tls_block_early_mail_reply (no)
- Try to detect a mail hijacking attack based on a TLS protocol
- vulnerability (CVE-2009-3555), where an attacker prepends mali-
- cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
+ Try to detect a mail hijacking attack based on a TLS protocol
+ vulnerability (CVE-2009-3555), where an attacker prepends mali-
+ cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
TLS session.
Available in Postfix version 2.8 and later:
@@ -529,11 +530,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.11 and later:
smtp_tls_trust_anchor_file (empty)
- Zero or more PEM-format files with trust-anchor certificates
+ Zero or more PEM-format files with trust-anchor certificates
and/or public keys.
smtp_tls_force_insecure_host_tlsa_lookup (no)
- Lookup the associated DANE TLSA RRset even when a hostname is
+ Lookup the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone.
tls_dane_trust_anchor_digest_enable (yes)
@@ -543,49 +544,49 @@ SMTP(8) SMTP(8)
The name of the tlsmgr(8) service entry in master.cf.
OBSOLETE STARTTLS CONTROLS
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
smtp_use_tls (no)
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
smtp_enforce_tls (no)
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
smtp_tls_enforce_peername (yes)
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
smtp_tls_per_site (empty)
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server host-
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server host-
name.
smtp_tls_cipherlist (empty)
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
RESOURCE AND RATE CONTROLS
smtp_destination_concurrency_limit ($default_destination_concur-
rency_limit)
- The maximal number of parallel deliveries to the same destina-
+ The maximal number of parallel deliveries to the same destina-
tion via the smtp message delivery transport.
smtp_destination_recipient_limit ($default_destination_recipient_limit)
- The maximal number of recipients per message for the smtp mes-
+ The maximal number of recipients per message for the smtp mes-
sage delivery transport.
smtp_connect_timeout (30s)
- The Postfix SMTP client time limit for completing a TCP connec-
+ The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
smtp_helo_timeout (300s)
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
lmtp_lhlo_timeout (300s)
@@ -597,19 +598,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
smtp_mail_timeout (300s)
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
smtp_rcpt_timeout (300s)
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
smtp_data_init_timeout (120s)
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
smtp_data_xfer_timeout (180s)
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
smtp_data_done_timeout (600s)
@@ -623,13 +624,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
smtp_mx_address_limit (5)
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
smtp_mx_session_limit (2)
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
relay host, or zero (no limit).
smtp_rset_timeout (20s)
@@ -639,17 +640,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
lmtp_cache_connection (yes)
- Keep Postfix LMTP client connections open for up to $max_idle
+ Keep Postfix LMTP client connections open for up to $max_idle
seconds.
Available in Postfix version 2.2 and later:
smtp_connection_cache_destinations (empty)
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
smtp_connection_cache_on_demand (yes)
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the active queue.
smtp_connection_reuse_time_limit (300s)
@@ -663,37 +664,37 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
connection_cache_protocol_timeout (5s)
- Time limit for connection cache connect, send or receive opera-
+ Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
smtp_connection_reuse_count_limit (0)
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
TROUBLE SHOOTING CONTROLS
debug_peer_level (2)
- The increment in verbose logging level when a remote client or
+ The increment in verbose logging level when a remote client or
server matches a pattern in the debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of remote client or server hostname or network
+ Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to
increase by the amount specified in $debug_peer_level.
error_notice_recipient (postmaster)
- The recipient of postmaster notifications about mail delivery
+ The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
@@ -707,46 +708,46 @@ SMTP(8) SMTP(8)
MISCELLANEOUS CONTROLS
best_mx_transport (empty)
- Where the Postfix SMTP client should deliver mail when it
+ Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf con-
+ The default location of the Postfix main.cf and master.cf con-
figuration files.
