diff --git a/postfix/HISTORY b/postfix/HISTORY
index 1ea43b766..b93c5e051 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -27529,8 +27529,8 @@ Apologies for any names omitted.
Bugfix (defect introduced: Postfix 2.3, date 20051222): the
Dovecot auth client did not reset the 'reason' from a
previous Dovecot auth service response, before parsing the
- next Dovecot auth server response. Reported by Stephan
- Bosch, File: xsasl/xsasl_dovecot_server.c.
+ next Dovecot auth server response in the same SMTP session.
+ Reported by Stephan Bosch, File: xsasl/xsasl_dovecot_server.c.
20231105
@@ -27553,3 +27553,53 @@ Apologies for any names omitted.
Robustness: don't loop on an 'unfinished' queue file that
still has its all-zero SIZE record. File: postcat/postcat.c.
+
+20231126
+
+ Cleanup: implementation and documentation for the selection
+ of SMTP versus LMTP client protocol and parameters, based
+ on process name. Files: smtp/smtp.c, global/mail_proto.h,
+ proto/postconf.proto.
+
+ Cleanup: documented (in proxymap source code) the complexities
+ of determining the optimal proxywrite service process limit,
+ and make the 'invalid' proxymap service name error message
+ more similar to the error message for an invalid SMTP/LMTP
+ client process name. File: proxymap/proxymap.c.
+
+20231127
+
+ Documentation: in the stock main.cf file, mailbox_command
+ uses $default_privs, not $default_user. Vijay Sarvepalli,
+ Cert/CC. File: conf/main.cf.
+
+20231202
+
+ Bugfix: posttls-finger certificate match expectations for
+ opportunistic DANE incorrectly defaulted to ("nexthop",
+ "hostname") instead of ("nexthop", "dot-nexthop"), when no
+ TLSA records were found. Viktor Dukhovni. File: posttls-finger.c.
+
+20231204
+
+ Documentation: updated comments on address validation in
+ smtpd_check.c, making them consistent with the implementation.
+ File: smtpd/smtpd_check.c.
+
+20231208
+
+ Bugfix (defect introduced: Postfix 3.1, date: 20151128):
+ "postqueue -j" produced broken JSON when escaping a control
+ character as \uXXXX. Found during code maintenance. File:
+ postqueue/showq_json.c.
+
+20231209
+
+ Feature: the local(8) delivery agent exports an ENVID
+ environment variable with the RFC 3461 envelope ID if
+ available. Files: local/command.c, local/local.c,
+ proto/postconf.proto.
+
+ Feature: the pipe(8) delivery agent supports an ${envid}
+ command-line attribute that expands to the RFC 3461 envelope
+ ID if available. File: pipe/pipe.c.
diff --git a/postfix/WISHLIST b/postfix/WISHLIST
index 0b5209c43..47d4b7491 100644
--- a/postfix/WISHLIST
+++ b/postfix/WISHLIST
@@ -8,10 +8,10 @@ Wish list:
postfix-install should mention makedefs.out.
- Propagate information about parsed daemon command-line
- options to service callback functions. With this, a proxywrite
- server can enforce a process limit of 1 without duplicating
- libmaster's command-line parsing code.
+ In documentation and configuration file examples, replace
+ IPv4 address prefixes from Cloud9 with 192.168.* from RFC
+ 1918, and replace IPv6 address prefixes with unique local
+ IPv6 address prefixes fd00:* from RFC 4193.
Add a pre-release check for '.' instead of ','. Generalize
from grep '[a-zA-Z0-9]\. *[a-z]' proto/*|egrep -v
diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf
index 43c7956eb..2f4eba9ed 100644
--- a/postfix/conf/main.cf
+++ b/postfix/conf/main.cf
@@ -452,7 +452,7 @@ unknown_local_recipient_reject_code = 550
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery. The command is run as
# the recipient with proper HOME, SHELL and LOGNAME environment settings.
-# Exception: delivery for root is done as $default_user.
+# Exception: delivery for root is done as $default_privs.
#
# Other environment variables of interest: USER (recipient username),
# EXTENSION (address extension), DOMAIN (domain part of address),
diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html
index 0aa736afd..84e8b5cdb 100644
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@@ -5,20 +5,24 @@
Postfix manual - smtp(8)
-SMTP(8) SMTP(8)
+SMTP,(LMTP) SMTP,(LMTP)
NAME
- smtp - Postfix SMTP+LMTP client
+ smtp, lmtp - Postfix SMTP+LMTP client
SYNOPSISsmtp [generic Postfix daemon options] [flags=DORX]
+ lmtp [generic Postfix daemon options] [flags=DORX]
+
DESCRIPTION
The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery
protocols. It processes message delivery requests from the queue man-
ager. Each request specifies a queue file, a sender address, a domain
or host to deliver to, and recipient information. This program expects
- to be run from the master(8) process manager.
