
postfix-2.12-20140223

Wietse Venema 2014-02-23 00:00:00 -05:00 committed by Viktor Dukhovni
parent b36a31ca30
commit 6605bfc21d
18 changed files with 428 additions and 316 deletions


@ -19559,14 +19559,32 @@ Apologies for any names omitted.
Workaround: require that a queue file is older than Workaround: require that a queue file is older than
$minimal_backoff_time, before falling back from failed TLS $minimal_backoff_time, before falling back from failed TLS
(both during or after the TLS handshake) to plaintext to plaintext (both during or after the TLS handshake).
delivery. Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c, Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c,
smtp/lmtp_params.c, smtp/smtp_params.c. smtp/lmtp_params.c, smtp/smtp_params.c.
20140219 20140220
Workaround: disable the fallback to plaintext when all Workaround: in case "minimal_backoff_time = $queue_run_delay".
recipients have already been bounced or deferred. This Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c.
happens for example when TLS breaks after the TLS handshake
while talking to the "final" SMTP server. Wietse and Viktor. Cleanup: consolidate the code to log the start of a new
Files: smtp/smtp.h. mail transaction in one place, so that code can easily be
added to log TLS status information in addition to the
existing client and SASL status information. Files:
smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c,
smtpd/smtpd.c.
20140223
Workaround: when a session breaks after the TLS handshake,
do not fall back from TLS to plaintext when all recipients
were deferred or rejected during the TLS phase. Files:
smtp/smtp.h, smtp/smtp_rcpt.c.
Logging: the TLS client logged that an "Untrusted" TLS
connection was established instead of "Anonymous".
Viktor Dukhovni. File: tls/tls_client.c.
Documentation: new self-signed certificate example and
updated private CA example. File: proto/TLS_README.html.


@ -2011,12 +2011,37 @@ key certificates of remote hosts.
In the examples below, user input is shown in bboolldd font, and a "#" prompt In the examples below, user input is shown in bboolldd font, and a "#" prompt
indicates a super-user shell. indicates a super-user shell.
* Become your own Certificate Authority, so that you can sign your own public * Self-signed server certificate.
keys. This example uses the CA.pl script that ships with OpenSSL. On some
systems, OpenSSL installs this as /usr/local/ssl/misc/CA.pl. Some systems * Private Certificate Authority.
install this as part of a package named openssl-perl or something similar.
The script creates a private key in ./demoCA/private/cakey.pem and a public SSeellff--ssiiggnneedd sseerrvveerr cceerrttiiffiiccaattee
key in ./demoCA/cacert.pem.
The following commands (credits: Viktor Dukhovni) generate and install a
private key and 10-year self-signed certificate for the local Postfix system.
This requires super-user privileges.
# dir="$(postconf -h config_directory)"
# fqdn=$(postconf -h myhostname)
# ymd=$(date +%Y-%m-%d)
# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
# (umask 077; openssl genrsa -out "${key}" 2048) &&
openssl req -new -key "${key}" \
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"smtpd_tls_cert_file = ${cert}" \
"smtpd_tls_key_file = ${key}"
PPrriivvaattee CCeerrttiiffiiccaattee AAuutthhoorriittyy
* Become your own Certificate Authority, so that you can sign your own
certificates, and so that your own systems can authenticate certificates
from your own CA. This example uses the CA.pl script that ships with
OpenSSL. On some systems, OpenSSL installs this as /usr/local/openssl/misc/
CA.pl. Some systems install this as part of a package named openssl-perl or
something similar. The script creates a private key in ./demoCA/private/
cakey.pem and a public key in ./demoCA/cacert.pem.
% //uussrr//llooccaall//ssssll//mmiisscc//CCAA..ppll --nneewwccaa % //uussrr//llooccaall//ssssll//mmiisscc//CCAA..ppll --nneewwccaa
CA certificate filename (or enter to create) CA certificate filename (or enter to create)
@ -2032,8 +2057,7 @@ indicates a super-user shell.
* Create an unpassworded private key for host foo.porcupine.org and create an * Create an unpassworded private key for host foo.porcupine.org and create an
unsigned public key certificate. unsigned public key certificate.
% ooppeennssssll rreeqq --nneeww --nnooddeess --kkeeyyoouutt ffoooo--kkeeyy..ppeemm --oouutt ffoooo--rreeqq..ppeemm --ddaayyss % ooppeennssssll rreeqq --nneeww --nnooddeess --kkeeyyoouutt ffoooo--kkeeyy..ppeemm --oouutt ffoooo--rreeqq..ppeemm
336655
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key Generating a 1024 bit RSA private key
........................................++++++ ........................................++++++
@ -2065,7 +2089,7 @@ indicates a super-user shell.
* Sign the public key certificate for host foo.porcupine.org with the * Sign the public key certificate for host foo.porcupine.org with the
Certification Authority private key that we created a few steps ago. Certification Authority private key that we created a few steps ago.
% ooppeennssssll ccaa --oouutt ffoooo--cceerrtt..ppeemm --iinnffiilleess ffoooo--rreeqq..ppeemm % ooppeennssssll ccaa --oouutt ffoooo--cceerrtt..ppeemm --ddaayyss 336655 --iinnffiilleess ffoooo--rreeqq..ppeemm
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:wwhhaatteevveerr Enter PEM pass phrase:wwhhaatteevveerr
Check that the request matches the signature Check that the request matches the signature
@ -2089,6 +2113,10 @@ indicates a super-user shell.
Certification Authority certificate files. This requires super-user Certification Authority certificate files. This requires super-user
privileges. privileges.
The following commands assume that the key and certificate will be
installed for the local Postfix MTA. You will need to adjust the commands
if the Postfix MTA is on a different host.
# ccpp ddeemmooCCAA//ccaacceerrtt..ppeemm ffoooo--kkeeyy..ppeemm ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx # ccpp ddeemmooCCAA//ccaacceerrtt..ppeemm ffoooo--kkeeyy..ppeemm ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx
# cchhmmoodd 664444 //eettcc//ppoossttffiixx//ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx//ccaacceerrtt..ppeemm # cchhmmoodd 664444 //eettcc//ppoossttffiixx//ffoooo--cceerrtt..ppeemm //eettcc//ppoossttffiixx//ccaacceerrtt..ppeemm
# cchhmmoodd 440000 //eettcc//ppoossttffiixx//ffoooo--kkeeyy..ppeemm # cchhmmoodd 440000 //eettcc//ppoossttffiixx//ffoooo--kkeeyy..ppeemm


@ -2635,10 +2635,44 @@ font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
<ul> <ul>
<li> <p> <a name="#self-signed">Self-signed server certificate</a>.</p>
<li> <p> <a name="#private-ca">Private Certificate Authority</a>. </p>
</ul>
<h3><a name="self-signed">Self-signed server certificate</a></h3>
<p> The following commands (credits: Viktor Dukhovni) generate
and install a private key and 10-year self-signed certificate for
the local Postfix system. This requires super-user privileges. </p>
<blockquote>
<pre>
# dir="$(postconf -h <a href="postconf.5.html#config_directory">config_directory</a>)"
# fqdn=$(postconf -h <a href="postconf.5.html#myhostname">myhostname</a>)
# ymd=$(date +%Y-%m-%d)
# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
# (umask 077; openssl genrsa -out "${key}" 2048) &&
openssl req -new -key "${key}" \
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a> = ${cert}" \
"<a href="postconf.5.html#smtpd_tls_key_file">smtpd_tls_key_file</a> = ${key}"
</pre>
</blockquote>
<h3><a name="private-ca">Private Certificate Authority</a></h3>
<ul>
<li> <p> Become your own Certificate Authority, so that you can <li> <p> Become your own Certificate Authority, so that you can
sign your own public keys. This example uses the CA.pl script that sign your own certificates, and so that your own systems can
ships with OpenSSL. On some systems, OpenSSL installs this as authenticate certificates from your own CA. This example uses the
<tt>/usr/local/ssl/misc/CA.pl</tt>. Some systems install this as CA.pl script that ships with OpenSSL. On some systems, OpenSSL
installs this as <tt>/usr/local/openssl/misc/CA.pl</tt>. Some systems
install this as
part of a package named <tt>openssl-perl</tt> or something similar. part of a package named <tt>openssl-perl</tt> or something similar.
The script creates a private key in <tt>./demoCA/private/cakey.pem</tt> The script creates a private key in <tt>./demoCA/private/cakey.pem</tt>
and a public key in <tt>./demoCA/cacert.pem</tt>.</p> and a public key in <tt>./demoCA/cacert.pem</tt>.</p>
@ -2663,7 +2697,7 @@ an unsigned public key certificate. </p>
<blockquote> <blockquote>
<pre> <pre>
% <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365</b> % <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem</b>
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key Generating a 1024 bit RSA private key
........................................++++++ ........................................++++++
@ -2698,7 +2732,7 @@ steps ago. </p>
<blockquote> <blockquote>
<pre> <pre>
% <b>openssl ca -out foo-cert.pem -infiles foo-req.pem</b> % <b>openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem</b>
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:<b>whatever</b> Enter PEM pass phrase:<b>whatever</b>
Check that the request matches the signature Check that the request matches the signature
@ -2724,6 +2758,10 @@ Data Base Updated
and the Certification Authority certificate files. This requires and the Certification Authority certificate files. This requires
super-user privileges. </p> super-user privileges. </p>
<p> The following commands assume that the key and certificate will
be installed for the local Postfix MTA. You will need to adjust the
commands if the Postfix MTA is on a different host. </p>
<blockquote> <blockquote>
<pre> <pre>
# <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b> # <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b>
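Review bot: The two table-of-contents entries added in the first hunk of this section use `<a name="#self-signed">` and `<a name="#private-ca">`, which define extra anchors instead of linking to the new `<h3>` headings, so the entries are not clickable. They should read `<a href="#self-signed">Self-signed server certificate</a>` and `<a href="#private-ca">Private Certificate Authority</a>`. The rewritten CA paragraph also now gives the script location as `/usr/local/openssl/misc/CA.pl`, while the example command in the plain-text rendering of this README still invokes `/usr/local/ssl/misc/CA.pl`; the two paths should be made to agree. If this file is generated from proto/TLS_README.html, as the HISTORY entry suggests, both fixes belong in that source.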


@ -219,42 +219,43 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2.9 and later: Available in Postfix version 2.2.9 and later:
<b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b> <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
Allow DNS CNAME records to override the servername that the When the remote SMTP servername is a DNS CNAME, replace the
Postfix SMTP client uses for logging, SASL password lookup, TLS servername with the result from CNAME expansion for the purpose
policy decisions, or TLS certificate verification. of logging, SASL password lookup, TLS policy decisions, or TLS
certificate verification.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b> <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
Lookup tables, indexed by the remote LMTP server address, with Lookup tables, indexed by the remote LMTP server address, with
case insensitive lists of LHLO keywords (pipelining, starttls, case insensitive lists of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server. response from a remote LMTP server.
<b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b> <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
A case insensitive list of LHLO keywords (pipelining, starttls, A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server. response from a remote LMTP server.
Available in Postfix version 2.4.4 and later: Available in Postfix version 2.4.4 and later:
<b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b> <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
When authenticating to a remote SMTP or LMTP server with the When authenticating to a remote SMTP or LMTP server with the
default setting "no", send no SASL authoriZation ID (authzid); default setting "no", send no SASL authoriZation ID (authzid);
send only the SASL authentiCation ID (authcid) plus the auth- send only the SASL authentiCation ID (authcid) plus the auth-
cid's password. cid's password.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b> <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client. Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client.
<b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b> <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP
client. client.
<b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b> <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP
client. client.
<b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b> <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
@ -263,7 +264,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.6 and later: Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b> <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
An optional workaround for routers that break TCP window scal- An optional workaround for routers that break TCP window scal-
ing. ing.
Available in Postfix version 2.8 and later: Available in Postfix version 2.8 and later:
@ -274,14 +275,14 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.9 and later: Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes- response line, SMTP message content line, or TLS protocol mes-
sage). sage).
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL FROM Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL FROM
command in SASL-authenticated SMTP sessions. command in SASL-authenticated SMTP sessions.
Available in Postfix version 2.11 and later: Available in Postfix version 2.11 and later:
@ -305,7 +306,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b> <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
Send the non-standard XFORWARD command when the Postfix SMTP Send the non-standard XFORWARD command when the Postfix SMTP
server EHLO response announces XFORWARD support. server EHLO response announces XFORWARD support.
<b>SASL AUTHENTICATION CONTROLS</b> <b>SASL AUTHENTICATION CONTROLS</b>
@ -313,62 +314,62 @@ SMTP(8) SMTP(8)
Enable SASL authentication in the Postfix SMTP client. Enable SASL authentication in the Postfix SMTP client.
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
Optional Postfix SMTP client lookup tables with one user- Optional Postfix SMTP client lookup tables with one user-
name:password entry per remote hostname or domain, or sender name:password entry per remote hostname or domain, or sender
address when sender-dependent authentication is enabled. address when sender-dependent authentication is enabled.
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b> <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
Postfix SMTP client SASL security options; as of Postfix 2.3 the Postfix SMTP client SASL security options; as of Postfix 2.3 the
list of available features depends on the SASL client implemen- list of available features depends on the SASL client implemen-
tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
If non-empty, a Postfix SMTP client filter for the remote SMTP If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms. server's list of offered SASL mechanisms.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b> <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
Enable sender-dependent authentication in the Postfix SMTP Enable sender-dependent authentication in the Postfix SMTP
client; this is available only with SASL authentication, and client; this is available only with SASL authentication, and
disables SMTP connection caching to ensure that mail from dif- disables SMTP connection caching to ensure that mail from dif-
ferent senders will use the appropriate credentials. ferent senders will use the appropriate credentials.
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
Implementation-specific information that the Postfix SMTP client Implementation-specific information that the Postfix SMTP client
passes through to the SASL plug-in implementation that is passes through to the SASL plug-in implementation that is
selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b> <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
The SASL plug-in type that the Postfix SMTP client should use The SASL plug-in type that the Postfix SMTP client should use
for authentication. for authentication.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
An optional table to prevent repeated SASL authentication fail- An optional table to prevent repeated SASL authentication fail-
ures with the same remote SMTP server hostname, username and ures with the same remote SMTP server hostname, username and
password. password.
<b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b> <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
is removed. is removed.
<b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b> <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
When a remote SMTP server rejects a SASL authentication request When a remote SMTP server rejects a SASL authentication request
with a 535 reply code, defer mail delivery instead of returning with a 535 reply code, defer mail delivery instead of returning
mail as undeliverable. mail as undeliverable.
Available in Postfix version 2.9 and later: Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL FROM Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL FROM
command in SASL-authenticated SMTP sessions. command in SASL-authenticated SMTP sessions.
<b>STARTTLS SUPPORT CONTROLS</b> <b>STARTTLS SUPPORT CONTROLS</b>
Detailed information about STARTTLS configuration may be found in the Detailed information about STARTTLS configuration may be found in the
<a href="TLS_README.html">TLS_README</a> document. <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
@ -378,20 +379,20 @@ SMTP(8) SMTP(8)
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b> <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
The SASL authentication security options that the Postfix SMTP The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions. client uses for TLS encrypted SMTP sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
Time limit for Postfix SMTP client write and read operations Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures. during TLS startup and shutdown handshake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
A file containing CA certificates of root CAs trusted to sign A file containing CA certificates of root CAs trusted to sign
either remote SMTP server certificates or intermediate CA cer- either remote SMTP server certificates or intermediate CA cer-
tificates. tificates.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
Directory with PEM format certificate authority certificates Directory with PEM format certificate authority certificates
that the Postfix SMTP client uses to verify a remote SMTP server that the Postfix SMTP client uses to verify a remote SMTP server
certificate. certificate.
@ -399,7 +400,7 @@ SMTP(8) SMTP(8)
File with the Postfix SMTP client RSA certificate in PEM format. File with the Postfix SMTP client RSA certificate in PEM format.
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP client will The minimum TLS cipher grade that the Postfix SMTP client will
use with mandatory TLS encryption. use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
@ -407,8 +408,8 @@ SMTP(8) SMTP(8)
client cipher list at all TLS security levels. client cipher list at all TLS security levels.
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
Additional list of ciphers or cipher types to exclude from the Additional list of ciphers or cipher types to exclude from the
Postfix SMTP client cipher list at mandatory TLS security lev- Postfix SMTP client cipher list at mandatory TLS security lev-
els. els.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
@ -424,7 +425,7 @@ SMTP(8) SMTP(8)
Enable additional Postfix SMTP client logging of TLS activity. Enable additional Postfix SMTP client logging of TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
Log the hostname of a remote SMTP server that offers STARTTLS, Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server. when TLS is not already enabled for that server.
<b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
@ -433,14 +434,14 @@ SMTP(8) SMTP(8)
fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
List of SSL/TLS protocols that the Postfix SMTP client will use List of SSL/TLS protocols that the Postfix SMTP client will use
with mandatory TLS encryption. with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b> <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
The verification depth for remote SMTP server certificates. The verification depth for remote SMTP server certificates.
<b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b> <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
How the Postfix SMTP client verifies the server certificate How the Postfix SMTP client verifies the server certificate
peername for the "secure" TLS security level. peername for the "secure" TLS security level.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
@ -448,16 +449,16 @@ SMTP(8) SMTP(8)
session cache. session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b> <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
The expiration time of Postfix SMTP client TLS session cache The expiration time of Postfix SMTP client TLS session cache
information. information.
<b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b> <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
How the Postfix SMTP client verifies the server certificate How the Postfix SMTP client verifies the server certificate
peername for the "verify" TLS security level. peername for the "verify" TLS security level.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b> <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
internal pseudo random number generator (PRNG). internal pseudo random number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b> <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
@ -473,52 +474,52 @@ SMTP(8) SMTP(8)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b> <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
The OpenSSL cipherlist for "NULL" grade ciphers that provide The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. authentication without encryption.
Available in Postfix version 2.4 and later: Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b> <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">rity_options</a>)</b> <b><a href="postconf.5.html#smtp_sasl_tls_security_options">rity_options</a>)</b>
The SASL authentication security options that the Postfix SMTP The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions with a verified client uses for TLS encrypted SMTP sessions with a verified
server certificate. server certificate.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
List of acceptable remote SMTP server certificate fingerprints List of acceptable remote SMTP server certificate fingerprints
for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b> for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b>
<b><a href="postconf.5.html#smtp_tls_security_level">rity_level</a></b> = fingerprint). <b><a href="postconf.5.html#smtp_tls_security_level">rity_level</a></b> = fingerprint).
<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b> <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
The message digest algorithm used to construct remote SMTP The message digest algorithm used to construct remote SMTP
server certificate fingerprints. server certificate fingerprints.
Available in Postfix version 2.6 and later: Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b> <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
List of TLS protocols that the Postfix SMTP client will exclude List of TLS protocols that the Postfix SMTP client will exclude
or include with opportunistic TLS encryption. or include with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b> <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
The minimum TLS cipher grade that the Postfix SMTP client will The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption. use with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
File with the Postfix SMTP client ECDSA certificate in PEM for- File with the Postfix SMTP client ECDSA certificate in PEM for-
mat. mat.
<b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b> <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
File with the Postfix SMTP client ECDSA private key in PEM for- File with the Postfix SMTP client ECDSA private key in PEM for-
mat. mat.
Available in Postfix version 2.7 and later: Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
Try to detect a mail hijacking attack based on a TLS protocol Try to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555), where an attacker prepends mali- vulnerability (CVE-2009-3555), where an attacker prepends mali-
cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
TLS session. TLS session.
Available in Postfix version 2.8 and later: Available in Postfix version 2.8 and later:
@ -529,11 +530,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.11 and later: Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>
Zero or more PEM-format files with trust-anchor certificates Zero or more PEM-format files with trust-anchor certificates
and/or public keys. and/or public keys.
<b><a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> (no)</b>
Lookup the associated DANE TLSA RRset even when a hostname is Lookup the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone. not an alias and its address records lie in an unsigned zone.
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b> <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
@ -543,49 +544,49 @@ SMTP(8) SMTP(8)
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>. The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
<b>OBSOLETE STARTTLS CONTROLS</b> <b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a Postfix versions before 2.3. Support for these will be removed in a
future release. future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear. STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear. encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b> <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server hostname matches the information in the remote SMTP
server certificate. server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host- policy by next-hop destination and by remote SMTP server host-
name. name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list. cipher list.
<b>RESOURCE AND RATE CONTROLS</b> <b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b> <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b> <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
The maximal number of parallel deliveries to the same destina- The maximal number of parallel deliveries to the same destina-
tion via the smtp message delivery transport. tion via the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b> <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b>
The maximal number of recipients per message for the smtp mes- The maximal number of recipients per message for the smtp mes-
sage delivery transport. sage delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b> <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec- The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit). tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server command, and for receiving the initial remote SMTP server
response. response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b> <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -597,19 +598,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response. mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b> <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b> <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message The Postfix SMTP client time limit for sending the SMTP message
content. content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b> <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -623,13 +624,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b> <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero result from Postfix SMTP client mail exchanger lookups, or zero
(no limit). (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b> <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit). <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b> <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -639,17 +640,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier: Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b> <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a> Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds. seconds.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b> <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified Permanently enable SMTP connection caching for the specified
destinations. destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b> <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b> <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -663,37 +664,37 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b> <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera- Time limit for connection cache connect, send or receive opera-
tions. tions.
Available in Postfix version 2.9 and later: Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes- response line, SMTP message content line, or TLS protocol mes-
sage). sage).
Available in Postfix version 2.11 and later: Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b> <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero that an SMTP session may be reused before it is closed, or zero
(no limit). (no limit).
<b>TROUBLE SHOOTING CONTROLS</b> <b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a remote client or The increment in verbose logging level when a remote client or
server matches a pattern in the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. server matches a pattern in the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b> <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname or network Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to address patterns that cause the verbose logging level to
increase by the amount specified in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>. increase by the amount specified in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b> <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto- problems that are caused by policy, resource, software or proto-
col errors. col errors.
@ -707,46 +708,46 @@ SMTP(8) SMTP(8)
<b>MISCELLANEOUS CONTROLS</b> <b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b> <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition. detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files. figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer. request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log- The maximal number of digits after the decimal point when log-
ging sub-second delay values. ging sub-second delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b> <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients. Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The network interface addresses that this mail system receives The network interface addresses that this mail system receives
mail on. mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b> <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
The Internet protocols Postfix will attempt to use when making The Internet protocols Postfix will attempt to use when making
or accepting connections. or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an The time limit for sending or receiving information over an
internal communication channel. internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b> <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv- the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed". ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b> <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to. The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily. waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b> <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -760,20 +761,20 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process. The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail system receives The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit. mail on by way of a proxy or network address translation unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b> <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4 client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference. addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b> <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection. client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b> <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection. client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -793,8 +794,8 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging. The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the process name in The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post- syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd". fix/smtpd".
Available with Postfix 2.2 and earlier: Available with Postfix 2.2 and earlier:


@ -219,42 +219,43 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2.9 and later: Available in Postfix version 2.2.9 and later:
<b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b> <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
Allow DNS CNAME records to override the servername that the When the remote SMTP servername is a DNS CNAME, replace the
Postfix SMTP client uses for logging, SASL password lookup, TLS servername with the result from CNAME expansion for the purpose
policy decisions, or TLS certificate verification. of logging, SASL password lookup, TLS policy decisions, or TLS
certificate verification.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b> <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
Lookup tables, indexed by the remote LMTP server address, with Lookup tables, indexed by the remote LMTP server address, with
case insensitive lists of LHLO keywords (pipelining, starttls, case insensitive lists of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server. response from a remote LMTP server.
<b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b> <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
A case insensitive list of LHLO keywords (pipelining, starttls, A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server. response from a remote LMTP server.
Available in Postfix version 2.4.4 and later: Available in Postfix version 2.4.4 and later:
<b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b> <b><a href="postconf.5.html#send_cyrus_sasl_authzid">send_cyrus_sasl_authzid</a> (no)</b>
When authenticating to a remote SMTP or LMTP server with the When authenticating to a remote SMTP or LMTP server with the
default setting "no", send no SASL authoriZation ID (authzid); default setting "no", send no SASL authoriZation ID (authzid);
send only the SASL authentiCation ID (authcid) plus the auth- send only the SASL authentiCation ID (authcid) plus the auth-
cid's password. cid's password.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b> <b><a href="postconf.5.html#smtp_header_checks">smtp_header_checks</a> (empty)</b>
Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client. Restricted <a href="header_checks.5.html"><b>header_checks</b>(5)</a> tables for the Postfix SMTP client.
<b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b> <b><a href="postconf.5.html#smtp_mime_header_checks">smtp_mime_header_checks</a> (empty)</b>
Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP Restricted <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>(5) tables for the Postfix SMTP
client. client.
<b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b> <b><a href="postconf.5.html#smtp_nested_header_checks">smtp_nested_header_checks</a> (empty)</b>
Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP Restricted <b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b>(5) tables for the Postfix SMTP
client. client.
<b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b> <b><a href="postconf.5.html#smtp_body_checks">smtp_body_checks</a> (empty)</b>
@ -263,7 +264,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.6 and later: Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b> <b><a href="postconf.5.html#tcp_windowsize">tcp_windowsize</a> (0)</b>
An optional workaround for routers that break TCP window scal- An optional workaround for routers that break TCP window scal-
ing. ing.
Available in Postfix version 2.8 and later: Available in Postfix version 2.8 and later:
@ -274,14 +275,14 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.9 and later: Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes- response line, SMTP message content line, or TLS protocol mes-
sage). sage).
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL FROM Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL FROM
command in SASL-authenticated SMTP sessions. command in SASL-authenticated SMTP sessions.
Available in Postfix version 2.11 and later: Available in Postfix version 2.11 and later:
@ -305,7 +306,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b> <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
Send the non-standard XFORWARD command when the Postfix SMTP Send the non-standard XFORWARD command when the Postfix SMTP
server EHLO response announces XFORWARD support. server EHLO response announces XFORWARD support.
<b>SASL AUTHENTICATION CONTROLS</b> <b>SASL AUTHENTICATION CONTROLS</b>
@ -313,62 +314,62 @@ SMTP(8) SMTP(8)
Enable SASL authentication in the Postfix SMTP client. Enable SASL authentication in the Postfix SMTP client.
<b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
Optional Postfix SMTP client lookup tables with one user- Optional Postfix SMTP client lookup tables with one user-
name:password entry per remote hostname or domain, or sender name:password entry per remote hostname or domain, or sender
address when sender-dependent authentication is enabled. address when sender-dependent authentication is enabled.
<b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b> <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
Postfix SMTP client SASL security options; as of Postfix 2.3 the Postfix SMTP client SASL security options; as of Postfix 2.3 the
list of available features depends on the SASL client implemen- list of available features depends on the SASL client implemen-
tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. tation that is selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
If non-empty, a Postfix SMTP client filter for the remote SMTP If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms. server's list of offered SASL mechanisms.
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b> <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
Enable sender-dependent authentication in the Postfix SMTP Enable sender-dependent authentication in the Postfix SMTP
client; this is available only with SASL authentication, and client; this is available only with SASL authentication, and
disables SMTP connection caching to ensure that mail from dif- disables SMTP connection caching to ensure that mail from dif-
ferent senders will use the appropriate credentials. ferent senders will use the appropriate credentials.
<b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
Implementation-specific information that the Postfix SMTP client Implementation-specific information that the Postfix SMTP client
passes through to the SASL plug-in implementation that is passes through to the SASL plug-in implementation that is
selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>. selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b> <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
The SASL plug-in type that the Postfix SMTP client should use The SASL plug-in type that the Postfix SMTP client should use
for authentication. for authentication.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b> <b><a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> (empty)</b>
An optional table to prevent repeated SASL authentication fail- An optional table to prevent repeated SASL authentication fail-
ures with the same remote SMTP server hostname, username and ures with the same remote SMTP server hostname, username and
password. password.
<b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b> <b><a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a> (90d)</b>
The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
is removed. is removed.
<b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b> <b><a href="postconf.5.html#smtp_sasl_auth_soft_bounce">smtp_sasl_auth_soft_bounce</a> (yes)</b>
When a remote SMTP server rejects a SASL authentication request When a remote SMTP server rejects a SASL authentication request
with a 535 reply code, defer mail delivery instead of returning with a 535 reply code, defer mail delivery instead of returning
mail as undeliverable. mail as undeliverable.
Available in Postfix version 2.9 and later: Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b> <b><a href="postconf.5.html#smtp_send_dummy_mail_auth">smtp_send_dummy_mail_auth</a> (no)</b>
Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL FROM Whether or not to append the "AUTH=&lt;&gt;" option to the MAIL FROM
command in SASL-authenticated SMTP sessions. command in SASL-authenticated SMTP sessions.
<b>STARTTLS SUPPORT CONTROLS</b> <b>STARTTLS SUPPORT CONTROLS</b>
Detailed information about STARTTLS configuration may be found in the Detailed information about STARTTLS configuration may be found in the
<a href="TLS_README.html">TLS_README</a> document. <a href="TLS_README.html">TLS_README</a> document.
<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
@ -378,20 +379,20 @@ SMTP(8) SMTP(8)
<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>. <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b> <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a>)</b>
The SASL authentication security options that the Postfix SMTP The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions. client uses for TLS encrypted SMTP sessions.
<b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
Time limit for Postfix SMTP client write and read operations Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures. during TLS startup and shutdown handshake procedures.
<b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
A file containing CA certificates of root CAs trusted to sign A file containing CA certificates of root CAs trusted to sign
either remote SMTP server certificates or intermediate CA cer- either remote SMTP server certificates or intermediate CA cer-
tificates. tificates.
<b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
Directory with PEM format certificate authority certificates Directory with PEM format certificate authority certificates
that the Postfix SMTP client uses to verify a remote SMTP server that the Postfix SMTP client uses to verify a remote SMTP server
certificate. certificate.
@ -399,7 +400,7 @@ SMTP(8) SMTP(8)
File with the Postfix SMTP client RSA certificate in PEM format. File with the Postfix SMTP client RSA certificate in PEM format.
<b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
The minimum TLS cipher grade that the Postfix SMTP client will The minimum TLS cipher grade that the Postfix SMTP client will
use with mandatory TLS encryption. use with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
@ -407,8 +408,8 @@ SMTP(8) SMTP(8)
client cipher list at all TLS security levels. client cipher list at all TLS security levels.
<b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
Additional list of ciphers or cipher types to exclude from the Additional list of ciphers or cipher types to exclude from the
Postfix SMTP client cipher list at mandatory TLS security lev- Postfix SMTP client cipher list at mandatory TLS security lev-
els. els.
<b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
@ -424,7 +425,7 @@ SMTP(8) SMTP(8)
Enable additional Postfix SMTP client logging of TLS activity. Enable additional Postfix SMTP client logging of TLS activity.
<b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
Log the hostname of a remote SMTP server that offers STARTTLS, Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server. when TLS is not already enabled for that server.
<b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
@ -433,14 +434,14 @@ SMTP(8) SMTP(8)
fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter. fied, this overrides the obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
<b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b> <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (!SSLv2)</b>
List of SSL/TLS protocols that the Postfix SMTP client will use List of SSL/TLS protocols that the Postfix SMTP client will use
with mandatory TLS encryption. with mandatory TLS encryption.
<b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b> <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (9)</b>
The verification depth for remote SMTP server certificates. The verification depth for remote SMTP server certificates.
<b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b> <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
How the Postfix SMTP client verifies the server certificate How the Postfix SMTP client verifies the server certificate
peername for the "secure" TLS security level. peername for the "secure" TLS security level.
<b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
@ -448,16 +449,16 @@ SMTP(8) SMTP(8)
session cache. session cache.
<b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b> <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
The expiration time of Postfix SMTP client TLS session cache The expiration time of Postfix SMTP client TLS session cache
information. information.
<b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b> <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
How the Postfix SMTP client verifies the server certificate How the Postfix SMTP client verifies the server certificate
peername for the "verify" TLS security level. peername for the "verify" TLS security level.
<b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b> <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a> or <a href="smtpd.8.html"><b>smtpd</b>(8)</a>
process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> server in order to seed its
internal pseudo random number generator (PRNG). internal pseudo random number generator (PRNG).
<b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b> <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
@ -473,52 +474,52 @@ SMTP(8) SMTP(8)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
<b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b> <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
The OpenSSL cipherlist for "NULL" grade ciphers that provide The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. authentication without encryption.
Available in Postfix version 2.4 and later: Available in Postfix version 2.4 and later:
<b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b> <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a> ($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_secu</a>-</b>
<b><a href="postconf.5.html#smtp_sasl_tls_security_options">rity_options</a>)</b> <b><a href="postconf.5.html#smtp_sasl_tls_security_options">rity_options</a>)</b>
The SASL authentication security options that the Postfix SMTP The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions with a verified client uses for TLS encrypted SMTP sessions with a verified
server certificate. server certificate.
Available in Postfix version 2.5 and later: Available in Postfix version 2.5 and later:
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> (empty)</b>
List of acceptable remote SMTP server certificate fingerprints List of acceptable remote SMTP server certificate fingerprints
for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b> for the "fingerprint" TLS security level (<b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_secu</a>-</b>
<b><a href="postconf.5.html#smtp_tls_security_level">rity_level</a></b> = fingerprint). <b><a href="postconf.5.html#smtp_tls_security_level">rity_level</a></b> = fingerprint).
<b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b> <b><a href="postconf.5.html#smtp_tls_fingerprint_digest">smtp_tls_fingerprint_digest</a> (md5)</b>
The message digest algorithm used to construct remote SMTP The message digest algorithm used to construct remote SMTP
server certificate fingerprints. server certificate fingerprints.
Available in Postfix version 2.6 and later: Available in Postfix version 2.6 and later:
<b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b> <b><a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> (!SSLv2)</b>
List of TLS protocols that the Postfix SMTP client will exclude List of TLS protocols that the Postfix SMTP client will exclude
or include with opportunistic TLS encryption. or include with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b> <b><a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a> (export)</b>
The minimum TLS cipher grade that the Postfix SMTP client will The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption. use with opportunistic TLS encryption.
<b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a> (empty)</b>
File with the Postfix SMTP client ECDSA certificate in PEM for- File with the Postfix SMTP client ECDSA certificate in PEM for-
mat. mat.
<b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b> <b><a href="postconf.5.html#smtp_tls_eckey_file">smtp_tls_eckey_file</a> ($<a href="postconf.5.html#smtp_tls_eccert_file">smtp_tls_eccert_file</a>)</b>
File with the Postfix SMTP client ECDSA private key in PEM for- File with the Postfix SMTP client ECDSA private key in PEM for-
mat. mat.
Available in Postfix version 2.7 and later: Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
Try to detect a mail hijacking attack based on a TLS protocol Try to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555), where an attacker prepends mali- vulnerability (CVE-2009-3555), where an attacker prepends mali-
cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
TLS session. TLS session.
Available in Postfix version 2.8 and later: Available in Postfix version 2.8 and later:
@ -529,11 +530,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.11 and later: Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a> (empty)</b>
Zero or more PEM-format files with trust-anchor certificates Zero or more PEM-format files with trust-anchor certificates
and/or public keys. and/or public keys.
<b><a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> (no)</b> <b><a href="postconf.5.html#smtp_tls_force_insecure_host_tlsa_lookup">smtp_tls_force_insecure_host_tlsa_lookup</a> (no)</b>
Lookup the associated DANE TLSA RRset even when a hostname is Lookup the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone. not an alias and its address records lie in an unsigned zone.
<b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b> <b><a href="postconf.5.html#tls_dane_trust_anchor_digest_enable">tls_dane_trust_anchor_digest_enable</a> (yes)</b>
@ -543,49 +544,49 @@ SMTP(8) SMTP(8)
The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>. The name of the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a> service entry in <a href="master.5.html">master.cf</a>.
<b>OBSOLETE STARTTLS CONTROLS</b> <b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compatibility with The following configuration parameters exist for compatibility with
Postfix versions before 2.3. Support for these will be removed in a Postfix versions before 2.3. Support for these will be removed in a
future release. future release.
<b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
Opportunistic mode: use TLS when a remote SMTP server announces Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear. STARTTLS support, otherwise send the mail in the clear.
<b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b> <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
Enforcement mode: require that remote SMTP servers use TLS Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear. encryption, and never send mail in the clear.
<b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b> <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
With mandatory TLS encryption, require that the remote SMTP With mandatory TLS encryption, require that the remote SMTP
server hostname matches the information in the remote SMTP server hostname matches the information in the remote SMTP
server certificate. server certificate.
<b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
Optional lookup tables with the Postfix SMTP client TLS usage Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server host- policy by next-hop destination and by remote SMTP server host-
name. name.
<b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b> <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS Obsolete Postfix &lt; 2.3 control for the Postfix SMTP client TLS
cipher list. cipher list.
<b>RESOURCE AND RATE CONTROLS</b> <b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b> <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b> <b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
The maximal number of parallel deliveries to the same destina- The maximal number of parallel deliveries to the same destina-
tion via the smtp message delivery transport. tion via the smtp message delivery transport.
<b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b> <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipient_limit</a>)</b>
The maximal number of recipients per message for the smtp mes- The maximal number of recipients per message for the smtp mes-
sage delivery transport. sage delivery transport.
<b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b> <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
The Postfix SMTP client time limit for completing a TCP connec- The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit). tion, or zero (use the operating system built-in time limit).
<b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the HELO or EHLO The Postfix SMTP client time limit for sending the HELO or EHLO
command, and for receiving the initial remote SMTP server command, and for receiving the initial remote SMTP server
response. response.
<b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b> <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
@ -597,19 +598,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response. mand, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the MAIL FROM The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b> <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
The Postfix SMTP client time limit for sending the SMTP RCPT TO The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b> <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
The Postfix SMTP client time limit for sending the SMTP DATA The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response. command, and for receiving the remote SMTP server response.
<b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b> <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
The Postfix SMTP client time limit for sending the SMTP message The Postfix SMTP client time limit for sending the SMTP message
content. content.
<b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b> <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
@ -623,13 +624,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later: Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b> <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
The maximal number of MX (mail exchanger) IP addresses that can The maximal number of MX (mail exchanger) IP addresses that can
result from Postfix SMTP client mail exchanger lookups, or zero result from Postfix SMTP client mail exchanger lookups, or zero
(no limit). (no limit).
<b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b> <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
The maximal number of SMTP sessions per delivery request before The maximal number of SMTP sessions per delivery request before
the Postfix SMTP client gives up or delivers to a fall-back the Postfix SMTP client gives up or delivers to a fall-back
<a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit). <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
<b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b> <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
@ -639,17 +640,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier: Available in Postfix version 2.2 and earlier:
<b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b> <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a> Keep Postfix LMTP client connections open for up to $<a href="postconf.5.html#max_idle">max_idle</a>
seconds. seconds.
Available in Postfix version 2.2 and later: Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b> <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
Permanently enable SMTP connection caching for the specified Permanently enable SMTP connection caching for the specified
destinations. destinations.
<b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b> <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
Temporarily enable SMTP connection caching while a destination Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. has a high volume of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
<b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b> <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
@ -663,37 +664,37 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:
<b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b> <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
Time limit for connection cache connect, send or receive opera- Time limit for connection cache connect, send or receive opera-
tions. tions.
Available in Postfix version 2.9 and later: Available in Postfix version 2.9 and later:
<b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b> <b><a href="postconf.5.html#smtp_per_record_deadline">smtp_per_record_deadline</a> (no)</b>
Change the behavior of the smtp_*_timeout time limits, from a Change the behavior of the smtp_*_timeout time limits, from a
time limit per read or write system call, to a time limit to time limit per read or write system call, to a time limit to
send or receive a complete record (an SMTP command line, SMTP send or receive a complete record (an SMTP command line, SMTP
response line, SMTP message content line, or TLS protocol mes- response line, SMTP message content line, or TLS protocol mes-
sage). sage).
Available in Postfix version 2.11 and later: Available in Postfix version 2.11 and later:
<b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b> <b><a href="postconf.5.html#smtp_connection_reuse_count_limit">smtp_connection_reuse_count_limit</a> (0)</b>
When SMTP connection caching is enabled, the number of times When SMTP connection caching is enabled, the number of times
that an SMTP session may be reused before it is closed, or zero that an SMTP session may be reused before it is closed, or zero
(no limit). (no limit).
<b>TROUBLE SHOOTING CONTROLS</b> <b>TROUBLE SHOOTING CONTROLS</b>
<b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b> <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
The increment in verbose logging level when a remote client or The increment in verbose logging level when a remote client or
server matches a pattern in the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter. server matches a pattern in the <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
<b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b> <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
Optional list of remote client or server hostname or network Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to address patterns that cause the verbose logging level to
increase by the amount specified in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>. increase by the amount specified in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
<b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b> <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
The recipient of postmaster notifications about mail delivery The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto- problems that are caused by policy, resource, software or proto-
col errors. col errors.
@ -707,46 +708,46 @@ SMTP(8) SMTP(8)
<b>MISCELLANEOUS CONTROLS</b> <b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b> <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
Where the Postfix SMTP client should deliver mail when it Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition. detects a "mail loops back to myself" error condition.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files. figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b> <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
How much time a Postfix daemon process may take to handle a How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer. request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b> <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
The maximal number of digits after the decimal point when log- The maximal number of digits after the decimal point when log-
ging sub-second delay values. ging sub-second delay values.
<b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b> <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
Disable DNS lookups in the Postfix SMTP and LMTP clients. Disable DNS lookups in the Postfix SMTP and LMTP clients.
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b> <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
The network interface addresses that this mail system receives The network interface addresses that this mail system receives
mail on. mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b> <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (all)</b>
The Internet protocols Postfix will attempt to use when making The Internet protocols Postfix will attempt to use when making
or accepting connections. or accepting connections.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b> <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
The time limit for sending or receiving information over an The time limit for sending or receiving information over an
internal communication channel. internal communication channel.
<b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b> <b><a href="postconf.5.html#lmtp_assume_final">lmtp_assume_final</a> (no)</b>
When a remote LMTP server announces no DSN support, assume that When a remote LMTP server announces no DSN support, assume that
the server performs final delivery, and send "delivered" deliv- the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed". ery status notifications instead of "relayed".
<b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b> <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
The default TCP port that the Postfix LMTP client connects to. The default TCP port that the Postfix LMTP client connects to.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b> <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily. waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b> <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
@ -760,20 +761,20 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process. The process name of a Postfix command or daemon process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b> <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail system receives The network interface addresses that this mail system receives
mail on by way of a proxy or network address translation unit. mail on by way of a proxy or network address translation unit.
<b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b> <b><a href="postconf.5.html#smtp_address_preference">smtp_address_preference</a> (any)</b>
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
client will try first, when a destination has IPv6 and IPv4 client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference. addresses with equal MX preference.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b> <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
An optional numerical network address that the Postfix SMTP An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection. client should bind to when making an IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b> <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
An optional numerical network address that the Postfix SMTP An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection. client should bind to when making an IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b> <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
@ -793,8 +794,8 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging. The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b> <b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
The mail system name that is prepended to the process name in The mail system name that is prepended to the process name in
syslog records, so that "smtpd" becomes, for example, "post- syslog records, so that "smtpd" becomes, for example, "post-
fix/smtpd". fix/smtpd".
Available with Postfix 2.2 and earlier: Available with Postfix 2.2 and earlier:


@ -217,8 +217,9 @@ a globally valid address when sending mail across the Internet.
.PP .PP
Available in Postfix version 2.2.9 and later: Available in Postfix version 2.2.9 and later:
.IP "\fBsmtp_cname_overrides_servername (version dependent)\fR" .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR"
Allow DNS CNAME records to override the servername that the When the remote SMTP servername is a DNS CNAME, replace the
Postfix SMTP client uses for logging, SASL password lookup, TLS servername with the result from CNAME expansion for the purpose of
logging, SASL password lookup, TLS
policy decisions, or TLS certificate verification. policy decisions, or TLS certificate verification.
.PP .PP
Available in Postfix version 2.3 and later: Available in Postfix version 2.3 and later:


@ -2635,10 +2635,44 @@ font, and a "<tt>#</tt>" prompt indicates a super-user shell. </p>
<ul> <ul>
<li> <p> <a name="#self-signed">Self-signed server certificate</a>.</p>
<li> <p> <a name="#private-ca">Private Certificate Authority</a>. </p>
</ul>
<h3><a name="self-signed">Self-signed server certificate</a></h3>
<p> The following commands (credits: Viktor Dukhovni) generate
and install a private key and 10-year self-signed certificate for
the local Postfix system. This requires super-user privileges. </p>
<blockquote>
<pre>
# dir="$(postconf -h config_directory)"
# fqdn=$(postconf -h myhostname)
# ymd=$(date +%Y-%m-%d)
# key="${dir}/key-${ymd}.pem"; rm -f "${key}"
# cert="${dir}/cert-${ymd}.pem"; rm -f "${cert}"
# (umask 077; openssl genrsa -out "${key}" 2048) &&
openssl req -new -key "${key}" \
-x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert}" &&
postconf -e \
"smtpd_tls_cert_file = ${cert}" \
"smtpd_tls_key_file = ${key}"
</pre>
</blockquote>
<h3><a name="private-ca">Private Certificate Authority</a></h3>
<ul>
<li> <p> Become your own Certificate Authority, so that you can <li> <p> Become your own Certificate Authority, so that you can
sign your own public keys. This example uses the CA.pl script that sign your own certificates, and so that your own systems can
ships with OpenSSL. On some systems, OpenSSL installs this as authenticate certificates from your own CA. This example uses the
<tt>/usr/local/ssl/misc/CA.pl</tt>. Some systems install this as CA.pl script that ships with OpenSSL. On some systems, OpenSSL
installs this as <tt>/usr/local/openssl/misc/CA.pl</tt>. Some systems
install this as
part of a package named <tt>openssl-perl</tt> or something similar. part of a package named <tt>openssl-perl</tt> or something similar.
The script creates a private key in <tt>./demoCA/private/cakey.pem</tt> The script creates a private key in <tt>./demoCA/private/cakey.pem</tt>
and a public key in <tt>./demoCA/cacert.pem</tt>.</p> and a public key in <tt>./demoCA/cacert.pem</tt>.</p>
@ -2663,7 +2697,7 @@ an unsigned public key certificate. </p>
<blockquote> <blockquote>
<pre> <pre>
% <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365</b> % <b>openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem</b>
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key Generating a 1024 bit RSA private key
........................................++++++ ........................................++++++
@ -2698,7 +2732,7 @@ steps ago. </p>
<blockquote> <blockquote>
<pre> <pre>
% <b>openssl ca -out foo-cert.pem -infiles foo-req.pem</b> % <b>openssl ca -out foo-cert.pem -days 365 -infiles foo-req.pem</b>
Using configuration from /etc/ssl/openssl.cnf Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:<b>whatever</b> Enter PEM pass phrase:<b>whatever</b>
Check that the request matches the signature Check that the request matches the signature
@ -2724,6 +2758,10 @@ Data Base Updated
and the Certification Authority certificate files. This requires and the Certification Authority certificate files. This requires
super-user privileges. </p> super-user privileges. </p>
<p> The following commands assume that the key and certificate will
be installed for the local Postfix MTA. You will need to adjust the
commands if the Postfix MTA is on a different host. </p>
<blockquote> <blockquote>
<pre> <pre>
# <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b> # <b>cp demoCA/cacert.pem foo-key.pem foo-cert.pem /etc/postfix</b>


@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20140219" #define MAIL_RELEASE_DATE "20140223"
#define MAIL_VERSION_NUMBER "2.12" #define MAIL_VERSION_NUMBER "2.12"
#ifdef SNAPSHOT #ifdef SNAPSHOT


@ -71,8 +71,9 @@
VAR_LMTP_RSET_TMOUT, DEF_LMTP_RSET_TMOUT, &var_smtp_rset_tmout, 1, 0, VAR_LMTP_RSET_TMOUT, DEF_LMTP_RSET_TMOUT, &var_smtp_rset_tmout, 1, 0,
VAR_LMTP_QUIT_TMOUT, DEF_LMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0, VAR_LMTP_QUIT_TMOUT, DEF_LMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
VAR_LMTP_PIX_THRESH, DEF_LMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0, VAR_LMTP_PIX_THRESH, DEF_LMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_LMTP_PIX_DELAY, DEF_LMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0, VAR_LMTP_PIX_DELAY, DEF_LMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_LMTP_CACHE_CONNT, DEF_LMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0, VAR_LMTP_CACHE_CONNT, DEF_LMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0,
VAR_LMTP_REUSE_TIME, DEF_LMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0, VAR_LMTP_REUSE_TIME, DEF_LMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0,
#ifdef USE_TLS #ifdef USE_TLS


@ -195,8 +195,9 @@
/* .PP /* .PP
/* Available in Postfix version 2.2.9 and later: /* Available in Postfix version 2.2.9 and later:
/* .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR" /* .IP "\fBsmtp_cname_overrides_servername (version dependent)\fR"
/* Allow DNS CNAME records to override the servername that the /* When the remote SMTP servername is a DNS CNAME, replace the
/* Postfix SMTP client uses for logging, SASL password lookup, TLS /* servername with the result from CNAME expansion for the purpose of
/* logging, SASL password lookup, TLS
/* policy decisions, or TLS certificate verification. /* policy decisions, or TLS certificate verification.
/* .PP /* .PP
/* Available in Postfix version 2.3 and later: /* Available in Postfix version 2.3 and later:
@ -797,6 +798,7 @@ char *var_smtp_bind_addr;
char *var_smtp_bind_addr6; char *var_smtp_bind_addr6;
bool var_smtp_rand_addr; bool var_smtp_rand_addr;
int var_smtp_pix_thresh; int var_smtp_pix_thresh;
int var_queue_run_delay;
int var_min_backoff_time; int var_min_backoff_time;
int var_smtp_pix_delay; int var_smtp_pix_delay;
int var_smtp_line_limit; int var_smtp_line_limit;


@ -474,7 +474,7 @@ extern HBC_CALL_BACKS smtp_hbc_callbacks[];
#define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \ #define PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE \
(session->tls_context != 0 \ (session->tls_context != 0 \
&& SMTP_RCPT_LEFT(state) > 0 \ && SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state) \
&& session->tls->level == TLS_LEV_MAY \ && session->tls->level == TLS_LEV_MAY \
&& PREACTIVE_DELAY >= var_min_backoff_time \ && PREACTIVE_DELAY >= var_min_backoff_time \
&& !HAVE_SASL_CREDENTIALS) && !HAVE_SASL_CREDENTIALS)
@ -553,6 +553,8 @@ extern void smtp_chat_notify(SMTP_SESSION *);
#define SMTP_RCPT_LEFT(state) (state)->rcpt_left #define SMTP_RCPT_LEFT(state) (state)->rcpt_left
#define SMTP_RCPT_MARK_COUNT(state) ((state)->rcpt_drop + (state)->rcpt_keep)
extern void smtp_rcpt_cleanup(SMTP_STATE *); extern void smtp_rcpt_cleanup(SMTP_STATE *);
extern void smtp_rcpt_done(SMTP_STATE *, SMTP_RESP *, RECIPIENT *); extern void smtp_rcpt_done(SMTP_STATE *, SMTP_RESP *, RECIPIENT *);
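Review bot: The new test `SMTP_RCPT_LEFT(state) > SMTP_RCPT_MARK_COUNT(state)` in PLAINTEXT_FALLBACK_OK_AFTER_TLS_SESSION_FAILURE has no comment saying why the marked count is the threshold, although this macro decides when a delivery leaves TLS for cleartext. I would add above the macro `/* Retry in plaintext only while at least one left-over recipient is still unmarked, i.e. was not already marked DROP or KEEP during the TLS phase. */`. The same comment should state that the fallback is limited to `TLS_LEV_MAY`, so a party able to break the session after the handshake still obtains plaintext delivery for the unmarked recipients once PREACTIVE_DELAY reaches var_min_backoff_time; destinations that must not downgrade need a level above "may". The macro also reads `session` and `state` from the caller's scope, which deserves a one-line mention next to it.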


@ -73,6 +73,7 @@
VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0, VAR_SMTP_QUIT_TMOUT, DEF_SMTP_QUIT_TMOUT, &var_smtp_quit_tmout, 1, 0,
VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0, VAR_SMTP_PIX_THRESH, DEF_SMTP_PIX_THRESH, &var_smtp_pix_thresh, 0, 0,
VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0, VAR_SMTP_PIX_DELAY, DEF_SMTP_PIX_DELAY, &var_smtp_pix_delay, 1, 0,
VAR_QUEUE_RUN_DELAY, DEF_QUEUE_RUN_DELAY, &var_queue_run_delay, 1, 0,
VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0, VAR_MIN_BACKOFF_TIME, DEF_MIN_BACKOFF_TIME, &var_min_backoff_time, 1, 0,
VAR_SMTP_CACHE_CONNT, DEF_SMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0, VAR_SMTP_CACHE_CONNT, DEF_SMTP_CACHE_CONNT, &var_smtp_cache_conn, 1, 0,
VAR_SMTP_REUSE_TIME, DEF_SMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0, VAR_SMTP_REUSE_TIME, DEF_SMTP_REUSE_TIME, &var_smtp_reuse_time, 1, 0,


@ -26,6 +26,9 @@
/* int SMTP_RCPT_LEFT(state) /* int SMTP_RCPT_LEFT(state)
/* SMTP_STATE *state; /* SMTP_STATE *state;
/* /*
/* int SMTP_RCPT_MARK_COUNT(state)
/* SMTP_STATE *state;
/*
/* void smtp_rcpt_done(state, resp, rcpt) /* void smtp_rcpt_done(state, resp, rcpt)
/* SMTP_STATE *state; /* SMTP_STATE *state;
/* SMTP_RESP *resp; /* SMTP_RESP *resp;
@ -64,6 +67,9 @@
/* SMTP_RCPT_LEFT() returns the number of left_over recipients /* SMTP_RCPT_LEFT() returns the number of left_over recipients
/* (the total number of marked and non-marked recipients). /* (the total number of marked and non-marked recipients).
/* /*
/* SMTP_RCPT_MARK_COUNT() returns the number of left_over
/* recipients that are marked.
/*
/* smtp_rcpt_cleanup() cleans up the in-memory recipient list. /* smtp_rcpt_cleanup() cleans up the in-memory recipient list.
/* It removes the recipients marked DROP from the left-over /* It removes the recipients marked DROP from the left-over
/* recipients, unmarks the left-over recipients, and enforces /* recipients, unmarks the left-over recipients, and enforces


@ -452,5 +452,11 @@ int smtp_stream_except(SMTP_STATE *state, int code, const char *description)
dsb_simple(why, "4.3.0", "local data error while talking to %s", dsb_simple(why, "4.3.0", "local data error while talking to %s",
session->namaddr); session->namaddr);
} }
/*
* The smtp_bulk_fail() call below will not throttle the destination when
* falling back to plaintext, because RETRY_AS_PLAINTEXT clears the
* FINAL_SERVER flag.
*/
return (smtp_bulk_fail(state, SMTP_THROTTLE)); return (smtp_bulk_fail(state, SMTP_THROTTLE));
} }


@ -2036,27 +2036,29 @@ static int mail_open_stream(SMTPD_STATE *state)
/* /*
* Log the queue ID with the message origin. * Log the queue ID with the message origin.
*/ */
#ifdef USE_SASL_AUTH
if (state->sasl_username)
smtpd_sasl_mail_log(state);
else
#endif
/*
* See also: smtpd_sasl_proto.c, for a longer client= logfile record.
*/
#define PRINT_OR_NULL(cond, str) \ #define PRINT_OR_NULL(cond, str) \
((cond) ? (str) : "") ((cond) ? (str) : "")
#define PRINT2_OR_NULL(cond, name, value) \ #define PRINT2_OR_NULL(cond, name, value) \
PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value)) PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
msg_info("%s: client=%s%s%s%s%s", msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
(state->queue_id ? state->queue_id : "NOQUEUE"), (state->queue_id ? state->queue_id : "NOQUEUE"),
state->namaddr, state->namaddr,
PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state), #ifdef USE_SASL_AUTH
", orig_queue_id=", FORWARD_IDENT(state)), PRINT2_OR_NULL(state->sasl_method,
PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), ", sasl_method=", state->sasl_method),
", orig_client=", FORWARD_NAMADDR(state))); PRINT2_OR_NULL(state->sasl_username,
", sasl_username=", state->sasl_username),
PRINT2_OR_NULL(state->sasl_sender,
", sasl_sender=", state->sasl_sender),
#else
"", "", "", "", "", "",
#endif
/* Insert transaction TLS status here. */
PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
", orig_queue_id=", FORWARD_IDENT(state)),
PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
", orig_client=", FORWARD_NAMADDR(state)));
return (0); return (0);
} }
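Review bot: The `#ifdef USE_SASL_AUTH` now sits inside the msg_info() argument list, and its `#else` branch pads the call with six hand-counted `""` arguments, so the number of `%s` conversions and the number of arguments have to be kept equal by hand in two build configurations while a format checker only ever sees the branch that is compiled. If msg_info were a function-like macro, a directive inside its arguments would also be undefined behaviour; its definition is not visible here. I would hoist the conditional out of the call into one macro that expands either to the three PRINT2_OR_NULL pairs or to the six empty strings, as sketched below. These fields feed the audit trail and sasl_sender originates from the client's AUTH= option, so confirm that msg_info neutralises control characters before the announced TLS fields are added; that is not visible in this hunk. mail_open_stream starts outside the hunk.

```c
#ifdef USE_SASL_AUTH
#define SASL_LOG_ARGS(state) \
	PRINT2_OR_NULL((state)->sasl_method, \
		       ", sasl_method=", (state)->sasl_method), \
	PRINT2_OR_NULL((state)->sasl_username, \
		       ", sasl_username=", (state)->sasl_username), \
	PRINT2_OR_NULL((state)->sasl_sender, \
		       ", sasl_sender=", (state)->sasl_sender)
#else
#define SASL_LOG_ARGS(state)	"", "", "", "", "", ""
#endif

    msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
	     (state->queue_id ? state->queue_id : "NOQUEUE"),
	     state->namaddr,
	     SASL_LOG_ARGS(state),
	     /* ... unchanged: TLS placeholder comment, orig_queue_id and orig_client pairs ... */
```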


@ -24,9 +24,6 @@
/* SMTPD_STATE *state; /* SMTPD_STATE *state;
/* const char *sender; /* const char *sender;
/* /*
/* void smtpd_sasl_mail_log(state)
/* SMTPD_STATE *state;
/*
/* void smtpd_sasl_mail_reset(state) /* void smtpd_sasl_mail_reset(state)
/* SMTPD_STATE *state; /* SMTPD_STATE *state;
/* /*
@ -64,9 +61,6 @@
/* option to the MAIL FROM command. The result is an error response /* option to the MAIL FROM command. The result is an error response
/* in case of problems. /* in case of problems.
/* /*
/* smtpd_sasl_mail_log() logs SASL-specific information after
/* processing the MAIL FROM command.
/*
/* smtpd_sasl_mail_reset() performs cleanup for the SASL-specific /* smtpd_sasl_mail_reset() performs cleanup for the SASL-specific
/* AUTH=sender option to the MAIL FROM command. /* AUTH=sender option to the MAIL FROM command.
/* /*
@ -253,34 +247,6 @@ char *smtpd_sasl_mail_opt(SMTPD_STATE *state, const char *addr)
return (0); return (0);
} }
/* smtpd_sasl_mail_log - SASL-specific MAIL FROM logging */
void smtpd_sasl_mail_log(SMTPD_STATE *state)
{
/*
* See also: smtpd.c, for a shorter client= logfile record.
*/
#define PRINT_OR_NULL(cond, str) \
((cond) ? (str) : "")
#define PRINT2_OR_NULL(cond, name, value) \
PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
(state->queue_id ? state->queue_id : "NOQUEUE"),
state->namaddr,
PRINT2_OR_NULL(state->sasl_method,
", sasl_method=", state->sasl_method),
PRINT2_OR_NULL(state->sasl_username,
", sasl_username=", state->sasl_username),
PRINT2_OR_NULL(state->sasl_sender,
", sasl_sender=", state->sasl_sender),
PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
", orig_queue_id=", FORWARD_IDENT(state)),
PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
", orig_client=", FORWARD_NAMADDR(state)));
}
/* smtpd_sasl_mail_reset - SASL-specific MAIL FROM cleanup */ /* smtpd_sasl_mail_reset - SASL-specific MAIL FROM cleanup */
void smtpd_sasl_mail_reset(SMTPD_STATE *state) void smtpd_sasl_mail_reset(SMTPD_STATE *state)


@ -14,7 +14,6 @@
extern int smtpd_sasl_auth_cmd(SMTPD_STATE *, int, SMTPD_TOKEN *); extern int smtpd_sasl_auth_cmd(SMTPD_STATE *, int, SMTPD_TOKEN *);
extern void smtpd_sasl_auth_reset(SMTPD_STATE *); extern void smtpd_sasl_auth_reset(SMTPD_STATE *);
extern char *smtpd_sasl_mail_opt(SMTPD_STATE *, const char *); extern char *smtpd_sasl_mail_opt(SMTPD_STATE *, const char *);
extern void smtpd_sasl_mail_log(SMTPD_STATE *);
extern void smtpd_sasl_mail_reset(SMTPD_STATE *); extern void smtpd_sasl_mail_reset(SMTPD_STATE *);
#define smtpd_sasl_auth_extern smtpd_sasl_login #define smtpd_sasl_auth_extern smtpd_sasl_login


@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
*/ */
if (log_mask & TLS_LOG_SUMMARY) if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s " msg_info("%s TLS connection established to %s: %s with cipher %s "
"(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" : "(%d/%d bits)",
!TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" :
TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name, props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits); TLScontext->cipher_usebits, TLScontext->cipher_algbits);
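Review bot: The ternary chain that selects the label depends on evaluation order, with `!TLS_CERT_IS_PRESENT(TLScontext)` tested before MATCHED and TRUSTED, and nothing in the hunk records that or what each label promises to someone reading the log. I would add above the msg_info call a comment along the lines of `/* Anonymous: no peer certificate was presented, so the peer is presumably unauthenticated; test this before MATCHED/TRUSTED. */`. Sessions that were previously logged as "Untrusted" for lack of a certificate now appear as "Anonymous", so log monitoring that keys on the old string to find unauthenticated TLS sessions should match both labels. tls_client_start begins and ends outside the hunk.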