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when log-
+ The maximal number of digits after the decimal point when log-
ging sub-second delay values.
disable_dns_lookups (no)
Disable DNS lookups in the Postfix SMTP and LMTP clients.
inet_interfaces (all)
- The network interface addresses that this mail system receives
+ The network interface addresses that this mail system receives
mail on.
inet_protocols (all)
- The Internet protocols Postfix will attempt to use when making
+ The Internet protocols Postfix will attempt to use when making
or accepting connections.
ipc_timeout (3600s)
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
lmtp_assume_final (no)
- When a remote LMTP server announces no DSN support, assume that
- the server performs final delivery, and send "delivered" deliv-
+ When a remote LMTP server announces no DSN support, assume that
+ the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
lmtp_tcp_port (24)
The default TCP port that the Postfix LMTP client connects to.
max_idle (100s)
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
max_use (100)
@@ -760,20 +761,20 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
proxy_interfaces (empty)
- The network interface addresses that this mail system receives
+ The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit.
smtp_address_preference (any)
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
- client will try first, when a destination has IPv6 and IPv4
+ client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
smtp_bind_address (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
smtp_bind_address6 (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
smtp_helo_name ($myhostname)
@@ -793,8 +794,8 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "post-
+ The mail system name that is prepended to the process name in
+ syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd".
Available with Postfix 2.2 and earlier:
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html
index 1816f341c..7ab1a945d 100644
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@@ -219,42 +219,43 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2.9 and later:
smtp_cname_overrides_servername (version dependent)
- Allow DNS CNAME records to override the servername that the
- Postfix SMTP client uses for logging, SASL password lookup, TLS
- policy decisions, or TLS certificate verification.
+ When the remote SMTP servername is a DNS CNAME, replace the
+ servername with the result from CNAME expansion for the purpose
+ of logging, SASL password lookup, TLS policy decisions, or TLS
+ certificate verification.
Available in Postfix version 2.3 and later:
lmtp_discard_lhlo_keyword_address_maps (empty)
- Lookup tables, indexed by the remote LMTP server address, with
- case insensitive lists of LHLO keywords (pipelining, starttls,
+ Lookup tables, indexed by the remote LMTP server address, with
+ case insensitive lists of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server.
lmtp_discard_lhlo_keywords (empty)
- A case insensitive list of LHLO keywords (pipelining, starttls,
+ A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server.
Available in Postfix version 2.4.4 and later:
send_cyrus_sasl_authzid (no)
- When authenticating to a remote SMTP or LMTP server with the
- default setting "no", send no SASL authoriZation ID (authzid);
- send only the SASL authentiCation ID (authcid) plus the auth-
+ When authenticating to a remote SMTP or LMTP server with the
+ default setting "no", send no SASL authoriZation ID (authzid);
+ send only the SASL authentiCation ID (authcid) plus the auth-
cid's password.
Available in Postfix version 2.5 and later:
smtp_header_checks (empty)
- Restricted header_checks(5) tables for the Postfix SMTP client.
+ Restricted header_checks(5) tables for the Postfix SMTP client.
smtp_mime_header_checks (empty)
- Restricted mime_header_checks(5) tables for the Postfix SMTP
+ Restricted mime_header_checks(5) tables for the Postfix SMTP
client.
smtp_nested_header_checks (empty)
- Restricted nested_header_checks(5) tables for the Postfix SMTP
+ Restricted nested_header_checks(5) tables for the Postfix SMTP
client.
smtp_body_checks (empty)
@@ -263,7 +264,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.6 and later:
tcp_windowsize (0)
- An optional workaround for routers that break TCP window scal-
+ An optional workaround for routers that break TCP window scal-
ing.
Available in Postfix version 2.8 and later:
@@ -274,14 +275,14 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
smtp_send_dummy_mail_auth (no)
- Whether or not to append the "AUTH=<>" option to the MAIL FROM
+ Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
Available in Postfix version 2.11 and later:
@@ -305,7 +306,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
smtp_send_xforward_command (no)
- Send the non-standard XFORWARD command when the Postfix SMTP
+ Send the non-standard XFORWARD command when the Postfix SMTP
server EHLO response announces XFORWARD support.
SASL AUTHENTICATION CONTROLS
@@ -313,62 +314,62 @@ SMTP(8) SMTP(8)
Enable SASL authentication in the Postfix SMTP client.
smtp_sasl_password_maps (empty)
- Optional Postfix SMTP client lookup tables with one user-
- name:password entry per remote hostname or domain, or sender
+ Optional Postfix SMTP client lookup tables with one user-
+ name:password entry per remote hostname or domain, or sender
address when sender-dependent authentication is enabled.
smtp_sasl_security_options (noplaintext, noanonymous)
Postfix SMTP client SASL security options; as of Postfix 2.3 the
- list of available features depends on the SASL client implemen-
+ list of available features depends on the SASL client implemen-
tation that is selected with smtp_sasl_type.