+ to be run from the master(8) process manager. The process name, smtp or
+ lmtp, controls the protocol, and the names of the configuration parame-
+ ters that will be used.
The SMTP+LMTP client updates the queue file and marks recipients as
finished, or it informs the queue manager that delivery should be tried
@@ -180,20 +184,19 @@ SMTP(8) SMTP(8)
for all destinations that map onto the same IP address and TCP port.
CONFIGURATION PARAMETERS
- Before Postfix version 2.3, the LMTP client is a separate program that
- implements only a subset of the functionality available with SMTP:
- there is no support for TLS, and connections are cached in-process,
- making it ineffective when the client is used for multiple domains.
+ Postfix versions 2.3 and later implement the SMTP and LMTP client with
+ the same program, and choose the protocol and configuration parameters
+ based on the process name, smtp or lmtp.
Most smtp_xxx configuration parameters have an lmtp_xxx "mirror" param-
- eter for the equivalent LMTP feature. This document describes only
+ eter for the equivalent LMTP feature. This document describes only
those LMTP-related parameters that aren't simply "mirror" parameters.
- Changes to main.cf are picked up automatically, as smtp(8) processes
+ Changes to main.cf are picked up automatically, as smtp(8) processes
run for only a limited amount of time. Use the command "postfix reload"
to speed up a change.
- The text below provides only a parameter summary. See postconf(5) for
+ The text below provides only a parameter summary. See postconf(5) for
more details including examples.
COMPATIBILITY CONTROLS
@@ -214,8 +217,8 @@ SMTP(8) SMTP(8)
will send via SMTP.
smtp_pix_workaround_delay_time (10s)
- How long the Postfix SMTP client pauses before sending
- ".<CR><LF>" in order to work around the PIX firewall
+ How long the Postfix SMTP client pauses before sending
+ ".<CR><LF>" in order to work around the PIX firewall
"<CR><LF>.<CR><LF>" bug.
smtp_pix_workaround_threshold_time (500s)
@@ -224,19 +227,19 @@ SMTP(8) SMTP(8)
delivery through firewalls with "smtp fixup" mode turned on.
smtp_pix_workarounds (disable_esmtp, delay_dotcrlf)
- A list that specifies zero or more workarounds for CISCO PIX
+ A list that specifies zero or more workarounds for CISCO PIX
firewall bugs.
smtp_pix_workaround_maps (empty)
- Lookup tables, indexed by the remote SMTP server address, with
+ Lookup tables, indexed by the remote SMTP server address, with
per-destination workarounds for CISCO PIX firewall bugs.
smtp_quote_rfc821_envelope (yes)
- Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO
+ Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO
commands as required by RFC 5321.
smtp_reply_filter (empty)
- A mechanism to transform replies from remote SMTP servers one
+ A mechanism to transform replies from remote SMTP servers one
line at a time.
smtp_skip_5xx_greeting (yes)
@@ -248,68 +251,68 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.0 and earlier:
smtp_skip_4xx_greeting (yes)
- Skip SMTP servers that greet with a 4XX status code (go away,
+ Skip SMTP servers that greet with a 4XX status code (go away,
try again later).
Available in Postfix version 2.2 and later:
smtp_discard_ehlo_keyword_address_maps (empty)
- Lookup tables, indexed by the remote SMTP server address, with
- case insensitive lists of EHLO keywords (pipelining, starttls,
+ Lookup tables, indexed by the remote SMTP server address, with
+ case insensitive lists of EHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix SMTP client will ignore in the EHLO
response from a remote SMTP server.
smtp_discard_ehlo_keywords (empty)
- A case insensitive list of EHLO keywords (pipelining, starttls,
+ A case insensitive list of EHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix SMTP client will ignore in the EHLO
response from a remote SMTP server.
smtp_generic_maps (empty)
- Optional lookup tables that perform address rewriting in the
- Postfix SMTP client, typically to transform a locally valid
- address into a globally valid address when sending mail across
+ Optional lookup tables that perform address rewriting in the
+ Postfix SMTP client, typically to transform a locally valid
+ address into a globally valid address when sending mail across
the Internet.
Available in Postfix version 2.2.9 and later:
smtp_cname_overrides_servername (version dependent)
- When the remote SMTP servername is a DNS CNAME, replace the
- servername with the result from CNAME expansion for the purpose
- of logging, SASL password lookup, TLS policy decisions, or TLS
+ When the remote SMTP servername is a DNS CNAME, replace the
+ servername with the result from CNAME expansion for the purpose
+ of logging, SASL password lookup, TLS policy decisions, or TLS
certificate verification.
