diff --git a/postfix/HISTORY b/postfix/HISTORY index 821d64f63..6053f9524 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -15453,11 +15453,11 @@ Apologies for any names omitted. 20091023 - Feature: specify "smtp_command_maps = pcre:/file/name" to - replace incoming SMTP commands before they are executed by - the Postfix SMTP server. This a last-resort tool to fix bad - command syntax that Postfix would otherwise reject. See - examples in the postconf(5) manual page. File: smtpd/smtpd.c. + Feature: specify "smtp_command_filter = pcre:/file/name" + to replace remote SMTP client commands before they are + executed by the Postfix SMTP server. This a last-resort + tool to fix inter-operability problems. See examples in + the postconf(5) manual page. File: smtpd/smtpd.c. 20091026 @@ -15498,3 +15498,26 @@ Apologies for any names omitted. SMTP servers that reply to the malicious commands after negotiating the Postfix SMTP client TLS session. File: smtp/smtp_proto.c. + +20091113 + + Workaround: skip interfaces without netmask, to avoid + segfaults (reported by Dmitry Karasik). Don't supply a dummy + null netmask, as that would turn Postfix into an open relay + (mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c. + + Bugfix: forgot to flush output to the smtpd_proxy speed-adjust + buffer before truncating the file. Reported by Mark Martinec, + fix by Victor Duchovni. File: smtpd/smtpd_proxy.c. + +20091114 + + Feature: specify "smtp_reply_filter = pcre:/file/name" to + replace remote SMTP server reply lines before they are + parsed by the Postfix SMTP client. This a last-resort tool + to fix inter-operability problems. See examples in the + postconf(5) manual page. File: smtp/smtp_chat.c. + + Safety: don't send postmaster notifications to report + problems delivering (possible) postmaster notifications. + File: smtp/smtp_connect.c. diff --git a/postfix/WISHLIST b/postfix/WISHLIST index 89e3b8783..4371db943 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST 
@@ -2,6 +2,9 @@ Wish list: Remove this file from the stable release. + Move smtpd_command_filter into smtpd_chat_query() and update + the session transcript (see smtp_chat_reply() for an example). + Add smtpd_sender_login_maps to proxy_read_maps. SMTP connection caching without storing connections, to diff --git a/postfix/html/lmtp.8.html b/postfix/html/lmtp.8.html index 4114cf4b1..724ec30ed 100644 --- a/postfix/html/lmtp.8.html +++ b/postfix/html/lmtp.8.html @@ -196,12 +196,16 @@ SMTP(8) SMTP(8) Quote addresses in SMTP MAIL FROM and RCPT TO com- mands as required by RFC 2821. + smtp_reply_filter (empty) + A mechanism to transform replies from remote SMTP + servers one line at a time. + smtp_skip_5xx_greeting (yes) Skip SMTP servers that greet with a 5XX status code (go away, do not try again later). smtp_skip_quit_response (yes) - Do not wait for the response to the SMTP QUIT com- + Do not wait for the response to the SMTP QUIT com- mand. Available in Postfix version 2.0 and earlier: 
@@ -213,44 +217,44 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_discard_ehlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote SMTP server - address, with case insensitive lists of EHLO key- - words (pipelining, starttls, auth, etc.) that the - Postfix SMTP client will ignore in the EHLO + Lookup tables, indexed by the remote SMTP server + address, with case insensitive lists of EHLO key- + words (pipelining, starttls, auth, etc.) that the + Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. smtp_discard_ehlo_keywords (empty) - A case insensitive list of EHLO keywords (pipelin- - ing, starttls, auth, etc.) that the Postfix SMTP - client will ignore in the EHLO response from a + A case insensitive list of EHLO keywords (pipelin- + ing, starttls, auth, etc.) that the Postfix SMTP + client will ignore in the EHLO response from a remote SMTP server. smtp_generic_maps (empty) Optional lookup tables that perform address rewrit- - ing in the SMTP client, typically to transform a + ing in the SMTP client, typically to transform a locally valid address into a globally valid address when sending mail across the Internet. Available in Postfix version 2.2.9 and later: smtp_cname_overrides_servername (version dependent) - Allow DNS CNAME records to override the servername + Allow DNS CNAME records to override the servername that the Postfix SMTP client uses for logging, SASL - password lookup, TLS policy decisions, or TLS cer- + password lookup, TLS policy decisions, or TLS cer- tificate verification. Available in Postfix version 2.3 and later: lmtp_discard_lhlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote LMTP server - address, with case insensitive lists of LHLO key- - words (pipelining, starttls, auth, etc.) that the + Lookup tables, indexed by the remote LMTP server + address, with case insensitive lists of LHLO key- + words (pipelining, starttls, auth, etc.) 
that the LMTP client will ignore in the LHLO response from a remote LMTP server. lmtp_discard_lhlo_keywords (empty) - A case insensitive list of LHLO keywords (pipelin- - ing, starttls, auth, etc.) that the LMTP client + A case insensitive list of LHLO keywords (pipelin- + ing, starttls, auth, etc.) that the LMTP client will ignore in the LHLO response from a remote LMTP server. @@ -258,14 +262,14 @@ SMTP(8) SMTP(8) send_cyrus_sasl_authzid (no) When authenticating to a remote SMTP or LMTP server - with the default setting "no", send no SASL autho- + with the default setting "no", send no SASL autho- riZation ID (authzid); send only the SASL authenti- Cation ID (authcid) plus the authcid's password. Available in Postfix version 2.5 and later: smtp_header_checks (empty) - Restricted header_checks(5) tables for the Postfix + Restricted header_checks(5) tables for the Postfix SMTP client. smtp_mime_header_checks (empty) @@ -273,24 +277,24 @@ SMTP(8) SMTP(8) Postfix SMTP client. smtp_nested_header_checks (empty) - Restricted nested_header_checks(5) tables for the + Restricted nested_header_checks(5) tables for the Postfix SMTP client. smtp_body_checks (empty) - Restricted body_checks(5) tables for the Postfix + Restricted body_checks(5) tables for the Postfix SMTP client. Available in Postfix version 2.6 and later: tcp_windowsize (0) - An optional workaround for routers that break TCP + An optional workaround for routers that break TCP window scaling. MIME PROCESSING CONTROLS Available in Postfix version 2.0 and later: disable_mime_output_conversion (no) - Disable the conversion of 8BITMIME format to 7BIT + Disable the conversion of 8BITMIME format to 7BIT format. mime_boundary_length_limit (2048) 
@@ -305,108 +309,108 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_send_xforward_command (no) - Send the non-standard XFORWARD command when the - Postfix SMTP server EHLO response announces XFOR- + Send the non-standard XFORWARD command when the + Postfix SMTP server EHLO response announces XFOR- WARD support. SASL AUTHENTICATION CONTROLS smtp_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP client. smtp_sasl_password_maps (empty) - Optional SMTP client lookup tables with one user- - name:password entry per remote hostname or domain, + Optional SMTP client lookup tables with one user- + name:password entry per remote hostname or domain, or sender address when sender-dependent authentica- tion is enabled. smtp_sasl_security_options (noplaintext, noanonymous) - Postfix SMTP client SASL security options; as of - Postfix 2.3 the list of available features depends - on the SASL client implementation that is selected + Postfix SMTP client SASL security options; as of + Postfix 2.3 the list of available features depends + on the SASL client implementation that is selected with smtp_sasl_type. Available in Postfix version 2.2 and later: smtp_sasl_mechanism_filter (empty) - If non-empty, a Postfix SMTP client filter for the - remote SMTP server's list of offered SASL mecha- + If non-empty, a Postfix SMTP client filter for the + remote SMTP server's list of offered SASL mecha- nisms. Available in Postfix version 2.3 and later: smtp_sender_dependent_authentication (no) Enable sender-dependent authentication in the Post- - fix SMTP client; this is available only with SASL - authentication, and disables SMTP connection - caching to ensure that mail from different senders + fix SMTP client; this is available only with SASL + authentication, and disables SMTP connection + caching to ensure that mail from different senders will use the appropriate credentials. 
smtp_sasl_path (empty) - Implementation-specific information that the Post- - fix SMTP client passes through to the SASL plug-in - implementation that is selected with + Implementation-specific information that the Post- + fix SMTP client passes through to the SASL plug-in + implementation that is selected with smtp_sasl_type. smtp_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP client + The SASL plug-in type that the Postfix SMTP client should use for authentication. Available in Postfix version 2.5 and later: smtp_sasl_auth_cache_name (empty) - An optional table to prevent repeated SASL authen- - tication failures with the same remote SMTP server + An optional table to prevent repeated SASL authen- + tication failures with the same remote SMTP server hostname, username and password. smtp_sasl_auth_cache_time (90d) - The maximal age of an smtp_sasl_auth_cache_name + The maximal age of an smtp_sasl_auth_cache_name entry before it is removed. smtp_sasl_auth_soft_bounce (yes) - When a remote SMTP server rejects a SASL authenti- - cation request with a 535 reply code, defer mail - delivery instead of returning mail as undeliver- + When a remote SMTP server rejects a SASL authenti- + cation request with a 535 reply code, defer mail + delivery instead of returning mail as undeliver- able. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_tls_security_level (empty) The default SMTP TLS security level for the Postfix - SMTP client; when a non-empty value is specified, - this overrides the obsolete parameters + SMTP client; when a non-empty value is specified, + this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. 
smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - A file containing CA certificates of root CAs - trusted to sign either remote SMTP server certifi- + A file containing CA certificates of root CAs + trusted to sign either remote SMTP server certifi- cates or intermediate CA certificates. smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP + The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_exclude_ciphers (empty) 
@@ -415,43 +419,43 @@ SMTP(8) SMTP(8) levels. smtp_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to - exclude from the SMTP client cipher list at manda- + Additional list of ciphers or cipher types to + exclude from the SMTP client cipher list at manda- tory TLS security levels. smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_policy_maps (empty) Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a - non-empty value is specified, this overrides the + non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. smtp_tls_mandatory_protocols (SSLv3, TLSv1) - List of SSL/TLS protocols that the Postfix SMTP + List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_scert_verifydepth (9) - The verification depth for remote SMTP server cer- + The verification depth for remote SMTP server cer- tificates. smtp_tls_secure_cert_match (nexthop, dot-nexthop) 
@@ -459,7 +463,7 @@ SMTP(8) SMTP(8) for the "secure" TLS security level. smtp_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP client TLS session cache. smtp_tls_session_cache_timeout (3600s) @@ -471,9 +475,9 @@ SMTP(8) SMTP(8) for the "verify" TLS security level. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist @@ -485,7 +489,7 @@ SMTP(8) SMTP(8) ciphers. tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) 
@@ -493,38 +497,38 @@ SMTP(8) SMTP(8) ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.4 and later: smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions with a verified server certificate. Available in Postfix version 2.5 and later: smtp_tls_fingerprint_cert_match (empty) - List of acceptable remote SMTP server certificate - fingerprints for the "fingerprint" TLS security + List of acceptable remote SMTP server certificate + fingerprints for the "fingerprint" TLS security level (smtp_tls_security_level = fingerprint). smtp_tls_fingerprint_digest (md5) - The message digest algorithm used to construct + The message digest algorithm used to construct remote SMTP server certificate fingerprints. Available in Postfix version 2.6 and later: smtp_tls_protocols (!SSLv2) - List of TLS protocols that the Postfix SMTP client - will exclude or include with opportunistic TLS + List of TLS protocols that the Postfix SMTP client + will exclude or include with opportunistic TLS encryption. smtp_tls_ciphers (export) - The minimum TLS cipher grade that the Postfix SMTP - client will use with opportunistic TLS encryption. + The minimum TLS cipher grade that the Postfix SMTP + client will use with opportunistic TLS encryption. smtp_tls_eccert_file (empty) File with the Postfix SMTP client ECDSA certificate 
@@ -537,10 +541,10 @@ SMTP(8) SMTP(8) Available in Postfix version 2.7 and later: smtp_tls_block_early_mail_reply (no) - Try to detect a mail hijacking attack based on a - TLS protocol vulnerability (CVE-2009-3555), where - an attacker prepends malicious HELO/MAIL/RCPT/DATA - commands to a Postfix client TLS session. + Try to detect a mail hijacking attack based on a + TLS protocol vulnerability (CVE-2009-3555), where + an attacker prepends malicious HELO, MAIL, RCPT, + DATA commands to a Postfix SMTP client TLS session. OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compati- diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 637d2a58f..4a60338e0 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -3999,6 +3999,17 @@ The default time unit is s (seconds).
+ + +The LMTP-specific version of the smtp_reply_filter +configuration parameter. See there for details.
+ +This feature is available in Postfix 2.7 and later.
+ +This feature is available in Postfix 2.3 and later.
+ + +The LMTP-specific version of the smtp_tls_block_early_mail_reply +configuration parameter. See there for details.
+ +This feature is available in Postfix 2.7 and later.
+ +A mechanism to transform replies from remote SMTP servers one +line at a time. This is a last-resort tool to work around server +replies that break inter-operability with the Postfix SMTP client. +Other uses involve fault injection to test Postfix's handling of +invalid responses.
+ +Notes:
+ +In the case of a multi-line reply, the Postfix SMTP client +uses the last reply line's numerical SMTP reply code and enhanced +status code.
+ +The numerical SMTP reply code (XYZ) takes precedence over +the enhanced status code (X.Y.Z). When the enhanced status code +initial digit differs from the SMTP reply code initial digit, or +when no enhanced status code is present, the Postfix SMTP client +uses a generic enhanced status code (X.0.0) instead.
+ +Specify the name of a "type:table" lookup table. The search +string is a single SMTP reply line as received from the remote SMTP +server, except that the trailing <CR><LF> are removed.
+ +Examples:
+ ++/etc/postfix/main.cf: + smtp_reply_filter = pcre:/etc/postfix/command_filter ++ +
+/etc/postfix/reply_filter: + # Transform garbage into part of a multi-line reply. Note + # that the Postfix SMTP client uses only the last numerical + # SMTP reply code and enhanced status code from a multi-line + # reply, so it does not matter what we substitute here as + # long as it has the right syntax. + !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage ++ +
This feature is available in Postfix 2.7.
+ +Try to detect a mail hijacking attack based on a TLS protocol vulnerability (CVE-2009-3555), where an attacker prepends malicious -HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session. The -attack would succeed with non-Postfix SMTP servers that reply to -the malicious HELO/MAIL/RCPT/DATA commands after negotiating the -Postfix SMTP client TLS session.
+HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. +The attack would succeed with non-Postfix SMTP servers that reply +to the malicious HELO, MAIL, RCPT, DATA commands after negotiating +the Postfix SMTP client TLS session.This feature is available in Postfix 2.7.
@@ -11091,15 +11164,17 @@ Example:A mechanism to substitute incoming SMTP commands. This is a -last-resort tool to work around problems with clients that send -invalid command syntax that would otherwise be rejected by Postfix. +
A mechanism to transform commands from remote SMTP clients. +This is a last-resort tool to work around client commands that break +inter-operability with the Postfix SMTP server. Other uses involve +fault injection to test Postfix's handling of invalid commands.
Specify the name of a "type:table" lookup table. The search
-string is the SMTP command as received from the SMTP client, except
-that initial whitespace and the trailing
Examples:
@@ -11120,9 +11195,9 @@ result value is executed by the Postfix SMTP server.- # Work around clients that send RCPT TO:<'user@domain'>. + # Work around clients that send RCPT TO:<'user@domain'>. # WARNING: do not lose the parameters that follow the address. - /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/ RCPT TO:<$1>$2 + /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/ RCPT TO:<$1>$2
This feature is available in Postfix 2.7.
diff --git a/postfix/html/smtp.8.html b/postfix/html/smtp.8.html index 4114cf4b1..724ec30ed 100644 --- a/postfix/html/smtp.8.html +++ b/postfix/html/smtp.8.html @@ -196,12 +196,16 @@ SMTP(8) SMTP(8) Quote addresses in SMTP MAIL FROM and RCPT TO com- mands as required by RFC 2821. + smtp_reply_filter (empty) + A mechanism to transform replies from remote SMTP + servers one line at a time. + smtp_skip_5xx_greeting (yes) Skip SMTP servers that greet with a 5XX status code (go away, do not try again later). smtp_skip_quit_response (yes) - Do not wait for the response to the SMTP QUIT com- + Do not wait for the response to the SMTP QUIT com- mand. Available in Postfix version 2.0 and earlier: 
@@ -213,44 +217,44 @@ SMTP(8) SMTP(8) Available in Postfix version 2.2 and later: smtp_discard_ehlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote SMTP server - address, with case insensitive lists of EHLO key- - words (pipelining, starttls, auth, etc.) that the - Postfix SMTP client will ignore in the EHLO + Lookup tables, indexed by the remote SMTP server + address, with case insensitive lists of EHLO key- + words (pipelining, starttls, auth, etc.) that the + Postfix SMTP client will ignore in the EHLO response from a remote SMTP server. smtp_discard_ehlo_keywords (empty) - A case insensitive list of EHLO keywords (pipelin- - ing, starttls, auth, etc.) that the Postfix SMTP - client will ignore in the EHLO response from a + A case insensitive list of EHLO keywords (pipelin- + ing, starttls, auth, etc.) that the Postfix SMTP + client will ignore in the EHLO response from a remote SMTP server. smtp_generic_maps (empty) Optional lookup tables that perform address rewrit- - ing in the SMTP client, typically to transform a + ing in the SMTP client, typically to transform a locally valid address into a globally valid address when sending mail across the Internet. Available in Postfix version 2.2.9 and later: smtp_cname_overrides_servername (version dependent) - Allow DNS CNAME records to override the servername + Allow DNS CNAME records to override the servername that the Postfix SMTP client uses for logging, SASL - password lookup, TLS policy decisions, or TLS cer- + password lookup, TLS policy decisions, or TLS cer- tificate verification. Available in Postfix version 2.3 and later: lmtp_discard_lhlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote LMTP server - address, with case insensitive lists of LHLO key- - words (pipelining, starttls, auth, etc.) that the + Lookup tables, indexed by the remote LMTP server + address, with case insensitive lists of LHLO key- + words (pipelining, starttls, auth, etc.) 
that the LMTP client will ignore in the LHLO response from a remote LMTP server. lmtp_discard_lhlo_keywords (empty) - A case insensitive list of LHLO keywords (pipelin- - ing, starttls, auth, etc.) that the LMTP client + A case insensitive list of LHLO keywords (pipelin- + ing, starttls, auth, etc.) that the LMTP client will ignore in the LHLO response from a remote LMTP server. @@ -258,14 +262,14 @@ SMTP(8) SMTP(8) send_cyrus_sasl_authzid (no) When authenticating to a remote SMTP or LMTP server - with the default setting "no", send no SASL autho- + with the default setting "no", send no SASL autho- riZation ID (authzid); send only the SASL authenti- Cation ID (authcid) plus the authcid's password. Available in Postfix version 2.5 and later: smtp_header_checks (empty) - Restricted header_checks(5) tables for the Postfix + Restricted header_checks(5) tables for the Postfix SMTP client. smtp_mime_header_checks (empty) @@ -273,24 +277,24 @@ SMTP(8) SMTP(8) Postfix SMTP client. smtp_nested_header_checks (empty) - Restricted nested_header_checks(5) tables for the + Restricted nested_header_checks(5) tables for the Postfix SMTP client. smtp_body_checks (empty) - Restricted body_checks(5) tables for the Postfix + Restricted body_checks(5) tables for the Postfix SMTP client. Available in Postfix version 2.6 and later: tcp_windowsize (0) - An optional workaround for routers that break TCP + An optional workaround for routers that break TCP window scaling. MIME PROCESSING CONTROLS Available in Postfix version 2.0 and later: disable_mime_output_conversion (no) - Disable the conversion of 8BITMIME format to 7BIT + Disable the conversion of 8BITMIME format to 7BIT format. mime_boundary_length_limit (2048) 
@@ -305,108 +309,108 @@ SMTP(8) SMTP(8) Available in Postfix version 2.1 and later: smtp_send_xforward_command (no) - Send the non-standard XFORWARD command when the - Postfix SMTP server EHLO response announces XFOR- + Send the non-standard XFORWARD command when the + Postfix SMTP server EHLO response announces XFOR- WARD support. SASL AUTHENTICATION CONTROLS smtp_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP client. smtp_sasl_password_maps (empty) - Optional SMTP client lookup tables with one user- - name:password entry per remote hostname or domain, + Optional SMTP client lookup tables with one user- + name:password entry per remote hostname or domain, or sender address when sender-dependent authentica- tion is enabled. smtp_sasl_security_options (noplaintext, noanonymous) - Postfix SMTP client SASL security options; as of - Postfix 2.3 the list of available features depends - on the SASL client implementation that is selected + Postfix SMTP client SASL security options; as of + Postfix 2.3 the list of available features depends + on the SASL client implementation that is selected with smtp_sasl_type. Available in Postfix version 2.2 and later: smtp_sasl_mechanism_filter (empty) - If non-empty, a Postfix SMTP client filter for the - remote SMTP server's list of offered SASL mecha- + If non-empty, a Postfix SMTP client filter for the + remote SMTP server's list of offered SASL mecha- nisms. Available in Postfix version 2.3 and later: smtp_sender_dependent_authentication (no) Enable sender-dependent authentication in the Post- - fix SMTP client; this is available only with SASL - authentication, and disables SMTP connection - caching to ensure that mail from different senders + fix SMTP client; this is available only with SASL + authentication, and disables SMTP connection + caching to ensure that mail from different senders will use the appropriate credentials. 
smtp_sasl_path (empty) - Implementation-specific information that the Post- - fix SMTP client passes through to the SASL plug-in - implementation that is selected with + Implementation-specific information that the Post- + fix SMTP client passes through to the SASL plug-in + implementation that is selected with smtp_sasl_type. smtp_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP client + The SASL plug-in type that the Postfix SMTP client should use for authentication. Available in Postfix version 2.5 and later: smtp_sasl_auth_cache_name (empty) - An optional table to prevent repeated SASL authen- - tication failures with the same remote SMTP server + An optional table to prevent repeated SASL authen- + tication failures with the same remote SMTP server hostname, username and password. smtp_sasl_auth_cache_time (90d) - The maximal age of an smtp_sasl_auth_cache_name + The maximal age of an smtp_sasl_auth_cache_name entry before it is removed. smtp_sasl_auth_soft_bounce (yes) - When a remote SMTP server rejects a SASL authenti- - cation request with a 535 reply code, defer mail - delivery instead of returning mail as undeliver- + When a remote SMTP server rejects a SASL authenti- + cation request with a 535 reply code, defer mail + delivery instead of returning mail as undeliver- able. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtp_tls_security_level (empty) The default SMTP TLS security level for the Postfix - SMTP client; when a non-empty value is specified, - this overrides the obsolete parameters + SMTP client; when a non-empty value is specified, + this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. 
smtp_sasl_tls_security_options ($smtp_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions. smtp_starttls_timeout (300s) - Time limit for Postfix SMTP client write and read - operations during TLS startup and shutdown hand- + Time limit for Postfix SMTP client write and read + operations during TLS startup and shutdown hand- shake procedures. smtp_tls_CAfile (empty) - A file containing CA certificates of root CAs - trusted to sign either remote SMTP server certifi- + A file containing CA certificates of root CAs + trusted to sign either remote SMTP server certifi- cates or intermediate CA certificates. smtp_tls_CApath (empty) - Directory with PEM format certificate authority - certificates that the Postfix SMTP client uses to + Directory with PEM format certificate authority + certificates that the Postfix SMTP client uses to verify a remote SMTP server certificate. smtp_tls_cert_file (empty) - File with the Postfix SMTP client RSA certificate + File with the Postfix SMTP client RSA certificate in PEM format. smtp_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP + The minimum TLS cipher grade that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_exclude_ciphers (empty) 
@@ -415,43 +419,43 @@ SMTP(8) SMTP(8) levels. smtp_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to - exclude from the SMTP client cipher list at manda- + Additional list of ciphers or cipher types to + exclude from the SMTP client cipher list at manda- tory TLS security levels. smtp_tls_dcert_file (empty) - File with the Postfix SMTP client DSA certificate + File with the Postfix SMTP client DSA certificate in PEM format. smtp_tls_dkey_file ($smtp_tls_dcert_file) - File with the Postfix SMTP client DSA private key + File with the Postfix SMTP client DSA private key in PEM format. smtp_tls_key_file ($smtp_tls_cert_file) - File with the Postfix SMTP client RSA private key + File with the Postfix SMTP client RSA private key in PEM format. smtp_tls_loglevel (0) - Enable additional Postfix SMTP client logging of + Enable additional Postfix SMTP client logging of TLS activity. smtp_tls_note_starttls_offer (no) - Log the hostname of a remote SMTP server that - offers STARTTLS, when TLS is not already enabled + Log the hostname of a remote SMTP server that + offers STARTTLS, when TLS is not already enabled for that server. smtp_tls_policy_maps (empty) Optional lookup tables with the Postfix SMTP client TLS security policy by next-hop destination; when a - non-empty value is specified, this overrides the + non-empty value is specified, this overrides the obsolete smtp_tls_per_site parameter. smtp_tls_mandatory_protocols (SSLv3, TLSv1) - List of SSL/TLS protocols that the Postfix SMTP + List of SSL/TLS protocols that the Postfix SMTP client will use with mandatory TLS encryption. smtp_tls_scert_verifydepth (9) - The verification depth for remote SMTP server cer- + The verification depth for remote SMTP server cer- tificates. smtp_tls_secure_cert_match (nexthop, dot-nexthop) 
@@ -459,7 +463,7 @@ SMTP(8) SMTP(8) for the "secure" TLS security level. smtp_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP client TLS session cache. smtp_tls_session_cache_timeout (3600s) @@ -471,9 +475,9 @@ SMTP(8) SMTP(8) for the "verify" TLS security level. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist @@ -485,7 +489,7 @@ SMTP(8) SMTP(8) ciphers. tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) 
@@ -493,38 +497,38 @@ SMTP(8) SMTP(8) ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.4 and later: smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options) - The SASL authentication security options that the - Postfix SMTP client uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP client uses for TLS encrypted SMTP sessions with a verified server certificate. Available in Postfix version 2.5 and later: smtp_tls_fingerprint_cert_match (empty) - List of acceptable remote SMTP server certificate - fingerprints for the "fingerprint" TLS security + List of acceptable remote SMTP server certificate + fingerprints for the "fingerprint" TLS security level (smtp_tls_security_level = fingerprint). smtp_tls_fingerprint_digest (md5) - The message digest algorithm used to construct + The message digest algorithm used to construct remote SMTP server certificate fingerprints. Available in Postfix version 2.6 and later: smtp_tls_protocols (!SSLv2) - List of TLS protocols that the Postfix SMTP client - will exclude or include with opportunistic TLS + List of TLS protocols that the Postfix SMTP client + will exclude or include with opportunistic TLS encryption. smtp_tls_ciphers (export) - The minimum TLS cipher grade that the Postfix SMTP - client will use with opportunistic TLS encryption. + The minimum TLS cipher grade that the Postfix SMTP + client will use with opportunistic TLS encryption. smtp_tls_eccert_file (empty) File with the Postfix SMTP client ECDSA certificate 
@@ -537,10 +541,10 @@ SMTP(8) SMTP(8) Available in Postfix version 2.7 and later: smtp_tls_block_early_mail_reply (no) - Try to detect a mail hijacking attack based on a - TLS protocol vulnerability (CVE-2009-3555), where - an attacker prepends malicious HELO/MAIL/RCPT/DATA - commands to a Postfix client TLS session. + Try to detect a mail hijacking attack based on a + TLS protocol vulnerability (CVE-2009-3555), where + an attacker prepends malicious HELO, MAIL, RCPT, + DATA commands to a Postfix SMTP client TLS session. OBSOLETE STARTTLS CONTROLS The following configuration parameters exist for compati- diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index ef6b45033..9685afcc5 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html 
@@ -106,90 +106,91 @@ SMTPD(8) SMTPD(8) rejecting the address as invalid. smtpd_command_filter (empty) - A mechanism to substitute incoming SMTP commands. + A mechanism to transform commands from remote SMTP + clients. smtpd_reject_unlisted_sender (no) - Request that the Postfix SMTP server rejects mail - from unknown sender addresses, even when no - explicit reject_unlisted_sender access restriction + Request that the Postfix SMTP server rejects mail + from unknown sender addresses, even when no + explicit reject_unlisted_sender access restriction is specified. smtpd_sasl_exceptions_networks (empty) - What remote SMTP clients the Postfix SMTP server + What remote SMTP clients the Postfix SMTP server will not offer AUTH support to. Available in Postfix version 2.2 and later: smtpd_discard_ehlo_keyword_address_maps (empty) - Lookup tables, indexed by the remote SMTP client - address, with case insensitive lists of EHLO key- - words (pipelining, starttls, auth, etc.) that the + Lookup tables, indexed by the remote SMTP client + address, with case insensitive lists of EHLO key- + words (pipelining, starttls, auth, etc.) that the SMTP server will not send in the EHLO response to a remote SMTP client. smtpd_discard_ehlo_keywords (empty) - A case insensitive list of EHLO keywords (pipelin- - ing, starttls, auth, etc.) that the SMTP server + A case insensitive list of EHLO keywords (pipelin- + ing, starttls, auth, etc.) that the SMTP server will not send in the EHLO response to a remote SMTP client. smtpd_delay_open_until_valid_rcpt (yes) - Postpone the start of an SMTP mail transaction + Postpone the start of an SMTP mail transaction until a valid RCPT TO command is received. 
Available in Postfix version 2.3 and later: smtpd_tls_always_issue_session_ids (yes) - Force the Postfix SMTP server to issue a TLS ses- - sion id, even when TLS session caching is turned + Force the Postfix SMTP server to issue a TLS ses- + sion id, even when TLS session caching is turned off (smtpd_tls_session_cache_database is empty). Available in Postfix version 2.6 and later: tcp_windowsize (0) - An optional workaround for routers that break TCP + An optional workaround for routers that break TCP window scaling. ADDRESS REWRITING CONTROLS - See the ADDRESS_REWRITING_README document for a detailed + See the ADDRESS_REWRITING_README document for a detailed discussion of Postfix address rewriting. receive_override_options (empty) - Enable or disable recipient validation, built-in + Enable or disable recipient validation, built-in content filtering, or address mapping. Available in Postfix version 2.2 and later: local_header_rewrite_clients (permit_inet_interfaces) Rewrite message header addresses in mail from these - clients and update incomplete addresses with the + clients and update incomplete addresses with the domain name in $myorigin or $mydomain; either don't - rewrite message headers from other clients at all, - or rewrite message headers and update incomplete - addresses with the domain specified in the + rewrite message headers from other clients at all, + or rewrite message headers and update incomplete + addresses with the domain specified in the remote_header_rewrite_domain parameter. AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS - As of version 1.0, Postfix can be configured to send new - mail to an external content filter AFTER the mail is - queued. This content filter is expected to inject mail - back into a (Postfix or other) MTA for further delivery. + As of version 1.0, Postfix can be configured to send new + mail to an external content filter AFTER the mail is + queued. 
This content filter is expected to inject mail + back into a (Postfix or other) MTA for further delivery. See the FILTER_README document for details. content_filter (empty) - The name of a mail delivery transport that filters + The name of a mail delivery transport that filters mail after it is queued. BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS - As of version 2.1, the Postfix SMTP server can be config- - ured to send incoming mail to a real-time SMTP-based con- + As of version 2.1, the Postfix SMTP server can be config- + ured to send incoming mail to a real-time SMTP-based con- tent filter BEFORE mail is queued. This content filter is - expected to inject mail back into Postfix. See the - SMTPD_PROXY_README document for details on how to config- + expected to inject mail back into Postfix. See the + SMTPD_PROXY_README document for details on how to config- ure and operate this feature. smtpd_proxy_filter (empty) - The hostname and TCP port of the mail filtering + The hostname and TCP port of the mail filtering proxy server. smtpd_proxy_ehlo ($myhostname) @@ -197,8 +198,8 @@ SMTPD(8) SMTPD(8) proxy filter. smtpd_proxy_options (empty) - List of options that control how the Postfix SMTP - server communicates with a before-queue content + List of options that control how the Postfix SMTP + server communicates with a before-queue content filter. smtpd_proxy_timeout (100s) 
@@ -207,24 +208,24 @@ SMTPD(8) SMTPD(8) BEFORE QUEUE MILTER CONTROLS As of version 2.3, Postfix supports the Sendmail version 8 - Milter (mail filter) protocol. These content filters run - outside Postfix. They can inspect the SMTP command stream - and the message content, and can request modifications - before mail is queued. For details see the MILTER_README + Milter (mail filter) protocol. These content filters run + outside Postfix. They can inspect the SMTP command stream + and the message content, and can request modifications + before mail is queued. For details see the MILTER_README document. smtpd_milters (empty) A list of Milter (mail filter) applications for new - mail that arrives via the Postfix smtpd(8) server. + mail that arrives via the Postfix smtpd(8) server. milter_protocol (6) - The mail filter protocol version and optional pro- - tocol extensions for communication with a Milter - application; prior to Postfix 2.6 the default pro- + The mail filter protocol version and optional pro- + tocol extensions for communication with a Milter + application; prior to Postfix 2.6 the default pro- tocol is 2. milter_default_action (tempfail) - The default action when a Milter (mail filter) + The default action when a Milter (mail filter) application is unavailable or mis-configured. milter_macro_daemon_name ($myhostname) 
@@ -236,190 +237,190 @@ SMTPD(8) SMTPD(8) cations. milter_connect_timeout (30s) - The time limit for connecting to a Milter (mail - filter) application, and for negotiating protocol + The time limit for connecting to a Milter (mail + filter) application, and for negotiating protocol options. milter_command_timeout (30s) - The time limit for sending an SMTP command to a + The time limit for sending an SMTP command to a Milter (mail filter) application, and for receiving the response. milter_content_timeout (300s) - The time limit for sending message content to a + The time limit for sending message content to a Milter (mail filter) application, and for receiving the response. milter_connect_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) - applications after completion of an SMTP connec- + The macros that are sent to Milter (mail filter) + applications after completion of an SMTP connec- tion. milter_helo_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) + The macros that are sent to Milter (mail filter) applications after the SMTP HELO or EHLO command. milter_mail_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) + The macros that are sent to Milter (mail filter) applications after the SMTP MAIL FROM command. milter_rcpt_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) + The macros that are sent to Milter (mail filter) applications after the SMTP RCPT TO command. milter_data_macros (see 'postconf -d' output) - The macros that are sent to version 4 or higher - Milter (mail filter) applications after the SMTP + The macros that are sent to version 4 or higher + Milter (mail filter) applications after the SMTP DATA command. 
milter_unknown_command_macros (see 'postconf -d' output) - The macros that are sent to version 3 or higher - Milter (mail filter) applications after an unknown + The macros that are sent to version 3 or higher + Milter (mail filter) applications after an unknown SMTP command. milter_end_of_header_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) + The macros that are sent to Milter (mail filter) applications after the end of the message header. milter_end_of_data_macros (see 'postconf -d' output) - The macros that are sent to Milter (mail filter) + The macros that are sent to Milter (mail filter) applications after the message end-of-data. GENERAL CONTENT INSPECTION CONTROLS - The following parameters are applicable for both built-in + The following parameters are applicable for both built-in and external content filters. Available in Postfix version 2.1 and later: receive_override_options (empty) - Enable or disable recipient validation, built-in + Enable or disable recipient validation, built-in content filtering, or address mapping. EXTERNAL CONTENT INSPECTION CONTROLS - The following parameters are applicable for both before- + The following parameters are applicable for both before- queue and after-queue content filtering. Available in Postfix version 2.1 and later: smtpd_authorized_xforward_hosts (empty) - What SMTP clients are allowed to use the XFORWARD + What SMTP clients are allowed to use the XFORWARD feature. SASL AUTHENTICATION CONTROLS - Postfix SASL support (RFC 4954) can be used to authenti- - cate remote SMTP clients to the Postfix SMTP server, and - to authenticate the Postfix SMTP client to a remote SMTP + Postfix SASL support (RFC 4954) can be used to authenti- + cate remote SMTP clients to the Postfix SMTP server, and + to authenticate the Postfix SMTP client to a remote SMTP server. See the SASL_README document for details. 
broken_sasl_auth_clients (no) - Enable inter-operability with SMTP clients that - implement an obsolete version of the AUTH command + Enable inter-operability with SMTP clients that + implement an obsolete version of the AUTH command (RFC 4954). smtpd_sasl_auth_enable (no) - Enable SASL authentication in the Postfix SMTP + Enable SASL authentication in the Postfix SMTP server. smtpd_sasl_local_domain (empty) - The name of the Postfix SMTP server's local SASL + The name of the Postfix SMTP server's local SASL authentication realm. smtpd_sasl_security_options (noanonymous) - Postfix SMTP server SASL security options; as of - Postfix 2.3 the list of available features depends - on the SASL server implementation that is selected + Postfix SMTP server SASL security options; as of + Postfix 2.3 the list of available features depends + on the SASL server implementation that is selected with smtpd_sasl_type. smtpd_sender_login_maps (empty) - Optional lookup table with the SASL login names + Optional lookup table with the SASL login names that own sender (MAIL FROM) addresses. Available in Postfix version 2.1 and later: smtpd_sasl_exceptions_networks (empty) - What remote SMTP clients the Postfix SMTP server + What remote SMTP clients the Postfix SMTP server will not offer AUTH support to. Available in Postfix version 2.1 and 2.2: smtpd_sasl_application_name (smtpd) - The application name that the Postfix SMTP server + The application name that the Postfix SMTP server uses for SASL server initialization. Available in Postfix version 2.3 and later: smtpd_sasl_authenticated_header (no) - Report the SASL authenticated user name in the + Report the SASL authenticated user name in the smtpd(8) Received message header. 
smtpd_sasl_path (smtpd) - Implementation-specific information that the Post- - fix SMTP server passes through to the SASL plug-in - implementation that is selected with + Implementation-specific information that the Post- + fix SMTP server passes through to the SASL plug-in + implementation that is selected with smtpd_sasl_type. smtpd_sasl_type (cyrus) - The SASL plug-in type that the Postfix SMTP server + The SASL plug-in type that the Postfix SMTP server should use for authentication. Available in Postfix version 2.5 and later: cyrus_sasl_config_path (empty) - Search path for Cyrus SASL application configura- - tion files, currently used only to locate the + Search path for Cyrus SASL application configura- + tion files, currently used only to locate the $smtpd_sasl_path.conf file. STARTTLS SUPPORT CONTROLS - Detailed information about STARTTLS configuration may be + Detailed information about STARTTLS configuration may be found in the TLS_README document. smtpd_tls_security_level (empty) - The SMTP TLS security level for the Postfix SMTP - server; when a non-empty value is specified, this + The SMTP TLS security level for the Postfix SMTP + server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. smtpd_sasl_tls_security_options ($smtpd_sasl_secu- rity_options) - The SASL authentication security options that the - Postfix SMTP server uses for TLS encrypted SMTP + The SASL authentication security options that the + Postfix SMTP server uses for TLS encrypted SMTP sessions. smtpd_starttls_timeout (300s) - The time limit for Postfix SMTP server write and - read operations during TLS startup and shutdown + The time limit for Postfix SMTP server write and + read operations during TLS startup and shutdown handshake procedures. 
smtpd_tls_CAfile (empty) - A file containing (PEM format) CA certificates of - root CAs trusted to sign either remote SMTP client + A file containing (PEM format) CA certificates of + root CAs trusted to sign either remote SMTP client certificates or intermediate CA certificates. smtpd_tls_CApath (empty) A directory containing (PEM format) CA certificates - of root CAs trusted to sign either remote SMTP - client certificates or intermediate CA certifi- + of root CAs trusted to sign either remote SMTP + client certificates or intermediate CA certifi- cates. smtpd_tls_always_issue_session_ids (yes) - Force the Postfix SMTP server to issue a TLS ses- - sion id, even when TLS session caching is turned + Force the Postfix SMTP server to issue a TLS ses- + sion id, even when TLS session caching is turned off (smtpd_tls_session_cache_database is empty). smtpd_tls_ask_ccert (no) - Ask a remote SMTP client for a client certificate. + Ask a remote SMTP client for a client certificate. smtpd_tls_auth_only (no) When TLS encryption is optional in the Postfix SMTP - server, do not announce or accept SASL authentica- + server, do not announce or accept SASL authentica- tion over unencrypted connections. smtpd_tls_ccert_verifydepth (9) - The verification depth for remote SMTP client cer- + The verification depth for remote SMTP client cer- tificates. smtpd_tls_cert_file (empty) - File with the Postfix SMTP server RSA certificate + File with the Postfix SMTP server RSA certificate in PEM format. smtpd_tls_exclude_ciphers (empty) 
@@ -427,56 +428,56 @@ SMTPD(8) SMTPD(8) SMTP server cipher list at all TLS security levels. smtpd_tls_dcert_file (empty) - File with the Postfix SMTP server DSA certificate + File with the Postfix SMTP server DSA certificate in PEM format. smtpd_tls_dh1024_param_file (empty) - File with DH parameters that the Postfix SMTP - server should use with EDH ciphers. - - smtpd_tls_dh512_param_file (empty) File with DH parameters that the Postfix SMTP server should use with EDH ciphers. + smtpd_tls_dh512_param_file (empty) + File with DH parameters that the Postfix SMTP + server should use with EDH ciphers. + smtpd_tls_dkey_file ($smtpd_tls_dcert_file) - File with the Postfix SMTP server DSA private key + File with the Postfix SMTP server DSA private key in PEM format. smtpd_tls_key_file ($smtpd_tls_cert_file) - File with the Postfix SMTP server RSA private key + File with the Postfix SMTP server RSA private key in PEM format. smtpd_tls_loglevel (0) - Enable additional Postfix SMTP server logging of + Enable additional Postfix SMTP server logging of TLS activity. smtpd_tls_mandatory_ciphers (medium) - The minimum TLS cipher grade that the Postfix SMTP + The minimum TLS cipher grade that the Postfix SMTP server will use with mandatory TLS encryption. smtpd_tls_mandatory_exclude_ciphers (empty) - Additional list of ciphers or cipher types to - exclude from the SMTP server cipher list at manda- + Additional list of ciphers or cipher types to + exclude from the SMTP server cipher list at manda- tory TLS security levels. smtpd_tls_mandatory_protocols (SSLv3, TLSv1) - The SSL/TLS protocols accepted by the Postfix SMTP + The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory TLS encryption. 
smtpd_tls_received_header (no) Request that the Postfix SMTP server produces Received: message headers that include information - about the protocol and cipher used, as well as the - client CommonName and client certificate issuer + about the protocol and cipher used, as well as the + client CommonName and client certificate issuer CommonName. smtpd_tls_req_ccert (no) - With mandatory TLS encryption, require a trusted - remote SMTP client certificate in order to allow + With mandatory TLS encryption, require a trusted + remote SMTP client certificate in order to allow TLS connections to proceed. smtpd_tls_session_cache_database (empty) - Name of the file containing the optional Postfix + Name of the file containing the optional Postfix SMTP server TLS session cache. smtpd_tls_session_cache_timeout (3600s) @@ -484,14 +485,14 @@ SMTPD(8) SMTPD(8) sion cache information. smtpd_tls_wrappermode (no) - Run the Postfix SMTP server in the non-standard - "wrapper" mode, instead of using the STARTTLS com- + Run the Postfix SMTP server in the non-standard + "wrapper" mode, instead of using the STARTTLS com- mand. tls_daemon_random_bytes (32) - The number of pseudo-random bytes that an smtp(8) - or smtpd(8) process requests from the tlsmgr(8) - server in order to seed its internal pseudo random + The number of pseudo-random bytes that an smtp(8) + or smtpd(8) process requests from the tlsmgr(8) + server in order to seed its internal pseudo random number generator (PRNG). tls_high_cipherlist @@ -503,7 +504,7 @@ SMTPD(8) SMTPD(8) ciphers. tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH) - The OpenSSL cipherlist for "LOW" or higher grade + The OpenSSL cipherlist for "LOW" or higher grade ciphers. tls_export_cipherlist (ALL:+RC4:@STRENGTH) 
@@ -511,26 +512,26 @@ SMTPD(8) SMTPD(8) ciphers. tls_null_cipherlist (eNULL:!aNULL) - The OpenSSL cipherlist for "NULL" grade ciphers + The OpenSSL cipherlist for "NULL" grade ciphers that provide authentication without encryption. Available in Postfix version 2.5 and later: smtpd_tls_fingerprint_digest (md5) - The message digest algorithm used to construct + The message digest algorithm used to construct client-certificate fingerprints for check_ccert_access and permit_tls_clientcerts. Available in Postfix version 2.6 and later: smtpd_tls_protocols (empty) - List of TLS protocols that the Postfix SMTP server - will exclude or include with opportunistic TLS + List of TLS protocols that the Postfix SMTP server + will exclude or include with opportunistic TLS encryption. smtpd_tls_ciphers (export) - The minimum TLS cipher grade that the Postfix SMTP - server will use with opportunistic TLS encryption. + The minimum TLS cipher grade that the Postfix SMTP + server will use with opportunistic TLS encryption. smtpd_tls_eccert_file (empty) File with the Postfix SMTP server ECDSA certificate @@ -541,7 +542,7 @@ SMTPD(8) SMTPD(8) in PEM format. smtpd_tls_eecdh_grade (see 'postconf -d' output) - The Postfix SMTP server security grade for + The Postfix SMTP server security grade for ephemeral elliptic-curve Diffie-Hellman (EECDH) key exchange. 
@@ -554,18 +555,18 @@ SMTPD(8) SMTPD(8) imally strong ephemeral ECDH key exchange. OBSOLETE STARTTLS CONTROLS - The following configuration parameters exist for compati- + The following configuration parameters exist for compati- bility with Postfix versions before 2.3. Support for these will be removed in a future release. smtpd_use_tls (no) - Opportunistic TLS: announce STARTTLS support to - SMTP clients, but do not require that clients use + Opportunistic TLS: announce STARTTLS support to + SMTP clients, but do not require that clients use TLS encryption. smtpd_enforce_tls (no) - Mandatory TLS: announce STARTTLS support to SMTP - clients, and require that clients use TLS encryp- + Mandatory TLS: announce STARTTLS support to SMTP + clients, and require that clients use TLS encryp- tion. smtpd_tls_cipherlist (empty) 
@@ -573,64 +574,64 @@ SMTPD(8) SMTPD(8) server TLS cipher list. VERP SUPPORT CONTROLS - With VERP style delivery, each recipient of a message + With VERP style delivery, each recipient of a message receives a customized copy of the message with his/her own - recipient address encoded in the envelope sender address. + recipient address encoded in the envelope sender address. The VERP_README file describes configuration and operation - details of Postfix support for variable envelope return + details of Postfix support for variable envelope return path addresses. VERP style delivery is requested with the - SMTP XVERP command or with the "sendmail -V" command-line - option and is available in Postfix version 1.1 and later. + SMTP XVERP command or with the "sendmail -V" command-line + option and is available in Postfix version 1.1 and later. default_verp_delimiters (+=) The two default VERP delimiter characters. verp_delimiter_filter (-=+) - The characters Postfix accepts as VERP delimiter - characters on the Postfix sendmail(1) command line + The characters Postfix accepts as VERP delimiter + characters on the Postfix sendmail(1) command line and in SMTP commands. Available in Postfix version 1.1 and 2.0: authorized_verp_clients ($mynetworks) - What SMTP clients are allowed to specify the XVERP + What SMTP clients are allowed to specify the XVERP command. Available in Postfix version 2.1 and later: smtpd_authorized_verp_clients ($authorized_verp_clients) - What SMTP clients are allowed to specify the XVERP + What SMTP clients are allowed to specify the XVERP command. TROUBLE SHOOTING CONTROLS - The DEBUG_README document describes how to debug parts of - the Postfix mail system. The methods vary from making the - software log a lot of detail, to running some daemon pro- + The DEBUG_README document describes how to debug parts of + the Postfix mail system. 
The methods vary from making the + software log a lot of detail, to running some daemon pro- cesses under control of a call tracer or debugger. debug_peer_level (2) - The increment in verbose logging level when a - remote client or server matches a pattern in the + The increment in verbose logging level when a + remote client or server matches a pattern in the debug_peer_list parameter. debug_peer_list (empty) - Optional list of remote client or server hostname - or network address patterns that cause the verbose - logging level to increase by the amount specified + Optional list of remote client or server hostname + or network address patterns that cause the verbose + logging level to increase by the amount specified in $debug_peer_level. error_notice_recipient (postmaster) - The recipient of postmaster notifications about - mail delivery problems that are caused by policy, + The recipient of postmaster notifications about + mail delivery problems that are caused by policy, resource, software or protocol errors. internal_mail_filter_classes (empty) - What categories of Postfix-generated mail are sub- - ject to before-queue content inspection by + What categories of Postfix-generated mail are sub- + ject to before-queue content inspection by non_smtpd_milters, header_checks and body_checks. notify_classes (resource, software) - The list of error classes that are reported to the + The list of error classes that are reported to the postmaster. soft_bounce (no) 
@@ -640,22 +641,22 @@ SMTPD(8) SMTPD(8) Available in Postfix version 2.1 and later: smtpd_authorized_xclient_hosts (empty) - What SMTP clients are allowed to use the XCLIENT + What SMTP clients are allowed to use the XCLIENT feature. KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS - As of Postfix version 2.0, the SMTP server rejects mail - for unknown recipients. This prevents the mail queue from - clogging up with undeliverable MAILER-DAEMON messages. - Additional information on this topic is in the + As of Postfix version 2.0, the SMTP server rejects mail + for unknown recipients. This prevents the mail queue from + clogging up with undeliverable MAILER-DAEMON messages. + Additional information on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README documents. show_user_unknown_table_name (yes) - Display the name of the recipient table in the + Display the name of the recipient table in the "User unknown" responses. canonical_maps (empty) - Optional address mapping lookup tables for message + Optional address mapping lookup tables for message headers and envelopes. recipient_canonical_maps (empty) @@ -666,7 +667,7 @@ SMTPD(8) SMTPD(8) mydestination ($myhostname, localhost.$mydomain, local- host) - The list of domains that are delivered via the + The list of domains that are delivered via the $local_transport mail delivery transport. inet_interfaces (all) 
@@ -675,146 +676,146 @@ SMTPD(8) SMTPD(8) proxy_interfaces (empty) The network interface addresses that this mail sys- - tem receives mail on by way of a proxy or network + tem receives mail on by way of a proxy or network address translation unit. inet_protocols (ipv4) - The Internet protocols Postfix will attempt to use + The Internet protocols Postfix will attempt to use when making or accepting connections. local_recipient_maps (proxy:unix:passwd.byname $alias_maps) - Lookup tables with all names or addresses of local - recipients: a recipient address is local when its - domain matches $mydestination, $inet_interfaces or + Lookup tables with all names or addresses of local + recipients: a recipient address is local when its + domain matches $mydestination, $inet_interfaces or $proxy_interfaces. unknown_local_recipient_reject_code (550) - The numerical Postfix SMTP server response code - when a recipient address is local, and - $local_recipient_maps specifies a list of lookup + The numerical Postfix SMTP server response code + when a recipient address is local, and + $local_recipient_maps specifies a list of lookup tables that does not match the recipient. - Parameters concerning known/unknown recipients of relay + Parameters concerning known/unknown recipients of relay destinations: relay_domains ($mydestination) - What destination domains (and subdomains thereof) + What destination domains (and subdomains thereof) this system will relay mail to. relay_recipient_maps (empty) - Optional lookup tables with all valid addresses in + Optional lookup tables with all valid addresses in the domains that match $relay_domains. unknown_relay_recipient_reject_code (550) The numerical Postfix SMTP server reply code when a - recipient address matches $relay_domains, and - relay_recipient_maps specifies a list of lookup + recipient address matches $relay_domains, and + relay_recipient_maps specifies a list of lookup tables that does not match the recipient address. 
- Parameters concerning known/unknown recipients in virtual + Parameters concerning known/unknown recipients in virtual alias domains: virtual_alias_domains ($virtual_alias_maps) Postfix is final destination for the specified list - of virtual alias domains, that is, domains for - which all addresses are aliased to addresses in + of virtual alias domains, that is, domains for + which all addresses are aliased to addresses in other local or remote domains. virtual_alias_maps ($virtual_maps) - Optional lookup tables that alias specific mail - addresses or domains to other local or remote + Optional lookup tables that alias specific mail + addresses or domains to other local or remote address. unknown_virtual_alias_reject_code (550) The SMTP server reply code when a recipient address - matches $virtual_alias_domains, and $vir- - tual_alias_maps specifies a list of lookup tables + matches $virtual_alias_domains, and $vir- + tual_alias_maps specifies a list of lookup tables that does not match the recipient address. - Parameters concerning known/unknown recipients in virtual + Parameters concerning known/unknown recipients in virtual mailbox domains: virtual_mailbox_domains ($virtual_mailbox_maps) Postfix is final destination for the specified list - of domains; mail is delivered via the $vir- + of domains; mail is delivered via the $vir- tual_transport mail delivery transport. virtual_mailbox_maps (empty) - Optional lookup tables with all valid addresses in + Optional lookup tables with all valid addresses in the domains that match $virtual_mailbox_domains. unknown_virtual_mailbox_reject_code (550) The SMTP server reply code when a recipient address - matches $virtual_mailbox_domains, and $vir- + matches $virtual_mailbox_domains, and $vir- tual_mailbox_maps specifies a list of lookup tables that does not match the recipient address. 
RESOURCE AND RATE CONTROLS - The following parameters limit resource usage by the SMTP + The following parameters limit resource usage by the SMTP server and/or control client request rates. line_length_limit (2048) - Upon input, long lines are chopped up into pieces - of at most this length; upon delivery, long lines + Upon input, long lines are chopped up into pieces + of at most this length; upon delivery, long lines are reconstructed. queue_minfree (0) - The minimal amount of free space in bytes in the + The minimal amount of free space in bytes in the queue file system that is needed to receive mail. message_size_limit (10240000) - The maximal size in bytes of a message, including + The maximal size in bytes of a message, including envelope information. smtpd_recipient_limit (1000) - The maximal number of recipients that the Postfix + The maximal number of recipients that the Postfix SMTP server accepts per message delivery request. smtpd_timeout (normal: 300s, stress: 10s) - The time limit for sending a Postfix SMTP server - response and for receiving a remote SMTP client + The time limit for sending a Postfix SMTP server + response and for receiving a remote SMTP client request. smtpd_history_flush_threshold (100) - The maximal number of lines in the Postfix SMTP - server command history before it is flushed upon + The maximal number of lines in the Postfix SMTP + server command history before it is flushed upon receipt of EHLO, RSET, or end of DATA. Available in Postfix version 2.3 and later: smtpd_peername_lookup (yes) Attempt to look up the remote SMTP client hostname, - and verify that the name matches the client IP + and verify that the name matches the client IP address. The per SMTP client connection count and request rate lim- its are implemented in co-operation with the anvil(8) ser- - vice, and are available in Postfix version 2.2 and later. + vice, and are available in Postfix version 2.2 and later. 
smtpd_client_connection_count_limit (50) - How many simultaneous connections any client is + How many simultaneous connections any client is allowed to make to this service. smtpd_client_connection_rate_limit (0) The maximal number of connection attempts any - client is allowed to make to this service per time + client is allowed to make to this service per time unit. smtpd_client_message_rate_limit (0) - The maximal number of message delivery requests - that any client is allowed to make to this service + The maximal number of message delivery requests + that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. smtpd_client_recipient_rate_limit (0) - The maximal number of recipient addresses that any - client is allowed to send to this service per time + The maximal number of recipient addresses that any + client is allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those recipients. smtpd_client_event_limit_exceptions ($mynetworks) - Clients that are excluded from connection count, + Clients that are excluded from connection count, connection rate, or SMTP request rate restrictions. Available in Postfix version 2.3 and later: 
@@ -825,52 +826,52 @@ SMTPD(8) SMTPD(8) tiate with this service per time unit. TARPIT CONTROLS - When a remote SMTP client makes errors, the Postfix SMTP - server can insert delays before responding. This can help - to slow down run-away software. The behavior is con- - trolled by an error counter that counts the number of - errors within an SMTP session that a client makes without + When a remote SMTP client makes errors, the Postfix SMTP + server can insert delays before responding. This can help + to slow down run-away software. The behavior is con- + trolled by an error counter that counts the number of + errors within an SMTP session that a client makes without delivering mail. smtpd_error_sleep_time (1s) With Postfix version 2.1 and later: the SMTP server - response delay after a client has made more than - $smtpd_soft_error_limit errors, and fewer than - $smtpd_hard_error_limit errors, without delivering + response delay after a client has made more than + $smtpd_soft_error_limit errors, and fewer than + $smtpd_hard_error_limit errors, without delivering mail. smtpd_soft_error_limit (10) - The number of errors a remote SMTP client is - allowed to make without delivering mail before the + The number of errors a remote SMTP client is + allowed to make without delivering mail before the Postfix SMTP server slows down all its responses. smtpd_hard_error_limit (normal: 20, stress: 1) - The maximal number of errors a remote SMTP client + The maximal number of errors a remote SMTP client is allowed to make without delivering mail. smtpd_junk_command_limit (normal: 100, stress: 1) - The number of junk commands (NOOP, VRFY, ETRN or + The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote SMTP client can send before the - Postfix SMTP server starts to increment the error + Postfix SMTP server starts to increment the error counter with each junk command. 
Available in Postfix version 2.1 and later: smtpd_recipient_overshoot_limit (1000) - The number of recipients that a remote SMTP client - can send in excess of the limit specified with + The number of recipients that a remote SMTP client + can send in excess of the limit specified with $smtpd_recipient_limit, before the Postfix SMTP - server increments the per-session error count for + server increments the per-session error count for each excess recipient. ACCESS POLICY DELEGATION CONTROLS - As of version 2.1, Postfix can be configured to delegate - access policy decisions to an external server that runs - outside Postfix. See the file SMTPD_POLICY_README for + As of version 2.1, Postfix can be configured to delegate + access policy decisions to an external server that runs + outside Postfix. See the file SMTPD_POLICY_README for more information. smtpd_policy_service_max_idle (300s) - The time after which an idle SMTPD policy service + The time after which an idle SMTPD policy service connection is closed. smtpd_policy_service_max_ttl (1000s) 
@@ -878,150 +879,150 @@ SMTPD(8) SMTPD(8) connection is closed. smtpd_policy_service_timeout (100s) - The time limit for connecting to, writing to or + The time limit for connecting to, writing to or receiving from a delegated SMTPD policy server. ACCESS CONTROLS - The SMTPD_ACCESS_README document gives an introduction to + The SMTPD_ACCESS_README document gives an introduction to all the SMTP server access control features. smtpd_delay_reject (yes) - Wait until the RCPT TO command before evaluating + Wait until the RCPT TO command before evaluating $smtpd_client_restrictions, $smtpd_helo_restric- tions and $smtpd_sender_restrictions, or wait until - the ETRN command before evaluating + the ETRN command before evaluating $smtpd_client_restrictions and $smtpd_helo_restric- tions. - parent_domain_matches_subdomains (see 'postconf -d' out- + parent_domain_matches_subdomains (see 'postconf -d' out- put) What Postfix features match subdomains of "domain.tld" automatically, instead of requiring an explicit ".domain.tld" pattern. smtpd_client_restrictions (empty) - Optional SMTP server access restrictions in the + Optional SMTP server access restrictions in the context of a client SMTP connection request. smtpd_helo_required (no) Require that a remote SMTP client introduces itself - at the beginning of an SMTP session with the HELO + at the beginning of an SMTP session with the HELO or EHLO command. smtpd_helo_restrictions (empty) - Optional restrictions that the Postfix SMTP server + Optional restrictions that the Postfix SMTP server applies in the context of the SMTP HELO command. smtpd_sender_restrictions (empty) - Optional restrictions that the Postfix SMTP server + Optional restrictions that the Postfix SMTP server applies in the context of the MAIL FROM command. 
smtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination) The access restrictions that the Postfix SMTP - server applies in the context of the RCPT TO com- + server applies in the context of the RCPT TO com- mand. smtpd_etrn_restrictions (empty) - Optional SMTP server access restrictions in the + Optional SMTP server access restrictions in the context of a client ETRN request. allow_untrusted_routing (no) - Forward mail with sender-specified routing - (user[@%!]remote[@%!]site) from untrusted clients + Forward mail with sender-specified routing + (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains. smtpd_restriction_classes (empty) - User-defined aliases for groups of access restric- + User-defined aliases for groups of access restric- tions. smtpd_null_access_lookup_key (<>) - The lookup key to be used in SMTP access(5) tables + The lookup key to be used in SMTP access(5) tables instead of the null sender address. permit_mx_backup_networks (empty) Restrict the use of the permit_mx_backup SMTP - access feature to only domains whose primary MX + access feature to only domains whose primary MX hosts match the listed networks. Available in Postfix version 2.0 and later: smtpd_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP + Optional access restrictions that the Postfix SMTP server applies in the context of the SMTP DATA com- mand. smtpd_expansion_filter (see 'postconf -d' output) - What characters are allowed in $name expansions of + What characters are allowed in $name expansions of RBL reply templates. 
Available in Postfix version 2.1 and later: smtpd_reject_unlisted_sender (no) - Request that the Postfix SMTP server rejects mail - from unknown sender addresses, even when no - explicit reject_unlisted_sender access restriction + Request that the Postfix SMTP server rejects mail + from unknown sender addresses, even when no + explicit reject_unlisted_sender access restriction is specified. smtpd_reject_unlisted_recipient (yes) - Request that the Postfix SMTP server rejects mail + Request that the Postfix SMTP server rejects mail for unknown recipient addresses, even when no - explicit reject_unlisted_recipient access restric- + explicit reject_unlisted_recipient access restric- tion is specified. Available in Postfix version 2.2 and later: smtpd_end_of_data_restrictions (empty) - Optional access restrictions that the Postfix SMTP - server applies in the context of the SMTP END-OF- + Optional access restrictions that the Postfix SMTP + server applies in the context of the SMTP END-OF- DATA command. SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS - Postfix version 2.1 introduces sender and recipient - address verification. This feature is implemented by - sending probe email messages that are not actually deliv- - ered. This feature is requested via the reject_unveri- - fied_sender and reject_unverified_recipient access - restrictions. The status of verification probes is main- + Postfix version 2.1 introduces sender and recipient + address verification. This feature is implemented by + sending probe email messages that are not actually deliv- + ered. This feature is requested via the reject_unveri- + fied_sender and reject_unverified_recipient access + restrictions. The status of verification probes is main- tained by the verify(8) server. See the file ADDRESS_VER- - IFICATION_README for information about how to configure + IFICATION_README for information about how to configure and operate the Postfix sender/recipient address verifica- tion service. 
address_verify_poll_count (3) - How many times to query the verify(8) service for - the completion of an address verification request + How many times to query the verify(8) service for + the completion of an address verification request in progress. address_verify_poll_delay (3s) - The delay between queries for the completion of an + The delay between queries for the completion of an address verification request in progress. address_verify_sender ($double_bounce_sender) - The sender address to use in address verification + The sender address to use in address verification probes; prior to Postfix 2.5 the default was "post- master". unverified_sender_reject_code (450) - The numerical Postfix SMTP server response code - when a recipient address is rejected by the + The numerical Postfix SMTP server response code + when a recipient address is rejected by the reject_unverified_sender restriction. unverified_recipient_reject_code (450) - The numerical Postfix SMTP server response when a + The numerical Postfix SMTP server response when a recipient address is rejected by the reject_unveri- fied_recipient restriction. Available in Postfix version 2.6 and later: unverified_sender_defer_code (450) - The numerical Postfix SMTP server response code - when a sender address probe fails due to a tempo- + The numerical Postfix SMTP server response code + when a sender address probe fails due to a tempo- rary error condition. unverified_recipient_defer_code (450) - The numerical Postfix SMTP server response when a - recipient address probe fails due to a temporary + The numerical Postfix SMTP server response when a + recipient address probe fails due to a temporary error condition. unverified_sender_reject_reason (empty) 
@@ -1035,7 +1036,7 @@ SMTPD(8) SMTPD(8) unverified_sender_tempfail_action ($reject_temp- fail_action) The Postfix SMTP server's action when reject_unver- - ified_sender fails due to a temporary error condi- + ified_sender fails due to a temporary error condi- tion. unverified_recipient_tempfail_action ($reject_temp- @@ -1045,7 +1046,7 @@ SMTPD(8) SMTPD(8) dition. ACCESS CONTROL RESPONSES - The following parameters control numerical SMTP reply + The following parameters control numerical SMTP reply codes and/or text responses. access_map_reject_code (554) @@ -1053,18 +1054,18 @@ SMTPD(8) SMTPD(8) an access(5) map "reject" action. defer_code (450) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "defer" restriction. invalid_hostname_reject_code (501) - The numerical Postfix SMTP server response code - when the client HELO or EHLO command parameter is - rejected by the reject_invalid_helo_hostname + The numerical Postfix SMTP server response code + when the client HELO or EHLO command parameter is + rejected by the reject_invalid_helo_hostname restriction. maps_rbl_reject_code (554) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender or reject_rhsbl_recipient 
@@ -1072,53 +1073,53 @@ SMTPD(8) SMTPD(8) non_fqdn_reject_code (504) The numerical Postfix SMTP server reply code when a - client request is rejected by the + client request is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient restriction. plaintext_reject_code (450) - The numerical Postfix SMTP server response code - when a request is rejected by the reject_plain- + The numerical Postfix SMTP server response code + when a request is rejected by the reject_plain- text_session restriction. reject_code (554) - The numerical Postfix SMTP server response code - when a remote SMTP client request is rejected by + The numerical Postfix SMTP server response code + when a remote SMTP client request is rejected by the "reject" restriction. relay_domains_reject_code (554) - The numerical Postfix SMTP server response code - when a client request is rejected by the + The numerical Postfix SMTP server response code + when a client request is rejected by the reject_unauth_destination recipient restriction. unknown_address_reject_code (450) - The numerical Postfix SMTP server response code - when a sender or recipient address is rejected by + The numerical Postfix SMTP server response code + when a sender or recipient address is rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain restriction. unknown_client_reject_code (450) - The numerical Postfix SMTP server response code - when a client without valid address <=> name map- + The numerical Postfix SMTP server response code + when a client without valid address <=> name map- ping is rejected by the reject_unknown_client_host- name restriction. 
unknown_hostname_reject_code (450) - The numerical Postfix SMTP server response code - when the hostname specified with the HELO or EHLO - command is rejected by the + The numerical Postfix SMTP server response code + when the hostname specified with the HELO or EHLO + command is rejected by the reject_unknown_helo_hostname restriction. Available in Postfix version 2.0 and later: default_rbl_reply (see 'postconf -d' output) - The default SMTP server response template for a - request that is rejected by an RBL-based restric- + The default SMTP server response template for a + request that is rejected by an RBL-based restric- tion. multi_recipient_bounce_reject_code (550) - The numerical Postfix SMTP server response code + The numerical Postfix SMTP server response code when a remote SMTP client request is blocked by the reject_multi_recipient_bounce restriction. 
@@ -1129,38 +1130,38 @@ SMTPD(8) SMTPD(8) access_map_defer_code (450) The numerical Postfix SMTP server response code for - an access(5) map "defer" action, including + an access(5) map "defer" action, including "defer_if_permit" or "defer_if_reject". reject_tempfail_action (defer_if_permit) The Postfix SMTP server's action when a reject-type - restriction fails due to a temporary error condi- + restriction fails due to a temporary error condi- tion. unknown_helo_hostname_tempfail_action ($reject_temp- fail_action) - The Postfix SMTP server's action when + The Postfix SMTP server's action when reject_unknown_helo_hostname fails due to an tempo- rary error condition. unknown_address_tempfail_action ($reject_tempfail_action) - The Postfix SMTP server's action when + The Postfix SMTP server's action when reject_unknown_sender_domain or - reject_unknown_recipient_domain fail due to a tem- + reject_unknown_recipient_domain fail due to a tem- porary error condition. MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. command_directory (see 'postconf -d' output) - The location of all postfix administrative com- + The location of all postfix administrative com- mands. double_bounce_sender (double-bounce) 
@@ -1181,37 +1182,37 @@ SMTPD(8) SMTPD(8) and most Postfix daemon processes. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for an incoming connection + The maximum amount of time that an idle Postfix + daemon process waits for an incoming connection before terminating voluntarily. max_use (100) - The maximal number of incoming connections that a - Postfix daemon process will service before termi- + The maximal number of incoming connections that a + Postfix daemon process will service before termi- nating voluntarily. myhostname (see 'postconf -d' output) The internet hostname of this mail system. mynetworks (see 'postconf -d' output) - The list of "trusted" SMTP clients that have more + The list of "trusted" SMTP clients that have more privileges than "strangers". myorigin ($myhostname) The domain name that locally-posted mail appears to - come from, and that locally posted mail is deliv- + come from, and that locally posted mail is deliv- ered to. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. recipient_delimiter (empty) 
@@ -1219,28 +1220,28 @@ SMTPD(8) SMTPD(8) sions (user+foo). smtpd_banner ($myhostname ESMTP $mail_name) - The text that follows the 220 status code in the + The text that follows the 220 status code in the SMTP greeting banner. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (see 'postconf -d' output) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". Available in Postfix version 2.2 and later: smtpd_forbidden_commands (CONNECT, GET, POST) - List of commands that causes the Postfix SMTP - server to immediately terminate the session with a + List of commands that causes the Postfix SMTP + server to immediately terminate the session with a 221 code. Available in Postfix version 2.5 and later: smtpd_client_port_logging (no) - Enable logging of the remote SMTP client port in + Enable logging of the remote SMTP client port in addition to the hostname and IP address. SEE ALSO @@ -1270,7 +1271,7 @@ SMTPD(8) SMTPD(8) XFORWARD_README, Postfix XFORWARD extension LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index ea56195c4..4ae4cb785 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -2192,6 +2192,11 @@ for receiving the server response. .PP Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds). +.SH lmtp_reply_filter (default: empty) +The LMTP-specific version of the smtp_reply_filter +configuration parameter. See there for details. +.PP +This feature is available in Postfix 2.7 and later. .SH lmtp_rset_timeout (default: 20s) The LMTP client time limit for sending the RSET command, and for receiving the server response. The LMTP client sends RSET in @@ -2317,6 +2322,11 @@ The LMTP-specific version of the smtp_tls_CApath configuration parameter. See there for details. .PP This feature is available in Postfix 2.3 and later. +.SH lmtp_tls_block_early_mail_reply (default: empty) +The LMTP-specific version of the smtp_tls_block_early_mail_reply +configuration parameter. See there for details. +.PP +This feature is available in Postfix 2.7 and later. .SH lmtp_tls_cert_file (default: empty) The LMTP-specific version of the smtp_tls_cert_file configuration parameter. See there for details. 
@@ -4977,6 +4987,55 @@ for receiving the server response. .PP Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds). +.SH smtp_reply_filter (default: empty) +A mechanism to transform replies from remote SMTP servers one +line at a time. This is a last-resort tool to work around server +replies that break inter-operability with the Postfix SMTP client. +Other uses involve fault injection to test Postfix's handling of +invalid responses. +.PP +Notes: +.IP \(bu +In the case of a multi-line reply, the Postfix SMTP client +uses the last reply line's numerical SMTP reply code and enhanced +status code. +.IP \(bu +The numerical SMTP reply code (XYZ) takes precedence over +the enhanced status code (X.Y.Z). When the enhanced status code +initial digit differs from the SMTP reply code initial digit, or +when no enhanced status code is present, the Postfix SMTP client +uses a generic enhanced status code (X.0.0) instead. +.PP +Specify the name of a "type:table" lookup table. The search +string is a single SMTP reply line as received from the remote SMTP +server, except that the trailingA mechanism to substitute incoming SMTP commands. This is a -last-resort tool to work around problems with clients that send -invalid command syntax that would otherwise be rejected by Postfix. +
A mechanism to transform commands from remote SMTP clients. +This is a last-resort tool to work around client commands that break +inter-operability with the Postfix SMTP server. Other uses involve +fault injection to test Postfix's handling of invalid commands.
Specify the name of a "type:table" lookup table. The search
-string is the SMTP command as received from the SMTP client, except
-that initial whitespace and the trailing
Examples:
@@ -12619,20 +12621,81 @@ result value is executed by the Postfix SMTP server.- # Work around clients that send RCPT TO:<'user@domain'>. + # Work around clients that send RCPT TO:<'user@domain'>. # WARNING: do not lose the parameters that follow the address. - /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/ RCPT TO:<$1>$2 + /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/ RCPT TO:<$1>$2
This feature is available in Postfix 2.7.
+%PARAM smtp_reply_filter + +A mechanism to transform replies from remote SMTP servers one +line at a time. This is a last-resort tool to work around server +replies that break inter-operability with the Postfix SMTP client. +Other uses involve fault injection to test Postfix's handling of +invalid responses.
+ +Notes:
+ +In the case of a multi-line reply, the Postfix SMTP client +uses the last reply line's numerical SMTP reply code and enhanced +status code.
+ +The numerical SMTP reply code (XYZ) takes precedence over +the enhanced status code (X.Y.Z). When the enhanced status code +initial digit differs from the SMTP reply code initial digit, or +when no enhanced status code is present, the Postfix SMTP client +uses a generic enhanced status code (X.0.0) instead.
+ +Specify the name of a "type:table" lookup table. The search +string is a single SMTP reply line as received from the remote SMTP +server, except that the trailing <CR><LF> are removed.
+ +Examples:
+ ++/etc/postfix/main.cf: + smtp_reply_filter = pcre:/etc/postfix/command_filter ++ +
+/etc/postfix/reply_filter: + # Transform garbage into part of a multi-line reply. Note + # that the Postfix SMTP client uses only the last numerical + # SMTP reply code and enhanced status code from a multi-line + # reply, so it does not matter what we substitute here as + # long as it has the right syntax. + !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage ++ +
This feature is available in Postfix 2.7.
+ +%PARAM lmtp_reply_filter + +The LMTP-specific version of the smtp_reply_filter +configuration parameter. See there for details.
+ +This feature is available in Postfix 2.7 and later.
+ %PARAM smtp_tls_block_early_mail_reply noTry to detect a mail hijacking attack based on a TLS protocol vulnerability (CVE-2009-3555), where an attacker prepends malicious -HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session. The -attack would succeed with non-Postfix SMTP servers that reply to -the malicious HELO/MAIL/RCPT/DATA commands after negotiating the -Postfix SMTP client TLS session.
+HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. +The attack would succeed with non-Postfix SMTP servers that reply +to the malicious HELO, MAIL, RCPT, DATA commands after negotiating +the Postfix SMTP client TLS session.This feature is available in Postfix 2.7.
+ +%PARAM lmtp_tls_block_early_mail_reply + +The LMTP-specific version of the smtp_tls_block_early_mail_reply +configuration parameter. See there for details.
+ +This feature is available in Postfix 2.7 and later.
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 548cbef93..b364d90a3 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -1019,6 +1019,12 @@ extern bool var_smtp_always_ehlo;
 #define DEF_SMTP_NEVER_EHLO 0
 extern bool var_smtp_never_ehlo;
 
+#define VAR_SMTP_RESP_FILTER "smtp_reply_filter"
+#define DEF_SMTP_RESP_FILTER ""
+#define VAR_LMTP_RESP_FILTER "lmtp_reply_filter"
+#define DEF_LMTP_RESP_FILTER ""
+extern char *var_smtp_resp_filter;
+
 #define VAR_SMTP_BIND_ADDR "smtp_bind_address"
 #define DEF_SMTP_BIND_ADDR ""
 #define VAR_LMTP_BIND_ADDR "lmtp_bind_address"
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index bb091f28c..aeb38e3da 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE "20091110"
+#define MAIL_RELEASE_DATE "20091115"
 #define MAIL_VERSION_NUMBER "2.7"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/smtp/Makefile.in b/postfix/src/smtp/Makefile.in
index 64b8ffbb8..1c04146e1 100644
--- a/postfix/src/smtp/Makefile.in
+++ b/postfix/src/smtp/Makefile.in
@@ -222,6 +222,7 @@ smtp_connect.o: ../../include/host_port.h
 smtp_connect.o: ../../include/htable.h
 smtp_connect.o: ../../include/inet_addr_list.h
 smtp_connect.o: ../../include/iostuff.h
+smtp_connect.o: ../../include/mail_addr.h
 smtp_connect.o: ../../include/mail_error.h
 smtp_connect.o: ../../include/mail_params.h
 smtp_connect.o: ../../include/mail_proto.h
diff --git a/postfix/src/smtp/lmtp_params.c b/postfix/src/smtp/lmtp_params.c
index ad6b0b15a..f822ddefe 100644
--- a/postfix/src/smtp/lmtp_params.c
+++ b/postfix/src/smtp/lmtp_params.c
@@ -51,6 +51,7 @@
 VAR_LMTP_MIME_CHKS, DEF_LMTP_MIME_CHKS, &var_smtp_mime_chks, 0, 0,
 VAR_LMTP_NEST_CHKS, DEF_LMTP_NEST_CHKS, &var_smtp_nest_chks, 0, 0,
 VAR_LMTP_BODY_CHKS, DEF_LMTP_BODY_CHKS, &var_smtp_body_chks, 0, 0,
+ VAR_LMTP_RESP_FILTER, DEF_LMTP_RESP_FILTER, &var_smtp_resp_filter, 0, 0,
 0,
 };
 static const CONFIG_TIME_TABLE lmtp_time_table[] = {
diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c
index 06469e21d..84a62f5e1 100644
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@@ -163,6 +163,9 @@
 /* .IP "\fBsmtp_quote_rfc821_envelope (yes)\fR"
 /* Quote addresses in SMTP MAIL FROM and RCPT TO commands as required
 /* by RFC 2821.
+/* .IP "\fBsmtp_reply_filter (empty)\fR"
+/* A mechanism to transform replies from remote SMTP servers one
+/* line at a time.
 /* .IP "\fBsmtp_skip_5xx_greeting (yes)\fR"
 /* Skip SMTP servers that greet with a 5XX status code (go away, do
 /* not try again later).
@@ -405,7 +408,7 @@
 /* .IP "\fBsmtp_tls_block_early_mail_reply (no)\fR"
 /* Try to detect a mail hijacking attack based on a TLS protocol
 /* vulnerability (CVE-2009-3555), where an attacker prepends malicious
-/* HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.
+/* HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
@@ -792,6 +795,7 @@ char *var_smtp_head_chks;
 char *var_smtp_mime_chks;
 char *var_smtp_nest_chks;
 char *var_smtp_body_chks;
+char *var_smtp_resp_filter;
 bool var_lmtp_assume_final;
 /* Special handling of 535 AUTH errors. */
@@ -1060,6 +1064,14 @@ static void pre_init(char *unused_name, char **unused_argv)
 smtp_body_checks = hbc_body_checks_create(
 VAR_SMTP_BODY_CHKS, var_smtp_body_chks,
 smtp_hbc_callbacks);
+
+ /*
+ * Server reply filter.
+ */
+ if (*var_smtp_resp_filter)
+ smtp_chat_resp_filter =
+ dict_open(var_smtp_resp_filter, O_RDONLY,
+ DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);
 }
 
 /* pre_accept - see if tables have changed */
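Review bot: The new reply-filter block in pre_init() opens the table with the same flags as the neighbouring maps but says nothing about what is looked up, while the manpage text added earlier in this file ("transform replies from remote SMTP servers one line at a time") implies the lookup key is text chosen by the remote server. A comment above `if (*var_smtp_resp_filter)` such as `/* Lookup keys are reply lines received from the remote SMTP server, i.e. untrusted input; intended for pattern-based tables (pcre:, regexp:). */` would make that trust boundary explicit for anyone who later points this parameter at another map type. It is also not visible here whether pre_accept(), which begins right after this hunk, re-checks `smtp_chat_resp_filter` for changes as it presumably does for the header/body check tables; worth confirming. pre_init()'s body starts outside the hunk.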
diff --git a/postfix/src/smtp/smtp.h b/postfix/src/smtp/smtp.h
index 3e5e24172..f636fe778 100644
--- a/postfix/src/smtp/smtp.h
+++ b/postfix/src/smtp/smtp.h
@@ -20,6 +20,7 @@
 #include