Available in Postfix version 2.2 and later:
smtp_sasl_mechanism_filter (empty)
- If non-empty, a Postfix SMTP client filter for the remote SMTP
+ If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms.
Available in Postfix version 2.3 and later:
smtp_sender_dependent_authentication (no)
Enable sender-dependent authentication in the Postfix SMTP
- client; this is available only with SASL authentication, and
- disables SMTP connection caching to ensure that mail from dif-
+ client; this is available only with SASL authentication, and
+ disables SMTP connection caching to ensure that mail from dif-
ferent senders will use the appropriate credentials.
smtp_sasl_path (empty)
Implementation-specific information that the Postfix SMTP client
- passes through to the SASL plug-in implementation that is
+ passes through to the SASL plug-in implementation that is
selected with smtp_sasl_type.
smtp_sasl_type (cyrus)
- The SASL plug-in type that the Postfix SMTP client should use
+ The SASL plug-in type that the Postfix SMTP client should use
for authentication.
Available in Postfix version 2.5 and later:
smtp_sasl_auth_cache_name (empty)
- An optional table to prevent repeated SASL authentication fail-
- ures with the same remote SMTP server hostname, username and
+ An optional table to prevent repeated SASL authentication fail-
+ ures with the same remote SMTP server hostname, username and
password.
smtp_sasl_auth_cache_time (90d)
- The maximal age of an smtp_sasl_auth_cache_name entry before it
+ The maximal age of an smtp_sasl_auth_cache_name entry before it
is removed.
smtp_sasl_auth_soft_bounce (yes)
- When a remote SMTP server rejects a SASL authentication request
- with a 535 reply code, defer mail delivery instead of returning
+ When a remote SMTP server rejects a SASL authentication request
+ with a 535 reply code, defer mail delivery instead of returning
mail as undeliverable.
Available in Postfix version 2.9 and later:
smtp_send_dummy_mail_auth (no)
- Whether or not to append the "AUTH=<>" option to the MAIL FROM
+ Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
STARTTLS SUPPORT CONTROLS
- Detailed information about STARTTLS configuration may be found in the
+ Detailed information about STARTTLS configuration may be found in the
TLS_README document.
smtp_tls_security_level (empty)
@@ -378,20 +379,20 @@ SMTP(8) SMTP(8)
smtp_tls_enforce_peername.
smtp_sasl_tls_security_options ($smtp_sasl_security_options)
- The SASL authentication security options that the Postfix SMTP
+ The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.
smtp_starttls_timeout (300s)
- Time limit for Postfix SMTP client write and read operations
+ Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures.
smtp_tls_CAfile (empty)
- A file containing CA certificates of root CAs trusted to sign
- either remote SMTP server certificates or intermediate CA cer-
+ A file containing CA certificates of root CAs trusted to sign
+ either remote SMTP server certificates or intermediate CA cer-
tificates.
smtp_tls_CApath (empty)
- Directory with PEM format certificate authority certificates
+ Directory with PEM format certificate authority certificates
that the Postfix SMTP client uses to verify a remote SMTP server
certificate.
@@ -399,7 +400,7 @@ SMTP(8) SMTP(8)
File with the Postfix SMTP client RSA certificate in PEM format.
smtp_tls_mandatory_ciphers (medium)
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with mandatory TLS encryption.
smtp_tls_exclude_ciphers (empty)
@@ -407,8 +408,8 @@ SMTP(8) SMTP(8)
client cipher list at all TLS security levels.
smtp_tls_mandatory_exclude_ciphers (empty)
- Additional list of ciphers or cipher types to exclude from the
- Postfix SMTP client cipher list at mandatory TLS security lev-
+ Additional list of ciphers or cipher types to exclude from the
+ Postfix SMTP client cipher list at mandatory TLS security lev-
els.
smtp_tls_dcert_file (empty)
@@ -424,7 +425,7 @@ SMTP(8) SMTP(8)
Enable additional Postfix SMTP client logging of TLS activity.
smtp_tls_note_starttls_offer (no)
- Log the hostname of a remote SMTP server that offers STARTTLS,
+ Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server.
smtp_tls_policy_maps (empty)
@@ -433,14 +434,14 @@ SMTP(8) SMTP(8)
fied, this overrides the obsolete smtp_tls_per_site parameter.