Available in Postfix version 2.3 and later:
lmtp_discard_lhlo_keyword_address_maps (empty)
- Lookup tables, indexed by the remote LMTP server address, with
- case insensitive lists of LHLO keywords (pipelining, starttls,
+ Lookup tables, indexed by the remote LMTP server address, with
+ case insensitive lists of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server.
lmtp_discard_lhlo_keywords (empty)
- A case insensitive list of LHLO keywords (pipelining, starttls,
+ A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the Postfix LMTP client will ignore in the LHLO
response from a remote LMTP server.
Available in Postfix version 2.4.4 and later:
send_cyrus_sasl_authzid (no)
- When authenticating to a remote SMTP or LMTP server with the
- default setting "no", send no SASL authoriZation ID (authzid);
- send only the SASL authentiCation ID (authcid) plus the auth-
+ When authenticating to a remote SMTP or LMTP server with the
+ default setting "no", send no SASL authoriZation ID (authzid);
+ send only the SASL authentiCation ID (authcid) plus the auth-
cid's password.
Available in Postfix version 2.5 and later:
smtp_header_checks (empty)
- Restricted header_checks(5) tables for the Postfix SMTP client.
+ Restricted header_checks(5) tables for the Postfix SMTP client.
smtp_mime_header_checks (empty)
- Restricted mime_header_checks(5) tables for the Postfix SMTP
+ Restricted mime_header_checks(5) tables for the Postfix SMTP
client.
smtp_nested_header_checks (empty)
- Restricted nested_header_checks(5) tables for the Postfix SMTP
+ Restricted nested_header_checks(5) tables for the Postfix SMTP
client.
smtp_body_checks (empty)
@@ -318,7 +321,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.6 and later:
tcp_windowsize (0)
- An optional workaround for routers that break TCP window scal-
+ An optional workaround for routers that break TCP window scal-
ing.
Available in Postfix version 2.8 and later:
@@ -329,16 +332,16 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.9 - 3.6:
smtp_per_record_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.9 and later:
smtp_send_dummy_mail_auth (no)
- Whether or not to append the "AUTH=<>" option to the MAIL FROM
+ Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
Available in Postfix version 2.11 and later:
@@ -349,7 +352,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.0 and later:
smtp_delivery_status_filter ($default_delivery_status_filter)
- Optional filter for the smtp(8) delivery agent to change the
+ Optional filter for the smtp(8) delivery agent to change the
delivery status code or explanatory text of successful or unsuc-
cessful deliveries.
@@ -359,38 +362,38 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.3 and later:
smtp_balance_inet_protocols (yes)
- When a remote destination resolves to a combination of IPv4 and
+ When a remote destination resolves to a combination of IPv4 and
IPv6 addresses, ensure that the Postfix SMTP client can try both
address types before it runs into the smtp_mx_address_limit.
Available in Postfix 3.5 and later:
info_log_address_format (external)
- The email address form that will be used in non-debug logging
+ The email address form that will be used in non-debug logging
(info, warning, etc.).
Available in Postfix 3.6 and later:
dnssec_probe (ns:.)
- The DNS query type (default: "ns") and DNS query name (default:
+ The DNS query type (default: "ns") and DNS query name (default:
".") that Postfix may use to determine whether DNSSEC validation
is available.
- known_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submis-
+ known_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submis-sion=587)
- Optional setting that avoids lookups in the services(5) data-
+ Optional setting that avoids lookups in the services(5) data-
base.
Available in Postfix version 3.7 and later:
smtp_per_request_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per plaintext or TLS read or write call, to a com-
- bined time limit for sending a complete SMTP request and for
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per plaintext or TLS read or write call, to a com-
+ bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response.
smtp_min_data_rate (500)
- The minimum plaintext data transfer rate in bytes/second for
+ The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with
smtp_per_request_deadline.
@@ -400,16 +403,16 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.8 and later:
use_srv_lookup (empty)
- Enables discovery for the specified service(s) using DNS SRV
+ Enables discovery for the specified service(s) using DNS SRV
records.
ignore_srv_lookup_error (no)
- When SRV record lookup fails, fall back to MX or IP address
+ When SRV record lookup fails, fall back to MX or IP address
lookup as if SRV record lookup was not enabled.
allow_srv_lookup_fallback (no)
- When SRV record lookup fails or no SRV record exists, fall back
- to MX or IP address lookup as if SRV record lookup was not
+ When SRV record lookup fails or no SRV record exists, fall back
+ to MX or IP address lookup as if SRV record lookup was not
enabled.
MIME PROCESSING CONTROLS
@@ -428,7 +431,7 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
smtp_send_xforward_command (no)
- Send the non-standard XFORWARD command when the Postfix SMTP
+ Send the non-standard XFORWARD command when the Postfix SMTP
server EHLO response announces XFORWARD support.
SASL AUTHENTICATION CONTROLS
@@ -436,88 +439,88 @@ SMTP(8) SMTP(8)
Enable SASL authentication in the Postfix SMTP client.
smtp_sasl_password_maps (empty)
- Optional Postfix SMTP client lookup tables with one user-
- name:password entry per sender, remote hostname or next-hop
+ Optional Postfix SMTP client lookup tables with one user-
+ name:password entry per sender, remote hostname or next-hop
domain.
smtp_sasl_security_options (noplaintext, noanonymous)
Postfix SMTP client SASL security options; as of Postfix 2.3 the
- list of available features depends on the SASL client implemen-
+ list of available features depends on the SASL client implemen-
tation that is selected with smtp_sasl_type.
Available in Postfix version 2.2 and later:
smtp_sasl_mechanism_filter (empty)
- If non-empty, a Postfix SMTP client filter for the remote SMTP
+ If non-empty, a Postfix SMTP client filter for the remote SMTP
server's list of offered SASL mechanisms.
Available in Postfix version 2.3 and later:
smtp_sender_dependent_authentication (no)
Enable sender-dependent authentication in the Postfix SMTP
- client; this is available only with SASL authentication, and
- disables SMTP connection caching to ensure that mail from dif-
+ client; this is available only with SASL authentication, and
+ disables SMTP connection caching to ensure that mail from dif-
ferent senders will use the appropriate credentials.
smtp_sasl_path (empty)
Implementation-specific information that the Postfix SMTP client
- passes through to the SASL plug-in implementation that is
+ passes through to the SASL plug-in implementation that is
selected with smtp_sasl_type.
smtp_sasl_type (cyrus)
- The SASL plug-in type that the Postfix SMTP client should use
+ The SASL plug-in type that the Postfix SMTP client should use
for authentication.
Available in Postfix version 2.5 and later:
smtp_sasl_auth_cache_name (empty)
- An optional table to prevent repeated SASL authentication fail-
- ures with the same remote SMTP server hostname, username and
+ An optional table to prevent repeated SASL authentication fail-
+ ures with the same remote SMTP server hostname, username and
password.
smtp_sasl_auth_cache_time (90d)
- The maximal age of an smtp_sasl_auth_cache_name entry before it
+ The maximal age of an smtp_sasl_auth_cache_name entry before it
is removed.
smtp_sasl_auth_soft_bounce (yes)
- When a remote SMTP server rejects a SASL authentication request
- with a 535 reply code, defer mail delivery instead of returning
+ When a remote SMTP server rejects a SASL authentication request
+ with a 535 reply code, defer mail delivery instead of returning
mail as undeliverable.
Available in Postfix version 2.9 and later:
smtp_send_dummy_mail_auth (no)
- Whether or not to append the "AUTH=<>" option to the MAIL FROM
+ Whether or not to append the "AUTH=<>" option to the MAIL FROM
command in SASL-authenticated SMTP sessions.
Available in Postfix version 3.9 and later:
smtp_sasl_password_result_delimiter (:)
- The delimiter between username and password in sasl_passwd_maps
+ The delimiter between username and password in sasl_passwd_maps
lookup results.
STARTTLS SUPPORT CONTROLS
- Detailed information about STARTTLS configuration may be found in the
+ Detailed information about STARTTLS configuration may be found in the
TLS_README document.
smtp_tls_security_level (empty)
The default SMTP TLS security level for the Postfix SMTP client.
smtp_sasl_tls_security_options ($smtp_sasl_security_options)
- The SASL authentication security options that the Postfix SMTP
+ The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.
smtp_starttls_timeout (300s)
- Time limit for Postfix SMTP client write and read operations
+ Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures.
smtp_tls_CAfile (empty)
- A file containing CA certificates of root CAs trusted to sign
- either remote SMTP server certificates or intermediate CA cer-
+ A file containing CA certificates of root CAs trusted to sign
+ either remote SMTP server certificates or intermediate CA cer-
tificates.
smtp_tls_CApath (empty)
- Directory with PEM format Certification Authority certificates
+ Directory with PEM format Certification Authority certificates
that the Postfix SMTP client uses to verify a remote SMTP server
certificate.
@@ -525,7 +528,7 @@ SMTP(8) SMTP(8)
File with the Postfix SMTP client RSA certificate in PEM format.
smtp_tls_mandatory_ciphers (medium)
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with mandatory TLS encryption.
smtp_tls_exclude_ciphers (empty)
@@ -533,8 +536,8 @@ SMTP(8) SMTP(8)
client cipher list at all TLS security levels.
smtp_tls_mandatory_exclude_ciphers (empty)
- Additional list of ciphers or cipher types to exclude from the
- Postfix SMTP client cipher list at mandatory TLS security lev-
+ Additional list of ciphers or cipher types to exclude from the
+ Postfix SMTP client cipher list at mandatory TLS security lev-
els.
smtp_tls_dcert_file (empty)
@@ -550,7 +553,7 @@ SMTP(8) SMTP(8)
Enable additional Postfix SMTP client logging of TLS activity.