smtp_tls_mandatory_protocols (!SSLv2)
- List of SSL/TLS protocols that the Postfix SMTP client will use
+ List of SSL/TLS protocols that the Postfix SMTP client will use
with mandatory TLS encryption.
smtp_tls_scert_verifydepth (9)
The verification depth for remote SMTP server certificates.
smtp_tls_secure_cert_match (nexthop, dot-nexthop)
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "secure" TLS security level.
smtp_tls_session_cache_database (empty)
@@ -448,16 +449,16 @@ SMTP(8) SMTP(8)
session cache.
smtp_tls_session_cache_timeout (3600s)
- The expiration time of Postfix SMTP client TLS session cache
+ The expiration time of Postfix SMTP client TLS session cache
information.
smtp_tls_verify_cert_match (hostname)
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "verify" TLS security level.
tls_daemon_random_bytes (32)
- The number of pseudo-random bytes that an smtp(8) or smtpd(8)
- process requests from the tlsmgr(8) server in order to seed its
+ The number of pseudo-random bytes that an smtp(8) or smtpd(8)
+ process requests from the tlsmgr(8) server in order to seed its
internal pseudo random number generator (PRNG).
tls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
@@ -473,52 +474,52 @@ SMTP(8) SMTP(8)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
tls_null_cipherlist (eNULL:!aNULL)
- The OpenSSL cipherlist for "NULL" grade ciphers that provide
+ The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
Available in Postfix version 2.4 and later:
smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_secu-
rity_options)
- The SASL authentication security options that the Postfix SMTP
- client uses for TLS encrypted SMTP sessions with a verified
+ The SASL authentication security options that the Postfix SMTP
+ client uses for TLS encrypted SMTP sessions with a verified
server certificate.
Available in Postfix version 2.5 and later:
smtp_tls_fingerprint_cert_match (empty)
- List of acceptable remote SMTP server certificate fingerprints
- for the "fingerprint" TLS security level (smtp_tls_secu-
+ List of acceptable remote SMTP server certificate fingerprints
+ for the "fingerprint" TLS security level (smtp_tls_secu-
rity_level = fingerprint).
smtp_tls_fingerprint_digest (md5)
- The message digest algorithm used to construct remote SMTP
+ The message digest algorithm used to construct remote SMTP
server certificate fingerprints.
Available in Postfix version 2.6 and later:
smtp_tls_protocols (!SSLv2)
- List of TLS protocols that the Postfix SMTP client will exclude
+ List of TLS protocols that the Postfix SMTP client will exclude
or include with opportunistic TLS encryption.
smtp_tls_ciphers (export)
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption.
smtp_tls_eccert_file (empty)
- File with the Postfix SMTP client ECDSA certificate in PEM for-
+ File with the Postfix SMTP client ECDSA certificate in PEM for-
mat.
smtp_tls_eckey_file ($smtp_tls_eccert_file)
- File with the Postfix SMTP client ECDSA private key in PEM for-
+ File with the Postfix SMTP client ECDSA private key in PEM for-
mat.
Available in Postfix version 2.7 and later:
smtp_tls_block_early_mail_reply (no)
- Try to detect a mail hijacking attack based on a TLS protocol
- vulnerability (CVE-2009-3555), where an attacker prepends mali-
- cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
+ Try to detect a mail hijacking attack based on a TLS protocol
+ vulnerability (CVE-2009-3555), where an attacker prepends mali-
+ cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
TLS session.
Available in Postfix version 2.8 and later:
@@ -529,11 +530,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.11 and later:
smtp_tls_trust_anchor_file (empty)
- Zero or more PEM-format files with trust-anchor certificates
+ Zero or more PEM-format files with trust-anchor certificates
and/or public keys.
smtp_tls_force_insecure_host_tlsa_lookup (no)
- Lookup the associated DANE TLSA RRset even when a hostname is
+ Lookup the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone.
tls_dane_trust_anchor_digest_enable (yes)
@@ -543,49 +544,49 @@ SMTP(8) SMTP(8)
The name of the tlsmgr(8) service entry in master.cf.
OBSOLETE STARTTLS CONTROLS
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
smtp_use_tls (no)
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
smtp_enforce_tls (no)
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
smtp_tls_enforce_peername (yes)
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
smtp_tls_per_site (empty)
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server host-
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server host-
name.
smtp_tls_cipherlist (empty)
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
RESOURCE AND RATE CONTROLS
smtp_destination_concurrency_limit ($default_destination_concur-
rency_limit)
- The maximal number of parallel deliveries to the same destina-
+ The maximal number of parallel deliveries to the same destina-
tion via the smtp message delivery transport.
smtp_destination_recipient_limit ($default_destination_recipient_limit)
- The maximal number of recipients per message for the smtp mes-
+ The maximal number of recipients per message for the smtp mes-
sage delivery transport.
smtp_connect_timeout (30s)
- The Postfix SMTP client time limit for completing a TCP connec-
+ The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
smtp_helo_timeout (300s)
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
lmtp_lhlo_timeout (300s)
@@ -597,19 +598,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
smtp_mail_timeout (300s)
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
smtp_rcpt_timeout (300s)
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
smtp_data_init_timeout (120s)
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
smtp_data_xfer_timeout (180s)
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
smtp_data_done_timeout (600s)
@@ -623,13 +624,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
smtp_mx_address_limit (5)
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
smtp_mx_session_limit (2)
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
relay host, or zero (no limit).
smtp_rset_timeout (20s)
@@ -639,17 +640,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
lmtp_cache_connection (yes)
- Keep Postfix LMTP client connections open for up to $max_idle
+ Keep Postfix LMTP client connections open for up to $max_idle
seconds.
Available in Postfix version 2.2 and later:
smtp_connection_cache_destinations (empty)
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
smtp_connection_cache_on_demand (yes)
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the active queue.
smtp_connection_reuse_time_limit (300s)
@@ -663,37 +664,37 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
connection_cache_protocol_timeout (5s)
- Time limit for connection cache connect, send or receive opera-
+ Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
smtp_connection_reuse_count_limit (0)
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
TROUBLE SHOOTING CONTROLS
debug_peer_level (2)
- The increment in verbose logging level when a remote client or
+ The increment in verbose logging level when a remote client or
server matches a pattern in the debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of remote client or server hostname or network
+ Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to
increase by the amount specified in $debug_peer_level.
error_notice_recipient (postmaster)
- The recipient of postmaster notifications about mail delivery
+ The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
@@ -707,46 +708,46 @@ SMTP(8) SMTP(8)
MISCELLANEOUS CONTROLS
best_mx_transport (empty)
- Where the Postfix SMTP client should deliver mail when it
+ Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf con-
+ The default location of the Postfix main.cf and master.cf con-
figuration files.
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when log-
+ The maximal number of digits after the decimal point when log-
ging sub-second delay values.
disable_dns_lookups (no)
Disable DNS lookups in the Postfix SMTP and LMTP clients.
inet_interfaces (all)
- The network interface addresses that this mail system receives
+ The network interface addresses that this mail system receives
mail on.
inet_protocols (all)
- The Internet protocols Postfix will attempt to use when making
+ The Internet protocols Postfix will attempt to use when making
or accepting connections.
ipc_timeout (3600s)
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
lmtp_assume_final (no)
- When a remote LMTP server announces no DSN support, assume that
- the server performs final delivery, and send "delivered" deliv-
+ When a remote LMTP server announces no DSN support, assume that
+ the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
lmtp_tcp_port (24)
The default TCP port that the Postfix LMTP client connects to.
max_idle (100s)
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
max_use (100)
@@ -760,20 +761,20 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
proxy_interfaces (empty)
- The network interface addresses that this mail system receives
+ The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit.
smtp_address_preference (any)
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
- client will try first, when a destination has IPv6 and IPv4
+ client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
smtp_bind_address (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
smtp_bind_address6 (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
smtp_helo_name ($myhostname)
@@ -793,8 +794,8 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- The mail system name that is prepended to the process name in
- syslog records, so that "smtpd" becomes, for example, "post-
+ The mail system name that is prepended to the process name in
+ syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd".
Available with Postfix 2.2 and earlier:
diff --git a/postfix/man/man8/smtp.8 b/postfix/man/man8/smtp.8
index e25ac4a17..f29492d85 100644
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@@ -217,8 +217,9 @@ a globally valid address when sending mail across the Internet.