smtp_tls_note_starttls_offer (no)
- Log the hostname of a remote SMTP server that offers STARTTLS,
+ Log the hostname of a remote SMTP server that offers STARTTLS,
when TLS is not already enabled for that server.
smtp_tls_policy_maps (empty)
@@ -559,14 +562,14 @@ SMTP(8) SMTP(8)
fied, this overrides the obsolete smtp_tls_per_site parameter.
smtp_tls_mandatory_protocols (see 'postconf -d' output)
- TLS protocols that the Postfix SMTP client will use with manda-
+ TLS protocols that the Postfix SMTP client will use with manda-
tory TLS encryption.
smtp_tls_scert_verifydepth (9)
The verification depth for remote SMTP server certificates.
smtp_tls_secure_cert_match (nexthop, dot-nexthop)
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "secure" TLS security level.
smtp_tls_session_cache_database (empty)
@@ -574,16 +577,16 @@ SMTP(8) SMTP(8)
session cache.
smtp_tls_session_cache_timeout (3600s)
- The expiration time of Postfix SMTP client TLS session cache
+ The expiration time of Postfix SMTP client TLS session cache
information.
smtp_tls_verify_cert_match (hostname)
- How the Postfix SMTP client verifies the server certificate
+ How the Postfix SMTP client verifies the server certificate
peername for the "verify" TLS security level.
tls_daemon_random_bytes (32)
- The number of pseudo-random bytes that an smtp(8) or smtpd(8)
- process requests from the tlsmgr(8) server in order to seed its
+ The number of pseudo-random bytes that an smtp(8) or smtpd(8)
+ process requests from the tlsmgr(8) server in order to seed its
internal pseudo random number generator (PRNG).
tls_high_cipherlist (see 'postconf -d' output)
@@ -593,7 +596,7 @@ SMTP(8) SMTP(8)
The OpenSSL cipherlist for "medium" or higher grade ciphers.
tls_null_cipherlist (eNULL:!aNULL)
- The OpenSSL cipherlist for "NULL" grade ciphers that provide
+ The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption.
Available in in Postfix version 2.3..3.7:
@@ -608,45 +611,45 @@ SMTP(8) SMTP(8)
smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_secu-rity_options)
- The SASL authentication security options that the Postfix SMTP
- client uses for TLS encrypted SMTP sessions with a verified
+ The SASL authentication security options that the Postfix SMTP
+ client uses for TLS encrypted SMTP sessions with a verified
server certificate.
Available in Postfix version 2.5 and later:
smtp_tls_fingerprint_cert_match (empty)
- List of acceptable remote SMTP server certificate fingerprints
- for the "fingerprint" TLS security level (smtp_tls_secu-
+ List of acceptable remote SMTP server certificate fingerprints
+ for the "fingerprint" TLS security level (smtp_tls_secu-rity_level = fingerprint).
smtp_tls_fingerprint_digest (see 'postconf -d' output)
- The message digest algorithm used to construct remote SMTP
+ The message digest algorithm used to construct remote SMTP
server certificate fingerprints.
Available in Postfix version 2.6 and later:
smtp_tls_protocols (see 'postconf -d' output)
- TLS protocols that the Postfix SMTP client will use with oppor-
+ TLS protocols that the Postfix SMTP client will use with oppor-
tunistic TLS encryption.
smtp_tls_ciphers (medium)
- The minimum TLS cipher grade that the Postfix SMTP client will
+ The minimum TLS cipher grade that the Postfix SMTP client will
use with opportunistic TLS encryption.
smtp_tls_eccert_file (empty)
- File with the Postfix SMTP client ECDSA certificate in PEM for-
+ File with the Postfix SMTP client ECDSA certificate in PEM for-
mat.
smtp_tls_eckey_file ($smtp_tls_eccert_file)
- File with the Postfix SMTP client ECDSA private key in PEM for-
+ File with the Postfix SMTP client ECDSA private key in PEM for-
mat.
Available in Postfix version 2.7 and later:
smtp_tls_block_early_mail_reply (no)
- Try to detect a mail hijacking attack based on a TLS protocol
- vulnerability (CVE-2009-3555), where an attacker prepends mali-
- cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
+ Try to detect a mail hijacking attack based on a TLS protocol
+ vulnerability (CVE-2009-3555), where an attacker prepends mali-
+ cious HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client
TLS session.
Available in Postfix version 2.8 and later:
@@ -666,11 +669,11 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.11 and later:
smtp_tls_trust_anchor_file (empty)
- Zero or more PEM-format files with trust-anchor certificates
+ Zero or more PEM-format files with trust-anchor certificates
and/or public keys.
smtp_tls_force_insecure_host_tlsa_lookup (no)
- Lookup the associated DANE TLSA RRset even when a hostname is
+ Lookup the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone.
tlsmgr_service_name (tlsmgr)
@@ -679,14 +682,14 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.0 and later:
smtp_tls_wrappermode (no)
- Request that the Postfix SMTP client connects using the SUBMIS-
+ Request that the Postfix SMTP client connects using the SUBMIS-
SIONS/SMTPS protocol instead of using the STARTTLS command.