.PP
Available in Postfix version 2.2.9 and later:
.IP "\fBsmtp_cname_overrides_servername (version dependent)\fR"
-Allow DNS CNAME records to override the servername that the
-Postfix SMTP client uses for logging, SASL password lookup, TLS
+When the remote SMTP servername is a DNS CNAME, replace the
+servername with the result from CNAME expansion for the purpose of
+logging, SASL password lookup, TLS
policy decisions, or TLS certificate verification.
.PP
Available in Postfix version 2.3 and later:
diff --git a/postfix/proto/TLS_README.html b/postfix/proto/TLS_README.html
index 1151359f8..55d6c8718 100644
--- a/postfix/proto/TLS_README.html
+++ b/postfix/proto/TLS_README.html
@@ -2635,10 +2635,44 @@ font, and a "#" prompt indicates a super-user shell.
+
+
+
+ The following commands (credits: Viktor Dukhovni) generate
+and install a private key and 10-year self-signed certificate for
+the local Postfix system. This requires super-user privileges.
+
+
+
+# dir="$(postconf -h config_directory)"
+# fqdn=$(postconf -h myhostname)
+# ymd=$(date +%Y-%m-%d)
+# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
+# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
+# (umask 077; openssl genrsa -out "${key}" 2048) &&
+ openssl req -new -key "${key}" \
+ -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
+ postconf -e \
+ "smtpd_tls_cert_file = ${cert}" \
+ "smtpd_tls_key_file = ${key}"
+
+
+
+
+
+
+
-
Become your own Certificate Authority, so that you can
-sign your own public keys. This example uses the CA.pl script that
-ships with OpenSSL. On some systems, OpenSSL installs this as
-/usr/local/ssl/misc/CA.pl. Some systems install this as
+sign your own certificates, and so that your own systems can
+authenticate certificates from your own CA. This example uses the
+CA.pl script that ships with OpenSSL. On some systems, OpenSSL
+installs this as /usr/local/openssl/misc/CA.pl. Some systems
+install this as
part of a package named openssl-perl or something similar.
The script creates a private key in ./demoCA/private/cakey.pem
and a public key in ./demoCA/cacert.pem.
@@ -2663,7 +2697,7 @@ an unsigned public key certificate.
-% openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365
+% openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
........................................++++++
@@ -2698,7 +2732,7 @@ steps ago.
-% openssl ca -out foo-cert.pem -infiles foo-req.pem
+% openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:whatever
Check that the request matches the signature
@@ -2724,6 +2758,10 @@ Data Base Updated
and the Certification Authority certificate files. This requires
super-user privileges.
+ The following commands assume that the key and certificate will
+be installed for the local Postfix MTA. You will need to adjust the
+commands if the Postfix MTA is on a different host.
+
# cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index e933d4b8f..49aabae86 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20140219"
+#define MAIL_RELEASE_DATE "20140223"
#define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT
diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c
index fdd11868e..a39c6a498 100644
--- a/postfix/src/smtp/lmtp_params.c
+++ b/postfix/src/smtp/lmtp_params.c
@@ -71,8 +71,9 @@
VAR_LMTP_RSET_TMOUT, DEF_LMTP_RSET_TMOUT, &var_smtp_rset_tmout, 1, 0,
VAR_LMTP_QUIT_TMOUT, DEF_LMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
VAR_LMTP_PIX_THRESH, DEF_LMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
- VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_LMTP_PIX_DELAY, DEF_LMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
+ VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
+ VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_LMTP_CACHE_CONNT, DEF_LMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0,
VAR_LMTP_REUSE_TIME, DEF_LMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0,
#ifdef USE_TLS
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 768b57647..65beb67c5 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -195,8 +195,9 @@
/* .PP
/* Available in Postfix version 2.2.9 and later:
/* .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR"
-/* Allow DNS CNAME records to override the servername that the
-/* Postfix SMTP client uses for logging, SASL password lookup, TLS
+/* When the remote SMTP servername is a DNS CNAME, replace the
+/* servername with the result from CNAME expansion for the purpose of
+/* logging, SASL password lookup, TLS
/* policy decisions, or TLS certificate verification.
/* .PP
/* Available in Postfix version 2.3 and later:
@@ -797,6 +798,7 @@ char *var_smtp_bind_addr;
char *var_smtp_bind_addr6;
bool var_smtp_rand_addr;
int var_smtp_pix_thresh;
+int var_queue_run_delay;
int var_min_backoff_time;
int var_smtp_pix_delay;
int var_smtp_line_limit;
diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h
index 66e891024..ee9e5062f 100644
--- a/postfix/src/smtp/smtp.h
+++ b/postfix/src/smtp/smtp.h
@@ -474,7 +474,7 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[];
#define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \
(session->tls_context != 0 \
- && SMTP_RCPT_LEFT(state) > 0 \
+ && SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \
&& session->tls->level == TLS_LEV_MAY \
&& PREACTIVE_DELAY >= var_min_backoff_time \
&& !HAVE_SASL_CREDENTIALS)
@@ -553,6 +553,8 @@ extern void smtp_chat_notify(SMTP_SESSION *);
#define SMTP_RCPT_LEFT(state) (state)->rcpt_left
+#define SMTP_RCPT_MARK_COUNT(state) ((state)->rcpt_drop + (state)->rcpt_keep)
+
extern void smtp_rcpt_cleanup(SMTP_STATE *);
extern void smtp_rcpt_done(SMTP_STATE *, SMTP_RESP *, RECIPIENT *);
diff --git a/postfix/src/smtp/smtp_params.c b/postfix/src/smtp/smtp_params.c
index 55a6e7153..98c93b368 100644
--- a/postfix/src/smtp/smtp_params.c
+++ b/postfix/src/smtp/smtp_params.c
@@ -73,6 +73,7 @@
VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
+ VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_SMTP_CACHE_CONNT, DEF_SMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0,
VAR_SMTP_REUSE_TIME, DEF_SMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0,
diff --git a/postfix/src/smtp/smtp_rcpt.c b/postfix/src/smtp/smtp_rcpt.c
index acb125236..e8fe0b324 100644
--- a/postfix/src/smtp/smtp_rcpt.c
+++ b/postfix/src/smtp/smtp_rcpt.c
@@ -26,6 +26,9 @@
/* int SMTP_RCPT_LEFT(state)
/* SMTP_STATE *state;
/*
+/* int SMTP_RCPT_MARK_COUNT(state)
+/* SMTP_STATE *state;
+/*
/* void smtp_rcpt_done(state, resp, rcpt)
/* SMTP_STATE *state;
/* SMTP_RESP *resp;
@@ -64,6 +67,9 @@
/* SMTP_RCPT_LEFT() returns the number of left_over recipients
/* (the total number of marked and non-marked recipients).
/*
+/* SMTP_RCPT_MARK_COUNT() returns the number of left_over
+/* recipients that are marked.
+/*
/* smtp_rcpt_cleanup() cleans up the in-memory recipient list.
/* It removes the recipients marked DROP from the left-over
/* recipients, unmarks the left-over recipients, and enforces
diff --git a/postfix/src/smtp/smtp_trouble.c b/postfix/src/smtp/smtp_trouble.c
index c5ed83f29..386e9668f 100644
--- a/postfix/src/smtp/smtp_trouble.c
+++ b/postfix/src/smtp/smtp_trouble.c
@@ -452,5 +452,11 @@ int smtp_stream_except(SMTP_STATE *state, int code, const char *description)
dsb_simple(why, "4.3.0", "local data error while talking to %s",
session->namaddr);
}
+
+ /*
+ * The smtp_bulk_fail() call below will not throttle the destination when
+ * falling back to plaintext, because RETRY_AS_PLAINTEXT clears the
+ * FINAL_SERVER flag.
+ */
return (smtp_bulk_fail(state, SMTP_THROTTLE));
}
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 6344a6127..fa0131307 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -2036,27 +2036,29 @@ static int mail_open_stream(SMTPD_STATE *state)
/*
* Log the queue ID with the message origin.
*/
-#ifdef USE_SASL_AUTH
- if (state->sasl_username)
- smtpd_sasl_mail_log(state);
- else
-#endif
-
- /*
- * See also: smtpd_sasl_proto.c, for a longer client= logfile record.