Available in Postfix version 3.1 and later:
smtp_tls_dane_insecure_mx_policy (see 'postconf -d' output)
- The TLS policy for MX hosts with "secure" TLSA records when the
- nexthop destination security level is dane, but the MX record
+ The TLS policy for MX hosts with "secure" TLSA records when the
+ nexthop destination security level is dane, but the MX record
was found via an "insecure" MX lookup.
Available in Postfix version 3.2 and later:
@@ -701,23 +704,23 @@ SMTP(8) SMTP(8)
Try to make multiple deliveries per TLS-encrypted connection.
smtp_tls_chain_files (empty)
- List of one or more PEM files, each holding one or more private
+ List of one or more PEM files, each holding one or more private
keys directly followed by a corresponding certificate chain.
smtp_tls_servername (empty)
- Optional name to send to the remote SMTP server in the TLS
+ Optional name to send to the remote SMTP server in the TLS
Server Name Indication (SNI) extension.
Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
tls_fast_shutdown_enable (yes)
- A workaround for implementations that hang Postfix while shut-
+ A workaround for implementations that hang Postfix while shut-
ting down a TLS session, until Postfix times out.
Available in Postfix version 3.8 and later:
tls_ffdhe_auto_groups (see 'postconf -d' output)
- The prioritized list of finite-field Diffie-Hellman ephemeral
+ The prioritized list of finite-field Diffie-Hellman ephemeral
(FFDHE) key exchange groups supported by the Postfix SMTP client
and server.
@@ -727,50 +730,50 @@ SMTP(8) SMTP(8)
Optional configuration file with baseline OpenSSL settings.
tls_config_name (empty)
- The application name passed by Postfix to OpenSSL library ini-
+ The application name passed by Postfix to OpenSSL library ini-
tialization functions.
Available in Postfix version 3.9 and later:
smtp_tls_enable_rpk (no)
- Request that remote SMTP servers send an RFC7250 raw public key
+ Request that remote SMTP servers send an RFC7250 raw public key
instead of an X.509 certificate.
OBSOLETE STARTTLS CONTROLS
- The following configuration parameters exist for compatibility with
- Postfix versions before 2.3. Support for these will be removed in a
+ The following configuration parameters exist for compatibility with
+ Postfix versions before 2.3. Support for these will be removed in a
future release.
smtp_use_tls (no)
- Opportunistic mode: use TLS when a remote SMTP server announces
+ Opportunistic mode: use TLS when a remote SMTP server announces
STARTTLS support, otherwise send the mail in the clear.
smtp_enforce_tls (no)
- Enforcement mode: require that remote SMTP servers use TLS
+ Enforcement mode: require that remote SMTP servers use TLS
encryption, and never send mail in the clear.
smtp_tls_enforce_peername (yes)
- With mandatory TLS encryption, require that the remote SMTP
- server hostname matches the information in the remote SMTP
+ With mandatory TLS encryption, require that the remote SMTP
+ server hostname matches the information in the remote SMTP
server certificate.
smtp_tls_per_site (empty)
- Optional lookup tables with the Postfix SMTP client TLS usage
- policy by next-hop destination and by remote SMTP server host-
+ Optional lookup tables with the Postfix SMTP client TLS usage
+ policy by next-hop destination and by remote SMTP server host-
name.
smtp_tls_cipherlist (empty)
- Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
+ Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS
cipher list.
RESOURCE AND RATE CONTROLSsmtp_connect_timeout (30s)
- The Postfix SMTP client time limit for completing a TCP connec-
+ The Postfix SMTP client time limit for completing a TCP connec-
tion, or zero (use the operating system built-in time limit).
smtp_helo_timeout (300s)
- The Postfix SMTP client time limit for sending the HELO or EHLO
- command, and for receiving the initial remote SMTP server
+ The Postfix SMTP client time limit for sending the HELO or EHLO
+ command, and for receiving the initial remote SMTP server
response.
lmtp_lhlo_timeout (300s)
@@ -782,19 +785,19 @@ SMTP(8) SMTP(8)
mand, and for receiving the remote SMTP server response.
smtp_mail_timeout (300s)
- The Postfix SMTP client time limit for sending the MAIL FROM
+ The Postfix SMTP client time limit for sending the MAIL FROM
command, and for receiving the remote SMTP server response.
smtp_rcpt_timeout (300s)
- The Postfix SMTP client time limit for sending the SMTP RCPT TO
+ The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
smtp_data_init_timeout (120s)
- The Postfix SMTP client time limit for sending the SMTP DATA
+ The Postfix SMTP client time limit for sending the SMTP DATA
command, and for receiving the remote SMTP server response.
smtp_data_xfer_timeout (180s)
- The Postfix SMTP client time limit for sending the SMTP message
+ The Postfix SMTP client time limit for sending the SMTP message
content.
smtp_data_done_timeout (600s)
@@ -808,13 +811,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.1 and later:
smtp_mx_address_limit (5)
- The maximal number of MX (mail exchanger) IP addresses that can
- result from Postfix SMTP client mail exchanger lookups, or zero
+ The maximal number of MX (mail exchanger) IP addresses that can
+ result from Postfix SMTP client mail exchanger lookups, or zero
(no limit).
smtp_mx_session_limit (2)
- The maximal number of SMTP sessions per delivery request before
- the Postfix SMTP client gives up or delivers to a fall-back
+ The maximal number of SMTP sessions per delivery request before
+ the Postfix SMTP client gives up or delivers to a fall-back
relay host, or zero (no limit).
smtp_rset_timeout (20s)
@@ -824,17 +827,17 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.2 and earlier:
lmtp_cache_connection (yes)
- Keep Postfix LMTP client connections open for up to $max_idle
+ Keep Postfix LMTP client connections open for up to $max_idle
seconds.
Available in Postfix version 2.2 and later:
smtp_connection_cache_destinations (empty)
- Permanently enable SMTP connection caching for the specified
+ Permanently enable SMTP connection caching for the specified
destinations.
smtp_connection_cache_on_demand (yes)
- Temporarily enable SMTP connection caching while a destination
+ Temporarily enable SMTP connection caching while a destination
has a high volume of mail in the active queue.
smtp_connection_reuse_time_limit (300s)
@@ -848,23 +851,23 @@ SMTP(8) SMTP(8)
Available in Postfix version 2.3 and later:
connection_cache_protocol_timeout (5s)
- Time limit for connection cache connect, send or receive opera-
+ Time limit for connection cache connect, send or receive opera-
tions.
Available in Postfix version 2.9 - 3.6:
smtp_per_record_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per read or write system call, to a time limit to
- send or receive a complete record (an SMTP command line, SMTP
- response line, SMTP message content line, or TLS protocol mes-
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per read or write system call, to a time limit to
+ send or receive a complete record (an SMTP command line, SMTP
+ response line, SMTP message content line, or TLS protocol mes-
sage).
Available in Postfix version 2.11 and later:
smtp_connection_reuse_count_limit (0)
- When SMTP connection caching is enabled, the number of times
- that an SMTP session may be reused before it is closed, or zero
+ When SMTP connection caching is enabled, the number of times
+ that an SMTP session may be reused before it is closed, or zero
(no limit).
Available in Postfix version 3.4 and later:
@@ -875,13 +878,13 @@ SMTP(8) SMTP(8)
Available in Postfix version 3.7 and later:
smtp_per_request_deadline (no)
- Change the behavior of the smtp_*_timeout time limits, from a
- time limit per plaintext or TLS read or write call, to a com-
- bined time limit for sending a complete SMTP request and for
+ Change the behavior of the smtp_*_timeout time limits, from a
+ time limit per plaintext or TLS read or write call, to a com-
+ bined time limit for sending a complete SMTP request and for
receiving a complete SMTP response.
smtp_min_data_rate (500)
- The minimum plaintext data transfer rate in bytes/second for
+ The minimum plaintext data transfer rate in bytes/second for
DATA requests, when deadlines are enabled with
smtp_per_request_deadline.
@@ -889,54 +892,54 @@ SMTP(8) SMTP(8)
transport_destination_concurrency_limit ($default_destination_concur-rency_limit)
- A transport-specific override for the default_destination_con-
+ A transport-specific override for the default_destination_con-
currency_limit parameter value, where transport is the master.cf
name of the message delivery transport.
transport_destination_recipient_limit ($default_destination_recipi-ent_limit)
A transport-specific override for the default_destination_recip-
- ient_limit parameter value, where transport is the master.cf
+ ient_limit parameter value, where transport is the master.cf
name of the message delivery transport.
SMTPUTF8 CONTROLS
Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
smtputf8_enable (yes)
- Enable preliminary SMTPUTF8 support for the protocols described
+ Enable preliminary SMTPUTF8 support for the protocols described
in RFC 6531, RFC 6532, and RFC 6533.
smtputf8_autodetect_classes (sendmail, verify)
- Detect that a message requires SMTPUTF8 support for the speci-
+ Detect that a message requires SMTPUTF8 support for the speci-
fied mail origin classes.
Available in Postfix version 3.2 and later:
enable_idna2003_compatibility (no)
- Enable 'transitional' compatibility between IDNA2003 and
- IDNA2008, when converting UTF-8 domain names to/from the ASCII
+ Enable 'transitional' compatibility between IDNA2003 and
+ IDNA2008, when converting UTF-8 domain names to/from the ASCII
form that is used for DNS lookups.
TROUBLE SHOOTING CONTROLSdebug_peer_level (2)
- The increment in verbose logging level when a nexthop destina-
- tion, remote client or server name or network address matches a
+ The increment in verbose logging level when a nexthop destina-
+ tion, remote client or server name or network address matches a
pattern given with the debug_peer_list parameter.
debug_peer_list (empty)
- Optional list of nexthop destination, remote client or server
- name or network address patterns that, if matched, cause the
- verbose logging level to increase by the amount specified in
+ Optional list of nexthop destination, remote client or server
+ name or network address patterns that, if matched, cause the
+ verbose logging level to increase by the amount specified in
$debug_peer_level.
error_notice_recipient (postmaster)
- The recipient of postmaster notifications about mail delivery
+ The recipient of postmaster notifications about mail delivery
problems that are caused by policy, resource, software or proto-
col errors.
internal_mail_filter_classes (empty)
- What categories of Postfix-generated mail are subject to
- before-queue content inspection by non_smtpd_milters,
+ What categories of Postfix-generated mail are subject to
+ before-queue content inspection by non_smtpd_milters,
header_checks and body_checks.
notify_classes (resource, software)
@@ -944,46 +947,46 @@ SMTP(8) SMTP(8)
MISCELLANEOUS CONTROLSbest_mx_transport (empty)
- Where the Postfix SMTP client should deliver mail when it
+ Where the Postfix SMTP client should deliver mail when it
detects a "mail loops back to myself" error condition.
config_directory (see 'postconf -d' output)
- The default location of the Postfix main.cf and master.cf con-
+ The default location of the Postfix main.cf and master.cf con-
figuration files.
daemon_timeout (18000s)
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
- The maximal number of digits after the decimal point when log-
+ The maximal number of digits after the decimal point when log-
ging sub-second delay values.
disable_dns_lookups (no)
Disable DNS lookups in the Postfix SMTP and LMTP clients.
inet_interfaces (all)
- The local network interface addresses that this mail system
+ The local network interface addresses that this mail system
receives mail on.
inet_protocols (see 'postconf -d' output)
- The Internet protocols Postfix will attempt to use when making
+ The Internet protocols Postfix will attempt to use when making
or accepting connections.
ipc_timeout (3600s)
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
lmtp_assume_final (no)
- When a remote LMTP server announces no DSN support, assume that
- the server performs final delivery, and send "delivered" deliv-
+ When a remote LMTP server announces no DSN support, assume that
+ the server performs final delivery, and send "delivered" deliv-
ery status notifications instead of "relayed".
lmtp_tcp_port (24)
The default TCP port that the Postfix LMTP client connects to.
max_idle (100s)
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
max_use (100)
@@ -997,21 +1000,21 @@ SMTP(8) SMTP(8)
The process name of a Postfix command or daemon process.
proxy_interfaces (empty)
- The remote network interface addresses that this mail system
- receives mail on by way of a proxy or network address transla-
+ The remote network interface addresses that this mail system
+ receives mail on by way of a proxy or network address transla-
tion unit.
smtp_address_preference (any)
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP
- client will try first, when a destination has IPv6 and IPv4
+ client will try first, when a destination has IPv6 and IPv4
addresses with equal MX preference.
smtp_bind_address (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv4 connection.
smtp_bind_address6 (empty)
- An optional numerical network address that the Postfix SMTP
+ An optional numerical network address that the Postfix SMTP
client should bind to when making an IPv6 connection.
smtp_helo_name ($myhostname)
@@ -1031,7 +1034,7 @@ SMTP(8) SMTP(8)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available with Postfix 2.2 and earlier:
@@ -1043,14 +1046,14 @@ SMTP(8) SMTP(8)
Available with Postfix 2.3 and later:
smtp_fallback_relay ($fallback_relay)
- Optional list of relay destinations that will be used when an
- SMTP destination is not found, or when delivery fails due to a
+ Optional list of relay destinations that will be used when an
+ SMTP destination is not found, or when delivery fails due to a
non-permanent error.
Available with Postfix 3.0 and later:
smtp_address_verify_target (rcpt)
- In the context of email address verification, the SMTP protocol
+ In the context of email address verification, the SMTP protocol
stage that determines whether an email address is deliverable.
Available with Postfix 3.1 and later:
@@ -1072,7 +1075,7 @@ SMTP(8) SMTP(8)
Available in Postfix 3.7 and later:
smtp_bind_address_enforce (no)
- Defer delivery when the Postfix SMTP client cannot apply the
+ Defer delivery when the Postfix SMTP client cannot apply the
smtp_bind_address or smtp_bind_address6 setting.
SEE ALSO
@@ -1131,5 +1134,5 @@ SMTP(8) SMTP(8)
Victor Duchovni
Morgan Stanley
- SMTP(8)
+ 8 SMTP,(LMTP)