- */
#define PRINT_OR_NULL(cond, str) \
((cond) ? (str) : "")
#define PRINT2_OR_NULL(cond, name, value) \
PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
- msg_info("%s: client=%s%s%s%s%s",
- (state->queue_id ? state->queue_id : "NOQUEUE"),
- state->namaddr,
- PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
- ", orig_queue_id=", FORWARD_IDENT(state)),
- PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
- ", orig_client=", FORWARD_NAMADDR(state)));
+ msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
+ (state->queue_id ? state->queue_id : "NOQUEUE"),
+ state->namaddr,
+#ifdef USE_SASL_AUTH
+ PRINT2_OR_NULL(state->sasl_method,
+ ", sasl_method=", state->sasl_method),
+ PRINT2_OR_NULL(state->sasl_username,
+ ", sasl_username=", state->sasl_username),
+ PRINT2_OR_NULL(state->sasl_sender,
+ ", sasl_sender=", state->sasl_sender),
+#else
+ "", "", "", "", "", "",
+#endif
+ /* Insert transaction TLS status here. */
+ PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
+ ", orig_queue_id=", FORWARD_IDENT(state)),
+ PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
+ ", orig_client=", FORWARD_NAMADDR(state)));
return (0);
}
diff --git a/postfix/src/smtpd/smtpd_sasl_proto.c b/postfix/src/smtpd/smtpd_sasl_proto.c
index 2c01f8dbd..a04d9daf6 100644
--- a/postfix/src/smtpd/smtpd_sasl_proto.c
+++ b/postfix/src/smtpd/smtpd_sasl_proto.c
@@ -24,9 +24,6 @@
/* SMTPD_STATE *state;
/* const char *sender;
/*
-/* void smtpd_sasl_mail_log(state)
-/* SMTPD_STATE *state;
-/*
/* void smtpd_sasl_mail_reset(state)
/* SMTPD_STATE *state;
/*
@@ -64,9 +61,6 @@
/* option to the MAIL FROM command. The result is an error response
/* in case of problems.
/*
-/* smtpd_sasl_mail_log() logs SASL-specific information after
-/* processing the MAIL FROM command.
-/*
/* smtpd_sasl_mail_reset() performs cleanup for the SASL-specific
/* AUTH=sender option to the MAIL FROM command.
/*
@@ -253,34 +247,6 @@ char *smtpd_sasl_mail_opt(SMTPD_STATE *state, const char *addr)
return (0);
}
-/* smtpd_sasl_mail_log - SASL-specific MAIL FROM logging */
-
-void smtpd_sasl_mail_log(SMTPD_STATE *state)
-{
-
- /*
- * See also: smtpd.c, for a shorter client= logfile record.
- */
-#define PRINT_OR_NULL(cond, str) \
- ((cond) ? (str) : "")
-#define PRINT2_OR_NULL(cond, name, value) \
- PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
-
- msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
- (state->queue_id ? state->queue_id : "NOQUEUE"),
- state->namaddr,
- PRINT2_OR_NULL(state->sasl_method,
- ", sasl_method=", state->sasl_method),
- PRINT2_OR_NULL(state->sasl_username,
- ", sasl_username=", state->sasl_username),
- PRINT2_OR_NULL(state->sasl_sender,
- ", sasl_sender=", state->sasl_sender),
- PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
- ", orig_queue_id=", FORWARD_IDENT(state)),
- PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
- ", orig_client=", FORWARD_NAMADDR(state)));
-}
-
/* smtpd_sasl_mail_reset - SASL-specific MAIL FROM cleanup */
void smtpd_sasl_mail_reset(SMTPD_STATE *state)
diff --git a/postfix/src/smtpd/smtpd_sasl_proto.h b/postfix/src/smtpd/smtpd_sasl_proto.h
index 7f8ac3d4b..d52bd4be3 100644
--- a/postfix/src/smtpd/smtpd_sasl_proto.h
+++ b/postfix/src/smtpd/smtpd_sasl_proto.h
@@ -14,7 +14,6 @@
extern int smtpd_sasl_auth_cmd(SMTPD_STATE *, int, SMTPD_TOKEN *);
extern void smtpd_sasl_auth_reset(SMTPD_STATE *);
extern char *smtpd_sasl_mail_opt(SMTPD_STATE *, const char *);
-extern void smtpd_sasl_mail_log(SMTPD_STATE *);
extern void smtpd_sasl_mail_reset(SMTPD_STATE *);
#define smtpd_sasl_auth_extern smtpd_sasl_login
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index 7732cfa7b..039e70482 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
*/
if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s "
- "(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
+ "(%d/%d bits)",
+ !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
+ TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits);